Sep 15 2023

Attackers hit software firm Retool to get to crypto companies and assets

Category: App Security, Crypto, Security Tools | disc7 @ 3:18 pm

Retool, the company behind the popular development platform for building internal business software, has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.

According to a CoinDesk report, one of the known victims is Fortress Trust, or more precisely four of its customers who accessed their crypto funds via a portal built by Retool.

It all started with an SMS

The attack started with spear phishing text messages delivered to a number of Retool employees. According to the company, only one fell for the scheme.

The phishing text message. (Source: Retool)

The message was spoofed to look like it came from the company’s IT department, and its goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call from the attacker.

“The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code,” Snir Kodesh, Retool’s head of engineering, shared on Wednesday.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite [i.e., Google Workspace] session on that device.”

And because the employee’s MFA codes were synced with their Google account, the attacker now had access to all MFA tokens held within that account.

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry),” Kodesh noted, and added that the attacker also poked around some of the Retool apps – but didn’t specify which ones.

“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.”

Who’s to blame?

“Social engineering can affect anyone,” Kodesh noted, and “even with perfect training and awareness of these attacks, mistakes will happen.” He also put some of the blame for the hack on Google.

Google recently released the Google Authenticator synchronization feature, which syncs MFA codes to the cloud, and made it easier to activate the feature than to leave it off.

“Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this ‘feature’. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just an “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” he explained.

“Through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”

Of course, Google cannot be blamed for this breach entirely – Retool should have regularly reviewed the protections they’ve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.

If the company had used a FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed – as a similar attack against Cloudflare employees did a year ago.
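The difference between the two factor types is worth seeing in code. The following is an added example, not code from the original post or from Retool, Okta or Google: it implements a standard TOTP verifier (RFC 4226/6238) and a deliberately simplified model of an origin-bound FIDO2-style assertion, then replays the incident’s relay against both. The origins, the device key and the use of an HMAC in place of WebAuthn’s public-key signature are assumptions made for the example; the point it demonstrates is that a code read out over the phone verifies anywhere, while an assertion bound to the browser’s real origin does not verify at the genuine portal.

```python
import hashlib
import hmac
import struct

# --- Factor type 1: a TOTP code, as an authenticator app produces it (RFC 4226 HOTP over the time step) ---
def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """HOTP with SHA-1 over the 30-second step counter, as most authenticator apps do it."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def verify_totp(secret: bytes, code: str, timestep: int) -> bool:
    # The verifier only sees a string; it cannot tell where or how the code was obtained.
    return hmac.compare_digest(totp(secret, timestep), code)

# --- Factor type 2: an origin-bound assertion, a simplified model of FIDO2/WebAuthn ---
# Simplification (assumption of this example): real WebAuthn signs with a per-site key pair
# over client data (which carries the origin) plus authenticator data; an HMAC stands in for
# that signature so the block runs with the standard library only. What matters is that the
# origin comes from the browser, from the page actually loaded, and is never typed by the user.
def sign_assertion(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    return hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()

def verify_assertion(device_key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    expected = hmac.new(device_key, challenge + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

# Placeholder origins (constructed): the genuine identity portal and a look-alike.
REAL_PORTAL = "https://sso.example"
FAKE_PORTAL = "https://sso-example.example"

def otp_relay_accepted(secret: bytes, timestep: int) -> bool:
    """Model of the incident: the victim reads the current code to the caller,
    who enters it at the real portal within the same time step."""
    code_read_out = totp(secret, timestep)
    return verify_totp(secret, code_read_out, timestep)

def fido_relay_accepted(device_key: bytes, challenge: bytes) -> bool:
    """The same relay against an origin-bound factor: the attacker forwards the real
    portal's challenge, but the victim's browser is on the look-alike origin, so the
    authenticator binds the assertion to that origin and the real portal rejects it."""
    assertion = sign_assertion(device_key, challenge, FAKE_PORTAL)
    return verify_assertion(device_key, challenge, REAL_PORTAL, assertion)

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    print("OTP relay accepted: ", otp_relay_accepted(secret, 1))              # True
    print("FIDO relay accepted:", fido_relay_accepted(b"k" * 32, b"c" * 32))  # False
```

The TOTP half reproduces the RFC 4226 test vector (counter 1 gives 287082), so the verifier is a faithful one; the assertion half is only a model, but the property it shows, that the relying party checks its own origin against what the browser signed, is exactly why a hardware key would have stopped the phone-call relay described above.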

The investigation is ongoing

Retool is working with law enforcement and a third-party forensics firm to investigate the breach in depth.

So far, they have found that 27 cloud customers were affected (all of whom have been notified), while on-premise Retool customers remain secure.

“Retool on-prem operates in a ‘zero trust’ environment, and doesn’t trust Retool cloud. It is fully self contained, and loads nothing from the cloud environment. This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,” Kodesh noted.

Fortress’ customers, on the other hand, apparently lost nearly $15 million.

UPDATE (September 15, 2023, 04:35 a.m. ET):

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies,” Google stated.

“Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”

Application Security Program Handbook: A guide for software engineers and team leaders

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Aug 15 2023

HACKING POSTGRESQL APPLICATIONS WITH A SQL INJECTION VULNERABILITY

Category: App Security, Data Security | disc7 @ 11:07 am

It has an impressive history that spans over 30 years, and now it serves as an effective object-relational database system that is open source. Because of its ability to store and grow even the most complex data workloads, it has become the database of choice for a wide variety of applications, ranging from websites to mobile and analytics systems.

It has been discovered that the widely used open-source object-relational database system PostgreSQL has a significant security flaw. The vulnerability, identified as CVE-2023-39417, has a significant CVSS score of 7.5 and gives an attacker the ability to execute arbitrary code as the bootstrap superuser if the attacker also has the capability to create databases at the database level.

The vulnerability may be exploited through a PostgreSQL extension script if an administrator has installed the files of a vulnerable, trusted, non-bundled extension. The root cause is that the values substituted for the @extowner@, @extschema@, or @extschema:…@ placeholders in extension scripts are not properly sanitized, so user-controlled input reaches the script unescaped.

An adversary may take advantage of this flaw by sending malicious data to a PostgreSQL database that is running a version of the program that is susceptible to being exploited. It’s possible that the malicious input will be in the form of a SQL query, or it may be a parameter to a function. As soon as the attacker submits the malicious input, they are able to execute arbitrary code in the context of the bootstrap superuser.

The bootstrap superuser is a unique user account that has full authority over a PostgreSQL database. This account is only accessible via the bootstrap script. This indicates that an adversary who is able to run arbitrary code as the bootstrap superuser has the ability to do whatever they want with the database. This includes stealing data, deleting data, or altering data.

All of the PostgreSQL versions 11, 12, 13, 14, and 15 are susceptible to the CVE-2023-39417 issue. The fixed versions are 11.21, 12.16, 13.12, 14.9, and 15.4. PostgreSQL has made available a patch that prevents this attack at the level of the server itself, which makes remediation more straightforward because users do not have to edit individual extensions. It is imperative that you install this update as soon as possible, since the safety of your data relies on it.
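To make the class of bug concrete, here is an added example (not PostgreSQL’s code, and not from the original post) that models what an extension-script placeholder substitution does. The script template, the use of SQLite’s executescript as a stand-in for the server’s script runner, and the schema names are all constructed for the example. The unchecked version splices the schema name into the script as raw text; the checked version refuses any name that contains a double quote, a backslash or a dollar sign, which is the rejecting approach (rather than escaping) that a server-side fix can apply uniformly without touching individual extensions.

```python
import sqlite3

# Constructed template in the style of an extension script that uses the @extschema@
# placeholder inside a quoted identifier.
SCRIPT_TEMPLATE = (
    'CREATE TABLE "@extschema@"."ext_config" (key TEXT PRIMARY KEY, value TEXT);'
)

# Characters that let a name escape quoting or a dollar-quoted block. The hardened
# substitution refuses any name containing them instead of trying to escape it.
UNSAFE_IN_NAME = set('"\\$')

def substitute_unchecked(template, extschema):
    """Vulnerable pattern: raw textual replacement, no validation of the schema name."""
    return template.replace("@extschema@", extschema)

def substitute_checked(template, extschema):
    """Hardened pattern: refuse names that could break out of quoting."""
    bad = sorted(UNSAFE_IN_NAME.intersection(extschema))
    if bad:
        raise ValueError("schema name contains disallowed characters: %r" % bad)
    return template.replace("@extschema@", extschema)

def run_script(sql):
    """Run the script in a throwaway SQLite database (stand-in for the server's
    script runner) and return the names of the tables it created."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(sql)  # executes every statement in the script, like a script runner
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
        ).fetchall()
    finally:
        conn.close()
    return [r[0] for r in rows]

# Constructed schema names: a normal one, and one that closes the quoted identifier
# early and smuggles in a second (here harmless) statement.
NORMAL_SCHEMA = "main"
CRAFTED_SCHEMA = 'main"."ext_config" (k TEXT); CREATE TABLE "main"."injected" (y INT); --'

def tables_created(extschema, checked):
    """Substitute the name with the chosen strategy, run the script, list resulting tables."""
    sub = substitute_checked if checked else substitute_unchecked
    return run_script(sub(SCRIPT_TEMPLATE, extschema))

def substitution_refused(extschema):
    """True if the hardened substitution rejects this name before anything runs."""
    try:
        substitute_checked(SCRIPT_TEMPLATE, extschema)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("unchecked, normal name: ", tables_created(NORMAL_SCHEMA, checked=False))
    print("unchecked, crafted name:", tables_created(CRAFTED_SCHEMA, checked=False))
    print("checked, crafted name refused:", substitution_refused(CRAFTED_SCHEMA))
```

With the normal name the script creates exactly the one table the extension intended; with the crafted name the unchecked substitution also creates the extra table, which is the shape of the problem the advisory describes, while the checked substitution never lets the script run at all.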

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks

CISSP training course


Tags: SQL Injection Strategies, SQL INJECTION VULNERABILITY


Aug 10 2023

CODE EXPLOITING TWO CRITICAL PHP (< 8.0.30) VULNERABILITIES PUBLISHED

Category: App Security, Security Vulnerabilities | disc7 @ 8:25 am

PHP is a widely used programming language that is put to use in the production of dynamic web pages. On the other hand, much like any other program, it is not completely safe from security flaws. CVE-2023-3823 and CVE-2023-3824 are the names of two new security flaws that have been identified in PHP over the last several months.


CVE-2023-3823 (SCORE OF 8.6 ON THE CVSS SCALE): INFORMATION DISCLOSURE


An information disclosure vulnerability known as CVE-2023-3823 exists in PHP applications and makes it possible for a remote attacker to access sensitive data stored inside such applications. Inadequate validation of user-supplied XML input is the root cause of the vulnerability. An attacker could exploit it by sending a specially crafted piece of XML to the program. The program would then proceed to parse it, at which point the attacker would be able to obtain access to sensitive information such as the contents of arbitrary files on the system or the results of queries made to external sources.

This issue may affect any program, library, or service that interacts with XML documents in any way, including processing or communicating with them. Credit goes to security researcher nickvergessen, who also released the proof-of-concept.

CVE-2023-3824 IS A BUFFER OVERFLOW VULNERABILITY THAT HAS A CVSS SCORE OF 9.4.

A remote attacker might execute arbitrary code on a PHP system by exploiting the buffer overflow vulnerability tracked as CVE-2023-3824. The insufficient bounds checking performed by the phar_dir_read() function is the root cause of the vulnerability. By submitting a carefully crafted request to the application, an adversary might take advantage of this vulnerability. The request would then result in a buffer overflow, which would give the adversary the ability to take control of the system and run whatever code they pleased.

The difficulty of exploiting this vulnerability stems from the fact that it involves a number of faulty checks and overflows. For instance, the condition “to_read == 0 || count < ZSTR_LEN(str_key)” was found to be flawed and should not have been used. This has a number of repercussions in the code, one of which is the line “((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';”. This write can run one byte past the copied data, and it does not NUL-terminate the filename in the correct manner. The issue has been compared to a stack information leak as well as a buffer write overflow, which only serves to exacerbate the situation.

In addition, there may be concerns over a buffer overflow in the memset. Even though no such occurrences have been detected inside PHP itself, third-party extensions might still be impacted.
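The off-by-one quoted above is easier to reason about against a small stand-in. The following C is an added example, not PHP’s code: the directory-entry struct, its 16-byte name buffer and the helper names are constructed for the example. It shows the bounds check and terminator placement a reader of that line would want (terminator at d_name[to_read], with the fit check reserving room for it), beside a one-line arithmetic check of where the original “to_read + 1” terminator would have landed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for php_stream_dirent: a fixed-size name buffer. */
#define NAME_CAP 16
typedef struct {
    char d_name[NAME_CAP];
} dir_entry_t;

/*
 * Copy one directory-entry name into `out`. Returns the number of name bytes
 * copied, or -1 if the name plus its NUL terminator does not fit.
 *
 * The pattern the article quotes terminated at d_name[to_read + 1], one byte
 * past the copied bytes, so a name that exactly filled the buffer put the
 * terminator outside it. Here the terminator goes at d_name[name_len] and the
 * fit check (>=, not >) reserves the byte for it.
 */
long fill_dir_entry(const char *name, size_t name_len, dir_entry_t *out)
{
    if (name == NULL || out == NULL)
        return -1;
    if (name_len >= sizeof out->d_name)   /* no room for name + NUL */
        return -1;
    memset(out, 0, sizeof *out);          /* memset sized by the struct, not the input */
    memcpy(out->d_name, name, name_len);
    out->d_name[name_len] = '\0';
    return (long)name_len;
}

/* True if d_name contains a NUL inside the buffer, i.e. it is a valid C string. */
int entry_is_terminated(const dir_entry_t *e)
{
    return memchr(e->d_name, '\0', sizeof e->d_name) != NULL;
}

/* Where the original "d_name[to_read + 1]" write would land: in bounds only while
 * to_read + 1 < NAME_CAP, so a name of NAME_CAP - 1 bytes already writes past the end. */
int buggy_terminator_in_bounds(size_t to_read)
{
    return to_read + 1 < NAME_CAP;
}

/* Self-check helper: copy `name` and report whether it round-trips as a C string. */
int name_round_trips(const char *name)
{
    dir_entry_t e;
    if (fill_dir_entry(name, strlen(name), &e) < 0)
        return 0;
    return entry_is_terminated(&e) && strcmp(e.d_name, name) == 0;
}

int main(void)
{
    printf("15-byte name round-trips: %d\n", name_round_trips("fifteen_chars!!"));
    printf("16-byte name refused:     %d\n", !name_round_trips("sixteen_chars!!!"));
    printf("buggy terminator in bounds for to_read=15: %d\n", buggy_terminator_in_bounds(15));
    return 0;
}
```

The two things to take from it: the length check must count the terminator, and the terminator index must be the number of bytes copied, not one more.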

Although the exploitation is certainly difficult and is contingent on the particular application that is being targeted, it is nevertheless theoretically possible. According to the alert issued by the security team, “People who inspect the contents of untrusted phar files could be affected.”

The proof-of-concept was also released thanks to the efforts of security researcher nielsdos, who is credited for his work.

The vulnerabilities CVE-2023-3823 and CVE-2023-3824 have been addressed in PHP 8.0.30. If you are still using an earlier version of PHP, you should upgrade to the 8.0.30 release as soon as you can.

PHP Security and Session Management: Managing Sessions and Ensuring PHP Security 

CISSP training course


Tags: PHP, PHP Security


Jun 29 2023

Defending Continuous Integration/Continuous Delivery (CI/CD) Environments

Category: App Security, CI/CD | disc7 @ 3:17 pm


TOP 9 TECHNIQUES TO SECURE YOUR DEVOPS CONTINUOUS INTEGRATION/CONTINUOUS DELIVERY (CI/CD) PIPELINE IN 2023

NSA Tips: Defending Continuous Integration/Continuous Delivery (CI/CD) Environments


Tags: CI/CD, CI/CD Environment, DevOps Continuous Integration/Continuous Delivery


Jun 24 2023

Web Application Security: A 2023 Guide

Category: App Security, Web Security | DISC @ 1:29 pm

Web Application Security: A 2023 Guide | Cyber Press

Written by: Cyber Writes

Web App Security


Tags: Web Application Security


May 15 2023

Salt Security Achieves AWS WAF Ready Designation

Category: App Security, Information Security, Web Security | disc7 @ 9:30 am

Today, API security company Salt Security announced it is now an Amazon Web Services (AWS) Web Application Firewall (WAF) Ready Partner. This service helps customers discover Partner solutions validated by AWS Partner Network (APN) Solutions Architects that integrate with AWS WAF to accelerate adoption of an enhanced and holistic security approach. AWS WAF is available to all AWS customers in all AWS Regions and can be deployed directly from the AWS console.

This partnership differentiates Salt Security as an APN member with a product that works with AWS WAF and is generally available for AWS customers. AWS WAF Ready Partners help customers quickly identify easy-to-deploy solutions that can help detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.

Today, businesses of all shapes and sizes are focused on ensuring that websites and applications are protected from external threats that can lead to a loss of revenue, loss of customer trust, and loss of brand reputation. Implementing a WAF can be a challenging task that requires deep security experience that can be expensive and hard to find in-house. AWS WAF Ready Partners offer customers a simpler solution to deploying and maintaining their application layer security solution through easy-to-deploy solutions in order to detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.

Gilad Barzilay, head of business development, Salt Security said: “As an AWS Software Path Partner and member of AWS ISV Accelerate Program, Salt is proud to expand our existing relationship with AWS by becoming an AWS WAF Ready Partner. Many of our customers rely on Salt to secure their APIs on AWS. By achieving these designations, we make it easier and faster for businesses to protect the APIs running on their AWS environments. Our customers benefit from our unique cloud-scale API data lake architecture, which applies AI and ML for API discovery and threat protection.”

“Deploying the Salt platform took almost no effort,” said Jason Weitzman, senior application security engineer at Xolv Technology Solutions. “It integrated quickly with our existing Cloudflare, AWS, Jira and other systems. It also started identifying errors and delivering insights on how to craft better APIs within minutes.”

The Salt platform deploys out of band, to avoid any interference with application performance or availability. The Salt platform pairs with AWS WAF as an API traffic collection point and to block detected attackers. To support the seamless integration and deployment of solutions such as the Salt platform, AWS established the AWS Service Ready Program. The program helps customers identify solutions integrated with AWS services and spend less time evaluating new tools, and more time scaling their use of solutions that are integrated with AWS services.

APIs are a hot topic among cybersecurity professionals and C-suites at the moment due to their increasingly vital business roles. Earlier this year Salt released a new API report that showed a 400% Increase in Attackers, demonstrating the prevalence.

Security of services hosted in the Cloud with Le WAF: Web Application Firewall


Tags: WAF, Web Application Firewall


Feb 09 2023

How Application Mapping Can Boost Application Security

Category: App Security | DISC @ 10:35 am

Application security refers to the measures taken to protect the confidentiality, integrity, and availability of an application and its associated data. This involves designing, developing, and deploying applications in a secure manner and protecting them against threats such as hacking, malware, and data theft. It also involves the use of application security testing tools, as well as ongoing monitoring and management to detect and respond to security incidents. 

Application security aims to prevent unauthorized access to an application and its data, and to ensure the privacy and security of sensitive information processed by the application. This is essential for organizations to maintain the trust of their customers, partners, and stakeholders, and to comply with industry regulations and standards.

What Is Application Mapping?

Application mapping is the process of creating a visual representation of the components, relationships, and interactions of a software application. It helps to identify potential security vulnerabilities and areas of risk, and can be used to support security testing, incident response, and overall application security planning.

Application mapping can be performed manually or with the use of automated tools and typically includes a diagram that shows the various components of the application, such as the user interface, database, and server, and how they interact with each other. This information can be used to create a comprehensive understanding of the application architecture and to develop and implement effective security controls.

How Application Mapping Can Boost Application Security

Application mapping can boost application security by providing a comprehensive understanding of the application’s architecture, data flow, and interactions between components. This information can be used to identify potential security risks and vulnerabilities and to implement appropriate application security measures to mitigate these risks. Here are some specific ways that application mapping can boost application security:

  • Identification of sensitive data: By creating a visual representation of the flow of data within an application, application mapping can help to identify sensitive data and the components that handle this data. This information can be used to ensure that sensitive data is properly protected and that the appropriate security measures are in place to secure the data.
  • Improved threat modeling: Threat modeling is the process of identifying potential security risks and vulnerabilities within an application. Application mapping can provide a clear understanding of the application’s architecture, components, and data flow, making it easier to identify potential security risks and vulnerabilities.
  • Better access control: Application mapping can be used to identify the relationships between different components and to understand the flow of data within the application. This information can be used to implement better access controls, such as role-based access controls, to ensure that sensitive data is only accessible by authorized users.
  • Improved network segmentation: By creating a visual representation of the application’s architecture and data flow, application mapping can be used to identify the components that are communicating with each other and the flow of data between these components. This information can be used to improve network segmentation and to ensure that sensitive data is only accessible by authorized components.
  • Better incident response: In the event of a security incident, application mapping can provide a clear understanding of the application’s architecture and data flow, making it easier to respond to the incident and restore the application to a secure state.

Application Mapping Best Practices

Recognize All Types of Dependencies

Identifying all types of dependencies is a crucial step in the application mapping process. Dependencies between components can greatly impact the security of an application, so it is important to understand all of these relationships. There are three types of dependencies that should be recognized in application mapping:

  • Functional dependencies: These describe the relationships between components that perform specific functions. For example, a user interface component may depend on a database component to store and retrieve data. By recognizing functional dependencies, organizations can understand how changes to one component can impact the overall functionality of the application.
  • Data dependencies: These describe the relationships between components that exchange data. For example, an application component may receive data from an external source, such as a web service, and pass that data to another component for processing. By recognizing data dependencies, organizations can understand how sensitive data flows through the application and identify areas where data may be vulnerable to attack.
  • Security dependencies: These describe the relationships between security controls and the components they protect. For example, a firewall may protect an application server, or encryption may protect sensitive data in transit. By recognizing security dependencies, organizations can understand the overall security posture of the application and identify areas where security controls may be insufficient or missing.
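Dependency types become useful once the map can be queried. The following Python is an added example, not code from the article or from any product it mentions: it stores the three dependency kinds described above (functional, data and security) for a small constructed application and answers the questions the earlier section raises, namely which sensitive-data components have no protecting control, which sensitive flows cross a network zone (segmentation candidates), and what is affected when one component changes. Component names, zones and data classifications are all invented for the example.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Component:
    name: str
    zone: str                       # network segment the component lives in
    handles_sensitive: bool = False

@dataclass
class AppMap:
    components: dict = field(default_factory=dict)
    functional: set = field(default_factory=set)   # (dependent, dependency)
    data_flows: set = field(default_factory=set)   # (source, destination, classification)
    security: set = field(default_factory=set)     # (control, protected component)

    def add_component(self, name, zone, handles_sensitive=False):
        self.components[name] = Component(name, zone, handles_sensitive)

    def add_functional(self, dependent, dependency):
        self.functional.add((dependent, dependency))

    def add_flow(self, source, destination, classification):
        self.data_flows.add((source, destination, classification))

    def add_control(self, control, protected):
        self.security.add((control, protected))

    def sensitive_components_without_controls(self):
        """Sensitive-data handlers with no security dependency at all: a missing control."""
        protected = {target for _, target in self.security}
        return sorted(n for n, c in self.components.items()
                      if c.handles_sensitive and n not in protected)

    def cross_zone_sensitive_flows(self, sensitive_classes=("pii", "card")):
        """Sensitive data flows whose endpoints sit in different zones: review segmentation here."""
        return [(s, d, cls) for s, d, cls in sorted(self.data_flows)
                if cls in sensitive_classes
                and self.components[s].zone != self.components[d].zone]

    def impact_of_change(self, name):
        """Everything that transitively depends on `name` (reverse walk over functional edges)."""
        dependents, queue = set(), deque([name])
        while queue:
            current = queue.popleft()
            for dependent, dependency in self.functional:
                if dependency == current and dependent not in dependents:
                    dependents.add(dependent)
                    queue.append(dependent)
        return sorted(dependents)

def build_sample_map():
    """Constructed four-component application used only to exercise the queries."""
    m = AppMap()
    m.add_component("web_ui", "dmz")
    m.add_component("api", "app")
    m.add_component("payments", "app", handles_sensitive=True)
    m.add_component("db", "data", handles_sensitive=True)
    m.add_functional("web_ui", "api")
    m.add_functional("api", "db")
    m.add_functional("api", "payments")
    m.add_flow("web_ui", "api", "pii")
    m.add_flow("api", "db", "pii")
    m.add_flow("api", "payments", "card")
    m.add_flow("api", "web_ui", "public")
    m.add_control("waf", "web_ui")
    m.add_control("disk_encryption", "db")
    return m

if __name__ == "__main__":
    m = build_sample_map()
    print("sensitive, unprotected:", m.sensitive_components_without_controls())
    print("cross-zone sensitive flows:", m.cross_zone_sensitive_flows())
    print("impact of changing db:", m.impact_of_change("db"))
```

On the sample map the queries flag the payments component (sensitive data, no control), the two PII flows that cross from dmz to app and from app to data, and the fact that a change to the database reaches both the API and the user interface; the same three queries are the ones to re-run whenever the map is updated, as the last best practice below recommends.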

Actively Avoid Dependencies When Possible

By reducing the number of dependencies between components, organizations can minimize the attack surface and simplify security management. Here are a few ways that dependencies can be reduced:

  • Removing unnecessary components: Unnecessary components can increase the attack surface and the complexity of security management. By removing these components, organizations can reduce the number of dependencies and simplify the application architecture.
  • Limiting access to components: Limiting access to components, such as by restricting network access or implementing access controls, can reduce the number of dependencies and minimize the attack surface. For example, by limiting access to a database component to only the components that need to access it, organizations can reduce the number of potential attack vectors.
  • Simplifying interactions between components: Complex interactions between components can increase the risk of security vulnerabilities and make it more difficult to manage security. By simplifying these interactions, organizations can reduce the number of dependencies and improve the overall security of the application.

Strive To Test Everything

Testing all components and interactions represented in the application map is essential to identify security vulnerabilities and ensure that they are addressed. Here are a few reasons why comprehensive testing is important:

  • Prioritize testing efforts: Application mapping provides a roadmap for comprehensive security testing, which can be used to prioritize testing efforts and ensure that all areas of the application are tested. This can help organizations focus their testing efforts on the most critical components and interactions.
  • Identify vulnerabilities: By testing all components and interactions, organizations can identify security vulnerabilities that may otherwise be overlooked. This can include vulnerabilities in the functionality of individual components, the interactions between components, and the security controls that protect them.
  • Address vulnerabilities before exploitation: Comprehensive testing can help organizations identify and remediate security vulnerabilities before they can be exploited. This can reduce the risk of a successful attack and improve the overall security posture of the application.
  • Ensure the security of the entire application: Testing individual components may not be enough to ensure the security of the entire application. By testing everything, organizations can understand how all components and interactions work together and identify potential security vulnerabilities in the overall architecture.

Periodically Update Your Map

Periodically updating your application map is a best practice that helps ensure the security of an application. Regularly updating the map ensures that it remains accurate and up-to-date, which is essential for effective security management. Here are a few reasons why periodic updates are important:

  • Reflect changes in the application: Applications change over time, and regular updates to the map help ensure that these changes are accurately reflected. For example, new components may be added, existing components may be updated, or relationships between components may change. Keeping the map up-to-date helps organizations understand the impact of these changes on the security of the application.
  • Identify new dependencies: As the application evolves, new dependencies may be introduced that need to be recognized and managed. By regularly updating the map, organizations can identify these new dependencies and understand how they impact the security of the application.
  • Stay ahead of threats: Threats to the security of an application are constantly changing, and regular updates to the map help organizations stay ahead of these threats. By understanding how changes in the application and new threats may impact the security of the application, organizations can take proactive steps to mitigate risk.
  • Improve security management: Periodic updates to the application map can help organizations improve the efficiency and effectiveness of security management. By keeping the map up-to-date, organizations can ensure that security efforts are focused on the right areas and that the overall security posture of the application is strong.

Conclusion

In conclusion, application mapping is a powerful tool that can significantly boost the security of applications. By creating a detailed map of the components and interactions within an application, organizations can gain a better understanding of their security posture and identify potential vulnerabilities. 

By following the best practices in this article, organizations can proactively mitigate risk and improve the efficiency and effectiveness of their security management efforts. In today’s increasingly connected and complex technological landscape, the importance of application security cannot be overstated, and application mapping can play a critical role in ensuring the security and protection of sensitive information and data.

Application Security Program Handbook: A guide for software engineers and team leaders

Application Security for Developers

Check out our previous posts on App Security



Tags: Application security


Dec 23 2022

WEB APPLICATION PENTESTING CHECKLIST

Category: App Security, Pen Test, Web Security | DISC @ 11:37 am

Web Pentesting Checklist Cyber Security News

PenTesting Titles

Penetration Testing: Protecting Networks and Systems

Pentesting Training

Penetration Testing – Exploitation

Penetration Testing – Post Exploitation


Tags: WEB APPLICATION PENTESTING CHECKLIST


Dec 19 2022

Is This Website Safe: How to Check Website Safety to Avoid Cyber Threats Online

Category: App Security, Cyber Threats, Web Security | DISC @ 10:58 am

Is this website safe? In today’s digital world, checking website safety is a major concern: there are countless malicious websites all over the Internet, and it is hard to tell a trustworthy site from a dangerous one. We need to browse smart and confirm that a site is not dangerous using several approaches.

In general, it is better to type the website URL than to copy-paste or click a link. Also check whether the website is served over HTTP or HTTPS.

Investigating: Is This Website Safe?

To find out whether a website is safe, first consider whether the URL came from an unknown source; if so, cross-check the URL before clicking on it. Copy the URL into one of the analyzers available on the Internet and verify its integrity.

If it is a shortened URL, unshorten it with the site first and then analyze the actual URL.

Methods to analyze Websites

To check website safety, the first and most recommended method is an online page scanner, which uses fingerprinting techniques to tell whether a web application is up to date or has been infected by malware.

A number of such scanners are available.

A website reputation check with WOT can also be done to gauge the trustworthiness of a site.


Ensure SSL is there before making a purchase

To check website safety, ensure the site is available over HTTPS before entering payment card details. HTTPS availability can be audited with the SSL analyzer URLs available on the Internet.

There is also a range of certificate types, from the lowest-assurance domain validation certificates to the most trusted extended validation certificates; you can refer to the URL for more details.

Moreover, correct certificate installation can be verified with various popular checkers.

Google Safe Browsing: Is This Website Safe?

According to Google, Safe Browsing is a service that Google’s security team built to identify unsafe websites across the web and notify users and webmasters of potential harm.

In this Transparency Report, Google discloses details about the threats we detect and the warnings we show to users.

We share this information to increase awareness about unsafe websites, and we hope to encourage progress toward a safer and more secure web.

Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

Safe Browsing protections work across Google products and power safer browsing experiences across the Internet.

Check whether a website hosts any unsafe content with Google Safe Browsing.

To Report Malicious websites

Please report the dangerous URL to the services mentioned below. They are arranged in categories which should make it relatively easy to decide which services you should report the site to.

Services which blacklist Dangerous sites

Check the Blacklist IP Address 

There are some awesome tools to Check the website IP Address has been listed in the Global Blacklist Database.

Multirbl is a free multiple DNSBL (DNS BlackList, aka RBL) lookup and FCrDNS (Forward Confirmed reverse DNS, aka iprev) check tool that helps confirm whether a website is safe.
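The two checks that such a tool performs are simple enough to implement directly. The Python below is an added example, not Multirbl’s code or anything from the original post: it builds the DNSBL query name (reversed address labels under the list’s zone, for IPv4 and IPv6), interprets a 127.0.0.0/8 answer as a listing, and performs the FCrDNS round trip (PTR name must resolve back to the same IP). The resolver is injected as a function, and the data it returns here is constructed from documentation addresses and placeholder names so the example runs offline; in use, the two resolver callbacks would wrap real DNS queries.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Name to look up in a DNSBL zone: address labels reversed, under the zone.
    IPv4 reverses the dotted octets; IPv6 reverses all 32 hex nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def is_listed(ip, zone, resolve_a):
    """A DNSBL signals a listing with an A record in 127.0.0.0/8; an empty answer
    (NXDOMAIN) means not listed. Answers outside 127/8 are ignored as strays."""
    answers = resolve_a(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")
               for a in answers)

def fcrdns_ok(ip, resolve_ptr, resolve_a):
    """Forward-confirmed reverse DNS: at least one PTR name for the address must
    resolve forward to that same address."""
    return any(ip in resolve_a(name) for name in resolve_ptr(ip))

# Constructed resolver data: documentation addresses, placeholder zone and host names.
FAKE_A = {
    "1.2.0.192.dnsbl.example": ["127.0.0.2"],   # 192.0.2.1 is listed in the placeholder zone
    "mail.example.net": ["192.0.2.1"],
    "forged.example.org": ["198.51.100.9"],     # PTR claims this name, but it points elsewhere
}
FAKE_PTR = {"192.0.2.1": ["mail.example.net"], "192.0.2.2": ["forged.example.org"]}

def fake_resolve_a(name):
    return FAKE_A.get(name, [])

def fake_resolve_ptr(ip):
    return FAKE_PTR.get(ip, [])

def site_ip_report(ip, zone="dnsbl.example", resolve_a=fake_resolve_a, resolve_ptr=fake_resolve_ptr):
    """Combine both checks for one address into a small report."""
    return {
        "ip": ip,
        "listed": is_listed(ip, zone, resolve_a),
        "fcrdns": fcrdns_ok(ip, resolve_ptr, resolve_a),
    }

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2"):
        print(site_ip_report(ip))
```

Note the two failure modes the checks are designed around: a DNSBL answer outside 127.0.0.0/8 (for example a wildcard or hijacked domain) must not count as a listing, and a PTR record alone proves nothing until the forward lookup confirms it.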

Check the Website Safety & Reputation

analyzes a website through multiple blacklist engines and online reputation tools to facilitate the detection of fraudulent and malicious websites. This service helps you identify websites involved in malware incidents, fraudulent activities, and phishing websites.

Important tools to check the website reputation and confirm whether the website is safe

Conclusion

Cyber criminals use various sophisticated techniques to fool online users into downloading malware and other cyber threats that cause serious damage. So beware of malicious websites: don’t open a website blindly, and check its safety before opening it.

Is this website Safe : How to Check Website Safety to Avoid Cyber Threats Online

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Security Analysis with search engines:


Tags: #Pentesters, Security Analysis, Web Application Security, Website Safety


Dec 06 2022

Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

Major automobile manufacturers have addressed a vulnerability that would have given hackers access to their vehicles to perform the following activities remotely:-

  • Lock the car
  • Unlock the car
  • Start the engine
  • Press the horn
  • Flash the headlights
  • Open the trunk of certain cars made after 2012
  • Locate the car

Flaw in SiriusXM

SiriusXM, one of the most widely used connected vehicle platforms available on the market, has a critical bug in its platform that affects all major vehicle brands.

Connected cars are of particular interest to security researchers such as Yuga Labs’ Sam Curry, who discovered this security hole in the connected cars of major car manufacturers during his routine research.

There are a number of car manufacturers who use Sirius XM telematics and infotainment systems as a part of their vehicle technology.

Affected Car Brands

Here below we have mentioned the brands’ names that are affected due to this critical bug in SiriusXM:-

  • Acura
  • BMW
  • Honda
  • Hyundai
  • Infiniti
  • Jaguar
  • Land Rover
  • Lexus
  • Nissan
  • Subaru
  • Toyota

Vulnerability Analysis

During the process of analyzing the data, it was found that there is a domain (http://telematics(.)net) that is used during the vehicle enrollment process for the remote management of Sirius XM.

The flaw lies in the enrollment process for SiriusXM’s remote management functionality, and it allows the vehicle to be tampered with.

There is not yet any technical information available about the findings of the researchers at the present time, since they haven’t shared anything in detail.

Upon further analysis of the domain, it becomes apparent that the Nissan Car Connected App is one of the most frequently referenced apps in this domain.

Data exchanged through the telematics platform is authorized using only the vehicle identification number (VIN). Anyone who knows the VIN can therefore use it to carry out a variety of commands.

Next, the experts logged in to the application and examined the HTTPS traffic coming from a Nissan car owner.

During this analysis, the researchers found one HTTP request that they examined in depth.

It is possible to obtain a bearer token and a “200 OK” response by passing a VIN-prefixed ID as the customerID in the following way:-

Car App

Using the Authorization bearer in an HTTP request, researchers attempted to obtain information about the user profile of the victim and, as a result, they successfully retrieved the following information:-

  • Name
  • Phone number
  • Address
  • Car details

In addition to this, the API calls used by SiriusXM for its telematics services worked even if the user did not have an active subscription with SiriusXM.
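An added example, not SiriusXM’s or the researchers’ code: a toy in-memory model of the reported behaviour (a VIN-prefixed customer ID alone yields a bearer token and 200 OK) beside a hardened handler that issues tokens only after password authentication and checks server-side that the authenticated account owns the VIN. The account ID, VIN, names and API shape are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory data. The VIN, account ID and names are made up; the API
# shape is a hypothetical model of the reported flaw, not SiriusXM's real API.
SALT = b"constructed-static-salt"  # a real system uses a per-user random salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


CUSTOMERS: Dict[str, dict] = {
    "acct-1001": {
        "password_hash": hash_password("correct horse battery"),
        "name": "A. Driver",
        "phone": "+1-555-0100",
        "vins": {"1HGCM82633A004352"},
    },
}
VEHICLES: Dict[str, dict] = {
    "1HGCM82633A004352": {"make": "Example", "model": "Sedan", "owner": "acct-1001"},
}


# ---- Model of the reported behaviour: the VIN-prefixed ID alone yields a token ----
def vulnerable_issue_token(customer_id: str) -> Tuple[int, Optional[str]]:
    """No authentication at all: knowing the VIN is enough to get 200 and a bearer token."""
    vin = customer_id[3:] if customer_id.startswith("VIN") else None
    if vin in VEHICLES:
        return 200, f"token-for-{vin}"  # a real service would mint a session here
    return 404, None


# ---- Hardened form: token bound to an authenticated account; ownership checked ----
@dataclass
class TelematicsApi:
    sessions: Dict[str, str] = field(default_factory=dict)  # bearer token -> account ID

    def login(self, account_id: str, password: str) -> Tuple[int, Optional[str]]:
        acct = CUSTOMERS.get(account_id)
        # Compare against a dummy hash when the account is unknown so that the
        # response time does not reveal which account IDs exist.
        expected = acct["password_hash"] if acct else hash_password("")
        if acct is None or not hmac.compare_digest(expected, hash_password(password)):
            return 401, None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account_id
        return 200, token

    def vehicle_profile(self, token: str, vin: str) -> Tuple[int, Optional[dict]]:
        """The VIN is only a lookup key, never a credential: the caller must hold a
        session for the account that owns it."""
        account_id = self.sessions.get(token)
        if account_id is None:
            return 401, None
        if vin not in CUSTOMERS[account_id]["vins"]:
            return 403, None  # authenticated, but not this vehicle's owner
        acct = CUSTOMERS[account_id]
        return 200, {**VEHICLES[vin], "vin": vin, "name": acct["name"], "phone": acct["phone"]}


if __name__ == "__main__":
    print(vulnerable_issue_token("VIN1HGCM82633A004352"))  # (200, 'token-for-...')
    api = TelematicsApi()
    print(api.vehicle_profile("VIN1HGCM82633A004352", "1HGCM82633A004352"))  # (401, None)
```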

As long as the developers or owners are not involved in the process of securing a vulnerable app, it is impossible to guarantee the security of that app. This is why they should be the only ones who can issue security updates and patches.

Recommendations

Here below we have mentioned the recommendations made by the security analysts:-

  • Ensure that you do not share the VIN of your car with unreliable third parties.
  • In order to protect your vehicle from thieves, it is imperative to use unique passwords for each app connected to the vehicle.
  • Keep your passwords up-to-date by changing them on a regular basis.
  • Keeping your system up-to-date should be a priority for users.

The Car Hacker’s Handbook: A Guide for the Penetration Tester

Tags: Car Security


Nov 21 2022

How to improve secure coding education

Category: App SecurityDISC @ 2:53 pm

Did you know that not one of the top 50 undergraduate computer science programs in the U.S. requires a course in code or application security for majors? Yet the threatscape is only expanding.

A recent report by Security Journey reveals the gap left by academia when developers are being trained to write code, and the ways in which the current state of security awareness can evolve into continuous, programmatic, and more effective education. Other key suggestions from the discussion include:

  • Investment should be driven down from the top of organizations
  • Training must be relevant to each professional
  • Collaboration between industry and academia is needed

In this Help Net Security video, Jason Hong, Professor at Carnegie Mellon University, discusses the steps both industry and academia can take to improve application security knowledge and secure coding education.

Building Secure and Reliable Systems

Tags: Building Secure and Reliable Systems, secure coding education


Nov 07 2022

Top 7 Methods to Minimize Application Threat Risks in Healthcare

Category: App SecurityDISC @ 1:27 pm

Healthcare organizations are increasingly using apps for telehealth and beyond. These apps have a significant impact on how they operate. They also have access to lots of sensitive information, such as EMR.

As a result, we have seen an uptick in healthcare application threats globally. The top threat risks in the healthcare industry include ransomware, DDoS, and automated attacks.

Healthcare data breaches are the costliest across the globe. They cost healthcare organizations USD 9.23 million on average. The figure is more than twice the pan-industry average of USD 4.24 million.  Managing AppSec risks is crucial to healthcare organizations.

How to Reduce Risks of Healthcare Application Threats? 

  • Ongoing Risk Assessments 

This is the first, most critical step in risk management in healthcare. It lays the foundation for a robust AppSec program. Risk assessments help you identify, analyze and rank your apps’ risks. 

Risk assessments involve the following: 

  • Identifying app vulnerabilities
  • Evaluating the exploitability of each vulnerability
  • Identifying application threats 
  • Analysing attack probability 
  • Analysing the potential impact of application threats on mission-critical assets 
  • Allocating resources based on the criticality of risks 
  • Defining ways to keep risks within tolerance levels

This way, you can ensure your mission-critical assets are always available and secure. 

Compliance frameworks like HIPAA mandate that these assessments be done once a year. But that isn’t enough. You need to keep assessing and managing risks regularly. Only then can you harden your app security posture. 

  • Establish and Update Security Policies

Clearly defined app security policies are critical to averting application threat risks. These policies should incorporate security, industry, legal and regulatory best practices. The AppSec policies should define security strategies, processes, tools, and procedures. They should define the following: 

  • Incident response and disaster recovery plans
  • Role-based, strict access controls
  • Zero trust authentication and password policies 
  • Backup and storage 
  • Data privacy and security policies 

AppSec should define processes for users to report suspicious activities. AppSec policies should include proper communication plans too.

Further, you must regularly update these security policies. The policies should reflect the latest best practices and the latest risk posture. 

  • Identify and Secure Threat Entry Points

How do application threats become successful attacks? Attackers keep looking for exploitable entry points. These entry points are vulnerabilities, misconfigurations, and security gaps. They exploit entry points that aren’t secure when they find them. They can then 

  • Introduce malware
  • Create backdoors
  • Steal data
  • Make services unavailable to patients/ employees 

So, you need to be proactive in finding and securing entry points. And do so before attackers find them. To this end, you must put in place a vulnerability management program. 

Inventory all your healthcare app-related assets. This process should be automated. It should automatically identify all endpoints, APIs, components, third-party services, etc. Make sure to include all assets for crawling by your scanning and next-gen WAF tools. 

Deploy an automated scanner to keep identifying known flaws. This way, you can prevent the inaccuracies and inefficiencies of manual scanning. Perform pen-testing and security audits regularly to identify 

  • Unknown vulnerabilities
  • Logical flaws 
  • Zero-day application threats
  • The exploitability of flaws
  • Strength of security defenses 

You can rank these flaws based on the level of risks involved. Then, you can remediate through permanent fixes or instant virtual patching. Leverage fully managed security solutions to manage your vulnerabilities better.

  • Centralized Visibility into Security Posture 

You must have real-time visibility into your app security posture. This will help you take immediate action to prevent application threats. 

  • Ensure Your Vendors Prioritize Security 

You may use several third-party apps, APIs, and services. It is key that you carefully vet vendors before onboarding services. Why? Your apps will be at risk if they don’t take security seriously. Make sure they take steps to monitor and avert application threats.  

You must also ensure vendors are compliant. To this end, you should keep monitoring and auditing them. 

  • Keep Educating All Users 

Human errors are top vulnerabilities enabling cyber attacks in healthcare. That is why continuous education of all users is a must. Users include patients/ customers, employees, and partners who use your apps. 

All users must know the app security dos and don’ts. They should know what to click and what not to. They must be able to make smart decisions. They must know whom to report to or what action to take when observing unusual activities. 

  • Invest in Reliable Security Solutions 

Invest in reliable, fully managed security solutions like AppTrana. AppTrana includes comprehensive security solutions backed by industry expertise in managing your healthcare security risks. 

The Way Forward

Cyber-attacks on healthcare are becoming more lethal, complex, and severe. Take proactive action to minimize your application threat risk.

Threat Risks in Healthcare

Application Security Program Handbook: A guide for software engineers and team leaders

Tags: Application Threat


Oct 04 2022

How cybersecurity frameworks apply to web application security

Category: App SecurityDISC @ 2:26 pm

A cybersecurity framework provides a formal and comprehensive set of guidelines to help organizations define their security policies, assess cybersecurity posture, and improve resilience. Cybersecurity frameworks specify security controls, risk assessment methods, and suitable safeguards to protect information systems and data from cyberthreats. Though originally developed for government agencies and other large organizations, cybersecurity frameworks can also be a useful source of security best practices for medium and small businesses. Without getting too formal, let’s see what cybersecurity frameworks exist, why you may want to use one, and how to hand-pick the cybersecurity processes and actions that apply to your specific web application security program.

Why cybersecurity frameworks exist

Depending on the organization, a successful cyberattack can have serious social, economic, or even political consequences. Whether they result in a denial of service, a data breach, or a stealthy and persistent presence in targeted systems, cyberattacks are now a permanent concern not only for business and government but even for military operations. Well-defined cybersecurity programs are vital for organizations of all sizes, but simply saying “secure everything” isn’t good enough, especially given the complexity of today’s interconnected information systems and supply chains. And with data security and privacy high on the agenda, a systematic and formalized approach is necessary to identify specific security controls that keep sensitive information inaccessible to malicious actors.

With public and private organizations of all sizes facing similar cybersecurity events and challenges, it became clear that a common cybersecurity framework would benefit everyone. By working to a common set of best-practice policies and recommendations, everyone would be able to define their own cybersecurity practices and protective technologies while maintaining a common baseline for auditing and certification. And for organizations that may lack the resources or technical resources to design their own policies from scratch, having such a starter policy kit could be the only way to come up with a reasonably complete and effective cybersecurity policy.

Commonly used cybersecurity frameworks

You can think of a cybersecurity framework as a common box of parts for building cybersecurity policies. More formally, a cybersecurity framework can be any document that defines procedures and goals to guide more detailed policies. Existing documents that contain such cybersecurity guidelines include:

  • The NIST Cybersecurity Framework: The most widely used document for cybersecurity policy and planning, developed by the National Institute of Standards and Technology.
  • ISO 27001 Information Security Management: Guidelines for information security management systems (ISMS) prepared by the International Organization for Standardization.
  • CIS Critical Security Controls for Effective Cyber Defense: A framework of actions to protect organizations from known cyberthreats, prepared by the Center for Internet Security.
  • Risk management frameworks: Documents such as NIST’s Risk Management Framework (NIST SP 800-37 Rev. 2) and the ISO 27005:2018 standard for Information Security Risk Management focus on risk management strategies, including cybersecurity risk management.
  • Industry-specific frameworks: Many industries have their own security standards for these sectors, such as PCI DSS for electronic payment processing, HIPAA rules for healthcare, or COBIT for IT management and governance.

A closer look at the NIST cybersecurity framework

In 2013, a US presidential executive order was issued calling for a standardized cybersecurity framework to describe and structure activities and methodologies related to cybersecurity. In response to this, NIST developed its Framework for Improving Critical Infrastructure Cybersecurity, commonly called the NIST Cybersecurity Framework (NIST CSF). It is a detailed policy document created not only to help organizations manage and reduce their cybersecurity risk but also to create a common language for communicating about cybersecurity activities. While the framework was initially intended only for companies managing critical infrastructure services in the US private sector, it is now widely used by public and private organizations of all sizes.

The NIST CSF is divided into three main components:

  • Framework core: The main informational part of the document, defining common activities and outcomes related to cybersecurity. All the core information is organized into functions, categories, and subcategories.
  • Framework profile: A subset of core categories and subcategories that a specific organization has chosen to apply based on its needs and risk assessments.
  • Implementation tiers: A set of policy implementation levels, intended to help organizations in defining and communicating their approach and the identified level of risk for their specific business environment.

The framework core provides a unified structure of cybersecurity management processes, with the five main functions being Identify, Protect, Detect, Respond, and Recover. For each function, multiple categories and subcategories are then defined. This is where organizations can pick and mix to put together a set of items for each function that corresponds to their individual risks, requirements, and expected outcomes. For clarity and brevity, each function and category has a unique letter identifier, so for example Asset Management within the Identify function is denoted as ID.AM, while Response Planning within the Respond function is RS.RP.

Each category includes subcategories that correspond to specific activities, and these subcategories get numerical identifiers. To give another example, the subcategory “Detection processes are tested”, under the Detection Processes category of the Detect function, is identified as DE.DP-3. Subcategory definitions are accompanied by references to the relevant sections of standards documents for quick access to the normative guidelines for each action.

NIST cybersecurity framework

Applying the NIST framework to application security

By design, the NIST CSF has an extremely broad scope and covers far more activities than any specific organization is likely to need. To apply the framework to web application security, you start by analyzing each of the five functions as they relate to your existing and planned application security activities and risk management processes. Then, you select the categories and subcategories relevant to your specific needs and use them as the backbone of your own security policy to ensure you cover all the risks and activities you need. For general web application security, a skeleton cybersecurity policy would need to include at least the following subcategories for each function:

Identify:

  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • ID.RA-1: Asset vulnerabilities are identified and documented

Protect:

  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.DS-2: Data-in-transit is protected
  • PR.IP-10: Incident response and recovery plans are tested

Detect:

  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.CM-8: Vulnerability scans are performed

Respond:

  • RS.RP-1: Response plan is executed during or after an incident
  • RS.AN-1: Notifications from detection systems are investigated

Recover:

  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

IBM Application Security for Developers (Free)

Learn to identify security vulnerabilities in applications and implement secure code practices to prevent events like data breaches and leaks. Become familiar with DevSecOps practices, and SAST for identifying security flaws.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Tags: Countermeasures for Modern Web Applications, Web Application Security


Aug 30 2022

Don’t Let ‘Perfect’ Be the Enemy of a Good AppSec Program

Category: App SecurityDISC @ 2:43 pm

These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.

Image credit: Marek Uliasz via Alamy Stock Photo

Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of this would be managing evidence for top secret counterterrorism activities, invaluable intellectual property such as the first COVID-19 vaccine, or systems that require uptimes of five 9s (99.999%) or higher, for which downtime of a single minute can cost millions of dollars.

That said, for most companies, a “good” application security (AppSec) program will suffice. A good program is one where your applications are safe against the most common types of attacks but could still fall to a determined, well-funded, and advanced attacker. Let’s discuss the differences, and how to create something that meets your company’s needs.

Elections Require Perfection

For a “perfect” AppSec program, every single potential vulnerability reported by any test must be investigated by a security expert. This means running static application security testing (SAST), dynamic application security testing (DAST), and other automated tools with the confidence level for findings set to report “any and all” possibilities. That requires hiring one or more security experts who are trained to run down each item and given weeks to check each application. It also means hiring several security professionals to do manual security testing and code review, for multiple viewpoints, and to re-test that the bugs are truly fixed and have not created new bugs in the process. It is both time-consuming and quite expensive.

A few years ago, I worked on an application that had to run on a 32-kilobit modem in the Arctic. It makes our elections in Canada happen, which meant it had to be absolutely perfect. We hired several different security professionals, who used a multitude of tools and manual techniques to find both security and non-security issues within our application. We did stress testing, performance testing, integration testing, and so much more. We set up a functional returning office (the place that you vote), with every system fully functional, and ran an entire 36-day mock election, with fake security incidents thrown into the mix, 6 months before the big day. We spent the following 6 months finalizing every detail. It’s unlikely you would have noticed, as when the 52nd General Election happened on Oct. 19, 2015, it went off without a hitch.

They don’t write news articles when everything goes right. We also put in quite a bit more work than what I shared above, which I am not at liberty to share. The point is that being perfect is not cheap, and it is not quick.

5 Ways to Make Good ‘Good Enough’

With that story in mind, does your organization need to be truly perfect? Or is “good” good enough? Let’s look at some ways your organization could create a scalable and affordable application security program that is good.

1. Automate. First off, leverage automation whenever possible. There are many free and paid security tools that can provide good results. When I say good, I mean most of the results they report are true positives, and the false negatives (missed bugs) are at a level your organization can be comfortable with. Some automated tools will allow you to set a confidence level for your results; starting with a confidence level of “high” in the first year of your program, and then shifting to “medium” in the second year, is a good way to get software developers to have faith in what you are reporting while not overwhelming them.

2. Use anti-pattern matching SAST. For SAST tools, when you’re aiming for “good” results, select a next-generation SAST that performs anti-pattern matching (regex looking for known-bad patterns) rather than an original SAST type that performs symbolic execution (running down every possible code outcome, searching for potential flaws and bugs). While the original types of SAST are ideal for creating a perfect application, next-generation SASTs are faster, provide more true positives, and are sometimes quite a bit cheaper as well.

3. Spell out technical requirements. When starting new projects, give your project team a list of expectations, both for technical security requirements and for activities you expect them to participate in as part of the project life cycle. You could create a list once for each type of technology (Web apps, APIs, serverless, infrastructure as code, containers, etc.), then reuse that list for every new project it applies to. This also allows a project manager to schedule time for the security activities to happen so that project teams don’t face unexpected overtime.

4. Run a threat model. During the design phase, reserve one hour with the product owner, the technical leader of the project, and a member of the AppSec team. Perform a simple threat model on your application and implement some of the recommendations from that session.

5. Train people on secure coding. Give your software developers secure coding training. There are several free or almost-free courses on the Internet for this now, and every bug they help your people avoid creating saves you more time and money than you may realize.
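An added example (not from the article) of what suggestions 1 and 2 look like in practice: a tiny anti-pattern-matching scanner whose rules are regexes for known-bad code with a confidence level attached, so a program can start by reporting only “high” findings and widen to “medium” later. The rule IDs and the sample source it scans are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

LEVEL = {"high": 2, "medium": 1}  # the confidence ladder from suggestion 1


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    confidence: str
    message: str


# Constructed rule set: each rule is a regex for a known-bad pattern (the
# "anti-pattern matching" approach from suggestion 2). Rule IDs are made up.
RULES: List[Rule] = [
    Rule("PY-EVAL", re.compile(r"\beval\s*\("), "high",
         "eval() on request data is a code-injection sink"),
    Rule("PY-SHELL", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"), "high",
         "shell=True with a concatenated command string enables command injection"),
    Rule("PY-PICKLE", re.compile(r"\bpickle\.loads?\("), "medium",
         "pickle deserialization of untrusted data executes arbitrary code"),
    Rule("PY-SQLFMT", re.compile(r"\.execute\(\s*(?:f['\"]|['\"][^'\"]*['\"]\s*[%+])"), "medium",
         "SQL built by string formatting or concatenation; use a parameterized query"),
    Rule("PY-YAML", re.compile(r"yaml\.load\((?![^)]*Loader=)"), "medium",
         "yaml.load without an explicit safe Loader"),
]


@dataclass(frozen=True)
class Finding:
    line: int
    rule_id: str
    confidence: str
    message: str
    text: str


def scan(source: str, min_confidence: str = "high") -> List[Finding]:
    """Report rule hits at or above min_confidence ('high' in year one, 'medium' later)."""
    threshold = LEVEL[min_confidence]
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip comment-only lines
            continue
        for rule in RULES:
            if LEVEL[rule.confidence] >= threshold and rule.pattern.search(line):
                findings.append(Finding(lineno, rule.rule_id, rule.confidence, rule.message, line.strip()))
    return findings


# Constructed sample source. Lines 7 and 8 are the safe variants (explicit SafeLoader,
# parameterized query) and must not be flagged.
SAMPLE_SOURCE = """\
import pickle, subprocess, yaml
def handler(request, cursor, uid, name):
    data = eval(request.args["expr"])
    subprocess.run("ls " + request.args["dir"], shell=True)
    obj = pickle.loads(request.data)
    cfg = yaml.load(request.data)
    safe = yaml.load(request.data, Loader=yaml.SafeLoader)
    cursor.execute("SELECT * FROM t WHERE id = %s", (uid,))
    cursor.execute(f"SELECT * FROM t WHERE n = '{name}'")
    return data, obj, cfg, safe
"""

if __name__ == "__main__":
    for level in ("high", "medium"):
        print(f"--- min confidence: {level}")
        for f in scan(SAMPLE_SOURCE, level):
            print(f"line {f.line}: [{f.rule_id}/{f.confidence}] {f.message}")
```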

Although this is just a short list of ways to build a scalable and affordable program for creating secure apps, these five suggestions provide a great place to start from or to add to an already existing program to make “good” software.

https://www.darkreading.com/edge-articles/don-t-let-perfect-be-the-enemy-of-a-good-appsec-program

Secure Application Development

Tags: App security by design


Aug 15 2022

How to manage the intersection of Java, security and DevOps at a low complexity cost

Category: App SecurityDISC @ 8:44 am

In this Help Net Security video above, Erik Costlow, Senior Director of Product Management at Azul, talks about Java centric vulnerabilities and the headache they have become for developers everywhere.

He touches on the need for putting security back into DevOps and how developers can better navigate vulnerabilities that are taking up all of their efforts and keeping them from being able to focus on the task at hand.

Java

Microservices Security in Action: Design secure network and API endpoint security for Microservices applications, with examples using Java, Kubernetes, and Istio

Tags: DevOps, Java Security


Aug 05 2022

Software Bill of Material and Vulnerability Management Blind Spots

Category: App Security,Security vulnerabilitiesDISC @ 9:29 am


Open source software is everywhere (which is not a bad thing in itself). However, many buyers don’t have an inventory of the open source components included in the software products they are buying. Businesses even fail to keep track of the open source components used in internally developed applications. As a result, vulnerability management programs have blind spots.

Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

Why it matters:

  1. Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and Apache server.
  2. Many commercial software vendors use open source components but don’t properly and adequately disclose all open source components included in the commercial products.
  3. Recent vulnerabilities (e.g. log4j) have far reaching impact.
  4. Software applications developed in-house also include open source components. As these applications age and the initial developers move on to new jobs, older and vulnerable open source components may stay in the applications unnoticed for a long time.

What to do:

  1. It is crucial to have an up-to-date inventory of all open source software, whether used as standalone products or embedded as a library inside a product. We can’t manage what we don’t know exists.
  2. Require your software vendors to provide you with a list of all open source libraries and their versions embedded into their products.
  3. Make this list part of the vulnerability management program. Monitor release of new vulnerabilities and patches for your inventory of open source software components.

When building a bill of material for open source components, it is imperative not only to contact your software vendors but also to review all software applications developed in-house. In some cases you may use source code scanning tools to build an inventory of these components.
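An added example, not from the post: turning a minimal CycloneDX-style SBOM (including a library embedded inside a product, as the “What to do” list requires) into an inventory and matching it against an advisory feed by version range, which is the “make this list part of the vulnerability management program” step. The SBOM, the advisory IDs and the version ranges are constructed placeholders, not real advisory data.

```python
import json
import re
from typing import Iterator, List, Tuple

# Constructed CycloneDX-style SBOM (a minimal subset of the real format): one product
# that embeds two libraries, plus one standalone library.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "billing-portal", "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
       {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"}
     ]},
    {"type": "library", "group": "org.apache.commons", "name": "commons-text", "version": "1.9"}
  ]
}
"""

# Constructed advisory feed. IDs and ranges are illustrative placeholders, not real advisory data.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-0002", "group": "org.apache.commons", "name": "commons-text",
     "introduced": "1.5", "fixed": "1.10.0"},
    {"id": "ADV-PLACEHOLDER-0003", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.12.0"},  # already fixed in 2.14.1, must not match
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric prefix of each dotted piece: '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0).
    Good enough for the matching here; pre-release ordering is deliberately not modelled."""
    out = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed (the fixed version itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def walk_components(components: List[dict], path: Tuple[str, ...] = ()) -> Iterator[Tuple[dict, Tuple[str, ...]]]:
    """Depth-first walk so libraries embedded inside a product are inventoried too."""
    for comp in components:
        here = path + (f'{comp["name"]}@{comp["version"]}',)
        yield comp, here
        yield from walk_components(comp.get("components", []), here)


def load_inventory(sbom_json: str) -> List[dict]:
    """Flatten the SBOM into one inventory row per component, keeping its nesting path."""
    bom = json.loads(sbom_json)
    return [
        {"group": comp.get("group", ""), "name": comp["name"], "version": comp["version"],
         "type": comp.get("type", ""), "path": " > ".join(path)}
        for comp, path in walk_components(bom.get("components", []))
    ]


def match_advisories(inventory: List[dict], advisories: List[dict]) -> List[dict]:
    """Cross-reference the inventory with the advisory feed by (group, name) and version range."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            same_pkg = (comp["group"], comp["name"]) == (adv["group"], adv["name"])
            if same_pkg and version_in_range(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"advisory": adv["id"], "component": comp["path"],
                                 "version": comp["version"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    inventory = load_inventory(SBOM_JSON)
    for f in match_advisories(inventory, ADVISORIES):
        print(f'{f["advisory"]}: {f["component"]} (fixed in {f["fixed_in"]})')
```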

A Guide to Open-Source Software Security Risks & Best Practices

Implementing Enterprise Cybersecurity with Opensource Software and Standard Architecture

Tags: Open source security, Opensource Software


Aug 04 2022

GitHub blighted by “researcher” who created thousands of malicious projects

Category: App Security,MalwareDISC @ 10:46 am

Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.

This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.

These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science.
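As an added example (not from the article), a defender-side check for the kind of look-alike project names described above: normalise names the way a package index does, then flag any new name that sits within a small edit distance of a well-known project. The list of popular packages is a constructed subset; a real check would use the index's own top-downloads list.

```python
import re
from typing import List, Tuple

# Constructed subset of well-known package names.
POPULAR_PACKAGES: List[str] = ["requests", "numpy", "urllib3", "django", "pillow", "cryptography"]


def normalize(name: str) -> str:
    """PEP 503 style comparison: case-insensitive, runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_popular(name: str, popular: List[str] = POPULAR_PACKAGES) -> Tuple[str, int]:
    """The popular package nearest to `name` after normalisation, and its distance."""
    n = normalize(name)
    best = min(popular, key=lambda p: levenshtein(n, normalize(p)))
    return best, levenshtein(n, normalize(best))


def classify(name: str, popular: List[str] = POPULAR_PACKAGES, max_distance: int = 2) -> Tuple[str, str, int]:
    """Return (verdict, closest popular name, distance).

    'known'      - exactly a popular package (after normalisation)
    'suspicious' - within max_distance edits of one: a typo-squat candidate to review
    'unrelated'  - far from every popular name
    """
    best, dist = closest_popular(name, popular)
    if dist == 0:
        return "known", best, 0
    if dist <= max_distance:
        return "suspicious", best, dist
    return "unrelated", best, dist


def review_upload_queue(names: List[str]) -> List[Tuple[str, str, str, int]]:
    """What an index moderator might run over newly registered project names."""
    return [(n, *classify(n)) for n in names]


if __name__ == "__main__":
    # Constructed queue of new project names.
    for row in review_upload_queue(["requets", "Requests", "urlib3", "crytpography", "flask"]):
        print(row)
```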

A month after that, we wrote about a PhD student (who should have known better) and their supervisor (who is apparently an Assistant Professor of Computer Science at a US university, and very definitely should have known better) who went out of their way to introduce numerous apparently legitimate but not-strictly-needed patches into the Linux kernel.

They called these patches hypocrite commits, and the idea was to show that two peculiar patches submitted at different times could, in theory, be combined later on to introduce a security hole, effectively each contributing a sort of “half-vulnerability” that wouldn’t be spotted as a bug on its own.

As you can imagine, the Linux kernel team did not take kindly to being experimented on in this way without permission, not least because they were faced with cleaning up the mess:

Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university…

GitHub splattered with hostile code

Accelerate DevOps with GitHub: Enhance Software Delivery Performance with GitHub Issues, Projects, Actions, and Advanced Security

Tags: DevOps, DevSecOps, malicious projects


Jul 27 2022

DUCKTAIL operation targets Facebook’s Business and Ad accounts

Category: Access Control,App Security,AuthenticationDISC @ 8:29 am

Researchers uncovered an ongoing operation, codenamed DUCKTAIL that targets Facebook Business and Ad Accounts.

Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a Vietnamese financially motivated threat actor that is suspected to have been active since 2018.

“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.

The threat actors target individuals and employees who may have access to a Facebook Business account. They use information-stealer malware that steals browser cookies and abuses authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers approached the victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud, and MediaFire.

WithSecure researchers noticed that the samples used in the DUCKTAIL operation were written in .NET Core and compiled with its single-file feature, which bundles the main assembly and all dependent libraries and files into one executable. Experts pointed out that the use of .NET Core and its single-file feature is uncommon in malware development.

The use of .NET Core lets the attackers embed the Telegram.Bot client, along with any other external dependencies, into a single executable and use Telegram channels as Command and Control (C&C).

“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation.


Once the attackers have obtained this data, they can access the victim’s personal account, hijack it by adding an email address retrieved from the Telegram channel, and grant themselves Admin and Finance editor access.

“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.

Countries affected by the DUCKTAIL samples analyzed by the experts include the US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.

“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”

Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.
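The report notes that the operator moved its C&C entirely onto the Telegram Bot API. The following is an added example, not code from the WithSecure report: it parses constructed web-proxy log lines and flags workstations that call the Bot API (`api.telegram.org/bot<token>/<method>`), which is a useful hunting lead because ordinary Telegram use goes to other endpoints. Log format, hostnames and the token value are assumptions.

```python
"""Added example (not from the WithSecure report): flag outbound calls to the
Telegram Bot API in web-proxy logs as a hunting lead for DUCKTAIL-style
exfiltration. Log lines, client addresses and the bot token are constructed."""
import re
from collections import defaultdict

# Constructed proxy log lines: timestamp, client IP, method, URL, user agent.
SAMPLE_LOG = """\
2022-07-26T09:12:01Z 10.1.4.23 GET https://www.facebook.com/business/ Mozilla/5.0
2022-07-26T09:12:44Z 10.1.4.23 POST https://api.telegram.org/bot1234567:PLACEHOLDER/sendDocument -
2022-07-26T09:13:02Z 10.1.4.23 POST https://api.telegram.org/bot1234567:PLACEHOLDER/sendMessage -
2022-07-26T09:14:10Z 10.1.4.57 GET https://web.telegram.org/ Mozilla/5.0
2022-07-26T09:15:30Z 10.1.4.88 GET https://www.dropbox.com/s/abc123/Project.zip Mozilla/5.0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
# Bot API calls look like /bot<token>/<method>; the token is the secret the
# operator embedded in the malware, so only the method name is kept.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot[^/]+/(\w+)")


def parse_line(line):
    """Split one proxy log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def find_bot_api_clients(log_text):
    """Return {client_ip: [api_method, ...]} for hosts talking to the Bot API.

    A desktop Telegram client or the web app does not call /bot<token>/...;
    sendDocument/sendMessage with an empty User-Agent from a workstation is
    the pattern worth reviewing."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.match(rec["url"])
        if m:
            hits[rec["client"]].append(m.group(1))
    return dict(hits)


if __name__ == "__main__":
    for client, methods in find_bot_api_clients(SAMPLE_LOG).items():
        print(f"{client}: Telegram Bot API calls -> {', '.join(methods)}")
```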

Security Manual. Whatsapp and Facebook

Tags: DUCKTAIL operation, Facebook security, Security Manual


Jul 14 2022

Microsoft published exploit code for a macOS App sandbox escape flaw

Category: App SecurityDISC @ 8:35 am

Microsoft publicly disclosed technical details of an access-issue vulnerability, tracked as CVE-2022-26706, in the macOS App Sandbox.

“Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.” reads the post published by Microsoft.

Microsoft reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. Apple addressed the CVE-2022-26706 flaw on May 16, 2022. 

“An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions.” reads the description of this issue.

An attacker can trigger the flaw with a specially crafted Office document containing malicious macro code that bypasses sandbox restrictions and executes commands on the system.

The Apple App Sandbox protects system resources and user data by limiting an app’s access to the resources it has requested through entitlements.

Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.

Microsoft researchers demonstrated that specially crafted code could bypass the sandbox rules. An attacker could exploit the sandbox escape to gain elevated privileges on the affected device or execute malicious commands, such as installing additional payloads.

“We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix.” reads the post. “Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open –stdin command on a specially crafted Python file with the said prefix.”

The root cause of the issue is backward compatibility, which allows Microsoft Word to read and write files with the “~$” prefix.

The experts first created a PoC exploit in which a macro launched a shell script with the Terminal app, but it was blocked by the sandbox because the dropped file was automatically given the com.apple.quarantine extended attribute, which prevents execution by Terminal. They then tried Python scripts, but the Python app had the same problem running files carrying that attribute.

In one of the attempts, the researchers created a proof-of-concept (PoC) that used the --stdin option of the open command on a Python file to bypass the “com.apple.quarantine” extended attribute restriction: Python had no way to determine that the contents arriving on its standard input came from a quarantined file.

“Our POC exploit thus became simply as follows:

  1. Drop a “~$exploit.py” file with arbitrary Python commands.
  2. Run open --stdin=’~$exploit.py’ -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.” continues the post.
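From a detection standpoint, the chain above leaves a distinctive process-launch pattern: an Office app spawning `open` with `--stdin` pointed at a “~$”-prefixed file. The following is an added example, not Microsoft’s or Apple’s code, that applies that check to constructed process-start events; the event field names are an assumption about whatever EDR or audit source is in use.

```python
"""Added example (not from Microsoft's write-up): flag process launches that
match the CVE-2022-26706 pattern, an Office app spawning `open --stdin` on a
"~$"-prefixed file. The events are constructed and the field names assumed."""
import re
import shlex

# Constructed process-start events: parent process, executable, command line.
SAMPLE_EVENTS = [
    {"parent": "Microsoft Word", "exe": "/usr/bin/open",
     "cmdline": "open -a Safari https://example.com"},
    {"parent": "Microsoft Word", "exe": "/usr/bin/open",
     "cmdline": "open --stdin='~$exploit.py' -a Python"},
    {"parent": "Terminal", "exe": "/usr/bin/open",
     "cmdline": "open --stdin=notes.txt -a TextEdit"},
    {"parent": "Microsoft Word", "exe": "/usr/bin/open",
     "cmdline": "open ~$report.docx"},
]

OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
# Accept "--stdin=FILE", "-stdin=FILE" and the separated "--stdin FILE" form.
STDIN_FLAG = re.compile(r"^--?stdin(?:=(.*))?$")


def stdin_target(cmdline):
    """Return the file passed to open's --stdin option, or None if absent."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        m = STDIN_FLAG.match(arg)
        if m:
            if m.group(1) is not None:
                return m.group(1)
            return args[i + 1] if i + 1 < len(args) else None
    return None


def is_suspicious(event):
    """True when an Office app launches `open --stdin` on a ~$-prefixed file.

    The ~$ prefix is what Word is allowed to write for compatibility, and
    feeding such a file to a program via stdin is how the quarantine
    attribute check was sidestepped in the disclosed PoC."""
    if event["parent"] not in OFFICE_PARENTS or not event["exe"].endswith("/open"):
        return False
    target = stdin_target(event["cmdline"])
    return target is not None and target.rsplit("/", 1)[-1].startswith("~$")


def suspicious_events(events):
    """Filter a list of process-start events down to the matching ones."""
    return [e for e in events if is_suspicious(e)]
```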


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: exploit code


Jun 06 2022

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During its bug hunting activity, Red Team Research (RTR) detected two zero-day bugs in GEMINI-NET, a RESI Informatica solution.

One of them is an OS Command Injection that NIST rated Critical, with a score of 9.8. The vulnerability stems from a failure to check the parameters sent as input before the server processes them.

Because user input is not validated, an attacker can ignore the syntax intended by the software and inject arbitrary system commands that run with the privileges of the application user.
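The flaw class described here, as an added example that is not RESI’s code: a monitoring tool that pings a host supplied by the user, shown first in the vulnerable shape (input spliced into a shell string, so the separator characters the advisory lists chain a second command) and then hardened with input validation and an argv list that no shell ever parses. Function and parameter names are assumptions.

```python
"""Added example (not RESI's code): the OS command injection pattern from the
advisory beside a hardened version. The tool name and functions are assumed."""
import re
import subprocess

# Shell metacharacters that let input chain or terminate a command; the
# advisory cites &, |, ; and \r specifically.
INJECTION_RE = re.compile(r"[&|;\r\n`$<>]")
# A plain hostname or IPv4 literal: alphanumerics, dots and dashes only,
# and never a leading dash, so the value cannot be read as an option.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_ping_command_vulnerable(host):
    """The flawed pattern: the user value is concatenated into a string that is
    later handed to a shell (shell=True), so 'host;id' runs 'id' as well."""
    return "ping -c 1 " + host


def validate_host(host):
    """Reject anything that is not a plain hostname or IPv4 address."""
    if INJECTION_RE.search(host):
        return False
    return HOSTNAME_RE.match(host) is not None


def build_ping_command(host):
    """Hardened form: validate first, then build an argv list so the value is
    passed to ping as a single argument and no shell interprets it."""
    if not validate_host(host):
        raise ValueError(f"invalid host: {host!r}")
    return ["ping", "-c", "1", host]


def ping(host):
    """Run the hardened command and return ping's exit status."""
    proc = subprocess.run(build_ping_command(host), capture_output=True,
                          text=True, check=False)
    return proc.returncode


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "host;id", "a.example.com|cat /etc/passwd"]:
        print(candidate, "->", "ok" if validate_host(candidate) else "rejected")
```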

RESI S.p.A. has for over thirty years been a technology partner of the largest Italian organizations, such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM and Italtel. RESI S.p.A. is also one of the few Italian companies that creates national technology.

Please note that patches for these specific vulnerabilities have been released by Resi.


What GEMINI-NET from Resi is

GEMINI-NET™ is a Resi product that provides active and passive monitoring of networks and communication services, and is used in many networks, both legacy and new generation. The platform is an OSS system that is integrable, modular and scalable.

It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.



According to the institutional website https://www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the Coordinated Vulnerability Disclosure (CVD) process with Massimiliano Brolli leading the project, publishing only after the fixes made by the vendor were available.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 – RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
  • Software Version: 4.2
  • NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29539
  • CVSSv3: 9.8
  • Severity: Critical

RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\` commands) and inject arbitrary system commands with the privileges of the application user.

This is one of the few Italian centres of industrial research into security bugs; for several years it has carried out “bug hunting” activities that search for undocumented vulnerabilities, leading to the issuance of a Common Vulnerabilities and Exposures (CVE) entry in the United States National Vulnerability Database once the Coordinated Vulnerability Disclosure (CVD) with the vendor is complete.

In two years of activity, the team has found many 0-days in very popular products from big vendors such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson Controls and Schneider Electric, as well as from other vendors across different software architectures.

In two years, more than 70 CVEs have been published: 4 with Critical severity (CVSSv3 score 9.8), 23 with High severity and 36 with Medium severity.

Regarding a vulnerability detected in Johnson Controls’ Metasys Reporting Engine (MRE) Web Services product, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a dedicated security bulletin whose Background section lists: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian organisation that issues a CVE every 6 working days, contributing internationally to the search for undocumented vulnerabilities and to the security of products used by many organizations and individuals.




Tags: command injection, Secure Application Development

