Sep 21 2023

MOVEit Transfer SQL Injection Let the Attacker Gain Unauthorized Access to the Database

Category: Authentication,data securitydisc7 @ 9:17 am
MOVEit Transfer SQL Injection Let the Attacker Gain Unauthorized Access to the Database

MOVEit transfer service pack has been discovered with three vulnerabilities associated with SQL injections (2) and a Reflected Cross-Site Scripted (XSS). The severity for these vulnerabilities ranges between 6.1 (Medium) and 8.8 (High).

Progress-owned MOVEit transfer was popularly exploited by threat actors who attacked several organizations as part of a ransomware campaign. The organizations previously reported to be affected by MOVEit vulnerability include Shell, BBC, British Airways, CalPERS, Honeywell, and US government agencies.

CVE-2023-42660: MOVEit Transfer SQL Injection

This SQL injection vulnerability was discovered on the MOVEit Transfer machine interface, which could lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer machine interface. 

Successful exploitation could result in the modification and disclosure of MOVEit database content. However, a threat actor must be authenticated to exploit this vulnerability. Progress has given the severity of this vulnerability as 8.8 (High).

Products affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. Users are recommended to upgrade to the September Service Pack to fix this vulnerability.

CVE-2023-40043: MOVEit Transfer SQL Injection

This other SQL injection vulnerability exists in the MOVEit Transfer web interface, which could possibly lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer web interface.

Successful exploitation could result in the modification and disclosure of MOVEit database content. The prerequisite for a threat actor to exploit this vulnerability includes access to a MOVEit system administrator account. Progress has given the severity of this vulnerability as 7.2 (High).

Products that are affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to the September Service Pack and limit sysadmin account access.

CVE-2023-42656: MOVEit Transfer Reflected XSS

This Reflected XSS vulnerability was found in the MOVEit Transfer’s web interface, which a malicious payload can exploit during the package composition procedure. A threat could craft a malicious payload and target MOVEit Transfer users. When interacting with the payload, the threat actor can execute malicious JavaScript on the victim’s browser.

Progress has given the severity of this vulnerability as 6.1 (Medium). Products affected due to this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to September Service Pack and limit sysadmin account access.

A comprehensive list of vulnerable product versions, documentation, release notes, and fixed versions has been given below.

Affected VersionFixed Version (Full Installer)DocumentationRelease Notes
MOVEit Transfer 2023.0.x (15.0.x)MOVEit Transfer 2023.0.6 (15.0.6)MOVEit 2023 Upgrade Documentation   MOVEit Transfer 2023.0.6 Release Notes
MOVEit Transfer 2022.1.x (14.1.x)MOVEit Transfer 2022.1.9 (14.1.9)MOVEit 2022 Upgrade Documentation  MOVEit Transfer 2022.1.9 Release Notes
MOVEit Transfer 2022.0.x (14.0.x)MOVEit Transfer 2022.0.8 (14.0.8)MOVEit 2022 Upgrade Documentation  MOVEit Transfer 2022.0.8 Release Notes
MOVEit Transfer 2021.1.x (13.1.x)MOVEit Transfer 2021.1.8 (13.1.8)MOVEit 2021 Upgrade Documentation  MOVEit Transfer 2021.1.8 Release Notes
MOVEit Transfer 2021.0.x (13.0.x) or olderMust Upgrade to a Supported VersionSee MOVEit Transfer Upgrade and N/A
Migration Guide  

A security advisory has been released by Progress which includes a comprehensive list of the affected products and the vulnerabilities that have been identified.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MOVEit, SQL injection

Jul 29 2022

Strong Authentication – Robust Identity and Access Management Is a Strategic Choice

Category: Authentication,Password SecurityDISC @ 8:26 am
Strong Authentication – Robust Identity and Access Management Is a Strategic Choice

Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed.

“Usernames and passwords are insufficient and vulnerable means of authentication on their own; therefore, it is essential to employ strong authentication techniques like multi-factor authentication (MFA) to confirm users’ identities before granting secure access to resources,” Sarah Lefavrais, Product Marketing Manager, Thales states in her recent article. It’s true. Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed to improve security without hindering user convenience.

What is Strong Authentication?

Tech Target states that strong authentication is “any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter.” It is commonly referred to as a way to confirm a user’s identity when passwords are not enough. As Tech Target continues, the European Bank and many that adopt its guidelines state that strong authentication must include “at least two mutually-independent factors” so that the compromise of one will not lead to the compromise of the other. These factors are:

  • Knowledge – Something the user knows
  • Possession – Something the user has
  • Inherence – Something the user is

As Lefavrais states, employing more than one of these measures is needed to ensure only legitimate users can access applications and services,  and when applications contain sensitive data such as confidential, personally identifiable information that needs to be protected. 

In IAM strategy, strong authentication methods like MFA and Modern Authentication are quickly replacing traditional methods like passwords, especially as the new gold standard for how IT and security teams enforce access controls, and gain visibility into access events – especially as workloads move to the cloud, VMs and across remote and hybrid environments.

The IAM Security BoundaryStrong authentication is a critical component of modern-day identity and access management. It not only provides additional layers of security around entry points, but allows for customizable levels of authentication, authorization, and access control throughout your environment, giving users only the permissions (and sign-in requirements) they need. To illustrate that point, we’ll investigate two of the primary methods, MFA and Modern Authentication, further in-depth.

Multi-factor Authentication (MFA) is widely seen as the strongest mode of authentication. MFA allows you to:

  • Protect against the compromise made possible by weak passwords. With MFA, a password alone is insufficient to grant access, so credential stuffing and brute force attacks are rendered useless.
  • Reduce identity theft from phishing and other social engineering schemes. Even if you do click on that email and enter a few credentials, if your bank, work VPN, or other access point requires MFA (especially with tokenization, biometrics, or location-based entry), chances are those credentials won’t be enough, and hackers will move on to easier targets.
  • Stay within compliance boundaries like the OMB Memorandum for Zero Trust Cybersecurity and the European Union Agency for Cybersecurity (ENISA) and CERT-EU guidelines, as noted by Lefavrais. These require MFA use throughout subordinate enterprises.

A few MFA methods used in strong authentication include:

  • FIDO security keys
  • Certificate-based smart cards and certificate-based USB tokens
  • Mobile phone and software-based authentication
  • One Time Password (OTP) authenticators
  • Pattern-based (or grid) authenticators
  • Hybrid tokens

Modern Authentication relies on technologies, such as FIDO and Webauthn, contextual authentication and modern federation protocols, which ensure proper user identity and access controls in cloud environments.  That means you can implement more effective access security for cloud apps, alongside the existing access controls that are already in place for on-premises and legacy applications. Flexible policy-based access enable a friendly experience while maintaining a high level of security for roles or resources requiring it.

What to Look for in a Strong Authentication Service

When choosing a strong authentication service, be it on-premises or in the cloud, features to consider are:

  1. Policy-based access with ability to implement conditional access. In order to optimize the end user experience while maintain the best access security for a particular user and application, look for a solution that can enforce a range of authentication methods through policies and risk scoring.
  2. Resistant to phishing. Phishing accounts for roughly a quarter of all data breaches, according to Verizon’s 2021 DBIR. Strong authentication solutions with FIDO2 can both authenticate securely and prevent attacks.
  3. User experience. Do the methods involved create security fatigue, or is it simple to secure multiple-use authentication journeys?
  4. Adaptability and customizability. Can you assign different access controls based on role or asset? What about context, environment, or use case?

Ultimately, you need to ensure your strong authentication provider supports your industry’s identity and access regulations and integrates smoothly with your current identity environment, deploying flexibly and maintaining equilibrium as you transition over. To maintain a risk-based authentication posture, IAM solutions must continue evolving alongside increased digitization demands.  When a single lock and key no longer suffice to safeguard the VMs, remote environments, and cloud-based assets of today, we must adopt the access management and strong authentication methods that can.

About the Author: Katrina Thompson is an ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.

Strong Authentication

Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0

Tags: Identity and Access Management

Jul 27 2022

DUCKTAIL operation targets Facebook’s Business and Ad accounts

Category: Access Control,App Security,AuthenticationDISC @ 8:29 am
DUCKTAIL operation targets Facebook’s Business and Ad accounts

Researchers uncovered an ongoing operation, codenamed DUCKTAIL that targets Facebook Business and Ad Accounts.

Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.

“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.

The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers connected the victims through LinkedIn, some of the samples observed by the experts have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, it also includes the main assembly. Experts pointed out that the usage of .NET Core and its single-file feature is uncommon in malware development.

The use of .Net Core allows the attackers to embed Telegram.Bot client as well as any other external
dependencies into a single executable and use Telegram channels as Command and Control (C&C).

“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation

Ducktail

Once obtained the above data, the attackers can access to the victim’s personal account, hijack it by adding their email address retrieved from the Telegram channel and grant themselves Admin and Finance editor access.

“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.

Countries affected by DUCKTAIL samples analyzed by the experts includes US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.

“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”

Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.

Security Manual. Whatsapp and FacebookSecurity Manual. Whatsapp and FacebookSecurity Manual. Whatsapp and Facebook

Tags: DUCKTAIL operation, Facebook security, Security Manual

Apr 05 2019

Password Security

Category: Authentication,Password SecurityDISC @ 8:59 pm

Password Security Infographic by NCSC


Enter your email address:

Delivered by FeedBurner




Mar 31 2019

Facial ID payment

Category: Access Control,AuthenticationDISC @ 4:50 pm