Jan 17 2023

EXPLOIT CODE TO HACK LEXMARK PRINTERS AND PHOTOCOPIERS PUBLISHED, USES ZERO DAY VULNERABILITIES

Category: Printer security, Security vulnerabilities, Zero day | DISC @ 10:27 am

Lexmark International, Inc. is a privately owned American corporation that specializes in manufacturing laser printers and other imaging products.

The researcher found that the product is susceptible to two vulnerabilities, either of which an adversary can exploit to copy file data from a source path to a destination path or to induce the server-side application to make requests to an unintended location. According to the specialists, the printer also has two vulnerabilities that enable an authenticated attacker to upload arbitrary files and run code with elevated privileges.

He published proof-of-concept (PoC) exploit code for each of the four vulnerabilities on GitHub. These vulnerabilities make it possible for an adversary to seize control of a vulnerable device.

According to the researcher, an attack that exploits all four vulnerabilities together can compromise the device.

The proof-of-concept attack was successfully tested against a Lexmark MC3224adwe printer running the most recent firmware, CXLBL.081.225; it is claimed to work against other printers and photocopiers as well.

The security flaws discovered in Lexmark’s printer devices have not been fixed.

Tags: LEXMARK PRINTERS


Jan 04 2023

Top 10 Open Port Scanner and Port Checker Tools for 2023

Category: Security vulnerabilities | DISC @ 11:19 am

Port scanners and port checker tools are essential for finding open ports and determining the status of each port.

An open port is a TCP or UDP port number that is configured to accept packets.

Web pages or FTP services require their particular ports to be “open” on the server so that they are reachable.

What is an Open Port Scanner?

An open port scanner is a tool used to check an external IP address and identify which ports are open on it.

It is used to detect whether port forwarding is set up correctly or whether server applications are being blocked by a firewall.

Port checker tools examine the network for ports that are commonly forwarded.

A few ports, such as port 25, are usually blocked at the ISP level to curb suspicious activity.

Each packet carries a port number, which lets the protocol stack determine its intended destination and deliver it to the right application.

Most Used Ports

20 FTP – Data
21 FTP – Control
22 SSH Remote Login Protocol
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
110 POP3
115 Simple File Transfer Protocol (SFTP)
118 SQL Services
53 Domain Name System (DNS)
443 HTTPS
143 IMAP
389 LDAP
37 Time Protocol
123 Network Time Protocol
530 Remote procedure call
547 DHCPv6 server


How to Scan Open Ports in Windows?

  1. Press the Windows key and R at the same time to open the Run dialog.
  2. Type cmd and press Enter.
  3. In the command prompt, type “netstat -a” and press Enter.
  4. After a few seconds, it displays a complete list of connections and listening ports.
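As an added example (not part of the original post), the following Python script parses `netstat -a` output of the kind step 3 produces and reports the listening ports that are bound on every interface but are not on a per-host allowlist, which is the practical follow-up to the advice below to close ports that are not in use. The sample output, the host name DESKTOP-LAB and the allowlist are constructed for the example; loopback-only binds are reported separately because they are not reachable from the network.

```python
import re

# Constructed sample of `netstat -a` output from a Windows host (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            DESKTOP-LAB:0          LISTENING
  TCP    0.0.0.0:445            DESKTOP-LAB:0          LISTENING
  TCP    0.0.0.0:3389           DESKTOP-LAB:0          LISTENING
  TCP    127.0.0.1:5432         DESKTOP-LAB:0          LISTENING
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED
  TCP    [::]:135               DESKTOP-LAB:0          LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    127.0.0.1:1900         *:*
"""

# One socket row: protocol, local address, foreign address and an optional TCP state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Wildcard bind addresses: a socket bound here accepts traffic on every interface.
ALL_INTERFACES = {"0.0.0.0", "::"}

# Services this host is expected to expose (hypothetical allowlist; maintain one per host role).
EXPECTED_EXPOSED = {("TCP", 135), ("UDP", 123)}


def split_host_port(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('::', 135)."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def listening_sockets(netstat_text):
    """Return (proto, bind_host, port) for every socket that accepts inbound traffic.
    TCP rows count only in LISTENING state; UDP rows carry no state and always count."""
    sockets = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # banner, column header or blank line
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established connections are not exposure
        host, port = split_host_port(local)
        sockets.append((proto, host, port))
    return sockets


def unexpected_exposed_ports(netstat_text, allowlist=EXPECTED_EXPOSED):
    """Ports bound on all interfaces that are not allowlisted (candidates to close or firewall),
    plus the sockets bound to one specific address, which are usually not reachable remotely."""
    exposed, specific = set(), set()
    for proto, host, port in listening_sockets(netstat_text):
        if host in ALL_INTERFACES:
            if (proto, port) not in allowlist:
                exposed.add((proto, port))
        else:
            specific.add((proto, host, port))
    return sorted(exposed), sorted(specific)


if __name__ == "__main__":
    exposed, specific = unexpected_exposed_ports(SAMPLE_NETSTAT)
    for proto, port in exposed:
        print(f"review: {proto}/{port} listens on all interfaces and is not in the allowlist")
    for proto, host, port in specific:
        print(f"info: {proto}/{port} is bound to {host} only")
```

Run on a real host by piping `netstat -a` into the script; the allowlist is the part that needs thought, since every entry on it is a service you are deliberately leaving reachable.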

Best Port Checker & Port Scanner Tools

  • Advanced Port Scanner
  • TCP Port Scan with Nmap
  • IPVOID
  • Network Port Scanner Tool
  • DNS Tools
  • Web Proxy and Privacy Tool
  • SolarWinds Port Scanner
  • IP Tool
  • UltraTools
  • Yougetsignal

Advanced Port Scanner

Image: Advanced Port Scanner output displaying enabled ports

This open port scanner is fast, easy to use, and freely available.

It helps find the open ports on networked computers and identify the programs running on the detected ports.

The program has a flexible interface and useful functionality.

Key Features

  • Fast port scanning
  • Remote access
  • Getting information on network devices
  • Wake-On-LAN
  • Easy access
  • Run commands on the remote computer

TCP Port Scan with Nmap

This Open Port Scanner tool helps to identify which TCP port is open on your target machine and also provides OS information, service information, and also traceroute.

The Nmap port scanner tool is a web interface for the widely known Nmap port scanner, configured with parameters tuned for speed and accuracy.

Image: Zenmap/Nmap port scanner

The scanning process sends a packet to each port and listens for the acknowledgment.

This is called a ‘SYN scan’, which sends a TCP SYN packet to each port. If a port replies with SYN-ACK, it is flagged as open and the Nmap port scanner sends back an RST; a port that replies with RST is reported as closed, and a port that does not reply at all is reported as filtered.

In this way, no full TCP connection is established with the target machine.
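The exchange described above, worked through on both sides as an added example that is not part of the original article: `scan_view` shows how a half-open scan labels each probed port from the reply it gets (SYN-ACK, RST or nothing), and `detect_syn_scanners` shows the defender's mirror image, flagging a source that sends SYNs to many ports on one host without ever completing a handshake. The packet records, addresses and the port threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed packet records (not a real capture): (src, dst, target_port, flags).
# flags use tcpdump letters: S = SYN, SA = SYN-ACK, RA = RST-ACK, R = RST, A = ACK.
# target_port is always the port on the scanned host, in both directions.
TARGET, SCANNER, CLIENT = "192.0.2.10", "203.0.113.5", "198.51.100.7"


def build_sample_packets():
    pkts = []
    for port in [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 8080]:
        pkts.append((SCANNER, TARGET, port, "S"))            # half-open probe
        if port in (22, 80, 443):
            pkts.append((TARGET, SCANNER, port, "SA"))       # open: target answers SYN-ACK
            pkts.append((SCANNER, TARGET, port, "R"))        # scanner tears it down, never ACKs
        elif port == 8080:
            pass                                             # filtered: firewall drops the probe
        else:
            pkts.append((TARGET, SCANNER, port, "RA"))       # closed: RST comes back
    # A legitimate client completes the three-way handshake on 443.
    pkts += [(CLIENT, TARGET, 443, "S"), (TARGET, CLIENT, 443, "SA"), (CLIENT, TARGET, 443, "A")]
    return pkts


SAMPLE_PACKETS = build_sample_packets()


def classify_response(reply_flags):
    """How a SYN scan labels a probed port from what comes back."""
    if reply_flags is None:
        return "filtered"          # nothing answered: something dropped the probe
    if "S" in reply_flags and "A" in reply_flags:
        return "open"
    if "R" in reply_flags:
        return "closed"
    return "unknown"


def scan_view(packets, scanner, target):
    """Scanner's side: pair each SYN probe with the first reply seen for that port."""
    replies = {}
    for src, dst, port, flags in packets:
        if src == scanner and dst == target and flags == "S":
            replies.setdefault(port, None)
        elif src == target and dst == scanner and port in replies and replies[port] is None:
            replies[port] = flags
    return {port: classify_response(f) for port, f in replies.items()}


def detect_syn_scanners(packets, threshold=10):
    """Defender's side: sources that sent SYNs to many distinct ports on one host without
    a follow-up ACK on those ports. Returns {src: number_of_half_open_ports}."""
    syn_ports, acked_ports = defaultdict(set), defaultdict(set)
    for src, dst, port, flags in packets:
        if flags == "S":
            syn_ports[(src, dst)].add(port)
        elif flags == "A":
            acked_ports[(src, dst)].add(port)
    findings = {}
    for (src, dst), ports in syn_ports.items():
        half_open = ports - acked_ports[(src, dst)]
        if len(half_open) >= threshold:
            findings[src] = len(half_open)
    return findings


if __name__ == "__main__":
    print(scan_view(SAMPLE_PACKETS, SCANNER, TARGET))
    print(detect_syn_scanners(SAMPLE_PACKETS))
```

The threshold is the tuning knob: a legitimate client rarely touches more than a handful of ports on one host without completing a handshake, while a scan touches dozens, so even a crude count separates the two in this constructed data.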

Key Features

  • Port Scanning
  • Custom scanning options
  • Able to discover network devices

IPVOID

IPVOID helps to identify services that are running on the server and view TCP open ports.

It also checks and verifies whether the firewall is working correctly. Some security services block scans of IP addresses you do not own, so only check addresses you control.

Image: IPVOID port scanner

The online tool offers a wide range of scanning options to discover details about IP addresses.

Key Features

  • Base64 to Image
  • IPv4 CIDR Checker
  • DiG DNS Lookup
  • IP Geolocation
  • Multi URL Opener

Network Port Scanner Tool

This Open port scanner tool helps to check services that are available and running on the server.

To find out which OS version is running, whether ports are open on a server, and whether the server has a firewall enabled, it uses raw IP packets.


This tool is extremely useful to find out if your port forwarding is set up correctly or if your server applications are blocked or not by a firewall.

Key Features

  • Port scanning
  • Firewall Detection
  • IP Finder
  • Open Port detection

DNS Tools

It helps you identify which services are accessible from outside the intranet. Machines that reach the internet through a NAT router cannot be reached from outside the intranet.

However, with port forwarding, the router can redirect specific ports to a particular machine.

MxToolBox

This Open port scanner online allows for verifying whether redirection works correctly or not.

Key Features

  • Round-trip SMTP monitoring.
  • Inbound and outbound email tests and header analysis.
  • Performance metrics and historical statistics.
  • Configurable real-time alerts.
  • Customizable timeouts.

Web Proxy and Privacy Tool

This online open port scanner tool is also known as “HideMy[.]name”. If you want to hide your identity and access anything and everything, use a web proxy.

This tool hides and changes your IP address, and location and you will stay incognito while using the browser.

Image: Proxy tool

It acts as an intermediary between your machine and the requested website. You can also watch blocked content and play online games.

You can surf the internet with maximum speed and connection. It gives protection, privacy, and liberty on any device while browsing.

Key Features

  • VPN Service
  • Hide Network Activity
  • Protect Passwords
  • Unrestricted Internet Access

SolarWinds Port Scanner

It scans all IP addresses and TCP and UDP ports to check for network vulnerabilities.

You can run the scan from the command line as well, save scan configurations, and shorten scan run time with multi-threading. It traces end-user and terminal machine connection activity.


It recognizes unknown vulnerabilities and network protocols.

Key Features

  • Automated network discovery
  • Real-time monitoring and alerting
  • Powerful diagnostic capabilities
  • Enhanced network security

IP Tool

IP Tool is the “whatismyip[.]com” port scanner.

This tool scans the network for open ports and decides whether those open ports should be closed to improve network security and reduce exposure.


This open port scanner tool shows which ports on a network are open for communication. If a port is open, it is available for remote communication.

Key Features

  • IP Address Scanner
  • IP Address Tracker
  • Infoblox DNS and DHCP Monitoring
  • IP Address Discovery

UltraTools

With UltraTools you can check DNS performance and the DNS records specified for a domain or hostname.

The DNS Traversal Tool shows whether the DNS records have propagated to all nameservers.


It is a cloud-based authoritative DNS service that securely delivers fast and accurate query responses to websites and other vital online assets.

Key Features

  • SiteBacker — Monitoring & Failover
  • Traffic Controller
  • Directional DNS
  • DNS Shield

Yougetsignal

Yougetsignal is an open port checker tool that lets you check any external IP address for open ports.

It is a useful tool for checking the restrictions placed by the firewall. With this tool, you can check all TCP and UDP ports.

Image: Yougetsignal open port checker

With the port scanner tools listed above, you can determine the open ports in your network infrastructure.

It is always recommended to close the ports if they are not in use for security reasons.

Key Features

  • Port Forwarding Tester
  • What Is My IP Address
  • Network Location Tool
  • Visual Trace Route Tool

Conclusion

Listed above are some of the free online tools for checking open ports on a server and for other DNS queries.

We have categorized some of the best port scanner and port checker tools to help find open ports and perform other port-related operations during a network penetration test.

What is the Security Risk due to Open Ports?

Most malicious software behaves like a service waiting for connections from a remote attacker, so as to hand over data or control of the machine.

The most common security practice is to close unused ports on private machines, in order to block known access to any service that may be running on the PC without the user’s knowledge, whether because an authorized service is misconfigured or because of malicious software.

Is Port Scanning Illegal?

Port scanning itself is not illegal, but scanning a destination host without authorization is illegal and you will get into trouble.

TCP port scanners help server administrators and penetration testers examine on which ports data enters the network and protect it from intruders.


Infosec books | InfoSec tools | InfoSec services

Tags: Port Checker Tools, Port Scanner


Dec 26 2022

GuLoader implements new evasion techniques

Category: Cyber Threats, Security vulnerabilities | DISC @ 1:08 pm

Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.

CrowdStrike researchers detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE).

GuLoader uses a polymorphic shellcode loader to evade traditional security solutions; the experts mapped every embedded DJB2 hash value to the API it resolves, for all APIs used by the malicious code.
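Mapping embedded hash values back to API names is the routine analyst step behind that sentence: the loader stores a 32-bit hash per import instead of a name, and the analyst recomputes the hash over a list of known export names until the values match. As an added example (not CrowdStrike's code, and not taken from GuLoader), the block below implements the classic DJB2 hash with C-style 32-bit wrapping, plus the XOR variant some loaders use, and resolves a set of hashes against a short candidate list; the candidate list is a hypothetical subset of real Windows exports, and a real table would be built from the export directories of ntdll.dll, kernel32.dll and friends.

```python
MASK32 = 0xFFFFFFFF


def djb2(name, xor_variant=False):
    """Classic DJB2: h = 5381; per byte h = h*33 + c (or h*33 ^ c for the XOR variant),
    truncated to 32 bits exactly as a C implementation's unsigned arithmetic would wrap."""
    h = 5381
    for c in name.encode("ascii"):
        h = ((h << 5) + h) ^ c if xor_variant else ((h << 5) + h) + c
        h &= MASK32
    return h


# Hypothetical candidate list for the example; all are genuine Windows exports.
CANDIDATE_APIS = [
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtMapViewOfSection",
    "NtCreateSection", "NtProtectVirtualMemory", "NtResumeThread",
    "VirtualAlloc", "VirtualProtect", "CreateProcessW", "LoadLibraryA", "GetProcAddress",
]


def build_hash_table(names, xor_variant=False):
    """Map 32-bit DJB2 hash -> API name; a collision between two names would make
    resolution ambiguous, so it is reported rather than silently overwritten."""
    table = {}
    for n in names:
        h = djb2(n, xor_variant)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]} and {n} both hash to {h:#010x}")
        table[h] = n
    return table


def resolve_hashes(embedded, names=CANDIDATE_APIS):
    """Resolve hashes pulled from a sample, trying both variants; misses stay as hex
    so the analyst knows which values still need a larger export list."""
    tables = {variant: build_hash_table(names, variant) for variant in (False, True)}
    resolved = {}
    for h in embedded:
        name = tables[False].get(h) or tables[True].get(h)
        resolved[h] = name if name else f"unresolved:{h:#010x}"
    return resolved


if __name__ == "__main__":
    # Constructed "embedded" values: two we can resolve, one we cannot.
    sample = [djb2("NtAllocateVirtualMemory"), djb2("LoadLibraryA", xor_variant=True), 0xDEADBEEF]
    for h, name in resolve_hashes(sample).items():
        print(f"{h:#010x} -> {name}")
```

If every value from a sample comes back unresolved, the loader is probably using a different seed, multiplier or post-processing step than classic DJB2, and the hash routine has to be lifted from the shellcode before the table is useful.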

The malware uses an anti-analysis technique to avoid execution in virtualized environments.

“In dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings.” reads the analysis published by CrowdStrike.

“New redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions.”

GuLoader first appeared on the threat landscape in 2019, it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT.

Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file.

“GuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult.” reads the analysis.

A recent GuLoader variant analyzed by the experts exhibits a multistage deployment:

  • The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory. 
  • The second stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process.
  • The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine.

The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code.


The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities.

“It then maps that section via NtMapViewofSection on the suspended process.” continues the analysis. “If this injection technique fails, it uses the following redundancy method:

a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll, to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub:

    mov eax,18
    mov edx,ntdll.77178850
    call edx
    ret 18

It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.”

Experts pointed out that GuLoader remains a dangerous threat that constantly evolves, they also shared Indicators of Compromise for the latest variant of the downloader.


Tags: Antivirus Bypass, evasion techniques, Metasploit


Dec 21 2022

Windows Code-Execution Vulnerability Let Attackers Run Malicious Code Without Authentication

Researchers recently discovered a Windows vulnerability that allows code execution and rivals EternalBlue in terms of potential. An attacker can execute malicious code without authentication by exploiting this newly tracked vulnerability, CVE-2022-37958.

It is possible to exploit this vulnerability in a wormable way, which can lead to a chain reaction in which other vulnerable systems are compromised and new attacks are launched from them.

A wider range of network protocols is affected by this vulnerability than by the earlier one, which gives attackers more flexibility.

Successful exploitation through any Windows application protocol that uses the NEGOEX protocol may enable an attacker to remotely execute arbitrary code.

Despite the list of protocols that have been identified, there could be other protocols and standards that are affected as well.

No user input or authentication on the target system is required for this vulnerability to be exploited. Microsoft has classified it as “Critical”, with maximum severity in every category.

As a result, the vulnerability now has a CVSS 3.1 score of 8.1 out of 10. It is important to note that systems with unpatched default configurations are vulnerable to this flaw.

The reclassification was performed by X-Force Red in accordance with its responsible disclosure policy with Microsoft.

Recommendations

For the time being, IBM will not release the full technical details of the vulnerability and patches until Q2 2023, in order to give defenders enough time to apply them.

Security Intelligence recommends that users and administrators apply the patch as soon as possible, given the widespread use of SPNEGO, to ensure they are protected.

All systems running Windows 7 and newer are covered by this fix, which is part of the September 2022 security updates.

Moreover, X-Force Red makes the following additional recommendations:

  • Identify which services are exposed to the internet, such as SMB and RDP.
  • You should continuously monitor your attack surface, including Windows Authentication-enabled servers.
  • In the event that the patch cannot be applied, set Kerberos or Net-NTLM as the default authentication providers on Windows and remove Negotiate as the default authentication provider.


Tags: Windows Code-Execution Vulnerability


Oct 01 2022

New WhatsApp 0-Day Bug Let Hackers Execute a Code & Take Full App Control Remotely

Category: Security vulnerabilities, Zero day | DISC @ 11:23 am

WhatsApp silently fixed two critical zero-day vulnerabilities affecting both the Android and iOS versions that allow attackers to execute arbitrary code remotely.

Facebook-owned messenger WhatsApp is one of the top-ranked messenger apps, with more than a billion users around the world on both Android and iPhone.

Both vulnerabilities are marked “critical” severity with a CVSS score of 10/10 and were found by WhatsApp’s internal security team.

Put simply, these vulnerabilities could allow a device to be compromised by receiving a video file or while on a video call.

CVE-2022-36934 – Integer Overflow Bug

An integer overflow bug in WhatsApp allows attackers to execute arbitrary code via specially crafted input during an established video call, without any user interaction.

An integer overflow, also known as “wraparound”, occurs when an integer value is incremented to a value that is too large to store in the associated representation.

This RCE bug affects unidentified code in WhatsApp’s Video Call Handler component; an attacker can trigger a heap-based buffer overflow through it and take complete control of WhatsApp Messenger.

“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”

Attackers can use this remote code execution vulnerability to deploy malware on the user’s device to steal sensitive files, or for surveillance purposes.

According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”
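The chain the article describes, an integer wraparound in a size calculation leading to an undersized heap buffer and then an out-of-bounds write, is worth seeing end to end. The following added example (not WhatsApp's code; the 8-byte frame header format, the field names and the sample messages are all constructed for illustration) models the uint32 arithmetic a C handler would perform, shows the naive handler reaching a write past its allocation on a header whose frame_count × frame_size wraps, and shows the hardened handler rejecting the same header before allocating. In C the overflowing write would corrupt neighbouring heap data; here it is caught and reported so the example can run safely.

```python
import struct

MASK32 = 0xFFFFFFFF          # width of the uint32 size arithmetic being modelled


def build_message(frame_count, frame_size, payload):
    """Constructed wire format (hypothetical): 8-byte header of two little-endian uint32
    fields, frame_count and frame_size, followed by the frame bytes."""
    return struct.pack("<II", frame_count, frame_size) + payload


# Constructed inputs: a benign 3 x 4-byte message, and one whose header makes
# frame_count * frame_size = 0x1_0000_0004, which wraps to 4 in uint32.
BENIGN_MESSAGE = build_message(3, 4, bytes(range(12)))
MALICIOUS_MESSAGE = build_message(0x40000001, 4, bytes(range(16)))


def parse_header(msg):
    return struct.unpack_from("<II", msg, 0)


def naive_buffer_bytes(count, size):
    """What a C implementation computes with uint32 arithmetic: the product wraps silently."""
    return (count * size) & MASK32


def checked_buffer_bytes(count, size):
    """Hardened: refuse any product that does not fit the type used for the allocation."""
    total = count * size            # Python ints do not wrap, so the bound is checked explicitly
    if total > MASK32:
        raise ValueError("frame_count * frame_size overflows uint32")
    return total


def copy_frames_naive(msg):
    """Vulnerable pattern: allocate from the wrapped size, then copy frames one at a time.
    Returns ('ok', alloc, written) or ('heap overflow', alloc, attempted_end) as soon as a
    frame would land past the end of the allocation."""
    count, size = parse_header(msg)
    buf = bytearray(naive_buffer_bytes(count, size))   # undersized when the product wrapped
    payload, written = msg[8:], 0
    for i in range(count):
        frame = payload[i * size:(i + 1) * size]
        if not frame:
            break                                       # input exhausted
        end = written + len(frame)
        if end > len(buf):
            return ("heap overflow", len(buf), end)     # C would write past the allocation here
        buf[written:end] = frame
        written = end
    return ("ok", len(buf), written)


def copy_frames_checked(msg):
    """Hardened handler: validate the size computation and the payload length before allocating."""
    count, size = parse_header(msg)
    try:
        total = checked_buffer_bytes(count, size)
    except ValueError as err:
        return ("rejected", str(err))
    payload = msg[8:]
    if len(payload) < total:
        return ("rejected", "payload shorter than header claims")
    return ("ok", bytes(payload[:total]))


if __name__ == "__main__":
    print("naive, malicious:  ", copy_frames_naive(MALICIOUS_MESSAGE))
    print("checked, malicious:", copy_frames_checked(MALICIOUS_MESSAGE))
    print("naive, benign:     ", copy_frames_naive(BENIGN_MESSAGE))
    print("checked, benign:   ", copy_frames_checked(BENIGN_MESSAGE))
```

The second check in the hardened handler matters as much as the first: even when the product fits, a header that claims more data than the message carries must not drive the copy loop, otherwise the read side goes out of bounds instead of the write side.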

CVE-2022-27492 – Integer Underflow Bug


Tags: WhatsApp 0-Day



Sep 26 2022

Hacking a powered-off iPhone: vulnerabilities never sleep

Can a device be hacked when switched off? Recent studies suggest so. Let’s see how this is even possible.

Researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, have published a paper describing a theoretical method for hacking an iPhone — even if the device is off. The study examined the operation of the wireless modules, found ways to analyze the Bluetooth firmware and, consequently, to introduce malware capable of running completely independently of iOS, the device’s operating system.

With a little imagination, it’s not hard to conceive of a scenario in which an attacker holds an infected phone close to the victim’s device and transfers malware, which then steals payment card information or even a virtual car key.

The reason it requires any imagination at all is that the authors of the paper didn’t actually demonstrate this, stopping one step short of a practical attack implementation in which something genuinely nasty is loaded into the smartphone. All the same, even without this, the researchers did a lot to analyze the undocumented functionality of the phone, reverse-engineer its Bluetooth firmware, and model various scenarios for using wireless modules.

So, if the attack didn’t play out, what’s this post about? We’ll explain, don’t worry, but first an important statement: if a device is powered off, but interaction with it (hacking, for example) is somehow still possible, then guess what — it’s not completely off!

How did we get to the point where switching something off doesn’t necessarily mean it’s actually off? Let’s start from the beginning.


Apple’s Low Power Mode

In 2021, Apple announced that the Find My service, which is used for locating a lost device, will now work even if the device is switched off. This improvement is available in all Apple smartphones since the iPhone 11.

If, for example, you lose your phone somewhere and its battery runs out after a while, it doesn’t turn off completely, but switches to Low Power Mode, in which only a very limited set of modules are kept alive. These are primarily the Bluetooth and Ultra WideBand (UWB) wireless modules, as well as NFC. There’s also the so-called Secure Element — a secure chip that stores your most precious secrets like credit card details for contactless payments or car keys — the latest feature available since 2020 for a limited number of vehicles.

Bluetooth in Low Power Mode is used for data transfer, while UWB — for determining the smartphone’s location. In Low Power Mode, the smartphone sends out information about itself, which the iPhones of passers-by can pick up. If the owner of a lost phone logs in to their Apple account online and marks the phone as lost, information from surrounding smartphones is then used to determine the whereabouts of the device. For details of how this works, see our recent post about AirTag stalking.

The announcement quickly prompted a heated discussion among information security experts about the maze of potential security risks. The research team from Germany decided to test out possible attack scenarios in practice.

Image caption: When powering off the phone, the user now sees the “iPhone Remains Findable After Power Off” message.

Find My after power off

First of all, the researchers carried out a detailed analysis of the Find My service in Low Power Mode, and discovered some previously unknown traits. After power off, most of the work is handled by the Bluetooth module, which is reloaded and configured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices to detect the not-really-off iPhone.

It turned out that the duration of this mode is limited: in version iOS 15.3 only 96 broadcast sessions are set with an interval of 15 minutes. That is, a lost and powered-off iPhone will be findable for just 24 hours. If the phone powered off due to a low battery, the window is even shorter — about five hours. This can be considered a quirk of the feature, but a real bug was also found: sometimes when the phone is off, the “beacon” mode is not activated at all, although it should be.

Of most interest here is that the Bluetooth module is reprogrammed before power off; that is, its functionality is fundamentally altered. But what if it can be reprogrammed to the detriment of the owner?

Attack on a powered-off phone

In fact, the team’s main discovery was that the firmware of the Bluetooth module is not encrypted and not protected by Secure Boot technology. Secure Boot involves multistage verification of the program code at start-up, so that only firmware authorized by the device manufacturer can be run.

The lack of encryption permits analysis of the firmware and a search for vulnerabilities, which can later be used in attacks. But the absence of Secure Boot allows an attacker to go further and completely replace the manufacturer’s code with their own, which the Bluetooth module then executes. For comparison, analysis of the iPhone’s UWB module firmware revealed that it’s protected by Secure Boot, although the firmware isn’t encrypted either.
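The difference between the two modules comes down to whether anything checks the firmware before it runs. The following added example (not from the paper or from Apple; stage names and image contents are constructed) models a Secure Boot chain the way the article describes it: a root public key fixed in ROM verifies the first stage, each stage carries the key that verifies the next, and a stage that fails verification halts the boot. Signatures are Lamport one-time signatures built from SHA-256, used here as a stand-in for the vendor's real scheme because they need only the standard library; each key signs exactly one image, which is why the chain issues one key per stage. The `unverified_boot` function is the Bluetooth-module situation: with no check, a replaced image runs.

```python
import hashlib
import os


def sha256(data):
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures: a hash-based stand-in for the vendor's signing scheme.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def message_bits(data):
    digest = int.from_bytes(sha256(data), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, data):
    return [sk[i][bit] for i, bit in enumerate(message_bits(data))]


def lamport_verify(pk, data, sig):
    if sig is None or len(sig) != 256:
        return False
    return all(sha256(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, message_bits(data))))


def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)


# --- Vendor side: build the signed chain. Stage names and contents are constructed.
SAMPLE_STAGES = [
    ("bootloader", b"constructed bootloader image"),
    ("os-kernel", b"constructed kernel image"),
    ("bluetooth-firmware", b"constructed radio firmware"),
]


def build_signed_chain(stages):
    """Sign stages last-to-first so each image embeds the public key of the stage after it.
    The signature covers code AND the embedded next key, so neither can be swapped."""
    images, next_pk = [], []
    for name, code in reversed(stages):
        sk, pk = lamport_keygen()               # fresh one-time key per stage
        payload = code + pk_bytes(next_pk)
        images.append({"name": name, "code": code, "next_pk": next_pk,
                       "sig": lamport_sign(sk, payload)})
        next_pk = pk
    images.reverse()
    return next_pk, images                      # next_pk is now the root key burned into ROM


# --- Device side.
def secure_boot(rom_pk, images):
    """Verify every stage with the key handed down by the previous one; halt on first failure."""
    booted, pk = [], rom_pk
    for img in images:
        payload = img["code"] + pk_bytes(img["next_pk"])
        if not lamport_verify(pk, payload, img["sig"]):
            return booted, f"halt: {img['name']} failed verification"
        booted.append(img["name"])
        pk = img["next_pk"]
    return booted, "ok"


def unverified_boot(images):
    """The Bluetooth-module situation described in the article: nothing is checked, everything runs."""
    return [img["name"] for img in images], "ok"


def tamper(images, index, new_code):
    """Replace one stage's code, leaving the original chain untouched."""
    patched = [dict(img) for img in images]
    patched[index]["code"] = new_code
    return patched


if __name__ == "__main__":
    root, chain = build_signed_chain(SAMPLE_STAGES)
    print("clean chain:   ", secure_boot(root, chain))
    altered = tamper(chain, 2, b"attacker-supplied radio firmware")
    print("altered, verified:  ", secure_boot(root, altered))
    print("altered, unverified:", unverified_boot(altered))
```

Note what the chain does and does not give you: it stops a modified image from running, but it does nothing about a vulnerability inside a genuine, correctly signed image, which is why the article treats the missing Secure Boot and the unencrypted (hence analyzable) firmware as two separate findings.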

Of course, that’s not enough for a serious, practical attack. For that, an attacker needs to analyze the firmware, try to replace it with something of their own making, and look for ways to break in. The authors of the paper describe in detail the theoretical model of the attack, but don’t show practically that the iPhone is hackable through Bluetooth, NFC or UWB. What’s clear from their findings is that if these modules are always on, the vulnerabilities likewise will always work.

Apple was unimpressed by the study, and declined to respond. This in itself, however, says little: the company is careful to keep a poker face even in cases when a threat is serious and demonstrated to be so in practice.

Bear in mind that Apple goes to great lengths to keep its secrets under wraps: researchers have to deal with closed software code, often encrypted, on Apple’s own hardware, with made-to-order third-party modules. A smartphone is a large, complex system that’s hard to figure out, especially if the manufacturer hinders rather than helps.

No one would describe the team’s findings as breathtaking, but they are the result of lots of painstaking work. The paper has merit for questioning the security policy of powering off the phone, but keeping some modules alive. The doubts were shown to be justified.

A half powered-off device

The paper concludes that the Bluetooth firmware is not sufficiently protected. It’s theoretically possible either to modify it in iOS or to reprogram the same Low Power Mode by expanding or changing its functionality. The UWB firmware can also be examined for vulnerabilities. The main problem, however, is that these wireless modules (as well as NFC) communicate directly with the protected enclave that is Secure Element. Which brings us to some of the paper’s most exciting conclusions:

Theoretically, it’s possible to steal a virtual car key from an iPhone — even if the device is powered off! Clearly, if the iPhone is the car key, losing the device could mean losing the car. However, in this case the actual phone remains in your possession while the key is stolen. Imagine it like this: an intruder approaches you at the mall, brushes their phone against your bag, and steals your virtual key.

It is theoretically possible to modify the data sent by the Bluetooth module, for example, in order to use a smartphone to spy on a victim — again, even if the phone is powered off.

Having payment card information stolen from your phone is another theoretical possibility.

But all this of course still remains to be proven. The work of the team from Germany shows once more that adding new functionality carries certain security risks that must be taken into account. Especially when the reality is so different from the perception: you think your phone is fully off, when in fact it isn’t.

This is not a completely new problem, mind. The Intel Management Engine and AMD Secure Technology, which also handle system protection and secure remote management, are active whenever the motherboard of a laptop or desktop computer is connected to a power source. As in the case of the Bluetooth/UWB/NFC/Secure Element bundle in iPhones, these systems have extensive rights inside the computer, and vulnerabilities in them can be very dangerous.

On the bright side, the paper has no immediate impact on ordinary users: the data obtained in the study is insufficient for a practical attack. As a surefire solution, the authors suggest that Apple should implement a hardware switch that kills the power to the phone completely. But given Apple’s physical-button phobia, you can be sure that won’t happen.

Source: https://tvfil78.com
Article source: https://ift.tt/2buBjo9

Tags: powered-off iPhone


Sep 25 2022

Critical Magento Vulnerability Let Unauthenticated Attackers to Execute Code

Category: Security vulnerabilities | DISC @ 2:00 pm

The Sansec Threat Research Team noticed a surge in Magento 2 template attacks. Exploitation of this critical template vulnerability in Magento 2, tracked as CVE-2022-24086, is increasing among e-commerce cybercriminals. The vulnerability allows unauthenticated attackers to execute code on unpatched sites.

Magento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. More than 150,000 online stores have been created on the platform. As of April 2021, Magento holds a 2.32% market share in global e-commerce platforms.

Critical Magento Vulnerability

Adobe patched this Magento 2 vulnerability (CVE-2022-24086) in February 2022; later, security researchers created exploit code for it, opening the way to mass exploitation.

Sansec researchers shared findings on three template hacks. The report says the observed attacks have been interactive, since the Magento checkout flow is very hard to automate. An attack starts with the creation of a new customer account and an order placement, which may result in a failed payment.

Image: Part of the injected template code (https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/part-of-inj-code.png)

Experts say this downloads a Linux executable called 223sam(.)jpg and launches it as a background process.

“It is actually a Remote Access Trojan (RAT). While it remains in memory, it creates a state file and polls a remote server hosted in Bulgaria for commands”, Sansec

Researchers pointed out that the RAT has full access to the database and the running PHP processes. The RAT can also be injected on any of the nodes in a multi-server cluster environment.

Another variation of this attack is the attempted injection of a health_check.php backdoor. It creates a new file accepting commands via the POST parameter:

Malicious PHP file

A third attack variation has this template code, which replaces generated/code/Magento/Framework/App/FrontController/Interceptor.php. This malware is then executed on every Magento page request.

PHP eval Backdoor Created

Therefore, experts recommend that Magento 2 site administrators upgrade their software to the latest version.

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: critical vulnerability


Sep 19 2022

Critical Flaws in Airplanes WiFi Access Point Let Attackers Gain Root Access

Category: Access Control,Security vulnerabilitiesDISC @ 9:36 am

Two critical vulnerabilities have been found recently in the wireless LAN devices of Contec. These critical vulnerabilities were discovered by the cybersecurity analysts, Samy Younsi and Thomas Knudsen of Necrum Security Lab.

The FLEXLAN FXA2000 and FXA3000 series from CONTEC are two product lines primarily used in airplane installations as WiFi access points.

These devices provide high-speed in-flight connectivity for purposes such as:

  • Movies
  • Music
  • Buying food
  • Buying goods

Tags: critical flaws, WiFi Access Point


Sep 17 2022

Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes

Category: Security vulnerabilities,Wi-Fi SecurityDISC @ 1:31 pm

The Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.

Necrum Security Labs’ researchers Samy Younsi and Thomas Knudsen have discovered two critical vulnerabilities in the wireless LAN devices manufactured by Contec. The company specializes in industrial automation, computing, and IoT communication technology.

Research Details

Reportedly, the Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.

For your information, these devices are used in airplanes to offer internet connectivity. The abovementioned series of devices offer WiFi access points in airplanes to ensure uninterrupted high-speed internet communication so that passengers could enjoy music, movies, and even purchased goodies during the flight. Hence, these vulnerabilities can allow an adversary to hack the inflight entertainment system and more.

FXA2000 (left) and FXA3000 (right)

Researchers discovered the first vulnerability (CVE–2022–36158) while performing the firmware’s reverse engineering. They identified a hidden page, which wasn’t listed in the Wireless LAN Manager interface. This page facilitates the execution of Linux commands on the device with root privileges. They could then access all system files and open the telnet port to gain complete access to the device.

The second vulnerability (CVE–2022–36159) entailed the use of hard-coded, weak cryptographic keys and backdoor accounts. While investigating, they also learned that the shadow file contained the password hashes of two users, root and user, and within a few minutes they were able to crack them through a brute-force attack.

How to Fix the Issues?

In their blog post, the researchers explained that the device owner can change the password of the user account from the web admin interface, but the root account is reserved for Contec for maintenance purposes, which is the primary reason these flaws arise.

Therefore, an attacker armed with the root hard-coded password can conveniently access all FXA2000 and FXA3000 series devices.

In order to fix the first issue, the hidden engineering web page must be removed from the under-production devices because the default password is weak and makes it easy for an attacker to inject a backdoor into the device using this page.

Furthermore, the company needs to generate a unique password for each device during the production phase for the second issue.

As pointed out by Eduard Kovacs of SecurityWeek, in its advisory, Contec explained that the vulnerabilities are connected to a private webpage created for developers to execute system commands and the page isn’t linked to other pages available to users. These vulnerabilities have been addressed in versions 1.16.00 for the FX3000 series and 1.39.00 for FX2000 series devices.

WiFi 6: Protocol and Network

Tags: Critical Vulnerabilities, WiFi on Airplanes


Sep 15 2022

Organizations should fear misconfigurations more than vulnerabilities

Category: Security vulnerabilitiesDISC @ 8:43 am

Censys launched its State of the Internet Report, a holistic view into internet risks and organizations’ exposure to them.

Through careful examination of which ports, services, and software are most prevalent on the internet and the systems and regions where they run, the research team discovered that misconfigurations and exposures represent 88% of the risks and vulnerabilities across the internet.

“Assessing the state of the internet is crucial in understanding an organization’s own risks and exposures,” said Zakir Durumeric, Chief Scientist of Censys.

Key findings

  • Misconfigurations – including unencrypted services, weak or missing security controls and self-signed certificates – make up roughly 60% of observed risks. When analyzing the risk profile of organizations across industries, missing common security headers were the most frequent security error.
  • Exposures of services, devices, and information represent 28% of observed risks. This includes everything from accidental database exposures to exposed devices.
  • Critical vulnerabilities and advanced exploits represent only 12% of observed risks. When analyzing organizations by industry, the Computer and Information Technology industry had the widest spread of different risks, while Freight Shipment and Postal Services had the second widest.

Researchers also conducted a holistic assessment of the internet’s response to three major vulnerabilities – Log4j, GitLab and Confluence – to understand mitigation strategies based on how a vulnerability is perceived. From this analysis, Censys learned how the internet responds differently to vulnerability disclosures.

Three distinct types of behavior in response to vulnerability disclosures

  • Near-immediate upgrading: Systems vulnerable to Log4j were patched quickly, driven by the widespread coverage of the vulnerability. By March 2022, Censys observed that only 36% of potentially vulnerable services were left unpatched.
  • Upgrading only after the vulnerability is being actively and widely exploited: While the GitLab vulnerability was being exploited, remediation proceeded more slowly than for the others, until researchers discovered a botnet composed of thousands of compromised GitLab servers participating in DDoS campaigns.
  • Near-immediate response by taking the vulnerable instance off the internet entirely: Rather than upgrading, users chose to remove assets entirely from the internet after Confluence’s vulnerability became public, between June 2021 and March 2022.

The internet constantly evolves as new technologies emerge, vulnerabilities are discovered, and organizations expand their operations that interact with the internet. Security teams have the responsibility to protect their organizations’ digital assets and need proper visibility into the entire landscape to do so.

Although vulnerabilities often garner the bigger headlines, it’s undetected misconfigurations and exposures that create the most risk for an organization, making it important to regularly assess any new hosts or services that appear in your infrastructure. Regardless of vulnerability type, providing organizations with the visibility and tools needed to strengthen their security posture introduces a proactive, more vigilant approach to digital risk management.

World

Secure By Design

Tags: misconfigurations, Secure By Design


Sep 06 2022

5 Vulnerability Scanner Tools that are Open Source and Free to Download

Category: Security vulnerabilitiesDISC @ 11:38 am

A list of free open source vulnerability scanners which developers and penetration testers can use to scan systems for vulnerabilities and potential malware.

A vulnerability assessment is an in-depth analysis of a network’s hardware, software, and other components to locate and fix potential security holes. Once identified, the software prioritizes security holes by how quickly they must be patched or mitigated. In most cases, the vulnerability scanning tool will also include guidance on how to fix or lessen the impact of any vulnerabilities it finds.

The results from vulnerability scanners can be used as a guide by security teams as they evaluate the safety of their network and take preventative measures.

Developers can use the following open-source vulnerability assessment tools to test for vulnerabilities for free.

Aqua Trivy

For developers to make informed decisions about which components to use in their applications and containers, open-source tools like Aqua Trivy can help them identify vulnerabilities and understand the associated risks. Trivy’s array of vulnerability scanners allows it to detect vulnerabilities in a wide variety of systems.

Clair

Static analysis of vulnerabilities in application containers is the focus of the Clair open-source project (currently including OCI and Docker).

Clients can index their container images via the Clair API and compare them to a database of known security flaws.

Tsunami

Tsunami is a flexible, plugin-based network security scanner designed to detect and scan critical vulnerabilities accurately.


Tsunami is scalable, runs quickly, and scans quietly.

Vaf

Vaf is a platform-independent web fuzzer that can quickly thread through requests, fuzz HTTP headers, and even act as a proxy.

Zed Attack Proxy ZAP

Under the OWASP banner, Zed Attack Proxy (ZAP) is developed and maintained as a free, open-source penetration testing tool and can be used as an effective vulnerability scanner.


ZAP is highly adaptable and extensible; it can even be deployed on a Raspberry Pi and is optimized for testing websites and deployed as a vulnerability scanner.

Tags: Open source, Vulnerability Scanner Tools


Aug 29 2022

Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers

Category: Security vulnerabilitiesDISC @ 11:55 am

Grab and deploy this backend update if you offer even repo read access

A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.

Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild. 

But considering the vulnerability, tracked as CVE-2022-36804, received a 9.9 out of 10 CVSS score in terms of severity, we’d suggest you stop what you’re doing and update as soon as possible as it’s safe to assume miscreants are already scanning for vulnerable instances. 

As Atlassian explains in its security advisory, published mid-last week: “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”

Additionally, the Center for Internet Security has labeled the flaw a “high” security risk for all sizes of business and government entities. These outfits typically use Bitbucket for managing source code in Git repositories.

Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too. There’s a compatibility matrix to help users find the Mesh version that’s compatible with the Bitbucket Data Center version.

And if you need to postpone a Bitbucket update, Atlassian advises turning off public repositories globally as a temporary mitigation. This will change the attack vector from an unauthorized to an authorized attack. However, “this can not be considered a complete mitigation as an attacker with a user account could still succeed,” according to the advisory.

Security researcher @TheGrandPew discovered and reported the vulnerability via Atlassian’s bug bounty program.

This latest bug follows a series of hits for the popular enterprise collaboration software maker. 

Last month, Atlassian warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of years-old, critical flaws threaten their security. It detailed the so-called Servlet Filter dispatcher vulnerabilities in its July security updates, and said the flaw allowed remote, unauthenticated attackers to bypass authentication used by third-party apps.

In June, Atlassian copped to another critical flaw in Confluence that was under active attack.

Plus, there was also the two-week-long embarrassing cloud outage that affected almost 800 customers this spring. This is less than half a percent of the company’s total customers, but still, as co-founder and co-CEO Mike Cannon-Brookes admitted on the firm’s most recent earnings call, “one customer is too many.” And definitely not a good look for a cloud collaboration business.

https://www.theregister.com/2022/08/29/atlassian_bitbucket_critical_bug/

Guide for Atlassian Confluence and its marketplace


Tags: Atlassian, Critical hole


Aug 18 2022

PoC exploit code for critical Realtek RCE flaw released online

Category: Security vulnerabilitiesDISC @ 8:14 am

Exploit code for a critical vulnerability affecting networking devices using the Realtek RTL819x system on a chip has been released online.

The PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek’s RTL819x system on a chip was released online. The issue resides in Realtek’s SDK for the open-source eCos operating system; it was discovered by researchers from cybersecurity firm Faraday Security.

“On Realtek eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The ‘SIP ALG’ module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents.” reads the advisory published by Realtek, which disclosed the issue in March 2022. “A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution.”

Millions of devices, including routers and access points, are exposed to hacking.

The experts (Octavio Gianatiempo, Octavio Galland, Emilio Couto, Javier Aguinaga) disclosed technical details of the flaw at the DEFCON hacker conference last week.

A remote attacker can exploit the flaw to execute arbitrary code without authentication by sending specially crafted SIP packets with malicious SDP data to vulnerable devices.

The issue is very dangerous because the exploitation doesn’t require user interaction.

The PoC code developed by the experts works against Nexxt Nebula 300 Plus routers.

“This repository contains the materials for the talk “Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.”, which was presented at DEFCON30.” reads the description provided with the exploit code on GitHub.

The repo includes:

  • analysis: Automated firmware analysis to detect the presence of CVE-2022-27255 (Run analyse_firmware.py).
  • exploits_nexxt: PoC and exploit code. The PoC should work on every affected router, however the exploit code is specific for the Nexxt Nebula 300 Plus router.
  • ghidra_scripts: Vulnerable function call searching script and CVE-2022-27255 detection script.
  • DEFCON: Slide deck & poc video.

Johannes Ullrich, Dean of Research at SANS, shared a Snort rule that can be used to detect PoC exploit attempts.

“The rule looks for “INVITE” messages that contain the string “m=audio “. It triggers if there are more than 128 bytes following the string (128 bytes is the size of the buffer allocated by the Realtek SDK) and if none of those bytes is a carriage return. The rule may even work sufficiently well without the last content match. Let me know if you see any errors or improvements.” wrote the expert.
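The detection logic Ullrich describes, re-implemented in Python as an added example for this page (not Ullrich's rule or the researchers' code): alert on SIP INVITE messages where "m=audio " is followed by more than 128 bytes with no carriage return among them. The sample packets are constructed, not captured traffic.

```python
"""Python re-implementation of the detection logic described for the Snort rule:
alert on SIP INVITE messages in which the SDP string "m=audio " is followed by
more than 128 bytes (the Realtek SDK buffer size quoted in the write-up) with no
carriage return among them. Added example, not Ullrich's rule itself; the sample
packets below are constructed, not captured traffic."""

BUFFER_SIZE = 128        # fixed buffer size named in the write-up
MARKER = b"m=audio "     # SDP media line the SIP ALG copies with strcpy


def is_sip_invite(payload: bytes) -> bool:
    """A SIP request line begins with the method name (RFC 3261)."""
    return payload.startswith(b"INVITE ")


def suspicious_audio_lines(payload: bytes) -> list:
    """Return the offset of every "m=audio " occurrence that is followed by more
    than BUFFER_SIZE bytes, none of the first BUFFER_SIZE of which is a CR.
    A legitimate SDP media line is a few dozen bytes and ends in CRLF, so this
    shape only appears when the line is far longer than the target buffer."""
    hits = []
    start = 0
    while True:
        idx = payload.find(MARKER, start)
        if idx == -1:
            return hits
        after = idx + len(MARKER)
        window = payload[after:after + BUFFER_SIZE]
        if len(payload) - after > BUFFER_SIZE and b"\r" not in window:
            hits.append(idx)
        start = after


def detect(payload: bytes) -> dict:
    """Classify one UDP payload the way the rule would."""
    invite = is_sip_invite(payload)
    hits = suspicious_audio_lines(payload) if invite else []
    return {"is_invite": invite, "hits": hits, "alert": bool(hits)}


# --- constructed sample traffic -------------------------------------------
BENIGN_INVITE = (
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\n"
    b"o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    b"m=audio 49170 RTP/AVP 0 8 97\r\n"
    b"a=rtpmap:0 PCMU/8000\r\n"
)

# Same request, but the m=audio line runs far past the 128-byte buffer with
# no line terminator: the shape the rule is written to catch.
OVERLONG_INVITE = (
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\n"
    b"m=audio " + b"9" * 300 + b"\r\n"
)

# A non-INVITE request with the same long line must not alert: the rule is
# scoped to INVITE messages.
OVERLONG_OPTIONS = (
    b"OPTIONS sip:bob@example.invalid SIP/2.0\r\n\r\nm=audio " + b"9" * 300
)


if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_INVITE), ("overlong", OVERLONG_INVITE),
                      ("options", OVERLONG_OPTIONS)]:
        print(name, detect(pkt))
```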

Slides for the DEFCON presentation, along with exploits and a detection script for CVE-2022-27255, are available in this GitHub repository.

Tags: critical vulnerability, exploit code


Aug 16 2022

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.


South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn’t breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to our corporate IT network and our teams are working to resolve this as quickly as possible.” It added there has been no disruption to service.

“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said. 

Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror.

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebig said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”

https://www.darkreading.com/attacks-breaches/clop-ransomware-gang-breaches-water-utility

Ransomware Protection Playbook

Tags: ransomware attacks, Ransomware Protection Playbook


Aug 10 2022

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see

Here’s this week’s BWAIN, our jocular term for a Bug With An Impressive Name.

BWAIN is an accolade that we hand out when a new cybersecurity flaw not only turns out to be interesting and important, but also turns up with its own logo, domain name and website.

This one is dubbed ÆPIC Leak, a pun on the words APIC and EPIC.

The former is short for Advanced Programmable Interrupt Controller, and the latter is simply the word “epic”, as in giantmassiveextrememegahumongous.

The letter Æ hasn’t been used in written English since Saxon times. Its name is æsc, pronounced ash (as in the tree), and it pretty much represents the sound of the A in the modern word ASH. But we assume you’re supposed to pronounce the word ÆPIC here either as “APIC-slash-EPIC”, or as “ah!-eh?-PIC”.

What’s it all about?

All of this raises five fascinating questions:

  • What is an APIC, and why do I need it?
  • How can you have data that even the kernel can’t peek at?
  • What causes this epic failure in APIC?
  • Does the ÆPIC Leak affect me?
  • What to do about it?

What’s an APIC?

Let’s rewind to 1981, when the IBM PC first appeared.

The PC included a chip called the Intel 8259A Programmable Interrupt Controller, or PIC. (Later models, from the PC AT onwards, had two PICs, chained together, to support more interrupt events.)

The purpose of the PIC was quite literally to interrupt the program running on the PC’s central processor (CPU) whenever something time-critical took place that needed attention right away.

These hardware interrupts included events such as: the keyboard getting a keystroke; the serial port receiving a character; and a repeating hardware timer ticking over.

Without a hardware interrupt system of this sort, the operating system would need to be littered with function calls to check for incoming keystrokes on a regular basis, which would be a waste of CPU power when no one was typing, but wouldn’t be responsive enough when they did.

As you can imagine, the PIC was soon followed by an upgraded chip called the APIC, an advanced sort of PIC built into the CPU itself.

These days, APICs provide much more than just feedback from the keyboard, serial port and system timer.

APIC events are triggered by (and provide real-time data about) events such as overheating, and allow hardware interaction between the different cores in contemporary multicore processors.

And today’s Intel chips, if we may simplify greatly, can generally be configured to work in two different ways, known as xAPIC mode and x2APIC mode.

Here, xAPIC is the “legacy” way of extracting data from the interrupt controller, and x2APIC is the more modern way.

Simplifying yet further, xAPIC relies on what’s called MMIO, short for memory-mapped input/output, for reading data out of the APIC when it registers an event of interest.

In MMIO mode, you can find out what triggered an APIC event by reading from a specific region of memory (RAM), which mirrors the input/output registers of the APIC chip itself.

This xAPIC data is mapped into a 4096-byte memory block somewhere in the physical RAM of the computer.

This simplifies accessing the data, but it requires an annoying, complex (and, as we shall see, potentially dangerous) interaction between the APIC chip and system memory.

In contrast, x2APIC requires you to read out the APIC data directly from the chip itself, using what are known as Model Specific Registers (MSRs).

According to Intel, avoiding the MMIO part of the process “provides significantly increased processor addressability and some enhancements on interrupt delivery.”

Notably, extracting the APIC data directly from on-chip registers means that the total amount of data supported, and the maximum number of CPU cores that can be managed at the same time, is not limited to the 4096 bytes available in MMIO mode.

Tags: Cryptography, Data loss


Aug 05 2022

Software Bill of Material and Vulnerability Management Blind Spots

Category: App Security,Security vulnerabilitiesDISC @ 9:29 am

Software Bill of Material and Vulnerability Management Blind Spots

Open source software is everywhere (which is not a bad thing in itself). However, many buyers have no inventory of the open source components included in the software products they are buying. Businesses even fail to keep track of open source components used in internally developed applications. As a result, vulnerability management programs have blind spots.

Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

Why it matters:

  1. Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and Apache server.
  2. Many commercial software vendors use open source components but don’t properly and adequately disclose all open source components included in the commercial products.
  3. Recent vulnerabilities (e.g. log4j) have far reaching impact.
  4. Software applications developed in-house also include open source components. As these applications age and the initial developers move on to new jobs, older and vulnerable open source components may stay in the applications unnoticed for a long time.

What to do:

  1. It is crucial to have an up-to-date inventory of all open source software, whether used as standalone products or embedded as a library inside a product. We can’t manage what we don’t know exists.
  2. Require your software vendors to provide you with a list of all open source libraries and their versions embedded into their products.
  3. Make this list part of the vulnerability management program. Monitor release of new vulnerabilities and patches for your inventory of open source software components.

When building a bill of materials for open source components, it is imperative not only to contact your software vendors but also to review all software applications developed in-house. In some cases you can use source code scanning tools to build an inventory of these components.
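The "monitor new vulnerabilities for your inventory" step, as an added example for this post (not a DISC tool or any vendor's product): an inventory combining vendor-supplied and in-house components is checked against affected version ranges. The inventory, advisory IDs and version ranges are constructed for illustration; log4j appears because the post cites it.

```python
"""Check an open source component inventory (a minimal bill of materials) against
known vulnerable version ranges. Added example for this post; the inventory,
advisory IDs and ranges below are constructed, not real advisories."""

import re
from typing import Optional

# Constructed inventory, drawn from the two sources the post says to cover:
# vendor-supplied component lists and scans of in-house applications.
INVENTORY = [
    {"name": "log4j-core", "version": "2.14.1", "source": "vendor:ExampleERP"},
    {"name": "log4j-core", "version": "2.17.1", "source": "inhouse:billing-svc"},
    {"name": "openssl", "version": "1.1.1k", "source": "inhouse:edge-proxy"},
    {"name": "jackson-databind", "version": "2.9.10", "source": "vendor:ExampleERP"},
]

# Constructed advisories: a component is affected if introduced <= version < fixed
# (fixed=None means no fix yet, so everything from "introduced" on is affected).
ADVISORIES = [
    {"id": "DEMO-ADV-0001", "name": "log4j-core", "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "DEMO-ADV-0002", "name": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
]


def parse_version(v: str) -> tuple:
    """Split "2.14.1" or "1.1.1k" into comparable parts: numeric runs compare as
    integers, letter runs lexically (tagged so mixed parts never raise)."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", v))


def _padded(a: tuple, b: tuple):
    """Right-pad the shorter version with zero parts so that 2.14 == 2.14.0."""
    n = max(len(a), len(b))
    return a + ((0, 0),) * (n - len(a)), b + ((0, 0),) * (n - len(b))


def version_lt(a: str, b: str) -> bool:
    pa, pb = _padded(parse_version(a), parse_version(b))
    return pa < pb


def version_in_range(v: str, introduced: str, fixed: Optional[str]) -> bool:
    if version_lt(v, introduced):
        return False
    return fixed is None or version_lt(v, fixed)


def find_exposures(inventory, advisories) -> list:
    """Every (component, advisory) pair whose version falls in an affected range,
    with the source kept so the finding can be routed to the vendor or the team."""
    hits = []
    for comp in inventory:
        for adv in advisories:
            if adv["name"] == comp["name"] and version_in_range(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"component": comp["name"], "version": comp["version"],
                             "source": comp["source"], "advisory": adv["id"]})
    return hits


if __name__ == "__main__":
    for hit in find_exposures(INVENTORY, ADVISORIES):
        print(f'{hit["advisory"]}: {hit["component"]} {hit["version"]} ({hit["source"]})')
```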

A Guide to Open-Source Software Security Risks & Best Practices

Implementing Enterprise Cybersecurity with Opensource Software and Standard Architecture

Tags: Open source security, Opensource Software


Aug 01 2022

GnuTLS patches memory mismanagement bug – update now!

Category: Security vulnerabilitiesDISC @ 10:06 pm

The best-known cryptographic library in the open-source world is almost certainly OpenSSL.

Firstly, it’s one of the most widely-used, to the point that most developers on most platforms have heard of it even if they haven’t used it directly.

Secondly, it’s probably the most widely-publicised, sadly because of a rather nasty bug known as Heartbleed that was discovered more than eight years ago.

Despite being patched promptly (and despite reliable workarounds existing for developers who couldn’t or wouldn’t update their vulnerable OpenSSL versions quickly), Heartbleed remains a sort of “showcase” bug, not least because it was one of the first bugs to be turned into an aggressive PR vehicle by its discoverers.

With an impressive name, a logo all of its own, and a dedicated website, Heartbleed quickly became a global cybersecurity superstory, and, for better or worse, became inextricably linked with mentions of the name OpenSSL, as though the danger of the bug lived on even after it had been excised from the code.

Life beyond OpenSSL

But there are several other open-source cryptographic libraries that are widely used as well as or instead of OpenSSL, notably including Mozilla’s NSS (short for Network Security Services) and the GNU project’s GnuTLS library.

As it happens, GnuTLS just patched a bug known as CVE-2022-2509, reported in the project’s security advisory GNUTLS-SA-2022-07-07.

This patch fixes a memory mismanagement error known as a double-free.

Double-free explained

Tags: memory mismanagement bug


Aug 01 2022

A flaw in Dahua IP Cameras allows full take over of the devices

Category: Security vulnerabilitiesDISC @ 8:40 am

A vulnerability, tracked as CVE-2022-30563, impacting Dahua IP Camera can allow attackers to seize control of IP cameras.

The CVE-2022-30563 vulnerability impacting Dahua IP Camera can allow attackers to seize control of IP cameras. The issue affects Dahua’s implementation of the Open Network Video Interface Forum (ONVIF).

ONVIF provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.

The vulnerability was discovered by researchers from Nozomi Networks and received a CVSS score of 7.4.

“We’re publishing the details of a new vulnerability (tracked under CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in some IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions.” reads the advisory published by Nozomi Networks. “This vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.”

ONVIF-conformant products allow users to perform a variety of actions on the remote device through a set of standardized Application Programming Interfaces (APIs), including watching camera footage, locking or unlocking a smart door, and performing maintenance operations.

The flaw resides in the “WS-UsernameToken” authentication mechanism implemented by Dahua in some of its IP cameras. Due to the lack of checks to prevent replay attacks, a threat actor can sniff an unencrypted ONVIF interaction and indefinitely replay the credentials in new requests towards the camera, which the device accepts as valid authenticated requests.

Once they have obtained the credentials, an attacker can add an administrator account and use it to obtain full access to the device and perform actions such as watching live footage from the camera, as shown below.

An attacker can conduct this attack by capturing one unencrypted ONVIF request authenticated with the WS-UsernameToken schema.
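To make the missing check concrete, here is an added example (not Dahua's or Nozomi's code) of a minimal server-side verifier for the WS-Security UsernameToken PasswordDigest scheme that ONVIF uses: a digest-only verifier accepts the same captured token forever, while a hardened one also enforces a freshness window on Created and a per-nonce replay cache. The credentials, nonce and timestamps are constructed test values.

```python
"""WS-UsernameToken (PasswordDigest) verification, vulnerable and hardened.
verify_naive() checks only the digest, so a token copied from an earlier
unencrypted exchange is accepted indefinitely, the behaviour described for
CVE-2022-30563. HardenedVerifier adds a Created freshness window and a nonce
replay cache. Added example; credentials and times below are constructed."""

import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
USERS = {"admin": "constructed-demo-password"}   # constructed credential store


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security: PasswordDigest = Base64( SHA-1( nonce || Created || password ) )."""
    nonce = base64.b64decode(nonce_b64)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def make_token(username: str, password: str, nonce: bytes, created: datetime) -> dict:
    """Client side: the token fields a camera receives in the SOAP header."""
    created_s = created.strftime(FMT)
    nonce_b64 = base64.b64encode(nonce).decode()
    return {"Username": username, "Nonce": nonce_b64, "Created": created_s,
            "PasswordDigest": password_digest(nonce_b64, created_s, password)}


def verify_naive(token: dict) -> bool:
    """Digest check only: correct for a fresh token, but replayable forever."""
    pw = USERS.get(token["Username"])
    if pw is None:
        return False
    expected = password_digest(token["Nonce"], token["Created"], pw)
    return hmac.compare_digest(expected, token["PasswordDigest"])


class HardenedVerifier:
    """Digest check plus Created freshness window plus nonce replay cache."""

    def __init__(self, max_skew: timedelta = timedelta(minutes=5)):
        self.max_skew = max_skew
        self.seen = {}   # nonce -> time after which a replay would fail freshness anyway

    def verify(self, token: dict, now: datetime) -> bool:
        if not verify_naive(token):
            return False
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False                      # stale or far-future timestamp
        self._evict(now)
        if token["Nonce"] in self.seen:
            return False                      # exact replay of an accepted nonce
        self.seen[token["Nonce"]] = created + self.max_skew
        return True

    def _evict(self, now: datetime) -> None:
        """Drop nonces whose tokens could no longer pass the freshness check."""
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}


def demo() -> dict:
    t0 = datetime(2022, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = make_token("admin", USERS["admin"], nonce=b"\x01" * 16, created=t0)
    bad = make_token("admin", "wrong-password", nonce=b"\x02" * 16, created=t0)
    hv = HardenedVerifier()
    return {
        "naive_first": verify_naive(token),
        "naive_replay": verify_naive(token),            # still True: the flaw
        "naive_wrong_password": verify_naive(bad),
        "hardened_first": hv.verify(token, now=t0 + timedelta(seconds=2)),
        "hardened_replay": hv.verify(token, now=t0 + timedelta(seconds=30)),
        "hardened_stale": HardenedVerifier().verify(token, now=t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```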


The following versions of Dahua video products are affected:

  • Dahua ASI7XXX: Versions prior to v1.000.0000009.0.R.220620
  • Dahua IPC-HDBW2XXX: Versions prior to v2.820.0000000.48.R.220614
  • Dahua IPC-HX2XXX: Versions Prior to v2.820.0000000.48.R.220614

The vendor addressed the issue with the release of a patch on June 28, 2022.

“In addition to building security, surveillance cameras are used throughout many critical infrastructure sectors such as oil & gas, power grids, telecommunications, etc. These cameras are used to oversee many production processes, providing remote visibility to process engineers. Threat actors, nation-state threat groups in particular, could be interested in hacking IP cameras to help gather intel on the equipment or production processes of the target company.” concludes Nozomi. “This information could aid in reconnaissance conducted prior to launching a cyberattack. With more knowledge of the target environment, threat actors could craft custom attacks that can physically disrupt production processes in critical infrastructure.”

Tags: Dahua IP Cameras


Jun 21 2022

Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild

Category: Security vulnerabilitiesDISC @ 8:32 am

Google Project Zero experts disclosed details of a 5-Year-Old Apple Safari flaw actively exploited in the wild.

Researchers from the Google Project Zero team have disclosed details of a vulnerability in Apple Safari that was actively exploited in the wild.

The vulnerability, tracked as CVE-2022-22620, was fixed for the first time in 2013, but in 2016 experts discovered a way to bypass the fix.

“Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations.” reads the post published by Google Project Zero. “This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022.”

Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22620 (CVSS score: 8.8), in WebKit affecting iOS, iPadOS, macOS, and Safari that may have been actively exploited in the wild.

The zero-day vulnerability was fixed by Apple in February. It is a use-after-free issue that could be exploited by processing maliciously crafted web content, leading to arbitrary code execution.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the security advisory published by Apple. “A use after free issue was addressed with improved memory management.” The Google researcher Maddie Stone added: “The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.”

The vulnerability was reported by an anonymous researcher and the company addressed it by improving memory management.

Stone analyzed the changes to the software over the years. She started from the code of the patch shared by Apple and the description of the issue in the security bulletin, which states that the vulnerability is a use-after-free.

“Whenever I’m doing a root cause analysis on a browser in-the-wild 0-day, along with studying the code, I also usually search through commit history and bug trackers to see if I can find anything related. I do this to try and understand when the bug was introduced, but also to try and save time.” she said.

The researcher noticed that the commits dated October 2016 and December 2016 were very large: the October commit changed 40 files with 900 additions and 1225 deletions, and the December commit changed 95 files with 1336 additions and 1325 deletions.

“Usually when we talk about variants, they exist due to incomplete patches: the vendor doesn’t correctly and completely fix the reported vulnerability. However, for CVE-2022-22620 the vulnerability was correctly and completely fixed in 2013. Its fix was just regressed in 2016 during refactoring. We don’t know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for 5 years: December 2016 until January 2022.” concludes the expert. “There’s no easy answer for what should have been done differently. The developers responding to the initial bug report in 2013 followed a lot of best-practices.”


The Art of Mac Malware: The Guide to Analyzing Malicious Software


Tags: Apple Safari, The Art of Mac Malware

