The framework conducts reconnaissance on active assets and completes its operation with a scan for vulnerabilities, secrets, misconfigurations, and potential phishing domains, utilizing open-source and proprietary tools.
Some of the features that make Mantis stand out are:
Automated discovery, recon, and scan
Distributed scanning (split a single scan across multiple machines)
Scan customization
Dashboard support
Vulnerability management
Advanced alerting
DNS service integration
Integrate new tools (existing and custom) in minutes
“Last year, we explored open-source frameworks our organization can use to monitor assets. We wanted to set up an asset discovery framework that allows us to add custom scripts, enable or disable tools to run based on configs, scale, and deploy the framework across a cluster of VMs. We also wanted to find a way to ingest domains from DNS services into our databases. This led us to create Mantis, an asset discovery framework that could help bug bounty hunters as well as security teams,” Prateek Thakare, lead developer of Mantis, told Help Net Security.
System requirements
Supported OS: Ubuntu, macOS
4GB RAM
2 cores
16GB of storage
Mantis is CPU intensive, so it’s advisable to run it on a dedicated virtual machine.
Future plans and download
“We are planning to have our dashboard making it easier to view and monitor the assets. We will also work on improvising the discovery, recon, and scan process by adding new tools and custom scripts,” Thakare concluded.
Hey 👏 I’m the digital assistance of DISCInfoSec for ISO 27k implementation.
I will try to answer your question. If I don’t know the answer, I will connect you with one my support agents.
Please type your query regarding ISO 27001 implementation 👇
In an unsettling development that emerged late last week, the open-source community was thrust into a state of high alert following the disclosure that XZ Utils, a fundamental compression utility widespread across Linux distributions, had been compromised. This startling revelation has left a significant mark on the open-source ecosystem, prompting a swift and coordinated response from maintainers and security professionals alike.
Discovery of the Backdoor
The initial discovery of the backdoor was made by Andres Freund, a Microsoft software engineer, during routine diagnostics on Debian sid (development) installations. Freund’s investigation, sparked by unusually high CPU usage during SSH logins and accompanying error alerts, led to the identification of the culprit: a malicious insertion within the liblzma library, a core component of the XZ package. This finding was subsequently designated with the vulnerability identifier CVE-2024-3094. Attribution for this calculated insertion has been directed at an individual known as “Jia Tan” (JiaT75 on GitHub), who, through an elaborate scheme of social engineering and the use of sock puppet accounts, gained the trust of the XZ Utils maintainer community. This long-term infiltration underscores the advanced nature of the threat actor involved, pointing towards a highly skilled and resourceful adversary.
Kali Linux (updates between March 26th to March 29th)
Confirmed by OffSec
Affected
Some Arch Linux virtual machine and container images
Confirmed by Arch Linux maintainers
Not Affected
Red Hat Enterprise Linux (RHEL)
Confirmed by Red Hat
Not Affected
Ubuntu
Confirmed by Ubuntu
Not Affected
Linux Mint
Confirmed by Linux Mint
Not Affected
Gentoo Linux
Confirmed by Gentoo Linux
Not Affected
Amazon Linux and Alpine Linux
Confirmed by Amazon Linux and Alpine Linux maintainers
Guidance and Recommendations
In light of these disclosures, affected parties have been advised to approach the situation as a definitive security incident, necessitating a comprehensive review and mitigation process. This includes the diligent examination for any unauthorized access or misuse, the rotation of exposed credentials, and a thorough security audit of systems that might have been compromised during the exposure window.
Insight into the Backdoor Mechanism
The intricacy of the backdoor, embedded within the xz-utils’ liblzma library and manifesting under precise conditions, notably through remote, unprivileged connections to public SSH ports, speaks volumes about the sophistication of the threat actors behind this maneuver. This backdoor not only raises concerns over performance degradation but also poses a significant risk to the integrity and security of the affected systems.
HOW TO DETECT IF YOU ARE A VICTIM
In light of the recent discovery of the CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1, the cybersecurity community has been on high alert. Binarly has introduced a free scanner to identify the presence of this backdoor in affected systems. Below is a detailed tutorial, including examples, on how to use the Binarly Free Scanner to detect the CVE-2024-3094 backdoor in your systems.
STEP 1: UNDERSTANDING THE THREAT
The CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1 poses a significant security risk, potentially allowing unauthorized remote access. It’s crucial to grasp the severity of this issue before proceeding.
Example: Imagine a scenario where an organization’s critical systems are running on a compromised version of XZ Utils, leaving the network vulnerable to attackers who could gain unauthorized access through the backdoor.
STEP 2: ACCESSING THE BINARLY FREE SCANNER
Navigate to XZ.fail, the dedicated website Binarly set up for the scanner.
Example: Open your web browser and type “https://xz.fail” in the address bar to access the Binarly Free Scanner’s homepage.
STEP 3: UTILIZING THE SCANNER
The Binarly Free Scanner uses advanced static analysis to detect the backdoor by examining ifunc transition behaviors in the binaries.
Example: After accessing XZ.fail, you’ll be prompted to upload or specify the path to the binary files you wish to scan. Suppose you want to check a file named example.xz; you would select this file for scanning through the web interface or command line, depending on the tool’s usage options provided.
STEP 4: INTERPRETING THE RESULTS
Once the scan completes, the scanner will report back on whether the CVE-2024-3094 backdoor was detected in the scanned files.
Example: If the scanner finds the backdoor in example.xz, it might display a message such as “Backdoor Detected: CVE-2024-3094 present in example.xz”. If no backdoor is found, a message like “No Backdoor Detected: Your files are clean” would appear.
STEP 5: TAKING ACTION
If the scanner detects the backdoor, immediate action is required to remove the compromised binaries and replace them with secure versions.
Example: For a system administrator who finds the backdoor in example.xz, the next steps would involve removing this file, downloading a secure version of XZ Utils from a trusted source, and replacing the compromised file with this clean version.
STEP 6: CONTINUOUS VIGILANCE
Regularly scan your systems with the Binarly Free Scanner and other security tools to ensure no new threats have compromised your binaries.
Example: Set a monthly reminder to use the Binarly Free Scanner on all critical systems, especially after installing updates or adding new software packages, to catch any instances of the CVE-2024-3094 backdoor or other vulnerabilities.
The Binarly Free Scanner is a powerful tool in the fight against the CVE-2024-3094 backdoor, offering a reliable method for detecting and addressing this significant threat. By following these steps and incorporating the examples provided, users can effectively safeguard their systems from potential compromise.
The accidental discovery of this backdoor by Freund represents a crucial turning point, underscoring the importance of vigilant and proactive security practices within the open-source domain. This incident serves as a stark reminder of the vulnerabilities that can arise in even the most trusted components of the digital infrastructure. It has sparked a renewed debate on the necessity for enhanced security protocols and collaborative efforts to safeguard crucial open-source projects against increasingly sophisticated threats.
In the aftermath, the open-source community and its stewards are called upon to reassess their security posture, emphasizing the need for comprehensive auditing, transparent communication, and the adoption of robust security measures to prevent future compromises. This incident not only highlights the vulnerabilities inherent in the digital landscape but also the resilience and collaborative spirit of the open-source community in responding to and mitigating such threats.
Cloud Active Defense is an open-source solution that integrates decoys into cloud infrastructure. It creates a dilemma for attackers: risk attacking and being detected immediately, or avoid the traps and reduce their effectiveness. Anyone, including small companies, can use it at no cost and start receiving high-signal alerts.
Where honeypots are good at detecting lateral movement once the initial application has been compromised, Cloud Active Defense brings the deception directly into that initial application.
“We do this by injecting decoys into HTTP responses. These decoys are invisible to regular users and very tempting to attackers. This creates a situation where attackers must constantly guess: is that a trap or an exploitation path? This guessing slows down the attack operation and can lead attackers to ignore valid attack vectors as they suspect them to be traps. Furthermore, since the application’s replies cannot be 100% trusted anymore, find-tuning your exploit payload becomes painful,” Cédric Hébert, CISO – Innovation at SAP and developer of Cloud Active Defense, told Help Net Security.
Future plans and download
“In the short term, we plan to make it easy to ingest the generated alerts to a SIEM system for faster response. We also plan to release code to make it simple to deploy on a Kubernetes cluster, where each application can be configured independently. In the mid-term, we want to work on proposing response strategies: surely, banning the IP address can be an option, but what we envision is, upon detection, to give the possibility to route the active session to a clone of the application where no more harm can be done,” Hebert concluded.
Cloud Active Defense is available for free on GitHub.
One of the primary concerns regarding data privacy is the potential for breaches and unauthorized access. Whether it’s financial records, medical histories, or personal communications, individuals have a right to control who can access their data and for what purposes.
In this Help Net Security round-up, we present parts of previously recorded videos in which security experts discuss various aspects of data privacy and protection.
Complete videos
Stephen Cavey, Chief Evangelist at Ground Labs, talks about how businesses and job seekers are not only prioritizing data privacy but using it as a competitive advantage in this rivalrous landscape.
Dana Morris, SVP Product and Engineering at Virtru, talks about privacy-preserving cryptography.
Kris Lahiri, CSO at Egnyte, believes data privacy violations cast a long shadow and takes a closer look at the lasting consequences.
Karen Schuler, Global Privacy & Data Protection Chair at BDO, discusses overconfidence in data privacy and data protection practices.
Romain Deslorieux, Global Director, Strategic Partnerships at Thales, discusses what companies should be planning based on current regulations and what steps they can take to prepare for the future.
Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.
However, this shift towards a more interconnected digital ecosystem has not come without its risks.
According to the “2024 State of SaaS Security Report” by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.
The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.
From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.
Supply Chain Attacks: A Domino Effect
Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.
The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actors’ targeted attack on JumpCloud’s clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.
The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.
The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.
MFA Bypassing And Token Theft
Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.
Additionally, the report points to a concerning trend of token theft, with many unused tokens creating unnecessary risk exposure for many organizations.
Looking Ahead: SaaS Threat Forecast For 2024
As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.
The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.
Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.
Practical Tips For Enhancing SaaS Security
The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.
Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organization’s SaaS security.
The “2024 State of SaaS Security Report” by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.
With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.
As the digital landscape continues to evolve, so must our approaches to protect it.
Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and education.
The latest update, Wireshark 4.2.4, includes a host of fixes and updates to further cement its position as the go-to tool for network professionals and enthusiasts alike.
This release underscores the Wireshark Foundation’s commitment to advancing protocol analysis education, a mission supported by contributions from the global community.
Addressing Vulnerabilities And Enhancements
Fixed Vulnerabilities
The Wireshark team has diligently addressed several vulnerabilities in this release, notably:
wnpa-sec-2024-06 T.38 Dissector Crash (CVE-2024-2955):A critical fix that prevents crashes related to the T.38 protocol dissection, enhancing the stability and security of the application.
The Wireshark team has contested these, stating they are based on invalid assumptions, and has requested their rejection, showcasing the team’s proactive stance on security matters.
Bug Fixes
The 4.2.4 update addresses a variety of bugs, improving user experience and software reliability:
Issues with Extcap configuration not starting and TLS secrets injection causing crashes on Windows have been resolved.
To ensure smoother operation and analysis, fixes have been made for packet dissection CSV export, HTTP dissector port addition, and various fuzz job issues.
An error related to adding new rows to tables has been corrected alongside the ‘–export-objects’ functionality in shark versions later than 3.2.10.
Protocol And Feature Updates
While this release does not introduce new features or protocols, it significantly updates support for many existing protocols, including but not limited to 5GLI, BGP, DHCPv6, and ZigBee ZCL.
This comprehensive update ensures that Wireshark remains at the forefront of protocol analysis, capable of handling the latest network communication standards.
Installation And Support
Wireshark 4.2.4 can be downloaded from the official Wireshark website, and detailed instructions for installation across various platforms are available.
Manual installation of this update is required for users upgrading from versions 4.2.0 or 4.2.1 on Windows.
Most Linux and Unix distributions provide Wireshark packages through their native package management systems, making installation or upgrade seamless.
For specific file locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries, users can refer to the Help section within Wireshark or use the tshark -G folders command.
Wireshark 4.2.4 exemplifies the ongoing dedication of the Wireshark Foundation and its global community to enhance the utility and security of the world’s premier network protocol analyzer.
This release ensures that Wireshark remains an indispensable tool for network professionals and enthusiasts by addressing critical vulnerabilities, fixing bugs, and updating protocol support.
As the project continues to evolve, the support and contributions from the community remain vital to its success.
On an unexpected Tuesday, the collision of a container ship with the Francis Scott Key Bridge in Baltimore not only disrupted the normal flow of traffic and commerce but also sparked a vigorous debate on the potential causes of this incident. Among the various theories proposed, the role of cybersecurity—or the lack thereof—has emerged as a focal point of discussion. This event has served as a catalyst for a broader examination of cybersecurity practices within the maritime industry, revealing both vulnerabilities and the sometimes-overlooked factors that suggest other causes for such incidents. In the digital age, the maritime industry’s reliance on technology for navigation, communication, and operational functions has grown exponentially. This shift towards digitalization, while beneficial in terms of efficiency and connectivity, has also increased the sector’s exposure to cyber threats. Systems that control navigation, cargo handling, and engine operations are all potential targets for cyberattacks, which can lead to severe safety and financial risks.
EVALUATING THE POTENTIAL FOR A CYBERSECURITY BREACH
In recent years, the maritime industry has increasingly embraced technology, relying on digital systems for navigation, communication, and operational functions. This digital transformation has enhanced efficiency and connectivity but has also exposed the sector to cyber threats. Cyberattacks can target systems controlling navigation, cargo handling, and even the engines of these colossal vessels, posing a significant risk to safety and commerce.
Could Cybersecurity Have Been a Factor in the Baltimore Incident?
To understand whether a cybersecurity breach could have led to the collision with the Francis Scott Key Bridge, it is essential to consider several factors:
Navigation Systems Vulnerability: Modern ships use sophisticated navigation systems like the Automatic Identification System (AIS) and the Electronic Chart Display and Information System (ECDIS). If these systems were compromised, it could lead to inaccurate positioning information or erroneous navigational instructions.
Operational Control Systems: Beyond navigation, ships rely on complex systems for operational control, including engine management and steering control. A cyberattack on these systems could impair a vessel’s ability to maneuver, potentially leading to accidents.
Human Error vs. Cyber Intrusion: Distinguishing between human error and the consequences of a cyberattack can be challenging. Incidents might initially appear as operational or navigational errors but later investigations could uncover tampering with digital systems.
Historical Precedents: The maritime industry has witnessed cyberattacks before, such as the 2017 cyberattack on the shipping giant Maersk, which led to significant operational disruptions. These precedents highlight the plausibility of cybersecurity breaches leading to physical incidents.
While the possibility of a cybersecurity breach cannot be dismissed outright, several arguments suggest that other factors could be more plausible:
Technical Safeguards and Redundancies
Maritime vessels are equipped with numerous technical safeguards and redundant systems designed to prevent total system failure in case of a cyber intrusion. These include manual overrides for navigation and control systems, allowing crew members to maintain control over the vessel even if digital systems are compromised. Such safeguards can mitigate the impact of a cyber attack on a ship’s operational capabilities.
Cybersecurity Protocols and Training
The maritime industry has been increasingly aware of the potential cyber threats and has implemented stringent cybersecurity protocols and training for crew members. These measures are aimed at preventing unauthorized access and ensuring the integrity of the ship’s systems. Crews are trained to recognize and respond to cybersecurity threats, reducing the likelihood of a successful cyber attack impacting vessel navigation or control systems.
Physical Factors and Human Error
Many maritime incidents are the result of physical factors or human error rather than cyber attacks. These can include adverse weather conditions, navigational errors, mechanical failures, and miscommunication among crew members. Such factors have historically been the most common causes of maritime accidents and cannot be overlooked in any thorough investigation.
Complexity of Executing a Targeted Cyber Attack
Executing a cyber attack that leads to a specific outcome, such as causing a ship to collide with a bridge, requires an intimate knowledge of the vessel’s systems, current position, and intended course. It also necessitates overcoming the vessel’s cybersecurity measures without detection. The complexity and specificity of such an attack make it a less likely cause of maritime incidents compared to more conventional explanations.
Lack of Evidence Indicating a Cyber Attack
In the absence of specific evidence pointing to a cyber intrusion, such as anomalies in the ship’s digital systems, unauthorized access logs, or the presence of malware, it is prudent to consider other more likely causes. Cybersecurity investigations involve detailed analysis of digital footprints and system logs, and without concrete evidence suggesting a cyber attack, attributing the incident to such a cause would be speculative.
THE PATH FORWARD: STRENGTHENING CYBERSECURITY WHILE ACKNOWLEDGING OTHER RISKS
Regardless of whether a cyberattack played a role in the Baltimore bridge incident, this event underscores the importance of robust cybersecurity practices in the maritime industry. Enhancing cyber defenses, conducting regular security assessments, and training personnel in cybersecurity awareness are crucial steps in safeguarding maritime operations.
However, it is equally important to recognize and mitigate the non-cyber risks that ships face. A comprehensive approach to safety and security, encompassing both cyber and traditional factors, is essential for protecting the maritime industry against a wide range of threats.
The collision of a container ship with the Francis Scott Key Bridge has highlighted the critical role of cybersecurity in modern maritime operations, while also reminding us of the myriad other factors that can lead to such incidents. As the investigation into this event continues, the maritime industry must take a holistic view of security, embracing both digital and physical measures to ensure the safety of its operations in an increasingly complex and interconnected world.
“Our thoughts and prayers are with the U.S. Coast Guard Sector NCR, multiple first responders, and all those affected by the tragic incident at the Francis Scott Key Bridge in Baltimore. According to reports, a 948-foot Singapore-flagged containership collided with the bridge causing it to collapse, with persons reported to be in the water.”
Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain.
The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organizations.
This article delves into the attack campaign, its impact on victims, the tactics, techniques, and procedures (TTPs) employed by the threat actors, and the critical findings from Checkmarx’s investigation.
Attack Campaign Description
The core of this malicious campaign revolves around an attacker’s ability to combine several TTPs to launch a silent attack on the software supply chain, specifically targeting the Python ecosystem.
By creating multiple malicious open-source tools with enticing descriptions, the attackers lured victims into their trap, primarily through search engines.
Python mirror -files.pythonhosted.org
The campaign’s sophistication is evident in distributing a malicious dependency hosted on a fake Python infrastructure, which was then linked to popular projects on GitHuband legitimate Python packages.
A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.
Dief encountered a suspicious error message while working on his laptop, the first sign of the compromise, leading to the realization that his system had been hacked.
Victims And Impact
Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.
The attackers managed to hijack GitHub accounts with high reputations, including that of “editor-syntax,” a maintainer with write permissions to Top.gg’s repositories.
The Top.gg community (which boasts over 170K members) was also a victim of this attack
This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.
The attack’s impact is far-reaching, affecting individual developers and larger communities alike.
Social engineering schemes, account takeovers, and malicious packages published on the PyPi registry have underscored the software supply chain’s vulnerability to such sophisticated attacks.
The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.
The campaign appears to have successfully exploited multiple victims.
Threat Actors And TTPs
The threat actors behind this campaign demonstrated high sophistication and planning.
They employed a range of TTPs, including:
Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPi registry, they could distribute malware under the guise of legitimate software.
Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.
By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.
“The malicious payload delivered through these packages is designed to harvest sensitive information, including passwords, credentials, and data from various software applications.
Malicious Package
The malware targets web browsers, Discord, cryptocurrency wallets, and Telegram, and even includes a keylogging component to capture victims’ keystrokes.
The final stage of the malware reveals its data-stealing capabilities, targeting not only personal and financial information but also attempting to gain unauthorized access to victims’ social media and communication platforms.
This attack campaign highlights the critical vulnerabilities within the software supply chain, particularly in open-source ecosystems like Python’s.
The sophistication and success of the attackers in exploiting these vulnerabilities underscore the need for heightened vigilance and robust security practices among developers and organizations.
Through continuous monitoring, collaboration, and information sharing, the cybersecurity community can mitigate risks and protect the integrity of open-source software.
During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams.
During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams, coinciding with a surge in retail and online transactions. Middle Eastern enterprises, facing this heightened risk, are urged to bolster consumer protection and reinforce their brand security.
Notably, in the Kingdom of Saudi Arabia (KSA), consumer spending topped regional charts, exceeding $16 billion. This spike in e-commerce activity has, unfortunately, drawn the attention of cybercriminals who exploit these platforms to execute scams, leading to substantial financial repercussions for both consumers and businesses. The estimated total financial impact of these activities ranges between $70 and $100 million, accounting for frauds perpetrated against expatriates, residents, and foreign visitors.
Due to continued efforts in brand protection for many clients in the Middle East, Resecurity has effectively blocked over 320 fraudulent resources that were impersonating key logistics providers and e-government services. Cybercriminals are aggressively exploiting platforms such as Sadad, Musaned, Ajeer, Ejar, and well-known logistics services to deceive internet users and draw them into different scams. It is strongly advised to refrain from sharing personal and payment information on questionable sites or with individuals posing as bank or government employees.
The malicious actors utilize cloud-based hosting services like Softr, Netlify, and Vercel, which offer pre-defined templates, to create websites using AI. This method allows them to scale their operations efficiently, saving time and effort while rapidly generating new fraudulent sites at an unprecedented rate.
The full report published by Resecurity is available here:
Interested in discovering how Python can bolster your abilities in safeguarding digital assets? Delve into the potential of Python for cybersecurity.
In the current digital era, cybersecurity holds greater significance than ever before. Python, renowned for its versatility and resilience, has emerged as a fundamental tool for cybersecurity professionals globally.
🔹 How Python can streamline threat detection and analysis. 🔹 Practical examples of Python scripts for automating security tasks. 🔹 Resources and tools to kickstart your journey into Python for cybersecurity.
Regardless of whether you’re an experienced cybersecurity professional or new to the field, Python has the potential to transform your approach to security challenges.
Continuous Threat Exposure Management (CTEM) is an evolving cybersecurity practice focused on identifying, assessing, prioritizing, and addressing security weaknesses and vulnerabilities in an organization’s digital assets and networks continuously. Unlike traditional approaches that might assess threats periodically, CTEM emphasizes a proactive, ongoing process of evaluation and mitigation to adapt to the rapidly changing threat landscape. Here’s a closer look at its key components:
Identification: CTEM starts with the continuous identification of all digital assets within an organization’s environment, including on-premises systems, cloud services, and remote endpoints. It involves understanding what assets exist, where they are located, and their importance to the organization.
Assessment: Regular and ongoing assessments of these assets are conducted to identify vulnerabilities, misconfigurations, and other security weaknesses. This process often utilizes automated scanning tools and threat intelligence to detect issues that could be exploited by attackers.
Prioritization: Not all vulnerabilities pose the same level of risk. CTEM involves prioritizing these weaknesses based on their severity, the value of the affected assets, and the potential impact of an exploit. This helps organizations focus their efforts on the most critical issues first.
Mitigation and Remediation: Once vulnerabilities are identified and prioritized, CTEM focuses on mitigating or remedying these issues. This can involve applying patches, changing configurations, or implementing other security measures to reduce the risk of exploitation.
Continuous Improvement: CTEM is a cyclical process that feeds back into itself. The effectiveness of mitigation efforts is assessed, and the approach is refined over time to improve security posture continuously.
The goal of CTEM is to reduce the “attack surface” of an organization—minimizing the number of vulnerabilities that could be exploited by attackers and thereby reducing the organization’s overall risk. By continuously managing and reducing exposure to threats, organizations can better protect against breaches and cyber attacks.
CTEM VS. ALTERNATIVE APPROACHES
Continuous Threat Exposure Management (CTEM) represents a proactive and ongoing approach to managing cybersecurity risks, distinguishing itself from traditional, more reactive security practices. Understanding the differences between CTEM and alternative approaches can help organizations choose the best strategy for their specific needs and threat landscapes. Let’s compare CTEM with some of these alternative approaches:
1. CTEM VS. PERIODIC SECURITY ASSESSMENTS
Periodic Security Assessments typically involve scheduled audits or evaluations of an organization’s security posture at fixed intervals (e.g., quarterly or annually). This approach may fail to catch new vulnerabilities or threats that emerge between assessments, leaving organizations exposed for potentially long periods.
CTEM, on the other hand, emphasizes continuous monitoring and assessment of threats and vulnerabilities. It ensures that emerging threats can be identified and addressed in near real-time, greatly reducing the window of exposure.
2. CTEM VS. PENETRATION TESTING
Penetration Testing is a targeted approach where security professionals simulate cyber-attacks on a system to identify vulnerabilities. While valuable, penetration tests are typically conducted annually or semi-annually and might not uncover vulnerabilities introduced between tests.
CTEM complements penetration testing by continuously scanning for and identifying vulnerabilities, ensuring that new threats are addressed promptly and not just during the next scheduled test.
3. CTEM VS. INCIDENT RESPONSE PLANNING
Incident Response Planning focuses on preparing for, detecting, responding to, and recovering from cybersecurity incidents. It’s reactive by nature, kicking into gear after an incident has occurred.
CTEM works upstream of incident response by aiming to prevent incidents before they happen through continuous threat and vulnerability management. While incident response is a critical component of a comprehensive cybersecurity strategy, CTEM can reduce the likelihood and impact of incidents occurring in the first place.
4. CTEM VS. TRADITIONAL VULNERABILITY MANAGEMENT
Traditional Vulnerability Management involves identifying, classifying, remediating, and mitigating vulnerabilities within software and hardware. While it can be an ongoing process, it often lacks the continuous, real-time monitoring and prioritization framework of CTEM.
CTEM enhances traditional vulnerability management by integrating it into a continuous cycle that includes real-time detection, prioritization based on current threat intelligence, and immediate action to mitigate risks.
KEY ADVANTAGES OF CTEM
Real-Time Threat Intelligence: CTEM integrates the latest threat intelligence to ensure that the organization’s security measures are always ahead of potential threats.
Automation and Integration: By leveraging automation and integrating various security tools, CTEM can streamline the process of threat and vulnerability management, reducing the time from detection to remediation.
Risk-Based Prioritization: CTEM prioritizes vulnerabilities based on their potential impact on the organization, ensuring that resources are allocated effectively to address the most critical issues first.
CTEM offers a comprehensive and continuous approach to cybersecurity, focusing on reducing exposure to threats in a dynamic and ever-evolving threat landscape. While alternative approaches each have their place within an organization’s overall security strategy, integrating them with CTEM principles can provide a more resilient and responsive defense mechanism against cyber threats.
CTEM IN AWS
Implementing Continuous Threat Exposure Management (CTEM) within an AWS Cloud environment involves leveraging AWS services and tools, alongside third-party solutions and best practices, to continuously identify, assess, prioritize, and remediate vulnerabilities and threats. Here’s a detailed example of how CTEM can be applied in AWS:
1. IDENTIFICATION OF ASSETS
AWS Config: Use AWS Config to continuously monitor and record AWS resource configurations and changes, helping to identify which assets exist in your environment, their configurations, and their interdependencies.
AWS Resource Groups: Organize resources by applications, projects, or environments to simplify management and monitoring.
2. ASSESSMENT
Amazon Inspector: Automatically assess applications for vulnerabilities or deviations from best practices, especially important for EC2 instances and container-based applications.
AWS Security Hub: Aggregates security alerts and findings from various AWS services (like Amazon Inspector, Amazon GuardDuty, and IAM Access Analyzer) and supported third-party solutions to give a comprehensive view of your security and compliance status.
3. PRIORITIZATION
AWS Security Hub: Provides a consolidated view of security alerts and findings rated by severity, allowing you to prioritize issues based on their potential impact on your AWS environment.
Custom Lambda Functions: Create AWS Lambda functions to automate the analysis and prioritization process, using criteria specific to your organization’s risk tolerance and security posture.
4. MITIGATION AND REMEDIATION
AWS Systems Manager Patch Manager: Automate the process of patching managed instances with both security and non-security related updates.
CloudFormation Templates: Use AWS CloudFormation to enforce infrastructure configurations that meet your security standards. Quickly redeploy configurations if deviations are detected.
Amazon EventBridge and AWS Lambda: Automate responses to security findings. For example, if Security Hub detects a critical vulnerability, EventBridge can trigger a Lambda function to isolate affected instances or apply necessary patches.
5. CONTINUOUS IMPROVEMENT
AWS Well-Architected Tool: Regularly review your workloads against AWS best practices to identify areas for improvement.
Feedback Loop: Implement a feedback loop using AWS CloudWatch Logs and Amazon Elasticsearch Service to analyze logs and metrics for security insights, which can inform the continuous improvement of your CTEM processes.
IMPLEMENTING CTEM IN AWS: AN EXAMPLE SCENARIO
Imagine you’re managing a web application hosted on AWS. Here’s how CTEM comes to life:
Identification: Use AWS Config and Resource Groups to maintain an updated inventory of your EC2 instances, RDS databases, and S3 buckets critical to your application.
Assessment: Employ Amazon Inspector to regularly scan your EC2 instances for vulnerabilities and AWS Security Hub to assess your overall security posture across services.
Prioritization: Security Hub alerts you to a critical vulnerability in an EC2 instance running your application backend. It’s flagged as high priority due to its access to sensitive data.
Mitigation and Remediation: You automatically trigger a Lambda function through EventBridge based on the Security Hub finding, which isolates the affected EC2 instance and initiates a patching process via Systems Manager Patch Manager.
Continuous Improvement: Post-incident, you use the AWS Well-Architected Tool to evaluate your architecture. Insights gained lead to the implementation of stricter IAM policies and enhanced monitoring with CloudWatch and Elasticsearch for anomaly detection.
This cycle of identifying, assessing, prioritizing, mitigating, and continuously improving forms the core of CTEM in AWS, helping to ensure that your cloud environment remains secure against evolving threats.
CTEM IN AZURE
Implementing Continuous Threat Exposure Management (CTEM) in Azure involves utilizing a range of Azure services and features designed to continuously identify, assess, prioritize, and mitigate security risks. Below is a step-by-step example illustrating how an organization can apply CTEM principles within the Azure cloud environment:
STEP 1: ASSET IDENTIFICATION AND MANAGEMENT
Azure Resource Graph: Use Azure Resource Graph to query and visualize all resources across your Azure environment. This is crucial for understanding what assets you have, their configurations, and their interrelationships.
Azure Tags: Implement tagging strategies to categorize resources based on sensitivity, department, or environment. This aids in the prioritization process later on.
STEP 2: CONTINUOUS VULNERABILITY ASSESSMENT
Azure Security Center: Enable Azure Security Center (ASC) at the Standard tier to conduct continuous security assessments across your Azure resources. ASC provides security recommendations and assesses your resources for vulnerabilities and misconfigurations.
Azure Defender: Integrated into Azure Security Center, Azure Defender provides advanced threat protection for workloads running in Azure, including virtual machines, databases, and containers.
STEP 3: PRIORITIZATION OF RISKS
ASC Secure Score: Use the Secure Score in Azure Security Center as a metric to prioritize security recommendations based on their potential impact on your environment’s security posture.
Custom Logic with Azure Logic Apps: Develop custom workflows using Azure Logic Apps to prioritize alerts based on your organization’s specific criteria, such as asset sensitivity or compliance requirements.
STEP 4: AUTOMATED REMEDIATION
Azure Automation: Employ Azure Automation to run remediation scripts or configurations management across your Azure VMs and services. This can be used to automatically apply patches, update configurations, or manage access controls in response to identified vulnerabilities.
Azure Logic Apps: Trigger automated workflows in response to security alerts. For example, if Azure Security Center identifies an unprotected data storage, an Azure Logic App can automatically initiate a workflow to apply the necessary encryption settings.
STEP 5: CONTINUOUS MONITORING AND INCIDENT RESPONSE
Azure Monitor: Utilize Azure Monitor to collect, analyze, and act on telemetry data from your Azure resources. This includes logs, metrics, and alerts that can help you detect and respond to threats in real-time.
Azure Sentinel: Deploy Azure Sentinel, a cloud-native SIEM service, for a more comprehensive security information and event management solution. Sentinel can collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
STEP 6: CONTINUOUS IMPROVEMENT AND COMPLIANCE
Azure Policy: Implement Azure Policy to enforce organizational standards and to assess compliance at scale. Continuous evaluation of your configurations against these policies ensures compliance and guides ongoing improvement.
Feedback Loops: Establish feedback loops using the insights gained from Azure Monitor, Azure Security Center, and Azure Sentinel to refine and improve your security posture continuously.
EXAMPLE SCENARIO: SECURING A WEB APPLICATION IN AZURE
Let’s say you’re managing a web application hosted in Azure, utilizing Azure App Service for the web front end, Azure SQL Database for data storage, and Azure Blob Storage for unstructured data.
Identification: You catalog all resources related to the web application using Azure Resource Graph and apply tags based on sensitivity and function.
Assessment: Azure Security Center continuously assesses these resources for vulnerabilities, such as misconfigurations or outdated software.
Prioritization: Based on the Secure Score and custom logic in Azure Logic Apps, you prioritize a detected SQL injection vulnerability in Azure SQL Database as critical.
Mitigation: Azure Automation is triggered to isolate the affected database and apply a patch. Concurrently, Azure Logic Apps notifies the security team and logs the incident for review.
Monitoring: Azure Monitor and Azure Sentinel provide ongoing surveillance, detecting any unusual access patterns or potential breaches.
Improvement: Insights from the incident lead to a review and enhancement of the application’s code and a reinforcement of security policies through Azure Policy to prevent similar vulnerabilities in the future.
By following these steps and utilizing Azure’s comprehensive suite of security tools, organizations can implement an effective CTEM strategy that continuously protects against evolving cyber threats.
IMPLEMENTING CTEM IN CLOUD ENVIRONMENTS LIKE AWS AND AZURE
Implementing Continuous Threat Exposure Management (CTEM) in cloud environments like AWS and Azure involves a series of strategic steps, leveraging each platform’s unique tools and services. The approach combines best practices for security and compliance management, automation, and continuous monitoring. Here’s a guide to get started with CTEM in both AWS and Azure:
COMMON STEPS FOR BOTH AWS AND AZURE
Understand Your Environment
Catalogue your cloud resources and services.
Understand the data flow and dependencies between your cloud assets.
Define Your Security Policies and Objectives
Establish what your security baseline looks like.
Define key compliance requirements and security objectives.
Integrate Continuous Monitoring Tools
Leverage cloud-native tools for threat detection, vulnerability assessment, and compliance monitoring.
Integrate third-party security tools if necessary for enhanced capabilities.
Automate Security Responses
Implement automated responses to common threats and vulnerabilities.
Use cloud services to automate patch management and configuration adjustments.
Continuously Assess and Refine
Regularly review security policies and controls.
Adjust based on new threats, technological advancements, and changes in the business environment.
IMPLEMENTING CTEM IN AWS
Enable AWS Security Services
Utilize AWS Security Hub for a comprehensive view of your security state and to centralize and prioritize security alerts.
Use Amazon Inspector for automated security assessments to help find vulnerabilities or deviations from best practices.
Implement AWS Config to continuously monitor and record AWS resource configurations.
Automate Response with AWS Lambda
Use AWS Lambda to automate responses to security findings, such as isolating compromised instances or automatically patching vulnerabilities.
Leverage Amazon CloudWatch
Employ CloudWatch for monitoring and alerting based on specific metrics or logs that indicate potential security threats.
IMPLEMENTING CTEM IN AZURE
Utilize Azure Security Tools
Activate Azure Security Center for continuous assessment and security recommendations. Use its advanced threat protection features to detect and mitigate threats.
Implement Azure Sentinel for SIEM (Security Information and Event Management) capabilities, integrating it with other Azure services for a comprehensive security analysis and threat detection.
Automate with Azure Logic Apps
Use Azure Logic Apps to automate responses to security alerts, such as sending notifications or triggering remediation processes.
Monitor with Azure Monitor
Leverage Azure Monitor to collect, analyze, and act on telemetry data from your Azure and on-premises environments, helping you detect and respond to threats in real-time.
BEST PRACTICES FOR BOTH ENVIRONMENTS
Continuous Compliance: Use policy-as-code to enforce and automate compliance standards across your cloud environments.
Identity and Access Management (IAM): Implement strict IAM policies to ensure least privilege access and utilize multi-factor authentication (MFA) for enhanced security.
Encrypt Data: Ensure data at rest and in transit is encrypted using the cloud providers’ encryption capabilities.
Educate Your Team: Regularly train your team on the latest cloud security best practices and the specific tools and services you are using.
Implementing CTEM in AWS and Azure requires a deep understanding of each cloud environment’s unique features and capabilities. By leveraging the right mix of tools and services, organizations can create a robust security posture that continuously identifies, assesses, and mitigates threats.
IT Governance USA’s research found the following for February 2024:
322 publicly disclosed security incidents (45% of all incidents globally)
621,095,066 records known to be breached
This month, globally, 719,366,482 records were known to be breached – 86% of them were in the USA.
This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.
This month is different due to two outlier breaches:
Zenlayer’s publicly exposed database, which contained 384,658,212 records
IT Governance USA’s research found the following for February 2024:
322 publicly disclosed security incidents (45% of all incidents globally)
621,095,066 records known to be breached
This month, globally, 719,366,482 records were known to be breached – 86% of them were in the USA.
This is unusual. Typically, the USA suffers more incidents than any other country, but these tend to lead to a disproportionately low number of records breached.
This month is different due to two outlier breaches:
Zenlayer’s publicly exposed database, which contained 384,658,212 records
*The threat actor provided 100,000 records as a sample.
Free PDF download: Data Breach Dashboard
For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboard:
You can also download this and previous months’ Dashboards as free PDFs here.
This blog provides further analysis of the data we’ve collected. We also provide an annual overview and analyze the longer-term trends in our 2024 overview of publicly disclosed data breaches and cyber attacks in the USA.
You can learn more about our research methodology here.
Note 1: Where ‘around,’ ‘about,’ etc. is reported, we record the rounded number. Where ‘more than,’ ‘at least,’ etc. is reported, we record the rounded number plus one. Where ‘up to,’ etc. is reported, we record the rounded number minus one.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
Proof-of-concept (PoC) exploit code for a critical RCE vulnerability (CVE-2024-25153) in Fortra FileCatalyst MFT solution has been published.
About CVE-2024-25153
Fortra FileCatalyst is an enterprise managed file transfer (MFT) software solution that includes several components: FileCatalyst Direct, Workflow, and Central.
CVE-2024-25153 is a directory traversal vulnerability in FileCatalyst Workflow’s web portal that could allow a remote authenticated threat actor to execute arbitrary code on vulnerable servers.
“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells,” the company noted in the advisory.
The vulnerability was first discovered in August 2023 and patched a few days later in the FileCatalyst version 5.1.6 Build 114, but had no CVE identifier at the time.
The identifier was assigned after Fortra became a CVE Numbering Authority (CNA) in December 2023.
The company and Tom Wedgbury, the security researcher that discovered and reported the flaw, planned its coordinated disclosure in March 2024.
CVE-2024-25153 PoC exploit released
Fortra’s security advisory and Wedgbury’s blog post with technical details and the PoC have been published on Wednesday.
There are currently no indications of the vulnerability being exploited in the wild, but organizations are nevertheless advised to apply the available patch (if they haven’t already).
When a PoC for a critical authentication bypass vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution was recently made public, exploit attempts began soon after.
In late January 2023, the Cl0p ransomware group leveraged a zero-day vulnerability (CVE-2023-0669) in the same solution, and stole data of over 130 victim organizations.
The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.
“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.
The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.
The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.
APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.
Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.
The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 take advantage of the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.
There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.
The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.
“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.
The climax of APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.
“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.
In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.
The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.
These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.
Upon execution, the obfuscated VBS script triggers a PowerShell script, retrieving the final malware payload from legitimate online storage services through a two-step request process.
🚨 An ongoing campaign targeting #LATAM: Attackers are forcing users to initiate infections 🚨
The #attackers impersonate Colombian government agencies (e.g., COLOMBIANA DE MUNICIPIOS) by sending PDFs, accusing the recipients of traffic violations or other legal issues.
According to the ANY.RUN report was shared with GBHackers on Security; initially, the script acquires the payload’s address from resources such as textbin.net. It then proceeds to download and execute the payload from the provided address, which could be hosted on various platforms including cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io.
The attackers’ execution chain follows a sequence from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE).
The culminating payload is identified as one of several known remote access trojans (RATs), specifically AsyncRAT, njRAT, or Remcos.
These malicious programs are notorious for their ability to provide unauthorized remote access to the infected systems, posing significant risks to the victims’ privacy and data security.
Here are some notable samples of this campaign: 1, 2, 3, 4.
sample1
This campaign has been meticulously documented, with over 50 operation samples being analyzed.
Cybersecurity professionals and researchers are encouraged to consult the TI Lookup tool for detailed information on these samples, aiding in identifying and mitigating threats related to this campaign.
The technique demonstrated by the attackers in this campaign is not exclusive to Latin American targets and may be adapted for use against various targets in other regions.
The cybersecurity community is urged to remain vigilant and employ robust security measures to protect against such sophisticated threats.
The term “virtual private network,” or VPN for short, has become almost synonymous with “online privacy and security.” VPNs function by creating an encrypted tunnel through which your data may transit as it moves over the internet. They are designed to protect your privacy and make it impossible for anyone to monitor or access your activity while you are online. But what happens if the same instrument that was supposed to keep your privacy safe turns out to be a conduit for attacks? Introduce yourself to “TunnelCrack,” a frightening discovery that has sent shockwaves across the world of cybersecurity. Nian Xue from New York University, Yashaswi Malla and Zihang Xia from New York University Abu Dhabi, Christina Popper from New York University, and Mathy Vanhoef from KU Leuven University were the ones that carried out the study.
Two serious vulnerabilities in virtual private networks (VPNs) have been discovered by a research team . These vulnerabilities had been dormant since 1996. It is possible to leak and read user traffic, steal information, or even conduct attacks on user devices by exploiting these vulnerabilities, which are present in practically every VPN product across all platforms. TunnelCrack is a combination of two common security flaws found in virtual private networks (VPNs). Even though a virtual private network (VPN) is designed to safeguard all of the data that a user sends, these attacks are able to circumvent this security. An enemy, for example, may take advantage of the security flaws to steal information from users, read their communications, attack their devices, or even just spill it all. Regardless of the security protocol that is utilized by the VPN, the uncovered flaws may be exploited and used maliciously. In other words, even Virtual Private Networks (VPNs) that claim to utilize “military grade encryption” or that use encryption methods that they themselves invented are vulnerable to attack. When a user joins to an unsecured Wi-Fi network, the initial set of vulnerabilities, which they refer to as LocalNet attacks, is susceptible to being exploited. The second group of vulnerabilities, which are known as ServerIP attacks, are susceptible to being exploited by shady Internet service providers as well as by unsecured wireless networks. Both of these attacks involve manipulating the routing table of the victim in order to deceive the victim into sending traffic outside the secured VPN tunnel. This enables an adversary to read and intercept the data that is being sent.
The video that may be seen below demonstrates three different ways in which an attacker might take advantage of the disclosed vulnerabilities. In the first step of the attack, the LocalNet vulnerability is exploited to force the target to leak communications. This is used to intercept sensitive information that is being transferred to websites that do not have enough security, such as the victim’s account and password being exposed. They also demonstrate how an adversary may determine which websites a user is accessing, which is something that is not generally achievable when utilizing a virtual private network (VPN). Last but not least, a modification of the LocalNet attack is used in order to prevent a surveillance camera from alerting its user to any unexpected motion.
As the demonstration indicates, the vulnerabilities in the VPN may be exploited to trivially leak traffic and identify the websites that an individual is accessing. In addition, any data that is transferred to websites with inappropriate configurations or that is supplied by applications that are not secure may be intercepted.
Users may protect themselves by keeping the software for their VPNs up to date. Additionally, any data that is transferred cannot be stolen if a website is correctly set using HTTP Strict Transport protection (HSTS) to always utilize HTTPS as an additional layer of protection. These days, around 25 percent of websites are built in this manner. In addition, a few of browsers will now display a warning to the user if HTTPS is not being utilized. Last but not least, while they are not always error-free, most current mobile applications employ HTTPS by default and, as a result, also use this additional security.
In addition to being exploited to attack websites, virtual private networks (VPNs) sometimes defend outdated or less secure protocols, which presents an additional danger. These attacks now make it possible for an adversary to circumvent the security provided by a virtual private network (VPN), which means that attackers may target any older or less secure protocols that are used by the victim, such as RDP, POP, FTP, telnet, and so on.
LocalNet Attacks
The adversary in a LocalNet attack pretends to be a hostile Wi-Fi or Ethernet network, and they deceive the victim into joining to their network by using social engineering techniques. Cloning a well-known Wi-Fi hotspot, such as the one offered by “Starbucks,” is a straightforward method for achieving this goal. As soon as a victim establishes a connection to this malicious network, the attacker allots the victim a public IP address as well as a subnet. An illustration of this may be seen in the graphic below; the objective of the opponent in this case is to prevent traffic from reaching the website target.com: The website target.com, which can be seen in the picture to the right, uses the IP address 1.2.3.4. The adversary will convince the victim that the local network is utilizing the subnet 1.2.3.0/24 in order to intercept traffic that is headed toward this website. The victim is told, in other words, that IP addresses in the range 1.2.3.1-254 are immediately accessible inside the local network. A web request will be sent to the IP address 1.2.3.4 if the victim navigates to target.com at this time. The victim will submit the web request outside the secured VPN tunnel because it believes that this IP address is immediately available inside the local network.
An adversary may potentially leak practically all of the victim’s traffic by assigning bigger subnets to the local network they have access to. In addition, although while the LocalNet attack’s primary objective is to send data outside the VPN tunnel, it may also be exploited in such a way as to prevent some traffic from passing through while the VPN is in operation.
ServerIP Attacks
In order to execute a ServerIP attack, the attacker has to have the ability to spoof DNS responses before the VPN is activated, and they also need to be able to monitor traffic going to the VPN server. Acting as a hostile Wi-Fi or Ethernet network is one way to achieve this goal; in a manner similar to the LocalNet attacks, this may also be done. The attacks may also be carried out via an Internet service provider (ISP) that is hostile or by a core Internet router that has been hacked.
The fundamental premise is that the attacker will attempt to impersonate the VPN server by forging its IP address. An attacker may fake the DNS answer to have a different IP address if, for instance, the VPN server is recognized by the hostname vpn.com but its actual IP address is 2.2.2.2. An illustration of this may be seen in the following image, in which the adversary’s objective is to intercept communication sent towards target.com, which has the IP address 1.2.3.4:
The attacker begins by forging the DNS reply for vpn.com such that it returns the IP address 1.2.3.4. This IP address is identical to the IP address of target.com. To put it another way, if you wish to leak traffic towards a certain IP address, you fake that address. After that, the victim will connect to the VPN server that is located at 1.2.3.4. This traffic is then redirected to the victim’s actual VPN server by the adversary, who does this to ensure that the victim is still able to successfully build a VPN connection. As a consequence of this, the victim is still able to successfully build the VPN tunnel even if they are using the incorrect IP address while connecting to the VPN server. In addition to this, the victim will implement a routing rule that will direct all traffic destined for 1.2.3.4 to be routed outside of the VPN tunnel.
A web request is now made to 1.2.3.4 whenever the victim navigates to target.com on their web browser. This request is routed outside of the secured VPN tunnel because of the routing rule that prevents packets from being re-encrypted when they are submitted to the VPN server. As a direct consequence of this, the web request is exposed.
The built-in VPN clients of Windows, macOS, and iOS were discovered to have security flaws by this study. Android versions 12 and above are not impacted by this issue. A significant portion of Linux-based virtual private networks (VPNs) are also susceptible. In addition, they discovered that the majority of OpenVPN profiles, when used with a VPN client that is susceptible to vulnerabilities, utilize a hostname to identify the VPN server, which may lead to behavior that is susceptible to vulnerabilities.
In order to keep customers safe, they worked together with CERT/CC and a number of other VPN providers to develop and release security upgrades over the course of a coordinated disclosure period of ninety days. Mozilla VPN, Surfshark, Malwarebytes, Windscribe (which can import OpenVPN profiles), and Cloudflare’s WARP are a few examples of VPNs that have been updated with patches. You can protect yourself against the LocalNet attack even if updates for your VPN are not currently available by turning off connection to your local network. You may further reduce the risk of attacks by ensuring that websites utilize HTTPS, a protocol that is supported by the majority of websites today.
