InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Barracuda Email Security Gateway (ESG) Appliance has been discovered with an Arbitrary code Execution vulnerability exploited by a China Nexus threat actor tracked as UNC4841.
Additionally, the vulnerability targeted only a limited number of ESG devices.
However, Barracuda has deployed a security update to all the active ESGs to address this vulnerability, and has been automatically applied to all the devices, which does not require any action from the user.
The new vulnerability has been assigned to CVE-2023-7102, and the severity is yet to be categorized.
Chinese Hackers Exploit New Zero-Day
This vulnerability exists due to using a third-party library, “Spreadsheet::ParseExcel,” in the Barracuda ESG appliances.
This open-source third-party library is vulnerable to arbitrary code execution that can be exploited by sending a specially crafted Excel email attachment to the affected device.
The Chinese Nexus threat actors have been using this vulnerability to deploy new variants of SEASPY and SALTWATER malware to the affected devices.
However, Barracuda has patched these vulnerabilities accordingly. Moreover, Barracuda stated, “Barracuda has filed CVE-2023-7102 about Barracuda’s use of Spreadsheet::ParseExcel which has been patched”.
Another vulnerability, CVE-2023-7101, affected the same spreadsheet: ParseExcel, and no patches or updates were available.
Nevertheless, both of these vulnerabilities were associated with a previously discovered vulnerability, CVE-2023-2868, that was exploited by the same threat group in May and June 2023.
Furthermore, a complete report about these vulnerabilities, along with additional information, has been published, which provides detailed information about this vulnerability and the previously discovered vulnerabilities.
Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing DDoS bot and CoinMiner.
Researchers at AhnLab Security Emergency Response Center (ASEC) are warning about attacks targeting poorly managed Linux SSH servers, primarily focused on installing DDoS bots and CoinMiners.
In the reconnaissance phase, the threat actors perform IP scanning to look for servers with the SSH service, or port 22 activated, then launch a brute force or dictionary attack to obtain the ID and password.
Threat actors can also install malware to scan, perform brute force attacks, and sell breached IP and account credentials on the dark web.
Common malware used in attacks against poorly managed Linux SSH servers include ShellBot [1][2], Tsunami[3], ChinaZ DDoS Bot [4], and XMRig CoinMiner [5].
Once successfully logged in, the threat actor first executed the following command to check the total number of CPU cores.
> grep -c ^processor /proc/cpuinfo
“The execution of this command signifies that the threat actor has obtained the account credentials. Afterward, the threat actor logged in again using the same account credentials and downloaded a compressed file.” reads the analysis published by ASEC. “The compressed file contains a port scanner and an SSH dictionary attack tool. Additionally, commands accidentally typed by the threat actor can be seen, such as “cd /ev/network” and “unaem 0a”.”
These researchers believe that the tools employed in the attacks are based on the ones that have been created by the PRG old Team. Each threat actor created its custom version of the tools by modifying them.
The researchers recommend administrators should use strong passwords that are difficult to guess and change them periodically. These measures should protect the Linux SSH servers from brute force attacks and dictionary attacks. The experts also recommend updating to the latest patch to prevent attacks exploiting known vulnerabilities.
“Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.” concludes the report.
Cloud security is a critical aspect of modern computing, as businesses and individuals increasingly rely on cloud services to store, process, and manage data. Cloud computing offers numerous benefits, including scalability, flexibility, and cost efficiency, but it also introduces unique security challenges that need to be addressed to ensure the confidentiality, integrity, and availability of sensitive information.
In this Help Net Security round-up, we present segments from previously recorded videos in which security experts share their insights and experiences, shedding light on critical aspects of cloud security.
Complete videos
Paul Calatayud, CISO at Aqua Security, talks about cloud native security and the problem with the lack of understanding of risks to this environment.
Jane Wong, VP of Security Products at Splunk, talks about challenges organizations are facing to secure their multicloud environments.
Keith Nakasone, Federal Strategist at VMware, discusses how government agencies can scale the use of multicloud environments for mission success.
Dimitri Sirota, CEO at BigID, discusses how companies are unprepared to deal with the unique challenges of securing data in the cloud.
Andrew Slater, Practice Director – Cloud at Node4, talks about how organizations have encountered challenges in getting the final 20-30% of their production workloads into public cloud environments and addresses the cybersecurity implications.
Whether you’re a large or small business, network security is something you can’t ignore.
Threat actors can and will, infiltrate businesses of any size wreaking havoc on computer systems, maliciously encrypting data, and in some cases completely destroying a company’s ability to stay in business.
While the latter situation isn’t that common, there have been several recent instances where poor network security has led to significant security breaches.
Consider the Uber breach QAwZ from September 2022, where an MFA fatigue attack led to a breach of Uber’s systems.
A similar attack led to a breach of CISCO’s systems, and Activision ended up being hacked after an SMS phishing attack, which reportedly led to a significant data breach of Activision’s IP and employee data.
These breaches signal the need for better network security practices, and they also show how single security measures are not enough.
All of the breaches mentioned above happened because of a weakness in each company’s MFA practices, but they could’ve been mitigated by other security measures including zero trust granular access rules.
Organizations of all sizes need a network security strategy with modern, cloud-based tools and technologies to stay secure:
Single Sign-On (SSO) With Multi-Factor Authentication (MFA)
Before we even get to network security, organizations should deploy a Single Sign-On (SSO) identity provider with Multi-Factor Authentication (MFA) support.
SSO allows users to access multiple applications using one login.
This makes it easier for users to integrate network security practices into their daily routine without much friction, while the IT team has a much easier time keeping everyone organized.
MFA, meanwhile, adds an extra layer of security by requiring users to provide two or more pieces of evidence to prove their identity.
This is typically a username and password, followed by a one-time code, or biometric authentication such as a fingerprint or facial recognition.
Under an MFA scheme, you can require just a second authentication factor or multiple depending on the level of security you need and your threat model.
SSO with MFA also reduces the risk of password-related security incidents, such as password theft or reuse.
It also makes it harder for hackers to access your network since they have to not only steal the password but somehow obtain the second or even third factor to finally break in.
But as we mentioned at the beginning of this article there are ways to get around MFA security measures, so how do you make sure that doesn’t happen?
It starts with training and clearly defined policies that convey to employees that IT teams and outside security contractors will never ask them for their MFA security codes.
Second, you can increase the difficulty of MFA for higher privileged accounts such as a number-based challenge that requires the user to see both sets of numbers to correctly answer the MFA challenge.
Biometric measures can also be effective as long as employees understand they should never authorize an MFA request they didn’t initiate.
SMTP stands for Simple Mail Transfer Protocol. It’s a protocol used for sending emails across the Internet. SMTP operates on a push model, where the sending server pushes the email to a receiving server or an intermediary mail server. Here are some basic concepts associated with SMTP:
Sending and Receiving Servers: SMTP involves at least two servers: the sending mail server and the receiving mail server. The sending server initiates the process.
SMTP Ports: Commonly, SMTP uses port 25 for non-encrypted communication and port 587 for encrypted communication (STARTTLS). Some servers also use port 465 for SSL/TLS encrypted communication.
SMTP Commands and Responses: SMTP communication is based on commands and responses. Common commands include HELO (or EHLO for Extended SMTP), MAIL FROM to specify the sender, RCPT TO for the recipient, and DATA for the body of the email. Responses from the server indicate success or failure of these commands.
MIME (Multipurpose Internet Mail Extensions): Although SMTP is limited to sending text, MIME standards enable SMTP to send other types of data like images, audio, and video by encoding them into text format.
SMTP Authentication: This is used to authenticate a user who wants to send an email. It helps in preventing unauthorized access to the email server.
SMTP Relay: This refers to the process of transferring an email from one server to another. When an SMTP server forwards an email to another server for further delivery, it’s called relaying.
SMTP in Email Clients: Email clients (like Outlook, Thunderbird) use SMTP to send emails. These clients require configuration of SMTP settings (server address, port, authentication) to send emails.
Limitations and Security: SMTP itself does not encrypt email content; it relies on other protocols (like SSL/TLS) for security. Also, SMTP does not inherently include strong mechanisms to authenticate the sender, which has led to issues like spam and phishing.
Interaction with Other Protocols: SMTP is typically used alongside POP3 or IMAP, which are protocols used for retrieving emails from a mail server.
Use in Modern Email Systems: Despite its age, SMTP remains a fundamental part of the email infrastructure in the Internet and is used in virtually all email systems today.
SMTP SMUGGLING
SMTP Smuggling refers to a technique used in network security to bypass security measures by exploiting vulnerabilities in the Simple Mail Transfer Protocol (SMTP). SMTP is the standard protocol used for sending emails across the Internet. Smuggling in this context typically involves manipulating the SMTP conversation in a way that allows an attacker to inject malicious commands or payloads into an email message. These payloads might be overlooked by security systems that are not properly configured to handle anomalous SMTP traffic.
There are several ways SMTP smuggling can be executed:
Command Injection: By inserting additional SMTP commands into message fields (like the ‘MAIL FROM’ or ‘RCPT TO’ fields), an attacker might trick a server into executing commands it shouldn’t.
CRLF Injection: SMTP commands are typically separated by a carriage return and line feed (CRLF). If an attacker can inject CRLF sequences into a message, they might be able to append additional commands or modify the behavior of the email server.
Content Smuggling: This involves hiding malicious content within an email in a way that evades detection by security systems, which might scan emails for known threats.
Email authentication mechanisms
Email authentication mechanisms like SPF, DKIM, and DMARC are crucial in the fight against email spoofing and phishing. They help verify the authenticity of the sender and ensure the integrity of the message. Here’s a basic overview of each:
1. SPF (SENDER POLICY FRAMEWORK)
Purpose: SPF is used to prevent sender address forgery. It allows the domain owner to specify which mail servers are permitted to send email on behalf of their domain.
How It Works: The domain owner publishes SPF records in their DNS. These records list the authorized sending IP addresses. When an email is received, the receiving server checks the SPF record to verify that the email comes from an authorized server.
Limitations: SPF only checks the envelope sender (return-path) and not the header (From:) address, which is often what the recipient sees.
2. DKIM (DOMAINKEYS IDENTIFIED MAIL)
Purpose: DKIM provides a way to validate a domain name identity that is associated with a message through cryptographic authentication.
How It Works: The sending server attaches a digital signature linked to the domain to the header of the email. The receiving server then uses the sender’s public key (published in their DNS) to verify the signature.
Advantages: DKIM verifies that parts of the email (including attachments) have not been altered in transit.
3. DMARC (DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING, AND CONFORMANCE)
Purpose: DMARC builds on SPF and DKIM. It allows the domain owner to specify how an email that fails SPF and DKIM checks should be handled.
How It Works: DMARC policies are published in DNS. These policies instruct the receiving server what to do with mail that doesn’t pass SPF or DKIM checks (e.g., reject the mail, quarantine it, or pass it with a note).
Benefits: DMARC also includes reporting capabilities, letting senders receive feedback on how their email is being handled.
COMBINED EFFECTIVENESS
Complementary Roles: SPF, DKIM, and DMARC work together to improve email security. SPF validates the sending server, DKIM validates the message integrity, and DMARC tells receivers what to do if the other checks fail.
Combat Spoofing and Phishing: By using these mechanisms, organizations can significantly reduce the risk of their domains being used for email spoofing and phishing attacks.
Adoption and Configuration: Proper configuration of these protocols is critical. Misconfiguration can lead to legitimate emails being rejected or marked as spam.
IMPLEMENTATION
DNS Records: All three require DNS records to be set up. SPF and DMARC are text records, while DKIM uses a TXT record for the public key.
Email Servers and Services: Many email services and servers support these protocols, but they usually require manual setup and configuration by the domain administrator.
Overall, SPF, DKIM, and DMARC are essential tools in the email administrator’s toolkit for securing email communication and protecting a domain’s reputation.
In a groundbreaking discovery, Timo Longin, in collaboration with the SEC Consult Vulnerability Lab, has unveiled a novel exploitation technique in the realm of email security. This technique, known as SMTP smuggling, poses a significant threat to global email communication by allowing malicious actors to send spoofed emails from virtually any email address.
Discovery of SMTP Smuggling: The concept of SMTP smuggling emerged from a research project led by Timo Longin, a renowned figure in the cybersecurity community known for his work on DNS protocol attacks. This new technique exploits differences in how SMTP servers interpret protocol rules, enabling attackers to bypass standard email authentication methods like SPF (Sender Policy Framework).
How SMTP Smuggling Works: SMTP smuggling operates by exploiting the interpretation differences of the SMTP protocol among various email servers. This allows attackers to ‘smuggle’ or send spoofed emails that appear to originate from legitimate sources, thereby passing SPF alignment checks. The research identified two types of SMTP smuggling: outbound and inbound, affecting millions of domains and email servers.
TECHNICAL INSIGHTS: UNDERSTANDING SMTP SMUGGLING IN DEPTH
SMTP Smuggling Exploited: SMTP smuggling takes advantage of discrepancies in how different email servers interpret the SMTP protocol. Specifically, it targets the end-of-data sequence, which signifies the end of an email message. In a standard SMTP session, this sequence is represented by a line with only a period (.) character, preceded by a carriage return and a line feed (<CR><LF>.<CR><LF>). However, variations in interpreting this sequence can lead to vulnerabilities.
Outbound and Inbound Smuggling: The research identified two types of SMTP smuggling: outbound and inbound. Outbound smuggling involves sending emails from a compromised server, while inbound smuggling pertains to receiving emails on a server that misinterprets the end-of-data sequence. Both types can be exploited to send spoofed emails that appear to come from legitimate sources.
EXPLOITING SPF ALIGNMENT CHECKS:
The concept of “Exploiting SPF Alignment Checks” in the context of SMTP smuggling revolves around manipulating the Sender Policy Framework (SPF) checks to send spoofed emails. SPF is an email authentication method designed to prevent sender address forgery. Here’s a detailed explanation of how SPF alignment checks can be exploited through SMTP smuggling:
UNDERSTANDING SPF:
SPF Basics: SPF allows domain owners to specify which mail servers are permitted to send emails on behalf of their domain. This is done by publishing SPF records in DNS. When an email is received, the recipient server checks the SPF record to verify if the email comes from an authorized server.
SPF Check Process: The SPF check typically involves comparing the sender’s IP address (found in the SMTP envelope) against the IP addresses listed in the domain’s SPF record. If the IP address matches one in the SPF record, the email passes the SPF check.
EXPLOITATION THROUGH SMTP SMUGGLING:
Manipulating the ‘MAIL FROM’ Address: In SMTP smuggling, attackers manipulate the ‘MAIL FROM’ address in the SMTP envelope. This address is used for SPF validation. By carefully crafting this address, attackers can pass the SPF check even when sending from an unauthorized server.
Discrepancy between ‘MAIL FROM’ and ‘From’ Header: There’s often a discrepancy between the ‘MAIL FROM’ address in the SMTP envelope (used for SPF checks) and the ‘From’ header in the email body (which the recipient sees). SMTP smuggling exploits this by setting the ‘MAIL FROM’ address to a domain that passes the SPF check, while the ‘From’ header is spoofed to appear as if the email is from a different, often trusted, domain.
Bypassing SPF Alignment: The key to this exploitation is the difference in how various mail servers interpret and process SMTP protocol rules. By smuggling in additional commands or data, attackers can make an email appear to come from a legitimate source, thus bypassing SPF alignment checks.
Consequences: This exploitation can lead to successful phishing attacks, as the email appears to be from a trusted source, despite being sent from an unauthorized server. Recipients are more likely to trust and act upon these emails, leading to potential security breaches.
TECHNICAL EXPERIMENTATION
The “Technical Experimentation” aspect of the SMTP smuggling research conducted by SEC Consult involved a series of methodical tests and analyses to understand how different email servers handle SMTP protocol, particularly focusing on the end-of-data sequence.
The primary goal was to identify discrepancies in how outbound (sending) and inbound (receiving) SMTP servers interpret the SMTP protocol, especially the end-of-data sequence. This sequence is crucial as it signifies the end of an email message.
EXPERIMENT SETUP:
Selection of Email Providers: The researchers selected a range of public email providers that support mail submissions via SMTP. This included popular services like Outlook.com, Gmail, GMX, iCloud, and others.
SMTP Analysis Server: A specialized SMTP analysis server was set up to receive emails from these providers. This server played a critical role in observing how different SMTP servers handle various SMTP commands and sequences.
SMTP Analysis Client: An SMTP analysis client was used to send emails through the outbound SMTP servers of the selected providers. This client was configured to vary the SMTP commands and sequences used in the emails.
KEY AREAS OF FOCUS:
End-of-Data Sequence Variations: The researchers experimented with different end-of-data sequences, such as <LF>.<LF> (Line Feed) instead of the standard <CR><LF>.<CR><LF> (Carriage Return, Line Feed). The goal was to see if outbound servers would process these non-standard sequences differently.
Server Responses to DATA Command: Different responses from email providers to the DATA SMTP command were observed. These responses provided insights into how each server might handle end-of-data sequences.
Operating System Differences: The experiment also considered how different operating systems interpret “a line by itself.” For example, Windows uses <CR><LF> to denote the end of a line, while Unix/Linux systems use <LF>. This difference could affect how email servers process the end-of-data sequence.
EXPERIMENT EXECUTION:
Sending Test Emails: The SMTP analysis client sent test emails through the outbound SMTP servers of the selected providers, using various end-of-data sequences.
Observing Responses: The inbound SMTP analysis server received these emails and recorded how each outbound server handled the different sequences.
Identifying Anomalies: The researchers looked for anomalies where outbound servers did not correctly interpret or filter non-standard end-of-data sequences, and inbound servers accepted them as valid.
FINDINGS:
The experimentation revealed that some SMTP servers did not conform to the standard interpretation of the SMTP protocol, particularly in handling end-of-data sequences. This non-conformity opened the door for SMTP smuggling, where attackers could insert additional SMTP commands into email content.
CASE STUDY – GMX SMTP SERVER
A notable example of SMTP smuggling was demonstrated using GMX’s SMTP server. The researchers were able to send an email with a specially crafted end-of-data sequence that the GMX server did not filter out. This allowed them to insert additional SMTP commands into the email content, which were then executed by the recipient server, effectively ‘smuggling’ malicious commands or content.
EXPLOITATION TECHNIQUE:
Manipulating End-of-Data Sequence: The researchers experimented with different end-of-data sequences, such as <LF>.<LF> instead of the standard <CR><LF>.<CR><LF>.
Observing GMX Server Response: It was observed that when a specific sequence (<LF>.<CR><LF>) was sent to the GMX outbound SMTP server, it passed this sequence unfiltered to the inbound SMTP server.
SUCCESSFUL SMTP SMUGGLING:
Breaking Out of Message Data: By using the <LF>.<CR><LF> sequence, the researchers were able to ‘break out’ of the message data at the inbound SMTP server. This meant that anything following this sequence could be interpreted as a separate SMTP command or additional email content.
Demonstration of Vulnerability: This technique allowed the researchers to effectively insert additional SMTP commands into the email content, demonstrating a successful SMTP smuggling attack.
The research team’s first successful SMTP smuggling exploit was demonstrated using GMX’s SMTP server. This breakthrough confirmed the feasibility of the technique and its potential to compromise email security on a large scale. SMTP smuggling represents a new frontier in email spoofing, challenging existing security measures and highlighting the need for continuous vigilance in the cybersecurity domain. The discovery underscores the importance of regular security audits and updates to protect against emerging threats. The discovery of SMTP smuggling has significant implications for email security. Vulnerabilities were identified in major email services, including Microsoft and GMX, which were promptly addressed. However, SEC Consult has issued a warning to organizations using Cisco Secure Email, urging them to update their configurations to mitigate this vulnerability.
TECHNICAL AND SECURITY MITIGATIONS:
Patch and Update Systems: Regularly update and patch email servers and related software. Providers should ensure their systems are up-to-date with the latest security patches that address known vulnerabilities, including those related to SMTP smuggling.
Enhance Email Authentication: Implement and enforce advanced email authentication protocols like DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). These protocols provide additional layers of verification, ensuring that the email’s sender is legitimate and that the message content hasn’t been tampered with.
Configure Email Servers Correctly: Ensure that email servers, especially those handling outbound and inbound emails, are configured correctly to handle SMTP protocol standards, particularly the end-of-data sequence. This involves strict adherence to protocol specifications to prevent any ambiguity in interpretation.
Use Advanced Email Filtering Solutions: Employ advanced email filtering solutions that can detect and block spoofed emails. These solutions often use machine learning and other advanced techniques to identify anomalies in email messages that might indicate a spoofing attempt.
Regular Security Audits: Conduct regular security audits of email infrastructure to identify and rectify potential vulnerabilities. This should include a review of server configurations, authentication mechanisms, and update protocols.
SMTP smuggling represents a significant advancement in the understanding of email protocol vulnerabilities. It challenges the existing security paradigms and calls for a reevaluation of email security strategies. As the cybersecurity community works to address these vulnerabilities, this discovery serves as a crucial reminder of the dynamic and evolving nature of cyber threats.
In the rapidly evolving landscape of software development and cybersecurity, the integration of security planning earlier in the software development life cycle has become paramount. This practice, known as DevSecOps, has gained significant traction in recent years as businesses recognize its potential to bolster cyber defenses and ensure the security of their digital assets. As we look ahead to 2024 and beyond, it is crucial to understand the key trends that will shape the future of DevSecOps. I wanted to take a few moments to discuss the emerging trends that will drive innovation and efficiency in the field of DevSecOps, including automation, tool consolidation, infrastructure as code, remediation, and the evolution of the software bill of materials (SBOMs).
Key Trends in 2024
Automation Underpinning Innovation
Automation is at the forefront of driving operational efficiency in the field of security. In 2024, we can expect to see further advancements in automation, coupled with artificial intelligence (AI), empowering companies to streamline decision-making processes and optimize resource allocation. By leveraging automation and AI, security teams can focus on strategic initiatives, leaving operational functions to automated systems. This shift will enable organizations to respond to security threats with greater precision and agility, ultimately enhancing their cyber defenses.
The concept of “secure-by-design” will also gain additional momentum in 2024. By establishing cybersecurity standards, detecting vulnerabilities, and addressing them at the outset, organizations can prevent risks before they manifest. This transformative approach will enable businesses to innovate without unforeseen impediments, ensuring that security is an integral part of the development process from the very beginning.
Tool Consolidation
As organizations seek to incorporate security into their processes, the need for tool consolidation becomes apparent. Rather than accumulating an excessive number of tools, which can lead to inefficiencies and increased costs, businesses will opt for more streamlined security tool architectures and services. According to Gartner, 75% of organizations have already begun the process of consolidating their security tools. By merging tool-chain observability and monitoring into a single platform, companies can gain a comprehensive view of their security landscape and identify any potential blockages. This consolidation will create a more conducive environment for building and strengthening security processes.
Infrastructure as Code (IaC)
Traditional IT infrastructure management processes are often manual, resulting in increased costs and resource allocation. With the rapid growth of cloud computing and the constant release of new applications, infrastructure as code (IaC) emerges as a valuable tool. By utilizing configuration files, IaC allows for the automated management and oversight of today’s ever-evolving infrastructure. This level of abstraction frees engineers from the burden of keeping up with constant changes, maximizing the potential of cloud computing and enabling developers to allocate their time more efficiently.
Remediation
In response to the rising threat of cybercrime, organizations are shifting their focus from mere detection to proactive remediation. Rather than simply identifying security breaches, companies are increasingly investing in continuous monitoring and prompt remediation to eliminate threats. Gartner recommends that organizations be prepared to perform emergency remediation on key systems immediately following the release of security patches. To achieve this, companies must adopt intelligent and automated remediation approaches that are integrated into their processes. Prescriptive “best practices” alone will not suffice; automation is necessary to effectively address security issues in real-time.
Beyond SBOMs
The software bill of materials (SBOMs), an inventory of the codebase, has gained recognition as a game-changer in software transparency. However, in 2024, we can expect SBOMs to evolve further to meet industry standards and deliver on their promise. While SBOMs provide valuable insights into the software components used by an application, there are still obstacles to overcome. Many tools designed to automate SBOM generation lack consistency in data provision, hindering their adoption. Additionally, SBOMs have limited value in procurement decisions, as they require frequent updates to remain relevant. To establish a well-managed and secure software supply chain, additional tools such as software composition analysis and code signing will become essential. Achieving this will require industry-wide collaboration, defining best practices, and incentivizing vendors to prioritize transparency.
Security Remains Vital
Despite budget constraints and organizational restructuring, DevSecOps remains a critical area of focus for businesses. Cybersecurity risks continue to be a top concern, and DevSecOps strategies offer a cost-effective solution to mitigate these risks. However, organizations will optimize their budget allocations by investing in solutions that provide actionable results. In 2024, we can expect to see a greater emphasis on remediation, integration of security into the software development life cycle, and automation to streamline operational processes.
Conclusion
The future of DevSecOps is promising, with several key trends shaping the field in 2024 and beyond. Automation, tool consolidation, infrastructure as code, remediation, and the evolution of SBOMs will drive innovation and efficiency in the industry. As organizations strive to enhance their cyber defenses and navigate the evolving threat landscape, embracing these trends will be crucial. By staying ahead of the curve and implementing robust DevSecOps practices, businesses can ensure the security of their digital assets and maintain a competitive edge in the digital economy.
Hi, I’m Monique, an investigative reporter here at The Markup. There are a few key moments in my 15-year career that have led me on a quest to phone anonymity:
When a dark-tinted sedan followed me home after I published a controversial story, which led to the resignation of someone in power.
When a reader published my personal address in a virtual chatroom filled with thousands of people—the reader used my phone number to do a reverse look-up search, and found my address.
The last straw?
When the federal government traced my phone number back to me and blocked me from communicating with incarcerated people during the COVID-19 pandemic.
When I joined the team in August, my first order of business was making sure I had a secure way to connect with the people trusting me with their lives, while simultaneously keeping myself safe. I needed an off-the-grid phone.
Enter Wesley Callow, our IT support specialist.
What happens next is straight out of a scene of your favorite detective movie as he went about procuring the gear to build a phone that would protect my privacy. Just picture him in a cloak.
If I’ve learned anything from this, it’s that cash is king. And, I need a trench coat.
Step 1: Cash, Cards, and a SIM
Just think of me, Wesley, as a London Fog trench coat, collar-popped-to-perfection kind of guy. When Monique reached out, I embarked on a trip into the world of phone anonymity—a meticulous descent into the “no half measures” underworld, to borrow from the series Breaking Bad, a place where digits and data are in disguise.
First thing: In order to make an anonymous purchase, I needed cash—bank and credit cards leave toomuch of a trace. I drove to our local grocery store and bought some groceries for my teenage boys. This is an almost daily trip, so definitely no suspicious behavior to be spotted. I chatted up the self-checkout assistant about the boys and got an extra $60 in cash back.
When it comes to service providers, Mint Mobile emerged as a top contender, providing relative ease in activation without demanding personal details. They’re like that low-profile café where the barista doesn’t ask for your life story.
I then ventured off to two local Targets where, to my dismay, there were no Mint Mobile prepaid SIM cards. For my third attempt, I tried Best Buy.
I walked in, head down, headed to the cellphone section. Then, the prepaid carrier section. I perused the spinning display, and then, at the very bottom, there was ONE prepaid Mint Mobile SIM left! It was meant to be. For $45, I got three months of service.
I then headed to my next destination: a nearby drug store. I purchased an Apple Store gift card for $10, again using cash. (You could take an Android phone off the grid too, though, but we’re a Mac newsroom).
It was perfect. Zero people were in the store and the clerk was not chatty. I dropped the cash down, exact change—and bounced from the scene. Now I was ready.
Step 2: Wipe the Phone
I had a phone plan. Now, I needed a phone. To begin, Apple/Mac experts suggest purchasing a used, budget-friendly iPhone exclusively with cash. This method, they insist, guarantees no direct ties to one’s identity. Monique had an old phone hiding in her drawer. But first, I needed to make sure it had amnesia.
I had Monique send me her old iPhone via a box I shipped to her with a return label inside of it. Once I received it, I wiped the phone back to its factory settings and made sure there was no preexisting SIM card inside.
Then I put the phone into recovery mode, connected it to an old Mac with no Apple ID, and reformatted it again. Now, it’s double wiped for safety.
Everyone loves a fresh start, right?
Step 3: Identity
For my public Wi-Fi, I infiltrated my local Starbucks. The scent of caramel frappuccinos and whispered secrets filled the air. Here, amidst the caffeine loyal, I set up accounts with Mint, Proton Mail, and Apple. The creation of a disposable email account is essential (Proton Mail is the favored platform), followed by setting up an Apple ID (You’ll need it to download apps on your phone) with your Apple gift card. And if you’re prompted to provide a billing address? Input a random, unrelated location. You won’t ever be connecting a credit card with a real billing address anyway.
Opt for a six-digit security code—not 123456.
Using this now-naked phone, my fresh Mint Mobile SIM card, and an Apple gift card, I sought out a public space with no association to me, such as a library or café—anywhere that has communal computers and Wi-Fi, so we can activate the phone’s service. But wait, Wesley, I thought public Wi-Fi was insecure! Like all things, you have to weigh the pros and cons. The odds of being compromised on a public Wi-Fi network are low in the time it would take to set up the accounts we need, and in return, we don’t have personal location data or a personal IP address attached to those accounts.
Once your accounts are set up, turn off Wi-Fi.
For security purposes, Face ID and Touch ID are a no-go. The unanimous advice: opt for a six-digit security code. And don’t make it 123456.
Step 4: Customizing An Anonymous Device
Post-setup, disable Bluetooth. This is important because Bluetooth signals can be intercepted by third-party devices within range, and that allows hackers to access sensitive information, such as your phone’s contacts and messages. The throwaway Proton Mail email address plays another vital role, acting as the gateway to access Proton, a virtual private network (VPN) that masks all phone application traffic.
It’s like giving your phone a discreet disguise—instead of my trench coat, think Harry Potter’s invisibility cloak.
Always keep your VPN on, and routinely check that it’s working. Subsequently, any required apps should only be downloaded with the VPN engaged.
The Hard Part: Staying Anonymous
Maintaining this cloak of invisibility comes with challenges. If you find this overwhelming, we totally get it. But doing at least some of these steps will protect you—just find the balance and tradeoffs that work for you. For day-to-day usage, some golden rules emerge:
This phone should strictly be used for its principal purpose. Do not use it for casual online strolls, superfluous apps, or note storage.
Cash is essential, but getting your hands on it requires a bit of effort in this cashless society. To keep your phone off the grid, you have to repeat the same routine: take out cash and buy gift cards. You can’t use a credit or bank card.
Add more data to your SIM card and pay your phone bill with a gift card. Don’t opt into auto-renewal, since that requires that you use a credit card.
After using public Wi-Fi, go into Network Settings, and “forget” the network, so you leave no digital trail.
Instead of home Wi-Fi, use your phone’s data plan and Proton VPN to go online. Proton VPN will make sure your IP address is obscured.
If you’re traveling with your off-the-grid phone and a personal phone, turn Wi-Fi off on one phone, if you’re using it on the other. Or, turn off your off-the-grid phone entirely, and only turn it back on when you’re at your destination. The goal here is to prevent any overlap between which networks your phones connect to.
The final and perhaps the most vital rule: This phone should strictly be used for its principal purpose. Do not use it for casual online strolls, superfluous apps, or note storage, though I know that last one will be hard for journalists. If you must keep notes, disable any notes apps from creating a file in the cloud: Settings → Apple ID → iCloud → Apps Using iCloud → Show All.
The Takeaway
Monique here. Do you feel like you just ran a marathon after reading that? Do you need a moment to process? I sure did.
As a gritty street reporter at heart, I’ve learned true and complete anonymity isn’t easy. But in this line of work, it’s worth it. That means constantly backing up my documents and keeping a duplicate contact list elsewhere, in case my line is compromised and I need a new burner.
Wait, did I just use the word “burner”? Feels like I’m living in an episode of How to Get Away with Murder. (Hi, Viola Davis!)
Covering criminal justice, immigration, social justice, and government accountability means my cellphone is my best friend. It’s not only the first line of communication with my sources, but it’s my first line of trust. My phone hosts applications to make contact with people behind bars—oftentimes the only line the incarcerated has to the outside world. It’s the device that rings in the middle of the night from inconsolable parents who have been separated from their children at the border.
Additionally, it confidentially stores my emails and documents people send to me, and it lets me access encrypted chatrooms that help me better understand and network with the communities I cover.
In today’s hyper-connected era, the lengths some are going to preserve their phone anonymity are undeniably intricate. While not a path for everyone, this approach paints a vivid picture of the extreme measures individuals are willing to take in the name of privacy.
As for me, I keep a copy of Wesley’s guide tucked away, so I don’t forget the many, many rules of how to master this cash-gift-card-SIM-phone-wipedown operation. I want my sources—and people on the fence on whether or not to trust me—to know that I am committed to protecting their identity, privacy, and stories.
Security researchers have discovered a vulnerability (CVE-2023-48795) in the SSH cryptographic network protocol that could allow an attacker to downgrade the connection’s security by truncating the extension negotiation message.
The Terrapin attack
Terrapin is a prefix truncation attack targeting the SSH protocol.
“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it,” researchers Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk of Ruhr-Universität Bochum have found.
Aside from downgrading the SSH connection’s security by forcing it to use less secure client authentication algorithms, the attack can also be used to exploit vulnerabilites in SSH implementations.
“For example, we found several weaknesses [CVE-2023-46445, CVE-2023-46446] in the AsyncSSH servers’ state machine, allowing an attacker to sign a victim’s client into another account without the victim noticing. Hence, it will enable strong phishing attacks and may grant the attacker Man-in-the-Middle (MitM) capabilities within the encrypted session.”
To pull of a Terrapin attack, though, the attacker must already be able to intercept and modify the data sent from the client or server to the remote peer, they pointed out, making it more feasible to be performed on the local network.
“Besides that, we also require the use of a vulnerable encryption mode. Encrypt-then-MAC and ChaCha20-Poly1305 have been introduced by OpenSSH over 10 years ago. Both have become the default for many years and as such spread across the SSH ecosystem. Our scan indicated that at least 77% of SSH servers on the internet supported at least one mode that can be exploited in practice.”
More details about their findings can be found in their paper and on a dedicated website.
Patches released or incoming
The researchers have contacted nearly 30 providers of various SSH implementations and shared their research so they may provide fixes before publication.
“Many vendors have updated their SSH implementation to support an optional strict key exchange. Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker’s capability to inject packets during the initial, unencrypted handshake,” they shared.
But it will take a while for all clients and servers out there to be updated – and both “parties” must be for the connection to be secure against the Terrapin attack.
Vendors/maintainers of affected implementations, applications and Linux distros have been pushing out fixes: AsyncSSH, LibSSH, OpenSSH, PuTTY, Transmit, SUSE, and others.
Administrators can also use the Terrapin Vulnerability Scanner to determine whether an SSH client or server is vulnerable.
“The scanner connects to your SSH server (or listens for an incoming client connection) to detect whether vulnerable encryption modes are offered and if the strict key exchange countermeasure is supported. It does not perform a fully-fledged handshake, nor does it actually perform the attack,” they explained.
The 8220 hacker group, which was first identified in 2017 by Cisco Talos, is exploiting both Windows and Linux web servers with crypto-jacking malware. One of their recent activities involved the exploitation of Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).
However, the history of this threat group had several exploited vulnerabilities such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications. Their TTPs are evolved with different publicly released exploits.
8220 Hacker Group
In addition to this, the group was also discovered to be exploiting (CVE-2020-14883), a Remote code execution vulnerability in Oracle WebLogic Server. This exploitation chain is combined with another authentication bypass vulnerability (CVE-2020-14882) in the Oracle WebLogic server.
The exploitation methods of these two vulnerabilities are publicly available, making it relatively easy for the threat actor to modify and exploit them for malicious purposes.
Two different exploit chains were discovered, and one of them enables the loading of an XML file used for further phases of execution of commands on the OS, whereas the other one executes Java code without the use of an XML file.
Infection Chains
The first infection chain uses different XML files that depend on the target OS. In the case of Linux, the downloading of other files is performed via cURL, wget, lwp-download, and python urllib along with a custom bash function that encodes it to base64.
Custom bash function (Source: Imperva)
The method injects a Java code which also initially evaluates the OS and executes the same command strings executed in the first method. Once the download and execution process takes place, the compromised hosts are infected with AgentTesla, rhajk, and nasqa malware variants.
A complete report has been published, which provides detailed information about the exploitation, command used, encoding, and other information.
CVE-2023-35628 is a critical remote code execution (RCE) vulnerability affecting the Microsoft Windows MSHTML platform, with a Common Vulnerability Scoring System (CVSS) score of 8.1, indicating a high level of risk. This flaw is particularly concerning because it can be exploited without any interaction from the user. The vulnerability can be triggered when Microsoft Outlook retrieves and processes a specially crafted email, even before the email is viewed in the Outlook Preview Pane. This makes it a particularly insidious threat, as users may be unaware of the lurking danger.
The nature of CVE-2023-35628 allows a remote, unauthenticated attacker to execute arbitrary code on the victim’s system. The exploit can be initiated by sending a specially crafted email, and it has been noted that ransomware gangs and other malicious entities are likely to find this vulnerability an attractive target. Although the exploit code maturity for CVE-2023-35628 is currently unproven, which means there might not yet be a reliable method for exploiting this vulnerability in the wild, the potential for remote code execution makes it a critical issue for all Windows users.
MSHTML PLATFORM
The vulnerability in the MSHTML platform, specifically CVE-2023-35628, can be attributed to several factors that are commonly found in software vulnerabilities:
Parsing and Rendering of HTML Content: MSHTML, being a component used for parsing and rendering HTML content in applications like Microsoft Outlook, processes a large amount of untrusted input. This input, which often includes complex HTML and scripting content, can contain flaws or unexpected sequences that are not properly handled by the software.
Memory Management Issues: Vulnerabilities often arise due to memory management issues such as buffer overflows, use-after-free errors, or other similar problems. These issues can occur when the software does not correctly allocate, manage, or free memory when processing HTML content. Attackers can exploit these weaknesses to execute arbitrary code.
Insufficient Input Validation: Software vulnerabilities can also stem from insufficient input validation. If MSHTML does not properly validate or sanitize the HTML content it processes, malicious input could be used to trigger an exploit. This could include specially crafted scripts or malformed HTML structures designed to take advantage of the parser’s weaknesses.
Complexity of Web Standards: The complexity of modern web standards can also contribute to vulnerabilities. As standards evolve and become more complex, it becomes increasingly challenging to ensure that every aspect of the parsing and rendering process is secure against all potential attack vectors.
Integration with Email Clients: The integration of MSHTML with email clients like Outlook adds another layer of complexity. Emails are a common vector for delivering malicious content, and the automatic processing of emails (including the rendering of HTML content) can make it easier for attackers to exploit vulnerabilities without direct interaction from the user.
THE NO-CLICK EXPLOIT
An exploit for the CVE-2023-35628 vulnerability in the Windows MSHTML platform would typically involve a few key steps, tailored to leverage the specific nature of this flaw. Here’s a generalized overview of how such an exploit could work:
Crafting a Malicious Email: The attacker starts by creating a specially crafted email. This email would contain malicious code or a payload designed to exploit the vulnerability in the MSHTML platform. The precise nature of this code depends on the specifics of the vulnerability and would be tailored to trigger the flaw in MSHTML.
Email Delivery and Automatic Processing: The crafted email is then sent to the target. In the case of CVE-2023-35628, the critical aspect is that the vulnerability is triggered when Microsoft Outlook retrieves and processes the email. This processing happens automatically, often before the email is even displayed in the Outlook Preview Pane.
Remote Code Execution: Upon processing the malicious email, the exploit code is executed. This code execution occurs within the context of the MSHTML platform, which is a key component used by Outlook for rendering HTML content in emails.
Taking Control or Damaging the System: Once the code is executed, it can perform various malicious activities. This could range from taking control of the user’s system, stealing sensitive information, installing malware, or performing other harmful actions. The extent of the damage or control depends on the nature of the payload and the permissions available to the MSHTML process.
Memory shaping is an advanced exploitation technique often used in sophisticated cyber attacks, particularly those involving complex software systems and secure environments. It’s a method used by attackers to manipulate the layout or state of memory in a target application to facilitate the exploitation of vulnerabilities. Memory shaping can be a part of exploiting vulnerabilities like buffer overflows, use-after-free errors, or other memory corruption issues.
Here’s a simplified example to illustrate how memory shaping and its exploitation might work:
Identifying a Vulnerability: First, the attacker finds a vulnerability in the target application that can be exploited to corrupt memory. For instance, this could be a buffer overflow, where the application fails to check the length of input, allowing an attacker to write more data to a buffer than it can hold.
Analyzing Memory Layout: The attacker then studies the application’s memory layout to understand how data is stored and managed. This involves identifying where in memory different types of data are located and how they are accessed by the application.
Memory Shaping: Once the attacker has a good understanding of the memory layout, they begin the process of memory shaping. This involves crafting inputs or actions that modify the application’s memory in a controlled way. For example, they might allocate and free memory in a specific pattern to arrange chunks of memory in a desired layout.
Exploiting the Vulnerability: With the memory shaped to their advantage, the attacker then exploits the identified vulnerability. Using the buffer overflow example, they might overflow a buffer with data that includes malicious code (the payload) and carefully calculated addresses or commands that redirect the application’s execution flow to the payload.
Executing Arbitrary Code: If successful, the exploit allows the attacker’s code to be executed with the privileges of the target application. This could lead to various malicious outcomes, such as data theft, installation of malware, or gaining control over the system.
It’s important to note that memory shaping is a complex and technical process that requires in-depth knowledge of both the target application and general exploitation techniques. It’s typically used in scenarios where standard exploitation methods are not effective, often due to security measures like Address Space Layout Randomization (ASLR) or other protections.
Due to the complexity and potential for misuse, specific exploit code or detailed methodologies for memory shaping are not shared publicly. The goal of cybersecurity research in this area is to understand and mitigate such advanced threats, ensuring software and systems are secure against potential attacks.
It’s important to note that the complexity of the exploit for CVE-2023-35628 is considered high. It requires specific knowledge and techniques, particularly related to memory shaping, to successfully exploit the vulnerability. This complexity might limit the exploitation to more skilled attackers.
The attack complexity is considered high due to the reliance on complex memory-shaping techniques to successfully exploit the vulnerability. Despite this complexity, the high impact of the vulnerability necessitates prompt attention and action. Microsoft has addressed this flaw in their December 2023 Patch Tuesday updates, recommending users to update their systems as a preventative measure.
It’s important to note that CVE-2023-35628 is just one of several vulnerabilities addressed in the December 2023 Patch Tuesday updates. Other notable vulnerabilities include CVE-2023-35630 and CVE-2023-35641, which are remote code execution vulnerabilities affecting Microsoft Internet Connection Sharing (ICS) with a CVSS score of 8.8, and a critical spoofing vulnerability in Microsoft Power Platform Connector (CVE-2023-36019) with a CVSS score of 9.6.
The CVE-2023-35628 vulnerability, which is a critical remote code execution flaw in the Windows MSHTML platform, affects a range of Microsoft products, including Office 365 and on-premises versions. This vulnerability is significant due to its potential to allow exploitation as soon as Outlook retrieves and processes a specially crafted malicious email, even before the user interacts with the email. This means that exploitation could occur without any action from the user, not even requiring the Preview Pane in Outlook.
In terms of impact on Office 365 and on-premises environments, it’s important to note that the MSHTML proprietary browser engine, which is the component affected by this vulnerability, is used by Outlook among other applications to render HTML content. The fact that this engine remains installed within Windows, regardless of the status of Internet Explorer 11, means that systems where Internet Explorer 11 has been fully disabled are still vulnerable until patched.
For addressing this vulnerability, Microsoft released patches as part of their December 2023 Patch Tuesday. These patches are essential for mitigating the risk posed by this vulnerability and are available for various versions of Windows and related software components. Given the critical nature of this vulnerability and its potential impact on confidentiality, integrity, and availability, it’s strongly recommended for users and administrators of both Office 365 and on-premises environments to apply these updates promptly.
The December 2023 Patch Tuesday from Microsoft addressed a total of 34 vulnerabilities, including this critical RCE vulnerability in MSHTML. It’s noteworthy that there were no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server in this particular update cycle.
The details about the patches and the specific versions they apply to can be found in Microsoft’s security bulletins and support documentation. For users and administrators, it is crucial to review these resources and ensure that all applicable security updates are applied to protect against potential exploits of this vulnerability
Given the severity and the ease with which this vulnerability can be exploited, it is crucial for Windows users, particularly those using Microsoft Outlook, to ensure their systems are updated with the latest security patches provided by Microsoft. Regular review of patching strategies and overall cybersecurity methods is advisable to maintain a robust security posture.
New findings in cybersecurity research have brought to light a severe vulnerability affecting more than 1,450 pfSense servers. This flaw puts them at risk of potential remote code execution (RCE) attacks, resulting from a combination of command injection and cross-site scripting weaknesses. This poses a substantial threat to the security of these extensively utilized network appliances.
Vulnerabilities in pfSense CE: The vulnerabilities were identified in pfSense CE (Community Edition) version 2.7.0. Researchers discovered two critical flaws that, when exploited in tandem, could lead to remote code execution attacks, allowing attackers to gain control over the affected systems.
Dual Vulnerabilities Identified: (CVE-2023-42325)(CVE-2023-42327)The research uncovered two distinct but related vulnerabilities in pfSense CE 2.7.0. These include a command injection flaw and a cross-site scripting (XSS) vulnerability. When exploited in combination, these vulnerabilities can lead to remote code execution (RCE) attacks.
Command Injection Flaw(CVE-2023-42326):: The command injection vulnerability allows an attacker to execute arbitrary commands on the system. This type of vulnerability is particularly dangerous as it can give attackers the same level of access to the system as the user running the vulnerable service.
Cross-Site Scripting (XSS) Vulnerability: The XSS vulnerability in pfSense CE can be exploited to run malicious scripts in the context of the user’s browser session. This can lead to a variety of malicious activities, including stealing session cookies, which can compromise the user’s session.
Remote Code Execution (RCE) Risk: The combination of these vulnerabilities creates a pathway for remote code execution. This means an attacker could potentially take full control of the pfSense device, leading to severe security breaches, including data theft, unauthorized network access, and disruption of services.
Exploitation Potential: The ease of exploitation of these vulnerabilities adds to the severity of the issue. Attackers with knowledge of these vulnerabilities can exploit them without needing sophisticated skills, making it a pressing concern for all pfSense CE users.
Patch Availability: Netgate, the company behind pfSense, has released patches to address these vulnerabilities. It is crucial for users and administrators to apply these updates as soon as possible to mitigate the risks associated with these security flaws.
Widespread Impact: Given the popularity of pfSense as a firewall and router solution, especially among small to medium-sized enterprises, the impact of these vulnerabilities is potentially widespread, affecting a large number of users and networks.
Exposure of pfSense Instances: Investigations have revealed that around 1,450 pfSense instances, accessible online, are vulnerable to the identified security flaws. This number indicates a substantial portion of the pfSense user base that could be at risk. The fact that these pfSense instances are exposed online exacerbates the risk. Being accessible over the internet makes them potential targets for remote attackers who can exploit the vulnerabilities without needing physical access to the network. The combination of command injection and cross-site scripting vulnerabilities in these instances creates a potential for remote code execution (RCE). This means that an attacker could remotely execute arbitrary code on the affected pfSense device, leading to complete system compromise.
Nature of the Security Flaws: The vulnerabilities involve dangerous command injection and cross-site scripting (XSS) flaws. These types of vulnerabilities are particularly alarming because they can be exploited to run malicious scripts or commands, leading to a full compromise of the server.
Patch Management Lag: Despite the availability of patches released by Netgate, the company behind pfSense, a significant number of instances remain unpatched and vulnerable. This delay in applying critical updates leaves these systems exposed to potential cyber attacks.
The Criticality of Timely Updates: This situation highlights the crucial importance of regular system updates and patch management in the realm of cybersecurity. Systems running outdated or unpatched software are often prime targets for cybercriminals looking to exploit known vulnerabilities.
Potential Impact of Exploitation: If these vulnerabilities are exploited, the consequences could be severe. They range from unauthorized access to sensitive data and disruption of network services to the potential for widespread malware infection.
Urgent Call to Action: Administrators and users of pfSense servers are strongly advised to update their systems to the latest version immediately. This action is necessary to mitigate these vulnerabilities and protect against potential exploitation by malicious actors.
The revelation of these vulnerabilities in pfSense servers serves as a stark reminder of the ever-present and evolving nature of cybersecurity threats. It underscores the need for constant vigilance, regular system updates, and robust security protocols to safeguard digital infrastructures.
How well are organizations implementing cybersecurity controls within the Minimum Viable Secure Product (MVSP) framework? A recent examination conducted by Bitsight and Google indicates a mix of positive and negative outcomes, highlighting areas where enhancement is needed.
What is MVSP?
Minimum Viable Secure Product (MVSP) is a baseline security checklist for B2B software and business process outsourcing suppliers, consisting of 25 controls across four key areas – Business, Application Design, Application Implementation, and Operational.
For the “Cybersecurity Control Insights: An Analysis of Organizational Performance” study, Bitsight and Google collaborated to create a methodology to measure organizational cybersecurity performance using Bitsight analytics across the MVSP framework.
The study analyzed the cybersecurity performance of nearly 100,000 organizations around the world across nine industries. Bitsight mapped its risk vectors to 16 of the MVSP controls and reported performance in 2023 and over time (most recently March 2023). Google validated the statistical approach employed in this analysis.
Are organizations meeting cybersecurity performance standards?
The study found that while every industry in 2023 has a high Pass rate for 10 of the 16 MVSP controls studied, many organizations are still failing on controls critical to protecting themselves against cyber incidents.
The findings indicate that organizations across all industries have several areas in which they must improve their vulnerability management program to reduce exposure to potential breaches.
Notably, 2023 Computer Software industry Fail rates for Dependency Patching and Time to Fix Vulnerabilities — which map to Bitsight analytics correlating to the likelihood of a breach — did not improve from 2020 rates as much as the macro average, leaving other industries vulnerable to third-party risk given their reliance on computer software.
But, organizations did have near-100% Pass rates for the following areas:
Data handling
Incident handling
Logging
Logical access
They also had high Pass rates for Customer training (contributing to a safer third-party digital ecosystem) and Training (organizations are taking training efforts seriously as human error can have serious consequences).
Organizations across all industries are struggling with controls critical to the health of an organization’s vulnerability management program, Bitsight found.
Eight MVSP controls that are important for vulnerability management – External Testing, Self-assessment, Vulnerability Prevention, Encryption, HTTPS-only, Security Headers, Dependency Patching, Time to Fix Vulnerabilities – have either high 2023 Fail rates, low Pass rates, or both, across all industries.
Finally, there has been a decline in use of security headers, including in the computer software industry.
“We expected CS to outperform in most respects but that is not what we observed. CS’s stagnation — and at times underperformance — may be attributed to many factors, including workforce challenges, rising asset inventories, lacking cybersecurity tools, and more,” the analysts noted.
Keeping up with threats
Business leaders around the world need to understand where their companies’ vulnerabilities lie and how they match up with others to better manage increasingly complex cyber risks and stakeholder demands. By understanding the pass and fail rates of MVSP controls organizations will be better armed with the knowledge to benchmark their security performance and improve their cybersecurity strategies to mitigate and reduce vulnerability.
“It is more important than ever for business leaders to be fully aware of the organization’s application security risk, and how they are performing compared to their peers,” said Chris John Riley, Staff Security Engineer, Google.
“If organizations want to build and maintain a mature security posture in today’s turbulent and fast moving environment, they need leaders that prioritize security management and a culture of constant improvement. Using frameworks like the MVSP, organizations can take the initial necessary steps to develop a strong security culture within their organizations.”
In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.
UNDERSTANDING PROCESS INJECTION:
Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.
THE ROLE OF WINDOWS THREAD POOLS:
Central to this new technique is the exploitation of Windows thread pools. Thread pools in Windows are integral for managing worker threads, which are used to perform various tasks in the background. These pools efficiently manage the execution of multiple threads, reducing the overhead associated with thread creation and destruction. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications. Windows thread pools are a system feature used to manage multiple threads efficiently. These pools allow for the execution of worker threads that perform tasks in the background, optimizing the use of system resources. Thread pools are integral to the Windows operating system and are used by various applications for performing asynchronous tasks.
SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:
Inserting Malicious Work Items:
Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
Hijacking Worker Threads:
An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
Exploiting Timer Queues:
Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
Manipulating I/O Completion Callbacks:
Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
Abusing Asynchronous Procedure Calls (APCs):
While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
Worker Factory Manipulation:
The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
Remote TP_TIMER Work Item Insertion:
This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
Queue Manipulation:
Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.
These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following thread pool work items that can be scheduled in Windows. Here’s how each one could potentially be vulnerable to attacks:
Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.
These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.
Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:
Enhanced Detection Algorithms:
Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
Deep System Monitoring:
Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
Regular Security Audits:
Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
Advanced Threat Intelligence:
Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
Employee Training and Awareness:
Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
Behavioral Analysis and Heuristics:
Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
Zero Trust Architecture:
Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
Regular Software Updates:
Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
Isolation of Sensitive Processes:
Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
Incident Response Planning:
Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.
By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.
Cyberwar refers to the use of digital technology, including computer systems, networks, and electronic communication, as a means to conduct warfare in the virtual realm. In a cyberwar, conflicting parties leverage cyber capabilities to carry out attacks and defenses in an attempt to achieve strategic, political, or military objectives. These attacks can target a wide range of digital assets, including computer systems, networks, and information systems.
Cyberwarfare encompasses various tactics, techniques, and procedures, such as hacking, malware deployment, denial-of-service attacks, and information warfare. The goals of cyberwarfare can range from disrupting or destroying critical infrastructure to stealing sensitive information, conducting espionage, or influencing public opinion.
Key characteristics of cyberwar include its asymmetric nature, where a smaller, technologically sophisticated actor may pose a significant threat to a larger, conventionally powerful entity. Attribution, or determining the origin of cyber attacks, can be challenging, adding complexity to the dynamics of cyberwarfare.
Governments, military organizations, and other entities invest in cybersecurity measures to defend against cyber threats and protect their critical assets from potential attacks in the digital domain. The landscape of cyberwarfare is continually evolving as technology advances and new vulnerabilities emerge.
“The Cyber War Is Here” simplifies the complex world of cybersecurity, cyber risk, and the crucial relationship between corporate boards and Chief Information Security Officers (CISOs). Written by a distinguished cybersecurity expert and USAF Veteran, it emphasizes the strategic importance of cybersecurity in modern business. Marc highlights the evolving role of CISOs, emphasizing their shift from IT guardians to strategic advisors to the board. The book explores successful board-CISO interactions and the consequences of misalignment, offering a clear blueprint for effective partnership. “The Cyber War Is Here” dives into the national and economic security implications of cyber threats, stressing the critical link between cybersecurity and national defense. The book argues that strengthening digital defenses and fostering public-private sector collaboration is essential for national resilience. Designed for a broad audience, from individuals to boards of directors, CISOs, business executives, and policymakers, this book serves as a call to action for proactive cyber governance. It illuminates the interconnectedness of individual organizational security and national security, providing both a catalog of risks and strategies and a roadmap for action in the global cyber conflict arena. “The Cyber War Is Here” is a call to action for all.
ISO 27002, officially named “ISO/IEC 27002 Information Security, Cybersecurity and Privacy Protection – Information Security Controls,” is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because ISO 27001 provides only a high-level description of each control. ISO 27002 has become an internationally recognized set of industry best practices that support the implementation of ISO 27001.
The basics
What is the purpose of ISO 27002?
The main purpose of ISO 27002 is to help organizations implement the Annex A controls from ISO 27001, because ISO 27001 does not provide explanations for how these controls should be implemented. ISO 27002 is designed to work in conjunction with ISO 27001, as ISO 27001 describes how to manage security by implementing an Information Security Management System (ISMS).
Why is ISO 27002 important?
ISO 27002 is important because it is the only standard in the ISO 27k series that provides implementation guidance on all 93 controls defined in Annex A of ISO 27001. By using the detailed guidance in ISO 27002, companies can have a much better understanding of the best practices for controls.
ISO 27002 certification – Is it possible?
Certification against ISO 27002 is not possible. ISO 27002 is non-certifiable because, unlike ISO 27001, it is not a management standard. Instead, ISO 27002 is a code of practice (or best practices) for the implementation of security controls that support the ISMS defined in ISO 27001.
How does ISO 27002 support the ISMS?
ISO 27002 supports the ISMS by providing detailed guidance on how to implement the controls necessary to establish and operate an ISMS within a company. For example, ISO 27002 takes a whole page to explain one control, while ISO 27001 dedicates only one sentence to each control. This ensures that organizations have a comprehensive set of guidelines to use as a framework to deploy an effective ISMS in a structured manner.
What is the current version of ISO 27002?
As of the publication date of this article, the current version of ISO 27002 is ISO/IEC 27002:2022. The new 2022 revision of ISO 27002 was published on February 15, 2022.
What is the difference between ISO 27001 and 27002?
As already explained in brief, ISO 27001 is the main standard, and companies can get certified against it; companies cannot certify against ISO 27002:2022 because it is only a supporting standard.
In its Annex A, ISO 27001 provides a list of security controls and what must be achieved with those controls, but it does not explain how they can be implemented. ISO 27002 lists those very same controls and provides guidance on how they could be implemented; however, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.
Requirements & security controls
What are the requirements for ISO 27002?
ISO 27002 does not contain explicit requirements for companies to follow — for requirements, you should see ISO 27001. However, ISO 27002 does provide guidance on information security controls that can be applied in an organization.
What are the sections of ISO 27002?
The structure of ISO 27002 is listed and briefly explained below:
Clause 5: Organizational controls – This section contains all controls related to various organizational issues, comprising 37 controls.
Clause 6: People controls – This section focuses on controls related to human resources security, comprising 8 controls.
Clause 7: Physical controls — This section focuses on controls related to the physical environment and equipment, comprising 14 controls.
Clause 8: Technological controls — This section focuses on controls related to technological solutions, comprising 34 controls.
Annex A: Using attributes — This annex provides a matrix of all the new controls, it compares their attributes, and provides suggestions on how to use the controls according to their attributes.
Annex B: Correspondence with ISO/IEC 27002:2013 — This annex provides a mapping between controls from the 2022 revision and the controls from the previous 2013 version.
What is a security control?
ISO 27002 defines a control as “a measure that modifies and/or maintains risk.” Put simply, a control (or a safeguard) is a practice that can be implemented to reduce a risk to an acceptable level. Some examples of security controls include an Access control policy (5.15), Configuration management (8.9), and Secure coding (8.28).
How many controls are there in ISO 27002?
The 2022 revision of ISO 27002 has reduced the number of controls from 114 to 93. Some of the reasons for this reduction in the number of controls include technological advancements and an improvement in the understanding of how to apply security practices.
What are control attributes?
Control attributes provide a standardized way to sort and filter controls against different views to address the needs of different groups.
Attributes options for each control are as follows:
Control types: Preventive, Detective, and Corrective
Information security properties: Confidentiality, Integrity, and Availability
Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
Operational capabilities: Governance, Asset management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance
Security domains: Governance and Ecosystem, Protection, Defense, and Resilience
These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like NIST Risk Management Framework. You can read more about the differences between the 2013 and 2022 versions of ISO 27002 in the last section of this article.
How are the controls structured?
The layout for each ISO control in ISO 27002 consists of the following elements:
Control title: The short name of the control
Attribute table: A table that shows the value(s) of each attribute for the given control
Control: A brief description of the control
Purpose: An explanation of why the control should be implemented
Guidance: Instructions for how the control should be implemented
Other information: Additional explanatory text, or references to related documents
The layout is designed to provide comprehensive information and guidance for each control, helping organizations understand and implement the necessary security measures.
How to implement ISO 27002 controls
To effectively implement ISO 27002 controls, follow a process that assesses the organization’s needs; identifies the appropriate controls, and customizes them if necessary; implements them using a structured approach; and then monitors, measures, and continuously improves them. Once completed, the implemented control should address needs at a combined technological, organizational/process, people, and documentation level.
For example, the implementation of control 8.9 Configuration management will address the following aspects:
Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.
Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.
People. Make employees aware of why strict control of security configurations is needed, and train them to define and implement security configurations.
Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your security operating procedures. Larger companies will typically have a separate procedure that defines the configuration process.
Download ISO27000 family of information security standards today!
Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.
Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.
Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.
AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.
The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.
Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).
Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.
There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.
This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.
Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.
Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.
In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.
We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?
In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.
Do You Really Know Your Organization’s Attack Surface?
To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain.
Building a Successful Exposure Management Strategy with EASM
Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.
Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively protect valuable assets from malicious actors.
Top Tips to Reduce External Attack Surface Exposures
Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks
There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.
How:
Stand up a server that sits outside of your network perimeter
Install nmap or any other network scanner you’re comfortable with
Grab a list of your IP ranges
Set up a cron job to scan continuously for port 3389
Grab the logs weekly
Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
Clues:
Domain name (if applicable)
IPAM IP range notes
Login banners
For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server
Avoid allowing directory listing on your web servers
Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information.
How:
Stand up a server that sits outside of your network perimeter
Install nmap or any other network scanner you are comfortable with
Grab a list of your IP ranges
Set up a cron job to scan continuously for open HTTP
Grab the logs weekly
For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
Clues:
Domain name (if applicable)
IPAM IP range notes
Login banners
Other website info
Place test environments behind a VPN
Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.
How:
Identify all of your production environments:
Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
Query whois reverse search under your organization name (there are multiple vendors and open source tools for this)
All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA
Avoid hostile subdomain takeovers
Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.
How:
Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
Do a zone transfer on all of the domains your organization owns
Get a list of all of your IP ranges
Parse the IP addresses against your known IP range list
For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
Determine if they are pointing at anything you know you own
Any unused subdomain should be retired properly:
Use “Null MX” record
Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain
Enforce input validation
Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).
Assume all external user-defined input is an attack surface:
Forms fields
Uniform resource identifiers (URIs)
APIs
Attachments
And more
Bonus Tip: Continuously monitor your attack surface
Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.
Having an effective exposure management program enables teams to stay vigilant and proactively monitor and secure entire IT ecosystems, which is essential in safeguarding an entire attack surface. You need to add a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.
Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets.
Outlook vulnerabilities offer:-
Access to sensitive emails
Access to sensitive information
WinRAR vulnerabilities provide an entry point to manipulate compressed files, potentially executing malicious code on a victim’s system.
Cybersecurity researchers at Proofpoint recently discovered that the TA422 APT Group is actively exploiting the Outlook and WinRAR vulnerabilities to attack organizations.
Exploiting Of Patched Vulnerabilities
Since March 2023, Proofpoint found Russian APT TA422 using patched vulnerabilities to target Europe and North America. The TA422 APT group is linked to the following groups and tied to the Russian GRU by the US Intelligence Community:-
While engaging in typical targeted actions, TA422 showed an unexpected surge in emails exploiting CVE-2023-23397, a Microsoft Outlook vulnerability, sending over 10,000 emails to diverse sectors.
Besides this, the operators of the TA422 APT group also exploited a WinRAR vulnerability, CVE-2023-38831, in their campaigns.
TA422 launched massive campaigns in March 2023, exploiting CVE-2023-23397 against targets in:-
Europe
North America
Earlier, they targeted Ukrainian entities in April 2022 using the same exploit. Proofpoint noticed a significant surge in activity, with over 10,000 attempts to exploit a Microsoft Outlook vulnerability during late summer 2023.
It’s unclear if this was a mistake or a deliberate effort to gather target credentials. TA422 re-targeted higher education and manufacturing users, suggesting these entities are priority targets.
In the late summer campaign, TA422 used an appointment attachment with a fake file extension, leading to an SMB listener on a compromised Ubiquiti router.
This router acted as an NTLM listener, recording inbound credential hashes without extensive network engagement when Outlook processed the attachment.
Late summer 2023 sample of TA422 phishing email. (Source – Proofpoint)
Proofpoint’s tracking of Portugalmail addresses revealed more TA422 activity. In September 2023, TA422 exploited WinRAR vulnerability CVE-2023-32231 in two campaigns, using different Portugalmail addresses and spoofing geopolitical entities.
Emails with BRICS Summit and European Parliament meeting subjects contained RAR attachments dropping a .cmd file.
The file modified proxy settings downloaded a lure document, and connected to an IP-literal Responder server. The server, likely a compromised Fortigate FortiOS Firewall, initiated the NTLM credential exchange.
Lure document from the September 1, 2023 campaign. (Source – Proofpoint)
Between September and November 2023, Proofpoint tracked TA422 campaigns using Portugalmail and Mockbin for redirection.
Targeting government and defense sectors, TA422 employed Mockbin to lead victims to InfinityFree domains. After browser fingerprinting, victims were directed to InfinityFree, initiating a chain of activity.
Despite the exploitation of disclosed vulnerabilities like CVE-2023-23397 and CVE-2023-38831, TA422 persists, likely relying on unpatched systems for continued success.
