InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
HackerGPT is a ChatGPT-enabled penetrating testing tool that can help with network hacking, mobile hacking, different hacking tactics, and other specific tasks.
The main foundation of HackerGPT is the training data that has been offered. It does not use a jailbreak technique. Particularly, it generates replies using ChatGPT with a specified request while conforming to ethical rules.
Obtaining a 14-day trial is an option available. With this trial, you get access to GPT-4, an unlimited amount of messages for HackerGPT, quicker answers, and other advantages.
“No logs, no cost, anonymous login. Trained on a ton of hacking reports”, the company said.
“HackerGPT is only available in your web browser. Making it into an app will take some time, but with your feedback, we can make progress faster”.
Responses of HackerGPT
For instance, what if we asked HackerGPT to provide a step-by-step tutorial on conducting ARP spoofing?
Threat Sentry Security, the Cyber Security Analyst, said, “Hacker-GPT. This is a pentester dream, my job just became 100 times easier. I told it to create an XSS payload & it did it without hesitation”.
Ethical hacking may use this tool to improve security evaluation and mitigation elements. The difficulty of communicating complicated technological results to both technical and non-technical audiences is a problem ethical hackers frequently face.
ChatGPT’s capacity to produce logical and understandable explanations may make the communication of vulnerabilities simpler, hence facilitating organizations’ comprehension of possible risks and the adoption of the necessary countermeasures.
Todd Fitzgerald, co-author of the ground-breaking (ISC)2CISO Leadership: Essential Principles for Success, Information Security Governance Simplified: From the Boardroom to the Keyboard, co-author for the E-C Council CISO Body of Knowledge, and contributor to many others including Official (ISC)2 Guide to the CISSP CBK, COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamental Certification, is back with this new book incorporating practical experience in leading, building, and sustaining an information security/cybersecurity program.
CISO COMPASS includes personal, pragmatic perspectives and lessons learned of over 75 award-winning CISOs, security leaders, professional association leaders, and cybersecurity standard setters who have fought the tough battle. Todd has also, for the first time, adapted the McKinsey 7S framework (strategy, structure, systems, shared values, staff, skills and style) for organizational effectiveness to the practice of leading cybersecurity to structure the content to ensure comprehensive coverage by the CISO and security leaders to key issues impacting the delivery of the cybersecurity strategy and demonstrate to the Board of Directors due diligence. The insights will assist the security leader to create programs appreciated and supported by the organization, capable of industry/ peer award-winning recognition, enhance cybersecurity maturity, gain confidence by senior management, and avoid pitfalls.
The book is a comprehensive, soup-to-nuts book enabling security leaders to effectively protect information assets and build award-winning programs by covering topics such as developing cybersecurity strategy, emerging trends and technologies, cybersecurity organization structure and reporting models, leveraging current incidents, security control frameworks, risk management, laws and regulations, data protection and privacy, meaningful policies and procedures, multi-generational workforce team dynamics, soft skills, and communicating with the Board of Directors and executive management. The book is valuable to current and future security leaders as a valuable resource and an integral part of any college program for information/ cybersecurity.
IN-DEPTH ANALYSIS: NAVIGATING THE PERILS OF CVE-2023-5218 IN GOOGLE CHROME
The digital realm, while offering boundless possibilities, is also a fertile ground for myriad cybersecurity threats. One such peril that has recently come to light is the User-After-Free vulnerability in Google Chrome, specifically identified as CVE-2023-5218. This vulnerability not only poses a significant threat to user data and system integrity but also opens a Pandora’s box of potential cyber-attacks and exploitations.
UNRAVELING THE USER-AFTER-FREE VULNERABILITY
The User-After-Free vulnerability is a type of cybersecurity flaw that surfaces when a program continues to utilize memory space after it has been freed or deleted. This flaw allows attackers to execute arbitrary code or potentially gain unauthorized access to a system. CVE-2023-5218, identified within Google Chrome, was noted to be potentially exploitable to perform such malicious actions, thereby putting users’ data and privacy at substantial risk.
CVE-2023-5218 was unveiled to the public through various cybersecurity platforms and researchers who detected unusual activities and potential exploitation trails leading back to this particular flaw. This vulnerability was identified to be present in a specific Chrome component, prompting Google to release a flurry of updates and patches to mitigate the associated risks.
THE EXPLOIT MECHANICS
Exploiting CVE-2023-5218 allows attackers to manipulate the aforementioned ‘freed’ memory space, enabling them to execute arbitrary code within the context of the affected application. In the context of Chrome, this could potentially allow attackers unauthorized access to sensitive user data, such as saved passwords or personal information, or even navigate the browser to malware-laden websites without user consent.
THE POTENTIAL IMPACT
The exploitation of CVE-2023-5218 could have a multifold impact:
Data Theft: Sensitive user data, including login credentials, personal information, and financial details, could be compromised.
System Control: Attackers could gain control over the affected system, using it to launch further attacks or for other malicious purposes.
Malware Spread: By redirecting browsers to malicious websites, malware could be injected into users’ systems, further expanding the impact of the attack.
TECHNICAL INSIGHTS INTO CVE-2023-5218
Vulnerability Class: Use After Free
Impact: Confidentiality, Integrity, and Availability
The vulnerability is rooted in the improper handling of memory in the Site Isolation component of Google Chrome. The flaw arises from referencing memory after it has been freed, which can lead to program crashes, unexpected value utilization, or arbitrary code execution. The vulnerability is classified under CWE-416 and CWE-119, indicating its potential to improperly restrict operations within the bounds of a memory buffer and its susceptibility to use after free exploits.
MITIGATION AND COUNTERMEASURES
The primary mitigation strategy recommended is upgrading to Google Chrome version 118.0.5993.70, which eliminates this vulnerability. However, considering the potential risks associated with such vulnerabilities, organizations and individual users are advised to:
Regularly update and patch software to safeguard against known vulnerabilities.
Employ robust cybersecurity practices, including using security software and adhering to safe browsing practices.
Educate users on recognizing and avoiding potential phishing attempts or malicious sites that might exploit such vulnerabilities.
CONCLUSION
The identification and subsequent mitigation of CVE-2023-5218 underscore the perpetual battle between cybersecurity professionals and cyber adversaries. While this vulnerability has been addressed in the latest Chrome update, it serves as a potent reminder of the criticality of maintaining up-to-date systems and employing prudent cybersecurity practices. As we navigate through the digital era, the complexity and sophistication of cyber threats continue to evolve, making vigilance and preparedness crucial in ensuring secure digital interactions.
The US cybersecurity organization CISA has updated its Known Exploited Vulnerabilities catalog to include five new security flaws that are currently being actively exploited.
This means that attackers are using these vulnerabilities to gain unauthorized access to computer systems, steal sensitive data, or cause damage to critical infrastructure.
It is crucial for organizations to be aware of these vulnerabilities and take immediate steps to mitigate the risk of exploitation.
Earlier this year, several vulnerabilities were reported in popular software applications such as Acrobat, Cisco IOS, WordPad, Skype, and HTTP/2 Rapid Reset.
As a precautionary measure, businesses are advised by CISA to be wary of these vulnerabilities and take necessary steps to secure their systems against potential cyber-attacks.
Malicious cyber actors often exploit these vulnerabilities as they are commonly found in the federal enterprise, posing significant threats to their security.
Five Actively Exploited Flaws
CVE-2023-21608 Adobe Acrobat and Reader Use-After-Free Vulnerability
A Use After Free vulnerability in Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier), and 20.005.30418 (and earlier) might lead to arbitrary code execution in the context of the current user.
This vulnerability can only be exploited if the victim opens a malicious file that involves user involvement. Adobe patched the vulnerability in January 2023, and the PoC exploit code for this issue is available.
An authenticated, remote attacker with administrative access to a group member or a key server could exploit a vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software.
A successful exploit might give the attacker complete control of the targeted system and the ability to run arbitrary code, or it could force the target system to reload, resulting in a DoS attack. Cisco fixed the flaw at the end of September.
CVE-2023-41763 Microsoft Skype for Business Privilege Escalation Vulnerability
An elevation of privilege vulnerability in Skype for Business is identified as CVE-2023-41763.
“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker”, Microsoft warns.
The attacker may obtain certain private, sensitive data, and in some situations, the information that was revealed could provide the attacker access to internal networks. Microsoft patched the flaw in its October Patch Tuesday release.
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability
This is an information disclosure vulnerability in Microsoft WordPad. Because of the flaw, NTLM hashes can be revealed under certain circumstances.
To exploit the issue, an attacker would need to be able to get into the system, but if a footing is gained, the adversary could then launch a specially crafted application and seize control of an affected machine.
“The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” Microsoft said.
Microsoft patched the flaw in its October Patch Tuesday release.
The HTTP/2 protocol flaw CVE-2023-44487 has recently been utilized to execute massive DDoS attacks against several targets. The HTTP/2 protocol’s handling of request cancellations or resets is the source of the issue.
When a client makes a reset for an HTTP/2 request, it consumes server resources by canceling the relevant stream.
However, the client can start a new stream right away after initiating a reset. The quick opening and closing of HTTP/2 streams brings on the denial of service.
This vulnerability may affect many web platforms because HTTP/2 has been implemented into so many of them.
CISA urges all organizations to prioritize promptly repairing Catalogue vulnerabilities as part of their vulnerability management procedures to reduce their exposure to attacks.
Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.
Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.
COBALT STRIKE 4.9 FEATURES
The latest release, version 4.9, introduces several significant features and improvements:
User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.
CRACKED VERSIONS IN THE WILD
Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.
THE CRACKDOWN
Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.
WHY COBALT STRIKE?
Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.
THE USERS
Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.
REMEDIATION EFFORTS
To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).
The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.
Are you excited to pursue a cybersecurity career but unsure where to begin? Whether you’re a student, an incoming professional, or ready to work in a different field, the tried-and-tested career hacks in this eBook will help you get your start in cybersecurity
Inside the eBook
Cybersecurity Is Hot! Current Market Conditions
Where Entry-Level Lands You
Cybersecurity Career Hacks for Students, Incoming Professionals and Career-Changers
DECIPHERING WEBWYRM: AN IN-DEPTH ANALYSIS OF THE PERVASIVE MALWARE THREATENING GLOBAL CYBERSECURITY
In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.
THE EVOLUTIONARY TRAJECTORY OF WEBWYRM
In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’
REFINED MODUS OPERANDI
WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”
Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.
CAMPAIGN ENABLERS: TECHNICAL INSIGHTS
WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.
Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.
INDUSTRIES IN THE CROSSHAIRS
Webwyrm has indiscriminately targeted a plethora of industries, including:
IT Services
Software Development
Mobile App Development
User Experience Design
Digital Marketing
Web Development
SEO
E-Commerce
DEFENSIVE COUNTERMEASURES
Effective defense against Webwyrm necessitates the adoption of several countermeasures:
Origin Tracing of Malefactors via Employment Portals
Collaborative Defensive Initiatives
Deployment of Rapid Response Teams
Implementation of Domain Blacklisting Protocols
Asset Seizure
Launch of Educational Awareness Campaigns
With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.
Kali Linux turns 10 this year, and to celebrate, the Linux penetration testing distribution has added defensive security tools to its arsenal of open-source security tools.
It remains to be seen if Kali Purple will do for defensive open source security tools what Kali Linux has done for open source pentesting, but the addition of more than 100 open source tools for SIEM, incident response, intrusion detection and more should raise the profile of those defensive tools.
For now, Kali is primarily known for its roughly 600 open source pentesting tools, allowing pentesters to easily install a full range of offensive security tools.
In this article, we’ll focus primarily on how to use this powerful OS to run a pentest and mistakes to avoid. We’ll give you an overview of what can be achieved with Kali Linux using a short selection of pre-installed tools. While this guide serves as an introduction to common pentesting phases, with practical examples that highlight best practices, it’s not a substitution for a complete professional pentesting methodology.
Chalk is a free, open-source tool that helps improve software security. You add a single line to your build script, and it will automatically collect and inject metadata into every build artifact: source code, binaries, and containers.
Gaining visibility
Chalk enables complete visibility across the development process, from the first time a developer creates the code to the entire lifetime a container hosting is running.
Chalk is a convenient tool for compliance by producing SBOMs, embedding code provenance details, and digitally signing them. You can then send these to your preferred location as a report. Additionally, without added effort, you can achieve SLSA level 2 compliance even before SLSA level 1 becomes a mandated standard.
Usage scenarios
“Interestingly, early design partners are constantly developing new use cases, but the classic ones are still unique because nothing else solves those today. The canonical one is knowing what code is in production and what is not. “Prod or not”. That basic use case means most users can shut off code scanning on the majority of their code repos, shutting down the noise and the busy work people have to do looking at it, but also saving massive amounts of money on wasted tools licenses,” Mark Curphey, Co-Founder of Crash Override, told Help Net Security.
“A great and topical one is automatically generating software security supply chain reports. Chalk will generate an SBOM, add build provenance data about where the code came from and who built it, something required by the US gov directives and where no other automated solution exists, and then to top it all, digitally signs it all in a report and sends it to a central report registry. That use case is huge, just huge,” he concluded.
Threat actors have been laundering currencies with multiple methods. One of the most predominant ways they have been using lately was the Cross-chain crime. In a cross-chain crime, threat actors swap their Cryptocurrency between different blockchains and tokens that help maintain their anonymity.
Moreover, this cross-chain crime is carried out using decentralized exchanges (DEXs) and cross-chain bridges. As with the increase in cybercriminal activities such as ransomware attacks, scams, or crypto thefts, this has become an increasingly preferred money laundering method for cybercriminals.
In addition to this, reports also suggest that more than $4.1 billion of illegal funds have been laundered through decentralized exchanges (DEXs), cross-chain bridges, and coin swap services.
This is estimated to rise to $6.5 billion by the end of 2023 and $10.5 billion by 2025. Another report indicates that $2.7 billion was laundered through cross-chain crime over just a 12-month period between July 2022 and July 2023.
Reason for High Adoption Rate
Threat actors and scammers generate revenue through illegal methods using this cross-chain crime for several reasons, which include the popularity of crypto assets excluding bitcoins among criminals, the anonymity it offers, and stable value assets as some of them are government-backed currencies (Tether (USDT) or DAI).
Another major reason for the adoption is that many cross-asset and cross-chain services other than centralized exchanges do not have ID verification. In addition to this, this method offers protection against tracing by using techniques like prolific asset- or chain-hopping.
Annual figures of cumulative illegal funds laundered (Source: Elliptic)
Furthermore, it has been discovered that the Lazarus group, responsible for several high-profile cyberattacks, had laundered over $900 million using this method.
Decentralized services (DEXs), cross-chain bridges, and coin swap services have been found to have laundered over $7 billion of illegal funds as of July 2023. Elliptic researchers have published a complete report about this method and other information.
MGM Resorts encountered a devastating cyberattack recently, incurring an approximate financial setback of $100 million. Unveiled on September 11, this digital attack led to the temporary shutdown of multiple systems within MGM’s various properties, disrupting operations and inflicting significant monetary losses.
DETAILS OF THE ATTACK
The digital onslaught on MGM Resorts wasn’t confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver’s license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.
ECONOMIC FALLOUT
The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.
COMPROMISE OF CUSTOMER DATA
A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.
IDENTITY OF THE ATTACKERS
Initially, the cyberattack was attributed to hackers affiliated with a group known as Scattered Spider. This group later joined forces with a Russian ransomware collective known as Black Cat/AlphV. Scattered Spider has a notorious reputation, being implicated in several major cyberattacks over the past year, targeting entities like Reddit, Riot Games, Coinbase, and even another major player in the casino industry, Caesars Entertainment.
RECOVERY AND RESPONSE
In response to the cyberattack, MGM Resorts took immediate action by shutting down all its systems to thwart further unauthorized access to customer data. Since these initial countermeasures, the company’s domestic properties have seen a return to normalcy in operations, with the majority of systems that interact with guests being restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.
CONCLUSION AND FUTURE IMPLICATIONS
The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.
Cybercriminal tactics continue to grow in number and advance in ability; in response, many organisations have seen the need to reach a security posture where their teams can proactively combat threats.
Threat hunting plays a pivotal role in modern organizations’ cybersecurity strategies. It involves actively searching for signs of advanced threats and vulnerabilities beyond passive defense mechanisms. The MITRE ATT&CK Framework is an industry-standard threat hunters can use to proactively ensure they have protection against new and evolving attacks. Automating these processes for threat hunting can advance any security team’s capabilities.
However, it can be challenging to integrate or collect security data for effective threat hunting. The number of security technologies often results in fragmented data and hinders a comprehensive threat-hunting approach. Automated threat hunting has become a solution that can advance the capabilities of any security team.
Understanding Disparate Security Technologies
Modern organisations employ a variety of security technologies to safeguard their digital assets. These include firewalls, intrusion detection systems, antivirus software, and endpoint protection. While effective, the sheer number of disparate security technologies poses challenges in centralising security data. Each solution generates logs and alerts, creating data silos.
The Problem of Non-integrated Security Data
Scattered security data creates several difficulties. Security teams grapple with a deluge of data from diverse sources, making identifying relevant threat indicators and patterns challenging. The absence of comprehensive visibility into potential threats leaves organisations vulnerable to increasingly advanced adversaries, who will exploit these data gaps. Inefficiencies plague threat-hunting processes because analysts must manually correlate data from various sources, slowing response times and increasing the likelihood of missing critical threats.
The Concept of Automated Threat Hunting
Automated threat hunting remediates the challenges inherent in integrating disparate security data. Security systems use advanced algorithms to streamline and enhance the threat hunting process. Automated threat hunting empowers security teams to pull security data from different technologies on demand, ensuring they have the right data.
Automating the MITRE ATT&CK Framework for Threat Hunting
Organizations should enhance the use of MITRE ATT&CK Frameworks in their threat hunting processes and techniques with automation to free up time and improve detection.
Automation #1: Pre-Built Response Playbooks
MITRE ATT&CK provides updated data sets of indicators of compromise (IOC) and techniques, tactics, and procedures (TTPs) that adversaries use. Threat hunters use this data to create procedures and processes around known threats to properly respond. Automation can save this set of procedures as a pre-defined playbook, which can be applied in the future for the same threat. It will also search across all data sources in your security environment for a comprehensive visibility into threats.
Automation #2: Collecting the Right Hunt Data
When collecting security data during a hunt, it’s common to collect too much or too little information. Pinpointing the right data saves time and increases hunt accuracy. MITRE ATT&CK frameworks ensure you have the correct data sources by telling you which to collect from logs, security systems, and threat intelligence. Automation allows you to save parameters for data collection of the right sources to apply for future hunts.
Automation #3: Penetration Testing/Red Teaming
Cyberattacks and tactics change all the time, and red/blue teaming are great exercises that help you understand where your proactive abilities are and your defence against them. Automation can provide a great lift here by automating simulations of known TTPS from MITRE Frameworks to fine-tune detection and response management.
Advantages of Automating Threat Hunting
Automating threat hunting allows security teams to effortlessly access security data from diverse technologies when needed, streamlining hunting and procedures, while reducing manual effort. Security analysts can swiftly identify suspicious activities and patterns, resulting in quicker threat detection. The accelerated detection and response to security incidents are crucial in today’s threat landscape. Automated threat hunting expedites the identification of threats, enabling organisations to respond promptly and mitigate potential damage.
The Role of the Security Operations Platform
A security operations platform offers a wide range of capabilities. It centralises security data from disparate technologies and provides security teams with a unified, real-time view of their environment, thus facilitating improved threat detection and response. An essential aspect of this platform is its ability to query security data from all technologies. This functionality ensures that all artifacts, regardless of their source, are examined, making it an invaluable tool in the hunt for threats.
Conclusion
Automating threat hunting via a security operations platform enhances efficiency, augments visibility, and expedites incident response. As we look to the future of cybersecurity, the seamless integration of security data will remain central to effective threat hunting, ensuring that organizations stay ahead of evolving cyber threats.
A recently discovered vulnerability in Microsoft Office Word has raised concerns over the security of the popular productivity suite.
This security flaw, classified as a Cross-Site Scripting (XSS) vulnerability, allows attackers to execute arbitrary JavaScript code within a Word document.
The XSS Vulnerability
Various Office products, including Microsoft Word, offer a feature that allows users to insert external videos into documents through the “Online Videos” tab.
The XSS Vulnerability
When a user attempts to play an external video embedded in a document, the Office checks to determine whether the source of the external video is trustworthy.
This check involves applying a regular expression to the video’s URL, which includes trusted sources like YouTube.
If the source is deemed trustworthy, the Office requests to fetch data such as the video’s title or thumbnail. However, the vulnerability arises in how Office handles the video’s title within the HTML iframe tag.
The server responds with information, including the video’s title, description, and the HTML iframe tag.
The issue is that the server adds the video’s title to the “title” attribute of the iframe tag without proper validation.
As a result, attackers can manipulate the iframe tag by adding an “unload” attribute, enabling them to inject arbitrary JavaScript code.
Exploitation
To exploit this vulnerability, an attacker can create a YouTube video with a title that includes a payload for inserting the “onload” attribute, reads the PKsecurity report.
Then, they insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.
Exploitation
Here is a simplified overview of the steps an attacker would take to exploit this flaw:
Create a YouTube video with a payload in the title.
Insert the URL of the malicious video into a Word document.
Set up a web server to serve malicious JavaScript code.
Implications
This vulnerability allows attackers to execute arbitrary JavaScript code when a video embedded in a Word document is played.
While it may not seem immediately alarming, it’s worth noting that past critical exploits in Office applications often began with the execution of arbitrary JavaScript.
Exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability if combined with a new vulnerable Uniform Resource Identifier (URI).
This makes it crucial for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw underscores the importance of keeping software up to date and being cautious about the content embedded in documents.
Users should be aware of potential security risks associated with video content, especially when it comes from untrusted sources.
The team at Qualys Threat Research Unit has unveiled a fresh vulnerability within the Linux operating system, allowing local attackers to escalate their access level to root privileges. This escalation is made possible by exploiting a buffer overflow weakness located in the GNU C Library’s ld.so dynamic loader. Assigned the identification CVE-2023-4911 and nicknamed “Looney Tunables,” this vulnerability is recognized as high-risk with a CVSS score of 7.8, signifying its high severity.
“Looney Tunables” allows bad actors to exploit a buffer overflow within the ld.so dynamic loader of the GNU C Library (glibc). This exploitation path provides local attackers with a mechanism to elevate their privileges to root level, thereby gaining unparalleled access and control over the system. Given that root privileges allow complete control over a system, attackers can execute a variety of malicious activities, from accessing sensitive information to altering system settings and functionalities, underscoring the critical nature of this security flaw.
The GNU C Library, or glibc, is fundamentally integral to the operation of a majority of systems based on the Linux kernel. This crucial library facilitates numerous system calls, from elementary functions like open, malloc, and printf to more complex ones such as exit, serving as the operational backbone for these systems. As such, glibc plays a pivotal role in the functionality and performance of Linux-based systems, making any vulnerability within this library particularly concerning for system administrators and users alike.
Within glibc, the ld.so dynamic loader is an element of paramount importance. This component is tasked with the significant responsibility of initializing and running programs on Linux systems that rely on glibc for their operation. Its role is crucial as it ensures the smooth execution of various applications and services on a Linux system, making it an indispensable part of the operating environment. Given its central function, any vulnerability within the ld.so dynamic loader is a matter of serious concern as it could potentially compromise the security and stability of a wide range of systems.
In light of the discovery of “Looney Tunables”, it is imperative for organizations and users utilizing Linux-based systems to acknowledge and address this security vulnerability swiftly to safeguard their systems against potential exploits. Immediate mitigation steps, including the application of security patches and updates, should be undertaken to protect systems from the risks associated with this high-severity vulnerability. Users and administrators should stay vigilant and monitor any security advisories and updates issued by the Linux community and cybersecurity experts to ensure timely and effective protection against this newly identified threat.
Furthermore, it would be prudent for organizations to adopt and enforce a set of security best practices. These might include the regular updating and patching of systems, the use of reliable security solutions, conducting cybersecurity awareness and training programs for employees, and implementing network segmentation strategies. These proactive measures can significantly enhance the security posture of an organization, providing robust defense mechanisms against “Looney Tunables” and other similar security threats that might emerge in the future.
The GNU C Library’s ld.so dynamic loader was found to include the security flaw, which exposed a crack in the armor. During the processing of the ‘GLIBC_TUNABLES’ environment variable, this security hole might manifest itself. To put it more simply, a hostile attacker on the local network who has some dexterity and cunning may insert text into the ‘GLIBC_TUNABLES’ environment variable. The attacker is able to execute code with dangerously high privileges if they do this while beginning binaries that have the SUID permission.
This vulnerability was discovered by the observant members of the Qualys Threat Research Unit. According to an investigation into the origin of the vulnerability, it was first discovered in April 2021, when glibc version 2.34 was being distributed. Ironically, the commit was made with the intention of improving security by correcting the behavior of SXID_ERASE in setuid applications.
It is important to keep in mind that attackers, even those with just the most basic privileges, are able to take advantage of this severe gap. since of their simplicity and since they don’t need any input from the user, these assaults are particularly alarming.
There is a solution available for those who are unable to update their software promptly and do not have the Secure Boot capability. A SystemTap script has been made available, and once it is enabled, it will immediately stop any setuid application that has been launched with the ‘GLIBC_TUNABLES’ environment variable present. To securely call the setuid program thereafter, one just has to unset or remove the ‘GLIBC_TUNABLES’ environment variable, for instance by executing the command ‘GLIBC_TUNABLES= sudo’.
According to Saeed Abbasi, who is the Product Manager at Qualys’ Threat Research Unit, “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, underscores the profound and ubiquitous nature of this vulnerability.”
While the Qualys team has indicated that they will not release its exploit code at this time, the inherent simplicity of transforming the buffer overflow into a data-only assault suggests that other research teams may soon take up the challenge.
Systems that are running Debian 12 and 13, Ubuntu 22.04 and 23.04, or Fedora 37 and 38 are vulnerable to the CVE-2023-4911 flaw and should be avoided at all costs. The extent of the possible harm might be enormous due to the widespread use of the glibc library in Linux’s many different distributions. Distributions such as Alpine Linux, which use the musl libc library instead of the glibc library, are given a little bit of wiggle room.
According to Fortinet, ransomware activity has intensified, registering an increase of 13 times compared to the beginning of 2023 in terms of all malware detections. The rise of Ransomware-as-a-Service has primarily driven this surge in ransomware variations.
According to a recent study, 65% of organizations identified ransomware as one of their top three threats to their operational viability. Additionally, ransomware is the most significant threat for 13% of these organizations.
Here’s a collection of free ransomware guides and checklists you can access without registration.
#StopRansomware guide
This guide came from the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) and was developed through the Joint Ransomware Task Force. This guide includes two primary resources:
Ransomware and Data Extortion Prevention Best Practice
Ransomware and Data Extortion Response Checklist
Mitigating malware and ransomware attacks
This guidance from the National Cyber Security Centre UK helps private and public sector organizations deal with malware’s effects (including ransomware). It provides actions to help organizations prevent a malware infection and steps to take if you’re already infected.
Definitive guide to ransomware
As more ransomware attacks and variants rise monthly, IBM Security X-Force believes ransomware will continue to threaten businesses in the coming years. This document provides guidance to organizations before and during a ransomware attack.
Mapping the ransomware landscape
In partnership with the DACG, ANSSI publishes the guide: Ransomware attacks, all concerned – How to prevent them and respond to an incident. The guide is very practical, particularly at general and IT managers in the private sector and local authorities.
Ransomware response checklist
If your organization is a victim of a ransomware incident, this checklist may assist in identification, containment, remediation, and system(s) recovery. Organizations are recommended to review and familiarize themselves with the steps in the checklist before an incident.
Ransomware survival guide: Recover from an attack
In this ransomware survival guide, the authors share lessons they’ve learned and best practices they’ve developed to help organizations coordinate their response to an attack and make timely, strategic decisions through all phases of the response.
The ultimate guide to ransomware
This guide explains what ransomware is, how it works, and how you can remove it and protect yourself.
Cybersecurity for small business: Ransomware
Learn the basics for protecting your business, take a quiz about what your learned. The tips were developed in partnership with the National Institute of Standards and Technology, the U.S. Small Business Administration, and the Department of Homeland Security.
Aspects of ransomware covered by the Budapest Convention
The Cybercrime Convention Committee just adopted a guidance note on ransomware. It shows how the provisions of the Convention on Cybercrime and its new Second Additional Protocol can be used to criminalize, investigate and prosecute ransomware-related offences and to engage in international cooperation.
Atlassian fixed a critical zero-day flaw in its Confluence Data Center and Server software, which has been exploited in the wild.
Software giant Atlassian released emergency security updates to address a critical zero-day vulnerability, tracked as CVE-2023-22515 (CVSS score 10), in its Confluence Data Center and Server software.
The flaw CVE-2023-22515 is a privilege escalation vulnerability that affects Confluence Data Center and Server 8.0.0 and later. A remote attacker can trigger the flaw in low-complexity attacks without any user interaction.
The company is aware that the vulnerability has been exploited in attacks.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.” reads the advisory published by the company.
“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.”
According to the advisory, the vulnerability doesn’t impact Atlassian Cloud sites. If customer’s Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.” reads a post published by Rapid7. “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.”
If admins are unable to upgrade their Confluence instances, as an interim measure the company recommends restricting external network access to them.
Atlassian also recommends mitigating known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances.
The software firm also recommends checking instances for the following indicators of compromise:
unexpected members of the confluence-administrator group
unexpected newly created user accounts
requests to /setup/*.action in network access logs
presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
In September 2022, threat actors were observed targeting unpatched Atlassian Confluence servers as part of an ongoing crypto mining campaign.
Trend Micro researchers warned of a crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 RCE vulnerability disclosed in early June 2022.
Qualcomm recently issued warnings about three zero-day vulnerabilities within its GPU and Compute DSP drivers that are currently being exploited by hackers. These warnings were initiated based on information received from Google’s Threat Analysis Group (TAG) and Project Zero teams. According to their reports, there is limited but targeted exploitation of vulnerabilities identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.
In response to these imminent threats, Qualcomm has rolled out security updates designed to rectify the issues present within its Adreno GPU and Compute DSP drivers. The company has promptly communicated this information to the affected Original Equipment Manufacturers (OEMs), urging them to implement these security updates without delay.
One of the significant flaws, CVE-2022-22071, which was initially disclosed in May 2022, is categorized as a high-severity issue, with a CVSS v3.1 score of 8.4. This vulnerability is a use-after-free bug that can be exploited locally and affects widely-used chips, including the SD855, SD865 5G, and SD888 5G.
However, Qualcomm has opted to remain tight-lipped regarding the details of the other actively exploited vulnerabilities, namely CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063. Further information on these vulnerabilities is expected to be disclosed in the company’s security bulletin scheduled for December 2023.
In addition to these, Qualcomm’s recent security bulletin also shed light on three other critical vulnerabilities, each with severe implications:
CVE-2023-24855 involves memory corruption within Qualcomm’s Modem component. This occurs when processing security-related configurations prior to the AS Security Exchange and has a CVSS v3.1 score of 9.8.
CVE-2023-28540 relates to a cryptographic issue within the Data Modem component, resulting from insufficient authentication processes during TLS handshakes, with a CVSS v3.1 score of 9.1.
CVE-2023-33028 involves memory corruption in the WLAN firmware which occurs during the copying of pmk cache memory without conducting necessary size checks, and it holds a CVSS v3.1 score of 9.8.
In light of these findings, Qualcomm disclosed an additional 13 high-severity flaws along with three more vulnerabilities classified as critical, all of which were identified by the company’s engineers. In total, Qualcomm has released updates to address 17 vulnerabilities across various components while highlighting that three zero-day vulnerabilities are currently being actively exploited.
Of these identified vulnerabilities, three have been classified as critical, 13 are high-severity, and one is medium-severity. Qualcomm’s advisory noted: “There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.”
To safeguard against these vulnerabilities, patches for issues in the Adreno GPU and Compute DSP drivers have been issued and are readily available. OEMs have been duly notified and strongly urged to deploy these security patches at the earliest convenience to prevent potential exploitation.
Users of Qualcomm products are advised to stay vigilant and apply updates provided by OEMs as soon as they are released to ensure their devices are protected from these vulnerabilities. This proactive approach to device security is crucial in mitigating the risk of exploitation and maintaining the integrity and functionality of devices that play a pivotal role in various technological applications.
A critical Zip Slip vulnerability was discovered in the open-source data cleaning and transformation tool ‘OpenRefine’, which allowed attackers to import malicious code and execute arbitrary code.
OpenRefine is a strong Java-based, free, open-source tool for handling messy data. This includes cleaning it, converting it into a different format, and expanding it with web services and external data.
According to SonarCloud, the Zip Slip vulnerability in OpenRefine allows attackers to overwrite existing files or the extraction of contents to unexpected locations. This vulnerability is caused by insufficient path validation while extracting archives.
Details of the OpenRefine Zip Slip Vulnerability
The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to a Zip Slip vulnerability (CVE-2023-37476) with a CVSS score of 7.8.
Although OpenRefine is only intended to execute locally on a user’s computer, a user can be tricked into importing a malicious project file. Once this file is imported, the attacker will be able to run arbitrary code on the victim’s computer.
Web Interface of OpenRefine Tool
“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more”, researchers said.
Fix Available
OpenRefine Version 3.7.4, published on July 17, 2023, has a fix for the issue.
In light of this, Users are recommended to update to OpenRefine 3.7.4 as soon as feasible.
MITRE ATT&CK, a common language for cybersecurity professionals to communicate with each other and better understand real-world adversary behaviors, celebrates its 10th anniversary this fall. In this Help Net Security interview, project leader Adam Pennington discusses the framework, how defenders can best use it, and what’s next.
What were the main drivers behind the creation of the MITRE ATT&CK framework back in 2013?
The framework was born out of an internal exercise performed at MITRE’s Ft. Meade, Md. site in 2013. We put sensors on desktop computers to analyze a series of red and blue team cyber operations, which wasn’t common back then. White team observers noticed that the red team’s actions weren’t representative of real-world adversary behavior. When they requested that the red team adjust their tactics, they lacked a unified language to explain themselves.
The white team changed course by pulling actual cyber-attack scenarios from honey pots of real data for the blue and red teams to design operations around. Ultimately, the exercise culminated with a basic Excel spreadsheet outlining different intrusion techniques using a common language. It was incredibly helpful to us internally, so on the chance it would be useful to the rest of the world, we released it publicly as MITRE ATT&CK.
How has the framework evolved over the past decade, especially in the last five years, where we’ve seen a surge in its popularity?
What started out as an Excel spreadsheet identifying one adversary and one tactic has transformed into a framework referenced and contributed to by users across the world. By the time it reached the public, there were around 100 behaviors, and in 2016 we began tracking groups and software based on open-source threat intelligence reporting. In 2018, we amassed enough interest to launch ATT&CKcon (the fourth iteration of the user conference will run Oct. 24-25 at MITRE’s McLean, Va., headquarters).
In the last five years, we’ve expanded the core framework with ATT&CK for industrial control systems, mobile, Linux, various cloud platforms (Office 365, Azure, etc.), network devices (computer switches and routers), and more. We continue to make information digestible and user friendly by including both what adversary tactics are, and techniques users can employ to defend against them. To that end, we recently added pseudocode analytics directly to ATT&CK that people can use in their defenses as an “easy button.”
How does the framework stay up to date with real-world observations and contributions? How often is it updated?
As I’m answering this question, we’ve gotten at least one contribution from a community member via email—evidence that we receive updates often! ATT&CK is heavily community driven. Our framework isn’t effective without users keeping us abreast of the latest threats.
Additionally, we monitor social media, public reports from various government entities, and updates from incident response firms. Behind the scenes, we have large teams maintaining and organizing information for each respective arena.
We release a new version of ATT&CK every six months. After trying out shorter and longer timeframes, we found six months to be the sweet spot satisfying both organizations that bake ATT&CK into their products and defenses and those who want information fast.
Given the evolving nature of cyber threats, what long-term value does the MITRE ATT&CK framework offer to cybersecurity professionals?
ATT&CK continues to evolve right alongside adversaries, but historically this is a space that changes slowly over time. Bad actors exhibit relatively routine methods once they’ve gained entry into a network. Even though the exact piece of software, IP address, or even the human on the other end may differ, there are fundamental attack sequences that don’t often fluctuate. Behaviors documented in ATT&CK a decade ago are still seen today.
On the other hand, there are new spaces ripe for intrusion like cloud-based products. We’re expanding the framework in step with new technologies.
For organizations that find the initial implementation process complex, what advice do you have to ease this learning curve?
Start with bite size pieces. Time and time again, we’ve seen cybersecurity teams from small organizations attempt to comprehensively integrate ATT&CK into their defenses, just to quickly realize they’re in over their heads. The framework is not one-size-fits-all.
To solve for this challenge, we recommend multiple strategies focused on starting small. The framework is divided into techniques, so an organization may begin with a single tactic relevant to their system. For example, if you’re concerned with identity management, you can dig into how adversaries are stealing passwords and identify overlap between their behaviors. Once you reach those prioritization points, it’s easier work backwards and add protections against them.
What are some of the less obvious applications of the framework that professionals in the cybersecurity industry should be aware of?
We’re pleasantly surprised to see how ATT&CK is being leveraged in academic environments, from high schools to universities. One high school in Virginia invited our team to come in and speak to the work, which they previously integrated into their curriculum.
Several private sector organizations also have woven the framework into employee education. I recently spoke to somebody whose company regularly discusses a “technique of the week” pulled from the ATT&CK database.
What future enhancements or expansions do you envision for the MITRE ATT&CK framework?
As adversaries explore new exploitation methods, we’ll be there cataloging their every move. Our team continues to advance threat intelligence reporting on spaces growing in popularity, such as Linux and operating systems beyond Windows.
The goal is, and has always been, to build a community of cyber defenders. We know ATT&CK is a boon for larger organizations, but we’re working on ways to make it more accessible for smaller and less-resourced entities.
