InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.
Google: Seven zero-days in 2021 developed commercially and sold to governments
Google’s Threat Analysis Group (TAG) released a new report on Thursday chronicling an Italian spyware vendor selling technology used on victims in Italy and Kazakhstan.
The report mirrors another from cybersecurity company Lookout that was published last week covering “Hermit” – a brand of surveillanceware developed by spyware vendor RCS Labs and telecoms company Tykelab Srl.
The Google report examined the spyware from RCS Labs, noting that the Italian vendor “uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.”
Google TAG researchers Benoit Sevens and Clement Lecigne also touch on the wider commercial spyware industry, noting that Google continues to track the activities of vendors and recently testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the work they’re doing “to monitor and disrupt this thriving industry.”
“Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors,” Sevens and Lecigne explained.
“TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.”
The Israeli surveillance firm NSO Group revealed that its Pegasus spyware was used by at least five European countries.
The controversial Israeli surveillance vendor NSO Group told the European Union lawmakers that its Pegasus spyware was used by at least five countries in the region.
NSO Group’s General Counsel Chaim Gelfand admitted that the company had “made mistakes,” but that after the abuses of its software made the headlines it has canceled several contracts.
“We’re trying to do the right thing and that’s more than other companies working in the industry,” Gelfand told members of the PEGA committee. “Every customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.”
In April, the Parliament set up a new inquiry committee investigating the use of Pegaus spyware and equivalent surveillance software used to spy of phones belonging to politicians, diplomats, and civil society members. The spyware was used to target several European leaders, including Spain’s Prime Minister Pedro Sánchez, and Spanish political groups, Hungary, and Poland.
In February, the European Data Protection Supervisor (EDPS) authority called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.
The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection.
“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS).
“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”
Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.
The bad news is that the business of digital surveillance is growing in scaring and uncontrolled way. Recently, experts spotted other surveillance malware infecting systems worldwide, such as the HERMIT spyware that was linked to an Italian firm.
If you want to read more info on the Pegasus spyware give a look at a report investigating Pegasus spyware impacts on human rights has been launched by the Council of Europe on the occasion of the summer session of the Parliamentary Assembly.
The report was prepared by the Information Society Department with contributions from Tamar Kaldani the former Personal Data Protection Inspector and the State Inspector of Georgia, currently serving as the first Vice-chair of the Consultative Committee of Convention 108 and Zeev Prokopets – an Israeli executive, product designer, software developer and entrepreneur.
“An investigation report released by a global consortium26 revealed that 200 journalists worldwide had been targeted using Pegasus spyware. The Office of the UN Special Rapporteur for Freedom of Expression also noted the number of victims of attempted spying through Pegasus, including Mexican journalists, human rights defenders and opposition leaders.27 “The numbers vividly show the abuse is widespread, placing journalists’ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,” – said Secretary-general of Amnesty International.” concludes the report. “The right to freedom of expression and information, as guaranteed by Article 10 of the Convention, constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and the development of every individual.”
Brave Search, the browser developer’s privacy-centric Internet search engine, is celebrating its first anniversary after surpassing 2.5 billion queries and seeing almost 5,000% growth in a year.
To celebrate this success, Brave Software announced that Brave Search is finally exiting its beta phase and will become the default search engine for all users of the Brave browser.
Additionally, a new search results curation feature called “Goggles” will be released in beta and made available to those who wish to test it.
Brave Search grows by almost 5,000%
Since launching in June 2021, Brave Search grew by almost 5,000%, starting with 8.1 Million search queries in June 2021 and growing to 411.7 million by the end of May 2022.
Brave says it grew its current query volume four times quicker than DuckDuckGo, likely assisted by its large community of Brave Browser users.
Brave says that independence has remained at the epicenter of the company’s focus, with Brave Search users receiving 92% of their queries directly from Brave’s independent search index rather than through Bing and Google indexes.
“Search engines that depend too much or exclusively on Big Tech are subject to censorship, biases, and editorial decisions,” explains Brave in the blog post.
“Brave Search is committed to openness in search. It does not manipulate its algorithm to bias, filter, or down-rank results (unless it’s compelled by law to do so).”
Besides focusing on privacy and independence, Brave also strived to offer new mechanisms that would enrich the experience of using Brave Search.
Discussions were introduced this April as a new feature on Brave Search to draw results from social media platforms like Reddit.
Sick of the unending stream of email and phone calls you receive from scammers claiming to represent your bank? Amazon? Microsoft? The tax office? The police?
We sympathise – we’re sick of them too, especially landline calls that could be a loved one calling for help or advice, and thus need to be answered…
…but that rarely, if ever, turn out to have a familiar voice at the other end.
Rober makes some alarming but entirely believable claims of just how much money [a] a top call-centre scammer can make if they hit their on-target earnings and [b] just how much a typical call centre of this sort turns over each day.
If you haven’t seen it, the video starts with the words, “I have 100 cockroaches here, and I placed them in this James Bond-style contraption,” so you can probably imagine how things end.
Despite the not-very-threatening outcome when Rober later releases the insects inside a scam call centre where he has access to footage from the CCTV feed, the video gives a good visual indication of just how industriously and unrelentingly these scammers operate. (When not driven from their work pods by roaches, that is.)
Fake refund scams
The scammers in Rober’s video seem to go in mainly for what are known as “fake refund” tricks, which go something like this:
Scammers “refund” you an impressive but believable amount, say $2000, for an “over-billing” for a product or service you actually use.
They then “help” you login to your bank account to ensure that the transaction went through.
They sneakily edit the HTML in your browser so the page shows a transaction for ten times the amount originally mentioned.
They cry out in alarm, claiming they themselves must have typed in an extra zero and that they’ve accidentally refunded too much.
Then they burst into tears, or turn on the emotional blackmail, claiming they (or you!) will be liable for the massive difference, so please, oh! please! won’t you help?
Their goal is to lure, browbeat, wheedle, threaten, cajole, beg and convince you to refund the “extra” money out of your own account.
After all, you can see the giant refund is there… except that it isn’t, because the item on the page is fake, with the HTML modified in memory to show a huge deposit and a vastly increased balance.
You’re scammed into thinking that they’ve made a mistake that will definitely get them in trouble, and could get you into trouble, too.
The crooks therefore hope to persuade you to help them “cover up” their mistake by withdrawing the “excess” from your own account and paying the non-existent “difference” back to them via some other channel.
While you might be sure that no criminal would ever catch you out with an apparently obvious trick like this, you’ll probably admit that, like most things, this sort of scam is only truly obvious the second time you see it or hear about it.
Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains.
Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code.
Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information disclosure vulnerabilities via a “non-intrusive” probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.
“The number of secrets exposed via the front end of hosts is alarmingly huge,” said Pinaki Mondal, security researcher at RedHunt Labs, in a blog post.
“Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.”
Millions of secrets
The first of two mammoth scans focused on the one million most heavily trafficked websites. It yielded 395,713 secrets, three quarters of which (77%) were related to Google services reCAPTCHA, Google Cloud, or Google OAuth.
Google’s reCAPTCHA alone accounted for more than half (212,127) of these secrets – and the top five exposed secret types was completed by messaging app LINE and Amazon Web Services (AWS).
Phase two, which involved scanning around 500 million hosts, surfaced 1,280,920 secrets, most commonly pertaining to Stripe, followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.
A majority of exposures across both phases – 77% – occurred in frontend JavaScript files.
Most JavaScript was served through content delivery networks (CDNs), with the Squarespace CDN leading the way with over 197,000 exposures.
Mondal blamed the “decades”-old problem of leaked secrets on the “complexities of the software development lifecycle”, adding: “As the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.”
‘Non-intrusive’ research
The RedHunt Labs research team told The Daily Swig that they are still “continuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home page”.
The researchers said they had encountered no legal problems related to the research so far.
“We received a few abuse reports against the boxes on which the scan was run and we have handled them,” they said.
The “extremely non-intrusive” process involved no “more than a few HTTP requests per domain” and no written actions – “only read requests to HTTP URLs and JavaScript files were sent”.
The captured secrets, meanwhile, are “stored on an encrypted volume with access to very limited folks” and “will be disposed of after a month”, added the researchers.
Red Hunt Labs has open-sourced the tool developed for the research and created a demonstration video:
Called HTTPLoot, it can crawl and scrape URLs asynchronously, check for leaked secrets in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.
Redhunt Labs has set out four best practices for preventing and mitigating leaked secrets, including setting restrictions on access keys, centrally managing secrets in a restricted environment or config file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage issues.
Google Project Zero experts disclosed details of a 5-Year-Old Apple Safari flaw actively exploited in the wild.
Researchers from the Google Project Zero team have disclosed details of a vulnerability in Apple Safari that was actively exploited in the wild.
The vulnerability, tracked as CVE-2022-22620, was fixed for the first time in 2013, but in 2016 experts discovered a way to bypass the fix.
“Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations.” reads the post published by Google Project Zero. “This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022.”
Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22620 (CVSS score: 8.8), in the WebKit affecting iOS, iPadOS, macOS, and Safari that may have been actively exploited in the wild.
The zero-day vulnerability was fixed by Apple in February, it is a use-after-free issue that could be exploited by processing maliciously crafted web content, leading to arbitrary code execution
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the security advisory published by Apple. “A use after free issue was addressed with improved memory management.”the google researcher Maddie Stone added. “The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.”
The vulnerability was reported by an anonymous researcher and the company addressed it by improving memory management.
“Whenever I’m doing a root cause analysis on a browser in-the-wild 0-day, along with studying the code, I also usually search through commit history and bug trackers to see if I can find anything related. I do this to try and understand when the bug was introduced, but also to try and save time.” she said.
The researcher noticed that the commits dated October 2016 and December 2016 were very large, she discovered that the commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions.
“Usually when we talk about variants, they exist due to incomplete patches: the vendor doesn’t correctly and completely fix the reported vulnerability. However, for CVE-2022-22620 the vulnerability was correctly and completely fixed in 2013. Its fix was just regressed in 2016 during refactoring. We don’t know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for 5 years: December 2016 until January 2022.” concludes the expert. “There’s no easy answer for what should have been done differently. The developers responding to the initial bug report in 2013 followed a lot of best-practices.”
If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.
Deep Instinct released the third edition of its annual Voice of SecOps Report, focused on the increasing and unsustainable stress levels among 1,000 C-suite and senior cybersecurity professionals across all industries and roles. The research found that 45% of respondents have considered quitting the industry due to stress, with the primary issues being an unrelenting threat from ransomware and the expectations to always be on call or available.
The research reinforced that paying a ransom remains a hotly debated topic. 38% of respondents admitted to paying a ransom, with 46% claiming their data was still exposed by the hackers; and 44% could not restore all their data even after a ransom was paid.
The great cybersecurity resignation
The job of defending against increasingly advanced threats on a daily and hourly basis is causing more problems than ever as 46% of respondents felt their stress had measurably increased over the last 12 months. This was especially the case for those working within critical infrastructure. These increased stress levels have led cybersecurity professionals to consider leaving the industry altogether, joining in the “Great Resignation,” rather than moving to a new cybersecurity role at a new employer.
45% admit to considering quitting the industry on at least one or two occasions
46% know at least one person who left cybersecurity altogether in the past year due to stress
Who’s stressed and why?
Stress is not only felt by SOC teams and others on the cyber frontlines but also among those in the C-Suite who are making the difficult decisions on how to use their available resources more efficiently.
Biggest stress culprit: Ransomware
45% of respondents said that ransomware was the biggest concern of their company’s C-Suite. The survey found that 38% of respondents admitted to paying up in order to receive the encryption key primarily to avoid downtime (61%) or bad publicity (53%). However, paying the ransom did not guarantee a resolution post-attack in many cases.
Of those reporting that a payment was made:
46% claimed to still have their data exposed by the hackers
44% couldn’t restore all their data
Only 16% claimed to have no further issues to date
In response to these issues with ransomware payment, 73% of respondents claimed they would not pay a ransom in the future.
Among those who claimed they would still pay a ransomware demand in the future, widespread fear remained that they would be trouble-free in the future.
The fear of paying a ransom in the future included the following:
75% do not expect to have all their data restored
54% fear the criminals will still make the exfiltration of data public knowledge, and
52% fear the attackers will have installed a back door and will return
“Considering that the constant waves of cyber-attacks are likely to become more common and evasive as we move forward, it’s of the utmost importance to ensure that those who dedicate their careers and lives to defending our businesses and country don’t become overly stressed and give up,” said Guy Caspi, CEO of Deep Instinct.
“By adopting and utilizing new defensive techniques, like artificial intelligence and deep learning, we can help the cybersecurity community mitigate one of the most important issues that is often overlooked by many: the people behind the keyboard.”
ALPHV/BlackCat ransomware group began publishing victims’ data on the clear web to increase the pressure on them and force them to pay the ransom.
ALPHV/BlackCatransomware group has adopted a new strategy to force victims into paying the ransom, the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online will make data indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.
The ALPHA/BlackCat gang has been active since at least December 2021 when malware researchers from Recorded Future and MalwareHunterTeam discovered their operation. The ALPHA/BlackCat is the first professional ransomware strain that was written in the Rust programming language.
BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.
Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.
ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.
In the past, many victims of past ransomware attacks were not concerned about the publication of their data on a leak site in the Tor network believing that dark nets are not easy to access to the masses.
The ransomware gangs set up a website on the clear web for each victims and publish the stolen data on it.
It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.
Marion County, right in the middle of the US state of Indiana, and home to the state’s capital Indianapolis, is also currently home to a tragic court case.
(Thanks to fellow writers at The Register for that link – we couldn’t get to the official court site while we were writing this up.)
The short version of events is alleged to be as follows:
Accused decides her partner’s cheating.
Hides an Apple AirTag in the back of his car.
Tells partner she’s getting ready to boot him out.
Partner makes himself scarce.
Texts him to say she knows where he is.
Drives to the pub she thinks he’s in.
Confronts him and attacks the woman he’s with.
Gets thrown out of pub with the other two because of ruckus.
Drives off a short way but sees partner in parking lot.
Drives back and runs him over.
Traps partner under car.
Partner suffocates to death.
In the sombre and tragic words of the charge sheet, the court alleges that the accused “did knowingly kill another human being, […], all of which is contrary to statute and against the peace and dignity of the State of Indiana.”
The charge sheet makes interesting reading, and is a fascinating reminder of how old-school policing, such as promptly interviewing witnesses at the scene and securing relevant property that might be neeed in evidence…
…is mixed in with the need for today’s investigators to be familiar with modern technology and to how to involve it right from the start in the evidence they collect.
Experts spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
Researchers from antivirus firm Avast spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
The experts reported that the Syslogk rootkit is heavily based on an open-source, well-known kernel rootkit for Linux, dubbed Adore-Ng.
Experts highlighted that the kernel rootkit is hard to detect, it enables hiding processes, files, and even the kernel module. The experts pointed out that it also allows authenticated user-mode processes to interact with the rootkit to control it.
Linux rootkits are malware installed as kernel modules in the operating system. Once installed, they intercept legitimate Linux commands to filter out information that they do not want to be displayed, such as the presence of files, folders, or processes.
“The rootkit has a hide_module function which uses the list_del function of the kernel API to remove the module from the linked list of kernel modules. Next, it also accordingly updates its internal module_hidden flag.” reads the analysis published by Avast.
However, the researchers explained that the rootkit has a functionality implemented in the proc_write function that exposes an interface in the /proc file system which could be used as an indicator of compromise when the value 1 is written into the file /proc/syslogk.
Upon discovering the rootkit, it is possible to remove it from memory using the rmmod Linux command.
Syslogk is also able to hide the malicious payload by taking the following actions:
The hk_proc_readdir function of the rootkit hides directories containing malicious files, effectively hiding them from the operating system.
The malicious processes are hidden via hk_getpr – a mix of Adore-Ng functions for hiding processes.
The malicious payload is hidden from tools like Netstat; when running, it will not appear in the list of services. For this purpose, the rootkit uses the function hk_t4_seq_show.
The malicious payload is not continuously running. The attacker remotely executes it on demand when a specially crafted TCP packet (details below) is sent to the infected machine, which inspects the traffic by installing a netfilter hook.
It is also possible for the attacker to remotely stop the payload. This requires using a hardcoded key in the rootkit and knowledge of some fields of the magic packet used for remotely starting the payload.
Avast researchers observed the Syslogk rootkit loading a Linux backdoor named Rekoobe, which will be activated on the compromised system when the rootkit receives a “magic packet” from the operators.
“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server. Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network.” continues the analysis. “Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”
Syslogk listens for specially crafted TCP packets that include special “Reserved” field values, “Source Port” numbering between 63400 and 63411 inclusive, “Destination Port” and “Source Address” matches, and a hardcoded key.
Experts believe that the Syslogk rootkit is under development and it will likely implement new features in the next versions.
“One of the architectural advantages of security software is that it usually has components running in different privilege levels; malware running on less-privileged levels cannot easily interfere with processes running on higher privilege levels, thus allowing more straightforward dealing with malware.” concludes the report which also includes indicators of compromise. “On the other hand, kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer. This is why it is essential for system administrators and security companies to be aware of this kind of malware and write protections for their users as soon as possible.”
The OWASP Foundation recognizes this fact via the API Security Top 10 list of vulnerabilities and security risks. When we look at the list, there are six common methods of execution. Three of the issues occur due to weak access control and three to business logic abuse, with the remainder existing due to insufficient traffic management, application vulnerabilities, lack of visibility and lack of operational security readiness.
These issues are unique to APIs and make them particularly challenging to secure, so let’s look at each in detail.
1. Broken object level authorisation (BOLA)
Formerly known as Insecure Direct Object References (IDOR), BOLA allows the attacker to perform an unauthorized action by reusing an access token. This method has been widely used to attack IoT devices, for instance, as it can be used to allow the attacker to access other user accounts, change settings and generally wreak havoc much to the embarrassment of the IoT vendor.
The attack relies on the API’s resource IDs or objects not having sufficient validation measures in place. In some cases, the data used by the API has no user validation and is accessible to the public, while in other cases error messages return too much information, providing the attacker with more information on how to abuse the API.
Defending against BOLA attacks requires the validation of all user privileges for all functions across the API. API authorization should be well defined in the API specification and random/unpredictable IDs. It’s also important to test these validation methods on a routine basis.
2. Broken user authentication
An attacker can impersonate a genuine user if there are flaws with user authentication. Mechanisms such as log-in, registration, and password reset can be bombarded with automated attacks and, if poorly secured, will allow weak passwords, return error messages to the user with too much information, lack token validation or have weak or non-existent encryption.
Preventing these abuses requires security to be prioritized during development. All the authentication mechanisms mentioned above need to be identified and multi-factor authentication (MFA) needs to be applied. The development team should also look to implement volumetric and account lockout protection mechanisms to prevent brute force attacks.
3. Excessive data exposure
Some published APIs expose more data than is necessary as they rely on the client app rather than back-end systems to filter. Attackers can use this information to carry out enumeration attacks and build up an understanding of what works and what doesn’t, allowing them to create a “cookbook” for stealing data or for orchestrating a large attack at a later stage.
Limiting data exposure requires the business to understand and tailor the API to user needs. The aim is to provide the minimum amount of data needed, so the API needs to be highly selective in the properties it chooses to return. Sensitive or personally identifiable information (PII) should be classified on backend systems and the API should never rely on client-side filtering.
4. Lack of resources and rate limiting
If the API doesn’t apply sufficient internal rate limiting on parameters such as response timeouts, memory, payload size, number of processes, records and requests, attackers can send multiple API requests creating a denial of service (DoS) attack. This then overwhelms back-end systems, crashing the application or driving resource costs up.
Prevention requires API resource consumption limits to be set. This means setting thresholds for the number of API calls and client notifications such as resets and lockouts. Server-side, validate the size of the response in terms of the number of records and resource consumption tolerances. Finally, define and enforce the maximum size of data the API will support on all incoming parameters and payloads using metrics such as the length of strings and number of array elements.
5. Broken function level authorization
Effectively a different spin on BOLA, this sees the attacker able to send requests to functions that they are not permitted to access. It’s effectively an escalation of privilege because access permissions are not enforced or segregated, enabling the attacker to impersonate admin, helpdesk, or a superuser and to carry out commands or access sensitive functions, paving the way for data exfiltration.
Stopping this level-hopping activity requires authentication workflow to be documented and role-based access to be enforced. This requires a strong access control mechanism that flows from “parent to child” and doesn’t permit the reverse.
6. Mass assignment
The attacker discovers modifiable parameters and server-side variables that they then exploit by creating new users with elevated privileges or by modifying existing user profiles. This can be prevented by limiting or avoiding the use of functions that bind inputs to objects or code variables. The API schema should include input data payloads and enforce segregation by whitelisting client-updatable properties and blacklisting those that should be restricted.
7. Misconfiguration
Incomplete, ad-hoc or insecure default configurations, misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS), and verbose error messages containing sensitive information are, unfortunately, all too common in APIs. They’re usually the result of human error, due to a lack of application hardening, poor patching practices or improper encryption and, when discovered by an attacker, can be exploited, leading to fraud and data loss.
Configuration is all about putting in place the right steps during the API lifecycle, so it is advised to implement a repeatable hardening process, a configuration review and update process, and regular assessments of the effectiveness of the settings. Defining and enforcing responses (including those for errors) can also stop information getting back to the attacker. CORS policies should also be put in place to protect browser-based deployments.
8. Injection
A staple of the OWASP Web Application top 10 list, injection attacks see the untrusted injection of code into API requests to execute commands or to gain unauthorized access to data. These attacks can happen when the database or application lacks filtering or validation of client or machine data, allowing the attacker to steal data or inject malware by sending queries and commands direct to the database or application.
The mitigation of injection attacks requires separation between data/commands and queries. Data types and parameter patterns should be identified, and the number of records returned should be limited. All the data from clients and external integrated systems should be validated, tested, and filtered.
9. Improper asset management
Poorly secured APIs such as shadow, deprecated, or end-of-life APIs are highly susceptible to attack. Other threat vectors include pre-production APIs that may have been inadvertently exposed to the public, or a lack of API documentation that has led to an exposed flaw, such as authentication, errors, redirects, rate limiting, etc.
Here it’s critical to look at the API publication process by replacing or updating risk analyses as new APIs are released. Continuous monitoring of the entire API environment, from dev to test, stage and production, including services and data flow is also advised. Adopting an OpenAPI specification can help simplify the process.
10. Insufficient logging and monitoring
Attackers can evade detection entirely if API activity isn’t logged and monitored. Examples of insufficient logging and monitoring include misconfigured API logging levels, messages lacking detail, log integrity not being guaranteed, and APIs being published outside of existing logging and monitoring infrastructure.
Logging and monitoring need to capture enough detail to uncover malicious activity, so it should report on failed authentication attempts, denied access, and input validation errors. A log format should be used that is compatible with standard security tools and API log data should be treated as sensitive whether in transit or at rest.
Unique challenges
All ten attack methods reveal how difficult it can be to secure APIs, which are continuously being spun-up, updated or replaced, sometimes daily. In fact, they’re so numerous that their security can only be enforced using automation. Consequently, many organizations have tried to use rules-based security solutions and code-scanning tools, although these are not equipped to spot the types of abuses identified in the OWASP list. Web application firewalls (WAFs), for instance, offer limited protection because they look for known threats, while an API gateway can create more problems by acting as a single point of failure.
It’s for these reasons that Gartner recently created a distinct API security category, separate from these other tools, in acknowledgement of the fact that APIs have their own set of problems (that are also often unique to the business itself).
In the “Advance your Platform-as-a-Service Security” report, analyst Richard Bartley reveals API security tooling for API discovery and protection should be regarded as having equal importance to and sit between internet edge security (i.e., WAF) and the data plane security layers (i.e., the Cloud Workload Protection Platform or CWPP). This new breed of API security is therefore cloud-native and behavior-based, allowing it to spot and respond to API-specific anomalous activity.
These new tools specifically focus on the prevention of automated attacks against public-facing applications and the persistence of API coding errors. They use machine learning to analyze APIs and web applications coupled with behavioral analysis to determine whether the intent behind API interaction is malicious or benign. They can also act by blocking, rate limiting, geo-fencing and even deceiving attackers, thereby buying time to respond. Such capabilities mean that API-specific security solutions can be applied to aid the developer and to monitor the security of the API throughout its entire lifecycle, thereby preventing the automated attacks and vulnerability exploits identified in the OWASP API Security Top 10.
With APIs continuing to outstrip web apps in the rollout of new services, we must attend to how these are secured or risk building these services on shaky foundations. The hope is that with the OWASP Project highlighting how APIs can be exploited and Gartner creating a distinct new category, the tech sector will finally realize that API security is an anomaly that merits its own solution.
Researchers uncovered a high stealth Linux malware, dubbed Symbiote, that could be used to backdoor infected systems.
Joint research conducted by security firms Intezer and BlackBerry uncovered a new Linux threat dubbed Symbiote.
The name comes from the concept of symbiote which is an organism that lives in symbiosis with another organism, exactly like this implant does with the infected systems. For this reason, security researchers defined this threat as nearly impossible to detect.
Unlike other Linux threats, Symbiote needs to infect other running processes to inflict damage on the compromised machines. It is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and like a parasite infects the machine. Once the malware has infected all the running processes, it provides the threat actor with rootkit capability and supports data-stealing capabilities.
The malware was first spotted in November 2021, experts believe it was designed to target the financial sector in Latin America, such as Banco do Brasil and Caixa.
“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.” reads the report published by Blackberry. “Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.”
Experts reported that one interesting technical features implemented by Symbiote is the Berkeley Packet Filter (BPF) hooking functionality, it is the first Linux malware to use this feature to hide malicious network traffic.
“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.” continues the report.
Symbiote can be loaded by the linker via the LD_PRELOADdirective before any other shared objects allowing to “hijack the imports” from the other library files loaded for the application.
Symbiote hides its presence by hooking libc and libpcap functions.
“Symbiote is a malware that is highly evasive. Its main objective is to capture credentials and to facilitate backdoor access to infected machines. Since the malware operates as a userland level rootkit, detecting an infection may be difficult.” concludes the report. “Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus and endpoint detection and response (EDR) should be statically linked to ensure they are not “infected” by userland rootkits.”
Experts also shared indicators of compromise (IoCs) for this threat.
China-linked threat actors have breached telecommunications companies and network service providers to spy on the traffic and steal data.
US NSA, CISA, and the FBI published a joint cybersecurity advisory to warn that China-linked threat actors have breached telecommunications companies and network service providers.
The nation-state actors exploit publicly known vulnerabilities to compromise the target infrastructure.
The attackers also targeted Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices to use them as additional access points to route command and control (C2) traffic and midpoints to carry out attacks on other entities.
Below is top network device CVEs exploited by PRC nation-state actors since 2020:
Chinese hackers employed open-source tools for reconnaissance and vulnerability scanning, according to the government experts, they have utilized open-source router specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify vulnerable devices to target.
The RouterSploit Framework allows operators to scan for vulnerable embedded devices, while RouterScan allows for the scanning of IP addresses for vulnerabilities. Both tools could be used to target SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.
“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed passwords for user and administrative accounts.” reads the advisory published by the US agencies. “Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119].”
The agencies also provide a list of recommendations to mitigate and detect these attacks:
Keep systems and products updated and patched as soon as possible after patches are released [D3-SU] . Consider leveraging a centralized patch management system to automate and expedite the process.
Immediately remove or isolate suspected compromised devices from the network [D3-ITF] [D3-OTF].
Segment networks to limit or block lateral movement [D3-NI].
Disable unused or unnecessary network services, ports, protocols, and devices [D3-ACH] [D3-ITF] [D3-OTF].
Enforce multifactor authentication (MFA) for all users, without exception [D3-MFA].
Enforce MFA on all VPN connections [D3-MFA]. If MFA is unavailable, enforce password complexity requirements [D3-SPP].
Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [D3-SPP].
Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures.
Disable external management capabilities and set up an out-of-band management network [D3-NI].
Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [D3-NI].
Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [D3-NTA] [D3-PM].
Ensure that you have dedicated management systems [D3-PH] and accounts for system administrators. Protect these accounts with strict network policies [D3-UAP].
Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [D3-PM].
Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.
Mandiant: “No evidence” we were hacked by LockBit ransomware
American cybersecurity firm Mandiant is investigating LockBit ransomware gang’s claims that they hacked the company’s network and stole data.
The ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files they allegedly stole from Mandiant will be leaked online.
“All available data will be published!” the gang’s dark web leak site threatens under a timer showing just under three hours left until the countdown ends.
LockBit has yet to reveal what files it claims to have stolen from Mandiant’s systems since the file listing on the leak page is empty.
However, the page displays a 0-byte file named ‘mandiantyellowpress.com.7z’ that appears to be related to a mandiantyellowpress.com domain (registered today). Visiting this page redirects to the ninjaflex.com site.
When BleepingComputer reached out for more details on LockBit’s claims, the threat intel firm said it hadn’t yet found evidence of a breach.
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops,” Mark Karayan, Mandiant’s Senior Manager for Marketing Communications, told BleepingComputer.
Mandiant says it's looking into Lockbit ransomware gang's claims:
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.” pic.twitter.com/JLM5ob1yCi
These claims come after Mandiant revealed in a report published last week that the Russian Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade U.S. sanctions.
Mandiant announced in March that it entered into a definitive agreement to be acquired by Google in an all-cash transaction valued at roughly $5.4 billion.
The LockBit ransomware gang has been active since September 2019 as a ransomware-as-a-service (RaaS) and relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware actors were banned from posting on cybercrime forums [1, 2].
Accenture, a Fortune 500 company and one of LockBit’s victims, confirmed to BleepingComputer in August 2021 that it was breached after the gang asked for a $50 million ransom not to leak data stolen from its network.
During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.
It’s been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8. This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server.
Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.
RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.
Please note that patches for these specific vulnerabilities have been released by Resi.
What GEMINI-NET from Resi is
GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.
It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.
According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.
Below are the details that have been published on the institutional website and NIST ratings.
CVE-2022-29539 – RESI S.p.A
Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78) Software Version: 4.2 NIST:
CVSv3: 9.8 Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.
According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.
Below are the details that have been published on the institutional website and NIST ratings.
CVE-2022-29539 – RESI S.p.A
Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78) Software Version: 4.2 NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29539 CVSv3: 9.8 Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.
We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.
In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.
In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.
Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.
It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.
We all know that cyberthreats have become more frequent, stealthier and more sophisticated. What’s more, the traditional, reactive approach to detecting threats by hunting indicators of compromise (IoCs) using markers like IP addresses, domains and file hashes is quickly becoming outdated—threats are only detected once a compromise is achieved and attackers are readily able to alter these markers to evade detection.
To overcome this issue, the cybersecurity community came up with the concept of anomaly-based detection, a technique that leverages statistical analysis, big data and machine learning to detect atypical events. However, this approach often results in a high rate of false positives. What is considered normal versus what is anomalous is not always precise. To identify malicious trends and patterns, vast amounts of data must be captured from sources across the entire computing environment, requiring large-scale investments in data collection and processing.
TTPs: Behavior-Based Detection
The concept of TTPs (tactics, techniques and procedures) was popularized by David Bianco’s The Pyramid Of Pain. Bianco stressed that threat hunters must move away from static IoCs like domains and IPs, as those are difficult to keep up with. For example, attackers can easily use a domain generation algorithm (DGA) to generate fake domain names and IP addresses to evade detection. Additionally, the cybersecurity industry also must shift from signature-based malware detection, as today’s malware is polymorphic; which means the same malware is capable of creating different signatures with each infection. Therefore, the focus should be on the TTPs of attackers because these are difficult to change quickly.
What is the MITRE ATT&CK Framework?
Researchers at MITRE Corporation and security vendors noted that, unlike IoCs, adversary techniques do not change frequently because of the limitations of targeted technologies (e.g., Windows, macOS, mobile devices), and are common across multiple adversaries. That’s why in 2013, they created the MITRE ATT&CK framework. ATT&CK stands for adversarial tactics, techniques and common knowledge—one of the industry’s most curated and globally-accessible knowledge bases of common adversary behavior. The sole aim of the project is to map typical adversary TTPs so that there is a common language for both red and blue teams while proactively hunting for cybersecurity threats.
The framework consists of 14 different tactics along with several techniques attackers use to achieve those tactics. A tactic refers to a general goal the adversary is trying to establish while the technique refers to the means the adversary will adopt to accomplish the tactic. Tactics explain the “why” while techniques explain the “how.” Each technique is further divided into sub-techniques that explain in greater detail how an adversary executes a specific technique.
Tactics listed in the ATT&CK matrix are presented in a linear format, starting from the time an adversary conducts reconnaissance to the point when they achieve their final goal— exfiltration or impact. ATT&CK not only provides appropriate categorization for adversary actions but also details recommendations on how organizations can defend against them.
Why is ATT&CK Important?
The MITRE ATT&CK framework can be used worldwide across multiple security disciplines such as intrusion detection, threat hunting and intelligence, security engineering and risk management. Some key benefits or use cases for the ATT&CK framework can include:
Attacker emulation: Simulates attack scenarios to test security solutions and verify defense capabilities.
Penetration testing: Acts as a frame of reference when conducting red team or purple team exercises and studying or mapping adversarial behaviors.
Forensics and investigations: Aids Incident Response teams in finding missing attacker activity.
Behavioral analytics: Provides contextual, behavioral information that security teams and vendors can use to identify hidden, unrelated anomalies and patterns.
Security maturity and gap assessments: Helps determine what parts of the enterprise lack defenses against adversary behaviors and what parts of the organization need prioritized investments.
Product evaluations: Helps evaluate a security tool’s detection capabilities and breadth of detection coverage.
The standard for technology integrations: Serves as a common standard that helps connect and communicate disparate security tools, leading to an integrated defense approach.
ATT&CK is truly a gold mine of resources when it comes to adversary techniques and MITRE welcomes contributions from the cybersecurity industry to keep the framework updated with the latest TTPs (ATT&CK just announced their latest version, v11, in April 2022).
That said, ATT&CK isn’t perfect. MITRE acknowledges that sometimes biases exist in the minds of security analysts. That’s why in addition to ATT&CK, it is recommended that you leverage other threat intelligence reports as well as tools that allow full visibility into the network and security posture of your organization.
Regardless of where you are in your cybersecurity maturity journey, it is never too late to realign your security, redefine your security processes and rethink your security metrics in terms of the MITRE ATT&CK framework.
![Why you should download Brave Browser NOW! by [Eddie Lance]](https://m.media-amazon.com/images/I/41dDRaRp9EL.jpg)
