InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains.
Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code.
Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information disclosure vulnerabilities via a “non-intrusive” probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.
“The number of secrets exposed via the front end of hosts is alarmingly huge,” said Pinaki Mondal, security researcher at RedHunt Labs, in a blog post.
“Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.”
Millions of secrets
The first of two mammoth scans focused on the one million most heavily trafficked websites. It yielded 395,713 secrets, three quarters of which (77%) were related to Google services reCAPTCHA, Google Cloud, or Google OAuth.
Google’s reCAPTCHA alone accounted for more than half (212,127) of these secrets, and the top five exposed secret types were completed by messaging app LINE and Amazon Web Services (AWS).
Phase two, which involved scanning around 500 million hosts, surfaced 1,280,920 secrets, most commonly pertaining to Stripe, followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.
A majority of exposures across both phases (77%) occurred in frontend JavaScript files.
Most JavaScript was served through content delivery networks (CDNs), with the Squarespace CDN leading the way with over 197,000 exposures.
Mondal blamed the “decades”-old problem of leaked secrets on the “complexities of the software development lifecycle”, adding: “As the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.”
“Non-intrusive” research
The RedHunt Labs research team told The Daily Swig that they are still “continuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home page”.
The researchers said they had encountered no legal problems related to the research so far.
“We received a few abuse reports against the boxes on which the scan was run and we have handled them,” they said.
The “extremely non-intrusive” process involved no “more than a few HTTP requests per domain” and no write actions: “only read requests to HTTP URLs and JavaScript files were sent”.
The captured secrets, meanwhile, are “stored on an encrypted volume with access to very limited folks” and “will be disposed of after a month”, added the researchers.
RedHunt Labs has open-sourced the tool developed for the research and published a demonstration video.
Called HTTPLoot, it can crawl and scrape URLs asynchronously, check for leaked secrets in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.
RedHunt Labs has set out four best practices for preventing and mitigating leaked secrets: setting restrictions on access keys, centrally managing secrets in a restricted environment or config file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage issues.
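As an added example (not HTTPLoot or RedHunt Labs code), the Python below shows the kind of check behind the last recommendation: a regex pass over a bundled JavaScript file that tags each credential-shaped token by provider, separates keys that are public by design (a Stripe publishable key, a reCAPTCHA site key) from ones that never belong in the front end, and redacts values before they are logged. The key formats are the widely published ones; the sample file and every key in it are constructed, and the pattern set is an assumption, not the researchers' signature list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Regexes for the credential types that dominated both scans. They are the
# widely published key formats, not HTTPLoot's own signature list (assumption).
# The second element is a triage label: secret by design, public by design,
# or ambiguous without looking at how the token is used.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "secret"),
    # Secret access keys carry no prefix, so match on the surrounding key name.
    "aws_secret_access_key": (
        re.compile(r"""(?i)secretAccessKey["']?\s*[:=]\s*["']([A-Za-z0-9/+]{40})["']"""),
        "secret",
    ),
    "google_api_key": (re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"), "secret"),
    "stripe_secret_key": (re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "secret"),
    "stripe_publishable_key": (re.compile(r"\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "public"),
    # A reCAPTCHA site key is meant to be embedded in the page; the secret key
    # has the same shape, so the string alone cannot tell which one leaked.
    "recaptcha_key": (re.compile(r"\b6L[0-9A-Za-z_\-]{38}\b"), "needs_context"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    triage: str      # "secret", "public" or "needs_context"
    line: int
    redacted: str    # never log the full value


def redact(value: str) -> str:
    """Keep just enough of the value to recognise it in a report."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_js(source: str) -> list[Finding]:
    """Return every credential-shaped token in a JavaScript file, per line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, (pattern, triage) in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.lastindex else match.group(0)
                findings.append(Finding(kind, triage, lineno, redact(value)))
    return findings


def actionable(findings: list[Finding]) -> list[Finding]:
    """Findings that are secret by design: the ones to rotate and alert on."""
    return [f for f in findings if f.triage == "secret"]


# Constructed sample bundle. The AWS pair is AWS's documented placeholder
# credential; every other value is made up and matches only the key format.
SAMPLE_JS = "\n".join([
    'const stripe = Stripe("pk_live_' + "X" * 24 + '");',
    'const s3 = new AWS.S3({accessKeyId: "AKIAIOSFODNN7EXAMPLE",',
    '  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"});',
    'grecaptcha.execute("6L' + "X" * 38 + '");',
    'const maps = "https://maps.googleapis.com/maps/api/js?key=AIza' + "X" * 35 + '";',
])

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f.line}: {f.kind} [{f.triage}] {f.redacted}")
```

Run against a real bundle, only the `actionable` list needs a rotation ticket; the reCAPTCHA hit needs a human to check whether the 40-character value is the site key or the secret key, and the publishable key needs no action at all.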
Google Project Zero experts disclosed details of a 5-Year-Old Apple Safari flaw actively exploited in the wild.
Researchers from the Google Project Zero team have disclosed details of a vulnerability in Apple Safari that was actively exploited in the wild.
The vulnerability, tracked as CVE-2022-22620, was first fixed in 2013, but the fix was lost again in 2016 when the affected code was refactored, reintroducing the bug.
“Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations.” reads the post published by Google Project Zero. “This blog is the story of a ‘zombie’ Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022.”
Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22620 (CVSS score: 8.8), in the WebKit affecting iOS, iPadOS, macOS, and Safari that may have been actively exploited in the wild.
Apple fixed the zero-day in February; it is a use-after-free issue that can be triggered by processing maliciously crafted web content, leading to arbitrary code execution.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” reads the security advisory published by Apple, which adds that “a use after free issue was addressed with improved memory management.” Google researcher Maddie Stone added: “The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.”
The vulnerability was reported by an anonymous researcher and the company addressed it by improving memory management.
“Whenever I’m doing a root cause analysis on a browser in-the-wild 0-day, along with studying the code, I also usually search through commit history and bug trackers to see if I can find anything related. I do this to try and understand when the bug was introduced, but also to try and save time,” she said.
The researcher noticed that the commits dated October 2016 and December 2016 were very large: the October commit changed 40 files with 900 additions and 1225 deletions, and the December commit changed 95 files with 1336 additions and 1325 deletions.
“Usually when we talk about variants, they exist due to incomplete patches: the vendor doesn’t correctly and completely fix the reported vulnerability. However, for CVE-2022-22620 the vulnerability was correctly and completely fixed in 2013. Its fix was just regressed in 2016 during refactoring. We don’t know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for 5 years: December 2016 until January 2022.” concludes the expert. “There’s no easy answer for what should have been done differently. The developers responding to the initial bug report in 2013 followed a lot of best-practices.”
If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.
Deep Instinct released the third edition of its annual Voice of SecOps Report, focused on the increasing and unsustainable stress levels among 1,000 C-suite and senior cybersecurity professionals across all industries and roles. The research found that 45% of respondents have considered quitting the industry due to stress, with the primary issues being an unrelenting threat from ransomware and the expectations to always be on call or available.
The research reinforced that paying a ransom remains a hotly debated topic. 38% of respondents admitted to paying a ransom, with 46% claiming their data was still exposed by the hackers; and 44% could not restore all their data even after a ransom was paid.
The great cybersecurity resignation
The job of defending against increasingly advanced threats on a daily and hourly basis is causing more problems than ever as 46% of respondents felt their stress had measurably increased over the last 12 months. This was especially the case for those working within critical infrastructure. These increased stress levels have led cybersecurity professionals to consider leaving the industry altogether, joining in the “Great Resignation,” rather than moving to a new cybersecurity role at a new employer.
45% admit to considering quitting the industry on at least one or two occasions
46% know at least one person who left cybersecurity altogether in the past year due to stress
Who’s stressed and why?
Stress is not only felt by SOC teams and others on the cyber frontlines but also among those in the C-Suite who are making the difficult decisions on how to use their available resources more efficiently.
Biggest stress culprit: Ransomware
45% of respondents said that ransomware was the biggest concern of their company’s C-Suite. The survey found that 38% of respondents admitted to paying up in order to receive the encryption key primarily to avoid downtime (61%) or bad publicity (53%). However, paying the ransom did not guarantee a resolution post-attack in many cases.
Of those reporting that a payment was made:
46% claimed to still have their data exposed by the hackers
44% couldn’t restore all their data
Only 16% claimed to have no further issues to date
In response to these issues with ransomware payment, 73% of respondents claimed they would not pay a ransom in the future.
Even among those who said they would still pay a ransom demand in the future, there was widespread doubt that paying would leave them trouble-free.
The fear of paying a ransom in the future included the following:
75% do not expect to have all their data restored
54% fear the criminals will still make the exfiltration of data public knowledge, and
52% fear the attackers will have installed a back door and will return
“Considering that the constant waves of cyber-attacks are likely to become more common and evasive as we move forward, it’s of the utmost importance to ensure that those who dedicate their careers and lives to defending our businesses and country don’t become overly stressed and give up,” said Guy Caspi, CEO of Deep Instinct.
“By adopting and utilizing new defensive techniques, like artificial intelligence and deep learning, we can help the cybersecurity community mitigate one of the most important issues that is often overlooked by many: the people behind the keyboard.”
ALPHV/BlackCat ransomware group began publishing victims’ data on the clear web to increase the pressure on them and force them to pay the ransom.
ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom: the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online makes it indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.
The ALPHV/BlackCat gang has been active since at least December 2021, when malware researchers from Recorded Future and MalwareHunterTeam discovered its operation. ALPHV/BlackCat is the first professional ransomware strain written in the Rust programming language.
BlackCat can target Windows, Linux, and VMware ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.”
Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.
ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.
In the past, many ransomware victims were not concerned about the publication of their data on a leak site in the Tor network, believing that dark nets are not easy for the general public to reach.
The gang now sets up a website on the clear web for each victim and publishes the stolen data there.
It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.
Marion County, right in the middle of the US state of Indiana, and home to the state’s capital Indianapolis, is also currently home to a tragic court case.
(Thanks to fellow writers at The Register for that link; we couldn’t get to the official court site while we were writing this up.)
The short version of events is alleged to be as follows:
Accused decides her partner’s cheating.
Hides an Apple AirTag in the back of his car.
Tells partner she’s getting ready to boot him out.
Partner makes himself scarce.
Texts him to say she knows where he is.
Drives to the pub she thinks he’s in.
Confronts him and attacks the woman he’s with.
Gets thrown out of pub with the other two because of ruckus.
Drives off a short way but sees partner in parking lot.
Drives back and runs him over.
Traps partner under car.
Partner suffocates to death.
In the sombre and tragic words of the charge sheet, the court alleges that the accused “did knowingly kill another human being, […], all of which is contrary to statute and against the peace and dignity of the State of Indiana.”
The charge sheet makes interesting reading, and is a fascinating reminder of how old-school policing, such as promptly interviewing witnesses at the scene and securing relevant property that might be needed in evidence…
…is mixed in with the need for today’s investigators to be familiar with modern technology and with how to involve it right from the start in the evidence they collect.
Experts spotted a new Linux rootkit, dubbed “Syslogk,” that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
Researchers from antivirus firm Avast spotted a new Linux rootkit, dubbed “Syslogk,” that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
The experts reported that the Syslogk rootkit is heavily based on an open-source, well-known kernel rootkit for Linux, dubbed Adore-Ng.
Experts highlighted that the kernel rootkit is hard to detect: it can hide processes, files, and even the kernel module itself. They also pointed out that it allows authenticated user-mode processes to interact with the rootkit in order to control it.
Linux rootkits are malware installed as kernel modules in the operating system. Once installed, they intercept legitimate Linux commands to filter out information that they do not want to be displayed, such as the presence of files, folders, or processes.
“The rootkit has a hide_module function which uses the list_del function of the kernel API to remove the module from the linked list of kernel modules. Next, it also accordingly updates its internal module_hidden flag.” reads the analysis published by Avast.
The researchers also explained that the rootkit’s proc_write function exposes an interface in the /proc file system: writing the value 1 to the file /proc/syslogk un-hides the module, which makes that write usable as an indicator of compromise.
Once the module is visible again, it can be removed from memory with the rmmod Linux command.
Syslogk is also able to hide the malicious payload by taking the following actions:
The hk_proc_readdir function of the rootkit hides directories containing malicious files, effectively hiding them from the operating system.
The malicious processes are hidden via hk_getpr, a mix of Adore-Ng functions for hiding processes.
The malicious payload is hidden from tools like Netstat; when running, it will not appear in the list of services. For this purpose, the rootkit uses the function hk_t4_seq_show.
The malicious payload is not continuously running. The attacker executes it remotely on demand by sending a specially crafted TCP packet (details below) to the infected machine; the rootkit inspects incoming traffic through a netfilter hook it installs.
It is also possible for the attacker to remotely stop the payload. This requires using a hardcoded key in the rootkit and knowledge of some fields of the magic packet used for remotely starting the payload.
Avast researchers observed the Syslogk rootkit loading a Linux backdoor named Rekoobe, which is activated on the compromised system when the rootkit receives a “magic packet” from the operators.
“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server. Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network.” continues the analysis. “Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”
Syslogk listens for specially crafted TCP packets that include special “Reserved” field values, “Source Port” numbering between 63400 and 63411 inclusive, “Destination Port” and “Source Address” matches, and a hardcoded key.
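To make those trigger conditions concrete, here is an added example (not Avast's code) that decodes raw IPv4/TCP packets and flags the two properties a passive sensor can check on its own: a source port in 63400-63411 and non-zero TCP reserved bits. The hardcoded key and the destination-port/source-address match are not reproduced; the packets are constructed, and the reserved-bit layout used here (three bits between the data offset and the flags) is the standard header layout, not the specific value the rootkit expects.

```python
import struct
from ipaddress import ip_address

# Source ports the Avast write-up lists for the magic packet: 63400-63411 inclusive.
MAGIC_SPORTS = range(63400, 63412)


def parse_ipv4_tcp(frame: bytes):
    """Decode the fields we need from a raw IPv4+TCP packet (no link layer).
    Returns a dict, or None if the bytes are not an IPv4/TCP packet."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    tcp = frame[ihl:]
    if ihl < 20 or len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_res_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": str(ip_address(frame[12:16])),
        "dst": str(ip_address(frame[16:20])),
        "sport": sport,
        "dport": dport,
        # Three reserved bits sit between the data offset and the NS flag
        # (RFC 793 / RFC 3168 layout); they are zero in normal traffic.
        "reserved": (off_res_flags >> 9) & 0x7,
    }


def is_magic_packet_candidate(pkt: dict) -> bool:
    """Cheap heuristic: source port in the hardcoded range AND reserved bits set.
    The rootkit also checks a hardcoded key and that destination port and
    source address match what the payload expects; not reproduced here."""
    return pkt["sport"] in MAGIC_SPORTS and pkt["reserved"] != 0


def flag_magic_packets(frames):
    """Return the decoded packets that look like Syslogk triggers."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt and is_magic_packet_candidate(pkt):
            hits.append(pkt)
    return hits


def build_ipv4_tcp(src, dst, sport, dport, reserved=0, flags=0x02):
    """Assemble a minimal IPv4/TCP packet for testing (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    off_res_flags = (5 << 12) | ((reserved & 0x7) << 9) | (flags & 0x1FF)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_res_flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed traffic: two ordinary SMTP connections (one whose ephemeral
# source port happens to land in the range, which alone is not enough), one
# packet that also carries non-zero reserved bits, and one with reserved bits
# but an out-of-range port.
SAMPLE_FRAMES = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 51000, 25),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 63405, 25),
    build_ipv4_tcp("198.51.100.7", "10.0.0.9", 63405, 25, reserved=0x4),
    build_ipv4_tcp("198.51.100.7", "10.0.0.9", 40000, 25, reserved=0x4),
]

if __name__ == "__main__":
    for hit in flag_magic_packets(SAMPLE_FRAMES):
        print(f"possible Syslogk trigger: {hit['src']}:{hit['sport']} -> "
              f"{hit['dst']}:{hit['dport']} reserved={hit['reserved']:#x}")
```

Ports 63400-63411 fall inside the normal ephemeral range, so the port alone would fire constantly; requiring reserved bits, which compliant stacks never set, is what makes the rule quiet enough to alert on.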
Experts believe that the Syslogk rootkit is under development and it will likely implement new features in the next versions.
“One of the architectural advantages of security software is that it usually has components running in different privilege levels; malware running on less-privileged levels cannot easily interfere with processes running on higher privilege levels, thus allowing more straightforward dealing with malware.” concludes the report which also includes indicators of compromise. “On the other hand, kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer. This is why it is essential for system administrators and security companies to be aware of this kind of malware and write protections for their users as soon as possible.”
The OWASP Foundation recognizes this fact via the API Security Top 10 list of vulnerabilities and security risks. When we look at the list, there are six common methods of execution. Three of the issues occur due to weak access control and three to business logic abuse, with the remainder existing due to insufficient traffic management, application vulnerabilities, lack of visibility and lack of operational security readiness.
These issues are unique to APIs and make them particularly challenging to secure, so let’s look at each in detail.
1. Broken object level authorisation (BOLA)
Formerly known as Insecure Direct Object References (IDOR), BOLA lets an attacker perform an unauthorized action by taking a valid, authenticated request and swapping in the identifier of an object that belongs to someone else. This method has been widely used to attack IoT devices, for instance, as it can give the attacker access to other users' accounts, let them change settings and generally wreak havoc, much to the embarrassment of the IoT vendor.
The attack relies on the APIâs resource IDs or objects not having sufficient validation measures in place. In some cases, the data used by the API has no user validation and is accessible to the public, while in other cases error messages return too much information, providing the attacker with more information on how to abuse the API.
Defending against BOLA requires validating the caller's privileges for every object on every function across the API. Authorization rules should be well defined in the API specification, object IDs should be random and unpredictable, and the validation should be tested on a routine basis.
2. Broken user authentication
An attacker can impersonate a genuine user if there are flaws with user authentication. Mechanisms such as log-in, registration, and password reset can be bombarded with automated attacks and, if poorly secured, will allow weak passwords, return error messages to the user with too much information, lack token validation or have weak or non-existent encryption.
Preventing these abuses requires security to be prioritized during development. All the authentication mechanisms mentioned above need to be identified and multi-factor authentication (MFA) needs to be applied. The development team should also look to implement volumetric and account lockout protection mechanisms to prevent brute force attacks.
3. Excessive data exposure
Some published APIs expose more data than is necessary as they rely on the client app rather than back-end systems to filter. Attackers can use this information to carry out enumeration attacks and build up an understanding of what works and what doesn’t, allowing them to create a “cookbook” for stealing data or for orchestrating a large attack at a later stage.
Limiting data exposure requires the business to understand and tailor the API to user needs. The aim is to provide the minimum amount of data needed, so the API needs to be highly selective in the properties it chooses to return. Sensitive or personally identifiable information (PII) should be classified on backend systems and the API should never rely on client-side filtering.
4. Lack of resources and rate limiting
If the API doesnât apply sufficient internal rate limiting on parameters such as response timeouts, memory, payload size, number of processes, records and requests, attackers can send multiple API requests creating a denial of service (DoS) attack. This then overwhelms back-end systems, crashing the application or driving resource costs up.
Prevention requires API resource consumption limits to be set. This means setting thresholds for the number of API calls and client notifications such as resets and lockouts. Server-side, validate the size of the response in terms of the number of records and resource consumption tolerances. Finally, define and enforce the maximum size of data the API will support on all incoming parameters and payloads using metrics such as the length of strings and number of array elements.
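As an added example (not from the OWASP project), the Python below puts those thresholds into code: a per-client token bucket, a payload validator that caps body size, string length, array length and nesting depth before the request reaches business logic, and a clamp on the number of records a call may return. The numeric limits are illustrative assumptions.

```python
import json
from dataclasses import dataclass

# Consumption limits enforced before a request reaches business logic.
# The numbers are illustrative assumptions, not values from the OWASP text.
MAX_BODY_BYTES = 4096
MAX_STRING_LEN = 256
MAX_ARRAY_ITEMS = 100
MAX_NESTING = 8
MAX_PAGE_SIZE = 50


class RequestRejected(Exception):
    """Carries a short reason; the transport layer maps it to 400/413/429."""


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TokenBucket:
    """Per-client token bucket: up to `burst` calls at once, refilled at `rate`
    tokens per second. The clock is passed in so behaviour is deterministic."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._buckets = {}   # client id -> _Bucket

    def allow(self, client: str, now: float) -> bool:
        b = self._buckets.get(client)
        if b is None:
            b = self._buckets[client] = _Bucket(float(self.burst), now)
        b.tokens = min(float(self.burst), b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def validate_payload(raw: bytes):
    """Reject oversized, over-long or over-deep JSON bodies up front."""
    if len(raw) > MAX_BODY_BYTES:
        raise RequestRejected(f"body exceeds {MAX_BODY_BYTES} bytes")
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise RequestRejected("malformed JSON") from exc

    def walk(node, depth: int) -> None:
        if depth > MAX_NESTING:
            raise RequestRejected("nesting too deep")
        if isinstance(node, str):
            if len(node) > MAX_STRING_LEN:
                raise RequestRejected("string too long")
        elif isinstance(node, list):
            if len(node) > MAX_ARRAY_ITEMS:
                raise RequestRejected("too many array elements")
            for item in node:
                walk(item, depth + 1)
        elif isinstance(node, dict):
            for key, value in node.items():
                walk(key, depth + 1)
                walk(value, depth + 1)

    walk(doc, 0)
    return doc


def page_size(requested) -> int:
    """Clamp how many records one call may return; never trust the raw value."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        raise RequestRejected("page size must be an integer") from None
    if n < 1:
        raise RequestRejected("page size must be positive")
    return min(n, MAX_PAGE_SIZE)


def handle(limiter: TokenBucket, client: str, raw_body: bytes, now: float,
           requested_page_size="20") -> dict:
    """Cheapest check first, so abusive traffic is turned away at minimal cost."""
    if not limiter.allow(client, now):
        raise RequestRejected("rate limit exceeded")
    doc = validate_payload(raw_body)
    return {"records": page_size(requested_page_size), "payload": doc}
```

The ordering in `handle` is deliberate: the rate limiter costs a dictionary lookup, the body-size check costs nothing, and only then is the JSON parsed, so a flood of oversized requests never reaches the parser or the database.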
5. Broken function level authorization
Effectively a different spin on BOLA, this sees the attacker able to send requests to functions that they are not permitted to access. It’s effectively an escalation of privilege because access permissions are not enforced or segregated, enabling the attacker to impersonate admin, helpdesk, or a superuser and to carry out commands or access sensitive functions, paving the way for data exfiltration.
Stopping this level-hopping activity requires authentication workflow to be documented and role-based access to be enforced. This requires a strong access control mechanism that flows from “parent to child” and doesn’t permit the reverse.
6. Mass assignment
The attacker discovers modifiable parameters and server-side variables that they then exploit by creating new users with elevated privileges or by modifying existing user profiles. This can be prevented by limiting or avoiding the use of functions that bind inputs to objects or code variables. The API schema should include input data payloads and enforce segregation by whitelisting client-updatable properties and blacklisting those that should be restricted.
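The following added example (not from the OWASP project) shows items 1, 3, 5 and 6 together in a small in-memory "update user" handler. The vulnerable version trusts the object id in the URL, binds every JSON key onto the user record and returns the whole row; the hardened version checks ownership against the authenticated caller, enforces an allow-list of client-updatable properties, keeps role changes behind an admin-only function and serialises only the fields the viewer may see. The users, roles and field names are constructed sample data (sequential ids are used for readability; in a real system the unpredictable-id advice from item 1 still applies).

```python
from __future__ import annotations

from dataclasses import dataclass


class Forbidden(Exception):
    """Maps to HTTP 403; the message names which check failed."""


@dataclass
class User:
    id: int
    email: str
    role: str            # "user" or "admin"
    password_hash: str   # must never leave the server
    display_name: str


def make_users() -> dict[int, User]:
    """A fresh in-memory user table (constructed sample data)."""
    return {
        1: User(1, "alice@example.com", "user", "$argon2id$...alice", "Alice"),
        2: User(2, "bob@example.com", "user", "$argon2id$...bob", "Bob"),
        3: User(3, "root@example.com", "admin", "$argon2id$...root", "Admin"),
    }


# --- Vulnerable handler: PUT /users/{id} the way many frameworks let you write it ---
def update_user_vulnerable(users: dict[int, User], target_id: int, payload: dict) -> dict:
    user = users[target_id]                 # BOLA: any caller, any id
    for key, value in payload.items():      # mass assignment: binds every key,
        setattr(user, key, value)           # including role and password_hash
    return vars(user)                       # excessive data exposure: whole row


# --- Hardened handler ---
CLIENT_UPDATABLE = frozenset({"display_name", "email"})   # allow-list of properties
PUBLIC_FIELDS = ("id", "display_name")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "role")


def serialize(user: User, viewer: User) -> dict:
    """Return only the fields this viewer is entitled to see."""
    fields = OWNER_FIELDS if viewer.id == user.id or viewer.role == "admin" else PUBLIC_FIELDS
    return {name: getattr(user, name) for name in fields}


def _authorize_object(caller: User, target: User) -> None:
    # Object-level: the authenticated identity, not the URL, decides ownership.
    if caller.id != target.id and caller.role != "admin":
        raise Forbidden("object-level authorization failed")


def update_user(users: dict[int, User], caller: User, target_id: int, payload: dict) -> dict:
    target = users[target_id]
    _authorize_object(caller, target)
    unknown = set(payload) - CLIENT_UPDATABLE
    if unknown:
        raise Forbidden(f"client may not set {sorted(unknown)}")
    for key, value in payload.items():
        setattr(target, key, value)
    return serialize(target, caller)


def view_user(users: dict[int, User], caller: User, target_id: int) -> dict:
    return serialize(users[target_id], caller)


def set_role(users: dict[int, User], caller: User, target_id: int, role: str) -> dict:
    """Function-level authorization: an admin-only operation, decided by the
    caller's role rather than by which URL the request arrived on."""
    if caller.role != "admin":
        raise Forbidden("function-level authorization failed")
    if role not in ("user", "admin"):
        raise ValueError("unknown role")
    users[target_id].role = role
    return serialize(users[target_id], caller)
```

Note that the allow-list is the only place the client's field names are trusted; anything the schema does not declare client-updatable is rejected outright rather than silently dropped, which also makes probing for hidden properties visible in the logs.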
7. Misconfiguration
Incomplete, ad-hoc or insecure default configurations, misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS), and verbose error messages containing sensitive information are, unfortunately, all too common in APIs. They’re usually the result of human error, due to a lack of application hardening, poor patching practices or improper encryption and, when discovered by an attacker, can be exploited, leading to fraud and data loss.
Configuration is all about putting in place the right steps during the API lifecycle, so it is advised to implement a repeatable hardening process, a configuration review and update process, and regular assessments of the effectiveness of the settings. Defining and enforcing responses (including those for errors) can also stop information getting back to the attacker. CORS policies should also be put in place to protect browser-based deployments.
8. Injection
A staple of the OWASP Web Application top 10 list, injection attacks see the untrusted injection of code into API requests to execute commands or to gain unauthorized access to data. These attacks can happen when the database or application lacks filtering or validation of client or machine data, allowing the attacker to steal data or inject malware by sending queries and commands direct to the database or application.
The mitigation of injection attacks requires separation between data/commands and queries. Data types and parameter patterns should be identified, and the number of records returned should be limited. All the data from clients and external integrated systems should be validated, tested, and filtered.
9. Improper asset management
Poorly secured APIs such as shadow, deprecated, or end-of-life APIs are highly susceptible to attack. Other threat vectors include pre-production APIs that have been inadvertently exposed to the public, or a lack of API documentation that leaves a flaw exposed, such as in authentication, error handling, redirects or rate limiting.
Here itâs critical to look at the API publication process by replacing or updating risk analyses as new APIs are released. Continuous monitoring of the entire API environment, from dev to test, stage and production, including services and data flow is also advised. Adopting an OpenAPI specification can help simplify the process.
10. Insufficient logging and monitoring
Attackers can evade detection entirely if API activity isnât logged and monitored. Examples of insufficient logging and monitoring include misconfigured API logging levels, messages lacking detail, log integrity not being guaranteed, and APIs being published outside of existing logging and monitoring infrastructure.
Logging and monitoring need to capture enough detail to uncover malicious activity, so it should report on failed authentication attempts, denied access, and input validation errors. A log format should be used that is compatible with standard security tools and API log data should be treated as sensitive whether in transit or at rest.
Unique challenges
All ten attack methods reveal how difficult it can be to secure APIs, which are continuously being spun-up, updated or replaced, sometimes daily. In fact, they’re so numerous that their security can only be enforced using automation. Consequently, many organizations have tried to use rules-based security solutions and code-scanning tools, although these are not equipped to spot the types of abuses identified in the OWASP list. Web application firewalls (WAFs), for instance, offer limited protection because they look for known threats, while an API gateway can create more problems by acting as a single point of failure.
It’s for these reasons that Gartner recently created a distinct API security category, separate from these other tools, in acknowledgement of the fact that APIs have their own set of problems (that are also often unique to the business itself).
In the “Advance your Platform-as-a-Service Security” report, analyst Richard Bartley reveals API security tooling for API discovery and protection should be regarded as having equal importance to and sit between internet edge security (i.e., WAF) and the data plane security layers (i.e., the Cloud Workload Protection Platform or CWPP). This new breed of API security is therefore cloud-native and behavior-based, allowing it to spot and respond to API-specific anomalous activity.
These new tools specifically focus on the prevention of automated attacks against public-facing applications and the persistence of API coding errors. They use machine learning to analyze APIs and web applications coupled with behavioral analysis to determine whether the intent behind API interaction is malicious or benign. They can also act by blocking, rate limiting, geo-fencing and even deceiving attackers, thereby buying time to respond. Such capabilities mean that API-specific security solutions can be applied to aid the developer and to monitor the security of the API throughout its entire lifecycle, thereby preventing the automated attacks and vulnerability exploits identified in the OWASP API Security Top 10.
With APIs continuing to outstrip web apps in the rollout of new services, we must attend to how these are secured or risk building these services on shaky foundations. The hope is that with the OWASP Project highlighting how APIs can be exploited and Gartner creating a distinct new category, the tech sector will finally realize that API security is an anomaly that merits its own solution.
Researchers uncovered a high stealth Linux malware, dubbed Symbiote, that could be used to backdoor infected systems.
Joint research conducted by security firms Intezer and BlackBerry uncovered a new Linux threat dubbed Symbiote.
The name comes from the biological concept of a symbiote, an organism that lives in symbiosis with another organism, exactly as this implant does with the processes it infects. Security researchers describe the threat as nearly impossible to detect.
Unlike other Linux threats, Symbiote needs to infect other running processes to inflict damage on the compromised machines. It is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and like a parasite infects the machine. Once the malware has infected all the running processes, it provides the threat actor with rootkit capability and supports data-stealing capabilities.
The malware was first spotted in November 2021, and experts believe it was designed to target the financial sector in Latin America, including Banco do Brasil and Caixa.
“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the files, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.” reads the report published by Blackberry. “Since it is extremely evasive, a Symbiote infection is likely to ‘fly under the radar.’ In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.”
One interesting technical feature implemented by Symbiote is its Berkeley Packet Filter (BPF) hooking functionality; it is the first Linux malware seen using this technique to hide malicious network traffic.
“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.” continues the report.
Symbiote is loaded by the linker via the LD_PRELOAD directive before any other shared objects, allowing it to “hijack the imports” from the other library files loaded for the application.
Symbiote hides its presence by hooking libc and libpcap functions.
“Symbiote is a malware that is highly evasive. Its main objective is to capture credentials and to facilitate backdoor access to infected machines. Since the malware operates as a userland level rootkit, detecting an infection may be difficult.” concludes the report. “Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus and endpoint detection and response (EDR) should be statically linked to ensure they are not ‘infected’ by userland rootkits.”
Experts also shared indicators of compromise (IoCs) for this threat.
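The hiding technique described above (a preloaded library filtering what libc's readdir() returns) can be checked for by comparing the kernel's own directory listing with libc's. The following C program is an added example, not code from the BlackBerry report or from this page: it fetches a directory with the raw getdents64 syscall, fetches it again through readdir(), and reports every name the kernel returns that libc does not. It assumes Linux with glibc; the struct name raw_dirent64 and all function names are this example's own. Build it with -static, as the report recommends for security tooling, so the check itself cannot be preloaded.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* getdents64 record layout; glibc does not export it, so it is declared here */
struct raw_dirent64 {
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type;
    char d_name[];
};

#define MAX_ENTRIES 8192 /* longer listings are truncated identically in both views */
#define NAME_LEN 256
typedef char name_t[NAME_LEN];
static void keep(name_t *names, int *n, int max, const char *name)
{
    if (*n < max) {
        strncpy(names[*n], name, NAME_LEN - 1);
        names[*n][NAME_LEN - 1] = '\0';
        (*n)++;
    }
}

/* Kernel view: call getdents64 directly rather than readdir(), which a preloaded
 * library can replace. open() and syscall() are still libc wrappers, so build
 * this program with -static to keep it out of a userland rootkit's reach. */
static int list_via_syscall(const char *path, name_t *names, int max)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768] __attribute__((aligned(8)));
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break; /* 0 = end of directory, <0 = error */
        for (long pos = 0; pos < nread;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + pos);
            if (d->d_reclen == 0) break; /* never spin on a malformed record */
            keep(names, &n, max, d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* libc view: the path ls, ps and find take, and the one a userland rootkit hooks */
static int list_via_libc(const char *path, name_t *names, int max)
{
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(dir)) != NULL;)
        keep(names, &n, max, e->d_name);
    closedir(dir);
    return n;
}

/* Number of names the kernel reports but libc does not (each one is printed):
 * 0 on a clean host, -1 if the directory cannot be read. */
int count_hidden_entries(const char *path)
{
    name_t *raw = calloc(MAX_ENTRIES, sizeof(name_t));
    name_t *lib = calloc(MAX_ENTRIES, sizeof(name_t));
    int hidden = -1;
    if (raw && lib) {
        int nraw = list_via_syscall(path, raw, MAX_ENTRIES);
        int nlib = list_via_libc(path, lib, MAX_ENTRIES);
        if (nraw >= 0 && nlib >= 0) {
            hidden = 0;
            for (int i = 0; i < nraw; i++) {
                int seen = 0;
                for (int j = 0; j < nlib && !seen; j++)
                    seen = strcmp(raw[i], lib[j]) == 0;
                if (!seen) {
                    hidden++;
                    fprintf(stderr, "hidden from libc: %s/%s\n", path, raw[i]);
                }
            }
        }
    }
    free(raw);
    free(lib);
    return hidden;
}

/* Stand-alone use: /proc by default, so hidden processes show up as hidden PIDs */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc";
    int hidden = count_hidden_entries(path);
    if (hidden < 0) { perror(path); return 2; }
    printf("%s: %d entries visible to the kernel but not to libc\n", path, hidden);
    return hidden ? 1 : 0;
}
```

A nonzero result is a lead, not proof: a file created or removed between the two listings also shows up, so re-run before acting on it.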
China-linked threat actors have breached telecommunications companies and network service providers to spy on the traffic and steal data.
US NSA, CISA, and the FBI published a joint cybersecurity advisory to warn that China-linked threat actors have breached telecommunications companies and network service providers.
The nation-state actors exploit publicly known vulnerabilities to compromise the target infrastructure.
The attackers also targeted Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices to use them as additional access points to route command and control (C2) traffic and midpoints to carry out attacks on other entities.
Below are the top network device CVEs exploited by PRC nation-state actors since 2020:
Chinese hackers employed open-source tools for reconnaissance and vulnerability scanning. According to the government experts, they have utilized open-source router-specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify vulnerable devices to target.
The RouterSploit Framework allows operators to scan for vulnerable embedded devices, while RouterScan allows for the scanning of IP addresses for vulnerabilities. Both tools could be used to target SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.
“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed passwords for user and administrative accounts,” reads the advisory published by the US agencies. “Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119].”
The agencies also provide a list of recommendations to mitigate and detect these attacks:
Keep systems and products updated and patched as soon as possible after patches are released [D3-SU]. Consider leveraging a centralized patch management system to automate and expedite the process.
Immediately remove or isolate suspected compromised devices from the network [D3-ITF] [D3-OTF].
Segment networks to limit or block lateral movement [D3-NI].
Disable unused or unnecessary network services, ports, protocols, and devices [D3-ACH] [D3-ITF] [D3-OTF].
Enforce multifactor authentication (MFA) for all users, without exception [D3-MFA].
Enforce MFA on all VPN connections [D3-MFA]. If MFA is unavailable, enforce password complexity requirements [D3-SPP].
Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [D3-SPP].
Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures.
Disable external management capabilities and set up an out-of-band management network [D3-NI].
Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [D3-NI].
Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [D3-NTA] [D3-PM].
Ensure that you have dedicated management systems [D3-PH] and accounts for system administrators. Protect these accounts with strict network policies [D3-UAP].
Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [D3-PM].
Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.
Mandiant: “No evidence” we were hacked by LockBit ransomware
American cybersecurity firm Mandiant is investigating LockBit ransomware gang’s claims that they hacked the company’s network and stole data.
The ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files they allegedly stole from Mandiant will be leaked online.
“All available data will be published!” the gang’s dark web leak site threatens under a timer showing just under three hours left until the countdown ends.
LockBit has yet to reveal what files it claims to have stolen from Mandiant’s systems since the file listing on the leak page is empty.
However, the page displays a 0-byte file named ‘mandiantyellowpress.com.7z’ that appears to be related to a mandiantyellowpress.com domain (registered today). Visiting this page redirects to the ninjaflex.com site.
When BleepingComputer reached out for more details on LockBit’s claims, the threat intel firm said it hadn’t yet found evidence of a breach.
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops,” Mark Karayan, Mandiant’s Senior Manager for Marketing Communications, told BleepingComputer.
Mandiant says it's looking into LockBit ransomware gang's claims:
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.”
These claims come after Mandiant revealed in a report published last week that the Russian Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade U.S. sanctions.
Mandiant announced in March that it entered into a definitive agreement to be acquired by Google in an all-cash transaction valued at roughly $5.4 billion.
The LockBit ransomware gang has been active since September 2019 as a ransomware-as-a-service (RaaS) and relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware actors were banned from posting on cybercrime forums [1, 2].
Accenture, a Fortune 500 company and one of LockBit’s victims, confirmed to BleepingComputer in August 2021 that it was breached after the gang asked for a $50 million ransom not to leak data stolen from its network.
During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.
An OS Command Injection was detected, which NIST has rated as Critical with a score of 9.8. This vulnerability stems from a failure to check the parameters sent as input to the system before they are processed by the server.
Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.
RESI S.p.A. has for over thirty years been a technological partner of the largest Italian organizations, such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM and Italtel. RESI S.p.A. is also one of the few Italian companies that creates national technology.
Please note that patches for these specific vulnerabilities have been released by Resi.
What GEMINI-NET from Resi is
GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.
It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.
According to the institutional website https://www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.
Below are the details that have been published on the institutional website and NIST ratings.
CVE-2022-29539 - RESI S.p.A
Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection, CWE-78)
Software Version: 4.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29539
CVSSv3: 9.8
Severity: Critical
RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.
This is one of the few Italian centers of industrial research on security bugs, where for a few years “bug hunting” activities have been carried out that aim to find undocumented vulnerabilities, leading to the subsequent issuance of a Common Vulnerabilities and Exposures (CVE) entry on the National Vulnerability Database of the United States of America once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is complete.
In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.
In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.
Regarding a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services product, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin whose Background section lists the following: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.
It is an all-Italian operation that issues a CVE every 6 working days, contributing internationally to the search for undocumented vulnerabilities and to the security of products used by many organizations and individuals.
We all know that cyberthreats have become more frequent, stealthier and more sophisticated. What’s more, the traditional, reactive approach to detecting threats by hunting indicators of compromise (IoCs) using markers like IP addresses, domains and file hashes is quickly becoming outdated: threats are only detected once a compromise is achieved, and attackers are readily able to alter these markers to evade detection.
To overcome this issue, the cybersecurity community came up with the concept of anomaly-based detection, a technique that leverages statistical analysis, big data and machine learning to detect atypical events. However, this approach often results in a high rate of false positives. What is considered normal versus what is anomalous is not always precise. To identify malicious trends and patterns, vast amounts of data must be captured from sources across the entire computing environment, requiring large-scale investments in data collection and processing.
TTPs: Behavior-Based Detection
The concept of TTPs (tactics, techniques and procedures) was popularized by David Bianco’s The Pyramid of Pain. Bianco stressed that threat hunters must move away from static IoCs like domains and IPs, as those are difficult to keep up with. For example, attackers can easily use a domain generation algorithm (DGA) to generate fake domain names and IP addresses to evade detection. Additionally, the cybersecurity industry also must shift from signature-based malware detection, as today’s malware is polymorphic, meaning the same malware presents a different signature with each infection. Therefore, the focus should be on the TTPs of attackers, because these are difficult to change quickly.
What is the MITRE ATT&CK Framework?
Researchers at MITRE Corporation and security vendors noted that, unlike IoCs, adversary techniques do not change frequently because of the limitations of targeted technologies (e.g., Windows, macOS, mobile devices), and are common across multiple adversaries. That’s why in 2013, they created the MITRE ATT&CK framework. ATT&CK stands for adversarial tactics, techniques and common knowledge: one of the industry’s most curated and globally-accessible knowledge bases of common adversary behavior. The sole aim of the project is to map typical adversary TTPs so that there is a common language for both red and blue teams while proactively hunting for cybersecurity threats.
The framework consists of 14 different tactics along with several techniques attackers use to achieve those tactics. A tactic refers to a general goal the adversary is trying to establish while the technique refers to the means the adversary will adopt to accomplish the tactic. Tactics explain the “why” while techniques explain the “how.” Each technique is further divided into sub-techniques that explain in greater detail how an adversary executes a specific technique.
Tactics listed in the ATT&CK matrix are presented in a linear format, starting from the time an adversary conducts reconnaissance to the point when they achieve their final goal: exfiltration or impact. ATT&CK not only provides appropriate categorization for adversary actions but also details recommendations on how organizations can defend against them.
Why is ATT&CK Important?
The MITRE ATT&CK framework can be used worldwide across multiple security disciplines such as intrusion detection, threat hunting and intelligence, security engineering and risk management. Some key benefits or use cases for the ATT&CK framework can include:
Attacker emulation: Simulates attack scenarios to test security solutions and verify defense capabilities.
Penetration testing: Acts as a frame of reference when conducting red team or purple team exercises and studying or mapping adversarial behaviors.
Forensics and investigations: Aids Incident Response teams in finding missing attacker activity.
Behavioral analytics: Provides contextual, behavioral information that security teams and vendors can use to identify hidden, unrelated anomalies and patterns.
Security maturity and gap assessments: Helps determine what parts of the enterprise lack defenses against adversary behaviors and what parts of the organization need prioritized investments.
Product evaluations: Helps evaluate a security tool’s detection capabilities and breadth of detection coverage.
The standard for technology integrations: Serves as a common standard that helps connect and communicate disparate security tools, leading to an integrated defense approach.
ATT&CK is truly a gold mine of resources when it comes to adversary techniques and MITRE welcomes contributions from the cybersecurity industry to keep the framework updated with the latest TTPs (ATT&CK just announced their latest version, v11, in April 2022).
That said, ATT&CK isn’t perfect. MITRE acknowledges that sometimes biases exist in the minds of security analysts. That’s why, in addition to ATT&CK, it is recommended that you leverage other threat intelligence reports as well as tools that allow full visibility into the network and security posture of your organization.
Regardless of where you are in your cybersecurity maturity journey, it is never too late to realign your security, redefine your security processes and rethink your security metrics in terms of the MITRE ATT&CK framework.
Cybersecurity is required to be a dynamic industry because cybercriminals don’t take days off. Cybersecurity professionals must be innovative, creative, and attentive to keep gaining the upper hand on cybercriminals. Unfortunately, there are millions of unfilled cybersecurity job openings around the globe.
The gender divide
The problem of not enough cybersecurity professionals is exacerbated by a lack of diversity in the sector. There is a disproportionately low ratio of women to men within the entire technology industry. In the science, technology, engineering and math (STEM) industries, women make up only 24% of the workforce, and while this has increased from just 11% in 2017, there is clearly still a sizeable disparity.
The cybersecurity industry is performing only marginally better than STEM, with women making up roughly 24% of cybersecurity jobs globally, according to (ISC)².
There is also a parallel trend here: women hold superior cybersecurity qualifications to their male counterparts. Over half of women (52%) have postgraduate degrees, compared to just 44% of men. More importantly, 28% of women have cybersecurity-related qualifications, while only 20% of men do. This raises one important point, which is that women feel they must be more qualified than men to compete for and hold the same cybersecurity roles. The industry is, therefore, losing a significant pool of talent because of this perception. Untapped talent means less innovation and dynamism in the products and services businesses offer.
Unfortunately, the challenges for women do not appear to stop once they enter the cybersecurity workforce. Pay disparity continues to blight the industry. Women reported being on smaller salaries at a higher proportion than men. 17% of women reported earning between $50,000 and $99,000 compared to 29% of men. However, there are signs that this disparity in pay is closing. For those in cybersecurity who earned over $100,000, the difference in percentage between men and women was much closer. This is encouraging and shows that once women are in the industry, they can enjoy as much success as men.
Nevertheless, reaching these higher levels of the cybersecurity industry is far from straightforward for women at present. It is an unavoidable fact that women still struggle to progress as easily as their male counterparts. A key reason for this is cultural: women are disinclined to shout about their achievements, and as a result they regularly go unnoticed when promotions and other opportunities come round.
The cybersecurity industry is starting to embrace diversity in the workforce, but there is a long way to go before women are as valued in cybersecurity as men. With the current skills deficit hampering the growth of cybersecurity providers, this is a perfect opportunity for the industry and individual providers to break the bias and turn to women to speed up innovation and improve defense against cybercriminals.
Welcome to our May 2022 review of data breaches and cyber attacks. We identified 77 security incidents during the month, resulting in 49,782,129 compromised records.
You can find the full list below, with incidents affecting UK organisations listed in bold.
“Wise is not the one who knows all the answers but the one who knows what questions to ask”
More than an article, this is a conversation starter for the CISO and his/her team: what are your answers to this list of essential questions that any information security department must deal with?
Obviously there are many other questions; these are just the foundation for a security program.
These questions are ordered: it will be hard to answer the last ones without having answers for the first ones.
For your organization:
Who are the clients of the information security team?
What are the drivers for security? This will include Business, Technical and Compliance aspects.
What are the business significant security objectives? Have these been agreed with the clients of the information security team?
How do you model your organization and the systems it relies on?
What are the third parties you exchange information with?
What is the list of assets that need to be protected? Who owns them? Who controls them?
What are the threats or risks?
What is the list of security controls or processes you have in place? What are the success criteria for each? How frequently do you check that they are not just effective but successful?
What is the list of non-compliances that need to be remediated?
What is your level of compliance?
What is the list of vulnerabilities that need to be remediated?
What is your level of security (or risk)?
How do you maintain your knowledge base?
What is your level of security maturity? This measures not your security but your ability to maintain and improve your security.
How do you report the activity of the information security team?
How do you report the value of security to your clients?
How do you prove to third parties your level of security?
What do you plan to do to improve the level of security (or decrease risk)?
How easy or difficult was it for you and your team to formulate an answer?
If you find these questions too easy, either you are a truly great CISO (please share your answers) or you suffer a severe case of Dunning-Kruger. I will leave it to those readers to find out which.
Researchers uncovered 3.6M accessible MySQL servers worldwide that represent a potential attack surface for their owners.
Researchers from Shadow Server scanned the internet for publicly accessible MySQL server instances on port 3306/TCP and uncovered 3.6M installs worldwide responding to their queries.
These publicly accessible MySQL server instances represent a potential attack surface for their owners.
“These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single Autonomous System),” states the report published by the researchers.
Most of the accessible IPv4 MySQL servers are in the United States (740.1K), China (296.3K), Poland (207.8K) and Germany (174.9K).
Accessible IPv4 MySQL servers
Most of the accessible IPv6 MySQL servers are in the United States (460.8K), Netherlands (296.3K), Singapore (218.2K) and Germany (173.7K).
“It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive a report on your network/constituency take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server,” concludes the report.
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced the formation of a joint ransomware task force, plans for which were originally outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Easterly announced the news at an Institute for Security and Technology (IST) event on May 20 in Washington, D.C., and also said the task force would have its first official meeting within the next few months.
“We’re very excited about it,” Easterly said during an event interview. “We think that this will actually build really nicely on the infrastructure and the scaffolding that we’ve developed with the [Joint Cyber Defense Collaborative] to use what we have as part of the federal cyber ecosystem and the companies that are part of the JCDC alliance to plug into the hub as envisioned in the Ransomware Task Force Report.”
She added that the FBI will co-chair the task force, which means the operational leads will be Eric Goldstein, CISA’s head of cyber, and Bryan Vorndran, the assistant director of the FBI’s Cyber Division.
CIRCIA’s Reporting Requirements
Passed as part of the omnibus spending bill in March, CIRCIA focuses on critical infrastructure companies, ranging from financial services firms to energy companies, or other entities where a cybersecurity event would impact economic security or public health and safety.
CIRCIA would require these entities to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.
The Institute for Security and Technology issued a report last year that included a framework to combat the rising threat of ransomware.
Former State Department cybersecurity coordinator Chris Painter, also a co-chair of the ransomware task force working groups, explained during the IST event that combating ransomware threats requires a high degree of coordination and cooperation between government agencies.
“Establishing the new task force signals that this issue continues to be a priority and is a recognition that combating ransomware will take a sustained, long-term effort,” he said. “It should work to leverage federal and private sector capability to disrupt the major ransomware actors in any way possible.”
Easterly said the focus would be on operationalizing progress in an agile way and disrupting these bad actors, with CISA on the resilience/defense side.
“We want to work with all of our partners across the federal cyber ecosystem and the industry to actually be able to go after these actors in a very agile way at scale,” she said.
She said the days of holding threat report briefings on a quarterly basis are long over; it is no longer a realistic way of protecting critical infrastructure threats.
“We all have to be in the room all the time, sharing information constantly so that we can create that picture together, because it’s very likely that industry is going to see a cyberattack on the homeland before we see it,” Easterly said. “So, we have to be in the same room; we have to trust each other.”
Beyond Ransomware
The event also featured a keynote address from Deputy Attorney General Lisa Monaco, who announced twin initiatives from the Department of Justice.
The first is aimed at tackling illegal cryptocurrency transactions, while the second concerns the establishment of a cybersecurity operations international liaison position to speed up international operations aimed at disrupting the activities of cybersecurity threat actors globally.
“We’ve got to evolve to keep pace with the threat and the nation-states and criminal actors driving it,” Monaco said.
Matthew Warner, CTO and co-Founder at Blumira, a provider of automated threat detection and response technology, said as attacks against businesses and infrastructure have continued to grow, so has the impact of these attacks.
“Ransomware is a systemic risk to all computing at this point, which requires a unique response from governments,” he said. “To do this, however, requires a task force that can respond in a way that we have not seen before in cybersecurity.”
He explained that if governments wanted to defend their and their allies’ infrastructures, commercial or not, then reducing ransomware across the globe is paramount.
Alex Ondrick, director of security operations at BreachQuest, an incident response specialist, noted that information-sharing and trust-building between government and private business is long overdue by at least a decade, but that initiatives such as JRTF could improve upon a growing private-public partnership.
“Governments have come to increasingly rely on the private sector, yet governments are only just beginning to reciprocate information-sharing,” he said. “Given new legislation and interest, CISA’s JRTF has an opportunity to increase the lines of communication and improve information-sharing.”
Ondrick added that an increasingly decentralized ransomware threat landscape has created an opportunity for more ransomware-as-a-service (RaaS) attackers and more ransomware attacks overall.
“Ransomware has become a key fixture of cybercrime as we move towards a post-COVID-19 world, and ransomware, as related to critical infrastructure, continues to evolve,” he said. “Preventing a ransomware attack against critical infrastructure is of the utmost seriousness and urgency.”
Regarding the DoJ’s initiative tackling illegal cryptocurrency transfers, Warner pointed out that the nature of blockchain, and therefore cryptocurrencies, means every transaction is available for the world to see.
“While attackers will try to move this money around through tumblers, in the end, it must end up somewhere to convert to usable currency,” he said. “Government and NGO initiatives have the opportunity to track cryptocurrency use and look for clusters of ransomware payments being funneled through the blockchain.”
If the target wallets and/or transfers in and out of these potential ransomware wallets can be identified, then governments can disrupt the actors by seizing cryptocurrency from them; this was the case when the U.S. seized $30 million in cryptocurrency from the NetWalker ransomware group in early 2021.
âRansomware will only continue to grow, as will new attacks leveraged by ransomware, which means that not only the government but also all private entities must level up quickly to defend properly,â Warner said.