InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Gimmick is a newly discovered macOS implant developed by the China-linked APT Storm Cloud and used to target organizations across Asia.
In late 2021, Volexity researchers investigated an intrusion in an environment they were monitoring and discovered a MacBook Pro running macOS 11.6 (Big Sur) that was compromised with a previously unknown macOS malware tracked as GIMMICK. The researchers explained that they have discovered Windows versions of the same implant during the past investigations.
The experts attribute the intrusion to a China-linked APT group tracked as Storm Cloud, which is known to target organizations across Asia.
The macOS version of the implant is written primarily in Objective C, while the Windows ones are in both .NET and Delphi. The implant uses public cloud hosting services (such as Google Drive) for C2 to evade detection.
Volexity worked with Apple to implement protections for the GIMMICK implant, on March 17, 2022, Apple pushed new signatures to XProtect and MRT to remove the malware.
GIMMICK should be launched directly by a user, rather than a daemon, then it installs itself as a launch agent by dropping a PLIST file with contents.
“On macOS, GIMMICK was found to support being launched as a daemon on the system or by a user. Should GIMMICK be launched directly by a user, rather than a daemon, it will install itself as a launch agent by dropping a PLIST file with contents, similar to that shown below, to /Users/<username>/Library/LaunchAgents.” reads the analysis published by Volexity. “The name of the binary, PLIST, and agent will vary per sample. In the case observed by Volexity, the implant was customized to imitate an application commonly launched by the targeted user.”
During the initialization, the implant analyzed by the experts decodes several pieces of data used by the implant for its operation using a rotating addition algorithm.
The implant also supports an uninstall function accessible by adding the argument “uninstall” on the command line. The command instructs the malicious code on removing itself and all associated files, and then kills the process.
“Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets.” concludes the analysis published by the experts. “The work involved in porting this malware and adapting its systems to a new operating system (macOS) is no light undertaking and suggests the threat actor behind it is well resourced, adept, and versatile.”
“Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” he noted, and advised those that have not yet done it to harden their cyber defenses by implementing security best practices delineated earlier this year.
“[This warning is] based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” he added.
US Deputy National Security Advisor Anne Neuberger has followed up the warning with a press briefing, during which she stated that “there is no certainty there will be a cyber incident on critical infrastructure,” but that owners and operators of critical infrastructre have the ability and the responsibility to harden the systems and networks the country relies on.
She shared that last week, federal agencies hosted classified briefings with several hundred companies in sectors they felt would be most affected, and “provided very practical, focused advice.”
Previously, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help critical infrastructure owners and operators identify and mitigate the risks of influence operations that use mis-, dis-, and malinformation (MDM) narratives.
Neuberger also said that US agencies have not yet attributed the recent attack on satellite communications company Viasat. Nevertheless, the attack has been followed by a CISA alert advising SATCOM network providers or customers on how to upgrade their defenses.
You might have heard that the iPhone is almost completely impossible to hack or that Samsung devices have some of the best firewalls in the world built right into the device. While these statements are true, they do not mean that your personal information is automatically safe.
In fact, there are a handful of ways hackers can get into your mobile device. That being said, there are several steps you can take to fight back against it. So, let’s take a look and explore those in a bit more depth today.
The Lapsus$ extortion group claims to have stolen sensitive data from the identity and access management giant Okta solutions.
The gang announced the alleged hack through its Telegram channel and shared a series of screenshots as proof of the hack. Some of the images published by the threat actors appear to be related to the company’s customer data.
The message published by the group claims that the gang had Superuser and Admin access to multiple systems of the company.
The company is investigating claims of a data breach which, if confirmed, could pose serious risks to the customers of the company.
“Okta is aware of the reports and is currently investigating,” states a spokesperson for the company. “We will provide updates as more information becomes available.”
Todd McKinnon, CEO at Okta, confirmed that in late January 2022, the company detected an attempt to compromise the account of a third party customer support engineer working for one of its subprocessors.
We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)
By now, we are all familiar with the fact that Log4Shell is just about as critical as a critical vulnerability can get – scoring a 10 out of 10 on the National Institute of Standards and Technology’s CVSS severity scale.
As it targets a library – Apache Log4j2 – that nearly every Java application uses to log requests, this vulnerability is ubiquitous. Many applications use Log4j2 without even realizing it, meaning that even those with no apparent dependency on Log4j2 can still be at risk.
With its massive impact across nearly every industry, Log4Shell has taken its place in the cybersecurity hall of fame – among the likes of HeartBleed, WannaCry and ShellShock.
Difficult to locate but easy to exploit, remediating this vulnerability would prove incredibly complex, with several detection methods required. In fact, three months into Log4Shell, the Qualys Cloud Platform suggests that 30% of the Log4j instances still remain unpatched.
Qualys research team reveals the current state of Log4Shell
When it came to tracking the impact of Log4Shell, Qualys occupies a unique vantage point. The Qualys Cloud Platform indexes more than 10 trillion data points across its installed enterprise customer base and completed 6 billion IP scans per year with 75 million cloud agents deployed in hybrid IT environments globally. With that kind of scale, the Qualys Research Team was able to uncover unique insights into how global enterprises have and are managing Log4Shell:
Log4Shell exposure
Qualys Cloud Platform scanned more than 150 million IT assets, across all geographies, flagging 22 million vulnerable app installations. Of these, more than 80% were open source applications.
Log4Shell was detected in more than 3 million vulnerable instances.
More than two months later, 30% of Log4j instances remain unpatched.
Log4Shell threat landscape
Nearly 68,000 vulnerabilities were found in cloud workloads and containers across the U.S. and EMEA, reinforcing the recommendation that enterprises need to monitor running containers for flaws like Log4Shell.
CISA and NCSC reported 1,495 products vulnerable to Log4Shell, and of those we observed 1,065 products across 52 publishers currently in use. This indexing proved very valuable to Qualys customers as this SBOM mapping is provided out of the box, providing immediate insights into their vulnerable software inventory.
Surprisingly, more than 50% of application installations with Log4j were flagged as “end-of-support.” This means that these publishers will likely NOT be providing Log4Shell security patches for these apps.
The vulnerability was detected in more than 2,800 web applications. Since web apps are publicly facing, this was the first line of defense for many enterprises looking to fend off early attacks. In the U.S., most detections occurred before/during the holiday period, while in the E.U. these spiked after the holidays.
Vulnerability trends
The vast majority of the vulnerable assets (over 80%) were on Linux.
A total of 98 distinct Log4j versions were observed in use, 55% of which were vulnerable versions.
There was a 20% spike in detections as the new year arrived and employees returned to work.
Within the first month after Log4Shell’s disclosure, we observed that 12% of total Log4j installations were vulnerable, while only 5% were not.
Remediation trends
Average time to remediation after detection was 17 days. Systems which could be exploited remotely were patched faster (12 days) while internal systems were slower.
After the first month, remediation efforts plateaued and began trending down, quite likely because security teams are finding it easier to mitigate Log4Shell rather than permanently fixing it.
Attack patterns
Our Multi-Vector EDR solution detected 22,000 potential attacks per week at the height of the crisis. Many of these were scattershot “spray & pray” attacks trying to infect as many systems as possible quickly. Our data indicates that threat actors were trying to take advantage of the holiday season window of opportunity.
Attacks also trended down into January, as mitigating controls and patches were rolled out by enterprise IT teams.
Unpacking Log4Shell’s continued peril
Log4j has been and will continue to be a headache for security professionals due to how difficult it is to fully understand where this vulnerability may be within an organization.
As with most vulnerabilities, understanding how and where the flaw will affect your business is crucial. Discovery processes are unique to each organization – meaning that depending on architecture and deployment, timetables vary.
This paired with obstacles such as the complexities of skeleton IT staff, potential lack of visibility into IT assets and an overall influx of other real-time sophisticated attacks and threats, could present a tumultuous road to immediate remediation.
Why are vulnerable Log4j versions continuing to be downloaded?
The main culprit for why vulnerable versions continue to be downloaded is likely because of automated build systems. These are configured to download a specific version build of their dependencies. Lesser maintained projects may automatically download a specific version to avoid conflicts with updated software, which has the potential to break their code. If the maintainer of that software hasn’t been paying attention to Log4j news their application is left open to the risk of exploitation.
Another scenario is the intentional download by researchers or adversaries to test exploitation of their latest wares. It is useful for both good and bad guys to continually validate that their exploitations or defenses are in working order outside of production areas.
Why are vulnerable Log4j versions still available for download?
Flawed forms of the code are still available because many other pieces of software still rely on them. Removing these downloads could potentially cause breakage in several systems if eliminated.
Further, The Qualys Research team found that more than 50% of application installations with Log4j were flagged as “end of support.” These publishers will likely not be providing Log4Shell security patches for these apps. End of life/support technology is one of the leading factors that put organizations at risk of being exploited by threat actors.
In fact, earlier this year, CISA developed a catalog of “Bad Practices” to showcase what is exceptionally risky. Landing at number one – especially for organizations supporting Critical Infrastructure or NCFs – was the use of unsupported software.
A Ukrainian security researcher has leaked more source code from the Conti ransomware operation to protest the gang’s position on the conflict.
Hacker leaked a new version of the Conti ransomware source code on Twitter as retaliation of the gang’s support to Russia
The attack against the Conti ransomware and the data leak is retaliation for its support for the Russian invasion of Ukraine.
The attack will have a significant impact on the operation of the gang, considering also that many of Conti’s affiliates are Ukrainian groups.
Recently a Ukrainian researcher leaked 60,694 messages internal chat messages belonging to the Conti ransomware operation after the announcement of the group of its support to Russia. He was able to access the database XMPP chat server of the Conti group.
In a second round, the expert leaked the old source code for the Conti ransomware encryptor, decryptor, and builder, along with the administrative panel and the BazarBackdoor API. The leaked old Conti ransomware source code is dated September 15th, 2020.
The source code for the ransomware is contained in a password-protected archive, despite the researcher did not leak the password, another expert cracked it and share it.
The public availability of the source code could temporarily destroy the Conti ransomware operation because security experts could perform reverse engineering to determine how it works and develop a working decrypted.
On the other side, other threat actors could perform reverse engineering to develop their own version of the threat, a circumstance that opens to worrisome scenarios.
Now the Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation, the code is dated January 25th, 2021.
The code appears to be more recent than the previous leak, according to Bleeping Computer Conti Leaks uploaded the source code for Conti version 3 to VirusTotal and shared a link on Twitter.
“The source code compiles without error and can be easily modified by other threat actors to use their own public keys or add new functionality.” reported BleepingComputer.“BleepingComputer compiled the source code without any issues, creating the cryptor.exe, cryptor_dll.dll, and decryptor.exe executables.”
The Great Resignation is sweeping the world, and the causes and impacts are still being analyzed. Texas A&M University professor Anthony Klotz coined the term, predicting an unusual rise in voluntary resignations as employees anticipated the global pandemic coming to end and life returning to normal. Many employees stayed longer in roles because they were uncertain of the future during the pandemic, while frontline workers experienced an elevated level of burnout due to increased stress. Workers in all industries are looking for new opportunities and leaving past roles behind.
IT and security staff are resigning too, feeling increased stress from managing more remote employees, a rapid transition to the cloud that didn’t allow time for them to gain cloud expertise before making the leap, and a rise in cyberattacks globally. Finding and retaining security talent is an ongoing challenge, one that exposes organizations to increased risk because there simply aren’t enough security experts available.
Most employees, certainly in technology companies but in other industries as well, are required to undergo security training and sign non-disclosure agreements (NDAs) when they join a company. That’s frequently the last time they consider security training, how they use personal devices for company communications and data, and what data belongs to the company and what data they’re permitted to share externally or take with them when they leave. Much of this information is only communicated in an NDA, a document that’s rarely read carefully or reviewed regularly. This may result in reduced adherence to security rules and practices — and, consequently, data losses. Some disgruntled employees may even be tempted to disclose sensitive information or leave security holes to allow them to access the company’s IT infrastructure after departure.
All employees have access to secrets, whether that’s a product strategy document, internal lists of sales prospects or customers, or other internal communications or presentations that aren’t intended for external consumption. Security and engineering teams have access to many internal systems, passwords, and secrets. When many employees leave an organization in a brief period, risks increase because there are so many things to take care of for so many people at the same time.
How to ensure employees, especially security staff, are off-boarded appropriately
Off-boarding employees can pose challenges for any organization. In the past year, data exfiltration incidents increased due to employees taking data, systems access, or both with them when they exit. This is when organizations can refer to their onboarding plan to create a successful off-boarding plan, one that includes people, process, and technology.
Rather than taking a reactive approach to employees leaving the company, embrace a readiness-mindset and prepare for departures in advance. To do that, here are essential steps to take so that you’re ready for employee departures:
Nurture the culture in your organization. This isn’t something you start when your employee gives their notice — it’s something they’re part of from the moment they join your team. Having good interpersonal relationships, sharing values, and identifying and handling personnel issues quickly and appropriately will help you keep your employees and turn them into advocates for your company after they leave. They’ll refer candidates to you, become mentors or contributors in another capacity, or even return for another role in the future. Having a positive relationship makes employees far less likely to pose a threat to your security profile.
Conduct an exit interview through Human Resources to get honest feedback from your employees. When employees are ready to move on to a new opportunity, take the time to ask them for suggestions, learn about problem areas, and build bridges for future relationships even after departure. Whether they’re leaving for a promotion, more flexibility, or because they’re ready to retire, their input can still influence HR decisions around benefits and culture.
Create a knowledge transfer plan. Don’t wait until their last day to find out all the unique knowledge your employees hold. Most of that information probably isn’t in the job description, so documenting it (and having departing employees train your new hires, if possible) will help new employees become productive more quickly.
Review the materials signed during onboarding and security training. Many employees have no idea that the data they take with them increases the security risks for their organizations. Make sure that the person reviewing it with them understands these issues and can communicate them effectively.
Collect company assets. This includes office keys, key cards, laptops, cell phones, badges, corporate credit cards, and any other physical devices that you want returned. Keep a list and track all company assets that you’ve given employees to make sure you get these assets before they leave the building. If employees are keeping an asset, such as a laptop or cell phone, ensure that the data stored on it meets your requirements for employee data retention. For personal devices, former employees need to delete company apps and accounts.
Don’t forget digital access. Whether it’s access to a GitHub repository, Jira, Confluence, the company’s social media accounts, company email and workplace communication platforms, or anything in between, make sure that access ends when employment ends. This helps you make sure that the right people have access even after the employee leaves and reduces the likelihood of you needing to contact them to resolve something when it’s no longer their responsibility. Off-boarding should also include deleting data belonging to former employees and any cloud accounts tied to those employees.
Use single sign-on (SSO) and authentication tools. These technologies can help you manage access in as few places as possible, simplifying your tasks as employees leave. For engineering and security employees, make sure your team doesn’t hard code secrets or embed credentials in code. It’s poor security practice at any time and will allow access even after employees have departed and all other access has been disabled.
Successfully off-boarding security staff introduces some added considerations. While the preceding steps are still critical, security staff have increased access and knowledge when it comes to your systems and infrastructure. Once again, people, process, and technology all play a role. Monitor and audit access to sensitive corporate data, particularly noting whether they’re being accessed by computers or IP addresses outside of the corporate network. Former employees also still have relationships with current staff, so flag and investigate unusual activity there as well.
Adopting a zero-trust framework will help you protect resources even when critical security staff members leave the organization. Putting clear and easily repeatable processes in place can also help you reduce security risks due to departing staff, such as turning off email access but automatically forwarding all email and voicemail to a supervisor so that nothing gets missed. Your process should also include rolling any secrets they have access to promptly, rotating access, and removing their accounts from every system.
Researchers uncovered a new Linux botnet, tracked as B1txor20, that exploits the Log4J vulnerability and DNS tunnel.
Researchers from Qihoo 360’s Netlab have discovered a new backdoor used to infect Linux systems and include them in a botnet tracked as B1txor20.
The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability.
The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.
The B1txor20 Linux backdoor uses DNS Tunnel technology for C2 communications, below is the list of the main features implemented by the threat:
SHELL
Proxy
Execute arbitrary commands
Install Rootkit
Upload sensitive information
The researchers also noticed the presence of many developed features that have yet to be used, and some of them are affected by bugs. Experts believe the B1txor20 botnet is under development.
“In short, B1txor20 is a Backdoor for the Linux platform, which uses DNS Tunnel technology to build C2 communication channels. In addition to the traditional backdoor functions, B1txor20 also has functions such as opening Socket5 proxy and remotely downloading and installing Rootkit.” reads the analysis published by the experts.
Once the system has been compromised, the threat connects the C2 using the DNS tunnel and retrieves and executes commands sent by the server. The researchers noticed that the bot supports a total of 14 commands that allows it to execute arbitrary commands, upload system information, manipulate files, starting and stopping proxy services, and creating reverse shells.
“Generally speaking, the scenario of malware using DNS Tunnel is as follows: Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request; After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol.” continues the analysis.
The post includes additional technical details along with Indicators of Compromise (IoCs) for this threat.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
The new vulnerabilities added to the catalog include one SonicWall SonicOS issue, tracked as CVE-2020-5135, and 14 Microsoft Windows flaws addressed between 2016 and 2019.
The CVE-2020-5135 is a stack-based buffer overflow that affects the SonicWall Network Security Appliance (NSA). The vulnerability can be exploited by an unauthenticated HTTP request involving a custom protocol handler.
The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.
All the flaws added in this round have to be addressed by federal agencies by April 5.
The CISA Catalog has reached a total of 504 entries with the latest added issues.
President Joe Biden on Tuesday signed into law a $1.5 million government funding bill that includes legislation mandating critical infrastructure owners report if their organization has been hacked or made a ransomware payment.
Biden signed the legislation during a White House ceremony that was attended by administration officials and top Democratic lawmakers, including including House Speaker Nancy Pelosi (Calif.), Senate Majority Leader Chuck Schumer (N.Y.).
The Strengthening American Cybersecurity Act — which was attached to the spending deal that keeps the federal government open until September — requires that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization made a ransomware payment. It also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment.
CISA will have up to two years to publish a notice in the Federal Register on proposed rulemaking to implement the reporting effort, though it may move faster due to heightened concerns about Russian cyberattacks bleeding out of Moscow’s invasion of Ukraine.
“This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber-attacks and ransomware payments to the federal government,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who authored and championed the legislation along with Sen. Rob Portman (R-Ohio), said in a statement.
Portman, the panel’s top Republican said the legislation will “give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks.”
A recent study by MITRE and DTEX revealed that despite years of industry efforts against insider threats, there isn’t enough data – or systems advanced enough – to spot all malicious behavior. As companies work to build a corporate culture of cybersecurity, they’ve begun investing in zero-trust architectures to proactively cover all attack surfaces.
While this is a step in the right direction, this security method also has the potential to raise fear and generate negative responses from employees. This is especially a concern amid the Great Resignation; countless employees are leaving their jobs due to issues centered around work culture that no longer meets the demands of the modern employee. If taken as a sign of mistrust and poor faith, zero-trust security could spread resentment and demotivation among employees, potentially accelerating turnover rates and bringing the Great Resignation to its peak.
How can companies effectively navigate zero trust without creating friction among employers and employees? And how do they get there without the luxury of trust-building exercises in the close quarters of an in-office environment?
The thing is, zero trust doesn’t mean seeding mistrust throughout an organization’s networks. Companies shouldn’t have to rely on technologies alone for protection. Security is best applied when it’s a team effort. In other words, successful zero trust relies on a culture of transparency, communication, and consistency across the board. When appropriately understood and applied, these efforts can create a sustainable zero-trust work environment. So, how do we get there?
Many organisations have been considering a network transformation initiative to support the adoption of SaaS, cloud-based applications, and an increasingly remote workforce. Given the connectivity needs of a remote workforce – and knowing a hybrid workforce is here to stay – many IT teams have had to make sudden changes in the way workers connect to corporate systems that could introduce new cyber risks and vulnerabilities.
When developing a security strategy for supporting a hybrid workforce, it is essential to identify risks, as well as any potential blind spots. As CISOs embark on their transformational journeys, identifying these areas of weakness should be the top priority. Keeping business data safe everywhere is crucial to enabling employees to work anywhere. However, enforcing the same policies consistently from the endpoint, network, web, and cloud requires a new approach.
Cloud dominance
For instance, cloud vulnerabilities and misconfigurations continue to be a concern, particularly as the demand for more cloud integration has increased. This has led to CISOs shifting how they approach protecting the corporate perimeter with additional controls and monitoring tools being used to scan any access to the network. Security leaders are beginning to understand that legacy detection tools that would have traditionally been used for data centres, do not extend to the cloud which is why a shift in strategy is required. As a result, identifying and remediating cloud system vulnerabilities and misconfiguration errors is a top priority for the modern CISO when protecting the remote workforce.
Security landscape requires adaptation
Keeping up with security threat landscape is another area in which CISOs have had to adapt. Hackers have evolved in their tactics to evade detection while using techniques that require less effort and reap a higher reward. Their end result is to obtain money or steal sensitive data which normally involves ransomware schemes, state-sponsored methods or just nefarious individuals looking to make a name for themselves in the online underworld. Either way, they are more devious and better equipped than 12 months ago. Cybercrime has become commercialised, with many cybercriminals selling their tools, stolen details and ransomware kits across the dark web which is giving easy access for others to replicate and cause more disruption.
With the ability to launch cyberattacks more quickly with little effort, we are witnessing CISOs and security teams adopting a proactive mindset to cybersecurity. This approach helps to avoid being overwhelmed by the number of threats, especially those targeting workers who are outside the traditional perimeter and are accessing corporate files remotely.
Those that are not taking a proactive stance are at risk as even the most sophisticated defence strategies will become ineffective if they’re not regularly tested and kept current. While being able to mimic human behaviour with artificial intelligence, hackers are outpacing many organisations when it comes to the technology and hacking techniques used to attack them.
Other security initiatives to leverage
The job is never finished when it comes to the cybersecurity of an organisation. This means staying one step ahead of the next potential threat. Looking ahead now means better preparation for the future. Mitigating third-party risk, embedding security into the development process, and defending against ransomware attacks are just a few things that CISOs should be incorporating as part of the future-proofing cybersecurity strategy for a hybrid workforce.
Key initiatives should include adopting multi-factor authentication, achieving greater response time through automation, and extending Zero Trust to applications. The rapid adoption of cloud services, IoT, application containers, and other technologies is helping drive organisations forward. However, it also means that security teams must work harder to maintain visibility. To do so, they need to continuously see and catalogue every asset in their environments and accurately determine the security status of their devices.
In addition to the initiatives mentioned, secure access service edge (SASE) is a framework that CISOs are beginning to embrace as it is a convergence of key security capabilities including software-defined area networking (SD-WAN), Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG), Cloud-Access Security Brokers (CASB) and Zero-Trust Network Access (ZTNA). It supports the organisation’s cloud-based computing environments while providing security professionals the necessary information to secure the digital transformation journey as well as its remote workforce.
Organisations are feeling a shift in networking and security with the realities of mobile working, particularly as they rapidly adopt and embrace the cloud. With this, CISOs are seeking further efficiency, visibility, and stronger security for their enterprises. SASE and Zero trust implementations can provide more comprehensive security capabilities to support digital transformations.
The freight logs of two major Chinese shipping ports have been leaking data, a problem which if left unresolved could disrupt the supply chain of up to 70,000 tonnes of cargo a day, with potentially serious consequences for international shipping.
The cybernews® research team identified an open ElasticSearch database, which contained more than 243GB of data detailing current and historic ship positions that is exposed to the public. Analyzing the data, the team determined that it is highly likely to belong to the Yangtze river ports of Nanjing and Zhangjiagang.
The discovery is especially timely, given the escalation of the geopolitical situation caused by Russia’s recent decision to invade Ukraine. “This could have gone very badly if bad guys had found it before we did,” said a spokesperson for Cybernews.
ElasticSearch lacks a default authentication and authorization system – meaning the data must be put behind a firewall, or else run the risk of being freely accessed, modified or deleted by threat actors. The push access logs of the zjgeport.com found on the database contained user IDs and, most importantly, API keys that could in theory permit universal access, allowing a cybercriminal to write new data about current ship positions.
In layman’s terms, what this means is that if left unplugged, the gap could allow threat actors to read, delete or alter any of the entries in the exposed databases – or even create new ones for cargoes or ships that don’t exist. Moreover, conventional criminals could physically hijack a ship and jam its communications, leaving the port that controls and tracks its movements unaware that the vessel had been boarded.
That in turn could jeopardize up to 3,100 vessels that transport more than 250 million tonnes of cargo annually to and from the two ports – not to mention putting at risk the lives of the estimated 40,000 passengers a year that use Nanjing for sea travel.
The Cybernews team said: “Because of the way ElasticSearch architecture is built, anybody with access to the link has full administrator privileges over the data warehouse, and is thus able to edit or delete all of the contents and, most likely, disrupt the normal workflow of these ports.
“Because both of these ports directly connect factories based in China to international waters, it’s more than likely that they carry international cargo, thus creating a butterfly effect likely to affect the whole supply chain worldwide if the open instance is not closed.”
Zhangjiagang’s main cargoes include steel, timber, coal, cement and chemical fertilizers, while Nanjing typically trades in goods such as metal ore, light industrial goods, petroleum and pharmaceutical products. With Russia having incurred global sanctions as a result of its invasion of Ukraine, the fate of China’s economy will be more important than ever as it seeks to fill the vacuum created by its superpower neighbor’s expulsion from the world stage.
Since being alerted to the problem by Cybernews, the owners of the ElasticSearch database have enforced HTTP Authentication as a requirement for access, effectively cutting it off from the public side of the internet.
The flaws can allow remote attackers to manipulate the power of millions of enterprise devices carrying out extreme cyber-physical attacks.
Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical systems.
“If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.” reads the analysis published by Armis.
APC has over 20 million devices worldwide, according to the researchers, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.
Two of the TLStorm vulnerabilities reside in the TLS implementation used by Cloud-connected Smart-UPS devices, while the third one is a design flaw in the firmware upgrade process of Smart-UPS devices.
The researchers discovered that the firmware upgrades are not properly signed and validated.
This third flaw could be exploited by an attacker to achieve persistence by planting a malicious update on vulnerable UPS devices.
Below is the list of the flaws discovered by the experts:
CVE-2022-22806 – TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
CVE-2022-22805 – TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
CVE-2022-0715 – Unsigned firmware upgrade that can be updated over the network (RCE).
An attacker can trigger one of the above issues to gain remote code execution on vulnerable devices and interfere with the operation of the UPS to cause physical damage.
“The fact that UPS devices regulate high voltage power, combined with their Internet connectivity—makes them a high-value cyber-physical target. In the television series Mr. Robot, bad actors cause an explosion using an APC UPS device.” continues Armis. “However, this is no longer a fictional attack. By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke.”
Experts pointed out that vulnerabilities in the firmware upgrade process are often abused by sophisticated APT groups.
Armis reported the flaws to Schneider Electric’s APC on October 31, 2021, the vendor addressed them with the release of Patch Tuesday security updates on March 8, 2022.
“UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications.” concludes the report. It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However traditional security solutions do not cover these assets. As a result, they remain “unseen” and therefore expose the organization to significant risk.”
Are you planning a career as a DPO (data protection officer)?
Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.
Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.
The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.
Researchers disclosed 16 high-severity flaws in different implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.
Researchers from cybersecurity firm Binarly discovered 16 high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.
An attacker can exploit these vulnerabilities to implant a firmware that survives operating system updates and bypasses UEFI Secure Boot, Intel Boot Guard, and virtualization-based security.
Impacted devices include multiple HP enterprise devices, including laptops, desktops, point-of-sale systems, and edge computing nodes.
“By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.” reads the analysis published by Binarly.
Below is the list of vulnerabilities discovered by the researchers:
“Binarly believes that the lack of a knowledge base of common firmware exploitation techniques and primitives related to UEFI firmware makes these failures repeatable for the entire industry. We are working hard to fill this gap by providing comprehensive technical details in our advisories. This knowledge base is crucial for developing effective mitigations and defense technologies for device security.”, said Alex Matrosov, Founder and CEO at Binarly.
The most severe of the vulnerabilities discovered by the researchers are memory corruption issues affecting the System Management Mode (SMM) of the firmware. An attacker could trigger them to gain arbitrary code execution with the highest privileges.
