Dec 14 2021

Google fixed the 17th zero-day in Chrome since the start of the year

Category: App Security, Web Security
DISC @ 9:25 am

Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild.

The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine; its exploitation could lead to the execution of arbitrary code or data corruption.

“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild,” reads the advisory published by Google, which did not share additional information regarding these attacks.

The vulnerability was reported by an anonymous researcher on 2021-12-09.

Google has already addressed 17 zero-day vulnerabilities in Chrome this year; below is the full list:

Be sure to update your Chrome install to the latest 96.0.4664.110 version for Windows, Mac, and Linux.

The other issues fixed by Google with the latest release are:

[$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26

[$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16

[$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19

[$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21

The Browser Hacker’s Handbook 

Tags: Chrome, Google, The Browser Hacker's Handbook, zero-day


Dec 13 2021

A JOURNEY FROM JNDI/LDAP MANIPULATION TO REMOTE CODE EXECUTION DREAM LAND PRESO

Category: Remote code
DISC @ 3:32 pm

Sandboxing remote code execution in the distributed system RCE: Sandbox based on Java and OSGi

Tags: Remote Code Execution


Dec 13 2021

Best Practice for Mitre Att&ck Mapping

Category: Attack Matrix
DISC @ 11:05 am

DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™ — MB Secure

MITRE ATT&CK for dummies

How to Improve Threat Detection and Hunting in the AWS Cloud Using the MITRE ATT&CK® Matrix

Tags: Mitre Att&ck Mapping


Dec 13 2021

Hacking tools cheat sheet

Category: Cheat Sheet, Hacking, Security Tools
DISC @ 10:35 am

Tags: Hacking tools cheat sheet


Dec 13 2021

Microsoft vulnerabilities have grave implications for organizations of all sizes

Category: Security vulnerabilities
DISC @ 10:02 am

Over 1 million companies worldwide and over 731,000 companies in the U.S. use Office 365, and though Microsoft offers no hard stats, some sources suggest there are over 90,000 Microsoft partners facilitating services and products for clients. It’s no wonder, then, that vulnerabilities in Microsoft solutions are an attractive attack vector.

So far in 2021, the 12 most notable critical Microsoft vulnerabilities fall within five major threat categories:

Tags: Microsoft vulnerabilities


Dec 13 2021

CISA adds Log4Shell Log4j flaw to the Known Exploited Vulnerabilities Catalog

Category: Log4j, Security vulnerabilities, Web Security
DISC @ 9:53 am

The U.S. CISA added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including Apache Log4Shell Log4j and Fortinet FortiOS issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including recently disclosed Apache Log4Shell Log4j and Fortinet FortiOS flaws.

Below is the list of new vulnerabilities added to the Known Exploited Vulnerabilities Catalog, which is the list of issues frequently used as attack vectors by threat actors in the wild and that pose significant risk to the federal enterprise.

| CVE Number | CVE Title | Remediation Due Date |
| --- | --- | --- |
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | 12/24/2021 |
| CVE-2021-44515 | Zoho Corp. Desktop Central Authentication Bypass Vulnerability | 12/24/2021 |
| CVE-2021-44168 | Fortinet FortiOS Arbitrary File Download Vulnerability | 12/24/2021 |
| CVE-2021-35394 | Realtek Jungle SDK Remote Code Execution Vulnerability | 12/24/2021 |
| CVE-2020-8816 | Pi-Hole AdminLTE Remote Code Execution Vulnerability | 6/10/2022 |
| CVE-2020-17463 | Fuel CMS SQL Injection Vulnerability | 6/10/2022 |
| CVE-2019-7238 | Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability | 6/10/2022 |
| CVE-2019-13272 | Linux Kernel Improper Privilege Management Vulnerability | 6/10/2022 |
| CVE-2019-10758 | MongoDB mongo-express Remote Code Execution Vulnerability | 6/10/2022 |
| CVE-2019-0193 | Apache Solr DataImportHandler Code Injection Vulnerability | 6/10/2022 |
| CVE-2017-17562 | Embedthis GoAhead Remote Code Execution Vulnerability | 6/10/2022 |
| CVE-2017-12149 | Red Hat Jboss Application Server Remote Code Execution Vulnerability | 6/10/2022 |
| CVE-2010-1871 | Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability | 6/10/2022 |

The CVE-2021-44228 flaw made the headlines last week, after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.

The impact of the issue is devastating: thousands of organizations worldwide are potentially exposed to attacks, and security experts have already reported exploitation attempts in the wild.

CISA also warns of a recently disclosed arbitrary file download vulnerability in FortiOS, tracked as CVE-2021-44168, that is actively exploited.

“A download of code without integrity check vulnerability [CWE-494] in the “execute restore src-vis” command of FortiOS may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages,” reads the advisory published by Fortinet. “Fortinet is aware of an instance where this vulnerability was abused and recommends immediately validating your systems for indicators of compromise.”

Log4Shell update: Attack surface, attacks in the wild, mitigation and remediation

Log4Shell explained – how it works, why you need to know, and how to fix it

Tags: CISA, Log4j, Log4shell


Dec 12 2021

LOG4SHELL REPORT

VULNERABILITY ASSESSMENT AND MITIGATION

Download Log4Shell report – VULNERABILITY ASSESSMENT AND MITIGATION

How the role of open-source maintainers could be professionalized, as the maintainer who fixed the log4j zero-day says he works on the project in his spare time — Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021.

New zero-day exploit for Log4j Java library is an enterprise nightmare

Software Security: Building Security

This book explains how to introduce security into the SDLC; how to introduce abuse cases and security requirements in the requirements phase; and how to introduce risk analysis (also known as Threat Modeling) in the design phase and software qualification phase. I really think that each software developer should at least read the first chapter of the book where the authors explain why the old way of securing applications (seeing software applications as “black boxes” that can be protected using firewalls and IDS/IPS) cannot work anymore in today’s software landscape.

Tags: LOG4SHELL REPORT


Dec 11 2021

Cybereason released Logout4Shell, a vaccine for Log4Shell Apache Log4j RCE

Category: Cyber Threats, Cyberweapons, Web Security
DISC @ 12:48 pm

Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for a critical remote code execution zero-day vulnerability, tracked as CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library.

Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.

A remote, unauthenticated attacker can exploit CVE-2021-44228 to execute arbitrary code on a vulnerable system, leading to a complete system takeover.

The vulnerability was discovered by researchers from Alibaba Cloud’s security team, who notified the Apache Foundation on November 24. According to the experts, the vulnerability is easy to exploit and does not require special configuration; for this reason, it received a CVSSv3 score of 10/10. Researchers pointed out that Apache Struts2, Apache Solr, Apache Druid, and Apache Flink are all affected by this vulnerability.

Now researchers from cybersecurity firm Cybereason have released a script that works as a “vaccine” (dubbed Logout4Shell) that allows remotely mitigating the Log4Shell vulnerability by turning off the “trustURLCodebase” setting in vulnerable instances of the library.

“While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk. However, enabling these system property requires access to the vulnerable servers as well as a restart.” reads the GitHub Page set up for the Log4Shell project.

Cybereason experts pointed out that enabling these system properties requires access to the vulnerable servers, and the servers have to be restarted.
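The mitigations quoted above (upgrade to 2.15.0, remove the JndiLookup class, or set log4j2.formatMsgNoLookups on 2.10 and later) can be checked per archive. The following Python audit is an added example, not Cybereason's Logout4Shell code or part of the original post; the function names, the constructed sample JARs and the nesting depth limit are assumptions for illustration, and the 2.15.0 threshold is taken from the quoted text.

```python
import io
import re
import zipfile

# Paths inside a log4j-core JAR.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = ("META-INF/maven/org.apache.logging.log4j/"
             "log4j-core/pom.properties")
PATCHED = (2, 15, 0)    # "patch log4j to 2.15.0 and above" (quoted text)
FLAG_MIN = (2, 10, 0)   # the system property only helps on >= 2.10
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
NESTED = (".jar", ".war", ".ear")


def read_version(zf):
    """Return log4j-core's version tuple from pom.properties, or None."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, has_jndi, jvm_args):
    """Map what was found in one archive to a status string."""
    if version is not None and version >= PATCHED:
        return "patched"
    if not has_jndi:
        return "mitigated: JndiLookup removed"
    if version is None:
        return "review: JndiLookup present, version unknown"
    if version >= FLAG_MIN and FLAG in jvm_args:
        return "mitigated: formatMsgNoLookups"
    return "vulnerable"


def audit_archive(data, name, jvm_args=(), depth=0, max_depth=4):
    """Audit a JAR/WAR/EAR given as bytes, descending into nested archives
    (fat JARs). max_depth is an assumed guard against archive bombs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = sorted(zf.namelist())
        version = read_version(zf)
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append({
                "path": name,
                "version": version,
                "jndi_lookup": has_jndi,
                "status": classify(version, has_jndi, jvm_args),
            })
        if depth < max_depth:
            for entry in names:
                if entry.lower().endswith(NESTED):
                    findings += audit_archive(
                        zf.read(entry), f"{name}!/{entry}",
                        jvm_args, depth + 1, max_depth)
    return findings


def make_jar(version=None, with_jndi=False, nested=None):
    """Build a constructed sample archive in memory (not a real log4j JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS,
                        f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
        for path, blob in (nested or {}).items():
            zf.writestr(path, blob)
    return buf.getvalue()


if __name__ == "__main__":
    old = make_jar("2.14.1", with_jndi=True)
    fat = make_jar(nested={"BOOT-INF/lib/log4j-core-2.14.1.jar": old})
    for f in audit_archive(fat, "app.jar", jvm_args=[FLAG]):
        print(f["path"], f["version"], f["status"])
```

To audit a file on disk, pass its bytes and path, together with the JVM arguments of the process that loads it.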

A zero-day exploit for Log4j Java library could have a tsunami impact on IT giants

Defensive Security Handbook: Best Practices for Securing Infrastructure

Tags: Apache patch, Defensive Security, Log4j, Log4shell


Dec 10 2021

The Red Team Guide

Category: Information Security, Security Incident
DISC @ 12:54 pm
The Red Team Guide – by Peerlyst

Download a copy of The Red Team Guide

Rtfm: Red Team Field Manual

The Red Team Field Manual (RTFM) is a no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell. The RTFM will repeatedly save you time looking up the hard to remember Windows nuances such as Windows wmic and dsquery command line tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting. More importantly, it should teach you some new red team techniques.

Incident Response Management Foundation Training Course

Tags: Red team, Red Team Field Manual, Rtfm, The red team guide


Dec 10 2021

Best Tips on Cybersecurity for Students

Category: Cyber career
DISC @ 10:32 am

There is a way to avoid cybersecurity threats, and that’s incorporating effective practices in your daily use of the internet. Here are a few best tips for improving cybersecurity.

  1. Use Strong and Varied Passwords

The “one password fits all platforms” philosophy is ideal for hackers. They only need to get a password to one network to access all of the others as well. To prevent this from happening, you need to set different passwords on all your accounts.

Memorizing all those passwords can be difficult, especially when you consider various platforms you use for studying. However, with password management apps, you won’t have to memorize them. In addition, you need to create a strong password. For a quick solution, you can use a strong random password generator.

  2. Give Your Data Only to Proven Websites

Random websites can ask for detailed personal information if you want to get access to more content or download something. This can be a threat.

Take extra precautions when using unknown platforms. Before you decide to sign up, read their privacy policy and do some research on the company. For example, if you’re looking for an essay writing company, you can first read the info on the best ones on a credible Top Writers Review website. Reviews, Google results, and privacy policies can help you get to know the website better.

  3. Don’t Download Attachments from Unknown Email Senders

Email phishing is among the most frequent types of cyberattacks. A simple email attachment such as a supposed e-book can be a gateway for malware or phishing attacks.

Whenever you get an email from an unknown sender, don’t download the attachments. Even if the email seems legit, clarify first who the sender is and where they got your email before you download anything.

  4. Stay Away from Unprotected Public WiFi

An unsecured public WiFi gives free access to the network to anyone – including the criminals.

If you are on the same network, it’s easier for cybercriminals to latch onto your device and access everything you have. Even if you just want to quickly connect to research document translation companies for your study abroad papers, hackers can get to your data before you finish.

In situations when you can’t avoid using public WiFi, use a VPN and be vigilant. A Virtual Private Network (VPN) will encrypt all your internet activity. You can download a VPN app on your phone with a few clicks.

  5. Use Platforms and Apps that Encrypt Data

Apps, platforms, and websites with encrypted data will keep your personal information and internet activity safe. Messaging apps with encryption are also more secure.

When browsing, check whether the website shows a padlock and “https” in its URL, which indicates that it is encrypted. These types of websites won’t leak your data to unauthorized parties.

The privacy policy is yet another way of checking whether the app, platform or website is encrypted. For example, if you read in the policy that the site is covered by COPPA (Children’s Online Privacy Protection Act), it is secure. To ensure internet safety for its students, many educational institutions use apps and platforms covered by this act.

  6. Be Wary of URLs in Messages

You might not find anything peculiar about your friend, teacher, or a well-known company sending you a URL, especially if the message comes in the form of a text message or WhatsApp message. Unfortunately, this is one of the tricks of cybercriminals.

This type of attack is quite common. Clicking on the links can completely open the door to your data. So, if you receive a message with a suspicious URL, first inquire what it is about. When a company sends you such a message, go to their official website instead of clicking on the link.

Conclusion

These simple steps of precaution will help you keep your data safe. Being more careful of what actions you take, pages you trust, and how you dispose of your data is necessary. A few tips like these can do a lot for your internet security.

InfoSec Tools and training

InfoSec Books

Cybersecurity Career Master Plan

Tags: cyber security career, Cybersecurity Career Master Plan, infosec career, Tips on Cybersecurity


Dec 09 2021

ALPHV BlackCat – This year’s most sophisticated ransomware

Category: Ransomware
DISC @ 10:29 pm

Ransomware Protection Playbook

Tags: Ransomware Protection Playbook


Dec 09 2021

Kali Linux 2021.4 released: Wider Samba compatibility, The Social-Engineer Toolkit, new tools, and more!

Category: Information Security, Linux Security
DISC @ 10:40 am

Samba Client, Kaboxer theme support

Starting with Kali Linux 2021.4, the Samba client is now configured for Wide Compatibility so that it can connect to pretty much every Samba server out there, regardless of the version of the protocol in use. This change should make it easier to discover vulnerable Samba servers “out of the box”, without having to configure Kali.

With the latest update of Kaboxer, tools no longer look out of place, as it brings support for window themes and icon themes. This allows the program to properly integrate with the rest of the desktop and avoids the usage of ugly fallback themes.

Here is a comparison of how zenmap looks with the default Kali Dark theme, compared to the old appearance:

Kali Linux 2021.4

New Tools in Kali Linux 2021.4

Here’s a quick run down of what’s been added (to the network repositories):

  • Dufflebag – Search exposed EBS volumes for secrets
  • Maryam – Open-source Intelligence (OSINT) Framework
  • Name-That-Hash – Do not know what type of hash it is? Name That Hash will name that hash type!
  • Proxmark3 – if you are into Proxmark3 and RFID hacking
  • Reverse Proxy Grapher – graphviz graph illustrating your reverse proxy flow
  • S3Scanner – Scan for open S3 buckets and dump the contents
  • Spraykatz – Credentials gathering tool automating remote procdump and parse of lsass process
  • truffleHog – Searches through git repositories for high entropy strings and secrets, digging deep into commit history
  • Web of trust grapher (wotmate) – reimplement the defunct PGP pathfinder without needing anything other than your own keyring

More on The Social-Engineer Toolkit

Kali Linux 2021.4 download

Tools and infosec training

Tags: Kali Linux, Kali Linux 2021.4


Dec 09 2021

Microsoft Vancouver leaking website credentials via overlooked DS_STORE file

Category: Web Security
DISC @ 9:36 am

The metadata stored on the file led the researchers to several WordPress database dumps, which contained multiple administrator usernames and email addresses, as well as the hashed password for the Microsoft Vancouver website.

Security researchers – us at CyberNews included – routinely use search engines that index publicly accessible Internet of Things (IoT) devices and web servers for threat intelligence. This helps us warn users and organizations that their data is being exposed and help them plug the leaks.

Back in September, while gathering intelligence on an IoT search engine, our security researchers stumbled upon a DS_STORE file that was apparently stored on a web server owned by Microsoft Vancouver.

Leaving DS_STORE files on remote web servers is dangerous because they display their folder structure, which may result in leaks of sensitive or confidential data. This is exactly what happened with the leftover DS_STORE file present on the Microsoft Vancouver web server.

By analyzing the file, our Investigations team was able to learn about the files hosted on the Microsoft Vancouver server, as well as several database dump files stored on the server.

These database dumps contained multiple administrator usernames and email addresses, as well as the hashed password for Microsoft Vancouver’s WordPress website.

According to the company’s website, Microsoft Vancouver is home to teams that work on developing a variety of Microsoft products, including “Notes, MSN, Gears of War, Skype, and mixed reality applications, both for desktop and HoloLens.”

On September 27, CyberNews researchers reached out to Microsoft Canada via their official contact email in order to report their findings and help secure the exposed file.

Unfortunately, we did not hear back from the company right away. Even though warnings from security researchers can sometimes get overlooked by large organizations, several additional emails are usually enough to break through and reach the eyes of security teams. As such, we made multiple additional attempts at contacting Microsoft via customer support email addresses and phone numbers listed on the company’s official websites.

On December 2, public access to the DS_STORE file was finally disabled and it is no longer leaking sensitive data. After the file was secured, we reached out to Microsoft for additional comment regarding the incident but have yet to hear back.

What’s in the file?

Exploitation and Countermeasures for Modern Web Applications

Tags: Web Application Security, website credentials


Dec 08 2021

22 Red Flags of Social Engineering

Category: social engineering
DISC @ 12:19 pm

Kevin Mitnick – Pretexting – “Fake IT” Password Break-In

Breaking into a Bank – Kevin Mitnick demonstrates the Access Card Attack

Best of Kevin Mitnick: My Favorite Hack

The Art of Deception: Controlling the Human Element of Security

Tags: 22 Red Flags of Social Engineering, Kevin Mitnick, The Art of Deception


Dec 08 2021

It’s Not a User Problem; It’s a Cybersecurity People Problem

Category: Cyber career, Security Awareness
DISC @ 10:29 am

There is a serious user problem out there, and whether the user makes a mistake or is intentionally malicious, it can impact the entire system and the organization. But is it really a user problem?

In their session at (ISC)2 Security Congress, Ira Winkler, CISO with Skyline Technology Solutions and Tracy Celaya-Brown, president, Go Consulting International, said the user problem is really a cybersecurity people problem.

“People can’t do things that we don’t give them permission to do,” Winkler said. As long as a user has the ability to do certain tasks, click on links or see a spearphishing email show up in their inbox, they will make mistakes that can take down the network. The problem is not that users cause a loss, but that they can potentially initiate a loss, according to Winkler and Celaya-Brown.

A Failure of Leadership

One mistake shouldn’t take down an entire network. One person shouldn’t have the ability to cause universal panic because of the access permissions they are given. But it happens all the time, and the reason is failure of cybersecurity leadership. Remember the Twitter hack a few years ago where some of the most famous names on the social media site were victims of account takeovers? Winkler pointed out that social engineering techniques coupled with the fact that about one-fifth of Twitter’s employees had permissions to change passwords led to that massive cybersecurity failure. Or, in other words, the human problem was enabled by cybersecurity people and leadership who fell short in their responsibilities. Of course, you want users that will behave the way cybersecurity leadership wants them to, but the cybersecurity team needs to take a closer look at their actions, too.

“We have to take a closer look at why problems occur,” said Winkler. “The problem isn’t a user clicking on a link. The problem occurred when the user received the message.”

New School Safety Science

Improving Cyber Security Skills And Knowledge At Board Level

Tags: Cybersecurity People Problem, Improving Cyber Security Skills


Dec 07 2021

Cisco Survey Surfaces Legacy Infrastructure Security Challenges

Category: App Security
DISC @ 6:18 pm

A global survey of 5,123 active IT, security and privacy professionals conducted by YouGov on behalf of Cisco found well over a third of organizations (39%) are relying on what they consider to be outdated security technologies.

Overall, the survey found organizations that upgrade IT and security technologies quarterly are about 30% more likely to excel at keeping up with the business than those that upgrade only every few years. The survey also suggested that security operations teams that integrate people, processes and platforms see a 3.5X performance boost over rivals. Automation also more than doubles the performance of less experienced people, the survey suggested.

Wendy Nather, head of advisory chief information security officers (CISOs) for Cisco Duo, a multifactor authentication platform, said the survey makes it clear there is a benefit to relying on vendors such as Cisco or a managed service provider (MSP) that automates the update process. However, while outsourced detection and response teams are perceived to be superior, an internal security team is still faster in terms of mean-time-to-respond (MTTR) to a cybersecurity event (six days versus 13 days).

Not surprisingly, the survey also found organizations with integrated technologies are seven times more likely to achieve high levels of process automation. Organizations that claim to have mature implementations of zero-trust or secure access service edge (SASE) architectures are 35% more likely to report strong security operations. In addition, organizations that leverage threat intelligence achieve 50% faster mean-time-to-repair when recovering from a cybersecurity attack.

Finally, the survey found the probability of maintaining business resilience doesn’t improve until business continuity and disaster recovery capabilities cover at least 80% of critical systems, and that organizations that regularly test their business continuity and disaster recovery capabilities in multiple ways are 2.5 times more likely to maintain business resiliency. Organizations that make chaos engineering a standard practice are also twice as likely to achieve high levels of resiliency, according to the survey.

Nather said cybersecurity teams should also invest more in observability and threat intelligence tools. Many cybersecurity teams are overly confident in the level of security they have implemented, only to discover, once provided with access to metrics, that the amount of malware in their environment is much higher than they thought. Until that moment arrives, many organizations are suffering from cybersecurity ‘ignorance is bliss,’ she added.

Regardless of the current level of confidence in cybersecurity, Nather noted that the shift to remote work coupled with investments in digital business transformation initiatives will drive more organizations to revisit their cybersecurity strategies in 2022. Organizations will also need to reconsider their approach to cloud security given the number of misconfigurations that are made by DevOps teams using infrastructure-as-code (IaC) tools to provision infrastructure with little appreciation for DevSecOps best practices.

Ultimately, the issue organizations must come to terms with is that trying to protect legacy infrastructure is much harder than relying on either a cloud service or an as-a-service platform that is continuously updated by someone else. Unfortunately, not every organization can afford to rip and replace all their legacy infrastructure overnight.

Build, automate, and manage your infrastructure on the most popular cloud platform – AWS

Tags: AWS for System Administrators, Legacy Infrastructure Security Challenges


Dec 07 2021

Improper Neutralization of CRLF Sequences in Java Applications

Category: App Security, File Security, Information Security, Python
DISC @ 10:28 am

CRLF Injection

Let’s try to understand what CRLF injection is. In response to an HTTP request from a web browser, a web server sends a response, which contains both the HTTP headers and the actual content of the website. There is a special combination of characters that separates the HTTP headers from the HTML response (the website content), namely a carriage return followed by a line feed.

Each header ends with a CRLF, and the next header begins on the following line. This is how a web application or a user knows when a new line begins in a file or text block.

An attacker can inject information into HTTP responses by using the CRLF characters that separate the parts of an HTTP response. Because the browser treats <CRLF><CRLF> as the end of the headers, an attacker who can inject those characters has the option to store data in the body of the response, where the HTML is stored.

The URL-encoded forms of carriage return (%0d) and line feed (%0a) are easy to identify when an attacker enters them in a value that reaches an HTTP header. The result would look like this:

https://xyz.com/index.php?page=home%0d%0a
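An added example, not code from the original article, showing what the request above does when the `page` value is copied into a response header, and how rejecting CR/LF neutralizes it. It is written in Python rather than Java so it can be run directly; the `X-Page` header and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The URL from the text above.
SAMPLE_URL = "https://xyz.com/index.php?page=home%0d%0a"


def page_param(url):
    """Return the decoded 'page' query parameter (%0d%0a becomes CR LF)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("page", [""])[0]


def serialize(headers, body):
    """Serialize a response: one CRLF per header, blank line, then body."""
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return f"HTTP/1.1 200 OK\r\n{head}\r\n{body}"


def build_response_unsafe(page):
    """Vulnerable on purpose: the request value goes into a header as-is."""
    headers = [("X-Page", page), ("Content-Type", "text/html")]
    return serialize(headers, "<p>body</p>")


def neutralize_header_value(value):
    """Reject any value that contains CR or LF before it reaches a header."""
    if re.search(r"[\r\n]", value):
        raise ValueError("CR/LF in header value")
    return value


def build_response_safe(page):
    """Hardened form: same response, but the value is validated first."""
    headers = [("X-Page", neutralize_header_value(page)),
               ("Content-Type", "text/html")]
    return serialize(headers, "<p>body</p>")


def split_response(raw):
    """Parse as a client would: headers stop at the first CRLF CRLF."""
    head, _, body = raw.partition("\r\n\r\n")
    names = [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]
    return names, body


def encoded_crlf_in_url(url):
    """Detection helper for request logs: flag %0d or %0a in a raw URL."""
    return re.search(r"%0[da]", url, re.I) is not None


if __name__ == "__main__":
    page = page_param(SAMPLE_URL)
    names, body = split_response(build_response_unsafe(page))
    # The injected CRLF ends the header block early, so Content-Type
    # is pushed into the body instead of being parsed as a header.
    print("unsafe headers:", names)
    print("unsafe body starts with:", body.splitlines()[0])
    try:
        build_response_safe(page)
    except ValueError as exc:
        print("safe builder rejected the value:", exc)
    print("flag in logs:", encoded_crlf_in_url(SAMPLE_URL))
```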

Java 9 Dependency Injection

Tags: CRLF Injection


Dec 06 2021

Staff awareness e-learning courses

Category: Information Security, Security Awareness
DISC @ 2:44 pm
Use code XMASELEARN at checkout
to get 10% off before Sunday, 19 December.*
  • Written in plain English to help non-technical staff understand the topics.
  • Real-life examples, case studies, quizzes and puzzles to engage learners and teach in an unconventional way.
  • Multiple-choice assessment included to help consolidate learning.
  • Monitor employees’ progress from a user-friendly dashboard.
  • Multiple hosting and licence options available to suit your needs.
  • Free monthly security bulletin packed with useful news and tips.
  • Content and branding customization available on request.

Training available for individual or Corporate members

IT Governance Staff Awareness E-Learning Courses

Developed by experts, ITG staff awareness training courses have been designed to give your employees the knowledge they need to protect your organization’s data while performing their roles, in compliance with relevant standards, laws and cyber security best practices.

Tags: Staff awareness e-learning


Dec 06 2021

SECURITY GUIDANCE FOR 5G CLOUD INFRASTRUCTURES

Prevent and Detect Lateral Movement

Security and Privacy Preserving for IoT and 5G Networks: Techniques, Challenges, and New Directions 

Related articles:


The Best & Worst States in America for Online Privacy 

Wireless Wars: China’s Dangerous Domination of 5G 

Tags: 5G cloud, 5G security, IoT and 5G Networks, Wireless Wars


Dec 06 2021

2022 and the threat landscape: The top 5 future cybersecurity challenges

2022 is going to be a year of building greater resiliency and integrating this into all aspects of business operations. This will require organizations of all levels to review how they are responding to a larger scale of sophisticated threats. To build on the efforts of 2021, CISOs need to address how they can implement innovation into their business without making themselves more vulnerable to damaging attacks.

There are five big trends that I see defining the market in 2022 that security professionals should pay attention to:

1. The rise of the “assume-breach” mindset

Zero trust applies the principle of fundamentally not trusting anything on or off your network and deploys an “assume-breach” mindset.

2. Innovation and new risk in 5G

3. Customization, personalization and getting personal with phishing tactics

4. Hackers will go for gold at the Beijing Olympics

5. The enterprise API ecosystem will show its vulnerabilities

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Tags: threat landscape

