Vulnerability Management Archives - My TechDecisions
https://mytechdecisions.com/tag/vulnerability-management/
The end user’s first and last stop for making technology decisions
Tue, 13 Jun 2023 15:59:33 +0000

Patch FortiGate SSL-VPN Devices Immediately
https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/
Tue, 13 Jun 2023 15:59:33 +0000

Cybersecurity firm Fortinet is warning organizations of a critical vulnerability in its FortiGate SSL-VPN devices, continuing a string of recent exploitations of vulnerabilities in similar devices due to their internet-facing nature and access to a victim’s network.

The vulnerability, tracked as CVE-2023-27997, is a heap-based overflow flaw that could allow a remote attacker to execute arbitrary code or commands via specially crafted requests, says the Sunnyvale, Calif.-based firewall and endpoint security firm.

According to Fortinet, its Product Security Incident Response Team initiated a code audit of the SSL-VPN module following a previous incident in January that also involved exploitation of FortiOS SSL VPN; the audit identified the issues that have been remediated in the company’s patch.

The investigation found that CVE-2023-27997 “may have been exploited in a limited number of cases.”

In the company’s blog, Fortinet says the attacks mimic the activity of Volt Typhoon, a suspected China-sponsored hacking group that has been targeting critical infrastructure organizations. Fortinet doesn’t go as far as to link exploitation of the vulnerability to that group, but it does expect Volt Typhoon and other threat actors to leverage the bug in unpatched software and devices.

FortiGate devices were identified by the U.S. National Security Agency as being targeted by Volt Typhoon as an initial intrusion vector.

Organizations should apply the patch immediately. If they aren’t able to do so, disabling SSL-VPN is a legitimate workaround, the company says.

These devices and other SSL VPN products from Citrix, Pulse Secure and others have been popular targets in recent years, says Satnam Narang, senior staff research engineer at vulnerability management firm Tenable.

According to Narang, these flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices.

“SSL-VPNs are attractive targets due to their internet-facing nature, providing access to a company’s intranet,” Narang says. “They became even more popular at the beginning of the pandemic, as organizations shifted towards allowing for remote work.”

Narang adds that pre-authentication bugs like CVE-2023-27997 are especially valuable to remote attackers because they don’t need to have valid credentials.

“Despite patches being available, the inherent value of the flaw remains significant, considering the ongoing success threat actors achieve by exploiting known, unpatched vulnerabilities,” Narang says. “It’s not a question of ‘if’, but rather ‘when’ a public proof-of-concept exploit for this flaw is made public, that we can expect more widespread scanning and exploitation of vulnerable assets.”

The post Patch FortiGate SSL-VPN Devices Immediately appeared first on My TechDecisions.

Ransomware Groups Confirmed to be Exploiting MOVEit Bug
https://mytechdecisions.com/it-infrastructure/ransomware-groups-confirmed-to-be-exploiting-moveit-bug/
Mon, 05 Jun 2023 20:55:53 +0000

Cybersecurity firms are reporting widespread exploitation of the MOVEit Transfer vulnerability across a wide range of organizations large and small, with some publicly confirming that known ransomware groups are leveraging the flaw.

That includes Microsoft, which is attributing the attacks exploiting the bug, tracked as CVE-2023-34362, to a group it calls “Lace Tempest,” which is known for ransomware operations and running the Clop extortion site.

The Redmond, Wash. tech giant says the group has used similar vulnerabilities in file transfer tools to steal data and extort victims in the past.

In a series of tweets, the Microsoft Threat Intelligence Twitter account revealed several details about the attacks, saying exploitation is typically followed by deployment of a web shell with data exfiltration capabilities.

According to Progress Software, the vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. MOVEit Transfer customers are advised to take immediate action to help protect their environment. Organizations are urged to apply the patch immediately.

According to a statement from a MOVEit spokesperson, the company promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. “We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Affecting all supported MOVEit Transfer versions, CVE-2023-34362 is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the company says.

In the meantime, MOVEit says it is continuing to work with cybersecurity experts to investigate the issue. A company spokesperson said in a statement, “We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

Experts Weigh in On MOVEit Vulnerability

On Monday, reports of widespread exploitation came pouring in, as several security firms say their customers are under active attack.

Caitlin Condon, senior manager for security research at Rapid7, says the company has responded to alerts across a range of organizations from small businesses to enterprises with “tens of thousands of assets.”

There doesn’t appear to be any particular target vertical or organizational profile, Condon says, as victim organizations have so far included technology, insurance, manufacturing, municipal government, healthcare and financial services. The amount of data varies case by case, but Rapid7 has responded to “multiple incidents where several dozen gigabytes of data was stolen,” Condon says.

In a Rapid7 blog, the company says it has observed an uptick in related cases since the bug was disclosed last week, and the company’s researchers say the vulnerability was exploited at least four days prior to Progress Software’s first advisory on May 31.

These updates confirm what Satnam Narang, senior staff research engineer at Tenable, said last week, attributing the exploitation of file transfer tools to double extortion ransomware groups like Clop.

“While we don’t know the specifics around the group behind the zero day attacks involving MOVEit, it underscores a worrisome trend of threat actors targeting file transfer solutions,” Narang said last week. “Organizations that use MOVEit software should assume compromise and engage in incident response to determine the potential impact, if any.”

MOVEit customers are advised to check for indicators of compromise and unauthorized access over at least the past 30 days.

The post Ransomware Groups Confirmed to be Exploiting MOVEit Bug appeared first on My TechDecisions.

Tenable Launches Integration Between Tenable One Platform, Security Center 6.1
https://mytechdecisions.com/network-security/tenable-launches-integration-between-tenable-one-platform-security-center-6-1/
Tue, 25 Apr 2023 13:48:30 +0000

Security vulnerability management software provider Tenable is launching an integration between its Tenable One Exposure Management Platform and its Security Center 6.1 solution, adding support for on-premises and hybrid deployments.

According to the company, this integration is designed to streamline exposure management for hybrid vulnerability management deployments and can help on-premises organizations transition to the cloud more quickly. Tenable now claims to be the only vendor that offers exposure management for both on-premises and hybrid deployment models.

Tenable One customers can now get access to both Tenable Vulnerability Management and Tenable Security Center, giving them flexibility to deploy vulnerability management assets in the cloud, on-premises or both in a hybrid approach. In addition, Tenable Security Center customers can leverage Tenable One’s advanced exposure management features such as Lumin Exposure View, Attack Path Analysis and Asset Inventory.

The Tenable One platform includes vulnerability management, cloud security, external attack surface management, identity exposure, web app scanning and attack path analysis data. With the integration, Tenable Security Center customers can use Tenable One for a single view of their exposure data. Both Tenable Security Center Plus and Security Center Director are integrated to deliver enhanced visibility and simplified management, the company says.

Glen Pendley, Tenable’s chief technology officer, says in a statement that visibility into cyber risk factors should be a right and not a privilege. However, on-premises vulnerability management solutions aren’t giving organizations the full picture of where their threats exist.

“Tenable’s platform approach with Tenable One is continuing to expand its reach throughout the security stack and not only creating economies of scale but flexibility for customers as well,” Pendley says.

Tenable Security Center 6.1 will be generally available later in the second quarter of 2023, and the company is holding a webinar to go over the new capabilities on May 11.

The post Tenable Launches Integration Between Tenable One Platform, Security Center 6.1 appeared first on My TechDecisions.

What is Going on With Microsoft Exchange Server Throttling and Blocking?
https://mytechdecisions.com/it-infrastructure/microsoft-exchange-server-throttling-and-blocking/
Mon, 17 Apr 2023 17:12:24 +0000

Microsoft is hoping to address the security issue of emails sent to Exchange Online from unsupported and unpatched Exchange Servers by enabling a transport-based enforcement system in Exchange Online that will throttle and then block emails from an unsupported server.

The end goal is to encourage Microsoft customers to stop using persistently vulnerable versions of Exchange, which are a favorite target of hackers, including from Hafnium, a state-sponsored hacking group out of China that has leveraged Exchange vulnerabilities in the past.

According to Microsoft, admins will also see alerts about unsupported or unpatched Exchange servers in their on-premises environment that need to be upgraded or patched. However, if a server remains out of date and unpatched, mail from that server will be throttled and eventually blocked, the company says in a Tech Community blog.

“We don’t want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service,” Microsoft says in the blog. “We also want to get the attention of customers who have unsupported or unpatched Exchange servers and encourage them to secure their on-premises environments.”

Alerting

In addition to the existing Exchange Server Health Check tool, Microsoft is adding a new mail flow report to the Exchange admin center in Exchange Online that gives a tenant admin details about unsupported or out-of-date Exchange servers in their environment that connect to Exchange Online to send mail.

The new report will also provide details on any throttling or blocking of messages, along with information about what happens next if the server isn’t made current.

Throttling

If servers aren’t remediated after a period of time, Exchange Online will begin to throttle messages from them, issuing a retriable SMTP 450 error to the sending server, which will cause the sending server to queue and retry the message later, resulting in delayed delivery.

The error messages will read, “450 4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for 5 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.”

Throttling durations will increase progressively over time to encourage admins to remediate the server. However, if the server isn’t upgraded or patched within 30 days after throttling begins, emails will be blocked.

Blocking

In the blocking scenario, Exchange Online will issue a permanent SMTP 550 error to the sender, triggering a non-delivery report. In this case, a sender will need to re-send the message, the company says.

That error will read, “550 5.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online blocked for 10 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.”
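As an added example (not Microsoft’s code and not part of the original article), the following Python classifies the two SMTP replies quoted above as they would appear in a sending server’s transport log, and reports which on-premises hosts are being throttled or blocked. The log line format (hostname, SMTP code, enhanced status code, text) and the hostnames are constructed for the example; the enhanced status codes 4.7.230 and 5.7.230 are the ones in Microsoft’s announcement.

```python
"""Classify Exchange Online transport replies recorded by an on-premises sender.

Added example, not Microsoft's code. The constructed log format is
"<sending-host> <smtp-code> <enhanced-status-code> <text>".
"""
import re
from collections import defaultdict

# Enhanced status codes quoted in Microsoft's announcement.
THROTTLED = "4.7.230"   # transient 450: sender queues and retries
BLOCKED = "5.7.230"     # permanent 550: sender gets an NDR

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<code>\d{3})\s+(?P<esc>\d\.\d+\.\d+)\s+(?P<text>.*)$"
)


def classify_response(code: str, esc: str) -> str:
    """Map an SMTP reply to the action the sending server will take."""
    if esc == THROTTLED and code.startswith("4"):
        return "throttled"        # message is delayed, not lost
    if esc == BLOCKED and code.startswith("5"):
        return "blocked"          # message bounces; resend after remediation
    if code.startswith("2"):
        return "accepted"
    if code.startswith("4"):
        return "transient-other"  # unrelated temporary failure
    return "permanent-other"      # unrelated permanent failure


def summarize(log_lines):
    """Count outcomes per sending host: {host: {outcome: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not SMTP reply records
        summary[m["host"]][classify_response(m["code"], m["esc"])] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def servers_needing_action(summary):
    """Hosts that saw at least one throttle or block: the out-of-date senders."""
    return sorted(
        host for host, counts in summary.items()
        if counts.get("throttled") or counts.get("blocked")
    )


# Constructed sample log; hostnames and counts are made up for this example.
SAMPLE_LOG = [
    "exch2007.corp.example 250 2.6.0 Queued mail for delivery",
    "exch2007.corp.example 450 4.7.230 Connecting Exchange server version is out-of-date; "
    "connection to Exchange Online throttled for 5 mins/hr. "
    "For more information see https://aka.ms/BlockUnsafeExchange.",
    "exch2007.corp.example 450 4.7.230 Connecting Exchange server version is out-of-date; "
    "connection to Exchange Online throttled for 5 mins/hr. "
    "For more information see https://aka.ms/BlockUnsafeExchange.",
    "exch2013.corp.example 550 5.7.230 Connecting Exchange server version is out-of-date; "
    "connection to Exchange Online blocked for 10 mins/hr. "
    "For more information see https://aka.ms/BlockUnsafeExchange.",
    "exch2019.corp.example 250 2.6.0 Queued mail for delivery",
    "exch2019.corp.example 451 4.4.2 Connection dropped due to SocketError",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host in servers_needing_action(report):
        print(host, report[host])
```

The point of separating 4.7.230 from other 4xx replies is that ordinary transient failures (the constructed 451 4.4.2 line) are not evidence of an out-of-date server, whereas a single 5.7.230 means mail from that host is already bouncing and the server has passed the 30-day throttling window the article describes.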

When will this enforcement action begin?

According to Microsoft, the report will release in private preview this month, and the first affected customers will see the generally available version of the report beginning May 23. Throttling for that first wave will begin in June, and blocking will begin in July.

These steps will be taken progressively for 90 days from initial detection of the unsupported server to 100% blocking, Microsoft says.

However, admins can pause throttling and blocking for up to 90 days per year in the Exchange admin center. Doing so puts the server in report-only mode for the duration specified. Admins can use those 90 days however they want throughout the year, and don’t have to use the entire 90 days consecutively.

Begins with Exchange 2007

The throttling and blocking of old Exchange Servers will eventually apply to all versions and all email coming into Exchange Online, but Microsoft will start with Exchange 2007 servers that connect to Exchange Online over an inbound connector type of OnPremises. This is the oldest version of Exchange from which you can migrate in a hybrid configuration to Exchange Online, Microsoft says.

The company will then incrementally bring Exchange Server versions into the enforcement scope until all versions are included, regardless of how they send mail to Exchange Online.

Microsoft’s intentions

In the Tech Community blog, commenters opined about the reasons behind the move, with some speculating that Microsoft is essentially forcing organizations to migrate to the cloud or pay to continue using Exchange.

However, Chris Goettl, vice president of product management for security products at Ivanti, says this move is another that Microsoft is taking to prevent the malicious use of its solutions. Similar to how the company began blocking macros in Office documents by default, these moves are intended to close security loopholes.

According to Goettl, security researchers have essentially concluded that on-premises Exchange architectures are fundamentally overprivileged and are a security liability.

“There is clear evidence that exchange on prem is not being well maintained by the companies that are still running it,” Goettl says. “When there are thousands of Exchange servers that get exploited within a matter of days when a new exploit comes out, there’s kind of a systemic issue.”

Exchange vulnerabilities are typically among the most commonly exploited security bugs. In fact, two recent research reports from Tenable and Rezilion concluded that Exchange zero days such as ProxyShell and ProxyLogon are still among the most exploited vulnerabilities.

It can sometimes take admins several weeks to patch vulnerabilities like those, but the throttling and blocking action Microsoft is taking is aimed at old, vulnerable Exchange infrastructure.

“So they’re not saying you have to stop using on-prem Exchange and start paying for their online services,” Goettl says. “What they are saying, is if you don’t keep it up to date, they reserve the right to throttle then block you if you’re not keeping the ecosystem secure.”

The post What is Going on With Microsoft Exchange Server Throttling and Blocking? appeared first on My TechDecisions.

Is Your Organization Testing Against the Right Cyber Threats?
https://mytechdecisions.com/network-security/testing-against-cyber-threats/
Wed, 12 Apr 2023 17:06:20 +0000

Ransomware, supply chain attacks and nation-state threat actors have grabbed mainstream headlines in recent years, and organizations are largely recognizing that they must invest more in cybersecurity to defend against those emerging techniques.

However, new research shows that some organizations are prioritizing defending against those trending, newsworthy threats at the expense of the threats actually facing their organization.

According to Mike DeNapoli, director of cybersecurity architecture at security posture management platform Cymulate, organizations are focusing on those headline-grabbing threats too often.

While staying current on new and emerging attack techniques is essential for any IT and security professional, organizations are doing so at the expense of the threats they are more likely to encounter on a daily basis, DeNapoli says.

Citing the company’s “2022 Cybersecurity Effectiveness Report,” DeNapoli says 40% of the exploits vulnerability managers are discovering are over two years old. New attacker tools and techniques such as AI-assisted polymorphic ransomware attacks should of course garner attention, but not at the expense of proven attack vectors.

“(Polymorphic ransomware) is not something we should be ignoring in any way, but at the same time, ProxyShell and ProxyNotShell vulnerabilities are still visible on Exchange Server,” DeNapoli says. “Attackers…are going to go for the low-hanging fruit when it’s available.”

What organizations are testing for vs. what is actually being exploited

According to Cymulate’s research, 40% of the top CVEs identified most by vulnerability management platforms were over two years old, and a significant number of organizations are not testing against more widely recognized threats such as those Exchange Server vulnerabilities and malware such as Emotet.

Other known vulnerabilities in organizations’ environments include poorly configured identity and access management and privileged access management, as well as reliance on legacy infrastructure.

However, the top 10 immediate threats simulated last year share many characteristics, including being carried out by known threat actors; using phishing, watering hole and supply chain attacks; using known attack tools; having a clear motive; and being highly sophisticated and evasive.

Another top characteristic is that they were all abundantly reported on in specialized and mainstream press.

According to Cymulate, the top 10 most tested threats include:

  • Manjusaka: a cyber-attack framework of Chinese origin, likely created for criminal use; it includes Windows and Linux implants and a ready-made command and control server.
  • Powerless Backdoor: a cyber threat popular among Iranian hackers, designed to avoid detection by PowerShell; it can download a browser info stealer and a keylogger, encrypt and decrypt data, execute arbitrary commands, and kill processes.
  • APT 41 targeting U.S. State Governments: a Chinese state-sponsored hacking group that has been targeting US state governments using various tools and techniques such as Acunetix, Nmap, and SQLmap, and attack methods like phishing, watering hole attacks, and supply-chain attacks.
  • Lazarus Phishing Attack on DoD Industry: a phishing campaign carried out by the North Korean hacking group Lazarus, targeting job applicants in the US defense sector with malicious documents containing macros.
  • Industroyer 2: An APT-style malware that specifically targets industrial control systems (ICS) and critical infrastructure. A spinoff of the 2016 attack on the Ukrainian power grid.
  • Spring4Shell: Exploiting the Spring Framework vulnerability (CVE-2022-22965), it allows for remote code execution without authentication.
  • Follina Office Attack: Weaponizing Microsoft vulnerability (CVE-2022-30190), it allows for remote code execution without authentication.
  • Ransomexx: A ransomware-as-a-service (RaaS) model, financially motivated and believed to be related to the Sprite Spider ransomware group based in Russia.
  • Quantum Ransomware: One of the fastest cases of time-to-ransom ever observed with initial access to domain-wide ransomware in just 3 hours and 44 minutes. The initial access vector for this attack was an IcedID payload delivered via email.
  • Mikubot: A new variant of bot malware that is being offered for sale in threat actor forums, written in C++, that works on Windows operating systems from Vista to Windows 11. The malware is standalone and is being sold for $1300 for 1.5 months of access or $2200 for a three-month subscription.

However, the company’s list of most detected vulnerabilities configured by vulnerability management tools includes bugs that keep making appearances in threat research, such as Exchange Server vulnerabilities, PrintNightmare, and others.

  • CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. Used in Follina attacks.
  • CVE-2021-34527 – A remote code execution (RCE) vulnerability that allows threat actors to remotely inject DLLs. Used in conjunction with CVE-2021-1675 in PrintNightmare attacks
  • CVE-2013-3900 – A WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.
  • CVE-2022-2190 – Microsoft HTTP protocol stack remote code execution vulnerability
  • CVE-2021-1675 – Allows an attacker with low access privileges to use a malicious DLL file to escalate privilege. Used in conjunction with CVE-2021-34527 in PrintNightmare Attacks.
  • CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2018-0798 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2018-0802 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2017-11882 – A Microsoft Office memory corruption vulnerability that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.
  • CVE-2022-3786 – A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the ‘.’ character (decimal 46) on the stack and cause a denial of service.

Assess your environment first

When IT and security professionals see these new attacks making headlines, they should first assess whether they have the vulnerable assets in their environment, and if they would be a target of the threat actor, if one was identified.

According to DeNapoli, that means getting a handle on shadow IT and cloud sprawl, which is admittedly difficult to do.

“But, it’s necessary, because if there is something like a Log4J, you don’t know what is running within the environment and it becomes incredibly difficult to determine if you could be attacked by that type of technique,” DeNapoli says. “Having those sort of catalogs or inventories of what’s there and what could be a target is going to help a lot.”

However, organizations should not be ignoring the things that came before, as threat actors have proven that leveraging old vulnerabilities–some of which are more than a decade old–is still successful.

The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog is a prime example of this issue, as 481 of the 914 vulnerabilities on the list are from before 2020.

“Nation-state actors are using this backlog to successfully attack organizations,” DeNapoli says. “Always compare what’s coming out in the news to what you’ve got running to determine if this is something you should deal with immediately, or if it can be put on the backburner in favor of something much more likely to happen.”
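The comparison DeNapoli describes, a current asset inventory checked against a list of known-exploited vulnerabilities, can be automated. The Python below is an added example and is not Cymulate’s, CISA’s or the author’s code. The catalog excerpt uses the field names of CISA’s published KEV JSON feed (cveID, vendorProject, product, dateAdded, knownRansomwareCampaignUse), but the entries’ dates and ransomware flags, the inventory, and the as-of date are all constructed; the CVE identifiers are the ones mentioned in this archive. It goes a step beyond the article by also ranking the matches, with ransomware-linked bugs and the longest-known entries first.

```python
"""Cross-check an asset inventory against a KEV-style catalog and rank the hits.

Added example, not CISA's or Cymulate's code. Field names follow CISA's KEV
JSON feed; the data below is constructed for illustration.
"""
import json
from datetime import date

# Constructed catalog excerpt in the shape of the KEV feed. CVE ids come from
# this article; dateAdded and knownRansomwareCampaignUse values are made up.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2021-07-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2021-11-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2013-3900", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2022-01-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework",
     "dateAdded": "2022-04-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2023-06-13", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: (hostname, vendor, product).
INVENTORY = [
    ("fileshare01", "Microsoft", "Windows"),
    ("laptop-finance-07", "Microsoft", "Office"),
    ("vpn-edge-01", "Fortinet", "FortiOS"),
]

AS_OF = "2023-06-14"  # constructed reference date for age calculations


def load_kev(text=KEV_SAMPLE):
    """Parse a KEV-style JSON document."""
    return json.loads(text)


def cve_year(cve_id):
    """CVE-YYYY-NNNN -> YYYY."""
    return int(cve_id.split("-")[1])


def backlog_share(kev, cutoff_year=2020):
    """(entries whose CVE year predates cutoff_year, total entries)."""
    ids = [v["cveID"] for v in kev["vulnerabilities"]]
    old = sum(1 for c in ids if cve_year(c) < cutoff_year)
    return old, len(ids)


def prioritize(kev, inventory, as_of=AS_OF):
    """Return catalog entries that match an inventoried product, highest priority first."""
    today = date.fromisoformat(as_of)
    owned = {}
    for host, vendor, product in inventory:
        owned.setdefault((vendor.lower(), product.lower()), []).append(host)

    hits = []
    for v in kev["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        if key not in owned:
            continue  # not in our environment: lower priority than anything below
        hits.append({
            "cve": v["cveID"],
            "hosts": owned[key],
            "days_in_catalog": (today - date.fromisoformat(v["dateAdded"])).days,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    # Ransomware-linked entries first, then the ones that have been public longest.
    hits.sort(key=lambda h: (not h["ransomware"], -h["days_in_catalog"]))
    return hits


if __name__ == "__main__":
    catalog = load_kev()
    old, total = backlog_share(catalog)
    print(f"{old} of {total} catalog entries predate 2020")
    for hit in prioritize(catalog, INVENTORY):
        print(hit["cve"], hit["hosts"], f"{hit['days_in_catalog']}d", "ransomware" if hit["ransomware"] else "")
```

Matching on vendor and product only is deliberately coarse: it answers the first question in the article (do we even run the affected software?) and leaves version-level confirmation to the vulnerability scanner. The Spring Framework entry drops out because nothing in the constructed inventory runs it, which is exactly the “put it on the backburner” outcome DeNapoli describes.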

The post Is Your Organization Testing Against the Right Cyber Threats? appeared first on My TechDecisions.

April 2023 Patch Tuesday: CLFS Under Active Attack Again; 10-Year-Old Bug Reissued
https://mytechdecisions.com/network-security/april-2023-patch-tuesday-clfs-under-active-attack-again-10-year-old-bug-reissued/
Tue, 11 Apr 2023 19:16:14 +0000

IT administrators in Microsoft environments have about 100 patches to apply for the April 2023 Patch Tuesday release, including one in Windows Common Log File System Driver that is being actively exploited and another one from 2013 that is being reissued.

The company released patches to fix 97 vulnerabilities in its products, in addition to three Edge bugs patched earlier this month. Of the new patches, 45 fix remote code execution bugs.

Let’s take a look at some of the more serious Microsoft bugs that IT admins should prioritize this month, in addition to others from Apple and Adobe, with information sourced from Microsoft, Zero Day Initiative (ZDI), Tenable, and others.

CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Microsoft lists this bug as under active attack, and it was reported by threat intelligence firm Mandiant, so right away this patch is of elevated importance. Although only rated “important” by Microsoft with a CVSS of 7.2, Microsoft lists the attack complexity and privileges required as low. The company says the bug could allow an attacker to gain SYSTEM privileges. The bug is similar to one patched in CLFS in February, which implies that the first patch wasn’t completely successful.

According to Satnam Narang, senior staff research engineer at vulnerability management firm Tenable, this is also the fourth CLFS elevation of privilege bug exploited in the last two years, dating back to April 2022.

CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability

This is another very important bug to prioritize, as it receives a CVSS score of 9.8 and appears to be very easy to exploit, requiring no user interaction and a low attack complexity. According to Microsoft, a remote unauthenticated attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server, resulting in remote code execution on the server side. The Message Queuing service is disabled by default, but many contact center applications use it.

According to ZDI, the service listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks.

CVE-2023-23384 – Microsoft SQL Server Remote Code Execution Vulnerability

This vulnerability was actually patched in February, but Microsoft is just now documenting the bug. According to ZDI, the patch fixes an out-of-bounds write bug in the SQLcmd tool, which could allow a remote, unauthenticated attacker to execute code with elevated privileges. The CVSS is only 6.4, which ZDI says may be due to a high attack complexity. Organizations running SQL Server should make sure they have both the February and April updates installed.

CVE-2013-3900 – WinVerifyTrust Signature Validation Vulnerability

If you took a look at the CVE number and figured it was just a typo, you’d be wrong. Unfortunately, this decade-old vulnerability is being reissued, likely because it’s being exploited as part of the 3CX attacks. ZDI calls the 2013 patch an “opt-in” fix, meaning that admins had to choose to get the bug patched. The revised patch adds fixes for additional platforms and adds other recommendations for enterprises.

According to Microsoft, an anonymous attacker can exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This is especially dangerous for users with administrative rights.

Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an existing signed file to include malicious code without invalidating the signature. This code would execute in the context of the privilege in which the signed PE file was launched.

In an email attack scenario, an attacker could exploit this vulnerability by sending a user an email message containing the specially crafted PE file and convincing the user to open the file.

There is a lot of information to digest for this bug, so click on the CVE number in this subhead.

Apple Patches

In addition to Microsoft, Apple released fixes for two CVEs last week that were listed as under active attack, including CVE-2023-28205, a use-after-free bug in WebKit that impacts Safari, macOS and iOS. It can lead to code execution at the level of the logged-on user.

The first bug would need to be paired with a privilege escalation flaw to take over a system, and another bug patched by Apple this month does just that, according to ZDI. That bug, CVE-2023-28206, is a privilege escalation in the IOSurfaceAccelerator component in macOS and iOS.

Adobe Patches

Adobe released fixes for 56 vulnerabilities this month, including 16 in Reader alone that could lead to arbitrary code execution if a user is tricked into opening a specially crafted PDF.

The post April 2023 Patch Tuesday: CLFS Under Active Attack Again; 10-Year-Old Bug Reissued appeared first on My TechDecisions.

These Dangerous Vulnerabilities on CISA’s KEV List Are Still Being Widely Exploited
https://mytechdecisions.com/network-security/these-dangerous-vulnerabilities-cisas-kev-list-widely-exploited/
Mon, 03 Apr 2023 18:51:14 +0000
The U.S. Cybersecurity and Infrastructure Security Agency has been keeping an updated list of Known Exploited Vulnerabilities (KEV) that currently includes more than 900 security bugs, with the goal of helping inform organizations about vulnerabilities that should be prioritized.

Despite that awareness campaign and emphasis on vulnerabilities that have been exploited in the wild, new research from software supply chain security company Rezilion shows that there are over 15 million internet-facing instances still vulnerable to bugs in the KEV catalog.

According to Rezilion’s report, the company analyzed the vulnerabilities in the KEV catalog using Shodan and GreyNoise and found that many of them are involved in active campaigns, many of which are being carried out by nation-state actors.

Widely publicized vulnerabilities such as Log4Shell, ProxyLogon, ProxyShell, and bugs in Atlassian Confluence and FortiOS make up some of the most commonly exploited bugs in ongoing campaigns, the company found.

Rezilion’s research found that the most affected products include Microsoft Windows, Adobe Flash Player, Internet Explorer, Google Chromium V8 Engine, Microsoft Office, Microsoft Win32k, Google Chrome, Apple iOS, Exchange Server and other widely used business tools.

The vast majority of the bugs in CISA’s KEV catalog have existing patches, which would indicate that finding systems still susceptible to these issues would be challenging. However, that is far from the case, Rezilion found.

The company’s researchers used Shodan to identify publicly facing assets still vulnerable to the bugs in the KEV catalog, and found vulnerable instances for over 200 of them, amounting to more than 15 million vulnerable instances.

As is often the case with vulnerability remediation, many of the top 10 results in terms of publicly accessible vulnerable instances are several years old, including the Heartbleed vulnerability from 2014, SMBGhost from 2020 and BlueKeep from 2019. Others date back to 2012, 2015 and 2018.

In fact, four of the top 10 bugs are more than five years old, which translates to more than 800,000 machines still exposed to those dangerous vulnerabilities, Rezilion found.

Further, more than 4.5 million internet-facing devices were identified as vulnerable to KEVs discovered between 2010 and 2020, which suggests that users and organizations are still not grasping the dangers of leaving devices unpatched and out of date.

According to Rezilion, the company discovered vulnerable instances for these vulnerabilities, among others:

ProxyShell — CVE-2021-34523, CVE-2021-34473, CVE-2021-31207

  • Shodan appearances: 14,554

ProxyLogon — CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065

  • Shodan appearances: 4,990

Log4Shell — CVE-2021-44228

  • Exploitation attempts in last 30 days: 68

Apache HTTP Server-Side Request Forgery — CVE-2021-40438

  • Shodan appearances: 6.5 million

Heartbleed — CVE-2014-0160

  • Shodan appearances: 190,446

Rezilion recommends that organizations identify vulnerabilities in the KEV catalog in their environment and leverage the list as part of a vulnerability management strategy to identify which vulnerabilities require immediate patching.

“It is important to recognize that assuming all systems are up to date all the time is impractical, particularly in larger and more complex organizations,” Rezilion says in the report. “Therefore, prioritizing patches that matter most is necessary using the two-step process laid out here is important.”

Tenable Launches Cyber Insurance Report, Partners With Insurance Provider
https://mytechdecisions.com/network-security/tenable-cyber-insurance-report-i/
Thu, 16 Feb 2023 16:31:38 +0000
Vulnerability management software provider Tenable is adding a new Cyber Insurance Report within its Tenable Vulnerability Management solution designed to summarize exposure information relevant to cyber insurance providers to help streamline the policy underwriting process for insurers and customers.

According to Tenable, the Cyber Insurance Report will enable insurers, for the first time, to measure preventative security programs by sharing vulnerability data that resides within the firewall. The Cyber Insurance Report is free with a Tenable Vulnerability Management account.

The Columbia, Md.-based company says it has also partnered with Measured Analytics and Insurance on a referral program designed to provide qualifying Tenable customers with savings on cyber insurance policies.

The company says the relationship represents a new data-driven model for the cyber insurance business, with tangible savings offered to customers.

The Tenable Cyber Insurance Report comes as cyber insurance policy premiums are rising and as obtaining a cyber insurance policy is no longer guaranteed. With the Cyber Insurance Report, customers can share data that clearly shows insurers they maintain good security hygiene.

Measured Insurance CEO Jack Vines says the company was founded on the principle that not just any data can be used to underwrite cyber insurance policies.

“By enhancing our AI-driven underwriting models with ‘inside-out’ data from Tenable and other partners, we’re able to build a holistic understanding of a client’s risk profile, which often results in savings on cyber insurance,” Vines says. “Our integrated partner approach provides distinctive insight on risk, making all participants more secure and cyber resilient.”

According to Tenable’s announcement, incident response companies have been major partners for insurance providers investigating claims, but not much has been done to reduce exposure by helping to prevent the core issues that lead to security incidents.

Tenable hopes to provide a way for customers to reduce their exposure and assess their exposure management proficiency with metrics that show how well prepared a company is to prevent a breach rather than simply respond to one.

“Most of the focus to date on assessing cyber risk for cyber insurance policies has been on whether a company has an adequate breach detection and response capability. But incident response means something has already gone wrong,” says Ray Komar, vice president of technical alliances at Tenable. “There’s never been a way for insurers to measure preventive security, until now.”

Cyber insurance policies with Measured are available for qualifying customers in the U.S. only. Tenable will continue to work with insurance partners to further refine data sources and reporting as part of the ongoing program, Tenable says.

Expect ‘Headline-grabbing’ Log4j Attacks in 2023
https://mytechdecisions.com/it-infrastructure/expect-headline-grabbing-log4j-attacks-in-2023/
Wed, 04 Jan 2023 19:49:29 +0000
Organizations should expect to see continued cyberattacks leveraging the Log4Shell vulnerability in 2023, cybersecurity company GreyNoise Intelligence says in a new report.

The Washington, D.C.-based internet scanning traffic analysis firm’s recently released report, the 2022 Mass Exploitation Report, dives deep into the most significant threat detection events of the past year, including touching on CISA’s growing catalog of Known Exploited Vulnerabilities, and other high-profile vulnerabilities in Atlassian and Apache products.

However, the Log4j vulnerability garners significant attention in GreyNoise’s report, with the company saying the full scope of attacks involving the bug will never be known.

There were many high-profile attacks against government, financial institutions, and other organizations, and Log4Shell has found its way into the toolkits of a variety of hacking groups. In fact, the company has published blogs about a few instances, such as when hackers began using the exploit to target the Belgian Defense Ministry in late 2021, ransomware actors leveraging the bug, and a North Korean group using it to hack U.S. energy companies.

While the brunt of Log4Shell activity came in December 2021 and January 2022, GreyNoise warns that organizations should expect to see “persistent internet-facing exploit attempts” as Log4j attack payloads become part of the new background noise of the internet. The exploit code has been baked into numerous hacking kits of threat actors at every level.

“It’s very low risk for attackers to look for newly- or reexposed hosts, with the weakness unpatched or unmitigated,” GreyNoise says in the report. “This means organizations must continue to be deliberate and diligent when placing services on the internet.”

The firm also urges vigilance against post-initial-access internal attacks using the Log4j exploit. CISA’s database of software affected by the vulnerability has stopped receiving regular updates, and about 35% of the roughly 1,550 products are listed as either “unknown” or “still affected.”

“Attackers know what existing products have embedded Log4j weaknesses, such as the popular VMWare Horizon, and have already used the exploit in ransomware campaigns,” the company says in the report. “If you have not yet dealt with your internal Log4j patching, now would be a good time to get that into Q4 2022 and H1 2023 plans.”

According to a July 2022 report from the U.S. Department of Homeland Security’s Cyber Safety Review Board on the Log4j vulnerability, the bug will remain an issue for a decade or more, and GreyNoise seems to concur. The company says to expect “at least a handful of headline-grabbing Log4j-centric attacks” this year.

“Organizations have to strive for perfection, while attackers need only persistence and luck to find that one device/service still exposing this weakness,” the company says. “We will see more organizations impacted by this, and it is vital you do what you can to ensure yours isn’t one of them.”

Microsoft Discovers macOS Security Bypass Bug
https://mytechdecisions.com/network-security/microsoft-macos-security-bypass-bug/
Thu, 22 Dec 2022 17:57:45 +0000
Microsoft says it has uncovered a vulnerability in macOS that could allow attackers to bypass restrictions imposed by Apple’s Gatekeeper security mechanism, which is designed to ensure that only trusted apps run on the company’s devices.

According to Microsoft’s Security Threat Intelligence team, the vulnerability, which it calls Achilles, could allow attackers to bypass Gatekeeper and use it as a vector of initial access for malware and other threats, increasing the success rate of malicious campaigns and attacks on macOS.

Apple addressed the CVE-2022-42821 issue in several macOS products after Microsoft shared the vulnerability with the company in July, but Microsoft notes that Apple’s Lockdown Mode in macOS Ventura does not defend against Achilles since it only protects against zero-click remote code execution exploits.

In a blog, Microsoft says many macOS infections are due to users running malware inadvertently as a result of fake app bundles that masquerade as different apps or legitimate files. To combat that infection vector, Apple uses security mechanisms when downloading apps from a browser that assign a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or other mitigations designed to prevent sandbox escapes.

Apple, in recent years, has improved its security policies, with the current Gatekeeper design prompting users to give their consent if the app is validly approved by Apple, or preventing the app from running otherwise.

Microsoft says extended attributes are a filesystem feature supported on common macOS filesystems, such as APFS and HFS+, and their main purpose is to save file metadata.

While Gatekeeper is a helpful security feature that is effective at blocking untrusted downloaded files and apps, there have been numerous bypass techniques targeting the feature in the past, Microsoft says. Such bypasses could have “dire implications,” as malware authors sometimes leverage those techniques for initial access.

In fact, Microsoft calls out two Gatekeeper bypass approaches observed in recent years, including misusing the com.apple.quarantine extended attribute assignment and finding a vulnerability in the components that enforce policy checks on quarantined files.

Microsoft lists six total Gatekeeper bypass bugs discovered over the last several years, including one, CVE-2021-1810, which intrigued researchers and got them thinking about what mechanism could be leveraged in archives. That vulnerability exploited a flaw in the assignment of the quarantine attribute: paths longer than 886 characters were not assigned extended attributes.

“Therefore, creating a symbolic link that points to an app that resides in a long path results in a Gatekeeper bypass,” Microsoft researchers say.

With symbolic links not assigned quarantine attributes, it was possible to completely bypass Gatekeeper.

With that knowledge, Microsoft researchers began looking for a mechanism that could persist different kinds of metadata over archives. They eventually discovered a way to persist important file metadata through AppleDouble. Microsoft describes the mechanism as such:

Even though extended attributes are common on different filesystems, they might be implemented differently or even not supported, so copying files with their metadata becomes a challenging task. To solve this problem, back in 1994, Apple introduced the concept of AppleSingle and AppleDouble formats. In a nutshell, AppleSingle is a binary blob that is added as a part of the original file contents so that there’s only a “single” file to process, whereas AppleDouble saves the metadata in a different file side-by-side next to the original file, with a “._” prefix.

Researchers began looking into how they could use AppleDouble to trick Gatekeeper, and narrowed in on Access Control Lists (ACLs), a mechanism in macOS that extends the traditional permission model and allows fine-grained permissions on files and directories. That includes controlling the ability to write attributes and extended attributes to the file, as well as setting ACLs on the file, and more.

Researchers began adding very restrictive ACLs to downloaded files, which prohibited Safari or other programs from setting new extended attributes, including the com.apple.quarantine attribute.

Microsoft describes the exploitation steps as follows:

  1. Create a fake directory structure with an arbitrary icon and payload.
  2. Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
  3. Create an archive with the application alongside its AppleDouble file and host it on a web server.

Fake apps are still one of the top entry vectors on macOS, and Gatekeeper bypasses are a useful tool used by attackers, Microsoft researchers say.

“Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues—regardless of the platform or device in use,” the company says.
