
Threat actors already are exploiting the vulnerability, dubbed ‘Follina’ and first identified back in April, to target organizations in Russia and Tibet, researchers said.


CISA Log4Shell warning: Patch VMware Horizon installations immediately


CISA warns of log4shell being actively exploited to compromise VMware Horizon systems. We take a look at their warning.

CISA and the United States Coast Guard Cyber Command (CGCYBER) are warning that the threat of Log4Shell hasn’t gone away. It’s being actively exploited and used to target organisations using VMware Horizon and Unified Access Gateway servers.

Log4Shell: what is it?

Log4Shell was a zero-day vulnerability in something called Log4j. This open source logging library written in Java is used by millions of applications, many of them incredibly popular. The easy-to-trigger attack could be used to perform remote code execution (RCE) on vulnerable systems. If successful, attackers could gain full control over a target system. If they managed to have affected apps log a special string, then it was a case of game over: the system(s) at this point would be ripe for exploitation.

Discovered in November 2021, the exploit was estimated to potentially affect hundreds of millions of devices. With so much potential for damage, fixes were quickly developed and released on December 6, three days before the vulnerability was published.

Related bugs and additional vulnerabilities were also discovered and subsequently patched.

Broadening Log4Shell’s horizons

According to CISA and CGCYBER, Log4Shell has been used to exploit unpatched, public-facing VMware Horizon and UAG servers. Suspected APT threat actors…

…implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.

Attackers not only make use of malware and HTTP, but also PowerShell scripts and Remote Desktop Protocol (RDP). In the latter’s case, this was to further move around the network and other hosts inside the organisation’s production environment.

Compromised administrator accounts were used to run several additional forms of loader malware. Here are some of the samples found by CISA during one investigation:

  • SvcEdge.exe is a malicious Windows loader containing encrypted executable f7_dump_64.exe. When executed, SvcEdge.exe decrypts and loads f7_dump_64.exe into memory.
  • odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory.
  • praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory.
  • fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory.
  • winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. winds.exe has complex obfuscation, hindering the analysis of its code structures.

Advice for securing installations

CISA/CGCYBER are quite clear about this. Organisations which haven’t applied patches released back in December should treat any and all affected VMware systems as compromised:

  • Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
  • Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
  • See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
  • Note: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
  • If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.
  • Prior to implementing any temporary solution, ensure appropriate backups have been completed.
  • Verify successful implementation of mitigations by executing the vendor-supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details.

Log4Shell, rated a 10 in the Common Vulnerability Scoring System (CVSS), is not to be trifled with. We advise affected organisations to pay heed to the warnings above and set about patching as soon as possible.


Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug


The APT is pairing a known Microsoft flaw with a malicious document to load malware that steals credentials from Chrome, Firefox and Edge browsers.


Discovery of 56 OT Device Flaws Blamed on Lackluster Security Culture


Researchers found 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors, most of which they have attributed to inherent design flaws in equipment and a lax approach to security and risk management that have been plaguing the industry for decades, they said.

The vulnerabilities, found in devices by reputed vendors Honeywell, Emerson, Motorola, Siemens, JTEKT, Bentley Nevada, Phoenix Contact, Omron and Yokogawa as well as an unnamed manufacturer, vary in terms of their characteristics and what they allow threat actors to do, according to the research from Forescout’s Vedere Labs.

However, overall the “impact of each vulnerability is highly dependent on the functionality each device offers,” according to a blog post about the flaws published Tuesday.

Researchers broke down the type of flaw that they found in each of the products into four basic categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; or remote code execution via native functionality.

Among the activities that threat actors can engage in by exploiting the flaws on an affected device are: remote code execution (RCE), with code executed in different specialized processors and different contexts within a processor; denial of service (DoS) that can take a device completely offline or block access to a certain function; file/firmware/configuration manipulation that allows an attacker to change important aspects of a device; credential compromise allowing access to device functions; or authentication bypass that allows an attacker to invoke desired functionality on the target device, researchers said.

Systemic Problem

That the flaws, which researchers collectively dubbed OT:ICEFALL in a reference to Mount Everest and the mountain device makers need to climb in terms of security, exist in key devices in networks that control critical infrastructure is in and of itself bad enough.

However, what is worse is that the flaws could have been avoided, as 74 percent of the product families affected by the vulnerabilities have some form of security certification and thus were verified before being sent to market, researchers found. Moreover, most of them should have been discovered “relatively quickly during in-depth vulnerability discovery,” they noted.

This free pass OT vendors have been giving to vulnerable products demonstrates a persistent lackluster effort by the industry as a whole when it comes to security and risk management, something researchers hope to change by shining a light on the problem, they said.

“These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them,” researchers wrote in the post. “The goal [of our research] is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.”

Security Paradox

Indeed, security professionals also noted the paradox of the lax security strategy of vendors in a field that produces the systems running critical infrastructure, attacks on which can be catastrophic not just for the networks on which the products exist but for the world at large.

“One might incorrectly assume that the industrial control and operational technology devices that perform some of the most vital and sensitive tasks in critical infrastructure environments would be among the most heavily secured systems in the world, yet the reality is often the exact opposite,” noted Chris Clements, vice president of solutions architecture for Cerberus Sentinel, in an email to Threatpost.

Indeed, as evidenced by the research, “too many devices in these roles have security controls that are frighteningly easy for attackers to defeat or bypass to take complete control of the devices,” he said.

The findings of researchers are yet another signal that the OT industry “is experiencing a long overdue cybersecurity reckoning” that vendors must address first and foremost by integrating security at the most basic level of production before proceeding further, Clements observed.

“Manufacturers of sensitive operational technology devices must adopt a culture of cybersecurity that starts at the very beginning of the design process but continues through to validating the resulting implementation in the final product,” he said.

Challenges to Risk Management

Researchers outlined some of the reasons for the inherent issues with security design and risk management in OT devices that they suggest manufacturers remedy in swift fashion.

One is the lack of uniformity in terms of functionality across devices, which means that their inherent lack of security also varies widely and makes troubleshooting complicated, they said. For instance, in investigating three main pathways to gaining RCE on level 1 devices via native functionality (logic downloads, firmware updates and memory read/write operations), researchers found that individual technologies handled these pathways differently.

None of the systems analyzed support logic signing, and more than 50 percent compiled their logic to native machine code, they found. Moreover, 62 percent of the systems accept firmware downloads via Ethernet, while only 51 percent have authentication for this functionality.

Meanwhile, sometimes the inherent insecurity of the device was not directly the fault of the manufacturer but that of “insecure-by-design” components in the supply chain, which further complicates how manufacturers manage risk, researchers found.

“Vulnerabilities in OT supply chain components tend to not be reported by every affected manufacturer, which contributes to the difficulties of risk management,” they said.

Long Road Ahead

Indeed, managing risk in OT and IT devices and systems alike requires “a common language of risk,” something that is difficult to achieve with so many inconsistencies across vendors and their security and production strategies in an industry, noted Nick Sanna, CEO of RiskLens.

To remedy this, he suggested vendors quantify risk in financial terms, which can enable risk managers and plant operators to prioritize decision-making on “responding to vulnerabilities – patching, adding controls, increasing insurance – all based on a clear understanding of loss exposure for both IT and operational assets.”

However, even if vendors begin to address the fundamental challenges that have created the OT:ICEFALL scenario, they face a very long road ahead to mitigate the security problem comprehensively, Forescout researchers said.

“Complete protection against OT:ICEFALL requires that vendors address these fundamental issues with changes in device firmware and supported protocols and that asset owners apply the changes (patches) in their own networks,” they wrote. “Realistically, that process will take a very long time.”
