Binary Check Ad Blocker Security News

The pandemic isn’t the only thing shaking up development organizations. Application security is a top concern and security work is “shifting left” and becoming more intertwined with development. In this podcast, Security Ledger Editor in Chief Paul Roberts talks about it with Jonathan Hunt, Vice President of Security at the firm GitLab.


Even before the COVID pandemic set upon us, the information security industry was being transformed. Security was long a matter of hardening organizations to threats and attacks. The goal was “layered defenses” starting with firewalls and gateway security servers and access control lists to provide hardened network perimeter and intrusion detection and endpoint protection software to protect IT assets within the perimeter. 

Spotlight: Synopsys on democratizing Secure Software Development

Security Shifting Left

Jonathan Hunt is the Vice President of Security at GitLab

These days, however,  security is “shifting left” – becoming part and parcel of the development process. “DEVSECOPS”  marries security processes like code analysis and vulnerability scanning to agile application development in a way that results in more secure products. 

That shift is giving rise to a whole new type of security firm, including the likes of GitLab, a web-based DevOps lifecycle tool and Git-repository manager that is steadily building its roster of security capabilities. What does it mean to be a security provider in the age of DEVSECOPS and left-shifted security?

Application Development and COVID

To answer these questions, we invited Jonathan Hunt, the Vice President of Security at GitLab into the Security Ledger studio to talk about it. In this conversation, Jonathan and I talk about what it means to shift security left and marry security processes like vulnerability scanning and fuzzing with development in a seamless way. 

Spotlight Podcast: Intel’s Matt Areno – Supply Chain is the New Security Battlefield

We also discuss how the COVID pandemic has shaken up development organizations – including GitLab itself – and how the changes wrought by COVID may remain long after the virus itself has been beaten back. 


As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 

Keyboard to the internet
cisco ios xr exploit

Cisco yesterday released security patches for two high-severity vulnerabilities affecting its IOS XR software that were found exploited in the wild a month ago.

Tracked as CVE-2020-3566 and CVE-2020-3569, details for both zero-day unauthenticated DoS vulnerabilities were made public by Cisco late last month when the company found hackers actively exploiting Cisco IOS XR Software that is installed on a range of Cisco’s carrier-grade and data center routers.

Both DoS vulnerabilities resided in Cisco IOS XR Software’s Distance Vector Multicast Routing Protocol (DVMRP) feature and existed due to incorrect implementation of queue management for Internet Group Management Protocol (IGMP) packets on affected devices.

IGMP is a communication protocol typically used by hosts and adjacent routers to efficiently use resources for multicasting applications when supporting streaming content such as online video streaming and gaming.

“These vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing and it is receiving DVMRP traffic,” Cisco said in an advisory.

“An administrator can determine whether multicast routing is enabled on a device by issuing the show igmp interface command.”

cisco software update

Successful exploitation of these vulnerabilities could allow remote unauthenticated hackers to send specially crafted IGMP packets to affected devices to either immediately crash the IGMP process or exhaust process memory and eventually crash.

The memory consumption may negatively result in instability of other processes running on the device, including routing protocols for both internal and external networks.

The vulnerabilities affect all Cisco devices running any release of Cisco IOS XR Software if an active interface is configured under multicast routing, and it is receiving DVMRP traffic.

At the time Cisco initially made these vulnerabilities public, the company provided some mitigation to resolve the issues and block the active exploitation attempts, but now it has finally released Software Maintenance Upgrades (SMUs) to address the vulnerabilities completely.

cisco software update

“Although there are no workarounds for these vulnerabilities, there are multiple mitigations available to customers depending on their needs,” the company said.

“When considering mitigations, it should be understood that for the memory exhaustion case, the rate limiter and the access control methods are effective. For the immediate IGMP process crash case, only the access control method is effective.”

Cisco customers are highly recommended to make sure they are running the latest Cisco IOS XR Software release earlier than 6.6.3 and Cisco IOS XR Software release 6.6.3 and later.

Binary Check Ad Blocker Security News
indian-army-virus

Cybersecurity researchers uncovered fresh evidence of an ongoing cyberespionage campaign against Indian defense units and armed forces personnel at least since 2019 with an aim to steal sensitive information.

Dubbed “Operation SideCopy” by Indian cybersecurity firm Quick Heal, the attacks have been attributed to an advanced persistent threat (APT) group that has successfully managed to stay under the radar by “copying” the tactics of other threat actors such as the SideWinder.

Exploiting Microsoft Equation Editor Flaw

The campaign’s starting point is an email with an embedded malicious attachment — either in the form of a ZIP file containing an LNK file or a Microsoft Word document — that triggers an infection chain via a series of steps to download the final-stage payload.

Aside from identifying three different infection chains, what’s notable is the fact that one of them exploited template injection and Microsoft Equation Editor flaw (CVE-2017-11882), a 20-year old memory corruption issue in Microsoft Office, which, when exploited successfully, let attackers execute remote code on a vulnerable machine even without user interaction.

Microsoft addressed the issue in a patch released in November 2017.

As is often the case with such malspam campaigns, the attack relies on a bit of social engineering to bait the user into opening a seemingly realistic Word document that claims to be about the Indian government’s defense production policy.

What’s more, the LNK files have a double extension (“Defence-Production-Policy-2020.docx.lnk”) and come with document icons, thereby tricking an unsuspecting victim into opening the file.

Once opened, the LNK files abuse “mshta.exe” to execute malicious HTA (short for Microsoft HTML Applications) files that are hosted on fraudulent websites, with the HTA files created using an open-sourced payload generation tool called CACTUSTORCH.

A Multi-stage Malware Delivery Process

The first stage HTA file includes a decoy document and a malicious .NET module that executes the said document and downloads a second-stage HTA file, which in turn checks for the presence of popular antivirus solutions before copying Microsoft’s credential back and restore utility (“credwiz.exe”) to a different folder on the victim machine and modifying the registry to run the copied executable every time upon startup.

Consequently, when this file gets executed, not only does it side-load a malicious “DUser.dll” file, it also launches the RAT module “winms.exe,” both of which are obtained from the stage-2 HTA.

“This DUser.dll will initiate the connection over this IP address ‘173.212.224.110’ over TCP port 6102,” the researchers said.

“Once successfully connected, it will […] then proceed for performing various operations based on the command received from C2. For example, if C2 sends 0, then it collects the Computer Name, Username, OS version etc. and sends it back to C2.”

cyber attack vector

Stating the RAT shared code-level similarities with Allakore Remote, an open-sourced remote-access software written in Delphi, Quick Heal’s Seqrite team noted that the Trojan employed Allakore’s RFB (remote frame buffer) protocol to exfiltrate data from the infected system.

Possible Links to Transparent Tribe APT

In addition, a few attack chains are also said to have dropped a previously unseen .NET-based RAT (called “Crimson RAT” by Kaspersky researchers) that comes equipped with a wide range of capabilities, including access files, clipboard data, kill processes, and even execute arbitrary commands.

Although the modus operandi of naming DLL files shares similarities with the SideWinder group, the APT’s heavy reliance on the open-sourced toolset and an entirely different C2 infrastructure led the researchers to conclude with reasonable confidence that the threat actor is of Pakistani origin — specifically the Transparent Tribe group, which has been recently linked to several attacks targeting the Indian military and government personnel.

“Thus, we suspect that the actor behind this operation is a sub-division under (or part of) Transparent-Tribe APT group and are just copying TTPs of other threat actors to mislead the security community,” Quick Heal said.

Keyboard to the internet
chinese-hackers

Cybersecurity researchers on Tuesday uncovered a new espionage campaign targeting media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S., and China.

Linking the attacks to Palmerworm (aka BlackTech) — likely a China-based advanced persistent threat (APT) — Symantec’s Threat Hunter Team said the first wave of activity associated with this campaign began last year in August 2019, although their ultimate motivations still remain unclear.

“While we cannot see what Palmerworm is exfiltrating from these victims, the group is considered an espionage group and its likely motivation is considered to be stealing information from targeted companies,” the cybersecurity firm said.

Among the multiple victims infected by Palmerworm, the media, electronics, and finance companies were all based in Taiwan, while an engineering company in Japan and a construction firm in China were also targeted.

In addition to using custom malware to compromise organizations, the group is said to have remained active on the Taiwanese media company’s network for a year, with signs of activity observed as recently as August 2020, potentially implying China’s continued interest in Taiwan.

cyberattacks

This is not the first time the BlackTech gang has gone after business in East Asia. A 2017 analysis by Trend Micro found the group to have orchestrated three campaigns — PLEAD, Shrouded Crossbow, and Waterbear — with an intent to steal confidential documents and the target’s intellectual property.

Stating that some of the identified malware samples matched with PLEAD, the researchers said they identified four previously undocumented backdoors (Backdoor.Consock, Backdoor.Waship, Backdoor.Dalwit, and Backdoor.Nomri), indicating “they may be newly developed tools, or the evolution of older Palmerworm tools.”

The brand new custom malware toolset alone would have made the attribution difficult if it were not for the use of dual-use tools (such as Putty, PSExec, SNScan, and WinRAR) and stolen code-signing certificates to digitally sign its malicious payloads and thwart detection, a tactic that it has been found to employ before.

Another detail that’s noticeably not too clear is the infection vector itself, the method Palmerworm has used to gain initial access to the victim networks. The group, however, has leveraged spear-phishing emails in the past to deliver and install their backdoor, either in the form of an attachment or through links to cloud storage services.

“APT groups continue to be highly active in 2020, with their use of dual-use tools and living-off-the-land tactics making their activity ever harder to detect, and underlining the need for customers to have a comprehensive security solution in place that can detect this kind of activity,” Symantec said.

Binary Check Ad Blocker Security News

Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.

The services provided by CHSPSC to the health care facilities included legal, compliance, accounting, operations, human resources, information technology, and health information management. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, the hackers continued for several months to access and exfiltrate the protected health information (PHI) of some six million individuals. The information obtained included names, gender, dates of birth, phone numbers, Social Security numbers, emails, ethnicity, and emergency contact information.

OCR’s investigation found longstanding systemic noncompliance with HIPAA at CHSPSC, including failure to conduct a risk analysis as well as failures to implement information system activity reviews, security incident procedures, and access controls. OCR was particularly critical of the organization’s failure to implement security protections even after being notified by the FBI of the potential breach. Apart from the significant monetary penalty, CHSPSC must comply with a corrective action plan (CAP) that includes the following: development of an internal monitoring plan; completion of an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic systems, data systems, programs and applications that involve ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must meet with the approval of the Department of Health & Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.

Binary Check Ad Blocker Security News
cybersecurity webinar

I am sure that many of you have by now heard of a recently disclosed critical Windows server vulnerability—called Zerologon—that could let hackers completely take over enterprise networks.

For those unaware, in brief, all supported versions of the Windows Server operating systems are vulnerable to a critical privilege escalation bug that resides in the Netlogon Remote Control Protocol for Domain Controllers.

In other words, the underlying vulnerability (CVE-2020-1472) could be exploited by an attacker to compromise Active Directory services, and eventually, the Windows domain without requiring any authentication.

What’s worse is that a proof-of-concept exploit for this flaw was released to the public last week, and immediately after, attackers started exploiting the weakness against unpatched systems in the wild.

zerologon

As described in our coverage based on a technical analysis published by Cynet security researchers, the underlying issue is Microsoft’s implementation of AES-CFB8, where it failed to use unique, random salts for these Netlogon messages.

The attacker needs to send a specially crafted string of zeros in Netlogon messages to change the domain controller’s password stored in the Active Directory.

For THN readers willing to learn more about this threat in detail, including technical information, mitigations, and detection techniques, they should join a live webinar (register here) with Aviad Hasnis, CTO at Cynet.

The free cybersecurity educational webinar is scheduled for September 30th at 5:00 PM GMT, and also aims to discuss exploits deployed in the wild to take advantage of this vulnerability.

Besides this, the Cynet team has also released a free detection tool that alerts you to any Zerologon exploitation in your environment.

Register for the live webinar here.

Binary Check Ad Blocker Security News
red-team-pentest

What is the difference between a penetration test and a red team exercise? The common understanding is that a red team exercise is a pen-test on steroids, but what does that mean?

While both programs are performed by ethical hackers, whether they are in-house residents or contracted externally, the difference runs deeper.

In a nutshell, a pen-test is performed to discover exploitable vulnerabilities and misconfigurations that would potentially serve unethical hackers. They primarily test the effectiveness of security controls and employee security awareness.

The purpose of a red team exercise, in addition to discovering exploitable vulnerabilities, is to exercise the operational effectiveness of the security team, the blue team. A red team exercise challenges the blue team’s capabilities and supporting technology to detect, respond, and recover from a breach. The objective is to improve their incident management and response procedures.

The challenge with pen-testing and red team exercises is that they are relatively high-resource intensive. A pen test can run for 1 to 3 weeks and a red team exercise for 4 to 8 weeks and are typically performed annually, if at all.

Today’s cyber environment is one of rapid and constant change. It is driven by evolving threats and adversarial tactics and techniques, and by the accelerated rate of change in IT and adaptations to the security stack. This has created a need for frequent security testing and demand for automated and continuous security validation or breach and attack simulation (BAS).

These solutions discover and help remediate exploitable vulnerabilities and misconfigurations, and they can be performed safely in the production environment. They enable security teams to measure and improve the operational effectiveness of their security controls more frequently than pen-testing. But can they be used in a red team exercise?

There are two approaches that need to be considered. The first, red team automation, has the obvious advantage of increasing the operational efficiency of a red team. It enables them to automate repetitive and investigative actions, identify exploitable weaknesses and vulnerabilities, and it provides them a good picture of what they are up against, fast.

In principle, this is not too far from what BAS provides today by supporting a broad set of attack simulations and providing a rich library of atomic executions codified to the MITRE ATT&CK framework. They even provide red teams the capability to craft their own executions. Red team automation can support red team activities, but the value is limited, and most red teams have their own set of homegrown tools developed for the same purpose.

A new approach, red team simulation, takes these capabilities a step further. It enables a red team to create complex attack scenarios that execute across the full kill chain, basically creating custom APT flows. Instead of executing a bank of commands to find a weakness, it performs a multi-path, sequenced flow of executions.

The primary advantage of this approach is that it incorporates logic into the flow. As the simulation progresses, it leverages the findings of previous executions in addition to external data sources and tools. It will even download tools on a target machine, based on the dependencies of an execution.

For example, a sample flow could include Mimikatz providing credential input to a PSexec based technique and drop to disk PSexec on the target machine if it’s missing. A red team simulation can include all the stages of an attack from initial access to impact and even reconnaissance performed in the pre-attack stage.

The benefits of red team simulation extend beyond operational efficiency for both in-house red teams and companies that provide red team services. Scenarios can be replayed to validate lessons learned from previous exercises. Red teams that operate in global companies can cover more geographies.

Even with red team simulation, the human factor remains key in assessing the result of an exercise and providing guidance to improve incident management and response procedures, but it makes red team exercises accessible and achievable to a larger market, where cost is a limiting factor.

For more information, visit www.cymulate.com and register for a Free Trial.

Binary Check Ad Blocker Security News
windows xp source code download

Microsoft’s long-lived operating system Windows XP—that still powers over 1% of all laptops and desktop computers worldwide—has had its source code leaked online, allegedly, along with Windows Server 2003.

Yes, you heard that right.

The source code for Microsoft’s 19-year-old operating system was published as a torrent file on notorious bulletin board website 4chan, and it’s for the very first time when source code for Microsoft’s operating system has been leaked to the public.

Several reports suggest that the collection of torrent files, which weigh 43GB in size, also said to include the source code for Windows Server 2003 and several Microsoft’s older operating systems, including:

  • Windows 2000
  • Windows CE 3
  • Windows CE 4
  • Windows CE 5
  • Windows Embedded 7
  • Windows Embedded CE
  • Windows NT 3.5
  • Windows NT 4
  • MS-DOS 3.30
  • MS-DOS 6.0

The torrent download also includes the alleged source code for various Windows 10 components that appeared in 2017 and source code for the first operating system of the original Xbox that appeared online in May.

While Microsoft has not officially confirmed or denied the leak yet, several independent security researchers have since begun analyzing the source code and spoken of its legitimacy (1, 2).

Using the name billgates3, the leaker claims to have compiled the collection of leaked Microsoft source code over the course of the last few months.

The leaker also said that many Microsoft operating system source code files had been passed around privately between hackers for years.

So, the leaker decided to share the source code to the public, saying that “information should be free and available to everyone.”

“I created this torrent for the community, as I believe information should be free and available to everyone, and hoarding information for oneself and keeping it secret is an evil act in my opinion,” the leaker said, adding that the company “claims to love open source so then I guess they’ll love how open this source code is now that it’s passed around on BitTorrent.”

Besides containing source code, the torrent also includes a media folder (files and videos) related to conspiracy theories about Bill Gates.

The leaked source code should not come as a surprise as Microsoft does have a history of providing its OS source code to governments worldwide via a special Government Security Program (GSP) the company runs that allows governments and organizations controlled access to the source code.

Needless to say, Microsoft ended its support for Windows XP back in 2014, so its source code leak doesn’t make the systems running the outdated OS version more of a target, because there’s probably a ton of other unpatched vulnerabilities already exist.

But since operating systems may share code, exploitable flaws found in the Windows XP source code still present in Windows 10 can allow hackers to target newer versions of Windows operating system altogether, which would be a real threat to billions of users.

Binary Check Ad Blocker Security News
Fortigate-VPN-security

As the pandemic continues to accelerate the shift towards working from home, a slew of digital threats have capitalized on the health concern to exploit weaknesses in the remote work infrastructure and carry out malicious attacks.

Now according to network security platform provider SAM Seamless Network, over 200,000 businesses that have deployed the Fortigate VPN solution—with default configuration—to enable employees to connect remotely are vulnerable to man-in-the-middle (MitM) attacks, allowing attackers to present a valid SSL certificate and fraudulently take over a connection.

“We quickly found that under default configuration the SSL VPN is not as protected as it should be, and is vulnerable to MITM attacks quite easily,” SAM IoT Security Lab’s Niv Hertz and Lior Tashimov said.

“The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a man-in-the-middle attack.”

To achieve this, the researchers set up a compromised IoT device that’s used to trigger a MitM attack soon after the Fortinet VPN client initiates a connection, which then steals the credentials before passing it to the server and spoofs the authentication process.

SSL certificate validation, which helps vouch for the authenticity of a website or a domain, typically works by verifying its validity period, digital signature, if it was issued by a certificate authority (CA) that it can trust, and if the subject in the certificate matches with the server the client is connecting to.

The problem, according to the researchers, lies in the use of default self-signed SSL certificates by companies.

Given that every Fortigate router comes with a default SSL certificate that is signed by Fortinet, that very certificate can be spoofed by a third-party as long as it’s valid and issued either by Fortinet or any other trusted CA, thus allowing the attacker to re-route traffic to a server their control and decrypt the contents.

The main reason for this is that the bundled default SSL certificate uses the router’s serial number as the server name for the certificate. While Fortinet can use the router’s serial number to check if the server names match, the client appears to not verify the server name at all, resulting in fraudulent authentication.

In one scenario, the researchers exploited this quirk to decrypt the traffic of the Fortinet SSL-VPN client and extract the user’s password and OTP.

“An attacker can actually use this to inject his own traffic, and essentially communicate with any internal device in the business, including point of sales, sensitive data centers, etc,” the firm said. “This is a major security breach that can lead to severe data exposure.”

For its part, Fortinet said it has no plans to address the issue, suggesting that users can manually replace the default certificate and ensure the connections are safe from MitM attacks.

Fortigate VPN

Currently, Fortinet provides a warning when using the default certificate: “You are using a default built-in certificate, which will not be able to verify your server’s domain name (your users will see a warning). It is recommended to purchase a certificate for your domain and upload it for use.”

“The Fortigate issue is only an example of the current issues with security for the small-medium businesses, especially during the epidemic work-from-home routine,” Hertz and Tashimov noted.

“These types of businesses require near enterprise grade security these days, but do not have the resources and expertise to maintain enterprise security systems. Smaller businesses require leaner, seamless, easy-to-use security products that may be less flexible, but provide much better basic security.”

UPDATE: In a statement provided to The Hacker News, the company said: “The security of our customers is our first priority. This is not a vulnerability. Fortinet VPN appliances are designed to work out-of-the-box for customers so that organizations are enabled to set up their appliance customized to their own unique deployment.”

“Each VPN appliance and the set up process provides multiple clear warnings in the GUI with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples. Fortinet strongly recommends adhering to its provided installation documentation and process, paying close attention to warnings throughout that process to avoid exposing the organization to risk.”

Binary Check Ad Blocker Security News

Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems.

Developed by a German company, FinSpy is extremely powerful spying software that is being sold as a legal law enforcement tool to governments around the world but has also been found in use by oppressive and dubious regimes to spy on activists.

FinSpy, also known as FinFisher, can target both desktop and mobile operating systems, including Android, iOS, Windows, macOS, and Linux, to gain spying capabilities, including secretly turning on their webcams and microphones, recording everything the victim types on the keyboard, intercepting calls, and exfiltration of data.

According to the human rights organization Amnesty International, the newly discovered campaign is not linked to ‘NilePhish,’ a hacking group known for attacking Egyptian NGOs in a series of attacks, involving an older version of FinSpy, phishing technique, and malicious Flash Player downloads.

finspy malware for linux hacking
finspy malware for macos hacking

Instead, the new versions of FinSpy for Linux and macOS, along with Android and Windows, were used by a new unknown hacking group, which they believe is state-sponsored and active since September 2019.

Uploaded on VirusTotal, all new malware samples were discovered as part of an ongoing effort by Amnesty International to actively track and monitor NilePhish’s activities.

The new binaries are obfuscated and stop malicious activities when it finds itself running on a virtual machine to make it challenging for experts to analyze the malware.

Moreover, even if a targeted smartphone isn’t rooted, the spyware attempts to gain root access using previously disclosed exploits.

“The modules available in the Linux sample are almost identical to the MacOS sample,” the researchers said.

“The modules are encrypted with the AES algorithm and compressed with the aplib compression library. The AES key is stored in the binary, but the IV is stored in each configuration file along with a MD5 hash of the final decompressed file.”

“The spyware communicates with the Command & Control (C&C) server using HTTP POST requests. The data sent to the server is encrypted using functions provided by the 7F module, compressed using a custom compressor, and base64 encoded.”

Meanwhile, the researchers have also provided indicators of compromise (IoC) to help researchers further investigate these attacks and users check whether their machines are among compromised ones.

Kaspersky researchers last year revealed a similar cyber-espionage campaign where ‘then-new’ FinSpy implants for iOS and Android were being used to spy on users from Myanmar.