Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • RockYou2024: Massive Password Leak Exposes 10 Billion Passwords

    RockYou2024: Massive Password Leak Exposes 10 Billion Passwords

    A recent investigation by Cybernews has uncovered a staggering leak of nearly 10 billion unique passwords on a cybercrime forum, posing a significant threat to online users worldwide. The leak, described as the largest password compilation ever, was posted by a user named ‘ObamaCare’ on July 4. This user, who joined the forum in late May 2024, has previously shared sensitive information from other breaches.

    The compromised data, stored in a file titled ‘rockyou2024,’ consists of passwords from both old and new data breaches. This file expands on a previous compilation from 2021 known as RockYou2021, which contained 8.4 billion passwords. The new dataset adds another 1.5 billion passwords, representing a 15% increase from 2021 to 2024. Researchers believe this latest iteration includes information from over 4,000 databases collected over more than two decades.

    In January 2024, Cybernews also discovered a 12TB database of 26 billion records exposed online from previous breaches, highlighting the vast scale of leaked data circulating on the internet.

    Internet Users at Risk of Credential Stuffing Attacks

    The researchers warned that the publicly available compilation puts affected users at significant risk of brute-force attacks, such as credential stuffing. These attacks involve using automated scripts to try numerous password combinations to gain unauthorized access to accounts.

    “Combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the researchers explained.

    Credential stuffing attacks are a common method used by cybercriminals, ransomware affiliates, and state-sponsored hackers to exploit compromised credentials and access systems and services. The sheer volume of passwords in the RockYou2024 leak substantially heightens the risk of such attacks.

    In October 2023, DNA testing firm 23andMe fell victim to a credential stuffing campaign that impacted almost 7 million users. The company accused some users of negligently recycling and failing to update their passwords. However, experts criticized 23andMe’s response, arguing that it should have made multi-factor authentication (MFA) compulsory for all accounts to prevent such breaches.

    The Implications of the RockYou2024 Leak

    The RockYou2024 leak, hailed as the most extensive collection of stolen and leaked credentials ever seen on the forum, underscores the critical need for robust cybersecurity measures. The compilation of real-world passwords used by individuals globally gives threat actors an immense resource for launching credential stuffing attacks.

    “In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world,” the researchers told Cybernews. “Revealing that many passwords to threat actors substantially heightens the risk of credential stuffing attacks.”

    Cybernews researchers emphasized that threat actors could exploit the RockYou2024 password collection to conduct brute-force attacks against any unprotected system, gaining unauthorized access to various online accounts included in the dataset.

    Protecting Against Credential Stuffing

    To mitigate the risks posed by such massive password leaks, users and organizations should adopt several key security practices:

    • Use Strong, Unique Passwords: Avoid reusing passwords across multiple accounts and use a password manager to generate and store complex passwords.
    • Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to gain access even if they have a valid password.
    • Monitor Accounts for Unusual Activity: Regularly check accounts for signs of unauthorized access and set up alerts for suspicious activities.
    • Educate Users: Organizations should educate employees and users about the dangers of password reuse and the importance of strong security practices.

    The RockYou2024 leak serves as a reminder of the persistent threat posed by credential leaks and the importance of maintaining robust cybersecurity measures to protect against such risks.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Understanding Rogue Systems: Impact on Security and Detection Methods

    Understanding Rogue Systems: Impact on Security and Detection Methods

    Rogue system detection, also known as rogue system detection and prevention (RSD/RSP), is an essential process in cybersecurity. It involves identifying and mitigating threats from unauthorized computer systems. This practice is critical for protecting organizational data and systems from unauthorized access. This article explores how rogue systems work, their impact on security, and the methods for detecting and preventing them.

    Understanding Rogue Systems

    Rogue systems are unauthorized or compromised systems within a network that can be used for malicious purposes, such as sending spam emails, launching distributed denial-of-service (DDoS) attacks, or stealing sensitive data. Unlike regular computers and servers, rogue systems do not adhere to the security policies of the organization, making them a significant threat. These systems can lead to data breaches, resource depletion, and compliance violations.

    A rogue system can be any device connected to the network without proper authorization, including:

    • Rogue Access Points: Unauthorized wireless access points that can provide an entry point for attackers.
    • Evil Twin Access Points: Malicious access points set up to mimic legitimate ones to steal data.
    • Rogue Wireless Clients: Unauthorized devices connected to the wireless network.
    • Unauthorized Hubs and Switches: Devices that can intercept and reroute network traffic.
    • Network Printers and Other Nodes: Devices with unauthorized configurations that can introduce vulnerabilities.

    Benefits of Rogue System Detection

    Implementing rogue system detection offers numerous benefits, including:

    1. Detecting Potential Threats: Identifies unauthorized systems early, preventing potential attacks before they can cause significant damage.
    2. Staying Ahead of New Threats: Keeps the organization informed about emerging threats and vulnerabilities, allowing for proactive defense measures.
    3. Ensuring Compliance: Helps meet industry regulations such as HIPAA, GDPR, and PCI-DSS, avoiding legal penalties and safeguarding reputation.
    4. Protecting Sensitive Information: Safeguards customer data, intellectual property, and other critical information from unauthorized access and theft.
    5. Preventing Data Loss: Protects against data breaches and ransomware attacks, ensuring business continuity and minimizing financial losses.
    6. Mitigating Unauthorized Access: Prevents unauthorized personnel from accessing confidential information, reducing the risk of insider threats and social engineering attacks.

    Challenges of Rogue System Detection

    Despite its importance, rogue system detection comes with several challenges:

    1. Lack of Standards: Inconsistent software development and testing practices make it difficult to detect and prevent rogue systems effectively.
    2. Adaptive Malware: Malware that changes its behavior based on its environment can evade traditional detection methods.
    3. Antivirus Limitations: Many antivirus solutions struggle to detect new and sophisticated attacks, including zero-day exploits.
    4. Resource Constraints: Many organizations lack the necessary resources, including skilled personnel and financial investments, to implement comprehensive rogue system detection solutions.
    5. Emerging Threats: The rapidly evolving landscape of cyber threats makes it challenging to keep up and ensure continuous protection.
    6. Speed of Cybercriminals: Cybercriminals are often one step ahead, developing new malware and attack techniques faster than security solutions can adapt.

    Rogue System Detection Mechanisms

    A multi-layered approach is essential for effective rogue system detection, utilizing various mechanisms:

    Network Access Control (NAC) Systems:

    • Device Authentication and Authorization: Verifies device identity, ensuring that only approved devices can access the network.
    • Role-based Access Control: Grants access based on the device function, limiting exposure to sensitive areas.
    • Network Segmentation: Isolates unauthorized devices, reducing the potential impact of a breach.

    Monitoring and Alerting Tools:

    • Wireless Intrusion Detection Systems (WIDS): Detects unauthorized wireless devices by monitoring network traffic and identifying anomalies.
    • Wireless Intrusion Prevention Systems (WIPS): Extends WIDS capabilities with automated remediation actions, such as disconnecting rogue devices.
    • Advanced Firewalls: Combines traditional firewall functionality with Intrusion Detection and Prevention Systems (IDS/IPS) to detect rogue devices through pattern recognition.
    • Endpoint Detection and Response (EDR): Monitors endpoint activities and traffic, identifying abnormal behavior that may indicate the presence of rogue devices.
    • Security Information and Event Management (SIEM): Analyzes log files and other network data to detect security events and abnormalities, flagging potential rogue devices.

    Third Line of Defense: Handheld Analyzers

    Handheld analyzers provide a portable and flexible solution for rogue device detection. They offer several benefits:

    • Portability: Easy to deploy across various locations, from central offices to remote sites.
    • Real-time Detection: Capable of detecting devices in real-time using a combination of network scanners, protocol analyzers, packet analyzers, and spectrum analyzers.
    • Wide Range of Features: Includes functionality such as network scanning, protocol analysis, and packet inspection, helping to identify and locate rogue devices quickly.
    • Edge Network Connectivity: Connects to edge network nodes, such as wireless access points and switches, enhancing detection capabilities.

    Implementing a Multi-layered Approach

    For effective rogue system detection, organizations should implement a multi-layered approach that includes:

    Defining Rogue Devices: Clearly outline what constitutes a rogue device within the organization. This involves establishing criteria for device approval, such as authentication methods, use of digital certificates, and compliance with security policies.

    Permissions and Policies: Develop and enforce network access security policies that define the approval process for devices, including registration and compliance requirements. Ensure that any device not meeting these criteria is considered rogue.

    Combining Tools: Utilize a combination of NAC systems, monitoring and alerting tools, and handheld analyzers to create a comprehensive detection framework. This layered approach maximizes the ability to detect and remove rogue devices from the network.

    Practical Steps for Organizations

    To effectively detect and mitigate rogue devices, organizations should:

    1. Define Rogue Devices: Establish a clear definition of what constitutes a rogue device, based on the organization’s security policies and requirements.
    2. NAC Actions: Determine the specific actions that the NAC system will take when rogue devices are detected, such as blocking access, quarantining the device, or notifying administrators.
    3. Use Monitoring Tools: Leverage monitoring and alerting tools to continuously scan the network for patterns and anomalies that indicate the presence of rogue devices.
    4. Utilize Portable Analyzers: Deploy handheld analyzers for localized detection, enabling security staff to physically locate and mitigate threats in real-time.

    Conclusion

    Rogue system detection is a crucial component of an organization’s cybersecurity strategy. Despite the challenges, such as adaptive malware and resource constraints, implementing a multi-layered approach can provide significant benefits. By staying proactive and utilizing various detection mechanisms, organizations can effectively minimize the risks posed by rogue systems and ensure the security of their networks.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Chinese State-Backed Hackers Exploit Newly Patched Zero-Day Vulnerability in Cisco Nexus Switches

    Chinese State-Backed Hackers Exploit Newly Patched Zero-Day Vulnerability in Cisco Nexus Switches

    A newly patched zero-day vulnerability has been exploited by Chinese state-backed hackers to compromise Cisco Nexus switches, researchers have revealed. Cisco released a patch for CVE-2024-20399 on July 2, 2024. This flaw, found in the Command Line Interface (CLI) of Cisco NX-OS software, could allow an authenticated local attacker to execute arbitrary commands as root on a targeted device.

    Vulnerability Details and Exploit Mechanics

    CVE-2024-20399 is a critical vulnerability stemming from insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit this flaw by providing crafted input as the argument of an affected configuration command. A successful exploit would enable the attacker to execute arbitrary commands on the underlying operating system with root privileges. Despite the severe potential impact, the vulnerability has been assigned a CVSS score of 6 due to the requirement for the attacker to have administrator privileges and access to specific configuration commands.

    “This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands,” the advisory noted. “An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”

    Discovery and Impact

    The exploitation of CVE-2024-20399 was first discovered in April by security vendor Sygnia, which identified that the Chinese threat group known as Velvet Ant had leveraged the vulnerability. This group has a history of sophisticated cyber-espionage campaigns, previously compromising F5 BIG-IP load balancers for persistence.

    Sygnia’s investigation revealed that the exploitation led to the deployment of a previously unknown custom malware. This malware allowed Velvet Ant to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on these devices. The attack underscores the persistent nature of sophisticated threat actors and their ability to exploit network appliances that are often inadequately protected and monitored.

    “Despite the substantial pre-requisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to leverage network appliances – which are often not sufficiently protected and monitored – to maintain persistent network access; the incident also underscores the critical importance of adhering to security best practices as a mitigation against this type of threat,” Sygnia explained.

    Previous Exploits and Threat Actor Profile

    Velvet Ant has been previously linked to a multi-year cyber-espionage campaign, wherein the group maintained persistent access to target networks by compromising network infrastructure devices like F5 BIG-IP load balancers. This sophisticated threat actor is believed to be state-sponsored and exhibits robust capabilities, including the deployment of custom malware and advanced persistence mechanisms.

    During the recent attack on Cisco Nexus switches, Velvet Ant demonstrated agility and adaptability, using the vulnerability to establish a foothold and execute custom malware for remote operations. The malware facilitated the upload of additional malicious files and execution of commands, allowing the group to maintain control over compromised devices.

    Recommendations for Mitigation

    In light of these events, Sygnia has urged Cisco customers to enhance their security measures, particularly in the areas of centralized logging and network monitoring related to switches. Key recommendations include:

    1. Regular Patching: Ensure that all devices are updated with the latest security patches to mitigate vulnerabilities.
    2. Good Password Hygiene: Implement strong, unique passwords and regularly update them to prevent unauthorized access.
    3. Restricted Admin Access: Limit administrative privileges to essential personnel only and regularly review access controls.
    4. Enhanced Monitoring: Improve centralized logging and network monitoring to detect and respond to suspicious activities promptly.

    Sygnia’s advisory emphasizes the importance of a comprehensive security strategy that includes these measures to protect against sophisticated threat actors.

    Conclusion

    The exploitation of CVE-2024-20399 by Velvet Ant highlights the ongoing threat posed by state-sponsored cyber-espionage groups. The incident serves as a reminder of the critical importance of robust security practices, including regular patching, strong password management, restricted access controls, and enhanced monitoring. By adhering to these best practices, organizations can better defend against advanced persistent threats and maintain the integrity of their network infrastructure.

    For more detailed insights and cybersecurity strategies, visit Sygnia’s advisory.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • 4th of July Cybersecurity: Proactive Measures to Safeguard Your Business

    4th of July Cybersecurity: Proactive Measures to Safeguard Your Business

    As we celebrate the 4th of July, it’s important to remember that holidays can be prime opportunities for cybercriminals to strike. With many businesses operating with limited IT and security staff, the holiday season is a golden opportunity for hackers to exploit vulnerabilities.

    The Perfect Storm: Why Holidays Are Prime Time for Cyberattacks

    Cyberattackers know that businesses often have reduced staffing and relaxed vigilance over the holidays. Here are a few reasons why the 4th of July (and all holidays) are an attractive target for cybercriminals:

    • Limited Threat Monitoring: With many IT and security staff taking time off, overall monitoring and response capabilities may be limited.
    • Delayed Incident Response: Even if alerts are generated, response times can be slower, giving attackers more time to exploit vulnerabilities.
    • Increased Security Vulnerabilities: Regular maintenance and updates might be postponed, leading to potential security gaps.

    Don’t Let Your Guard Down: Enhance Cybersecurity During 4th of July

    To mitigate cyber risks, take proactive steps to ensure your cybersecurity posture remains strong during the holidays. Here’s what you can do:

    • Ensure Comprehensive System Coverage: Double-check that your monitoring systems are fully operational and cover all mission-critical assets, including network traffic, endpoint protection, and server logs.
    • Use Automated Threat Detection Tools: Utilize automated tools to detect and respond to threats. Automated incident response can significantly reduce the impact of an attack when human resources are limited.
    • Implement Alert Escalation Policies: Ensure that alerts are set up to escalate appropriately. If the primary on-call staff member is unavailable, alerts should be escalated to secondary or tertiary contacts.
    • Educate Employees on Cybersecurity Vigilance: Remind all employees of the importance of maintaining cybersecurity vigilance, even while on holiday. Simple actions like being cautious with email links and avoiding public Wi-Fi can prevent breaches.
    • Test Your Security Systems: Conduct a pre-holiday check of all security systems, including running tests on alerting mechanisms to ensure they are functioning correctly and will notify the right personnel in case of a security incident.

    After the Holiday: Review Your Monitoring Logs & Alert Systems

    Once the holiday period is over, conduct a thorough review of your monitoring logs and alerting systems. Look for any unusual activity that occurred during the break and review it for potential threats. This post-holiday review can help identify any attempted breaches and provide insight into how you can enhance your cybersecurity posture for future holidays.

    Stay safe, stay vigilant, and enjoy a secure 4th of July!

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Chrome 127 and Above to Block Entrust and AffirmTrust Certificates Starting November 2024

    Chrome 127 and Above to Block Entrust and AffirmTrust Certificates Starting November 2024

    Google has announced that starting November 1, 2024, Chrome version 127 and higher will no longer trust new TLS server authentication certificates from Entrust and AffirmTrust. This decision follows a series of reported compliance failures, unfulfilled improvement commitments, and insufficient progress in addressing publicly disclosed incident reports observed over the past six years.

    According to a blog post published by Google on June 27, website owners are advised to transition to a new publicly trusted Certification Authority (CA) before the deadline to avoid disruptions. Certification Authorities play a crucial role in securing encrypted connections between browsers and websites, adhering to stringent security and compliance standards. Google’s decision underscores the importance of these standards. More specifically, the Chrome Root Program Policy mandates that CA certificates must provide value that exceeds their risk.

    “When these factors are considered in aggregate and against the inherent risk each publicly trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified,” the blog post reads.

    Background of Entrust and AffirmTrust

    Entrust and AffirmTrust are established players in the field of digital security, providing critical infrastructure for secure communications over the internet. Entrust, founded in 1994, has a long history of offering identity-based security solutions, including public key infrastructure (PKI), digital certificates, and encryption technologies. The company has been a trusted certification authority (CA), ensuring the authenticity and security of digital transactions and communications. AffirmTrust, though newer, has also made significant contributions to the industry by providing a range of trusted digital certificates for securing online interactions. Both companies have played pivotal roles in enabling encrypted connections and ensuring data integrity and privacy across the web. However, recent compliance issues and security lapses have led to a reassessment of their roles as trusted entities in the digital ecosystem, culminating in Google’s decision to phase out trust in their certificates.

    Impact on Website Operators

    As a result of this update, after November 1, Chrome users visiting websites with certificates issued by Entrust or AffirmTrust will encounter security warnings. Website operators are encouraged to review their certificates and transition to a different CA to prevent service interruptions. This change will apply to Chrome on multiple platforms, including Windows, macOS, ChromeOS, Android, and Linux.

    “The Entrust news is a sharp reminder of why it is so important for CAs to take their role as stewards of public trust very seriously. CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them,” commented Tim Callan, chief experience officer at Sectigo, an Arizona-based provider of certificate lifecycle management (CLM) solutions.

    Background of the Decision

    Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of Google’s expectations. These behaviors have eroded confidence in their competence, reliability, and integrity as a publicly trusted CA owner. In response to these concerns and to preserve the integrity of the Web PKI ecosystem, Chrome will take definitive action.

    Technical Details

    TLS server authentication certificates validating to the following Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024, will no longer be trusted by default:

    • CN=Entrust Root Certification Authority – EC1, O=Entrust, Inc., C=US
    • CN=Entrust Root Certification Authority – G2, O=Entrust, Inc., C=US
    • CN=Entrust.net Certification Authority (2048), O=Entrust.net Limited
    • CN=Entrust Root Certification Authority, O=Entrust, Inc., C=US
    • CN=Entrust Root Certification Authority – G4, O=Entrust, Inc., C=US
    • CN=AffirmTrust Commercial, O=AffirmTrust, C=US
    • CN=AffirmTrust Networking, O=AffirmTrust, C=US
    • CN=AffirmTrust Premium, O=AffirmTrust, C=US
    • CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

    Certificates validating to these roots with SCTs on or before October 31, 2024, will be unaffected by this change. This approach attempts to minimize disruption to existing subscribers by using a recently announced Chrome feature to remove default trust based on the SCTs in certificates.

    Actions for Website Operators

    Website operators are strongly encouraged to transition to a new publicly trusted CA as soon as possible to avoid disruptions. Delaying action could result in service interruptions if certificates expire after October 31, 2024. While website operators could delay the impact by obtaining new TLS certificates from Entrust before November 1, 2024, this is only a temporary solution. Ultimately, they will need to secure certificates from other CAs included in the Chrome Root Store.

    To determine if their website is affected, operators can use the Chrome Certificate Viewer. If the “Organization (O)” field under the “Issued By” heading contains “Entrust” or “AffirmTrust”, action is required.

    Enterprise Considerations

    For internal enterprise networks using Entrust certificates, administrators can override Chrome Root Store constraints by installing the corresponding root CA certificate as a locally trusted root on the platform Chrome is running. This ensures continued trust within enterprise environments.

    Testing the Changes

    Administrators and power users can simulate the effect of the SCTNotAfter distrust constraint by using a command-line flag in Chrome 128. This allows them to evaluate the impact of the changes before they take effect.

    Industry Implications

    The move by Google highlights the critical role CAs play in maintaining internet security. With the advent of a 90-day certificate lifecycle and the implications of quantum computing on the horizon, it is more important than ever for CAs and CLM providers to adhere to the highest standards and fully comply with CA/Browser Forum rules and baseline requirements.

    Conclusion

    Google’s decision to block Entrust certificates underscores the importance of maintaining high standards in the certification process. Website operators must act promptly to transition to new CAs to avoid disruptions. The integrity of the web ecosystem relies on the stringent adherence to security and compliance standards by all CAs.

  • Netizen Cybersecurity Bulletin (June 31st, 2024)

    Netizen Cybersecurity Bulletin (June 31st, 2024)

    Overview:

    • Phish Tale of the Week
    • P2PInfect Botnet Evolves: New Miner and Ransomware Payloads Detected
    • Lurie Children’s Hospital Says 791,000 Impacted by Ransomware Attack
    • How can Netizen help?

    Phish Tale of the Week

    Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as CareCix. The message politely gives us an opportunity to sign up for some healthcare, even giving us a login page to speed up the process to signing in to our new account. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this link:

    1. The first warning sign for this email is the formatting. Immediately, it’s apparent that different text boxes in the email have different alignments and different sizes, as well as strange spacing. The “go to login page” button is a great example of this strange spacing: the white space above the button is significantly larger than the white space below. It’s important to be wary of small inconsistencies such as this as they can be key indicators that the sender of the email may not be who they seem.
    2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “get started” and “this link is valid for 30 days.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through email.
    3. The final warning sign for this email is the fact that we didn’t sign up for this healthcare. Receiving an email asking you to log into an account you didn’t create should always be a warning sign. Do not click on any “log in” or “sign up” button in any email you weren’t expecting, no matter how trustworthy it looks. With all of these 3 warning signs, it’s incredibly apparent that we are being phished.


    General Recommendations:

    phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    P2PInfect Botnet Evolves: New Miner and Ransomware Payloads Detected

    The notorious P2PInfect botnet, known for targeting misconfigured Redis servers, has evolved into a formidable threat with the addition of ransomware and cryptocurrency miners. This transformation signifies a shift from a seemingly dormant botnet to a financially motivated operation.

    Recent updates have significantly increased the threat level posed by P2PInfect. Initially perceived as a dormant threat, the botnet now deploys crypto miners, ransomware payloads, and rootkit elements. This development highlights the malware author’s intent to profit from illicit access and expand their network. Additionally, P2PInfect has been updated to target MIPS and ARM architectures, broadening its scope and potential impact.

    P2PInfect primarily spreads by exploiting the replication feature of Redis servers, transforming victim systems into follower nodes under the attacker’s control. This allows the attacker to execute arbitrary commands on infected systems. The botnet also includes a feature to scan the internet for additional vulnerable servers and incorporates an SSH password sprayer module to gain access using common passwords.

    The behavioral changes in P2PInfect are noteworthy. The botnet now drops miner and ransomware payloads, encrypting files with specific extensions and demanding a ransom of 1 XMR (approximately $165). Furthermore, a new usermode rootkit uses the LD_PRELOAD environment variable to hide malicious processes and files from security tools, a technique similar to those used by other cryptojacking groups.

    Given the nature of targeted servers, which often store ephemeral in-memory data, the ransomware’s impact is limited. Therefore, the botnet likely sees more profit from its crypto miner due to its extensive use of system resources. Evidence suggests that P2PInfect might be a botnet-for-hire service, deploying other attackers’ payloads in exchange for payment. This theory is supported by the different wallet addresses used for miner and ransomware processes.

    To secure its foothold, P2PInfect takes several defensive measures. It changes user passwords, restarts SSH services with root permissions, and performs privilege escalation to prevent other attackers from targeting the same servers.

    In conclusion, the P2PInfect botnet represents a significant threat in the cybersecurity landscape, especially with its recent updates. Organizations must remain vigilant and employ robust security measures to protect against such sophisticated attacks. Regularly patching systems, monitoring for unusual activities, and implementing strong access controls are crucial steps in defending against botnet infections and their evolving payloads.

    To read more about this article, click here.

    Lurie Children’s Hospital Says 791,000 Impacted by Ransomware Attack

    Ann & Robert H. Lurie Children’s Hospital of Chicago has announced that a recent ransomware attack has compromised the personal and health information of 791,000 individuals. The hospital took many of its systems offline in late January in response to the cyberattack, which led to limited access to medical records, disruptions to a patient portal, and hampered communications.

    An investigation revealed that cybercriminals had access to Lurie Children’s systems between January 26 and January 31, 2024. A wide range of information was compromised, including names, addresses, dates of birth, dates of service, driver’s license numbers, Social Security numbers, email addresses, phone numbers, health claims information, medical conditions or diagnoses, medical record numbers, medical treatments, and prescription information.

    Although the hospital did not explicitly state that it was targeted by a ransomware group, it confirmed in a data breach notification on its website that it refused to pay a ransom. “Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken. Once our investigation team identified an amount of data that was impacted by the cybercriminals, we worked closely with law enforcement to retrieve that data,” Lurie Children’s said.

    The Rhysida ransomware group, which claimed responsibility for the attack, has stated on its website that the data stolen from the hospital has been sold, indicating that a ransom was not paid. The cybercriminals allege they stole 600 GB of data from the organization.

    A notice published by the Maine Attorney General’s office on Thursday reveals that the incident has affected more than 791,000 people. Impacted individuals are being notified and offered 24 months of identity and fraud protection services at no cost.

    To read more about this article, click here.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Understanding the ‘regreSSHion’ OpenSSH Vulnerability (CVE-2024-6387)

    Understanding the ‘regreSSHion’ OpenSSH Vulnerability (CVE-2024-6387)

    Source: Qualys report on CVE-2024-6387

    Cybersecurity researchers from the Qualys Threat Research Unit (TRU) have uncovered a critical flaw in OpenSSH, dubbed ‘regreSSHion’ (CVE-2024-6387), marking a significant threat to the security of Linux-based systems worldwide. This article provides an in-depth exploration of the technical intricacies, impact assessment, and recommended mitigation strategies concerning this vulnerability.

    Understanding ‘regreSSHion’

    ‘RegreSSHion’ is classified as an unauthenticated remote code execution (RCE) vulnerability within OpenSSH’s server (sshd) on glibc-based Linux systems. This flaw allows attackers to exploit a signal handler race condition in sshd, triggered when a client fails to authenticate within the specified LoginGraceTime (typically 120 seconds, or 600 in older versions). Upon expiration, sshd’s SIGALRM handler asynchronously invokes functions like syslog(), which are not async-signal-safe. This asynchronous invocation creates a window of opportunity for attackers to inject malicious code and potentially gain full root access to the affected system.

    Historical Context and Regression

    The term ‘regreSSHion’ derives from its nature as a regression bug, reintroducing a vulnerability (CVE-2006-5051) that was previously patched. This regression occurred due to changes or updates in OpenSSH’s codebase, inadvertently undoing prior security fixes. Such regressions underscore the challenges in maintaining secure software development practices over time, highlighting the critical need for thorough regression testing and ongoing security scrutiny.

    Impact Assessment

    Qualys’ research estimates that over 14 million OpenSSH server instances are potentially vulnerable, with approximately 700,000 exposed directly to the internet. The severity of ‘regreSSHion’ lies in its ability to grant unauthenticated attackers full root privileges, enabling them to execute arbitrary commands, install malware, manipulate data, and establish persistent backdoors. This capability poses significant risks to both enterprise environments and individual users, potentially leading to widespread system compromise and unauthorized access.

    Exploit Scenario

    An attacker can exploit this vulnerability by sending a carefully crafted request to the vulnerable OpenSSH server. By causing a buffer overflow through improper input validation, the attacker can manipulate memory contents and potentially execute arbitrary code with the privileges of the sshd process, typically running with elevated permissions.

    CVSS v3 Vector Breakdown:

    • Attack Vector (AV): Network (AV) – Attackers can exploit the vulnerability remotely.
    • Attack Complexity (AC): High (AC) – The exploit requires conditions beyond attacker control, such as timing and system configuration.
    • Privileges Required (PR): None (PR) – The vulnerability can be exploited without needing privileges.
    • User Interaction (UI): None (UI) – Exploitation does not require user interaction.
    • Scope (S): Unchanged (S) – The vulnerability’s impact is limited to the vulnerable system.
    • Confidentiality (C): High (C), Integrity (I): High (I), Availability (A): High (A) – Successful exploitation can result in full compromise of confidentiality, integrity, and availability.

    Impact Assessment

    • Base Score: 8.1 (High) – Calculated severity based on CVSS v3 metrics, reflecting the potential for severe system compromise and data breaches.
    • Vulnerable OpenSSH versions include those prior to 4.4p1 and from 8.5p1 up to, but not including, 9.8p1. Linux-based systems utilizing these versions are particularly at risk.

    Industry Response

    The cybersecurity community has responded swiftly with advisories urging immediate patching and implementation of mitigating controls. Organizations and vendors have issued alerts, emphasizing the criticality of addressing this vulnerability due to its potential widespread impact.

    Mitigation and Remediation

    Patch Management:

    • Organizations are strongly advised to update affected OpenSSH installations to version 9.8 or later, which includes fixes for regreSSHion. Patching closes the vulnerability by addressing the improper input validation and signal handling issues.

    Access Control and Monitoring:

    • Implement strict access controls, limiting SSH access to trusted networks and users.
    • Deploy intrusion detection systems (IDS) to monitor for signs of exploitation attempts and anomalous SSH activity.
    • Disable password-based logins where possible and enforce key-based authentication for enhanced security.

    Conclusion

    The emergence of ‘regreSSHion’ highlights the ongoing challenge of securing critical infrastructure against evolving cybersecurity threats. Despite the robustness of OpenSSH as a secure networking utility, vulnerabilities like CVE-2024-6387 underscore the necessity for continuous vigilance and proactive mitigation strategies. By staying informed, promptly applying patches, and implementing layered security measures, organizations can effectively protect their systems from potential exploitation and safeguard sensitive data.

    References and Additional Resources

    About OpenSSH

    OpenSSH continues to play a pivotal role in enabling secure communication across Unix-like systems. It remains a cornerstone of secure network management, providing robust encryption and authentication mechanisms essential for maintaining confidentiality and integrity in network operations globally. Despite vulnerabilities like ‘regreSSHion,’ OpenSSH’s commitment to security and ongoing community support underscores its critical importance in modern cybersecurity practices.

    FAQ: regreSSHion (CVE-2024-6387) Remote Code Execution Vulnerability in OpenSSH

    What is regreSSHion (CVE-2024-6387)?

    regreSSHion, CVE-2024-6387, is a critical remote code execution vulnerability discovered in OpenSSH’s server (sshd) on glibc-based Linux systems. It allows remote attackers to execute arbitrary code without authentication, potentially leading to system compromise.

    How does regreSSHion (CVE-2024-6387) impact OpenSSH users?

    regreSSHion affects OpenSSH versions prior to 4.4p1 and versions from 8.5p1 up to, but not including, 9.8p1. Systems running these versions are vulnerable to exploitation if exposed to untrusted networks or the internet, posing significant risks to confidentiality, integrity, and availability.

    Has regreSSHion (CVE-2024-6387) been exploited in the wild?

    As of the latest reports, there have been no confirmed instances of active exploitation in the wild. However, the nature of the vulnerability and the widespread use of OpenSSH necessitate immediate action to mitigate potential risks.

    How can organizations protect themselves against regreSSHion (CVE-2024-6387)?

    • Patch Management: Update affected OpenSSH versions to 9.8 or later, which includes fixes for regreSSHion.
    • Access Control: Limit SSH access to trusted networks and users. Implement strong authentication methods such as key-based authentication.
    • Monitoring: Regularly monitor SSH access logs for unusual activity and deploy intrusion detection systems (IDS) to detect exploitation attempts.

    What should I do if I suspect my system is vulnerable to regreSSHion (CVE-2024-6387)?

    Immediately apply the latest patches provided by OpenSSH. If patching is not feasible immediately, consider implementing temporary mitigations such as setting LoginGraceTime to 0 in the OpenSSH configuration file to reduce the risk of exploitation.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Microsoft Engineer Leaks 4GB of PlayReady Internal Code on Developer Community Forum

    Microsoft Engineer Leaks 4GB of PlayReady Internal Code on Developer Community Forum

    On June 11, 2024, a significant data leak occurred involving Microsoft’s PlayReady digital rights management (DRM) technology. An engineer at Microsoft inadvertently leaked 4GB of internal code, including sensitive libraries and configurations, on the Microsoft Developer Community forum. This breach has raised concerns over the security practices within the company and the potential exploitation of the leaked data.

    What is Microsoft PlayReady?

    Microsoft PlayReady is a comprehensive digital rights management (DRM) technology designed to protect and securely distribute digital content across a wide range of devices. Developed by Microsoft, PlayReady enables content providers to safeguard their media assets, including movies, music, and eBooks, ensuring that only authorized users can access and consume the protected content. The technology supports various business models, such as subscription services, rentals, and purchases, and is widely adopted by major content distributors and device manufacturers worldwide. With robust security features and extensive compatibility, Microsoft PlayReady plays a crucial role in the digital media ecosystem, facilitating the seamless and secure delivery of high-quality content to consumers.

    Details of the Leak

    The leak included a variety of critical components related to Microsoft’s PlayReady technology:

    • WarBird configurations and libraries for code obfuscation functionality.
    • Libraries with symbolic information related to PlayReady.

    Researchers from AG Security Research Lab successfully built the Windows PlayReady DLL library from the leaked code. Their efforts were notably facilitated by a forum post that provided step-by-step instructions on how to begin the build process.

    Unintended Consequences

    A particularly concerning aspect of the leak is the exposure of PDB (Program Database) files. The Microsoft Symbol Server, which hosts these files, did not block requests for PDB files corresponding to Microsoft WarBird libraries. This oversight inadvertently leaked additional information, potentially aiding malicious actors in reverse-engineering and exploiting the PlayReady technology.

    Discovery and Response

    Adam Gowdiak of AG Security Research Lab reported the issue to Microsoft. Following the report, Microsoft removed the problematic forum post. However, as of this writing, the download link for the leaked code remains active, posing an ongoing security risk.

    Compliance and Security Implications

    The recent leak of PlayReady internal code has significant compliance and security implications. Such a breach exposes proprietary information, potentially undermining the trust of content providers and users. It raises concerns about the effectiveness of Microsoft’s internal security measures and adherence to industry standards and regulations. This incident not only poses a risk to intellectual property but also necessitates a thorough review of compliance with data protection laws and DRM standards. For Microsoft, addressing this breach promptly and transparently is essential to mitigate potential legal and reputational repercussions.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: June 2024 Vulnerability Review

    Netizen: June 2024 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from June that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2024-30103

    CVE-2024-30103 is classified as a Remote Code Execution (RCE) vulnerability affecting various editions of Microsoft Outlook. This critical security flaw allows attackers to execute arbitrary code remotely without the need for direct interaction with the victim, other than the victim having the Preview Pane open in Outlook. The vulnerability is identified under CWE-184 for an incomplete list of disallowed inputs, allowing such remote execution by bypassing Outlook’s registry block lists and facilitating the creation of malicious DLL files. The vulnerability scores a CVSS v3.1 base score of 8.8, indicating a high severity. According to the CVSS vector CVSS:3.0/AV/AC/PR/UI/S/C/I/A, the attack can be launched from the network (AV), has low complexity (AC), requires low privileges (PR), and does not need user interaction (UI). This makes it a critical issue as it impacts the confidentiality, integrity, and availability of the system highly (C/I/A). Microsoft has recognized the severity of this issue and released security updates on June 11, 2024, to mitigate the vulnerability across several versions of Outlook and Office products. The updates are crucial as the Preview Pane acts as an attack vector, and the exploitation likelihood, although rated as less likely, presents significant risk if accomplished. Users and administrators are urged to apply these security updates immediately to protect against potential exploits targeting this vulnerability. For detailed guidance on the updates and to ensure the security of your systems, you should visit this Microsoft advisory. This proactive update is part of Microsoft’s ongoing effort to safeguard its user base against evolving cybersecurity threats.

    CVE-2024-37081

    CVE-2024-37081 describes a series of local privilege escalation vulnerabilities found in VMware’s vCenter Server Appliance, attributed to a misconfiguration in the sudo settings. This vulnerability allows authenticated local users with non-administrative privileges to escalate their privileges to root. The technical specifics indicate that the flaw stems from the improper configuration settings within sudo, a common utility in Unix-like operating systems that allows users to run programs with the security privileges of another user, typically the superuser or root. The vulnerability has been given a high severity rating with a CVSS v3 base score of 7.8, according to the vector CVSS:3.0/AV/AC/PR/UI/S/C/I/A. This scoring reflects the fact that the vulnerability is locally exploitable, has low attack complexity, requires low privileges, and does not need user interaction. The high scores in confidentiality, integrity, and availability imply that successful exploitation of this vulnerability could lead to significant impacts on the affected systems. As of the latest updates, no CVSS v4 score has been provided, and the vulnerability is still awaiting further analysis by NVD analysts. However, the existence of this vulnerability underscores the importance of proper configuration and privilege management within critical systems like vCenter Server. VMware and other security sources have likely provided advisories and patches to address this vulnerability, urging users to update or reconfigure their systems as necessary to mitigate the risks associated with this flaw. Users of vCenter Server Appliance are advised to review the security advisories and apply VMware’s recommended security patches or updates promptly to protect their systems from potential attacks exploiting this vulnerability. For detailed guidance and updates, administrators should refer to VMware patch notes and this Tenable advisory.

    CVE-2024-5035

    CVE-2024-5035 highlights a critical remote command execution vulnerability found in the TP-Link Archer C4500X device. This issue arises due to an exposed network service known as “rftest” on TCP ports 8888, 8889, and 8890, which is susceptible to unauthenticated command injection. An attacker can exploit this flaw to execute arbitrary commands on the device with elevated privileges, without requiring authentication. The vulnerability has been assigned a high severity rating with a CVSS v3 base score of 9.8 and a CVSS vector of CVSS:3.0/AV/AC/PR/UI/S/C/I/A. This scoring indicates that the vulnerability is exploitable from the network without any form of user interaction or privilege, and it poses a high threat to the confidentiality, integrity, and availability of the system. Given the critical nature of this vulnerability, it is essential for administrators and users of affected devices to take immediate action to mitigate the risk. This can typically involve updating the firmware of the device to a version that addresses this specific vulnerability. TP-Link has likely released such updates, and users should consult the TP-Link support page or the provided security advisories for detailed instructions on how to secure their devices. For ongoing protection, users should also consider implementing additional security measures such as network segmentation and strict access controls to minimize the potential impact of such vulnerabilities in the future. Regularly reviewing and updating device configurations and firmware can help in maintaining security against newly discovered threats. For further documentation on this vulnerability, refer to the NVD’s entry and the relevant Tenable advisory

    CVE-2024-22267

    CVE-2024-22267 is a critical use-after-free vulnerability identified in VMware’s Workstation and Fusion products, specifically within the vBluetooth device component. This vulnerability allows a malicious actor, who already has local administrative privileges on a virtual machine, to execute code on the host machine as the VMX process that runs the virtual machine. This ability to execute code on the host machine elevates the potential impact of the exploitation, bridging the virtual environment to the host system, which could lead to a full compromise of the host’s security integrity. The vulnerability has been assessed with a high CVSS v2 base score of 7.2, which emphasizes its potential impact due to the high levels of confidentiality, integrity, and availability it can compromise (Vector: CVSS2#AV/AC/Au/C/I/A). Furthermore, under CVSS v3, the vulnerability achieves a base score of 9.3 with a vector of CVSS:3.0/AV/AC/PR/UI/S/C/I/A, highlighting the critical nature of the vulnerability due to its low attack complexity, no required user interaction, and the high potential impact on confidentiality, integrity, and availability. This vulnerability was prominently addressed by VMware following its exploitation at the Pwn2Own Vancouver 2024 competition, demonstrating the practical and immediate threat it posed. VMware has provided fixes and advisories via their official support channels. Users and administrators are strongly advised to apply the provided patches or updates to mitigate the vulnerability effectively. Given the severity and the nature of this vulnerability, it is crucial for organizations utilizing VMware Workstation and Fusion to review their systems for this specific vulnerability and apply VMware’s security updates without delay. Doing so will help safeguard their systems from potential exploits that seek to leverage this vulnerability for malicious purposes. For detailed guidance, affected parties should refer to the advisories posted on VMware’s official support website or the Tenable documentation.

    CVE-2024-22270

    CVE-2024-22270 details a significant information disclosure vulnerability located within the Host Guest File Sharing (HGFS) functionality of VMware Workstation and Fusion. This vulnerability enables a malicious actor, who has local administrative privileges on a virtual machine, to access privileged information stored in the hypervisor’s memory. Such access can lead to exposure of sensitive data, which should normally be securely isolated within the hypervisor environment. The vulnerability has been assigned a CVSS v3 base score of 7.1, with a vector of CVSS:3.0/AV/AC/PR/UI/S/C/I/A, reflecting its potential severity. The score indicates that while the attack requires local access with low attack complexity and no privileges or user interaction, it has a high impact on confidentiality and does not affect integrity or availability. This discrepancy in scoring between CVSS v2 and v3, where v2 gives a lower severity score, highlights the importance of considering the most appropriate scoring system contextually, as v3 provides a more nuanced understanding of the risks posed by this type of vulnerability in a virtualized environment. This issue was disclosed and addressed as part of VMware’s response to vulnerabilities demonstrated at the Pwn2Own Vancouver 2024 event. VMware has since released updates and patches to mitigate this vulnerability, ensuring that unauthorized information disclosure is prevented. Users and administrators are strongly advised to apply these updates to VMware Workstation and Fusion to protect their systems from potential exploits that could leverage this vulnerability. For comprehensive mitigation, users should ensure that all virtual machines have restricted administrative access and that the latest security patches are applied. Additionally, monitoring and logging all access and activities within virtual environments can help in early detection of attempts to exploit such vulnerabilities. For detailed patching instructions and further advisories, users should refer to the links provided in VMware’s security advisory linked above and the Tenable documentation.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • CISA Publishes New Guidelines for Transitioning from VPNs to Advanced Security Models

    CISA Publishes New Guidelines for Transitioning from VPNs to Advanced Security Models

    The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, New Zealand’s Government Communications Security Bureau (GCSB), New Zealand’s Computer Emergency Response Team (CERT-NZ), and the Canadian Centre for Cyber Security (CCCS), has published a comprehensive report on modern network access security approaches. This report, released on June 18, 2024, addresses the vulnerabilities and risks associated with traditional VPN solutions and advocates for more secure alternatives.

    Overview

    CISA has frequently identified incidents involving the compromise of virtual private network (VPN) solutions, often exploited by cybercriminals and nation-state actors. With over 22 Known Exploited Vulnerabilities (KEVs) associated with VPNs, there is a pressing need to transition to modern network access security solutions. The increasing shift of services to the cloud further emphasizes the importance of adopting Secure Access Service Edge (SASE) over traditional on-premises security stacks. This report aims to guide organizations in enhancing their security postures by integrating more secure, cloud-based solutions that align with zero trust (ZT) principles.

    Remote Access and VPN Limitations

    While VPNs provide encrypted tunnels for remote access to corporate networks, they pose several security risks. These include vulnerabilities inherent in network design, such as IP address spoofing and DNS spoofing, as well as the complexity of implementation and misconfiguration issues. Additionally, the integration of third-party access and poor cyber hygiene practices can further expose networks to threats. Traditional VPNs often lack the granular access control required to enforce zero trust principles effectively.

    Impact

    Exploited vulnerabilities in VPN systems can lead to widespread access across enterprise networks, resulting in significant operational disruptions and data breaches. Recent examples include:

    • CVE-2023-46805 and CVE-2024-21887: Affecting Ivanti Connect Secure (ICS) VPNs, these vulnerabilities allowed attackers to reverse tunnel from the ICS VPN appliance, modify JavaScript files used by the Web SSL VPN component, and compromise credentials.
    • CVE-2023-4966 (Citrix Bleed): Affecting Citrix NetScaler web application delivery controllers and NetScaler Gateway appliances, this vulnerability allowed threat actors to bypass password requirements and multifactor authentication (MFA), leading to the hijacking of legitimate user sessions and subsequent credential harvesting.

    These vulnerabilities underscore the critical need for organizations to move beyond traditional VPN solutions to more advanced, secure access technologies.

    Solutions

    To address these challenges, CISA recommends several modern network access security solutions:

    • Zero Trust (ZT): Defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-207, zero trust is a security model that requires continuous verification of user, device, and application authenticity. It enforces least privilege access and continuous reauthentication, operating under the assumption that no user or asset should be implicitly trusted.
    • Secure Service Edge (SSE): A collection of cloud security capabilities that enable safe browsing, secure access to software as a service (SaaS) applications, and validation of users accessing network data. SSE integrates security and access control into a single platform, encompassing Zero Trust Network Access (ZTNA), Cloud Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS).
    • Secure Access Service Edge (SASE): A cloud architecture that combines network and security as a service capabilities, including software-defined wide area networking (SD-WAN), SWG, CASB, next-generation firewall (NGFW), and ZTNA. SASE provides comprehensive security and network management from a unified cloud-based platform.
    • Hardware-Enforced Network Segmentation: Adds a layer of hardware protection to enhance defense-in-depth strategies, using technologies like unidirectional gateways and data diodes to ensure robust network segmentation.

    Best Practices

    To effectively transition to modern network access security solutions, CISA and its partner organizations recommend the following best practices:

    • Implement Centralized Management Solutions: Centralized management allows system administrators to control remote access to applications and servers, manage privileged access, and simplify network control. This approach is critical for modern network defenses due to the underlying issue that no VPN can guarantee absolute security.
    • Enforce Network Segmentation: Implement strict network segmentation, denying all connections to operational technology (OT) networks by default unless explicitly allowed. Use unidirectional technologies for the most consequential systems to ensure strong protection against cyber threats.
    • Automate Security Orchestration, Automation, and Response (SOAR): Implement automated responses to certain security events to enhance incident detection and response capabilities.
    • Maintain and Regularly Drill Cybersecurity Incident Response Plans: Develop, update, and regularly drill IT and OT cybersecurity incident response plans for both common and organizationally specific scenarios. Update these plans based on lessons learned from exercises and drills.
    • Automate and Validate Vulnerability Scans: Conduct automated vulnerability scans on all public-facing enterprise assets, implement appropriate compensatory controls, and disable unnecessary OS applications and network protocols.
    • Use Well-Tested Cybersecurity Solutions: Deploy high-performing cybersecurity solutions to automate the detection of unsuccessful login attempts and integrate incident detection systems to prioritize incidents and disconnect compromised devices.
    • Deploy Security.txt Files: Ensure all public-facing web domains have a security.txt file conforming to the recommendations in RFC 9116 to allow security researchers to submit discovered weaknesses or vulnerabilities promptly.
    • Regularly Back Up Critical Systems: Store backups separately from the source systems and test them on a recurring basis to ensure data recovery capabilities.
    • Conduct Annual Security Training: Provide mandatory annual training on basic security concepts, such as phishing, business email compromise, and password security, for all employees and contractors.
    • Implement Strong Identity and Access Management Solutions: Use phishing-resistant MFA and ensure strict identity verification for each access request.
    • Adopt Hardware-Enforced Unidirectional Technologies: Use hardware-enforced unidirectional technologies to push forensic, audit, and other security data from sensitive networks to IT-based or cloud-based SOAR systems.
    • Establish a SASE Adoption Roadmap: Develop a flexible SASE adoption roadmap, combining IT and business-oriented goals, and test collaboration strategies, technologies, and applications in a testing environment before full deployment.
    • Implement Technical Security Measures: Use measures like Mail Transfer Agent Strict Transport Security (MTA-STS) and DNS-based authentication of named entities (DANE) to enhance mail traffic security.

    Conclusion

    By transitioning from traditional VPN solutions to modern network access security approaches like zero trust, SSE, and SASE, organizations can significantly enhance their cybersecurity postures. These solutions offer improved security, better user experiences, and reduced complexities, aligning with zero trust principles and ensuring robust protection for critical infrastructure. Organizations are encouraged to carefully assess their security needs and adopt these best practices to mitigate risks and strengthen their defenses against cyber threats.

    For more detailed information, readers are encouraged to review the full CISA report and the associated references and resources.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact