Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • Understanding Identity and Access Management (IAM)

    Understanding Identity and Access Management (IAM)

    Identity and Access Management (IAM) is essential for ensuring that only authorized individuals have access to sensitive information, helping organizations maintain security, compliance, and efficiency. By centralizing control over user identities and access rights, IAM streamlines the creation, maintenance, and deletion of user identities while enforcing precise access controls.

    What IAM Is and What It Does

    In today’s work environment, employees need access to various resources like applications, files, and data, regardless of their location. Traditionally, most employees worked on-site, with resources protected by a firewall. Once logged in on-site, employees could access the necessary tools and data.

    Now, with hybrid work becoming more common, employees require secure access to company resources whether they’re on-site or remote. IAM addresses this need by controlling what users can and cannot access, ensuring sensitive data and functions are only accessible to those who need them.

    IAM ensures secure access to company resources such as emails, databases, and applications for verified users, ideally with minimal interference. The objective is to manage access so that authorized individuals can perform their jobs effectively while unauthorized access is denied.

    This need for secure access extends beyond employees on company devices; it includes contractors, vendors, business partners, and individuals using personal devices. IAM guarantees that each person with access has the correct level of access at the appropriate time and on the right device. Given its role in cybersecurity, IAM is an integral part of modern IT.

    An IAM system allows organizations to quickly and accurately verify a person’s identity and ensure they have the necessary permissions for the requested resource during each access attempt.

    How IAM Works

    IAM involves two main components: identity management and access management.

    Identity Management

    Identity management verifies login attempts against an identity management database, which is continually updated to reflect changes as people join or leave the organization, or as their roles and projects evolve.

    The identity management database stores information such as employee names, job titles, managers, direct reports, mobile phone numbers, and personal email addresses. Matching login information like usernames and passwords with this database is known as authentication.

    For enhanced security, many organizations use multifactor authentication (MFA). MFA adds an extra step to the login process, requiring users to verify their identity using an alternate method, such as a code sent to a mobile phone. This makes the system more secure than relying on a username and password alone.

    Access Management

    Access management controls which resources a user can access after their identity is authenticated. Organizations grant varying levels of access based on factors like job title, tenure, security clearance, and specific projects.

    Authorization, the process of granting access to resources, ensures that authentication and authorization are handled correctly and securely during each access attempt.

    The Importance of IAM for Organizations

    IAM is vital because it helps balance security and accessibility. It enables IT departments to set controls that grant secure access to employees and devices while making it difficult for unauthorized users to gain entry.

    Cybercriminals are constantly refining their techniques. Phishing emails, for instance, are a common method used to hack and breach data. Without IAM, managing who has access to an organization’s systems is challenging. Breaches can proliferate because it’s difficult to monitor access and revoke it from compromised users.

    While perfect security is unattainable, IAM solutions can prevent and minimize the impact of attacks. Many IAM systems are AI-enabled, capable of detecting and stopping attacks before they escalate.

    Benefits of IAM Systems

    Implementing an effective IAM system brings numerous advantages.

    IAM ensures that the right people have the right access. By creating and enforcing centralized rules and access privileges, IAM systems ensure users can access necessary resources without being able to reach sensitive information they don’t need. Role-based access control (RBAC) allows for scalable restriction of access based on job roles.

    IAM also supports productivity. While security is crucial, so are productivity and user experience. Overly complex security systems can hinder productivity. IAM tools like single sign-on (SSO) and unified user profiles provide secure access to multiple channels, reducing the need for multiple logins and enhancing user convenience.

    IAM significantly reduces the risk of data breaches. Tools like MFA, passwordless authentication, and SSO enable users to verify their identities with more than just a username and password, which can be forgotten, shared, or hacked. IAM solutions add an extra layer of security to the login process, making it harder for unauthorized users to gain access.

    Data encryption is another benefit. IAM systems often include encryption tools that protect sensitive information during transmission. Features like Conditional Access allow IT administrators to set conditions (such as device, location, or real-time risk information) for access, ensuring data remains secure even in the event of a breach.

    IAM also decreases manual workload for IT departments. Automating tasks such as password resets, account unlocking, and access log monitoring saves time and effort. This allows IT teams to focus on strategic initiatives like implementing a Zero Trust security framework, which relies on verifying explicitly, using least privileged access, and assuming breach.

    IAM enhances collaboration and efficiency. It facilitates secure, seamless collaboration between employees, vendors, contractors, and suppliers. Automated workflows speed up permission processes for role changes and new hires, reducing onboarding time.

    IAM and Compliance Regulations

    Managing access manually is time-consuming and labor-intensive. IAM systems automate this process, making auditing and reporting faster and more straightforward. They enable organizations to demonstrate proper governance of sensitive data access during audits, which is required by many contracts and laws.

    Many regulations, laws, and contracts require data access governance and privacy management. IAM solutions verify and manage identities, detect suspicious activity, and report incidents, all essential for compliance. Standards like GDPR in Europe and HIPAA and the Sarbanes-Oxley Act in the U.S. mandate strict security measures. A robust IAM system simplifies compliance with these requirements.

    IAM Technologies and Tools

    IAM solutions integrate with various technologies and tools to enable secure authentication and authorization at an enterprise scale:

    • Security Assertion Markup Language (SAML): SAML enables SSO by notifying applications that a user is verified after authentication. SAML’s cross-platform capability makes secure access possible in diverse contexts.
    • OpenID Connect (OIDC): OIDC adds identity to OAuth 2.0, sending encrypted tokens with user information between identity and service providers. These tokens, containing data like names and email addresses, facilitate authentication for apps and services.
    • System for Cross-Domain Identity Management (SCIM): SCIM standardizes user identity management across multiple apps and providers, ensuring users have access without creating separate accounts.

    Implementing IAM

    Implementing an IAM system requires thorough planning. Start by calculating the number of users needing access and listing the solutions, devices, applications, and services the organization uses. These lists help compare IAM solutions for compatibility with existing IT setups.

    Next, map out the roles and situations the IAM system must accommodate. This framework will form the basis of the IAM documentation.

    Consider the solution’s long-term roadmap. As the organization grows, its IAM needs will evolve. Planning for this growth ensures the IAM solution aligns with business goals and is set up for long-term success.

    IAM Solutions

    IAM solutions can be standalone systems, managed identity services, or cloud-based offerings (Identity as a Service – IDaaS). Red Hat Enterprise Linux, for example, provides comprehensive IAM capabilities that integrate with various third-party solutions.

    Selecting the right IAM solution is crucial for effective implementation and long-term success. Ensure the solution integrates seamlessly with existing systems and supports a wide range of environments, including on-premise, cloud, and hybrid setups. This ensures a smooth transition and avoids operational disruptions.

    Choose a solution that can grow with your organization. As your business expands, your IAM system should accommodate an increasing number of users and access requests. Look for advanced security features like MFA, PAM, and encryption, and ensure the solution supports compliance with relevant regulations and standards.

    FAQ: Identity and Access Management (IAM)

    What is Identity and Access Management (IAM)?

    IAM is a framework of policies and technologies that ensures the right individuals have appropriate access to an organization’s resources. It manages user identities and regulates access to sensitive data and systems.

    Why is IAM important?

    IAM enhances security by reducing the risk of data breaches, ensures compliance with regulatory requirements, improves operational efficiency, and provides a seamless user experience by managing and controlling access to critical resources.

    How does IAM work?

    IAM works by verifying user identities through authentication (e.g., passwords, biometrics, multi-factor authentication) and managing their access to resources through authorization, which defines permissions based on roles within the organization.

    What are the key components of IAM?

    The key components of IAM include Identity Management (authentication), Access Management (authorization), Single Sign-On (SSO), and Privileged Access Management (PAM).

    What is authentication in IAM?

    Authentication is the process of verifying a user’s identity before granting access to a system or resource. It typically involves methods like passwords, biometrics, or multi-factor authentication (MFA).

    What is authorization in IAM?

    Authorization is the process of determining what resources an authenticated user can access and what actions they can perform. It is managed through policies that define user permissions based on their roles.

    What is Single Sign-On (SSO)?

    SSO is an IAM feature that allows users to log in once and gain access to multiple systems without needing to re-authenticate, enhancing user convenience and reducing the burden of managing multiple passwords.

    What is Privileged Access Management (PAM)?

    PAM provides additional security for users with elevated privileges, such as system administrators. It ensures that their activities are closely monitored and controlled to prevent abuse.

    How does IAM improve compliance?

    IAM helps organizations meet regulatory requirements by providing detailed records of who accessed what and when, simplifying audits and reporting. It ensures that access to sensitive data is properly governed.

    What are the benefits of IAM systems?

    IAM systems enhance security, improve compliance, increase operational efficiency, and simplify the user experience by managing and controlling access to critical resources.

    How do IAM systems protect against data breaches?

    IAM systems reduce the risk of data breaches by implementing strong authentication and authorization mechanisms, such as MFA and PAM, to ensure that only authorized users can access sensitive information.

    What role does data encryption play in IAM?

    Many IAM systems offer encryption tools that protect sensitive information when it’s transmitted to or from the organization. Features like Conditional Access ensure that data is safe even in the event of a breach.

    How does IAM reduce manual work for IT departments?

    IAM automates tasks like password resets, account unlocking, and access log monitoring, saving IT departments time and effort. This allows IT staff to focus on more critical tasks like implementing a Zero Trust strategy.

    How does IAM improve collaboration and efficiency?

    IAM enables secure and fast collaboration between employees, vendors, contractors, and suppliers. It also allows IT administrators to build role-based automated workflows to speed up permissions processes for role transfers and new hires.

    How does IAM help with compliance regulations?

    IAM systems automate the process of tracking access to sensitive data and generate audit logs and reports, making it easier to demonstrate compliance with regulations like GDPR, HIPAA, and the Sarbanes-Oxley Act.

    What are some IAM technologies and tools?

    IAM solutions integrate with technologies like Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and System for Cross-Domain Identity Management (SCIM) to enable secure authentication and authorization across various platforms.

    How should an organization implement IAM?

    Implementing IAM involves thorough planning, including calculating the number of users, mapping out roles, and considering the long-term roadmap. It’s important to choose an IAM solution that aligns with the organization’s IT setup and business goals.

    What types of IAM solutions are available?

    IAM solutions can be standalone systems, managed identity services, or cloud-based offerings (Identity as a Service – IDaaS). The right solution should integrate seamlessly with existing systems, be scalable, and offer advanced security features.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • SIPRNet and Its Role in Military Communication Security

    SIPRNet and Its Role in Military Communication Security

    In the realm of modern military operations, the ability to securely and reliably communicate classified information is paramount. The Secret Internet Protocol Router Network (SIPRNet) was developed to address this need, providing a robust platform for transmitting sensitive data while avoiding the vulnerabilities of public internet systems. This article delves into the evolution, significance, and security measures of SIPRNet, highlighting its indispensable role in U.S. national defense.

    The Evolution of Secure Military Networks

    The origins of secure military communication networks trace back to the Defense Information Systems Network (DISN), which has been operational for over 40 years. DISN was established to provide secure telecommunications services, including data, video, and phone communications, to all branches of the U.S. military and other key government entities such as the White House.

    DISN supports several specialized networks designed to handle various levels of classified information:

    • Non-Classified Internet Protocol Router Network (NIPRNet): This network facilitates the transmission of unclassified but sensitive information, ensuring privacy and security for defense agencies and contractors.
    • Secret Internet Protocol Router Network (SIPRNet): A secure network for transmitting information classified at the SECRET level.
    • Joint Worldwide Intelligence Communications System (JWICS): An even more secure network handling TOP SECRET information.

    The Backbone of Classified Communications

    SIPRNet is a global network of interconnected computer systems used by the Department of Defense (DoD) and the Department of State. It is designed to handle and protect classified information, supporting services like HTML document access, email, and file transfers. Unlike the public internet, SIPRNet operates in a completely secure environment, isolated from public networks to prevent unauthorized access.

    The development of SIPRNet was driven by the need to replace the outdated DSNET1 portion of DISN. The newer network infrastructure offered a more secure and efficient way to manage and transmit SECRET-level information, utilizing familiar internet protocols and interfaces but within a protected framework.

    Security Measures and Compliance

    To connect to SIPRNet, organizations must adhere to stringent security protocols and compliance requirements. This comprehensive process ensures that only authorized entities can access the network, minimizing the risk of breaches and unauthorized disclosures. The key steps involved in gaining access to SIPRNet include:

    1. Approval and Authorization: Organizations must obtain circuit approval from the DoD Chief Information Officer (CIO) and complete the connection request process for non-DoD agencies. This step involves rigorous vetting to ensure that only trusted entities are granted access.
    2. Hardware and Software Setup: Proper infrastructure must be in place, including secure workstations, mobile devices, network equipment, firewalls, routers, and servers. These components must meet specific security standards to ensure they do not introduce vulnerabilities into the network.
    3. Documentation and Audits: Detailed documentation through the Enterprise Mission Assurance Support Service (eMASS) is required, along with preparation for on-site audits to obtain DoD Authorization to Operate (ATO). These audits verify that all security measures are correctly implemented and maintained.
    4. Security Measures: Implementing Host-Based Security System (HBSS) and Assured Compliance Assessment Solution (ACAS) connectivity is essential. These systems provide host intrusion prevention, policy audits, vulnerability scanning, and risk assessment, ensuring compliance with operational directives and task orders.
    5. Continuous Compliance: Maintaining adherence to Cyber Command Readiness Inspections (CCRI), operational directives (OPORD), and task orders (TASKORD) is crucial. Regular updates, upgrades, and audits ensure ongoing compliance and the integrity of the network.

    Lessons from Insider Threats

    Despite its robust security measures, SIPRNet has faced significant challenges from insider threats. Two notable incidents illustrate the potential risks and the importance of continuous vigilance:

    • Chelsea Manning: In 2010, Manning exploited her access to SIPRNet to download and release approximately 400,000 documents to WikiLeaks, revealing sensitive information about U.S. military operations. This breach highlighted vulnerabilities in access controls and the need for stricter monitoring and auditing of network activities.
    • Edward Snowden: In 2013, Snowden used his SIPRNet access to steal thousands of classified documents, which he then leaked to the media. These disclosures exposed extensive government surveillance programs and underscored the critical need for comprehensive security measures to prevent insider threats.

    SIPRNet’s Role in National Defense

    SIPRNet is an integral component of the U.S. defense infrastructure, enabling secure communication and data transfer for classified information. Its design and security measures ensure that sensitive information remains protected from both external threats and insider breaches. As technology and cyber threats continue to evolve, SIPRNet’s security protocols and compliance requirements are continually updated to maintain its effectiveness.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Ransomware Group LockBit Threatens Federal Reserve, Alleges Theft of Banking Secrets

    Ransomware Group LockBit Threatens Federal Reserve, Alleges Theft of Banking Secrets

    The notorious ransomware group LockBit has claimed responsibility for hacking the Federal Reserve Bank and alleges it has stolen 33 terabytes of sensitive data. The group announced this in a post on the dark web, stating it would release the data on Tuesday if a ransom is not paid.

    Background on LockBit

    Just last month, the U.K.’s National Crime Agency revealed the alleged identity of LockBit’s leader, Dmitry Khoroshev, a Russian national. Following this revelation, Khoroshev has been sanctioned by the U.S., U.K., and Australia. The U.S. government has offered a $10 million reward for information leading to his arrest or conviction.

    LockBit, despite facing significant law enforcement actions, continues to pose a threat in the cybersecurity landscape. The group’s latest claims, whether true or false, highlight the persistent danger ransomware organizations present to global financial institutions.

    Details of the Alleged Breach

    LockBit, which rose to prominence in 2019 by amassing millions of dollars in ransom payments, stated that it had been in negotiations with the bank. The group demanded a higher ransom and disparaged the current negotiator, describing him as a “clinical idiot” who valued Americans’ banking secrets at a mere $50,000.

    Despite these claims, cybersecurity experts remain skeptical. Dominic Alvieri, a cybersecurity analyst, and researcher who frequently reports on ransomware groups, expressed doubts about the authenticity of LockBit’s allegations. Similarly, the malware sample hosting service vx_underground remarked humorously that if the Federal Reserve had indeed been compromised, it would warrant an extreme response, suggesting the claims might be exaggerated.

    Expert Opinions

    Brett Callow, a threat analyst at cybersecurity firm Emsisoft, also dismissed the claims as likely nonsense. He suggested that LockBit’s announcement might be a tactic to regain attention and reinvigorate its Ransomware-as-a-Service (RaaS) operations, which had suffered setbacks after their infrastructure was shut down by the FBI and other law enforcement agencies in February.

    The situation remains uncertain, with answers expected soon as LockBit has threatened to release the data if the ransom is not paid by Tuesday.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Alleged Leader of Scattered Spider Hacking Group Arrested in Spain

    Alleged Leader of Scattered Spider Hacking Group Arrested in Spain

    Spanish authorities, in collaboration with the FBI, have arrested a 22-year-old British national in Palma de Mallorca. This individual, identified as Tyler Buchanan from Dundee, Scotland, is believed to be the ringleader of the notorious Scattered Spider hacking group, also known as 0ktapus or UNC3944.

    A Prolific Cybercrime Group

    Scattered Spider has gained notoriety over the past two years for its audacious and highly effective cyber-attacks against a wide range of high-profile targets. The group has been linked to breaches at major organizations, including Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other companies. The hacking group is known for its sophisticated use of social engineering techniques, particularly phishing and SIM-swapping, to gain access to sensitive information and cryptocurrency wallets.

    The Arrest

    The Spanish daily Murcia Today reported that Buchanan was apprehended at Palma airport as he attempted to board a flight to Italy. A video released by the Spanish national police shows Buchanan in custody, marking the culmination of a coordinated effort by law enforcement agencies. According to investigators, Buchanan and his associates used stolen corporate credentials to access critical information and execute multi-million-dollar cryptocurrency thefts.

    The cybercrime-focused Twitter account vx-underground identified Buchanan as a SIM-swapper known by the alias “Tyler.” SIM-swapping is a technique where attackers transfer a victim’s phone number to a device they control, allowing them to intercept text messages and phone calls, including one-time passcodes for authentication. This method has proven effective in bypassing security measures and gaining unauthorized access to accounts.

    The Scope of the Investigation

    The investigation into Scattered Spider’s activities has been extensive. In January 2024, U.S. authorities arrested another alleged member of the group, 19-year-old Noah Michael Urban from Palm Coast, Florida. Urban, who went by the nicknames “Sosa” and “King Bob,” was charged with stealing at least $800,000 from five victims over several months. Both Urban and Buchanan are believed to be part of a larger, loosely affiliated cybercriminal community known as “The Com,” where hackers frequently boast about their exploits and share techniques.

    Modus Operandi

    Scattered Spider’s operations are characterized by their reliance on social engineering and phishing tactics. The group often targets employees of major corporations with SMS-based phishing attacks, tricking them into providing credentials on fake login pages that mimic their employer’s authentication systems. These phishing sites are designed to capture login details and multi-factor authentication codes, which are then used to gain access to corporate networks.

    One notable incident involved the encrypted messaging app Signal, which reported that attackers had re-registered the phone numbers of about 1,900 users. Another significant breach occurred at Mailchimp, where the attackers accessed data from 214 customers involved in cryptocurrency and finance. The password manager service LastPass also fell victim, with attackers stealing source code and technical information, eventually leading to the theft of encrypted password vaults.

    Physical Reprisals and Turf Wars

    The cybercriminal underworld is not without its dangers. Both Buchanan and Urban have reportedly been targets of physical attacks by rival SIM-swapping gangs. In one incident, Urban’s family home in Florida was vandalized, and in another, a junior member of his crew was kidnapped and held for ransom. Buchanan himself was assaulted in a home invasion in February 2023, during which his mother was injured, and he was threatened with severe violence if he did not surrender the keys to his cryptocurrency wallets. Following this attack, Buchanan fled the United Kingdom.

    The Arrest and Ongoing Investigation

    Buchanan’s arrest was the result of a tip-off from the FBI, leading to an international arrest warrant and a coordinated operation by Spanish police. His laptop and mobile phone were confiscated for forensic examination, which is expected to yield further insights into the activities of Scattered Spider.

    While the connection between Buchanan and Scattered Spider has yet to be officially confirmed by authorities, the details of his arrest and the tactics described by the Spanish police strongly align with the group’s known activities. Buchanan’s arrest is a significant blow to the group, which has caused substantial financial and reputational damage to numerous organizations.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • China-Linked Velvet Ant Uses F5 BIG-IP Malware in Cyber Espionage Campaign

    China-Linked Velvet Ant Uses F5 BIG-IP Malware in Cyber Espionage Campaign

    Chinese cyberespionage group Velvet Ant has been observed using custom malware to target F5 BIG-IP appliances in a sophisticated campaign aimed at breaching and persisting within target networks.

    In late 2023, Sygnia researchers responded to an incident at a large organization, attributing the attack to Velvet Ant. The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network and exfiltrate sensitive data.

    Persistent Threat

    Velvet Ant maintained access within the organization’s on-premises network for approximately three years. They achieved persistence by establishing multiple footholds within the environment, exploiting a legacy F5 BIG-IP appliance exposed to the internet, which served as an internal Command and Control (C&C) server. When one foothold was discovered and remediated, the threat actor quickly adapted, demonstrating their agility and deep understanding of the target’s network infrastructure.

    “The compromised organization had two F5 BIG-IP appliances providing services such as firewall, WAF, load balancing, and local traffic management. Both appliances, running outdated and vulnerable operating systems, were directly exposed to the internet. The threat actor likely leveraged these vulnerabilities to gain remote access,” reads the analysis published by Sygnia. “A backdoor hidden within the F5 appliance can evade detection from traditional log monitoring solutions.”

    Malware Deployment

    Once the attackers compromised the F5 BIG-IP appliances, they accessed internal file servers and deployed the PlugX remote access Trojan (RAT), a tool commonly used by multiple Chinese APT groups in cyberespionage campaigns.

    Forensic analysis of the F5 appliances revealed four additional malware binaries deployed by Velvet Ant:

    1. VELVETSTING: Connects to the threat actor’s C&C server once an hour, searching for commands to execute via ‘csh’ (Unix C shell).
    2. VELVETTAP: Captures network packets.
    3. SAMRID (EarthWorm): An open-source SOCKS proxy tunneler used by other China-linked APT groups such as Volt Typhoon, APT27, and Gelsemium.
    4. ESRDE: Similar to VELVETSTING but uses ‘bash’ instead of ‘csh’.

    Recommendations for Mitigation

    To mitigate attacks from groups like Velvet Ant, organizations should:

    • Limit outbound internet traffic.
    • Restrict lateral movement within the network.
    • Enhance security hardening of legacy servers.
    • Mitigate credential harvesting.
    • Protect public-facing devices.

    The Sygnia report also includes indicators of compromise (IoCs) for the analyzed attack, providing valuable insights for organizations to strengthen their defenses against similar threats.

    Key Takeaways

    Velvet Ant’s campaign highlights the importance of securing legacy systems and implementing robust monitoring and response strategies to detect and mitigate advanced persistent threats (APTs). Organizations must remain vigilant and proactive in addressing vulnerabilities within their networks to prevent espionage and data breaches by sophisticated threat actors.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • What is the Value of a Virtual Chief Information Security Officer (vCISO)?

    What is the Value of a Virtual Chief Information Security Officer (vCISO)?

    In today’s world, where technology touches every aspect of business, security has become a top priority for organizations of all sizes. A cybersecurity breach can lead to huge financial losses, tarnished reputations, and legal troubles. This is where a Virtual Chief Information Security Officer (vCISO) steps in. A vCISO is responsible for managing and improving an organization’s cybersecurity program, often working remotely. Despite not being physically present, these experts provide essential guidance and make significant improvements in security practices.

    In this blog post, I will take you through the role of a vCISO, what they bring to the table, and how they help businesses manage cybersecurity risks effectively. Whether you’re a startup with limited resources, a growing company, or a large organization looking to strengthen your security measures, understanding the value of a vCISO can be a game-changer.

    Understanding vCISO

    A vCISO, or Virtual Chief Information Security Officer, offers cybersecurity expertise to businesses on a part-time or temporary basis. This setup is ideal for companies that can’t afford or don’t need a full-time, in-house CISO.

    A vCISO takes charge of the company’s information security plans, identifies potential security threats, develops strategies to mitigate those threats, and ensures compliance with cybersecurity standards and regulations. Since they work remotely, businesses can access top-notch cybersecurity talent without needing the executive to be on-site. This not only saves money but also broadens the pool of available experts.

    The Growing Importance of vCISO Roles

    Cyber threats are growing in number and complexity, making strong cybersecurity strategies essential. This has led to the rising importance of vCISOs in businesses across various sectors.

    A vCISO offers expert cybersecurity knowledge without the high costs of a full-time, in-office CISO, making them perfect for startups and small to medium-sized enterprises (SMEs). As businesses continue their digital transformations, they face more cybersecurity risks, and an experienced professional to manage these risks becomes crucial.

    vCISOs provide timely threat responses, cost savings, extensive expertise, and help maintain compliance with cybersecurity regulations. They also promote a security-focused mindset within the organization, aligning cybersecurity with business goals and enabling growth with peace of mind.

    The Covid-19 pandemic has highlighted the flexibility of vCISOs, who can work remotely and ensure critical security services continue despite disruptions. This adaptability makes them an essential part of modern business operations.

    Roles and Responsibilities of a vCISO

    A vCISO plays a senior role in ensuring a company’s information and technology are protected. Here are the key responsibilities:

    • Developing Cybersecurity Strategies: The vCISO leads the creation of the organization’s cybersecurity strategy, identifying and mitigating potential risks.
    • Managing Policies and Procedures: They develop, implement, and update information security policies and procedures to align with industry regulations and the company’s risk tolerance.
    • Risk Management: The vCISO conducts regular security risk assessments, compliance audits, and manages risk mitigation strategies.
    • Training and Awareness: They ensure all staff are educated about cybersecurity threats through comprehensive training and awareness programs.
    • Incident Response: In the event of a security incident, the vCISO coordinates a quick and effective response to minimize damage.
    • Vendor and Partner Management: They evaluate third-party service providers’ security practices and protect shared data.
    • Regulatory Compliance: The vCISO ensures the organization stays compliant with changing cybersecurity regulations.
    • Budget Management: They oversee cybersecurity budgets, ensuring investments in security infrastructure provide value and protection.
    • Metrics and Reporting: They measure, analyze, and report on key security and compliance metrics to help the organization understand its security posture.

    The expertise and guidance of a vCISO are crucial in maintaining the security and integrity of an organization’s information and technology assets.

    Benefits and Cost-Effectiveness of a vCISO

    Hiring a vCISO offers organizations a cost-effective solution for their cybersecurity needs, thanks to their expertise and flexibility.

    • Expertise at a Fraction of the Cost: A vCISO provides extensive cybersecurity knowledge and experience without the high costs of hiring a full-time CISO. They operate on a contract or part-time basis, offering expert services without the full-time salary commitment.
    • Flexibility and Scalability: A vCISO tailors their services to your needs, ramping up involvement during critical projects or high-risk periods and scaling back during quieter times. This approach is particularly cost-effective for small and medium-sized businesses.
    • Reduced Overhead Costs: Hiring a vCISO minimizes overhead costs like office space, equipment, and training, which are associated with full-time employees.
    • Quick Implementation: A vCISO can quickly assess risks and implement strategies, saving time and money compared to a traditional CISO.
    • Avoiding Major Breaches: By ensuring a strong security posture, a vCISO reduces the potential cost of a cyber breach.

    In summary, a vCISO strengthens an organization’s cybersecurity in a cost-effective manner, merging expertise, flexibility, efficiency, and scalability.

    How to Find and Select a vCISO

    Finding a competent and expert vCISO can be challenging, but following these steps can help:

    • Identify Your Needs: Determine what specific security gaps a vCISO could help fill. Your needs will guide your selection process.
    • Determine Your Budget: Decide how much your organization is willing to invest in a vCISO and be upfront about your budget when speaking with candidates.
    • Search for Qualified Candidates: Use professional networking platforms, specialized cybersecurity staffing agencies, and recommendations from industry peers.
    • Evaluate Qualifications and Experience: Look for a vCISO with a proven track record in your sector and familiarity with relevant challenges and regulations.
    • Interview Potential vCISOs: Use the interview process to gauge the vCISO’s approach to security management and ask about past experiences.
    • Ask for References: Reputable vCISOs should provide references from similar clients. Reach out to get feedback on their abilities and work ethic.
    • Consider Cultural Fit: Ensure the vCISO meshes well with your corporate culture and can integrate into your teams.
    • Discuss Expectations: Clearly define goals, deliverables, and measurement criteria to build a successful relationship.

    By following these steps, you can find a vCISO that fits your specific needs and requirements, becoming a strategic partner in fortifying your company’s cybersecurity.

    Conclusion

    A vCISO is an essential investment for businesses of any size, especially those dealing with digital information. This approach allows SMEs to access the expertise of a high-ranking professional without the costs of a full-time officer.

    A vCISO keeps your cybersecurity measures up to date with the latest trends and threats, ensuring your company is well-protected. They help instill a security-focused culture, educate employees, and guide best practices, saving your company from costly breaches and protecting your reputation and operations.

    Opting for a vCISO instead of a traditional in-house CISO offers a dynamic, cost-effective way to manage your information security needs. Leveraging their flexible services allows your organization to focus on core competencies without compromising data security, a critical aspect of modern business.

    vCISO FAQ: Frequently Asked Questions

    What is a vCISO?

    A Virtual Chief Information Security Officer (vCISO) is a cybersecurity expert who provides strategic guidance and oversight for an organization’s security program on a part-time or remote basis. This role is designed to deliver high-level expertise without the cost of a full-time executive.

    How does a vCISO differ from an in-house CISO?

    A vCISO operates on a contract or part-time basis, offering flexibility and cost savings. In contrast, an in-house CISO is a full-time employee, which can be more expensive but offers dedicated, day-to-day involvement in the company’s operations.

    What are the benefits of hiring a vCISO?

    Hiring a vCISO provides access to top-tier cybersecurity expertise at a fraction of the cost of a full-time CISO. Benefits include tailored security strategies, compliance support, risk management, incident response, and the ability to scale services as needed.

    What services does a vCISO provide?

    A vCISO offers a range of services, including:

    • Cybersecurity strategy development
    • Risk management and compliance audits
    • Incident response planning and management
    • Security policy and procedure development
    • Employee training and awareness programs
    • Vendor and third-party risk management
    • Ongoing security monitoring and reporting

    How can a vCISO help with regulatory compliance?

    A vCISO ensures that your organization meets industry-specific regulatory requirements, such as GDPR, HIPAA, and PCI-DSS. They conduct compliance audits, develop policies, and implement procedures to keep your business compliant with evolving regulations.

    Is a vCISO suitable for small businesses?

    Yes, a vCISO is ideal for small to medium-sized businesses that need high-level cybersecurity expertise but cannot justify the expense of a full-time CISO. The flexible, scalable nature of vCISO services makes them a perfect fit for businesses of all sizes.

    How do I choose the right vCISO for my organization?

    To choose the right vCISO, consider the following:

    • Identify your specific security needs and goals.
    • Look for a vCISO with experience in your industry.
    • Check their qualifications, certifications, and track record.
    • Evaluate their ability to integrate with your company culture.
    • Ask for references and case studies from previous clients.
    • Ensure clear communication of expectations and deliverables.

    How quickly can a vCISO start working with my organization?

    A vCISO can often begin working with your organization relatively quickly, usually within a few weeks of the initial consultation. This rapid deployment allows them to address urgent security needs and start improving your security posture without delay.

    What are the costs associated with hiring a vCISO?

    The cost of hiring a vCISO varies based on the scope of services, the complexity of your security needs, and the duration of the engagement. Generally, vCISO services are more cost-effective than hiring a full-time CISO, providing high-level expertise without the long-term salary and benefits commitment.

    How does Netizen provide vCISO services?

    Netizen offers a comprehensive vCISO service that includes:

    • Executive-level cybersecurity expertise
    • Compliance support
    • Vulnerability assessments and penetration testing
    • Continuous security monitoring with an automated assessment tool
    • Actionable risk and compliance insights through an intuitive dashboard

    Netizen’s vCISO service helps businesses of all sizes build and maintain a strong security posture, ensuring that security is built-in, not bolted on.

    Why should I consider Netizen for vCISO services?

    Netizen is an ISO 27001:2013, ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. As a Service-Disabled Veteran-Owned Small Business, we are recognized for our commitment to hiring and retaining military veterans. Our advanced solutions, including “CISO-as-a-Service,” provide expert cybersecurity support without the cost of a full-time hire. With Netizen, you gain access to top-tier security professionals and tools designed to protect your critical IT infrastructure.

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Sophisticated Smishing Scheme Utilizing Makeshift Cellphone Tower Uncovered in London

    Sophisticated Smishing Scheme Utilizing Makeshift Cellphone Tower Uncovered in London

    London authorities have recently uncovered a sophisticated smishing scheme involving the deployment of a makeshift cellphone tower to flood unsuspecting victims with malicious text messages. This novel approach to smishing, a form of cybercrime that utilizes SMS text messages to deceive and defraud individuals, marks a concerning escalation in digital fraud tactics.

    The Incident

    Officers have made two arrests in connection with an investigation into the use of a “text message blaster,” believed to have been used to send thousands of smishing messages, posing as banks and other official organizations, to members of the public. In what is thought to be the first of its kind in the UK, an illegitimate telephone mast is believed to have been used as an “SMS blaster” to send messages that bypass mobile phone networks’ systems in place to block suspicious text messages.

    One arrest was made on 9 May in Manchester and on 23 May, a further arrest was made in London. Huayong Xu, 32, of Alton Road, Croydon, was charged on 23 May with possession of articles for use in fraud and was remanded in custody. He will appear at Inner London Crown Court on 26 June. The other arrested person was bailed.

    Response and Collaboration

    Detective Chief Inspector David Vint, leading the investigation from the Dedicated Card and Payment Crime Unit (DCPCU), emphasized the increasing sophistication of cybercriminals in their quest to defraud the public. He underscored the importance of collaborative efforts between law enforcement agencies and industry partners to combat evolving threats and safeguard individuals from falling victim to fraud schemes. Officers from the DCPCU worked with mobile network operators, Ofcom, and the National Cyber Security Centre (NCSC).

    Recommendations for Protection

    In response to this incident, authorities have urged the public to remain vigilant and take proactive measures to protect themselves against smishing attacks.

    1. Exercise Caution: Be wary of unsolicited text messages, especially those requesting personal or financial information. If a message seems suspicious or too good to be true, it likely is.
    2. Avoid Clicking Links: Refrain from clicking on links or downloading attachments from unknown or untrusted sources. These could lead to phishing websites or malware installation on your device.
    3. Verify Sender Authenticity: Verify the authenticity of the sender before responding to any text message, especially those claiming to be from banks, government agencies, or service providers. Use official contact information to reach out and confirm the legitimacy of the message.
    4. Report Suspected Smishing: Report any suspected smishing attempts to your mobile service provider by forwarding the message to 7726 (or “SPAM”). This helps carriers identify and block fraudulent numbers.
    5. Stay Informed: Stay informed about the latest smishing tactics and trends. Regularly update yourself on common scams and security best practices to better protect yourself and your personal information.

    Smishing FAQs

    Q: How to prevent smishing?
    A: Preventing smishing involves staying vigilant and employing security best practices. Be cautious of unsolicited messages, avoid clicking on suspicious links, and verify the authenticity of senders before responding.

    Q: How to respond to smishing?
    A: If you receive a suspected smishing text, do not respond to it. Instead, report it to your mobile service provider by forwarding the message to 7726 (or “SPAM”). Additionally, consider reporting the scam to relevant authorities, such as the Federal Trade Commission (FTC).

    Q: What is smishing versus vishing?
    A: Smishing involves fraudulent text messages, while vishing involves fraudulent phone calls (voice phishing). Both tactics aim to deceive individuals into providing sensitive information, but they use different communication channels.

    Q: What happens if I click on a smishing text?
    A: Clicking on a smishing text can lead to various consequences, including phishing website redirection, malware installation on your device, or data theft. It’s crucial to avoid clicking on links in suspicious text messages to protect your personal information and device security.

    Conclusion

    By remaining vigilant and adopting proactive security measures, individuals can fortify themselves against the pervasive threat of smishing and mitigate the risk of falling victim to fraudulent schemes.

    This incident serves as a stark reminder of the evolving tactics employed by cybercriminals and the critical importance of ongoing collaboration between law enforcement agencies, industry stakeholders, and the public in combating cyber threats and preserving digital security.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Microsoft’s Patch Tuesday, June 2024: ‘Recall’ Edition

    Microsoft’s Patch Tuesday, June 2024: ‘Recall’ Edition

    Microsoft released updates addressing over 50 security vulnerabilities in Windows and related software this past Tuesday. This month’s Patch Tuesday is relatively light for Windows users. Additionally, Microsoft has responded to widespread criticism of a new feature in Windows that takes constant screenshots of user activity, announcing it will no longer be enabled by default.

    Recall’ Feature Changed to be Disabled by Default

    Last month, Microsoft introduced Copilot+ PCs, an AI-enhanced version of Windows. A controversial feature of Copilot+ called Recall continuously takes screenshots of user activity. Security experts criticized Recall as a sophisticated keylogger, warning that it could be a treasure trove for attackers if the user’s PC is compromised with malware.

    Microsoft assured users that Recall snapshots never leave the system and cannot be exfiltrated by attackers. However, former Microsoft threat analyst Kevin Beaumont revealed that any user, even a non-administrator, can export Recall data stored in a local SQLite database. Beaumont criticized the feature on Mastodon, calling it “the dumbest cybersecurity move in a decade.”

    Patrick Gray, host of the Risky Business podcast, noted that Recall’s indexed screenshots would greatly aid attackers in understanding and exploiting unfamiliar environments. He likened it to the screen recordings used in past SWIFT attacks against central banks. Following the backlash, Microsoft announced that Recall will no longer be enabled by default on Copilot+ PCs.

    Critical Vulnerabilities Addressed

    Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080)

    Among the patches released this week, only CVE-2024-30080 received Microsoft’s critical rating. This vulnerability in the Microsoft Message Queuing (MSMQ) service allows attackers to remotely control a user’s system without interaction. With a CVSS score of 9.8, Microsoft urges users to disable MSMQ if updates are not immediately possible. Kevin Breen, senior director of threat research at Immersive Labs, noted that MSMQ is not a default Windows service but emphasized the need to patch quickly, as thousands of internet-facing MSMQ servers could be vulnerable. The vulnerability allows an attacker to send a series of specially crafted MSMQ packets over HTTP to an MSMQ server, potentially resulting in remote code execution. Microsoft acknowledges the efforts of k0shl with Kunlun Lab in discovering this flaw.

    Windows Wi-Fi Driver Remote Code Execution Vulnerability (CVE-2024-30078)

    Another critical vulnerability, CVE-2024-30078, is a remote code execution flaw in the Windows WiFi Driver, also with a CVSS score of 9.8. This bug can be exploited by sending a malicious data packet to others on the same network, assuming the attacker has local network access. To exploit this vulnerability, an attacker must be within proximity to send and receive radio transmissions. Microsoft credits Wei in Kunlun Lab with Cyber KunLun for identifying this issue.

    Office Vulnerabilities

    Microsoft also addressed serious security issues in its Office applications, including two remote-code execution flaws. CVE-2024-30101, which affects Outlook, requires the user to open a malicious email and perform specific actions. The attack involves a race condition and the Preview Pane is an attack vector, though additional user interaction is required. CVE-2024-30104, another Office vulnerability, requires the user to open a malicious file, but the Preview Pane is not an attack vector in this case.

    Additional Updates from Adobe

    Additionally, Adobe released security updates for Acrobat, ColdFusion, Photoshop, and other products. For detailed information on the patches, including severity and exploitability, visit the SANS Internet Storm Center. Windows administrators should also monitor AskWoody.com for early reports on potential issues with Windows patches.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • MathJax LaTeX Exploit: GitHub Users Use CSS Injection for Profile Customization

    MathJax LaTeX Exploit: GitHub Users Use CSS Injection for Profile Customization

    This vulnerability allows arbitrary CSS injection through the Math mode of README files, effectively permitting attackers to manipulate the style of GitHub pages. Recently, this exploit gained significant attention on X (formerly Twitter), with users showcasing their customized GitHub profiles using this method. This article details the vulnerability, how it can be exploited, and provides a historical overview of similar vulnerabilities, including insights into MathJax’s code to understand why this issue exists.

    X users @cloud11665 and @Benjamin_Aster demonstrating the changes they made to their GitHub profiles, part of the large number of users showcasing their CSS-customized profiles on June 7th.

    How to Achieve the Injection

    GitHub employs MathJax to render math expressions in markdown content, such as README files, issue comments, and pull request comments. One of the LaTeX macros supported by MathJax is \unicode, which allows the rendering of a Unicode character with a customizable font style:

    latexCopy code\unicode[myfont](x0000)

    It turns out that any inline CSS can be injected within the square brackets:

    latexCopy code\unicode[myfont; color: red; position: fixed; top: 0](x0000)

    The CSS is injected into the style attribute of the <mtext> element that displays the Unicode character, allowing attackers to style their GitHub profile pages arbitrarily.

    Diving into MathJax’s Source Code

    To understand how this injection is possible, we need to examine MathJax’s source code, specifically the code handling the \unicode macro.

    The Unicode Macro

    javascriptCopy codeUnicodeMethods.Unicode = function (parser: TexParser, name: string) {
  let HD = parser.GetBrackets(name);
  let HDsplit = null;
  let font = null;
  if (HD) {
    if (HD.replace(/ /g, '').match(/^(\d+(\.\d*)?|\.\d+),(\d+(\.\d*)?|\.\d+)$/)) {
      HDsplit = HD.replace(/ /g, '').split(/,/);
      font = parser.GetBrackets(name);
    } else {
      font = HD;
    }
  }

  let def: EnvList = {};
  let variant = parser.stack.env.font as string;

  if (font) {
    UnicodeCache[N][2] = def.fontfamily = font.replace(/'/g, '\'');
    if (variant) {
      if (variant.match(/bold/)) {
        def.fontweight = 'bold';
      }
      if (variant.match(/italic|-mathit/)) {
        def.fontstyle = 'italic';
      }
    }
  } else if (variant) { /* ... */ }

  let node = parser.create('token', 'mtext', def, numeric(n));
  NodeUtil.setProperty(node, 'unicode', true);
}

    Here’s a breakdown of the code:

    • parser.GetBrackets(name) retrieves the string within the square brackets and stores it in HD.
    • font also stores the string, depending on certain conditions applied to HD.
    • def.fontfamily holds the font value, with single quotes escaped.
    • The code then creates a parser node representing an <mtext> element, passing def as its attributes.

    This process allows def.fontfamily to hold any string, including inline CSS, without proper sanitization.

    The LaTeX Parser

    The create method of TexParser is invoked to create nodes:

    javascriptCopy codepublic create(kind : string, ...rest : any[]): MmlNode {
  return this.configuration.nodeFactory.create(kind, ...rest);
}

    The nodeFactory is responsible for constructing the node representation of the Unicode macro. This leads to the AbstractMmlNode class where attributes are set:

    javascriptCopy codeexport abstract class AbstractMmlNode extends AbstractNode implements MmlNode {
  constructor(factory : MmlFactory, attributes : PropertyList = {}, children : MmlNode[] = []) {
    super(factory);
    if (this.arity < 0) {
      this.childNodes = [factory.create('inferredMrow')];
      this.childNodes[0].parent = this;
    }
    this.setChildren(children);
    this.attributes = new Attributes(
      factory.getNodeClass(this.kind).defaults,
      factory.getNodeClass('math').defaults,
    );
    this.attributes.setList(attributes);
  }
}

    The attributes object holds the styles, including fontfamily.

    Outputting to the DOM

    MathJax then converts the compiled expressions into DOM nodes. This is handled by the CHTML class, which extends CommonOutputJax:

    javascriptCopy codeexport class CHTML<N, T, D> extends
CommonOutputJax<N, T, D, CHTMLWrapper<N, T, D>, CHTMLWrapperFactory<N, T, D>, CHTMLFontData, typeof CHTMLFontData> {
  protected processMath(math: MmlNode, parent: N) {
    this.factory.wrap(math).toCHTML(parent);
  }
}

    The processMath method invokes toCHTML of the node wrapper class, which is CHTMLmtext for <mtext>:

    javascriptCopy codeexport class CHTMLWrapper<N, T, D> extends
CommonWrapper<CHTML<N, T, D>, CHTMLWrapper<N, T, D>, CHTMLWrapperClass, CHTMLCharOptions, CHTMLDelimiterData, CHTMLFontData> {
  public toCHTML(parent: N) {
    const chtml = this.standardCHTMLnode(parent);
    for (const child of this.childNodes) {
      child.toCHTML(chtml);
    }
  }

  protected handleStyles() {
    if (!this.styles) return;
    const styles = this.styles.cssText;
    if (styles) {
      this.adaptor.setAttribute(this.chtml, 'style', styles);
    }
  }
}

    The handleStyles method sets the style attribute using this.styles.cssText, which is generated from a Styles object:

    javascriptCopy codepublic get cssText(): string {
  const styles = [] as string[];
  for (const name of Object.keys(this.styles)) {
    const parent = this.parentName(name);
    if (!this.styles[parent]) {
      styles.push(name + ': ' + this.styles[name] + ';');
    }
  }
  return styles.join(' ');
}

    The vulnerability lies in how cssText is constructed. The fontfamily value, which includes the injected CSS, is converted to a string without proper sanitization, allowing the CSS injection to occur.

    Mitigation

    A safer approach involves directly manipulating the style object of the DOM element, which prevents invalid CSS values from being set:

    javascriptCopy codedocument.getElementById('my-elem').style.fontFamily = "open-sans";

    Attempting to inject invalid CSS through this method will be ignored by the browser.

    Historical Context and Related Exploits

    Past Exploits and Related Bugs

    The CSS injection in MathJax, that @cloud11665 exploited in GitHub was public a year ago MathJax Issue #3129. Much before that, @SecurityMB found a similar bug (\unicode{}) but it was an XSS back then XSS in Google Colaboratory.

    Bug Report: CSS Injection through Font-Family in Unicode Command (Issue #3129)

    • Reported by: @opcode86 on Nov 12, 2023
    • Summary: A user is able to inject custom CSS even if commands like \style are disabled. The style gets rendered into the style attribute of the element containing the Unicode character.
    • Steps to Reproduce:
      1. Go to any website that uses MathJax and allows the \unicode command.
      2. Enter the following code into the parser: \unicode[some-font; color:red; height: 100000px;]{x1234}.
    • Technical Details:
      • MathJax Version: 3.2.2 (latest commit: 8565f9da973238e4c9571a86a4bcb281b1d98d9b)
      • Client OS: Windows 10 Education 19045.3570
      • Browser: Chrome 119.0.6045.123

    @dpvc (MathJax maintainer) acknowledged the report and suggested using the safe extension to help reduce problems caused by malevolent users. However, this extension does not handle the specific issue of CSS injection. A proposed configuration to filter the fontfamily attribute was provided:

    javascriptCopy codeMathJax = {
  loader: {load: ['ui/safe']},
  startup: {
    ready() {
      MathJax.startup.defaultReady();
      const safe = MathJax.startup.document.safe;
      safe.filterAttributes.set('fontfamily', 'filterFamily');
      safe.filterMethods.filterFamily = function (safe, family) {
        return family.split(/;/)[0];
      };
    }
  }
};

    This configuration filters the fontfamily attribute to remove the first ; and anything following it. The issue was promptly addressed and fixed by the MathJax team.

    XSS in Google Colaboratory + Bypassing Content-Security-Policy

    Michał Bentkowski discovered an XSS vulnerability in Google Colaboratory, which uses the Jupyter Notebook framework, in February 2018. The issue involved the \unicode macro of MathJax. Despite initial protection mechanisms, such as Content-Security-Policy (CSP), the vulnerability persisted due to inadequate sanitization of the \unicode macro. Bentkowski demonstrated how to bypass CSP using script gadgets in popular JS frameworks like Polymer.

    The Significance of These Findings

    These findings highlight the critical importance of input sanitization and security practices in web applications. The history of this vulnerability shows that even widely used and respected libraries like MathJax can have security flaws that persist over time. The ongoing discovery of such vulnerabilities and the efforts to fix them underscore the need for continuous vigilance and improvement in security practices.

    Conclusion

    This incident highlights the importance of sanitizing user inputs to prevent injection attacks. Libraries like DOMPurify can help sanitize HTML, MathML, and SVG. Always use library-provided mechanisms for handling user input to avoid similar vulnerabilities.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • PHP CVE-2024-4577 Vulnerability Analysis: Impact and Mitigation

    PHP CVE-2024-4577 Vulnerability Analysis: Impact and Mitigation

    On June 6, 2024, PHP maintainers released critical updates addressing a severe vulnerability affecting PHP installations in CGI mode. Concurrently, researchers at DEVCORE published a comprehensive analysis detailing the vulnerability’s impact. This vulnerability, identified as CVE-2024-4577, has a CVSSv3 score of 9.8, highlighting its critical nature. This article provides an in-depth exploration of CVE-2024-4577, its origins, potential impacts, and the necessary steps for mitigation.

    Background

    CVE-2024-4577 is an argument injection vulnerability in PHP, which can lead to remote code execution (RCE). This flaw stems from errors in character encoding conversions, particularly affecting the “Best Fit” feature on Windows. The vulnerability is notable as it bypasses the patch for an older vulnerability, CVE-2012-1823, which was believed to be resolved more than a decade ago.

    Vulnerability Details

    The vulnerability arises when PHP is configured to run in CGI mode, a mode considered insecure and prone to various attacks. DEVCORE’s analysis identified two primary scenarios that increase the risk of exploitation:

    1. PHP in CGI Mode: Systems with PHP running in CGI mode are inherently vulnerable. CGI mode exposes the server to various security risks, making it a target for attackers.
    2. Exposed PHP Binary: When the PHP binary is accessible via a web-accessible directory, it increases the likelihood of exploitation. XAMPP, a widely-used PHP development environment, exposes the PHP binary by default, further exacerbating the risk.

    Historical Context

    CVE-2024-4577 bypasses protections introduced in response to CVE-2012-1823. CVE-2012-1823, discovered during a capture the flag (CTF) event in 2012, allowed remote code execution via argument injection in PHP CGI mode. Despite being patched in PHP versions 5.13.12 and 5.4.2, the new vulnerability demonstrates how minor oversights in features like Windows’ encoding conversion can reopen old security issues.

    Active Exploitation and Proof of Concept

    Following the disclosure of CVE-2024-4577, the cybersecurity community has observed active scanning and exploitation attempts. The Shadowserver Foundation reported multiple IPs testing this vulnerability against their honeypots shortly after the public disclosure.

    On June 7, 2024, researchers at watchTowr released a proof-of-concept (PoC) script on GitHub, demonstrating the ease with which this vulnerability can be exploited. This underscores the urgency for administrators to apply patches immediately.

    Mitigation and Recommendations

    PHP has released versions 8.1.29, 8.2.20, and 8.3.8 to address this vulnerability. Administrators unable to patch immediately should follow DEVCORE’s mitigation guidance, which includes:

    • Disable CGI Mode: Transition from CGI mode to more secure alternatives such as Mod-PHP, FastCGI, or PHP-FPM.
    • Restrict Access: Ensure the PHP binary is not exposed in web-accessible directories.
    • Locale Configuration: Avoid using vulnerable locales (Traditional Chinese, Simplified Chinese, Japanese) on Windows systems running PHP.

    Conclusion

    CVE-2024-4577 highlights the persistent nature of security vulnerabilities and the importance of continuous vigilance in cybersecurity. Despite previous patches, minor oversights can lead to significant security breaches. Administrators must promptly apply the latest PHP updates and consider transitioning away from insecure configurations like CGI mode to mitigate risks effectively.

    For further details and mitigation measures, refer to the DEVCORE blog and the PHP changelogs.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact