Cryptocurrency wallets, particularly those created between 2011 and 2015, have recently been thrust into the spotlight due to a significant vulnerability known as “Randstorm.” This vulnerability has raised concerns across the cryptocurrency community, highlighting the risks associated with outdated software and insufficient security measures in digital asset management.
What is the Randstorm Vulnerability?
The Randstorm vulnerability stems from a flaw in BitcoinJS, a JavaScript library used to build Bitcoin and other cryptocurrency applications that run in the browser. The library's key-generation code relied on a browser randomness API that most browsers never actually implemented, so it silently fell back to Math.random(), a general-purpose pseudo-random number generator that was never designed for cryptographic use and whose implementations in the major browsers of 2011-2015 were themselves weak. Keys produced this way were far less random than they appeared: an attacker who can model the generator only has to enumerate the states it could have been in, not guess among all 2^256 possible keys.

The root cause is insufficient entropy in the key-generation process. Entropy, in this context, is the unpredictability of the bits a key is built from; sound wallet software draws them from the operating system's cryptographically secure generator, which is seeded from unpredictable events such as hardware timing and user input rather than from a fixed formula. The affected keys often carried far less entropy than required, in some cases as little as 48 bits instead of the 256 bits a Bitcoin private key is supposed to have, which brings them within reach of brute-force search.

Several projects that used the vulnerable BitcoinJS code, such as BrainWallet, CoinPunk, and QuickCoin, are no longer operational. Other platforms that incorporated the library, including Blockchain.com, BitGo, Dogechain.info, and Blocktrail, are still active, and wallets generated with them during the affected period are potentially at risk.
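As an added illustration of why low entropy matters (example code written for this article, not code from BitcoinJS or from Unciphered), the Python script below generates a 256-bit "private key" from a toy generator seeded from a deliberately tiny seed space, then recovers it from nothing but the public address by enumerating every possible seed. The generator is a simple linear congruential generator standing in for a Math.random()-style PRNG, and the address derivation is simplified to a SHA-256 hash rather than the real Bitcoin pipeline; both are assumptions made for illustration.

```python
"""Why a low-entropy key is recoverable: added example for this article, not
code from BitcoinJS or Unciphered. The weak generator is a toy linear
congruential generator seeded from a deliberately tiny space; the address
derivation is simplified to SHA-256 (real Bitcoin addresses go through
secp256k1, SHA-256 and RIPEMD-160). Both are assumptions for illustration."""
import hashlib
import secrets

SEED_BITS = 16        # toy seed space of 2**16 states; affected real wallets were
                      # estimated at roughly 48 bits of effective entropy
KEY_BYTES = 32        # a Bitcoin private key is 256 bits


def lcg_bytes(seed: int, nbytes: int) -> bytes:
    """Toy 32-bit LCG (Numerical Recipes constants). Not cryptographically
    secure: the entire output stream is fixed once the seed is known."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    while len(out) < nbytes:
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        out.append(state >> 24)          # emit the top byte of each state
    return bytes(out)


def weak_private_key(seed: int) -> bytes:
    """What a Math.random()-style generator gives you: 256 bits of output,
    but only SEED_BITS of them are unpredictable."""
    return lcg_bytes(seed, KEY_BYTES)


def strong_private_key() -> bytes:
    """What wallet software should do: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def address_of(private_key: bytes) -> str:
    """Stand-in for address derivation: public, one-way and deterministic."""
    return hashlib.sha256(private_key).hexdigest()[:40]


def brute_force_key(target_address: str, seed_bits: int = SEED_BITS):
    """Attacker's view: only the public address is known. Enumerate every seed
    the weak generator could have started from and return the private key
    whose address matches, or None if the key was not produced this way."""
    for seed in range(1 << seed_bits):
        candidate = weak_private_key(seed)
        if address_of(candidate) == target_address:
            return candidate
    return None


def effective_entropy_bits(seed_bits: int) -> int:
    """A key is only as strong as its generator's unpredictable state."""
    return min(seed_bits, KEY_BYTES * 8)


if __name__ == "__main__":
    victim_key = weak_private_key(0xBEEF)     # whatever state the PRNG happened to hold
    recovered = brute_force_key(address_of(victim_key))
    print("weak key recovered:", recovered == victim_key,
          "after searching", effective_entropy_bits(SEED_BITS), "bits")
    print("strong key recovered:",
          brute_force_key(address_of(strong_private_key())) is not None)
```

The search space here is 2^16 so the recovery finishes in well under a second; at the 48 bits reported for the weakest real wallets the same enumeration is a matter of hardware and patience, whereas a key drawn from the OS CSPRNG stays out of reach because its 256 bits have no seed to recover.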
The Discovery and Impact
Researchers at Unciphered, a startup focused on recovering inaccessible cryptocurrency wallets, uncovered the Randstorm vulnerability while assisting a customer in January 2022. The customer had lost access to a Bitcoin wallet created in 2014 on Blockchain.info (now Blockchain.com). Although the recovery attempt failed, it led to the discovery of the vulnerability, which could potentially affect millions of wallets containing hundreds of millions of dollars.
The issue was not entirely unknown, as a security researcher identified similar flaws in 2018. However, the recent findings by Unciphered have brought renewed attention to the problem.
Moving Forward: Recommendations and Precautions
Wallets created before March 2012 are the most exposed, but those generated up to 2015 remain at risk, to a lesser degree. Unciphered estimates that around 1.4 million bitcoins could be parked in potentially vulnerable wallets. Its advice to anyone holding assets in an affected wallet is to generate a new wallet with current, trusted software and move the funds there rather than keep using the old keys; it has also been working with the affected platforms to notify users and raise awareness of the threat.
The Bigger Picture: Open-Source Software and Security
This situation highlights a critical issue in the realm of open-source software and its security implications. Open-source programs, while beneficial for community collaboration and development, can age and become vulnerable if not adequately maintained and updated. This is a stark reminder for both developers and users to stay vigilant about the software they use, especially when it concerns financial assets like cryptocurrencies.
Conclusion
The Randstorm vulnerability presents a serious security concern in the cryptocurrency world, underscoring the need for continuous vigilance and updates in digital wallet management. As the digital currency landscape evolves, so too must the security measures that protect it. Users of potentially affected wallets are strongly encouraged to take immediate action to secure their assets and contribute to a safer, more secure cryptocurrency environment.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
In a critical update, Microsoft has addressed 63 vulnerabilities in its operating systems as part of its November 2023 Patch Tuesday. This includes the patching of five zero-day vulnerabilities, three of which are currently being exploited by attackers. These updates are vital for securing systems against potential breaches and attacks.
Zero-Day Vulnerabilities in the November Patch
Actively Exploited Zero-Days:
CVE-2023-36025: A security feature bypass in Windows SmartScreen that lets attackers evade the checks SmartScreen applies to malicious websites and files. Exploitation requires user interaction: the victim must click a specially crafted Internet Shortcut (.url) file, or a hyperlink pointing to one, before the bypass takes effect.
CVE-2023-36033: An Elevation of Privilege (EoP) flaw in the Windows Desktop Window Manager (DWM) Core Library. If exploited, it could enable attackers to gain SYSTEM privileges, significantly compromising system security.
CVE-2023-36036: Another EoP vulnerability, this time in the Windows Cloud Files Mini Filter Driver, also potentially granting SYSTEM privileges to attackers.
Other Notable Zero-Days:
CVE-2023-36413: A security feature bypass in Microsoft Office that allows a crafted document to open outside Protected View, the read-only sandbox Office normally uses for files from untrusted sources.
CVE-2023-36038: A denial-of-service flaw in ASP.NET Core; an attacker can exhaust server resources by repeatedly cancelling HTTP requests.
Other Patch Tuesday Vulnerabilities
Of the 58 vulnerabilities that were not zero-days, three were rated critical. The first is an Azure information disclosure vulnerability that, if exploited, could expose sensitive data. The second is a flaw in Windows Internet Connection Sharing (ICS) that allowed remote code execution. The third is a Hyper-V escape that could let an attacker in a guest run code with SYSTEM privileges on the host. By category, the month's fixes break down as follows:
16 Elevation of Privilege Vulnerabilities
6 Security Feature Bypass Vulnerabilities
15 Remote Code Execution Vulnerabilities
6 Information Disclosure Vulnerabilities
5 Denial of Service Vulnerabilities
11 Spoofing Vulnerabilities
Organizations using Microsoft Exchange Server should urgently deploy the new patches. The updates include a fix for CVE-2023-36439, a vulnerability that could allow attackers to install malicious software on an Exchange server.
Conclusion
Given the severity of these vulnerabilities and the fact that some are already being exploited, users and administrators should apply the updates promptly. Delaying leaves systems exposed to breaches, data theft, and operational disruption. For details on every vulnerability and its impact, consult Microsoft's full November 2023 Patch Tuesday release notes.
In January 2023, the FBI, working with German and Dutch authorities, dismantled Hive, a prolific ransomware group that had extorted more than $100 million from victims across many sectors since June 2021. Over roughly seven months the FBI had infiltrated Hive's network, obtaining decryption keys for over 300 recent victims and a further 1,000 keys for earlier victims, and heading off an estimated $130 million in ransom payments. No arrests were made, however, and the takedown of Hive's infrastructure left a void in the ransomware landscape. Hunters International emerged soon after Hive's fall and was initially suspected of being a rebrand of Hive; subsequent analysis showed otherwise.
How is Hunters International Different From Hive?
Although Hunters International's code overlaps with Hive's by roughly 60%, the group has changed key parts of Hive's modus operandi. To begin with, it simplified Hive's encryption scheme: files are encrypted with ChaCha20-Poly1305, the per-file key is wrapped with RSA-OAEP, and the wrapped key is embedded in the encrypted file itself, in place of Hive's more complex key generation and storage process. The group also cut down Hive's extensive set of command-line arguments, which suggests an effort to make the tooling easier for its operators to use. A notable part of its playbook is aggressive tampering with backup and recovery systems, in particular deleting Volume Shadow Copies, so that victims cannot restore data without paying. Equipped with Hive's mature toolkit and an opportunistic approach to targeting, the group poses a significant challenge, and its emphasis on data exfiltration reflects a broader shift in ransomware tactics toward data theft rather than encryption alone.
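The backup-destruction step is the part of this playbook defenders can most reliably catch, because it has to run as ordinary commands on the victim host before encryption starts. The following detector is an added example written for this article (not code from any vendor product or from the malware itself): it evaluates process-creation events against the command-line patterns ransomware uses to wipe shadow copies and disable recovery, and it raises the severity when one host trips several distinct rules. The event format and the sample events are constructed assumptions; real telemetry would come from Sysmon Event ID 1, Windows Security Event 4688 or an EDR.

```python
"""Added example for this article, not vendor or malware code: flag process
creations that destroy recovery points before ransomware encryption begins.
Event fields (host, user, image, command_line) are an assumption about the
telemetry source; the sample events below are constructed, not real."""
import re
from typing import Dict, Iterable, List

# (rule name, regex over the lower-cased command line). The regexes tolerate
# ".exe", extra switches and word order variations seen in the wild.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",            # shrinking storage evicts existing copies
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_win32_shadowcopy",
     re.compile(r"win32_shadowcopy.*\b(delete|remove-wmiobject)\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
]


def match_rules(command_line: str) -> List[str]:
    """Names of every rule the command line triggers (empty list if none)."""
    cl = command_line.lower()
    return [name for name, rx in SHADOW_COPY_RULES if rx.search(cl)]


def scan_events(events: Iterable[Dict[str, str]]) -> List[Dict]:
    """Turn matching process-creation events into alerts."""
    alerts = []
    for ev in events:
        hits = match_rules(ev.get("command_line", ""))
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "image": ev["image"],
                           "rules": hits, "command_line": ev["command_line"]})
    return alerts


def hosts_with_multiple_techniques(alerts: List[Dict], threshold: int = 2) -> List[str]:
    """Ransomware typically runs several of these back to back. A host that
    trips two or more distinct rules deserves an immediate response; a single
    hit may still be an administrator reclaiming disk space."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).update(a["rules"])
    return sorted(h for h, rules in seen.items() if len(rules) >= threshold)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"host": "FS01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS22", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},                     # benign: read-only
    {"host": "WS07", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["rules"], a["command_line"])
    print("hosts with >=2 techniques:", hosts_with_multiple_techniques(found))
```

Treat any hit on a file server or domain controller as an incident trigger rather than a ticket: once the shadow copies are gone, the encryption run that follows is usually minutes away, and the window for isolating the host is small.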
Versatility of Ransomware Groups in Utilizing Others’ Source Code
One of the most striking aspects of modern ransomware operations, as the Hive and Hunters International story shows, is the adaptability of ransomware groups, particularly in their reuse of other groups' source code. By acquiring Hive's source code and infrastructure, Hunters International demonstrated how such groups can rapidly evolve and sustain operations even after a major law enforcement disruption. The key points about ransomware code sharing, and how it lets groups evolve and grow more capable quickly, are:
Resource Acquisition and Adaptation: Ransomware groups often acquire resources from dismantled groups, not just for convenience, but also to capitalize on the established reputation and proven effectiveness of existing tools. This approach allows them to hit the ground running with a mature and tested toolkit.
Strategic Evolution: The use of another group’s source code isn’t merely a copy-paste endeavor. Groups like Hunters International strategically evolve and adapt the code to suit their specific operational goals and tactics, as seen in their shift from data encryption to data exfiltration.
Rapid Deployment and Learning Curve: Leveraging existing ransomware code reduces the development time and technical learning curve. This enables new or rebranded groups to deploy sophisticated attacks much faster than if they were developing their tools from scratch.
Collaborative and Competitive Nature: The ransomware ecosystem operates both collaboratively and competitively. While groups may share, sell, or acquire code, they also compete for targets and reputation within the dark web community. This dynamic fosters continuous innovation and adaptation among these groups.
Challenge for Cybersecurity: This trend poses a significant challenge for cybersecurity professionals and organizations. The ability of ransomware groups to quickly adapt and evolve using existing resources means that defense strategies must be equally agile and proactive, focusing on both prevention and rapid response to emerging threats.
Network Segmentation and Regular Audits: Segmentation can limit internal movement post-breach, while routine security audits help identify and fix vulnerabilities.
Access Control and Employee Training: Regular access reviews and employee awareness programs are crucial to prevent unauthorized data access and recognize phishing attempts.
Conclusion
The reuse of other groups' source code by entities such as Hunters International underscores the need for continuous vigilance and adaptation in cybersecurity strategy. Ransomware's popularity drives constant innovation, and groups that can build on existing ransomware tooling and tradecraft demand a field of network defenders that adapts just as constantly.
CVE-2023-22518 is a significant concern for organizations running Confluence Data Center and Server. Atlassian rated the vulnerability 10/10 on the CVSS scale based on its own assessment; at the time of writing the NVD has not yet published a score. It is the second major Confluence vulnerability in a matter of weeks, following CVE-2023-22515, a broken access control bug that the NVD rated 9.8/10 on CVSS v3.1 and that has generated considerable concern across the security community. CVE-2023-22518 is an improper authorization flaw that, in the NVD's words, “allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account.” With that account an attacker can do anything an administrator can, including reading, altering and destroying content, so a successful exploit compromises confidentiality, integrity and availability alike. Atlassian, the company behind Confluence, has acknowledged the vulnerability and released patches.
Threat Detection
Signs of a potential compromise include:
Loss of login access.
Suspicious requests to /json/setup-restore* endpoints in access logs.
Installation of unknown plugins, particularly any named web.shell.Plugin.
Encrypted files or corrupted data.
Unusual entries in the confluence-administrators group or newly created user accounts
Rapid7 Managed Detection and Response has also published a list of indicators of compromise associated with exploitation of CVE-2023-22518.
If you detect any of these indicators, assume that your instance has been compromised and enact your security incident response plan.
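The access-log indicator above is the easiest one to check retroactively. The script below is an added example written for this article (not code from Atlassian or Rapid7): it scans Confluence access-log lines for requests to the three setup-restore endpoints and for a subsequent plugin upload through the plugin-management API, and it separates attempts that were blocked from ones Confluence actually processed, since only the latter mean the reset succeeded. The log lines are constructed and assume the combined access-log format written by Tomcat or a reverse proxy; adjust LOG_RE for your deployment.

```python
"""Added example for this article, not Atlassian or Rapid7 code: scan Confluence
access logs for CVE-2023-22518 exploitation attempts and tell blocked attempts
apart from requests the application processed. The log format and sample
lines are assumptions; the endpoints come from Atlassian's advisory."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The three endpoints named in Atlassian's advisory, with optional query string
# or ;jsessionid suffix.
SETUP_RESTORE_RE = re.compile(r"^/json/setup-restore(?:-local|-progress)?\.action(?:[?;].*)?$")
# Follow-on activity seen after a successful reset: installing a plugin (such as
# the web.shell.Plugin the article mentions) through the plugin-management API.
PLUGIN_UPLOAD_RE = re.compile(r"^/rest/plugins/1\.0/?(?:\?.*)?$")

Hit = Tuple[str, str, str, str, str]   # (timestamp, method, path, status, label)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label an access-log entry, or return None when it is not an indicator."""
    path = entry["path"]
    if SETUP_RESTORE_RE.match(path):
        # 2xx/3xx: Confluence handled the request. 401/403/404: a WAF, the
        # web.xml block or another layer stopped it before it reached the app.
        if entry["status"].startswith(("2", "3")):
            return "setup-restore PROCESSED"
        return "setup-restore blocked"
    if entry["method"] == "POST" and PLUGIN_UPLOAD_RE.match(path):
        return "plugin upload"
    return None


def scan_access_log(lines) -> Dict[str, List[Hit]]:
    """Group indicator hits by source IP, preserving log order."""
    findings: Dict[str, List[Hit]] = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                      # unparseable line, not silently an indicator
        label = classify(entry)
        if label:
            findings[entry["ip"]].append(
                (entry["ts"], entry["method"], entry["path"], entry["status"], label))
    return dict(findings)


def likely_compromised(findings: Dict[str, List[Hit]]) -> List[str]:
    """Sources whose setup-restore request was processed. If this is non-empty,
    treat the instance as compromised and start incident response."""
    return sorted(ip for ip, hits in findings.items()
                  if any(h[4] == "setup-restore PROCESSED" for h in hits))


# Constructed sample log (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2023:03:14:07 +0000] "GET /json/setup-restore.action HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.7 - - [02/Nov/2023:03:14:09 +0000] "POST /json/setup-restore-local.action;jsessionid=abc HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [02/Nov/2023:03:14:15 +0000] "GET /json/setup-restore-progress.action?taskId=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [02/Nov/2023:03:15:01 +0000] "POST /rest/plugins/1.0/?token=deadbeef HTTP/1.1" 202 45 "-" "python-requests/2.31"
198.51.100.23 - - [02/Nov/2023:03:16:40 +0000] "GET /json/setup-restore.action HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Nov/2023:08:00:02 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for ip, events in hits.items():
        for ev in events:
            print(ip, *ev)
    print("likely compromised via:", likely_compromised(hits))
```

A blocked request is still worth recording: it tells you who was probing and when, and a source that was blocked at one endpoint but processed at another indicates the block was incomplete. Pair the log review with the other indicators in the list above, since an attacker who completed the restore may also have rotated the logs.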
Advisory and Immediate Action Steps
On discovering the vulnerability, Atlassian’s Chief Information Security Officer issued a statement urging immediate action. Given the potential for significant data loss, it’s critical that organizations utilizing affected Confluence versions respond as soon as possible.
In order to secure your systems:
Patch Immediately: Update to one of the fixed versions provided by Atlassian, which includes 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
Temporary Mitigations: If patching is not feasible immediately, you should:
Backup your instance.
Remove your instance from public internet access, if possible.
Apply interim mitigations by blocking the affected endpoints (/json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action) at the network layer or by updating the web.xml configuration file in your Confluence installation. These mitigations only close the known entry points; they are not a substitute for patching.
The Common Vulnerability Scoring System (CVSS) is the standard for rating the severity of security vulnerabilities in computer systems. Its latest iteration, CVSS version 4.0, was first shown in a public preview on June 8, 2023, at the 35th annual FIRST Conference in Montreal, and reached general availability on November 1, 2023. It brings numerous changes intended to address shortcomings of the previous edition, CVSS v3.1: new nomenclature that makes clear which metric groups a score reflects, a streamlined approach to threat metrics, a finer-grained User Interaction metric, and the retirement of the Scope metric in favor of clearer impact assessment. It also adds guidance for consistent scoring across sectors and supports multiple scores for the same vulnerability across different products. Together these enhancements aim to improve the precision, clarity, and applicability of the framework.
Figure (from Qualys): the differences between CVSS v3.1 and CVSS v4.0.
What’s Changed in CVSS v4.0?
Nomenclature Adjustment for Clearer Metric Representation
CVSS v4.0 addresses the misconception that the overall CVSS score is synonymous with the Base Score. The new nomenclature — CVSS-B for Base metrics, CVSS-BE for Base and Environmental metrics, CVSS-BT for Base and Threat metrics, and CVSS-BTE for the combination of all three — highlights the importance of considering all aspects of a vulnerability rather than just base metrics. This change aids in a more comprehensive vulnerability assessment by encouraging consideration of the environmental and threat-related aspects that affect severity.
Threat Metrics Overhaul for Simplification and Relevance
The transition from Temporal to Threat metrics is a significant overhaul. Remediation Level and Report Confidence are retired, Exploit Code Maturity is renamed Exploit Maturity, and its former High and Functional values are merged into a single Attacked value (alongside Proof-of-Concept and Unreported). The result is a smaller, more relevant metric group that asks a direct question, whether the vulnerability is actually being exploited, rather than speculating about future exploit potential.
Enhanced User Interaction Metric for Detailed Exploit Context
The User Interaction (UI) metric in CVSS v4.0 now distinguishes three cases: None, Passive (limited, involuntary interaction, such as a user visiting a page or opening a message that triggers the exploit) and Active (the user must deliberately perform specific actions with the vulnerable component). The distinction matters because it changes the likelihood that an exploit succeeds. This finer-grained view of user interaction also helps organizations judge how much user education and awareness can contribute to preventing a given class of attack.
Retirement of the Scope Metric for Consistent Scoring
The retirement of the Scope (S) metric is a move made in order to eliminate inconsistencies that arose from its ambiguous nature. CVSS v4.0 replaces it with two distinct sets of impact metrics: one for the vulnerable system (VC, VI, VA) and one for subsequent systems (SC, SI, SA). This change ensures a clearer and more consistent assessment of the impact on both the directly vulnerable system and any affected collateral systems.
Additional Guidance for Cross-Sector Vulnerability Assessment
CVSS v4.0 extends beyond a one-size-fits-all approach by offering additional guidance in order to produce consistent scores across different industry sectors and supporting multiple scores for the same vulnerability when it affects various products, platforms, or operating systems. This is a forward-thinking move that acknowledges the complex and varied nature of the digital ecosystem.
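The structural changes above are easiest to see in the vector string itself. The following Python is an added example written for this article (it is not FIRST's specification or calculator): it parses and validates a CVSS v4.0 vector, reports which metric groups are present and therefore which nomenclature (CVSS-B, -BT, -BE or -BTE) the score should carry, and splits the impact metrics into the vulnerable-system and subsequent-system sets that replace Scope. It deliberately does not compute the numeric score, which requires the MacroVector lookup tables from the specification. It also recognises the Supplemental metric group (S, AU, R, V, RE, U), which the text above does not discuss; that group never affects the score.

```python
"""Added example for this article, not FIRST's specification or calculator:
parse and validate a CVSS v4.0 vector string and report which metric groups it
carries. Metric names and allowed values follow the v4.0 specification; no
numeric score is computed."""
from typing import Dict

BASE = {
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"),
    "PR": tuple("NLH"), "UI": tuple("NPA"),
    "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),   # vulnerable system
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),   # subsequent system(s)
}
THREAT = {"E": tuple("XAPU")}   # Exploit Maturity: Not Defined, Attacked, POC, Unreported
ENVIRONMENTAL = {
    "CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML"),
    "MAV": tuple("XNALP"), "MAC": tuple("XLH"), "MAT": tuple("XNP"),
    "MPR": tuple("XNLH"), "MUI": tuple("XNPA"),
    "MVC": tuple("XHLN"), "MVI": tuple("XHLN"), "MVA": tuple("XHLN"),
    "MSC": tuple("XHLN"), "MSI": tuple("XSHLN"), "MSA": tuple("XSHLN"),  # S = Safety
}
SUPPLEMENTAL = {
    "S": tuple("XNP"), "AU": tuple("XNY"), "R": tuple("XAUI"), "V": tuple("XDC"),
    "RE": tuple("XLMH"), "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector: str) -> Dict[str, str]:
    """Split 'CVSS:4.0/AV:N/...' into a metric->value map, rejecting unknown
    metrics, invalid values, duplicates and missing base metrics."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: " + parts[0])
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not name or not value or name in metrics:
            raise ValueError("malformed or duplicate metric: " + part)
        allowed = ALL_METRICS.get(name)
        if allowed is None:
            raise ValueError("unknown metric: " + name)
        if value not in allowed:
            raise ValueError("invalid value %r for %s" % (value, name))
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing required base metrics: " + ", ".join(missing))
    return metrics


def groups_present(metrics: Dict[str, str]) -> Dict[str, bool]:
    """A group counts as present only if at least one of its metrics is set to
    something other than X (Not Defined), the specification's default."""
    def used(group):
        return any(metrics.get(m, "X") != "X" for m in group)
    return {"threat": used(THREAT), "environmental": used(ENVIRONMENTAL),
            "supplemental": used(SUPPLEMENTAL)}


def nomenclature(metrics: Dict[str, str]) -> str:
    """The label a score derived from these metrics should carry."""
    g = groups_present(metrics)
    return "CVSS-B" + ("T" if g["threat"] else "") + ("E" if g["environmental"] else "")


def impact_summary(metrics: Dict[str, str]) -> Dict:
    """v4.0 replaces the Scope flag with two explicit impact sets; report both."""
    return {
        "vulnerable_system": {k: metrics[k] for k in ("VC", "VI", "VA")},
        "subsequent_system": {k: metrics[k] for k in ("SC", "SI", "SA")},
        "affects_subsequent_system": any(metrics[k] != "N" for k in ("SC", "SI", "SA")),
    }


def user_interaction(metrics: Dict[str, str]) -> str:
    return {"N": "None", "P": "Passive (limited, involuntary)",
            "A": "Active (deliberate, conscious)"}[metrics["UI"]]


if __name__ == "__main__":
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for v in (base, base + "/E:A", base + "/E:A/CR:H/MSI:S"):
        m = parse_vector(v)
        print(nomenclature(m), user_interaction(m),
              "subsequent systems affected:", impact_summary(m)["affects_subsequent_system"])
```

The practical point is the rejection of a vector with the wrong version prefix or with a v3.1-style value such as E:H: a tool that silently accepts those will label a CVSS-BTE figure as CVSS-B, which is exactly the confusion the new nomenclature was introduced to remove.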
Conclusion
The release of CVSS v4.0 is a significant advance in vulnerability scoring. By providing clearer metrics, retiring ambiguous ones, and adding new layers of detail, it improves both the accuracy and the clarity of vulnerability assessments. Broad adoption by the cybersecurity community will lead to better assessments and more effective remediation of vulnerable systems. For more information on CVSS v4.0, refer to the official documentation on the FIRST website.
The term “deepfake”, a blend of “deep learning” and “fake”, refers to synthetic media, whether images, audio or video, manipulated so that it conveys a message the original never did. Using machine learning, malicious actors combine images and sounds from various sources to create hoax videos and pictures. Built on neural networks, deepfakes are most commonly used to mislead the public through misinformation or propaganda, typically to sway opinion about a person or idea. Because deepfakes pose a real risk to cybersecurity, Netizen has put together an overview of the threats they pose, an explanation of the underlying technology, and an advisory on how to deal with them.
Deepfake Technology as a Cybersecurity Threat
Threat actors consistently turn emerging technology to their own ends, whether to gain a foothold in systems or to achieve other malicious goals. The security threats associated with deepfake technology include:
Social Engineering: Deepfakes significantly enhance the effectiveness of social engineering attacks by providing visual or auditory proof, making deceptive claims more believable. For example, a deepfake video could be created to show a fake endorsement from a trusted figure, thereby tricking individuals into taking actions such as clicking on malicious links or providing sensitive information.
Difficulty of Authentication: The sophistication of deepfakes creates a challenge in authenticating digital media. Traditional methods of verifying the authenticity of images or videos may become obsolete, necessitating the development of advanced detection and verification technologies. This raises the bar for cybersecurity measures and could lead to increased operational costs for organizations.
Misinformation Campaigns: Deepfakes can be used to fabricate realistic-looking media to spread misinformation, stir public discord, or manipulate opinions on a large scale. They can be deployed to create fake news, alter public perception, or even influence elections and other significant events. The potential for deepfakes to spread virally on social media platforms amplifies the risks associated with misinformation campaigns.
Identity Theft: By creating realistic representations of individuals saying or doing things they never did, deepfakes enable a new form of identity theft. This could be used for fraud, defamation, or to cause reputational damage. For instance, malicious actors could create deepfake videos of executives making false statements to manipulate stock prices or deceive stakeholders.
To carry out the attacks above, deepfake tools rely on a subset of machine learning known as deep learning, built from neural networks, to synthesize the media they produce.
What is a Neural Network?
A neural network is a computing model inspired by the brain's interconnected neurons, designed to analyze and interpret data. A basic neural network is composed of three kinds of layers, each with a different role in processing:
Input Layer: The layer where the network receives its data. Each neuron in this layer corresponds to one element in the input data.
Hidden Layers: These are the layers between the input and output layers, where the computation happens. They help in extracting and refining input data.
Output Layer: This is where the network makes a decision or prediction based on the input data and the computations that have occurred in the hidden layers.
Deep neural networks are more complex than a basic network: they stack many hidden layers (more than three layers in total), which lets them learn far more detailed representations. Deep learning networks can discover, learn, and extract features from data automatically, without manual feature engineering, which is what makes them effective at complex tasks such as producing a realistic deepfake of a celebrity or political candidate.
Different Types of Neural Networks in Deepfake Technology
Due to the complexity of deep learning, many different types of neural networks are behind the creation of deepfake visual media.
Generative Adversarial Networks (GANs): Deepfakes primarily employ Generative Adversarial Networks (GANs), a class of machine learning frameworks, where two neural networks, namely the Generator and the Discriminator, contest with each other. The Generator creates new data instances that resemble a given dataset, while the Discriminator evaluates the generated data, distinguishing between real and fake. Through iterative training, the Generator becomes proficient at producing realistic data, capable of fooling the Discriminator.
Autoencoders and Variational Autoencoders (VAEs): Besides GANs, autoencoders, especially Variational Autoencoders (VAEs), are used to decompose and reconstruct images, enabling the modification of facial features in videos. These networks learn to encode the data into a lower-dimensional space and decode it back to its original form, with modifications as required to create deepfakes.
Recurrent Neural Networks (RNNs) and Long Short-Term Memory (LSTM): For audio synthesis or manipulation, technologies like Recurrent Neural Networks (RNNs) and Long Short-Term Memory Networks (LSTMs) are employed. They are adept at handling sequential data, making them suitable for audio and video processing.
All three types of neural networks are heavily used in deep learning and therefore in deepfake technology. By combining them in a larger model, threat actors can create extremely convincing photos, audio, and video for malicious purposes.
Advisory:
Preventing deepfakes from affecting personal and organizational cybersecurity is a multi-step process that requires both continuous effort and awareness. Here are several advisory steps that can be taken to ensure you’re protected:
Education and Awareness: Raise awareness about deepfakes among employees and stakeholders. Conduct training sessions to educate them on how deepfakes can be used maliciously, and how to recognize potential deepfake attempts.
Verification Procedures: Implement robust verification procedures for sensitive communications. For instance, use multi-factor authentication, and confirm requests for sensitive information or transactions through a secondary communication channel.
Deepfake Detection Tools: Invest in or develop deepfake detection tools that can analyze digital media to determine its authenticity. Keep these tools updated as deepfake technology evolves.
Regular Audits: Conduct regular audits to check the integrity of digital media and communications within your organization.
Secure Communication Channels: Employ secure communication channels with end-to-end encryption to ensure that the data being shared remains confidential and unaltered.
Cybersecurity Policies: Update your cybersecurity policies to address the risks posed by deepfakes. This includes defining procedures for verifying and handling digital media, especially in critical or sensitive situations.
Incident Response Plan: Develop an incident response plan for handling potential deepfake attacks. This plan should outline how to verify the authenticity of suspicious communications, how to contain and mitigate the impact of a deepfake attack, and how to communicate with stakeholders during and after an incident.
Continuous Monitoring: Establish a continuous monitoring system to detect unusual activities, and keep abreast of the latest developments in deepfake technology and detection techniques.
By taking a comprehensive approach that combines education, technical solutions, and proactive monitoring, you can significantly mitigate the risks posed by deepfakes to your or your organization’s cybersecurity.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Intrusion Detection Systems (IDS) serve as a critical layer in the cybersecurity infrastructure of organizations. These systems monitor network traffic or host activities for malicious actions or policy violations. Deployed as software or hardware, IDS are categorized into Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS). The former scrutinizes the traffic on networks, identifying suspicious patterns that may signify a network breach, while the latter monitors a host for anomalous activities, such as system calls or file modifications. The core functionality of an IDS lies in its ability to detect intrusions, log events, and send alerts. Many modern IDS have evolved to include response features, transitioning them into Intrusion Prevention Systems (IPS). They operate by comparing the observed network or system activities against a database of known attack signatures or employing heuristic analysis to identify unknown threats based on behavior.
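The two detection styles described above, signature matching against a database of known-bad patterns and heuristic analysis of behavior, side by side in a small host-based detector. This is an added example, not code from the Netizen post or any IDS product; the event format, the signature set and the burst threshold are constructed for the demo.

```python
"""Minimal host-based detection engine: signatures plus a behavioral heuristic.

Added example (not from the Netizen post or any IDS product). The same event
stream is checked against (1) a signature database of known-bad patterns and
(2) a heuristic (failed-login burst) that needs no fixed signature.
Events are constructed, in a simplified "<ISO timestamp> <source> <message>" form.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed host events (not real logs).
SAMPLE_EVENTS = """\
2023-10-30T08:00:01 sshd Failed password for invalid user admin from 203.0.113.9 port 51001
2023-10-30T08:00:02 sshd Failed password for invalid user admin from 203.0.113.9 port 51002
2023-10-30T08:00:03 sshd Failed password for invalid user admin from 203.0.113.9 port 51003
2023-10-30T08:00:04 sshd Failed password for invalid user admin from 203.0.113.9 port 51004
2023-10-30T08:00:05 sshd Failed password for invalid user admin from 203.0.113.9 port 51005
2023-10-30T08:00:06 sshd Failed password for invalid user admin from 203.0.113.9 port 51006
2023-10-30T08:10:00 sshd Accepted publickey for deploy from 198.51.100.4 port 40000
2023-10-30T08:11:30 audit file modified path=/etc/passwd uid=0
2023-10-30T09:00:00 sshd Failed password for root from 192.0.2.5 port 60000
"""

# Signature database (constructed): rule name -> pattern of a known-bad event.
SIGNATURES = {
    "sensitive-file-modified": re.compile(r"file modified path=/etc/(passwd|shadow|sudoers)\b"),
    "root-password-login-attempt": re.compile(r"Failed password for root from"),
}

# Event shape the heuristic keys on: any failed password login and its source.
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+)")


def parse_event(line):
    """Split one constructed event line into (timestamp, source, message)."""
    ts_str, source, message = line.split(" ", 2)
    return datetime.fromisoformat(ts_str), source, message


def detect(events_text, burst_threshold=5, burst_window=timedelta(seconds=60)):
    """Return alerts as (timestamp, rule name, detail) tuples, in event order."""
    alerts = []
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps within the window
    for line in events_text.splitlines():
        ts, source, message = parse_event(line)

        # 1) Signature matching: the event text is compared against every known pattern.
        for name, pattern in SIGNATURES.items():
            if pattern.search(message):
                alerts.append((ts, name, message))

        # 2) Heuristic: a burst of failed logins from one source, no exact signature needed.
        m = FAILED_LOGIN_RE.search(message)
        if m:
            src = m["src"]
            window = recent_failures[src]
            window.append(ts)
            while window and ts - window[0] > burst_window:   # drop failures older than the window
                window.popleft()
            if len(window) == burst_threshold:                 # alert once, when the count reaches the threshold
                alerts.append((ts, "failed-login-burst",
                               f"{len(window)} failed logins from {src} within {burst_window}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} ALERT {rule}: {detail}")
```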
Benefits of Implementing an IDS
Implementing IDS offers a plethora of benefits to organizations, some of which are delineated below:
Early Detection of Security Incidents:
Intrusion Detection Systems (IDS) are designed to provide real-time monitoring and alerting, making them indispensable for early detection of security incidents. When malicious activity is detected, the IDS alerts the security personnel, allowing for immediate action. This swift detection and response can be the linchpin in averting substantial damage, data breaches, or system compromises which could otherwise have severe financial and reputational repercussions.
Documentation and Compliance:
Regulatory compliance is a paramount concern for many organizations, especially those in highly regulated industries like healthcare and finance. IDS contribute to compliance efforts by meticulously logging security incidents and abnormal activities. These logs can be utilized to generate automated compliance reports, demonstrating an organization’s adherence to requisite legal and industry standards, thus mitigating the risk of penalties and fines associated with non-compliance.
Forensic Analysis:
In the aftermath of a security incident, forensic analysis is crucial for understanding the scope and impact of the intrusion. The data captured by IDS during the incident provides a wealth of information that can be analyzed to identify the exploited vulnerabilities, the origin of the attack, and the extent of the damage. This analysis is instrumental in devising remediation strategies and enhancing the organization’s security measures to thwart similar incidents in the future.
Enhanced Situational Awareness:
IDS equip organizations with enhanced situational awareness regarding their security posture. By providing insights into network and system activities, they furnish a clearer understanding of the operational environment. This heightened awareness is crucial for making informed security decisions, optimizing resource allocation, and ensuring that the organization’s security strategies are commensurate with the prevailing threat landscape.
Trend Analysis:
The continuous data collection facilitated by IDS can be harnessed for trend analysis. Over time, analyzing this data can unveil recurring issues, anomalous patterns, and potential vulnerabilities. This trend analysis is invaluable for proactive security measures, allowing organizations to anticipate and prepare for potential threats, and to evaluate and refine their existing security protocols.
Threat Intelligence Integration:
Modern IDS can seamlessly integrate with threat intelligence feeds, thereby enriching their signature databases and heuristic algorithms. This integration amplifies the system’s ability to identify and respond to emerging threats by staying updated on the latest malicious tactics, techniques, and procedures. It fosters a more robust and adaptive security posture capable of contending with the evolving threat landscape.
Resource Optimization:
By automating the mundane yet critical task of monitoring and analyzing network or system activities, IDS liberate valuable human resources. This automation allows security personnel to channel their focus towards more strategic, high-level tasks, thus optimizing the utilization of resources and enhancing the overall efficacy and efficiency of the organization’s security operations.
Cost Reduction:
The early detection, automated reporting, and enhanced efficiency afforded by IDS contribute to significant cost reduction. By averting or mitigating security incidents and streamlining compliance management, organizations can curtail the associated financial burdens. Furthermore, the optimized utilization of human resources and the refined operational efficiency can lead to long-term cost savings.
Conclusion
The deployment of Intrusion Detection Systems is a quintessential component in fortifying an organization’s cybersecurity framework. It not only acts as a deterrent against malicious activities but also furnishes a robust foundation for a resilient security posture, which is indispensable in the contemporary digital landscape fraught with evolving threats. Through continuous monitoring, alerting, and reporting, IDS empower organizations to uphold their integrity, safeguard their assets, and maintain the trust and confidence of their stakeholders.
Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from October that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2023-22515:
A Broken Access Control issue could lead to unauthorized administrative access and potential data exfiltration. At the time of writing, NIST had not yet provided a CVSSv3 base score for this vulnerability; it affects Atlassian Confluence Data Center and Server versions 8.0.0 through 8.5.1. The vulnerability allows unauthenticated remote threat actors to create unauthorized Confluence administrator accounts by sending a request to the unauthenticated /server-info.action endpoint and subsequently accessing the /setup/setupadministrator.action endpoint to create a new administrator user. Attacks utilizing this CVE require no user interaction, as it can be exploited remotely. Exploit details and proofs of concept have been observed in open source publications as of October 10, 2023. The recommended mitigation is to immediately upgrade to a fixed version as per Atlassian’s upgrading instructions. If upgrading is not immediately feasible, restricting untrusted network access is advised until upgrades can be applied. For more technical details or proof of concept, refer to Atlassian’s security advisory for CVE-2023-22515 and the CISA advisory AA23-289A.
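The two endpoints named above are what a defender can look for in Confluence web access logs after the fact. The following log triage is an added example, not code from the Netizen post, Atlassian or CISA: it correlates a /server-info.action request with a later /setup/setupadministrator.action request from the same client and flags any access to the setup endpoint on an already-running instance. The log lines, the log format and the 10-minute correlation window are constructed assumptions.

```python
"""Triage web access logs for the CVE-2023-22515 request sequence.

Added example (not from the Netizen post, Atlassian or CISA). Flags clients that
reach /server-info.action and then /setup/setupadministrator.action, the two
endpoints the writeup names, and any client touching the setup endpoint at all,
since that endpoint should be dead once setup is complete.
The log format and sample lines are constructed for the demo.
"""
import re
from datetime import datetime, timedelta

# Constructed access log lines (common log format style, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "GET /server-info.action HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:14:02:13 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:14:02:15 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.5 - - [10/Oct/2023:14:05:00 +0000] "GET /login.action HTTP/1.1" 200 8192
198.51.100.5 - - [10/Oct/2023:14:05:02 +0000] "GET /server-info.action HTTP/1.1" 200 1024
192.0.2.9 - - [10/Oct/2023:15:30:00 +0000] "POST /confluence/setup/setupadministrator.action HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
PROBE = "/server-info.action"                 # unauthenticated endpoint used first
SETUP_ADMIN = "/setup/setupadministrator.action"  # endpoint that creates the admin user
SEVERITY_RANK = {"medium": 1, "high": 2}


def parse(line):
    """Return (client, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["target"].split("?", 1)[0]       # ignore any query string
    return m["client"], ts, m["method"], path


def triage(log_text, window=timedelta(minutes=10)):
    """Return one finding per client: {'client', 'severity', 'reason'}."""
    last_probe = {}   # client -> time of its most recent /server-info.action request
    findings = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, ts, method, path = rec
        # endswith() tolerates a context path such as /confluence/... in front of the endpoint.
        if path.endswith(PROBE):
            last_probe[client] = ts
            continue
        if not path.endswith(SETUP_ADMIN):
            continue
        probe_ts = last_probe.get(client)
        if probe_ts is not None and timedelta(0) <= ts - probe_ts <= window:
            severity = "high"
            reason = f"{PROBE} followed by {method} {SETUP_ADMIN} after {ts - probe_ts}"
        else:
            severity = "medium"
            reason = f"{method} {SETUP_ADMIN} requested on a running instance"
        prev = findings.get(client)
        if prev is None or SEVERITY_RANK[severity] > SEVERITY_RANK[prev["severity"]]:
            findings[client] = {"client": client, "severity": severity, "reason": reason}
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['client']}: {f['reason']}")
```

A hit only means the endpoints were reached; confirming compromise still requires checking Confluence for unexpected administrator accounts, as the Atlassian and CISA advisories describe.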
CVE-2023-4966
A Sensitive Information Disclosure issue, nicknamed Citrix Bleed, could lead to unauthorized access to sensitive data. This vulnerability has a NIST CVSSv3 base score rating of 9.4/10 and it affects Citrix NetScaler ADC and NetScaler Gateway versions: 14.1 before 14.1-8.50, 13.1 before 13.1-49.15, 13.0 before 13.0-92.19, 13.1-FIPS before 13.1-37.164, 12.1-FIPS before 12.1-55.300, and 12.1-NDcPP before 12.1-55.300. The vulnerability allows malicious actors to disclose sensitive information if the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Exploits of CVE-2023-4966 on unmitigated appliances have been observed. The recommended mitigation is to install the relevant updated versions of NetScaler ADC and NetScaler Gateway. For more information, refer to this Citrix Security Bulletin or the NVD.
CVE-2023-4911
A Buffer Overflow issue, nicknamed Looney Tunables, could lead to local privilege escalation. This vulnerability has a NIST CVSSv3 base score rating of 7.8/10 and it affects GNU C Library (glibc) version 2.34 and specific backported versions in RHEL-8.5 and onwards. The vulnerability arises from a buffer overflow in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable, which could allow a local attacker, by crafting malicious GLIBC_TUNABLES environment variables when launching binaries with SUID permission, to execute code with elevated privileges. The attack complexity is Low and requires Low privileges but does not require user interaction. Mitigations have been provided, such as a SystemTap script that prevents setuid programs from being invoked with GLIBC_TUNABLES in the environment, requiring users to unset or clear the GLIBC_TUNABLES environment variable in order to invoke the setuid program. This mitigation will need to be re-applied upon system reboot. Once the glibc package is updated to a version containing the fix, the SystemTap-generated kernel module can be removed. For more technical details or proof of concept, refer to this link from the NVD.
CVE-2023-46747
A Critical Authentication Bypass issue could lead to remote code execution (RCE) by unauthenticated attackers. This vulnerability has a NIST CVSSv3 base score rating of 9.8/10 and it affects F5 BIG-IP, specifically the Traffic Management User Interface (TMUI). The vulnerability allows attackers to send arbitrary requests to bypass authentication and execute system commands with full administrative privileges. An attack utilizing CVE-2023-46747 does not require user interaction. No proof of concept has been released as of October 27, however, past vulnerabilities in BIG-IP have seen prompt exploitation and release of PoCs by researchers. The recommended mitigation is to apply patches provided by F5 for affected versions of BIG-IP as soon as possible. In case patching cannot be performed immediately, F5 has provided some mitigation guidance in article K000137353, though this comes with certain warnings regarding its applicability. For more technical details or proof of concept, refer to the NVD.
CVE-2023-43208
A Remote Code Execution (RCE) issue could lead to unauthorized access and execution of commands. This vulnerability does not yet have a NIST CVSSv3 base score (N/A). It affects Mirth Connect versions prior to 4.4.1. The vulnerability allows attackers to execute arbitrary code on the system due to an incomplete patch for a previous vulnerability (CVE-2023-37679). The attack complexity has not been provided, but the vulnerability is unauthenticated and requires no user interaction. There are no publicly available technical details or exploits as of now. The recommended mitigation is to upgrade to Mirth Connect version 4.4.1. For more technical details, check out this link from the NVD.
Conclusion:
In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.
Phish Tale of the Week
Oftentimes, phishing campaigns created by malicious actors target users by utilizing social engineering. For example, in this text message, the actors are posing as USPS, the United States Postal Service, and informing you that action needs to be taken regarding your delivery. The message politely explains that “USPS” is holding our package at a warehouse and that we just need to update our address in order to receive it. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.
Here’s how we can tell not to click on this smishing link:
The first red flag in this message is the sender’s address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their messaging address, and a simple look at the sender’s address makes it very apparent that the text is not from USPS. In the future, review the sender’s address thoroughly to see if a text could be coming from a threat actor.
The second warning sign in this text is the messaging. This message tries to create a sense of urgency by using language such as “cannot be delivered” and “within 12 hours.” Phishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
The final warning sign for this text is the lack of legitimate USPS information. Fortune 500 companies, the government, and similar organizations standardize all communications with customers. This text includes a small “thank you” message at the bottom in an attempt to gain credibility, but it lacks all of the parts of a credible USPS message and can be immediately detected as a phishing attempt.
General Recommendations:
A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
Verify that the sender is actually from the company sending the message.
Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
Do not give out personal or company information over the internet.
Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this week’s Cybersecurity Brief:
Google Launches AI Security Initiatives Including Bug Bounty Program and $10 Million AI Safety Fund
In a move to bolster the security of Artificial Intelligence (AI) technologies, Google has unveiled a series of initiatives that underscore its commitment to AI safety. These include an AI-specific vulnerability reporting program (VRP), a $10 million fund, and the introduction of a Secure AI Framework (SAIF).
One of the standout features of this announcement is the AI-Specific VRP, which promises rewards to security researchers identifying vulnerabilities in generative AI. These vulnerabilities could range from unfair biases and hallucinations to tampering with model behaviors. With increasing concerns about the misuse of generative AI, Google is keen to harness the expertise of the global research community to highlight and mitigate potential threats. Google’s expanded VRP focuses on both conventional security vulnerabilities and threats specific to AI-powered tools. The company stated, “Reward amounts are dependent on the severity of the attack scenario and the type of target affected.”
To tackle potential threats in the AI supply chain, Google introduced the Secure AI Framework (SAIF). This aims to fortify critical components within the machine learning supply chain, essential for building trustworthy AI applications. Google’s initial efforts under SAIF spotlight the model signing and attestation verification prototypes, leveraging tools like Sigstore and SLSA. These tools work in tandem to verify software identities, thereby enhancing supply chain resilience. Amid a surge in supply chain attacks, Google is intent on increasing transparency in the machine learning supply chain throughout its development lifecycle. Drawing parallels between traditional software and machine learning models, Google proposes adopting supply chain solutions in order to protect ML models. The Google Open Source Security Team (GOSST) will utilize SLSA and Sigstore to enhance the overall integrity of AI supply chains. This collaborative endeavor builds upon Google’s earlier alliance with the Open Source Security Foundation.
Additionally, in collaboration with industry giants Anthropic, Microsoft, and OpenAI, Google is setting up a $10 million AI Safety Fund. The fund aims to stimulate further research in AI safety, reflecting a collective commitment to ensuring the secure development and deployment of AI technologies. Below is a chart detailing Google’s scope on what constitutes a reward in their AI bug bounty program.
Category | Attack Scenario | Guidance
Prompt Attacks | Crafting adversarial prompts that allow an adversary to influence the behavior of the model, and hence the output, in ways that were not intended by the application. | In Scope
Prompt Attacks | Prompt injections that are invisible to victims and change the state of the victim’s account or any of their assets. | In Scope
Prompt Attacks | Prompt or preamble extraction in which a user is able to extract the initial prompt used to prime the model, only when sensitive information is present in the extracted preamble. | In Scope
Prompt Attacks | Using a product to generate violative, misleading, or factually incorrect content in your own session, e.g., ‘jailbreaks’. This includes ‘hallucinations’ and factually inaccurate responses. Google’s generative AI products already have a dedicated reporting channel for these types of content issues. | Out of Scope
Training Data Extraction | Attacks that are able to successfully reconstruct verbatim training examples that contain sensitive information. Also called membership inference. | In Scope
Training Data Extraction | Extraction that reconstructs nonsensitive/public information. | Out of Scope
Manipulating Models | An attacker able to covertly change the behavior of a model such that they can trigger pre-defined adversarial behaviors. | In Scope (only when a model’s output is used to change the state of a victim’s account or data)
Manipulating Models | Attacks in which an attacker manipulates the training data of the model to influence the model’s output in a victim’s session according to the attacker’s preference. | In Scope (only when a model’s output is used to change the state of a victim’s account or data)
Adversarial Perturbation | Inputs that are provided to a model that result in a deterministic, but highly unexpected, output from the model. | In Scope (in contexts where an adversary can reliably trigger a misclassification in a security control for malicious use or adversarial gain)
Adversarial Perturbation | Contexts in which a model’s incorrect output or classification does not pose a compelling attack scenario or feasible path to Google or user harm. | Out of Scope
Model Theft / Exfiltration | Attacks in which the exact architecture or weights of a confidential/proprietary model are extracted. | In Scope
Model Theft / Exfiltration | Attacks in which the architecture and weights are not extracted precisely, or when they’re extracted from a non-confidential model. | Out of Scope
Other Issues | A bug or behavior that clearly meets our qualifications for a valid security or abuse issue. | In Scope
Other Issues | Using an AI product to do something potentially harmful that is already possible with other tools. For example, finding a vulnerability in open source software (already possible using publicly-available static analysis tools) and producing the answer to a harmful question when the answer is already available online. | Out of Scope
Other Issues | Issues that we already know about are not eligible for reward. | Out of Scope
Other Issues | Potential copyright issues: findings in which products return content appearing to be copyright-protected. Google’s generative AI products already have a dedicated reporting channel for these types of content issues. | Out of Scope
Table: Google’s reward criteria for reporting bugs in AI products
VMware Releases Patches for Critical vCenter Server RCE Vulnerability CVE-2023-34048
Recently, a highly critical vulnerability surfaced in VMware’s vCenter Server, a pivotal component in VMware’s vSphere suite, widely recognized for overseeing virtualized environments. This flaw, indexed as CVE-2023-34048, has garnered significant attention due to its severe implications and the inherent risks it presents.
This vulnerability revolves around an out-of-bounds write condition in vCenter Server’s implementation of the Distributed Computing Environment / Remote Procedure Calls (DCERPC) protocol. For those unfamiliar, DCERPC serves as a fundamental protocol for remote procedure call (RPC) systems, enabling inter-process communication.
To understand the magnitude of this flaw, one should note that if successfully exploited, it allows an attacker – even without authentication – to induce a remote code execution (RCE) scenario. This essentially hands over the complete reins of the affected system to the malicious actor. The vulnerability was given a CVSSv3 base score of 9.8 after being disclosed on October 25th.
The actual threat of this vulnerability lies mainly in its exploitation parameters, which shockingly require little to no effort to achieve:
Authentication: Not required.
Attack Complexity: Low.
User Interaction: None.
This essentially means that attackers can execute the exploit remotely without any user interaction, making it a lucrative target for cybercriminals. Moreover, the vulnerability opens a pathway for a cascading attack, where an intruder can pivot from the compromised vCenter Server to other interconnected systems, and this lateral movement amplifies the breach’s ramifications.
In response to the detection of this flaw, VMware demonstrated commendable proactiveness. The intriguing aspect of their response was the decision to roll out patches for multiple end-of-life products. It’s rare for companies to revisit phased-out versions, but given the exceptional threat this vulnerability poses, VMware deemed it essential to provide patches even for outdated versions. VMware’s advisory said patches have been issued for vCenter Server versions 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1.
Organizations and system administrators leveraging VMware’s products must be cognizant of the following action points:
Prompt Patching: Considering the absence of viable workarounds, applying the security patches for the affected versions of vCenter Server and VMware Cloud Foundation becomes paramount.
Network Vigilance: Heightened monitoring of network traffic is advised, with emphasis on the potential exploitation vectors like ports 2012/tcp, 2014/tcp, and 2020/tcp.
Access Control: Implementing stringent access controls and firewall rules can significantly mitigate the risk of a potential breach.
Continuous Monitoring: Ensure that the systems are monitored in real-time for any signs of breaches or unusual activities. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) should be up-to-date and operational.
User Education: While this specific vulnerability doesn’t require user interaction for exploitation, cultivating a culture of security awareness can safeguard against other potential threats.
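The "Network Vigilance" and "Access Control" points above can be checked mechanically: any connection to the three DCERPC-related ports that does not originate from a trusted management network is worth an alert. The following exposure check is an added example, not code from the Netizen post or VMware; the flow-record format, the vCenter address and the trusted subnet are constructed assumptions.

```python
"""Flag connections to vCenter's DCERPC-related ports from untrusted sources.

Added example (not from the Netizen post or VMware). Evaluates flow records
against the ports named in the advisory writeup (2012/tcp, 2014/tcp, 2020/tcp)
and an allowlist of management subnets. Flow lines, the vCenter address and
the subnets are constructed for the demo.
"""
import ipaddress

# Ports the writeup names as potential exploitation vectors for CVE-2023-34048.
VCENTER_PORTS = {2012, 2014, 2020}

# Constructed flow records: "src_ip src_port dst_ip dst_port proto" (not real traffic).
SAMPLE_FLOWS = """\
10.10.5.20 51000 10.10.1.10 2012 tcp
10.10.5.21 51001 10.10.1.10 443 tcp
203.0.113.44 40000 10.10.1.10 2014 tcp
198.51.100.9 40001 10.10.1.10 2020 tcp
10.20.0.7 40002 10.10.1.10 2020 udp
10.10.5.22 51002 10.10.1.10 2020 tcp
"""


def parse_flow(line):
    """Parse one constructed flow record into typed fields."""
    src, sport, dst, dport, proto = line.split()
    return (ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), proto.lower())


def flag_untrusted_access(flows_text, vcenter_ip, trusted_subnets):
    """Return (source ip, port) for each TCP flow to a watched vCenter port
    whose source is outside every trusted management subnet."""
    vcenter = ipaddress.ip_address(vcenter_ip)
    trusted = [ipaddress.ip_network(n) for n in trusted_subnets]
    hits = []
    for line in flows_text.splitlines():
        src, _sport, dst, dport, proto = parse_flow(line)
        if dst != vcenter or proto != "tcp" or dport not in VCENTER_PORTS:
            continue                      # not one of the watched services
        if any(src in net for net in trusted):
            continue                      # expected management traffic
        hits.append((str(src), dport))
    return hits


def summarize(hits):
    """Group flagged flows by source so one noisy host produces one line."""
    by_src = {}
    for src, port in hits:
        by_src.setdefault(src, set()).add(port)
    return {src: sorted(ports) for src, ports in by_src.items()}


if __name__ == "__main__":
    # Constructed environment: vCenter at 10.10.1.10, management jump hosts in 10.10.5.0/24.
    hits = flag_untrusted_access(SAMPLE_FLOWS, "10.10.1.10", ["10.10.5.0/24"])
    for src, ports in summarize(hits).items():
        print(f"ALERT {src} reached vCenter DCERPC port(s) {ports} from outside the management network")
```

A clean result only says the ports are not reachable from untrusted sources in the sampled flows; it does not replace the patch, since the advisory lists no workaround.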
Cisco IOS XE Software, a critical component of many Cisco network devices, has recently been found to have vulnerabilities in its Web UI feature. These vulnerabilities, if exploited, can provide attackers with significant access and control over affected devices. The vulnerabilities are particularly concerning for systems where the web UI feature is activated in the Cisco IOS XE Software. The activation of this feature is typically done using the ip http server or ip http secure-server commands. If a system administrator has used either of these commands, the device is potentially vulnerable. Cisco’s internal investigation has uncovered two distinct vulnerabilities: CVE-2023-20198 and CVE-2023-20273, which in tandem can result in privilege escalation and system compromise.
CVE-2023-20198: Privilege Escalation in Cisco IOS XE Software Web UI
This vulnerability allows attackers to gain initial access to the device. Specifically, attackers exploit this vulnerability to issue a privilege 15 command, which in turn allows them to create a local user with a specific password. This user can then log in with standard user access rights.
Technical Details:
Nature of Vulnerability: CVE-2023-20198 is a privilege escalation flaw in the web UI feature of Cisco IOS XE software. Both physical and virtual devices with the HTTP or HTTPS Server feature enabled are vulnerable.
Exploitation Path: The exploitation allows an attacker to gain full administrative rights and unauthorized access to the system. Once the attacker has secured this privileged account, they can create a secondary local user account with standard access rights. This user serves as a pivot for further exploits, particularly to leverage the subsequent vulnerability, CVE-2023-20273.
CVE-2023-20273: Command Injection in Cisco IOS XE Software Web UI
Once initial access is secured, attackers can exploit this second vulnerability. Leveraging the previously created local user, they can elevate their privileges to the ‘root’ level. With root access, they can write malicious implants to the device’s file system.
Technical Details:
Nature of Vulnerability: CVE-2023-20273 is a command injection flaw within the Web UI feature of Cisco’s IOS XE software. While it can be exploited independently, its potential is significantly amplified when used in tandem with CVE-2023-20198.
Exploitation Path: With a local user account, attackers can exploit this vulnerability to inject arbitrary commands. This ability becomes particularly concerning when these commands are executed with root privileges, offering the attacker almost unrestricted control over the device’s functionalities and data.
Sequential Exploitation
As per the sequence outlined, after obtaining initial access and creating a privileged account via CVE-2023-20198, an attacker creates a local user account with normal privileges. Utilizing this local user account, the attacker exploits CVE-2023-20273 to run commands with elevated (root) privileges on the device, further consolidating their hold on the system. Both vulnerabilities are being actively tracked by Cisco under the identifier CSCwh87343.
Mitigation and Recommendations
Given the seriousness of the vulnerabilities discovered in the Cisco IOS XE Software’s Web UI feature, we urge all stakeholders to take immediate and decisive action, including the following steps:
Check for Affected Systems: System administrators should immediately verify whether the HTTP Server feature is enabled on their devices. From privileged EXEC mode, run show running-config | include ip http server|secure|active. If the output contains ip http server or ip http secure-server, the web UI is enabled and the device is potentially at risk. Per Cisco's advisory, if ip http active-session-modules none (for HTTP) or ip http secure-active-session-modules none (for HTTPS) is also present, the web UI is not exploitable over that transport.
Disable the HTTP Server Feature: Cisco's primary recommendation is to disable the HTTP Server feature on all devices that are accessible from the internet, using the no ip http server and no ip http secure-server commands in global configuration mode; if both HTTP and HTTPS are enabled, both commands are required. Afterwards save the configuration with copy running-config startup-config so the feature is not re-enabled by a reload. Check first whether any management service on the device depends on the HTTP server, since those will stop working.
Limit Access: If disabling the HTTP Server feature is not feasible, restrict it to trusted source addresses with an access list applied via ip http access-class. Cisco assesses that access lists which block untrusted hosts and networks are an effective mitigation, but they are a mitigation only; the code remains vulnerable until it is upgraded.
Upgrade: Cisco advises all customers to upgrade to a fixed software release that addresses both vulnerabilities; the advisory contains a table mapping affected release trains to their fixed versions. Confirm the running release with show version before and after the upgrade, and remove any rogue accounts, since a software upgrade or reboot clears the implant but not the accounts.
Stay Informed: As this is an evolving situation, it’s essential to stay updated with announcements from Cisco. The company has committed to updating their advisory as more information becomes available.
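As an added example, not code from the original article or from Cisco, the audit below applies the checks from the steps above to a saved running-config: whether the web UI is exposed over HTTP or HTTPS, whether an ip http access-class restriction is present, which privilege 15 accounts are not on the expected list, and which commands would close the exposure. The config excerpt is constructed, and EXPECTED_ADMINS is an assumed list of the accounts that should hold privilege 15 on this device.

```python
import re

# Constructed running-config excerpt (not from a real device). The second
# username line and the missing access-class are what the audit should catch.
SAMPLE_CONFIG = """\
version 17.9
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Assumption: the accounts that are supposed to hold privilege 15 on this device.
EXPECTED_ADMINS = {"netops"}

ACCESS_CLASS = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)")
PRIV15_USER = re.compile(r"^username (\S+) privilege 15\b")


def audit_config(text, expected_admins=EXPECTED_ADMINS):
    """Audit a running-config for web UI exposure and unexpected admin accounts."""
    lines = [line.rstrip() for line in text.splitlines()]
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    # A session-modules 'none' setting disables the web UI on that transport
    # even though the server itself stays enabled.
    http_exposed = http and "ip http active-session-modules none" not in lines
    https_exposed = https and "ip http secure-active-session-modules none" not in lines

    access_class = None
    unexpected_priv15 = []
    for line in lines:
        m = ACCESS_CLASS.match(line)
        if m:
            access_class = m.group(1)
        m = PRIV15_USER.match(line)
        if m and m.group(1) not in expected_admins:
            unexpected_priv15.append(m.group(1))

    # Global-configuration commands to turn the web UI off, followed by the
    # privileged EXEC command that makes the change survive a reload.
    remediation = []
    if http:
        remediation.append("no ip http server")
    if https:
        remediation.append("no ip http secure-server")
    if remediation:
        remediation.append("copy running-config startup-config")

    return {
        "web_ui_exposed": http_exposed or https_exposed,
        "access_class": access_class,
        "unexpected_priv15": unexpected_priv15,
        "remediation": remediation,
    }


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

An unexpected privilege 15 account on a device whose web UI was reachable is an incident indicator, not a hygiene finding: removing the account with no username is necessary, but the device should also be checked for the implant and the logs reviewed before it is trusted again.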
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our "CISO-as-a-Service" offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –