• Netizen: Technical Analysis and Advisory on CVE-2023-4966

    CVE-2023-4966 is a critical, actively exploited vulnerability in Citrix NetScaler ADC and NetScaler Gateway. Initial coverage has focused on the headline risk and the likely exploitation scenarios; this advisory looks more closely at what the flaw actually exposes and at what remediation requires, because installing the patch on its own is not enough.

    Affected Products and Versions:

    Affected Product                      | Affected Version      | Fixed Version
    NetScaler ADC and NetScaler Gateway   | prior to 13.0-92.19   | 13.0-92.19 and later releases of 13.0
    NetScaler ADC and NetScaler Gateway   | prior to 13.1-49.15   | 13.1-49.15 and later releases of 13.1
    NetScaler ADC and NetScaler Gateway   | prior to 14.1-8.50    | 14.1-8.50 and later releases
    NetScaler ADC 12.1-NDcPP              | prior to 12.1-55.300  | 12.1-55.300 and later releases of 12.1-NDcPP
    NetScaler ADC 12.1-FIPS               | prior to 12.1-55.300  | 12.1-55.300 and later releases of 12.1-FIPS
    NetScaler ADC 13.1-FIPS               | prior to 13.1-37.164  | 13.1-37.164 and later releases of 13.1-FIPS

    Note: Citrix has emphasized that NetScaler ADC and NetScaler Gateway version 12.1 is End of Life (EOL). Only the 12.1-FIPS and 12.1-NDcPP builds listed above receive a fix; appliances on plain 12.1 cannot be patched and should be upgraded to a supported version immediately.
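    The following is an added example, not Citrix code: a small C check that parses NetScaler build strings of the form MAJOR.MINOR-BUILD.SUB and compares them, per branch, against the fixed builds in the table above. Comparing per branch matters because a FIPS build such as 13.1-37.164 is fixed even though it is numerically below the mainline 13.1-49.15, and plain 12.1 has no fixed build at all. The branch labels are this example's own convention (the operator supplies them from the platform in use) and the sample fleet in main() is constructed; the build string itself comes from the appliance's show ns version output.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Citrix code: parse NetScaler build strings of the form
 * "MAJOR.MINOR-BUILD.SUB" (e.g. "13.1-49.15") and compare them per branch
 * against the fixed builds from the CTX579459 table. Branch labels are this
 * example's own convention; the operator supplies them from the platform.
 */

typedef struct { int major, minor, build, sub; } ns_version;

/* First fixed build on each branch, as listed in the advisory table. */
static const struct { const char *branch, *fixed; } FIXES[] = {
    { "13.0",       "13.0-92.19"  },
    { "13.1",       "13.1-49.15"  },
    { "14.1",       "14.1-8.50"   },
    { "12.1-NDcPP", "12.1-55.300" },
    { "12.1-FIPS",  "12.1-55.300" },
    { "13.1-FIPS",  "13.1-37.164" },
};

/* Returns 1 and fills *v on a well-formed build string, 0 otherwise. */
int ns_parse(const char *s, ns_version *v)
{
    char trailing;
    /* exactly four numbers in the expected layout and nothing after them */
    return sscanf(s, "%d.%d-%d.%d%c",
                  &v->major, &v->minor, &v->build, &v->sub, &trailing) == 4;
}

/* Three-way compare: major, then minor, then build, then sub-build. */
static int ns_cmp(const ns_version *a, const ns_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->build != b->build) return a->build < b->build ? -1 : 1;
    if (a->sub   != b->sub)   return a->sub   < b->sub   ? -1 : 1;
    return 0;
}

/*
 *  1: at or above the fixed build for the branch
 *  0: below it (vulnerable to CVE-2023-4966)
 * -1: no fixed build exists: plain 12.1 (EOL), an unknown branch,
 *     or a build string that does not parse
 */
int ns_is_fixed(const char *branch, const char *version)
{
    ns_version have, fixed;
    if (!ns_parse(version, &have))
        return -1;
    for (size_t i = 0; i < sizeof FIXES / sizeof FIXES[0]; i++) {
        if (strcmp(FIXES[i].branch, branch) != 0)
            continue;
        if (!ns_parse(FIXES[i].fixed, &fixed))
            return -1;
        return ns_cmp(&have, &fixed) >= 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample fleet; builds are illustrative, not from a real inventory. */
    const char *fleet[][2] = {
        { "13.1",      "13.1-49.13"  },   /* one build short of the fix */
        { "13.1",      "13.1-49.15"  },
        { "13.1-FIPS", "13.1-37.164" },   /* fixed, though numerically below 13.1-49.15 */
        { "12.1",      "12.1-65.39"  },   /* EOL: no fix will ever arrive */
    };
    for (size_t i = 0; i < sizeof fleet / sizeof fleet[0]; i++) {
        int r = ns_is_fixed(fleet[i][0], fleet[i][1]);
        printf("%-10s %-12s %s\n", fleet[i][0], fleet[i][1],
               r == 1 ? "fixed" : r == 0 ? "VULNERABLE: upgrade" : "EOL/unknown: replace");
    }
    return 0;
}
```

    A result of "fixed" only means the leak is closed going forward; sessions established before the upgrade still need to be terminated as described in the advisory below.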

    CVE Details:

    CVE            | Description                      | CVSSv3 | Severity
    CVE-2023-4966  | Sensitive information disclosure | 9.4    | Critical
    CVE-2023-4967  | Denial of service (DoS)          | 8.2    | High

    Note: CVE-2023-4967 is the one additional vulnerability that Citrix addressed alongside CVE-2023-4966 in security bulletin CTX579459.

    Technical Analysis of CVE-2023-4966

    CVE-2023-4966 is classed as an information disclosure flaw, but what it discloses is what makes it critical: the leaked data includes valid session tokens. An attacker who obtains one can take over an existing authenticated session without knowing the user's password and without facing an MFA prompt, because the legitimate user already satisfied the MFA challenge when the session was created. Whoever holds the session inherits that user's access through the appliance. The exposure applies to appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which is how NetScaler is typically deployed at the edge of a corporate network to broker access to internal applications.

    Cybersecurity firm Mandiant’s finding that the flaw has been under active exploitation since August 2023, before a patch was available, underscores the urgency. The attacks have primarily targeted professional services, technology, and government organizations. Charles Carmakal, Mandiant’s CTO, emphasized the persistence of authenticated sessions even after the application of patches, leading to a scenario where attackers could still utilize stolen session data for unauthorized access. On LinkedIn, he advised all organizations to “terminate all active sessions,” explaining that “these authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated.”

    This is why remediation is not finished when the patch is installed. The patch stops new tokens from leaking, but every session token the attacker has already captured remains valid, and the attacker keeps that access until the session is terminated or expires on its own. Any session that existed before the upgrade should be treated as potentially compromised.

    The Importance of Proactive Security

    Citrix’s patches cover specific builds of NetScaler ADC and NetScaler Gateway, and the part of the bulletin most easily overlooked is its advice that 12.1 users move to a supported release, because 12.1 is End of Life (EOL). An appliance on an unsupported release cannot be patched at all, so it stays exposed for as long as it remains in service. Timely patching is necessary but not sufficient: keeping internet-facing appliances on supported versions, and reviewing their configuration and exposure on a regular cycle, is what stops a vulnerability like this one from turning into an incident.

    Advisory

    The combination of a critical flaw and confirmed exploitation in the wild calls for an immediate and complete response: upgrade to a fixed build, then terminate all active sessions so that tokens captured before the upgrade stop working. Citrix’s bulletin lists the commands to run on the appliance after upgrading: kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all, and clear lb persistentSessions. Session termination is a manual step; the patch does not do it for you. Because exploitation began before public disclosure, also review authentication and session logs from August 2023 onward for sessions that did not originate from the expected client, network or location, and treat any you find as an incident rather than an anomaly.

    How Can Netizen Help?

    Netizen ensures that security gets built in rather than bolted on, providing advanced solutions to protect critical IT infrastructure such as our popular “CISO-as-a-Service”, through which companies can draw on executive-level cybersecurity expertise without bearing the cost of employing it full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • GPU.zip: Understanding Graphics Processor Side-Channel Attacks

    GPU.zip, described by a research team that includes researchers from Carnegie Mellon’s Software and Societal Systems Department in the paper “GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression,” is a side-channel attack against graphics processing units (GPUs). It exploits the hardware graphical data compression built into integrated GPUs (iGPUs): because the compression is data-dependent, the amount of DRAM traffic and cache occupancy a rendering operation produces depends on the pixel values being rendered, and that difference can be observed from software. The researchers found the behaviour on GPUs from AMD, Apple, Arm, Intel, Nvidia, and Qualcomm. In the browser, Google Chrome and Microsoft Edge were shown to be exploitable; the researchers report that Firefox and Safari are not, because they do not meet all of the attack’s preconditions.

    A Vulnerability in iGPUs

    Integrated GPUs (iGPUs) compress graphical data transparently to save memory bandwidth and improve rendering performance. The drawback is that the compression ratio depends on the data: a uniform region compresses well and generates little DRAM traffic, while a noisy region compresses poorly and generates more. Anything that can measure that difference, such as rendering time, has a side channel. GPU.zip turns this into a pixel-stealing attack in the browser: the attacker’s page applies SVG filters to a cross-origin iframe so that the texture the iGPU renders is either highly compressible or not, depending on the colour of one target pixel, and then times the rendering. Repeating this across pixels reconstructs the content of the victim page.

    Technical Implications of the Vulnerability

    In practice a malicious webpage can use this to read pixel values from another site, bypassing the same-origin policy (SOP) that is supposed to keep cross-origin content opaque to the embedding page. The attack needs the victim page to be embeddable in a cross-origin iframe, needs the browser to apply SVG filters on the GPU, and needs rendering time to be measurable; Chrome and Edge meet all of these conditions, which is why they are the browsers affected. The underlying leak is in the hardware compression rather than in the Chromium engine, so a browser fix alone cannot remove it, though browsers can narrow the attack surface. Site operators have a direct mitigation available today: a page that refuses cross-origin embedding, via X-Frame-Options: DENY or a Content-Security-Policy frame-ancestors directive, cannot be loaded into the attacker’s iframe in the first place, which is why the researchers’ demonstration targeted a site that allows itself to be embedded.
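    The header check below is an added example, not from the GPU.zip paper or from any browser: given a response’s X-Frame-Options and Content-Security-Policy values, it reports whether a cross-origin page could load that response in an iframe, which is the precondition the browser attack needs. It assumes the browser behaviour that a present frame-ancestors directive takes precedence over X-Frame-Options and that an unrecognised X-Frame-Options value is ignored; the header sets in main() are constructed, not captured from a real site.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not from the GPU.zip paper or the browsers it studies: decide
 * from a site's response headers whether a cross-origin page may put it in an
 * iframe, which the browser attack needs. Assumed browser behaviour: a
 * frame-ancestors directive overrides X-Frame-Options, and an unrecognised
 * X-Frame-Options value is ignored (framing allowed).
 */

/* Case-insensitive equality of a non-NUL-terminated token with a literal. */
static int tok_eq(const char *tok, size_t len, const char *lit)
{
    if (strlen(lit) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)lit[i]))
            return 0;
    return 1;
}

/* Locate a directive in a CSP value; returns a pointer to its first source or NULL. */
static const char *csp_directive(const char *csp, const char *name)
{
    const char *p = csp;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;
        const char *start = p;
        while (*p && *p != ' ' && *p != ';') p++;
        if (tok_eq(start, (size_t)(p - start), name)) {
            while (*p == ' ') p++;
            return p;
        }
        while (*p && *p != ';') p++;      /* skip this directive's sources */
    }
    return NULL;
}

/* 1: frame-ancestors admits only the same origin or nothing; 0: it admits
 * another origin (host, scheme or '*'); -1: the directive is absent. */
static int frame_ancestors_blocks(const char *csp)
{
    const char *p = csp_directive(csp, "frame-ancestors");
    if (!p) return -1;
    while (*p && *p != ';') {
        while (*p == ' ') p++;
        if (!*p || *p == ';') break;
        const char *start = p;
        while (*p && *p != ' ' && *p != ';') p++;
        if (!tok_eq(start, (size_t)(p - start), "'none'") &&
            !tok_eq(start, (size_t)(p - start), "'self'"))
            return 0;
    }
    return 1;   /* only 'none'/'self', or an empty list, which also matches nothing */
}

/* Returns 1 if a cross-origin page can embed this response, 0 if it cannot.
 * xfo: X-Frame-Options value or NULL; csp: Content-Security-Policy value or NULL. */
int cross_origin_framing_allowed(const char *xfo, const char *csp)
{
    if (csp) {
        int r = frame_ancestors_blocks(csp);
        if (r >= 0) return r ? 0 : 1;   /* CSP decides when the directive is present */
    }
    if (xfo) {
        size_t len = strlen(xfo);
        while (len && xfo[len - 1] == ' ') len--;
        while (len && *xfo == ' ') { xfo++; len--; }
        if (tok_eq(xfo, len, "DENY") || tok_eq(xfo, len, "SAMEORIGIN"))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed header sets, not captured from any real site. */
    struct { const char *xfo, *csp; } samples[] = {
        { NULL, NULL },
        { "SAMEORIGIN", NULL },
        { NULL, "default-src 'self'; frame-ancestors 'none'" },
        { "DENY", "frame-ancestors *" },
        { NULL, "frame-ancestors 'self' https://partner.example" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("XFO=%-12s CSP=%-48s -> %s\n",
               samples[i].xfo ? samples[i].xfo : "(none)",
               samples[i].csp ? samples[i].csp : "(none)",
               cross_origin_framing_allowed(samples[i].xfo, samples[i].csp)
                   ? "embeddable cross-origin (exposed)" : "not embeddable");
    return 0;
}
```

    Run it over the headers of any page that renders something secret after login. A result of "embeddable cross-origin" means the page is in scope for pixel stealing, and the fix is a frame-ancestors 'none' (or 'self') directive; note that listing partner origins keeps those origins, and anything they embed, in scope.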

    GPU.zip Attack Example

    The paper’s proof-of-concept extracts the logged-in username from a Wikipedia page. The figure below shows the result on two processors: an AMD Ryzen 7 4800U (b) and an Intel i7-8700 (c). On the Ryzen the extraction took about 30 minutes with 97 percent pixel accuracy; on the i7 it took 215 minutes and reached 98.3 percent. Both reconstructions are clearly readable against the ground truth (a).

    [Figure: from “GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression,” showing the ground truth (a) beside the username extracted on an AMD Ryzen 7 4800U (b) and on an Intel i7-8700 (c).]

    Conclusion

    GPU.zip is a reminder that performance optimisations baked into hardware can carry security costs that surface much later. The compression that makes iGPUs faster is exactly what leaks the data, and because the behaviour lives in silicon, the remedy has to come from a mix of browser-side restrictions, web-site headers and, eventually, hardware design. The demonstrated extraction of a username from a site as widely used as Wikipedia shows that the cost is real. Balancing performance against data protection has to be part of the design of both hardware and the software that runs on it.


  • Ransomware: New Innovations and Evolutions that Threaten Our Security

    Ransomware has become one of the largest cybersecurity threats, and the techniques and tooling behind it have changed substantially over the past few years. Every time defenders close off one avenue, ransomware operators adapt, so the threat keeps evolving rather than fading. Here are some of the more dangerous innovations, technologies, and strategies that have developed in the ransomware ecosystem:

    Data Extortion and Monetization:

    Ransomware has shifted from merely encrypting data to extortion built on the data itself. Groups like LAPSUS$ skipped encryption entirely, stealing data from targets as large as Microsoft and Nvidia and threatening to publish it, which inflicts reputational damage on top of financial loss. Once the threat is disclosure rather than availability, restoring from backup no longer makes the problem go away, which is what makes this model harder to defend against.

    Exploitation of Cloud Endpoints:

    As organizations migrate to cloud platforms, the landscape of vulnerabilities morphs. The decentralized nature of cloud computing provides a ripe environment for ransomware groups to exploit misconfigurations and unpatched vulnerabilities. This evolution reflects the dire need for robust cloud security measures to safeguard against the escalating threat of ransomware in cloud environments.

    Targeting Uncommon Platforms:

    Ransomware operators have also turned to platforms that are business-critical but rarely backed up or monitored as carefully as Windows endpoints, such as VMware ESXi hypervisors and network-attached storage appliances. Encrypting a hypervisor takes every virtual machine on it offline at once, and these systems often sit outside the coverage of endpoint detection tools. A cybersecurity strategy has to cover every part of the digital infrastructure, not just the parts that are easiest to instrument.

    Supply Chain Attacks and Double Extortion:

    Supply chain attacks, in which a single compromised vendor or managed service provider is used to push ransomware to many downstream customers at once, show the reach of modern operations. Double extortion adds theft before encryption: the operators copy data out first, then threaten to leak it if the ransom is not paid, so a good backup no longer ends the negotiation. Both force organizations to re-evaluate who and what they trust, and to plan for the data-leak scenario as well as the outage.

    Ransomware as a Service (RaaS):

    RaaS democratizes the realm of cyber extortion, enabling even less technical individuals to launch ransomware campaigns. This model amplifies the ransomware threat manifold, necessitating advanced cybersecurity solutions to tackle the burgeoning menace posed by RaaS platforms.

    Weaponization of Vulnerabilities:

    The exploitation of vulnerabilities to deliver ransomware signifies a growing sophistication among cyber adversaries. The weaponization of zero-day vulnerabilities, in particular, presents a formidable challenge for cybersecurity, demanding proactive and predictive security measures to stay ahead of the threat curve.

    Sectoral Focus Shift:

    The shift in focus towards sectors like healthcare, marked by high-value sensitive data, epitomizes the calculated approach of ransomware operators. This sectoral focus amplifies the need for industry-specific cybersecurity frameworks to thwart the ever-evolving ransomware threat.

    Emergence of New Ransomware Groups:

    The constant emergence of new ransomware groups forces organizations to prepare for not only an ever-evolving threat, but an ever-growing one. The continuous influx of new players with varying tactics necessitates a robust and adaptive cybersecurity strategy to mitigate these ransomware threats.

    Technological Innovations:

    Ransomware authors have been rewriting their payloads in languages like Go and Rust. The motivation is practical: one code base cross-compiles to Windows, Linux and ESXi, the resulting binaries are harder for analysts to reverse-engineer with familiar tooling, and signatures written for the older C/C++ families do not match. Defences that rely on recognizing known samples fall behind, which argues for detection based on behaviour rather than on file hashes.

    Geographic Focus:

    The consistent targeting of specific regions like the United States accentuates the geopolitical dimension of ransomware threats. The evolving tactics employed by ransomware groups pose a significant challenge to national and global cybersecurity efforts, emphasizing the need for cross-border cooperation and enhanced cybersecurity measures to safeguard against these transnational cyber threats.


  • Emerging Technologies: A Cybersecurity Deep Dive into Web 3.0

    Web 3.0, often referred to as the Semantic or Decentralized Web, has emerged over the past few years as both an ideological and a technological shift from the current state of the internet, Web 2.0. It is defined by decentralized databases and distributed ledgers spread across many nodes, which reduces the risk that Web 2.0 carries in its centralized stores of sensitive information, attractive honeypots for attackers. The blockchain underpinning Web 3.0 gives every transaction, interaction or identity a unique, verifiable representation, enabling tokenization and a digital economy in which assets, content and credentials are controlled by the user rather than by a central authority. The technology is powerful and aims at a more decentralized, user-driven internet, but its adoption brings cybersecurity risks of its own. Here’s a deep dive into how Web 3.0 functions and the benefits and threats it poses to our networks.

    Security Benefits in Web 3.0

    Identity and Tokenization:

    Within the Web 3.0 framework, identity management is user-centric: under self-sovereign identity, individuals hold and control their own data and credentials. Authentication and control of digital assets rest on cryptographic key pairs held by the user and on records anchored in the blockchain, and smart contracts decide what a given identity is entitled to do based on attributes tied to it. Because there is no central identity store, the mass breaches and identity theft that follow from a compromised central database become far less likely. The flip side is that the user now holds the key, and losing it, or handing it to a phishing site, means losing the identity with it.

    Distributed Ledger Technology (DLT):

    Distributed Ledger Technology forms the backbone of Web 3.0’s decentralized framework. Unlike the centralized databases of Web 2.0, DLT distributes digital information across a network of computers, ensuring transparency, and reducing the likelihood of data tampering and fraud. Every transaction on the network is recorded in a ledger that’s distributed across all nodes, making unauthorized alterations extremely difficult. This feature enhances the security and trustworthiness of digital interactions on the web.

    Zero Trust:

    Zero Trust, the model that grants no implicit trust to any user, device or network location and verifies every request, sits comfortably alongside the design of Web 3.0. In decentralized applications data moves peer to peer and is verified cryptographically, rather than being trusted because it passed through a central intermediary as in Web 2.0. Removing trusted intermediaries also removes them as targets, which shrinks the attack surface. The two ideas are not the same thing, though: a dApp still has to authenticate and authorize each request, and “trustless” consensus does not make the wallet, the front end or the user any less worth attacking.

    Cybersecurity Risks in Web 3.0

    Smart Contract Logic Hacks:

    Smart contracts, self-executing programs whose terms are written directly into code, are a hallmark of the blockchain technology underpinning Web 3.0, and they are a prime target. Attackers look for flaws in contract logic across interoperability bridges, crypto-lending services and wallet functions, and a single logic error can drain funds in one transaction. Unlike a server-side application, a deployed contract usually cannot be patched in place, so review and testing before deployment carry most of the weight. Losses also raise hard legal questions, since smart contracts often operate in a legal grey area with unsettled jurisdiction.

    Enhanced Spam:

    The interconnectedness of data in Web 3.0 creates channels through which spam attacks can thrive. Adversaries can target, exploit, and pollute specific resources to distribute spam across websites, search engines, and applications. These spam campaigns could carry malicious JavaScript code or ransomware, delivering it to every user interacting with the contaminated resources. The capability to distribute spam at this scale could be leveraged for widespread dissemination of malware or disinformation.

    Social Engineering:

    Even though blockchain records are tamper-evident and extremely hard to alter, the human element remains the weak link. Phishing and other social engineering tactics will be used to impersonate legitimate entities and harvest confidential information, in particular wallet seed phrases and transaction-signing approvals, from individuals and businesses alike. Self-sovereign identity adds risks of its own: an insecure authentication mechanism exposes the identity to theft, and because the same identifiers are reused across interactions on the web, an attacker can correlate them to piece together sensitive information about a person.

    How do I Utilize Web 3.0?

    Utilizing Web 3.0 means moving from centralized online platforms to decentralized applications (dApps) and services. The starting point is a blockchain wallet, which acts as your digital identity: it manages cryptocurrencies and digital assets and signs your interactions with dApps on the various blockchain networks. Popular wallets currently include MetaMask and Coinbase Wallet. The wallet’s seed phrase is the credential for everything behind it, so it should be stored offline and never typed into a website. Once set up, you can use Web 3.0 platforms and dApps for finance (DeFi), gaming, social media, and more, with a higher degree of control over your data than traditional web services give you.


  • High-Severity Vulnerability in Adobe Acrobat Reader added to CISA’s KEV database

    A vulnerability in Adobe Acrobat Reader has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2023-21608, carries a CVSS (Common Vulnerability Scoring System) score of 7.8, which places it in the high-severity band; the KEV listing reflects evidence that it is being exploited in the wild.

    Exploitation of the Vulnerability

    The root cause is a use-after-free bug, a memory corruption flaw in which the program keeps using memory after it has been released. In Acrobat and Reader, exploitation leads to code execution with the privileges of the logged-in user. The attack is delivered through a document: a victim has to open a specially crafted PDF, after which the attacker’s code runs on the system, which can in turn lead to unauthorized access or data exfiltration. Adobe fixed the flaw in a patch released in January 2023. Discovery and reporting are credited to HackSys security researchers Ashfaq Ansari and Krishnakant Patil, whose timely report allowed the fix to ship before exploitation was observed.

    Software Versions Affected

    The versions of the software impacted by this vulnerability include:

    • Acrobat DC: Versions 22.003.20282 (Win), 22.003.20281 (Mac) and earlier, with the patch released in version 22.003.20310.
    • Acrobat Reader DC: Versions 22.003.20282 (Win), 22.003.20281 (Mac) and earlier, with the patch released in version 22.003.20310.
    • Acrobat 2020: Version 20.005.30418 and earlier, with the patch released in version 20.005.30436.
    • Acrobat Reader 2020: Version 20.005.30418 and earlier, with the patch released in version 20.005.30436.

    Conclusion

    As of now, details of the in-the-wild exploitation and the identity of the actors behind it have not been published. A proof-of-concept (PoC) exploit for the flaw was released in late January 2023, shortly after the patch, which lowered the bar for anyone wanting to weaponize it. This is the second Acrobat and Reader flaw this year to be confirmed as exploited, after CVE-2023-26369, an out-of-bounds write that likewise leads to code execution when a specially crafted PDF is opened. Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor patches by October 31, 2023. For everyone else the lesson is the same: a nine-month-old patch with a public PoC is exactly the kind of gap attackers look for, so verify that Acrobat and Reader installations across the estate are at or above the fixed versions listed above.

  • Looney Tunables: Understanding the glibc Buffer Overflow Vulnerability

    A serious vulnerability in the GNU C Library (glibc) has recently come to light, putting a spotlight on how easily a subtle oversight can survive in well-established, widely used open-source software. The flaw, given the name “Looney Tunables” by the researchers at Qualys who found it, resides in glibc’s dynamic loader (ld.so), the component that maps shared libraries into every dynamically linked program on a Linux system.

    The Looney Tunables Overflow Attack

    The flaw is a buffer overflow in the function that sanitizes the GLIBC_TUNABLES environment variable, hence the name. Tunables let developers and system administrators adjust glibc behaviour (malloc parameters, for example) at run time through this variable, without recompiling the application or the library. When the loader starts a set-user-ID or set-group-ID program, it copies the variable into a buffer of the same size and rewrites it in place, keeping only recognized tunables that are permitted in a privileged process. The parser mishandles strings like tunable1=tunable2=AAA: the value scan does not stop at an “=”, and when a value runs to the end of the string the loop neither advances nor stops, so the remaining tail is processed a second time and more is written into the buffer than it can hold.

    The sequence of a Looney Tunables buffer overflow is as follows:

    1. Initialization: when a set-user-ID program starts, the dynamic loader copies GLIBC_TUNABLES into a buffer of the same length and walks that copy.
    2. Searching: it iterates through the string looking for key=value pairs separated by colons, formatted like tunable1=aa. A key ends at “=”, “:” or the end of the string; a value ends only at “:” or the end of the string, so an “=” inside a value is kept as part of the value.
    3. Buffering: each pair whose key is a recognized tunable allowed in a privileged process is written back into the buffer as key=value, preceded by “:” if something has already been written. Unknown or disallowed pairs are dropped, so normally the output is no longer than the input.
    4. Encounter with a malformed string: the parser is given tunable1=tunable2=AAA, where tunable1 and tunable2 are the names of real tunables that survive the sanitizing step.
    5. First pair: the key is tunable1 and the value is everything up to the end of the string, tunable2=AAA. The parser writes tunable1=tunable2=AAA back into the buffer, which fills it exactly.
    6. Missing advance: because the value ended at the end of the string rather than at a “:”, the loop does not move its read pointer forward and does not stop either. The next iteration therefore starts at tunable2=AAA.
    7. Buffer overflow: tunable2=AAA is parsed as a second pair and :tunable2=AAA is appended after the data already written, landing past the end of the buffer. The longer the trailing AAA…, the larger the overflow.
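    To make the seven steps concrete, here is an added example, not glibc code: a memory-safe C model of the parse loop that counts how many bytes the sanitized copy would need against the strlen(env)+1 bytes glibc allocates for it, with a switch between the vulnerable loop and the upstream fix (stop when the value just processed reached the end of the input). The list of names the sanitizer keeps is a hypothetical stand-in for glibc’s tunable table, following the page’s tunable1/tunable2 placeholders, and the inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: a memory-safe model of the loop in glibc's parse_tunables()
 * that underlies CVE-2023-4911. It is not glibc code. The names the sanitizer
 * keeps are a stand-in for glibc's tunable_list (hypothetical, following the
 * page's "tunable1"/"tunable2" placeholders), and writes go to a scratch
 * buffer so the overflow is counted rather than triggered.
 */

static const char *KEPT[] = { "tunable1", "tunable2" };   /* hypothetical allowlist */

static int kept(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof KEPT / sizeof KEPT[0]; i++)
        if (strlen(KEPT[i]) == len && memcmp(KEPT[i], name, len) == 0)
            return 1;
    return 0;
}

/* Output buffer that records a high-water mark instead of corrupting memory. */
typedef struct {
    char *buf;     /* scratch storage supplied by the caller */
    size_t size;   /* size of the scratch storage */
    size_t off;    /* glibc's write cursor */
    size_t high;   /* bytes written so far, including anything past the allocation */
} sink_t;

static void put(sink_t *s, char c)
{
    if (s->off < s->size)       /* keep the model itself in bounds */
        s->buf[s->off] = c;
    s->off++;
    if (s->off > s->high) s->high = s->off;
}

/*
 * Walk 'env' the way parse_tunables() does and return the number of bytes the
 * sanitized copy needs (terminating NUL included). glibc allocates exactly
 * strlen(env) + 1 for it, so any larger result is an overflow.
 * fixed == 0: the vulnerable loop; fixed == 1: the upstream fix, which breaks
 * out of the loop once the value it just processed reached end of input.
 */
size_t parse_tunables_model(const char *env, int fixed, char *out, size_t outsz)
{
    sink_t s = { out, outsz, 0, 0 };
    const char *p = env;

    for (;;) {
        /* Name ends at '=', ':' or end of string. */
        const char *name = p;
        size_t nlen = 0;
        while (p[nlen] != '=' && p[nlen] != ':' && p[nlen] != '\0') nlen++;
        if (p[nlen] == '\0') break;                   /* no complete pair left */
        if (p[nlen] == ':') { p += nlen + 1; continue; }
        p += nlen + 1;

        /* Value ends at ':' or end of string; an '=' inside it is not a delimiter. */
        const char *value = p;
        size_t vlen = 0;
        while (p[vlen] != ':' && p[vlen] != '\0') vlen++;

        if (kept(name, nlen)) {                       /* write name=value back */
            if (s.off > 0) put(&s, ':');
            for (size_t i = 0; i < nlen; i++) put(&s, name[i]);
            put(&s, '=');
            for (size_t i = 0; i < vlen; i++) put(&s, value[i]);
        }

        if (p[vlen] == '\0') {
            if (fixed) break;     /* CVE-2023-4911 fix: end of input ends the loop */
            /* vulnerable: p stays on the tail, which is parsed again as a new pair */
        } else {
            p += vlen + 1;
        }
    }
    put(&s, '\0');
    return s.high;
}

/* Bytes written beyond glibc's strlen(env)+1 allocation; 0 means no overflow. */
size_t tunables_overflow(const char *env, int fixed)
{
    char scratch[512];
    size_t cap = strlen(env) + 1;
    size_t need = parse_tunables_model(env, fixed, scratch, sizeof scratch);
    return need > cap ? need - cap : 0;
}

int main(void)
{
    /* Constructed inputs; "tunable1"/"tunable2" stand in for real tunable names. */
    const char *inputs[] = {
        "tunable1=1:bogus=2:tunable2=3",   /* well-formed: bogus is dropped */
        "tunable1=tunable2=AAA",           /* the malformed shape from the write-up */
    };
    for (size_t i = 0; i < 2; i++)
        printf("%-32s vulnerable: +%zu bytes   fixed: +%zu bytes\n", inputs[i],
               tunables_overflow(inputs[i], 0), tunables_overflow(inputs[i], 1));
    return 0;
}
```

    For tunable1=tunable2=AAA the vulnerable loop needs 35 bytes where 22 were allocated: the first pass fills the buffer exactly, and the re-parse of the tail appends “:tunable2=AAA” plus the terminator. Lengthening the AAA run lengthens the overflow by the same amount, which is what gives an attacker control over how far past the buffer the write reaches.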

    Escalation of the Tunables Vulnerability

    What turns the overflow into a privilege escalation is the context it runs in. GLIBC_TUNABLES is processed by the dynamic loader before the program’s own code starts, and when the program is set-user-ID root the loader is already running as root, so any local user who can set an environment variable and run such a binary reaches the bug with root privileges. Qualys showed that the overwrite can reach the pointer the loader uses for its library search path, the list of directories it consults when resolving shared libraries. Redirecting that pointer to an attacker-controlled directory makes the loader pick up a malicious libc.so, and code execution as root follows.

    That’s All, Folks:

    This vulnerability, tracked as CVE-2023-4911, affects the default installations of many Linux distributions (Qualys confirmed it on Fedora, Ubuntu and Debian, among others), and any local user can attempt it. With a proof of concept (PoC) already public, patching is urgent: install the distribution’s updated glibc package, then restart long-running services or reboot so that nothing keeps the old loader mapped. The broader takeaway from “Looney Tunables” is the weight that careful memory handling and robust parsing logic carry in security-sensitive components like the dynamic loader, where a small slip in loop logic becomes a root exploit.


  • Quantum Computing: Preparing for Skeleton-Key Decryption

    As technology advances, so do both cyberattacks and cybersecurity; each is constantly evolving in order to surpass the other. As new, cutting-edge technology such as quantum computing develops, network defenders have a substantial problem on their hands, because quantum decryption could be a powerful tool for attackers. While it’s a thrilling shift with the promise to completely change how we solve complex problems, quantum computing also brings a hefty challenge to how we keep our online data safe and sound. In this exploration of the quantum computing world, we’ll uncover the risks it brings to encryption, and how the big players like the Cybersecurity and Infrastructure Security Agency (CISA) are preparing to tackle this challenge through their Post-Quantum Cryptography (PQC) Initiative.

    The Quantum Issue:

    Network systems are currently guarded by encryption algorithms, complex mathematical locks that keep intruders at bay. However, quantum computers, armed with the power of qubits, threaten to become skeleton keys, capable of unlocking these defenses with ease. Traditional stalwarts of encryption like RSA and ECC rely on the difficulty of certain mathematical problems (like factoring large numbers) for their security. Quantum computers, leveraging principles of quantum mechanics, can solve these problems exponentially faster than the best-known algorithms running on classical computers. This quantum advantage could shatter the existing encryption standards, laying bare the data they were designed to protect.

    On the Frontlines: CISA’s PQC Initiative:

    Recognizing the storm brewing on the horizon, CISA has marshaled the Post-Quantum Cryptography (PQC) Initiative. This is a clarion call to arms to the cryptographers, beckoning them to forge new locks and keys capable of withstanding quantum assaults. The initiative endeavors to unify efforts across agencies and industry sectors to develop and transition to quantum-resistant cryptographic standards. A significant cornerstone of this initiative is a roadmap developed in collaboration with the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST). This roadmap sketches the path towards new cryptographic standards that would remain robust against the quantum threat.

    The Reality of our Quantum Future:

    The shift towards post-quantum cryptography is a marathon requiring a detailed inventory of vulnerable systems and data, followed by rigorous testing of new cryptographic algorithms in controlled environments. The roadmap also underscores the importance of a thorough interdependence analysis to ascertain the ripple effects of transitioning to new cryptographic standards across various systems and sectors. Preparing for the dangers of quantum computing is not a solo endeavor but rather a collaborative expedition involving government agencies, the private sector, and the academic community. It’s about nurturing a synergy where stakeholders across various sectors contribute to the development, testing, and implementation of new quantum-resistant cryptographic standards.

    In Conclusion:

    As the reality of quantum computing gets closer, initiatives like CISA’s PQC are our strong defense against the threats it poses. The effort to strengthen our online security against quantum challenges is not just a technical hurdle but a joint mission to ensure the safety of our digital lives in the coming quantum era. Through united efforts and a common goal, the cybersecurity community is stepping up to make sure our online safety remains strong, even as we step into the new and uncharted territory of quantum computing.


  • FBI Warns Network Defenders About new Dual Ransomware Attack Pattern

    The FBI recently released a PIN (Private Industry Notification) in order to “highlight emerging ransomware trends,” in this case “dual ransomware attacks,” a type of attack that targets the same organization twice with two different ransomware variants, leaving the victim’s systems encrypted twice over. A dual ransomware attack is classified by the FBI as an attack “against the same victim occurring within 10 days, or less, of each other,” most of which “occurred within 48 hours of each other.”

    What is a Dual Ransomware Attack?

    In these attacks, the FBI warned, “cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Variants were deployed in various combinations.” Typical ransomware attacks have a simpler timeline, one that begins with an initial intrusion, followed by escalation, encryption, and then a pay-day. This new ransomware trend, labeled a “dual ransomware attack,” adds a second layer of encryption, so the timeline becomes initial intrusion, escalation, encryption, further encryption, and then, because two different ransomware variants were deployed, two pay-days. “Second ransomware attacks against an already compromised system could significantly harm victim entities,” the PIN points out, reiterating the threat that a second layer of encryption could pose to a company.

    Dual Ransomware Mitigation Recommendations

    The FBI has created a set of recommendations for all network defenders in order to fortify organizations against the rising menace of dual ransomware attacks. Central to these guidelines is establishing strong liaisons with regional FBI Field Offices for identifying vulnerabilities and mitigating threats.

    • Offline Data Backups: Maintaining regular, encrypted, and immutable offline backups to ensure data integrity and availability during cyber incidents.
    • Vendor Security Review: Rigorous security assessment of third-party vendors and monitoring connections for suspicious activities.
    • Enhanced Access Management: Adherence to National Institute of Standards and Technology (NIST) standards for password policies, coupled with phishing-resistant multifactor authentication.
    • Network Segmentation: Implementing network segmentation to curb ransomware spread and control traffic flows between subnetworks.
    • Proactive Monitoring: Employing network monitoring tools and Endpoint Detection and Response (EDR) tools for identifying abnormal activities and potential ransomware traversal.
    • Timely Patching: Ensuring all systems are updated to the latest security patches to minimize exposure to cyber threats.

    By embracing these measures, organizations can significantly bolster their defense mechanisms, making it exceedingly challenging for cyber adversaries to exploit system and network vulnerabilities.


  • Netizen: September 2023 Vulnerability Review

    Security vulnerabilities are a constant in managing any business’s security posture. Promptly patching and remediating new vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from September that should be patched or addressed immediately if present in your environment. Detailed writeups below:


    CVE-2023-41993

    This vulnerability, rated at a critical NIST CVSSv3 score of 9.8/10, pertains to the handling of web content in Safari, iOS, iPadOS, and macOS Sonoma. Processing web content posed a risk of arbitrary code execution, a concern that Apple addressed through enhanced checks. The issue is resolved in Safari 17, iOS 16.7, iPadOS 16.7, and macOS Sonoma 14. Notably, there have been reports of active exploitation targeting iOS versions prior to 16.7.


    CVE-2023-38205

    Adobe ColdFusion versions 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier are affected by an Improper Access Control vulnerability. This vulnerability, rated at a high NIST CVSSv3 score of 7.5/10, could potentially lead to a security feature bypass, allowing attackers to access the administration CFM and CFC endpoints. Importantly, exploitation of this issue does not require user interaction.


    CVE-2023-5174

    This critical vulnerability exclusively impacts Firefox on Windows under non-standard configurations, such as ‘runas.’ With a NIST CVSSv3 score of 9.8/10, it stems from a situation where Windows fails to duplicate a handle during process creation, inadvertently leading to a use-after-free scenario. It’s essential to note that this bug does not affect other operating systems. This vulnerability can result in a potentially exploitable crash. It is relevant to Firefox versions less than 118, Firefox ESR versions less than 115.3, and Thunderbird versions less than 115.3.


    CVE-2023-4760

    In Eclipse RAP versions from 3.0.0 to 3.25.0, a critical vulnerability exists that permits Remote Code Execution on Windows when utilizing the FileUpload component. This vulnerability is attributed to an insecure extraction of file names within the FileUploadProcessor.stripFileName(String name) method. When a forward slash (/) is detected in the path, everything preceding it is removed, but any backslashes (\) present are retained. This flaw allows for the upload and execution of malicious files, posing a significant threat. An illustrative example is the upload of a file with the name /….\webapps\shell.war, which under Windows is saved as ….\webapps\shell.war in the webapps directory and can subsequently be executed. The NIST CVSSv3 score for this vulnerability is 9.8/10.
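    The stripping logic described above, as an added Python illustration written for this review (not Eclipse RAP’s Java code): strip_file_name_flawed mirrors the described defect, and strip_file_name is a hardened form that honours both separators and rejects anything that still looks like a path. Sample names are constructed.

```python
"""Upload file-name sanitising, illustrating the CVE-2023-4760 defect.

Added example written for this summary in Python; it is not Eclipse RAP's
Java code. strip_file_name_flawed mirrors the behaviour the advisory
describes (only '/' is honoured, so backslashes survive into the saved
path); strip_file_name is a hardened form that honours both separators
and refuses anything that still looks like a path. Sample names used in
the usage section are constructed.
"""
import re

# Characters that are illegal in Windows file names, plus NUL and controls.
_FORBIDDEN = re.compile(r'[<>:"|?*\x00-\x1f]')


def strip_file_name_flawed(name: str) -> str:
    """Drop everything up to the last '/', keep the rest verbatim (the bug)."""
    idx = name.rfind("/")
    return name[idx + 1:] if idx != -1 else name


def strip_file_name(name: str) -> str:
    """Return a bare file name, or raise ValueError if none can be recovered."""
    # Treat '/' and '\' alike, so a Windows host cannot reinterpret the result
    # as a relative path once the file is written to disk.
    base = re.split(r"[\\/]", name)[-1]
    if base in ("", ".", "..") or _FORBIDDEN.search(base):
        raise ValueError(f"rejected upload name: {name!r}")
    return base


def is_safe_to_store(name: str) -> bool:
    """True when the hardened stripper accepts the name as a bare file name."""
    try:
        strip_file_name(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed upload name in the shape the advisory describes.
    sample = "/..\\..\\webapps\\app.war"
    print("flawed  :", strip_file_name_flawed(sample))   # backslashes survive
    print("hardened:", strip_file_name(sample))          # bare file name only
```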


    CVE-2023-2262

    A critical vulnerability with a NIST CVSSv3 score of 9.8/10 exists in select Rockwell Automation 1756-EN* communication devices. This vulnerability is characterized by a buffer overflow, which, if exploited, could enable a threat actor to perform remote code execution. To exploit this vulnerability, a maliciously crafted CIP request must be sent to the device. The consequences of this vulnerability are severe, as successful exploitation could result in unauthorized access, control, or manipulation of these industrial devices, potentially leading to operational disruptions and damage.


    Conclusion:

    In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.




  • Overview:

    • Phish Tale of the Week
    • Deceptive Cyberattack Strikes GitHub’s Software Supply Chain via Impersonation of Dependabot
    • Chinese State-Sponsored Cyber Espionage Campaign Targets South Korean Organizations Over Multiple Years
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes phishing campaigns created by malicious actors target users through social engineering. For example, in this email the actors pose as LastPass, the password manager company, and inform you that action needs to be taken on your account in order to avoid deactivation, in this case updating personal information. The email explains that “LastPass” takes our security very personally, so we should confirm our information in order to maintain full access to our account. It seems both urgent and genuine, so why shouldn’t we click the “Confirm My Information” button? Luckily, there are plenty of reasons that point to this being a phishing scam.

    Here’s how we can tell not to click on this link:

    1. The first red flag in this message is the sender’s address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their email address, and a simple look at the sender’s address makes it very apparent that the email is not from LastPass. In the future, review the sender’s address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the messaging. This message tries to create a sense of urgency by using different phrases in bold like “Warning” and “To avoid the deactivation.” Phishing scams commonly attempt to create a sense of urgency in their emails in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the messaging of all emails in your inbox before clicking on a link in your email.
    3. The final warning sign for this email is the lack of legitimate LastPass information. Fortune 500 companies and similar organizations standardize all email communications with customers. Support links, addresses, acceptable use policies, and other information are always provided at the bottom of each email, along with options to unsubscribe or change messaging preferences. While this specific email includes a small footer at the bottom, a quick investigation proves that it’s just for show. This email lacks all of the parts of a credible LastPass email and can be immediately detected as a phishing attempt.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    1. Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Deceptive Cyberattack Strikes GitHub’s Software Supply Chain via Impersonation of Dependabot

    In a recent cyberattack targeting software supply chains, hackers successfully inserted malicious code updates into hundreds of GitHub repositories by exploiting stolen passcodes to commit unauthorized changes. They cleverly used the name of a well-known tool, Dependabot, to deceive developers into accepting these tainted updates.

    The attackers exploited stolen personal access tokens (PATs), which are security credentials used to authenticate code updates, to push code changes into the GitHub repositories. They employed a known technique to impersonate the contributor’s identity, making it appear as if Dependabot had made the changes. This tactic added malicious code to the end of JavaScript files, enabling it to load and execute code from the attacker’s site.

    This deception technique, involving the impersonation of Dependabot, is a new twist in the realm of software supply chain attacks and could easily mislead unsuspecting developers, according to Guy Nachshon, a security researcher at Checkmarx.

    “The attacker plants code changes to appear as if they were made by Dependabot — so the victim won’t deep dive into the code changes,” he says. “This is a software supply chain attack and the first time we’ve witnessed such a deception technique with the impersonation of Dependabot.”

    This incident is the latest in a series of attacks targeting developers and the GitHub platform itself, aiming to inject malicious code into the software supply chain. For instance, in previous incidents, attackers stole code from Dropbox’s GitHub repositories by tricking a developer into divulging their credentials and two-factor authentication code on a phishing site. Another attacker created a malicious Python package that masqueraded as a software development kit for a popular security client.

    It’s essential to note that these types of attacks are not exclusive to GitHub, as various threat actors have attempted to exploit impersonation tactics to manipulate users into trusting a fraudulent code commit, often coupled with stolen PATs. GitHub emphasizes that its systems were not compromised in this attack, and there’s no evidence to suggest that GitHub users are at risk. Nevertheless, malicious actors continue to seek opportunities to compromise personal data and sensitive information wherever they can find it.

    Dependabot, a tool purchased by GitHub in 2019, automates regular software and security checks for projects hosted on the GitHub platform. Attackers could have submitted their malicious code under any name, but by masquerading as Dependabot, they gained a level of trust among developers. Nicolas Danjon, a security researcher at GitGuardian, highlights this point: “Dependabot is an automated process that will add some merge requests to your projects to update your dependencies. As a developer, if you see a request that comes from Dependabot, you’re not even going to check the code — you just accept it because you trust the source.”

    However, it’s important to stress that the actual code submission is made possible by the theft of PATs. Without these stolen credentials, the threat would be significantly diminished, according to Checkmarx’s Nachshon. Developers are urged to secure their accounts and adopt the principle of least privilege by using fine-grained tokens instead of classic tokens.
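    One way to act on the points above, as an added example that is not code from the article, GitHub or Checkmarx: a review-time check that refuses to extend Dependabot’s trust to any commit that merely carries its name. It assumes commit metadata is gathered with git’s `%G?` signature-status field and encodes an assumed policy (a Dependabot-attributed commit must be well signed and should touch only dependency manifests); the sample log and file lists are constructed.

```python
"""Flag commits that present as Dependabot but lack the trust signals a real
Dependabot commit carries.

Added illustration, not code from the article, GitHub or Checkmarx. It
assumes commit metadata is gathered with:
    git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%G?'
where %G? is git's signature status (G = good; N = none; other letters
mean bad, expired or untrusted). The policy below is an assumption: a
commit attributed to Dependabot must be well signed and should touch only
dependency manifests. The sample log and file lists are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

FIELD_SEP = "\x1f"            # matches %x1f in the format string above
GOOD_SIGNATURE = "G"
BOT_PATTERN = re.compile(r"dependabot", re.IGNORECASE)

# Files a dependency-update bot is expected to change (assumed list; extend
# it with the lock files or workflow pins your projects actually use).
MANIFEST_SUFFIXES = ("package.json", "package-lock.json", "yarn.lock",
                     "requirements.txt", "go.mod", "go.sum", "Gemfile.lock",
                     "pom.xml")


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    sig_status: str
    files: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Commit]:
    """Parse one commit per non-empty line of the six-field format."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(FIELD_SEP)
        if len(parts) != 6:
            raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
        commits.append(Commit(*parts))
    return commits


def claims_dependabot(c: Commit) -> bool:
    """True when the author fields present the commit as Dependabot's."""
    return bool(BOT_PATTERN.search(c.author_name) or BOT_PATTERN.search(c.author_email))


def findings(c: Commit) -> list[str]:
    """Reasons a Dependabot-attributed commit should get a human review."""
    reasons: list[str] = []
    if not claims_dependabot(c):
        return reasons
    if c.sig_status != GOOD_SIGNATURE:
        reasons.append(f"presents as Dependabot but signature status is {c.sig_status!r}")
    odd = [f for f in c.files if not f.endswith(MANIFEST_SUFFIXES)]
    if odd:
        reasons.append("touches non-manifest files: " + ", ".join(odd))
    return reasons


def audit(log_text: str, files_by_sha: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map sha -> reasons for every commit that fails the Dependabot policy."""
    report: dict[str, list[str]] = {}
    for c in parse_log(log_text):
        c.files = files_by_sha.get(c.sha, [])
        reasons = findings(c)
        if reasons:
            report[c.sha] = reasons
    return report


# Constructed sample: one signed bot commit, one forged attribution pushed
# with a stolen token, and one ordinary developer commit.
GENUINE, FORGED, HUMAN = "a" * 40, "b" * 40, "c" * 40
SAMPLE_LOG = "\n".join([
    FIELD_SEP.join([GENUINE, "dependabot[bot]", "dependabot[bot]@example.invalid",
                    "GitHub", "noreply@example.invalid", "G"]),
    FIELD_SEP.join([FORGED, "dependabot[bot]", "dependabot[bot]@example.invalid",
                    "dependabot[bot]", "dependabot[bot]@example.invalid", "N"]),
    FIELD_SEP.join([HUMAN, "Jane Developer", "jane@example.invalid",
                    "Jane Developer", "jane@example.invalid", "N"]),
])
SAMPLE_FILES = {
    GENUINE: ["package.json", "package-lock.json"],
    FORGED: ["package.json", "src/index.js"],   # JS file with an appended loader
    HUMAN: ["src/index.js"],
}

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG, SAMPLE_FILES).items():
        print(sha[:12], "->", "; ".join(reasons))
```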

    To safeguard software development pipelines against attacks, developers should prioritize enhancing security measures. This includes ensuring that the theft of a single credential cannot lead to code compromise. GitHub has already taken steps in this direction by scanning all public repositories for developer secrets like passwords and security tokens and mandating two-factor authentication for all developer accounts.

    The impersonation attack underscores the importance of not relying solely on project attributes, such as the number of developers and commits, to determine project trustworthiness. In 2022, researchers demonstrated that some of the signals and metadata used for assessing a software project’s trustworthiness could be forged, potentially deceiving developers into downloading malicious code.

    To enhance security, organizations should not only protect their development secrets but also employ honey tokens, a deception defense strategy that scatters fake credentials throughout developers’ environments. This helps detect when attackers attempt to use invalid identities. Additionally, developers should thoroughly analyze the code from the packages they use to check for any signs of malicious code infiltrating the supply chain.

    Checkmarx’s Nachshon also recommends that GitHub allow every user to access their security access logs, a feature currently limited to enterprise users. This would empower users to monitor and track their security activities more effectively, potentially identifying suspicious activities or unauthorized access more promptly.


    Chinese State-Sponsored Cyber Espionage Campaign Targets South Korean Organizations Over Multiple Years

    A sustained and extensive cyber espionage campaign, believed to be orchestrated by Chinese state-sponsored actors, has come to light. This ongoing campaign, referred to as TAG-74 by Recorded Future’s Insikt Group, has been identified as a significant threat to a range of entities in South Korea, including academic institutions, political bodies, and government organizations. The adversaries behind TAG-74 have strong links to Chinese military intelligence, making their activities of concern to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.

    This targeted cyber campaign has a specific focus on South Korean academic institutions, aligning with China’s broader objectives of intellectual property theft and expanding its influence. Additionally, it is motivated by strategic considerations, including China’s relations with the United States.

    The attackers employ social engineering tactics, using Microsoft Compiled HTML Help (CHM) files as lures to deliver a custom variant of an open-source Visual Basic Script backdoor named ReVBShell. Subsequently, this backdoor serves as the entry point for deploying the Bisonal remote access trojan. ReVBShell is designed to go dormant for specific periods, as dictated by commands from a remote server, with the ability to modify these time intervals. Furthermore, it employs Base64 encoding to obfuscate its command-and-control (C2) communications.

    The usage of ReVBShell has been associated with two other Chinese-linked clusters, known as Tick and Tonto Team. AhnLab Security Emergency Response Center (ASEC) also reported an identical infection sequence involving Tonto Team in April 2023. Bisonal, the remote access trojan employed in this campaign, is a versatile threat capable of gathering information about processes and files, executing commands and files, terminating processes, downloading and uploading files, and deleting files on disk. The connections between TAG-74 and other Chinese threat groups, particularly Tick, underscore the prevalent sharing of tools and techniques among these actors.

    Recorded Future notes that the TAG-74 campaign reflects a long-term strategy aimed at collecting intelligence from South Korean targets. Given the group’s sustained focus on South Korean entities over many years and its likely affiliation with the Northern Theater Command, it is anticipated that TAG-74 will continue to remain highly active in gathering intelligence from strategic targets within South Korea, as well as in Japan and Russia.

