• Protecting Your MSSQL Databases: Defending Against the FreeWorld Ransomware Threat
    The .txt file generated by FreeWorld ransomware, from Securonix Threat Research

    A new cyberattack campaign named “DB#JAMMER” has emerged, specifically targeting exposed Microsoft SQL Server (MSSQL) databases. The implications of this campaign are nothing short of severe, especially for organizations relying on this technology, as DB#JAMMER is no ordinary cyberattack; it’s a well-choreographed assault that employs intricate tactics, including relentless brute-force attacks aimed at breaching MSSQL servers. Once these digital intruders gain access, they unleash a barrage of malicious payloads, comprising ransomware and the notorious Cobalt Strike. The aftermath of such an attack can be catastrophic, as it wreaks havoc on compromised systems. Securonix, a leading cybersecurity research firm, has been at the forefront of investigating this threat. They’ve diligently uncovered the inner workings of DB#JAMMER, shedding light on its complex attack sequence and the potential havoc it can wreak on businesses worldwide.

    The Attack Sequence

    DB#JAMMER is not your run-of-the-mill cyberattack; it follows a meticulously orchestrated sequence of steps designed to infiltrate and compromise MSSQL databases:

    • Initial Access: The campaign commences with determined brute-force attempts to gain unauthorized access to exposed MSSQL databases. These relentless efforts allow the attackers to breach the first line of defense.
    • Expanding Foothold: Once inside, the attackers embark on expanding their presence within the target system. They capitalize on the compromised MSSQL server as a strategic launching pad for a multitude of malicious payloads.
    • Payload Delivery: The attackers, operating with precision, unleash an array of malicious payloads. Among them are remote-access Trojans (RATs) and a recently discovered ransomware variant known as “FreeWorld.” This ransomware strain earned its moniker due to its distinct characteristics, including file names containing “FreeWorld,” a ransom instruction file titled FreeWorld-Contact.txt, and the “.FreeWorldEncryption” extension used for encrypted files.
    • Establishing Persistence: To ensure they maintain control over the compromised system, the threat actors take further steps. They create a remote SMB share to house their malicious tools. Within this repository, you’ll find a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk. Additionally, they employ a network port scanner and Mimikatz, a tool for extracting credentials and moving laterally within the network.
    • Configuration Changes: The attackers don’t stop at payload delivery; they also make strategic configuration changes. These alterations include creating or modifying user accounts and tweaking registry settings, all intended to hinder the system’s natural defenses.

    An Ongoing Threat

    As of the latest updates, the DB#JAMMER campaign still poses a significant threat. Although it appeared to have specific targets initially, the campaign remains dangerous, because there are signs that the attackers may go beyond MSSQL databases and affect a wider range of systems and organizations. “At this point, our current assessment indicates a medium to high risk level because there are indications that the infiltration vectors employed by the attackers may extend beyond MSSQL,” emphasized Oleg Kolesnikov, Vice President of Threat Research and Cybersecurity at Securonix. Kolesnikov also notes that the DB#JAMMER campaign is unusual in the complexity of its attack pattern, which means that if the attacks were broadened they could be devastating. “This is not something we have been seeing often, and what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors,” he points out. This evolving threat landscape underscores the importance of organizations strengthening their defenses, not only for MSSQL databases but for their entire digital infrastructure, to protect against the growing danger of DB#JAMMER.

    Protecting Your MSSQL Databases

    To fortify your defenses against threats like DB#JAMMER and ransomware in general, consider adopting the following security measures:

    • Limit Internet Exposure: Reduce your attack surface by restricting the exposure of MSSQL services to the internet. If feasible, avoid allowing external connections, as weak account credentials are often exploited through these avenues.
    • Implement Comprehensive Defenses: Develop a profound understanding of the attack progression and behaviors leveraged by malicious actors. Consider disabling or tightly restricting the use of potentially risky features like “xp_cmdshell.”
    • Enhance Logging: Augment your security posture by monitoring common malware staging directories, with particular focus on “C:\Windows\Temp.” Deploy additional process-level logging tools like Sysmon and PowerShell logging to enhance your detection capabilities.
    • Stay Informed: Stay vigilant and informed about the ever-evolving landscape of cybersecurity threats and trends. This knowledge will empower you to adapt your security measures accordingly, ensuring you stay one step ahead of potential attackers.
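    As an added example (it is not from the Securonix report or Netizen's own tooling), the script below scans constructed SQL Server ERRORLOG lines for the two DB#JAMMER signals the list above calls out: a burst of failed logons from a single client (the brute-force stage) and the “xp_cmdshell” option being switched on. The line formats follow SQL Server's standard ERRORLOG wording; the five-failures-per-minute threshold and the watched option list are assumptions you should tune to your environment.

```python
"""Flag brute-force logon bursts and xp_cmdshell enablement in SQL Server ERRORLOG text."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not real log data): six failed 'sa' logons
# from one client in a few seconds, one stray failure from another client, and
# the configuration-change line SQL Server writes when sp_configure enables an option.
SAMPLE_ERRORLOG = """\
2023-08-29 03:14:06.00 spid18s     Service Broker manager has started.
2023-08-29 03:14:07.21 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-29 03:14:07.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-08-29 03:14:07.63 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-29 03:14:07.63 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-08-29 03:14:08.05 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-29 03:14:08.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-08-29 03:14:08.47 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-29 03:14:08.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-08-29 03:14:08.90 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-29 03:14:08.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-08-29 03:14:09.32 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-29 03:14:09.32 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-08-29 03:20:11.02 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-29 03:20:11.02 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-08-29 03:25:00.00 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
LOGIN_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)


def parse_errorlog(text):
    """Return (login_failures, config_changes) parsed from ERRORLOG text."""
    failures, changes = [], []
    for line in text.splitlines():
        m = LOGIN_FAIL.match(line)
        if m:
            failures.append({"ts": datetime.strptime(m["ts"], TS_FORMAT),
                             "user": m["user"], "client": m["client"]})
            continue
        m = CONFIG_CHANGE.match(line)
        if m:
            changes.append({"ts": datetime.strptime(m["ts"], TS_FORMAT),
                            "option": m["option"], "old": int(m["old"]), "new": int(m["new"])})
    return failures, changes


def detect_bruteforce(failures, threshold=5, window=timedelta(minutes=1)):
    """Map client -> peak number of failed logons inside any sliding window.
    Only clients that reach the threshold are returned (assumed tuning values)."""
    by_client = defaultdict(list)
    for f in failures:
        by_client[f["client"]].append(f["ts"])
    alerts = {}
    for client, stamps in by_client.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = peak
    return alerts


def detect_risky_config(changes, watched=("xp_cmdshell", "Ole Automation Procedures")):
    """Return configuration changes that turn a watched option on (non-zero)."""
    return [c for c in changes if c["option"] in watched and c["new"] != 0]


if __name__ == "__main__":
    fails, cfg = parse_errorlog(SAMPLE_ERRORLOG)
    for client, n in detect_bruteforce(fails).items():
        print(f"possible brute force: {n} failed logons from {client} within one minute")
    for c in detect_risky_config(cfg):
        print(f"{c['ts']} option '{c['option']}' enabled ({c['old']} -> {c['new']})")
```

    On a live system the same checks can be pointed at the output of the xp_readerrorlog procedure or at forwarded ERRORLOG files.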

    In an era marked by a surge in ransomware attacks, safeguarding your MSSQL databases is no longer just a choice—it’s an absolute necessity. Implementing these proactive security measures can significantly strengthen your defenses against potent threats like FreeWorld ransomware, allowing you to safeguard your invaluable data. In today’s ever-evolving threat landscape, staying ahead is not a luxury; it’s essential to protect the critical assets and operations relying on MSSQL databases.

    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact

  • Critical Vulnerability in Hikvision Surveillance Cameras Points to Greater Issue Within the IoT

    Security researchers from Cyfirma recently discovered that over 80,000 Hikvision surveillance cameras are still susceptible to a critical vulnerability that was patched in a security update over 2 years ago. CVE-2021-36260, which was added to the National Vulnerability Database in January of 2022, allows attackers to exploit Hikvision cameras due to their lack of input validation. Attackers exploiting this vulnerability can send malicious HTTP requests to the camera’s web server through server port 443, allowing them to immediately root the device. The unrestricted root shell gives the attacker access to camera data, enables them to enlist the camera in a botnet, and allows them to attack the camera server further. The vulnerability has a CVSS score of 9.8, just 0.2 points shy of reaching the maximum possible score. 

    The Scope of the Hikvision Vulnerability 

    Despite being an extremely critical vulnerability, the security update that neutralizes CVE-2021-36260 has yet to be applied by a multitude of organizations, 2300 in total across 100 different countries according to Cyfirma. The flaw also spans several older versions of Hikvision firmware. “The vulnerability affects Hikvision products that use firmware versions V5.5.0 and earlier, V5.6.0 to V5.6.10, and V5.7.0 to V5.7.3,” noted Check Point Research.

    Top 10 Countries Using Vulnerable Hikvision Camera Products | Source: Cyfirma

    IoT Devices Require Stronger Security

    Cyfirma believes that Chinese threat groups such as MISSION2025/APT41, APT10, and even various Russian threat actor groups could potentially exploit the security cameras. “Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment,” Cyfirma wrote in their report. The issues caused by the simple lack of these firmware updates are extremely expansive in nature, almost too expansive to remain unpatched in so many instances. Why haven’t all the companies with outdated firmware pushed out the update to all their cameras? Overall, organizations that deal with IoT devices like Hikvision cameras require stronger security measures, including regular password updates and robust access controls, in order to further fortify the security of their systems.

    The Vulnerability of the IoT 

    The prevalence of CVE-2021-36260 two years after the security patch shows the broader challenge of securing IoT devices. As Paul Bischoff, a privacy advocate with Comparitech, points out, “IoT devices such as cameras are not always as straightforward to secure as mobile applications. Updates are not automated; users must manually download and install them, and many users may never receive the notification.” Additionally, IoT devices may not offer clear indications of their security status or whether they require updates, unlike more user-friendly systems like smartphones. This makes the devices much harder to secure, which in the grand scheme of things leaves many devices vulnerable to exploitation. The situation is further exacerbated by the fact that some Hikvision cameras are shipped with preset passwords, which users often neglect to change. Because of these issues, it is imperative for organizations and users to take proactive measures in securing their IoT devices, including promptly applying security updates as soon as they come out and configuring robust access controls to mitigate the risks associated with vulnerabilities like CVE-2021-36260. Failure to do so not only puts your devices at risk but also poses potential threats to the broader network and organizational security.

    Conclusion

    In conclusion, the fact that over 80,000 Hikvision surveillance cameras are still vulnerable to a critical security flaw despite a security update being available for over two years highlights the essential importance of regularly updating your IoT devices, including Hikvision cameras, to the latest firmware. Neglecting security updates not only puts these devices at risk but also leaves them susceptible to exploits. It’s necessary that all owners of Hikvision cameras update their firmware as soon as possible to avoid this issue. Keeping both your firmware and your team updated is the best way to avoid exploitation. 


  • Overview:

    • Phish Tale of the Week
    • North Korean Hackers Could be About to Cash Out 41 Million in Stolen Bitcoin
    • New WinRAR Zero-Day Vulnerability Could Install Malware When You Unzip Files
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors and come in many different forms. In this instance, we see a phishing scam targeting PayPal users with what appears to be a link that’s supposed to “reactivate your account.” PayPal says that our account has been limited, and clicking on this link is supposed to bring everything back to normal. There’s been unauthorized activity on our account, and the email seems urgent, so why don’t we click on that link and find out what’s been going on? Luckily, there’s plenty of reasons that point to this being a phishing scam.

    Here’s how we can tell not to click on this link:

    1. The first red flag in this message is the sender’s address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the sender used email spoofing to change their address to “service@intl.limited.com” in order to make it seem more legitimate. In the future, review the sender’s address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the messaging. This message tries to create a sense of urgency by using phrases like “we noticed some unusual activity” and “Please take action on your account soon.” Phishing scams commonly attempt to create a sense of urgency in their emails in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the messaging of all emails in your inbox before clicking on a link.
    3. The final warning sign for this email is the lack of legitimate PayPal information. Fortune 500 companies and similar organizations standardize all email communications with customers. Support links, addresses, acceptable use policies, and other information is always provided at the bottom of each email, along with options to unsubscribe or change messaging preferences. This email lacks all of the parts of a credible PayPal email and can be immediately detected as a phishing attempt.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and that it has the proper security in place, such as HTTPS.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    North Korean Hackers Could be About to Cash Out 40 Million in Stolen Bitcoin

    The FBI has recently issued a warning concerning several cryptocurrency wallets believed to hold millions of dollars in stolen Bitcoin assets.

    “Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People’s Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38),” the warning from August 22nd reads. “The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40 million dollars.”

    This warning isn’t the first time the Lazarus Group has been in crypto-theft news either. The FBI reports that they’ve been behind several recent attacks, including:

    1. June 22, 2023: They stole $60 million worth of virtual currency from Alphapo.
    2. June 22, 2023: Another heist saw them steal $37 million worth of virtual currency from CoinsPaid.
    3. June 2, 2023: They managed to steal $100 million in virtual currency from Atomic Wallet.

    Previously, the hackers also stole assets in attacks against Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge, and were sanctioned by the U.S. Department of Treasury’s Office of Foreign Assets Control in 2019.

    The agency has pinpointed six addresses currently being tracked that hold the 1580 stolen Bitcoin; the full list is published in the FBI’s warning.

    The FBI’s directive is clear: “Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses.” Interacting with these addresses, directly or indirectly, could inadvertently support illicit activities and fund criminal operations.

    The Lazarus Group’s cryptocurrency heists make clear the need to scale up security around cryptocurrency. It’s imperative that organizations take immediate action to enhance their crypto-related cybersecurity posture. This includes bolstering security training about cryptocurrency for all personnel, keeping records of cryptocurrency transactions, and keeping a close eye on which cryptocurrency wallets you and your organization interact with.

    In these times, staying one step ahead in the ever-evolving world of cybersecurity isn’t just advisable—it’s essential. Your organization’s digital assets and financial future hinge on your proactive efforts to heighten awareness and be informed.



    New WinRAR Zero-Day Vulnerability Could Install Malware When You Unzip Files

    If you’re a WinRAR user, it’s crucial to stay informed about a recent security concern that demands your immediate attention. Reports have surfaced regarding a zero-day vulnerability within WinRAR, a widely used software for compressing and decompressing files. This particular vulnerability, assigned the identifier CVE-2023-40477, stems from an issue related to the validation of user-supplied data when opening an archive file. It can lead to memory access beyond allocated buffers, a serious problem that enables attackers to exploit it, earning the vulnerability a high CVSS severity rating of 7.8.

    This vulnerability was initially discovered by a vigilant security researcher known as “goodbyeselene” on June 8. In response, the software maintainers took swift action and released an updated version, WinRAR 6.23, on August 2, 2023, before the vulnerability was publicly disclosed by ZDI on August 17. This new version not only fixes the critical zero-day vulnerability but also addresses other security flaws that have come to light in recent months, including a flaw where “WinRAR could start a wrong file after a user double clicked an item in a specially crafted archive,” according to Group-IB researcher Andrey Polovinkin.

    This zero-day vulnerability had significant implications, with threat actors using it to their advantage. They crafted ZIP archives designed to serve as carriers for various malware families. These weaponized ZIP archives were distributed on trading forums, and once extracted and executed, the embedded malware enabled threat actors to withdraw money from broker accounts. “By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families,” Polovinkin stated. “This vulnerability has been exploited since April 2023.”

    To safeguard your personal or business computer, it’s imperative to take action immediately. Upgrade to WinRAR version 6.23, the release that addresses the vulnerability and several other security concerns. By keeping your software up to date and remaining cautious when dealing with unfamiliar files, you can reduce the risk of falling victim to such threats.

    In conclusion, the WinRAR zero-day vulnerability serves as a reminder that threats are constantly updating, and that being safe from these threats requires you to stay up to date on recent vulnerabilities. Stay proactive, keep your software current, and exercise caution to protect your system from evolving threats. Your system’s security is in your hands.



  • Google Dorking: How a Simple Google Search Can Expose Your Sensitive Data

    We’re all so used to searching for things on Google—it’s almost second nature to us. Want to know tomorrow’s weather? Google it. Need a recipe for dinner? Google’s got your back. But here’s the thing: Google can do a lot more than we realize. Instead of just typing in something like ‘easy homemade recipes,’ which might return tons of pages that aren’t exactly what you need, you can add more to your search to narrow down your results. For example, you could type ‘intitle:”homemade” intitle:”recipe” site:allrecipes.com.’ Using these additional search parameters, a basic example of the tactic called “Google Dorking,” helps you find pages on allrecipes.com that have ‘homemade’ and ‘recipe’ in the title. Pretty efficient, right? Maybe even a bit too efficient. While it’s extremely helpful for refining your searches, Google Dorking is also a tool that attackers can use to probe for potential vulnerabilities on your websites, namely sensitive information inadvertently left accessible to the public.


    Understanding the Power of Google Dorking

    Google Dorking, as illustrated by the above example, is a method that capitalizes on Google’s search capabilities in order to refine and target specific search results. While the ‘intitle’ and ‘site’ operators were highlighted in the earlier example, other operators can be combined to produce a variety of specific outcomes. For example, the search ‘filetype:pdf intext:”payroll” site:yourcompany.com’ (where yourcompany.com represents a company website) would return every single pdf document on the site that includes the word “payroll” in it, possibly exposing sensitive employee payroll information to an attacker. This can be easily prevented if your website’s private documents are kept inaccessible by the public, which is why it’s so important to take preventative measures against these attacks.


    The Dangerous Simplicity of Dorking

    The danger of Dorking doesn’t necessarily lie in its power, but rather in its simplicity and ease of use. Hamid Firoozi’s case is a great example of this. Firoozi used Google Dorking to identify an unguarded computer in the Bowman Avenue Dam’s network. After discovering said computer, he gained remote access to it and was luckily unable to cause damage to the dam, as the sluice gates had been offline for maintenance. Nonetheless, the simplicity of his approach was alarming; a few well-crafted search terms revealed a pathway to a potentially disastrous breach. This case serves as a potent reminder that Google Dorking empowers even those with limited technical prowess to uncover weak points in seemingly secure systems; it exemplifies the necessity to keep your systems updated and secure and, most importantly, to keep your network’s information inaccessible to the public.


    Safeguarding Against Google Dorking Exploits

    To defend against potential threats posed by Google Dorking, the following steps can be taken:

    • Regular Security Audits: Conduct periodic audits of your website’s security to identify potential vulnerabilities that could be exploited through advanced search queries.
    • Utilize Robots.txt: Use the robots.txt file to keep search engines from crawling and indexing sensitive sections of your website, limiting exposure to Dorking techniques. Keep in mind that robots.txt only asks well-behaved crawlers to stay away and is itself publicly readable; it does not block access, so sensitive content still needs authentication or other access controls behind it.
    • Stay Vigilant: Consistently monitor your website’s exposure to potential Dorking techniques and take swift action if any sensitive information is inadvertently accessible.
    • Educate Yourself and Others: Educating your team about the risks of Google Dorking and preventative measures to counteract it can help prevent unintended data exposure.

    Conclusion

    While search engines constantly optimize and innovate in order to bring the most relevant results to our screens, the operators they provide to narrow our searches are powerful, and Google Dorking turns that power to malicious ends. By understanding this technique, remaining informed, and implementing anti-Dorking cybersecurity measures, we can strike a balance between utilizing the power of advanced searches and safeguarding our digital realms against potential threats.




  • Netizen: August Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from July that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2023-3600:

    A use-after-free condition could lead to a potentially exploitable crash. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10 and it affects Mozilla Firefox & Firefox ESR in versions prior to 115.0.2 as well as Mozilla Thunderbird in versions prior to 115.0.1. The vulnerability allows a use-after-free condition to occur, which can corrupt memory during the operation of a program and cause an exploitable crash. The attack complexity is low, but user interaction is required. There are no public technical details or exploits available.

    CVE-2023-37268:

    On Warpgate, when logged in as a user with SSO enabled, an attacker can authenticate as another user. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10. Warpgate is an SSH, HTTPS, and MySQL bastion host (a server that manages access to an internal or private network from an external network) for Linux that doesn’t need special client apps. This is an improper authentication vulnerability where the software does not sufficiently authenticate an identity that is provided by an attacker. If a user account does not have MFA enabled, the account can be compromised. The suggested remediation is to upgrade to a newer version. A proof of concept is located at this GitHub page: https://github.com/warp-tech/warpgate/security/advisories/GHSA-868r-97g5-r9g4

    CVE-2023-33012:

    A command injection vulnerability in the configuration parser of the Zyxel ATP could allow an unauthenticated, LAN-based attacker to execute some OS commands. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10 and affects the GRE Configuration Handler of the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2. The vulnerability allows an attacker to execute OS command injections leading to a system compromise. There is a high impact on the CIA Triad.

    CVE-2023-24019:

    A stack-based buffer overflow vulnerability exists in the urvpn_client http_connection_readcb functionality of Milesight UR32L v32.3.0.5. This vulnerability has a NIST CVSSv3 base score rating of 8.1/10. A manipulation of the Network Request Handler component can lead to a buffer overflow [the amount of data in the buffer exceeds the storage capacity of the buffer] exploit leading to unauthorized access to a system. The complexity of this attack is rated high, privileges are not required and there is no user interaction required. The technical details and public exploit are known and a proof of concept is available at Talos Intelligence: https://vuldb.com/?advisory_url.233143

    CVE-2023-23546:

    A misconfiguration vulnerability in the urvpn_client functionality of Milesight UR32L v32.3.0.5 can lead to increased privileges. This vulnerability has a NIST CVSSv3 base score rating of 8.1/10. The flaw in the urvpn_client function relates to certificate authority [a trusted entity that issues SSL certificates] validation. A man-in-the-middle attack [an attacker positioned between a victim and an application/website to eavesdrop or impersonate in order to steal information such as credentials] can trigger the vulnerability, which leads to privilege escalation. This vulnerability requires user interaction, and there is a low impact on confidentiality and integrity.

    Conclusion:

    In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact

  • Voice Synthesis: The Growing Threat of Vishing with AI Technology

    A few months ago, a song called “Heart on My Sleeve” went viral on social media: a collaboration between artists Drake and The Weeknd. It was quickly met with excitement from hip-hop fans, not only because of the song’s impressive vocal performances or the catchy lyrics from both artists, but because it was entirely AI-generated.

    A Dangerous Trend:

    Impersonating an artist or famous person’s voice is as easy as going online, finding one of the several AI models trained to replicate voices, and telling it what you want it to say. These models work with large training sets of vocal data in order to replicate speech, down to the different inflections and emphasis one puts on syllables. Modern vocal synthesis is pretty convincing too; “Heart on My Sleeve” got most of its hype from social media users being tricked into thinking they were actually listening to a leaked song, not an AI-generated one. AI voice cloning has become extremely trendy, fun, and easy to do, but not many realize the unseen implications this powerful software now has for the security of our identities.

    Why Voice Synthesis Poses a Risk

    Phishing, and more specifically vishing (phishing through voice communication), has always been an issue, but now that impersonation technology runs rampant, vishers seem to have made a major breakthrough. Using cheap, easily accessible AI software and an audio clip of just a few sentences, an attacker can easily synthesize a person’s speech and make them say anything they want. Vishers are beginning to use this technology to conduct more powerful vishing scams on a large-scale basis, in which they call vulnerable targets just like a typical vishing attempt, except this time they are using the voice of a loved one. This recognizable voice, combined with a sense of urgency, exploits familiarity to trick victims into divulging sensitive information or large amounts of money.

    Preventing Attacks That Use Voice Synthesis

    In order to protect yourself and those around you from the dangers of impersonation technology and AI-driven vishing attacks, there are several preventative measures you can take. First of all, it’s always important to remain skeptical of unprompted phone calls, especially those requesting that you share sensitive information or send money, even if the caller does appear to be someone you trust. Verifying the identity of the caller is as easy as hanging up and calling your contact back or, in the case of a business call, calling the company line and asking to speak with your contact.

    Conclusion:

    As technology, specifically artificial intelligence, continues to advance, scammers will continue to develop creative ways to attempt to defraud and impersonate their victims. By taking steps to protect both yourself and those around you, we can all stay secure against the new wave of digital attackers. Staying vigilant and informed about new styles of cyber-attacks is the best way to stay both updated and safe in this rapidly-advancing age.

  • Netizen: July Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled four vulnerabilities from June that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2023-3422:

    A use-after-free (UAF) vulnerability in Google Chrome’s Guest View allows an attacker who has convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10. A UAF vulnerability involves the incorrect use of dynamic memory: if a program doesn’t properly clear a pointer after the memory it points to has been freed, an attacker can use the stale pointer to exploit the program. This affects Google Chrome versions prior to 114.0.5735.198. The technical details of this vulnerability are listed as unknown and there is no known public exploit available.

    CVE-2022-29144:

    This is a Chromium-based Microsoft Edge privilege escalation vulnerability. It has a NIST CVSSv3 base score rating of 8.3/10, and the attack complexity is rated high, which means that conditions beyond the attacker’s control are required for a successful exploit. The technical details of this vulnerability are not publicly available, and user interaction is required to exploit it. If an exploit is successful, it poses a high risk to the CIA Triad.

    CVE-2023-25055:

    This is a Cross-Site Request Forgery (CSRF) vulnerability in the Google XML Sitemap for Videos plugin for WordPress, affecting versions 2.6.1 and earlier. It has a NIST CVSSv3 base score rating of 8.8/10. The video_sitemap_generate function is affected. The plugin doesn’t sufficiently verify that an incoming request was intentionally submitted by the user, which leads to a CSRF exploit and allows an attacker to trick a user of the web application into executing actions such as transferring funds, changing mail addresses, etc.

    CVE-2023-34121:

    Improper input validation in Zoom clients may allow information disclosure. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10, requires no user interaction, and poses a high risk to the CIA Triad. Improper validation of input in the Zoom for Windows, Zoom Rooms, and Zoom VDI Windows Meeting clients before 5.14.0 can lead to information disclosure, allowing an attacker to see sensitive information that they are not authorized to see. MITRE ATT&CK maps this technique to T1592 (Gather Victim Host Information).

    Conclusion:

    In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.

  • Netizen: June Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from May that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2022-3405:

    Code execution and sensitive information disclosure are possible due to excessive privileges assigned to Acronis Agent. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10 and affects Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545. The default configuration of the Acronis Cyber Protect appliance allows anonymous registration of a new backup/protection endpoint agent. An attacker with network access can use this anonymous registration to create an authentication token, which can then be used to make changes in the appliance through the web console, escalating privileges and ultimately obtaining RCE and sensitive information disclosure. A proof of concept (PoC) exists for this vulnerability, and it is rated high impact on the CIA Triad.

    CVE-2023-22693:

    This is a Cross-Site Request Forgery (CSRF) vulnerability in the conlabzgmbh WP Google Tag Manager plugin, versions <= 1.1. It has a NIST CVSSv3 base score rating of 8.8/10 and affects this WordPress plugin in versions <= 1.1. The plugin doesn’t sufficiently verify that a request was intentionally submitted by the user who sent it. In order to successfully exploit this vulnerability, user interaction is required. It is not known to be exploited in the wild.

    CVE-2023-32069:

    This vulnerability allows a user to execute anything with the rights of the author of the XWiki.ClassSheet document. It has a NIST CVSSv3 base score rating of 8.8/10 and affects the XWiki Platform starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1. It has been patched in XWiki 15.0-rc-1 and 14.10.4, with no known workarounds. The platform does not correctly perform an authorization check when a user tries to access a resource or perform an action, which allows the attacker to bypass the access restrictions. This vulnerability has a high impact on the CIA Triad.

    CVE-2023-2723:

    Use after free in DevTools in Google Chrome prior to 113.0.5672.126 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10. A use-after-free vulnerability arises from the incorrect use of dynamic memory during the operation of a program: if the program references memory that has already been freed, it is possible to crash the program or execute code. Successful exploitation requires user interaction, and the vulnerability has a high impact on the CIA Triad.

    CVE-2023-24903:

    This is a Windows Secure Socket Tunneling Protocol (SSTP) remote code execution vulnerability. It has a NIST CVSSv3 base score rating of 8.1/10. The program contains a race condition, in which a code sequence runs concurrently (at the same time) with other code and the resulting modification of shared resources can lead to RCE. User interaction is not required for exploitation. A vendor patch is available.

    Conclusion:

    In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.

  • Netizen: May Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from April that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2023-23801:

    HasThemes provides more than 170,000 customers with custom web development and design services. Their ‘Really Simple Google Tag Manager’ serves to help track and update marketing tags and has over 2,000 active installations on WordPress sites. This vulnerability has a NIST CVSSv3 base scoring of 8.8/10. Versions <= 1.0.6 are subject to a Cross-Site Request Forgery (CSRF) vulnerability. The recommended patch process is updating to version 1.0.7, previously released four weeks ago.

    CVE-2023-24877:

    Microsoft PostScript and PCL6 printer drivers contain a Remote Code Execution (RCE) vulnerability. This vulnerability has a NIST CVSSv3 base scoring of 8.8/10. Authenticated attackers with basic privileges could send a modified XPS file, a file type similar to PDF, to a shared printer. Processing of this modified XPS file may result in the execution of rogue code. Microsoft notes that applicable exploit code has not been spotted in the wild. An official fix for CVE-2023-24887 does exist through Microsoft.

    CVE-2023-22913 / CVE-2023-27991:

    Zyxel Networks, a technology provider, specializes in network solutions for small to medium-sized businesses. Applicable firmware versions of their USG Flex (versions 4.50 through 5.35) and ATP (versions 4.32 through 5.35) series firewalls were subject to post-authentication critical command injection last month. These vulnerabilities have a NIST CVSSv3 base scoring of 8.1/10 and 8.8/10 respectively. While the USG Flex vulnerability results in something closer to a denial-of-service (DoS) condition, OS command injection is possible on the ATP series. Version 5.36 has been released for both series of firewalls and successfully remedies these vulnerabilities. 

    CVE-2023-1812:

    Google Chrome before version 112.0.5615.49 is susceptible to maliciously crafted HTML pages. This vulnerability has a NIST CVSSv3 base scoring of 8.8/10. Google noted that crafted HTML pages could lead to a remote attacker gaining access to out-of-bounds memory. Google hastily delivered an update remediating this vulnerability along with fifteen others.

    Conclusion:

    In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.

  • Netizen: Breaking Into Cybersecurity

    The cyber workforce is all around us, from the business that provides the internet connection allowing you to view this article to the security professionals who safeguard our private information. It can be intimidating to start with such a vast array of opportunities present. Pair a career challenge with an overall bearish job market, and a true sense of despair may arise.

    However, your dream cyber job is out there, and it’s worth pursuing. While an initial challenge and learning curve may be met, nothing worthwhile comes easy. Often the most challenging aspect of overcoming anything is learning the unknown. What credentials do you need? What field is right for you?

    Decide Which Field Is Best For You:

    The beauty of the cyber field is that everybody fits in somewhere. Each presents its unique challenges and rewards. Are you a logic-driven individual that enjoys watching projects come together? Software engineering may be for you. Do you take pride in problem-solving and maintaining an environment? You may consider becoming a network administrator. Taking the time to figure out where you uniquely fit in will only lead to higher success and fulfillment. Now is a great time to remember that your career is never a short sprint but a steady jog. Rushing short-term gains can have negative consequences on long-term goals.

    With your desired field in mind, it is crucial to work out the optimal process to get there. Field-to-field requirements for education, work experience, and capabilities can vary greatly. Becoming the CIO (Chief Information Officer) of a Fortune 500 company can prove impossible without adequate experience and formal education. These requirements, or those that apply to your chosen field, should be seen as obstacles that will only push you further, not discourage you.

    Consider Displayed Learning:

    Relevant certifications are a great way to prove your capabilities to employers and, equally important, to yourself. While certifications will vary by your chosen field, there is overlap between them. Those who want to work hands-on with IT systems, such as network engineers or security professionals, should consider the CompTIA Network+ or Security+ certifications. These certifications will force you to display, at the very least, a basic understanding of the desired concepts.

    As for those who work with more software than hardware, certifications are not so readily available. Software position requirements will typically be formal education and varying amounts of work experience. For these positions, it’s still important to display your learning and efforts. Side projects are invaluable to upcoming software engineers, no matter the size of the project. Getting your side projects onto sites like GitHub will allow employers to see your skill level and passion for the craft.

    Engage In The Community:

    Social media apps such as LinkedIn are a highly underrated resource for upcoming cyber professionals. With the ability to engage with hiring managers, industry leaders, and peers, there is no reason not to stay active in the community. While a single conversation is unlikely to net a position opportunity immediately, building relationships and getting your name on the radar is invaluable. LinkedIn is also a fantastic place to display your achievements, whether certifications or projects.

    Prepare For The Interviewing Phase:

    Interviewing is hands-down the tallest hurdle of pursuing a career in cyber. The interviewing process should not discourage you since there is an abundance of hidden value in meeting with various companies. Rarely does your first interview turn into a long-term career. Regardless of the answer or offer, remember that this is another opportunity for a relationship. Keep an open mind to constructive criticism and inquire how to improve next time. 

    Conclusion:

    An often-misunderstood aspect of the cyber workforce is that an offer from an employer does not mark the end of your journey. Technology has evolved and will continue to evolve, regardless of your current position. Remain informed and consider subscribing to popular blogs or news sources in your field. Take online courses to learn new concepts and better understand topics you already know. Being a life-long learner and committing to staying updated will ensure you always have a position, now and in the future.
