
Cybersecurity and Infosec News Headlines Update on February 27, 2022

Microsoft Out-of-Cycle Update for .NET Framework

Microsoft has released an out-of-cycle update for the .NET Framework to address a problem introduced by its January 11, 2022 updates. In a blog post, Microsoft writes, “After installing updates released January 11, 2022 or later, apps using Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might fail, close, or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error.” The updates are not available through Windows Update and will not be installed automatically.

Note

  • If you are getting the errors relating to this flaw, you’re going to have to search the Microsoft Update Catalog for the KB article for the specific Windows and .NET versions running, then import the updates into your WSUS or Windows Endpoint Configuration Manager. Securing the system to the point where it cannot meet mission objectives isn’t the goal; expect IT staff to push for more regression testing if Microsoft continues to deliver flawed updates.


Path Traversal Flaw in Argo CD

Researchers from Apiiro have discovered a supply chain zero-day vulnerability in Argo CD. The open-source continuous delivery platform is used at thousands of organizations around the world. The vulnerability could be exploited to “read and exfiltrate secrets, tokens, and other sensitive information residing on other applications [and could allow] … privilege escalation, sensitive information disclosure, lateral movement attacks, and more.”

Note

  • At core this is a path traversal problem. Code was added to Argo CD to parse input to prevent that sort of attack in 2019. The problem is there were mistaken assumptions about where input was sanitized, negating the code which prevented the exploit. Essentially, when the input came from a file, the code to check the URI was skipped. There is no workaround; update to a fixed version.
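The note above describes a bug class rather than a one-off: a traversal check that exists, but is only reached for one input origin. As an added illustration (not Argo CD’s code; the function names, the two input origins and the repository paths are assumptions), here is that pattern in Go next to the corrected form. The check itself canonicalises the joined path and compares it against the root instead of hunting for `..` substrings, which is what a CD tool should do on every code path that turns repository or API input into a filesystem path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical illustration of the "check skipped on one code path" bug class.
// This is NOT Argo CD's code; names, layout and paths are assumptions.

// ErrTraversal is returned when a requested path would escape the repo root.
var ErrTraversal = errors.New("path escapes repository root")

// Source records where a values-file reference came from.
type Source int

const (
	FromAPI      Source = iota // supplied directly in an API request
	FromManifest               // read out of a file already checked out from git
)

// safeJoin resolves rel beneath root and refuses anything that climbs out.
// filepath.Join cleans "." and ".." components, so the result is compared
// against root afterwards; absolute input is re-rooted under root by Join.
// Symlinks inside the checkout are a separate concern: a real implementation
// would also run filepath.EvalSymlinks on the result before opening it.
func safeJoin(root, rel string) (string, error) {
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, rel)
	back, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", err
	}
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// resolveVulnerable applies the traversal check only to API input, on the
// (wrong) assumption that references read from a manifest were sanitised
// earlier. A manifest in one application's repo can therefore point at
// files belonging to another application checked out on the same host.
func resolveVulnerable(root, rel string, src Source) (string, error) {
	if src == FromAPI {
		return safeJoin(root, rel)
	}
	return filepath.Join(root, rel), nil
}

// resolveFixed applies the same check regardless of where the input came from.
func resolveFixed(root, rel string, src Source) (string, error) {
	return safeJoin(root, rel)
}

func main() {
	root := "/repos/app-a"                 // assumed checkout root of application A
	evil := "../app-b/secrets/values.yaml" // constructed reference planted in A's manifest

	p, err := resolveVulnerable(root, evil, FromManifest)
	fmt.Printf("vulnerable: %q err=%v\n", p, err) // resolves into /repos/app-b/...

	p, err = resolveFixed(root, evil, FromManifest)
	fmt.Printf("fixed:      %q err=%v\n", p, err) // rejected with ErrTraversal
}
```

The point of the fix is not a better filter but a single choke point: every resolver calls `safeJoin`, so there is no second code path whose sanitisation can be assumed rather than performed.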


Thieves Steal More than $300 Million from Wormhole Blockchain Platform

Thieves exploited a vulnerability in the Wormhole blockchain platform to steal more than $300 million worth of cryptocurrency. Wormhole allows users to transfer cryptocurrency across blockchains. Wormhole temporarily shut down operations while investigating the incident.

Note

  • This is a fascinating vulnerability demonstrating how difficult it is to properly secure cross chain transactions. It is believed that threat actors noted a security fix being uploaded to GitHub that had not yet been deployed to the network. Most decentralized architectures will suffer from this issue where the publication of a security fix can lead to exploitation before the fix can be deployed to the network. One fix used previously has been to publish closed source patches, though this flies in the face of the open source movement (and probably violates licensing). It also exposes additional risk since the code can’t be inspected. Think of how hard vulnerability management is in an organization where you own all the systems. Organizations underpinned by so-called decentralized networks will need to game plan out how they can securely provide updates to a network they do not control before this technology can be more widely adopted.
  • Note: The varying totals for loss amounts can be attributed to fluctuations in the price of Ethereum at different times of reporting.
  • This article is not surprising to me. At Neuvik, we are getting more requests to perform assessments on crypto platforms and marketplaces. We generally find that the bugs are not solely in the blockchain or the protocol stack, such as multi-sig attacks. Instead, the platforms suffer from the same bugs that standard web applications can have around authorization and the like. The major difference? There is a lot of money at stake, and the risk for loss is much higher than in traditional financial environments. Expect to see more of these as time goes on.
  • This cross-chain bridge allows interoperability while maintaining the value of the Ether and Solana blockchains, in a one-to-one ratio. This means the recovery of the lost funds impacts the value of cross-chain tokens. In other words, no funds, no value. This is one of the riskier models for cryptocurrency exchange and may not be viable in the long haul. It will be interesting to see if the attempted laundering of the stolen currency can be detected.


DHS Cyber Safety Review Board

The US Department of Homeland Security (DHS) has established the Cyber Safety Review Board (CSRB), pursuant to President Joe Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. The public-private initiative will “assess past events, ask the hard questions, and drive improvements across the private and public sectors.”

Note

  • Good to see the CSRB get started but the first initiative (looking back at how Log4j vulnerabilities happened and were handled) while valuable does stray from the original vision to model the program after the National Transportation Safety Board and the Department of Transportation Office of Accident Investigation and Prevention that does hands on investigation of airline, train, bus etc. crashes. That approach has been very successful in determining root cause of incidents and driving, not just suggesting, real policy changes to avoid repeat incidents. Many good names on the board; I’d hate to see it turn into another government effort that issues high level reports vs. doing rapid response, hands-on incident analysis and forcing change.
  • DHS has pulled in some heavy hitters, as listed in the DHS press release below, clearly positioning the board for a successful outcome. One hopes the analysis of past events will lead to timely & relevant actions for future events. While Log4j is truly a huge deal and will take a very long time to truly put behind us, other issues such as ransomware, health care, and supply chain security may warrant priority due to their active and continued exploitation.
  • This has the potential to become a fantastic resource. I hope the reports are similar to the 2018 congressional report on the Equifax breach. That is to date one of the best public write-ups I know of detailing the how and why of a breach. What made that report so effective is that it addresses not only the technical details, but also the human, strategic, and leadership issues that led to the problem – which is the root cause of so many breaches today.


Open Source Security Foundation’s Alpha-Omega Vulnerability Detection Project

The Open Source Security Foundation’s Alpha-Omega Project will take a two-pronged approach to uncovering vulnerabilities in open source software. The Alpha portion of the project “will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture [while] Omega will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.”

Note

  • I like the approach: a very focused hands-on approach for a small number of critical open-source projects (Alpha); and a more scalable lighter weight approach to finding and remediating vulnerabilities in the large number of “long tail” open source software efforts (Omega). The predecessor to the Linux Foundation OSSF was their Core Infrastructure Initiative which back in 2014 did a good job of funding fixes for OpenSSL after Heartbleed but then fizzled out. Maybe this approach will avoid the previous problems.
  • This will be interesting. Having greater awareness of issues for your open-source software can be both a boon and a burden as you figure out how to repair discovered issues. If your project meets the Alpha requirements, services provided will include analysis of security gaps, threat modeling, automated security testing, and supporting remediation activities. If you’re an Omega project, the focus is on automated tools for mass detection, even so, resources will be available for finding efficient ways to implement security best practices. This means you may see more updates in your CI pipeline, with the hoped tradeoff of fewer security issues overall.


Oil Companies Impacted by Cyberattack

Oil storage and transport terminals at seaports in Germany, Belgium, and the Netherlands have reported IT disruptions following what appears to be a cyberattack. Authorities are investigating the incident, which affects SEA-Tank, Oiltanking, and Evos terminals. Germany’s Federal Office for Information Security (BSI) says the BlackCat ransomware group may be responsible for the attack.

Note

  • I am reminded that one of the root causes for the Colonial Pipeline breach was a VPN user reverting to a discoverable non-unique password. Is your scenario when your MFA tokens are lost/stolen/broken subject to similar risks? The actions taken by the German companies include invoking the “force majeure” clause in their contracts to free them from liabilities arising from the interruptions of services to customers. This is because with the level of automation involved, manual operation is not practical except on a very limited scale. Consider the scale of operations in a similar attack on your business and verify you have sufficient contract language or other agreements with your customers to manage side-effects of radically impacted service delivery.
  • Analysts are claiming BlackCat is a rebrand of BlackMatter which was a rebrand of DarkSide (that ransomed and extorted Colonial Pipeline). Attribution matters and I am looking forward to more details on these attacks.


Cisco Releases Fixes for Router Vulnerabilities

Cisco has released updates to address 15 vulnerabilities in its Small Business RV160, RV260, RV340, and RV345 series routers. The vulnerabilities could be exploited to execute arbitrary code and commands, gain elevated privileges, bypass authentication and authorization, and cause denial-of-service conditions.

Note

  • Routers/VPN appliances like this have been popular targets. Please expedite patching. These devices are often deployed in smaller branch offices, which can make patching difficult for some.
  • There are no workarounds here; you need to update the software. Review the Cisco alert page for information on your product. As these are boundary control devices, you really need to jump on this. While interruptions to remote access services are never appreciated, neither is a successful intrusion. Make sure you have an active support contract so that you can not only apply security fixes but also keep them updated to current versions. Make sure that you are subscribed to Cisco security bulletins, and that they are tracked/acted upon.
  • When I worked at Cisco, I always looked at the model numbers carefully. It’s Cisco in brand, and I believe the PSIRT team looks at these closely, but honestly, this codebase shares almost no code with the traditional codebase. Expect to see many more of these bugs. If you are a network engineer, it would probably make more sense to look at Meraki-Go if you’re looking at these. It’s a shame that actual Cisco enterprise router issues don’t get this level of attention.


ESET Fixes Privilege Elevation Vulnerability

ESET has released patches to address a high-severity local privilege elevation issue in its products for Windows. The flaw could be exploited to “misuse the AMSI scanning feature.” ESET learned of the vulnerability through the Zero Day Initiative.

Note

  • The exploit leverages the SeImpersonatePrivilege user right (think run-as) which is available to local administrators and local service accounts, which means the attacker already has one of these accounts on your system. The best fix is to upgrade to a non-vulnerable version of ESET. There is a workaround to disable the advanced scanning via AMSI feature, which seems ill-advised in an endpoint security product. Use this only in situations where you cannot upgrade and can monitor those systems for maleficence.


US State Dept. Concerned About Red Cross Breach

The US State Department has issued a press statement calling a data breach that compromised sensitive information held by the International Committee of the Red Cross (ICRC) a “dangerous development.” The compromised data include personal information of more than half a million people held on servers belonging to the Red Cross and Red Crescent organizations.

Note

  • While the US and others are lining up to condemn the actions against the ICRC, the ICRC have taken impacted servers offline and are conducting forensics and remediating the issue. They have engaged outside security resources to help, and are also tracking for any data release, particularly on the dark web. The support from these agencies should help restore any loss of trust ICRC suffers because of the breach. More from the ICRC here: www.icrc.org: Cyber-attack on ICRC: What we know


FBI Says They Tested but Did Not Use Pegasus Spyware

In a statement to the Washington Post, the FBI confirmed that while it tested NSO Group’s Pegasus spyware, it never used it in an investigation. The FBI obtained a license to test the software in 2019 and decided not to use it two years later, at roughly the same time that journalists published an investigation into the use of Pegasus to target human rights activists, politicians, and journalists worldwide.

Note

  • Not sure what the fuss is about here. NSO provided capabilities to be used by ethical governments. The general beef with NSO is how its capabilities have been used, not the fact that they exist. It is crazy expensive to develop implants and exploit capabilities against platforms like iOS and WhatsApp. If the federal government can buy those capabilities cheaper than they can develop them, they absolutely should. None of this should be taken to excuse the obviously vacant oversight by NSO on who its technologies were sold to and how they were used.
  • We have all deployed pilots of software we’re investigating for broader use, and they don’t always work out. Make sure you clearly document the scope of the pilot, including any needed authorization from the provider, outcomes, and discoveries, closing it out fully if implementation doesn’t go forward to protect yourself from any claims of impropriety.

