Daily Archives: January 19, 2020

NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance

Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. …

The post NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance appeared first on Help Net Security.

Business units and IT teams can no longer function in silos

Over the next two years, 50% of organizations will experience increased collaboration between their business and IT teams, according to Gartner. The dispute between business and IT teams over the control of technology will lessen as both sides learn that joint participation is critical to the success of innovation in a digital workplace. “Business units and IT teams can no longer function in silos, as distant teams can cause chaos,” said Keith Mann, senior research …

The post Business units and IT teams can no longer function in silos appeared first on Help Net Security.

CyberArk’s new just-in-time access capabilities help reduce risk and improve operational efficiency

CyberArk, the global leader in privileged access management, unveiled new just-in-time access capabilities that help reduce risk and improve operational efficiency as organizations implement broader least privilege strategies. By extending just-in-time support with the ability to remove unnecessary standing access to Linux systems, CyberArk remains the only privileged access management vendor to provide comprehensive just-in-time offerings across cloud and hybrid environments and on the endpoint. Some privileged accounts are granted standing, “always on” access despite …

The post CyberArk’s new just-in-time access capabilities help reduce risk and improve operational efficiency appeared first on Help Net Security.

You’ve Bought Security Software. Now What?

Many years ago when I first started my career in network security as a support engineer, I received a phone call from a customer. (Let’s call him “Frank.”) He used our vulnerability scanner as a consultant for his own customers, and he was concerned that the scanner came back with 0 results. After reviewing his […]

The post You’ve Bought Security Software. Now What? appeared first on The State of Security.

NIS Directive: Who are the Operators of Essential Services (OES)?

The NIS Directive is the first EU horizontal legislation addressing cybersecurity challenges and a true game-changer for cybersecurity resilience and cooperation in Europe. The Directive has three main objectives:

  • Improving national cybersecurity capabilities
  • Building cooperation at EU level
  • Promoting a culture of risk management and incident reporting among key economic actors, notably operators providing essential […]

The post NIS Directive: Who are the Operators of Essential Services (OES)? appeared first on The State of Security.

Apria Healthcare leverages Absolute to protect patient data and ensure HIPAA compliance

To ensure the highest levels of endpoint security across more than 8,000 devices and to help achieve HIPAA compliance in the face of rising data breaches across the healthcare industry, Apria Healthcare leverages Absolute, the leader in endpoint resilience, for comprehensive endpoint visibility and control. Apria Healthcare serves nearly 2 million patients annually across 300 locations in 49 states. They have more than 8,000 laptops, desktops and tablets, many of which regularly leave the organization. …

The post Apria Healthcare leverages Absolute to protect patient data and ensure HIPAA compliance appeared first on Help Net Security.

Virsec partners with ProtectedIT to offer cybersecurity protections to its clients

Virsec, a cybersecurity company delivering a radically new approach to protect against advanced targeted attacks, announced it has partnered with ProtectedIT, a leader in delivering enterprise security solutions, remote infrastructure, and cloud services to offer advanced cybersecurity protections to its clientele. The Virsec Security Platform stops fileless attacks and in-memory threats that escape detection by conventional security tools. These advanced application attacks have been indefensible, putting many businesses in jeopardy. Virsec stops these threats, protecting …

The post Virsec partners with ProtectedIT to offer cybersecurity protections to its clients appeared first on Help Net Security.

Fortanix announces record sales year, new partnerships and global expansion in 2019

Fortanix, the Runtime Encryption company, announced it had a record year in 2019, which saw sales climb 285 percent over the previous record year. Important new partnerships with Equinix, Google, IBM and Intel set the stage for both innovation and go-to-market success. The company doubled its workforce and expanded geographically in 2019 with new offices in the United Kingdom and the Netherlands to support its growing European customer base and attract engineering talent. “We believe …

The post Fortanix announces record sales year, new partnerships and global expansion in 2019 appeared first on Help Net Security.

Skyview Capital acquires Fidelis Cybersecurity to expand portfolio and accelerate growth

Global private investment firm Skyview Capital has added to its software technology portfolio with the acquisition of Bethesda, MD-based Fidelis Cybersecurity from a consortium of investors in a stock transaction. Fidelis Cybersecurity is a leading provider of Network Traffic Analysis and Digital Forensics and Incident Response solutions that enable enterprises and government organizations to detect, hunt and respond to advanced threats that evade traditional security solutions. Fidelis solutions are delivered as standalone network, endpoints and …

The post Skyview Capital acquires Fidelis Cybersecurity to expand portfolio and accelerate growth appeared first on Help Net Security.

Security Compass secures funding to enhance solutions portfolio and accelerate growth

Security Compass, a leading provider of enterprise DevSecOps software solutions, announced it has secured growth equity funding from FTV Capital, a sector-focused growth equity investment firm. This investment will enable Security Compass to enhance its position as a global leader in empowering organizations to achieve agility at scale by streamlining software risk management. By leveraging FTV’s deep expertise and access to its Global Partner Network, Security Compass will further enhance its solutions portfolio and accelerate …

The post Security Compass secures funding to enhance solutions portfolio and accelerate growth appeared first on Help Net Security.

Bill Staples joins New Relic as chief product officer

New Relic, the industry’s largest and most comprehensive cloud-based observability platform built to help customers create more perfect software, announced that Bill Staples will join New Relic as chief product officer on February 14, 2020. Reporting directly to CEO and Founder Lew Cirne, Staples will be responsible for driving the company’s market-leading platform strategy and will lead the Product Management, Engineering and Design functions. Staples has spent his career building and scaling cloud-based businesses. He …

The post Bill Staples joins New Relic as chief product officer appeared first on Help Net Security.

Zscaler elects David Schneider to its Board of Directors

Zscaler, the leader in cloud security, announced that Zscaler stockholders elected David Schneider to its Board of Directors at the annual stockholder meeting held January 10, 2020. Schneider is President, Global Customer Operations at ServiceNow. Mr. Schneider’s term will expire at the 2022 annual stockholder meeting. “David is an inspirational technology leader with deep experience scaling and growing disruptive SaaS companies. ServiceNow is one of the greatest cloud businesses in history, and he has been …

The post Zscaler elects David Schneider to its Board of Directors appeared first on Help Net Security.

ISACA appoints Julia Kanouse as senior vice president of membership

Bringing a rich tech background and executive experience in the association sector, Julia Kanouse has joined ISACA’s leadership team as senior vice president of membership. ISACA has more than 145,000 members in 188 countries working in information and cyber security, governance, audit and assurance, risk and privacy, and in Kanouse’s new role, she will lead the strategy to elevate their experiences through diverse membership and chapter initiatives. In doing so, she will oversee a dynamic …

The post ISACA appoints Julia Kanouse as senior vice president of membership appeared first on Help Net Security.

Peter Leav joins McAfee as Chief Executive Officer

McAfee, the device-to-cloud cybersecurity company, announced that its Board of Managers has appointed Peter Leav to the role of Chief Executive Officer, effective February 3, 2020. Leav will succeed Chris Young, who has decided to step down as Chief Executive Officer of McAfee. Young will remain at McAfee in an advisory role to assist with the transition and will become a Senior Advisor at TPG Capital. Leav will also be appointed to McAfee’s Board of …

The post Peter Leav joins McAfee as Chief Executive Officer appeared first on Help Net Security.

ioXt appoints Gregory Guez to its board of directors

ioXt, the global standard for IoT security and preeminent IoT security alliance, announces the appointment of Gregory Guez, Senior Director of Product Marketing, IoT Security at Silicon Labs, to its board of directors. As a founding member of the ioXt Alliance, Guez has been instrumental in shaping ioXt’s work towards creating the internet of secure things. “The need for a universal security standard is critical to enabling the exponential growth of the IoT market,” said …

The post ioXt appoints Gregory Guez to its board of directors appeared first on Help Net Security.

Resolve Systems promotes Vijay Kurkal to Chief Executive Officer

Resolve Systems, the leader in enterprise IT automation and AIOps, announced the promotion of Vijay Kurkal to Chief Executive Officer, effective immediately. Since joining the company as Chief Operating Officer in 2018, Kurkal has been instrumental in the company’s global growth and product development as Resolve has delivered on heightened demand for its transformative technologies. He also drove company investments in sales, marketing, and channel programs. “It is an incredibly exciting time for Resolve, and …

The post Resolve Systems promotes Vijay Kurkal to Chief Executive Officer appeared first on Help Net Security.

Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online

The availability online of a new collection of Telnet credentials for more than 500,000 servers, routers, and IoT devices made the headlines.

A hacker has published online a massive list of Telnet credentials for more than 515,000 servers and smart devices, including home routers. This is the biggest leak of Telnet passwords ever reported.

According to ZDNet, which first published the news, the list was leaked on a popular hacking forum by the operator of a DDoS booter service.

The list includes the IP address, username and password for the Telnet service for each device.

The list appears to be the result of an Internet scan for devices using default credentials or easy-to-guess passwords.

“As ZDNet understands, the list was published online by the maintainer of a DDoS-for-hire (DDoS booter) service,” reported ZDNet.

“When asked why he published such a massive list of “bots,” the leaker said he upgraded his DDoS service from working on top of IoT botnets to a new model that relies on renting high-output servers from cloud service providers.”

The lists leaked online are dated October-November 2019. Hopefully Internet Service Providers will contact ZDNet to obtain them, check whether the listed devices belong to their networks, and secure them.

In August 2017, security researcher Ankit Anubhav found a list of more than 1,700 valid Telnet credentials for IoT devices online.

The list of thousands of fully working Telnet credentials had been available on Pastebin since June 11, 2017.

Many IoT devices included in the list have default and well-known credentials (i.e., admin:admin, root:root, or no authentication required).

The top five credentials in the list were:

  • root:[blank]—782
  • admin:admin—634
  • root:root—320
  • admin:default—21
  • default:[blank]—18

The popular researcher Victor Gevers, the founder of the GDI Foundation, analyzed the list and confirmed it contained more than 8,200 unique IP addresses, about 2,174 of which were accessible via Telnet with the leaked credentials.

Pierluigi Paganini

(SecurityAffairs – Telnet credentials, hacking)

The post Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online appeared first on Security Affairs.

Week in review: Windows crypto flaw, API security risks, exploits for Citrix security hole abound

Here’s an overview of some of last week’s most interesting news and articles:

Cable Haunt: Unknown millions of Broadcom-based cable modems open to hijacking
A vulnerability (CVE-2019-19494) in Broadcom’s cable modem firmware can open unknown millions of broadband modems by various manufacturers to attackers, a group of Danish researchers has warned.

High-risk Google account owners can now use their iPhone as a security key
Google users who opt for the Advanced Protection Program (APP) to …

The post Week in review: Windows crypto flaw, API security risks, exploits for Citrix security hole abound appeared first on Help Net Security.

Security Affairs newsletter Round 247

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Google removed 1.7K+ Joker Malware infected apps from its Play Store
MageCart attack hit Australia bushfire Donors
New Bill prohibits intelligence sharing with countries using Huawei 5G equipment
5G – The Future of Security and Privacy in Smart Cities
Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info
Hacker that hit UK National Lottery in 2016 was sentenced to prison
Maze Ransomware operators leak 14GB of files stolen from Southwire
US officials meet UK peers to remark the urgency to ban Huawei 5G tech
China-linked APT40 group hides behind 13 front companies
Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution
January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager
Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?
Hacker offers for sale 49 million user records from US data broker LimeLeads
Iranian Threat Actors: Preliminary Analysis
Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA
P&N Bank data breach may have impacted 100,000 West Australians
VMware addresses flaws in VMware Tools and Workspace ONE SDK
5ss5c Ransomware emerges after Satan went down in the hell
Critical auth bypass issues affect InfiniteWP Client and WP Time Capsule WordPress plugins
Hundreds of million users installed Android fleeceware apps from Google Play
Two PoC exploits for CVE-2020-0601 NSACrypto flaw released
Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity
Expert released PoC exploits for recently disclosed Cisco DCNM flaws
Hack the Army bug bounty program paid $275,000 in rewards
Law enforcement seized WeLeakInfo.com for selling access to data from data breaches
Cybercrime Statistics in 2019
Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day
Turkish Hackers hit Greek Government websites and local stock exchange

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 247 appeared first on Security Affairs.

Hackers patch Citrix servers to deploy their own backdoor

Attacks on Citrix servers are intensifying, and one of the threat actors behind them is patching the servers and installing its own backdoor to lock out other attackers.

Security experts are monitoring a spike in the number of attacks against Citrix servers after researchers announced the availability online of proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway servers.

Researchers from FireEye noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers and installing its own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat actor from exploiting the CVE-2019-19781 Citrix flaw.

“One particular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family NOTROBIN,” reads a report published by FireEye.

“Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.”

The popular expert Kevin Beaumont first reported the scans for vulnerable systems earlier in January, but the exploits were made public only last week.

The issue affects all supported product versions and all supported platforms:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia. 


The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies. 

The NOTROBIN backdoor was designed to prevent subsequent exploitation of the flaw on Citrix servers and also to establish backdoor access, a circumstance that suggests that attackers are preparing future attacks. 

Experts pointed out that the threat actor exploits CVE-2019-19781 to execute shell commands: the attackers send the malicious payload to the vulnerable newbm.pl CGI script through an HTTP POST request originating from a Tor exit node.

Below is a web server access log entry recording the exploitation attempt:

127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"

The experts have yet to recover the POST body contents and analyze them.
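As an added illustration from the defender's side (this is not code from the article or from FireEye), the following Python parses combined-format access log lines like the one above and flags requests that reach /vpns/ through a ".." path traversal; it also normalises percent-encoded variants, which goes beyond the single entry shown. The sample log is constructed here: only its first line is the entry quoted in the article.

```python
import re
from urllib.parse import unquote

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log. Line 1 is the entry quoted in the article; the rest
# are made up for this example: a benign request, a percent-encoded traversal
# to the same script, and a malformed line.
SAMPLE_LOG = """\
127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"
10.0.0.5 - - [12/Jan/2020:22:01:03 -0500] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2020:03:14:07 -0500] "GET /vpn/..%2Fvpns/portal/scripts/newbm.pl HTTP/1.1" 200 - "-" "python-requests/2.22.0"
this line is not an access log entry
"""


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_cve_2019_19781_attempt(entry):
    """True when the request path reaches /vpns/ through a '..' segment.

    The path is percent-decoded first so encoded forms such as "..%2F" are
    normalised before matching, and compared case-insensitively.
    """
    path = unquote(entry["path"]).lower()
    path = path.split("?", 1)[0]          # ignore any query string
    segments = path.split("/")
    return ".." in segments and "/vpns/" in path


def find_attempts(log_text):
    """Scan log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                      # unparsable lines are skipped, not fatal
        if is_cve_2019_19781_attempt(entry):
            findings.append({
                "ip": entry["ip"],
                "time": entry["ts"],
                "method": entry["method"],
                "path": entry["path"],
                "status": entry["status"],
                "user_agent": entry["ua"],
            })
    return findings


if __name__ == "__main__":
    for f in find_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} -> {f['status']} ({f['user_agent']})")
```

The status code is kept in each finding but not used as a filter: the quoted entry shows a 304, so a non-200 response is no evidence that the request was harmless.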

The attackers then execute a one-line bash script to remove crypto-miners, create a hidden staging folder (/tmp/.init) and download NOTROBIN to it, and install /var/nstmp/.nscache/httpd for persistence via the cron daemon.

NOTROBIN is written in Go; it scans every second for specific files and deletes them. If the filename or file content includes a hardcoded key, the files are not deleted.

“The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time,” continues the analysis. 

The experts from FireEye noticed threat actors deploying NOTROBIN with unique keys; they observed nearly 100 keys from different binaries.

The keys look like MD5 hashes. The use of unique keys makes it difficult for third parties, including competing attackers, to scan for NetScaler devices already infected with NOTROBIN.

“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” concludes FireEye. “NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”

Further technical details are reported in the analysis published by FireEye, including Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – Citrix Servers, CVE-2019-19781)

The post Hackers patch Citrix servers to deploy their own backdoor appeared first on Security Affairs.