Category Archives: Vulnerabilities

Cisco Patches Six Critical Bugs in UCS Gear and Switches

Six bugs found in Cisco’s Unified Computing System gear and its 220 Series Smart switches can allow unauthenticated remote hackers to take over equipment.

Software Vulnerabilities in the Boeing 787

Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities:

At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible.

Santamarta admits that he doesn't have enough visibility into the 787's internals to know if those security barriers are circumventable. But he says his research nonetheless represents a significant step toward showing the possibility of an actual plane-hacking technique. "We don't have a 787 to test, so we can't assess the impact," Santamarta says. "We're not saying it's doomsday, or that we can take a plane down. But we can say: This shouldn't happen."

Boeing denies that there's any problem:

In a statement, Boeing said it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."

This being Black Hat and Las Vegas, I'll say it this way: I would bet money that Boeing is wrong. I don't have an opinion about whether or not it's lying.

Cyberattack Lateral Movement Explained

[Lightly edited transcript of the video above]

Hi there, Mark Nunnikhoven from Trend Micro Research, I want to talk to you about the concept of lateral movement.

And the reason why I want to tackle this today is because I’ve had some conversations in the last few days that have really kind of hit that idea bulb that people don’t truly understand how cybercriminals get away with their crimes in the organization. Specifically how they launch their attacks.

Now don’t get me wrong, this isn’t to blame defenders. This isn’t to blame the general public. I’m going to go with Hollywood’s to blame a little bit here, because we’re watching movies in Hollywood inevitably…you know, the hackers in their dark hat and with no lighting, underground, Lord knows where they find these places to hack from, and they are attacking directly through.

You see a bunch of text go across the screen and they penetrate through the first firewall, through the second firewall, into the data. That’s not how it works at all.

That’s ridiculous. It’s absurd.

[00:59]

It makes for interesting cinema, just like the red code/green code in CSI Cyber, but it’s not a reflection of reality and that’s a real challenge. Because a lot of people don’t have the experience of working with cybersecurity, working in cybersecurity, so their only perception is what they see either through media—you know TV, movies, books—or if they happen to run into somebody in the industry. So there is an overwhelming amount of sort of information or misinformation.

Not even misinformation, just storytelling that tries to make it far more dramatic than it is. The reality is that cybercriminals are out for profit.

We know this time and time again. Yes, a bunch of nation-state stuff does happen, but the vast majority of you are unaffected by it. Same with…there’s a massive amount of script-kiddie activity, just sort of scanning random people with random tools, just seeing what they can get away with, and if you have solid, automated defenses that doesn’t really impact you.

What does impact you is the vast majority of organized cybercriminals who are out to make a profit. Trend Micro had a great series and continues to have a great series on the Underground, the Digital Underground, that shows just how deep these profit motivations go.

This is very much a dark industry. And with that in mind we come back to the concept of lateral movement.

[02:22]

If an attacker breaches your systems, whether they come in via email, like a fourth of all attacks do, or directly through a server compromise, which is about half of all breaches according to the Verizon Data Breach Investigations Report, or through one of the other methods that is commonly used…then they start to move around within your network.

That’s lateral movement.

We talk about north/south traffic with the network, which is basically inside the network to outside of the network, so out to the internet and back. East/west is within the network itself. Most defenses, traditional defenses, worry about that north/south traffic.

Not enough worry about the east/west and it’s breaking down finally. We are getting rid of this hard perimeter. “It’s mine, I defend everything inside” …and realizing that this is actually how cybercriminals work. Once they’re inside they move around. So we need to defend in-depth and have really great monitoring and protection tools within our networks because of this challenge of lateral movement.

[03:23]

Let me give you a little easier to digest analogy. Most of us in a home have a grocery list and maybe once a week, maybe twice, we head to the grocery store and we try to get everything we want off the list and then we come back. That just makes sense.

That’s how we do it. Right? You would never think of going, “Okay. Number one of the list is ketchup. I’m going to drive to the store to get ketchup. I’m going to buy it and I’m going to come back home.

I’m going to look at item number two. I need a loaf of bread. I’m going to drive back to the store. I’m going to buy a loaf of bread and I’m going to come back, and we can go to item 3, and I’m going to go and I’m going to come back. I’m going to…” That’s just ridiculous, right? That’s absolutely absurd, and cybercriminals agree.

Once they’ve driven to the store, they’re going to buy everything that they need and everything that they see as an opportunity, right? They are really susceptible to those end caps and impulse buys… and then they’re going to leave.

This is how they attack our organizations.

We know that, because the average time to detect a breach is around 197 days right now, and that stat has fluctuated maybe plus or minus 15 days for the last decade.

We also know that it takes almost three…it takes two and a half to three months to actually contain a breach once you discover it, and the reason for all of this is lateral movement.

Once you’re in as a cybercriminal, once you’ve made headway, once you gained a beachhead or a foothold within that network you’re going to do everything you can to expand it because it’s going to make you the most amount of money.

[04:55]

What do you think? Let us know in the comments below, hit us up on social @TrendMicro or you can reach me directly @marknca.

How are you handling lateral movement? How are you trying to reduce it? How are you looking for visibility across all of your systems?

Let’s continue this conversation because when we talk we all get better and more secure online.
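The east/west monitoring the talk asks for is easiest to reason about with a concrete detector. The script below is an added example, not part of the transcript or any Trend Micro tool: it reads constructed flow records (timestamp, source, destination, destination port), keeps only flows where both endpoints are inside RFC 1918 space (the east/west traffic), and flags any source that reaches an unusual number of distinct internal hosts over remote-administration ports within a short window. The port list, the threshold of four peers and the 300-second window are assumptions chosen for the example, not values from the page.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# East/west traffic: both endpoints fall inside private (RFC 1918) ranges.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# Ports commonly used for remote administration; a workstation suddenly
# reaching many internal hosts on these is a classic lateral-movement signal.
# (Assumed list for this example.)
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed flow records for the example, not captured from a real network.
# Format: "<unix timestamp> <src ip> <dst ip> <dst port>"
SAMPLE_FLOWS = """\
1700000000 10.1.1.25 93.184.216.34 443
1700000010 10.1.1.25 10.1.2.5 445
1700000020 10.1.1.25 10.1.2.6 445
1700000030 10.1.1.25 10.1.2.7 445
1700000040 10.1.1.25 10.1.2.8 3389
1700000050 10.1.1.25 10.1.2.9 3389
1700000060 10.1.1.30 10.1.5.1 443
1700000070 10.1.5.1 10.1.1.25 22
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text):
    """Parse the whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def east_west_flows(flows):
    """Keep only internal-to-internal flows; north/south traffic is dropped."""
    return [f for f in flows if is_internal(f[1]) and is_internal(f[2])]


def detect_fanout(flows, threshold=4, window=300):
    """Return {source: sorted peers} for every internal source that contacted
    at least `threshold` distinct internal hosts on admin ports within any
    `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in east_west_flows(flows):
        if port in ADMIN_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = sorted(peers)
                break
    return alerts


if __name__ == "__main__":
    for src, peers in detect_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"lateral-movement candidate: {src} -> {', '.join(peers)}")
```

Only 10.1.1.25 trips the rule: it touches five internal hosts over SMB and RDP inside a minute, while the lone SSH connection from 10.1.5.1 stays well under the threshold. In practice the same logic runs over NetFlow or firewall logs, and the threshold is tuned per host role so that jump hosts and scanners are baselined rather than alerted on.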


Puma Australia Hit With Credit Card Hack Malware

Sophisticated malware was planted by hackers on Puma Australia’s website, with the intention to steal customer’s credit card information at checkout, a security researcher found.

Suspicious code tucked away on Puma Australia’s page contained a script that logged people’s credit card numbers, names, and addresses when they typed them in on the website. The code sent victims’ data over to a server registered in Ukraine, said Willem de Groot, Sanguine Security forensic analyst.

Puma didn’t immediately respond to a request for comment after the security researcher notified them about this attack.

The skimming campaign is made up of multiple hacking groups, and Puma is the latest in a long line of businesses hit with credit card skimming malware from Magecart, a massive hacking operation targeting online shops.

This is the kind of malware that goes after popular websites with vulnerabilities. The earlier victims include the Atlanta Hawks, British Airways, and NewEgg, among many other businesses targeted by Magecart over the past few years.

“The single largest problem with Magecart is that consumers have absolutely no way to know that they got skimmed until it’s too late and that merchants lack the tools to properly deal with this,” de Groot said.

Puma is one of the top sportswear brands in the world, with sales reaching $4 billion in 2018, according to financial reports. In the last year, Puma saw major growth in the Asia/Pacific region, where its Australian team operates.

Puma’s popularity as a worldwide brand makes it a prime target for Magecart attackers. De Groot said he found the malware through a detection tool he developed, which finds Magecart code embedded on hundreds of stores a day.

De Groot said the skimmer found on Puma Australia’s website was one of the most sophisticated ones he had seen yet.

This skimmer was able to camouflage itself by using typical-looking code names like “optEmbed” and “selectDuration.” Typically, skimmers have to be specifically tailored for the payment system they’re targeting, but de Groot found that this skimmer on Puma Australia’s website was a jack of all trades.

He said he’s found 77 other stores online with this new kind of skimmer from Magecart. It supports payment systems across the world, indicating a collaborative effort between hackers internationally.

“It has adapters for over 50 payment gateways, which means that the owner can deploy it quickly to newly hacked stores,” de Groot said in a message. “It clearly took a massive effort to build support for all these payment systems.”
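De Groot’s point that merchants lack tools to deal with skimmers is usually answered with a script inventory: a checkout page should load JavaScript only from hosts the shop knows about, ideally pinned with Subresource Integrity, and should carry no unexpected inline scripts. The audit below is an added example, not Sanguine Security’s detection tool or anything from Puma: it parses a constructed checkout page with the standard-library HTML parser and reports scripts from hosts outside an assumed allowlist, allowed scripts that lack an integrity attribute, and inline scripts. The hostnames in the allowlist and the sample page are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately serves checkout JavaScript from.
# Assumed for this example; a real shop builds this from its own deployment.
ALLOWED_SCRIPT_HOSTS = {
    "shop.example", "cdn.shop.example", "js.payment-provider.example",
}

# Constructed checkout page, not captured from any real store.
SAMPLE_CHECKOUT = """<html><head>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-PLACEHOLDERDIGEST"></script>
<script src="https://js.payment-provider.example/v1/fields.js"></script>
<script src="https://static.example-analytics.net/widget.js"></script>
<script>window.checkoutStart = Date.now();</script>
</head><body><form id="checkout"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page: external src (with or without SRI)
    and a count of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, has_integrity)
        self.inline = 0
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append((attrs["src"], "integrity" in attrs))
        else:
            self._in_inline = True

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_inline and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_checkout(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return a list of human-readable findings for the checkout page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.external:
        host = urlparse(src).hostname or ""
        if host not in allowed:
            findings.append(f"unexpected script host: {host} ({src})")
        elif not has_sri:
            findings.append(f"allowed script without integrity attribute: {src}")
    if parser.inline:
        findings.append(f"{parser.inline} inline script(s) on checkout page")
    return findings


if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_CHECKOUT):
        print("FINDING:", finding)
```

Run against the sample page this reports the analytics host, the payment-provider script without SRI, and the one inline script. The value of the check is the diff over time: a new host or a new inline script appearing on a checkout page that was clean yesterday is exactly the change a skimmer injection produces, and it surfaces before any customer is affected.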


The PSIRT Services Framework: Helping the Industry Protect the Ecosystem

At Cisco, our leadership made the decision over twenty-four years ago that we would clearly and publicly communicate security vulnerabilities or other issues that could potentially expose customers to risk. This is when the Cisco Product Security Incident Response Team (PSIRT) was born. Our team and the security vulnerability process have evolved to meet customer needs over the last two decades.

The industry has also evolved and many other vendors have created PSIRTs to better protect their customers. However, some vendors are just getting started. This is why the Forum of Incident Response and Security Teams (FIRST) created the Product Security Incident Response Team (PSIRT) Framework. The main purpose of this framework is to help organizations create, maintain, and grow capabilities related to product security and security vulnerability disclosure. This is a collaborative effort that presents different capabilities, services and outcomes of a PSIRT.

The Framework identifies core responsibilities of PSIRT teams, providing guidance on how to build capabilities to investigate and disclose security vulnerabilities, along with remediations, to their customers in a transparent way.

Is This Why There Are So Many Vulnerability Reports Nowadays?

Technology is evolving at a very fast pace. The number of products, software packages, and connected devices will continue to rise. One reason for the increase in reported vulnerabilities is the fact that the industry is definitely getting better at finding vulnerabilities. For instance, the following figure, created by the National Vulnerability Database (NVD), illustrates the distribution of vulnerabilities disclosed in the industry by severity over time.

Vulnerabilities disclosed in the industry by severity over time. Source: NVD


Because customers are demanding greater transparency, more vendors are creating PSIRTs and becoming more capable of disclosing security vulnerabilities to their customers.

Security vulnerability disclosure and remediation can be disruptive for technology operations, administrators, and end users. Our goal at Cisco is always to try to reduce the number of vulnerabilities and continuously enhance our products. With that acknowledgement, it is vital to remember a few factors that drive the purpose behind our vulnerability disclosures. Most importantly, we have a high bar for transparency. At Cisco, we disclose vulnerabilities regardless of how the vulnerability was found or who found it. In fact, the majority of our disclosures are vulnerabilities that we find internally. We disclose these vulnerabilities with a goal of helping customers understand and manage their risk.

We also assign Common Weakness Enumeration (CWE) identifiers to all vulnerabilities disclosed. CWE helps us spot trends across our broad portfolio of hundreds of product lines. Cisco performs root cause analysis to enhance our Cisco Secure Development Lifecycle.

Cisco will continue to provide these resources to enable customers to protect against cyber threat actors. Our customers can count on our commitment to be transparent, so they can manage their risks.

PSIRTs Working Together

PSIRTs must work together to protect the ecosystem! As stated in the PSIRT Services Framework: “Nurturing relationships between peer PSIRTs can help in information-sharing and potential mutual assistance and/or coordination for incidents. Working with these peer organizations can help fill in vital data to remediate vulnerabilities and exposes the organization to the peer’s expertise as the two groups consult on issues. The PSIRT should establish communication channels (both normal and secured) with key peer PSIRTs. Establishing and nurturing relationships with industry peers is critical for information sharing and coordinating on issues that affect both organizations.”

At Cisco, we work with numerous PSIRTs and other security teams. We are also co-founders and active members of the Industry Consortium for Advancement of Security on the Internet (ICASI). Through the Unified Security Incident Response Plan (USIRP) process, ICASI enables PSIRTs from member companies as well as select, invited outside organizations to collaborate quickly and effectively to resolve complex, multi-stakeholder Internet security issues.

Cisco PSIRT works closely with many other PSIRTs, ICASI, several CERTs and coordination agencies, and FIRST on an ongoing basis.

PSIRTs Working With Security Researchers

Security researchers and security research are vital to the ecosystem! PSIRT teams should always positively engage with security researchers while investigating and disclosing security vulnerabilities. The Framework provides guidance to new PSIRTs on how to collaborate and engage with security researchers in the industry.

At Cisco, we work very closely with numerous security researchers in the industry and we even have our own industry-leading security research organization called Talos. Talos works very closely with Cisco PSIRT and with many other PSIRTs in the industry. Properly engaging with security researchers can speed communications and efforts around vulnerability reporting and remediation.

Setting A Higher Standard

As my colleague Anthony Grieco stated in a recent post, “there should be no such thing as implicit trust in today’s world. In fact, we believe the standards should be set higher, not only for Cisco but for all technology providers around the globe, to shift the role from a vendor to a trusted partner.”

If you are a technology provider, I invite you to become familiar with FIRST’s Product Security Incident Response Team (PSIRT) Framework. If you are a customer, ask your technology vendor about their policy on vulnerability disclosure and become familiar with their PSIRT.

Protect Your WordPress Website from SQL Injection

WordPress websites need to be protected against SQL injection threats. SQL (Structured Query Language) is a widely used database language, a domain specific language that’s designed for managing data in a relational database management system (RDBMS).

SQL injection attacks exploit security vulnerabilities in an application’s software: malicious SQL statements are inserted into entry fields and end up being executed by the database. Since such SQL statements control the database servers behind web applications, hackers can manipulate the working of web applications by running SQL commands that create, retrieve, update or delete the data in the databases.

As for WordPress websites, SQL injections are easily executed in direct ways and through various entry points, like signup forms, contact forms, search fields within the site, login forms, feedback fields and shopping carts. When WordPress website owners ask website visitors to fill in form fields, especially when the developers, being unaware of input validation, pass the field contents straight into a query as plain text, hackers inject SQL statements and can request login credentials and other data.
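The search-field case above is worth seeing end to end. The following is an added example, not code from this post or from WordPress itself: it builds a small in-memory SQLite table shaped like a simplified wp_posts (a title and a status), then runs the same search twice, once with the visitor’s text concatenated into the statement and once with it passed as a bound parameter. The table, the post titles and the injection string are constructed for the example. In WordPress code the bound-parameter form corresponds to $wpdb->prepare(), which does the placeholder substitution for you.

```python
import sqlite3

# Constructed sample content. A real WordPress install keeps this in
# wp_posts, where post_status distinguishes published from private/draft.
SAMPLE_POSTS = [
    ("Hello world", "publish"),
    ("Summer sale", "publish"),
    ("Unreleased earnings", "private"),
    ("Draft roadmap", "draft"),
]

# A search-box value that closes the LIKE literal, appends its own condition
# and comments out the rest of the statement. Constructed for the example.
INJECTION = "%' OR status = 'private' --"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (title TEXT, status TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    return db


def vulnerable_search(db, term):
    # VULNERABLE: the visitor's text becomes part of the SQL text, so quote
    # characters in it change the structure of the query.
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           f"AND title LIKE '%{term}%'")
    return [row[0] for row in db.execute(sql)]


def safe_search(db, term):
    # SAFE: the statement text is fixed; the visitor's text travels as a bound
    # parameter and can only ever be compared as data.
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           "AND title LIKE '%' || ? || '%'")
    return [row[0] for row in db.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    print("normal search:", safe_search(db, "hello"))
    print("vulnerable, injected:", vulnerable_search(db, INJECTION))
    print("safe, injected:", safe_search(db, INJECTION))
```

With an ordinary term both functions return the same published post. With the injected value the concatenated query’s WHERE clause is rewritten to `status = 'publish' AND title LIKE '%%' OR status = 'private'`, so the private post leaks alongside the published ones, while the parameterized query simply finds no title containing that literal string and returns nothing.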

How to protect WordPress Websites from SQL injections

The following steps could help WordPress website owners in mitigating SQL injection threats in an effective manner…

Scan your website for malware and SQL injection vulnerabilities-

You can use different tools for this. In fact, WordPress has security plugins that could do the scan and detect malware and vulnerabilities. All you need to do is download any of these and do the scan.

Keep your website up-to-date, follow security procedures-

It’s quite natural for many WordPress websites to ignore security procedures and also ignore updating websites with new releases. This is because there are many non-professionals, especially in the case of websites belonging to small businesses or individual users, who don’t know such things and end up being easy targets for hackers. SQL injection attacks are the commonest of such attacks that affect such websites. So, it’s always best to keep your website up-to-date and follow all security procedures.

Keep a close eye on plugins and themes you download, use active ones-

SQL vulnerabilities are mostly seen in WordPress themes and plugins that are not updated regularly. Hence, it’s advisable for any WordPress website user or administrator to keep a close eye on plugins and themes that are downloaded for use and always try to go for those that are active. It’s always best to avoid plugins and themes that go on with the same version for a long period; it’s better to move on to a more active and trusted plugin or theme. Remember, a single malware in a plugin or theme that you use could ruin your website and your entire business. Hence, check the reviews, do some research and go for trusted plugins and themes.

Better keep your WordPress version hidden-

It’s always best to keep your WordPress version hidden. If not, it would be easy for attackers to judge the vulnerabilities and exploit them. Hence, always keep the version undisclosed.

Keep monitoring your SQL server closely-

Right from the initial stage of the development of your WordPress website, keep monitoring your SQL server. Any programming error that you might miss detecting could help hackers in exploiting the same for executing an attack. Hence, keep monitoring your SQL server closely, detect errors as they happen and repair them immediately.

Change database prefix while installing WordPress, disable unnecessary functionalities-

Always change the default WordPress database prefix ‘wp_’ while installing WordPress. If you haven’t, you can do it later, but it’s always best to do it at install time, as predictable table names help hackers craft SQL injection payloads. Similarly, it’s advisable to disable unnecessary functionalities which you don’t need for your website. Such unnecessary, irrelevant and unused functionalities could pave the way for SQL injection attacks.

Store website database separately using third-party tools and plugins, for easy backup-

This tip is not for preventing SQL injection attacks, but for bouncing back into action at the earliest after an attack if at all it happens. Use third-party tools and plugins and store the database of your website separately. This would serve as an easy backup. It’s advisable not to rely on the hosting company alone for website backup; some of them may not provide effective backup service.
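Two of the steps above, hiding the WordPress version and moving off the default table prefix, can be checked mechanically. The script below is an added example rather than anything from this post or a WordPress plugin: it inspects a constructed copy of a rendered page head for the generator meta tag and for ?ver= query strings on asset URLs (both of which default WordPress emits), and inspects a constructed wp-config.php for `$table_prefix = 'wp_'`. The sample HTML and config text are invented for the example; removing the generator tag is normally done in a theme or plugin with remove_action('wp_head', 'wp_generator').

```python
import re

# Constructed page head in the shape default WordPress renders; not captured
# from a real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.2.1" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=5.2.1" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""

# The same head after the generator tag and version strings are stripped.
HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body></body></html>"""

# Constructed wp-config.php fragment with the default prefix.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'demo');
$table_prefix = 'wp_';
"""

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
VER_QUERY_RE = re.compile(r'\?ver=([\d.]+)')
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([A-Za-z0-9_]+)['"]""")


def audit_html(html):
    """Report version information a visitor can read from the page source."""
    findings = []
    match = GENERATOR_RE.search(html)
    if match:
        findings.append(f"generator meta tag discloses WordPress {match.group(1)}")
    versions = sorted(set(VER_QUERY_RE.findall(html)))
    if versions:
        findings.append("asset URLs carry ?ver= strings: " + ", ".join(versions))
    return findings


def audit_wp_config(text):
    """Report use of the default table prefix in wp-config.php."""
    findings = []
    match = PREFIX_RE.search(text)
    if match and match.group(1) == "wp_":
        findings.append("database table prefix is the default 'wp_'")
    return findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML) + audit_wp_config(SAMPLE_WP_CONFIG):
        print("FINDING:", finding)
```

The ?ver= strings matter as much as the meta tag: even with the generator tag removed, the version query parameters on core stylesheets and scripts still tell a scanner which release is installed, so the hardened page has to drop both.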


Yet Another WordPress Hack Exploiting Plugin Vulnerabilities

Here comes news about another WordPress website security breach carried out by exploiting plugin vulnerabilities.

Reports say that hackers have been exploiting vulnerabilities in a popular social media sharing plugin on WordPress. The Hacker News reports, “Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin.”

Hackers have been exploiting vulnerabilities in the Social Warfare plugin, which is downloaded and used on a large scale. There have been over 900,000 downloads of the plugin, which is used to add social share buttons to WordPress websites and blogs.

It was in the last week of March that an updated version of the Social Warfare plugin was released. The updated version, 3.5.3, was released with two security vulnerabilities patched. The vulnerabilities, a stored cross-site scripting (XSS) flaw and a remote code execution (RCE) flaw, were both tracked by the same identifier, CVE-2019-9978. Hackers, by exploiting these vulnerabilities, could run arbitrary PHP code and take complete control over WordPress websites and servers without authentication. They could then use such compromised websites for malicious activities, including cryptocurrency mining, hosting malicious exploit code, etc. On the same day that the updated version of Social Warfare was released, an unnamed security researcher published a full disclosure and proof-of-concept for the XSS vulnerability, following which hackers started exploiting the vulnerability.

The Hacker News, in its report, says, “Soon after the full disclosure and PoC release, attackers started attempting to exploit the vulnerability, but fortunately, it was only limited to the injected JavaScript redirect activity, with researchers finding no in-the-wild attempts to exploit the RCE vulnerability.”

However, Palo Alto Networks Unit 42 researchers have now found several exploits that take advantage of these two WordPress plugin vulnerabilities in the wild. These include an exploit for the XSS vulnerability that would redirect users of affected websites to an ads website and another exploit for the RCE vulnerability that would plant a one-line webshell, which would then allow hackers to control affected websites.

Both these vulnerabilities in the Social Warfare plugin originated from improper input handling and the misuse of a WordPress function that the developers assumed would prevent unauthorized visits. A blog post authored by Palo Alto Networks Unit 42 researchers Qi Deng, Zhibin Zhang and Hui Gao says, “The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress. Is_admin only checks if the requested page is part of admin interface and won’t prevent any unauthorized visit.”

As regards the number of affected websites, the Palo Alto blog post says, “We found about 40,000 sites that have installed this plugin, most of which are running a vulnerable version, including education sites, finance sites, and news sites.” They have clarified that many of these affected websites receive high traffic, based on Alexa’s global traffic data.

The researchers also note: “There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners. Website administrators should update the Social Warfare plugin to 3.5.3 or newer version.”


Vulnerabilities in the WPA3 Wi-Fi Security Protocol

Researchers have found several vulnerabilities in the WPA3 Wi-Fi security protocol:

The design flaws we discovered can be divided in two categories. The first category consists of downgrade attacks against WPA3-capable devices, and the second category consists of weaknesses in the Dragonfly handshake of WPA3, which in the Wi-Fi standard is better known as the Simultaneous Authentication of Equals (SAE) handshake. The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups. All attacks are against home networks (i.e. WPA3-Personal), where one password is shared among all users.

News article. Research paper: "Dragonblood: A Security Analysis of WPA3's SAE Handshake":

Abstract: The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks. These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method. For instance, our cache-based attack exploits SAE's hash-to-curve algorithm. The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase passwords requires less than $125 in Amazon EC2 instances. In light of ongoing standardization efforts on hash-to-curve, Password-Authenticated Key Exchanges (PAKEs), and Dragonfly as a TLS handshake, our findings are also of more general interest. Finally, we discuss how to mitigate our attacks in a backwards-compatible manner, and explain how minor changes to the protocol could have prevented most of our attack