Update 1/11 – “What is the Status of Coverage” section updated
FortiGuard Labs is aware of a newly discovered vulnerability in the H2 Database software. The vulnerability is an unauthenticated remote code execution in the H2 database console; like Log4j, it is JNDI-based and has a similar exploit vector. It has been assigned CVE-2021-42392 and was found by security researchers at JFrog.
What is H2 Database?
H2 is an open-source relational database management system written in Java. It can be embedded in Java applications or run in client-server mode, and data does not need to be stored on disk.
What are the Technical Details?
In a nutshell, the vector is similar to Log4Shell: several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to the javax.naming.Context.lookup function, which allows remote codebase loading (remote code execution). The H2 database contains a web-based console which listens for connections at http://localhost:8082. The console accepts parameters that are passed to JdbcUtils.getConnection, including a malicious URL controlled by the attacker.
This vulnerability affects systems with the H2 console installed. It does not affect machines with the H2 database installed in standalone mode. By default, the console only accepts connections from localhost, i.e. non-remote connections. However, this configuration can be changed to listen for remote connections, which exposes the instance to remote code execution attacks.
How Severe is This? Is it Similar to Log4j?
According to the report, this is not believed to be as severe as Log4j, for several reasons. First, the H2 console must be present on the system, as the console and the database operate independently of each other.
Second, the default configuration of accepting connections only from localhost must be edited to listen for external connections, which means that default installations are safe to begin with.
What is the CVSS score?
At this time, details are not available.
What Mitigation Steps are Available?
FortiGuard Labs recommends that users of the H2 database software upgrade to version 2.0.206 immediately. If this is not possible, placing a vulnerable instance behind a firewall or removing its access from the public-facing internet is suggested. For further details on mitigation, please refer to the JFrog blog “The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console” located in the APPENDIX.
What is the Status of Coverage?
Customers running the latest IPS definitions (19.237) are protected against exploitation of CVE-2021-42392 with the following signature:
H2.Database.Console.JNDI.Remote.Code.Execution
Monthly Archives: February 2022
Wormable Windows Vulnerability (CVE-2022-21907) Patched by Microsoft
UPDATE January 13 2022: Protection section has been updated with IPS signature information.
FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of the regular Patch Tuesday. Among them, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of nine vulnerabilities rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and “recommends prioritizing the patching of affected servers”.
Why is this Significant?
This is significant because CVE-2022-21907 is considered wormable: malware can exploit the vulnerability to self-propagate without any user interaction or elevated privileges. CVE-2022-21907 targets the HTTP trailer support feature, which is enabled by default in various Windows 10 and 11 versions as well as Windows Server 2022. The vulnerability has a CVSS score of 9.8 (maximum 10).
What is CVE-2022-21907?
CVE-2022-21907 is a remote code execution vulnerability in the HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicious packet to an affected server that uses the HTTP Protocol Stack (http.sys) to process packets, leading to remote code execution.
Which Versions of Windows are Vulnerable?
Per the Microsoft advisory, the following Windows versions are vulnerable:
Windows Server 2019
Windows Server 2022
Windows 10
Windows 11
Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.
Is the Vulnerability Exploited in the Wild?
FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.
Has the Vendor Released a Fix?
Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of the regular Patch Tuesday.
What is the Status of Coverage? (Updated January 13 2022)
FortiGuard Labs has released the following IPS signature in version 19.241:
MS.Windows.HTTP.Protocol.Stack.CVE-2022-21907.Code.Execution (default action is set to pass)
Any Mitigation?
Microsoft provided the following mitigation in the advisory:
In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
"EnableTrailerSupport"=dword:00000001
This mitigation does not apply to the other affected versions.
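As an added example (not code from the FortiGuard advisory or from Microsoft), the following PowerShell check reads the registry value named above and reports whether a host is in the vulnerable condition. The mapping of OS build 17763 to Windows Server 2019 / Windows 10 version 1809 is my addition, and the hotfix date filter is only a heuristic, since the page gives no KB number.

```powershell
# Added example: report the CVE-2022-21907 exposure state of the local host.
# Run in an elevated PowerShell session on the Windows host being assessed.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

function Get-TrailerSupportState {
    # Returns 'Enabled', 'Disabled' or 'NotSet' for the EnableTrailerSupport value.
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$valueName) { return 'NotSet' }
    if ([int]$props.$valueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
# Assumption (not from the page): build 17763 is Windows Server 2019 / Windows 10 1809,
# the two versions where the advisory says trailer support is off by default.
$trailerOffByDefault = ($build -eq 17763)

$state = Get-TrailerSupportState
Write-Host "OS: $($os.Caption) build $build"
Write-Host "${valueName}: $state"

if ($trailerOffByDefault) {
    if ($state -eq 'Enabled') {
        Write-Warning 'HTTP trailer support is enabled: this host is in the vulnerable condition for CVE-2022-21907 unless patched.'
    } else {
        Write-Host 'HTTP trailer support is not enabled: the default (non-vulnerable) condition applies.'
    }
} else {
    Write-Warning 'This OS version is affected regardless of the registry value; confirm the January 2022 patch is installed.'
}

# Heuristic corroboration: list updates installed on or after the January 2022 Patch Tuesday.
# The page gives no KB number, so this only narrows what to review, it does not prove the fix is present.
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2022-01-11' } | Select-Object HotFixID, InstalledOn
```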
Meta May Quit Europe Over Data Regulations
Meta has said that it “will likely” stop Facebook and Instagram from operating in Europe unless the company is allowed to transfer, store and process Europeans’ data on servers based in the United States.
The possibility of the social media networks being withdrawn from the continent was included in Meta Platforms, Inc.’s annual report to the US Securities and Exchange Commission on Thursday.
Meta claimed that processing user data transnationally was vital for its business and targeted advertising.
The company said: “If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads.”
Previously, Meta operated under an EU-US data transfer framework named the Privacy Shield, but the European Court of Justice invalidated the treaty in July 2020 over data protection violations. While a successor arrangement to the Privacy Shield remains under negotiation, companies in the United States have had to execute standard contractual clauses (SCCs) to send data to or receive data from the EU.
In August 2020, a draft decision from the Irish Data Protection Commission (IDPC) preliminarily concluded that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with the General Data Protection Regulation (GDPR).
In light of this finding, the IDPC proposed that such transfers of user data from the EU to the US should be suspended. A final decision in this inquiry is due to be issued in the first six months of 2022.
Meta stated in its report that: “If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.”
News Corp Discloses Cyber-Attack
Publishing company News Corp has disclosed that it was the victim of a cyber-attack last month.
Threat actors compromised email accounts belonging to journalists and other employees at the company, which Australian-born American media tycoon Rupert Murdoch owns.
In an email sent to staff members on Friday and viewed by The New York Times, News Corp’s chief technology officer David Kline wrote that “a limited number” of email accounts and documents belonging to News Corp headquarters, News Technology Services, Dow Jones, News UK and The New York Post had been impacted by the incident.
The security incident was discovered on January 20. It was reported to the relevant authorities and is now being investigated by US law enforcement and by cybersecurity firm, Mandiant.
Kline wrote that the attack is believed to have originated from outside the United States.
“Our preliminary analysis indicates that foreign government involvement may be associated with this activity, and that some data was taken,” wrote Kline.
“Mandiant assesses that those behind this activity have a China nexus and believes they are likely involved in espionage activities to collect intelligence to benefit China’s interests.”
Commenting on the attack, iboss CEO Paul Martini said: “This is an early example of what we believe will be a broader escalation of cyber-attacks by nation-state actors in the coming year.
“Just days ago, the FBI labeled Chinese cyber aggression more ‘brazen and damaging’ than ever before and we’re seeing that play out in real time.”
Martini conjectured that the attack was part of an “intelligence gathering campaign that could have broader impacts on US journalism and politics for years to come.”
Liu Pengyu, a spokesman for the Chinese Embassy in Washington, reportedly wrote in an email: “We hope that there can be a professional, responsible and evidence-based approach to identifying cyber-related incidents, rather than making allegations based on speculations.”
Tripwire’s VP of strategy, Tim Erlin, commented: “Cyber-attack attribution is extremely difficult, and while the casual reader may draw the conclusion here that China is responsible (which may be true), it’s worth noting the language that Mandiant uses.
He added: “The term ‘China nexus’ and the phrase ‘benefit China’s interests’ are both ways of softening the conclusion. In these types of reports, language matters.”
Washington Warns of POLARIS Breach
The Washington State Department of Licensing (DOL) has shuttered its Professional Online Licensing and Regulatory Information System (POLARIS) after detecting suspicious activity.
POLARIS stores information about license holders and applicants. The type of information varies for different licenses and may include Social Security numbers, dates of birth, driver license numbers and other personally identifying information (PII).
In a statement posted to its website, the DOL said it became aware of unusual goings-on involving professional and occupational license data during the week commencing January 24 2022. The decision was taken to shut down POLARIS as a precaution while the activity was investigated.
The department said the Washington Office of Cybersecurity was assisting in the safe recovery of the system and in the investigation to determine whether a data breach had occurred.
“At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally,” stated the DOL.
It added: “With the support and assistance of nationally recognized cybersecurity experts, we are investigating what happened and what data and people may be affected.”
The department has created an Intent to Renew form to help those professionals who have tried to renew their licenses while POLARIS is down. A call center was set up on February 4 to answer questions by individuals who were impacted by the outage.
DOL has said it will not act against individuals whose license expired while POLARIS was inaccessible.
The department issues over 40 types of licenses. These include driver and vehicle licenses and professional licenses for cosmetologists, real estate brokers, architects, driving instructors and bail bondsmen.
DOL said that the security incident only appeared to potentially impact professional and occupational license data.
“At this time, we are not aware of any suspicious activity involving other DOL systems, such as the driver and vehicle licensing system (DRIVES),” stated the DOL.
“DRIVES is operating normally. We are monitoring all our systems very carefully.”
The department said it will notify any individuals whose personal data was accessed during the incident and provide them with “further assistance.”
Who dropped the DB? Find out with Teleport Database Access
Graham Cluley Security News is sponsored this week by the folks at Teleport. Thanks to the great team there for their support! You’re woken up at 3 am, only to discover your worst nightmare. The new intern just deleted the production database during routine maintenance by accident. You quickly restore from a backup. During the …
Twitter blackout for Vodafone customers
Vodafone customers in the UK are spitting tacks after an “issue” has left them unable to use Twitter properly for days, after the display of images and movie files, and – in some cases – the entire website, was blocked.
Argo CD flaw puts cloud infrastructure at risk
A high-risk vulnerability that could allow attackers to steal sensitive information and secrets from software projects was found and fixed in Argo CD, a widely used continuous delivery platform for applications deployed via Kubernetes.
According to researchers from cloud application security firm Apiiro, who found and reported the vulnerability, attackers could feed a maliciously crafted Kubernetes application deployment configuration file to Argo CD that can expose files, environment settings and secret tokens from the central repository server. This could potentially lead to privilege escalation and further lateral movement into the organization’s cloud infrastructure.
Savvy cryptomining malware campaign targets Asian cloud service providers
Asian cloud service providers have been targeted by a sophisticated malware campaign designed to steal computing power for mining cryptocurrency. The attack techniques deployed by the CoinStomp malware include timestomping (modification of a file’s timestamp), removal of system cryptographic policies, and use of a reverse shell to initiate command and control communications with the malicious software.
“Timestomping has been used by the Rocke group in prior cryptojacking attacks,” Matt Muir, a researcher for Cado Security, wrote at the company’s website. “However, it’s not a technique commonly seen in the wild. Generally, this technique is employed as an anti-forensics measure to confuse investigators and foil remediation efforts.”
Information systems and cybersecurity: Connections in UX and beyond
This blog was written by an independent guest blogger.
Information systems and cybersecurity go hand in hand. Understanding the relationship between the two is paramount for enterprises to optimize the user experience (UX).
How information systems transform enterprises
Enterprises use information systems to organize, process, analyze, and disseminate data. In doing so, enterprises can transform information into insights. Then, they can leverage these insights to find ways to become more productive and efficient than ever before.
Information systems can deliver immense value to enterprises. As such, hackers frequently target these systems. This can lead to revenue losses, brand reputation damage, and compliance penalties. It can also result in UX issues.
Accuracy and agility drive information systems management
When it comes to information systems management, enterprises must balance accuracy and agility. But doing so can be difficult.
Enterprise data must be consistent across information systems. Otherwise, data can become suspect and of little value. Thus, enterprises need processes to verify data accuracy.
Furthermore, data must be both secure and accessible to authorized users. Safeguards can protect against unauthorized access to information systems. Yet they can force enterprise users to commit significant time, energy, and resources to access data.
Discover how cybercriminals target information systems
Enterprises must account for a wide range of information systems threats, including:
Privilege Escalation: Occurs when a cybercriminal exploits a system vulnerability to illegally access data and/or perform actions.
Virus: Refers to any computer program used to alter system files.
Trojan: Lets a hacker remotely access a system.
Cybercriminals will attack information systems repeatedly, without notice, and until they are successful — and enterprises must plan accordingly. That way, enterprises can protect their information systems against current and emerging cyber threats.
Why sustainable UX design is key
A sustainable UX design offers many benefits relative to information systems management. First, the design ensures data is easily discoverable. It limits load times, so users won’t have to wait long to access the information they need when they need it. At the same time, the design helps an enterprise limit its carbon footprint. The design thereby provides cost savings. Also, the design highlights an enterprise’s commitment to sustainability. As such, it helps an enterprise build goodwill with consumers and can lead to sales and revenue growth.
Developing and launching a sustainable UX design for information systems requires research. Designers must consider the current environmental impact of the existing UX, along with ways to minimize data use. Moreover, designers must account for cybersecurity.
Build security into information systems management
UX design for information systems can be sustainable and secure. However, planning for a sustainable and secure UX design requires attention to detail. And an enterprise must look beyond the design itself to ensure cybersecurity is incorporated into all aspects of information systems management.
The development and implementation of policies surrounding information systems management are critical. Enterprises must consider physical threats and other data security dangers. From here, they can create policies to secure their information systems. They can also fine-tune associated processes, so users can manage them with speed and precision.
Offer information systems management training
Education plays a vital role in information systems management. Teaching users about ransomware, malware, and other cyber threats can help an enterprise guard against cyberattacks. It empowers users with insights they can use to identify such attacks and respond to them accordingly.
Enterprises can leverage training sessions and tabletop exercises to teach users about information systems security. They can offer regular tutorials throughout the year to keep users up to date about new cyber threats. And they can provide staff with opportunities to earn an information systems management degree as well.
Additionally, enterprises can update their information systems policies, processes, and training programs in conjunction with one another. This ensures consistency across all areas of information systems management.
Perform ongoing information systems analysis
Enterprises must seek out ways to enhance their information systems. Audits can be conducted periodically to learn about information systems security issues that disrupt the UX.
With audits, enterprises understand their information systems’ strengths and weaknesses. They can then produce reports that deliver insights into information systems security. These insights can provide the basis for information systems upgrades.
Explore ways to get the most value out of information systems
Information systems management and optimization is a continuous process. Enterprises must consider the functionality of their information systems and ensure it meets the needs of their stakeholders. Meanwhile, they must balance security and UX, to the point where users can leverage the systems without putting enterprises or their data at risk.
There is no one-size-fits-all approach to ensure an enterprise can maximize the value of its information systems. By evaluating security and UX in combination with each other, an enterprise is well-equipped to streamline information systems management. This enterprise can ensure users can safely and seamlessly access data. It can be persistent in its efforts to constantly improve its information systems and the way they are managed, too.
Make information systems management a priority. Work diligently to incorporate security into UX design, and vice versa. This empowers an enterprise to get the most value out of its information systems, now and in the future.