A fossilized ancestor of the vampire squid — with ten arms — was discovered and named Syllipsimopodi bideni after President Biden.

Here’s the research paper. Note: Vampire squids are not squids. (Yes, it’s weird.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Read More

The 2021 Threat Landscape Retrospective explored the top five vulnerabilities of the year. Learn about other high-impact vulnerabilities that nearly made our list.

When putting together the Threat Landscape Retrospective (TLR) for 2021, the Security Response Team had a particularly difficult challenge picking the top five vulnerabilities for the year out of the many candidates.

In this blog post, we’re pulling back the curtain on our selection process, both to highlight the high-impact vulnerabilities that almost made the cut and to discuss our methodology for selecting the top five.

Our goal is to complement the TLR, whose mission is to help cybersecurity professionals with ongoing analysis of the threat landscape, including government, vendor and researcher advisories on important vulnerabilities and noteworthy incidents.

How we chose the 2021 Top 5

When we compiled the top five vulnerabilities for the 2020 TLR, it was easier to select distinct, individual CVEs. As a matter of fact, most of 2020’s top five CVEs continue to haunt organizations well into 2021. One of them — CVE-2020-1472, aka Zerologon — even carried over to the 2021 top five).

On the other hand, 2021 was more about clusters of vulnerabilities that illustrated the cybersecurity landscape. Therefore, we selected “representative” CVEs — selecting a single vulnerability out of a cluster that effectively epitomized a class of flaws or a particular product that was highly targeted throughout the year. For example, the full TLR covers eight vulnerabilities in Microsoft Exchange Server, but CVE-2021-26855, aka ProxyLogon, was the first to gain broad exploitation that continues to this day.

That brings us to another key decision criteria for the top five: long term impact. You may notice that CVE-2021-44228, aka Log4Shell, does not appear on the list. That is because the long term effects of the vulnerabilities in Log4j 2.0 remain to be seen. We may see long term exploitation of these flaws but, when we published the 2021 TLR, they were still too new to have that level of impact. In our analysis, we find time and again that the vulnerabilities with a long tail are the biggest risk to organizations.

Zero-day vulnerabilities typically become more problematic for most organizations after they’ve made the transition to legacy status.

In short, here are our key criteria for selecting the top five vulnerabilities:

Representative of a product that has been highly targeted by threat actors
Has had sustained and widespread exploitation
Offers high value in attack chains
Affects ubiquitous products or protocols

Now, let us explore how the vulnerabilities that didn’t make the Top 5 measure up against these criteria.

* Please note Tenable VPR scores are calculated nightly. This blog post was published on March 13, 2022 and reflects VPR at that time.

CVE-2021-20016: SonicWall SMA zero day

In January 2021, SonicWall disclosed that its internal systems were breached by threat actors, and in February it followed up with an advisory for CVE-2021- 20016, a zero-day vulnerability in its Secure Mobile Access (SMA) SSL VPN. Discovered by NCC Group, CVE-2021-20016 is a SQL injection vulnerability that allows a remote, unauthenticated attacker to access login credentials and session information.

The attacks exploiting CVE-2021-20016 were tied to the FiveHands ransomware by Mandiant, though the NCC Group also saw “indication of indiscriminate” exploitation shortly after SonicWall’s initial announcement, before patches were available. NCC Group did not release significant details or a proof-of-concept (PoC) for CVE-2021-20016 because they didn’t want to facilitate future attacks.

Per the @SonicWall advisory – https://t.co/teeOvpwFMD – we’ve identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall – we’ve also seen indication of indiscriminate use of an exploit in the wild – check logs

— NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021

Why it didn’t make the cut

While CVE-2021-20016 fits many of the criteria used to select the top five, it just barely missed out on inclusion because it did not quite have the same effect as those that made the cut. Perhaps because no PoC was published, we did not see widespread exploitation on the scale of vulnerabilities like ProxyLogon, PrintNightmare or even other vulnerabilities in SSL VPNs. On that note, we felt that the flaw in Pulse Connect Secure was much more illustrative of the risks to VPN products. Because CVE-2021-22893 was already in the top five, we felt the remaining slots were best used for other illustrative vulnerabilities in order to give a full view of the threat landscape.

CVE-2021-40444: Microsoft MSHTML zero day

CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML (Trident) platform. Microsoft announced the vulnerability on September 7, 2021, in response to active exploitation but did not release patches until that month’s dedicated Patch Tuesday a week later. By then, nearly two dozen PoC repositories had been published on GitHub. To exploit this vulnerability, an attacker would use social engineering like phishing to convince targets to open a malicious Microsoft Office document.

CVE-2021-40444 was exploited as a zero day in limited, targeted attacks and continues to be exploited, notably in targeted cyberespionage attacks by an advanced persistent threat group. After the full advisory was published, Microsoft confirmed that “multiple threat actors, including ransomware-as-a-service affiliates” had adopted CVE-2021-40444.

While RiskIQ did find that initial attacks exploiting CVE-2021-40444 shared common infrastructure with the Ryuk ransomware family, the researchers were careful to note that this overlap is inconclusive.

Why it didn’t make the cut

Despite being adopted by ransomware groups, the primary attacks exploiting CVE-2021-40444 were targeted and leveraged specially tailored phishing lures that require user interaction. This specificity limits the scope of this vulnerability and, while we expect to see it used in ongoing phishing attacks, it did not meet the level of concern we felt for the Microsoft Exchange vulnerabilities.

CVE-2021-30116, CVE-2021-30119, CVE-2021-30120: Kaseya VSA

There is an unfortunate precedent of cybersecurity incidents ruining a holiday weekend. Chief among them in 2021, Kaseya Limited announced on July 5 that three zero-day vulnerabilities in its Virtual System Administrator (VSA) remote monitoring and management software were exploited in a large-scale ransomware attack later tied to the REvil ransomware group.

The disclosure and investigation of this incident was a whirlwind, developing quickly over the Fourth of July holiday weekend in the United States. The attack was first reported on July 2 and patches were released on July 11.

Since the incident in July, more vulnerabilities have been disclosed in Kaseya products, but none have been exploited in the wild, and one (CVE-2021-40386) remains unpatched at the time this blog post was published.

Why it didn’t make the cut

This set of vulnerabilities falls into the subcategory of zero days that made a big splash, but it didn’t have the long tails we have seen on other vulnerabilities in the top five. According to Kaseya, “only a very small percentage of our customers were affected — currently estimated at fewer than 40 worldwide.” Interestingly, only CVE-2021-30116 has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. While that doesn’t necessarily mean there hasn’t been known exploitation of the other vulnerabilities, it does offer additional context for evaluating these vulnerabilities against the rest of the top five.

PetitPotam (CVE-2021-36942)

Somewhat unique on this list is PetitPotam, which is a new technology LAN manager (NTLM) relay attack rather than a distinct vulnerability. Originally disclosed by Gilles Lionel, PetitPotam can force domain controllers to authenticate to an attacker-controlled destination. Shortly after disclosure, the PoC was adopted by ransomware groups like LockFile. At first, Microsoft labeled this issue as “won’t fix,” and continues to primarily rely on its general mitigation guidance for defending against NTLM Relay Attacks.

There is a vulnerability associated with this attack, CVE-2021-36942, which is a Windows LSA Spoofing Vulnerability that received a CVSSv3 score of 7.8 and was patched in August’s Patch Tuesday release. However, later reports indicate that this patch was incomplete. It is important to note that, in this case, the vulnerability itself does not represent the true risks of this attack vector.

Why it didn’t make the cut

PetitPotam has seen similar use to Zerologon by threat actors but with a smaller attack surface and more limited adoption. The CVE associated with PetitPotam does have the lowest CVSSv3 score on the list but that wasn’t a factor in our decision. It is perhaps more notable that a vulnerability with a score of 5.3 made it into the top 10 at all.

CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104: Accellion File Transfer Appliance

At the end of 2020 and into the beginning of 2021, a large number of organizations — we have tracked more than 40 — were breached using four zero day vulnerabilities in Accellion’s File Transfer Appliance (FTA).

Almost immediately upon the announcement of these attacks, some were traced back to the Clop/CL0P ransomware group. Disclosures of breaches linked to Accellion FTA continued to occur throughout the beginning of 2021, making these zero days some of the most exploited vulnerabilities in the first half of the year.

Why it didn’t make the cut

While these vulnerabilities had considerable impact on the organizations breached using them, the effects were relatively short-lived. Attacks exploiting Accellion peaked in January 2021 and these vulnerabilities don’t appear to have the long tail that characterize those in the top five.

Common themes among the outliers

One thing that stands out for several of these entries is that they are not a distinct CVE but rather groups or chains of vulnerabilities. While this wasn’t a conscious decision factor when we selected the top five, it shows an important component of our decision criteria. We sought out vulnerabilities that not only represented considerable, long-term risks to organizations but also those that were uniquely illustrative. We could have compiled the top five just out of flaws in Microsoft Exchange Server and Print Spooler but decided to instead highlight a diverse set of products that many organizations might deploy.

Also interesting is that the vulnerabilities that did not make the cut were all zero days, while only two of the final top five were. While we did see more threat actors exploiting zero days in attacks this year, 83% of the zero days we tracked for the 2021 TLR were exploited in the wild, unpatched known vulnerabilities continue to be a fertile ground for attackers.

While the effects of these vulnerabilities were acutely felt by those organizations breached using them, the wide-scale impact was lacking. Attackers have a plethora of vulnerabilities from which to choose, and the vulnerabilities that did make it into the top five represent those that a large number of attackers chose to exploit in a greater number of attacks than those that just missed the cut. That being said, organizations with any of the vulnerabilities discussed here should immediately set a plan to identify and remediate any affected assets.

Identifying affected systems

Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for the vulnerabilities discussed in this report. In addition, Tenable.io customers have a new dashboard and widgets in the widgets library and Tenable.sc users also have a new dashboard covering the 2021 Threat Landscape Retrospective.

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

Cybersecurity firm joins growing list of companies pulling out of Russia following invasion of Ukraine

Read More

BNP Paribas rescinds access privileges for its Russia-based workers over cyber-attack fears

Read More

US to try former Canadian government employee accused of ransomware attacks

Read More

As their cities suffered more intense bombardment by Russian military forces this week, Ukrainian Internet users came under renewed cyberattacks, with one Internet company providing service there saying they blocked ten times the normal number of phishing and malware attacks targeting Ukrainians.

John Todd is general manager of Quad9, a free “anycast” DNS platform. DNS stands for Domain Name System, which is like a globally distributed phone book for the Internet that maps human-friendly website names (example.com) to numeric Internet addresses (8.8.4.4.) that are easier for computers to manage. Your computer or mobile device generates DNS lookups each time you send or receive an email, or browse to a webpage.

With anycast, one Internet address can apply to many servers, meaning that any one of a number of DNS servers can respond to DNS queries, and usually the one that is geographically closest to the customer making the request will provide the response.

Quad9 insulates its users from a range of cyberattacks by blocking DNS requests for known-bad domain names, i.e., those confirmed to be hosting malicious software, phishing websites, stalkerware and other threats. And normally, the ratio of DNS queries coming from Ukraine that are allowed versus blocked by Quad9 is fairly constant.

But Todd says that on March 9, Quad9’s systems blocked 10 times the normal number of DNS requests coming from Ukraine, and to a lesser extent Poland.

Todd said Quad9 saw a significant drop in traffic reaching its Kyiv POP [point of presence] during the hostilities, presumably due to fiber cuts or power outages. Some of that traffic then shifted to Warsaw, which for much of Ukraine’s networking is the next closest significant interconnect site.

“While our overall traffic dropped in Kyiv — and slightly increased in Warsaw due to infrastructure outages inside of .ua — the ratio of (good queries):(blocked queries) has spiked in both cities,” he continued. “The spike in that blocking ratio [Wednesday] afternoon in Kyiv was around 10x the normal level when comparing against other cities in Europe (Amsterdam, Frankfurt.) While Ukraine always is slightly higher (20%-ish) than Western Europe, this order-of-magnitude jump is unprecedented.”

Quad9 declined to further quantify the data that informed the Y axis in the chart above, but said there are some numbers the company is prepared to share as absolutes.

“Looking three weeks ago on the same day of the week as yesterday, we had 118 million total block events, and of that 1.4 million were in Ukraine and Poland,” Todd said. “Our entire network saw yesterday on March 9th 121 million blocking events, worldwide. Of those 121 million events, 4.6 million were in Ukraine and Poland.”

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco that is one of several sponsors of Quad9. Woodcock said the spike in blocked DNS queries coming out of Ukraine clearly shows an increase in phishing and malware attacks against Ukrainians.

“They’re being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure,” Woodcock said.

Both Todd and Woodcock said the smaller spike in blocked DNS requests originating from Poland is likely the result of so many Ukrainians fleeing their country: Of the two million people who have fled Ukraine since the beginning of the Russian invasion, more than 1.4 million have made their way to Poland, according to the latest figures from the United Nations.

The increase in malicious activity detected by Quad9 is the latest chapter in an ongoing series of cyberattacks against Ukrainian government and civilian systems since the outset of the war in the last week of February.

As Russian military tanks and personnel began crossing the border into Ukraine last month, security experts tracked a series of destructive data “wiper” attacks aimed at Ukrainian government agencies and contractor networks. Security firms also attributed to Russia’s intelligence services a volley of distributed denial-of-service (DDoS) attacks against Ukrainian banks just prior to the invasion.

Thus far, the much-feared large scale cyberattacks and retaliation from Russia haven’t materialized. But the data collected by Quad9 suggest that a great deal of low-level cyberattacks targeting Ukrainians remain ongoing.

It is unclear to what extent — if any — Russia’s vaunted cyber prowess may be stymied by mounting economic sanctions enacted by both private companies and governments. In the past week, two major backbone Internet providers said they would stop routing traffic for Russia.

Earlier today, the London Internet Exchange (LINX), one of the largest peering points where networks around the world exchange traffic, said it would stop routing for Russian Internet service providers Rostelecom and MegaFon. Rostelecom is Russia’s largest ISP, while MegaFon is Russia’s second-largest mobile phone operator and third largest ISP.

Doug Madory, director of research for Internet infrastructure monitoring firm Kentik, said LINX’s actions will further erode the connectivity of these large Russia providers to the larger Internet.

“If the other major European exchanges followed suit, it could be really problematic for Russian connectivity,” Madory said.

Read More