Daily Archives: May 16, 2022
CVE-2021-25119
The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts them without validating the extracted file types, allowing high-privilege users such as admins to upload an arbitrary file like PHP, leading to RCE.
Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems
Microsoft advised organizations running Windows or Linux on internet-facing systems to take action
Russian cyber attack on Eurovision foiled by Italian authorities
If pro-Russian hackers had had their way, the Eurovision Song Contest could have been disrupted, potentially preventing the broadcast from being seen or meddling with the vote.
Read more in my article on the Hot for Security blog.
Tenable.io Achieves StateRAMP Authorization as Part of Our Commitment to Protect State and Local Governments
StateRAMP-authorized cloud solutions like Tenable.io meet stringent security and compliance standards.
Increasingly targeted by cyber criminals, state and local governments (SLGs) need highly secure cloud solutions. StateRAMP authorization, which involves a rigorous security and compliance evaluation, helps SLGs reduce risk and efficiently verify the security of their cloud solutions.
Today, we’re excited to announce that Tenable.io is StateRAMP authorized, meaning our SLG customers can have peace of mind knowing that our vulnerability management solution meets the strict cybersecurity standards required by federal and SLG agencies.
Achieving this milestone is part of our continued commitment to providing secure, compliant products to help our public sector customers keep their data safe and protect against breaches.
Cybersecurity stakes keep climbing for SLGs
SLGs are on the front lines of cybersecurity. They hold access to sensitive databases and PII, and often oversee critical infrastructure. To meet citizens’ needs, SLG agencies are embracing digital technologies from mobile to IoT to cloud. With the increased amount of sensitive data to protect and an expanded attack surface, it’s no surprise that cyber attacks against SLGs are becoming more prevalent.
To help SLG CISOs and security leaders identify truly secure and compliant cloud solutions, the State Risk and Authorization Management Program (StateRAMP) was launched. This new program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud service providers (CSPs) at the state level. The security verification model is based on the NIST SP 800-53 control framework and is modeled, in part, after FedRAMP.
Tenable.io’s StateRAMP authorization
Tenable is excited to be a part of StateRAMP’s effort to secure state and local governments. Our StateRAMP active solution, Tenable.io, provides risk-based vulnerability management so you can:
Get full visibility into the assets and vulnerabilities across your attack surface
Continuously track and assess known and unknown assets and their vulnerabilities, including dynamic assets like mobile devices, virtual machines and cloud instances
Proactively identify and prioritize vulnerabilities with the highest impact to your organization
Get immediate insight and visualizations into your security posture
With both StateRAMP and FedRAMP authorizations, you can be assured that Tenable.io is a secure, effective and tested cloud-based vulnerability management solution that meets the high security and compliance standards of federal, state and local government agencies. To learn more about how Tenable protects state and local governments, read the Solutions Overview.
For more information on StateRAMP, read the StateRAMP FAQ.
The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms
Rob Joyce, the director of cybersecurity at the NSA, said so in an interview:
The NSA already has classified quantum-resistant algorithms of its own that it developed over many years, said Joyce. But it didn’t enter any of its own in the contest. The agency’s mathematicians, however, worked with NIST to support the process, trying to crack the algorithms in order to test their merit.
“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”
The purpose of the open, public international scrutiny of the separate NIST algorithms is “to build trust and confidence,” he said.
I believe him. This is what the NSA did with NIST’s candidate algorithms for AES and then for SHA-3. NIST’s Post-Quantum Cryptography Standardization Process looks good.
I still worry about the long-term security of the submissions, though. In 2018, in an essay titled “Cryptography After the Aliens Land,” I wrote:
…there is always the possibility that those algorithms will fall to aliens with better quantum techniques. I am less worried about symmetric cryptography, where Grover’s algorithm is basically an upper limit on quantum improvements, than I am about public-key algorithms based on number theory, which feel more fragile. It’s possible that quantum computers will someday break all of them, even those that today are quantum resistant.
It took us a couple of decades to fully understand von Neumann computer architecture. I’m sure it will take years of working with a functional quantum computer to fully understand the limits of that architecture. And some things that we think of as computationally hard today will turn out not to be.
‘The People Hacker’ Jenny Radcliffe Inducted into Infosecurity Europe’s Hall of Fame
Radcliffe will be officially inducted into the Hall of Fame during a keynote session at this year’s Infosecurity Europe 2022
Stories from the SOC – Persistent malware
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.
Executive summary
One of the most prevalent threats today, facing both organizations and individuals alike, is the use of ransomware. In 2021, 37% of organizations said they were victims of some type of ransomware attack. Ransomware can render large amounts of important data inaccessible nearly instantly. This makes reacting to potential ransomware events in a timely and accurate manner extremely important. Utilizing an endpoint security tool is critical to help mitigate these threats. However, it is vital to maintain vigilance and situational awareness when addressing these threats, and not rely solely on one piece of information when performing analysis.
The AT&T Managed Extended Detection and Response (MXDR) analyst team received an alarm stating SentinelOne had detected ransomware on a customer’s asset. The logs suggested the threat had been automatically quarantined, but further analysis suggested something more sinister was afoot. The same malicious executable had been detected on that asset twice before, both times reportedly being automatically quarantined. This type of persistent malware can be an indicator of a deeper infection such as a rootkit. After a more in-depth analysis and collaboration with the customer, the decision was made to quarantine and power off the asset, and replace the asset entirely due to this persistent malware.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
The initial SentinelOne alarm alerted us to an executable ‘mssecsvc.exe’:
The name of the executable as well as the file path is cleverly crafted to imitate a legitimate Windows program.
Expanded investigation
Events search
Searching events for the file hash revealed it had been repeatedly detected on the same asset over the last 2 weeks. In each instance the event log reports the executable being automatically quarantined by SentinelOne.
Additionally, a search in USM Anywhere revealed two previous investigations opened for the same executable on the same asset. In both previous investigations the customer noted SentinelOne had automatically quarantined the file but did not take any further action regarding the asset.
Event deep dive
In the new instance of this alarm the event log reports SentinelOne successfully killed any processes associated with the executable and quarantined the file.
This may lead one to believe there is no longer a threat. But the persistent nature of this file raises more questions than the event log can answer.
Reviewing additional indicators
It is important to not rely on a single piece of information when assessing threats and to go beyond just what is contained in the logs we are given. Utilizing open-source threat intelligence strengthens our analysis and can confirm findings. Virus Total confirmed the file hash was deemed malicious by multiple other vendors.
The executable was also analyzed in JoeSandbox. This revealed the file contained a device path for a binary string ‘FLASHPLAYERUPDATESERVICE.EXE’ which could be used for kernel mode communication, further hinting at a rootkit.
Response
Building the investigation
Despite the event log suggesting the threat had been automatically quarantined, the combination of the repeat occurrence and the findings on open-source threat intel platforms warranted raising an investigation to the customer. The customer was alerted to the additional findings, and it was recommended to remove the asset from the network.
The customer agreed with the initial analysis and suspected something more serious. The analysts then searched through the Deep Visibility logs from SentinelOne to determine the source of the mssecsvc.exe. Deep Visibility logs allow us to follow associated processes in a storyline order. In this case, it appears the ‘mssecsvc.exe’ originated from the same ‘FlashPlayerUpdateService.exe’ we saw in the JoeSandbox analysis. Deep Visibility also showed us that mssecsvc.exe had a Parent Process of wininit.exe, which was likely to be the source of persistence.
Customer interaction
Another notable feature of USM Anywhere is the ability to take action from one centralized portal. As a result of the investigation, the analysts used the Advanced AlienApp for SentinelOne to place the asset in network quarantine mode and then power it off. An internal ticket was submitted by the customer to have the asset replaced entirely.
Limitations and opportunities
Limitations
A limiting factor for the SOC is our visibility into the customer’s environment as well as what information we are presented in log data. The event logs associated with this alarm suggested there was no longer a threat, as it had been killed and quarantined by SentinelOne. Taking a single instance of information at face value could have led to further damage, both financially and reputationally. This investigation highlighted the importance of thinking outside the log, researching historical investigations, and combining multiple sources of information to improve our analysis.
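As an added illustration (not code from the AT&T SOC post), here is a Python sketch of the check the analysts made by hand: it groups constructed EDR quarantine events by asset and file hash, flags pairs that keep recurring inside a window even though each event says "quarantined", and then combines that recurrence with a vendor-detection count from a threat-intel lookup before recommending action. The event field names, hosts, hashes and counts are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on EDR threat alarms (not real log data).
# Each record: when it fired, the asset, the file hash, the path, and the EDR action taken.
EVENTS = [
    {"ts": "2022-05-01T08:12:00", "host": "WS-0042", "sha256": "HASH-A",
     "path": r"C:\Windows\mssecsvc.exe", "action": "quarantined"},
    {"ts": "2022-05-06T09:40:00", "host": "WS-0042", "sha256": "HASH-A",
     "path": r"C:\Windows\mssecsvc.exe", "action": "quarantined"},
    {"ts": "2022-05-14T07:03:00", "host": "WS-0042", "sha256": "HASH-A",
     "path": r"C:\Windows\mssecsvc.exe", "action": "quarantined"},
    {"ts": "2022-05-10T11:00:00", "host": "WS-0077", "sha256": "HASH-B",
     "path": r"C:\Users\j\Downloads\inv.exe", "action": "quarantined"},
]


def find_recurring_quarantines(events, window_days=14, min_hits=2):
    """Return {(host, sha256): hits} for files the EDR auto-quarantined at least
    `min_hits` times inside some `window_days` span. A file that comes back after
    being removed points at a persistence mechanism the quarantine did not touch,
    so the alarm should be escalated rather than closed as "handled"."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "quarantined":
            by_key[(e["host"], e["sha256"])].append(datetime.fromisoformat(e["ts"]))
    window = timedelta(days=window_days)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        # Sliding window: from each hit, count later hits that fall within `window`.
        for i, start in enumerate(times):
            hits = [t for t in times[i:] if t - start <= window]
            if len(hits) >= min_hits:
                flagged[key] = len(hits)
                break
    return flagged


def triage(flagged, vendor_detections, min_vendors=3):
    """Combine recurrence with an external reputation result (sha256 -> number of
    engines flagging it, as a threat-intel query would return; values assumed).
    Recurrence plus independent corroboration is the signal that justifies
    isolating the asset instead of trusting the per-event 'quarantined' status."""
    recommendations = {}
    for (host, sha), _hits in flagged.items():
        corroborated = vendor_detections.get(sha, 0) >= min_vendors
        recommendations[host] = "isolate and rebuild" if corroborated else "investigate"
    return recommendations
```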
Italian Police Foil Pro-Russia Attacks on Eurovision
USN-5421-1: LibTIFF vulnerabilities
It was discovered that LibTIFF incorrectly handled certain images. An attacker could possibly use this issue to cause a crash, resulting in a denial of service. This issue only affects Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-35522)
Chintan Shah discovered that LibTIFF incorrectly handled memory when handling certain images. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-0561, CVE-2022-0562, CVE-2022-0891)
It was discovered that LibTIFF incorrectly handled certain images. An attacker could possibly use this issue to cause a crash, resulting in a denial of service. This issue only affects Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2022-0865)