Multiple Vulnerabilities in Aruba EdgeConnect Enterprise Orchestrator Could Allow for Remote Code Execution

Read Time:36 Second

Multiple vulnerabilities have been discovered in Aruba EdgeConnect Enterprise Orchestrator’s Web-Based Management Interface, the most severe of which could allow for remote code execution. Aruba EdgeConnect Enterprise Orchestrator is a widely used WAN management solution. Critical and easily exploitable flaws in this product introduce risks for systems and networks. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Kolide, endpoint security for teams that want to meet SOC 2 compliance goals without sacrificing privacy

Read Time:22 Second

Graham Cluley Security News is sponsored this week by the folks at Kolide. Thanks to the great team there for their support! In 2021, our company went through the SOC 2 Type 1 audit, and we found out just how challenging it can be to prove compliance to a third-party auditor. We also learned firsthand … Continue reading “Kolide, endpoint security for teams that want to meet SOC 2 compliance goals without sacrificing privacy”

Read More

Stories from the SOC:  Feeling so foolish – SocGholish drive by compromise

Read Time:6 Minute, 32 Second

Executive summary:

SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive by compromises that has been a thorn in cybersecurity professionals’ and organizations’ sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update and a zip archive file containing a malicious JavaScript file is downloaded and unfortunately often opened and executed by the fooled end user. 

An AT&T Managed Extended Detection and Response (MXDR) client with Managed Endpoint Security (MES) powered by SentinelOne (S1) received an alert regarding the detection and mitigation of one of these JavaScript files. The MXDR Threat Hunter assigned to this client walked them through the activity resulting from the execution of the malicious file, as well as provide additional guidance on containment and remediation of the host involved in the incident.

Investigation

Upon detection of the follow up activity of the malicious file executed by the end user, S1 created an Incident within the S1 portal. This in turn creates an Alarm within the USM Anywhere platform, where the MXDR SOC team works, reviews, and creates Investigations for client notification as necessary. Since this activity was observed all within S1, this analysis will be out of there.

The best way to start looking into a S1 event is to go to the Storyline of the Incident within Deep Visibility.

Once we have all the events related to the Incident, we can also create a new Deep Visibility search for all activity related to the affected host from about an hour before right up to the first event for the incident. This will let us try to see what happened on the host that lead to the execution of the malicious JavaScript file.

Reviewing the events from both the overall logs on the host and the events related to the Storyline, we can build out a rough timeline of events. Note there are close to 15k events on the host in the timeframe and 448 events in total in the Storyline; I’m just going over the interesting findings for expediency sake.

12:07:08 The user is surfing on Chrome and using Google search to look up electricity construction related companies; we see two sites being visited, with both sites being powered by WordPress. The SocGholish campaign works by injecting malicious code into vulnerable WordPress websites. While I was unable to find the injected code within the potentially compromised sites, I see that one of the banners on the page contains spam messages; while there are no links or anything specifically malicious with this, it lets us know that this site is unsafe to a degree.

12:10:46 The user was redirected to a clean[.]godmessagedme[.]com for the initial download. It likely would have looked like this:

We can assume the URI for the request looks like the /report as seen in VirusTotal and described in open-source intelligence (OSI). Note that the subdomain “clean” has a different resolution than the root domain; this is domain shadowing performed by the attackers by creating a new A-record within the DNS settings of the legitimate domain:

12:12:19 Chrome creates on disk: “C:Users[redacted]DownloadsСhrome.Updаte.zip”.
12:13:11 User has opened the zip file and is executing the JavaScript file inside: “C:Users[redacted]AppDataLocalTempTemp1_Сhrome.Updаte.zipAutoUpdater.js”. The first thing that triggers is a POST request to hxxps://2639[.]roles[.]thepowerofgodswhisper[.]com/updateResource – this is the first check in.

12:13:15 The script follows up commands to pull system information, such as the Computer Name, Username, User Domain, Computer Manufacturer, BIOS information, Security Center status and Antispyware Product, Network Adapter information, MAC address, and OS version. There is a POST request again, but this is to pull down additional JavaScript that it will evaluate and execute:

The information is collected to build the URI:

12:13:20 POST request goes through to hxxps://2639[.]roles[.]thepowerofgodswhisper[.]com/updateResource.
A new URL is now leveraged: hxxps://2639[.]roles[.]thepowerofgodswhisper[.]com/settingsCheck

12:13:23 Additional commands are now flying through:

12:13:24 We see whoami as one of the commands leveraged. Whoami.exe is run on the host and the information is written to “radDCADF.tmp” in the Temp folder for exfiltration.

12:31:36 Commands for nltest /domain_trusts to tmp file:

12:34:19 nltest /dclist:[redacted] observed:

12:37:36 Command to pull domain information into the path tmp file and POSTed up observed:

12:48:39 Commands to create “rad0A08F.tmp”, which is a data stream on the C2 server. The file is then renamed to 81654ee8.js and executed with wscript.exe:

The activity that follows is a mix of this new script and the previous script.
12:49:11 Creation of a file from a data stream to “C:ProgramDatarad6598E.tmp” then rename “rad6598E.tmp” to “jdg.exe”.

Activity by the attackers ends there as S1 has prevented additional actions related to this Storyline and pivoting across the environment with the executable name and hash yields no additional results. The client has since removed the host from the network and rebuilt it.

Response

Customer interaction

The MXDR SOC created an Investigation within USM Anywhere and notified the customer about this incident. The Threat Hunter assigned to the customer then followed up to provide them with additional context, findings, and recommendations for containment and remediation.

The host in question was removed from the network and rebuilt, and the user’s credentials were reset. Domains and IP addresses related to the compromise were provided to the customer and were promptly blocked on the proxy and firewall. While unlikely we will see the same file hashes again, the hashes of all files related to the incident were blocklisted within S1.

Protecting against SocGholish

Death, taxes, and SocGholish are certainties in life but there are steps organizations can take to prevent infections. Of course, partnering with the AT&T MXDR service, especially with the MES would be a great way to protect your organization and users, but here are steps to consider to not only prevent SocGholish but to reduce your overall attack surface:

Educate employees on the following sorts of social engineering attacks:

Fake browser or operating system updates
Fake operating system errors or messages telling them to call in for assistance
Phishing and vishing attacks where the employee is asked to download tools or software updates

Turn off “Hide Known File Extension” across the environment via Group Policy

The JavaScript file inside the zip archive has a higher chance of being clicked by a user because they cannot see the file is a .js file, versus an executable. Of course, this is a moot point if the attacker file is an executable to start, but this setting across the user base can help more savvy users recognize potential double extension trickery or icon manipulation.

Prevent execution of .js files

Removing the file association of JavaScript files, as well as other common attack file formats such as .iso, .cab, .wsf, and others can prevent users from just executing files that are uncommonly used.

Implement rules within EDR platform or application blocking software

Detection of wscript.exe activity where the command line contains .zip and .js
Detection of nltrust.exe and whoami.exe from cmd.exe where the parent process is wscript.exe
Detection of executables running out of the ProgramData folder directly, e.g. C:ProgramDatajdg.exe

Execution of executables out of other uncommon folders as well, such as Public, Music, Pictures, etc.

Detection of POST requests for URI: /updateResource and /settingsCheck
Detection of when URIs contain information such as hostnames matching your organization’s format, MAC addresses, and other information related to your domain, such as domain controller hostnames

Read More

Top skill-building resources and advice for CISOs

Read Time:36 Second

The role of the CISO has evolved, and so have the responsibilities. Some believe a CISO must have technical knowledge and experience as a cybersecurity professional, others think leadership skills such as being able to communicate with boards are what matters most.

Ultimately, the hiring organisations will define what it needs in terms of cybersecurity to find the right person. In finance and insurance, for example, there will be specific rules that must be followed in different countries and cybersecurity leaders in such organisations may even be liable. In telecommunications, the skills required are likely to be more technical, whereas in government knowledge around governance and risk are top of the list.

To read this article in full, please click here

Read More

True Security Requires a Holistic Approach

Read Time:4 Minute, 30 Second

In the eyes of hackers, scammers, and thieves, your online privacy and identity look like a giant jigsaw puzzle. One that they don’t need every piece to solve. They only need a few bits to do their dirty work, which means protecting every piece you put out there—a sort of holistic view on your personal security. One that protects you, not just your devices. 

Here’s what’s at stake: we create and share loads of personal information simply by going about our day online, where each bit of information makes up a piece of that giant jigsaw puzzle. Some pieces directly identify us, like our tax returns, bank account information, or driver’s licenses. Other pieces of information indirectly identify us, like the IP addresses assigned to our computers, tablets, and phones—or device ID numbers, location information, and browsing history. And bad actors only need a few key pieces to do you harm, such as committing identity crime in your name or selling your personal information on sketchy websites or the dark web. 

While people show great concern about their personal information, who has it and what’s done with it, our research shows that 70% of people feel like they have little or no control over the data that’s collected about them. However, you have plenty of ways that you can indeed take control—ways that can prevent, detect, and correct attacks on your privacy and identity. That’s where holistic protection comes in. 

What do we mean by holistic protection? 

You can think of holistic protection as layers of shields that protect you and the devices you use. It gives you three layers in all—a Prevention Layer, Detection Layer, and a Correction Layer. 

A holistic and comprehensive security solution like McAfee+ combines those three layers in a way that protects your personal information and keep your identity private, showing you how it does it along the way, so you can see exactly how safe you are. Let’s take a quick look of some of the protections you’ll find in each layer … 

In the Prevention Layer, you’ll see:  

A virtual private network (VPN), allowing you to connect securely on a public Wi-Fi network by encrypting, or scrambling, your data while in transit so no one else sees it. It’ll also make your activity far more private, making it harder for advertisers and data collectors to track. 
Safe browsing that warns you if a website is risky before you enter your information and can steer you clear of risky links, while a download scanner can prevent downloads of malware or malicious email attachments. 
An integrated password managerthat can create and store strong and unique passwords for each of your accounts. This way if one of your accounts is hacked, your other accounts won’t be at risk. 
A security freeze service that can prevent hackers and thieves from opening of new credit, bank, and utility accounts in your name.​ 
Real-time antivirus that protects your data and devices. 

In the Detection Layer, you have … 

Identity monitoring that keeps tabs on everything from email addresses to IDs and phone numbers for signs of breaches so you can take action to secure your accounts before they’re used for identity theft. 
McAfee’s industry-first Protection Score that monitors the health of your online protection and shows you ways you can improve your security and stay safe online. 

In the Correction Layer, several other protections have your back … 

Identity theft protection & restoration that aids with many of the costs associated with restoring one’s identity through up to $1 million in coverage—along with the services of a licensed recovery pro to help restore your identity.​ 
Personal data cleanup that scans some of the riskiest data broker sites and shows you which ones are selling your personal info so that you can remove it on your own or with our help, depending on your plan. 

These are just a few examples of the protections in each layer. And you’ll find our most comprehensive holistic protection in McAfee+ Ultimate, covering your privacy, identity, and devices. 

A Unified Solution for your Privacy, Identity, and Devices 

While your online privacy and identity may look a jigsaw puzzle, protecting it shouldn’t be as complicated. With a holistic security solution for your personal protection, you can minimize your exposure with layers of security that do much of the work for you. 

Antivirus on your PC is not enough. It has not been enough for many decades now. And this becomes more evident as we continue to spend more time online, with the average person spending 6 hours and 54 minutes online each day, leaving clouds of personal information in their wake. 

While standalone apps like a password manager, a VPN app, and an identity solution from different vendors can be piecemealed together with your device security, these are difficult to keep track of and burdensome to maintain. 

We have combined the important tools you need into a seamless and comprehensive experience because good security software is something that you use daily to feel safer online. This is why we are working on your behalf to redefine security, so you can enjoy your connected life with confidence. 

The post True Security Requires a Holistic Approach appeared first on McAfee Blog.

Read More