CVE-2022-22536: SAP Patches Internet Communication Manager Advanced Desync (ICMAD) Vulnerabilities


SAP and Onapsis Research Labs collaborate to disclose three critical vulnerabilities impacting SAP NetWeaver Application Servers. The most severe of the three could lead to full system takeover.

Background

On February 8, SAP, in coordination with the Onapsis security researchers who discovered the flaws, disclosed several vulnerabilities in the Internet Communication Manager (ICM), a critical component of its NetWeaver Application Servers. SAP and Onapsis have both released write-ups regarding their partnership to discover and patch these flaws. The Cybersecurity and Infrastructure Security Agency also issued an immediate warning about these vulnerabilities, stating that exploitation could result in disrupted operations, data theft, fraud and ransomware attacks.

SAP NetWeaver is an application and integration server that acts as the software stack for most of SAP’s applications, including solutions for critical business functions such as enterprise resource planning, customer relationship management and supply chain management.

Analysis

Onapsis Research Labs discovered three critical vulnerabilities in the ICM component of SAP applications. According to the Onapsis Threat Report, the vulnerable ICM component is “present in most SAP products and is a critical part of the overall SAP technology stack,” making these vulnerabilities a major concern for enterprises that deploy SAP products. Because this component connects SAP applications to the internet, it is exposed by default in most deployments.

CVE-2022-22536 is a memory pipes (MPI) desynchronization vulnerability that received the highest CVSSv3 score of 10.0. Onapsis has named this flaw ICMAD for Internet Communication Manager Advanced Desync. An unauthenticated remote attacker could exploit the vulnerability using a simple HTTP request and achieve full system takeover. In addition to being the most critical, CVE-2022-22536 also has the widest effect of all three vulnerabilities, impacting SAP NetWeaver Java or ABAP applications with default configurations.

CVE-2022-22532 is an HTTP request smuggling vulnerability in the ICM component, according to SAP; Onapsis, however, lists it as a use-after-free vulnerability. This vulnerability only exists in SAP NetWeaver Java systems. It received a CVSSv3 score of 8.1 and does not require authentication or user interaction to exploit. According to the Onapsis report, certain “more complex [exploit] scenarios” could lead to remote code execution.

CVE-2022-22533 is a memory leak in memory pipe management that could lead to denial of service. It also only affects SAP Application Server Java systems and received a CVSSv3 score of 7.5. An attacker could exploit this flaw using specially crafted HTTP(S) requests to consume all MPI resources.

Proof of concept

Onapsis Research Labs published a scanner script on GitHub for organizations to detect if their SAP instances are vulnerable to CVE-2022-22536. The readme file for the scanner does caution that this script is a best effort attempt at identifying vulnerable instances and cannot provide 100% accuracy.

Solution

As part of its monthly Security Patch Day, SAP published HotNews Security Notes 3123396 and 3123427 (login required) to address CVE-2022-22536 and CVE-2022-22532. The table below lists the SAP products patched. CVE-2022-22533 is not currently listed on the February 2022 Patch Day page.

CVE | Description | Products
CVE-2022-22536 | Memory Pipe Desynchronization | SAP Web Dispatcher, Versions: 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87; SAP Content Server, Version: 7.53; SAP NetWeaver and ABAP Platform, Version: KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49
CVE-2022-22532 | HTTP Request Smuggling/Use After Free | SAP NetWeaver Application Server Java, Versions: KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
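Until scanner coverage exists, a first triage step is to compare an inventory of SAP releases against the product lists in the table above. The script below is an added example for this write-up, not the Onapsis scanner or any SAP tool: it parses the table's product strings (copied verbatim, including the kernel-flavour labels KERNEL, KRNL64UC and KRNL64NUC) into a lookup and reports which CVEs list a given product, kernel flavour and release. The product, flavour and release values passed in at the bottom are a constructed inventory entry.

```python
"""Match a host's SAP release against the affected-product lists SAP published
for CVE-2022-22536 and CVE-2022-22532. Added illustration for this write-up,
not the Onapsis scanner or any SAP tool."""
import re
from typing import Dict, List, Set, Tuple

# Product strings copied from the February 2022 Patch Day table quoted above.
TABLE = {
    "CVE-2022-22536": (
        "SAP Web Dispatcher, Versions: 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87 "
        "SAP Content Server, Version: 7.53 "
        "SAP NetWeaver and ABAP Platform, Version: KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, "
        "7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, "
        "KRNL64NUC 7.22, 7.22EXT, 7.49"
    ),
    "CVE-2022-22532": (
        "SAP NetWeaver Application Server Java, Versions: KRNL64NUC 7.22, 7.22EXT, "
        "7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53"
    ),
}

# One product entry: "<SAP product>, Version(s): <list>" running up to the next
# "SAP ..." entry (optionally preceded by ';') or the end of the string.
PRODUCT_RE = re.compile(
    r"(?P<product>SAP [^,]+?), Versions?: (?P<versions>.*?)(?=;? SAP |$)"
)


def parse_affected(text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Return {(product, component): {releases}}.

    component is the kernel flavour (KERNEL, KRNL64UC, KRNL64NUC) when the
    table lists releases per flavour, and '' when releases are listed directly
    under the product (Web Dispatcher, Content Server).
    """
    affected: Dict[Tuple[str, str], Set[str]] = {}
    for m in PRODUCT_RE.finditer(text):
        product, component = m.group("product"), ""
        for token in m.group("versions").split(","):
            parts = token.strip().split()
            if not parts:
                continue
            # A leading alphabetic token starts a new kernel flavour; this also
            # copes with a flavour label that is followed directly by a comma.
            if parts[0][0].isalpha():
                component, parts = parts[0], parts[1:]
            for release in parts:
                affected.setdefault((product, component), set()).add(release)
    return affected


def affected_cves(product: str, component: str, release: str) -> List[str]:
    """CVEs whose table entry lists exactly this product/component/release."""
    return [cve for cve, text in TABLE.items()
            if release in parse_affected(text).get((product, component), set())]


if __name__ == "__main__":
    # Constructed inventory entry: an ABAP system on 64-bit Unicode kernel 7.53.
    print(affected_cves("SAP NetWeaver and ABAP Platform", "KRNL64UC", "7.53"))
```

A hit means "this release appears in SAP's affected list", not "this host is exploitable": whether a given system is actually fixed depends on the kernel patch level documented in HotNews notes 3123396 and 3123427, so treat a match as a prompt to check the note, and use the Onapsis scanner (with its stated best-effort caveat) for a live determination.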

Get more information

SAP February Security Patch Day Page
Onapsis Threat Report

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


How to Secure Your Digital Wallet


The convenience of tapping your phone at the cash register instead of fumbling for loose change in your physical wallet is undeniable. Nearly 40% of Canadians used their mobile wallets more often in 2020 because of the perceived safety of contactless payment, according to one report.[1] While digital wallets and tap-to-pay are becoming more widespread, you may wonder: what exactly is a digital wallet? Are they safe?

A digital wallet, also known as a mobile wallet, is a smartphone app that stores your payment information and enables tap-to-pay at most point-of-sale terminals. A digital wallet is perfectly safe, as long as you guard your smartphone just as closely as you would your physical wallet.

Here’s why you should secure your digital wallet and three tips to help you do so. 

Why You Should Secure Your Digital Wallet 

Think about what you store in your physical wallet: credit cards, debit cards, driver’s license, library cards, gift cards, cash. Now, imagine (or if you’ve been unlucky enough to lose your wallet in the past, think back to) the hassle that would ensue if someone stole your wallet or you misplaced it. Not only do you have to cancel your cards, notify your various banks, and wait for replacements, but the niggling worry that a stranger has access to your personally identifiable information (PII) will likely keep you up at night. 

Just like you store your wallet in your front pocket when about town and check your seat before leaving a taxi or a plane, look after your smartphone just as closely. Unlike a physical wallet, whose absence is noticed quickly, a digital wallet may be compromised by a cyber pickpocket without you knowing for a while. For example, the BBC reported that researchers found a potential shortcoming in Apple Pay’s Express Transit mode where cyber pickpockets could remotely access mobile wallets.[2] Luckily, the researchers’ experiment is unlikely to occur in the real world, but it’s a reminder to everyone to check their monthly bank statements for suspicious transactions. Cybercriminals get smarter and bolder by the day, so it’s not unlikely that they’ll find and exploit a digital wallet shortcoming in the future.

Follow these tips to help you use your digital wallet more confidently.  

Tips to Protect Your Digital Wallet

1. Set a unique passcode

Always protect your digital wallet with a passcode! This is the best and easiest way to deter cybercriminals. It’s best if this combination of numbers differs from the passcode to your phone. Also, make sure the numbers are random. Birthdays, anniversaries, house addresses, and the last digits of your phone number are all popular combinations and are crackable codes to a resourceful criminal.

Better yet, if your mobile wallet app allows you to protect your account with facial recognition or a fingerprint scan, set it up! If your digital wallet proves difficult or impossible to enter, a cybercriminal may leave it for an easier target, keeping your PII safe. 

2. Update software regularly

Another way to secure your digital wallet is to make sure you always download the latest software updates. Developers are constantly finding and patching security holes, so the most up-to-date software is often the most secure. Turn on automatic updates to ensure you never miss a new release. 

3. Download digital wallet apps directly from official websites 

Before you swap your plastic cards for digital payment methods, make sure you research the digital banking app before downloading. Make sure that any app you download is through the official Apple or Android store or the financial institution’s official website. Then, check out how many downloads and reviews the app has to make sure you’re downloading an official app and not an imposter. While most of the apps on official stores are legitimate, it’s always best practice to check for typos, blurry logos, and unprofessional app descriptions to make sure. 

Be More Confident Online 

The digital era is an exciting time to make the most of the conveniences technology affords; however, constant vigilance is key to keeping your finances and PII private. Whether you’re looking for additional peace of mind or have lost your wallet, consider signing up for an identity monitoring service like McAfee identity protection. McAfee will monitor your email addresses and bank accounts and alert you to suspicious activities up to 10 months sooner than similar services. Are you curious about how secure your current online habits are? Check your Security Protection Score today and see what steps you can take to live more confidently online. 

[1] Canadian Payment Methods and Trends Report 2021

[2] BBC News

The post How to Secure Your Digital Wallet appeared first on McAfee Blog.


Breaking 256-bit Elliptic Curve Encryption with a Quantum Computer


Researchers have calculated the quantum computer size necessary to break 256-bit elliptic curve public-key cryptography:

Finally, we calculate the number of physical qubits required to break the 256-bit elliptic curve encryption of keys in the Bitcoin network within the small available time frame in which it would actually pose a threat to do so. It would require 317 × 10⁶ physical qubits to break the encryption within one hour using the surface code, a code cycle time of 1 μs, a reaction time of 10 μs, and a physical gate error of 10⁻³. To instead break the encryption within one day, it would require 13 × 10⁶ physical qubits.

In other words: no time soon. Not even remotely soon. IBM’s largest ever superconducting quantum computer is 127 physical qubits.


What are BEC scams and how to avoid them


This blog was written by an independent guest blogger.

To carry out business email compromise (BEC) fraud, a con artist impersonates an organization’s senior manager, business partner, or supplier and tries to manipulate an employee into transferring money to the wrong destination. The rogue message typically comes from a spoofed or previously hacked email address, which makes the foul play highly persuasive. Essentially, BEC is a type of phishing focused on the enterprise.

As the general fraud awareness in the corporate sector grows, malicious actors are constantly refining their tactics to make sure their scams bypass secure email gateways and slip below a vigilant recipient’s radar. Furthermore, the use of untraceable cash-out mechanisms involving gift cards and cryptocurrencies takes their operations security (OPSEC) practices a step further. Combined with clever social engineering tricks that make victims act impulsively, these rogue strategies can be incredibly effective.

The FBI reported more than $1.8 billion in losses over this cybercrime technique in 2020 alone. Companies around the world should interpret these staggering stats as a call to action in terms of hardening their defenses against the threat.

The forms of business email compromise

Whereas the common denominator in all BEC hoaxes is to make money and get away with it, the methods of achieving this goal vary. There are three top scenarios of this exploitation.

Knock-off invoices

When this classic ploy is underway, an attacker requests a wire transfer on behalf of an entity the target organization cooperates with, such as a managed service provider (MSP) or supplier. The narrative often involves an alleged change of the mimicked company’s banking credentials.

Whaling

To perpetrate this stratagem, which is also known as CEO fraud, a crook passes himself off as a person who holds an executive-level position in a company. It is usually preceded by a spear-phishing attack that results in the takeover of the victim’s email account. Sometimes felons use credentials exposed in a data breach to access the account. The impostor then contacts personnel from the finance department with a request to make an urgent payment for fictitious services.

Reaching out to business contacts

Fraudsters may try to expand the attack area by targeting a victim’s partners and contractors whose contact details and additional sensitive information were obtained in the course of the original assault. In this case, a sure-shot way to feign legitimacy is to send a dodgy wire transfer request from a real email account used by an employee of the primary victim.

Newsmaking BEC examples

Counterintuitively, this vector of cybercrime isn’t focused on big-name companies only. Nonprofits, schools, and small municipalities are frequent targets as well due to their low preparedness for such incursions. The following incidents show how intricate these attacks can get.

U.S. town ripped off

The Town of Peterborough, New Hampshire, found itself in the epicenter of a BEC scam in July 2021. Crooks used a number of spoofed email accounts and forged invoices to dupe town employees into submitting a total of $2.3 million to wrong destinations.

The attack took place in three stages. The first transfer amounted to $1.2 million and was intended for the local school district. Two more payments were supposed to go to companies constructing a local bridge. By the time the scam was discovered, the funds had been converted to cryptocurrency in a series of untraceable transactions.

One Treasure Island BEC attack

In late December 2020, scammers sucker-punched One Treasure Island, a San Francisco nonprofit that helps low-income and homeless people. The organization was hoodwinked into sending $650,000 to a party that portrayed itself as a contractor hired to implement affordable housing projects in the San Francisco Bay area.

The hoax was unearthed in January 2021 when it turned out that the intended recipient never got the funds. Investigation showed that the fraud had started with a hack of a third-party accountant’s email system. Then, criminals mishandled this access to gain a foothold in the nonprofit’s communication chains. This allowed them to change the details on the original invoices from the partnering firm, which resulted in several fraudulent transfers to accounts under crooks’ control.

The jaw-dropping Toyota swindle

A European supplier of interior parts for Toyota vehicles fell victim to a massive BEC attack in August 2019. Con artists were able to manipulate the company’s employees into sending out 4 billion Japanese yen (approximately $37 million) to the wrong bank account. There have since been no reports of whether the victim’s efforts to recover these funds were successful.

Oregon school district in the crosshairs of phishers

In August 2019, another attack was executed against Portland Public Schools, the largest school district in Oregon. The fraudster pretended to be a representative of a construction firm the institution cooperated with. The scam zeroed in on two district employees who ended up authorizing a $2.9 million payment to malefactors. The silver lining was that the crook hadn’t moved these funds out of their account by the time the incident was uncovered. The whole sum was frozen and subsequently recovered.

City in Georgia deceived by MSP copycat

A malicious party claiming to be an operator of water treatment facilities bilked the City of Griffin, Georgia, out of $802,000 in June 2019. The self-proclaimed contractor sent an email that informed city authorities about an alleged update of the bank account information. The message also requested two payments for services actually provided to the city.

Investigators found that the criminals had compromised the contractor’s computer system shortly before the raid occurred. This allowed them to concoct a legitimate-looking invoice in which the amounts of money that the firm was expecting to receive were accurate.

Make sure your organization isn’t low-hanging fruit for BEC scammers

Since this type of exploitation largely hinges on social engineering, security awareness is paramount when it comes to avoiding the worst-case scenario. Safe online practices of your employees, combined with automatic protection tools, such as Internet security software, spam filters, and secure email gateways, can forestall most of these scams. Let’s now get into detail on these precautions.

Say no to web-based email. Such services are a lure because they are free to use, but there is a serious caveat. These email addresses are easy for cybercriminals to spoof. Hosting corporate accounts on your company’s domain is a much more reasonable approach. In addition to complicating this type of foul play, it is one of the building blocks of a reputable brand and an element of business communication done right.
Be careful with messages from unknown parties. If an email received from a stranger instructs you to click a link or download an enclosed file, delete it without a second thought and go about your day.
Examine the sender’s address. When trying to impersonate a trusted individual or company, a phisher may use an email address that has minor differences from the genuine one. Pay attention to spelling inaccuracies and redundant characters to identify a hoax.
Cultivate your team’s prudence. Setting up a security awareness program is an investment that pays off. It will teach your colleagues to pinpoint red flags when working with public Wi-Fi, websites, emails, and documents.
Use the “Reply” option wisely. If you are discussing a sensitive matter over email, consider using the “Forward” button instead. It presupposes that you have to type the correct address or pick it from the address book, which eliminates the risk of engaging with a charlatan who pretends to be someone you trust.
Make the most of two-factor authentication (2FA). This awesome feature pulls the plug on unauthorized attempts to sign in to your corporate email account. If it is enabled, the password alone is not enough. Access is impossible without an extra identifier, such as biometric data or a secret code sent to your smartphone.
Monitor your email server settings. Ask your IT team to keep abreast of changes in the server’s configuration and the email exchange rules that apply to critical accounts.
Be a little paranoid about money transfer requests. Don’t hesitate to verify the legitimacy of any email that tells you to send out funds to a third party, even if it appears to come from your boss. A quick phone call can dot the i’s and cross the t’s. If you work under the same roof, there is no harm in coming up and asking.
Raise the bar for green-lighting big payments. It is a good idea to involve an extra party in the process of authorizing wire transfers where the amount exceeds a certain threshold. This will minimize the odds of a blunder.
Adjust your enterprise policies. Necessitate a thorough verification of any changes in the banking credentials and contact information of contractors, business partners, and other parties your company cooperates with.
Make external emails easy to discern. Configure your email exchange server to display a warning banner in messages that come from outside the organization. This should encourage users to look closer.
Don’t post too much personal data online. Crooks tend to do a good deal of reconnaissance before orchestrating BEC scams. For example, they may collect information about their targets on publicly available sources like social networks and personal blogs. That said, it is in your best interest to restrict the range of sensitive details you share on these services.
Know the peculiarities of your business niche. This will help you distinguish between legitimate emails and sketchy ones that don’t fit the context of your day-to-day activities.
Leverage technology. Modern Internet security applications come with anti-fraud features powered by a comprehensive database of phishing templates that are currently circulating. The use of such tools can undoubtedly add an extra layer of protection to your BEC prevention efforts.
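Several of the tips above (examine the sender's address for near-miss spellings, banner external mail, verify any change of banking details out of band) can be turned into a mail-gateway triage rule. The following is an added example written for this post, not code from the author or from any product: it folds common look-alike substitutions (digit-for-letter, "rn" for "m") out of the sender's domain, compares the result against a trusted-domain list by edit distance, tags external mail with a banner, and raises the risk level when the body asks for a payment or announces new bank details. Every domain, address and message in it is constructed and belongs to no real organisation; the edit-distance threshold is an assumed tuning value.

```python
"""Triage inbound mail for two BEC tells: sender domains that are near-misses of
trusted domains, and payment or bank-detail changes that need out-of-band
verification. Added illustration; every domain and message here is constructed."""
import unicodedata
from typing import Dict, List

INTERNAL_DOMAIN = "example-corp.com"                      # constructed
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "acme-supplier.com",  # constructed partners
                   "bridge-builders.com"}
EXTERNAL_BANNER = ("[EXTERNAL] This message came from outside the organisation. "
                   "Confirm any payment instructions by phone.")
PAYMENT_TERMS = ("wire transfer", "bank account", "banking details", "invoice", "payment")
CHANGE_TERMS = ("new account", "updated bank", "changed our bank", "new banking")


def sender_domain(from_header: str) -> str:
    """Domain part of a From header; accepts 'Name <user@host>' or bare 'user@host'."""
    addr = from_header.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'acrne' and 'examp1e' read as 'acme' and 'example'."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for look, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        folded = folded.replace(look, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> Dict[str, str]:
    """internal / trusted-partner / lookalike / external, plus the banner to prepend."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        verdict = "internal" if domain == INTERNAL_DOMAIN else "trusted-partner"
        return {"domain": domain, "verdict": verdict,
                "banner": "" if verdict == "internal" else EXTERNAL_BANNER}
    folded = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):       # assumed threshold: 2 edits
        if edit_distance(folded, normalize(trusted)) <= max_distance:
            return {"domain": domain, "verdict": "lookalike",
                    "lookalike_of": trusted, "banner": EXTERNAL_BANNER}
    return {"domain": domain, "verdict": "external", "banner": EXTERNAL_BANNER}


def triage(message: Dict[str, str]) -> Dict[str, object]:
    """Combine the sender verdict with payment-related content into a risk level."""
    result: Dict[str, object] = dict(classify_sender(message["from"]))
    body = message["body"].lower()
    result["payment_request"] = any(t in body for t in PAYMENT_TERMS)
    result["bank_change"] = any(t in body for t in CHANGE_TERMS)
    if result["verdict"] == "lookalike":
        result["risk"] = "high"       # quarantine and notify the recipient
    elif result["bank_change"] or result["payment_request"]:
        result["risk"] = "medium"     # release only after a phone call to a known number
    else:
        result["risk"] = "low"
    return result


# Constructed sample messages.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"from": "Dana Vendor <billing@acrne-supplier.com>",
     "body": "Please note our updated bank account for the attached invoice."},
    {"from": "CEO <ceo@example-corp.com>",
     "body": "I need a wire transfer processed before the board call, details to follow."},
    {"from": "newsletter@mailer.example.net",
     "body": "This month's industry digest is now available."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage(msg))
```

The internal verdict only says the From header carries your domain; a spoofed header would pass it too, so this rule belongs behind SPF, DKIM and DMARC enforcement, and a payment request from an apparently internal address still lands at "medium" for exactly the reason the list gives: verify by phone even when it seems to come from your boss.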


3 authentication-level protections for remote users and devices


Do the traditional techniques of protection still work in the age of work from home? Yes, but you need to use different rules and products. Traditional networks have been set up in the same fashion: a traditional Active Directory domain, a variety of domain controllers, workstations under the control of that domain, and all tucked behind a firewall.

Before the pandemic we had roaming laptops or users that gave us the headaches of user profiles and group policies targeted to those who stayed in the network versus those who roamed our domains. The pandemic hit and our workstations are now anywhere and everywhere. Instead of a somewhat nice and tidy domain tucked behind a series of firewalls and defenses, it is now connected to the same network as Alexa devices. The response is often to throw scanning engines and antivirus products at workstations, but all that does is delay boot up times and logging into the network.
