All posts by rocco

Oracle January 2022 Critical Patch Update Addresses 266 CVEs


Oracle addresses 266 CVEs in its first quarterly update of 2022 with 497 patches, 33 of which are rated critical.

Background

On January 18, Oracle released its Critical Patch Update (CPU) for January 2022, the first quarterly update of the year. This CPU contains fixes for 266 CVEs in 497 security updates across 39 Oracle product families. Out of the 497 security updates published this quarter, 6.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.5%, followed by high severity patches at 41.9%.

This quarter’s update includes 33 critical patches across 25 CVEs.

Severity   Issues Patched   CVEs
Critical   33               25
High       208              63
Medium     231              154
Low        25               24
Total      497              266

Analysis

This quarter, the Oracle Communications product family contained the highest number of patches at 84, accounting for 16.9% of the total patches, followed by Oracle MySQL at 78 patches, which accounted for 15.7% of the total patches.

Oracle fixes Log4Shell and associated vulnerabilities across some of its product suites

As part of the January 2022 CPU, Oracle addressed CVE-2021-44228, the Apache Log4Shell vulnerability disclosed in December 2021 as well as associated Log4j vulnerabilities that have been disclosed in the weeks since.

Oracle did not explicitly provide details within this release regarding CVE-2021-44228 and which components were affected. Instead, they broadly highlighted that applying the January 2022 CPU would address CVE-2021-44228 and CVE-2021-45046 across the following products:

Oracle Communications
Oracle Construction and Engineering
Oracle Financial Services Applications
Oracle Fusion Middleware
Oracle Retail Applications
Oracle Siebel CRM

While it’s not clear if Oracle has completed an assessment of all product families to address all occurrences of the recently disclosed Log4j vulnerabilities, we will continue to monitor for further updates. In addition to the broader message, Oracle provided some details around affected products for the other associated Log4j vulnerabilities:

CVE | Product | Component | Remote Exploit without Auth
CVE-2021-45105 | Oracle Communications WebRTC Session Controller | Signaling Engine, Media Engine (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Communications Services Gatekeeper | API Portal (Apache Log4j) | Yes
CVE-2021-45105 | Instantis EnterpriseTrack | Logging (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Integration Bus | RIB Kernel (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Financial Services Analytical Applications Infrastructure | Others (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Invoice Matching | Security (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Service Backbone | RSB Installation (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Order Broker | System Administration (Apache Log4j) | Yes
CVE-2021-45105 | Oracle WebCenter Portal | Security Framework (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Managed File Transfer | MFT Runtime Server (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Order Management System | Upgrade Install (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Point-of-Service | Administration (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Predictive Application Server | RPAS Server (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Price Management | Security (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Communications Service Broker | Integration (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Returns Management | Security (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Financial Services Model Management and Governance | Installer & Configuration (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail EFTLink | Installation (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Back Office | Security (Apache Log4j) | Yes
CVE-2021-45105 | Oracle Retail Central Office | Security (Apache Log4j) | Yes
CVE-2021-44832 | Oracle Communications Interactive Session Recorder | RSS (Apache Log4j) | No
CVE-2021-44832 | Primavera Unifier | Logging (Apache Log4j) | No
CVE-2021-44832 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Log4j) | No
CVE-2021-44832 | Oracle Communications Diameter Signaling Router | Virtual Network Function Manager, API Gateway (Apache Log4j) | No
CVE-2021-44832 | Primavera Gateway | Admin (Apache Log4j) | No
CVE-2021-44832 | Primavera P6 Enterprise Project Portfolio Management | Web Access (Apache Log4j) | No
CVE-2021-44832 | Siebel UI Framework | Enterprise Cache (Apache Log4j) | No
CVE-2021-44832 | Oracle Retail Fiscal Management | NF Issuing (Apache Log4j) | No
CVE-2021-44832 | Oracle Retail Assortment Planning | Application Core (Apache Log4j) | No
CVE-2021-4104 | Oracle Retail Allocation | General (Apache Log4j) | No
CVE-2021-4104 | Oracle Utilities Testing Accelerator | Tools (Apache Log4j) | No
CVE-2021-4104 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Log4j) | No
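Oracle's advisory names the affected products and components but not the Log4j versions they ship, so after applying the CPU a practitioner still wants an independent check of what is actually on disk. The Python script below is an added example written for this post, not Tenable's or Oracle's code. It walks a directory tree, finds log4j-core-*.jar (2.x) and log4j-1.x jars, including jars nested inside .war/.ear archives where Java applications commonly bundle third-party libraries, reads the version from the jar's Maven pom.properties or manifest, and reports which of the CVEs in the table above still apply. The thresholds are the Apache fix releases per branch (2.15.0, 2.16.0, 2.17.0 and 2.17.1 on the main line; 2.12.2, 2.12.3 and 2.12.4 on the Java 7 branch; 2.3.1 and 2.3.2 on the Java 6 branch), which goes beyond the specific products Oracle lists. The sample tree built in demo() is constructed for the demonstration. Two caveats: CVE-2021-44832 and CVE-2021-4104 only matter when an attacker can influence the logging configuration (the JDBC appender and JMSAppender respectively), which is why Oracle's table marks them as not remotely exploitable without authentication; and a vendor that mitigated Log4Shell by deleting JndiLookup.class rather than upgrading will still show the old version here, so this check reports exposure by version, not proof of exploitability.

```python
"""Inventory bundled Log4j jars under a directory tree, including jars nested in
.war/.ear archives, and map each to the Log4j CVEs it still carries. Fix versions
follow the Apache release notes; demo() builds a constructed sample tree."""
import io
import pathlib
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# log4j-core-<ver>.jar (2.x) and log4j-<ver>.jar (1.x); log4j-api and friends are not vulnerable.
JAR_NAME = re.compile(r"(?:^|[/\\])(log4j-core|log4j)-(\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"

# First release fixing each CVE on the three 2.x branches Apache patched.
FIXED_IN = {
    (2, 3):  {"CVE-2021-44228": (2, 3, 1),  "CVE-2021-45046": (2, 3, 1),
              "CVE-2021-45105": (2, 3, 1),  "CVE-2021-44832": (2, 3, 2)},
    (2, 12): {"CVE-2021-44228": (2, 12, 2), "CVE-2021-45046": (2, 12, 2),
              "CVE-2021-45105": (2, 12, 3), "CVE-2021-44832": (2, 12, 4)},
    "main":  {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0),
              "CVE-2021-45105": (2, 17, 0), "CVE-2021-44832": (2, 17, 1)},
}

def parse_version(text):
    """'2.12.1' -> (2, 12, 1); a qualifier such as '2.0-beta9' is dropped."""
    nums = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])

def classify(artifact, version):
    """Return the set of CVE IDs that still apply to this jar."""
    if artifact == "log4j":  # 1.x is end-of-life and never fixed; 4104 needs JMSAppender configured
        return {"CVE-2021-4104"}
    v = parse_version(version)
    branch = FIXED_IN.get(v[:2], FIXED_IN["main"])
    return {cve for cve, fixed in branch.items() if v < fixed}

def _version_in_jar(zf, fallback):
    """Prefer Maven pom.properties, then the manifest, then the file name."""
    for member, key in ((POM_PROPS, "version="), (MANIFEST, "Implementation-Version:")):
        try:
            text = zf.read(member).decode("utf-8", "replace")
        except KeyError:  # member absent from this jar
            continue
        for line in text.splitlines():
            if line.startswith(key):
                return line[len(key):].strip()
    return fallback

def _inspect(blob, path, findings):
    """Recurse into one zip container held in memory; record any log4j jar found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:  # truncated or not really a zip: skip it
        return
    with zf:
        m = JAR_NAME.search(path)
        if m:
            findings[path] = classify(m.group(1), _version_in_jar(zf, m.group(2)))
            return
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVE_EXT):
                _inspect(zf.read(entry), path + "!/" + entry, findings)

def scan_tree(root):
    """Walk root; return {display path: set of applicable CVE IDs} for every log4j jar."""
    findings = {}
    for p in sorted(pathlib.Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            _inspect(p.read_bytes(), p.relative_to(root).as_posix(), findings)
    return findings

def _jar(entries):  # build an in-memory jar (zip) from {entry name: str or bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed sample tree: vulnerable 2.x jars (one nested in an .ear), a 1.x jar, an api decoy."""
    samples = {
        "lib/log4j-core-2.14.1.jar": _jar({POM_PROPS: "version=2.14.1\n"}),
        "lib/log4j-core-2.16.0.jar": _jar({POM_PROPS: "version=2.16.0\n"}),
        "lib/log4j-api-2.16.0.jar": _jar({MANIFEST: "Implementation-Version: 2.16.0\n"}),
        "legacy/log4j-1.2.17.jar": _jar({MANIFEST: "Implementation-Version: 1.2.17\n"}),
        "app.ear": _jar({"APP-INF/lib/log4j-core-2.12.1.jar": _jar({POM_PROPS: "version=2.12.1\n"})}),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in samples.items():
            target = pathlib.Path(root, *rel.split("/"))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(blob)
        return scan_tree(root)

if __name__ == "__main__":
    for path, cves in sorted(demo().items()):
        print(f"{path}: {', '.join(sorted(cves)) or 'no outstanding Log4j CVE'}")
```

Point scan_tree() at an Oracle product home or a WebLogic domain directory; each finding is keyed by the on-disk path with "!/" separating nested archive members, which is what you need when raising a ticket against a specific component. Reading the version from pom.properties rather than trusting the file name catches jars that were renamed when repackaged.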

Oracle CPU Patch Breakdown

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family | Number of Patches | Remote Exploit without Auth
Oracle Communications | 84 | 50
Oracle MySQL | 78 | 3
Oracle Financial Services Applications | 48 | 37
Oracle Retail Applications | 43 | 34
Oracle Fusion Middleware | 39 | 35
Oracle Communications Applications | 33 | 22
Oracle Construction and Engineering | 22 | 15
Oracle Java SE | 18 | 18
Oracle PeopleSoft | 13 | 10
Oracle Utilities Applications | 13 | 7
Oracle Systems | 11 | 7
Oracle Supply Chain | 10 | 8
Oracle E-Business Suite | 9 | 5
Oracle Health Sciences Applications | 8 | 8
Oracle Enterprise Manager | 7 | 6
Oracle Insurance Applications | 7 | 6
Oracle Commerce | 6 | 6
Oracle TimesTen In-Memory Database | 5 | 3
Oracle Database Server | 4 | 0
Oracle Essbase | 4 | 3
Oracle HealthCare Applications | 4 | 4
Oracle Support Tools | 4 | 4
Oracle GoldenGate | 3 | 3
Oracle Hospitality Applications | 3 | 3
Oracle Big Data Graph | 2 | 2
Oracle Graph Server and Client | 2 | 2
Oracle REST Data Services | 2 | 1
Oracle Secure Backup | 2 | 2
Oracle Siebel CRM | 2 | 1
Oracle Virtualization | 2 | 0
Oracle Airlines Data Model | 1 | 1
Oracle Communications Data Model | 1 | 1
Oracle NoSQL Database | 1 | 0
Oracle Spatial Studio | 1 | 1
Oracle Food and Beverage Applications | 1 | 1
Oracle Hyperion | 1 | 1
Oracle iLearning | 1 | 1
Oracle JD Edwards | 1 | 0
Oracle Policy Automation | 1 | 1

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2022 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Oracle Critical Patch Update Advisory – January 2022
Oracle January 2022 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map

Join Tenable’s Security Response Team on the Tenable Community.


Supply chain vulnerability allows attackers to manipulate SAP transport system


A supply chain vulnerability in the SAP transport system, which allows attackers to tamper with the change management or software deployment process, has been identified by a cybersecurity provider based in Germany. SAP SE has published a patch for the issue, which threatens all SAP environments that share a single transport directory.

SAP transport system vulnerable to malicious interference

SAP software products are used by companies across the globe, many of which provide critical infrastructure, food, energy and medical supplies. Customers use the internal SAP development supply chain to add functionality and in-house developments on top of the SAP standard, and those changes move through the staging systems of the respective SAP landscape as SAP transport requests. Once a request has been released and exported to the central transport directory, it should not be modified.


The 2021 Threat Landscape Retrospective: Targeting the Vulnerabilities that Matter Most


A review of the year in vulnerabilities and breaches, with insights to help guide cybersecurity strategy in 2022 and beyond.

“We do not learn from experience… we learn from reflecting on experience.” – John Dewey, American philosopher

We all know that the best way to improve is by debriefing, especially when it comes to reviewing security events and vulnerabilities. Tenable’s 2021 Threat Landscape Retrospective (TLR) is a valuable resource for security professionals seeking to improve their understanding of the threat landscape in 2021 with a goal to improve their security in 2022. 

The Threat Landscape Retrospective is the result of tracking and analyzing government, vendor and researcher advisories on important vulnerabilities throughout the year. Tenable’s Security Response Team produces the report annually to provide a resource for cybersecurity professionals. 

In 2021, there were 21,957 new CVEs assigned from January to November, a 20% increase over 2020. There were 105 zero-day vulnerabilities disclosed, a 262% increase over the 29 zero-days in 2020. As for data breaches, our count is 1,825 in the 12 months from October 2020 to October 2021. These metrics all represent upticks from 2020’s data.

One element that felt like déjà vu as we were compiling this report was the revelation of a major security event just as the year was coming to a close. In December 2020 it was the NOBELIUM cyberespionage campaign that targeted organizations through SolarWinds, and in December 2021 it was the disclosure of the Log4Shell vulnerability.

As with SolarWinds, it is important not to let Log4Shell draw our attention away from the myriad other vulnerabilities and security events reviewed in the TLR. The study demonstrates the sheer volume of vulnerabilities facing security organizations and illustrates the challenges of reducing risk.

What’s inside the 2021 Threat Landscape Retrospective

Section one of the report reviews high-level events and trends from the year, zero days and legacy vulnerabilities. In this section we analyze the year’s top vulnerabilities and zero-days, including exploring their origin and the systems affected. For example, flaws in Microsoft Exchange and Windows Print Spooler dominated.

Section two is all about what bad actors did this year and how they did it. We review the outcome of their efforts, including data breaches, ransomware and attacks against the supply chain. 

Section three is a list and overview of every major vulnerability from the year and the vendor it affected. There are over 300 vulnerabilities in this list, with context such as the criticality of each, the events that took place and the vendor affected. In the already busy day of security personnel, the TLR helps make sense of a cacophony of vulnerabilities from a year that was unlike any other.

What you’ll learn from Tenable’s 2021 Threat Landscape Retrospective 

The challenges in securing an evolving perimeter
How ransomware groups are leveraging Active Directory vulnerabilities and misconfigurations in their attacks
Context surrounding the surge in supply chain attacks in the wake of the NOBELIUM SolarWinds incident

Get more information

Download the full report here
Attend the webinar: Tenable Research 2021 Recap and Defender’s Guidance for 2022
Blog post about 2021 Threat Landscape Retrospective Tenable.io Dashboard
Blog post about 2021 Threat Landscape Retrospective Tenable.sc Dashboard
Follow Tenable’s Security Response Team on the Tenable Community


The Prometheus traffic direction system is a major player in malware distribution


Cybercrime is fueled by a complex ecosystem of criminal groups that specialize in different pieces of the final attack chains experienced by victims. There are the malware developers, the access brokers, the spammers, the private information sellers, the botnet operators, the malvertisers and more.

One service that is often overlooked but still plays an important role in malware delivery is the so-called traffic direction system (TDS). These are networks of compromised websites and other servers whose goal is to direct victims to malware or phishing pages. Because web-based exploit kits and drive-by downloads have declined in recent years, such services have fallen out of the spotlight, but an investigation into a TDS called Prometheus shows that they still play a key role in ransomware and other malware distribution.


Are Fake COVID Testing Sites Harvesting Data?


Over the past few weeks, I’ve seen a bunch of writing about what seems to be fake COVID-19 testing sites. They take your name and info, and do a nose swab, but you never get test results. Speculation centered around data harvesting, but that didn’t make sense because it was far too labor intensive for that and — sorry to break it to you — your data isn’t worth all that much.

It seems to be multilevel marketing fraud instead:

The Center for COVID Control is a management company to Doctors Clinical Laboratory. It provides tests and testing supplies, software, personal protective equipment and marketing services — online and printed — to testing sites, said a person who was formerly associated with the Center for COVID Control. Some of the sites are owned independently but operate in partnership with the chain under its name and with its guidance.

[…]

Doctors Clinical Lab, the lab Center for COVID Control uses to process tests, makes money by billing patients’ insurance companies or seeking reimbursement from the federal government for testing. Insurance statements reviewed by Block Club show the lab has, in multiple instances, billed insurance companies $325 for a PCR test, $50 for a rapid test, $50 for collecting a person’s sample and $80 for a “supplemental fee.”

In turn, the testing sites are paid for providing samples to the lab to be processed, said a person formerly associated with the Center for COVID Control.

In a January video talking to testing site operators, Syed said the Center for COVID Control will no longer provide them with PCR tests, but it will continue supplying them with rapid tests at a cost of $5 per test. The companies will keep making money for the rapid tests they collect, he said.

“You guys will continue making the $28.50 you’re making for the rapid test,” Syed said in the video.

Read the article for the messy details. Or take a job and see for yourself.


Exploring influences on SSC grades for insurance companies


This blog was written by an independent guest blogger.

There are more online stores and services available than ever, and you are able to shop for almost anything online whether it’s groceries or insurance. There are many ways to protect yourself while browsing the internet, and one of those ways is to choose reputable businesses with strong security. 

Although there are standards for online businesses to follow, some have better safety measures in place than others. In particular, insurance companies are tempting targets for cybercriminals because they hold personal and financial information for numerous clients. SecurityScorecard (SSC) uses a variety of factors to assess a company's cybersecurity.

Let’s take a look at some of the factors that influence SSC grades among insurance providers and how insurance companies can prioritize cybersecurity.

The vocabulary of cybersecurity

Most businesses these days are paying attention to security and want their clients to know it. Businesses try to build a secure online presence through blogs, webinars, training, and more. But with all companies claiming they have stellar security, it’s important to understand some of the basics of cybersecurity that all insurance companies – and all companies in general – should be implementing. Some key focus areas include:

Network segmentation divides a network into zones and controls the traffic allowed between them, creating additional barriers that slow or stop an attacker's movement once a breach has occurred.
Attack surface is the sum of the points in a system that an attacker can use to gain access to or extract private data. Businesses must identify these weak points to focus their security efforts.
Endpoint security protects the devices that connect to the network, including the phones, laptops and tablets used by remote workers. Access for a lost or compromised device can be revoked remotely so that damage is contained.
Digital footprints are the traces of information users leave behind while browsing online. They form a trail that shows what information was accessed, but they also give attackers more information to use when targeting a company.

However, even if insurance companies are aware of these concepts and take measures to address them, there are additional factors that can impact a company’s SSC rating. 

SSC influences

Country of origin

Country of origin may impact the cybersecurity of insurance establishments for a variety of reasons. Developing countries may not have the knowledge or funding to support cybersecurity efforts. Hackers can easily exploit the outdated systems which have resulted from such circumstances. 

These exploits can be seen in the swells of cybercrime that have popped up across various countries in Africa. According to the World Bank’s Cybersecurity Multi-Donor Trust Fund project, losses from Nigeria and Kenya in 2019 were estimated at $650 million and $210 million respectively, with $3.5 billion in losses overall in Africa. The continent suffers from a shortage of cybersecurity personnel, and only 20% of African countries have the basic legal frameworks necessary to address cybercrime.

On the other hand, developed countries have the means to implement continued advancements in protecting confidential information. In addition, users in developed countries tend to be able to select an internet provider that supports faster, more secure options from the variety of providers available. 

Baseline network security and patch updates add to SSC grades, so those with more resources to build a stronger base network and roll out continuous patches are likely to have higher grades. Thus, insurance companies based in developed countries are likely to have higher scores than companies in developing countries.

Still, despite data safety innovations, attackers have been able to break through and steal vital records in every country. Everyone should recognize that, regardless of country of origin, human error is a typical avenue attackers use to get past security measures.

Sector

The three main sectors in insurance are property/casualty, life/annuity, and private health insurance. Health insurance and health care have suffered increasing risks during the pandemic. The health insurance sector may be a more appealing mark for criminals because client records can sell for up to $900 more than other personal information like credit card numbers or social security numbers. 

The sector does not directly affect SSC grades, but hacker chatter is part of the scoring system. Health insurers may have access to high ticket items, so it is possible that they may be discussed as targets. This does not mean property/casualty and life/annuity are free from these discussions. According to recent statistics, there has been a 50% uptick in the number of people buying life insurance coverage since the pandemic began, and more targets may mean more gossip about potential hits. 

Irrespective of the sector, insurers must be wary of potential internal and external breaches, which usually come through individuals. Phishing is one of the most common ways criminals gain entry to private data, typically via email attachments carrying malicious payloads. Every day, insurers send and receive emails with attachments regarding client accounts, so they must properly train employees to recognize and report phishing emails.

Key financial attributes

Capital strength, profitability, and size all have a role in cybersecurity and SSC grading. Capital strength can help businesses invest in network security, training for employees, patch rollouts, and software and services with better built-in cybersecurity features. 

Profitability and size also play a part. Higher profits and a larger client base give attackers more motive to go after that insurance company. Size also means more employees, which means more points of entry for attackers to abuse, in the form of individuals and their remotely connected devices, and more opportunity for misconfiguration, another component of the SSC grading system.

Conclusion

Insurance companies must contend with countless cyber dangers. SSC grades and the factors that influence them are paramount to understand so you can know which companies will be better able to ensure the safety of your data. Cybercriminals are persistent and will work diligently to steal sensitive information. Break-through breaches are always possible, so companies should have a plan in place to detect and address cyberattacks.


Microsoft’s Pluton security processor tackles hardware, firmware vulnerabilities


While this year's Consumer Electronics Show was impacted by COVID, that didn't stop Lenovo from announcing the first Microsoft Pluton-powered Windows 11 PCs. First announced in 2020, Pluton is a security processor that Microsoft developed in partnership with AMD and Qualcomm to provide what it calls "chip to cloud" security. Pluton is designed to remove opportunities for attackers at the hardware and firmware level and so reduce the attack surface of Windows PCs.


Russian cyberattacks on Ukraine raise IT security concerns


This past week has seen an inundation of notifications concerning Russia's overt and covert efforts to set the stage and manufacture a pretext for invading Ukraine once again. The realpolitik of the Russian efforts and the media focus is on the likelihood of Russia taking this course of action.

These preparatory actions include a widespread cyber component. CISOs of entities in defense, intelligence, or critical infrastructure should be monitoring what is taking place in Ukraine and heeding the advisories being issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft and others.

Cyberattacks on Ukraine

On January 14 at approximately 0200 hours the cyberattacks began. Within the hour, news of the hacks began appearing in Russian media. Approximately 70 Ukrainian government websites had their public-facing web presence defaced with a static message, posted in Russian, Ukrainian and Polish, that in essence told Ukrainians their personal information had been compromised and that they should "be afraid and expect the worst."


How chaos engineering can help DevSecOps teams find vulnerabilities


The words "chaos" and "engineering" aren't usually found together. After all, good engineers keep chaos at bay. Yet lately software developers are deploying what they loosely call "chaos" in careful amounts to strengthen their systems by revealing hidden flaws. The results aren't perfect (anything chaotic can't offer guarantees), but the techniques are often surprisingly effective, at least some of the time, and that makes them worthwhile.
