Category Archives: News
Walmart Discovers New PowerShell Backdoor Linked to Zloader Malware
Walmart detailed findings about an unknown PowerShell backdoor, which was potentially utilized alongside a new Zloader variant
Hotjar, Business Insider Vulnerabilities Expose OAuth Data Risks
Salt Labs also said XSS combined with OAuth can lead to severe breaches
New Research in Detecting AI-Generated Videos
The latest in what will be a continuing arms race between creating and detecting videos:
The new tool the research project is unleashing on deepfakes, called “MISLnet”, evolved from years of data derived from detecting fake images and video with tools that spot changes made to digital video or images. These may include the addition or movement of pixels between frames, manipulation of the speed of the clip, or the removal of frames.
Such tools work because a digital camera’s algorithmic processing creates relationships between pixel color values. Those relationships between values are very different in user-generated or images edited with apps like Photoshop.
But because AI-generated videos aren’t produced by a camera capturing a real scene or image, they don’t contain those telltale disparities between pixel values.
The Drexel team’s tools, including MISLnet, learn using a method called a constrained neural network, which can differentiate between normal and unusual values at the sub-pixel level of images or video clips, rather than searching for the common indicators of image manipulation like those mentioned above.
Research paper.
Less Than Half of European Firms Have AI Controls in Place
Sapio Research claims that fewer than 50% of European companies place usage and other restrictions on AI
Why You Need a Web Application Firewall in 2024
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Over the last decade, web applications have become integral to everyday life. This includes business and personal activities, facilitating everything from banking and transactions to marketing and social networking. This rise in popularity has made web applications a prime target for cybercriminals.
According to Verizon’s 2024 Data Breach Investigations Report, nearly 40% of cybersecurity incidents result from web application vulnerabilities. Businesses relying on these applications for everyday operations must implement robust security measures to ensure their app stack is resilient to threats and capable of maintaining uninterrupted service.
One of the most effective tools for safeguarding web applications is a web application firewall (WAF), which provides critical protection against a wide range of cyber threats.
Most Common Threats to Web App Security
Before we dive into how web application firewalls protect our web assets, let’s look at the most pressing security threats facing web applications in 2024. Stolen credentials are top of mind, as millions are available for sale on the dark web.
One of the most significant cyberattacks of the year involved compromised credentials from a third-party application in an attack on UnitedHealth, which jeopardized the data of one-third of Americans. Attackers were nested inside the victim’s systems for months before striking, highlighting how important real-time monitoring capabilities are for detecting suspicious behavior.
Zero-day exploits are also a common vector attackers have used in recent years to breach web applications. A zero-day vulnerability is unknown to the application vendor or the public at the time it is discovered and exploited by attackers. They can be quite dangerous if they’re not identified and patched quickly. In 2023, there were 97 reported zero-day vulnerabilities, a 50% increase from the year before.
Additionally, as web applications increasingly rely on each other to provide maximum functionality to the end user, API-related attacks have also become prevalent. App integrations must be executed correctly with strong authentication and authorization mechanisms. Input validation is also required to prevent injection attacks.
Modern WAF Solutions Are Essential to Improving Security
A web application firewall is a hardware or software-based solution used to monitor and filter HTTP traffic between a web application and the internet. WAFs provide two essential security features: traffic filtering and real-time monitoring.
WAFs use rule-based filters to inspect HTTP requests and responses. These filters detect and block a wide spectrum of attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). By analyzing traffic in real time, a WAF solution can identify and mitigate threats as they occur, foiling attacks before they can exploit vulnerabilities in the web application.
If there is any suspicious behavior from a specific account or unusual traffic patterns indicating a potential attack, the WAF can immediately flag these events and trigger response actions. These could include blocking the identified threat, alerting security teams, or other automated responses to contain and mitigate the threat. With a modern WAF, businesses essentially get an intelligent, adaptive security system that not only defends against known threats but also anticipates and mitigates emerging ones.
The Latest Advancements in WAF Technology
Attackers have become highly proficient in masking their actions. For example, they have access to millions of IPs, which allows them to bypass geolocation-based filters. They also know how to make malicious web requests without using known threat signatures that would trigger a response from security systems.
With rapidly evolving threats, WAFs are also constantly advancing to provide more comprehensive and sophisticated protection. Modern WAF solutions offer advanced features like AI-driven threat detection and automated threat intelligence updates. These technologies help the firewall minimize false positives and facilitate critical functions such as policy and rule creation.
With machine learning, next-generation WAFs leverage behavior analysis to block attacks without relying on known attack patterns and manual security rules. The WAF builds sophisticated behavioral profiles of legitimate clients based on past behavior. By definition, a hostile user will eventually depart from legitimate behavior. As soon as this happens, the WAF will block them from further network access and lateral movement.
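The two layers described above (rule-based filtering of requests, and a behavioural profile per client that catches what signatures miss) as an added example, not code from LevelBlue or any WAF product. The rules, thresholds, client addresses and request payloads are all constructed for the illustration; a real ruleset such as the OWASP Core Rule Set is far larger, and a real behavioural layer learns its baselines from observed traffic instead of hard-coding them.

```python
"""Two inspection layers of a WAF, run over constructed sample requests.

Added example: a signature (rule-based) layer plus a behavioural layer that
profiles each client, so a request carrying no known payload can still be
flagged when the client's behaviour departs from that of a normal user.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Request:
    client: str         # source address (constructed, RFC 5737 documentation ranges)
    ts: float           # arrival time in seconds
    method: str
    path: str
    query: str = ""
    body: str = ""


# Signature rules: (rule id, pattern). Deliberately tiny; production rulesets
# carry hundreds of rules and tune each one against false positives.
SIGNATURE_RULES = [
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+['\w]+\s*=\s*['\w]+", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b[\s\S]{1,64}?\bselect\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
]


def normalise(value: str) -> str:
    """Decode URL encoding twice so double-encoded payloads (%2527) are inspected decoded."""
    return unquote_plus(unquote_plus(value))


def match_signatures(req: Request) -> list[str]:
    """Return the ids of every rule that fires on the path, query string or body."""
    hits = set()
    for raw in (req.path, req.query, req.body):
        text = normalise(raw)
        for rule_id, pattern in SIGNATURE_RULES:
            if pattern.search(text):
                hits.add(rule_id)
    return sorted(hits)


class ClientProfiler:
    """Sliding-window behavioural profile per client (thresholds are assumed for the example)."""

    def __init__(self, window_s: float = 60.0, max_requests: int = 30, max_distinct_paths: int = 15):
        self.window_s = window_s
        self.max_requests = max_requests
        self.max_distinct_paths = max_distinct_paths
        self._events: dict[str, list[tuple[float, str]]] = defaultdict(list)

    def observe(self, req: Request) -> list[str]:
        """Record the request and return the behavioural anomalies it triggers."""
        events = self._events[req.client]
        events.append((req.ts, req.path))
        cutoff = req.ts - self.window_s
        events[:] = [e for e in events if e[0] >= cutoff]        # expire events outside the window
        anomalies = []
        if len(events) > self.max_requests:
            anomalies.append("request-rate")
        if len({path for _, path in events}) > self.max_distinct_paths:
            anomalies.append("path-enumeration")                # scanning behaviour, no payload needed
        return anomalies


def inspect(requests: list[Request], profiler=None):
    """Run both layers over requests in arrival order; return (request, verdict, reasons) triples."""
    profiler = profiler or ClientProfiler()
    results = []
    for req in sorted(requests, key=lambda r: r.ts):
        reasons = match_signatures(req) + profiler.observe(req)
        results.append((req, "block" if reasons else "allow", reasons))
    return results


def blocked_clients(results) -> set[str]:
    """Clients with at least one blocked request."""
    return {req.client for req, verdict, _ in results if verdict == "block"}


# Constructed sample traffic: one ordinary shopper, two payload-carrying requests,
# and one client that walks twenty distinct paths in ten seconds without any payload.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", 0.0, "GET", "/products", "category=books"),
    Request("203.0.113.10", 2.0, "GET", "/products/42"),
    Request("203.0.113.10", 5.0, "POST", "/cart", body="item=42&qty=1"),
    Request("203.0.113.55", 1.0, "GET", "/login", "user=admin%27+OR+%271%27%3D%271"),
    Request("203.0.113.77", 3.0, "POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
] + [Request("198.51.100.7", 10.0 + 0.5 * i, "GET", f"/p{i}") for i in range(20)]


if __name__ == "__main__":
    results = inspect(SAMPLE_REQUESTS)
    for req, verdict, reasons in results:
        if verdict == "block":
            print(f"{req.client:15} {req.method:4} {req.path:14} -> {verdict} {reasons}")
    print("blocked clients:", sorted(blocked_clients(results)))
```

The scanning client never trips a signature; only the behavioural layer flags it, once its distinct-path count crosses the threshold, which is the point the paragraph makes about catching attacks that avoid known patterns. The same profile can also produce false positives for legitimate crawlers, so a deployment would feed such verdicts into the SIEM correlation described later rather than block on them blindly.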
These capabilities mark a significant milestone in zero-day attack prevention, enabling detection before vulnerabilities are added to the available rulesets of known attacks. On another note, the growing role of AI for both threat detection and other enterprise purposes can be a double-edged sword. It potentially increases the attack surface and requires extra protections of proprietary machine learning models that harbor sensitive training data.
The use of AI security posture management provides continuous visibility of AI pipelines, helps detect misconfigurations in these services, and combined with WAF capabilities, facilitates proactive risk mitigation across the entire organizational infrastructure.
Other Measures to Secure Your Web Applications
As good as web app firewalls are, a strong cybersecurity program requires a multi-layered approach for comprehensive protection. The data WAFs generate is well-suited for integration with security information and event management (SIEM) software.
There, WAF traffic can be correlated with logs from other sources to help pinpoint the origin of threats, understand their scope, and respond more effectively. Additional measures you should take to maximize the security of your web applications include:
● Regular security audits: Security audits involve thorough testing and analysis of your application’s code, configuration, incoming queries and infrastructure. They help uncover security flaws or vulnerabilities that could be exploited by attackers. Since code and configurations change quite regularly, it’s important to conduct regular security audits, especially after more significant updates.
● Patch management: Application component providers and cybersecurity services regularly release updates and patches to address vulnerabilities or incorporate other security enhancements. Timely updates prevent attackers from exploiting known vulnerabilities. Before making any updates, back up your application data, databases, and configurations to prevent data loss in case something goes wrong.
● Secure coding practices: Implement secure coding practices to minimize vulnerabilities in your application code. Educate developers on secure coding standards and perform regular code reviews. Attacks like SQL injections are still prevalent because of insecure coding practices. Even if fixing these issues is simple, many applications remain vulnerable due to a lack of awareness and bad practices.
Endnote
Web applications are the backbone of nearly everything we do online. The fact that 40% of attacks use a web app as an initial vector is a worrying sign, but it also points out just how reliant we are on them for our daily operations, communication, and transactions.
Security measures like web application firewalls are no longer optional but should be the minimum standard to protect our data and online interactions. WAFs are equipped with the latest technologies to ensure prompt detection and mitigation of threats. This is the only way forward considering how creatively attackers leverage advancements in AI and machine learning to their own advantage.
US Crypto Exchange Gemini Reveals Breach
Thousands of customers of cryptocurrency exchange Gemini have had personal data compromised
Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services
Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature.
Last week, KrebsOnSecurity heard from a reader who said they received a notice that their email address had been used to create a potentially malicious Workspace account that Google had blocked.
“In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request,” the notice from Google read. “These EV users could then be used to gain access to third-party applications using ‘Sign In with Google’.”
In response to questions, Google said it fixed the problem within 72 hours of discovering it, and that the company has added additional detection to protect against these types of authentication bypasses going forward.
Anu Yamunan, director of abuse and safety protections at Google Workspace, told KrebsOnSecurity the malicious activity began in late June, and involved “a few thousand” Workspace accounts that were created without being domain-verified.
Google Workspace offers a free trial that people can use to access services like Google Docs, but other services such as Gmail are only available to Workspace users who can validate control over the domain name associated with their email address. The weakness Google fixed allowed attackers to bypass this validation process. Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services.
“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Yamunan said. “The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.”
Yamunan said none of the potentially malicious workspace accounts were used to abuse Google services, but rather the attackers sought to impersonate the domain holder to other services online.
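The mechanism Yamunan describes, one address used to sign in and a different address used to verify the token, reduces to a verify step that checks whether a token is valid without checking whom it was issued to. The following is an added illustration of that check in generic form; it is not Google's code and makes no claim about how the Workspace signup flow is implemented. The service class, addresses and token format are all constructed for the example.

```python
"""Email-verification tokens bound to the address they were mailed to.

Added example: a weak verify step that accepts any valid, unused token for
whatever account is being verified, beside a strict one that only accepts a
token issued for that very address. Addresses below are constructed.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingSignup:
    email: str          # address the signup claims control of
    issued_at: float
    verified: bool = False


class SignupService:
    def __init__(self, bind_token_to_email: bool):
        self.bind_token_to_email = bind_token_to_email
        self.pending: dict[str, PendingSignup] = {}     # email -> signup in progress
        self.tokens: dict[str, str] = {}                # token -> email it was mailed to

    def start_signup(self, email: str) -> str:
        """Create a pending account and return the token that would be mailed to `email`."""
        token = secrets.token_urlsafe(24)
        self.pending[email] = PendingSignup(email, time.time())
        self.tokens[token] = email
        return token

    def verify(self, signing_in_as: str, presented_token: str) -> bool:
        """Mark `signing_in_as` verified if the presented token is acceptable."""
        mailed_to = self.tokens.pop(presented_token, None)   # tokens are single use
        if mailed_to is None:
            return False                                      # unknown or already consumed
        account = self.pending.get(signing_in_as)
        if account is None:
            return False
        # The check the weak variant omits: the token must have been mailed to the
        # very address being verified, not merely be some valid token.
        if self.bind_token_to_email and mailed_to != signing_in_as:
            return False
        account.verified = True
        return True


def demonstrate() -> dict[str, bool]:
    """Two signups are in flight; the second's token is presented against the first's address."""
    outcomes = {}
    for label, bind in (("weak", False), ("strict", True)):
        svc = SignupService(bind_token_to_email=bind)
        svc.start_signup("holder@example.com")          # this token is only ever mailed to the holder
        other_token = svc.start_signup("other@example.net")
        outcomes[label] = svc.verify("holder@example.com", other_token)
    return outcomes


if __name__ == "__main__":
    print(demonstrate())   # weak accepts the mismatched token, strict rejects it
```

Binding the token to the pending account also gives the detection Google mentions a concrete signal: a verify request whose token subject differs from the account being verified is an anomaly worth logging even when the request is rejected.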
In the case of the reader who shared the breach notice from Google, the imposters used the authentication bypass to associate his domain with a Workspace account. And that domain was tied to his login at several third-party services online. Indeed, the alert this reader received from Google said the unauthorized Workspace account appears to have been used to sign in to his account at Dropbox.
Google said the now-fixed authentication bypass is unrelated to a recent issue involving cryptocurrency-based domain names that were apparently compromised in their transition to Squarespace, which last year acquired more than 10 million domains that were registered via Google Domains.
On July 12, a number of domains tied to cryptocurrency businesses were hijacked from Squarespace users who hadn’t yet set up their Squarespace accounts. Squarespace has since published a statement blaming the domain hijacks on “a weakness related to OAuth logins”, which Squarespace said it fixed within hours.
Friday Squid Blogging: Sunscreen from Squid Pigments
Compromising the Secure Boot Process
This isn’t good:
On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it’s not clear when it was taken down.
The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.
[…]
These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren’t clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.
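A practical check a defender can run against this finding is to read the machine's own Platform Key variable and look for the markers of a non-production key. The following is an added example, not code from Binarly or the article: it parses the EFI_SIGNATURE_LIST structure stored in the PK variable, extracts each X.509 entry and searches the certificate bytes for a marker substring. The default marker "DO NOT TRUST" is the phrase Binarly reported in the leaked AMI test key's subject; the article above does not quote the strings, so confirm the exact markers against your vendor's advisory. The efivarfs path is the Linux location of the variable; the sample certificates in the test are constructed stand-ins, not real DER.

```python
"""Check whether a Secure Boot Platform Key (PK) is a marked non-production test key.

Added example. Layout parsed (UEFI spec, EFI_SIGNATURE_LIST):
  SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
  | SignatureHeader[...] | entries, each: SignatureOwner GUID (16) + SignatureData
"""
import struct
import sys
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
PK_EFIVAR = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE_GUID}")   # Linux efivarfs
# Marker substrings of a test key. "DO NOT TRUST" is the phrase Binarly reported in the
# leaked AMI test key's subject; extend this tuple from your vendor's advisory.
UNTRUSTED_MARKERS = (b"DO NOT TRUST",)
SIGLIST_HEADER = struct.Struct("<16sIII")   # SignatureType, ListSize, HeaderSize, SignatureSize


def strip_efivar_attributes(raw: bytes) -> bytes:
    """efivarfs prepends a 4-byte attribute word to the variable data."""
    return raw[4:]


def parse_signature_lists(data: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a chain of EFI_SIGNATURE_LISTs and return (type, owner, data) for each entry."""
    entries = []
    offset = 0
    while offset + SIGLIST_HEADER.size <= len(data):
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(data, offset)
        end = offset + list_size
        if list_size < SIGLIST_HEADER.size or end > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {offset}")
        sig_type = uuid.UUID(bytes_le=type_raw)      # EFI GUIDs are stored mixed-endian
        pos = offset + SIGLIST_HEADER.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        offset = end
    return entries


def find_untrusted_certs(var_data: bytes) -> list[tuple[uuid.UUID, bytes]]:
    """Return (owner, DER) for every X.509 entry whose bytes contain a marker substring."""
    flagged = []
    for sig_type, owner, der in parse_signature_lists(var_data):
        if sig_type == EFI_CERT_X509_GUID and any(m in der for m in UNTRUSTED_MARKERS):
            flagged.append((owner, der))
    return flagged


def build_x509_signature_list(der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Wrap one DER certificate in a single-entry EFI_SIGNATURE_LIST (used to build test data)."""
    sig_size = 16 + len(der)
    header = SIGLIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, SIGLIST_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + der


def check_platform_key(path: Path = PK_EFIVAR) -> list[tuple[uuid.UUID, bytes]]:
    """Read the live PK variable and return flagged entries; [] when the variable is absent."""
    if not path.exists():
        return []
    return find_untrusted_certs(strip_efivar_attributes(path.read_bytes()))


if __name__ == "__main__":
    flagged = check_platform_key()
    for owner, der in flagged:
        print(f"PK holds a marked test certificate (owner {owner}, {len(der)} bytes of DER)")
    sys.exit(1 if flagged else 0)
```

A substring match on the DER is a coarse test, but the subject name is encoded as plain ASCII or UTF-8 inside the certificate, so it is enough to spot a key whose issuer labelled it as a test key. A positive result on a production machine means the root of trust for that device's Secure Boot chain is a key whose private half is public, and the only remediation is a firmware update from the vendor that rotates the PK.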