
CVE-2022-22948: VMware vCenter Server Sensitive Information Disclosure Vulnerability


Researchers disclose a moderate severity vulnerability in VMware vCenter Server that can be used in an exploit chain with other vCenter Server flaws to take over servers.

Background

On March 29, VMware published an advisory (VMSA-2022-0009) for a moderate severity vulnerability in VMware vCenter Server, its centralized management software for VMware vSphere cloud computing virtualization systems.

CVE             Description                                                 CVSSv3  VPR*
CVE-2022-22948  VMware vCenter Server Information Disclosure Vulnerability  5.5     6.9

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 30 and reflects VPR at that time.

The vulnerability is credited to Yuval Lazar, a security researcher at Pentera. Lazar was also credited with discovering and disclosing CVE-2021-22015, a local privilege escalation vulnerability in vCenter Server.

Analysis

CVE-2022-22948 is a local information disclosure vulnerability in vCenter Server. An authenticated, local attacker with non-administrative (low-privileged user) access to the vulnerable vCenter Server instance could exploit this vulnerability to obtain sensitive information from the server, such as credentials for a high-privileged user.

For complete analysis of this vulnerability, please refer to Lazar’s blog.

This isn’t the first information disclosure bug in vCenter Server to warrant attention. In 2020, VMware addressed CVE-2020-3952, an information disclosure vulnerability in vCenter Server that was assigned the maximum CVSSv3 score of 10.0.

Chaining exploits to achieve full server takeover

By itself, CVE-2022-22948 is a moderately severe vulnerability. However, Lazar’s research found that by chaining it with previously disclosed vCenter Server vulnerabilities, namely CVE-2021-21972 (an unauthorized file upload vulnerability) and CVE-2021-22015 (the local privilege escalation vulnerability Lazar also discovered), an attacker could potentially take full control of an organization’s ESXi servers.

Image Source: Pentera

VMware vCenter Flaws popular amongst attackers in 2021

Earlier this year, we featured CVE-2021-21985, a critical remote execution flaw in VMware vCenter and vSphere as one of the top five vulnerabilities exploited by attackers in our 2021 Threat Landscape Retrospective. While we highlighted CVE-2021-21985 specifically in the top five, it reflects a general trend of attackers targeting vCenter and vSphere using multiple flaws including CVE-2021-22005 and the aforementioned CVE-2021-21972.

Most of the VMware vulnerabilities referenced in this blog (with the exception of CVE-2021-22015) are included in the Cybersecurity and Infrastructure Security Agency (CISA)’s catalog of known exploited vulnerabilities.

Ransomware groups in particular have favored VMware vulnerabilities over the last few years. For instance, the Conti ransomware group and its affiliates have exploited multiple VMware vulnerabilities as part of their attacks to gain initial access into organizations. Since 2020, researchers have discovered that a number of ransomware groups like RansomEXX/Defray777, HelloKitty, REvil, BlackMatter and Hive have also targeted ESXi. There are also reports of an unknown ransomware group encrypting virtual machines in VMware ESXi servers.

Attack chains like the one identified by Lazar could prove to be valuable for ransomware groups and affiliates.

No in-the-wild exploitation observed

Presently, there are no indications that CVE-2022-22948 has been exploited in the wild. Because it is a local, post-authentication vulnerability, it isn’t feasible to identify exploitation attempts. However, an uptick in attempts to exploit CVE-2021-21972 might be indicative of attackers looking to leverage this exploit chain in the wild.

Because an attacker would need to exploit an initial access vulnerability like CVE-2021-21972 before being able to exploit CVE-2022-22948, we believe it’s important for organizations to ensure their VMware systems are patched and up-to-date to prevent exploitation of legacy vulnerabilities. Based on a previously shared Shodan search query for CVE-2021-21972, we’ve found that there are still nearly 3,400 publicly accessible instances of vCenter Server on the internet. While it is unclear what percentage of these instances are vulnerable to CVE-2021-21972, a cursory search of the Shodan results shows more than a few vCenter Server instances running affected versions that are six to eight years old.

Proof of concept

At the time this blog post was published, no public proof-of-concept exploit existed for CVE-2022-22948. However, Lazar’s blog post includes an example of a Python script successfully decrypting the password for a high-privileged user within the vCenter Server that can be used to take over the ESXi.

Image Source: Pentera

Solution

According to VMware’s advisory, Windows 6.5 and 6.7 versions of vCenter Server are not affected. However, the Windows 7.0 version of vCenter Server and the Virtual Appliance versions of vCenter Server are affected.

Affected Version  Fixed Version
6.5               6.5 U3r
6.7               6.7 U3p
7.0               7.0 U3d
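As an added example (not Tenable’s or VMware’s code), the following Python helper encodes the affected/fixed matrix above so that an inventory of vCenter Server builds can be triaged before scanning. It assumes version strings in the same “MAJOR.MINOR U<update><letter>” form the table uses, a platform label of either "windows" or "vcsa" (our own labels), and the page’s statement that Windows builds of 6.5 and 6.7 are not affected while 7.0 and the virtual appliance builds are.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions from VMSA-2022-0009, as listed in the table on the page.
FIXED_VERSIONS: Dict[str, str] = {
    "6.5": "6.5 U3r",
    "6.7": "6.7 U3p",
    "7.0": "7.0 U3d",
}

# Per the page: Windows builds of 6.5 and 6.7 are not affected; 7.0 and the
# virtual appliance (VCSA) builds are. Platform names are our own labels.
WINDOWS_NOT_AFFECTED = {"6.5", "6.7"}

Version = Tuple[int, int, int, str]

# Accepts "7.0 U3c", "7.0U3c" or a bare "6.7"; the update letter is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[ U<update><letter>]' into a comparable tuple.

    '7.0 U3c' -> (7, 0, 3, 'c'); '6.7' -> (6, 7, 0, ''). An absent update
    letter sorts before 'a', so '6.7 U3' is older than '6.7 U3a'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor), int(update or 0), (letter or "").lower())


def is_vulnerable(version: str, platform: str) -> Optional[bool]:
    """True if the build predates the fix, False if patched or unaffected,
    None if the release line is not covered by the advisory table."""
    parsed = parse_version(version)
    line = f"{parsed[0]}.{parsed[1]}"
    if line not in FIXED_VERSIONS:
        return None  # e.g. 6.0: not in the table, needs a manual check
    if platform.lower() == "windows" and line in WINDOWS_NOT_AFFECTED:
        return False
    return parsed < parse_version(FIXED_VERSIONS[line])


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each hostname to 'patch', 'ok' or 'review' for a (host, version, platform) list."""
    labels = {True: "patch", False: "ok", None: "review"}
    return {host: labels[is_vulnerable(ver, plat)] for host, ver, plat in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("vc-prod-01", "7.0 U3c", "vcsa"),
        ("vc-prod-02", "7.0 U3d", "vcsa"),
        ("vc-legacy-01", "6.7 U3", "vcsa"),
        ("vc-legacy-02", "6.7 U3o", "windows"),
        ("vc-old-01", "6.0 U3", "vcsa"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:14s} {status}")
```

The comparison deliberately treats the fixed build itself as not vulnerable and anything older on the same release line as vulnerable; a line absent from the table is reported for manual review rather than silently marked safe, which is the failure mode to avoid when the script is fed an end-of-life 6.0 host.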

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.

For Nessus plugin ID 159306, “VMware vCenter Server 6.5 / 6.7 / 7.0 Information Disclosure (VMSA-2022-0009),” users are required to enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan.

We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.

Enabling Paranoid Mode

To enable this setting for Nessus and Tenable.io users:

Click Assessment > General > Accuracy
Enable the “Show potential false alarms” option

To enable this setting for Tenable.sc (formerly SecurityCenter) users:

Click Assessment > Accuracy
Click the drop-down box and select “Paranoid (more false alarms)”

Get more information

VMware Security Advisory VMSA-2022-0009
Pentera Blog Post for CVE-2022-22948

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Palo Alto launches cloud-native firewall service for AWS


Palo Alto Networks has launched a new, fully managed “next-generation” firewall (NGFW) service in partnership with Amazon Web Services designed to remove the complexities of securing AWS cloud deployments. The network firewall vendor says its Cloud NGFW for AWS enables organizations to speed up cloud innovation while remaining secure.

Cloud NGFW for AWS shifts security responsibility

In a press release announcing the new service, Palo Alto Networks says it has recognized that its customers need to dedicate time and resources to building applications and running their businesses instead of managing cloud network security infrastructure. Cloud NGFW for AWS therefore shifts operational responsibility for deployment, maintenance, availability, and scale to the security vendor. “A key reason that companies have embraced the cloud is that they want to concentrate on their core competencies and leave other tasks like infrastructure and underlying services to experts like AWS,” says Anand Oswal, senior vice-president, network security at Palo Alto Networks. “As cyberattacks continue to grow in frequency and sophistication, organizations are looking for network security that is as easy to deploy as other native AWS services.”


Stalking with an Apple Watch


The malicious uses of these technologies are scary:

Police reportedly arrived on the scene last week and found the man crouched beside the woman’s passenger side door. According to the police, the man had, at some point, wrapped his Apple Watch across the spokes of the woman’s passenger side front car wheel and then used the Watch to track her movements. When police eventually confronted him, he admitted the Watch was his. Now, he’s reportedly being charged with attaching an electronic tracking device to the woman’s vehicle.


Introducing Personal Data Cleanup


We’re excited to announce the release of McAfee’s Personal Data Cleanup, a new feature that finds and removes your personal info from data brokers and people search sites. Now, you can feel more confident by removing personal info from data broker sites and keeping it from being collected, sold, and used to advertise products to you, fill your email box with spam, and even give criminals the info they need to steal your identity. Let’s look at why we’re offering McAfee Personal Data Cleanup, how it protects your privacy, and why it’s a great addition to the online protection we already offer.

Does the cost of a connected life have to be your privacy?

There’s so much to enjoy when you live a connected life – free email, online stores that remember what you like, social media that connects you to friends and influencers. It’s a world of convenience, opportunity, and incredible content. It’s also a world where your data is constantly collected.  

“Wait. Did you say my data?” 

That’s right, companies are collecting your personal data. They’re called data brokers and they make money by selling information that specifically identifies you, like an email address. They sell this information to marketers looking to target you with ads. Criminals can also use it to build profiles in service of stealing your identity and accessing your accounts. This activity takes place behind the scenes and often without consumers’ knowledge.  There are also data brokers known as people search sites that compile and sell info like home addresses, emails, phones, court records, employment info, and more. These websites give identity thieves, hackers, stalkers, and other malicious actors easy access to your info. Regardless of how your data is being used, it’s clear that these days a more connected life often comes at the cost of your privacy.  

Consumers are clamoring for more privacy online 

In a recent survey of McAfee customers, we found that 59% have become more protective of their personal data over the past six months. And it’s no wonder. Over the past two years, trends like telehealth, remote working, and increased usage of online shopping and financial services have meant that more of your time is being spent online. Unsurprisingly, more personal data is being made available in the process. This leads us to the most alarming finding of our survey – 95% of consumers whose personal information ends up on data broker sites had it collected without their consent.  

Free to enjoy privacy online with McAfee’s Personal Data Cleanup 

We created Personal Data Cleanup to make it easy for you to take back your privacy online. McAfee’s Personal Data Cleanup regularly scans the riskiest data broker sites for info like your home address, date of birth, and names of relatives. After showing where we found your data, you can either remove it yourself or we will work on your behalf to remove it. Here’s how it works: 

Set up: Input your name, date of birth, and home address.

Scan: We scan this against some of the riskiest data broker sites.

Review: Within minutes, we’ll show you where we found your personal info, and what info the sites have.

Remove: You can manually go to each site and request that your data be removed, OR upgrade to have McAfee manage the removal process on your behalf.

Ongoing: Your info can reappear as data brokers continually collect data. To ensure ongoing protection, Personal Data Cleanup enables regular scanning so it can be removed.

Start using McAfee’s Personal Data Cleanup right now 

Ready to take back your personal info online? Personal Data Cleanup is available immediately with most of our online protection plans. If you have an eligible subscription, you can start using this new feature through McAfee Protection Center, or you can get McAfee online protection here.

The post Introducing Personal Data Cleanup appeared first on McAfee Blog.


AT&T Cybersecurity earns four Cybersecurity Excellence Awards


Will Eborall, Asst VP, AT&T Cybersecurity and Edge Solutions Product Management, co-authored this blog.

The AT&T Cybersecurity team’s unwavering focus on managing risk while maximizing customer experience earns high marks from security experts and customers alike. The team garnered some well-earned official recognition of the quality of flexible services they run with the announcement that AT&T won the highest distinction Gold Award in four different service categories of the 2022 Cybersecurity Excellence Awards.

The highly competitive Cybersecurity Excellence Awards is an annual competition run by Cybersecurity Insiders that honors individuals and companies that demonstrate excellence, innovation, and leadership in information security. AT&T Cybersecurity was recognized as the top solution in the following categories:

Managed Security Services
Managed Detection and Response (MDR)
Endpoint Detection and Response
Secure Access Service Edge (SASE)

With over 900 entries across the range of Cybersecurity Excellence Awards categories, the award selection consisted of a two-part process. Finalists for each category were selected from the broader pool of nominations based on popular votes and comments received from the cybersecurity community, as well as the strength of the written nomination. Once finalists were winnowed down, Cybersecurity Insiders’ award judges took a closer look at the finalist nominations’ demonstrated explanations and examples of the leadership, excellence and results in cybersecurity afforded by the service to determine winners.

Judges awarded each of the following four services the highest Gold Award for some of the reasons described below:

AT&T Managed Security Services picked up a gold award for Managed Security Services. Some of the considerations looked at by the judges included:

As one of the largest MSSPs in the world, AT&T Cybersecurity fosters strong relationships with leading security technology providers while incubating emerging innovators to provide best-in-class services 
AT&T Managed Security Services delivers services through eight global SOCs
AT&T Cybersecurity delivers accountability with thorough communication and comprehensive reporting to clients along with coordinated responses with defined service level agreements on change requests.
During the pandemic, AT&T Cybersecurity has helped customers persevere through the various disruptions caused by COVID-19 with its managed security services.
AT&T Cybersecurity supported customers of its AT&T DDoS Defense service as well as non-subscribing customers with emergency mitigation services.

AT&T Managed Threat Detection and Response won a gold award for Managed Detection and Response (MDR). The judges picked this service based on factors that included:

AT&T Managed Threat Detection and Response combines technology, intelligence, and 24×7 expertise in a service that can be deployed faster and has a starting price that’s less than the cost to hire a single security analyst.
AT&T’s MDR service is priced by the total number of events that are analyzed, so customers don’t have to worry about limitations by assets, environments, or number of employees in their organization.
AT&T Managed Threat Detection and Response is delivered through a unified platform that offers threat intelligence updates from AT&T Alien Labs, native cloud monitoring capabilities for IaaS and SaaS environments, service transparency into SOC operations, and built-in orchestration and automation through a single pane of glass.
NHS Management, a leader in providing consulting and administrative services to individual healthcare facilities and companies gained visibility into emerging threats it didn’t have before through AT&T’s MDR service.

AT&T Managed Endpoint Security earned a gold award for Endpoint Detection and Response. The following were a few of the points that swayed judges in this category:

AT&T Managed Endpoint Security offers users top-tier security features that include tamper protection and patented AI algorithms that live on devices, automatic mapping and tracking of all endpoint activity, and IoT discovery and control.
The service offers platform integrations with AT&T Alien Labs Threat Intelligence and AT&T Alien Labs Open Threat Exchange (OTX) for better context about the endpoint threat environment
Through the AT&T Managed Endpoint Security alliance with SentinelOne, customers receive 24×7 threat monitoring and management by AT&T Security Operations Center (SOC) analysts for greater network visibility and faster endpoint threat detection.
AT&T Managed Endpoint Security provides comprehensive endpoint protection against ransomware and other cyberattacks through a unique rollback to safe state feature while also detecting highly advanced threats within an enterprise network or cloud environment.

AT&T SASE won a gold award for Secure Access Service Edge. The judges considered a number of factors, including:

AT&T was the first provider to offer a global managed SASE solution at scale, and most recently, AT&T expanded its SASE portfolio to include a new offering, AT&T SASE with Cisco.
With AT&T SASE’s combined networking and security technology and service expertise, the solutions offer a future-ready, unified solution through a single provider.
With AT&T SASE, businesses can control access for any device, connecting from any network. This enables the dynamic needs of today’s distributed workforce to deliver security-driven networking at every edge.

Winning even one cybersecurity solution award is a great distinction, but when a company is able to deliver four different award-winning offerings, we believe that’s a testament to its ability to put together an expert team that listens to the needs of its customers. AT&T Cybersecurity is proud of its results in the Cybersecurity Excellence Awards, as everyone here believes that they stand as a testament to the networking and security expertise that our customers have come to count on. Our crack team of security analysts is constantly researching the threat environment to continually defend customer environments. To learn more about some of the trends in the past year that they’ve helped organizations contend with, check out the 2022 AT&T Cybersecurity Insights Report.
