Building a Robust Vulnerability Management Program: Bridging the Gaps with RedSeal

Effective vulnerability management is essential for safeguarding your network against evolving cyber threats. Recall the Equifax data breach of 2017, which exposed the personal information of over 140 million people, including Social Security numbers and birth dates. The breach resulted from Equifax's failure to patch a known vulnerability in a web application framework, even though the patch had been available for roughly two months before the intrusion began. That gap allowed attackers to exploit the flaw and reach sensitive data. The incident highlights the need for a robust vulnerability management program that identifies and remediates security flaws promptly, before attackers can use them.

While vulnerability scanners and managers are vital tools, they aren’t foolproof. Without a complete and accurate view of your network, these tools can miss or misjudge critical vulnerabilities, leaving your organization exposed. This is where RedSeal makes a difference. By providing comprehensive network visibility, RedSeal enhances the capabilities of traditional scanners, helping you build a more robust and resilient vulnerability management program.

What can you do with RedSeal?

  1. Report missed network assets and subnets: Vulnerability scanners often overlook network assets and subnets. RedSeal’s comprehensive network visibility identifies these gaps, ensuring that all assets are accounted for and properly scanned.
  2. Visualize reachable assets: Optimizing scanner placement is crucial for effective vulnerability management. RedSeal provides a clear visualization of all reachable assets, allowing you to strategically position your scanners where they are most needed.
  3. Pinpoint access issues: Network devices and rules can sometimes block scanners from accessing certain areas. RedSeal helps identify these obstacles, ensuring that your scanners can reach every critical component of your network.
  4. Enhance risk assessment: Accurate prioritization of vulnerabilities requires additional context beyond what traditional scanners provide. RedSeal offers network and business context, improving the accuracy of your risk assessments and helping you prioritize remediation efforts more effectively.
  5. Contain unpatched vulnerabilities: RedSeal identifies precise access paths and assets for containing unpatched vulnerabilities, reducing the risk of exploitation and enhancing your response capabilities.
  6. Consolidate vulnerability data: Managing data from multiple scanners and vendors can be challenging. RedSeal consolidates this information, providing a unified view of your vulnerability landscape and streamlining your management efforts.
  7. Integrate with third-party solutions: Push scan coverage analysis to third-party solutions like Rapid7 and Tenable. RedSeal enhances the effectiveness of these tools by providing comprehensive network insights that improve scan accuracy and coverage.
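As an added example (not RedSeal code, and not a RedSeal API), the following Python script shows two of the checks above on constructed data: a scan-coverage comparison between an asset inventory and the hosts two hypothetical scanners actually reported on (items 1 and 2), and consolidation of duplicate findings from those scanners into one record per host and CVE (item 6). The subnets, hosts, scanner names and the CVE-0000-* identifiers are placeholders; CVE-2024-40766 is the SonicOS issue covered in the news roundup below.

```python
"""Scan-coverage and finding-consolidation checks.

Added example, not RedSeal's code: given an asset inventory plus the host
lists and findings exported by two hypothetical scanners, report the hosts
and subnets no scanner touched, flag scanned hosts that are missing from the
inventory, and merge duplicate findings into one record per (host, CVE).
All inputs below are constructed sample data.
"""
import ipaddress

# Order used when two scanners disagree about the same finding.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def coverage_gaps(inventory_subnets, known_hosts, scanned_hosts):
    """Compare what we believe is on the network with what the scanners saw.

    Returns a dict with sorted lists of:
      unscanned_hosts     inventory hosts with no scanner result at all
      untouched_subnets   inventory subnets in which nothing was scanned
      unknown_scanned     scanned hosts that fall outside every inventory subnet
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in inventory_subnets]
    known = {ipaddress.ip_address(h) for h in known_hosts}
    scanned = {ipaddress.ip_address(h) for h in scanned_hosts}

    unscanned = sorted(str(h) for h in known - scanned)
    untouched = sorted(str(n) for n in nets if not any(h in n for h in scanned))
    unknown = sorted(str(h) for h in scanned if not any(h in n for n in nets))
    return {
        "unscanned_hosts": unscanned,
        "untouched_subnets": untouched,
        "unknown_scanned": unknown,
    }


def consolidate(findings_by_scanner):
    """Merge (host, cve) findings from several scanners into one record each.

    findings_by_scanner maps a scanner name to a list of (host, cve, severity)
    tuples. The merged record keeps the highest severity any scanner reported
    and lists every scanner that saw the finding.
    """
    merged = {}
    for scanner, findings in findings_by_scanner.items():
        for host, cve, severity in findings:
            record = merged.setdefault((host, cve), {"severity": "info", "sources": []})
            if SEVERITY_RANK[severity.lower()] > SEVERITY_RANK[record["severity"]]:
                record["severity"] = severity.lower()
            record["sources"].append(scanner)
    return merged


# Constructed sample data (hypothetical subnets, hosts and scanner exports).
INVENTORY_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/28"]
KNOWN_HOSTS = ["10.0.1.10", "10.0.1.11", "10.0.2.5", "192.168.50.3"]
SCANNER_EXPORTS = {
    # CVE-2024-40766 is the SonicOS issue discussed elsewhere on this page;
    # CVE-0000-0001 and CVE-0000-0002 are placeholders, not real identifiers.
    "scanner-a": [
        ("10.0.1.10", "CVE-2024-40766", "high"),
        ("10.0.1.11", "CVE-0000-0001", "medium"),
        ("172.16.9.9", "CVE-0000-0001", "medium"),  # host nobody put in the inventory
    ],
    "scanner-b": [
        ("10.0.1.10", "CVE-2024-40766", "critical"),
        ("10.0.2.5", "CVE-0000-0002", "low"),
    ],
}


def run_sample():
    """Run both checks over the sample data and return (gaps, merged findings)."""
    # Scanned hosts are derived from findings here for brevity; a real export
    # carries its own host list, which should be used instead.
    scanned_hosts = {host for findings in SCANNER_EXPORTS.values() for host, _, _ in findings}
    gaps = coverage_gaps(INVENTORY_SUBNETS, KNOWN_HOSTS, scanned_hosts)
    merged = consolidate(SCANNER_EXPORTS)
    return gaps, merged


if __name__ == "__main__":
    gaps, merged = run_sample()
    for name, items in gaps.items():
        print(f"{name}: {items}")
    for (host, cve), rec in sorted(merged.items()):
        print(f"{host} {cve} {rec['severity']} (seen by {', '.join(rec['sources'])})")
```

On the sample data the 192.168.50.0/28 subnet never appears in either export, 192.168.50.3 is the inventory host nobody scanned, and 172.16.9.9 is a host a scanner found that the inventory does not know about, which is exactly the kind of gap item 1 is about. Because the scanned-host set here is derived from findings, a host that was scanned but came back clean would wrongly show up as unscanned; feed the scanner's own host list into coverage_gaps() in practice.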

Incorporating RedSeal into your vulnerability management program transforms how you approach security. By addressing the limitations of traditional scanners and leveraging RedSeal’s advanced capabilities, you can build a more resilient and responsive vulnerability management strategy.  Reach out to RedSeal or schedule a demo today to learn how to bolster your cybersecurity efforts and make the strategic move that promises long-term benefits and peace of mind.

Cyber News Roundup for September 13, 2024

Recent cybersecurity updates include the National Vulnerability Database (NVD) struggling with a critical backlog, which hampers its effectiveness in vulnerability analysis. SonicWall is dealing with a significant access control vulnerability (CVE-2024-40766) in SonicOS, currently exploited in the wild. Avis has disclosed a breach affecting nearly 300,000 customers. On a positive note, Google Cloud has introduced new air-gapped backup vaults to boost ransomware protection, and MasterCard is set to acquire Recorded Future for $2.65 billion.

Read these stories and more in today’s Cyber News Roundup.

 

The Fall of the National Vulnerability Database

The National Vulnerability Database (NVD) has experienced a significant slowdown, leaving thousands of vulnerabilities without analysis, which is critical for identifying risks. This has raised concerns in the cybersecurity community, especially as many organizations and government contractors rely on NVD for vulnerability management. The issues stem from a backlog, underfunding, and challenges in handling the increasing volume of CVEs. While alternatives like Open Source Vulnerabilities (OSV) exist, NVD remains essential for many, especially under federal requirements​. (Darkreading)

 

SonicWall vulnerability exploited in the wild

A recently patched access control vulnerability (CVE-2024-40766) affecting SonicWall's SonicOS is being exploited in the wild, BleepingComputer reports. The vulnerability affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions. SonicWall urges customers to apply the patch as soon as possible. The company adds, "SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access. Users can change their passwords if the 'User must change password' option is enabled on their account. Administrators must manually enable the 'User must change password' option for each local account to ensure this critical security measure is enforced." (BleepingComputer)

 

Car rental company Avis discloses data breach

According to notification letters sent to customers on Wednesday and filed with California's Office of the Attorney General, Avis discovered the breach last Thursday. An unknown threat actor had access to the company's business applications from August 3 until August 6 and stole "some customers' personal information, including their names and other undisclosed sensitive data." This is a developing story. (BleepingComputer)

 

Wisconsin Medicare users had information leaked in MOVEit breach

More fallout from the MOVEit breach of last year: "the Centers for Medicare & Medicaid Services (CMS), which is a federal agency that manages the Medicare program, as well as the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software." The discovery follows a second investigation into the breach conducted by WPS in May, after it received "new information" about the breach. (The Record)

 

1.7 million impacted in payment processing breach

In an ironic twist, payment gateway provider Slim CD says it has swiftly initiated an investigation into a breach affecting around 1.7 million individuals. While the company claims to be moving quickly to address the issue, the breach actually occurred in August 2023 and went undetected for almost a year, until June 2024. Information exposed in the attack includes names, physical addresses, credit card numbers, and payment card expiration dates. Despite the impact, Slim CD has not offered any free identity theft protection services to those affected, instead advising individuals to stay vigilant and order a free credit report. (BleepingComputer, The Register)

 

Avis breach impacts almost 300,000 customers

An update to a story we first brought to you on Monday: Car rental company Avis is now reporting that a breach discovered last week has impacted over 299,000 of its customers, which, according to Bleeping Computer, is less than 1% of the company’s customer base. The threat actor was able to access business applications last month and stole personal information, including names and other undisclosed data. (Bleeping Computer)

 

New RaaS operation is recruiting criminal affiliates

Palo Alto Networks' Unit 42 has published a report on Repellent Scorpius, a ransomware-as-a-service operation that surfaced in May 2024. The group distributes the Cicada3301 ransomware and conducts double-extortion attacks by exfiltrating data before deploying the ransomware. The researchers state, "Unit 42 has evidence to suggest that the Repellent Scorpius operators have developed a RaaS affiliate program. It operates a control panel for affiliates and ransom payment pages for victims, and actively recruits initial access brokers (IAB) and network intruders on Russian-language cybercrime forums." (Palo Alto Networks)

 

Earth Preta deploys new malware in the Asia-Pacific

Trend Micro is tracking new variants of malware used by the China-aligned threat actor Earth Preta (also known as "Mustang Panda"). The threat actor is using spearphishing emails and removable drives to deploy malware against government entities in the Asia-Pacific region. Trend Micro states, "Earth Preta employed a variant of the worm HIUPAN to propagate PUBLOAD into their targets' networks via removable drives. PUBLOAD was used as the main control tool for most of the campaign and to perform various tasks, including the execution of tools such as RAR for collection and curl for data exfiltration. PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option." (Trend Micro)

 

Slim CD notifies 1.7M customers of data breach

Electronic payment firm Slim CD has notified nearly 1.7 million credit card holders that their data may have been stolen after an attacker had access to its systems between August 17, 2023, and June 15, 2024. A third-party investigation uncovered the incident on June 15. Slim CD said it reviewed its data privacy and security policies and implemented additional safeguards following the incident. KnowBe4 awareness advocate James McQuiggan said, "When organizations realize that cybercriminals are inside their network for long periods, there is a gap with continuous security monitoring. Accompanied by a robust Security Incident Management (SIEM) system integrated with threat intelligence, the breach could have been detected sooner." (SC Media)

 

Google Cloud introduces air-gapped backup vaults

Google Cloud has introduced air-gapped backup vaults as part of its enhanced Backup and Disaster Recovery (DR) service, now available in preview. These vaults provide robust protection against ransomware and unauthorized data manipulation by creating immutable and indelible backups, preventing modification or deletion until a set retention period elapses. Isolated from the customer’s Google Cloud project, these air-gapped vaults reduce the risk of direct attacks on backups. (Cyber Security News)

 

Lazarus Group's VMConnect campaign spoofs Capital One

New research from ReversingLabs shows that the Lazarus Group is continuing its campaign of targeting developers with malicious software packages on open-source repositories, this time by posing as employees of the financial services firm Capital One and directing developers to a GitHub repository containing a "homework task" that lures them into running the malware. This is similar to, but distinct from, a story we reported last week in which the Lazarus Group ran the same play over LinkedIn using CovertCatch. In this case, ReversingLabs researchers say the activity is connected to a 2023 VMConnect campaign that focused on Python modules. They added, "It is clearly intended to create a sense of urgency for the would-be job seeker, thus making it more likely that they would execute the package without performing any type of security or even source code review first." (Infosecurity Magazine)

 

Mastercard buys Recorded Future

Financial payment company MasterCard announced yesterday that it will acquire the threat intelligence company Recorded Future for $2.65 billion, adding to its current portfolio of security products, which include risk assessments and transaction protection. In its press release, MasterCard noted that “Recorded Future is a well-known intelligence firm that boasts more than 1,900 clients internationally, including 45 governments and over half of Fortune 500 companies.” The firm will remain an independent subsidiary, and the deal is expected to close in the first quarter of 2025. (Cyberscoop)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Cyber News Roundup for September 6, 2024

Recent cybersecurity headlines are buzzing with urgent and dramatic developments. From a critical remote code execution flaw in Progress Software’s WhatsUp Gold to a disruptive cyberattack hitting Transport for London’s internal systems, the stakes have never been higher. Sweden is on edge over potential Russian sabotage, while a new Cicada ransomware variant is targeting VMware ESXi systems. Halliburton’s confirmation of a major data breach and the FBI’s alert on North Korean social engineering in the crypto sector only add to the urgency. Dive into these stories and more to discover what they mean for the future of cybersecurity.

 

Critical RCE flaw affects Progress Software’s WhatsUp Gold

Censys has published an advisory on a remote code execution vulnerability affecting Progress Software’s WhatsUp Gold network monitoring and management solution, SecurityWeek reports. The researchers explain, “The vulnerability exists in the GetFileWithoutZip functionality of WhatsUp Gold. An attacker can send a crafted request with directory traversal payloads to upload files to arbitrary locations on the server. By uploading malicious files, the attacker can achieve remote code execution.” Several proof-of-concept exploits have been published on GitHub, and users are urged to update to version 2023.1.3 as soon as possible. (Censys, SecurityWeek)
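The bug class Censys describes, a request-supplied file name that ends up on disk outside the directory the application intended, is easy to reproduce and to guard against. The following is an added Python example, not Progress Software's code and not specific to WhatsUp Gold's own implementation: a naive join of the kind that produces this bug, next to a resolver that rejects escapes. UPLOAD_ROOT and the sample file names are assumed values, and the caller is assumed to have URL-decoded the name exactly once before calling.

```python
"""Directory-traversal check for a file-upload handler.

Added example, not Progress Software's code: a generic illustration of the
bug class Censys describes (a file name from the request lands on disk
outside the intended directory) next to a hardened resolver. UPLOAD_ROOT
is an assumed location; the file names are constructed test inputs. The
caller is assumed to have URL-decoded the name exactly once before calling.
"""
import posixpath

UPLOAD_ROOT = "/srv/uploads"  # assumed base directory, not a real product path


def unsafe_upload_path(filename):
    """Vulnerable pattern: join the user-controlled name onto the root and trust it.

    '../' segments walk out of UPLOAD_ROOT, and an absolute name makes
    posixpath.join discard the root entirely.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def safe_upload_path(filename, root=UPLOAD_ROOT):
    """Resolve filename under root, or raise ValueError if it would escape.

    Steps: reject NUL bytes, treat backslashes as separators, strip leading
    separators so the name is always relative, normalise dot segments, then
    confirm the result still lies strictly beneath root.
    """
    if "\x00" in filename:
        raise ValueError("NUL byte in file name")
    relative = filename.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes upload root: {filename!r}")
    return candidate


def escapes_root(filename):
    """True if the hardened resolver rejects this name."""
    try:
        safe_upload_path(filename)
        return False
    except ValueError:
        return True


# Constructed test inputs: one benign name and several traversal attempts.
SAMPLE_NAMES = [
    "reports/q3.txt",
    "../../etc/cron.d/backdoor",
    "/etc/passwd",
    "reports/../../escape.txt",
    "..\\..\\windows\\win.ini",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict = "REJECT" if escapes_root(name) else "ok    "
        print(f"{verdict} {name!r:32} naive -> {unsafe_upload_path(name)}")
```

The check is purely lexical: it says nothing about symlinks already inside the root, so on a real filesystem resolve the final path with os.path.realpath() and repeat the prefix test before opening the file. Note that the hardened resolver does not reject an absolute name such as /etc/passwd; it strips the leading slash and sandboxes the name under the root, whereas the naive join silently discards the root and returns /etc/passwd itself.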

 

Transport for London suffers cyberattack

The local government body responsible for most of the transport system in Greater London is currently dealing with a cyberattack, but representatives state that there is no evidence that customer information was compromised during the incident. The BBC has stated that the attack mainly impacted the transport provider’s backroom systems at the corporate headquarters. (BBC News)

 

Sweden warns of heightened risk of Russian sabotage

Sweden's security services have reported an increase in sabotage attempts, such as mapping drones flown over defense facilities, along with "more aggressive" espionage, cyberattacks and disinformation. The activity appears linked to Sweden's support for Ukraine and its accession to NATO. Companies large and small involved in manufacturing weapons and related technologies have seen heightened espionage, as well as disinformation questioning the reliability of Swedish military products. (The Guardian)

 

New Cicada variant preys on VMware ESXi systems

Cicada3301, a new ransomware-as-a-service group, has already been busy: its leak site lists 23 victims since mid-June. Its ransomware is written in Rust and targets both Windows and Linux/ESXi hosts. Researchers at Truesec analyzed a variant that targets VMware ESXi systems and say it appears to be a port of the Windows malware. They added that "the Cicada3301 ransomware has several interesting similarities to the ALPHV ransomware." (Security Affairs)

 

SlowTempest espionage campaign unfolds within China

Researchers at Securonix are tracking a highly coordinated espionage operation targeting people and organizations within China that appears to be the work of a group with deep knowledge of Chinese language and culture. The attackers' goals appear to be espionage, persistent access and potential sabotage, with the end aim of infiltrating government or high-profile business sectors. The researchers cannot say where the attacks originate or who is behind them, but they note that the operation is designed not just to gain access to victims but to maintain it in pursuit of broader strategic objectives, potentially aligned with state-sponsored activity. (The Record)

 

Fake GlobalProtect VPN installers deliver WikiLoader

Threat actors are luring users to fake installer pages for Palo Alto Networks' GlobalProtect VPN client in order to deliver WikiLoader, a sophisticated malware loader, researchers at Palo Alto Networks report. Active since late 2022, WikiLoader primarily spread via phishing but recently shifted to SEO poisoning that steers searchers to the fake installer pages. The malware uses evasion techniques including DLL sideloading and shellcode decryption, making detection difficult, and its operators use compromised WordPress sites and MQTT brokers for command and control. It establishes persistence through scheduled tasks and hides among more than 400 files within a malicious archive. Despite its complexity, it was detected by Cortex XDR through behavioral indicators. Recommended mitigations include better detection of SEO poisoning, robust endpoint protection, and application allowlisting. (Cyber Security News)

 

Voldemort malware delivered via social engineering

Proofpoint describes a social engineering campaign that's impersonating tax authorities in Europe, Asia, and the US in order to deliver a custom strain of malware dubbed "Voldemort." The researchers explain, "The attack chain comprises multiple techniques currently popular within the threat landscape as well as uncommon methods for command and control (C2) like the use of Google Sheets. Its combination of the tactics, techniques, and procedures (TTPs), lure themes impersonating government agencies of various countries, and odd file naming and passwords like 'test' are notable. Researchers initially suspected the activity may be a red team, however the large volume of messages and analysis of the malware very quickly indicated it was a threat actor." The researchers don't attribute the activity to any particular threat actor, but they believe the campaign's goal is cyberespionage. (Proofpoint)

 

Halliburton confirms data stolen in cyberattack

Following up on a story from last week on Cyber Security Headlines, the U.S. oil service giant confirmed Tuesday that corporate data was stolen from its computer systems during a ransomware attack it suffered in August. Halliburton stopped short of confirming a ransomware extortion scheme but said significant portions of its IT systems were disrupted. The company said it engaged law enforcement to help identify exactly what data was stolen and who they will need to notify. The company’s acknowledgement comes on the heels of CISA, the FBI, and HHS blaming the RansomHub gang for the attack. (SecurityWeek)

 

FBI warns crypto firms of aggressive North Korean social engineering

On Tuesday, the FBI warned that North Korean hacking groups are aggressively targeting crypto company employees in sophisticated social engineering attacks. After the threat actors identify specific DeFi and crypto businesses, they target employees with offers of new employment or investment opportunities to deploy crypto-stealing malware. The communications use fluent English and leverage detailed personal information to boost credibility and appeal. The FBI added that the threat actors are also well-versed in the technical aspects of cryptocurrency. The FBI provided a list of indicators associated with North Korean social engineering activity and best practices for companies to lower the risk of compromise. (BleepingComputer and The Record)

 

North Korean social engineering attacks target the cryptocurrency sector

The US Federal Bureau of Investigation (FBI) has issued an advisory on North Korean social engineering campaigns targeting employees in the cryptocurrency industry. The Bureau notes, “North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products. For companies active in or associated with the cryptocurrency sector, the FBI emphasizes North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products.” (FBI)

 

Iran paid at least $3 million in ransom following attack on banking system

POLITICO reports that Iran paid at least $3 million in ransom last month to extortionists who threatened to leak information stolen from up to 20 Iranian banks. The hacking group “IRLeaks” claimed to have stolen personal and financial data belonging to millions of Iranians. Iran hasn’t acknowledged the incident, but the country’s supreme leader said in the wake of the attack that the US and Israel are attempting “to spread psychological warfare to push us into political and economic retreat and achieve its objectives.” POLITICO cites sources as saying that IRLeaks is likely a financially motivated group, unaffiliated with a nation-state. (Politico)

 

Indictments follow swatting attack on CISA boss Easterly

Following up on the story from last December in which a swatting call targeted the home of CISA Director Jen Easterly, two individuals have now been indicted for instigating that attack along with roughly 100 other threats against U.S. politicians, members of Congress and senior federal law enforcement officials. The two, both in their 20s, are from Romania and Serbia. (The Record)

 

Cisco issues patches for smart licensing utility

Cisco has patched two issues in its Smart Licensing Utility. The first would allow unauthenticated attackers to access sensitive information or log in as administrators; it exists due to "an undocumented static user credential for an administrative account present in the Utility." The second is due to "excessive verbosity in a debug log file, which could allow an attacker to send a crafted HTTP request and obtain log files containing sensitive data, including credentials." Since there are no workarounds, Cisco recommends migrating to Smart Licensing Utility version 2.3.0. (SecurityWeek)

 


Unmasking the Shadows: Proactively Identifying and Minimizing Your Attack Surface

At Black Hat 2024, RedSeal’s CTO Wayne Lloyd and Technical Director Arron Lowe took the stage to unveil strategies designed to fortify your organization’s defenses. During this presentation, they dive deep into innovative methods for reducing your vulnerability landscape, emphasizing how to map your network without relying on traditional scans to uncover hidden threats.

Check out a replay of this informative breakout to discover how to leverage network zones and policies to streamline your defenses and implement effective incident response tactics to mitigate the impact of potential attacks. Witness live demonstrations of attack path modeling, showcasing how adversaries can exploit and navigate your network. This session provides invaluable insights into staying ahead of increasingly sophisticated threats and enhancing your overall security posture.