Cyber News Roundup for November 8, 2024

In this week’s cybersecurity roundup, we delve into the latest threats and vulnerabilities impacting organizations worldwide. From North Korean hacking campaigns targeting remote workers with fake job offers to alarming ransomware attacks on the healthcare sector, the landscape of cyber threats continues to evolve. We also highlight critical vulnerabilities in major software platforms, phishing schemes exploiting copyright claims, and the potential misuse of AI in uncovering security flaws. Stay informed as we explore these developments and their implications for your organization’s security posture.

North Korean campaigns pursue fake jobs and remote workers

Hackers are increasingly exploiting vulnerabilities among remote workers, often using tactics like “vishing” to impersonate IT staff and steal sensitive information. Recently, Zscaler uncovered two North Korean campaigns, “Contagious Interview” and “WageMole,” aimed at bypassing financial sanctions by securing remote jobs under false identities. The Contagious Interview campaign lures developers with fake job postings, infecting them with JavaScript-based malware BeaverTail and Python-based InvisibleFerret, which exfiltrates data via encrypted HTTP protocols. This malware targets developers on Windows, Linux, and macOS, affecting victims primarily in India, Pakistan, Kenya, and Nigeria.

Stolen identities from these attacks fuel the WageMole campaign, allowing operatives to land remote jobs in Western firms. These operatives use AI-generated documents, portfolios, and even voice-over tools to pass interviews, impersonating experienced developers. Zscaler advises companies to verify employment history, use virtual environments for suspicious files, and authenticate applicant identities to combat these tactics. (Cyber Security News)

Interlock ransomware gang aims at U.S. healthcare, IT and government

Interlock is apparently a new ransomware group that has been observed conducting targeted attacks across numerous sectors, including healthcare, IT, and government in the U.S. and manufacturing in Europe. Researchers at Cisco Talos state, in a report published yesterday, that Interlock employs both “big-game hunting” and double-extortion tactics. The group operates a leak site called Worldwide Secrets Blog to publish stolen data. Initial access currently comes through a fake Google Chrome browser updater that installs a remote access tool disguised as a legitimate update. This RAT establishes a secure C2 connection and also “installs a credential-stealing component, allowing Interlock to capture login details for online accounts. Interlock’s arsenal extends beyond simple data collection. The group effectively evades detection by disabling Endpoint Detection and Response and clearing event logs.” Cisco Talos has also noted a potential connection between Interlock and the Rhysida ransomware group, citing overlapping attack techniques, tools and code. (InfoSecurity Magazine)

Hewlett Packard warns of critical RCE flaws in Aruba Networking software

The company has released updates for Instant AOS-8 and AOS-10 software “to address two critical vulnerabilities in Aruba Networking Access Points, which could allow a remote attacker to perform unauthenticated command injection by sending specially crafted packets to Aruba’s Access Point management protocol (PAPI) over UDP port 8211.” The flaws, which have been assigned CVE numbers, carry severity scores of 9.8 and 9.0 and exist in the command line interface service, which is accessed via the PAPI protocol. (BleepingComputer)

Malware delivered in copyright violations notifications

Researchers at cybersecurity firm Check Point are warning of a large-scale campaign targeting entertainment, media and technology companies in the United States, Europe, East Asia, and South America, in which spear-phishing emails claim copyright violations. The emails are sent from Gmail accounts and appear to come from the legal representatives of well-known companies. The messages accuse recipients of misusing the company’s brand on social media platforms and request that the content be removed. The removal instructions are in a password-protected file which, of course, deploys the malware: in this instance version 0.7 of the Rhadamanthys stealer, which, as Recorded Future’s Insikt Group notes, incorporates artificial intelligence (AI) for optical character recognition (OCR). (The Hacker News)

CISA observed no significant malicious activity impacting election

US Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said yesterday that the agency has “seen no evidence of malicious activity impacting the security or integrity of election infrastructure,” the Record reports. Easterly stated in a press call, “While at the national level we saw some minor disruptive activity throughout the day, that activity was largely expected and planned for.” The FBI issued a statement on a series of bomb threat hoaxes against polling centers, noting that many of the threats were sent from Russian email addresses. Easterly pointed out that this doesn’t necessarily mean the threats originated from Russia, and the federal government hasn’t made any official attributions. Easterly added that Americans should be prepared “for continued attempts by our foreign adversaries to use false narratives and disinformation to undermine American confidence and the legitimacy of election.” (The Record)

Nokia says it has no evidence that hackers breached company data

On Tuesday, known Serbian threat actor, IntelBroker, claimed they swiped Nokia’s internal data, including SSH keys, source code, and internal credentials, and intend to sell it on BreachForums for $20,000. IntelBroker claims they breached a third-party contractor that develops some of Nokia’s internal tools. Nokia confirmed they are investigating the report, and said they have “found no evidence” of their systems or data being impacted. Given that IntelBroker has carried out a number of high-profile data thefts from entities including Apple, the US House of Representatives, Europol, and GE, odds are good that the threat actor’s claims are legitimate. (Dark Reading)

Cisco bug lets hackers run commands as root on access points

Cisco has fixed a maximum-severity vulnerability (CVE-2024-20418) in the management interface of Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) access points, which provide connectivity for industrial wireless automation. The issue allows an unauthenticated threat actor to run low-complexity command injection attacks with root privileges on vulnerable access points, without requiring any user interaction. Cisco’s advisory says affected Catalyst access points and clients would need to have the URWB operating mode enabled to be vulnerable. Cisco’s Product Security Incident Response Team (PSIRT) has yet to discover evidence of publicly available exploit code or attacks in the wild. (Bleeping Computer)

Hackers increasingly use Winos4.0 in attacks

On Wednesday, Fortinet reported that hackers are targeting Chinese-speaking Windows users with the malicious Winos4.0 framework through seemingly benign gaming apps. The attacks leverage Search Engine Optimization (SEO) tactics, social media, and messaging platforms like Telegram to distribute the malware. When victims execute the installers, they initiate a multi-step infection process. Ultimately, Winos4.0 collects system and environment information (e.g., IP address, OS details, CPU), checks the host for anti-virus and monitoring software, gathers crypto wallet extensions, maintains a backdoor connection to the C2 server, and exfiltrates user data files. (Bleeping Computer and The Hacker News)

Volt Typhoon breached Singtel as ‘test-run’ for U.S. telecom attacks

Over the summer, the Chinese threat group Volt Typhoon reportedly breached the Singaporean telecom company Singtel. According to Bloomberg, “two people familiar with the matter” told the news outlet that the Singtel breach was “a test run by China for further hacks against US telecommunications companies.” Bloomberg said its sources confirmed that Volt Typhoon used a web shell in the Singtel breach. This aligns with an August report from Lumen Technologies, which warned that Volt Typhoon had abused a Versa SD-WAN vulnerability (CVE-2024-39717) to plant credential-harvesting web shells on customers’ networks. More recently, another Chinese-government-backed group, Salt Typhoon, was accused of breaching the infrastructure of Verizon, AT&T, and Lumen Technologies, although all three companies have declined to comment on those incidents. China has repeatedly denied these accusations. (The Register)

Okta vulnerability affects accounts with long usernames

Okta has disclosed an authentication bypass vulnerability affecting accounts with usernames that are 52 characters or longer, the Register reports. When certain conditions were met, an attacker could log into one of these accounts without a password. The company issued a patch for the flaw on October 30th.

The vulnerability could be exploited if the following conditions were met (quoting Okta’s advisory):

  • Okta AD/LDAP delegated authentication is used
  • MFA is not applied
  • The username is 52 characters or longer
  • The user previously authenticated creating a cache of the authentication
  • The cache was used first, which can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic
  • The authentication occurred between July 23rd, 2024 and October 30th, 2024

(Okta, The Register)
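As an added illustration, not code from Okta, The Register or RedSeal, the six conditions above can be turned into a retrospective audit that a defender runs over exported sign-in records: it reports which accounts were actually exposed during the window and, for every other record, which condition spared it, which is the information an identity team needs to decide who must rotate credentials. The record layout and field names (delegated_ad_ldap, mfa_applied, served_from_cache) are assumptions about what an identity-provider audit export might contain, and the sample rows are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Threshold and date window taken from the advisory conditions quoted above.
USERNAME_MIN_LEN = 52
WINDOW_START = date(2024, 7, 23)
WINDOW_END = date(2024, 10, 30)


@dataclass(frozen=True)
class AuthEvent:
    """One successful sign-in, as a hypothetical row exported from an
    identity-provider audit log. Field names are assumptions, not Okta's."""
    username: str
    delegated_ad_ldap: bool   # Okta AD/LDAP delegated authentication in use
    mfa_applied: bool         # an MFA factor was enforced for this sign-in
    served_from_cache: bool   # agent unreachable, cached credential check used
    when: date


def unmet_conditions(ev: AuthEvent) -> list[str]:
    """Return the advisory conditions this event does NOT satisfy.
    An empty list means every condition held, i.e. the account was exposed."""
    unmet = []
    if not ev.delegated_ad_ldap:
        unmet.append("AD/LDAP delegated authentication not used")
    if ev.mfa_applied:
        unmet.append("MFA applied")
    if len(ev.username) < USERNAME_MIN_LEN:
        unmet.append(f"username shorter than {USERNAME_MIN_LEN} characters")
    if not ev.served_from_cache:
        unmet.append("cached authentication not used")
    if not (WINDOW_START <= ev.when <= WINDOW_END):
        unmet.append("outside the July 23 - October 30, 2024 window")
    return unmet


def flag_exposed_accounts(events) -> list[str]:
    """Usernames for which at least one sign-in met all of the conditions."""
    return sorted({ev.username for ev in events if not unmet_conditions(ev)})


# Constructed sample audit rows (not real accounts). The two long usernames
# are 53 and 54 characters; the short one is 21.
LONG_USER = "jane.doe@engineering.emea.subsidiary.example-corp.com"
LONG_USER_MFA = "bob.smith@engineering.emea.subsidiary.example-corp.com"
SHORT_USER = "jdoe@example-corp.com"

SAMPLE_EVENTS = [
    # exposed: delegated, no MFA, long name, cache used, inside the window
    AuthEvent(LONG_USER, True, False, True, date(2024, 9, 14)),
    # same account, but the agent answered so the cache was not consulted
    AuthEvent(LONG_USER, True, False, False, date(2024, 9, 15)),
    # long name, but MFA was enforced
    AuthEvent(LONG_USER_MFA, True, True, True, date(2024, 8, 2)),
    # short username, everything else matches
    AuthEvent(SHORT_USER, True, False, True, date(2024, 8, 2)),
    # long name and cache used, but signed in after the October 30 fix
    AuthEvent(LONG_USER, True, False, True, date(2024, 11, 2)),
]


def report(events) -> str:
    """Human-readable triage summary: exposed accounts first, then the
    reason each remaining sign-in was not exposed."""
    lines = ["Accounts with at least one exposed sign-in:"]
    lines += [f"  {u}" for u in flag_exposed_accounts(events)] or ["  (none)"]
    lines.append("Sign-ins not exposed, with the condition that failed:")
    for ev in events:
        unmet = unmet_conditions(ev)
        if unmet:
            lines.append(f"  {ev.when} {ev.username}: {'; '.join(unmet)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

Only the first sample row satisfies every condition, so the report names one exposed account and explains, for each of the other four rows, the single condition that was not met. On a real export the same function would be run over the whole window, and the flagged accounts are the ones whose credentials should be treated as potentially used without a password.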

Schneider Electric breached for second time this year

Schneider Electric confirmed a breach on its developer platform after a threat actor named “Grep” claimed to have stolen 40GB of data from the company’s JIRA server. The intruder reportedly used exposed credentials and a MiniOrange REST API to scrape 400,000 rows of user data, including 75,000 unique email addresses and full names of Schneider Electric employees and customers, though the company emphasized that its products and services remain unaffected. Grep, who is part of a newly formed hacking group called International Contract Agency (ICA), had threatened to leak the data if the company did not acknowledge the breach, so we’ll have to wait and see what the threat actor does next. This is not the first time Schneider Electric has been breached this year: in January the company’s sustainability division was hit by ransomware and terabytes of data were allegedly stolen. (Bleeping Computer)

Google claims first vulnerability found using AI

Google’s Big Sleep project, a collaboration between Project Zero and DeepMind, recently uncovered its first real-world vulnerability: a stack buffer underflow in SQLite. Found with the help of an AI model in October, this flaw went undetected by traditional fuzzing, sparking interest in AI as a supplementary tool for vulnerability research. An argument could be made, though, as to whether this was actually the first time a large language model (LLM) was used to discover a vulnerability: a security researcher with Neuroengine said he discovered a zero-day using an LLM in April, publishing his results in June, but tells InfoSecurity Magazine he believes Google’s announcement was an “honest mistake.” (InfoSecurity Magazine, Security Week)

New phishing attack infects Windows with Linux VMs

A phishing campaign named CRON#TRAP is deploying Linux virtual machines via phishing emails to infiltrate Windows systems with minimal detection. This attack, identified by Securonix, uses a fake “OneAmerica survey” email that installs a 285MB ZIP file containing a QEMU VM preloaded with a backdoor. Using the tool Chisel for tunneling, attackers can communicate covertly with the VM, bypassing traditional security due to QEMU’s legitimate status. (Bleeping Computer)

Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.

Securing the IC: Major Cybersecurity Takeaways from DoDIIS 2024

Last week at the 2024 DoDIIS conference in Omaha, along with RedSeal experts Jeff Spugnardi and Steve Terrell, we engaged in critical discussions about the latest advancements and challenges in cybersecurity. Zero Trust continues to dominate conversations across the Intelligence Community (IC), solidifying its role as more than a buzzword—no longer an exploration, Zero Trust is a fundamental shift in cyber defense strategies for federal agencies.

The push for Zero Trust in the federal government officially began in 2021 when an executive order directed agencies to enhance their cybersecurity posture by adopting a Zero Trust architecture. This order marked a significant shift, emphasizing stringent access controls, identity verification, and data protection to defend against increasingly sophisticated cyber threats. Following this, the Office of Management and Budget (OMB) outlined a Federal Zero Trust Strategy in early 2022, establishing a five-pillar framework: Identity, Devices, Networks, Applications and Workloads, and Data. These pillars provide a comprehensive structure for agencies to implement Zero Trust principles across their networks and secure sensitive data effectively.

One key takeaway from the conference was the emphasis on moving from network-centric to data-centric defenses. As Major General John Phillips from EUCOM discussed, defending data requires a mindset that goes beyond traditional perimeter-based security. This change is particularly relevant in the era of cloud adoption and remote work, where information assets are dispersed across a wider digital landscape. The shift to a data-centric Zero Trust model aligns with the IC’s goal to ensure that sensitive data remains protected, even within highly controlled environments like the JWICS network used by the Department of Defense. RedSeal can proactively protect disconnected networks as well, with no agents or bots placed on your networks.

It also aligns with RedSeal’s focus on helping organizations visualize, monitor, and analyze complex network infrastructures, gaining a comprehensive view of potential vulnerabilities across cloud, hybrid, and on-premises environments. The first step in security is knowing what you have; RedSeal’s comprehensive model ensures that security teams have a clear understanding of how data flows within and across these environments.

As Major General John Phillips noted, data protection goes beyond traditional perimeter defenses. RedSeal’s continuous network assessment and risk prioritization tools help identify and secure sensitive data at every point in its lifecycle. By mapping the network’s entire digital terrain, RedSeal allows agencies to enforce access policies and detect areas of potential compromise before they’re exploited.

This proactive approach directly supports the IC’s goal to protect sensitive data in dispersed and high-risk environments, such as JWICS and other airgap networks. In short, RedSeal empowers cybersecurity teams to operationalize Zero Trust principles effectively, moving from a reactive to a resilient security stance in line with today’s complex digital landscapes.

Speakers at the conference, including NSA’s Jennifer Kron, highlighted that Zero Trust is a journey, not a one-time deployment. As agencies operationalize cyber defenses, they’re also striving to create a maturity model to assess progress across Zero Trust pillars, from identity management to data protection. Leaders underscored the importance of training cyber defenders to adapt to this paradigm, equipping them with skills to safeguard information, not just networks.

RedSeal’s solutions play a pivotal role in supporting these Zero Trust efforts, as our platform provides continuous visibility into complex network environments and helps agencies assess the maturity of their Zero Trust architecture. Recently recognized with a Breakthrough Award for our innovation in cybersecurity, RedSeal is committed to empowering organizations to secure their critical assets, map their attack surface, and identify vulnerabilities before adversaries do. For those looking to bolster their Zero Trust strategies, RedSeal offers the tools and expertise needed to stay ahead in today’s evolving threat landscape.

Contact us to learn how we can support your organization’s Zero Trust journey.

Cyber News Roundup for November 1, 2024

Recent events underscore the pressing challenges and threats facing both public and private sectors. From allegations of foreign interference in U.S. telecom networks to significant data breaches affecting millions, the need for enhanced security measures and proactive strategies has never been more critical. Today’s roundup of cyber news from around the globe explores key developments, including government investigations into hacking incidents, initiatives aimed at safeguarding tech startups, and the urgent call for better healthcare security practices, highlighting the global implications of these cybersecurity concerns.

US government investigates Chinese hacking of US telecom infrastructure

The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) will investigate alleged Chinese hacking into US telecom networks, which may have targeted presidential campaign communications, BankInfoSecurity reports. The New York Times reported on Friday that Chinese hackers targeted phones belonging to former president Trump and his running mate Senator JD Vance as part of “a wide-ranging intelligence-collection effort.” The operation also targeted staffers of Vice President Kamala Harris and prominent politicians on Capitol Hill. The FBI and CISA issued a joint statement saying that the US government “is investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” (BankInfoSecurity, NYT)

Five Eyes launches startup security program

Last year, the UK’s GCHQ National Cyber Security Centre and MI5’s National Protective Security Authority launched Secure Innovation, a program designed to help secure tech startups from state-backed threats. After the first-ever public meeting of the heads of the Five Eyes domestic intelligence agencies, the UK, US, Canada, New Zealand, and Australian governments agreed to launch regionalized versions. Secure Innovation provides basic advice on protecting technology, using simple questions to create a personalized action plan. The UK found over 500 startups engaged with the Secure Innovation program in its first year. (Infosecurity Magazine)

Russia might fork the Linux community

In a statement to local media, the Russian digital ministry said it plans to create an “alternative structure” and an independent development community around Linux. This statement came after the Linux community delisted 11 Russian kernel maintainers, later explaining that it would add restrictions to developers whose companies are controlled by anyone named on the US Office of Foreign Assets Control list. Russia called this “an act of discrimination.” Linux creator Linus Torvalds doubled down on the action, saying the decision “is not getting reverted.” (The Record)

A call for a proactive approach to healthcare security

In an op-ed for Cyberscoop, US Representative Mark Green made the case for a proactive approach to healthcare security with closer collaboration between the public and private sectors. He called for greater accountability from the small group of vendors that dominate most IT systems and asked for a mandate for CISA to identify cross-sector points of vulnerability. The piece also made the case for treating basic cybersecurity hygiene as a critical investment, noting that almost 40% of healthcare providers have no data leak contingency plans. He closed by calling for collaboration to streamline federal cybersecurity hiring and better secure the open-source supply chain. (Cyberscoop)

Change Healthcare data breach confirmed as largest-ever in U.S. healthcare history

UnitedHealth Group (UHG) has confirmed that more than 100 million individuals were impacted during the ransomware attack on its subsidiary, Change Healthcare, in February making it the largest known digital theft of U.S. medical records in history. UHG’s CEO confirmed cybercriminals broke into employee systems using stolen credentials that were not protected with multi-factor authentication (MFA). Stolen data varied by victim but included sensitive health treatment data as well as personal details like names, dates of birth, contact info, government IDs, as well as Social Security, driver’s license, and passport numbers. United Health began notifying victims in July and continues to do so as “the investigation is still in its final stages.” The ramifications are likely to be lifelong for the millions of Americans whose private medical information was exposed. (TechCrunch)

Authorities investigate telecom hacks following reports of campaign intrusions

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said Friday that they are investigating allegations that Chinese government-linked hackers, Salt Typhoon, breached systems at ​​AT&T, Verizon and Lumen, and targeted systems used by U.S. law enforcement for wiretaps. Friday’s statement coincided with reports from several news outlets claiming that Salt Typhoon used their access to the telecoms to target phones used by Vice President Harris and several other top Democrats as well as former President Trump and J.D. Vance. Investigators and law enforcement indicated, “they are deeply concerned about the potential extent of compromised data” and indicated that the hackers may still have access to Verizon systems. (The Record)

Massive breach impacts French telecom giant

France’s second-largest telecom provider, Free, has confirmed it suffered a cyberattack that compromised personal data, though it claims that passwords, banking details, and communications content were unaffected. The breach targeted an internal management tool and led to an attempted sale of customer information on BreachForums, with hackers claiming to possess data for over 19 million customers, including certain International Bank Account Numbers (IBANs). The telecom company is currently in the process of informing those affected, which, according to the threat actors who stole the data, could be nearly a third of France’s population. (Bleeping Computer)(The Record)

Black Basta leverages Microsoft Teams

ReliaQuest researchers report that Black Basta ransomware affiliates have switched tactics, now using Microsoft Teams to gain initial access to target networks by impersonating IT support. By overwhelming employees with spam emails and then posing as help desk personnel on Teams, the attackers attempt to trick users into downloading remote monitoring tools like AnyDesk. In recent incidents, they have also incorporated malicious QR codes into their communications. The report highlights a significant increase in message volume, with one user receiving around 1,000 emails in just under an hour. (Security Affairs)

Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.

A Discussion with CISOs: Strengthening Board Accountability, Metrics, and Standards for Cybersecurity

RedSeal, along with Renee Guttmann and Chris Hetner, hosted a CISO dinner in New York City last week, bringing together industry leaders to discuss cybersecurity’s evolving landscape, from advanced AI threats to board-level oversight challenges. This conversation focused on three key areas: board accountability, the demand for standardized metrics, and the need for better cyber hygiene.

Enhancing board accountability

One of the central themes was the growing role of the board in cybersecurity. Many CISOs noted that board members often have only a cursory understanding of cybersecurity’s impact. With only a few minutes annually dedicated to cyber matters, it’s no surprise that accountability suffers. Discussions revealed that only 30% of board members feel adequately equipped to make informed cybersecurity decisions, with 75% unsure about the accuracy of their organization’s security data. In response to this knowledge gap, organizations like the NACD, which has over 24,000 members, are actively working to enhance board oversight on cyber risks. The NACD’s Director’s Handbook on Cyber Risk Oversight provides valuable resources for boards to improve their understanding and engagement in cybersecurity matters. For further insights, you can access their latest Cyber Risk document here.

Yet, the disconnect goes beyond understanding risks; boards often lack clarity on how cyber risks align with business strategy and financial health. Discussions highlighted the need for frameworks to contextualize cyber threats in terms of company assets, capital deployment, and potential financial losses. By 2026, it’s projected that cyber incidents could lead to hundreds of millions in losses, affecting not only cybersecurity but entire business operations—as seen with recent high-profile cases like Clorox and MGM Resorts.

RedSeal bridges this gap, providing comprehensive insights and tools that enable organizations to see 100% of what is on their digital environment, empowering boards and leaders to make informed decisions.

The case for standards, metrics, and regular reporting

The group emphasized the need for clear metrics and standardized reporting to guide both CISO and board actions. NACD’s quarterly cyber risk reporting program outlines the expectations boards have for their organizations. These reports detail:

  • An organization’s overall financial exposure to cyber risks and cyberattacks
  • A view of the cyber threats most likely to cause financial losses to a business
  • Insights on the cyber controls most effective in mitigating financial losses
  • Insights on cyber risk transfer/cyber insurance, including “stress testing” existing policies across a range of potential cyber incidents

Without consistency in how cyber risks are measured, many boards remain unaware of the critical issues and resources needed to address them. Regulatory bodies and trade associations could play a pivotal role in creating baseline metrics, particularly in areas like third-party security, cloud configurations, and vulnerability scanning.

RedSeal plays a pivotal role in establishing baseline metrics and developing a “cyber hygiene” checklist. Our digital resilience score offers a benchmark for security posture, helping teams grasp the essentials of cyber resilience and set proactive security strategies to mitigate opportunistic threats. This approach, akin to standards like ISO and NIST, can also help boards understand the basics of cyber resilience. As one attendee noted, “Cyber hygiene today might not prevent a nation-state attack, but it will protect from opportunistic threats, ensuring foundational security.”

Reinforcing cyber hygiene and addressing compliance fatigue

The concept of cyber hygiene emerged as an area of both opportunity and frustration. While some board members see it as a mere checkbox exercise, CISOs stressed its importance for both regulatory compliance and practical risk reduction. Cyber hygiene basics—like identifying assets, scheduling updates, and implementing phishing safeguards—are still overlooked by many organizations. But it’s these essentials, along with clear accountability, that prevent costly breaches.

Chris’s analogy between “The Sandlot”, the 1993 movie, and cyber security teams struck a chord. In this classic movie, boys of all different abilities were accepted on the team, and all were needed to field it. They governed themselves, made rules that were fair and consistent, stood up for what was right, and accepted responsibility if something went wrong. In many organizations, only a few key players tackle security issues while others remain on the sidelines. A more uniform approach across all teams will significantly strengthen the organization’s overall security.

The call for a unified approach to cyber hygiene resonates deeply with RedSeal’s mission to foster a security-first culture within organizations and to know a network in its entirety. Just as on the Sandlot team, if everyone isn’t committed to playing their part, vulnerabilities are left open, and breaches occur.

Moving forward: A collaborative approach

The evening concluded with consensus around the need for collaboration. Board members and CISOs alike must work to build an organization-wide commitment to cybersecurity. This collaboration fosters regular, open communication, ensuring cybersecurity is prioritized strategically, not merely as a compliance obligation.

The dinner served as a reminder that cyber resilience requires a shared commitment. With the rapid growth of cyber threats, a united approach to accountability, standardization, and proactive action will help safeguard the future of every organization.

Reach out to RedSeal or schedule a demo today to learn how to bolster your cybersecurity efforts and make the strategic move that promises long-term benefits and peace of mind.

Reduce IT/OT Convergence Risks with RedSeal

Cyberattacks on cyber-physical systems (CPS), which include operational technology (OT) and the Internet of Things (IoT), are becoming increasingly more common, largely due to the convergence of Information Technology (IT) and OT environments. Historically, CPS operated in isolation, disconnected from broader networks. Now, many of these systems are intentionally or unintentionally linked, providing hackers with new avenues to infiltrate critical assets that are vital to our daily lives.

While the integration of IT and OT can enhance efficiency and performance, it also brings inherent risks that must be managed. The strategic importance of these interconnected systems makes them prime targets for threat actors looking to extort ransom, steal sensitive data, or disrupt operations. Therefore, understanding the dynamics of IT/OT convergence is crucial.

Understanding IT/OT convergence

IT refers to the technologies used for information management and processing, whereas OT includes the hardware and software that govern physical processes in industrial settings. Traditionally, these domains functioned independently, each with distinct systems and security protocols. However, the push for digital transformation has fostered an environment where IT and OT must collaborate more closely, prompting the need for comprehensive strategies to address both the benefits and vulnerabilities of this convergence.

Why is IT/OT convergence important?

  1. Increased operational efficiency: By integrating IT and OT, organizations can streamline operations, reduce downtime, and enhance productivity. This synergy enables real-time data sharing and more informed decision-making.
  2. Enhanced cybersecurity: A unified approach allows for better visibility into potential vulnerabilities and threats. By leveraging insights from both IT and OT environments, organizations can develop a more robust security strategy that addresses risks in a comprehensive manner.
  3. Improved incident response: With a converged infrastructure, organizations can respond to incidents more effectively. Enhanced collaboration between IT and OT teams ensures that threats are identified and mitigated swiftly, minimizing potential damage.

Challenges of IT/OT convergence

Despite the advantages, organizations face several challenges in achieving successful IT/OT convergence:

  • Legacy systems: Many OT environments rely on legacy systems that lack modern security capabilities. Integrating these systems with IT networks can introduce vulnerabilities if not managed properly.
  • Emerging threats: The combined landscape of IT and OT environments results in a more extensive and intricate attack surface. This includes hardware, software, and both on-premises and cloud infrastructures sourced from various vendors. Additionally, the rising prevalence of unsecured IoT devices and remote access to OT systems further complicates the security landscape.
  • Evolving compliance landscape: Compliance requirements continue to increase, such as those related to the EU’s NIS2 Directive and Cyber Resilience Act and the updated NIST Cybersecurity Framework in the US.
  • Complexity of environments: Human error poses significant challenges when organizations prioritize continuity over security. While patching vulnerabilities in IT may be manageable, doing so in cyber-physical systems (CPS) often disrupts critical operations. As a result, creative mitigation strategies are frequently necessary instead of direct remediation.

RedSeal’s approach to IT/OT convergence

At RedSeal, we recognize the unique challenges organizations face in converging IT and OT. Our solutions provide a comprehensive framework to support this integration effectively. Let’s review the key features:

  1. Holistic asset inventory: RedSeal creates a detailed inventory of an organization’s IT and OT assets. This visibility is essential for identifying vulnerabilities and ensuring appropriate security measures are in place.
  2. Creating a network digital twin: RedSeal delivers a comprehensive model of the hybrid IT and CPS environment, acting as a network digital twin. With RedSeal, organizations understand how different components, devices, and systems are connected, ensuring that no part of the network is overlooked.
  3. Mapping all attack paths: Our platform assesses internal and external factors to prioritize threats, enabling organizations to focus on the most critical vulnerabilities resulting from convergence.
  4. Regulatory compliance support: By providing tools for monitoring and reporting, RedSeal simplifies compliance with industry regulations, making it easier for organizations to meet their obligations.

RedSeal benefits

As the digital landscape evolves, the convergence of IT and OT is becoming increasingly important for organizations looking to enhance their cybersecurity and operational resilience. While challenges exist, leveraging RedSeal’s solutions can empower businesses to navigate this complex environment effectively.

With RedSeal, gain a comprehensive and shared understanding of your entire hybrid IT/OT environment, including all assets, access and connectivity, and potential exposures. By proactively and efficiently closing defensive gaps, you can harden your network against threats using actionable exposure intelligence. This approach not only helps you measurably reduce risk and build resilience but also accelerates IT/OT convergence while ensuring compliance with new mandates.

By investing in IT/OT convergence, organizations can achieve greater visibility, improve incident response, and foster collaboration between IT and OT teams. As you embark on your journey towards a unified infrastructure, consider how RedSeal can support you in realizing the full benefits of IT/OT convergence.

For more insights on how RedSeal can help you with IT/OT convergence, explore our solutions today.

Cyber News Roundup for October 25, 2024

In this week’s roundup of cybersecurity news, we dive into significant developments, including investigations into restricted chips found in Huawei products, the confirmation of a zero-day vulnerability in Fortinet’s FortiManager, and CISA’s addition of a critical Microsoft SharePoint flaw to its Known Exploited Vulnerabilities catalog. We also explore active attacks on Cisco’s ASA software and the U.S. Defense Department’s initiative to harness tech talent for military cyber roles. Stay informed as we uncover the latest threats, vulnerabilities, and responses shaping the cybersecurity landscape.

Officials investigate how restricted chips ended up in products from Huawei

Taiwan Semiconductor Manufacturing Co. (TSMC) discovered this month that chips it made for a specific client ended up in Huawei Technologies products, potentially violating U.S. sanctions aimed at restricting technology to the Chinese company. TSMC halted shipments to the client in mid-October and notified both U.S. and Taiwanese authorities. It’s unclear if the client was working on behalf of Huawei or where they are based, but the incident raises questions about how Huawei accessed advanced chips despite sanctions.

Huawei, blacklisted since 2020, has relied on Semiconductor Manufacturing International Corp. (SMIC) for chip production. However, recent reports suggest Huawei’s latest AI servers contain processors made by TSMC. TSMC had previously stated it stopped all shipments to Huawei in 2020. U.S. officials are now investigating whether third-party distributors played a role in bypassing export restrictions. This development adds pressure on TSMC and the U.S. Bureau of Industry and Security to address potential loopholes in export controls. (Bloomberg)

Fortinet confirms a recently rumored zero-day

For over a week, rumors of a zero-day vulnerability in Fortinet’s FortiManager have been circulating online. Today, the flaw, dubbed “FortiJump” (CVE-2024-47575), was officially disclosed by Fortinet, confirming it has been actively exploited since June 2024. The vulnerability, a missing authentication issue in the FortiGate to FortiManager Protocol (FGFM) API, allows attackers to execute commands on FortiManager servers and steal data from managed FortiGate devices.

Cybersecurity firm Mandiant revealed that a threat actor, tracked as UNC5820, has been exploiting the flaw in attacks affecting more than 50 servers. Attackers used their own FortiManager and FortiGate devices with valid certificates to register on vulnerable FortiManager servers. Once connected, even in an unauthorized state, these devices could access sensitive data, including configuration details and hashed passwords of managed devices.

Fortinet has released patches and advised customers to restrict IP connections and block unauthorized FortiGate devices. The company’s advisory includes mitigation measures, indicators of compromise, and logs to help detect affected systems. Organizations are urged to apply these patches and update credentials to prevent further breaches. So far, no additional malicious activity has been reported since the initial attacks. (BleepingComputer)

CISA adds Microsoft SharePoint flaw to its KEV catalog

The flaw in question is the Microsoft SharePoint Deserialization Vulnerability, CVE-2024-38094, which has a CVSS v4 score of 7.2. This means “an authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.” Federal agencies must fix this vulnerability by November 12, and of course it is recommended that private organizations review the Catalog and address this vulnerability. (Security Affairs)

Cisco warns of ASA and FTD software vulnerability under active attack

Cisco is in the news for a second time this week, this time in regard to a flaw in its Adaptive Security Appliance (ASA) that could lead to a denial-of-service (DoS) condition. This flaw impacts the Remote Access VPN (RAVPN) service of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software. The company says, “an attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device…resulting in a DoS of the RAVPN service on the affected device.” This is also known as resource exhaustion. Cisco has released updates to address this flaw. (The Hacker News)

Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland

On the first day of the first ever Pwn2Own contest held in Ireland, hackers demonstrated 52 zero-day vulnerabilities across a wide range of devices, earning a total of $486,250 in cash prizes. The biggest prize of the day went to a group named Summoning Team who revealed “a chain of nine vulnerabilities to go from QNAP QHora-322 router to TrueNAS Mini X device.” This earned them a $100,000 payout and 10 Master of Pwn points. The event concludes today. (BleepingComputer)

Cisco Patches Vulnerability Exploited in Large-Scale Brute-Force Campaign

Cisco has released patches for multiple vulnerabilities affecting its Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including one that has been actively exploited. The exploited vulnerability, tracked as CVE-2024-20481 (CVSS score: 5.8), impacts the Remote Access VPN (RAVPN) service on ASA and FTD devices, allowing remote attackers to cause a denial-of-service (DoS) condition through resource exhaustion by sending numerous VPN authentication requests. Cisco linked this issue to a large-scale brute-force attack campaign it first reported in April 2024, which targets various VPN and SSH services, not only Cisco products but also those from other vendors like Check Point, Fortinet, and Ubiquiti.

Alongside CVE-2024-20481, Cisco’s October 2024 security advisory bundle addressed 50 other flaws, including three critical vulnerabilities (CVE-2024-20329, CVE-2024-20424, and CVE-2024-20412) that could allow attackers to execute commands with root privileges or log in using static credentials. Additionally, proof-of-concept code has been released for three information disclosure vulnerabilities (CVE-2024-20377, CVE-2024-20387, CVE-2024-20388). Cisco urges organizations to apply the patches immediately to avoid potential exploits. Further details are available in Cisco’s security advisories. (SecurityWeek)

Fortinet patches actively exploited zero-day

On October 13th, Fortinet began privately notifying impacted customers about a critical flaw in its FortiManager API. This flaw allowed an attacker with a valid certificate from any owned or compromised Fortinet device to execute arbitrary code and take complete control of attached firewalls. Some customers reported the flaw under active exploitation for weeks before any notice from the company. This notification included mitigations until a patch was formally released. Security researcher Kevin Beaumont posted on social media about the flaw the same day Fortinet sent its initial notification, dubbing it FortiJump. Fortinet released a patch for the vulnerability as well as indicators of compromise. (Ars Technica, Bleeping Computer)

DeFi game used to exploit Chrome zero-day

Researchers from Kaspersky detailed a campaign by North Korea’s Lazarus Group that used an NFT-based game as a lure to install its tried-and-true Manuscrypt backdoor. Lazarus promoted the game DeTankZone through spearphishing and ads on X and LinkedIn DMs. The game loads to a login screen, which then points users to the game’s website to complete registration. The site uses a hidden script to trigger a type confusion vulnerability in Chrome’s V8 JavaScript engine, used to overwrite sections of Chrome’s compiler to get access to the browser’s entire address space. Lazarus used this for reconnaissance to see if the victim was valuable enough to continue attacking. Chrome patched the flaw in V8 in March. (Bleeping Computer)

Samsung zero-day under active exploit

A zero-day vulnerability (CVE-2024-44068) has been discovered in Samsung’s mobile processors and is being used in an exploit chain for arbitrary code execution. NIST said the use-after-free bug is in the m2m scaler driver in Samsung Mobile and Wearable Processors (Exynos 9820, 9825, 980, 990, 850, and W920) and leads to privilege escalation. The vulnerability was rated critical and scored 8.1 out of 10 on the CVSS scale. Samsung issued a patch along with its October set of security fixes. (Dark Reading)

Exploit released for new Windows Server “WinReg” attack

Proof-of-concept exploit code is now public for a vulnerability in Microsoft’s Remote Registry client (CVE-2024-43532) that falls back to old transport protocols if SMB transport is not present. An attacker could use the issue to authenticate to Active Directory Certificate Services (ADCS), where they could then obtain a user certificate for further domain authentication. The flaw affects all Windows Server versions from 2008 through 2022 as well as Windows 10 and Windows 11. Akamai researcher Stiv Kupchik originally disclosed the issue back in February, after which Microsoft dismissed the report as a documentation issue. In mid-June, Kupchik resubmitted the report with a better proof-of-concept (PoC) and explanation, leading Microsoft to confirm the issue in early July and issue a fix earlier this month. Akamai provided methods of detecting vulnerable services and recommends organizations use Event Tracing for Windows (ETW) to monitor for related RPC calls. (Bleeping Computer)

The DoD wants to offer senior cyber executives part-time roles as military reservists

The U.S. Defense Department is looking to tap into Silicon Valley’s tech talent by offering senior executives part-time roles as military reservists. These tech pros, like chief technology officers, would serve in high-ranking positions and be called in for short-term projects in areas like cybersecurity and data analytics. Brynt Parmeter, the Defense Department’s chief talent management officer, is spearheading the effort, aiming to bring dozens of tech professionals on board by next September, with plans to grow the program significantly over the next few years.

This initiative marks a shift in Silicon Valley’s relationship with the military, as tech companies increasingly see national security opportunities as beneficial. Parmeter hopes to place these tech experts in roles equivalent to major or lieutenant colonel in the Army and Air Force Reserves. The goal is to strengthen the military’s capabilities by leveraging private-sector expertise, without pulling these tech pros away from their keyboards and into combat. (WSJ)

Proposed rules ban U.S. companies from selling sensitive data

The Biden administration has formally proposed new regulations that would restrict the sale and transfer of sensitive personal data, such as health, financial, and geolocation data, to six adversarial nations: China, Russia, Iran, North Korea, Cuba, and Venezuela. These rules, which stem from a February executive order, aim to address national security risks posed by foreign actors exploiting bulk data to carry out cyberattacks and espionage. The new regulations set strict thresholds for data transactions and impose compliance requirements based on cybersecurity frameworks, with exemptions for certain telecommunications and clinical trial data. Though with congressional and presidential elections just weeks away, there is doubt as to whether there will be any forward movement on the bill this year. (CyberScoop, The Record)

APT41 group linked to months-long attack 

The Chinese nation-state hacking group APT41 has been linked to a months-long cyberattack on a company in the gambling and gaming industry, where they stole sensitive data including network configurations and passwords. The group used a sophisticated, evolving toolkit to bypass security defenses, maintain persistent access, and escalate privileges. The attackers’ custom tools allowed them to establish covert channels for further malware deployment. While the exact initial access vector is unknown, security researchers believe spear-phishing emails may be the point of access. (The Hacker News)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or to schedule a demo.

Prioritize to Protect: RedSeal’s Methodology for Effective Threat Exposure Management

In the fast-paced world of cybersecurity, the sheer volume of threat exposures can overwhelm even the most diligent security teams. Effective prioritization is not just a best practice; it’s essential for safeguarding your organization’s assets and ensuring a robust security posture.

The importance of prioritization

Prioritization in Continuous Threat Exposure Management (CTEM) goes beyond vulnerabilities and assessing CVSS scores or severity levels. RedSeal navigates the complexity by providing a comprehensive approach to prioritizing exposures based on the risk to the organization. By considering a multitude of internal, external, business, and technical factors, RedSeal focuses teams on high-impact, exploitable exposures that align with high-priority systems and assets, transforming how organizations manage their cybersecurity efforts.

How RedSeal enhances prioritization

At RedSeal, we understand that effective prioritization requires a nuanced approach. Our platform evaluates a wide array of factors to determine risk and prioritize exposures accurately. While traditional CTEM programs prioritize then validate threat exposures, RedSeal uniquely combines these steps—automatically validating all exposures before prioritizing them. After all, if an exposure isn’t actually exploitable, it shouldn’t be a priority. RedSeal evaluates all possible access—from north, south, east, and west—across the entire network to assess the viability of exploitation and measure the true impact (blast radius) of each exposure. Then, all possible consequences from direct and indirect (downstream) threats are considered. The platform calculates risk scores by combining vulnerability and business data with unmatched network context, ensuring exposures with greater business impact take higher priority.

RedSeal CTEM prioritization in action:

  1. Comprehensive risk assessment: RedSeal calculates risk scores by integrating data from security controls, asset criticality, and vulnerability assessments, along with network context. This approach ensures that no critical threat goes unnoticed.
  2. Network contextualization: Our unique capability to provide unmatched network context is a game-changer. By factoring visibility, exploitability, potential exploitation, and the likely impact of exposures into the prioritization process, RedSeal offers a complete picture of the true threat.
  3. Network digital twin: The concept of a network digital twin is crucial in our prioritization process. It allows us to visualize both direct attack paths and the indirect, downstream consequences of potential threats. This holistic view helps organizations understand the broader implications of vulnerabilities and focus on exposures that could have the greatest impact.
  4. Business impact focus: At the heart of our prioritization strategy is a commitment to business impact. Exposures with the potential for greater repercussions on the organization are given higher priority, aligning cybersecurity efforts with overarching business objectives.
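
The validate-then-prioritize idea above can be made concrete with a small worked example. The code below is added for this post and is illustrative only: it is not RedSeal’s product code or scoring formula. The network graph, asset criticalities and findings are constructed, and the CVE identifiers are placeholders. Each finding is first checked for an attack path from an untrusted entry point (validation), and only reachable findings are scored by direct impact (CVSS weighted by business criticality) plus indirect impact (the summed criticality of everything downstream of the vulnerable host, a simple blast radius).

```python
"""Exposure prioritization with network-context validation (illustrative).

Added example, not RedSeal code. Network, criticalities and findings are
constructed; CVE identifiers are placeholders.
"""
from collections import deque
from dataclasses import dataclass

# Constructed adjacency list: an edge a -> b means host a can reach host b.
NETWORK = {
    "internet": ["web-dmz"],
    "web-dmz": ["app-1"],
    "app-1": ["db-1", "app-2"],
    "app-2": ["db-1"],
    "db-1": [],
    "hmi-ot": ["plc-1"],  # OT segment with no path from the internet
    "plc-1": [],
}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder identifier, not a real advisory
    cvss: float       # base score as reported by the scanner
    criticality: int  # business criticality, 1 (low) .. 5 (crown jewel)


# Constructed findings: plc-1 has the highest CVSS but no attack path.
FINDINGS = [
    Finding("db-1", "CVE-0000-0001", 9.8, 5),
    Finding("plc-1", "CVE-0000-0002", 10.0, 5),
    Finding("web-dmz", "CVE-0000-0003", 7.5, 2),
    Finding("app-2", "CVE-0000-0004", 8.1, 3),
]


def reachable_from(graph, start):
    """Every host reachable from `start` (start itself excluded), via BFS."""
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(graph, host, criticality):
    """Indirect impact: summed criticality of everything downstream of `host`.
    Hosts with no inventory entry count as 1."""
    return sum(criticality.get(h, 1) for h in reachable_from(graph, host))


def prioritize(graph, findings, entry="internet"):
    """Validate first (is there an attack path from `entry`?), then score.

    score = cvss/10 * criticality (direct) + blast radius (indirect).
    Findings with no path from `entry` are dropped rather than ranked low.
    """
    exposed = reachable_from(graph, entry)
    criticality = {f.host: f.criticality for f in findings}
    ranked = []
    for f in findings:
        if f.host not in exposed:
            continue  # not exploitable from the entry point: not a priority
        direct = (f.cvss / 10.0) * f.criticality
        indirect = blast_radius(graph, f.host, criticality)
        ranked.append((f.cve, f.host, round(direct + indirect, 2)))
    return sorted(ranked, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for cve, host, score in prioritize(NETWORK, FINDINGS):
        print(f"{score:6.2f}  {host:8s}  {cve}")
```

Two things fall out of running it. The CVSS 10.0 finding on plc-1 never appears in the queue because nothing on the internet-facing side can reach it, and the CVSS 7.5 finding on web-dmz outranks the CVSS 9.8 finding on db-1 because compromising the DMZ host exposes the application tier and the database behind it. Severity alone would have ordered those two the other way round.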

In today’s complex security environment, effective prioritization of threat exposures is vital for successful Continuous Threat Exposure Management. RedSeal provides the tools necessary to assess risks comprehensively and focus on what truly matters. By considering a range of internal, external, business, and technical factors, we empower organizations to navigate their threat landscape with confidence and precision.

A partnership with RedSeal ensures that your CTEM efforts are strategically focused on high-impact exposures that protect your business and its future.

Read our blogs on scoping, the first step in CTEM, and discovery, the second step.

Reach out to RedSeal today to schedule a demo and learn about RedSeal’s crucial role in supporting CTEM programs.

Cyber News Roundup for October 18, 2024

In an increasingly interconnected and technologically advanced world, the scope and complexity of cyber threats and security challenges have never been greater. From drones probing military bases to critical vulnerabilities in widely used software and hackers exploiting outdated physical access controls, organizations and governments face a wide range of risks that demand immediate attention and action. This week’s articles highlight the latest cybersecurity challenges, emphasizing the urgent need for proactive defenses against these emerging threats.

Mystery Drones Swarmed a U.S. Military Base for 17 Days. The Pentagon Is Stumped

In December, a fleet of advanced drones, suspected to be of Chinese origin, swarmed U.S. military installations near Norfolk, Virginia, including the home of Navy SEAL Team 6. These drones, capable of speeds over 100 mph and synchronized via AI, flew for 17 days, causing concern within the Biden administration. Due to legal restrictions preventing the military from shooting them down unless an imminent threat was posed, no decisive action was taken, even though the drones hovered over one of the most sensitive U.S. military bases.

A month later, a Chinese student was arrested after flying a drone near the base. The incident, along with similar drone sightings near nuclear facilities and other sensitive military sites, raised alarms about possible espionage or reconnaissance missions to test U.S. defenses. Critics argue that the administration’s inaction demonstrated weakness and missed an opportunity to send a strong message to China. This series of incidents is seen as part of a broader pattern of probing U.S. responses to potential threats. (WSJ, Fox News)

A critical vulnerability in Veeam Backup & Replication software is being exploited

A critical vulnerability in Veeam Backup & Replication software (CVE-2024-40711) is being exploited by hackers to deploy ransomware, including Fog and Akira variants. The flaw allows unauthenticated remote code execution, enabling attackers to create unauthorized accounts and gain privileged access. Attackers initially gained access through compromised VPN gateways without multifactor authentication. Sophos reported several attacks over the past month, highlighting the need for patching, updating outdated VPNs, and implementing strong security measures. Veeam has released a patch (version 12.2.0.334), and administrators are urged to apply it immediately. (Cyber Security News)

Iranian hackers exploit Windows flaw to elevate privileges

An Iranian state-sponsored hacking group, APT34, also known as OilRig, is targeting government and critical infrastructure entities in the United Arab Emirates and the Gulf region with an enhanced campaign. As reported by researchers at Trend Micro, the group is deploying a backdoor that uses Microsoft Exchange servers to steal credentials and exploits a known Windows flaw to elevate privileges on compromised devices. This flaw is a high-severity privilege escalation vulnerability with a CVE number that Microsoft fixed in June. According to BleepingComputer, “Microsoft has acknowledged a proof-of-concept exploit for this CVE numbered flaw, but has not yet marked it as actively exploited, nor has CISA reported it in its Known Exploited Vulnerability catalog.” (BleepingComputer)

Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server

These two tunneling protocols are being officially deprecated by Microsoft for future versions of Windows Server, along with a recommendation that admins move to different protocols that offer increased security. The Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) have been in use for more than 20 years to allow remote access to corporate networks and Windows servers. However, PPTP has “become vulnerable to offline brute force attacks of captured authentication hashes, and L2TP provides no encryption unless coupled with another protocol, like IPsec, and even then, weaknesses can appear.” Microsoft now recommends users move to the newer Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) protocols, which provide better performance and security. (BleepingComputer)

Organizations Slow to Protect Doors Against Hackers

A recent study reveals that many organizations have been slow to secure vulnerable door access controllers, leaving them open to remote attacks. Researcher Shawn Merdinger, through his project “Box of Rain,” identified exposed systems in sectors such as healthcare, education, and law enforcement. Despite warnings and reports, many controllers remain vulnerable due to default credentials or unprotected web interfaces, potentially allowing hackers to gain unauthorized access. The findings highlight the ongoing risks posed by outdated physical access controls. (SecurityWeek)

Multiple Splunk Enterprise Vulnerabilities Let Attackers Execute Remote Code

Splunk has patched multiple high-severity vulnerabilities in its Enterprise and Cloud Platform products that allow remote code execution. These flaws, including CVE-2024-45733 (CVSS 8.8), affect Windows versions below 9.2.3 and 9.1.6. Another issue, CVE-2024-45731, allows file writing to the system root, while CVE-2024-45732 could enable unauthorized access to data. Splunk recommends upgrading to the latest versions and applying mitigations, such as disabling Splunk Web and ensuring proper installation configurations. These vulnerabilities highlight the critical need for timely security updates to protect sensitive systems. (Cyber Security News)

Must-patch flaw exposes tens of thousands

We are now getting a clearer idea of just how many IPs are vulnerable to the Fortinet vulnerability that CISA placed on its critical patch list last week. According to CyberScoop, around 87,000 IPs are likely susceptible to the vulnerability, which has a 9.8 rating on the CVSS scale. Fortinet released a fix in February, but the issue remains widespread, with the majority of vulnerable IPs located in Asia, North America, and Europe. Federal agencies are required to address the issue by the end of October. (CyberScoop)

Firefox zero-day update to include Tor

Shortly after Firefox rolled out version 131.0.2 with a fix for a critical zero-day vulnerability (CVE-2024-9680), the Tor browser was also updated to patch the issue. The bug, which could lead to remote code execution via a use-after-free flaw in the Animation timeline, had been actively exploited in the wild, as confirmed by Mozilla and reported by ESET. Both Firefox and Tor quickly responded to the exploit, delivering fixes within 25 hours of identifying the issue. (Security Week)

Nearly 400 U.S. healthcare institutions hit with ransomware over past 12 months

On Tuesday, Microsoft released a report revealing that between July 2023 and June 2024, 389 U.S.-based healthcare institutions were successfully hit with ransomware. The attacks caused network and system outages, delays in critical medical operations and rescheduled appointments. Microsoft customers reported a 2.75x increase in human-operated ransomware encounters. The researchers said that the motives of Russian, North Korean and Iranian cybercriminals appear to have shifted from destruction to financial gain. The report did yield some positive news, showing that the percentage of ransomware attacks that reached the encryption stage has decreased significantly over the past two years. (The Record and The Register)

Encryption flaws found in WeChat

Researchers at Citizen Lab investigated the MMTLS encryption protocol used by the massively popular WeChat app. They found that MMTLS was a modified version of TLS 1.3 that introduced cryptographic weaknesses. While the researchers could not craft an attack to exploit these weaknesses, they noted that MMTLS uses deterministic initialization vectors, which opens the door to a brute force attack and goes against NIST recommendations. The protocol also lacks forward secrecy due to its heavy use of session-resuming pre-shared keys. The researchers published full findings and methodologies on GitHub. (Citizen Lab)
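
The deterministic-IV finding is worth seeing in code, because the failure mode is the same for any counter-mode construction. The block below is an added example for this item; it is not MMTLS, WeChat code or the Citizen Lab methodology. It uses a generic PRF-based keystream (block i = HMAC-SHA256(key, iv || i)), which has the same shape as the CTR core of AES-GCM and therefore the same property: reuse a (key, IV) pair and the XOR of two ciphertexts equals the XOR of the two plaintexts, with no key required. Keys, session identifiers and messages are constructed.

```python
"""Why deterministic IVs matter: a toy stream cipher showing the leak.

Added example; not MMTLS or WeChat code. Keystream block i is
HMAC-SHA256(key, iv || i); ciphertext is plaintext XOR keystream.
All keys, session ids and messages below are constructed.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """PRF-based keystream, same structure as counter mode."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR stream cipher: the same call also decrypts."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def deterministic_iv(session_id: bytes) -> bytes:
    """Anti-pattern: IV derived only from static session data, so every
    message in the session reuses it under the same key."""
    return hashlib.sha256(session_id).digest()[:12]


def fresh_iv() -> bytes:
    """Unique per message, as NIST SP 800-38D requires for GCM: 96 random bits."""
    return secrets.token_bytes(12)


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """What a passive observer can compute without the key."""
    return xor_bytes(c1, c2)


def leaks_plaintext_xor(key, p1, p2, iv_for_message):
    """True when C1 xor C2 == P1 xor P2, i.e. the keystream cancelled out."""
    c1 = encrypt(key, iv_for_message(), p1)
    c2 = encrypt(key, iv_for_message(), p2)
    return ciphertext_xor(c1, c2) == xor_bytes(p1, p2)


def recover_second_message(c1, c2, known_p1):
    """With one plaintext known (a predictable header, say), the other falls out
    of the ciphertext XOR. This is why IV reuse is treated as a total break."""
    return xor_bytes(ciphertext_xor(c1, c2), known_p1)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    p1, p2 = b"GET /status HTTP/1.1", b"POST /login HTTP/1.1"
    session = b"session-42"
    print("deterministic IV leaks:", leaks_plaintext_xor(key, p1, p2, lambda: deterministic_iv(session)))
    print("fresh IV leaks:        ", leaks_plaintext_xor(key, p1, p2, fresh_iv))
```

The fix is not a stronger hash or a longer key; it is the NIST rule the researchers cite: an IV must never repeat under the same key, whether that is achieved with a random 96-bit nonce as here or with a strictly increasing counter carried in the record.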

CISA refines SBOM guidance

The US Cybersecurity and Infrastructure Security Agency published a new edition of its Framing Software Component Transparency document, providing new guidance on creating software bills of materials (SBOMs). This now sets out SBOM attributes into minimum expected, recommended, and aspirational categories. The baseline requirements primarily focus on transparency and interoperability with existing SBOM formats. CISA also pointed out that to make SBOMs useful, the industry needs coordinated and automated methods to share SBOM data. (Infosecurity Magazine)
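
A baseline check of this kind is easy to automate, which is the interoperability point CISA is making. The code below is an added example, not CISA tooling, and it does not encode the attribute tiers from the new document edition; as an assumed baseline it checks the 2021 NTIA “minimum elements” (supplier, component name, version, a unique identifier, dependency relationship, SBOM author, timestamp) against a constructed CycloneDX-style JSON document with deliberate gaps.

```python
"""Checking an SBOM for the NTIA minimum elements (illustrative).

Added example; not CISA tooling. The NTIA 2021 minimum-element list is an
assumed baseline, and the CycloneDX-style document below is constructed.
"""
import json

# Constructed CycloneDX-style SBOM with deliberate gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-10-17T12:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"bom-ref": "app", "name": "inventory-service", "version": "3.4.1"},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "libalpha", "version": "1.2.0",
         "supplier": {"name": "Alpha Project"}, "purl": "pkg:generic/libalpha@1.2.0"},
        {"bom-ref": "lib-b", "name": "libbeta",            # no version, no supplier
         "purl": "pkg:generic/libbeta"},
        {"bom-ref": "lib-c", "name": "libgamma", "version": "0.9",
         "supplier": {"name": "Gamma Inc"}},               # no purl/cpe, not in graph
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": []},
        {"ref": "lib-b", "dependsOn": []},
    ],
})


def check_minimum_elements(sbom_json: str) -> dict:
    """Return {'document': [...], 'components': {bom-ref: [...]}} of missing items."""
    sbom = json.loads(sbom_json)
    meta = sbom.get("metadata", {})
    doc_gaps = []
    if not meta.get("timestamp"):
        doc_gaps.append("timestamp")
    if not meta.get("authors") and not meta.get("tools"):
        doc_gaps.append("author")

    # Every ref that appears anywhere in the dependency graph.
    in_graph = set()
    for d in sbom.get("dependencies", []):
        in_graph.add(d.get("ref"))
        in_graph.update(d.get("dependsOn", []))

    comp_gaps = {}
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("name", "<unnamed>")
        gaps = []
        if not c.get("name"):
            gaps.append("name")
        if not c.get("version"):
            gaps.append("version")
        if not (c.get("supplier") or {}).get("name"):
            gaps.append("supplier")
        if not (c.get("purl") or c.get("cpe")):
            gaps.append("unique identifier")
        if ref not in in_graph:
            gaps.append("dependency relationship")
        if gaps:
            comp_gaps[ref] = gaps
    return {"document": doc_gaps, "components": comp_gaps}


def meets_baseline(sbom_json: str) -> bool:
    """True only when neither the document nor any component has a gap."""
    result = check_minimum_elements(sbom_json)
    return not result["document"] and not result["components"]


if __name__ == "__main__":
    print(json.dumps(check_minimum_elements(SAMPLE_SBOM), indent=2))
```

Run against the sample it reports libbeta without a version or supplier and libgamma without an identifier and absent from the dependency graph, the two kinds of gap that make an SBOM hard to match against vulnerability data or to trace to a shipped product.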

Hackers steal data from Verizon’s push-to-talk (PTT) system

Hackers have stolen data from Verizon’s push-to-talk (PTT) system, which is marketed to government agencies and first responders, and are now selling the data on a Russian cybercrime forum. 404 Media reports the breach did not affect Verizon’s main consumer network, but it targeted a third-party provider supporting the PTT system. The stolen data includes call logs, emails, and phone numbers. Verizon confirmed that a small subset of customer data was exposed but noted that no sensitive information such as Social Security numbers was leaked. The hackers, including Cyberphantom and Judische, are part of a cybercriminal group known as the “Com,” responsible for numerous high-profile breaches. The hackers are selling the stolen data instead of extorting Verizon. (CyberInsider)

CISA and its partners warn of Iranian brute force password attempts

A joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and other international authorities warns that Iranian cyber actors are increasingly using brute force methods like password spraying and “push bombing” to target global critical infrastructure sectors. These attackers focus on healthcare, government, IT, and energy sectors to steal credentials and gain deeper access to systems. The advisory highlights that Iranian actors have exploited MFA vulnerabilities and sold stolen credentials, urging organizations to enhance security by implementing phishing-resistant MFA and monitoring for suspicious logins and behaviors. (Gov Info Security)
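
The advisory’s “monitor for suspicious logins and behaviors” recommendation, and the Cisco RAVPN resource-exhaustion campaign covered in the October 25 roundup above, come down to the same three patterns in authentication logs: a source spraying one guess across many accounts, a source hammering one endpoint with failures, and a user flooded with MFA push prompts. The block below is an added example, not code from CISA, Cisco or any advisory. The log format, host name, RFC 5737 test addresses and thresholds are all constructed or assumed; the thresholds in particular need tuning against your own baseline.

```python
"""Detecting password spraying, authentication floods and MFA push bombing
from authentication logs.

Added example, not code from any advisory. Log format, addresses and
thresholds are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"(?P<event>auth-fail|auth-ok|mfa-push) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Synthetic log: a spray, a flood, a push-bombing burst, one benign typo."""
    t0 = datetime(2024, 10, 16, 10, 0, 0)
    lines = []

    def add(offset_s, event, user, src):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f"{ts} vpn-gw {event} user={user} src={src}")

    for i in range(8):       # one attempt each against 8 accounts (spray)
        add(30 * i, "auth-fail", f"user{i}", "203.0.113.5")
    for i in range(25):      # 25 failures for one account in 48 s (flood)
        add(2 * i, "auth-fail", "admin", "198.51.100.7")
    for i in range(6):       # 6 MFA prompts to one user in 2.5 min (push bombing)
        add(30 * i, "mfa-push", "bob", "192.0.2.9")
    add(0, "auth-fail", "carol", "192.0.2.10")  # mistyped password, then success
    add(5, "auth-ok", "carol", "192.0.2.10")
    return "\n".join(lines)


def parse(text):
    """Parse key=value lines into dicts, time-sorted; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _windows(events, window):
    """For each event, the time-sorted run starting there spanning at most `window`."""
    for i, start in enumerate(events):
        chunk = []
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            chunk.append(e)
        yield chunk


def _group(events, kind, key):
    groups = defaultdict(list)
    for e in events:
        if e["event"] == kind:
            groups[e[key]].append(e)
    return groups


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Sources failing logins for many distinct users, a few tries each."""
    hits = set()
    for src, evs in _group(events, "auth-fail", "src").items():
        for chunk in _windows(evs, window):
            per_user = defaultdict(int)
            for e in chunk:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits.add(src)
                break
    return hits


def detect_flood(events, window=timedelta(minutes=1), threshold=20):
    """Sources producing a burst of failures (brute force / resource exhaustion)."""
    hits = set()
    for src, evs in _group(events, "auth-fail", "src").items():
        if any(len(chunk) >= threshold for chunk in _windows(evs, window)):
            hits.add(src)
    return hits


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=5):
    """Users receiving a burst of MFA push prompts."""
    hits = set()
    for user, evs in _group(events, "mfa-push", "user").items():
        if any(len(chunk) >= threshold for chunk in _windows(evs, window)):
            hits.add(user)
    return hits


EVENTS = parse(constructed_log())

if __name__ == "__main__":
    print("spray sources :", detect_spray(EVENTS))
    print("flood sources :", detect_flood(EVENTS))
    print("push-bombed   :", detect_push_bombing(EVENTS))
```

The spray detector keys on breadth (many accounts, few attempts each), which is exactly the shape that per-account lockout thresholds miss; the flood detector keys on rate from a single source; and the push-bombing detector looks at the target rather than the source, since the prompts come from the identity provider. Only the spraying source, the flooding source and the bombed user are flagged; the user who mistyped a password once is not.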

F5 publishes quarterly security notification, addressing BIG-IP and BIG-IQ vulnerabilities

News about the fixes for these vulnerabilities came in the company’s October edition of its quarterly security notification. The update for BIG-IP, a collection of hardware platforms and software solutions, addresses a high-severity security defect affecting the appliance’s monitor functionality. The update for BIG-IQ, which centralizes management, licensing, monitoring, and analytics for a dispersed BIG-IP infrastructure, addresses what is described as “a stored cross-site scripting (XSS) bug in an undisclosed page of the appliance’s user interface.” F5 makes no mention of either of these vulnerabilities being exploited in the wild. Further details are available in the F5 quarterly security notification, a link to which is available in the show notes to this episode. (F5 Quarterly Security Notification)

Vulnerability warning from Kubernetes and VMWare, plus new KEV catalog entries

Finally, a quick summary of some vulnerabilities of note this week: a Kubernetes Image Builder vulnerability could allow attackers to gain root access if exploited under specific conditions. This applies only to Kubernetes clusters with nodes using VM images from the Image Builder project and its Proxmox provider. VMware has fixed “a high-severity SQL injection flaw in HCX allowing non-admin users to remotely execute code on the HCX manager,” and CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a Microsoft Windows Kernel TOCTOU race condition vulnerability, a Mozilla Firefox use-after-free vulnerability, and a SolarWinds Web Help Desk hardcoded credential vulnerability. Links to details on these are available in the show notes. (Security Affairs, Security Affairs and Security Affairs)

Navigating Cybersecurity Risks: RedSeal’s Discovery Solutions for CTEM

In today’s cybersecurity landscape, simply knowing your assets isn’t enough; you must be able to uncover hidden vulnerabilities that put your organization at risk. As cyber threats become increasingly sophisticated, the discovery phase of Continuous Threat Exposure Management (CTEM) takes center stage. This critical process involves not just identifying what assets you have, but also continuously monitoring their connections and assessing them for both known vulnerabilities and emerging threats. It’s the distinction between simply getting by and actively safeguarding your digital environment. 

The importance of discovery in CTEM

Gartner recommends running discovery against the scopes defined in the previous stage. Discovery against clearly defined scopes increases awareness of risks among the relevant business teams, which both aids in identifying potential threats and ensures that any successes in exposure management are meaningful and impactful in later stages.

How RedSeal supports discovery

At RedSeal, we recognize that automation is vital for keeping track of asset exposures. Our platform goes beyond traditional external exposure hunting tools that only provide a snapshot of vulnerabilities. Instead, RedSeal builds a reliable, comprehensive digital twin of your entire environment, automating the analysis of complex layers of network infrastructure. This approach allows organizations to continuously identify exposures caused by various factors, including: 

  • Unmanaged assets: Detecting assets that may not be adequately monitored or secured. 
  • Misconfigurations: Identifying incorrect settings that could leave systems vulnerable. 
  • Unintended connections: Uncovering both direct and indirect links that could pose risks. 
  • Firewall rules and policy violations: Ensuring that security policies are properly enforced. 
  • Vulnerabilities: Continuously scanning for known vulnerabilities and emerging threats. 

RedSeal continuously identifies all assets and exposures, including those due to hidden assets, misconfigurations, unintended connections (direct and indirect), firewall rules, and policy violations, as well as known and unknown vulnerabilities. It also runs automated attack path analysis and compliance checks against external regulations and standards, internal policies, and best practices. This keeps exposure assessments current, enabling organizations to stay ahead of potential threats.

Effective discovery is a cornerstone of an effective CTEM program. By leveraging RedSeal’s robust capabilities, organizations can confidently navigate the complexities of their networks, ensuring that they are prepared to mitigate risks and protect their valuable assets. With a reliable digital twin and automated assessments, RedSeal is pivotal in enhancing an organization’s security posture, making exposure management a proactive and ongoing endeavor. 

Read our blog on scoping, the first step in CTEM.

Reach out to RedSeal today to schedule a demo and learn about RedSeal’s role in supporting CTEM programs.

Make Network Security a Zero Trust Priority

The National Security Agency’s (NSA) Cybersecurity Information Sheet (CSI) titled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar” and the CISA Zero Trust Maturity Model version 2 underscore the importance of securing network environments in line with zero trust principles. Both documents emphasize an integrated approach to zero trust, placing network security alongside identity management, data protection, and continuous monitoring.

John Kindervag, the creator of zero trust, recently cautioned the cybersecurity industry about its overemphasis on identity management, reminding us of the critical role that network security plays in the zero trust framework. As organizations continue to mature their zero trust architectures, the NSA and CISA outline clear guidelines on how network security fits into the overall security strategy.

Key insights from the CISA and NSA zero trust guidance

1. Data flow mapping

The CISA Zero Trust Maturity Model v2 emphasizes the importance of understanding data flows across the network to enforce zero trust effectively. RedSeal’s network mapping capabilities align perfectly with this requirement. By visualizing network paths, RedSeal helps organizations identify unprotected data flows, ensuring that sensitive information does not traverse insecure network paths. This visibility is crucial for implementing micro- and macro-segmentation strategies.

2. Macro-segmentation and micro-segmentation

Both the NSA and CISA documents stress the need for segmentation as a core component of zero trust. Macro-segmentation involves dividing networks into broad security zones to limit lateral movement by attackers. RedSeal’s “Zones and Policies” feature supports this by enforcing policies that prevent unauthorized access between different zones, such as between departments or IT and operational technology environments.

Micro-segmentation, on the other hand, focuses on further reducing the attack surface within network segments. RedSeal’s policy management capabilities assist organizations in enforcing precise controls at a granular level. With RedSeal’s advanced network modeling, you can identify the most critical areas for micro-segmentation and ensure policies are applied effectively.

3. Software-defined networking (SDN)

RedSeal’s capabilities complement SDN implementations, which are highlighted by CISA and NSA as essential for creating dynamic, adaptable zero trust environments. SDN allows for more granular and flexible control over network traffic. RedSeal enhances these SDN strategies by providing deep insights into network structure and identifying potential vulnerabilities, which is crucial for crafting effective SDN policies.

4. Threat visibility and continuous monitoring

Continuous monitoring is a cornerstone of zero trust, as outlined by both the NSA and CISA. RedSeal’s continuous network visibility and monitoring allow organizations to stay vigilant and identify potential risks. The ability to verify network configurations continuously ensures that security policies remain effective and adaptive as threats evolve.

Advancing zero trust maturity with RedSeal

RedSeal is uniquely positioned to help organizations mature their zero trust architectures, particularly within the network and environment pillar. By delivering comprehensive network visibility, enabling effective segmentation, and supporting SDN strategies, RedSeal plays a critical role in limiting attack surfaces and strengthening an organization’s security posture.

Zero trust is not a one-size-fits-all approach, but by leveraging RedSeal’s capabilities, you can ensure your network security is robust, dynamic, and capable of meeting the stringent requirements outlined by both CISA and NSA.

Discover how RedSeal can enhance your zero trust journey by scheduling a demo or attending one of our free monthly Cyber Threat Hunt workshops.