All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of April 25, 2022. I’ve also included some comments on these stories.
Homeland Security bug bounty program uncovers 122 holes in its systems
The first bug bounty program by America's Department of Homeland Security has led to the discovery and disclosure of 122 vulnerabilities, 27 of which were deemed critical, states The Register. In total, more than 450 security researchers participated in the Hack DHS program and identified weaknesses in "select" external Dept of Homeland Security (DHS) systems.
DYLAN D’SILVA | Security Researcher at Tripwire
An interesting and proactive take on pen-testing, vulnerability management and bug bounty programs. It's great to see an organization "walk the talk" and publicly disclose that through their new program, properly vetted Security Researchers were able to identify 122 vulnerabilities with the Department of Homeland Security's systems, with 27 of those being deemed critical.
For those who are unfamiliar with what a bug bounty program is, most large technology companies offer a program where individuals who find and responsibly disclose bugs (especially ones that relate to security exploits and vulnerabilities) found in software are rewarded with recognition and compensation. Google, Apple, Microsoft, Facebook, Yahoo, Reddit, Square/Block all offer private bug bounty programs that can be quite lucrative for researchers. Apple recently paid $100K to one researcher who discovered 4 flaws related to a webcam hack (see my comments here).
Digging into the article a bit further, it looks like this is modeled after the DoD's "Hack the Pentagon" program, and broken into three phases:
- Find and remediate vulnerabilities with payouts
- Participate in a live in-person hacking event
- Identify lessons learned so future bug bounty programs can benefit
The goal is to create a model that can be used by other government organizations to shore up their cyber resilience. Also noted in the article is that cybercriminals are "upping their game" when it comes to exploiting zero-day vulnerabilities, which hit an all-time high last year.
All companies and organizations, no matter the size, need to take Vulnerability Management seriously. I cannot stress this enough. It is a critical piece of your overall cybersecurity strategy. If you're not sure where to start, CISA offers free cyber hygiene services including:
- Vulnerability Scanning
- Web Application Scanning
- Phishing Campaign Assessment
- Remote Penetration Testing
See https://www.cisa.gov/cyber-hygiene-services for more information. It should be noted that these services will most likely be available to American companies and government. You should look at your own country’s cyber resources to see what is available. One additional resource from CISA that any company can take advantage of is the Free Cyber Resilience Review, found here.
Experts warn of a surge in zero-day flaws observed and exploited in 2021
The number of zero-day vulnerabilities exploited in cyberattacks in the wild exploded in the last years, reports Security Affairs. Google and Mandiant have published two reports that highlight a surge in the discovery of zero-day flaws exploited by threat actors in attacks in the wild.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
There has been a significant increase in the number of zero-day vulnerabilities being exploited in 2021 as compared to previous years. Google reports this is in part due to better detection of exploitation rather than just an increase in zero-day vulnerabilities as a whole. The distribution of exploitation seems to trend toward financially motivated exploitation such as ransomware with the majority of the exploits being memory corruption.
Atlassian Patches Critical Authentication Bypass Vulnerability in Jira
Atlassian last week announced that its popular issue and project tracking software Jira is affected by a critical vulnerability and advised that customers take action. The security flaw, identified as CVE-2022-0540, is an authentication bypass issue that affects Seraph, the web authentication framework of Jira and Jira Service Management, Security Week reports.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
Atlassian Jira is subject to an authentication bypass vulnerability. This vulnerability would allow a remote unauthenticated attacker to bypass authentication. To exploit this issue an attacker has to send a specially crafted to a vulnerable version of Atlassian Jira. This vulnerability is referred to as CVE-2022-0540. It should be noted that Jira Cloud and Jira Service Management Cloud are not affected. Atlassian has released fixes that are included in the following versions: 8.13.18, 8.20.6, and 8.22.0. For a system to be vulnerable it requires apps to be configured with the webwork1 namespace and does not have a specified action level.
DYLAN D’SILVA | Security Researcher at Tripwire
For companies that leverage Atlassian and Jira, note that a new CVE has been identified that bypasses Seraph, the web authentication framework for Jira and Jura Service Management.
It was hard to track down any reliable data as to the overall market-share of Jira to get an idea of how many companies this could affect (estimates ranged anywhere from 20% to 80%+), but according to their website, they have 200K+ customers, including AirBnB, Cisco, eBay, Toyota, Redfin, NASA, Kaiser Permanente, and the list goes on.
Coming back to the flaw itself, security researchers found that a remote, unauthenticated attacker can exploit this vulnerability to bypass authentication by sending specially crafted HTTP Requests. For those unfamiliar with what an HTTP Request is, it is made by a client to a named host, usually located on a server, in which the aim of the request is to access resources on a server. Put plainly, whenever your browse different websites, click on links, download materials, etc., you are making different types of HTTP Requests.
It's been reported that many different versions of Jira are affected, but Cloud instances specifically are not. 1st and 3rd party applications (200+ located on the Marketplace) look to be affected, including two of Jira's own applications: Insight - Asset Management and Mobile Plugin for Jira; please see specifics below.
Two bundled Atlassian apps are affected:
- Insight - Asset Management; bundled in Jira Service Management Server and Data Center 4.15.0 and later.
- Mobile Plugin for Jira, bundled in Jira Server, Jira Software Server and Data Center 8.0.0 and later, Jira Service Management Server and Data Center 4.0.0 and later.
One standalone Atlassian app is affected:
- Insight - Asset Management version (Server, Data Center) versions < 8.10.0; available from the Atlassian Marketplace
Remediations and Recommendations
Before we get into how to patch this issue, let's talk about why I think this is a critical issue. Some of the top companies in the world leverage this product to be more productive. While not all companies are affected, as certain conditions must be met, and certain applications must be in use, take a moment to think about the amount and types of data that might be available to an attacker after they have exploited this vulnerability and bypassed authentication.
If you do not think Vulnerability Management applies to you/your company, look at some past events such as the Home Depot and Target Data Breaches, and in more recent weeks, the Lapsus$ hacking group which successfully targeted Microsoft, Samsung, Nvidia, Ubisoft, Okta, and now T-Mobile. While the methodologies of gaining access were different, these examples underscore the importance of having a sound Vulnerability and Risk Management program as a part of an overall Cybersecurity strategy.
- Atlassian has published a thorough FAQ for this security flaw, found here.
- Update to the fixed version as recommended, or if that is not possible, you may need to consider disabling the specific applications affected until a fix is available.
- If your company does not have a vulnerability management program/strategy in place to address new vulnerabilities as they are discovered, how can you protect your business? Vulnerability Management is a critical, key piece to the success of your overall cybersecurity strategy. Check out this article a more detailed, in-depth look on how to create an effective vulnerability management program.
- Switching over to a Critical Infrastructure lens, this could have large consequences for the CI Sectors and companies and use Atlassian and Jira to manage their workflow and development. I am not sure if this will make it onto the CISA BOD-22-01, but it would be best to keep an eye out.
American Dental Association hit by new Black Basta ransomware
The American Dental Association (ADA) was hit by a weekend cyberattack, causing them to shut down portions of their network while investigating the attack, Bleeping Computer reports. The ADA is a dentist and oral hygiene advocacy association providing training, workshops, and courses to its 175,000 members.
DYLAN D’SILVA | Security Researcher at Tripwire
Here is yet another attack on a healthcare agency/healthcare adjacent agency. This past weekend, the American Dental Association was hit with Ransomware. Based on what's been reported, it looks like they took the appropriate steps, in short order, to start dealing with the situation, including taking systems offline such as phone, email and webchat. This also looks to have a "trickle down" effect, as New York, Virginia and Florida State Dental associations all rely on the ADA's online services to register accounts and pay dues.
On a positive note, the ADA started proactively emailing members (using a backup email system) with an update about the attack, which is a critical piece, as transparency and open communication during incidents are key to maintaining good working relationships with your customers and partners. From this outside perspective, it looks like they followed standard incident response, including taking systems offline (to limit further damage), notifying law enforcement, and working with 3rd party cybersecurity specialists to triage and resolve.
While initial reports state that member information and other data had not been compromised, the ransomware gang, named Black Basta claimed responsibility for the attack and has begun leaking data stolen from the attack. From what's been reported so far, 2.8GB of data has been released, which the gang claims is only 30% of the stolen data, which includes: W2s, NDAs, spreadsheets, and screenshots.
Thoughts and Recommendations
- As noted in the article, ADA members need to be cognizant of targeted spear-phishing campaigns/emails that will attempt to steal login credentials and other sensitive data, as well as avoid exposing any remote desktop services.
- Review your incident response plans and just as importantly, practice them! You don't need additional confusion during an actual incident.
- Review your Vulnerability Management Program and Risk Identification Program frequently. This should be an ongoing exercise for your team ensuring all your systems (hardware, software, cloud etc.) are patched.
- Review your network architecture to ensure there is proper segmentation between systems and departments. This will help limit damage in the event of an actual cyberattack.
- Review your Backup and DRP plans. If you need to restore systems and data, do you know where this is all stored, what the procedures are, and when the last good known backups were produced?
- Provide ongoing education and training for your employees on phishing and email scams. This will help them to spot and stop potential attempts before they start.
- Revisit your cybersecurity policies and procedures. Compare them against the current best practices, frameworks, and controls, such as NIST, and CIS (Controls & Benchmarks). See resources:
- I am acutely aware that all these recommendations take time and money and people resources to implement, which are typically in short supply for small to medium businesses. The Canadian Government has published some great starter information, including Baseline Cyber Security Controls for Small and Medium Organization. I would posit though, that the time and resources spent investing in securing your business would pale in comparison to an actual cyberattack perpetrated against your business, both from monetary and reputational perspectives; There is a reason that companies purchase Cybercrime Insurance.
CISA Adds Seven Known Exploited Vulnerabilities to Catalog
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise, notes CISA.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
CISA, with the Binding Operational Directive 22-01, has a catalog that is routinely updated to add vulnerabilities that are being exploited in the wild. This list is a powerful tool to significantly reduce the risk of vulnerabilities by creating a targeted list for people to protect against. Seven new vulnerabilities have been recently added, so make sure to check it frequently.
76% of Organizations Worldwide Expect to Suffer a Cyberattack This Year
A new study shows that ransomware, phishing/social engineering, denial of service (DoS) attacks, and the business fallout of a data breach rank as the top concerns of global organizations, explains Dark Reading.
DYLAN D’SILVA | Security Researcher at Tripwire
If this is not a giant red flag, I don't know what is. In a new study published by Trend Micro and Ponemon Institute which polled a number of global organizations, the results found that 76% of them expect to be a victim of a cyberattack within the next 12 months. In 2021, 80% of the 3400 professionals stated that their organization had suffered from one or more cyberattacks within the year. 35% of those stated their organization had suffered from seven or more attacks.
Cybersecurity and Cyber Resilience are ongoing exercises that never sleep; which is unfortunate. My hope would be that at a minimum, all 76% of those organizations are updating their policies and procedures as the threat landscape continues to shift and evolve. My real hope though would be that all organizations are taking the necessary steps required to reduce their attack vectors and shrink their attack surfaces, which are not easy and simple things to accomplish as they require time, money and people resources. As your business evolves and grows, so too should your cybersecurity and risk management strategy.
If you/your company are not familiar with the best places to start building your cybersecurity strategy, take a look at some well thought out frameworks such as NIST and CIS Controls. These are great starting places to develop your plan. Different companies and industries are going to have different priorities, and cybersecurity may not always be at the top of that list. I would argue though, that priorities should be re-evaluated in order to prioritize cybersecurity, as it's not a matter of if your company is going to be attacked, it's simply a matter of when.
Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System
Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities, notes The Hacker News.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
The attack vector for malicious actors is ever expanding on all operating systems. One recently published example is this Linux attack vector that is compounded by multiple vulnerabilities in the network-dispatcher. Allowing attackers root access opens them to run any code they wish on the machine.
Millions of Java Apps Remain Vulnerable to Log4Shell
Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found. Threat Post reports.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
Log4Shell vulnerabilities are still present and are being exploited. This occurs because users may not even know that they have vulnerable versions of the product. Containers are easy to deploy and users may not even consider the vulnerabilities that are present in it. Users that are deploying a container should manually review or scan for known vulnerabilities. With Log4Shell being remote code execution users should easily find this vulnerability.
Hands on with Microsoft Edge's new built-in VPN feature
Microsoft is working on a built-in VPN functionality for the Edge browser called 'Edge Secure Network', but there's a catch - it is not a regular VPN. Bleeping Computer notes that Edge's Secure Network is powered by Cloudflare - one of the most trusted DNS hosts in the industry - and it aims to protect your device and sensitive data as you browse.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
Microsoft Edge will be getting a built-in VPN for security. This VPN will have a 1 GB limit on the connection and traffic will be routed through Cloudflare.
Internet traffic is normally encrypted when using HTTPS because TLS provides protection. TLS encrypts internet traffic and removes the chance of an attacker intercepting usable information. Most personal information that is sent over the internet should be protected by TLS. However, normal HTTP transmission will occur without encryption. HTTP requests do not encrypt data and users should verify that the site provides TLS encryption.
A VPN can provide local network protection against attackers intercepting usable personal information, but HTTP and other unencrypted traffic can usually be intercepted after the VPN endpoint. This means if you are connected to a public hotspot the data will be locally encrypted, but it will still be visible after it exits the VPN. This means that the VPN carrier or any attackers in between the VPN endpoint and the site would still be able to capture data that is not encrypted.
Cybercriminals Using New Malware Loader 'Bumblebee' in the Wild
Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that's under active development, noted The Hacker News on April 28.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
Malware is always evolving and a new example of this is Bumblebee, a new malware loader. This new loader is speculated to be replacing BazaLoader and IcedID and appears to still be under active development. As malware adapts, so must security and learning about malware as it changes helps teams to improve their approach.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.
