• Search for:
    19Dec, 2023
    Five Eyes Agencies Publish Guidance on Eliminating Memory Safety Bugs

    Government agencies in the US, UK, Canada, Australia, and New Zealand have published guidance for software makers to eliminate memory safety vulnerabilities.

    The document, named Case for Memory Safe Roadmaps (PDF), recommends the adoption of memory safe programming languages (MSLs), which will help eliminate well-known and common coding errors that threat actors routinely exploit in malicious attacks.

    The guidance also provides software manufacturers with instructions on “creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products”.

    Memory safety bugs, the Five Eyes government agencies note, persist despite significant efforts put into reducing their prevalence. Transitioning to an MSL, however, should eliminate this type of security flaws and reduce their impact, allowing both developers and customers to invest resources in other areas.

    “Eliminating this vulnerability class should be seen as a business imperative likely requiring participation from many departments. The authoring agencies urge executives to lead from the top by publicly identifying senior staff who will drive publication of their roadmap and assist with realigning resources as needed,” the guidance reads.

    Some of the mitigation methods used to reduce memory safety bugs include developer training, code coverage (testing as much code as possible), secure code guidelines, fuzzing, the use of static application security testing (SAST) and dynamic application security testing (DAST) tools, and the use of safer language subsets.

    To reduce the impact of this type of vulnerabilities, defenders have marked memory segments as non-executable, adopted Control Flow Integrity (CFI), Address Space Layout Randomization (ASLR), sandboxing, and other mitigation methods, and are considering the use of hardware to support memory protections.

    “Despite software manufacturers investing vast resources attempting to mitigate memory safety vulnerabilities, they remain pervasive. Customers must then expend significant resources responding to these vulnerabilities through both onerous patch management programs and incident response activities,” the guidance reads.

    The adoption of MSLs should bring benefits to both software makers and their customers, by improving code reliability, reducing the need to patch the reported vulnerabilities and the number of emergency releases, and ultimately reducing the number of urgent updates that customers will need to install, as well as data breaches.

    “In addition to bringing benefits to software manufacturers and their customers, MSLs reduce a product’s attack surface. That reduction in attack surface will increase the cost to malicious actors who then need to invest more resources discovering other exploitable vulnerabilities,” the guidance reads.

    When developing a memory safety roadmap, software manufacturers should consider how to prioritize transition, the use of appropriate MSLs, and how they will train developers. For each of these aspects, the Five Eyes agencies recommend specific steps to follow.

    The guidance also provides an overview of the implementation challenges that software makers will encounter when adopting MSLs, as well as details on the elements that a memory safety roadmap should include.

    “The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases,” the guidance reads.

    The guide was authored by the US cybersecurity agency CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Cyber Security Centre, the Canadian Centre for Cyber Security, UK’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team.

    Resource : https://www.securityweek.com/five-eyes-agencies-publish-guidance-on-eliminating-memory-safety-bugs/

    19Dec, 2023
    MITRE Unveils EMB3D Threat Model for Embedded Devices Used in Critical Infrastructure

    MITRE has teamed up with the cybersecurity community and the industrial sector to create EMB3D, a threat model specifically designed for embedded devices used in critical infrastructure.

    EMB3D is the work of MITRE, Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas. 

    Its goal is to provide a collaborative framework that enables organizations to have a common understanding of the threats targeting embedded devices and how those threats can be mitigated. 

    The new threat model — recommended for manufacturers, vendors, asset owners, testers and security researchers — expands on resources such as ATT&CK, CVE and CWE, with a focus on embedded devices. It provides a knowledge base of threats, including ones seen in the wild and ones demonstrated through theoretic research and proofs of concept. 

    In order to help users create and tailor threat models to specific devices, threats are mapped to device properties. The mitigations suggested by EMB3D are exclusively focused on technical mechanisms that can be implemented by device vendors. 

    “The EMB3D model will provide a means for ICS device manufacturers to understand the evolving threat landscape and potential available mitigations earlier in the design cycle, resulting in more inherently secure devices,” Pearson said. “This will eliminate or reduce the need to ‘bolt on’ security after the fact, resulting in more secure infrastructure and reduced security costs.” 

    The framework will be continuously updated by its maintainers and the cybersecurity community with new information on threat actors, vulnerabilities and defenses. 

    EMB3D is in a pre-release review period, with device vendors, asset owners, academics and researchers being encouraged to review the framework before its official launch, which is scheduled for early 2024.

    Resource : https://www.securityweek.com/mitre-unveils-emb3d-threat-model-for-embedded-devices-used-in-critical-infrastructure/

    18Dec, 2023
    MongoDB Suffers Security Breach, Exposing Customer Data

    MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

    The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

    It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

    In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

    That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

    When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

    Resource : https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

    18Dec, 2023
    5 Critical Steps to Prepare for AI-Powered Malware in Your Connected Asset Ecosystem

    Despite the hype and the seemingly endless stream of news stories that may have led you to believe that the opposite is already the case, actual hard evidence of criminal use of AI is as rare as the proverbial hobbyhorse-based fertilizer. Though it is impossible to deny that criminal interest abounds, they lack the toolset or skills to do something about it yet.

    Over the course of 2023, there have been multiple Large Language Model (LLM)-based services advertised on cybercriminal forums and Telegram channels, pushing services with names such as WolfGPT, Evil GPT or DarkBARD. However, even these services, it seems, are either scams in themselves or simply short-lived wrapper services that sell access to a legitimate LLM through stolen credentials and jailbroken user prompts. The possible exception to all this was WormGPT, a service that was permanently shuttered after a mere two months when the creators had enough of the media exposure they garnered. Voice synthesis has already been used in a few fake kidnap extortion attempts and possibly in one or two Business Email Compromise attacks as well, but that’s about it.

    So why talk about strategies and steps to prepare for AI-powered malware? Well, to quote Joseph Heller’s Catch-22, “Just because you’re paranoid doesn’t mean they aren’t after you”.

    AI-powered malware (as opposed to AI-generated) represents a new frontier in the ever-expanding portfolio of malicious cyber capability. To me, this category will encompass a wide range of sophisticated techniques where artificial intelligence is utilized to enhance the effectiveness and stealth of malicious activities including:

    Fake content generation

    The capabilities offered by Generative Adversarial Networks (GAN) and LLMs will allow threat actors to create entirely fake, but legitimate looking image and video-based content for social media. This content, used in combination with LLM-enhanced messaging has the potential to convince the unwitting or the highly targeted to click on malicious links and to assist in further propagation through organic sharing.

    Enhanced phishing lures

    AI-powered attacks go beyond traditional phishing methods. AI-powered tools make light work of the research and footprinting activities that were previously reserved for more sophisticated attacks. AI-enhanced phishing will be highly targeted and well. These emails will not only be more convincing, but threat actors will also be able to automate the fine-tuning of content and tactics in near real-time. This level of sophistication increases the likelihood of successful social engineering attacks and credential harvesting.

    AI-Generated or Assisted Malware

    In more advanced scenarios, AI will be directly involved in the development and execution of malware. While contemporary examples are rare, such the Black Mamba proof of concept from Hyas Labs, they do showcase the potential of AI to assist in crafting malware. In reality, the Black Mamba PoC offered little in the way of new functionality; abuse of legitimate sites for C2, polymorphism, and writing malicious code solely to memory are hardly innovative.

    There is an argument to be made though that this approach was already hamstrung by restricting itself to human thought processes. Asking an AI to develop and idea formulated by a human fails to maximize the innovate potential of AI. Outside of this paradigm, the potential for the development of AI-assisted or AI-generated malware, that is not only evasive but can adapt its behavior based on the target environment, is real. This will pose a significant challenge for traditional cybersecurity measures, equally constrained by human understanding.

    The potential threat isn’t limited to conventional computing systems. Internet of Things (IoT) and Operational Technology (OT) devices, integral components of many connected ecosystems, are increasingly targeted for sophisticated cyberattacks. AI-powered malware could just as easily exploit vulnerabilities in IoT devices, gaining unauthorized access to networks. Malicious actors can leverage AI to craft attacks tailored to the specific vulnerabilities of IoT devices, potentially causing disruptions or unauthorized access.

    OT involved in industrial processes and critical infrastructure is equally at risk. AI-powered malware may target these systems, leading to disruptions in manufacturing, energy production, or even transportation. The ability of AI to analyze and adapt to intricate OT environments poses a unique challenge, overcoming the knowledge-gap that has for so long been a barrier to the widespread dissemination of attacks.

    A comprehensive strategy that recognizes the distinct challenges posed by AI-powered malware in these environments is crucial to ensure the resilience and security of connected ecosystems in the future. Here are five critical steps to optimize defenses and prepare for the challenge.

    Complete visibility

    The ability to see and understand every connected asset in your environment is crucial. It enables the detection of anomalous behavior, identification of risk, and a swift response to potential threats. Effective security relies on the solid foundation of visibility. Know good; detect bad.

    Continuous Risk Assessment

    Traditional risk assessments are point-in-time evaluations, but as AI algorithms learn and adapt, the risks to a system will change dynamically. Continuous risk assessment means evaluating security posture in real time, identifying changes, anomalies, and emerging risk, and adapting defenses accordingly.

    Minimize Attack Surface

    AI-powered attacks will often exploit vulnerabilities in systems and processes. By minimizing the attack surface, organizations can significantly reduce the potential vectors for attack and make it more challenging for malicious actors to find and exploit weaknesses. This means not only securing unnecessary services, closing unused ports, and limiting user privileges, but also evaluating business processes that socially engineered attacks may seek to exploit.

    Build a Defensible Environment

    A defensible environment is one that is designed with security in mind from the ground up, or one that has been holistically re-evaluated from the same perspective. Strong authentication mechanisms, encryption of sensitive data, and properly segmented networks all help to mitigate and contain potential breaches. In the face of AI-powered attacks, a defensible environment means that even if one part of the system is compromised, the overall integrity of the network remains resilient, making it more challenging for attackers to move laterally and escalate privileges.

    Manage, Automate, Monitor, Respond, Archive

    AI-powered attacks will become progressively more common, and a well-rounded security approach involves more than simply managing incidents effectively. Automation helps in responding to threats at machine speed, and archiving data is crucial for post-incident analysis and further response. The knowledge that a specific asset has been compromised facilitates immediate proactive steps in securing all other devices that fit that same risk profile.

    These five points represent an outline for effective preparation to defend against future AI-powered attacks. They emphasize proactive measures, adaptability, and a holistic approach to cybersecurity. As AI continues to evolve, a defensive strategy that is equally dynamic and adaptable is essential for organizations to stay ahead of emerging threats.

    Resource : https://www.securityweek.com/5-critical-steps-to-prepare-for-ai-powered-malware-in-your-connected-asset-ecosystem/

    16Dec, 2023
    How to Analyze Malware’s Network Traffic in A Sandbox

    Malware analysis encompasses a broad range of activities, including examining the malware’s network traffic. To be effective at it, it’s crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you’ll need to address them.

    Decrypting HTTPS traffic

    Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure online communication, has become a tool for malware to conceal their malicious activities. By cloaking data exchange between infected devices and command-and-control (C&C) servers, malware can operate undetected, exfiltrating sensitive data, installing additional payloads, and receiving instructions from the operators.

    Yet, with the right tool, decrypting HTTPS traffic is an easy task. For this purpose, we can use a man-in-the-middle (MITM) proxy. The MITM proxy works as an intermediary between the client and the server, intercepting their communication.

    The MITM proxy aids analysts in real-time monitoring of the malware’s network traffic, providing them with a clear view of its activities. Among other things, analysts can access content of request and response packets, IPs, and URLs to view the details of the malware’s communication and identify stolen data. The tool is particularly useful for extracting SSL keys used by the malware.

    In this example, the initial file, 237.06 KB in size, drops AxilStealer’s executable file, 129.54 KB in size. As a typical stealer, it gains access to passwords stored in web browsers and begins to transfer them to attackers via a Telegram messenger connection.

    The malicious activity is indicated by the rule “STEALER [ANY.RUN] Attempt to exfiltrate via Telegram”. Thanks to the MITM proxy feature, the malware’s traffic is decrypted, revealing more details about the incident.Malware Analysis

    Use a MITM proxy and dozens of other advanced features for in-depth malware analysis in the ANY.RUN sandbox.Request a free trial

    Discovering malware’s family

    Malware family identification is a crucial part of any cyber investigation. Yara and Suricata rules are commonly used tools for this task, but their effectiveness may be limited when dealing with malware samples whose servers are no longer active.

    FakeNET offers a solution to this challenge by creating a fake server connection that responds to malware requests. Tricking the malware to send a request triggers a Suricata or YARA rule, which accurately identifies the malware family.

    Catching geo-targeted and evasive malware

    Many attacks and phishing campaigns focus on specific geographic regions or countries. Subsequently, they incorporate mechanisms like IP geolocation, language detection, or website blocking which may limit analysts’ ability to detect them.

    Alongside geo-targeting, malware operators may leverage techniques to evade analysis in sandbox environments. A common approach is to verify whether the system is using a datacenter IP address. If confirmed, the malicious software stops execution.

    To counter these obstacles, analysts use a residential proxy. This nifty tool works by switching the IP address of the analyst’s device or virtual machine to ordinary users’ residential IPs from different parts of the world.

    This feature empowers professionals to bypass geo-restrictions by mimicking local users and study malicious activities without revealing their sandbox environment.

    Try all of these tools in ANY.RUN

    Setting up and using each of the aforementioned tools individually can take a lot of effort. To access and utilize all of them with ease, use the cloud-based ANY.RUN sandbox.

    The key feature of the service is interactivity, allowing you to safely engage with malware and the infected system just like you would on your own computer.

    You can explore these and numerous other features of ANY.RUN, including private space for your team, Windows 7, 8, 10, 11 VMs, and API integration completely for free.

    Just use a 14-day trial, no strings attached.

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    Resource : https://thehackernews.com/2023/12/how-to-analyze-malwares-network-traffic.html

    16Dec, 2023
    New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now

    Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances.

    The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

    “Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks,” security researcher Oskar Zeino-Mahmalat said.

    “Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network.”

    Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection.

    A brief description of the flaws is given below –

    • CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
    • CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
    • CVE-2023-42326 (CVSS score: 8.8) – A lack of validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

    Reflected XSS attacks, also called non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed on the victim’s web browser.

    As a result, attacks of this kind are triggered by means of crafted links embedded in phishing messages or a third-party website, for example, in a comment section or in the form of links shared on social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim’s permissions.

    “Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack,” Zeino-Mahmalat said.

    Following responsible disclosure on July 3, 2023, the flaws were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 released last month.

    The development comes weeks after Sonar detailed a remote code execution flaw in Microsoft Visual Studio Code’s built-in integration of npm (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of its Patch Tuesday updates for September 2023.

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    Resource : https://thehackernews.com/2023/12/new-security-vulnerabilities-uncovered.html

    14Dec, 2023
    New AI Safety Initiative Aims to Set Responsible Standards for Artificial Intelligence

    Several major artificial intelligence software vendors have signed on to a new security initiative out of the not-for-profit Cloud Security Alliance (CSA) to create trusted best practices for generative-AI technology.

    The new AI Safety Initiative has attracted participation from tech heavyweights Microsoft, Amazon and Google OpenAI and Anthropic and plans to work on tools, templates and data for deploying AI/LLM technology in a safe, ethical and compliant manner.

    “The AI Safety Initiative is actively developing practical safeguards for today’s generative AI, structured in a way to help prepare for the future of much more powerful AI systems. Its goal is to reduce risks and amplify the positive impact of AI across all sectors,” the group said in a statement.

    The immediate plan is to create security best practices for AI use and deployment and make them freely available.  According to the CSA, the goal is to give customers of all sizes confidence to accelerate responsible adoption due to the presence of guidelines for usage that mitigate risks.

    The AI Safety initiative will complement AI assurance programs within governments “with a healthy degree of industry self-regulation,” and provide what is described as “forward thinking program to address critical ethical issues and impact to society resulting from significant advances in AI over the next several years.”

    Veteran cybersecurity executive Caleb Sima, who is chairing the new initiative, said generative-AI technology like chatbots and image manipulation tools have begun to reshape the world but warns that it comes with immense risk.

    “Uniting to share knowledge and best practices is crucial. The collaborative spirit of leaders crossing competitive boundaries to educate and implement best practices has enabled us to build the best recommendations for the industry,” Sima said.

    The group has exceeded 1,500 expert participants, the largest in the 14-year history of the Cloud Security Alliance. 

    Resource : https://www.securityweek.com/new-ai-safety-initiative-aims-to-set-responsible-standards-for-artificial-intelligence/

    14Dec, 2023
    Cloud engineer gets 2 years for wiping ex-employer’s code repos

    Miklos Daniel Brody, a cloud engineer, was sentenced to two years in prison and a restitution of $529,000 for wiping the code repositories of his former employer in retaliation for being fired by the company. 

    First Republic Bank was a commercial bank in the U.S., employing over seven thousand people and having an annual revenue of $6.75 billion. The bank closed on May 1, 2023, and was sold to JPMorgan Chase.

    According to the U.S. Department of Justice (DoJ) announcement, Brody was fired on March 11, 2020, from First Republic Bank (FRB) in San Francisco, where he worked as a cloud engineer.

    The court documents state that Brody’s employment was terminated after he violated company policies by connecting a USB drive containing pornography to company computers.

    Following his dismissal, Brody allegedly refused to return his work laptop and instead used his still-valid account to access the bank’s computer network and cause damages estimated to be above $220,000

    “Among other things, Brody deleted the bank’s code repositories, ran a malicious script to delete logs, left taunts within the bank’s code for former colleagues, and impersonated other bank employees by opening sessions in their names,” describes the U.S. DOJ announcement.

    “He also emailed himself proprietary bank code that he had worked on as an employee, which was valued at over $5,000.”

    Until his access to FRB’s network was eventually terminated on March 12, 2020, Brody had performed the following actions:

    • Ran a malicious script named “dar.sh” to wipe FRB’s servers
    • Deleted git logs and git commit history for the particular script
    • Accessed FRB’s GitHub repository and deleted the hosted code
    • Inserted ‘taunts’ in the code, including references to “grok”
    • Impersonated another cloud engineer at FRB to access the firm’s network and make configuration changes

    After the incident, Brody falsely reported to the San Francisco Police Department that the FRB-issued laptop had been stolen from his car.

    He continued to uphold this story when interviewed by United States Secret Service agents following his arrest in March 2021.

    Eventually, in April 2023, Brody pleaded guilty to lying about the laptop and to two charges concerning violation of the Computer Fraud and Abuse Act.

    In addition to the two-year prison term and the payment of the restitution, Brody will serve three years of supervised release.

    Resource : https://www.bleepingcomputer.com/news/security/cloud-engineer-gets-2-years-for-wiping-ex-employers-code-repos/

    13Dec, 2023
    Scaling Security Operations with Automation

    In an increasingly complex and fast-paced digital landscape, organizations strive to protect themselves from various security threats. However, limited resources often hinder security teams when combatting these threats, making it difficult to keep up with the growing number of security incidents and alerts. Implementing automation throughout security operations helps security teams alleviate these challenges by streamlining repetitive tasks, reducing the risk of human error, and allowing them to focus on higher-value initiatives.

    While automation offers significant benefits, there is no foolproof method or process to guarantee success. Clear definitions, consistent implementation, and standardized processes are crucial for optimal results. Without guidelines, manual and time-consuming methods can undermine the effectiveness of automation.

    This blog explores the challenges faced by security operations teams when implementing automation and the practical steps needed to build a strong foundation for successful implementation.

    The Automation Challenge

    Organizations often struggle with automation due to a lack of well-documented processes and limited resources. With constant alerts and fires to put out, security teams are often spread thin, and only have time to focus on the task in front of them. This leaves them little to no time for proper documentation of processes and procedures. This, along with other factors such as maturity and process monitorability, contributes to the challenges security teams face when implementing automation. Successful automation requires a pragmatic approach, where teams identify and prioritize processes that are feasible and provide the greatest impact on efficiency and risk reduction.

    When considering the feasibility of automation, it becomes crucial to assess whether the processes and procedures in place can be seamlessly automated from start to finish. Not all tasks are suitable for complete end-to-end automation. The decision to automate certain processes should be based on factors like the organization’s maturity level, the available time and resources, and the ability to monitor and ensure the feasibility of the automation efforts. It requires careful evaluation to determine if automation makes sense and can effectively streamline security operations.

    Identifying Automation Maturity

    To reach effective security automation, organizations must assess their readiness and maturity level. A comprehensive assessment involves evaluating three critical investigation processes.

    Evidence Gathering

    This process involves querying information across the organization’s technology environment. Historically, the biggest problem with this process is that it has been manual. Organizations usually have a multitude of different technologies, all of which speak their own different languages, resulting in extensive amounts of time spent pivoting from tool to tool gathering data for any given investigation.

    Automation can greatly enhance this stage by unifying and simplifying queries, thereby eliminating the complexities associated with different logging systems and query nomenclatures. A security orchestration, automation, and response (SOAR) solution can prove to be extremely useful here. However, the main hurdle with implementing SOARs lies in integration, maintenance, and upkeep. If organizations are already facing resource constraints, attempting to set up a SOAR becomes even more challenging as they may not have sufficient people available to handle incidents effectively while also maintaining a SOAR.

    Analysis

    Once evidence is gathered, the analysis stage takes the output of evidence gathering and analyzes it against internal and external. Automation can help extract insights, identify patterns, and accelerate the detection of potential threats, but it is important to note that the analysis process often requires human intervention to ensure accuracy and effectiveness.

    Depending on what is being analyzed, human involvement may be necessary. For instance, when dealing with critical assets, vulnerability scanning, or identifying all the root and admin accounts within a system, it’s essential to have internal human intelligence reviewing and verifying the information.

    Remediation

    This process involves responding effectively to true-positive alerts within an environment. Remediation greatly depends on the efficacy of everything built before that. It’s going to be extremely difficult to have confidence in your remediation process if you don’t have all the data, you need or if there are gaps in your internal or external intelligence.

    Practical Automation Development

    It’s crucial to understand what processes and procedures are in place when responding to threats. Depending on where an organization is in their maturity journey, it might be hard to know where to start with implementing automation. Building a solid foundation for automation involves following a systematic and iterative approach. Below are five steps organizations can use to better implement automation:

    1. Interview Security Teams: Engage with security teams about their existing processes and identify use cases suitable for automation.
    2. Identify Use Cases: Identify automation use case opportunities based on those interviews. Prioritize high-volume, repetitive tasks or those with significant human effort. Focus on one process at a time to avoid complications caused by rushing through multiple processes without proper understanding and development.
    3. Document Findings: During the documentation phase, analyze actions in consoles and compare them with the corresponding API endpoints. Changing technologies and unexpected variables can disrupt processes. To mitigate any disruptions, it’s crucial to have a solid understanding of the APIs being used and document the findings thoroughly. By integrating this documentation into the overall workflow, any deviations from the initial assumptions can be identified and addressed promptly.
    4. Develop a Feedback Loop: Incorporate the security operations team’s insights, suggestions, and expertise throughout the development process to ensure the automation solution aligns with the organization’s needs and enhances productivity.
    5. Measure and Assess: After implementing automation, measure its effectiveness and efficiency. Continuously assess the impact and gather feedback from the security team. Use these insights to fine-tune the automation techniques and address any emerging edge cases.

    To have a successful automation foundation, it’s not enough to simply create and deploy automation solutions. It’s also important to integrate automation into existing security operations workflows. This process of operationalization ensures that automated processes and human decision-making can work together seamlessly.

    Conclusion

    Implementing automation is crucial for organizations to combat the increasing security threats in today’s digital landscape. It streamlines tasks, reduces human errors, and enables security teams to focus on higher-value initiatives. However, success in automation requires clear definitions, consistent implementation, and standardized processes. Organizations should assess feasibility, readiness, and maturity level, and follow a systematic approach for practical automation development. By integrating automation into existing workflows and identifying relevant use cases, security teams can maximize the benefits and leverage the expertise of professionals. A solid foundation for automation can reduce response times, improve accuracy, minimize errors, and enhance threat detection in various security processes for organizations.

    Resource : https://thehackernews.com/2023/12/scaling-security-operations-with.html

    13Dec, 2023
    50K WordPress sites exposed to RCE attacks by critical bug in backup plugin

    A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites.

    Known as Backup Migration, the plugin helps admins automate site backups to local storage or a Google Drive account.

    The security bug (tracked as CVE-2023-6553 and rated with a 9.8/10 severity score) was discovered by a team of bug hunters known as Nex Team, who reported it to WordPress security firm Wordfence under a recently launched bug bounty program.

    It impacts all plugin versions up to and including Backup Migration 1.3.6, and malicious actors can exploit it in low-complexity attacks without user interaction.

    CVE-2023-6553 allows unauthenticated attackers to take over targeted websites by gaining remote code execution through PHP code injection via the /includes/backup-heart.php file.

    “This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server,” Wordfence said on Monday.

    “By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.”

    In the /includes/backup-heart.php file used by the Backup Migration plugin, an attempt is made to incorporate bypasser.php from the BMI_INCLUDES directory (defined by merging BMI_ROOT_DIR with the includes string) at line 118.

    However, BMI_ROOT_DIR is defined through the content-dir HTTP header found on line 62, thereby making BMI_ROOT_DIR subject to user control.

    Patch released within hours

    Wordfence reported the critical security flaw to BackupBliss, the development team behind the Backup Migration plugin, on December 6, with the developers releasing a patch hours later.

    However, despite the release of the patched Backup Migration 1.3.8 plugin version on the day of the report, almost 50,000 WordPress websites using a vulnerable version still have to be secured nearly one week later, as WordPress.org org download stats show.

    Admins are strongly advised to secure their websites against potential CVE-2023-6553 attacks, given that this is a critical vulnerability that unauthenticated malicious actors can exploit remotely.

    WordPress administrators are also being targeted by a phishing campaign attempting to trick them into installing malicious plugins using fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 as bait.

    Last week, WordPress also fixed a Property Oriented Programming (POP) chain vulnerability that could allow attackers to gain arbitrary PHP code execution under certain conditions (when combined with some plugins in multisite installations).

    Resource : https://www.bleepingcomputer.com/news/security/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin/?&web_view=true