Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models

Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.

Tracked as CVE-2021-34991 (CVSS score: 8.8), the pre-authentication buffer overflow in small office and home office (SOHO) routers can lead to code execution as root. The bug resides in the routers' Universal Plug and Play (UPnP) service, the feature that lets devices discover each other on the same local network and open the ports they need to reach the public Internet.

Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices.

Specifically, the vulnerability stems from the fact that the UPnP daemon accepts unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests. These are the event-subscription messages of UPnP's General Event Notification Architecture (GENA), which a control point uses to sign up for, and later cancel, notifications from a device when certain state or configuration changes, such as media sharing, happen.

But according to GRIMM security researcher Adam Nichols, there is a stack-based buffer overflow in the code that handles UNSUBSCRIBE requests, which lets an adversary send a specially crafted HTTP request and run arbitrary code on the affected device, including resetting the administrator password and delivering arbitrary payloads. Once the password has been reset, the attacker can log in to the web server and modify any setting or launch further attacks on the web server.
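The practical lesson of an unauthenticated UNSUBSCRIBE handler that trusts header lengths is that the request should be validated before a native parser ever sees it. The following is an added example, not Netgear's code or GRIMM's research tooling: a Python pre-filter that parses a raw GENA UNSUBSCRIBE request, applies the header rules the UPnP Device Architecture places on that method (HOST and a "uuid:" SID are required; NT and CALLBACK are not allowed), and rejects oversized header values up front. The size limits, the event path, the device address and the sample requests are all constructed for this illustration.

```python
import re

# Assumed limits for this illustration (not taken from any Netgear firmware).
MAX_REQUEST_BYTES = 4096
MAX_HEADER_VALUE = 256          # a "uuid:<36-char>" SID is 41 bytes
SID_RE = re.compile(r"^uuid:[0-9a-fA-F-]{36}$")


def parse_request(raw: bytes):
    """Parse a raw HTTP/1.1 request into (method, target, headers).

    Raises ValueError on malformed framing, duplicate headers or any header
    value longer than MAX_HEADER_VALUE, i.e. before the value is copied anywhere.
    """
    if len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("request too large")
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # No whitespace is permitted between the field name and the colon.
        if not colon or not name or name != name.strip():
            raise ValueError("bad header line")
        key = name.decode("ascii", "strict").lower()
        value = value.strip()
        if key in headers:
            raise ValueError(f"duplicate header {key}")
        if len(value) > MAX_HEADER_VALUE:
            raise ValueError(f"header {key} too long ({len(value)} bytes)")
        headers[key] = value.decode("latin-1")
    return parts[0].decode("ascii"), parts[1].decode("ascii"), headers


def check_unsubscribe(raw: bytes):
    """Return the (status_code, reason) a gateway should answer with.

    200 means the request is well-formed and safe to hand to the event handler;
    the error codes follow the UPnP Device Architecture's rules for UNSUBSCRIBE.
    """
    try:
        method, _target, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return 400, f"malformed: {exc}"
    if method != "UNSUBSCRIBE":
        return 405, "not an UNSUBSCRIBE"
    if "host" not in headers:
        return 400, "HOST header required"
    # UDA: an UNSUBSCRIBE carrying NT or CALLBACK alongside SID is a 400.
    if "nt" in headers or "callback" in headers:
        return 400, "NT/CALLBACK not allowed on UNSUBSCRIBE"
    sid = headers.get("sid")
    if sid is None:
        return 412, "SID header missing"          # UDA: 412 Precondition Failed
    if not SID_RE.match(sid):
        return 412, "SID is not a uuid: value"
    return 200, "ok"


# Constructed sample requests (no real device involved).
GOOD = (b"UNSUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
        b"HOST: 192.168.1.1:5000\r\n"
        b"SID: uuid:7f3b2c0e-1a2b-4c3d-9e8f-0123456789ab\r\n\r\n")

# An attacker-style request: a SID far longer than any handler's fixed buffer.
OVERSIZED = (b"UNSUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
             b"HOST: 192.168.1.1:5000\r\n"
             b"SID: " + b"A" * 2000 + b"\r\n\r\n")

# SID and NT together: the spec says this must be refused, not processed.
MIXED = (b"UNSUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
         b"HOST: 192.168.1.1:5000\r\n"
         b"SID: uuid:7f3b2c0e-1a2b-4c3d-9e8f-0123456789ab\r\n"
         b"NT: upnp:event\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("oversized", OVERSIZED), ("mixed", MIXED)):
        print(name, check_unsubscribe(req))
```

The check is deliberately placed in the parser rather than in the UNSUBSCRIBE handler: a length limit enforced once on every header value protects every handler behind it, whereas a fix in the UNSUBSCRIBE path alone leaves the SUBSCRIBE path, which accepts the same unauthenticated traffic, to be audited separately. On a real gateway the same filter belongs at the network edge too: UPnP eventing has no business being reachable from the WAN side.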

How to Build a Security Awareness Training Program that Yields Measurable Results

Organizations have been worrying about cyber security since the advent of the technological age. Today, digital transformation coupled with the rise of remote work has made the need for security awareness all the more critical.

Cyber security professionals are continuously thinking about how to prevent breaches, and employees and contractors often prove to be the most significant risk factor for causing security incidents. Proactive security teams will find that an effective security awareness training program can significantly reduce the risk of a cyber incident.

For a security awareness training program to be successful, it must be measurable and yield positive, actionable results over time.

The following looks at what good security awareness looks like and how vital phishing simulations and awareness training are in devising effective cyber security programs.

The essentials of a cyber security awareness training program

Employees represent security risks mainly because they are unaware of how their actions and decisions cause security incidents. To address this cause, enterprises undertake extensive security awareness training efforts to help employees know what they should and shouldn’t do when working digitally.

The mere act of exposing employees to security training is not enough; a program is not effective unless it produces results in building real skills that change employee behavior and empower them to make the right choice in the face of a cyberattack.

To achieve this, companies should choose a security awareness training program that is data-driven, adapts to each employee's location, role and past behaviour in training, runs continuously and at high frequency, and engages every employee at least once a month.

Some of the key features organizations should be looking for in a security awareness program can be divided into the following.

Continuous cyber education training and a hands-on approach

The more employees are exposed to realistic phishing emails and other security risks, the more likely they are to protect the organization and its assets against phishing, malware, and many other threats. With cybersecurity awareness, theoretical knowledge becomes far more valuable once it is put into practice, so training must become a hands-on learning experience built on simulations and concrete action.

Identify weakest links and employ real-time feedback

Statistically, fewer than 20 percent of employees in an organization are responsible for most human-error-induced incidents. To make sure all employees are properly trained, organizations must run simulations frequently, at least once a month. This is also where continuous feedback loops come into play: how employees engage, or fail to engage, with the content shows the gap between their current behaviour and the organization's risk tolerance, which is the reason for running awareness training in the first place. Moreover, when simulated security events include real-time feedback, employees immediately understand their missteps and how to avoid similar situations in the future.

Culture and the scientific training method

Cyber security awareness must be ingrained in the organization’s daily practices without feeling like a daily grind. Organizations should make training an engaging, effortless, and seamless part of employees’ daily routines, regularly encouraging continuous learning via small digestible security awareness learning bites.

Behind effective cyber security training is often a scientific method. A next-generation approach to security awareness training should focus on bringing together learning expertise, data science, and automation.

How to Measure Progress

Having a training program in place is a great start, but organizations must ask themselves: how do I know if my security awareness training is working?

Organizations usually rely solely on click rates (e.g. how many employees click on phishing simulations) to measure success. This is precisely where they go wrong.

Companies must focus on progress over time, and not just measure participation.

When measuring the success of a security awareness program, it’s all about context.

Companies should look for qualitative, not simply quantitative results. For instance, if a company sends out three phishing simulations over a year, there is no way of knowing whether one was sent while an employee was on vacation or if an employee clicked because they were new to the company or whether the email went unnoticed due to a flurry of meetings and other tasks.

Microsoft Warns about 6 Iranian Hacking Groups Turning to Ransomware

Nation-state operators with nexus to Iran are increasingly turning to ransomware as a means of generating revenue and intentionally sabotaging their targets, while also engaging in patient and persistent social engineering campaigns and aggressive brute force attacks.

No less than six threat actors affiliated with the West Asian country have been discovered deploying ransomware to achieve their strategic objectives, researchers from Microsoft Threat Intelligence Center (MSTIC) revealed, adding “these ransomware deployments were launched in waves every six to eight weeks on average.”

Of note is a threat actor tracked as Phosphorus (aka Charming Kitten or APT35), which has been found scanning IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain initial access and persistence on vulnerable networks, before moving to deploy additional payloads that enable the actors to pivot to other machines and deploy ransomware.

Another tactic incorporated into the playbook is to leverage a network of fictitious social media accounts, including posing as attractive women, to build trust with targets over several months and ultimately deliver malware-laced documents that allow for data exfiltration from the victim systems. Both Phosphorus and a second threat actor dubbed Curium have been spotted using such "patient" social engineering methods to compromise their targets.

“The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target,” MSTIC researchers said. “In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.”

A third trend is the use of password spray attacks against Office 365 tenants belonging to U.S., E.U., and Israeli defense technology companies, details of which Microsoft publicized last month while attributing the activity to an emerging threat cluster it tracks as DEV-0343.

U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws

Cybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday released a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.

The threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC).

The agencies did not attribute the activities to a specific advanced persistent threat (APT) actor.

Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The flaws being exploited are listed below:

Besides exploiting the ProxyShell flaws to gain access to vulnerable networks, CISA and the FBI said they observed the adversary abusing a FortiGate appliance in May 2021 to gain a foothold on a web server hosting the domain for a U.S. municipal government. The next month, the APT actors “exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,” the advisory said.

11 Malicious PyPI Python Libraries Caught Stealing Discord Tokens and Installing Shells

Cybersecurity researchers have uncovered as many as 11 malicious Python packages that have been cumulatively downloaded more than 41,000 times from the Python Package Index (PyPI) repository, and could be exploited to steal Discord access tokens, passwords, and even stage dependency confusion attacks.

The Python packages have since been removed from the repository following responsible disclosure by DevOps firm JFrog —

  • importantpackage / important-package
  • pptest
  • ipboards
  • owlmoon
  • DiscordSafety
  • trrfab
  • 10Cent10 / 10Cent11
  • yandex-yt
  • yiffparty

Two of the packages (“importantpackage” and “10Cent10,” along with their variants) were found to open a reverse shell on the compromised machine, giving the attacker full control of it. Two other packages, “ipboards” and “trrfab,” masqueraded as legitimate dependencies designed to be pulled in automatically, taking advantage of a technique called dependency confusion or namespace confusion.

Unlike typosquatting attacks, where a malicious actor deliberately publishes packages whose names are misspellings of popular ones, dependency confusion works by uploading poisoned components to a public repository under the same names as a target's internal private packages but with a higher version number. A package manager that consults both the private and the public index and picks the highest available version will then download and install the malicious module instead of the internal one.
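Why the higher version number is enough is easiest to see in a small model of the resolver. The following is an added example, not JFrog's code or pip's own implementation: a toy resolver that merges a private and a public index the way pip does when `--extra-index-url` is used (one pool of candidates, highest version wins), beside a private-first policy that never lets a public upload shadow an internal name. The package names, versions and URLs are constructed; version comparison is simplified to dotted integers.

```python
from typing import Dict, Optional, Tuple

# index name -> {package name -> {version -> artifact URL}}
Index = Dict[str, Dict[str, str]]


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare simple dotted numeric versions (PEP 440 pre-releases etc. ignored)."""
    return tuple(int(part) for part in v.split("."))


# Constructed indexes: an internal package, and an attacker's upload of the
# same name to the public index with a version that beats anything internal.
PRIVATE_INDEX: Index = {
    "acme-billing": {"1.4.2": "https://pypi.internal.example/acme-billing-1.4.2.tar.gz"},
}
PUBLIC_INDEX: Index = {
    "acme-billing": {"99.0.0": "https://public.example/acme-billing-99.0.0.tar.gz"},
    "requests": {"2.26.0": "https://public.example/requests-2.26.0.tar.gz"},
}


def resolve_merged(name: str, indexes: Dict[str, Index]) -> Optional[Tuple[str, str]]:
    """Vulnerable policy: every index is one candidate pool and the highest
    version wins, regardless of which index served it. This mirrors pip with
    --index-url (private) plus --extra-index-url (public).
    Returns (index name, artifact URL) or None if nobody has the package."""
    candidates = []
    for index_name, index in indexes.items():
        for version, url in index.get(name, {}).items():
            candidates.append((parse_version(version), index_name, url))
    if not candidates:
        return None
    _version, index_name, url = max(candidates)
    return index_name, url


def resolve_private_first(name: str, private: Index, public: Index) -> Optional[Tuple[str, str]]:
    """Mitigation: a name that exists on the private index is only ever served
    from it; the public index is consulted only for names the company does not
    own. A single --index-url pointing at a proxy that reserves internal names
    (or an exclusion rule in the proxy) behaves like this."""
    if name in private:
        best = max(private[name], key=parse_version)
        return "private", private[name][best]
    if name in public:
        best = max(public[name], key=parse_version)
        return "public", public[name][best]
    return None


if __name__ == "__main__":
    indexes = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
    print("merged:       ", resolve_merged("acme-billing", indexes))
    print("private-first:", resolve_private_first("acme-billing", PRIVATE_INDEX, PUBLIC_INDEX))
```

The merged resolver installs the attacker's 99.0.0 even though every developer, build script and lockfile only ever asked for "acme-billing"; nothing in the request is wrong, the policy is. Registering placeholder packages for internal names on PyPI closes the same hole from the other side, and `pip install --require-hashes` with a pinned requirements file rejects any artifact whose hash differs from the one recorded, whichever index it came from.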

The dependency “importantpackage” also stands out for its novel exfiltration mechanism to evade network-based detection, which involves using Fastly’s content delivery network (CDN) to mask its communications with the attacker-controlled server as communication with pypi[.]org.

The malicious code “causes an HTTPS request to be sent to pypi.python[.]org (which is indistinguishable from a legitimate request to PyPI), which later gets rerouted by the CDN as an HTTP request to the [command-and-control] server,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe explained in a report published Thursday.