Bitglass released a report which uncovers whether organizations are properly equipped to defend themselves in the cloud. IT and security professionals were surveyed to understand their top security concerns and identify the actions that enterprises are taking to protect data in the cloud.
Orgs struggling to use cloud-based resources safely
93% of respondents were moderately to extremely concerned about the security of the public cloud. The report’s findings suggest that organizations are struggling to use cloud-based resources safely. For example, a mere 31% of organizations use cloud DLP, despite 66% citing data leakage as their top cloud security concern.
Similarly, organizations are unable to maintain visibility into file downloads (45%), file uploads (50%), DLP policy violations (50%), and external sharing (55%) in the cloud.
Many still using legacy tools
The report also found that many still try to use tools like firewalls (44%), network encryption (36%), and network monitoring (26%) to secure the use of the cloud, despite 82% of respondents recognizing that such legacy tools are poorly suited to do so and that they should instead use security capabilities designed for the cloud.
“To address modern cloud security needs, organizations should leverage multi-faceted security platforms that are capable of providing comprehensive and consistent security for any interaction between any device, app, web destination, on-premises resource, or infrastructure,” said Anurag Kahol, CTO at Bitglass.
“According to our research, 79% of organizations already believe it would be helpful to have such a consolidated security platform; now they just need to choose and implement the right one.”
Remote work has left many organizations lagging in productivity and revenue due to remote access solutions. 19% of IT leaders surveyed said they often or always experience network performance and latency issues when using legacy remote access solutions, with an additional 43% saying they sometimes do.
Those issues have resulted in a loss of productivity for 68% of respondents and a loss of revenue for 43%, a Perimeter 81 report reveals.
According to the report, organizations securely connect to internal networks in a variety of ways when working remotely. Some 66% reported using VPNs, 58% said they use a cloud service through a web browser, 48% rely on a remote access solution, and 34% use a firewall.
The many organizations still using legacy solutions like VPNs and firewalls will struggle to scale, face bottlenecks, and lack network visibility.
Security solutions and remote work
33% of respondents said a password is the only way they authenticate themselves to gain access to systems. And while 62% of IT managers said they are using cloud-based security solutions to secure remote access, 49% said they’re still using a firewall, and 41% a hardware VPN.
But there are signs of progress, as organizations increasingly favor modern cloud-based solutions over outdated legacy solutions. Following the pandemic and a switch to remote work, 72% of respondents said they’re very or completely likely to increase adoption of cloud-based security solutions, 38% higher than before the pandemic.
“It’s no surprise that companies are increasingly moving to cloud-based cyber and network security platforms. As corporations of all sizes rely on the cloud to run their businesses, they need new ways of consuming security to effectively prevent cyberattacks regardless of their location or network environment.”
Other key findings
- 74% of respondents are adopting cloud-based security solutions over hardware due to security concerns. 44% are doing so due to scalability concerns, and 43% cited time-saving considerations.
- 61% of organizations believe that having to protect new devices is the greatest security concern in light of remote work, while 56% said their greatest concern was lack of visibility into remote user activity.
- 39% of respondents reported that scalability is their greatest challenge in securing the remote workforce, while 38% said budget allocation was their greatest challenge.
Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution.
The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.
CVE-2020-5135 was discovered by Nikita Abramov of Positive Technologies and Craig Young of Tripwire’s Vulnerability and Exposures Research Team (VERT), and has been confirmed to affect:
- SonicOS 126.96.36.199-79n and earlier
- SonicOS 188.8.131.52-4n and earlier
- SonicOS 184.108.40.206-93o and earlier
- SonicOSv 220.127.116.11-44v-21-794 and earlier
- SonicOS 18.104.22.168-1
“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” Tripwire VERT explained.
“This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”
By using Shodan, both Tripwire and Tenable researchers discovered nearly 800,000 SonicWall NSA devices with the affected HTTP server banner exposed on the internet. Though, as the latter noted, it is impossible to determine the actual number of vulnerable devices because their respective versions could not be determined (i.e., some may already have been patched).
A persistent DoS condition is apparently easy for attackers to achieve, as it requires no prior authentication and can be triggered by sending a specially crafted request to the vulnerable service/SSL VPN portal.
VERT says that a code execution exploit is “likely feasible,” though it’s a bit more difficult to pull off.
Mitigation and remediation
There is currently no evidence that the flaw is being actively exploited nor is there public PoC exploitation code available, so admins have a window of opportunity to upgrade affected devices.
Aside from implementing the offered update, they can alternatively disconnect the SSL VPN portal from the internet, though this action does not mitigate the risk of exploitation of some of the other flaws fixed by the latest updates.
71% of CISOs believe cyberwarfare is a threat to their organization, and yet 22% admit to not having a strategy in place to mitigate this risk. This is especially alarming during a period of unprecedented global disruption, as 50% of infosec professionals agree that the increase of cyberwarfare will be detrimental to the economy in the next 12 months.
CISOs and infosec professionals however are shoring up their defenses — with 51% and 48% respectively stating that they believe they will need a strategy against cyberwarfare in the next 12-18 months.
These findings, and more, are revealed in Bitdefender’s global 10 in 10 Study, which highlights how, in the next 10 years, cybersecurity success lies in the adaptability of security decision makers, while simultaneously looking back into the last decade to see if valuable lessons have already been learnt about the need to make tangible changes in areas such as diversity.
It explores, in detail, the gap between how security decision makers and infosec professionals view the current security landscape and reveals the changes they know they will need to make in the upcoming months and years of the 2020s.
The study takes into account the views and opinions of more than 6,724 infosec professionals representing a broad cross-section of organizations from small 101+ employee businesses to publicly listed 10,000+ person enterprises in a wide variety of industries, including technology, finance, healthcare and government.
The rise and fall (and rise again) of ransomware
Outside of the rise of cyberwarfare threats, an old threat is rearing its head — ransomware. During the disruption of 2020, ransomware has surged with as much as 43% of infosec professionals reporting that they are seeing a rise in ransomware attacks.
What’s more concerning is that 70% of CISOs/CIOs and 63% of infosec professionals expect to see an increase in ransomware attacks in the next 12-18 months. This is of particular interest as 49% of CISOs/CIOs and 42% of infosec professionals are worried that a ransomware attack could wipe out the business in the next 12-18 months if they don’t increase investment in security.
But what is driving the rise in ransomware attacks? Some suggest it’s because more people are working from home — which makes them an easier target outside of the corporate firewall. The truth might however be tied to money.
59% of CISOs/CIOs and 50% of infosec professionals believe that the business they work for would pay the ransom in order to prevent its data/information from being published — making ransomware a potential cash cow.
A step change in communication is in high demand
Cyberwarfare and ransomware are complex topics to unpack, amongst many others in infosec. The inherent complexity of infosec topics does however make it hard to gain internal investment and support for projects. This is why infosec professionals believe a change is needed.
In fact, 51% of infosec professionals agree that in order to increase investment in cybersecurity, the way that they communicate about security has to change dramatically. This number jumps up to 55% amongst CISOs and CIOs — many of whom have a seat at the most senior decision-making table in their organizations.
The question is, what changes need to be made? 41% of infosec professionals believe that in the future more communication with the wider public and customers is needed so everyone, both inside and outside the organization, better understands the risks.
In addition, 38% point out that there is a need for the facilitation of better communication with the C-suite, especially when it comes to understanding the wider business risks.
And last, but not least, as much as 31% of infosec professionals believe using less technical language would help the industry communicate better, so that the whole organization could understand the risks and how to stay protected.
“The reason that 63% of infosec professionals believe that cyberwarfare is a threat to their organization is easy,” said Neeraj Suri, Distinguished Professorship and Chair in Cybersecurity at Lancaster University.
“Dependency on technology is at an all-time high and if someone was to take out the WiFi in a home or office, no one would be able to do anything. This dependency wasn’t there a few years back; it wasn’t even as high a few months back.
“This high dependency on technology doesn’t just open the door for ransomware or IoT threats on an individual level, but also to cyberwarfare which can be so catastrophic it can ruin economies.
“The reason that nearly a quarter of infosec pros don’t currently have a strategy to protect against cyberwarfare is likely because of complacency. Since they haven’t suffered an attack or haven’t seen, on a wide scale, the damage that can be done, they haven’t invested the time in protecting against it.”
Diversity, and specifically neurodiversity, is key to future success
Outside of the drastic changes that are needed in the way cybersecurity professionals communicate, there’s also a need to make a change within the very makeup of the workforce. The infosec industry as a whole has long suffered from a skills shortage, and this looks to remain an ongoing and increasingly obvious issue.
15% of infosec professionals believe that the biggest development in cybersecurity over the next 12-18 months will be the skills gap increasing. If the skills deficit continues for another five years, 28% of CISOs and CIOs say they believe that it will destroy businesses.
And another 50% of infosec professionals believe that the skills gap will be seriously disruptive if it continues for the next 5 years.
Today, however, it will take more than just recruiting skilled workers to make a positive change and protect organizations. In 2015, 52% of infosec workers would have agreed that there is a lack of diversity in cybersecurity and that it’s a concern.
Five years later, in 2020, this remains exactly the same — and that is a significant problem as 40% of CISOs/CIOs and infosec professionals say that the cybersecurity industry should reflect the society around it to be effective.
What’s more, 76% of CISOs/CIOs, and 72% of infosec professionals, believe that there is a need for a more diverse skill set among those tackling cybersecurity tasks. This is because 38% of infosec professionals say that neurodiversity will make cybersecurity defenses stronger, and 33% revealed a more neurodiverse workforce will level the playing field against bad actors.
While it’s clear that the cybersecurity skills gap is here to stay, it’s also clear why changes need to be made to the makeup of the industry.
Liviu Arsene, Global Cybersecurity Researcher at Bitdefender concludes, “2020 has been a year of change, not only for the world at large, but for the security industry. The security landscape is rapidly evolving as it tries to adapt to the new normal, from distributed workforces to new threats. Amongst the new threats is cyberwarfare.
“It’s of great concern to businesses and the economy — and yet not everyone is prepared for it. At the same time, infosec professionals have had to keep up with new threats from an old source, ransomware, that can affect companies’ bottom lines if not handled carefully.
“The one thing we know is that the security landscape will continue to evolve. Changes will happen, but we can now make sure they happen for better and not for worse. To succeed in the new security landscape, the way we as an industry talk about security has to become more accessible to a wider audience to gain support and investment from within the business.
“In addition, we have to start thinking about plugging the skills gap in a different way — we have to focus on diversity, and specifically neurodiversity, if we are to stand our ground and ultimately defeat bad actors.”
DDoS attacks, bots, and targeted attacks based on application vulnerabilities have created a new wave of security challenges. Attackers are constantly targeting internet-connected endpoints, and specifically web servers, to steal data, crash sites, and hold the business for ransom. A web application is a lucrative target for attackers because it is critical for most businesses.
One of the key risk mitigation steps for defending the business from web application attacks is to have a Web Application Firewall (WAF). Many businesses do have traditional WAF solutions deployed. A WAF does provide the capability and platform to ensure protection against attacks like cross-site scripting, SQL injection, and the OWASP Top 10. However, without the ability to keep the WAF tuned continuously based on the current risk posture, the technology is ineffective. Tuning it requires special expertise and an understanding of application risk.
To shore up yesterday’s defense against today’s and tomorrow’s threats, defend your application by leveraging a new generation of risk-based fully managed cloud WAF.
Why do you need a risk-based cloud WAF?
- It provides continuous visibility of the risk and vulnerabilities in your application. Attackers are always on the lookout for targets, so gaining visibility before they do is the first step in a risk-based approach to security.
- Many attackers rely on automated tools to discover weaknesses. As a business, you must use automated tools to take care of your application. A risk-based approach makes this more effective by ensuring it is done frequently and is free of false positives, with security experts validating the automated findings.
- Hackers do not have the time to do deeper security assessments unless they find weaknesses via automated tools. You can stay one step ahead of the hackers by doing periodic manual penetration testing to get a deeper business logic assessment.
- Once you get visibility of risks, you can take steps to fix them instantly, not just in your application but also in the managed cloud WAF service. This not only ensures that the risk is mitigated but also helps track attempted attacks, gain more insight into the attacker, and dynamically adjust policies and block rules to strengthen the defense.
- Having a cloud WAF also ensures that attacks aimed simply at taking the site down can be absorbed and scrubbed by the cloud WAF infrastructure before they hit your web application. A cloud WAF can auto-scale and have alerts in place that monitor traffic so that updates are made instantly.
Overall, a risk-based cloud WAF solution is the most effective option to ensure you have accurate, relevant protection with zero false positives and do it continuously in sync with your web application lifecycle.
AppTrana: Risk-based fully managed cloud WAF
Indusface’s AppTrana is a cloud-based WAF that accumulates and tracks risks to protect your web apps from web exploits that could compromise security and affect application availability. Its continuous risk analysis offers critical insights into site behavior. It gives you control over which traffic to block or allow to your application, with a defined acceptable risk based on industry-standard security rules.
You can use AppTrana to make custom rules, which block common cyberattack patterns like cross-site scripting, SQL injection, bots, application vulnerabilities, OWASP top 10 vulnerabilities, and suspicious data-type patterns & URL patterns. You can also deploy new rules within minutes, allowing you to respond instantly to the changing web traffic patterns.
AppTrana key features
1. No false positives and virtual patching
Traditional WAFs have been troubled by false positives. AppTrana brings together application profiling, signatures, active engagement, attacker profiling and tracking across the various phases of an attack and, most importantly, includes 24×7 security experts as part of the service to update rules and write virtual patches.
2. DDoS and bot protection
By combining intelligent methodologies with 24/7 monitoring by security experts, it blocks a volumetric DDoS attack before it happens. It also tracks targeted application layer attacks and takes instant steps before they can bring the application down. It ensures that all traffic to your domain is routed through the AppTrana WAF, which acts as a secure reverse proxy. It filters the incoming web traffic, blocks DDoS traffic, alerts the 24×7 managed security team if there are anomalies so they can scrub off the bad traffic, and passes only legitimate requests.
AppTrana’s DDoS filtering process is based on a set of security rules, which observes the HTTP footprint, client behavior, and reputation.
3. Accelerate application performance
While intelligently profiling web traffic to block DDoS attacks, AppTrana also accelerates the outgoing traffic. With advanced optimization and caching techniques, you are no longer required to compromise website speed for protection. AppTrana comes bundled with a CDN or can work with any existing CDN you may have already subscribed to.
4. Bundled web application scanner and penetration testing
As part of the risk-based managed service promise, AppTrana includes a security assessment of your website with an automated web application scanner as well as on-demand manual penetration testing. Besides providing visibility of vulnerabilities and patching them, the AppTrana portal will also show the correlation between the risks, their protection status, the attacks targeting those risks and where they are coming from.
5. Security expertise for complete detection and remediation
To complement the power-packed features, the AppTrana WAF service is backed by the rapid response capabilities of Indusface’s world-class cybersecurity experts. The resources provide proactive 24/7/365 threat monitoring as well as reporting to defend customers from insidious threats like web fraud, phishing, and malware.
AppTrana offers cloud-based web application security services that leverage leading cybersecurity intelligence and cloud WAF rules to address issues that trouble traditional WAFs, such as zero-day attacks, and to provide advanced risk detection and mitigation.
Web applications have become an easy target for cybercriminals. Don’t let web application threats rain on your business parade. Protect yours by starting a free trial with AppTrana.
Palo Alto Networks remediated vulnerabilities in PAN-OS (operating systems version 8.1 or later).
Attackers can use these vulnerabilities to gain access to sensitive data or develop the attack to gain access to the internal segments of the network of a company that uses vulnerable protection tools. Today, over 66,000 companies in 150 countries around the world (comprising 85% of the Fortune 100) use Palo Alto Networks NGFW.
Vulnerability CVE-2020-2037 (Command Injection) has a score of 7.2. It allows executing arbitrary OS commands on the firewall. The attack requires authorization in the software data management web interface. After that, attackers can access a special firewall section, place malicious code in one of the web forms, and obtain maximum privileges in the OS.
“We performed black-box testing of the NGFW management web interface to detect this vulnerability, which results from the lack of user input sanitization. During a real attack, hackers can, for example, brute-force the password for the administrator panel, perform RCE, and gain access to the Palo Alto product, as well as the company’s internal network,” said Mikhail Klyuchnikov, researcher at Positive Technologies.
“The administrator panel may be located both inside and outside the corporate network, whichever is more convenient for the admins. But, of course, for security reasons, it’s better to have it inside. And therefore, such attacks may be conducted both from the internal and external networks.”
The second vulnerability, CVE-2020-2036 (XSS), has a score of 8.8. If a potential victim authorizes in the administrator panel and clicks a specially crafted malicious link, attackers will be able to perform any actions on behalf of this user in the context of the Palo Alto application, spoof pages, and develop attacks.
The attack can be conducted from the Internet, but if the administrator panel is located inside, attackers will have to know its address inside the network.
One more vulnerability, CVE-2020-2038, with a score of 7.2, was detected in the PAN-OS software interface. It extends the set of system commands enabling a variety of potential attacks (like the first vulnerability, it is a command injection).
By default, when working with this interface, system command calls are restricted, with the exception of some basic commands (such as ping); however, attackers can inject arbitrary OS commands because user data is insufficiently filtered. Attackers holding the API key, or the user credentials needed to generate one, can run arbitrary system commands with maximum privileges.
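The two command-injection flaws above (CVE-2020-2037 and CVE-2020-2038) both come down to user-supplied input reaching an OS command without adequate filtering, with ping named as one of the commands the interface allows. The following is an added example, not code from Palo Alto Networks or Positive Technologies, of how a hypothetical ping diagnostic wrapper should handle that input: the unsafe pattern (string concatenation destined for a shell, returned here for inspection only and never executed) sits beside a hardened version that validates the target as a literal IP address or a syntactically valid hostname and then builds an argument vector so no shell ever parses it. The `ping -c 1` invocation is an assumption about the wrapped command.

```python
import ipaddress
import re
import subprocess

# A single DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def is_valid_target(host):
    """Accept only a literal IP address or a syntactically valid hostname.
    Spaces, ';', '|', '$(', '..' and a leading '-' (which ping would parse
    as an option) all fail this check before reaching any command."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip('.').split('.')
    return all(HOSTNAME_LABEL.match(label) for label in labels)


def vulnerable_command(host):
    """The pattern behind this bug class: the user-supplied host is pasted
    into a command line that a shell will interpret. Returned as a string
    for inspection only; this example never executes it."""
    return 'ping -c 1 ' + host


def hardened_command(host):
    """Validate first, then build an argv list (hypothetical wrapper around ping)."""
    if not is_valid_target(host):
        raise ValueError(f'rejected target: {host!r}')
    return ['ping', '-c', '1', host]


def run_ping(host, timeout=5):
    """Run the hardened command without a shell (a list argv is never shell-parsed)
    and with a timeout so an unresponsive target cannot pin a worker."""
    argv = hardened_command(host)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return completed.returncode, completed.stdout


if __name__ == '__main__':
    # Constructed candidates: two legitimate targets and three that must be rejected.
    for candidate in ['203.0.113.5', 'host.example', 'host.example; echo hi', '-n', 'a..b']:
        try:
            print('accepted:', hardened_command(candidate))
        except ValueError as exc:
            print('rejected:', exc)
```

The validation is deliberately an allow-list (what a hostname may look like) rather than a deny-list of shell metacharacters; deny-lists are what "insufficient filtering" usually means in practice, because each new encoding or separator needs another entry.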
Finally, the fourth vulnerability (CVE-2020-2039, score 5.3) allows an unauthorized user to upload arbitrary files of any size to a certain directory on the server, which might lead to denial of service. To exploit this vulnerability, attackers can upload an unlimited number of files of various sizes, which may completely deplete free space in the system making the administrator panel unavailable.
The total security appliance market delivered solid unit shipment and revenue growth in the second quarter of 2020 (2Q20), according to IDC.
Worldwide revenue increased 7.5% year over year in 2Q20 to $4.2 billion. Unit shipments experienced similar growth, increasing 8.0% year over year to a little over 1.1 million units.
The unified threat management (UTM) market segment accounted for the most significant revenue growth. This segment saw an increase of $250 million in revenue for 2Q20 when compared to the same quarter a year ago.
UTM continues to drive market expansion and as the largest overall segment, accounting for 61.8% of the worldwide security appliance market, it is still showing double-digit growth at 10.7% year over year in 2Q20.
In addition to UTM, the Web security segment continues to show strong signs of growth, increasing by 10% year over year. The intrusion detection and intrusion prevention segments (IDS and IPS) declined by similar amounts year over year at -6.2% and -5.1% respectively.
The United States accounted for 44.3% of the total security appliance market revenue in 2Q 2020, up from 42.7% a year ago and with double-digit annual growth of 11.6%. The two other regions showing double-digit growth compared to 2Q19 are Asia/Pacific (excluding Japan and China) and Japan with growth of 10.2% and 14.1% respectively.
The Middle East and Africa (MEA) region grew 8.9% year over year, while Central and Eastern Europe (CEE) saw a 7.2% annual expansion. Western Europe grew 5.5% year over year.
Canada and Latin America showed growth for 2Q20 as well with a 5.4% and 4.6% annual increase respectively. The only region showing a slight decline for the quarter was China with the total security appliance market in the region declining 3%.
“Despite the ongoing pandemic, network security appliances experienced a strong 10.0% growth rebound in 2Q20 over the previous 1Q20 decline. This was due to the increased spending to enable the expanded remote workforce and to secure on-premise resources,” said Pete Finalle, senior research analyst, Security and Trust at IDC.
An unauthenticated file read vulnerability (CVE-2020-3452) affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software is being exploited by attackers in the wild.
For the moment, it seems to be used only to read Lua source files, but it can be used to view files that may contain information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs.
There’s a proof of concept doing the rounds for directory path traversal (yes, it’s 1998 again) in Cisco AnyConnect SSL VPN.
It’s already being mass spammed across the internet.
As far as I can see people can only read LUA source files so far, so not terribly problematic as is. https://t.co/kSIFQdz1go
— Kevin Beaumont (@GossiTheDog) July 24, 2020
About the vulnerability (CVE-2020-3452)
CVE-2020-3452 affects the web services interface of Cisco ASA and Cisco FTD software and can be exploited by remote unauthenticated attackers to read sensitive files within the web services file system on the targeted device (but not to obtain access to ASA or FTD system files or underlying operating system files).
“The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,” Cisco explained.
Devices are vulnerable only if they are running a vulnerable release of the software AND are configured with either WebVPN or AnyConnect features.
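Cisco describes the root cause above as missing input validation of URLs containing directory traversal sequences. Since the page also notes that attempts are being sprayed across the internet, a defender's first question is whether such requests appear in their own web-server logs. The block below is an added example, not Cisco's or Rapid7's code, of detection logic run over a few constructed access-log lines in Common Log Format (the addresses are from a documentation range and the paths are invented): it strips the query string, percent-decodes a bounded number of times so double-encoded sequences such as `%252e` are exposed, treats backslashes as separators, and then distinguishes a request that merely carries a `..` segment from one whose segments resolve above the web root.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. These are made-up
# requests against a hypothetical web service, not traffic from any real device.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jul/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [24/Jul/2020:10:01:05 +0000] "GET /static/css/../../etc/passwd HTTP/1.1" 403 0
203.0.113.12 - - [24/Jul/2020:10:01:09 +0000] "GET /files/%2e%2e/%2e%2e/config HTTP/1.1" 403 0
203.0.113.13 - - [24/Jul/2020:10:01:12 +0000] "GET /docs/%252e%252e/secret HTTP/1.1" 200 77
203.0.113.14 - - [24/Jul/2020:10:01:15 +0000] "GET /app/..%5c..%5cwin.ini HTTP/1.1" 404 0
203.0.113.15 - - [24/Jul/2020:10:01:20 +0000] "GET /images/logo..png?v=2 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(target, max_rounds=3):
    """Drop the query string, percent-decode repeatedly (bounded, so double
    encoding such as %252e is exposed), and treat backslashes as separators."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def classify_path(target):
    """Return None for a benign path, 'dot_dot_segment' if the request carries
    a '..' segment (browsers normalise these away before sending, so a client
    that emits one is suspicious), or 'escapes_root' if resolving the segments
    climbs above the web root at any point."""
    segments = [s for s in decode_path(target).split('/') if s not in ('', '.')]
    depth = 0
    escaped = False
    for seg in segments:
        if seg == '..':
            depth -= 1
            if depth < 0:
                escaped = True
        else:
            depth += 1
    if escaped:
        return 'escapes_root'
    if '..' in segments:
        return 'dot_dot_segment'
    return None


def scan_access_log(text):
    """Parse each log line and return the requests that look like traversal attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reason = classify_path(m.group('target'))
        if reason:
            findings.append({
                'ip': m.group('ip'),
                'target': m.group('target'),
                'decoded': decode_path(m.group('target')),
                'status': int(m.group('status')),
                'reason': reason,
            })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['reason']:<16} status={f['status']} {f['decoded']}")
```

Two details matter in practice: the response status is kept alongside the finding because a traversal request answered with 200 deserves a different priority from one the server rejected, and a filename such as `logo..png` is not flagged, since `..` only counts when it is an entire path segment.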
The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and Abdulrahman Nour and Ahmed Aboul-Ela of RedForce. Cisco patched it last week by releasing security updates and hotfixes. Shortly after, Aboul-Ela published a PoC for it:
Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
For example to read “/+CSCOE+/portal_inc.lua” file.
Happy Hacking! pic.twitter.com/aBA3R7akkC
— Ahmed Aboul-Ela (@aboul3la) July 22, 2020
Cisco confirmed that exploitation attempts started the day after. Rapid7 scanned the internet-accessible ASA/FTD devices and found 85,000.
“Since it is difficult (if not impossible) to legally fingerprint Cisco ASA/FTD versions remotely, Rapid7 Labs revisited the ‘uptime’ technique described in a 2016 blog post for another Cisco ASA vulnerability, which shows that only about 10% of Cisco ASA/FTD devices have been rebooted since the release of the patch. This is a likely indicator they’ve been patched,” noted Bob Rudis, Chief Data Scientist at Rapid7.
There are growing concerns around the number of businesses vulnerable to cyberattacks due to hackers’ ability to bypass their Web Application Firewall (WAF), Neustar reveals.
Cyberattacks bypass the WAF
49% of security professionals reported more than a quarter of attempts to sidestep their WAF protocols had been successful in the last 12 months. In addition, as many as four in ten respondents disclosed that 50% or more of attacks had managed to get around their application layer firewall.
These findings come at a pivotal time, as organizations continue to adapt their security strategies to cope with the increase in malicious web activity associated with COVID-19.
29% of respondents admitted they had found it difficult to alter their WAF policies to guard against new web application attacks, while just 15% said they had found the process very easy.
No fully integrated WAF
Despite many having already been on the receiving end of a successful web-application attack, 39% of respondents declared they do not have a WAF that is fully integrated into other security functions; a technique that is critical in developing a holistic defense against a variety of attack types. Three in ten also claimed that half of network requests have been labelled as false positives by their WAF in the last year.
“As members of the public, we have witnessed the steady and significant growth of volumetric DDoS attacks, fake domains, malicious malware and harmful misinformation. However, while these may be the security concerns capturing headlines, those within the community have also seen the unsettling rise in application-layer attacks,” said Rodney Joffe, Senior VP and Fellow at Neustar.
“Often unleashing destruction before they are even recognized, these attacks are equally as damaging, targeting specific vulnerabilities to cause a multitude of complications for those on the receiving end.”
“Due to their ‘under-the-radar’ nature, application-layer attacks are difficult to detect and therefore require a security posture that is always-on in order to be identified and mitigated. Only by providing protection across the entire network can organizations respond to the type of threats we are seeing today.
“For full-protection that doesn’t hinder business performance or add unnecessary complexities, organizations should opt for a cloud-based WAF, underpinned by curated, actionable threat data.
“Not only is this approach guaranteed to safeguard against the most common web threats, it also delivers visibility into application traffic, no matter where the applications themselves are hosted,” added Joffe.
DDoS attacks and system compromise ranked as the greatest concerns
There has also been a steep 12-point increase on the International Cyber Benchmarks Index year-on-year. Calculated based on the changing level of threat and impact of cyberattacks, the Index has maintained an upward trend since May 2017.
During March – April 2020, DDoS attacks and system compromise were ranked as the greatest concerns for security professionals (both 21%), followed by ransomware (17%) and intellectual property (16%). To date, 68% of enterprises surveyed indicated that they had been on the receiving end of a DDoS attack at any given time, up 3% on previous reports.
Palo Alto Networks has patched a critical and easily exploitable vulnerability (CVE-2020-2021) affecting PAN-OS, the custom operating system running on its next generation firewalls and enterprise VPN appliances, and is urging users to update to a fixed version as soon as possible.
The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
About the vulnerability (CVE-2020-2021)
CVE-2020-2021 is an authentication bypass vulnerability that could allow unauthenticated, remote attackers to gain access to and control of the vulnerable devices, change their settings, change access control policies, turn them off, etc.
Affected PAN-OS versions include versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). Version 7.1 is not affected.
Also, the vulnerability is exploitable only if:
- The device is configured to use SAML authentication with single sign-on (SSO) for access management, and
- The “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile
“Resources that can be protected by SAML-based single sign-on (SSO) authentication are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access,” Palo Alto Networks shared.
While the aforementioned configuration settings are not part of default configurations, it seems that finding vulnerable devices should not be much of a problem for attackers.
“It appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this [vulnerable] configuration or may only work using this configuration,” noted Tenable researcher Satnam Narang.
“These providers include Okta, SecureAuth, SafeNet Trusted Access, Duo, Trusona via Azure AD, Azure AD and Centrify.
Even the PAN-OS 9.1 user guide instructs admins to disable the “Validate Identity Provider Certificate” option when setting up Duo integration:
The PAN-OS 9.1 user guide, which was apparently last updated 4 days ago (June 25), instructs admins to do just that when setting up DUO integration.
“Disable Validate Identity Provider Certificate, then click OK.” pic.twitter.com/KLd78oImzs
— Will Dormann (@wdormann) June 29, 2020
Palo Alto Networks says that there is currently no indication of the vulnerability being under active attack.
But given that SSL VPN flaws in various enterprise solutions have been heavily exploited in the last year or so – both by cybercriminals and nation-state attackers – it is expected that this one will be as soon as a working exploit is developed.
What to do?
As mentioned before, implementing the security updates is the best solution.
Enterprise admins are advised to upgrade to PAN-OS versions 9.1.3, 9.0.9 or 8.1.15 if possible. Palo Alto Networks has provided instructions for doing that in a way that doesn’t break the authentication capability for users.
If updating is not possible, the risk can be temporarily mitigated by using a different authentication method and disabling SAML authentication.
Admins can check for indicators of compromise in a variety of logs (authentication logs, User-ID logs, GlobalProtect logs, etc.).
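As an added example (not Palo Alto Networks’ code), the check below flags a device that meets both exploitability conditions described above: a PAN-OS release in an affected range and an in-use SAML IdP profile with “Validate Identity Provider Certificate” disabled. The XML layout of the exported config is an assumption, simplified to the element names the check relies on, and the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release on each affected train, per the advisory summarised above.
FIXED_PATCH = {(9, 1): 3, (9, 0): 9, (8, 1): 15}

# Constructed sample of an exported PAN-OS config (simplified, assumed layout).
SAMPLE_CONFIG = """<config><shared>
  <server-profile><saml-idp>
    <entry name="idp-unvalidated"><validate-idp-certificate>no</validate-idp-certificate></entry>
    <entry name="idp-validated"><validate-idp-certificate>yes</validate-idp-certificate></entry>
    <entry name="idp-unused"><validate-idp-certificate>no</validate-idp-certificate></entry>
  </saml-idp></server-profile>
  <authentication-profile>
    <entry name="vpn-auth"><method><saml-idp><server-profile>idp-unvalidated</server-profile></saml-idp></method></entry>
    <entry name="web-auth"><method><saml-idp><server-profile>idp-validated</server-profile></saml-idp></method></entry>
  </authentication-profile>
</shared></config>"""


def parse_version(version: str) -> tuple:
    """'9.0.8-h3' -> (9, 0, 8); hotfix suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the release falls in an affected range named in the advisory."""
    major, minor, patch = parse_version(version)
    train = (major, minor)
    if train == (7, 1):
        return False              # 7.1 is explicitly not affected
    if train == (8, 0):
        return True               # every 8.0 build: EOL, no fix available
    if train in FIXED_PATCH:
        return patch < FIXED_PATCH[train]
    return False                  # train not named in the advisory: confirm with the vendor


def vulnerable_saml_profiles(config_xml: str) -> list:
    """SAML IdP profiles with certificate validation off (or unset, which is
    flagged for manual review) that an authentication profile actually uses."""
    root = ET.fromstring(config_xml)
    unvalidated = {
        e.get("name")
        for e in root.iterfind(".//server-profile/saml-idp/entry")
        if (e.findtext("validate-idp-certificate") or "no").strip().lower() != "yes"
    }
    referenced = {
        s.text.strip()
        for s in root.iterfind(".//authentication-profile/entry/method/saml-idp/server-profile")
        if s.text
    }
    return sorted(unvalidated & referenced)


def exposure(version: str, config_xml: str) -> list:
    """Both conditions must hold: affected release AND an in-use unvalidated IdP."""
    return vulnerable_saml_profiles(config_xml) if is_affected(version) else []


if __name__ == "__main__":
    for v in ("9.0.8-h1", "9.1.3"):
        print(v, "->", exposure(v, SAMPLE_CONFIG) or "not exposed")
```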
RiskIQ released a report analyzing the company’s internet-wide telemetry and massive internet data collection to reveal the true extent of the modern corporate digital attack surface.
Digital attack surface challenges
“Today, organizations are responsible for defending not only their internal network but also their digital presence across the internet and the cloud,” said Lou Manousos, CEO, RiskIQ.
“Bringing the massive scope of an organization’s attack surface into focus helps frame the challenges of extending cybersecurity outside the corporate firewall, especially as staff forced to work from home in response to COVID-19 push that boundary farther out.”
When brands understand what they look like from the outside-in, they can begin developing an attack surface management program that allows them to discover everything associated with their organization on the internet—both legitimate and malicious—and investigate the threats targeting them.
- The global attack surface is much bigger than you think: 2,959,498 new domains (211,392 per day) and 772,786,941 new hosts (55,199,067 per day) were observed across the internet over two weeks, each representing a possible target for threat actors.
- Sometimes hackers know more about your attack surface than you do: Looking at the attack surfaces of FT-30 companies, each organization had, on average, 324 expired certificates and 46 Web frameworks with known vulnerabilities.
- The hidden attack surface: In Q1 2020, 21,496 phishing domains across 478 unique brands were identified.
- The mobile attack surface: In 2019, 170,796 blacklisted mobile apps were discovered across 120 mobile app stores and the open internet.
Sophos has released an emergency hotfix for an actively exploited zero-day SQL injection vulnerability in its XG Firewalls, and has rolled it out to all units with the auto-update option enabled.
Aside from plugging the security hole, the hotfix detects if the firewall was hit by attackers and, if it was, stops it from accessing any attacker infrastructure, cleans up remnants from the attack, and notifies administrators about it so that they can perform additional remediation steps.
About the vulnerability and the attack
The flaw, which has yet to be assigned a CVE identification number, was previously unknown to Sophos and turned out to be a pre-auth SQL injection vulnerability that was exploited for remote code execution.
The zero-day affects all versions of XG Firewall firmware on both physical and virtual Sophos firewalls.
“Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units,” the company shared.
“The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected.”
The company says that the attack used a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for SFOS, the Sophos Firewall Operating System (i.e., the firmware).
The goal of the attack was to deliver malware that is able to collect information such as:
- The firewall’s public IP address
- Its license key
- The email addresses of user accounts that were stored on the device as well as that of the administrator account
- Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password
- A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection
- Additional information about the firewall (e.g., firmware version, CPU type, etc.)
- A list of the IP address allocation permissions for the users of the firewall
All this information was written in a file, which was compressed, encrypted, and uploaded to a remote machine controlled by the attacker(s).
Those admins that have disabled the (default) auto-update option are advised to implement the hotfix.
The admins whose firewalls have been compromised should reset device administrator accounts, reboot the affected device(s), reset passwords for all local user accounts and for any accounts where the XG credentials might have been reused.
Sophos also advises admins to reduce attack surface by disabling HTTPS Admin Services and User Portal access on the WAN interface (if possible).
“While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials,” the company added.
News coverage of the recent uptick in cyber threat activity is showing an incomplete picture. Despite the focus on VPN hacks and attacks at home, computers at more than 50,000 organizations in the US had been infected prior to stay-at-home orders, according to Team Cymru and Arctic Security.
Researchers say they are witnessing previously infected computers being activated now that their malicious communications are no longer being blocked by corporate firewalls.
Failure of internal security tools and processes
The number of compromised organizations in the US, Finland and across Europe doubled, tripled or even quadrupled between January and the end of March. Researchers believe this demonstrates a systemic problem facing organizations – a failure of internal security tools and processes and an inability to prepare for mobile workforces.
“Our analysis indicates that the employees’ computers were already hacked before COVID-19 made the news, but were lying dormant behind firewalls, blocking their ability to go to work on behalf of the threat actors,” explained Lari Huttunen, Senior Analyst at Arctic Security. “Now those zombies are outside firewalls, connected to their corporate networks via VPNs, which were not designed to prevent malicious communications.”
This analysis offers an unsettling data point that puts numbers to the foothold threat actors have gained within public and private sector organizations. The findings may also correlate with recent public warnings, such as the FBI’s advisory on March 30 alerting of increased vulnerability probing activity. The implications are serious.
Enterprise doesn’t end at the firewall
These same researchers have also found that many large companies have not managed to remedy the infrastructure vulnerabilities that have exposed them to data breaches in past years.
Experts say this research shines a light on a cyber pandemic and provides an opportunity for organizations to assess the extent of compromise within their organizations, rather than hiding behind a “block and forget” security mentality.
The only way to comprehensively identify whether an organization has been compromised is to observe internet threat traffic from outside the enterprise, monitoring these threat actors in the wild.
“Cybersecurity teams still approach security as though their enterprise ends at the firewall. This has not been the case for a long time, and this massive work-from-home movement has exposed the weakness of that approach,” stated Arctic Security CEO, David Chartier.
A wide variety of Zyxel and LILIN IoT devices are being conscripted into several botnets, researchers have warned.
Users are advised to implement the provided firmware updates to plug the security holes exploited by the botmasters or, if they can’t, to stop using the devices altogether or to put them behind network firewalls.
Zyxel devices affected
According to Palo Alto Networks’ Unit 42, botmasters using a new Mirai strain dubbed Mukashi are exploiting CVE-2020-9054, a pre-authentication command injection flaw, to compromise and “zombify” network-attached storage devices, firewalls, business VPN firewalls and unified security gateways.
CVE-2020-9054 is considered to be a critical vulnerability as it can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
The vulnerability was fixed in late February and Zyxel has provided firmware updates for the following affected devices that are still supported:
- Network-attached storage devices (NAS326, NAS520, NAS540, NAS542)
- Firewalls, business VPN firewalls and unified security gateways (ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, ZyWALL1100)
“Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 as well as some other ZyXEL devices may not be able to install firmware updates, as these devices are no longer supported,” CERT/CC warned.
“Be cautious when updating firmware on affected devices, as the ZyXEL firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature. For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a ZyXEL device.”
Workarounds available for those who can’t update the firmware include:
- Blocking access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device
- Restricting access to vulnerable devices (i.e., not exposing them on the internet).
“Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page,” CERT/CC added.
LILIN devices affected
LILIN digital video recorders (DVRs) and IP cameras have been under attack for months, by botmasters of the Chalubo, FBot and Moobot botnets, say researchers from Qihoo 360’s Netlab team.
They are exploiting a number of security flaws, including hard-coded login credentials, command injection (via NTP and FTP) and arbitrary file reading vulnerabilities.
According to the researchers, firmware running on a dozen LILIN devices is affected:
- DVRs (LILIN DHD516A, LILIN DHD508A, LILIN DHD504A, LILIN DHD316A, LILIN DHD308A, LILIN DHD304A)
- IP cameras (LILIN DHD204, LILIN DHD204A, LILIN DHD208, LILIN DHD208A, LILIN DHD216, LILIN DHD216A)
The manufacturer has released firmware that fixes the flaws (2.0b60_20200207) back in February.
Users of all the affected devices, both Zyxel’s and LILIN’s, are advised to update their device firmware or implement available workarounds.
Despite the inevitability of security-related incidents, few organizations currently protect against the spread of breaches with segmentation – only 19 percent of the 300 IT professionals surveyed by Illumio currently implement segmentation solutions today.
While approximately 25 percent are actively planning a project, more than half are not protecting with segmentation at all or planning to in the next six months.
While unprepared, organizations are hoping for the best
Security segmentation limits the ability for attacks to move laterally inside an organization by breaking data center and campus networks or clouds into smaller segments. It is widely recognized as a cyber security best practice, although it is drastically underutilized in organizations today.
“The results from this survey confirm what we have long known. Despite the fact that organizations realize the likelihood of a security incident is high, they do not leverage segmentation because it is too hard and costly to implement, especially with firewalls, preventing wider adoption.
“This is why we have spent years developing a purpose-built segmentation solution used for security. It is simpler, more effective and drives the cost out of segmentation projects so organizations can consider a future free of high-profile breaches,” said Matt Glenn, VP of Product Management at Illumio.
A somewhat positive finding showed that 45 percent of respondents currently have a segmentation project in flight or are planning to begin one in the next six months.
Of those who are planning a project, the survey found that 81 percent of respondents will leverage firewalls for segmentation, despite the fact that they are slow to implement, don’t adapt, are complex to work with, and were not built to serve this function.
Firewalls are falling short
Companies still wisely rely on firewalls for perimeter security; however, most cited difficulties with how costly they are to implement and manage for segmentation. 68 percent of respondents struggle with securing initial capital expenditure budgets for firewalls and 66 percent find it challenging to secure ongoing operating expenditure budgets.
The size and complexity of firewalls also cause problems for organizations. The average time for respondents to deploy and tune firewalls for segmentation was one to three months.
In addition, more than two thirds of respondents acknowledge that firewalls make it hard to test rules prior to deploying, making it easier to accidentally misconfigure rules and break applications. Regardless of these downfalls, 57 percent cite potential risk induced by change as the leading reason why they do not stop using firewalls.
Segmentation as a practice is foundational to security frameworks like Zero Trust. According to Forrester Research’s Zero Trust website, “defending the perimeter is no longer an effective strategy. Zero Trust implements methods to localize and isolate threats through microcore, microsegmentation, and deep visibility to give you an organized approach to identify threats and limit the impact of any breach.”
Host-based security segmentation is more cost-effective and reliable
Host-based security segmentation offers a more cost-effective and reliable approach to segmentation and is more effective at protecting data centers and cloud ecosystems against lateral data breaches. Since host-based security segmentation is software-based and isn’t tied to the network, it offers several strong benefits:
- At least 200% more cost effective than firewalls.
- Deploys four to six times faster than firewalls.
- Has up to 90% fewer rules than firewalls.
- Easy to test before deployment and can be updated in hours.
- Low risk of breaking an application.
Organizations reported an average 32% reduction in threat responder workload when they deployed a managed SIEM solution, according to CenturyLink and IDG.
Improve incident response
The research shows security leaders are turning to managed security services to help augment limited internal resources and bridge the security technology gap. “Security is an inherent ingredient in networking today; however, limited resources and budget constraints make it difficult for companies to develop with their own staff,” says Chris … More
The post To improve incident response, you need to consider 3rd party solutions appeared first on Help Net Security.
Enterprises are slow to abandon manual processes, despite being short staffed, as the lack of automation, coupled with increasing network complexity risk and lack of visibility contribute to costly misconfigurations and increased risk, a FireMon report reveals. The report features feedback from nearly 600 respondents, including 20% from the executive ranks, detailing ongoing firewall operations in the spectrum of digital transformation initiatives. “In an age of increasing data breaches caused by human error, it is … More
The post Network complexity and lack of visibility contribute to misconfigurations and increased risk appeared first on Help Net Security.