Most companies have high-risk vulnerabilities on their network perimeter

Positive Technologies performed instrumental scanning of the network perimeter of selected corporate information systems. A total of 3,514 hosts were scanned, including network devices, servers, and workstations.

network perimeter vulnerabilities

The results show the presence of high-risk vulnerabilities at most companies. However, half of these vulnerabilities can be eliminated by installing the latest software updates.

The research shows high-risk vulnerabilities at 84% of companies across finance, manufacturing, IT, retail, government, telecoms and advertising. One or more hosts with a high-risk vulnerability having a publicly available exploit are present at 58% of companies.

Publicly available exploits exist for 10% of the vulnerabilities found, which means attackers can exploit them even if they don’t have professional programming skills or experience in reverse engineering. However, half of the vulnerabilities can be eliminated by installing the latest software updates.

The detected vulnerabilities are caused by the absence of recent software updates, outdated algorithms and protocols, configuration flaws, mistakes in web application code, and accounts with weak and default passwords.

Vulnerabilities can be fixed by installing the latest software versions

As part of the automated security assessment of the network perimeter, 47% of detected vulnerabilities can be fixed by installing the latest software versions.

All companies had problems with keeping software up to date. At 42% of them, PT found software for which the developer had announced the end of life and stopped releasing security updates. The oldest vulnerability found in automated analysis was 16 years old.

Analysis revealed remote access and administration interfaces, such as Secure Shell (SSH), Remote Desktop Protocol (RDP), and Network Virtual Terminal Protocol (Internet) TELNET. These interfaces allow any external attacker to conduct bruteforce attacks.

Attackers can bruteforce weak passwords in a matter of minutes and then obtain access to network equipment with the privileges of the corresponding user before proceeding to develop the attack further.

Ekaterina Kilyusheva, Head of Information Security Analytics Research Group of Positive Technologies said: “Network perimeters of most tested corporate information systems remain extremely vulnerable to external attacks.

“Our automated security assessment proved that all companies have network services available for connection on their network perimeter, allowing hackers to exploit software vulnerabilities and bruteforce credentials to these services.

“Even in 2020, there are still companies vulnerable to Heartbleed and WannaCry. Our research found systems at 26% of companies are still vulnerable to the WannaCry encryption malware.”

Minimizing the number of services on the network perimeter is recommended

Kilyusheva continued: “At most of the companies, experts found accessible web services, remote administration interfaces, and email and file services on the network perimeter. Most companies also had external-facing resources with arbitrary code execution or privilege escalation vulnerabilities.

“With maximum privileges, attackers can edit and delete any information on the host, which creates a risk of DoS attacks. On web servers, these vulnerabilities may also lead to defacement, unauthorized database access, and attacks on clients. In addition, attackers can pivot to target other hosts on the network.

“We recommend minimizing the number of services on the network perimeter and making sure that accessible interfaces truly need to be available from the Internet. If this is the case, it is recommended to ensure that they are configured securely, and businesses install updates to patch any known vulnerabilities.

“Vulnerability management is a complex task that requires proper instrumental solutions,” Kilyusheva added. “With modern security analysis tools, companies can automate resource inventories and vulnerability searches, and also assess security policy compliance across the entire infrastructure. Automated scanning is only the first step toward achieving an acceptable level of security. To get a complete picture, it is vital to combine automated scanning with penetration testing. Subsequent steps should include verification, triage, and remediation of risks and their causes.”

Theory and practice of web application security efforts in organizations worldwide

75% of executives believe their organization scans all web applications for security vulnerabilities, while nearly 50% of security staff say they don’t, a Netsparker survey reveals.

web application security efforts

Web application security efforts are insufficient

Even more concerning, over 60% of DevOps respondents indicate that new security vulnerabilities are being found faster than they can be fixed, indicating that web application security efforts are insufficient.

However, only just over 40% of executives are aware of this situation, and thus most companies are unlikely to be making the required investments to remedy the situation.

Despite this, respondents ranked web application security highest among areas they believe their company should focus. Over 66% of respondents named web application security as a priority – more than any other aspect of IT security, ahead of network security, endpoint security, and patch management.

Additional highlights

  • While just 20% of developers believe that development teams are resistant to incorporating security, close to half of security professionals say they encounter developer resistance.
  • Just under 40% of developers indicated that critical security issues get automatically escalated, showing that organizations still have a long way to go to fully integrate security into the software development process.
  • Just under 35% of developers report friction caused by security false positives, compared to over 54% of security staff. This suggests that security teams bear the bulk of extra work caused by false alarms.

Disconnect between theory and practice

The survey shows a worrying disconnect between the theory and practice of web application security. While most organizations appreciate the importance of web security, many still don’t scan all their applications and an even greater number struggle to deal with vulnerabilities in a timely manner.

web application security efforts

This research shows that perceptions and expectations of web application security vary widely depending on the role. This misalignment between perception and reality creates dangerous threats to the security of organizations and their customer’s data as well.

GitHub envisions a world with fewer software vulnerabilities

After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

GitHub code scanning

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

GitHub Code Scanning

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.

The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.

“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.

GitHub Actions

Among the third parties that offer automated security scans via GitHub Actions are Checkmarx and DefenseCode.

GitHub code scanning

“The major value add here is that developers can work, and stay within, the code development ecosystem in which they’re most accustomed to while using their preferred scanning tools,” explained James Brotsos, Senior Solutions Engineer at Checkmarx.

“GitHub is an immensely popular resource for developers, so having something that ensures the security of code without hindering agility is critical. Our ability to automate SAST and SCA scans directly within GitHub repos simplifies workflows and removes tedious steps for the development cycle that can traditionally stand in the way of achieving DevSecOps.”

Checkmarx’s SCA (software composition analysis) help developers discover and remedy vulnerabilities within open source components that are being included into the application and prioritizing them accordingly based on severity. Checkmarx SAST (static application security testing) scans proprietary code bases – even uncompiled – to detect new and existing vulnerabilities.

“This is all done in an automated fashion, so as soon as a pull request takes place, a scan is triggered, and results are embedded directly into GitHub. Together, these integrations paint a holistic picture of the entire application’s security posture to ensure all potential gaps are accounted for,” Brotsos added.

Leon Juranic, CTO at DefenseCode, said that they are very excited by this initiative, as it provides access to security analysis to over 50+ million Github users.

“Having the security analysis results displayed as code scanning alerts in GitHub provides an convenient way to triage and prioritize fixes, a process that could be cumbersome usually requiring scrolling through many pages of exported reports, going back and forth between your code and the reported results, or reviewing them in dashboards provided by the security tool. The ease of use now means you can initiate scans, view, fix, and close alerts for potential vulnerabilities in your project’s code in an environment that is already familiar and where most of your other workflows are done,” he noted.

A week ago, GitHub also announced additional support for container scanning and standards and configuration scanning for infrastructure as code, with integration by 42Crunch, Accurics, Bridgecrew, Snyk, Aqua Security, and Anchore.

The benefits and future plans

“We expect code scanning to prevent thousands of vulnerabilities from ever existing, by catching them at code review time. We envisage a world with fewer software vulnerabilities because security review is an automated part of the developer workflow,” Baker explained.

“During the code scanning beta, developers fixed 72% of the security errors found by CodeQL and reported in the code scanning pull request experience. Achieving such a high fix rate is the result of years of research, as well as an integration that makes it easy to understand each result.”

Over 12,000 repositories tried code scanning during the beta, and another 7,000 have enabled it since it became generally available, he says, and the reception has been really positive, with many highlighting valuable security finds.

“We’ll continue to iterate and focus on feedback from the community, including around access control and permissions, which are of high priority to our users,” he concluded.

Nmap 7.90 released: New fingerprints, NSE scripts, and Npcap 1.0.0

Over a year has passed since Nmap had last been updated, but this weekend Gordon “Fyodor” Lyon announced Nmap 7.90.

Nmap 7.90

About Nmap

Nmap is a widely used free and open-source network scanner.

The utility is used for network inventorying, port scanning, managing service upgrade schedules, monitoring host or service uptime, etc.

It works on most operating systems: Linux, Windows, macOS, Solaris, and BSD.

Nmap 7.90

First and foremost, Nmap 7.90 comes with Npcap 1.0.0, the first completely stable version of the raw packet capturing/sending driver for Windows.

Prior to Npcap, Nmap used Winpcap, but the driver hasn’t been updated since 2013, didn’t always work on Windows 10, and depended on long-deprecated Windows APIs.

“While we created Npcap for Nmap, it turns out that many other projects and companies had the same need. Wireshark switched to Npcap with their big 3.0.0 release last February, and Microsoft publicly recommends Npcap for their Azure ATP (Advanced Threat Protection) product,” Lyon explained.

“We introduced the Npcap OEM program allowing companies to license Npcap OEM for use within their products or for company-internal use with commercial support and deployment automation. This project that was expected to be a drain on our resources (but worthwhile since it makes Nmap so much better) is now helping to fund the Nmap project. The Npcap OEM program has also helped ensure Npcap’s stability by deploying it on some of the fastest networks at some of the largest enterprises in the world.”

Nmap 7.90 also comes with:

  • New fingerprints for better OS and service/version detection
  • 3 new NSE scripts, new protocol libraries and payloads for host discovery, port scanning and version detection
  • 70+ smaller bug fixes and improvements
  • Build system upgrades and code quality improvements

“We also created a special ‘Nmap OEM Edition’ for the companies who license Nmap to handle host discovery within their products. We have been selling such licenses for more than 20 years and it’s about time OEM’s have an installer more customized to their needs,” Lyon added.

Google offers high-risk Chrome users additional scanning of risky files

Google is providing a new “risky files” scanning feature to Chrome users enrolled in its Advanced Protection Program (APP).

Chrome scanning risky files

About the Advanced Protection Program

Google introduced the Advanced Protection Program in 2017.

It’s primarily aimed at users whose accounts are at high risk of compromise through targeted attacks – journalists, human rights and civil society activists, campaign staffers and people in abusive relationships, executives and specific employees – but anyone can sign up for it.

It offers:

  • Anti-phishing protection, as attackers can steal users’ credentials, but they need the security key/smartphone that’s in the user’s possession to gain access to the account
  • Extra protection from harmful downloads
  • Protection from malicious third-party apps that may want to access users’ Google Account.

Some features, like the one announced on Wednesday, will work only if the user uses Google Chrome and is signed into it with their Advanced Protection Program identity.

Additional scanning

Chrome started warning APP users when a downloaded file may be malicious last year, but now it will also give them the ability to send risky files for additional scanning by Google Safe Browsing’s full suite of malware detection technology before opening them.

“When a user downloads a file, Safe Browsing will perform a quick check using metadata, such as hashes of the file, to evaluate whether it appears potentially suspicious. For any downloads that Safe Browsing deems risky, but not clearly unsafe, the user will be presented with a warning and the ability to send the file to be scanned,” Chrome engineers explained.

“If the user chooses to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis techniques in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will warn the user. As always, users can bypass the warning and open the file without scanning, if they are confident the file is safe. Safe Browsing deletes uploaded files a short time after scanning.”

Aside from helping users, the new feature is expected to help Google improve their ability to detect malicious files.

Study of global hackers and the economics of security research

Human ingenuity supported by actionable intelligence were found to be critical ingredients to maintaining a resilient infrastructure, Bugcrowd reveals. In fact, 78% of hackers indicated AI-powered cybersecurity solutions alone aren’t enough to outmaneuver cyber attacks over the next decade.

economics of security research

87% of hackers say that scanners cannot find as many critical or unknown assets as humans. While 2019 was a record year for data breaches, the report found that hackers prevented $8.9B of cybercrime in 2019 and earned 38% more than they did in the previous period.

In the next five years, hackers are projected to prevent more than $55 billion in cybercrime for organizations worldwide.

“Hackers will always be one step ahead of AI when it comes to cybersecurity because humans are not confined by the logical limitations of machine intelligence,” said Jasmin Landry, top-ranked Bugcrowd hacker.

“For example, hackers can adapt four to five low-impact bugs to exploit a single high-impact attack vector that AI would likely miss without the creative flexibility of human decision-making.

“Experience allows hackers to recognize vulnerable misconfigurations that represent a true risk to organizations without all of the false positives that typically come with AI-powered solutions.”

The next generation of hackers are younger and neurologically diverse

Hacking as a profession is lucrative and highly attractive to young people, with 53% of hackers under the age of 24.

Remarkably, the report uncovered that 13% of hackers are neurodiverse and possess neurological advantages that help them provide extraordinary depth and dimension in security testing. These unique strengths include exceptional memory skills, heightened perception, a precise eye for detail, and an enhanced understanding of systems.

6% of neurodiverse hackers experience Attention-Deficit/Hyperactivity Disorder (AD/HD) and thrive in environments of rapid change, such as security research, where creativity and out-of-the-box thinking are rewarded generously.

Career hacking and the economics of security research

The research found that hackers live on six continents and reside in more than 100 countries worldwide. Most notably, the report identified an 83% growth in respondents living in India and 73% of hackers speak two or more languages.

“Having started my career as a hacker, I understand that cybersecurity is inherently a human problem. ‘The power of the crowd’ in crowdsourced cybersecurity is rooted in being able to look at the same thing as everyone else and see something else”, said Adrian Ludwig, CISO at Atlassian.

Social responsibility on the rise among businesses, hackers

A growing social responsibility trend among businesses and hackers was uncovered. 93% of hackers primarily hack out of care for the well-being of the organizations with which they work. Additionally, organizations made five-times the number of coordinated disclosures in the last twelve months.

“The exponential growth of these disclosures highlights the value of transparency to stakeholders and demonstrates organizations are taking social responsibility more seriously than ever,” said Casey Ellis, CTO of Bugcrowd.

COVID-19 increasing demand for career hackers

The FBI reported a 400% rise in cybercrime after COVID-19 was declared a pandemic and organizations are investing more in bug bounty programs as a result. 61% of hackers have noticed an increase in available bug bounty programs to participate in due to widespread remote working conditions related to the COVID-19.

“We are in unprecedented territory – and COVID-19 has forced many businesses to accelerate digital transformation efforts,” said Ashish Gupta, CEO and president of Bugcrowd.

“The rush to digitize businesses can create serious lapses in security and organizations are turning to bug bounty programs to proactively safeguard new products and applications against vulnerabilities.”

Like the larger security industry, career hackers also noted concerns about COVID-related fraud. 48% of hackers believe the healthcare industry is the most vulnerable to cybercrime during the unfolding crisis, followed by education and community support (17%) and government and military (16%).

Additionally, as the government faces the potential impact of COVID-19 on the upcoming 2020 US Presidential election, 72% of hackers independently reported that they do not trust alternative polling methods, like electronic polling or mail-in ballots.

UPnP vulnerability lets attackers steal data, scan internal networks

A vulnerability (CVE-2020-12695) in Universal Plug and Play (UPnP), which is implemented in billions of networked and IoT devices – personal computers, printers, mobile devices, routers, gaming consoles, Wi-Fi access points, and so on – may allow unauthenticated, remote attackers to exfiltrate data, scan internal networks or make the devices participate in DDoS attacks.

CVE-2020-12695

About UPnP

UPnP is a set of networking protocols that allows networked devices to automatically discover and interact with each other when on the same network.

UPnP is intended primarily for residential and SOHO wireless networks. It is designed to be used in a trusted local area network (LAN) and so the protocol does not implement any form of authentication or verification. That’s one of the reasons why some UPnP devices are shipped with the protocol turned off by default and it’s on administrators to enable it, if needed.

The development of the UPnP protocol is managed by the Open Connectivity Foundation (OCF), a standards organization whose goal is to promote the interoperability of connected devices.

About the vulnerability (CVE-2020-12695)

CVE-2020-12695 (aka “CallStranger”) was discovered by security researcher Yunus Çadırcı and privately reported to the OFC in late 2019.

“The vulnerability (…) is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices,” Çadırcı explained.

More technical details are available here but, in short, the vulnerability can be used to bypass DLP and network security devices to exfiltrate data, scan internal ports, and force millions of Internet-facing UPnP devices to become a source of amplified reflected TCP DDoS.

What now?

The Open Connectivity Foundation fixed the vulnerability and updated the UPnP specification on April 17, 2020. They also contacted some affected vendors (those included in Çadırcı’s report).

A Shodan search shows that there are around 5,5 million Internet-facing devices with UPnP enabled out there.

Among the confirmed vulnerable devices are computers running Windows 10, Xbox One, Belkin WeMo home automation devices, printers manufactured by Canon, HP and Epson, Samsung smart TVs, routers and modems manufactured by Broadcom, Cisco, D-Link, Huawei, Zyxel, and more.

CMU’s Software Engineering Institute has also published a vulnerability note for CVE-2020-12695 and will be updating it to list affected devices and links to available patches. They’ve also noted that, in general, making UPnP available over the Internet should be avoided.

“Device manufacturers are urged to disable the UPnP SUBSCRIBE capability in their default configuration and to require users to explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network,” they advised.

“Vendors are urged to implement the updated specification provided by the OCF. Users should monitor vendor support channels for updates that implement the new SUBSCRIBE specification.”

Çadırcı noted that because CallStranger is a protocol vulnerability, it may take a long time for vendors to provide patches.

“Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source,” he added.

He advised enterprises to check whether devices they use are vulnerable and provided a script that can help them do that, as well as laid out several mitigation actions they can perform.

“We see data exfiltration as the biggest risk of CallStranger. Checking logs is critical if any threat actor used this in the past,” he noted. “Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet-exposed UPnP devices so we don’t expect to see port scanning from Internet to Intranet but Intranet to Intranet may be an issue.”

Healthcare industry at greatest risk of data breach

The healthcare industry has significantly more exposed attack surfaces than any other industry surveyed, according to Censys’s research findings of cloud risks and cloud maturity by industry, revealed at RSA Conference 2020.

Leveraging the Censys SaaS Platform, company researchers measured the occurrence of exposed databases and exposed remote login services – two key indicators of modern security risks – for the ten largest companies by revenue in seven major industries (Automotive, Energy, Hotels, Insurance, Manufacturing, Healthcare and Financials).

The healthcare industry showed significantly more exposed databases and more exposed remote login services.

Exposed databases by industry

Composed of pharmacies, healthcare providers, insurance providers and pharmaceutical manufacturers, the healthcare industry had an average of 13 exposed databases per company. The energy industry proved the least at-risk with only one exposed database per company.

healthcare exposed databases

Exposed Remote Desktop Protocol (RDP)

Healthcare also had the most exposed RDP servers per company with an average of eight. However this average is caused by one outlier with ten times the number of exposed RDP servers than the next highest company.

healthcare exposed databases

While cloud databases and remote working solutions provide a great deal of convenience and enable modern web applications, both provide attackers a common entry point and drive data breach attacks. Internet exposed databases put customer data at risk and RDPs pose risks of credential stuffing, reuse of stolen credentials, and specific software exploits.

“Along with enormous agility for the modern enterprise, the rise of cloud infrastructure in high-tech industries has created an incredible security challenge that only continues to grow,” said Jose Nazario, Ph.D., Principal R&D Engineer at Censys. “While all industries have guilty parties, healthcare’s attack surface is simply much bigger than they realize.”

In order to protect against breaches, companies must first gain visibility using a continuous attack surface monitoring platform. This enables businesses to be alerted to risks when they occur. Companies can then remediate the issue by reconfiguring an application to listen on a private network, employing VPN software, or simply ensuring a firewall ruleset is properly configured.

IoC Scanner shows if Citrix appliances have been compromised via CVE-2019-19781

Citrix and FireEye have teamed up to provide sysadmins with an IoC scanner that shows whether a Citrix ADC, Gateway or SD-WAN WANOP appliance has been compromised via CVE-2019-19781.

CVE-2019-19781 IoC scanner

Finding evidence of compromise

By now it should be widely known that CVE-2019-19781 – aka “Shitrix” – is a real and present danger: exploits for it abound and attackers are using them, while we wait for fixes for all affected devices to be released.

Though the number of vulnerable Citrix endpoints is declining rather quickly, we don’t know have many have been compromised since the start of the attacks.

Nearly two weeks ago, TrustedSec created a list of locations and indicators to search for on potentially compromised Citrix ADC hosts and shared instructions on how to check for them.

Citrix’s and FireEye’s new tool makes the search for IoCs much easier.

About the CVE-2019-19781 IoC scanner

The IoC Scanner (as they call it) can be run directly on a live Citrix ADC, Gateway, or SD-WAN WANOP system, or can be used to inspect a mounted forensic image.

The tool can be used to inspect a mounted forensic image or on a live system. If used on the latter, it will scan files, processes, and ports for known indicators, and analyze available log sources and system forensic artifacts to identify evidence of successful exploitation of the flaw.

Its output will tell users whether there is:

  • Strong evidence of compromise (e.g., unexpected processes, listening UDP ports, web access logs showing exploit HTTP requests, etc.)
  • Evidence of the system having been successfully probed for the flaw
  • Evidence of unsuccessful vulnerability scanning (attempts to scan or exploit the system did not succeed).

CVE-2019-19781 IoC scanner

Caveats

“Remember, the tool will not make an assertion that a system has not been compromised. The tool will only state when IoCs are identified,” FireEye made sure to point out.

“It will also not provide formal malware family names of all malicious tools and scripts identified on compromised systems, nor will it identify the existence of all malware or evidence of compromise on the system. The tool is limited to the tool-related indicators that FireEye is aware of at the time of release of the tool or tool-related indicators.”

They did not say whether they intend to update it with new indicators as they become aware of them.

Also, they noted that “there are limitations in what the tool will be able to accomplish and therefore executing the tool should not be considered a guarantee that a system is free of compromise. For example, log files on the system with evidence of compromise may have truncated or rolled, the system may have been rebooted, or an attacker may have tampered with the system to remove evidence of compromise and/or installed a rootkit that masks evidence of compromise.”

But if the tool shows that IoCs are present, admins should definitely initiate a forensic investigation to determine the scope of the compromise.