Cyber Readiness Pillars and RedSeal

Cyber readiness is an organization's ability to identify, prevent, and respond to cyber threats. Organizations everywhere need it, and those that lack a readiness strategy are more exposed to attack.

The Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Essentials for small businesses and local government leaders, to give them an actionable understanding of how to implement organizational cybersecurity practices.

During a webinar with the U.S. Chamber of Commerce on June 29, CISA leaders explained why the pillars of the Cyber Essentials matter and offered them as a starting point for cyber readiness. Building a culture of cybersecurity across the organization is the foundation; organizations that fail to build one are more likely to suffer attacks.

“From human resources to marketing to sales and procurement, it is almost guaranteed that you rely on one or more digital platforms to facilitate the success of your business operations. The Cyber Essentials are a series of tools and practices that we have assembled to provide what we consider to be the basics of cyber organizational readiness,” Trent Frazier, deputy assistant director of the Stakeholder Engagement Division at CISA, said.

Every team needs sound cybersecurity practices, and an organization without a holistic approach to them is at risk. RedSeal is a company you can depend on for sophisticated cybersecurity.

RedSeal acts as a force multiplier for every other security device in a network. If you are short of skilled cybersecurity personnel, contact us.

The 6 Pillars of Cyber Readiness 

Creation of Cyber Readiness Culture 

Pillar One 

Pillar one of cyber readiness is leadership. Leaders are the backbone of an organization and set its culture.

Leaders should therefore keep the cybersecurity essentials in mind and not overlook the investment cybersecurity requires. They should determine how much of the business depends on IT, and build trusted relationships with sector partners and government agencies so that cyber threat information can be shared easily.

Pillar Two

The second pillar is the staff. The people who use the organization's systems are an essential part of readiness; this pillar is about developing their awareness of cybersecurity and keeping them alert.

Systems and Data Environment in Cyber Readiness 

Pillar Three

The third pillar is systems. Leaders learn what is on their network and how to maintain inventories of hardware and software assets, so they know what they have and what is at risk in an attack.

Pillar Four 

The fourth pillar covers the organization's surroundings, its network. Leaders should:

  • Know the network
  • Maintain inventories of network connections, including user accounts and vendors
  • Require multi-factor authentication for every user, starting with those who have privileged, administrative, and remote access

Pillar Five

The fifth pillar is data: the intellectual property and other sensitive information held by the organization. Leaders and staff are tasked with learning how that data can be protected.

Respond to and Recover from a Crisis 

Pillar Six

Crisis response is the sixth and last pillar of the Cyber Essentials. It focuses on limiting damage and quickly restoring normal operations after a cyber-attack.

The Cyber Essentials task leaders with developing an incident response plan and a disaster recovery plan. The plans should define roles and responsibilities and be tested regularly.

Leaders should know the organization's cybersecurity posture, since their assessment of it shapes the business impact of an incident, and they should decide in advance which systems must be recovered first.

Leaders should also know whom to call for help if they lack sufficient staff, and in what order: outside partners, government agencies, technical advisors, and law enforcement.

If you are looking for cybersecurity services, RedSeal offers the following.

RedSeal Service Offerings 

  • Cloud Cyber Inventory Assessment
  • Cyber Visibility Assessment
  • Health Check Service
  • Secure Remote Work Assessment
  • Managed Service
  • Cyber Cloud Access Assessment

Our professional services team provides skilled, trained cybersecurity personnel, along with products that make your security investment more valuable.

The Bottom Line 

Organizations need a cybersecurity strategy to protect both infrastructure and customer data from growing cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Essentials as a guide for small businesses and local government leaders to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Automation, Integration and RedSeal

Automation is one of the trending topics in cybersecurity. The primary reason for automating mundane and repeatable tasks is to allow people to shift focus to problem-solving activities. Organizations can become more resilient to cyber-attacks by directing all the resources to these problem-solving activities.

Integration means taking multiple tools and combining their processes, whether those processes are automated or not.

One example of automation is collecting configuration changes from a network firewall. Going through configuration and log files line by line by hand is tedious and, given their length, ultimately futile; a script that identifies the changes is far easier and more accurate.
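As an added example of the firewall change script described above (not RedSeal's code or the page's own), the following Python compares two ACL snapshots and flags the changes that widen access. The configuration syntax it parses is a constructed, simplified Cisco-style extended ACL format, and the two snapshots are constructed sample input.

```python
"""Firewall ACL change detection (added example, not RedSeal's code).

Parses a constructed, simplified Cisco-style extended ACL syntax:
  access-list <name> extended <permit|deny> <proto> <src> <dst> [eq <port>]
where an address is 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'.
Real configurations have many more forms (object-groups, ranges, ICMP types).
"""
import ipaddress
from dataclasses import dataclass

# Constructed snapshots: the second one adds an RDP permit from anywhere,
# adds a narrow SSH permit, and drops the explicit deny on OUTSIDE.
OLD_CONFIG = """\
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE extended deny ip any any
access-list INSIDE extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 5432
"""
NEW_CONFIG = """\
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 3389
access-list INSIDE extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 5432
access-list INSIDE extended permit tcp host 10.0.1.7 10.0.2.0 255.255.255.0 eq 22
"""


@dataclass(frozen=True)
class Rule:
    acl: str
    action: str
    proto: str
    src: str     # normalised to CIDR; 'any' becomes 0.0.0.0/0
    dst: str
    port: str    # 'any' when the line has no 'eq' clause


def _take_addr(tokens):
    """Consume one address spec from the front of tokens; return (cidr, remaining)."""
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return str(net), tokens[2:]


def parse_rules(config):
    rules = set()
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        try:
            src, rest = _take_addr(t[5:])
            dst, rest = _take_addr(rest)
        except (ValueError, IndexError):
            continue  # not a form this simplified parser understands
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
        rules.add(Rule(t[1], t[3], t[4], src, dst, port))
    return rules


def diff_rules(old_config, new_config):
    """Return (added, removed) as sets of Rule."""
    old, new = parse_rules(old_config), parse_rules(new_config)
    return new - old, old - new


def widens_access(rule, added):
    """Heuristic: a new permit from anywhere, or any removed deny, widens exposure."""
    if added:
        return rule.action == "permit" and rule.src == "0.0.0.0/0"
    return rule.action == "deny"


def review_change(old_config, new_config):
    """The automated check: what changed, and which changes a human must look at."""
    added, removed = diff_rules(old_config, new_config)
    flagged = ({r for r in added if widens_access(r, True)}
               | {r for r in removed if widens_access(r, False)})
    return {"added": added, "removed": removed, "needs_review": flagged}
```

On the constructed snapshots, `review_change` reports two added rules and one removed rule, and puts the RDP-from-anywhere permit and the removed deny in `needs_review` while leaving the narrow SSH rule alone. Because the snapshots are compared as sets, a reordering of rules is not reported; in a first-match ACL a reorder can change behaviour, so a production script should also diff the ordered list, and it should run on a schedule against each device's saved configuration.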

In RedSeal, most processes can be automated:

  • Save query
  • Run query
  • Anything scheduled is an automation

Without security automation, analysts must resolve threats manually. This often entails investigating the issue and comparing it against the organization’s threat intelligence to determine its legitimacy, deciding on a course of action, then manually resolving the issue — all on potentially millions of alerts and often with incomplete data.

That means automating individual tools leaves a lot to be desired, and this is where the benefits of integration kick in. Thirty years ago, software applications were rigid and closed off from each other. Fifteen years ago, APIs let data flow from one application to another. In the last five years, things have become far more flexible.

Now, integrations are only limited by imagination.

ServiceNow

For security teams using RedSeal, the most common integration is ServiceNow, not just for ticketing but for identifying stale and missing network assets in the ServiceNow CMDB. RedSeal enriches the ServiceNow inventory data with the specific network location of each device, and ServiceNow provides critical asset information back to RedSeal, which in turn identifies risk to those assets, all while the operator stays in the ServiceNow Service Management dashboard. RedSeal plus ServiceNow lets network and security teams resolve change control requests in minutes rather than days.

ForeScout

For users of ForeScout, integrating with RedSeal lets them identify high-risk endpoints based on RedSeal's risk score, use RedSeal to identify risk to critical assets, use ForeScout CounterACT to automate risk mitigation, and discover devices that have STIG or other configuration violations.

Splunk

The goal of Incident Response is to address and manage a security breach in a way that limits damage and reduces recovery time and costs. Your SIEM solution can identify an Indicator of Compromise (IOC) by analyzing and correlating the massive streams of machine data generated by your IT systems and technology infrastructure.

Through its integration with the Splunk Adaptive Response framework, RedSeal adds network situational awareness to Splunk: full visibility of the network access paths from an IOC to critical assets, so that downstream risk can be contained within minutes.

Beyond these, third-party tools and custom, grassroots applications can build specific integrations that deliver data exactly when and how an enterprise's own requirements demand.

While you must do what you can to detect and prevent network security incidents, you also need to respond quickly to the attacks that do get through, investigating and containing them to minimize (or prevent) loss.

Although SIEMs reduce a large volume of data, they still generate more indicators of compromise (IoCs) than your team can quickly investigate. Just locating a compromised device, physically or logically, can be a time-consuming manual task.

A RedSeal model of your network, across on-premise, cloud and virtual environments, gives you the detail you need to accelerate network incident response. You can quickly locate a compromised device, determine which assets bad actors can reach from there, and get the information needed to stop them. Since the model includes all possible access paths, you see the paths an attacker could take to valuable assets, along with specific containment options so you can decide what action to take: increasing monitoring, placing honeypots, changing firewall rules, or simply unplugging the device. That decreases your incident response time.

What is RedSeal’s Approach to Automation and Integration?

CSO Magazine has called RedSeal a “force multiplier for your existing security products.”

To streamline security teams’ efforts, and further improve network security, RedSeal now integrates into the user interfaces of several leading security products.

The RedSeal security platform integration improves the efficacy of each of these security products, giving their users unprecedented network context within the tools, and in the format they’re already using.

Integrate your technology ecosystem.

RedSeal enhances your existing security investments by adding network topology and connectivity knowledge across all your network environments. You get a comprehensive network-wide view of your security posture.

View our Technology Integration Guide for details on supported devices and software.

Even advanced security systems depend on adjacent solutions to provide a comprehensive and current view of network risk. RedSeal works with Technology Integration Partners to develop deep integrations through integration apps. The apps add value to both products, giving users network context within the tools and in the format they already use.

Benefits:

  • Contextual and actionable insights by RedSeal within host applications
  • Relevant and focused data inside the application and the workflow that you are already familiar with
  • No need for another application on your already-crowded desktop
  • The power of RedSeal without additional training/IT resources required
  • Free of charge and available now

Five Steps to Improve your Multi-Cloud Security

In 2021, the COVID-19 pandemic had a dramatic impact on how and where we do business. For many enterprises, the “where” became the cloud – immediately. This rapid adoption of the cloud – in most cases multiple clouds – created a rapid increase in security issues. Suddenly, enterprises had new cloud security requirements they needed to understand and deploy without the benefit of time to learn. The complexity continued to increase, and this triggered new security issues with potentially costly consequences. These included:

  • Data leakage/exfiltration – Unauthorized movement of sensitive data from inside the enterprise to outside can be accidental or deliberate. Often the discovery that data has been leaked occurs days, weeks, or months later, and can result in a damaged brand, lost customer trust, and fines.
  • Ransomware – Enterprises can pay thousands to millions of dollars to access encrypted data and systems in order to restore operations. Additionally they can be extorted to pay for the recovery of stolen sensitive information.  If they refuse to pay,  enterprises can lose days or weeks of revenue trying to recover their systems, and risk having sensitive data posted on the internet.
  • Non-compliance – Enterprises that fail to adhere to mandatory regulations (PCI-DSS, CMMC, HIPAA, GDPR) or to voluntary cybersecurity frameworks such as the NIST Cybersecurity Framework can incur costly penalties and potential shutdowns that limit their ability to do business. Customer relationships may be damaged by the perception that security isn’t a priority.
  • Team collaboration/staffing shortages – DevOps is highly distributed across the enterprise and many teams acknowledge the lack of cloud platform security expertise. Cloud security practices should encourage significant collaboration that leverages both internal and external expertise.

To maintain cloud security and reduce, if not eliminate, the impact of these serious security issues, enterprises need a proven cybersecurity framework that addresses them directly.

Steps to strengthen your cloud security

Cloud environments are dynamic and constantly evolving. These 5 steps provide a proven framework to improve your enterprise’s cloud security using a technology driven approach, even in a multi-cloud environment.

  1. Visualize/maintain an accurate inventory of compute, storage and network functions
    Security teams often lack visibility across multi-cloud and hybrid environments. Cloud environments are often managed in disparate consoles in tabular forms. Security teams need to understand controls that filter traffic, including cloud native controls (network security groups and NACLs), and third-party infrastructure (SASE, SD-WAN and third-party firewalls). A single solution that provides a detailed visual representation of the multi-cloud environment is critical.
  2. Continuously monitor for exposed resources
    It is important to understand which cloud resources are publicly accessible or Internet-facing. Unintentional exposure of resources to the Internet is a major cause of cloud breaches. This includes any data resources like AWS S3 buckets or AWS EC2 instances. Security teams need to easily identify and report on exposed resources, and then provide remediation options that include changes to security groups or firewall policy.
  3. Continuously validate against industry best practices
    There are many industry best practice frameworks that can be used to validate cloud security. CIS Benchmarks and Cloud Security Alliance are two of these frameworks. Security teams should continuously validate adherence to best practices and quickly remediate findings to eliminate misconfigurations and avoid excessive permissions.
  4. Validate policies – segmentation within/across clouds and corporate mandates
    Many security teams create segmentation policies to minimize attack service and reduce the risk of lateral movement. Examples may be segmenting one Cloud Service Provider from another (AWS cannot talk to Azure) or segmenting access across accounts in the same CSP. Both segmentation and corporate policies should be continuously monitored for violations and provide detailed information that enables rapid remediation.
  5. Conduct comprehensive vulnerability prioritization
    All vulnerability management solutions provide a severity score, but more comprehensive prioritization can occur by identifying which vulnerabilities in the cloud are Internet-facing (including the downstream impact of these vulnerabilities).
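As an added example of steps 2, 4 and 5 above (not RedSeal's code), the following Python runs exposure, segmentation and prioritization checks over a constructed inventory. The instance list, security group rules, cloud address ranges and vulnerability scores are all assumptions made for the example; a real version would pull them from the provider APIs and a vulnerability scanner.

```python
"""Cloud exposure, segmentation and prioritisation checks (added example, not RedSeal's code).

Everything below (instances, security groups, cloud ranges, vulnerability
scores) is constructed for the example.
"""
import ipaddress

INSTANCES = [
    {"id": "i-web01",  "cloud": "aws",   "public_ip": "203.0.113.10", "sg": "sg-web"},
    {"id": "i-db01",   "cloud": "aws",   "public_ip": "203.0.113.20", "sg": "sg-db"},
    {"id": "vm-app01", "cloud": "azure", "public_ip": None,           "sg": "nsg-app"},
]
# inbound rules as (protocol, port, source CIDR)
SECURITY_GROUPS = {
    "sg-web":  [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")],
    "sg-db":   [("tcp", 5432, "0.0.0.0/0")],      # meant to be private, but open to the Internet
    "nsg-app": [("tcp", 8080, "10.1.0.0/16")],    # admits the AWS range from Azure
}
CLOUD_RANGES = {"aws": ["10.1.0.0/16"], "azure": ["10.2.0.0/16"]}
VULN_SCORES = {"i-web01": 5.3, "i-db01": 7.5, "vm-app01": 9.8}   # highest CVSS per host
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(cidr):
    """True only if the whole source range sits inside RFC 1918 space.
    (ipaddress's is_private is deliberately avoided: its answer for 0.0.0.0/0
    differs between Python versions.)"""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in RFC1918)


def find_exposed(instances=INSTANCES, groups=SECURITY_GROUPS):
    """Step 2: a public address plus an inbound rule whose source is not purely internal.
    Only direct exposure is modelled; exposure through a load balancer or NAT
    needs path analysis."""
    return [(inst["id"], proto, port, src)
            for inst in instances if inst["public_ip"]
            for proto, port, src in groups[inst["sg"]] if not is_internal(src)]


def segmentation_violations(instances=INSTANCES, groups=SECURITY_GROUPS, ranges=CLOUD_RANGES):
    """Step 4: policy 'one cloud must not talk to another'. A rule violates it when its
    source range overlaps another cloud's address space (0.0.0.0/0 overlaps everything,
    so an Internet-open rule is also a segmentation violation)."""
    found = []
    for inst in instances:
        for proto, port, src in groups[inst["sg"]]:
            src_net = ipaddress.ip_network(src)
            for cloud, cidrs in ranges.items():
                if cloud != inst["cloud"] and any(
                        src_net.overlaps(ipaddress.ip_network(c)) for c in cidrs):
                    found.append((inst["id"], proto, port, src, cloud))
    return found


def prioritise(instances=INSTANCES, scores=VULN_SCORES):
    """Step 5: rank hosts by Internet exposure first, then CVSS, instead of CVSS alone."""
    exposed = {f[0] for f in find_exposed(instances)}
    return sorted(scores, key=lambda host: (host in exposed, scores[host]), reverse=True)
```

On this inventory `find_exposed` reports the web server's 443 rule (expected) and the database's 5432 rule (not expected; the remediation is to narrow the `sg-db` source to the application subnet). `segmentation_violations` catches both the Azure rule that admits the AWS range and the broad `10.0.0.0/8` SSH rule on the web server, which a per-cloud policy would never have written deliberately. `prioritise` puts the Internet-facing database (CVSS 7.5) ahead of the internal-only application host (CVSS 9.8), which is the point of step 5.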

Implementing success

While the risks grew for many enterprises this past year as they rapidly moved to the cloud, several have dodged the bullet. RedSeal has helped many of them adopt a strong security framework and gain actionable insights into their cloud environments. Those insights were often an eye-opener.

  • Underestimated VPC[1] inventory in the cloud – A healthcare customer expected “a few VPCs” in their cloud environment. The implementation of RedSeal revealed they had over 200 VPCs. This helped them see their overall cloud footprint and reduced their attack surface.
  • Exposed cloud resources– An enterprise customer incorrectly believed that all of their cloud resources were protected by a third-party firewall. Consequently, many resources were directly exposed to the Internet. RedSeal identified the exposed resources and the misconfigurations before any exploitation occurred.
  • Risky shadow IT – A technology company’s business unit had cloud instances that did not pass the company’s access security mandate. RedSeal identified these resources and helped determine that employees had bypassed process and created unauthorized cloud resources. The company’s shadow IT with respect to cloud security is now under control.
  • Zone-based segmentation as required by PCI-DSS – A payment card provider validated that card holder data was segregated and protected after their cloud migration. They modeled and monitored their segmentation policy, enabling their audit to be completed quickly and confidently.
  • VPC/VNET without subnets or subnets without instances – A healthcare customer discovered hundreds of empty VPC/VNETs and subnets without instances in their cloud environment. Their default “ANY/ANY” configuration could easily have been exploited by malicious actors; industry best practice says such subnets should be deleted or actively monitored.

With RedSeal, all these enterprises, and more, have utilized a multi-cloud security methodology that highlights: Visualization/Inventory, Exposure, Industry Best Practices, Policy Validation, and Vulnerability Prioritization. These 5 steps can bring peace of mind to security teams who have had to act quickly and without warning in response to this most unprecedented year.

Learn More

Looking for more details on how 3rd party firewalls may impact your cloud security framework? Download our whitepaper “How Should I Secure My Cloud?”

RedSeal’s Cloud Security Solution -Ensure Your Critical Cloud Resources Aren’t Exposed to the Internet

[1] AWS uses the term VPC (Virtual Private Cloud) and Azure uses the term VNet (Virtual Network). Conceptually, they provide the bedrock for provisioning resources and services in the cloud. However, there is variability in implementation.

The Real Reason for Breaches (and How to Avoid Them)

Security is a tough job – we invest so much effort, and yet the breaches keep on happening.  Why?  In a word, complexity. 

The digital world brings so many great efficiencies and innovations – the pressure to move fast and exploit opportunities is irresistible to every organization.  But crossing all these online frontiers brings the unavoidable frontier challenges – lawlessness, chaos, and rapid change.  Security is easiest in mature, well understood, and above all, in simple infrastructures.  Every added bit of complexity and change moves away from security, and towards chaos.  The security professional has a thankless task – we cannot simply demand that our employers be more orderly or cease changing.  Instead, we have to adapt constantly, and try to keep up with all the new territory that is constantly opening up, with new threats and new ways to get it all wrong.

When you analyze any of the major breaches in detail, you find they are always multi-component – there is never just one simple, single cause.  Attackers are stealthy, persistent, and they move from one foothold to another.  This means that when a breach happens, it’s a system-level failure, not just one component that could have been isolated and fixed.  Worse, even if you put all your effort into fixing as many components as possible, you’ll never get to 100% secure and impervious to attack.  The bad guys will search and search for anything you missed, then exploit it, gain a new foothold, and work outwards from there.

Clearly, the road to security doesn’t come from finding and fixing everything – it’s impossible to fix every issue in your network today, and even if you could, there will be new defects tomorrow, because the rate of change is so high.  Instead, we have to learn to thrive in a world with inherent vulnerability, just the way animals and people do in the biological world.  Biological systems are resilient rather than perfectly protected – they can adapt and bounce back from infection, since Mother Nature long ago learned that blocking every pathogen just wasn’t going to work.  Of course, this doesn’t mean you should give up and just accept every possible attack – biological systems still aim to be hard targets, they just actively maintain an immune system so they can detect, isolate, and remove the inevitable successful attacks.

So the way forward is to find what you have, in the cloud and across your physical sites, see how it’s all connected, and understand where you can block incoming attacks, as well as thwart lateral movement for attackers who do make it past your defenses.  The first goal is a complete inventory – in itself, that’s a hard challenge because of the diverse and changing fabric we use to get the work done.  The second goal is to harden any assets that are exposed.  The third goal is based on recognizing that perfect hardening at step two won’t happen, so instead, it’s essential to understand what is connected to what, so that you can stay ahead of attacks and block them before they get a chance to spread.  This is why RedSeal focuses on these three disciplines – gather and map the network in all its hybrid complexity, then harden the individual elements, then help our customers conduct war games where they can think at a system level, and prioritize their defensive efforts to become a resilient hard target.

For further details on how RedSeal tackles cloud security, check out our solution brief: “Redseal Ensures Your Critical Cloud Resources Aren’t Exposed To The Internet”

Experts Warn of Attacks on a Cisco ASA Security Flaw due to a new Proof-of-Concept Exploit

RedSeal Cyber Threat Series            

Researchers at Positive Technologies have created a proof-of-concept (PoC) exploit for CVE-2020-3580, a 2020 vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Cisco rated the flaw medium severity and released a patch for it. The flaw allows an unauthenticated remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web services interface: the attacker has to persuade a Cisco administrator to click a crafted link, and the targeted ASA or FTD must be unpatched.

Enterprises should patch their Cisco ASA and Firepower software as soon as possible. A successful attack could allow the attacker to execute arbitrary script code in the administrator’s browser in the context of the interface, or to access sensitive browser-based information.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

Cybersecurity Best Practices 

  • Keep your devices patched and up to date 
  • Ensure you are using TLS 1.2 or above; disable lower versions of TLS and plain HTTP
  • Disable WebVPN or AnyConnect if not in use on your device  

References 

https://securityaffairs.co/wordpress/119442/hacking/cisco-asa-under-attack.html 

https://nvd.nist.gov/vuln/detail/CVE-2020-3580 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe   

Zero Trust Is Here to Stay, So How Can I Prepare My Network?

Whether you agree or not with the concept–zero trust architecture is here for the foreseeable future.

Unless your organization is cloud-native, you are going to have to prepare to implement zero trust on your existing enterprise. If you are the one responsible for deploying and maintaining networks for the Federal government, zero trust is most likely at the top of your to-do list.

The President’s executive order of May 12, 2021 compels Federal agencies to move to zero trust architectures and adopt cloud services, in order to modernize departmental and agency IT infrastructures and the security technologies that protect them. However, Federal agencies are not cloud-native companies. Most have large on-premise networks whose devices, applications, and services must be inventoried before zero trust can be implemented. Like any good implementation, this is going to take planning.

Zero trust is not a destination, but a continuous journey that is going to require rigorous configuration management and continuous monitoring.  RedSeal is not a magic zero trust platform, but it can help you on your journey to prepare and maintain specific aspects.

One major step of this journey is simply understanding what you have (network devices, mobile, desktops, IoT, etc.), how your data moves through the network, and which segmentation policies already exist to comply with standards and regulations. One of the first steps will be enumerating every possible pathway, from every source to every destination, while also accounting for NAT’d IP addresses and load balancers. That is a daunting task by itself.

This is where the power of RedSeal’s Netmap analysis comes in. RedSeal automatically calculates every possible path through the network accounting for the effect of NATs and load balancing. Then you can ask RedSeal to show you these pathways to determine if they are approved and needed for business and mission success.

A side benefit of this analysis is RedSeal creates an inventory of all your network gear and IP space, as well as your cloud and software defined network (SDN) assets.  You cannot secure it if you do not know about it, and the output of RedSeal gives you a great start on understanding what you have.  Remember, with zero trust you are going to have to identify not only who, but what can, or should have access, so an inventory is an absolute must have.

As you move along this journey, and if your journey takes some, or most of your assets to the cloud, you can test the network segmentation of your cloud configuration in RedSeal before you deploy to the cloud to verify it is configured securely. Finally, RedSeal can continuously monitor your network segmentation and micro segmentation policies to make sure they stay compliant with your zero-trust architecture goals.

If you’d like to learn more about securing both your cloud and on-premise networks, visit our Cloud Security page.

We’ve also partnered with MeriTalk on a new infographic report on “Braving the Cloud Storm” – a look at how agencies are addressing cybersecurity across a multitude of clouds and on-premise environments.

Cloud Security Posture Management and RedSeal

Pilots know that flying safely means keeping track of the weather. They track storm fronts because that is where the turbulence is. Pilots who fly blindly into a storm lose their wings.

Gaps in your security posture are where the cyber storm fronts are. The cyber storm is both on-prem and in the cloud. To do your job correctly, you need to get an accurate forecast today of the cyber weather.

The rush to move assets into the cloud has created all sorts of new stormy weather to contend with.

Pilots and Weather

A nationally recognized financial institution, a large well-resourced company, did not check the security gaps and was caught off guard when Paige Thompson, former AWS software engineer, exploited a misconfigured web application firewall to access one of their servers. That server contained 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed number of customers’ personal information. Thompson then attempted to share access to the information with others online, per CNN.

Had the organization’s cyber team acted like safety-conscious pilots and checked the weather first, they would have noticed the misconfigurations before someone on the outside did.

So, what is the cyber equivalent of checking the weather?

Cloud Security Posture Management

Cloud security posture management (CSPM) automates the identification and remediation of risks across cloud infrastructures, including Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

Without CSPM, developers can create any number of instances in the cloud, and deploy them, with little oversight.

According to Threatpost, the team at Imperva created an internal compute instance that was misconfigured and publicly accessible. Worse, it had an AWS API key that enabled attackers to access a database snapshot and exfiltrate customer information.

Security researchers also found a MongoDB database, run by a vendor, left unprotected on a cloud server; it contained 2.8 million CenturyLink data records belonging to several hundred thousand of the tech company’s customers.

Why? Most companies have a lack of central control and value speed over security.

If large companies like these are messing up the necessary security configurations in their cloud services, then medium and small sized firms are unquestionably doing the same thing, given their lack of resources.

How is the RedSeal Approach to CSPM Different?

The thing is, most enterprise networks are hybrid, spanning both public and private cloud environments along with physical network infrastructure. While you may have security tools for each environment, you probably cannot see how your whole network is woven together.

RedSeal’s cloud security solution is the only product that brings complex hybrid multi-cloud networks into one unified model. You’ll be able to understand all your network environments in one dynamic visualization, where your high-value assets are, and all the ways they are vulnerable to attack.

RedSeal shows you all possible network access — across, within and between public cloud, private cloud and physical network environments — whether the access is intended or not.

RedSeal lets SMBs compete, defend themselves, and overcome their lack of experience. The responsibility for security differs from platform to platform, and smaller companies tend to assume it has been taken care of when it has not. Moreover, different providers use different terminology for the same services.

You are only milliseconds away from the bad guy.

Pilots are grounded when they fly willy-nilly into a dangerous storm, if they are lucky enough to still be alive. Gaps in your security posture are the cyber storms you have to contend with and plan for. These storms are both on-prem and in the cloud. Today’s accurate forecast of the cyber weather comes from RedSeal.

Happy flying!

For more information, visit our page Understand Your Hybrid Multi-Cloud Network.

Old Fortinet Flaws are being used to breach federal and commercial networks


RedSeal Cyber Threat Series

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory warning that three Fortinet CVEs (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) are being leveraged to gain a foothold in government agency and commercial networks for later exploitation. The FBI and CISA observed attackers scanning for ports 4443, 8443, and 10443.

Enterprises should immediately patch their FortiOS software and follow the recommended configuration guidance.
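As an added example (not RedSeal's code and not part of the advisory), a small Python detection over constructed firewall log lines that flags any source touching two or more of the three ports the FBI and CISA saw being scanned; the key=value syslog-style log format is an assumption, not a specific vendor's.

```python
"""Flag sources sweeping the Fortinet SSL-VPN ports named in the FBI/CISA advisory.
Added example; the log lines below are constructed, not captured traffic."""
import re
from collections import defaultdict

# Ports the FBI and CISA observed attackers scanning for.
WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample log lines: one source sweeps all three ports, the rest is noise.
SAMPLE_LOGS = """\
2021-04-02T10:00:01Z fw1 action=deny src=198.51.100.7 dst=203.0.113.10 dport=4443 proto=tcp
2021-04-02T10:00:02Z fw1 action=deny src=198.51.100.7 dst=203.0.113.10 dport=8443 proto=tcp
2021-04-02T10:00:03Z fw1 action=deny src=198.51.100.7 dst=203.0.113.11 dport=10443 proto=tcp
2021-04-02T10:00:09Z fw1 action=accept src=192.0.2.25 dst=203.0.113.10 dport=443 proto=tcp
2021-04-02T10:00:15Z fw1 action=deny src=192.0.2.88 dst=203.0.113.12 dport=8443 proto=tcp
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")


def parse_line(line):
    """Return (src, dst, dport, proto) or None for lines that do not match the format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def find_probers(log_text, min_ports=2):
    """Map each source to the sorted watched TCP ports it touched, keeping only
    sources that hit at least min_ports distinct watched ports (a sweep signature)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue          # skip unparseable lines instead of aborting the run
        src, _dst, dport, proto = parsed
        if proto == "tcp" and dport in WATCHED_PORTS:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_probers(SAMPLE_LOGS).items():
        print(f"{src} swept Fortinet ports {ports}")
```

Lowering min_ports to 1 lists every source that touched any watched port, which is noisier but useful for a first triage pass.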

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices.
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://www.ic3.gov/Media/News/2021/210402.pdf

https://www.fortiguard.com/psirt/FG-IR-19-283

https://www.fortiguard.com/psirt/FG-IR-18-384

https://www.fortiguard.com/psirt/FG-IR-19-037

https://kb.fortinet.com/kb/documentLink.do?externalID=FD49410

F5 Server iControl REST unauthenticated remote command execution vulnerability

RedSeal Cyber Threat Series

F5 has released patches for several BIG-IP and BIG-IQ critical vulnerabilities. CVE-2021-22986 is the most critical since it allows unauthenticated attackers with network access to use the iControl REST interface, via the BIG-IP management interface and self IP addresses, to execute system commands that could lead to complete system compromise. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices.
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://support.f5.com/csp/article/K03009991

https://www.tenable.com/blog/cve-2021-22986-f5-patches-several-critical-vulnerabilities-in-big-ip-big-iq

Microsoft Releases Fixes for 4 Zero Day Exchange Server Vulnerabilities

RedSeal Cyber Threat Series

Multiple news sources, security researchers and security agencies have reported on a new attack against tens, if not hundreds, of thousands of Internet-accessible Exchange servers configured for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Outlook Web App (OWA) access. These attacks are being carried out by the Chinese state-sponsored hacking group known as Hafnium.

The exploit chains four zero-day vulnerabilities in Microsoft Exchange software: three in Exchange itself and one in Unified Messaging Services.

The four zero-day Microsoft CVEs are as follows:
• CVE-2021-26855 – allows an attacker to send specific HTTP requests and authenticate to the Exchange server
• CVE-2021-26857 – insecure deserialization in Unified Messaging allows remote code execution on the Exchange server
• CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange
• CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange

The result is a persistent web shell that allows attackers to steal data and perform other malicious actions.

RedSeal customers should:

1) Track the hosts that the vulnerability scanner identifies as Exchange servers (this example was done with Rapid7 data).

2) Run a report to inventory the hosts carrying any of the four vulnerabilities required for this exploit.

3) Report on the access from subnets marked as Internet to Exchange servers via TCP 443.

4) (optional) Report on the access from ALL subnets to Exchange servers via TCP 443.

All of these actions will be performed using the RedSeal Java UI.
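Steps 1 to 4 worked in plain Python over constructed scanner and access-rule data, as an added example that is not RedSeal's tooling or the Java UI; the host names, IPs, zone labels and the scanner's role string are assumptions, and the output orders vulnerable Exchange hosts by whether the Internet can already reach them on 443.

```python
"""Correlate scanner CVE findings with network access to rank Exchange exposure.
Added example; the inventory and access rules below are constructed sample data."""
from dataclasses import dataclass, field
# The four CVEs chained in the Hafnium attacks, as listed in the advisory.
EXCHANGE_ZERO_DAYS = {"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"}

@dataclass
class Host:
    name: str
    ip: str
    role: str                          # service label assigned by the vulnerability scanner
    cves: set = field(default_factory=set)

@dataclass(frozen=True)
class AccessRule:                      # one permitted path in the network access model
    src_zone: str                      # e.g. "Internet" or "Corp-LAN" (assumed labels)
    dst_ip: str
    proto: str
    dport: int

# Constructed inventory and access model (sample data, not a real scan).
HOSTS = [
    Host("exch01", "10.1.1.10", "Microsoft Exchange", {"CVE-2021-26855", "CVE-2021-27065"}),
    Host("exch02", "10.1.1.11", "Microsoft Exchange"),
    Host("exch03", "10.1.2.20", "Microsoft Exchange", {"CVE-2021-26857"}),
    Host("web01", "10.1.3.30", "IIS"),
]
ACCESS = {
    AccessRule("Internet", "10.1.1.10", "tcp", 443),
    AccessRule("Internet", "10.1.1.11", "tcp", 443),
    AccessRule("Corp-LAN", "10.1.2.20", "tcp", 443),
}

def exchange_hosts(hosts):
    """Step 1: hosts the scanner labels as Exchange servers."""
    return [h for h in hosts if "exchange" in h.role.lower()]

def vulnerable_exchange(hosts):
    """Step 2: Exchange hosts carrying any of the four CVEs."""
    return [h for h in exchange_hosts(hosts) if h.cves & EXCHANGE_ZERO_DAYS]

def reachable_on_443(hosts, access, src_zone="Internet"):
    """Step 3: Exchange hosts reachable on TCP/443 from src_zone; step 4 is src_zone=None (all zones)."""
    open_to = {r.dst_ip for r in access if r.proto == "tcp" and r.dport == 443
               and (src_zone is None or r.src_zone == src_zone)}
    return [h for h in exchange_hosts(hosts) if h.ip in open_to]

def patch_first(hosts, access):
    """Vulnerable Exchange hosts that the Internet can already reach on 443."""
    exposed = {h.name for h in reachable_on_443(hosts, access)}
    return sorted(h.name for h in vulnerable_exchange(hosts) if h.name in exposed)
```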

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:
https://cyber.dhs.gov/ed/21-02/