Tag Archive for: Cyber Threat

CISA and FBI Publishes List of Top Vulnerabilities Currently Targeted by Foreign Sponsored Hacking Groups

RedSeal Cyber Threat Series

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly released a report on the top 10 vulnerabilities consistently being scanned, targeted, and exploited by foreign sponsored hacking groups.

All 10 of the vulnerabilities are known and have patches available from their vendors.

Exploits for many vulnerabilities are available publicly and have been used by various malware and ransomware groups and other nation-state actors.

RedSeal customers should:

  1. Create and run daily reports until all systems with the 10 vulnerabilities are patched
  2. Contact your RedSeal sales representatives or email info@redseal.net for additional details

References:

https://us-cert.cisa.gov/ncas/alerts/aa20-133a

Experts Warn of Attacks on a Cisco ASA Security Flaw due to a new Proof-of-Concept Exploit

RedSeal Cyber Threat Series            

Researchers at Positive Technologies have created a proof-of-concept (PoC) exploit that leverages a 2020 Cisco ASA vulnerability. A Cisco administrator would have to click on a link that takes the unsuspecting user to a web page where the malware is downloaded and the Cisco ASA must not be patched. Cisco released a patch for a Medium Severity web services vulnerability that affects the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software CVE-2020-3580. This security flaw can allow an unauthenticated attacker to remotely conduct a cross site scripting (XSS) attack against a user of the web services interface.

Enterprises should patch their Cisco ASA Software and Firepower Software as soon as possible.  A successful attack could allow the attacker to execute code or access sensitive browser information.   

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

Cybersecurity Best Practices 

  • Keep your devices patched and up to date 
  • Ensure you are using TLS v1.2 or above; disable lower versions of TLS and HTTP 
  • Disable WebVPN or AnyConnect if not in use on your device  

References 

https://securityaffairs.co/wordpress/119442/hacking/cisco-asa-under-attack.html 

https://nvd.nist.gov/vuln/detail/CVE-2020-3580 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe   

Old Fortinet Flaws are being used to breach federal and commercial networks


RedSeal Cyber Threat Series
            

The Federal Bureau of investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory warning that 3 Fortinet CVEs (CVE 2018-13379, CVE-2020-12812, and CVE-2019-5591) are being leveraged to gain a foothold in government agency and commercial networks to be exploited in the future. The FBI and CISA observed attackers scanning for ports 4443, 8443, and 10443.

Enterprises should immediately patch their FortiOS software and follow the recommended configuration guidance.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://www.ic3.gov/Media/News/2021/210402.pdf

https://www.fortiguard.com/psirt/FG-IR-19-283

https://www.fortiguard.com/psirt/FG-IR-18-384

https://www.fortiguard.com/psirt/FG-IR-19-037

https://kb.fortinet.com/kb/documentLink.do?externalID=FD49410

 

 

F5 Server iControl REST unauthenticated remote command execution vulnerability

RedSeal Cyber Threat Series

F5 has released patches for several BIG-IP and BIG-IQ critical vulnerabilities. CVE-2021-22986 is the most critical since it allows unauthenticated attackers with network access to use the iControl REST interface, via the BIG-IP management interface and self IP addresses, to execute system commands that could lead to complete system compromise. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://support.f5.com/csp/article/K03009991

https://www.tenable.com/blog/cve-2021-22986-f5-patches-several-critical-vulnerabilities-in-big-ip-big-iq

 

Microsoft Releases Fixes for 4 Zero Day Exchange Server Vulnerabilities

RedSeal Cyber Threat Series

Multiple news sources, security researchers and security agencies have reported on a new attack against tens, if not hundreds, of thousands of Internet accessible Exchange servers configured for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Outlook Web App (OWA) access. These attacks are being carried out by the China nation/state sponsored hacking group known as Hafnium.

The exploit utilizes 4 Zero Day vulnerabilities in Microsoft Exchange software, three in Exchange and one in Unified Messaging Services.

The four Zero Day Microsoft CVEs are as follows:
• CVE-2021-26855 – allows an attacker to send specific HTTP requests and authenticate to the Exchange Server
• CVE-2021-26857 – insecure deserialization in Unified Messaging allows remote code execution on Exchange sever
• CVE-2021-26858 – post authentication arbitrary file write vulnerability in Exchange
• CVE-2021-27065 – post authentication arbitrary file write vulnerability in Exchange

The result is a persistent web shell that allows attackers to steal data and perform other malicious actions.

RedSeal customers should:

1) Track the Hosts that the vulnerability scanner identifies as Exchange servers (this example was done with Rapid7 data).

2) Report to inventory the existence of hosts with any of the four vulnerabilities required for this exploit

3) Report on the access from subnets indicated as Internet to Exchange servers via TCP 443

4) -optional- Report on the access from ALL subnets to Exchange servers via TCP 443

All of these actions will be performed using the RedSeal Java UI.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:
https://cyber.dhs.gov/ed/21-02/

NSA publishes list of top vulnerabilities currently targeted by Chinese hackers

RedSeal Cyber Threat Series

 

The U.S. National Security Agency published a report detailing the top 25 vulnerabilities consistently being scanned, targeted, and exploited by Chinese state-sponsored hacking groups.

All 25 vulnerabilities are known and have patches available from their vendors.

Exploits for many vulnerabilities are available publicly and have been used by various malware and ransomware groups and other nation-state actors.

The first three CVEs of this 25 that should be remediated — especially if open to an untrusted network — are:

  • Citrix Netscaler CVE-2019-19781
  • Windows RDP Exploit (aka Bluekeep) CVE-2019-0708
  • Windows Zerologon CVE-2020-1472)

RedSeal customers should:

 Create and run daily reports until all systems with the 25 vulnerabilities are patched.

 For additional details, contact your RedSeal sales representatives or email info@redseal.net

 References:

https://www.zdnet.com/article/nsa-publishes-list-of-top-25-vulnerabilities-currently-targeted-by-chinese-hackers/

 

High Severity Security Flaw with Cisco ASA: Find It and Prioritize Patching Quickly

RedSeal Cyber Threat Series

Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) have a known vulnerability – CVE-2020-3452. This security vulnerability can allow an unauthenticated attacker to remotely conduct a directory traversal attack as well as read sensitive files on a targeted system.

Exploiting this vulnerability, the attacker can view files within target device’s web services file system. The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs. There are no workarounds that address this vulnerability.

Enterprises should patch their Cisco ASA Software and Firepower Software as soon as possible.  The web services file system is at risk when the WebVPN or AnyConnect functionality is enabled.  Note: The Cisco ASA or FTD system files or underlying Operating System files are not readable.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices.
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

 

References