Tag Archive for: Vulnerability Management

“Is that what you’re going to say to the auditor?”

Today’s tale from the trench is brought to you by Brad Schwab, Senior Security Solutions Consultant.


In the high-stakes world of security operations, one question looms larger than most: Are you sure you’re scanning the entire network? It seems straightforward, but for any team dealing with a network of significant scale, answering this question can be a daunting task.

During a pivotal meeting with stakeholders of a large health organization, the focus was squarely on the performance and security of the network. As discussions turned to the scanning program, the head of security operations confidently outlined the procedures in place to ensure comprehensive scanning—scanning that covered the entire network. Wait, scanning that covered the entire network? This is when my skepticism crept in.

“How do you know you’re scanning the entire network?” I interjected, addressing the elephant in the room. The head of security operations deflected to the head of network operations, claiming his assurance. “[Head of network operations] said I could…” she asserted.

Turning to the head of network operations, I couldn’t resist a quip: “Is that what you’re going to say to the auditor? ‘He said I could’?” Though we shared a solid working relationship, I couldn’t let such a critical issue slide with mere assurance. And it was clear that the others in the room shared my same concerns.

With a blend of humor and seriousness, I delved into the complexities and uncertainties inherent in ensuring comprehensive network scanning. Questions rained down from the attendees, making it clear that a deeper exploration of their scanning protocols was necessary to instill confidence in the organization’s security measures. I began to outline critical considerations:

  • Does the scanner have a complete list of all IP space on the network that needs scanned?
  • Are there any overlapping subnets? If so, that overlapped portion of a subnet is not visible to the scanner, thus, creating a possible hiding place for a bad actor.
  • Is there a duplicate IP space in the network? This creates blind spots to any scanner.
  • And finally, the hard part of the answer, does the scanner have logical access to the entire network? Even if the scanner is trying to scan a network subnet, if the network architecture via Access Control Lists and Routing is blocking the access or not granting the access, the scan won’t be complete. On top of that, you will get no indication from the scanner that the scan didn’t work.

Beyond the logical access issue, no one had thought about the other issues. I then explained how RedSeal automatically looks for subnets that have no scan data, thus possibly not part of the IP list giving to the scanner. Also, overlapping subnets and colliding IP space is revealed as a RedSeal finding. Finally, I also explained how a RedSeal Access Query combined with our “show what is missing” feature can give you a list of everything that the scanner can’t reach because of network architecture.

I ended my explanation with “these features will give you comprehensive documentation of complete scanner coverage for your upcoming audit(s)…”

After less than a few days of work, we had provided a list to both network operations and security operations of additions and changes required by both teams to make their vulnerability program complete.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.



Tales from the Trenches: When Low-Risk is Actually High-Concern

Since 2004, RedSeal has been instrumental in empowering our clients to comprehensively visualize and fortify their intricate networks. While our customers initially grasped the importance of understanding their network architecture, connections, and identifying potential risks, there’s often an enlightening “aha” moment when the true significance becomes unmistakable. These narratives, cherished within the confines of RedSeal, vividly exemplify the practical value of our platform beyond mere theory. In the words of our dedicated field team, who collaborates directly with our clients, this blog series aims to unveil the instances where the theoretical transforms into tangible reality. 

Today’s post is brought to you by Chris Morgan, Client Engagement Director 


In the realm of cybersecurity, where threats and vulnerabilities lurk aplenty, RedSeal stands as a beacon of innovation. Pioneers in network security analytics, RedSeal delivers actionable insights, enabling customers to close defensive gaps across their entire network. 

While reviewing a large medical provider’s network, we discovered several high- and medium-severity vulnerabilities within the network. However, it was the low-risk vulnerability we found to be of highest concern.  

Delving deeper into our investigation, we unearthed a situation of seismic proportions. Amidst the chaos of the COVID-19 era, the client’s IT team had inadvertently granted unrestricted access to a seemingly mundane printer. However, unbeknownst to them, and visible now only because of RedSeal, this printer served as direct access to more than 14,000 hosts within the client’s expansive network, opening access that could enable bad actors to directly invade much of the network. RedSeal’s comprehensive approach, merging risk and access, empowers genuine prioritization for clients. 

With a fresh eye toward restricting access, we worked with the medical provider to remediate the exposure immediately, tightening access controls for printers and implementing access logs, securing them for the future.  

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure. 

Reach out to RedSeal or schedule a demo today.


5 Critical Steps to Identifying and Remediating Exfiltration Paths

Summary. Cybersecurity risks continue to rise, further increasing the severity of long-term impacts.  

The latest IBM Data Breach Report revealed 82% of breaches involved data stored in the cloud—public, private, or multiple environments, with attackers gaining access to multiple environments 39% of the time. In 2023, the average cost of a data breach reached an all-time high of USD 4.45 million, representing a 15.3% increase (from USD 3.86 million) in 2020.   

It is clear that in today’s interconnected and digital age, safeguarding sensitive information is of paramount importance for any organization. Data breaches not only cause significant financial loss but can also erode the trust of customers and stakeholders. One critical threat an organization faces is ‘data exfiltration’—the unauthorized transfer of data from within an organization to an external location. 

In this article, we’ll explore the concern exfiltration paths cause and important steps you can take to identify and mitigate them. 

Understanding Exfiltration Paths 

Exfiltration paths are like hidden backdoors that malicious actors use to smuggle out sensitive information. These paths can often exploit various vulnerabilities in an organization’s network, be it misconfigured devices, neglected access controls, or compromised endpoints.  

The consequences of overlooking these paths are substantial:  

  • Loss of sensitive data: This can include everything from proprietary business information to customer data.  
    • In March, 1.2% of ChatGPT subscribers’ payment-related and personal information were exposed during an outage. While the actual number of people exposed in the breach was “extremely low” according to OpenAI, the breach exposed a number of areas requiring immediate improvement to ensure safety of subscribers. 
  • Reputation damage: Data breaches can significantly harm an organization’s reputation, leading to a loss of trust. 
    • According to Forbes, nearly half of all organizations that suffer data breaches also suffer damage to their brand – the report identifies data loss as the “fourth most common threat to reputation.” 
  • Financial repercussions: This encompasses both direct losses and potential fines from regulatory bodies. 
    • IBM found the average cost of a data breach reached an all-time high in 2023 of $4.45 million, while the number is more than double in the U.S., averaging $9.44 million.  

Safeguarding Data, Reputation, and the Future   

Designed to provide a detailed and holistic view of an organization’s entire network—including all devices, access paths, and potential vulnerabilities, RedSeal’s platform has helped hundreds of organizations gain an understanding of potential exfiltration paths while identifying and sealing off pathways.  

By the time a breach is detected, the damage is often done. It is almost always less expensive to stop an attack before it starts than to remediate. With tools like RedSeal, organizations can transition from defensive to proactive security.  

5 Steps your organizations can take to identify exfiltration paths: 

  1. Comprehensive network modeling: RedSeal creates a detailed, up-to-date model of an organization’s entire network. By doing so, it highlights all potential data flow paths, including those that might be unintentionally left open or overlooked. 
  2. Visual representation of exfiltration paths: One of RedSeal’s standout features is its ability to visually represent every possible path out of a network, providing IT teams with a clear and intuitive view of how data might be siphoned out to better recognize and address vulnerabilities. 
  3. Highlighting vulnerable access points: Using its sophisticated analytics, RedSeal can pinpoint devices or access points within the network that are susceptible to breaches or have misconfigured settings, allowing for potential data exfiltration. 
  4. Prioritization based on risk: Not all vulnerabilities are equal. RedSeal’s platform ranks potential exfiltration paths based on risk, allowing prioritization of response and patching strategies. 
  5. Simulating attack paths: RedSeal can simulate potential attack vectors, allowing organizations to proactively understand and counteract the strategies that malicious actors might employ.

Understanding potential exfiltration paths is not just a cybersecurity best practice—it’s an organizational imperative. With threats growing in sophistication and number, tools like RedSeal are no longer optional but a necessity. By identifying and sealing off these potential exfiltration pathways, businesses can safeguard their data, reputation, and future. 

Custom Best Practice Check for Detecting Juniper Firewall Vulnerabilities

Name: Juniper Firewall Vulnerability Detection Description: This Custom Best Practice Check (CBPC) detects potential vulnerabilities in Juniper firewalls that could lead to unauthorized access and remote code execution.

Rule: Regex: ^ *web-management \{(\r?\n) *htt.*

 Explanation: This regular expression (regex) is designed to match specific configuration lines within a Juniper firewall’s configuration related to web management settings. It identifies lines that start with zero or more spaces, followed by the string “web-management {” and potentially followed by any characters related to HTTP settings.

 Purpose: Juniper firewalls are known to have vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) that can allow unauthenticated attackers to upload arbitrary files and potentially execute remote code. This CBPC aims to identify configurations related to web management, as attackers often exploit such configurations to gain unauthorized access and control over the device. Detecting such configurations will help security teams identify potential vulnerabilities and take appropriate action.


  1. Log in to the RedSeal platform.
  2. Navigate to the “Best Practices Checks” section.
  3. Create a new CBPC and give it a meaningful name and description.
  4. Copy and paste the provided regex (^ *web-management \{(\r?\n) *htt.*) into the “Rule” field.
  5. Save the CBPC and run it against the target Juniper firewall configurations.

 Outcome: When the CBPC is run against Juniper firewall configurations, it will identify any lines that match the provided regex pattern. If matches are found, it indicates potential vulnerabilities related to web management settings that might need further investigation and remediation.

***Please note that while this CBPC can help in identifying potential vulnerabilities, it’s important to have a thorough understanding of your network environment and configurations. Always perform additional assessments and validations to ensure accurate results.***

Vulnerabilities Overview:

  1. CVE-2023-36846 and CVE-2023-36847: Remote Code Execution via J-Web:These two vulnerabilities allow an unauthenticated attacker to exploit the affected Juniper firewall devices. By sending specially crafted requests to the devices, attackers can upload arbitrary files to the file system through the J-Web interface. This can lead to remote code execution and compromise the integrity and availability of the firewall and the network it protects.
  2. CVE-2023-36844 and CVE-2023-36845: Unauthorized Modification of PHP Environment Variables:These vulnerabilities enable an unauthenticated attacker to modify specific PHP environment variables on the vulnerable Juniper firewall devices. By exploiting these flaws, attackers can manipulate the behavior of the firewall’s PHP environment, potentially gaining unauthorized access and control over the device.

Potential Impact: Successful exploitation of these vulnerabilities could result in:

  • Unauthorized remote code execution, enabling attackers to compromise the firewall and the entire network.
  • Unauthorized access to the firewall’s PHP environment, leading to potential data breaches, network disruption, and unauthorized control over the device.

Additional Resources:

RedSeal will continue to monitor and test vulnerabilities, please check back for updated versions with additional refinements. Let’s discuss your concerns and how RedSeal can help, contact us today.

What the Rockwell Automation ThinServer Vulnerabilities Mean for Industrial Cybersecurity

The cybersecurity landscape is an ever-evolving domain with threats sprouting up constantly. The recent revelation concerning vulnerabilities in Rockwell Automation’s ThinManager ThinServer has highlighted the urgency for robust cybersecurity measures in the realm of industrial control systems (ICS).

Understanding the Rockwell Automation ThinServer Vulnerabilities

Rockwell Automation’s ThinManager ThinServer, a product designed for thin client and RDP server management, recently came under scrutiny after researchers from the cybersecurity firm Tenable discovered critical vulnerabilities. Classified as CVE-2023-2914, CVE-2023-2915, and CVE-2023-2917, these vulnerabilities center on improper input validation issues. They can potentially allow attackers, even without prior authentication, to induce a denial-of-service condition, delete, or upload files with system privileges.

What’s most alarming is that an attacker only needs access to the network hosting the vulnerable server for exploitation. This means that if the server is connected and exposed online – against the vendor’s best practices – it becomes susceptible to attacks directly from the internet.

The potential fallout from a successful exploitation? Complete control of the ThinServer. This presents an enormous risk, especially when considering the critical role of ICS in managing and overseeing essential industrial operations.

Enhancing Industrial Cybersecurity with RedSeal Capabilities

This backdrop brings to the fore the vital role of cybersecurity solutions like RedSeal. For existing and prospective customers, leveraging RedSeal’s capabilities can be the game-changer in fortifying their cybersecurity infrastructure.

  1. Network Visualization: RedSeal provides a detailed view of network architectures, including potential access paths. By visualizing these paths, organizations can understand how a potential attacker might navigate through their infrastructure, enabling them to take preventive measures.
  2. Risk Assessment: RedSeal’s platform assesses network risk, helping businesses identify vulnerabilities like the ones discovered in ThinManager ThinServer. By pinpointing these vulnerabilities early, proactive steps can be taken before they are exploited.
  3. Validation of Network Segmentation: Often, best practices dictate that sensitive servers, like ThinManager ThinServer, should be isolated from general network access. RedSeal can validate the effectiveness of this segmentation, ensuring that the server isn’t inadvertently exposed.
  4. Incident Response: In the unfortunate event of a breach, understanding the scope and the affected areas quickly is paramount. RedSeal’s capabilities assist in narrowing down affected segments, making response measures more targeted and effective.
  5. Continuous Monitoring: With RedSeal’s continuous monitoring, organizations can stay abreast of their network’s security posture. This ensures that as networks evolve and change, security measures evolve in tandem.
  6. Compliance Assurance: Adhering to industry standards and compliance requirements is a non-negotiable in the ICS space. RedSeal aids in ensuring that the cybersecurity measures in place align with the requisite standards, thus minimizing potential legal and reputational fallout.

In an era where cyber threats are pervasive and continuously evolving, relying on advanced cybersecurity solutions like RedSeal is no longer a luxury but a necessity. The vulnerabilities in Rockwell Automation’s ThinManager ThinServer underscore the fragility of ICS environments and the dire repercussions of lapses in cybersecurity measures. For businesses operating in the industrial domain, it’s essential to stay a step ahead. By leveraging the multifaceted capabilities of RedSeal, organizations can not only shield themselves from present vulnerabilities but also future-proof their operations against emerging threats. In the battle against cyber adversaries, being prepared and proactive is the key to victory.

The Unique Security Solution RedSeal Brings to Multi-Cloud and Hybrid Network Environments

One of the most significant benefits of implementing a multi-cloud strategy is the flexibility to use the right set of services to optimize opportunities and costs.

As public cloud service providers (CSPs) have evolved, they have started to excel in different areas. For example, programmers often prefer to use Azure because of its built-in development tools. However, they often want their apps to run in AWS to leverage the elastic cloud compute capability.

Adopting a multi-cloud strategy enables enterprises to benefit from this differentiation between providers and implement a “best of breed” model for the services that need to consume. They can also realize significant efficiencies, including cost-efficiency, by managing their cloud resources properly.

But multi-cloud solutions also bring their own challenges from administration to security. This can be especially challenging for organizations that don’t have deep experience and knowledge across all platforms and how they interconnect. It can sometimes seem like speaking a different language. For example, AWS has a term called VPC (virtual private cloud). Google Cloud Platform (GCP) uses that term, too but it means something different. In other cases, the reverse is true. The terminology is different but they do the same things.

Cloud provider solutions don’t always address the needs of hybrid multi-cloud deployments. Besides the terminology of AWS, Azure, GCP, Oracle’s OCI, IBM’s cloud, and others have different user interfaces. In a multi-cloud environment or hybrid environment, it can be far more difficult to secure than a single cloud.

Because of these challenges the need for a platform-independent solution that can understand all of the languages of each platform is needed to translate how your multi-cloud solutions are configured, interconnected, and help mitigate the risks.

How RedSeal Manages Multi-Cloud and Hybrid Cloud

At RedSeal, we provide the lingua franca (or bridge) for multi-cloud and on-premise networks. Security operations center (SOC) teams and DevOps get visibility into their entire network across vendors. RedSeal provides the roadmap for how the network looks and interconnects, so they can secure their entire IT infrastructure without having to be experts on every platform.

In most organizations using multi-cloud and hybrid cloud, however, network engineers and SOC teams are being asked to learn every cloud and on-prem resource and make sure they are all configured properly and secured. Many will deploy virtual cloud instances and use virtual firewalls, but as complexity rises, this becomes increasingly difficult to manage.

RedSeal is the only company that can monitor your connectivity across all of your platforms whether they are on-prem or in the cloud. This allows you to see network topology across all of your resources in one centralized platform.

Proactive Security

Proactive security is also complex. Most security offerings monitor in real-time to alert you when there’s an attack underway. That’s an important aspect of your security, but it also has a fundamental flaw. Once you recognize the problem, it’s already underway. It’s like calling 9-1-1 when you discover an emergency. Help is on the way, but the situation has already occurred.

Wouldn’t you like to know your security issues before an incident occurs?

RedSeal helps you identify potential security gaps in your network, so you can address them proactively. And, we can do it across your entire network.

Network Segmentation

Segmenting your network allows you to employ zero trust and application layer identity management to prevent lateral movement within your network. One of the most powerful things about RedSeal is that it provides the visibility you need to manage network segmentation.

It’s a simple concept, but it can also become incredibly complex — especially for larger companies.

If you’re a small business with 100 employees, segmentation may be easy. For example, you segment your CNC machine so employees don’t have admin rights to change configurations. In a mid-size or enterprise-level company, however, you can have an exponential number of connections and end-points. We’ve seen organizations with more than a million endpoints and connections that admins never even knew existed.

It’s only gotten more complex with distributed workforces, remote workers, hybrid work environments, and more third-party providers.

RedSeal can map it all and help you provide micro-segmentation for both east-west and north-south traffic.

Vulnerability Prioritization

Another area where RedSeal excels is by adding context to network vulnerability management. This allows you to perform true risk-based assessments and prioritization from your scanners. RedSeal calculates vulnerability risk scores that account for not only severity and asset value but also downstream risk based on the accessibility of vulnerable downstream assets.

In many cases, RedSeal uncovers downstream assets that organizations didn’t know were connected or vulnerable. These connections provided open threat surfaces, but never showed up in alert logs or only as low-to-medium risks. So, SOC teams already overwhelmed with managing critical and high-risk alerts may never get to these hidden connections. Yet, the potential damage from threat actors exploiting these connections could be even greater than what showed up as high risk.

RedSeal shows you the complete pictures and helps you prioritize vulnerabilities so you can focus on the highest risks in your unique environment.

Play at Your Best

In the late ’90s, world chess champion Garry Kasparov faced off against Deep Blue, an IBM supercomputer, in a six-game exhibition. Kasparov won the first match. Deep Blue won the second and the next three ended in draws. When Deep Blue won the final match and secured the overall victory, Kasparov was asked to concede that the best chess player in the world is now a computer.

Kasparov responded by saying that people were asking the wrong question. The question isn’t about whether the computer is better, but rather how do you play the best game of chess? Kasparov believes he lost not because the computer was better, but because he failed to perform at his best and see all of the gaps in his play.

You can’t afford to make mistakes in your security and beat yourself. By understanding your entire network infrastructure and identifying security gaps, you can take proactive measures to perform at your best.

RedSeal is the best move for a secure environment.

Learn more about how we can help protect your multi-cloud and hybrid cloud environments. Contact RedSeal today.

The Network Dimension in Vulnerability Management

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) third control for implementing a cybersecurity program is to practice continuous vulnerability management. Organizations that identify and remediate vulnerabilities on an on-going basis will significantly reduce the window of opportunity for attackers. This third control assumes you’ve implemented the first two CIS framework controls — understanding both the hardware that makes up your infrastructure and the software that runs on that infrastructure.

The first two controls are important to your vulnerability management program. When you know what hardware assets you have, you can validate that you’re scanning all of them for vulnerabilities. As you update your IT inventory, you can include new assets in the scanning cycle and remove assets that no longer need to be scanned. And, when you know what software run on your infrastructure, you can understand which assets are more important. An asset’s importance is key to identifying what should be remediated first.

Most vulnerability scanning platforms allow you to rank the importance of systems being scanned. They prioritize vulnerabilities by applying the CVSS (Common Vulnerability Scoring System) score for each vulnerability on an asset and couple it with the asset’s importance to develop a risk score.

The dimension missing from this risk scoring process is understanding if attackers can reach the asset to compromise it. Although you are remediating vulnerabilities, you can still be vulnerable to attacks if what you’re remediating isn’t accessible by an attacker. It may be protected by firewalls and other network security measures. Knowledge of the network security controls already deployed would allow the vulnerability management program to improve its prioritization efforts to focus on high value assets with exposed vulnerabilities that can be reached from an attacker’s location.

Other vulnerability scanning and risk rating platforms use threat management data to augment their vulnerability risk scoring process. While threat management data (exploits actively in use across the world) adds value, it doesn’t incorporate the network accessibility dimension into evaluating that risk.

As you work to improve your vulnerability management program, it’s best to use all the information available to focus remediation efforts. Beyond CVSS scores, the following elements can improve most programs:

  • Information from network teams on new and removed subnets (IP address spaces) to make sure that all areas of the infrastructure are being scanned.
  • Information from systems teams on which systems are most important to your organization.
  • Including network information in the risk scoring process to determine if these systems are open to compromise.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for meeting your vulnerability management goals by providing network context to existing vulnerability scanning information. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.

Finding Devices Vulnerable and Exposed to CVE-2018-0101 with RedSeal


Cisco has disclosed a critical CVSS 10 vulnerability in ASA that can allow an uncredentialled user to take over the vulnerable device and change access rules. RedSeal has published a custom best practice check for customers to detect vulnerable devices that have the offending service (WebVPN) enabled.

Quick Links:

What is it?

On January 29th, 2018, Cisco disclosed a critical vulnerability (CVE-2018-0101: Cisco Advisory, NVD Link) in the Cisco ASA software that runs on Cisco firewalls and other network devices. On January 30th, the advisory was updated to reflect the newly issues severity score of CVSS 10 – the highest possible score. The vulnerability is in the WebVPN feature of ASA. An uncredentialled attacker with access to the WebVPN portal can exploit the vulnerability to take over the device and execute arbitrary code, or force the device to restart.

What is the impact?

This WebVPN service is often exposed on firewalls, particularly on edge devices mediating access from untrusted networks into organization’s private networks. A successful exploit of this vulnerability can allow the attacker to take over the device, changing any routing or access rules on it to open access from untrusted networks leading to infiltration of the corporate network. Alternatively, the exploited device can be forced to restart resulting in a denial of service for anyone that depends on access which goes through the device.

Impacted Devices:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

Mitigation and Remediation – How can RedSeal help?

Cisco is currently rolling out patches to the impacted devices. RedSeal has developed a custom best practice check and made it freely available to customers to quickly identify vulnerable devices anywhere on their network with the WebVPN service enabled. This CBPC can be manually imported into RedSeal to quickly and accurately identify which devices are vulnerable and in need of patching or other mitigation.

Being Digitally Resilient in the Face of HIDDEN COBRA

Watch Video: RedSeal and Hidden Cobra Overview, Use Cases and Demo


On November 17th, the United States Computer Emergency Ready Team (US-CERT), in conjunction with the FBI, released a pair of advisories about the North Korean hacking and espionage campaign code named HIDDEN COBRA. The latest advisories describe two pieces of malware called Volgmer and FALLCHILL, which have been actively used to attack enterprises and other commercial entities in the US. Since 2013, organizations in the aerospace, telecommunications, and finance industries have been targeted with spear phishing campaigns.

The US-CERT advisories provide both a detailed analysis of how the underlying malware packages function as well as the detection signatures and the observed IP addresses of the command and control (C2) infrastructure. This data can be used to detect the malware on your network and sever access to its controllers (Volgmer C2 IP Addresses: CSV STIX; FALL CHILL C2 IP addresses: CSV STIX). US-CERT’s previous HIDDEN COBRA advisories from June also reveal several vulnerabilities (CVEs) that North Korean threat actors are known to target and exploit.

This article will describe how the Volgmer and FALLCHILL malware operate, what they target, how they infect those targets, the potential impacts of these infections, and effective mitigation and remediation strategies to protect your enterprise.

Summary of Suggested Actions:

  1. Identify and eliminate outbound network traffic to the C2 infrastructure.
  2. Perform a risk-based prioritization of vulnerabilities to patch on accessible and high-risk endpoints
  3. Run RedSeal’s incident response query to efficiently isolate and contain any observed indicators of compromise.

About the Volgmer and FALLCHILL Malware

Both malware packages are Windows binaries consisting of executable files and DLL counterparts able to be run as a Windows service. The primary method of attack has been through targeted spear phishing campaigns that trick victims into opening malicious attachments or clicking links leading to malicious websites exploiting browser-based vulnerabilities.


The Volgmer package contains four distinct modules, a “dropper”, two remote administration tools (RATs), and a botnet controller.

  • The Volgmer dropper, a Windows executable, creates a Windows registry key containing the IP address of external C2 servers. It then installs its payload (either a RAT or the botnet controller), achieving stealthy persistence by overwriting an existing Windows service DLL with the payload. Finally, it can clean up after itself and remove all traces.
  • The RAT payload, after achieving persistence on the infected Windows machine, communicates back to its C2 infrastructure over ports 8080 or 8088. The RAT enables the attacker to take over the infected computer, executing arbitrary code and exfiltrating data.
  • The botnet controller can direct the activity of other compromised computers to orchestrate DDoS attacks.


The FALLCHILL malware is a remote administration tool demonstrating a heightened degree of sophistication in its ability to remain hidden, as well as an advanced communication mechanism with its C2 infrastructure. FALLCHILL masquerades as a legitimate Windows service randomizing across seemingly innocuous service names. It generates fake TLS traffic over port 443, hiding the C2 commands and communications in the TLS packet headers, which then get routed through a network of proxy servers.

Figure 1: US-CERT visualization of how FALLCHILL communicates with HIDDEN COBRA threat actors


How the Malware Spreads and Impact of Infection

Although both malware packages are primarily distributed via targeted spear phishing campaigns, they have also been observed on malicious websites. This increases the chances for opportunistic drive-by-download infections. These targeted attacks have been seen in the US aerospace, telecommunications, and financial services.

A successful infection will result in the HIDDEN COBRA threat actors having persistent access to and control over compromised computers. The remote administration tools allow them to modify the local file system, upload files, execute files or any arbitrary code, as well as download anything on the file system. The result is that attackers will have a hidden backdoor to your system and can execute any arbitrary code. Thus, in addition to being able to exfiltrate local files such as documents directories or Outlook databases, the infection establishes a beachhead into the rest of the network from which future breaches can be staged.

General Mitigation Advice

Enterprise security organizations can take several steps to mitigate the risk of a successful spear phishing or drive-by-download infection. In the past few years, attackers have, with increasing frequency targeted end user workstations to exfiltrate local data and establish a beachhead into the rest of the corporate network. As a result, it is increasingly important to expand vulnerability management programs to include regular scans of workstations and laptops followed by timely patching of any discovered vulnerabilities. Employees, particularly executives and those exposed to sensitive or proprietary data, should be trained on practicing good email hygiene and being vigilant for possible phishing attacks. User workstations should be configured according to the principle of least privilege, avoiding local administrator level access where possible. Additionally, the US-CERT also advises limiting the applications allowed to execute on a host to an approved whitelist, to prevent malware masquerading as legitimate software.

RedSeal Can Increase Resilience and Decrease Risk

RedSeal users can decrease their risk of exposure by identifying, closing, and monitoring access from their networks to the HIDDEN COBRA C2 infrastructure. Moreover, in the event of a detected IOC, RedSeal allows you to accelerate incident investigation and containment to mitigate the impact of an infection.

1. Identify and close any existing outbound access to the C2 infrastructure

The first step is to make sure you eliminate or minimize outbound access from your networks to the HIDDEN COBRA C2 infrastructure. Since the C2 IP addresses point at proxies across the world that relay commands and data to and from the threat actors, many are associated with legitimate entities whose servers have been exploited, or commercial hosting providers whose servers have been rented. To locate access from the inside of your network to any given C2 address from the advisory, use RedSeal’s security intelligence center to perform an access query from an internal region to the internet, and in the IPs filter box, enter the IP address from the US-CERT data.


Figure 2: Running an Access Query from the Security Intelligence Center from internal to C2 Infrastructure


Figure 3: Access query results shown on map, showing existing access from internal assets to external THREAT COBRA infrastructure


With the results of the access query, the next step is to create additional controls such as firewall or routing rules to block access to the relevant IP address at your perimeter. To decide where to introduce such controls, you can run a RedSeal detailed path query to generate a visual traceroute of the offending access path(s) and identify which devices are along those paths and can be used to close access.


Figure 4: Detailed Path result identifying all network devices and relevant config locations mediating access from an internal asset to the HIDDEN COBRA infrastructure


2. Verify vulnerability scan coverage and perform a risk-based prioritization of vulnerabilities

The HIDDEN COBRA campaign has been known to use a set of five CVEs (CVE-2015-6585; CVE-2015-8651; CVE-2016-0034; CVE-2016-1019; CVE-2016-4117) as the vector for infection. These CVEs include several browser-based vulnerabilities for the Adobe Flash and Microsoft Silverlight plugins as well as a Korean word processing application. It is important to note that while these are the vulnerabilities known to be targeted in the wild to deliver Volgmer or FALLCHILL, any known or unknown Windows-based vulnerability that allows arbitrary code execution and/or privilege escalation can be used as part of a future spear phishing campaign. While it is crucial to locate and remediate the above CVEs first, it is important to perform a vulnerability scan of user workstations for all such vulnerabilities, not just the five enumerated ones.


Figure 5: Using the Security Intelligence Center to execute a Threat Query to reveal which vulnerable assets are directly exploitable from the Internet


After importing the results of a vulnerability scan, vulnerability managers can first verify whether the scanner’s coverage was complete and identify any areas on the network missed by the scanner. This is accomplished by looking for all “Unscanned Subnets” model issues (MI-7) within your RedSeal model. A subsequent detailed path query from the scanner to the unscanned subnet will reveal whether and why access is blocked.

Next, you can perform a risk-based prioritization of the vulnerable hosts to ensure that the highest risk vulnerabilities are remediated first. The CVEs known to be actively exploited by the HIDDEN COBRA threat actors should be patched or otherwise mitigated first. A good start is to target the vulnerabilities that are on hosts that are accessible from untrusted networks, such as the Internet or a vendor’s network.

Since the malware attempts to establish a hidden Windows service with RAT capabilities, the next vulnerabilities to target for remediation are those that are directly or indirectly accessible and exploitable from any potentially compromised host. To find them, a RedSeal threat query can reveal all vulnerable hosts exploitable from a compromised endpoint on your network.


Figure 6: Visual results showing direct (red) and indirect (yellow) threats to the rest of the enterprise from a compromised host.


Figure 7: Threat Query results identifying vulnerable hosts threatened by the compromised endpoint

3. Investigate and contain existing IOCs

Finally, you can achieve greater resilience by accelerating your response to detected indicators of compromise and contain compromised systems while working to eliminate the infection. UC-CERT released several detection signatures to identify potentially compromised systems. By leveraging RedSeal’s incident response query directly or from our integrations with major SIEMs like QRadar, ArcSight, and Splunk, you can quickly assess the potential impact of a compromise and identify the mitigating controls necessary to isolate and contain it. The query allows incident responders to rapidly discover and prioritize by value all assets that are accessible from the vulnerable endpoint. A subsequent detailed path query between the vulnerable endpoint and a downstream critical asset will reveal all network devices mediating access and where controls such as firewall rules can be deployed to reduce downstream risk.


Figure 8: Incident Response query showing accessible groups and assets from the source of an indicator of compromise



The HIDDEN COBRA campaign is sophisticated, recently showing increases in intensity and variety of methods used. Defenders need to be resilient to minimize enterprise risk, efficiently mitigate damage, and recover from a successful compromise.  RedSeal can help you achieve resilience in the face of these changing threats — by assessing ways to block outbound access to C2 nodes, by locating vulnerable and high risk internal machines, and by speeding the investigation of any detected indicators of compromise.


Vulnerabilities: The Weeds of Your Digital Terrain

RedSeal Blog - Vulnerabilities - The Weeds of Your Digital Terrain

In the warmer months when I’m not traveling I often get up early and wander my property pulling and spraying weeds. This is an endless and thankless task, yet a necessary evil to preserve my investment and maintain appearances. I am amazed how quickly weeds grow and by the places they find purchase. In just a few days, given the right conditions whole beds can be overtaken.

A few days ago I was meandering about my yard wondering why I don’t have a gardener when it struck me. My own personal battle for yard supremacy provides a great parallel to the efforts of cybersecurity professionals. It occurred to me that vulnerabilities are the weeds of the digital terrain. They are constantly popping up in the strangest places; you can never seem to get them all; and they can quickly get out of hand if you let your attention slip.

Just like weeds, all vulnerabilities are not created equal. Their type, and more importantly their location, are factors we need to consider. The poison ivy at the far end of the property where no one goes is a concern, but far less of one than the poison ivy on the kids’ play set. In the digital terrain, this is the equivalent of vulnerabilities on assets that don’t provide access to critical data verses those that do — whether directly or via pivot attacks. So, it’s not the type of vulnerability that’s important, it’s the exposure that vulnerability delivers to critical resources that is the true cause of risk. The common practice of focusing on CAT1 vulnerabilities is inherently flawed, since the severity of the vulnerability has little to do with the risk it causes for the organization.

People have been fighting weeds since the first crops were sown sometime around 9000 BC. We know weeds and have developed many tools to fight them, yet they persist. We pull them, spray them and set up lines of defense for them to cross. Sound familiar? This is akin to patching, firewalls, and micro segmentation.

I’m making two points here: first and most importantly I need a gardener, but also it is worth reminding ourselves that vulnerabilities aren’t going away anytime soon. Regardless of how much effort you put in, you’ll never have the necessary resources to patch them all. A better strategy is to prioritize what you patch based on the actual risk it causes for your organization. A CAT1 vulnerability isolated by firewall rules provides little risk, but that CAT3 vulnerability exposed directly to the internet may provide a beachhead that exposes your most important data and systems. To quote the old adage, we need to work smarter not harder. For cyber, that means moving from a patch-based methodology to one that focuses on risk.