State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.

State-sponsored threat actors from Russia and China continue to throttle the remote code execution (RCE) WinRAR vulnerability in unpatched systems to deliver malware to targets.

Researchers at Google's Threat Analysis Group (TAG) have been tracking attacks in recent weeks that exploit CVE-2023-38831 to deliver infostealers and backdoor malware, particularly to organizations in Ukraine and Papua New Guinea. The flaw is a known and patched vulnerability in RarLab's popular WinRAR file archiver tool for Windows, but systems that haven't been updated remain vulnerable.

"TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations," Kate Morgan from Google TAG wrote in a blog post.

Russia-backed advanced persistent threat (APT) groups are the primary perpetrators of the latest attacks on WinRAR, according to Google TAG. On Sept. 6, Sandworm launched an email campaign impersonating a Ukrainian drone warfare training school using an invitation to join the school as a lure.

The infamous APT28 (aka Frozenlake, Fancy Bear, Strontium, or Sednit), another Russia-backed group, also used the flaw to deliver malware, which was targeting energy infrastructure in Ukraine via a phishing campaign that used a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine.

Meanwhile, a phishing campaign from China-backed group IslandDreams (APT40) delivered infostealers to users in Papua New Guinea.

RarLab issued a beta patch for the issue on July 20 and an updated version of WinRAR (version 6.23) on Aug. 2, but many systems remain vulnerable and thus ripe for exploitation, Morgan noted. "After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage," she wrote.

**Exploiting the WinRAR Flaw**

Group-IB discovered CVE-2023-38831 — a logical vulnerability within WinRAR — in July. However, APT groups already had been exploiting the flaw as a zero-day bug since April — including one by the Russia-backed threat group Evilnum that used weaponized ZIP files to target cryptocurrency traders.

The potential to exploit the flaw comes when the temporary file expansion, during archive processing, is combined with a quirk in the implementation of Windows ShellExecute when attempting to open a file with an extension containing spaces, according to Google TAG.

"The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive," Morgan wrote.

Later, mere hours after Group-IB posted its blog post outlining its discovery and analysis of the flaw, proof-of-concept exploits (PoCs) — including fake ones — and exploit generators appeared on public GitHub repositories. These fueled further and ongoing attacks on vulnerable systems.

**Latest WinRAR Targeting**

In the Sandworm attack, the messages included a link to an anonymous file-sharing service, fex\[.\]net, which, in turn, delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831. The file's payload was Rhadamanthys, a commodity infostealer that can exfiltrate, among other things, browser credentials and session information. Google TAG noted that use of commodity malware is not typical of Sandworm.

Meanwhile, Google TAG observed APT28 using a free hosting provider to serve an initial page that redirected users to a mockbin site to perform browser checks, and then yet again to another stage, which would ensure the visitor was coming from an IPv4 address in Ukraine. At this point the user would be prompted to download a file containing a CVE-2023-38831 exploit.

In late July and early August, the researchers also observed an APT28 attack that dropped the PowerShell script IronJaw, which steals browser login data and local state directories. The attack vector — which drops a BAT file that opens a decoy PDF file and creates a reverse SSH shell to an attacker-controlled IP address — was a new addition to the APT's toolkit, according to Google TAG.

Google TAG has linked a fourth recent WinRAR attack to China-backed IslandDreams — which also is tracked as Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp — through a phishing campaign in late August that targeted users in Papua New Guinea. The phishing emails included a Dropbox link to a ZIP archive containing a CVE-2023-38831 exploit in the form of a password-protected decoy PDF and an LNK file, which led to a next-stage payload known as Islandstager.

The Islandstager payload executes and decodes several layers of shellcode, the last of which loads and executes the final payload, BOXRAT, a .NET backdoor that uses Dropbox API as a command-and-control mechanism.

**Problematic Patching Delays**

Google TAG included indicators of compromise (IOCs) for the various attack scenarios to help users identify if their system is being exploited.

In the meantime, WinRAR users are urged to update their systems if they haven't already, as the campaigns highlight yet again the importance of timely patching — something that still seems to be a global challenge for software users, Morgan noted.

"These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date," she wrote.

Patch Now: APTs Continue to Pummel WinRAR Bug

The state-sponsored threat actors (aka APT34, Crambus, Helix Kitten, or OilRig) spent months seemingly taking whatever government data they wished, using never-before-seen tools.

The Iranian state-aligned advanced persistent threat (APT) known as MuddyWater used an arsenal of new custom malware tools to spy on an unnamed Middle Eastern government for eight months, in just the latest of its many campaigns in the region.

That's according to Symantec, which describes a, at times, daily effort to steal sensitive government data by MuddyWater, which Symantec tracks as "Crambus." The group is also known variously as APT34, Helix Kitten, and OilRig. 

Despite penetrating a dozen computers, deploying half a dozen different hacking tools, and stealing passwords and files, the campaign managed to stay under the radar, lasting from February until September before being disrupted.

"They accessed quite a broad range of computers on the network, so it seems to be a more general attack, rather than going after anything specific," assesses Dick O'Brien, principal intelligence analyst for Symantec.

**MuddyWater's Malware Arsenal**

MuddyWater's latest campaign began on Feb. 1, when an unknown PowerShell script was executed from a suspicious directory on a targeted machine.

In the months that followed, the group deployed four custom malware tools, three previously unknown to the cybersecurity community.

First there's Backdoor.Tokel, for downloading files and executing arbitrary PowerShell commands. Trojan.Dirps is also used for PowerShell commands, and enumerating files in a directory. Infostealer.Clipog is, as the name would suggest, infostealer malware capable of keylogging, logging processes where keystrokes are entered, and copying clipboard data.

Finally there's Backdoor.PowerExchange, discovered but not specifically attributed to MuddyWater back in May. The PowerShell-based tool logs into Microsoft Exchange Servers with hardcoded credentials, using them for command-and-control (C2), and monitoring for emails sent by the attackers. Mail with "@@" in the subject line conceal instructions for writing and stealing files, or executing arbitrary PowerShell commands.

Alongside its own weaponry, MuddyWater also utilized two popular open source hacking tools: Mimikatz for credential dumping, and Plink for remote shell capabilities.

According to O'Brien, the group's months long staying power can be attributed to its choice of weaponry:

"If you introduce new tools, and if you're using legitimate tools, there are no automatic red flags. \[As an analyst\] you kind of have to wait until there's a notification of potentially malicious activity, and start pulling the threads from there."

**MuddyWater Is Back**

MuddyWater has been around since at least 2014, according to Mandiant. A few years back, though, it was written off. "Crambus was one of those groups that we thought might go away because they were heavily exposed in a leak, seemingly by a former contractor or team member," O'Brien points out.

Now, he adds, "they're definitely back."

Over the years, its spying campaigns have spread throughout most of the Middle East – Saudi Arabia, Israel, Turkey, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, and the United Arab Emirates (as well as the United States) – touching the financial, energy, telecommunications, chemical, government, and critical infrastructure sectors. The APT has been the subject of US sanctions for its cyber espionage activity; and most recently, that activity has included cyberattacks on Saudi Arabia that featured another fresh malware, known as Menorah; and a supply chain attack on the UAE.

Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months

It's time to build a culture of privacy, one that businesses uphold.

We live in an exposed world — particularly when dealing with our digital presence. People have become desensitized to the transactional nature of exchanging pieces of themselves for access.

Availability to new accounts, social media platforms, educational opportunities, professional forums, and nearly every need and want that exists on the Internet demands an exchange of personal data.

Big data has discovered the keys to the kingdom, and they come in the form of your personal information.

**A Sense of Powerlessness When It Comes to Preserving Privacy**

The data trade has grown into a multibillion-dollar industry. It's a juggernaut that is constantly hurtling toward new profit margins, often at the expense of personal privacy. And one of the most disconcerting aspects of this concept is the public's often lackadaisical response.

What we've discovered is that it's not that people don't care; it's simply that they're existing in a state of information overload that lends itself to decision paralysis. They know that their privacy is being violated, but feel powerless in the face of well-oiled data brokers. The ability to take back control of their information seems just out of reach, especially with new ways to harvest data taking shape with such frequency.

After conducting a 2,000-person consumer privacy survey, we discovered that 50% of respondents would take more privacy action if they had better tools and 44% if they had a better understanding of what happens to their data once it is shared. The survey also revealed the extreme responsibility individuals feel to maintain their privacy, with 81% saying that they hold themselves most accountable to protect their personal information even after it has been shared.

These insights help us understand that to change the privacy landscape as we currently know it, we must unite in aggressive consumer education and advocacy to support actions that can drive new approaches to privacy.

**Education Requires a Collaborative Effort**

As generations of people begin growing up with constant access to the Internet, we're seeing more of the consequences associated with data sharing. Much like new medications that often don't initially display side-effects, we're starting to clearly feel the side-effects of the public presence of our personal information.

Data breaches feel commonplace — because they are. Nearly 422 million (more than the population of the United States) people were impacted by some form of breach in 2022. Yet, the response within the US is usually to wait and see what happens, maybe put a freeze on credit, or sign up for an activity-monitoring program.

**Personal, Organizational, and Systemic Advocacy Is Needed**

There's a certain culture of reactiveness rather than proactiveness when it comes to a violation of our personal privacy.

To activate change, there must be a collaborative effort between consumers, government agencies, and companies. New legislation has been moving forward, and the public has seen companies like Meta being held accountable for data violations. However, the missing piece is a culture of privacy that is founded and upheld by both established and emerging businesses.

People can take control over what they share, but as long as it comes at the cost of access, they'll continue to feel pressured to provide personal information. With this system of exchange still in place, consumers will have a difficult time advocating for themselves in meaningful ways.

Privacy as a human right is a social movement that all entities need to embrace and support through action. Only in doing this can we truly empower people to take control of their data in a lasting and meaningful way.

The Trifecta of Consumer Data Privacy: Education, Advocacy & Accountability

Should CISOs include only known information in the SEC filings for a material security incident, or is there room to include details that may change during the investigation?

As enterprises continue to weigh which security incidents constitute something material enough to be reported under the Securities and Exchange Commission's (SEC) new rules, CISOs face the challenge of deciding which details to report and, far more critically, which ones to omit.

"This \[SEC\] rule puts CISOs in a very delicate position, and they are not being given a lot of guidance or direction," says Merritt Maxim, a Forrester VP and research director. "You know you've been compromised, but you don't have all the facts on day one."

In the case of a material incident, the CISO, along with the security operations center, would have to prepare a memo with all of the incident details and send it to investor relations and legal. Once those departments have reviewed it, the memo would be used to prepare the filing for the SEC.

Although the new SEC rules take effect Dec. 18, CISOs can already look at the disclosures from three enterprises — Caesars, MGM, and two filings from Clorox — to get an idea of how to comply.:

Since the filings deal with very different incidents, it makes sense that the details contained are also very different. However, the filings are consistent in that they focus on what is known and avoid speculations and predictions. The filings do not share any details that are likely to change either.

**Competing Obligations**

CISOs are simultaneously juggling three competing objectives:

*   **Report as much as you can.** Legally, the goal is to share as much information as possible with investors and potential investors.
*   **Report as little as you can.** From a cybersecurity perspective, the goal is to tell potential attackers as little about your threat landscape and your defenses as possible, especially when the attack has not yet been fully contained.
*   **Report only what you are confident about.** Most initial details are wrong, and reports are repeatedly updated as the days, weeks, and months go by. That raises a thorny question: Is the enterprise obligated to disclose information that they consider to be — initially, at least — of very low reliability?

"Only report what you know by 80% to 90% certainty," says Dirk Hodgson, CISO of NTT Australia. "A few days into an incident, you are simply not going to know a great deal. You still are likely not even close to the point of having surveyed your entire global environment."

Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, stresses that choosing which security incident details are material can be challenging. It's one thing to conclude that the incident is material, he says, but selecting which specific details are relevant and meaningful for the investing public is quite different.

"Most enterprises have no idea what impact cyber operations will eventually have on their businesses," Brush says.

Clorox's SEC filings illustrate the "report what you are confident about" point well, says Phil Neray, vice president of cyber defense strategy at Gem Security. The organization "properly walked a fine line between saying what they knew and making basic estimates about how long it would take to restore operations," he says.

Disclosures should be kept simple and to the facts, agrees Rex Booth, CISO of SailPoint.

"Keep it at a super summary level \[to\] things that are tangible and measurable: which operations were interrupted, which systems were compromised," he says. "Talk about observed impact and not causation. And say that 'we will continue to investigate with outside entities.'"

**What You Don't Have to Say**

Another important element is whether the information is truly going to be of any actionable value to shareholders and potential investors. The value of revealing a specific vulnerability needs to be balanced with the potential of providing attackers with more information that they can use against you, Booth advises.

CISOs must also be aware of what details are already public. In the Caesars and MGM incidents, for example, more information was available via social media than from the filings, such as the fact that guests staying at the two casinos were unable to get into their rooms. That's the kind of detail you can't keep secret, even if you want to.

While it makes sense to report only confirmed details, that advice may not necessarily always be the right call. "On the one hand, you do have to make a judgment on the material of the information," says Naj Adib, a risk and financial principal for cyber and strategic risk at Deloitte. "But your obligation is to disclose."

CISOs should separate what happened from what the organization is going to do about it, Adib says. "There is no requirement to go out and discuss remediation," he adds.

**Higher Profile for Breaches**

From a practical perspective, nothing has changed regarding what has to be reported; the SEC has always required every publicly held company to report anything material to the SEC. The change is about timing — within four days — and the emphasis being placed on the disclosures. The fact that the SEC now has a document dedicated just to reporting cybersecurity incidents will bring incidents front and center with every board of directors and, therefore, with every CEO and CFO.

"This will lead to far more internal attention. This is no longer a line buried in hundreds of thousands of lines in a 10K," Booth says.

CISOs should also bring corporate counsel or outside legal advisers into the disclosure discussions and decisions, says Accel's Brush. This action brings necessary legal advice into the discussion and protects the conversations from being legally discoverable due to attorney-client privilege.

"The CISO's communications with the inside security team are all potentially discoverable," Brush says. With a lawyer present and thus protected, he adds, "As you are preparing your final statement, you can have open and frank discussions."

What CISOs Should Exclude From SEC Cybersecurity Filings

The router specialist says the attacker's claims to have heisted millions and millions of records are significantly overblown. But an incident did happen, stemming from a successful phish.

Taiwan-based network equipment vendor D-Link this week confirmed that it was the victim of a recent data breach, but dismissed the seeming perpetrator's claims about the severity of the incident as inaccurate and exaggerated.

On Oct. 1, an individual using the handle "succumb" claimed on the BreachForums online community for cybercriminals about having breached the internal network of D-Link in Taiwan. The individual claimed to have exfiltrated some 3 million lines of customer information and source code pertaining to D-Link's D-View network management software.

The self-proclaimed hacker's post identified the stolen data as including names, emails and physical addresses, phone number, and company information on D-Link's customers. 

"This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company," the hacker's BreachForum post went on to add.

**Nowhere Near in Scale As Hacker's Claims?**

According to D-Link, an investigation of the incident that it conducted with its internal team and with experts from Trend Micro showed that while a breach happened, it was nowhere near the scale the hacker portrayed on BreachForums.

For one thing, D-Link said the data that the hacker obtained was outdated, and did not contain any personally identifiable information (PII) or financial data. The number of records that the attacker appeared to have accessed was also just 700 or so — not remotely near the 3 million records the hacker claimed.

Available evidence suggests that the intruder most likely exfiltrated "archaic" registration related data from a D-View system that reached end of life in 2015, D-Link claimed. None of the records that the hacker obtained appear to be currently active. "However, some low-sensitivity and semi-public information, such as contact names or office email addresses, were indicated," D-Link said.

D-Link said it believes the attacker gained access to the "long-unused and outdated data" via a successful phishing attack on one of its employees." 

Following the incident D-Link noted that it has reviewed its access control mechanisms and will implement additional controls as necessary to mitigate against similar threats. "D-Link believes current customers are unlikely to be affected by this incident. However, please get in touch with local customer service for more information if anyone has concerns," the company advised.

**Signal Breach Claims: A Similar Incident in Recent Days**

The incident is the second in recent days where a company has been forced to initiate a review of its security measures, after a breach claim that turned out to be false of exaggerated. 

Earlier this week, the security team at Signal had to respond to rumors about an alleged zero-day vulnerability in the secure messaging service that allowed for full device takeover. After what the company described as a "responsible investigation" of the claims, it determined the claim was just a viral rumor. 

"We have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels," Signal said on X (formerly known as Twitter). As part of its verification efforts, Signal said it checked with people across the US government to see if anyone had encountered issues with the service.

In D-Link's case, the hacker's claims prompted an immediate shut down of servers that its security team thought might be relevant. 

"We blocked user accounts on the live systems, retaining only two maintenance accounts to investigate any signs of intrusion further," the company said. The company also scoured its software test lab systems to determine if any sensitive data had leaked into the environment. During the process, D-Link's security team disconnected the test lab from the company's corporate network.

D-Link Confirms Breach, Rebuts Hacker's Claims About Scope

The sensitive nature of medical records, combined with providers' focus on patient care, make small doctor's offices ideal targets for  cyber extortion.

Cybercriminals are stealing medical records from plastic surgery offices to extort doctors and patients.

On Oct. 17, the FBI published a rather bespoke public service announcement aimed at plastic surgery providers, indicating that hackers have been targeting their industry specifically. Their idea, it seems, is to capitalize on the sensitive nature of these procedures, threatening to publish personal information and explicit photographs in order to get both providers and their patients to pay up.

In the last several months, plastic surgery providers have reported data breaches in California and South Dakota. The trend extends beyond US borders, as plastic surgeons in Brazil and the UK have been hit in recent years with ransomware extortion as well.

It's only the latest evidence of a much broader, deeper issue in healthcare cybersecurity.

"There was a time when malicious actors would 'take it easy' on healthcare providers," says Shawn Surber, senior director of technical account management at Tanium. "However, in the last couple of years, that type of behavior has changed and more healthcare accounts are coming under full attack."

**Plastic Surgery Cyberattacks**

As Surber points out, "targeting plastic surgeons and their patients makes a lot of financial sense. Plastic surgery is a lucrative and largely pay upfront business. This means that both the surgeon and patients generally have significant disposable income and are interested in protecting their privacy more against embarrassment than concerns about identity theft."

Then, there are the issues that plague any independent practice. "They're small offices with limited, usually contracted IT support, and they often partner with private surgery centers who have similar limitations. This means that the physician and the surgery center are also potentially communicating outside of traditionally secure channels — like using personal or Web-based email, for example — creating further opportunities for malicious actors to intercept data, credentials, and intelligence."

Hackers are taking advantage of all of these security shortcomings, with what the FBI is characterizing as three-phase attacks.

First, the attackers conduct phishing attacks, deploying malware for the purposes of harvesting sensitive patient information and photos.

Next, they "enhance" the data they've collected by pulling more information about patients from social media, or via further social engineering.

With everything they need in-hand, the attackers contact both patients and their providers, requesting payment in exchange for not sharing the harvested data online. This is where the data "enhancement" comes into play. Beyond publishing the data to a public-facing website to exert extra pressure on victims, the attackers share some of the data with family, friends, and colleagues, promising to stop only once they've been paid.

**How Doctors and Patients Can Defend Themselves**

In its advisory, the FBI offered a few security tips for patients, including practicing good password hygiene, monitoring for suspicious bank account activity, and applying strict privacy settings on social media accounts, to prevent unknown individuals from learning more about you or even posting to your page.

For providers, on the other hand, a few helpful tips won't be sufficient.

"Unfortunately, their infrastructure remains weaker and less cohesive than that of other industries. Add to that the accelerating mergers and acquisitions process in order to keep health systems afloat, and it's become the perfect hunting ground for malicious attackers," Surber laments.

And as bad as extortion is, cyberattackers with the same kind of access to health systems can also do far worse, putting lives at risk by infecting critical devices or otherwise shutting down entire systems.

In lieu of better protections, more stringent regulations, or more funding, Surber offers one potential direction for the industry to pursue.

"I'm of the opinion that healthcare providers need to be more organized into a critical infrastructure working group, with standards of security and group pricing available to them in a managed service model," he suggests. "It certainly won't be a cheap solution, as there are tens of thousands of providers in the US alone. But perhaps if they were all working together effectively, we could see our way to a future where they're not alone and vulnerable. A future where their systems are maintained and updated continuously, and they're alerted as things happen rather than when they get an extortion demand."

FBI: Hackers Are Extorting Plastic Surgery Providers, Patients

Analysis of more than 1.8 million admin portals reveals IT leaders, with the highest privileges, are just as lazy about passwords as everyone else.

After sifting through more than 1.8 million pages identified as admin portals, researchers made a disheartening discovery — 40,000 of them used "admin" as its password, making it the most popular credential used by IT administrators.

The research was conducted on 2023 passwords between January and September by a team with Outpost24, which also found an increased reliance on default passwords.

The top 10 passwords discovered by the analysis included common defaults and easy-to-guess options:

1.  admin
2.  123456
3.  12345678
4.  1234
5.  Password
6.  123
7.  12345
8.  admin123
9.  123456789
10.  adminisp

"While our top 20 findings are limited to known and predictable passwords, the fact that they were associated with admin portals also tells us that bad actors are well equipped to target privileged users," the Outpost24 team explained.

The researchers highlighted the continuing efforts of "traffers," organized groups of cybercriminals that use malware to target admins and steal their credentials.

"To secure passwords and consequently business data, there are two key takeaways," the report added. "One is securing passwords through standard best practices, and the second is avoiding malware infection."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The Most Popular IT Admin Password Is Totally Depressing

Under the Security Appraisal Framework and Enablement (SAFE) program, device manufacturers will be able to work with approved auditors to verify firmware.

In a bid to improve data center hardware and firmware security, the Open Compute Project announced the Security Appraisal Framework and Enablement (SAFE) program at OCP Summit event this week.

The program would provide an open source, standardized audit checklist and criteria for selecting third-party auditors to review device firmware. The idea is twofold: have the OCP community develop a device-specific audit checklist and criteria for auditor selection, and then have customers use the criteria to select auditors who use the checklist to verify firmware. The framework is intended to reduce costs and redundancy around device security reviews, according to the OCP.

"The OCP S.A.F.E Program defines and enforces a consistent framework for testing, validating, and assuring the security and integrity of devices at the very heart of today's cloud," said Gunter Ollmann, CTO at IOActive, one of the organizations currently enrolled as a security review provider for the program, in a statement. "Data center owners that have struggled to maintain and enforce their unique security requirements for hardware and firmware, and device vendors that have had to piece together a costly jigsaw of overlapping and inconsistent requirements across their many data center customers, can now align against a single consistent and stringent methodology delivered by an accredited and mutually trusted pool of security auditors."

At the moment, independent third-party audits of firmware are complicated because only a subset of customers ever see audit results. SAFE's objective is to allow device and system manufacturers to commission an OCP-approved security review provider to audit their firmware and then share the results with customers. With this framework, cloud providers and data center operators could increase the pace at which they receive, trust, and deploy critical firmware updates in their environments, according to the OCP.

While the program is a step in the right direction because it draws more attention to underserved areas in cybersecurity, such as firmware security, it might not be enough to impact the ecosystem because the focus is still on costly and slow audits, according to Alex Matrosov, founder and CEO of Binarly.

"I see a combination of the approaches we tried before, but unfortunately, it doesn't change much," he says.

It is not clear how the results of the SAFE audits will be visible in the long term and what type of impact it will create on the ecosystem.

"Relying heavily on manual code reviews is inherently limited in scalability and is deeply influenced by human factors," Matrosov says. "While introducing such workflows might guarantee steady work for code audit shops, I remain skeptical about their efficacy without the support of proper tooling and automation."

Binarly has disclosed more than 400 "high-impact vulnerabilities" during the year, and the timeline for fixing them remains very slow. For example, even after Binarly's joint disclosure with Qualcomm last January, Microsoft has not finished patching its ARM devices.

For things to change, the industry needs to emphasize "automation in vulnerability discovery, risk assessment, and prioritization," Matrosov says.

OCP Launches SAFE to Standardize Firmware Audits

The latest threat to Citrix NetScaler, CVE-2023-4966, was exploited as a zero-day bug for months before a patch was issued. Researchers expect exploitation efforts to surge.

A critical security vulnerability in Citrix NetScaler patched last week is under active attack — and has been since at least August.

Making matters worse, the bug (CVE-2023-4966, CVSS score 9.4), can't be fully remediated by simply applying the patch, Mandiant warns.

To that point, "organizations should ... terminate all active sessions," Mandiant CTO Charles Carmakal explained in a LinkedIn post on the active Citrix exploitation this week. "These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated."

Technically an information-disclosure vulnerability, the flaw allows cyberattackers to hijack existing authenticated sessions and potentially bypass multifactor authentication (MFA). The result is full control over NetScaler environments, which control and manage application delivery within enterprises.

**Zero-Day Exploitation Since August**

Mandiant has traced attacks exploiting the bug back to late summer, carried out by an unknown threat actor. Carmakal said that the ongoing exploitation appears focused on cyberespionage, with professional services, technology, and government organizations so far in the unknown attackers' sights.

"We anticipate other threat actors with financial motivations will exploit this over time," he added.

That's a likely prediction given that organizations have a poor track record when it comes to mitigating known threats against Citrix gear. For instance, earlier in the month it came to light that legions of attackers are still targeting CVE-2023-3519 (CVSS score of 9.8), a critical pre-authentication remote code-execution (RCE) vulnerability in Citrix NetScaler gateways that was addressed in July (but exploited as a zero-day for a month before that).

Thousands of credential-theft attacks ensued after the disclosure, cresting in August as patching lagged. As of early October, according to the Shadowserver Foundation, more than 1,300 backdoored NetScaler instances were still appearing in scans.

As far as the latest critical security bug goes, customer-managed Citrix NetScaler ADC and NetScaler Gateway installations are affected; cloud instances are not, as outlined in the Citrix bug advisory, which also includes information about patched versions. Mandiant on Wednesday also offered updated, detailed remediation guidance for CVE-2023-4966.

Critical Citrix Bug Exploited as a Zero-Day, 'Patching Is Not Enough'

Endpoint management based on open source agents, such as osquery, could simplify IT management and security while giving larger firms more customization options.

A smattering of security startups are building ecosystems around the open source security agent osquery as a way to allow companies to reduce their reliance on proprietary software and to customize the IT monitoring and security tool to their needs.

On Oct. 17, endpoint management firm Fleet updated its lightweight osquery agent with the capability to execute scripts on managed hosts, allowing the agents to not only monitor systems, but to manage them and respond to incidents as well. Enterprises have seen a proliferation of agents over time, with separate agents to manage antivirus, firewalls, logging, data security, and configuration now common, to name a few.

The result has been complexity creeping into IT management and security operations, says Mike McNeil, co-founder and CEO of Fleet.

"On one hand, you've got people that are buying these giant monolithic things, and then on the other hand, you've got the people that are stringing together a bunch of open source tools, and you end up with these architectural diagrams that are a big — frankly, kind of a big mess," he says. "I think that people are looking for a consistent interface to everything, something that's a little bit more modular."

Many companies are fighting back against the creep of complexity by using osquery as the universal endpoint agent, says Santiago Bassett, founder and CEO of Wazuh. Facebook originally developed osquery for internal use and then open-sourced it in 2014. The osquery agent monitors the operating system's state, saves it in an SQL database, and allows administrators to query the agent to receive information about the system, such as log analysis, compliance state, configuration management, and results of security checks.

"That's the trend, where users are consolidating different agents that have very specific purposes, and now they have \[fewer\] agents that are more comprehensive, more horizontal, that deliver more capabilities," he says. "I wouldn't be surprised if there are more initiatives to say — this specific capability that everybody is actually using relies on the same source code, which is open source, so let’' all agree on using that same \[agent\]."

**Osquery, the Universal Endpoint Agent?**

The idea of using osquery as a universal endpoint monitoring agent is one at least as old as the open source agent itself. Other open source tools, such as Sysdig and OSSec, have some overlap in functionality with osquery but different focuses. Sysdig allows the low-level instrumentation of the kernel, which makes it a popular way to monitor containerized applications in the cloud, while OSSec is focused on host-based intrusion detection (HID) and compliance on Linux and Windows systems.

A variety of companies have based their technology on osquery, which works on Windows, MacOS, and Linux systems. In addition to Fleet, open security platform Wazuh, zero-trust solution provider Kolide, open source Apple device manager Zentral, and cloud and endpoint management firm Uptycs all use osquery or integrate with systems already running the agent.

Security and IT management vendors have differentiated their offerings, but much of that differentiation can be accomplished in how the information provided by osquery is operationalized. The basic functionality of instrumenting the endpoint should not be that point of differentiation, says Wazuh's Santiago.

"Vendors are always going to have some interest in differentiating, of course, from other vendors that say, 'Oh, we add value here, we have value there,' but there are things that are already solved in the industry that we all do," he says. "There's really no way to add value to how I collect logs from a Windows system — I just read those logs."

**From Passive Monitoring to Active Response**

But companies do not just want visibility and monitoring, which is why Fleet added the ability to execute scripts using the osquery agent. Using the capabilities, which other providers have as well, helps turn the agent into a tool for managing endpoints as well. Companies can now push patches to remote devices and shut down specific features, such as USB ports, to better secure systems and reduce their attack surface area, says Fleet's McNeil.

The goal is not to replace endpoint detection and response, but to give companies the ability to have greater visibility and, if they detect something odd, to do something about it, he says.

"The idea of self remediation — being able to detect malware with Yara and automatically you'll run a script to remove it or isolate the computer on the network — now you can kind of own all those tools and build that yourself any way you want," he says. "So the more we can simplify this and open it up, the better."

Source

DARKReading