Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

The rush to patch systems affected by the landmark Log4Shell vulnerability has coincided with a wider improvement in patching rates for the most critical flaws, a report has found.

The remote code execution (RCE) flaw in Apache Log4j (CVE-2021-44228), the near-ubiquitous open source Java logging utility, sent organizations across the ecosystem scrambling to fix applications or patch systems after it emerged in December 2021.

Eight months on, the 2022 Trustwave SpiderLabs Telemetry Report has concluded that organizations “finally understand the necessity of having a solid security posture”.

RECOMMENDED Graph-based JavaScript bug scanner discovers more than 100 zero-days in Node.js libraries

Shodan searches performed by Trustwave SpiderLabs researchers revealed a sharp fall in the proportion of affected instances vulnerable to 2022’s highest profile vulnerabilities versus 2021’s equivalent flaws.

“Vulnerability disclosure-to-patch times have decreased,” Alex Rothacker, director of research and security scanning at Trustwave, told The Daily Swig.

**Celebrity factor**

He also noticed that security flaws’ “level of celebrity” was tied to both patching rates and patching speeds, with Log4j and Spring Framework instances outscoring what Rothacker said are lower profile issues in F5’s BIG-IP and Atlassian’s Confluence on these fronts.

For instance, only 0.36% of 405,993 instances of the most popular products running Log4j were vulnerable to the first Log4Shell patch (as opposed to the subsequent bypass) six months after exploits surfaced.

Equivalent numbers were 0.075% of 452,520 instances running unpatched versions of Spring Framework, another popular open source Java component, in regard to ‘Spring4Shell’ (CVE-2022-22965) three months after its disclosure.

Instances vulnerable to RCEs in F5’s BIG-IP (CVE-2022-1388) and Atlassian Confluence Server and Data Center (CVE-2022-26134) were 2.73% of 1,719 after disclosure and 4.44% of 7,074 hosts respectively – although disclosure was much more recent in these cases.

Catch up on the latest Log4j vulnerability news

By contrast, Trustwave’s 2021 report found that more than 50% of instances were vulnerable in relation to each of three similarly impactful vulnerabilities, weeks or months after patch release.

“Log4Shell seems to have been a call to action for many organizations,” said Rothacker. “The volume of questions and requests for remediation help that we received from customers for Log4Shell was unprecedented.”

**Critical mass**

This year is on course to comfortable eclipse 2021 in terms of both number of CVEs published and the proportion of which that are critical, the report found.

For instance, Rothacker said that August has already surpassed all previous months in 2022 and 2021, with 3,779 CVEs published as of August 26, while July and June also saw high numbers of 2,226 and 2,377 respectively.

Critical vulnerabilities account for 18% of 2022 CVEs, up from 13% of CVEs in 2021.

The report also discovered that some affected instances were still vulnerable to CVEs dating back as far as 2016, with the most widespread bug being CVE-2017-15906, an issue in encrypted remote login tool OpenSSH.

Despite being distributed in most Linux distributions by default, the bug’s medium severity means “it is most likely that many organizations do not see it as a significant issue and are de-prioritizing fixing it” said Rothacker.

“Other listed vulnerabilities either are for less commonly deployed software e.g CVE-2018-15199, or do have other mitigations, or constraints e.g CVE-2018-1312, that make it less likely that they will be exploited,” he added.

The top three CWE classifications for 2022 are cross-site scripting (XSS), SQL injection, and out-of-bounds write bugs.

RELATED CWE Top 25: These are the most dangerous software weaknesses of 2022

Log4Shell legacy? Patching times plummet for most critical vulnerabilities – report

The first-of-its-kind campaign threatens to remove code packages if developers don’t submit their code to a "validation" process.

A phishing campaign is targeting users of the Python Package Index (PyPI) by threatening to remove their code packages if they don't put it through a bogus validation process, PyPI administrators have warned.

PyPI administrators are alerting users about the repository — which enables Python developers to publish and find code packages to use for building software — of emails that claim they are implementing a "mandatory 'validation' process," they said in a series of tweets outlining how the scam works.

The messages invite PyPI users to follow a link to perform the validation "or otherwise risk the package being removed from PyPI." The administrators assured users in a post that they would never remove a valid project from the index, and they only take down projects that are found to be malicious or violate the company's terms of service.

The campaign, which the administrators said is the first of its kind, steals users credentials to load compromised packages to the repository. The administrators noted that the phishing campaign does not target code repositories as a way to spread malware through the software supply chain.

The attackers behind the scam already have successfully stolen credentials from several PyPI users and uploaded malware into the projects they maintain to serve as the latest release for those projects, according to PyPI.

"These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen," according to PyPI's Twitter post.

**How the Scam Works**

According to PyPI, the initial phishing message dangles the lure that Google is behind the validation process of new and existing PyPI packages. Ironically, the message claims the new process is due to "a surge in malicious packages being uploaded to the PyPI.org domain."

The link takes the user to a phishing site that mimics PyPI's login page, which steals any credentials entered through a phishing site, "sites\[dot\]google\[dot\]com/view/pypivalidate." The data is sent to a URL on the domain "linkedopports\[dot\]com," according to PyPI.

PyPI administrators have been unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes but noted that accounts protected by hardware security keys are not vulnerable to the attack.

Repository administrators are in the process of actively reviewing reports of new malicious releases and ensuring that they are removed so the accounts that have been compromised are restored and their maintainers can continue to use PyPI.

**Supply Chain in the Crosshairs**

The campaign bucks the trend where threat actors are targeting public code repositories to distribute malware to the software supply chain. Flawed code can be a goldmine for threat actors, expansively widening the impact of malicious campaigns when compromised code is built into numerous applications or websites without developers or users knowing.

The Log4J case — in which a flaw in a widely used Java logging tool affected millions of applications, many of which are still vulnerable — brought this to light in a big way, and threat actors recently have ramped up attacks on code repositories as a way to spread malicious code quickly through the supply chain.

Earlier this month, PyPI removed 10 malicious code packages from the registry after a security vendor informed it about the issue. Threat actors targeted the registry by embedding malicious code into the package installation script.

PyPI has been aware of the target on its back and in the past few years has enacted several security initiatives to better protect its users.

These measures include the addition of two-factor authentication (2FA) as a login option and API tokens for uploading software to the registry, a dependency resolver to ensure the pip package installer installs the right versions of package dependencies, and the creation of databases of known Python vulnerabilities in PyPI projects.

**Thwarting the Attack**

PyPI is currently working to make 2FA more prevalent across projects on the repository, administrators said, adding that PyPI users with 2FA already implemented should reset recovery codes if they think that their account has been compromised.

To avoid being phished altogether, PyPI users should confirm that the URL in the address bar of any email purporting to come from PyPI is http://pypi.org and that the site's TLS certificate is issued to http://pypi.org. Users also should consider using a browser-integrated password manager, administrators tweeted.

Enabling 2FA by using hardware security keys or WebAuthn 2FA also can help PyPI users avoid being compromised by phishing attempts, they said. In fact, to help facilitate better protection, the repository currently offers free hardware keys for maintainers of the top 1% of projects.

PyPI advised any users who think they've been compromised to contact \[email protected\] with details about the sender email address and URL of the malicious site to help administrators to respond to this issue.

Phishing Campaign Targets PyPI Users to Distribute Malicious Code

To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap.

Practically speaking, quantum computers are still years away, but the US Cybersecurity and Infrastructure Agency is still recommending that organizations begin preparations for the migration to the post-quantum cryptographic standard.

Quantum computers use quantum bits (qubits) to deliver higher computing power and speed, and are expected to be capable of breaking existing cryptographic algorithms, such as RSA and elliptic curve cryptography. This would impact the security of all online communications as well as data confidentiality and integrity. Security experts have warned that practical quantum computers could be possible in less than ten years.

The National Institute of Standards and Technology announced the first four quantum-resistant algorithms that will become part of the post-quantum-cryptographic standard in July, but the final standard is not expected until 2024. Even so, CISA is encouraging critical infrastructure operators to begin their preparations in advance.

“While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats,” CISA says.

To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap. The first step should be creating an inventory of vulnerable critical infrastructure systems, CISA said.

Organizations should identify where, and for what purpose, public key cryptography is being used, and mark those systems as quantum-vulnerable. This includes creating an inventory of the most sensitive and critical datasets that must be secured for an extended amount of time, and all systems using cryptographic technologies. Having a list of all the systems would ease the transition when it comes times to make the switch.

Organizations will also need to assess the priority level for each system. Using the inventory and prioritization information, organizations can then develop a systems transition plan for when the new standard is published.

Security professionals are also encouraged to identify acquisition, cybersecurity, and data security standards that will need to be updated to reflect post-quantum requirements. CISA encourages increasing engagement with organizations developing post-quantum standards.

The agency’s focus on the inventory echoes the recommendations made by Wells Fargo at RSA Conference earlier this year. In a session discussing the financial giant’s quantum journey, Richard Toohey, technology analyst at Wells Fargo, suggested that organizations begin their crypto inventory.

"Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" Toohey said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

Wells Fargo has a “very aggressive goal” to be ready to run post-quantum cryptography in five years, according to Dale Miller, the chief artchitect of information security architecture at Wells Fargo.

Migrating industrial control systems (ICSs) to post-quantum cryptography will be a major challenge for critical infrastructure operators, mainly because the equipment is often geographically dispersed, CISA said in the alert. Even so CISA urged critical infrastructure organizations to include in their strategies the actions needed to address risks from quantum computing capabilities.

CISA is not the only one sounding the alarm about getting started. In March, the Quantum-Safe Working Group of the Cloud Security Alliance (CSA) set a deadline of April 14, 2030, by which companies should have their post-quantum infrastructure in place.

“Do not wait until the quantum computers are in use by our adversaries to act. Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available,” CISA said.

A Peek Into CISA's Post-Quantum Cryptography Roadmap

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

Microsoft 365 Empowers Business Users to Shoot Themselves in the Foot

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

August 29, 2022

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

by Michael Bargury, CTO & Co-Founder, Zenity

August 29, 2022

6 min read

Article

Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

August 24, 2022

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

by Kolawole Samuel Adebayo, Contributing Writer

August 24, 2022

5 min read

Article

Meta Takes Offensive Posture With Privacy Red Team

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

August 23, 2022

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

by Jeffrey Schwartz, Contributing Writer, Dark Reading

August 23, 2022

6 min read

Article

Expiring Root Certificates Threaten IoT in the Enterprise

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

August 22, 2022

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

by Julianne Pepitone, Contributing Writer

August 22, 2022

6 min read

Article

NIST Weighs in on AI Risk

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

August 20, 2022

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

by Edge Editors, Dark Reading

August 20, 2022

3 min read

Article

Thoma Bravo Closes $6.9B Acquisition of Identity-Security Vendor SailPoint

All-cash transaction deal that was first announced in April means SailPoint is no longer a publicly traded company.

August 17, 2022

All-cash transaction deal that was first announced in April means SailPoint is no longer a publicly traded company.

by Dark Reading Staff, Dark Reading

August 17, 2022

1 min read

Article

Cybercriminals Weaponizing Ransomware Data for BEC Attacks

Attacked once, victimized multiple times: Data marketplaces are making it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

August 12, 2022

Attacked once, victimized multiple times: Data marketplaces are making it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

by Edge Editors, Dark Reading

August 12, 2022

3 min read

Article

Looking Back at 25 Years of Black Hat

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

August 10, 2022

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

by Andrada Fiscutean, Contributing Writer, Dark Reading

August 10, 2022

9 min read

Article

Don't Take the Cyber Safety Review Board's Log4j Report at Face Value

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

August 09, 2022

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

by Matt Chiodi, Chief Trust Officer, Cerby

August 09, 2022

5 min read

Article

What Adjustable Dumbbells Can Teach Us About Risk Management

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

August 08, 2022

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

by Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

August 08, 2022

5 min read

Article

Name That Edge Toon: Up a Tree

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

August 01, 2022

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

by John Klossner, Cartoonist

August 01, 2022

1 min read

Article

Overcoming the Fail-to-Challenge Vulnerability With a Friendly Face

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

July 27, 2022

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

by Karen Spiegelman, Features Editor

July 27, 2022

6 min read

Article

Why Layer 8 Is Great

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

July 25, 2022

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

by Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

July 25, 2022

4 min read

Article

Understanding Proposed SEC Rules Through an ESG Lens

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

July 22, 2022

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

by Stephen Lawton, Contributing Writer

July 22, 2022

5 min read

Article

Equitable Digital Identity Verification Requires Moving Past Flawed Legacy Systems

Data science can be used to improve access to government assistance while reducing fraud.

July 21, 2022

Data science can be used to improve access to government assistance while reducing fraud.

by Jordan Burris, Senior Director of Product Market Strategy for the Public Sector, Socure

July 21, 2022

5 min read

Article

Microsoft 365 Empowers Business Users to Shoot Themselves in the Foot

Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability’s long tail for remediation.
Microsoft attributed the latest set of activities to the umbrella threat group tracked as MuddyWater (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is linked to the Iranian intelligence

Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability's long tail for remediation.

Microsoft attributed the latest set of activities to the umbrella threat group tracked as MuddyWater (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is linked to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS).

The attacks are notable for using SysAid Server instances unsecured against the Log4Shell flaw as a vector for initial access, marking a departure from the actors' pattern of leveraging VMware applications for breaching target environments.

"After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack," Microsoft said.

The tech giant's threat intelligence team said it observed the attacks between July 23 and 25, 2022.

A successful compromise is said to have been followed by the deployment of web shells to execute commands that permit the actor to conduct reconnaissance, establish persistence, steal credentials, and facilitate lateral movement.

Also employed for command-and-control (C2) communication during intrusions is a remote monitoring and management software called eHorus and Ligolo, a reverse-tunneling tool of choice for the adversary.

The findings come as the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) deemed the critical vulnerability in the open-source Java-based logging framework an endemic weakness that will continue to plague organizations for years to come as exploitation evolves.

Log4j's wide usage across many suppliers' software and services means sophisticated adversaries like nation-state actors and commodity operators alike have opportunistically taken advantage of the vulnerability to mount a smorgasbord of attacks.

The Log4Shell attacks also follow a recent report from Mandiant that detailed an espionage campaign aimed at Israeli shipping, government, energy, and healthcare organizations by a likely Iranian hacking group dubbed UNC3890.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations

Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.

Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for "Sliver." It's an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.

"What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike \[by defenders\]," says Josh Hopkins, research lead at Team Cymru. "Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected," he says.

Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.

**Growing Use**

Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.

Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.

**An Attractive Alternative for Adversaries**

Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.

Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant. 

"Stagers are used by many C2 frameworks to minimize the malicious code that's included in an initial payload (for example, in a phishing email)," Microsoft said. "This can make file-based detection more challenging."

Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.

"Sliver lowers the barrier of entry for attackers. \[It\] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses," he notes. 

But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. "Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it," he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.

And finally, the fact that it's free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.

**Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks**

At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn. 

In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes. 

"Defenders would be unwise to take their eyes off Cobalt Strike," Hopkins says. "Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks."

Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called "Bumblebee". The company's chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors. 

"Sliver has a lot of features, \[but\] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users," he says "This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection."

Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes. 

Earlier this year, Palo Alto Networks' Unit 42 threat-hunting team uncovered what appeared to be Russia's notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign. 

Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called "Mythic" following some initial indications of adoption within the threat-actor community.  

Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says. 

"\[So\], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks," he notes.

'Sliver' Emerges as Cobalt Strike Alternative for Malicious C2

Understanding how and why people respond to cyber threats is key to building cyber-workforce resilience.

The complexity, ceaselessness, and increasingly destructive nature of today's cyber threats creates a high cognitive workload. This is why it's crucial to ensure that employees are developing the right cognitive skills and agility to protect against attacks. Doing so will have a powerful impact on an organization's cyber-workforce resilience.

A recent "Cyber Workforce Benchmark" report from Immersive Labs took the pulse of cyber skills, knowledge, and preparedness of organizations and their workforces across numerous industries, including financial services, retail, healthcare, and government. The report examines how prepared certain industries are for cyberattacks, providing results from a psychological standpoint. Here are some key findings from the report and the psychological analysis behind them.

**The frequency of organizations conducting cyber-crisis exercises varies significantly across different industries — and can also impact performance scores.**

An analysis of more than 6,400 crisis response decisions shows that technology and financial services companies prepare the most for cyberattacks, running nine and seven exercises per year, respectively. Critical national infrastructure organizations prepare the least, with just one exercise per year. Healthcare runs a mere two. When it comes to these industries' performance in cyber-crisis exercises, healthcare scored 18%, which is low when compared with technology companies, which scored 80%.

_What it means: The more an organization exercises its abilities, the better they become._

Psychology provides an explanation as to why this is the case. People develop surface-level knowledge of a capability before moving on to more advanced thinking. If these skills aren't reinforced or exercised, they fade. It's like learning a new language: If you don't practice the language and speak it on a regular basis, odds are you will lose your knowledge of it. Only with regular, consistent practice and exercise will crisis response teams be able to develop the ability to make connections between previous decisions and how to apply them — or not — during a cyberattack.

**Ransomware causes great uncertainty for crisis response teams.**

The research asked participants to rate how confident they were in their answers during training, and the simulations that focused on ransomware were the ones where participants lost confidence in their decision-making and judgments. Teams did not want to pay the ransom, with 83% of participants saying they would not do so. However, they were also uncertain about the outcome if they did not pay. Interestingly, the report showed, the industries most likely to pay ransoms were education (25%), consulting (23%), and retail and e-commerce (20%).

_What it means: This lack of decision-making confidence points to a classic issue for crisis response teams, often referred to as a "wicked problem."_

When considering options with no clear-cut resolution, decisions are challenged by data overload and decision fatigue. The sheer amount of information can be overwhelming. Decisions may be rushed, based on uncertainty or even fear. In the end, because the brain becomes overwhelmed, we settle on a compromise that leads to a lack of confidence in the decision.

**High-profile vulnerabilities see a significantly decreased time to capability.**

Four of the top five fastest-developed skills in 2021 came from dealing with the Log4j vulnerability. It took cybersecurity teams an average of two days to develop the knowledge and skills to defend against it. This was a whopping 48 times faster than the average threat intelligence lab. This reflects the severe impact of Log4j. It also demonstrates the scramble many teams faced in understanding and responding to the threat.

_What it means: The human need to take action is an automatic response, hardwired into our brains, and could cause people to rush into making decisions — good or bad._

The brain makes assumptions and takes shortcuts based on previous experiences, which could spell trouble for organizations. These assumptions and shortcuts, known as biases and heuristics, can lead to irrelevant decisions that may end up backfiring or even making situations worse. If people understood how their minds work and how they react in emergencies, they could learn how to eventually counteract their natural instincts. This will help increase confidence and the effectiveness of decision-making in the future.

**The Bottom Line**

Cyber-workforce resilience is more crucial than ever before. Cyber-crisis exercises should not be considered a one-and-done occurrence — nor should they be exclusive to cyber teams. We must shift our mindset to making regular exercises a critical business function, developing cognitive agility across the entire workforce. Continuous professional development needs to become part of the day job. We call this concept "microdrilling." It helps to sharpen teams' skills, bolster their confidence when making decisions, and enable them to make smarter decisions in real-life situations. The goal is not to teach people to respond to a specific crisis, but rather to develop the necessary decision-making skills to respond to _any_ crisis. Organizations will never become truly cyber resilient unless they make regular cyber exercises across the workforce a priority.

What You Need to Know About the Psychology Behind Cyber Resilience

PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.

Original Release: August 4, 2022

****Overview****

Recently, a security vulnerability was discovered in the PrinterLogic Windows Client driver installation process. Vasion has completed remediation for this vulnerability via an updated Windows Client package.

****Vulnerability Description****

The PrinterLogic Windows Client on or before Version 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content. A CVE will be published by Mitre shortly and added to this bulletin when available.

****Investigation and Remediation****

The vulnerability is remediated by updating the PrinterLogic Windows Client to Version 25.0.0.688 or later. Release notes for the new client are found here. Depending on your PrinterLogic platform, the following instructions apply:

*   For PrinterLogic SaaS, information about updating clients is found here.
*   For the PrinterLogic Virtual Appliance, a VA Application Update containing the new Windows client is available. For more information about application updates is available here. Once the update is complete, deploy the new client using the steps found here.
*   For PrinterLogic Web Stack, the latest client download is here.
*   If you prefer to push the new Windows client via third-party software, you’ll find the client installation package (MSI) here.

Original Release: April 5, 2022

****Overview****

A security vulnerability that affects VMware products was reported in CVE-2022-22965. The issue does not impact Vasion software.

****Description****

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

****Impact****

While some customers run their PrinterLogic Virtual Appliance on VMware hypervisors, the VA itself is not at risk. Information about remediations for VMware software is available here.

Original Release: Mar 24, 2022

****Overview****

Recently, an out-of-bounds vulnerability assigned to CVE-2021-44142 was disclosed in Samba versions prior to 4.13.17. This flaw involves an out-of-bounds heap read-write event in which remote attackers could execute arbitrary code as root on affected Samba installations that use the VFS module vfs\_fruit. The PrinterLogic Virtual Appliance (VA) is susceptible to this vulnerability and was remediated. This issue does not affect PrinterLogic SaaS.

****Vulnerability Description****

Samba is an implementation of SMB protocol that provides file and printer interoperability for Windows platforms over the network. It is a widely installed software package, and many Linux-based IoT and network devices include publicly open SMB services by default.

The specific flaw exists in EA metadata parsing when opening files in smbd, the Samba server daemon that provides file sharing and printing services to Windows clients. Access as a user with write access to a file’s extended attributes is required to exploit this vulnerability. A guest or unauthenticated user could do this if they are allowed write access to file extended attributes.

The problem in vfs\_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to settings other than the default values, the system is not affected by the security issue. The PrinterLogic VA Host has vfs\_fruit enabled and required remediation.

****Vasion Investigation and Remediation****

Vasion has removed the VA\_Fruit module from the PrinterLogic Virtual Appliance. Therefore, we recommend that PrinterLogic VA customers with host versions 1.0.735 and earlier update their VA Host, which includes the latest application release. This update includes other new functionality as well described in the release notes. The update and release notes can be found in our PrinterLogic VA Admin Guide here.

Original Release: Feb 7, 2022

****Overview****

In late January, Vasion became aware of a vulnerability that affects many Linux distributions. The company has completed remediations in its PrinterLogic SaaS and PrinterLogic Virtual Appliance (VA) platforms.

****Vulnerability Description****

Polkit (formerly known as PolicyKit) is a systemd SUID-root program and is installed by default in every major Linux distribution. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. 

In the version of Polkit that resulted in this vulnerability discovery, the pkexec application doesn’t handle the calling parameters count correctly and ends by trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in a way that induces pkexec to execute arbitrary code. This can result in a local privilege escalation and give unprivileged users administrative rights on the target machine.

A new version of Polkit was released that addresses this vulnerability. More information can be found in the CVE-2021-4034 detail document found here.

****Vasion Investigation and Remediation****

Vasion completed its investigation to determine how this vulnerability affects PrinterLogic SaaS and the PrinterLogic Virtual Appliance (VA). It was found that servers for both platforms contained the affected version of Polkit.  

Both PrinterLogic products have been patched with the latest version of Polkit recommended by Linux (0.105-20 Ubuntu 0.18.04.05 changed to 0.105-20 Ubuntu 0.18.04.06). 

Because PrinterLogic SaaS updates occur automatically, this remediation is already live.

PrinterLogic VA customers with host versions 1.0.730 and earlier will need to update their VA host, which includes the latest application release as well. The VA update and release notes can be found in our Admin Guide here.

Original Release: Jan 21, 2022

****Overview****

Recently, security vulnerabilities were discovered in PrinterLogic Web Stack versions 19.1.1.13 SP9 and below. PrinterLogic has completed corrective measures to remediate each vulnerability, and updates are available now for PrinterLogic Web Stack and the Virtual Appliance. Updates occurred automatically with PrinterLogic SaaS and are live worldwide. A summary of the vulnerabilities and corrective actions PrinterLogic has taken are below. Links to the respective CVEs will be added once they are available.

****Vulnerabilities (CVEs) and Remediation Summary****

*   **CVE-2021-42631:** Object Injection leading to RCE CVSS 8.1

– The affected endpoints were reorganized so they no longer use objects passed as parameters (removing the vulnerability). The vulnerable function “unserialize()” is no longer used.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42635:** Hardcoded APP\_KEY leading to RCE CVSS 8.1

– The Web Stack installers were adjusted to generate random keys on installation and on updates.

– In addition, we performed scans for other keys and credentials that may have been leaked, and any findings were also corrected.  Measures were furthermore put in place to prevent any leaked secrets from accidentally    being included in future releases.

– Affected Web Stack only. Remediations completed.

*   **CVE-2021-42638:** Misc command injections leading to RCE CVSS 8.1

– The affected areas were completely removed where possible (e.g., no longer supported features, printer models, etc.), and escaping/sanitation was corrected for items that could not be removed.

– Affected Web Stack only. Remediations completed.

*   **CVE-2021-42633:** SQLi may disclose audit logs CVSS 0

– The SQLi code was never used. The offending pages were removed.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42637:** Blind SSRF CVSS 4.0

– The test page causing this issue was removed.

– Affected Web Stack only. Remediations completed.

*   **CVE-2021-42639:** Misc reflected XSS CVSS 4.0

– All RCSS vulnerabilities were identified and removed or inputs were escaped or sanitized.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42640:** Driver assignment IDOR CVSS 3.8

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42641:** Username/email info disclosure CVSS 2.0

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42642:** Printer console username/password info disclosure CVSS 4.0

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

****Affected PrinterLogic Software Versions:****

*   **PrinterLogic Web Stack**

– **Version 19.1.1.13 SP9 and earlier**, when operating with macOS or Linux endpoint client software. See new install and update links below.

*   **PrinterLogic Virtual Appliance**

– **Version 20.0.1304 and earlier,** when operating with macOS or Linux endpoint client software.

a. Application update is required. See links below.  

b. Host update not required if you have **VA Host v1.0.674 or later.** 

*   **PrinterLogic SaaS**

– Our SaaS platform does automatic updates. Remediations are now live worldwide. No customer action is needed.

****Updated Files and Documentation****

*   **PrinterLogic Web Stack**

– Link to file for new installs

– Link to file for updates

– Online documentation for these updates

– Only admin server updates are required; no client updates are needed.

*   **PrinterLogic Virtual Appliance**

– Online documentation and file(s) for these updates

– No client software updates are required.

Original Release: Dec 14, 2021

****Overview****

The Log4j vulnerability, documented in CVE-2021-44228, is a remote code execution vulnerability in Log4j. This framework is used for logging within many software solutions. The Log4j library is vulnerable to Remote Command Execution (RCE), which means a remote attacker can execute commands over the network on software that contains the vulnerable Log4j versions.

****Vasion Security Response****

Vasion is aware of the issue and has not found any evidence of exploitation or vulnerability with our products. Vasion products including PrinterLogic SaaS, PrinterLogic VA, and Vasion ST do not utilize, or have dependencies on, the affected Log4j libraries. Therefore, these products are not vulnerable to the referenced CVE-2021-44228.

Our security team will continue to monitor the situation. If our assessment changes, we will publish our findings and subsequent recommendations in this bulletin.

Original Release: Jul 13, 2021

****Overview****

PrintNightmare, documented in CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler. This vulnerability is exposed through specific inbound Remote Procedure Calls (RPC), which are used to add printers and related drivers. This can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

****PrinterLogic Solution****

With PrinterLogic’s Managed Direct IP Printing solution, print jobs are always spooled locally using the local print spooler on the originating workstation. Since PrinterLogic does not use  RPC to access the Windows Print Spooler, a PrinterLogic Managed Direct IP print environment is entirely unaffected when the mitigation steps detailed in the CVE **(option 2)** are followed as recommended by Microsoft. This ensures that the attack vector is closed on all machines running the Windows Print Spooler, while allowing users to continue to safely print using PrinterLogic’s Managed Direct IP solution.

Microsoft has released a patch for this vulnerability. PrinterLogic highly recommends all customers install the July 2021 Out-of-band update on all Windows systems. For details, see KB5004945 and KB5004946.

****What about Point and Print?****

According to Microsoft documentation, Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.

This specifically applies to print queues installed from a Windows print server and does not impact a user’s ability to install print queues from the PrinterLogic Self-Service Portal.

As part of the July 2021 Out-of-band update, a registry setting is checked that will restrict the installation of new unsigned printer drivers to Administrators only. Since PrinterLogic only allows signed Type 3 drivers to be used, and since the PrinterLogic Client is solely responsible for managed print driver installation, this setting will not adversely affect PrinterLogic customers.

While this registry setting does not impact a PrinterLogic Managed Direct IP environment, in accordance with security best practices, PrinterLogic still recommends that all customers enable this registry setting as recommended by Microsoft:

Key: HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint

Value: RestrictDriverInstallationToAdministrators

Type: REG\_DWORD

Data: 1

For more information, please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

****Caveats****

Printers that are configured as shared printers or with Windows Print Server Links will cease to function properly if inbound remote printing is disabled on the Windows print server. PrinterLogic highly recommends that these printers be converted to Managed Direct IP print queues to avoid this and future Windows Print Spooler vulnerabilities.

****References****

Security Update Guide – Microsoft Security Response Center – CVE-2021-34527

VU#383432 – Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()

KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates

July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band

July 6, 2021—KB5004946 (OS Build 18363.1646) Out-of-band

Introduction to Point and Print – Windows drivers

Original Release: May 3, 2019 | Last Revised: May 9, 2019

**Description**

Using an exploit to forcibly update configuration data, the PrinterLogic Client can be directed to bypass HTTPS hardening or directed to another PrinterLogic Server. The PrinterLogic Client does not correctly verify the origin and integrity of updates. An attacker who successfully exploits these vulnerabilities could run arbitrary code in the context of the Local System Account.

**Solution**

**CVE-2018-5408**

This solution prevents Man-in-the-Middle (MITM) attacks where bad actors may attempt to spoof a trusted entity by tricking the PrinterLogic Server into connecting to a malicious host. To reduce any attempt at MITM attacks, you must configure your PrinterLogic Server to use the HTTPS protocol as described below:

1\. Follow the steps outlined here: HTTP and HTTPS Configuration Steps.

2\. Next, make sure your homeURL is updated to HTTPS. For more information, see Update the Client’s HomeURL.

3\. In addition, you need to apply the client update described below to secure your PrinterLogic environment.

**CVE-2018-5409, CVE-2019-9505**

This solution addresses vulnerabilities related to properly verifying the origin and integrity of the PrinterLogic Client code, as well as sanitizing special characters that could lead to unauthorized changes to configuration files. To address these issues, apply the latest PrinterLogic software update as described below:

1\. Download the update from: PrinterLogic Security Update.

2\. On the PrinterLogic Server, navigate to C:\\inetpub\\wwwroot\\public\\client\\setup.

3\. Make a backup copy of your existing PrinterLogic Client files before replacing them.

4\. Copy and replace the PrinterLogic Client installation files with the new files provided in the download.

5\. Navigate to your PrinterLogic Admin Console and enable the automatic update option to update your clients. If you want to push out the clients via GPO or using a software deployment tool, follow these instructions.

6\. To validate the update, check to see that the client for each workstation has been updated to the new version by navigating to **Tools** → **Reports** → **Workstations** from the PrinterLogic Admin Console. Click **Search** to run a report for workstations in your environment. Verify that the numbers in the Client Version column are **at least** as recent as the numbers shown below  
– Windows: **25.0.0.49** or higher– Mac: **25.1.0.274** or higher– Linux: **25.1.0.274** or higher

If you have questions about these solutions, contact PrinterLogic Product Support for assistance.

**References**

CVE-2018-5408, CVE-2018-5409, CVE-2019-9505

CVE-2022-32427: Security Bulletin | Printerlogic

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

'2033121?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-4125: Invalid Bug ID

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

API-related security vulnerabilities continue to be a thorn in the side of organizations, with access control flaws now associated with high-severity CVEs.

According to a new whitepaper published by API security firm Wallarm, titled ‘API vulnerabilities discovered and exploited in Q1-2022’, a total of 48 API-related vulnerabilities were found and reported in the first quarter.

Based on industry standards, 18 were considered high-risk and 19 were labeled as of medium severity, the report (PDF) says.

The critical vulnerabilities disclosed publicly earned themselves CVSS v3 scores ranging from 8.1 and 10.

**Top API threats**

Merging both OWASP Top 10 and OWASP API Security Top 10 standards, the cybersecurity firm categorized the most significant API threat disclosures as issues relating to broken access controls (or broken function level authorization, depending on the OWASP standard), as well as injection attacks.

While security flaws including cryptographic failures, insecure design, excessive data exposure, and misconfigurations also made the list, the most dangerous, exploited API vulnerabilities disclosed in Q1 2022 relate to injection attacks, incorrect authorization or a complete bypass, and incorrect permission assignment.

Topping the list of the four most dangerous API vulnerabilities disclosed and reported in the first quarter of 2022 is CVE-2022-22947, also known as ‘Spring4Shell.’

**BACKGROUND** Spring4Shell: Microsoft, CISA warn of limited, in-the-wild exploitation

Spring4Shell is linked to two vulnerabilities – CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, and CVE-2022-22947, a code injection attack leading to remote code execution (RCE) in Spring Framework’s Java-based Core module.

A developer publicly released exploit code for the critical bug in March, and although promptly deleted, the release of working RCE code ensured Spring4Shell became a headache for developers who needed to apply Spring’s emergency patch quickly.

The vulnerability was compared to Log4j due to the Spring Framework’s popularity. Before long, Microsoft and CISA warned of active exploitation of the zero-day flaw. Attackers then harnessed the bug to grow the Mirai botnet.

**Enterprise technologies targeted**

The second vulnerability at the top of the API vulnerability list is CVE-2022-26501 (CVSS 9.8), an improper authentication bug in Veeam Backup and Replication that allows attackers to execute arbitrary code remotely without authentication. Veeam supports over 400,000 customers, many of which are enterprise firms.

According to Nikita Petrov, the Positive Technologies researcher who disclosed the critical bug alongside two others, CVE-2022-26501 had the potential to “be exploited in real attacks and put many organizations at significant risk”.

The third flaw, another assigned a CVSS score of 9.8, impacts Zabbix, an enterprise-grade open source network tool. Tracked as CVE-2022-23131, when a non-default setting to enable SAML SSO authentication was in use, the tool’s front end was susceptible to privilege escalation and admin session hijacking – as long as an attacker knew the admin’s username.

**YOU MIGHT ALSO LIKE** SOS.dev program launched to help protect critical upstream software

Fourth is CVE-2022-24327, a lower-grade bug assigned a CVSS score of 7.8 but still considered a severe vulnerability. Found in the JetBrains suite hub, the bug related to developer accounts integrated into the hub which inadvertently exposed API keys with excessive permissions, potentially leading to account takeover or hijacking.

Finally, Wallarm has bundled a category of API security threats as a common denominator in many cyber-attacks today. Described by Mitre as “CWE-639: Authorization Bypass Through User-Controlled Key”, the issues surround system authorization functionality which allows key values to be tampered and users to access other users’ data or records without permission.

APIs, as key communication methods between functions, will remain a target for cyber-attackers as long as they are in use due to their critical roles in modern networks and services.

In recent API security news, open source hacking tool GoTestWAF has introduced API security platform evaluation capabilities, emulating OWASP and API exploits to test API security defenses.

**RECOMMENDED** Vulnerability in open source identity management system Free IPA could lead to XXE attacks

Tag

#log4j