More than 1 million instances of firewalls running Cisco Adaptive Security Appliance (ASA) software have four vulnerabilities that undermine its security, a researcher finds.

BLACK HAT USA — Las Vegas — Cisco's enterprise-class firewalls have at least a dozen vulnerabilities — four of which have been assigned CVE identifiers — that could allow attackers to infiltrate networks protected by the devices, a security researcher from vulnerability management firm Rapid7 plans to say in a presentation at the Black Hat USA conference on Aug. 11.

The vulnerabilities affect Cisco's Adaptive Security Appliance (ASA) software, the operating system for the company's enterprise-class firewalls, and its ecosystem. The most significant security weakness (CVE-2022-20829) is that the Adaptive Security Device Manager (ASDM) binary packages are not digitally signed, which — along with the failure to verify a server's SSL certificate — allows an attacker to deploy customized ASA binaries that can then install files onto administrators' computers.

Because administrators just expect the ASDM software to come preinstalled on devices, the fact that the binaries are not signed gives attackers a significant supply chain attack, says Jake Baines, lead security researcher at Rapid7.

"If someone buys an ASA device on which the attacker has installed their own code, the attackers don't get shell on the ASA device, but when an administrator connects to the device, now \[the attackers\] have a shell on \[the administrator's\] computer," he says. "To me, that is the most dangerous attack."

The dozen security weaknesses include issues that impact devices and virtual instances running the ASA software, as well as vulnerabilities in the Firepower next-generation firewall module. More than 1 million ASA devices are deployed worldwide by Cisco's customers, although a Shodan search shows that only about 20% have the management interface exposed to the Internet, Baines says.

As a supply chain attack, the vulnerabilities would give threat actors the ability to compromise a virtual device at the edge of the network — an environment that most security teams would not analyze for security threats, he says.

**Full Access**

"If you have access to the virtual machine, you have full access inside the network, but more importantly, you can sniff all the traffic going through, including decrypted VPN traffic," Baines says. "So, it is a really great place for an attacker to chill out and pivot, but probably just sniff for credentials or monitor the traffic flowing into the network."

Baines discovered the issue when he was investigating the Cisco ASDM to get "a level set on how the GUI (graphical user interface) works" and pull apart the protocol, he says.

A component installed on administrators' systems, known as the ASDM launcher, could be used by attackers to deliver malicious code in Java class files or through the ASDM Web portal. As a result, attackers could create a malicious ASDM package to compromise the administrator's system through installers, malicious Web pages, and malicious Java components.

The ASDM vulnerabilities discovered by Rapid7 include a known vulnerability (CVE-2021-1585) that allows an unauthenticated remote code execution (RCE) attack, which Cisco claimed was patched in a recent update, but Baines discovered it remained.

In addition to the ASDM issues, Rapid7 found a handful of security weaknesses in the Firepower next-generation firewall module, including an authenticated remote command injection vulnerability (CVE-2022-20828). The Firepower module is a Linux-based virtual machine hosted on the ASA device, and it runs the Snort scanning software to classify traffic, according to Rapid7's advisory.

"The final takeaway for this issue should be that exposing ASDM to the internet could be very dangerous for ASA that use the Firepower module," the advisory states. "While this might be a credentialed attack, as noted previously, ASDM's default authentication scheme discloses username and passwords to active MitM \[machine-in-the-middle\] attackers."

Updating can be complex for Cisco ASA appliances, presenting a problem for companies in mitigating the vulnerabilities. The most widely deployed version of the ASA software is five years old, Baines says. Only about half a percent of installations updated their ASA software within seven days to the latest version, he adds.

"There is no auto-patch feature, so the most popular version of the appliance operating system is quite old," Baines says.

Cisco has had to deal with security issues in its other products as well. Last week, Cisco disclosed a trio of vulnerabilities in its RV series of small business routers. The vulnerabilities could be used together to allow an attacker to execute arbitrary code on Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers without authenticating first.

4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls

Eighteen companies, led by Amazon and Splunk, announced the OCSF framework to provide a standard way for sharing threat detection telemetry among different monitoring tools and applications.

BLACK HAT USA – LAS VEGAS – Amazon Web Services (AWS) and Splunk are leading an industry effort of 18 systems and security vendors to standardize how different monitoring systems share security alerts. The goal is to deliver a simplified and vendor-agnostic taxonomy to help security teams ingest and analyze security data faster.

The companies announced the Open Cybersecurity Schema Framework (OCSF) during the Black Hat USA conference on Wednesday in Las Vegas. The participating companies are Broadcom (Symantec), Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

Detecting and stopping today's cyberattacks requires coordination across cybersecurity tools, but many of these tools are not interoperable and there are too many different data formats. The OCSF specification will normalize security telemetry across various security products and services, said Mark Ryland, director of the office of the CISO at AWS, in a blog post announcing the project.

"Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats," Ryland wrote. "Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response."

OCSF, which extends the ICD Schema specifications originally developed by Broadcom’s Symantec division, offers a collection of data types, an attribute dictionary, and taxonomy written in JSON, according to an overview of the specification available on GitHub. Contributors can utilize and extend the framework and map the various data ingestion and normalization schemas in a common threat detection language.

"As practitioners, one of the most challenging problems in technology is connecting finding and event information across multiple vendor tools, operating systems, and versions," says Jamie Scott, product manager at Endor Labs. "A standard data format will reduce cost and accelerate incident triage for our industry as a whole," 

**An Extensible Framework for Interoperability**

As an open source project, OCSF seeks to provide an extensible framework for providing interoperable core security schema not tied to a specific provider, Splunk distinguished engineer Paul Agbabian wrote in a white paper documenting OCSF. Licensed under the Apache License 2.0, OCSF features an agnostic storage format, data collection, and extract, transform, and load (ETL) processes. The schema browser represents categories, event classes, dictionaries, data types, profiles, and extensions.  

"Vendors and other data producers can adopt and extend the schema for their specific domains," Agbabian explained in a separate blog post. "Data engineers can map existing schemas to help security teams simplify data ingestion and normalization so that data scientists and analysts can work with a common language for threat detection and investigation."

"Having a common data format for these events to be shared across tooling will make both consumers and producers lives’ easier. Producers can more easily integrate with other solutions and consumers can aggregate and triage incidents," Scott says.

The OCSF shares some similar taxonomy with the widely used MITRE ATT&CK Framework, according to the white paper, though it also noted some stark differences. The most notable is that OCSF is extensible by vendors and customers, while MITRE releases all content for ATT&CK.

An Enterprise Strategy Group and Information Systems Security Association (ISSA) survey found that 77% of cybersecurity professionals want to see the industry forge support for open standards. The same survey found that 85% see integration among products as essential. 

"Cybersecurity is ready to move on from silos and into an open, integrated era of inter-operability and cooperation," Aghabian noted.

**Normalizing Security Telemetry**

The project is open to other providers wishing to participate and contribute, according to Ryland.

"We see value in contributing our engineering efforts and also projects, tools, training, and guidelines to help standardize security telemetry across the industry," he wrote. "Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently."

The status of the OCSF and when vendors will begin testing wasn’t immediately apparent. And it remains to be seen to what extent the vendors will ultimately contribute to OCSF and implement it.

"The biggest threat to an early-stage effort like OCSF is the steering committee composition itself. Since the committee is made largely of vendors, representative consumer organizations will need a seat at the table to help drive adoption across vendors," Scott says. "As the OCSF continues to collaborate with the industry, it should ensure that the steering committee has reserved spots for industry practitioners who are willing to make an investment in their mission."

Erkang Zheng, founder and CEO of cyber operations platform provider JupiterOne, is pledging to embrace and participate in extending OCSF.

"Over time, we will continue to contribute to the OCSF initiative by extending the framework to cover both time-series event data and stateful/structural asset data, leveraging JupiterOne’s open-source data model," Zheng wrote. "Our hope in participating in this initiative is to inspire more cross-industry collaboration."

Scott adds: "Solving a problem like this is a journey that will require learnings across the industry. But the destination makes the journey worth it."

New Cross-Industry Group Launches Open Cybersecurity Framework

Ransomware gang gained access to the company's VPN in May by convincing an employee to accept a multifactor authentication (MFA) push notification.

Cisco has confirmed a breach of its network, where the attacker used voice phishing to convince an employee to accept a malicious multifactor authentication (MFA) push. The breach resulted in cyberattackers gaining access to the company's virtual private network (VPN) and the theft of an unspecified number of files from its network, the company stated on Aug. 10.

The attacker compromised a Cisco employee's personal Google account, which gave them access to the worker's business credentials through the synchronized password store in Google Chrome. To bypass the MFA protecting access to Cisco's corporate VPN, the attacker attempted voice phishing, or vishing, and repeatedly pushed MFA authentication requests to the employee's phone. Eventually, the worker either inadvertently, or through alert fatigue, accepted the push request, giving the attacker access to Cisco's network.

Cisco acknowledged the incident in a brief press statement, maintaining that the company discovered the breach on May 24 but "did not identify any impact to our business as a result of the incident."

"\[W\]e took immediate action to contain and eradicate the bad actors, remediate the impact of the incident, and further harden our IT environment," a company spokesman said in the statement sent to Dark Reading. "No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco's network since discovering the incident."

Breaches of technology companies have become commonplace, often as part of supply chain attacks. In one of the original supply chain attacks, in 2011, two state-sponsored groups linked to China compromised security vendor RSA to steal critical data underpinning the security of the company's SecurID tokens. In the most significant modern attack, the Russia-linked Nobelium group — which is Microsoft's designation — compromised SolarWinds and used a compromised update to compromise the company's clients.

The attack on Cisco likely had multiple goals, Ilia Kolochenko, founder of cybersecurity startup ImmuniWeb, said in a statement sent to Dark Reading.

"Vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply chain attacks," he said, adding that "vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counterintelligence operations, aimed to find out where law enforcement and private vendors are with their investigations and upcoming police raids."

While some security experts characterized the attack as "sophisticated," Cisco pointed out that it was a social-engineering play.

"The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user," the Cisco Talos team stated in an analysis of the attack. "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN."

With access established, the attacker then tried to move through the network by escalating privileges and logging into multiple systems. The threat actor installed several tools, such as remote access software LogMeIn and TeamViewer, as well as offensive security tools, such as Cobalt Strike and Mimikatz, both in wide use by attackers.

In addition, the attacker had extensive access to Cisco's network, using the compromised account to access "a large number of systems" and compromised several Citrix servers to get privileged access to domain controllers, according to the Cisco Talos analysis. The attacker used already existing remote desktop protocol (RDP) accounts to access systems, removing firewall rules to prevent them from blocking access.

While Cisco maintains that the attackers did not impact its products, services, or sensitive customer or employee data, the company did acknowledge that on Aug. 10, the threat actors published a list of files stolen from the network during the incident. While the attackers demanded a ransom, according to one press report, Cisco stated that the attackers did not deploy ransomware. The threat actor did install a number of offensive tools and payload to a variety of systems on Cisco's network.

Cisco believes the threat actor is an initial access broker — an adversary that gains unauthorized access to corporate networks and then sells that access as a service on the Dark Web. The threat actor appears to have "ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators," Cisco's Talos group stated.

The threat actor, or its affiliates, spoke in English with various international accents and dialects, and claimed to be part of a support organization known to the worker, the targeted employee told Cisco, according to the Talos analysis.

Cisco Confirms Data Breach, Hacked Files Leaked

Industry standards would provide predictable and understandable IoT security frameworks.

The Internet of Things industry's lack of cybersecurity standards is nothing new. We’ve been at this for years. However, with the number of devices expected to surpass 25.4 billion by 2030, and given the recent increase in cyberattacks and threats, it’s clear the situation has risen to crisis levels.

This perfect storm of threats can be extinction-level events for organizations and have detrimental effects on natural resources, economies, governments, and much more. Unfortunately, such threats often begin with unsecured connected devices. Acting as a double-edged sword, connected devices play a crucial role industrywide in day-to-day business operations and solutions, but pose a grave security risk to both enterprises and consumers.

Whose responsibility is it to keep these applications secure? The public sector often points the finger at vendors and brands, but it also has a responsibility to carefully research and choose its vendors and partners. Technology companies, for their part, are responsible for helping to mitigate vulnerabilities and privacy and security flaws. While both the private and public sectors can agree that we must address these issues and create a more secure environment, the solution, however, is where the real challenges lie.

**Synchronized Security Standards**

There are many reasons why today’s devices and mobile applications are insecure, but they all boil down to one thing: There hasn’t been one set of cybersecurity standards until now. IoT product manufacturers must make it a priority to test and certify their products against these security standards to show their consumers that their product offerings have gone through a security certification process. For innovation to evolve, there’s a critical need to follow a set of global, synchronized security standards that will keep everyone on the same page and bring clarity to the future of IoT security.

Brands and manufacturers can hire the best security leadership, bolster security infrastructure, and even mandate companywide cybersecurity training, but it's simply not enough. An industry standard would provide predictable and understandable frameworks to incorporate security into mobile apps and IoT devices — from inception, to testing and third-party validation before going to market, to end use.

With more unique cybersecurity events happening as major world events occur, the time has come to double down on security efforts. Testing and third-party validation is the way to go, giving peace of mind to organizations, partners, and customers.

**Hackers' Affinity for IoT devices**

It’s a never-ending game of cat and mouse — as innovation increases and we become ever-more connected, hackers continue to bring their A games. With more connected devices and buildings becoming interoperable, hackers have become more sophisticated, using connected devices to gain access to — and wreak havoc on — critical infrastructure. Both B2B and B2C businesses must prioritize offering customers secured products, and customers should be made aware of such options and processes. Transparency of security processes and availability of secured products is crucial to achieving a more secure world.

**Remote Working – It's Not All Fun and Games**

The global pandemic summoned the age of remote work. As a result, there's been an uptick in employees using personal smartphones and laptops while logging in to company VPNs to perform their job duties. This presents an increasingly high security risk, but organizations that provide managed devices with a zero-trust model in mind, secured VPNs, and connected devices that have undergone certification and testing will avoid potential security breaches.

**Lack of Data-Sharing Across the Industry**

Today's data-sharing efforts across the industry are insufficient and shine a light on a critical aspect of today’s cybersecurity challenges: sharing and making use of information. The time has come for the global industry to unite, collaborate, and embrace a set of baseline security requirements. This includes data sharing, to help build a more secure cybersecurity landscape and, therefore, a safer world. This can be achieved through testing and third-party validation of IoT devices, in addition to fostering a community — a global think tank of security thought leaders — that is tenaciously looking to advance the greater security ecosystem through sharing crucial data and engaging in creative brainstorming.

**Forming a United Front to Fight Cybercrime**

Many in the cybersecurity industry have found themselves at a crossroads: Either continue operating as individual entities, all pining for the same goals, or begin tackling cybercrime head-on as a united front by joining those that have already unified under a harmonized set of security standards.

Further implementing standardized solutions industrywide will not only create additional industry standards, but will also continue to hold companies accountable to those standards. Such security standards and guidelines are centered on compliance, transparency, and visibility. By further cultivating a community in which ideas about security solutions are shared, organizations can be on — or close to — the same page and therefore in a more secure place. Harmonizing standards and solutions brings higher visibility and clarity to the state of security at any given point in time and paints a better picture of what the future holds. Hackers have a harder time keeping up, and, as an added bonus, the industry is able to foster greater transparency with partners and customers.

The Time Is Now for IoT Security Standards

The new open source tools are designed to help defense, identity and access management, and security operations center teams discover vulnerable network shares.

Network shares in Active Directory environments configured with excessive permissions pose serious risks to the enterprise in the form of data exposure, privilege escalation, and ransomware attacks. Two new open source adversary simulation tools PowerHuntShares and PowerHunt help enterprise defenders discover vulnerable network shares and manage the attack surface.

The tools will help defense, identity and access management (IAM), and security operations center (SOC) teams streamline share hunting and remediation of excessive SMB share permissions in Active Directory environments, NetSPI's senior director Scott Sutherland wrote on the company blog. Sutherland developed these tools.

PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain joined computers. The PowerHuntShares tool addresses the risks of excessive share permissions in Active Directory environments that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments.

"PowerHuntShares will inventory SMB share ACLs configured with 'excessive privileges' and highlight 'high risk' ACLs \[access control lists\]," Sutherland wrote.

PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment. The tool automates the collection of artifacts at scale using PowerShell remoting and perform initial analysis. 

Network shares configured with excessive permissions can be exploited in several ways. For example, ransomware can use excessive read permissions on shares to access sensitive data. Since passwords are commonly stored in cleartext, excessive read permissions can lead to remote attacks against databases and other servers if these passwords are uncovered. Excessive write access allows attackers to add, remove, modify, and encrypt files, such as writing a web shell or tampering with executable files to include a persistent backdoor.   

"We can leverage Active Directory to help create an inventory of systems and shares," Sutherland wrote. "Shares configured with excessive permissions can lead to remote code execution (RCE) in a variety of ways, remediation efforts can be expedited through simple data grouping techniques, and malicious share scanning can be detected with a few common event IDs and a little correlation (always easier said than done)."

New Open Source Tools Launched for Adversary Simulation

Threat actors can abuse weaknesses in HTTP request handling to launch damaging browser-based attacks on website users, researcher says.

BLACK HAT USA – LAS VEGAS – A security researcher who previously demonstrated how attackers can abuse weaknesses in the way websites handle HTTP requests warned that the same issues can be used in damaging browser-based attacks against users.  

James Kettle, director of PortSwigger, described his research as shedding new light on so-called desync attacks that exploit disagreements in how a website's back-end and front-end servers interpret HTTP requests. Previously, at Black Hat USA 2019, Kettle showed how attackers could trigger these disagreements — over things like message length, for instance — to route HTTP requests to a back-end component of their choice, steal credentials, and invoke unexpected responses from an application and other malicious actions. Kettle also has previously shown how HTTP/2 implementation errors can put websites at risk of compromise.

Kettle's new research focuses on how threat actors can exploit the same improper HTTP request handling issues to also attack website users and steal credentials, install backdoors, and compromise their systems in other ways. Kettle said he had identified HTTP handling anomalies that enabled such client-side desync attacks on sites such as Amazon.com, those using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers, and Apache HTTP Server 2.4.52 and earlier.

The main difference between server-side desync attacks and client-side desync is that the former requires attacker-controlled systems with a reverse proxy front end and at least partly malformed requests, Kettle said in a conversation with Dark Reading following his presentation. A browser-powered attack takes place within the victim's Web browser, using legitimate requests, he said. Kettle showed a proof-of-concept where he was able to store information such as authentication tokens of random users on Amazon in his shopping list as an example of what an attacker would be able to do. Kettle discovered he could have gotten each infected victim on Amazon's site to relaunch the attack to others.

"This would have released a desync worm — a self-replicating attack which exploits victims to infect others with no user interaction, rapidly exploiting every active user on Amazon," Kettle said. Amazon has since fixed the issue.

Cisco opened a CVE for the vulnerability (CVE-2022-20713) after Kettle informed the company about it and described the issue as allowing an unauthenticated, remote attacker to conduct browser-based attacks on website users. "An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled," the company noted. "A successful exploit could allow the attacker to conduct browser-based attacks, including cross-site scripting attacks, against the targeted user."

Apache identified its HTTP request smuggling vulnerability (CVE-2022-22720) as tied to a failure "to close inbound connection when errors are encountered discarding the request body." Varnish described its vulnerability (CVE-2022-23959) as allowing attackers to inject spurious responses on client connections.

In a whitepaper released today, Kettle said there were two separate scenarios where HTTP handling anomalies could have security implications,

One was first-request validation, where front-end servers that handle HTTP requests use the Host header to identify which back-end component to route each request to. These proxy servers often have a whitelist of hosts that people are allowed to access. What Kettle discovered was that some front-end or proxy servers only use the whitelist for the first request sent over a connection and not for subsequent requests sent over the same connection. So, attackers can abuse this to gain access to a target component by first sending a request to an allowed destination and then following up with a request to their target destination.

Another closely related but far more frequent issue that Kettle encountered stemmed from first-request routing. With first-request routing, the front-end or proxy server looks at the HTTP request's Host header to decide where to route the request to and then routes all subsequent requests from the client down to the same back end. In environments where the Host header is handled in an unsafe way, this presents attackers with an opportunity to target any back-end component to carry out a variety of attacks, Kettle said.

The best way for websites to mitigate client-side desync attacks is to use HTTP/2 end-to-end, Kettle said. It's generally not a good idea to have a front end that supports HTTP/2 and a back end that is HTTP/1.1. "If your company routes employee's traffic through a forward proxy, ensure upstream HTTP/2 is supported and enabled," Kettle advised. "Please note that the use of forward proxies also introduces a range of extra request-smuggling risks beyond the scope of this paper."

New HTTP Request Smuggling Attacks Target Web Browsers

Four serious security issues on the popular appliance could be exploited by hackers with any level of access within the host network, Bitdefender researchers say.

A series of vulnerabilities on the popular asset management platform Device42 could be exploited to give attackers full root access to the system, according to Bitdefender.

By exploiting a remote code execution (RCE) vulnerability in the staging instance of the platform, attackers could successfully obtain full root access and gain complete control of the assets housed inside, Bitdefender researchers wrote in the report. The RCE vulnerability (CVE-2022-1399) has a base score of 9.1 out of 10 and is rated "critical," explains Bogdan Botezatu, director of threat research and reporting at Bitdefender.

"By exploiting these issues, an attacker could impersonate other users, obtain admin level access in the application (by leaking session with a LFI) or obtain full access to the appliance files and database (through remote code execution)," the report noted.

RCE vulnerabilities allow attackers to manipulate the platform to execute unauthorized code as root — the most powerful level of access on a device. Such code can compromise the application as well as the virtual environment the app is running on.

To get to the remote code execution vulnerability, an attacker that has no permissions on the platform (such as a regular employee outside of the IT and service desk teams) needs to first bypass authentication and gain access to the platform.

**Chaining Flaws in Attacks**

This can be made possible through another vulnerability described in the paper, CVE-2022-1401, that lets anyone on the network read the contents of several sensitive files in the Device42 appliance.

The file holding session keys are encrypted, but another vulnerability present in the appliance (CVE-2022-1400) helps an attacker retrieve the decryption key that is hardcoded in the app.

"The daisy-chain process would look like this: an unprivileged, unauthenticated attacker on the network would first use CVE-2022-1401 to fetch the encrypted session of an already authenticated user," Botezatu says.

This encrypted session will be decrypted with the key hardcoded in the appliance, thanks to CVE-2022-1400. At this point, the attacker becomes an authenticated user.

"Once logged in, they can use CVE-2022-1399 to fully compromise the machine and gain complete control of the files and database contents, execute malware and so on," Botezatu says. "This is how, by daisy-chaining the described vulnerabilities, a regular employee can take full control of the appliance and the secrets stored inside it."

He adds these vulnerabilities can be discovered by running a thorough security audit for applications that are about to be deployed across an organization.

"Unfortunately, this requires require significant talent and expertise to be available in house or on contract," he says. "Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices, and then to responsible disclose our findings to the affected vendors so they can work on fixes."

These vulnerabilities have been addressed. Bitdefender received version 18.01.00 ahead of public release and was able to validate that the four reported vulnerabilities — CVE-2022-1399, CVE-2022-1400, CVE 2022-1401, and CVE-2022-1410 — are no longer present. Organizations should immediately deploy the fixes, he says.

Earlier this month, a critical RCE bug was discovered in DrayTek routers, which exposed SMBs to zero-click attacks — if exploited, it could give hackers complete control of the device, along with access to the broader network.

Multiple Vulnerabilities Discovered in Device42 Asset Management Appliance

Many of the technologies and services that organizations are using to isolate Internet traffic from the internal network lack session validation mechanisms, security startup says.

Many of the tools that organizations are deploying to isolate Internet traffic from the internal network — such as multifactor authentication, zero-trust network access, SSO, and identity provider services — do little to protect against cookie theft, reuse, and session hijacking attacks.

Attackers in fact have a way to bypass all these technologies and services relatively easily because they often lack proper cookie session validation mechanisms, researchers from Israeli startup Mesh Security said this week.

The researchers recently examined technologies from Okta, Slack, Monday, GitHub, and dozens of other companies to see what protection they offered against attackers using stolen session cookies to take over accounts, impersonate legitimate users, and move laterally in compromised environments.

The analysis showed that a threat actor who manages to steal the cookies of an authenticated user and hijack their sessions could bypass all MFA checkpoints and other access controls offered by these vendors. It found that even in environments that had deployed MFA and ZTNA approaches, an attacker with stolen session cookies could access privileged accounts, SaaS applications, and sensitive data and workloads.

With Okta, for instance, Mesh security researchers discovered that if an adversary could steal the session cookies of a user logged into their Okta account, they could use it to log into the same account from a different browser and location. Mesh found the attacker could access any of the resources that the user was authorized to access via their Okta account. "Surprisingly, although these attempts are expected to be blocked, the technique allows the attacker to bypass active MFA mechanisms since the session has already been verified," Mesh said in a report summarizing its findings.

**Not Directly Responsible?**

Okta described such attacks as an issue for which it was not directly responsible. "As a web application, Okta relies on the security of the browser and operating system environment to protect against endpoint attacks such as malicious browser plugins or cookie stealing," Mesh quoted Okta as saying. Most of the other vendors that Mesh contacted about the issue similarly distanced themselves from any responsibility for cookie theft, reuse, and session-hijacking attacks, says Netanel Azoulay, co-founder and CEO of Mesh Security.

"We believe that this issue is the complete responsibility of the vendors on our list — including IdP and ZTNA solutions," Azoulay insists. "Every vendor who intensively promotes the 'verify explicitly' principle should embed it in their own system. The whole idea of Zero Trust is to always verify every single digital interaction explicitly and never to trust."

Cookie theft and session hijacking are well-known issues and an attack vector that many threat actors — including advanced persistent threat actors such as APT29 — use routinely in their campaigns. Common tactics for stealing session cookies include phishing campaigns, browsing traps, and malware such as CookieMiner, Evilnum, and QakBot.

Attackers often use stolen session cookies to access Web applications and services as an authenticated user and have access until the sessions time out — something that can happen within several hours or several days.

**A Growing Concern**

Azoulay says the issue is important because organizations are increasingly moving from a perimeter-centric security approach to a more identity-driven model. Organizations such as Okta and other ZTNA vendors have become the hubs that connect employees and resources, including SaaS apps, IaaS workloads, and data, via customized browser-based portals. These systems serve as the core network of enterprises these days and provide a one-to-many access mechanism for attackers, he says.

"Organizations are investing massive budgets and efforts to isolate Internet traffic from their internal network by implementing security solutions such as IdP, SSO, MFA, and ZTNA," Azoulay says.

"A threat actor can potentially bypass this entire expensive mechanism and control measures to reach an organization’s crown jewels with a click of a button," he says. "The current mitigation techniques aren't designed to address it."

In its response to Mesh's analysis, Okta recommended that admins clear a user's sessions in the user interface or via its API. The company also noted that session time-out is configurable — from as little as 1 minute to 90 days. Once a session has expired, any copied sessions would also expire, the company noted. Okta also highlighted steps that organizations can take to minimize risk from stolen session cookies. For downstream applications, for instance, Okta administrators can require additional sign-on policies — including MFA. Similarly, tying a session to a registered or a managed device would minimize the risk of a rogue session being established from another devices, Okta said.

Many ZTNA, MFA Tools Offer Little Protection Against Cookie Session Hijacking Attacks

Least privilege is a good defense normally applied only to users. What if we limited apps' access to other apps and network resources based on their roles and responsibilities?

At some point in their career, everyone has probably seen one of those operational hierarchy charts that define who reports to whom at an organization. Sometimes just called an org chart, it's a useful tool to let people know who works for them, and who their bosses are. For example, in a typical org chart, the head of a coding group might report to the director of product development, who in turn reports to the vice president of innovation. Who hasn't looked at one of those charts to try and find their personal little block nestled inside somewhere?

There is one thing that almost every organizational chart has in common regardless of the size of the business or other factors. For the most part, all the building blocks on those charts represent humans or groups of humans. We are not at the point where machines are able to oversee humans, so for now, org charts are an exclusively human affair. But does our software also need an organizational hierarchy?

Of course, I am not suggesting that we add software to our company org charts. Nobody wants to have an app for a boss. How would you even ask them for a raise? However, by helping define the responsibilities of our apps and software within a tight hierarchy, and enforcing those policies with least privilege, we can make sure that our apps and software also survive and thrive despite the devastatingly rough threat landscape arrayed against them.

**Attacks on Apps, Software Reach an All-Time High**

Attackers these days, and the bots and automation-driven software that work for them, are constantly scanning for any slip-up in defenses to exploit. While all software is being targeted, the most damaging attacks are being made against application programming interfaces, or APIs. They are often flexible and unique, and sometimes even created on the fly as needed in the development process.

APIs are certainly flexible, but they are also often way over-permissioned for their functions. Developers tend to give them lots of permissions so that they can, for example, continue to function even as the program they are helping to manage continues to develop and change. But that means that if an attacker compromises them, then they get a lot more than just the rights to access, for example, one chunk of a specific database. They may even capture near-administrator rights to an entire network.

It's no wonder that several security research firms say the overwhelming majority of credential-stealing attacks today are being made against software like APIs. Akamai puts that number at 75% of the total, while Gartner also says that vulnerabilities involving APIs have become the most frequent attack vector. And the most recent Salt Labs report shows attacks against APIs rising by almost 700% compared with last year.

**Creating an Org Chart for Software**

One of the ways that organizations are fighting back against credential-stealing threats is by enforcing least privilege or even zero trust within their networks. This limits users to just receiving barely enough permissions in order to accomplish their tasks. That access is often further restricted by factors such as time and location. That way, even if a credential-stealing attack is successful, it won't do the attacker much good since they will only have permission to perform limited functions for a brief time.

Least privilege is a good defense, but is normally only applied to human users. We tend to forget that APIs also hold elevated privileges, yet often aren't nearly as supervised. That is one of the reasons why broken access control is now public enemy number one, according to the Open Web Application Security Project (OWASP).

It's easy to say that the solution to this critical problem is to simply apply least privilege to software. But it's a lot harder to implement. First, developers need to be made aware of the dangers. And then, moving forward, APIs and other software should either be officially placed, or at least envisioned, as part of an org chart within the network where it will reside. For example, if an API is supposed to grab real-time flight data as part of a booking application, then there is no reason why it should also be able to connect with payroll or finance systems. On the software org chart, there would be no direct or even dotted lines connecting those systems.

It's probably unrealistic for developers to actually create an org chart showing the thousands or even millions of APIs operating in their organization. But being aware of the danger that they pose, and restricting their permissions to just what they need to do their jobs will go a long way to stopping the rampant credential-stealing attacks that everyone is facing these days. It begins with awareness, and ends with treating APIs and software with the same scrutiny as human users.

Rethinking Software in the Organizational Hierarchy

Platform engineered to let organizations mitigate risk and manage complexities.

LEXINGTON, Mass., August 9, 2022 - BLACK HAT US 2022 – Mimecast Limited (Mimecast), an email and collaboration security company, today announced the availability of the Mimecast X1™ Platform. The widespread adoption of hybrid work environments coupled with the increased usage of digital-centric communication channels has expanded the attack surface – creating new organizational security risks for both people and data. By safeguarding email and business communications, the Mimecast X1 Platform is engineered to leverage a rich source of intelligence to learn about people and how they collaborate. These insights enable organizations to work protected by protecting their people, data, and communications.

By 2026, Gartner® forecasts\* that 50% of C-level executives will have performance requirements related to risk built into their employment contract. The Mimecast X1 Platform is designed to mitigate risk across email communications – the No. 1 attack vector – and help empower organizations to secure their workplace environment wherever work happens. It serves as the foundation of the Mimecast® Product Suite – built to drive industry-leading detection capabilities, deliver reliability, resilience and scale, and transform data into insights that turn email and collaboration security into the eyes and ears of organizations worldwide.

The Mimecast X1 Platform encompasses four core innovations designed to mitigate risk and manage complexities:

*   **Mimecast X1™ Precision Detection**: Mimecast X1 Precision Detection is engineered to apply the latest advancements in AI and Machine Learning and enable intelligent detection of emerging and unknown threat types, while layered protection keeps users safe all the way down to the point of risk. The industry’s most robust view of the email threat landscape – derived from Mimecast’s inspection of 1.3 billion emails daily – powers instantaneous blocking of the vast majority of email-based threats.
*   **Mimecast X1™ Service Fabric:** By allowing customers to grow securely and seamlessly and uncover user insights that can accelerate detection and response, the Mimecast X1 Service Fabric provides the foundation for cloud-delivered security at scale.
*   **Mimecast X1™ Data Analytics:** Providing the foundation for a wide array of services and capabilities – from the discovery and analysis of new threats and accelerated product innovation to rich context for threat researchers and support for cross-correlation of data with systems beyond email – X1 Data Analytics is built with one primary goal in mind: making information actionable for customers.
*   **Mimecast Extensible Security Hooks (MESH):** MESH exposes a vast API ecosystem that supports fast, simplified integration of Mimecast with existing security investments. Hundreds of integrations to third party security solutions have been implemented, spanning SIEM, SOAR, EDR to TIP and XDR. The result is reduced complexity, lowered risk, and optimized security investments.

“The introduction of the Mimecast X1 Platform represents an important next step in our company’s transformational journey,” said Peter Bauer, Mimecast CEO. “Email is where collaboration happens, and it continues to be the top attack vector demanding the strongest possible protection. However, alleviating cyber risk is not just the CISO’s job anymore. It is a collective responsibility shared by every organizational leader and employee. With the adoption of these solutions, more organizations and employees at all levels can work protected by receiving critical security benefits at lower costs and with easy deployment options.”  

The company is also previewing Mimecast Email Security (Express), a new gateway-less email security solution. The existing email security product, Secure Email Gateway, will now be known as Mimecast Email Security (Gateway). With the introduction of this new deployment option, enabled by the Mimecast X1 Platform, Mimecast will be able to provide customers with world-class email security and deployment flexibility.

Qualified new customers can register for early access to a 30-day trial of Email Security (Express) immediately. The product will be generally available for purchase by new customers in the United States and United Kingdom in late fall 2022. To learn more about the Mimecast X1 Platform, experience a demo of Mimecast Email Security (Express), and explore other Mimecast products and solutions, visit Booth #1250 at Black Hat USA 2022 on August 10–11, or visit our website www.mimecast.com.

\*Gartner Press Release, “Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23,” June 21, 2022. \[https://www.gartner.com/en/newsroom/press-releases/2022-06-21-gartner-unveils-the-top-eight-cybersecurity-predictio\]

**Mimecast: Work Protected™**

**Since 2003, Mimecast has stopped** bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.

_Mimecast, the Mimecast logo, Mimecast X1 and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in the Unites States and/or other countries. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. All other third-party trademarks and logos contained in this press release are the property of their respective owners._

Source

DARKReading