Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10.

Wednesday, May 8, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed three zero-day vulnerabilities that are still unpatched as of Wednesday, May 8. 

Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb\_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. While we were unable to reach the maintainers, the Tinyroxy maintainers have since patched the issue.  

Another zero-day exists in the Milesight UR32L wireless router. 

These vulnerabilities have all been disclosed in adherence to Cisco’s third-party vulnerability disclosure timeline after the associated vendors did not meet the 90-day deadline for a patch or communication.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Use-after-free vulnerability in Tinyproxy daemon **

_Discovered by Dimitrios Tatsis._ 

The Tinyproxy HTTP proxy daemon contains a vulnerability that could lead to arbitrary code execution. 

Tinyproxy is meant to be used in smaller networking environments. It was originally released more than a dozen years ago.  

A use-after-free vulnerability, TALOS-2023-1889 (CVE-2023-49606), exists in the \`Connection\` header provided by the client. An adversary could make an unauthenticated HTTP request to trigger this vulnerability, setting off the reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. This issue has been patched, though Talos initially released it as a zero-day when no patch was available.

**Milesight UR32L firmware update vulnerability **

_Discovered by Francesco Benvenuto._ 

The Milesight UR32L wireless router contains a vulnerability that could force the device to implement any firmware update, regardless of its legitimacy.  

TALOS-2023-1852 (CVE-2023-47166) exists because the UR32L, an industrial cellular router, never checks the validity of the uploaded firmware. This could allow an adversary to upgrade the router with arbitrary firmware they created. 

Talos has previously covered how an adversary could chain together several other vulnerabilities in the UR32L to completely take over the device. Talos released 22 security advisories in July 2023, nine of which have a CVSS score greater than 8. 

_Discovered by Emmanuel Tacheau._ 

A heap-based buffer overflow vulnerability exists in the comment functionality of stb \_vorbis.c, an open-source, single-header file library used to decode Ogg Vorbis non-proprietary audio files. Ogg Vorbis is an open-source, patent- and royalty-free, general-purpose compressed audio format. 

TALOS-2023-1846 (CVE-2023-47212) is triggered if an adversary sends the target a specially crafted .ogg file, which can lead to an out-of-bounds write. With enough heap grooming, an adversary could use this vulnerability to achieve arbitrary code execution.

Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target's traffic off of the protection provided by their VPN without triggering any alerts to the user.

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

Image: Shutterstock.

When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.

The machine on a network responsible for fielding these requests is called a **Dynamic Host Configuration Protocol** (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an **Internet gateway** — that all connecting systems will use as a primary route to the Web.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at **Leviathan Security** say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers **Lizzie Moratti** and **Dani Cronce** wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.

“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC \[standard\]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”

Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.

“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”

The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.

**ANALYSIS**

**Bill Woodcock** is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.

“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.

Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.

“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”

Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.

KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the **University of Illinois Chicago**. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.

“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If \[the\] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”

**MITIGATIONS**

According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the **Android** operating system, which apparently ignores DHCP option 121.

Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.

“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”

Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.

In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.

“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”

Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.

“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”

A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.

Why Your VPN May Not Be As Secure As It Claims

More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet that's vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool.

The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys.

Dubbed ArcaneDoor, the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

If CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately.

Source: Tenebroso via Alamy Stock Photo

COMMENTARY

In a recent open letter, high-profile names from across the business, academic, and scientific worlds called for governments to intensify their regulation of deepfakes.

While their aims are admirable, their efforts are misplaced — it's innovation, not regulation, that will shore up our defenses against the deepfake threat. 

The letter, titled "Disrupting the Deepfake Supply Chain," was signed by prominent thinkers, including Stephen Pinker, computer scientist Joy Buolamwini, US politician Andrew Yang, and the "godfather" of AI, Yoshua Bengio.

Specifically, the letter called for increased criminalization of deepfakes, the establishment of specific criminal penalties, and liability for software developers and distributors for the use of their products in deepfakes. 

The letter correctly identifies the symptoms. Deepfakes are proliferating at a rapid rate — more than 900% annually, according to The World Economic Forum. This is ratcheting up the threat level across society.

Deepfakes are already an established weapon in the hacker arsenal. One finance worker recently paid $25 million to malicious actors after they used a deepfake of the employee's CFO in a video conference call. This should serve as a warning shot across the bow for the corporate world, and the open letter is correct to raise the alarm about the relative lack of action.

However, delegating responsibility to governments will only leave corporations more exposed. CEOs cannot afford to sit back and rely on regulators to stem the flow of deepfakes. They must take action and build their own defenses as soon as possible — and they are already starting from behind. Catching up will mean doubling their investment in innovative technologies that can counteract deepfakes.

**Stone Age Policies**

But why aren't governments up to the task themselves?

Most governments' cybersecurity departments and policies are in the Stone Age compared with these hackers. By the time legislation is drawn up, debated, and rolled out, it's often already antiquated and behind the pace of technological development. 

Furthermore, relying on reactive regulation in one government also means trusting all governments to do the same. No matter how punitive the legislation in one country, hackers in another country won't worry about the penalties, so nations will have to work together to negate the threat of deepfakes. But right now, hoping the Chinese or Russian states will prevent hackers from disrupting business in the West is nothing short of naive. 

CEOs and senior management must step up to the challenge and take responsibility for ensuring that they aren't the next victim of a deepfake scam.

Fortunately, management has several technologies available that can be rolled out to shore up their deepfake defenses, including advanced authentication, detection AI, and content watermarking. 

CEOs can integrate enhanced authentication standards to insulate their firms from deepfake scams. Two-factor or multifactor authentication systems require users to provide additional verification beyond a password, adding information that deepfake scammers will need to access sensitive information.

**Fighting Deepfakes With AI**

Management must also deploy AI in the fight against deepfakes. AI tools can analyze media files for anomalies and inconsistencies that are evidence of tampering. They can also analyze the subjects of these files, such as facial expressions and vocal patterns, and then flag non-natural inconsistencies that the human eye may miss. They can even compare deepfakes against genuine employee biometric data to identify fake representations of company employees.

Another option available to corporations is content watermarking, which embeds invisible, unique identifiers into official company media files. This can be used to verify the authenticity and origin of media content that employees come into contact with. 

These are just some of the many digital tools that management can use to insulate themselves from deepfake scammers and hackers. But they come at a cost.

Currently, cybersecurity funding lags far behind the scale of the threat that deepfakes pose. As with the finance worker above, company funds are at risk. Deepfake scams could also be used to access sensitive IP and trade secrets. Deepfakes of employees can also damage a firm's reputation, harming investor and consumer confidence. 

Even in the face of these ominous threats, firms continue to woefully underfund cybersecurity. The recent Cisco Cybersecurity Readiness Index highlights how only 3% of organizations have the "mature" level of readiness needed to be resilient against cyber threats. 

So, if CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately. Relying on the government to do this for them only increases their exposure to the risk that deepfakes pose. With healthier financing, corporations can roll out authentication tools, AI identification systems, and content watermarking to properly insulate themselves from the deepfake threat. 

**About the Author(s)**

Founder & CEO, artius.iD

Michael Marcotte is one of the world’s pre-eminent experts in digital identity, cybersecurity, and business intelligence technology. He joined EchoStar, the multibillion-dollar satellite communications firm, in 2006, and was Global CIO, Global CDO, and president (Hughes Cloud Services). He was one of the very first people to serve as chief digital officer of a major international corporation. Michael left EchoStar in 2014 and currently is the founder and CEO of digital authentication firm artius.iD. He has applied his expertise at a range of firms in technology, cybersecurity, and venture capital. He is also co-founder of the National Cybersecurity Center (NCC) and was founder and chairman of the NCC's Rapid Response Center Board. He has been a senior adviser for several heads of state and US senators.

Innovation, Not Regulation, Will Protect Corporations From Deepfakes

Actual legislation is a long shot and a decade away, but policy experts are looking to jump-start the conversation around greater legal liability for insecure software products.

Source: Nick Lylak via Alamy Stock Photo

While legal legwork is already in progress to hold software vendors liable for delivering insecure products, actual laws and penalties are at least a decade away, says one policy expert who'll be speaking at next week's RSA Conference.

Greater accountability for insecure software vendors has the support of the Biden White House. However, licensing and contract protections have shielded companies whose vulnerable products have cost customers millions, according to James Dempsey, senior policy adviser/technology and governance lecturer, Stanford Program on Geopolitics/UC Berkeley Law School.

Dempsey will moderate a detailed discussion of proposed legal frameworks for software liability at this year's RSA, giving vendors a glimpse at the liability landscape. He'll be joined by Nick Leiserson, assistant national cyber director, cyber policy and programs, Office of the National Cyber Director; Bruce Schneier, security technologist, researcher, and lecturer, Harvard Kennedy School; and Chinmayi Sharma, associate professor, Fordham Law School.

"Right now, almost all software developers have language in their licenses or other contracts or terms of service in which they disavow any liability for any flaws in their products," Dempsey explains.

He uses the example of the Microsoft license on his own laptop to illustrate.

"For example, the Microsoft license for the operating system on my laptop says: 'You may not under this limited warranty, under any other part of this agreement, or under any theory, recover any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages,'" Dempsey tells Dark Reading. "The damage exclusions and remedy limitations in this agreement apply even if Microsoft knew or should have known about the possibility of the damages."

That's how vendors have been evading legal liability for their customer's damages, and in some cases, collecting cyber insurance payouts instead.

Progress Software, whose vulnerable MOVEit file transfer software led to the breach of more than 600 organizations and the compromise of the personal information of more than 40 million people, has so far evaded liability for its customer losses. Instead, Progress filed an 8-K form with the Securities and Exchange Commission that outlined the company's intent to collect on its full $15 million cyber-insurance policy coverage.

While there is a class-action consumer rights litigation against Progress Software for negligence and breach of contract, there are no legal protections for its customers, which in other industries could be enforced under an agreed upon legal "standard of care," according to a recent paper, "Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor," published by Dempsey in Lawfare. The paper outlines Dempsey's theory for the right path toward holding vendors legally liable for the cybersecurity of their products.

Okta is another software vendor that has exposed its customers to cyberattacks — and losses. September cyberattacks against Caesars Entertainment and MGM Resorts used Okta as an initial attack vector. Losses related to the cyberattacks at the hospitality giants racked up hundreds of millions in costs; both in lost earnings, as well as ransomware payouts.

By the end of 2023 Okta confirmed that an unauthorized user was able to gain access to data on 100% of its customers.

**Why Strong Software Developer Liability Protections Also Matter**

Holding developers liable for knowingly producing insecure tools requires carefully considered guidelines for what is a reasonable level of cybersecurity to expect from a software vendor in order to determine egregious outliers, Dempsey explained.

"Because there is general agreement that the manufacturers of software should not be made insurers of their products but rather should be liable only when a product is unreasonably secure, getting software liability right turns a lot on defining a standard of care," Dempsey's Lawfare article read.

This standard would include defects analysis already widely used in products liability law, the article added.

Dempsey also advocates a software developer "safe harbor" for hard-to-detect flaws. "For that, I would turn to a set of robust coding practices," Dempsey wrote.

Dempsey tells Dark Reading the Biden Administration realizes legislation will be necessary to achieve its goal of holding insecure software developers liable, which he adds they also understand is a long shot: "They see this as a 10-year issue."

Dempsey will moderate a detailed discussion of proposed legal framework for software liability on Monday, May 6, during RSA in San Francisco at 8:30 a.m. PT, giving vendors a glimpse at the liability landscape to come.

Software Security: Too Little Vendor Accountability, Experts Say

Threat actor dropped in to Dropbox Sign production environment and accessed emails, passwords, and other PII, along with APIs, OAuth, and MFA info.

Source: Lina Images via Shutterstock

Online storage service Dropbox is warning customers of a data breach by a threat actor that accessed customer credentials and authentication data of one of its cloud-based services.

The breach occurred when an unauthorized user gained access to the Dropbox Sign (formerly HelloSign) production environment, something administrators became aware of on April 24, according to a blog post published on May 1. Dropbox Sign is an online service for signing and storing contracts, nondisclosure agreements, tax forms, and other documents using legally binding e-signatures.

Specifically, the actor gained access to a Dropbox Sign automated system configuration tool, compromising a service account used to execute apps and run automated services as part of Sign's back end.

"As such, this account had privileges to take a variety of actions within Sign's production environment," the Dropbox Sign team wrote in the blog post. "The threat actor then used this access to the production environment to access our customer database."

**Customer Credentials Exposed**

Data exposed in the breach includes Dropbox Sign customer information such as emails, usernames, phone numbers, and hashed passwords. Moreover, anyone who received or signed a document through Dropbox Sign but never created an account had their email addresses and names exposed in the breach.

The threat actor also accessed data from the service itself, such as Dropbox Sign's API keys, OAuth tokens, and multifactor authentication (MFA) details, according to the post. This is all data used by third-party partners to connect to the service and offer seamless integration from their respective online services, with OAuth in particular being weaponized by threat actors for cross-platform compromise. Thus, users of other services could indirectly be affected by the breach.

Dropbox found no evidence that threat actors accessed any of the contents of customer accounts, such as documents or agreements signed through the service, nor any customer payment information. Moreover, as Dropbox Sign's infrastructure is largely separate from other Dropbox services, the company found that none of its other entities were affected by the breach.

As soon as Dropbox discovered the breach, the company brought on forensic investigators to get to the bottom of it; that investigation is ongoing. Dropbox also is in the process of reaching out to all users impacted by the incident and will provide step-by-step instructions on how to further protect their data.

**Mitigation Steps**

As an initial mitigation of the effects of the breach, Dropbox's security team reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens for the service. From a user perspective, all Dropbox Sign users will be asked to reset their passwords the next time they log into the service, the company said.

API customers will need to rotate their API keys by generating a new one; instructions for doing this are online. That key will then have to be configured with their individual application, along with deleting the current API key to protect their accounts, according to Dropbox.

"As an additional precaution, we'll be restricting certain functionality of API keys while we coordinate rotation," according to the post. As a result, only signature requests and signing capabilities will continue to be operational until the API key is rotated; only then will the restrictions be removed and the product continue to function as normal.

For customers who use an authenticator app along with Dropbox Sign for MFA, they should reset it by first deleting their existing entry and only then proceed with the reset, the company said. Those who use SMS for MFA don't need to take action.

Further, if someone reused their Dropbox Sign password on any other services, Dropbox recommends that password be changed and MFA be used whenever available.

Dropbox will continue an "extensive review" of the incident to understand exactly what happened, and to protect its customers against similar threats in the future, the company said, adding its willingness to help any customer who was impacted by the breach.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Dropbox Breach Exposes Customer Credentials, Authentication Data

There are some classics on this list — the ever-present “Password” password, Passw0rd (with a zero, not an “O”) and “123456.”

Thursday, May 2, 2024 14:00

Brute force attacks are one of the most elementary cyber threats out there. Technically, anyone with a keyboard and some free time could launch one of them — just try a bunch of different username and password combinations on the website of your choice until you get blocked.  

Nick Biasini and I discussed some of the ways that organizations can defend against brute force attacks since detection usually doesn’t fall into the usual bucket (ex., there’s nothing an anti-virus program could detect running). But a good place to start just seems to be implementing strong password rules, because people, unsurprisingly, are still using some of the most obvious passwords that anyone, attacker or not, would guess. 

Along with our advisory on a recent increase in brute force attacks targeting SSH and VPN services Cisco Talos published a list of IP addresses associated with this activity, along with a list of usernames and passwords adversaries typically try to use to gain access to a network or service. 

There are some classics on this list — the ever-present “Password” password, Passw0rd (with a zero, not an “O”) and “123456.” This tells me that users still haven’t learned their lesson. It’s somewhat funny to think about some well-funded actor just being like, “Well, let me try to ‘hack’ into this machine by using ‘123456’” as if they’re in a parody movie, but if they already can guess a username based off someone’s real name, it’s not that unlikely that password is being used somewhere. 

A few other example passwords stood out to me: “Mart1x21,” because I can’t tell if this is just someone named “Martin” or a play on the month of March, and things like “Spring2024x21” and “April2024x21” because I appreciate the idea that someone using that weak of a password thinks that adding the extra three characters onto “April2024” is really going to throw an attacker off. 

Looking at this list got me thinking about what some potential solutions are to the internet’s password problem, and our ever-present battle to educate users and warn them about the dangers of using weak or default passwords. 

Going passwordless is certainly one option because if there just are no passwords to log in, there’s nothing text-based an attacker could just start guessing. 

The best solution I’ve seen recently is that the U.K. literally made a law requiring hardware and software manufacturers to implement stronger security standards. The Product Security and Telecommunications Infrastructure (PSTI) that went into effect last month contains a range of security protections companies must follow, but they now include mandatory password rules that will force users to change default passwords when registering for new accounts and stop them from using easy-to-guess passwords like “Admin” and “12345.”  

It would be great if users would just stop using these credentials on their own, but if attackers are still thinking that someone out there is using “Password” as their password, they probably are.  

**The one big thing **

For the first time in several quarters, business email compromise (BEC) was the most common threat in Cisco Talos Incident Response (Talos IR) engagements during the first quarter of 2024. BEC made up 46 percent of all engagements in Q1, a significant spike from Q4 2023, according to the latest Talos IR Quarterly Trends Report. Ransomware, which was the top-observed threat in the last quarter of 2023, decreased by 11 percent. Talos IR also observed a variety of threats in engagements, including data theft extortion, brute-force activity targeting VPNs, and the previously seen commodity loader Gootloader. 

**Why do I care? **

BEC is a tactic adversaries use to disguise themselves as legitimate members of a business and send phishing emails to other employees or third parties, often pointing to a malicious payload or engineering a scheme to steal money. The use of email-hiding inbox rules was the top-observed defense evasion technique, accounting for 21 percent of engagements this quarter, which was likely due to an increase in BEC and phishing within engagements. These are all valuable insights from the field provided in Talos IR’s full report. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts, to prevent the spread of BEC. If you’d like to read about other lessons from recent Talos IR engagements, read the one-pager here or the blog post here. 

**Top security headlines of the week **

**The chief executive of UnitedHealth Group testified to U.S. Congress on Wednesday regarding the recent cyber attack against Change Healthcare.** Change’s operations went nearly completely dark for weeks earlier this year after a data breach, which likely resulted in millions of patients’ records and personal information being accessed. Lawmakers questioned whether UnitedHealth was too involved in the nation’s medical systems, as Change manages a third of all American patient records and processes more than 15 billion transactions a year at doctor’s offices, hospitals and other medical providers. As a result of the outage, some healthcare practitioners went more than a month without being paid, and many had to tap into their personal funds to keep offices open. UnitedHealth’s CEO told Congress the company was still working to figure out the full extent of the campaign and was talking to U.S. agencies about how to best notify individuals who were affected. The hearing has also generated a conversation around consolidation in the American healthcare industry and whether some groups are controlling too much of the patient base. (The New York Times, CNBC) 

**Vulnerabilities in a popular phone tracking app could allow anyone to view all users’ locations.** A security researcher recently found that iSharing, which allows users to see the exact location of a device, contains a vulnerability that prevented the app's servers from conducting proper checks of user data access. iSharing is advertised as an app for users who want to track friends' and family members’ locations or as an extra layer of security if their device were to be lost or stolen. The flaws also exposed users’ names, profile pictures, email addresses and phone numbers. The researcher who discovered the vulnerability was able to show a proof-of-concept exploitation almost immediately after creating a brand new account on the app. Representatives from the developers of iSharing told TechCrunch that the company’s logs did not show any signs of the vulnerability being exploited prior to the researcher’s disclosure. These types of apps can also be used as “stalkerware,” in which someone who knows a targeted user quietly downloads the app on a target’s phone, and then uses it to remotely track their location. (TechCrunch) 

**Adversaries are hiding malware in GitHub comments, disguising malicious code as URLs associated with Microsoft repositories, and making the files appear trustworthy.** Although some security researchers view this as a vulnerability, Microsoft maintains that it is merely a feature of using GitHub. While adversaries have so far mainly abused this feature to mirror Microsoft URLs, it could theoretically be used to create convincing lures on any GitHub repository. When a user leaves a comment in GitHub, they can attach a file, which is then uploaded to GitHub’s CDN and associated with the related project using a unique URL. GitHub automatically generates the link to download that attachment after adding the file to an unsaved comment, allowing threat actors to attach malware to any repository without the administrators knowing. This method has already been abused to distribute the Readline information-stealing trojan by attaching comments to Microsoft’s GitHub-hosted repositories for “vcpkg” and “STL.” The malicious URL will even still work if the poster deletes the comment, allowing them to reuse the GitHub-generated URL. (Bleeping Computer, Dark Reading) 

**Can’t get enough Talos? ** 

*   Cisco Talos at RSAC 2024 
*   Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign 
*   Governments issue alerts after 'sophisticated' state-backed actor found exploiting flaws in Cisco security boxes 
*   Vulnerabilities in employee management system could lead to remote code execution, login credential theft 
*   Researcher Spotlight: James Nutland studies what makes threat actors tick, growing our understanding of the current APT landscape 

**Upcoming events where you can find Talos**

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

What can we learn from the passwords used in brute-force attacks?

PRESS RELEASE

SAN FRANCISCO, April 30, 2024 /PRNewswire-PRWeb/ -- Cobalt, the pioneers of Pentest as a Service (PtaaS) and leading provider of offensive security solutions, today announced its sixth annual State of Pentesting Report. In addition to a deep dive into pentesting trends, this year's report uncovers an industry deeply grappling with how to both use and protect from AI amidst significant resource and staffing constraints.

Pentesting plays a key role in addressing this challenge, equipping organizations with the ability to more frequently security test critical assets, expanded environments, and proliferating cloud applications. As part of the report, Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year (from Cobalt State of Pentesting Report 2022), aligning with increases in Common Vulnerabilities and Exposures (CVE) records. Additionally, findings indicated that the median time to fix vulnerabilities also increased in comparison to previous years.

In addition to its pentesting analysis, the report also includes a survey of more than 900 cybersecurity professionals across the U.S. and U.K. The study digs into how cyber professionals are balancing internal staffing and working with external partners, the push-pull of AI as both a tool and a threat, and the challenges the C-suite faces to lead change. Some of the most critical findings include:

*   Challenges In the Eye of the AI Storm: The study highlights the push-pull relationships cyber security teams have with AI. A huge majority (86%) cite their teams have adopted AI-powered tools on their teams, while on the flip side, seven in ten respondents also cite an increase in threats coming from AI. This aligns with the growth Cobalt experienced in its business. Throughout 2023, Cobalt performed an increasing number of pentests on AI systems, primarily on software products incorporating AI-enabled chatbots to improve user experience. The most common vulnerabilities uncovered included prompt injection (including jailbreak), model denial of service, and prompt leaking (sensitive information disclosure). Despite the increased investment, many teams (59%) worry they are still trailing behind the AI threat.
    
*   Short Staffing Shifts From Concerning to Significant Risk: The report captures the reality of significant industry layoffs and uncertainty that plagued 2023 and the hangover effect layoffs continue to have on threat levels. Thirty-one percent of respondents said their organization conducted layoffs during the past six months, and ⅓ of those agree their organization faces greater cyber risk due to those departures. Most concerning is that there are no signs of a strong staffing recovery. Nearly one-third of respondents report being on a hiring freeze, and 29% expect to do more layoffs still this year. Looking at the data, Cobalt sees an increase in the overall volume of high and critical severity findings of 39% year over year. This is leading many companies to look at how they will utilize partnerships and vendors to improve security measures, with 59% agreeing they will increase pentesting in 2024.
    
*   C-Suite Pressures: As attacks rise, C-suite executives are increasingly finding themselves at the top of the accountability and liability food chains. It's clear that respondents are feeling this pressure; C-suite is 31% more likely than non-C-suite to say the industry environment is impacting their mental health, and 51% more likely to say it's impacting their physical health. Like their staff, they cite challenges balancing talent shortages and budget constraints against both increasing and emerging threats. Among all groups surveyed, they are the most concerned about AI adoption (33% more than non-C-suite respondents). Despite these challenges, C-suite leadership is proven to be critical to cyber security, with 23% noting that C-suite leadership is more critical than budget to preventing attacks.
    

"With cybersecurity teams strained by staffing shortages and concerns rising about AI's potential to enhance cyberattacks, the importance of pentesting as a proactive measure is key," said Caroline Wong, Chief Strategy Officer at Cobalt. "Our data reinforces the actions we as an industry need to take: prioritizing talent acquisition, exercising caution in AI integration to safeguard against evolving threats, and leveraging pentesting."

"Enterprises today not only face digital threats but the personal toll that these challenges take on their executives," said Chris Manton-Jones, CEO at Cobalt." As leaders, it is crucial to understand that cybersecurity is not just about securing our digital assets but also about ensuring the safety of our entire organization, including ourselves. This is where Cobalt can help make a difference. We close the gaps with security expertise and provide scalable offensive security testing across the entire attack surface. It adds a community of trusted security experts to your team and takes your security program to the next level."

Cobalt will be discussing the report at its booth #4324 in Moscone North Expo during RSA. Visit https://www.cobalt.io/ to learn how Cobalt can help your organization and to download the full 2024 State of Pentesting Report.

About Cobalt   
Cobalt combines talent and technology with speed, scalability and resilience. Our award-winning Pentest as a Service (PtaaS) model empowers organizations to keep pace with their evolving attack surface and agile software development lifecycles. Thousands of customers and hundreds of partners rely on Cobalt's modern SaaS platform and exclusive community of more than 400 trusted security experts to secure applications, networks, and devices. We deliver security testing that supports business drivers, maximizes internal resources, and creates stronger security programs so that organizations can operate fearlessly and innovate securely.

You May Also Like

Cobalt's 2024 State of Pentesting Report Reveals Cybersecurity Industry Needs

Unmanaged and unknown Web services endpoints are just some of the challenges organizations must address to improve API security.

Source: Wright Studio via Shutterstock

Organizations shoring up their API security need to pay particular attention to unmanaged or shadow application programming interfaces.

Shadow APIs are Web services endpoints that are no longer in use, outdated, or undocumented, and therefore not actively managed. Application and security teams need to find such APIs and ensure each one is either documented or decommissioned to mitigate the significant risk they present, says Rupesh Chokshi, senior vice president, application security at Akamai.

**The Risk From Unmanaged APIs**

Chokshi is scheduled to present a talk on the topic at the upcoming RSA Conference 2024 in San Francisco next week. In a presentation titled "The Secret Life of APIs: Latest Attack Data Shows What Your APIs are Doing," Chokshi identifies shadow APIs as one of several postural — or implementation-related — issues that organizations must prioritize when tackling API security.

One of the biggest surprises for enterprises that increase their visibility into API activity is the sheer number of shadow endpoints in their environment that they were previously unaware of, Chokshi says. The first step to enabling better API security is to discover these shadow endpoint and either eliminate them or incorporate them into the API security program, he notes.

API security has become an increasingly pressing challenge for IT and security leaders. In recent years, many organizations have deployed APIs extensively to integrate disparate systems, applications, and services in a bid to streamline business processes and boost operational efficiencies. APIs have also played a central role in enabling digital transformation initiatives by giving companies a way to modernize legacy applications, adopt cloud services, and engage more efficiently with customers, partners, and other third parties.

**The API Proliferation Challenge**

The resulting proliferation of APIs has significantly expanded the attack surface at many organizations and exposed them to greater risks, Chokshi says. He points to research from Akamai earlier this year that found that 29% of all Web attacks in 2023 targeted APIs. Common attack vectors included SQL injection, cross-site scripting, session hijacking/session manipulation, and data harvesting attacks. Attackers targeted organizations in certain sectors more frequently than others. More than 44% of all Web attacks in the e-commerce sector, for instance, targeted APIs. Similarly, nearly 32% and 19% of the Web application attacks that business services organizations and healthcare organizations, respectively, encountered last year targeted application programming interfaces.

Chokshi says the API security challenges that most organizations encounter fall under two broad categories: postural and runtime related. Postural issues result from implementation weaknesses, such as those related to shadow APIs. An October 2022 research report from Cequence Security identified more than 31% of all malicious requests — or some 5 billion of 16.7 billion — targeted unknown and unmanaged APIs.

Other common postural problems include unauthenticated resource access, sensitive data in the URL, overly permissive cross-origin resource sharing, and excessive client errors, which can include issues like improper authentication.

The most common runtime problems — or active threats — that organizations typically encounter include unauthenticated attempts to access sensitive API resources; API activity with unusual JSON payloads, like unexpected data types; unexpected or malformed data as part of API requests; and data scraping attempts.

Given the rapidly evolving nature of the API threat landscape, organizations need to ensure they have proper visibility over their API environment, Chokshi notes. In addition to detecting and decommissioning shadow APIs, organizations need to maintain an inventory of their APIs. They also need to harden their API posture by, for instance, correcting flaws in API code and addressing misconfiguration issues; bolstering threat detection and response capabilities; and establishing an API threat hunting capability.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#cisco