Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.

Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for "Sliver." It's an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.

"What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike \[by defenders\]," says Josh Hopkins, research lead at Team Cymru. "Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected," he says.

Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.

**Growing Use**

Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.

Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.

**An Attractive Alternative for Adversaries**

Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.

Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant. 

"Stagers are used by many C2 frameworks to minimize the malicious code that's included in an initial payload (for example, in a phishing email)," Microsoft said. "This can make file-based detection more challenging."

Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.

"Sliver lowers the barrier of entry for attackers. \[It\] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses," he notes. 

But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. "Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it," he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.

And finally, the fact that it's free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.

**Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks**

At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn. 

In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes. 

"Defenders would be unwise to take their eyes off Cobalt Strike," Hopkins says. "Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks."

Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called "Bumblebee". The company's chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors. 

"Sliver has a lot of features, \[but\] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users," he says "This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection."

Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes. 

Earlier this year, Palo Alto Networks' Unit 42 threat-hunting team uncovered what appeared to be Russia's notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign. 

Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called "Mythic" following some initial indications of adoption within the threat-actor community.  

Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says. 

"\[So\], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks," he notes.

'Sliver' Emerges as Cobalt Strike Alternative for Malicious C2

Understanding how and why people respond to cyber threats is key to building cyber-workforce resilience.

The complexity, ceaselessness, and increasingly destructive nature of today's cyber threats creates a high cognitive workload. This is why it's crucial to ensure that employees are developing the right cognitive skills and agility to protect against attacks. Doing so will have a powerful impact on an organization's cyber-workforce resilience.

A recent "Cyber Workforce Benchmark" report from Immersive Labs took the pulse of cyber skills, knowledge, and preparedness of organizations and their workforces across numerous industries, including financial services, retail, healthcare, and government. The report examines how prepared certain industries are for cyberattacks, providing results from a psychological standpoint. Here are some key findings from the report and the psychological analysis behind them.

**The frequency of organizations conducting cyber-crisis exercises varies significantly across different industries — and can also impact performance scores.**

An analysis of more than 6,400 crisis response decisions shows that technology and financial services companies prepare the most for cyberattacks, running nine and seven exercises per year, respectively. Critical national infrastructure organizations prepare the least, with just one exercise per year. Healthcare runs a mere two. When it comes to these industries' performance in cyber-crisis exercises, healthcare scored 18%, which is low when compared with technology companies, which scored 80%.

_What it means: The more an organization exercises its abilities, the better they become._

Psychology provides an explanation as to why this is the case. People develop surface-level knowledge of a capability before moving on to more advanced thinking. If these skills aren't reinforced or exercised, they fade. It's like learning a new language: If you don't practice the language and speak it on a regular basis, odds are you will lose your knowledge of it. Only with regular, consistent practice and exercise will crisis response teams be able to develop the ability to make connections between previous decisions and how to apply them — or not — during a cyberattack.

**Ransomware causes great uncertainty for crisis response teams.**

The research asked participants to rate how confident they were in their answers during training, and the simulations that focused on ransomware were the ones where participants lost confidence in their decision-making and judgments. Teams did not want to pay the ransom, with 83% of participants saying they would not do so. However, they were also uncertain about the outcome if they did not pay. Interestingly, the report showed, the industries most likely to pay ransoms were education (25%), consulting (23%), and retail and e-commerce (20%).

_What it means: This lack of decision-making confidence points to a classic issue for crisis response teams, often referred to as a "wicked problem."_

When considering options with no clear-cut resolution, decisions are challenged by data overload and decision fatigue. The sheer amount of information can be overwhelming. Decisions may be rushed, based on uncertainty or even fear. In the end, because the brain becomes overwhelmed, we settle on a compromise that leads to a lack of confidence in the decision.

**High-profile vulnerabilities see a significantly decreased time to capability.**

Four of the top five fastest-developed skills in 2021 came from dealing with the Log4j vulnerability. It took cybersecurity teams an average of two days to develop the knowledge and skills to defend against it. This was a whopping 48 times faster than the average threat intelligence lab. This reflects the severe impact of Log4j. It also demonstrates the scramble many teams faced in understanding and responding to the threat.

_What it means: The human need to take action is an automatic response, hardwired into our brains, and could cause people to rush into making decisions — good or bad._

The brain makes assumptions and takes shortcuts based on previous experiences, which could spell trouble for organizations. These assumptions and shortcuts, known as biases and heuristics, can lead to irrelevant decisions that may end up backfiring or even making situations worse. If people understood how their minds work and how they react in emergencies, they could learn how to eventually counteract their natural instincts. This will help increase confidence and the effectiveness of decision-making in the future.

**The Bottom Line**

Cyber-workforce resilience is more crucial than ever before. Cyber-crisis exercises should not be considered a one-and-done occurrence — nor should they be exclusive to cyber teams. We must shift our mindset to making regular exercises a critical business function, developing cognitive agility across the entire workforce. Continuous professional development needs to become part of the day job. We call this concept "microdrilling." It helps to sharpen teams' skills, bolster their confidence when making decisions, and enable them to make smarter decisions in real-life situations. The goal is not to teach people to respond to a specific crisis, but rather to develop the necessary decision-making skills to respond to _any_ crisis. Organizations will never become truly cyber resilient unless they make regular cyber exercises across the workforce a priority.

What You Need to Know About the Psychology Behind Cyber Resilience

PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.

Original Release: August 4, 2022

****Overview****

Recently, a security vulnerability was discovered in the PrinterLogic Windows Client driver installation process. Vasion has completed remediation for this vulnerability via an updated Windows Client package.

****Vulnerability Description****

The PrinterLogic Windows Client on or before Version 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content. A CVE will be published by Mitre shortly and added to this bulletin when available.

****Investigation and Remediation****

The vulnerability is remediated by updating the PrinterLogic Windows Client to Version 25.0.0.688 or later. Release notes for the new client are found here. Depending on your PrinterLogic platform, the following instructions apply:

*   For PrinterLogic SaaS, information about updating clients is found here.
*   For the PrinterLogic Virtual Appliance, a VA Application Update containing the new Windows client is available. For more information about application updates is available here. Once the update is complete, deploy the new client using the steps found here.
*   For PrinterLogic Web Stack, the latest client download is here.
*   If you prefer to push the new Windows client via third-party software, you’ll find the client installation package (MSI) here.

Original Release: April 5, 2022

****Overview****

A security vulnerability that affects VMware products was reported in CVE-2022-22965. The issue does not impact Vasion software.

****Description****

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

****Impact****

While some customers run their PrinterLogic Virtual Appliance on VMware hypervisors, the VA itself is not at risk. Information about remediations for VMware software is available here.

Original Release: Mar 24, 2022

****Overview****

Recently, an out-of-bounds vulnerability assigned to CVE-2021-44142 was disclosed in Samba versions prior to 4.13.17. This flaw involves an out-of-bounds heap read-write event in which remote attackers could execute arbitrary code as root on affected Samba installations that use the VFS module vfs\_fruit. The PrinterLogic Virtual Appliance (VA) is susceptible to this vulnerability and was remediated. This issue does not affect PrinterLogic SaaS.

****Vulnerability Description****

Samba is an implementation of SMB protocol that provides file and printer interoperability for Windows platforms over the network. It is a widely installed software package, and many Linux-based IoT and network devices include publicly open SMB services by default.

The specific flaw exists in EA metadata parsing when opening files in smbd, the Samba server daemon that provides file sharing and printing services to Windows clients. Access as a user with write access to a file’s extended attributes is required to exploit this vulnerability. A guest or unauthenticated user could do this if they are allowed write access to file extended attributes.

The problem in vfs\_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to settings other than the default values, the system is not affected by the security issue. The PrinterLogic VA Host has vfs\_fruit enabled and required remediation.

****Vasion Investigation and Remediation****

Vasion has removed the VA\_Fruit module from the PrinterLogic Virtual Appliance. Therefore, we recommend that PrinterLogic VA customers with host versions 1.0.735 and earlier update their VA Host, which includes the latest application release. This update includes other new functionality as well described in the release notes. The update and release notes can be found in our PrinterLogic VA Admin Guide here.

Original Release: Feb 7, 2022

****Overview****

In late January, Vasion became aware of a vulnerability that affects many Linux distributions. The company has completed remediations in its PrinterLogic SaaS and PrinterLogic Virtual Appliance (VA) platforms.

****Vulnerability Description****

Polkit (formerly known as PolicyKit) is a systemd SUID-root program and is installed by default in every major Linux distribution. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. 

In the version of Polkit that resulted in this vulnerability discovery, the pkexec application doesn’t handle the calling parameters count correctly and ends by trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in a way that induces pkexec to execute arbitrary code. This can result in a local privilege escalation and give unprivileged users administrative rights on the target machine.

A new version of Polkit was released that addresses this vulnerability. More information can be found in the CVE-2021-4034 detail document found here.

****Vasion Investigation and Remediation****

Vasion completed its investigation to determine how this vulnerability affects PrinterLogic SaaS and the PrinterLogic Virtual Appliance (VA). It was found that servers for both platforms contained the affected version of Polkit.  

Both PrinterLogic products have been patched with the latest version of Polkit recommended by Linux (0.105-20 Ubuntu 0.18.04.05 changed to 0.105-20 Ubuntu 0.18.04.06). 

Because PrinterLogic SaaS updates occur automatically, this remediation is already live.

PrinterLogic VA customers with host versions 1.0.730 and earlier will need to update their VA host, which includes the latest application release as well. The VA update and release notes can be found in our Admin Guide here.

Original Release: Jan 21, 2022

****Overview****

Recently, security vulnerabilities were discovered in PrinterLogic Web Stack versions 19.1.1.13 SP9 and below. PrinterLogic has completed corrective measures to remediate each vulnerability, and updates are available now for PrinterLogic Web Stack and the Virtual Appliance. Updates occurred automatically with PrinterLogic SaaS and are live worldwide. A summary of the vulnerabilities and corrective actions PrinterLogic has taken are below. Links to the respective CVEs will be added once they are available.

****Vulnerabilities (CVEs) and Remediation Summary****

*   **CVE-2021-42631:** Object Injection leading to RCE CVSS 8.1

– The affected endpoints were reorganized so they no longer use objects passed as parameters (removing the vulnerability). The vulnerable function “unserialize()” is no longer used.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42635:** Hardcoded APP\_KEY leading to RCE CVSS 8.1

– The Web Stack installers were adjusted to generate random keys on installation and on updates.

– In addition, we performed scans for other keys and credentials that may have been leaked, and any findings were also corrected.  Measures were furthermore put in place to prevent any leaked secrets from accidentally    being included in future releases.

– Affected Web Stack only. Remediations completed.

*   **CVE-2021-42638:** Misc command injections leading to RCE CVSS 8.1

– The affected areas were completely removed where possible (e.g., no longer supported features, printer models, etc.), and escaping/sanitation was corrected for items that could not be removed.

– Affected Web Stack only. Remediations completed.

*   **CVE-2021-42633:** SQLi may disclose audit logs CVSS 0

– The SQLi code was never used. The offending pages were removed.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42637:** Blind SSRF CVSS 4.0

– The test page causing this issue was removed.

– Affected Web Stack only. Remediations completed.

*   **CVE-2021-42639:** Misc reflected XSS CVSS 4.0

– All RCSS vulnerabilities were identified and removed or inputs were escaped or sanitized.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42640:** Driver assignment IDOR CVSS 3.8

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42641:** Username/email info disclosure CVSS 2.0

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

*   **CVE-2021-42642:** Printer console username/password info disclosure CVSS 4.0

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

****Affected PrinterLogic Software Versions:****

*   **PrinterLogic Web Stack**

– **Version 19.1.1.13 SP9 and earlier**, when operating with macOS or Linux endpoint client software. See new install and update links below.

*   **PrinterLogic Virtual Appliance**

– **Version 20.0.1304 and earlier,** when operating with macOS or Linux endpoint client software.

a. Application update is required. See links below.  

b. Host update not required if you have **VA Host v1.0.674 or later.** 

*   **PrinterLogic SaaS**

– Our SaaS platform does automatic updates. Remediations are now live worldwide. No customer action is needed.

****Updated Files and Documentation****

*   **PrinterLogic Web Stack**

– Link to file for new installs

– Link to file for updates

– Online documentation for these updates

– Only admin server updates are required; no client updates are needed.

*   **PrinterLogic Virtual Appliance**

– Online documentation and file(s) for these updates

– No client software updates are required.

Original Release: Dec 14, 2021

****Overview****

The Log4j vulnerability, documented in CVE-2021-44228, is a remote code execution vulnerability in Log4j. This framework is used for logging within many software solutions. The Log4j library is vulnerable to Remote Command Execution (RCE), which means a remote attacker can execute commands over the network on software that contains the vulnerable Log4j versions.

****Vasion Security Response****

Vasion is aware of the issue and has not found any evidence of exploitation or vulnerability with our products. Vasion products including PrinterLogic SaaS, PrinterLogic VA, and Vasion ST do not utilize, or have dependencies on, the affected Log4j libraries. Therefore, these products are not vulnerable to the referenced CVE-2021-44228.

Our security team will continue to monitor the situation. If our assessment changes, we will publish our findings and subsequent recommendations in this bulletin.

Original Release: Jul 13, 2021

****Overview****

PrintNightmare, documented in CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler. This vulnerability is exposed through specific inbound Remote Procedure Calls (RPC), which are used to add printers and related drivers. This can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

****PrinterLogic Solution****

With PrinterLogic’s Managed Direct IP Printing solution, print jobs are always spooled locally using the local print spooler on the originating workstation. Since PrinterLogic does not use  RPC to access the Windows Print Spooler, a PrinterLogic Managed Direct IP print environment is entirely unaffected when the mitigation steps detailed in the CVE **(option 2)** are followed as recommended by Microsoft. This ensures that the attack vector is closed on all machines running the Windows Print Spooler, while allowing users to continue to safely print using PrinterLogic’s Managed Direct IP solution.

Microsoft has released a patch for this vulnerability. PrinterLogic highly recommends all customers install the July 2021 Out-of-band update on all Windows systems. For details, see KB5004945 and KB5004946.

****What about Point and Print?****

According to Microsoft documentation, Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.

This specifically applies to print queues installed from a Windows print server and does not impact a user’s ability to install print queues from the PrinterLogic Self-Service Portal.

As part of the July 2021 Out-of-band update, a registry setting is checked that will restrict the installation of new unsigned printer drivers to Administrators only. Since PrinterLogic only allows signed Type 3 drivers to be used, and since the PrinterLogic Client is solely responsible for managed print driver installation, this setting will not adversely affect PrinterLogic customers.

While this registry setting does not impact a PrinterLogic Managed Direct IP environment, in accordance with security best practices, PrinterLogic still recommends that all customers enable this registry setting as recommended by Microsoft:

Key: HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint

Value: RestrictDriverInstallationToAdministrators

Type: REG\_DWORD

Data: 1

For more information, please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

****Caveats****

Printers that are configured as shared printers or with Windows Print Server Links will cease to function properly if inbound remote printing is disabled on the Windows print server. PrinterLogic highly recommends that these printers be converted to Managed Direct IP print queues to avoid this and future Windows Print Spooler vulnerabilities.

****References****

Security Update Guide – Microsoft Security Response Center – CVE-2021-34527

VU#383432 – Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()

KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates

July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band

July 6, 2021—KB5004946 (OS Build 18363.1646) Out-of-band

Introduction to Point and Print – Windows drivers

Original Release: May 3, 2019 | Last Revised: May 9, 2019

**Description**

Using an exploit to forcibly update configuration data, the PrinterLogic Client can be directed to bypass HTTPS hardening or directed to another PrinterLogic Server. The PrinterLogic Client does not correctly verify the origin and integrity of updates. An attacker who successfully exploits these vulnerabilities could run arbitrary code in the context of the Local System Account.

**Solution**

**CVE-2018-5408**

This solution prevents Man-in-the-Middle (MITM) attacks where bad actors may attempt to spoof a trusted entity by tricking the PrinterLogic Server into connecting to a malicious host. To reduce any attempt at MITM attacks, you must configure your PrinterLogic Server to use the HTTPS protocol as described below:

1\. Follow the steps outlined here: HTTP and HTTPS Configuration Steps.

2\. Next, make sure your homeURL is updated to HTTPS. For more information, see Update the Client’s HomeURL.

3\. In addition, you need to apply the client update described below to secure your PrinterLogic environment.

**CVE-2018-5409, CVE-2019-9505**

This solution addresses vulnerabilities related to properly verifying the origin and integrity of the PrinterLogic Client code, as well as sanitizing special characters that could lead to unauthorized changes to configuration files. To address these issues, apply the latest PrinterLogic software update as described below:

1\. Download the update from: PrinterLogic Security Update.

2\. On the PrinterLogic Server, navigate to C:\\inetpub\\wwwroot\\public\\client\\setup.

3\. Make a backup copy of your existing PrinterLogic Client files before replacing them.

4\. Copy and replace the PrinterLogic Client installation files with the new files provided in the download.

5\. Navigate to your PrinterLogic Admin Console and enable the automatic update option to update your clients. If you want to push out the clients via GPO or using a software deployment tool, follow these instructions.

6\. To validate the update, check to see that the client for each workstation has been updated to the new version by navigating to **Tools** → **Reports** → **Workstations** from the PrinterLogic Admin Console. Click **Search** to run a report for workstations in your environment. Verify that the numbers in the Client Version column are **at least** as recent as the numbers shown below  
– Windows: **25.0.0.49** or higher– Mac: **25.1.0.274** or higher– Linux: **25.1.0.274** or higher

If you have questions about these solutions, contact PrinterLogic Product Support for assistance.

**References**

CVE-2018-5408, CVE-2018-5409, CVE-2019-9505

CVE-2022-32427: Security Bulletin | Printerlogic

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

'2033121?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-4125: Invalid Bug ID

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

API-related security vulnerabilities continue to be a thorn in the side of organizations, with access control flaws now associated with high-severity CVEs.

According to a new whitepaper published by API security firm Wallarm, titled ‘API vulnerabilities discovered and exploited in Q1-2022’, a total of 48 API-related vulnerabilities were found and reported in the first quarter.

Based on industry standards, 18 were considered high-risk and 19 were labeled as of medium severity, the report (PDF) says.

The critical vulnerabilities disclosed publicly earned themselves CVSS v3 scores ranging from 8.1 and 10.

**Top API threats**

Merging both OWASP Top 10 and OWASP API Security Top 10 standards, the cybersecurity firm categorized the most significant API threat disclosures as issues relating to broken access controls (or broken function level authorization, depending on the OWASP standard), as well as injection attacks.

While security flaws including cryptographic failures, insecure design, excessive data exposure, and misconfigurations also made the list, the most dangerous, exploited API vulnerabilities disclosed in Q1 2022 relate to injection attacks, incorrect authorization or a complete bypass, and incorrect permission assignment.

Topping the list of the four most dangerous API vulnerabilities disclosed and reported in the first quarter of 2022 is CVE-2022-22947, also known as ‘Spring4Shell.’

**BACKGROUND** Spring4Shell: Microsoft, CISA warn of limited, in-the-wild exploitation

Spring4Shell is linked to two vulnerabilities – CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, and CVE-2022-22947, a code injection attack leading to remote code execution (RCE) in Spring Framework’s Java-based Core module.

A developer publicly released exploit code for the critical bug in March, and although promptly deleted, the release of working RCE code ensured Spring4Shell became a headache for developers who needed to apply Spring’s emergency patch quickly.

The vulnerability was compared to Log4j due to the Spring Framework’s popularity. Before long, Microsoft and CISA warned of active exploitation of the zero-day flaw. Attackers then harnessed the bug to grow the Mirai botnet.

**Enterprise technologies targeted**

The second vulnerability at the top of the API vulnerability list is CVE-2022-26501 (CVSS 9.8), an improper authentication bug in Veeam Backup and Replication that allows attackers to execute arbitrary code remotely without authentication. Veeam supports over 400,000 customers, many of which are enterprise firms.

According to Nikita Petrov, the Positive Technologies researcher who disclosed the critical bug alongside two others, CVE-2022-26501 had the potential to “be exploited in real attacks and put many organizations at significant risk”.

The third flaw, another assigned a CVSS score of 9.8, impacts Zabbix, an enterprise-grade open source network tool. Tracked as CVE-2022-23131, when a non-default setting to enable SAML SSO authentication was in use, the tool’s front end was susceptible to privilege escalation and admin session hijacking – as long as an attacker knew the admin’s username.

**YOU MIGHT ALSO LIKE** SOS.dev program launched to help protect critical upstream software

Fourth is CVE-2022-24327, a lower-grade bug assigned a CVSS score of 7.8 but still considered a severe vulnerability. Found in the JetBrains suite hub, the bug related to developer accounts integrated into the hub which inadvertently exposed API keys with excessive permissions, potentially leading to account takeover or hijacking.

Finally, Wallarm has bundled a category of API security threats as a common denominator in many cyber-attacks today. Described by Mitre as “CWE-639: Authorization Bypass Through User-Controlled Key”, the issues surround system authorization functionality which allows key values to be tampered and users to access other users’ data or records without permission.

APIs, as key communication methods between functions, will remain a target for cyber-attackers as long as they are in use due to their critical roles in modern networks and services.

In recent API security news, open source hacking tool GoTestWAF has introduced API security platform evaluation capabilities, emulating OWASP and API exploits to test API security defenses.

**RECOMMENDED** Vulnerability in open source identity management system Free IPA could lead to XXE attacks

API security: Broken access controls, injection attacks plague the enterprise security landscape in 2022

**SAN FRANCISCO, Aug. 17, 2022 —** The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world's most important software supply chain security initiatives, on Wednesday announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.

New premier member, Capital One, joins the OpenSSF Governing Board. New general member commitments come from Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and ZTE Corporation. New associate members include Eclipse Foundation, Purdue University, and TODO Group. "We are excited to welcome new members to the OpenSSF," says Brian Behlendorf, General Manager of OpenSSF. "As open source software security vulnerabilities continue to draw attention from governments and businesses around the world, interest in the work of the OpenSSF has been rapidly increasing."

"A growing community of organizations, developers, researchers, and security professionals are investing the time and resources needed to strengthen open source security," said Jamie Thomas, OpenSSF Board Chair and IBM Enterprise Security Executive. "New members of OpenSSF are joining at a time when cross-industry collaboration and innovation are needed more than ever to proactively respond to pervasive cybersecurity threats."

Resolving the systemic issues that led to major security vulnerabilities like the Log4shell incident emphasizes the urgency and importance of the work of OpenSSF. A recent Cyber Safety Review Board report declared that Log4j has become an "endemic vulnerability" that will be exploited for years to come and that the 10-point mobilization plan introduced earlier this year at the Open Source Software Security Summit II by the OpenSSF will improve the resiliency and security of open source software.

OpenSSF will host a full day of sessions on Tuesday, Sept. 13, at OpenSSF Day EU on the eve of Open Source Summit Europe (OSS EU) in Dublin. Working Group leaders and community members will host sessions, panels, and fireside chats about ongoing work to secure the software supply chain and the future of open source security. Registration and attendance are free for all those attending the OSS EU.

**Premier Member Quote**

**Capital One**

"Today some of the most groundbreaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world's technology leaders as we collaborate to strengthen the software security supply chain. As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community."

*   Chris Nims, EVP of Cloud & Productivity Engineering at Capital One

**General Member Quotes**

**Akamai**

"Improving the security of open source software — so central to the internet ecosystem — is one of the most critical security challenges we face today. Only by gaining visibility into the network and the software supply chain can we reliably address security flaws when they occur at the code level. The technology community must support the open source communities we depend on with financial and technological resources to limit our collective risk_._ As a leading security and cloud services provider, we look forward to contributing to the Open Source Security Foundation and helping to advance this important work."

*   Robert Blumofe, EVP and CTO, Akamai

**Kasten by Veeam**

"We are honored to be part of the Open Source Security Foundation (OpenSSF) and champion this initiative alongside our peers. Kasten by Veeam has an open source heritage, and with Kubernetes data protection as our core offering, security remains a critical underpinning for Kasten K10 design and implementation. As Kubernetes adoption continues to fuel Digital Transformation journeys for enterprises, more attention is rightfully being placed on security, especially with the inexorable rise of ransomware attacks. Kasten by Veeam is committed to ensuring the security and data protection of cloud native environments to better protect business applications."

*   Gaurav Rishi, Vice President of Products and Partnerships at Kasten by Veeam

**Scantist**

"On one hand, the software industry is benefiting substantially from the rapid growth of open source, which has become the basic building blocks of the digital world. On the other hand, open source security is becoming more critical and all these risks are multiplied by the interdependent nature of open source. Now as a member of OpenSSF, we would like to contribute to the OpenSSF missions based on our recent research on open source ecosystem analysis to provide a quantitative view to understand the complexity and security of open source. We want to become the active participant, evangelist and ambassador for OSS governance in southeast Asia to promote open source software supply chain security."

*   Dr. Liu Yang，Professor at Nanyang Technological University, Singapore and Co-Founder of Scantist

**SHE BASH**

"Since our inception, SHE BASH has witnessed a variety of predatory industry practices that get shielded from extensive scrutiny via the protective veil of closed source. At our core, open source software is a public institution that enables everyone to build their future.

"The combination of decades of apathy and the incentive mechanisms that sustain a culture of 'don't care' has allowed our company to stand out among tech's largest and most culpable companies. We have always considered 'best practice first' as one of the main value propositions we can provide as a company, albeit a small one. Open Source Software provided us the level playing field to make differences in key technological shifts within the public sector, and the evolution of these shifts are the development of best practices born from the open source that sustains all software life today. It's a true honor to be of assistance to the work OpenSSF is leading to remedy large structural mistakes that grew from decades of neglect."

*   Cameron Banowsky, Co-founder and CTØ, SHE BASH

**Socket Security**

"As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source dependency usage. Modern applications use thousands of dependencies written by hundreds of maintainers, and installing even one package leads to dozens of transitive dependencies coming along for the ride. Unfortunately, it is far too easy for a bad actor to infiltrate the software supply chain and wreak havoc. That's why Socket is proud to join OpenSSF and do our part to make open source safe for everyone with our industry-leading approach to software composition analysis which is used by thousands of companies to detect and prevent supply chain attacks. The Socket team is excited to work with other OpenSSF member companies to safeguard the open source ecosystem for everyone."

*   Feross Aboukhadijeh, Founder and CEO, Socket Security

**Sysdig**

Sysdig is proud to be part of OpenSSF and work together to help guide open source security standards and secure the software supply chain. As a cloud security company built on open source, we believe the industry must come together to strengthen software for the common good. Having created and contributed Falco to the CNCF to help secure the runtime, we look forward to continuing open collaboration in the OpenSSF. The future of security is open, and what we do now will shape software forever."

*   Edd Wilder-James, Vice President, Open Source Ecosystem at Sysdig

**Timesys**

"With software supply chain breaches up more than 650%, securing the software supply chain is a big focus. We've been working for more than 5 years developing technology to help secure, monitor, and maintain open source-based embedded Linux and Android devices from exposures and vulnerabilities. We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure."

*   Atul Bansal, CEO of Timesys

**ZTE Corporation**

"We are very pleased to join the OpenSSF. As a world-leading communication equipment manufacturer, more and more open source software is used by us. While actively embracing open source software, it also brings unprecedented risks to software supply chain security. ZTE Corporation has made many efforts to control and manage risks, and regard them as our top priority. After joining the OpenSSF, ZTE Corporation works with a group of members with similar visions and goals to promote the development of open source software supply chain towards a more secure direction."

*   Xiang Shuming, Director of OSS Compliance and Security Governance, ZTE Corporation

Additional Resources

*   View the complete list of the 89 OpenSSF members
*   Watch the recent August OpenSSF Town Hall
*   Contribute efforts to one or more of the active OpenSSF working groups and projects

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain

SOS.dev initiative will combat software supply chain attacks by encouraging researchers to suggest security improvements to key projects

Stephen Pritchard 18 August 2022 at 12:09 UTC  
Updated: 18 August 2022 at 12:19 UTC

SOS.dev initiative will combat software supply chain attacks by encouraging researchers to suggest security improvements to key projects

A new program is aiming to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.

The Secure Open Source Rewards (SOS.dev) scheme will be broader than current bug bounty programs, according to its backers.

The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.

Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.

**Save Our Software**

Secure Open Source Rewards will pick eligible projects based on the NIST definition of ‘critical software’, as well as the extent of the security improvements and the number of users who stand to benefit.

The backers will also consider the seriousness of any compromise of the project, and where the project ranks in open source criticality research, including the Harvard 2 Census Study of most-used packages, and the OpenSSF Criticality Score project rankings.

**RELATED** Developers still struggling with security issues during code reviews, study finds

Secure Open Source Rewards are looking for supply chain security improvements, improvement that give higher OpenSSF Criticality Scorecard results, adopt software artifact signing and verification, and other best practise measures.

Other improvements will be added to the aims as SOS.dev evolves.

**Million-dollar funding**

The Secure Open Source Rewards scheme differs from conventional bug bounty programs as it covers security improvements by project developers rather than just vulnerabilities.

It will also offer a limited amount of upfront funding for projects looking to make longer-term security improvements.

The initiative comes as organizations move to upgrade security for critical infrastructure and applications. More attention is being focused on software supply chains, including the role of vital open source components across the ecosystem.

“A lot of commercial and open source solutions, including those used by CNI, operate critical infrastructure relying on open source libraries including OpenSSL and Log4j, of which we have seen repeated attacks in the past,” Steven Sim, president of the ISACA Singapore chapter and chair of the OT-ISAC executive committee, told _The Daily Swig_.

“If we don’t do anything right now about these Achilles’ heels, we will continue to see massive breaches as a result of software supply chain attacks.”

Read more of the latest software supply chain security news

Andrew Martin, CEO at ControlPlane and CISO at OpenUK, added: “Supply chain security starts with the initial contributor and the security of their coding practices, computing environment, and build systems.

“Organizations need to be aware of all the components in development and production systems, including open source.

“The Linux Foundation’s OpenSSF and CNCF TAG Security groups are focused on critical and cloud native software respectively, and SOS.dev occupies a more developer-focused space, and is additionally supported by Google GOSST team.

“The latter is also supporting the Kubernetes-based kCTF Vulnerability Rewards Program (VRP), which looks to pay researchers for escaping containers and attacking the Linux Kernel.

“These initiatives are seeing dramatically increasing payouts commensurate with the level of skill required to escape these sandboxes and applications, and together are shining a light of the risk of untrusted third-party code making its way past the scrutiny of vulnerability researchers.”

SOS.dev is run by the Linux Foundation with sponsorship from the Google Open Source Security Team, with $1 million of initial funding.

**YOU MIGHT ALSO LIKE** Swiss Post relaunches e-voting bug bounty program

Secure Open Source Rewards program launched to help protect critical upstream software

Especially if your e-commerce and CMS platforms are integrated, you risk multiple potential sources of intrusion, and the integration points themselves may be vulnerable to attack.

Chances are your business has both an e-commerce platform and a content management system. Perhaps they're one and the same. Together, these technologies drive your business, empowering customers, sales staff, and partners. The content management system (CMS) gives them information; the e-commerce platform handles transactions. Easy.

However, these technologies can also be a target, providing everything that a bad actor wants, from trade secrets (such as inventories and price discount sheets), lists of partners and suppliers, discount codes, and even sensitive information about customers.

Whether your e-commerce platforms and CMSes are combined in an all-in-one comprehensive suite, or are disparate systems integrated together, the risks and potential weak spots are mainly the same. If you have integrated e-commerce and CMS platforms, not only does your tech now have multiple potential sources of intrusion, but the integration points themselves may be vulnerable to attack, or at least to snooping. If you have an all-in-one system, a single exploited vulnerability or phishing-enabled breach could give cybercriminals everything in one fell swoop.

For this discussion, let's assume that your company follows well-established cybersecurity best practices, such as applying patches and fixes to operating systems, applications, drivers, and libraries. Failure to make these updates in a timely fashion is a leading cause of breaches. Also, let's assume you employ state-of-the-art encryption for data in transit, and change all default access and admin passwords for your servers, routers, and services.

With that as a baseline, let's talk about seven specific steps that are particularly well-suited to CMS and e-commerce platforms.

**Gather the Least Amount of Customer Information Possible**

Then be careful where (and how) you store that data. If you steal customer credit card numbers or medical information, the market impact, civil lawsuit penalties, and adverse publicity could put you out of business. Oh, don't forget HIPAA and GDPR fines, depending on what and where your data is stolen.

**Careful What You Store On Internet-Facing Servers**

Yes, your e-commerce platform needs to be aware of inventory levels and pricing discounts in order to facilitate e-commerce. What if competitors can retrieve that information in a tidy bundle? They might be able to use your business data against you.

**Monitor Lists of Zero-Day Threats and Other Vulnerabilities**

You can start with the one published by organizations like the Cybersecurity & Infrastructure Security Agency. It's not enough to receive threat-assessment reports, of course. They need to be read and acted upon. An issue with a very large impact appeared, for example, in the popular Log4j library not long ago. Every organization that uses Log4j needed to update to version 2.16 or later immediately. Is there someone in your organization responsible for knowing about that sort of incident? If not, there's a vulnerability right there.

**Use Penetration Testing Tools and Services**

No matter whether your software is off the shelf, tailored by consultants, or homegrown, you don't know how secure it is unless you test, test, test. Conduct pen tests regularly and thoroughly; not only do systems become less secure if not maintained properly (see the first point), also your service landscape changes and attackers are becoming more sophisticated as well. If you haven't pen tested recently, or used a white-hat firm to assess your defenses, you don't know what you don't know.

**Vet Software Suppliers, and Insist They Follow Secure Coding Practices**

If you are using cloud services, examine those carefully. Consider everything. For example, the CMS company I work for is certified at the highest level for its security practices, conforming to ISO 27001 security protocols. These protocols include regular code reviews, strict access control, anomaly detection and rigorous security testing. You should expect nothing less from every supplier.

**Check With Banks, Payment Processors to Ensure You're Doing It Right**

There are many practices for working with ACH transfers and credit-card payments. Some of these appear obvious, such as using CVV values on credit cards, and verifying that shipping addresses match the bank account's address — but e-commerce platforms may not enable those extra levels of validation by default. I would also highly suggest using a service that specializes in payment transactions. These services will be certified according to PCI DSS requirements and you can focus on your core competencies.

**Log Everything and Analyze Those Logs for Anomalies, Attack Patterns**

Every transaction, every privileged login to the CMS or e-commerce platform, every error caused by someone entering a bad password, should be logged. Don't trust humans to be able to understand those logs, by the way; modern-day attacks can be both fast and subtle, and there's too much data to correlate for patterns. Use machine-learning tools to monitor events and logs, and as in the fourth point above, make sure someone is responsible for receiving, reading, and following up on those reports.

Follow these seven steps, and your CMS and e-commerce platforms will be more secure and more trustworthy than ever before. Are these steps reasonable? Yes. Are they easy? Once systems are in place to work safely and run securely, yes. Your customers, suppliers, and partners want your systems to be safe. Let's get to work.

7 Smart Ways to Secure Your E-Commerce Site

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.

There was nothing typical this year at BSides LV, Black Hat USA and DEF CON – also known collectively as Hacker Summer Camp. The weeklong collection of cybersecurity conferences featured an eclectic mix of attendees to learn, network, hack and have fun. The week even included a rare Las Vegas flash flood (not a new DDoS technique) on Thursday creating chaos in one casinos.

The past week, while not ‘typical’, was a nod to normalcy for attendees. Attendance for events was up from the previous year, which in 2021 was muted by lower attendance and COVID fears. Here is a roundup of leading research, themes and buzz from this year’s shows.  

****Research of Note****

Video conferencing darling Zoom was highlighted at DEF CON by Patrick Wardle, founder of the Objective-See Foundation, for a hacking technique that allowed him, using the macOS version of Zoom, to elevated privileges and gain access to the entire macOS operating system.

Pen Test Partners revealed a flaw in the Electronic Flight Bag tablets used by some Boeing aircraft pilots that could have allowed an adversary to modify data “and cause pilots to make dangerous miscalculations,” according to a Reuters report.

Starlink, the satellite operated by SpaceX that provides internet access to over 36 countries, was shown vulnerable to a hack via a $25 modchip. Belgian researcher Lennert Wouters revealed at Black Hat how he mounted a successful fault injection attack on a user terminal used to manage the satellite.

Researcher James Kettle debuted a new class of HTTP request smuggling attack that allowed him to compromise Amazon and Akamai, break TLS, and exploit Apache servers, according to reporting from Portswigger’s The Daily Swig.

Journalist Eduard Kovacs reported on a high-severity Realtek bug in the company’s eCos SDK. Found by Faraday Security and discussed at DEF CON, the eCos SDK is used in a variety of routers, access points and network repeaters, according to his report.

For fans of FUD, PC Magazine has a nice rundown of “The 14 Scariest Things We Saw at Black Hat 2022“. Things keeping them up are SMS codes flunk MFA, an “invisible finger to take control” of your touchscreen device and a Microsoft hiccup when launching its Early Launch Antimalware (ELAM).

****Topics of Discussion****

The main Black Hat keynote was from Chris Krebs, former Cybersecurity and Infrastructure Security Agency (CISA), who shared his optimism when it comes to the US approach to information security. However, he did express pessimism that US cyber-defenses were too focused on nation state attackers versus more mundane and pressing concerns, in his estimation, such as ransomware.

Ukraine war and Log4j also were major themes at each of the conferences. ESET provided Black Hat attendees with an update on cyberattacks against Ukraine. Firms such as CyCognito warned that we aren’t out of the Log4j woods. A report by SiliconAngle  quotes Robert Silvers, undersecretary for policy at the Department of Homeland Security, echoed those concerns telling attendees that “\[Log4j\] is most likely that organizations are going to deal with Log4j issues for at least a decade and maybe longer.”

Victor Zhora, deputy head of Ukraine’s State Special Communications Service, told Black Hat attendees that his country’s infrastructure has experienced a 300 percent uptick in cyber incidents since Russia’s invasion of the country. The visit was unannounced, according to a Voice of America report.

Meanwhile current White House Cyber Director Chris Inglis told journalist Kim Zetter, during a DEF CON session, that he was focused on “‘three waves of attacks’ that have progressed in recent years,” according a Nextgov report.

_The first wave “focused on adversaries holding data and systems at risk.” In the second, the attackers “still held data and systems at risk, but they then abstracted that into holding critical functions at risk.” The third is an attack on confidence, as exemplified by the attack on the Colonial Pipeline. –_ Nextgov.

For DEF CON, it was the event’s 30th anniversary, which events organizers billed as not a birthday but a Hacker Homecoming.

“This has been a crazy couple of years,” according to an official DEF CON forum post.

“A global pandemic turned DEF CON 28 into DEF CON Safe Mode. Some easing of the restrictions and some strict attendance rules gave us a hybrid con for DC29. An improvement, to be sure, but something short of a full DEF CON experience… We want DEF CON 30 to have the energy of a reunion… In honor of all that, we’re calling DEF CON 30 ‘Hacker Homecoming’.”

Tag

#log4j