Yet another *4Shell exploit highlights the horror of strange visitors into enterprise environments. This Tech Tip focuses on what to do next.

A family moves into their dream home, only to be plagued by ominous letters, a strange tenant, and sinister threats. Sound familiar?

It should. This is the story behind _The Watcher_, a true crime series that premiered on Netflix on October 13, 2022. It's also the story of the Text4Shell vulnerability, which was announced that same day, causing many people worldwide the horror of unknown attackers getting access to their private environments and threatening their applications.

Text4Shell is a remote code execution (RCE) vulnerability that allows attackers to remotely access a server and run malicious code on it. RCE attacks have become very popular lately, with vulnerabilities like Log4Shell and WannaCry, due to the growth of cloud applications that expose APIs (REST, GraphQL, LDAP, etc.) in public environments.

These attacks are straightforward for hackers to attempt. All they have to do is scan the Internet for applications running a known vulnerable tech stack, and search for the right external endpoint that will allow them to inject their malicious code.

**How Does Text4Shell Work?**

The Apache Common Text library is a widely used Java library for text manipulation and other string algorithms. It is a common dependency in the supply chain for many OSS libraries, and is used directly by many Java applications too.

One of the library functions, to create interpolators to substitute variables from a string, has flawed logic as it executes part of a given string without using isolation. This oversight makes the string accessible to the whole environment. In practical words, if you have a REST API with a request parameter such as 'https://your.app/user/{userID}', you would manipulate this 'userID' variable, with the 'createInterpolation(userID)' function.

In the case of a public API, any attacker can replace the 'userID' parameter with malicious code and have it execute it in your environment. The worst case scenario of such an attack is taking remote shell control of your environment (this is why this class of vulnerabilities are called \*4Shell).

For future reading, this Palo Alto Networks post has a practical code example that you can run locally and see this flaw in action.

**Can We Proactively Prevent RCEs?**

While there is no way for enterprises to promise they will never be hacked, applying proactive DevSecOps methodology in progressive development organizations can save you a lot of pain in future RCEs and \*4Shell attacks.

Progressive DevSecOps approaches make a concerted effort to assess all of the potential risks in the entire software development lifecycle, from the supply chain of your application to the runtime in production. It doesn't stop there, though. The more critical part is then making it possible to easily create continuous automated pipelines to detect, estimate, and remediate such security vulnerabilities.

The following best practices list will guide you step by step in creating self-defending engineering organizations, that autonomously maintain security based on security domain expertise available to defend against known hacking vectors.

**1\. Continuously Run SCA Tools on Your Code Base**

Software Composition Analysis tools have been available for many years, with countless free and commercial tools that leverage online sources to detect vulnerable versions of libraries and tools used in software. Multiple tools out there differ in their level of inspection, and the quality and coverage of their vulnerability database. For Java, you can use open source tools such as OWASP dependency check (or commercial tools such as Snyk and Mend). Regardless of which you choose, you should find the SCA tool available for your tech stack and run it regularly. Some defense is better than no defense.

By running those tools periodically on the code base, you can detect any vulnerable versions of tools and libraries you are using in your supply chain, just in time. We recommend running it at least daily, while also continuously monitoring new code being pushed for any updates that may include vulnerable versions.

Another point is ensuring a well-defined strategy for updating versions of vulnerable third-party libraries and tools. You can get help through APIs like https://osv.dev, which collects data on vulnerabilities and the versions where they are resolved, and also create automated processes that commit the fixed version like the Dependabot or jit.io auto-remediation feature.

**2\. Use SAST Tools**

Vulnerabilities found in third-party libraries should not always receive the highest priority for remediation. In the Text4Shell example, if you do not use the 'createInterpolator()' function in the code, there really is no reason to prioritize the upgrade, as it isn't possible to practically exploit the vulnerability. (This Twitter thread by Simon Bennetts, creator of OWASP ZAP, can teach a lot about prioritizing real risk based on the Log4Shell example that still has many in a frenzy).

So — how can you know if this is being used anywhere in your code? By running SAST tools.Static analysis security test (SAST) tools, as their name suggests, statically scan your code with tools like Abstract Source Tree (AST) or other string scanning methods to find if there are any places in the code that are vulnerable to known issues. Updated versions of such tools will detect the vulnerable code and will alert you. Some of the tools will even offer a practical fix for the vulnerabilities, so you'll only need to replace the code with the patch they suggest.

You can find SAST tools that are specific to languages such as Bandit for Python and GoSec for Golang, but there are also cross-language tools such as SonarQube and SemGrep.

You can also define those tools to run as part of the automated CI/CD pipelines so that any relevant new issues will be caught in time to avoid their propagation to production.

**3\. Avoid Default Errors**

The explosion in the number of RCE attacks previously mentioned is the byproduct of the existence of public-facing APIs that provide attackers an easy way to explore the public Internet for vulnerable servers. The typical method is to create automated scripts that scan for error responses that use default error messages and pages – making it easy to identify the underlying technology. (For example, the Apache Java 404 default page, the most commonly used Web server, even today remains a gold mine for would-be attackers.) By wrapping any of the errors returned to users with a custom error, you make it hard for attackers to identify what server technology you used, for example.

Besides serving as a best practice for code reviews and code styling, many of the SAST and lint tools also provide the added benefit of monitoring every HTTP request static tree and alert about any raw error that is returned to the end user.

**4\. Configure Everything as Code**

By configuring everything as code, all configuration is protocoled, monitored, and managed in a reliable and searchable way that makes changes and rollbacks fast and quiet. Not only that, you can use automated tools such as KICS and Checkov to scan the configuration files for any vulnerable configurations before you even deploy it to a real environment. By running these tools you can verify critical configuration issues such as:

*   Overly privileged containers, to ensure the container can only run only the particular code it should and also verify the narrowest set of permissions (also called least privilege).
*   API configurations and access to endpoints, to ensure all requests are validated for any potential code injections.
*   Scanning code runners to ensure containers don't have egress call access to a white list of addresses.

Like other static analysis tools, those tools make it very easy to create automated CI/CD pipelines that ensure every configuration deployed is the safest one, that changes are monitored, and that the human error factor is minimized to as close to zero as possible.

**5\. Do Not Run Code on Native Machines and Use Least Privilege**

The biggest damage \*4Shell vulnerabilities can cause is when you run these processes as standard processes in a (virtual) machine. Running code in containers minimizes the damage to the current running environment and enables you to maintain a very narrow set of permissions and privileges for the container.

By monitoring containers to run only in needed processes, alongside limiting the users that run the applications to only the required permissions, you can ensure there will not be any impact on the sensitive areas attackers will want to infiltrate.

Running all your applications in containers and other standard cloud-native methods also helps define a centralized network and privilege configuration that wraps up all the running applications, avoiding any manual configurations that can easily go bad.

When your architecture scales, you can use tools such as Wiz, Orca, and other cloud-native security observability tools to ensure everything is properly defined in real time.

**6\. Employ Dynamic API Scanning**

Using DAST tools like ZAP, you can find out which of your applications are really vulnerable to Text4Shell. This can be useful if you have a large number of applications that are vulnerable, making it possible to prioritize fixing them, or if you need access to the source code. The ZAP Text4Shell Scan Rule is currently in the optional Alpha Active Scan Rules add-on and requires an OAST service in order to work.

**Faster Security == Dev Velocity**

We can't expect exploits to disappear, and it shouldn't surprise us when new \*4Shell or any other zero days appear. What we can do is have the right guardrails and controls in place, so that we can quickly discover and remediate these without wreaking too much havoc on our already bogged-down dev processes.

By taking action today, you essentially avoid being caught off guard tomorrow and disrupting engineering delivery. We're privileged to be in an age with excellent open source security tooling that integrates well with our CI/CD and stacks, and we should make an effort to employ them as often as possible. What's more, this doesn't even require domain expertise any longer; there are plenty of DevSecOps tools (and, as noted above, open source tools) that will do this for you, and even SaaS-based offerings for those who are willing to pay for it that will orchestrate this end to end. Don't leave your house open to strangers. Start with the easy stuff — lock the front door.

How Development Teams Should Respond to Text4Shell

Cybercrime continues to evolve — and shows no signs of slowing down.

Tech companies have created the tools we use to build and run businesses, process consumer transactions, communicate with one another, and organize our personal and professional lives. Technology has shaped the modern world as we know it — and our reliance on tech continues to grow.

The tech industry's importance has not been lost on cybercriminals and nation-state groups, who target tech companies for a variety of reasons: to fulfill strategic, military, and economic goals; to access sensitive corporate data they can hold for ransom or sell on the Dark Web; to compromise supply chains; and much more.

Tech companies are no strangers to cybercrime — they've long been targets of adversary activity — but in the past year, these attacks have rapidly increased. Technology was the most targeted vertical for cyber intrusions between July 2021 and June 2022, according to CrowdStrike threat data. This made tech the most popular sector for threat actors during a year when CrowdStrike threat hunters recorded more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes.

If this sounds familiar, it's probably because you've seen this threat activity in the news — data breaches affecting the technology industry have dominated headlines in 2022. Tech companies of all sizes should be concerned about the potential for adversary activity, because they're often trying to steal data. Let's take a closer look at the threats that tech companies should be most worried about, what those adversary tactics look like, and how to stop them.

**How Today's Adversaries Target Tech Companies**

Enterprises, small to midsize businesses (SMBs), and startups alike must be aware of the threats they face and how to defend against them.

Adversaries are increasingly moving away from malware in an effort to evade detection: CrowdStrike threat data shows malware-free activity accounted for 71% of all detections between July 2021 and June 2022. This shift is partially related to attackers increasingly abusing valid credentials to gain access and maintain persistence (i.e., establish long-term access to systems despite disruptions such as restarts or changed credentials) in IT environments. However, there is another factor: the rate at which new vulnerabilities are being disclosed and the speed with which adversaries can operationalize exploits.

The number of zero-days and newly disclosed vulnerabilities continues to rise year-over-year. CrowdStrike threat data shows more than 20,000 new vulnerabilities reported in 2021 — more than any previous year — and more than 10,000 were reported by the start of June 2022. This is a clear indication this trend is not slowing down.

A closer look at tactics, techniques, and procedures (TTPs) used during intrusions reveals common patterns in adversary activity. When a vulnerability is successfully exploited, it's routinely followed by the deployment of Web shells (i.e., malicious scripts that enable adversaries to compromise Web servers and launch additional attacks).

**What Can Tech Companies Do to Stop Breaches?**

The technology industry is challenged to maintain a strong defense against a constantly evolving threat landscape. Today's attackers are changing their TTPs to be more subtle, to evade detection, and to cause more damage. It's up to defenders to protect the workloads, identities, and data their business relies on.

There is no one-size-fits-all model for how cybercriminals conduct their attacks, nor is there a single silver bullet for tech companies to defend themselves against every intrusion. However, a closer look at intrusion activity reveals critical areas of focus for IT and security teams. Below are key recommendations:

*   **Get back to basics:** It is paramount that tech companies have the basics of security hygiene in place. This includes deploying a strong patch management program, and ensuring robust user account control and privileged access management to mitigate the effects of compromised credentials.
*   **Routinely audit remote access services:** Adversaries will leverage any pre-existing remote access tooling at their disposal or attempt to install legitimate remote access software in the hope that it evades any automated detections. Regular audits should check to see if the tool is authorized and if the activity falls within an expected timeframe, such as within business hours. Connections made from the same user account to multiple hosts in a short timeframe may be a sign that an adversary has compromised credentials.
*   **Proactively hunt for threats:** Once an adversary breaches a tech company's defenses, it can be tough to detect them as they quietly collect data, look for sensitive information, or steal credentials. This is where threat hunting comes in. By proactively looking for adversaries in their environment, tech companies can detect attacks earlier and strengthen their security posture.
*   **Prioritize identity protection:** Adversaries are increasingly targeting credentials to breach tech companies. Any user, whether they're an employee, third-party vendor, or customer, can unknowingly be compromised and provide an attack path for adversaries. Tech companies must authenticate every identity and authorize each request to prevent cyberattacks, like a supply chain attack, ransomware attack, or data breach.
*   **Don't forget about threat prevention:** For tech companies, threat prevention tools can block cyber threats before they penetrate an environment or before they do damage. Detection and prevention go hand in hand. In order to prevent cyber threats, they must be detected in real-time. The bigger the IT environment, the greater the need for tools that can help with threat detection and prevention.

The evolution of cybercrime and nation-state activity shows no signs of slowing down. Tech companies must strengthen their defenses and understand an adversary's techniques in order to protect their workloads, identities, and data, and keep their organizations running.

How Tech Companies Can Slow Down Spike in Breaches

A 500-page document reviewed by WIRED shows that Corellium engaged with several controversial companies, including spyware maker NSO Group.

Corellium, a cybersecurity startup that sells phone-virtualization software for catching security bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government, according to a leaked document reviewed by WIRED that contains internal company communications.

The 507-page document, apparently prepared by Apple with the goal of using it in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis using virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.

According to the leaked document, Corellium in 2019 offered a trial of its product to NSO Group, whose customers have for years been caught using its Pegasus spyware against dissidents, journalists, and human rights defenders. Similarly, Corellium’s sales staff offered to provide a quote to purchase its software to DarkMatter, a now-shuttered cybersecurity company with ties with the UAE government that hired several former US intelligence members who reportedly helped it spy on human rights activists and journalists. 

In correspondence with WIRED, Corellium says NSO Group and Dark Matter had access to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process. 

For years Corellium has painted itself as a crucial defender against software bugs on Android and iOS. But the leaked document shows that Corellium worked with several companies that use bugs and exploits to hack into cell phones, as opposed to helping Google and Apple patch vulnerabilities.

The document includes emails between Corellium staff and customers or potential customers, including NSO Group and DarkMatter. The document is not public and is being reported on for the first time here. 

“As one of our early beta requesters, we’re delighted to extend you and your team at NSO Group an exclusive invitation to try Corellium, the world’s first and only mobile device virtualization platform. We think you’ll really enjoy the advanced mobile security research tools we have to offer,” reads a March 26, 2019, email between Correllium’s support staff and an NSO Group employee. “Your free trial will last until April 9. Trial accounts are limited, but if you need more time, or if you prefer to start your trial at a different time, just let us know.”

In the case of DarkMatter, the document includes an email exchange between a company employee and a Corellium sales email address. The emails are not dated, but they apparently reference a 2019 training on how to use the platform that Corellium offered potential customers at the cybersecurity conference Black Hat.

“I was a trainer at Blackhat last year where you guys had provided us access to the portal for a few days and I was very impressed with the amount of features it had,” the DarkMatter employee wrote. “We are interested in purchasing it. Can you guys provide us a quote for all the available options that you have?”

“We’re so glad to hear that you enjoyed using Corellium at Blackhat, and we actually have DarkMatter on our list of teams to reach out to regarding availability,” an unnamed Corellium employee responded. “We’d be more than happy to provide you a quote with all the options checked.”

Also in 2019, according to the document, Corellium sold its software to Paragon, a little-known company that has since been reported to be a provider of government surveillance technology. Corellium also licensed its software to a company called Pwnzen Infotech, whose founders were part of Pangu Team, a well-known Chinese group of elite iOS and iPhone hackers. A Pwnzen sales representative told Reuters in 2019, when Pwnzen was already a Corellium customer, that the company helped hack the phone of a person suspected of “subverting the government” in China. 

“There are a number of ties between Pwnzen and the People’s Republic of China’s government that are cause for concern,” says Dakota Cary, a consultant at Krebs Stamos Group who has written several reports about cybersecurity in China. “Bolstering Pwnzen’s hacking capabilities likely occurred at the detriment to US security interests,” he added, explaining that the company’s improved capabilities could have provided the Chinese government with better tools to hack targets inside and outside of the country, including the US.

Also, as of today, Corellium counts Russian iPhone hacking company Elcomsoft as a customer. And in 2019, Corellium sold to Elcomsoft’s Israeli competitor Cellebrite, a firm that helps law enforcement unlock iPhones and access the data stored within. Cellebrite has reportedly sold its phone-hacking products to countries such as China, Saudi Arabia, and Bahrain, among others. 

Corellium did not dispute the legitimacy of the document, but it also did not respond to a series of questions about its contents. Instead, Corellium CEO Amanda Gorton shared a draft of a blog post in which the company says it offered trials to NSO Group and DarkMatter but denied that the two companies became customers. 

“We’ve had opportunities to profit from these bad actors and have chosen not to,” the blog post reads. It further explains that Corellium restricts sales of its cloud product to “fewer than sixty countries” and has a “block list” of organizations.

Corellium didn’t specify the 60 countries, nor did it answer specific questions about Paragon, Pwnzen, Cellebrite, or Elcomsoft. The company wrote in the blog post that as the sales process goes on, the vetting gets “more intensive.” According to the blog post, that means Corellium asks about the customer’s use case, consults with “trusted contacts in the security community, including contacts at various US government agencies,” and looks at the potential customer’s online presence and investigates its “ownership, corporate structure, and employees.”

Apple did not respond to a request for comment, nor did NSO Group, Cellebrite, or Pwnzen. XiaBo Chen, who identifies as the founder of Pwnzen on LinkedIn, did not respond to multiple requests for comment. After the controversy surrounding DarkMatter’s role in targeting activists and journalists, the company reportedly rebranded to Digital14 in 2019, then to CPX in 2021. Digital14 and CPX did not respond to requests for comment.

Idan Nurick, the CEO and cofounder at Paragon, says that “as a matter of principle, Paragon maintains the confidentiality of its clients, as well as technology providers, and the company does not disclose any information pertaining to these entities.”

Vladimir Katalov, the CEO, cofounder, and co-owner of Elcomsoft, confirmed that his company is a Corellium customer. 

‘Puzzling’ Claims

The leaked document, prepared in 2021, according to an included timeline, mirrors Apple’s arguments against Corellium, which it accused of violating its copyright and the Digital Millennium Copyright Act by re-creating a virtual version of iOS. While Apple has never publicly presented the evidence that’s contained in the document against Corellium, the tech giant accused Corellium in its lawsuit of helping researchers develop zero-day exploits and spyware for governments around the world, hinting that this was one of the main reasons it didn’t approve of Corellium’s practices, apart from alleged copyright infringement.

“Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement,” Apple said in the complaint. “Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Corellium has forcefully defended itself against Apple’s claims, saying it sells to “well-known and well-respected financial institutions, government agencies, and security researchers” who use their product for legitimate purposes.

In December 2020, when he dismissed Apple’s copyright infringement claims, US District Judge Rodney Smith, of the Southern District of Florida, sided with Corellium, writing in the order on the parties’ motions for summary judgment that “Apple’s position is puzzling, if not disingenuous.”

“As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes,” the judge wrote. “Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing.”

The case took an unexpected turn in August 2021, when Apple and Corellium settled out of court. (The terms of the deal were confidential.) Then, days later, the tech giant filed an appeal, keeping its case against Corellium alive.

Bad Reputations

Even in 2019, NSO Group and DarkMatter had poor reputations in the world of cybersecurity. At the time, there had already been several examples of abuse of NSO Group’s Pegasus spyware, particularly against journalists in Mexico. Ronald Deibert, the director of the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like NSO Group for years, said in March 2019 that there was a “mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.” 

Both Apple and Microsoft have called NSO Group “21st-century mercenaries.”

Gorton has publicly denied selling Corellium’s products to DarkMatter and NSO Group and said Corellium does not sell to companies in the Middle East.

“We have definitely rejected customers who have approached us. I’m sure you can imagine DarkMatter, NSO Group have all reached out and we just politely declined, we don’t sell to that region,” she said during a November 2021 interview with the _Decipher_ podcast. 

In the interview, she sold her company’s mission as positive and uncontroversial, saying that Corellium can be used to help researchers find bugs and report them to companies like Apple, something that companies like NSO Group, DarkMatter, Paragon, Pwnzen, Cellebrite, and Elcomsoft don’t do. Gorton added that hunting for security bugs is “kind of exactly what we wanted to see the platform used for.”

In the past, other Corellium executives and founders have repeatedly downplayed the possibility that bad actors could use its software. When asked whether he was worried that Corellium customers could use the product to find bugs and develop exploits that would then be used by governments, David Wang, one of the company’s cofounders, told _Forbes_ in 2018 that the company would be “selective in who we choose to do business with.” 

Wang did not respond to WIRED’s request for comment. 

In the podcast interview, Gorton has also fielded questions about how Corellium vets its customers to avoid selling to bad actors and that the company takes this process “very seriously,” selling only in the Asia-Pacific, European Union, and North America regions, and researching companies they don’t recognize. “We err on the side of caution,” she said.

The leaked document includes a 2021 email from Steve Dyer, the vice president of sales and business development at Corellium, to Gorton. In the email, Dyer explains the process for vetting “current and future cloud customers” as they submit requests for trials online. Part of the process, Dyer wrote, is to check that the companies are not from countries sanctioned by the US government, such as North Korea, Sudan, Syria, and Russia. (While Elcomsoft is headquartered in Russia, the company is not sanctioned by the US government.) 

“China has been added to the list for auto-denied trials,” Dyer wrote. 

Last year, the US government added NSO Group to a federal blocklist, preventing any US companies and individuals from doing business with the spyware company. In correspondence with WIRED, Corellium said it voluntarily refused to sell its software to NSO Group “more than two years before the United States Department of Commerce placed NSO Group on its Entity List.”

Nevertheless, Corellium’s engagement with these controversial companies may change the cybersecurity community’s view that Apple’s lawsuit is a case of an entitled tech giant going after a scrappy startup with an innovative product that it doesn’t like. 

John Scott-Railton, a senior researcher at the Citizen Lab, says the Corellium sales department’s outreach to NSO Group and DarkMatter is “a potentially cynical act” given the nature of those companies. “At that point, Corellium and everyone else knew exactly who NSO Group was and what they would do with that kind of technology and the people that would inevitably be harmed,” Scott-Railton says. “It raises questions about their ethics, their judgment, or both.”

Zach Edwards, an independent privacy and security researcher, says that “sensitive technology cannot be haphazardly sold to any company, in any country in the world.”

“While Corellium is a reverse-engineering tool that doesn't intrinsically create risks through its sale, the core purpose of the tool is to reverse malware,” Edwards says. “And if you sell the product to malware developers in countries averse to Western interests, we should assume that this tool will be used to improve malware.”

A person who tried Corellium in the past, who asked to remain anonymous because they were not allowed to speak to the press, says that “given what’s happening in the world today, you shouldn’t be dealing with Russian companies,” such as Elcomsoft. 

Elcomsoft’s CEO Katalov says that “the decision to work with a company based in Russia is a personal choice.”

“Please rest assured that we still strive to provide the best software and services, and trying to keep good relationships with our customers all over the world,” he adds. “We will just keep doing our job, making the world a safer place and battling the crime.”

Adrian Sanabria, a cybersecurity veteran, says that it’s not surprising that “groups interested in creating iOS exploits would be using a platform designed for iOS security research.” 

“For me, the core takeaway is that Apple created the need for platforms like Corellium by not providing the tools, access, and transparency the market needs and desires,” he says.

Danger Zones

Some of the organizations and companies linked to Corellium in the document come from countries seen as controversial by most people in the cybersecurity community in the West, including Alex Stamos, who acted as an expert witness for Corellium in the lawsuit against Apple.  

“I personally don’t believe it would be ethical to sell exploits to Saudi Arabia,” Stamos, the director of Stanford University’s Internet Observatory, said during testimony he provided in the lawsuit between Apple and Corellium, which is quoted in the document.  

Stamos also expressed doubts about selling products to the United Arab Emirates, whose government had a close relationship with DarkMatter. “The UAE has been shown to use malware and exploits to spy on journalists and suppress local dissent,” Stamos said. 

In response to the document’s revelations, Stamos says he doesn’t think “it's appropriate for Apple to use copyright law to try to stop security research, and I don't think it's responsible for Corellium to offer their product to companies known to create malicious software for authoritarian states.”

The document also includes the logos of alleged Corellium customers and companies linked to it. As well as the companies previously mentioned, the document includes the logo of Azimuth, a provider of advanced hacking tools to the intelligence and law enforcement agencies of the so-called Five Eyes. Other logos include the Centre for Strategic Infocomm Technologies of Singapore, or CSIT, as well as the logo of an academic institution in Saudi Arabia called the Center of Excellence in Information Assurance (COEIA), housed at the King Saud University. 

CSIT executives did not respond to a request for comment. Other than the logo of the COEIA, the document also shows a 2019 email titled “invitation to Corellium” sent to the organization. The COEIA did not respond to a request for comment.

The legal battle between Apple and Corellium is ongoing. Late last month, the two companies appeared at a hearing before the Eleventh Circuit of the US Court of Appeals in Florida. Apple’s lawyer, Melissa Sherry, argued that Corellium’s product is just a slightly tweaked version of iOS that’s not transformative enough not to be fair use. Corellium attorney Kevin Russell said the product helps users “shed light on the functionality of the Apple operating system” and is, therefore, fair use.

“I don't think there's a genuine dispute that the purpose of the product is to explore the unprotected functionality of the system's software,” he said. “What people do with that knowledge is the subject of another statute.”

A Leak Details Apple's Secret Dirt on Corellium, a Trusted Security Startup

By Waqas
The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).
This is a post from HackRead.com Read the original post: Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

In December last year, it was reported that Iranian and Chinese hackers were exploiting the Log4Shell vulnerability in the wild. Now, according to the US CISA (Cyber security infrastructure and security Agency), an advanced persistent threat (APT) group sponsored by the Iranian government compromised the network of a U.S. federal agency.

The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).

**Cyberattack Details**

CISA revealed that the hackers used the Log4Shell vulnerability, tracked as CVE-2021-44228, in the unpatched VMware Horizon server to compromise the network and gain control of the organization’s domain controller (DC). Once they successfully invaded the system, the hackers deployed XMRig crypto mining software to steal credentials and mine for crypto.

For your information, Log4Shell is a zero-day vulnerability in a Java logging framework called Log4j that causes arbitrary code execution and impacts VMware Horizon and an extensive array of products.

**CISA’s Analysis**

As per CISA, their researchers conducted a routine investigation in April 2022 and identified suspicious APT activities on the FCEB network using the EINSTEIN intrusion detection system used by the agency.

They discovered bi-directional traffic passing through the network and an already found malicious I.P. address linked with Log4Shell vulnerability exploitation in VMware Horizon servers.

CISA further noted that an HTTPS activity was launched from I.P. address 51.89.18164 to VMware’s server. Further probe revealed that the I.P. address was associated with Lightweight Directory Access Protocol (LDAP) server operated by attackers to deploy Log4Shell.

**Who are the Attackers?**

In a joint advisory from CISA, the Department of Homeland Security, and the FBI, it was revealed that the attack was launched in February 2022. The attackers moved laterally to DC, stole credentials, and implanted Ngrok reverse proxies on multiple hosts to retain persistence. U.S. security officials responded in June to clean the network.

Reportedly, the hackers were identified as Nemesis Kitten, and they launched the attack with backing from the Iranian government. Nemesis Kitten is an extension of the Phosphorus Iranian malware group, and they regularly utilize well-known, highly exploitable vulnerabilities to facilitate ransomware attacks against organizations.

CISA warned that organizations still using the unpatched server versions should be concerned as they would eventually be compromised.

1.  Dirty Pipe Linux Vulnerability Overwrites Data
2.  Watch Out: Microsoft Office 0-Day Vulnerability Follina
3.  OpenSSL Released Patch for High-Severity Vulnerability
4.  Flaw in GPS Tracker Lets Hackers Remotely Control Vehicles
5.  Critical Amazon Ring Flaw Could Expose Camera Recordings

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

By Waqas
The most prominent CMS today is WordPress which is being used by over 455 million across the globe.
This is a post from HackRead.com Read the original post: Step-by-Step Security Guide for WordPress

As the internet becomes increasingly integral to daily life, website security is more important than ever. Hackers can gain access to sensitive information, like credit card numbers and social security numbers, through websites with weak security. This can lead to identity theft and financial fraud.

Your website’s CMS (content management system) works as the backbone of your entire setup. The most prominent CMS today is WordPress which is being used by over 455 million across the globe. Naturally, WordPress is a lucrative target for cybercriminals and highlights the fact why WordPress security should never be ignored.

WordPress or another other CMS, while 100% security may be a myth, there are a few things you can do to ensure your website is secure from external and internal threats.

**Secure Hosting**

A website is a powerful tool that can help businesses of all sizes reach new customers and grow. However, a website is only as secure as the hosting provider that it uses. That’s why it’s important to choose a secure website hosting provider when setting up your website. Here are two things to look for in a secure website hosting provider:

**1. Industry-Leading Security Measures:** A good web hosting provider will have industry-leading security measures in place to protect your website from hackers and other online threats. This includes things like firewalls, DDoS protection, and malware scanning.

**2. Regular Backups:** In the event that your website is hacked or compromised, regular backups will ensure that you can quickly restore your site to its previous state. A good web hosting provider will perform regular backups of your site automatically.

**Strengthening Login Credentials**

According to studies, around 8 percent of hacked WordPress websites are due to weak passwords. However, as the largest self-hosted blogging tool in the world, WordPress has a responsibility to its users to keep their information safe. One way it does this is by natively offering two-factor authentication (2FA).

Two-factor authentication is an extra layer of security that requires not only a username and password but also something that the user has on them, like a phone. This makes it much harder for someone to hack into a WordPress account, even if they have the login credentials.

WordPress offers 2FA through several different methods, including SMS text messages, email, and authenticator apps. Which method you choose is up to you, but we recommend using an authenticator app like Authy or Google Authenticator.

**Updated Plugins**

The reason why WordPress powers millions of websites and blogs is its user-friendliness and free plugins. Although WordPress is good at adding new features and constantly issues security patches, zero-day vulnerabilities can be a calamity.

Therefore, always keep your plugins up to date because newer versions of plugins often fix security vulnerabilities that older versions had. Outdated plugins can cause compatibility issues with other plugins or with WordPress itself.

Additionally, newer versions of plugins usually have new features and improvements that can make your site run better. So next time you see a plugin update available, don’t ignore it – go ahead and update!

**Hiding WordPress Login URL**

There are a few reasons webmasters might want to change the default WordPress login URL. By doing so, you can help keep your site more secure from hackers and bots who try to gain access by brute force. Additionally, it can also deter casual users from trying to snoop around areas of your site they shouldn’t be.

If you’re running a membership site or online community, you may also want to change the login URL to something more branded and memorable for your users. By making it easy for them to find and login, you can reduce frustration and increase adoption.

Whatever your reason for wanting to change the WordPress login URL, it’s actually quite easy to do. There are a few different methods you can use, including plugins and editing code directly.

**Login Limit Plugin**

As a website owner, it’s important to make sure that your site is secure. One way to do this is by using a WordPress login limit plugin. This type of plugin will help to protect your site by limiting the number of failed login attempts.

There are many benefits of using a WordPress login limit plugin. By limiting the number of failed login attempts, you can help to prevent hackers from gaining access to your site. Additionally, this plugin can also help to improve the security of your password.

If you’re looking for a way to improve the security of your website, then we recommend that you consider using a WordPress login limit plugin.

**Security Plugins**

Using a security plugin is a must. There are many security plugins available for WordPress, but not all of them are created equal. Do some research and find a plugin that suits your needs. (We recommend looking into Wordfence or Sucuri.)

Once you’ve found a plugin, install it and activate it. Follow the instructions on the plugin’s settings page to configure it properly.

Most security plugins will offer features like blocking IP addresses, two-factor authentication, malware scanning, and more. Choose the features that are most important to you and make sure they’re enabled.

Keep your security plugin up to date by installing new versions when they’re released.

**Sharing Admin Access**

If you’re planning on giving someone else access to your WordPress admin panel, there are a few security precautions you should take first.

For starters, be sure to create a separate user account for the person to whom you’re granting access. That way, if their account is ever compromised, your main admin account will remain safe.

Next, be sure to set strong passwords for both your main admin account and the new user account. Use a combination of letters, numbers, and symbols to make it as difficult as possible for hackers to guess.

**Take Away**

Malicious actors are continuously coming up with new ways to use a company’s online presence against them, while cyber security specialists are always coming up with new ways to resist them.

This is the never-ending cycle of cybersecurity, and we’re all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked. 

1.  What is WooCommerce, and Why You Should Care
2.  Tips for Using Uploader Widgets on WordPress Blogs
3.  5 WordPress Security Solutions with Free SSL Certificates
4.  Flaws in 2 famous WordPress plugins put millions of sites at risk
5.  WordPress GDPR Compliance plugin hacked to spread backdoor

Step-by-Step Security Guide for WordPress

Additional functionality also added to the fourth-party risk solution is providing better visibility and insights into vendor risk.

**BOSTON, Nov. 16, 2022 /PRNewswire/** — BitSight, the Standard in Security Ratings, today announced that it has enhanced its Third-Party Risk Management (TPRM) platform to provide additional insights to customers, helping them to more proactively detect and mitigate vulnerabilities and exposure across their third-party vendor ecosystem. BitSight also expanded its Fourth-Party Risk Management solution to increase visibility into risk across an organization's extended supply chain and to help manage and prioritize mitigation efforts more efficiently.

Third-Party Vulnerability Detection helps organizations to uncover, attribute, and prioritize vulnerabilities and exposures. Risk managers can use these real-time insights to respond to major security events, and in their ongoing efforts to find and remediate threats within their vendor portfolio. These enhancements allow users to save time by prioritizing vendor outreach efforts, easily access critical vulnerability data, and build stronger vendor relationships through timely and evidence-based collaboration.

"When Zero Days and other major security events occur, organizations struggle to quickly understand, remediate, and report on their exposure," said Vanessa Jankowski, Vice President and General Manager of Third Party Risk Management, BitSight. "This new capability from BitSight enables organizations to uncover, prioritize, and respond to vulnerabilities and other exposure across their vendor ecosystem. With easy access to vulnerability data that scales across an entire third-party portfolio, customers can now take action on high-priority incidents quickly, while surfacing critical information to board members and executive-level stakeholders."

BitSight also announced that it has enhanced the fourth-party capabilities within its platform by providing critical data and insights to help customers gain better visibility into concentrated risk within their extended supply chain, and more easily communicate risk emanating from fourth-party service providers.

"Customers are trying to understand the state of cyber risk not only in their third-party portfolio but in their extended digital footprint," continued Jankowski. "We're seeing networks of fourth-party vendor relationships that are indirect and increasingly complicated, making it necessary to prioritize based on impact. BitSight's enhanced fourth-party risk management capability automatically discovers service providers and products in use across the extended ecosystem, surfaces areas of risk based on concentration and fourth-party security posture, and provides visibility into fourth-party security incidents. Together, customers can connect concentration risk and security risk, allowing them to prioritize across an extended network that often goes unmanaged."

BitSight provides a complete Third-Party Risk Management offering with solutions for continuously monitoring vendor security performance, measuring security controls, mitigating supply chain risk, and quantifying cyber risk for business leaders. In September, as part of its acquisition of ThirdPartyTrust, BitSight launched its new Vendor Risk Management product to help address the evolving needs of third-party risk managers and provide customers with the tools they need to successfully manage vendor risk in one place, from procurement all the way through the lifecycle of the vendor relationship.

**About BitSight**

BitSight creates trust in the digital economy and transforms how organizations manage cyber risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance; mitigate third party risk; underwrite cyber insurance policies; conduct financial diligence; and assess aggregate risk. With the largest ecosystem of users and information, BitSight is the Standard in Security Ratings. For more information, please visit www.bitsight.com, read our blog or follow @BitSight on Twitter.

SOURCE: BitSight

BitSight Enhances Its Third-Party Risk Management Platform to Help Organizations Respond to Major Vulnerabilities

Nova introduces innovations to help stop zero-day threats, simplify security architectures, and reduce the risk of costly misconfigurations.

**SANTA CLARA, Calif., Nov. 16, 2022 /PRNewswire/** — Cyber threats continue to increase in volume and complexity with threat actors developing new ways to avoid detection — including highly evasive malware. To help organizations outpace these evolving threats, Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced PAN-OS® 11.0 Nova, the latest version of its industry leading PAN-OS software, unleashing 50-plus product updates and innovations. Amongst them are the new Advanced WildFire® cloud-delivered security service that brings unprecedented protection against evasive malware and the Advanced Threat Prevention (ATP) service which now protects against zero-day injection attacks.

"We've observed a significant increase in unique malware samples  
over the last year along with an increasing level of malware  
sophistication. A new approach is required to detect this advanced  
malware," said Anand Oswal, senior vice president, Network Security, Palo Alto Networks. "PAN-OS 11.0 Nova is a leap forward in network security.  
It stops 26% more zero-day malware than traditional sandboxes; detects  
60% more injection attacks; simplifies security architecture; and helps  
organizations adopt cybersecurity best practices. The bottom line is  
that Nova helps keep organizations one step ahead of attackers."

**Security Against Zero-Day Threats**

**Advanced WildFire:** Modern malware is highly evasive and sandbox-aware. To solve this problem, sandboxes need to continuously evolve to thwart analysis-resistant evasion techniques. The new Advanced WildFire service builds upon its custom hardened hypervisor to introduce radical new capabilities, such as intelligent run-time memory analysis combined with stealthy observation and automated unpacking to stay hidden from malware and defeat advanced evasions. These new capabilities enable Advanced WildFire to stop more highly evasive zero-day malware than traditional sandboxes.

**Advanced Threat Prevention (ATP)**: The enhanced ATP service reimagines the intrusion prevention system (IPS) with industry-first inline capabilities for stopping zero-day injection attacks. Injection attacks — one of the top attacks on the OWASP "Top 10 Web Application Security Risks" list — attempt to push malicious code into a computing system by exploiting unpatched vulnerabilities in software. Such malicious code executes remote commands that lead to data loss or full system compromise.

To protect against such injection attacks, ATP deep-learning models have been built on high fidelity telemetry data across tens of thousands of exploited vulnerabilities over the last decade. Internal testing has shown that the enhanced ATP service detects 60% more zero-day injection attacks that traditional solutions miss.

Nova not only sets up the foundation for modern day network security by continuously protecting against zero-day threats but also raises the bar for how organizations can proactively improve cyber hygiene and simplify security architectures. In addition to Advanced WildFire and Advanced Threat Prevention, notable innovations in the Nova release include:

**Simplified and Consistent Security**

**Web Proxy Support:** For customers who need to run explicit proxies in their network due to network architecture or compliance requirements, Nova introduces natively integrated proxy capabilities for Palo Alto Networks NGFWs helping to secure Web as well as non-Web traffic. Now Palo Alto Networks NGFWs and Prisma® Access support web proxy, allowing customers to deploy consistent network security across campus locations, branches and mobile users, all managed centrally.

**Integration of Next-Generation CASB:** Palo Alto Networks Next-Generation Cloud Access Security Broker (CASB), natively integrated with Nova and Prisma SASE, now includes all-new SaaS Security Posture Management (SSPM) to help find and eliminate dangerous misconfigurations in 60-plus enterprise SaaS apps. Next-Generation CASB now also has support for near-real time data protection in modern collaboration apps and suspicious user behavior detection, which helps to protect sensitive data in modern SaaS apps from compromised accounts and insider threats.

**Stronger Cyber Posture**

**AIOps:** Palo Alto Networks AIOps helps reduce misconfigurations that can lead to security breaches. AIOps, launched earlier this year, now processes 29B metrics every month across 50,000 firewalls, and proactively shares 24,000 misconfigurations and other issues with customers for resolution every month. With Nova, AIOps is even more proactive. AIOps now guards against violations of best practices and enables remediation of inefficiencies in security policies before committing changes, helping organizations strengthen defenses against cyberattacks.

In addition to all the PAN-OS software updates, a new set of 4th-generation ML-Powered NGFWs bring these new capabilities to branches, campus locations and data centers at up to 5x higher performance compared to the previous generation. The new hardware firewalls also bring the flexibility of fiber and Power over Ethernet (PoE) to small branches.

**PA-445 and PA-415 for small branches**: The PA-445 and PA-415 bring the flexibility of fiber and PoE ports to distributed enterprises and small and medium businesses. PoE powers downstream devices such as access points, IP cameras, and IP phones without the need for additional electrical circuits.The PA-445 and PA-415 also bring improved resiliency with dual power supplies and fanless cooling.

**PA-1400 Series for large branches**: The new PA-1400 Series offers up to 5x performance and up to 7x the session capacity compared to the previous generation. The PA-1400 Series is ideal for protecting large branch locations and small enterprise campuses, with support for PoE and fiber ports.

**PA-5440 for large campus locations and data centers**: We are launching the highest performing fixed-form factor in 2RU, the PA-5440. This platform offers 2x the performance of the previous generation PA-5260, and is ideal for protecting large campus locations and data centers.

"Attackers continue to develop new ways to evade traditional defenses, while security teams struggle to defend organizations with point solutions that are complex to deploy and operate," said John Grady, ESG senior analyst. "Palo Alto Networks PAN-OS 11.0 Nova addresses these critical challenges by stopping zero-day threats in real-time, simplifying security architectures, and improving cyber hygiene."

**Availability  
**PAN-OS 11.0 and most of the security services will be available in November. New ML-Powered NGFW platforms will be available in December, and SSPM will be available on the NGFW platforms in January. Most security services, including Advanced WildFire, will be compatible with previous versions of PAN-OS.

**Additional Resources**

*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram
*   Launch event

**About Palo Alto Networks  
**Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2022), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, PAN-OS and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE: Palo Alto Networks, Inc.

Palo Alto Networks Announces PAN-OS 11.0 Nova to Help Keep Organizations One Step Ahead of Zero-Day Threats

By Waqas
The planned smart device security labeling program spearheaded by the US government will be introduced next year, although…
This is a post from HackRead.com Read the original post: Will a Labeling System Solve IoT Security Challenges?

The planned smart device security labeling program spearheaded by the US government will be introduced next year, although official details about its implementation are not yet available. From home routers to smart cameras, various connected devices are set to get cybersecurity labels similar to the Energy Star labels used on appliances.

The question is this: Can labels really help address the IoT security challenges associated with smart devices? Some compare this IoT cybersecurity labeling plan to the compulsory “nutrition facts” on food products, which does not appear to inspire optimism. The nutrition information on junk food and sugar-rich food products has not discouraged people from consuming unhealthy products. 

Will the same happen to the US government’s device labeling plan? Can cybersecurity labels drive consumers towards highly secure gadgets, or will they just go on with their usual buying habits, wherein product availability and prices are usually the most important purchase decision-driving factors?

The answers to these questions can be explained more intuitively by discussing smart device and IoT security challenges and presenting the proposed or expected benefits of the cybersecurity labeling program.

**Challenge 1: Lack of visibility**

More often than not, Internet of Things (IoT) manufacturers do not have any system for monitoring their products. Once their devices move to the hands of customers, they no longer exert any effort to check if their products require security updates or patches to address malfunctions and security vulnerabilities. They do not have a system to keep track of changes or product activity histories that can be used to determine the root cause of issues and provide the necessary remedies.

This lack of visibility suggests that products are unlikely to be secure. It is an important fact that should be taken into account when examining the cyber threat readiness of certain smart devices, something that can be reflected in the proposed IoT labeling program.

**Challenge 2: Reactive approach to zero-day threats**

A big majority of IoT and smart device manufacturers do not include the anticipation of zero-day threats as part of their product security strategy. Primarily reactive, their sole solution to threats is security patching, which is useless against zero-day threats. It takes time to develop and release a security patch in response to newly discovered vulnerabilities. It takes even longer for the patches to be applied by the device owners.

Before the security patch is installed, it is likely that threat actors have already managed to exploit an unpatched vulnerability and inflicted damage that could have been preventable. IoT makers need to consider employing cybersecurity solutions that are proactive instead of reactive. Examples of these are simplified network access controls (NAC), web application firewalls (WAF), and extended detection and response (XDR).

This does not mean that security patching is no longer necessary. It is still an important part of securing smart devices, but there have to be ways to address zero-day or newly emerging unidentified threats.

IoT cybersecurity labeling can be used to indicate if specific IoT devices or smart gadgets have proactive security versus zero-day threats. Regulators will be obliged to examine the protection systems baked into devices or their ability to integrate with the proactive cyber defense solutions employed by organizations.

**Challenge 3: Open source and third-party vulnerability exposure**

Many IoT device makers do not develop from scratch their own firmware or the basic software installed in their devices. This is particularly true for mass-produced generic devices that flood the low-cost electronics retail industry. These unknown brands or generic devices rely on open-source or third-party software libraries for their authentication, communication, encryption, and other fundamental functions.

One report indicates that around 84 percent of codebases have components that contain known security vulnerabilities. This figure should alarm those that patronize cheap IoT and smart devices for various purposes. A significant number of “successful” cyber attacks on IoT devices are attributed to open-source and third-party. This makes cyber attacks easier for cybercriminals, as the knowledge of the specific devices used by an organization could be all they need to come up with an efficient attack strategy against specific businesses or organizations.

Cybersecurity labeling for IoT devices can help address this problem by alerting prospective smart device buyers about the possible security flaws or defects of the software in the products they are considering. Regulators can keep a comprehensive and growing guide on all open-source and third-party software security flaws.

**Challenge 4: Performance over security**

IoT devices inherently have limited resources, particularly their CPU, RAM, and ROM. As such, they cannot pack advanced security software tools, which are generally resource-intensive. It would be difficult to bring together security and performance with all the limitations of IoT products.

Many IoT device manufacturers admit that they purposely take out or cut corners on their security features to ensure that their devices can run relatively smoothly. This results in vulnerabilities that make IoT gadgets even less capable of resisting attacks, especially sophisticated tactics.

The planned nonprofit/nongovernmental organization that will be established to oversee the national cybersecurity certification and labeling activities can evaluate devices to ascertain their cybersecurity readiness. Too many security compromises will be indicated in the cybersecurity label or reflected in the overall score/rank written on the label.

**Challenge 5:  Outdated or obsolete security tools and methods**

Some smart device makers demonstrate some inclination to make their devices safe and secure. However, the tools they install or the approaches they undertake may no longer be applicable to the current threat ecosystem. They could be using outdated static analysis and vulnerability discovery solutions, which do not help improve the security of their products. There are also those that employ perimeter defense and network segmentation solutions that have notably limited capabilities in detecting and stopping IoT device assaults.

These facts need to be indicated in the proposed IoT cybersecurity label to encourage device makers to update the security solutions they use. If manufacturers refuse to update their security features, customers will know that they will likely be endangering their IT assets or resources by allowing such devices to connect to their network.

**Guide, not a silver bullet**

Will a cybersecurity labeling system be enough to address the challenges that mire IoT and connected smart devices? It can certainly help, but it is not going to be the be-all and end-all solution. There is and will never be a foolproof solution. However, labels can guide customers in making smart choices. If customers still choose devices with low cybersecurity ratings/scores and various caveats, the risk is theirs to take. 

Nevertheless, authorities may use the labels in setting thresholds for the cybersecurity level acceptability of devices that will be allowed in certain settings. By doing this, they can subtly enforce a policy of only using proven secure devices in businesses and government offices.

1.  Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices
2.  IoT Devices Can Be Hacked to Install Ransomware on OT Networks
3.  Millions of IoT devices, baby monitors open to audio, video snooping
4.  Vulnerable Smartphones, IoT Devices: 400% increase in infection rate
5.  Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai

Will a Labeling System Solve IoT Security Challenges?

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an export of requests from the list view.

**Privilege escalation vulnerability when exporting requests from the request list view**

**CVE ID :** CVE-2022-40773

**Product Name**

**Severity**

**Affected Version(s)**

**Fixed Version(s)**

**Fixed On**

ManageEngine ServiceDesk Plus MSP

High

10608 and below

10609

Sept 26, 2022

ManageEngine SupportCenter Plus

High

11024 and below

11025

Oct 13, 2022

**Details**

Users with lower access privileges are able to access restricted data by manipulating the URL, while exporting requests from the list view.

**Impact**

Unauthorized access to restricted data.

**Solution**

Customers must upgrade to version 10609 or above of ManageEngine ServiceDesk Plus MSP and 11025 of ManageEngine SupportCenter Plus.

**Steps to upgrade:**

ServiceDesk Plus MSP customers can upgrade to version 10609 or above using the appropriate migration path listed here.

SupportCenter Plus customers can upgrade to version 11025 using the appropriate migration path listed here.

**Acknowledgements:**

Reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.

CVE-2022-40773: Security advisory: CVE-2022-32551 - ServiceDesk Plus MSP

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

Adam Bannister 11 November 2022 at 15:37 UTC

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

A prototype pollution vulnerability that could lead to remote code execution (RCE) in Parse Server has been patched.

An attacker could potentially trigger RCE through the MongoDB BSON \[Binary JSON\] parser by leveraging the flaw (CVE-2022-39396), according to a GitHub security advisory published on November 8.

Parse Server is a popular, open source API server module for Node.js that provides push notification functionality for iOS, macOS, Android, and tvOS.

BACKGROUND Prototype pollution: A dangerous and underrated vulnerability impacting JavaScript applications

Although the security researchers involved are withholding technical details to give developers time to apply patches, so the detail remains unclear, we know the bug is comparable to another prototype pollution-to-RCE issue they disclosed earlier in the year. That vulnerability – which surfaced in March 2022 – was given the highest possible severity rating of CVSS 10.

**Patch now**

“I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication,” Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig. “So my advice is to patch Parse Server ASAP, if you have it.”

The flaw has been patched in the NPM parse-server package in versions 4.10.18 and 5.3.1.

The patches prevent prototype pollution in the MongoDB database adapter. If updates cannot be applied immediately, then users can protect themselves in the meantime by disabling RCE through the MongoDB BSON parser.

**‘Complex task’**

The flaw was discovered during a research project undertaken by Shcherbakov, KTH colleague Musard Balliu, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.

The trio investigated how prototype pollution vulnerabilities in Node.js systems might lead to RCE attacks.

“The detection of prototype pollution is a complex task,” said Shcherbakov. “However, the exploitation that demonstrates a high impact of vulnerabilities is more complicated in practice but still possible.”

The researchers have presented their findings, which also feature Node.js targets NPM CLI and Rocket.Chat, in a white paper (PDF). They are due to present their research at the USENIX Security ’23 conference.

**Universal gadgets**

Prototype pollution, which affects Node.js and prototype-based languages like JavaScript, involves injecting “properties into an object’s root prototype at runtime \[to\] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype,” explains the presentation precis.

The researchers set out to find “end-to-end exploits beyond DoS in full-fledged Node.js applications”, and “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets”.

Technical details for the Parse Server RCE will eventually be disclosed via the Trend Micro Zero Day Initiative (ZDI) blog.

Other significant security bugs addressed in Parse Server this year include an issue that enabled brute-force guessing of sensitive user data, and a high severity authentication bypass impacting Apple Game Center.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

Tag

#zero_day