Aggregator

A vulnerability was found in Sajid Javed Top Bar Plugin up to 2.0.1 on WordPress. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to path traversal. The identification of this vulnerability is CVE-2024-47645. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in All Club CMS up to 0.0.1f. This issue affects some unknown processing of the file index.php. The manipulation of the argument name leads to sql injection. The identification of this vulnerability is CVE-2008-0601. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, was found in RMSOFT Gallery System 2.0. This affects an unknown part. The manipulation of the argument id leads to sql injection. This vulnerability is uniquely identified as CVE-2008-0611. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in Photokorn Gallery 1.543. It has been classified as critical. Affected is an unknown function of the file index.php. The manipulation of the argument pic leads to sql injection. This vulnerability is traded as CVE-2008-0614. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as very critical, has been found in Nero MediaPlayer 1.4.0.35. This issue affects some unknown processing of the file neromediaplayer.exe of the component Media Player. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2008-0619. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, was found in All Club CMS up to 0.0.1f. Affected is an unknown function of the file index.php. The manipulation of the argument class_name leads to path traversal. This vulnerability is traded as CVE-2008-0602. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Com Awesom 0.3.2 on Joomla and classified as critical. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument listid leads to sql injection. This vulnerability is known as CVE-2008-0603. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in Phil Taylor Shambo2. It has been declared as critical. This vulnerability affects unknown code of the file index.php. The manipulation of the argument Itemid leads to sql injection. This vulnerability was named CVE-2008-0606. The attack can be initiated remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical was found in DivideConcept VHD Web Pack 2.0. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument page leads to path traversal. This vulnerability is known as CVE-2008-0609. The attack can be launched remotely. Furthermore, there is an exploit available.

Okta announced new Workforce Identity Cloud capabilities to address top security challenges such as unmanaged SaaS service accounts, governance risks, and identity verification. As part of a unified approach, these innovations help protect business before, during and after authentication, providing greater control, visibility, and streamlined user experience. Why it matters: Identity in the enterprise is under attack, with 80% of breaches involving some kind of compromised credentials and 1.9 billion session cookies stolen from employees … More →

The post Okta helps protect business before, during and after authentication appeared first on Help Net Security.

社招或实习均可 Go 高级安全研发岗位 薪资范围： 15–25K 岗位职责 1. 参与公司安全扫描器相关产品的研发和维护 2. 调研、设计和实施安全方向相关产品 3.红队工具开发 4. 指导新人 岗位要求： 1. 5年及以上GO开发经验 2. 具备扎实的编程基础，熟悉常用算法和数据结构 3. 擅长数据结构设计和数据库优化 4. 精通网络编程和多线程编程技术 5. 熟练掌握 Socket 通信、UDP/TCP 和 HTTP 协议及q其开发 6. 熟悉 MySQL、Redis 等数据库 7. 熟悉 Linux 系统及命令操作 8. 熟练使用 Docker、K8S 进行开发部署 9. 具备出色的沟通能力和问题解决能力 10. 拥有良好的代码编写习惯和接口文档编写能力 11. 对技术有钻研精神，在某一领域有深入研究或浓厚兴趣 加分项： 1. 具有网络安全行业经验 2.有高并发扫描器开发经验 简历投递：job@caskt.com.cn 公司主要方向：研发对标watchtowr的EASM，SAAS类安全服务产品

A vulnerability was found in Adobe Flash Player up to 21.0.0.213 on Windows. It has been declared as very critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to memory corruption. This vulnerability is known as CVE-2016-4112. The attack can be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

The FIDO Alliance said it's working to make passkeys and other credentials more easier to export across different providers and improve credential provider interoperability, as more than 12 billion online accounts become accessible with the passwordless sign-in method. To that end, the alliance said it has published a draft for a new set of specifications for secure credential exchange,

Как северокорейские хакеры маскируют вредоносный код под обычные уведомления.

A vulnerability was found in Golosinas Simpson1 0.1 and classified as critical. Affected by this issue is some unknown functionality of the component X.509 Certificate Handler. The manipulation leads to cryptographic issues. This vulnerability is handled as CVE-2014-7726. The attack needs to be approached within the local network. There is no exploit available.

Как мошенники в Ирландии обманывают невнимательных водителей.

Attackers leverage QR codes in PDF email attachments to spearphish corporate credentials from mobile devices

Simplify operations without sacrificing control. Read how Akamai delivers a robust defense with innovations like Behavioral DDoS Engine and AI Assistant.

Conventional wisdom suggests best-of-breed is the only way to secure your clouds. But what of hybrid attack paths that cross security domains — like those exploited in the SolarWinds and Capital One breaches? Exposing the gaps attackers exploit to move laterally requires visibility and context across security silos.

Insidious attacks like those associated with the 2020 SolarWinds breach — which compromised the software supply chain — frequently progressed from on-premises to cloud infrastructures completely unchecked. Others, like the 2019 Capital One breach, exploited a vulnerable web application to ultimately compromise client data stored in cloud infrastructure. These are just two examples of high-profile cloud breaches that traversed traditional security silos, making them challenging to prevent using siloed approaches.

Whether you’re responsible for securing cloud environments, or the entirety of your attack surface, even the best point tools will not give you the level of visibility needed to expose and close the gaps that attackers exploit to move across environments and compromise high-value targets.

Cloud-related breaches in the past 18 months

Source: Tenable, 2024 Cloud Security Outlook: Navigating Barriers and Setting Priorities

In this blog, we explore the SolarWinds and Capital One breaches, including the techniques used by attackers, and the security conventions that contributed to their success. More importantly, we explore how you can augment your existing security practices and understand the elusive attacker's perspective to help you shut down even the most sophisticated threat actors.

“Combined with the use of sophisticated authentication exploits, [the SolarWinds breach] also leveraged vulnerabilities and major authentication protocols, basically granting the intruder the keys to the kingdom, allowing them to deftly move across both on-premises and cloud-based services, all while avoiding detection.”

— Senator Mark R. Warner (D-Virginia), Chairman, U.S. Senate Select Committee on Intelligence, SolarWinds Hearing, Feb. 23, 2021

SolarWinds: Even the best cloud security solutions were ineffective

The breach of the SolarWinds Orion infrastructure management platform will go down in history as one of the costliest when measured in terms of total financial impact — estimated at nearly $1 billion — and sheer number of organizations affected. The United States government alone invested over $750 million to upgrade security systems in response. Insurers paid out $90 million in claims. And SolarWinds spent $40 million in just the first year, plus an additional $25 million to settle investor lawsuits.

Beyond the financial impact, the attack — which embedded malicious code into SolarWinds Orion software— introduced a layer of suspicion into a previously trusted and almost routine supply chain process used by countless vendors and customers.

Attackers reportedly directed by the Russian intelligence service first breached the SolarWinds development environment and injected the malicious code, known as Sunburst, into the Orion platform before the final build process. The software was then automatically sent to nearly 18,000 organizations, including the U.S. Department of Defense, the Department of Homeland Security, the Treasury Department, numerous government organizations in other countries, as well as leading enterprises including Cisco, Intel, Microsoft, Mandiant and Palo Alto Networks. The Sunburst code provided a back door attackers could use to gain initial entry into target organizations, along with machine privileges.

Threat actors did not honor security silos

The breaches of SolarWinds customers that followed frequently exploited the back door in the Orion software to gain an initial foothold on premises before moving laterally to the cloud. Attackers were able to move to the cloud despite varying degrees of existing cloud security tools, network segmentation and multi-factor authentication (MFA) in use at the targeted organizations.

After gaining initial access to the networks of the targeted organizations, attackers used popular tools and techniques to exploit unpatched vulnerabilities and misconfigurations and move laterally to high-value targets. For example, using mimikatz, attackers frequently accessed credentials stored as LSA Secrets to create a rogue domain controller in Microsoft Active Directory, ultimately leading to control over the Active Directory Federation Service.

Techniques used in the SolarWinds breaches

Source: Tenable, October 2024

Attackers then forge SAML tokens, bypassing MFA and allowing them to move laterally to clouds using SAML for SSO, such as Microsoft Azure and Office 360. Attackers were not only able to give themselves full administrative privileges, but they were authenticated as legitimate users. Once authorized to access the respective cloud, they were effectively unstoppable by traditional cloud security.

40% of organizations using Active Directory have unpatched critical or high severity vulnerabilities that are frequently exploited by attackers.

— Tenable Research, based on data from 9,000 organizations using Active Directory

Capital One: Without relationship context, security was an illusion

Unlike the SolarWinds breach, the Capital One breach targeted the company’s Amazon Web Services (AWS) cloud infrastructure and demonstrates the ease with which an attacker can move across security silos frequently seen in cloud infrastructure.

Web applications offer a primary way in for attackers

Source: Verizon 2024 Data Breach Investigations Report, Web applications were the number one ways-in vector, used in upwards of 60% of non-error, non-misuse breaches.

The attacker, a former Amazon Web Services (AWS) engineer, initially exploited an externally facing web application to gain machine privileges. They leveraged the machine identity to access credentials and elevate privileges further. And they ultimately exploited a misconfiguration to discover and exfiltrate sensitive data stored in cloud object storage. The result? Sensitive data from more than 100 million Capital One users was compromised.

What is not immediately obvious is that each of these findings is typically identified by separate security tools (and teams) — web application scanning, cloud security posture management (CSPM), and cloud infrastructure entitlements management (CIEM) respectively. Independently, all lacked the technical and business context needed to identify the criticality and entirety of the attack path.

Techniques used in the Capital One breach

Source: Tenable, 2024

A better approach to securing the modern attack surface

So what lessons can we take from these attacks, and how can we apply them in the context of our existing security program to drive better outcomes?

• Breaches can begin anywhere and attackers can move anywhere. Whether they originate on prem or in the cloud, some initial attack vectors are virtually impossible to prevent outright, such as supply chain or phishing attacks. It is therefore imperative to have complete visibility into all assets and their relationships across the attack surface to not only identify potential entry points, but also to close off opportunities for attackers to move laterally.

Select ways-in enumerations in non-error, non-misuse breaches over time

Source: Verizon 2024 Data Breach Investigations Report

• Every breach is an identity breach. Whether an attacker exploits a vulnerability or misconfiguration to compromise an asset, or uses a social engineering attack or stolen password to commandeer a user account, EVERY ATTACK looks to exploit identity — be it human or machine — to elevate privileges and ultimately gain control over crown jewels, such as administrator accounts and identity systems like Active Directory, or critical business applications and data stores.
• Security without context is an illusion. Security silos are a fact of life, and necessity in many cases, but without integrated visibility into assets, identities, risk relationships and their potential impact to crown jewels, organizations lack the attacker’s point of view needed to effectively identify and close viable attack paths — the ones attackers will ultimately exploit once they gain initial access.

The challenge, of course, is that traditional security tools are not designed with these considerations in mind.

Exposure management unifies visibility, insight and action

The role of exposure management platforms, such as Tenable One, is to unify visibility, insight and action across the attack surface. Tenable One not only discovers asset, identity and risk relationships across multi-cloud environments, it also discovers on prem IT, operational technology (OT) and internet of things (IoT) assets and identities. 

Exposure management is a preventative security strategy that leverages deep context, in the form of business-aligned asset, identity and risk relationships to distinguish ordinary risk findings from true exposure that can have a material impact on an organization. What makes exposure management different is that it looks at the entire attack surface (cloud, IT, OT, IoT, identities, applications), and the full spectrum of preventable risk (vulnerabilities, misconfigurations, human and machine privileges) which enable all breaches, exposing and closing viable attack paths before a breach can begin.

For example, Tenable One’s inventory includes human and machine identities and privileges from Active Directory — provided by Tenable Identity Exposure. This information is integrated with multi-cloud identities and privileges – provided by Tenable Cloud Security. Combined, they enable Tenable One to map technical and business relationships across traditional security boundaries, prioritizing attack paths such as those used in the SolarWinds and Capital One breaches. 

The short video below demonstrates how Tenable One can uncover and bridge visibility gaps exploited in the SolarWinds and Capital One breaches so users can remediate high exposure attack paths before they can be exploited by attackers.

Source: Tenable, October 2024

Tenable One’s capabilities set it apart from other exposure management platforms in two key ways:.

• Cloud-only exposure management platforms (sometimes referred to as CNAPP) focus on public cloud assets, identities and risks. This means they can miss security risks that traverse cloud and hybrid environments.
• Other exposure management platforms focus on identifying assets across the attack surface (e.g. IT, OT, IoT, Cloud), but lack visibility into identities and their permissions, which are leveraged to progress virtually every attack.

To learn more about exposure management, download the whitepaper “Hackers Don’t Honor Security Silos: 5 Steps To Prioritize True Business Exposure.”

Learn more about Tenable products featured in this blog

• Tenable One is the world’s only AI-powered exposure management platform, designed to radically unify security visibility, insight and action across the modern attack surface to rapidly expose and close the priority gaps that drive up business risk. Security leaders rely on Tenable One to protect against attacks from IT to the cloud to OT and everywhere in between.
• Available as part of Tenable One, Tenable Cloud Security is a comprehensive CNAPP solution that simplifies identification and remediation of risk across multi-cloud environments. Unlike silo tools that leave visibility gaps, it maps every cloud asset, identity, sensitive data and risk – identifying toxic combinations of risk that pose the greatest threat to your business, and helps you close cyber exposure, and improve productivity.
• Also available as part of Tenable One, Tenable Identity Exposure equips modern enterprises with a new level of end-to-end protection from identity-based attacks. This singular solution isolates and eradicates the security gaps where identity-based exploits thrive. Reduce risk by finding and fixing priority exposures across your identity environment to strengthen your security posture and prevent attacks before they occur.

Conventional wisdom suggests best-of-breed is the only way to secure your clouds. But what of hybrid attack paths that cross security domains — like those exploited in the SolarWinds and Capital One breaches? Exposing the gaps attackers exploit to move laterally requires visibility and context across security silos.

Insidious attacks like those associated with the 2020 SolarWinds breach — which compromised the software supply chain — frequently progressed from on-premises to cloud infrastructures completely unchecked. Others, like the 2019 Capital One breach, exploited a vulnerable web application to ultimately compromise client data stored in cloud infrastructure. These are just two examples of high-profile cloud breaches that traversed traditional security silos, making them challenging to prevent using siloed approaches.

Whether you’re responsible for securing cloud environments, or the entirety of your attack surface, even the best point tools will not give you the level of visibility needed to expose and close the gaps that attackers exploit to move across environments and compromise high-value targets.

Cloud-related breaches in the past 18 months

Source: Tenable, 2024 Cloud Security Outlook: Navigating Barriers and Setting Priorities

In this blog, we explore the SolarWinds and Capital One breaches, including the techniques used by attackers, and the security conventions that contributed to their success. More importantly, we explore how you can augment your existing security practices and understand the elusive attacker's perspective to help you shut down even the most sophisticated threat actors.

“Combined with the use of sophisticated authentication exploits, [the SolarWinds breach] also leveraged vulnerabilities and major authentication protocols, basically granting the intruder the keys to the kingdom, allowing them to deftly move across both on-premises and cloud-based services, all while avoiding detection.”

— Senator Mark R. Warner (D-Virginia), Chairman, U.S. Senate Select Committee on Intelligence, SolarWinds Hearing, Feb. 23, 2021

SolarWinds: Even the best cloud security solutions were ineffective

The breach of the SolarWinds Orion infrastructure management platform will go down in history as one of the costliest when measured in terms of total financial impact — estimated at nearly $1 billion — and sheer number of organizations affected. The United States government alone invested over $750 million to upgrade security systems in response. Insurers paid out $90 million in claims. And SolarWinds spent $40 million in just the first year, plus an additional $25 million to settle investor lawsuits.

Beyond the financial impact, the attack — which embedded malicious code into SolarWinds Orion software— introduced a layer of suspicion into a previously trusted and almost routine supply chain process used by countless vendors and customers.

Attackers reportedly directed by the Russian intelligence service first breached the SolarWinds development environment and injected the malicious code, known as Sunburst, into the Orion platform before the final build process. The software was then automatically sent to nearly 18,000 organizations, including the U.S. Department of Defense, the Department of Homeland Security, the Treasury Department, numerous government organizations in other countries, as well as leading enterprises including Cisco, Intel, Microsoft, Mandiant and Palo Alto Networks. The Sunburst code provided a back door attackers could use to gain initial entry into target organizations, along with machine privileges.

Threat actors did not honor security silos

The breaches of SolarWinds customers that followed frequently exploited the back door in the Orion software to gain an initial foothold on premises before moving laterally to the cloud. Attackers were able to move to the cloud despite varying degrees of existing cloud security tools, network segmentation and multi-factor authentication (MFA) in use at the targeted organizations.

After gaining initial access to the networks of the targeted organizations, attackers used popular tools and techniques to exploit unpatched vulnerabilities and misconfigurations and move laterally to high-value targets. For example, using mimikatz, attackers frequently accessed credentials stored as LSA Secrets to create a rogue domain controller in Microsoft Active Directory, ultimately leading to control over the Active Directory Federation Service.

Techniques used in the SolarWinds breaches

Source: Tenable, October 2024

Attackers then forge SAML tokens, bypassing MFA and allowing them to move laterally to clouds using SAML for SSO, such as Microsoft Azure and Office 360. Attackers were not only able to give themselves full administrative privileges, but they were authenticated as legitimate users. Once authorized to access the respective cloud, they were effectively unstoppable by traditional cloud security.

40% of organizations using Active Directory have unpatched critical or high severity vulnerabilities that are frequently exploited by attackers.

— Tenable Research, based on data from 9,000 organizations using Active Directory

Capital One: Without relationship context, security was an illusion

Unlike the SolarWinds breach, the Capital One breach targeted the company’s Amazon Web Services (AWS) cloud infrastructure and demonstrates the ease with which an attacker can move across security silos frequently seen in cloud infrastructure.

Web applications offer a primary way in for attackers

Source: Verizon 2024 Data Breach Investigations Report, Web applications were the number one ways-in vector, used in upwards of 60% of non-error, non-misuse breaches.

The attacker, a former Amazon Web Services (AWS) engineer, initially exploited an externally facing web application to gain machine privileges. They leveraged the machine identity to access credentials and elevate privileges further. And they ultimately exploited a misconfiguration to discover and exfiltrate sensitive data stored in cloud object storage. The result? Sensitive data from more than 100 million Capital One users was compromised.

What is not immediately obvious is that each of these findings is typically identified by separate security tools (and teams) — web application scanning, cloud security posture management (CSPM), and cloud infrastructure entitlements management (CIEM) respectively. Independently, all lacked the technical and business context needed to identify the criticality and entirety of the attack path.

Techniques used in the Capital One breach

Source: Tenable, 2024

A better approach to securing the modern attack surface

So what lessons can we take from these attacks, and how can we apply them in the context of our existing security program to drive better outcomes?

• Breaches can begin anywhere and attackers can move anywhere. Whether they originate on prem or in the cloud, some initial attack vectors are virtually impossible to prevent outright, such as supply chain or phishing attacks. It is therefore imperative to have complete visibility into all assets and their relationships across the attack surface to not only identify potential entry points, but also to close off opportunities for attackers to move laterally.

Select ways-in enumerations in non-error, non-misuse breaches over time

Source: Verizon 2024 Data Breach Investigations Report

• Every breach is an identity breach. Whether an attacker exploits a vulnerability or misconfiguration to compromise an asset, or uses a social engineering attack or stolen password to commandeer a user account, EVERY ATTACK looks to exploit identity — be it human or machine — to elevate privileges and ultimately gain control over crown jewels, such as administrator accounts and identity systems like Active Directory, or critical business applications and data stores.
• Security without context is an illusion. Security silos are a fact of life, and necessity in many cases, but without integrated visibility into assets, identities, risk relationships and their potential impact to crown jewels, organizations lack the attacker’s point of view needed to effectively identify and close viable attack paths — the ones attackers will ultimately exploit once they gain initial access.

The challenge, of course, is that traditional security tools are not designed with these considerations in mind.

Exposure management unifies visibility, insight and action

The role of exposure management platforms, such as Tenable One, is to unify visibility, insight and action across the attack surface. Tenable One not only discovers asset, identity and risk relationships across multi-cloud environments, it also discovers on prem IT, operational technology (OT) and internet of things (IoT) assets and identities. 

Exposure management is a preventative security strategy that leverages deep context, in the form of business-aligned asset, identity and risk relationships to distinguish ordinary risk findings from true exposure that can have a material impact on an organization. What makes exposure management different is that it looks at the entire attack surface (cloud, IT, OT, IoT, identities, applications), and the full spectrum of preventable risk (vulnerabilities, misconfigurations, human and machine privileges) which enable all breaches, exposing and closing viable attack paths before a breach can begin.

For example, Tenable One’s inventory includes human and machine identities and privileges from Active Directory — provided by Tenable Identity Exposure. This information is integrated with multi-cloud identities and privileges – provided by Tenable Cloud Security. Combined, they enable Tenable One to map technical and business relationships across traditional security boundaries, prioritizing attack paths such as those used in the SolarWinds and Capital One breaches. 

The short video below demonstrates how Tenable One can uncover and bridge visibility gaps exploited in the SolarWinds and Capital One breaches t so users can remediate high exposure attack paths before they can be exploited by attackers.

Source: Tenable, October 2024

Tenable One’s capabilities set it apart from other exposure management platforms in two key ways:.

• Cloud-only exposure management platforms (sometimes referred to as CNAPP) focus on public cloud assets, identities and risks. This means they can miss security risks that traverse cloud and hybrid environments.
• Other exposure management platforms focus on identifying assets across the attack surface (e.g. IT, OT, IoT, Cloud), but lack visibility into identities and their permissions, which are leveraged to progress virtually every attack.

To learn more about exposure management, download the whitepaper “Hackers Don’t Honor Security Silos: 5 Steps To Prioritize True Business Exposure.”

Learn more about Tenable products featured in this blog

• Tenable One is the world’s only AI-powered exposure management platform, designed to radically unify security visibility, insight and action across the modern attack surface to rapidly expose and close the priority gaps that drive up business risk. Security leaders rely on Tenable One to protect against attacks from IT to the cloud to OT and everywhere in between.
• Available as part of Tenable One, Tenable Cloud Security is a comprehensive CNAPP solution that simplifies identification and remediation of risk across multi-cloud environments. Unlike silo tools that leave visibility gaps, it maps every cloud asset, identity, sensitive data and risk – identifying toxic combinations of risk that pose the greatest threat to your business, and helps you close cyber exposure, and improve productivity.
• Also available as part of Tenable One, Tenable Identity Exposure equips modern enterprises with a new level of end-to-end protection from identity-based attacks. This singular solution isolates and eradicates the security gaps where identity-based exploits thrive. Reduce risk by finding and fixing priority exposures across your identity environment to strengthen your security posture and prevent attacks before they occur.

The post At Nearly $1 Billion Global Impact, the Best Cloud Security Couldn’t Stop This Hybrid Attack Path. Lesson: Map and Close Viable Attack Paths Before Breaches Begin. appeared first on Security Boulevard.