
The ‘SolarWinds hack’, a software supply-chain cyberattack recently discovered in the United States, has emerged as one of the biggest ever targeted against the US government, its agencies and several private companies.


About Speaker
Sudhakar is a progressive CEO and board member with a nearly 25-year track record of delivering strong business results in startup, mid-size and large companies. He has created and scaled businesses in enterprise software, cloud/SaaS, mobile platforms and applications, software-defined networking, security, unified communications and collaboration, and the service-provider segment.

Bikash Barai is the co-founder of FireCompass, an AI assistant for IT security decision makers. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital. He is also an early advisor at CISO Platform.

Fireside Chat (Recorded)

(Keynote) Zero Trust - By Bob Kalka

As enterprises battle to conquer the new normal, an old concept, ‘Zero Trust’, has come to the fore. What is Zero Trust, how pertinent is it to the situation businesses find themselves in, and what is the right approach to implementing the framework?

About Speaker
Bob Kalka, CRISC, is a Vice President in the IBM Security Business Unit. He has been involved in the information security industry for 20 of his 25 years with IBM. He has held a number of leadership positions in product management, sales, business development, marketing management and product development. He is a frequent international speaker on the relationship of business with information technology, cloud computing and security, and has had numerous papers and articles published on these topics. He also holds a United States patent related to secure distributed computing software.

Keynote (Recorded)

The Chief Information Security Officer (CISO) role has become more crucial to building a successful business; 33% of CISOs are expected to present directly to the board. Learn what the major metrics are, how to build a minimalistic dashboard and how to get the key message across without overloading the audience.

About Speaker
Allan Alford is CISO/CTO at TrustMAPP. Allan has 20+ years of leadership experience in the following industries: telecommunications, data services, tech, consultancies, security, startups, legal and education. He leverages startup and intrapreneurial leadership experience to streamline costs and grow revenue.

Bikash Barai is the co-founder of FireCompass, an AI assistant for IT security decision makers. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital. He is also an early advisor at CISO Platform.

Fireside Chat (Recorded)

Podcast Summary :

Q1 - What has been your most embarrassing moment in terms of reporting to the board?

A1 - Generally we have an allocated budget. But there was once when I had to ask for more money along with my CTO. I prepared to explain why we needed the extra money, but it wasn't close to the preparation needed. The board had lots of questions and I was baffled. It did not go well. It's crucial to understand what the board wants in order to be able to prepare. This can vary with the nature of the board members, the maturity of the company and more.

Q2 - What were the key factors in one of your most successful board meetings?

A2 - Every board is different. Some have a security sub-committee. Some board members do appreciate some technical facts, but not all. I had built a great relationship with this particular board, and the head of the committee understood technical details more. So what worked was a story-telling method with some technical data thrown in. Since they were enjoying it, I could get into more technical details and they understood. We were able to connect better. That was probably my best experience. Definitely start with a story. Add business-aligned data, which you can start with. You could add some more technical data, but that's generally not a good starting point.

Q3 - What do you prepare before a board meeting?

A3 - First, we'll assume we already know the board members and have had our first meeting before.

Slide 1 - What did we talk about last time? Where did we get to? What investment did it take? We basically try to prove the previous investment was a good investment. We discussed that I'd do X and need investment Y, and here is the proof of this being done. This may involve a timeframe, based on how much the board cares about operations.

Slide 2 - Top 5 outstanding business risks. Here's where we stand.

Slide 3 - Here's what I propose to do to tackle the current risk profile. This basically becomes slide 1 in the next board meeting.

So the flow is: here's what we did; here's where we are; here's what we will do next.

Tool tip: a CMMI analysis gives the organisation's security score. Over time, we show the improvement in the security score. It is imperative to highlight the top security risks. It is very important to demonstrate how security operations tie to the business goals for the year.

There's a huge gap between CISOs' understanding of business goals and the board's, alongside security. This stitching is very important. Suppose the revenue goal is X ARR. Change the narrative to find patterns in customer needs / RFPs.

Q4 - How do you build stories? How do you capture the heart of the board?

A4 - I always start with the classic ‘once upon a time’. We knew our current security risk status, and this was a business risk we needed to address. Show the journey of how the high-level risks were mitigated. Gartner has a maturity curve which is a poor man's CMMI; milestones are on the Gartner curve. Share the journey and credit the board and the business wherever credit is due. Winning over clients based on security being a key differentiator: show the success factors tied to security which led to the business goal's success. Use actual metrics and data to add the pepper (seasoning). If there's bad news, share it before the board meeting. Start your meeting with positive vibes. If there's a major decision to be taken, don't wait till the board meeting. Talk to board members beforehand and get them aligned, since board meetings are short. Marination is key to having a good barbecue.

Q5 - How many slides do you typically have in your presentation?

A5 - Generally 3 to 5 for a CISO and board meeting. This depends on how much emphasis the board puts on cyber security. If security is not a big slice of the board meeting, I'd make 1 slide. One of my biggest mistakes was when I created a hall of fame and hall of shame by putting together the security scores. This went down badly with the account holders, since they directly saw themselves going down in front of the board.

Q6 - What do you do during the board meeting? What works well?

A6 - Definitely provide the material ahead of time so they have time to digest it and come back with their feedback and questions. I'll present mainly the highlights, but I am really looking forward to their questions. They might have questions such as: they've seen the current events in security, and is your organisation prepared to handle them? Be ready for this. Is this saving us money? Making us money? A CISO can be prepared for the Q&A; generally the board meeting with security personnel is about 15-20 minutes.

Q7 - Example of connecting a business metric with security

A7 - Here are generally a few examples of business alignment.

  • Accelerate time to market.
  • Stand out from the competition.
  • Operational efficiency.

Let's say Zero Trust played a massive role during Covid. To improve efficiency, you need to make sure everyone is empowered to work from home, and that boosts work from home. Mention the X factor and Y factor associated with the efficiency impact when you implemented Zero Trust.
Example: MFA (multi-factor authentication). This one needs more technical details. Then show how it ties to the business goal, business risk and maturity score.

Q8 - Suppose you have to build a SOC. How would you show this to the board?

A8 - Take a SOC, for example. Obviously the highest risk is dealing with the unknown, not knowing what's going on, and a SOC addresses that. Show the reports from Gartner and CMMI that show it's a huge business risk. Demonstrate that the SOC aligns with one or more business goals; even partial alignment certainly helps. For an e-commerce company, a SOC can be used to prevent fraud, which has business impact.

Q9 - What should not be included in a board meeting?

A9 - Start with all the things you share with your team, then what you share with your peers, then what you share with the CEO. Then start rejecting what doesn't fit into your board meeting goals. Have some basic links in the slides to second-level detail. Since we start with the full folder, we can go back to details if and when needed. Demonstrate security and business control with the board.

Q10 - Success factors in a board meeting?

A10 - Never include something you want to do only once. Keep the same structure that you will consistently present to the board. No experiments; always make sure it's sustainable.

Q11 - Any follow-through after the board meeting?

A11 - Have someone with you at the meeting so they can note the commitments made at the meeting. Summarise and mention the things you're now due to do and set the timelines. If possible, do it at the meeting. See if any areas have challenges. It sorts out things and unrealistic expectations.

It's an ongoing challenge for the security world to continuously test the security controls in a network and prioritise remediation according to business impact. We'll learn best practices, a practical approach, how to empower teams, and security validation techniques.

About Speaker
Brad LaPorte has been on the front lines fighting cyber criminals and advising top CEOs, CISOs, CIOs, CxOs and other thought leaders on how to be as efficient and effective as possible. He has done this in advisory roles at the highest levels of top intelligence agencies, as a senior product leader at both Dell and IBM, at multiple startups, and as a top Gartner analyst.

Bikash Barai is the co-founder of FireCompass, an AI assistant for IT security decision makers. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital. He is also an early advisor at CISO Platform.

Fireside Chat (Recorded)

Key Points

1. Perspective on evolution. Why is continuous security validation important, and what is it all about?

Traditionally we would go through logs and try to figure out what went wrong. That was very time consuming.
Now things have changed with great tools, automation and cloud. The downside is that the same tools can be leveraged by criminals too. Slowly, the dark market of cyber crime has also grown into an economy of its own. Attackers are looking for a small window of opportunity, and that's where continuous security validation comes in.

2. Industry maturation. Tool kit for defenders

Understand that there will be breaches; nothing is breach-proof. Eventually organisations will end up in a series of data breaches, and that is the trend of the future.
Tool kit for defenders - ASM / ESM, CART, DAST.
It helps in understanding what's going on with the devices in the environment and what's vulnerable. It helps in not being blind. Then you can identify the areas that need action and work.

Breach simulation and attack-surface-reduction tools help. Security awareness and training is crucial, since it's a mindset and every person can be targeted, so it is important to educate. The fundamentals are still People, Process, Technology.

3. What's a good strategy for small and medium companies?

Small and medium-size companies may not have access to the latest and most innovative tools. They need to be honest about whether they need them, and understand their environment. Focus on the necessary areas instead of going by best practices: basics like multi-factor authentication, strict password rules, security monitoring, red/blue team practices and more. Use open source, e.g. crawling. Select tools with multiple specialities, like a Swiss Army knife.
As you grow your business, start investing in more advanced products based on your evolving needs.

4. What are some of the common success and failure factors when it comes to implementing continuous security validation?

This is highly dependent on the nature of the business, culture, financial goals and security goals. Set up the key metrics based on your goals.
Measuring is key. Adding loads of tools isn't helpful either; it's like adding hay, which makes it harder to find the needle (the attack).


We are very excited about the 13th year of the Summit. Here's a quick glance to help you see what the excitement is about.

Date & Venue : 2-3 June, 2021. Virtual Platform

Register here : https://bit.ly/3b56OaY

Keynotes By International Experts

  • Trends In Modern Security Operations - Dr Anton Chuvakin
  • There Is No Magic In Cyber - Florian Hansemann
  • The As, Bs And Four Cs Of Testing Cloud-Native Applications - Dan Cornell
  • Cybersecurity Challenges Of IoT - Chuck Brooks
  • The Tale Of The APT - Raj Samani
  • The Entire Security Industry - Richard Stiennon

Fireside By International Experts

  • Continuous Security Validation And Practical Strategies - Brad LaPorte
  • 10 Emerging Threats To Enterprise Applications - Mike Spanbauer
  • How to Present Cyber Security Risk To Senior Leadership - Allan Alford

Panel By International Experts

  • Guide To Ransomware Prevention, Response And Recovery - Ziauddin Ansari, Raghvendra Verma, Mohammed Siddiq, Mohammed Azmathulla Shaik
  • How Nation State Attacks Are Fundamentally Changing Cybersecurity - Matthew Rosenquist, Herb Kelsey
  • How To Protect Against The Latest Threats - Ravi Kumar, J. Gokulavan, Dilip Panjwani
  • Next Generation Red Teaming - Securing The Security Posture Of Your Organization - Vijay Kumar Verma, Milind Mungale

Workshops By International Experts

  • Python OSINT Collection from Geographic Hot Spots – Live While They Happen
  • Red and Blue Team Joint Operations: Learning the Offensive/Defensive TTPs
  • Practical Mobile App Attacks By Example
  • CEMA and CEWO - Weaponized RF And Its Role In Warfare Operations
  • An Introduction To The OWASP ModSecurity Core Rule Set
  • Threat Hunting 360 – Where To Look
  • A Stroll Through The Kill Chain
  • Privacy Aspects When Providing Digital Products And Services
  • Framing The Importance Of Cybersecurity To Non-Technical People
  • Every CISO's First 90 Days On The Job
  • Learning Vendor Governance
  • Challenges of Shadow IT In The Post-Covid World
  • Security Transition – A New Perspective On Security For The Board By The CISO
  • Defending Docker Implementations
  • Cyber Security In The Power Grid
  • DPO: The New Destination For CISOs
  • Internet Security For Kids

Register Now : https://bit.ly/3b56OaY


In keeping with the latest happenings in information security, this article covers the 10 finalists of the RSA Innovation Sandbox contest held at the RSA Conference, the world's leading information security conference. Companies with innovative products and disruptive technologies are given a platform to pitch their products. The competition promotes innovative thinking and encourages out-of-the-box ideas.

The finalists have to demonstrate their products and deliver a three-minute presentation in front of the attendees and the judging panel. Based on the participants' demonstrations and presentations, the judges decide the winner.

List of Finalists:

Winner of RSA Innovation sandbox 2020 contest : 

SECURITI.ai

Headquarters: San Jose, California

Founded: 2018

Current CEO: Rehan Jalil

SECURITI.ai is a leader in AI-powered PrivacyOps. Its PRIVACI.ai solution automates privacy compliance with patent-pending People Data Graphs™ and robotic automation. It enables enterprises to give rights to people on their data, comply with global privacy regulations and build trust with customers.

Other Finalists

AppOmni

Headquarters: San Francisco

Founded: 2018

Current CEO: Brendan O'Connor

AppOmni is a leading software-as-a-service (SaaS) security and management platform providing data access visibility, management, and security of SaaS solutions. AppOmni's patent-pending technology deeply scans APIs, security controls, and configuration settings to secure mission-critical and sensitive data.

BluBracket

Headquarters: Palo Alto, California

Founded: 2019

Current CEO: Prakash Linga

BluBracket is an enterprise security solution for code in a software-driven world. BluBracket gives companies visibility into where source code introduces security risk while also enabling them to fully secure their code—without altering developer workflows or productivity.

Elevate Security

Headquarters: Berkeley, California

Founded: 2017

Current CEO: Robert Fly

Elevate Security solves for the human element. Using data companies already have, Elevate Security scores employee risk based on their security actions, showing actionable trends while delivering personalized communications that nudge employees to better security habits. 

ForAllSecure

Headquarters: Palo Alto, California

Founded: 2012

Current CEO: David Brumley

ForAllSecure aims to secure the world’s software. Using patented technology from CMU research, ForAllSecure delivers a next generation fuzzing solution to Fortune 1000 companies in telecom, aerospace, automotive and more. DARPA named ForAllSecure a Cyber Grand Challenge winner and MIT Tech Review named it one of the 50 Smartest Companies. 

INKY Technology

Headquarters: Maryland

Founded: 2012

Current CEO: David Baggett

INKY is an industry leader in mail protection powered by unique computer vision, artificial intelligence, and machine learning. The company's flagship product, INKY Phish Fence, uses these novel techniques to "see" each email much like a human does, to block phishing attacks that get through every other system.

Obsidian Security

Headquarters: California

Founded: 2017

Current CEO: Glenn Chisholm

Obsidian Cloud Detection and Response delivers frictionless security for SaaS. Using a unique identity graph and machine learning, Obsidian stops the most advanced attacks in the cloud. Unified visibility across applications, users, and data provides threat detection, breach remediation, and security hardening with no production impact.

Sqreen

Headquarters: Paris

Founded: 2015

Current CEO: Pierre Betouin

Sqreen is the application security platform for the modern enterprise. Organizations of all sizes trust Sqreen to protect, observe and test their software. As opposed to pattern-based approaches, Sqreen analyses in-app execution in real time to deliver more robust security without compromising performance.

Tala Security

Headquarters: Fremont, California

Founded: 2016

Current CEO: Aanand Krishnan

Tala safeguards the modern web against client-side risk. Tala’s AI-driven analytics engine continuously interrogates site architecture to work in concert with an advanced automation engine that activates standards-based security to prevent a broad range of client-side attacks like magecart, XSS, session re-directs, and client-side malware. 

Vulcan Cyber

Headquarters: Israel

Founded: 2018

Current CEO: Yaniv Bar-Dayan

Vulcan is a vulnerability remediation and orchestration platform that is modernizing the way enterprises reduce cyber risk. With its remediation-driven approach, Vulcan automates and orchestrates the vulnerability remediation lifecycle, enabling security, operational and business teams to effectively remediate cyber risks at scale.

(Source: RSA USA 2020, San Francisco)


The IoTForum and CISOPlatform co-organised IoT Security Panel brings together cyber security veterans from large security consulting companies, Fortune 1000 security vendors, startups, academia and end users. The panelists delve into state-of-the-art products and ongoing research to secure devices, networks and embedded applications.

They discuss the organisational changes required in going from segregated IT and OT to a hybrid world, the investments happening in IoT security, and upcoming regulations and laws, especially the new IoT security law sitting on the current US President's desk. The panelists also focus on recent developments in AI aiding both attackers and defenders. With a broad MNC, consulting and startup ecosystem already thriving in India, what specific areas of research, products and consulting opportunities in IoT security do the panelists see emerging from India?

Panelists : 
Arnab Chattopadhayay (moderator), Associate Director, IBM
Kingshuk Banerjee, SVP, Hitachi Research
Sandeep Shukla, Poonam and Prabhu Goel Chair Professor and Head of the Computer Science and Engineering Department, Indian Institute of Technology Kanpur (IIT Kanpur)
Scott Hankins, CEO & Co-Founder, Priatta Networks
Khiro Mishra, Global Head - Cybersecurity, NTT
Brian de Lemos, VP, Palo Alto Networks

Recorded Session : 

Key Areas We Try To Address In The Session : 

- IoT security impact on healthcare
- How customers' perception of IoT security is changing
- How business is being impacted by this change of perception
  1. Federated learning, driven by the need for real-time anomaly detection done in a federated manner using signature-based methods
  2. Consolidation
  3. Orchestration
  4. Malware detection
- IIoT in Indian PSUs, especially in the power sector
- Impact of AI on IoT
- Lack of appreciation of cyber security
- Research at scale
- Shifting focus to the network for securing IoT devices
- Identifying device behaviour
- Focus on enterprise IoT, e.g. HVAC, smart city, distributed enterprises
- Geography-wise and industry-maturity-wise: what are the key pain points in adopting IoT security
- How companies like NTT are working with companies to address those challenges

We are hosting a session and invite everyone interested to join us, along with their security team members. Please also share it with others who would find it valuable.

Workshop : How To Perform Penetration Testing On Industrial Control Systems And Operational Technology Safely

17th December, Thursday (6:30 PM India or 8 AM EST)

Duration : 6 hours

About Session : 

Industrial control systems (ICS), including supervisory control and data acquisition (SCADA), are found in many national critical infrastructure industries such as oil and natural gas, electric utilities, transportation, petrochemicals and refining, water and wastewater, pharmaceuticals, and manufacturing. Because these systems must remain highly available, any security testing must ensure that they are not affected operationally: traditional IT penetration testing techniques are too harsh and potentially damaging to these sensitive systems. This educational presentation first gives an overview of how ICS systems work, their vulnerabilities, and the threats to them. The second part of this short training course dives into proven methodologies and tools that our team has used to safely perform penetration testing on these systems. Lastly, the talk concludes with best practices to secure and defend ICS and OT systems from cyber incidents.

Agenda

  • ICS Systems Overview
    • ICS Inputs, Outputs, and Sensor Networks
    • Controllers, Embedded Systems and Protocols
    • SCADA and ICS Protocols

  • Penetrating ICS Systems Safely
    • Recent Threats to ICS-SCADA Systems
    • ICS System Testing Methodology
    • Penetration Testing ICS Systems - OSINT and Internet Layer
    • Penetration Testing ICS Systems - Corporate Layer
    • Penetration Testing ICS Systems - OT DMZ and HMI Layers (3 and 2)
    • Penetration Testing ICS Systems - ICS Protocols and Controllers Layer

  • ICS Defense-in-Depth and Risk Management Strategy
    • SCADA DMZ Design and Network Segmentation
    • SCADA Remote Access Design Considerations        
    • Deployment of IDS/IPS - Including Custom Signatures
    • Security Event Monitoring and Logging for SCADA
    • Overview of Security Frameworks that impact SCADA (NIST 800-53, NIST 800-82, ISA S99, CFATS, NERC CIP)


Speaker Details : 

Jonathan Pollet
Founder at Red Tiger Security, Black Hat USA Trainer

He has over 20 years of experience in both Industrial Process Control Systems and Cyber Security. In 2001 he began to publish several white papers that exposed the need for security for Industrial Control Systems (ICS). Pollet and his team have conducted over 300 security assessments of live Industrial Control Systems globally. Throughout his career, he has been involved with SANS, IEEE, ISA, ISSA, EEI, UTC, CSIA, NERC, and several other professional societies and has spoken in over 200 conferences and workshops around the world. He has also been featured on Fox News, CNN, CNBC, Vanity Fair, Popular Mechanics, CIO Magazine, and several security publications.


Hello,
We're excited to bring you some awesome security minds who have generously contributed to making security knowledge accessible to the community. We're giving free passes to the community, and we request that you tag your security peers and everyone else to sign up.

Below are a few featured workshops.

[Nullcon Training] (1/2 Day) Unlocking Secrets of Android Application Hacking

  • Speakers : Rewanth Cool (Nullcon Trainer) & Hrushikesh Kakade (Nullcon Trainer)
  • Includes : Linux Internals, Boot Process, Android Architecture, Security Architecture, Application Components, Android Debugging, Static Analysis, Application Reversing, Analysing Smali Code, Dynamic Analysis

[DEFCON Training] (1/2 Day) The Kill Chain Workshop

  • Speakers : William Martin (CISSP, Trainer @DEFCON)
  • Includes : Penetration Testing Types & Methodologies; Preparing For A Test; External Network Attacks & Kill Chains; Endpoint Compromise, Evasion, and Enumeration; Internal Network Attacks & Kill Chains; Environment Hardening & Detection Tuning

[Blackhat Training] (1 Day) Penetration Testing On ICS & Operational Technology

  • Speakers : Jonathan Pollet (Blackhat Trainer)
  • Includes : ICS System Overview; SCADA & ICS Protocols; Penetrating ICS Systems; Testing Methodology (OSINT, Corporate Layer, ICS Protocols, Controllers Layers); ICS Defense-in-Depth and Risk Management Strategy; Event Monitoring & Logging; Security Frameworks

[OWASP Training] (1/4 Day) API Security Workshop

  • Speakers : Inon Shkedy (OWASP Trainer, Contributor)
  • Includes : Understanding the underlying implementation of the application from the API traffic; Detecting potentially vulnerable points in APIs; Advanced exploitation techniques for BOLA (IDOR), Mass Assignment, BFLA, Excessive Data Exposure and more; Examples of complex, multi-step API exploits; Performing a successful and effective pen test of modern applications

[Industry Expert Training] (1/2 Day) How To Build An Effective SOC Workshop

  • Speakers : Amit Modi (Renowned Expert | Blockchain Enthusiast)
  • Includes : What is a SOC, including the three pillars of a SOC; What is Expected of a SOC; Technologies Involved; SIEM Evaluation Criteria; How to Increase SOC Maturity; How to Define a Use Case; How to Build a Use Case; How to Build SOC Processes; How a SOC Can Be a Business Enabler; MSSP vs. On-Premise SOC; Key Considerations to Run It Effectively; How to Perform Incident Management; How to Automate Incident Management; Challenges of SIEM; Evolution & Role of SOAR in Incident Management; Advantages of SOAR; Key Elements to Look For in SOAR; SOAR Evaluation Criteria


I am highly excited to tell you that the 'Call For Speakers' for the 'Best Of The World In Security' conference is now open.
We are even more excited because now is the time when we receive your innovations, your papers and the most exciting hacks of this year.

>> Link to apply for call for speakers here

Below I share a few details that could help you submit your papers.

Step 1 - Choose Your Speaking Slot

We believe in sharing knowledge that is short, great and impactful, and we don't believe in restricting thoughts or their sharing, so choose the speaking slot most apt to your talk.

  • TED Style (30 minutes) - this invites top speakers and security researchers from across the world who have made significant contributions to the field of security in the recent past
  • Deep Dive (4 hours+) - a deep-dive, workshop-style session in which a particular topic is covered in detail

Step 2 - Choose The Domain Of Your Talk

You can freely select any cyber security domain under 'Technology' or 'Security Metrics and Management'; a list is linked from the call for speakers page.

However, we are particularly keen this year on below domains 

  • Secure coding
  • API security
  • Cloud security
  • Pentesting
  • SOC (SIEM)

Step 3 - Create An Awesome Topic

For this, previous topics can always be very helpful in understanding both your best area of communication and the audience expectations. Here are a few-

  • (Deep Dive) The 'Dark Web' Workshop (1 day)
  • (Deep Dive) Workshop On 'Windows Malware 101: Reverse Engineering And Signature Generation' (6 hour)
  • (Deep Dive) Workshop In SDN Security (4 hour)
  • (Deep Dive) 'Practical Exploitation of IoT Networks & Ecosystem' Workshop (1 day)
  • (Ted Style Talk) The Notorious 9 in Cloud Security Architecture in Business
  • (Ted Style Talk) Security Landscape for CISO Post Covid
  • (Ted Style Talk) FOMO in Cyber Security: Top 10 CISO Learnings
  • (Ted Style Talk) A Sprint to Protect POS

Step 4 - You Did It, Sit back and Relax

Submit your application and relax. Great, You're done! Our review board will review the content and get back to you via email. Make sure you've used an email you check frequently

P.S. - We are unable to allot speaking slot to everyone right now. We hope it's possible in future. For now our review board selects the speakers as mentioned above.  

Important Date & Links

Last date of submission 30th September

Call for speakers submission link here

Conference Page link here


New Malware 'Ensiko' with Ransomware Capabilities

About Ensiko

This malware is a threat to any system using PHP. It can be used remotely by someone to carry on malicious activities. It is capable of executing shell level (OS) commands and send it back to remote executioner. It also scans systems and servers for particularly sensitive or valuable information.


Few Technical Details

  • The malware can be password-protected.
  • The file-encryption component is one of the capabilities that can be used to wage attacks against servers.
  • According to the researchers at Trend Micro, the malware uses PHP RIJNDAEL_128 algorithm with CBC mode to encrypt files in a web shell directory.
  • Another function includes the recursive overwrite of all files with a specified extension in a directory of a web shell.

What Are Researchers Saying ?

Ensiko is a PHP WebShell that can affect Windows, macOS and Linux systems. Trend Micro analyst Aliakbar Zahravi explains how the newly-discovered malware can remotely control the system and infect the machine.

Security researchers at Trend Micro reported a new malware with a host of capabilities including remote server control and encryption. Dubbed Ensiko, the malware is a WebShell security threat, capable of performing malicious activities at the behest of its operator.

Aliakbar Zahravi, Malware Analyst at Trend Micro wrote in a blog that Ensiko is written in PHP and can victimize any internet-facing server or system running on an environment that supports PHP. This makes Windows, macOS as well as Linux susceptible to Ensiko attacks. As is the case with typical WebShell, Ensiko can execute code and scripts to gain remote server administration and control.

Once a system is infected, Ensiko can exhibit ransomware capabilities by encrypting stored files. It implements PHP RIJNDAEL_128 in CBC block cipher mode to encrypt files.

Once the files are encrypted, the malware, now acting as ransomware, appends a .bak extension to them.

Malicious Capabilities

Ensiko’s capabilities can also be used to disrupt services, for example by defacing websites, and to exfiltrate and disclose sensitive server data. It can also be used to carry out brute-force attacks against File Transfer Protocol (FTP), cPanel, and Telnet logins.

A threat actor can potentially load additional tools for malicious activity from Pastebin, which Ensiko stores in tools_ensikology. Furthermore, an image file’s EXIF data headers are leveraged for hiding and later extracting code using the Steganologer function. Zahravi illustrates this with the image below.

Password-Protected Malware?

One of the unconventional characteristics of Ensiko is that it can be password-protected, requiring authentication before use. It also incorporates a hidden input form for login, as shown below.

This article was originally published here
(Please check sources and detailed blog on the same)
Read more…


This blog was originally contributed by Apoorv Saxena, technical team, FireCompass over here

At the end of May a researcher using the pseudonym “chompie” published a tweet that showed a working PoC for CVE-2020-0796 (SMBGhost), expecting a similar disclosure from ZecOps security researchers. As part of Microsoft's June 2020 Patch release on June 9, ZecOps researchers disclosed a new vulnerability, with PoC, in Microsoft SMB named SMBleed. ZecOps combined SMBGhost and SMBleed to gain unauthenticated RCE and published a GIF of the working PoC.
The Airbus security team also disclosed a vulnerability, SMBLost, which is exploitable only if the attacker has user credentials to connect to a remote shared folder.
The more lethal combination is SMBleedingGhost: achieving unauthenticated RCE with SMBGhost and SMBleed together.

CISO Platform Members Get Access To A Few Free SMBleed Vulnerability Scans (*limited) Get a free scan here

What is the business impact?

The vulnerability received a CVSS score of 10, which means that if exploited it can give an attacker highly privileged access to the exploited machine, from which they can move laterally to connected machines.


Root Cause

The SMBleed vulnerability lies in the Srv2DecompressData function in the srv2.sys SMB server driver, the same function as SMBGhost. It receives the compressed message sent by the client, allocates the required amount of memory, and decompresses the data.

Then, if the Offset field isn’t zero, the Srv2DecompressData function takes the data placed before the compressed data and copies it, as is, to the beginning of the allocated buffer. See appendix for a simplified version of the function.


Technical Analysis

SMBGhost Inadvertently Revealed

On March 12, Microsoft published an out-of-band advisory for CVE-2020-0796, a remote code execution (RCE) flaw in SMBv3 that was inadvertently revealed in Microsoft’s March 2020 Patch Tuesday release. Within one day, security researchers from KryptosLogic and SophosLabs published proof-of-concept (PoC) scripts that could trigger a blue screen of death (BSoD) on vulnerable systems. At the time there was an expectation that a PoC achieving RCE would be released.

Gaining RCE using CVE-2020-0796

In April, a report from researchers at Ricerca Security stated they were able to construct a PoC for CVE-2020-0796 to gain RCE. However, the researchers opted not to publicly share their script to “avoid abuse,” instead offering it to their paying customers.

At the end of May, a researcher known by the pseudonym “chompie” published a tweet that showed a working PoC for CVE-2020-0796 capable of gaining RCE.


One day later, chompie decided to publicly release their PoC for “educational purposes” with the expectation that ZecOps would be publishing a PoC of their own “in the coming days.” The researcher stressed that the PoC “needs some work to be more reliable.”


Wait and SMBleed

On June 9, Microsoft released an advisory for CVE-2020-1206, an information disclosure vulnerability in SMBv3 due to an issue in handling compressed data packets. It was discovered and disclosed by researchers at ZecOps, who have dubbed the flaw “SMBleed.”


SMBleed builds on previous research surrounding SMBGhost. ZecOps published a blog post at the end of March that included a PoC for gaining local privilege escalation using SMBGhost. In their latest blog post, ZecOps says the SMBleed vulnerability exists in Srv2DecompressData, which is “the same function as with SMBGhost.” It is likely that they identified SMBleed during their analysis of SMBGhost.

SMBleedingGhost: Achieving RCE with SMBleed and SMBGhost

ZecOps cautions that unauthenticated exploitation of SMBleed, while possible, is “less straightforward.” As a result, they combined both SMBleed and SMBGhost to gain unauthenticated RCE. They’ve not yet provided technical details about chaining the two flaws together. However, they did share a PoC as well as a GIF that shows them gaining RCE.


Haunted by EternalBlue

In our blog for CVE-2020-0796, we alluded to the potential similarity between SMBGhost and EternalBlue (CVE-2017-0144), an RCE vulnerability in SMBv1 that was used as part of the WannaCry attacks in 2017. The comparison was clear to many, so much so that CVE-2020-0796 was initially dubbed EternalDarkness by security researcher Kevin Beaumont, in addition to its SMBGhost moniker. However, since the vulnerability only affects SMBv3, its potential for a WannaCry-level impact was mitigated by the fact that the flaw only resides in specific versions of Windows, such as Windows 10 and Windows Server 2016.

SMBLost In Space

In addition to SMBleed, Microsoft also released an advisory for CVE-2020-1301, an RCE vulnerability in SMBv1 due to an improper handling of a specially crafted SMBv1 request. The vulnerability was disclosed to Microsoft by researchers at Airbus’ cybersecurity division.

On June 9, Airbus published a blog post by vulnerability researcher Nicolas Delhaye, detailing their discovery of CVE-2020-1301, which they’ve dubbed SMBLost.

Unlike SMBGhost and SMBleed, SMBLost is more akin to EternalBlue because it impacts SMBv1. However, as Delhaye notes in his blog, SMBLost is “much less harmful” than SMBGhost and EternalBlue due to two mitigating circumstances:

  1. SMBLost is post-authentication (valid credentials), whereas SMBGhost and EternalBlue are pre-authentication (no credentials).
  2. The presence of a shared partition on the vulnerable SMBv1 server (e.g. “c:\” or “d:\”) is required for exploitation, which Delhaye notes is “less common.”

Airbus provided a proof of concept for SMBLost in their blog, which results in denial of service (DoS) by way of a BSoD.


As a caveat, the blog post mentions that using SMBLost to gain RCE “seems conceivable,” but they believe it will be “difficult to make it reliable.” In the case of SMBGhost, a similar situation occurred where the only PoCs to emerge initially were for a DoS and Local Privilege Escalation (LPE). While there is no RCE currently available for SMBLost, it is possible that determined researchers or attackers could find a way to develop a reliable PoC to gain RCE in the near future.

How FireCompass Can Help?

FireCompass has a continuous monitoring system which looks at the complete attack surface of the organization and all its exposed services. It notifies the organization when a new vulnerability arises, whether through a released CVE or through a misconfiguration. Get a free scan here


Mitigation - How Can You Fix It?

There are several ways to mitigate the risk from the SMBleed vulnerability.

1. Windows Update

The most recommended solution is to apply Windows updates: 

Windows Version              KB
Windows 10 Version 1903      KB4560960
Windows 10 Version 1909      KB4560960
Windows 10 Version 2004      KB4557957

Mitigation through workarounds

However, we realize that applying an update is not always an option. This is why we’ve attached several workarounds, which could help mitigate the risk immediately.

2. Disabling SMB 3.1.1 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force

Notes: 

  1. No reboot is needed after making the change. 
  2. This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ to protect clients. 
  3. SMB Compression is not yet used by Windows or Windows Server, and disabling SMB Compression has no negative performance impact.

You can disable the workaround with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 0 -Force


3. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. 


4. Blocking port 445 inside the enterprise where not needed

Where it is not needed, block port 445 on the relevant assets. This will stop lateral movement that relies on these vulnerabilities.

At FireCompass we have a continuous monitoring system which looks at the complete attack surface of the organization and all its exposed services. It notifies the organization when a new vulnerability arises, whether through a released CVE or through a misconfiguration. Get a free scan here

Read more…

CISO Report: Monthly Breach Report June 2020


This is a cross post from original source at FireCompass here

This report summarizes the top breaches between mid May and mid June 2020, covering the major breaches the world has seen. It helps you keep track of the latest hacks and safeguard your organization by looking at the trends. We share insights into each breach.

1.“Bank Of America (BofA) Data Breach”

Bank of America Corporation in late May notified customers of a third-party breach involving its PPP (Paycheck Protection Program) applications. Compromised information included Address/TIN, Name, SSN, Phone, Email and Citizenship Status. The number of accounts affected was not declared. Officials have stated that necessary measures are being taken.

2.“BHIM Wallet App Data Breach”

Another Amazon S3 bucket misconfiguration data breach. Since it concerns a payment app, the breach exposed financial and personal details. Approximately 7 million Indian citizen records are affected. The exposed data includes Aadhaar number, DOB, name, gender, biometrics, PAN, address etc. NPCI has denied any breach. *P.S: The breach was at the CSC (Common Service Center), which is responsible for the website, and has nothing to do with the payment app BHIM itself. The company responsible for development of the website and the custodian of the sensitive data is understood to be CSC e-Governance Services Ltd. The CSC scheme is one of the mission mode projects under the Digital India Programme.

3.“Joomla Data Breach”

Joomla is an open source CMS (content management system). A member of the team left a complete backup of the JRD site (resources.joomla.org) on an AWS S3 bucket. The backup is known to have been unencrypted and to have held around 2,700 registrants. If exposed, details such as name, business id, phone, nature of business, encrypted password etc. could have been disclosed.

4.“Keepnet Data Breach”

Keepnet Labs disclosed that a contractor exposed a database of 5 billion records. During maintenance, the firewall was paused for a few minutes, during which the database was indexed by BinaryEdge. After this the link was accessible without a password. However, no customer data was exposed; the database only held previously publicly available data.

5.“MU Health Data Breach”

MU Health Care (Missouri) has notified patients of a September data breach. Information stolen may include name, DOB, medical record numbers, health insurance details etc. The incident involved unauthorized access to email accounts of MU students affiliated with MU Health.

6."San Antonio Aerospace Breach"

The Maze ransomware gang hit VT San Antonio Aerospace and released data (unencrypted files) taken from the company’s compromised devices. The company is a major American MRO (maintenance, repair, overhaul) provider. It works with defense services, governments and commercial customers in 100+ countries.

Get a free report of your organization’s attack surface from a hacker’s viewpoint (Unsanctioned Cloud Assets, Digital Footprint, Phishing Risks, Misconfigured Infrastructure & more.) The report will be shown as a part of the demo. Here is the link To Get A Free Report
* Limited number of assessments

Read more…

Third party vendors and suppliers often have access to your network and your organisation's confidential information. The best way to prevent a data breach is to have a robust program to assess how your third parties are managing their risk and protecting your data. Organisations must have a clear understanding of the risks inherent in their business relationships with third parties. How should you approach managing third party risk?

Wayne Tufek (Frequent speaker at RSA Conference) will be joining us to discuss the topic

>> Register here to join us here

What Will You Learn?

-Discuss the major failings of traditional third party risk management programs
-Creating a supply chain awareness program
-Creating a comprehensive catalogue of vendors and suppliers
-Risk based segmentation of identified vendors and suppliers
-Risk assessment and rules based due diligence activities
-The key contractual clauses all contracts with third parties should contain and why
-Methods for continuous monitoring
-How to develop and present a supplier risk dashboard for management
-A model for a comprehensive process to effectively and efficiently manage third party risk

>> Register here to join us here

Read more…

Maze Ransomware Attacks Cognizant

Cognizant, a large enterprise, has released a notification regarding a Maze ransomware attack. The team is working on various aspects to contain the incident. However, this puts us in a sobering position, showing how vulnerable even major companies are. There have been various previous reports on this notorious malware.

Maze Ransomware Hits Cognizant

Currently, the company has issued a statement saying that its cyber security team is actively taking steps to contain the attack. It has had service disruptions in certain areas due to the attack.

Detailed Blog Contains:
  • Current incident status
  • How it happened?
  • What could be done to prevent it?
>> Read the detailed blog here : Blog on Maze Ransomware Attack On CTS
Read more…
Topic : Evolution Of AI : Past, Present, Future (Dr. Monojit Choudhury)
Brief - This session is about AI and how AI revolutionized almost every aspect of human lives - from healthcare to agriculture, and from fashion to political campaigns. There is a lot of excitement as well as fear around the future promises of AI. Yet, speculations abound that we are soon going to hit the third AI winter. In this talk, I will try to address some of these questions and speculations. I will use examples from the domain of Natural Language Processing (NLP) - allegedly one of the hardest areas of AI - to illustrate what we have achieved, what the promises offered by the recent advances in deep learning are, and why there are certain problems that are too difficult for any of the current approaches to handle. I will also highlight the non-AI aspects of AI system building (aka data creation and engineering), which are the unsung foundations of most practical AI systems.

Dr. Monojit Choudhury - Security Research, Artificial Intelligence

>> Download The Full Guide With Access To All Talks Here

Read more…