Month: August 2022

Open Port Vulnerabilities List

Insufficiently protected open ports can put your IT environment at serious risk. Threat actors often seek to exploit open ports and their applications through spoofing, credential sniffing and other techniques. For example, in 2017, cybercriminals spread WannaCry ransomware by exploiting an SMB vulnerability on port 445. Other examples include the ongoing campaigns targeting Microsoft’s Remote Desktop Protocol (RDP) service running on port 3389.

Handpicked related content:

Read on to learn more about the security risks linked to ports, vulnerable ports that need your attention and ways to enhance the security of open ports.

A Refresher on Ports

Ports are logical constructs that identify a specific type of network service. Each port is linked to a specific protocol, program or service, and has a port number for identification purposes. For instance, secured Hypertext Transfer Protocol (HTTPS) messages always go to port 443 on the server side, while port 1194 is exclusively for OpenVPN.

The most common transport protocols that have port numbers are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is a connection-oriented protocol with built-in re-transmission and error recovery. UDP is a connectionless protocol that doesn’t recover or correct errors in messages; it’s faster  and has less network overhead traffic than TCP. Both TCP and UDP sit at the transport layer of the TCP/IP stack and use the IP protocol to address and route data on the internet. Software and services are designed to use TCP or UDP, depending on their requirements.

TCP and UDP ports are in one of these three states:

  • Open — The port responds to connection requests.
  • Closed — The port is unreachable, indicating that there is no corresponding service running.
  • Filtered — The firewall is monitoring traffic and blocking certain connection requests to the port.

Security Risks Linked to Ports

Numerous incidents have demonstrated that open ports are most vulnerable to attack when the services listening to them are unpatched or insufficiently protected or misconfigured, which can lead to compromised systems and networks. In these cases, threat actors can use open ports to perform various cyberattacks that exploit the lack of authentication mechanisms in the TCP and UDP protocols. One common example is spoofing, where a malicious actor impersonates a system or a service and sends malicious packets, often in combination with IP spoofing and man-in-the-middle-attacks. The campaign against RDP Pipe Plumbing is one of the latest to employ such a tactic. In addition, ports that have been opened on purpose (for instance, on a web server) can be attacked via that port using application-layer attacks such as SQL injection, cross-site request forgery and directory traversal.

Another common technique is the denial of service (DoS) attack, most frequently used in the form of distributed denial of service (DDoS), where attackers send massive numbers of connection requests from various machine to the service on the target in order to deplete its resources.

Vulnerable Ports that Need Your Attention

Any port can be targeted by threat actors, but some are more likely to fall prey to cyberattacks because they commonly have serious shortcomings, such as application vulnerabilities, lack of two-factor authentication and weak credentials.

Here are the most vulnerable ports regularly used in attacks:

Ports 20 and 21 (FTP)

Port 20 and (mainly) port 21 are File Transfer Protocol (FTP) ports that let users send and receive files from servers.

FTP is known for being outdated and insecure. As such, attackers frequently exploit it through:

  • Brute-forcing passwords
  • Anonymous authentication (it’s possible to log into the FTP port with “anonymous” as the username and password)
  • Cross-site scripting
  • Directory traversal attacks

Port 22 (SSH)

Port 22 is for Secure Shell (SSH). It’s a TCP port for ensuring secure access to servers. Hackers can exploit port 22 by using leaked SSH keys or brute-forcing credentials.

Port 23 (Telnet)

Port 23 is a TCP protocol that connects users to remote computers. For the most part, Telnet has been superseded by SSH, but it’s still used by some websites. Since it’s outdated and insecure, it’s vulnerable to many attacks, including credential brute-forcing, spoofing and credential sniffing.

Port 25 (SMTP)

Port 25 is a Simple Mail Transfer Protocol (SMTP) port for receiving and sending emails. Without proper configuration and protection, this TCP port is vulnerable to spoofing and spamming.

Port 53 (DNS)

Port 53 is for Domain Name System (DNS). It’s a UDP and TCP port for queries and transfers, respectively. This port is particularly vulnerable to DDoS attacks.

Ports 137 and 139 (NetBIOS over TCP) and 445 (SMB)

Server Message Block (SMB) uses port 445 directly and ports 137 and 139 indirectly. Cybercriminals can exploit these ports through:

  • Using the EternalBlue exploit, which takes advantage of SMBv1 vulnerabilities in older versions of Microsoft computers (hackers used EternalBlue on the SMB port to spread WannaCry ransomware in 2017)
  • Capturing NTLM hashes
  • Brute-forcing SMB login credentials

Ports 80, 443, 8080 and 8443 (HTTP and HTTPS)

HTTP and HTTPS are the hottest protocols on the internet, so they’re often targeted by attackers. They’re especially vulnerable to cross-site scripting, SQL injections, cross-site request forgeries and DDoS attacks.

Ports 1433,1434 and 3306 (Used by Databases)

These are the default ports for SQL Server and MySQL. They are used to distribute malware or are directly attacked in DDoS scenarios. Quite often, attackers probe these ports to find unprotected database with exploitable default configurations.

Port 3389 (Remote Desktop)

This port is used in conjunction with various vulnerabilities in remote desktop protocols and to probe for leaked or weak user authentication. Remote desktop vulnerabilities are currently the most-used attack type; one example is the BlueKeep vulnerability.

Tips for Strengthening the Security of Open Ports

Luckily, there are ways to enhance the security of open ports. We highly recommend the following six strategies:

1. Patch firewalls regularly.

Your firewall is the gatekeeper to all the other systems and services in your network. Patching keeps your firewalls up to date and repairs vulnerabilities and flaws in your firewall system that cybercriminals could use to gain full access to your systems and data.

2. Check ports regularly.

You should also regularly scan and check your ports. There are three  main ways to do this:

  • Command-line tools — If you have the time to scan and check ports manually, use command-line tools to spot and scan open ports. Examples include Netstat and Network Mapper, both of which can be installed on a wide range of operating systems, including Windows and Linux.
  • Port scanners — If you want faster results, consider using a port scanner. It’s a computer program that checks if ports are open, closed or filtered. The process is simple: The scanner transmits a network request to connect to a specific port and captures the response.
  • Vulnerability scanning tools — Solutions of this type can also be used to discover ports that are open or configured with default passwords.
  1. Track service configuration changes.

Many services on your network connect to various ports, so it is important to monitor the running states of installed services and continuously track changes to service configuration settings. Services can be vulnerable when they are unpatched or misconfigured.

Using Netwrix Change Tracker, you can harden your systems by tracking unauthorized changes and other suspicious activities. In particular, it provides the following functionality:

  • Actionable alerting about configuration changes
  • Automatic recording, analyzing, validating and verifying of every change
  • Real-time change monitoring
  • Constant application vulnerability monitoring

4. Use IDP and IPS tools.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help you prevent attackers from exploiting your ports. They monitor your network, spot possible cybersecurity incidents, log information about them and report the incidents to security administrators. IPS complements your firewalls by identifying suspicious incoming traffic and logging and blocking the attack.

5. Use SSH Keys.

Another option is to use SSH keys. These access credentials are more secure than passwords because decrypting SSH is very difficult, if not impossible. There are two types of SSH keys:

  • Private or identity keys, which identify users and give them access
  • Public or authorized keys, which determine who can access your system

You can use public-key cryptographic algorithms and key generation tools to create SSH keys.

6. Conduct penetration tests and vulnerability assessments.

Consider conducting penetration tests and vulnerability assessments to protect your ports. Although both of these techniques are used to spot vulnerabilities in IT infrastructure, they are quite different. Vulnerability scans only identify and report vulnerabilities, while penetration tests exploit security gaps to determine how attackers can gain unauthorized access to your system.

FAQs

What is an open port vulnerability?

An open port vulnerability is a security gap caused by an open port. Without proper configuration and protection, attackers can use open ports to access your systems and data.

Which ports are most vulnerable?

Certain ports and their applications are more likely to be targeted because they often have weaker credentials and defenses. Common vulnerable ports include:

  • FTP (20, 21)
  • SSH (22)
  • Telnet (23)
  • SMTP (25)
  • DNS (53)
  • NetBIOS over TCP (137, 139)
  • SMB (445)
  • HTTP and HTTPS (80, 443, 8080, 8443)
  • Ports 1433, 1434 and 3306
  • Remote desktop (3389)

Is port 80 a security risk?

Port 80 isn’t inherently a security risk. However, if you leave it open and don’t have the proper configurations in place, attackers can easily use it to access your systems and data. Unlike port 443 (HTTPS), port 80 is unencrypted, making it easy for cybercriminals to access, leak and tamper with sensitive data.

Source :
https://blog.netwrix.com/2022/08/04/open-port-vulnerabilities-list/

Upselling vs. cross-selling: What’s the difference?

Upselling and cross-selling are tactics that you can use to sell more, with less—less time, less money, less resources. Simple as that. And both tactics can be applied to virtually every industry: software, retail, finance, telecom, manufacturing, real estate—you name it.

I run Tee Tweets, a clothing brand that lets you wear any tweet in the world, and cross-selling and upselling are two of the most important tactics in my business strategy. Both techniques are designed to get customers to buy more, and since there are hundreds of thousands of tweets generated every minute, I certainly have plenty of products for buyers to add to their cart.

Sell more and keep your customers happy

Automate your eCommerce

Upselling and cross-selling are often confused because, in some ways, they accomplish the same goal of increasing the amount that a customer will buy. But there are distinct differences between the two, and if you can master them, they can both be uniquely instrumental to your business’s success.

What’s the difference?

Both cross-selling and upselling involve convincing an existing customer to increase the amount they’re buying. But here’s the difference:

  • When you’re cross-selling, you’re working specifically to get the customer to make additional purchases that would go well with what they originally intended to buy. 
  • When you’re upselling, you’re not necessarily suggesting more items, but convincing the customer to buy the bigger, better, and more expensive version of their original purchase.

For example, when I send out marketing or confirmation emails to recent buyers, I make sure to include products that are similar to whatever that recipient bought. Often this results in a new sale, but even when it doesn’t, it still exposes the customer to other products they may not have known existed. That’s cross-selling.

There’s not as much upselling involved in TeeTweets, but I’ve come across plenty of upselling opportunities in my freelance consulting career at Swyftlight. I had one particular client who wanted me to build a simple marketing website, so they gave me their specs and budget and asked me to put together a proposal. I pitched the idea of adding eCommerce capabilities to their site, quoting them a rate that was still within their budget but was more than I would have quoted them for the simple site alone. They took me up on it—I effectively upsold them on a better version of their original product.

Those are two basic examples, but if you really want to make sure you’re capitalizing on every upselling and cross-selling opportunity you encounter, it’s important to understand both tactics in depth.

Graphic illustration visualizing cross-selling and upselling

What is upselling?

Upselling is about upgrading the customer to a bigger or better version of the product or service they’re already buying. Virtually every modern business does some form of upselling, but one of the most common examples can be seen in an industry we all know and love: food.

Think specifically of the fast food industry, where customers are always encouraged to “supersize” the size of an item. Ordering small fries? Make it a large for only an extra 25 cents. 

Upselling works in all industries, not just consumer-focused ones. If your business pays for software, for example, you’ve almost definitely seen upselling in action. Let’s take a look at Airtable.

Screenshot of Airtable's pricing structure

Airtable’s pricing structure is laid out in such a way that you can see every plan’s capabilities all in one place. When you’re making your purchase, this page encourages you to stop and wonder: will 5,000 automation runs be enough? Will 5GB hold what I need?

As you’re contemplating how much you need, you’ll also notice that the prices don’t increase proportionately with the increase in services. The Pro plan costs twice as much as the Plus plan, but offers four times more attachment space and ten times more automation runs. When the higher overall price means a lower price-per-item, people are much more susceptible to being upsold.

Those are just two examples. Once you know what upselling looks like, you’ll start to notice it everywhere. More examples include:

  • Promoting a warranty when someone buys an appliance
  • Suggesting upgrading to a spa package when someone goes to book a massage
  • Offering more analytical accounting services in addition to your standard transitional bookkeeping services
  • When someone hires you to design their logo, proposing an entire branding package instead
  • Suggesting the fleece-lined version when someone’s about to buy leggings

What is cross-selling?

Cross-selling is about getting customers to buy different, related items in addition to what they’re already buying. The most effective cross-sellers pitch items that will enhance whatever the person is buying, or will make using that item much easier.

The most clear-cut example is Amazon. Whenever you’re looking at a product, if you scroll down, you’ll always see a “Customers also bought” section. Amazon also uses automated purchase history analysis to look at what you’ve bought in the past, find customers with similar buying habits, and suggest items that are popular among people who are looking for the same things you are.

Have a look at this small business in the candle game: 

Four candles with prices under the heading "You may also like"

In this case, when you buy a relaxing candle, the site is going to recognize more types of relaxing candles. But cross-selling isn’t just about getting customers to buy more similar items right this moment—it’s also about exposing your customers to new products they might not be familiar with. 

The most important thing to keep in mind is that while products you suggest don’t need to be extremely similar, they do need to be complementary. Cross-selling isn’t just about getting customers to buy more items right this moment—it’s about exposing your customers to new products and offerings they may not have seen before. When coupled with a purchase your customer is already set on buying, your brand exposure can have more significant weight than you might expect. You may not make the extra sale today, but you increase the likelihood that the customer comes back at some point down the line.

Upselling vs. cross-selling in action

One of the easiest ways to learn the difference between upselling and cross-selling is to look for examples of both within the same industry or even at the same company. 

Let’s say you buy a new desk chair for your home office. The upsell would be a better, fancier chair with ergonomic features and fancy wheels. The cross-sell would be an under-desk mat, which you’ll need to keep those fancy wheels from tearing up the hardwood.

Applying upselling and cross-selling to your business 

Upselling and cross-selling are both an art and a science. You need to think creatively about your offerings (and potential offerings) and how they might complement existing purchases. But you also need to dive into your analytics and make some data-driven decisions about what your customers are buying, when they’re buying them, and why. After all, upselling and cross-selling won’t do anything for you if no one actually buys what you’re promoting.

I’ve found that the most effective strategy when it comes to using upselling and cross-selling well is to reverse engineer what makes the most sense for your customers. What adds the most value for them? What questions do they have when buying from you? What products or services do they ask you about that you don’t yet offer? Talking directly to existing customers or clients about what they might want is a great place to start.

And remember: there’s always room to experiment. If people who buy product X often also buy product Y, you should absolutely be trying to sell product Y to everyone who buys product X. But don’t stop there. Try promoting product Z to those same people, or try upselling them to a higher quality version. Think outside the box, and you’ll find some creative ways to sell more—and better.

This article was originally published in March 2021 and was most recently updated in August 2022 with contributions from Amanda Pell.

Source :
https://zapier.com/blog/cross-selling-vs-upselling/

Twilio discloses data breach after SMS phishing attack on employees

Cloud communications company Twilio says some of its customers’ data was accessed by attackers who breached internal systems after stealing employee credentials in an SMS phishing attack.

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials,” Twilio said over the weekend.

“The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”

The company also revealed the attackers gained access to its systems after tricking and stealing credentials from multiple employees targeted in the phishing incident.

To do that, they impersonated Twilio’s IT department, asking them to click URLs containing “Twilio,” “Okta,” and “SSO” keywords that would redirect them to a Twilio sign-in page clone.

​The SMS phishing messages baited Twilio’s employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed.

Twilio’s EMEA Communications Director Katherine James declined to provide more information when asked how many employees had their accounts compromised in the phishing attack and how many customers were affected by the breach, saying the company has “no additional comment to provide at this time beyond what is posted in the blog.”

Twilio SMS phishing
Twilio SMS phishing message (Twilio)

“The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down,” Twilio added.

“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs. Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.”

Credentials revoked, attackers yet to be identified

The company has not yet identified the attackers, but it’s working with law enforcement as part of an ongoing investigation.

Twilio revoked the employee accounts compromised during the attack to block the attackers’ access to its systems and has started notifying customers affected by this incident.

“As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details,” Twilio also revealed.

The company also disclosed in May 2021 that it was impacted by last year’s Codecov supply-chain attack where threat actors modified the legitimate Codecov Bash Uploader tool to steal credentials, secret keys, and user tokens from Codecov customers.

With more than 5,000 employees in 26 offices in 17 countries, Twillio provides programmable voice, text, chat, video, and email APIs used by over 10 million developers and 150,000 businesses to build customer engagement platforms.

Twilio also acquired Authy in February 2015, a popular two-factor authentication (2FA) provider for end users, developers, and enterprises with millions of users worldwide.

Source :
https://www.bleepingcomputer.com/news/security/twilio-discloses-data-breach-after-sms-phishing-attack-on-employees/

Critical RCE Bug Could Let Hackers Remotely Take Over DrayTek Vigor Routers

As many as 29 different router models from DrayTek have been identified as affected by a new critical, unauthenticated remote code execution vulnerability that, if successfully exploited, could lead to full compromise of the devices and unauthorized access to the broader network.

“The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing,” Trellix researcher Philippe Laulheret said. “A one-click attack can also be performed from within the LAN in the default device configuration.”

Filed under CVE-2022-32548, the vulnerability has received the maximum severity rating of 10.0 on the CVSS scoring system, owing to its ability to completely allow an adversary to seize control of the routers.

CyberSecurity

At its core, the shortcoming is the result of a buffer overflow flaw in the web management interface (“/cgi-bin/wlogin.cgi”), which can be weaponized by a malicious actor by supplying specially crafted input.

“The consequence of this attack is a takeover of the so-called ‘DrayOS’ that implements the router functionalities,” Laulheret said. “On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network.”

DrayTek Vigor Routers

Over 200,000 devices from the Taiwanese manufacturer are said to have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited. Many of the remaining 500,000 devices, even when not exposed externally, are susceptible to one-click attacks.

The breach of a network appliance such as Vigor 3910 could not only leave a network open to malicious actions such as credential and intellectual property theft, botnet activity, or a ransomware attack, but also cause a denial-of-service (DoS) condition.

CyberSecurity

The disclosure comes a little over a month after it emerged that routers from ASUS, Cisco, DrayTek, and NETGEAR are under assault from a new malware called ZuoRAT targeting North American and European networks.

While there are no signs of exploitation of the vulnerability in the wild so far, it’s recommended to apply the firmware patches as soon as possible to secure against potential threats.

“Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks,” Laulheret noted. “As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network.”

Source :
https://thehackernews.com/2022/08/critical-rce-bug-could-let-hackers.html

Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts

Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.

“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said in an advisory.

CyberSecurity

Twitter said the bug, which it was made aware of in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident.

The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on Breach Forums.

Although Twitter didn’t reveal the exact number of impacted users, the forum post made by the threat actor shows that the flaw was presumably exploited to compile a list containing allegedly over 5.48 million user account profiles.

Restore Privacy, which disclosed the breach late last month, said the database was being sold for $30,000.

CyberSecurity

Twitter stated it’s in the process of directly notifying account owners affected by the issue, while also urging users to turn on two-factor authentication to secure against unauthorized logins.

The development comes as Twitter, in May, agreed to pay a $150 million fine to settle a complaint from the U.S. Justice Department that alleged the company between 2014 and 2019 used information account holders provided for security verification for advertising purposes without their consent.

Source :
https://thehackernews.com/2022/08/hackers-exploit-twitter-vulnerability.html

Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users

Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the enterprise communication and collaboration platform said in an alert on 4th August.

CyberSecurity

Hashing refers to a cryptographic technique that transforms any form of data into a fixed-size output (called a hash value or simply hash). Salting is designed to add an extra security layer to the hashing process to make it resistant to brute-force attempts.

The Salesforce-owned company, which reported more than 12 million daily active users in September 2019, didn’t reveal the exact hashing algorithm used to safeguard the passwords.

The bug is said to have impacted all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022, when it was alerted to the issue by an unnamed independent security researcher.

CyberSecurity

It’s worth pointing out that the hashed passwords were not visible to any Slack clients, meaning access to the information necessitated active monitoring of the encrypted network traffic originating from Slack’s servers.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” Slack noted in the advisory. “However, for the sake of caution, we have reset affected users’ Slack passwords.”

Additionally, the company is using the incident to advise its users to turn on two-factor authentication as a means to protect against account takeover attempts and create unique passwords for online services.

Source :
https://thehackernews.com/2022/08/slack-resets-passwords-after-bug.html

Announcing Public Preview of Update management center

We are excited to announce the Public Preview of the Update management center (UMC), the next iteration of the Azure Automation Update Management solution. In addition to zero onboarding steps, and no dependency on Azure Automation and Log Analytics, you also get new capabilities such as flexible scheduling options and on-demand assessments that help you manage a patch workflow that is best suited for your needs. 

Ongoing management of operating system and application patches is critical in order to ensure your machines remain secure and meet compliance policies. With the increasing size of IT estates today, this could be a complex process. UMC eases this process of managing and automating patching of Windows and Linux Operating systems. It provides a consolidated view to centrally manage the process of patching on Azure virtual machines and devices in on-premises or other public clouds (via Azure Arc). It facilitates you to assess and install patches on a single VM or at scale. 

What’s new in the UMC? 

  • The “overview” tab offers a wide range of filters, charts and categories and provides a unified view of patching status of all Windows and Linux machines on Azure and Azure Arc-enabled servers. 
  • UMC leverages native functionality on Azure Compute and Azure Arc for Servers platform to provide a zero-step onboarding with no dependency on Log Analytics or Azure Automation, simplifying the user experience.  
  • UMC offers granular access control at individual resource level instead of that at Automation account and Log Analytics workspace level. It allows RBAC and roles based of ARM in Azure, enabling fine grained control on who can manage, assess and update a machine in Azure. 
  • The enhanced flexibility in UMC allows deployment of patches on a flexible schedule. UMC provides on-demand assessment and installation of patches, customizable scheduled patching, periodic assessment, and offers patching methods such as automatic VM guest patching in Azure, hotpatch or custom maintenance schedules and more. 

Getting Started 

You can find the Update management solution in the “updates” option on your Azure VMs or Azure Arc-enabled servers. 

thumbnail image 1 of blog post titled Announcing Public Preview of Update management center

You can also navigate to the Update management center using the search bar on the Azure portal. The overview tab for UMC enables you to view the patching compliance and status for all your Azure and Non-Azure machines. You can use the filters on top to drill down to a specific set of machines, view a breakdown of machines and their statuses based on multiple categories, and identify the machines that are non-compliant to quickly take corrective action. The “No updates data” status tells you the count of machines that have not been assessed in the past 7 days or do not have Periodic assessment setup. 

thumbnail image 2 of blog post titled Announcing Public Preview of Update management center

The machines tab shows the list of all VMs under a given subscription. You can access the features of UMC from the menu on the top. Broadly, “Check for updates” allows you to assess updates on-demand while “One-time update” allows to install patches on-demand. The Scheduled updates and Updates Settings options allow you to enable customised patching schedules. 

thumbnail image 3 of blog post titled Announcing Public Preview of Update management center

Overall, Update management center offers an easy to use one-stop location for all operating system and application patching scenarios for a single VM or VMs at scale. 

Overall, Update management center offers an easy to use one-stop location for all operating system and application patching scenarios for a single VM or VMs at scale. 

What’s next in UMC? 

  • Extend patch management to all Azure supported distros & OSes, and all Arc workloads such as Azure Arc-enabled private clouds. 
  • Provide additional controls for configuration of patching workflows and orchestration of patch schedules.  

Stay tuned for more announcements! 

Additional Resources 

High Severity Vulnerability Patched in Download Manager Plugin

On July 8, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Download Manager,” a WordPress plugin that is installed on over 100,000 sites. This flaw makes it possible for an authenticated attacker to delete arbitrary files hosted on the server, provided they have access to create downloads. If an attacker deletes the wp-config.php file they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process.

Wordfence PremiumWordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers that try to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

We attempted to reach out to the developer on July 8, 2022, the same day we discovered the vulnerability. We never received a response so we sent the full details to the WordPress.org plugins team on July 26, 2022. The plugin was fully patched the next day on July 27, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Download Manager”, which is version 3.2.53 at the time of this publication.

Description: Authenticated (Contributor+) Arbitrary File Deletion
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: W3 Eden, Inc.
Affected Versions: <= 3.2.50
CVE ID: CVE-2022-2431
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.2.51

Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download. Unfortunately, vulnerable versions of the plugin contain a bypass in how the downloadable file is stored and subsequently deleted upon post deletion that make it possible for attackers to delete arbitrary files on the server.

More specifically, vulnerable versions of the plugin register the deleteFiles() function that is called via the before_delete_post hook. This hook is triggered right before a post has been deleted and its intended functionality in this case is to delete any files that may have been uploaded and associated with a “download” post.

At first glance this looks like a relatively safe functionality assuming the originally supplied file path is validated. Unfortunately, however, that is not the case as the path to the file saved with the “download” post is not validated to ensure it was a safe file type or in a location associated with a “download” post. This means that a path to an arbitrary file with any extension can be supplied via the file[files][] parameter when saving a post and that would be the file associated with the “download” post. On many configurations an attacker could supply a path such as /var/www/html/wp-config.php that would associate the site’s WordPress configuration file with the download post.

32add_action('before_delete_post', array($this, 'deleteFiles'), 10, 2);
979899100101102103104functiondeleteFiles($post_id, $post){    $files= WPDM()->package->getFiles($post_id, false);    foreach($filesas$file) {        $file= WPDM()->fileSystem->locateFile($file);        @unlink($file);    }}

When the user goes to permanently delete the “download” post the deleteFiles() function will be triggered by the before_delete_post hook and the supplied file will be deleted, if it exists.

This can be used by attackers to delete critical files hosted on the server. The wp-config.php file in particular is a popular target for attackers as deletion of this file would disconnect the existing database from the compromised site and allow the attacker to re-complete the initial installation process and connect their own database to the site. Once a database is connected, they would have access to the server and could upload arbitrary files to further infect the system.

Demonstrating site reset upon download post deletion.

This vulnerability requires contributor-level access and above to exploit, so it serves as an important reminder to make sure you don’t provide contributor-level and above access to untrusted users. It’s also important to validate that all users have strong passwords to ensure your site won’t subsequently be compromised as a result of a vulnerability like this due to an unauthorized actor gaining access via a weak or compromised password.

Timeline

  • July 8, 2022 – Discovery of the Arbitrary File Deletion Vulnerability in the “Download Manager” plugin. A firewall rule is released to Wordfence PremiumWordfence Care, and Wordfence Response users. We attempt to initiate contact with the developer.
  • July 26, 2022 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.
  • July 27, 2022. – A fully patched version of the plugin is released as version 3.2.51.
  • August 7, 2022 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we detailed a flaw in the “Download Manager” plugin that makes it possible for authenticated attackers to delete arbitrary files hosted on an affected server, which could lead to remote code execution and ultimately complete site compromise. This flaw has been fully patched in version 3.2.51.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.2.53 at the time of this publication.

Wordfence PremiumWordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

Source :
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin/

Better Together: AWS and Trend Micro

There’s a very good reason why AWS remains a leader in cloud computing. While many providers describe themselves as “customer obsessed,” few come close to our long-time partner in the lengths it goes to earn and retain the trust of its customers.

AWS starts with the customer and works backwards. That means the vast majority of its feature enhancements and new services are directly driven from their input. The latest is Amazon GuardDuty Malware Protection.

This threat detection tool, which will work closely with Trend Micro cloud solutions, will provide another valuable layer of defense in our fight against a shared adversary.

Shining a light on an expanding attack surface

Spurred by a drive for greater cost efficiency and business agility, global organizations are migrating to the cloud in droves. Gartner predicts the worldwide market for public cloud services will reach almost $495bn this year, and grow by over 21% in 2023. In this environment, security remains a persistent concern for cloud builders, because if not properly managed, investments can increase the digital attack surface.

According to recent Trend Micro research, many global organizations are already struggling to securely manage their cloud assets. We found that 73% of IT and business leaders are concerned with the size of their attack surface, and 43% claim it is “spiralling out of control.” Cloud is the area where most respondents say they have least insight. They want their cloud providers to do more—for example by building enhanced detection into their systems, to complement third-party tools.

That’s part of the reason why AWS built Amazon GuardDuty Malware Protection was built. This new feature is triggered by detection of known malicious signatures across the cloud network. Based on this detection, the service scans the associated Amazon EBS storage environment for malware and reports any findings to AWS Security Hub. Open APIs from here link to products like Trend Micro Cloud One to enhance existing detection and response efforts.

Better together

Trend Micro and AWS have been working closely together for over a decade now, and this latest announcement represents another exciting stage in the journey. Customers will welcome AWS native threat detection as a complement to their Trend Micro Cloud One capabilities, delivering a comprehensive range of features to secure the hybrid cloud. Once they add the AWS tool to our virtual patching, vulnerability scanning, lateral movement detection, posture management and other capabilities, joint customers will have a powerful set of integrated offerings to deliver simple, all-in-one cloud security and compliance.

In addition, this move from AWS validates our XDR strategy, which is focused on using as many data sources as possible to enhance detection and response. The bottom line is that security takes a village. Customers, cloud providers and security vendors have a shared responsibility to work together as the threat landscape continues to evolve. That’s what we’ll continue to do, expanding and deepening our strategic partnerships with AWS and other providers in a collective effort to make the digital world safer.

Source :
https://www.trendmicro.com/en_us/research/22/g/aws-trend-micro.html

Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024

Google on Wednesday said it’s once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024.

“The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome,” Anthony Chavez, vice president of Privacy Sandbox, said.

In keeping this in mind, the internet and ad tech giant said it’s taking a “deliberate approach” and extending the testing window for its ongoing Privacy Sandbox initiatives prior to phasing out third-party cookies.

Cookies are pieces of data planted on a user’s computer or other device by the web browser as a website is accessed, with third-party cookies fueling much of the digital advertising ecosystem and its ability to track users across different sites to show targeted ads.

Privacy Sandbox is Google’s umbrella term for a set of technologies that aim to improve users’ privacy across the web and Android by limiting cross-site and cross-app tracking and offering improved, safer alternatives to serve interest-based ads.

CyberSecurity

While Google had originally planned to roll out the feature in early 2022, it revised the timeline in June 2021, pushing its proposal to transition from third-party cookies over a three-month period, starting in mid-2023 and ending in late 2023.

“It’s become clear that more time is needed across the ecosystem to get this right,” the company noted at the time.

3rd-Party Cookies in Chrome

The second extension comes as Google announced Topics API as a replacement for FLoC (short for Federated Learning of Cohorts) in January 2022, following it up with a developer preview of Privacy Sandbox for Android in May.

In February 2022, the U.K. Competition and Markets Authority (CMA) formally accepted commitments from Google over how it develops the technology, pointing out the need to flesh out Privacy Sandbox such that it promotes competition and supports publishers to raise revenue from ads while also safeguarding consumer privacy.

CyberSecurity

Under the new plan, Privacy Sandbox trials are expected to be expanded to users globally next month, with the number of users included in the tests ramped up throughout the rest of the year and into 2023.

Google also emphasized that users will be shown a prompt to manage their participation, adding it intends to make the APIs generally available by Q3 2023, with third-party cookie support tentatively dropped in H2 2024.

The CMA, for its part, acknowledged today that it’s aware of “alternative proposals being developed by third-parties,” and that it’s “working with the [Information Commissioner’s Office] to better understand their viability and likely impacts.”

Source :
https://thehackernews.com/2022/07/google-delays-blocking-3rd-party.html