Attacks Abound in Tricky Threat Terrain: 2021 Annual Cybersecurity Report

The digital transformations that had enabled many enterprises to stay afloat amid the Covid-19 health crisis also brought about major upheavals in cybersecurity, the impact of which was still widely felt in 2021. Trend Micro detected and blocked more than 94 billion threats over the course of last year, keeping pace with malicious actors who were intent on abusing any weak spots in the security postures of organizations around the world. In our annual cybersecurity report, “Navigating New Frontiers,” we look back at 2021 in terms of the most significant security issues and trends that shaped the year’s threat landscape.

Ransomware actors become more deliberate in targeting critical industries

From years of tracking ransomware activities, we have observed how ransomware operators have evolved from deploying quantity-based tactics to deliberately picking more profitable victims. Modern ransomware usually dedicates more time and effort to planning and reconnaissance, making for debilitating attacks that are tailored to the specific systems of targets.

Likely because of the important roles they had played amid the pandemic, organizations in the government, banking, and healthcare industries bore the brunt of ransomware attacks in 2021, although we observed a 21% year-on-year decrease in overall ransomware detections. But this decline does not necessarily mean that there were fewer ransomware attacks. Rather, it could be the result of our detection and blocking of more malware tools that were often used by ransomware actors, including the Cobalt Strike beacon CoBeacon, the trojan Trickbot, and the information stealer BazarLoader. That we blocked larger numbers of these affiliate tools, whose presence is an early indicator of infection, might have prevented ransomware actors from escalating their operations to full-scale attacks.


Figure 1. The top three industries in terms of ransomware file detections in 2020 and 2021

Source: Trend Micro™ Smart Protection Network™

Malicious actors zero in on misconfigurations in cloud environments

More companies turned to the cloud to continue and expand their businesses, but the inherent complexity of setting up cloud infrastructures drove malicious actors to move quickly and take advantage of misconfigurations in these environments. Notably, a role-based access control misconfiguration in Kubernetes enabled the threat actor group TeamTNT to compromise almost 50,000 IP addresses in the US and China as part of a large-scale credential theft campaign last year. Also in 2021, TeamTNT used misconfigured servers as an attack vector to pilfer metadata from cloud service providers.


Figure 2. TeamTNT’s attack chain

Email-based attacks evolve into a more complex threat

In 2021, Trend Micro Cloud App Security found and blocked more than 25 million email threats. Phishing attempts, in particular, nearly doubled from 2020’s number. Of these, 62% were from spam emails while the rest consisted of credential-phishing attempts. Organizations in finance, healthcare, and education experienced the bulk of phishing attempts.


Figure 3. A comparison of the detections of spam phishing and credential-phishing attempts in 2020 and 2021

Source: Trend Micro Cloud App Security

We observed a dip in attempts at business email compromise (BEC) in 2021, but this could be because of an increase in more sophisticated BEC emails that were capable of avoiding antispam rules. We were able to stay on top of this development, however, as Trend Micro Cloud App Security used authorship analysis to detect and block a greater proportion as well as a greater number of these BEC attempts in 2021 than in 2020.


Figure 4. A comparison of the proportions of BEC attempts blocked based on authorship analysis and BEC attempts blocked based on behavior and intention analysis in 2020 and 2021

Source: Trend Micro Cloud App Security

Email was also the preferred entry point of opportunistic actors looking to exploit developments in the ongoing pandemic. We detected over 8 million Covid-19-related threats throughout 2021, mostly in the US and Germany. The majority of these threats were made up of emails, which is consistent with the upward trend of phishing attempts levied against the vaccine cold chain. The consistent news coverage surrounding the health crisis likely supplied malicious actors with new themes for their email lures.


Figure 5. A comparison of the detections of Covid-19-related threats consisting of malicious emails, URLs, and files in 2020 and 2021

Source: Trend Micro Cloud App Security

Exploits of vulnerabilities both old and new run rampant

In 2021, Trend Micro™ Zero Day Initiative™ (ZDI) published advisories for 1,604 vulnerabilities, a 10% increase from the previous year. Alongside newly found ones, however, malicious actors continued to exploit previously disclosed flaws in their attacks. They carried on with abusing legacy vulnerabilities despite the availability of patches addressing these flaws, and a demand for these persisted in the cybercriminal underground, where almost 25% of vulnerabilities sold were at least three years old.


Figure 6. A comparison of the proportions of Common Vulnerability Scoring System (CVSS) ratings among vulnerabilities disclosed by Trend Micro’s ZDI program in 2020 and 2021

Source: Trend Micro™ Zero Day Initiative™

Unpatched systems remained a liability for organizations, as evidenced by Log4Shell (CVE-2021-44228), a high-severity vulnerability in Apache Log4j that was first reported privately to Apache in November 2021. A patch for it was made available a month later, but that did not stop malicious actors from exploiting it in various ransomware, data theft, and cryptocurrency-mining attacks.

Similarly, even though patches for them had been released, the Microsoft Exchange Server vulnerabilities ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) were still successfully exploited by malicious actors. The cybercriminals behind the Squirrelwaffle loader, for example, used ProxyLogon and ProxyShell in hijacking their victims’ email accounts.

Enterprises need multilayered defense to keep thorny threats at bay

As their attack surfaces expand or otherwise evolve, enterprises across the globe are compelled to explore unfamiliar security terrain, where they will need high-quality data from a unified view of their entire digital ecosystems to anticipate, assess, and mitigate risks. Read our annual cybersecurity report, “Navigating New Frontiers,” to learn more about the noteworthy security stories of 2021 and obtain valuable insights that can help enterprises fend off latent, emergent, and current threats.

Source :
https://www.trendmicro.com/en_us/research/22/c/attacks-abound-in-tricky-threat-terrain–2021-annual-cybersecuri.html

Cisco IOS XR Software Health Check Open Port Vulnerability

Severity: Medium
Advisory ID: cisco-sa-iosxr-redis-ABJyE5xK
First Published: 2022 May 20 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCwb82689
CVSS Score: Base 6.5
CVE: CVE-2022-20821
CWE: CWE-200

Summary

A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.

This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK

Affected Products

Vulnerable Products

At the time of publication, this vulnerability affected Cisco 8000 Series Routers if they were running a vulnerable release of Cisco IOS XR Software and had the health check RPM installed and active.

For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Determine the Device Configuration

To determine if the device is in a vulnerable state, issue the run docker ps CLI command. If the output returns a docker container with the name NOSi, as shown in the following example, the device is considered vulnerable:

RP/0/RP0/CPU0:8000#run docker ps
Wed May 18 04:54:52.502 UTC
CONTAINER ID   IMAGE         COMMAND                  CREATED         STATUS         PORTS   NAMES
54307e434f29   nosi:latest   "docker-entrypoint.s…"   9 seconds ago   Up 8 seconds           NOSi
RP/0/RP0/CPU0:8000#

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

There are workarounds that address this vulnerability:

Option 1: This is the preferred method. Disable health check and explicitly disable the use cases.

To effectively disable health check, enter the following commands exactly as shown:

RP/0/RP0/CPU0:8000(config)#no healthcheck enable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable
RP/0/RP0/CPU0:8000(config)#commit
RP/0/RP0/CPU0:8000#

Then remove the health check RPM from the device:

RP/0/RP0/CPU0:8000#install package remove xr-healthcheck
Wed May 18 05:00:08.060 UTC
Install remove operation 5.2.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#
RP/0/RP0/CPU0:8000#install apply restart
Wed May 18 05:01:08.842 UTC
Install apply operation 5.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#

Option 2: Use an Infrastructure Access Control List (iACL) to block port 6379.

To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to infrastructure equipment. Administrators can construct an iACL by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. For the maximum protection of infrastructure devices, deployed iACLs should be applied in the ingress direction on all interfaces to which an IP address has been configured. An iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address.

The iACL policy denies unauthorized Redis communications packets on TCP port 6379 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices. Care should be taken to allow required traffic for routing and administrative access before denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs.

ipv4 access-list Infrastructure-ACL-Policy
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can drop Redis Database communication packets
!
 deny tcp any 192.168.60.0 0.0.0.255 eq 6379
!
!-- Explicit deny ACE for traffic sent to addresses configured
!-- within the infrastructure address space
!
 deny ip any 192.168.60.0 0.0.0.255
!
!-- Permit or deny all other Layer 3 and Layer 4 traffic in
!-- accordance with existing security policies and configurations
!
!-- Apply iACL to interfaces in the ingress direction
!
interface GigabitEthernet0/0
 ipv4 access-group Infrastructure-ACL-Policy in

For additional information about iACLs, see Protecting Your Core: Infrastructure Protection Access Control Lists.

While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases

At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco IOS XR Release               First Fixed Release
7.2 and earlier                    Not affected
7.3.15, 7.3.16, 7.3.1, and 7.3.2   Not affected
7.3.3                              7.3.4 (1)
7.4                                Not affected
7.5.1                              Not affected
7.5.2                              Not affected
7.6                                Not affected

1. An SMU is also planned for 7.3.3.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply a suitable workaround or upgrade to a fixed software release to remediate this vulnerability.

Source

This vulnerability was found during the resolution of a Cisco TAC support case.

Revision History

Version   Description               Section   Status   Date
1.0       Initial public release.   -         Final    2022-MAY-20

Source :
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.

The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication.

CVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the “root” user on vulnerable virtual appliances.

“It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware said.

The disclosure follows a warning from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 — two other VMware flaws that were fixed early last month — separately and in combination.

“An unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,” it said. “The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.”

On top of that, the cybersecurity authority noted that threat actors have deployed post-exploitation tools such as the Dingo J-spy web shell in at least three different organizations.

IT security company Barracuda Networks, in an independent report, said it has observed consistent probing attempts in the wild for CVE-2022-22954 and CVE-2022-22960 soon after the shortcomings became public knowledge on April 6.

More than three-fourths of the attacker IPs, about 76%, are said to have originated from the U.S., followed by the U.K. (6%), Russia (6%), Australia (5%), India (2%), Denmark (1%), and France (1%).

Some of the exploitation attempts recorded by the company involve botnet operators, with the threat actors leveraging the flaws to deploy variants of the Mirai distributed denial-of-service (DDoS) malware.

The issues have also prompted CISA to issue an emergency directive urging federal civilian executive branch (FCEB) agencies to apply the updates by 5 p.m. EDT on May 23 or disconnect the devices from their networks.

“CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products,” the agency said.

The patches arrive a little over a month after the company rolled out an update to resolve a critical security flaw in its Cloud Director product (CVE-2022-22966) that could be weaponized to launch remote code execution attacks.

CISA warns of active exploitation of F5 BIG-IP CVE-2022-1388

It’s not just VMware that’s under fire. The agency has also released a follow-up advisory with regards to the active exploitation of CVE-2022-1388 (CVSS score: 9.8), a recently disclosed remote code execution flaw affecting BIG-IP devices.

CISA said it expects to “see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks.”

Source :
https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html

High-Severity Bug Reported in Google’s OAuth Client Library for Java

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.

Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.

Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google’s bug bounty program.

“The vulnerability is that the IDToken verifier does not verify if the token is properly signed,” an advisory for the flaw reads.

“Signature verification makes sure that the token’s payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side.”
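To make the class of bug concrete, here is an added example (not code from google-oauth-java-client or Google): an ID-token verifier that checks issuer, audience and expiry but never the signature, beside one that verifies the signature first. HS256 over a constructed shared secret stands in for a real provider's RS256 keys so the example runs offline; the issuer, audience and key values are hypothetical.

```python
"""Added example (not google-oauth-java-client code): the bug class behind
CVE-2021-22573, an ID-token verifier that checks claims but never the
signature, next to a verifier that does. HS256 over a constructed shared
secret stands in for the provider's real RS256 keys so it runs offline."""
import base64
import hashlib
import hmac
import json
from typing import Optional

KEY = b"constructed-shared-secret-for-this-example"  # stands in for the provider key
ISSUER = "https://issuer.example"                      # hypothetical issuer
AUDIENCE = "client-id-123"                             # hypothetical OAuth client id


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Provider side: mint a compact JWS (HS256) over the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def _claims_ok(claims: dict, issuer: str, audience: str, now: float) -> bool:
    return (claims.get("iss") == issuer and claims.get("aud") == audience
            and claims.get("exp", 0) > now)


def verify_unsafe(token: str, issuer: str, audience: str, now: float) -> Optional[dict]:
    """Vulnerable pattern: the payload is trusted as soon as iss/aud/exp look
    right. The signature segment is never examined, so a payload swapped in
    by anyone who has seen a token is accepted."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    return claims if _claims_ok(claims, issuer, audience, now) else None


def verify_safe(token: str, key: bytes, issuer: str, audience: str, now: float) -> Optional[dict]:
    """Hardened verifier: pin the algorithm, recompute the MAC over
    header.payload and compare it in constant time before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # rejects alg confusion and "none"
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed segments, bad base64 or bad JSON
        return None
    return claims if _claims_ok(claims, issuer, audience, now) else None


def tampered_copy(token: str, new_sub: str) -> str:
    """Test vector: same header and signature, payload with a changed subject.
    This is the 'compromised token with custom payload' the advisory describes."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run both verifiers against a genuine token and a tampered copy of it."""
    genuine = sign_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1",
                             "exp": now + 3600}, KEY)
    tampered = tampered_copy(genuine, "admin")
    return {
        "unsafe_accepts_tampered": verify_unsafe(tampered, ISSUER, AUDIENCE, now) is not None,
        "safe_rejects_tampered": verify_safe(tampered, KEY, ISSUER, AUDIENCE, now) is None,
        "safe_accepts_genuine": (verify_safe(genuine, KEY, ISSUER, AUDIENCE, now) or {}).get("sub") == "user-1",
    }


if __name__ == "__main__":
    print(demo())
```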

The open-source Java library, built on the Google HTTP Client Library for Java, makes it possible to obtain access tokens to any service on the web that supports the OAuth authorization standard.

Google, in its README file for the project on GitHub, notes that the library is supported in maintenance mode and that it’s only fixing necessary bugs, indicative of the severity of the vulnerability.

Users of the google-oauth-java-client library are recommended to update to version 1.33.3, released on April 13, to mitigate any potential risk.

Source :
https://thehackernews.com/2022/05/high-severity-bug-reported-in-googles.html

Millions of Attacks Target Tatsu Builder Plugin

The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked by CVE-2021-25094 and was publicly disclosed on March 24, 2022 by an independent security researcher. The issue is present in vulnerable versions of both the free and premium Tatsu Builder plugin. Tatsu Builder is a proprietary plugin that is not listed on the WordPress.org repository, so reliable installation counts are not available, but we estimate that the plugin has between 20,000 and 50,000 installations. Tatsu sent an urgent email notification to all of their customers on April 7th advising them to update, but we estimate that at least a quarter of remaining installations are still vulnerable.

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against attackers trying to exploit this vulnerability.

We began seeing attacks on May 10, 2022. The attacks are ongoing with the volume ramping up to a peak of 5.9 million attacks against 1.4 million sites on May 14, 2022. The attack volume has declined but the attacks are still ongoing at the time of publication.

The following is a graph showing the total volume of attacks targeting the vulnerability in Tatsu Builder.

Graph showing attack volume against CVE-2021-25094

The following is a graph showing the total number of sites targeted by attackers trying to exploit the vulnerability in Tatsu Builder.


Description: Unauthenticated Remote Code Execution
Affected Plugin: Tatsu Builder
Plugin Slug: tatsu
Plugin Developer: BrandExponents
Affected Versions: < 3.3.13
CVE ID: CVE-2021-25094
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Vincent Michel (darkpills)
Fully Patched Version: 3.3.13

Indicators of Attack

Most of the attacks we have seen are probing attacks to determine the presence of a vulnerable plugin. These may appear in your logs with the following query string:

/wp-admin/admin-ajax.php?action=add_custom_font

The vast majority of attacks are the work of just a few IP addresses.

The top 3 attacking IPs have each attacked over 1 million sites:

148.251.183.254
176.9.117.218
217.160.145.62

An additional 15 IPs have each attacked over 100,000 sites:


Indicators of Compromise

The most common payload we’ve seen is a dropper used to place additional malware located in a randomly-named subfolder of wp-content/uploads/typehub/custom/ such as wp-content/uploads/typehub/custom/vjxfvzcd.

The dropper is typically named .sp3ctra_XO.php and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.

Note the dot at the beginning as this indicates a hidden file, which is necessary to exploit the vulnerability as it takes advantage of a race condition.

This file is detected by the Wordfence scanner.
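As an added example (not Wordfence's own code), the following Python turns the indicators of attack and indicators of compromise above into two site-side checks: a scan of web access logs for the add_custom_font probe, and a scan of wp-content/uploads/typehub/custom/ for hidden PHP files or a file with the dropper's MD5. The log lines, client IPs and the planted stand-in file are constructed for the example; only the query string, path, file name and hash come from the report.

```python
"""Added example (not Wordfence code): triage for the Tatsu Builder campaign.
find_probes() flags access-log lines carrying the probing query string;
scan_uploads() looks under wp-content/uploads/typehub/custom/ for the dropper
by MD5 or for any hidden .php file. Sample data is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

PROBE_RE = re.compile(r"/wp-admin/admin-ajax\.php\?[^\s\"]*\baction=add_custom_font\b")
DROPPER_NAME = ".sp3ctra_XO.php"                         # from the Wordfence report
DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"         # from the Wordfence report
UPLOAD_SUBDIR = Path("wp-content/uploads/typehub/custom")

# Constructed combined-log sample; the client IPs are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2022:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [14/May/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font&x=1 HTTP/1.1" 403 0 "-" "curl/7.68.0"
"""


def find_probes(log_text: str) -> dict:
    """Return {client_ip: hit_count} for lines matching the probe query string."""
    hits = {}
    for line in log_text.splitlines():
        if PROBE_RE.search(line):
            ip = line.split(" ", 1)[0]
            hits[ip] = hits.get(ip, 0) + 1
    return hits


def scan_uploads(wp_root: Path) -> list:
    """List suspicious files under typehub/custom as (relative_path, reason):
    a file whose MD5 matches the known dropper, or any hidden .php file
    (a dot-prefixed PHP file has no business in an uploads directory)."""
    findings = []
    base = wp_root / UPLOAD_SUBDIR
    if not base.is_dir():
        return findings
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(wp_root).as_posix()
        digest = hashlib.md5(path.read_bytes()).hexdigest()
        if digest == DROPPER_MD5:
            findings.append((rel, "md5 matches known .sp3ctra_XO.php dropper"))
        elif path.name.startswith(".") and path.suffix.lower() == ".php":
            findings.append((rel, "hidden PHP file in uploads directory"))
    return findings


def demo() -> dict:
    """Build a throwaway WordPress tree with one planted hidden PHP file and
    one benign upload, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        custom = root / UPLOAD_SUBDIR / "vjxfvzcd"   # random-looking subfolder named in the report
        custom.mkdir(parents=True)
        # Constructed stand-in: same name as the dropper, harmless content, different hash.
        (custom / DROPPER_NAME).write_text("<?php /* constructed stand-in, not the real dropper */ ?>")
        (custom / "font.woff").write_bytes(b"wOFF")  # benign font upload
        return {"probes": find_probes(SAMPLE_LOG), "findings": scan_uploads(root)}


if __name__ == "__main__":
    print(demo())
```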

What Should I Do?

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against this vulnerability. Nonetheless, if you use the Tatsu Builder plugin, we strongly recommend updating to the latest version available, which is 3.3.13 at the time of this writing. Please note that version 3.3.12 contained a partial patch but did not fully address all issues.

If you know anyone using the Tatsu Builder plugin on their site, we urge you to forward this article to them as this is a large-scale attack and any vulnerable sites that are not updated and not using some form of a Web Application Firewall are at risk of complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

Source :
https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/

Researchers Find Potential Way to Run Malware on iPhone Even When it’s OFF

A first-of-its-kind security analysis of the iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that’s executed while an iPhone is “off.”

The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate while iOS is shut down when entering a “power reserve” Low Power Mode (LPM).

While this is done to enable features like Find My and facilitate Express Card transactions, all three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper entitled “Evil Never Sleeps.”

“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.

“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”

The findings are set to be presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week.

The LPM features, newly introduced last year with iOS 15, make it possible to track lost devices using the Find My network even when they have run out of battery power or have been shut off. Current devices with Ultra-wideband support include iPhone 11, iPhone 12, and iPhone 13.

A message displayed when turning off iPhones reads thus: “iPhone remains findable after power off. Find My helps you locate this iPhone when it is lost or stolen, even when it is in power reserve mode or when powered off.”

Malware

Calling the current LPM implementation “opaque,” the researchers observed occasional failures when initializing Find My advertisements during power off, effectively contradicting the aforementioned message, and also found that the Bluetooth firmware is neither signed nor encrypted.

By taking advantage of this loophole, an adversary with privileged access can create malware that’s capable of being executed on an iPhone Bluetooth chip even when it’s powered off.

However, for such a firmware compromise to happen, the attacker must be able to communicate to the firmware via the operating system, modify the firmware image, or gain code execution on an LPM-enabled chip over-the-air by exploiting flaws such as BrakTooth.

Put differently, the idea is to alter the LPM application thread to embed malware, such as those that could alert the malicious actor of a victim’s Find My Bluetooth broadcasts, enabling the threat actor to keep remote tabs on the target.

“Instead of changing existing functionality, they could also add completely new features,” SEEMOO researchers pointed out, adding they responsibly disclosed all the issues to Apple, but that the tech giant “had no feedback.”

With LPM-related features taking a stealthier approach to carrying out their intended use cases, SEEMOO called on Apple to include a hardware-based switch to disconnect the battery, so as to alleviate any surveillance concerns that could arise from firmware-level attacks.

“Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates,” the researchers said. “Thus, it has a long-lasting effect on the overall iOS security model.”

“Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”

Source :
https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html

Europe Agrees to Adopt New NIS2 Directive Aimed at Hardening Cybersecurity

The European Parliament announced a “provisional agreement” aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union.

The revised directive, called “NIS2” (short for network and information systems), is expected to replace the existing legislation on cybersecurity that was established in July 2016.

The revamp sets ground rules, requiring companies in energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations.

Among the provisions in the new legislation are flagging cybersecurity incidents to authorities within 24 hours, patching software vulnerabilities, and readying risk management measures to secure networks, failing which can incur monetary penalties.

“The directive will formally establish the European Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents,” the Council of the European Union said in a statement last week.

The development closely follows the European Commission’s plans to “detect, report, block, and remove” child sexual abuse images and videos from online service providers, including messaging apps, prompting concerns that it may undermine end-to-end encryption (E2EE) protections.

The draft version of NIS2 explicitly spells out that the use of E2EE “should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offenses in compliance with Union law.”

It also stressed that “Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.”

That said, the directive will not apply to organizations in verticals such as defense, national security, public security, law enforcement, judiciary, parliaments, and central banks.

As part of the proposed agreement, the European Union member states are mandated to incorporate the provisions into their national law within a period of 21 months from when the directive goes into force.

“The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems,” the Council noted in the draft.

“Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market.”

Source :
https://thehackernews.com/2022/05/europe-agrees-to-adopt-new-nis2.html

Apple releases iOS 15.5 with enhancements to Apple Cash and Podcasts app

Apple on Monday released iOS 15.5 and iPadOS 15.5 to the public following the release of the RC build last week. The update doesn’t bring significant changes, but it does improve the Apple Cash and Podcasts app.

iOS 15.5 new features

Apple says that iOS 15.5 makes enhancements to Apple Cash, with support for more easily requesting and sending money from the Apple Cash card in the Wallet app. There’s also a new feature in Apple Podcasts to help preserve your iPhone’s storage space and some bug fixes for HomeKit. 

Here are the full release notes for iOS 15.5 according to Apple: 

iOS 15.5 includes the following improvements and bug fixes:

  • Wallet now enables Apple Cash customers to send and request money from their Apple Cash card
  • Apple Podcasts includes a new setting to limit episodes stored on your iPhone and automatically delete older ones
  • Fixes an issue where home automations, triggered by people arriving or leaving, may fail

Here are some other changes in iOS 15.5 we’ve spotted so far, not mentioned in Apple’s release notes: 

You can update your devices by going to the Settings app, then General > Software Update. Check out Apple’s website for more details about the security patches included with iOS 15.5.

It’s unclear whether this update will be the last before the first iOS 16 beta, which should arrive shortly after WWDC 2022 in June.

Source :
https://9to5mac.com/2022/05/16/apple-releases-ios-15-5-with-enhancements-to-the-apple-cash-and-podcasts-app/

SonicWall Releases Patches for New Flaws Affecting SSLVPN SMA1000 Devices

SonicWall has published an advisory warning of a trio of security flaws in its Secure Mobile Access (SMA) 1000 appliances, including a high-severity authentication bypass vulnerability.

The weaknesses in question impact SMA 6200, 6210, 7200, 7210, 8000v running firmware versions 12.4.0 and 12.4.1. The list of vulnerabilities is below –

  • CVE-2022-22282 (CVSS score: 8.2) – Unauthenticated Access Control Bypass
  • CVE-2022-1702 (CVSS score: 6.1) – URL redirection to an untrusted site (open redirection)
  • CVE-2022-1701 (CVSS score: 5.7) – Use of a shared and hard-coded cryptographic key

Successful exploitation of these bugs could allow an attacker to gain unauthorized access to internal resources and even redirect potential victims to malicious websites.

Tom Wyatt of the Mimecast Offensive Security Team has been credited with discovering and reporting the vulnerabilities.

SonicWall noted that the flaws do not affect SMA 1000 series running versions earlier than 12.4.0, SMA 100 series, Central Management Servers (CMS), and remote access clients.


Although there is no evidence that these vulnerabilities are being exploited in the wild, users are advised to apply the fixes, given that SonicWall appliances have been an attractive target for ransomware actors in the past.

“There are no temporary mitigations,” the network security company said. “SonicWall urges impacted customers to implement applicable patches as soon as possible.”

Source :
https://thehackernews.com/2022/05/sonicwall-releases-patches-for-new.html

Enjoy the Speed and Safety of TLS 1.3 Support

SonicWall NGFWs offer full TLS 1.3 support — ensuring your network can handle the latest encryption protocols.

The best products tend to stick around for a while. In the first two years that the Ford Mustang was manufactured, 1965 and 1966, roughly 1.3 million cars rolled off assembly lines in Dearborn, Mich.; Metuchen, N.J.; and Milpitas, Calif. Of those, a remarkable 350,000 are still on the road today — and with proper care, still getting from Point A to Point B just as well as they did during the Johnson Administration.

But aesthetics aside, does that make them a good choice for a daily driver today? In a crash test with any modern vehicle (or a race with any of today’s Mustangs), the first-generation Mustang would be completely overwhelmed. Safety features we take for granted, such as airbags, lane-keep assist, blind spot detection and anti-lock brakes, are absent. These cars might do fine for the occasional Sunday spin around town. But would you put your family in one?

When a product forms the boundary between something precious and grave disaster, you want that product to be as safe as possible. This also holds true for another Milpitas innovation: SonicWall firewalls. To know whether your current choice is still the right choice, it helps to look at what innovations have occurred since then, and whether they were incremental improvements or giant leaps forward. In the case of TLS 1.3 encryption support, it’s unquestionably the latter.

TLS 1.3 is the latest version of transport layer security, which offers reliable encryption for digital communications over the internet. And as with the Mustang before it, modern innovations have led to sizeable leaps in two areas: safety and performance.

TLS 1.3: Safety First

Since the original SSL technology was introduced in 1994, each new version has worked to solve the problems of the previous versions while also maintaining compatibility with those versions. But, unfortunately, maintaining backward compatibility meant leaving in many unnecessary or vulnerable ciphers.

These legacy ciphers made the encryption susceptible to attack, giving attackers a way to circumvent newer security advances in favor of older and weaker protection. A few of the ciphers that persisted up through TLS 1.2, such as RC4 and the 40-bit export-grade suites, were so weak that an attacker could recover plaintext from captured traffic alone, whether by exploiting RC4's keystream biases or by brute-forcing a 40-bit export key.

TLS 1.3 represents a fundamental shift in this philosophy. Faced with a sharp increase in attacks that depended on these leftovers, such as Lucky13, BEAST and POODLE (which exploit CBC-mode padding and record handling) and Logjam and FREAK (which downgrade the handshake to export-grade key exchange), the Internet Engineering Task Force (IETF) removed the weak ciphers, the CBC modes and static RSA key exchange altogether, and the resulting TLS 1.3 is vastly more secure because of it.

It’s also more private. In TLS 1.2 and earlier, the server's signature covered only the ephemeral key-exchange parameters, not the cipher-suite negotiation that preceded them. That gap is what the Logjam downgrade exploited: an attacker on the path could tamper with the negotiation, force an export-grade suite the client would still accept, and then break that weak key exchange to read the entire conversation.

In TLS 1.3, the server signs a hash of the whole handshake transcript, so any tampering with the negotiation is detected, and everything after the ServerHello, including the server's certificate, is encrypted. This makes it far harder for outsiders to fingerprint or eavesdrop on client/server communications or to mount man-in-the-middle attacks. And because every TLS 1.3 handshake uses ephemeral (EC)DHE keys, past sessions remain protected even if a server's long-term private key is compromised later (forward secrecy).

TLS 1.3: Safety Fast

With TLS 1.3, the handshake process isn’t just more secure — it’s faster, too. The four-step handshake required with TLS 1.2 necessitated two round-trip exchanges between systems, introducing latency and taking up bandwidth and power.

These slowdowns especially affected the growing class of Internet of Things (IoT) devices, which have trouble handling connections requiring lots of bandwidth or power, but also tend to need encryption most due to weak onboard security.

However, with just a single key exchange and significantly fewer supported ciphers, TLS 1.3 uses considerably less bandwidth. And because it requires just one round trip to complete the handshake, it’s significantly faster. TLS 1.3’s zero round trip time (0-RTT) feature is even quicker: on a resumed connection the client can send application data in its very first flight, giving latency comparable to unencrypted HTTP. The caveat is that 0-RTT early data can be replayed by anyone who captured it, so servers should accept it only for idempotent requests, or leave it disabled.

Is Your Firewall Up to the Task?

Experts estimate that 80-90% of all network traffic today is encrypted. But many legacy firewalls lack the capability or processing power to detect, inspect and mitigate cyberattacks sent over HTTPS at all, let alone over TLS 1.3, making this a highly successful avenue for attackers to deliver and execute malware.

According to the 2022 SonicWall Cyber Threat Report, from 2020 to 2021, malware sent over HTTPS rose a staggering 167%. All told, SonicWall recorded 10.1 million encrypted attacks in 2021 — almost as many as in 2018, 2019 and 2020 combined.


With an average of 7% of customers seeing an encrypted attack in a given month, the odds your organization will be targeted by an attack this year are enormous. But if your firewall cannot inspect encrypted traffic — and increasingly, if it cannot inspect TLS 1.3 — you’ll never know it until it’s too late.
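As an added example (not SonicWall's code and not part of the original post), here is a small Python parser that reads a TLS ClientHello the way a TLS 1.3-aware inspection device has to. TLS 1.3 keeps the legacy version field in the ClientHello at TLS 1.2 and signals 1.3 only inside the supported_versions extension, so an inspector that keys on the version field alone misclassifies TLS 1.3 connections. The same parser flags the legacy CBC, RC4 and export suites discussed under "Safety First" when a client still offers them. The cipher-suite table is deliberately a small subset of the IANA registry, and the ClientHello records are constructed inline as sample input; both are assumptions of the example.

```python
"""Inspect a TLS ClientHello the way a TLS 1.3-aware middlebox must.

TLS 1.3 keeps legacy_version = 0x0303 (TLS 1.2) in the ClientHello for middlebox
compatibility and advertises 1.3 only in the supported_versions extension, so a
device that reads just the record or legacy version field misclassifies TLS 1.3.
"""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Illustrative subset of IANA cipher-suite codes (assumption: not an exhaustive table).
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                  # TLS 1.3 AEAD
    0x1302: "TLS_AES_256_GCM_SHA384",                  # TLS 1.3 AEAD
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",            # TLS 1.3 AEAD
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # TLS 1.2 AEAD, forward secret
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      # CBC: Lucky13/BEAST/POODLE class
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",                # RC4 keystream biases, static RSA
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",          # 40-bit export grade: FREAK class
}
WEAK_MARKERS = ("_CBC_", "RC4", "EXPORT", "_NULL_", "MD5")
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def build_client_hello(cipher_suites, supported_versions=None, sni=None):
    """Construct a ClientHello record; used here only to make sample input."""
    exts = b""
    if sni:
        name = sni.encode()
        body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = (struct.pack("!H", 0x0303) + bytes(32)      # legacy_version, random (zeroed sample)
             + b"\x00"                                   # empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                               # compression methods: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return legacy_version, offered cipher suites, supported_versions and SNI."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = _u16(data, 3)
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 != rec_len or len(data) < 5 + rec_len:
        raise ValueError("truncated or fragmented ClientHello")
    off = 9
    legacy_version = _u16(data, off); off += 2
    off += 32                                # client random
    off += 1 + data[off]                     # session_id
    n = _u16(data, off); off += 2
    suites = [_u16(data, off + i) for i in range(0, n, 2)]; off += n
    off += 1 + data[off]                     # compression methods
    ext_end = off + 2 + _u16(data, off); off += 2
    versions, sni = [], None
    while off < ext_end:
        etype, elen = _u16(data, off), _u16(data, off + 2)
        body = data[off + 4: off + 4 + elen]
        if etype == EXT_SUPPORTED_VERSIONS:
            # Drop GREASE values (0x?a?a) and anything else we cannot name.
            versions = [v for v in (_u16(body, 1 + i) for i in range(0, body[0], 2))
                        if v in TLS_VERSIONS]
        elif etype == EXT_SERVER_NAME and body[2] == 0:  # name_type 0 = host_name
            sni = body[5:5 + _u16(body, 3)].decode()
        off += 4 + elen
    if off != ext_end:
        raise ValueError("malformed extensions block")
    return {"legacy_version": legacy_version, "supported_versions": versions,
            "cipher_suites": suites, "sni": sni}


def classify(hello):
    """Contrast what a legacy (version-field-only) inspector sees with reality."""
    offered = hello["supported_versions"] or [hello["legacy_version"]]
    names = [CIPHER_SUITES.get(s, "unknown_%04x" % s) for s in hello["cipher_suites"]]
    return {
        "legacy_view": TLS_VERSIONS[hello["legacy_version"]],   # what a TLS 1.2-era box reports
        "max_offered": TLS_VERSIONS[max(offered)],               # what the client can really do
        "weak_suites": [n for n in names if any(m in n for m in WEAK_MARKERS)],
    }


if __name__ == "__main__":
    modern = build_client_hello([0x1301, 0x1302, 0xC02F], [0x0304, 0x0303], "example.com")
    legacy = build_client_hello([0xC02F, 0xC013, 0x0005, 0x0003])
    for label, record in (("tls13 client", modern), ("tls12 client", legacy)):
        print(label, classify(parse_client_hello(record)))
```

For the TLS 1.3 client the legacy view is "TLS 1.2" while the real maximum offered is "TLS 1.3"; for the older client the parser lists the CBC, RC4 and export suites it still advertises. A production inspector would also handle ClientHellos split across several records and the GREASE values real browsers insert, which this parser only filters out of supported_versions.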

SonicWall Supports TLS 1.3 Encryption

SonicWall Gen 7 firewalls bring a lot to the table: They combine higher port density and greater threat throughput with comprehensive malware analysis, unmatched simplicity and industry-leading performance. But among the biggest game-changers in Gen 7 (and its predecessors capable of running SonicOS Gen 6.5) is its support for TLS 1.3 encryption.

SonicWall NGFWs with SonicOS Gen 6.5 and later offer full TLS inspection, decrypting data, checking it for potential threats, and then re-encrypting it for secure transmission, all while ensuring you retain optimal performance and comprehensive visibility. As with any TLS interception, this requires clients to trust the firewall's resigning CA certificate, and because TLS 1.3 encrypts the server certificate, an inspecting device must terminate the connection itself rather than passively read the handshake.

After all, as in the case of the classic Mustang, there’s no blind spot detection for firewalls that can’t handle today’s encrypted traffic — and these legacy solutions are easily outclassed when going head-to-head. Don’t let yesterday’s firewalls leave unprotected gaps in your network: Upgrade to SonicWall Gen 7 today.

Source :
https://blog.sonicwall.com/en-us/2022/05/enjoy-the-speed-and-safety-of-tls-1-3-support/