Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information.
The findings follow the March disclosure of TLStorm, a set of three critical flaws in APC Smart-UPS devices that could permit an attacker to take over control and, worse, physically damage the appliances.
IoT security firm Armis, which uncovered the shortcomings, noted that the design flaws can be traced back to a common source: a misuse of NanoSSL, a standards-based SSL developer suite from Mocana, a DigiCert subsidiary.
The new set of flaws, dubbed TLStorm 2.0, renders Aruba and Avaya network switches vulnerable to remote code execution vulnerabilities, enabling an adversary to commandeer the devices, move laterally across the network, and exfiltrate sensitive data.
Affected devices include Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series as well as Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.https://player.vimeo.com/video/704230226?h=6c3f78c718&byline=0&portrait=0
Armis chalked up the flaws to an “edge case,” a failure to adhere to guidelines pertaining to the NanoSSL library that could result in remote code execution. The list of bugs is as follows –
CVE-2022-23676 (CVSS score: 9.1) – Two memory corruption vulnerabilities in the RADIUS client implementation of Aruba switches
CVE-2022-23677 (CVSS score: 9.0) – NanoSSL misuse on multiple interfaces in Aruba switches
HTTP POST request handling heap overflow vulnerability in a discontinued Avaya product line (no CVE)
Even more concerningly, the vulnerabilities found in Avaya switches are zero-click, meaning they can be activated via unauthenticated network packets without any user interaction.
“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure,” Barak Hadad, head of research in engineering at Armis, said.
Organizations deploying impacted Avaya and Aruba devices are highly recommended to apply the patches to mitigate any potential exploit attempts.
Today Sophos has released the State of Ransomware 2022, its annual study of the real-world ransomware experiences of IT professionals working at the frontline around the globe.
The study has revealed an ever more challenging attack environment together with the growing financial and operational burden ransomware places on its victims. It also shines new light on the relationship between ransomware and cyber insurance, and the role insurance is playing in driving changes to cyber defenses.
This year, 5,600 IT professional from 31 countries participated in the research, with 965 sharing details of ransom payments made. Key findings include:
Ransom attacks are more frequent – 66% of organizations surveyed were hit with ransomware in 2021, up from 37% in 2020
Ransom payments are higher – In 2021, 11% of organizations said they paid ransoms of $1 million or more, up from 4% in 2020, while the percentage of organizations paying less than $10,000 dropped to 21% from 34% in 2020. Overall, the average ransom paid by organizations that had data encrypted in their most significant ransomware attack, increased nearly fivefold to reach $812,360
More victims are paying the ransom – In 2021, 46% of organizations that had data encrypted in a ransomware attack paid the ransom. Twenty-six percent of organizations that were able to restore encrypted data using backups in 2021 also paid the ransom
The impact of a ransomware attack can be immense – The average cost to recover from the most recent ransomware attack in 2021 was $1.4 million. It took on average one month to recover from the damage and disruption. 90% of organizations said the attack had impacted their ability to operate, and 86% of private sector victims said they had lost business and/or revenue because of the attack
Many organizations rely on cyber insurance to help them recover from a ransomware attack – 83% of mid-sized organizations had cyber insurance that covers them in the event of a ransomware attack
Cyber insurance almost always pays out – In 98% of incidents where the victim had cyber insurance that covered ransomware, the insurer paid some or all the costs incurred (with 40% overall covering the ransom payment)
94% of those with cyber insurance said that their experience of getting it has changed over the last 12 months, with higher demands for cybersecurity measures, more complex or expensive policies and fewer organizations offering insurance protection
“The findings suggest we may have reached a peak in the evolutionary journey of ransomware, where attackers’ greed for ever higher ransom payments is colliding head on with a hardening of the cyber insurance market as insurers increasingly seek to reduce their ransomware risk and exposure,” said Chester Wisniewski, principal research scientist at Sophos.
“In recent years, it has become increasingly easy for cybercriminals to deploy ransomware, with almost everything available as-a-service. Second, many cyber insurance providers have covered a wide range of ransomware recovery costs, including the ransom, likely contributing to ever higher ransom demands. However, the results indicate that cyber insurance is getting tougher and in the future ransomware victims may become less willing or less able to pay sky high ransoms. Sadly, this is unlikely to reduce the overall risk of a ransomware attack. Ransomware attacks are not as resource intensive as some other, more hand-crafted cyberattacks, so any return is a return worth grabbing and cybercriminals will continue to go after the low hanging fruit.”
Sophos commissioned research agency Vanson Bourne to conduct an independent, vendor-agnostic survey of 5,600 IT professionals in mid-sized organizations (100-5,000 employees) across 31 countries. The survey was conducted during January and February 2022, and respondents were asked to respond based on their experiences over the previous year. Respondents were from Australia, Austria, Belgium, Brazil, Canada, chile, Colombia, Czech Republic, France, Germany, Hungary, India, Israel, Italy, Japan, Malaysia, Mexico, Netherlands, Nigeria, Philippines, Poland, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Turkey, UAE, UK, and US.
Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.
Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most frequently employed tools, tactics, and procedures (TTPs) organizations can gain a deeper understanding into how ransomware groups infiltrate networks and use this knowledge to identify and prioritize areas of weakness.
Symantec, a division of Broadcom Software, tracks various ransomware threats; however, the following three ransomware families are being observed in the majority of recent attacks:
Hive
Conti
Avoslocker
Similar to many other ransomware families, Hive, Conti, and Avoslocker follow the ransomware-as-a-service (RaaS) business model. In the RaaS model the ransomware operators hire affiliates who are responsible for launching the ransomware attacks on their behalf. In most cases affiliates stick to a playbook that contains detailed attack steps laid out by the ransomware operators.
Once initial access to a victim network has been gained, Hive, Conti, and Avoslocker use a plethora of TTPs to help the operators achieve the following:
Gain persistence on the network
Escalate privileges
Tamper with and evade security software
Laterally move across the network
Initial Access
Affiliates for the Hive, Conti, and Avoslocker ransomware operators use a variety of techniques to gain an initial foothold on victim networks. Some of these techniques include:
Spear phishing leading to the deployment of malware, including but not limited to:
IcedID
Emotet
QakBot
TrickBot
Taking advantage of weak RDP credentials
Exploiting vulnerabilities such as:
Microsoft Exchange vulnerabilities – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855
FortiGate firewall vulnerabilities – CVE-2018-13379 and CVE-2018-13374
Apache Log4j vulnerabily – CVE-2021-44228
In most cases, the spear-phishing emails contain Microsoft Word document attachments embedded with macros that lead to the installation of one of the previously mentioned malware threats. In some instances, attackers use this malware to install Cobalt Strike, which is then used to pivot to other systems on the network. These malware threats are then used to distribute ransomware onto compromised computers.
Persistence
After gaining initial access, Symantec has observed affiliates for all three ransomware families using third-party software such as AnyDesk and ConnectWise Control (previously known as ScreenConnect) to maintain access to victim networks. They also enable default Remote Desktop access in the firewall:
netsh advfirewall firewall set rule group=”Remote Desktop” new enable=yes
Actors are also known to create additional users on compromised systems to maintain access. In some instances we have seen threat actors add registry entries that allow them to automatically log in when a machine is restarted:
During the discovery phase the ransomware actors try to sweep the victim’s network to identify potential targets. Symantec has observed the aforementioned ransomware actors using tools such as the following:
ADRecon – Gathers Active Directory information and generates a report
Netscan – Discovers devices on the network
Credential Access
Mimikatz is a go-to tool for most ransomware groups and Hive, Conti, and Avoslocker are no exception. We have observed them using the PowerShell version of Mimikatz as well as the PE version of the tool. There are also instances where the threat actors directly load the PowerShell version of Mimikatz from GitHub repositories:
In addition to using Mimikatz, the threat actors have also taken advantage of the native rundll32 and comsvcs.dll combination to dump the LSASS memory:
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <process id> lsass.dmp full
Adversaries also dump the SECURITY, SYSTEM, and SAM hives and later extract credentials from the dump. In rare occasions they have also been observed using taskmgr.exe to dump the LSASS memory and later using the dump to extract valuable credentials.
Lateral Movement
Attackers employ tools like PsExec, WMI, and BITSAdmin to laterally spread and execute the ransomware on victim networks. We have also observed the attackers using several other techniques to laterally move across networks.
As with a number of other ransomware families, Hive, Conti, and Avoslocker also tamper with various security products that interfere with their goal. We have observed them meddling with security services using the net, taskkill, and sccommands to disable or terminate them. In some cases they also use tools like PC Hunterto end processes. They have also been seen tampering with various registry entries related to security products, since changes to the registry entries can make those products inoperative.
Both Hive and AvosLocker have been observed attempting to disable Windows Defender using the following reg.exe commands.
Adversaries tend to disable or tamper with operating system settings in order to make it difficult for administrators to recover data. Deleting shadow copies is a common tactic threat actors perform before starting the encryption process. They perform this task by using tools like Vssadmin or WMIC and running one of the following commands:
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
We have also seen BCDEditbeing used to disable automatic system recovery and to ignore failures on boot:
Attackers commonly exfiltrate critical data from a victim’s environment before encrypting it. They then use the stolen data in an attempt to extort a ransom from victims. We have observed threat actors using the following cloud services to exfiltrate data:
https://anonfiles.com
https://mega.nz
https://send.exploit.in
https://ufile.io
https://www.sendspace.com
We have also seen attackers use the following tools for data exfiltration:
Filezilla
Rclone
Conclusion
The TTPs outlined in this blog are a snapshot of the current ransomware threat landscape. The TTPs used by these threat actors are constantly evolving, with groups continually tweaking their methods in a bid to outmaneuver their targets’ security defenses. As such, organizations need to be vigilant and employ a multi-layered security approach.
Symantec Protection
Symantec Endpoint Protection (SEP) protects against ransomware attacks using multiple static and dynamic technologies.
AV Protection
Ransom.Hive
Ransom.Conti
Ransom.AvosLocker
Backdoor.Cobalt
Hacktool.Mimikatz
Trojan.IcedID*
Trojan.Emotet*
W32.Qakbot*
Trojan.Trickybot*
Behavioral Protection
SONAR.RansomHive!g2
SONAR.RansomHive!g3
SONAR.RansomHive!g4
SONAR.RansomAvos!g2
SONAR.RansomConti!g1
SONAR.RansomConti!g3
SONAR.RansomConti!g4
SONAR.Ransomware!g30
SONAR.RansomGregor!g1
SONAR.SuspLaunch!gen4
SONAR.SuspLaunch!g18
SONAR.Ransom!gen59
SONAR.Ransomware!g26
SONAR.Cryptlck!g171
Intrusion Prevention System (IPS) detections
IPS blocks initial access, persistence, and lateral movement. SEP’s Audit Signatures are intended to raise awareness of potentially unwanted traffic on the network. By default, Audit Signatures do not block. Administrators reviewing the logs of IPS events in their network can note these Audit events and decide whether or not to configure the corresponding Audit Signatures to block the traffic.
The following is a list of Audit Signatures that can be enabled to block, through policies, activity related to the use of software or tools such as AnyDesk, ScreenConnect, and PsExec.
Symantec recommends that you have intrusion prevention enabled on all your devices including servers.
Adaptive Protection
Symantec Adaptive Protection can help protect against lateral movement and ransomware execution techniques used by an attacker. If you are not using tools like PsExec, WMIC, and BITSAdmin in your environment then you should “Deny” these applications and actions using Symantec Adaptive Protection policies.
Recommendations
Customers are advised to enable their Intrusion Prevention System (IPS) on desktops and servers for best protection. Click here for instructions on enabling the IPS Server Performance Tuning feature. This feature should be enabled on servers to allow additional tuning for the IPS module and definitions in high-throughput scenarios.
Customers are also advised to enable Proactive Threat Protection, also known as SONAR, which is Symantec’s behavior-based protection.
Customers should also keep Symantec Endpoint Protection (SEP) up-to-date with the latest version and definition set.
Symantec has multi-layer protection technologies for all the threat types. To provide the best protection, all SEP features should be enabled for Windows desktops and servers.
You’ve been asked for a Vulnerability Assessment Report for your organisation and for some of you reading this article, your first thought is likely to be “What is that?”
Worry not. This article will answer that very question as well as why you need a Vulnerability Assessment Report and where you can get one from.
As it’s likely the request for such a report came from an important source such as the Board, a partner, a client or an auditor, there isn’t a moment to waste. So let’s drive straight in.
What is a Vulnerability Assessment Report and why do you need one?
A Vulnerability Assessment Report is simply a document that illustrates how you are managing your organisation’s vulnerabilities. It’s important because, with tens of thousands of new technology flaws being discovered every year, you need to be able to prove that your organisation does its best to avoid attack if you want to be trusted by partners and customers.
A best security practice recommended by governments across the world, a vulnerability assessment is an automated review process that provides insights into your current security state. The vulnerability assessment report is the outcome of this review. Used as a roadmap to a better state of security preparedness, it lays out the unique risks your organisation is up against due to the technology you use, and reveals how best to overcome them with minimal disruption to your core business strategy and operations.
The help it provides is clear but why do you need one? As mentioned above, it’s likely you were asked for a Vulnerability Assessment Report by the Board, a partner, a client or an auditor as each of these groups needs reassurance that you’re on top of any weaknesses in your infrastructure. Here’s why:
— Customers need to trust you
Weaknesses in your IT systems could affect your customers’ operations. With supply chain attacks on the rise, a vulnerability in a single company could leave the whole range of organizations paralysed, as demonstrated by the infamous SolarWinds hack last year.
It doesn’t matter how small your business is; if your customers will be entrusting you with any of their data, they may wish for a Vulnerability Assessment Report first to confirm that your IT security practices are tiptop.
— The Board wants a better understanding of the business’ risk
Cyber security is a growing concern across many businesses, so chances are your board members want to take a better grip of their risk, before the lack of insights into vulnerabilities is turned into a much more serious business problem. With ransomware attacks regularly making headlines, having proper vulnerability management in place and presenting an “all clear” report, can give your business heads that needed peace of mind.
— Your auditors are checking for compliance
Many of the regulatory or compliance frameworks related to security and privacy, like SOC2, HIPAA, GDPR, ISO 27001, and PCI DSS, advise or outright require regular compliance scans and reporting, so if the request for a vulnerability assessment report was made by your auditor, it is likely to be for compliance purposes.
— Your CFO is renewing your cyber insurance
It could be the case that your insurance provider is seeking a vulnerability assessment report as part of the underwriting process. If you don’t want to run the risk of being denied your insurance payment or wouldn’t like to see your premiums rise, then you could benefit from supplying these reports regularly.
How often do you need to produce a vulnerability assessment report?
Regularly. Think of it like vulnerability scanning: For maximum efficacy, you need to conduct regular, if not constant, comprehensive evaluations of your entire technology stack, otherwise you could miss something that could bring your business to a costly halt.
Cybercriminals do not stop searching until they find something they can take advantage of. You need to scan your systems continuously and have up to date reporting to reflect your vigilance as and when it’s needed.
Modern vulnerability scanning solutions, like Intruder, will give you a cyber hygiene score which enables you to track the progress of your vulnerability management efforts over time, proving that your security issues are being continuously resolved in good time.
A vulnerability assessment report from Intruder, to provide evidence to your customers or regulators that a vulnerability scanning process is in place.
What should be included in a vulnerability assessment report?
Unfortunately, there isn’t a one size fits all report. While the contents are generally the number of vulnerabilities detected in your systems at a point in time, your different stakeholders will require varying levels of detail. Even for compliance purposes, vulnerability assessment reporting requirements can differ.
As a good rule of thumb, we recommend building an Executive Report containing graph views and composite cyber hygiene scores for the Board and C-Suite that clue them in on where they stand at any given moment. And for your IT team, their report needs greater detail such as how to apply the correct solutions to existing problems and sidestep subsequent mistakes.
Where can you get a Vulnerability Assessment Report from?
Ensuring your Vulnerability Assessment Reports contain all the elements and information your stakeholders require can take a lot of work and expertise; which can distract your security teams from other activities that will keep your organisation secure. That is why it’s recommended to choose an external provider to produce your reports.
Before you start comparing individual vendors, make sure you have a solid understanding of your technical environment and of the specific outcomes that the vulnerability assessment should present. This is because vulnerability assessment tools are not built the same; they check for different types of weaknesses, so you need to choose the solution that best suits your requirements. Consider the features and checks you’ll require, as well as the industry standards you need to follow and your budget.
Two key elements to consider relate to reporting: firstly, how flexible the assessment provider will be with how much detail is presented (particularly if you need to present data to different audiences); and secondly, how clearly the results are communicated. Scanning results can be overwhelming but the right vendor will demystify complex security data to grant you a clear, jargon-free understanding of the risks you face.
At Intruder, reports are designed to be well-understood, whilst also maintaining all the technical detail required by IT managers and DevOps teams. Whether you’re a massive enterprise or a fledgling startup, you can generate rapid reports, create compliance paper trails, stay secure, and communicate with employees and potential investors. Intruder offers a free trial of its software, which you can activate here. Get vulnerability assessment reporting in place now.
Looking for the best way to extend your firewall protection to the cloud? Independent testing recently found that SonicWall NSv series is more than up to the challenge.
More than 90% of enterprises use the cloud in some way, with 69% of those considered hybrid cloud users (utilizing both private and public clouds). Along with widespread remote work adoption, this shift is driving the need for scaled-out, distributed infrastructure.
Within this new cloud landscape, security has become more complex as the number of perimeters and integrations grow, and cybercriminals increasingly focus on security gaps and vulnerabilities in cloud implementations. It’s often easier for threat actors to exploit these vulnerabilities than it is to breach hardened components of the cloud deployment.
A next-generation firewall deployed in the cloud can protect critical data stored in the cloud. But it’s important to make sure this firewall provides the same level of security and performance as an on-premises firewall.
Recently, Tolly Group used Keysight Technologies’ brand-new native cloud testing solution — CyPerf — to measure the performance of SonicWall NSv 470 virtual firewall in Amazon Web Services (AWS). AWS is the major public cloud vendor, with a projected 49% market share in enterprise cloud adoption for 2022. AWS recommends a shared responsibility model, meaning AWS is responsible for the security of the cloud, and the customer is responsible for security in the cloud.
What is SonicWall NSv virtual firewall?
SonicWall’s NSv Series virtual firewalls provide all the security advantages of a physical firewall, plus all the operational and economic benefits of the cloud — including system scalability and agility, speed of system provisioning, simple management and cost reduction. NSv delivers full-featured security tools including VPN, IPS, application control and URL filtering. These capabilities shield all critical components of the private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks, and common network-based exploits and threats.
What is Keysight Technologies CyPerf?
Keysight CyPerf is the industry’s first cloud-native software solution that recreates every aspect of a realistic workload across a variety of physical and cloud environments. CyPerf deployed across a variety of heterogeneous cloud environments realistically models dynamic application traffic, user behavior and threat vectors at scale. It validates hybrid cloud networks, security devices and services for more confident rollouts.
Putting SonicWall NSv to the Test
Keysight Technologies and Tolly Group engineers tested a SonicWall NSv 470 virtual firewall running SonicOSX version 7. The AWS instance for the NSv 470 under test was AWS C5.2xlarge. The engineers deployed CyPerf agents on AWS C5.n2xlarge instances to be certain that the agents would have sufficient resources to stress the firewall under test. Each of two agent instances was provisioned with 8 vCPUs, 21GB memory and 25GbE network interfaces.
Test methodology and results
The engineers used three different traffic profiles to collect results — unencrypted HTTP traffic, encrypted (HTTPS/TLS) traffic, and Tolly’s productivity traffic mix, which includes five applications: JIRA, Office 365, Skype, AWS S3 and Salesforce. Engineers used CyPerf application mix tests to create the Tolly productivity mix and generate stateful, simulated application traffic.
The tests were run against three different security profiles:
1) Firewall: Basic firewall functions with no policy set
2) IPS: Firewall with the intrusion prevention system feature enabled
3) Threat Prevention: Firewall with IPS, antivirus, anti-spyware and application control features enabled
The results observed in the AWS public cloud environment are similar to the results observed in virtual environment.
Test
Unencrypted HTTP Traffic
Encrypted HTTPS/TLS Traffic
Firewall Throughput
7.70 Gbps
3.10 Gbps
IPS Throughput
7.60 Gbps
3.05 Gbps
Threat Prevention
7.40 Gbps
3.04 Gbps
Table 1: Test measurements for NSv 470 in AWS Cloud
Note: The table above highlights just a few of the test results. For complete results and test parameters, please download the report.
Conclusion
Most enterprises are moving their datacenters away from traditional on-premises deployments and to the cloud. It is imperative that security teams provide the same level of security for cloud server instances as they have been doing for on-premises physical servers. A next-generation firewall with advanced security services like IPS and application control is the first step to securing cloud instances against cyber threats.
In addition to security features, it also important to choose a firewall that provides the right level of performance needed for a given cloud workload. SonicWall NSv series offers a variety of models with performance levels suited to any size of cloud deployment, with all the necessary security features enabled. To learn more about how SonicWall NSv Series excels in AWS environments, click here.
Closing the cybersecurity skills gap has been a topic of interest for a number of years with many organizations reporting on its slow decline. According to (ISC)2’s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets. While the number of professionals needed to fill the gap has decreased from 3.12 million down to 2.72 million in the past year, this is still a significant void that leaves organizations vulnerable.
Organizations are looking for individuals with certified skills
Organizations are looking for more diversity
Raising cybersecurity awareness remains a key challenge
The survey was conducted in January and February of 2022 and included more than 1200 IT and cybersecurity decision-makers from 29 different locations. There was an even split between the respondents in four regions: North America, EMEA, APAC and LATAM.
How Cybersecurity and the Skills Gap Affects Every Organization
A staggering 80% of organizations experienced at least one breach during the last 12 months that they could attribute to a lack of cybersecurity skills and/or awareness. Almost 20% suffered five or more breaches.Number of breaches in the last 12 months
If that weren’t enough, 64% of organizations experienced breaches that resulted in lost revenue and/or cost them fines. Of those, 38% reported breaches that cost them more than a million dollars (USD).
How is the Skills Gap Creating Cyber Risk?
According to the survey respondents, a key factor contributing to the breaches is that organizations struggle to find and retain certified cybersecurity people. 67% of global leader respondents indicate that the skills shortage creates additional cyber risks for their organization.
Recruitment and Retention Are Key Challenges Causing the Skills Gap
Organizations need qualified cybersecurity professionals now more than ever, which is why 76% of organizations indicate that their board of directors now recommend increases in IT and cybersecurity headcount.Board members who recommend increases in IT and cybersecurity headcount
Most would hope that increasing hiring could be an easy fix to this problem, however, 60% of organizations indicated that they struggle to recruit cybersecurity talent and 52% struggle to retain it.
Another key challenge for recruitment is the that organizations need to hire people for a broad range of security and IT network-related roles and specializations. Cloud security specialist and security operations (SOC) analysts remain among the most sought-after roles in cybersecurity, followed closely by security administrators and architects. But organizations aren’t just looking to ramp up hires arbitrarily. They’re deliberately trying to build teams of specialized talent who are equipped to handle an increasingly complex threat landscape.
Finding Qualified People is a Challenge for the Skills Gap
Globally, 50% of organizations seek cloud security specialists, a priority that’s likely informed by how rapidly companies moved their operations to the cloud during the pandemic.
The challenge is finding the right people.What roles are organizations looking for?
What Skills Are Needed to Work in Cybersecurity?
Central to the challenge of recruiting and retaining cybersecurity talent is the importance of certification. Certified professionals are universally sought after with 95% of decision-makers sharing that technology-focused certifications positively impact both their role and their team.
Organizations Are Looking for Certified Skills
As such, 81% of leaders prefer to hire people with certifications.
However, 78% indicate it’s hard to find certified people. This may contribute to the fact that globally 91% of organizations say they are willing to pay for an employee to achieve a cybersecurity certification.Organizations would pay for an employee to get a cybersecurity certification
The preference to hire certified people may be because organization leaders followed that same path themselves:
86% of decision-makers report having earned technology-focused certifications
88% report having other people with certificates on their team
Certification is an Opportunity Given the Skills Gap
It should also be noted from above that global leaders attributed the struggle to find and retain certified cybersecurity people as a key factor contributing to breaches. This also may influence an organization’s hiring strategy with a tendency to lean towards professionals with corresponding certifications to the positions they are attempting to fill.
Closing the Cybersecurity Skills Gap by Prioritizing Diversity
The challenge isn’t just hiring more people, but also building more capable and more diverse teams. While enterprises need qualified talent for a range of different roles, 89% of global companies also have explicit diversity goals as part of their hiring plan.
7 out of 10 leaders worldwide say hiring women and new graduates are among their top three challenges. 61% say hiring minorities is also a top three challenge.
Despite the challenges, or perhaps because of it, three out of four organizations implemented formal processes to hire more women, and nine out of 10 actively engaged women and new graduates during the last three years. 59% of companies have structures in place to hire minorities, and 51% for hiring more veterans.Hiring from these populations is a top three challenge for organizations
Raising Cybersecurity Awareness to Close the Skills Gap
Even though the recruitment, retention, and certification of a cybersecurity team is vital, companies cannot realistically protect themselves until they also raise the cyber awareness of all employees. That requires ensuring that all employees, at all levels and all roles within the organization, have the knowledge and awareness to protect themselves and their organization’s data. Until they do, breaches will always be likely.
87% of organizations implemented a training program to increase cyber awareness. However, 52% of leaders continue to believe their employees still lack the necessary knowledge. This raises the question of the effectiveness of the programs that organizations currently have in place. Employees lack knowledge when it comes to cybersecurity awareness
For those that don’t have a program in place, 66% report they are currently looking for a program that would suit their needs.
The Power of People Can Help Close the Skills Gap
Cybersecurity can sometimes feel like a purely technological domain. But when you look past the technology that organizations rely on, cybersecurity is all about how well your employees work together to protect the organization.
Fortunately, organizations are making deliberate efforts to improve on all these fronts. However, it is imperative to remember that the cyber battle isn’t won on any one front. Cybersecurity requires an entire system of people and technology working together to protect an organization.
That starts with people who are empowered, qualified, and certified to protect the organization.
OpenSSL has released a security update to address a vulnerability in the library that, if exploited, activates an infinite loop function and leads to denial of service conditions.
Denial of service attacks may not be the most disastrous security problem. However, it can still cause significant business interruption, long-term financial repercussions, and brand reputation degradation for those affected.
That is especially the case for software like OpenSSL, a ubiquitous secure communication library used by many large online platforms. Therefore, any vulnerability that affects the library can significantly impact a large number of users.
Certificates causing DoS
In this case, the high-severity OpenSLL problem lies in a bug on the BN_mod_sqrt() function, that if served a maliciously crafted certificate to parse, it will enter an infinite loop.
The certificate has to contain elliptic curve public keys in compressed form or elliptic curve parameters with a base point encoded in compressed form to trigger the flaw.
“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,” describes OpenSSL’s security notice.
“The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.”
Unfortunately, the problem impacts quite a few deployment scenarios, such as:
TLS clients consuming server certificates
TLS servers consuming client certificates
Hosting providers taking certificates or private keys from customers
Certificate authorities parsing certification requests from subscribers
Anything else which parses ASN.1 elliptic curve parameters
The vulnerability is tracked as CVE-2022-0778, and affects OpenSSL versions 1.0.2 to 1.0.2zc, 1.1.1 to 1.1.1n, and 3.0 to 3.0.1.
Google’s security researcher Tavis Ormandy discovered the certificate parsing vulnerability and reported his findings to the OpenSSL team on February 24, 2022.https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3NrZWxldG9uX2xvYWRpbmdfMTMzOTgiOnsiYnVja2V0IjoiY3RhIiwidmVyc2lvbiI6bnVsbH0sInRmd19zcGFjZV9jYXJkIjp7ImJ1Y2tldCI6Im9mZiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1503771787733069826&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fopenssl-cert-parsing-bug-causes-infinite-denial-of-service-loop%2F&sessionId=311e29408eba4153b418ae523e23f843cf490dd1&siteScreenName=BleepinComputer&theme=light&widgetsVersion=f9f80a909a60b%3A1648751432723&width=550px
The fixed versions released yesterday are 1.1.1n and 3.0.2, while only premium users of 1.0.2 will be offered a fix through 1.0.2zd.
Because version 1.0.2 does not parse the public key during the parsing of the certificate, the infinite loop is slightly more complicated to trigger than the other versions, but it’s still doable.
OpenSSL 1.0.2 has reached EOL and is not actively supported, so non-premium users are advised to upgrade to a new release branch as soon as possible.
Already exploited by threat actors?
Although OpenSSL has not said that the bug is already used by threat actors, Italy’s national cybersecurity agency, CSIRT, has marked it as actively exploited in the wild.
Bleeping Computer has contacted the OpenSSL team to request a clarification on this point, and they told us they are not aware of any active exploitation at this time.
Even if the message is mixed on that front, the low complexity of exploitation and the published information will allow threat actors to test and play quickly with the vulnerability in the future.
An OpenSSL spokesperson shared the following statement with Bleeping Computer:
The flaw is not too difficult to exploit, but the impact is limited to DoS. The most common scenario where exploitation of this flaw would be a problem would be for a TLS client accessing a malicious server that serves up a problematic certificate. TLS servers may be affected if they are using client authentication (which is a less common configuration) and a malicious client attempts to connect to it. It is difficult to guess to what extent this will translate to active exploitation.
Because most users obtain OpenSSL from a third party, there’s no centralized authority to count upgrade stats, so it’s impossible to estimate how many vulnerable deployments are out there.
Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE).
Tracked as CVE-2022-22274, the bug affects TZ Series entry-level desktop form factor next-generation firewalls (NGFW) for small- and medium-sized businesses (SMBs), Network Security Virtual (NSv series) firewalls designed to secure the cloud, and Network Security services platform (NSsp) high-end firewalls.
Exploitable remotely without authentication
Unauthenticated attackers can exploit the flaw remotely, via HTTP requests, in low complexity attacks that don’t require user interaction “to cause Denial of Service (DoS) or potentially results in code execution in the firewall.”
The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept (PoC) exploits, and it found no evidence of exploitation in attacks.
The company has released patches for all impacted SonicOS versions and firewalls and urged customers to update all affected products.
“SonicWall strongly urges organizations using impacted SonicWall firewalls listed below to follow the provided guidance,” the company said in a security advisory published on Friday.
NSv 10, NSv 25, NSv 50, Nsv 100, NSv 200, Nsv, 300, NSv 400, NSv 800, NSv 1600
6.5.4.4-44v-21-1452 and earlier
6.5.4.4-44v-21-1519 and higher
NSsp 15700 firewall gets hotfix, full patch in April
The only affected firewall still waiting for a patch against CVE-2022-22274 is the NSsp 15700 enterprise-class high-speed firewall.
While a hotfix is already available for those reaching out to the support team, SonicWall estimates that a full patch to block potential attacks targeting this firewall will be released in roughly two weeks.
“For NSsp 15700, continue with the temporary mitigation to avoid exploitation or reach out to the SonicWall support team who can provide you with a hotfix firmware (7.0.1-5030-HF-R844),” the company explained.
“SonicWall expects an official firmware version with necessary patches for NSsp15700 to be available in mid-April 2022.”
Temporary workaround available
SonicWall also provides a temporary workaround to remove the exploitation vector on systems that cannot be immediately patched.
As the security vendor explained, admins are required to only allow access to the SonicOS management interface to trusted sources.
“Until the [..] patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources (and/or disable management access from untrusted internet sources) by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management),” SonicWall added.
The updated access rules will ensure that the impacted devices “only allow management access from trusted source IP addresses.”
British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks.
It enables remote attackers to bypass authentication via the firewall’s User Portal or Webadmin interface and execute arbitrary code.
The vulnerability was discovered and reported by an anonymous researcher who found that it impacts Sophos Firewall v18.5 MR3 (18.5.3) and older.
“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region,” the company said in an update to the original security advisory.
“We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”
Hotfixes and workarounds
To address the critical bug, Sophos released hotfixes that should be automatically deployed to all vulnerable devices since the ‘Allow automatic installation of hotfixes’ feature is enabled by default.
However, hotfixes released for end-of-life versions of Sophos Firewall must manually upgrade to patch the security hole and defend against the ongoing attacks.
For these customers and those who have disabled automatic updates, there’s also a workaround requiring them to secure the User Portal and Webadmin interfaces by restricting external access.
“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” Sophos added.
“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”
After toggling on automatic hotfix installation, Sophos Firewall will check for new hotfixes every thirty minutes and after restarts.
Patching your Sophos Firewall instances is critically important especially since they have been previously exploited in the wild, with threat actors abusing an XG Firewall SQL injection zero-day starting with early 2020.
Asnarök trojan malware was also used to exploit the same zero-day to try and steal firewall credentials from vulnerable XG Firewall instances.
Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its business firewall and VPN products that could enable an attacker to take control of the devices.
“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions,” the company said in an advisory published this week. “The flaw could allow an attacker to bypass the authentication and obtain administrative access to the device.”
The flaw has been assigned the identifier CVE-2022-0342 and is rated 9.8 out of 10 for severity. Credited with reporting the bug are Alessandro Sgreccia from Tecnical Service Srl and Roberto Garcia H and Victor Garcia R from Innotec Security.
The following Zyxel products are impacted –
USG/ZyWALL running firmware versions ZLD V4.20 through ZLD V4.70 (fixed in ZLD V4.71)
USG FLEX running firmware versions ZLD V4.50 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
ATP running firmware versions ZLD V4.32 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
VPN running firmware versions ZLD V4.30 through ZLD V5.20 (fixed in ZLD V5.21)
NSG running firmware versions V1.20 through V1.33 Patch 4 (Hotfix V1.33p4_WK11 available now, with standard patch V1.33 Patch 5 expected in May 2022)
While there is no evidence that the vulnerability has been exploited in the wild, it’s recommended that users install the firmware updates to prevent any potential threats.
CISA warns about actively exploited Sophos and Trend Micro flaws
The disclosure comes as both Sophos and SonicWall released patches this week to their firewall appliances to resolve critical flaws (CVE-2022-1040 and CVE-2022-22274) that could allow a remote attacker to execute arbitrary code on affected systems.
The critical Sophos firewall vulnerability, which has been observed exploited in active attacks against select organizations in South Asia, has since been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog.
Also added to the list is a high-severity arbitrary file upload vulnerability in Trend Micro’s Apex Central product that could allow an unauthenticated remote attacker to upload an arbitrary file, resulting in code execution (CVE-2022-26871, CVSS score: 8.6).
“Trend Micro has observed an active attempt of exploitation against this vulnerability in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already,” the company said. “All customers are strongly encouraged to update to the latest version as soon as possible.”
Number of breaches in the last 12 months
Board members who recommend increases in IT and cybersecurity headcount
What roles are organizations looking for?
Organizations would pay for an employee to get a cybersecurity certification
Hiring from these populations is a top three challenge for organizations
Employees lack knowledge when it comes to cybersecurity awareness