Archive for February 6, 2024

Guest Post: Horizon3.ai Lists 2023’s Most Exploited Vulnerabilities

Posted in Commentary with tags on February 6, 2024 by itnerd

In Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities, new research from Horizon3.ai, Chief Attack Engineer Zach Hanley analyzes all critical vulnerabilities from the CISA KEV catalog from January 2023 through January 2024, categorizing vulnerability root causes to see whether current efforts in the information security industry match the threat vectors actually being abused.

He says: “Memory safety issues have plagued the software industry for decades. The Cybersecurity & Infrastructure Security Agency (CISA) has been leading a charge for secure-by-design and encouraging developers and vendors to utilize memory safe languages like Rust to eradicate this vulnerability class.  

“Google Chromium, the engine used by the majority of browsers around the world, reports that approximately 70% of their high severity issues are memory safety issues. Microsoft reports the same percent of issues affecting its Windows OS are also memory safety. But, what vulnerabilities are being exploited by threat actors today? CISA maintains and publishes its Known Exploited Vulnerability (KEV) catalog of all vulnerabilities that they have insight into having been exploited by threat actors.

We have analyzed all critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors actually being abused.”

Key findings:

  1. Insecure Exposed Functions Lead the CISA KEV: Nearly half of the vulnerabilities are enabled by insecure exposed functions. Vulnerabilities fall into this category when a) it is not apparent that the developer made any effort to prevent an unauthenticated user from reaching dangerous code, or b) as is often the case, the exposed dangerous code allows authorization bypass or remote code execution via insecure usage of command execution libraries, unrestricted deserialization, or file operations. (more online)
  2. Rust Won’t Save Us, But It Will Help: Memory safety issues were the second leading cause of vulnerabilities in the data set (tied with finding 3), coming in at 20%. Interestingly, 75% of the analyzed memory safety vulnerabilities were exploited as 0-days by threat actors. The remaining 25% were discovered by security researchers and retroactively found to have been exploited as 0-days. When vulnerabilities are exploited as 0-days they typically have a much more widespread effect on the world, given that patches often lag by weeks once they are discovered.
  3. Web Routing and Path Abuse Tied for Second: Nearly 20% of the vulnerabilities in Figure 1 are the result of routing and path abuse in web applications. These vulnerabilities typically manifest in the “glue” between web frameworks when a developer attempts to route application traffic from one service to another. Vulnerabilities fall into this category when the developer has made an apparent effort to prevent an unauthenticated user from reaching dangerous code – developer mistakes include reverse proxy regex issues, framework filter issues, path normalization issues, and internal application path inspection issues. Once this code is reached, developers have abandoned defense-in-depth and secure coding practices, which allows abuse of insecure functions.
  4. Threat Actors Love Exploiting Appliances: This isn’t a new trend, but it’s clear from the analysis that appliances are the target of choice, accounting for 49% of the data set.

Hanley notes: “The lion’s share of vulnerabilities exploited in the last year are trivial to exploit. While memory safe languages like Rust may help eliminate some portion of breaches, there is much work to do to address the risk that comes with building complex software systems. We’re already seeing similar trends in 2024 with the recently exploited Ivanti Connect Secure vulnerabilities back-to-back…” (continues online).

Hanley recommends:

  1. Vendors
    1. Develop the depth of knowledge of your engineers in the frameworks they use
    2. Harden, standardize, and audit the use of those frameworks across products
    3. Enable and expose verbose logging for your products
  2. Developers
    1. Assume all code you write is reachable from an unauthenticated context
    2. Practice defense-in-depth programming and don’t make it easy for an attacker to shell out
  3. Defenders
    1. Reduce any attack surface exposed to the internet if it’s not needed there
    2. Proactively enable logging, and remote logging if possible, for all products that touch the internet
  4. Researchers
    1. Look for bugs in the places frameworks come together
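The “routing and path abuse” finding and the recommendations to assume every function is reachable from an unauthenticated context and to practice defense in depth describe one mismatch: an authorization filter that inspects the request path in one form while the framework dispatches on another. The Python below is an added illustration, not code from the Horizon3.ai report or from any product it analyzes; the router, the two filters, the handler, the `canonical_path` helper and the sample request paths are all constructed for this example. It shows the same unauthenticated requests under a filter that checks the raw path, under a filter that checks the canonical path, and under a handler that re-checks authorization itself instead of trusting the filter.

```python
import posixpath
from urllib.parse import unquote


def canonical_path(raw_path: str) -> str:
    """Hypothetical stand-in for the normalization a downstream framework
    applies before dispatching: percent-decode, collapse '.'/'..' segments,
    and force exactly one leading slash."""
    decoded = unquote(raw_path)
    collapsed = posixpath.normpath(decoded)
    return "/" + collapsed.lstrip("/")


def is_admin_path(path: str) -> bool:
    """True for the dangerous route itself or anything below it."""
    return path == "/admin" or path.startswith("/admin/")


def naive_filter(raw_path: str) -> bool:
    """The 'glue' mistake: the auth filter inspects the raw request path,
    while dispatch happens on the normalized path, so the two disagree."""
    return raw_path.startswith("/admin")


def hardened_filter(raw_path: str) -> bool:
    """Filter and dispatcher look at the same canonical path."""
    return is_admin_path(canonical_path(raw_path))


def admin_handler(authenticated: bool, recheck: bool) -> int:
    """The dangerous code. With recheck=True it re-validates instead of
    assuming the filter ran (defense in depth); with recheck=False it
    trusts whatever reached it."""
    if recheck and not authenticated:
        return 403
    return 200  # the privileged action would execute here


def route(raw_path: str, authenticated: bool, protected, recheck: bool) -> int:
    """Minimal router: run the filter, then dispatch on the canonical path
    the way a framework does. Returns an HTTP-style status code."""
    if protected(raw_path) and not authenticated:
        return 401
    if is_admin_path(canonical_path(raw_path)):
        return admin_handler(authenticated, recheck)
    return 200


# Constructed request paths; every one of them normalizes to /admin.
SAMPLE_PATHS = ["/admin", "/./admin", "/public/../admin", "/%61dmin", "//admin"]


def unauthenticated_outcomes(protected, recheck: bool) -> dict:
    """Status code an unauthenticated request gets for each sample path
    under a given filter and handler policy."""
    return {p: route(p, False, protected, recheck) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    print("naive filter, trusting handler:   ", unauthenticated_outcomes(naive_filter, False))
    print("hardened filter:                  ", unauthenticated_outcomes(hardened_filter, False))
    print("naive filter, re-checking handler:", unauthenticated_outcomes(naive_filter, True))
```

With the naive filter only the literal `/admin` is turned away; the other four spellings reach the handler and, if it trusts the filter, succeed. Normalizing before the check closes that gap, and a handler that re-checks keeps a filter mistake from becoming an authorization bypass even when the glue layer is wrong. A useful detection signal follows from the same mismatch: log the raw request path alongside the path the framework dispatched on, and alert when a protected route was dispatched for a request whose raw path the filter did not classify as protected.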

Bluesky No Longer Requires Invites

Posted in Commentary with tags on February 6, 2024 by itnerd

A few weeks ago, you might have seen a post from me that mentioned that I had signed up for fledgling social network Bluesky via an invite code provided by a friend. So far I haven’t done anything with that account, which by the way is @theitnerd.bsky.social if you want to give me a follow. But I plan on it when I figure out how to cross post to Bluesky. Having said that, if you want to give Bluesky a shot, now you can without an invite code according to this blog post:

Bluesky is building an open social network where anyone can contribute, while still providing an easy-to-use experience for users. For the past year, we used invite codes to help us manage growth while we built features like moderation tooling, custom feeds, and more. Now, we’re ready for anyone to join.

It will be interesting to see what happens and what sort of traction this gives the social network. If it does gain traction at a rapid rate, it may get the attention of Elon Musk and cause him to do something irrational and ill advised in retaliation.

I’ll go get the popcorn ready.

Cisco Unveils New Innovations on the Cisco Observability Platform

Posted in Commentary with tags on February 6, 2024 by itnerd

Cisco today announced a series of exciting new solutions – enriched by business context – on the Cisco Observability Platform. With applications acting as the front door for nearly every business – and delivering a flawless application experience a top priority for IT teams – the latest enhancements will help customers deliver secure and performant user and application experience.

Digital Experience Monitoring (DEM) for greater visibility and insight into user behavior

With application experience expectations at an all-time high, technologists can now leverage new Digital Experience Monitoring (DEM) capabilities for both hybrid and cloud environments. The new DEM application includes Real User Monitoring (RUM) and Session Replay modules for deep insights into browser and mobile applications performance and efficient resolution of session-level issues. In addition, integrations with Cisco ThousandEyes and Cisco Accedian empower applications and network teams with the insights into service delivery required to identify whether the root cause of impacted digital experience is the application, network or cloud infrastructure.

Observability for Kubernetes workloads, powered by extended Berkeley Packet Filters (eBPF) technology

Cisco offers observability for Kubernetes workloads on the Cisco Observability Platform, using the powerful, lightweight Linux kernel utility, extended Berkeley Packet Filters (eBPF). Operating at the kernel level allows operators access to granular visibility into network activity, resource utilization, application dependencies and misconfigurations impacting network performance, without the need for multiple tools, cross-team collaboration and manual dependency mapping.

Unified Observability Experience for increased application insights

Cisco is delivering a unified experience across its observability portfolio, with new capabilities across Cisco AppDynamics and the Cisco Observability Platform. Using a single account and shared context, the unified observability experience arms operators with capabilities including Log Analytics, to search with context and improved log storage; and Core Web Vitals, providing front-end application owners the golden signals to keep their web pages from being de-ranked for poor user experience.

Natural Language Interface, powered by Generative AI

As part of Cisco’s continued expansion in innovations powered by Generative AI, the Cisco Observability Platform now offers a natural language interface for troubleshooting. Operators can use conversational dialogues instead of a structured query language to perform common tasks during troubleshooting, thereby increasing productivity.

In addition, Cisco is announcing:

Cisco AIOps for Cisco Full-Stack Observability for actionable insights that improve IT operations

The new Cisco AIOps application simplifies real-time business health monitoring and significantly reduces noise from events and alerts to automate IT processes and keep operations teams productive and responsive. The application unifies data from Cisco AppDynamics, Cisco ThousandEyes, Cisco DNA Center, VMware, Zabbix and ServiceNow (ITSM, ITOM and CMDB). It is uniquely positioned having been built on the Cisco Observability Platform, which supports logs in addition to alerts, events and metrics. It also provides dynamic threshold-based alerting on metrics and events and multiple anomaly-detection approaches.

Data Security Posture Management (DSPM) Observability

The introduction of Data Security Posture Management (DSPM) Observability to Cisco’s Business Risk Observability solution delivers real-time and automated data discovery, classification, policy definition and compliance visibility for sensitive data, in addition to visualizing and prioritizing attack surface.

New Partner Modules

Continuing the momentum of creating an observability ecosystem with its global partners across categories including AIOps, MLOps, networking, infrastructure observability and business insights, Cisco unveiled a series of new partner modules on the Cisco Observability Platform:

  • Aporia – Machine Learning Monitoring.
  • CloudFabrix – Asset Intelligence, Operational Intelligence and Infrastructure Observability.
  • Komodor – Kubernetes Change Management.
  • Perform IT – AS400 Monitoring and I4Cube business performance.
  • SoftServe – Operational Intelligence for Oilfields.

About the Cisco Observability Platform:

The Cisco Observability Platform brings data together from multiple domains at scale – including networking, security, applications, end user, cloud services and multi-cloud infrastructure and business – to break down silos by leveraging ML and AI capabilities to contextualize and correlate real-time telemetry across these domains, so organizations can better attain the visibility, insights and actions to improve digital experiences for customers and end-users.

Valimail Highlights Successes In 2023

Posted in Commentary with tags on February 6, 2024 by itnerd

Valimail, the leading DMARC vendor and provider of automated email authentication and anti-phishing solutions, today announced the close of a highly successful fiscal year ending January 31, 2024. The past year was highlighted by being first to market in meeting the new email requirements from Google and Yahoo with Valimail Align, significant partnerships including Microsoft, and a notable client base growth rate of 40 percent.

2024 Fiscal Year Achievements Included: 

Product Innovation: 

  • Launched Valimail Align – Align is the first-to-market solution that simplifies the process for companies of all sizes to meet the new sender authentication standards set by Google and Yahoo, facilitating a swift path towards overall DMARC compliance.
  • Continued to Evolve its DNS Infrastructure – Valimail solidified its position as the leader in DMARC-as-a-service with significant updates to its DNS infrastructure, furthering its commitment to delivering innovative, market-leading technology its customers need. 
  • Added 5 new U.S. patents, including 3 new DMARC patents. 

Market Momentum: 

Over the last fiscal year, Valimail has seen tremendous growth and adoption of its DMARC-as-a-service platform. After passing 30,000 customers in June 2023, Valimail now has more than 38,000 customer accounts, including organizations of all types and sizes, from higher education to global consumer brands. While growing at an exceptional rate, the company has also maintained a world-class Net Promoter Score (NPS), with Enforce customers reflecting their satisfaction with the product by scoring Valimail at 83, and across all products, Valimail was scored at 72. The high NPS scores are a reflection of the company’s patented Precision Sending Services and world-class support.

Strategic Partnerships: 

Company Growth and Recognition: 

C-Suite Receives 42x More QR Code Attacks Than Average Employee: Abnormal Security

Posted in Commentary with tags on February 6, 2024 by itnerd

 Abnormal Security, the leading AI-native cloud email security platform, today released its H1 2024 Email Threat Report, revealing how QR code attacks, or “quishing” attacks, have emerged as a popular tactic among cybercriminals, with no signs of slowing down. 

Although phishing emails have grown in sophistication over time, the end goal has stayed the same: trick targets into divulging sensitive information. QR code attacks are the latest evolution of traditional phishing, where threat actors use social engineering to manipulate targets into interacting with malicious QR codes. In doing so, they may unknowingly provide details that enable the attacker to compromise accounts and launch further attacks.

Targeted QR Code Attacks On the Rise

Examining data collected during the second half of 2023, Abnormal identified attackers’ preferred quishing targets. While every employee is at risk, C-Suite executives were 42 times more likely to receive QR code attacks than the average employee. 

Cybercriminals also seem to have a favorite industry to target, with the construction and engineering industry experiencing quishing attacks at a rate 19 times higher than any other vertical. Further, small organizations with 500 or fewer mailboxes also experience these attacks at a rate 19 times higher than any other size company. 

In the research report, Abnormal also identified key themes that cybercriminals are using to execute QR code phishing attacks. The most popular are related to multi-factor authentication and access to shared documents—approaches that accounted for 27% and 21% of all QR code attacks respectively. In each of these instances, threat actors attempt to compel recipients to scan a QR code within a fraudulent email, which is linked to a seemingly legitimate website that then prompts the victim to enter login credentials or other sensitive details. The perpetrator can then use the credentials provided to compromise the target’s account and steal data, launch additional attacks, or move laterally to connected applications.

BEC and VEC Attacks Continue to Grow

The report also revealed that business email compromise (BEC) and vendor email compromise (VEC) attacks have grown substantially, with BEC doubling in frequency and VEC jumping 50% year-over-year. Additional findings from the Abnormal team include:

  • BEC attacks increased by 108% from 2022 to 2023. The rate of these attacks peaked in October with a monthly average of 14.57 attacks per 1,000 mailboxes.
  • Larger organizations have the highest probability of BEC attacks. Organizations with more than 50,000 employees have a nearly 100% chance of experiencing at least one BEC attack every week. However, organizations of all sizes are at risk—even organizations with fewer than 1,000 employees have a 70% probability of receiving at least one BEC attack per week.
  • The construction and retail industries are most targeted by VEC. Seventy-six percent of organizations in the construction and engineering industry received at least one VEC attack in the second half of 2023, while 66% of retailers and consumer goods manufacturers were targeted during that same period.
  • The percentage of organizations targeted by VEC each month in 2023 never dropped below 32%, indicating that threat actors are continuing to see success impersonating third parties in advanced attacks.

You can download the full H1 2024 Email Threat Report, “Phishing Frenzy: C-Suite Receives 42x More QR Code Attacks Than Average Employee”, here.

You can learn more about how Abnormal Security stops QR code attacks here.

DH2i Announces General Availability of Revolutionary DxOperator for Streamlined SQL Server Container Deployment on Kubernetes

Posted in Commentary with tags on February 6, 2024 by itnerd

 DH2i today announced the general availability (GA) launch of DxOperator, a major advancement for Kubernetes and SQL Server integration. DxOperator is engineered to meet the growing demands of businesses seeking efficient, scalable, and highly available (HA) database environments. It is the ideal choice for customers looking to streamline their SQL Server container deployments on Kubernetes, with unparalleled ease of use, robustness, and automation capabilities.

DxOperator was meticulously developed from the ground up by DH2i in collaboration with the Microsoft SQL Server team. It is designed to automate the deployment of DxEnterprise clusters and streamline the orchestration of Microsoft SQL Server availability group (AG) workloads within Kubernetes environments. DxOperator provides extensive control to users over their SQL instances and availability groups, encompassing a wide range of functionalities. It adeptly translates user-defined directives into precise, low-level actions, ensuring deployments are not only efficient but also adhere to the best practices embedded within its logic. With features like custom pod naming, node selection and affinity, SQL AG customization, and load balancing, DxOperator is more than just a tool; it’s a gateway to deploying highly available, resilient, and scalable SQL Server containers with an unprecedented level of ease and precision. Its ability to handle complex configurations, like custom annotations, specific container specifications, and quality of service parameters, further accentuates its role as a crucial enabler for robust, production-grade SQL Server deployments in Kubernetes.

Key Features of DxOperator:

  • Efficient Deployment: Enables the rapid deployment of SQL Server instances on Kubernetes clusters with precise MSSQL-config parameters.
  • High Availability (HA): Automates the configuration of DxEnterprise clusters and the seamless integration of SQL Server instances into Always On Availability Groups (AGs).
  • Simplified Management: Reduces the complexity of managing SQL Server environments on Kubernetes, offering a user-friendly approach with minimal commands.

Key Benefits for Users:

  • Enhanced Productivity: DxOperator’s streamlined processes allow IT teams to focus on more strategic tasks, leaving the intricacies of deployment and management to the operator.
  • Scalability: Catering to the dynamic needs of businesses, DxOperator makes scaling SQL Server environments on Kubernetes a straightforward process.
  • Cost-Efficiency: The automation and efficiency provided by DxOperator significantly reduce the total cost of ownership for SQL Server deployments.

Getting Started with DxOperator: For more information on DH2i’s DxOperator and to begin leveraging its capabilities, interested customers can visit https://dh2i.com/dxoperator-preview/. Here, they can access a wealth of resources, including a comprehensive quick-start guide and details on obtaining a DxEnterprise developer license.