Internet-facing relays in IBM BigFix deployments could lead to information disclosure and potential full remote compromise if not properly configured, Atredis Partners security researchers have discovered.
Tracked as CVE-2019-4061 and affecting BigFix Platform versions 9.5 - 9.5.11 and 9.2 - 9.2.16, the vulnerability is found in all deployments where relays that are exposed to the Internet are not configured as authenticating.
This misconfiguration could allow an unauthenticated, remote attacker to query the relay and gather information about the updates deployed to the associated sites.
“Internet-facing relays, if any, in a BigFix deployment might be configured as non-authenticating, which exposes the deployment to security risks,” IBM notes in an advisory.
“Security attacks in this context might mean unauthorized access to the relays and any content or actions, and download packages associated with them or to the Relay Diagnostics page that might contain sensitive information (for example: software, vulnerability information, and passwords),” IBM continues.
According to Atredis Partners’ security researchers, BigFix deployments with external relays that lack authentication expose a very large amount of information to unauthenticated external attackers, and could even lead to full remote compromise.
Some of the data an attacker could access includes server IP, server name, port numbers, digital signatures, and license information (details found in the masthead BigFix uses to publish info on installations), an index of configured sites, and a list of package names and versions.
The researchers also note that the BigFix data is still accessible to an attacker with access to the internal network or to an externally connected system with an authenticated agent, even if relay authentication is enabled.
“The best path to preventing a compromise through BigFix is to not include any sensitive content in uploaded packages,” the researchers note.
An Internet-wide survey Atredis Partners conducted revealed the existence of 1,458 BigFix relay servers with relay authentication disabled. The researchers say they were able to query the masthead and obtain information on each of the discovered relays.
“This list included numerous government organizations, large multinational corporations, health care providers, universities, insurers, major retailers, and financial service providers, along with a healthy number of technology firms,” the researchers reveal.
After being informed on the vulnerability, the BigFix team updated the documentation and took steps to notify affected customers, a process completed as of March 18, Atredis Partners says.
IBM recommends addressing the vulnerability by configuring Internet-facing relays in BigFix deployment as “authenticating”. This would allow only BigFix clients in one’s environment to connect to the relay and would also ensure that all communication will take place through TLS (HTTPS).
“This configuration also prevents any unauthorized access to the Relay Diagnostics page,” IBM notes.
To enable the relays for authentication, one should head to the BES Support website and find the BES Client Settings: Enable Relay authentication fixlet. Next, they simply need to run the fixlet and wait for the action to finish.Infosec Island
Over its five-year lifetime, the Android Application Security Improvement Program helped over 300,000 developers to fix more than 1,000,000 apps on Google Play, Google says.
The program was launched to help the Android ecosystem thrive by helping developers improve the security of their applications and eliminate vulnerabilities from them.
Through this initiative, Google scans all applications submitted to the official storefront to determine if a variety of vulnerabilities are present. Should any issues emerge, the Internet giant then alerts the developer and helps them address the issues.
This allowed the Internet giant to fix over 1,000,000 apps since the Application Security Improvement Program’s launch. Last year, the program helped over 30,000 developers fix over 75,000 apps, the company says.
“The downstream effect means that those 75,000 vulnerable apps are not distributed to users with the same security issues present, which we consider a win,” Patrick Mutchler and Meghan Kelly, Android Security & Privacy Team, note in a blog post.
The program covers a large variety of problems in Android applications, including vulnerabilities in certain versions of popular libraries, and other issues with broader impact.
The Internet search giant says it also focuses on improving existing checks and expanding them to cover more classes of security vulnerabilities, to ensure the program evolves to cover emerging exploits.
“Think of it like a routine physical. If there are no problems, the app runs through our normal tests and continues on the process to being published in the Play Store. If there is a problem, however, we provide a diagnosis and next steps to get back to healthy form,” Mutchler and Kelly note.Infosec Island
Healthcare has traditionally had a weaker security profile than most other industries. On the one hand, it is a favorite target for ransomware attacks, and for hackers looking to steal confidential patient records that have a high resale value on the black market. On the other, healthcare experiences more insider attacks than any other industry.
Recent research reveals that healthcare companies face their biggest threats from malicious insiders that abuse their access privileges to view or exfiltrate personally identifiable information (PII) and protected health information (PHI) data. Verizon’s 2018 Protected Health Information Data Breach Report noted that 58 percent of data breaches in healthcare stem from employees or contractors.
Clearly, payers and providers are severely challenged to prevent both insider and outsider attacks on patient and corporate data.
To limit these threats, progressive organizations are using real-time analytics and risk-scoring to automate security controls. This approach monitors the behavior of users and devices, and applies analytics to risk-score them. When anomalies from normal patterns are detected, the risk score increases.
The Insider Threat Landscape Insider threats pose the biggest challenges to healthcare organizations because they can happen without triggering any security alarms.
A trusted employee can steal confidential patient and corporate information, or tamper with it, and even sabotage systems. While many insider attacks are carried out by disgruntled employees, some can be unintended or simply human error. For example, an employee might mistakenly send confidential information to another employee or to an outsider, or give network access to someone who should not have it.
In some cases, outsiders use social engineering to trick employees into giving up their account credentials. Such ploys include a spoofed email, phishing scheme or a “call from IT” seeking a person’s ID and password.
Top Insider Violations Some of the most common insider threat incidents in healthcare include:
- Snooping on the medical records of friends, family, neighbors, and celebrities
- Sending sensitive data to personal accounts, competitors, or bad actors
- Printing, downloading and exporting patient records and reports
Most of these activities can be partially addressed by monitoring activity logs from Electronic Medical Records (EMR) Systems such as Allscripts, Cerner, and Epic and from security tools including firewalls, VPNs, etc. However, manual monitoring is incapable of identifying and remediating threats in real-time. This is where data analytics come into play.
Security analytics powered by machine learning enables healthcare organizations to analyze large volumes of data in real time and to predict anomalous behaviors. Machine learning uses historical data to create behavior baselines for users, devices, and other entities.
These baselines, which are used to identify deviations from normal patterns, are self-adjusting and change as the user and entity behaviors change. Such capabilities can be used not just to monitor behaviors, but to assign risk scores to individual users and devices — resulting in highly accurate information that singles out potentially risky activity in real time.
Analytics and risk scoring facilitate the automation and orchestration of security decisions. Sometimes called model-driven security, this approach can respond to threats with the speed and accuracy of a machine by enforcing new controls when activity exceeds pre-determined risk thresholds.
Real-time Detection and Prevention of Insider Threats As a real-time security control, model-driven security collects all enterprise intelligence data that can be correlated back to a single user identity such as proxy logs, entitlements, actions taken using those entitlements, and basically anything they can bring back into a data warehouse. Then, behavioral models are applied to the data to develop a risk score for users within the company.
Risk scores are like credit scores. The same way a credit score goes up and down depending on money owed and payment history, a user’s risk score goes fluctuates depending on the actions taken while using their access permissions. The risk score is adjusted dynamically, based on a user’s behavior.
In this way, an insider’s risk score can serve as a dynamic security control. If the score is high, the organization can block the user’s account. Or, if it’s medium-risk, the user can be prompted to call in to the help desk to verify his or her identity. This has been historically impossible to do without the ability to risk score users dynamically. When a user’s risk score increases in a short amount of time, or exceeds a threshold, the organization can send out an alert, lock an IP address, restrict all traffic via DLP, open a security incident, etc.
Risk-scoring using analytics enables healthcare organizations to predict, detect and prevent insider threats, in ways that are impossible using static rules. It reduces much of the friction imposed by conventional security mechanisms, while providing continuous risk monitoring and real-time intervention when and where warranted.
About the author: Nilesh Dherange is CTO of security and fraud analytics vendor Gurucul, and an expert on identity, data science and machine learning. Nilesh was an integral member of identity technology vendor Vaau, which was acquired by Sun Microsystems. He also co-founded BON Marketing Group and created BON Ticker — a predictive analytics tool for online advertising.Copyright 2010 Respective Author at Infosec Island
A recently discovered threat actor was observed targeting a Middle Eastern government agency on several occasions over the course of last year, Palo Alto Networks security researchers reveal.
Referred to as WINDSHIFT, the surveillance-focused threat actor is believed to have remained unnoticed for a long time, and to have hacked other actors to re-use their malware, which helped it stay unnoticed.
In a report from last year (PDF), Dark Matter said WINDSHIFT was observed launching sophisticated and unpredictable spear-phishing attacks against specific individuals and rarely targeting corporate environments.
The group’s Tactics, Techniques and Procedures (TTPs) were said to resemble those of Bahamut, a threat actor security researchers also linked to Urpage last year.
Following a long recon period, which could take several years, the group would attempt to steal the victim’s credentials by sending fake emails prompting the victim to reset their password for Gmail , Apple iCloud, Etisalat (main ISP in UAE), or professional emails.
Should the credential harvesting fail, the actor then attempts to infect the victim with malware, also via email. The actor would then attempt to erase all traces of the attacks by shifting to a new infrastructure, gaining access to new malware, and shutting down malicious domains.
The cyber-espionage group is known to be using macOS-targeting malware, namely WINDTAIL backdoor for file exfiltration, WINDTAPE backdoor for taking screenshots, and WINDTAIL downloader for WINDTAPE. The group is also believed to be using WINDDROP, a Windows-targeting downloader.
Now, Palo Alto Networks saysit has observed WINDSHIFTattacks unfolded at a Middle Eastern government agency between January and May of 2018.
In early January 2018, an initial attack featuring a WINDTAIL sample was observed originating from the remote IP address 109.235.51[.]110 to a single internal IP address within the government agency.
The IP was associated with the domain flux2key[.]com, and the malware’s command and control (C&C) server IP address 109.235.51[.]153 was associated with the domain string2me[.]com, both known WINDSHIFT domains.
Palo Alto Networks says that several other WINDTAIL samples originating from 109.235.51[.]110 were observed being directed at the same internal IP address from January through May 2018.
All related WINDTAIL samples were Mac OSX app bundles in zip archives. One of them had C&C server IP address 185.25.50[.]189, which was associated with the domain domforworld[.]com at the time of activity.
Palo Alto Networks says it “assesses with high confidence that both the IP address 25.50[.]189 and the domain domforworld[.]com is associated with WINDSHIFT activity. Additionally, the IP addresses 109.235.51[.]110 and 109.235.51[.]153, corresponding to the previously validated WINDSHIFT domains flux2key[.]com and string2me[.]com, respectively, were also observed in use during this campaign.”
One of the attacker-owned IP addresses (109.235.50[.]191) was previously associated with Operation Hangover (which was analyzed several years ago), strengthening the previously identified relation between Operation Hangover and WINDSHIFT activity.
Palo Alto Networks also believes the attackers were unable to establish persistence within the targeted environment, given the multiple inbound WINDTAIL samples directed at the same internal IP address.Infosec Island