nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Energy

OWASP Top 10 2021 Update

The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of web application software. OWASP uses a community input model which welcomes input and contribution from the public. The Top 10 is a guidance document that ranks, what the community believes, are the top 10 most critical security risks that web applications face. Each risk is ranked in order of frequency discovered, severity of vulnerabilities, and potential impact.

OWASP recently released an update to its top 10 web application security threats for 2021. The last update to the list was in 2017, so this is something that was long overdue. With the ever-changing landscape in web application security, for 2021 OWASP has introduced 3 new categories, changed the names of categories, and consolidated a few items. OWASP Stated this is to, “focus on the root cause over the symptom.” Below is a summary of the changes.

The 3 new categories are:

  1. A04:2021- Insecure Design
  2. A08:2021- Software & Data Integrity Failures
  3. A10:2021- Server-Side Request Forgery (SSRF)

To update the Top 10, OWASP utilized data from researchers for 8 of the top 10 categories, and similar to 2017, included 2 from their community survey.  Often, the data is a lagging indicator for the threats the community on the front lines sees as the top threats. These are threats that may never be reflected in the data. Certain threats will take time to fine tune a testing methodology and then more time to create a way to test against those threats in an automated fashion.

There are data factors that are listed for each of the Top 10 Categories, here is what they mean:

  • CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.
  • Incidence Rate: Incidence rate is the percentage of applications vulnerable to that CWE from the population tested by that organization for that year.
  • Weighted Exploit: The Exploit sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
  • Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
  • (Testing) Coverage: The percentage of applications tested by all organizations for a given CWE.
  • Total Occurrences: Total number of applications found to have the CWEs mapped to a category.
  • Total CVEs: Total number of CVEs in the NVD DB that were mapped to the CWEs mapped to a category.

If you need to assess one of your web applications against the new OWASP Top 10, nGuard’s web application penetration testing is driven by the OWASP Top 10 and all findings are issued with a correlation to the application item within the top 10. Identify your weak points using the industry standard for web application assessments today!

Microsoft Azure Mitigates Impressive DDoS Attack

Microsoft is reporting that nearly 70,000 sources spread across the globe are responsible for one of the largest cyber-attacks in history. A Distributed Denial-of-Service (DDoS) attack is a cyber-attack in which the adversary attempts to make a machine or network resource unavailable to its intended users by flooding the target machine with requests in an attempt to overload the system. A report by Link11 suggests that DDoS attacks are on the rise, as we have seen a 33 percent increase during the first half of 2021.

Microsoft reports that the attack, while lasting only around 10 minutes, was one of the most significant they have ever seen. Bursts of traffic that peaked out at 2.4 Tbps were utilized in attempt to cripple servers and prevent legitimate traffic from reaching its target. While DDoS attacks on their own can be devastating for organizations with internet facing services, many times they are used as a distraction for an even more sophisticated attack. An attacker with persistent access to an internal network may use an external DDoS attack to distract IT staff while ransomware is deployed across the internal network.

The Azure security team was able to confirm that all services remained online during the attack due to security controls that mitigate the effect of large-scale DDoS attacks. How would your organization’s internet facing infrastructure hold up against an attack like this? Here are some mitigating steps:

  1. Reduce Attack Surface – Limiting the internet facing attack landscape is the best way to reduce the risk of DDoS attacks.
  2. Scaling – Scaling your infrastructure to absorb a large-scale DDoS attack can be a great way to mitigate risk. Utilizing Content Distribution Networks (CDNs) or Load Balancers to spread traffic out across multiple servers can limit the effect overwhelming amounts of traffic can have on a single server.
  3. Know What is Normal – Having a general idea of what is a normal amount of traffic and what is not can assist you in configuring technologies to prevent against DDoS attacks. Configuring proper rate limiting and traffic analysis to block illegitimate traffic could save you a major headache.
  4. Deploy Sophisticated Controls – Web Application Firewalls (WAFs) are sophisticated tool sets that can detect and block these types of attacks. They can be configured to protect your application by blocking source IPs, whitelisting specific geo-locations, and stopping illegitimate requests in their tracks.
  5. Penetration Testing – Performing external and web application penetration tests can point you to vulnerabilities that would be at risk of a DDoS attack. Patching these holes on your external perimeter may save your organization from experiencing unproductive downtime.

Conti Ransomware CISA Alert & Attack Playbook

On September 22nd, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert regarding a spike in the use of Conti ransomware. Conti ransomware has been used in attacks more than 400 times against U.S based and international organizations. Back in May, the FBI also released a flash on Conti Ransomware and its impact on healthcare and first responder networks.
Conti ransomware is classified as a ransomware-as-a-service (RaaS) model with a small difference in how its threat actors are compensated. Rather than paying a percentage of the earning from a successful attack, they pay a wage to the individuals who deploy the ransomware. CISA advises Conti typically gains access to networks in the following ways:

  • Spear phishing containing malicious links or attachments. Once the link is clicked or the attachment is opened, malware is usually placed on the system to help gain persistent access with Command and Control (C2) operated by software like Cobalt Strike. nGuard published a security advisory on Cobalt Strike earlier this year.
  • Stolen or weak remote desktop protocol (RDP) credentials.
  • Phone calls.
  • Fake software promoted through search engine optimization (SEO).
  • Other malware distribution networks (ZLoader).
  • Common vulnerabilities in external assets.

Recently, a Conti ransomware playbook was leaked, giving insight on how the organization operates. Some of the main takeaways are how Conti gains access, and the IP addresses they use for their Cobalt Strike C2 servers. Conti has been taking advantage of the recent PrintNightmare vulnerability, Zerologon vulnerability, and the 2017 Windows SMB 1.0 vulnerabilities. A few IPs they are known to use for their C2 operations are:

  • 162.244.80.235
  • 85.93.88.165
  • 185.141.63.120
  • 82.118.21.1

It is recommended you block these IPs in your firewall to prevent any type of inbound or outbound connection and then be alerted if there is any connection attempts.

To reduce risk, CISA, FBI, and NSA and recommending the following mitigations:

  • Implement multi-factor authentication (MFA) to remotely access networks
  • Implement network segmentation and filter traffic. This will make it more difficult for ransomware to spread should it find its way into your network.
  • Scan for vulnerabilities and keep software updated.
  • Remove unnecessary applications and apply controls.
  • Implement endpoint detection and response tools.
  • Limit access to resources, especially RDP.
  • Secure user accounts.
  • If infected, use the Ransomware Response Checklist.

CIS Controls v8 (Part 3)

Summary
Last month, nGuard released a security advisory called CIS Controls v8 (Part 2) where we covered controls 7-12. This time, we are wrapping it up by covering the remaining 8 controls that are essential for a company who puts emphasis on a strong security posture. Read about these controls below and then take action within your organization to implement them.

Controls
Control 13: Network Monitoring and Defense
If an attacker gained access to your internal network, would you even know that it happened? It is essential that tools be in place to monitor network traffic for malicious activity and take action if necessary. Implementing an intrusion prevention system and log management system, then configuring it to meet the needs of your organization can halt simple attacks in their tracks.

Control 14: Security Awareness and Skills Training
Employees are the weakest link in the chain of organizational security landscape. Step 1 for any company looking to increase their security posture should be training employees to put a halt to social engineering attempts. At nGuard, we regularly conduct advanced social engineering campaigns for our customers — their employees fall for it every time. It is essential to establish and maintain a security awareness program for employees and conduct simulations if possible. Make security part of your company’s culture.

Control 15: Service Provider Management
We have been seeing a lot of disturbing headlines lately in which companies release data to third-parties and those vendors allow the data to become compromised. While the vendor may be responsible, perhaps the contracting organization didn’t conduct proper due diligence. Take service provider management seriously by having a developed process in place to evaluate whether or not this vendor is going to put security first while in possession of your sensitive data.

Control 16: Application Software Security
Any nGuard engineer will tell you that the easiest way to compromise a system is by exploiting critical, widely-known vulnerabilities due to outdated or unsupported software. Although these companies rely on a slew of software packages to conduct daily business operations, they fail to update them when security patches are released. nGuard recommends that you maintain a list of firmware and software that will need to be updated; sign up for mailing lists that will alert you when new patches are to be released; and configure automatic updates if possible. Do not let your software be outdated for an extended period of time!

Control 17: Incident Response Management
Many security professionals will tell you that it’s not a matter of “if,” but a matter of “when” a company will become compromised in some form or fashion. Is your organization prepared to recover from a ransomware attack? If not, maybe it’s time to think about this. Having a well-developed incident response plan in place can prevent a world a trouble. Develop policies, plans, procedures, define roles, conduct training, and develop communication plans to mitigate threats. Once these measures have been implemented, conduct table top exercises to test the plan you have put in place.

Control 18: Penetration Testing
This is nGuard’s favorite control. Penetration testing attempts to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. While vulnerability scans do a great job of pointing you to the low hanging fruit that attackers will take advantage of, penetration testing brings a real-world expert into your environment to chain together vulnerabilities and give you a better evaluation of potential risk. Start with external penetration testing to secure your public facing infrastructure and then move to internal penetration testing to make life harder for an attacker that gets in.

Next Steps
nGuard offers a wide variety of services that will help guide your organization on its path to implementing these critical security controls. Our Strategic Security Assessment allows your organization’s key players the opportunity to sit down with a security consultant who knows these controls like the back of their hand. Not only will they help you strengthen the controls that are already in place, they will make recommendations for the areas in which your organization falls short. Below are some other ways nGuard can help your business implement these controls:

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up to date. This week, nGuard is bringing you everything from the US State Department being attacked to Microsoft Power Apps leaking 38 million records.

US State Department Hit By Cyber-Attack

On August 21, Fox News journalist Jacqui Heinrich reported that the U.S. State Department suffered a cyber-attack. This led to the Department of Defense Cyber Command making notifications of a possible serious breach. A spokesperson for the State Department was quoted as saying, “The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.” The State Department will not likely release any details of the attack. This comes in the wake of recent attacks on Colonial Pipeline and JBS from Russia, and the Microsoft Exchange Server attacks originating from China.

AT&T Data Being Sold On The Dark Web

Last week it was T-Mobile, this week it’s AT&T. The hacker gang, ShinyHunters, is claiming they have the data of 70 million AT&T customers personal identifiable information (PII) which includes names, phone numbers, social security numbers, dates of birth, addresses, and more.  ShinyHunters are selling the data on RaidForums in small segments for $30,000 or the entire database for $1 million. AT&T has denied this information came from their systems.

Microsoft Power Apps Leaks 38 Million Records

The data of 38 million people was mistakenly exposed to the internet which was caused by an issue with more than 1000 Microsoft web applications. Some of the companies that were affected are American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. The information leaked included COVID-19 contact tracing platforms, vaccination information, job application portals, and employee databases. The information included vaccination status, social security numbers, home addresses, and phone numbers. The flaw that allowed this leak to occur was in the Power Apps application programming interface (API) default setting which opened the information to the public. The privacy settings needed to be changed manually to prevent this from happening, but a majority of customers were not aware of this option.

President Biden Hosts Tech, Energy, Finance Leaders Meet In ‘Call to Action’

On Wednesday August 25th, Apple, Amazon, Google, Microsoft and chief executives from insurance, energy and water companies were summoned to the White House to focus on improving cybersecurity. This meeting comes as recent high-profile attacks like the SolarWinds and Microsoft Exchange attacks have become more frequent. The White House wanted to address these areas of concern and determine how to best protect the 16 Critical Infrastructure sectors. Additionally, nonprofit organizations focused on computer science education and several colleges were included in the meeting to discuss efforts on how to address the gap of roughly 500,000 vacant U.S. cybersecurity jobs.

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up-to-date. This week, nGuard is bringing you everything from a T-Mobile data breach that exposed some extremely sensitive data to a Windows zero-day that may allow remote code execution.

T-Mobile Data Breach
Late Sunday night, the U.S. Sun reported that T-Mobile USA had likely suffered a massive data breach. T-Mobile was made aware of the breach after a hacker posted large swaths of data for sale on a popular online hacking forum. Early reports show the information from over 100 million customers may be at risk. This data set includes drivers license information, physical addresses, phone numbers, names, social security numbers, and unique IMEI numbers.

Norton and Avast Merger
On August 11th, the security community was made aware that anti-virus giants NortonLifeLock and Avast were going to merge in a deal worth more than $8 billion. While both companies offer a similar product set, Norton’s experience with identity logistics and Avast’s individual focus on privacy could lead us down the path to the ultimate anti-virus product. With ransomware attacks on the rise, this merger could be timely for security professionals.

Gigabyte Ransomware Attack
Bleeping Computer and United Daily News were the first to report that Taiwan-based computer manufacturer, Gigabyte, had been the latest company to suffer a large-scale ransomware attack. Early reports are confirming that IT infrastructure was shut down, but the attack may be worse than originally expected. The attack appears to have been carried out by an organization called RansomEXX. This organization is also responsible for the attacks on the Brazilian government and the Texas’ Department of Transportation.

Windows Print Spooler Zero-Day
Late last week, Microsoft confirmed the presence of a Windows print spooler vulnerability now known as CVE-2021-36958. This is one of many vulnerabilities in a class of bugs known as “PrintNightmare.” This vulnerability utilizes the CopyFile registry directive on the device to copy a DLL file that ultimately allows an attacker to gain SYSTEM level privileges on the device. Microsoft quickly released security updates to address this vulnerability.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later