Channel: Tenable Blog

Audit IBM BigFix using Tenable.io


With the adoption of more cloud, mobile, IoT, and SaaS solutions, organizations need an effective way to understand, manage and reduce their cyber risk. Many organizations rely on patch management systems to automate the installation of patches across the network. When configuring these systems, many employ the "set it and forget it" method and assume all of their systems are being patched. This method often results in the patch management system reporting inaccurate information. Using Tenable.io, you can quickly audit patch management solutions and gain complete visibility into your Cyber Exposure at any given time.

Issues such as missing systems, patch installation failures, communication problems with managed host agents, and hosts awaiting a reboot all increase your organization’s overall cyber risk. IBM BigFix (formerly IBM Endpoint Manager) is one of the patch management solutions Tenable.io can audit; it is a management platform designed to manage and patch large groups of systems and devices within organizations.

Setting up Scans

Before running any scan, you will need to add a custom analysis file on your BigFix server. Tenable.io uses this file to retrieve detailed package information by leveraging the BigFix Server API. For more information on how to set up the file, please visit IBM Tivoli Endpoint Manager (TEM) section within the Tenable.io Patch Management page.

Once your custom analysis file has been created and added to your BigFix server, you can create your scan by selecting the Advanced Scan template within Tenable.io. Under the Credentials tab, click on Patch Management, then select the IBM Tivoli Endpoint Manager (BigFix) option. Enter the IP address of your server along with an administrative account that has access to your BigFix server.

[Screenshot: Big Fix Scan]

When creating your scan, Tenable.io only requires credentials for your patch management server, eliminating the need to add local credentials for your managed hosts. This option is useful for larger organizations where credentials for managed hosts may not be available. Vulnerability data is collected from the selected patch management solution, and the scan returns the list of outstanding patches that it says you need to install.

To get a complete look at your patch management solution, we recommend also adding credentials for your managed hosts. Nessus will then scan each individual host and compare what it finds with the information reported by your patch management solution.

[Screenshot: Big Fix Scan Setup]

To audit your BigFix server, several plugins need to be enabled within your scan to obtain results, along with the Windows : Microsoft Bulletins plugin family.

Required IBM BigFix Plugins

  • Patch Management: Tivoli Endpoint Manager Computer Info Initialization (Plugin ID 62559)
  • Patch Management: Missing updates from Tivoli Endpoint Manager (Plugin ID 62560)
  • Patch Management: IBM Tivoli Endpoint Manager Server Settings (Plugin ID 62558)
  • Patch Management: Tivoli Endpoint Manager Report (Plugin ID 62561)
  • Patch Management: Tivoli Endpoint Manager Get Installed Packages (Plugin ID 65703)
  • Windows : Microsoft Bulletins Plugin family

If you have added credentials for your managed hosts into your scan, using the Patch Management Windows Auditing Conflicts plugin will help you quickly detect any patch conflicts being reported. The Patch Report plugin will report on vulnerabilities from third-party software that may not be covered by your existing patch management solution. Enabling the optional plugins will provide valuable information on client versions deployed within your network.

Recommended Plugins

  • Patch Management Windows Auditing Conflicts (Plugin ID 64294)
  • Patch Management Auditing Satisfied (Plugin ID 64295)
  • Patch Report (Plugin ID 66334)

Once you have selected the appropriate plugins, your output should look similar to the screenshot below.

[Screenshot: Big Fix Patch Configuration]

Results

The patch management feature within Tenable.io enables you to collect information on missing patches reported by patch management solutions. Scan results will include a summary of Windows Bulletins collected from your patch management solution, along with any additional plugins selected.

[Screenshot: Big Fix List of Vulnerabilities]

Vulnerabilities detected by your patch management solution include a report on the affected hosts and whether the system is vulnerable. Using this information will help to ensure that your BigFix server is configured properly and providing accurate information.

[Screenshot: Big Fix Vulnerabilities]

Results from the Patch Management: Tivoli Endpoint Manager Report plugin (Plugin ID 62561) include the status of each managed host, its last check-in timestamp, operating system version, the missing patches reported, and which hosts are up to date. Because IBM BigFix supports multiple platforms, this plugin reports missing patch information for every platform it manages, such as Windows, Linux, Solaris, AIX and Mac OS.

[Screenshot: Big Fix Results]

This information will help you detect potential communication issues between the client and server, as well as any systems that may have fallen out of scope.

Conflicts

Using credentialed scans along with the Patch Management Windows Auditing Conflicts plugin (Plugin ID 64294) reports any conflicts between what Nessus observes on the host and what your patch management solution reports. If any conflicts are discovered, the plugin reports them at a “High” severity rating and includes a summary of the Microsoft Bulletins involved.

Nessus uses the credentials provided within your scan to log in to each managed host and determine its current patch level directly. Those results are then compared with the patch levels Nessus collected from BigFix; discrepancies are labeled as “IBM TEM” conflicts in the plugin output.

[Screenshot: Big Fix Conflicts]

The report for each patch and the discrepancies are displayed in the plugin output. Conflicts like this may indicate that the host was not targeted for deployment of a particular patch, so the BigFix server does not detect it as missing.

The example below shows BigFix reporting the MS15-060 patch as missing while Nessus reports the system as not vulnerable. In this instance BigFix may be working from outdated or inaccurate data (for example, a client that has not reported back since the patch was applied), and your security team should investigate immediately.

[Screenshot: Big Fix Conflicts, second example]

Using this data helps to underscore the importance of cross-referencing patches between what is on the system and what the BigFix server thinks is on the system.
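The cross-check described above, as an added example that is not Tenable's plugin code: a small reconciliation routine that takes the per-host "missing patch" sets a patch management server would report, the bulletins a credentialed scan found missing on the same hosts, and each client's last check-in time, and sorts the differences into the categories this post discusses (conflicts in either direction, hosts the patch server has never seen, and clients that have stopped checking in). The host names, bulletin IDs, timestamps and the seven-day staleness threshold are constructed sample data.

```python
"""Cross-check a patch management server's view of missing patches against
credentialed scan results for the same hosts.

Added example, not Tenable's plugin logic. All host names, bulletin IDs and
timestamps below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# What the patch management server reports per managed host (constructed).
BIGFIX_REPORT = {
    "ws01.example.local": {"last_checkin": "2017-08-28T09:12:00Z", "missing": {"MS15-060", "MS17-010"}},
    "ws02.example.local": {"last_checkin": "2017-06-01T11:02:00Z", "missing": set()},
    "ws03.example.local": {"last_checkin": "2017-08-29T15:40:00Z", "missing": {"MS17-010"}},
}

# Bulletins a credentialed scan found missing on each host (constructed).
SCAN_FINDINGS = {
    "ws01.example.local": set(),                     # scanner says fully patched
    "ws02.example.local": {"MS17-010"},              # scanner finds a gap the server does not report
    "ws03.example.local": {"MS17-010"},              # both sources agree
    "ws04.example.local": {"MS15-060", "MS17-010"},  # never enrolled in the patch server
}

SAMPLE_NOW = datetime(2017, 8, 30, 12, 0, 0)  # fixed clock so the example is reproducible


@dataclass
class Reconciliation:
    agreed: Dict[str, Set[str]] = field(default_factory=dict)        # both say missing
    server_only: Dict[str, Set[str]] = field(default_factory=dict)   # server says missing, scan says installed
    scanner_only: Dict[str, Set[str]] = field(default_factory=dict)  # scan says missing, server silent
    unmanaged: List[str] = field(default_factory=list)               # scanned host unknown to the server
    stale: List[str] = field(default_factory=list)                   # no check-in within the threshold


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def reconcile(server_report, scan_findings, *, now=SAMPLE_NOW, stale_after_days=7) -> Reconciliation:
    """Sort every scanned host into the categories above.

    server_only is the case in the post's screenshot (the server still lists a
    bulletin the host already has); scanner_only is the "host not targeted for
    deployment" case; a stale check-in is the usual explanation for either.
    """
    result = Reconciliation()
    cutoff = now - timedelta(days=stale_after_days)
    for host, found in sorted(scan_findings.items()):
        entry = server_report.get(host)
        if entry is None:
            result.unmanaged.append(host)
            continue
        if _parse_ts(entry["last_checkin"]) < cutoff:
            result.stale.append(host)
        reported = set(entry["missing"])
        if reported & found:
            result.agreed[host] = reported & found
        if reported - found:
            result.server_only[host] = reported - found
        if found - reported:
            result.scanner_only[host] = found - reported
    return result


def conflicts(result: Reconciliation) -> List[str]:
    """One line per discrepancy, in the order a reviewer would work them."""
    lines = [f"{h}: not managed by the patch server" for h in result.unmanaged]
    lines += [f"{h}: last check-in older than threshold" for h in result.stale]
    lines += [f"{h}: scan found {sorted(b)} missing, server does not report it"
              for h, b in result.scanner_only.items()]
    lines += [f"{h}: server reports {sorted(b)} missing, scan found them installed"
              for h, b in result.server_only.items()]
    return lines


if __name__ == "__main__":
    for line in conflicts(reconcile(BIGFIX_REPORT, SCAN_FINDINGS)):
        print(line)
```

Feeding real data in means exporting the host list and missing-patch list from the patch server and the per-host bulletin findings from the credentialed scan; the staleness threshold should match the agent's expected check-in interval, since a client that has not reported for longer than that is the first thing to rule out before treating a conflict as a scanner or server error.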

Wrap Up

Using patch management integrations within Tenable.io helps you monitor patch cycles, improve remediation efforts and strengthen your overall security posture. This Cyber Exposure data can be used by security teams to effectively identify and resolve issues. CISOs can also use this information to better articulate the organization’s level of exposure and risk to C-level executives and the board.  

Built on industry-leading Nessus technology from Tenable, Tenable.io delivers a modern approach that manages, measures and reduces the modern attack surface to accurately understand and reduce cyber risk. Start with your free 60-day trial of Tenable.io Vulnerability Management to measure your Cyber Exposure.



What a Pragmatic CISO Can Learn from the Gartner Information Security Spending Forecast


While we see Gartner’s 2017 information security spending forecast setting the industry abuzz with prospects of seemingly unstoppable growth – reaching $86.4 billion this year and topping the magical $100 billion mark in 2019 [1] – let’s look beyond the numbers to see what a pragmatic security leader can learn from it.

Gartner’s Reality Check

There’s a maturity journey that every security organization travels on, but it’s easy to lose sight of the fundamentals given all the noise in the field today.  Gartner tackles this head on, with Sid Deshpande noting, “Improving security is not just about spending on new technologies. As seen in the recent spate of global security incidents, doing the basics right has never been more important. Organizations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.” [emphasis added] [2]

The fact is there’s less tolerance than ever for not mastering the security fundamentals.  If you don’t know what devices (physical and virtual) are on your networks, what software is installed on them, how they’re configured, and what vulnerabilities may exist on them, then you’re flying blind.  The lack of a strong security foundation has brought increasingly severe consequences, as the threat landscape has evolved from script kiddies to hacktivists to professional cyber-criminals expert in social engineering and ransomware. WannaCry alone is projected to cause up to $4 billion in damage, and the industry still hasn’t learned its lesson.

And adoption of new digital initiatives is putting even more pressure on security teams to do the basics well.  Digital transformation is a reality for every organization today – no matter the industry or size, public or private sector – from public cloud adoption that unleashes on-demand scalability, to DevOps approaches that accelerate innovation, to new digital touchpoints that delight customers and strengthen loyalty.  As if the fundamentals weren’t hard enough before, now information security teams must wrestle with assets they often can’t see (containers), can’t control (line of business-managed cloud and SaaS, and industrial IoT / OT), and which live off-network (mobile devices and laptops).

Gartner forecasts rapid growth in the security testing market, which we see due to the adoption of DevOps. Gartner notes, “The use of automated and integrated application security testing – according to research – is considered the leading priority as the most critical technology to adopt in order to improve application resilience and integrity.” [1] The challenge of visibility and protection is greatest with dynamic, short-lived technologies like containers.

The key questions every CISO wants to understand – what do I have, where am I exposed, what should I do about it? – are more difficult than ever to answer.  That’s why Tenable is helping organizations address them as we pioneer the emerging discipline of Cyber Exposure.  Cyber Exposure will help both operational security teams and senior executives manage and measure their modern attack surface, so they can accurately understand and reduce their cyber risk.

CISO Takeaways

The pragmatic CISO can take away three lessons from Gartner’s announcement and other recent news:

First, don't get distracted by the latest “shiny objects” if you haven't mastered your foundational security controls.  The newest machine learning-powered threat detection solution or hyped-up deception technology might be helpful for some organizations, but consider if they’re right for you today.  If you haven’t locked the doors on the first floor of your house, do you really need bullet-proof windows on your second floor?


As Facebook CISO Alex Stamos noted at Black Hat, “Too many security researchers are focused on ‘really sexy, difficult problems’ that don’t address the common vulnerabilities that allow malware attacks to wreak havoc.”  The impact of WannaCry makes his point perfectly – think about how many hot new technologies in production were powerless to stop it.

Second, strengthen your security foundation.  It’s never too late to refocus on the fundamentals.  As Tenable CEO Amit Yoran implored the industry, “We should celebrate defense.  We focus on the threat of the day, the attack of the day, instead of focusing on the foundational issues.”

For those looking for an objective security framework to measure progress, the Center for Internet Security (CIS) Critical Security Controls (formerly the SANS Top 20) is a great place to start.  Other useful frameworks include the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001/27002.  Moreover, progress can be rapid and meaningful.  A recent survey conducted by CIS and Tenable showed that among companies that started adopting a framework more than a year ago, 35 percent have automated 11 or more of the 15 foundational subcontrols, and even among those who started adopting one less than a year ago, 25 percent have automated six or more subcontrols.

Third, leverage outside help where it makes sense.  According to Gartner, "Security services will continue to be the fastest growing segment, especially IT outsourcing, consulting, and implementation services.” [2] Managed security services (MSS) can be a lifeline for many security teams struggling with staffing constraints.  Figure out what you need to manage in-house, and explore options for outsourcing other functions.  Tenable’s recently announced managed security services provider (MSSP) program will offer even more options for organizations.

Ultimately, vulnerability management must evolve to deliver even more value to security teams and executives.  Tenable has an expansive vision for how vulnerability management will evolve into Cyber Exposure by translating and contextualizing technical data into business terms:

  • Not just raw vulnerability data, but the actual cyber risk for your organization
  • Not just results, but context and guidance on what action to take
  • Not just technical reports, but business metrics and visualizations that executives can understand

For information on how Tenable can help your organization build a successful vulnerability management program, download this whitepaper or contact us today.



[1] Forecast Analysis: Information Security, Worldwide, 1Q17 Update. Elizabeth Kim, Christian Canales, Ruggero Contu, Sid Deshpande, Lawrence Pingree. June 13, 2017.

[2] Gartner press release, Gartner Says Worldwide Information Security Spending Will Grow 7 Percent to Reach $86.4 Billion in 2017, August 16, 2017.

Understanding Exploitability

[Screenshot: Tenable.io Advanced Filters]

Vulnerability exploits have been in headlines around the world in recent months as a leading source of cyber risk. As a result, your organization’s leadership may have started to ask whether your network is vulnerable to exploitation. The answer to that question often lies in the relationship between vulnerability and exploitability. All exploitable vulnerabilities are, of course, vulnerabilities. But when a vulnerability isn’t “exploitable,” what does that mean? Usually only that no working exploit has been published yet; the vulnerability still has the potential to be exploited. In Tenable.io™, nine unique advanced filters allow you to isolate the vulnerabilities or assets in your network that may be vulnerable to a particular type of exploit, providing you increased visibility into your organization’s Cyber Exposure.

Exploits

The term exploit is commonly used to describe software that has been developed to attack a computer system or asset by taking advantage of a vulnerability. The objective of many exploits is to gain control of an asset.

For example, a successful exploit of a database vulnerability can provide an attacker with the means to collect or exfiltrate all the records from that database, resulting in a data breach. Exploits are also developed to attack a vulnerability in order to gain remote administrative privileges on a host. With Tenable.io, you can identify which hosts in your network have exploitable vulnerabilities by setting the Exploit Available advanced filter to true, allowing you to prioritize remediation efforts accordingly.

[Screenshot: Exploit Available Filter]

Exploit Frameworks

Security researchers know that to truly test and understand the nature of exploiting a vulnerability, an exploit framework is needed. An exploit framework is an abstraction in which the foundation of the software provides the generic functionality, and users write code modules to perform specific tasks. For example, the developers of Metasploit, Core Impact and several others created exploit frameworks to provide common attack techniques and delivery methods, while the users create the actual exploits. These exploit frameworks can be used by inexperienced attackers to create an attack that may look sophisticated because most of the difficult work has been done by the framework.

Once you understand how to leverage the exploit framework to exploit a buffer overflow vulnerability, replicating the attack seems trivial. The industry is seeing a rise in malware code that appears to have been developed using the various exploit frameworks as they become more popular. Tenable.io enables you to search for the presence of vulnerabilities in your network that could be exploited by specific exploit frameworks. The relevant advanced filters include the CANVAS, CORE, Elliot, and Metasploit Exploit Framework filters. The Elliot Exploit Name filter allows you to apply more specificity to find vulnerabilities exploited by a specific Elliot exploit, such as any of the ones on the D2 Security Elliot Exploits page. Each of these filters can be set to true to identify vulnerabilities known to be exploited by the specific framework.

[Screenshot: Tenable.io Exploit Frameworks Filter]

Similarly to the databases maintained by well-known frameworks like Elliot, you can filter for vulnerabilities that are exploitable by exploits documented by the Exploit Database or ExploitHub websites. Some vulnerabilities may be exploitable by exploits compatible with multiple frameworks or documented in multiple databases. You can also filter for vulnerabilities that were exploited by Nessus during the process of identification. Some Nessus plugins actually perform a benign exploit when certain vulnerabilities are suspected in order to confirm the presence and exploitability of those vulnerabilities. Setting the Exploited by Nessus advanced filter to true will give you a list of vulnerabilities that Nessus was able to exploit.

[Screenshot: Tenable.io Exploited by Nessus Filter]

The last advanced filter related to exploitability is the Exploitability Ease filter. This filter provides three options:

  • Exploits are available
  • No known exploits are available
  • No exploit is required

The first two options select vulnerabilities for which known exploits are, or are not, available. The last option, “No exploit is required,” selects vulnerabilities that can be abused without running any tool, script or malware. For example, the HTTP TRACE / TRACK Methods Allowed plugin (ID 11213) flags HTTP methods that are inherently risky because of the information an attacker can obtain from TRACE and TRACK responses without using an exploit.

[Screenshot: Tenable.io Exploitability Ease Filter]

The Tenable.io solution

Tenable.io can easily identify assets that are more vulnerable and exploitable than others, allowing you to better manage, measure and reduce your organization’s cyber risk.

Regardless of your approach to reducing sources of cyber risk identified by Tenable.io – whether it’s applying patches, configuring mitigation controls or hardening operating systems – the first step is to clearly qualify the risks into actionable tasks and deliverables. Tenable.io provides information security professionals with the tools and resources needed to perform a detailed qualitative analysis of the risk that threatens business assets. Armed with Tenable.io, you’ll be prepared to provide an accurate assessment of your organization's Cyber Exposure.

Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks and reducing its Cyber Exposure. Start with a free trial of Tenable.io Vulnerability Management for 60 days.

Patching Makes Perfect


Malware and ransomware are a big topic these days, especially with the recent releases of WannaCry and Petya variants. Typically, when I read about new malware my first thought is, “How can I stop the infection from happening in the first place?” Tenable.io™, the first Cyber Exposure platform, answers that question by identifying vulnerabilities and presenting the information in an easy-to-understand format.

A common method of malware delivery is the exploit kit: a modular software package in which exploit modules can be removed, added or updated as new exploits appear. These kits typically come bundled with a management console, exploits for a range of applications, and functions that allow an attacker to launch attacks.

As new vulnerabilities are identified, exploit modules are created which take advantage of the new exposures. Unpatched applications such as Adobe Flash, Adobe Acrobat and Microsoft Internet Explorer are commonly sought out by attackers. When activated, the kit identifies any vulnerabilities in the software installed on the targeted system.

Patching is an effective method of mitigating this risk. According to the 2017 Verizon Data Breach Investigations Report, “Having a good patch process is a fundamental security practice.” But patching can be a pain due to the sheer number of updates available. If you have multiple system architectures within your organization, the number of patches multiplies, and so does your cyber risk.

When speaking with customers about the importance of patching, I’ve often heard the following two questions:

  • With so many patches available, how do we prioritize them?
  • How can we keep our organization up-to-date when vendors continue to release new updates?

Luckily, Tenable.io can help answer these two questions. Tenable.io helps you manage, measure and reduce your attack surface by prioritizing patches based on their risk.

All Patches Are Not Equal, Focus on What is Important

All vulnerabilities are not equal and should be evaluated against policies and operational requirements. When planning mitigation efforts, you will need to assign priorities to vulnerabilities and then execute your patching strategies accordingly. Tenable.io easily provides you the information needed to determine which patches are missing, and which are more critical than others.

Filters help to focus the vulnerability workbench to a manageable and more targeted view. In the example below, we are setting the date range to a specific 90-day time period using the advanced filter.

[Screenshot: Advanced Filters, Tenable.io]

From the drop down picker select ‘Patch Publication Date.’ Set the date ‘earlier than’ today’s date, click the ‘+’ icon and select ‘Patch Publication Date’ once again. Set the date ‘later than’ three months prior.

[Screenshot: Advanced filters controls]

Once you click apply, you will be returned to the Vulnerabilities By Plugin Workbench. The missing patches that meet the search criteria will be displayed, which can still be a lot of information. Then click on the ‘By Asset’ tab, noted by the number 1 in the screenshot below. If you hover over the first ring chart, noted by the number 2, percentages will be displayed. In this example, I hover over either ‘Windows’ or the color associated with Windows assets, and can see that 50 percent of Windows Operating Systems are missing patches from the last 90 days.

You can view details for the ‘Assets with Vulnerabilities’ in the areas noted by the number 3. Here you can see the number of assets with vulnerabilities and sort them by asset, by vulnerability count, or by last seen date.

[Screenshot: Tenable.io Dashboard]

Clicking anywhere on the asset loads a page for that asset, displaying the host details and all the missing patches. Missing patches first detected in the last 14 days carry a ‘New’ tag, and patches that had disappeared and have resurfaced are tagged accordingly.

[Screenshot: Tenable.io Vulnerability list]

I recommend setting additional filters to refine the data further, such as a filter for ‘Exploit available = true.’ Adding this filter to the previous filter will only return results for hosts which are missing patches from the last 90 days in which an exploit exists. You may add filters for specific severity levels to refine data further. You should also conduct queries with filters to search for missing patches over a year old or more.
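As an added example (not Tenable's own code), the following script applies the same selections to an exported .nessus file offline, so both the exploitability filters described in the Understanding Exploitability post above and the patch-publication-date window combined with "Exploit available = true" used here can be reproduced from a scan export without the UI. It reads the exploit_available, exploitability_ease, exploit_framework_*, exploited_by_nessus and patch_publication_date elements that Nessus writes into each ReportItem; the exploit_framework_d2_elliot tag name is an assumption, and the embedded XML, its host names, its dates and every plugin ID other than 11213 are constructed sample data.

```python
"""Filter an exported .nessus file by exploitability and patch date.

Added example, not Tenable's code. The XML below is a constructed sample in
the .nessus v2 layout; only plugin 11213 is a real plugin ID.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import FrozenSet, List, Optional

SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="constructed sample">
<ReportHost name="ws01.example.local">
  <ReportItem port="80" severity="2" pluginID="11213" pluginName="HTTP TRACE / TRACK Methods Allowed">
    <exploit_available>false</exploit_available>
    <exploitability_ease>No exploit is required</exploitability_ease>
  </ReportItem>
  <ReportItem port="445" severity="4" pluginID="900001" pluginName="Constructed: old patch, public exploit">
    <exploit_available>true</exploit_available>
    <exploitability_ease>Exploits are available</exploitability_ease>
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <patch_publication_date>2015/06/09</patch_publication_date>
  </ReportItem>
</ReportHost>
<ReportHost name="ws02.example.local">
  <ReportItem port="0" severity="3" pluginID="900002" pluginName="Constructed: recent patch, no public exploit">
    <exploit_available>false</exploit_available>
    <exploitability_ease>No known exploits are available</exploitability_ease>
    <patch_publication_date>2017/07/11</patch_publication_date>
  </ReportItem>
  <ReportItem port="0" severity="4" pluginID="900003" pluginName="Constructed: recent patch, exploited by scanner">
    <exploit_available>true</exploit_available>
    <exploitability_ease>Exploits are available</exploitability_ease>
    <exploit_framework_core>true</exploit_framework_core>
    <exploit_framework_canvas>true</exploit_framework_canvas>
    <exploited_by_nessus>true</exploited_by_nessus>
    <patch_publication_date>2017/06/13</patch_publication_date>
  </ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

SAMPLE_TODAY = date(2017, 9, 1)  # fixed "today" so the 90-day window is reproducible

FRAMEWORK_TAGS = {  # ReportItem tag -> short name; the d2_elliot tag name is an assumption
    "exploit_framework_metasploit": "metasploit",
    "exploit_framework_core": "core",
    "exploit_framework_canvas": "canvas",
    "exploit_framework_d2_elliot": "elliot",
}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    plugin_name: str
    severity: int
    exploit_available: bool
    exploitability_ease: str
    frameworks: FrozenSet[str]
    exploited_by_nessus: bool
    patch_published: Optional[date]


def _text(item: ET.Element, tag: str) -> str:
    el = item.find(tag)
    return (el.text or "").strip() if el is not None else ""


def _flag(item: ET.Element, tag: str) -> bool:
    return _text(item, tag).lower() == "true"


def parse_nessus(xml_text: str) -> List[Finding]:
    """Flatten every ReportItem into a Finding; absent tags default to false/empty."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            pub = _text(item, "patch_publication_date")
            findings.append(Finding(
                host=host.get("name", ""),
                plugin_id=item.get("pluginID", ""),
                plugin_name=item.get("pluginName", ""),
                severity=int(item.get("severity", "0")),
                exploit_available=_flag(item, "exploit_available"),
                exploitability_ease=_text(item, "exploitability_ease"),
                frameworks=frozenset(n for t, n in FRAMEWORK_TAGS.items() if _flag(item, t)),
                exploited_by_nessus=_flag(item, "exploited_by_nessus"),
                patch_published=datetime.strptime(pub, "%Y/%m/%d").date() if pub else None,
            ))
    return findings


def select(findings, *, exploit_available=None, framework=None, ease=None,
           exploited_by_nessus=None, published_within_days=None,
           min_severity=0, today=SAMPLE_TODAY) -> List[Finding]:
    """Apply the same conditions as the advanced filters; None means "any"."""
    keep = []
    for f in findings:
        if f.severity < min_severity:
            continue
        if exploit_available is not None and f.exploit_available != exploit_available:
            continue
        if framework is not None and framework not in f.frameworks:
            continue
        if ease is not None and f.exploitability_ease != ease:
            continue
        if exploited_by_nessus is not None and f.exploited_by_nessus != exploited_by_nessus:
            continue
        if published_within_days is not None:
            # A finding with no patch date has no vendor patch to prioritise by date.
            if f.patch_published is None or not (
                    today - timedelta(days=published_within_days) <= f.patch_published <= today):
                continue
        keep.append(f)
    return keep


def hosts(findings) -> List[str]:
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    all_findings = parse_nessus(SAMPLE_NESSUS)
    recent = select(all_findings, published_within_days=90)
    urgent = select(all_findings, published_within_days=90, exploit_available=True)
    print("hosts missing patches from the last 90 days:", hosts(recent))
    print("of those, findings with a public exploit:", [(f.host, f.plugin_id) for f in urgent])
```

Point it at a real export with `parse_nessus(open("scan.nessus").read())` and drop the `today` override; the combinations the post recommends (date window plus exploit available, or plus a minimum severity) are single `select` calls, and `hosts()` gives the asset list to hand to the patching team.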

Timely patch management can reduce your organization's cyber risk, eliminating the types of scenarios demonstrated here. Data breaches based on high-profile malware dominate the media, often times leading to a loss of reputation for those organizations who become the unfortunate targets of a malicious attack.

Utilizing Tenable.io and these methods will enable you to successfully navigate vulnerability data with ease. By adding filters for exploitable vulnerabilities, and filtering on specific date ranges, you can identify and focus your patching efforts on applications or hosts which are most likely to be exploited. Reviewing the vulnerable assets and applications will allow you to further identify and prioritize software and devices that should take priority. I also utilize dashboards such as the Outstanding Patch Tracking Dashboard to gain additional insight into patching efforts.

Wrapping up

Tenable.io helps you to manage, measure and reduce your cyber risk by identifying missing patches and prioritizing those most critical. Whether you are communicating up the chain, to peers or to your team, Tenable.io enables flexible navigation through vulnerability data, while allowing you to quickly and effortlessly take a thorough look at your outstanding risk.


Hardcoded Credentials Expose Customers of AT&T U-Verse


On August 31, 2017, Nomotion released five vulnerabilities for two Arris modems used by AT&T U-Verse customers in the US. The vulnerabilities fall into four types, described below: hardcoded credentials, authenticated command injection, an information exposure, and a firewall bypass.

The hardcoded credentials give attackers access to the device via SSH or HTTP/HTTPS. On certain devices, when logged into the modem, the attacker can then leverage the authenticated command injection vulnerabilities to get a root shell. This vulnerability is especially bad for users whose devices are exposed to the internet.

The firewall bypass vulnerability is particularly worrisome. After gathering the list of hosts behind the firewall through the port 61001 information exposure, an unauthenticated remote attacker can use the firewall bypass to connect to any of those devices, effectively opening the internal network to attack.

Nomotion reported that these vulnerabilities were found on the following Arris models used by AT&T U-Verse:

  • NVG589
  • NVG599

Tenable Research has further identified that the Arris-made Motorola DSL modems 2210, 2241, 2247, 2310, 3347 and 3360 are currently affected by one or more of these vulnerabilities. Some newer AT&T U-Verse devices, such as the Arris 5268AC, also suffer from one or more of them: the 5268AC’s newer firmware contains the embedded bdctest credentials mentioned in Nomotion’s disclosure as well as the firewall bypass vulnerability (partially mitigated by the greater difficulty of obtaining the device’s serial number). Tenable has contacted Arris to inform them of the Nomotion research and of the additional vulnerable devices.

[Screenshot: Credentials SDB]

Despite the recency of the disclosure, remote SSH access via the “remotessh” user account had already been mentioned publicly in a November 2014 post on dsl-report.com:

[Screenshot: Remote SSH]

Furthermore, the last firmware Arris released for many of these devices was 9.1.1h0d34 released back in May 2013. That’s not to say that the various ISPs that use these devices haven’t been issuing their own patches though.

In response to these vulnerabilities, Tenable has released the following plugins:

Because no updated firmware that remediates these issues has yet been deployed or made available, Tenable recommends customers follow Nomotion’s mitigation guide until Arris or AT&T provide a formal response. Customers should also always be wary about the services they are exposing to the internet and minimizing the attack surface as much as possible.

Apache Struts REST Plugin XStream XML Request Deserialization RCE (CVE-2017-9805)


A new critical vulnerability (S2-052) in the Apache Struts framework (CVE-2017-9805) allows an unauthenticated attacker to run arbitrary commands on any server that uses the Struts framework with the popular REST plugin.

Vulnerability details

A remote code execution vulnerability exists in Apache Struts because the REST plugin deserializes untrusted data: it uses XStream to turn XML request bodies into Java objects without restricting which classes may be instantiated. A remote unauthenticated attacker can therefore execute arbitrary code by sending a crafted XML payload to an endpoint served by the REST plugin.

A code sample used by lgtm to identify the flaw is listed here:

import java

/** The ContentTypeHandler Java interface in Struts */
class ContentTypeHandler extends Interface {
  ContentTypeHandler() {
    this.hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler")
  }
}

/** The method `toObject` on any implementation of ContentTypeHandler */
class ToObjectDeserializer extends Method {
  ToObjectDeserializer() {
    this.getDeclaringType().getASupertype*() instanceof ContentTypeHandler and
    // getSignature is a predicate call; the original sample omitted the parentheses
    this.getSignature() = "toObject(java.io.Reader,java.lang.Object)"
  }
}
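As an added illustration, not code from Struts or from the lgtm query, here is the unsafe pattern in its smallest form next to a hardened version: the vulnerable handler passes the request body to an XStream instance that instantiates whatever class the root element names, while the hardened one starts from a deny-all permission and allows only the types the endpoint expects. The Order class, the element names and the method names are assumptions made for this example; the XStream security API calls (addPermission, allowTypes, ForbiddenClassException) are real.

```java
// Added example (not Struts source): an XStream deserializer with no type
// restrictions, the pattern behind S2-052, beside a hardened equivalent.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.io.Reader;
import java.io.StringReader;

public class XmlDeserializationExample {

    // Hypothetical payload type; the name and fields are assumptions for this example.
    public static class Order {
        public String sku;
        public int quantity;
    }

    /** Vulnerable: the XML root element picks the class, so any class on the classpath can be built. */
    static Object toObjectUnsafe(Reader body) {
        XStream xstream = new XStream();
        return xstream.fromXML(body);
    }

    /** Hardened: deny every type first, then allow only what this endpoint expects. */
    static Object toObjectSafe(Reader body) {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);            // start from deny-all
        xstream.addPermission(NullPermission.NULL);              // null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);                     // map <order> to Order
        return xstream.fromXML(body);
    }

    public static void main(String[] args) {
        String benign = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        Order o = (Order) toObjectSafe(new StringReader(benign));
        System.out.println(o.sku + " x" + o.quantity);

        // A document naming a type outside the allow-list is rejected before any
        // object is created, instead of being instantiated as the unsafe version would.
        String unexpected = "<java.util.HashMap/>";
        try {
            toObjectSafe(new StringReader(unexpected));
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The explicit deny-all matters because older XStream releases accept any class by default; a deserializer that only ever needs a handful of request types should name them and nothing else, which is also what makes the version-only local check in this post insufficient on its own (a patched handler and an unpatched one can report the same Struts version).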

Tenable coverage

Tenable has released two plugins to detect vulnerable Apache Struts installs in your environment.

Unauthenticated Remote Check

Plugin 102977 is a remote plugin which will attempt to exploit the vulnerability and send an ICMP echo (ping) request from the remote host back to the scanner host to verify a successful exploit. A successful scan will produce the following results:

[Screenshot: Apache Struts exploit output]

To enable a proper scan test, a few steps must be performed.  

  1. Enable the scanner to “perform thorough tests” under Assessment -> General Settings.
  2. Enable a Web Application Scan (Assessment -> Web Applications). It is best for the scan to be configured with the appropriate location to start crawling the web application; the crawler setting can be defined in Assessment -> Web Applications -> Start crawling from.
  3. For highly segmented and compartmentalized networks, the target must be able to ping the scanner’s IP address directly. This is especially important in cloud environments, where VPCs, subnets and containerized applications can block the ICMP echo the plugin sends from the target back to the scanner to confirm that the blind remote code execution vulnerability exists.

Authenticated Local Check

In addition to the remote check, a local version check (Plugin ID 102960) is available for both Windows (using SMB credentials) and Unix (using SSH credentials). Because this plugin relies only on the version number of the Struts library it finds, it cannot tell whether a workaround is in place that mitigates the vulnerability, so it only runs in scans whose Accuracy setting is set to Show potential false alarms.

Windows Example:

[Screenshot: Apache Struts Windows output]

Unix Example:

[Screenshot: Apache Struts Unix output]

What customers should do

Customers who are affected by this vulnerability should upgrade to Apache Struts version 2.3.34 or 2.5.13 or later.  A workaround is available at https://cwiki.apache.org/confluence/display/WW/S2-052.

If you suspect your system is vulnerable, but it is not reporting something similar, check the scan’s Audit Trail for plugins 102977 and 102960. Nessus may have difficulty crawling some web applications or could have trouble finding the application on the file system for the authenticated check. Make sure you follow the instructions listed above.

Due to the nature of this vulnerability, it is critical that vulnerable hosts be patched as quickly as possible. By leveraging the remote check available from Nessus, it is possible to scan all of your web applications to identify any application that is using an outdated and vulnerable version of Struts.

Thanks to Andrew Orr and Thomas Cappetta for their contributions to this blog post.

Protecting Your Bluetooth Devices from BlueBorne


A new attack vector, codenamed BlueBorne, can potentially affect all devices with Bluetooth capabilities – ordinary computers, mobile phones, and IoT devices – literally billions of devices in the world today. Hackers can use this attack vector to leverage Bluetooth connections to completely take over targeted devices.

BlueBorne spreads through the air, allowing it to bypass all security measures and potentially infect even “air-gapped” networks. The attack does not require the attacker’s device and the targeted device to be paired; in fact, the targeted device does not even need to be set on discoverable mode. The BlueBorne attack vector requires no user interaction, no connection to the internet, covers multiple OS versions, and does not require any special configuration other than Bluetooth being active on the targeted device. BlueBorne is completely undetected by the user and can be used for a large range of attacks, including remote code execution and man-in-the-middle attacks, ransomware, creating IoT botnets and more.

Tenable Coverage

CVE-2017-8628, CVE-2017-1000250 and CVE-2017-1000251 cover the vulnerabilities that allow the BlueBorne attack vector to succeed in Windows and Linux environments. Tenable has released the following plugins to address those CVEs:

| Plugin ID | Plugin Name | CVE |
|---|---|---|
| 103127 | KB4038777: Windows 7 and Windows Server 2008 R2 September 2017 Cumulative Update | CVE-2017-8628 |
| 103128 | KB4038782: Windows 10 Version 1607 and Windows Server 2016 September 2017 Cumulative Update | CVE-2017-8628 |
| 103129 | KB4038783: Windows 10 Version 1511 September 2017 Cumulative Update | CVE-2017-8628 |
| 103130 | KB4038788: Windows 10 Version 1703 September 2017 Cumulative Update | CVE-2017-8628 |
| 103131 | KB4038792: Windows 8.1 and Windows Server 2012 R2 September 2017 Cumulative Update | CVE-2017-8628 |
| 103140 | Windows 2008 September 2017 Multiple Security Updates | CVE-2017-8628 |
| 103144 | CentOS 6 : kernel (CESA-2017:2681) | CVE-2017-1000251 |
| 103145 | CentOS 6 : bluez (CESA-2017:2685) | CVE-2017-1000250 |
| 103196 | CentOS 7 : kernel (CESA-2017:2679) | CVE-2017-1000251 |
| 103198 | Debian DSA-3972-1 : bluez - security update | CVE-2017-1000250 |
| 103202 | Fedora 26 : bluez (2017-fe95a5b88b) | CVE-2017-1000250 |
| 103165 | Oracle Linux 6 : kernel (ELSA-2017-2681) | CVE-2017-1000251 |
| 103164 | Oracle Linux 7 : kernel (ELSA-2017-2679) | CVE-2017-1000251 |
| 103166 | Oracle Linux 6 / 7 : bluez (ELSA-2017-2685) | CVE-2017-1000250 |
| 103169 | RHEL 6 : kernel (RHSA-2017:2681) | CVE-2017-1000251 |
| 103170 | RHEL 6 : kernel (RHSA-2017:2682) | CVE-2017-1000251 |
| 103171 | RHEL 6 : kernel (RHSA-2017:2683) | CVE-2017-1000251 |
| 103208 | RHEL 6 : kernel (RHSA-2017:2707) | CVE-2017-1000251 |
| 103167 | RHEL 7 : kernel (RHSA-2017:2679) | CVE-2017-1000251 |
| 103168 | RHEL 7 : kernel (RHSA-2017:2680) | CVE-2017-1000251 |
| 103207 | RHEL 7 : kernel (RHSA-2017:2706) | CVE-2017-1000251 |
| 103206 | RHEL 7 : kernel-rt (RHSA-2017:2704) | CVE-2017-1000251 |
| 103172 | RHEL 6 / 7 : bluez (RHSA-2017:2685) | CVE-2017-1000250 |
| 103174 | Scientific Linux Security Update : kernel on SL6.x i386/x86_64 | CVE-2017-1000251 |
| 103175 | Scientific Linux Security Update : kernel on SL7.x x86_64 | CVE-2017-1000251 |
| 103173 | Scientific Linux Security Update : bluez on SL6.x, SL7.x i386/x86_64 | CVE-2017-1000250 |
| 103187 | Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : bluez vulnerability (USN-3413-1) | CVE-2017-1000250 |

To find your vulnerable systems, in the Tenable.io Vulnerability Workbench, click on “Advanced” and do a search for CVE equal to “CVE-2017-8628,CVE-2017-1000250,CVE-2017-1000251” (note that there are no spaces after the commas):

BlueBorne CVE search Tenable.io

Additional Tenable.io vulnerability detection plugins related to BlueBorne will have “BlueBorne” in their names. To do a search for these vulnerabilities, click on “Advanced” in the Tenable.io vulnerability workbench and do a search for Plugin name contains “blueborne” (the search is not case sensitive):

BlueBorne name search Tenable.io

Also note that Plugin 43830 (WMI Bluetooth Network Adapter Enumeration) can be used for finding Bluetooth network adapters on your Windows systems.

Now What?

If you’ve discovered that you have vulnerabilities that could be exploited by BlueBorne, you should update your systems as soon as possible. Microsoft has already issued security patches to all supported Windows systems, with coordinated notification on Tuesday, September 12. Patches for the various Linux OS distros have also been released. Devices running iOS 10 already have the vulnerability mitigated, but all iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are vulnerable.

Is DevOps the Best Thing to Ever Happen to Security?


Many of us have heard this story before, and it goes something like this:

Developers are focused on one thing and one thing only - speed. They expunge anything that gets in their way or slows them down. And they can, because successful DevOps is becoming a core competitive differentiator for many organizations.

Security leaders are focused on one thing and one thing only - risk. They are vigilant with ensuring compliance with enterprise policy and abhor change. And they can, because major cyberattacks and security breaches can become company killers.

It doesn’t take much imagination to picture these two functions at odds with one another. Even InfoSec professionals, 77 percent of them according to Gartner, agree that their own policies slow IT’s ability to respond quickly to the needs of the business. However, the trend among IT leaders is about increasing throughput and speed. A recent study looked at the differences between high and low IT performers and found that high performers deploy code 46x more frequently, have 440x faster lead times from commit and deploy, and are 2x more likely to exceed profitability and market share goals. How can DevOps and InfoSec bridge this divide spanning speed and risk?

Join DevOps pioneer, author, researcher and entrepreneur, Gene Kim, this Wednesday at 2 p.m. ET as he and our own Corey Bodzin discuss how shifting left with security can reduce an organization’s Cyber Exposure. You will learn why “DevOps is awesome for InfoSec” with the ability to integrate security into the development process and be welcomed by developers. Gene will also discuss three ways for InfoSec to partner with DevOps to ensure superior code quality. Finally, Corey will provide an example of a secure DevOps solution today supporting Docker containers that incorporates security as a critical test early into the software development lifecycle.

Webinar attendees will have a chance to win one of two hundred copies of The DevOps Handbook or The Phoenix Project as an added bonus. We hope to see you on Wednesday for this one-of-a-kind session!


Piriform CCleaner Remote Backdoor


CCleaner, a popular application used for performing routine maintenance on systems, was recently found to contain a malicious backdoor. This could allow a remote attacker to extract sensitive data from the host, or execute malicious code on the host.

Vulnerability details

A malicious modification of the 32-bit CCleaner.exe binary (CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191) contains a two-stage backdoor that allows a remote attacker to execute code on an affected system. The code modification is hidden in CCleaner’s initialization code known as CRT (Common Runtime) that is usually inserted at compilation time. The modified code performs various tasks before the application’s code is executed, including unpacking and decrypting shellcode. The code then performs the following actions:

  • Creates the Windows registry key HKLM\SOFTWARE\Piriform\Agomo to store data about the host, including the name of the computer, a list of installed software including Windows updates, a list of running processes, the MAC addresses of the first three network adapters and additional information such as whether the process is running with administrator privileges, whether it is a 64-bit system and more.
  • Encrypts and encodes all the collected information using base64 with a custom alphabet.
  • Sends the encoded information via an HTTPS POST request to the external IP address 216[.]126[.]225[.]148 with a hardcoded HTTP Host header of “Host: speccy.piriform.com” to make the request look legitimate.
  • Communicates with the remote IP to download a second stage payload.
  • If the hardcoded IP address becomes unreachable, the malicious code uses a Domain Generation Algorithm (DGA) to redirect communication to a different location. These generated domains are not under the control of the attacker and do not pose any risk currently.

Tenable coverage

Tenable has released a set of plugins to help you determine if CCleaner is currently installed on your network and whether the installed versions have the backdoor:

| Plugin ID | Name |
|---|---|
| 103302 | Piriform CCleaner 5.33.6162 Backdoor |
| 103303 | Piriform CCleaner Cloud 1.07.3191 Backdoor |
| 103304 | Piriform CCleaner Cloud Installed |
| 103305 | Piriform CCleaner Installed |

To find your vulnerable systems, in the Tenable.io Vulnerability Workbench, click on “Advanced” and do a search for Plugin Name contains “CCleaner”:

Tenable.io CCleaner

For any malware situation, you should always run a malware scan against your systems, using the predefined Malware Scan template. Plugins such as Plugin 59275, Malicious Process Detection, will report if any systems are infected. For more information on setting up scans, see the Tenable.io Scans Workflow documentation.

We also recommend that you check the output of Plugin 92371, Microsoft Windows DNS Cache, for the domains associated with this backdoor to see whether any machines have connected to them. Hosts that have connected to one or more of these domains have been compromised, meaning that they have the backdoored version of CCleaner installed and have connected back to the attacker.

Tenable.io DNS findings

Another useful check: you can also use Tenable.io to review previous scans for signs that this backdoor has been present on your network longer than you realized. Select a previous scan in Tenable.io and search for the DNS domains, processes, or other information mentioned above.

Nessus® Network Monitor (formerly PVS™) has also released a signature that detects if the remote host performs a DNS lookup to a list of known malicious domains.

Nessus Network Monitor CCleaner malware detection

What customers should do

Only users who have installed the 32-bit version of CCleaner for Microsoft Windows are affected by this backdoor vulnerability. Customers who installed CCleaner version 5.33.6162 should upgrade to version 5.34 or later. Customers using CCleaner Cloud version 1.07.3191 have already received an automatic update.

Thanks to Scott Caveza for his contributions to this blog.

Maintain Your &%$#* Systems! A Mantra for IT Professionals in the Wake of Equifax


Once again, we have a basic failure in cyber hygiene causing a massive data breach. This one affects potentially half of the U.S. population and compromises particularly sensitive personal information that can be used by criminals to wreak havoc on people’s bank accounts, credit scores and identities.

I’m referring, of course, to the Equifax breach. What I find particularly disturbing is that criminals took advantage of a known vulnerability for which a patch had been available for two months. Let that sink in for a moment: two months is an eternity of exposure to hostile internet actors when efficient systems management and compensating controls are readily available. In fact, the Tenable team had published this post in March about this particular Apache Struts vulnerability and the availability of Tenable plugins. In an era where companies are continuously updating their software, IT and security teams should be consistently patching bugs and closing vulnerabilities as they are reported.

These types of attacks take advantage of the worst and most common habits: the avoidance of something as simple as maintaining good cyber hygiene and patching systems. Cyber criminals don’t need to waste a precious and rare zero-day exploit when they can easily get into your network using a known exploit for an unpatched vulnerability.

Every organization has a responsibility to know what systems it operates and which ones it relies on, to know how those systems are exposed, and to efficiently manage and reduce cyber risk, frequently through patching and compensating controls. This isn’t sexy work, but it gets the job done. Maintaining good cyber hygiene is so fundamental to building a solid, scalable IT program that it ought to be a requirement against which all IT functions are measured. Imagine the benefits to the business if CIOs and CISOs rewarded their teams for maintaining top-rate systems hygiene and celebrated defense and prevention.

Just as doctors take the Hippocratic oath to “first do no harm,” IT and security teams ought to adopt a similar mantra: “Maintain your systems.” That is the surest way to keep the business healthy and safe from cybercriminals. And it's the only way we're going to stop this vicious cycle of breaches and the inevitable face palm that results from knowing the breach was entirely preventable.

A Call for Congress to Prioritize Modernizing Government Technology


While we’ve already seen Congress engage in fierce debates over fiscal year 2018 funding, it’s important to remember that there are bipartisan issues on the table. Upgrading and modernizing government IT systems is one such area that deserves continued focus.

That’s why we were pleased to see the Senate pass the 2017 National Defense Authorization Act (NDAA) with the Modernizing Government Technology (MGT) Act as an amendment from Sens. Jerry Moran (R-KS) and Tom Udall (D-NM). The MGT Act (HR 2227), introduced earlier this year by Rep. Will Hurd (R-TX), is an important step toward federal IT modernization. The bill passed the House in May with 18 co-sponsors from across the political spectrum, with Reps. Robin Kelly (D-IL), Gerry Connolly (D-VA) and Steny Hoyer (D-MD) joining Reps. Blake Farenthold (R-TX) and Darrell Issa (R-CA), among others. Now that the Senate has done its job, we urge members of the Conference Committee to agree to and pass the NDAA with the MGT Act so federal agencies have the funding they need to implement modern IT systems as quickly as possible.

We’ve all heard the shocking anecdote about the country’s nuclear arsenal that is controlled by an eight-inch floppy disk, but the issues posed by legacy technology are as broad as they are deep.

The security challenges of legacy IT are compounded by today’s complex mix of modern computing platforms and devices. An asset is no longer just a laptop or server, it is now everything from an iPhone to a fighter jet. As a result, the elastic attack surface is now comprised of modern, often short-lived assets and traditional, legacy technology. This has created a massive gap in agencies’ ability to truly understand their Cyber Exposure at any given time.

Modernization Requires Security

But modernizing IT is not enough. Agencies must also ensure that they’re implementing approaches to secure this new technology. That means live discovery of every asset across any computing environment and continuous visibility into where an asset is secure or exposed, and to what extent. Agencies need additional context to prioritize and select the appropriate remediation technique. The ability to transform raw security data into actionable information and risk metrics is also key for making strategic decisions.

Smart Public Policy

The MGT Act is essential to help agencies jumpstart the process of updating their IT systems by establishing a capital fund so agencies won’t be subject to “use it or lose it” provisions of the current federal budget requirements. The Government Accountability Office (GAO) has called out the risks and high costs of outdated federal IT systems for years, most recently estimating that of the more than $80 billion spent for IT annually, 80 percent goes toward operating and maintaining old systems that are difficult, if not impossible, to protect against today’s cyber threats.

Only with modern tools that allow agencies to manage, measure and reduce their cyber risk can they undertake a long-term plan to improve cybersecurity posture and protect against evolving cyber threats. The MGT Act not only enables that shift, but has the potential to save billions of taxpayer dollars in the process. It will also be important to prioritize the cybersecurity funding tied to this legislative initiative to ensure security is intertwined with government modernization efforts into the future. It’s smart public policy that is urgently needed to make our country and its citizens safer, stronger and more secure.

Personalizing Your Tenable.io Scans


Tenable.io™ Scan and Policy Templates allow you to set up scans with minimal configuration. There are templates for many tasks, such as Host Discovery, detecting the latest headline-grabbing malware, managing mobile devices and more. However, your network is constantly evolving. Eventually the predefined templates will not satisfy the needs of your network. With Tenable.io, you can optimize the management of your network’s cyber risk by designing and launching customized vulnerability scans that are tailored to your organization.

Tenable.io Scan Templates

Each template enables a specific set of plugins, and each plugin performs a different security check. By choosing the “Advanced Network Scan” template, you can select your own plugins. Similar plugins are broken up into Plugin Families. These Plugin Families may include plugins that run local checks, which require authentication credentials and test for vulnerabilities specific to the host manufacturer or OS distribution, or remote checks that do not gain access to the host before running the test.

Tenable.io Scan Template Plugins

Creating a customized Advanced Network Scan policy is a good way to ensure that you receive the necessary information regarding your network’s cyber risk and exposure in a timely fashion.

Enumerating All the Windows User IDs

In the “Windows” section of the “Assessment” tab, you have the option to Enumerate Domain Users and Local Users for a given range of User IDs (UIDs). The default range for both Local and Domain Users is between 1,000 and 1,200. When a new user is created, a new UID is assigned starting at 1,000, increasing by one for each addition. UIDs are never reused, so this range covers the first 200 UIDs that were assigned to new users.

Tenable.io Windows ID

However, if you are part of a large organization in which more than 200 people have had user-level access to the network, you may want to change the “End UID” to 20,000 (or greater) to ensure all accounts are identified. Also, the default range does not cover UID 500, where the default local administrator account is enumerated.

Tenable.io Windows ID Changed
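The following Python helper, added here and not part of Tenable.io, shows which accounts the default 1,000–1,200 range would miss for a set of constructed local account SIDs and suggests a Start UID / End UID pair that covers them (RID 500, the last SID component, is the built-in Administrator):

```python
"""Check which accounts a Tenable.io Windows user-enumeration range covers.

Added illustration, not Tenable code. The SIDs below are constructed
sample values; the RID (last SID component) is what the page's
"Start UID" / "End UID" settings bound.
"""
import re
from typing import Dict, List, Tuple

# Local or domain account SIDs end in the relative identifier (RID).
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed accounts: RID 500 is the built-in Administrator, 501 is Guest,
# and accounts created by an administrator start at RID 1000.
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1111-2222-3333-500"),
    ("Guest",         "S-1-5-21-1111-2222-3333-501"),
    ("alice",         "S-1-5-21-1111-2222-3333-1001"),
    ("bob",           "S-1-5-21-1111-2222-3333-1199"),
    ("svc_backup",    "S-1-5-21-1111-2222-3333-1250"),
    ("carol",         "S-1-5-21-1111-2222-3333-4302"),
]


def rid_of(sid: str) -> int:
    """Extract the RID, rejecting well-known SIDs such as S-1-5-18 (SYSTEM)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not an account SID with a RID: %s" % sid)
    return int(m.group(1))


def coverage(accounts: List[Tuple[str, str]], start_uid: int = 1000,
             end_uid: int = 1200) -> Dict[str, List[Tuple[str, int]]]:
    """Split accounts into those inside and outside the scanner's RID range."""
    covered, missed = [], []
    for name, sid in accounts:
        rid = rid_of(sid)
        (covered if start_uid <= rid <= end_uid else missed).append((name, rid))
    return {"covered": covered, "missed": missed}


def recommend_range(accounts: List[Tuple[str, str]],
                    headroom: int = 1000) -> Tuple[int, int]:
    """Start/End UID values covering every known account plus RID 500 and
    some headroom, since RIDs are never reused and only grow."""
    rids = [rid_of(sid) for _, sid in accounts]
    return min(rids + [500]), max(rids) + headroom


if __name__ == "__main__":
    result = coverage(SAMPLE_ACCOUNTS)
    print("missed by default range:", result["missed"])
    print("suggested Start UID / End UID:", recommend_range(SAMPLE_ACCOUNTS))
```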

Compliance Analysis

Tenable.io offers three different types of compliance checks. Standards-based auditing evaluates the configuration of your machines against standards set by third-party organizations, like the Center for Internet Security (CIS) or the Department of Defense’s Defense Information Systems Agency (DISA). Content auditing searches through file contents to look for sensitive information, like plaintext credit card numbers. Finally, network infrastructure auditing checks that the configurations of routers, switches, firewalls and other devices are in line with internal policies.

When a compliance audit is conducted, an audit file is used to configure the check. There is a wide variety of compliance audit files available in Tenable.io. Audit files are available on Tenable.io directly through the Customer Support Portal, or you can write a custom audit file.

VMWare Compliance in Tenable.io

For example, the CIS VMware ESXi 5.5 v1.2.0 Level 1 audit file lets you set the NTP server address, designate privileged users and more. Under “DCUI Access Users” in the settings of the compliance audit, you can list trusted users that are able to override the lockdown mode initiated by the scanner. The “DCUI Access Users” list is useful when there is more than one privileged account, ensuring that the ability to override lockdown mode is not bestowed upon just one user. The field labeled “SSH session timeout” lets you restrict the scanner to a designated number of minutes after which an idle SSH session will terminate. Setting a shorter SSH session timeout can increase scan efficiency; otherwise scanners can waste a lot of time in an idle session. Note that this compliance check requires credentials to complete the audit. However, not every compliance audit requires credentials.

Preparing for the Future

By choosing appropriate scan settings, you can streamline the scans on your network to be as comprehensive or lightweight as needed. With the proliferation of IoT, the average size of networks is growing quicker than ever before. By 2020, there will be an estimated 70+ billion internet-connected “things” across the world. To prepare, you’ll need to understand all of the nooks and crannies of your network. Then, you can plan your scans accordingly.

Tenable.io is an easy-to-use platform with preconfigured templates that allow you to hit the ground running. However, to comprehensively manage your network’s elastic attack surface, you must optimize the tools for the particular needs of your network.

Auditing Databases with Nessus


As a companion to another post on hardening network devices and creating baseline configurations, I wanted to look at another area where standardizing configurations can pay off in a big way. While there is plenty of fertile ground out there, I decided to focus on some specific aspects of databases. As I started reviewing recent research, I noticed a couple of interesting things from the world of finance that likely aren’t radically different from most environments. Findings in both the Verizon 2017 Data Breach Investigations Report (DBIR) and the SecurityScorecard 2016 Financial Industry Cybersecurity Research Report bear out that there are a number of challenges for security pros across financial institutions.

Background

According to the SecurityScorecard report, the majority of U.S. commercial banks surveyed scored a “C” or lower for network security, while several scored below a “C” for application security. These results indicate that paths into networks are open for attackers to leverage. This isn’t an isolated issue in the finance sector; the DBIR shows similar findings across the board, from manufacturing to retail and public administration/government.

Given these findings, security pros must be focused on keeping data where it belongs and ensuring that it’s available only to those who need it. Even if a particular environment is scoring high on both the network and application security realms, there is still the ever-present need to conform to compliance standards and security frameworks.

In most environments, the ultimate resting place of data, specifically financial data, health records and confidential trade secrets, is often any number of databases. This makes the security posture of the database itself the last line of defense for protecting data and customer information. There are literally hundreds of aspects to securing a typical database but there are two that I’m going to focus on here.

From a compliance and security framework perspective, most of the well-known standards agree on a number of things, like enforcing baseline configurations and encrypting stored data.

| Standard | Description |
|---|---|
| CIS Critical Security Controls v6 | 3.1 Establish standard secure configurations; 13.2 Deploy approved hard drive encryption |
| PCI-DSS v3.2 | 2.2 Develop configuration standards for all system components; 3.4 Render PAN unreadable anywhere it is stored |
| NIST 800-53 | CM-2 Baseline Configuration; SC-28 Protection of Information at Rest |

While these are just two places that the standards overlap, they do cover a couple of the more effective controls that we can leverage.

By creating and enforcing a standard hardened configuration for databases, we can reduce the overall attack surface and make the required ports and interfaces as secure as possible. So even if our network allows a number of paths to our data, we can close off many of them and make sure the paths stay unavailable.

By layering encryption on top of the baseline, we help fulfill the other side of the equation. Since we always have to think in terms of risk and effects, we need to consider what happens if our configuration fails and the data finds its way out. By protecting data with high-quality encryption, we make the data as useless as possible to a cyber criminal.

It’s important that all of these controls be implemented, working and monitored on a regular basis.

Tenable Solutions

Tenable provides a wide range of compliance and audit files for the most widely used commercial database platforms, like Microsoft SQL Server, Oracle Server and IBM DB2, along with MySQL, PostgreSQL and MongoDB.

Most of these platforms are covered by multiple audit files based on CIS Benchmarks or Defense Information Systems Agency (DISA) Secure Technical Implementation Guides (STIG).

These audit files provide a good foundation of industry best practice configuration settings and also include checks to validate many aspects of the encryption strategies in place.

Recent Additions

Tenable has also recently released support for Sybase ASE along with an accompanying audit file based on the CIS Sybase ASE 15.0 v1.1.0 benchmark.

CIS Sybase ASE

Sybase ASE scans can be initiated from either the Advanced Scan or the Policy Compliance Scan template. The database credentials page has been updated to add Sybase ASE as a database type for selection. Support for both plain text and RSA authentication is available.

New Scan / Advanced Network Scan

Wrap-Up

Limiting the paths that data can move in and out of your database infrastructure is a great first step in reducing your available attack surface. You should couple this with encrypting sensitive data to ensure that if any data leaves the network, it’s of as little value as possible. Even if our environment is getting straight A’s, the normal lifecycle of a network is always conspiring to introduce variations which might result in new or reopened paths appearing. Building and maintaining these end-of-the-line safeguards will continue to pay dividends.

New in SecurityCenter 5.5.2

Multi-LDAP support now available

We are pleased to announce the release of SecurityCenter® 5.5.2, which will deliver a number of exciting new capabilities. Here are some highlights:

Support for Multiple LDAP Servers

SecurityCenter 5.5.2 introduces Multi-LDAP support, allowing users to use multiple LDAP servers to authorize SecurityCenter users. This new feature removes operational overhead and administrative challenges associated with authenticating SecurityCenter users, and allows compliance with local security policies.

Support for Multiple LDAP Query Assets

Once set up, customers will also be able to utilize multiple LDAP servers in their asset lists for vulnerability scanning, dashboards, reports and other areas of the product.

Setup

If you’re currently using an LDAP server in SecurityCenter, no additional work is required. Migration will occur automatically upon upgrade and there will be no service disruption.

To set up an LDAP server in SecurityCenter for the first time, or to add additional LDAP servers, navigate to Resources > LDAP Servers.

LDAP Servers List View

From here, you can set up multiple LDAPs and associate them with organizations, giving those organizations access to that LDAP server. After that, it’s as easy as editing a user to point them to a specific LDAP to use when logging in to SecurityCenter. For more detailed instructions, review the documentation at docs.tenable.com.

Once set up, users can create LDAP Query Assets to use in asset lists. Note that a user can't add an LDAP server to an asset list unless that LDAP is associated with their organization.

LDAP Query Asset

More Information

  • If you’re a current user and want to learn more, log in to the Tenable Support Portal to review the SecurityCenter 5.5.2 release notes. Or review the official documentation at the Tenable Documentation Center.
  • Information about SecurityCenter, including whitepapers and videos, is available on our website.
  • If you’d like to see a demo or speak with a Tenable™ sales representative, please request a demo.

Responding to KRACK: What You Need To Know


A new weakness in the WPA2 protocol could allow an attacker to read information that was previously assumed to be encrypted, provided the attacker is within range of the victim.

The weakness was discovered by researchers Mathy Vanhoef and Frank Piessens from the University of Leuven, and has been dubbed KRACK (Key Reinstallation Attack).

Which devices are affected by KRACK?

The KRACK weakness works against all modern, protected Wi-Fi networks. Therefore, if a device supports Wi-Fi, it is most likely affected.

What’s the impact?

The weakness could allow an attacker to decrypt network traffic allowing him/her to steal sensitive information such as credit card numbers, passwords, emails etc. In certain configurations, it could also allow an attacker to inject or forge packets, which could be leveraged to potentially inject malware.

How does it work?

The KRACK weakness affects the Wi-Fi standard itself. This means the attack works against personal and enterprise Wi-Fi networks, against the older WPA as well as the latest WPA2 standard, and even against networks that only use the AES algorithm for encryption.

The vulnerability works by attacking the 4-way handshake of the WPA2 protocol and, in the process, tricking a victim into reinstalling a key that is already in use. Ideally it should not be possible to reuse a key, but since the WPA2 protocol does not prevent key reuse, attackers can exploit this weakness by manipulating cryptographic handshakes.

In a typical 4-way handshake, a client installs the key after receiving message 3 of the handshake. This key is subsequently used to encrypt normal data frames with an encryption protocol. But because messages often get lost or dropped, an access point may resend message 3 multiple times if it does not receive an acknowledgment, in which case the client reinstalls the key and resets the nonces.

If an attacker can reset these nonces at will (which this weakness makes possible) by collecting and replaying retransmissions of message 3 of the 4-way handshake, the encryption protocol can be attacked, resulting in decryption of packets.
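As an added illustration (not Tenable's or the researchers' code), the following Python model shows the client behaviour described above: a supplicant that reinstalls the key and resets its packet-number nonce on a retransmitted message 3 reuses a nonce, and therefore a keystream, while a client that refuses to reinstall an already-installed key does not. The PTK value is constructed and HMAC-SHA256 over (key, nonce) stands in for the real per-frame keystream; only the state-machine logic is the point.

```python
"""Toy model of the WPA2 4-way handshake client state that KRACK abuses.

Added illustration only; not Tenable's or the researchers' code. The PTK
value is constructed, and HMAC-SHA256 over (key, nonce) stands in for the
real per-frame keystream. Only the state-machine logic is the point.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Client:
    """A supplicant that installs the session key on handshake message 3."""
    patched: bool                    # True: never reset the nonce for a key already in use
    ptk: Optional[bytes] = None      # installed session key (stand-in for the PTK)
    packet_number: int = 0           # per-key nonce counter of the data-confidentiality protocol
    nonces_used: List[int] = field(default_factory=list)

    def receive_message3(self, ptk: bytes) -> bool:
        """Handle message 3; returns True if the key was (re)installed."""
        if self.patched and self.ptk == ptk:
            # Fixed behaviour: the key is already installed, so a retransmitted
            # message 3 is acknowledged without touching the key or the nonce.
            return False
        # Vulnerable behaviour: every (re)installation resets the packet number,
        # so a replayed message 3 makes the client reuse nonces it already spent.
        self.ptk = ptk
        self.packet_number = 0
        return True

    def send_frame(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame with a keystream derived from (key, nonce)."""
        self.packet_number += 1
        nonce = self.packet_number
        self.nonces_used.append(nonce)
        keystream = hmac.new(self.ptk, nonce.to_bytes(6, "big"), hashlib.sha256).digest()
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
        return nonce, ciphertext


def simulate(patched: bool) -> Dict[str, object]:
    """Message 3, one frame, a retransmitted message 3, then another frame."""
    ptk = b"\x11" * 32  # constructed session key
    p1, p2 = b"first data frame ", b"second data frame"
    client = Client(patched=patched)
    client.receive_message3(ptk)
    n1, c1 = client.send_frame(p1)
    client.receive_message3(ptk)  # retransmission: genuine loss, or a replay
    n2, c2 = client.send_frame(p2)
    return {
        "nonces": (n1, n2),
        "nonce_reused": n1 == n2,
        "plaintexts": (p1, p2),
        "ciphertexts": (c1, c2),
    }


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reused(result: Dict[str, object]) -> bool:
    """Why the reset matters: two frames under one (key, nonce) share a
    keystream, so c1 XOR c2 equals p1 XOR p2 and the encryption leaks."""
    c1, c2 = result["ciphertexts"]
    p1, p2 = result["plaintexts"]
    return xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    for patched in (False, True):
        r = simulate(patched)
        print("patched" if patched else "vulnerable", r["nonces"],
              "nonce reused:", r["nonce_reused"],
              "keystream reused:", keystream_reused(r))
```

The patched branch is the behaviour vendor fixes restore: a key that is already in use is never reinstalled, so the nonce counter keeps advancing.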

Tenable coverage of KRACK

Tenable has released several Nessus® plugins to detect systems affected by the KRACK weakness. The following table summarizes Tenable's coverage.

| Vendor | Plugin ID | Description |
|---|---|---|
| Microsoft | 103745 | Windows 10 Version 1703 October 2017 Cumulative Update (KRACK) |
| Microsoft | 103746 | Windows 7 and Windows Server 2008 R2 October 2017 Cumulative Update (KRACK) |
| Microsoft | 103747 | Windows 10 Version 1511 October 2017 Cumulative Update (KRACK) |
| Microsoft | 103748 | Windows Server 2012 October 2017 Cumulative Update (KRACK) |
| Microsoft | 103749 | Windows 10 Version 1607 and Windows Server 2016 October 2017 Cumulative Update (KRACK) |
| Microsoft | 103750 | Windows 8.1 and Windows Server 2012 R2 October 2017 Cumulative Update (KRACK) |
| Microsoft | 103816 | Windows 2008 October 2017 Multiple Security Updates (KRACK) |
| Cisco | 103856 | Cisco ASA FirePOWER Services Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II (KRACK) |
| Aruba | 103855 | ArubaOS WPA2 Key Reinstallation Vulnerabilities (KRACK) |
| Mikrotik | 103857 | MikroTik RouterOS < 6.39.3 / 6.40.4 / 6.41rc (KRACK) |
| FreeBSD | 103862 | FreeBSD : WPA packet number reuse with replayed messages and key reinstallation (d670a953-b2a1-11e7-a633-009c02a2ab30) (KRACK) |
| Ubuntu | 103863 | Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : wpa vulnerabilities (USN-3455-1) (KRACK) |
| Debian | 103859 | Debian DSA-3999-1 : wpa - security update (KRACK) |
| Intel | 103870 | Intel Wireless Driver Wi-Fi Protected Access II (WPA2) Multiple Vulnerabilities (KRACK) |
| Fortinet | 103873 | FortiGate |
| Ubiquiti Networks | 103875 | Ubiquiti Networks UniFi 3.9.3.7537 (KRACK) |

Protecting your organization from KRACK

As patches become available, you should consider which systems expose the network to the greatest risk (those that use Wi-Fi), define a series of checks and then test patches before rolling them out to all systems in the network. Note that key reinstallation is primarily a client-side weakness: patching access points alone does not protect unpatched laptops, phones and IoT devices, so both sides need updates.

Tenable products can assist in identifying systems in the network that may require patching and ensure that systems for which patches are available are properly updated. Tenable will continue to provide coverage for products as patches are rolled out by vendors.

KRACK Dashboard

SecurityCenter® has a new dashboard, WPA2 Key Reinstallation Attack (KRACK) Vulnerability Detection, that focuses specifically on this new weakness. This dashboard provides an analysis of the Wi-Fi infrastructure and the systems that need to be secured against the KRACK vulnerability.

KRACK Dashboard

Stay tuned for more updates

Tenable is keeping a close eye on this story as it develops. Our team will release coverage as additional patches from vendors become available and this post will be updated as new plugins are released.   


Capture the Flag with Mr. Robot


The hacker-favorite TV show, Mr. Robot, is back on with a great season three opener that features a Capture-the-Flag contest. As the show begins, Elliot decides he needs to stop stage 2 from taking place. Needing a computer to close the backdoor he left in Season 2, Darlene and Elliot travel to the hackerspace in an attempt to find Internet access.

At the hackerspace, Elliot talks to a contestant who proclaims he was a CyberPatriot finalist. Elliot and the contestant discuss how to poison the data collected by the Minesweeper game. Elliot is invited into the CTF and captures the final flag, securing the hackerspace a spot at the CTF.

What is CyberPatriot?

CyberPatriot is a national youth cyber education program created by the Air Force Association (AFA) to inspire K-12 students to pursue careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation's future. If you'd like to become involved with the CyberPatriot program, visit their website to learn more.

The Capture The Flag Hack

The CTF flag Elliot completed was an actual flag used in a CTF in 2012. Python's pickle module can do more than you might think. By crafting a malicious pickle and tricking a service into unpickling it, you can make the service run code of your choosing, including reading files on the remote server. In this episode, Elliot tells a participant in the CTF challenge to do just that against the Python remote service running the classic Windows game Minesweeper. When the hacker protests that they thought of that but don't have the encryption key, Elliot tells him how to get the key: save an almost-finished game to obtain the encrypted version of the pickled field dictionary, then XOR that with the pickled version of the reconstructed field dictionary to recover the encryption key (a known-plaintext attack on the XOR encryption). More details about the hack can be found at 29C3 CTF.
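The two halves of the trick above, as an added example that is not code from the post or from the 29C3 challenge: a pickle whose unpickling calls an attacker-chosen function (`os.getcwd` stands in for `open()` or `os.system`), the known-plaintext recovery of a repeating XOR key from an encrypted save, and the server-side fix, an `Unpickler` subclass whose `find_class` refuses every global reference so only plain data can be loaded. The field dictionary, the key and the repeating-key XOR scheme are assumptions for the demonstration, not details of the real service.

```python
import io
import os
import pickle
from itertools import cycle

# Constructed stand-in for the game state a Minesweeper-style service pickles.
FIELD = {"size": (8, 8), "mines": [(0, 1), (3, 4)], "revealed": [(2, 2), (5, 5)]}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; assumed here as the service's 'encryption' of saved games."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(saved_game: bytes, reconstructed_field: dict, key_len: int) -> bytes:
    """Known-plaintext attack: XOR the encrypted save with the pickle of the
    field we reconstructed ourselves; what remains is the (repeating) key."""
    plain = pickle.dumps(reconstructed_field)
    return xor_bytes(saved_game, plain)[:key_len]


class Payload:
    """Unpickling this calls an attacker-chosen callable.
    os.getcwd is a harmless stand-in for open(...) or os.system(...)."""

    def __reduce__(self):
        return (os.getcwd, ())


def load_game_unsafe(blob: bytes):
    return pickle.loads(blob)          # runs whatever __reduce__ named


class RestrictedUnpickler(pickle.Unpickler):
    """Plain dicts, lists, tuples, ints and strings never trigger find_class,
    so refusing every global lookup blocks the payload but not legitimate saves."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_game_safe(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    key = b"k3y!"                                  # constructed key
    saved = xor_bytes(pickle.dumps(FIELD), key)    # what the server hands back on save
    recovered = recover_key(saved, FIELD, len(key))

    blob = pickle.dumps(Payload())                 # attacker's crafted save file
    ran = load_game_unsafe(blob)                   # vulnerable server: callable executes
    try:
        load_game_safe(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    return {
        "key_recovered": recovered == key,
        "unsafe_ran_callable": ran == os.getcwd(),
        "safe_blocked": blocked,
        "safe_loads_legit": load_game_safe(pickle.dumps(FIELD)) == FIELD,
    }
```

The broader lesson is the one the pickle documentation itself gives: never unpickle data from an untrusted source, and if a service must accept serialized state from clients, restrict `find_class` to an allowlist (or use a data-only format such as JSON) and authenticate the blob with a MAC so a recovered XOR key is not enough to forge one.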

The Back Door

In the episode, Elliot talks about the backdoor he left when deploying the femtocell. A backdoor is often hidden on a system and disguised as a regular service; at other times the attacker simply leaves an unexpected port listening. In the example below, I am using Netcat to simulate an unauthorized backdoor.

netstat

In this example, you can see how to use netstat to look for a listening port that doesn't belong. Port 1337 ("leet") is a port that attackers and demonstrations commonly use for exactly this purpose, so it is the one we'll use as our example port. As you'll see below, port 1337 is not authorized.

While the netstat command is great and useful on a local host, running netstat commands on all computers in your network is not practical. Tenable.io™ has the ability to do port scans, techniques of which are discussed in this blog post. The results of a port scan using Tenable.io would show that port 1337 and port 22 are open.

portscan
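Checking one host by eye is fine for a screenshot; at scale the same comparison has to be automated. The following is an added example, not code from the post: it parses `netstat -tlnp`-style output (the sample below is constructed, not the screenshot above), ignores loopback-only listeners, and reports any port that is not in a baseline of authorized listeners or whose program name differs from the baseline. The baseline and the sample lines are assumptions for the demonstration.

```python
import re

# Constructed sample output of `netstat -tlnp` on Linux (not the post's screenshot).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      915/cupsd
tcp        0      0 0.0.0.0:1337            0.0.0.0:*               LISTEN      4242/nc
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
"""

# Assumed baseline: port -> program that is allowed to listen on it.
AUTHORIZED = {22: "sshd"}

LOOPBACK = {"127.0.0.1", "::1"}

LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)/(\S+)"
)


def parse_listeners(text: str) -> list:
    """Return one record per LISTEN line: proto, local address, port, pid, program."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "LISTEN":
            continue            # header line, non-matching format or not a listener
        proto, addr, port, _state, pid, prog = m.groups()
        found.append({"proto": proto, "addr": addr, "port": int(port),
                      "pid": int(pid), "program": prog})
    return found


def unauthorized_listeners(text: str, authorized: dict = AUTHORIZED) -> list:
    """Listeners reachable from the network that are absent from the baseline
    or served by a program other than the one the baseline expects."""
    anomalies = []
    for rec in parse_listeners(text):
        if rec["addr"] in LOOPBACK:
            continue            # local-only services are out of scope here
        expected = authorized.get(rec["port"])
        if expected is None or expected != rec["program"]:
            anomalies.append(rec)
    return anomalies
```

Run against the sample, the only anomaly is `nc` on 1337. The program-name check matters as much as the port check: a backdoor bound to an authorized port but served by the wrong binary is flagged too, which is something an unauthenticated port scan alone cannot tell you.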

Wrapping Up

Using Tenable.io, you can perform different types of port scans within your network, including TCP connect scans, SYN scans and credentialed netstat-based enumeration. By reviewing the results for anomalies, you can detect the outlying ports. With Tenable.io, customers can find out whether Mr. Robot left any backdoors open in their network.

Tenable.io provides visibility into any asset on any computing platform and allows you to schedule scans on a regular basis, ensuring you always have the most useful, up-to-date information. Start a free 60-day trial of Tenable.io for your organization today.

Securing Your Industrial Control Systems Today


The United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) have detected a coordinated effort by malicious actors to compromise the country's critical infrastructure, including organizations in government, aviation, power production, energy production and some critical manufacturing sectors. These infrastructures typically include Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that control the physical processes.

These attacks are ongoing.

The “ownership” of any one of these critical infrastructures by a malicious actor would cause significant economic and social distress to the United States. On October 20 and 21, DHS and the FBI jointly published Technical Alert TA17-293A entitled “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors”.

Let’s Look at These Attacks at a High Level

The attackers are carefully choosing high-value targets rather than randomly looking for targets of opportunity. They are conducting “open source” research on the targets by studying publicly available information, which reveals business partners, data on employees, data on infrastructure and so on. All of this data is useful for identifying targets and designing attacks.

The present attacks follow a pattern of compromising weakly defended networks, typically operated by suppliers or contractors, that are connected to more strongly defended critical infrastructure targets. Once compromised, the partner/contractor network is used as a bridge to attack the critical infrastructure network. This effectively takes advantage of the trust relationship that exists between the subcontractors/partners and the primary objective of the attack, the critical infrastructure network. The attackers are also manipulating “watering hole” domains - for example, trade and informational websites that relate to Industrial Control, Process Control and Critical infrastructure.

Targeted, critical infrastructure-themed spear-phishing emails are used to collect user credentials. The attachments are Microsoft Office documents that use legitimate Office functionality to fetch a file from an SMB server under the attackers' control. The SMB server may be owned by the malicious actors or may be a compromised machine owned by the victim. When the victim's Windows host connects, it authenticates to that server automatically, which allows the attackers to capture the authentication exchange and harvest credentials from it. The compromised watering hole domains use a similar SMB credential-stealing technique.
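The network-side symptom of both the document lure and the watering hole is the same: an internal workstation opening an SMB connection (TCP 445 or 139) to an address outside the organization. The following is an added example, not code from the advisory or the post, that runs that check over constructed firewall log lines in a simple key=value format; the log format, the internal address ranges and the sample records are assumptions for the demonstration.

```python
import ipaddress
import re

# Assumed internal address space; an organization would substitute its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

# Constructed firewall/flow log lines (key=value style); not from any real device.
SAMPLE_LOG = """\
2017-10-20T14:02:11Z src=10.20.5.17 dst=10.20.5.40 dport=445 proto=tcp action=allow
2017-10-20T14:02:13Z src=10.20.5.17 dst=203.0.113.9 dport=445 proto=tcp action=allow
2017-10-20T14:02:15Z src=10.20.7.3 dst=198.51.100.25 dport=443 proto=tcp action=allow
2017-10-20T14:02:19Z src=10.20.7.3 dst=192.0.2.77 dport=139 proto=tcp action=allow
2017-10-20T14:02:20Z src=10.20.7.3 dst=192.0.2.77 dport=139 proto=tcp action=deny
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a record with an integer dport."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smb(log_text: str) -> list:
    """Internal source talking SMB to a non-internal destination.

    Denied attempts are reported as well: the host tried, which is the
    indicator that a lure document or watering hole fired on it.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if (f["proto"] == "tcp" and f["dport"] in SMB_PORTS
                and is_internal(f["src"]) and not is_internal(f["dst"])):
            hits.append(f)
    return hits
```

Against the sample this flags the two hosts reaching 203.0.113.9 and 192.0.2.77 while leaving the internal file-server traffic alone. Beyond detection, the practical control is the one implied by the technique: block outbound TCP 445 and 139 at the perimeter, so the document can fetch nothing and the authentication exchange never leaves the network.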

Using the stolen credentials, the attackers access the victim network and:

  • Download tools to establish presence, persistence and control
  • Create user accounts
  • Attempt to escalate the privilege of these user accounts
  • Disable any host firewalls
  • Establish Remote Desktop Protocol access
  • Install VPN clients

As of this writing, no actual ICS/SCADA network has been maliciously manipulated. It appears as if the attackers are still in the analysis phase. For example, the attackers have viewed files related to wiring diagrams, SCADA panel layouts and so-on. That said, a foothold has been established within the target environments that could be leveraged for something far more sinister in the future.

Now that we’ve got a basic understanding of the attacks, let’s take a step back.

The Reality is That We’ve Seen This Movie Before

We observe that the current attacks are in many ways similar to those conducted against the Ukrainian power grid in late 2015. Open source research, credential harvesting, studying the internal infrastructure, establishing persistent presence and the installation of tools on the victim network were all performed many months before the actual attack against the ICS infrastructure. This appears to be exactly what the malicious actors are doing against United States targets. This is exactly why early detection is so important, and why these attacks are being taken so seriously.

In both the Ukrainian attacks and the current U.S. attacks, the “traditional” IT network was the initial vector of the attack. There are several reasons for this:

  • The malicious operators harvested credentials from the IT network.
  • The malicious operators conducted research on the infrastructure layout accessing systems using the harvested credentials.
  • In most cases, there are connections between the traditional IT network and the ICS network that can be leveraged through the use of harvested credentials.
  • In the case of the Ukrainian attack, the harvested credentials allowed devastating access into the ICS network.

To accomplish these objectives, the malicious actors had to:

  • Exploit vulnerabilities
  • Exploit weak endpoint configurations
  • Install malware
  • Create new user accounts

The reality is that “owning” the IT network is an effective way to ultimately “own” the ICS network, since for critical infrastructure operators the two are intimately related.

For operators of critical infrastructure, both the traditional IT environment and the ICS environment must be continuously monitored not only for indicators of compromise but also for proper configuration, the presence of vulnerabilities, and changes of state to the endpoints.

Some recommendations include:

  • Discover all assets, all the time to understand and reduce risk due to “unknown unknowns”
  • Continuously monitor devices for vulnerabilities
  • Constantly search for the presence of unknown software or active unknown processes on endpoints
  • Continuously monitor critical infrastructure devices for proper secure configuration and detect systems where the configuration has mysteriously changed
  • Monitor for changes in critical directories or executable files to detect malicious modifications
  • Monitor for new user accounts on endpoints which may have been created by malicious actors
  • Continuously monitor the ICS environment for vulnerabilities and unusual traffic patterns
  • Detect, monitor and understand in detail the connections that exist between the IT network and the ICS network
  • Detect, monitor and understand in detail the connections that exist between “trusted” third parties and the IT network
  • Detect, monitor and understand any outside connections that may exist directly to the ICS network
  • Insist that “trusted” third parties comply with minimum security standards
  • Consider universal adoption of two-factor authentication

How Tenable Can Help

Tenable is uniquely positioned to help operators of critical infrastructure implement these recommendations and understand their Cyber Exposure. Nessus, the industry gold standard of vulnerability assessment and compliance auditing, serves as the foundational Tenable platform to help both IT Security and ICS Operations teams ensure they know what assets are on the network at any given time and continuously assess them for vulnerabilities. Nessus Network Monitor passively analyzes network traffic to provide continuous visibility into managed and unmanaged assets on the network, including IT, Operational Technology and IoT assets. Nessus Network Monitor includes capabilities for asset discovery and vulnerability identification on critical infrastructure and embedded systems, such as ICS and SCADA systems, which require a non-intrusive approach to vulnerability management.

Try Tenable.io Vulnerability Management, which includes Nessus Network Monitor, free for 60 days by requesting an evaluation.

Given that the threat is real and ongoing, there is now a sense of urgency for operators of critical infrastructure to be diligent in the configuration and monitoring of their IT and ICS environments.

Detecting Bad Rabbit Ransomware


A new ransomware dubbed Bad Rabbit hit several targets and began spreading across Russia and Eastern Europe on Tuesday, October 24, 2017. The ransomware exploits the same MS17-010 SMB vulnerabilities that the WannaCry and Petya ransomware used to wreak havoc in the past few months. As new ransomware built on the Shadow Brokers exploits runs wild, Tenable.io Vulnerability Management (VM) users have the tools to stay ahead of it and reduce their overall Cyber Exposure.

What is Bad Rabbit and what does it do?

According to early reports, Bad Rabbit Ransomware uses a fake Flash update to lure unsuspecting users into installing the ransomware, resulting in the encryption of their data. Whether the attackers honor the payment or just keep asking for more money, the best approach is to patch your systems today and avoid the issue altogether.

Closing the Cyber Exposure Gap

Tenable.io users are well placed. By using active scanning and agent-based scanning, customers can easily identify the vulnerable assets across the exposed attack surface. The existing Petya and WannaCry plugins will display systems that are vulnerable to MS17-010, and these assets should be patched immediately.

Tenable.io™ Vulnerability Management has the following two plugins, released earlier this year, to detect vulnerable systems:

  • 97737 - MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
  • 97833 - MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)

Malware Scanning to Close the Gap

The Cyber Exposure gap keeps expanding as new assets connect to the network, and vulnerability scanning alone does not cover every aspect of the modern attack surface. Scanning with the malware plugins, such as Malicious Process Detection (59275) and others, lets you better detect and eliminate cyber risk across all assets. Other plugins that are useful to enable during scanning are:

  • Web Site Hosting Malicious Binaries (71024)
  • Linux Malicious Process Detection (71261)
  • Mac OS X Malicious Process Detection (71263)
  • Malicious File Detection (88961)
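The plugins above work by hashing files (or the executables behind running processes) and comparing the digests to a list of known-bad hashes. The following is an added example, not code from the post or from the Nessus plugins: it hashes every regular file under a directory in chunks and reports the ones whose SHA-256 is on a blocklist. The files and the blocklist entry are constructed in a temporary directory (the "fake flash update" name and bytes are made up for the demonstration and are not real Bad Rabbit artifacts).

```python
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, known_bad: set) -> list:
    """Walk root, hash every regular file and return (relative path, digest)
    for those whose digest appears in known_bad. Symlinks are skipped so a
    planted link cannot drag the scan outside the tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest in known_bad:
                hits.append((os.path.relpath(path, root), digest))
    return sorted(hits)


def demo() -> dict:
    # Constructed "dropper" bytes; the blocklist is seeded with their hash the
    # way a real blocklist would be seeded from a threat-intelligence feed.
    dropper = b"MZ\x90\x00constructed fake flash installer payload"
    known_bad = {hashlib.sha256(dropper).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Downloads"))
        files = {
            os.path.join("Downloads", "fake_flash_update.exe"): dropper,
            os.path.join("Downloads", "report.docx"): b"PK\x03\x04 a harmless document",
            "notes.txt": b"just text",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        hits = scan_tree(root, known_bad)
    return {"scanned": len(files), "hits": [h[0] for h in hits]}
```

Hash matching is exact by nature: a single byte changed in a repacked sample produces a different digest, so a blocklist catches known samples and nothing else. That is why the post pairs it with vulnerability scanning, which finds the MS17-010 exposure whether or not a given variant's hash is known yet.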

In the image below, we can see the result of a scan of a system whose running processes are considered malware. Such systems should be quarantined and analyzed forensically to establish the extent of the compromise.

Bad Rabbit scan result Tenable.io

How to find Assets

As part of the Cyber Exposure lifecycle, you will need to assess and analyze assets to understand and ultimately mitigate your cyber risk. You can use the VM Vulnerabilities workbench in Tenable.io to close in on vulnerabilities and reduce your Cyber Exposure gap. To use the workbench, you will need to create an advanced search and apply the following filters:

Bad Rabbit advanced search Tenable.io

After you apply the search, you will see the affected assets and you can take the first steps in mitigating your cyber risk.  

Bad Rabbit Tenable.io workbench

As your modern attack surface changes, you must set up vulnerability scanning to collect data using active scanning and agent scanning. This assessment process allows you to detect changes in the network and establish the state of your network against your previously defined baseline. A good baseline tracks indicators such as hardening standards, known assets and the locations of critical assets. The next step in the Cyber Exposure lifecycle is to analyze. Tenable.io allows you to put assets in the correct context to better understand and establish the priority of mitigation efforts. If the WannaCry or Petya vulnerabilities are still in your network, assets with these vulnerabilities need to be moved to the top of your priority list.  

Wrap up

Most ransomware exploits well-known vulnerabilities that already have patches available. Implementing a proactive security program that includes regular patching and system updating is one of the best strategies you can use to prevent malware from infecting your systems. Make it a regular habit to patch and protect your assets.

For more information

  • Learn more about Tenable.io, the first vulnerability management platform for all modern assets
  • Get a free 60-day trial of Tenable.io

Many thanks to the Tenable research team for their contributions to this blog.

A Diverse Cyber Workforce is Critical in the Next Era in Technology & Business


We are at a critical inflection point in technology and business today. On one hand, we are on the cusp of realizing the transformative impact of innovations like IoT and Artificial Intelligence. And yet we continue to see crippling cybersecurity breaches within organizations of all kinds. Large, small, retail, finance, government, healthcare—no organization or industry is immune from the threat of cyber attack.

Stemming the growing tide of cyber threats does not come down to a single company, or a single platform. It will require a sea change in the way that we think about and approach security. First, from a technology standpoint, we need to shift our thinking on cybersecurity from protecting against the “threat of the week” to a comprehensive approach that considers all aspects of an organization’s cyber exposure in real time. Even more fundamental, however, is the need for a new cyber workforce strategy that develops and advances the ranks of people from all walks of life.

This week, the fourth of National Cyber Security Awareness Month, the conversation is rightly focused on careers, and with good reason: according to the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. In our industry, diversity is not a nice-to-have. It is a necessity. We will not be able to adequately address growing cyber threats until we find a way to build a larger, more diverse and inclusive workforce.

Women constitute only 14 percent of the cybersecurity workforce in North America and just 11 percent of the cyber workforce globally. African-Americans make up only three percent of the information security analysts in the United States. This can and must change. The lack of women and minorities in cybersecurity careers is the Achilles heel of our industry. 

At Tenable, we believe that change can begin within our walls. I’m proud to work for a company and a CEO, Amit Yoran, that is committed to diversity and is willing to back up the rhetoric with policies that help move the needle. For example, our company employs the “Rooney Rule” for hiring job candidates. The Rooney Rule is a National Football League (NFL) policy that requires teams to interview minority candidates for head coaching and senior football operations jobs. While there’s no preference given to minority candidates per se, the rule ensures that minority candidates are considered. It’s been highly effective in its goal to increase the number of minority coaches—roughly 25 percent of NFL head coaches are now black or another minority, up from two percent prior to the implementation of the rule. It’s also a winning strategy: since 2007, 10 Super Bowl finalists have had a minority head coach or general manager. It’s clear that the NFL’s efforts to build a more diverse workforce have resulted in a stronger, more competitive league overall. Like football, cybersecurity is a team sport. And we have a similar opportunity to build a stronger, more responsive cybersecurity workforce. We’d love to see other companies join us in implementing these types of strategies.

However, the Rooney Rule is not a silver bullet for diversity. There are many factors that will ultimately contribute to a more diverse workforce, including early education and learning opportunities at the high school and college level. While the private sector can lead the way, we also need buy-in and partnership from the government. We applaud recent efforts by policymakers to address diversity, and also support initiatives including those from the National Initiative for Cybersecurity Education (NICE) designed to help address the cybersecurity workforce shortage within the federal government, where a diverse and skilled workforce will be critical to enable the savings and efficiencies stakeholders are targeting from growing investments in cloud computing and security-as-a-service solutions.

If we are to meet the security demands of the next era, we must begin taking concrete steps now to increase the number of minorities and women in the cybersecurity workforce. Only through increased inclusion and diversity in perspective and thought can our industry achieve greater creativity, innovation, and develop new solutions to our most vexing challenges.

Reaper IoT Botnet


The new modern attack surface encompasses many emerging technologies such as the Internet of Things (IoT). As IoT becomes more integrated into the business communications path and the security boundary of your organization begins to blur, the risk of vulnerable IoT devices such as routers, cameras and video recorders will continue to increase.

About the Reaper Botnet

On October 20, 2017, researchers at the Chinese security firm Qihoo 360 and the Israeli firm Check Point detailed a new IoT botnet based in part on the Mirai botnet code. The main difference between Mirai and this new botnet is that Reaper relies on exploits instead of brute-forcing passwords as its infection method. The Reaper malware is leveraging nine vulnerabilities affecting home routers made by Linksys and D-Link; IP cameras and digital network video recorders made by VACRON, NUUO, NETGEAR, AVTECH, Maginon, Avacom, and others. Some of these vulnerabilities have patches available but unfortunately, many consumers never take the necessary steps to patch IoT devices in their homes.

Current Impact

Researchers have found that several tens of thousands of devices have been infected and over two million are queued to be infected. So far, from the Command and Control (C&C) traffic, researchers have only seen the botnet focus on growing its numbers; no malicious payload has been observed. However, the malware is modular: components can be loaded to expand the botnet's capabilities, which makes the potential for someone to use the botnet for other attacks very high.

Detection of Vulnerable Devices

IoT Reaper Scan

Tenable.io Vulnerability Management and Nessus provide you with plugins to detect IoT devices vulnerable to the Reaper IoT botnet. The vulnerabilities detected are:

Tenable will continue to monitor the Reaper botnet and add additional coverage if new exploits are added to the Reaper malware.

Wrap-up

Botnets often use well-known vulnerabilities and exploits to propagate their code to devices, which in turn become bots. These well-known vulnerabilities can often be remediated through patches or software updates. Implementing a proactive security program that includes regular patching and software updating is one of the best strategies you can use to prevent botnets from growing. Make a regular habit of scanning your IoT devices and updating them as necessary to protect your assets.

For more information

  • Learn more about Tenable.io, the first vulnerability management platform for all modern assets
  • Get a free 60-day trial of Tenable.io Vulnerability Management

Many thanks to the Tenable research team for their contributions to this blog.
