Channel: Tenable Blog

Instagram Porn Bots Evolve Methods for Peddling Adult Dating Spam

Incentivized by affiliate programs, scammers are evolving how they utilize fake Instagram accounts to target users on the popular social media platform.

As social networking services rose to prominence in the early part of this century, the services themselves and all manner of other businesses saw the revenue potential that came with targeted advertisements tailored to individual interests. At the same time, scammers, who until this point had relied on email as their vehicle to promote adult dating and webcam-based scams, were quick to capitalize on the burgeoning platforms — albeit in shadier ways — in order to earn money from affiliate sign-ups. 

In the years since, an entire cottage industry of scammers has cropped up, using bots to redirect social media users to fake accounts in order to game the lead-generation system. Indeed, since 2016, Instagram users have been subjected to a variety of scammers peddling adult dating and webcam spam via porn bots. The activities of the porn bots range from simply following Instagram account holders to liking and commenting on their photos to, more recently, exchanging direct messages with them. 

To its credit, Instagram, which attained 1 billion monthly active users (MAU) in 2018, has worked to thwart the operators of these porn bot accounts, but, as you can imagine, it is a cat-and-mouse game. Having researched this space for many years, I find that game fascinating. This post highlights some of the notable trends I’ve recently observed with Instagram porn bots, such as the use of intermediary accounts and bots using literary quotes in their photo captions, and discusses the driving force behind their presence, as part of my continued effort to educate Instagram users.

Instagram Porn Bots

[Image: a self-contained Instagram porn bot profile with a link and suggestive text in its bio]

Historically, Instagram porn bots were self-contained, performing activities such as liking photos and following users, with a link directly in their bio along with suggestive text, as seen in the example above. These porn bots have since made some simple changes, for instance, altering their profile images with Story rings around them to make it seem as though they’ve posted an Instagram Story, and removing the suggestive text.

[Image: a porn bot profile with a Story ring and no suggestive text]

However, in an effort to bypass some of the mechanisms in place to detect this type of activity, porn bot operators began to leverage what I’m referring to as intermediary accounts.

How Porn Bots Use Intermediary Accounts

[Images: the “kayla” intermediary account following a user, and its profile with an empty photo grid]

In this example, the intermediary account, “kayla,” follows a user. Visiting this profile shows there are no photographs on the account. However, the bio contains emojis and the words “My Nude Pics Here” spaced out with periods in between. The added punctuation is an attempt to bypass whatever automated measures Instagram may have in place to detect such text.

The reason this is considered an intermediary account is because it instructs users to visit a different profile. In this case, the “kayla” intermediary account is linking to a “babe” account.

[Image: the “babe” account the intermediary points to, with a Bitly link in its bio]

Similar to the intermediary account, the “babe” account also doesn’t contain any photos. However, this bio contains no obfuscation of the text, directly stating “All nude pics posted on website, look” with a link to a Bitly-shortened URL.

Not having any sort of activity associated with the “babe” accounts allows them to persist on the service without getting flagged by automated means. Based on intelligence from some of the domains used in the “babe” campaign, it appears the person behind that particular campaign has been actively pursuing Instagram porn bot spam since at least the middle of 2016. They’ve registered close to 1,300 domains since 2016, nearly 100 of them in the last six months.

Prevalence of “Babe” and Similar Instagram Accounts

There are quite a few similarly named “babe” accounts on Instagram. They all have the phrase “ALL NUDE PICS POSTED ON WEBSITE, LOOK” along with emojis in their bios, but only a handful of accounts have Bitly-shortened URLs as well, indicating these are actively being used. It is unclear if the accounts without Bitly-shortened URLs have been abandoned after they served their purpose or if they are spare accounts ready to be used once the active accounts have been removed by Instagram.

[Image: search results showing many similarly named “babe” accounts]

In addition to the “babe” accounts, there are other accounts with a different naming convention that are essentially identical. The same Bitly-shortened URL was used by several “babe” accounts as well as an “n_” account, indicating that each batch of accounts was generated by the same person.

[Images: “babe” and “n_” accounts sharing the same Bitly-shortened URL]

Use of “Novel” Porn Bot Accounts

Even as we see an uptick in the use of intermediary accounts, some porn bot accounts on Instagram still follow users directly to capture their attention. I recently observed a new batch of accounts that were slightly different from normal porn bot accounts. These accounts aren’t blank; they typically contain a maximum of three photographs. Their names contain two random emojis, one at the beginning and one at the end. For instance, one account named “Carolyn Jones” has the vulcan salute emoji followed by a smiling face with horns emoji.

[Image: the “Carolyn Jones” account, with emojis around the name and three unrelated photos]

What’s peculiar about the photos on this account is their seemingly random nature, which appears to be an intentional effort to avoid suspicion. These accounts differ from typical porn bot accounts in three ways:

  • They don’t promote sexually suggestive imagery, which most porn bot accounts do. 
  • The woman in the images doesn’t appear to be the same person from photo to photo. 
  • There is no tagline in the bio and no short URL.

[Image: a photo from the “Carolyn Jones” account captioned with a truncated quote from The Count of Monte Cristo]

The random images themselves don’t contain links or any suggestive commentary either. Instead, they include some text that appears to be truncated. In the example above, the image contains a quote from The Count of Monte Cristo by Alexandre Dumas.

Similarly, another porn bot account named “Pamela Turner” included another truncated Dumas quote from The Count of Monte Cristo, albeit from a different source.

[Image: a photo from the “Pamela Turner” account captioned with another truncated Dumas quote]

Another porn bot account named “Denise Sanders” had very little text on each image, save for one image that included a shorter, truncated quote.

[Image: a photo from the “Denise Sanders” account with a short truncated quote]

This account wasn’t quoting Dumas, opting instead for a truncated quote from George R.R. Martin’s novel A Game of Thrones.

In some respects, these accounts are novel in their approach, and at the same time they also use quotes from novels, which is why I’m referring to these as “Novel Accounts.”

“Conversing” With A Porn Bot in Direct Messages

Since Novel Accounts and other porn bot accounts with nothing in their bios aren’t promoting their adult dating spam in public, they do so privately in direct messages. Following one of these accounts and initiating a conversation leads to "conversations" in broken English, such as this one with “Carolyn Jones” from earlier.

[Image: direct message exchange with the “Carolyn Jones” account]

A similar “conversation” occurred with "Pamela Turner" as well.

[Image: direct message exchange with the “Pamela Turner” account]

What is interesting about these “conversations” is the delay between responses. The “Carolyn Jones” porn bot account took an hour to respond to the initial message, while the “Pamela Turner” porn bot account took five hours to respond. A subsequent message did not receive a response for nearly 22 hours. The reason for the delay is unclear. It could be a feature in the bot configuration to attempt to evade automated mechanisms looking for bot-related behavior within Instagram Direct Messages.

In both “conversations,” the same domain was used in the initial message with a different name in the path (Alison, Amy) despite their account names being entirely different (Carolyn, Pamela). Interestingly enough, in the latter exchange the second link used a different URL but with the same path (Amy).

One thing to note is that, while these Novel Accounts appear to be unique and may be operated by a single spam operator, engaging with Instagram users via direct messages to peddle spam links isn’t unique.

Fake “Safe” Instagram URL Message

Another Instagram porn bot tactic I’ve observed involves faking an Instagram page that claims a URL has been deemed as safe by Instagram.

[Image: a fake “Leaving Instagram” page claiming the link has been checked and is safe]

The porn bot in this case links a user to a website via the short URL service TinyURL. The “Leaving Instagram” page is hosted on a .xyz domain and merely acts as an obfuscation layer to convince the user that the link they’re browsing to is indeed safe.

Non-Mobile Users Redirected to Benign Pages

In some instances, if a link is visited from a computer, users will be redirected to a non-adult themed page. For instance, one of the campaigns I’ve observed while browsing on a desktop will serve up a saved copy of an old article from the Planetary Society that contains broken images and stylesheets.

[Image: a saved copy of an old Planetary Society article, with broken images and stylesheets, served to desktop visitors]

Visiting this same link from a mobile device will result in a 302 redirect to the scammer’s intended website. While this might be viewed as an effort to thwart examination by a researcher on a computer, there are ways around it for research purposes. However, the real intention behind the redirects is likely to ensure that the “lead” is coming from a mobile device and not a computer, in order to comply with the adult dating affiliate program guidelines.
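A quick way to see this cloaking for yourself is to request the same link with a desktop and a mobile User-Agent while refusing to follow redirects, then compare where each chain ends. The script below is an added example written for this post, not tooling from the original article. The User-Agent strings are arbitrary, and the fake_fetch function is a constructed stand-in for the scammer’s server (mobile visitors get a 302, desktops get a 200 page) so that the script runs offline; point compare_user_agents at a real short URL with the default fetch to examine a live campaign.

```python
import urllib.error
import urllib.parse
import urllib.request

# User-Agent strings are assumptions: any current desktop and mobile UA will do.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 "
             "Mobile/15E148 Safari/604.1")
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url, user_agent, timeout=10):
    """Issue one GET and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx responses surface here because redirects are not followed
        return err.code, err.headers.get("Location")


def follow_chain(url, user_agent, fetch=fetch_once, max_hops=6):
    """Walk the redirect chain hop by hop; return [(status, url), ...]."""
    chain = []
    current = url
    for _ in range(max_hops):
        status, location = fetch(current, user_agent)
        chain.append((status, current))
        if status not in REDIRECT_CODES or not location:
            break
        current = urllib.parse.urljoin(current, location)
    return chain


def compare_user_agents(url, fetch=fetch_once):
    """Report whether desktop and mobile visitors end up at different hosts."""
    desktop = follow_chain(url, DESKTOP_UA, fetch)
    mobile = follow_chain(url, MOBILE_UA, fetch)
    desktop_host = urllib.parse.urlsplit(desktop[-1][1]).hostname
    mobile_host = urllib.parse.urlsplit(mobile[-1][1]).hostname
    return {
        "desktop_chain": desktop,
        "mobile_chain": mobile,
        "cloaked": desktop_host != mobile_host,
    }


# Constructed stand-in for the scammer's server so the script runs offline:
# mobile visitors get a 302 to the prelander, desktops get a 200 page.
def fake_fetch(url, user_agent):
    if url == "http://short.example/abc":
        if "Mobile" in user_agent:
            return 302, "http://prelander.example/survey?aff=123"
        return 200, None
    return 200, None


if __name__ == "__main__":
    print(compare_user_agents("http://short.example/abc", fetch=fake_fetch))
```

A clean desktop result is not proof that a link is benign: some campaigns also key on the Referer header, the client IP’s geolocation or the time of day, so run the mobile chain from a residential connection before concluding anything.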

Group Instagram Direct Messaging

Outside of intermediary or Novel Accounts, some scammers opt to take a more direct approach when pushing adult dating spam: send out a group direct message to a large number of users.

[Image: the “Dorothy” account adding 25 users to an Instagram Direct group]

In the case above, a porn bot account named “Dorothy” added 25 users to an Instagram Direct message chat. According to Instagram, users can add up to 32 users to an Instagram Direct message thread.

Anyone can send an Instagram Direct message to a user, but messages from accounts the recipient doesn’t follow are filtered into a separate “Message Requests” section. The bots normally don’t change the group name, but sometimes they do, naming a group “my very hot photos,” for example.

[Image: a group named “my very hot photos” in the Message Requests section]

A mass Instagram Direct message from one of these porn bots asks the user if they want to let “Dorothy” message them; the link and image thumbnail aren’t displayed to the recipient.

[Image: the message request prompt asking whether to let “Dorothy” send messages]

Once the message request is accepted, it reveals a link and thumbnail claiming to direct the user to the pin-up model community site, SuicideGirls.

[Image: the accepted request revealing a link and thumbnail claiming to lead to SuicideGirls]

In another example, the porn bots include links claiming to direct users to OnlyFans, a social networking service with a less-restrictive content policy that’s used by models and porn actors to offer content via subscriptions.

[Image: a group message with a link claiming to lead to OnlyFans]

These links do not lead users to the SuicideGirls or OnlyFans websites after all. Just like the links from the other porn bot accounts above, they lead to a hookup site intermediary page.

Intermediary Pages for Adult Dating and Webcam Sites

While I’ve noted the presence of Intermediary accounts, Instagram porn bot operators also leverage intermediary sites (referred to as a “prelander” page) designed to serve up varying campaigns to direct users to different adult-themed dating and webcam sites.

[Images: a “prelander” page and its sexual-preference “survey”]

The user is asked to fill out a “survey” about their sexual preferences, which leads to the intended adult dating or webcam website. In these instances, they lead to websites called Snapcheat and Sinder, a play on the popular social networking and dating apps Snapchat and Tinder. Included in these URLs are query strings containing parameters about campaign identifiers and, most importantly, affiliate identifiers.
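Those affiliate and campaign identifiers are the most useful thing in the whole chain for attribution: two links that pay out to the same affiliate account belong to the same operator, whatever the Instagram account names used to spread them. The Python below is an added example for this post, not tooling from the original article. The parameter names it recognizes (aff, aff_id, pub, cid, sub1 and so on) are assumptions covering common affiliate-network spellings, not the names used by the campaigns described here, and the landing URLs are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Parameter names vary per affiliate network; these are assumptions that
# cover common spellings, not names taken from the campaigns in the post.
AFFILIATE_KEYS = ("aff", "aff_id", "affid", "affiliate", "a", "pid", "pub")
CAMPAIGN_KEYS = ("cid", "campaign", "camp", "c", "sub", "sub1", "s1")


def extract_ids(url):
    """Return (host, affiliate_id, campaign_id) from one landing URL."""
    parts = urlsplit(url)
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items() if v}
    aff = next((params[k] for k in AFFILIATE_KEYS if k in params), None)
    camp = next((params[k] for k in CAMPAIGN_KEYS if k in params), None)
    return parts.hostname, aff, camp


def cluster_by_affiliate(urls):
    """Group landing URLs by affiliate id, across hosts and campaigns.

    Links sharing an affiliate id are paid to the same account, which is the
    strongest signal that one operator is behind all of them.
    """
    clusters = defaultdict(lambda: {"hosts": set(), "campaigns": set(), "urls": []})
    for url in urls:
        host, aff, camp = extract_ids(url)
        if aff is None:
            continue  # no affiliate parameter: this link cannot be attributed
        entry = clusters[aff]
        entry["hosts"].add(host)
        if camp is not None:
            entry["campaigns"].add(camp)
        entry["urls"].append(url)
    return dict(clusters)


# Constructed sample of final landing URLs (hosts and ids are made up).
SAMPLE_URLS = [
    "https://snapcheat.example/signup?aff_id=4471&cid=ig_babe_07",
    "https://sinder.example/join?aff=4471&campaign=ig_novel_02",
    "https://sinder.example/join?aff=9020&campaign=dm_group_01",
    "https://snapcheat.example/signup?cid=ig_babe_08",   # no affiliate id
    "https://camsite.example/?pub=4471&sub1=ig_dm_amy",
]

if __name__ == "__main__":
    for aff, info in cluster_by_affiliate(SAMPLE_URLS).items():
        print(aff, sorted(info["hosts"]), sorted(info["campaigns"]), len(info["urls"]))
```

Feed it the final URLs after the short-link and prelander hops have been resolved; the identifiers usually survive the redirect chain intact because the network needs them to credit the affiliate.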

[Image: the Snapcheat and Sinder sign-up URLs, with campaign and affiliate identifiers in the query string]

Affiliates and Bots: Like Peanut Butter and Jelly 

As discussed in a VICE piece about the money trail behind Instagram porn bots, the goal of the intermediary pages is to get male Instagram users to sign up for adult dating and webcam services like Snapcheat and Sinder. The services themselves rely on affiliate programs to bring in new users. Affiliate programs are quite common and used by many e-commerce sites. In the world of adult dating and webcam sites, these affiliate programs are not so stringent when it comes to cracking down on fraudulent activity. After all, the goal is to get more users to sign up to their websites.

In most cases, the affiliate earns a lead simply by convincing the user to sign up to one of these adult dating or adult webcam websites. The action required is usually defined in the affiliate offer as the “flow.” In most cases, when a user completes the “free user registration” flow, it qualifies as a converted lead, which is usually worth anywhere between $2 and $5. 

The Holy Grail of leads is when an affiliate offer includes verbiage like "CC submit," which is when an affiliate can convince the user to submit their credit card to sign up for a service for a free trial. If the user doesn’t cancel the supposedly “free” trial, they are often billed between $40 and $100, which ensures that the affiliate gets a higher payout versus a free user registration lead.

In the case of most Instagram porn bot spam, the affiliates are leveraging free user registration affiliate offers. Therefore, we can surmise that those responsible for Instagram porn bot spam are focused on generating a large quantity of leads via simple sign-ups, versus pursuing the more lucrative offers that require the user to submit a credit card. The latter tactic has a higher barrier to entry which is, therefore, reflected in the affiliate payout amount. Despite the intermediary pages asking users if they are over the age of 18, users are still directed to the adult dating and webcam sites, making it likely that even underage teens are clicking on the links and signing up for the websites.

We reached out to Bitly and Instagram to provide them with information about the scam activity. Bitly confirmed it has suspended the account and removed the URLs generated by the scammer. Instagram did not respond as of the time of this publication. 

Link Activity from Instagram Spam

The URLs used in Instagram porn bot spam vary between direct links to intermediary sites and short URLs that mask the actual destination. Based on the short URL statistics we were able to obtain from a limited number of campaigns, the average number of clicks per link is roughly 285. That average is skewed by the wide spread between links, from a lower bound of nine clicks to an upper bound of over 1,000.

Bitly provides a breakdown on the clicks for each short URL. For instance, below is a breakdown of one of the of the larger volume short URLs used in one of the “babe” campaigns. 

[Image: Bitly click breakdown by referrer for one of the larger “babe” campaign links]

When we pulled the statistics for this particular Bitly link on June 21, it showed over 1,000 clicks, 97% of which originated from Instagram, with a smaller subset coming from Facebook and a more generic bucket.

[Image: Bitly click breakdown by location for the same link]

Geographic distribution of interaction with the Bitly link shows it is highly concentrated in the United States, but its reach spreads across 80 locations worldwide.

Conclusion

As long as Instagram has such a high volume of active users, it will continue to be a haven for porn bot scammers. After all, just as advertisers flock to social networking services like Instagram looking to capitalize on all of the eyeballs affixed to their screens, one should expect scammers won’t be far behind.

However, the only thing constant is change, so we anticipate these tactics will shift over time as the cat-and-mouse game continues to be played. For these scammers, one particular Dumas quote accurately depicts their efforts: “all human wisdom is summed up in two words; wait and hope.”

WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581)

Scanner for “BlueKeep” vulnerability and newly minted exploits for Exim and Jira incorporated into cryptocurrency mining malware.

Background

On July 24, researchers at Intezer published a blog about a new variant of the WatchBog malware. WatchBog is a “cryptocurrency mining botnet” that deploys a Monero (XMR) miner on infected systems. WatchBog was previously identified by Alibaba Cloud in May 2019, but there are indications that it has been around since at least November 2018, based on a blog post from Sudhakar Bellamkonda.

Analysis

Most notable in the new variant of WatchBog is a scanning module for BlueKeep (CVE-2019-0708), a critical remote code execution vulnerability in Microsoft’s Remote Desktop Services that was patched in May 2019, with fixes that included out-of-support versions of Windows. The scanner module appears to be a port of a proof-of-concept scanner published to GitHub nearly two months ago. However, the module variant described in the Intezer blog doesn’t contain any exploit code.

According to the researchers, WatchBog will scan a predefined list of IP addresses fetched from a command-and-control (C2) server to identify vulnerable Windows systems. The researchers surmise that the inclusion of such a module is to prepare for future attacks once exploit code does become public, or to sell the data on vulnerable systems to a third party.

In its latest iteration, WatchBog has incorporated new exploits into what it refers to as its “pwn” modules. The two newly added exploits target recently disclosed vulnerabilities:

  • CVE-2019-10149, a remote command execution flaw in the Exim mail transfer agent
  • CVE-2019-11581, a server-side template injection flaw in Atlassian Jira Server and Data Center

These two vulnerabilities join three other exploits in WatchBog’s “pwn” modules, as well as two bruteforcing modules targeting databases.

The following is the list of exploits, scanners and bruteforcing modules incorporated into WatchBog:

CVE                 Affected Product                          Patched    Type        Privileges
CVE-2018-1000861    Jenkins                                   Dec 2018   Exploit     Unauthenticated
CVE-2019-7238       Nexus Repository Manager 3                Feb 2019   Exploit     Unauthenticated
CVE-2019-0192       Apache Solr                               Mar 2019   Exploit     Unauthenticated
CVE-2019-10149      Exim                                      Jun 2019   Exploit     Unauthenticated
CVE-2019-11581      Atlassian Jira Server and Data Center     Jul 2019   Exploit     Both
CVE-2019-0708       Microsoft Remote Desktop Services         May 2019   Scanner     Unauthenticated
N/A                 CouchDB                                   N/A        Bruteforce  N/A
N/A                 Redis                                     N/A        Bruteforce  N/A

Proof of concept

There are proofs-of-concept (PoCs) available for all of the vulnerabilities used by WatchBog.

CVE                 Affected Product                          Proof of Concept Source
CVE-2018-1000861    Jenkins                                   Blog
CVE-2019-7238       Nexus Repository Manager 3                GitHub
CVE-2019-0192       Apache Solr                               GitHub
CVE-2019-10149      Exim                                      GitHub
CVE-2019-11581      Atlassian Jira Server and Data Center     GitHub
CVE-2019-0708       Microsoft Remote Desktop Services         GitHub

Solution

For Windows users, applying the patch to address BlueKeep is paramount. The inclusion of the BlueKeep scanner is worrisome enough, but the lingering possibility that exploit code may soon become public underscores the sheer importance of patching against it. This is highlighted by a recent report that there are over 800,000 systems vulnerable to BlueKeep that are still internet accessible.

All of the vulnerabilities leveraged by WatchBog have been patched over the last eight months. Users running Jenkins, Nexus Repository Manager 3, Apache Solr, Exim, or Atlassian Jira Server and Data Center should apply the available patches as soon as possible.

If you have CouchDB or Redis servers in your environment, ensure they are not exposed publicly. If they must be, require strong and unique passwords, and review the CouchDB and Redis security guides.
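The bruteforce modules only get anywhere against a Redis instance that either has no password or has a guessable one, and the usual follow-on (writing a cron entry or SSH key by pointing the dump file at a sensitive directory) additionally needs CONFIG to be reachable. The check below is an added example for this post, not WatchBog code or a Tenable plugin, and covers Redis only; CouchDB is an HTTP API and needs a different probe. It speaks the RESP wire format directly, so nothing beyond the standard library is required. The replies are constructed to match what an open, a password-protected, and a CONFIG-renamed server send.

```python
import socket


def encode_command(*args):
    """Encode a command as a RESP array, the wire format Redis expects."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def parse_reply(raw):
    """Decode the first RESP reply in raw: simple string, error, bulk string or array."""
    if raw.startswith(b"+"):
        return "ok", raw[1:raw.index(b"\r\n")].decode()
    if raw.startswith(b"-"):
        return "error", raw[1:raw.index(b"\r\n")].decode()
    if raw.startswith(b"$"):
        head_end = raw.index(b"\r\n")
        length = int(raw[1:head_end])
        if length < 0:
            return "bulk", None
        return "bulk", raw[head_end + 2:head_end + 2 + length].decode(errors="replace")
    if raw.startswith(b"*"):
        return "array", raw.decode(errors="replace")
    return "other", raw.decode(errors="replace")


def assess(ping_reply, config_reply):
    """Turn the replies to PING and CONFIG GET dir into a finding.

    NOAUTH on PING means requirepass is set. PONG means no password; whether
    CONFIG then answers decides how easy the instance is to turn into a foothold.
    """
    kind, text = parse_reply(ping_reply)
    if kind == "error" and text.startswith("NOAUTH"):
        return "auth-required"
    if kind != "ok" or text != "PONG":
        return "not-redis-or-unreachable"
    ckind, _ = parse_reply(config_reply)
    if ckind == "error":
        return "open-no-auth-config-blocked"   # CONFIG renamed or disabled
    return "open-no-auth-config-exposed"


def check_host(host, port=6379, timeout=3):
    """Run the two probes against a live host (not used by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("PING"))
        ping = sock.recv(4096)
        sock.sendall(encode_command("CONFIG", "GET", "dir"))
        config = sock.recv(4096)
    return assess(ping, config)


# Constructed replies, as the three kinds of server would send them.
OPEN_PING = b"+PONG\r\n"
OPEN_CONFIG = b"*2\r\n$3\r\ndir\r\n$14\r\n/var/lib/redis\r\n"
LOCKED_PING = b"-NOAUTH Authentication required.\r\n"
RENAMED_CONFIG = b"-ERR unknown command `CONFIG`, with args beginning with: `GET`, `dir`,\r\n"

if __name__ == "__main__":
    print(assess(OPEN_PING, OPEN_CONFIG), assess(LOCKED_PING, b""), assess(OPEN_PING, RENAMED_CONFIG))
```

An “open-no-auth-config-exposed” result on anything reachable from outside your network deserves the same urgency as the patches above: set requirepass, bind to a private interface, and rename or disable CONFIG in redis.conf.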

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here:

Additionally, customers can utilize custom YARA rules as well as the file scanning feature on Tenable.io and Nessus to scan for hashes associated with WatchBog on Linux hosts.

[Image: the Tenable.io malware file scanning settings]

The following Linux malicious file detection and YARA plugins are available to customers:

Intezer provided three SHA-256 sample hashes that can be used in a list of known bad hashes:

In the user interface, customers can provide a list of known bad hashes:

[Image: the known bad hashes list populated with the WatchBog hashes]

There are some advanced options that customers can use to scan $PATH locations, /home as well as custom directories.

[Images: advanced options for scanning $PATH locations, /home and custom directories]

The following is an example scan result for known bad hashes for WatchBog:

[Image: example scan result listing a file matching a known bad hash]
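For hosts that aren’t covered by a credentialed scan, the same check is easy to run locally: hash every regular file under the interesting directories and compare against the known bad list. The script below is an added example for this post, not Tenable’s plugin logic. The three Intezer hashes are not reproduced here, so KNOWN_BAD holds placeholder digests of constructed sample content; the extra roots /tmp and /var/tmp are an assumption beyond the $PATH and /home locations the options above cover, chosen because that is where droppers commonly land.

```python
import hashlib
import os
import stat
import tempfile

# Placeholder hashes: the SHA-256 of constructed sample content, not real malware.
# Replace with the Intezer hashes (or your own) to use this for real.
KNOWN_BAD = {
    hashlib.sha256(b"#!/bin/sh\n# constructed sample A\n").hexdigest(),
    hashlib.sha256(b"#!/bin/sh\n# constructed sample B\n").hexdigest(),
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not get read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_roots(roots, known_bad=KNOWN_BAD, max_size=64 << 20):
    """Hash every regular file under roots; return [(path, sha256)] that match."""
    hits = []
    seen = set()
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                    continue  # skip symlinks, devices, sockets and huge files
                key = (st.st_dev, st.st_ino)
                if key in seen:
                    continue  # hard links: hash the inode once
                seen.add(key)
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue
                if digest in known_bad:
                    hits.append((path, digest))
    return hits


def default_roots():
    """$PATH entries plus /home, and (an assumption) the world-writable temp dirs."""
    roots = [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    roots += ["/home", "/tmp", "/var/tmp"]
    return [r for r in dict.fromkeys(roots) if os.path.isdir(r)]


def build_demo_tree():
    """Create a throwaway directory holding one matching and one benign file."""
    root = tempfile.mkdtemp(prefix="hashscan-demo-")
    with open(os.path.join(root, "bad.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\n# constructed sample A\n")
    with open(os.path.join(root, "ok.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho benign\n")
    return root


if __name__ == "__main__":
    for path, digest in scan_roots(default_roots() + [build_demo_tree()]):
        print("MATCH", digest, path)
```

Hash matching only finds samples you already know about; a recompiled or repacked WatchBog binary slips past it, which is why the YARA rule in the next section is the more durable control.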

Additionally, Intezer provided a custom YARA rule that can be used to identify unknown or newly discovered WatchBog samples. The following is an example scan output for the YARA file scanning plugin.

[Image: example scan output from the YARA file scanning plugin]

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Critical Vulnerabilities Dubbed URGENT/11 Place Devices Running VxWorks at Risk of RCE Attacks

Eleven critical vulnerabilities, including RCEs, denials of service, information leaks and logical flaws, were recently disclosed, impacting the VxWorks RTOS.

Background

The Armis Research Team has released an advisory for URGENT/11, 11 critical vulnerabilities in VxWorks, a Real-Time Operating System (RTOS) found in over 2 billion devices, including critical industrial, medical and enterprise hardware. Wind River, the maintainer of VxWorks, released patches on July 19 for all 11 of the vulnerabilities.

Analysis

VxWorks is an RTOS found in a wide array of devices such as firewalls, medical equipment and industrial control systems. The vulnerabilities affect VxWorks’ TCP/IP stack (IPnet) and could allow attackers to circumvent Network Address Translation (NAT) and firewalls via maliciously crafted IP packets. Wind River acquired the IPnet networking stack in 2006. Prior to this, the stack was licensed to and used by other real-time operating system vendors, which potentially widens the number of affected devices that have yet to be patched. The scale and potential impact of these vulnerabilities put them on par with the likes of WannaCry and ETERNALBLUE.

Armis has published a video providing an overview of URGENT/11 and its potential impact.

The vulnerabilities and their details, as listed in Wind River's URGENT/11 security advisory:

CVE              CVSSv3   Component            Title
CVE-2019-12256   9.8      TCP/IP Stack         Stack overflow in the parsing of IPv4 packets’ IP options
CVE-2019-12257   8.8      DHCP Client          Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
CVE-2019-12255   9.8      TCP Urgent Pointer   TCP Urgent Pointer = 0 leads to integer underflow
CVE-2019-12260   9.8      TCP Urgent Pointer   TCP Urgent Pointer state confusion caused by malformed TCP AO option
CVE-2019-12261   8.8      TCP Urgent Pointer   TCP Urgent Pointer state confusion during connect() to a remote host
CVE-2019-12263   8.1      TCP Urgent Pointer   TCP Urgent Pointer state confusion due to race condition
CVE-2019-12258   7.5      TCP Connection       DoS of TCP connection via malformed TCP options
CVE-2019-12259   6.3      TCP/IP Stack         DoS via NULL dereference in IGMP parsing
CVE-2019-12262   7.1      ARP Handler          Handling of unsolicited Reverse ARP replies (Logical Flaw)
CVE-2019-12264   7.1      DHCP                 Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
CVE-2019-12265   5.4      IGMP                 IGMP Information leak via IGMPv3 specific membership report
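The titles above describe what the malformed traffic looks like, which is enough to write a coarse network detector while vendors work through their patches. The Python below is an added example for this post, not code from Armis or Wind River, and it models nothing of IPnet’s internals; it parses a raw TCP header and flags three of the patterns: URG set with an urgent pointer of 0 (CVE-2019-12255), a TCP-AO option (kind 29, per RFC 5925) too short to carry its KeyID and RNextKeyID (CVE-2019-12260), and options that don’t parse at all (CVE-2019-12258). The sample segments are constructed. This is a heuristic, so expect the occasional benign hit and apply it only to traffic destined for hosts your OS identification shows as VxWorks.

```python
import struct

TCP_FLAG_URG = 0x20
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_AO = 0, 1, 29   # TCP-AO option kind per RFC 5925


def parse_tcp_options(raw):
    """Yield (kind, payload) for each option; raise ValueError on malformed ones."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d without length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        yield kind, raw[i + 2:i + length]
        i += length


def flag_tcp_segment(segment):
    """Return the reasons a raw TCP segment looks like an URGENT/11-style probe."""
    if len(segment) < 20:
        return ["truncated TCP header"]
    (_src, _dst, _seq, _ack, off_res, flags,
     _win, _csum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return ["data offset %d outside segment" % data_offset]
    reasons = []
    if flags & TCP_FLAG_URG and urg_ptr == 0:
        reasons.append("URG flag set with urgent pointer 0")          # CVE-2019-12255
    try:
        for kind, payload in parse_tcp_options(segment[20:data_offset]):
            if kind == TCP_OPT_AO and len(payload) < 2:
                # TCP-AO needs at least KeyID and RNextKeyID after its length byte
                reasons.append("TCP-AO option too short (%d bytes)" % (len(payload) + 2))
    except ValueError as err:
        reasons.append("malformed TCP options: %s" % err)           # CVE-2019-12258
    return reasons


def build_segment(flags, urg_ptr=0, options=b""):
    """Construct a TCP header with no payload; ports, sequence numbers and checksum are arbitrary."""
    options = options + b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, flags, 8192, 0, urg_ptr)
    return header + options


# Constructed segments for the three checks plus a normal SYN.
NORMAL_SYN = build_segment(0x02, options=b"\x02\x04\x05\xb4")        # MSS 1460
URG_ZERO = build_segment(0x18 | TCP_FLAG_URG, urg_ptr=0)             # PSH|ACK|URG, pointer 0
BAD_AO = build_segment(0x10, options=bytes([TCP_OPT_AO, 2]))         # AO with no body
BAD_LEN = build_segment(0x10, options=b"\x02\x10\x05\xb4")           # MSS claims 16 bytes

if __name__ == "__main__":
    for name, seg in (("syn", NORMAL_SYN), ("urg0", URG_ZERO), ("ao", BAD_AO), ("len", BAD_LEN)):
        print(name, flag_tcp_segment(seg))
```

The segment bytes are what you get after stripping the Ethernet and IP headers, so the function drops straight into a pcap reader or a passive sensor that already hands you layer-4 payloads.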

Proof of Concept

While no Proof of Concept (PoC) code has been released for these vulnerabilities, the Armis team has provided two videos demonstrating how an attacker could compromise internal assets from other internet-facing devices:

Solution

Organizations and individual users will need to apply updates from their respective device vendors in order to fix these vulnerabilities within their environments. Vendors like SonicWall and Xerox have reportedly released updates for their affected devices. Detection and mitigation may take some time, however, given the sheer magnitude of the number of devices utilizing VxWorks.

Tenable will add active and passive plugins as patches and updates become available from different vendors. Our OS Identification plugin can enumerate hosts running VxWorks, which will be available in the plugin output section in the scan results for a given asset. Tenable Nessus Network Monitor (NNM) currently offers multiple VxWorks detection plugins, and proactively detects assets that may be running vulnerable versions of VxWorks.

For users seeking guidance on configuring NNM and creating useful notifications for VxWorks devices, please see our NNM configuration and usage documentation or reach out to our support team at https://support.tenable.com.

Identifying affected systems

A list of plugins to identify these vulnerabilities will appear here as they’re released. Please note that vulnerability detection plugin creation also relies on vendor support for any given device. As there are likely to be further updates from vendors in response to these vulnerabilities, we encourage organizations to examine the plugin output of our detection plugins as well to identify vulnerable systems in addition to utilizing specific vulnerability detection.

CVE-2019-0708: BlueKeep Exploits Could Be Around the Corner

Nearly 80 days after the announcement of BlueKeep, threats of exploitation remain. Those who have not patched remain at risk as rumors of exploit scripts surface.

Background

In May 2019, Microsoft released a patch for CVE-2019-0708, dubbed BlueKeep, a critical remote code execution vulnerability that could allow an unauthenticated attacker to exploit a vulnerable host running Remote Desktop Protocol (RDP). Microsoft took the unusual step of publishing a blog post announcing security updates for out-of-support versions of Windows, including Windows XP and Windows Server 2003, and warning that BlueKeep could be as impactful as the WannaCry worm that spread in May 2017. Despite the criticality of the issue, reports suggest that over 800,000 machines remain vulnerable. The number of unpatched machines is concerning considering exploits have been developed and proof of concept (PoC) code continues to appear on popular sites like GitHub.

Analysis

As we outlined in our May blog, BlueKeep is a pre-authentication vulnerability that requires no user interaction and allows arbitrary code to be run on a vulnerable remote target. Less than 24 hours after Microsoft’s disclosure on Patch Tuesday, Microsoft Security Response Center (MSRC) warned of the potential for BlueKeep to be widely exploited and wormed. Several projects began to pop up on sites like GitHub with fake exploits and malicious code. Since May, that number continues to increase and there are many claims of working examples.

Our own Tenable Researchers worked tirelessly following Patch Tuesday to develop plugins to identify vulnerable assets both through unauthenticated remote checks, and authenticated local checks. Our authenticated local plugins were released within hours of Microsoft’s disclosure, while an unauthenticated remote plugin was released just a week after the BlueKeep disclosure.

In the weeks since BlueKeep was announced, coverage and interest in exploitation continue to increase. For example, security vendor Immunity has announced an exploit module, and independent researcher zerosum0x0 has developed an exploit which may soon be found in open source tools. In addition, a new variant of the WatchBog malware now includes a scanning module for BlueKeep. The vulnerability has gained so much attention that US-CERT released an alert urging users and administrators to take action immediately.

Solution

Tenable recommends applying the appropriate patches immediately. Microsoft has provided updates for Windows 7, Windows Server 2008 and Windows Server 2008 R2. Additionally, Microsoft has provided patches for out-of-support systems, including Windows XP and Windows Server 2003.

Tenable also recommends the following mitigation steps:

  • Enabling Network Level Authentication (NLA). Microsoft recommends NLA as a mitigation; it is not a substitute for the patch, but an organization may choose to deploy it in addition to patching.
  • Blocking RDP (Default is TCP port 3389) at your perimeter firewall.
  • Disabling any unused services.
  • Upgrading end-of-life (EOL) operating systems.

Identifying affected systems

Tenable’s remote plugin for CVE-2019-0708 can be found here. This plugin can be used to identify affected systems without providing credentials.

For identifying systems without NLA enabled, please use plugin 58453.
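Whether NLA is enforced can be checked from the network without credentials, which is the idea behind a check like plugin 58453. The added example below is written for this post and is not Tenable’s plugin code. It sends an X.224 Connection Request that asks only for standard RDP security (requestedProtocols = 0): a server that enforces NLA answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER, while one that accepts the request, or replies with a bare Connection Confirm, lets sessions start without NLA. Field layouts follow MS-RDPBCGR; the sample replies are constructed. This says nothing about whether the host is patched, and a host with NLA enabled is still vulnerable to BlueKeep until the update is applied.

```python
import socket
import struct

# Values from MS-RDPBCGR (X.224 Connection Request/Confirm and RDP negotiation).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
NLA_FAILURE_CODES = {5, 6}   # both mean the server insists on user auth before a session


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested_protocols)   # little-endian per spec
    # X.224 CR: length indicator, TPDU code 0xE0, dst-ref, src-ref, class option
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(x224) + len(neg_req))
    return tpkt + x224 + neg_req


def parse_connection_confirm(data):
    """Classify the server's reply to the request above."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return {"kind": "not-rdp"}
    if len(data) < 19:
        # Bare Connection Confirm with no RDP_NEG_RSP: legacy server, standard RDP security only
        return {"kind": "legacy", "nla_required": False}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == NEG_RSP:
        return {"kind": "response", "selected_protocol": value, "nla_required": False}
    if neg_type == NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN"),
                "nla_required": value in NLA_FAILURE_CODES}
    return {"kind": "unknown"}


def probe_nla(host, port=3389, timeout=5):
    """Connect to a live host and report whether NLA is enforced (not used by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(sock.recv(1024))


# Constructed server replies, laid out as MS-RDPBCGR describes them.
NLA_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")  # failure 5
NLA_OPTIONAL = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")  # accepted RDP
LEGACY_CC = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")                              # no neg block

if __name__ == "__main__":
    for name, reply in (("required", NLA_REQUIRED), ("optional", NLA_OPTIONAL), ("legacy", LEGACY_CC)):
        print(name, parse_connection_confirm(reply))
```

Run probe_nla only against hosts you own; the request is a single negotiation packet and the socket is closed before any session is established, but it will still show up in RDP connection logs.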

A list of all plugins to identify BlueKeep (CVE-2019-0708) is available here.

5 Tech Support Factors to Look for When Choosing a VM Solution

In my experience running Technical Support for Tenable, I’ve gained valuable insight into what makes a strong vendor/customer relationship. Here are my five tips for making the most of Technical Support. 

As November approaches, marking two years since I joined Tenable, I’m reflecting on what I’ve learned as our Technical Support organization has grown to become a leader in the Vulnerability Management space.

When you make any large scale technology purchase, Technical Support may not be the first thing you think about. But, after making a critical decision for your security infrastructure, after the product is installed, Technical Support is where the rubber meets the road. Over the long term, Technical Support is the place you'll turn to again and again to find ways to make the most out of your technology deployment. 

Choosing a vendor is never easy. But choosing a vendor that is unable to provide you with strong Technical Support throughout the length of your relationship could derail your whole project.

5 Tech Support Factors to Look for When Choosing a VM Solution

Based on what I’ve seen and heard from our customers over the past two years, here are five things to look for when considering the Technical Support aspects of any vendor relationship:

  1. Response times. When you contact a vendor’s technical support organization, you want answers and you want them quickly. Look for an organization where your calls are answered in less than 30 seconds. Make sure the TS organization is staffed globally, not just in one region or time zone, so you can be assured a Technical Support Engineer (TSE) is always ready and available to help.
  2. Full-time technical support engineers. Look for vendors that operate technical support in house. When TSEs are full time employees of your vendor, you’ll experience globally consistent processes and 24x7x365 response times.
  3. Committed relationships. There’s nothing more frustrating than having your technical issue bounced amongst various support engineers, putting you in the position of having to constantly repeat your issue and explain it multiple times to multiple TSEs. Ask your vendor whether you’ll get a dedicated engineer who will take your issue and own it throughout the customer support lifecycle and stay with you until it’s resolved. 
  4. Rich and extensive Knowledge Base and Community. Choose a vendor that gives you the tools you need for self-education. Does your vendor have world-class technical knowledge publications? Is there a community portal where you can turn to your peers for advice about making the most of your deployment? If not, you may want to look elsewhere. 
  5. Engineers who aren’t afraid to be human. Is the vendor you’re evaluating providing its team with ongoing training in so-called “soft skills”? There’s more to technical support than resolving technical issues. A support team that lacks the emotional intelligence to understand your organization’s broader challenges will only be able to take you so far. Make sure you’re choosing to work with organizations where TSEs are fully trained in understanding the customer’s perspective. 

New Capabilities to Automatically Discover and Assess Rogue Assets

Few organizations have sufficient visibility into their attack surface—until now. Tenable announces new asset discovery capabilities across on-premises and cloud environments. 

Visibility into all assets across your attack surface is a foundational capability in cybersecurity. There is a reason why it’s step 1 in the Cyber Exposure lifecycle: you cannot secure what you cannot see. Many security frameworks, such as NIST CSF and SANS Controls, emphasize this point by including asset management and inventory at the beginning of their lists of essential controls. 

Despite the fact that asset discovery is so fundamental to cybersecurity, very few organizations have it mastered. In fact, only 29% of 2,400 IT and security professionals recently surveyed by Ponemon Institute believed their organizations have sufficient visibility into their attack surface. This is a critical problem for organizations of all sizes and industries.

There are three key reasons why asset discovery is so hard:

  1. Assets are more dynamic than ever. The modern attack surface is constantly expanding, contracting and evolving, with new devices constantly connecting to and leaving the network and IT services spinning up and down. 
  2. New device types are accelerating. You are no longer just responsible for securing traditional IT assets. Now you’re responsible for mobile devices, cloud instances, DevOps processes and operational technology (OT) that integrates with your IT networks. 
  3. The number of unknown assets is increasing. Despite your best efforts, there will always be devices and IT services across your organization that go unsanctioned or unaccounted for. But with the rise in bring-your-own-device (BYOD) policies and the proliferation of IaaS instances and SaaS-based applications, the number of “known unknowns” is rapidly expanding.

Traditional vulnerability management (VM) solutions haven’t kept up with this modern asset evolution. Active scanning alone is unable to detect frequent changes in the attack surface or gain visibility into new SaaS applications or OT devices. Cybersecurity leaders require new Cyber Exposure approaches to continuously discover known and unknown assets across on-prem and cloud environments.

Introducing New Rogue Asset Discovery Capabilities

Today, we’re excited to announce a series of new innovations in Tenable.io and Tenable.sc to help you not only automatically detect every asset across your computing environments, but also assess them for vulnerabilities and misconfigurations. These new capabilities are provided natively in our base VM platforms at no additional cost without the need for a separate application that would create another data silo. Here’s what’s new:

Nessus Network Monitor (NNM) Discovery Mode

NNM — which is used to provide passive monitoring capabilities in Tenable.io and Tenable.sc — has been a trailblazer in the world of passive network monitoring with over 10 years of customer deployments. It offers some of the industry’s broadest asset coverage, with visibility into traditional IT, SaaS applications, mobile devices and OT and IoT devices without the need for third-party integrations. Passive monitoring with NNM is an essential ingredient for attack surface visibility, complementing existing active and agent-based scans to detect assets and vulnerabilities continuously. This helps to eliminate blind spots between active scans and identify previously unknown assets when they are active on your network. 

Now with Discovery Mode, you can use NNM within Tenable.io and Tenable.sc to continuously monitor your networks to discover rogue assets without the need to consume a product license. This new capability will be available in both products later this year.

Tenable Cloud Connector Auto Discovery

In addition to NNM that is deployed on-prem, you also need continuous visibility into your cloud assets and IaaS instances as workloads are rapidly created and turned off. Tenable Cloud Connectors provide live visibility into AWS, Azure and GCP cloud environments so you know which cloud instances are active at any given time. Data collected from the cloud connectors is fully integrated into Tenable.io alongside other asset information.

Now with Cloud Connector Auto Discovery, you can automatically collect and track cloud assets from all member accounts associated with the master cloud account without any manual intervention or configuration. This ensures that you have continuous visibility into your cloud environments, even in cloud accounts you may not have known existed until now. This new capability is available today in Tenable.io.

Rogue Asset Automatic Assessment

What good is asset discovery alone if you are unable to quickly and automatically assess those assets for vulnerabilities and misconfigurations? It’s critical that you are able to quickly scan all newly discovered assets without any manual intervention based on policies you define to do so. Workflow automation will help you not only improve your overall security posture, but also re-allocate operational resources to more meaningful tasks.

Now with Rogue Asset Automatic Assessment, you will be able to tag newly discovered assets that have not yet been assessed and configure scans based on tags that can automatically run as determined by your scan policy. This new capability is available today in Tenable.sc and will be available in Tenable.io later this year. 

Turn the Unknown Into the Known with Rogue Asset Discovery

Unified visibility is a hallmark of a mature cybersecurity and Cyber Exposure program. Make sure your Cyber Exposure solutions can shine a light into every dark corner across your modern attack surface. To see how, take advantage of a free 60-day evaluation of Tenable.io today and get started in minutes. 

How Jewelry Television Uses Tenable.sc to Understand and Reduce Cyber Risk

Understanding risk in a complex digital environment is Jewelry Television’s biggest Cyber Exposure challenge. Learn how the company is using Tenable.sc and the Vulnerability Priority Rating to improve visibility and control.

Jewelry Television (JTV) is one of the largest jewelry retailers in the United States, supporting over 1,400 jobs on its 16-acre Knoxville, TN, campus. The company’s omni-digital strategy includes live TV programming — 24 hours a day, seven days a week to 84 million U.S. households — as well as an industry-leading, mobile-optimized e-commerce platform and a robust and engaging social media presence.

A software development shop and a large technical operations team support the company’s business. “We do it all in house,” said Kyle Bubp, Senior Security Engineer at JTV, in an interview with Tenable during the Edge 2019 user conference in Atlanta in May. 

The JTV environment includes multiple operating systems — Windows, MacOS, Linux and Solaris, among others — as well as a number of cloud hosting providers, all running on a segmented, firewall-protected network. “The biggest challenge that I'm looking to solve right now is just the understanding of risk in the environment,” said Bubp, who’s using Tenable.sc (formerly SecurityCenter) for internal scanning. (Editor's Note: This blog explores how JTV uses Tenable.sc; the organization also uses Tenable.io for external scanning.)

With Tenable.sc, “we're scanning every subnet, we're doing authenticated scans [and] we're getting back very valuable data,” said Bubp. Tenable.io is primarily used to perform Payment Card Industry (PCI) Approved Scanning Vendor (ASV) scans of the company’s Amazon Web Service (AWS) and Azure cloud instances, he explained.

Visibility is Key

“With any security program, visibility is key,” said Bubp. “[Tenable.sc] gives me all the visibility I could ever want and need from one platform. I don't have to manage six different tools to get the visibility I need.”

And the visibility isn’t limited to Bubp; he’s able to give Tenable.sc logins to software engineers and admins so they can see and scan their assets in real time. “It gives them an easy way to look at the security posture of the assets that they own and then mitigate any vulnerabilities that are on those assets.”

The result? A more streamlined process, according to Bubp. “Now that the admins can log in to Tenable.sc and see the data that I'm seeing, I don't have to throw a PDF report over the fence and say, ‘Please fix this.’ They can log in, they run their own scans, they're very proactive, they fix what needs to be fixed. I don't have to keep asking, ‘Hey, can you please fix this vulnerability?’ ”

The improved visibility helps improve efficiency. “We are much more aware of where our risk resides,” enabling everyone involved to manage their time as effectively as possible, according to Bubp. “There's only so much time in a day,” he said. “Our admins, our software engineers, they have things that they need to be focused on to support the business. When I do throw work onto their pile, I want to make sure it’s work that needs to be done and not just a ‘nice to have.’ ”

Putting Tenable’s Vulnerability Priority Rating to Work

JTV recently began using Tenable’s new Vulnerability Priority Rating (VPR) — included with both Tenable.sc and Tenable.io — to further refine the risk assessment and remediation processes. VPR, a new capability introduced this year in Tenable.sc and Tenable.io, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

Bubp uses the VPR score to give the admins and software engineers context around each vulnerability. “Sometimes people get hung up on, ‘Well, this thing says critical, so it must be critical.’ But a lot of times, it's not critical,” said Bubp. “You have to really look at your environment and first look at ‘why is the vulnerability scanner telling me this thing's critical?’ Is it just because it's an outdated, unsupported version? Or are there actual exploitable vulnerabilities for it? If it's the former and not the latter, well, maybe it's not critical. Maybe you can recast that risk and then put [in place] what company compensating controls you have.”

The additional context is also helpful when communicating with C-level executives in the organization. “The way that Tenable displays the data, you can get as technical as you want,” said Bubp. “A C-level executive isn't going to want to get down into the output of the plug-in itself, but the admins will. But I don't have to provide three to four different reports depending on who's consuming the data. I can point them to one central location and, depending on how deep they want to go, it's kind of the sky's the limit.” 

Access to Tenable.sc is linked to the company’s Active Directory, making it easy for stakeholders to log in and see the data they need. “And then, any questions they have, you know, I just talk to them about it,” said Bubp. “That additional visibility is key for any security program.”

Bubp added: “Out of all the vulnerability management tools I've used, I always come back to Tenable, because they're the most accurate [and] the data is easy to consume. I don't have to spend time training other people to read the dashboards, 'cause it's just so easy to consume the data.”

While Bubp said he could point to a reduction in the hours spent on vulnerability management since the team began using VPR, the real story is in how those newfound extra hours are being used instead. “There's been an increase in man-hours focused on mitigating risk,” said Bubp. “They're spending a lot more time fixing these vulnerabilities that they didn't have visibility into before.”

For Bubp, vulnerability scanning is a foundational first step in any cybersecurity program. “I don't think you can start building a security program without something like Tenable,” he said. “I believe vulnerability scanning is key to building a strong security program.”

Learn More:

Watch the interview here:

  • See more customer stories here
  • Learn about Cyber Exposure here

How To Discover and Protect Your OT Assets

As the disciplines of IT and Operational Technology (OT) continue to converge, organizations find themselves challenged to provide threat protection, risk management and asset monitoring. It all starts with a strong asset discovery and detection plan.

For years now, CISOs have tried to come to grips with the convergence of two equal but distinct parts of the business — IT and Operational Technology (OT) — and what it means for the overall cybersecurity posture of industrial enterprises.

The first question is: Where to start? 

How best to address this question was the central premise of the Tenable webinar, Practical Industrial Control System Cybersecurity: IT and OT Have Converged, Discover and Defend Your Assets. Hosted by SANS, the webinar featured: Doug Wylie, Director, Industrials & Infrastructure Business Portfolio, SANS Institute; Dean Parsons, Information Security Officer, Nalcor Energy; and Ted Gary, Senior Product Marketing Manager with Tenable. The three discussed how the disciplines of IT and OT have changed over the years and explored what is needed to reconcile the two in order to improve threat protection, risk management and asset monitoring.

Industrial Digitization 

For decades, OT systems remained outside the control of IT, effectively "air-gapped" from interacting with systems connected to public internet services. By mid-2005, much of that changed as Ethernet became the standard network gear connecting all manner of endpoints, including those within industrial systems.

By late 2010, IT and OT systems had started to converge as businesses began to see the early benefits of digital transformation. Converged IT and OT systems can ease the sharing of information and provide granular data from industrial machinery to help organizations uncover new operational efficiencies.

So, what’s the downside? Connected IT and OT systems expand the attack surface, and businesses need to rethink their risk assessment practices within this converged world. 

Securing converged IT and OT systems is easier said than done. In an ideal world, an organization would build its converged IT and OT network architecture from the ground up, using a reference architecture suggested by the US Department of Homeland Security or another entity. This would take into account the need for features such as a "DMZ" between the IT and OT systems to ensure greater cybersecurity. 

"This is certainly the ideal situation, and if we were going to build an Industrial Control System cookie factory today, this is where we would start,” Parsons said.

In reality, most businesses are faced with trying to secure OT systems which were designed as closed networks years ago and retrofitted repeatedly over the years to meet business needs. 

So, how can a security team even find all the OT assets running on the network?

Wylie and Parsons draw their inspiration from the Center for Internet Security (CIS) and its security control list for Industrial Control Systems (ICS). Specifically, the first three controls, which include inventory and control of hardware assets, inventory and control of software assets and continuous vulnerability management.

From there, security teams can use four different methods to discover assets:

  • Physical inventory
  • Passive monitoring and discovery
  • Active scanning
  • Additive sources

While each of these methods alone can't discover all the assets on the network, when taken together, these four tactics can produce a holistic picture of the converged system, while creating a comprehensive inventory. The key is knowing which method to use for which assets to avoid any unintended downtime. For example, physical inventory and passive monitoring and discovery pose less risk of downtime for OT systems than active scanning, which is best reserved for non-operational systems. 

Patching Smartly

Once all the assets are discovered, the question becomes how to assess the risk and determine which vulnerabilities are worth patching first.  

In most cases, risk assessment is based on the CVSS score assigned to a given vulnerability. However, Wylie suggested security professionals would do well to consider all the individual metrics used to arrive at the final CVSS number; you might find some of the metrics that feed the score are less relevant to your particular business, which can help as you prioritize your remediation plans.

Additional monitoring and controls can also allow for smarter patching. Parsons cited as an example a situation that might happen at a large industrial energy facility: "An energy organization in the middle of winter finds a vulnerability in software that they are using, and this vulnerability could be exploited by attackers that [are] publicly known at this point. Do they patch? In the middle of winter in an area that is north like Canada, we have a lot of storms and cold weather. It's not an ideal time to change the process, to increase the risk of the system going down because of the patch. Yet, the vulnerability remains, so how do you work around that? [P]atching smartly in this context is really about understanding what is there and how you do controls between now and the middle of winter and perhaps in spring … to keep the actual ICS process up, and patch smartly when you can so you won't disrupt the system. The idea here is to maintain the safety and the ability of operations and that's the utmost."

Risk Management as Part of The Maintenance Lifecycle

How can organizations assess risk when trying to maintain converged IT and OT systems? As Tenable's Gary noted, the risks companies face change over time as new vulnerabilities are discovered and the threat landscape evolves.

Gary said, "When you make changes to devices on your network, you can introduce new risks that need to be mitigated. But I think a key point is, even if you don't change anything, the environment from a risk point-of-view can change. There can be new vulnerabilities that are discovered that weren't there a month ago or a week ago. There could be ones very important to you … there can be new exploits to them, so the threat landscape can change as well."

For these reasons, Gary recommended making risk management part of the maintenance lifecycle of your OT equipment.

Vulnerability Management Fundamentals: How to Perform Asset Discovery and Classification

In part two of our five-part series on Vulnerability Management fundamentals, we explore the essentials of asset discovery and classification, which is the first step in the Cyber Exposure lifecycle.

Maintaining a comprehensive and updated asset inventory is a fundamental and critical component of Vulnerability Management (VM) programs. This fact is reinforced by industry standards and best practices. For example, the Center for Internet Security (CIS) lists Inventory of Authorized & Unauthorized Devices and Inventory of Authorized & Unauthorized Software as the top two cybersecurity controls in its Critical Security Controls (CSC) list. 

Although an asset can be any item of perceived value to an organization, for the purposes of this blog, we’ll focus on computing assets such as web or email servers, desktops, laptops, mobile devices, cloud services, network devices, OT devices, databases and web applications.

In global IT environments spanning on-premises and cloud, maintaining an asset inventory is anything but simple. So where do you start? While there is no one-size-fits-all answer, the process begins with a comprehensive discovery and classification by business and security criticality.

Before you use any sophisticated tools, talk to the network management and IT teams in your organization. They very likely have IP address ranges and databases of all authorized assets across the organization. 

Here are six discovery questions to ask as a starting point:

  1. Where are your business offices and network infrastructure sites, including failover and backup sites, located? 
  2. What are the key web applications, operating systems, software packages and databases supported by the IT organization? 
  3. What types of assets (IT/OT, physical, software, mobile, development) are used by the company?
  4. Do you have an asset management tool or a database of all assets owned by the organization? 
  5. Do you use an asset and data classification policy to enforce security and access controls?
  6. Which assets, applications and data are considered critical for the organization? 

Not all assets are equally important...

Once you’ve captured the above inputs, the end result will likely be a list or a database of IP address ranges and DNS records. That is a good first step. It is a good idea to start asset classification right away to help you prioritize next steps in the VM lifecycle. Remember, not all assets are equally important. A public web server running your e-commerce site is far more business critical and vulnerable to attacks than internal desktops are. 

Data and asset classification policy should be an integral part of any security policy. You should define and consistently use that policy across the organization, not just for vulnerability management, but for all security operations, such as access control, application of security controls and data retention.  

Now, start digging

Do you know what exists at those IP addresses, hostnames and URLs? At this stage you need to leverage some discovery tools to scan your network and applications to detect assets.  

Here are some asset discovery questions to consider when selecting a VM product: 

  1. What asset attributes can it detect? Just detecting an asset at an IP address is not enough. Can it detect operating systems, application types and technology, and open ports?
  2. Can it scan different types of infrastructures? Can it be integrated into your DevOps process for continuous discovery? Can it scale to handle a large number of assets? 
  3. Can it passively monitor network traffic to detect assets connecting to your network that may not be officially authorized by your organization?

Here today, gone tomorrow.

Periodic scanning provides a point-in-time view of your environment, but there may be some blind spots. For example, assets that are short-lived, turned off, temporarily connecting to your network or not accounted for in your original IP address blocks may go undetected. This emphasizes the need for a continuous discovery approach, which includes:

  • Baking discovery into the DevOps process; 
  • Leveraging software agents installed on the assets; and
  • Passively monitoring the network. 

After you have a validated list of assets, do another round of classification. Organizations often classify and group assets based on the sensitivity of data or business criticality of applications supported by the asset. Assets are also grouped and classified based on internal asset management and asset ownership policies. 

For example, for VM purposes you may want to group assets based on who owns them, the operating system or applications they run, or their physical location. Most modern asset management and VM tools provide some form of tagging and grouping capabilities to help with proper manual and automated classification and grouping of assets. One of the most difficult problems in vulnerability management is identifying asset owners who will fix vulnerabilities. Try to make that identification early on in the process and tag assets based on ownership. 

Asset discovery and classification is a fundamental first step to help you focus on actions that result in maximum reduction of your cyber risk. Watch this on-demand webinar to learn more about asset discovery best practices and find out how Tenable can help you on your journey. 

In part one of our five-part series on Vulnerability Fundamentals, we explored the first four stages of the Cyber Exposure Lifecycle. In part three, we’ll discuss the essential tactics involved in the “Assess” stage. 

Tenable Roundup for Microsoft’s August 2019 Patch Tuesday: DejaBlue

Microsoft’s August 2019 Security Updates, released on August 13, address over 90 vulnerabilities, 29 of which are critical.

Microsoft’s August 2019 Patch Tuesday release contains updates for 93 CVEs, 29 of which are rated Critical. This month brings patches for the usual suspects, namely the various flavors of Microsoft Windows, Office products, the IE and Edge browsers, as well as Microsoft Dynamics, to name a few. As always, we recommend administrators take immediate action and ensure patches are applied across the organization. In cases where immediate patching is not an option, mitigation steps should be followed as per Microsoft’s recommendations. While none of the CVEs this month appears to be exploited in the wild yet, several are likely to be exploited. Here, we break down and highlight a few of the most important CVEs from this month’s release.

CVE-2019-1181 & CVE-2019-1182 & CVE-2019-1222 & CVE-2019-1226 | Remote Desktop Services Remote Code Execution Vulnerability

Coming mere months after the May release of CVE-2019-0708 (BlueKeep), Microsoft released patches for four critical remote code execution vulnerabilities in Remote Desktop Services, dubbed DejaBlue by researcher Michael Norris. Exploitation requires little more than sending a specially crafted request to a targeted system’s Remote Desktop Service via RDP. The vulnerabilities can be exploited pre-authentication and require no user interaction, making these bugs incredibly dangerous. Successful exploitation would allow an attacker to execute arbitrary code on a targeted host. CVE-2019-1181 and CVE-2019-1182 both offer mitigation options from Microsoft, similar to those offered for BlueKeep: enable Network Level Authentication (NLA) and block TCP port 3389 at the perimeter firewall (assuming the default port is in use on your hosts). While Microsoft notes these have not been exploited, it’s very likely that a Proof of Concept (PoC) will surface in the near future.

Additionally, three related CVEs were patched affecting Windows Remote Desktop Protocol. CVE-2019-1223 is a Denial of Service (DoS) vulnerability, while CVE-2019-1224 and CVE-2019-1225 are both information disclosure vulnerabilities. While Microsoft only rates these three vulnerabilities as important, it’s encouraging to see so much focus around RDP in the wake of BlueKeep and improving the security of a crucial component in Windows.

CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability

A memory corruption vulnerability exists in the Windows DHCP client. A remote unauthenticated attacker could send a malicious DHCP response to a vulnerable machine, which the target then executes as code with SYSTEM permissions. DHCP also saw an update for CVE-2019-1213, a memory corruption vulnerability in Windows Server DHCP that could lead to remote code execution, along with two Denial of Service Vulnerabilities CVE-2019-1206 and CVE-2019-1212.

CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in the Windows Operating System Advanced Local Procedure Call (ALPC). If an attacker has gained login access via some other means to a vulnerable host, that attacker could then execute malicious code that runs with SYSTEM permissions, rather than being restricted by the current user’s session permissions. CVE-2019-1162 is credited to Tavis Ormandy of Google Project Zero, who today published details of the work around finding the flaw. In addition to the research, Tavis also released a tool to ease in finding these flaws, and we expect to see more on this front in future months.

CVE-2019-1201 & CVE-2019-1205 | Microsoft Word Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Microsoft Word. A specially crafted file could perform actions and run commands as the current user. Successful exploitation would require social engineering to get the target user to execute a malicious file, either through sending that file to the targeted user, or hosting the malicious file on a website with which the target user interacts. This vulnerability still requires the end user to open the malicious Word file to be executed. An interesting detail found in the advisories: Microsoft Outlook Preview Pane is an attack vector for these vulnerabilities. A related CVE, CVE-2019-1200 in Microsoft Outlook, could also lead to remote code execution by enticing a user to open a specially crafted file.

CVE-2019-0965 | Windows Hyper-V Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. While exploitation does require the attacker to be able to execute a crafted application on a guest operating system, this highlights the dangers of insider threats. While exploitation is less likely in this scenario, Microsoft still rates the severity as Critical, since arbitrary code could be executed on the host operating system.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name Contains August 2019.

[Screenshot: Microsoft August 2019 Patch Tuesday Tenable plugins]

With that filter set, click on the plugin families to the left, and enable each plugin that appears on the right side. Note that if a family on the left says Enabled, all of the plugins in that family are already selected. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

[Screenshot: Microsoft August 2019 Patch Tuesday update Tenable plugins]

A list of all of the plugins released for Tenable’s August 2019 Patch Tuesday update can be found here.

TikTok Scams: How Popular Apps and Services Become New Havens for Scammers

As social media platforms become popular, scammers aren’t far behind. One of the more popular social media scams involving adult-dating has started to emerge on TikTok over the last six months.

Since March 2019, I’ve been tracking the activity of a number of scam accounts on the popular short-form video platform TikTok. The social media site’s user base took off after it merged with musical.ly in August 2018, topping 1 billion monthly active users (MAUs) earlier this year.

Given TikTok’s meteoric rise in popularity, it comes as no surprise that scammers would take notice. So far, these scams appear to be in their infancy. There is no WikiHow entry for how to create TikTok scams...yet. However, it’s clear the scammers are already reaping the benefits of using the platform to accomplish one or more of the following:

  1. Boosting likes and followers in order to raise the popularity of a profile.
  2. Gaming the cost-per-action networks of adult dating websites that pay for qualified leads.
  3. Taking advantage of cost-per-install networks, which offer monetary rewards to users who drive other users to install apps.

In this two-part series, we’ll explore three of the most common types of scam accounts I’ve been tracking, which involve one or more of the following categories:

  • adult-dating;
  • impersonation; and
  • increasing followers/likes. 

Here, in part one, we discuss how scammers are using fake profiles to trick unsuspecting TikTok users to sign up for adult dating websites or pay for fraudulent “premium” Snapchat accounts. In part two, we explore the tactics involved in creating imposter accounts and how these are used to increase followers and clicks, while also discussing the oldest trick in the scammer’s playbook — offering free likes and followers. We informed TikTok and Snapchat of our findings. TikTok said it is in the process of removing the accounts we identified and actively working to identify and remove others. Snapchat directed us to a support article. 

We expect these scam activities to only increase as TikTok continues to dominate the Apple App Store marketplace, remaining at the top of the App Store Downloads page for multiple quarters, while also trailing behind only Facebook properties WhatsApp and Messenger in Overall Downloads on mobile platforms.

Adult Dating Scam Accounts

“Damn your girl so fine, but her breath is like woah.”

The first type of scam accounts I’ve observed on TikTok are those promoting adult dating. These profiles feature stolen videos from sources like Instagram and Snapchat, featuring women dancing, posing in bikinis, working out or just going about their normal day-to-day lives.

For example, we were able to identify one of the adult-themed TikTok accounts using a stolen video of a swimwear model.

These profiles appear under the “For You” page, which is a page curated by a TikTok algorithm based on views and likes, though the specifics of how the algorithm works are not known. Typically, TikTok users append the hashtags #foryoupage, #foryou and #fyp as a way to try to get featured on these pages, but that doesn’t appear to be a tactic used by these scam accounts.

While these accounts could use their TikTok profile biography to promote their adult-themed dating websites, the scammers primarily use these accounts to drive users to a separate Snapchat account, which they promote in their video captions. Examples of such captions include:

  • “Waiting in my 18+ SnapChat: [username]”
  • “Urge you follow me on SnapChat: [username]”
  • “Maybe u come help me sleeping? Wait u in Snapchat: [username]”
  • “I hope you to hold me a hard k.i.ss and… Go my Snapchat: [username]”
  • “Would you come help me remove my clothes? Go Snapchat: [username]”
  • “More n.u.d.e items in my Snapchat: [username]”

In some captions, certain words contain periods between the letters, e.g. “nude” is “n.u.d.e” and “kiss” is “k.i.ss” though it’s unclear if this is an active attempt to bypass keywords that TikTok might be searching for to remove these spam accounts.

In addition to the captions, the accounts contain a variety of hashtags, from the obvious — such as #stripdance, #stripped, #tweark [sic], #topsmodels, #18plus, #18plusonly and #18pluscontent — to the more benign and often regional in nature — such as #windycity, #massachusetts, #pittsburgh, #miamibeach, #nashville, #sf, #philadelphia.

Another interesting approach undertaken by these adult dating scam accounts is their use of original sounds. TikTok users are encouraged to make videos based on existing sounds. My current assumption is that the scammers are either using sounds attached to the stolen videos, thus requiring them to create an original sound, or using original sounds to prevent the discovery of their videos via any algorithms TikTok has in place when listed under a different sound.

Based on their comments on videos posted to these fake accounts, it seems many TikTok users believe the videos are actually posted by the women themselves. Some scam accounts may follow users, but otherwise they do not appear to engage with users in a more direct way.

Based on a sampling of adult dating scam accounts I’ve encountered since March 2019, on average each account followed 299 users, was followed by 650 users and received 1,744 likes across its videos.

The most successful adult dating scam account I’ve been tracking received over 34,000 likes across their videos and gained over 12,300 followers.

Directing Users to Snapchat 

Using Snapchat as a vehicle to promote spam from other services/platforms is a fascinating workaround. Because Snapchat has historically operated within a walled garden, it’s a unique way to stealthily create these adult dating accounts that are only accessible to those who know their usernames or Snapcodes.

If a TikTok user moves to Snapchat to add these adult-themed Snapchat accounts, they’ll be presented with a Snapchat Story that features videos, often of the same unidentified woman, either being sexually suggestive, displaying nudity or performing sexual acts on themselves with a sticker or an emoji covering the explicit part of the video.

The stories themselves also contain a link attachment that directs users to an external page hosted on Google Sites.

The Google Sites page is gated with an “age verification” question, asking the viewer if they are 18 years old or not. Regardless of which option the user selects, they will be redirected to what is referred to as a prelander, or intermediary, page, used by scammers who sign up for adult dating affiliate programs. The page poses a series of questions to the visitor, whose answers are not used whatsoever. It is merely part of the ruse.

Once the user completes the survey, they are redirected to the real adult dating site, which offers an affiliate program to drive traffic and sign-ups. These scammers use a cost-per-action (CPA) network that provides offers to affiliates in exchange for some sort of revenue share. For instance, the CPA network will likely take 20 percent off the top of the affiliate marketer’s payout, leaving the affiliate with the remaining 80 percent.

The adult dating website used in one of the more recent TikTok adult dating scams is flirt.com. The CPA networks advertise flirt.com affiliate leads that could earn a scammer anywhere between $1 and $3 for a qualified lead tied to a specific geographic region, a preferred age category (above 25, for example) or a new user account. However, if a single lead converts to become a paid user by adding a credit card to the account on the adult dating website, the scammer could potentially earn over $50.

Affiliate programs are great incentives for scammers to make a quick buck, and the overhead costs for creating fake accounts on apps like TikTok and Snapchat are very low, so the potential return on investment is huge.

Premium Snapchat Offer

In recent weeks, the scammers behind these accounts have begun pivoting away from affiliate programs, bypassing the need to convince a user to sign up for an adult dating website. Instead, they’re asking users to subscribe to a “premium” Snapchat account. The rise in popularity of legitimate Snapchat premium accounts is a real phenomenon in which people earn money by posting Not-Safe-For-Work (NSFW) Snaps from a more private account.

In the case of these scammers, they are offering their so-called “premium Snapchat” for $10. They ask the user to make the payment through PayPal and to take a screenshot. If users “swipe up” they’re redirected to a PayPal payment site to send the scammer the funds they’re requesting. I’ve seen a few variations of the premium Snapchat offer from these scam accounts, altering the requested payment from a minimum of $5 to a maximum of $20.

As you can imagine, the users who pay for the supposed “premium” Snapchat aren’t likely to get anything in return. Instead, the scammers move away from being a middle man, getting paid directly by their victims instead of through a CPA firm.

This concludes part one of our two-part series. In the next installment, we’ll explore the tactics used by impersonation accounts as well as those designed to take advantage of TikTok users’ desire to obtain a large number of followers or likes on their videos.

TikTok Scams: How Social Currency Fuels the Economy for Impersonation Accounts and Free-Followers-and-Likes Services

The economic engine of social media platforms is followers (or fans) and likes. Scammers take advantage of this economy, while others seek out ways to grow their following inorganically by impersonating popular creators and celebrities.

In part one of our two-part series on TikTok scams, we explored the tactics involved in getting users to sign up for adult dating sites and paying for phony premium Snapchat accounts. Here, in part two, we look at the ways scammers are impersonating popular TikTok accounts in order to obtain a genuine following without having to create original content. In addition, we explore the tried-and-true method of offering users free followers and likes for their own legitimate accounts, using them as pawns to earn money. 

Impersonation Accounts

“Who are you? I am you. I am me. No sir, you are you.”

Another trend I’ve observed on TikTok is the presence of impersonation accounts. Impersonation on social media isn’t new by any means. We recently documented how scammers tried to outscam each other by impersonating an account called Sudan Meal Project claiming to donate meals to Sudanese civilians. In some of my earlier research, I uncovered a series of Instagram accounts impersonating lottery winners.

On TikTok, while the vehicle might be different, the destination is the same — impersonation for the sake of gaining followers before pivoting to a personal account. 

Salice Rose, a popular creator of Vine, YouTube and TikTok videos, is one of many users who has been impersonated on TikTok.

In the image above, the original video from Salice Rose is on the left side of the panel. On the right side, an impersonator downloaded Salice’s video and reuploaded the same video, copying the video caption and adding in some hashtags. In this case, the impersonator’s video surfaced in the “For You” section of the TikTok app.

To trick users, the impersonation account uses non-standard characters in its username because “officialsalicerose” is already taken. In this case, the impersonator is using an “s” with an accent above it (ś) and an “e” with a macron above it (ē) at the end of the username. 
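The accented-letter trick described above is easy to catch mechanically if a platform (or a brand-protection team) compares new handles against verified ones after folding away the decorations. The following is an added example, not code from the original post or from TikTok: it decomposes each handle with Unicode NFKD so that ś becomes s plus a combining acute and ē becomes e plus a combining macron, drops the combining marks, maps a small set of common lookalike characters and separators, and reports which verified handle a candidate imitates. The verified-handle list and the Cyrillic/digit confusable map are assumptions constructed for the example; only “officialsalicerose” comes from the post.

```python
import unicodedata

# Handles of verified accounts (constructed list; "officialsalicerose" is the
# real handle named in the post, the other entry is a placeholder).
VERIFIED_HANDLES = {"officialsalicerose", "example_creator"}

# Small, partial map of characters that look like ASCII letters but are not
# decomposable by Unicode normalisation: a few Cyrillic letters and digits.
_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
}


def skeleton(handle):
    """Reduce a handle to the ASCII string a reader 'sees'.
    NFKD splits ś into s + combining acute and ē into e + combining macron;
    the combining marks are then dropped, known confusables are mapped to
    their ASCII lookalike, and dots/underscores (free to add on most
    platforms) are removed."""
    decomposed = unicodedata.normalize("NFKD", handle.casefold())
    out = []
    for ch in decomposed:
        if unicodedata.combining(ch) or ch in "._":
            continue
        out.append(_CONFUSABLES.get(ch, ch))
    return "".join(out)


def lookalike_of(handle, verified=VERIFIED_HANDLES):
    """Return the verified handle that `handle` imitates, or None.
    The verified handle itself is never reported as a lookalike."""
    if handle in verified:
        return None
    sk = skeleton(handle)
    for real in sorted(verified):
        if skeleton(real) == sk:
            return real
    return None


def find_lookalikes(handles, verified=VERIFIED_HANDLES):
    """Map each candidate handle to the verified handle it imitates."""
    result = {}
    for h in handles:
        target = lookalike_of(h, verified)
        if target is not None:
            result[h] = target
    return result
```

The skeleton comparison deliberately errs toward flagging: a handle that differs only by dots, underscores, accents or a digit-for-letter swap is reported for human review rather than silently allowed, which is the trade-off a verification queue wants.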

Despite the real Salice Rose having a verified “popular creator” badge on her own profile, the impersonator still managed to gain over 7,000 followers on their account right off the bat. This is likely a byproduct of the impersonator’s videos appearing in the “For You” section for other TikTok users. This is the first Salice Rose impersonator I encountered.

However, not everyone who encounters these impersonation accounts falls for them. There were examples of TikTok users who commented on videos on the impersonator’s profile, one of whom said “stop trying to upload video that not yours thus [sic] is NOT your account” with another saying “You are just hurting people’s feelings.” These prompted responses from the impersonator to dismiss the criticism and call out those who are “hating” on them.

Impersonator Promoting Another Impersonator

In one of the impersonator’s videos, the video caption was changed to ask users to follow a separate Salice Rose impersonation account, likely one of their friends who followed the same blueprint.

Unlike the first Salice Rose impersonator, this second impersonator started posting videos of themselves as well as modifying the profile image and biography. The impersonator took these steps after managing to gain over 52,000 followers and over 83,000 likes. Similar to the first Salice Rose impersonator, this account’s username also uses non-standard characters.

Impersonators Tease a Face “Reveal”

The impersonator uses their impersonation account to their advantage by teasing that they might reveal their true identity to their followers.

Eventually, they post a video revealing their true identity, often encouraging followers to follow their live stream “to see more.” 

The first Salice Rose impersonator went from over 7,000 followers to over 31,000 followers before revealing their true identity.

Pivoting Away From An Impersonation Account

The process of pivoting from an impersonation account to a personal account is normally very simple. Remove all traces of the videos that were stolen and used to gain followers, change the profile bio and change the profile image. However, TikTok presents one challenge to a clean account pivot: a username on TikTok can only be changed once every 30 days. As a result, many of these impersonation accounts might start the process of pivoting, but their usernames remain intact until the 30 days are up.

Other Impersonation Styles

Not all impersonators follow the same approach as observed in the Salice Rose case. There are a few other impersonation styles that can be classified as follows.

Fan Pages

On the surface, a fan page is harmless. People are fans of artists and content creators, so it would make sense for these accounts to exist. But they’re also a really convenient way to gain followers.

Fans of Loren Gray, who is one of the most popular TikTok users with over 32 million followers, will often create fan pages in her name to show their enthusiasm. Among these, however, we find examples like the one pictured above. This fan page managed to gain over 361,000 followers. But did they always have the phrase “fanpage” in their profile bio? It’s possible they didn’t and that’s how they gained so many followers. If the person operating the fan page wanted to, they could easily pivot to a personal account. They may not, but it’s certainly an easy way to gain followers quickly.

Above is another example of a “big fan” account in Loren Gray’s name and image. However, this big fan wasn’t always a “big fan” as seen in the comments section.

A commenter called out the Loren Gray page for claiming to be Loren Gray’s “second account” which is another phenomenon in the world of impersonation.

“Second” or “Backup” Accounts

Besides outright impersonation of an account, the concept of a “secondary” or “backup” account is not unusual in itself, but it’s also a convenient method for scammers to take advantage of TikTok users.

Baby Ariel, another popular TikTok creator, has an impersonator claiming to be a “backup account.” The imposter account not only gained over 82,000 followers, but, most surprisingly, attained over 2.4 million likes on the stolen videos and images. This so-called “backup account” may never pivot away to a personal account, but it’s been used to promote other accounts on other social networks like Instagram.

Impersonation is Global

While the impersonators featured here are all primarily U.S.-based, impersonation itself is a global issue. For instance, Neha Kakkar — a popular playback singer in Bollywood with nearly 10 million TikTok followers — is also the subject of impersonations on the platform.

In the image above, the official Neha Kakkar account has the “verified account” badge. Even though the impersonation accounts lack the verified account badge, they’ve still managed to rack up hundreds of thousands of followers and likes, leading some followers of the impersonation account to wonder which account is the real one.

Even Bollywood celebrities who don’t have a TikTok account are being impersonated. For instance, Salman Khan, one of the biggest Bollywood movie stars in the world, has impersonator accounts on TikTok.

This particular impersonator references another profile, potentially their own, in an effort to gain more followers who are fans of Salman Khan.

Based on their comments on these videos, users appear to believe it’s really Salman Khan when it’s not. 

Verified Impersonation Account

As mentioned before, impersonation accounts claiming to be a “second” or “backup” account are another way for scammers to impersonate popular TikTok users. The most fascinating example of this involves Liza Koshy, another Vine, YouTube and TikTok creator with over 14 million followers on TikTok.

When looking for Liza Koshy on TikTok, users will come across two verified accounts. The first, which features a “popular creator” badge, is the real Liza Koshy account. The second, featuring the “verified account” badge, is an impersonator.

The real Liza Koshy posted a video on her profile of a skit. That same video was captured and reuploaded by the “backup” account to their impersonation account. The difference between the videos isn’t just the video quality (slightly degraded when downloaded), it’s also the video caption, which reveals their true intentions. The impersonator promotes another TikTok account, saying “go follow and spam @[username] for a BFF and shoutout.”

The account that’s recommended by the impersonator calls itself a “tunes” account, which makes sped-up or slowed-down audio tracks for other users on TikTok to use as sounds in their videos. This “tunes” account has nearly 6,000 followers and over 19,000 likes. 

Another video on the Liza Koshy impersonator account asks followers to follow a different user to “get her to 500 followers and tap her bell.” 

In this case, the username is not clickable, indicating the account was either removed from TikTok or they pivoted away to some other name after gaining followers from the Liza Koshy impersonation account. It is unclear whether the person operating the impersonation account is also the one promoting these accounts.

How did a Liza Koshy impersonation account manage to get verified status? That’s a question for TikTok, but the fact that it occurred is a concern.

Impersonation accounts aren’t going anywhere. They’re a commodity for scammers. As long as social media platforms exist, there will be impersonators trying to scam their way into more followers and likes or scamming their users out of money.

As mentioned previously, I’ve discovered lottery winner impersonators before on other social networks. Unsurprisingly, lottery impersonators have already been spotted on TikTok, in what would appear to be a testing phase. The account above is impersonating Mavis Wanczyk, a 2017 Powerball winner of over $750 million, who has already been the subject of scams since winning the Powerball.

Free Followers and Likes on TikTok Accounts

“They do anything for clout, they do anything for clout.”

While impersonation accounts and adult dating scams have been around for years, one of the oldest tricks in a scammer’s playbook is offering free followers and likes.

On TikTok, scammers create accounts to follow users or comment on videos to draw their attention to their profiles. Their profiles typically contain no content, but they may include references to sites where users can go to get free followers or likes in their profile bios. For instance, TikTokFans asks users to “Google” for the website. TikTokLift uses a space between each character in their bio, perhaps as a way to prevent the accounts from being detected. Taking it one step further, the GetFans Club references the website within their profile photo. 
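Both the period-separated caption words from part one (“n.u.d.e”, “k.i.ss”) and the space-between-every-letter bio trick mentioned above defeat a naive keyword filter while staying perfectly readable to a human. The block below is an added example, not code from the original post or from TikTok, showing the detection side: it normalises the text, splits it on separator characters and then rejoins runs of short fragments so that an obfuscated term lands back in the watchlist. The sample captions, the bio line and the watchlist are constructed for the example; the bracketed usernames are placeholders.

```python
import re
import unicodedata

# Constructed sample captions and profile bios that mimic the patterns
# described in the post (placeholders, not text from real accounts).
SAMPLE_TEXTS = [
    "More n.u.d.e items in my Snapchat: [username]",
    "I hope you to hold me a hard k.i.ss and... Go my Snapchat: [username]",
    "T i k T o k L i f t get free followers now",
    "Just a normal day at the beach #miamibeach",
]

# Hypothetical watchlist a moderation pipeline might maintain.
WATCHLIST = ("nude", "kiss", "tiktoklift", "tiktokfans")

# Characters an author can wedge between letters without changing how a
# human reads the word: whitespace, periods, hyphens, underscores, etc.
_SEPARATORS = re.compile(r"[\s.\-_*~|\u00b7\u2022]+")


def tokens(text):
    """Casefold, apply Unicode compatibility normalisation (so full-width
    or stylised letters fold to ASCII where possible) and split on separators."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return [t for t in _SEPARATORS.split(folded) if t]


def candidate_terms(text):
    """Return the plain tokens plus every run of two or more short tokens
    (at most two characters each) joined back together. 'n.u.d.e' splits
    into n, u, d, e and is rejoined to 'nude'; 'hard' and 'and' are long
    enough to stay separate, so ordinary prose is rarely merged."""
    plain = tokens(text)
    candidates = set(plain)
    run = []
    for tok in plain + [""]:            # empty sentinel flushes the last run
        if 0 < len(tok) <= 2:
            run.append(tok)
            continue
        if len(run) >= 2:
            candidates.add("".join(run))
        run = []
    return candidates


def find_terms(text, watchlist=WATCHLIST):
    """Return a sorted list of (term, obfuscated) for every watchlist term
    present; obfuscated is True when the term only appears after rejoining."""
    plain = set(tokens(text))
    candidates = candidate_terms(text)
    hits = []
    for term in watchlist:
        if term in candidates:
            hits.append((term, term not in plain))
    return sorted(hits)


def scan(texts=SAMPLE_TEXTS):
    """Map each sample text to its watchlist hits."""
    return {t: find_terms(t) for t in texts}
```

Rejoining only runs of one- or two-character fragments keeps the false-positive rate low on normal captions (“me a” becomes “mea”, which matches nothing), while the obfuscated flag lets a reviewer weight a deliberately broken-up term more heavily than a plain one.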

The practice of promoting free followers and likes isn’t new to TikTok. Even before TikTok’s merger with Musical.ly increased its popularity, these scammers were already on Musical.ly and appear to have been successful at attracting users seeking their services.

Free Followers in India

India is one region in which we particularly notice scammers engaging in activity promoting free followers and likes. According to another CNN Business article, TikTok has over 200 million users in India. Therefore, it’s no surprise that these types of scams are targeting TikTok users in India.

The “Tik Tok Followers” account seen in the image above offers payment through Paytm, an e-commerce and digital wallet service in India. In addition to the offer of TikTok followers, likes and views, the scammer also sells Instagram followers, Facebook Page likes and followers, and YouTube subscribers, likes and views. 

A different “TikTok Followers” account advertises pricing in a video. The scammer asks for 150 rupees for 1,000 TikTok followers and offers up to 10,000 TikTok followers for 1,400 rupees. In both of these cases, the users are instructed to send a direct message either on TikTok or through Instagram as a way to communicate in a private channel to discuss facilitating the transaction.

Free TikTok Likes and Followers Sites

TikTok users are directed to external websites in order to get their “free” followers and likes on TikTok. These websites usually ask for basic information on the user, such as their username, and how many followers or likes they want. Some are more advanced compared to others. 

For instance, one of the sites will take the username provided and retrieve the profile photo as well as thumbnails of the videos posted to the account.

While they operate differently in some ways, all of these websites have one thing in common: they ask you to download an application.

One website claims the “final step” is to stop “automated bots.” Another says verification is required because of the “high amount of users.” Another just asks the user to download the application without reasoning.

The so-called “final step” leads users to a different website, known as a “content locker,” which provides instructions on how to “verify” they are a human being in order to receive the requested followers. The applications themselves are legitimate applications from the Apple App Store and Google Play Store. They may vary from time to time, but they’ve included food delivery apps like Postmates, internet radio apps like iHeartRadio, games like Solitaire and Virtual Private Network (VPN) apps like Norton Secure VPN. The instructions tell the user to run the application for a minimum of 30 seconds in order to “unlock this content.” Others ask the user to perform an action; for example, with Solitaire, the user needs to win three games in order to unlock the “desired content.” 

Clicking through one of these applications will lead to a redirect to a disclaimer page, warning the user that the application may offer a subscription, may charge for in-app content and may also have its own terms and conditions. This is likely a way for the scammers to absolve themselves of responsibility for directing users to download potentially premium applications.

If the user proceeds to the app store, they’ll be redirected via a link from appsflyer.com, which is part of a cost-per-install (CPI) affiliate program. Based on the URL that users are directed to from the disclaimer site, the CPI offer appears to be $0.60 per install. Compared to the CPA offer of $1 to $3 per qualified lead for adult dating websites, it’s no wonder scammers prefer adult dating-themed scams over the free followers and likes scams.

One of the free followers and likes websites includes a YouTube video walking users through this process. The video shows a user downloading apps and using them for 30 seconds, after which their “test account” receives the requested followers. Watching the video, it’s clear these so-called “followers” are fake, just based on usernames and profile images. For instance, in the image above, there are two users with the same profile image. So, while the scammers “deliver” on their promise, not all of them do and, even with fake followers, there’s always the risk TikTok will remove them.

Growing Platforms Become Havens for Scammers

Over the years, scammers have gravitated towards growing platforms like Facebook, Twitter, Instagram, Vine, Tinder, Kik and Snapchat. TikTok is the latest platform to experience such growth, so it makes sense that scammers would look for ways to take advantage of its one billion monthly active users (MAUs), and that will remain the case for the foreseeable future.

It is critically important for users of TikTok to do their part and report these accounts when they see them. In the app, this can be done by clicking on the three dots at the top right, selecting the “Report” option and choosing the most appropriate reason for the report (impersonation, inappropriate content).

When the next hyper-growth platform appears, scammers won’t be far behind. The tactics might change to suit the platform, but at its core, the scams will be the same.

Multiple Denial of Service (DoS) Vulnerabilities in HTTP/2 Disclosed (CVE-2019-9511, CVE-2019-9518)

A variety of Denial of Service vulnerabilities were found in third-party implementations of HTTP/2.

Background

On August 13, researchers at Netflix published an advisory on their GitHub page detailing their discovery of eight vulnerabilities in third-party implementations of the HTTP/2 protocol. The vulnerabilities were primarily discovered by Jonathan Looney, Engineering Manager at Netflix, with one vulnerability, CVE-2019-9518, discovered by Piotr Sikora, Senior Software Engineer at Google.

Image Credit: Cloudflare

Analysis

A client (“the attacker”) can exploit these HTTP/2 vulnerabilities by sending specially crafted requests to vulnerable servers. While these requests will vary, a vulnerable server will attempt to process the request and attempt to send a response. However, the malicious client ignores the response, leading to excess consumption of resources, which would result in a denial of service (DoS).

The following are the eight vulnerabilities and the associated nicknames given to them in the Netflix advisory.

CVE ID         | Nickname
CVE-2019-9511  | “Data Dribble”
CVE-2019-9512  | “Ping Flood”
CVE-2019-9513  | “Resource Loop”
CVE-2019-9514  | “Reset Flood”
CVE-2019-9515  | “Settings Flood”
CVE-2019-9516  | “0-Length Headers Leak”
CVE-2019-9517  | “Internal Data Buffering”
CVE-2019-9518  | “Empty Frames Flood”
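What these eight issues share is the asymmetry described in the analysis: cheap frames from the client cause expensive work on the server, and the client never drains the replies. Patched implementations therefore stopped trusting frame counts at face value and began budgeting them per connection. The block below is an added example, not code from the Netflix advisory or from any of the vendors listed: it parses the RFC 7540 frame header (24-bit length, type, flags, 31-bit stream id), then runs a small per-connection guard that charges every control frame against a budget replenished only by useful DATA, and separately counts zero-length DATA or HEADERS frames. The three traffic samples are constructed in the block, and the thresholds are illustrative values, not numbers taken from any vendor’s patch.

```python
import struct
from collections import Counter

# HTTP/2 frame type codes from RFC 7540 (public protocol constants).
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0, 1, 2, 3, 4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 5, 6, 7, 8, 9
END_STREAM, END_HEADERS = 0x1, 0x4
CONTROL_FRAMES = {PRIORITY, RST_STREAM, SETTINGS, PING, WINDOW_UPDATE}
FRAME_HEADER_LEN = 9


def frame(ftype, flags=0, stream_id=0, payload=b""):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags,
    reserved bit + 31-bit stream identifier, then the payload."""
    length = struct.pack(">I", len(payload))[1:]        # low three bytes
    header = length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                        # truncated: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class ConnectionGuard:
    """Per-connection accounting. A peer starts with a small allowance of
    control frames (PING, RST_STREAM, SETTINGS, PRIORITY, WINDOW_UPDATE) and
    earns more only by sending DATA the server can actually use; empty DATA
    or HEADERS frames that carry no END_STREAM are counted separately.
    Thresholds are illustrative, not taken from any vendor's patch."""

    def __init__(self, control_budget=20, max_empty_frames=10, credit_per_data=2):
        self.budget = control_budget
        self.max_empty = max_empty_frames
        self.credit = credit_per_data
        self.empty = 0
        self.counts = Counter()

    def observe(self, ftype, flags, stream_id, payload):
        """Account for one frame; return a reason string when the
        connection should be closed, otherwise None."""
        self.counts[ftype] += 1
        if ftype in CONTROL_FRAMES:
            self.budget -= 1
            if self.budget < 0:
                return "control frame flood"
        elif ftype == DATA and payload:
            self.budget += self.credit
        if ftype in (DATA, HEADERS, CONTINUATION) and not payload and not flags & END_STREAM:
            self.empty += 1
            if self.empty > self.max_empty:
                return "empty frame flood"
        return None


def classify(data):
    """Run a guard over a raw byte stream; return the first verdict or None."""
    guard = ConnectionGuard()
    for f in parse_frames(data):
        verdict = guard.observe(*f)
        if verdict:
            return verdict
    return None


# Constructed traffic samples (not captures from any real attack).
BENIGN = b"".join([
    frame(SETTINGS, 0, 0, b""),
    frame(HEADERS, END_HEADERS, 1, b"\x82\x86\x84"),
    frame(DATA, 0, 1, b"hello "),
    frame(DATA, END_STREAM, 1, b"world"),
    frame(PING, 0, 0, b"\x00" * 8),
    frame(WINDOW_UPDATE, 0, 0, struct.pack(">I", 65535)),
])
PING_FLOOD = b"".join(frame(PING, 0, 0, b"\x00" * 8) for _ in range(100))
EMPTY_DATA_FLOOD = b"".join(frame(DATA, 0, 1, b"") for _ in range(50))
```

The point of tying the budget to useful DATA rather than to elapsed time is that a legitimate client on a slow link still makes progress, while a client that only ever sends PING, RST_STREAM or SETTINGS runs out of allowance after a bounded number of frames regardless of how fast it sends them.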

Proof of concept

At the time the blog was published, no proof-of-concept code was available.

Solution

To immediately address the vulnerabilities, Netflix’s advisory suggests disabling HTTP/2 support, but cautions that this could either result in performance degradation or not be feasible. Software vendors are in the process of publishing patches for these vulnerabilities. Initial reports from vendors can be found below:

Vendor                      | Link(s)                                                                  | Source
Akamai                      | HTTP2 Vulnerabilities                                                    | Blog
Ambassador (API Gateway)    | Multiple HTTP/2 vulnerabilities in Envoy Proxy                           | Blog
Apache Traffic Server (ATS) | [ANNOUNCE] Apache Traffic Server is vulnerable to various HTTP/2 attacks | Mailing List
Cloudflare                  | On the recent HTTP/2 DoS attacks                                         | Blog
Envoy (Proxy)               | Version 1.11.1 History                                                   | Changelog
Google (Golang)             | [security] Go 1.12.8 and Go 1.11.13 are released                         | Forum Posting
Microsoft                   | CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518 | Advisory
Netty Project               | Netty 4.1.39.Final released                                              | Blog
nghttp2                     | nghttp2 v1.39.2 Release Notes                                            | Software Release
Nginx                       | NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities            | Blog
Node.js                     | August 2019 Security Releases                                            | Blog
Swift                       | About the security content of SwiftNIO HTTP/2 1.5.0                      | Advisory

Customers using these software applications are encouraged to update to the patched versions as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io.

CVE-2019-15107: Exploit Modules Available for Remote Code Execution Vulnerability in Webmin


The popular Linux/UNIX systems management tool has more than 3 million downloads per year and the vulnerability has been present for at least a year, putting many virtual UNIX management systems at risk.

Background

On August 17, Webmin version 1.930 was released to address a remote code execution (RCE) vulnerability (CVE-2019-15107) present in Webmin versions 1.882 to 1.921. According to the Virtualmin site, “Webmin is the world's most popular Linux/UNIX systems management UI, with over three million downloads per year.” Publicly available exploit modules exist for this vulnerability, which puts many virtual UNIX management systems at risk.

The security notice indicates that version 1.890 is vulnerable in the default configuration, while the other affected versions require the “user password change” option to be enabled. According to a BinaryEdge search, there are nearly 28,000 publicly accessible systems running version 1.890 of Webmin.

Analysis

An attacker can send a malicious HTTP request to the password reset request form page to inject code and take over the Webmin web application. According to the vulnerability writeup, an attacker does not need a valid username or password in order to exploit this flaw. Because the affected feature has existed since July 2018, the vulnerability has potentially been present in Webmin since then.

According to a Webmin release note, the company’s security team “...received no advance notification of it, which is unusual and unethical on the part of the researcher who discovered it. But, in such cases there's nothing we can do but fix it ASAP.” While not entirely unheard of, unannounced public disclosures of vulnerabilities are uncommon, even at DEF CON, especially when the organization in question has a cash bug bounty program, as Webmin does.

This vulnerability disclosure comes on the heels of CVE-2019-12840, another RCE vulnerability that was disclosed by AKKUS back in June 2019. Webmin has stated for CVE-2019-12840, “This is NOT a workable exploit as it requires that the attacker already know the root password. Hence there is no fix for it in Webmin.”

Proof of concept

AKKUS has posted a full writeup with a detailed explanation of proof of concept code and an exploit module.

Solution

Updating to Webmin 1.930 or disabling the “user password change” option in Webmin will mitigate CVE-2019-15107, but restricting "Package Updates" module access is the only mitigation step available to prevent exploitation of CVE-2019-12840. Additionally, the Webmin team has noted that 1.930 addresses some cross-site scripting (XSS) vulnerabilities as well and encourages users to upgrade even if the password expiry policy option is not in use.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io.

Apple iPhone and iPad Devices Vulnerable After Reintroduction of SockPuppet Flaw in iOS 12.4 (CVE-2019-8605)


Previously disclosed and patched flaw was reintroduced in iOS 12.4, which could be used in combination with a separate vulnerability to hack into Apple mobile devices

Background

On August 18, unc0ver, a popular jailbreaking tool, was updated to version 3.5.0. For the first time in years, the release includes a public jailbreak for a signed version of Apple’s firmware, made possible by the reintroduction of a previously patched vulnerability (CVE-2019-8605).

Analysis

Earlier this year, security researcher Ned Williamson discovered and reported CVE-2019-8605, a use-after-free vulnerability dubbed “SockPuppet” in the XNU kernel for both iOS and macOS. It was patched by Apple in iOS 12.3 back in May 2019.

In July 2019, Williamson released SockPuppet and SockPuppet2, exploit code that “achieves kernel_task port” or task_for_pid(0) (tfp0), which is highly sought after for jailbreaking Apple devices.

However, following the release of iOS 12.4 on July 22, 2019, it appears that the SockPuppet flaw was unintentionally reintroduced. It was eventually incorporated into unc0ver version 3.5.0 to allow iPhone and iPad users to jailbreak their devices running the latest signed version of iOS. A subsequent update to unc0ver, version 3.5.1, credits security researcher Umang Raghuvanshi for his own variation on SockPuppet, dubbed SockPuppet 3.0, for its “amazing exploit reliability” on iOS 12.4.

The reintroduction of the SockPuppet vulnerability, along with the availability of the unc0ver jailbreak, means that certain Apple iPhone and iPad devices running specific iOS versions are not only vulnerable to being jailbroken, but also to exploitation by attackers.

Stefan Esser, a security researcher known as i0n1c, tweeted out a warning that users should also be careful about downloading apps from the App Store because a malicious app “could have a copy of the jailbreak in it” and he expects criminals to “incorporate this into Apps and submit to the iOS AppStore” soon.

Affected Versions

The following is a list of iOS versions and Apple devices that are affected by the SockPuppet vulnerability and the unc0ver jailbreak.

iOS Version | Impact
iOS 11.0 through 11.4.1 | Affected
iOS 12.0 through 12.2 | Affected
iOS 12.3, iOS 12.3.1 | Not Affected
iOS 12.3.2 (iPhone 8 Plus) | Not Affected
iOS 12.4 (Current Version) | Affected
iOS 13 (Beta Version) | Not Affected

Apple Devices | Apple Processor | Impact
iPhone 5S, iPad Air, iPad Mini 2, iPad Mini 3 | Apple A7 | Affected
iPhone 6, iPhone 6 Plus, iPod Touch (6th Generation), iPad Mini 4 | Apple A8 | Affected
iPad Air 2 | Apple A8X | Affected
iPhone 6S, iPhone 6S Plus, iPhone SE, iPad (5th Generation) | Apple A9 | Affected
iPad Pro (9.7” and 12.9”) | Apple A9X | Affected
iPhone 7, iPhone 7 Plus, iPad (6th Generation), iPod Touch (7th Generation) | Apple A10 Fusion | Affected
iPad Pro (10.5” and 12.9”) | Apple A10X Fusion | Affected
iPhone 8, iPhone 8 Plus, iPhone X | Apple A11 Bionic | Affected
iPhone XS, iPhone XS Max, iPhone XR, iPad Mini (2019), iPad Air (2019) | Apple A12 Bionic | Partially Affected
iPad Pro (11” and 12.9”) | Apple A12X Bionic | Partially Affected

A newer release of unc0ver, version 3.5.3, includes “partial support” for some Apple A12 and A12X devices on iOS 12.1.3, 12.1.4, 12.2 and 12.4.

Proof of concept

As previously referenced, exploit code for SockPuppet and SockPuppet 2 have been available since July 2019 and the updated exploit code for SockPuppet 3 is included in unc0ver versions 3.5.1 and later.

Solution

No new patch for the reintroduced SockPuppet vulnerability had been released at the time this blog was published. However, users running specific versions of iOS, such as 12.3, 12.3.1, 12.3.2 (iPhone 8 Plus) and 13 (beta releases) are not affected and are advised to remain on these versions until a patch is available. We anticipate that Apple will release an iOS update in the coming days.

Identifying affected systems

Tenable products offer integration with Mobile Device Management (MDM) solutions to identify mobile devices missing vendor updates. Once a patch is available, a list of our MDM plugins to identify vulnerable devices will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io.


How Emerson Uses Tenable.io to Find and Fix Vulnerabilities


Emerson’s solutions are used in manufacturing, industrial, commercial and residential environments. Learn how Tenable.io became a staple for the application and product security testing team.

The technologies and services provided by Emerson improve human comfort, safeguard food, protect the environment, enable sustainable food waste disposal and support efficient construction and maintenance of buildings and municipal infrastructure. The company, headquartered in St. Louis, MO, has two core businesses — Emerson Automation Solutions and Emerson Commercial & Residential Solutions — serving customers in industrial, commercial and residential markets. 

Making sure the hardware and software being developed is secure falls to Jon Brown, Emerson’s Manager of Application and Product Security Testing. Brown conducts penetration testing on the company’s offerings, working with the engineers to do threat modeling and think through what could go wrong with any given product. 

“Once the threat modeling is done, we sit down with them and talk about some of the controls that they can put in place to ensure that it is secure,” said Brown in an interview with Tenable during the Edge 2019 User Conference in May. “And then we ensure that the controls that they say that they're going to put in place, they do put in place.”

When the software requirements are met, Brown and his team “pull the hardware apart, and we try to see what we can do,” he said. “We monitor the communications, we scan to see what we can see on that device, if there are open ports, open services, and ensure that it's locked up as tight as it can be.”

How VPR Eases Communication Among Stakeholders 

One of the biggest challenges Brown faces is helping engineers see the security concerns he and his team are uncovering. “Vulnerability management is tough because you are showing them that their baby's ugly,” said Brown. “You're walking up to them and you're saying, ‘Hey man, like this doesn't look all that great.’ You need to be able to do it in a way that's a little dispassionate. If you have a tool that can...show the results in a way that can be digested and that can be obtained easily and is trusted then, all of sudden, that communication becomes a lot easier.”

Emerson turned to Tenable.io to help ease those difficult conversations. “Tenable.io is a staple of what we're doing in our penetration testing service to understand and get that initial attack surface and be able to leverage those results and make them real.” 

The Vulnerability Priority Rating (VPR), introduced in Tenable.io and Tenable.sc earlier this year, is giving Brown even more data to support his pen test findings when it comes time to present the results to the engineering team. “Tenable does a great job of showing you what's wrong,” he said. “But [engineers] always ask, ‘Prove it to me...Show me that these results actually matter.’ ” 

VPR is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

With VPR, Brown and his team are able to say “Here's that top three percent of what we really should focus in on, and that’s extremely valuable.”

Communicating with peers is only part of the story. Emerson also uses Tenable.io to provide context for cybersecurity conversations throughout the organization, including in the executive suite. “It's important for them to see trending...and it's important for them to see results,” said Brown. “They need to be able to understand where [you’re] at and where you're going and why you are going there.”

The VPR score goes beyond traditional criticality ratings to offer context about a vulnerability’s real-world exploitability and potential business impact on the organization’s specific environment.  “CVSS gives us that kind of baseline, but what is the business impact, what is the actual impact, what's the exploitability?,” said Brown. “[We’re] able to take those results up to the leadership and say, ‘Here are the issues that we're going to work on...this month, this quarter. And this is what that result looks like.’”

Being able to tell senior management “ ‘we had a thousand open [tickets] on this issue and this month we closed 900 of them’...shows real value and that shows actionable results,” added Brown. As a manufacturer, Emerson also has an obligation to reassure its own customers about the Cyber Exposure scores of its hardware and applications. “The companies that we do business with are starting to look at Emerson and say, ‘Why is your score X, we want it to be Y.’ And we're starting to look at companies [we do business with] and say, ‘Why is your score X, and we need it to be Z.’ It’s something that a lot of people are starting to take seriously, and I think that's a good thing. Ultimately, it raises the bar a little bit for everybody.”

Learn More:

Watch the interview with Emerson’s Jon Brown here:

CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure


A proof of concept has been made public for CVE-2019-11510, an arbitrary file disclosure vulnerability found in popular virtual private network software, Pulse Connect Secure.

Background

On April 24, Pulse Secure released a security advisory (later amended to include CVEs on the 25th) and patch for multiple critical and high severity vulnerabilities. The issues were identified in Pulse Connect Secure (PCS), previously known as Juniper SSL Virtual Private Network (VPN), a widely used commercial VPN solution. The issues were found by Orange Tsai and Meh Chang from the DEVCORE research team who shared details on the subject at their Black Hat and DEF CON talks earlier this month in Las Vegas.

Among the most severe issues reported is CVE-2019-11510, an arbitrary file disclosure vulnerability. This flaw could allow an unauthenticated, remote attacker to read the contents of files found on a vulnerable device, including sensitive information such as configuration settings.

Analysis

In order to exploit the issue, an attacker can send a malicious HTTP request containing directory traversal sequences along with a crafted Uniform Resource Identifier (URI) and access any file on the device. This provides the attacker access to sensitive device information, and as the researchers describe in their initial report of the issue, this attack could be chained with other vulnerabilities they discovered.

When a user logs into the admin interface of the VPN, their plain-text password is stored in /data/runtime/mtmp/lmdb/dataa/data.mdb. Using the method described above, the attacker could obtain the file, extract the user’s password, and log into the device. Once logged in, the attacker can take advantage of CVE-2019-11539, a command injection vulnerability in the administrative web interface. Alternatively, with the user’s credentials in hand, the attacker could exploit CVE-2019-11508, a vulnerability in the Network File Share (NFS), which allows an authenticated user to upload a malicious file and write arbitrary files to the host.

This research demonstrates how an attacker can take advantage of a pre-authentication flaw and achieve command execution by chaining multiple vulnerabilities to compromise a vulnerable device. What is most concerning about these chained exploits is that PCS is used to restrict external access to an environment, and by achieving command execution on the device, an attacker could use this access to weaponize the device and use it for malicious purposes such as data exfiltration.

If the attacker is not able to find cached credentials, they can access the file /data/runtime/mtmp/system to gather a list of users and hashed passwords. With enough time, effort, and processing power, an attacker could crack the hashes, giving them the ability to log in with the stolen credentials.
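One defensive use of the file paths named above is to watch for them in reverse-proxy or web-server logs. The following added example (not Tenable's or Pulse Secure's code; the log lines are constructed, and the hypothetical request paths are not the published exploit) percent-decodes each request path, resolves its traversal segments and flags requests that would land on those files:

```python
"""Flag web-server access-log lines that look like directory-traversal reads of
the sensitive Pulse Connect Secure files named above.

Added example, not Tenable's or Pulse Secure's code. The log lines are
constructed for illustration and the request paths are not the published
exploit; only the two sensitive file paths come from the write-up above.
"""
import re
from urllib.parse import unquote

# Files the write-up identifies as high value on a PCS appliance.
SENSITIVE_PATHS = (
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",  # cached plain-text admin password
    "/data/runtime/mtmp/system",               # user list and password hashes
)

# Common Log Format: client - - [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Percent-decode until stable (catches double encoding such as %252e)
    and fold backslashes, so traversal sequences can be compared textually."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve(path: str) -> str:
    """Collapse '.' and '..' segments the way a naive file lookup would,
    to learn which file the request would actually reach."""
    out = []
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def analyze_line(line: str):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize_path(m["path"])
    target = resolve(norm)
    reasons = []
    if "../" in norm:
        reasons.append("traversal")
    for sensitive in SENSITIVE_PATHS:
        # Match the resolved target and any literal mention (e.g. in a query string).
        if target == sensitive or sensitive in norm:
            reasons.append("sensitive:" + sensitive)
            break
    if not reasons:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "path": m["path"],
            "resolved": target, "reasons": reasons}


def scan_log(lines):
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample log, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2019:10:00:01 +0000] "GET /portal/login.cgi HTTP/1.1" 200 5123',
    '198.51.100.7 - - [22/Aug/2019:10:00:02 +0000] "GET /portal/%2e%2e/%2e%2e/%2e%2e/data/runtime/mtmp/lmdb/dataa/data.mdb HTTP/1.1" 200 40960',
    '198.51.100.7 - - [22/Aug/2019:10:00:03 +0000] "GET /portal/%252e%252e/%252e%252e/data/runtime/mtmp/system HTTP/1.1" 200 2048',
    '203.0.113.9 - - [22/Aug/2019:10:00:04 +0000] "GET /static/../images/logo.png HTTP/1.1" 200 1200',
    '203.0.113.5 - - [22/Aug/2019:10:00:05 +0000] "POST /portal/login.cgi HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        # A 200 on a sensitive path means the read likely succeeded: treat as an incident.
        print(finding["ip"], finding["status"], finding["resolved"], finding["reasons"])
```

A 200 response on one of the sensitive targets is the line to escalate; a 403 or 404 shows the attempt was blocked but still identifies a source worth watching.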

Adding to the concern over the potential to exploit these flaws, a Shodan search lists more than 42,000 devices that may be affected if proper patches have not yet been applied.

Image source: https://www.shodan.io

A breakdown of the CVEs and the PCS versions affected is outlined below:

CVE | CVSSv3 (Vendor Assigned) | NVD CVSSv3 Score | Tenable VPR | Versions of Pulse Connect Secure Affected
CVE-2019-11510 | 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) | 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 8.4 | 9.0RX, 8.3RX, 8.2RX (Note: 8.1RX and below are not directly impacted)
CVE-2019-11508 | 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) | 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | 5.9 | 9.0RX, 8.3RX, 8.2RX, 8.1RX
CVE-2019-11540 | 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | 6.7 | 9.0RX, 8.3RX
CVE-2019-11543 | 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | 3 | 9.0RX, 8.3RX, 8.1RX
CVE-2019-11541 | 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) | 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) | 3.6 | 9.0RX, 8.3RX, 8.2RX
CVE-2019-11542 | 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) | 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | 5.9 | 9.0RX, 8.3RX, 8.2RX, 8.1RX
CVE-2019-11539 | 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) | 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | 8.4 | 9.0RX, 8.3RX, 8.2RX, 8.1RX
CVE-2019-11538 | 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) | 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) | 4.4 | 9.0RX, 8.3RX, 8.2RX, 8.1RX
CVE-2019-11509 | 6.4 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) | 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 5.9 | 9.0RX, 8.3RX, 8.2RX, 8.1RX
CVE-2019-11507 | 5.8 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | 3 | 9.0RX, 8.3RX

Proof of concept

A proof of concept (PoC) was published to the Exploit Database on August 20 as an exploit module.

Solution

Pulse Secure has published a security advisory with information on each of the CVEs reported. Patching solutions are listed below:

Version installed | Fixed release
Pulse Connect Secure 9.0RX | Pulse Connect Secure 9.0R3.4 & 9.0R4
Pulse Connect Secure 8.3RX | Pulse Connect Secure 8.3R7.1
Pulse Connect Secure 8.2RX | Pulse Connect Secure 8.2R12.1
Pulse Connect Secure 8.1RX | Pulse Connect Secure 8.1R15.1

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities is available here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.

How To: Run Your First Vulnerability Scan with Nessus


Get your Nessus vulnerability assessment tool up and running with these five easy steps.

With Nessus, you can gain full visibility into your network by conducting a vulnerability assessment. Read on as we guide you through the five steps to run your first Nessus scan. (If you have not yet installed Nessus, please click here to see the installation guide.) 

Step 1: Creating a Scan

Once you have installed and launched Nessus, you’re ready to start scanning. First, you have to create a scan. To create your scan:

  • In the top navigation bar, click Scans.
  • In the upper-right corner of the My Scans page, click the New Scan button.

Step 2: Choose a Scan Template

Next, click the scan template you want to use. Scan templates simplify the process by determining which settings are configurable and how they can be set. For a detailed explanation of all the options available, refer to Scan and Policy Settings in the Nessus User Guide.

A scan policy is a set of predefined configuration options related to performing a scan. After you create a policy, you can select it as a template in the User Defined tab when you create a scan. For more information, see Create a Policy in the Nessus User Guide.

The Nessus interface provides brief explanations of each template in the product. Some templates are only available when you purchase a fully licensed copy of Nessus Professional.

To see a full list of the types of templates available in Nessus, see Scan and Policy Templates. To quickly get started with Nessus, use the Basic Network Scan template.

Step 3: Configure Scan Settings

Prepare your scan by configuring the settings available for your chosen template. The Basic Network Scan template has several default settings preconfigured, which allows you to quickly perform your first scan and view results without a lot of effort. 

Follow these steps to run a basic scan:

1. Configure the settings in the Basic Settings section. 

The following are Basic settings:

Setting | Description
Name | Specifies the name of the scan or policy. This value is displayed on the Nessus interface.
Description | (Optional) Specifies a description of the scan or policy.
Folder | Specifies the folder where the scan appears after being saved.
Targets | Specifies one or more targets to be scanned. If you select a target group or upload a targets file, you are not required to specify additional targets.

2. Configure remaining settings.

Although you can leave the remaining settings at their pre-configured default, Tenable recommends reviewing the Discovery, Assessment, Report and Advanced settings to ensure they are appropriate for your environment. 

For more information, see the Scan Settings documentation in the Nessus User Guide. 

3. Configure Credentials

Optionally, you can configure Credentials for a scan. This allows credentialed scans to run, which can provide much more complete results and a more thorough evaluation of the vulnerabilities in your environment. 

4. Launch Scan

After you have configured all your settings, you can either click the Save button to launch the scan later, or launch the scan immediately. 

If you want to launch the scan immediately, click the down button, and then click Launch. Launching the scan will also save it.

The time it takes to complete a scan involves many factors, such as network speed and congestion, so the scan may take some time to run.

Step 4: Viewing Your Results

Viewing scan results can help you understand your organization’s security posture and vulnerabilities. Color-coded indicators and customizable viewing options allow you to tailor how you view your scan’s data.

You can view scan results in one of several views:

Page | Description
Hosts | Displays all scanned targets.
Vulnerabilities | List of identified vulnerabilities, sorted by severity.
Remediations | If the scan's results include remediation information, this list displays all remediation details, sorted by the number of vulnerabilities.
Notes | Displays additional information about the scan and the scan’s results.
History | Displays a list of scans: Start Time, End Time, and the Scan Statuses.

Viewing scan results by vulnerabilities gives you a view into potential risks on your assets.

To view vulnerabilities:

  1. In the top navigation bar, click Scans.
  2. Click the scan for which you want to view results.
  3. Do one of the following:
    • Click a specific host to view vulnerabilities found on that host.
    • Click the Vulnerabilities tab to view all vulnerabilities.
  4. (Optional) To sort the vulnerabilities, click an attribute in the table header row to sort by that attribute.
  5. Clicking on the vulnerability row will open the vulnerability details page, displaying plugin information and output for each instance on a host.

Step 5: Reporting Your Results

Chances are your job isn’t done yet. You need to report your findings to your team.

Scan results can be exported in several file formats. Some of these report formats are customizable, while others are designed to be imported into another application or product, such as Microsoft Excel or Tenable.sc. For an explanation of the various report formats and the purpose of each, see the Nessus User Guide.

To Export a Scan Report:

  1. Start from a scan's results page
  2. In the upper-right corner, click Export.
  3. From the drop-down box, select the format in which you want to export the scan results.
  4. Click Export to download the report.

Thanks for using Nessus! Once your first scan is complete, you can begin to discover more of what Nessus has to offer. If you have additional questions, please see the Nessus FAQs or join in the conversation on the Tenable Community.

Critical Cisco Vulnerabilities Across Multiple Products, Exploit Code for CVE-2019-1913 Reportedly Released


Cisco published new advisories for Integrated Management Controller (IMC) and Unified Computing System (UCS) Director, and updates for Small Business 220 Series Smart Switches that include the existence of public exploit code. 

Background

On August 21, Cisco published 27 new advisories and updated six advisories across a variety of its products.

Analysis

Twelve of the advisories address vulnerabilities in Cisco Integrated Management Controller (IMC) used to manage Cisco Unified Computing System (UCS) C-Series Rack Servers and S-Series Storage Servers. Six advisories are for vulnerabilities affecting Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data. Four of the six advisories are rated by Cisco as Critical.

CVE | Products | Impact | Type | CVSSv3 (Vendor) | Severity
CVE-2019-1938 | Cisco UCS Director and Cisco UCS Director Express for Big Data API | Authentication Bypass | Unauthenticated | 9.8 | Critical
CVE-2019-1935 | Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data | User Default Credentials | Unauthenticated | 9.8 | Critical
CVE-2019-1937 | Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data | Authentication Bypass | Unauthenticated | 9.8 | Critical
CVE-2019-1974 | Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data | Authentication Bypass | Unauthenticated | 9.8 | Critical
CVE-2019-12634 | Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data | Command Injection | Unauthenticated | 8.6 | High
CVE-2019-1936 | Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data | Command Injection | Authenticated | 7.2 | High

Five of the six vulnerabilities could be exploited by an unauthenticated, remote attacker sending specially crafted requests to a vulnerable system. CVE-2019-1936 can only be exploited by an authenticated, remote attacker who is capable of logging into the vulnerable management interface. However, with CVE-2019-1935, an attacker could exploit this vulnerability by using the ‘scpuser’ account. According to Cisco, this default account has “incorrect permission settings” and uses an “undocumented default password” to log into a vulnerable system. Tenable has not yet confirmed whether use of the scpuser account would allow an attacker to exploit CVE-2019-1936.

Cisco also patched several additional IMC vulnerabilities this month.

CVE | Impact | CVSSv3 | Severity
CVE-2019-1907 | Privilege Escalation | 8.8 | High
CVE-2019-1865 | Command Injection | 8.8 | High
CVE-2019-1864 | Command Injection | 8.8 | High
CVE-2019-1900 | Denial of Service | 7.5 | High
CVE-2019-1908 | Information Disclosure | 7.5 | High
CVE-2019-1896 | Command Injection | 7.2 | High
CVE-2019-1885 | Command Injection | 7.2 | High
CVE-2019-1634 | Command Injection | 7.2 | High
CVE-2019-1850 | Command Injection | 7.2 | High
CVE-2019-1871 | Buffer Overflow | 7.2 | High
CVE-2019-1883 | Command Injection | 7.0 | High
CVE-2019-1863 | Privilege Escalation | 6.5 | High

In addition to these new advisories, Cisco released several updates for previously published advisories. This includes updates to the recently reported vulnerabilities in the Cisco Small Business 220 Series Smart Switches from August 6.

CVE | Impact | CVSSv3 | Tenable VPR | Severity
CVE-2019-1913 | Remote Code Execution | 9.8 | 8.9 | Critical
CVE-2019-1912 | Authentication Bypass | 9.1 | 8.3 | Critical
CVE-2019-1914 | Command Injection | 7.2 | 8.6 | Medium

Two of the three 220 Series Smart Switches vulnerabilities are rated as Critical and exist within the web management interface of these devices. Sending specially crafted requests to the vulnerable interface could allow a remote attacker to execute arbitrary code (CVE-2019-1913) or modify the device configuration (CVE-2019-1912). CVE-2019-1914 requires an attacker to be authenticated on a vulnerable interface and have level 15 permissions.

Additionally, Cisco updated its advisory for CVE-2019-1649, the Secure Boot Hardware Tampering Vulnerability known as Thrangrycat, to account for additional vulnerable products.

Proof of concept

Cisco’s Product Security Incident Response Team (PSIRT) notes in the updated advisories for the Small Business 220 Series Smart Switches that they are aware of the presence of public exploit code for these devices. However, at the time this blog post was published, Tenable has not identified a proof of concept (PoC) for these vulnerabilities.

Solution

Cisco has released updates for each of the affected products. The affected versions and relevant fixed versions can be found under the advisory pages. Customers should obtain and install these updates as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information 

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild


Attackers are exploiting arbitrary file disclosure vulnerabilities in popular SSL VPNs from Fortinet and PulseSecure.

Background

On August 22, two reports emerged of scanning activity targeting vulnerable Secure Socket Layer (SSL) virtual private network (VPN) systems. Kevin Beaumont (@GossiTheDog) tweeted that attackers had begun exploiting vulnerabilities in FortiGate SSL VPNs, while Troy Mursch (@Bad_Packets) tweeted that attackers were scanning for vulnerable Pulse Connect Secure SSL VPN endpoints.

Analysis

FortiGate SSL VPN Vulnerabilities

On August 8, Meh Chang and Orange Tsai of the DEVCORE research team published part two of their blog series on vulnerabilities in SSL VPNs, just one day after their Black Hat talk on the subject. The first part of the blog series, published on July 17, 2019, detailed CVE-2019-1579, a critical pre-authentication vulnerability they discovered in the Palo Alto Networks (PAN) GlobalProtect SSL VPN, which Tenable blogged about.

Part two of their blog series details their analysis and discovery of several vulnerabilities in Fortinet’s FortiGate SSL VPN. Chang and Tsai report they found more than 480,000 servers hosting FortiGate SSL VPN, adding that it is “common in Asia and Europe.”

The researchers detailed five vulnerabilities in FortiGate SSL VPNs:

CVE | Type | CVSSv3 | Tenable VPR
CVE-2018-13379 | Arbitrary File Read (Pre-Authentication) | 7.5 | 7.3
CVE-2018-13380 | Cross-Site Scripting (Pre-Authentication) | 6.1 | 3
CVE-2018-13381 | Heap Overflow (Pre-Authentication) | 7.5 | 6.7
CVE-2018-13382 | Improper Authorization (“Magic Backdoor”) | 7.5 | 7.1
CVE-2018-13383 | Heap Overflow (Post-Authentication) | 6.5 | 4.4

* Please note Tenable VPR scores are calculated nightly, so the scores referenced in this table reflect the scores at the time the blog was published and are subject to change.

Attackers appear to be utilizing CVE-2018-13379, a pre-authentication arbitrary file read vulnerability in the way FortiOS attempts to request a language file from the system. Exploitation of this vulnerability allows an attacker to read the contents of the ‘sslvpn_websession,’ a session file that contains a username and plaintext password on a vulnerable system.

According to Chang and Tsai, CVE-2018-13379 can be paired with CVE-2018-13383, a post-authentication heap overflow vulnerability in the FortiGate WebVPN. CVE-2018-13383 could be triggered when an attacker instructs the SSL VPN to proxy to an attacker-controlled web server hosting an exploit file.

Image Credit: Meh Chang and Orange Tsai

Another notable vulnerability discovered in the FortiGate SSL VPN is CVE-2018-13382, which the researchers call “the magic backdoor.” The name is derived from a “special” parameter named magic, which is used as a secret key to reset passwords without authentication. However, an attacker would need to know what the “magic” string is in order to reset a password. While Chang and Tsai did not disclose the magic string in their findings, other researchers have managed to reproduce it, and it appears that the magic string has been publicly revealed, so we anticipate it will soon be used by attackers.

Pulse Connect Secure SSL VPN Vulnerabilities

Following the disclosure of a proof-of-concept for CVE-2019-11510, an arbitrary file disclosure vulnerability in Pulse Connect Secure, attackers have begun scanning for vulnerable Pulse Connect Secure VPN server endpoints. Similar to CVE-2018-13379, attackers are using CVE-2019-11510 to seek out vulnerable systems in order to retrieve usernames and plaintext passwords. Once authenticated, attackers could utilize CVE-2019-11539, a command injection vulnerability in the admin web interface, to gain access to what is normally a restricted environment, e.g. a corporate network.

Over 14,500 Pulse Secure VPN endpoints are vulnerable to CVE-2019-11510, according to Mursch. This figure was derived from BinaryEdge, a search engine that scans and indexes systems on the internet, which showed 41,850 Pulse Secure VPN endpoints publicly accessible. Using HEAD HTTP requests, Mursch identified 14,528 of those endpoints as vulnerable; they include government agencies, universities, hospitals, utility providers, financial institutions, media corporations and a number of Fortune 500 companies.

Security researchers Alyssa Herrera and Justin Wagner plan to share more details about post-authentication remote code execution for Pulse Secure in an upcoming blog post.

Additionally, Meh Chang and Orange Tsai have plans to release the third part of their SSL VPN blog series about Pulse Connect Secure.

Finally, Kevin Beaumont recently mentioned that attackers targeting Pulse Connect Secure SSL VPNs could also access encrypted Active Directory (AD) credentials and decrypt them because they are encrypted using static keys, which are now public.

Further details on the Pulse Connect Secure vulnerabilities can be found in our blog, CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure.

Proof of concept

There is proof-of-concept code for vulnerabilities in both SSL VPNs.

CVE | PoC | Product
CVE-2018-13379, CVE-2018-13383 | Blog from Meh Chang and Orange Tsai | FortiGate SSL VPN
CVE-2018-13379 | GitHub: CVE-2018-13379 | FortiGate SSL VPN
CVE-2018-13379 | Exploit Database | FortiGate SSL VPN
CVE-2019-11510 | Exploit Database | Pulse Connect Secure
CVE-2019-11510 | GitHub: CVE-2019-11510-poc | Pulse Connect Secure

Solution

Fortinet patched these vulnerabilities in April and May 2019.

Fortinet Advisory | Affected Versions | Fixed Versions | Patch Date
CVE-2018-13379 (FG-IR-18-384) | FortiOS 6.0.0 - 6.0.4*, FortiOS 5.6.3 - 5.6.7* | FortiOS >= 5.6.8, FortiOS >= 6.0.5, FortiOS >= 6.2.0 | May 24, 2019
CVE-2018-13380 (FG-IR-18-383) | FortiOS 6.0.0 - 6.0.4, FortiOS 5.6.0 - 5.6.7, FortiOS <= 5.4 | FortiOS >= 5.6.8, FortiOS >= 6.0.5, FortiOS >= 6.2.0 | May 24, 2019
CVE-2018-13381 (FG-IR-18-387) | FortiOS 6.0.0 - 6.0.4, FortiOS 5.6.0 - 5.6.7, FortiOS <= 5.4 | FortiOS >= 5.6.8, FortiOS >= 6.0.5, FortiOS >= 6.2.0 | May 17, 2019
CVE-2018-13382 (FG-IR-18-389) | FortiOS 6.0.0 - 6.0.4*, FortiOS 5.6.0 - 5.6.8*, FortiOS 5.4.1 - 5.4.10* | FortiOS >= 5.4.11, FortiOS >= 5.6.9, FortiOS >= 6.0.5, FortiOS >= 6.2.0 | May 24, 2019
CVE-2018-13383 (FG-IR-18-388) | FortiOS 6.0.0 - 6.0.4, FortiOS <= 5.6.10 | FortiOS >= 5.6.11, FortiOS >= 6.0.5, FortiOS >= 6.2.0 | April 2, 2019

* Vulnerable only when SSL VPN service is enabled.
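The affected and fixed ranges above are easy to misread across three FortiOS branches, so here is an added worked example (written for this post, not Fortinet's or Tenable's tooling) that encodes the table and answers, for a given FortiOS release, which of the five CVEs apply and which release on the same branch closes them. The asterisk condition is carried as a flag so that a device with the SSL VPN service disabled is reported correctly for CVE-2018-13379 and CVE-2018-13382. The ranges are transcribed from the table; versions not covered by any listed range are reported as not affected, which is only as accurate as the table itself.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges and fixed releases transcribed from the Fortinet advisory table.
# Each affected entry is (low, high, ssl_vpn_only): low=None means "every release
# up to high"; a two-component high such as (5, 4) covers the whole 5.4 branch;
# ssl_vpn_only mirrors the asterisk (vulnerable only when SSL VPN is enabled).
ADVISORIES: Dict[str, dict] = {
    "CVE-2018-13379": {
        "advisory": "FG-IR-18-384",
        "affected": [((6, 0, 0), (6, 0, 4), True), ((5, 6, 3), (5, 6, 7), True)],
        "fixed": [(5, 6, 8), (6, 0, 5), (6, 2, 0)],
    },
    "CVE-2018-13380": {
        "advisory": "FG-IR-18-383",
        "affected": [((6, 0, 0), (6, 0, 4), False), ((5, 6, 0), (5, 6, 7), False), (None, (5, 4), False)],
        "fixed": [(5, 6, 8), (6, 0, 5), (6, 2, 0)],
    },
    "CVE-2018-13381": {
        "advisory": "FG-IR-18-387",
        "affected": [((6, 0, 0), (6, 0, 4), False), ((5, 6, 0), (5, 6, 7), False), (None, (5, 4), False)],
        "fixed": [(5, 6, 8), (6, 0, 5), (6, 2, 0)],
    },
    "CVE-2018-13382": {
        "advisory": "FG-IR-18-389",
        "affected": [((6, 0, 0), (6, 0, 4), True), ((5, 6, 0), (5, 6, 8), True), ((5, 4, 1), (5, 4, 10), True)],
        "fixed": [(5, 4, 11), (5, 6, 9), (6, 0, 5), (6, 2, 0)],
    },
    "CVE-2018-13383": {
        "advisory": "FG-IR-18-388",
        "affected": [((6, 0, 0), (6, 0, 4), False), (None, (5, 6, 10), False)],
        "fixed": [(5, 6, 11), (6, 0, 5), (6, 2, 0)],
    },
}


def parse_version(text: str) -> Version:
    """'6.0.4' -> (6, 0, 4); raises ValueError on anything that is not dotted integers."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version: Version, low: Optional[Version], high: Version) -> bool:
    """Inclusive range test; a short high tuple acts as a branch prefix (5.4 covers 5.4.x)."""
    if low is not None and version < low:
        return False
    return version[:len(high)] <= high


def recommended_fix(version: Version, fixed: List[Version]) -> str:
    """Prefer the fixed release on the same major.minor branch, else the lowest fixed release."""
    same_branch = [f for f in fixed if f[:2] == version[:2]]
    target = min(same_branch) if same_branch else min(fixed)
    return ".".join(str(p) for p in target)


def assess(version_text: str, ssl_vpn_enabled: bool = True) -> Dict[str, dict]:
    """Per CVE: whether this FortiOS release is affected and which release to move to."""
    version = parse_version(version_text)
    report = {}
    for cve, entry in ADVISORIES.items():
        hit = next((r for r in entry["affected"] if in_range(version, r[0], r[1])), None)
        affected = hit is not None and (ssl_vpn_enabled or not hit[2])
        report[cve] = {
            "advisory": entry["advisory"],
            "affected": affected,
            "ssl_vpn_only": bool(hit and hit[2]),
            "fix": recommended_fix(version, entry["fixed"]) if affected else None,
        }
    return report


def affected_cves(version_text: str, ssl_vpn_enabled: bool = True) -> List[str]:
    """Sorted list of CVE ids that apply to the given release."""
    return sorted(cve for cve, r in assess(version_text, ssl_vpn_enabled).items() if r["affected"])


if __name__ == "__main__":
    for ver, vpn in (("6.0.4", True), ("6.0.4", False), ("5.4.5", True), ("6.0.5", True)):
        for cve, r in assess(ver, vpn).items():
            if r["affected"]:
                print(f"FortiOS {ver} (SSL VPN {'on' if vpn else 'off'}): {cve} {r['advisory']} -> update to {r['fix']}")
```

Note that a 5.4.x device has no listed 5.4 fix for CVE-2018-13380, CVE-2018-13381 or CVE-2018-13383, so the function points it at the lowest fixed release on another branch; whether that upgrade is feasible is a change-management question the table cannot answer, which is where the workarounds mentioned below come in.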

With reports of active exploitation, customers running vulnerable versions of FortiGate SSL VPNs are strongly advised to update as soon as possible. If updating is not feasible at this time, Fortinet has provided workarounds, which can be found in the advisory pages listed in the table above. Please note that some of the workarounds include disabling the SSL-VPN service entirely.

Identifying affected systems

A list of Tenable plugins to identify vulnerabilities in FortiGate SSL VPNs can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.
