
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs


Three critical SSL VPN vulnerabilities have become some of the most exploited by advanced persistent threat actors and ransomware groups.

To effectively prioritize remediation efforts, defenders must understand how attackers are targeting organizations and then act on that knowledge. Vulnerabilities in SSL VPN products are some of the most exploited by attackers for initial access to target networks, acting as a doorway for exploitation. Defenders need to hold the door — Game of Thrones fans will understand this reference. To defend distributed enterprise networks, teams must ensure their SSL VPN products are fully updated and properly configured to keep attackers out.

Earlier this year, the Tenable Security Response Team (SRT) published our Threat Landscape Retrospective (TLR) report examining major trends from 2020. One of those trends was the popularity of secure socket layer (SSL) virtual private network (VPN) vulnerabilities with threat actors. The TLR specifically highlighted the following three vulnerabilities in VPN products as part of the Top Five Vulnerabilities of the year.

| CVE | Affected Product | CVSS | VPR* |
| --- | --- | --- | --- |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC), Gateway and SD-WAN WANOP | 9.8 | 9.9 |
| CVE-2019-11510 | Pulse Connect Secure SSL VPN | 10.0 | 10.0 |
| CVE-2018-13379 | Fortinet FortiGate SSL VPN | 9.8 | 9.9 |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 25 and reflects VPR at that time.

Source: Tenable 2020 Threat Landscape Retrospective, January 2021.

Although all three vulnerabilities were disclosed in 2019 and patched by January 2020, they continue to be routinely exploited more than halfway through 2021. According to a joint cybersecurity advisory from four international government agencies, these vulnerabilities were some of the most exploited in 2020. In fact, CVE-2019-19781 was named the most exploited vulnerability of 2020, according to government data.

Based on this information, we felt it was prudent to re-examine how attackers have historically been exploiting these vulnerabilities, along with new reports of attacks, in 2021. We hope collecting this information in a single place will illustrate the dire importance of patching these vulnerabilities for any organizations that have been lagging.

SSL VPNs: the doorway for attackers

To provide a more holistic picture, we also explore several other relevant CVEs in the three key SSL VPN products. The additional CVEs highlighted in the table below have been included in alerts alongside the three listed above or have been paired with other vulnerabilities as part of attack chains.

| Product | CVEs |
| --- | --- |
| Citrix ADC, Gateway and SD-WAN WANOP | CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 |
| Pulse Connect Secure SSL VPN | CVE-2019-11510, CVE-2019-11539, CVE-2020-8260, CVE-2020-8243, CVE-2021-22893 |
| Fortinet FortiGate SSL VPN | CVE-2018-13379, CVE-2018-13382, CVE-2018-13383, CVE-2019-5591, CVE-2020-12812 |

Source: Tenable, August 2021

Citrix ADC, Gateway and SD-WAN WANOP

CVE-2019-19781 is a path or directory traversal vulnerability in Citrix ADC, Gateway and SD-WAN WANOP products disclosed on December 17, 2019. It received a CVSSv3 score of 9.8. At the time the vulnerability was disclosed, no patches were available. To exploit this vulnerability, an unauthenticated, remote attacker could send a specially crafted request containing a directory traversal string to a vulnerable Citrix endpoint. Successful exploitation would allow an attacker to execute arbitrary code.

Directory traversal flaws aren’t new; they have been around for decades, but they have seen a resurgence in recent years. As the name implies, exploiting a directory traversal flaw lets an attacker reach file paths that would normally be inaccessible to a non-administrative user.
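To show what a defender can look for, here is an added example (not Tenable's code and not the CVE-2019-19781 payload) that flags directory traversal attempts in web-server access logs. It canonicalizes each request path (repeated percent-decoding, backslash normalization) before checking for a `..` path segment, so encoded and double-encoded variants are caught while names like `app..js` are not; the log lines are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); the paths are
# illustrative only and are not taken from any real exploit.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Aug/2021:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.9 - - [25/Aug/2021:10:00:02 +0000] "GET /vpn/../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [25/Aug/2021:10:00:03 +0000] "GET /vpn/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [25/Aug/2021:10:00:04 +0000] "GET /vpn/%252e%252e/config HTTP/1.1" 404 0
203.0.113.7 - - [25/Aug/2021:10:00:05 +0000] "GET /static/app..js HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def canonicalize(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, to catch double encoding)
    and unify path separators so '\\..\\' is seen as '/../'."""
    prev, rounds = None, 0
    while prev != path and rounds < max_rounds:
        prev, path, rounds = path, unquote(path), rounds + 1
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path segment (query string excluded) is exactly '..'."""
    segments = canonicalize(path).split("?", 1)[0].split("/")
    return ".." in segments


def find_traversal_attempts(log_text: str):
    """Return (source_ip, raw_path, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def sources_by_count(log_text: str):
    """Aggregate hits per source IP, most active first."""
    counts = {}
    for ip, _, _ in find_traversal_attempts(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A 404 on a traversal attempt only means that particular probe missed; the source should still be treated as hostile and correlated with the patch status of the device.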

For weeks, there was an expectation that without patches, this vulnerability would be exploited in the wild. By January 10, 2020, and after extensive attention and analysis from researchers, exploit scripts were circulating publicly. On the following day, the SANS Internet Storm Center reported exploitation attempts using those scripts against its honeypots. Citrix finally released patches for CVE-2019-19781 on January 24, 2020. Based on the history of exploitation that continues well into 2021, it’s safe to presume many organizations still have not applied these patches a year-and-a-half after they were released.

Exploitation of CVE-2019-19781 began shortly after it was disclosed. Reports and alerts circulated throughout 2020, earning it the status of the most exploited CVE for the year. You wouldn’t expect a vulnerability this popular to fade into obscurity, and you’d be right. Attackers continue to exploit this vulnerability into 2021.

CVE-2019-19781 has been leveraged by several threat groups targeting the healthcare industry. Ransomware groups like Maze (now defunct) and Conti have a preference for attacking remote desktop protocol, but have also been observed exploiting CVE-2019-19781 in attacks against the healthcare sector. Additionally, advanced persistent threat (APT) groups have exploited this vulnerability against targets working on COVID-19 vaccine development.

Attackers have indicated their preference for this vulnerability in online forums between January 2020 and March 2021. CVE-2019-19781 was the top mentioned CVE on Russian and English-speaking dark web forums, according to Cognyte research. It was mentioned in 49 posts, the second highest number of posts.

In June 2021, researchers at Trend Micro published an analysis of the Nefilim ransomware group. This research revealed that this group uses CVE-2019-19781 as an initial attack vector. Trend Micro used Nefilim as a case study to illustrate behaviors of “modern ransomware attacks,” so it stands to reason that other ransomware groups are also using this vulnerability in their attacks.

Pulse Connect Secure

In April 2019, Pulse Secure released an out-of-band security advisory to address multiple vulnerabilities in its Pulse Connect Secure SSL VPN solution, including several flaws disclosed by researchers Meh Chang and Orange Tsai of the DEVCORE research team. The most notable vulnerability listed in the advisory was CVE-2019-11510, an arbitrary file disclosure vulnerability that was assigned the maximum CVSSv3 score of 10.0. An unauthenticated, remote attacker could exploit the vulnerability by sending an HTTP request containing a specially crafted directory traversal string.

Successful exploitation of CVE-2019-11510 would allow an attacker to read the contents of sensitive files on the vulnerable Pulse Connect Secure device. One file in particular, data.mdb, contains plain-text passwords for the SSL VPN. If an attacker is able to read this file, they can use the plain-text passwords to authenticate to the vulnerable SSL VPN. By itself, the vulnerability is significant because it lets attackers authenticate to an SSL VPN simply by sending requests to a vulnerable device. However, when chained with CVE-2019-11539, a post-authentication command injection vulnerability in Pulse Secure, an attacker could gain access to a restricted environment, such as a corporate network.

Post-authentication flaws are exploited after an attacker has successfully authenticated to a vulnerable device, either using a separate pre-authentication vulnerability or using valid credentials obtained through theft or brute force.

In August 2019, following Chang and Tsai’s Black Hat and DEF CON 27 presentations regarding their research into several SSL VPNs, proof-of-concept (PoC) exploit scripts began circulating on GitHub. Soon after, researchers noticed an uptick in attempts to scan for and exploit vulnerable Pulse Connect Secure systems.

In addition to the sensitive plain-text passwords accessible by exploiting CVE-2019-11510, researchers also discovered that attackers could access Active Directory credentials that were encrypted using a static key that would allow for “easy decryption.”

In January 2020, attackers leveraged CVE-2019-11510 in order to deploy the REvil, or Sodinokibi, ransomware. In March, researchers at Palo Alto Networks’ Unit 42 noted that CVE-2019-11510 was also used by the Maze ransomware group. It’s just one of the SSL VPN vulnerabilities used by ransomware groups to get their foot in the door before moving laterally in order to distribute a ransomware payload across a network.

In the first quarter of 2021, a report from Nuspire showed a 1,527% increase in attempts to exploit CVE-2019-11510 against vulnerable Pulse Connect Secure SSL VPNs.

While much of the attention has been on CVE-2019-11510, and for good reason, a Pulse Connect Secure zero-day identified as CVE-2021-22893 was disclosed in April 2021 and was already being exploited in the wild. Soon after this disclosure, researchers found that Chinese threat actors were leveraging CVE-2021-22893 as well as other post-authentication Pulse Connect Secure flaws in addition to CVE-2019-11539. These include CVE-2020-8260 and CVE-2020-8243, two flaws in the administrator web interface of Pulse Connect Secure devices that were patched in September and October 2020.

Fortinet FortiOS

In May 2019, Fortinet released Product Security Incident Response Team (PSIRT) advisory FG-IR-18-384 to address CVE-2018-13379, a directory traversal vulnerability in its FortiOS SSL VPN. The flaw allows an unauthenticated attacker to access arbitrary system files using crafted HTTP requests.

This vulnerability was described by Chang and Tsai of DEVCORE in the same 2019 Black Hat USA and DEF CON 27 presentations as the Pulse Secure vulnerability mentioned earlier. The pair detailed how CVE-2018-13379 could be utilized to obtain a session file which contains the username and plaintext password for a VPN user, very similar to CVE-2019-11510. This data would prove valuable to chain with additional vulnerabilities in the VPN, including CVE-2018-13383, a post-authentication heap overflow vulnerability which was utilized to gain a remote shell on affected versions of FortiOS SSL VPNs. CVE-2018-13383 was addressed in PSIRT advisory FG-IR-18-388 in April 2019 with additional affected release branches patched in May, August and November 2019.

Shortly after the Black Hat and DEF CON conferences, Fortinet released a blog post discussing the vulnerabilities and patches, urging customers to apply the patches as soon as possible. Within a month of the conference talks, attackers began exploiting vulnerable devices, and multiple PoCs were released for several CVEs in FortiGate SSL VPNs.

While CVE-2018-13379 was one of the most favored vulnerabilities for attackers and APT groups, additional flaws in FortiOS were identified and patched by Fortinet, including CVE-2019-5591 and CVE-2020-12812, which were also leveraged by threat actors.

CVE-2019-5591 is a default configuration vulnerability in the FortiGate SSL VPN due to a lack of verification of a Lightweight Directory Access Protocol (LDAP) certificate, which would allow the attacker to harvest sensitive information intended for a legitimate LDAP server.

CVE-2020-12812 is an improper authentication vulnerability in the FortiGate SSL VPN due to a misconfigured setting for two-factor authentication. This could be exploited if a legitimate user changes the case of their username, nullifying the second factor requirement, allowing an attacker to bypass two-factor authentication altogether.
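The username-case bypass described above is a canonicalization mismatch: one check matches the account case-insensitively while the two-factor policy is looked up by the raw string. The following added example is an illustrative model written for this post, not FortiOS code; the user store, password hashing and names are constructed, and it places the flawed login beside the hardened one.

```python
import hashlib
import hmac


def _hash(password: str, salt: str = "demo-salt") -> str:
    # Demo-only salted hash; a real system would use a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: canonical (lower-case) username -> record
USERS = {
    "alice": {"pw": _hash("correct horse"), "mfa": True},
    "bob": {"pw": _hash("battery staple"), "mfa": False},
}


def _password_ok(username: str, password: str) -> bool:
    # Directory backends commonly match usernames case-insensitively,
    # so 'ALICE' and 'alice' both resolve to the same account here.
    rec = USERS.get(username.lower())
    return rec is not None and hmac.compare_digest(rec["pw"], _hash(password))


def login_vulnerable(username: str, password: str, otp_valid: bool) -> str:
    """Password check is case-insensitive, but the 2FA policy lookup uses
    the raw username, so 'ALICE' authenticates as alice yet never reaches
    the second-factor rule. Returns 'denied', 'need-2fa' or 'granted'."""
    if not _password_ok(username, password):
        return "denied"
    rec = USERS.get(username)  # case-sensitive lookup: the flaw
    if rec is not None and rec["mfa"] and not otp_valid:
        return "need-2fa"
    return "granted"


def login_fixed(username: str, password: str, otp_valid: bool) -> str:
    """Canonicalize the identifier once and use that same key for every
    policy decision, so a case change cannot detach the second factor."""
    canon = username.strip().lower()
    if not _password_ok(canon, password):
        return "denied"
    if USERS[canon]["mfa"] and not otp_valid:
        return "need-2fa"
    return "granted"


if __name__ == "__main__":
    print("vulnerable, ALICE without OTP:", login_vulnerable("ALICE", "correct horse", False))
    print("fixed, ALICE without OTP:     ", login_fixed("ALICE", "correct horse", False))
```

The general rule the fix embodies is that every authorization decision for a principal must key off one canonical identifier derived before any check runs.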

According to Nuspire, attacks leveraging CVE-2018-13379 against Fortinet’s SSL VPNs increased 1,916% in the first quarter of 2021.

In an April report from Kaspersky ICS CERT, an incident response investigation revealed that CVE-2018-13379 was utilized as an initial entry point into an enterprise network by threat actors who later deployed Cring ransomware. The Cring ransomware is a relatively new ransomware variant which utilizes two forms of encryption and deletes backup files in attempts to force victims to pay the ransom.

With the public PoCs and ample unpatched devices for attackers to target, FortiGate SSL VPNs will remain highly valuable entry points for attackers unless action is taken to secure the devices and apply the necessary security updates. As attacks continue, Fortinet has attempted to reach out to its customers and release regular updates, including a blog post in June 2021 urging customers to take immediate action to apply the patches or mitigations outlined in their PSIRTs.

Threat actors target all three SSL VPNs

Nation-state actors have shown a preference for SSL VPN vulnerabilities. On April 15, 2021, the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) published a joint alert about Russian Foreign Intelligence Service (SVR) activity leveraging all of these vulnerabilities. This followed alerts from 2020 pointing to state-sponsored attacks from China, Iran and Russia leveraging these vulnerabilities. These vulnerabilities were often leveraged in exploit chains leading to the takeover of domain controllers through the use of CVE-2020-1472, also known as Zerologon.

An additional advisory followed from the FBI in May 2021 urging the immediate patching of CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 while also providing indicators of compromise (IOCs) that had been observed with APT activity. CVE-2018-13379, CVE-2019-19781 and CVE-2019-11510 were all included in a joint advisory listing the Top Routinely Exploited Vulnerabilities of 2020 by the Cybersecurity and Infrastructure Security Agency (CISA), the U.K. National Cyber Security Center (NCSC), the Australian Cyber Security Center (ACSC) and the FBI.

Attackers won’t stop unless you hold the door

It may be common knowledge, but it bears repeating: threat actors habitually exploit older vulnerabilities for which exploit or PoC code is available. All of the products described in this post have been targeted by ransomware groups to gain initial entry to networks. Most modern ransomware groups operate as a ransomware-as-a-service, where they provide the malware and infrastructure but rely on affiliates to gain access to organizations in order to deploy their ransomware. Affiliates use a variety of methods to gain entry. Because SSL VPNs provide a doorway into organizations, ransomware affiliates will continue to target these unpatched flaws until organizations take steps to reinforce these entry points by patching vulnerabilities in SSL VPN products.

While our focus here is on a few specific vulnerabilities, the important lesson is that routine patching and maintenance for SSL VPNs is an absolutely critical aspect of cyber hygiene. Three other vulnerabilities in Citrix ADC, Gateway and SD-WAN (CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196) were exploited by attackers last year, including Chinese threat actors that targeted the vulnerabilities we covered in detail here.

Multiple vulnerabilities in Pulse Connect Secure and Fortinet have also been exploited by threat actors, even if they showed a preference for a few specific vulnerabilities. Pulse Connect Secure vulnerabilities are particularly favored by threat actors. There are at least 16 malware families that have been developed to exploit vulnerabilities in Pulse Connect Secure, further solidifying the value of legacy flaws in SSL VPNs for cybercriminals and APT groups. With Fortinet, CVE-2018-13383 and CVE-2018-13382 could be valuable to attackers, particularly in exploit chains. Both of these vulnerabilities were exploited by APT groups.

Addressing these persistently exploited vulnerabilities in SSL VPNs is, perhaps, the easiest prioritization decision for any organization. Patches have been available for these vulnerabilities for years; attackers of all kinds have been targeting them for just as long. Government agencies have issued multiple alerts advocating immediate action. Creating maintenance windows to update SSL VPNs can be difficult, especially with remote workers distributed across time zones. But if your organization uses one of these products and has not yet patched the relevant vulnerabilities, develop a plan right now to address it. The risk is hard to overstate.

Identifying affected systems

A list of Tenable plugins to identify all of the vulnerabilities discussed in this post can be found here. In addition, many of these CVEs were included in our 2020 Threat Landscape Retrospective scan policy, which can be utilized for targeted scans of the CVEs covered in the TLR report.

The scan policy is accessible across Tenable products, including Nessus, Tenable.sc and Tenable.io.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


CVE-2021-26084: Atlassian Confluence OGNL Injection Vulnerability Exploited in the Wild


A recently disclosed critical flaw in Atlassian Confluence Server is being exploited in the wild by attackers. Organizations should apply patches immediately.

Background

On August 25, Atlassian published a security advisory for a critical vulnerability in its Confluence Server and Data Center software.

| CVE | Description | CVSSv3 | VPR* |
| --- | --- | --- | --- |
| CVE-2021-26084 | Confluence Server Webwork OGNL Injection | 9.8 | 9.7 |

* Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 7 and reflects VPR at that time.

On September 1, one week after the advisory was published, Troy Mursch of Bad Packets detected attackers scanning for and attempting to exploit vulnerable servers.

Analysis

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability in the Atlassian Confluence Webwork implementation. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to vulnerable endpoints on the Confluence Server or Data Center instance. Successful exploitation would allow an attacker to execute arbitrary code.

Initial confusion surrounding authentication requirement

When the vulnerability was first disclosed on August 25, the advisory stated that an authenticated attacker or “in some instances” an unauthenticated attacker — depending on the configuration — could exploit the flaw. However, in a subsequent update on September 4, Atlassian revised its advisory clarifying that authentication is not required to exploit the vulnerability and that in-the-wild exploitation had been observed.


Image Source: Atlassian Confluence Advisory

Thousands of Confluence Servers are vulnerable to CVE-2021-26084

On September 2, Censys, a search engine for discovering internet devices, published a blog post analyzing the number of hosts vulnerable to CVE-2021-26084.

Initially, Censys found that over 12,000 servers were publicly accessible and vulnerable to this flaw on September 1. However, they’ve since observed a marked decrease in the number of vulnerable servers, down to 8,597 as of September 5.

Image Source: Censys Blog

Attackers installing cryptocurrency miners on vulnerable Confluence servers

According to both Mursch and researcher Kevin Beaumont, attackers that have scanned for and exploited CVE-2021-26084 have been installing the XMRig cryptocurrency miner on vulnerable Confluence servers on both Windows and Linux. BleepingComputer reports they’ve reviewed a separate active exploit that attempts to install the Kinsing malware, which Trend Micro analyzed in November 2020.

Unpatched vulnerabilities remain valuable for cybercriminals months to years later

Now that active exploitation has begun, it is worth remembering that attackers have historically found success targeting flaws in Atlassian products like Confluence. For instance, CVE-2019-3396, a vulnerability in the Confluence Widget Connector that was patched in March 2019, was exploited in the wild in April 2019 by the GandCrab ransomware group and the AESDDoS botnet. Despite patches being available for over two years, CVE-2019-3396 is listed as one of the Top Routinely Exploited Vulnerabilities in a joint government advisory published in July.

Even with the observed decrease in the number of vulnerable Confluence servers, we expect to see continued exploitation attempts for CVE-2021-26084 in the coming weeks to months as other threat actors incorporate public exploits into their toolkits.

Proof of concept

At the time this blog post was published, there were at least 27 repositories on GitHub containing proof-of-concept code to detect and/or exploit CVE-2021-26084 as well as write-ups about the flaw.

Solution

Atlassian has released patches for CVE-2021-26084. In its advisory, Atlassian confirms that this flaw affects a number of branches of Confluence Server and Data Center instances:

| Affected Branch/Versions | Fixed Branch/Version |
| --- | --- |
| 4.x.x | Upgrade to a fixed version below |
| 5.x.x | Upgrade to a fixed version below |
| 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x, 6.6.x, 6.7.x, 6.8.x, 6.9.x, 6.10.x, 6.11.x, 6.12.x, 6.14.x, 6.15.x | Upgrade to a fixed version below |
| 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.5.x, 7.6.x, 7.8.x, 7.9.x, 7.10.x | Upgrade to a fixed version below |
| 6.13.22 and lower | 6.13.23 |
| 7.4.10 and lower | 7.4.11 |
| 7.11.5 and lower | 7.11.6 |
| 7.12.4 and lower | 7.12.5 |

Please note that Atlassian Confluence Cloud is not affected by this vulnerability.

Atlassian advises customers to upgrade to the newest Long Term Support (LTS) release available, which is Confluence 7.13. If upgrading to an LTS release is not currently feasible, Atlassian has provided point releases for 6.13.x, 7.4.x, 7.11.x and 7.12.x.
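As an added example (not Atlassian's or Tenable's code), the function below turns the advisory table above into a triage check over an inventory of Confluence hosts: point-release branches get their specific fix, other listed branches are pointed at the 7.13 LTS, and branches the table does not mention are reported rather than assumed safe. It assumes 7.13 and later are fixed, as the LTS guidance implies; the inventory hostnames and versions are constructed.

```python
from typing import List, Optional, Tuple

Status = Tuple[str, Optional[str]]  # ("vulnerable"|"patched"|"not-listed", fix)

# Point-release branches from the advisory table:
# (major, minor) -> (highest vulnerable patch level, first fixed patch level)
POINT_FIXES = {
    (6, 13): (22, 23),
    (7, 4): (10, 11),
    (7, 11): (5, 6),
    (7, 12): (4, 5),
}

# Branches the table lists only as "Upgrade to a fixed version below"
UPGRADE_ONLY_MINORS = {
    6: set(range(0, 13)) | {14, 15},
    7: set(range(0, 4)) | {5, 6, 8, 9, 10},
}

# Assumption: the 7.13 LTS named in the advisory is the upgrade target,
# and 7.13 or later is treated as fixed.
LTS_FIXED = "7.13"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a 3-tuple; missing parts are 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def assess(version: str) -> Status:
    major, minor, patch = parse_version(version)
    if major in (4, 5):
        return "vulnerable", LTS_FIXED
    if (major, minor) >= (7, 13):
        return "patched", None
    if (major, minor) in POINT_FIXES:
        last_vulnerable, fixed = POINT_FIXES[(major, minor)]
        if patch <= last_vulnerable:
            return "vulnerable", f"{major}.{minor}.{fixed}"
        return "patched", None
    if minor in UPGRADE_ONLY_MINORS.get(major, set()):
        return "vulnerable", LTS_FIXED
    # e.g. 7.7.x is absent from the table: surface it instead of assuming safe
    return "not-listed", None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, recommended fix) for every host still exposed."""
    exposed = []
    for host, version in inventory:
        status, fix = assess(version)
        if status == "vulnerable":
            exposed.append((host, version, fix))
    return exposed


# Constructed inventory: hostnames and versions are made up for the demo
SAMPLE_INVENTORY = [
    ("wiki-01.example.test", "7.4.10"),
    ("wiki-02.example.test", "7.12.5"),
    ("wiki-03.example.test", "6.15.9"),
    ("wiki-04.example.test", "7.13.0"),
    ("wiki-05.example.test", "7.7.4"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```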

Temporary workaround available

If applying the available patches is not possible at this time, Atlassian has provided update scripts along with instructions for both Windows and Linux Confluence customers in order to mitigate the flaw on their servers. Please note that these scripts should only be used as a temporary workaround until patches can be applied.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.


How to Talk to the Board About Zero Trust


Framing zero trust as a cybersecurity strategy for reducing business risk is a surefire way to get your executive leadership to take notice.

It's no secret that CISOs and other cybersecurity leaders struggle to communicate with executive management and boards of directors in a language they can understand. Business leaders naturally want to discuss cybersecurity in business terms. For many infosec leaders, learning how to "speak business" is akin to learning a second language; they're much more comfortable talking in tactical and technical terms. 

But there's more to the story. In my experience, board members and C-level business executives oftentimes allow ego to circumvent common sense. They've risen to their current lofty positions thanks to their unique blend of knowledge, talent and ambition. They're driven to be seen as the smartest person in the room at all times. And some think rules don't apply to them. So, what happens when a cybersecurity leader walks into a board meeting spouting technical jargon unfamiliar to these captains of industry and dares to suggest that their own behavior might be part of the problem? It solidifies a longstanding bias among executive leaders toward viewing cybersecurity as an inhibitor to the business. 

What if you could, instead, frame the discussion as a grand strategy articulated in one simple goal: to stop data breaches. Such framing would enable you to engage business leaders on a strategic level using plain language they can easily understand. Frankly speaking, a data breach is the only IT event that can get a CEO or company president fired. Plus, a data breach is the only cybersecurity event that is non-recoverable: you can never get the data back and you can't turn back the clock so that it's as if the breach never happened. 

A cybersecurity leader who can articulate a practical plan to stop data breaches will get the time and attention of the board.

The principles of zero trust architecture allow you to do just that. It's a new way of thinking about information security that treats trust as a vulnerability. The model was designed to resonate with the highest levels of the organization without necessarily requiring them to make a significant investment in new tools. And, it levels the playing field, immediately derailing any execs who see themselves as "trustier than thou." A cybersecurity strategy that removes trust entirely from digital systems is, in fact, a great equalizer, one that any proponent of "flat" corporate hierarchies ought to be more than happy to embrace.

Zero trust is built upon the idea that security must become ubiquitous throughout the infrastructure. The model is designed to be strategically resonant at the highest levels of any organization. The concepts of zero trust are simple:

  • All resources are accessed in a secure manner, regardless of location.

  • Access control is on a "need-to-know" basis and is strictly enforced.

  • All traffic is inspected and logged.

  • The network is designed from the inside out.

  • The network is designed to verify everything and never trust.

While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it's built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today.  

Boards of directors have a major role to play in shaping the future of cybersecurity strategy. Just as the recent Executive Order issued by the Biden Administration made zero trust a strategic imperative for the U.S., so, too, can boards wield their considerable power to elevate cybersecurity as a strategic business priority. Here are eight ways to start:

  • Stop seeing cybersecurity as an inhibitor of business. Having your business systems frozen in a ransomware attack is an inhibitor of business. Cybersecurity must be seen as an enabler of the business if we have any hope of reducing risk.

  • Change the incentive structure. Reward everyone for doing the right thing.

  • Give your cybersecurity experts the same amount of time to present as you give to your executive compensation committee.

  • Create a culture of transparency and drop the blame game. The environment you have was most likely created long before these threats existed. Current employees are dealing with years of decisions made by predecessors over which they had no control. The system is organic. Instead of looking to place blame when bad things happen, reward those who are trying to fix the problems before bad things occur.

  • Incentivize and reward those who are earnestly trying to fix the problems. And give them the time and support they need to do so.

  • Demand all CISOs report to the CEO, not to the CIO. This gives executive leadership an unvarnished view of the organization's cyber risk. 

  • Consider increasing the budgets for cybersecurity. If only 5% to 10% of your technology budget is going to cybersecurity, you're probably not doing enough.


Addressing today's cybersecurity challenges requires changing the ways we think about the problem at all levels of the organization. It requires as much commitment on the part of boards of directors and c-suite executives as it does from the rank-and-file admins who work tirelessly and against significant headwinds to protect sensitive data and reduce risk.

John Kindervag, senior vice president of ON2IT, is a guest contributor to the Tenable blog.


Security Defined As Code - Why Tenable has entered into an agreement to acquire Accurics


I never cease to be amazed at how infrastructure management continues to evolve over time, to become such a precise engineering discipline. Twenty years ago when I first published Nessus, the computers I designed the scan engine to assess were physically attached to hubs and switches, infrequently changing over time and invariably available unless somebody shut their system down for the weekend.

The visibility problems I strived to solve still exist today, but the methods used to identify the vulnerabilities attackers target have evolved alongside the devices we use. As networks became more dynamic, Tenable created Nessus Network Monitor to identify systems in real time rather than scanning on a schedule. As more IT teams embraced containers, we pioneered a new approach of integrating into the CI/CD pipeline to identify vulnerabilities on Docker hosts. As we saw the meteoric rise of Amazon Elastic Compute Cloud (EC2) on AWS and Virtual Machines in Azure, we launched Frictionless Assessment for security at the speed and ease of cloud.

Almost every organization now has a cloud-first strategy and a new deployment has moved from a lengthy purchase order process to a handful of commands. This is a big deal. With that velocity, infosec teams need to change the way they operate to keep pace and even create new points of leverage.

As the adoption of public clouds matures, so does the management of all of the cloud resources in an engineering-driven, repeatable way, through the use of scripts to create and manage environments in minutes. We are witnessing the rise of the Infrastructure as Code (IaC) movement, and to support this movement, cybersecurity needs to innovate with Security as Code.

Legacy Cloud Security Posture Management (CSPM) solutions have tried to address the security issue in the cloud but have not leveraged all of the capabilities the cloud has to offer. They've taken a traditional approach to identifying security flaws, assessing the systems and configurations at runtime. This approach fails to deliver on the promise of modern architectures, where you can identify and address the flaws in the code used to create the environment in the first place. It’s far more effective to find and fix the issues at the point of creation in code, rather than where they manifest in the cloud. Security can enable the DevOps team with a security syntax check for Infrastructure as Code, assessing Terraform and Kubernetes scripts for issues. In this way, we can ensure that what is deployed is secure by default and that any fixes are a simple merge request rather than a patch or operational afterthought.

By codifying the desired state of the platform in scripts, we believe the opportunities IaC brings to the table are limitless when it comes to security. In particular:

  • Starting secure by design - assessing the code used to create the environment removes risks before they are ever introduced.

  • Codifying your desired state - by looking at the drift between the actual cloud resource and what was intended, teams can catch problems earlier.

  • Scale through Security at the Speed of Code - There is no more need to modify the permissions of thousands of cloud resources one by one if a single script creates them all.

  • Code as the Rosetta Stone - Most importantly, Infosec teams can better communicate with ops by offering edits (pull requests) to their IaC scripts. In this manner, infosec becomes an actor and enabler in the deployment of new resources.

Enabling these new capabilities leveraging Infrastructure as Code will create a new world order for security and risk management. The Accurics team has focused on understanding Infrastructure as Code by integrating into the processes and tools that developers and infrastructure operators use. There are over 200,000 downloads of Terrascan, their hugely popular open source IaC assessment tool.

We're incredibly thrilled to have them join Tenable following the completion of the acquisition, and I can't wait to work with our teams to integrate their innovative approaches to help our customers identify issues in Infrastructure as Code and drift at runtime to make their clouds flawless.

Microsoft’s September 2021 Patch Tuesday Addresses 60 CVEs (CVE-2021-40444)


Microsoft addresses 60 CVEs in its September 2021 Patch Tuesday release, along with patches for a critical vulnerability in its MSHTML (Trident) engine that was first disclosed in an out-of-band advisory on September 7.

  • 4 Critical
  • 56 Important
  • 0 Moderate
  • 0 Low

Microsoft patched 60 CVEs in the September 2021 Patch Tuesday release, including four CVEs rated as critical and 56 rated as important. This is the seventh time in 2021 that Microsoft has patched fewer than 100 vulnerabilities in a Patch Tuesday release, a stark contrast to 2020, which featured eight months where over 100 CVEs were patched.

This month's Patch Tuesday release includes fixes for:

  • Azure Open Management Infrastructure
  • Azure Sphere
  • Dynamics Business Central Control
  • Microsoft Accessibility Insights for Android
  • Microsoft Edge (Chromium-based)
  • Microsoft Edge for Android
  • Microsoft MPEG-2 Video Extension
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Office Word
  • Microsoft Windows Codecs Library
  • Microsoft Windows DNS
  • Visual Studio
  • Windows Ancillary Function Driver for WinSock
  • Windows Authenticode
  • Windows Bind Filter Driver
  • Windows BitLocker
  • Windows Common Log File System Driver
  • Windows Event Tracing
  • Windows Installer
  • Windows Kernel
  • Windows Key Storage Provider
  • Windows MSHTML Platform
  • Windows Print Spooler Components
  • Windows Redirected Drive Buffering
  • Windows Scripting
  • Windows SMB
  • Windows Storage
  • Windows Subsystem for Linux
  • Windows TDX.sys
  • Windows Update
  • Windows Win32K
  • Windows WLAN Auto Config Service
  • Windows WLAN Service.

Elevation of privilege (EoP) vulnerabilities accounted for 41.7% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 26.7%.

Critical

CVE-2021-40444 | Microsoft MSHTML Remote Code Execution Vulnerability

CVE-2021-40444 is a critical zero-day RCE vulnerability in Microsoft’s MSHTML (Trident) engine that was exploited in the wild in limited, targeted attacks. It was assigned a CVSSv3 score of 8.8. To exploit this vulnerability, an attacker would need to create a specially crafted Microsoft Office document containing a malicious ActiveX control. From there, the attacker would need to use social engineering techniques to convince their target to open the document. Microsoft says the impact of this vulnerability would be more significant in cases where the recipient has administrative privileges.

At the time this blog post was published, there were at least 21 repositories on GitHub containing proof-of-concept code for this flaw.

We strongly recommend organizations apply this month’s patches to ensure this vulnerability is addressed, as it won’t be long before other threat actors, including those affiliated with ransomware groups, begin leveraging this flaw as part of their attacks.

Important

CVE-2021-36968 | Windows DNS Elevation of Privilege Vulnerability

CVE-2021-36968 is an EoP vulnerability found in Windows DNS. The vulnerability was assigned a CVSS score of 7.8. While no additional information from Microsoft has been provided, the security advisory makes note that this vulnerability has been publicly disclosed. Exploitation requires local access and a low privileged user account and is less likely to be exploited according to Microsoft’s Exploitability Index.

Important

CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447 | Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447 are EoP vulnerabilities in Windows Print Spooler. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and are rated Important. Of the three vulnerabilities, CVE-2021-38671 is the only flaw rated as Exploitation More Likely. There has been a flurry of activity surrounding Windows Print Spooler related vulnerabilities, beginning with CVE-2021-1675 in June and CVE-2021-34527, also known as PrintNightmare, in July. We published a blog post in August about the seven Print Spooler related vulnerabilities for which Microsoft published advisories, including CVE-2021-36958, a zero-day RCE that was patched today. Because of its ubiquity, Print Spooler is a valuable target for attackers, so the fact that we continue to see research in this space suggests that there are an untold number of vulnerabilities within Print Spooler.

Important

CVE-2021-36955, CVE-2021-36963 and CVE-2021-38633 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2021-36955, CVE-2021-36963 and CVE-2021-38633 are EoP vulnerabilities found in the Windows Common Log File System (CLFS) Driver which would allow a low privileged local attacker to elevate their user account privileges. While Microsoft has not observed exploitation in the wild, they rate these flaws as “Exploitation More Likely.” EoP vulnerabilities are commonly used in malware/ransomware attacks as we’ve observed with CVE-2020-1472, aka Zerologon, one of the Top Five Vulnerabilities of 2020. As such, we strongly recommend prioritizing the installation of these patches.

Important

CVE-2021-36975 and CVE-2021-38639 | Win32k Elevation of Privilege Vulnerability

CVE-2021-36975 and CVE-2021-38639 are EoP vulnerabilities found in Win32k, the kernel-mode subsystem that provides graphical (GUI) content functionality in Windows. With an assigned CVSS score of 7.8 and exploitability rating of “Exploitation More Likely,” attackers are expected to leverage this flaw to elevate account privileges of low privileged local user accounts. As Win32k is a core component of Windows, applying the necessary cumulative patches for your version of Windows is strongly recommended.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains September 2021.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s September 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2021-38647 (OMIGOD): Critical Flaw Leaves Azure Linux VMs Vulnerable to Remote Code Execution


Agents installed by default on Azure Linux virtual machines are vulnerable to a remote code execution flaw that can be exploited with a single request.

Background

On September 14, researchers at Wiz disclosed a set of four vulnerabilities in Microsoft’s Open Management Infrastructure (OMI), an open source Common Information Model (CIM) management server used for managing Unix and Linux systems.

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2021-38647 | Open Management Infrastructure Remote Code Execution Vulnerability | 9.8 | 9.4 |
| CVE-2021-38648 | Open Management Infrastructure Elevation of Privilege Vulnerability | 7.8 | 9.2 |
| CVE-2021-38645 | Open Management Infrastructure Elevation of Privilege Vulnerability | 7.8 | 9.2 |
| CVE-2021-38649 | Open Management Infrastructure Elevation of Privilege Vulnerability | 7.0 | 9.2 |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 17 and reflects VPR at that time.

The flaws, which are collectively referred to as “OMIGOD,” are found within OMI agents that are installed on Microsoft’s Azure Linux virtual machines (VMs) by default. These agents can be found across a number of Azure-based services, including:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (Azure Monitor)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

The researchers at Wiz note that this may not be a complete list and there may be other Azure services that utilize OMI. Because the OMI agents are installed by default, Linux VMs are at an increased risk for potential compromise, especially if they have exposed ports to the internet.

Analysis

CVE-2021-38647 is a remote code execution vulnerability in OMI. An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted request to a vulnerable system over a publicly accessible remote management port (ports 5986, 5985 and 1270). Successful exploitation would grant an attacker the ability to execute arbitrary code with root privileges on the vulnerable Linux VM. This particular vulnerability was assigned a CVSSv3 score of 9.8 and it is extremely simple to exploit. The specially crafted request needs to be sent without an Authorization header. As a result, this vulnerability is the most severe of the four flaws comprising OMIGOD.

CVE-2021-38645, CVE-2021-38648 and CVE-2021-38649 are three elevation of privilege vulnerabilities in OMI. Researchers at Wiz say that CVE-2021-38648 is “remarkably similar” to CVE-2021-38647 in that the exploitation process is nearly the same. Despite the similarities, Wiz researchers say that the root cause analysis differs from CVE-2021-38647.

For a full breakdown of the vulnerabilities, please refer to the blog post from Wiz.

Exploitation attempts for CVE-2021-38647 detected in the wild

Within just a few days of disclosure, there are reports that attackers are actively scanning for and exploiting CVE-2021-38647.

According to security researcher Kevin Beaumont, one of his test boxes was compromised and a cryptocurrency miner (coin miner) was installed by attackers.

Andrew Morris, founder and CEO of GreyNoise Intelligence, tweeted that his firm has observed around 80 IP addresses "opportunistically exploiting" CVE-2021-38647 across the internet.

Threat researcher Germán Fernández tweeted that the Mirai botnet is “launching a massive attack” attempting to exploit CVE-2021-38647.

Clarity surrounding number of publicly exposed hosts

On September 16, Derek Abdine, the chief technical officer at Censys, published a blog post about the impact of OMIGOD. There have been reports that over two million hosts may be exposed and potentially vulnerable. Abdine reports that while the number might seem daunting, the devil is in the details. Some of the ports that OMI runs on include those with Windows Remote Management (WinRM). After performing more targeted scans, Abdine reports that they’ve identified 56 publicly exposed hosts, with the majority of them residing within Azure. Censys mentions that some of the affected hosts are associated with a major health organization and two major entertainment companies.

Proof of concept

At the time this blog post was published, there were at least three GitHub repositories containing proof-of-concept exploit scripts for CVE-2021-38647.

Vendor Response

Microsoft published a blog post on September 16 providing additional guidance on the OMI vulnerabilities.

Solution

To address these vulnerabilities, Microsoft released updates to OMI on August 11. However, the flaws were not publicly disclosed until this month’s Patch Tuesday release.

Microsoft says that CVE-2021-38647 only affects those customers using “a Linux management solution” that enables the remote management of OMI, which includes:

The following is a mapping of vulnerable services/extensions to their associated agents:

| Affected Service/Extension | Deployment | Agent |
|---|---|---|
| OMI (Standalone) | On-Premises/Cloud | OMI |
| System Center Operations Manager (SCOM) | On-Premises | OMI |
| Azure Automation State Configuration DSC Extension | On-Premises | OMI |
| Azure Automation State Configuration DSC Extension | Cloud | DSC Agent |
| Log Analytics Agent | On-Premises/Cloud | OMS Agent |
| Azure Diagnostics (LAD) | Cloud | LAD Agent |
| Azure Automation Update Management | On-Premises/Cloud | OMS Agent |
| Azure Automation | On-Premises/Cloud | OMS Agent |
| Azure Security Center | Cloud | OMS Agent |

Below is a table of affected and fixed versions for the modules/extensions as defined by Microsoft in their most recent blog post.

| Module/Extension | Affected Version | Fixed Version |
|---|---|---|
| OMI | 1.6.8.0 and below | 1.6.8-1 and above |
| DSC Agent | 2.71.X.XX and below | 2.7.1.25 and above |
| DSC Agent | 2.70.X.XX and below | 2.70.0.30 and above |
| DSC Agent | 3.0.0.1 | 3.0.0.3 |
| DSC Agent | 2.0.0.0 | See above versions |
| OMS Agent for Linux GA | 1.13.35 and below | 1.13.40-0 |
| LAD Agent | 4.0.0 through 4.0.5 | 4.0.11 |
| LAD Agent | 3.0.131 and below | 3.0.133 |

For the remaining agents, Microsoft says that they will provide automatic updates for cloud deployments if they are enabled. If automatic updates are disabled, users are encouraged to follow the manual update instructions in the table below. For on-premises deployments, please follow the manual update instructions once the fixed versions are available.

| Module/Extension | Fixed Version | Automatic Update | Manual Update |
|---|---|---|---|
| OMI | 1.6.8-1 and above | - | GitHub |
| DSC Agent | 2.7.1.25 and above | 9/18/2021 | Instructions |
| DSC Agent | 2.70.0.30 and above | 9/18/2021 | Instructions |
| DSC Agent | 3.0.0.3 | 9/18/2021 | Instructions |
| DSC Agent | See above versions | 9/18/2021 | Instructions |
| OMS Agent for Linux GA | 1.13.40-0 | 9/18/2021 | GitHub |
| LAD Agent | 4.0.11 | 9/19/2021 | - |
| LAD Agent | 3.0.133 | 9/19/2021 | - |

To manually update to the patched version of OMI, organizations and individuals are instructed to add the Microsoft repository for OMI to their system before using the local package manager to upgrade, which is dependent upon which distribution of Linux is in use.

For the Azure Container Monitoring Solution, Microsoft has released an updated Docker image with the following SHA256 ID:

12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707

If your Container Monitoring Solution Docker image has a different SHA256 ID, it is considered vulnerable.
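To turn the OMI affected/fixed versions above, the Container Monitoring Solution image digest, and the management ports named in the Analysis section into a local triage check, here is an added Python example (not Tenable's or Microsoft's code). The `ss -lnt` output and version strings it uses are constructed samples, and the version parser assumes the package-style `1.6.8-1` or dotted `1.6.8.0` forms shown in the table.

```python
"""Local OMIGOD triage helper (added example): classify an installed OMI version
against the fixed version quoted in the post (1.6.8-1) and report whether the
OMI remote-management ports (5986, 5985, 1270) listen on a non-loopback address."""
import re
from typing import Dict, Set, Tuple

# Fixed OMI version from the post: 1.6.8-1 and above; 1.6.8.0 and below are affected.
# Normalised as (major, minor, patch, release).
OMI_FIXED_VERSION: Tuple[int, int, int, int] = (1, 6, 8, 1)

# OMI remote-management ports named in the post.
OMI_PORTS: Set[int] = {5986, 5985, 1270}

# SHA256 digest of the patched Container Monitoring Solution image quoted in the post.
PATCHED_CMS_IMAGE_SHA256 = "12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?$")


def parse_omi_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '1.6.8-1' (package style) or '1.6.8.0' (dotted style) into four ints.
    A missing release component counts as 0, i.e. the '1.6.8.0' form."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OMI version string: {version!r}")
    major, minor, patch, release = m.groups()
    return int(major), int(minor), int(patch), int(release or 0)


def omi_is_vulnerable(version: str) -> bool:
    """True when the installed OMI is below the fixed version 1.6.8-1."""
    return parse_omi_version(version) < OMI_FIXED_VERSION


def exposed_omi_ports(ss_output: str) -> Set[int]:
    """Return OMI ports listening on a non-loopback address, parsed from
    `ss -lnt` output. Wildcard binds (0.0.0.0, *, [::]) count as exposed."""
    exposed: Set[int] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and non-listening sockets
        addr, _, port_str = fields[3].rpartition(":")
        if not port_str.isdigit() or int(port_str) not in OMI_PORTS:
            continue
        if addr.startswith("127.") or addr in ("[::1]", "::1"):
            continue  # loopback only: not reachable from the network
        exposed.add(int(port_str))
    return exposed


def cms_image_is_patched(sha256_digest: str) -> bool:
    """Per the post, a Container Monitoring Solution image with any other digest is vulnerable."""
    digest = sha256_digest.strip().lower()
    if digest.startswith("sha256:"):
        digest = digest[len("sha256:"):]
    return digest == PATCHED_CMS_IMAGE_SHA256


def assess_host(omi_version: str, ss_output: str) -> Dict[str, object]:
    """Combine version state and network exposure into a remediation priority."""
    vulnerable = omi_is_vulnerable(omi_version)
    exposed = exposed_omi_ports(ss_output)
    if vulnerable and exposed:
        priority = "patch-immediately"  # unauthenticated RCE reachable over the network
    elif vulnerable:
        priority = "patch"              # the local EoP flaws still apply
    elif exposed:
        priority = "review-exposure"    # patched, but the management port is still reachable
    else:
        priority = "ok"
    return {"omi_version": omi_version, "vulnerable": vulnerable,
            "exposed_ports": sorted(exposed), "priority": priority}


# Constructed sample `ss -lnt` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:5986         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5985       0.0.0.0:*
LISTEN  0       128     [::]:1270            [::]:*
"""

if __name__ == "__main__":
    # Constructed version string; on a real VM take it from `dpkg -l omi` or `rpm -q omi`.
    print(assess_host("1.6.8-0", SAMPLE_SS_OUTPUT))
```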

Identifying affected systems

A local detection plugin for the Microsoft Open Management Infrastructure has been released. A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Tenable Research is investigating a direct check plugin as well. Once it is available, we will update this blog post.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

How to Talk to Your Boss About Zero Trust


A recent Executive Order from the Biden Administration put zero trust architecture in the spotlight. When your top execs come asking about it, here's what you need to know.

President Joseph R. Biden's May 12 Executive Order on Improving the Nation's Cybersecurity brought renewed interest in zero trust architecture, the ripple effects of which are just starting to be felt in government and private sector organizations around the world. 

The principles of zero trust, first introduced by then-Forrester analyst John Kindervag in 2010, require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. It calls for viewing trust as a vulnerability instead and posits that we remove the notion of trust from digital systems entirely. With ransomware attacks on the rise, the software supply chain compromised and the attack surface growing exponentially, it's clear that a new approach to cybersecurity is in order. If your executive leadership hasn't yet come around asking about your plans for zero trust, we assure you it's only a matter of time.

With misperception about zero trust running rampant, here are five things your boss needs to know about zero trust:

  1. Zero trust is a strategy, not a SKU. In most organizations, it can be implemented using existing off-the-shelf cybersecurity products. There is no single zero trust product your organization can purchase and plug in to transform your risk posture overnight.
  2. Zero trust requires a foundation of strong cyber hygiene. As the National Institute of Standards and Technology (NIST) guidelines make clear, you can't build a zero trust strategy without first having accurate visibility into all of the organization's assets — including IT, cloud, operational technology (OT) and internet of things (IoT).
  3. User profiles matter more than ever. A zero trust strategy requires you to continuously monitor all users all the time. Tools such as Active Directory, which are used to manage user profiles and privileges, must be continuously monitored and kept up to date. 
  4. No one is trusted — no exceptions. This may not please the CEO or other C-suite executives, who can sometimes behave as if the rules don't apply to them. Brushing up on your diplomatic skills is advised. 
  5. Zero trust requires thoughtful change management. There are people throughout the organization who have built their careers on the legacy cybersecurity principles of moat-and-castle and trust-but-verify. They may be threatened or feel that their jobs are in jeopardy if they aren't engaged in the zero trust buildout from day one.

The bottom line? It won't happen overnight. Zero trust as a concept is simple to grasp. What makes it complex to implement are the same factors that make any cybersecurity strategy complex: the unique mix of process, procedure, education and technology found in your IT infrastructure. It's best to start small and roll out from there, rather than trying to boil the ocean. 

Cybersecurity in a world without perimeters

As organizations around the globe emerge from pandemic lockdown and embrace a hybrid model that allows working from home to be as seamless as working on premises, it's clear that the legacy approaches to cybersecurity are no longer in order. A successful zero trust journey requires executive support and buy-in from all areas of the organization. It's not something cybersecurity leaders can execute in a vacuum. It's a strategic decision that will ultimately change the way every employee in the organization uses technology, reducing risk every step of the way.

Learn more

Spotlight on Australia: Remote Work is Here to Stay and So are Cyberattacks


Snap lockdowns are making remote work models a permanent feature — and leaving organisations more exposed to risk. Find out how the floodgates for cyberattacks have opened in Australia. 

As many Australians grapple with long stints of remote work due to snap lockdowns, it's looking more certain than ever before that the way we work will never go back to how it was pre-pandemic. In fact, 77% of Australian businesses plan to have employees working from home at least once a week in the next 12-24 months while 59% plan to make remote work permanent in the next 1-2 years.

The self-reported data is drawn from a commissioned study of more than 1,300 security leaders, business executives and remote employees worldwide, including 161 respondents in Australia. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted in April 2021 by Forrester Consulting on behalf of Tenable. 

Adoption of new technologies continues to atomise the attack surface

The pandemic response accelerated the pace of technological adoption, with IT and security teams turning to cloud-based solutions, expanding their software supply chain and quickly rolling out tools for connectivity, collaboration and productivity.

But this rapid adoption of new technologies won't be slowing down anytime soon as organisations shift out of pandemic crisis mode and adjust to a new world of work — one that's a combination of in-office and work-from-home models.

To facilitate this new work order, over the next 12-24 months Australian business and security leaders plan to continue their focus on enhancing existing digital platforms (65%), moving non-critical-business functions to the cloud (55%) and creating new digital platforms (57%). And while these changes are enabling organisations to pivot their business operations and improve the experience for employees, they're also setting the stage for increased risk.

Remote workers increase business risk

When we talk about a home office, it's easy to focus on the physical elements of what it entails — a desk, chair, printer, laptop and maybe a couple of monitors. What's unseen is the myriad of people and devices connecting to the very same home network.

Taking a glimpse into the average home in Australia, it was found that roughly nine in 10 remote workers connected six or more devices to their home networks. But that's not the worst part. The study revealed that many remote workers access corporate financial records (43%) and customer data (51%) from a personal device — oftentimes with little guidance to ensure data remains protected. 

Australian security leaders now have less control over risk, as they face a lack of compliance by homeworkers and limited visibility over the expanding home network of the remote workforce. Two in five security leaders say they lack visibility into remote employee home networks and their connected devices. Furthermore, 45% of business and security leaders say they are somewhat or largely unprepared to support their workforce strategy from a security standpoint over the next 12-24 months. 

Cyberattacks will continue to persist

These concerns are justified when you look at the threat landscape of the past 12 months. A staggering 92% of Australian organisations experienced at least one business-impacting* cyberattack with 70% falling victim to three or more.

Nearly three quarters of respondents (73%) said these attacks targeted remote workers, making them one of the biggest risks facing Australian organisations in the new world of work. The vast majority of organisations (70%) suffered an attack that resulted from vulnerabilities in systems put in place in response to the pandemic, whilst 59% attributed recent attacks to a third-party software vendor compromise. These cyberattacks underscore the need for greater visibility into the atomised attack surface.

It's no wonder eight out of 10 business and security leaders say that their organisations are more exposed to risk as a result of a remote workforce.

Redefining what risk is

As organisations in Australia continue to embrace a hybrid work model, they must redefine and address what risk means for the new world of work. It's no longer about securing a disparate piece of software or code. It's about having visibility of their infrastructure, identifying those assets and systems that are critical to function, and scanning for flaws in the most dynamic aspects of their attack surface. In tandem, the focus must be placed on restricting access to critical systems and key internal data by addressing misconfigurations in the Active Directory to disrupt attack paths. 

Focus on vulnerabilities that matter most to the business. This allows security teams to remediate and focus on vulnerabilities that are being actively exploited by threat actors rather than the thousands that might only theoretically be used. 

Manage risks across third-party service providers. That means having a better understanding and vetting of vendors in the supply chain and consistently evaluating third-party and contractor access to enterprise data, and continuously scanning for unmanaged assets connecting to the corporate network. Closing the holes attackers look to climb through can prevent attacks from being successful.

Don't wait until today's risk becomes tomorrow's reality. Align your organisation's cybersecurity strategies today to keep pace with business changes.

*A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

View more study highlights here


Spotlight on India: A Perimeter-less Workplace Introduces More Risk


India's plans for hybrid work models in the next 12-24 months are outpacing the speed of security in India. Find out where organizations need to place their focus to secure the new world of work.

The rapid deployment of new technologies to facilitate remote work heightened the level of risk for Indian businesses. Security and business leaders in India indicate their organizations have more exposure to risk today as a result of remote work (76%) and migrating business-critical functions to the cloud (73%). 

The self-reported data is drawn from a commissioned study of more than 1,300 security leaders, business executives and remote employees worldwide, including 92 respondents in India. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted in April 2021 by Forrester Consulting on behalf of Tenable. 

Remote work, previously the province of a select few road warriors and executives, became ubiquitous in response to the pandemic and the trend is here to stay in India for the foreseeable future. The vast majority of Indian organizations (80%) plan to have employees working from home at least once a week in the next 12-24 months, while 63% plan to make a permanent move to remote work over the next two years. 

Even as these plans unfold, an alarming 53% of security and business leaders expressed concerns that their organizations are only somewhat or not at all prepared to secure their remote workforce. This is a sign that future plans for hybrid work models are outpacing the speed of security in India.

Adoption of new technologies continues to atomize the attack surface

To facilitate this new work order, Indian business and security leaders will continue to focus on enhancing existing digital platforms (63%), moving non-critical-business functions to the cloud (62%) and expanding software supply chains (49%) over the next 12-24 months. And while these changes are enabling organizations to pivot their business operations and improve the experience for employees, they're also setting the stage for increased risk as security leaders lack holistic visibility into an attack surface that's been atomized.

Specific challenges about supporting a remote workforce include the lack of employee awareness to secure home networks and personal devices (53%) and visibility into employee security practices (56%). 

These concerns are justified when you look at the threat landscape of the past 12 months. A staggering 88% of Indian organizations experienced a business-impacting* cyberattack. 

More than half of respondents (56%) said these attacks targeted remote workers, making them one of the biggest risks facing Indian organizations in the new world of work. Nearly three quarters of respondents (71%) suffered an attack that resulted from vulnerabilities in systems put in place in response to the pandemic, whilst 63% attributed recent attacks to a third-party software vendor compromise. These cyberattacks underscore the need for greater visibility into the atomized attack surface. 

To prevent history from repeating itself, it's clear that organizations need to eliminate blindspots by shoring up their defenses to support the next phase of their workforce model.

Redefining what risk is

As organizations usher in this new world of work that comprises a mix of remote and hybrid work models, the corporate network perimeter has shattered into a myriad of devices across cloud and on-premises. Organizations, therefore, cannot rely on yesterday's tools to secure this new reality. This starts with adopting a never trust, always verify approach throughout the organization. It calls for viewing trust as a vulnerability instead and posits that any notion of trust be removed from digital systems entirely. Organizations also need a modern, comprehensive strategy to quickly and accurately identify vulnerabilities and misconfigurations in their dynamic infrastructures, one which delivers clear guidance and recommendations on how to prioritize and remediate any risks.

*A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

View more study highlights here

Spotlight on U.K.: Hybrid Work is Here to Stay and Attackers are Taking Advantage


As U.K. organisations plan their long-term hybrid and remote work models, embracing this new world of work opens the door to new and unmanaged cyber risk. Here's what you need to know.

Over a year after work-from-home mandates went into effect, many U.K. organisations are shifting to long-term hybrid and remote work models. Today, 70% of U.K. organisations have employees working remotely, compared to 31% prior to the pandemic, while 86% plan to permanently adopt a remote working policy or have already done so. But embracing this new world of work opens up unprecedented and unmanaged cyber risk.

The self-reported data is drawn from a commissioned study of more than 1,300 security leaders, business executives and remote employees worldwide, including 168 respondents in the U.K. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted in April 2021 by Forrester Consulting on behalf of Tenable.

Introducing a hybrid working model is complex

The move to a hybrid work model required three significant shifts, all of which served to atomize the attack surface:

  1. Dissolving traditional workplace perimeters and providing technology that enables employees to work from anywhere

  2. Moving business-critical functions to the cloud 

  3. Rapidly expanding the software supply chain with new tools for collaboration, communication and productivity.

This reality has seen the corporate attack surface explode, with many organisations still struggling to understand and address the risks introduced.

A hybrid worker could be in the corporate office one day and the next they're connecting remotely via home routers or WiFi hotspots. While 57% of U.K. security leaders say they have high or complete visibility of remote employer-provisioned devices, only 33% have a similar level of visibility into employee-owned devices. 

As part of changes made in response to the pandemic, 46% of U.K. organisations moved business-critical functions to the cloud, including accounting and finance (42%) and human resources (33%). But when asked about the increased risks, 80% of U.K. respondents believe their organisation is more exposed as a result. Equally concerning, 58% of U.K. respondents attributed at least one cyberattack to third-party software vendor compromise in the last 12 months.

Despite the wide support of hybrid and remote work models, less than half (48%) of U.K. security and business leaders feel they're adequately prepared, from a security standpoint, to support the new world of work. In fact, 78% believe their organisation is more exposed to risks as a result.

Attackers are taking advantage

The concern from corporate leaders is certainly warranted. The study found that 90% of U.K. organisations experienced a business-impacting cyberattack* in the last 12 months, with 51% falling victim to three or more. When looking at the focus of these attacks:

  • 72% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic

  • 68% targeted remote workers or those working from home

  • 63% involved an unmanaged personal device used in a remote work environment

  • 51% resulted from VPN flaws or misconfigurations

  • 51% involved cloud assets 


The impact to organisations is far from trivial as 36% said they'd suffered a ransomware attack while 33% reported the attacks resulted in a data breach.

We need to change the way we're thinking about risk

Hybrid work models and a digital-first economy have brought cybersecurity front and centre as a critical investment that can make or break short- and long-term business strategies. To address this demand, 75% of U.K. security leaders plan to increase their network security investments over the next 12 to 24 months; 73% will increase spend on cloud security while 66% plan to spend more on vulnerability management.

The new world of work has shattered the corporate network, forcing a move away from perimeter-based security architectures. Organisations need the ability to see into the entirety of the attack surface — on-premises and in the cloud. In tandem, they need to determine where vulnerabilities exist and the impact if exploited. 

Another key focus is Active Directory; the dissolution of traditional perimeters makes the configuration and management of user privileges and access more critical than ever before. Building adaptive user risk profiles — based on changing conditions, behaviours or locations — means the organisation can continuously monitor and verify every attempt to access corporate data before granting or revoking the request.

This provides the security team with visibility of their entire threat landscape, the intelligence to predict which cyberthreats will have the greatest business impact, and controls to address the risks introduced by the new world of work. 

If cybersecurity strategies fail to keep pace with business changes, today's risk could become tomorrow's reality.

*A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

View more study highlights here

Spotlight on Germany: Hybrid Work Brings New Cyber Risks

As German organizations plan their long-term hybrid and remote work models, embracing this new world of work opens the door to new and unmanaged cyber risk. And attackers are taking advantage. To address this, we need to change the way we're thinking about risk.

While the pandemic-driven work-from-home obligation in Germany has been revoked, many organizations still plan to continue long-term hybrid and remote work models. At the beginning of 2020, just 22% of German organizations had employees working remotely. Today, that has risen to 82%, with 65% planning to make this adoption permanent in the next 1-2 years. But, by their own admission, only 58% of German organizations feel they are prepared to support new workforce strategies from a security standpoint.

The self-reported data is drawn from a commissioned study of more than 1,300 security leaders, business executives and remote employees worldwide, including 156 respondents in Germany. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted by Forrester Consulting on behalf of Tenable in April 2021.

Cloud adoption enables hybrid working model

Historically, German organizations have been reluctant, and some even resistant, to embrace cloud adoption. The pandemic has completely changed that. To facilitate a remote workforce, cloud adoption has accelerated, shattering the boundaries of the corporate network and introducing exponential risk.

Seventy-three percent of German organizations said they have moved business-critical functions to the cloud, including accounting and finance (51%) and human resources (48%). When asked if this exposed the organization to increased cyber risk, 76% of security and business leaders believed it did.

Business-critical systems weren't the only ones shifted to the cloud. More than a third (35%) of German organizations also moved non-critical functions to the cloud in response to the pandemic, despite 57% of security leaders believing this increased their exposure to risk.

Attackers are taking advantage

With little attention given to security during this massive shift, attackers have taken advantage. Ninety-three percent of German organizations experienced a business-impacting cyberattack* in the last 12 months, with 57% falling victim to five or more.

When looking at the focus of these attacks:

  • 78% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic

  • 66% targeted remote workers or those working from home

  • 61% involved cloud assets 

  • 61% involved an unmanaged personal device used in a remote work environment


The impact to organizations is far from trivial as 44% suffered a ransomware attack and 35% experienced a data breach.

We need to change the way we're thinking about risk

As organizations adjust to the new world of work — one that combines in-office and work-from-home models — CISOs and infosec leaders must reevaluate their approach to maintaining security in highly dynamic and disparate environments. This includes realigning themselves to the business in order to effectively reduce risk.

Security teams need visibility of their entire threat landscape, with the intelligence to predict which cyberthreats will have the greatest business impact on the organization. In tandem, controls are needed to address the risks introduced by the new world of work.

Improving the way Active Directory is configured and managed is crucial to disrupting attack paths. Organizations need to implement adaptive user risk profiles in order to continuously monitor and verify every attempt to access corporate data based on set criteria — who is requesting access, where are they connecting from and the hygiene of the device being used. If the criteria aren't met, the request is declined.

If cybersecurity strategies fail to keep pace with business changes, today's risk could become tomorrow's reality.

*A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

View more study highlights here

Spotlight on France: The New World of Work Increases Cyber Risk, and Attackers are Looking to Capitalize

Where there was reluctance, the pandemic has forced French organizations to embrace hybrid and remote work models and they're not reversing this trend any time soon. Here's what it means for cyber risk.

Prior to the pandemic, just 24% of French organizations had employees working remotely. Today, that figure stands at 83%, while 96% plan to permanently adopt a remote work policy or have already done so. But embracing this new world of work opens up new and unmanaged cyber risk.

The self-reported data is drawn from a commissioned study of more than 1,300 security leaders, business executives and remote employees worldwide, including 153 respondents in France. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted by Forrester Consulting on behalf of Tenable in April 2021. 

Introducing a hybrid work model is complex

To introduce a remote and hybrid work environment, IT and security teams in France turned to cloud-based solutions, while quickly rolling out tools for connectivity, collaboration and productivity. Almost three-quarters (72%) of French organizations have moved business-critical functions to the cloud, including human resources (89%) and accounting and finance (71%). When asked if this move exposed the organization to increased cyber risk, 77% believed it did.

The result? Employees en masse are accessing sensitive intellectual property and data outside the confines of the office. In fact, 80% of French security and business leaders believe remote work exposes them to increased risk. This is a credible concern, as some remote French employees don't believe protecting customer data (18%) or the company's intellectual property (34%) is very important. What's more, 64% admit to using a personal device to access customer data, 30% use a personal device to access intellectual property and 18% access other classified information.

Attackers are taking advantage

Attackers have seized on the opportunities created by the shift to remote work. Ninety-three percent of French organizations experienced a business-impacting cyberattack* in the last 12 months, with 72% falling victim to four or more. When looking at the focus of these attacks:

  • 70% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic

  • 65% targeted remote workers or those working from home


The impact to organizations is far from trivial: 42% experienced theft of intellectual property; 39% were the victims of a ransomware attack; and 37% suffered data breaches.

We need to change the way we're thinking about risk

Organizations must re-evaluate their cybersecurity strategies to safely and securely embrace the new world of work.

Visibility of the entire attack surface is vital — both on premises and in the cloud. Knowing what's there, where vulnerabilities exist and what the impact would be should the worst happen allows the organization to effectively prioritize risk reduction and remediation efforts.

How organizations configure and manage Active Directory is another key area of focus. Organizations should create adaptive user risk profiles — built around who is accessing what, the device being used and from where the request originates — and continuously monitor each corporate data access request.

Security teams need visibility into their entire threat landscape and the ability to predict which cyberthreats potentially pose the greatest risk to the business, along with controls to take responsible action and address the risks introduced in the new world of work.

If cybersecurity strategies fail to keep pace with business changes, today's risk could become tomorrow's reality.

*A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

View more study highlights here

Spotlight on the Kingdom of Saudi Arabia: The New World Of Work Introduces Risks Attackers Can Utilize

A new world of work has been adopted by Saudi Arabian organizations, with many planning to make hybrid and remote work models permanent. Here’s how these changes are increasing risk.

The transition to cloud adoption and remote work practices, which were being cautiously adopted in Saudi Arabia prior to the pandemic, has accelerated in the past 18 months. Today, 91% of organizations have remote employees, up from just 34% in early 2020. Moving forward, the vast majority of organizations (91%) plan to adopt this working model permanently. But embracing this new world of work opens up new and unmanaged cyber risk.

The self-reported data is drawn from a commissioned study of more than 1,300 security leaders, business executives and remote employees worldwide, including 104 respondents in the Kingdom of Saudi Arabia. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted by Forrester Consulting on behalf of Tenable in April 2021. 

Introducing a hybrid working model is complex

To facilitate the new world of work, cloud adoption has surged. The majority of Saudi organizations (77%) have moved business-critical functions to the cloud. The vast majority (80%) are now running human resources fully in the cloud or in a hybrid cloud/on-prem model; 60% are doing the same for accounting and finance.

Yet, by their own admission, 63% of Saudi organizations are prepared to support new workforce strategies from a security standpoint, while 67% believe moving business-critical functions to the cloud exposes the organization to increased cyber risk.

Attackers are taking advantage

The study found that concerns about the security implications of the new world of work are warranted. Ninety-eight percent of Saudi organizations experienced a business-impacting cyberattack* in the last 12 months, with 33% falling victim to five or more. When looking at the focus of these attacks:

  • 86% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic

  • 71% involved cloud assets

  • 66% exploited an unmanaged personal device used by a remote employee

  • 57% targeted remote workers or those working from home


We need to change the way we’re thinking about risk

The pandemic has seen the corporate perimeter shattered. Organizations must reevaluate their approach to cybersecurity, making sure it is closely aligned to the business, in order to effectively reduce the risks introduced by remote work.

This requires the ability to gain a holistic view of the expanded attack surface — wherever it resides. This needs to be combined with external factors — such as identifying vulnerabilities being actively exploited and the impact these could potentially have on the organization — to enable security leaders to fully comprehend the risks posed.

Given the change to working practices, employees are operating outside the safe confines of the network with a myriad of devices. This elevates the role Active Directory plays and puts new emphasis on the importance of configurations and user privileges. Organizations need to develop adaptive user risk profiles that take context into account — who is trying to access what, where are they doing that from and what are they using to do it. And the activity needs to be continuously monitored. For example, someone using a corporate-owned device within the office perimeter during working hours may be deemed a lower risk than someone connecting using their own device over an insecure WiFi hotspot at 2:00 am.

The new world of work opens up possibilities, for employees, who can now work anywhere, and for the organization, which can benefit from the improved productivity. However, it’s imperative that security and business leaders fully explore and resolve the inherent risks involved to ensure the new ways of working don’t come at too high a cost.

If cybersecurity strategies fail to keep pace with business changes, today’s risk could become tomorrow’s reality.

*A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

View more study highlights here

Spotlight on Mexico: The New World of Work Requires a New Cybersecurity Mindset

Embracing the new world of hybrid and remote work in Mexico has opened the door to new and unmanaged cyber risk. Here's what you need to know.

The pandemic completely transformed the way most organizations work, and Mexico is no exception. At the beginning of 2020, hybrid and remote work models were far-off visions of the future at a time when only 16% of Mexican organizations had employees working remotely. By April 2021, eight out of 10 Mexican organizations had adopted remote work, with 71% planning to make it permanent in the next one to two years. Yet, 80% of security and business leaders have raised concerns that this new world of work creates increased risk.

The self-reported data is drawn from a commissioned study of more than 1,300 security leaders, business executives and remote employees worldwide, including 155 respondents in Mexico. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted by Forrester Consulting on behalf of Tenable in April 2021.

Embracing new world of work brings new and unmanaged cyber risk

The rapid transition to facilitate remote work accelerated technology adoption. As a result, the attack surface has transformed with the adoption of new cloud-based solutions, alongside significant changes in the digital platforms and the software supply chain in order to improve collaboration, communication and productivity.

The vast majority (82%) of remote workers in Mexico have six or more devices connected to their home networks, and many admit to using a personal device to access customer data (59%) and financial records (40%). Six out of 10 security leaders said they lack visibility over remote employee home security practices.

Cloud-based solutions played a key role in enabling businesses continuity. Today, Mexican organizations have moved business-critical functions (77%) and non-business critical functions (90%) into the cloud.

Digital platforms and services are next. Almost half (47%) of Mexican organizations enhanced existing digital platforms, while 23% created new platforms in pandemic times. Looking to the future, 67% of security and business leaders said enhancing digital platforms will continue to be a priority.

The software supply chain also expanded as a result of the pandemic, according to 63% of respondents; another 14% expect to add new software over the next 12-24 months.

Attackers have also evolved

Attackers have capitalized on these workforce changes. Ninety-six percent of Mexican organizations experienced a business-impacting* cyberattack in the last 12 months, with 81% falling victim to four or more.

When looking at the focus of these attacks:

  • 74% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic
  • 69% targeted remote workers or those working from home
  • 59% resulted from a third-party software vendor compromise
  • 57% involved an unmanaged personal device used in a remote work environment

The time to rethink risk management is now

There is no turning back. A new world of work that combines in-office and remote work is here to stay. As a result, security and business leaders are turning their eyes forward and planning to increase investments in network security (88%), vulnerability management (79%) and cloud security (75%) in the next one to two years. Seventy-three percent feel confident that in the next two years they will have the ability to accurately analyze and measure cyber risk, allowing for better business and technology decisions.

Managing risk in an environment where the perimeter has disappeared even as the attack surface continues to expand isn't an easy task. Organizations cannot rely on yesterday's tools to secure this new reality. Securing the new world of work requires a new mindset. It's imperative that organizations gain a holistic view of their risk profile and re-evaluate their cybersecurity strategies to ensure businesses aren't left vulnerable.

If cybersecurity strategy fails to keep pace with business changes, today's risk could become tomorrow's reality.

*A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

View more study highlights here

Protecting the Atomized Attack Surface: Cybersecurity in the New World of Work

A new study reveals how moving to a remote workforce model and migrating business-critical functions to the cloud are exposing the vast majority of organizations to increased risk.

The next 18 months are going to test the mettle of cybersecurity organizations around the globe like never before.

The attack surface has been atomized by systems put in place to support remote work in response to the COVID-19 pandemic, all of which are well on their way to becoming permanent fixtures as the boundaries between office and home blur. The SolarWinds and Kaseya attacks heighten concerns about the integrity of the software supply chain. And the cloud is no longer optional — it's a crucial enabler of critical business functions in a workplace without boundaries.

What does all this mean for security leaders? We believe it represents an opportunity to rethink what's considered an "asset" and how a "vulnerability" is defined — and how to improve visibility into both — all while keeping employees productive and safe. It places renewed emphasis on the need to align cybersecurity with business practices.

A new study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, commissioned by Tenable and conducted by Forrester Consulting, reveals that adjustments organizations made to adapt during the pandemic have heightened their level of risk. And it provides a sometimes alarming glimpse into what's happening on the average home network. The study is based on the results of an online survey of 426 security leaders, 422 business executives, and 479 remote workers (i.e., full-time employees working three or more days from home) across 10 countries, as well as in-depth telephonic interviews with six business and security executives.

According to the study, 80% of security and business leaders indicate their organizations have more exposure to risk today as a result of moving to a remote workforce model and migrating business-critical functions to the cloud. We believe many of the remote work and cloud tools were pressed into service without security controls; in some cases, the tools themselves are nascent and their security controls are immature.

It's already well past time for infosec leaders to strategically re-evaluate the systems put into place to accommodate these changes with an eye toward making their security as dynamic as the workplace itself. Already, nearly a quarter (24%) of business and security leaders have made the move to remote work permanent; another 68% say they'll make it official over the next two years.

Expanding the software supply chain is likewise seen as a vector of increased risk for 61% of respondents. We believe any software expansion borne of necessity and spun up in haste is more likely to lack robust third-party security controls.

And the consequences for businesses are real. According to the study:

  • 92% of organizations experienced a business-impacting cyberattack or compromise within the past 12 months resulting in one or more of the following outcomes: a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. 

  • More than two thirds of respondents (67%) say these attacks targeted remote workers.

  • The vast majority (74%) said at least one attack resulted from vulnerabilities in systems put in place in response to the COVID-19 pandemic.

  • Nearly three quarters (70%) were victims of three or more attacks. 


Meanwhile, the perimeter between the home network and the corporate network is dissolving. Not only are remote workers accessing sensitive corporate data from home, they're often doing so using a personal device. According to the study, over half of remote workers acknowledge accessing customer data using a personal device. When you consider that remote workers have an average of eight devices connecting to their home network — including employer-provisioned devices, personal devices, appliances, wearables and gaming systems — and, on average, have three people in their household with devices connecting to the same home network, the challenges facing security leaders become stark.

Connecting from home is one thing; connecting from personal devices on an overtaxed consumer-grade home network without any corporate security controls is entirely another.

These findings make clear how little visibility organizations have into what's happening in their environments: 71% of security leaders say they lack high or complete visibility into remote employee home networks; 64% lack this level of visibility into remote employee-owned devices. With privacy expectations for employees naturally limiting any view employers can have into a home network, it becomes clear that security protections need to reside as close as possible to business-critical data and the assets used to access it. In short: If you can't understand the device and network, you need to control the access a user has.

While the challenges may seem daunting, the path forward is hiding in plain sight. Organizations must rethink how they define risk, looking beyond software flaws and device compliance to achieve a holistic view of their dynamic and disparate environments. They must invest in adaptive user and data risk profiles to disrupt attack paths by accounting for misconfigurations in Active Directory and the cloud and step up security based on changing conditions, behaviors or locations. And they must take a hard look at the limits of traditional, perimeter-based security architectures, to consider more sophisticated options that continuously monitor and verify every attempt to request access to corporate data at all levels, whether that's a device, app, user, or network attempting to make that connection. For some, this may mean a reckoning with their own cyber hygiene and vulnerability management practices; for others, it could present an opportunity to shift toward risk-based vulnerability management and continuous monitoring of Active Directory as a strategy for effectively disrupting attack paths; and, for the most advanced organizations, it could mean taking the first steps on a journey toward zero trust.

Whichever path you choose, the study makes one thing clear: business and security leaders must work together to find new ways to protect sensitive data in the new world of work.

Learn more


CVE-2021-22005: Critical File Upload Vulnerability in VMware vCenter Server

VMware published an advisory addressing 19 vulnerabilities, including one critical flaw in vCenter Server that is reportedly simple to exploit.

Background

On September 21, VMware published a security advisory addressing 19 vulnerabilities in vCenter Server, its centralized management software for VMware vSphere systems. The full list of vulnerabilities patched includes:

| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2021-22005 | vCenter Server file upload vulnerability | 9.8 |
| CVE-2021-21991 | vCenter Server local privilege escalation vulnerability | 8.8 |
| CVE-2021-22006 | vCenter Server reverse proxy bypass vulnerability | 8.3 |
| CVE-2021-22011 | vCenter Server unauthenticated API endpoint vulnerability | 8.1 |
| CVE-2021-22015 | vCenter Server improper permission local privilege escalation vulnerabilities | 7.8 |
| CVE-2021-22012 | vCenter Server unauthenticated API information disclosure vulnerability | 7.5 |
| CVE-2021-22013 | vCenter Server file path traversal vulnerability | 7.5 |
| CVE-2021-22016 | vCenter Server reflected XSS vulnerability | 7.5 |
| CVE-2021-22017 | vCenter Server rhttpproxy bypass vulnerability | 7.3 |
| CVE-2021-22014 | vCenter Server authenticated code execution vulnerability | 7.2 |
| CVE-2021-22018 | vCenter Server file deletion vulnerability | 6.5 |
| CVE-2021-21992 | vCenter Server XML parsing denial-of-service vulnerability | 6.5 |
| CVE-2021-22007 | vCenter Server local information disclosure vulnerability | 5.5 |
| CVE-2021-22019 | vCenter Server denial of service vulnerability | 5.3 |
| CVE-2021-22009 | vCenter Server VAPI multiple denial of service vulnerabilities | 5.3 |
| CVE-2021-22010 | vCenter Server VPXD denial of service vulnerability | 5.3 |
| CVE-2021-22008 | vCenter Server information disclosure vulnerability | 5.3 |
| CVE-2021-22020 | vCenter Server Analytics service denial-of-service vulnerability | 5.0 |
| CVE-2021-21993 | vCenter Server SSRF vulnerability | 4.3 |

Source: VMware, September 2021

In addition to publishing the security advisory, VMware published a blog post and a Questions and Answers post addressing some foundational questions about the advisory. Of the 19 vulnerabilities, only CVE-2021-22005 was assigned a severity of Critical.

Source: Tenable, 2021

Analysis

CVE-2021-22005 is a file upload vulnerability in the vCenter Server. An unauthenticated attacker capable of accessing port 443 over the same network or directly from the internet could exploit a vulnerable vCenter Server by uploading a file to the vCenter Server analytics service. Successful exploitation would result in remote code execution on the host. In its blog post, VMware notes that this vulnerability exists in vCenter Server “regardless of the configuration settings,” which makes this exploitable by default in affected vCenter Server installations.

While the remainder of the vulnerabilities patched in today’s release aren’t critical, they are split evenly between Important and Moderate severity flaws. The remaining vulnerabilities vary, from privilege escalation and denial of service to information disclosure and path traversal vulnerabilities. These flaws will likely be valuable to attackers, particularly affiliates of ransomware groups, that have already compromised a network through other means.

This is the second time in the last four months that VMware issued a patch for a critical flaw affecting vCenter/vSphere. In May, VMware disclosed CVE-2021-21985, a remote code execution vulnerability in VMware’s vSphere Client.

Security researcher Allan Liska tweeted that CVE-2021-21985 has already been leveraged as part of ransomware attacks and that CVE-2021-22005 “looks even worse.”

Researchers stress urgency to patch as the vulnerability is “trivial to execute”

Derek Abdine, chief technology officer for Censys, tweeted that he discovered the vulnerable code path for this vulnerability and that it “looks stunningly trivial to execute.” As a result, Abdine added that users should “Patch now.”

Proof of concept

At the time this blog post was published, there were no publicly available proof-of-concept (PoC) scripts for CVE-2021-22005. However, Abdine’s warning implies that we may see PoC released shortly.

Solution

To address the 19 vulnerabilities disclosed in its advisory, VMware released patches for vCenter Server 7.0, 6.7 and 6.5. For a full breakdown of which CVEs are addressed in each release, please refer to the VMware advisory page.

For CVE-2021-22005, the following is a breakdown of the vCenter Server version, associated fixed version as well as the installation addressed.

| Version of vCenter Server | Fixed Version | Installation |
|---|---|---|
| 7.0 | 7.0 U2c | Any |
| 6.7 | 6.7 U3o | Virtual Appliance |

Please note that vCenter Server version 6.7 for Windows and version 6.5 for any installation are not affected by CVE-2021-22005.
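A triage helper for the fixed-version matrix above, added here as an example (not Tenable's or VMware's code): it encodes only what this post states, namely that 7.0 is fixed in 7.0 U2c for any installation, 6.7 is fixed in 6.7 U3o for the Virtual Appliance, and 6.7 for Windows and all 6.5 installations are not affected. The version-string grammar ("<major>.<minor> U<n><letter>") and the sample inventory are assumptions constructed for the example.

```python
"""Classify vCenter Server instances against the CVE-2021-22005 fixed-version
table. Added example; it only encodes the table and note from this post.
The "<major>.<minor> U<n><letter>" version grammar is an assumption about
how an inventory labels releases (e.g. "7.0 U2b", "6.7 U3o")."""
import re
from dataclasses import dataclass
from enum import Enum


class Installation(Enum):
    VIRTUAL_APPLIANCE = "Virtual Appliance"
    WINDOWS = "Windows"


@dataclass(frozen=True)
class VCenterVersion:
    major: int
    minor: int
    update: int   # 0 when there is no "U<n>" suffix
    patch: str    # "" when there is no trailing letter ("U2" vs "U2c")

    _PATTERN = re.compile(r"\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?\s*")

    @classmethod
    def parse(cls, text: str) -> "VCenterVersion":
        m = cls._PATTERN.fullmatch(text)
        if not m:
            raise ValueError(f"unrecognised vCenter version string: {text!r}")
        major, minor, update, patch = m.groups()
        return cls(int(major), int(minor), int(update or 0), patch or "")

    def key(self):
        # Tuple ordering gives 7.0 < 7.0 U2 < 7.0 U2a < 7.0 U2c < 7.0 U3
        return (self.major, self.minor, self.update, self.patch)

    def at_least(self, other: "VCenterVersion") -> bool:
        return self.key() >= other.key()


# Fixed releases exactly as listed in the table above (release line -> fix).
FIXED_IN = {
    (7, 0): VCenterVersion.parse("7.0 U2c"),
    (6, 7): VCenterVersion.parse("6.7 U3o"),
}


def cve_2021_22005_status(version_text: str, installation: Installation) -> str:
    """Return "vulnerable", "patched", "not affected" or "unknown".

    "unknown" covers release lines the table says nothing about, so they are
    flagged for manual review rather than silently treated as safe."""
    v = VCenterVersion.parse(version_text)
    line = (v.major, v.minor)
    if line == (6, 5):
        return "not affected"      # 6.5, any installation type
    if line == (6, 7) and installation is Installation.WINDOWS:
        return "not affected"      # 6.7 for Windows
    fixed = FIXED_IN.get(line)
    if fixed is None:
        return "unknown"
    return "patched" if v.at_least(fixed) else "vulnerable"


def triage(inventory):
    """Map hostname -> status for (hostname, version, installation) tuples."""
    return {host: cve_2021_22005_status(ver, inst) for host, ver, inst in inventory}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vcsa-prod-01", "7.0 U2b", Installation.VIRTUAL_APPLIANCE),
    ("vcsa-prod-02", "7.0 U2c", Installation.VIRTUAL_APPLIANCE),
    ("vcsa-lab", "6.7 U3n", Installation.VIRTUAL_APPLIANCE),
    ("vc-win-legacy", "6.7 U3n", Installation.WINDOWS),
    ("vc-old", "6.5 U3p", Installation.VIRTUAL_APPLIANCE),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```

Feed the function the version and installation type from your asset inventory; anything reported as "vulnerable" or "unknown" is a candidate for the patch or the VMware workaround.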

Organizations are strongly encouraged to apply these patches as soon as possible.

If patching is not feasible at this time, VMware has provided workaround instructions for CVE-2021-22005. However, the workaround should be considered a temporary solution and should not be a replacement for upgrading to a fixed version.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Taking IBM QRadar SIEM One Step Further Using Tenable.ad

If you can't continuously monitor Active Directory, it's impossible to achieve full visibility into your evolving attack surface. Here's how combining Tenable.ad with IBM QRadar can help.

It's no secret that CISOs are constantly challenged with new cyberthreats across an expanding attack surface. The average workplace has shifted from traditional assets, such as desktops and workstations, to a more dynamic spread that includes mobile, cloud, web applications and operational technology (OT) environments. But, no matter the size and scope of your attack surface, three questions always remain the same when protecting the organization:

  1. Is there anything else that puts us at risk?
  2. How do I manage our dynamic mix of assets and applications?
  3. How can I achieve a centralized view of all my security information?
Most organizations leverage Active Directory (AD) to manage users, employees and contractors, as well as to control which assets the users have access to within the organization. But viewing Active Directory as simply a tool for managing access and authentication privileges overlooks the complexity inherent in such a system. Organizational churn requires constant adjustments to how privileges and group policies are configured. Yet, many organizations are unaware of the significant risk posed by Active Directory.

Active Directory not only holds the keys to the kingdom, so to speak; it goes as far as providing the blueprint of the entire castle. Yet, organizational silos often mean security professionals have minimal insight into, and little ability to monitor, their organization's Active Directory, leaving IT teams unable to find and fix flaws before they become business-impacting issues. If a threat actor gains an initial foothold by leveraging a misconfiguration in Active Directory, they can use the compromised credentials to move laterally, potentially gaining unprivileged access to email, important corporate data, users and credentials, and access to applications and cloud resources. The original infiltration could quickly evolve into a critical security breach without the organization even knowing about it, because many security teams lack continuous visibility into Active Directory. To answer the first question from earlier ("Is there anything else that puts us at risk?"): yup, Active Directory is it!

So how do you go about securing such a complex and ever-changing directory of users?

Tenable.ad, a new solution in the market, aims to help security professionals solve the daily challenges of managing and protecting the long-lived, dynamic lists of access points contained in Active Directory. Tenable.ad enables you to prioritize and prevent misconfigurations in Active Directory to disrupt attack paths before attackers exploit them.

Tenable + IBM QRadar

Now, let's consider our second and third questions: how do I manage our dynamic mix of assets and applications, and how can I achieve a centralized view of all my security information?

Tenable's Technology Ecosystem allows customers to enhance their data visibility by using Security Information and Event Management (SIEM) partners, like IBM QRadar. IBM QRadar helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation.

Up to this point in the strong IBM partnership, Tenable has been able to integrate with IBM QRadar to bring in vulnerability insights and misconfigurations from Tenable.io, Tenable.sc and Tenable.ot. This allows security teams to improve decision making and correlate events to take action on flaws using Tenable IT and OT findings. Tactically, security teams are able to get rich summary data for security investigations for a given offense at the asset level.

With the release of Tenable.ad into the market, IBM QRadar now adds Tenable.ad to its suite of supported products, offering a way for security teams to gain full visibility of their blind spots, including IT, OT and now AD, all within the IBM QRadar interface.

[Image: How to secure Active Directory using IBM QRadar SIEM and Tenable]

Source: Tenable and IBM QRadar, September 2021

To add some context, the above image shows security analysts Tenable's Active Directory data in the form of "Indicators of Exposure." These security events, surfaced within QRadar, also provide the source, the magnitude of the attack and a visual timeline of the event. By combining all of Tenable's rich vulnerability information with QRadar, the integration makes it possible to strengthen event investigations and give peace of mind to CISOs who ask themselves the same three questions every day.

IBM Security is a featured partner within Tenable's Technology Ecosystem, which contains over 95 partners and 125+ unique integrations. The breadth and depth of Tenable's ecosystem helps joint customers improve their security programs by combining Tenable's market-leading risk-based vulnerability management solutions with other security applications in their environment. This "better together" approach helps serve and strengthen security programs of all sizes around the world.


How to Use Tenable.io WAS to Find and Fix Sensitive Information Exposure in Microsoft Power Apps


Researchers identified a configuration issue in Microsoft Power Apps portals that exposed millions of records for nearly 50 organizations. Learn how you can use Tenable.io Web App Scanning to identify this configuration issue and prevent the exposure of sensitive information.

Thanks to Satnam Narang from the Security Response Team for his contributions to this blog post.

Background

On August 23, UpGuard Research published a blog post detailing its discovery of the exposure of 38 million records across 47 entities via Microsoft Power Apps portals. Power Apps portals, as Microsoft describes them, allow both internal and external individuals to securely access Microsoft Dataverse data using portals.

According to UpGuard, the Power Apps portals are configured for public access by default, which means anonymous users could access this data. In its research, UpGuard found the exposure of personally identifiable information (PII), including COVID-19-related contact tracing and vaccination appointment details, social security numbers, employee IDs, names and addresses and a variety of other sensitive information.

UpGuard disclosed its findings to Microsoft in June. Microsoft responded that the behavior is “considered to be by design” and UpGuard’s case was closed. However, as recent industry data shows, misconfigurations in cloud environments can increase an organization's risk of being breached.

Two-thirds of cloud breaches were due to misconfigurations

IBM’s 2021 X-Force Cloud Security Threat Landscape Report, which analyzed data sets from Q2 2020 through Q2 2021, found that two-thirds of cloud environment breaches could have been prevented if misconfigurations and policies were properly reviewed and addressed. IBM’s findings were centered around improperly configured APIs and virtual machines, but the overarching theme of misconfigurations is also applicable to Power Apps. However, the problem with the Power Apps exposure is that organizations likely did not realize they were exposing this information when UpGuard identified the exposure.

Analysis

As a low-code platform — an environment that supports development via a graphical user interface instead of hand-coding — Microsoft Power Apps allow users to build and publish web pages rendering data from multiple sources using connectors. Among the different application types offered by the platform, Power Apps portals provide a web view which can be accessed by authenticated or anonymous users. By leveraging the concept of lists, a Power Apps user is able to quickly render a set of records from the data source without the need to write code.

The problem with default table permissions in Power Apps

Power Apps portals rely on web roles and table permissions to define the privileges allowed to the different users on a given list, whether they are authenticated or not. By default, table permissions are not applied to lists and need to be explicitly enabled with an option in the list properties:


[Screenshot: the option in the list properties that enables table permissions. Source: Tenable Research, 2021]

Usually, lists are included in web pages which have their own permissions settings, preventing the pages from being accessed by unauthorized or anonymous users.

Exposing sensitive information through OData feeds

A feature of Power Apps portals lists allows users to publish the underlying data feed as a RESTful web service through the OData protocol:


[Screenshot: the list setting that publishes the underlying data feed over OData. Source: Tenable Research, 2021]

OData feeds define a specific endpoint on the target application, which exposes OData metadata and the list of feeds available:

Example endpoint: https://myportal.powerappsportals.com/_odata/


[Screenshot: OData metadata and the list of available feeds returned by the /_odata/ endpoint. Source: Tenable Research, 2021]

With the previous default configuration, table permissions were not enforced on the various data collections returned in the OData feed, so the data was exposed to any user issuing a query that targeted a specific collection:

Example endpoint: https://myportal.powerappsportals.com/_odata/collection

[Screenshot: records returned from a collection queried through the OData feed. Source: Tenable Research, 2021]

Solution

The mitigation of this configuration issue requires enforcing table permissions, especially when the OData feed is enabled.

Power Apps portals can be managed either with Power Apps portals Studio or with the Power Apps portal management application.

With Power Apps portals Studio, table permissions are enabled by default when adding a new entity to a page:


[Screenshot: table permissions enabled by default when adding a new entity to a page in Power Apps portals Studio. Source: Tenable Research, 2021]

Browsing a live website with this option enabled and without any explicit permission will display an error:


[Screenshot: error displayed on a live website when table permissions are enabled but no explicit permission is defined. Source: Tenable Research, 2021]

The Power Apps portal management application previously required users to enable table permissions themselves. Now, the option is set by default when creating an entity:

[Screenshot: the table permissions option set by default when creating an entity in the portal management application. Source: Tenable Research, 2021]

When trying to disable the table permissions, a warning is now displayed at the top of the Power Apps management console:


[Screenshot: warning displayed at the top of the Power Apps management console when disabling table permissions. Source: Tenable Research, 2021]

On July 15, Microsoft added release notes that include a configuration check for both existing and new portals to detect when the “Enable Table Permissions” option is disabled while OData feeds are enabled:

[Screenshot: Microsoft release notes describing the configuration check. Source: Tenable Research, 2021]

Finally, Microsoft added a warning message in the Power Apps portals Studio when one or more entities exist without table permissions. This alert warns users that the permissions will be enforced automatically starting in April 2022:

[Screenshot: Power Apps portals Studio warning about entities without table permissions. Source: Tenable Research, 2021]

Note that enabling table permissions does not prevent Power Apps administrators from misconfiguring a table if, for example, they set anonymous access to lists containing sensitive data.

Identifying affected systems

Power Apps portals are software-as-a-service (SaaS) web applications hosted in the Microsoft Cloud platform. Tenable.io Web App Scanning offers two plugins to help customers identify applications built on the Power Apps platform and determine whether they are potentially exposing data.

The Power Apps Application Detected plugin is designed to verify whether an application hosted on a custom DNS name is a Power Apps portal:

[Screenshot: Tenable.io Web App Scanning output of the Power Apps Application Detected plugin. Source: Tenable Research, 2021]

Once a Power Apps portal is detected, customers can use the Power Apps OData Feeds Detected plugin. This plugin performs a check on the OData feeds to identify collections that can be publicly accessed and their associated URLs. Web App Scanning users can then browse the list of collections to verify whether any sensitive or unexpected data has been exposed.

[Screenshot: output of the Power Apps OData Feeds Detected plugin listing publicly accessible collections and their URLs. Source: Tenable Research, 2021]
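The following added example (not part of the original post and not Tenable's plugin code) shows the check a portal administrator can run against a portal they manage. It parses the OData service document returned by the /_odata/ endpoint described earlier into the list of published collections, builds each collection URL, and then classifies the outcome of anonymous requests the way the OData Feeds Detected plugin does, flagging collections whose column names suggest PII. The service-document JSON, the probe results and the PII column hints are constructed for the example, and the code assumes the feed returns an OData v4 JSON service document.

```python
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Constructed sample of the service document a portal's /_odata/ endpoint returns.
# Assumption: it follows the OData v4 JSON service-document shape, i.e. a "value"
# array whose entries name each published entity set (collection).
SAMPLE_SERVICE_DOCUMENT = json.dumps({
    "@odata.context": "https://myportal.powerappsportals.com/_odata/$metadata",
    "value": [
        {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
        {"name": "appointments", "kind": "EntitySet", "url": "appointments"},
        {"name": "products", "kind": "EntitySet", "url": "products"},
    ],
})

# Constructed probe results: (HTTP status, first rows) observed when each collection
# was requested without a portal session. A 200 means table permissions did not
# stop the anonymous read; 401/403 means they did.
SAMPLE_ANONYMOUS_RESULTS: Dict[str, Tuple[int, Optional[List[dict]]]] = {
    "contacts": (200, [{"fullname": "A. Person", "emailaddress1": "a@example.invalid"}]),
    "appointments": (403, None),
    "products": (200, [{"name": "Widget", "price": 9.99}]),
}

# Heuristic column-name fragments that often carry PII (an assumption, not a Dataverse schema).
SENSITIVE_FIELD_HINTS = ("ssn", "social", "email", "phone", "address",
                         "birth", "nationalid", "vaccin", "employeeid", "passport")


def parse_service_document(body: str) -> List[dict]:
    """Return the entity-set entries listed in an OData service document."""
    doc = json.loads(body)
    return [e for e in doc.get("value", []) if e.get("kind", "EntitySet") == "EntitySet"]


def collection_urls(base_url: str, body: str) -> Dict[str, str]:
    """Map each collection name to its absolute URL under the /_odata/ base."""
    if not base_url.endswith("/"):
        base_url += "/"
    return {e["name"]: urljoin(base_url, e["url"]) for e in parse_service_document(body)}


def fetch_service_document(base_url: str, timeout: float = 10.0) -> str:
    """Live variant for a portal you administer: GET the /_odata/ service document.
    Not called in the offline demo below."""
    req = Request(base_url, headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def looks_sensitive(row: dict) -> bool:
    """True if any column name in the row matches a PII hint."""
    return any(hint in col.lower() for col in row for hint in SENSITIVE_FIELD_HINTS)


def classify_anonymous_access(results: Dict[str, Tuple[int, Optional[List[dict]]]]) -> Dict[str, List[str]]:
    """Split probed collections into exposed / protected and flag likely PII."""
    report: Dict[str, List[str]] = {"exposed": [], "protected": [], "pii_suspected": []}
    for name, (status, rows) in results.items():
        if status == 200:
            report["exposed"].append(name)  # readable without authentication
            if rows and any(looks_sensitive(r) for r in rows):
                report["pii_suspected"].append(name)
        else:
            report["protected"].append(name)  # table permissions (or no feed) blocked the read
    return report


if __name__ == "__main__":
    urls = collection_urls("https://myportal.powerappsportals.com/_odata/", SAMPLE_SERVICE_DOCUMENT)
    for name, url in urls.items():
        print(name, "->", url)
    print(classify_anonymous_access(SAMPLE_ANONYMOUS_RESULTS))
```

Any collection that lands in "exposed" should have its table permissions reviewed, and those in "pii_suspected" should be treated as a potential disclosure until confirmed otherwise; a 200 on an empty collection still means the permission check is missing, which is why the classification keys off the status rather than the row count.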

Note that Microsoft also provides the portal checker tool, which can be used in addition to Web App Scanning to allow administrators to run a configuration check on their portals and identify lists that allow for anonymous access:


[Screenshot: Microsoft portal checker results identifying lists that allow anonymous access. Source: Tenable Research, 2021]


Web Application Security: 3 Lessons We Learned From Formula 1™ Racing


Web application security is more than a best practice — it's a critical part of your security program. Find out how discovering and testing your web applications can help you gain an edge over attackers.

Web applications have long played a critical role in supporting e-commerce and key business initiatives. So, why are so many organizations struggling to keep them safe?

Recently a controversial tool called PunkSpider (re)claimed that it can crawl the entire web, identify hackable vulnerabilities in websites and post them publicly so everyone can search for those results.

If everyone else is testing your websites and your web applications, shouldn't you know what they know? Discovering and testing your web applications for vulnerabilities before anyone else does will help you minimize downtime, maximize revenue and gain the competitive advantage you need to ensure business success.

What Formula 1™ racing can teach us about web application security

Now imagine your web applications are Formula 1™ cars, your developers are the drivers and your security team is the pit crew. The drivers care about performance and speed of the cars while the pit crew wants to make sure the cars are safe, well maintained and free of vulnerabilities. When the race cars perform well, the entire team not only gains financially but also increases its fan base. And, just like these cars, when a company's e-commerce site does well, it generates revenue. But if it is compromised or suffers from downtime, the company loses money and its reputation suffers.

So...what can we learn from Formula 1 racing?

1: Prioritize visibility

Visibility is crucial to a Formula 1 team's success. F1 drivers are in continuous radio contact with their pit crew to get a clear view of the entire race, including track condition, turns and corners and all the cars that are on the track. 

Your web applications are like Formula 1 cars — running in a fast and dynamic environment. Unfortunately, your security team is often unaware of all of the websites and web applications that are being developed by the other parts of the organization. Examples include the unauthorized third-party web applications employees use on the company's behalf, and the abandoned and outdated web applications that potentially pose security holes. Knowing what web apps your organization has — whether in-house, open source or third-party developed — is an important first step in protecting them.

2: Run an efficient pit crew

Formula 1 teams are known for their teamwork, efficiency and ability to keep the cars running safely and at optimal performance levels. During a race, the pit crew must be extremely efficient, refueling cars and changing tires in less than three seconds on average. It is so incredibly impressive that it makes you wonder why a service visit at your car dealership can't be as efficient.

Likewise, if we think of your developers as the drivers, then your security team is the pit crew. The developers want performance and speed of the web applications and are often concerned with how the additional security process can hinder the agility of their web applications. Security practitioners need to guide, enable and support developers in their efforts to create secure code. It is the entire team's goal to ensure the performance and speed of the web applications while maintaining good cyber hygiene and increasing security posture.

3: Do the warm-up lap

Before the actual race, drivers take a warm-up or formation lap to get a last look at the track, warm-up tires, and ensure cars are fully race ready.

Race car drivers shift gears; security leaders "shift left." The traditional security practice of handing your DevOps team a static vulnerability report is no longer scalable in today's dynamic business environment. Integrating a web application scanning tool early into the dev, test, and/or QA phases of the Software Development Life Cycle (SDLC) is akin to a warm-up lap that can help expose vulnerabilities early, reduce the cost of fixing those problems and limit the potential for damages due to a compromise. According to Gartner, by 2023, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, which is a significant increase from fewer than 30% in 2019*. Automating security scanning for applications every time — before they go into production and as code changes — is a recommended best practice for increased security posture.

Ready, set, go!

Now that you're ready for the race, keep your web applications safe and improve efficiency by removing silos between your security and DevOps teams and integrating security scanning into your SDLC.

*Source: Gartner, "12 Things to Get Right for Successful DevSecOps," Neil MacDonald and Dale Gardner, refreshed April 9, 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc., and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Exploited


The Apache HTTP Server Project patched a path traversal vulnerability introduced less than a month ago that has been exploited in the wild.

Background

On October 5, the Apache HTTP Server Project patched CVE-2021-41773, a path traversal and file disclosure vulnerability in Apache HTTP Server, an open-source web server for Unix and Windows that is among the most widely used web servers. According to the security advisory, CVE-2021-41773 has been exploited in the wild as a zero-day. The vulnerability was disclosed to the Apache HTTP Server Project on September 29 by Ash Daulton and the cPanel Security Team. The advisory does not indicate when exploitation of CVE-2021-41773 was detected, but it stands to reason that the exploitation drove the expedited release of a patch.

Analysis

CVE-2021-41773 was introduced into Apache HTTP Server by a change made to path normalization in version 2.4.49, which was released on September 15. This vulnerability only impacts Apache HTTP Server version 2.4.49 with the “require all denied” access control configuration disabled.

Successful exploitation would give a remote attacker access to arbitrary files outside of the document root on the vulnerable web server. According to the advisory, this flaw could also leak “the source of interpreted files like CGI scripts” which may contain sensitive information attackers can exploit for further attacks.
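As an added example (not from the Apache advisory or from Tenable), the following Python script shows detection logic a defender can run over Apache access logs to surface path-traversal attempts of the kind described above. It percent-decodes each request path (repeatedly, to catch double encoding), flags any request whose decoded path contains a ".." segment, records whether the traversal was only visible after decoding, and tracks whether the path escapes the document root; requests that escaped the root and were answered with a 200 are the ones to triage first. The log lines are constructed for the example and are not captured traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Apache combined-log lines (not captured traffic). Lines 3 and 5 carry
# percent-encoded ".." segments that only become visible after decoding; line 4 is an
# ordinary relative path that still resolves inside the document root.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2021:10:12:03 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2021:10:15:44 +0000] "GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1402 "-" "curl/7.79.1"
198.51.100.7 - - [05/Oct/2021:10:16:02 +0000] "GET /static/../css/site.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2021:10:16:10 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 199 "-" "curl/7.79.1"
"""

# Common/combined log format: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode the path (query string dropped) until it stops changing."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_path(raw_path: str) -> Dict[str, object]:
    """Decode the path and report dot-dot segments and whether they leave the root."""
    decoded = decode_path(raw_path)
    segments = [s for s in decoded.split("/") if s]
    depth, escapes_root = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                escapes_root = True  # climbed above the document root
        elif seg != ".":
            depth += 1
    has_dotdot = ".." in segments
    return {
        "decoded": decoded,
        "has_dotdot": has_dotdot,
        # traversal that only appears after decoding is the interesting case here
        "encoded": has_dotdot and ".." not in raw_path,
        "escapes_root": escapes_root,
    }


def find_traversal_requests(log_text: str) -> List[Dict[str, object]]:
    """Return every request whose decoded path contains a '..' segment."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = analyze_path(rec["path"])
        if info["has_dotdot"]:
            hits.append({"ip": rec["ip"], "path": rec["path"], "status": int(rec["status"]),
                         "decoded": info["decoded"], "encoded": info["encoded"],
                         "escapes_root": info["escapes_root"]})
    return hits


def likely_successful(hits: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Traversals that escaped the root and got a 200: triage these first."""
    return [h for h in hits if h["escapes_root"] and h["status"] == 200]


if __name__ == "__main__":
    found = find_traversal_requests(SAMPLE_LOG)
    for h in found:
        print(h)
    print("triage first:", [h["path"] for h in likely_successful(found)])
```

The decoded path is kept alongside the raw one so an analyst can see what the server would have resolved; a 403 on an escaping path indicates the access control the advisory mentions did its job, while a 200 warrants checking what file was served.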

According to a Shodan search, just under 112,000 Apache HTTP Servers are running the vulnerable version. However, other vulnerable web servers might be configured to not display version information.

[Screenshot: Shodan search results for Apache HTTP Server 2.4.49. Source: Shodan, October 2021]

In the same release, the Apache HTTP Server Project addressed CVE-2021-41524, a null pointer dereference vulnerability which could lead to a denial-of-service condition and which also only impacts version 2.4.49.

Proof of concept

Positive Technologies Offensive Team, PT Swarm, announced on Twitter that they had reproduced the vulnerability. Shortly after, another user replied with the proof-of-concept (PoC) payload. Other PoCs have been shared on Twitter and we expect working exploit scripts will be published shortly.

Solution

All users should ensure that they update to the fixed version, 2.4.50. Because Apache HTTP Server 2.4.49 was released on September 15, 2021, there is a chance some users have not yet updated to the vulnerable version.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
