On Friday, May 27, 2022, Security vendor nao_sec identified a malicious document leveraging a zero-day remote code execution RCE vulnerability (CVE-2022-30190) in Microsoft Windows Support Diagnostic Tool (MSDT). The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word.

If you want just to see how to find detections for the Follina MS Office RCE, skip down to the “detections” sections. Otherwise, read on for a quick breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.

This blog describes the attack path we have uncovered during a recent penetration test of a web application, coupled with a back-end infrastructure assessment. Throughout we introduce different attack techniques and tools that can be used to attack the underlying infrastructure and APIs of a web application.

Vulnerabilities in enterprise environments create many opportunities for cyber criminals to attack the organization. Bad actors may take advantage of security misconfigurations, broken authentication processes, buffer overflows, and other vulnerabilities to spread malware, launch account takeover attacks, and steal large amounts of sensitive data. As of April 2022, the U.S.

This month, Microsoft announced a vulnerability in NFS. The exploit lies in how an attacker can force a victim NFS server to request an address from the attacker’s fake NFS server. The address returned will overflow memory on the victim NFS server and cause a crash. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof-of-concept exploit for this vulnerability and wrote a Zeek®-based detection for it. You can find a PCAP of this exploit in our GitHub repository.

This month, Microsoft announced a vulnerability in PPTP, a part of the VPN remote access services on Windows systems that runs on port 1723/tcp. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof of concept exploit for this vulnerability and wrote a Zeek®-based detection for it.

Apple has recently released OS updates for multiple operating systems, addressing known and exploited security vulnerabilities along with previously unknown ones. During the past week, various data security organizations like the US Cybersecurity and Infrastructure Security Agency and Indian Computer Emergency Response Team have issued warnings asking users to install the latest updates on their Apple devices as soon as possible to avoid possible exploitation of devices and device data.

The vulnerabilities page allows you to see all findings across your attack surface. This includes simple filters that let you specify what you want to focus on, including the level of severity, which domains you want to look at, and whether it was found in the past week or the past month.

Snyk recently discovered overt 200 malicious packages in the npm registry. While we acknowledge that vulnerability fatigue is an issue for developers, this article is not about the typical case of typosquatting or random malicious package. This article shares the findings of targeted attacks aimed at businesses and corporations that Snyk was able to detect and share the insights.

In our latest credit card fraud investigation blog our threat intelligence analysts investigate the current card shop ecosystem, from active shops and the return of Rescator as well as other recently shuttered card shops and credit card fraud to look out for. Methodology Credit Card Fraud Investigation: Active Card Shops Credit Card Fraud Investigation: Inactive Card Shops Conclusions

CISA released a warning to federal agencies on May 18 that APT actors are actively exploiting recent vulnerabilities found in VMware, including CVE-2022-22954. Your first thought may have been to want new signatures, indicators, and/or behavioral techniques to detect attempted and successful exploits. If you’re a Zeek user or Corelight customer, you’ll find that sometimes you’re already getting what you need.

Like any company that uses web apps or enterprise software built with Java, San Francisco-based LiveRamp was concerned that it had been infected by the Log4Shell zero-day vulnerability within Log4j — the popular open source logging library.

Fixing vulnerabilities can be hard—especially so for cloud-native applications. Let’s take a deeper look at why this is, and how mitigating controls can help secure your cloud-native applications.

On Wednesday, May 18, 2022, VMware published an advisory (VMSA-2022-0014) to address multiple vulnerabilities, including CVE-2022-22972, an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. This vulnerability was assigned a CVSSv3 score of 9.8, making it a critical vulnerability.

CVE-2022-30617 and CVE-2022-30618 are sensitive data exposure vulnerabilities that may lead to account compromise in the admin panel of the headless CMS software Strapi.

Scanning your packages for security vulnerabilities and license violations should be done as early as possible in your SDLC, and the earlier the better. This concept is also known as “Shifting Left”, which helps your organization comply with security policies and standards early on in the software development process. As developers, this may seem like a hassle, but with JFrog CLI it’s easy!

Ransomware continues to be a prevalent threat to almost every modern industry after a sudden renaissance at the beginning of the COVID-19 pandemic as threat actors sought to capitalize on overwhelmed organizations and their suddenly vulnerable employees. It poses a particular danger to companies that hold sensitive data and house valuable assets, or those that could impact countless other industries and organizations should their critical operations be taken offline.

To stay ahead of malicious attacks, developers and security teams must have a way to identify, prioritize, fix, and monitor vulnerabilities, a process known as vulnerability remediation. When it comes to detection, organizations can use a variety of application security testing (AST) tools to identify vulnerabilities in software applications and other systems.

CVE-2022-26809 was patched in Microsoft’s previous Patch Tuesday (April 12) and it’s a doozy: remote code execution on affected versions of DCE/RPC hosts. The vulnerability attracted a lot of attention in the security community, both because of its severity but also because it appears to be really hard to trigger.

On Thursday, May 12, 2022, Zyxel released a patch advisory for an unauthenticated remote code execution (RCE) vulnerability in their line of Firewall products tracked as CVE-2022-30525. The exploitation of this vulnerability can allow a threat actor to modify specific files and execute code remotely on a vulnerable appliance. Proof of Concept (PoC) exploit code for this vulnerability has been made publicly available via multiple sources.

Software testing is notoriously hard. Search Google for CVEs caused by basic CRLF (newline character) issues and you’ll see thousands of entries. Humanity has been able to put a man on the moon, but it hasn’t yet found a proper way to handle line endings in text files. It’s those subtle corner cases that have a strong tendency of being overlooked by programmers.

On Tuesday, May 10, 2022, security researcher Oliver Lyak published a PoC exploit for CVE- 2022-26923, a privilege escalation vulnerability impacting Active Directory Domain Services with a CVSS score of 8.8 and high severity. The vulnerability allows a threat actor who has already compromised a user account to elevate privileges to Domain Admin, if Active Directory Certificates Services is running on the domain. Microsoft patched the vulnerability in May’s Patch Tuesday release.

Security is a critical, if somewhat overwhelming, task for any organization. As products grow and teams expand, the challenge of maintaining a security posture at scale increases as well. This is where automation comes in. The ability to automate security tasks offers obvious benefits such as increased speed, while also driving deeper shifts in a company’s culture and processes.

In this post we discuss how an account with two-factor authentication could be bypassed if the password were breached.

The Splunk Threat Research Team (STRT) has been heads-down attempting to understand, simulate, and detect the Spring4Shell attack vector. This post shares detection opportunities STRT found in different stages of successful Spring4Shell exploitation. At the time of writing, there are two publicly known CVEs: CVE-2022-22963, and CVE-2022-22965. The Splunk Security Content below is designed to cover exploitation attempts across both CVEs.

It’s been a bad month for RubyGems vulnerabilities. Critical CVE-2022-29176 was issued May 8, 2022, and another critical CVE-2022-29218 was discovered less than a week later, on May 11. This new vulnerability would allow for a takeover of new versions of some platform-specific gems under certain circumstances.

Trustwave SpiderLabs is tracking a new critical-rated vulnerability (CVE-2022-1388) affecting F5 BIG-IP network devices. Threat actors are reported to be actively exploiting this vulnerability in the wild. F5 disclosed and issued a patch for CVE-2022-1388 on May 4. We are diligently watching over our clients for exposure and associated attacks and working closely with our clients to ensure that mitigations are in place.

Corporate credential theft is a targeted effort and makes FTSE 100 companies credentials particularly attractive to cybercriminals with accelerated digital transformation (BYOD and hybrid working). Once an attacker gets hold of stolen user credentials and passwords, they can sell the credentials in the cybercrime underground or use them to compromise an organization’s network, bypassing security measures and threaten the credibility and integrity of the institution.

On May 6, 2022, a critical CVE was published for RubyGems, the primary packages source for the Ruby ecosystem. This vulnerability created a window of opportunity for malicious actors to take over gems that met the following criteria: Because RubyGems provides data dumps that include a lot of information, it is unfortunately relatively simple to create an automated mining process for these criteria.

Remediating vulnerabilities efficiently is the cornerstone of a great vulnerability management program. Prioritizing becomes paramount as resources are often limited. Sometimes teams might pinpoint specific vulnerability types that are particularly risky for their attack surfaces, such as a misconfigured Amazon S3 bucket or even a new XSS vulnerability. Users can now filter the /Vulnerabilities view by title, such as a specific type of XSS or even the CVE name.

Editor’s note: This is the latest in a series of posts we have planned over the next several weeks where we explore topics such as network monitoring in Kubernetes, using sidecars to sniff and tunnel traffic, show a real-world example of detecting malicious traffic between containers, and more! Please subscribe to the blog, or come back for more each week.

On Wednesday, May 4, 2022, F5 disclosed a critical-severity vulnerability impacting the iControl REST authentication of BIG-IP systems being tracked as CVE-2022-1388. If successfully exploited, the vulnerability could lead to Authentication Bypass, which could allow a threat actor to execute arbitrary system commands, perform file actions, and disable services on BIG-IP. BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffic SDC are not impacted by CVE-2022-1388.

CVE-2022-30278 is a reflected cross-site scripting (XSS) vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files.

Snyk Code is turning one! We’ve hit so many milestones in the last 12 months, and today we invite you to look back, celebrate, and peer into the future of code security with us.

In recent times as the field of information is on the rise a new term ‘Ethical Hacking’ has emerged and opened many different avenues for IT and cyber security professionals. Now more and more people are getting familiar with the field of information security and are getting interested in learning about hacking skills.

Many companies look to CISOs or compliance teams to manage security throughout software development. But this practice usually keeps security considerations separate from developers. CISOs can assign security tasks to developers, but if developers aren’t thinking about security regularly, those tasks may be overlooked.

Have you ever wondered what vulnerabilities are exploited the most by threat actors? The answers you have been eagerly waiting for could be found inside a joint Cybersecurity Advisory (CSA) coauthored by the cybersecurity authorities of the United States (CISA), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK), plus the U.S. National Security Agency (NSA) and Federal Bureau of Investigation (FBI).

The Center for Internet Security (CIS) provides Critical Security Controls to help organizations improve cybersecurity. Control 7 addresses continuous vulnerability management (this topic was previously covered under CIS Control 3). Continuous vulnerability management is the process of identifying, prioritizing, documenting and remediating weak points in an IT environment.

When Algolia’s security program manager Regina Bluman ran a Twitter poll to see how many people within the security industry understood the concept of EASM, she didn’t expect that the term is far from being on an IT security team’s radar. Moreover, most were not even aware of it.

What’s your role in the vulnerability management process?

Over the years, as a developer, I’ve built and deployed many applications through digital agencies, side projects, startups, and freelance work. With time-sensitive deadlines, client expectations, and delivery dates to consider, security wasn’t usually top of mind when npm installing an open source package. This often led to reworking and cleanup on deployments that had let in known vulnerabilities, adding to compounding timelines and client disappointment.

CVE-2022-23648, reported by Google’s Project Zero in November 2021, is a Kubernetes runtime vulnerability found in Containerd, a popular Kubernetes runtime. It lies in Containerd’s CRI plugin that handles OCI image specs containing “Volumes.” The attacker can add Volume containing path traversal to the image and use it to copy arbitrary files from the host to container mounted path. The vulnerability was reported by Felix Wilhelm on Nov.

Ignore a vulnerability? That sounds like a paradox. Why would anyone want to ignore a vulnerability? While ignoring security issues should not be your default practice, it is still sometimes necessary. Development and security teams today face vulnerability backlogs consisting of thousands of issues. To maintain rapid development, they must be able to effectively prioritize their work.

Data theft, denial-of-service, ransomware—the world of cyber threats has never been more dangerous, in large part because there’s never been more vulnerabilities.

The first few months of 2022 have brought with them plenty of breaches and vulnerabilities for threat experts to sink their teeth into; in March alone, Microsoft has patched 71 CVEs, two of which, CVE-2022-22006 and CVE-2022-24501, were deemed critical–but more on those later. Meanwhile, cloud-based software company Okta has suffered a cyber-attack, believed to be at the hands of threat actor “Lapsus$”, which has put thousands of its 15,000 customers on high alert.

When protecting an organisation against cyber attacks, the words security threats, vulnerabilities, risk exposure, and sometimes exploits are seen very commonly. Unfortunately, these terms are not used correctly or interchangeably and are often left undefined.

Call me David. As you might have heard, Log4Shell, “the single biggest, most critical vulnerability ever”1 was recently disclosed to the public. You may even have seen us make mention of it here, here, here, or even maybe here. Splunkbase was impacted by way of apps both made by Splunk and third-party developers.