Wednesday, November 15, 2017

No-Shock: Worst Year For Vulnerabilities Already – Only Through Q3 2017

2017 has officially become the worst year on record with over 16,006 disclosed vulnerabilities.

RICHMOND, VA, November 14, 2017 -- Risk Based Security today announced the release of its Q3 2017 VulnDB QuickView report that shows there have been 16,006 vulnerabilities disclosed through September 30th this year. This is the highest number of disclosed vulnerabilities at the end of the third quarter on record and represents a 38% increase over the same period in 2016. In addition, cataloged vulnerabilities in the first nine months of 2017 have exceeded the total vulnerabilities for all of 2016 (15,832). The 16,006 vulnerabilities cataloged by Risk Based Security’s VulnDB research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by 6,295.

“When hearing that so many vulnerabilities are missing from CVE/NVD, most security professionals want to justify the gap by trying to convince themselves that the vulnerabilities missed can’t possibly impact their organization and if they do they must be low risk. However, just as our previous reports have indicated, this isn’t the case. 44.1% – over 2,700 – of the vulnerabilities not published by NVD/CVE have a CVSSv2 score between 7.0 and 10, which include widely deployed software used by many organizations. Any security product or tool that relies on CVE/NVD is putting your organization at serious risk,” said Jake Kouns, Chief Information Security Officer for Risk Based Security.

“As Equifax dominated the data breach headlines, it was revealed that due to a series of delays they were unable to patch the exploited flaw, now commonly known as Struts-Shock, in a timely fashion. What the media missed is that there have been a total of 75 vulnerabilities in Apache Struts, and 5 new vulnerabilities since Struts-Shock was disclosed. It makes you wonder if there were any other delays in correcting those issues as well, and if Equifax has additional unpatched vulnerabilities,” added Kouns.

The newly released Q3 2017 report from Risk Based Security shows that 39.9% of total reported vulnerabilities received CVSSv2 scores above 7.0. This means that not only is the number of vulnerabilities on the rise, but the severity of the vulnerabilities disclosed remains high. What is more concerning for organizations is that 31.6% of the vulnerabilities disclosed have public exploits available and 47.9% can be exploited remotely.

The VulnDB QuickView report also highlights the relationships between researchers and vendors, showing that they are continuing to work together. Vulnerabilities disclosed in a coordinated fashion continue to be around 43%, on par with the mid-year report. In addition, 6.1% of the vulnerabilities disclosed in software products were coordinated through vendor and third-party bug bounty programs.

“While our proprietary Vulnerability, Timeline, and Exposure Metrics (VTEM) show that not all vendors are prioritizing and fixing vulnerabilities as quickly as we would prefer, the good news is that 75.8% of 2017 vulnerabilities through September do have a documented solution,” says Kouns.

Tuesday, November 14, 2017

Top 5 Predictions for ICS Security in 2018

Nozomi Networks has compiled the top 5 predictions for ICS Security in 2018.

1. ICS malware moves beyond Windows exploits to ICS-specific malware. Up to now, most malware that has infected ICS has used Windows vulnerabilities or protocols to infect and spread. For example, in 2017, WannaCry, Industroyer and Dragonfly 2 all used the Windows protocol SMB as a key infection and proliferation mechanism. Malware attacks using OT device software, such as PLC software, will start to occur, adding to the sea of Windows-dependent attacks.

2. The cuffs will come off of Internet connectivity for ICS systems as IT technology is increasingly integrated with ICS systems to achieve operational efficiencies. Progressive companies will implement new technologies and procedures necessary to not only bridge IT and OT, but also to defend their ICS from this source of cyber threats.

3. Artificial intelligence becomes more mainstream for ICS systems to provide next-generation security to fight cyber threats. Organizations grappling with ICS cybersecurity staffing and skills shortages are turning to AI solutions to achieve security and productivity goals. AI-powered monitoring tools are now able to discover breaches automatically and provide information on remediation.

4. The shortage of ICS cybersecurity skills will open the door for vendors to provide full security services. These services will move beyond risk assessments to become more full service.

5. Security-by-Design will start to improve ICS Security. Major companies will increase their demands that security be included in new automation equipment purchases; for example, requiring that RTUs have encrypted software. Cybersecurity certification will also rapidly grow and major automation vendors will have their products tested for the ISA Secure certification.

For more, see these books:

Cyber Security for Industrial Control Systems: From the Viewpoint of Close-Loop

Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS

Wednesday, October 25, 2017

Research on BadRabbit Ransomware

From Eskenzi PR:

"Nozomi Networks has taken a look into the BadRabbit Ransomware that hit Russia and Ukraine yesterday affecting systems at three Russian websites, transport systems in Ukraine, including an airport and an underground railway in Kiev.

"Moreno Carullo, Co-Founder and Chief Technical Officer for Nozomi Networks says, “Our research shows that the group behind Bad Rabbit have spent considerable time creating their ‘infection-network,’ going back at least to July, with the majority of sites relating to media and news. When a victim visits what they believe is a legitimate site, they are instructed to download an Adobe Flash installer/update. Given that the attackers are targeting media and news sites, that have previously employed Flash to enhance the visitor experience, this request may not immediately arouse suspicion – but it should! If the user follows the redirection the attack begins and the ransomware dropper (distributed from: hxxp://1dnscontrol[.]com/flash_install.php) downloads.”

"Moreno explains, “As soon as the victim executes the dropper, for which admin privilege is needed, a malicious DLL named infpub.dat is saved and is then run using the usual utility rundll32. Our experience executing the infpub.dat file is that it then seems to try to brute-force NTLM [NT LAN Manager] login credentials and download an executable dispci.exe, which appears to be derived from the well-known utility DiskCryptor code - a disk encryption module. The execution of the last file downloaded begins the encryption phase and the replacement of the bootloader as already seen in previous NotPetya attacks.”

"According to Moreno, “Prevention is always better than cure as, if infected, it is never advisable to pay the ransom as it is not guaranteed that the criminals will honor the agreement and restore systems/data. Organizations need tools that will help them immediately identify when something ambiguous is happening within the infrastructure. Applying artificial intelligence and machine learning for real-time detection and response, organizations can monitor for malware to rapidly discover and act to remove malicious code and the risks posed before harm is done.”

"Michael Patterson, CEO of Plixer says, “Many times ransomware infections go unreported. Employees who make the mistake and click on something they shouldn’t are usually very embarrassed about the infection. Security teams need to be aware of all infections in order to grasp the scale of the intrusion. Unreported infections can often be discovered using network traffic analytics. By profiling the Bad Rabbit communication behavior other machines reaching out to the Internet with similar behaviors can be identified.”"
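As an added illustration (not from the post, Nozomi Networks or Plixer), the detection logic below runs over constructed sample telemetry and flags the behaviours Carullo and Patterson describe: rundll32 loading infpub.dat, dispci.exe executing, a request to the dropper URL, and one host failing logons against several others, the pattern the NTLM credential brute-forcing would leave. The one-line log format, host names and failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the post); the "<type> key=value ..." line format is assumed.
SAMPLE_LOGS = [
    'proc host=ws01 image=C:\\Windows\\System32\\rundll32.exe cmd="rundll32 C:\\Windows\\infpub.dat,#1 15"',
    'proc host=ws01 image=C:\\Windows\\System32\\rundll32.exe cmd="rundll32 shell32.dll,Control_RunDLL"',
    'proc host=ws01 image=C:\\Windows\\dispci.exe cmd="C:\\Windows\\dispci.exe -id 1234"',
    'proxy host=ws02 url=http://1dnscontrol.com/flash_install.php status=200',
    'proxy host=ws02 url=http://intranet.example/news.html status=200',
    'auth host=ws01 target=ws03 user=admin result=FAIL',
    'auth host=ws01 target=ws04 user=admin result=FAIL',
    'auth host=ws01 target=ws05 user=admin result=FAIL',
    'auth host=ws02 target=ws03 user=bob result=FAIL',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bareword

def parse_line(line):
    """Split one line into its record type and a dict of its key=value fields."""
    kind, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(rest)}
    return kind, fields

def detect(lines, fail_threshold=3):
    """Return (host, rule) findings for the Bad Rabbit behaviours described in the post."""
    findings = []
    failed_targets = defaultdict(set)  # source host -> hosts it failed to log on to
    for line in lines:
        kind, f = parse_line(line)
        host = f.get("host", "?")
        if kind == "proc":
            image, cmd = f.get("image", "").lower(), f.get("cmd", "").lower()
            if image.endswith("rundll32.exe") and "infpub.dat" in cmd:
                findings.append((host, "rundll32 loading infpub.dat"))
            if image.endswith("dispci.exe"):
                findings.append((host, "dispci.exe (DiskCryptor-derived encryptor) executed"))
        elif kind == "proxy":
            url = f.get("url", "").lower()
            if "1dnscontrol.com" in url and url.endswith("/flash_install.php"):
                findings.append((host, "download from Bad Rabbit dropper URL"))
        elif kind == "auth" and f.get("result") == "FAIL":
            failed_targets[host].add(f.get("target"))
    # One host failing logons against many others is the brute-force pattern; a single failure is noise.
    for host, targets in failed_targets.items():
        if len(targets) >= fail_threshold:
            findings.append((host, f"failed logons to {len(targets)} distinct hosts"))
    return findings
```

Real process-creation, proxy and authentication logs would need their own parsers, but the four rules map onto the same fields.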