nGuard

Foreign Cyber Threats Risk National Security

Over the last week there have been several major stories in the international community involving Russia, Iran and China. Russian code was discovered in U.S. Army and CDC applications; Iranian hackers used Log4Shell to compromise a U.S. Federal agency; and the China-based APT group Billbug compromised a Certificate Authority (CA) as part of an espionage campaign. Check out each story below for more detail.

Russian Company Pushwoosh Code Found in U.S. Army & CDC Applications
Pushwoosh, a company that offers data processing for applications, has been presenting itself as a U.S. organization based in Washington, D.C. and Maryland. However, Reuters has discovered that Pushwoosh is in fact a Russian-backed company headquartered in Novosibirsk, Siberia. Since it is registered with the Russian government and pays taxes to it, the company must comply with Russian law, which would require sharing data if and when the Russian government requests it. Pushwoosh code had been implemented in a U.S. Army application used as an information portal for the National Training Center; the code was removed earlier in the year, with the stated reason being “security issues.” The CDC was using Pushwoosh code within many public-facing applications but has since removed it. Beyond the U.S. Army and the CDC, Pushwoosh code is used in over 8,000 applications in the iOS App Store and the Google Play store, including those of UEFA, Deloitte, Coca-Cola, McDonald’s and Unilever. Max Konev, the founder of Pushwoosh, claims his company “has no connection with the Russian government of any kind” and that all data is stored in either the US or Germany. At this time, no evidence has been brought forward showing that Pushwoosh has shared any data with the Russian government, but that does not mean it has not or could not in the future.

Iranian Hackers Used Log4Shell to Compromise a U.S. Federal Agency
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has attributed the compromise of an unpatched VMware Horizon server owned by a U.S. Federal agency, via the Log4Shell vulnerability, to an Iranian-sponsored group. CISA responded to the incident over the summer and discovered that crypto mining software had been installed on the server. The attackers pivoted through the network, compromised credentials and the domain controllers (DC), then installed reverse proxies in order to maintain persistent access. CISA believes the original compromise happened in February of 2022. Once the group had access, they added a Windows Defender exclusion (allow-list) rule covering the C:\ drive. This let them download PowerShell scripts and execute tools such as PsExec and Mimikatz, which furthered the attack. Additionally, the attackers changed the password for a local administrator account.

nGuard detailed the Log4Shell vulnerability back in January. If you feel Log4Shell is still an issue within your organization, nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.

Billbug, a China-Based APT Compromised a Certificate Authority
Billbug, a state-sponsored APT group, compromised an unnamed Certificate Authority as part of an espionage campaign. Had the attackers gained access to the CA's signing certificates, they could have used them to sign their own malware in order to bypass security checks, and to intercept and decrypt HTTPS traffic. The Symantec Threat Hunting team made this discovery and reported it to the affected Certificate Authority. At this time there is no evidence or indication that Billbug was able to compromise or gain access to any digital certificates.


OpenSSL Downgrades Panic Bug After Days of Anxiety

Initial Report
On October 27th, Dark Reading reported that organizations had five days to get ready for what the OpenSSL Project described as a “serious” vulnerability affecting versions 3.0 and up of the widely used cryptographic library for encrypting digital communications. They cautioned that, if this vulnerability turned out to be another Heartbleed flaw (the most recent serious vulnerability to affect OpenSSL), enterprises would need to rush to remedy the problem as soon as possible.

Favorable News
Five days after the initial reports of an internet-reshaping flaw in OpenSSL, we now have some good news. Instead of the critical rating that initially alarmed the online community, CVE-2022-3786 and CVE-2022-3602 have been published as high-rated vulnerabilities. According to OpenSSL:

“A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.”

As a result, the vulnerability is considerably harder to exploit than what was initially suggested.

Remediation
The two CVE reports published on November 1st indicate that this issue is present in OpenSSL versions 3.0.0 through 3.0.6. Although these flaws are not as severe as anticipated, it is still advised that all businesses identify their OpenSSL deployments and update to version 3.0.7 right away. At this point, according to OpenSSL, there is no evidence that this vulnerability has been exploited in the wild and no working exploit that could result in code execution. A list of notable operating systems and application runtimes that ship with a vulnerable version of OpenSSL has been compiled by the Computer Emergency Response Team (CERT) for the Netherlands.
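A version-range check for this advisory, added here as an example (not nGuard's or the OpenSSL Project's code): it parses `openssl version` banners and flags only the 3.0.0 through 3.0.6 range named in the CVE reports. The host inventory at the bottom is constructed sample data.

```python
"""Flag OpenSSL builds in the CVE-2022-3602 / CVE-2022-3786 affected range."""
import re
import subprocess

# Affected range and fix version, as stated in the OpenSSL advisory.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)
FIXED = (3, 0, 7)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" and "OpenSSL 1.1.1q  5 Jul 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(banner: str) -> bool:
    """True only for 3.0.0 <= version <= 3.0.6; 1.x and 3.0.7+ are out of range."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def hosts_needing_upgrade(inventory: dict) -> list:
    """Given {host: banner}, return sorted hosts still on an affected build."""
    return sorted(h for h, b in inventory.items() if is_affected(b))


def local_openssl_banner() -> str:
    """Read the banner of the openssl binary on this machine (if installed)."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    # Constructed inventory; in practice collect banners from each host.
    sample = {
        "web-01": "OpenSSL 3.0.5 5 Jul 2022",
        "web-02": "OpenSSL 3.0.7 1 Nov 2022",
        "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
    }
    print("upgrade to 3.0.7:", hosts_needing_upgrade(sample))
```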

What Now?
nGuard is ready to assist clients in detecting and mitigating OpenSSL vulnerabilities. By performing vulnerability scans and penetration testing against both external- and internal-facing services, nGuard can identify whether a vulnerable version of OpenSSL is present in your environment. Carrying out these scans on a frequent basis gives organizations confidence that insecure OpenSSL versions in their environments are being found and fixed.
