InGuardians Security Briefing


08/28/2018 Apache Struts 2 RCE Vulnerability Affects Many Web Apps, including products from Aruba Networks, Cisco Systems, and NetApp
Last week, the Apache Struts team publicly announced a severe remote code execution vulnerability in Apache Struts 2. Similar to the Strutshock vulnerability used in the 2017 Equifax breach, this vulnerability allows an attacker to run programs of their choice on a web application that uses specific configurations or functionality. That Equifax breach is considered by many to be the worst corporate breach in US history: bad actors stole personal information, including social security numbers, belonging to 147 million people in the US, roughly 58% of the US adult population. This vulnerability is present in Apache Struts versions 2.3 – 2.3.34 and 2.5 – 2.5.16.

Applications are vulnerable if they either:

1) use results with no namespace, where the enclosing actions have no namespace or a wildcard namespace.
2) use a url tag without value and action set.

Many vendors’ products, in addition to organizations’ internally-developed applications, use Apache Struts 2, as detailed in the next section.

Many web applications and product web front-end interfaces are potentially vulnerable. As Apache Struts 2 is a “middleware” web application framework, organizations may not realize that they have web applications susceptible to this vulnerability. Several vendors have already determined that their products are vulnerable, including Aruba Networks, whose announcement covers its ClearPass servers; Cisco Systems, which announced four vulnerable products; and NetApp, which announced 82 vulnerable products.

Vulnerable products and web applications will allow an attacker full remote control of the host. This can lead to organizational compromise, ransomware attack, or crypto-mining activity, whether on a small scale or through automated worm programs.

As this vulnerability was discovered in April, with some likelihood of independent discovery or leak before patches became available four months later in August, it is especially important to correct vulnerable applications quickly. Staff can implement the correction by upgrading the Apache Struts 2 framework to version 2.3.35 or 2.5.17. If the vulnerable application is provided by a vendor, InGuardians recommends seeking out the vendor’s advisory for corrective action.
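A triage script for the two checks described above, added here as an example and not code from InGuardians or the Apache Struts project. It flags a deployed struts2-core jar inside the affected version ranges and scans a struts.xml (a constructed sample) for packages with no or wildcard namespace whose redirectAction/chain results lack a namespace parameter; it assumes those result types are what the first condition refers to, and also reports the struts.mapper.alwaysSelectFullNamespace constant, which the Apache bulletin lists as a precondition.

```python
"""Exposure triage for the Struts 2 namespace RCE (CVE-2018-11776).

Added example, not InGuardians' or Apache's code.  Two checks:
  1. Is the struts2-core jar in an affected range (2.3 - 2.3.34, 2.5 - 2.5.16)?
  2. Does struts.xml contain packages with no/wildcard namespace whose
     redirectAction or chain results carry no namespace parameter?
     (Assumption: these result types are the "results with no namespace".)
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))
FIXED_VERSIONS = {(2, 3): "2.3.35", (2, 5): "2.5.17"}
RESULT_TYPES_WITH_NAMESPACE = ("redirectAction", "chain")


def parse_version(text):
    """'2.5.16' or '2.3' -> comparable 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def struts_jar_affected(jar_name):
    """Return (affected, fixed_version) for a jar name like struts2-core-2.5.16.jar."""
    m = re.search(r"struts2-core-(\d+(?:\.\d+)*)\.jar$", jar_name)
    if not m:
        return (False, None)
    version = parse_version(m.group(1))
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            return (True, FIXED_VERSIONS[version[:2]])
    return (False, None)


def risky_namespace(ns):
    """No namespace, an empty namespace, or a wildcard such as '/*'."""
    return ns is None or ns.strip() == "" or "*" in ns


def full_namespace_enabled(struts_xml):
    """True if struts.mapper.alwaysSelectFullNamespace is set to true in struts.xml.
    (It may also be set in struts.properties; check that file separately.)"""
    root = ET.fromstring(struts_xml)
    for constant in root.iter("constant"):
        if constant.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return constant.get("value", "").strip().lower() == "true"
    return False


def find_risky_results(struts_xml):
    """List (package, action, result) triples matching condition 1 above."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        if not risky_namespace(pkg.get("namespace")):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in RESULT_TYPES_WITH_NAMESPACE:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append((pkg.get("name"), action.get("name"), result.get("name", "success")))
    return findings


# Constructed sample: one package with no namespace, one properly namespaced.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index">
      <result type="redirectAction"><param name="actionName">login</param></result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="dashboard">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>"""

if __name__ == "__main__":
    print("jar:", struts_jar_affected("struts2-core-2.5.16.jar"))
    print("alwaysSelectFullNamespace:", full_namespace_enabled(SAMPLE_STRUTS_XML))
    print("risky results:", find_risky_results(SAMPLE_STRUTS_XML))
```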

Additional Resources
Apache Struts Security Bulletin

“Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)” (Semmle Blog)

Aruba Networks ClearPass Policy Manager Security Advisory ARUBA-PSA-2018-005

Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018

NetApp Security Advisory NTAP-20180822-0001

Three Public Exploits Posted

Nessus Plugin 112064 (Checks for Vulnerability)

CVE-2018-11776

08/20/2018 VIA C3 CPUs Allow Unauthenticated Code Execution

VIA C3 CPUs allow unauthenticated code execution, granting an attacker elevated privileges.  A new tool named project:rosenbridge exploits a backdoor on VIA C3 CPUs.  The C3 chips are found primarily in embedded x86 devices such as point-of-sale machines, automated teller machines (ATMs), healthcare hardware, industrial automation devices, and a limited percentage of desktops and laptops.  The backdoor takes the form of a small non-x86 core embedded alongside the main x86 core.  It provides access to a debug mode that should require kernel privileges to reach.  Researchers discovered that unauthenticated access to the backdoor is occasionally enabled by default.  Thus far, neither the researchers nor VIA have named which devices shipped with the backdoor on by default.  This exposure allows any unprivileged code to modify the operating system kernel.

Impact level of this exposure is high, as it is a remote code execution vulnerability for which there currently are no patches and few workarounds.  Exposure of healthcare devices, ATMs, and industrial automation devices should be taken very seriously.

InGuardians recommends that your organization identify your deployed hardware to determine which machines are affected by this flaw.  Once investigation is complete, enumerate the Windows Active Directory machine accounts corresponding to the affected devices.  Each of these machine accounts must have a strong password.  The affected machines must be segregated from the enterprise network with strong network access control.  If segregation is not possible, then permit access to the devices on a case-by-case basis, using a whitelist approach, until a patch is released or the devices reach the end of their life cycle.

Additional Resources

VIA C3 processors (VIA Manufacturer Product Page)

Project:rosenbridge (GitHub project page, Christopher Domas)

08/14/2018 Princeton researchers warn home IoT devices could cause serious issues for utilities
This week, a team of researchers from Princeton University will be presenting their research on home Internet of Things (IoT) devices at the USENIX conference in Baltimore, MD.  They used the grid software packages MATPOWER and Power World to run simulations to determine how many devices, each using how much power, would be required to negatively impact the power grid.  In this case, they based their model on a small Polish power grid from 2008.  They discovered that they could create a “cascading blackout” of 86% of the power grid by arbitrarily and unexpectedly increasing the power demands by only 1%. The researchers were able to cause this increase with a botnet containing as few as 42,000 compromised IoT water heaters.
This awareness has just recently come out of the research phase and there is no current indication of a botnet made up of compromised water heaters.  However, given the history of IoT botnets and their negative impacts, such as the Mirai botnet in October of 2016, this type of research should be considered an early warning.  In the past, refrigerators, DVRs, smart TVs, and a whole host of other home IoT devices have been found to be part of malicious botnets of hundreds of thousands of devices which have caused network outages via distributed denial of service (DDoS) attacks.

Utility companies employ experts who predict the level of power requirements and configure generating equipment accordingly.  However, this type of attack on the demand side of the equation, involving large home appliances such as water heaters and air conditioners, could hit unexpectedly.
For the consumer, vigilance and isolation of home IoT devices are key.  Identify IoT devices on your networks, and put in controls and audit measures in order to prevent and detect abuse.  While there are standards in place for devices deployed by the utility companies, such as smart meters, there are currently no secure deployment standards for devices deployed by the homeowner.  InGuardians believes such a standard should be created and a working group assembled to ensure that the risk of these home IoT devices is mitigated.

Additional Resources
“A Quick History of IoT Botnets” (Radware)

“Mirai (Malware) [Botnet]” (Wikipedia)

“How Hacked Water Heaters Could Trigger Mass Blackouts” (Wired)
08/08/2018 Reddit Hack Reveals Flaws in SMS Based Two-Factor Authentication

On June 19th, the popular community messaging site Reddit revealed that it had suffered a successful intrusion affecting several user accounts, cloud infrastructure, and source code.  Reddit revealed that the data access was read-only: the attacker was unable to modify any website content or user data.  Data accessed included database backups from 2005 to 2007, account credentials (with salted and hashed passwords), email addresses, and email digests (providing a link between e-mail addresses and account names).

The manner in which the attacker was able to gain access to Reddit’s systems is more troubling than this particular compromise of data.  All of the accounts used to access Reddit’s systems were claimed to have had Two Factor Authentication (2FA) enabled.  In this particular case the 2FA mechanism on these accounts was purported to have been a PIN delivered via SMS to a mobile device.  While enabling 2FA is typically enough to protect such accounts, delivery of PINs via SMS can be compromised in at least two ways.  While we do not know the specific method employed by the attacker in this case, the likely attack vectors are:

  1. Creation of a rogue cellular tower signal, in order to lure the victim’s mobile devices.  Once connected to the rogue tower, the attacker could perform cellular traffic interception, acting as Man in the Middle (MiTM), ultimately allowing for the recovery of the SMS based PINs for the affected users.
  2. Social engineering the cellular provider customer support call center in order to port the victim’s phone number to a device under the control of the attacker.  This effectively delivers the SMS based PINs directly to the attacker.

While speculative, based on the level of effort for the two attack scenarios it is most likely that the number porting attack was used in this case.  InGuardians Operators have recently been made aware of similar attacks using number porting; however, the motive was often to recover account credentials for cryptocurrency.

With a successful compromise of a user’s 2FA delivery method, through either number porting or a rogue cellular tower, it is possible for an attacker to gain unfettered access to a victim’s network, applications, and other credentials.  As shown in this example with Reddit, the overall outcome can be quite severe, resulting in complete compromise of the organization.

While creating a rogue cellular tower is non-trivial, the number porting attack scenario is a more likely attack vector.  Requiring only the boldness of the attacker to perform the appropriate social engineering, this is a fairly low barrier to overcome.

As a result of more high-profile attacks against 2FA utilizing SMS PIN delivery methods, organizations should carefully review and revise their stance on 2FA implementations.  At this time it is recommended that organizations move away from SMS-based 2FA methods to those requiring hardware or software based tokens, in addition to passwords.

For those organizations looking to start 2FA implementations for either their users or customers, it is recommended to avoid the option of SMS based delivery and move right to hardware or software token based authentication, in addition to passwords.

While the adoption of hardware and software based tokens can be more expensive, and more obtrusive for the end user, the overall gain in security is much greater.

Additional Resources
Reddit: We had a security incident. Here’s what you need to know.

Reddit hack shows even strong security measures can be bypassed

07/30/2018 Browsers Begin Marking Unencrypted Sites as “Not Secure”

The lack of HTTPS on a website has slowly become a sign that a company hosting a web application does not understand the impact of unencrypted traffic to their clients. As a result, browser companies have adopted increasingly conspicuous approaches to alert users to the basic risks of unencrypted websites. They have long warned users that entering credentials into an unencrypted page is dangerous. Last week, Google released Chrome 68, which marks unencrypted sites as “Not Secure” in the top URL bar. Mozilla added a similar (albeit a manually activated) feature in 2017 and might soon make it standard. Microsoft and Apple may follow suit.

Most criticism of unencrypted websites describes the risk of some nefarious group reading the web traffic or stealing passwords, but properly-configured HTTPS offers much more than just those protections. Users of properly configured HTTPS websites can be sure of three things:

  • Authentication: The content is provided by the entity they expect.
  • Integrity: The content has not been modified between the server and the browser.
  • Confidentiality: The content is safe from decryption by third parties.

The risk the first two points pose is not theoretical. Numerous countries route all web traffic through a single national proxy. University of Toronto researchers found that one of these national proxies added cryptocurrency mining code to unencrypted websites. Citizens and tourists alike executed this code.

The same report identified two other countries adding state-sponsored malware to unencrypted downloads. This places a company’s customers and traveling personnel (and ultimately the enterprise environment) at risk. Those who notice will point to the company as the culprit, suggesting that it was compromised since the malicious code appeared to come from its site.

Even some US internet service providers (ISPs) have injected content on unrelated sites, and some may still do so. ISPs Verizon, Comcast, and CMA Communications have all been previously identified as modifying traffic passing through their networks.

Ultimately, HTTPS sites will lose the green “Secure” indication as browsers consider it the norm. The currently “Not Secure” text could change to something more ominous. Within hours of the release, some prominent retailers had already implemented HTTPS by default to avoid the potential trust issues. This had likely been planned for some time–enabling HTTPS is often not trivial–but it demonstrated how seriously many companies take the change.

InGuardians recommends that all companies protect their websites and services with a properly-issued HTTPS certificate and updated encryption settings, including mandatory HTTPS. These measures protect your clients, employees, and other users not only from a threat agent obtaining information but also from modifying it in ways that may not be easily detected.

Deployment of HTTPS has become much easier and less expensive, as certificate authorities (CAs) have adopted new models to promote its use. Let’s Encrypt offers free certificates, and some certificate vendors offer wildcard certificates that can be used on an unlimited number of systems.

Additional Resources
Google Chrome 68 Release Notes (Jul 24, 2018)

BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? (Mar 9, 2018)

Verizon’s “supercookies” violated net neutrality transparency rule (Mar 7, 2016)

Comcast Wi-Fi serving self-promotional ads via JavaScript injection (Sept 8, 2014)

Comcast is still forcing pop-up ads on customers to upsell its modems (Dec 11, 2018)

How a banner ad for H&R Block appeared on—without Apple’s OK (Apr 7, 2013)

Qualys SSL Labs Server Test Strong Ciphers for Apache, nginx, and Lighttpd

Let’s Encrypt: Free Certificates

07/25/2018 “Devil’s Ivy” Flaw Renders Millions of Internet of Things (IoT) Devices Vulnerable

An integer overflow in a library used by security cameras and many other Internet of Things (IoT) devices has been discovered and disclosed by security researchers at Senrio.  While the Senrio researchers demonstrated the exploit against one camera, an AXIS security camera, the vulnerable library, gSOAP by Genivia, is used by many IoT device manufacturers.  It is present in 249 distinct Axis camera models alone.

The impact of this vulnerability is likely to grow in the coming weeks, as proof-of-concept exploits surface and additional vulnerable targets are identified.  Almost one year ago, a flaw in a security camera opened the way for a botnet called Mirai to take hold.  At its peak, Mirai compromised more than 600,000 IoT devices and sent distributed denial of service (DDoS) attacks in excess of 1.1 terabits per second, slowing or stopping Internet access for nearly the entire eastern United States for part of a day.  At this time, there are at least thirteen (13) versions of Mirai active on the Internet.

While the Devil’s Ivy flaw has not yet resulted in a Mirai-style botnet, the announcement of the vulnerability gives us pause to think of the wide ranging consequences of vulnerabilities in widely-deployed devices.  Now is the time to identify the products using the gSOAP library, and check your networks for vulnerable devices.

At the time of this briefing, Axis Communications has not issued a patch for CVE-2017-9765.  Their main recommendation, which InGuardians will echo, is to restrict network access to and from the devices.

Network segmentation, along with controls and audit measures, is the first line of defense here.  This is a remote execution flaw that requires no authentication or credentials, merely network access.

Often, IoT devices are ignored by organizations’ security operations teams, because the devices are either externally managed or simply not managed at all.  It is imperative to identify the systems you have in place, and to spell out ownership and maintenance in an IT governance plan.

IoT security differs in some aspects from traditional IT security as many of these devices provide little in the way of configuration and management.  InGuardians recommends adding IoT devices to your asset inventory, and including them in regular maintenance, and security audits.

Additional Resources
Devil’s Ivy: Flaw in Widely Used Third-party Code Impacts Millions (Senrio, July 18 2018)

Axis Communications Security Advisory for Devil’s Ivy

Genivia advisory for Devil’s Ivy Vulnerability in gSOAP:

CVE Advisory for Devil’s Ivy:

“Devil’s Ivy” Vulnerability Could Afflict Millions of IoT Devices (Wired, July 18, 2018)

How a Dorm Room Minecraft Scam [Mirai] Brought Down the Internet (Wired, December 13, 2017)

Wikipedia Article on Mirai

07/16/2018 HP iLO 4: Simple Authentication bypass can lead to system compromise.

In August of 2017 Hewlett Packard (HP) silently patched an authentication bypass vulnerability in their proprietary Integrated Lights Out (iLO) version 4.  iLO runs on a dedicated baseboard management controller on high-end HP servers, to enable remote management even when the operating system itself does not function.  The vulnerability, present in versions prior to 2.54, is particularly concerning because of the criticality of the systems that many organizations use HP iLO4 to remotely manage.  These systems include those of the utmost importance in the organization, such as Windows Active Directory domain controllers.

This authentication bypass is over a year old and received a CVSS score of 9.8 (out of 10) upon release.  However, it appears that many organizations have NOT patched their systems.  Only recently have the researchers who discovered the flaw been publicly speaking about it.  During recent presentations, it was disclosed that the bypass requires only a crafted HTTP host header sent to the iLO4 device, including the phrase “Connection: “ followed by 29 “A” characters.  This simple attack grants full access to the iLO4 subsystem, allowing total control of the host system.  This includes the ability to gain access to the system console as the active user, mount additional file systems (such as various bootable penetration-testing Linux distributions), and reboot the host systems.

Recently InGuardians operators have successfully leveraged the HP iLO4 authentication bypass in the described scenario to gain full control of Active Directory where certain conditions were met.  While it is simple to exploit with tools such as curl under Linux, several other PoC code releases, as well as a Metasploit module, are also available.

HP iLO3 and iLO5 are not affected, nor are iLO4 versions 2.54 and greater.

The impact of this vulnerability will differ based on the overall adoption, use cases, and policies concerning remote system management, especially those centered around the use of iLO4.  However, should the vulnerable version be in use, it is possible for an attacker to gain full control of an organization’s computing infrastructure, depending on the services hosted on systems with iLO4 available.  In cases where lower-privilege systems are managed with affected versions of iLO4, it can still provide an initial foothold for an attacker, likely leading to full compromise.

While remote management of systems is critical to effective IT operations, several things should be considered during its use to help protect the overall security of the environment:

  • PATCH: Add remote management solutions to the critical “short-list” for monitoring for and applying patches.
  • Evaluate the overall number of staff needed to conduct remote management, and limit which systems can access the remote management interfaces through robust network segmentation and firewalling, potentially including the use of well-secured jump hosts.
  • Limit the systems that remote management can reach, especially for mounting remote filesystems.  Allow mounting of remote file systems only from trusted sources, restricted by robust network segmentation and firewalling.
  • Establish a policy for login sessions for remote access, specifically for remote terminal sessions.  In cases where privileged accounts can be left “logged in” indefinitely to a remote session, should an attacker access that same session, they gain all of the rights of the logged-in user.  Set short inactivity timeouts for automatic logout of remote sessions.

Additional Resources
HP iLO4 vulnerability: authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53:

Subverting your server through its BMC: the HPE iLO4 case [Fabien Périgaud , Alexandre Gazet , and Joffrey Czarny]:

07/09/2018 Google confirms external apps can scan and allow their staff to read your emails.

Google continues to allow outside software developers to “scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools.” (see WSJ report link below)  Additionally, people who have connected third-party apps to their accounts may have unwittingly granted human staff permission to read messages those people considered private.

Impact
All reports available to date suggest this is a common practice and not limited to Google.  In June 2017, Google announced that it would allow users to opt out of its ad personalization via e-mail scanning.  It seems that the company instead is allowing third-party application developers to do so, both electronically (machine reading) and via human staff.  Google has made statements assuring that these developers are vetted, but remains silent about any subsequent verification of their process.

Many organizations as well as individuals rely on Gmail and similar provider managed email services. This suggests that anything discussed in such emails is potentially exposed to apps and to the developers of those apps. It raises significant questions about the security of email exchanges and highlights the need for organizational policy and practice to mitigate loss of intellectual property and exposure of confidential information.

While that is not new, this is a new vector for exposure.  Even if Google’s vetting is sound and developers adhere to reasonable security procedures, we know that data breaches of third parties are a common source of data exposure (see EXACTIS link below).  It also raises a question about possible exposure of ANY hosted services.  Reporting has limited discussion to Gmail and has been silent about whether or not G Suite “<person>@<company><dot>com“ emails are in the mix.

Review written policies for all external email communication among employees and to clients to ensure they proscribe discussion of sensitive information. Remind staff to remain vigilant about discussing business dealings in emails.

Review written policies to confirm that employees are not permitted to send sensitive organization data via free/consumer-level Gmail or other third-party email providers.

Additional Resources
Wall Street Journal article and report: 

ArsTechnica: Scroogled no more: Gmail won’t scan e-mails for ads personalization

Business Insider article and discussion: 

Wired (UK) news article:
(article is apparently NOT on the US *.com website)

Wired article about EXACTIS breach: 

ABC (Australia) article with a good guide to checking apps: 

07/02/2018 New attacks against LTE networks
Three new attack vectors in the LTE (aka 4G) standard have been unveiled by researchers from Ruhr-Universität Bochum and New York University Abu Dhabi.  These new vulnerabilities include two passive attacks that allow for identity mapping and website fingerprinting, and one active cryptographic attack called aLTEr.  The last would allow attackers to remotely redirect network connections via DNS spoofing.  The major issue with these new attack vectors is that the flaw is in the standard, which is ubiquitous in mobile communication, and therefore affects ALL devices using LTE.

There are three main attack vectors:
Website fingerprinting – identify which sites users in a radio cell are visiting
Identity mapping – identify individual users in the radio cell
aLTEr – abusing flaws in the standard to redirect network communications via DNS spoofing

The impact of aLTEr and its related attack vectors is large, with hundreds of millions of devices using the vulnerable standard.  The researchers worked with the GSM Association (GSMA) and the 3rd Generation Partnership Project (3GPP), along with telephone companies, to ensure that all parties responsible for addressing the problem were notified prior to the release of the paper.  The three main attacks outlined in the paper (mapping user identities in the radio cell, identifying websites a user visited, and the aLTEr attack via DNS manipulation) currently require special equipment and knowledge to perform, but it will not be long before these attacks show up in the wild.  The long-term impact will depend on whether the GSMA and the 3GPP fix the current standard, in addition to ensuring that it is fixed in the next generation of the standard (5G).

The impact on individuals is hard to quantify at the moment, but the potential impact to critical infrastructure is serious.  Many of our critical infrastructure systems rely on LTE communications; for example, the smart grid relies heavily on LTE networks to transmit data.

The main recommendation for the moment is to identify which parts of your business operations rely on LTE communications and ensure that your vendors are using strong encryption and authentication independent of the LTE layer.

Additional Resources
Website for the attack research: https://alter-attack.net

Academic paper on the research:

Hacker news article:

06/26/2018 Attackers leverage cost of GDPR fines to extort businesses
In what appears to be an exploitation of the concept of “the lesser of two evils”, hackers in Europe have begun changing the approach of ransom-based attacks.  Two Bulgarian companies have recently had their data compromised, but instead of encrypting it and demanding that the victim pay up to get the data back, these attackers are threatening to make the data public.  This would expose the company to the risk of fines under Europe’s General Data Protection Regulation (GDPR), which went into effect in May.  These fines could be upward of 4% of annual revenue.  The attackers, acutely aware of the potentially high cost of GDPR fines, typically ask for much less.  At their highest, attackers are currently asking for the equivalent of €20,000.  This type of attack may be effective as GDPR is still relatively new, and businesses are still trying to grasp the risk of fines and levels of enforcement.

Impact
A wrinkle in this scheme is that the GDPR requires companies to report a breach within 72 hours of becoming aware of it, or also face steep fines.  As of today, if the company self-reports a breach, they are still liable for the 4% fine.  These attacks force the victimized companies to weigh the profit motive against full compliance with the law.
Due to the level of potential loss, and the possibility of running afoul of European law, companies subject to the GDPR should ensure that they do more than merely meet the minimum regulations of compliance dictated by GDPR. They also should apply defense-in-depth strategies and perform periodic penetration testing to ensure that their most sensitive data is protected in ways that are beyond reproach. Demonstrating that this due diligence has been performed is the only way to avoid a fine in the event of a reportable breach.
06/18/2018 ZipSlip: Vulnerabilities in compression archive file processing can lead to system compromise.


Researchers have demonstrated that multiple file archive extraction libraries, across multiple programming languages, allow an attacker-supplied archive to overwrite arbitrary paths on the filesystem.  In essence, a program using a vulnerable C#, Java, JavaScript, or Go library can unintentionally overwrite files on the machine with attacker-supplied content, granting the attacker remote code execution capability on the system. The file formats known to be affected include: ZIP, tar, jar, war, cpio, apk, rar and 7zip.

This is due to two major factors: vulnerable libraries and lack of centralized file archive extraction libraries. The vulnerable libraries span multiple languages. These include, but may not be limited to:

JavaScript NPM: Unzipper

JavaScript NPM: Admzip

Java: codehaus/plexus-archiver

Java: zeroturnaround/zt-zip

Java: zip4j

C# / .NET: DotNetZip.Semverd

C# / .NET: SharpCompress

C# / .NET: mholt/archiver

Java: commons-compress

C# / .NET: SharpZipLib

Ruby: zip-ruby

Ruby: rubyzip

Ruby: zipruby

Go: archive

The second factor is the lack of centralized libraries for performing archive file extraction, which leads to the development of hand-crafted methods.  These hand-crafted methods often lack robust checks to prevent extracted files from being written outside of the extraction path.  These hand-crafted code “snippets” are often shared publicly (through websites such as StackOverflow) and adopted across many projects.  With these factors considered, many closed and open source projects are writing or have adopted vulnerable archive file extraction code.  This issue can result in overwriting of sensitive system files with a malicious file archive, potentially resulting in remote code execution and full system compromise.
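The hand-crafted extraction pattern described above, beside a hardened version, as an added example (not code from the ZipSlip research or from any library listed here): naive_target_path shows the path join that trusts the entry name, while safe_extract resolves every target and refuses the whole archive if any entry would land outside the destination, before writing anything. The archives are constructed in memory for the demonstration.

```python
"""ZipSlip: the vulnerable extraction pattern and a hardened replacement.

Added example, not code from the ZipSlip researchers or any affected library.
The flaw is trusting the archive entry name when building the output path;
the fix is to resolve the path and confirm it stays under the destination.
"""
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    """Build an in-memory ZIP from {entry_name: bytes}.  Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target_path(dest, member_name):
    """The hand-rolled pattern ZipSlip exploits: join dest with the raw
    entry name.  '../' components walk out of dest, absolute names replace it."""
    return os.path.join(dest, member_name)


def is_within(base, target):
    """True only if the fully resolved target lies under the resolved base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def escapes(dest, member_name):
    """Would the naive pattern write this entry outside dest?"""
    return not is_within(dest, naive_target_path(dest, member_name))


def safe_extract(zip_bytes, dest):
    """Extract an archive into dest, rejecting it entirely if any entry
    would escape.  Returns the relative paths written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        # Pass 1: validate every entry name before touching the filesystem,
        # so a bad entry late in the archive cannot leave a partial extraction.
        for info in members:
            if not is_within(dest, os.path.join(dest, info.filename)):
                raise ValueError("rejected archive entry outside destination: %r" % info.filename)
        # Pass 2: write the (now known-safe) entries.
        written = []
        for info in members:
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
    return written


def demo():
    """Run a benign and a traversal archive (both constructed) through
    safe_extract in a scratch directory.  Returns (rejected, written, leftover)."""
    benign = build_zip({"app/config.txt": b"ok\n"})
    malicious = build_zip({"app/readme.txt": b"hi\n",
                           "../../etc/important.conf": b"overwritten\n"})
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "extract")
        written = safe_extract(benign, dest)
        try:
            safe_extract(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        leftover = sorted(os.listdir(dest))   # nothing from the rejected archive
    return rejected, written, leftover


if __name__ == "__main__":
    print("naive path for '../../etc/x':", naive_target_path("/srv/extract", "../../etc/x"))
    print("demo:", demo())
```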

The researchers discovering this issue have identified a number of common applications that carry the vulnerability, including the Apache projects: Ant, Hadoop, Hive, Maven, and Storm.  A comprehensive list of these applications can be found at:


The impact of this vulnerability will differ from environment to environment, depending on the various software packages deployed.  However, should an organization be utilizing one of the affected and identified applications, it is possible for a malicious actor to deliver a specifically-crafted archive file to a victim program, which can cause a full system compromise simply by extracting the file.  Because of the code-sharing culture and the affected programming language deficiencies, it is highly likely that this issue far exceeds the currently identified scope.


Our recommendations fall into two separate categories:

Developers and Enterprise Development operations:

Evaluate the quality of shared code, and fully test it for “outside cases” before implementation.

Integrate the use of shared code evaluation into the DevOps process.

Select and adopt a standard set of libraries for core application functions, and document and standardize on its implementation based on testing results.

Carefully select development languages at the start of any new project, taking into account the availability of well-developed core libraries essential to the success of the project.

Enterprise adopters:

Perform robust and regular testing of all application input functions at time of adoption and during major code updates or releases.

When possible, perform regular code audits of open source projects in use in the organization in order to discover similar failures.

When possible, encourage your software vendors to perform regular code audits in order to discover similar failures. Ask them to share the results (under NDA or otherwise) so that proper risk decisions and corrective actions can be made.

Ultimately, all organizations should be mindful of the ZipSlip vulnerability, patch currently identified vulnerable applications, and watch for additional discoveries. Remember that this specific exploit has revealed a previously unknown, or only narrowly known, class of general vulnerabilities that may enable many more exploits.

Additional Resources

ZipSlip Overview:

ZipSlip Release and White Paper:

Current list of known vulnerable software and patch status:


05/29/2018 New “VPNFilter” malware targets at least 500K networking devices worldwide.


Dubbed “VPNFilter” by Cisco’s Talos research group, this multi-stage, modular platform has versatile capabilities to support both intelligence-collection and destructive cyber attack operations. The first stage will persist through a device reboot, enabling downloads of other stages and full reinfection. It also redundantly maintains the IP address(es) of second stage deployments, enabling robust maintenance of the malware command and control (C2) environment even in the face of unpredictable changes, such as those occurring as system administrators attempt to track and remove malware. 


The code collects intelligence (scans) and has multiple attack features that can either execute additional commands or simply “brick” a device. From the Talos blog, “… the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.” That overlap with known attack code and two separate upticks in malware on Ukrainian IP addresses in mid-May 2018 prompted Talos to release information before completing full analysis. 

VPNFilter includes modules to use the Tor anonymity network to mask C2 IP addresses and foster misattribution. It is designed to attack devices on the perimeter of the network, with no intrusion protection system (IPS) in place, and that typically do not have an available host-based protection system such as an anti-virus (AV) package.

Specific sequences in the malware include:

  • kill: Overwrites the first 5,000 bytes of /dev/mtdblock0 with zeros, and reboots the device (effectively bricking it).
  • exec: Executes a shell command or plugin.
  • tor: Sets the Tor configuration flag (0 or 1).
  • copy: Copies a file from the client to the bad actor’s remote server.

The inherent destructive capability is of particular concern because it allows the operators of this malware to ‘brick’ the network connections of any infected organizations. That would eliminate remote operations control for ICS/SCADA systems, as well as shut down any other network connections. The combination of intelligence gathering and mapping seems aimed at finding systems from which to launch effective attacks.


  • Reset SOHO routers and directly-connected NAS devices to factory settings, then update them with up-to-date, non-vulnerable firmware.
  • Work with ISPs to reset devices provided by ISPs.
  • For any directly connected device that may be infected or suspect, contact and work closely with manufacturers to ensure devices have up-to-date firmware and that they are not infected.
  • ISPs should also work aggressively with customers to address potential problems.

This is a harbinger of IoT risks that will likely become more common. Look at the ‘heat’ map in the SDX Central article below to see that this is, at least so far, clearly targeting or being tested against Ukraine, and appears to be a direct descendant of the previously-discovered Russian malware, BlackEnergy. It has, however, also been discovered in 54 other countries so far. It is not going away.

Additional Resources

Cisco Talos Group blog warns of “VPNFilter” malware

SDX Central – Cisco Warns Massive Russian Malware Attack Hit 500K Routers Globally

IBM X-Force report on Russian malware BlackEnergy 


05/21/2018 New PDF malware combines recent Windows & Adobe exploits


New PDF malware combines two zero-day exploits discovered as recently as last week. The malware, detected by anti-malware firm ESET, combines the most recent Windows and Adobe exploits to compromise Microsoft Windows systems. The patches for the exploited flaws have been available for only a short time; Microsoft released its patch on May 8th, and Adobe released security patches for Reader and Acrobat on May 14th. The PDF malware compromises Windows systems when users open an infected PDF on a vulnerable system. Both flaws offer remote command execution to the attacker, with the Windows flaw offering SYSTEM-level access. The major significance is that these are two new zero-day exploits found together in a malicious PDF file, in the wild.


The impact of combining two zero-day exploits into a lethal piece of malware could be devastating. How many were hit before the patches? The end result is not known at this time. The sample identified by ESET did not contain a final payload, so the malware’s ultimate goal is not known. That said, the malware is sophisticated, and the zero-day exploits embedded in it are more so.


With zero-day exploits in the wild, it is usually too late to simply patch your systems. We are by no means advocating delays in patching, but at this point it is advisable to engage a full internal hunt team to identify vulnerable and/or compromised systems. This is a good reminder that we need to implement the basics first: patch/vulnerability management, software/data inventory, governance, etc. Once those are shored up, start to look at additional segmentation, access management, application firewalls and whitelisting. Zero-day exploits are in the wild, and our organizations have to evolve to be resilient against exploits for which we do not have patches.

Additional Resources

Microsoft Patch for CVE-2018-8120

Adobe Security Bulletin:

Anton Cherepanov Blog on the two zero days found in PDF malware


05/14/2018 Industrial Control System product vendor Schneider Electric’s InduSoft and InTouch products contain critical security vulnerabilities.


Schneider Electric makes products that allow HMI clients to read and write tags and to monitor alarms and events. Its InduSoft and InTouch software is vulnerable to remote compromise and should be patched immediately.


Schneider Electric’s software is often deployed on critical industrial control systems, and its InduSoft and InTouch applications are vulnerable to remote compromise. The vulnerable software runs with a high privilege level, so compromised systems should be completely wiped and reinstalled before being put back into production. Given the severity of the vulnerability and the criticality of the systems, we would rate the impact as high.


InGuardians recommends the following steps be taken:

  1. Identify whether you run either of the two applications (software inventory)
  2. If running the software, ensure that it runs on isolated network segments
  3. Check production systems for indicators of compromise
  4. Patch vulnerable systems and/or rebuild compromised systems

Additional Resources

Schneider Electric Security Bulletin LFSEC00000125

Schneider Electric InduSoft Web Studio and InTouch Machine Edition Remote Code Execution (Tenable Research Advisory Detail)


Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability

05/07/2018 Plaintext Passwords Exposed on Twitter and Github, Suggesting Password Safes and MFA


Last week, both Twitter and GitHub publicly announced that their services had exposed plaintext passwords in internal log streams. While neither company has disclosed a compromise, mature information security programs assume that at least one machine in the organization is under the control of a bad actor, and thus that any cleartext password must be replaced. While Twitter has begun requiring some users to change passwords and GitHub has made no such requirement, it would behoove all users of both Twitter and GitHub to assume their passwords are compromised.


If one or more bad actors have compromised either Twitter or GitHub, they may possess your organization’s credentials for the respective service. If your organization uses multi-factor authentication (MFA/2FA) for any accounts, the bad actors will likely not have gained access using those accounts.  

A GitHub account compromise produces significant risk in multiple ways. First, if a bad actor can alter code stored on GitHub that a user deploys to your or their own systems, they can achieve an indirect compromise of those systems and any systems accessible by them. Second, a bad actor may find access credentials, private certificate keys, or other secrets stored in GitHub. InGuardians often finds this kind of data in its red team penetration tests, particularly API keys that provide full cloud service administration capabilities. Finally, when targeting a DevOps environment, a bad actor with GitHub access gains full knowledge of routing, firewall and system provisioning code.


InGuardians recommends changing the passwords of all organization accounts on both Twitter and GitHub. Given the tendency for code and data to proliferate to both personal and business GitHub accounts, InGuardians recommends requiring all staff to change their personal and business GitHub passwords and to enable multi-factor authentication on that platform.

InGuardians also recommends deploying password safe software or hardware, whether free or commercial, to ensure that every password an organization uses is unique. Bad actors will gain access to passwords; to understand, contain and recover from the damage, it is important to make sure that a compromised password is useful on only one service.

Further, InGuardians recommends conducting a quarterly internal review of what code, data and secrets lie in GitHub repositories, to both understand and reduce the amount of sensitive or secret information that is entrusted there.
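One way to start the review recommended above, as an added example that is not InGuardians’ tooling or GitHub’s: a small scanner that walks checked-out file contents for the kinds of material the briefing names (private key blocks, cloud access keys, credential assignments) and reports findings without copying the secret itself. The rules, the sample repository and its values are constructed for this example; the AWS key is the placeholder AWS uses in its own documentation.

```python
import re
from typing import Dict, List

# Illustrative detection rules for the material the briefing says ends up in
# repositories. Chosen for this example; not an exhaustive ruleset.
SECRET_RULES: Dict[str, re.Pattern] = {
    # PEM header of a private key, whatever the key type.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # AWS access key IDs begin with AKIA followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # name = "value" style assignments where the name suggests a credential.
    "credential_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-]{16,})"),
}


def redact(value: str) -> str:
    """Show just enough of a match to locate it without copying the secret
    into findings, tickets or logs."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> List[dict]:
    """Apply every rule to each line of one file; return one finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            findings.append({"path": path, "line": lineno, "rule": rule,
                             "preview": redact(value)})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of repository path -> file contents (e.g. a checkout)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository. The PEM body is obviously not a real key and
# the AWS key is the documentation placeholder, not a live credential.
SAMPLE_REPO: Dict[str, str] = {
    "README.md": "Set API_TOKEN in your environment; never commit it.\n",
    "config/app.env": "APP_ENV=production\n"
                      "API_TOKEN=0123456789abcdef0123456789abcdef\n",
    "deploy/terraform.tfvars": 'region = "us-east-1"\n'
                               'access_key = "AKIAIOSFODNN7EXAMPLE"\n',
    "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
                       "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
                       "-----END RSA PRIVATE KEY-----\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['preview']}")
```

The README line mentioning API_TOKEN is deliberately not flagged: the credential rule requires an assignment, which keeps documentation out of the findings.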

Additional Resources

Twitter Admits Recording Plaintext Passwords in Internal Logs, Just Like GitHub

GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs


04/30/2018 Multiple known Java and HPE iLO vulnerabilities being targeted for ransomware


Software management is often boring. It is, however, essential to business survival. The many “new” attacks that grab media attention all too often exploit known vulnerabilities for which patches have been published – and missed or ignored. Atlanta’s recent ransomware attack exploited Java’s deserialization bug, which was called the most under-hyped vulnerability of 2015.

It is NOT just Java. HPE iLO, an integrated remote management console for HP servers, has many known vulnerabilities. They are now being hit with disconnect-and-lock-out ransom demands. This one may not be encrypting drives, but instead is remotely locking out administrators. The effect and the impetus for ransom are the same.


Atlanta’s one case has so far incurred $2.6 million in external consulting costs; that figure captures neither internal costs nor disruption effects, and as of this writing Atlanta’s departments are still using paper and other offline tools. In many commercial environments, this is a business killer. The iLO attacks effectively take servers offline – they are no longer under your control.

Any unpatched or unresolved vulnerability is an opportunity for exploitation and disaster. Delays in patching increase the window of vulnerability and the likelihood of exploitation. A ‘standardized’ weekly, monthly, or longer patch cycle, if known publicly, advertises an organization’s unpreparedness. E.g., Outfit A, Inc., patches on the first Monday of the month; a vulnerability and patch are published in the second week; attackers can posit that Outfit A will remain vulnerable for AT LEAST 3 weeks … and maybe even into more than one cycle.


1. Do frequent and aperiodic vulnerability assessments. Scan for vulnerabilities and create a realistic, prioritized, ACTION list.

2. Pay attention to other organizations, news, and vulnerability announcements.

3. PATCH. Just Do It. When patches are more complex, mitigate with layered defenses and architecture – network segmentation.

4. Review policy and architecture to ensure systems that should NOT face the internet, such as HPE iLO interfaces, DON’T.

5. And do not let anyone tell you to relax, it’s only a “theoretical vulnerability.” Ever.

In 2015 the Java vulnerabilities “were considered to be theoretical and hard to exploit.”(1)

STOP. That mistaken viewpoint goes back decades – was wrong then and is wrong now. 

Additional Resources

Atlanta fall-out continues

2018 – Atlanta projected to spend at least $2.6 million on ransomware recovery

This is NOT new – it’s been skipped and left to fester:

2015 – Java Serialization Vulnerability Threatens Millions of Applications

… and it persists

2018 – Cisco Secure Access Control System Java Deserialization Vulnerability

(1) 2016 – Lessons Learned from the Java Deserialization Bug

And it is NOT just Java

2018 – Ransomware Hits HPE iLO Remote Management Interfaces

The CVE list of HPE iLO vulnerabilities:

04/23/2018 Attackers Compromising Drupal-based Web Sites En Masse for Financial Gain

Attackers are using two vulnerabilities, including Drupalgeddon2, to compromise Drupal installations, install DDoS and currency-mining malware, and attack non-Drupal machines made accessible by that foothold.

The impact for organizations which run Drupal now (or ran it at any time since March 28th, 2018) is severe. Multiple organized criminal groups have raced to exploit the first vulnerability, named Drupalgeddon2. The most prolific uses malware named “Muhstik,” which infects a host, then spreads to other machines using SSH and WebDAV, as well as exploits against the Drupalgeddon2 vulnerability and vulnerabilities in Oracle’s WebLogic, ClipBucket, Webuzo, and the WordPress content management system. Muhstik is a variant of Tsunami, which has infected tens of thousands of Linux hosts. Muhstik has built a botnet from servers and Internet of Things (IoT) “smart devices,” allowing it to scan the Internet for vulnerable hosts very quickly.

For any site that ran Drupal since March 28th, it’s critical to patch the Drupal software immediately. InGuardians further recommends assuming that Internet-facing Drupal installations have been compromised, until that assertion can be ruled out. The Muhstik malware doesn’t spread only using software vulnerabilities. It also scans for SSH servers, trying both a pre-populated set of password possibilities as well as credentials that it finds on the system from which it runs. If Muhstik compromised a single Drupal system, it has likely spread to other systems.

InGuardians has seen many clients use a best practice approach to content management system-provided websites. These clients bifurcate their Drupal application servers into two servers: an internal dynamic server and an external static server. The internal server runs the content management system (Drupal) to allow organization staff to update the site’s content. On any update, this server pushes a static mirror of the site to the external server.  The external server serves content statically, exposing far less code to attackers. This can be accomplished on Drupal using the Static Generator module.

Additionally, InGuardians recommends disallowing root login via SSH and relocating the SSH server port from 22 to a less well-known number. These two measures massively reduce the number of successful SSH-based attacks, whether in initial infection or lateral movement.

Additional Resources
Drupal Patch Instructions for Drupalgeddon2

Drupal Static Generator Module

Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style (Netlab at

Big IoT Botnet Starts Large-Scale Exploitation of Drupalgeddon 2 Vulnerability (Bleeping Computer)

04/16/2018 Researchers Can Hijack ATI Systems’ Emergency Alert Sirens Using Software Defined Radio (SDR)

Security researchers at Bastille Networks were able to capture, analyze and replay packets to trigger emergency alert sirens in the city of San Francisco provided by ATI Systems. Over a two-year period, researchers captured the weekly transmission used to initiate system tests. Upon analyzing the captured radio protocol, it was discovered that the transmissions were neither encrypted nor authenticated.

While the ATI Systems emergency alert sirens are a unique implementation, the vulnerability in these systems extends to those installed outside of San Francisco, with identical systems deployed across the globe. Attacks against these types of systems are not unique, as it is theorized that similar attacks were used in the erroneous activation of the tornado warning sirens in Dallas, Texas.

Adoption of proprietary Radio Frequency (RF) systems is quite common in both legacy and current systems.
InGuardians often finds that organizations do not have an accurate inventory of RF-enabled systems in their environment, nor do they understand the overall implications of compromise of the unknown RF-enabled systems.

This proof of concept is specific to the ATI Systems implementations, which by design, could cause widespread panic should the emergency sirens be triggered by an attacker.  However, a bad actor or researcher could use the overall methodology and tools for discovering an attack surface for this system on other RF-enabled systems.  Overall impact to an organization will depend on the affected system discovered and analyzed, but it is not outside the realm of possibility that there could be pecuniary or life safety issues.

With the increased development in Software Defined Radio (SDR) and expertise in these tools being gained by the security community, RF protocols that formerly enjoyed “security through obscurity” are unlikely to remain free from attack much longer.  This becomes particularly challenging in legacy systems where the RF protocols were designed with obscurity as the only security measure either due to lack of available technology, or little future consideration in technology advancements.

InGuardians recommends its clients perform or commission an overall discovery of RF-enabled systems in the enterprise environment, followed by a thorough risk analysis. Should the risk impact be determined to be elevated for any of the discovered systems, it is recommended, at a minimum, to contact the vendor in order to determine the methods in use for securing, encrypting, and authenticating transmissions. Should the answers from the vendor be insufficient, or the RF-enabled systems be critical to the operation of the business, a thorough review and analysis of the RF transmissions should be performed.

Additional Resources

Dallas Tornado Siren Hack [Washington Post]

04/09/2018 Security vulnerabilities in two Moxa Industrial Control Systems (ICS) devices

There are security vulnerabilities in two Moxa ICS devices: the MXview network management software and the AWK-3131A 802.11n ICS wireless gear. The management software has a flaw that would allow an attacker to view or retrieve the cryptographic key on the server. The wireless gear has a flaw that allows an unauthenticated user to execute commands on the system.

Impact

The first vulnerability affects Moxa’s AWK-3131A 802.11n ICS wireless network gear. This was reported initially by Cisco Talos in December 2017, and patched by Moxa on April 3. The vulnerability is present due to the way Moxa uses ‘loginutils’ to parse failed logins, allowing attackers to use a semicolon to terminate the login and follow it with a command to be executed. Cisco Talos has stated that it believes the web front end is also vulnerable to the attacks, as it also uses ‘loginutils’ to parse failed logins. The vulnerability was successfully exploited via ‘Telnet’, ‘SSH’, and the local management console.

The second vulnerability is in Moxa’s MXview network management software, and allows an attacker to retrieve the private key for the server.  Obtaining the cryptographic private key would allow the attacker to decrypt files and traffic.  The flaw is considered severe enough for DHS to have issued an advisory on April 5.  This follows a flaw in the same product discovered in January, which allows attackers to use an “unquoted search path” in order to execute code or gain access to files on the server.

First and foremost, it is important to deploy ICS devices on an isolated network segment to ensure that they are not accessible from the Internet.  InGuardians recommends that you deploy ICS networks and devices behind firewalls and other network controls, isolating them from the business network.  InGuardians also recommends performing routine risk assessments to ensure that controls and audit measures are working properly.

As for these specific vulnerabilities, Moxa released patches last week (link in the Additional Resources below).

Additional Resources
DHS advisory:

NCCIC document on recommended practices for securing ICS

* Moxa MXview advisory:

* Moxa MXview site:

* Moxa AWK-3131A

*N.B. the Moxa site is badly designed, with no clear and easy way to view security updates and advisories.

04/02/2018 Drupal CMS High-Critical Remote Code Execution Vulnerability

Security researchers have discovered and publicly released several highly critical Remote Code Execution (RCE) vulnerabilities in Drupal versions 7 through 8.5, as well as the end-of-life version 6. Due to the serious nature of these remote code execution vulnerabilities, Drupal has released patches for older, unsupported versions including version 6.

The Drupal Content Management System (CMS) powers 6% of the 10,000 most popular public web sites. Over 647,000 publicly-accessible web sites use this software. This may increase the risk that bad actors may either quickly attack companies running Drupal or will create and release malware targeting this software.

Remote code execution vulnerabilities like these allow an attacker to execute code of their own choosing on an unpatched installation. This could ultimately result in full system compromise and/or allow the attacker to move laterally to compromise other machines, including those on internal network segments.

InGuardians often finds that organizations do not have an accurate inventory of Internet-facing hosts or the applications which they host.  In these cases, application vulnerabilities are particularly challenging to defend, as it is impossible to update software that isn’t known to the patch management staff.

Unless Drupal CMS versions are updated to 7.58 or 8.51, it is possible for an attacker to gain full control of the affected system. Drupal CMS version 6 permits the same behavior unless patched against SA-CORE-2018-002. Depending on the attacker’s skillset, as well as the defender’s level of network segmentation, it is possible that an attacker could take full control of the defender’s infrastructure.

InGuardians recommends immediate patching of the Drupal content management system (CMS) across all versions. Until such time as a patch can be applied, InGuardians recommends that affected organizations severely restrict access to a few trusted IP addresses. This restriction should be used only to perform the appropriate upgrades and patches before restoring full access.

This is also the perfect opportunity to undergo an aggressive look at internet-facing resources in order to develop an accurate inventory, with the intent of finding previously unknown assets including Drupal.  Upon completion of internet-facing asset discovery, InGuardians recommends performing a similar discovery on internal network segments.

Additional Resources 
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002
FAQ about [Security Advisory] SA-CORE-2018-002
[Content Management System] CMS Usage Statistics

03/28/2018 Municipal governments battle cyber attacks.

The Georgia cities of Atlanta and Loganville are the latest victims in an ongoing trend of attacks on municipalities. First, on Thursday, March 22nd, the City of Atlanta announced that its networks had been shut down due to a ransomware attack. At the time of this posting, the city is working with the FBI and the Department of Homeland Security, as well as external partners from Microsoft and Cisco’s cybersecurity response team, to investigate the situation.

The City of Loganville (a suburb of Atlanta), announced on Monday, March 26th on its Facebook page that an external threat actor had successfully perpetrated a breach of an internal server. The Loganville breach may not be related to that of Atlanta.

In Atlanta, the ransomware has cut off electronic access to court records, while many departments are using pen and paper to perform their duties. Many city services, such as electronic bill pay, are still unavailable to city residents. As a precautionary measure, the public wireless network (Wi-Fi) at Hartsfield-Jackson airport has also been suspended.

Evidence suggests the Atlanta malware is SamSam, which has been seen in other attacks targeting governments, like the one that occurred at Colorado’s state Department of Transportation. In particular, the letter shared by local media during the early stages of the ransomware infection in Atlanta is clearly a SamSam ransom note. The wording — including typos — is identical to the examples shared by researchers working for Cisco’s Talos group earlier this year. The only difference was the directory where the contact portal is hosted.

Once attribution to SamSam became public knowledge, the SamSam group deleted the contact portal that the city of Atlanta would use to make payment. Given the SamSam group’s actions, it isn’t clear if payment is even possible now. While it is possible other portals exist for the systems infected in Atlanta, the city hasn’t released any technical details to the public.

In Loganville, the breach is believed to have exposed personally identifiable information (PII), such as social security numbers, to the attacker.

InGuardians echoes the sentiments of the newly elected Atlanta Mayor who is quoted as saying, “this is bigger than a ransomware attack, it’s an attack on government and therefore an attack on all of us.”

It is increasingly apparent that organizations must make the resources available and establish effective policies and preventative measures to strengthen their security postures in order to mitigate these threats.

InGuardians recommends that all leaders of municipal governments view themselves as a likely soft target and create internal Information Security programs to address the emerging threats. We also recommend that all business leaders continue to follow this case for lessons learned, such as:

  • Do not leave Remote Desktop Protocol (RDP), Windows Server Message Block (SMB), Secure Shell (SSH) or Telnet available to the Internet – use VPNs and firewall white lists
  • Confirm that no operating systems use SMB version 1
  • Apply Windows group policy objects (GPOs) to harden government systems uniformly
  • Do not allow users to have local administrative privilege on their desktop machines
  • Make sure that all patches are deployed quickly – malware victims have lost a race with an attacker

Additional Resources

Small Towns Confront Big Cyber Risks (GovTech)

Atlanta Working “Around the Clock” to Fight Off Ransomware Attack (NPR)

We Are a Resilient City – Atlanta Works to Move Forward Following Cyber Attack (11Alive)

Metro Atlanta City Reports Its Own Data Breach (Atlanta Journal Constitution)–politics/metro-atlanta-city-reports-its-own-data-breach-warns-customers/GsK565pH9L8y3GOk0NvERI/

Atlanta’s Computers Crippled by Ransomware – Issues Unresolved After 4 Days (SmartCities Dive)

03/19/2018 New DHS alert on breaches of power grid and other control systems


Disabling safety or security controls invalidates risk assessment and mitigation. It won’t matter whether the control was disabled by a hacker or by an employee.

New information is surfacing about the breach of control systems first identified in August 2017. One conceptual flaw and one implementation or operating error combined to defeat safety systems and shut down systems.

In a SCADA environment, the Triconex system is a sound concept, using triple-redundant comparison of signals as a check of proper operating conditions. If one of the three is different, the system enters a safety condition with appropriate alerts and changes. That could mean opening valves to increase cooling, or shutting fuel valves to stop machinery. The firmware of the controllers can, of course, be updated.

To ensure security, a physical switch is used to change it from “read only” to “read-write” for updates. A variety of implementation factors, from remote locations to limited personnel managing large automated systems, may have contributed to operators leaving systems in read-write. In at least one case, one of the maintenance management computers was compromised allowing hackers access to now fully modifiable controllers. In another case, the SCADA system was on a larger network and not properly isolated from external connections leaving it vulnerable to external penetration.

Remote network access to systems enabled hackers to destroy hard drives inside the company’s computers, wiping their data clean (NYT). It also appears that only an error in the attack code prevented physical damage and possibly explosions.


InGuardians’ clients may be at LOW risk for the specific attacks used against these Industrial Control Systems (ICS).

However, the broader issue of increased risk from “work-arounds,” which inevitably occur in every business, may be negating what you think is in place for risk mitigation. The focus is NOT on malicious employees, but on those trying to succeed in the face of unintended policy conflicts. Too few people required to do detailed checks on too many systems, too widely separated or remotely located, is only one of the sorts of situations that creep into daily operations.


Review ACTUAL operating conditions and procedures compared to policy. Third party audits or interdepartmental audit teams provide fresh perspectives.

Think more like an attacker. Be less sure – “my door is locked, I can relax” – and more – “the door has a lock but how would it get picked? Broken? Simply evaded?  If it was picked, how would I know”.  Red Teams don’t simply do set penetration tests, but use creative thinking to find the unexpected gaps, the new approaches. Those attacking your systems don’t have any rules.

Additional Resources




03/12/2018 Dofoil trojan variant used to install cryptocurrency-mining malware

Microsoft’s Windows Defender Research group identified a new variant of the Win32/Dofoil remote access trojan which installed a cryptocurrency miner for Electroneum (ETN) coin.


The impact of this trend is severe, due in part to the trojan’s ability to download and execute code on command. The Dofoil family of trojans gives the attackers full command and control of the compromised system. In addition to crypto mining, the trojan has previously been used to install ransomware and other malicious code.

In this latest attack, Dofoil used a technique known as process hollowing: it starts a new instance of the legitimate explorer.exe binary and replaces that process’s in-memory code with the malware, so the malicious code runs under the name of a trusted Windows process.

Many attackers are using cryptocurrency mining as a major revenue stream. During the WannaCry outbreak, at least two other groups used the same exploits to install crypto miners and subsequently earned millions of dollars (far better than the WannaCry authors fared).


InGuardians recommends having a robust segmented network, with good instrumentation of inbound and outbound traffic.  Organizations can use network and host monitoring tools that identify unusual behavior and activity to help identify and contain malware outbreaks.  Some of the tools that can be used for detection and containment are Bro, Snort, and Windows Defender. Many anti-malware and threat protection services claim to detect and protect against cryptocurrency miners.

Detection of cryptocurrency miners is typically done by identifying the installation, code injection, or persistence mechanisms, as well as the coin mining itself.  While the miners that we are discussing here are hidden in running processes, there are many implementations of JavaScript miners that run in browsers.

In addition to segmentation and instrumentation, InGuardians recommends having solid backup and recovery solutions in place.  These should be tested on a regular basis, with verification of the recovered systems.
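The traffic side of the detection described above, as an added example that is not part of the briefing: a port-agnostic scan of captured payloads for the Stratum JSON-RPC methods miners use to talk to their pool. The method names are from the Stratum protocol; the flow records and their addresses are constructed for this example.

```python
"""Flag cryptocurrency-mining (Stratum) traffic in captured network payloads.

Added example, not the briefing's own tooling. Stratum is the newline-delimited
JSON-RPC protocol most miners use to reach a pool; the method names below are
from that protocol, and SAMPLE_FLOWS is constructed data, not a real capture.
"""
import json

# Classic Stratum (Bitcoin-style pools) uses a "mining.*" method namespace.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}

# Cryptonote-style pools (Monero, Electroneum) use login/submit/getjob with
# a dict of params that usually carries the miner's "agent" string.
CRYPTONOTE_METHODS = {"login", "submit", "getjob"}


def stratum_indicators(payload):
    """Return the set of indicator strings found in one captured payload (bytes)."""
    found = set()
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith(b"{"):
            continue  # not a JSON object: ordinary traffic
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        method = msg.get("method")
        params = msg.get("params")
        if method in STRATUM_METHODS:
            found.add("stratum:" + method)
        elif method in CRYPTONOTE_METHODS and isinstance(params, dict):
            agent = params.get("agent", "unknown-agent")
            found.add(f"cryptonote:{method}:{agent}")
    return found


def scan_flows(flows):
    """Scan flow records (constructed shape: src, dst, dport, payload) and return hits.

    Inspection ignores the destination port on purpose: pools listen on
    arbitrary ports, including 443, so a port-based rule alone misses them.
    """
    hits = []
    for flow in flows:
        indicators = stratum_indicators(flow["payload"])
        if indicators:
            hits.append({"src": flow["src"], "dst": flow["dst"],
                         "dport": flow["dport"], "indicators": sorted(indicators)})
    return hits


# Constructed sample flows using documentation address ranges; the wallet and
# agent strings are placeholders, not indicators from any real incident.
SAMPLE_FLOWS = [
    {"src": "10.0.5.23", "dst": "203.0.113.10", "dport": 3333,
     "payload": b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}\n'
                b'{"id": 2, "method": "mining.authorize", "params": ["wallet.worker1", "x"]}\n'},
    {"src": "10.0.5.40", "dst": "198.51.100.7", "dport": 443,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                b'{"login":"etn-wallet-placeholder","pass":"x","agent":"XMRig/2.5.0"}}\n'},
    {"src": "10.0.5.41", "dst": "198.51.100.9", "dport": 443,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: 198.51.100.9\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(f'{hit["src"]} -> {hit["dst"]}:{hit["dport"]} {hit["indicators"]}')
```

Encrypted pool connections (TLS on 443) hide the payload, so this check is for plaintext captures; the segmentation and egress monitoring recommended above still catch the connection itself.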

Additional Resources

Win32/Dofoil (Microsoft Windows Defender Security Intelligence)

DoFoil: Crypto-mining Malware Outbreak Infects 500,000 Computers In One Day (Newsweek)

The State of Malicious Crypto-mining (MalwareBytesBlog)

03/05/2018 Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October

On Wednesday, Trustico (a Symantec reseller) triggered the revocation of roughly 23,000 SSL/TLS certificates, in advance of April and October’s certificate disruptions on any certificate sold under the brands Symantec, GeoTrust, Thawte, and RapidSSL.

While the April deadline for Symantec, GeoTrust, Thawte and RapidSSL certificates looms, Trustico’s method of revocation has caused further concern. Trustico wanted to move its customers from roughly 50,000 Symantec-provided certificates to new ones provided by Comodo. DigiCert, which had purchased Symantec’s certificate business, initially refused, on the basis that it would only revoke so many certificates in the case of a security breach. Trustico’s CEO then e-mailed 23,000 certificates’ private keys without encryption to DigiCert, thus creating a breach. The breach was compounded when a remote code execution vulnerability was found in Trustico’s website.

This situation calls into question Trustico’s practices as a certificate reseller. First, certificate vendors should not retain private keys. Second, Trustico’s choice to e-mail private keys put all communications using those keys at risk and may have failed to give customers the opportunity to replace the certificates before this risk window.

Any organization using one of the revoked Trustico-resold Symantec SSL certificates has lost the integrity of HTTPS connections to any server using that certificate. Users will generally see an untrusted connection error immediately, and many will understand that a problem exists. Further, any organization using a Symantec certificate, including those branded as GeoTrust, Thawte and RapidSSL, will face a similar problem on April 17th or in October, at which point Google’s Chrome and Mozilla’s Firefox browsers will begin stating that the certificates are untrusted. See the schedule below (under “Recommendations”) for more detail.

InGuardians strongly recommends that organizations audit their SSL/TLS certificates, determining which have been provided by Symantec, GeoTrust, Thawte and RapidSSL. Staff should replace every certificate provided by these companies well before the following deadlines:

April 17th: Certificates issued before June 1, 2016 will not work with Chrome 66.

May: Certificates issued before June 1, 2016 will not work with Firefox 60.

October: Certificates will no longer be trusted, as of Firefox 63.

October 23rd: Certificates will no longer be trusted, as of Chrome 70.

Organizations can use a number of tools to check their SSL/TLS certificates, whether for their web servers or their other SSL/TLS-enabled services. The popular open source tool nmap will display information about the certificate enabled on one or more ports, like so:

nmap -v -sT -p 443 --script=ssl-cert <target-host> | egrep '(Issuer|valid)'
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US/
| Not valid before: 2018-01-25T00:00:00
| Not valid after:  2019-02-24T12:00:00
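The same triage in script form, as an added example that is not part of the briefing: classify_cert() applies the brand names and the June 1, 2016 cutoff from the schedule above to the dict shape Python’s ssl.getpeercert() returns, and fetch_cert() collects that dict from a live port. The target list is a placeholder, the sample certificate dict is constructed to mirror the nmap output, and the brand match is coarse (a hit should be confirmed against the issuing CA’s own guidance).

```python
"""Triage TLS certificates against the deadlines in this briefing.

Added example (not the briefing's own tooling); Python standard library only.
classify_cert() takes the dict shape ssl.SSLSocket.getpeercert() returns, so it
can be checked on constructed data; fetch_cert() makes a live connection.
"""
import socket
import ssl
from datetime import datetime, timezone

# Certificate brands the briefing says are on the distrust schedule.
AFFECTED_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")

# Certificates issued before June 1, 2016 hit the earlier deadline.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
EARLY = "April 17 (Chrome 66) / May (Firefox 60)"
LATE = "October (Firefox 63) / October 23 (Chrome 70)"


def issuer_fields(cert):
    """Flatten getpeercert()'s issuer tuple-of-tuples into a plain dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def classify_cert(cert):
    """Return (affected, deadline) for one certificate dict.

    affected is True when the issuer CN or O mentions an affected brand (coarse
    triage); deadline is the briefing's deadline text that applies, else None.
    """
    issuer = issuer_fields(cert)
    text = " ".join(issuer.get(k, "") for k in ("commonName", "organizationName")).lower()
    if not any(brand in text for brand in AFFECTED_BRANDS):
        return False, None
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                    tz=timezone.utc)
    return True, (EARLY if issued < CUTOFF else LATE)


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate presented on host:port (live network call).

    The default context verifies the chain, so a certificate the local trust
    store already rejects raises ssl.SSLCertVerificationError; such a host
    needs attention regardless of the schedule.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def triage(certs_by_target):
    """Map {(host, port): cert dict} to a list of (host, port, deadline) hits."""
    report = []
    for (host, port), cert in certs_by_target.items():
        affected, deadline = classify_cert(cert)
        if affected:
            report.append((host, port, deadline))
    return report


# Constructed sample mirroring the nmap output above; not a real capture.
SAMPLE_GEOTRUST_2018 = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "GeoTrust RSA CA 2018"),)),
    "notBefore": "Jan 25 00:00:00 2018 GMT",
    "notAfter": "Feb 24 12:00:00 2019 GMT",
}

if __name__ == "__main__":
    # Placeholder target list: replace with your own hosts and every TLS port.
    targets = [("www.example.com", 443)]
    collected = {t: fetch_cert(*t) for t in targets}
    for host, port, deadline in triage(collected):
        print(f"{host}:{port} affected; replace before {deadline}")
```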

Organizations should be careful to check all ports on a system, and not just the standard service ports for SSL/TLS.

Additional Resources
Google: “Chrome’s Plan to Distrust Symantec Certificates”

Mozilla: “CA:Symantec Issues”

DigiCert: “How do you handle mass revocation requests?”

Trustico® Abandons Symantec® SSL Certificates

02/26/2018 Increased attacker focus on exposed cloud services, specifically AWS Simple Storage Service (S3) Buckets


Amazon’s cloud-based Simple Storage Service Buckets, colloquially referred to as “S3 Buckets”, have been a recent focus of attackers and security researchers.  With the advent of new open source and publicly-available tools to search for improperly configured S3 buckets, bad actors and information security firms have found many cases where the buckets’ owners have inadvertently granted access to every user on the Internet.
Internet-accessible S3 buckets have multiple risks. In cases of world-wide read-only access, the discoverers have found personally-identifiable information (PII) and other sensitive data. In at least one case of world-wide write access, the discoverer found a production website hosting content directly from the bucket, such that any Internet user could alter the website’s content.  A bad actor could drastically change the overall presentation of the site and would likely add hostile JavaScript code that would run in every visitor’s browser, including key-loggers or crypto-coin mining clients. When discovered, this could ultimately reduce customer faith in the company owning the S3-backed site.
In moving to cloud-hosted services, many organizations have failed to heed widespread warnings with this message:
Organizations must secure and monitor cloud-based services just as strongly as with traditional on-premise infrastructure.


Impact from exposure of Amazon S3 is varied, depending on an organization’s adoption and configuration of Amazon’s cloud-based storage infrastructure:

Known adoption of Amazon S3: The risk level varies from low to critical, depending on individual bucket configuration for read/write access, granularity of defined accesses, types of content stored, and use cases for the stored content. The overall level of risk would be determined by these factors and will be different for each individual bucket within an organization’s cloud infrastructure.

No known adoption of Amazon S3: The current risk is undefined, and merits analysis to identify whether your organization is using S3; if it is, see above.


InGuardians recommends performing a self-assessment of existing S3 Buckets using currently available tools, such as AWSBucketDump and BuckHacker.  Results of these tools should then undergo a thorough inventory and risk analysis.

In addition to these open source tools, Amazon makes the AWS Trusted Advisor tool available to customers with a Business or Enterprise-level support plan. Trusted Advisor can analyze an AWS environment, including its S3 buckets, and make best practice recommendations.
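The inventory and risk analysis recommended above, as an added example that is not part of the briefing and not the output of AWSBucketDump, BuckHacker or Trusted Advisor: it rates a bucket on a low-to-critical scale from the ACL grants and bucket policy that S3’s GetBucketAcl and GetBucketPolicy calls return. The mapping of exposure to risk level is this example’s own; the sample ACLs and policy are constructed, and the live audit assumes boto3 with working credentials.

```python
"""Classify an S3 bucket's exposure from its ACL grants and bucket policy.

Added example (not the briefing's tooling, nor AWSBucketDump/BuckHacker).
The pure functions take the JSON shapes S3 returns for GetBucketAcl and
GetBucketPolicy and run offline; audit_account() needs boto3 and credentials.
"""
import json
from fnmatch import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WORLD_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

# ACL permissions / policy actions that let a stranger change content or the policy.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketAcl", "s3:PutBucketPolicy")
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def acl_exposure(acl):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups in a GetBucketAcl body."""
    out = {name: set() for name in WORLD_GROUPS.values()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS:
            out[WORLD_GROUPS[grantee["URI"]]].add(grant["Permission"])
    return out


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the policy forms that mean anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_exposure(policy):
    """(unconditional, conditional) sets of actions the bucket policy allows to anyone."""
    unconditional, conditional = set(), set()
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        # A Condition (e.g. aws:SourceIp) may narrow "anyone", so report those separately.
        (conditional if stmt.get("Condition") else unconditional).update(actions)
    return unconditional, conditional


def _allows(granted, wanted):
    # Granted actions may be patterns such as "s3:*" or "s3:Put*".
    return any(fnmatch(w, g) for g in granted for w in wanted)


def risk_level(acl, policy=None):
    """Map exposure onto a low-to-critical scale (this mapping is the example's own)."""
    groups = acl_exposure(acl)
    public, conditional = policy_exposure(policy)
    world = groups["AllUsers"] | groups["AuthenticatedUsers"]
    if world & WRITE_PERMS or _allows(public, WRITE_ACTIONS):
        return "critical"  # any Internet user can alter content or the access policy
    if "READ" in world or _allows(public, READ_ACTIONS):
        return "high"      # any Internet user can list or read objects
    if world or conditional:
        return "medium"    # e.g. READ_ACP only, or anonymous access narrowed by a Condition
    return "low"


def audit_account():
    """Live inventory of every bucket in the caller's account (boto3 assumed installed)."""
    import boto3  # imported lazily so the offline functions work without it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None
        report[name] = risk_level(s3.get_bucket_acl(Bucket=name), policy)
    return report


# Constructed samples (not real buckets): a world-writable ACL and a static-website policy.
OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}
PUBLIC_WRITE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
WEBSITE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

Object-level ACLs and the account-wide Block Public Access settings are not covered here, so a "low" rating is a starting point for the inventory, not a clean bill.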

Additional Resources

Tesla Cryptojacked by Currency Miners

AWSBucketDump, an Open Source S3 Bucket Search Tool

BuckHacker, an S3 Search Engine

AWS S3 Documentation: Which Access Control Method Should I Use?

AWS Trusted Advisor

02/20/2018 Theft of Newtek domains is a reminder to stay vigilant


Last week a web services company (Newtek) responsible for hosting over 100,000 e-commerce based websites and email servers had three of its core domains stolen.  These domains originally hosted software that allowed customers of these services to manage their websites.

The attackers then replaced the application that users would normally use to manage their websites with their own application, in the form of a live-chat service. When users logged in, they believed themselves to be chatting with a helpful admin, when in fact they were communicating with the attacker.


The full impact of this is still being determined.  However, corporate email for many of their customers became unavailable, business websites no longer resolved, and sensitive information was most likely communicated to the attacker.


InGuardians recommends that all businesses consider domain hijacking as a potential event in their Business Continuity Plans (BCP).  It’s important to stay vigilant in ensuring continued ownership of domains. It’s also important to have plans to use secondary domains for web and email traffic in the event of having lost ownership of a domain.

InGuardians recommends building your own capabilities to gather counter-intelligence and to proactively monitor your organization’s digital footprint. Consider scripts or services for monitoring DNS changes to the domains that you control.


Wikipedia lists these options as a means to prevent an unwanted domain transfer:

  • Use strong email passwords and enable two-factor authentication if available.
  • Disable POP if your email provider is able to use a different protocol.
  • Tick the setting “always use https” under email options.
  • Make sure to renew your domain registration in a timely manner – with timely payments and register them for at least five (5) years.
  • Use a domain-name registrar that offers enhanced transfer protection, i.e., “domain locking” and even consider paying for registry locking.

Additional Resources

02/12/2018 Smart devices add exposure and threat during a breach and are a source of intelligence and forensic data during incident response.

A common challenge in any incident response is figuring out how access was gained, which vulnerability or exploits were used, and how to prevent recurrence. Many breaches are not single events, but the end of a longer series of probes, penetrations, and exfiltrations. The reality is that we are often dealing not with “a breach,” but a series of incidents that can have been going on longer than many realize.

The explosion of smart devices creates many more opportunities not only to reveal information, but for attack vectors. A “phishing” email might be read on an employee’s cell phone and not directly breach a corporate system. But, it might install malware on that phone so the next time it is in WiFi or Bluetooth proximity of a business network the malware starts searching for new opportunities. This shifts what would have been an external penetration to an internal one.

The specific impact to InGuardians customers is relatively low.

The real challenge is in mapping the many additional connections to your networks, and identifying where such connections are logged – if at all. You cannot effectively investigate the cause or source of a breach if you do not have a clear record of the network.

InGuardians recommends regular review of network architecture as it develops, not merely as planned. Systems and connections often grow organically and in creeping increments, and too often expedient solutions are imperfectly documented. It is important to know what the network looks like today, to know where device access logs are stored, and whether they have ever been reviewed.  InGuardians highly recommends robust egress filtering and monitoring.

InGuardians also recommends reviewing the policy for the devices managed by your organization.  Secretary of Defense Mattis is reconsidering DoD’s policies for every personal electronic device that “transmits a two-way signal”.  That’s much more than just cell phones, but you should at least know WHAT you allow.

Additional Resources

02/05/2018 Strava heatmap exposes sensitive military bases, invoking the law of unintended consequences.

Something as innocuous as a running application paired with cloud access and GPS location data allowed users to identify sensitive military and government bases and users.  The Guardian newspaper used a script to generate GPS data to upload to a Strava account.  Following this, they used the application to find other users that also do the same run.  The runs matched sensitive locations such as military installations and classified government facilities.  They identified 50 users by name.

With so many interconnecting devices, where is the boundary of your data? If you don’t know where your data is, and where it goes, you cannot secure it. With multiple devices providing cloud or syncing functionality, the ease with which data can unintentionally leak out of the environment is astounding.

Impact from the Strava heatmap to InGuardians customers is relatively low.  The issue does present us with the conundrum of securing our data, performing operational security, and still being able to use that data and the many applications that have become intrinsic to our businesses.   

InGuardians’ primary recommendation is to analyze the potential exfiltration threats that applications pose, and to create policy to deal with these accordingly. Some examples of applications and policies in this arena would be: social media use policy, onsite photography or mobile phone use, or modifying the metadata.

InGuardians also recommends implementing a Mobile Device Management (MDM) solution to enforce policy onto the devices managed by your organization.  Implementing steps in order to lock down functionality on these devices based on your internal processes and policies is critical.  Unknown, unmanaged devices should not be allowed on your network.  The larger concern goes beyond “Strava” and may include data that is gathered but not publicly mapped.

Additional Resources

Strava Heatmap and related articles


07/25/2017 Mac malware (FruitFly) that was detected and patched in January is still making the rounds, according to a Black Hat presenter.

In January, malware that infects Mac OS X was detected impacting organizations performing research in the biomedical field.  This malware leveraged old functions that have been around in OS X for many years.  The main goal of the malware appears to be surveillance, given that it captures screenshots, accesses the webcam, and reportedly performs key logging.

Apple released a patch for this issue in January when the malware was first detected. Many news outlets are incorrectly reporting that there is no known way to detect this malware. However, almost all major AV companies have signatures to detect FruitFly.

According to the BlackHat presenter, the recent infections appear to be mostly home users.  This is likely due to the fact that all properly licensed versions of OS X have been patched by Apple through a behind-the-scenes update mechanism, as of January.

The impact of this particular issue is low at the moment.

Even with a low impact, the detection of this malware is a reminder to practice good opsec (operational security) and keep built-in webcams covered unless in use.  Also, it is a reminder that even Apple systems can be vulnerable to malware.

InGuardians recommends that organizations ensure that all operating systems are licensed and up-to-date with all relevant security patches. InGuardians also recommends that organizations deploy endpoint security products to properly monitor all operating systems, including Apple products.

Additional Resources

07/17/2017 Kaspersky anti-virus removed from two GSA Schedules

Kaspersky Anti-Virus (AV) has been removed from two GSA (Government Services Administration) schedules, due to concerns that the Kremlin may use Kaspersky products to compromise US Government computers.

A commonly used anti-virus product has been banned for purchase by any U.S. Government agencies which use GSA schedules 67 and 70.  While the US government has not yet banned Kaspersky products already purchased, or those purchased outside the GSA schedule, the Senate version of the 2018 defense bill places a blanket ban on Kaspersky products.  This bill has not yet been passed.   Many government and private organizations receiving funding from the U.S. or state governments are required to make such purchases via the GSA schedule.


This ban limits further acquisition of Kaspersky AV by those organizations required to follow GSA.  However, many organizations may already have this product entrenched within their infrastructure.  Still, organizations which are not required to adhere to the GSA schedule may decide to follow suit with the GSA’s ban on Kaspersky AV.  Organizations may have many questions on how to move forward.


Hold tight. There is a significant amount of posturing and saber rattling on the geopolitical stage at the moment. A number of independent research organizations are currently examining Kaspersky’s software, and reports should be forthcoming.

InGuardians recommends that organizations not rely solely on one vendor’s solutions for security products. Organizations should evaluate multiple providers and select only those with which they can form a trusted relationship. In the event that trusted relationship becomes compromised, the organizations should have contingency plans which enable the removal and selection of a new vendor without losing coverage. Most of our clients favor endpoint protection, in addition to layered application and network defenses, over traditional anti-virus.

Additional Resources

07/10/2017 DHS & FBI warn of attacks against US energy & manufacturing companies and employees

DHS and the FBI released a TLP:AMBER report warning US energy sector and manufacturing companies about ongoing cyber operations.  These operations include sophisticated physical and cyber attacks, as well as activities targeting employees and operators with the aim of infiltrating air-gapped networks.

Our customers in the energy sector have seen scanning and attacks increase in the last month, but one interesting twist about the report is the targeting of individual employees in order to infiltrate secure networks. Many details regarding the attacks are now known to the public, in part because an irresponsible organization shared a TLP:AMBER report with the press. The approach of going after operators and employees to target secure networks is reminiscent of how GCHQ hacked into Belgacom’s NOC.

This warning comes almost one month since Robert Lee and his team at Dragos released their research on the CRASHOVERRIDE malware, along with ESET’s analysis of Industroyer. Keep in mind that Robert Lee will be presenting details on CRASHOVERRIDE at Black Hat in just a few weeks.

Your key operations and security staff should be trained in operational security (opsec). Include physical security tests and targeting specific roles and personnel as part of your routine security assessments.

Additional Resources

News regarding recent hacking of nuclear plant:

Historical piece on GCHQ targeting Belgacom employees:

07/03/2017 Wiperware disguised as ransomware strikes globally, taking advantage of unpatched systems and flat networks.

The recent wave of supposed ransomware attacks, NotPetya, spread rapidly due to non-segmented (“flat”) networks after its initial infection. It is reported to have first hit the Ukraine and subsequently spread internationally. Many of the targets that reported infection are industrial, financial, health or other components of critical infrastructure.

Whereas the Petya ransomware that first emerged last year was actual ransomware, the variant that wormed its way through non-segmented (“flat”) networks in June 2017 (NotPetya) does not allow for decryption of the data.  As such, InGuardians classifies this as wiperware.

NotPetya uses many different vectors to infect and perform subsequent infections.  Even though it does use the NSA exploits EternalBlue and EternalRomance that were addressed by Microsoft security update MS17-010, NotPetya also leverages many other vectors of attack.  It includes mimikatz, with that tool’s LSADump module.  This is used for recovering passwords with the aim of gaining administrative access locally and eventually at the domain level. NotPetya also uses PSExec as a means of subsequent infection, as well as WMI calls.

Many people responsible for network security claim that they thought they were patched against the NSA exploits. It’s key to note that NotPetya has multiple initial infection vectors, including phishing. Even if one of the NSA exploits became the vector of initial infection on an unpatched machine, the other vectors of subsequent infection allow it to spread unhindered through flat networks, full of otherwise patched systems.

Infections of NotPetya spread rapidly across non-segmented, or “flat,” networks, stealing credentials and leveraging privileges and trust.  The technical result is mangled data on infected systems.  This data is unrecoverable.  The business impact has been a shutdown of operations in many of the impacted targets.

The one common issue that allows the spread of NotPetya is networks that are not segmented with access control.  Logically segmented networks are still considered flat networks, as they lack access controls.  When access controls restrict traffic from traversing network segments, hosts are well isolated and this stymies infections of this type, containing them to a single host or portion of the network.

InGuardians recommends implementing restrictive access controls at the network level and isolating hosts using host-based firewalls or Private VLANs. InGuardians also recommends using Group Policies within Microsoft Active Directory to lock down endpoints and implement the Principle of Least Privilege, preventing the lateral spread from affected, internal systems.  These tactics are highly recommended to defend against modern malware attacks like NotPetya.

Additional Resources
Setting up Private VLANs

Implementing the Principle of Least Privilege within Various Versions of Windows

06/26/2017 Three Drupal updates patch critical vulnerabilities

One of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution.

Drupal is one of the most popular content management systems in use, and the vulnerability described in CVE-2017-6920 gives an attacker the same capabilities on the system as Drupal itself.
This vulnerability is in the PECL YAML parser, and is related to a bug found recently in PHP.  PHP updated their documentation alerting developers to not pass unsanitized user input to these functions, which did not “fix” the vulnerability.
Drupal updated their code, changing the way they pass input to the affected functions, and is no longer vulnerable to this attack vector.
YAML parsing vulnerabilities have led to quick widespread exploitation in the past, in multiple web frameworks and languages, and are thus considered quite dangerous.

Recent high-profile website hacks and defacements emphasize the need to check your content management system implementation and ensure it is up to date.

  • Tactical recommendation: If your organization has deployed Drupal, update to Drupal 8.3.4 or Drupal 7.56, as both branches include the fixes for these vulnerabilities.
  • Strategic recommendation: Consider using a static publishing script to separate your editing/publishing platform from your delivery system. This allows your team to reap the benefits of a content management system, and couples it with the security of a static site. WordPress, Drupal and other popular systems have static publishing plugins or scripts.
Additional Resources
Drupal update:
CVE Entries for the three Drupal vulnerabilities:
Example static publishing plugins:
06/19/2017 Nation states in the ransomware business


Nation states are now confirmed to be using ransomware campaigns to fund state coffers. The British National Cyber Security Centre (NCSC) reported this week that the WannaCry ransomware attack was launched from North Korea. This follows the United States National Security Agency (NSA) assessment with the same conclusion. Security experts believe that the attack was launched by the Lazarus Group, tied to the government in Pyongyang.

This revelation further emphasizes the need for full backup, recovery and continuity plans to be tested and refreshed. While most of our customers have robust patching, backup and recovery processes in place, we see from news reports the impact WannaCry had on critical production networks. Many organizations have lost their data, or access to critical systems, while being locked out during a ransomware attack; e.g., British National Health Service systems were crippled during the WannaCry attack.

InGuardians recommends reviewing, testing and validating your patching, and backup/recovery processes.  Incident response capabilities should be tested as well, guided by an internal Red Team exercise designed to emulate the ransomware attack threat model.  InGuardians does not recommend paying for the return of your data.  See link below for new regulations that might impact the practice of paying your way out of ransomware.

Additional Resources

Articles related to this issue:

NIST Incident Response:

Bitcoin regulations to prevent infosec companies from helping organizations pay ransom:

06/12/2017 Powershell scripts execute in Powerpoint without macros


Microsoft’s powerful native scripting language, Powershell, is able to execute inside a Powerpoint presentation without using macros.  This presents an issue for many organizations that rely on blocking macros or documents with macros to minimize the risk of compromise via Microsoft Office documents.


InGuardians RedTeam operators used this very technique to compromise one of our toughest clients just last week.  This is a very real threat posing risk to the information security of your organization.  Determine which controls and audit measures best fit your security posture and move swiftly to lock down this threat vector.


InGuardians recommends first determining whether systems need PowerShell. If it is needed, ensure PowerShell is up to date: older versions of PowerShell lack many of the security features that version 5 has. Take the necessary steps (outlined here: to detect PowerShell being used offensively on your systems.

Additional Resources

Excellent technical write-up on Powershell Security:

Recent article on this threat: