Healthcare

Security Breach


Another Indian Hospital Servers Down For 24 Hours Following Hack

Safdarjung Hospital of Delhi suffered a security breach less severe than AIIMS…

04-Dec-2022
3 min read

Related Articles


Exploit

RCE

vRealize

Horizon3's Attack Team warns of a new exploit that chains three critical vulnera...

Horizon3’s Attack Team has announced that it will release an exploit next week targeting a vulnerability chain in VMware vRealize Log Insight (now known as VMware Aria Operations for Logs) that allows remote code execution (RCE) on unpatched appliances. The researchers have warned [VMware](https://bit.ly/3eos6Sm) administrators that their exploit chains three of the four vulnerabilities recently patched by VMware.

## Vulnerabilities Patched in VMware vRealize Log Insight

[VMware](https://www.vmware.com/security/advisories/VMSA-2023-0001.html) recently patched four security [vulnerabilities](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the log analysis tool vRealize Log Insight. Two of them are critical, allowing attackers to execute code remotely without authentication. The first, CVE-2022-31706, is a directory traversal vulnerability that can be used to inject files into the operating system. The second, [CVE-2022-31704](https://nvd.nist.gov/vuln/detail/CVE-2022-31704), is a [broken access control flaw](https://bit.ly/3XI1MYv) that can also be exploited by injecting maliciously crafted files in RCE attacks. In addition, [VMware](https://bit.ly/3r4Ia2x) addressed a deserialization vulnerability (CVE-2022-31710) that can trigger a denial-of-service state, as well as an information disclosure bug (CVE-2022-31711) that can be exploited to access sensitive session and application information.

## Easy to Exploit, but Requires Infrastructure Setup

The researchers state that although the vulnerability is easy to exploit, the attacker must have some infrastructure in place to serve malicious payloads. Additionally, since vRealize Log Insight is not typically exposed to the internet, the attacker is likely to have already established a foothold elsewhere on the network.

## Only 45 Instances Publicly Exposed

According to Shodan data, only 45 vRealize Log Insight appliances are publicly exposed on the internet. This is to be expected, as these appliances are designed to be accessed inside an organization's network. However, it is not uncommon for threat actors to abuse vulnerabilities in already breached networks to move laterally to other devices, which makes these internal targets valuable.

This recent discovery of the [VMware vRealize Log Insight](https://www.horizon3.ai/vmware-vrealize-cve-2022-31706-iocs/) unauthenticated RCE exploit highlights the importance of timely patching and proactive security measures. The threat is a significant concern for organizations using this log analysis tool, as a successful attack gives the attacker complete control of the system.

![VMware vRealize Log Insight unauth RCE exploit.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/V_Mware_v_Realize_Log_Insight_unauth_RCE_exploit_fa86e67fc5.jpg)

***Exploiting Unauthenticated Remote Code Execution on VMware vRealize Log Insight by Horizon3 Attack Team***

It is essential to keep a close eye on the latest cybersecurity developments and implement the latest measures to evade such attacks. One such action is to utilize a comprehensive vulnerability management solution such as [ThreatSpy](https://bit.ly/3PV3C4M). This not only empowers the security and IT teams of any organization to stay ahead of the latest vulnerabilities and exploits, but it also adaptively addresses the issue by providing automated remediation solutions. With its heuristic approach, ThreatSpy ensures that organizations can proactively mitigate security risks and exploitable vulnerabilities, both known and unknown, to safeguard their systems from potential attacks. Sign up for a free trial to witness [Threatspy](https://bit.ly/3Woo7JN) in action!
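The directory traversal flaw described above belongs to a well-understood bug class: a file-write path built from a client-supplied name lets `..` segments or an absolute name land the file outside the intended directory. The following added example (illustrative Python, not vRealize Log Insight code; `UPLOAD_ROOT` is a constructed assumption) shows the naive join beside a hardened variant that refuses anything but a plain file name inside the root.

```python
import os
from pathlib import Path

# Constructed base directory for this example; a real appliance would use
# its own upload/config location (assumption, not vRealize Log Insight code).
UPLOAD_ROOT = Path("/var/app/uploads")


def vulnerable_target(user_name: str) -> Path:
    """Naive join that trusts the client-supplied name as-is.

    '..' segments walk out of UPLOAD_ROOT, and an absolute name makes
    os.path.join discard the root entirely. This is the bug class behind
    a path traversal file write, shown here as the 'before' of the fix.
    """
    return Path(os.path.join(str(UPLOAD_ROOT), user_name))


def escapes_root(path: Path, root: Path = UPLOAD_ROOT) -> bool:
    """True when the normalised path would land outside root.

    normpath collapses '..' without touching the filesystem; a deployment
    should additionally use os.path.realpath to defeat symlinks.
    """
    normalised = Path(os.path.normpath(str(path)))
    return root != normalised and root not in normalised.parents


def hardened_target(user_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Accept only a single plain file name; never 'clean' a bad one."""
    if (not user_name or user_name in (".", "..")
            or "/" in user_name or "\\" in user_name):
        raise ValueError(f"refused unsafe file name: {user_name!r}")
    candidate = root / user_name
    # Defence in depth: re-check the final path even after the name filter.
    if escapes_root(candidate, root):
        raise ValueError(f"refused path outside {root}: {candidate}")
    return candidate


def accepts(user_name: str) -> bool:
    """Convenience wrapper: does the hardened check accept this name?"""
    try:
        hardened_target(user_name)
        return True
    except ValueError:
        return False
```

The vulnerable function resolves `../../etc/cron.d/job` to `/var/etc/cron.d/job`, outside the root, while the hardened one rejects it before any write happens.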

30-Jan-2023
3 min read

DataWiper

Sandworm

Ukraine

Sandworm hackers strike again! Ukraine's national news agency targeted with a de...

A recent cybersecurity incident in Ukraine has brought to light the deployment of a cocktail of five different data-wiping malware strains on the network of the country's national news agency, Ukrinform. The Ukrainian Computer Emergency Response Team (CERT-UA) discovered the attack on January 17th, and as of January 27th, five samples of malicious programs had been identified. These programs aimed to violate the integrity and availability of information by overwriting files and disks with zero bytes or arbitrary data, before subsequently deleting them.

The list of destructive malware used in the attack includes CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD). Notably, two of the five strains, ZeroWipe and BidSwipe, are either new malware or are tracked by the Ukrainians under different names than those used by anti-malware vendors.

Further investigation by CERT-UA revealed that the attackers had gained remote access to Ukrinform's network around December 7th and waited over a month to launch the malware cocktail. However, their attempt to wipe out all the data on the news agency's systems was unsuccessful: the wipers only managed to destroy files on a limited number of data storage systems, which did not impact Ukrinform's operations.

CERT-UA has linked the attack to the Sandworm threat group, a hacking outfit believed to be part of Military Unit 74455 of Russia's Main Intelligence Directorate (GRU). Sandworm has previously been linked to other cyberattacks on Ukrainian organizations, including a failed attempt in April to target a large Ukrainian energy provider using a similar tactic: deploying the CaddyWiper data wiper to erase traces left by Industroyer ICS malware.

Since Russia invaded Ukraine in February 2022, multiple strains of data-wiping malware have been deployed on the networks of Ukrainian targets, including DoubleZero, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain. Furthermore, Microsoft and the Slovak software company ESET have also linked recent ransomware attacks targeting Ukraine to the Sandworm hacking group.

28-Jan-2023
2 min read

Cloud

Appsec

Hack

Uncover the shocking truth behind the TSA No-Fly List snafu and the risks of usi...

Recently, a hacker discovered a list of 1.5 million individuals on TSA's no-fly list on an internet-exposed server belonging to CommuteAir, an Ohio-based airline that supports United Airlines operations on regional flights. The incident highlights the risky practice of using production data and sensitive information in development environments.

The TSA list, which was [discovered](https://www.tsa.gov/travel/passenger-support/travel-redress-program#:~:text=TSA%20is%20among%20the%20U.S.,and%20over%20the%20United%20States) by Swiss hacker "Maia arson crimew" on a Jenkins open source automation server, contained the names of more than 1.5 million individuals that the US government has barred from flying due to security concerns. The list is made available to airlines worldwide to screen passengers intending to fly from, to, or over the US. Erik Kane, corporate communications manager at CommuteAir, described the leak as resulting from a misconfigured development server.

Security experts have long warned about the dangers of using production data in development and testing environments. Quality assurance teams and developers often use raw production data when testing, developing, or staging apps because it is faster and more cost-effective than generating test data. However, development and test environments typically lack the security controls of a live, production setting. This can lead to over-permissioning, a lack of network segmentation, poor patch management, and a general lack of awareness of data-privacy requirements. Many organizations have taken additional precautions, such as masking, obfuscating, or encrypting sensitive live production data before using it for testing or development. Even so, according to security experts, the practice of using raw production data and sensitive information in development and test settings remains rampant.

Patrick Tiquet, vice president of security and architecture at Keeper Security, advocates that organizations avoid using production data in non-production environments, no matter how benign the data might appear. He notes that exposing sensitive data can not only open an organization to litigation or regulatory trouble depending on the data, but it can also erode customer trust. The [TSA No-Fly List snafu](https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/) highlights the risk of keeping sensitive data in development environments. Organizations that permit the practice must recognize that many data-privacy regulations require covered entities to apply specific controls for protecting sensitive data, regardless of where it exists in the environment or how it is used. Using production data in a development environment could violate those requirements, and security teams need to be included in the setup and continuous management of DevOps servers.
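The masking the article recommends has a practical wrinkle: developers still need duplicate records and cross-table joins to behave as they do in production. The following added example (illustrative Python, not CommuteAir's or any vendor's code; the rows and field names are constructed) replaces identifying fields with keyed HMAC pseudonyms, so equal inputs stay equal across the data set while the originals cannot be recovered without the key, and adds a release gate that refuses an export in which any original value survives verbatim.

```python
import hashlib
import hmac
import json

# Constructed sample of "production" rows for this example (not real data).
PRODUCTION_ROWS = [
    {"passenger_id": 1001, "name": "Alice Example", "dob": "1980-04-12", "status": "flagged"},
    {"passenger_id": 1002, "name": "Bob Sample", "dob": "1975-09-30", "status": "clear"},
    {"passenger_id": 1003, "name": "Alice Example", "dob": "1980-04-12", "status": "flagged"},
]

# Fields that identify a person and must never reach a dev/test server as-is.
SENSITIVE_FIELDS = ("name", "dob")


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic token: same input and key -> same token.

    HMAC-SHA256 rather than a plain hash, so a dev-side attacker cannot
    confirm guesses ("is this token Alice?") without the key, which stays
    in the production environment.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_rows(rows, key: bytes):
    """Return a copy of rows with sensitive fields replaced by pseudonyms."""
    masked = []
    for row in rows:
        copy = dict(row)
        for field in SENSITIVE_FIELDS:
            if copy.get(field) is not None:
                # Field name is mixed in so a name and a date with the same
                # text never collide to one token.
                copy[field] = pseudonym(f"{field}:{copy[field]}", key)
        masked.append(copy)
    return masked


def leaks_sensitive_values(masked_rows, original_rows) -> bool:
    """Coarse release gate: True if any original sensitive value survives."""
    originals = {str(r[f]) for r in original_rows for f in SENSITIVE_FIELDS if f in r}
    blob = json.dumps(masked_rows)
    return any(value in blob for value in originals)
```

Rows 1001 and 1003 share a name and date of birth, so their masked values are identical and duplicate-detection tests still work in the dev copy; the gate returns True for the raw export and False for the masked one.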

27-Jan-2023
3 min read