Staying on top of cybersecurity news can seem like a daunting task in today’s rapidly-evolving world of cyber threats. That’s why we’re summarizing the most relevant cybersecurity vulnerabilities, advisories, and news for our many U.S. federal government customers. This post also offers insight on how customers can use Axonius to easily find devices affected by these vulnerabilities.
This advisory details vulnerabilities found in multiple real-time operating systems and supporting libraries. Those operating systems and libraries are widely used in IoT and medical devices, OT devices, and industrial control systems. Threat actors could exploit these vulnerabilities (dubbed BadAlloc) for remote code injection or execution.
The vulnerabilities in this advisory span 25 different RTOS products and versions. Manually identifying devices running these products and the affected versions would be time-consuming. There are many ways to discover devices with potentially vulnerable software using Axonius.
It’s likely you’d know which of the 25 affected products your organization owns and is running. This would help you narrow it down and take one of the above approaches to identifying the devices.
If you weren’t sure which products your organization had or wanted to double check, you could add all of these products and versions into a large complex query in Axonius. The results would bring back only the devices with the affected software and versions that you specify.
SonicWall published patches to mitigate three zero-day vulnerabilities affecting its hosted and on-premises email security products. An attacker could exploit these vulnerabilities (CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023) to take full control over a vulnerable system.
There are multiple ways to identify devices affected by the SonicWall vulnerabilities with Axonius. The vulnerabilities affect versions of SonicWall email security products earlier than version 10.0.9. To find devices running these versions of SonicWall, you could conduct a complex query, which means that all of the query parameters need to be true for the same installed-software entry in order for the query to return results.
For this complex query, you could select “Installed Software” and search for SonicWall and versions earlier than 10.0.9. If there are any devices running a SonicWall version earlier than 10.0.9, they will be shown in the query results.
AQL: ("specific_data.data.installed_software" == match([("name" == regex("SonicWall", "i")) and ("version_raw" < '0000000100000000000000009')]))
Pulse Connect Secure resolved multiple vulnerabilities (including three new CVEs — CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900) discovered in their products. According to a Reuters article, these vulnerabilities have been used to target U.S. government, defense, and financial organizations. Threat actors leveraged these vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893, to gain initial access.
An easy way to identify Pulse Connect Secure vulnerabilities (if you’ve run a recent vulnerability scan and have connected vulnerability scanners in the Axonius platform) is to search for the new CVEs disclosed for Pulse Connect Secure.
This query will return results if any of the vulnerabilities are observed on devices by any adapter connected in Axonius.
AQL: ("specific_data.data.software_cves.cve_id" == "CVE-2019-11510") or ("specific_data.data.software_cves.cve_id" == "CVE-2020-8260") or ("specific_data.data.software_cves.cve_id" == "CVE-2020-8243") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-22893")
If you don’t have the ability to search by CVE but you’re tracking installed software applications in your Axonius dashboard, you can filter results and sift through all Pulse Connect Secure software without running a new query.
(4.2.2021) VMware Releases Security Update
VMware released a security update to address a vulnerability (CVE-2021-21982) in VMware Carbon Black Cloud Workload appliance. A malicious actor could exploit this vulnerability to take control of an affected system.
Based on the security alert from VMware, it appears the affected Carbon Black Cloud Workload appliances are Linux-based. Since this information and the affected version numbers are known, you can conduct a complex query in Axonius to find the devices with the affected versions running on the OS where the version was affected.
You would select the complex query for “Installed Software” and add lines for “Software Vendor” equals VMware, software name contains “Carbon Black Cloud”, and “Software Version” earlier than 1.0.1. This would return all devices that have VMware Carbon Black meeting these parameters, but the results wouldn’t be limited to Linux devices. To narrow it down further to only the affected devices, you could add a separate line for “OS:Type” equals Linux. This query would then return all Linux devices running the affected versions of the VMware Carbon Black Cloud Workload appliance.
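As an added illustration (not Axonius code or the post’s own queries) of the two “Installed Software” complex queries above, this Python example filters a constructed device inventory the same way: every condition must hold on one installed-software entry, with an optional OS:Type filter on top. The zero-padded version key stands in for why the AQL compares version_raw rather than the raw version string; the real version_raw encoding is an assumption here, not reproduced.

```python
"""Constructed example: re-creating the SonicWall and Carbon Black Cloud
'Installed Software' complex queries against an in-memory inventory."""
import re

def version_key(version: str, width: int = 8) -> str:
    """Left-pad each numeric component so plain string comparison orders versions.
    '10.0.9' -> '000000100000000000000009'; naive strings would put '9.0.1' after it."""
    return "".join(part.zfill(width) for part in re.findall(r"\d+", version))

def installed_software_before(devices, name_pattern, max_version,
                              vendor=None, os_type=None):
    """Hostnames with a software entry matching vendor/name at a version strictly
    below max_version (all conditions on the SAME entry), optionally OS-filtered."""
    name_re = re.compile(name_pattern, re.IGNORECASE)
    limit = version_key(max_version)
    hits = []
    for dev in devices:
        if os_type and dev.get("os_type") != os_type:
            continue
        for sw in dev.get("installed_software", []):
            if vendor and sw.get("vendor") != vendor:
                continue
            if name_re.search(sw["name"]) and version_key(sw["version"]) < limit:
                hits.append(dev["hostname"])
                break  # one match per device is enough
    return hits

# Constructed sample inventory (hostnames and versions are made up).
DEVICES = [
    {"hostname": "mail-gw-01", "os_type": "Linux", "installed_software": [
        {"vendor": "SonicWall", "name": "SonicWall Email Security", "version": "10.0.8"}]},
    {"hostname": "mail-gw-02", "os_type": "Linux", "installed_software": [
        {"vendor": "SonicWall", "name": "SonicWall Email Security", "version": "10.0.9"}]},
    {"hostname": "mail-gw-03", "os_type": "Linux", "installed_software": [
        {"vendor": "SonicWall", "name": "SonicWall Email Security", "version": "9.0.1"}]},
    {"hostname": "cbc-appliance", "os_type": "Linux", "installed_software": [
        {"vendor": "VMware", "name": "Carbon Black Cloud Workload", "version": "1.0.0"}]},
    {"hostname": "win-sensor", "os_type": "Windows", "installed_software": [
        {"vendor": "VMware", "name": "Carbon Black Cloud Sensor", "version": "0.9.5"}]},
]

def sonicwall_hits(devices=DEVICES):
    """SonicWall software earlier than 10.0.9 (name regex, case-insensitive)."""
    return installed_software_before(devices, "SonicWall", "10.0.9")

def carbon_black_hits(devices=DEVICES, linux_only=True):
    """VMware, name contains 'Carbon Black Cloud', version < 1.0.1, optionally Linux only."""
    return installed_software_before(devices, "Carbon Black Cloud", "1.0.1",
                                     vendor="VMware", os_type="Linux" if linux_only else None)
```

Running `carbon_black_hits(linux_only=False)` shows the extra non-Linux host the post warns about before the OS:Type line is added.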
This Joint Cybersecurity Advisory from the FBI and CISA provides an overview of how APT actors are actively exploiting known Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) to gain initial access to multiple government, commercial, and technology services. It also offers mitigation strategies.
For the Fortinet FortiOS vulnerabilities, we want to show how to use Axonius to validate if mitigation measures have been taken after vulnerabilities have been discovered.
FBI and CISA recommended 15 mitigation actions that organizations affected by the FortiOS vulnerabilities should take. Several of these actions can be validated using Axonius. Here are a couple of example queries:
(4.26.2021) CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks
CISA and NIST’s new interagency resource, Defending Against Software Supply Chain Attacks, provides an overview of software supply chain risks and recommendations. It also offers guidance on using NIST’s Cyber Supply Chain Risk management framework and the Secure Software Development Framework to identify, assess, and mitigate risks.
(4.26.2021) Alert (AA21-116A): Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
This FBI and DHS report provides information on the Russian Foreign Intelligence Service’s cyber tools, targets, techniques, and capabilities to help businesses conduct their own investigations and secure their networks.
(4.22.2021) CISA Incident Response to SUPERNOVA Malware
This report provides tactics, techniques, and procedures CISA observed during an incident response engagement following an APT actor’s long-term compromise of an entity’s enterprise network. The threat actor connected to the entity’s network via the Pulse Secure VPN appliance.
(4.15.2021) CISA and CNMF Analysis of SolarWinds-related Malware
This analysis from CISA and the DoD Cyber National Mission Force (CNMF) looks at additional SolarWinds-related malware variants known as SUNSHUTTLE and SOLARFLARE.
(4.13.2021) Justice Department announces court-authorized effort to disrupt exploitation of Microsoft Exchange Server vulnerabilities
The U.S. Department of Justice revealed how a court order allowed the FBI to enter networks of businesses to remove malicious web shells used by cyberattackers exploiting Microsoft Exchange Server vulnerabilities.
(3.31.2021) CISA Releases Supplemental Direction on Emergency Directive for Microsoft Exchange Server Vulnerabilities
This supplemental direction from CISA provides additional guidance for federal agencies on how they could use newly developed tools to investigate whether their Microsoft Exchange Servers have been compromised.