Varun Uppal, founder and CEO of Shinobi Security Over the weekend, airports across Europe were thrown into chaos after a cyber-attack on one of their technology suppliers rippled through airline...

The post When Airports Go Dark: What The Weekend’s Cyber-attacks Tell Us About Business Risk appeared first on Cyber Defense Magazine.

The Digital Battlefield: How AI is Reshaping Cybersecurity and Fraud Prevention Crocodiles aren’t the only predators lurking in the shadows anymore. Today’s most dangerous hunters wear digital camouflage, wielding artificial...

The post Innovator Spotlight: Darwinium appeared first on Cyber Defense Magazine.

By Kim Crawley

The impact of some software vulnerabilities is so far-reaching and affects so many applications that the potential damage is near impossible to measure. The series of vulnerabilities known as Spring4Shell is a perfect example.

The vulnerability is found in the Spring Framework, which is used in too many Java-based applications to name. Its framework contains modules that include data access and authentication features, so there’s a potential disaster if an attacker can exploit it.

Vx-underground shared news of the discovery of Spring4Shell and linked to a proof-of-concept exploit via Twitter on March 30. The vulnerability facilitates remote code execution and impacts Spring Core in JDK (Java Development Kit) 9 through 18. Frustratingly, Spring4Shell pertains to a bypass for another remote code execution vulnerability that researchers discovered in 2010. That alone emphasizes how critical Spring4Shell is, and how difficult it is to patch or otherwise mitigate.

Because Spring Framework’s modules have so many functions and because of how Spring Framework is used in so many different types of networking applications, there are many ways to exploit Spring4Shell.

One worrisome example is how Spring4Shell has been used to execute Mirai malware and acquire remote root access maliciously. 

First surfacing in 2016, Mirai botnet malware has been used by attackers to execute crippling assaults and now it’s coming back with a vengeance. It works by infecting routers and servers and giving attackers the ability to control massive botnet networks. One of the most damaging Mirai attacks hit the Dyn DNS network hard and took out much of the internet in October 2016.

Now, Spring4Shell is aiding the return of Mirai. Spring4Shell’s bugs have been used to write a JSP web shell into web servers with a carefully coded request. Then remote attackers use the shell to execute commands with root access. Mirai is downloaded to a web server’s “/tmp” folder before execution.

Spring4Shell is similar in many ways to Log4Shell, which was initially discovered in November 2021. Log4J is Apache’s Java logging utility that’s been implemented in a plethora of network logging applications from 2001 to today. It’s a little bit of useful software code that’s run in a wide variety of internet servers and services. Exploiting the Log4Shell vulnerability can give attackers administrative access to all kinds of internet targets. Ars Technica’s Dan Goodin called it “arguably the most severe vulnerability ever,” and Apache started deploying patches on Dec. 6. It has not been an easy job because there are multiple CVEs and they aren’t simple to fix. 

Spring4Shell and Log4Shell both pertain to Java’s vast libraries and resources. Java is one of the most commonly used application development technologies on internet servers and on a variety of types of endpoints, especially Android devices. The downside to a technology being so popular and useful is that it’ll also be a prime target for attackers. Inevitably, there will be many more devastating Java library vulnerabilities discovered in the years to come.

Businesses should quickly work to patch Spring4Shell and Log4Shell vulnerabilities across their entire networks. 

Rigorous, continuous pentesting can help organizations spot these vulnerabilities quickly. The more traditional approach to pentesting just isn’t robust enough to help organizations find and fix the latest complex vulnerabilities. 

Reach out today to discover how Synack can help. 

The post What’s the Spring4Shell Vulnerability and Why it Matters appeared first on Synack.

By Kim Crawley

As technology is becoming more complex and smarter, attackers are growing increasingly sophisticated and cunning. That’s why it’s important to take an offensive approach to security and to hunt for vulnerabilities with the same adversarial mindset, approach and tools that malicious hackers use to carry out attacks.

Two of the most common approaches to offensive security are red teaming and pentesting, disciplines in which specialists simulate real-world attacks, conduct rigorous vulnerability assessments, stress test networks with hacking tools and look for more than just the most common digital flaws.

It’s also important to understand the differences between red teaming and pentesting as well as where the Venn diagram between the two overlaps. Let’s take a look. 

Pentesting: Striking Like the Attacker To Find Vulnerabilities

A penetration test is essentially an engagement that simulates a cyberattack to find weaknesses in systems and networks. Pentesters will mimic malicious hacks to test security preparedness, patches and upgrades to systems. This can also apply to physical security, too (can a criminal break into the building?) and social engineering. 

Pentesters can be part of external, third-party vendors that an organization hires to test from an outsider’s perspective or internal employees who regularly test their employer’s network with insider knowledge. Traditional pentests often provide a small number of testers on site for two weeks once a year and testers are compensated for their hours spent on the target.  Furthermore, pentesters must respect the legal contracts they’ve signed with clients or employers and they must work within the scope defined in the contract. If breaking physical locks or running vulnerability scans on a network segment is outside of the defined scope, they won’t test those targets.

Red Teaming: Laser-Focused on Infiltrating Targets

Red teamers also conduct pentests, but they aren’t looking to find every single vulnerability or weakness. They are more focused on infiltrating intended targets, and often by any means necessary. They want to find the most effective way into an organization or system and see how much damage they could do once inside. 

Red teams will also tailor-make attack methods to their intended targets. So, red teams are often less constrained in the types of attacks they can use to breach an organization. They have more freedom to get creative and use their skills how they see fit. 

Red teams also often compete against blue teams that will run defensive operations simultaneously. Because of the depth of the red teaming exercises, these engagements tend to last much longer than pentesting. 

Synack Experts on Pentesting and Red Teaming

Ryan Rutan, Senior Director of Community for the Synack Red Team, has first-hand experience of how crucial both effective pentesting and red teaming can be when performed  effectively.

Here’s what he had to add: 

“Pentesting can uncover a large swathe of vulnerable attack surfaces at once. Once all the CVSS (Common Vulnerability Scoring System, a standard for understanding vulnerabilities) sorting pans out, you have a list of things you can fix in the next day, week or month. That is often enough time for the next pentest to roll around to start the process all over again. Maintaining that actionable cadence can be difficult, but important for DevSecOps fluidity, and, let’s face it, blue side (cyber defensive) morale.  

In my opinion, red teaming starts once many iterations of this cycle have been completed, and the target organization has made conscious countermeasures to threats identified in the pentesting results. Red teaming goes after specific critical objectives and typically has a much stricter scope or defined success criteria. The scope is often overlayed on top of past known vulnerable attack surfaces to test proper patching and mitigation.

In both cases, pentesting and red teaming, ethical hackers imitate adversaries to bolster blue side defences, but how they go about the process and to what degree makes all the difference. To sum it all up, pentesting helps tell you where you are vulnerable. Red teaming helps tell you what is safe. These two offensive security tactics work hand in hand to solidify a better defense in-depth posture that is tailored to meet the needs and capabilities for a given organization.”

Tim Lawrence, a solutions architect at Synack, describes pentesting and red teaming this way: “Penetration testing is the act of actively looking and trying to exploit vulnerabilities on authorized systems to evaluate the security of the system.

Red teaming is when an authorized team looks for weaknesses in an enterprise’s security by conducting simulated attacks against the target. The outcome is to improve the security of the enterprise by showing the impact to the business, and also to learn how to defend and alert against attacks.”

Duration, Domain and Adversary Emulation

Daniel Miessler is a well regarded expert on security testing methodologies and also how to approach cybersecurity from the defensive side. His website and podcast are definitely worth checking out. He now works as the head of vulnerability management and application security for Robinhood. 

When I asked him for his views on pentesting versus red teaming, he directed me to something he’s already written. In “The Difference Between a Penetration Test and a Red Team Engagement,” he summarizes the distinctions between penetration tests and red teams:

“Duration: Red Team engagements should be campaigns that last weeks, months, or years. The blue team and the target’s users should always be in a state of uncertainty regarding whether a given strange behavior is the result of the Red Team or an actual adversary. You don’t get that with a one or two week assessment.

Multi-domain: While Penetration Tests can cross into multiple domains, e.g., physical, social, network, app, etc.—a good Red Team almost always does.

Adversary Emulation: The item that separates a random Penetration Test from a real Red Team engagement is that Penetration Tests generally involve throwing common tools and techniques at a target, whereas a Red Team should be hitting the organization with attacks that are very similar to what they expect to see from their adversaries. That includes constant innovation in terms of tools, techniques, and procedures, which is in strong contrast to firing up Nessus and Metasploit and throwing the kitchen sink.”

I recommend reading his entire post for more context.

The Synack Approach to Pentesting and Red Teaming

Synack knows that today’s cyberthreat landscape requires continuous pentesting for effective defense because traditional pentesting habits are frequently slow, disruptive and often can’t scale across an entire organization. 

The Synack Platform combines the best aspects of pentesting and red teaming with a pentest that harnesses the best human talent and technology and on-demand security tasks from a community of the world’s most skilled 1,500 ethical hackers. Synack focuses on finding vulnerabilities that matter, so organizations can find and fix new, exploitable vulnerabilities faster. 

Learn more about the Synack difference here: Synack365.

The post Red Teaming and Pentesting: Understanding the Differences and Values of Both appeared first on Synack.