The Security team of Jenkins announced 34 zero-day vulnerabilities in 24 of its plugins, which has rocked the world. The vulnerabilities range from XSS, stored-XSS, to passwords and token disclosures. The list of vulnerable plugins and overview of their impact can be found in this Bleeping Security article.

Jenkins 0 Days and its Impact

The various Jenikns’ plugins have varying impacts. Based on what plugin your organisation is using, it may see varying degrees of risk to its Jenkins setup and can result into compromise of its supply chain. 

Here we are listing few common vulnerabilities and their impacts

Vulnerability	Maximum Impact	Affected Plugins
Stored XSS	Credential theft, account takeover	Plot Plugin, build-metrics Plugin, Rich Text Publisher Plugin, Matrix Reloaded Plugin, eXtreme Feedback Panel Plugin, Validating Email Parameter Plugin, Deployment Dashboard Plugin,
XSS (Cross Site Scripting)	Credential theft, account takeover	GitLab Plugin, TestNG Results Plugin, Project Inheritance Plugin, Recipe Plugin
CSRF (Cross Site Request Forgery)	Credential reste, token theft, account takeover	XebiaLabs XL Release Plugin, Matrix Reloaded Plugin, Recipe Plugin, XPath Configuration Viewer Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin
Missing Permission Checks	Credential theft, Unauthorised actions	XebiaLabs XL Release Plugin, requests-plugin, build-metrics Plugin, Recipe Plugin, Deployment Dashboard Plugin, RQM Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin
Passwords stored in Plain Text	Mass Credential theft	Deployment Dashboard Plugin, Skype notifier Plugin, Jigomerge Plugin, Elasticsearch Query Plugin, Cisco Spark Plugin, RQM Plugin, hpe-network-virtualization Plugin
Tokens, API Kyes or secrets Stored in Plain Text	Session Takeove / rAccount Takeover	Build Notifications Plugin, RocketChat Notifier Plugin, OpsGenie Plugin

Remediation

Applying patches is the best and recommended way to fix vulnerabilities. In this incident, Jenkins is yet to provide fixes for many of the vulnerabilities and still remains a potentially risky, zero-day candidate. 

In absence of patches, disabling the vulnerabile plugins is the best option from the security side, but disastrous if it affects the organisation’s engineering processes.

In such cases we always recommend strong Passwordless authentication. Absence of credentials make most of the attacks irrelevant even in the presence of vulnerable plugins.

Better prepare for 0 Day attacks

You cannot stop 0-day attacks and cannot predict them coming. What helps is sticking to security basics and best practices. Other proactive things an organisation can do is to adopt Passwordless Authentication for its entire Software Engineering infrastructure.

Passwordless solutions like PureAUTH also contain the impact of session takeovers arising from token theft with the use of XSS, by enforcing convenient but regular logins.

Making your Software Engineering Infrastructure passwordless can contain the impact of 95% of such 0-day vulnerabilities without any security configuration change.

A critical vulnerability in Citrix’s Application Delivery Management (ADM) technology was reported & patched this week. 

Tracked with CVE-2022-27511, Citrix reported that, if left unattended, exploitation of the vulnerability could enable remote attackers to reset admin passwords. (reference: Citrix ADM vulnerability)

Overview

Citrix ADM is a virtual appliance, that gives centralized management solution. It simplifies operations by providing administrators with enterprise-wide visibility and automating management jobs that are getting ran across multiple instances. 

Citrix ADM is known to ship with a built-in admin account nsroot, with default credentials nsroot (reflecting its legay of NetScaler).

As a best practice, admins change the default passwords to restrict unauthorised access.

Citrix has documented various means to restore default admin password by resetting ADM node. 

With the exploitation of CVE-2022-2751 vulnerability, an adversary can force Citrix-ADM to restore the nsroot account’s default credentials as a recovery measure from a system corruption, on the very next reboot.

The Problem

Right from network gears, management consoles, virtual appliances we have seen all systems being shipped with a root account with default credentials. 

We have also witnessed that system restore option resoters the default credentials even if admins change them for security reasons.

This has been an industry standard practices from ages. With more options for authentication and evolving threat landscape its time industry should also evolve and change the way factory-default-restores support more secure (or hard to exploit) options. 

Here are a few learnings from suh incidents that we can draw & work for better securing our systems.

Lession 1 : Restrict Remote Access by Default

By default remote access to admin accounts of devices/appliances should be restricted.  Since restoration of default credentials at any time will make system vulnerable to unauthorised access.

Disabling the remote access as part of default setting triggered with restoration of default passwords can restrict the possibility of exploitation by a remote / external threat actor to a great extent. 

This we can see very commonly in Ubuntu, a debian based system.

Lesson 2 : Federate Authentication

Its always better to maintain credentials at a centralised location. This consolidates and optimise the efforts to securely manage and protect them. This also reduces or eliminates the need for restoring the default credentials of devices.

Down side of this being the centralised credential store becomes a single point of failure for all your systems and appliances in your network. This leads to our third and final learning.

Lesson 3 : Eliminate Passwords

Moving away from password based authentication drastically reduces the attack surface of any enterprise. You can choose PKI / certificate based authentication for better security. 

Adopting passwordless authentication goes long way in protecting your systems from unseen future vulnerabilities which might be triggered due to use of passwords or default credentials.

PureAUTH Identity and Trust Platform

Citrix ADM incident CVE-2022-27511 is an another example of the risks associated with passwords. Eliminating passwords using a true passwordless solution like PureAUTH protects organisations from future, unforeseen vulnerabilities.

To learn more, about how PureAUTH is used by various organisations to secure access to their assets and Build Trust in all relevant user actions, schedule a demo with us.

You must be familiar with IaC (Infrastructure as a Code). If not, Stackify has a very good primer on this topic. Code Infrastructure (CIx) simply involves all the tools and systems involved in the Software Development Life Cycle (SDLC process) of an organisation.

Recent supply chain attacks makes it evident, that adversaries world over are targeting the CIx (in other words SDLC tools) of the global software manufacturers. This write up will briefly explain various attacks on Code Infrastructure (CIx) components with the references of some recent supply-chain incidents.

What Is Code Infrastructure (CIx)? 

Code Infrastructure (CIx) comprises of all the distributed applications / systems & artefacts that are involved with or result of each and every step involved in the Software Development Life Cycle (SDLC process). Here is how Code Infrastructure of a typical software engineering organisation looks like –

• Engineering Environment (developer machines and local repositories) 
• Code Management tools (version control systems, git* or Bit Bucket) 
• Code Auditing tools (code scanners etc) 
• Build Systems (build platforms like Jenkins, CICD pipelines) 
• Code Attestation (Key vaults used for code signing) 
• Package Distribution Systems ( popular tools like Jfrog)
• Deployment Platforms  (Cloud services, PaSS/SaaS)

  

Threats to your Code Infrastructure

CIx presents a vast attack surface which is not often properly secured. This is evident In all the recent supply chain attacks that we have witnessed. We have seen all the attacks targeted to one or more CIx components.

Incident	Target & Method	Reference
	Target – Build Systems Method – Insertion of untrusted code	Solarwinds – SunBurst
	Target – Code Attestation System  Method – Stolen Credentials	NVIDIA – Stolen Signing Keys
	Target – Deployed Vulnerable Code Method – Stolen Credential	Kaseya CVE-2021-30116
	Target – Code Management System Method – Stolen Credentials	NPM Supply-Chain Attack
	Target – Deployment Platforms Method – Stolen Credentials	Mime Cast – Attacks in Cloud

It becomes very crucial for enterprises to pay attention to their CIx and secure the attack vercorts applicable for each of these components.

How to secure CIx?

The majority of attacks we have seen are due to exploitation of the Identity & Trust framework. In all the cases Identity was managed by conventional passwords and MFA/2FA. The trust breach happened due to leaked signing keys (private keys), access to which was not properly secured.

In the case of Solarwinds we can also see that the build systems built and distributed untrusted code. This happened due to the absence of a Trust framework which can automatically verify that the code being built is a work of a verified/trusted engineer and not a malicious actor.

The careful study of all supply chain attacks in recent times clearly shows the industry needs to move to a better Identity & Trust framework. We need better Identity management to control access to our CIx resources and robust Trust Framework to verify sanctity of the deliverables at each and every level in software engineering, both pre & post built.

PureAUTH Identity & Trust Platform

PureAUTH provides a breach resilient Identity & Trust Platform using its innovative Zero User Data Initiative (0UDI).

To learn more, how PureAUTH is used by various organisations to secure access to their CIx resources and Build Trust in all relevant user actions, schedule a demo with us.

The Incident

Many Avenger fans would have felt frustrated when they were not able to view the latest Hawkeye series 4th episode when Disney+ was down due to an AWS outage.

The outage also affected the competitor of Disney+ thats Netflix. Condesk, Tinder, Roku and many other services depended on AWS backbone were out last tuesday “US-EAST-1 region” as mentioned by Amazon.

Not just the entertainment providers but  Google, Venmo, DoorDash, Spotify, multiple banks and airline were also affected. The list goes on and shows how bad such outages could be.

Similar outage was seen last year, on 25th of November when 24 different AWS regions were down affecting many web services Roku, Adobe, Shopt, a delivery company backed by Target.

Outages in the past

The outage of public cloud service provider is not just an Amazon thing. We have seen Fastly one of the biggest CDN (content distribution network) going down for hours in June 2021

Though for a short span, Akamai also faced a disruption in July 2021,  on its Edge DNS service, and it took down platforms such as Zomato, Paytm, parts of Amazon, Airbnb, PlayStation Network, Steam, Disney+Hotstar.

In a more disrupting event, Microsoft Azure AD service was down for 14 hours in March this year. This event was 6 months after Azure AD went down blocking access to Azure, Teams, and more over a span of September 28 & 29, 2020 

Conclusion

Industry adopted cloud for better availability and redundancy. CDN companies became the backbone of the internet world wide assuring instant delivery of content and services. As we are seeing the repeated instances of cloud giants going down, this seems to be becoming a new normal.

At PureID what we have learnt is having High availability of a service through a cloud solution provider is not enough, we must provide redundant High Availability clusters with more than one cloud service provider. This may not be a feasible option for many enterprises as spreading data across multiple providers may have its own compliance and governance implications apart from the increase in cost and management overheads.

This is exactly where PureID emerges visionary and a leader as it can deliver its authentication services hosted across multiple public cloud vendors without any compliance or governance worry.

No data, no theft & No-PII so no worries, #GoPassworldess with PureAUTH.

Atlassian & Jenkins

Atlassian is a globally popular provider of software development and collaboration tools. Jenkins, an open source automation server has more than 200,000 deployments. Both are being actively attacked due to recently disclosed vulnerabilities CVE-2021-26084 &  CVE-2021-39124 in Atlassian products, as they are used in conjunction at many organisations. These security issues pose a serious threat of snowballing into another supply chain attack in 2021(2022?).

Attacks on Atlassian

Check Point Research (CPR) discovered many flaws in Atlassian’s Jira which would allow the attacker to take over a user’s account just by a single click. These security flaws would allow an attacker to perform cross site scripting attacks, CSRF attacks or session fixation attacks. The attacker could gain access to user accounts and acquire confidential information. CPR also found out that once a Jira account was taken over, it was possible to take over the Bitbucket account as well. Atlassian’s Bitbucket which is used by millions was also under this threat. The attacker could have had access to an organisation’s Bitbucket repository which would prove to be detrimental.

Attacks on Jenkins

Jenkins recently discovered a successful attack against its Atlassian Confluence service using CVE-2021-26084. Confluence integrates with Jenkins’ integrated identity system which also powers Jira, Artifactory, and numerous other services. They had to take their affected server offline and reset all the passwords.

Passwords at risk, are risk for Businesses

Patching for CVE-2021-26084 &  CVE-2021-39124 should fix the problem, but it is assumed that due to mass exploitation many organisation’s passwords are being compromised. Patching the servers will solve half of the problem. The other half of the problem which will have a massive impact on the masses is resetting the credentials.

Post incident panic and downtime, cost & support needed to reset passwords can be avoided by going passwordless. This also helps in a big way to stop such vulnerabilities triggering supply chain attacks.

Making Atlassian & Jenkins Passwordless

PureAuth provides a passwordless way to authenticate which eliminates the risk of attacks when compared to an authentication method that uses passwords. The video below demonstrates passwordless authentication to Atlassian using PureAuth.

The VPN Meltdown

Throughout the March & April month, Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agent (CISA)  has reported numerous  incidents where old vulnerabilities in popular VPNs were exploited by organized (or state sponsored)   hackers, around the world.

Large numbers of malware families & malicious actors across the globe are on the spree of exploiting the old unpatched vulnerabilities in Fortinet as well as Zero-day in Pulse Secure VPN. 

The victims of the attacks are include sensitive segments like government agencies, Defense contractors & financial institutions amongst many others

The Impact

Digital Journal quoted Vinay Sridhara, CTO of Balbix Inc.,  “About 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users”. 

“What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he added.

People shifting to remote working has  increased the demand for SSL VPNs, also the attack surface + available targets for APT groups and cybercriminals. 

Credential Compromise

The passwords form both the VPNs Fortigate and Pulse Secure are being compromised using different CVEs.

Many unpatched vulnerabilities form the recent past have allowed an unauthenticated attackers to compromise a vulnerable VPN server. The attacker able to gain access to all active users and their plain-text credentials. 

Attackers could also execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected VPN	CVE ID	Description	Impact
	CVE-2019-5591	Configuration vulnerability may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server, as default configuration does not verify the LDAP server Identity.	Information Disclosure(password files & private keys)
	CVE-2019-11510	arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable  Pulse Secure VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands	Access to passwords

2FA/MFA Bypass

Its common recommendation & best practice to have 2FA or MFA along with passwords for VPN. Its generally believed that if for some reasons passwords are compromised the VPNs are still safe due to additional factors.

But during these attacks, we have seen that both the VPNs also suffer MFA/2FA bypass vulnerabilities.  This makes the commonly followed best practice and recommendation of having 2FA/MFA pointless. 

Affected VPN	CVE ID	Description	Impact
	CVE-2020-12812	Improper Authentication vulnerability in SSL VPN 2FA in FortiOS, results in a user to log successfully without being prompted for the 2FA (FortiToken) if they changed the case of their username.	Operational Risk, Improper Authentication2FA/MFA Bypass
	SlowPulse Malware family	Secrete Backdoor access allows hackers to disable or bypass 2FA/MA verification	Bypassing single & multi-factor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells

EFFECTIVE SOLUTION: GO PASSWORDLESS

Passwords are by far the weakest link when it comes to security today. Successful attacks involve lost, breached or re-used passwords and we have seen that 2FA/MFA are of no help. 

You cannot avoid the patch but you can definitely avoid passwords & the 2FA/MFA solutions and go passwordless with much more ease and convenience.

Today, the smartest & the most secure way to sign In on any VPN or enterprise applications is by going completely passwordless.

With PureAuth passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods.

The usernames and passwords dumped (ab)using CVE2018- are being used to get access to the network even after the vulnerability is patched. VPNs being the first line of defense for any enterprise, do not leave it at the mercy of 2FA/MFA which can be easily bypassed. Go passwordless with PureID. Stolen passwords won’t affect you if there are no passwords.

You can check out our integrations for other popular VPNs PaloAlto, OpenVPN.

REFERENCES

• https://cve.mitre.org/cve/search_cve_list.html
• https://www.fortiguard.com/psirt
• https://www.darkreading.com/risk/fbi-and-cisa-warn-of-active-attacks-on-fortios-vulnerabilities/d/d-id/1340579
• https://healthitsecurity.com/news/fbi-cisa-apt-actors-exploiting-unpatched-fortinet-vulnerabilities
• http://www.digitaljournal.com/tech-and-science/technology/hacker-leaks-credentials-for-50-000-vulnerable-fortinet-vpns/article/581704

Online world majorly relies on passwords for access control and content security. Enterprises and individuals alike use passwords to keep sensitive information out of the wrong hands. However, enterprises are an extremely high value target for attackers and that level of attention cannot be handled by the humble passwords. 

In this blog I will be discussing 3 different ways passwords are failing the enterprises with 3 latest incidents. 

Sequoia Capital Phished, Hacked

Sequoia Capital, one of the biggest venture capital firms has told their investors that some of their personal and financial information might have been stolen, according to Axios. This was a result of their cybersecurity investigation indicating that a third party might have accessed this information. 

This incident resulted due to the email credentials of an employee who was phished successfully. Phishing attacks have always been very effective to steal credentials. Even after Sequoia has invested in many cyber-security companies, the inherent problem of passwords remains. When presented with an extremely convincing phishing page, giving away passwords is easy. Such phishing pages can be easily created using a tool like LogoKit.

Govt of India various Department’s Passwords Leaked

Sakura Samurai, a hacking group has found a number of exposed credential pairs, Sensitive files, Personally identifiable information, Sensitive police reports, Session hijacking and Remote code execution in some of the Indian government servers. While this list is alarming in itself, the data that might have been exposed in this breach would have far more impact due to the nature of data exposed.

Along with the above list, the credentials of servers that were stored on these exposed servers have been compromised. This allows attackers to access servers which might not have any other security flaw, simply because of the leaked passwords. This leads to a chain of breaches which cannot be stopped as more and more credentials are stolen, just like SUNBurst supply chain attack.

Yandex Insider shares passwords

On February 12th 2021, Yandex, the largest search company in Russia and one of the largest internet companies in Europe was hit by an insider attack. One of the employees with access rights to provide technical support for their mail service was selling access to the users’ mailboxes. A total of 4,887 mailboxes were compromised. The employee was one of the three administrators with the relevant access. 

The company said that they have blocked access to the affected mailboxes and notified the users to change their passwords. The breach was discovered during a routine security screening.

Go Passwordless

Eliminating passwords instantly improves enterprise security by greatly reducing the attack surface. Phishing & insiders attacks are totally eliminated by eliminating passwords. 

The daily headlines about premium organisations getting breached proves that no organisation is hack proof.  Only PureAUTH Passwordless platform provides Breach Resilience. Even in case of a breach, PureAUTH ensures the enterprise applications are secure from unauthorised access.

Amongst the many known cyber-attacks, Phishing takes the throne. Users, including the experienced ones, can fall prey to phishing. Phishing has become a very cost effective, low skill & straightforward way for cyber criminals over the years now to harvest credentials from across the globe. The effectiveness of phishing attacks is getting better and better with time with innovations in deceiving users. LogoKit is an advanced kit in this series which you cannot ignore.

What is LogoKit?

Logokit is a framework that generates dynamic login pages, in real time which look nearly identical to legitimate authentication widget of the subject application and has a better chance of deceiving the users to provide their credentials.  

This novel tool was discovered by RiskIQ, a threat intelligence firm, which has been following the kit since its evolution. Stats shared by RiskIQ mention that Logokit is already installed on 300+ domains over the past week and 700+ sites over the past month.

How is Logokit used in phishing?

Logokit is used for sending phishing links to the user’s email address.

“Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database,” RiskIQ security researcher Adam Castleman said in a report on Wednesday.

After the user enters his password, Logokit makes a dynamic AJAX request and sends these credentials to an external source after which the user is redirected to a legitimate website.

“The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site,” he added.

How is Logokit different from standard phishing?

Standard phishing tool involves generating a foolproof login page for each and every target organisation or application for which the victim’s credentials need to be harvested. The approach being time consuming, costly and needs changes when there is a change in the webpages or design of the target.

 Logokit has innovatively solved this. A set of JavaScript embeddable functions are used by Logokit to impersonate the company’s webpage in real time, making it difficult for the user to differentiate. 

RiskIQ also stated that over the past month, Logokit was used to imitate services like Office 365, Adobe Document Cloud, and many cryptocurrency’s websites.

Also, being small in size, Logokit is hosted on several different most trusted platforms like Firebase, Oracle cloud, Github which in turn are extensively used in corporate environments.

 How does PureID Help?

We, at PureID, are helping enterprises become passwordless and protect its users from cyberattacks involving credentials. Our passwordless approach makes phishing attacks targeting the user credentials irrelevant.

References:

https://www.riskiq.com/blog/external-threat-management/logokit-phishing/

https://www.zdnet.com/article/new-cybercrime-tool-can-build-phishing-pages-in-real-time/

https://itigic.com/logokit-tool-that-creates-phishing-attacks-in-real-time/

katemangostar – www.freepik.com

Git Server with default credentials

When you set up things that are connected to the internet, they generally require protection from unauthorized access. This protection is often provided by passwords. In most of these cases, a default password with a username is given for first time configuration. As a general security practice, you are supposed to change this password. Nissan (North America) forgot this basic security practice for their Bitbucket Git server.

Proprietary source code stolen

The repository contained proprietary source code for Nissan mobile apps, diagnostics tool, dealer portal, Nissan internal core mobile library, client acquisition and retention tools, sales/marketing research tools and data, vehicle logistics portal and various other internal tools.

The Swiss based software engineer, Tillie Kottmann learned of the leak from an anonymous source and said that the leak originated from a Git server exposed to the internet with the credentials admin/admin, as username and password, in an interview with ZDNet. Close to 20GB of the data is now available to download using a torrent link. Nissan has said that the leaked data/code does not expose their customers or their vehicles.

Passwordless Authentication

During the configuration of servers it is easy to just use the configuration used for testing in deployment and forget to change the password. It is also not easy to set and remember a strong admin password without using a password manager, which is not practical when multiple users are using the application. It is also susceptible to phishing attacks.

Going passwordless rather than changing default passwords helps reduce attack surface and unauthorised access in a far better way. 

Our PureAuth platform integrates with GitHub as well as other SAML enabled applications and makes an enterprise more secure and resilient.

In 2018, a vulnerability (CVE-2018-13379) allowed attackers to read FortiOS files without authentication by sending a carefully crafted HTTP request. This vulnerability only existed in the SSL VPN. It affected FortiOS version 5.6.3 to FortiOS version 6.0.4.

According to CloudSEK this vulnerability has come back to haunt networks that use FortiOS and missed the memo in 2018, leaving them open to attacks. More than 49000 vulnerable targets for this particular CVE, were listed for sale on a hacking forum. These are the easy targets for attackers to make a huge profit by acquiring and selling sensitive data, or just hold the network ransom.

FortiOS SSL VPN vulnerability

The path traversal vulnerability allowed unauthorized access to passwd and shadow files stored inside the FortiOS, along with any private keys stored. These files may also contain the login information of the users on the FortiOS and can be read by using this vulnerability.

At the very least, attackers can cause serious downtime once they are in the network, they might deploy ransomware or exfiltrate sensitive data. The failure of even one endpoint may lead to the whole domain being taken over.

Bank_Security found that, in a later post, the hacker dumped login details from these vulnerable machines containing usernames, passwords with “full-access” privilege level and IP addresses of users of the VPN.

Source : @Bank_Security

Among the victims, there are some banks, government domains and many companies around the world.

Secure Authentication with PureID

The usernames and passwords dumped (ab)using CVE2018- are being used to get access to the network even after the vulnerability is patched. VPNs being the first line of defense for any enterprise, do not leave it at the mercy of 2FA/MFA which can be easily bypassed. Go passwordless with PureID. Stolen passwords won’t affect you if there are no passwords.

You can check out our integrations for other popular VPNs PaloAlto, OpenVPN.