Latest updates from our blog

No plan survives the first contact with the enemy

by: Thomas Langthaler, Sunday, May 21, 2023

 

The importance of exercises in IT security

While the saying "No plan survives first contact with the enemy" is certainly true, this fact rarely leads to resignation and surrender. Rather, one tries to keep the delta between plan and reality as small as possible, even after first contact, through constant practice and training. Transferred to the preparation for IT security incidents (incident readiness), this means regularly and thoroughly practicing emergency plans, backup and restore processes, and the like. One way to do this is by conducting IT security exercises.

Read more...

 

Security Advisory: Unauthenticated Remote Command Execution in Multiple WAGO Products

 

Introduction

As we already demonstrated through our recent advisories (Asus M25 NAS, Phoenix Contact, NetModule, Festo), ONEKEY's "zero day identification" module is quite versatile when it comes to finding bugs in PHP, Lua, or Python code we find in firmware uploaded to ONEKEY's platform. However, we recently discovered that we were missing an interesting source for PHP taint analysis: PHP wrappers.

PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem functions such as fopen(), copy(), file_exists() and filesize(). They are sometimes used to read the content of HTTP requests or command line arguments by using php://input, php://stdin, or php://fd/0 (ok the last one is a bit far-fetched and came up when we discussed potential sources for the taint analysis, but you get the point :) ).

Read more...

 

Security Advisory: Multiple Vulnerabilities in Phoenix Contact Routers

 

Introduction

This is the fourth security advisory we release together with ONEKEY that is related to the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. You can find the first three here: Asus M25 NAS Vulnerability, Multiple Vulnerabilities in NetModule Routers, and Unauthenticated Configuration Export in Multiple WAGO Products.

Phoenix Contact is a manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

Read more...

 

NIS2 - the fuel for ISO 27001

by: Michael Brunner, PhD., Friday, March 3, 2023

Cyber attacks are among the fastest-growing forms of crime worldwide. A good indicator of the current state is the fact that, according to media reports, it has become significantly harder for companies to obtain insurance against cyber attacks. Insurers are raising the security maturity level they require. And exactly that is what will bring about the replacement of today's common self-assessments by qualified audits backed by mandatory evidence.

Management is accountable

Directive (EU) 2022/2555 substantially expands the set of affected companies and their obligations. From 2024 it can be assumed that in Austria around 3,000 companies, divided into 16 sectors, with 50 or more employees and EUR 10 million or more in revenue, will have to demonstrably implement cybersecurity measures. National legislation will take over the verification of compliance with the minimum standards and subsequently hold the managing directors of operators of critical infrastructure accountable.

Read more...

 

Security Advisory: Multiple Vulnerabilities in NetModule Routers

 

Introduction

This is the third security advisory we release in cooperation with ONEKEY that is related to the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform.

NetModule is an Original Equipment Manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

Read more...

 

Cyber-Incident do’s and don’ts

by: Florian Walther and Thomas Langthaler, Wednesday, February 15, 2023

As a cyber incident response provider, we at CERTAINITY have to deal with ransomware and other cyberattacks that have devastating effects on the affected organization. In this blog post, we outline the most important do's and don'ts when dealing with cyber incidents. Cyber incident response refers to the actions taken by an organization to manage and contain the impact of a cyberattack or data breach. Effective cyber incident response is crucial to minimizing the damage caused by a cyber incident and restoring normal operations as quickly as possible.

Read more...

 

Security Advisory: Unauthenticated Configuration Export in Multiple WAGO Products

 

As shown in our previous security advisory for the Asus M25 NAS from our research cooperation with ONEKEY, we recently introduced a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform.

This module reported two potential issues within a WAGO Series PFC100 configuration API: a path traversal and a command injection vulnerability. The command injection turned out to be a false positive (we have strengthened our analysis capabilities since then), but it got us to investigate a specific PHP file in which we identified that the authentication and authorization code blocks were commented out.

Read more...

 

The European Cyber Resilience Act – Silver bullet to sustainably increase cyber security or deservedly dreaded regulation to hinder digital product innovation?

by: Michael Brunner, PhD., Friday, December 9, 2022

The final proposal of the European Cyber Resilience Act has been publicly available since September 2022, and so are the results of the EU's impact assessment of the planned regulation. While the overall need for the European Cyber Resilience Act or a similarly targeted regulation is beyond question, so is the fact that it will affect enterprises throughout Europe that develop and sell digital products.

In this article we will offer a high-level analysis of the regulation itself, provide some clarification regarding its scope and the potential impact as well as immediate remediation steps enterprises can take to address the requirements. This article will mostly focus on issues relevant for digital product developers and manufacturers.

Read more...

 

Security Advisory: Asus M25 NAS Vulnerability

by: ONEKEY and CERTAINITY joint research team, Thursday, December 1, 2022

ONEKEY and CERTAINITY - together for more cybersecurity

In October we announced our joint research cooperation, and we are able to present you our first findings.

We recently deployed the first component of our “zero-day identification” module, which aims at identifying vulnerability patterns in scripting languages. It’s been a long time coming and we want to share a few technical details about it with you.

Our objective is to support the identification of vulnerability patterns in both scripting languages and compiled binaries. We started off with scripting languages as it seemed to be the easiest path to get results fast. Our first order of business was to identify the distribution of scripting languages within our corpus based on our file categorization. These statistics guided us in choosing which languages to support first.
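To make concrete what a static "vulnerability pattern" check of this kind does, and how the PHP wrappers mentioned in the WAGO command-execution advisory excerpt above (php://input, php://stdin, php://fd/0) enter the picture as taint sources, here is an added example: a deliberately small, line-based taint scanner written in Python for this page. It is not ONEKEY's or CERTAINITY's module. The PHP file it scans is constructed for the example and is not taken from any vendor firmware; the source, sink and sanitizer lists are the example's own assumptions, not a description of any real analysis engine.

```python
import re

# Constructed sample PHP file, written for this example (not code from any
# vendor firmware). The request body arrives via the php://input wrapper, a
# query parameter via $_GET, and both flow into shell and file-system sinks.
SAMPLE_PHP = r'''<?php
$body = file_get_contents("php://input");
$cfg = json_decode($body, true);
$name = $_GET["name"];
$safe = escapeshellarg($name);
$out = shell_exec("cat /etc/config/" . $safe);
exec("ping -c 1 " . $body, $lines);
$path = "/etc/config/" . $name;
echo file_get_contents($path);
$count = intval($_GET["count"]);
system("ls -l | head -n " . $count);
'''

# Taint sources: stream wrappers that expose the request body / stdin, and the
# request superglobals (assumed list for this example; extend as needed).
SOURCE_PATTERNS = [
    re.compile(r"""['"]php://(?:input|stdin|fd/0)['"]"""),
    re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
]
# A sanitizer only neutralises taint when it wraps the whole expression.
# That is deliberately conservative: "ls " . escapeshellarg($x) is still flagged.
SANITIZER_RE = re.compile(
    r"^\s*(?:escapeshellarg|escapeshellcmd|intval|basename)\s*\(")
SINKS = {
    "shell_exec": "command injection", "passthru": "command injection",
    "system": "command injection", "popen": "command injection",
    "exec": "command injection",
    "file_get_contents": "path traversal", "readfile": "path traversal",
    "fopen": "path traversal",
}
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
VAR_RE = re.compile(r"\$(?!_)[A-Za-z_]\w*")      # plain variables, not superglobals
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+);\s*$")


def is_source(expr):
    return any(p.search(expr) for p in SOURCE_PATTERNS)


def first_argument(text, open_paren):
    """Return the first argument of the call whose '(' sits at open_paren."""
    depth, quote, i = 0, None, open_paren
    while i < len(text):
        c = text[i]
        if quote:                       # inside a string literal
            if c == "\\":
                i += 1                  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
        elif c == "," and depth == 1:
            return text[open_paren + 1:i]
        i += 1
    return text[open_paren + 1:]


def scan_php(source):
    """Line-based, intraprocedural taint check; returns a list of findings."""
    tainted = set()                     # variables currently holding request data
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue                    # commented-out code never executes
        # 1. Sinks whose first argument is request data or a tainted variable.
        for m in SINK_RE.finditer(line):
            sink = m.group(1)
            arg = first_argument(line, m.end() - 1)
            if SANITIZER_RE.match(arg):
                continue
            if sink in ("file_get_contents", "fopen") and is_source(arg):
                continue                # reading php://input is a source, not a sink
            origins = [v for v in VAR_RE.findall(arg) if v in tainted]
            if origins or is_source(arg):
                findings.append({"line": lineno, "sink": sink,
                                 "category": SINKS[sink],
                                 "via": origins or ["<direct source>"]})
        # 2. Assignments propagate (or clear) taint for the left-hand variable.
        a = ASSIGN_RE.match(line)
        if a:
            var, expr = a.groups()
            if SANITIZER_RE.match(expr):
                tainted.discard(var)
            elif is_source(expr) or any(v in tainted for v in VAR_RE.findall(expr)):
                tainted.add(var)
            else:
                tainted.discard(var)
    return findings


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']}: {f['category']} via {f['sink']}({', '.join(f['via'])})")
```

Run against the constructed file, the scanner reports the exec() call fed by the php://input body and the file_get_contents() call fed by a path built from $_GET, while the escapeshellarg() and intval() paths stay quiet. Its sanitizer rule is intentionally crude, so an escaped value concatenated into a larger string would still be reported; that is the kind of over-reporting behind the "false positive" mentioned in the WAGO configuration-export excerpt, and a production engine resolves it by working on an AST with proper data-flow rather than on lines of text.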

Read more...

 

Michael Brunner certified as SABSA Chartered Security Architect (SCF)

by: Ulrich Fleck, Tuesday, November 15, 2022

CERTAINITY offers all employees ample opportunities for professional and personal growth – during interesting customer projects and via dedicated trainings.

Michael Brunner decided to take up this offer to expand his already profound security architecture knowledge and attended the SABSA foundation courses in October 2022. SABSA is a proven methodology for developing business-driven, risk- and opportunity-focused security architectures at both the enterprise and the solution level that traceably support business objectives. This ensures that security services are designed, delivered, and supported as an integral part of the IT management infrastructure and in accordance with business needs.

Read more...