F5 SIRT
139 TopicsCyber security 2024 summary and 2025 forecasts from the news
Notable security news for the week of Dec 22 nd – Dec 28 th 2024. This week editor isLior from F5 SIRT. As always, when a year ends, security websites and vendors summarize the most significant security issues that happened over the past year. And with every end, there is a beginning. Enter 2025 cybersecurity predictions: what will happen this year in the world of cybersecurity? Here is what I summarized regarding the end of year 2024 and 2025 prediction in the cybersecurity landscape. 2024cyber summary In 2024, the cybersecurity landscape was marked by significant incidents and evolving threats, with "more" being the keyword — more of everything. CVE details show a record number of 40,152 CVEs, around 10k more than last year. The CISA site - Known Exploited Vulnerabilities Catalog - shows significant growth in the actual exploitation of vulnerabilities. Large-scale incidents such as the Snowflake Data Breach, Salt Typhoon, and Fileless Malware, along with many other names that no one can really remember, have occurred. Then the true nature of software unexpectedly reveals itself, as seen in the CrowdStrike incident. One of the major breakthroughs in technology is the emergence of generative AI chatbot platforms, and as with any new technology, there is a need to secure it. Generative AI chatbots are becoming popular in web applications and are used to assist with specific, tailored actions relevant to users. These AI-driven chatbots use a wrapper on a commercial chat using APIs to operate, creating a whole new playground for attacks that now try to “convince” the chat to provide details it shouldn’t. Sounds familiar? totally familiar, but this time it is not XSS or SQLi; it is the LLM itself. Which is a great opportunity to mention the F5 AI Gateway. I guess we can consider 2024 as a year with unprecedented levels of security events (see my 2024 prediction more of everything). Enter 2025 So now you can ask yourself, will this continue in 2025 at the same growing rates? For sure! And will cybersecurity in 2025 be the year of AI security expansion? Beyond securing LLMs themselves, threat actors are expected to leverage artificial intelligence (AI) to enhance the sophistication of their attacks. This includes the use of AI for crafting more convincing phishing schemes, automating social engineering tactics, and deploying deepfakes for identity theft and fraud. But AI can also be used for protection and cyber defense: Integration of AI in Security Operations Centers (SOCs): AI is anticipated to play a central role in SOCs, automating tasks such as threat detection, vulnerability assessments, and incident response. Human analysts will focus on strategic decision-making and handling complex threats, enhancing overall operational efficiency. Security "co-pilots": AI-driven security operations centers (SOCs) will improve threat detection and automate incident response. Security controls assessment powered by AI: Using "AI Cyber Governance Platforms," AI will assist security personnel in understanding the real value of their security products and services, optimizing their arsenal to maximize protection. Agentic AI: Agentic AI is a software program designed to independently make decisions and take actions to achieve specific goals. Agentic AI is trending due to its ability to autonomously help CIOs realize their vision for generative AI to increase productivity. This all means that we are facing an even more intense year and as they say, "It is going to be interesting." Recommended reading: The Top 25 Security Predictions for 2025 New vulnerabilities While summarizing and doing prediction is nice exercise, the reality is that we have new vulnerability every week, here are two of them from last week: New critical Apache Struts flaw exploited to find vulnerable servers A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices. Apache publicly disclosed theStrutsCVE-2024-53677flaw (CVSS 4.0 score: 9.5, "critical")” at Dec 11”, stating it is a bug in the software's file upload logic, allowing path traversals and the uploading of malicious files that couldlead to remote code execution. "We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,"reports Ullrich. https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/ Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately Palo Alto Networks has disclosed a high-severity vulnerability impacting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices. The flaw, tracked as CVE-2024-3393 (CVSS score: 8.7), "A denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall," the companysaidin a Friday advisory. Palo Alto Networks said it discovered the flaw in production use, and that it's aware of customers "experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue." https://thehackernews.com/2024/12/palo-alto-releases-patch-for-pan-os-dos.html https://security.paloaltonetworks.com/CVE-2024-3393 Podcasts recommendation Finally, I have listen to those podcasts in the past week and they are worth the time spending on. Podcast - Three Buddy Problem Palo Alto network edge device backdoor, Cyberhaven browser extension hack, 2024 research highlights. https://securityconversations.com/episode/palo-alto-network-edge-device-backdoor-cyberhaven-browser-extension-hack-2024-research-highlights/ F5 DC : Announcing the new 'AI Friday' Podcast - Episode 1 Our own F5 folks talk about AI in a new podcast. Great job, looking forward for the next chapter. https://community.f5.com/kb/technicalarticles/announcing-the-new-ai-friday-podcast---episode-1/338527 See you all next year.247Views0likes0CommentsAttacks against Domain Specific Languages, EU Cybersecurity Laws, & Supply Chain Attacks
Jordan_Zebor is your editor once again for this issue of This Week In Security. This week I will cover some interesting research which highlights Attacks against Domain Specific Languages, some new EU Cybersecurity Laws, & a few more instances of Supply Chain Attacks. Attacks against Domain Specific Languages The article highlights new attack techniques discovered in Open Policy Agent (OPA) and Terraform by security researcher Shelly Raban, who uncovered vulnerabilities in the supply chain and configuration management of these infrastructure-as-code and policy-as-code tools. The research explores how attackers can exploit these DSLs to compromise cloud identities, enable lateral movement, and exfiltrate data through various malicious techniques, such as credential theft and DNS tunneling. Open Policy Agent (OPA) Attacks OPA, a policy engine, uses Rego, a domain-specific language (DSL), to make policy decisions. Attackers can exploit vulnerabilities in OPA's supply chain by gaining access to the policy storage and uploading malicious policies. Once the malicious policy is fetched during a regular update, it can execute harmful actions like credential exfiltration. This can be done by abusing OPA's built-in functions, such as opa.runtime().env for accessing environment variables or http.send for exfiltrating sensitive data to an external server. Additionally, attackers can use DNS tunneling via the net.lookup_ip_addr function to stealthily transmit sensitive information, such as credentials, to a malicious server. Terraform Attacks Terraform, a popular Infrastructure-as-Code (IaC) tool, uses the HashiCorp Configuration Language (HCL) for declarative configurations. Terraform's CI/CD pipelines often run the terraform plan phase on pull requests, which can inadvertently trigger malicious code execution if a pull request includes a compromised module or data source. One risk arises from the use of external and HTTP data sources, which can be manipulated to exfiltrate sensitive information, such as AWS credentials, to an attacker-controlled server. Terraform also uses provisioners like local-exec and remote-exec, which can run arbitrary code on the local or remote infrastructure, making them a target for attackers who could deploy malicious scripts or even cryptocurrency miners. These attack techniques highlight the importance of securing IaC and PaC tools to prevent malicious code from being executed during the infrastructure provisioning or policy evaluation phases. New EU Cybersecurity Laws The new cybersecurity laws in the EU establish a European Cybersecurity Alert System and amend the Cybersecurity Act of 2019 to enhance security standards for managed security services. The first law creates a pan-European network of cyberhubs to improve coordinated threat detection and response across borders, leveraging AI and advanced data analytics. It also introduces a Cybersecurity Emergency Mechanism and a European Cybersecurity Incident Review Mechanism to support member states in preparing for and recovering from major cyberattacks. The second law focuses on certifying managed security services, ensuring higher quality and reducing market fragmentation by creating a unified certification scheme. These laws are beneficial because they foster stronger international collaboration, improve threat detection and response, and enhance the quality of cybersecurity services across Europe. By using data analytics, the alert system can enable faster and more effective responses to cyberattacks. However, the laws may also have potential drawbacks, such as the complexity of managing cross-border cooperation and ensuring privacy while sharing sensitive threat information. Software Supply Chain Attacks Software supply chain attacks involve the compromise of trusted software packages or their distribution channels to introduce malicious code that can harm users. The Ultralytics AI library, a widely used Python package for artificial intelligence applications, and the Solana Web3.js JavaScript SDK, utilized by decentralized applications to interact with the Solana blockchain, were both targeted in separate incidents that exploited vulnerabilities in their build processes to inject malicious payloads. Ultralytics AI The Ultralytics AI module, a popular Python package for AI, was compromised in a supply chain attack that introduced a cryptocurrency miner in versions 8.3.41 and 8.3.42. The malicious code, which caused high CPU usage, was injected through a vulnerability in the library's build environment via GitHub Actions Script Injection. After being flagged by a researcher, the compromised versions were removed, and a new release fixed the security flaw. While the payload was a miner, more severe malware risks, like backdoors, remain a concern. Solana Web3.js In a separate attack, the Solana Web3.js JavaScript SDK was modified to steal private keys from developers and users in versions 1.95.6 and 1.95.7. The malicious "addToQueue" function exfiltrated keys, sending them to an attacker-controlled server. The breach occurred via a compromised publish-access account. Developers were advised to upgrade to the latest release and rotate keys. The stolen funds amounted to an estimated $184,000. That's it for this week. Hope you enjoyed the content.114Views3likes1CommentF5 BIG-IP Advanced WAF – DOS profile configuration options.
F5 BIG IP Advanced WAF is the perfect tool for detection and prevention of application Distributed Denial-of-Service (DDoS) attacks against a web application. This article will review the possible configurations of the dos profile also known as Adv WAF anti DDoS feature to stop those attacks.184Views2likes0CommentsF5 NGINX HTTP Request Header Rules: What’s Permitted and What’s Not
When managing web servers like F5 NGINX, it's crucial to understand the rules that govern HTTP headers—particularly which characters are allowed or disallowed in both header names and values. HTTP headers play a vital role in the communication between a client and server, carrying essential metadata such as content type, length, and caching policies. NGINX strictly enforces these rules to ensure compliance with HTTP/1.1, HTTP/2, and HTTP/3 protocols. Misconfigured headers or the use of improper characters can lead to a range of issues, including security vulnerabilities, degraded performance, or even rejected requests. One common security threat,HTTP Request Smuggling, exploits desynchronization between devices involved in handling the request, such as frontends, caching servers, load balancers, and web servers. These attacks rely on inconsistencies in how each device parses the request, enabling malicious actors to inject hidden or split requests. This article outlines the allowed and disallowed characters in HTTP request headers as enforced by NGINX, which I compiled throughcode review, test case review and manual testing for HTTP Smugglingon NGINX version "nginx/1.25.5 (nginx-plus-r32-p1)". If I missed something please let me know bycontacting the F5 SIRT. Allowed Characters Header Names Lowercase letters: (a-z) Uppercase letters: (A-Z) Allowed in HTTP/1.1 Disallowed in HTTP/2 and HTTP/3, which require lowercase. Digits: (0-9) Hyphen: (-) Underscore: (_)Allowed in all versions only ifunderscores_in_headers is enabled Colon: (:) Allowed only as a prefix inHTTP/2 and HTTP/3 pseudo headers. Header Values Printable ASCII characters: Characters from ! to ~, including digits, letters, punctuation, and symbols, are allowed. Space: (0x20) Allowed within the value. Horizontal Tab (HT): (0x09) Generally allowed within values but with exceptions in headers such as Content-Length and Host (details below). Disallowed Characters Header Names Control Characters: ASCII control characters (<= 0x20), including space and horizontal tab, are disallowed in header names. DEL (0x7f): The delete character is not allowed. Colon: (:) Disallowed in header names except forHTTP/2 and HTTP/3 pseudo headers. Uppercase Letters: (A-Z) Disallowed in HTTP/2 and HTTP/3 header names (must be lowercase). Special characters: Characters such as ()<>@,;:\"/[]?={} are implicitly disallowed as they don’t belong to any allowed category for header names. Header Values Null Character: (\0) Disallowed in header values. Line Feed (LF): (0x0A) Not allowed within the value and used only to terminate headers. Carriage Return (CR): (0x0D) Not allowed within the value, used for header termination. Control Characters (<= 0x20) with special conditions for Horizontal Tab (HT): Horizontal Tab (HT, 0x09): Disallowed in the Host header value in HTTP/1. Disallowed in the pseudo-header values in HTTP/2 and HTTP/3. Disallowed in the Content-Length header value in HTTP/1. Summary This list of allowed and disallowed characters provides an overview of how NGINX handles HTTP headers across different protocol versions. While HTTP/1.1 is somewhat lenient with uppercase letters and certain characters, HTTP/2 and HTTP/3 enforce stricter validation rules, particularly for header names. Understanding these restrictions ensures your server configuration remains compliant with protocol specifications and avoids potential issues with malformed headers.292Views1like1CommentLet's Get Critical, Critical
MegaZoneis back again for a roundup of the security news that caught my eye for the week of November 10th - 16th, 2024. This time, I want to get Critical. Yes, let's get into the Critical - issues, of course. We're going to look at some very recent Critical issues making the rounds, as well as issues which made the charts in 2023 - including an old friend which keeps on giving. And I'll end with a critical issue for all of us in the cybersecurity field, one I feel strongly about. Atomic Batteries to Power! Turbines to Speed!187Views6likes2Comments