security
160 TopicsCyber security 2024 summary and 2025 forecasts from the news
Notable security news for the week of Dec 22 nd – Dec 28 th 2024. This week editor isLior from F5 SIRT. As always, when a year ends, security websites and vendors summarize the most significant security issues that happened over the past year. And with every end, there is a beginning. Enter 2025 cybersecurity predictions: what will happen this year in the world of cybersecurity? Here is what I summarized regarding the end of year 2024 and 2025 prediction in the cybersecurity landscape. 2024cyber summary In 2024, the cybersecurity landscape was marked by significant incidents and evolving threats, with "more" being the keyword — more of everything. CVE details show a record number of 40,152 CVEs, around 10k more than last year. The CISA site - Known Exploited Vulnerabilities Catalog - shows significant growth in the actual exploitation of vulnerabilities. Large-scale incidents such as the Snowflake Data Breach, Salt Typhoon, and Fileless Malware, along with many other names that no one can really remember, have occurred. Then the true nature of software unexpectedly reveals itself, as seen in the CrowdStrike incident. One of the major breakthroughs in technology is the emergence of generative AI chatbot platforms, and as with any new technology, there is a need to secure it. Generative AI chatbots are becoming popular in web applications and are used to assist with specific, tailored actions relevant to users. These AI-driven chatbots use a wrapper on a commercial chat using APIs to operate, creating a whole new playground for attacks that now try to “convince” the chat to provide details it shouldn’t. Sounds familiar? totally familiar, but this time it is not XSS or SQLi; it is the LLM itself. Which is a great opportunity to mention the F5 AI Gateway. I guess we can consider 2024 as a year with unprecedented levels of security events (see my 2024 prediction more of everything). Enter 2025 So now you can ask yourself, will this continue in 2025 at the same growing rates? For sure! And will cybersecurity in 2025 be the year of AI security expansion? Beyond securing LLMs themselves, threat actors are expected to leverage artificial intelligence (AI) to enhance the sophistication of their attacks. This includes the use of AI for crafting more convincing phishing schemes, automating social engineering tactics, and deploying deepfakes for identity theft and fraud. But AI can also be used for protection and cyber defense: Integration of AI in Security Operations Centers (SOCs): AI is anticipated to play a central role in SOCs, automating tasks such as threat detection, vulnerability assessments, and incident response. Human analysts will focus on strategic decision-making and handling complex threats, enhancing overall operational efficiency. Security "co-pilots": AI-driven security operations centers (SOCs) will improve threat detection and automate incident response. Security controls assessment powered by AI: Using "AI Cyber Governance Platforms," AI will assist security personnel in understanding the real value of their security products and services, optimizing their arsenal to maximize protection. Agentic AI: Agentic AI is a software program designed to independently make decisions and take actions to achieve specific goals. Agentic AI is trending due to its ability to autonomously help CIOs realize their vision for generative AI to increase productivity. This all means that we are facing an even more intense year and as they say, "It is going to be interesting." Recommended reading: The Top 25 Security Predictions for 2025 New vulnerabilities While summarizing and doing prediction is nice exercise, the reality is that we have new vulnerability every week, here are two of them from last week: New critical Apache Struts flaw exploited to find vulnerable servers A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices. Apache publicly disclosed theStrutsCVE-2024-53677flaw (CVSS 4.0 score: 9.5, "critical")” at Dec 11”, stating it is a bug in the software's file upload logic, allowing path traversals and the uploading of malicious files that couldlead to remote code execution. "We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,"reports Ullrich. https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/ Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately Palo Alto Networks has disclosed a high-severity vulnerability impacting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices. The flaw, tracked as CVE-2024-3393 (CVSS score: 8.7), "A denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall," the companysaidin a Friday advisory. Palo Alto Networks said it discovered the flaw in production use, and that it's aware of customers "experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue." https://thehackernews.com/2024/12/palo-alto-releases-patch-for-pan-os-dos.html https://security.paloaltonetworks.com/CVE-2024-3393 Podcasts recommendation Finally, I have listen to those podcasts in the past week and they are worth the time spending on. Podcast - Three Buddy Problem Palo Alto network edge device backdoor, Cyberhaven browser extension hack, 2024 research highlights. https://securityconversations.com/episode/palo-alto-network-edge-device-backdoor-cyberhaven-browser-extension-hack-2024-research-highlights/ F5 DC : Announcing the new 'AI Friday' Podcast - Episode 1 Our own F5 folks talk about AI in a new podcast. Great job, looking forward for the next chapter. https://community.f5.com/kb/technicalarticles/announcing-the-new-ai-friday-podcast---episode-1/338527 See you all next year.224Views0likes0CommentsAttacks against Domain Specific Languages, EU Cybersecurity Laws, & Supply Chain Attacks
Jordan_Zebor is your editor once again for this issue of This Week In Security. This week I will cover some interesting research which highlights Attacks against Domain Specific Languages, some new EU Cybersecurity Laws, & a few more instances of Supply Chain Attacks. Attacks against Domain Specific Languages The article highlights new attack techniques discovered in Open Policy Agent (OPA) and Terraform by security researcher Shelly Raban, who uncovered vulnerabilities in the supply chain and configuration management of these infrastructure-as-code and policy-as-code tools. The research explores how attackers can exploit these DSLs to compromise cloud identities, enable lateral movement, and exfiltrate data through various malicious techniques, such as credential theft and DNS tunneling. Open Policy Agent (OPA) Attacks OPA, a policy engine, uses Rego, a domain-specific language (DSL), to make policy decisions. Attackers can exploit vulnerabilities in OPA's supply chain by gaining access to the policy storage and uploading malicious policies. Once the malicious policy is fetched during a regular update, it can execute harmful actions like credential exfiltration. This can be done by abusing OPA's built-in functions, such as opa.runtime().env for accessing environment variables or http.send for exfiltrating sensitive data to an external server. Additionally, attackers can use DNS tunneling via the net.lookup_ip_addr function to stealthily transmit sensitive information, such as credentials, to a malicious server. Terraform Attacks Terraform, a popular Infrastructure-as-Code (IaC) tool, uses the HashiCorp Configuration Language (HCL) for declarative configurations. Terraform's CI/CD pipelines often run the terraform plan phase on pull requests, which can inadvertently trigger malicious code execution if a pull request includes a compromised module or data source. One risk arises from the use of external and HTTP data sources, which can be manipulated to exfiltrate sensitive information, such as AWS credentials, to an attacker-controlled server. Terraform also uses provisioners like local-exec and remote-exec, which can run arbitrary code on the local or remote infrastructure, making them a target for attackers who could deploy malicious scripts or even cryptocurrency miners. These attack techniques highlight the importance of securing IaC and PaC tools to prevent malicious code from being executed during the infrastructure provisioning or policy evaluation phases. New EU Cybersecurity Laws The new cybersecurity laws in the EU establish a European Cybersecurity Alert System and amend the Cybersecurity Act of 2019 to enhance security standards for managed security services. The first law creates a pan-European network of cyberhubs to improve coordinated threat detection and response across borders, leveraging AI and advanced data analytics. It also introduces a Cybersecurity Emergency Mechanism and a European Cybersecurity Incident Review Mechanism to support member states in preparing for and recovering from major cyberattacks. The second law focuses on certifying managed security services, ensuring higher quality and reducing market fragmentation by creating a unified certification scheme. These laws are beneficial because they foster stronger international collaboration, improve threat detection and response, and enhance the quality of cybersecurity services across Europe. By using data analytics, the alert system can enable faster and more effective responses to cyberattacks. However, the laws may also have potential drawbacks, such as the complexity of managing cross-border cooperation and ensuring privacy while sharing sensitive threat information. Software Supply Chain Attacks Software supply chain attacks involve the compromise of trusted software packages or their distribution channels to introduce malicious code that can harm users. The Ultralytics AI library, a widely used Python package for artificial intelligence applications, and the Solana Web3.js JavaScript SDK, utilized by decentralized applications to interact with the Solana blockchain, were both targeted in separate incidents that exploited vulnerabilities in their build processes to inject malicious payloads. Ultralytics AI The Ultralytics AI module, a popular Python package for AI, was compromised in a supply chain attack that introduced a cryptocurrency miner in versions 8.3.41 and 8.3.42. The malicious code, which caused high CPU usage, was injected through a vulnerability in the library's build environment via GitHub Actions Script Injection. After being flagged by a researcher, the compromised versions were removed, and a new release fixed the security flaw. While the payload was a miner, more severe malware risks, like backdoors, remain a concern. Solana Web3.js In a separate attack, the Solana Web3.js JavaScript SDK was modified to steal private keys from developers and users in versions 1.95.6 and 1.95.7. The malicious "addToQueue" function exfiltrated keys, sending them to an attacker-controlled server. The breach occurred via a compromised publish-access account. Developers were advised to upgrade to the latest release and rotate keys. The stolen funds amounted to an estimated $184,000. That's it for this week. Hope you enjoyed the content.112Views3likes1CommentF5 BIG-IP Advanced WAF – DOS profile configuration options.
F5 BIG IP Advanced WAF is the perfect tool for detection and prevention of application Distributed Denial-of-Service (DDoS) attacks against a web application. This article will review the possible configurations of the dos profile also known as Adv WAF anti DDoS feature to stop those attacks.183Views2likes0CommentsThree Ways AI Can Hack the U.S. Election
The growing capability of AI content poses three very real threats to modern elections. We explain each, and take a glimpse at a possible solution to the growing AIpocalypse. In 2020, we covered Three Ways to Hack the U.S. Election. That article is every bit as relevant today as it was four years ago. At the time, we focused on the ways in which disinformation could be used to misinform and divide the nation. Now, the digital landscape has shifted with generative AI and deepfakes posing even more threats. In our recent article, Three Ways AI Can Hack the U.S. Election, we explore disinformation and deepfakes, voter suppression tactics, and the role bots have in spreading disinformation. (This is just a summary - click here to read the full article on f5.com/labs.) Disinformation and Deepfakes Election security is all about trust. Disinformation has become a geopolitical weapon, and it is easier than ever to create convincing fake content through generative AI and machine learning tools. AI manipulators can easily change aspects of video, such as backgrounds or facial expressions, to deepfake audio. The boundaries between real and fake have been blurred, with gen AI tools allowing anyone to create realistic content at virtually no cost. Voter Suppression Beyond creating fake content for disinformation, deepfakes can have other nefarious purposes. For example, in 2024, Steve Kramer, a political consultant, admitted to orchestrating a widespread robocall operation using deepfake technology to mimic President Joe Biden’s voice, which discouraged thousands of New Hampshire voters from participating in the state’s presidential primary. The call used caller ID spoofing to disguise its origins. Kramer spent $500 to generate $5 million worth of media coverage and was fined $6 million by the FCC for orchestrating illegal robocalls. Dissemination and Widening the Divide Bots and automation are a significant factor in spreading disinformation on social media platforms like X/Twitter. They can amplify false narratives, manipulate public opinion, and create the illusion of widespread consensus on controversial topics. Bots can share misleading content, interact with genuine users, and boost the visibility of posts, making it difficult for users to differentiate between organic engagement and orchestrated campaigns. AI can significantly enhance the capabilities of social media bots by creating fully-realized, convincing personas, interacting with real and fake users, and creating an illusion of authenticity. AI-enhanced bots can also craft highly realistic posts on a wide range of topics, making them powerful tools for influencing conversations and shaping public opinion. Future AI TV news, once considered trustworthy due to its live, real-time broadcasting, is becoming increasingly susceptible to fake news and AI-generated content. Advancements in AI could lead to AI-generated anchors delivering and reacting to real-world events in real-time, blurring the line between authentic and synthetic information. Emotionally intelligent AI can also be used to manipulate social divides by analyzing emotional cues in real-time, allowing disinformation campaigns to manipulate individuals and fuel polarization. This could further fuel polarization and divisive issues. Combating Fake and AI-generated Content The Coalition for Content Provenance and Authenticity (C2PA) protocol is a standards-based initiative developed by Adobe, Microsoft, Intel, and the BBC to combat disinformation and fabricated media, particularly in the era of AI-generated content. Figure 2. Example video with embedded C2PA digital watermark. Source: c2pa.org It attaches verifiable metadata to digital media files, allowing creators to disclose key information about the origin and editing history of an image, video, or document. C2PA uses cryptographic signatures to detect any tampering with metadata, allowing viewers to access information across platforms. This approach is crucial in combating AI-generated fake content, such as deepfakes, and providing reliable tools for publishers and consumers to judge the trustworthiness of digital media. Conclusion The threat of disinformation and AI is growing. While C2PA offers protection, its limitations include the lack of widespread adoption, the need for public education, and potential skepticism and distrust. Check out the full article written by David Warburton, Director of F5 Labs here.21Views0likes0CommentsBotPoke Scanner Switches IP
Welcome to the October 2024 installment of the Sensor Intelligence Series (SIS), our monthly summary of vulnerability intelligence based on distributed passive sensor data. Below are a few key highlights from this month’s summary. Scanning for CVE-2017-9841 has significantly decreased, while CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 routers, continues to be the most scanned CVE. The BotPoke scanner’s activity has shifted from a Lithuanian IP address to one in Hong Kong, with the new IP accounting for 31.5% of all traffic observed. Monthly averages for the 110 tracked CVEs have remained stable, while CVE-2017-18368 exhibited erratic scanning patterns. BotPoke Scanner Switches IP Address The BotPoke scanner, associated with an IPv4 address (141.98.11.114), disappeared from our logs this month. However, the scanning activity moved from Lithuanian to Hong Kong (154.213.184.3), which accounts for 31.5% of all traffic observed this month. The scanner continued targeting the same URIs and regions where our sensors reside. October Vulnerabilities by the Numbers Figure 1 shows October attack traffic for top ten CVEs we track, with CVE-2023-1389 dominating. Figure 1: Top ten vulnerabilities by traffic volume in October 2024. CVE-2023-1389 continues to dominate all other CVEs we track in terms of volume. Targeting Trends Figure 2 shows traffic volume and position changes over the past year, with heavy scanning for CVE-2023-1389 and decline for CVE-2017-9841, and CVE-2020-11625 rising to second place. Figure 2: Evolution of vulnerability targeting in the last twelve months. Note the continued falloff in scanning for CVE-2017-9814, and the slight increase in scanning for CVE-2020-11625. Long-Term Trends Figure 3 shows the top 20 CVEs’ traffic and monthly averages. Scanning for CVE-2017-8941 and CVE-2023-1389 showed a precipitous rise and fall, while CVE-2020-11625 rose from single digits to 1000s. The average of other 110 CVEs remained constant this month, with CVE-2017-18368 showing a jagged scanning pattern. Figure 3: Traffic volume by vulnerability. This view accentuates the recent changes in both CVE-2023-1389 and CVE-2017-9841, well as the increase in scanning for CVE-2020-11625 and CVE-2017-18368. To find out more about October’s CVEs and for recommendations on how to stay ahead of the curve in cybersecurity, https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip. See you next month!41Views0likes0CommentsContinued Intense Scanning From One IP in Lithuania
Welcome to the September 2024 installment of the Sensor Intelligence Series (SIS), our monthly summary of vulnerability intelligence based on distributed passive sensor data. Below are a few key takeaways from this month’s summary. Scanning for CVE-2017-9841 dropped by 10% (vs. August). CVE-2023-1389 continues to be the most scanned CVE we track, with a 400% increase over August. One IP address continues to be the most observed, accounting for 43% of overall scanning traffic observed. We see a spike in the scanning of CVE-2023-25157, a Critical vulnerability in the GeoServer software project. CVE Scanning Following on from our last month’s analysis, the scanning of CVE-2017-9841 has decreased by 10% compared to August and is down 99.8% from its high-water mark in June of 2024, and nearly vanishing from our visualizations. CVE-2023-1389, an RCE vulnerability in TP-Link Archer AX21 routers, has been the most scanned CVE for the last two months, increasing 400% over August. While this sort of swing in volume may seem remarkable, as we have noticed before, it’s not unusual when we analyze the shape of the scanning for a particular CVE over time. Following Up on an Aberration Last month, a pattern of scanning activity was identified coming from a specific IPv4 address (141.98.11.114), which was suspected to be the BotPoke scanner. Despite a slight decrease in scanning traffic, this IP continued to target the same URIs and regions where our sensors are located, accounting for 43% of the overall scanning traffic observed. A Brief Note on Malware Stagers Observed Our passive sensors, which do not respond to traffic, limit our ability to predict secondary actions after successful exploitation. However, we can show that some CVEs are attempted to be used and downloaded malware stagers. To view an example of the most common URL observed in September attempting to exploit CVE-2023-1389visit F5 Labs to read the full summary. September Vulnerabilities by the Numbers Figure 1 shows September attack traffic for the top ten CVEs, with CVE-2023-1389 dominating. Increased scanning for this vulnerability throws off the proportionality of this view. However, see the logarithmic scale (figure 3) for an easier view. Figure 2 shows a significant increase in scanning for CVE-2023-1389 over the past year, while a decline in scanning for CVE-2017-9841 persists. Long-Term Trends Figure 3 shows the traffic for the top 19 CVEs, with CVE-2017-8941 and CVE-2023-1389 showing significant increases. The average of the other 110 CVEs has fallen dramatically. CVE-2023-25157, a critical vulnerability in the GeoServer software project, has seen a dramatic increase in scanning. The log scale helps show changes in other top 10 scanned CVEs. To find out more about September’s CVEs and for recommendations on how to stay ahead of the curve in cybersecurity, check out the full article here. We’ll see you next month!74Views1like0Comments