
Time and again, new vulnerabilities are discovered and published, as we saw when VMware announced new vulnerabilities in vCenter Server and Cloud Foundation in September. You are probably running these servers right now, in your network or cloud environments. These critical vulnerability disclosures do not come with a quick and easy patch, so if you are using either vCenter Server or Cloud Foundation, you must declare an emergency and treat it as if you have already been compromised.

According to Bob Plankers, Technical Marketing Architect at VMware, "This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server." Plankers went on to add: "In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible."

An attacker can compromise VMware vCenter Server using CVE-2021-22005 (a critical vulnerability with a CVSSv3 score of 9.8), which is “a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance.” Regardless of the configuration settings, anyone who can access vCenter Server over the network can get access. This allows attackers to perform other malicious actions in your environments.

The same VMware security advisory also covered 18 other vulnerabilities in vCenter Server 7.0, many of them rated important. These vulnerabilities also apply to Cloud Foundation 4.x (vCenter Server). Fixed versions are available for all of them, and workarounds are available for some.

Patches aren't enough

Working exploits became publicly available within days, letting attackers target unpatched environments quickly, which is why patching is a critical step. Fortunately, detection methods and indicators of exploitation are also available to help defenders determine whether their organization has already been attacked. However, patching alone is not sufficient, as VMware made quite clear in this case.

When you are dealing with a known vulnerability, particularly a severe one announced with no patch available, or one whose patch requires considerable resources (and therefore time) to put in place, there is another aspect to consider: has an attacker already used the vulnerability against you? Asking that question leads to compromise assessments and threat hunts in your environment. If you assume that the vulnerability has already been used against you, indicators of compromise and forensic artifacts let you either confirm that assumption or establish that it has not been used, eliminating it as a potential problem in your environment.

Hunting for evidence of attacks

When you are focusing on a specific vulnerability, you should be looking for evidence that it was used, or for evidence of the next steps of the attack. For example, the VMware security advisory warned about vulnerabilities in vCenter Server and Cloud Foundation that could lead to a wide variety of attacks. But how far back should organizations look for evidence of exploitation?

Should you look for evidence in just the last 10 days? Do you need to look a bit further, perhaps in the last 30 days? Or do you need to do a more in-depth investigation, analyzing your data for the last three years? It may not be possible to conduct as thorough an investigation as you might like, because there is often a limit on forensic data retention, and an in-depth investigation is challenging if not impossible without forensic data.

That lack of forensic data is a problem because we know that attackers sometimes get access to an environment or network and stay for extended periods of time. In that period, how can you tell what they might have done without forensics to follow the trail? Even if they did not stay in the system, it may be that an attacker had access in the past and left, leaving behind more potential weaknesses. To take control when a critical vulnerability is disclosed, such as the vCenter Server and Cloud Foundation disclosures, patching quickly is step one. Analyzing your forensic data will give you a much better picture of what has happened and how to fix it, which means that you need to store forensic data for longer periods of time than is common, especially in cloud environments.  
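As an added illustration (not part of the original post), the following Python sketch turns the "how far back" question into a retention check: for several constructed log sources it computes how many days of a chosen hunt window have already aged out of retention by the time the compromise assessment starts. The advisory date, the assessment date and the retention figures are assumed values, not data from the advisory.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LogSource:
    name: str
    retention_days: int  # oldest queryable record lies this many days before the query date


def hunt_start(disclosure: date, lookback_days: int) -> date:
    """Earliest date the compromise assessment must cover, counted back from the advisory date."""
    return disclosure - timedelta(days=lookback_days)


def coverage_gaps(sources, disclosure: date, lookback_days: int, as_of: date) -> dict:
    """Per source: days of the hunt window already lost to retention expiry (0 means fully covered)."""
    start = hunt_start(disclosure, lookback_days)
    gaps = {}
    for src in sources:
        oldest_available = as_of - timedelta(days=src.retention_days)
        gaps[src.name] = max(0, (oldest_available - start).days)
    return gaps


def retention_needed(lookback_days: int, response_lag_days: int) -> int:
    """Minimum retention a source needs to answer a lookback_days hunt begun response_lag_days after disclosure."""
    return lookback_days + response_lag_days


# Constructed sample data: assumed advisory date, assumed start of the assessment two weeks later,
# and three hypothetical telemetry sources with typical retention periods.
DISCLOSURE = date(2021, 9, 21)
AS_OF = date(2021, 10, 5)
SOURCES = [
    LogSource("vcenter_appliance_logs", 30),
    LogSource("cloud_flow_logs", 90),
    LogSource("cloud_audit_trail", 400),
]

if __name__ == "__main__":
    for lookback in (10, 30, 3 * 365):  # the 10-day, 30-day and three-year windows from the text
        gaps = coverage_gaps(SOURCES, DISCLOSURE, lookback, AS_OF)
        print(f"lookback {lookback:>4} days:", gaps)
    print("retention needed for a 30-day hunt started 14 days late:", retention_needed(30, 14))
```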

Ongoing data collection improves IR

Collecting data on an ongoing basis for effective incident response is a step you need to take before the four-step incident response life cycle that NIST lays out. It is part of an overall readiness approach that improves an organization's resilience, whether it is facing a data breach, a ransomware attack, a distributed denial of service attack, or something else. Proactively storing forensic data helps investigators examine a situation so your organization can make informed decisions quickly and recover faster after an attack. Attackers are always looking for easy entry points, and rapid exploitation of zero- and one-day vulnerabilities is expected behavior from cybercriminals. Shifting your organization to a readiness mindset will help reduce the impact of these vulnerabilities and build resilience against future attacks.


LAST UPDATED: May 28, 2024
