WafdogBlog (http://192.168.11.11)

What is a Web Application Firewall (WAF) and Why Do You Need One?
http://192.168.11.11/what-is-a-webapplication-firewallwhat-is-a-web-application-firewall-waf-and-why-do-you-need-onewhat-is-a-webapplication-firewall/
Tue, 14 May 2024 13:19:36 +0000

Web applications are among the most exposed parts of an organization's infrastructure, and the attacks aimed at them keep getting more sophisticated. One widely deployed countermeasure is a Web Application Firewall (WAF). This article covers what a WAF is, how it works, why it matters, and what it can and cannot do for a web application.

What is a WAF?

A Web Application Firewall (WAF) is a security control that sits in front of a web application and inspects the HTTP/HTTPS traffic flowing between the application and its clients. A traditional network firewall makes its decisions at the network and transport layers, on IP addresses, ports and protocols; it cannot tell a legitimate search query from an SQL injection attempt, because both are valid HTTP requests on port 443. A WAF works at the application layer: it parses requests (and often responses), applies rules to the URL, headers, parameters and body, and blocks, logs or modifies requests that match known attack patterns or violate a policy written for the application.

How Does a WAF Work?

A WAF operates by placing itself between the web application and the end user. It acts as a shield, analyzing each request and response to detect and block malicious activity. The core functionality of a WAF includes:

  1. Traffic Monitoring and Filtering: A WAF inspects every request for suspicious patterns and drops or logs those that match before they reach the application. This reduces, but does not eliminate, the malicious traffic the application has to handle: a request that matches no rule is passed through whether or not it is malicious.
  2. Rule-Based Protection: The core of most WAFs is a rule set that encodes known attack signatures and patterns, such as SQL injection, cross-site scripting (XSS), path traversal and command injection. Rules of this kind are negative security ("block what looks bad") and must see the request in the same form the application will, so a WAF normalizes the input first (URL decoding, HTML entity decoding, case folding) before matching; otherwise trivially encoded variants slip past. Cross-site request forgery (CSRF) is different: it is a legitimate-looking request sent from the wrong origin, so a WAF can at most enforce Origin/Referer checks, and real protection still has to come from anti-CSRF tokens in the application itself.
  3. Customizable Security Policies: Administrators tune the rule set to the application, typically by disabling rules that misfire on legitimate input, adjusting thresholds for specific parameters, and adding positive-security rules (allowed methods, content types, parameter formats) for known endpoints. Without this tuning a WAF either blocks real users or ends up in log-only mode, which protects nothing.
  4. Real-Time Threat Intelligence: Many WAFs consume regularly updated rule and reputation feeds (new attack signatures, known-bad IP ranges, bot fingerprints) so that coverage keeps pace with newly published exploits rather than relying on a rule set frozen at install time.
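The following added example (written for this page; it is not the code of any WAF product) is a minimal request inspector that does what steps 1 and 2 describe: it collects the inspectable parts of an HTTP request (path, query and form parameters, a few headers), normalizes each value by repeatedly URL- and HTML-decoding it, and runs a small illustrative signature set for SQL injection, XSS and path traversal over the result. The rules, the request dictionaries and the sample payloads are all constructed here and are assumptions for the example. The last sample shows why tuning matters: a harmless sentence containing the words "union select" trips the SQL injection rule, which is exactly the kind of false positive a real deployment has to tune away.

```python
import html
import re
from urllib.parse import parse_qsl, unquote

# Illustrative signature rules (rule id, attack class, pattern). These are assumptions for
# the example, not a real WAF rule set; production rule sets are far larger and more carefully tuned.
RULES = [
    ("r100", "sqli", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("r101", "sqli", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+|\bor\s+1\s*=\s*1\b", re.I)),
    ("r102", "sqli", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("r200", "xss", re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)),
    ("r300", "traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
]


def normalize(value, rounds=3):
    """Undo URL- and HTML-encoding until the value stops changing, so that a double-encoded
    %253Cscript%253E is matched the same way as <script>. The round cap keeps a pathological
    input from tying up the decoder."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def fields(req):
    """Yield (location, value) pairs worth inspecting in a request dictionary: the path, every
    query parameter, form-body parameters, and a few headers attackers like to abuse."""
    headers = req.get("headers", {})
    yield "path", req["path"]
    for name, value in parse_qsl(req.get("query", ""), keep_blank_values=True):
        yield f"query:{name}", value
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(req.get("body", ""), keep_blank_values=True):
            yield f"body:{name}", value
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in headers:
            yield f"header:{name}", headers[name]


def inspect(req):
    """Return every (rule id, attack class, location) that matched; an empty list means no rule fired."""
    hits = []
    for location, raw in fields(req):
        value = normalize(raw)
        for rule_id, attack_class, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_id, attack_class, location))
    return hits


def decide(req):
    """Negative-security decision: block if any rule matched, otherwise let the request through."""
    return "block" if inspect(req) else "allow"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": {"method": "GET", "path": "/search", "query": "q=blue+suede+shoes",
               "headers": {"User-Agent": "Mozilla/5.0"}},
    "sqli": {"method": "GET", "path": "/item", "query": "id=1%27+OR+%271%27%3D%271",
             "headers": {"User-Agent": "Mozilla/5.0"}},
    "xss_double_encoded": {"method": "GET", "path": "/search",
                           "query": "q=%253Cscript%253Ealert(1)%253C%2Fscript%253E",
                           "headers": {"User-Agent": "Mozilla/5.0"}},
    "traversal": {"method": "GET", "path": "/static/../../etc/passwd", "query": "", "headers": {}},
    "xss_in_form": {"method": "POST", "path": "/comment", "query": "",
                    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                    "body": "comment=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"},
    # Legitimate text that happens to contain an SQL keyword pair: a false positive to tune away.
    "false_positive": {"method": "POST", "path": "/comment", "query": "",
                       "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                       "body": "comment=The+union+select+committee+meets+on+Monday"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:20} {decide(req):5} {inspect(req)}")
```

Note that `parse_qsl` already performs one round of URL decoding, so the double-encoded XSS sample needs the extra pass in `normalize` to be recognised; a WAF that only decodes once misses it.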

The Importance of WAF in Cybersecurity

The importance of a Web Application Firewall in cybersecurity cannot be overstated. Here’s why WAFs are essential:

  1. Protection Against Common Attacks: Web applications are prime targets for injection-style attacks such as SQL injection and XSS. A WAF blocks the well-known forms of these attacks, which covers much of the opportunistic scanning an internet-facing application receives. It is a compensating control, not a fix: a determined attacker can often find an encoding or payload variant the rules do not match, so the vulnerability itself still has to be removed from the code.
  2. Compliance Requirements: Some regulatory frameworks and industry standards call for protecting public-facing web applications. PCI DSS is the clearest case: its requirement for public-facing web applications can be met either by regular application vulnerability assessment or by an automated technical solution that detects and prevents web-based attacks, and a WAF is the usual way of satisfying the second option. GDPR requires "appropriate technical and organisational measures" without naming specific controls, so a WAF can be part of the evidence but does not satisfy it on its own.
  3. Enhanced Visibility and Monitoring: A WAF provides detailed insights into web traffic, allowing administrators to identify potential threats and vulnerabilities. This enhanced visibility is crucial for proactive threat management and incident response.
  4. Cost-Effective Security Solution: Compared to dealing with the aftermath of a cyberattack, implementing a WAF is a cost-effective way to secure web applications. It helps prevent data breaches, which can result in significant financial losses and damage to an organization’s reputation.

How WAF Protects Web Applications

A WAF protects a web application through several distinct mechanisms:

  1. Blocking Malicious Traffic: By dropping requests that match attack signatures, a WAF stops the well-known exploitation patterns before they reach vulnerable code, which cuts the risk of data breaches and unauthorized access from opportunistic and automated attacks.
  2. Rate Limiting and DDoS Protection: A WAF can count requests per client (IP address, session or API key) and throttle or block clients that exceed a threshold, which blunts application-layer floods, credential stuffing and scraping. Volumetric DDoS attacks that saturate the network link are outside a WAF's reach and need upstream scrubbing or CDN capacity. If the WAF sits behind a reverse proxy it must also be configured to trust that proxy's X-Forwarded-For header, or it will rate-limit the proxy instead of the clients.
  3. Preventing Data Leakage: WAFs can inspect responses for sensitive patterns such as credit card numbers, stack traces or database error messages and block or mask them. This is pattern matching, so it catches accidental disclosure (a verbose error page) far more reliably than deliberate exfiltration by an attacker who already has code execution.
  4. Virtual Patching: When a vulnerability is found in a web application, shipping a code fix can take days or weeks. A WAF rule that blocks the specific request shape used to exploit it (for example, a particular parameter on a particular path) can be deployed in minutes, buying time for developers to implement the permanent fix. Virtual patches should be written as narrowly as possible, tracked like any other change, and removed once the real fix is deployed.
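To show what the rate limiting in point 2 looks like in practice, here is an added example (not from the original page or any product) of a per-client sliding-window limiter together with the client-key derivation that makes or breaks it. The limiter keeps the timestamps of each client's recent requests and rejects a request once `limit` of them fall inside the last `window` seconds. `client_key` honours X-Forwarded-For only when the direct peer is one of the assumed trusted proxies, and then takes the right-most address that is not itself a trusted proxy; believing the header from an arbitrary peer would let a client choose its own bucket. The addresses and the clock values are constructed for the demonstration, and the time source is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key in any `window`-second interval.
    A deque of timestamps per key is enough for one node; a shared store (e.g. Redis)
    is needed when several WAF instances must agree on the count."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so the behaviour can be tested with a fake clock
        self.hits = {}

    def allow(self, key, now=None):
        now = self.clock() if now is None else now
        stamps = self.hits.setdefault(key, deque())
        cutoff = now - self.window
        while stamps and stamps[0] <= cutoff:   # forget requests that have left the window
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def client_key(req, trusted_proxies=frozenset()):
    """Pick the address a request is counted against.
    req["peer"] is the TCP peer that talked to us. X-Forwarded-For is only believed when that
    peer is a trusted proxy, and then the right-most address not belonging to a trusted proxy
    is used, because anything further left was appended by hops we do not control."""
    peer = req["peer"]
    if peer not in trusted_proxies:
        return peer
    xff = req.get("headers", {}).get("X-Forwarded-For", "")
    hops = [addr.strip() for addr in xff.split(",") if addr.strip()]
    for addr in reversed(hops):
        if addr not in trusted_proxies:
            return addr
    return peer


def simulate(limit=5, window=10.0):
    """Drive the limiter with a simulated clock and return the allow/deny decisions in order."""
    limiter = SlidingWindowLimiter(limit, window)
    key = "198.51.100.7"   # assumed client address
    decisions = [limiter.allow(key, now=float(t)) for t in range(6)]   # six requests at t = 0..5
    decisions.append(limiter.allow(key, now=10.5))              # t = 10.5: the t = 0 request has aged out
    decisions.append(limiter.allow("203.0.113.9", now=10.5))    # a different client is unaffected
    return decisions


if __name__ == "__main__":
    print(simulate())
    behind_proxy = {"peer": "10.0.0.2", "headers": {"X-Forwarded-For": "198.51.100.7, 10.0.0.3"}}
    print(client_key(behind_proxy, trusted_proxies={"10.0.0.2", "10.0.0.3"}))
```

The sixth request in `simulate` is the one that gets denied; the same client is admitted again at t = 10.5 because its first request has slid out of the 10-second window, while the second client never competes for the first one's budget.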

Conclusion

A Web Application Firewall is a useful layer in a defence-in-depth strategy for web applications. By inspecting and filtering HTTP traffic it blocks the common, well-known attack patterns, gives operators visibility into what their applications are actually receiving, offers a fast way to virtually patch a newly discovered flaw, and supports compliance requirements such as PCI DSS.

It is a compensating control, not a replacement for secure development: a WAF sees only what its rules describe, can be bypassed by payload variants it does not recognise, and protects nothing while it runs in log-only mode. Deploy one in front of internet-facing applications, tune it to the application, and keep fixing the underlying vulnerabilities.

Vulnerability Exposed: Raspberry Pi Pico Used to Bypass BitLocker Encryption
http://192.168.11.11/vulnerability-exposed-raspberry-pi-pico-used-to-bypass-bitlocker-encryption/
Tue, 12 Mar 2024 16:04:15 +0000

A hobbyist has extracted the BitLocker key of a notebook with a Raspberry Pi Pico, a microcontroller board that sells for less than 10 euros, and used it to read the encrypted contents of the notebook's BitLocker-protected SSD. The trick was to sniff the communication between the discrete TPM chip soldered onto the notebook's motherboard and the CPU.

BitLocker is Microsoft's drive encryption feature and ships with current Windows releases such as Windows 10 and 11 as well as Windows Server 2016, 2019 and 2022. Microsoft's BitLocker documentation states that the feature provides "maximum protection" when used together with a Trusted Platform Module (TPM).

The validity of this statement was tested in a video released on Saturday on the YouTube channel Stacksmashing. At least on systems with external TPM chips, the protection seems to be bypassed within a very short time using an inexpensive single-board computer.

Among other things, a TPM stores cryptographic keys such as BitLocker's and releases them to the CPU when needed. In BitLocker's default TPM-only configuration this happens automatically at boot, as soon as the TPM has checked that the firmware and boot loader measurements match the values the key was sealed against. On this notebook the TPM is attached over the LPC (Low Pin Count) bus, and the key crosses that bus in clear text.

The YouTuber identified the contacts of the TPM chip on the motherboard of his notebook, through which he could intercept the data transfer with a Raspberry Pi Pico. It took only 43 seconds to read the Bitlocker key, including the time to open the notebook case.

Subsequently, he was able to access the data on the Bitlocker-protected SSD using a Linux system – both reading and writing – using the key.

This attack only works against discrete TPM chips. Recent Intel and AMD CPUs usually provide a firmware TPM that runs inside the CPU package (Intel PTT, AMD fTPM), so the key never crosses an exposed bus and cannot be picked off motherboard contacts this way. On machines that do have a discrete TPM, the practical countermeasure is pre-boot authentication: with TPM + PIN (or TPM + startup key) the TPM does not release the key until the user has supplied the PIN, so a stolen, powered-off notebook gives a bus sniffer nothing to capture. Microsoft's BitLocker countermeasures guidance recommends pre-boot authentication for devices exposed to physical attack for exactly this reason.

The attack class is not new: security researchers had already demonstrated bus sniffing against systems with discrete TPM chips in the summer of 2021. The root cause is the same in both cases, the TPM hands the key to the CPU unencrypted, so anyone with probes on the TPM's pins can read it.
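To make the wire-level point concrete, the following added example (written for this page, not the YouTuber's tooling or any vendor's code) parses a TPM 2.0 response the way a bus sniffer would see it. The layout is the standard TPM 2.0 response format: a 2-byte tag, a 4-byte total size and a 4-byte response code, then, for a session-authorized command such as TPM2_Unseal, a 4-byte parameter size, the TPM2B_SENSITIVE_DATA `outData` carrying the unsealed secret, and finally the authorization area with each session's nonce, attributes and HMAC. The sample response is constructed in the script around an assumed 32-byte secret; a real capture would be fed in instead. The check of the `encrypt` session attribute is the caveat: TPM 2.0 can encrypt response parameters if the caller sets up an encrypted session, and only when that flag is clear is the secret literally on the bus.

```python
import struct

# TPM 2.0 wire constants (TPM Library Part 2: Structures)
TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_RC_SUCCESS = 0x00000000
TPMA_SESSION_ENCRYPT = 0x40   # TPMA_SESSION bit 6: response parameters are encrypted


def _read_tpm2b(buf, off):
    """Read a TPM2B_* sized buffer: big-endian UINT16 length followed by that many bytes."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("TPM2B runs past end of buffer")
    return bytes(buf[off:off + size]), off + size


def parse_unseal_response(resp):
    """Decode a TPM2_Unseal response exactly as it travels over the TPM bus.

    Returns (out_data, encrypted). out_data is the TPM2B_SENSITIVE_DATA payload, i.e. the
    unsealed secret; encrypted is True if any session in the authorization area has the
    encrypt attribute set, in which case out_data is ciphertext and a sniffer learns nothing."""
    tag, size, rc = struct.unpack_from(">HII", resp, 0)
    if size != len(resp):
        raise ValueError(f"responseSize {size} != captured length {len(resp)}")
    if rc != TPM_RC_SUCCESS:
        raise ValueError(f"TPM returned response code 0x{rc:08x}")
    off = 10
    if tag == TPM_ST_SESSIONS:
        (param_size,) = struct.unpack_from(">I", resp, off)
        off += 4
    elif tag == TPM_ST_NO_SESSIONS:
        param_size = None
    else:
        raise ValueError(f"unexpected tag 0x{tag:04x}")
    out_data, off = _read_tpm2b(resp, off)   # the only output parameter of TPM2_Unseal
    if param_size is not None and param_size != 2 + len(out_data):
        raise ValueError("parameterSize does not match outData")
    encrypted = False
    if tag == TPM_ST_SESSIONS:
        while off < len(resp):                 # one TPMS_AUTH_RESPONSE per session
            _nonce_tpm, off = _read_tpm2b(resp, off)
            session_attrs = resp[off]
            off += 1
            _hmac, off = _read_tpm2b(resp, off)
            if session_attrs & TPMA_SESSION_ENCRYPT:
                encrypted = True
    return out_data, encrypted


def build_unseal_response(secret, session_attrs=0x01):
    """Construct a well-formed TPM2_Unseal response for the example (a fixture, not a real capture).
    session_attrs=0x01 is a plain continueSession; 0x41 additionally claims the encrypt attribute."""
    out_data = struct.pack(">H", len(secret)) + secret
    nonce_tpm = b"\x11" * 16
    hmac = b"\x22" * 32
    auth_area = (struct.pack(">H", len(nonce_tpm)) + nonce_tpm
                 + bytes([session_attrs])
                 + struct.pack(">H", len(hmac)) + hmac)
    body = struct.pack(">I", len(out_data)) + out_data + auth_area
    return struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), TPM_RC_SUCCESS) + body


if __name__ == "__main__":
    secret = bytes(range(32))   # assumed 32-byte sealed secret standing in for the real key
    captured = build_unseal_response(secret)
    data, enc = parse_unseal_response(captured)
    print("plaintext on the bus:", not enc, data.hex())
```

With the default session attributes the parser returns the secret byte for byte; with the encrypt attribute set it still returns the field, but flags that what crossed the bus was ciphertext. The physical sniffing itself (probing the LPC lines with the Pico) is outside what this script can show.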

Critical Security Alert: JetBrains TeamCity On-Premises Vulnerability (CVE-2024-23917)
http://192.168.11.11/critical-security-alert-jetbrains-teamcity-on-premises-vulnerability-cve-2024-23917/
Tue, 12 Mar 2024 16:02:47 +0000

JetBrains has issued a warning to its customers regarding a critical security vulnerability found in its TeamCity On-Premises software, used for continuous integration and continuous deployment (CI/CD). This flaw, identified as CVE-2024-23917 and rated 9.8 out of 10 in severity according to the Common Vulnerability Scoring System (CVSS), poses a significant risk.

According to JetBrains, an unauthenticated attacker with HTTP(S) access to a vulnerable TeamCity On-Premises server can bypass its authentication checks and gain administrative control of the instance. All versions from 2017.1 through 2023.11.2 are affected; version 2023.11.3 fixes the issue.

The discovery of the flaw is credited to an external security researcher on January 19, 2024. JetBrains advises users to update their servers to version 2023.11.3 or apply a security patch plugin if immediate updating is not feasible. For servers accessible over the internet, JetBrains recommends making them temporarily inaccessible until mitigation measures are in place.

While there’s no evidence of exploitation yet, it’s worth noting that a similar vulnerability (CVE-2023-42793, with a CVSS score of 9.8) in the same product was actively exploited by threat actors shortly after its public disclosure last year, including ransomware groups and state-sponsored entities associated with North Korea and Russia.

Alert: Ivanti Discovers Critical Security Flaw in Connect Secure, Policy Secure, and ZTA Gateways
http://192.168.11.11/alert-ivanti-discovers-critical-security-flaw-in-connect-secure-policy-secure-and-zta-gateways/
Tue, 12 Mar 2024 16:01:42 +0000

Ivanti has warned its customers of a significant security vulnerability in its Connect Secure, Policy Secure and ZTA gateway products. The flaw, tracked as CVE-2024-22024 with a CVSS score of 8.3, lets an attacker bypass authentication.

According to Ivanti, the vulnerability is an XML external entity (XXE) flaw in the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x) and the ZTA gateways. Successful exploitation grants access to certain restricted resources without authentication.

The company uncovered this issue during an internal review as part of its continuous investigation into various security weaknesses discovered since the beginning of the year. Notable vulnerabilities include CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

Affected versions of the products are as follows:

  • Ivanti Connect Secure: 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1
  • Ivanti Policy Secure: 22.5R1.1
  • ZTA: 22.6R1.3

To address CVE-2024-22024, patches have been released for:

  • Connect Secure versions: 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2
  • Policy Secure versions: 9.1R17.3, 9.1R18.4, and 22.5R1.2
  • ZTA versions: 22.5R1.6, 22.6R1.5, and 22.6R1.7

While Ivanti has not observed any active exploitation of the vulnerability, given the widespread abuse of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, prompt application of the latest fixes is strongly recommended.

Fortinet Discloses Critical Security Flaw in FortiOS SSL VPN: Exploitation in the Wild Confirmed
http://192.168.11.11/fortinet-discloses-critical-security-flaw-in-fortios-ssl-vpn-exploitation-in-the-wild-confirmed/
Tue, 12 Mar 2024 16:00:31 +0000

Fortinet has revealed a critical security vulnerability in FortiOS SSL VPN, indicating it’s likely being actively exploited. Identified as CVE-2024-21762 with a severity score of 9.6, this flaw permits the execution of arbitrary code and commands.

According to Fortinet’s bulletin released on Thursday, the vulnerability, categorized under CWE-787, involves an out-of-bounds write vulnerability in FortiOS, enabling remote unauthenticated attackers to execute arbitrary code or commands through specifically crafted HTTP requests. The company acknowledges the potential exploitation of this issue in the wild, although specific details regarding the exploitation methods or perpetrators remain undisclosed.

The affected versions are FortiOS 7.4 (7.4.0 through 7.4.2), FortiOS 7.2 (7.2.0 through 7.2.6), FortiOS 7.0 (7.0.0 through 7.0.13), FortiOS 6.4 (6.4.0 through 6.4.14), FortiOS 6.2 (6.2.0 through 6.2.15) and all versions of FortiOS 6.0. FortiOS 7.6 is not affected.

This disclosure aligns with Fortinet’s recent issuance of patches for CVE-2024-23108 and CVE-2024-23109, affecting FortiSIEM supervisor, where remote unauthenticated attackers could execute unauthorized commands via manipulated API requests.

Moreover, the Dutch government disclosed earlier this week that Chinese state-sponsored actors had breached a computer network of its armed forces by exploiting known vulnerabilities in Fortinet FortiGate devices and implanting a backdoor named COATHANGER.

Fortinet’s report this week also highlights the exploitation of N-day vulnerabilities, such as CVE-2022-42475 and CVE-2023-27997, by various threat actors targeting governments, service providers, consultancies, manufacturing, and critical infrastructure entities.

Previous instances have linked Chinese threat actors to zero-day exploitation in Fortinet appliances, deploying various implants like BOLDMOVE, THINCRUST, and CASTLETAP. The advisory from the U.S. government concerning a Chinese nation-state group named Volt Typhoon emphasizes the exploitation of known and zero-day vulnerabilities in networking appliances, including those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.

China has denied the allegations and in turn accuses the U.S. of conducting cyber attacks. Whoever is behind them, these incidents underscore the risk posed by internet-facing edge devices: they typically cannot run endpoint detection and response (EDR) agents, so a compromise is hard to detect and the devices make attractive, long-lived footholds.

Fortinet states that these attacks typify the use of previously patched N-day vulnerabilities and subsequent living-off-the-land techniques, reminiscent of the tactics employed by the cyber actor or group known as Volt Typhoon, targeting critical infrastructure and potentially other associated entities.

Confirming the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog on February 9, 2024. Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the necessary fixes by February 16, 2024, to safeguard their networks against potential threats.

Critical Vulnerability in Linux EFI Application Shim Allows Remote Code Execution
http://192.168.11.11/critical-vulnerability-in-linux-efi-application-shim-allows-remote-code-execution/
Tue, 12 Mar 2024 15:59:11 +0000

A critical vulnerability has been discovered in Shim, the EFI application that most common Linux distributions use as the first stage of Secure Boot. The flaw, tracked as CVE-2023-40547, allows an attacker to inject and execute code during boot and thereby take full control of the system. It is triggered by a specially crafted HTTP response during HTTP boot, which leads to a controlled out-of-bounds write in Shim's HTTP handling.

Security researchers from Eclypsium emphasize that Shim is critical software in the boot process, utilized by most Linux distributions to support Secure Boot. While Red Hat maintains this application, it is deployed in all distributions supporting Secure Boot, including Debian, Ubuntu, Suse, and others.

Red Hat rates the severity of CVE-2023-40547 as high and NIST rates it as critical. According to the Eclypsium researchers, the vulnerability can be exploited both locally and remotely. A remote attack could, for example, be a man-in-the-middle attack on the traffic that serves boot files to a system using HTTP boot. Local exploitation is also possible: an attacker with physical access can boot a Linux live system from a USB stick, alter the boot order so that the attacker's own Shim is loaded, and thereby obtain privileged code execution without disabling Secure Boot.

The researchers caution that an attacker exploiting this vulnerability gains control over the system even before the kernel is loaded. This means the attacker has privileged access and can bypass all security checks implemented by the kernel and operating system. This facilitates the installation of bootkits, a type of malware executed before the operating system starts, typically granting extensive access rights.

A patch for CVE-2023-40547 is available and the issue is fixed in Shim version 15.8, but the researchers stress that updating Shim alone is not enough. The vulnerable Shim binaries remain validly signed, so Secure Boot will still load one of them if an attacker supplies it. The chain of trust therefore has to be updated as well: the UEFI Secure Boot DBX (the forbidden-signature database) needs entries revoking the hashes of the vulnerable Shim builds, as the Eclypsium report explains.

The order of operations matters. The new Shim must be installed first and the DBX update applied afterwards: if the DBX revokes the hash of the Shim still installed in the EFI system partition, the firmware refuses to load it and the system no longer boots. The DBX update can be applied, for instance, with the fwupd tool via the "fwupdmgr update" command.

Snyk Security Labs Discovers Critical Container Vulnerabilities: Urgent Patching Recommended
http://192.168.11.11/snyk-security-labs-discovers-critical-container-vulnerabilities-urgent-patching-recommended/
Tue, 12 Mar 2024 15:57:37 +0000

A security researcher at Snyk Security Labs has identified a series of vulnerabilities that allow an attacker to break out of a container and reach the underlying host system. According to a Snyk blog post, this can expose sensitive data on the host such as credentials or customer information and serve as a springboard for further attacks.

The vulnerabilities, grouped under the name Leaky Vessels, were apparently discovered as early as November 2023. One of the vulnerabilities (CVE-2024-21626) relates to the CLI tool runc (up to version 1.1.11), which is used to create and execute containers in Linux. The severity is rated as high with a CVSS score of 8.6.

The other three vulnerabilities (CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653) are in BuildKit (up to version 0.12.4), the image build toolkit used by Docker among others. Their CVSS scores range from 8.7 to the maximum of 10, i.e. from high to critical severity.

Patches have since been made available, with the vulnerabilities being addressed on January 31, 2024, with runc version 1.1.12 and Buildkit version 0.12.5. Relevant information regarding these patches can also be found with Docker, AWS, Ubuntu, and Google Cloud. Snyk strongly recommends users to diligently seek out updates for their container solutions and apply them as soon as possible.

“It is likely that you will need to update your Docker daemons and Kubernetes deployments, as well as any container build tools you use in CI/CD pipelines, on build servers, and on your developers’ workstations,” the company stated. Additionally, it’s crucial to inspect existing containers for potential compromise.

Tools for detecting misuse

Snyk has provided two tools via GitHub intended to help administrators with detection, while stressing that the tools neither fix the vulnerabilities nor prevent their exploitation. The first, the Leaky Vessels Dynamic Detector, aims to spot exploitation attempts at runtime by looking for patterns characteristic of the vulnerabilities.

The second tool is named the Leaky Vessels Static Detector. “It scans Docker files and image layers to identify commands that appear to be attempting to exploit the vulnerabilities,” Snyk stated. However, it’s important to manually verify the findings afterward. Both tools are likely to produce some false negatives and false positives.

Vulnerability in Airbus Navblue’s Flysmart+ App Suite Exposes Aircraft Performance Risks
http://192.168.11.11/vulnerability-in-airbus-navblues-flysmart-app-suite-exposes-aircraft-performance-risks/
Tue, 12 Mar 2024 15:56:13 +0000

Security researchers have found a weakness in Flysmart+, a suite of apps developed by the Airbus subsidiary Navblue. The suite is Electronic Flight Bag (EFB) software and is used, among other things, for aircraft takeoff performance calculations. In one of the iOS apps the researchers found that both App Transport Security (ATS) and every form of certificate validation had been turned off.

This could enable an attacker to tamper with calculations for engine performance, potentially leading to issues like tail strikes and unintended runway departures during aircraft takeoff, as explained by Antonio Cassidy from Pen Test Partners in a blog post.

Manipulating performance data via a MitM attack

ATS is an iOS platform policy that forces apps to use HTTPS and so prevents unencrypted communication. In the examined Flysmart+ app this safeguard was switched off, and certificate validation was disabled as well, so an attacker on the same network could intercept the app's traffic, modify it and forward it to the legitimate server without the app noticing: a classic man-in-the-middle (MitM) attack.

The researchers managed to access data downloaded from Navblue servers, including SQLite databases containing sensitive information about specific aircraft. Cassidy explained, “Many of these database tables are crucial for aircraft performance, weight, and balance.”

Attack via hotel Wi-Fi

That said, the window for exploiting the vulnerability is limited. The attacker would have to intercept the synchronization with the Aeronautical Information Regulation and Control (AIRAC) database, and that synchronization only happens about once a month (the AIRAC cycle is 28 days).

However, Cassidy cautioned that it is relatively simple to identify pilots in hotels and their corresponding airlines – “and consequently the EFB apps they are likely using.” Since pilots from the same airline are often lodged in the same hotels, an attack could be carried out via the Wi-Fi networks of these accommodations to deliberately manipulate aircraft performance data.

Nevertheless, the vulnerability has since been addressed, nineteen months after the researchers reported it to Airbus. While this timeframe is extensive, according to a report by The Register, such delays are not unusual in the aviation industry due to the certification procedures commonly practiced there.

Cybersecurity Alert: Anydesk Cyberattack Revealed and Analyzed
http://192.168.11.11/cybersecurity-alert-anydesk-cyberattack-revealed-and-analyzed/
Tue, 12 Mar 2024 15:54:27 +0000

On February 2, 2024, the provider of remote desktop software, Anydesk, confirmed that they had fallen victim to a cyberattack – as reported by Golem.de and my own research. Apart from confirming the incident and issuing a brief warning, Anydesk did not disclose any details regarding the actual attack.

Three days later, the Federal Office for Information Security (BSI) issued a public security warning about the incident, which was also reported by Golem.de. However, according to this warning, the BSI did not assess the incident as critical.

The communication from Anydesk only mentioned the precautionary reset of passwords for the customer portal and stated that there were no indications of user data compromise. The BSI provided a general warning about potential further attacks due to possible leakage of source code and certificates, including the risk of Man-in-the-Middle or Supply Chain attacks.

There was no mention of a warning issued by the BSI to a selective group of users in critical infrastructure on January 29, 2024, classified as confidential (TLP AMBER-STRICT).

Anydesk released another report on February 5, 2024, advising customers to upgrade to client versions 7.0.15 and 8.0.8 for secure usage of the remote desktop software. While version 8.0.8 is available for Windows end-users, the custom client version 7.0.15 reportedly cannot be generated yet. It is expected to be available in one to two weeks, signed with a new certificate.

The document also refers to Anydesk’s FAQ, which provides specific answers to questions about the cyber incident. Anydesk denies the possibility of sessions being hijacked or malware being distributed through Anydesk servers.

For the first time, Anydesk mentioned that they conducted a security audit in mid-January 2024 following indications of compromise and found evidence of a hack. They claim to have thwarted the attack by executing an emergency plan. Overall, the manufacturer assures that they have the situation under control and have mitigated the consequences of the incident, stating that the remote desktop software can be safely used as long as clients are downloaded from the provider’s servers.

More from the French ANSSI

Readers of my blog alerted me to a warning from the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), the French equivalent of the German BSI. In this ANSSI document dated February 5, 2024, the agency states that it was informed by the German BSI about a cyber incident at Anydesk on January 29, 2024.

The French agency not only notes that all Anydesk clients (Linux, Windows, macOS, Android, iOS, Apple TV, etc.) are affected but also, in its capacity as CERT-FR, recommends specific precautions.

These precautions include identifying all Anydesk installations in companies, documenting them, and classifying them based on their sensitivity regarding machines, workstations, and servers. It is recommended to uninstall Anydesk solutions based on a risk assessment and consider alternative remote access solutions. I discussed the ANSSI suggestions on my blog, noting their advice to analyze systems with Anydesk installations for “oddities” dating back to December 20, 2023. This can only be interpreted as indicating suspicions of a hack at that time.

Intrusion Alert: Suspected Kremlin-Linked Hackers Breach HPE’s Cloud Email Environment
http://192.168.11.11/intrusion-alert-suspected-kremlin-linked-hackers-breach-hpes-cloud-email-environment/
Tue, 12 Mar 2024 15:49:45 +0000

Suspected hackers linked to the Kremlin are believed to have breached the cloud email infrastructure of technology giant Hewlett Packard Enterprise (HPE) to extract mailbox data.

According to a regulatory filing with the U.S. Securities and Exchange Commission (SEC), HPE stated, “The threat actor accessed and extracted data starting from May 2023 from a small subset of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

The intrusion has been attributed to APT29, a Russian state-sponsored group also known by aliases such as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

This disclosure follows Microsoft’s recent revelation implicating the same threat actor in breaching its corporate systems in late November 2023, targeting senior executives and personnel in the cybersecurity and legal departments to pilfer emails and attachments.

HPE was made aware of the incident on December 12, 2023, indicating that the hackers operated within its network without detection for over six months.

The company also noted a likely connection to a prior security event, also attributed to APT29, involving unauthorized access and extraction of a limited number of SharePoint files as early as May 2023, with HPE being alerted to the malicious activity in June 2023.

While emphasizing that the incident has not materially impacted its operations to date, HPE did not disclose the full extent of the attack or the specific email data compromised.

APT29, believed to be affiliated with Russia’s Foreign Intelligence Service (SVR), has been responsible for several notable cyber intrusions in recent years, including the 2016 breach of the U.S. Democratic National Committee (DNC) and the 2020 SolarWinds supply chain compromise.
