The platform hums with the quiet energy of anticipation as you stand, ticket in hand, gazing down the track. You can feel it in the air — the Cybersecurity Express is approaching, ready to whisk you away on an electrifying journey through the world of cyber threats, vulnerabilities, and digital defenses. The low rumble of wheels on iron signals its arrival, and your pulse quickens. Today’s destination promises to unveil the latest revelations, the kind that make waves in the world of IT security and beyond. The station clock ticks slowly, heightening your excitement. Where will this ride take you? What secrets will be uncovered?
The sleek train glides into view, its doors sliding open with a hiss. You step inside, greeted by the hum of conversation and the soft glow of screens filled with news feeds and alerts. As you take your seat, you sense the imminent thrill of the unfolding journey — a deep dive into cybersecurity’s most pressing issues, from high-profile breaches to sophisticated phishing schemes. The conductor’s voice echoes softly overhead, “Next stop: Fortinet Data Breach.” You lean back, ready to immerse yourself in the insights and details of the day’s featured story. Buckle in — this is no ordinary ride.
A recent security investigation has revealed that over 1,000 misconfigured ServiceNow enterprise instances are exposing sensitive corporate Knowledge Base (KB) articles, potentially providing external users and malicious actors with access to critical internal data. The exposed information includes personally identifiable information (PII), internal system details, user credentials, access tokens for live production systems, and other vital data depending on the topic of the Knowledge Base article.
The exposure was discovered by Aaron Costello, Chief of SaaS Security Research at AppOmni, who identified that despite ServiceNow’s 2023 security updates, these KB leaks persist due to misconfigurations. The issue lies with ServiceNow’s User Criteria permission system, which many organizations rely on instead of Access Control Lists (ACLs) to manage access to Knowledge Base content. Unfortunately, these permission settings are often improperly configured, leading to unintended data exposure.
ServiceNow is a widely used cloud-based platform that helps organizations manage digital workflows, spanning IT service management, HR tasks, customer service, security operations, and more. One key feature is the Knowledge Base, a repository where organizations store and share internal resources such as how-to guides, FAQs, and procedural documents. However, many of these articles contain sensitive corporate information and are not intended for public access.
While ServiceNow’s 2023 update aimed to strengthen ACLs and prevent unauthorized access, it did not adequately address access to Knowledge Base articles, which often rely on User Criteria. This limitation leaves numerous instances vulnerable to exploitation by attackers, who can access these exposed articles without authentication by querying improperly secured public-facing widgets.
The vulnerability identified by Costello enables threat actors to retrieve sensitive data through brute-force attacks. Knowledge Base article IDs follow an incremental format (e.g., KB0000001), allowing attackers to use tools like Burp Suite to send HTTP requests and incrementally guess valid article IDs. Once a valid KB article number is found, attackers can access the contents, including any sensitive data the article may contain.
To demonstrate this risk, AppOmni developed a proof-of-concept (PoC) attack that showed how external actors could exploit public-facing widgets to retrieve exposed KB articles by capturing a session token and using it to issue HTTP requests.
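The enumeration pattern described above (a single client walking sequential KB IDs, many of which come back denied) is easy to spot in web-server or instance access logs. The script below is an added example written for this newsletter, not code from AppOmni or ServiceNow. The log format, the `kb_view.do?sysparm_article=` path and the sample lines are constructed for illustration; the only thing the detector relies on is the `KBnnnnnnn` token in the request and a timestamp, client IP and status code per line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2024-09-16T10:00:01 203.0.113.7 GET /kb_view.do?sysparm_article=KB0000001 200
2024-09-16T10:00:02 203.0.113.7 GET /kb_view.do?sysparm_article=KB0000002 403
2024-09-16T10:00:03 203.0.113.7 GET /kb_view.do?sysparm_article=KB0000003 403
2024-09-16T10:00:04 203.0.113.7 GET /kb_view.do?sysparm_article=KB0000004 200
2024-09-16T10:00:05 203.0.113.7 GET /kb_view.do?sysparm_article=KB0000005 403
2024-09-16T10:00:06 203.0.113.7 GET /kb_view.do?sysparm_article=KB0000006 200
2024-09-16T10:05:00 198.51.100.4 GET /kb_view.do?sysparm_article=KB0012345 200
2024-09-16T10:06:00 198.51.100.4 GET /kb_view.do?sysparm_article=KB0000987 200
"""

KB_RE = re.compile(r"\bKB(\d{7})\b")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, ip, kb_number, status) for a line that requests a KB article, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, _method, path, status = m.groups()
    kb = KB_RE.search(path)
    if not kb:
        return None
    return (datetime.fromisoformat(ts), ip, int(kb.group(1)), int(status))


def find_enumeration(log_text, window=timedelta(seconds=60), min_ids=5, min_sequential_ratio=0.8):
    """Flag clients that request many consecutive KB article IDs inside one time window.

    Sequential-ID guessing is the signature of the brute-force described in the article:
    a real reader opens a handful of unrelated articles, an enumerator walks KB0000001, 2, 3...
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, ip, kb_num, status = rec
            events[ip].append((ts, kb_num, status))

    alerts = []
    for ip, recs in events.items():
        recs.sort()
        for i in range(len(recs)):
            # Collect every request from this client inside the window that starts at recs[i].
            ids, denied, j = [], 0, i
            while j < len(recs) and recs[j][0] - recs[i][0] <= window:
                ids.append(recs[j][1])
                denied += recs[j][2] == 403
                j += 1
            distinct = sorted(set(ids))
            if len(distinct) < min_ids:
                continue
            # Fraction of neighbouring IDs that differ by exactly one.
            steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
            ratio = steps / (len(distinct) - 1)
            if ratio >= min_sequential_ratio:
                alerts.append({
                    "ip": ip,
                    "count": len(distinct),
                    "first": f"KB{distinct[0]:07d}",
                    "last": f"KB{distinct[-1]:07d}",
                    "denied": denied,
                    "sequential_ratio": ratio,
                })
                break  # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

The denied count matters for triage: a run of consecutive IDs where only some requests succeed shows the caller is guessing rather than following links, and the successful ones are the articles whose User Criteria let an unauthenticated caller through.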
To mitigate these risks, AppOmni recommends that ServiceNow administrators take immediate action to secure their Knowledge Base instances. Specifically, admins should ensure that proper “User Criteria” settings are applied to block unauthorized access. The criteria “Any User” or “Guest User” should be avoided unless explicitly necessary, as they can lead to unrestricted external access.
Admins are also advised to implement specific security properties to safeguard data:
· **glide.knowman.block_access_with_no_user_criteria (True):** Automatically denies access if no User Criteria are set.
· **glide.knowman.apply_article_read_criteria (True):** Requires explicit “Can Read” permissions for individual articles.
· **glide.knowman.show_unpublished (False):** Prevents access to draft or unpublished articles.
· **glide.knowman.section.view_roles.draft/review (Admin):** Limits access to draft and review states to specified admin roles.
Additionally, ServiceNow’s out-of-the-box (OOB) rules that restrict Guest Users from accessing Knowledge Bases by default should be activated to enhance security. This ensures that Guest Users are automatically added to the “Cannot Read” list, requiring administrators to explicitly grant access when necessary.
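The recommendations above amount to a checklist that can be audited rather than eyeballed. The script below is an added example for this newsletter, not AppOmni's or ServiceNow's own tooling. It reads the four properties through the ServiceNow Table API (`/api/now/table/sys_properties` with an encoded `nameIN` query, which is the real endpoint and query syntax; the instance name and credentials are assumed) and compares them with the baseline from the list above; it also checks each Knowledge Base's "Can Read" and "Cannot Read" lists for the "Any User" and "Guest User" criteria. The property values and KB records used for the offline run are constructed.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Hardening baseline from the recommendations above: property name -> expected value.
BASELINE = {
    "glide.knowman.block_access_with_no_user_criteria": "true",
    "glide.knowman.apply_article_read_criteria": "true",
    "glide.knowman.show_unpublished": "false",
    "glide.knowman.section.view_roles.draft": "admin",
    "glide.knowman.section.view_roles.review": "admin",
}

# User Criteria that grant broad, unauthenticated read access when placed on a "Can Read" list.
RISKY_CRITERIA = {"Any User", "Guest User"}


def fetch_properties(instance, user, password, names=tuple(BASELINE)):
    """Read the listed sys_properties from a live instance (assumed instance name and credentials)."""
    params = {"sysparm_query": "nameIN" + ",".join(names), "sysparm_fields": "name,value"}
    url = f"https://{instance}.service-now.com/api/now/table/sys_properties?" + urlencode(params)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        rows = json.load(resp)["result"]
    return {row["name"]: row["value"] for row in rows}


def audit_properties(props):
    """Return (property, actual, expected) for every property that is unset or off-baseline."""
    findings = []
    for name, expected in BASELINE.items():
        actual = props.get(name)
        if actual is None:
            findings.append((name, "missing", expected))
        elif actual.strip().lower() != expected:
            findings.append((name, actual, expected))
    return findings


def audit_kb_criteria(kbs):
    """kbs: list of {title, can_read: [criteria names], cannot_read: [criteria names]}."""
    findings = []
    for kb in kbs:
        can, cannot = set(kb["can_read"]), set(kb["cannot_read"])
        if not can:
            findings.append((kb["title"], "no Can Read criteria; relies on block_access_with_no_user_criteria"))
        for crit in sorted(can & RISKY_CRITERIA):
            findings.append((kb["title"], f"'{crit}' on Can Read list"))
        if "Guest User" not in cannot:
            findings.append((kb["title"], "'Guest User' not on Cannot Read list"))
    return findings


# Constructed sample data standing in for a live instance; the KB titles are placeholders.
SAMPLE_PROPS = {
    "glide.knowman.block_access_with_no_user_criteria": "false",
    "glide.knowman.apply_article_read_criteria": "true",
    "glide.knowman.show_unpublished": "true",
    "glide.knowman.section.view_roles.draft": "admin",
}
SAMPLE_KBS = [
    {"title": "IT Runbooks", "can_read": ["Any User"], "cannot_read": []},
    {"title": "HR Policies", "can_read": ["All Employees"], "cannot_read": ["Guest User"]},
]

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE_PROPS) + audit_kb_criteria(SAMPLE_KBS):
        print(finding)
```

Run against a live instance by replacing `SAMPLE_PROPS` with `fetch_properties("<instance>", "<user>", "<password>")`; the KB criteria lists would similarly come from the knowledge base records, which this example does not fetch.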
The exposure of sensitive Knowledge Base data in over 1,000 ServiceNow instances underscores the importance of proper configuration and security practices. Organizations using ServiceNow are encouraged to review their User Criteria settings and implement recommended security measures to protect sensitive data from unauthorized access. With the rise in data breaches and cyberattacks, ensuring the confidentiality of corporate information is more critical than ever.
Cybersecurity researchers have identified a new phishing campaign that leverages HTTP header manipulation to deliver spoofed login pages designed to steal users’ credentials. The campaign, which has been active since May 2024, uses a sophisticated method of delivering malicious links through the `Refresh` HTTP response header, allowing attackers to bypass typical detection mechanisms and deceive victims with pre-filled login pages.
Unlike traditional phishing tactics that rely on HTML content, these attacks use the HTTP response header, redirecting victims’ browsers to malicious sites before the web page is even fully loaded. According to researchers from Palo Alto Networks’ Unit 42 team, this method allows attackers to automatically refresh or reload web pages without requiring user interaction, thus streamlining the attack.
The campaign has affected large corporations, government agencies, and schools, with South Korea and the U.S. being key targets. Researchers have identified more than 2,000 malicious URLs associated with the campaign, with 36% of the attacks targeting the business and economy sectors, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and IT industries (5.4%).
The infection chain starts with phishing emails containing links to domains that appear legitimate or are compromised, luring recipients into clicking. Once clicked, the victim is redirected through a sequence of malicious URLs embedded in the `Refresh` response header. The final destination is a credential-harvesting page, where victims are tricked into entering their login details on a fake email login form that pre-populates their email addresses for added authenticity.
Attackers also take advantage of legitimate services like URL shortening and marketing tools to mask their malicious intent. These tactics, combined with the carefully crafted domains, increase the success rate of the phishing attempts while making it harder for automated defenses to detect them.
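A `Refresh` response header carries a delay and a target (`Refresh: 0; url=https://...`), and the browser navigates before any HTML is rendered, which is why content-based filters miss it. The code below is an added example for this newsletter, not Unit 42's tooling. It parses the header, walks a chain of redirects hop by hop with a loop guard, and reports the two traits the article describes: the chain crossing domains and the final URL carrying a pre-filled e-mail address. The `fetch` callback is where a real crawler or proxy would return live response headers; the hostnames and responses used here are constructed placeholders under the reserved `.example` TLD, not indicators from the campaign.

```python
from urllib.parse import parse_qs, urljoin, urlsplit


def parse_refresh(value):
    """Parse a Refresh header value into (delay_seconds, target_url_or_None); None if malformed."""
    parts = [p.strip() for p in value.split(";", 1)]
    try:
        delay = int(parts[0])
    except ValueError:
        return None
    if len(parts) < 2:
        return (delay, None)
    target = parts[1]
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return (delay, target)


def follow_refresh_chain(start_url, fetch, max_hops=10):
    """Walk Refresh redirects using fetch(url) -> headers dict; returns the ordered list of hops."""
    hops = [start_url]
    url = start_url
    for _ in range(max_hops):
        headers = fetch(url)
        refresh = next((v for k, v in headers.items() if k.lower() == "refresh"), None)
        if refresh is None:
            break
        parsed = parse_refresh(refresh)
        if not parsed or not parsed[1]:
            break
        url = urljoin(url, parsed[1])  # relative targets resolve against the current page
        if url in hops:
            break  # redirect loop
        hops.append(url)
    return hops


def assess_chain(hops):
    """Return human-readable findings for the traits that mark a credential-harvesting chain."""
    findings = []
    hosts = [urlsplit(h).hostname for h in hops]
    if len(set(hosts)) > 1:
        findings.append("cross-domain Refresh chain: " + " -> ".join(hosts))
    final = urlsplit(hops[-1])
    prefilled = [v for vals in parse_qs(final.query).values() for v in vals if "@" in v]
    if prefilled:
        findings.append("final URL pre-fills an address: " + ", ".join(prefilled))
    if "@" in final.fragment:
        findings.append("final URL fragment pre-fills an address: " + final.fragment)
    return findings


# Constructed responses standing in for what a crawler would see (placeholder hosts, not IoCs).
SAMPLE_RESPONSES = {
    "https://lure.example/open": {"Content-Type": "text/html",
                                  "Refresh": "0; url=https://short.example/r/abc"},
    "https://short.example/r/abc": {"refresh": "0;URL='https://harvest.example/login?user=alice@corp.example'"},
    "https://harvest.example/login?user=alice@corp.example": {"Content-Type": "text/html"},
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, {})


if __name__ == "__main__":
    chain = follow_refresh_chain("https://lure.example/open", sample_fetch)
    print(" -> ".join(chain))
    for finding in assess_chain(chain):
        print(finding)
```

Matching the header name case-insensitively and accepting both `url=` and `URL='...'` spellings matters in practice: browsers are lenient about the header, so a detector that only matches the canonical form is trivially sidestepped.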
Phishing, along with business email compromise (BEC), remains a lucrative vector for threat actors. According to the FBI, BEC attacks alone have caused global organizations losses exceeding $55 billion between 2013 and 2023, underscoring the seriousness of these cyber threats.
In addition to the phishing attacks, researchers have observed an uptick in scams involving deepfake videos of public figures promoting fraudulent investment schemes. These scams, which have been circulating on social media platforms since mid-2023, lure victims into fake investment platforms that promise high returns but ultimately steal their funds. After signing up, victims are typically contacted by phone, encouraged to invest more money, and eventually find themselves unable to withdraw funds.
Another emerging cybercrime trend involves entities like Greasy Opal, a Czech Republic-based cybercriminal group offering automated CAPTCHA-solving services at scale. Greasy Opal, which has been operational since 2009, provides a range of services, including credential stuffing, fake account creation, and social media spam tools. These services, sold for as little as $190 with a $10 monthly subscription, are used by cybercriminals to infiltrate networks and execute large-scale attacks.
Greasy Opal has developed advanced machine-learning algorithms capable of bypassing CAPTCHA protections, further aiding cybercriminals in credential theft and other malicious activities. One of its clients, Storm-1152, a Vietnamese cybercrime group, has reportedly sold 750 million fraudulent Microsoft accounts.
The increasing sophistication of phishing attacks and services offered by groups like Greasy Opal highlights the need for organizations to enhance their cybersecurity measures. Businesses should prioritize employee training, implement robust email filtering systems, and continuously monitor for signs of phishing or BEC activities to mitigate the growing threat landscape.
On Thursday, Fortinet confirmed a data breach that exposed sensitive customer information after a hacker, known as ‘Fortibitch’, leaked files allegedly stolen from the company. The hacker claims to have accessed 440 GB of data from Fortinet’s Azure SharePoint instance and subsequently made the stolen data available on a popular hacking forum when the company refused to pay a ransom.
The stolen data, stored in an Amazon Web Services (AWS) S3 bucket, allegedly contains sensitive customer details. The hacker provided access information for the files, but several users on the forum reported difficulties in downloading the data. While the validity of the data leak is still being assessed, Fortinet has acknowledged the security incident in a public notice.
According to Fortinet’s statement, the breach affected less than 0.3% of its customer base. The company emphasized that only a limited number of files were compromised, all of which were stored on a third-party cloud-based shared file drive. Fortinet assured that the company’s core operations, products, and services were unaffected, and no evidence points to unauthorized access to other critical resources or systems.
Although the hacker attempted to extort Fortinet by demanding a ransom, the breach did not involve ransomware or encryption of the company’s data. Fortinet stated that it did not pay any ransom, and the attacker did not manage to penetrate its corporate network.
In its security notice, Fortinet confirmed that, to date, there has been no indication that the breach has resulted in any malicious activity affecting its customers. “Given the limited nature of the incident, we have not experienced, and do not currently believe that the incident is reasonably likely to have a material impact on our financial condition or operating results,” Fortinet added.
Fortinet has been proactive in responding to the breach, immediately launching an internal investigation, which was further validated by external forensic experts. The company has also notified law enforcement and cybersecurity agencies as part of its response to the incident.
Fortinet’s prompt confirmation and response to the breach underscore its commitment to transparency and maintaining the trust of its global client base. However, the incident serves as a stark reminder of the importance of robust cloud security practices, even for industry-leading cybersecurity companies.
While Fortinet’s products and services remain unaffected, the breach highlights the risks posed by third-party cloud environments and the necessity for ongoing security vigilance. Organizations should continue to prioritize strong access controls, rigorous monitoring, and incident response plans to mitigate the risk of unauthorized access to sensitive data.
The data leak also raises questions about ransom negotiations in the face of cyber extortion. Fortinet’s refusal to pay the ransom, coupled with its transparent approach to informing stakeholders, sets a positive precedent for handling such situations. However, the evolving threat landscape suggests that organizations must remain prepared for the increasing sophistication of cyberattacks.
This wraps up today’s issue. Wherever you are out there in the digital world, just stay safe, install the latest patches and keep a watchful eye out for anything that might want to deceive you. Thank you so much for being a wanderer on The Cybersecurity Express, and we look forward to welcoming you on board next time.