336K Prometheus Instances Exposed to DoS, ‘Repojacking’


Researchers have discovered hundreds of thousands of servers running the Prometheus open source monitoring software on the open Web, exposing passwords and tokens and opening the door to denial of service (DoS) and remote code execution.

As a leader among open source observability tools, Prometheus is used widely by organizations to monitor the performance of their applications and cloud infrastructure. But it comes with a catch: As noted in its documentation, “It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information.”

Apparently, a whole lot of users either aren’t aware of the ways in which Prometheus is exposed by default, or don’t realize the value of the data that’s exposed along the way. Using Shodan, researchers from Aqua Nautilus discovered more than 40,000 exposed Prometheus servers, and more than 296,000 exposed “exporters,” which the program uses to collect data from monitored endpoints. The researchers found sensitive data in those servers and exporters, and opportunities for “repojacking” and DoS attacks.

What Prometheus Exposes

On first impression, the data Prometheus collects might seem rather bland: application performance metrics, metrics associated with particular cloud tools, CPU, memory, and disk usage, for example.

“We think that it’s only statistics — it’s only information about the health of the system. That’s the problem,” says Assaf Morag, director of threat intelligence at Aqua Nautilus. Probing the data from the perspective of an attacker reveals all kinds of information that could lubricate cyberattacks.

“We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden,” Morag says. For example, he found one exposed and unauthenticated instance of Prometheus belonging to Skoda Auto, the Czech automobile manufacturer, which revealed some of the company’s subdomains, and Docker registries and images.

Besides exposing secrets, open Web Prometheus servers and exporters also carry a risk of DoS. There’s the ‘/debug/pprof’ endpoint, for example, which exposes Go runtime profiling data (heap, CPU and goroutine profiles) for the running process and is enabled by default in most Prometheus components. In their testing, the researchers demonstrated that they could overload the endpoint to disrupt communications or outright crash Amazon Web Services Elastic Compute Cloud (AWS EC2) instances or Kubernetes pods.

“The result was conclusive: We ended up stopping virtual machines each time we ran our script,” Morag reports. To drive home the significance of such an attack scenario, he jokes, “I read somewhere that Kubernetes clusters run in fighter jets. I don’t think that they are exposed to the Internet, but [it goes to show] we run Kubernetes in lots of places today.”

Repojacking Opportunities in Prometheus

Users can protect their Prometheus servers and exporters by taking them offline, or at least adding a layer of authentication to keep out prying eyes. And, of course, there are tools designed to mitigate DoS risks.

Less easily solved is a third issue in the platform: Several of its exporters were found vulnerable to repojacking attacks.

The opportunity for repojacking arises whenever a developer renames or deletes their GitHub account without a namespace retirement. Put simply, an attacker registers the developer’s old username, then plants malware under the same name as the developer’s old, legitimate projects. Any project that still references the old repository path, rather than the correct redirected one, can end up ingesting the malicious copycat.

Prometheus’ official documentation referenced several exporters associated with freely claimable usernames, meaning that any attacker could have stepped in and taken advantage to perform remote code execution. Aqua Nautilus reported the issue to Prometheus, and it has since been addressed.

Repojacking opportunities are likely far more widespread than is realized, Morag emphasizes, so organizations need to be monitoring any discrepancies between the projects they rely on and the links they follow to access them. “It’s not that difficult,” he says. “But if you’re doing it for millions of open source projects, that’s where the problem starts. If you use an automated [scanning tool], you could be safe.”




New stealthy Pumakit Linux rootkit malware spotted in the wild



A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems.

The malware is a multi-component set that includes a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.

Elastic Security discovered Pumakit in a suspicious binary (‘cron’) upload on VirusTotal, dated September 4, 2024, and reported having no visibility into who uses it and what it targets.

Generally, these tools are used by advanced threat actors targeting critical infrastructure and enterprise systems for espionage, financial theft, and disruption operations. 

The Pumakit

Pumakit employs a multi-stage infection process starting with a dropper named ‘cron,’ which executes embedded payloads (‘/memfd:tgt’ and ‘/memfd:wpn’) entirely from memory.

The ‘/memfd:wpn’ payload, which executes in a child process, performs environment checks and kernel image manipulation and eventually deploys the LKM rootkit module (‘puma.ko’) into the system kernel.

Embedded within the LKM rootkit is Kitsune SO (‘lib64/libs.so’), acting as the userland rootkit that injects itself into processes using ‘LD_PRELOAD’ to intercept system calls at the user level.

Pumakit infection chain (Source: Elastic Security)

Stealthy privilege escalation

The rootkit follows a conditional activation, checking for specific kernel symbols, secure boot status, and other prerequisites before loading.

Elastic says Puma uses the ‘kallsyms_lookup_name()’ function to manipulate system behavior. This indicates the rootkit was designed to target only Linux kernels before version 5.7, as newer versions no longer export that function, so loadable modules can no longer call it.

“The LKM rootkit’s ability to manipulate system behavior begins with its use of the syscall table and its reliance on kallsyms_lookup_name() for symbol resolution,” explains Elastic researchers Remco Sprooten and Ruben Groenewoud.

“Unlike modern rootkits targeting kernel versions 5.7 and above, the rootkit does not use kprobes, indicating it is designed for older kernels.”

Puma hooks 18 syscalls and multiple kernel functions using ‘ftrace,’ to gain privilege escalation, command execution, and the ability to hide processes.

Using ftrace to hook syscalls (Source: Elastic Security)

The kernel functions ‘prepare_creds’ and ‘commit_creds’ are abused to modify process credentials, granting root privileges to specific processes.

Performing privilege escalation (Source: Elastic Security)

The rootkit can hide its own presence from kernel logs, system tools, and antivirus, and can also hide specific files in a directory and objects from process lists.

If the hooks are interrupted, the rootkit reinitializes them, ensuring that its malicious changes aren’t reverted and the module cannot be unloaded.

The userland rootkit Kitsune SO operates in synergy with Puma, extending its stealth and control mechanisms to user-facing interactions.

It intercepts user-level system calls and alters the behavior of tools like ls, ps, netstat, top, htop, and cat to hide files, processes, and network connections associated with the rootkit.

It can also dynamically hide any other files and directories based on attacker-defined criteria and make malicious binaries entirely invisible to users and system admins.

Kitsune SO also handles all communications with the command and control (C2) server, relaying commands to the LKM rootkit and transmitting configuration and system info to the operators.
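The userland side of this (a library forced into every process via LD_PRELOAD, hiding files, processes and the module from the usual tools) is the part an administrator can cross-check without kernel access. The script below is an added example written for this page, not Elastic’s code and not tied to Pumakit’s real internals: it checks whether the running kernel still exports kallsyms_lookup_name(), scans /etc/ld.so.preload and process environments for forced preloads, probes for PIDs that answer a signal but are absent from the /proc listing (a hooked readdir() hides entries; hiding them from the probe requires hooking stat()/kill() as well), and compares /sys/module against /proc/modules for unlinked modules. Every check takes its inputs as arguments so it runs against the constructed fixtures here and against the live system via the readers at the bottom. The fixtures are constructed; the path ‘/lib64/libs.so’ is the one the article names. Caveat: a rootkit that hooks as widely as Pumakit does can defeat the PID probe, so run such checks from a static binary or from outside the host where possible.

```python
"""Userland triage checks for an LKM + LD_PRELOAD rootkit such as Pumakit.

Added example, not Elastic's code. Each check takes its inputs as arguments so it
runs on constructed fixtures here and on the live system via the readers below.
"""
import os
import re
from typing import Callable, Dict, Iterable, List, Set


def kernel_tuple(release: str) -> tuple:
    """'5.4.0-150-generic' -> (5, 4, 0)."""
    m = re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', release)
    if not m:
        raise ValueError(f'unparseable kernel release: {release!r}')
    return tuple(int(x or 0) for x in m.groups())


def kallsyms_lookup_name_exported(release: str) -> bool:
    """True before 5.7, when kallsyms_lookup_name() was still exported to modules."""
    return kernel_tuple(release) < (5, 7, 0)


def preload_indicators(ld_so_preload: str, environs: Dict[int, bytes]) -> List[str]:
    """Libraries forced into every process via /etc/ld.so.preload or LD_PRELOAD."""
    hits = []
    for line in ld_so_preload.splitlines():
        line = line.split('#', 1)[0].strip()      # the file allows comments
        if line:
            hits.append(f'/etc/ld.so.preload: {line}')
    for pid, env in environs.items():             # /proc/<pid>/environ is NUL-separated
        for entry in env.split(b'\0'):
            if entry.startswith(b'LD_PRELOAD='):
                hits.append(f'pid {pid}: {entry.decode(errors="replace")}')
    return hits


def hidden_pids(listed: Set[int], alive: Callable[[int], bool], max_pid: int) -> Set[int]:
    """PIDs that answer a direct probe but are missing from the /proc directory listing."""
    return {pid for pid in range(1, max_pid + 1) if pid not in listed and alive(pid)}


def hidden_modules(proc_modules: str, sysfs_loaded: Iterable[str]) -> Set[str]:
    """Modules with a loaded sysfs entry that are unlinked from the /proc/modules list."""
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return set(sysfs_loaded) - listed


# --- live readers (Linux only; not used by the fixtures) ---------------------
def live_listed_pids() -> Set[int]:
    return {int(d) for d in os.listdir('/proc') if d.isdigit()}


def live_pid_alive(pid: int) -> bool:
    try:
        os.kill(pid, 0)              # signal 0 only checks existence
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                  # exists, owned by another user


def live_sysfs_loaded() -> Set[str]:
    # Built-in modules also appear under /sys/module; only loaded ones carry 'initstate'.
    return {m for m in os.listdir('/sys/module')
            if os.path.exists(f'/sys/module/{m}/initstate')}


# --- constructed fixtures (hypothetical host state) --------------------------
FIXTURE_LD_SO_PRELOAD = "# system defaults\n/lib64/libs.so\n"
FIXTURE_ENVIRONS = {4242: b'PATH=/usr/bin\0LD_PRELOAD=/lib64/libs.so\0HOME=/root\0',
                    1: b'PATH=/usr/bin\0'}
FIXTURE_PROC_MODULES = "ext4 700000 1 - Live 0x0\nnf_tables 200000 0 - Live 0x0\n"
FIXTURE_SYSFS_LOADED = {'ext4', 'nf_tables', 'puma'}
FIXTURE_LISTED_PIDS = {1, 2, 100, 4242}


def fixture_alive(pid: int) -> bool:
    return pid in {1, 2, 100, 4242, 4243}       # 4243 is hidden from the listing


if __name__ == '__main__':
    print('kallsyms_lookup_name exported:', kallsyms_lookup_name_exported(os.uname().release))
    print('preload indicators:', preload_indicators(FIXTURE_LD_SO_PRELOAD, FIXTURE_ENVIRONS))
    print('hidden pids:', hidden_pids(FIXTURE_LISTED_PIDS, fixture_alive, 5000))
    print('hidden modules:', hidden_modules(FIXTURE_PROC_MODULES, FIXTURE_SYSFS_LOADED))
```

On a real host, swap the fixtures for live_listed_pids(), live_pid_alive, live_sysfs_loaded() and the contents of /etc/ld.so.preload and /proc/<pid>/environ; a non-empty result from any check is a lead, not proof, and the kernel-version check only says whether the older kallsyms_lookup_name() path is available to a module at all.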

Besides file hashes, Elastic Security has published a YARA rule to help Linux system administrators detect Pumakit attacks.




Credentials and API Keys Leaking Online


Dec 12, 2024 | Ravie Lakshmanan | Vulnerability / Cloud Security


Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks.

“Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new report shared with The Hacker News.

The cloud security firm also said that the exposure of the “/debug/pprof” endpoints used for determining heap memory usage, CPU usage, and others, could serve as a vector for DoS attacks, rendering the servers inoperable.


As many as 296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers have been estimated to be publicly accessible over the internet, making them a huge attack surface that could put data and services at risk.

The fact that sensitive information, such as credentials, passwords, authentication tokens, and API keys, could be leaked through internet-exposed Prometheus servers has been documented previously by JFrog in 2021 and Sysdig in 2022.

“Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations,” the researchers said.

In addition, it has been found that the “/metrics” endpoint can not only reveal internal API endpoints, but also data about subdomains, Docker registries, and images — all valuable information for an attacker conducting reconnaissance and looking to expand their reach within the network.

That’s not all. An adversary could send multiple simultaneous requests to endpoints like “/debug/pprof/heap” to trigger CPU and memory-intensive heap profiling tasks that can overwhelm the servers and cause them to crash.
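What the two reports above describe (secrets, internal hostnames and container images readable from an unauthenticated /metrics endpoint, and a reachable /debug/pprof) can be checked from a scrape before an attacker does it. The script below is an added example written for this page, not Aqua’s or the Prometheus project’s code. It parses the Prometheus text exposition format that /metrics returns, flags label values that should never sit on an open endpoint (credentials embedded in URLs, secret-looking names and values, container image references, internal hostnames), and lists which endpoints answer without authentication. The sample scrape and the fake HTTP status map are constructed; the label and value heuristics are the author’s and will need tuning per exporter (long hex blobs also match digests, for instance). Pass a real HTTP client as status_of only against hosts you own.

```python
"""Triage an exposed Prometheus endpoint for leaked secrets and reconnaissance data.

Added example, not Aqua's or the Prometheus project's code. Sample data is constructed.
"""
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# One sample line of the text exposition format: name{label="v",...} value [timestamp]
_SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

# Heuristics (author's own) for what an attacker reads off a scrape.
SENSITIVE_LABEL = re.compile(r'pass(word)?|token|secret|api_?key|auth|credential', re.I)
SECRET_VALUE = re.compile(
    r'Bearer\s+\S+'                 # HTTP bearer token
    r'|AKIA[0-9A-Z]{16}'            # AWS access key id shape
    r'|\b[A-Fa-f0-9]{32,}\b'        # long hex blob (keys, session ids; also digests, so tune)
    r'|[A-Za-z0-9+/]{40,}={0,2}'    # long base64 blob
)
CRED_URL = re.compile(r'[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@', re.I)  # scheme://user:pw@host
INTERNAL_HOST = re.compile(r'\b[a-z0-9.-]+\.(?:internal|local|corp|svc|cluster\.local)\b', re.I)
IMAGE_REF = re.compile(r'^[a-z0-9.-]+(?::\d+)?/[a-z0-9._/-]+:[a-zA-Z0-9._-]+$')  # registry/repo:tag


def parse_samples(text: str) -> Iterator[Tuple[str, Dict[str, str], str]]:
    """Yield (metric, labels, value) per sample line; HELP/TYPE comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = _SAMPLE_RE.match(line)
        if m:
            name, raw_labels, value = m.groups()
            yield name, dict(_LABEL_RE.findall(raw_labels or '')), value


def triage_metrics(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, metric, 'label=value') for every label worth an analyst's attention."""
    findings = []
    for name, labels, _ in parse_samples(text):
        for key, val in labels.items():
            kv = f'{key}={val}'
            if CRED_URL.search(val):
                findings.append(('credential_in_url', name, kv))
            elif SENSITIVE_LABEL.search(key) or SECRET_VALUE.search(val):
                findings.append(('secret_like', name, kv))
            elif IMAGE_REF.match(val):
                findings.append(('container_image', name, kv))
            elif INTERNAL_HOST.search(val):
                findings.append(('internal_host', name, kv))
    return findings


def check_endpoints(status_of: Callable[[str], Optional[int]]) -> List[str]:
    """status_of(path) -> HTTP status without credentials; 200 means the endpoint is open.

    /api/v1/status/config exists on Prometheus servers only; exporters serve /metrics
    and, by default, the Go /debug/pprof profiling endpoint used in the DoS.
    """
    probes = {
        '/metrics': 'metrics_unauthenticated',
        '/debug/pprof/': 'pprof_unauthenticated',
        '/api/v1/status/config': 'config_unauthenticated',
    }
    return [label for path, label in probes.items() if status_of(path) == 200]


# Constructed sample scrape: the shape of what an open /metrics endpoint can leak.
SAMPLE_SCRAPE = '''\
# HELP node_cpu_seconds_total Seconds the CPUs spent in each mode.
# TYPE node_cpu_seconds_total counter
node_cpu_seconds_total{cpu="0",mode="idle"} 18234.12
kube_pod_container_info{container="api",image="registry.corp.example:5000/shop/api:1.4.2",pod="api-7d9f"} 1
app_db_up{dsn="postgres://shop:Sup3rS3cret@db.internal.example:5432/shop"} 1
exporter_config{auth_token="eyJhbGciOiJIUzI1NiJ9.e30.abc123",endpoint="https://payments.svc.cluster.local/v1"} 1
http_requests_total{code="200",handler="/healthz"} 4410
'''
# Constructed fake responses for an exporter with nothing in front of it.
FAKE_STATUS = {'/metrics': 200, '/debug/pprof/': 200, '/api/v1/status/config': 404}

if __name__ == '__main__':
    for finding in triage_metrics(SAMPLE_SCRAPE):
        print(*finding)
    print(check_endpoints(FAKE_STATUS.get))
```

The same parser works on the output of a real scrape saved to a file, which is the cheapest way to see what your own exporters put on the wire before deciding whether the endpoint needs authentication in front of it.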

Aqua further called out a supply chain threat that involves using repojacking techniques to leverage the name associated with deleted or renamed GitHub repositories and introduce malicious third-party exporters.


Specifically, it discovered that eight exporters listed in Prometheus’ official documentation are vulnerable to RepoJacking, thereby allowing an attacker to recreate an exporter with the same name and host a rogue version. These issues have since been addressed by the Prometheus security team as of September 2024.

“Unsuspecting users following the documentation could unknowingly clone and deploy this malicious exporter, leading to remote code execution on their systems,” the researchers said.
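Both pieces above make the same point about repojacking: the link in the documentation still works, so nobody notices that the owner behind it has gone. The script below is an added example written for this page, not Aqua’s or the Prometheus project’s code, and it uses a simplified model of GitHub’s behaviour: a renamed or transferred repository keeps a redirect from its old URL, but if the old owner name is unregistered, anyone can recreate owner/repo at that name and the old link then lands on the impostor. It extracts GitHub links from a documentation page, resolves each one, and classifies it. The documentation snippet and the fake GitHub state (‘old-maintainer’, ‘gone-user’, ‘new-org’ are made-up names) are constructed; the live resolvers at the bottom use urllib against github.com and the public API and are not exercised by the fixtures.

```python
"""Check documentation links for repojackable GitHub repositories.

Added example, not Aqua's or the Prometheus project's code; simplified model of GitHub.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GITHUB_URL = re.compile(
    r'https?://github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[^A-Za-z0-9_.-]|$)'
)

RepoResolver = Callable[[str, str], Tuple[int, Optional[str]]]  # (status, redirect target or None)
UserResolver = Callable[[str], int]                             # HTTP status for the owner


def extract_repos(markdown: str) -> List[Tuple[str, str]]:
    """All (owner, repo) pairs linked from a documentation page."""
    return GITHUB_URL.findall(markdown)


def assess(owner: str, repo: str, repo_status: RepoResolver, user_status: UserResolver) -> str:
    status, target = repo_status(owner, repo)
    if status == 200:
        return 'ok'
    if status in (301, 302, 307, 308) and target:
        # The redirect only holds while nobody recreates owner/repo at the old name.
        if user_status(owner) == 404:
            return f'repojackable: redirects to {target} but old owner is claimable'
        return f'renamed: update link to {target}'
    if status == 404:
        if user_status(owner) == 404:
            return 'repojackable: owner and repo unregistered'
        return 'missing: owner exists, repo deleted'
    return f'unexpected status {status}'


def audit(markdown: str, repo_status: RepoResolver, user_status: UserResolver) -> Dict[str, str]:
    return {f'{o}/{r}': assess(o, r, repo_status, user_status) for o, r in extract_repos(markdown)}


# --- live resolvers (network; not used by the fixtures) ----------------------
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None    # surface 3xx as HTTPError instead of following it


def github_repo_status(owner: str, repo: str) -> Tuple[int, Optional[str]]:
    req = urllib.request.Request(f'https://github.com/{owner}/{repo}', method='HEAD')
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        loc = err.headers.get('Location') or ''
        return err.code, loc.replace('https://github.com/', '', 1) or None


def github_user_status(owner: str) -> int:
    req = urllib.request.Request(f'https://api.github.com/users/{owner}')
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# --- constructed fixtures: fake GitHub state, no real accounts implied --------
FAKE_REPOS = {
    ('prometheus', 'node_exporter'): (200, None),
    ('old-maintainer', 'foo_exporter'): (301, 'new-org/foo_exporter'),
    ('gone-user', 'bar_exporter'): (404, None),
}
FAKE_USERS = {'prometheus': 200, 'new-org': 200}


def fake_repo_status(owner: str, repo: str) -> Tuple[int, Optional[str]]:
    return FAKE_REPOS.get((owner, repo), (404, None))


def fake_user_status(owner: str) -> int:
    return FAKE_USERS.get(owner, 404)


DOC_SNIPPET = '''\
* [Node exporter](https://github.com/prometheus/node_exporter)
* [Foo exporter](https://github.com/old-maintainer/foo_exporter) (third party)
* [Bar exporter](https://github.com/gone-user/bar_exporter.git)
'''

if __name__ == '__main__':
    for link, verdict in audit(DOC_SNIPPET, fake_repo_status, fake_user_status).items():
        print(f'{link}: {verdict}')
```

Run the audit over your own dependency manifests and documentation with the live resolvers, on a schedule; pinning a commit hash rather than a branch is the complementary control, since a hijacked repository cannot reproduce the original commit’s hash.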

Organizations are recommended to secure Prometheus servers and exporters with adequate authentication methods (Prometheus and its exporters accept a web configuration file for TLS and basic authentication), limit public exposure, monitor “/debug/pprof” endpoints for any signs of anomalous activity, and take steps to avoid RepoJacking attacks.





Why Phishers Love New TLDs Like .shop, .top and .xyz – Krebs on Security


Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.

Image: Shutterstock.

A study on phishing data released by Interisle Consulting finds that new gTLDs introduced in the last few years command just 11 percent of the market for new domains, but accounted for roughly 37 percent of cybercrime domains reported between September 2023 and August 2024.

Interisle was sponsored by several anti-spam organizations, including the Anti-Phishing Working Group (APWG), the Coalition Against Unsolicited Commercial Email (CAUCE), and the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG).

The study finds that while .com and .net domains made up approximately half of all domains registered in the past year (more than all of the other TLDs combined) they accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share — 37 percent — of cybercrime domains were registered through new gTLDs.

Spammers and scammers gravitate toward domains in the new gTLDs because the registries and registrars behind them tend to offer cheap or free registration with little to no account or identity verification. For example, among the gTLDs with the highest cybercrime domain scores in this year’s study, nine offered registration fees of less than $1, and nearly two dozen offered fees of less than $2.00. By comparison, the cheapest price identified for a .com domain was $5.91.

Currently, there are around 2,500 registrars authorized to sell domains by the Internet Corporation for Assigned Names and Numbers (ICANN), the California nonprofit that oversees the domain industry.

The top 5 new gTLDs, ranked by cybercrime domains reported. Image: Interisle Cybercrime Supply Chain 2024.

Incredibly, despite years of these reports showing phishers heavily abusing new gTLDs, ICANN is shuffling forward on a plan to introduce even more of them. ICANN’s proposed next round envisions accepting applications for new gTLDs in 2026.

John Levine is author of the book “The Internet for Dummies” and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.

“The problem is that ICANN can’t make up their mind whether they are the neutral nonprofit regulator or just the domain speculator trade association,” Levine told KrebsOnSecurity. “But they act a lot more like the latter.”

Levine said the vast majority of new gTLDs have a few thousand domains — a far cry from the number of registrations they would need just to cover the up-front costs of operating a new gTLD (~$180,000-$300,000). New gTLD registrars can quickly attract customers by selling domains cheaply to customers who buy domains in bulk, but that tends to be a losing strategy.

“Selling to criminals and spammers turns out to be lousy business,” Levine said. “You can charge whatever you want on the first year, but you have to charge list price on domain renewals. And criminals and spammers never renew. So if it sounds like the economics makes no sense it’s because the economics makes no sense.”

In virtually all previous spam reports, Interisle found the top brands referenced in phishing attacks were the largest technology companies, including Apple, Facebook, Google and PayPal. But this past year, Interisle found the U.S. Postal Service was by far the most-phished entity, with more than four times the number of phishing domains as the second most-frequent target (Apple).

At least some of that increase is likely from a prolific cybercriminal using the nickname Chenlun, who has been selling phishing kits targeting domestic postal services in the United States and at least a dozen other countries.

Interisle says an increasing number of phishers are eschewing domain registrations altogether, and instead taking advantage of subdomain providers like blogspot.com, pages.dev, and weebly.com. The report notes that cyberattacks hosted at subdomain provider services can be tough to mitigate, because only the subdomain provider can disable malicious accounts or take down malicious web pages.

“Any action upstream, such as blocking the second-level domain, would have an impact across the provider’s whole customer base,” the report observes.

Interisle tracked more than 1.18 million instances of subdomains used for phishing in the past year (a 114 percent increase), and found more than half of those were subdomains at blogspot.com and other services operated by Google.

“Many of these services allow the creation of large numbers of accounts at one time, which is highly exploited by criminals,” the report concludes. “Subdomain providers should limit the number of subdomains (user accounts) a customer can create at one time and suspend automated, high-volume automated account sign-ups – especially using free services.”

Dec. 4, 10:21 a.m. ET: Corrected link to report.




Microsoft to take an $800M charge over Cruise’s shutdown • The Register


Microsoft is among those in the blast radius of General Motors’ decision to wind up its autonomous taxi business, Cruise.

In a filing made to the US Securities and Exchange Commission (SEC) this week, the company said it expected to record an impairment charge to the tune of approximately $800 million in the second quarter of fiscal year 2025. It will categorize the charge as “Other income and expense” and estimated that the impact would be approximately $0.09 to second quarter diluted earnings per share.


Microsoft noted that the charge wasn’t included in the second-quarter guidance provided on October 30. However, even then, it was clear that things were not going well for Cruise. General Motors’ announcement earlier this week that it was pulling the plug on the robotaxi business and refocusing Cruise’s operation did not come as a surprise, considering the technical challenges encountered by the self-driving outfit.

A few weeks before GM gave up on the robotaxis, a Vulture from El Reg’s San Francisco office snapped a picture of a parking lot full of resting Cruise cabs.

The autonomous taxis became available for public hire in February 2022, but a succession of incidents meant the robocabs were required to have a human at the wheel, thus defeating the point of the system.

Microsoft announced its minority investment in January 2021, joining Honda and other institutional investors. All told, the players invested $2 billion at the time, bringing the post-money valuation of Cruise to $30 billion.

What a difference a few years makes.

Microsoft was also meant to be Cruise’s preferred cloud provider. Company boss Satya Nadella said, “As Cruise and GM’s preferred cloud, we will apply the power of Azure to help them scale and make autonomous transportation mainstream.”

However, rather than making autonomous transportation mainstream, at least via the medium of autonomous taxis, Microsoft is instead taking an $800 million charge.

According to Nikkei Asia, Honda will also dissolve its self-driving vehicle partnership with GM. ®




Notorious Nigerian cybercriminal tied to BEC scams extradited to U.S.


Abiola Kayode, a 37-year-old Nigerian national, has been extradited from Ghana to the United States to face charges of conspiracy to commit wire fraud. 

Kayode, who was on the FBI’s Most Wanted cybercriminal list, is charged with participating in a business email compromise (BEC) scheme and romance fraud from January 2015 to September 2016, defrauding businesses of over $6 million. The scheme involved Kayode’s co-conspirators impersonating high-level executives and directing company employees to make fraudulent wire transfers. The funds were then diverted to accounts controlled by Kayode and others, many of which belonged to victims of romance scams.

The Treasury Department sanctioned Kayode and five others involved in the schemes in 2020. The sanctions block these individuals’ property and generally prohibit U.S. persons from conducting business with them. 

Several of Kayode’s alleged accomplices have already been sentenced. Adewale Aniyeloye received 96 months in prison, Pelumi Fawehinimi got 72 months, and Onome Ijomone was sentenced to 60 months for their roles in the scams. Another partner in crime, Alex Ogunshakin, was recently sentenced to 45 months following his extradition from Nigeria.

The Office of International Affairs at the Department of Justice played a significant role in securing Kayode’s extradition. The broader initiative, coordinated with the FBI, aims to combat the growing threat of cyber-enabled fraud schemes targeting vulnerable Americans. According to FinCEN, BEC fraud reports have skyrocketed, with attempts to steal nearly $9 billion from U.S. financial institutions since 2016.

It has been a busy month for the Justice Department’s focus on BEC scams. Last week, Okechukwu Valentine Osuji, a 39-year-old Nigerian national, was sentenced to eight years in prison for running a business email compromise scheme from multiple countries, including the United States.

Written by Greg Otto, Editor-in-Chief of CyberScoop.




Cultivating a Hacker Mindset in Cybersecurity Defense


COMMENTARY

In the past, security professionals were true hackers at heart — passionate individuals who made money doing what they loved: breaking systems, pushing boundaries, and constantly learning. They grew their skills out of sheer curiosity and dedication.

Today, however, many in security are simply “professionals” who found a well-paying job but lack that hacker spirit. They’re not driven by a love of the challenge or a hunger to learn. They may take the occasional course or learn a few technical tricks — but often, they’re doing the bare minimum. This leads to weak security. Meanwhile, attackers? They still have that old-school hacker passion, constantly learning and evolving for the love of the challenge.

We’ve completely misunderstood how to do security. Instead of genuinely simulating bad guys and preparing for the real thing, we play around with automated tools and call it “offensive” security. Many red-team exercises simply follow a checklist of known exploits without adapting to the specific environment. In contrast, a genuine adversary simulation requires creativity and a deep understanding of the target’s weaknesses — crafting custom attack paths and adjusting tactics on the fly. It’s about going beyond technical skills and truly getting into the adversary mindset.

Let’s be real — technical skills alone aren’t going to save anyone. To outsmart attackers, we need to cultivate a hacker mindset: understand the motivations, tactics, and psychology behind attacks, focusing on creativity and adaptability rather than just checking boxes.

Why Adversaries Do What They Do

Too many defenders get stuck on the “how” of an attack — the technical exploits, tools, and vulnerabilities — but to stay ahead, we need to ask “why.” Attackers aren’t just pushing buttons; they’re making strategic decisions, choosing the path of least resistance and maximum gain specific to their objectives.

Attackers know defenders are predictable. They know defenders — often too focused on what looks scary instead of what’s actually vulnerable — will patch the big vulnerabilities while ignoring the misconfigurations or overly trusted third-party integrations. Red teams might overlook these, but real adversaries know they’re prime opportunities. Attackers exploit trusted integrations to move laterally or exfiltrate data without triggering alarms. This is why understanding the “why” behind attacks is crucial. Attackers aren’t just targeting technology — they’re going after the path of least resistance, and too often, that’s where we’re late.

Stop Being a Button-Pusher

Here’s the harsh truth: Relying solely on automated tools and predefined processes is a recipe for failure. While those tools are useful, attackers thrive on predictability, so the more security teams rely on the same tools and scripts, the easier it is for them to slip through.

Think about the SolarWinds breach, where attackers leveraged a trusted, automated process to compromise thousands of systems — because defenders didn’t critically assess their own tools. SolarWinds is a lesson in the danger of blind trust in automation. If you’re just pushing buttons, you’re making their job easy.

Attackers are constantly testing the boundaries — doing the unexpected, finding unnoticed cracks. To defend against that, you need to do the same. Be curious, be creative, and don’t be afraid to challenge the rules. That’s what attackers are doing every day.

Detecting Intent in the Cloud

The cloud is a whole new ballgame. Old perimeter defenses don’t cut it anymore — it’s about understanding intent. Attackers aren’t just exploiting vulnerabilities; they’re using legitimate cloud services against you, moving laterally, escalating privileges, and blending in with regular user activity.

Take the Sisense breach: The attacker exploited cloud misconfigurations and legitimate credentials to access sensitive data. They didn’t break in — they logged in. The attacker understood how to blend in with typical user activity. Recognizing intent in the cloud is critical; it’s about seeing the attacker’s goals and cutting them off before they succeed.

If you notice unusual activity, don’t wait for an alert. Assume intent and start digging. The faster you understand why something is happening, the faster you can stop it.

Building a Hacker Culture

Growing and honing a hacker mindset is a journey, and it won’t come from reading a book or taking a course. It takes time, practice, mentorship, and hands-on experience. Pair up newer team members with people who’ve been through the trenches, involve the defense team in red team exercises, and let them make mistakes. Real learning happens by doing.

Want to know if you have a hacker mindset? Try the Jack Attack Test (JAT), where creativity — not content — reveals true hacker thinking. For example, finding 10 different ways to “turn off the light” is similar to finding 10 ways to perform a denial-of-service (DoS) attack. Hackers think conceptually, while security professionals might get lost in the details, saying they “don’t know anything about electricity.”

Another thing: Give your team members the chance to think like attackers. Run attack simulations where they must step into the hacker’s shoes. Get a threat intel report, and make them explain the why, not the how. Challenge them to take unconventional approaches. Attackers are masters of the unexpected, and if defenders want to keep up, they need to be too.

Embracing the Adversary Mindset

At the end of the day, security isn’t just about tools — it’s about understanding how the enemy thinks and why they make certain choices. Every move they make — each target, exploit, and escalation — is deliberate. To stay ahead, defenders must adopt this mindset. By understanding the strategy behind their actions, defenders can identify weak points in their defenses. It’s not just about technology; it’s about understanding intent, anticipating the unexpected, and challenging the norm. No tool can replace a curious mind ready to step into an adversary’s shoes and do whatever it takes to stay ahead.




Cynet Delivers 100% Protection and 100% Detection Visibility in the 2024 MITRE ATT&CK Evaluation



Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders is to keep IT environments up and running. To guard against cyber threats and prevent data breaches, it’s vital to understand the current cybersecurity vendor landscape and continually assess the effectiveness of available solutions.

Luckily, the 2024 MITRE ATT&CK Evaluation — the most widely trusted resource to track which solutions are effective — is now available. This practical guide distills key takeaways and advice to interpret the results.

Cynet was the only vendor to achieve 100% Visibility and 100% Protection in the 2024 Evaluation.

That means the All-in-One Cybersecurity Platform detected 100% of the threats tested in the Detection Phase and blocked 100% of the attacks simulated in the Protection Phase of the Evaluation. Moreover, Cynet achieved the 100% detection with no false positives.

Visibility vs prevention rate

“These 2024 MITRE ATT&CK Evaluation results reflect our entire team’s commitment to secure success for Cynet partners, customers, and end users,” says Cynet Founder & CEO Eyal Gruner. “Achieving 100% Detection Visibility and 100% Protection is a motivating milestone that affirms the compelling advantages Cynet’s All-in-One Cybersecurity Platform is enabling for organizations around the world.”

This 2024 performance is notable after Cynet made history in the 2023 MITRE ATT&CK Evaluation. It was the first time ever a vendor delivered 100% Visibility and 100% Analytic Coverage with no configuration changes. However, it is important to note that MITRE does not rank vendors or declare “winners.” Cybersecurity leaders must interpret the data to determine which solution best fits their team’s unique needs.

What is the MITRE ATT&CK Evaluation?

MITRE is a nonprofit foundation that supports private sector companies “solving problems for a safer world.” Their annual ATT&CK Evaluation is regarded as the fairest and most unbiased technical test of competing security vendor solutions.

  • MITRE uses simulated attacks in a controlled lab environment to evaluate how vendor solutions behave against a set of threats introduced in the exact same manner.
  • Vendor solutions are tested consistently, without external, extraneous factors influencing the results as is the case in a real-world deployment.

This approach helps evaluate how effectively a solution can detect an abundance of discrete steps that might be used by an adversary to carry out an attack. Because MITRE uses the techniques of real threat groups, each technique presented represents what is likely to happen in a real-world scenario.

The Evaluation allows vendors to demonstrate whether their solution detects the threats presented as well as the information provided with each detection.

KEY RESULTS

Cynet delivered 100% Detection Visibility, perfectly detecting every attack action using no configuration changes and no delays.

The ability to detect threats is the fundamental measure of an endpoint protection solution. Detecting attack steps across the MITRE ATT&CK sequence is critical for protecting the organization. Missing any step can allow the attack to expand and ultimately lead to a breach or other catastrophic outcomes.

This year, the attack sequence was executed over 16 steps, which were broken out into 80 malicious sub-steps. During Cynet’s testing, 3 of the sub-steps were not executed for technical reasons and are considered N/A (not counted), leaving 77 sub-steps executed. Cynet detected every one of the 77 sub-steps. Cynet had zero misses in this year’s MITRE testing and detected 100% of attacks across Windows and macOS devices as well as Linux servers.

All 77 detections were performed without the need for configuration changes. Leaders reviewing vendor outcomes can see which vendors could accomplish detections only after they were allowed to make configuration changes.

Visibility results

Cynet delivered 100% Protection, blocking every attack sequence attempted.

Roughly half of the participating security vendors were unable to test all 10 attack steps planned for the Protection tests due to technical issues. MITRE was able to execute all 10 attack steps for Cynet. Cynet blocked every one of the 10 attack steps – allowing no malicious activity to execute.

The following chart shows each participant’s Protection rate along with the number of steps blocked and number of steps executed (steps blocked/steps executed).

Protection rate

Cynet delivered 100% Prevention, blocking every attack in the first step attempted.

Protection measures whether any sub-step in a Protection step was blocked. For example, if a step consisted of 5 sub-steps, a vendor could miss the first four, block the fifth, and consider the entire step blocked. Cynet defines Prevention as how early in each of the 10 attack steps the threat was prevented.

Prevention measures the percentage of sub-steps that were blocked from executing. Ideally a vendor would block the first sub-step in every step tested so that every subsequent sub-step in the step was considered to be blocked. Using this measure, Cynet is the only vendor to achieve 100% Prevention – blocking every one of the 21 Protection sub-steps from executing.

Prevention rate

Cynet is the leader in Overall Threat Visibility and Protection

The chart below compares each vendor’s overall visibility with its prevention rate. Prevention rate is used because it is a more rigorous measure of a solution’s ability to block malicious attacks.

Visibility vs prevention rate

Conclusion

Partnering with the right cybersecurity vendor is one of the first and most effective steps you can take to enable the best protection possible for your organization or your clients.

The 2024 MITRE ATT&CK Evaluation results substantiate why Cynet’s All-in-One Cybersecurity Platform is an increasingly popular solution for fast-growing SMEs and MSPs.

By demonstrating that highly effective protection can be truly intuitive and affordable, Cynet sets an example competing vendors must now strive to emulate.

Sign up to see Cynet in action today.

Sponsored and written by Cynet.


Europol Dismantles 27 DDoS Attack Platforms Across 15 Nations; Admins Arrested


Dec 12, 2024 | Ravie Lakshmanan | Cyber Crime / DDoS Attack


A global law enforcement operation has taken down 27 stresser services that were used to conduct distributed denial-of-service (DDoS) attacks, pulling them offline as part of a multi-year international exercise called PowerOFF.

The effort, coordinated by Europol and involving 15 countries, dismantled several booter and stresser websites, including zdstresser.net, orbitalstress.net, and starkstresser.net. These services typically employ botnet malware installed on compromised devices to launch attacks on behalf of paying customers against targets of their liking.

In addition, three administrators associated with the illicit platforms have been arrested in France and Germany, with over 300 users identified for planned operational activities.

“Known as ‘booter’ and ‘stresser’ websites, these platforms enabled cybercriminals and hacktivists to flood targets with illegal traffic, rendering websites and other web-based services inaccessible,” Europol said in a statement.


“The motivations for launching such attacks vary, from economic sabotage and financial gain to ideological reasons, as demonstrated by hacktivist collectives such as KillNet or Anonymous Sudan.”

In a coordinated statement, the Dutch Politie said it has initiated prosecution against four suspects aged between 22 and 26, who are from Rijen, Voorhout, Lelystad and Barneveld, for carrying out hundreds of DDoS attacks.

Participating nations in PowerOFF include Australia, Brazil, Canada, Finland, France, Germany, Japan, Latvia, the Netherlands, Poland, Portugal, Sweden, Romania, the United Kingdom, and the United States.

The development comes a little over a month after German law enforcement authorities announced the disruption of a criminal service called dstat[.]cc that made it possible for other threat actors to mount distributed denial-of-service (DDoS) attacks.

Earlier this month, web infrastructure and security company Cloudflare said shopping and retail sites in the United States protected by Cloudflare experienced a significant rise in DDoS activity coinciding with the Black Friday/Cyber Monday shopping season.

The company also revealed that 6.5% of global traffic was mitigated by its systems in 2024 as being potentially malicious or for customer-defined reasons. Companies in the Gambling/Games industry were the most attacked during the time period, followed by the Finance, Digital Native, Society, and Telecom sectors.


The findings also follow the discovery of a “pervasive” misconfiguration bug present in enterprise environments that implement a CDN-based web application firewall (WAF) service, which could allow threat actors to bypass security guardrails erected before web resources and stage DDoS attacks. The technique has been codenamed Breaking WAF.

“The misconfiguration stems from the fact that modern WAF providers are also acting as CDN (content delivery network) providers, designed to provide network reliability and caching for web applications,” Zafran researchers said. “This dual functionality is at the heart of this widespread architectural blindspot of CDN/WAF providers.”

To mitigate the risk posed by the attack, organizations are recommended to limit access to their web applications by adopting IP allowlists, HTTP header-based authentication, and mutually authenticated TLS (mTLS).
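The origin-side gate that the mitigations above describe, as an added example that is not from the article or from Zafran: the misconfigured origin trusts whatever `X-Forwarded-For` says, while the hardened one checks the real TCP peer against the CDN's egress ranges and a secret header the CDN injects. The CIDRs, header name and secret are constructed placeholders, not any provider's real values.

```python
"""Origin-side checks for requests that arrive without passing through the CDN/WAF."""
import hmac
import ipaddress

# Constructed placeholder CDN egress ranges; a real deployment loads the
# provider's published list and refreshes it.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed placeholder shared secret, set on the CDN as a header added to
# every forwarded request and never exposed to clients.
ORIGIN_SECRET_HEADER = "x-origin-auth"
ORIGIN_SECRET = b"constructed-placeholder-secret"


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def in_cdn_ranges(addr: str) -> bool:
    """True if addr parses as an IP inside one of the CDN ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CDN_RANGES)


def weak_allow_request(remote_addr: str, headers: dict) -> bool:
    """The misconfiguration: the origin believes the client-supplied
    X-Forwarded-For header instead of the address it actually connected from,
    so a direct-to-origin request can claim to have come via the CDN."""
    claimed = _header(headers, "X-Forwarded-For").split(",")[0].strip() or remote_addr
    return in_cdn_ranges(claimed)


def allow_request(remote_addr: str, headers: dict) -> bool:
    """Hardened gate: the TCP peer must be a CDN edge AND the CDN-injected
    secret header must match (constant-time compare). Both are required, so
    neither a spoofed header nor a leaked secret is sufficient on its own."""
    presented = _header(headers, ORIGIN_SECRET_HEADER).encode()
    return in_cdn_ranges(remote_addr) and hmac.compare_digest(presented, ORIGIN_SECRET)
```

In production the same decision is usually made in the web server or load balancer in front of the application (IP allowlist plus header check, or mTLS with a CDN-issued client certificate), but the logic is the one shown here.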


Patch Tuesday, December 2024 Edition – Krebs on Security


Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks.

The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an authenticated attacker gain “system” level privileges on a vulnerable Windows device.

The security firm Rapid7 notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.

“Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,” wrote Adam Barnett, lead software engineer at Rapid7. “Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.”

Elevation of privilege vulnerabilities accounted for 29% of the 1,009 security bugs Microsoft has patched so far in 2024, according to a year-end tally by Tenable; nearly 40 percent of those bugs were weaknesses that could let attackers run malicious code on the vulnerable device.

Rob Reeves, principal security engineer at Immersive Labs, called special attention to CVE-2024-49112, a remote code execution flaw in the Lightweight Directory Access Protocol (LDAP) service on every version of Windows since Windows 7. CVE-2024-49112 has been assigned a CVSS (badness) score of 9.8 out of 10.

“LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function,” Reeves said. “Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required.”

Tyler Reguly at the security firm Fortra had a slightly different 2024 patch tally for Microsoft, at 1,088 vulnerabilities, which he said was surprisingly similar to the 1,063 vulnerabilities resolved in 2023 and the 1,119 vulnerabilities resolved in 2022.

“If nothing else, we can say that Microsoft is consistent,” Reguly said. “While it would be nice to see the number of vulnerabilities each year decreasing, at least consistency lets us know what to expect.”

If you’re a Windows end user and your system is not set up to automatically install updates, please take a minute this week to run Windows Update, preferably after backing up your system and/or important data.

System admins should keep an eye on AskWoody.com, which usually has the details if any of the Patch Tuesday fixes are causing problems. In the meantime, if you run into any problems applying this month’s fixes, please drop a note about it in the comments below.
