Back to qualys.com
119 posts

PCI & QID 38598 “Deprecated Public Key Length”

PCI DSS v3.2 logoQID 38598 “Deprecated Public Key Length” will be marked as PCI Fail as of November 1, 2018 in accordance with its CVSS score.

Under PCI DSS merchants and financial institutions are required to protect their clients’ sensitive data with strong cryptography. Strong cryptography is defined in the Glossary of Terms, Abbreviations and Acronyms for PCI DSS as cryptography based on industry-tested and accepted algorithms.

NIST Special Publication 800-131A announced that RSA public keys shorter than 2048 bits are disallowed, so QID 38598 detected in ASV scans will result a PCI failure. ASV scan customers will need to obtain a 2048-bit or larger public key length certificate from their Certificate Authority.

Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776

A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.

Update August 24, 2018: A dashboard for this vulnerability is now available to download.

Continue reading …

Qualys BrowserCheck CoinBlocker Protects Users From Active Cryptojacking Campaigns

Qualys Malware Research Labs recently released the Qualys BrowserCheck CoinBlocker Chrome Extension. We have seen enthusiastic adoption from users across the globe in the first week since its release, which has given us enough telemetry data to indicate success in protecting users from popular cryptojacking attacks. This blog post details these detection statistics and analyzes a few interesting cryptojacking campaigns uncovered by Qualys BrowserCheck CoinBlocker.

About Qualys BrowserCheck CoinBlocker

Qualys BrowserCheck CoinBlocker protects users from browser-based coin-mining attacks. Along with blacklisting & whitelisting of domains, it also supports advanced JavaScript scanning to identify & block malicious JavaScript functions. The extension can also identify & block malicious coin-mining advertisements loaded inside iframes by third-party ads.

Download Qualys BrowserCheck CoinBlocker for free!

Qualys BrowserCheck CoinBlocker Detection Statistics

The world heat map below shows the geographical distribution of mining threats as a percentage of detections blocked by Qualys BrowserCheck CoinBlocker. The Top 5 countries where mining threats are detected and blocked are Bulgaria (33%) topped the list followed by India (18%), the United States (16%), Argentina (10%) and Thailand (9%).

Continue reading …

Staying Safe in the Era of Browser-based Cryptocurrency Mining

Qualys Malware Research Labs is announcing the release of Qualys BrowserCheck CoinBlocker Chrome extension to detect and block browser-based cryptocurrency mining, aka cryptojacking.

Cryptojacking

Cryptojacking attacks leverage the victim system’s resources via malicious JavaScript to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Any visitor to such sites will download the JavaScript and unknowingly contribute its system resources to mine a cryptocurrency that is added to the attacker’s wallet. The resource-intensive mining process is carried out on victim systems typically consumes more than 70% of CPU, that reduces system performance, increases power consumption and can cause possible permanent damage to the system.

Continue reading …

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”

PCI DSS v3.2 logoQID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.

Continue reading …

Meltdown/Spectre and Qualys Cloud Platform

In light of the recently released information about two security vulnerabilities, Qualys has considered the impact on the Qualys Cloud Platform and associated services. Qualys released a detailed advisory for customers of the Qualys Cloud Platform to help customers identify these vulnerabilities and to assist customers in their internal security assessment.  

Below, please find information about how Qualys has performed its assessment and is taking steps to protect its environment and the Qualys Cloud Platform:

Continue reading …

Processor Vulnerabilities – Meltdown and Spectre

UPDATE 1/4/2018: Qualys has released several QIDs for detecting missing patches for these vulnerabilities.
UPDATE 1/5/2018: Pre-built AssetView dashboards to visualize impact and remediation progress.

Vulnerabilities potentially impacting all major processor vendors were disclosed today by Google Project Zero. These vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715). Organizations should inventory their systems by processor type, apply vendor patches as they become available, and track their progress. This article describes how Qualys can help in all three areas.

Continue reading …

New ‘Silence’ Banking Trojan copies Carbanak to Steal from Banks (Analysis with IOCs)

Dark Reading is reporting on a new banking trojan called ‘Silence’ that mimics techniques similar to the Carbanak hacker group targeting banks and financial institutions.  The attack vector is similar – target individuals using spear-phish emails to trick them into running a malicious attachment which will connect to download a dropper to further infect the user’s machine.  This attack does not use an exploit against a vulnerability, but rather takes advantage of social engineering to fool the user into executing the malicious payload and infecting their machine.

Silence is interesting in that the trojan’s capabilities include a screen grabber that will take multiple screenshots of the user’s active monitor and upload the real-time stream to a command and control server for monitoring by the adversary.  This technique allows the threat actor to identify which users have access to specific banking applications, systems, and accounts that they can use for financial gain.

Continue reading …

Bad Rabbit – Ransomware

(updated: 10/26/2017 with additional file hashes and mitigations)

A new ransomware campaign has affected at least three Russian media companies in a fast-spreading malware attack. Fontanka and Interfax are among the companies affected by the Bad Rabbit ransomware named by the researchers who first discovered it. The malware is delivered as fake Flash installer, it uses the SMB protocol to check hardcoded credentials. Bad Rabbit does not employ any exploits to gain execution or elevation of privilege. The Ukrainian computer emergency agency CERT-UA has issued an alert incident and mentioned that Odessa airport and Kiev subway were also affected. It is unsure whether this alert is regarding Bad Rabbit, but they suspect that it may be the start of a new wave of cyberattacks.

Continue reading …

Petya Ransomware: What You Need to Know

On Tuesday, a variant of the ransomware “Petya” began propagating in several countries across Europe. This new variant leverages the EternalBlue exploit used in WannaCry, and also takes advantage of misconfigured permissions to spread throughout the network.

EternalBlue is a leaked exploit developed by the NSA that leverages the vulnerability patched in MS17-010. All unpatched versions of Windows are vulnerable to EternalBlue, excluding recent versions of Windows 10. Microsoft has also chosen to release patches for some end-of-support versions of Windows.

Continue reading …