Qualys is actively tracking threats which target containers. In our recent analysis, we have identified a few docker instances executing a malware which we term as “LibMiner”. This malware has the capability to deploy and execute Cryptominer. It uses a unique technique for lateral movement across the containers as well as Linux systems, executing on unprotected Redis servers and initiating mining on them. The malware has the ability to protect its termination, thus making it impossible to gain control over it. This blog post uncovers the unique techniques and tactics used by LibMiner.
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.
In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.
The January release includes 5 CIS Benchmark policies, 4 Qualys Security Configuration and Compliance policies, and 1 DISA STIG policy. Apart from adding a new technology support, it also provides updates to several existing policies in the Qualys Content Library.
Qualys’ Certification Page at CIS has been updated.
Web applications and REST APIs can be susceptible to a certain class of vulnerabilities that can’t be detected by a traditional HTTP request-response interaction. These vulnerabilities are challenging to find but provide a way for attackers to target otherwise inaccessible, internal systems. An attacker can potentially use this to their advantage. Essentially, a vulnerable application (or API) can be used as a proxy for an attack against a separate internal application, a cloud service, or other protected system.
Update January 17, 2020: A new detection in Qualys Web Application Scanning was added. See “Detecting with Qualys WAS” below.
Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.
Data is the most valuable asset that an organization holds, and the most common target for malicious attackers. According to Forbes, in the first six months of 2019, data breach incidents exposed an astounding 4.1 billion records worldwide. Hackers successfully attacked government agencies as well as private corporations, keeping everyone under a constant threat of exploit. Although data breaches are not a new phenomenon anymore, what stood out in this year’s attacks was the sophistication in which these attacks were carried out. Learned users as well as experienced officials fell prey to the traps, resulting in massive information leakage.
Recent reports this year revealed nearly 1 million computer systems are still vulnerable and exposed to BlueKeep in the wild. These systems are still easy targets for an unauthenticated attacker (or malware) to execute code leveraging this patchable vulnerability. Because so many systems are still vulnerable, Qualys has added its BlueKeep dashboard directly into the product, so you can more easily track and remediate this vulnerability.
The library of out-of-the-box profiles in Qualys File Integrity Monitoring (FIM), with their preconfigured content, provide a scalable solution to detect and identify critical changes, incidents, and risks resulting from normal as well as malicious events. With the help of these profiles, users can easily track file changes across global systems to comply with the security standards and regulations that are most commonly used and adhered to.
Earlier this year the Qualys Web Application Scanning team discovered and reported an open redirect vulnerability (CVE-2019-11016) in Elgg, an open source rapid development framework for socially aware web applications, which the Elgg team promptly fixed.
Versions of the Elgg framework before 1.12.18 and 2.3.x versions before 2.3.11 are vulnerable to open redirect via the $url parameter. An attacker could abuse the functionality by entering a particular path that triggers an open redirect to an attacker-controlled website.
Because this type of vulnerability is not uncommon, QID 150051 in Qualys Web Application Scanning (WAS) was improved to report if this type of open redirect vulnerability is found in a scanned web application.