controlgap.com

Posts about: offensivesecurity

Offensive Security Foundations for Financial Industry Professionals

Security Standards (PCI DSS) are vital in establishing baseline security measures for financial industry professionals who face challenges safeguarding sensitive information. However, organizations must understand that compliance with these standards does not equate to comprehensive security. Continue reading to better understand the foundations of offensive security and the importance of proactive measures beyond mere compliance to achieve a mature security posture in the financial industry.


Penetration Testing for Cybersecurity Insurance: What You Need to Know

As cybersecurity threats continue to evolve and become more sophisticated, the importance of robust security measures, coupled with comprehensive cybersecurity insurance, cannot be overstated. Cybersecurity insurance serves as a critical safety net for organizations, protecting them against the financial repercussions of cyber incidents such as data breaches, ransomware attacks, and business interruptions. Among the essential practices to strengthen security and meet insurance requirements, penetration testing, or pentesting, has emerged as a crucial method to identify and address vulnerabilities before malicious actors can exploit them. This article delves into the significance of pentesting for cybersecurity insurance, elucidating why it is indispensable for organizations aiming to safeguard their digital assets and secure favorable insurance terms.


Cyber Attack Seasons: Key Times When Businesses Are at Risk

While cyber attacks remain a persistent, year-round threat to organizations, cybersecurity professionals have discovered patterns in the frequency and intensity of attacks throughout the year. These attacks are influenced by various factors, including economic cycles, sporting events, and even the seasons. Understanding these patterns can help organizations prepare and reinforce defenses during high-risk periods. Here's a detailed look at when organizations are most vulnerable to cyber attacks.


Safeguarding Innovation in the Digital Age

In today's fast-paced tech landscape, startups are the driving force behind innovation. However, with rapid growth and development comes increased vulnerability to cyber threats. As a startup founder or leader, you might wonder if investing in offensive security services is necessary at your stage. The answer is a resounding yes, and here's why.

The Unique Vulnerability of Tech Startups

Tech startups face a perfect storm of cybersecurity challenges:

  1. Valuable intellectual property
  2. Limited resources for security
  3. Rapid scaling and frequent changes
  4. Attractive targets for cybercriminals

These factors make startups particularly susceptible to cyber attacks, which can be devastating for a young company still establishing its reputation and customer base.


Enhancing Cloud Application Security: OWASP 2024 Guide for Developers

The Open Worldwide Application Security Project (OWASP) is an essential resource for developers, particularly those working with cloud-based systems. As cloud computing continues to dominate the tech landscape, understanding the security challenges and solutions in this environment is crucial. This article, focusing on OWASP's contributions to cloud application security in 2024, offers vital insights into how developers can fortify their cloud applications against emerging threats.


Access Control Facades and Hardcoded Secrets: A Sage 300 Case Study (Part 2)

This is a continuation of the Sage 300 case study series where we explore the process of discovering and developing exploits for six (6) different vulnerabilities we found in Sage 300 that would have allowed users to bypass authentication, decrypt sensitive data including stored passwords, and obtain direct database access.

In the first part of our Sage 300 case study, we showed how the Sage 300 authentication was a façade that could allow a low-privileged TEST user to gain unrestricted access to the database, and (in some configurations) even the underlying host. We also showed how it was possible to exploit these issues by copying and pasting a password in an ISM file and then unmasking a password textbox. While simple, this method involved overwriting the ADMIN password, which wasn’t particularly elegant.

In this part of the case study, we will aim to completely subvert this application’s access controls by figuring out how the Database Setup utility retrieves and decrypts the SQL password, which would allow us to simply read and decrypt the SQL password from the exposed ISM files, and probably all the other user passwords too. To accomplish this, we’ll need to get our hands dirty with some reverse engineering.

Note that this portion of the case study will get quite technical. If you can’t make it through, we suggest you skip to Part 3.


Access Control Facades and Hardcoded Secrets: A Sage 300 Case Study (Part 3)

This is a continuation of the Sage 300 case study series where we explore the process of discovering and developing exploits for six (6) different vulnerabilities we found in Sage 300 that would have allowed users to bypass authentication, decrypt sensitive data including stored passwords, and obtain direct database access.

In the first part of our Sage 300 case study, we introduced Sage 300, explored the process an administrator would take to secure an installation based on the vendor documentation, highlighted red flags in the vendor documentation that raised questions about the design of the application’s security controls, investigated those security controls, and figured out how to exploit design flaws to impersonate users, access the database directly, and execute code on the underlying database system.

In the second part of our Sage 300 case study, we walked through the process of reverse engineering the encryption algorithm used by Sage 300 so we could decrypt passwords stored in the ISM files and, in the process, discovered a pattern of hardcoded secrets being used through the application binaries. We explored each vulnerability we discovered to figure out the impact and then developed proof-of-concept code snippets to exploit each one. In the end we had developed the capability to extract plaintext user credentials and SQL strings from the ISM files, decrypt passwords stored in the PORTAL database (Web Screens functionality), obtain administrator access to the Apache Solr instance associated with the Global Search feature, and retrieve other secrets stored in configuration files.


Access Control Facades and Hardcoded Secrets: A Sage 300 Case Study (Part 1)

Software solutions have had to evolve rapidly to keep pace with cybersecurity threats. Today, nearly every significant software solution is loaded with security features to protect against a range of threats. One of the most important security features included in modern software products is access controls. Access controls are mechanisms that control which users can access, modify, and/or delete specific resources. Organizations rely on these access controls to prevent unauthorized personnel from accessing privileged data and software functionality, and to track the access of legitimate users so that the organization can respond to insider threats. With cyberattacks and insider threats on the rise, what happens when the access control mechanisms that organizations have grown to rely on are found to be critically flawed?

In this series of articles, we’ll explore the process of discovering and developing exploits for six (6) different vulnerabilities we found in Sage 300 that would have allowed users to bypass authentication, decrypt sensitive data including stored passwords, and obtain direct database access.

This series is the full technical disclosure we committed to in the Vulnerability Brief we published in April. If you’re a Sage 300 user, administrator, or partner looking for a high-level overview of the issues and remediation guidance, please see that article instead.


Control Gap Vulnerability Roundup: April 29th to May 5th

This week saw the publication of 294 new CVE IDs. Of those, 99 have not yet been assigned official CVSS scores; of the ones that were, approximately 10% were of critical severity, 33% were high, 57% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • The highly popular WordPress plugin, “Advanced Custom Fields”, which boasts more than 2 million users, was found to have been affected by an XSS vulnerability which would allow an unauthenticated attacker to conduct scripting attacks against site admins.
  • A particular model of Cisco phone adapter was found to allow unauthenticated users to force firmware updates on the device, resulting in complete compromise of the system. The devices are end-of-life and Cisco has stated they will not be releasing a fix.
  • OpenText BizManager, a popular document management system, had a vulnerability disclosed this week which would allow for the takeover of admin accounts.
  • Acronis, a security vendor specializing in backup solutions, had a CVE published this week for two products affected by information disclosure vulnerabilities. Interestingly, the vulnerabilities were addressed by Acronis a year ago in an official advisory.

Control Gap Vulnerability Roundup: April 22nd to April 28th

This week saw the publication of 501 new CVE IDs. Of those, 430 have not yet been assigned official CVSS scores; of the ones that were, approximately 20% were of critical severity, 13% were high, 67% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Apache Superset disclosed a vulnerability affecting multiple versions of the Superset server. The issue has been known since October 2021 but was finally patched this past week. Apache is urging users to update immediately.
  • The highly popular print server “PaperCut” has disclosed multiple critical severity vulnerabilities which are being actively exploited in the wild. Unauthenticated attackers can exploit affected PaperCut servers to execute remote code. Trend Micro, the researchers who initially discovered the vulnerability, have announced that they will wait until May 10th to release technical details. Horizon3 and Huntress Labs have preempted Trend Micro by releasing their own blog posts and PoC exploits publicly.
  • APC, an incredibly popular battery backup and electrical product producer, has disclosed a vulnerability affecting the software used to manage their products remotely. This vulnerability’s severity could potentially be exacerbated as these products are commonly relied on during disaster recovery situations.
  • ESET has released research showing that they were able to retrieve highly sensitive information from networking technology purchased on the secondhand market. ESET was able to retrieve network and application configuration information in addition to authentication secrets even from devices which were said to be securely wiped by a third-party service.