With the global spread of information technology comes an inevitable increase in the number of vulnerabilities in information systems. The causes are neglect of secure development principles, insecure architecture of these systems, and the ever-present human factor. In 2020 alone, 18,103 vulnerabilities were found in software from various vendors, more than in any previous year. More than half of them (57%) are of high or critical severity, which poses significant risks to the owners of the vulnerable software. Timely installation of patches helps mitigate these risks.
Detecting new vulnerabilities and bringing them to the attention of software vendors is crucial to improving the security of information systems, and Positive Technologies is an active contributor to this process. We adhere to the principles of responsible disclosure: first, all information about a detected vulnerability and the details of its exploitation is provided to the vendor; next, we offer consultation on how to eliminate the vulnerability; finally, only after the vendor releases an official security update, and by agreement with that vendor, do we publish the results of our research.
In the last three years alone, our experts detected and helped eliminate hundreds of serious vulnerabilities (including critical ones) in products of world-renowned software vendors:
- VMware vCenter Server (CVE-2021-21972), a platform for centralized management and automation of VMware vSphere, a key product in modern data centers.
- Citrix ADC and Citrix Gateway (CVE-2019-19781), solutions widely used in corporate networks, including for giving employees terminal access to internal company applications from any device via the Internet.
- Cisco ASA (CVE-2020-3452, CVE-2020-3187, CVE-2020-3259), a series of hardware firewalls. Features include stateful firewalling, deep inspection of application-layer protocols, network address translation, secure remote access to the local network via a web interface, and support for dynamic routing protocols.
- F5 BIG-IP (CVE-2020-5902, CVE-2020-5903), an application delivery controller (ADC) used by some of the world's biggest companies.
- Fortinet FortiWeb (CVE-2020-29015, CVE-2020-29016, CVE-2020-29018, CVE-2020-29019), a family of firewalls for web applications.
- Palo Alto PAN-OS (CVE-2020-2037, CVE-2020-2036, CVE-2020-2038, CVE-2020-2039), an operating system used by Palo Alto Networks next-generation firewalls (NGFW).
- SonicWall SonicOS (CVE-2020-5135, CVE-2020-5133, CVE-2020-5134, CVE-2020-5137, CVE-2020-5136, CVE-2020-5138, CVE-2020-5139, CVE-2020-5140, CVE-2020-5141, CVE-2020-5142, CVE-2020-5143), an operating system used by popular SonicWall firewalls. SonicWall ranks fifth among manufacturers of hardware security solutions worldwide.
Positive Technologies helped to eliminate vulnerabilities in the Intel Management Engine subsystem in modern Intel processors and fix security flaws in solutions of other major companies, such as Dell (CVE-2020-5366), Microsoft (CVE-2019-0697, CVE-2019-0726), and Check Point (CVE-2020-6020), as well as in industrial control systems by Schneider Electric (CVE-2018-7760), Moxa (CSA-20-056-01, CVE-2019-9098, CVE-2019-9099, CVE-2019-9102), Rockwell (ICSA-20-070-06), and Siemens (ICSA-19-036-04).
Our company is an active contributor to OWASP (Open Web Application Security Project). Our studies highlight key information security problems and promote best practices in information systems protection. Our studies include:
- Threat analysis research: quarterly reports on evolving cyberthreats. Their results help organizations keep track of current information security trends.
- Articles about the dark web ("Custom hacking services" and "Access for sale"), in which we analyze the malicious schemes used by attackers. Infosec experts can use our findings to forecast potential threats to their companies in good time.
- Security assessments of the IT infrastructure of major companies ("External pentests results" and "Internal pentests results"), in which we share, in anonymized form, the key weaknesses in the protection of network perimeters and internal networks. This information helps companies avoid common mistakes and keep them in mind when building a security system for their IT infrastructure.
- Articles on vulnerabilities and threats in mobile and web applications, in which we share our knowledge of the security problems of these systems and offer protection measures.
- Studies of vulnerabilities in online banking applications and ATMs, in which we discuss attack techniques, the most common vulnerabilities, and methods for eliminating them.
- Analysis of ICS vulnerabilities, in which we share our knowledge of the most serious ICS security problems and urge industrial companies to analyze more thoroughly and protect the equipment in the ICS segment of their internal networks.
Another important part of our experts' daily work is analyzing the activity of cybercriminal groups and publishing tools that help confront attackers effectively. We actively contribute to the global fight against cybercrime, analyze attackers' tactics and techniques, and share our findings in our blog. Our specialists have investigated attacks by groups such as:
- Higaisa (Winnti, APT41). The group became famous for its attacks on computer game developers.
- TaskMasters. The main objective of the group is to steal confidential information belonging to organizations. The attackers attempt to burrow into corporate information systems for extended periods and obtain access to key servers, executive workstations, and business-critical systems.
- Calypso. The group has been active since at least September 2016. The primary goal of the group is theft of confidential data.
- TA505. The group has been active since 2014. During six months in 2019, the group attacked at least 26 companies in 64 countries. Targets: banks, research institutes, energy companies, healthcare, and aviation. The attackers are primarily after money and intellectual property.
During ransomware epidemics (such as NotPetya), our company was among the first to share recommendations on how to contain the threat and recover affected systems.
All our expertise is available in public sources and is used as a basis for the development of our security solutions.
Positive Technologies calls upon all information security researchers to follow the principles of responsible disclosure and invites them to take part in the Positive Hack Days 10 international security forum.