
Finding TeamCity On-Premises installations with runZero

On February 6th, 2024, JetBrains disclosed a serious vulnerability in the TeamCity On-Premises product. 

The issue, CVE-2024-23917, allows attackers who can access the TeamCity installation via HTTPS to bypass authentication mechanisms and gain administrative privileges on the affected systems.

What is the impact? #

Upon successful exploitation of this vulnerability, attackers can execute arbitrary commands on the vulnerable system. This includes the creation of new users, installation of additional modules or code, and, in general, system compromise.

Are updates or workarounds available? #

JetBrains has released an update to mitigate this issue. Users are urged to update as quickly as possible.

How do I find potentially vulnerable TeamCity installations with runZero? #

From the Services Inventory, use the following query to locate assets running the vulnerable products in your network:

product:TeamCity

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding AnyDesk Installations with runZero

On February 2, 2024, AnyDesk disclosed that they have been the victim of a cyber attack that has compromised production systems.

This compromise led AnyDesk to revoke its current code signing certificate, as well as reset all passwords for various cloud services.

The company indicates in their statement that they do not have any evidence that end-user systems have been compromised. They do, however, recommend users change passwords if they are used for both AnyDesk and other services. The company also recommends that users update to the latest version of AnyDesk with the new code signing certificate.

What is the impact?

According to the company, they do not have any evidence that end-user systems have been compromised. However, they state that their production systems have been impacted, and they have revoked their existing code signing certificate.

Are updates or workarounds available?

As part of its statement, AnyDesk urged users to change their passwords if the same password is used for AnyDesk and other services. Additionally, they recommend that users update to the latest version of AnyDesk, which uses the new code signing certificate.

How do I find AnyDesk installations with runZero?

From the Services Inventory, use the following query to locate AnyDesk clients:

product:AnyDesk

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.


Why is cybersecurity compliance challenging for financial institutions?

Have you ever thought about what it would be like to open a bank? 

Arguably, today it’s easier than ever to start a new bank. The popularization of internet banks and online banking means you no longer need ATMs, hard currency, vaults, physical branches, tellers, or security guards.

So why isn’t everybody just doing it?

It’s the regulations.

To run a bank, you’ll need to navigate a multifaceted, regularly shifting environment where regulations, laws, and standards are complex, demanding, and sometimes contradictory. Right off the bat, this requires a non-trivial effort to understand the legal intricacies, nuances, and ramifications of compliance.

Then, you’ll need to spend time and money ensuring the right tools and processes are put in place to ensure compliance with all requirements.

Let’s examine the many cybersecurity compliance hurdles financial institutions face.

Stringent cybersecurity regulations #

Imagine Huxley Credit Union is coming to a web browser near you. Here’s what you must comply with for cybersecurity if you start a local credit union doing business only in the United States:

This cornerstone regulation mandates financial institutions, including credit unions, to implement security measures to protect non-public personal information (NPPI) of members. The Federal Trade Commission (FTC) Safeguards Rule under GLBA sets specific security standards and incident reporting requirements.

This anti-money laundering (AML) and cybercrime prevention law requires credit unions to establish AML programs, conduct customer due diligence, and monitor transactions for suspicious activity. Robust cybersecurity measures are vital for effective AML compliance.

(Not to be confused with CISA, the DHS agency.) This law encourages the sharing of cybersecurity threat information between private sector entities and the federal government. While not a direct compliance requirement, credit unions may participate in information-sharing initiatives to enhance their cybersecurity posture.

The NCUA issues regulations and guidance related to information security and cybersecurity for credit unions. Credit unions must follow NCUA guidelines to ensure the security of member information and avoid regulatory enforcement actions.

Credit unions may be subject to state-specific data breach notification laws, which require prompt disclosure of security incidents involving personal information. Examples include Massachusetts’s 201 CMR 17.00 or New York’s 23 NYCRR 500. Failure to comply with these laws can lead to penalties imposed by state regulators.

Industry standards and frameworks #

There are other frameworks for the industry that apply as well:

If a credit union processes credit or debit card transactions, it must comply with PCI DSS requirements to secure cardholder data and payment systems. Non-compliance can lead to fines imposed by payment card networks.

While not a regulation, the FFIEC CAT provides a framework for self-assessing cybersecurity preparedness. Credit unions using the CAT demonstrate proactive adherence to best practices.

This is a voluntary framework for managing cybersecurity risks. Implementing relevant parts of the framework can improve a credit union’s overall cybersecurity posture.

To recap, all the above are just for cybersecurity. There will be other regulations to consider for the rest of the business — each with their own requirements and standards to meet.

Compliance is ongoing — and regulations change #

Setting up tools and systems to ensure compliance isn’t a one-and-done event either.

Compliance is a continuous process. And to make matters worse, regulations change — with the updated versions imposing new or altered requirements. For example:

  • 2021: Clarifications on multi-factor authentication (MFA) and risk assessments.
  • 2020: Updates on incident response, encryption, and vendor management.

  • 2020: Version 4.0 released with updated requirements for encryption, logging, and vulnerability management.
  • 2019: Updates in version 3.2.1 on incident response and service provider controls.

Ongoing amendments and interpretations focusing on cybercrime prevention and suspicious activity monitoring.

The cost of falling behind #

Failing to keep up with regulatory changes can have substantial material impacts, alongside the reputational damage.

In 2023, OneMain Financial Group paid a $4.25 million fine pursuant to a consent order to settle alleged violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500). These included improperly storing passwords and not sufficiently managing risk from third-party data storage. Even though the regulation became effective in 2017, the consent order cited violation as late as 2021, indicating a significant failure to keep up with regulatory changes.

Regulatory language is open to interpretation #

Different interpretations of the language used in regulations can lead to additional costs or unexpected penalties.

Real-life example: Interpreting requirements

In 2003–2004, I led numerous secured email projects to help bring institutions into compliance with a new regulation. In particular, we had to ensure that all email communication between the company and its customer was secured.

All but one of my customers interpreted the regulation to mean they had to authenticate the recipients. It took additional cost and effort to maintain a database of email addresses and passwords, and support the forgotten password and password reset functionalities, but was deemed necessary.

There was one exception among my customers who interpreted the regulation more minimally. This company believed that the payload had to be encrypted in transit, but no more. Hence, we implemented a one-click, passwordless envelope.

I’m not aware of what’s happened since then. If it turned out that they were never in violation due to this interpretation, then many other institutions spent more time, effort, and cost than necessary for compliance.

How to define ‘material’? #

More recently, the Securities and Exchange Commission (SEC) released an update stating:

“The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.”

How an institution interprets ‘material’ can materially impact cost and effort (pun intended).

A bank may expose itself to fines or penalties with a stricter interpretation of ‘material’. While with a looser interpretation, it may end up doing unnecessary work.

Unfortunately, regulatory deadlines typically apply to large swathes of institutions simultaneously. So you can’t wait to see how the agency judges your peers and then act accordingly.

Customer expectations shape what’s viable #

Even when — or especially when — financial institutions are expending significant effort on compliance, they mustn’t lose sight of the fact that their primary purpose is to service customers.

Borrowers and depositors come from all walks of life, with varying levels of tech-savviness and tolerance for hurdles to accessing and moving their money.

Compliance could be easier if banks could put more onus on customers. But if a bank required a retinal scan for each online banking login, customers would offboard in droves.

Following regulations would be less complicated if banks could spend a longer period undertaking certain processes. But if a bank took three weeks to vet a digital transfer, they would lose out to their speedier competitors.

Even the data doesn’t make it easy to comply #

Complying with these various regulations and requirements would be challenging enough if each bank had just a single database. But that is not remotely the case.

Financial institutions deal with millions, even billions of records, typically spread across several databases and systems: countless customers, accounts, transactions, financial instruments, and internal operations.

Transaction data, in particular, stands out as a data type with extremely high velocity. This makes it difficult to conduct any sort of real-time monitoring that regulations may require. Monitoring is made even harder given that the data is often unstructured (e.g. email messages) or binary (e.g. uploaded screenshots or Microsoft Word documents).

Compounding the problem, financial data often comes from legacy systems. Compliance when working with legacy data from legacy systems becomes drastically more difficult.

Real-life example: Making sense of Kafkaesque legacy data and systems

Several years ago, I was building a secured messaging system for a bank. They had three different types of global unique identifiers (GUIDs). (Yes, I realize that those aren’t truly GUIDs, but that’s what they called them.)

Even further back in time, the three different types of GUIDs had been pulled into a single denormalized table. A customer could have one, two, or three of these GUIDs, in any combination!

My code had to painstakingly examine other fields to see which GUID to use for which purpose, and to extract data from other systems. To make things more Kafkaesque, the GUIDs were called TBP, CIF, and UWN, and no one could tell me what the acronyms stood for.

Exchanging data with (many) third parties #

Let’s not forget that it’s not just the data stored in-house that needs managing in a compliant way. Banks are also responsible for ensuring data security and compliance when data is shared with or handled by third parties.

Here is a non-exhaustive list of third parties that banks typically interoperate with:

  • ACH Network, Zelle, Fedwire, Real Time Payments (RTP), Visa Direct, Mastercard Send, SWIFT, SEPA, CHIPS, TARGET2, Visa, Mastercard, American Express, Discover
  • The Clearing House Payments Company (CHIPS), Depository Trust & Clearing Corporation (DTCC), National Clearing House (NCH)
  • Fiserv Cardholder Verification Value (CVP), Early Warning Services (EWS), Riskified, Accertify
  • Moody’s Analytics, S&P Global Market Intelligence, LexisNexis, Dun & Bradstreet
  • Experian, Thomson Reuters, Finastra, Regulatory Reporting Services (RRS)
  • Bolero International, Marco Polo Trade Finance Network, Traxys
  • Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), Core banking platforms (e.g., FIS, Jack Henry)
  • Coinbase, Gemini, Circle

Ensuring cybersecurity compliance #

From keeping up with changing regulatory requirements to meeting customer expectations, and from deciphering ambiguous meanings to unpacking legacy data, cybersecurity compliance is a complex challenge for financial institutions.

They face a huge array of complicated and continually evolving regulations, laws, and standards on cybersecurity. Ensuring compliance with these requires a comprehensive and robust security program, including tools and processes to generate periodic reports or disclosures, processes to remediate any violations, and the staff to make it all happen.

And while all of this costs time and money, the costs of non-compliance — either through fines or cybercrime — are considerably heftier.

All of this is why you won’t, after all, see Huxley Bank in a web browser near you any time soon.



Employee Spotlight: Andrew Click-Horn

Andrew Click-Horn is our versatile software engineer, whose philosophy on flexibility extends beyond the realm of coding and into his personal life. Andrew is a full stack engineer who focuses on frontend architecture here at runZero, AKA a lot of the stuff that the user won’t see but that will directly affect their experience. When Andrew isn’t coding and collaborating with coworkers, he’s hanging out at home with his family and two cats! He likes to play video games and has a big backlog of original 2002 Xbox games. He’s chipping away at the list and, of course, adding more games along the way. He also enjoys photography and going on nature walks with his son.

Read on to learn more about Andrew’s experience at runZero and his secret to success!


Q&A

What do you love most about your job?

I love being able to improve the user experience and it’s important to me that the user has a good time with the product. I try to understand a user’s “why”, what outcomes they’re trying to achieve, and how their life can be made easier by improving that. It’s pleasing to hear when people not only use your product but also enjoy using it!

On that same subject, sometimes you get negative feedback, and that’s nice too because it starts a feedback loop. You listen to the user’s issues, work to improve them, and then hopefully you get more feedback saying, “Wow, that’s great! Thanks for actually listening.” It’s really easy to enjoy this process when collaboration is explicitly encouraged by management. In our discussions, we bring up different decision points and chat about the pros and cons. It’s a healthy dialogue and everybody is really good at providing positive or negative feedback when necessary. We assume good intentions and it’s a super positive environment.

What makes runZero different from other organizations that you’ve worked at?


I’ve worked at places where management was extremely toxic or I was kind of siloed, just working on my own thing. Whereas at runZero, I feel that management at every level is super mindful of the employees. Whether that be our needs as employees, understanding the importance of employer retention, making sure we feel like the work we do is appreciated, or just generally driving innovation forward and encouraging collaboration, they take care of our crew. Going back to the C word there. Collaboration.

Honestly, the remote aspect can be a little challenging at times but I feel like our meetings here are more productive because folks are mindful to be detail-oriented and take feedback in stride. That’s necessary. When you’re in an in-person environment, I feel like it’s a lot easier to hold things back or not bring them up ever because “you’ll figure it out eventually”. A lot of our collaboration comes down to Zoom meetings or Slack messages and it works out well. In an office, it was really easy to get carried away with talking to multiple people about whatever is in the news or what have you and take up tons of time talking. Whereas with the kind of asynchronous communication that we have or even over Zoom, it’s a lot easier to pare it down and be really intentional about what you’re saying and doing.

What do you think is the most important skill that a successful professional needs to have?

Hands down, it’s being flexible. Every successful person that I’ve met, or known, has been able to roll with punches, learn new skills, and take feedback in stride. I can’t think of any reason why somebody should not strive to be flexible. If you’re able to learn a new and necessary skill for work or you’re able to shift into a position that you might not like – you grow as a person. Pushing yourself out of your comfort zone may feel uncomfortable at first, but with time, maybe you’ll learn to like it. I feel when someone’s inflexible, unwilling to learn, or unwilling to improve, they will miss opportunities to grow and won’t be successful.

What was the last show you watched?

It’s hard to remember exactly which show I watched last since I have a two-year-old. It was probably either Blue’s Clues, Cars on the Road, or Ms. Rachel.


Finding Fortra GoAnywhere MFT with runZero

On January 22nd, Fortra disclosed a serious vulnerability in its GoAnywhere Managed File Transfer (MFT) product.

This issue, CVE-2024-0204, allows attackers to bypass authentication controls and create new administrative user accounts. Such accounts can then be used to access the system with full administrative privileges. This vulnerability has a CVSS score of 9.8, indicating that it is a critical vulnerability.

It is unknown if this vulnerability is being actively exploited in the wild.

What is the impact? #

Upon successful exploitation of this vulnerability, attackers can execute arbitrary commands on the vulnerable system. This includes the creation of new users, installation of additional modules or code, and, in general, system compromise.

Are updates or workarounds available? #

Fortra has fixed this vulnerability in version 7.4.1 of the product and recommends that users upgrade. Additionally, a workaround is provided as described in the vulnerability advisory.

How do I find potentially vulnerable Fortra installations with runZero? #

From the Services Inventory, use the following query to locate assets running the vulnerable products in your network that expose a web interface and which may need remediation or mitigation:

_asset.protocol:http AND protocol:http AND (last.http.body:"alt=%GoAnywhere Web Client" OR http.body:"alt=%GoAnywhere Web Client")

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.
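Locating the exposed GoAnywhere web interfaces is the first step; the next is sorting the hits by whether their fingerprinted version predates the 7.4.1 fix named above, and separating out services where discovery could not determine a version at all, since those cannot be assumed patched. The script below is an added example, not runZero's or Fortra's code. It assumes the runZero services export is a JSON list of objects carrying `product`, `version`, `address` and `port` fields (field names are an assumption), that the Export API accepts the advisory's query in a `search` parameter on `/api/v1.0/export/org/services.json` with a bearer token (also an assumption), and it works offline on a constructed sample export. The same `triage` function serves the `product:TeamCity` and `product:AnyDesk` queries from the earlier posts once the fix version from the respective vendor advisory is passed in.

```python
"""Triage a runZero services export against the GoAnywhere MFT fix version.

Added example, not runZero's or Fortra's code. Field names in the export,
the Export API path and the `search` parameter are assumptions; the fix
version 7.4.1 is taken from the advisory above.
"""
import json
import os
import urllib.parse
import urllib.request

# Fix version stated in the Fortra advisory summarised above.
FIXED_VERSION = "7.4.1"

# The runZero Services Inventory query from the advisory, verbatim.
GOANYWHERE_QUERY = (
    '_asset.protocol:http AND protocol:http AND '
    '(last.http.body:"alt=%GoAnywhere Web Client" OR '
    'http.body:"alt=%GoAnywhere Web Client")'
)

# Constructed sample export (not real hosts): one outdated, one at the fix
# version, one with no version fingerprint, one newer, one unrelated service.
SAMPLE_SERVICES = [
    {"address": "10.0.0.5", "port": 8000, "product": "GoAnywhere MFT", "version": "7.3.2"},
    {"address": "10.0.0.6", "port": 443, "product": "GoAnywhere MFT", "version": "7.4.1"},
    {"address": "10.0.0.7", "port": 8001, "product": "GoAnywhere MFT", "version": ""},
    {"address": "10.0.0.8", "port": 443, "product": "GoAnywhere MFT", "version": "7.5.0"},
    {"address": "10.0.0.9", "port": 80, "product": "Apache httpd", "version": "2.4.57"},
]


def parse_version(text):
    """'7.4.1' -> (7, 4, 1). Stops at the first component with no digits,
    so '7.4.1-hotfix' compares as 7.4.1; an empty string yields ()."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_below(version, fixed):
    """Numeric component-wise comparison, padding short tuples with zeros,
    so '7.4' is below '7.4.1' while '7.10.0' is not (no string compare)."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def export_url(search, base="https://console.runzero.com"):
    """Build the org services export URL for a search string.
    Assumption: the Export API takes the query in a `search` parameter."""
    return f"{base}/api/v1.0/export/org/services.json?" + urllib.parse.urlencode({"search": search})


def fetch_services(search, token):
    """Pull the export with an Export API token (bearer auth assumed)."""
    req = urllib.request.Request(export_url(search), headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def triage(services, product_match="goanywhere", fixed=FIXED_VERSION):
    """Bucket matching services by whether their version predates the fix.
    Services with no version fingerprint are reported separately: a
    discovery scan cannot prove them patched, so they need a manual check."""
    result = {"vulnerable": [], "unknown": [], "fixed": []}
    for svc in services:
        if product_match not in (svc.get("product") or "").lower():
            continue
        where = f"{svc.get('address')}:{svc.get('port')}"
        version = (svc.get("version") or "").strip()
        if not parse_version(version):
            result["unknown"].append(where)
        elif is_below(version, fixed):
            result["vulnerable"].append(where)
        else:
            result["fixed"].append(where)
    return result


if __name__ == "__main__":
    # With RUNZERO_EXPORT_TOKEN set, run the real export; otherwise use the sample.
    token = os.environ.get("RUNZERO_EXPORT_TOKEN")
    services = fetch_services(GOANYWHERE_QUERY, token) if token else SAMPLE_SERVICES
    for bucket, hosts in triage(services).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

The `unknown` bucket is the one to watch: a banner or login page that matches the query but yields no version is exactly the case where an inventory tool's answer is "go look", not "you are fine".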

