HackerOne

Security Highlights: New CWE Rankings, Software Supply Chains, and Side-Channel Attacks

HackerOne Blog

The cybersecurity landscape moves so quickly that taking even a day off can cause you to fall behind. To help you stay in the loop, we’ve rounded up critical pieces of cybersecurity news and resources from the past week.

MITRE Releases 2022 CWE Top 25

The popular CWE Top 25 list, which ranks the most dangerous software vulnerabilities, has been updated for 2022. The CWE Top 25 is updated annually by The MITRE Corporation with support from the U.S. Cybersecurity & Infrastructure Security Agency. 

Over 37,000 reported CVEs were analyzed to develop the rankings. The top ten vulnerabilities have shifted in order but remain the same top ten as last year. Out-of-bounds write and Cross-Site Scripting kept their spots at number one and two, respectively. Multiple race condition and command injection vulnerabilities increased in rank or entered the top 25 for the first time. 

The CWE Top 25 is a valuable resource for risk ranking and prioritizing vulnerability remediation. To learn more about CWEs, read our explainer blog.

MITRE.org: 2022 CWE Top 25 Most Dangerous Software Weaknesses 

Software Supply Chain Attacks Persist

On June 29th, OpenSea, the leading NFT marketplace, disclosed a data breach. An employee at their email delivery vendor downloaded the email addresses belonging to OpenSea user accounts and newsletter subscribers. Stolen customer data was shared with an unknown third party, likely for criminal use. OpenSea has warned customers to be extra cautious about phishing and other impersonation scams. 

This breach is just the latest incident highlighting the risks posed by third-party vendors and software supply chains. Last year saw multiple incidents with global impact, including the SolarWinds breach and Log4Shell vulnerability. HackerOne’s Senior Security Technologist, Kayla Underkoffler, warns that despite well-known weaknesses in the supply chain, these issues are not going away at an industry level. 

But addressing the issue within your organization is possible and necessary. Kayla covers how your organization can effectively reduce the risk of supply chain attacks, starting with identifying and inventorying your vendors and their security controls.

Dark Reading: It's a Race to Secure the Software Supply Chain — Have You Already Stumbled?

Data Breach of Shanghai Police May Have Exposed Personal Records of One Billion Chinese Citizens

Researchers are investigating a massive data breach of Chinese citizens that includes names, national ID numbers, addresses, birthplaces, and crime reports related to those individuals. 

Reports indicate the data came from a compromise of the Shanghai police’s database. The breach was discovered late last week when it was listed for sale on a cybercrime forum for ten bitcoin (approximately $200,000). 

If details of the breach are accurate, this would be one of the largest in history. Wall Street Journal reporter Karen Hao contacted nine citizens whose information was contained in the leak. All nine confirmed the leaked information was accurate and “would be difficult to obtain from any source other than the police.” 

Microsoft and CISA Want You To Abandon Basic Auth Now

Users of Microsoft’s Exchange cloud email platform are urged to ensure their systems use secure authentication. The platform is in the process of retiring one of its authentication options, known as Basic Authentication.

Basic Authentication is insecure for many reasons, and both the U.S. Cybersecurity & Infrastructure Security Agency and Microsoft are telling organizations to migrate away from Basic Authentication immediately. 

Microsoft will begin disabling Basic Authentication starting October 1st, 2022. But they have urged users not to wait, warning in a statement, “every day your tenant has Basic Auth enabled, you are at risk from attack.” The secure replacement—Modern Authentication—uses OAuth and supports 2FA. 

How the Hertzbleed Vulnerability Works

Earlier this month, security researchers published their discovery of the Hertzbleed vulnerability. This vulnerability is a new type of side-channel attack that poses a risk to cryptographic algorithms and secure software.

Side-channel attacks are a class of attacks that analyze the operation of computer systems to find security weaknesses. Previous side-channel attacks have used electromagnetic readings and highly sensitive microphones to steal data from computer systems. Side-channel vulnerabilities have become a popular area of research for modern cryptographic algorithms, which are well-designed and difficult to “break” with traditional cryptanalysis.

Luckily, the Hertzbleed vulnerability is primarily of academic interest for now. While researchers have demonstrated the vulnerability is exploitable, it's much more complicated than traditional vulnerabilities and requires direct access to the target computer and extensive analysis. So don’t worry about having to patch anything.

Hertzbleed works by monitoring the electrical frequency that CPUs operate at while performing operations. These frequencies change at the nanosecond scale, and researchers demonstrated these changes could be observed and analyzed to read the data being processed. 

If you want to learn more about state-of-the-art vulnerability research, Cloudflare has published an extensive explainer about how Hertzbleed works.

Stay Safe With HackerOne

Keeping up with the latest in cyber threats and software vulnerabilities is difficult enough. Protecting your entire attack surface is even harder. Earlier this year, HackerOne surveyed IT executives from over 800 organizations. Nearly half reported significant gaps in their ability to inventory or defend their attack surface. 

HackerOne can help your organization stay on top of the ever-changing threat landscape with Attack Resistance Management, designed to shrink the gap between your current attack surface coverage and your actual attack surface. Our platform has solutions to improve your organization’s security in every step of the software development lifecycle from pre-production to release. Contact us to learn more.
