Where are the women in cyber security? On the dark side, study suggests
Also, Royal ransomware metastasizes to other critical sectors, and this week's critical vulnerabilities
In Brief If you can't join them, then you may as well try to beat them – at least if you're a talented security engineer looking for a job and you happen to be a woman.
As we've noted before, the infosec world moves at a glacial pace toward gender equity. It appears that's not the case in the cyber criminal underground, according to Trend Micro, which recently published a study in which it claims at least 30 percent – if not more – of cyber criminal forum users are women.
For its study, Trend Micro looked at five English-language cyber crime forums: Sinister, Cracked, Breached, Hackforums and (now defunct) Raidforum. And it inspected five Russian-language sites: XSS, Exploit, Vavilon, BHF and WWH-Club.
To be fair, Trend Micro's methodology is a bit iffy – and the report itself admits as much. Users on these forums are are largely anonymous, necessitating use of tools like Semrush and uClassify's Gender Analyzer V5 to make what amounts to guesses – at best.
Nonetheless, Trend Micro said it analyzed posts and traffic on the ten forums and found that, for English language sites, some 40 percent of users appear to be women, and 42.6 percent of Russian cyber crime forum users were women, or at least write like them.
"When compared to Stack Overflow, a developer and programming forum, only 12 percent of visitors were female," Trend Micro said of its use of Semrush.
Gender Analyzer V5 is trained on 5,500 blog posts written by women, and the same number by men, in order to analyze language for signs of gendered usage, which Trend Micro used to analyze a subset of profiles on English site Hackforums and Russian XSS. According to the report, 36 percent of users at Hackforums were likely women based on their use of language, and 30 percent of XSS forum users were reportedly women based on the same analysis.
So, what does that all mean? According to Trend Micro, it indicates that the cyber criminal underground is more meritocratic than the white hat world.
"Developers are valued for their skills and experience, and not necessarily for their gender when it comes to conducting business in the underground," Trend Micro said. As such, they say that investigators should avoid defaulting to "he" when discussing cyber criminals. But there's a more obvious lesson to be learned here.
If you overlook qualified security professionals on the basis of gender, don't be surprised if they end up on your radar again. Though perhaps in the form of a researcher bearing a friendly breach notice, and not someone out for criminal profit.
Let's get critical
Topping this week's list of vulnerabilities is a pair of flaws in the CryptParameterDecryption function of Trusted Platform Module 2.0's reference implementation code – serious regardless of the score, which isn't yet listed in the CVE page for the vulnerabilities.
- CVSS ? – CVE-2023-1017 – A lack of length checks could allow an attacker to write two bytes past the end of the buffer;
- CVSS ? – CVE-2023-1018 – And the attacker can also use the same vulnerability to read two bytes past the buffer. If used together, exploitation can lead to local information disclosure or escalation of privileges.
Several models of Cisco IP Phones were found to be sporting a pair of vulnerabilities, one quite serious and one somewhat less so.
IP phone models 6800, 7800 and 8800 are all vulnerable to:
- CVSS 9.8 – CVE-2023-20078 – An unauthenticated remote attacker could inject arbitrary commands via the web-based management interface to inject arbitrary commands and execute them with root privileges.
In addition to the three models above, Unified IP Conference Phone 8831 and the same model with multi platform firmware, and Unified IP Phone 7900 series are vulnerable to:
- CVSS 7.5 – CVE-2023-20079 – The web-based management platform could allow an unauthenticated remote attacker to cause the device to reboot, resulting in denial of service.
In addition, Cisco Application Policy Infrastructure Controller and Cisco Cloud Network controller have a vulnerability, for which a CVE number wasn't provided:
- CVSS 8.8 – The web-based management platform for Cisco APIC and Cloud Network Controller are vulnerable to a cross-site request forgery attack.
CISA passed along seven industrial control system vulnerabilities this week, but only three of them ranked critical:
- CVSS 10 – CVE-2023-0776 – Baicells Nova 436Q, 430E and 430I; and Neutrino 430 LTE TDD eNodeB devices with firmware versions through QRTB 2.12.7 are vulnerable to HTTP command injections that enable remote shell code exploitation;
- CVSS 9.3 – CVE-2020-14521 – A whole bunch of Mitsubishi Electric Factory Automation engineering products contain a code execution vulnerability that could let an attacker obtain or modify data and cause denial-of-service conditions;
- CVSS 8.6 – CVE-2022-25161 – Several Mitsubishi Electric MELSEC iQ-F CPU modules include a pair of improper input validation bugs that could cause DoS requiring a system reboot to fix.
NIST identified just one new exploit in the wild this week:
- CVSS 7.5 – CVE-2022-36537 – The open source ZK Java Framework AuUploader servlet is being actively exploited to allow an attacker to retrieve the content of a file located in the web context.
As always, patches for these vulnerabilities are available, so if you find yourself responsible for any related hardware or software, get patching.
Royal ransomware: Not just a healthcare problem anymore
The FBI and Cybersecurity and Infrastructure Security Agency released an advisory this week warning that the Royal ransomware variant isn't just targeting the healthcare sector anymore. It's expanded its reach to numerous critical infrastructure sectors.
As the US Department of Health and Human Services warned the medical world in December, the FBI and CISA said that Royal and the folks behind it have made ransom demands as high as £9.1 million ($11 million) since coming onto the scene last September.
Along with healthcare, the FBI and CISA said that Royal's controllers have deployed it against manufacturing, communications and education organizations, though the pool of affected sectors isn't limited to those.
Royal ransomware uses a partial encryption technique that helps it evade detection, and typically break into systems compromised via phishing attacks. The FBI and CISA did say the group behind Royal has also leveraged compromised RDP connections and exploited public-facing applications to gain a foothold,. Brokers have also been used, the agencies said.
Ransomware attacks were reportedly down as of late 2022 – though with the caveat that, even at "lower" levels reported late last year, the total number of ransomware incidents was still higher than previous years.
To avoid a Royal pain in the rear, CISA and the FBI recommend following the standard list of mitigations for such threats – like requiring multifactor authentication, keeping software up-to-date and the like. ®