Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Thursday, 30 March, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Guest Blog: Ripple20 Zeek Package Open Sourced

Corelight is open sourcing a Zeek package that passively detects the presence of some of the tell-tale signs that Treck devices can exhibit

by Sabina
July 1, 2020
in Editor's News, Top 10 Stories
Corelight logo
Share on FacebookShare on Twitter

Recently, security research group JSOF released 19 vulnerabilities related to the “Treck” TCP/IP stack. This stack exists on many devices as part of the supply chain of many well known IoT/ICS/device vendors. Think 100s of millions/billions of devices and you are in the right ballpark.

The set of vulnerabilities is collectively known as “Ripple20” , and yes – like all big exploits it has its own website https://www.jsof-tech.com/ripple20/  (a fascinating read) and of course a logo. Refer also to the Treck response https://treck.com/vulnerability-reply-information/.

We at Corelight Research have been following developments closely, as there a number of key ingredients that add up to a dangerous situation here.

  • The vast number of vulnerable systems. As I developed this package I even found a printer that was vulnerable, and which was not on the list of known vulnerable devices.
  • The wide range of vendors that are affected. There are some very big names, you can read the list of affected vendors on the Ripple20 site.
  • The types of systems that are potentially vulnerable – anything from UPS, printers, lights, tractors, medical devices, cars, air conditioning systems, refrigerators… Who really knows?
  • The difficulty in patching. In most cases, IoT/ICS devices simply aren’t built for “automatic install” of security patches like modern end user systems are. You also need to know whether you even have these devices on your network in the first place, which isn’t trivial in its own right.
  • The depth of the vulnerability. Remote Code execution with a CVE rating of a perfect 10.0 – that’s as bad as it gets.
  • The attractiveness of these vulnerabilities to threat groups can’t be understated, to have such a stealthy foothold deep within a victim’s network is like the holy grail for some threat groups.
  • There WILL be more and more automated, commodity exploit kits becoming available in the near future – this is a common theme with exploit evolution. This tends to put the exploit tools in the hands of an ever increasing breadth of threat groups, lowering the bar of entry in terms of technical ability required to make use of these exploits.

I could go on and on but the tl;dr is: We need all the protection we can get.

If there is one silver lining, it’s that any discovery or exploit traffic must traverse the network, which of course means that Corelight and Zeek are right in our element.

Today we are open sourcing a Zeek package (https://github.com/corelight/ripple20) that passively detects the presence of some of the tell-tale signs that Treck devices can exhibit. The package also detects when such devices are being scanned by currently available discovery scanners, and when signs of exploitation are observed on the wire.

We hope the open sourcing of this Zeek package helps organizations defend against this threat.

Credit to JSOF who discovered these vulnerabilities and to all of the CERTs and vendors who are currently coordinating discovery and patching efforts.

 

Source: https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

Calling all Cybersecurity Heroes for Unsung Heroes Awards!

Next Post

US news sites attacked with WastedLocker ransomware

Recent News

cybersecurity training

Only 10% of workers remember all their cyber security training

March 30, 2023
Pie Chart, Purple

New API Report Shows 400% Increase in Attackers

March 29, 2023
Cato Networks delivers first CASB for instant visibility and control of cloud application data risk

Cato Networks Recognised as Leader in Single-Vendor SASE Quadrant Analysis

March 29, 2023
Outside of cinema with advertising

Back and Bigger Than Ever! The Inside Man Season 5 Takes a Stab at Power Hungry Adversaries

March 29, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information