Immunity CANVAS leak: What you need to know
Keith Buzzard, Chief Technical Architect
Earlier this week, Immunity’s CANVAS exploit platform was leaked to the VirusTotal database; making the usually cost-prohibitive tool available to a much wider audience. This leak of CANVAS v7.26 (released in September 2020) means that a wider pool of attackers—who generally use free tools, such as Metasploit—will have a much simpler and more powerful tool at their disposal.
What is CANVAS?
CANVAS is a tool developed for penetration testers and security professionals to test vulnerabilities in computer systems. However, because it isn’t cheap, it is usually only available to security companies and some of the more well-backed threat groups.
Why the leak matters
CANVAS is easier to use than free open source tools, which means that there are now more less-experienced attackers (they have the motivation but not the skill) wielding what is essentially an automated program from which they can launch attacks.
This incident serves to increase overall cyber risks to organisations of all types and sizes, as the threat landscape has expanded significantly.
What your organisation needs to do
This is certainly not the first time this type of leak has happened, nor will it be the last. Security professionals need these kinds of tools in order to do their jobs well and with that comes a level of risk.
This is one of those timely reminders to make sure you have good security controls in place, including:
Vendors want to make sure you keep using their products, so they are constantly working on improving their software and hardware. In the case of the exploits within CANVAS, because the version is from September 2020, it is likely that most have patches available. Make sure you have a patching regimen in place and all of your systems are up-to-date.
Regular penetration testing and vulnerability assessments
Because new vulnerabilities are discovered every day, a penetration test is only really valid for the day it was completed. That’s why it’s important to conduct vulnerability assessments and penetration tests fairly regularly.
Review Incident Response plans
Like vulnerabilities, risks and threats change often. Keeping on top of your organisation’s risk appetite, profile and response plans will enable you to limit the impact of an incident. It’s important to review your Incident Response and other plans at least annually and test them out to ensure your plan works and your team are prepared.
Review information security measures
All of this comes back to your information assets and keeping them safe. While technology goes some way towards keeping your important data secure, it’s processes, policies and procedures that really strengthen your defences. It’s recommended that your organisation is certified to the UK Government’s Cyber Essentials at a minimum or another Information Security Management System (such as ISO 27001) if appropriate. And, where required, maintain compliance with regulations like GDPR and PCI DSS. If there is an incident, you can demonstrate that your organisation takes cyber security seriously and limit the damage that may result.
Of course, like any professional security tool, there is always a risk that a threat actor will gain access and use it to get themselves into systems in which they aren’t welcome. But, how do we solve this problem in the long term? Plenty of industries handle dangerous substances and other items and they have been regulated. But we aren’t there yet when it comes to cyber security.
As the industry matures, better regulation may be the answer, but that’s a conversation for another blog post.
PGI can help your organisation defend its information assets
If your organisation would like help with your cyber security strategy, security testing, information security or Incident Response, we would be happy to have a no-obligation conversation with you about what you need. Contact us via firstname.lastname@example.org or +44 (0)845 600 4403