News


  • CHT Security Red Team Discovered a Vulnerability in the MCU System of a Well-Known Video Conferencing Software

    Summary
    Vulnerability List
    [CVE-2021-32536] Cross Site Scripting

    Details
    1. Cross Site Scripting
    Description: A reflected cross-site scripting (XSS) vulnerability was found in the MCU system 5.5. Arbitrary web scripts would be injected via HTTP GET.
    Impact: It will affect the users of the MCU system. Browsers might be manipulated if a malicious URL has been clicked.
    Version: V5.5
    Credits: Lai, Yu-Jen (CHT Security)

  • CHT Security Red Team Discovered Several Vulnerabilities in a Well-Known Domestic Door Access Control and Personnel Attendance Management System

    CHT Security Red Team discovered a use of hard-coded credentials (CVE-2021-35961) and a path traversal vulnerability (CVE-2021-35962) in a well-known domestic door access control and personnel attendance management system. The vulnerabilities are briefly described as follows:

    CVE-2021-35961: The hard-coded default credentials in the system allow unauthenticated remote attackers to obtain administrator permissions and execute arbitrary functions. This vulnerability is classified in A6 - Security Misconfiguration of OWASP TOP 10 2017.

    CVE-2021-35962: A path traversal vulnerability in the system allows remote attackers to download confidential files without permission. This vulnerability is classified in A5 - Broken Access Control of OWASP TOP 10 2017.

    The vendor has released related patches after receiving our report. If your organization or enterprise is using the affected door access control and personnel attendance management system, it is recommended to contact the vendor for patching and updating as soon as possible.

    CHT Security also recommends the following measures:
    Enterprise: Contact the vendor to install the patch as soon as possible.
    System vendor: Implement input validation in the applications. It is recommended to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.

  • General Manager Jeff Hung Delivered a Speech at InnoVEX 2022

    General Manager of CHT Security, Mr. Jeff Hung, delivered a speech at InnoVEX 2022 of COMPUTEX on Cybersecurity Governance and Countermeasures from Common Cybersecurity Issues.
    Video source: InnoVEX

  • CHT Security Won the First Cybersecurity Best Service of the Best Choice Award

    CHT Security, the leading cybersecurity company, won the first cybersecurity best service of the COMPUTEX Best Choice Award for its Security Operation Center (SOC) service on 24th May.

    The key success factor in winning this award is the comprehensive cybersecurity solutions ranging from security assessment, monitoring and incident response to digital forensics, covering the whole process of an attack. The SOC team of CHT Security possesses superior technical capabilities, namely evaluation, red teaming, monitoring, correlation analysis, reverse engineering, digital forensics and R&D, with full-range technology coverage and an innovative vibe. The team keeps itself posted on the latest international virus and malware intelligence as well as emerging attack methods by handling critical cases and participating in cyber range drills to accumulate experience and techniques in responding to incidents. In addition, the team introduced AI/ML technology to independently develop many automation and early warning systems. It has also been highly commended for providing cloud services to enhance service ability.

    Top Rated SOC Monitoring Expertise
    The evaluation comprises the aspects of process, quality, expertise, innovation, foresight and global market potential, and each candidate is then given a professional appraisal. The major reason CHT Security stood out from the other providers is its utilization of new technology. CHT Security is the only MSSP that has integrated Managed Detection and Response (MDR) services across cloud, network and endpoint into its SOC to improve accuracy and visibility. In addition, CHT Security provides a Breach and Attack Simulation (BAS) service to validate the effectiveness of protection. Moreover, the team not only introduced AI deep-learning methodology but also made the best use of ISP threat intelligence to enhance detection ability. Furthermore, its high-quality cybersecurity talents are encouraged to pursue international certificates to deliver better cybersecurity service.

    Independent Development of Cybersecurity Software Tools
    Another reason CHT Security stands out is its ability to develop its own-brand cybersecurity product, SecuTex Network Protection with NP network protection and ED endpoint detection, to improve detection and protection capability. SecuTex NP network protection is like a dashcam for the Internet, providing always-on packet sniffing, intrusion detection and forensic analysis, combining a sandbox with professional analysis validation. SecuTex NP is the best choice when it comes to cybersecurity management of the network and the reproduction of previous incident behavior. SecuTex ED endpoint detection is the assessment tool for endpoint PCs/servers, comprising Government Configuration Baseline checks, software re-evaluation, malicious detection and so on. It is the best choice as far as risk and countermeasures are concerned.

    Since the Best Choice Award was established in 2002, this is the debut of a cybersecurity service award at the Best Choice Award evaluation, to discover potential cybersecurity companies and then expand into overseas markets through the well-known COMPUTEX marketing strategy with Best Choice Award branding. It is worth noting that the advanced technology of CHT Security is its advantage in expanding overseas. Despite the epidemic striking the global economy, CHT Security still thrived through adversity. CHT Security is not only the leading MSSP in the Taiwan market but is also looking to expand overseas with the advantage of Best Choice Award recognition.

    About CHT Security
    With years of experience in cyber defense practices and R&D capabilities, CHT Security delivers comprehensive cybersecurity services and solutions. It is now the leading MSSP in Taiwan. The company is ISO 27001, ISO 27701, ISO 20000 and ISO 17025 certified with more than 50 CVEs, and was awarded the 2021 Taiwan Managed Security Services Company of the Year Award by Frost & Sullivan, the Infosec Quality Award and Infosec Excellence Award by BSI, Championship Winner of the International Bug Bounty Challenge held by ITRI and Championship Winner of the HITCON Defense Contest. In the government's annual review, CHT Security is the only cybersecurity company that achieved the top rating for consecutive years. CHT Security provides telco-centric cybersecurity solutions and undertakes many large-scale projects from government, critical infrastructure, financial, high-tech manufacturing and medical industries. Moreover, CHT Security now delivers comprehensive cybersecurity solutions to over 300 thousand households, 20 thousand SMEs, and 200 large enterprises and government institutions.

  • CHT Security Discovered Several Vulnerabilities in Well-known Official Document System

    CHT Security Red Team discovered an SQL Injection vulnerability (CVE-2021-22859) and a Broken Authentication vulnerability (CVE-2021-22860) in a well-known official document system. More than 20 organizations, including government, education and financial sectors, are affected. The vulnerabilities are briefly described as follows:

    CVE-2021-22859: SQL commands can be executed by any user accessing the page. This vulnerability affects many government and company systems. This vulnerability is classified in A1 - Injection of OWASP TOP 10 2017.

    CVE-2021-22860: It allows attackers to obtain unauthorized data, such as users' accounts and passwords, without authentication. This vulnerability affects many government and company systems. This vulnerability is classified in A2 - Broken Authentication of OWASP TOP 10 2017.

    The vendor has released related patches after receiving our report. If your organization or enterprise is using the affected official document system, it is recommended to contact the vendor for patching and updating as soon as possible.

    CHT Security also recommends the following measures:
    Enterprise: Contact the vendor to install the patch as soon as possible.
    System vendor: Implement input validation in the applications. It is recommended to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.

  • CHT Security ISO 27701:2019 Certified

    CHT Security announced that the company is ISO 27701:2019 certified. ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

  • CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Human Resource Portal

    Summary
    Vulnerability List
    [CVE-2021-22853] - Broken Access Control
    [CVE-2021-22854] - SQL Injection
    [CVE-2021-22855] - Insecure Deserialization

    Details
    1. Broken Access Control
    Description: An attacker can use a crafted packet to access unauthorized sensitive data.
    Impact: Attackers can dump sensitive data via a specific data packet, such as all users' personal information in the same group, further causing the login function not to work.
    Known Affected Software: version before 7.3.2020.1110

    2. SQL Injection
    Description: There is a parameter affected by SQL Injection.
    Impact: Attackers can inject SQL syntax and obtain all data in the database without privilege.
    Known Affected Software: version before 7.3.2020.1110

    3. Insecure Deserialization
    Description: The specific function accepts any type of object to be deserialized.
    Impact: Attackers can send malicious serialized objects to execute arbitrary commands without privilege.
    Known Affected Software: version before 7.3.2020.1110

    Credits: TsungShu Chiu (CHT Security)

  • CHT Security Awarded 2021 Taiwan Managed Security Services Company of the Year

    Congratulations! CHT Security Awarded 2021 Taiwan Managed Security Services Company of the Year.

  • CHT Security and Radware Team Up to Protect NCSoft Taiwan’s Product Launch During Massive DDoS Attacks

    Radware (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, today announced that CHT Security selected Radware's DefensePro DDoS Protection solution to safeguard gaming publisher NCSoft Taiwan from massive DDoS attacks during a very popular game launch. CHT Security is Taiwan's leading managed security service provider and a subsidiary of Chunghwa Telecom, the largest telco in Taiwan.

    Supported by Radware's data center protection and CHT Security's comprehensive professional services, the leading global gaming company was able to mitigate the DDoS attacks and introduce its new game without incident.

    "As we've expanded our business, we've seen a large increase in DDoS attacks in Taiwan in recent years," said Jeff Hung, general manager for CHT Security. "Based upon our long-standing, positive experience, we selected Radware to ensure NCSoft Taiwan's successful product launch and have increased the use of DefensePro to support our business. The key success factor to this joint effort is the combination of CHT Security's defense expertise in real-time tuning and the cutting-edge features of Radware's DefensePro to deliver high-quality and low-latency defense services against cyber threats."

    According to Radware's recently published Q3 DDoS and Application Attack Report, the number of DDoS attacks blocked during the first nine months of 2021 already exceeded the total number of malicious events blocked in 2020. Gaming and telecom endured the highest attack volumes, accounting for over 50% of the total blocked volume in the third quarter of 2021.

    "DDoS attacks are becoming more frequent, sophisticated, and dangerous," said Yoav Gazelle, vice president of international sales for Radware. "With the growing availability of attack tools and botnets, organizations need multi-layered DDoS protection backed by expert emergency response teams. We value our trusted relationship with CHT Security and are excited that it has chosen to safeguard its customers with our solutions."

    Radware's DefensePro provides automated DDoS defense and protection from fast moving, high volume, encrypted, or very short duration threats. It defends against IoT-based, Burst, DNS, and TLS/SSL attacks to secure organizations against emerging network multi-vector attacks, ransom DDoS campaigns, IoT botnets, and other types of cyber-threats.

    About CHT Security
    Founded in 2017, CHT Security is a subsidiary company of Chunghwa Telecom, the largest telco in Taiwan. CHT Security is now the leading managed security service provider in Taiwan, with rich experience in information defense practices and the R&D capabilities to deliver cyber security services and solutions, including security testing, SOC monitoring, incident response, and digital forensics, satisfying the cybersecurity needs of enterprises and government institutions. CHT Security is ISO 20000, ISO 27001, and ISO 17025 certified, and was awarded the 2021 Taiwan Managed Security Services Company of the Year Award by Frost & Sullivan. For more information, please visit www.chtsecurity.com.

    About Radware
    Radware (NASDAQ: RDWR) is a global leader of cyber security and application delivery solutions for physical, cloud, and software defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application, and corporate IT protection, and availability services to enterprises globally. Radware's solutions empower enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity, and achieve maximum productivity while keeping costs down. For more information, please visit the Radware website.

    Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, and Radware Mobile for iOS and Android.

    Source: https://www.radware.com/newsevents/pressreleases/2021/radware-and-cht-security-team-up-to-protect-ncsoft-taiwans-product/

  • CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Property Management System

    Summary
    Vulnerability List
    [CVE-2021-22856] - SQL Injection
    [CVE-2021-22857] - Directory Traversal
    [CVE-2021-22858] - Broken Authentication and Upload Remote Code Execution

    Details
    1. SQL Injection
    Description: There are several parameters that are affected by SQL Injection.
    Impact: This vulnerability allows attackers to use a SQL injection query string to bypass the login page and retrieve data from databases.
    Known Affected Software: version before the year 2021.

    2. Directory Traversal
    Description: There are several parameters that can be manipulated by attackers.
    Impact: An attacker can download files from the target machine for further analysis.
    Known Affected Software: version before the year 2021.

    3. Broken Authentication and Upload Remote Code Execution (File Upload RCE)
    Description: There are several file upload fields with a misconfigured file upload filter.
    Impact: Attackers can upload unrestricted files, which would allow them to gain access to the hosting machine.
    Known Affected Software: version before the year 2021.

    Credits: Jalong Chen (CHT Security)


For Financial Institutions

Security Assessment, ATM Drills for Offense & Defense, DDoS Drills, GDPR Consultant.

For Enterprises

Large Enterprises: Gateway Protection, Endpoint Protection, Data Security, Regular assessment, ISMS, In-depth Defense with ISPs.
SMB & Soho: Anti-virus, Anti-hacking, Internet Protection.

For Government Departments

Regulation Compliance, Regional Joint Defense, SOC, ISAC, Common Supply Contract.