Cybersecurity News Headlines Update on May 30, 2021

VMware Updates Address Flaws in vSphere Client. VMware has released updates to address two vulnerabilities in its vSphere Client. The first is a critical severity “remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in.” The second is a moderate-severity “vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.”

Note:

  • Limit access to your vCenter infrastructure to authorized devices only, just as you would limit access to system consoles to prevent unauthorized attempts to “fiddle” with things. Note that the vulnerable Virtual SAN Health plugin is present even if you don’t have a VMware VSAN. The vulnerable plugins can be disabled by setting them to “incompatible” (not “disabled”) as a temporary mitigation; the long-term fix is to rapidly apply the updates. There are three CVEs impacting five plugins. If you disable the plugins, they remain disabled after the patch until you explicitly re-enable them. Note that some third-party plugins may no longer function after the update, as additional changes were made in vCenter Server to improve overall security.
  • Not only should you patch this flaw as soon as possible, but you should also double check that the vSphere console is not exposed to the Internet. Access should only be possible via a VPN or from a local management network. As a quick workaround: disable the vSAN client if you are not using it.
  • Here in Maryland the 17-year cicadas are coming out of the ground. When they last went underground in 2004, we were just recovering from the impact of Windows buffer overflow/input validation flaws being exploited in the Slammer/Blaster/Sasser and other attacks. Sad to see VMware shipping software all these years later with those same well-known software development mistakes in such a mission critical product. Critical not just to patch your systems but to make sure your supply chain does so as well.
  • Input validation is difficult but necessary. Failure to do it properly is a continuing and widespread problem. It is aggravated by the fact that the developer cannot easily foresee the environment in which his code may run. It is simplified when the use of the input is tightly constrained, e.g., to a limited code set. Allowing special characters, especially in repetition or combination, which may trigger escape from processes down in the stack, is particularly dangerous. Anecdotal evidence suggests that input validation is not taught in training programs, or even in colleges and universities.

Read more in:

Chrome 91. Google has released Chrome 91 to the stable desktop channel. The updated browser includes fixes for 32 security issues. At least eight of the flaws fixed are rated high severity; they include use-after-free vulnerabilities, a heap buffer overflow flaw and an out-of-bounds write flaw.

Note:

  • Google Chrome has a reasonably robust auto-update. As you are reading this: exit Google Chrome, start it up again, and check if you are up to date. It is a good idea to restart Google Chrome from time to time anyway, and it can help keep it up to date.
  • When I see use-after-free bugs, I flash back to teaching myself C; memory management requires discipline as well as tools to make sure that you didn’t miss anything. When deploying the update, watch for Chromium-based browsers, Edge, Brave, etc. If you’re manually updating, check to make sure you’re all the way to version 91.0.4472.77.

Read more in:

“Disappointment” with Federal Network Hygiene Drove Elements of US Cybersecurity Executive Order. Anne Neuberger, the White House deputy national security advisor for cyber and emerging technologies, said the impact of the SolarWinds compromise, which prompted the recent Executive Order by President Biden, pointed out the need for immediate and measurable improvements to the security of federal systems and networks. She listed improved skills in Security Operations Centers, enabling and emphasizing more proactive threat hunting, and the Government using its buying power to drive the demand for secure, tested software.

Note:

  • The bad news is the US government is like an enormous ship and often inputs from the captain and top staff seem to get lost in the long and torturous path to the engines and rudder. The good news is that even small course corrections can have a huge impact and occasionally (like mandates to government agencies to move to DNSSEC and DMARC, or to buy only certified, tested cryptographic software) the government can actually lead private industry. There is an opportunity for that to happen here.
  • Agencies already have requirements to implement endpoint protections, continuous monitoring, ongoing validation of secure baselines, dynamic software to allow and deny capabilities with regular reporting to DHS through the CDM program. That program provided for first year licensing of products and an added year of maintenance. Where it falls short is the resources to implement are unfunded, licenses are difficult to obtain, and the new processes can create disruption to existing processes intended to keep systems within an acceptable level of risk. The new EO seeks to further raise the bar on federal systems, but success will require ongoing funding for staff at the agencies and sites which need to implement the new controls as well as training and hiring of SOC staff. Care must be taken not to assume all incidents can be monitored and responded to from a centralized control point.
  • “Secure software” and “supply chain” are related but separate problems. One has no reason to believe that SolarWinds’ code was not tested or secure. The problem was that they distributed code that they did not even know was there. Caveat Emptor will not solve the supply chain problem, even when the buyer has the market power of the sovereign. Suppliers must be accountable for what they distribute.

Read more in: White House Cyber Advisor Cites ‘Disappointment’ With Fed Network Hygiene

SolarWinds Threat Actors Targeting Government-Related eMail Accounts. In a blog post, Microsoft writes that the same threat actors believed to be responsible for the SolarWinds attack have targeted email accounts at government agencies, think tanks, NGOs, and consultancies in 24 countries. The attacks were launched after gaining access to USAID’s Constant Contact email marketing services account.

Note: While we assume we’re largely ignoring email streams from services like Constant Contact, make sure that your users truly are looking at the legitimacy of messages and reporting/blocking them as needed, as these services are an excellent way to craft a really convincing-looking phish.

Read more in:

DHS/TSA Issues Pipeline Security Directive. The US Department of Homeland Security’s (DHS’s) Transportation Security Agency (TSA) has issued a security directive to enhance pipeline security. The directive has three requirements: pipeline owners and operators must report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of detection; designate a cybersecurity coordinator who will be available to TSA and CISA 24/7; and conduct an assessment to check for compliance with TSA’s pipeline cybersecurity rules, develop remediation measures for detected gaps, and report them to TSA and CISA within 30 days. Failure to comply with the guidelines will result in fines. The directive is effective as of Friday, May 28, 2021.

Note:

  • The requirement that the identified Cybersecurity Coordinator be a U.S. Citizen eligible for a security clearance sets the stage for CISA and DHS to communicate sensitive or classified threat intelligence data in the future. The challenge for operators is to designate more than one Cybersecurity Coordinator for depth of coverage, and make sure that all coordinators meet the requirements. If you’ve outsourced your monitoring and response capabilities, make sure the provider can meet the requirements before designating them. Develop supporting processes and templates for consistent reporting to CISA. Make sure external incident reporting doesn’t exclude internal awareness.
  • While pipelines are, at one level, transportation mechanisms, they are also part of the energy infrastructure. DHS should be asking whether TSA is the most appropriate regulator. Note that the Internet, the attack vector, is both unregulated and supranational.

Read more in:

GAO Official: Federal Agencies Must Take Steps to Protect Their Networks from Supply Chain Attack. In testimony before a US House subcommittee earlier this week, Vijay D’Souza, director of information technology and cybersecurity at the Government Accountability Office (GAO) said that federal agencies are struggling with supply chain security. Just six agencies have shared with GAO their plans to make security protocol changes following the SolarWinds Orion attack; none of the agencies has implemented all recommended changes.

Note:

  • Some agencies are still stuck in the forensics/remediation stages of the SolarWinds events and haven’t come up for air yet. When you do, don’t forget to consider the impacts of open source code implemented in your own products. Sometimes the cost of analysis for weaknesses and remediating them exceeds the gains of using pre-written code. Think carefully before adopting a model to wait for bug fixes to come from the open source community, as those may not only impact your time to deliver but also, themselves, introduce new issues. When planning/making changes in supply chain security, make sure your procurement and legal teams have a seat at the table.
  • Suppliers must be held accountable if they recklessly or negligently distribute malicious code.

Read more in:

NASA OIG Report: Decentralized Approach to Cybersecurity Poses Risks. A report from NASA’s Office of Inspector General (OIG) “found that NASA’s ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture.” The report cited “a fragmented approach to IT, with numerous separate lines of authority” at the agency. OIG made several recommendations, including integrating Enterprise Architecture and Enterprise Security Architecture.

Note:

  • NASA is a distributed agency with multiple data centers and locations with external partnerships and collaborations resulting in a very porous network. Even so, the process of establishing access to one of their systems and processing data is rigorous, with validation of the far end system and clear definitions of responsibilities, data protection, and incident reporting requirements. Security is further complicated by the mixture of institutional IT and mission-specific systems. While many business functions can be centralized, mission systems are unlikely to be, which means you need a distributed security team empowered to manage the risks for mission systems and assure conventional IT remains within the enterprise risk boundaries. This requires teamwork and open lines of communication.
  • To be meaningful, IT and security architectures must consider how business/mission and IT governance work. NASA is like many companies in private industry, with a dozen Centers (business units) that have CIOs and much local authority and lots of local use of contractors, insourcing and outsourcing. Too often in security I see “bring back the mainframe – that will solve the security problems” architectures that don’t match the business/mission needs or governance methods. Security processes need to support the way business is done, not try to effect organizational change to match old approaches to security.
  • The same could be said for just about every public, private, and non-profit organization in the world. This is not easy.
  • To quote Harry DeMaio, “security architecture is derivative of and subservient to the IT architecture.” As a security architect, one’s first step is to ask for an expression of the IT architecture. In response, one is often met with a list of the materials used but with no description of how they were used or related to one another.

Read more in:

Fujitsu Takes Down ProjectWEB Platform After Hackers Steal Government Data. Fujitsu has taken down its ProjectWEB collaboration and file-sharing platform after threat actors gained access to the system and stole data. The incident affected several Japanese government agencies and at least one airport. The incident was discovered on Monday, May 24; ProjectWEB was taken down the following day.

Read more in:

Apostle Disk-Wiping Malware Pretends to be Ransomware. Researchers from SentinelOne have detected new disk-wiping malware that masquerades as ransomware. The malware, which has been dubbed Apostle, has been used against targets in Israel. The campaign has been active since at least December 2020.

Note:

  • Those continuous differential backups you’ve implemented will also help you recover from a disk wipe attack. Be sure you know what is (and what is not) backed up when planning your recovery strategy. Note that this campaign is setting up persistent back doors and exfiltrating data, as well as using the victim’s VPN services, so make sure you’ve got plans to validate and secure your VPN, as well as re-imaging systems that were not necessarily wiped but have their webshells and IPsec Helper present. Be prepared for data release ransom requests.
  • If one is vulnerable to breaches, the availability, integrity, reliability, and usefulness of one’s data is at risk. Extortion may be the least of one’s worries.

Read more in:

Google Researchers Discover New “Half-Double” Rowhammer Attack Technique. Google researchers have discovered a new technique to exploit the Rowhammer vulnerability. Dynamic random access memory (DRAM) chips are getting smaller, and as a result, the Half-Double Rowhammer attack can flip bits not just in adjacent rows, but in rows farther away.

Note: Decreasing feature size and hardware optimizations for performance will make it more and more difficult to defend against these attacks.

Read more in:

FireEye: Threat Actors Using Simple Tools and Techniques to Target Operational Technology Systems. Researchers from FireEye’s Mandiant Threat Intelligence say they have observed an increase in threat actors targeting operational technology (OT) systems with rather unsophisticated tools and techniques. In most cases, these threat actors do not appear to be intent on causing specific physical results.

Note:

  • The Colonial Pipeline ransomware-driven shutdown and the Oldsmar, FL water contamination attack are recent examples where simple vulnerabilities were exploited, pointing out a lack of even the first level of essential security controls. The TSA and DHS are pushing security regulations onto the pipeline industry; industries in other critical infrastructure verticals where years of “self-regulation” have not kept up with modern IT architectures and modern attacker techniques should expect to see regulatory action as well.
  • The same could be said for almost any industry. In the vast majority of incidents, cyber attackers (especially criminals) are going to come in the easiest way possible. As several SANS Instructors have told me, cyber attackers do not get extra points or bonuses for using super advanced techniques; they are normal people just trying to get a job done. For the past four years, phishing and passwords have been the top two drivers of breaches in the VZ DBIR. Yes, there are some exceptionally advanced attacks (SolarWinds is a prime example) that have huge impact, but it is the fundamental TTPs that are driving most of today’s breaches.

Read more in:

Trend Micro Issues Firmware Update to Address Vulnerabilities in Home Network Security Station. Cisco Talos discovered stack-based buffer overflow and hard-coded password vulnerabilities in Trend Micro’s Home Network Security Station. The flaws could be exploited to obtain elevated privileges and to create files, change file permissions, and upload data to an SFTP server. Trend Micro has released an update to address the vulnerabilities.

Note:

  • Hard-coded passwords are sadly a standard “feature” in too many devices. Note that the password has been published. Particularly sad is that Trend Micro is selling this device to protect your network. One of the advertised features of this product is to protect you from “weak passwords”.
  • Hard-coded passwords are tempting and solve fewer problems than they fix. Not throwing Trend Micro under the bus here; I’ve fallen into that trap. If you have the affected product, update it. If your home workers have these devices, make sure they are updating to help protect the integrity of those remote networks.
  • SOHO users of only one of these devices may find it more convenient to update the device rather than the firmware.

Read more in:

Update Available for Simple 301 Redirects by BetterLinks WordPress Plugin. The developer of the Simple 301 Redirects by BetterLinks plugin for WordPress has released an update to address several vulnerabilities, including one that could be exploited to redirect traffic to a malicious website. The plugin has been installed on more than 300,000 sites. Users are urged to update to Simple 301 Redirects by BetterLinks version 2.0.4, which was released on May 5.

Note:

  • Make sure that your plugin is all the way to 2.0.4, released May 5; the April 15 patch didn’t fully address the problem. Verify it’s actually being used and uninstall it if not. Wordfence firewall rules were released April 8th and May 8th to the paid and free versions respectively.
  • WordPress plugins greatly and cheaply add value to WordPress. However, they are used “as is” with no representation of quality. They should be used only by design and intent, never by default, and must be scrupulously managed and maintained.

Read more in: Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin

FBI Flash Alert: APT Group Exploiting Fortinet Vulnerabilities. The FBI issued a flash alert on Thursday, May 27, warning that APT threat actors exploited vulnerabilities in “a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.” The alert lists indicators of compromise, including new user accounts, certain executable files, and unrecognized scheduled tasks. It also lists suggested mitigations.

Read more in:

Apple Releases Updates to Fix Three Zero-Days. Apple released updates to macOS 11.4, 10.15, 10.14; iOS and iPadOS 14.6; watchOS 7.5 and tvOS 14.6 to address three zero-day vulnerabilities hackers exploited in the wild. The XCSSET malware exploited the weakness in CVE-2021-30713 to bypass macOS privacy protections, while CVE-2021-30663 and CVE-2021-30665 impact WebKit on Apple TV 4K and Apple TV HD devices. Zero-day vulnerabilities have been showing up more in Apple’s security advisories, often tagged as exploited prior to fixes being released.

Note:

  • This is the second time this month that Apple has patched actively exploited vulnerabilities. Either Apple’s ecosystem is seeing more attention from attackers, or Apple is being more open in announcing if vulnerabilities are already exploited. Note that this round of updates provides patches for older versions of OS X, like Catalina and Mojave. The most important vulnerability is targeting developers via malicious Xcode projects. Prioritize these patches if you are using Xcode.
  • Apple is releasing updates as rapidly as they can to thwart exploits actively being exploited. Unfortunately, this is shortening the update cycle. Even though you likely haven’t finished applying the last OS updates from the beginning of May, you need to keep rolling forward to get these deployed. CVE-2021-30713 is a flaw in the Transparency, Consent and Control (TCC) framework, while the others are focused on WebKit, which impacts both mobile and desktop operating systems. Push the updates to your ADE devices to have users install immediately so you can focus on desktop devices running the other operating systems.

Read more in:

Air India Customer Data Affected by SITA Breach. Air India has acknowledged that the SITA data security breach that occurred in February compromised its customers’ personal information. Approximately 4.5 million Air India customers are affected. The compromised information includes names, payment card data, and passport details.

Note:

  • When you have a data breach, timely notification of impacted parties is critical to allow them to take actions to protect themselves from further harm. Even if, as was the case here, a breach doesn’t include your password, plan to update the password to that service to a new unique one, enabling 2FA if available while you’re at it. Also review information stored to make sure the service has only what is absolutely needed.
  • Obviously, another supply chain security issue. But this is also another example of “concentration risk” (like SolarWinds) where suppliers have large market share and offer attackers a highly leverageable target – compromise them and you have access to hundreds of high value targets. If you are in the transportation industry – Amadeus and Sabre have higher market share than SITA – good to use this item to recommend a risk assessment be done of the use of those services.

Read more in:

City of Tulsa Prevents Data Theft From Ransomware Attack. The city of Tulsa, Oklahoma, says it will not pay a ransom demanded by ransomware operators behind an attack on the city’s network. The city detected suspicious activity on its network and shut it down before the attackers could access information. Residents have been unable to pay their water bills either online or in person.

Note:

  • Nice to see a (even if just partial) success story of organizations preventing the full impact of ransomware. Ransomware isn’t that hard to detect once it starts “doing its thing,” so good for the city to pay attention and stop the ransomware before it exfiltrated the data (and I hope that assessment holds up).
  • We can’t call this a complete success story, since it is likely the usual phishing/missing patches/etc. techniques were used at the front end of the attack, but rapid detection and having reliable backups in place puts Tulsa way ahead of other cities that have suffered similar attacks.

Read more in:

Microsoft Will Retire Internet Explorer Next Year. Microsoft has announced that it will retire Internet Explorer on June 15, 2022, for certain versions of Windows 10. IE will be replaced with Microsoft Edge, which has an IE mode that is able to load legacy web pages requiring Internet Explorer.

Note:

  • About time. With Microsoft Edge now being based on Google Chrome, there was no need for Internet Explorer to stick around. And as a reminder: If you are designing web applications, do not design them to work with one specific browser, but stick as much as possible to standards that are common among different browsers.
  • Note that MS is not going to offer exceptions or extended support for IE11 after June 15, 2022. Investigate using Internet Explorer mode in Microsoft Edge to provide support for legacy applications which require IE11. Leverage the transition guide (query.prod.cms.rt.microsoft.com: Microsoft Edge + Internet Explorer mode) to use IE mode where needed. IE mode will be supported until 2029, but be aware of the limitations. docs.microsoft.com: IE mode supports the following Internet Explorer functionality

Read more in:

GAO Report on the Cyber Insurance Market. A report from the US Government Accountability Office (GAO) examines the evolution of the private cyber insurance market over the past five years, with a focus on how it has responded to increasingly frequent, destructive, and expensive cyberattacks.

Note:

  • Ben Wright and I have done several webinars examining how security operations are impacted if cyberinsurance is in place and how policy premiums are going up while coverages are going down. Key point to get across to management: having cyberinsurance can reduce incident costs by some fixed amount but they do not cap or transfer risk – and most importantly, cyberinsurance does not eliminate the need to understand and mitigate security gaps that are enabling incidents.
  • I’m going to channel my inner Bruce Schneier in here as economics and incentives drive behavior. Insurance companies covering ransomware attacks made it much easier for infected companies to pay, and much easier for cyber criminals to monetize, only incentivizing more attacks. It appears insurance companies may now realize their mistake, charging far greater premiums for far less payouts.
  • Some of the biggest growth in adoption of cyber insurance since 2016 has been in health care and education, which have been prime targets this past year. Even so, this is a fairly new market for insurers, meaning they don’t have a lot of historical loss and cyber event data which is used to quantify risk and set rates, which means premiums are likely to increase, and availability of insurance, particularly relating to ransomware, will decrease. If you have cyber insurance, talk with your broker about their plans, make sure you’re on the same page about what the coverage means. If you are seeking cyber insurance, you may have to look to more insurers to find a solution with the terms you’re expecting.

Read more in:

One Call Insurance Discloses Ransomware Attack. One Call Insurance in Doncaster, UK, was hit with ransomware on May 13. The attack appears to have been perpetrated by DarkSide, despite its recent announcement that it was shutting down operations.

Note: While DarkSide has retired their public facing presence, it is not safe to assume their criminal activities have ceased. Even if this is a look-alike attack, focus first on remediation and prevention of recurrence rather than attribution.

Read more in:

Toyota Discloses Subsidiaries Suffered Cyber Attacks. Toyota has acknowledged that two of its subsidiaries have recently experienced cyberattacks. Daihatsu Diesel Company, which designs engines, “experienced a problem in accessing its file server in the internal system on 14 May 2021.” The company stopped the infection from spreading to other offices and has initiated an investigation. Separately, Toyota’s Auto Parts Manufacturing Mississippi has reportedly suffered a ransomware attack.

Read more in: Toyota rear-ended by twin cyber attacks that left ransomware-shaped dents

FBI Conti Flash Alert: Conti Ransomware Group is Targeting Healthcare and First Responder Networks. In a Flash Alert, the FBI says that the Conti ransomware group hit at least 16 US healthcare and first responder networks within the last year. The alert provides technical details about the Conti ransomware, including indicators of compromise, and recommends mitigations, including implementing network segmentation and conducting regular data backups that are kept offline.

Note: Absolutely anyone and everyone is a target for cyber criminals, from hospitals and utilities to elementary schools and non-profits. Whatever ethics cyber-criminals may post are quickly forgotten when there is easy money to be made. And even if certain groups were to limit their targets, their ‘affiliates’ most likely will lack such ethical guidelines. In addition, it’s easy to accidentally infect unintended targets or to not realize who they are infecting.

Read more in:

FBI Analyst Indicted for Stealing National Security Documents. A US federal grand jury in Kansas City, Missouri, has indicted Kendra Kingsley, an FBI employee, for allegedly removing classified documents from her workplace and taking them to her home. The documents were allegedly removed between June 2004 and December 2017. Kingsley worked as an intelligence analyst and held a top secret security clearance.

Note:

  • The insider threat (both malicious like this one, and well intentioned accidents) and the need to protect stored sensitive data from such unauthorized disclosure don’t get the press coverage that ransomware does, but usually are the cause of the most damaging breaches. Privilege management and access behavior monitoring won’t catch everything but they would have avoided or minimized the damage in most insider attacks.
  • Classified is, despite what you may have seen in the movies, not something you can work on at home. It has handling, access, and need-to-know requirements with published consequences. When I was young it was emphasized that having a clearance is not the same as need-to-know. (One does not just “show up” at a classified briefing.) The information in your enterprise should also have classification with clearly defined access and handling requirements. Be clear about what can be processed locally and remotely, and where it can and cannot be stored, and what the storage requirements are. Train users on this regularly, particularly when things change.

Read more in:

Mercari is Victim of Codecov Supply Chain Attack. Online marketplace Mercari has disclosed that the Codecov supply chain attack compromised its customer data. Earlier this year, attackers compromised the Codecov Bash Uploader, which allowed them to harvest authentication credentials for Codecov customers. Mercari learned that a malicious actor used their authentication credentials to access private repositories in April. Mercari has deactivated the compromised credentials.

Read more in:

Fix Available for WordPress Statistics Vulnerability. An SQL injection vulnerability in the WP Statistics WordPress plugin could be exploited to access database information without the need for logging in. The plugin is installed on 600,000 WordPress sites. The issue was disclosed to the plugin developer on March 13, 2021, and an updated version was released on March 25.

Note: Initial reports indicated you had to be authenticated to exploit this vulnerability; further research found an unauthenticated user can exploit this. This exploit uses time-based blind SQL Injection, so exfiltrating information is very slow. If you are using a WAF, the enabled SQL Injection module should block the attack; make sure WP Statistics is either updated to version 13.0.8 or uninstalled if unused.

Read more in:

Restaurant Reservation WordPress Plugin Flaw Patched. The ReDi Restaurant Reservation WordPress plugin has been updated to address a persistent cross-site scripting vulnerability. The flaw could be exploited to steal reservation information and personal customer data. The plugin developer was notified of the vulnerability on April 15 and released an updated version 10 days later.

Note: Make sure that you have updated to version 21.0426 or higher of the plugin. A public POC was released Sunday. Lack of input sanitization made exploitation easy by entering malicious JavaScript in the comment field, which is saved to the database without changes, meaning it is executed when the restaurant is viewing the reservation.

Read more in:

SolarWinds Supply Chain Attack Affected 37 Companies in US Defense Industrial Base. In testimony before the US Senate Armed Services cyber subcommittee, Rear Adm. William Chase III told legislators that 37 companies within the defense industrial base were affected by the SolarWinds supply chain attack. Chase also noted that the Department of Defense (DOD) was not affected by SolarWinds or by Hafnium.

Note: Key quote here: “… the Cybersecurity Maturity Model Certification, DOD’s nascent program for improving the cybersecurity of the defense industrial base, would not necessarily have prevented the intrusions.” Maturity models are great for identifying and communicating the most dangerous gaps in security processes but do NOT focus on actual testing and continual monitoring. Simple example: many software vendors that achieved the highest levels on the software Capability Maturity Model continued to deliver code with well-known vulnerabilities. Active monitoring and testing are needed to deal with software supply chain attacks.

Read more in: 37 Defense Industrial Base Companies Affected by SolarWinds Intrusion

Hackers Scanning for Exchange Server Vulnerabilities Within Minutes of Disclosure. Researchers from Palo Alto Networks say that hackers were scanning for vulnerable Exchange Servers within minutes after Microsoft disclosed the four zero-day vulnerabilities. The report also says that Remote Desktop Protocol accounted for 32 percent of security issues.

Note:

  • To support work from home, many organizations hurriedly pushed out RDP-based approaches and attackers have been taking advantage of that (also see the Sophos news item below). As we return to the “new normal,” more secure ways of supporting remote access should be top priority as part of the plan for employees returning to some amount of working from the office.
  • While Exchange vulnerabilities are the newest shiny thing to exploit, don’t lose sight of other less sexy vulnerabilities. Your email IT team should already be on a rapid cadence of patching Exchange, even though you’ve already asked them to start migrating to your chosen cloud email solution, so the rest of your team can focus on the regular bouts of OS and application patches. In case you missed it, Wind River released updates to VxWorks which may impact many of your OT systems.

Read more in:

CNA Paid $40M Ransom After March Attack. CNA Financial Corporation, the Chicago-based insurance company, reportedly paid a $40 million ransom demand after its network was hit with a ransomware attack earlier this year. CNA paid the sum two weeks after the attack, which locked employees out of the network and compromised customer data. A company spokesperson said that “CNA is not commenting on the ransom.”

Note:

  • This incident pre-dates the recent ransomware attack that hit AXA, another large cyber insurance carrier that had issued coverage to Colonial Pipeline, who also paid ransom. AXA recently announced it would stop issuing policies that would cover ransom payments – more carriers are likely to do the same. CNA Financial has over $10B in annual revenue and is in the top ten of cyberinsurance policy issuers and offered a “CyberPrep” service to policy holders, a “ … proactive program of cyber risk services designed to help identify, mitigate and respond to persistent and emerging threats.” I’d like to hear if they were using their own service and what went wrong.
  • Before making the payment, CNA checked guidance and informed their regulators, including the Office of Foreign Assets Control, which enforces economic and trade sanctions against targeted foreign countries and regimes, terrorists and drug traffickers; and the FBI. While payment is not desired, being aligned with legal and regulatory guidance will minimize future blowback. Transparency about the event and related actions has shown itself to be the best option, as you need a consistent message not only for customers but also for employees, board members, shareholders and regulators if appropriate. With the current volume of ransomware payback, regulators are focusing on how to slow it down; make sure the relevant guidance hasn’t changed prior to making a decision.
  • WOW, that is a big number! Please remember though, ransomware is nothing more than a type of malware. It’s not a new attack method, it’s a new monetization method, albeit a very profitable one, and thus the reason we are seeing exponential growth. Also remember there are other attacks just as costly but not nearly as public, such as CEO fraud. This attack method costs billions of dollars a year, but it’s hardly in the news as companies rarely go public when it happens.

Read more in:

Dragos: Water Utility Watering Hole Found During Oldsmar Investigation. While investigating the Oldsmar Water Treatment facility cyberattack, Dragos found a “watering hole”: malicious code hosted on a Florida water utility contractor’s website. Although a city of Oldsmar browser had visited the WordPress-based site earlier in the day of the attack, it does not appear that the watering hole figured into the Oldsmar attack. “Dragos’s best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity.”

Note:

  • This blog is an exploration of how sometimes intrusions don’t align no matter the coincidence. It’s a great learning style blog for intrusion/cyber threat intelligence analysts.
  • Do not worry too much about the attacks that you identify. Worry about the ones you do not see. In this case, the highly visible initial attack may have been a “good thing” as it started an investigation that revealed more stealthy unrelated attacks happening at the same time.

Read more in:

Ransomware Hits New Zealand’s Waikato District Health Board. A ransomware attack hit the network of Waikato District Health Board in New Zealand on Tuesday, May 18. Most of the organization’s IT systems are down and hospitals are taking only urgent cases. Some elective surgeries are being postponed.

Note: Even though we’ve seen announcements that ransomware operators are not going to target healthcare organizations, or other critical sectors, you cannot assume that you’re no longer a target. Per DHB Chief Executive Kevin Snee, this attack originated from a malicious email attachment. This emphasizes the need to validate that both technical controls and UAT are where they need to be. Also make sure that your DR plans address routing customers to alternate providers while services are offline versus having them wait. Talk to those providers ahead of time if you’re going to use that option, and offer reciprocal support to sweeten the pot.

Read more in: New Zealand hospitals infected by ransomware, cancel some surgeries

Colonial Pipeline CEO Defends Paying Ransom. Colonial Pipeline CEO Joseph Blount acknowledged paying the $4.4 million ransom, saying it “was the right thing to do for the country.” The attack was detected on May 7 and the ransom was paid later that same day. (Please note that the WSJ story is behind a paywall.)

Note:

  • The choice to pay is harder than ever. Double encryption (multiple ransomware strains, with two payouts), extortion for exfiltrated information, or threats of cyber-attack for non-payment, let alone the desire to return to operation, make things complex. Hold a tabletop exercise to analyze the landscape and determine at which point, if any, you’d make a payment and why. Include key stakeholders in the process and obtain management support. If applicable, share with your regulator to determine what their response will be and adjust accordingly.
  • It appears from the limited reports that Colonial Pipeline was not prepared for such an attack and did not have a plan for how to deal with it. While the decision to meet extortion demands is a business, rather than a security, decision, it should be done only in accordance with a plan made before the attack. This decision appears to have been made in the absence of any plan.
  • Chainalysis reported last week that “Known payments to ransomware attackers rose 337% from 2019 to 2020, when they reached over $400 million worth of cryptocurrency. Attackers show no signs of slowing down in 2021, and have already taken in more than $81 million from victims so far.”

Read more in:

Ireland Healthcare System Ransomware Attack. The ransomware operators responsible for the attack against Ireland’s Health Service Executive have released a free decryption key, but say they intend to expose patient data. The attackers also targeted Ireland’s Department of Health, which managed to prevent the ransomware from executing. Officials say it will be “many weeks” before systems are fully restored.

Note:

  • The ransomware gang made a decryptor available for free after the HSE refused to pay. It isn’t clear if the decryptor worked. But the data was leaked, and is now being used in scams. Scammers are calling individuals, pretending to be associated with healthcare providers, and are using personal data about recent medical procedures to trick victims into providing bank account access data. It is not clear if these scams are conducted by the ransomware gang or scavengers taking advantage of the data leaks.
  • In addition to recovering from the technical impact of the breach, the Irish healthcare providers will have difficulties restoring trust with clients and recovering from these additional effects of the attacks.
  • Many weeks to restore services probably exceeds most of our RTO projections. The question is: are you prepared for large scale system recovery? Do you have contracts in place to bring in help? Do you have documentation on how to rebuild components and what the interdependencies are? Is your recovery priority and order still accurate? Did you incorporate all those cloud services you’ve been migrating to? Conducting a formal exercise to recreate a system from the backup, to include running a parallel business process, is essential and a valuable learning experience.

Read more in:

ID Theft Resource Center: Notable April Breaches. The Identity Theft Resource Center’s notable data breaches in April 2021 include the theft of personally identifiable information belonging to 132,000 GEICO customers, the exposure of private information belonging to 72,000 people participating in a Pennsylvania Department of Health contact tracing program, and the compromise of personally identifiable information held by the ParkMobile parking app.

Note:

  • I’ve used the ITRC data for many years – it is “breach-centric” but has been using a consistent methodology over the years. The takeaway here: just because ransomware is getting all the press coverage, the most important issue is NOT pay ransom/don’t pay, it is that the same weaknesses being exploited in ransomware attacks are continuing to enable breaches and many other forms of damaging attacks.
  • While health departments have been quietly doing contact tracing for generations, privacy concerns about its use have been raised in the light of the pandemic. A breach of this kind gives some credence to those concerns.

Read more in: Geico Data Breach Could Lead to Unemployment Benefits Fraud

CISA Announces Firmware Mitigation Plan. In a presentation at the RSA Conference, officials from the Cybersecurity and Infrastructure Security Agency (CISA) announced a campaign to mitigate firmware vulnerabilities. The campaign’s goals include software bills of material that include the firmware level, vendors explaining the intent of system components, and code analysis.

Note:

  • Unlike the ingredients in food, when something goes bad on the SBOM it can be patched rather than recalled or disposed of. The trick is not only the continuous monitoring but also application of fixes in the field. Not just commodity desktops and servers but also IoT devices need to be actively monitored and updated. The consumer will need an “easy button” to succeed. I’m still trying to decide if I liked write-protected firmware better, as updates are a lot easier, yet malicious code can also be written there.
  • Knowing what is supposed to be there improves one’s ability to recognize what is not supposed to be there.

Read more in: DHS announces program to mitigate vulnerabilities below the operating system

RSA Execs May Now Talk About the 2011 Hack. The 2011 theft of SecurID seeds from RSA “was the original massive supply chain attack,” writes Andy Greenberg. The 10-year non-disclosure agreements have expired, allowing RSA employees to tell their stories of the attack.

Note:

  • The RSA hack was enabled by a phishing attack against an employee who was running an outdated version of Windows and Microsoft Office, with no application control or privilege restrictions on external downloaded apps. The employee clicked on what looked like an internal spreadsheet and an Adobe Flash vulnerability was exploited and the game was over – sound familiar? Ten years later, the majority of attacks are enabled by these same failures in a small number of essential hygiene steps. Use any of the recent headline grabbers to get support from above to drive the well-known changes needed.
  • The question is, would this attack work today in your organization? Are your detection and response capabilities up to tracking malicious actors on your network? While the desired responses are obvious, make sure that your assumption is founded on real input and testing. Detection and response to attack needs to replace missing these entirely or finding out from someone else.

Read more in: The Full Story of the Stunning RSA Hack Can Finally Be Told

Sophos Report: Cyberattackers’ Dwell Time is Less Than Two Weeks. Sophos has published its Active Adversary Playbook 2021, a report that “details attacker behavior and impact as well as the tactics, techniques and procedures (TTPs) seen in the wild by Sophos’ frontline threat hunters and incident responders.” Among the findings: 30 percent of attacks involved Remote Desktop Protocol at the start, and attackers’ median dwell time prior to detection was 11 days.

Note:

  • Some very good news! One of the key lessons I learned from Richard Bejtlich is that “attacker dwell time” should be a strategic security metric for almost every organization. As we all know, fool-proof prevention is not possible; cybersecurity is about resilience. Dwell time is a great way to measure that. Several years ago we were measuring dwell time in months, now it appears to be weeks.
  • This suggests that our goal should be to detect breaches in hours to days. Few enterprises have such a goal and fewer still are measuring and reporting results.

Read more in:

International Student Health Insurance Data Breach. Guard.me, a Canadian company that provides health insurance to students traveling and studying abroad, has suffered a data breach that exposed personally identifiable information. Guard.me took down its website after detecting suspicious activity on May 12. The company has begun notifying affected students by email. The company’s reporting and notification obligations will vary based on where each affected individual resides.

Read more in:

RAT Campaign Targeting Aviation and Travel Organizations. A malware campaign is targeting aviation and travel companies and infecting IT systems with remote access trojans (RATs). The campaign is using spear-phishing emails to gain an initial foothold in the systems. The malware harvests screenshots, keystrokes, browser data, and other information.

Note:

  • As things start to open up, and users are starting to plan travel and vacations, we need to double down on both awareness training and implementation of technical controls. Beyond reminding users to be careful with unknown attachments and links, think twice about unusual requests received via email. Also, make sure that your anti-phishing tools are enabled and working, and add tools to check attachments and URLs before they get to the end-user. If you don’t have these tools, make sure that you don’t have existing options which can be enabled/licensed before looking to external sources.
  • I feel like it is time for two high level reminders: (1) damaging malware attacks that steal information without trying for a ransom payment are still active, even though the press coverage focuses largely on the “exciting” ransomware attacks; and (2) the front end of both “OG” malware and ransomware attacks use the same initial phishing to exploit reusable credentials, similar malware insertion, etc. steps and require the same essential security controls to reduce risk. Use the hype to get backing to make changes that protect information overall.
  • If an enterprise is a “target of choice,” strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) may not be sufficient protection but it may well be enough to remove the enterprise from the “target of opportunity” population. While it cannot prevent users from clicking on bait, it does resist reuse of passwords. The almost universal use of mobiles has reduced both its cost and its inconvenience. It is effective, efficient, and broadly applicable.

Read more in:

CISA SolarWinds Eviction Guidance. The US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has published Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise. The guidance provides step-by-step instructions for removing the “adversary from compromised on-premises and cloud environments.”

Note: This is a comprehensive approach to resolving and removing the adversary from systems impacted by the SolarWinds compromise. This is also a resource-intensive and prescriptive process; read the whole thing before starting to implement it. If you have Orion, walk through the guidance to make sure you have your bases covered. Verify you have adequate protections and assurances that you’re not currently compromised and can detect/respond to future actions.

Read more in:

DISA’s Zero Trust Reference Architecture. The US Defense Information Systems Agency (DISA) has released version 1.0 of the Department of Defense’s (DoD’s) Zero Trust Reference Architecture. The document is designed to ensure that DoD will have a common guide to “a more secure, coordinated, seamless, transparent, and cost-effective IT architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.”

Note:

  • Jump to page 17 and look at the DISA Zero Trust Maturity model. The Preparation and Baseline Phases basically require that you have implemented all of the Center for Internet Security Critical Security Controls – including multi-factor authentication and sensitive data encryption. To achieve “zero trust” you have to first have a trustable infrastructure as the foundation; it cannot be sprayed onto systems/processes that don’t have the basic controls and skills in place.
  • This architecture builds on the existing DOD ICAM reference architecture which is key to implementation. It also includes a maturity model you can leverage when planning your Zero Trust architecture and implementation. Be sure to understand the concepts, tenets, and required capabilities before attempting to implement.

Read more in:

Ireland’s Health Services Executive and Department of Health Hit with Ransomware Attacks. Ireland’s Health Services Executive (HSE) suffered a ransomware attack on May 13. HSE shut down most major IT systems after discovering the attack; healthcare providers have been unable to access patients’ electronic health records. HSE is beginning to restore its IT systems. Ireland’s Department of Health has been hit with a similar attack, but managed to avoid having files encrypted.

Note: The HSE has been hit by the Conti ransomware, and the Wizard Spider cybercrime gang are most likely behind this attack. This is a double extortion attack whereby there is a ransom demand to decrypt the data but also a demand to prevent the stolen data from being released onto the web. The Irish government has stated they will not pay the ransom, which in my opinion is the right approach. This is a despicable attack impacting on the provision of health services to patients. Paying ransoms is not going to rid us of the scourge of ransomware attacks. We now need governments worldwide to wake up to the threat these criminals pose to organizations, to our societies, our economies, and the lives of innocent people and to work together to rid us of this threat.

Read more in:

AXA Asian Operations Hit with Ransomware Attack. AXA, the French insurance company that recently said it would no longer write policies to cover ransomware payments, says that its Asia Assistance division was hit with a ransomware attack. The incident affects operations in Thailand, Malaysia, Hong Kong, and the Philippines.

Note:

  • While the trend for cyber insurance carriers like AXA to not cover ransomware/extortion is focused in France, this attack is not necessarily connected to that. Ransomware payouts have advanced to the point where cyber insurers are actually losing money, so expect them to continue to manage that liability by not issuing new policies and likely changing the terms for existing policies upon renewal. The extortion threat includes a promise not only to leak the pilfered data but also to execute a DDoS attack against AXA. The question is, will threats of increased attacks coupled with data release reverse trends to stop payments? Keep an eye on this to gauge your response if you wind up in the victim’s shoes.
  • This comes at the time when AXA announced that it will no longer pay for ransom as part of its cyber insurance policies. These insurance payments have fueled the rise of ransomware and just maybe, this attack was retribution for the announcement.
  • Several layers of irony here, as Reuters has reported that Colonial Pipeline had cyberinsurance policies in place and one of the insurance carriers was AXA.
  • The insurance industry has a responsibility to ensure that their products do not create a “moral hazard.” AXA has rightly concluded that covering ransomware has the potential to create such a risk.

Read more in:

Toshiba Tec Group Subsidiaries Hit with Ransomware Attack. European subsidiaries of Toshiba Tec Group were reportedly hit with ransomware. As a precaution, Toshiba Tec Corp severed network connections between Japan and Europe. The company manufactures barcode scanners, point-of-sale systems, and other equipment.

Read more in:

DarkSide Disappears. The DarkSide group, which is believed to be responsible for the ransomware attack that caused the Colonial Pipeline shutdown, says it is ceasing operations. DarkSide claims to have lost access to its servers and that its cryptocurrency funds have been seized.

Note:

  • One should not take announcements like this too seriously. They may come back in a couple of months under a different name. Until the pipeline breach, DarkSide had been pretty good about staying out of the news. They are likely trying to move back out of the limelight to the “dark side.”
  • The BitMix cryptocurrency mixing service used by the Avaddon, DarkSide, and REvil ransomware operators to “wash” their funds has also allegedly ceased operation. The leaders of the DarkSide group are closely tied to the REvil gang, which just announced they were putting restrictions on what kinds of organizations their affiliates could hold for ransom, prohibiting “social sector” (healthcare and educational institutions) and “gov-sector” of any country as well as requiring affiliates to get approval before infecting victims. While well intended, the affiliates, including DarkSide, will more likely switch to a different platform with fewer restrictions.
  • Don’t get too excited; they are not shutting down and leaving cybercrime, they are simply transitioning to a new identity that will be harder for law enforcement to track. I also thought it was interesting to see DarkSide’s statement that they would not target specific industries (healthcare, education, etc). In some ways that is good business as it can help keep them under the radar. However, even if they followed such ethical guidelines (which I doubt), others will not. In addition, cyber criminals are human and make mistakes; they can and will accidentally infect unintended targets.

Read more in:

UK Government Seeks Input on Digital Supply Chain Security. The UK government’s Department for Digital, Culture, Media and Sport (DCMS) is seeking input regarding measures to improve cybersecurity for digital supply chains and IT managed service providers. DCMS has opened a survey and will be accepting responses through July 11, 2021.

Note: Hold suppliers accountable for what they distribute.

Read more in:

TSA Role in Pipeline Security is Scrutinized. The Colonial Pipeline ransomware attack has prompted lawmakers and government officials to revisit the Transportation Security Agency’s (TSA) role in regulating natural gas pipeline cybersecurity. While TSA has oversight of pipeline security, the agency’s pipeline security office is meagerly staffed and has established only voluntary assessments. In contrast, the electricity sector is subject to mandatory audits and fines for not meeting standards. Legislators have introduced a bill that aims to strengthen pipeline security. (Please note that the WSJ story is behind a paywall.)

Read more in:

Eufy Security Camera Bug Exposed Users’ Video Streams. Some users of Eufy security cameras have reported that when they signed into their accounts, they were able to access other users’ accounts, allowing them to view both live and recorded video. Users also reported being able to control others’ cameras. Eufy says the bug has been fixed, and that users need to unplug and reconnect their devices and log out of the Eufy security app and log in again.

Note: Good lesson for anybody who blindly trusts access controls that you don’t have any insight into or that you are not able to review (for example, cloud providers). Assume they will break eventually. For security cameras specifically: They should not be placed in personal spaces or rooms where confidential information is discussed. (For home security, it is best to keep them outside.)

Read more in:

Bizarro Banking Trojan. A banking trojan is being used to harvest online banking credentials for dozens of financial institutions in South America and Europe. Known as Bizarro, the malware targets Android mobile devices. It kills browser processes and disables autocomplete, forcing users to log in to accounts so it can harvest credentials. Bizarro also has the capacity to hijack bitcoin wallets.

Note: Beware of over-permissioned applications. Beyond only installing applications from the vendor (Google/Apple) or enterprise app store, review your devices regularly and remove unused applications. Keep the remaining apps and OS updated. Replace devices before the vendor stops providing regular OS and Security updates.

Read more in: Bizarro Banking Trojan Sports Sophisticated Backdoor

Volue’s Exemplary Transparency in Face of Ransomware Attack. Norwegian technology company Volue has been praised for its transparency regarding a ransomware attack that infected its systems earlier this month. Volue has posted daily updates about the attack and the company’s recovery process. The company has also provided email addresses and phone numbers for its CEO and CFO so customers can contact them directly with questions.

Note: Here is a model of external communication during an incident which you should compare with your current communication model and adjust where necessary. Take hints from Volue’s web site below – frequency of update, contact information and communication in the relevant languages of their customers.

Read more in:

Biden Signs Executive Order on Improving the Nation’s Cybersecurity. President Joe Biden has signed an executive order (EO) on cybersecurity. The order establishes more stringent security requirements for government contractors, and directs government agencies to use the procurement process to encourage vendors to implement a secure software development process. It also requires government agencies to use multi-factor authentication and encryption. The EO also calls for adoption of a zero-trust security model.

Note:

  • Plenty of fluff in the Executive Order but three very good things: (1) Establishing the Cyber Safety Review Board, modeled after the National Transportation Safety board; (2) 180-day deadline for moving to multi-factor authentication and encrypting data at rest; and (3) the federal government using its buying power to drive higher levels of supply chain security. While deadlines will inevitably be missed, these three things are critical and measurable bar-raisers. The “Zero Trust” mandate less so – until any organization first gets to essential security hygiene then puts strong authentication in place, it is not possible to even come close to implementing “zero trust.”
  • While the order is codified into regular requirements, take the time to assess your environment and start planning your implementations. Increased cloud adoption and zero trust require supporting monitoring, validation, and assessment processes to make sure that you don’t lower your security or become the victim of the next cloud data breach. Look to NIST and CISA as well as industry analysts to develop guidelines. While it will be incredibly valuable to talk to peer agencies to leverage lessons learned from similar implementations, make sure you clearly understand what type of information and systems they were protecting. Expect vendors to come calling with solutions, verify they are actually aligned with requirements prior to jumping in.
  • Better than not. However, if top-down executive orders were effective, our government would long since have been more secure than commerce. We may govern top-down but we implement from the bottom up. If government buying power was effective, would there still be the overwhelming market preference for open, general, flexible, and feature rich over security?

Read more in:

Microsoft Patch Tuesday. On Tuesday, May 11, Microsoft released updates that address 55 security issues in Edge, Exchange Server, Microsoft Office, the Windows RDP Client, and other products. Four of the fixed vulnerabilities are rated critical: an HTTP Protocol Stack remote code execution (RCE) vulnerability, a Hyper-V RCE vulnerability, an OLE Automation RCE vulnerability, and a Scripting Engine Memory Corruption vulnerability in Internet Explorer 11.

Note:

  • The number of vulnerabilities patched is small. But the http.sys vulnerability should be addressed as soon as possible. Luckily, it only applies to specific (very recent) versions of Windows. Currently I am not aware of a public exploit. Expect one to be released in a couple of weeks. You likely have about a week to get this one patched before you will join Colonial Pipeline and others in the news.
  • Good news: only 55 security issues; bad news: four are critical, including CVE-2021-31166, which applies to desktops and servers. CVE-2021-25419 applies to IE 11, on desktops and servers. Assume IE 11 is still on systems, unless you’re explicitly removing it. You should be off IE 11 this year. Look at Edge’s IE Compatibility mode option for applications which expect IE. And there are also four more patches for Exchange. Even if you’re on MS 365, make sure you’re not still in hybrid mode, which means you would still have legacy Exchange servers which need patching.

Read more in:

FragAttacks Vulnerabilities Affect Millions of Wi-Fi Devices. A group of recently-detected fragmentation and aggregation attacks (FragAttacks) affects most Wi-Fi devices; some of the flaws date back more than 20 years. Three of the vulnerabilities are design flaws in the Wi-Fi 802.11 standard. Some vendors have released updates.

Note:

  • The vulnerabilities themselves aren’t critical, but need to be patched as vendors release updates. Consider all Wi-Fi gear that is Linux based vulnerable (which is probably 90% of it). I do suggest you read the writeup to learn more about how these Wi-Fi protocols work, and why there may be more vulnerabilities where these came from.
  • Joshua Wright identified many of these vulnerabilities ten years ago. What’s new here is the identification of flawed implementations. While flaws in the 802.11 standard aren’t going to be rectified soon if at all, implementation flaws are being addressed. CVE-2020-24586, CVE-2020-24587 and CVE-2020-24588 weaknesses are generally low risk because they require close proximity to the AP to exploit and have very limited impact when exploited. Even so, it’s a good time to make sure your wireless firmware is updated.
  • While perhaps counter-intuitive, one is far more likely to be attacked on the wire side than on the air side.

Read more in:

Federal Trade Commission’s Report to Congress on Right to Repair. A US Federal Trade Commission (FTC) report submitted to Congress found “scant evidence to support manufacturers’ justifications for repair restrictions.” With regard to cybersecurity concerns, the report notes that “The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data. Furthermore, although access to certain embedded software could introduce new security risks, repair advocates note that they only seek diagnostics and firmware patches.”

Note:

  • This is a victory for repair shops and technicians who want to repair devices and may elect to not use OEM parts. Even so, review the risks of having your devices serviced by third parties. Look to how you can be assured that information is not compromised and that non-OEM hardware doesn’t introduce disallowed functions or procedures. Decide if you want to allow employees to take a corporate device to be repaired at their own discretion or if you want a more rigorous process followed.
  • One more attack vector? Maintenance and repair are part of the supply chain.

Read more in:

Verizon’s 2021 Data Breach Investigations Report: Human Interaction Plays a Part in Most Breaches. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), 85 percent of data breaches involved human interaction. These breaches include phishing, business email compromise, lost or stolen credentials, and human error and misuse. Gabe Bassett, senior information security data scientist for the Verizon Security Research team and co-author of the report said, “I think it’s very easy in security to forget that what we’re securing is not the computer. What we’re securing is the organization. The organization is the people as well.”

Note:

  • As someone who is passionately focused on the human side of cybersecurity, this year’s report is exciting as it brings far more visibility into the role people play. As a huge fan of the VZDBIR, I’ve always struggled to piece together all the Action elements to better understand the broad role people play; this year the DBIR team did that for us, getting the numbers of 85%. This year they also added a new Pattern (Social Engineering) and a call-out on Security Culture. Cybersecurity is no longer just a technical challenge but a human one also, and the VZDBIR provides the data to help us better understand and address that challenge.
  • Changing human behavior is critical, but we know safety controls are always required even in very mature areas like “don’t use your blow dryer in the tub” – that is why we required Ground Fault Interrupt circuits for all outlets near water. The majority of attacks still start with a phishing front end to obtain credentials – non-reusable passwords paired with user awareness to reduce click rates are the solution, not one or the other.
  • While true, we did not need the DBIR to tell us that. It should not be the case that one user clicking on a bait message should compromise an entire enterprise. Strong authentication and network segmentation, not to mention “zero trust,” would make us far more robust than we are. At a minimum, we should be isolating systems used for browsing and e-mail from mission critical applications, e.g., operating a pipeline. These are widely applicable and efficient measures. We know what to do. Can’t we just get on with it?

Read more in: 85% of Data Breaches Involve Human Interaction: Verizon DBIR

Colonial Pipeline Reportedly Paid $5 Million Ransom. Bloomberg reports that Colonial Pipeline paid ransomware operators nearly $5 million. The decryption tool provided by the operators proved to be so slow that Colonial Pipeline also used backups to restore its systems. Earlier reports indicated the company did not intend to pay the ransom.

Note:

  • Note that even with the application or decryption key to restore your encrypted systems, progress may not be as rapid as expected. You may need to use multiple approaches, such as also continuing to rebuild systems from backup to get back online in a timely fashion. Ask how long it would take to rebuild your infrastructure from backup, then compare that with your expected RTO/RPO. Conduct exercises to make sure you actually can rebuild systems; run test transactions to make sure they match your production systems. Adjust where needed.
  • Three key things really popped out for me on this one. First, it appears that it was not the OT networks that were infected but Colonial’s IT billing system. One of the reasons Colonial stopped the flow of gas is because they would not be able to bill for it. Two, even though they paid the ransom they still could not decrypt their data. This surprised me as this was such a high-visibility incident; most likely the cyber criminals made a mistake. Finally, this incident really reinforced for me how the scale and sophistication of the RaaS community has exploded.
  • Compared to other recent ransomware incidents, this payout sounds small. But I am sure the ransomware gang will invest it right back into better tooling for its next attack.
  • Those who pay extortion may not get the protection that they pay for and their neighbors will be more at risk.

Read more in:

Biden Says Colonial Pipeline Attack Was Not State-Sponsored. President Joe Biden said that while there is reason to believe that the ransomware operators responsible for the Colonial Pipeline attack are in Russia, an FBI report says that the attack was not backed by the Russian government. Biden also said that the US plans “to pursue a measure to disrupt [the ransomware operators’] ability to operate.”

Note: DarkSide is a ransomware as a service organization; effectively anyone can use their services so specific attribution is complex if not impossible. The focus needs to be on mitigations and preparedness. In OT and critical infrastructure, Availability is key versus the Integrity or Confidentiality legs of the CIA triad. Verify that those systems can operate reliably without your supporting IT systems, and make sure you don’t have unexpected avenues of compromise.

Read more in:

South Korea Will Review Energy Infrastructure Cybersecurity. Prompted by the Colonial Pipeline ransomware attack, South Korea’s Ministry of Trade, Industry and Energy has ordered a cybersecurity review of the country’s energy infrastructure. The minister is urging entities that operate South Korea’s oil and gas pipelines, power grids, and emergency response systems to evaluate the security of their systems and report their findings to the ministry.

Read more in: South Korea orders urgent review of energy infrastructure cybersecurity

Adobe Patch Tuesday Includes Fix for Actively Exploited Flaw in Reader and Acrobat. On Tuesday, May 11, Adobe released updates addressing more than 40 vulnerabilities in a dozen of its products. One of the flaws, a critical use after free issue affecting Reader and Acrobat, is being actively exploited.

Note:

  • I’m the only one that hoped that post-Flash Acrobat and Reader patches would slow down, right? Your creative cloud users should have an update all queued up. For the rest of your systems, add this to the patches you’re rolling out. Note users will have to restart the app to apply the update. Uninstall where they are not needed to reduce future avenues of attack.
  • With Flash gone, Adobe’s patches dropped from the headlines somewhat. But they are still making a number of other wonderful products. Many of them, not just Acrobat, receive patches these days. For example, Magento is one of those wonderful products that was patched again (even if it was just a minor problem). It is easier to patch continuously as patches are released vs. making it a fire drill each time a critical vulnerability is released.
  • Reader and Acrobat continue to be a problem. Everyone has them but not everyone needs or uses them. One favorite bait message continues to be “Click here to update Adobe Reader.”

Read more in:

Rapid7 Source Code Affected by Codecov Supply Chain Attack. Rapid7 says that some of its source code was compromised through the Codecov supply chain attack. In a blog post, Rapid7 writes, “A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7.” The affected repositories held some internal credentials, all of which have been rotated.

Read more in:

Colonial Pipeline: Dragos CEO Rob Lee on Pipeline Ransomware Attack. Dragos CEO Rob Lee says that the Colonial Pipeline ransomware attack “is the largest impact on the energy system in the United States we’ve seen from a cyberattack, full stop.” Lee says that Dragos has observed increasing ransomware attacks targeting industrial control systems and elements of critical infrastructure.

Note:

  • This attack is yet another reminder how ransomware is out of control and currently by far the largest threat facing organizations. Over the last few years, hundreds of millions in ransom payments have built a ransomware industry that in some cases dwarfs government budgets. This particular attack does however highlight another “supply chain” issue: the concentration of the flow of goods, be it shipments via the port of LA or the Suez Canal, a single pipeline being responsible for supplying refined gas to a large part of the US, or the small number of chip manufacturers. This concentration has caused bottlenecks and easily exploitable vulnerabilities in the supply chain that are easily leveraged by criminals or nation states to hold economies hostage.
  • This last year has shown a dramatic increase in disruptive attacks, many taking advantage of health care systems involved with Covid-19 research. In recent months a renewed interest in disrupting or taking critical infrastructure offline has emerged. This past year of remote work seems to have exposed added attack vectors, as well as shown a light on existing ones. Operators, public or private, need to review their systems to make sure that they are following security best practices, and engage an external assessor. Don’t wait for attackers or your regulator’s audit to discover issues which need addressing.
  • This attack was motivated by money and has disrupted operations and, potentially, fuel supply and prices in the Northeast US. However, it is one more demonstration of the vulnerability of our infrastructure to adversarial nation states. The same breach could have been used to mis-operate the pipeline. “Security as usual,” the state of the practice, is not getting the job done. We must increase the cost of attack against our systems tenfold. We know what needs to be done. What will it take to motivate us to do it?

Read more in:

Colonial Pipeline: Ransomware Attack Disrupts Pipeline Operations. Colonial Pipeline is working to recover from a ransomware attack. Colonial Pipeline operates a 5,500 mile pipeline that carries fuel from Texas to New Jersey; it accounts for nearly half of the fuel used on the East Coast of the US. Colonial Pipeline shut down operations after discovering the ransomware. The company says it hopes to restore a significant level of service by the end of the week.

Note:

  • Connectivity is a double-edged sword. While it enables external services such as remote access or cloud based monitoring/analysis, the risks and security of those connections must be carefully examined. Both NSA and CISA have been publishing OT security guidance lately for you to leverage. Also look to your IT operation impact on OT: can those OT services operate if your IT systems go down? Are you ready for this sort of event? Be sure that your incident response plan is current and tested regularly. Colonial Pipeline brought in help right away and took immediate action to contain the incident and protect systems from further damage, and is now following their recovery plan as well as spinning up teams to address customer, regulator, and public concerns.
  • Details aren’t out yet, but the vast majority of successful ransomware attacks start with reusable passwords being obtained through phishing and other means. More recently, unsecure/unpatched remote access methods put in place during the pandemic have enabled direct attacks, as well. A December 2019 National Petroleum Council report submitted to the Department of Energy acknowledged that “The Council found that cyber threats to energy infrastructure control systems are increasing and security protections are being challenged due to increasing connectivity and growing malicious cyber activity,” but there does not seem to have been much progress forward on those essential security hygiene issues.

Read more in:

Colonial Pipeline: Government Response. At a White House press briefing on Monday, May 10, Press Secretary Jen Psaki, Homeland Security Advisor and Deputy National Security Advisor Dr. Liz Sherwood-Randall, and Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger spoke about the administration’s “whole-of-government” effort to help Colonial Pipeline. Dr. Sherwood-Randall noted that the attack “put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private-sector companies. When those companies are attacked, they serve as the first line of defense, and we depend on the effectiveness of their defenses.”

Note: It can cost three times as much to ship these fuels via rail car versus pipeline and even so the delivery capacity is lessened. If you have a critical service, is your fallback plan viable? Is the difference in cost and delivery acceptable? Do your customers see your service at the same level of criticality as you do? All of these need to be aligned. Build relationships with your regulator, law enforcement and cyber security firms now, while you don’t need them. Leverage any guidance they can offer. When is the last time you engaged a new external assessment team?

Read more in:

Colonial Pipeline: Regional Emergency Declaration. In the wake of the ransomware attack that has disrupted operations of a major fuel pipeline in the US, the US Federal Motor Carrier Safety Administration (FMCSA) has issued a regional emergency declaration. The directive relaxes rules for transporting fuel, allowing truck drivers to work longer hours to transport fuel. Colonial Pipeline delivers approximately 45 percent of fuel used on the East Coast of the US. The directive applies to drivers in 17 states and the District of Columbia. FMCSA is an agency of the US Department of Transportation (USDOT).

Read more in:

Colonial Pipeline: DarkSide Ransomware Group. The FBI has confirmed that a ransomware group known as DarkSide is responsible for the attack affecting Colonial Pipeline. DarkSide has been operating since at least August 2020 and operates as ransomware-as-a-service. The group is believed to be operating in Eastern Europe or Russia, and has targeted mainly English-speaking organizations.

Read more in:

Insurer Will No Longer Reimburse Ransomware Payments in France. French insurance company AXA will no longer write policies that reimburse customers in France for ransomware payments. AXA will still cover clean-up costs for ransomware attacks, and the change does not affect existing policies. The decision was made in response to concerns expressed by French government officials. In a separate related story, an insurance company refused to cover the cost of a ransom paid by an Indiana oil company.

Note:

  • See my comment above. This is a good thing. Ransomware has become as big as it is now due to cyber insurance payments feeding the development of new and more sophisticated ransomware.
  • Attackers are leveraging the trend of ransomware payout through the victim’s cyber insurance provider becoming a sure bet. Note the September 2020 report from insurance provider Coalition which showed a 260% increase in ransomware attacks among their policyholders and that 41% of all cyber insurance claims in the first half of 2020 were ransomware incidents. There is a larger call to de-incentivize ransomware, reducing the avenues of a sure payout. If you want to retain the option with your insurance provider into the future, expect a significant increase in premiums. It is time to revisit your cyber insurance risk assessment based on input from your provider.
  • SANS instructor Ben Wright and I are doing a May 20th webinar around ransomware and cyberinsurance: www.sans.org: Avoiding or Minimizing Ransomware Impact to the Bottom Line.
  • One hopes that their competitors will follow suit. Reliance on insurance to pay extortion has become a moral hazard. This is a risk that must be mitigated, not merely accepted or assigned.

Read more in:

CaptureRx Discloses Ransomware Attack. CaptureRx, a 340B drug pricing administrative services provider, recently disclosed that a ransomware attack compromised protected health information. The incident affected health care organizations in Pennsylvania, New York, and Vermont. CaptureRx notified affected healthcare organizations and assisted them with notifying affected patients. Compromised data include names, dates of birth, prescription information, and in some cases, medical record numbers.

Note:

  • This is third-party risk realized. When using a shared service, verify and accept the protections between client datasets as these can range from a field tag in a shared database to completely separate systems. Also understand who can access your data and how. Prefer solutions where your data is encrypted with different keys from other customers, ideally using keys you manage. Make sure you have adequate cyber provisions, including incident response, indemnification, and flow-down of your information protection requirements. Have your legal team not only review these provisions to ensure you both agree on what they mean, but also engage them on any pushback during contract negotiations.
  • Four years into extortion attacks, disproportionately targeting healthcare, there is simply no excuse for this. We really need to up our game. We have been focusing on threat intelligence but not using what it is telling us. We must increase the cost of attack across all systems and industry segments.

Read more in:

NCSC, CISA, FBI and NSA: Russian Threat Actors’ TTPs. The UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA have issued a joint alert listing the tactics, techniques, and procedures (TTPs) that Russian cyber threat actors are using. The report details 12 critical vulnerabilities that the threat actor group is currently exploiting.

Note:

  • The appendix to the report includes Snort and Yara rules you need to incorporate into your defenses. While your SOC is doing that, read the Mitigation Advice and Further guidance to make sure that you’re covered. The advice is relevant for many attackers, not just the Russian cyber threat actors. There should be no reason not to implement these mitigations and protections.
  • Post Solarwinds, and after many of the Exchange servers were patched, some threat actors had to find new ways to gain access to networks. This is a good thing. Cycling TTPs is expensive and risky to a threat actor as they diminish their arsenal of vulnerabilities, and risk discovery using less proven and familiar attack techniques.

Read more in:

Australian Parliamentary Services Shut Down MDM System to Protect It. A March outage affecting Australia’s Department of Parliamentary Services (DPS) was due to the department’s decision to take down its mobile device management system following an intrusion on the parliamentary network. The attack did not shut down the MDM system. DPS disclosed the new information in response to written questions from members of Parliament.

Note: One of the costs of incidents is downtime and too often downtime is caused by the response to the incident, not just by the attack. There are many software components or services that are similar to electricity – backups and work arounds need to be tested in advance (and regularly) just as UPS switchovers are tested.

Read more in: Parliamentary Services pulled MDM system offline causing March APH outage

NCSC Smart City Cybersecurity Guidance. The UK’s National Cyber Security Centre (NCSC) has published guidance for municipalities implementing smart city services, including public services like healthcare and emergency services, transportation services, and traffic light and streetlight management. The Connected Places Cyber Security Principles “recommends a set of cyber security principles that will help ensure the security of a connected place and its underlying infrastructure, so that it is both more resilient to cyber attack and easier to manage.”

Note:

  • This guidance includes references to other standards and best practices, provides a holistic approach to securing OT, and has broad applicability beyond a city or the UK. Use this not only when designing new systems but also when reviewing existing implementations.
  • It is nice for these agencies to be on record. However, the problem is not that we do not know what to do but that we lack the will to do it.

Read more in:

Scripps Health Still Operating Under EHR Downtime. California’s Scripps Health is still operating under electronic health record (EHR) downtime following a ransomware attack that hit its servers earlier this month. The Scripps Health website and patient portal remain unavailable. The California Department of Public Health says that the Scripps “hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas.”

Read more in: Scripps Health EHR, Patient Portal Still Down After Ransomware Attack

Ransomware Attack Disrupts Tulsa, Oklahoma Online Services. The city of Tulsa, Oklahoma, is recovering from a ransomware attack. The incident began over the weekend; the city made the decision to shut down systems to prevent the malware from spreading. Emergency response services, including 911, are not affected. Online services such as utility billing and bill payments are not available, but the city’s phone system is operating.

Read more in:

Biden Administration is Finalizing Executive Order Prompted by SolarWinds. In response to the SolarWinds supply chain attack, the Biden administration plans to release an executive order (EO) establishing cybersecurity standards for companies that conduct business with the US government. The EO is expected to include software development standards and plans for investigating cyber incidents. In short, the EO uses the federal procurement process to effect change in the software development process.

Note:

  • The US government using its buying power to drive higher standards in cybersecurity is a good thing, but it can’t just be more maturity model/process certification paperwork requirements. Actual security testing of products and services needs to be part of the mandates. Also, the idea of a “Cyber NTSB” (first raised by Steve Bellovin many years ago, and more recently by Bellovin and Adam Shostack) is a really vital initiative that needs to come from the federal level to be effective.
  • Good step in the right direction, one that does not require legislation. That said, we need to hold accountable suppliers who distribute malicious code, including “back doors.” This may require legislation.

Read more in:

Google is Encouraging Users to Adopt 2FA. Google will prompt users to turn on two-factor authentication (2FA). Users who have already adopted 2FA will be asked to confirm their identities. Eventually, Google plans to automatically enroll users in two-step verification if their accounts are configured to allow it.

Note:

  • I’d like to see that “eventually” replaced with “next month” and see “Google” replaced with “Google, Microsoft, Facebook, Paypal…”. Once again I will point to Microsoft’s research that replacing reusable passwords with simple (not perfect) 2FA like text messages to mobile phones is effective against 99.9% of phishing attacks, and phishing is the front end of the majority of successful breaches and ransomware incidents. Oh, and 90% of your board members are using 2FA at home on their personal devices and financial accounts.
  • Even better would be 2FA on by default, only disabled by exception. Make sure that all your accounts, not just Google, have 2FA enabled wherever possible. While you’re looking at the account, check for application passwords or trusted/logged in devices to make sure that they are current and still needed. Look for the trust relationship for that laptop you gave to your neighbor/co-worker/etc. or that smartphone you traded in last year.
  • Google has been a great champion of popularizing 2FA and developing usable solutions for end users. This work has been supported by data that shows that 2FA is preventing almost all phishing attacks. If Google can do it with its vast and diverse user base, so can you.
  • Given that people’s email accounts tend to be the nucleus for all their other online identities, this is a very welcome move and great to see someone like Google normalize security measures such as 2FA.
  • Fraudulent password reuse is involved in many, not to say most, breaches. Google’s offering of strong authentication to its users is a model for others. It offers sufficient choices to users to achieve effective security with a minimum of inconvenience. Its use by default is a step in the right direction. Strong authentication within the enterprise should, by now, be the default. One might really like to know what the voluntary adoption of Google’s strong authentication has been. While it might justify the pervasive belief that “strong authentication is too hard,” it just might prove that the opposite is true.

Read more in:

Fixes are Available for Exim Mail Server Vulnerabilities. Researchers at Qualys detected 21 security flaws in the Exim mail server. Some of the flaws could “be chained together to obtain full remote unauthenticated code execution and gain root privileges.” Admins are advised to update to Exim version 4.94.2 to address the vulnerabilities in the mail transfer agent. Exim maintainers also said that the 3.x release is obsolete and should no longer be used.

Note:

  • Some of these vulnerabilities go back to the original versions of Exim from 2004, so don’t assume the flaws are only for the newer versions you have deployed – update all of them. The Qualys Security Advisory includes not only the technical details but also PoC code, which means you need to patch any externally facing Exim servers right away. Don’t forget to update the rest of your Exim installations. Take advantage of the Security Advisory information to learn how the exploit works and verify the updated version is not susceptible on a test or lab system.
  • Exim had similarly severe vulnerabilities about two years ago. What followed was a large wave of exploits against Exim servers by anybody who knew how to spell “EHLO”. It took about a month for an easy to use exploit to arrive. In short: You need to patch now if you run Exim (many Linux systems use it).
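The advice above boils down to a fleet-wide inventory question: which hosts run an Exim older than 4.94.2, and which still run the obsolete 3.x line? The following is an added example (not code from Qualys or the Exim project) that parses the banner `exim -bV` prints and classifies it. The banner strings used for illustration are constructed; the only facts it relies on are the fixed version (4.94.2) and the end of life of 3.x stated in the item.

```python
"""Classify an Exim installation against the 4.94.2 fix release.

Added example, not Qualys' or the Exim project's code. Feed parse_exim_version()
the output of `exim -bV` (first line reads "Exim version X.Y.Z #N built ...")
or run check_local_exim() on a host that has the binary on PATH.
"""
import re
import shutil
import subprocess

FIXED = (4, 94, 2)  # first release carrying the fixes for the Qualys findings

# Matches "Exim version 4.94.2" and also "Exim version 4.94" (no patch level).
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(banner: str):
    """Return (major, minor, patch) parsed from `exim -bV` output, or None."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def needs_update(version) -> str:
    """Return 'obsolete' (3.x), 'vulnerable' (< 4.94.2), 'ok', or 'unknown'."""
    if version is None:
        return "unknown"
    if version[0] < 4:
        return "obsolete"      # 3.x is end of life: upgrade, there is no patch
    if version < FIXED:
        return "vulnerable"
    return "ok"


def check_local_exim() -> str:
    """Run `exim -bV` if an Exim binary is present and classify the result."""
    exe = shutil.which("exim") or shutil.which("exim4")
    if exe is None:
        return "not installed"
    proc = subprocess.run([exe, "-bV"], capture_output=True, text=True, check=False)
    return needs_update(parse_exim_version(proc.stdout))


if __name__ == "__main__":
    # Constructed banner for a stand-alone run; on a real host use check_local_exim().
    sample = "Exim version 4.94 #2 built 01-Jan-2021 00:00:00"
    print(sample.split(" built")[0], "->", needs_update(parse_exim_version(sample)))
    print("local exim:", check_local_exim())
```

One caveat for distribution packages: Debian, Ubuntu and others may backport the fix into a package whose `-bV` banner still reads 4.94 or lower, so an "vulnerable" verdict from this check should be confirmed against the distribution's own security advisory (or the package changelog) before you escalate, and a host that reports "ok" only tells you the upstream version, not that the listener is actually reachable from the Internet.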

Read more in:

Dell Firmware Update Driver Vulnerabilities. Researchers at SentinelLabs found five high-severity vulnerabilities in a firmware update driver that has been installed on hundreds of millions of Dell systems since 2009. Two of the five vulnerabilities are memory corruption flaws, two are lack of input validation flaws, and the fifth is a code logic issue. Dell has provided remediation suggestions.

Note:

  • This flaw is “only” a privilege escalation vulnerability. But given the wide use of the utility, and its ability to modify firmware, it may become an interesting conduit to install more persistent back doors. Patch as you get around to it. The challenge will be to find all the instances of these drivers.
  • The list of impacted systems from Dell is long and comprehensive, and may suck all the joy out of the room. Note that as of May 10th, the Dell notification solutions can be leveraged for automated deployment of the update when installed; even non-enterprise customers will be notified of the available update.
    www.dell.com: Download notification applications

Read more in:

US Intelligence is Conducting Supply Chain Risk Review. Prompted by the SolarWinds attack, US intelligence agencies are undertaking a review of supply chain risks posed by Russian companies and US companies that conduct business in Russia. The FBI and other participating agencies will share their findings with the Commerce Department to determine whether vendors need to be excluded from US supply chains.

Note:

  • Given the state of the world’s current political climate I would hope that this review will not be confined to just Russian interests.
  • There will always be a geopolitical aspect to supply chain risk assessments, but just as all businesses learned early on that geo-blocking by country domains was rarely a workable solution, political decisions that do the same thing will have very little impact on the actual security level of products and services in company supply chains.
  • Given the number of participants in the supply chain, this will be a daunting task. Nor is it clear that identifying and eliminating weak links in advance is an efficient way to strengthen the chain.

Read more in: US spy agencies review software suppliers’ ties to Russia following SolarWinds hack

Ryuk Ransomware Infection Traced to Pirated Software. Sophos Rapid Response team helped a European biomolecular research institute deal with a Ryuk ransomware attack. The infection has been linked to pirated software that a student working remotely downloaded. The software contained a keystroke logger, which stole sensitive information.

Note:

  • Several lessons here. The institute lost a week’s worth of data because their backups weren’t updating as expected. The malware was able to obtain access to the school’s network as remote services used reusable credentials. Make sure that remote connections include a host posture check before completing the connection, particularly if you permit access by non-enterprise devices. Require updated active endpoint protection. Consider carefully options of providing regular or discounted licenses for home use versions of enterprise software. Be prepared for human error, not just direct attacks.
  • I would encourage everyone to read the Sophos report. It is a great case study as to how many organisations are at risk as a result of COVID19 forcing people to work remotely, and in particular working from their own personal devices. Read the report and check to see if you have the appropriate controls in place to prevent your organization becoming a victim of a breach related to use of personal devices.
  • Ineffective supervision of novices is a fundamental problem of WFH. Consider teaming of novices with experienced people to achieve something like one-on-one supervision. Both halves of the team will benefit.

Read more in:

DDoS Attack Affected Belgian Government, Education, and Other Sites. A distributed denial-of-service (DDoS) attack targeted Belgian Internet service provider Belnet on Tuesday, May 4. The attack affected roughly “200 organizations … including universities, public administrations and research institutes.” The incident forced Belgium’s Parliament to postpone some meetings, and some law enforcement forces’ systems were affected as well.

Note: Do you have a contingency plan for operations if you, or your key services, are subject to a DDoS attack? And have you communicated that to users/customers? With the current remote work environment, in-person work-arounds are tricky and may not succeed. You likely have some ready work-arounds in place. How often have you, like me, rolled your eyes at the list of numbers for dialing into a VTC and clicked use computer audio? Or setup a meeting without a dial-in number? Those may still be working in this scenario. Do you have updated phone trees? Do they include customer incident response organizations?

Read more in:

Cisco Patches Flaws in SD-WAN vManage and HyperFlex Software. Cisco has released updates to address critical flaws in SD-WAN vManage and HyperFlex software. The vulnerabilities could be exploited to create rogue admin accounts and execute commands with root privileges. Cisco also released updates to address vulnerabilities in other software including Cisco Small Business 100, 300, and 500 Series Wireless Access Points and SD-WAN vEdge Software.

Read more in:

CISA FiveHands Ransomware Analysis. The US Cybersecurity and Infrastructure Security Agency (CISA) has published analysis of the FiveHands ransomware. Threat actors used FiveHands, along with publicly available tools and the SombRAT remote access trojan, to launch a ransomware attack against an unnamed organization. CISA notes that “the initial access vector was a zero-day vulnerability in a virtual private network (VPN) product.” The analysis report includes indicators of compromise and suggested mitigations.

Note:

  • Give AR21-126B to your SOC to incorporate the IoCs into their SIEM/SOAR products. You should both read AR21-126A for interesting analysis of the parts and pieces of this attack and review the mitigations – including decommissioning unused remote access devices, limiting the software users can install, enabling host-based firewalls, and keeping things patched with updated active endpoint protection services.
  • The continued success of extortion attacks demonstrates the vulnerability of the cyber infrastructure. While indicators of compromise are valuable, we need less emphasis on tools and attacks, more on prevention and resilience.

Read more in:

NIST Taking Comments on HIPAA Security Rule Guidance. The US National Institute of Standards and Technology (NIST) is seeking comments on updates to its Introductory Resource Guide for Implementing the HIPAA Security Rule. The current version of the guide was published in 2008. NIST is taking comments through June 15, 2021.

Read more in:

Hack the Pentagon Expands Permissible Targets. The US Defense Department has expanded “its vulnerability disclosure program to include all publicly accessible DOD information systems.” Known familiarly as Hack the Pentagon, the program was launched in 2016 and at the time was limited to DOD’s public-facing applications and websites.

Note:

  • To date, over 29,000 vulnerabilities were reported on the previously in-scope systems; over 70% were determined to be valid. This number is expected to be much larger with the increased scope. In 2020, CISA directed all executive branch agencies to develop their own vulnerability disclosure programs. The Defense Department partnered with HackerOne to develop this program and has spent the last four years maturing it. Other agency programs may not be as well managed and may have a much smaller scope. Before researching a site, be sure that you have found and follow the rules of engagement and reporting processes.
  • Well-managed bug bounty programs continue to show very positive results, but a key point: “well-managed” means not just a well-managed vulnerability finding/reward process, but also a well-managed process to rapidly fix the verified vulnerabilities and to improve the dev process to make sure that the same flaws don’t just reappear in the next version.
  • One continues to be concerned about “lone-wolf” researchers. Participants in these programs should be identified in advance and work under supervision or in teams. We must be careful not to legitimize rogue hacking in the name of security.

Read more in:

Update Available for WordPress Antispam Plugin. The developers of the Spam protection, AntiSpam, FireWall by CleanTalk plugin for WordPress have released an updated version to fix an SQL injection vulnerability that could expose sensitive data. The plugin has been installed on more than 100,000 sites. Users are urged to update to the most current version of the plugin, 5.156 or later.

Note:

  • The SQL injection was enabled by failing to use prepared SQL statements. WordPress includes a function, $wpdb->prepare(), which will do this for you, and it encourages all developers whose plugins include database access to use it. If you’re a plugin developer, make sure that you are using it. The updated plugin was released March 10th; make sure your copy is updated. Wordfence firewall rules were released to the paid version March 4th, and to the free version April 3rd.
  • It should be clear by now that WordPress Plug-in quality is a risk. They should be installed only by design and intent, only where clearly indicated, and never by default. Once installed they must be actively managed.
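As an added illustration of the prepared-statement point above (example code written for this digest, not code from the CleanTalk plugin or from WordPress): the same vulnerable-versus-parameterized pair, written in Python against an in-memory sqlite3 table so that it runs stand-alone. The parameterized call plays the role that $wpdb->prepare() plays in a PHP plugin; the table, its rows and the hostile input are constructed for the example.

```python
import sqlite3

# Constructed sample data: a small "blocked IPs" table of the kind an
# antispam plugin might keep. Assumed for the example, not the plugin's schema.
SAMPLE_ROWS = [
    ("203.0.113.10", "comment spam"),
    ("198.51.100.7", "brute force"),
    ("192.0.2.44", "comment spam"),
]


def build_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blocked_ips (id INTEGER PRIMARY KEY, ip TEXT, reason TEXT)"
    )
    conn.executemany("INSERT INTO blocked_ips (ip, reason) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, ip):
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL text.

    A quote character in `ip` ends the literal early, so the attacker controls
    the rest of the WHERE clause and the query no longer means what the
    developer wrote.
    """
    sql = "SELECT ip, reason FROM blocked_ips WHERE ip = '%s'" % ip
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ip):
    """Hardened pattern: the value travels as a bound parameter.

    The SQL text is fixed at coding time; the driver passes `ip` to the engine
    as data, so quotes inside it are just characters to compare against.
    This is what $wpdb->prepare("... WHERE ip = %s", $ip) does in WordPress.
    """
    sql = "SELECT ip, reason FROM blocked_ips WHERE ip = ?"
    return conn.execute(sql, (ip,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    hostile = "' OR '1'='1"          # constructed input that breaks out of the literal
    print("unsafe:", lookup_unsafe(db, hostile))   # every row comes back
    print("safe:  ", lookup_safe(db, hostile))     # no row has that literal ip
```

Running it shows the difference directly: the string-built query returns all three rows for an input that is not an IP address at all, while the parameterized query returns nothing. The same discipline applies to every value that reaches SQL, including LIKE patterns and ORDER BY columns, which is why the WordPress guidance is to route all of them through prepare() rather than to escape case by case.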

Read more in:

NSA Guidance on Improving Operational Technology Cybersecurity. The US National Security Agency (NSA) has released a cybersecurity advisory urging owners and operators of operational technology (OT) to take steps to improve security. The advisory notes, “As OT components continue being connected to information technology (IT), IT exploitation increasingly can serve as a pivot to OT destructive effects.” NSA recommends that administrators carefully consider the need for each IT-OT connection and then harden those connections.

Note:

  • The NSA advisory below is only four pages and focuses on evaluating the risks around connectivity from IT to OT as well as guidance for improving the security of your OT systems. Understand, monitor, and document your OT access to those components as well as having gold images and configurations to enable restoration if needed. Segmentation and otherwise only allowing authorized access to OT is an achievable goal. Use the guidance to verify protections are in place as well as provide a plan to improve your cyber hygiene, then track that plan updating as needed. Remember to adjust your lifecycle expectation from years to decades when evaluating OT.
  • This short advisory is really just an update and summation of previous guidance from DoD, FBI, Canadian authorities and industry/academia experts that came out of analysis of the 2015 Ukrainian power grid attack. The first paragraph of the executive summary is good material for a push out to CXOs and boards of directors.

Read more in:

Microsoft Researchers Find Memory Allocation Vulnerabilities in IoT and OT Devices. Researchers from Microsoft have detected 25 memory allocation vulnerabilities that affect Internet of Things (IoT) and Operational Technology (OT) devices. The remote code execution flaws are the result of improper input validation. The researchers have shared their findings with affected vendors.

Note:

  • The blog from MSRC explains how these exploits work and provides suggested mitigations. Couple those suggestions with the guidance from NSA above on improving OT cyber security to develop a holistic approach to securing OT. As with any vulnerabilities, patch when available, monitor activity, segment, and verify the allowed connections are what you think they are.
  • The CISA ICS CERT advisory lists over twenty real time operating system versions that have the flaw (us-cert.cisa.gov: ICS Advisory (ICSA-21-119-04) Multiple RTOS). The list includes well-known names like Amazon, Apache, ARM, Google, Redhat, Samsung, and Windriver/VXWorks, along with many niche RTOS versions. Too often well-known safe coding practices are ignored for memory and processor constrained products, which is like auto manufacturers making the decision to not put oil and fuel filters in cars with small engines.

Read more in:

Pulse Secure Releases Fix for Critical Flaw That is Being Actively Exploited. Pulse Secure has issued fixes for several vulnerabilities, including a critical zero-day in the Pulse Secure VPN appliance that has been exploited to gain access to sensitive networks, including those at defense contractors and government agencies around the world. Several weeks ago, Pulse Secure released the Pulse Connect Secure Integrity Tool that customers can use to check for evidence of malicious activity.

Note:

  • This vulnerability was disclosed last week, and had already been actively exploited at the time. As usual: Assume compromise, don’t just patch and move on. A tool to verify the integrity of your PulseSecure firmware was made available last week.
  • If you haven’t yet patched the older vulnerabilities, now that the patch for these more recent ones is available it is time to shut down VPN services until all patching is complete. The US federal government deadline for doing so was April 23.
  • If you’re running Pulse Connect Secure 9.0RX or 9.1RX, immediately update to version 9.1R11.4 after getting a clean bill of health from the Pulse Secure Integrity Tool. Don’t forget that running the Integrity Tool will reboot your device. Be sure to follow the guidance relating to expired certificates if you’re updating from versions prior to 9.1R8.x.

Read more in:

Apple Releases iOS 14.5.1 to Fix Zero-Day Flaws. Apple has released multiple updates to address two critical remote code execution vulnerabilities in the WebKit engine that are being actively exploited. The updated versions include iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1.

Note:

  • Even though you started the iOS 14.5 and macOS 11.3 updates last week, CVE-2021-30665 and CVE-2021-30663 apply to iOS 14.5, iPadOS 14.5, watchOS 7.4 and macOS 11.3. And because they are actively being exploited, you need to push the update to users who may have already updated to 14.5 or 11.3. Users updating now will be able to do so in a single step. If you have older devices on iOS 12, there is also an update for them. Better still, replace these old devices: while Apple has released security updates, application vendors have been dropping support for iOS 12.
  • Apple doesn’t release a patch within days of a recent point release unless they have to. Update!
  • It is now past the stage where Apple should release patches in a manner similar to Microsoft’s Patch Tuesday schedule. Apple’s devices have grown from being niche devices within many organisations to being used extensively in tablet, smartphone, and laptop format.

Read more in:

SAP Will Pay Millions in Penalties After Voluntarily Disclosing Software Export Violations. German software company SAP SE and the US Department of Justice (DoJ) have reached a non-prosecution agreement after SAP voluntarily disclosed export violations. “SAP acknowledged violations of the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations.” SAP will pay more than $8 million in penalties.

Note: Export control is a big deal. It has implications not only when operating internationally but also when you employ foreign nationals, who are treated differently from US persons. Be aware of embargoed countries, such as Iran, and make sure that your legal team is current on export control laws. Provide guidance to employees as part of their annual training.

Read more in:

At Least Five US Federal Agencies Possibly Breached Through Pulse Secure Vulnerability. In April, the US Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to run the Pulse Connect Secure Integrity Tool and report their findings. CISA says that it is now aware of “at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access.”

Note: This is an unauthenticated attack vector and allows the bypass of 2FA. As such, you should be running the integrity checker as well as looking for evidence of unauthorized access to your network, whether public or private sector. Make sure that all accounts are active and authorized. Having a forensic image of your device prior to patching will aid analysis.

Read more in:

Chinese Hackers Infiltrate Russian Submarine Defense Contractor. Threat actors believed to be working on behalf of the Chinese government have used new back door malware to breach systems at a company that engineers Russian Navy nuclear submarines. The attack gained initial purchase through a spear phishing email.

Note: The attack leveraged the “Royal Road” RTF tool to deliver the PortDoor backdoor. While prior attacks leveraging Royal Road delivered a payload with the name “8.t” this variant includes a document which, when opened, drops the encoded file “e.o” which fetches the PortDoor implant. Make sure that your IOCs are updated.

Read more in:

Codecov Notifying Customers Affected by Supply-Chain Attack. Codecov has begun contacting customers affected by a supply chain attack that affected the company’s Bash Uploader. The breach went undetected for two months. Notifications that threat actors have downloaded repositories are being made through email and through the Codecov application interface.

Read more in: Codecov starts notifying customers affected by supply-chain attack

Hewlett Packard Enterprise Releases Fix for Critical Vulnerability in Edgeline Infrastructure Manager. Researchers at Tenable found a critical flaw in Hewlett Packard Enterprise (HPE) Edgeline Infrastructure Manager (EIM) that can be exploited to bypass authentication remotely. The issue lies in the way administrator account password resets are handled. Users are urged to update to HPE EIM version 1.22 or newer.

Note: Exploitation of this vulnerability is trivial, and sadly, it is yet another example of an API not requiring authentication. Developers often ask for security advice regarding current frameworks and tools they are working with. In the end, it comes back to old stupid flaws we have been making for decades. Do not “chase the squirrel” but realize that, in the end, you are still dealing with HTTP requests that need to be validated, authenticated, and access controlled. Your output also still needs to be appropriately encoded. Newer frameworks may make this easier IF you read the respective guidance on how to take advantage of your framework.
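To make the note’s “validated, authenticated, and access controlled” concrete, here is an added example (written for this digest; it is not HPE’s code and makes no claim about how EIM’s reset endpoint is implemented): a generic password-reset handler in its unauthenticated form next to a hardened form that establishes the caller, validates the body, and checks authorization before it touches any state. The request is modelled as a plain dict with headers and body, standing in for whatever HTTP framework is in use; the user store, account names and passphrases are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store: {"users": {name: {salt, hash, role}}, "sessions": {token: name}}.
# A real product keeps this in its own database; the shape here is an assumption.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(store, username, password, role):
    salt = secrets.token_bytes(16)
    store["users"][username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def new_store():
    """Fresh store with two constructed accounts: one admin, one ordinary user."""
    store = {"users": {}, "sessions": {}}
    add_user(store, "admin", "initial-Adm1n-passphrase", "admin")
    add_user(store, "operator", "0perator-passphrase", "user")
    return store


def login(store, username, password):
    """Return a bearer token on a correct password, None otherwise."""
    user = store["users"].get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    store["sessions"][token] = username
    return token


def _set_password(store, username, new_pw):
    salt = secrets.token_bytes(16)
    store["users"][username].update(salt=salt, hash=_hash_password(new_pw, salt))


def reset_password_unsafe(store, request):
    """Vulnerable pattern: the endpoint acts on the body without knowing who is calling.

    Anyone who can reach the API can choose a new administrator password.
    """
    body = request.get("body", {})
    target, new_pw = body.get("user"), body.get("new_password")
    if target not in store["users"]:
        return 404, "unknown user"
    _set_password(store, target, new_pw)
    return 200, "password reset"


def _caller(store, request):
    """Map an Authorization: Bearer <token> header to a logged-in username, or None."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return store["sessions"].get(auth[len("Bearer "):])


def reset_password_safe(store, request):
    """Hardened pattern: authenticate, validate input, authorize, then act."""
    caller = _caller(store, request)
    if caller is None:
        return 401, "authentication required"
    body = request.get("body", {})
    target, new_pw = body.get("user"), body.get("new_password")
    if not isinstance(target, str) or not isinstance(new_pw, str) or len(new_pw) < 12:
        return 400, "invalid request"
    # Only an admin may reset someone else's password; everyone may reset their own.
    if caller != target and store["users"][caller]["role"] != "admin":
        return 403, "forbidden"
    if target not in store["users"]:
        return 404, "unknown user"
    _set_password(store, target, new_pw)
    return 200, "password reset"
```

The order of the checks in the hardened handler is deliberate: identity first, so that an unauthenticated caller learns nothing; input validation next, so that malformed bodies never reach the authorization logic; authorization before the existence check, so that a non-admin cannot enumerate account names by probing the reset endpoint. The unsafe handler differs from the safe one only by omitting those steps, which is exactly the kind of missing check the note is describing.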

Read more in:

Scripps Health Suffers Cyberattack. The Scripps Health hospital network was the target of a cyberattack over the weekend, forcing the southern California-based organization to divert some patients requiring critical care to other hospitals. The hospitals also postponed appointments scheduled for Monday, May 3, and patients were unable to access the Scripps Health online portal.

Read more in:

Swiss Cloud Hosting Provider Hit with Ransomware Attack. On Tuesday, April 27, Swiss cloud hosting provider Swiss Cloud was the target of a ransomware attack. While the incident has not affected all Swiss Cloud data centers, more than 6,500 customers experienced disrupted server availability.

Note:

  • Restoration from these sorts of attacks has been weeks versus days. Think about what you’ve deployed to hosting providers and what would happen if they were offline for a week or two. Ask if you have the ability to recreate those services without dependency on the offline hosting provider. Make sure you are leveraging location and path diversity and redundant services to minimize the risks of a single data center outage. Document your decisions; make sure senior management agrees.
  • This is an expected evolution in the modus operandi of the criminals behind ransomware attacks. They are motivated by money and will focus their efforts on organisations that are more likely to pay. Cloud service providers are therefore a ripe target given the amount of data and services they manage on behalf of their clients. I recommend doing some desktop exercises on what your organization would do in the scenario where one of your cloud service providers gets hit by ransomware and your data is impacted.

Read more in: