Cybersecurity News Headlines Update on June 30, 2021

Cyber Insurance Does Not Appear to be Improving Cybersecurity

A paper from Britain’s Royal United Services Institute (RUSI) “explores whether cyber insurance can incentivise better cyber security practices among policyholders, … [and] finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope.”

Note:

The important quote in this report is something I told insurers back in the early 2000’s when I was at Gartner: “The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects.” OK, I didn’t use the term “anthropogenic” – I had to look that up: basically, it means “caused by humans.” My version: bad guys exploit vulnerabilities in people and software. There are no tables of material strengths for either people or software, thus human engineering and software engineering are oxymorons – they are not engineering disciplines and broad, rigid standards can’t be driven by insurance companies. The report’s number one recommendation is that “essential security hygiene” be mandated, in this case the UK Cyber Essentials which is similar to the CIS Critical Security Controls Implementation Group 1.
Cyber insurance is too new to expect it to affect business. At this point, insurance companies are experimenting with the product and collecting data to refine their business. I hope insurance companies will bring the same data-driven approach they use for other insurance products to cyber security in the future.
Purchasing cyber insurance doesn’t alleviate the responsibility to implement cyber security. The past year, with ransomware payouts by insurers, has been the first time they are operating in the red, so I expect insurers to either stop or modify their coverage for ransomware, or raise the bar by developing a cybersecurity “clean bill of health” (aka minimum standards) before providing coverage, as well as monitoring breach and incident notifications to ensure their insured clients are maintaining a healthy cyber security posture.

Microsoft Investigating Malware-Signing Incident

Microsoft is investigating an incident in which its Windows Hardware Compatibility Program (WHCP) certified what turned out to be a malicious driver. The driver, known as Netfilter, has been used in gaming environments; it has the capacity to decrypt Internet traffic and send it to another machine. Microsoft has suspended the account through which the driver was submitted.

Note:

The scary part is that this malicious driver was apparently intended to cheat at online games. This wasn’t a sophisticated state-sponsored or organized crime organization, but an individual managed to get Microsoft to sign a malicious driver to either play appearing to come from other countries or to reduce the network speeds of competitors.
So far, the good news is Microsoft does not believe a signing certificate was compromised. So, looks like an issue with the WHCP testing and certification process. Every software testing process has to continually be improved but app stores/driver testing etc. are highly effective in reducing the volume of malicious software and updates that cause any meaningful damage.

Google Play is Increasing Developer Account Security

Google is rolling out stronger security practices for Google Play developer accounts. Google will require a contact name, a physical address, phone and email verification, and declaration of account type. Developer accounts will also have mandatory two-factor authentication.

Note:

The changes are being phased in; starting in August new accounts must specify account type and contact information, and 2FA will be required. Later this year all existing accounts must also set their type, update contact information, and enable 2FA. Google is also providing guidance on keeping your account in good-standing. This will help trace applications to known good sources; when coupled with Play Protect, the security and integrity of applications in the Play Store will increase as well.
Another example of continual improvement around application testing and certification, and 2FA being mandated.

Microsoft Security Response Team: New Activity from SolarWinds Threat Actors

In a blog post late last week, Microsoft’s Security Response team wrote that it “is tracking new activity from the NOBELIUM threat actor … [that includes] password spray and brute-force attacks.” The threat actor compromised a computer used by a Microsoft customer support employee. From there, the actors launched targeted attacks. (Please note that the WSJ story is behind a paywall.)

Note:

How do you think you’d fare in a password spray attack? (Where a few common passwords are used to try to access a large number of accounts.) Make sure externally facing services use MFA, and where passwords are used integrate the password process with data breach checks to disallow common or compromised passwords. Make sure that you’re getting alerts from these sorts of activities. Then engage a team to attempt password compromise to verify your position.

Communication Chip Vulnerabilities Can be Exploited with the Wave of a Phone

A researcher and consultant from IOActive has detected vulnerabilities in near-field communication (NFC) chips that are used in ATMs and point-of-sale (POS) systems all over the world. NFC chips allow users to tap or wave a payment card over a reader. Josep Rodriguez created an app that allows an Android phone to mimic NFC communications. The app could be used to crash POS devices, steal payment card data, and alter transactions.

Note:

ALL input has to be validated. We have seen vulnerabilities in other communication protocols, not just NFC, where developers implemented the standard without considering non-standard transmissions. The best example is probably various 802.11 implementations that followed the standard and expected the SSID to be limited to 32 bytes, only to be “surprised” with malicious actors triggering buffer overflows by using longer SSID strings.
The net effect is that NFC interface can be used to trigger a buffer overflow, and indicates caution is needed when adding new interfaces to legacy systems. In this case, the exploit could be used to read mag-stripe data from cards but not an EMV card or chip PIN. As a user, it’s best to use the chip reader over the mag stripe reader when a choice is presented.

Zyxel Firewalls and VPNs are Being Attacked

Zyxel has published an advisory warning that they ”recently became aware of a sophisticated threat actor targeting Zyxel security appliances with remote management or SSL VPN enabled in the USG/ZyWALL, USG FLEX, ATP, and VPN series.” The attacker tries to access targeted devices through WAN.

Note:

Only allow WAN based administration of your VPN from trusted devices. Verify the security settings are as they should be. After applying the update from Zyxel, and someone logs in as admin, the VPN a security check will pop up to alert of any security misconfigurations. Even without a pop-up, double check things are as you expect.

Cisco Adaptive Security Appliance Vulnerability is Being Actively Exploited

Attackers are actively exploiting a known vulnerability in Cisco Adaptive security Appliance (ASA) after researchers published proof-of-concept exploit code. Cisco released an initial fix for the flaw in October 2020, and issued a second fix in April 2021 after determining that the earlier fix was incomplete.

Note:

This flaw permits unauthenticated XSS attacks against a user of the web services interface on a vulnerable service. There are no published workarounds or mitigations other than updating your firmware here; make sure that you’re actually running an affected product, e.g. vulnerable release of the ASA software plus a vulnerable AnyConnect or WebVPN configuration.
Patches have been out now for a couple of months. With a PoC available now, exploitation attempts are likely already underway.

NIST Defines Critical Software for Executive Order

The US National Institute of Standards and technology (NIST) has released a definition of “critical software.” The definition is one of the requirements from the cyber executive order signed in May. NIST writes “EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes: is designed to run with elevated privilege or manage privileges; has direct or privileged access to networking or computing resources; is designed to control access to data or operational technology; performs a function critical to trust; or, operates outside of normal trust boundaries with privileged access.”

Note:

It is a pretty broad definition, which is realistic. The Critical Software part of the EO is on a fast track – by July 11 NIST/NSA will publish minimum standards and requirements vendors need to meet in testing their source code. This can be a very good thing: while many major software vendors already will likely meet the requirements, many security software products and lots of open source tools likely do not.
This definition is very broad, including operating systems and web browsers. Read the table as well as the definition, then turn to the FAQs to understand scope, definitions and applicability; such as embedded, Open Source and GOTS, all of which could be EO-critical. While initial focus is on-premise software, cloud based products and services are also in scope. Expect more information and guidance as we move forward with the EO implementation.

Ireland Health Service Executive Still Operating Under EHR Downtime

More than six weeks after a ransomware attack, the Ireland Health Service Executive is still operating under electronic health record (EHR) downtime. Patients have been informed that they could experience significant delays in care; they are also being asked to bring healthcare-related documents to appointments. Recovery costs are expected to be at least $600 million.

Note:

Key lesson here, ransomware attacks cost far more than just the ransom. There are tremendous costs in the down and recovery time, having to rebuild both systems and networks to truly ensure the systems can be trusted again. What is frightening here is the potential cost in lives due to delayed care.

FIN7 Cybercrime Group Member Sentenced to Prison

A Ukrainian individual was sentenced to seven years in prison for his role in the FIN7 cybercrime group, which is also known as Carbanak and Navigator. Andrii Kolpakov was also ordered to pay $2.5 million in restitution.

My Book Network-Attached Storage Devices are Being Remotely Wiped

Users of Western Digital My Book network-attached storage (NAS) devices have been reporting that their devices received a remote factory reset command and that their files have been deleted. Western digital is urging users to disconnect their devices from the Internet while the issue is investigated.

Note:

I will say it yet again: DO NOT EXPOSE NETWORK ATTACHED STORAGE TO THE INTERNET. This is not just a problem with Western Digital. All of these devices have had numerous vulnerabilities. These devices are marketed for simple Internet file sharing, but their rich history of vulnerabilities shows how they should never be used for anything other than internal file sharing.
Unfortunately, users almost certainly connected these devices directly to the Internet. But we can’t blame users for this. They paid a premium for hardware that promised to provide a service. Western Digital suspended the program in 2015, leaving users who wanted to continue to use the devices as advertised with little choice but to expose the devices. Users unwittingly gravitated to the availability leg of the CIA triad (probably without even realizing said triad exists).
“Remote factory reset command” – what could possibly go wrong? could possibly go wrong? Network-Attached Storage devices should be on a network segment that is not visible to the Internet.

Vulnerabilities in Dell SupportAssist

Researchers from Eclypsium have discovered four vulnerabilities in the BIOSConnect feature of Dell SupportAssist. When chained together, the flaws “allow a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device.” The flaws affect 128 models of Dell PCs and tablets. Server-side updates released in late May address two of the flaws; Dell has released client-side firmware updates to address the other two flaws.

Note:

Dell’s SupportAssist has a level of access to your system unlike any other software. To provide remote support with the ability to not only recover systems with corrupt boot partitions, but also be able to flash BIOS, SupportAssist has the ability to completely take over your system, and these vulnerabilities will transfer this ability to an attacker. Note that this will require a BIOS update, not just a “software update.”
This highlights why enterprises need to look very carefully at OEM software and ensure that it is removed where not needed. Dell SupportAssist is not something most organizations would want/need and yet is installed on practically every Dell machine sold. Security 101 mandates minimizing attack surface and this is no exception. Take this opportunity to review the other applications (particularly OEMs) installed on your golden image and remove anything not explicitly needed by a large percentage of your workforce.
The best mitigation is to apply the BIOS updates now, then apply the updates to BIOSConnect when they are released in July. Don’t use BIOSConnect to update the BIOS; use other patching mechanisms to install updates with verified signatures. Alternatively, you can disable BIOSConnect, which can be done locally, but may be better performed using their DCC remote system management tool. Don’t let users locally update their systems via the “BIOS Flash Update – Remote” (F12) option until the system has the known good BIOS installed.

OIG Report: Medicare Needs to Improve Hospital Medical Device Security Assessments

A report from the Office of Inspector General for Health and Human Services (OIG HHS) says that the Centers for Medicare & Medicaid Services (CMS) does not have adequate protocols in place to assess the cybersecurity of networked medical devices in hospitals. In the report OIG HHS writes that they “recommend that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with Department of Health and Human Services (HHS) partners and others.”

Note:

This past year has raised the bar on hospital attacks, taking advantage of potentially weakened security or shortness of staffing. This comes back to the core critical controls – knowing what you have and what it’s supposed to be doing, as well as keeping it updated. This requires monitoring and alerting; use caution as some active processes, such as scanning, can be harmful to OT devices. Segment wherever possible, particularly guest, staff and operational network services. Schedule validation of your security posture, hire a trusted partner to identify issues overlooked and opportunities to improve, then work to implement them. Don’t overlook staff or training shortfalls.
In the US, the oversight of security of medical devices has multiple agencies involved, and many different forms of “certification” – but all continue to suffer from lack of enforcement to drive changes in procurement and operations issues to increase security levels. On the privacy side, HIPAA has started to have some teeth – I think the privacy aspect will be the more likely avenue for progress than any hope for meaningful raising of the CMS bar in the security related elements of the Conditions of Participation in the Medicare program.
Again, intuition serves us poorly. The first step in medical device security is to hide them. Healthcare in general, and patient care institutions in particular, need to segment their networks, such that medical devices are hidden, and patient care apps are hidden from those applications that, like e-mail and browsing, must be connected to the public networks.

Google’s Unified Vulnerability Schema to Manage Vulnerabilities in Open Source

On Thursday, June 24, Google announced “a unified vulnerability schema for open source.” The schema builds on Google’s Open Source Vulnerabilities database that was released in February 2021. In a blog post announcing the schema, Google’s Open Source Security team and the Go team write that the “unified format means … a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation.”

Note:

Google is pushing forward with schema and interchange standards that it finds value in, while larger industry efforts like the Open Source Security Foundation (which Google is part of) continue to move slowly. The Internet has a long history of that, while the telecoms space has a long history of large industry group efforts going on forever without security gains.
Security of the open source components is an increasing concern. Google is attempting to move forward with a standard to help solve this problem at Internet speed, which will help identify and provide the focus necessary to increase the overall security of open source. Even so, make sure that the open source components or libraries you use are actively maintained and include fixes for flaws identified.

CISA Acting Director Responds to Senators Questions About SolarWinds

Responding to a letter from US Senator Ron Wyden (D-Oregon) regarding the SolarWinds supply chain attack, Cybersecurity and Infrastructure Security Agency (CISA) acting Director Brandon Wales said that federal agencies could have prevented subsequent attacks if they had implemented certain firewall configurations, but noted that “it would be impractical for CISA to direct individual agencies to adopt specific network and device configurations on a broad scale, particularly given the unique operational requirements of each agency,… [and that the configurations] may not be feasible given operational requirements for some agencies.”

Note:

CISA can and does provide excellent guidance, but individual agencies implement according to their situation and accepted level of risk. With the current information sharing efforts, CISA will be better prepared to see overall trends and best practices to help make their guidance even more relevant. Keep an eye on their bulletins watching for gaps in your overall protections, even if you’re not a federal agency, and participate in their information sharing to help with the fidelity of CISA’s recommendations.

Proposal Would Identify “Systemically Important Critical Infrastructure”

A proposal supported by some US legislators and the Cyberspace Solarium Commission would identify organizations deemed “systemically important critical infrastructure,” or SICI. The organizations would be classified SICI if they would cause economic, public health, or national security problems in the event of a cyberattack. The owners of the SICI-identified organizations would receive priority federal aid and protection from lawsuits if they meet as-yet unwritten cybersecurity standards.

Note:

This is a tough one. Sometimes the only way to get significant improvements in security posture is to introduce regulatory requirements to avoid the temptation to opt out or otherwise minimize cybersecurity efforts. And the accompanying reporting/validation requirements can be burdensome and regarded as purely bureaucratic. While the proposal offers federal aid and legal protection to sweeten the pot, releasing the draft for public comment would go a long way toward building the needed partnership with industry as well as helping to solicit input on keeping the overhead minimalized. Working with industry peers to develop resource and information sharing, while protecting privacy and reputation of those involved also goes a long way toward helping organizations raise their own bar.

Unpatched Pling Vulnerabilities

Researchers from Positive Security have discovered two vulnerabilities affecting Linux marketplaces based on the Pling platform. No fixes are yet available for the wormable cross-site scripting vulnerability and the remote code execution vulnerability.

Note:

The Positive Security writeup includes the information necessary to replicate the exploit. If you haven’t seen how that works, it’s worth a look. Another lesson here is to watch for bug reports coming to posted contacts to support responsible discovery. Reports need to be responded to and acted on as well as treated as an attempt to help. Respect the input from the third party even if you disagree. Expect disclosure and be prepared with fixes or mitigations.

VMware Releases Carbon Black Update to Fix Critical Vulnerability

An update for VMware Carbon Black App Control management server includes a fix for an authentication bypass vulnerability. Exploitation of the flaw requires network access. VMware has released Carbon Black App Control versions 8.6.2 and 8.5.8 as well as a hotfix for versions 8.1.x and 8.0.x.

Note:

Network access to the management server is required to exploit the vulnerability; there are no workarounds other than applying the update. Make sure you are monitoring the access to that server and allow logins only from authorized devices. While you’re looking at VMware, be sure you’re pushing out the updates for VMware tools for Windows, VMRC for Windows and VMware App Volumes.
It is always a sad day when a security product suffers from very elemental security vulnerabilities. An attacker will be able to bypass Carbon Black, or maybe even use it against you. Apply the hotfix.

SonicWall Updates Fix Incomplete Patch from October

SonicWall has released updates for its VPN Network Security Appliance that fix a vulnerability that was insufficiently addressed in a patch released in October 2020. The memory leak vulnerability could be exploited to access sensitive information.

Note:

Incomplete patches like this make it even more difficult for defenders to track vulnerabilities. In addition, these types of vulnerabilities have been exploited in several recent ransomware attacks.
The fix was released June 22nd and you need to roll it out. While this vulnerability is not being actively exploited, SonicWall VPN and email security products remain a target for multiple exploits including the new FIVEHANDS ransomware, so don’t wait too long to deploy.

Ransomware: Iowa’s Wolfe Eye Clinic Attack Affects 500,000 People

Wolfe Eye Clinic is notifying 500,000 current and former patients that their personal information may have been compromised in a ransomware attack that was detected in February 2021. Wolfe did not pay the ransom. In a separate, related story, FBI director Christopher Wray told legislators at a Senate budget hearing that there needs to be incentive for private sector organizations that are victims of ransomware attacks to notify the FBI promptly and work with them transparently.

Note:

Wolfe Eye Clinic did engage third-party IT specialists and forensic investigators to help determine the scope of the compromise and information exposure; you should have similar plans in place should you become a victim. Add FBI reporting to the list if it’s not already there. Working with FBI still allows you to make decisions regarding payment or recovery while helping them identify and ultimately take action against ransomware gangs.

Tulsa Data Stolen in Ransomware Attack is Posted Online

Information stolen from the City of Tulsa, Oklahoma in a May 2021 ransomware attack has been published online. The leaked files contain personally identifiable information including names, dates of birth, and driver’s license numbers. The City of Tulsa has notified residents and urged them to monitor financial accounts and credit reports.

E-ISAC Members Now Have New Tool to Share Information

Neighborhood Keeper, developed by Dragos with the support of the US Department of Energy (DOE) is a “sensor-enabled data collection and information-sharing network.” The collected data are anonymized, so they can be shared with government as well.

Note:

Great news. Information sharing is one of the most powerful and underused tools to secure organizations. Finding the right balance between sharing and anonymizing data is tricky. I hope we will hear more about this tool and any lessons learned from it.
Having indicators from peers helps provide relevant actionable data to be better prepared for an incident. Anonymizing the data will help with reputation risk, but it is important to know what anonymizing means and who is processing your data. In this case passive sensors are providing metadata to Neighborhood Keeper to provide distributed alerts, and requests for assistance from other ISAC members are also encrypted and allow for private communication with temporary identification options to permit assistance without revealing specifics.
This is a fantastic example of community and government working together. It won’t solve all our problems in the utility space, but it is a good start. Kudos to both DoE and Dragos for leading this initiative.

Intruder Deleted Programs from San Francisco Area Water Treatment Facility Network

NBC News reports that in January 2021, a hacker accessed the network at a San Francisco-area water treatment plant. The malicious intruder was in possession of the username and password for a TeamViewer remote access account that belonged to a former employee. The intruder allegedly deleted programs that control drinking water treatment. The incident was detected the following day; the passwords have been changed and the programs reinstalled.

Note:

It’s incredibly important to disable departing employee’s accounts immediately, particularly if they can be used for remote access to services. Further, RDP services such as TeamViewer need to require multi-factor access as well as follow the vendor secure configuration guidelines. Verify these settings remain in place, only current users have access and no access is configured which can bypass those settings.
It is often a manual process for smaller organizations to remove access when an employee leaves. Another advantage of a two-factor authentication approach (which should have been required for TeamViewer remote access) is the ability to revoke the credential in one action and simplify dealing with broad removal of access.
One more instance in which strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) would have been helpful. Management has always been better at getting terminated employees off the payroll than in revoking online privileges. That problem is complicated by the modern economy where often as many as half of those with privileges are consultants, contractors, temporary, and part-time workers.

Google is Pushing Out Massachusetts COVID Contact Tracing App

Google appears to be force-installing the Massachusetts MassNotify COVID-19 contact tracing app on residents’ Android devices. Users are reporting that the app has been installed even if they have not activated Android Exposure Notification on their devices. It also appears that the app is not yet active; users have been unable to open it or to uninstall it. In a statement to 9to5Google, Google wrote “This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app.”

Note:

Exposure notification services are built-in to Android and iOS devices, and can be enabled, configured or disabled by the end user without the use of an explicit application. Even so, some regions are distributing notification applications to streamline the process. This install is not a full install of the MassNotify application per-se; users will see “Settings -> Google -> COVID-19 Exposure Notifications” which can be removed by uninstalling “Massachusetts Department of Health.”
I am in favor of COVID contact tracing apps, and Google did a good job implementing them. But in the end, this is a question of trust. Google is not a trusted entity when it comes to how they collect and use personal data. Having them push out an application without user consent casts the Google data-collection machine shadow on this project.
Public health services have been actively engaged in contact tracing for more than one hundred years. It has been effective in all but eliminating some diseases and has ensured timely treatment for millions. This tracing has been so successful in protecting privacy that most people do not even know that it exists. Technology holds the promise to make it even more timely and comprehensive. Let us not become so fearful that we forego this opportunity.

GEA-1 Encryption Algorithm Weakness Was Intentional

A paper from researchers at several European universities and research institutions suggests that the GEA-1 encryption algorithm had a deliberately baked-in weakness. The algorithm was used in cellphones in the 1990s and 2000s. Following the paper’s publication, the European Telecommunications Standards Institute (ETSI), which developed the algorithm confirmed that the weakness was deliberate, noting that it was introduced to meet encryption export regulations.

Note:

There are many more cases where export controls around cryptography resulted in unsecure systems and technology being built – unfortunately during the formative years of the internet/World Wide Web infrastructure. The over-reliance on SSL and the still extremely low implementation levels of persistent data encryption are direct results. Societally (and within enterprises) the overall benefits of strong protections on data overall outweighs the negative impact of law enforcement/security monitoring warrant-free visibility into the data.
While GEA-1 was used in 2G networks, and the weakness is not present in the current GEA-3 and GEA-4 algorithms, some GPRS networks still have GEA-1 fallback, and phones as recently as 2018 still supported the GEA-1 and GEA-2 algorithms. Risks of fallback can be minimized by using devices which don’t include radios which support GPRS fallback, typically newer than 2019, or if supported, configure for 5G/LTE only.
Not only do government mandated backdoors not provide much value, they tend to weaken security for future generations of devices that need to stay backward compatible.
Governments have long resisted air-side encryption. (In the US during WWII it was illegal) This is not the first time that air-side encryption in mobile telephone service has been deliberately compromised. While such encryption may not protect the conversations of targets of choice of nation states, mostly “persons of interest” in criminal investigations, it does offer some protection against large scale surveillance and protects targets of opportunity from organized crime.

WaterISAC Survey of US Water and Wastewater Utilities

According to a survey of US water and wastewater utilities conducted by the Water Sector Coordinating Council (WSCC) and the Water Information Sharing and Analysis Center (WaterISAC), 38 percent of water utilities have identified all IT-networked assets and 31 percent have identified all OT-networks assets. Just 60 percent of respondents say they include cybersecurity in their risk assessments. Respondents also listed their top needs for support from the federal government: water-sector-specific training and education; technical assistance, assessments, and tools; cyberthreat information; and federal loans and grants.

Note:

Most water utilities are run by small local governments. They have the same disadvantages of small businesses in the commercial sector, compounded by the complexities of local funding issues. The most glaring controls needs are very much in line with the essential security hygiene levels (Implementation Group 1) of the CIS Critical Security controls, but most respondents indicated a lack of the trained cybersecurity staff. Any funding for infrastructure improvements should target some funding for this area.

Ransomware: Fertility Clinic Says Patient Data were Compromised

Personal information belonging to 38,000 patients of a fertility clinic in Atlanta, Georgia, was compromised in an April 2021 ransomware attack. Reproductive Biology Associates and My Egg Bank North America. The compromised data include names, addresses, Social Security numbers, lab results and other sensitive information.

Note:

While ransomware requires the total compromise of a network, it begins with a breach. A breach is a breach is a breach. If one is breached, then extortion is only one of the bad things that may result. Resist breaches and detect them early, i.e., hours to days. Recovery may be too late and ineffective.

Wegmans Discloses Data Leak

US supermarket chain Wegmans has notified some customers that their personal information was compromised due to misconfigured cloud-based databases. Wegmans said is learned of the exposed data from a third-party security researcher. Compromised data include names, phone numbers, Shoppers Club numbers, and email address and passwords for Wegmans.com accounts.

South Korean Nuclear Research Agency’s Network Infiltrated

The internal network of South Korea’s Korea Atomic Energy Research Institute (KAERI) was infiltrated on May 14. The perpetrators are believed to be threat actors working on behalf of North Korea. The intruders appear to have exploited a vulnerability in an unnamed VPN.

Note:

There have been a wave of VPN vulnerabilities and attacks, notably impacting Pulse Secure, SonicWall, Fortinet FortiOS and Citrix. Make sure that your VPN has been updated and configured to current security baselines. Ensure no users can bypass multi-factor authentication and that any old VPN services were fully decommissioned, rather than left running “just in case.”

Does Malicious Hotspot Break iPhone WiFi Functionality? Not Really

Reports of a malicious Wi-Fi hotspot damaging iPhones’ Wi-Fi functionality are exaggerated. A bug in iOS causes iPhones’ Wi-Fi functionality to be disabled when it joins a network with a certain SSID. Users can restore Wi-Fi functionality by resetting the device’s network settings, which will delete its saved Wi-Fi passwords.

Note:

An interesting old format string vulnerability. Luckily, the risk from this problem is minimal. A victim has to join a very “odd” looking WiFi network. I doubt a lot of people will fall for that. Still, it may be a good idea to look out for pranks involving this SSID. To recover, you will need to reset your network settings which may erase some stored credentials for other networks.
Use caution joining a wireless network that has a name which looks like a format statement. (E.g., %p%s%s%s%s%n) While legal, that SSID may not be a network designed for general use. Recovery involves resetting your device network settings – which means all the stored wireless networks are forgotten and you will need to join them again. It’s not a bad idea to do this from time to time so your device is only searching for currently used preferred networks.

Baltimore County Public Schools Ransomware Recovery is Expensive

According to information obtained by a local television news station, Baltimore County (Maryland) Public Schools has already spent more than $8 million recovering from a November 2020 ransomware attack. The incident prevented 115,000 students from accessing remote instruction for a week. The school system’s insurance covered $2 million of the incurred costs.

Note:

This was a different event from the Baltimore City incident of 2019. There haven’t been many details made public on the cause of the incident, but odds are high that it started with a phishing attack obtaining reusable passwords. That means the $9,180 cost of Duo (Presidio) multi-factor authentication would have been a very high ROI expenditure if it had been done *before* the attack. Let’s throw in the $743,500 for Dell/Carbon Black “Windows Security Software” and the cost of those two items done proactively is still less than the $860K paid to Kroll for Forensics Investigation and Triage, and significantly less than the $6M+ cost of the incident even after the insurance payout.
Take the cost of recovery into consideration when proposing security measures. Remember you may have to provide identity protection When personal information is exfiltrated. Once you have funding, execute fully; don’t stop with a partial solution.
Another example of how cyber criminals will target and attack anyone, including elementary schools, hospitals, non-profits and small mom-and-pop stores, the very organizations where ransomware costs can be devastating and wipe out their ability to operate.

Thousands of VMware vCenter Servers Still Unpatched

Researchers from Trustwave say that there are thousands of instances of unpatched VMware vCenter Server that are publicly exposed. VMware released fixes for flaws in its vCenter Server in late May. The flaws could be exploited to take control of vulnerable systems.

Note:

They may still be unpatched. But by know, they are almost certainly exploited. Please check any unpatched system you find for compromise.
Much like was seen with the equally high severity Exchange and Pulse Secure flaws, IT ops patching performance of these high leverage attack targets has suffered as IT ops has been consumed with keeping work-from-home going and now trying to transition to some level of back to work. Realistically, workaround, mitigation and enhanced monitoring will be needed by many organizations – more trouble tickets pointing out missing patches is not the solution.
If you haven’t patched, isolate your VCenter services now. Catch your breath and plan your update. Implement now.

Google’s SLSA Framework for Supply Chain Security

Google’s Supply chain Levels for Software Artifacts (SLSA) framework aims to “ensure the integrity of software artifacts throughout the software supply chain.” SLSA was inspired by Google’s internal code review process, Binary Authorization for Borg.

Note:

SLSA is a well thought out, multi-level framework that includes code review, testing, authorization and policy definition at various levels. As organization create new app dev processes to move to newer methodologies like DevOps, there is an opportunity to embed these concepts into those processes and the tools used.
Kudos to Google for this effort. Well-structured code is efficient to review. Too much product code is not well structured or reviewed. If review was working we would not be spending so much on patching. Suppliers must be held accountable for what they distribute for code review to be even marginally effective.

Apple Releases Emergency Update for Older iOS Devices

Apple has released iOS 12.5.4, which patches three vulnerabilities, including two flaws that “may have been actively exploited.” The two zero-days – a memory corruption flaw and a use-after-free issue – affect the Safari browser WebKit engine. These vulnerabilities are the eighth and ninth zero-day flaws Apple has patched since the start of the calendar year.

Note:

Apple will not continue to provide updates to IOS 12 much longer given the release of iOS 15 is planned for this fall. While you’re getting these updated, initiate plans to replace them with current devices.

CISA Advisory: ZOLL Defibrillator Dashboard Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of multiple vulnerabilities in the ZOLL defibrillator dashboard. The six flaws could be exploited to remotely execute code, access information, elevate privileges, and obtain application credentials. The flaws affect all versions of the ZOLL defibrillator dashboard prior to 2.2. Users are urged to update to the most current version.

Note:

The flaw affects the monitoring dashboard, not necessarily the devices themselves. But by compromising the dashboard, service alerts from devices may go unnoticed leading to faulty defibrillators. It is sad that the list of flaws in the dashboard reads like a list commonly found in low cost consumer devices.
Bastion devices and services, which sit between your control systems and users, need to be hardened and monitored. This service was marketed for wide access to manage defibrillators remotely, so you may have Internet accessible services. Prefer a model where you provide secure access VPN, VPN tunnel, etc. over bastion services for control systems.

Vulnerability in Peloton Bike+ and Tread Interactive Tablet

A vulnerability in the Peloton Bike+ and Peloton Tread interactive tablet could be exploited to gain root device access. From there, attackers could install malware, spy on Internet traffic and user data, or control the equipment’s camera and microphone. The flaw was discovered by McAfee’s Advanced Threat Research (ATR) team. Exploiting the vulnerability would require physical access to the equipment or access somewhere in the supply chain. The ATR team notified Peloton of the vulnerability in March; Peloton pushed out a fix in early June.

Note:

Apply the June update. You will need to actively monitor the peloton site for update notifications. Don’t allow unauthorized USB devices to be connected.
Exploitation of the vulnerability requires physical access to the device. Patch, but do not panic.

NATO Members Say Article 5 Could be Invoked for Cyberattacks

NATO members have endorsed NATO’s Comprehensive Cyber Defence Policy, which affirms that Article 5 could be invoked in response to a cyberattack. Article 5 says that “an attack against one Ally shall be considered an attack against us all.” The decision to invoke Article 5 would be made on a “case-by-case basis.”

Note:

Ten / twenty years ago we used to say that no-one died from cybersecurity. In today’s world that has changed. As our world has become so interconnected the physical and cyber lines are blurring. My concern is not so much all-out cyberwar, but more like NotPetya where one country targets another country, and then accidentally impacts critical infrastructure at a global level. If you look at history that is how so many the largest wars started, from smaller nation-state incidents with un-intended, cascading consequences.
News reports yesterday suggested that President Biden is considering “response in kind.” However, because the US and Western Europe are so much more vulnerable than their potential adversaries, this is, at least, an arguably bad idea. “People who live in glass houses should not throw stones.” They may find the same stones thrown back at them. Remember Stuxnet.

US Government Agencies Move to IPv6 Necessary but Brings New Risks

US government agencies have a mandate to migrate most Internet-connected systems from IPv4 to IPv6 by the end of fiscal year 2025. Office of Management and Budget (OMB) Deputy Federal Chief Information Officer Maria Roat said that the transition is necessary because “IPv4 … can’t keep up with the continued growth of the number of users on the internet and the explosion of connected technologies.” Roat and OMB senior policy analyst Carol Bales noted that the move to IPv6 supports cybersecurity mandates made in the May 12, 2021, executive order on cybersecurity. CISA cybersecurity specialist Branko Bokan said, “IPv6 also opens up this whole new world of new threat landscapes and threat service.”

Pacific Northwest National Laboratory Responds to DoE RFI on Securing Critical Electric Infrastructure

The Pacific Northwest National Laboratory (PNNL) has submitted comments in response to the Department of Energy’s (DoE’s) April 20 request for information on Ensuring the Continued Security of the United States Critical Electric Infrastructure. PNNL’s response comprises “six suggested concepts that should significantly improve the overall security and resilience of the electric infrastructure systems.”

Akamai Prolexic DDoS Service Outage Has Worldwide Impact

On Thursday, June 17, an outage affecting one of Akamai’s Prolexic DDoS services disrupted online services of some airlines, financial institutions, and other businesses around the world. In a blog post, Akamai writes that the problem was caused by a routing table value that was “inadvertently exceeded.” Service has been restored.

NSA Guidance on Securing Video and VoIP Communications

The US National Security Agency (NSA) has issued guidance on securing Unified Communications/Voice and Video over IP (UC/VVoIP) systems. The technical report “outlines best practices for the secure deployment of UC/VVoIP systems and presents mitigations for vulnerabilities due to inadequate network design, configurations, and connectivity.”

Linux Polkit Privilege Vulnerability Can be Exploited to Get Root Shell

A fix is available for a privilege elevation vulnerability in the polkit system service that is installed by default on many Linux systems. The flaw was introduced in a commit seven years ago, shipping with polkit v. 0.113. The researcher who discovered the flaw says it “is surprisingly easy to exploit.” The fix was released on June 3, 2021.

Note:

Check your Linux distributions, for applicability; this applies to RHEL 8, Fedora 21 (or later), Debian “Bullseye,” and Ubuntu 20.04 among others. Think of Polkit as an alternative to sudo, where some commands require explicit permission and others are simply executed. Exploiting the weakness, which uses simple commands, requires interrupting the command at the right point to trigger the vulnerable code. The mitigation is to patch the affected systems now, particularly on any internet facing Linux systems.
systemd is further confirming its reputation as a security nightmare. But remember that Polkit replaces sudo, which in itself has had a spotty history. It isn’t easy to allow for the flexible assignment of elevated privileges. Update as your Linux distribution makes updates available.

Cybersecurity COO Charged in Connection with Georgia Medical Center Cyberattack

The US Department of Justice (DoJ) has charged Vikas Singla with multiple counts of intentional damage to a protected computer and a single count of obtaining information by computer from a protected computer. The indictment alleges that in 2018, Singla launched a cyberattack against Gwinnett Medical Center, which is now known as Northside Hospital System. The attack allegedly involved disruption of the facility’s phone system and printer network and the theft of information from a digitizing device. Singla is the chief operating officer (COO) and co-founder of Securolytics, a network security company that specializes in the health care sector.

Note:

This is a tough one – Securolytics has been around for 5 years and has some very high profile/experienced and local investors. Good reminder that whenever any third party is given access to networks or systems, those credentials and passwords should be removed at the end of the engagement – no matter how trusted the 3rd party. Also points out that any “Thing” with an IP address is a potential compromise point.
This appears to be a case of insider threat from a third-party service provider. Not only do you need to worry about your own insider threat, but you also need to make sure that you know what access you’re providing your third-party providers, and understand how they are vetting their staff to address insider threats. Make sure your credential management extends to any credentials used by the service provider. Lastly, make sure your contract includes sufficient recourse if anything goes wrong, keeping in mind the sensitivity of data shared, which may include sensitive network topology and system information. Make sure contract termination processes are documented and processes followed to not leave any outdated access paths.

Dept. of Energy Subcontractor Sol Oriens Acknowledges Cybersecurity Incident

A US Department of Energy (DoE) subcontractor has acknowledged that its “network environment” was hit with a cyberattack. Albuquerque, New Mexico-based Sol Oriens says that it became aware of the incident last month and that the attackers managed to steal some documents; the company told Fedscoop that they have brought in a cyber forensics company to investigate the breach. Sol Oriens works with DoE’s National Nuclear Security Administration.

Note:

If Sol Oriens had classified or critical security information, that would have been stored and processed on isolated networks and not reachable in this attack. The contract from NNSA would have stringent data protection and handling restrictions as well. Ask how you’re protecting your most sensitive information form this sort of attack. DOE offers a cyber security test called the “Cybersecurity Capability Maturity Model (C2M2),” which energy sector organizations can use to assess the security of their networks. If you’re not in the energy sector, look at the guidance documents to see where you can better assess your security posture, then make improvements.
www.energy.gov: Cybersecurity Capability Maturity Model (C2M2) Program
Peer connection between one’s network and those of contractors might expand both the attack surface and the population of potential attackers. Consider zero trust, next generation firewalls, and strong authentication (at least two kinds of evidence, at least one of which is resistant to replay, e.g. one time passwords).

Australian Signals Directorate Wants Critical Infrastructure Providers to Share Cyber Incident Information

An unnamed but well-known company in Australia refused the help from the Australian Signals Directorate (ASD) after the company’s network was hit with a cyberattack. For nearly two weeks, the company rebuffed ASD’s offers of assistance, and even then, they accepted only generic advice. Three months later, the company experienced another cyberattack. ASD director-general Rachel Noble said that this incident underscores the need for increased authority for ASD “to expect these critical infrastructure providers to actually have better cybersecurity standards in the first place.”

Note:

ASD is known for their cyber expertise, detection and response capability. And while it is tempting to reject an offer of help from “the government,” that help can really augment your response capabilities. If you do accept help, participate fully, leverage all the resources that can be brought to the table. Assess relevant government agencies, such as ASD and CISA ahead of time, to both understand what they have to offer and build a relationship before you need one.

Shadow Figment: A Honeypot for Critical Infrastructure Attackers

The US Department of Energy’s (DoE’s) Pacific Northwest National Laboratory (PNNL) has developed what is essentially a honeypot designed to attract hackers intent on disrupting elements of critical infrastructure networks. Dubbed Shadow Figment, “the technology uses artificial intelligence to deploy elaborate deception to keep attackers engaged in a pretend world—the figment—that mirrors the real world. The decoy interacts with users in real time, responding in realistic ways to commands.”

Note:

This is part of PNNL’s overall PACiFiC (Proactive Adaptive Cybersecurity for Control) approach to protecting operational technology (control systems) from attack. The effort is addressing Situational Awareness, Analytics, Decision Support and Defense. Defense includes deception with the intent of discovering hackers’ activities early on. While honeypots are not new, the technology leveraged here uses “model-driven dynamic deception” which is much more realistic than a static decoy. The model is intended to behave as the genuine control system would, making it harder for the attacker to discover the ruse.
Honeypots / deception are useful in two primary ways. For most organizations, they can greatly simplify detection; anything that interacts with them is by definition suspicious. However, when dealing with more interactive / advanced threats, honeypots / deception can be a powerful way to turn the tables, in both collecting good information (intel) and putting out bad information. DoE / PNNL is the perfect organization to lead an effort like this, and a powerful way to take the offensive against our scariest threats.

House Oversight Committee Asks JBS for Documentation of Decision to Pay Ransom

The US House Oversight and Reform Committee wants to know JBS USA CEO Andre Nogueira’s reasons for paying $11 million to ransomware operators. In a letter, committee chair Rep. Carolyn Maloney (D-New York) “request[s] documents related to JBS Foods USA’s recent decision to pay a $11 million ransom” be submitted to the Oversight and Reform Committee by June 24.

Note:

While congress is paying more attention to ransomware attacks and why payments are made, you need to focus on your cyber security posture. Make sure that you’re ready for such an attack; verify training, detection, and response capabilities are where they need to be. Conduct tabletop exercises to make sure not only that responses are known, including fail-over options for offline systems, but also that any external services or responders needed are current, relevant, and still able to help.
It’s easy for government to say, “Don’t pay,” but when organizations are unable to operate, and the impact cripples both the company and their community, there may be few options. I would love to see our government spend less time on the “pay / don’t pay” discussion and focus more on inflicting pain / repercussions on those leading the attacks.
The decision to pay extortion is a business decision and the responsibility of the enterprise. It should be made in advance of a demand, as part of a documented response plan. The decision should take into account the fact that it funds a criminal economy and raises the risk to the community. Providing a safe environment in which to do business is the responsibility of government. Needless to say, government will resist contributions to the criminal economy.

Codecov Retiring Bash Uploader Used in Attacks

Codecov is retiring the Bash script uploader that was compromised and used in supply chain attacks earlier this year. Codecov is replacing it with a NodeJS-based uploader. According to a Codecov blog post, the new uploader “is shipped as a static binary executable on the Windows, Linux, Alpine Linux, and macOS operating systems.” It is currently in beta.

Note:

Not sure if the move to NodeJS fixes any actual security issues. It may actually make things more complex to secure going forward. The move may be more related to keeping the code base maintainable by current developers.

The Top 20 Secure PLC Coding Practices Project

The Programmable Logic Controller (PLC) Security Top 20 List is scheduled to be released on Tuesday, June 15. The list will be hosted by the International Society of Automation (ISA) Global Security Alliance.

Note:

SANS has demonstrated that such lists can be helpful and effective in improving quality and reducing risk. However, “20” is a long list and ordering is important. Ordered list should end in “other.”

Unpatched Vulnerabilities in Akkadian Provisioning Manager

Three high-severity security flaws in the Akkadian Provisioning Manager could be exploited collectively to allow remote code execution with elevated privileges. The vulnerabilities were discovered by researchers at Rapid7. The flaws – use of hard-coded credentials; improper neutralization of special elements used in an OS command; and exposure of sensitive information to an unauthorized actor – are present in version 4.50.18 of the Akkadian platform. There are currently no patches for the vulnerabilities.

Note:

Include sweeping for passwords in configuration files to your CI/CD process. Make sure they are not stored in your software repositories and they don’t get needlessly pushed to production. Require passwords to be set on deployment; don’t provide defaults which are either unlikely to be changed or can be used with a default deployment to exploit weaknesses.

Avaddon Ransomware Group Closes Up Shop, Sends Decryption Keys to BleepingComputer

The ransomware operators behind the Avaddon ransomware claim to have shut down operations and have turned over all decryption keys to BleepingComputer.com. The Avaddon group has recently been contacting victims and pressuring them to pay the demanded ransom, but has been accepting victims’ counteroffers without further negotiation.

JBS Paid $11M Ransom to Prevent Attackers from Leaking Stolen Data

Meat processing company JBS USA acknowledged that it paid $11 million to ransomware operators following an attack late last month. In a media statement, JBS says that most of its facilities were up and running when they paid the ransom, and that the decision to pay was made “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” According to Security Scorecard, the JBS attack began with reconnaissance in February 2021. The attackers exfiltrated data from March 1-May 29 and encrypted the JBS environment on June 1.

Note:

Some common threads between JBS USA and the Colonial Pipeline failures, beyond the initial lack of essential security hygiene and the decision to pay ransom: (1) Failure to detect large volumes of data exfiltration over long periods of active exploitation; and (2) lack of a tested process and plan for how to deal with an incident to minimize service interruptions. For JBS, this happened despite their stated IT spending and IT employee count being significantly higher than industry averages. All of this indicates a lack of investment in both IT processes to minimize vulnerabilities and security skills, planning, and processes to mitigate and respond.
Make sure that your detection capabilities are where they need to be. Are all your locations protected at the same levels? Attackers were not only in the JBS Network for three months, but also exfiltrated 5 TB of data. Are you continuously watching for compromised passwords and taking steps to change them promptly when discovered? Are you looking for unexpected connections or unusual volumes of traffic? Verify your boundary protection and access devices are updated and secured. Ensure MFA is comprehensively enabled for all internet facing services. Augment your internal processes with periodic third-party assessments of your security posture.
Wow, this is a big check. Profits like this will only fuel more aggressive attacks. However, to keep things in perspective, the FBI reported over $1.8 billion in losses due to BEC/CEO Fraud for 2020. We just don’t hear about these attacks because a while successful BEC attack does not shut down infrastructure, ransomware does.
One must have a capability to detect breaches in hours to days. Extortion demands as the first indication of a breach is unacceptable.

Fastly CDN Outage Knocked Portions of the Internet Offline

On Tuesday, June 8, many major websites experienced a period of unavailability, which was caused by an outage at content delivery network (CDN) Fastly. Fastly says the issue was due to a software bug that “was triggered by a valid customer configuration change” and that the issue was fixed within an hour.

Note:

Promises to do better and not make mistakes in the future don’t carry the weight of a signed SLA for outsourced services. Make sure your SLA includes defined and measurable service delivery levels and corresponding financial penalties. Even though the disruption was detected in under a minute, it took most of an hour to achieve 95% restoration. External dependencies, with interrelated systems can extend recovery time even further. Document your configuration and known dependencies to aid troubleshooting and manage recovery expectations.
One of the promises of cloud providers is to isolate customers from each other, and to keep one customer’s bad configuration from affecting others. While Fastly was quickly able to mitigate the underlying issue, I do not like the statement that the outage was triggered by a customer configuration change. It was triggered by a bug in Fastly’s code that allowed a single innocent customer to take down their system.
Another good lesson about cloud service level agreements. Looks like this was about a maximum of a 3 hour outage, which according to Fastly’s SLAs would mean Gold and Enterprise customers impacted that long (or up to 7 hours) can request and get a 10% credit against their monthly charges. For many businesses, that will not come close to any business disruption costs. Internet connectivity overall has to be thought of just as electricity is thought of – backup plans need to be in place for long outages that may not even trigger any SLA credits, let alone cover disruption costs.
Careful. Fastly and its customers are “edge” providers. While this failure impacted the “world wide web,” the internet, the transport layer, performed as intended.

GitHub Adds RubyGems and PyPl to its Secret Scanning

GitHub has added PyPl and RubyGems to its secrets scanning capabilities. A GitHub blog post notes that “If one of these [package registry credentials] secrets is leaked, rather than compromising one product, it can compromise thousands.” GitHub has been scanning for and revoking secrets, also known as tokens, in users’ code since 2015.

Note:

Thanks to GitHub for helping secure the open source ecosystem. With so many projects using GitHub, any change like this will help.
GitHub has been pretty good over the years at adding bottom-up security features and services, including code testing tools and a well-managed bug bounty program. Looks like Microsoft’s acquisition of GitHub in 2018 did not negatively impact that, which is a good thing. There will not be a single top-down answer to supply chain security in software, any more than there is for the security/safety of the supply chain that runs from restaurants back to farms.

Microsoft Patch Tuesday

On Tuesday, June 8, Microsoft issues fixes for 50 security issues. Six of the flaws –privilege elevation vulnerabilities in Microsoft DWM Core Library, Windows NTFS, and Microsoft Enhanced Cryptographic Provider; an information disclosure vulnerability in the Windows Kernel, and a remote code execution vulnerability on Windows MSHTML platform – are being actively exploited.

Note:

This patch Tuesday is probably best characterized as “Mostly Harmless.” It contains a number of already exploited vulnerabilities, but for the most part, these are privilege escalation vulnerabilities.
Patches for 0-Days, to include those actively exploited is becoming commonplace. And with current trends, privilege escalation flaws (CVE-2021-31956, CVE-2021-33639, CVE-2021-31201 and CVE-2021-31199) are just as valuable as RCE flaws such as CVE-2010-33742 since they provide more ways for the attacker to elevate privileges once they have an initial foothold. Regrettably, as indicated by the Colonial Pipeline and JBS attacks, the bar for initial entry is not where it needs to be. Judicious updates and application of security baselines is also a component in raising that bar.

Colonial Pipeline CEO Testifies at Congressional Hearings

Colonial Pipeline CEO Joseph Blount testified before the Senate and House Homeland Security Committees earlier this week. Blount said that Colonial Pipeline did not have a plan in place for dealing with the ransomware attack. He encouraged companies that suffer similar attacks to be transparent about their experiences. Blount was criticized for refusing recovery help from the Cybersecurity and Infrastructure Security Agency (CISA).

Note:

Remember the “For Want of a Nail” proverb. Could you be undone by the use of a compromised password? Do you have remote access which requires only a reusable password? Did you really decommission old insecure access methods or were they left enabled “just in case?” The complexity and pace of a modern enterprise stresses the ability to pay attention to all the details, and with the current ROI on hacking, it is more critical than ever to do so. Encourage your analysts to automate themselves out of a job, meaning to automate repetitive and mundane tasks so they have the bandwidth to keep up with the changes and growth of adopted technology. Participate in their implementation to make sure you have visibility and relationships established up front.

More Updates: Adobe and Intel

On Tuesday, June 8, Adobe released updates to address more than 40 security issues in Acrobat, Reader, Photoshop, Experience Manager, After Effects and other applications. On the same day, Intel released 29 security advisories to address nearly 80 vulnerabilities in a variety of products.

Note:

Adobe’s Acrobat and Reader updates need to be applied quickly. For Intel, the tricky part is BIOS updates. For some of them, you may need to wait for OEM patches instead of applying Intel’s patches directly.
We’re not catching a break this month. Adobe Creative Cloud, which can drive the updates to their other products on endpoints, itself needs updating and should do so automatically. The affected applications will not apply updates until they are quit and relaunched. As this month’s Microsoft and Apple OS patches require reboots, leverage that, by forcing the reboot immediately or via a maximum timeout.
Patching continues to be an expensive and inefficient way to achieve quality. At best, it is only marginally effective.

IoT Message Broker Vulnerabilities

Researchers at the Synopsys Cybersecurity Research Center have found denial-of-service vulnerabilities in three open-source IoT message brokers, RabbitMQ, EMQ X, and VerneMQ. All three flaws involve Message Queuing Telemetry Transport (MQTT) protocol client input handling and can be exploited with a malicious MQTT message. The vulnerabilities were disclosed to project maintainers in March and all three have released fixes. Users should update to RabbitMQ version 3.8.16 or later; EMQ X to version 4.2.8 or later; and VerneMQ version 1.12.0 or later.

Chrome Update Includes Fix for Actively Exploited Flaw

Google has updated its Chrome browser to version 91.0.4472.101 on the stable channel for Windows, Mac, Linux. The browser has been updated to address 14 security issues, including a type confusion vulnerability in the V8 open source and JavaScript engine that is being actively exploited.

Note:

Chromium browsers are not far behind. The group which developed the exploit for CVE-2021-30544 also developed the exploit to MSHTML (CVE-2021-33742), making it prudent to update Chrome and Chromium browsers expeditiously Where possible push the updates rather than waiting on user action.
Google Chrome vulnerabilities are becoming common entry points for more targeted attacks. This vulnerability is already being exploited; expect more soon. The easiest way to improve your chances of having an up-to-date Google Chrome is to exit it once a day and restart it. With all the time we spend using web browsers, they are often just left running which may prevent updates from being applied. Restarting your browser is like rebooting your operating system after applying a patch.
It is really time that more vendors start to push out software with security fixes when the fixes are ready and proven stable and IT groups update configuration management processes away from the antiquated “wait for Vulnerability Tuesday” (or worse for servers) to patch everything at once.

Vulnerabilities in Rockwell Automation ISaGRAF5

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of multiple vulnerabilities in Rockwell Automation ISaGRAF5 Runtime. The flaws could be exploited to execute code remotely, disclose information, or cause denial-of-service conditions. The issues affect products from Schneider Electric and GE, which have taken steps to mitigate the issues; other vendors’ products may be affected as well.

Note:

Storing a credential in the clear in a configuration file that you read without verification isn’t something we can afford to do anymore, no matter that it was easy and how well it worked. Apply the updates to ISaGRAF Runtime, restrict access to the ICS, particularly TCP ports 1131 and 1132, and restrict access to the Runtime’s folder.

CISA Fact Sheet on Ransomware Threat to Operational Technology

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a fact sheet on the increased threat of ransomware to operational technology (OT) assets and control systems. CISA urges “critical infrastructure asset owners and operators [to] adopt a heightened state of awareness and voluntarily implement recommendations” that include identifying critical processes; implementing network segmentation between IT and OT networks; and developing and testing “workarounds or manual controls to ensure that critical processes – and the industrial control system (ICS) networks supporting them – can be isolated and continue operating without access to IT networks.”

Ransomware Hits Community College in Iowa

The Des Moines (Iowa) Area Community College (DMACC) cancelled all classes for four days after its network was hit with a cyberattack. DMACC has asked students, faculty, and staff not to use Microsoft Office 365 or Blackboard. As of Thursday, June 10, classes with in-person components are being held at their regular times. Virtual classes have not yet resumed.

NY State Senate Passes Right to Repair Bill

New York’s State Senate has passed The Digital Fair Repair Act, a bill that would allow consumers to rep[air their own electronic devices. The New York State Assembly has not yet passed its version of the bill.

Note:

The “Right to Repair” does have significant impact on security. Locked down devices are too often left vulnerable after vendors abandon support for them and customers are left with costly replacements as their only option.
As more states consider the user’s right to repair, it opens options for users to more affordably maintain their own equipment and small businesses to enter the space. This is a good time to review your acceptance of risks for employees having their issued systems repaired. Consider the risks of OEM versus after-market components as well as data protection requirements irrespective of who, how or where the work is done.
In our space, the impact of state legislation may extend way beyond the boundaries of the state. Congress has the responsibility and authority to regulate interstate commerce. State initiatives such as this occur when Congress fails. As with most legislation, “the devil is in the details.” Drafting legislation that accomplishes its goal while avoiding unintended consequences is difficult.

Australian Federal Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App

The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured for the purpose of using the app, and starting in 2018, distributed on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”

Note:

Finally a “good” supply chain attack and congratulations to everybody involved in executing just a massive operation. But maybe also a subtle reminder that your end-to-end encryption depends on the vendor doing what they promised.
The takedown involved about 4,000 law enforcement officers processing 25 million messages and executing 525 search warrants across Australia. It is estimated the ANoM app had 9,000 users world-wide. This is an excellent example of international cooperation of law enforcement agencies. Unfortunately, like burning a successful 0-Day, this also marks the end of the ANoM apps viability. Part of the decision to stop monitoring and making arrests was a blog posting (since deleted) detailing the behavior of the ANoM app, this March, which didn’t correctly attribute the backdoor to the FBI.

US Dept. of Justice Recovers Portion of Colonial Pipeline Ransom

The FBI has recovered $2.3 million of the $4.4 million in Bitcoin paid to the Colonial Pipeline ransomware operators. Colonial Pipeline had taken early steps to notify the FBI which helped them track the payment to a specific cryptocurrency wallet. The FBI seized the bitcoin with the aid of court documents.

Note:

While there is little guarantee of a positive outcome, early collaboration with a group such as the FBI can allow them to disrupt and trace cryptocurrency transactions. While only part of the overall solution, shutting down the ability to easily process and launder cryptocurrency is a step in the right direction for discouraging or stopping ransom payments.
Your organization should have an active and trusted partnership with law enforcement BEFORE incidents happen. Take your local FBI out to lunch quarterly and get to know them; it’s an investment that can pay literally millions in return. This is especially true for financial attacks like CEO fraud, where law enforcement can often claw back (retrieve) stolen funds if reported within 72 hours of the incident.
While it isn’t clear yet how the FBI gained access to the private key, this is clearly an important success and shows how law enforcement may be able to recover some of the funds. More important than the monetary loss to the criminals is the fact that it does disrupt the fragile trust between ransomware actors if they are not able to pay parts of their supply chain.

Threat Actors are Targeting Unpatched VMware vCenter and Cloud Foundation Software

Threat actors are actively scanning for unpatched versions of VMware vCenter Server and VMware Cloud Foundation software. VMware released fixes for the critical remote code execution vulnerability in late May, but systems remain unpatched.

Note:

There are three things you can do to mitigate this attack: (1) Make sure vCenter is not exposed to the Internet (2) Disable the vSAN Client Plugin if possible, and (3) Patch. For details on disabling the vSAN and other plugins see VMware KB 83829.
kb.vmware.com/s/article/83829: How to Disable VMware Plugins in vCenter Server (83829)
This vulnerability doesn’t require authentication to exploit, so you cannot depend on your authentication solution to protect you. Restrict vCenter access to authorized devices only. Make sure that your patch/update processes include vCenter. Verify this update is applied.

Colonial Pipeline CEO to Testify Before House and Senate Committees This Week

Colonial Pipeline CEO Joseph Blount is scheduled to testify at the Senate and House Homeland Security Committee hearings on Tuesday, June 8 (Senate) and Wednesday, June 9 (House). According to written testimony, Blount paid the $4.4 million ransom to get the pipeline “back up and running” as quickly as possible. In the document, Blount also indicated that the company believes the attackers gained initial access to the organization’s network with a compromised VPN account password. Although the account was no longer being used, it was still able to access Colonial Pipeline’s network. The account has since been deactivated.

Note:

For the past three years, the Verizon DBIR has identified the human as one of the primary driver of breaches. In fact, for their 2021 report they put a number to it: 85%. The top two human risks for the past three years? Phishing and passwords. 2FA is probably the number one control I would suggest organizations start with.

Another Pipeline-Related Attack: LineStar Integrity Services

LineStar Integrity Services, a company that provides pipeline compliance, technology, and integrity maintenance solutions, was hit with a ransomware attack around the same time as the Colonial Pipeline attack. While the company has not made any public statement about the attack, 70 GB of internal LineStar data were recently posted to a leak website.

Google’s Open Source Insights Project

Google’s Open Source Insights Project aims to help developers visualize their dependencies. The Open Source Insights site “provides an interactive view of the dependencies of open source projects.”

Note:

Nice work Google! Not only does this project illustrate dependencies among components, but Google is also flagging know vulnerable versions of components to make mitigation easier.

GitHub Policy Update

GitHub has updated its policies regarding malware and exploit code hosted on the site. In a blog post, GitHub CSO Mike Hanley writes that they “explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits.” The new policy includes clarification about when GitHub may disrupt attacks, noting that “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.”

Note:

The change in policy clarifies when they will disrupt activities causing harm, while still permitting POC exploit code. e.g., using GitHub for C2 is disallowed, but hosting the code for Metasploit or Mimikatz is permitted. They also suggest creating a SECURITY.md file with contact information to help in dispute resolution within the community. Read the updated GitHub policy to ensure you’re still following it, verify your repository has appropriate access controls, make sure only the code intended is stored there, check to prevent accidental inclusion of passwords or security keys.
The update does balance researchers’ abilities to share code while at the same time protecting the public. We will have to see how the policy is applied. But for example, having malware directly download additional code from GitHub is likely going to lead to the removal of the code.

WebExtensions Community Group

Major browser makers Microsoft, Google, and Mozilla have formed the WebExtensions Community Group (WECG) to examine ways “to advance a common browser extension platform.” The group will focus on browser extension security and performance. Other browser makers are invited to join WECG.

Note:

Take a look at the extensions in your browsers, removing the ones you’re not using; make sure they are updated and supported. The WECG is striving to have extensions maintain security, performance, privacy, and compatibility while prioritizing end user needs over developers. Their principles are inspired by the W3C TAG Ethical Web (www.w3.org: W3C TAG Ethical Web Principles) and HTML Design (www.w3.org: HTML Design Principles) principles. It is hoped that this specification has more adoption than the work done by the Browser Extension Community Group.

Microsoft’s ElectionGuard to be Piloted in Hart InterCivic Voting Machines

US voting machine vendor Hart InterCivic will pilot Microsoft’s ElectionGuard software in its Verity voting systems. ElectionGuard is open source software that ensures ballots are verifiable. The Verity machines will create paper backups, utilize encryption in a way that protects privacy while allowing votes to be counted, and let voters check whether their vote has been counted.

Note:

Remember the conversation of build vs. buy? Microsoft has developed software to help voting makers consistently implement needed transparency, security, and integrity, which can be independently verified and ultimately help the certification process. The downside is that any flaws in ElectionGuard may be present on all systems using it. Document the risks and ROI when making this decision.

Siloscape Malware Targets Windows Containers

A researcher at Palo Alto Networks Unit 42 has discovered the first known malware that targets Windows containers. “Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.”

Note:

Verify your Kubernetes clusters are properly configured, whether local or cloud based. This exploit starts by leveraging known vulnerabilities in running containers, then impersonates the CExecSvc to obtain SeTcbPrivilege, using the undocumented NtImpersonateThread call, to create a global symbolic link to then access the C drive and try to create new Kubernetes deployments. The exploit doesn’t require admin privileges to be successful. The backdoor uses a Tor client to connect to a .onion C2 server. Verify your container image update process to ensure that patches are deployed in your running containers in a timely fashion.

CODESYS Vulnerabilities

Researchers from Positive Technologies have found 10 vulnerabilities in CODESYS automation software. The flaws could be exploited to remotely execute code on programmable logic controllers (PLCs). The vulnerabilities are due to insufficient verification of input data. CODESYS has released advisories (2021-06, 2021-07, and 2021-08) and updates.

Note:

This is another vulnerability that can be exploited without authentication. Control systems need proper isolation, permit only authorized devices network connections to them, particularly PLCs which are extremely sensitive to inappropriate connections or malformed communication. Make sure those isolated segments are actively monitored for inappropriate traffic.
Back in the days of the mainframe, I owned the input editor for a large multi-user system. Its job was easy; it dealt with a single, alpha-numeric, code set in a single level closed environment. Two generations go by and the Carnegie-Mellon CERT reports that more than half of the vulnerabilities reported to them resulted from input validation failures. I still thought of it as an easy problem. Then I heard an OWASP presentation that pointed out, among other things that made the problem hard, that the modern programmer had to deal with multiple expanded code sets and often did not know the environment in which his program would run. I now concede that it is a “hard problem” but one which must be addressed. PLCs are a single level closed environment.

University of Florida Health Hospitals Affected by Cyberattack

Two University of Florida (UF) Health hospitals were hit with a cyberattack that has them running under electronic health record (EHR) downtime. The incident has affected The Villages Regional Hospital and Leesburg Hospital. IT teams are investigating what is suspected to be a ransomware attack.

Threat Actors Exploited Pulse Secure Zero-Day to Break into MTA Systems

Cyberthreat actors believed to be operating with the support of China’s government exploited a Pulse Secure zero-day vulnerability to gain access to New York City’s Metropolitan Transportation Authority (MTA) computer systems earlier this spring. A forensic investigation revealed that the intruders attempted to remove evidence of their forays into the network, which raises the possibility that there have been system breaches that MTA has not discovered.

Note:

Pulse Secure had to patch multiple vulnerabilities this last year, and they have been exploited extensively.
We are now almost 18 months past the first advisories to patch the initial wave of Pulse Secure VPN vulnerabilities, and several months ago advisories came out about additional Pulse Secure vulnerabilities. Many IT operations have been struggling just to keep remote access for Work From Home running and patching has suffered – more compromise hunting is required to detect malware installs that occurred before patching, as recent DHS/CERT advisories have pointed out.
With a shift to increased remote work, your boundary protections are critical. Today’s combination traditional VPN, Zero Trust, CASB, VDI, and EDR require attention to detail including security configuration, judicious application of updates, and active monitoring (and response) for malfeasance. Make sure that you have the right skillsets on hand, supported with adequate, training funding and depth of coverage.
Breaches of infrastructure systems may not be obvious and may not be immediately exploited. Nation state attackers may save them for later use. Think “zero trust” and “least privilege.” Think urgency; the longer these systems remain vulnerable, the greater the risk that they are covertly compromised.

IBM Announces School Systems Chosen to Receive Cybersecurity Grants

IBM has selected six US school systems to receive grants to help strengthen their cybersecurity. The school systems are Brevard Public Schools (Florida), Denver Public Schools (Colorado), KIPP Metro Atlanta Schools (Georgia), Newhall Independent School District (California), Poughkeepsie Independent School District (New York), and Sheldon Independent School District (Texas). “The grants will sponsor IBM Service Corps teams to help six U.S. K-12 public school districts proactively prepare for and respond to cyber threats.”

Note:

Two of the most critical services governments provide are public education and election services. In the US, the way those two areas are governed and funded is antiquated and resistant to change. Volunteer and private industry support for increased security levels in both of those areas has really been needed and has turned into good investments for business as stability and security in those areas is good for business.
The need for shoring up security in the education sector has become clear with the past year of successful attacks on school systems. Ransomware preparedness and response is at the top of the list for the IBM team help with “pain points.” The need is far greater than IBM alone can address; as cyber security professionals we should all be reaching out to our local school systems, leveraging our enterprise community outreach functions if possible, to see if we can help.
The limited impact of these expenditures illustrates how big this problem is and how difficult it will be to remedy on a district-by-district basis. We need to make the public networks a safer environment for all users. It is time to operate these networks as the infrastructure that they are.

NIST: Mobile Device Biometric Authentication for First Responders

A report from the US National Institute of Standards and Technology (NIST) “examines how first responders could use mobile device biometrics in authentication and what the unsolved challenges are.” The report is intended to help public safety organizations make choices about first responder authentication options. NIST is accepting comments through July 19, 2021.

Note:

Have first responders read and respond to the draft. Responders I have talked to already leverage biometrics, and remind me to look at scenarios where biometric options fail, e.g, using fingerprint readers while wearing PPE. When creating security profiles for mobile devices, ensure that your device protections don’t interfere with life safety needs of responders. Safety needs to trump security, which means you may have a different configuration on some devices. Have clear support for those decisions at the highest levels.
This report is more of a tutorial around mobile device biometrics that is strong on the challenges and really weak on “how to implement” guidance. Microsoft’s research showed that 99.9% of phishing attacks would be defeated just by mobile device text messaging, and over 80% of successful ransomware attacks start with successful phishing attacks. While first responders do have unique needs, we are in an emergency situation where reusable passwords have to be considered as dangerous as carcinogens like lead in consumer products or e coli in meat.

White House Memo: Advice to Private Sector on Protection from Ransomware

Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, has released an open letter to corporate executives and business leaders urging them to take action to protect their networks from ransomware. The memo strongly recommends implementing the five best practices from the President’s Executive Order: back up data, system images, and configurations, and regularly test them, and keep the backups offline; update and patch systems promptly; test your incident response plan; check your security team’s work; and segment networks.

Note:

Ben Wright of SANS and I have done a recent series of talks and a white paper around the ransomware issues. Key point (1) is that no security group or manager makes the pay/don’t pay decision – that will always be a business or legal/regulatory-driven decision. But Key Point (1a) is that security managers can provide critical input into required strategies and changes needed to reduce the risk of ransomware to an acceptable level that will enable the business decision to be “we don’t need to pay the ransom.” Brian Honan makes Key Point (1b) below.
Private sector companies are primarily driven by profit goals and anything that does not help achieve those goals will always be neglected. Until we start speaking about cybersecurity in terms of business risk, private sector companies will continue to treat security as an IT problem and as a cost. And this cost-based focus is what has led many companies to have such poor cybersecurity protections. It is time we start to move our focus away from technical solutions and speak more about business risks to our boards and colleagues.
I think one thing we need to get into the debate about ransomware is that paying the ransom does not make the cost of recovery any cheaper. In the case of Colonial Pipeline, who paid $4m for the decryption tool, they still reverted to their backups to restore their systems. The HSE in Ireland who got the decryption tool for free had to use a third party tool to make it work effectively. In both cases the IR teams are still having to go to each individual machine, verify that it is clean, remediate it, recover data onto it, and then bring it online – this has to happen whether you have the decryption key or not. So paying for the decryption key is not a magic wand that gets all your systems back online overnight. You are still looking at weeks if not months of work to get large estates back up and running.
When reviewing your response plan, look carefully at your downtime procedures. Are you able to provide some level of service or will you be hard down? Consider the case of the Massachusetts Steamship Authority where they were still able to process cash ticket sales and operate their ferries. Make sure that your situational awareness is as good or better than your adversaries’. Start with the core CIS controls, making sure you know what hardware and software you have, that it is securely configured and your data is protected.
And do not forget strong authentication (at least two kinds of evidence, at least one of which is resistant to replay). Credential replay is implicated in many ransomware attacks and other breaches. While this measure may not be sufficient for targets of choice, it will get most out of the target of opportunity population.

DoJ Will Treat Ransomware Investigations with High Priority

According to a senior officials from the US Department of Justice, DoJ will give ransomware investigations a priority similar to that of terrorism investigations. Earlier this week, US Attorney’s offices across the country received guidance instructing them to share information about ransomware investigations with a Washington, DC-based task force.

Note:

This is much needed and gives me hope. No matter how good any company is at security, if threat actors can operate any way they want without fear of retribution, anyone can and will be compromised. I think it’s interesting the government is taking the terrorism angle, as the motives of terrorists and criminals are very different, but as we are seeing, the impact at the human level can, in many ways, be the same. The sense of urgency appears to be great enough now to force the US government to take political and economic actions against other countries.
What this does is add to the list of topics which require expedient information sharing/reporting with Washington. Prioritizing activities also requires providing funds needed to acquire and train staff and equipment needed to support the work.

FBI Says REvil Ransomware Group Responsible for JBS Attack; Company Says Facilities are Now Operational

The FBI has “attributed the JBS attack to REvil and Sodinokibi and [is] working diligently to bring the threat actors to justice.” JBS says that all its facilities are once again operational.

Note:

REvil is known for “double extortion” tactics, demanding ransom not only for the decryption key but also for not selling exfiltrated information, leveraging any potentially damaging content if possible. JBS wisely engaged help from the Australian Signals Directorate and the FBI to respond to the criminal aspects of the attack while working with their incident response provider to quickly restore operations.

Massachusetts Steamship Authority Hit with Ransomware Attack

A ransomware attack affecting the Massachusetts Steamship Authority’s computer network has affected its operations. Customers were unable to make reservations or purchase tickets online or by phone. (Please note that the WSJ story is behind a paywall.)

Note:

As with other service related attacks, OT systems are able to operate, but supporting systems, in this case online ticketing and reservations, are unavailable. Even so, they are able to process cash transactions.
The fact that a “Steamship Authority” can be crippled by ransomware shows that everybody can be affected.
Jeh Johnson commented on TV this morning that the extortion demands are tailored to the ability to pay and lower than the cost of recovery by other means, such that, as in Colonial Pipeline, paying it is an attractive individual business choice while collectively it perpetuates the problem.

Fujifilm Shuts Down Network in Wake of Ransomware Attack

Fujifilm has shut down parts of its network after becoming aware of a possible ransomware attack. The Tokyo-based company has also “disconnected from external correspondence.”

Massachusetts Hospital Discloses Ransomware Attack

Sturdy Memorial Hospital in Attleboro, Massachusetts, has disclosed that its network was hit with a ransomware attack in February 2021. Analysis revealed that patient medical and financial data were compromised. The hospital paid a ransom to prevent data from being leaked. The incident also affected healthcare providers that had partnered with Sturdy Memorial for coordination of patient care. The hospital is now notifying affected patients.

US Supreme Court Ruling Reins in CFAA’s Reach

A ruling from the Supreme Court limits the scope of the Computer Fraud and Abuse Act (CFAA). The case, Van Buren v. United States, involves a former police officer who accepted money for using his access to a law enforcement database to look up license plate information. The written majority opinion notes that the court’s job was to “decide whether Van Buren… violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”

Note:

Limiting the scope of the CFAA is a huge win for cyber security research. Having clear permission and defined scope when accessing and researching systems is still critical. Discovery of a device in a search engine, running with default credentials doesn’t by itself constitute permission to access or configure it.
While not technically a violation of the CFAA, Van Buren was guilty of an abuse of his privilege and should be subject to other discipline. This is simply one more indication, as if any were needed, that the CFAA needs to be rewritten with more emphasis on what is done, i.e., misuse and abuse, and less on the concept of “authorization.”

Amazon Sidewalk is Going Live Next Week

On June 8, 2021, Amazon smart devices, which include Echo and Ring, will automatically be integrated into the Amazon Sidewalk wireless mesh service. Sidewalk will “share a small portion of your internet bandwidth” to “extend the low-bandwidth working range of devices.” Users can opt out of participating through the Alexa and Ring apps.

Note:

This is an opt-out service. If you take no action, you will be opted-in. The idea is to provide better connectivity for your Amazon devices where your network may have gaps, essentially an 80Kbps connection. Amazon cites the case of using their tracking devices to find a lost pet. The success of Sidewalk is dependent on the number of participating devices in any area. The downside is you have no visibility into which devices are connected to your network and what they are doing. The good news is you can opt out at your account level, not just the device level. In the Ring App, sidewalk is under the Control Center, in the Alexa App it is under Settings -> Account Settings -> Amazon Sidewalk. The option is only present when you’re connected to your Ring or Echo devices.
By choosing to make this an opt-out service, Amazon is showing why updates to US national privacy laws are badly needed. When I worked on surveillance cases for the US Secret Service in the 1980s, to put a vehicle tracker on a suspect’s car that was connected to the car’s 12v system, we needed to get a court order because of the unauthorized use of the car owner’s “services.” What Amazon is doing here seems no different to me.

Nobelium Spear Phishing Campaign Domains Seized

US authorities have seized two domains associated with a recent spear phishing campaign. The attackers are believed to be Nobelium, the threat actor likely responsible for the SolarWinds Orion supply chain attack. The spear phishing attacks masqueraded as messages from the US Agency for International Development (USAID) and targeted government agencies, think tanks, and non-governmental organizations (NGOs) around the world.

Note:

If one is not expecting a communication, one should simply throw it away. It is almost always the safest move. If one feels that they cannot do that, pick up the phone. Out-of-band confirmations are cheap and effective; they work in both directions.

Microsoft Acquires ReFirm Labs

Microsoft has acquired firmware analysis company ReFirm Labs. Microsoft says the acquisition will “enrich our firmware analysis and security capabilities across devices that form the intelligent edge, from servers to IoT.”

Note:

The most successful mergers/acquisitions over the past 5 years or so have been the big cloud platform players, like Salesforce, Amazon AWS, Google, and Microsoft buying small, innovative security vendors to build higher levels of security into their cloud infrastructure. The least successful cybersecurity M&As have been big IT companies buying security product companies just to increase revenue by selling security products. Building security in, versus “spending in depth,” is the key to real and sustainable levels of business protection.
With the recent rash of firmware-related vulnerabilities, ReFirm (the authors of Binwalk) should give Microsoft a huge leg up in analysis and response to firmware security issues including IoT and embedded device use cases. This acquisition further broadens the scope of protections offered under the Azure Defender umbrella, specifically Azure Defender IoT.

US Army Rescinds Workplace IoT Ban

The US Army appears to have rescinded a May 20, 2021, memo banning remote workers from using Internet of Things (IoT) devices in their workspaces. The ban was issued over concerns that IoT devices are constantly collecting data and listening.

Note:

The ban is essentially unenforceable; it is good OPSEC guidance. It’s still a good idea to be aware of the devices in your workspace. Just as you would question a stranger in a meeting, consider what these devices can capture and take action to remove or disable them when appropriate. Higher priority for the enterprise is making sure that you have good visibility into endpoint security and actions so you can respond appropriately.
Security is a space in which intuition does not serve us well, where “obvious” choices are wrong. Cooler heads have prevailed here. However, since many smart devices inside the SOHO router establish connections to the public networks by default, it will be difficult to give directions that are practical. We need standards, perhaps even regulation, that require smart devices to both encrypt and disclose what connections they make. While most home users will ignore the disclosures, they will empower WFH users.

Digital Flash Card Apps Exposed US Nuclear Weapons Secrets

Sensitive information about US nuclear missile bunkers in Europe was found online by searching for related terms, such as protective aircraft shelters (PAS) and Weapons Storage and Security Systems (WS3). The data were being used in digital flashcard apps. The compromised information includes camera positions, patrol frequency, unique identifiers on badges required for entry, and codewords guards use to indicate they are being actively threatened. The flashcards have been taken down.

Note:

“Shadow IT” at its worst. If you do not provide tools that are secure, employees will find their own. This may be an extreme case, but on a non-nuclear scale, this happens everybody with employees using personal email addresses because corporate mail filters are stripping content they need to do their job, or using the kids “gaming rig” for work because the company-provided laptop is too slow.
This is a nexus of benign, slightly obscure information augmented with specific information which makes it sensitive. We used to call this information mosaic. Use caution making online learning publicly available and make sure that accompanying completion records and feedback mechanisms are protected. Review regularly to ensure that both the presented information and accompanying meta-data remain secured.
Good reminder to sanitize all training and test data to remove sensitive information, and to make sure that any pen test engagement includes a strong research/reconnaissance phase.
When I taught young officers at the Naval Postgraduate School we called this “digital” OPSEC. They understood OPSEC.

Have I Been Pwned Open Sources Code Base and Will Receive Data from FBI

Last week, Have I Been Pwned (HIBP) founder Troy Hunt announced that the HIBP code base is now open source through the .NET Foundation. Hunt also announced that HIBP will provide the FBI with a means to share with HIBP lists of compromised passwords obtained in the course of investigations.

Note:

Have I Been Pwned is a great effort that has struggled to find appropriate funding. Troy Hunt has avoided the easy solution of selling out to a security vendor. This sounds like a great way to support this effort.
Have I Been Pwned has been powering other services for a while and is very useful as a retroactive password change reminder warning. But top priority should be in reducing the use of reusable passwords. Fixing the source of the leak is much better than getting faster at constantly mopping up.
This year marks thirty-five since Ken Weiss invented SecurID and in which I have been discouraging “exclusive reliance upon passwords.” Convenience continues to trump security. Passwords can be made resistant to dictionary, fuzzing, and even brute force attacks, but they are fundamentally vulnerable to replay and reuse.

Fix Available for Critical Flaw in HPE SIM

Hewlett Packard Enterprises (HP) has released an update to address a critical vulnerability in its System Insight Manager (SIM) software. The flaw was initially disclosed in December 2020; it arises from “a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page.” The flaw could be exploited to allow attackers with no privileges to execute code remotely. The flaw affects HPE SIM versions 7.6.x for Windows only.

Note:

This hotfix replaces the prior workaround where you had to disable “Federated Search” and “Federated CMS Configuration.” Note that hotfixes were also released for the Linux and HP-UX versions of the HPE SIM version 7.6.
This advisory was originally released in December. Later, HP upgraded it to a “no authentication required” remote code execution. Now we finally have a patch. Apply it.

SonicWall Offers Fix for Flaw in On-Premises Version of NSM

SonicWall has released updates to address “a post-authentication vulnerability (SNWLID-2021-0014) within the on-premises version of Network Security Manager (NSM).” Users are urged to upgrade to patched versions, Network Security Manager (NSM) 2.2.1-R6 and Network Security Manager (NSM) 2.2.1-R6 (Enhanced), as soon as possible. The issue does not affect software-as-a-service (SaaS) versions of NSM.

Note:

Make sure that management services are accessible only to authorized devices. Enable multi-factor authentication where supported and verify there are no end-arounds/shortcuts which could bypass your protections.
Luckily, this vulnerability requires valid user credentials to exploit. You may finish your coffee this morning before patching this one.

Siemens Offers Fix for Flaw Programmable Logic Controllers

Siemens has released a firmware update to address a severe memory protection bypass vulnerability in its SIMATIC S7-1200 and S7-1500 Programmable Logic Controllers (PLCs). Researchers at Claroty detected the flaw and notified Siemens, who released updates on May 28.

Note:

Your PLCs should already be isolated as they don’t respond well to malformed or unexpected traffic. Additionally, apply the mitigations in the Siemens bulletin, including using passwords on S7 communication, limiting or blocking remote client connections, and enabling TLS, and apply the defense in depth measures in the Siemens Operational Guidelines for Industrial Security.
cert-portal.siemens.com: Operational Guidelines for Industrial Security (PDF)
Firmware updates are a very expensive remedy for devices that are priced in the tens of dollars and employed in the millions.

The Apple M1 Chip Vulnerability and the Business of Bug Disclosure

Last week, Hector Martin disclosed a vulnerability in Apple’s M1 chip that “allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features.” The flaw is “baked in” to the chip, which means it cannot be fixed or patched. While the vulnerability is interesting, Martin notes that “nobody’s going to actually find a nefarious use for this flaw in practical circumstances.” He also writes that the website he created for the flaw, which he dubbed M1RACLES, to “poke fun at how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn’t mean you need to care.”

Note:

This allows two processes to access the EL0 register – which is only 2 bits wide for communication – and should be used as a reminder that all chips have flaws, not as a reason to panic. Use this as a chance to verify sure your services for M1 devices, including endpoint protection, patching and OS security configuration are enabled and working; adjust if needed.
A flashy logo/name/website has always been helpful to “sell” a vulnerability. The ability to covertly send messages between two cooperating processes exists in pretty much all PCs (a mock “PoC” was released in response to M1RACLE showing how one processing may modulate CPU load to send messages to other processes). It is also a long going issues in our industry that we focus on the new and shiny instead on the boring but necessary. Remember: Security is working best if it is boring, routine, and doesn’t feel like firefighting. The most important stories in this NewsBites (HPE flaw and Sonicwall vulnerability) will probably not make it into the “Top News” (… well … maybe now they will :) ) .
Kudos to Hector on this one. Instead of using FUD to draw attention to his finding, he was transparent and honest about its overall impact. Unfortunately, in our community sometimes researchers over dramatize their findings, causing more harm than good.

Food Processing Giant JBS Hit with Cyberattack

São Paulo-based food processing company JBS has shut down production at several facilities around the world following a cyberattack. Computer networks in in Australia, Canada, and the US were affected.

Note:

This is a growing trend we are going to see over the coming years: one business unit is infected in one country, which then infects all the other business units of the same company globally. However, these incidents are also impacting people’s daily lives, such as when hospital networks go down, gas lines can’t transfer gas, or in this case companies cannot process food. As the world has become so interconnected and interdependent, the impact of these events will only increase.

Swedish Infections Diseases Database Temporarily Taken Down After Attempted Intrusions

Sweden’s Public Health Agency (Folkhälsomyndigheten) temporarily took its infectious diseases database offline after detecting several attempted intrusions. The database, which is known as SmiNet, is also used to store information about COVID-19 infections. The database is once again operational; Folkhälsomyndigheten writes that “to further increase security, some adjustments have been made, which means certain restrictions when it comes to reporting data.”

US Army Requires Remote Workers to Remove IoT Devices from Workspace

In a May 25 memo calling for “teleworkers [to] incorporate strong cyber hygiene practices in their daily telework routine,” the US Army wrote that it is requiring all remote workers to remove Internet of Things (IoT) devices from their work areas. (any device with a listening function) The requirement applies to military and civilian employees and contractors.

Note:

I think unpatched VPN servers are much, much higher up in risk level for government telework, but the smart speaker vendors have not made it easy to prevent (or allow automated deletion) of audio recordings that are tagged “audio not intended for this device” but were saved anyway.
Think about the activities performed in your remote workspace. What conversations are happening, what is in view of your camera, what’s on your desk, what can be seen through the door or windows? Ask yourself not just who but what is listening. Smart assistants, while they don’t respond until they hear their wake word, are still listening. Consider muting the mic if you don’t wish to remove or turn it off. Remember also that open windows or doors, using speakers and speakerphones versus headsets are ways sensitive business information can be inadvertently shared. Have a clean desk policy for the remote workspace.
This is another example of a policy that sounds good at HQ, but when it hits reality most likely causes more harm than good (kind of like password expiration). How can people follow this policy? First, most people don’t even know all the IoT devices they have. Your coffee pot or light bulbs are often IoT. Even if you do know what devices you have, how can you possibly determine which ones have microphones or go about turning devices off / on every time you have a call? About the only way a remote worker could follow this policy if they created their own isolated, tech free room (aka SCIF) in their house, which is probably a better option if sensitive information is to be discussed.
“Strong cyber hygiene” is good advice but removing Internet of Things devices is over the top. All ‘things’ are not the same. As I sit in my work area, I cannot even identify, much less remove, all the smart appliances that I rely upon, including some that I rely upon for personal safety. (“Alexa, (‘I have fallen and I can’t get up.’) Call 911.”) One can eliminate all cyber risk simply by removing all computers but that is not practical advice. Some, e.g., classified, work should not be done in personal work areas.

Cyber Insurance Does Not Appear to be Improving Cybersecurity

Note:

Read more in:

Microsoft Investigating Malware-Signing Incident

Note:

Read more in:

Google Play is Increasing Developer Account Security

Note:

Read more in:

Microsoft Security Response Team: New Activity from SolarWinds Threat Actors

Note:

Read more in:

Communication Chip Vulnerabilities Can be Exploited with the Wave of a Phone

Note:

Read more in:

Zyxel Firewalls and VPNs are Being Attacked

Note:

Read more in:

Cisco Adaptive Security Appliance Vulnerability is Being Actively Exploited

Note:

Read more in:

NIST Defines Critical Software for Executive Order

Note:

Read more in:

Ireland Health Service Executive Still Operating Under EHR Downtime

Note:

Read more in:

FIN7 Cybercrime Group Member Sentenced to Prison

Read more in:

My Book Network-Attached Storage Devices are Being Remotely Wiped

Note:

Read more in:

Vulnerabilities in Dell SupportAssist

Note:

OIG Report: Medicare Needs to Improve Hospital Medical Device Security Assessments

Note:

Read more in:

Google’s Unified Vulnerability Schema to Manage Vulnerabilities in Open Source

Note:

Read more in:

CISA Acting Director Responds to Senators Questions About SolarWinds

Note:

Read more in:

Proposal Would Identify “Systemically Important Critical Infrastructure”

Note:

Read more in:

Unpatched Pling Vulnerabilities

Note:

Read more in:

VMware Releases Carbon Black Update to Fix Critical Vulnerability

Note:

Read more in:

SonicWall Updates Fix Incomplete Patch from October

Note:

Read more in:

Ransomware: Iowa’s Wolfe Eye Clinic Attack Affects 500,000 People

Note:

Read more in:

Tulsa Data Stolen in Ransomware Attack is Posted Online

Read more in:

E-ISAC Members Now Have New Tool to Share Information

Note:

Read more in:

Intruder Deleted Programs from San Francisco Area Water Treatment Facility Network

Note:

Read more in:

Google is Pushing Out Massachusetts COVID Contact Tracing App

Note:

Read more in:

GEA-1 Encryption Algorithm Weakness Was Intentional

Note:

Read more in:

WaterISAC Survey of US Water and Wastewater Utilities

Note:

Read more in:

Ransomware: Fertility Clinic Says Patient Data were Compromised

Note:

Read more in:

Wegmans Discloses Data Leak

Read more in: