Cybersecurity News Headlines Update on June 12, 2021

JBS Paid $11M Ransom to Prevent Attackers from Leaking Stolen Data

Meat processing company JBS USA acknowledged that it paid $11 million to ransomware operators following an attack late last month. In a media statement, JBS says that most of its facilities were up and running when it paid the ransom, and that the decision to pay was made “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” According to Security Scorecard, the JBS attack began with reconnaissance in February 2021. The attackers exfiltrated data from March 1 to May 29 and encrypted the JBS environment on June 1.

Note:

  • Some common threads between JBS USA and the Colonial Pipeline failures, beyond the initial lack of essential security hygiene and the decision to pay ransom: (1) Failure to detect large volumes of data exfiltration over long periods of active exploitation; and (2) lack of a tested process and plan for how to deal with an incident to minimize service interruptions. For JBS, this happened despite their stated IT spending and IT employee count being significantly higher than industry averages. All of this indicates a lack of investment in both IT processes to minimize vulnerabilities and security skills, planning, and processes to mitigate and respond.
  • Make sure that your detection capabilities are where they need to be. Are all your locations protected at the same levels? Attackers were not only in the JBS Network for three months, but also exfiltrated 5 TB of data. Are you continuously watching for compromised passwords and taking steps to change them promptly when discovered? Are you looking for unexpected connections or unusual volumes of traffic? Verify your boundary protection and access devices are updated and secured. Ensure MFA is comprehensively enabled for all internet facing services. Augment your internal processes with periodic third-party assessments of your security posture.
  • Wow, this is a big check. Profits like this will only fuel more aggressive attacks. However, to keep things in perspective, the FBI reported over $1.8 billion in losses due to BEC/CEO Fraud for 2020. We just don’t hear about these attacks because, while a successful BEC attack does not shut down infrastructure, ransomware does.
  • One must have a capability to detect breaches in hours to days. Extortion demands as the first indication of a breach is unacceptable.
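
As an added illustration of the “unusual volumes of traffic” check in the notes above (this is not part of the original newsletter), the following Python script aggregates constructed daily outbound flow summaries per internal host, learns a per-host baseline from the first week, and flags both one-day spikes and the sustained, below-spike-threshold volume that a months-long exfiltration produces. Host names, addresses, volumes and thresholds are invented for the example.

```python
"""Flag internal hosts whose outbound volume departs from their own baseline.

Added example with constructed data; thresholds and host names are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

GB = 1_000_000_000
START = date(2021, 3, 1)


def constructed_flows():
    """Build 37 days of (day, host, destination, bytes_out) summaries.

    ws-22    : steady workstation traffic between 0.4 and 0.6 GB/day.
    build-03 : 1 GB/day with a single 20 GB burst on day 21.
    fs-01    : 2 GB/day for the baseline week, then a sustained 5 GB/day
               (2.5x baseline: never a 'spike', but 150 GB over the window).
    """
    flows = []
    for i in range(37):
        day = START + timedelta(days=i)
        flows.append((day, "ws-22", "203.0.113.10", int((0.4 + 0.05 * (i % 5)) * GB)))
        flows.append((day, "build-03", "198.51.100.7", (20 if i == 20 else 1) * GB))
        flows.append((day, "fs-01", "192.0.2.44", (2 if i < 7 else 5) * GB))
    return flows


def analyze(flows, baseline_days=7, spike_factor=3.0, window_days=30, window_factor=2.0):
    """Return {host: [finding, ...]} for hosts whose outbound volume is anomalous.

    A host is flagged if any post-baseline day exceeds spike_factor x its
    baseline, or if its total over the trailing window exceeds window_factor x
    what the baseline predicts (this second rule catches low-and-slow exfiltration).
    """
    per_day = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes out
    for day, host, _dst, nbytes in flows:
        per_day[host][day] += nbytes

    findings = {}
    for host, days in per_day.items():
        ordered = sorted(days)
        if len(ordered) <= baseline_days:
            continue  # not enough history to learn a baseline
        baseline = median(days[d] for d in ordered[:baseline_days])
        if baseline == 0:
            baseline = 1  # a normally silent host is flagged on any traffic
        issues = []
        for d in ordered[baseline_days:]:
            if days[d] > spike_factor * baseline:
                issues.append(f"{d}: {days[d] / GB:.1f} GB out is {days[d] / baseline:.1f}x baseline")
        recent = ordered[-window_days:]
        total = sum(days[d] for d in recent)
        expected = baseline * len(recent)
        if total > window_factor * expected:
            issues.append(f"{len(recent)}-day total {total / GB:.0f} GB is {total / expected:.1f}x expected")
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in analyze(constructed_flows()).items():
        print(host)
        for issue in issues:
            print("  ", issue)
```

With the constructed data, build-03 is caught by the spike rule and fs-01 only by the trailing-window rule, which is the case a spike-only detector misses.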

Fastly CDN Outage Knocked Portions of the Internet Offline

On Tuesday, June 8, many major websites experienced a period of unavailability, which was caused by an outage at content delivery network (CDN) Fastly. Fastly says the issue was due to a software bug that “was triggered by a valid customer configuration change” and that the issue was fixed within an hour.

Note:

  • Promises to do better and not make mistakes in the future don’t carry the weight of a signed SLA for outsourced services. Make sure your SLA includes defined and measurable service delivery levels and corresponding financial penalties. Even though the disruption was detected in under a minute, it took most of an hour to achieve 95% restoration. External dependencies, with interrelated systems can extend recovery time even further. Document your configuration and known dependencies to aid troubleshooting and manage recovery expectations.
  • One of the promises of cloud providers is to isolate customers from each other, and to keep one customer’s bad configuration from affecting others. While Fastly was quickly able to mitigate the underlying issue, I do not like the statement that the outage was triggered by a customer configuration change. It was triggered by a bug in Fastly’s code that allowed a single innocent customer to take down their system.
  • Another good lesson about cloud service level agreements. Looks like this was about a maximum of a 3 hour outage, which according to Fastly’s SLAs would mean Gold and Enterprise customers impacted that long (or up to 7 hours) can request and get a 10% credit against their monthly charges. For many businesses, that will not come close to any business disruption costs. Internet connectivity overall has to be thought of just as electricity is thought of – backup plans need to be in place for long outages that may not even trigger any SLA credits, let alone cover disruption costs.
  • Careful. Fastly and its customers are “edge” providers. While this failure impacted the “world wide web,” the internet, the transport layer, performed as intended.

GitHub Adds RubyGems and PyPI to its Secret Scanning

GitHub has added PyPI and RubyGems to its secret scanning capabilities. A GitHub blog post notes that “If one of these [package registry credentials] secrets is leaked, rather than compromising one product, it can compromise thousands.” GitHub has been scanning for and revoking secrets, also known as tokens, in users’ code since 2015.

Note:

  • Thanks to GitHub for helping secure the open source ecosystem. With so many projects using GitHub, any change like this will help.
  • GitHub has been pretty good over the years at adding bottom-up security features and services, including code testing tools and a well-managed bug bounty program. Looks like Microsoft’s acquisition of GitHub in 2018 did not negatively impact that, which is a good thing. There will not be a single top-down answer to supply chain security in software, any more than there is for the security/safety of the supply chain that runs from restaurants back to farms.

Microsoft Patch Tuesday

On Tuesday, June 8, Microsoft issued fixes for 50 security issues. Six of the flaws – privilege elevation vulnerabilities in Microsoft DWM Core Library, Windows NTFS, and Microsoft Enhanced Cryptographic Provider; an information disclosure vulnerability in the Windows Kernel; and a remote code execution vulnerability in the Windows MSHTML platform – are being actively exploited.

Note:

  • This patch Tuesday is probably best characterized as “Mostly Harmless.” It contains a number of already exploited vulnerabilities, but for the most part, these are privilege escalation vulnerabilities.
  • Patches for 0-Days, including those actively exploited, are becoming commonplace. And with current trends, privilege escalation flaws (CVE-2021-31956, CVE-2021-33639, CVE-2021-31201 and CVE-2021-31199) are just as valuable as RCE flaws such as CVE-2021-33742, since they provide more ways for the attacker to elevate privileges once they have an initial foothold. Regrettably, as indicated by the Colonial Pipeline and JBS attacks, the bar for initial entry is not where it needs to be. Judicious updates and application of security baselines are also a component in raising that bar.

Colonial Pipeline CEO Testifies at Congressional Hearings

Colonial Pipeline CEO Joseph Blount testified before the Senate and House Homeland Security Committees earlier this week. Blount said that Colonial Pipeline did not have a plan in place for dealing with the ransomware attack. He encouraged companies that suffer similar attacks to be transparent about their experiences. Blount was criticized for refusing recovery help from the Cybersecurity and Infrastructure Security Agency (CISA).

Note:

  • Remember the “For Want of a Nail” proverb. Could you be undone by the use of a compromised password? Do you have remote access which requires only a reusable password? Did you really decommission old insecure access methods or were they left enabled “just in case?” The complexity and pace of a modern enterprise stresses the ability to pay attention to all the details, and with the current ROI on hacking, it is more critical than ever to do so. Encourage your analysts to automate themselves out of a job, meaning to automate repetitive and mundane tasks so they have the bandwidth to keep up with the changes and growth of adopted technology. Participate in their implementation to make sure you have visibility and relationships established up front.

More Updates: Adobe and Intel

On Tuesday, June 8, Adobe released updates to address more than 40 security issues in Acrobat, Reader, Photoshop, Experience Manager, After Effects and other applications. On the same day, Intel released 29 security advisories to address nearly 80 vulnerabilities in a variety of products.

Note:

  • Adobe’s Acrobat and Reader updates need to be applied quickly. For Intel, the tricky part is BIOS updates. For some of them, you may need to wait for OEM patches instead of applying Intel’s patches directly.
  • We’re not catching a break this month. Adobe Creative Cloud, which can drive the updates to their other products on endpoints, itself needs updating and should do so automatically. The affected applications will not apply updates until they are quit and relaunched. As this month’s Microsoft and Apple OS patches require reboots, leverage that by forcing the reboot immediately or via a maximum timeout.
  • Patching continues to be an expensive and inefficient way to achieve quality. At best, it is only marginally effective.

IoT Message Broker Vulnerabilities

Researchers at the Synopsys Cybersecurity Research Center have found denial-of-service vulnerabilities in three open-source IoT message brokers, RabbitMQ, EMQ X, and VerneMQ. All three flaws involve Message Queuing Telemetry Transport (MQTT) protocol client input handling and can be exploited with a malicious MQTT message. The vulnerabilities were disclosed to project maintainers in March and all three have released fixes. Users should update to RabbitMQ version 3.8.16 or later; EMQ X to version 4.2.8 or later; and VerneMQ version 1.12.0 or later.

Chrome Update Includes Fix for Actively Exploited Flaw

Google has updated its Chrome browser to version 91.0.4472.101 on the stable channel for Windows, Mac, and Linux. The update addresses 14 security issues, including a type confusion vulnerability in the open source V8 JavaScript engine that is being actively exploited.

Note:

  • Chromium browsers are not far behind. The group which developed the exploit for CVE-2021-30544 also developed the exploit for MSHTML (CVE-2021-33742), making it prudent to update Chrome and Chromium browsers expeditiously. Where possible, push the updates rather than waiting on user action.
  • Google Chrome vulnerabilities are becoming common entry points for more targeted attacks. This vulnerability is already being exploited; expect more soon. The easiest way to improve your chances of having an up-to-date Google Chrome is to exit it once a day and restart it. With all the time we spend using web browsers, they are often just left running which may prevent updates from being applied. Restarting your browser is like rebooting your operating system after applying a patch.
  • It is really time that more vendors start to push out software with security fixes when the fixes are ready and proven stable and IT groups update configuration management processes away from the antiquated “wait for Vulnerability Tuesday” (or worse for servers) to patch everything at once.

Vulnerabilities in Rockwell Automation ISaGRAF5

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of multiple vulnerabilities in Rockwell Automation ISaGRAF5 Runtime. The flaws could be exploited to execute code remotely, disclose information, or cause denial-of-service conditions. The issues affect products from Schneider Electric and GE, which have taken steps to mitigate the issues; other vendors’ products may be affected as well.

Note:

  • Storing a credential in the clear in a configuration file that you read without verification isn’t something we can afford to do anymore, no matter that it was easy and how well it worked. Apply the updates to ISaGRAF Runtime, restrict access to the ICS, particularly TCP ports 1131 and 1132, and restrict access to the Runtime’s folder.

CISA Fact Sheet on Ransomware Threat to Operational Technology

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a fact sheet on the increased threat of ransomware to operational technology (OT) assets and control systems. CISA urges “critical infrastructure asset owners and operators [to] adopt a heightened state of awareness and voluntarily implement recommendations” that include identifying critical processes; implementing network segmentation between IT and OT networks; and developing and testing “workarounds or manual controls to ensure that critical processes – and the industrial control system (ICS) networks supporting them – can be isolated and continue operating without access to IT networks.”

Ransomware Hits Community College in Iowa

The Des Moines (Iowa) Area Community College (DMACC) cancelled all classes for four days after its network was hit with a cyberattack. DMACC has asked students, faculty, and staff not to use Microsoft Office 365 or Blackboard. As of Thursday, June 10, classes with in-person components are being held at their regular times. Virtual classes have not yet resumed.

NY State Senate Passes Right to Repair Bill

New York’s State Senate has passed the Digital Fair Repair Act, a bill that would allow consumers to repair their own electronic devices. The New York State Assembly has not yet passed its version of the bill.

Note:

  • The “Right to Repair” does have significant impact on security. Locked down devices are too often left vulnerable after vendors abandon support for them and customers are left with costly replacements as their only option.
  • As more states consider the user’s right to repair, it opens options for users to more affordably maintain their own equipment and small businesses to enter the space. This is a good time to review your acceptance of risks for employees having their issued systems repaired. Consider the risks of OEM versus after-market components as well as data protection requirements irrespective of who, how or where the work is done.
  • In our space, the impact of state legislation may extend way beyond the boundaries of the state. Congress has the responsibility and authority to regulate interstate commerce. State initiatives such as this occur when Congress fails. As with most legislation, “the devil is in the details.” Drafting legislation that accomplishes its goal while avoiding unintended consequences is difficult.

Australian Federal Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App

The FBI tricked criminals into communicating with each other over an FBI-developed app, ANoM. The app was distributed on phones configured specifically to run it and, starting in 2018, those phones were distributed on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”

Note:

  • Finally a “good” supply chain attack, and congratulations to everybody involved in executing such a massive operation. But maybe also a subtle reminder that your end-to-end encryption depends on the vendor doing what they promised.
  • The takedown involved about 4,000 law enforcement officers processing 25 million messages and executing 525 search warrants across Australia. It is estimated the ANoM app had 9,000 users world-wide. This is an excellent example of international cooperation of law enforcement agencies. Unfortunately, like burning a successful 0-Day, this also marks the end of the ANoM app’s viability. Part of the decision to stop monitoring and make arrests was a blog posting this March (since deleted) detailing the behavior of the ANoM app, which didn’t correctly attribute the backdoor to the FBI.

US Dept. of Justice Recovers Portion of Colonial Pipeline Ransom

The FBI has recovered $2.3 million of the $4.4 million in Bitcoin paid to the Colonial Pipeline ransomware operators. Colonial Pipeline had taken early steps to notify the FBI which helped them track the payment to a specific cryptocurrency wallet. The FBI seized the bitcoin with the aid of court documents.

Note:

  • While there is little guarantee of a positive outcome, early collaboration with a group such as the FBI can allow them to disrupt and trace cryptocurrency transactions. While only part of the overall solution, shutting down the ability to easily process and launder cryptocurrency is a step in the right direction for discouraging or stopping ransom payments.
  • Your organization should have an active and trusted partnership with law enforcement BEFORE incidents happen. Take your local FBI out to lunch quarterly and get to know them; it’s an investment that can pay literally millions in return. This is especially true for financial attacks like CEO fraud, where law enforcement can often claw back (retrieve) stolen funds if reported within 72 hours of the incident.
  • While it isn’t clear yet how the FBI gained access to the private key, this is clearly an important success and shows how law enforcement may be able to recover some of the funds. More important than the monetary loss to the criminals is the fact that it does disrupt the fragile trust between ransomware actors if they are not able to pay parts of their supply chain.

Threat Actors are Targeting Unpatched VMware vCenter and Cloud Foundation Software

Threat actors are actively scanning for unpatched versions of VMware vCenter Server and VMware Cloud Foundation software. VMware released fixes for the critical remote code execution vulnerability in late May, but systems remain unpatched.

Note:

  • There are three things you can do to mitigate this attack: (1) make sure vCenter is not exposed to the Internet, (2) disable the vSAN Client Plugin if possible, and (3) patch. For details on disabling the vSAN and other plugins see VMware KB 83829.
    kb.vmware.com/s/article/83829: How to Disable VMware Plugins in vCenter Server (83829)
  • This vulnerability doesn’t require authentication to exploit, so you cannot depend on your authentication solution to protect you. Restrict vCenter access to authorized devices only. Make sure that your patch/update processes include vCenter. Verify this update is applied.

Colonial Pipeline CEO to Testify Before House and Senate Committees This Week

Colonial Pipeline CEO Joseph Blount is scheduled to testify at the Senate and House Homeland Security Committee hearings on Tuesday, June 8 (Senate) and Wednesday, June 9 (House). According to written testimony, Blount paid the $4.4 million ransom to get the pipeline “back up and running” as quickly as possible. In the document, Blount also indicated that the company believes the attackers gained initial access to the organization’s network with a compromised VPN account password. Although the account was no longer being used, it was still able to access Colonial Pipeline’s network. The account has since been deactivated.

Note:

  • For the past three years, the Verizon DBIR has identified the human as one of the primary drivers of breaches. In fact, for their 2021 report they put a number to it: 85%. The top two human risks for the past three years? Phishing and passwords. 2FA is probably the number one control I would suggest organizations start with.

Another Pipeline-Related Attack: LineStar Integrity Services

LineStar Integrity Services, a company that provides pipeline compliance, technology, and integrity maintenance solutions, was hit with a ransomware attack around the same time as the Colonial Pipeline attack. While the company has not made any public statement about the attack, 70 GB of internal LineStar data were recently posted to a leak website.

Google’s Open Source Insights Project

Google’s Open Source Insights Project aims to help developers visualize their dependencies. The Open Source Insights site “provides an interactive view of the dependencies of open source projects.”

Note:

  • Nice work Google! Not only does this project illustrate dependencies among components, but Google is also flagging known vulnerable versions of components to make mitigation easier.

GitHub Policy Update

GitHub has updated its policies regarding malware and exploit code hosted on the site. In a blog post, GitHub CSO Mike Hanley writes that they “explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits.” The new policy includes clarification about when GitHub may disrupt attacks, noting that “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.”

Note:

  • The change in policy clarifies when they will disrupt activities causing harm, while still permitting POC exploit code. e.g., using GitHub for C2 is disallowed, but hosting the code for Metasploit or Mimikatz is permitted. They also suggest creating a SECURITY.md file with contact information to help in dispute resolution within the community. Read the updated GitHub policy to ensure you’re still following it, verify your repository has appropriate access controls, make sure only the code intended is stored there, check to prevent accidental inclusion of passwords or security keys.
  • The update does balance researchers’ abilities to share code while at the same time protecting the public. We will have to see how the policy is applied. But for example, having malware directly download additional code from GitHub is likely going to lead to the removal of the code.
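
As an added example that is not from the newsletter or from GitHub, the following Python pre-commit-style scanner serves both the secret-scanning item earlier on this page and the note above about keeping passwords and keys out of repositories: it checks file contents (constructed samples here) for the two token shapes in question, PyPI API tokens and RubyGems API keys, and reports each hit redacted. The regexes approximate the public formats of those tokens and are assumptions, not GitHub’s own scanning patterns; the `staged_changes()` helper is only used when the script runs as a hook.

```python
"""Pre-commit style check for leaked package-registry credentials.

Added example with constructed sample files. Token shapes are approximations
(assumptions) of the public formats, not GitHub's scanning patterns.
"""
import re
import subprocess
from typing import Dict, List, Tuple

PATTERNS = {
    # PyPI tokens: "pypi-" followed by a long URL-safe base64 string (assumed shape).
    "pypi_api_token": re.compile(r"\bpypi-[A-Za-z0-9_-]{50,}"),
    # RubyGems keys: "rubygems_" followed by 48 hex characters (assumed shape).
    "rubygems_api_key": re.compile(r"\brubygems_[0-9a-f]{48}\b"),
}

Finding = Tuple[str, int, str, str]  # (file, line number, kind, redacted token)


def redact(token: str) -> str:
    """Keep enough of the token to locate it without reproducing it in full."""
    return f"{token[:10]}...{token[-4:]}"


def scan_text(filename: str, text: str) -> List[Finding]:
    """Return one finding per token-looking match, with its 1-based line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((filename, lineno, kind, redact(match.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents; result order follows the mapping."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def staged_changes() -> Dict[str, str]:
    """Collect the added lines of `git diff --cached` per file (hook usage).

    Line numbers reported for this text are positions among the added lines,
    not line numbers in the file.
    """
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    added: Dict[str, List[str]] = {}
    current = None
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            current = line[len("+++ b/"):]
        elif line.startswith("+") and not line.startswith("+++") and current:
            added.setdefault(current, []).append(line[1:])
    return {path: "\n".join(lines) for path, lines in added.items()}


# Constructed credentials: the strings are made up and are not valid tokens.
CONSTRUCTED_PYPI = "pypi-AgEIcHlwaS5vcmc" + "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL"
CONSTRUCTED_RUBYGEMS = "rubygems_" + "0123456789abcdef" * 3

SAMPLE_FILES = {
    ".pypirc": "[pypi]\nusername = __token__\npassword = " + CONSTRUCTED_PYPI + "\n",
    "credentials": "---\n:rubygems_api_key: " + CONSTRUCTED_RUBYGEMS + "\n",
    "publish.py": (
        "import os\n"
        'token = os.environ["PYPI_TOKEN"]  # correct: read the token from the environment\n'
        'placeholder = "pypi-short"  # too short to be a real token\n'
    ),
}


if __name__ == "__main__":
    import sys
    hits = scan_files(SAMPLE_FILES if "--demo" in sys.argv else staged_changes())
    for path, lineno, kind, shown in hits:
        print(f"{path}:{lineno}: possible {kind}: {shown}")
    sys.exit(1 if hits else 0)
```

Run with `--demo` to scan the constructed samples; without it the script reads the staged diff and exits non-zero on a hit, which is what a pre-commit hook needs.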

WebExtensions Community Group

Major browser makers Microsoft, Google, and Mozilla have formed the WebExtensions Community Group (WECG) to examine ways “to advance a common browser extension platform.” The group will focus on browser extension security and performance. Other browser makers are invited to join WECG.

Note:

  • Take a look at the extensions in your browsers, removing the ones you’re not using; make sure they are updated and supported. The WECG is striving to have extensions maintain security, performance, privacy, and compatibility while prioritizing end user needs over those of developers. Their principles are inspired by the W3C TAG Ethical Web (www.w3.org: W3C TAG Ethical Web Principles) and HTML Design (www.w3.org: HTML Design Principles) principles. It is hoped that this specification has more adoption than the work done by the Browser Extension Community Group.

Microsoft’s ElectionGuard to be Piloted in Hart InterCivic Voting Machines

US voting machine vendor Hart InterCivic will pilot Microsoft’s ElectionGuard software in its Verity voting systems. ElectionGuard is open source software that ensures ballots are verifiable. The Verity machines will create paper backups, utilize encryption in a way that protects privacy while allowing votes to be counted, and let voters check whether their vote has been counted.

Note:

  • Remember the conversation of build vs. buy? Microsoft has developed software to help voting machine makers consistently implement needed transparency, security, and integrity, which can be independently verified and ultimately help the certification process. The downside is that any flaws in ElectionGuard may be present on all systems using it. Document the risks and ROI when making this decision.

Siloscape Malware Targets Windows Containers

A researcher at Palo Alto Networks Unit 42 has discovered the first known malware that targets Windows containers. “Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.”

Note:

  • Verify your Kubernetes clusters are properly configured, whether local or cloud based. This exploit starts by leveraging known vulnerabilities in running containers, then impersonates the CExecSvc to obtain SeTcbPrivilege, using the undocumented NtImpersonateThread call, to create a global symbolic link to then access the C drive and try to create new Kubernetes deployments. The exploit doesn’t require admin privileges to be successful. The backdoor uses a Tor client to connect to a .onion C2 server. Verify your container image update process to ensure that patches are deployed in your running containers in a timely fashion.

CODESYS Vulnerabilities

Researchers from Positive Technologies have found 10 vulnerabilities in CODESYS automation software. The flaws could be exploited to remotely execute code on programmable logic controllers (PLCs). The vulnerabilities are due to insufficient verification of input data. CODESYS has released advisories (2021-06, 2021-07, and 2021-08) and updates.

Note:

  • This is another vulnerability that can be exploited without authentication. Control systems need proper isolation; permit network connections to them only from authorized devices, particularly to PLCs, which are extremely sensitive to inappropriate connections or malformed communication. Make sure those isolated segments are actively monitored for inappropriate traffic.
  • Back in the days of the mainframe, I owned the input editor for a large multi-user system. Its job was easy; it dealt with a single, alpha-numeric, code set in a single level closed environment. Two generations go by and the Carnegie-Mellon CERT reports that more than half of the vulnerabilities reported to them resulted from input validation failures. I still thought of it as an easy problem. Then I heard an OWASP presentation that pointed out, among other things that made the problem hard, that the modern programmer had to deal with multiple expanded code sets and often did not know the environment in which his program would run. I now concede that it is a “hard problem” but one which must be addressed. PLCs are a single level closed environment.

University of Florida Health Hospitals Affected by Cyberattack

Two University of Florida (UF) Health hospitals were hit with a cyberattack that has them operating under electronic health record (EHR) downtime procedures. The incident has affected The Villages Regional Hospital and Leesburg Hospital. IT teams are investigating what is suspected to be a ransomware attack.

Threat Actors Exploited Pulse Secure Zero-Day to Break into MTA Systems

Cyberthreat actors believed to be operating with the support of China’s government exploited a Pulse Secure zero-day vulnerability to gain access to New York City’s Metropolitan Transportation Authority (MTA) computer systems earlier this spring. A forensic investigation revealed that the intruders attempted to remove evidence of their forays into the network, which raises the possibility that there have been system breaches that MTA has not discovered.

Note:

  • Pulse Secure had to patch multiple vulnerabilities this last year, and they have been exploited extensively.
  • We are now almost 18 months past the first advisories to patch the initial wave of Pulse Secure VPN vulnerabilities, and several months ago advisories came out about additional Pulse Secure vulnerabilities. Many IT operations have been struggling just to keep remote access for Work From Home running and patching has suffered – more compromise hunting is required to detect malware installs that occurred before patching, as recent DHS/CERT advisories have pointed out.
  • With a shift to increased remote work, your boundary protections are critical. Today’s combination of traditional VPN, Zero Trust, CASB, VDI, and EDR requires attention to detail, including security configuration, judicious application of updates, and active monitoring (and response) for malfeasance. Make sure that you have the right skillsets on hand, supported with adequate training, funding and depth of coverage.
  • Breaches of infrastructure systems may not be obvious and may not be immediately exploited. Nation state attackers may save them for later use. Think “zero trust” and “least privilege.” Think urgency; the longer these systems remain vulnerable, the greater the risk that they are covertly compromised.

IBM Announces School Systems Chosen to Receive Cybersecurity Grants

IBM has selected six US school systems to receive grants to help strengthen their cybersecurity. The school systems are Brevard Public Schools (Florida), Denver Public Schools (Colorado), KIPP Metro Atlanta Schools (Georgia), Newhall Independent School District (California), Poughkeepsie Independent School District (New York), and Sheldon Independent School District (Texas). “The grants will sponsor IBM Service Corps teams to help six U.S. K-12 public school districts proactively prepare for and respond to cyber threats.”

Note:

  • Two of the most critical services governments provide are public education and election services. In the US, the way those two areas are governed and funded is antiquated and resistant to change. Volunteer and private industry support for increased security levels in both of those areas has really been needed and has turned into good investments for business as stability and security in those areas is good for business.
  • The need for shoring up security in the education sector has become clear with the past year of successful attacks on school systems. Ransomware preparedness and response is at the top of the list for the IBM team to help with “pain points.” The need is far greater than IBM alone can address; as cyber security professionals we should all be reaching out to our local school systems, leveraging our enterprise community outreach functions if possible, to see if we can help.
  • The limited impact of these expenditures illustrates how big this problem is and how difficult it will be to remedy on a district-by-district basis. We need to make the public networks a safer environment for all users. It is time to operate these networks as the infrastructure that they are.

NIST: Mobile Device Biometric Authentication for First Responders

A report from the US National Institute of Standards and Technology (NIST) “examines how first responders could use mobile device biometrics in authentication and what the unsolved challenges are.” The report is intended to help public safety organizations make choices about first responder authentication options. NIST is accepting comments through July 19, 2021.

Note:

  • Have first responders read and respond to the draft. Responders I have talked to already leverage biometrics, and remind me to look at scenarios where biometric options fail, e.g., using fingerprint readers while wearing PPE. When creating security profiles for mobile devices, ensure that your device protections don’t interfere with life safety needs of responders. Safety needs to trump security, which means you may have a different configuration on some devices. Have clear support for those decisions at the highest levels.
  • This report is more of a tutorial around mobile device biometrics that is strong on the challenges and really weak on “how to implement” guidance. Microsoft’s research showed that 99.9% of phishing attacks would be defeated just by mobile device text messaging, and over 80% of successful ransomware attacks start with successful phishing attacks. While first responders do have unique needs, we are in an emergency situation where reusable passwords have to be considered as dangerous as carcinogens like lead in consumer products or E. coli in meat.

White House Memo: Advice to Private Sector on Protection from Ransomware

Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, has released an open letter to corporate executives and business leaders urging them to take action to protect their networks from ransomware. The memo strongly recommends implementing the five best practices from the President’s Executive Order: back up data, system images, and configurations, and regularly test them, and keep the backups offline; update and patch systems promptly; test your incident response plan; check your security team’s work; and segment networks.

Note:

  • Ben Wright of SANS and I have done a recent series of talks and a white paper around the ransomware issues. Key point (1) is that no security group or manager makes the pay/don’t pay decision – that will always be a business or legal/regulatory-driven decision. But Key Point (1a) is that security managers can provide critical input into required strategies and changes needed to reduce the risk of ransomware to an acceptable level that will enable the business decision to be “we don’t need to pay the ransom.” Brian Honan makes Key Point (1b) below.
  • Private sector companies are primarily driven by profit goals and anything that does not help achieve those goals will always be neglected. Until we start speaking about cybersecurity in terms of business risk, private sector companies will continue to treat security as an IT problem and as a cost. And this cost-based focus is what has led many companies to have such poor cybersecurity protections. It is time we start to move our focus away from technical solutions and speak more about business risks to our boards and colleagues.
  • I think one thing we need to get into the debate about ransomware is that paying the ransom does not make the cost of recovery any cheaper. In the case of Colonial Pipeline, who paid $4m for the decryption tool, they still reverted to their backups to restore their systems. The HSE in Ireland who got the decryption tool for free had to use a third party tool to make it work effectively. In both cases the IR teams are still having to go to each individual machine, verify that it is clean, remediate it, recover data onto it, and then bring it online – this has to happen whether you have the decryption key or not. So paying for the decryption key is not a magic wand that gets all your systems back online overnight. You are still looking at weeks if not months of work to get large estates back up and running.
  • When reviewing your response plan, look carefully at your downtime procedures. Are you able to provide some level of service or will you be hard down? Consider the case of the Massachusetts Steamship Authority where they were still able to process cash ticket sales and operate their ferries. Make sure that your situational awareness is as good or better than your adversaries’. Start with the core CIS controls, making sure you know what hardware and software you have, that it is securely configured and your data is protected.
  • And do not forget strong authentication (at least two kinds of evidence, at least one of which is resistant to replay). Credential replay is implicated in many ransomware attacks and other breaches. While this measure may not be sufficient for targets of choice, it will get most out of the target of opportunity population.

DoJ Will Treat Ransomware Investigations with High Priority

According to senior officials from the US Department of Justice, DoJ will give ransomware investigations a priority similar to that of terrorism investigations. Earlier this week, US Attorney’s offices across the country received guidance instructing them to share information about ransomware investigations with a Washington, DC-based task force.

Note:

  • This is much needed and gives me hope. No matter how good any company is at security, if threat actors can operate any way they want without fear of retribution, anyone can and will be compromised. I think it’s interesting the government is taking the terrorism angle, as the motives of terrorists and criminals are very different, but as we are seeing, the impact at the human level can, in many ways, be the same. The sense of urgency appears to be great enough now to force the US government to take political and economic actions against other countries.
  • What this does is add to the list of topics which require expedient information sharing/reporting with Washington. Prioritizing activities also requires providing funds needed to acquire and train staff and equipment needed to support the work.

FBI Says REvil Ransomware Group Responsible for JBS Attack; Company Says Facilities are Now Operational

The FBI has “attributed the JBS attack to REvil and Sodinokibi and [is] working diligently to bring the threat actors to justice.” JBS says that all its facilities are once again operational.

Note:

REvil is known for “double extortion” tactics, demanding ransom not only for the decryption key but also for not selling exfiltrated information, leveraging any potentially damaging content if possible. JBS wisely engaged help from the Australian Signals Directorate and the FBI to respond to the criminal aspects of the attack while working with their incident response provider to quickly restore operations.

Massachusetts Steamship Authority Hit with Ransomware Attack

A ransomware attack affecting the Massachusetts Steamship Authority’s computer network has affected its operations. Customers were unable to make reservations or purchase tickets online or by phone. (Please note that the WSJ story is behind a paywall.)

Note:

  • As with other service-related attacks, OT systems are able to operate, but supporting systems, in this case online ticketing and reservations, are unavailable. Even so, they are able to process cash transactions.
  • The fact that a “Steamship Authority” can be crippled by ransomware shows that everybody can be affected.
  • Jeh Johnson commented on TV this morning that the extortion demands are tailored to the ability to pay and lower than the cost of recovery by other means, such that, as in Colonial Pipeline, paying it is an attractive individual business choice while collectively it perpetuates the problem.

Fujifilm Shuts Down Network in Wake of Ransomware Attack

Fujifilm has shut down parts of its network after becoming aware of a possible ransomware attack. The Tokyo-based company has also “disconnected from external correspondence.”

Massachusetts Hospital Discloses Ransomware Attack

Sturdy Memorial Hospital in Attleboro, Massachusetts, has disclosed that its network was hit with a ransomware attack in February 2021. Analysis revealed that patient medical and financial data were compromised. The hospital paid a ransom to prevent data from being leaked. The incident also affected healthcare providers that had partnered with Sturdy Memorial for coordination of patient care. The hospital is now notifying affected patients.

US Supreme Court Ruling Reins in CFAA’s Reach

A ruling from the Supreme Court limits the scope of the Computer Fraud and Abuse Act (CFAA). The case, Van Buren v. United States, involves a former police officer who accepted money for using his access to a law enforcement database to look up license plate information. The written majority opinion notes that the court’s job was to “decide whether Van Buren… violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”

Note:

  • Limiting the scope of the CFAA is a huge win for cyber security research. Having clear permission and defined scope when accessing and researching systems is still critical. Discovery of a device in a search engine running with default credentials doesn’t by itself constitute permission to access or configure it.
  • While not technically a violation of the CFAA, Van Buren was guilty of an abuse of his privilege and should be subject to other discipline. This is simply one more indication, as if any were needed, that the CFAA needs to be rewritten with more emphasis on what is done, i.e., misuse and abuse, and less on the concept of “authorization.”

Amazon Sidewalk is Going Live Next Week

On June 8, 2021, Amazon smart devices, which include Echo and Ring, will automatically be integrated into the Amazon Sidewalk wireless mesh service. Sidewalk will “share a small portion of your internet bandwidth” to “extend the low-bandwidth working range of devices.” Users can opt out of participating through the Alexa and Ring apps.

Note:

  • This is an opt-out service. If you take no action, you will be opted in. The idea is to provide better connectivity for your Amazon devices where your network may have gaps, essentially an 80Kbps connection. Amazon cites the case of using their tracking devices to find a lost pet. The success of Sidewalk is dependent on the number of participating devices in any area. The downside is you have no visibility into which devices are connected to your network and what they are doing. The good news is you can opt out at your account level, not just the device level. In the Ring App, Sidewalk is under the Control Center; in the Alexa App it is under Settings -> Account Settings -> Amazon Sidewalk. The option is only present when you’re connected to your Ring or Echo devices.
  • By choosing to make this an opt-out service, Amazon is showing why updates to US national privacy laws are badly needed. When I worked on surveillance cases for the US Secret Service in the 1980s, to put a vehicle tracker on a suspect’s car that was connected to the car’s 12v system, we needed to get a court order because of the unauthorized use of the car owner’s “services.” What Amazon is doing here seems no different to me.

Nobelium Spear Phishing Campaign Domains Seized

US authorities have seized two domains associated with a recent spear phishing campaign. The attackers are believed to be Nobelium, the threat actor likely responsible for the SolarWinds Orion supply chain attack. The spear phishing attacks masqueraded as messages from the US Agency for International Development (USAID) and targeted government agencies, think tanks, and non-governmental organizations (NGOs) around the world.

Note:

If one is not expecting a communication, one should simply throw it away. It is almost always the safest move. If one feels that they cannot do that, pick up the phone. Out-of-band confirmations are cheap and effective; they work in both directions.

Microsoft Acquires ReFirm Labs

Microsoft has acquired firmware analysis company ReFirm Labs. Microsoft says the acquisition will “enrich our firmware analysis and security capabilities across devices that form the intelligent edge, from servers to IoT.”

Note:

  • The most successful mergers/acquisitions over the past 5 years or so have been the big cloud platform players, like Salesforce, Amazon AWS, Google, and Microsoft buying small, innovative security vendors to build higher levels of security into their cloud infrastructure. The least successful cybersecurity M&As have been big IT companies buying security product companies just to increase revenue by selling security products. Building security in, versus “spending in depth,” is the key to real and sustainable levels of business protection.
  • With the recent rash of firmware-related vulnerabilities, ReFirm (the authors of Binwalk) should give Microsoft a huge leg up in analysis and response to firmware security issues including IoT and embedded device use cases. This acquisition further broadens the scope of protections offered under the Azure Defender umbrella, specifically Azure Defender IoT.

US Army Rescinds Workplace IoT Ban

The US Army appears to have rescinded a May 20, 2021, memo banning remote workers from using Internet of Things (IoT) devices in their workspaces. The ban was issued over concerns that IoT devices are constantly collecting data and listening.

Note:

  • The ban is essentially unenforceable; it is good OPSEC guidance. It’s still a good idea to be aware of the devices in your workspace. Just as you would question a stranger in a meeting, consider what these devices can capture and take action to remove or disable them when appropriate. Higher priority for the enterprise is making sure that you have good visibility into endpoint security and actions so you can respond appropriately.
  • Security is a space in which intuition does not serve us well, where “obvious” choices are wrong. Cooler heads have prevailed here. However, since many smart devices inside the SOHO router establish connections to the public networks by default, it will be difficult to give directions that are practical. We need standards, perhaps even regulation, that require smart devices to both encrypt and disclose what connections they make. While most home users will ignore the disclosures, they will empower WFH users.

Digital Flash Card Apps Exposed US Nuclear Weapons Secrets

Sensitive information about US nuclear missile bunkers in Europe was found online by searching for related terms, such as protective aircraft shelters (PAS) and Weapons Storage and Security Systems (WS3). The data were being used in digital flashcard apps. The compromised information includes camera positions, patrol frequency, unique identifiers on badges required for entry, and codewords guards use to indicate they are being actively threatened. The flashcards have been taken down.

Note:

  • “Shadow IT” at its worst. If you do not provide tools that are secure, employees will find their own. This may be an extreme case, but on a non-nuclear scale, this happens everywhere, with employees using personal email addresses because corporate mail filters are stripping content they need to do their job, or using the kids’ “gaming rig” for work because the company-provided laptop is too slow.
  • This is a nexus of benign, slightly obscure information augmented with specific information which makes it sensitive. We used to call this information mosaic. Use caution making online learning publicly available and make sure that accompanying completion records and feedback mechanisms are protected. Review regularly to ensure that both the presented information and accompanying meta-data remain secured.
  • Good reminder to sanitize all training and test data to remove sensitive information, and to make sure that any pen test engagement includes a strong research/reconnaissance phase.
  • When I taught young officers at the Naval Postgraduate School we called this “digital” OPSEC. They understood OPSEC.

Have I Been Pwned Open Sources Code Base and Will Receive Data from FBI

Last week, Have I Been Pwned (HIBP) founder Troy Hunt announced that the HIBP code base is now open source through the .NET Foundation. Hunt also announced that HIBP will provide the FBI with a means to share with HIBP lists of compromised passwords obtained in the course of investigations.

Note:

  • Have I Been Pwned is a great effort that has struggled to find appropriate funding. Troy Hunt has avoided the easy solution of selling out to a security vendor. This sounds like a great way to support this effort.
  • Have I Been Pwned has been powering other services for a while and is very useful as a retroactive password change reminder warning. But top priority should be in reducing the use of reusable passwords. Fixing the source of the leak is much better than getting faster at constantly mopping up.
  • This year marks thirty-five years since Ken Weiss invented SecurID and in which I have been discouraging “exclusive reliance upon passwords.” Convenience continues to trump security. Passwords can be made resistant to dictionary, fuzzing, and even brute force attacks, but they are fundamentally vulnerable to replay and reuse.

Fix Available for Critical Flaw in HPE SIM

Hewlett Packard Enterprise (HPE) has released an update to address a critical vulnerability in its System Insight Manager (SIM) software. The flaw was initially disclosed in December 2020; it arises from “a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page.” The flaw could be exploited to allow attackers with no privileges to execute code remotely. The flaw affects HPE SIM versions 7.6.x for Windows only.

Note:

  • This hotfix replaces the prior workaround where you had to disable “Federated Search” and “Federated CMS Configuration.” Note that hotfixes were also released for the Linux and HP-UX versions of the HPE SIM version 7.6.
  • This advisory was originally released in December. Later, HP upgraded it to a “no authentication required” remote code execution. Now we finally have a patch. Apply it.
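A detection check for the endpoint named above, added here as an example (not HPE’s or the page’s code): it scans constructed web-server access log lines for POST requests to /simsearch/messagebroker/amfsecure, normalizing the path so case and percent-encoding differences don’t hide the request, and marks hits from outside a hypothetical allow-list of management hosts.

```python
"""Flag requests to the HPE SIM AMF endpoint named in the advisory.

Constructed example: the log lines below are made up for illustration and
the allow-list of management hosts is an assumption, not an HPE setting.
The advisory says the flaw is triggered by a POST to
/simsearch/messagebroker/amfsecure, so the detection keys on exactly that.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Combined log format: client - user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The deserialization sink named in the advisory.
AMF_ENDPOINT = "/simsearch/messagebroker/amfsecure"

# Hypothetical allow-list of hosts that legitimately use SIM's federated search.
TRUSTED_MANAGEMENT_HOSTS = {"10.0.50.10", "10.0.50.11"}


@dataclass
class Finding:
    client: str
    time: str
    status: int
    reason: str


def normalize_path(raw: str) -> str:
    """Reduce a request path to a comparable form: drop the query string,
    decode percent-encoding, collapse repeated slashes, lower-case."""
    path = raw.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    return path.lower()


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if this log line is a POST to the AMF endpoint."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    if normalize_path(m.group("path")) != AMF_ENDPOINT:
        return None
    client = m.group("client")
    origin = "trusted" if client in TRUSTED_MANAGEMENT_HOSTS else "untrusted"
    reason = f"POST to AMF deserialization endpoint from {origin} host"
    return Finding(client, m.group("time"), int(m.group("status")), reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over a log and keep only the hits."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.50.10 - - [10/Jun/2021:08:01:12 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2021:08:02:45 +0000] "POST /simsearch//messagebroker/AMFSECURE?x=1 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Jun/2021:08:02:46 +0000] "POST /simsearch/messagebroker/%61mfsecure HTTP/1.1" 500 0',
    '198.51.100.4 - - [10/Jun/2021:08:03:01 +0000] "GET /simsearch/messagebroker/amfsecure HTTP/1.1" 405 0',
    '10.0.50.11 - - [10/Jun/2021:08:04:00 +0000] "GET /login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time} {f.client} {f.status} {f.reason}")
```

Whether a given POST was legitimate federated-search traffic or not cannot be decided from the access log alone; the host allow-list is what turns a hit into something worth escalating.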

SonicWall Offers Fix for Flaw in On-Premises Version of NSM

SonicWall has released updates to address “a post-authentication vulnerability (SNWLID-2021-0014) within the on-premises version of Network Security Manager (NSM).” Users are urged to upgrade to patched versions, Network Security Manager (NSM) 2.2.1-R6 and Network Security Manager (NSM) 2.2.1-R6 (Enhanced), as soon as possible. The issue does not affect software-as-a-service (SaaS) versions of NSM.

Note:

  • Make sure that management services are accessible only to authorized devices. Enable multi-factor authentication where supported and verify there are no end-arounds/shortcuts which could bypass your protections.
  • Luckily, this vulnerability requires valid user credentials to exploit. You may finish your coffee this morning before patching this one.

Siemens Offers Fix for Flaw in Programmable Logic Controllers

Siemens has released a firmware update to address a severe memory protection bypass vulnerability in its SIMATIC S7-1200 and S7-1500 Programmable Logic Controllers (PLCs). Researchers at Claroty detected the flaw and notified Siemens, who released updates on May 28.

Note:

  • Your PLCs should already be isolated as they don’t respond well to malformed or unexpected traffic. Additionally, apply the mitigations in the Siemens bulletin, including using passwords on S7 communication, limiting or blocking remote client connections, and enabling TLS, and apply the defense in depth measures in the Siemens Operational Guidelines for Industrial Security.
    cert-portal.siemens.com: Operational Guidelines for Industrial Security (PDF)
  • Firmware updates are a very expensive remedy for devices that are priced in the tens of dollars and employed in the millions.

The Apple M1 Chip Vulnerability and the Business of Bug Disclosure

Last week, Hector Martin disclosed a vulnerability in Apple’s M1 chip that “allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features.” The flaw is “baked in” to the chip, which means it cannot be fixed or patched. While the vulnerability is interesting, Martin notes that “nobody’s going to actually find a nefarious use for this flaw in practical circumstances.” He also writes that he created the website for the flaw, which he dubbed M1RACLES, to “poke fun at how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn’t mean you need to care.”

Note:

  • This allows two processes to access the EL0 register – which is only 2 bits wide for communication – and should be used as a reminder that all chips have flaws, not as a reason to panic. Use this as a chance to verify that your services for M1 devices, including endpoint protection, patching and OS security configuration, are enabled and working; adjust if needed.
  • A flashy logo/name/website has always been helpful to “sell” a vulnerability. The ability to covertly send messages between two cooperating processes exists in pretty much all PCs (a mock “PoC” was released in response to M1RACLES showing how one process may modulate CPU load to send messages to other processes). It is also a long-standing issue in our industry that we focus on the new and shiny instead of on the boring but necessary. Remember: Security works best if it is boring, routine, and doesn’t feel like firefighting. The most important stories in this NewsBites (HPE flaw and SonicWall vulnerability) will probably not make it into the “Top News” (… well … maybe now they will :) ).
  • Kudos to Hector on this one. Instead of using FUD to draw attention to his finding, he was transparent and honest about its overall impact. Unfortunately, in our community sometimes researchers over dramatize their findings, causing more harm than good.

Food Processing Giant JBS Hit with Cyberattack

São Paulo-based food processing company JBS has shut down production at several facilities around the world following a cyberattack. Computer networks in Australia, Canada, and the US were affected.

Note:

This is a growing trend we are going to see over the coming years: one business unit is infected in one country, which then infects all the other business units of the same company globally. However, these incidents are also impacting people’s daily lives, such as when hospital networks go down, gas lines can’t transfer gas, or in this case companies cannot process food. As the world has become so interconnected and interdependent, the impact of these events will only increase.

Swedish Infectious Diseases Database Temporarily Taken Down After Attempted Intrusions

Sweden’s Public Health Agency (Folkhälsomyndigheten) temporarily took its infectious diseases database offline after detecting several attempted intrusions. The database, which is known as SmiNet, is also used to store information about COVID-19 infections. The database is once again operational; Folkhälsomyndigheten writes that “to further increase security, some adjustments have been made, which means certain restrictions when it comes to reporting data.”

US Army Requires Remote Workers to Remove IoT Devices from Workspace

In a May 25 memo calling for “teleworkers [to] incorporate strong cyber hygiene practices in their daily telework routine,” the US Army wrote that it is requiring all remote workers to remove Internet of Things (IoT) devices (any device with a listening function) from their work areas. The requirement applies to military and civilian employees and contractors.

Note:

  • I think unpatched VPN servers are much, much higher up in risk level for government telework, but the smart speaker vendors have not made it easy to prevent (or allow automated deletion of) audio recordings that are tagged “audio not intended for this device” but were saved anyway.
  • Think about the activities performed in your remote workspace. What conversations are happening, what is in view of your camera, what’s on your desk, what can be seen through the door or windows? Ask yourself not just who but what is listening. Smart assistants, while they don’t respond until they hear their wake word, are still listening. Consider muting the mic if you don’t wish to remove or turn it off. Remember also that open windows or doors, using speakers and speakerphones versus headsets are ways sensitive business information can be inadvertently shared. Have a clean desk policy for the remote workspace.
  • This is another example of a policy that sounds good at HQ, but when it hits reality most likely causes more harm than good (kind of like password expiration). How can people follow this policy? First, most people don’t even know all the IoT devices they have. Your coffee pot or light bulbs are often IoT. Even if you do know what devices you have, how can you possibly determine which ones have microphones or go about turning devices off / on every time you have a call? About the only way a remote worker could follow this policy is if they created their own isolated, tech-free room (aka SCIF) in their house, which is probably a better option if sensitive information is to be discussed.
  • “Strong cyber hygiene” is good advice but removing Internet of Things devices is over the top. All ‘things’ are not the same. As I sit in my work area, I cannot even identify, much less remove, all the smart appliances that I rely upon, including some that I rely upon for personal safety. (“Alexa, (‘I have fallen and I can’t get up.’) Call 911.”) One can eliminate all cyber risk simply by removing all computers but that is not practical advice. Some, e.g., classified, work should not be done in personal work areas.
