JBS Paid $11M Ransom to Prevent Attackers from Leaking Stolen Data
Meat processing company JBS USA acknowledged that it paid $11 million to ransomware operators following an attack late last month. In a media statement, JBS says that most of its facilities were up and running when it paid the ransom, and that the decision to pay was made “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” According to SecurityScorecard, the JBS attack began with reconnaissance in February 2021. The attackers exfiltrated data from March 1 through May 29 and encrypted the JBS environment on June 1.
- Some common threads between JBS USA and the Colonial Pipeline failures, beyond the initial lack of essential security hygiene and the decision to pay ransom: (1) Failure to detect large volumes of data exfiltration over long periods of active exploitation; and (2) lack of a tested process and plan for how to deal with an incident to minimize service interruptions. For JBS, this happened despite their stated IT spending and IT employee count being significantly higher than industry averages. All of this indicates a lack of investment in both IT processes to minimize vulnerabilities and security skills, planning, and processes to mitigate and respond.
- Make sure that your detection capabilities are where they need to be. Are all your locations protected at the same levels? Attackers were not only in the JBS Network for three months, but also exfiltrated 5 TB of data. Are you continuously watching for compromised passwords and taking steps to change them promptly when discovered? Are you looking for unexpected connections or unusual volumes of traffic? Verify your boundary protection and access devices are updated and secured. Ensure MFA is comprehensively enabled for all internet facing services. Augment your internal processes with periodic third-party assessments of your security posture.
- Wow, this is a big check. Profits like this will only fuel more aggressive attacks. However, to keep things in perspective, the FBI reported over $1.8 billion in losses due to BEC/CEO Fraud for 2020. We just don’t hear about these attacks because, while a successful BEC attack does not shut down infrastructure, ransomware does.
- One must have the capability to detect breaches in hours to days. An extortion demand as the first indication of a breach is unacceptable.
Read more in:
- JBS USA Cyberattack Media Statement – June 9
- JBS Ransomware Attack Started in March and Much Larger in Scope than Previously Identified
- Ransomware-skewered meat producer JBS confesses to paying $11m for its freedom
- Ransomware: Meat firm JBS says it paid out $11m after attack
- JBS Paid $11M to REvil Gang Even After Restoring Operations
- JBS paid $11 million to REvil ransomware, $22.5M first demanded
- Meat supplier JBS says it paid $11 million ransom to keep attackers from stealing data
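The question raised above, whether anyone is watching for unusual volumes of outbound traffic, is the kind of check that can be scripted against flow exports. The following is an added example, not part of the newsletter and not code from JBS or SecurityScorecard: it reads constructed flow records in a simple `timestamp,src,dst,bytes` CSV form (what a NetFlow/IPFIX or firewall export reduces to), assumes the internal address space is 10.0.0.0/8 and 192.168.0.0/16, and flags any host-day whose outbound total is both over 1 GB and more than five times the median of that host's other observed days. Comparing each host to its own history, rather than to a fleet-wide threshold, is what lets a quiet workstation that suddenly pushes gigabytes stand out next to a backup server that does so every night.

```python
"""Flag internal hosts whose daily outbound volume departs sharply from their own history.

Added example (not from the newsletter, JBS or SecurityScorecard). Flow records are
constructed for illustration; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Assumed internal address space; adjust to your own ranges.
INTERNAL_PREFIXES = ("10.", "192.168.")

# Constructed sample: one host (10.10.5.21) sends ~120 MB/day, then ~5 GB/day to a new host.
SAMPLE_FLOWS = """\
# timestamp,src,dst,bytes
2021-03-01T09:00:00,10.10.5.21,203.0.113.1,120000000
2021-03-02T09:05:00,10.10.5.21,203.0.113.1,110000000
2021-03-03T09:02:00,10.10.5.21,203.0.113.1,125000000
2021-03-04T09:00:00,10.10.5.21,203.0.113.1,118000000
2021-03-04T02:14:00,10.10.5.21,198.51.100.7,4800000000
2021-03-05T02:20:00,10.10.5.21,198.51.100.7,5100000000
2021-03-01T10:00:00,10.10.7.40,10.10.1.5,900000000
2021-03-02T10:00:00,10.10.7.40,203.0.113.9,300000000
2021-03-03T10:00:00,10.10.7.40,203.0.113.9,310000000
2021-03-04T10:00:00,10.10.7.40,203.0.113.9,295000000
"""


def parse_flows(text):
    """Turn CSV lines into (day, src, dst, bytes) tuples; lines starting with '#' are comments."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        timestamp, src, dst, nbytes = row
        flows.append((timestamp[:10], src, dst, int(nbytes)))
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def outbound_by_host_day(flows):
    """Sum internal->external bytes as {src: {day: {dst: bytes}}}; east-west traffic is ignored."""
    out = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out[src][day][dst] += nbytes
    return out


def find_exfil_candidates(flows, ratio=5.0, floor_bytes=1_000_000_000, min_history=2):
    """Return alerts for (host, day) where outbound bytes exceed `ratio` times the median of the
    host's other observed days and also exceed `floor_bytes`, so a quiet host that sends 10 MB
    instead of 1 MB is not paged. Hosts with fewer than `min_history` other days are skipped.
    """
    alerts = []
    for src, days in outbound_by_host_day(flows).items():
        totals = {day: sum(per_dst.values()) for day, per_dst in days.items()}
        for day in sorted(totals):
            others = [v for d, v in totals.items() if d != day]
            if len(others) < min_history:
                continue
            baseline = median(others)
            if totals[day] >= floor_bytes and totals[day] > ratio * baseline:
                top_dst = max(days[day], key=days[day].get)  # where most of that day's bytes went
                alerts.append({"src": src, "day": day, "bytes": totals[day],
                               "baseline": baseline, "top_dst": top_dst})
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['day']} {a['src']} sent {a['bytes'] / 1e9:.1f} GB "
              f"(median day {a['baseline'] / 1e6:.0f} MB), mostly to {a['top_dst']}")
```

On the constructed sample only the two 5 GB days of 10.10.5.21 are reported, both pointing at 198.51.100.7; the host that moves 900 MB internally and ~300 MB a day externally stays quiet. The thresholds are deliberately parameters: tune `ratio` and `floor_bytes` per network segment rather than fleet-wide.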
Fastly CDN Outage Knocked Portions of the Internet Offline
On Tuesday, June 8, many major websites experienced a period of unavailability, which was caused by an outage at content delivery network (CDN) Fastly. Fastly says the issue was due to a software bug that “was triggered by a valid customer configuration change” and that the issue was fixed within an hour.
- Promises to do better and not make mistakes in the future don’t carry the weight of a signed SLA for outsourced services. Make sure your SLA includes defined and measurable service delivery levels and corresponding financial penalties. Even though the disruption was detected in under a minute, it took most of an hour to achieve 95% restoration. External dependencies with interrelated systems can extend recovery time even further. Document your configuration and known dependencies to aid troubleshooting and manage recovery expectations.
- One of the promises of cloud providers is to isolate customers from each other, and to keep one customer’s bad configuration from affecting others. While Fastly was quickly able to mitigate the underlying issue, I do not like the statement that the outage was triggered by a customer configuration change. It was triggered by a bug in Fastly’s code that allowed a single innocent customer to take down their system.
- Another good lesson about cloud service level agreements. Looks like this was about a maximum of a 3 hour outage, which according to Fastly’s SLAs would mean Gold and Enterprise customers impacted that long (or up to 7 hours) can request and get a 10% credit against their monthly charges. For many businesses, that will not come close to any business disruption costs. Internet connectivity overall has to be thought of just as electricity is thought of – backup plans need to be in place for long outages that may not even trigger any SLA credits, let alone cover disruption costs.
- Careful. Fastly and its customers are “edge” providers. While this failure impacted the “world wide web,” the internet, the transport layer, performed as intended.
Read more in:
- Summary of June 8 outage
- How an Obscure Company Took Down Big Chunks of the Internet
- How One Fastly Customer Broke the Internet
- Fastly’s global outage: Here’s what went wrong
- Not So Fastly: Global Outage Highlights Cloud Challenges
- Fastly internet outage explained: How one customer broke Amazon, Reddit and half the web
GitHub Adds RubyGems and PyPI to its Secret Scanning
GitHub has added PyPI and RubyGems to its secret scanning capabilities. A GitHub blog post notes that “If one of these [package registry credentials] secrets is leaked, rather than compromising one product, it can compromise thousands.” GitHub has been scanning for and revoking secrets, also known as tokens, in users’ code since 2015.
- Thanks to GitHub for helping secure the open source ecosystem. With so many projects using GitHub, any change like this will help.
- GitHub has been pretty good over the years at adding bottom-up security features and services, including code testing tools and a well-managed bug bounty program. Looks like Microsoft’s acquisition of GitHub in 2018 did not negatively impact that, which is a good thing. There will not be a single top-down answer to supply chain security in software, any more than there is for the security/safety of the supply chain that runs from restaurants back to farms.
Read more in:
- Securing the open source supply chain by scanning for package registry credentials
- GitHub now scans for accidentally-exposed PyPI, RubyGems secrets
- GitHub Starts Scanning for Exposed Package Registry Credentials
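GitHub’s scanning runs after a push, which is already too late for a token that landed in a public commit. The following is an added example, not GitHub’s scanner and not code from the newsletter: a local check that can run as a pre-commit hook. It matches the publicly documented token shapes (PyPI API tokens begin `pypi-AgEIcHlwaS5vcmc`, TestPyPI tokens `pypi-AgENdGVzdC5weXBpLm9yZw`, RubyGems API keys are `rubygems_` followed by 48 hex digits) and, for PyPI, decodes the base64 body to confirm it is a v2 macaroon whose first field is a pypi.org location, which is what that fixed prefix encodes. The sample text is constructed; the skipped directory names are this example’s assumption.

```python
"""Scan files for leaked PyPI API tokens and RubyGems API keys before they reach a remote.

Added example, not GitHub's scanner. Token shapes follow the registries' published
formats; the sample text is constructed.
"""
import base64
import binascii
import re
import sys
from pathlib import Path

PATTERNS = {
    # 'pypi-' + base64url macaroon; the fixed prefix is the encoded version byte + location field
    "pypi_api_token": re.compile(r"pypi-AgE(?:IcHlwaS5vcmc|NdGVzdC5weXBpLm9yZw)[A-Za-z0-9_-]{50,}"),
    "rubygems_api_key": re.compile(r"rubygems_[0-9a-f]{48}"),
}

# Macaroon v2 binary prefix: 0x02 version, 0x01 location tag, length byte, location name.
MACAROON_LOCATIONS = (b"\x02\x01\x08pypi.org", b"\x02\x01\x0dtest.pypi.org")

SAMPLE_TEXT = "\n".join([                      # constructed .pypirc-style content
    "[pypi]",
    "username = __token__",
    "password = pypi-AgEIcHlwaS5vcmc" + "A" * 60,
    "gem_api_key: rubygems_" + "0123456789abcdef" * 3,
    "rubygems_version = 3.2.0  # looks similar but is not a key",
])


def looks_like_pypi_macaroon(token):
    """True if the body after 'pypi-' decodes to a v2 macaroon located at (test.)pypi.org."""
    body = token[len("pypi-"):]
    body += "=" * (-len(body) % 4)           # tokens are emitted without base64 padding
    try:
        raw = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return False
    return raw.startswith(MACAROON_LOCATIONS)


def redact(token):
    """Never echo a whole secret into a log or terminal."""
    return token[:14] + "..." + token[-4:]


def scan_text(text, source="<text>"):
    """Return one finding per match: source, 1-based line, kind, redacted token, verified flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group()
                verified = looks_like_pypi_macaroon(token) if kind == "pypi_api_token" else True
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "token": redact(token), "verified": verified})
    return findings


def scan_paths(paths, skip_dirs=(".git", "node_modules", ".venv")):
    """Walk files/directories; binary or unreadable files are skipped (assumed not config/source)."""
    findings = []
    for root in map(Path, paths):
        files = [root] if root.is_file() else root.rglob("*")
        for path in files:
            if not path.is_file() or any(part in skip_dirs for part in path.parts):
                continue
            try:
                text = path.read_text(encoding="utf-8")
            except (UnicodeDecodeError, OSError):
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_TEXT, "sample.pypirc")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['token']} verified={f['verified']}")
    sys.exit(1 if results else 0)    # non-zero blocks the commit when used as a hook
```

Run it as `python scan_secrets.py .` from a pre-commit hook; the exit status blocks the commit when anything is found, and the macaroon check keeps a random string that merely starts with `pypi-` from tripping it. A token that is found should be revoked at the registry, not just removed from the commit, because the history already contains it.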
Microsoft Patch Tuesday
On Tuesday, June 8, Microsoft issued fixes for 50 security issues. Six of the flaws – privilege elevation vulnerabilities in the Microsoft DWM Core Library, Windows NTFS, and the Microsoft Enhanced Cryptographic Provider; an information disclosure vulnerability in the Windows Kernel; and a remote code execution vulnerability in the Windows MSHTML platform – are being actively exploited.
- This patch Tuesday is probably best characterized as “Mostly Harmless.” It contains a number of already exploited vulnerabilities, but for the most part, these are privilege escalation vulnerabilities.
- Patches for 0-days, including those actively exploited, are becoming commonplace. And with current trends, privilege escalation flaws (CVE-2021-31956, CVE-2021-33739, CVE-2021-31201 and CVE-2021-31199) are just as valuable as RCE flaws such as CVE-2021-33742 since they provide more ways for the attacker to elevate privileges once they have an initial foothold. Regrettably, as indicated by the Colonial Pipeline and JBS attacks, the bar for initial entry is not where it needs to be. Judicious updates and application of security baselines are also components in raising that bar.
Read more in:
- Security Update Guide
- Microsoft June 2021 Patch Tuesday
- Microsoft Patches Six Zero-Day Security Holes
- Extra urgency in June’s Patch Tuesday: Microsoft warns six more bugs are being exploited
- Microsoft fixes 50 vulnerabilities for June, but patch first the six exploited in the wild
- Microsoft June 2021 Patch Tuesday: 50 vulnerabilities patched, six zero-days exploited in the wild
Colonial Pipeline CEO Testifies at Congressional Hearings
Colonial Pipeline CEO Joseph Blount testified before the Senate and House Homeland Security Committees earlier this week. Blount said that Colonial Pipeline did not have a plan in place for dealing with the ransomware attack. He encouraged companies that suffer similar attacks to be transparent about their experiences. Blount was criticized for refusing recovery help from the Cybersecurity and Infrastructure Security Agency (CISA).
- Remember the “For Want of a Nail” proverb. Could you be undone by the use of a compromised password? Do you have remote access which requires only a reusable password? Did you really decommission old insecure access methods or were they left enabled “just in case?” The complexity and pace of a modern enterprise stresses the ability to pay attention to all the details, and with the current ROI on hacking, it is more critical than ever to do so. Encourage your analysts to automate themselves out of a job, meaning to automate repetitive and mundane tasks so they have the bandwidth to keep up with the changes and growth of adopted technology. Participate in their implementation to make sure you have visibility and relationships established up front.
Read more in:
- Threats to Critical Infrastructure: Examining the Colonial Pipeline Cyber Attack (video)
- ‘I put the interests of the country first’: Colonial Pipeline CEO on why oil biz paid off ransomware crooks
- Colonial CEO touts corporate cyber transparency, defends his own
- Colonial Pipeline CEO says company didn’t have plan for potential ransomware attack
- Congress pummels Colonial Pipeline CEO over government coordination after disruptive ransomware incident
- Colonial Pipeline CEO talks ransom with lawmakers
- House Probes Specifics of Colonial Ransomware Attack
- Colonial Pipeline CEO: Cybersecurity Mandates From TSA Might Help
More Updates: Adobe and Intel
On Tuesday, June 8, Adobe released updates to address more than 40 security issues in Acrobat, Reader, Photoshop, Experience Manager, After Effects and other applications. On the same day, Intel released 29 security advisories to address nearly 80 vulnerabilities in a variety of products.
- Adobe’s Acrobat and Reader updates need to be applied quickly. For Intel, the tricky part is BIOS updates. For some of them, you may need to wait for OEM patches instead of applying Intel’s patches directly.
- We’re not catching a break this month. Adobe Creative Cloud, which can drive the updates to their other products on endpoints, itself needs updating and should do so automatically. The affected applications will not apply updates until they are quit and relaunched. As this month’s Microsoft and Apple OS patches require reboots, leverage that by forcing the reboot immediately or via a maximum timeout.
- Patching continues to be an expensive and inefficient way to achieve quality. At best, it is only marginally effective.
Read more in:
- Adobe issues security updates for 41 vulnerabilities in 10 products
- Latest Product Security Updates
- Intel® Product Security Center Advisories
- Intel’s latest patch set plugs some serious holes in CPU, Bluetooth, server, and – ironically – security lines
- Intel Plugs 29 Holes in CPUs, Bluetooth, Security
IoT Message Broker Vulnerabilities
Researchers at the Synopsys Cybersecurity Research Center have found denial-of-service vulnerabilities in three open-source IoT message brokers: RabbitMQ, EMQ X, and VerneMQ. All three flaws involve Message Queuing Telemetry Transport (MQTT) protocol client input handling and can be exploited with a malicious MQTT message. The vulnerabilities were disclosed to project maintainers in March and all three projects have released fixes. Users should update to RabbitMQ 3.8.16 or later, EMQ X 4.2.8 or later, and VerneMQ 1.12.0 or later.
Read more in:
- CyRC Vulnerability Advisory: Denial of service vulnerabilities in RabbitMQ, EMQ X, and VerneMQ
- DoS vulns in 3 open-source MQTT message brokers could leave users literally locked out of their homes or offices
- RabbitMQ: RabbitMQ 3.8.16
- EMQ X Broker
- VerneMQ: VerneMQ 1.12.0
Chrome Update Includes Fix for Actively Exploited Flaw
- Chromium browsers are not far behind. The group which developed the exploit for CVE-2021-30544 also developed the exploit for MSHTML (CVE-2021-33742), making it prudent to update Chrome and Chromium browsers expeditiously. Where possible, push the updates rather than waiting on user action.
- Google Chrome vulnerabilities are becoming common entry points for more targeted attacks. This vulnerability is already being exploited; expect more soon. The easiest way to improve your chances of having an up-to-date Google Chrome is to exit it once a day and restart it. With all the time we spend using web browsers, they are often just left running which may prevent updates from being applied. Restarting your browser is like rebooting your operating system after applying a patch.
- It is really time that more vendors start to push out software with security fixes when the fixes are ready and proven stable and IT groups update configuration management processes away from the antiquated “wait for Vulnerability Tuesday” (or worse for servers) to patch everything at once.
Read more in:
- Stable Channel Update for Desktop
- New Chrome 0-Day Bug Under Active Attacks – Update Your Browser ASAP!
- Google Patches Chrome Zero-Day Used by Commercial Exploit Company
Vulnerabilities in Rockwell Automation ISaGRAF5
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of multiple vulnerabilities in Rockwell Automation ISaGRAF5 Runtime. The flaws could be exploited to execute code remotely, disclose information, or cause denial-of-service conditions. The issues affect products from Schneider Electric and GE, which have taken steps to mitigate the issues; other vendors’ products may be affected as well.
- Storing a credential in the clear in a configuration file that you read without verification isn’t something we can afford to do anymore, no matter how easy it was or how well it worked. Apply the updates to ISaGRAF Runtime, restrict access to the ICS, particularly TCP ports 1131 and 1132, and restrict access to the Runtime’s folder.
Read more in:
- ICS Advisory (ICSA-20-280-01) Rockwell Automation ISaGRAF5 Runtime
- ISaGRAF Vulnerabilities in IEC 61131-3 Programming and Engineering Tools (PDF)
- Flaws in Rockwell Software Impact Products From Schneider Electric, GE and Others
CISA Fact Sheet on Ransomware Threat to Operational Technology
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a fact sheet on the increased threat of ransomware to operational technology (OT) assets and control systems. CISA urges “critical infrastructure asset owners and operators [to] adopt a heightened state of awareness and voluntarily implement recommendations” that include identifying critical processes; implementing network segmentation between IT and OT networks; and developing and testing “workarounds or manual controls to ensure that critical processes – and the industrial control system (ICS) networks supporting them – can be isolated and continue operating without access to IT networks.”
Read more in:
Ransomware Hits Community College in Iowa
The Des Moines (Iowa) Area Community College (DMACC) cancelled all classes for four days after its network was hit with a cyberattack. DMACC has asked students, faculty, and staff not to use Microsoft Office 365 or Blackboard. As of Thursday, June 10, classes with in-person components are being held at their regular times. Virtual classes have not yet resumed.
Read more in:
- Hackers Force Iowa College to Cancel Classes for Four Days
- DMACC Class Information for Thursday, June 10, 2021
NY State Senate Passes Right to Repair Bill
New York’s State Senate has passed The Digital Fair Repair Act, a bill that would allow consumers to repair their own electronic devices. The New York State Assembly has not yet passed its version of the bill.
- The “Right to Repair” does have significant impact on security. Locked down devices are too often left vulnerable after vendors abandon support for them and customers are left with costly replacements as their only option.
- As more states consider the user’s right to repair, it opens options for users to more affordably maintain their own equipment and small businesses to enter the space. This is a good time to review your acceptance of risks for employees having their issued systems repaired. Consider the risks of OEM versus after-market components as well as data protection requirements irrespective of who, how or where the work is done.
- In our space, the impact of state legislation may extend way beyond the boundaries of the state. Congress has the responsibility and authority to regulate interstate commerce. State initiatives such as this occur when Congress fails. As with most legislation, “the devil is in the details.” Drafting legislation that accomplishes its goal while avoiding unintended consequences is difficult.
Read more in:
- New York Senate Passes Electronics Right-to-Repair Legislation
- Senate Bill S4104 | Enacts the digital fair repair act
Australian Federal Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App
The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured specifically to run it; starting in 2018, those phones were sold on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”
- Finally a “good” supply chain attack, and congratulations to everybody involved in executing such a massive operation. But maybe also a subtle reminder that your end-to-end encryption depends on the vendor doing what they promised.
- The takedown involved about 4,000 law enforcement officers processing 25 million messages and executing 525 search warrants across Australia. It is estimated the ANoM app had 9,000 users world-wide. This is an excellent example of international cooperation of law enforcement agencies. Unfortunately, like burning a successful 0-day, this also marks the end of the ANoM app’s viability. Part of the decision to stop monitoring and make arrests was a blog posting this March (since deleted) detailing the behavior of the ANoM app, which didn’t correctly attribute the backdoor to the FBI.
Read more in:
- An FBI encryption-cracking app has exposed a global drug operation, with connections into Australia
- Australian cops, FBI created backdoored chat app, told crims it was secure — then listened to 9,000 users’ plots
- AFP used controversial encryption laws in its ‘most significant operation in policing history’
- ANOM: Hundreds arrested in massive global crime sting using messaging app
US Dept. of Justice Recovers Portion of Colonial Pipeline Ransom
The FBI has recovered $2.3 million of the $4.4 million in Bitcoin paid to the Colonial Pipeline ransomware operators. Colonial Pipeline had taken early steps to notify the FBI, which helped investigators track the payment to a specific cryptocurrency wallet. The FBI seized the bitcoin under a court-authorized seizure warrant.
- While there is little guarantee of a positive outcome, early collaboration with a group such as the FBI can allow them to disrupt and trace cryptocurrency transactions. While only part of the overall solution, shutting down the ability to easily process and launder cryptocurrency is a step in the right direction for discouraging or stopping ransom payments.
- Your organization should have an active and trusted partnership with law enforcement BEFORE incidents happen. Take your local FBI out to lunch quarterly and get to know them; it’s an investment that can pay literally millions in return. This is especially true for financial attacks like CEO fraud, where law enforcement can often claw back (retrieve) stolen funds if reported within 72 hours of the incident.
- While it isn’t clear yet how the FBI gained access to the private key, this is clearly an important success and shows how law enforcement may be able to recover some of the funds. More important than the monetary loss to the criminals is the fact that it does disrupt the fragile trust between ransomware actors if they are not able to pay parts of their supply chain.
Read more in:
- Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside
- Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang
- First on CNN: US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers
- US seizes $2.3 million Colonial Pipeline paid to ransomware attackers
- US recovers most of Colonial Pipeline’s $4.4M ransomware payment
- US recovers millions in cryptocurrency paid to Colonial Pipeline hackers: report
- U.S. Recoups ‘Millions’ In Cryptocurrency Ransom Paid To Colonial Pipeline Hackers
Threat Actors are Targeting Unpatched VMware vCenter and Cloud Foundation Software
Threat actors are actively scanning for unpatched versions of VMware vCenter Server and VMware Cloud Foundation software. VMware released fixes for the critical remote code execution vulnerability (CVE-2021-21985, in the vSphere Client’s Virtual SAN Health Check plug-in) in late May, but many systems remain unpatched.
- There are three things you can do to mitigate this attack: (1) Make sure vCenter is not exposed to the Internet (2) Disable the vSAN Client Plugin if possible, and (3) Patch. For details on disabling the vSAN and other plugins see VMware KB 83829.
kb.vmware.com/s/article/83829: How to Disable VMware Plugins in vCenter Server (83829)
- This vulnerability doesn’t require authentication to exploit, so you cannot depend on your authentication solution to protect you. Restrict vCenter access to authorized devices only. Make sure that your patch/update processes include vCenter. Verify this update is applied.
Read more in:
- Unpatched VMware vCenter Software
- Patch now: Attackers are hunting for this critical VMware vCentre flaw
- This is not a drill: VMware vuln with 9.8 severity rating is under attack
- Attackers are scanning for vulnerable VMware servers, patch now!
- US Cyber Command, CISA warn of hackers exploiting critical VMware flaw
- ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack
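“Verify this update is applied” is easiest to do against the appliance’s own version endpoint rather than by trusting a change ticket. The following is an added example, not VMware tooling and not code from the newsletter: it reads the JSON returned by `GET /rest/appliance/system/version` on vCenter 6.7/7.0 and compares the reported build to the fixed build for that release train. The fixed builds in the table (7.0 U2b, 6.7 U3n, 6.5 U3p) are this example’s assumption as recorded from VMSA-2021-0010; confirm them against the advisory before relying on the result. The sample responses are constructed, and the `fetch_version` helper performs a live login that is not exercised here.

```python
"""Check whether a vCenter Server build carries the VMSA-2021-0010 fix (CVE-2021-21985).

Added example, not VMware tooling. FIXED_BUILDS is an assumption taken from the advisory;
verify it there. Sample responses are constructed in the shape of /rest/appliance/system/version.
"""
import base64
import json
import ssl
import urllib.request

# Assumed fixed builds per release train (7.0 U2b, 6.7 U3n, 6.5 U3p); confirm against VMSA-2021-0010.
FIXED_BUILDS = {"7.0": 17958471, "6.7": 18010531, "6.5": 17994927}

# Constructed responses: the /rest API wraps its payload in a top-level "value" object.
SAMPLE_RESPONSES = {
    "patched-7.0": '{"value": {"product": "VMware vCenter Server", "version": "7.0.2.00200", "build": "17958471"}}',
    "old-7.0":     '{"value": {"product": "VMware vCenter Server", "version": "7.0.1", "build": "17000000"}}',
    "old-6.7":     '{"value": {"product": "VMware vCenter Server", "version": "6.7.0", "build": "17100000"}}',
}


def parse_version_response(text):
    """Return (version, build) from the version endpoint's JSON, with or without the 'value' wrapper."""
    data = json.loads(text)
    value = data.get("value", data)
    return value["version"], int(value["build"])


def patch_status(version, build, fixed=FIXED_BUILDS):
    """'patched' if the build is at or past the fixed build for its major.minor train,
    'vulnerable' if below it, 'unknown' for a train the table does not cover."""
    train = ".".join(version.split(".")[:2])
    if train not in fixed:
        return "unknown"
    return "patched" if build >= fixed[train] else "vulnerable"


def fetch_version(host, username, password, verify_tls=True):
    """Log in to the vCenter REST API and return (version, build). Network call; not run here.
    Keep verify_tls=True unless you have pinned the appliance certificate another way."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/rest/com/vmware/cis/session", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        session = json.load(resp)["value"]
    req = urllib.request.Request(f"https://{host}/rest/appliance/system/version",
                                 headers={"vmware-api-session-id": session})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_version_response(resp.read().decode())


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        version, build = parse_version_response(body)
        print(f"{name}: version {version} build {build} -> {patch_status(version, build)}")
```

A result of `unknown` means the table does not cover that train, not that the host is safe; extend `FIXED_BUILDS` from the advisory for anything else you run. Because the flaw is reachable without authentication, this check complements, rather than replaces, confirming that port 443 on vCenter is not reachable from the Internet.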
Colonial Pipeline CEO to Testify Before House and Senate Committees This Week
Colonial Pipeline CEO Joseph Blount is scheduled to testify at the Senate and House Homeland Security Committee hearings on Tuesday, June 8 (Senate) and Wednesday, June 9 (House). According to his written testimony, Blount paid the $4.4 million ransom to get the pipeline “back up and running” as quickly as possible. In the document, Blount also indicated that the company believes the attackers gained initial access to the organization’s network with a compromised VPN account password. Although the account was no longer in use, it could still access Colonial Pipeline’s network. The account has since been deactivated.
- For the past three years, the Verizon DBIR has identified the human as one of the primary drivers of breaches. In fact, for their 2021 report they put a number to it: 85%. The top two human risks for the past three years? Phishing and passwords. 2FA is probably the number one control I would suggest organizations start with.
Read more in:
- Testimony of Joseph Blount, President and Chief Executive Officer Colonial Pipeline Company (PDF)
- Colonial Pipeline CEO paid ransom to swiftly restart pipeline – testimony
- Colonial Pipeline contacted local FBI offices, prosecutors after attack -company
- Hackers Breached Colonial Pipeline Using Compromised Password
- Hackers Breached Colonial Pipeline Using Compromised VPN Password
Another Pipeline-Related Attack: LineStar Integrity Services
LineStar Integrity Services, a company that provides pipeline compliance, technology, and integrity maintenance solutions, was hit with a ransomware attack around the same time as the Colonial Pipeline attack. While the company has not made any public statement about the attack, 70 GB of internal LineStar data were recently posted to a leak website.
Read more in:
Google’s Open Source Insights Project
Google’s Open Source Insights Project aims to help developers visualize their dependencies. The Open Source Insights site “provides an interactive view of the dependencies of open source projects.”
- Nice work Google! Not only does this project illustrate dependencies among components, but Google is also flagging known vulnerable versions of components to make mitigation easier.
Read more in:
- Introducing the Open Source Insights Project
- How to use Google’s new dependency mapping tool to find security flaws buried in your projects
GitHub Policy Update
GitHub has updated its policies regarding malware and exploit code hosted on the site. In a blog post, GitHub CSO Mike Hanley writes that they “explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits.” The new policy includes clarification about when GitHub may disrupt attacks, noting that “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.”
- The change in policy clarifies when they will disrupt activities causing harm, while still permitting POC exploit code. e.g., using GitHub for C2 is disallowed, but hosting the code for Metasploit or Mimikatz is permitted. They also suggest creating a SECURITY.md file with contact information to help in dispute resolution within the community. Read the updated GitHub policy to ensure you’re still following it, verify your repository has appropriate access controls, make sure only the code intended is stored there, check to prevent accidental inclusion of passwords or security keys.
- The update does balance researchers’ abilities to share code while at the same time protecting the public. We will have to see how the policy is applied. But for example, having malware directly download additional code from GitHub is likely going to lead to the removal of the code.
Read more in:
- Updates to our policies regarding exploits, malware, and vulnerability research
- GitHub: Here’s how we’re changing our rules around malware and software vulnerability research
- GitHub’s new policies allow removal of PoC exploits used in attacks
- GitHub Updates Policy to Remove Exploit Code When Used in Active Attacks
WebExtensions Community Group
Major browser makers Microsoft, Google, and Mozilla have formed the WebExtensions Community Group (WECG) to examine ways “to advance a common browser extension platform.” The group will focus on browser extension security and performance. Other browser makers are invited to join WECG.
- Take a look at the extensions in your browsers, removing the ones you’re not using; make sure they are updated and supported. The WECG is striving to have extensions maintain security, performance, privacy, and compatibility while prioritizing end user needs over developers’ needs. Their principles are inspired by the W3C TAG Ethical Web (www.w3.org: W3C TAG Ethical Web Principles) and HTML Design (www.w3.org: HTML Design Principles) principles. It is hoped that this specification has more adoption than the work done by the Browser Extension Community Group.
Read more in:
- WebExtensions Community Group Charter
- Forming the WebExtensions Community Group
- Google, Microsoft, and Mozilla work together on better browser extensions
Microsoft’s ElectionGuard to be Piloted in Hart InterCivic Voting Machines
US voting machine vendor Hart InterCivic will pilot Microsoft’s ElectionGuard software in its Verity voting systems. ElectionGuard is open source software that ensures ballots are verifiable. The Verity machines will create paper backups, utilize encryption in a way that protects privacy while allowing votes to be counted, and let voters check whether their vote has been counted.
- Remember the conversation of build vs. buy? Microsoft has developed software to help voting machine makers consistently implement needed transparency, security, and integrity, which can be independently verified and ultimately help the certification process. The downside is that any flaws in ElectionGuard may be present on all systems using it. Document the risks and ROI when making this decision.
Read more in:
- Microsoft’s Vote Tracking Software Clears a Major Hurdle
- Microsoft’s ElectionGuard e-voting integrity system to go into Hart’s Verity platform
Siloscape Malware Targets Windows Containers
A researcher at Palo Alto Networks Unit 42 has discovered the first known malware that targets Windows containers. “Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.”
- Verify your Kubernetes clusters are properly configured, whether local or cloud based. This exploit starts by leveraging known vulnerabilities in running containers, then impersonates the CExecSvc to obtain SeTcbPrivilege, using the undocumented NtImpersonateThread call, to create a global symbolic link to then access the C drive and try to create new Kubernetes deployments. The exploit doesn’t require admin privileges to be successful. The backdoor uses a Tor client to connect to a .onion C2 server. Verify your container image update process to ensure that patches are deployed in your running containers in a timely fashion.
Read more in:
- Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments
- First Known Malware Surfaces Targeting Windows Containers
- New Siloscape malware targets Windows containers and highlights security pitfalls
- Siloscape: this new malware targets Windows containers to access Kubernetes clusters
- Windows Container Malware Targets Kubernetes Clusters
- New Kubernetes malware backdoors clusters via Windows containers
CODESYS Vulnerabilities Could Allow Remote Code Execution on PLCs
Researchers from Positive Technologies have found 10 vulnerabilities in CODESYS automation software. The flaws could be exploited to remotely execute code on programmable logic controllers (PLCs). The vulnerabilities are due to insufficient verification of input data. CODESYS has released advisories (2021-06, 2021-07, and 2021-08) and updates.
- This is another vulnerability that can be exploited without authentication. Control systems need proper isolation, permit only authorized devices network connections to them, particularly PLCs which are extremely sensitive to inappropriate connections or malformed communication. Make sure those isolated segments are actively monitored for inappropriate traffic.
- Back in the days of the mainframe, I owned the input editor for a large multi-user system. Its job was easy; it dealt with a single, alpha-numeric, code set in a single level closed environment. Two generations go by and the Carnegie-Mellon CERT reports that more than half of the vulnerabilities reported to them resulted from input validation failures. I still thought of it as an easy problem. Then I heard an OWASP presentation that pointed out, among other things that made the problem hard, that the modern programmer had to deal with multiple expanded code sets and often did not know the environment in which his program would run. I now concede that it is a “hard problem” but one which must be addressed. PLCs are a single level closed environment.
Read more in:
- Positive Technologies Uncovers Critical Vulnerabilities in CODESYS; Serious Threat to Industrial Control Systems Worldwide
- 10 Critical Flaws Found in CODESYS Industrial Automation Software
University of Florida Health Hospitals Affected by Cyberattack
Two University of Florida (UF) Health hospitals were hit with a cyberattack that has them running under electronic health record (EHR) downtime. The incident has affected The Villages Regional Hospital and Leesburg Hospital. IT teams are investigating what is suspected to be a ransomware attack.
Read more in:
- Cyberattack Drives 2 UF Health Hospitals to EHR Downtime
- UF Health Florida hospitals back to pen and paper after cyberattack
Threat Actors Exploited Pulse Secure Zero-Day to Break into MTA Systems
Cyberthreat actors believed to be operating with the support of China’s government exploited a Pulse Secure zero-day vulnerability to gain access to New York City’s Metropolitan Transportation Authority (MTA) computer systems earlier this spring. A forensic investigation revealed that the intruders attempted to remove evidence of their forays into the network, which raises the possibility that there have been system breaches that MTA has not discovered.
- Pulse Secure had to patch multiple vulnerabilities this last year, and they have been exploited extensively.
- We are now almost 18 months past the first advisories to patch the initial wave of Pulse Secure VPN vulnerabilities, and several months ago advisories came out about additional Pulse Secure vulnerabilities. Many IT operations have been struggling just to keep remote access for Work From Home running and patching has suffered – more compromise hunting is required to detect malware installs that occurred before patching, as recent DHS/CERT advisories have pointed out.
- With a shift to increased remote work, your boundary protections are critical. Today’s combination of traditional VPN, Zero Trust, CASB, VDI, and EDR requires attention to detail, including security configuration, judicious application of updates, and active monitoring (and response) for malfeasance. Make sure that you have the right skillsets on hand, supported with adequate training, funding, and depth of coverage.
- Breaches of infrastructure systems may not be obvious and may not be immediately exploited. Nation state attackers may save them for later use. Think “zero trust” and “least privilege.” Think urgency; the longer these systems remain vulnerable, the greater the risk that they are covertly compromised.
Read more in:
- The M.T.A. Is Breached by Hackers as Cyberattacks Surge
- Chinese threat actors hacked NYC MTA using Pulse Secure zero-day
- Chinese hackers used Pulse Secure zero day vulnerability to infiltrate MTA systems
IBM Announces School Systems Chosen to Receive Cybersecurity Grants
IBM has selected six US school systems to receive grants to help strengthen their cybersecurity. The school systems are Brevard Public Schools (Florida), Denver Public Schools (Colorado), KIPP Metro Atlanta Schools (Georgia), Newhall Independent School District (California), Poughkeepsie Independent School District (New York), and Sheldon Independent School District (Texas). “The grants will sponsor IBM Service Corps teams to help six U.S. K-12 public school districts proactively prepare for and respond to cyber threats.”
- Two of the most critical services governments provide are public education and election services. In the US, the way those two areas are governed and funded is antiquated and resistant to change. Volunteer and private industry support for increased security levels in both of those areas has really been needed and has turned into good investments for business as stability and security in those areas is good for business.
- The need for shoring up security in the education sector has become clear with the past year of successful attacks on school systems. Ransomware preparedness and response is at the top of the list for the IBM team help with “pain points.” The need is far greater than IBM alone can address; as cyber security professionals we should all be reaching out to our local school systems, leveraging our enterprise community outreach functions if possible, to see if we can help.
- The limited impact of these expenditures illustrates how big this problem is and how difficult it will be to remedy on a district-by-district basis. We need to make the public networks a safer environment for all users. It is time to operate these networks as the infrastructure that they are.
Read more in:
- IBM Education Security Preparedness Grant
- US schools land IBM grants to protect themselves against ransomware
NIST: Mobile Device Biometric Authentication for First Responders
A report from the US National Institute of Standards and Technology (NIST) “examines how first responders could use mobile device biometrics in authentication and what the unsolved challenges are.” The report is intended to help public safety organizations make choices about first responder authentication options. NIST is accepting comments through July 19, 2021.
- Have first responders read and respond to the draft. Responders I have talked to already leverage biometrics, and remind me to look at scenarios where biometric options fail, e.g., using fingerprint readers while wearing PPE. When creating security profiles for mobile devices, ensure that your device protections don’t interfere with life safety needs of responders. Safety needs to trump security, which means you may have a different configuration on some devices. Have clear support for those decisions at the highest levels.
- This report is more of a tutorial around mobile device biometrics that is strong on the challenges and really weak on “how to implement” guidance. Microsoft’s research showed that 99.9% of phishing attacks would be defeated just by mobile device text messaging, and over 80% of successful ransomware attacks start with successful phishing attacks. While first responders do have unique needs, we are in an emergency situation where reusable passwords have to be considered as dangerous as carcinogens like lead in consumer products or E. coli in meat.
Read more in:
- Using Mobile Device Biometrics for Authenticating First Responders
- Using Mobile Device Biometrics for Authenticating First Responders (PDF)
- NIST Unveils Guide to Mobile Device Authentication for First Responders
White House Memo: Advice to Private Sector on Protection from Ransomware
Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, has released an open letter to corporate executives and business leaders urging them to take action to protect their networks from ransomware. The memo strongly recommends implementing the five best practices from the President’s Executive Order: back up data, system images, and configurations, and regularly test them, and keep the backups offline; update and patch systems promptly; test your incident response plan; check your security team’s work; and segment networks.
- Ben Wright of SANS and I have done a recent series of talks and a white paper around the ransomware issues. Key point (1) is that no security group or manager makes the pay/don’t pay decision – that will always be a business or legal/regulatory-driven decision. But Key Point (1a) is that security managers can provide critical input into required strategies and changes needed to reduce the risk of ransomware to an acceptable level that will enable the business decision to be “we don’t need to pay the ransom.” Brian Honan makes Key Point (1b) below.
- Private sector companies are primarily driven by profit goals and anything that does not help achieve those goals will always be neglected. Until we start speaking about cybersecurity in terms of business risk, private sector companies will continue to treat security as an IT problem and as a cost. And this cost-based focus is what has led many companies to have such poor cybersecurity protections. It is time we start to move our focus away from technical solutions and speak more about business risks to our boards and colleagues.
- I think one thing we need to get into the debate about ransomware is that paying the ransom does not make the cost of recovery any cheaper. In the case of Colonial Pipeline, who paid $4m for the decryption tool, they still reverted to their backups to restore their systems. The HSE in Ireland who got the decryption tool for free had to use a third party tool to make it work effectively. In both cases the IR teams are still having to go to each individual machine, verify that it is clean, remediate it, recover data onto it, and then bring it online – this has to happen whether you have the decryption key or not. So paying for the decryption key is not a magic wand that gets all your systems back online overnight. You are still looking at weeks if not months of work to get large estates back up and running.
- When reviewing your response plan, look carefully at your downtime procedures. Are you able to provide some level of service or will you be hard down? Consider the case of the Massachusetts Steamship Authority where they were still able to process cash ticket sales and operate their ferries. Make sure that your situational awareness is as good or better than your adversaries’. Start with the core CIS controls, making sure you know what hardware and software you have, that it is securely configured and your data is protected.
- And do not forget strong authentication (at least two kinds of evidence, at least one of which is resistant to replay). Credential replay is implicated in many ransomware attacks and other breaches. While this measure may not be sufficient for targets of choice, it will get most out of the target of opportunity population.
Read more in:
- What We Urge You To Do To Protect Against The Threat of Ransomware (PDF)
- White House sends out memo to private sector on cyberattack protections
DoJ Will Treat Ransomware Investigations with High Priority
According to senior officials from the US Department of Justice, DoJ will give ransomware investigations a priority similar to that of terrorism investigations. Earlier this week, US Attorney’s offices across the country received guidance instructing them to share information about ransomware investigations with a Washington, DC-based task force.
- This is much needed and gives me hope. No matter how good any company is at security, if threat actors can operate any way they want without fear of retribution, anyone can and will be compromised. I think it’s interesting the government is taking the terrorism angle, as the motives of terrorists and criminals are very different, but as we are seeing, the impact at the human level can, in many ways, be the same. The sense of urgency appears to be great enough now to force the US government to take political and economic actions against other countries.
- What this does is add to the list of topics which require expedient information sharing/reporting with Washington. Prioritizing activities also requires providing funds needed to acquire and train staff and equipment needed to support the work.
Read more in:
- Exclusive-U.S. to give ransomware hacks similar priority as terrorism, official says
- Justice Dept. to give ransomware attacks same priority as terrorism
FBI Says REvil Ransomware Group Responsible for JBS Attack; Company Says Facilities are Now Operational
The FBI has “attributed the JBS attack to REvil and Sodinokibi and [is] working diligently to bring the threat actors to justice.” JBS says that all its facilities are once again operational.
- REvil is known for “double extortion” tactics, demanding ransom not only for the decryption key but also for not selling exfiltrated information, leveraging any potentially damaging content if possible. JBS wisely engaged help from the Australian Signals Directorate and the FBI to respond to the criminal aspects of the attack while working with their incident response provider to quickly restore operations.
Read more in:
- FBI Statement on JBS Cyberattack
- FBI attributes JBS ransomware attack to REvil
- JBS Foods ransomware gang: White House ‘engaging directly’ with Russia about attack on massive meat producer
- Attack on meat supplier came from REvil, ransomware’s most cut-throat gang
- FBI: REvil cybergang behind the JBS ransomware attack
- Ransomware Hits a Food Supply Giant—and Underscores a Dire Threat
- All global JBS facilities up and running following ransomware attack
- Meat chain JBS says US production is returning after ransomware attack
Massachusetts Steamship Authority Hit with Ransomware Attack
A ransomware attack affecting the Massachusetts Steamship Authority’s computer network has affected its operations. Customers were unable to make reservations or purchase tickets online or by phone. (Please note that the WSJ story is behind a paywall.)
- As with other service related attacks, OT systems are able to operate, but supporting systems, in this case online ticketing and reservations, are unavailable. Even so, they are able to process cash transactions.
- The fact that a “Steamship Authority” can be crippled by ransomware shows that everybody can be affected.
- Jeh Johnson commented on TV this morning that the extortion demands are tailored to the ability to pay and lower than the cost of recovery by other means, such that, as in Colonial Pipeline, paying it is an attractive individual business choice while collectively it perpetuates the problem.
Read more in:
- Massachusetts’ largest ferry service hit by ransomware attack
- Ransomware attack will impact Massachusetts Steamship Authority into Thursday
- NYC’s Subway Operator and Martha’s Vineyard Ferry Latest to Report Cyberattacks (Paywall)
- NY & Mass. Transportation Providers Targeted in Recent Attacks
Fujifilm Shuts Down Network in Wake of Ransomware Attack
Fujifilm has shut down parts of its network after becoming aware of a possible ransomware attack. The Tokyo-based company has also “disconnected from external correspondence.”
Read more in:
- Unauthorized access to Fujifilm servers
- Fujifilm becomes latest ransomware victim as White House urges business leaders to take action
- Fujifilm shuts down computer systems following apparent ransomware intrusion
- FUJIFILM shuts down network after suspected ransomware attack
Massachusetts Hospital Discloses Ransomware Attack
Sturdy Memorial Hospital in Attleboro, Massachusetts, has disclosed that its network was hit with a ransomware attack in February 2021. Analysis revealed that patient medical and financial data were compromised. The hospital paid a ransom to prevent data from being leaked. The incident also affected healthcare providers that had partnered with Sturdy Memorial for coordination of patient care. The hospital is now notifying affected patients.
Read more in:
- Notice of Data Security Incident
- Sensitive medical, financial data exposed in extortion of Massachusetts hospital
US Supreme Court Ruling Reins in CFAA’s Reach
A ruling from the Supreme Court limits the scope of the Computer Fraud and Abuse Act (CFAA). The case, Van Buren v. United States, involves a former police officer who accepted money for using his access to a law enforcement database to look up license plate information. The written majority opinion notes that the court’s job was to “decide whether Van Buren… violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”
- Limiting the scope of the CFAA is a huge win for cyber security research. Having clear permission and defined scope when accessing and researching systems is still critical. Discovery of a device in a search engine, running with default credentials doesn’t by itself constitute permission to access or configure it.
- While not technically a violation of the CFAA, Van Buren was guilty of an abuse of his privilege and should be subject to other discipline. This is simply one more indication, as if any were needed, that the CFAA needs to be rewritten with more emphasis on what is done, i.e., misuse and abuse, and less on the concept of “authorization.”
Read more in:
- VAN BUREN v. UNITED STATES (PDF)
- Supreme Court Votes to Limit Computer Fraud and Abuse Act
- Supreme Court reins in definition of crime under controversial hacking law
- Supreme Court narrows scope of hacking law, but questions remain
- A Supreme Court ruling limits the reach of a landmark hacking law
- Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in
Amazon Sidewalk is Going Live Next Week
On June 8, 2021, Amazon smart devices, which include Echo and Ring, will automatically be integrated into the Amazon Sidewalk wireless mesh service. Sidewalk will “share a small portion of your internet bandwidth” to “extend the low-bandwidth working range of devices.” Users can opt out of participating through the Alexa and Ring apps.
- This is an opt-out service. If you take no action, you will be opted in. The idea is to provide better connectivity for your Amazon devices where your network may have gaps, essentially an 80Kbps connection. Amazon cites the case of using their tracking devices to find a lost pet. The success of Sidewalk is dependent on the number of participating devices in any area. The downside is you have no visibility into which devices are connected to your network and what they are doing. The good news is you can opt out at your account level, not just the device level. In the Ring App, Sidewalk is under the Control Center; in the Alexa App it is under Settings -> Account Settings -> Amazon Sidewalk. The option is only present when you’re connected to your Ring or Echo devices.
- By choosing to make this an opt-out service, Amazon is showing why updates to US national privacy laws are badly needed. When I worked on surveillance cases for the US Secret Service in the 1980s, to put a vehicle tracker on a suspect’s car that was connected to the car’s 12v system, we needed to get a court order because of the unauthorized use of the car owner’s “services.” What Amazon is doing here seems no different to me.
Read more in:
- Welcome to Amazon Sidewalk
- Amazon Sidewalk Privacy and Security Whitepaper (PDF)
- What Is Amazon Sidewalk, and Should You Disable It?
- How to opt out of (or into) Amazon’s Sidewalk network
- Amazon devices will soon automatically share your Internet with neighbors
Nobelium Spear Phishing Campaign Domains Seized
US authorities have seized two domains associated with a recent spear phishing campaign. The attackers are believed to be Nobelium, the threat actor likely responsible for the SolarWinds Orion supply chain attack. The spear phishing attacks masqueraded as messages from the US Agency for International Development (USAID) and targeted government agencies, think tanks, and non-governmental organizations (NGOs) around the world.
- If one is not expecting a communication, one should simply throw it away. It is almost always the safest move. If one feels that they cannot do that, pick up the phone. Out-of-band confirmations are cheap and effective; they work in both directions.
Read more in:
- Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
- Feds seize two domains used by SolarWinds intruders for malware spear-phishing op
- Justice Department seizes domains used in Nobelium-USAID phishing campaign
- US Seizes Attacker Domains Used in USAID Phishing Campaign
Microsoft Acquires ReFirm Labs
Microsoft has acquired firmware analysis company ReFirm Labs. Microsoft says the acquisition will “enrich our firmware analysis and security capabilities across devices that form the intelligent edge, from servers to IoT.”
- The most successful mergers/acquisitions over the past 5 years or so have been the big cloud platform players, like Salesforce, Amazon AWS, Google, and Microsoft buying small, innovative security vendors to build higher levels of security into their cloud infrastructure. The least successful cybersecurity M&As have been big IT companies buying security product companies just to increase revenue by selling security products. Building security in, versus “spending in depth,” is the key to real and sustainable levels of business protection.
- With the recent rash of firmware-related vulnerabilities, ReFirm (the authors of Binwalk) should give Microsoft a huge leg up in analysis and response to firmware security issues including IoT and embedded device use cases. This acquisition further broadens the scope of protections offered under the Azure Defender umbrella, specifically Azure Defender IoT.
Read more in:
- Microsoft acquires ReFirm Labs to enhance IoT security
- Microsoft acquires ReFirm Labs to boost its IoT security offerings
- Microsoft Buys ReFirm Labs to Drive IoT Security Efforts
- Microsoft acquires firmware analysis company ReFirm, eying edge IoT security
US Army Rescinds Workplace IoT Ban
The US Army appears to have rescinded a May 20, 2021, memo banning remote workers from using Internet of Things (IoT) devices in their workspaces. The ban was issued over concerns that IoT devices are constantly collecting data and listening.
- The ban is essentially unenforceable; it is good OPSEC guidance. It’s still a good idea to be aware of the devices in your workspace. Just as you would question a stranger in a meeting, consider what these devices can capture and take action to remove or disable them when appropriate. Higher priority for the enterprise is making sure that you have good visibility into endpoint security and actions so you can respond appropriately.
- Security is a space in which intuition does not serve us well, where “obvious” choices are wrong. Cooler heads have prevailed here. However, since many smart devices inside the SOHO router establish connections to the public networks by default, it will be difficult to give directions that are practical. We need standards, perhaps even regulation, that require smart devices to both encrypt and disclose what connections they make. While most home users will ignore the disclosures, they will empower WFH users.
Read more in:
- US Army Apparently Rescinds IoT Device Ban
- Army rolls back short-lived IoT telework policy
- US Army tells remote workers to switch off their IoT devices (and then withdraws advice)
Digital Flash Card Apps Exposed US Nuclear Weapons Secrets
Sensitive information about US nuclear missile bunkers in Europe was found online by searching for related terms, such as protective aircraft shelters (PAS) and Weapons Storage and Security Systems (WS3). The data were being used in digital flashcard apps. The compromised information includes camera positions, patrol frequency, unique identifiers on badges required for entry, and codewords guards use to indicate they are being actively threatened. The flashcards have been taken down.
- “Shadow IT” at its worst. If you do not provide tools that are secure, employees will find their own. This may be an extreme case, but on a non-nuclear scale, this happens everywhere, with employees using personal email addresses because corporate mail filters are stripping content they need to do their job, or using the kids’ “gaming rig” for work because the company-provided laptop is too slow.
- This is a nexus of benign, slightly obscure information augmented with specific information which makes it sensitive. We used to call this information mosaic. Use caution making online learning publicly available and make sure that accompanying completion records and feedback mechanisms are protected. Review regularly to ensure that both the presented information and accompanying meta-data remain secured.
- Good reminder to sanitize all training and test data to remove sensitive information, and to make sure that any pen test engagement includes a strong research/reconnaissance phase.
- When I taught young officers at the Naval Postgraduate School we called this “digital” OPSEC. They understood OPSEC.
Read more in:
- US Soldiers Expose Nuclear Weapons Secrets Via Flashcard Apps
- US nuclear weapon bunker security secrets spill from online flashcards since 2013
Have I Been Pwned Open Sources Code Base and Will Receive Data from FBI
Last week, Have I Been Pwned (HIBP) founder Troy Hunt announced that the HIBP code base is now open source through the .NET Foundation. Hunt also announced that HIBP will provide the FBI with a means to share with HIBP lists of compromised passwords obtained in the course of investigations.
- Have I Been Pwned is a great effort that has struggled to find appropriate funding. Troy Hunt has avoided the easy solution of selling out to a security vendor. This sounds like a great way to support this effort.
- Have I Been Pwned has been powering other services for a while and is very useful as a retroactive password change reminder warning. But top priority should be in reducing the use of reusable passwords. Fixing the source of the leak is much better than getting faster at constantly mopping up.
- This year marks thirty-five years since Ken Weiss invented SecurID, and in which I have been discouraging “exclusive reliance upon passwords.” Convenience continues to trump security. Passwords can be made resistant to dictionary, fuzzing, and even brute force attacks, but they are fundamentally vulnerable to replay and reuse.
Read more in:
- Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI
- FBI to Share Compromised Passwords With Have I Been Pwned
- Have I Been Pwned teams with FBI, gives open-source access to code
- ‘Have I Been Pwned’ Code Base Now Open Source
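The password-reuse point made above can be put into practice at password-change time with the k-anonymity lookup that the public Pwned Passwords service exposes: only the first five hex characters of the SHA-1 hash leave the client, and the service returns every suffix in that range with a breach count. This is an added example that goes beyond the page (it is not HIBP’s code); the range response is constructed so it runs offline, and a real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS.

```python
"""Offline demonstration of a Pwned Passwords k-anonymity check.

Added example, not HIBP's code and not from the page. The range body below is
constructed; the breach counts are made-up sample values.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Return (first 5, remaining 35) hex chars of the upper-case SHA-1 of password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip blank or malformed lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            table[suffix.upper()] = int(count)
        except ValueError:
            continue  # tolerate a corrupted line rather than failing the whole check
    return table


def breach_count(password, fetch_range):
    """Return how often the password appears in the corpus (0 if unseen).

    fetch_range(prefix) must return the text body for that 5-character prefix;
    it is injected so the lookup can be exercised without network access.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API: the range holding the suffix for the
# well-known weak password "password" (SHA-1 prefix 5BAA6), plus two unrelated
# suffixes. Counts are sample values, not real HIBP figures.
_WEAK_PREFIX, _WEAK_SUFFIX = sha1_prefix_suffix("password")
_CONSTRUCTED_RANGES = {
    _WEAK_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{_WEAK_SUFFIX}:12345",
        "0023C4A2E0D5F5AA41B0F3FCA5E1A4B0E1C:1",
        "",
    ]),
}


def offline_fetch_range(prefix):
    """Stand-in for the HTTPS range call; unknown prefixes return an empty range."""
    return _CONSTRUCTED_RANGES.get(prefix, "")


def password_change_check(password, fetch_range=offline_fetch_range):
    """Policy hook for a password-change form: (accepted, breach_count)."""
    n = breach_count(password, fetch_range)
    return (n == 0, n)


if __name__ == "__main__":
    for candidate in ("password", "constructed-unique-passphrase-2021"):
        accepted, n = password_change_check(candidate)
        print(f"{candidate!r}: seen {n} time(s) -> {'accept' if accepted else 'reject'}")
```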
Fix Available for Critical Flaw in HPE SIM
Hewlett Packard Enterprise (HPE) has released an update to address a critical vulnerability in its Systems Insight Manager (SIM) software. The flaw was initially disclosed in December 2020; it arises from “a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page.” The flaw could be exploited to allow attackers with no privileges to execute code remotely. The flaw affects HPE SIM versions 7.6.x for Windows only.
- This hotfix replaces the prior workaround where you had to disable “Federated Search” and “Federated CMS Configuration.” Note that hotfixes were also released for the Linux and HP-UX versions of the HPE SIM version 7.6.
- This advisory was originally released in December. Later, HP upgraded it to a “no authentication required” remote code execution. Now we finally have a patch. Apply it.
Read more in:
- HPE Systems Insight Manager AMF Deserialization Remote Code Execution
- HPESBGN04068 rev.3 – Hewlett Packard Enterprise Systems Insight Manager (SIM), AMF Deserialization of Untrusted Data, Remote Code Execution Vulnerability
- HPE Fixes Critical Zero-Day in Server Management Software
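Until the hotfix is applied, the endpoint quoted in the advisory gives a concrete thing to hunt for in web server logs. The following is an added example (not HPE’s or the page’s code) that flags POST requests to that path from outside an assumed management network; the log lines and the 10.10.0.0/24 range are constructed for the example.

```python
"""Flag POST requests to the HPE SIM AMF endpoint named in the advisory.

Added example, not HPE's code. Log lines are constructed in combined-log
style; the client IPs and the management network range are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Path quoted in the advisory as the deserialization entry point.
VULNERABLE_PATH = "/simsearch/messagebroker/amfsecure"

# Assumed: only hosts in this range should reach SIM management at all.
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.10.0.5 - - [07/Jun/2021:09:12:01 +0000] "GET /simsearch/ HTTP/1.1" 200 512
10.10.0.5 - - [07/Jun/2021:09:12:07 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 1043
203.0.113.44 - - [07/Jun/2021:09:13:22 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 2210
203.0.113.44 - - [07/Jun/2021:09:13:23 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 500 0
198.51.100.9 - - [07/Jun/2021:09:14:00 +0000] "GET /mxportal/home/MxPortalFrames.jsp HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_amf_posts(log_text):
    """Return every parsed POST to the vulnerable endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == VULNERABLE_PATH:
            hits.append(rec)
    return hits


def classify(hits):
    """Split hits into alerts (outside the management net) and expected traffic.

    The advisory describes an unauthenticated RCE, so any POST to the endpoint
    from outside the management range is an alert; in-range POSTs are normal
    SIM client traffic and are only counted per source.
    """
    alerts, expected = [], Counter()
    for rec in hits:
        if ipaddress.ip_address(rec["ip"]) in MANAGEMENT_NET:
            expected[rec["ip"]] += 1
        else:
            alerts.append(rec)
    return alerts, expected


def alert_sources(log_text):
    """Sorted list of non-management source IPs that POSTed to the endpoint."""
    alerts, _ = classify(find_amf_posts(log_text))
    return sorted({a["ip"] for a in alerts})


if __name__ == "__main__":
    alerts, expected = classify(find_amf_posts(SAMPLE_LOG))
    for rec in alerts:
        print(f"ALERT {rec['ts']} {rec['ip']} POST {VULNERABLE_PATH} status={rec['status']}")
    for ip, n in expected.items():
        print(f"ok    {ip}: {n} POST(s) from management network")
```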
SonicWall Offers Fix for Flaw in On-Premises Version of NSM
SonicWall has released updates to address “a post-authentication vulnerability (SNWLID-2021-0014) within the on-premises version of Network Security Manager (NSM).” Users are urged to upgrade to patched versions, Network Security Manager (NSM) 2.2.1-R6 and Network Security Manager (NSM) 2.2.1-R6 (Enhanced), as soon as possible. The issue does not affect software-as-a-service (SaaS) versions of NSM.
- Make sure that management services are accessible only to authorized devices. Enable multi-factor authentication where supported and verify there are no end-arounds/shortcuts which could bypass your protections.
- Luckily, this vulnerability requires valid user credentials to exploit. You may finish your coffee this morning before patching this one.
Read more in:
- Security Advisory: On-Prem SonicWall Network Security Manager (NSM) Command Injection Vulnerability
- SonicWall urges customers to ‘immediately’ patch NSM On-Prem bug
Siemens Offers Fix for Flaw in Programmable Logic Controllers
Siemens has released a firmware update to address a severe memory protection bypass vulnerability in its SIMATIC S7-1200 and S7-1500 Programmable Logic Controllers (PLCs). Researchers at Claroty detected the flaw and notified Siemens, who released updates on May 28.
- Your PLCs should already be isolated as they don’t respond well to malformed or unexpected traffic. Additionally, apply the mitigations in the Siemens bulletin, including using passwords on S7 communication, limiting or blocking remote client connections, and enabling TLS, and apply the defense in depth measures in the Siemens Operational Guidelines for Industrial Security.
cert-portal.siemens.com: Operational Guidelines for Industrial Security (PDF)
- Firmware updates are a very expensive remedy for devices that are priced in the tens of dollars and employed in the millions.
Read more in:
- The Race to Native Code Execution in PLCS
- SSA-434534: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families (PDF)
- A New Bug in Siemens PLCs Could Let Hackers Run Malicious Code Remotely
- Siemens Patches Major PLC Flaw that Bypasses Its ‘Sandbox’ Protection
The Apple M1 Chip Vulnerability and the Business of Bug Disclosure
Last week, Hector Martin disclosed a vulnerability in Apple’s M1 chip that “allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features.” The flaw is “baked in” to the chip, which means it cannot be fixed or patched. While the vulnerability is interesting, Martin notes that “nobody’s going to actually find a nefarious use for this flaw in practical circumstances.” He also writes that the website he created for the flaw, which he dubbed M1RACLES, to “poke fun at how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn’t mean you need to care.”
- This allows two processes to access the EL0 register – which is only 2 bits wide for communication – and should be used as a reminder that all chips have flaws, not as a reason to panic. Use this as a chance to verify that your services for M1 devices, including endpoint protection, patching and OS security configuration, are enabled and working; adjust if needed.
- A flashy logo/name/website has always been helpful to “sell” a vulnerability. The ability to covertly send messages between two cooperating processes exists in pretty much all PCs (a mock “PoC” was released in response to M1RACLES showing how one process may modulate CPU load to send messages to other processes). It is also a long-running issue in our industry that we focus on the new and shiny instead of on the boring but necessary. Remember: Security is working best if it is boring, routine, and doesn’t feel like firefighting. The most important stories in this NewsBites (HPE flaw and SonicWall vulnerability) will probably not make it into the “Top News” (… well … maybe now they will :) ).
- Kudos to Hector on this one. Instead of using FUD to draw attention to his finding, he was transparent and honest about its overall impact. Unfortunately, in our community sometimes researchers over dramatize their findings, causing more harm than good.
Read more in:
- M1RACLES: M1ssing Register Access Controls Leak EL0 State
- Covert channel in Apple’s M1 is mostly harmless, but it sure is interesting
- ‘OMG it’s a bug!’ Beware the bells and whistles around vulnerability disclosures
Food Processing Giant JBS Hit with Cyberattack
São Paulo-based food processing company JBS has shut down production at several facilities around the world following a cyberattack. Computer networks in Australia, Canada, and the US were affected.
- This is a growing trend we are going to see over the coming years: one business unit is infected in one country, which then infects all the other business units of the same company globally. However, these incidents are also impacting people’s daily lives, such as when hospital networks go down, gas lines can’t transfer gas, or in this case companies cannot process food. As the world has become so interconnected and interdependent, the impact of these events will only increase.
Read more in:
- Meat Plant Closures Are Spreading After a Cyberattack on JBS
- Food giant JBS Foods shuts down production after cyberattack
- JBS USA cyber attack affecting North American and Australian systems
Swedish Infectious Diseases Database Temporarily Taken Down After Attempted Intrusions
Sweden’s Public Health Agency (Folkhälsomyndigheten) temporarily took its infectious diseases database offline after detecting several attempted intrusions. The database, which is known as SmiNet, is also used to store information about COVID-19 infections. The database is once again operational; Folkhälsomyndigheten writes that “to further increase security, some adjustments have been made, which means certain restrictions when it comes to reporting data.”
Read more in:
- Swedish Health Agency shuts down SmiNet after hacking attempts
- Information about SmiNet to users
- The Swedish Public Health Agency reports attempted data breaches against SmiNet
- Information on the next update of the number of cases of covid-19
US Army Requires Remote Workers to Remove IoT Devices from Workspace
In a May 25 memo calling for “teleworkers [to] incorporate strong cyber hygiene practices in their daily telework routine,” the US Army wrote that it is requiring all remote workers to remove Internet of Things (IoT) devices (any device with a listening function) from their work areas. The requirement applies to military and civilian employees and contractors.
- I think unpatched VPN servers are much, much higher up in risk level for government telework, but the smart speaker vendors have not made it easy to prevent, or allow automated deletion of, audio recordings that are tagged “audio not intended for this device” but were saved anyway.
- Think about the activities performed in your remote workspace. What conversations are happening, what is in view of your camera, what’s on your desk, what can be seen through the door or windows? Ask yourself not just who but what is listening. Smart assistants, while they don’t respond until they hear their wake word, are still listening. Consider muting the mic if you don’t wish to remove or turn it off. Remember also that open windows or doors, using speakers and speakerphones versus headsets are ways sensitive business information can be inadvertently shared. Have a clean desk policy for the remote workspace.
- This is another example of a policy that sounds good at HQ, but when it hits reality most likely causes more harm than good (kind of like password expiration). How can people follow this policy? First, most people don’t even know all the IoT devices they have. Your coffee pot or light bulbs are often IoT. Even if you do know what devices you have, how can you possibly determine which ones have microphones or go about turning devices off / on every time you have a call? About the only way a remote worker could follow this policy is if they created their own isolated, tech-free room (aka SCIF) in their house, which is probably a better option if sensitive information is to be discussed.
- “Strong cyber hygiene” is good advice but removing Internet of Things devices is over the top. All ‘things’ are not the same. As I sit in my work area, I cannot even identify, much less remove, all the smart appliances that I rely upon, including some that I rely upon for personal safety. (“Alexa, (‘I have fallen and I can’t get up.’) Call 911.”) One can eliminate all cyber risk simply by removing all computers but that is not practical advice. Some, e.g., classified, work should not be done in personal work areas.