Amnesty International Spyware Report
Amnesty International’s Security Lab “has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.” The Forensic Methodology Report also includes a forensic tool to detect the spyware’s presence on mobile devices.
- Great report by Amnesty and a must read for anybody doing IR on mobile devices. Remember that the exploits used may be “high end” now, but they tend to trickle down the food chain. For the rest of us, the lesson to learn is that you absolutely need to keep your mobile devices up to date, and yes, a text message may be used to run arbitrary code on your device.
- iPhones and Android phones have been harder targets to compromise than Windows PCs but this Pegasus use points out they are far from impenetrable. In the SANS 2021 New Threat and Attack report, SANS instructor Heather Mahalik points out many of the key issues and action steps.
- While far from mass surveillance, and while most of the targets were political, some appeared to be targeted for mere celebrity. While such surveillance might not be illegal in all the countries engaged in it, it qualifies as abuse and misuse everywhere. Here it would require a warrant issued by a court based upon probable cause to believe a crime.
Read more in
- Forensic Methodology Report: How to catch NSO Group’s Pegasus
- This tool tells you if NSO’s Pegasus spyware targeted your phone
- mvt-project / mvt
- An Explosive Spyware Report Shows the Limits of iOS Security
Akamai DNS Problems Cause Internet Outage
Akamai says that an Edge DNS service problem was to blame for a July 22 Internet outage affecting the availability of numerous major websites, but has not yet detailed the cause of the problem. Akamai has implemented a fix and says the issue was not due to a cyberattack.
- Yet another choke point that can take down large parts of the Internet. Resilience comes from redundancy and diversity. It doesn’t help to have multiple servers if they all run the same software and configuration. Luckily Akamai was pretty quick in resolving the issue.
- As the internet moves to more centralized services to localize information to increase performance/access to content, the stability becomes only as good as those services. While Akamai only has 9.6% of the CDN share, they have major players such as Oracle, AWS, Microsoft and AT&T. When engaging these services, have a frank discussion on failure impacts and their mitigations. You will need to define your actions, including customer communications, possibly reimbursement, in the event of an outage.
- Having deep visibility into network traffic can often quickly differentiate between internal or external services having performance and issues caused by denial of service or other attacks. Great opportunity for the NOC and the SOC to use common instrumentation and tools to speed detection, resolution and restoration.
Read more in
- Today’s massive Internet outage comes courtesy of Akamai Edge DNS
- Akamai has trouble and the internet hiccups again
- Akamai DNS global outage takes down major websites, online services
Microsoft Offers Workaround for Windows 10 Security Accounts Manager Vulnerability
Microsoft has released a workaround for a privilege elevation vulnerability that affects the Windows 10 Security Accounts Manager database. The flaw could be exploited to access data and create new accounts.
- The fix is to restrict access to the system32\config directory and then remove (and recreate) any volume shadow copies (system restore points) to assure the changes in privileges are captured.
- Keep watching Microsoft’s KB article for updates. Initially, server versions of Windows were not believed to be vulnerable but the most recent update showed recent server versions as vulnerable.
- Just a reminder that accounts should be periodically reauthorized and reconciled to real people.
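One way to verify the condition that the workaround above addresses, and to see what the workaround has to change, is to look at the ACL that `icacls` reports on the SAM hive. The following Python script is an added example (not Microsoft's code or anything from the KB article): it parses `icacls` output for a read-granting entry held by a low-privileged principal such as BUILTIN\Users, runs the live check when executed on Windows, and prints Microsoft's published workaround commands (restore inheritance on the config directory, then delete the shadow copies that still carry the old ACL). The two `icacls` transcripts embedded in it are constructed to match the tool's output format, not captured from a host.

```python
"""Check whether the SAM hive is readable by low-privileged users, the
condition Microsoft's workaround addresses, by parsing `icacls` output.

Added example, not Microsoft's code.  The two icacls transcripts below are
constructed to match icacls's output format, not captured from a host.
"""
import re
import subprocess
import sys

# One ACE per line: an optional path, then DOMAIN\principal:(flags)(rights)...
ACE_RE = re.compile(r"(?:^|\\)\s*(?P<who>[^\\:]+):(?P<rights>(?:\([^)]*\))+)\s*$")
# icacls rights tokens that include read access to the file
READ_TOKENS = {"F", "M", "RX", "R"}
LOW_PRIV_PRINCIPALS = {"Users", "Everyone", "Authenticated Users"}

# Constructed sample: the vulnerable shape (BUILTIN\Users can read the hive).
VULNERABLE = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed sample: the expected shape after inheritance is restored.
FIXED = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def low_priv_can_read(icacls_output):
    """True if any low-privileged principal holds a non-DENY read ACE."""
    for line in icacls_output.splitlines():
        m = ACE_RE.search(line)
        if not m or m.group("who").strip() not in LOW_PRIV_PRINCIPALS:
            continue
        tokens = set(re.findall(r"\(([^)]*)\)", m.group("rights")))
        if "DENY" in tokens:
            continue
        if tokens & READ_TOKENS:
            return True
    return False


# Microsoft's published workaround, as commands for an elevated prompt:
# restore ACL inheritance on the hive directory, then delete the Volume
# Shadow Copies (restore points) that still carry the old, permissive ACL.
# Take a new restore point afterwards (e.g. Checkpoint-Computer in PowerShell).
WORKAROUND = [
    r"icacls %windir%\system32\config\*.* /inheritance:e",
    r"vssadmin delete shadows /for=%systemdrive% /Quiet",
]


def check_live(hive=r"C:\Windows\System32\config\SAM"):
    """Run icacls on this host; returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(["icacls", hive], capture_output=True, text=True).stdout
    return low_priv_can_read(out)


if __name__ == "__main__":
    print("vulnerable sample:", low_priv_can_read(VULNERABLE))   # True
    print("fixed sample:     ", low_priv_can_read(FIXED))        # False
    live = check_live()
    if live is None:
        print("not running on Windows; live check skipped")
    elif live:
        print("SAM hive readable by low-privileged users; apply the workaround:")
        for cmd in WORKAROUND:
            print("   ", cmd)
    else:
        print("SAM hive ACL looks correct; still review shadow copies (vssadmin list shadows)")
```

A correct ACL on the live file is not the whole story: a shadow copy taken while the ACL was wrong still exposes the hive, which is why the comment above stresses removing and recreating the restore points.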
Read more in
- Windows Elevation of Privilege Vulnerability
- Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug
Fortinet Issues Updates to Fix Use After Free vulnerability in FortiManager and FortiAnalyzer
Fortinet has released updates to fix a serious use after free vulnerability in FortiManager and FortiAnalyzer network management solutions. The flaw can be exploited to allow remote code execution as root if the fgfmsd daemon is enabled. Fortinet has also provided a workaround.
- My usual comment: Don’t expose it to the internet if it doesn’t need to be exposed. These are not the actual firewall / VPN endpoints but the software used to manage them.
Read more in
- FortiManager & FortiAnalyzer – Use after free vulnerability in fgfmsd daemon
- Fortinet’s security appliances hit by remote code execution vulnerability
- Fortinet fixes bug letting unauthenticated hackers run code as root
Apple Updates for Multiple Products
Apple has released updates for iOS, watchOS, tvOS, iPadOS, and macOS. While the iOS update (iOS 14.7) includes fixes for 37 security issues, it does not fix the zero-click vulnerability in iMessenger that can be exploited by Pegasus spyware.
- Probably the most notable fix is the patch for the WiFi SSID format string vulnerability. Initially, this was only considered a DoS issue. But Apple confirmed that this can be used to execute code. On relatively recent iOS versions, this requires the user to join the oddly named WiFi network. But on older versions, this exploit will execute without user interaction.
- While these updates don’t include the patch for Pegasus, there are enough other issues to warrant applying the patches immediately, particularly for iOS and iPadOS as some of the flaws are remotely exploitable. The NSO group, who are behind the Pegasus spyware, are investing heavily in exploits to maintain visibility into mobile devices, which hopefully will drive increases in security options to reduce their attack surfaces.
Read more in
- Apple security updates
- Apple Issues Urgent iPhone Updates; None for Pegasus Zero-Day
- iPadOS 14.7 and macOS Big Sur 11.5 come with plenty of bug fixes and security updates
TSA Issues Second Pipeline Security Directive
The Department of Homeland Security’s (DHS’s) Transportation Security Administration (TSA) has issued a second cybersecurity directive for pipelines. While TSA has not released specifics of the directive, the agency notes that the “Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
- Make sure you’ve implemented the required security controls and contingency plan, that you’re monitoring those controls as well as regularly testing your emergency response plan. Consider not only conducting internal design reviews, but also hiring third parties or peer organizations for a reciprocal review to identify any gaps. Expect regulators to audit your activities here.
Read more in
- DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators
- TSA Issues Second Directive for Pipeline Operators Amid China Concerns
- TSA Issues Cybersecurity Requirements for Pipelines
- DHS releases new mandatory cybersecurity rules for pipelines after Colonial ransomware attack
- TSA announces new pipeline security order
- TSA pushes more cybersecurity mandates on critical pipeline owners, emphasizing ransomware
CISA/FBI Security Advisory Details Chinese State Sponsored Cyberattacks Against US Oil and Gas Pipeline Companies
A joint security advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) “provides information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies.” The advisory includes a list of indicators of compromise and suggests mitigations to bolster pipeline security.
- If you were wondering how they operate, the alert outlines how they obtained access and actions you can watch for. The mitigations apply to any sort of OT you’re operating – to include strong spam/email security filters and secure remote access with multi-factor authentication. Make sure you’re really doing the mitigations listed. Your SOC should tell you the IOCs are well known to them; if not, have them not only incorporate them but also make sure they have appropriate threat feeds to stay current.
Read more in
- Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013
- Chinese state hackers breached over a dozen US pipeline operators
Linux Privilege Elevation Flaw Affects Most Releases
A security flaw affecting the kernel of most Linux distributions could be exploited to gain root privileges. The issue affects all Linux kernel versions that have been released since 2014. The flaw was discovered by researchers at Qualys.
- The exploit uses a 1GB pathname, 5GB of memory, uses 1 million inodes and exploitation requires system access. This can be partially mitigated by setting /proc/sys/kernel/unprivileged_userns_clone to 0 and /proc/sys/kernel/unprivileged_bpf_disabled to 1 to prevent mounting long directories in a user namespace and prevent a user from loading an eBPF program into the kernel. The long term fix will be to apply kernel updates when released. BSD derived kernels (FreeBSD, macOS, etc.) are not vulnerable.
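As an added example (not code from Qualys's advisory or from the kernel project), this Python script checks the two sysctl knobs named in the comment above and emits the `/etc/sysctl.d` lines that would close whichever are still open. One caveat it handles: `unprivileged_userns_clone` is a Debian/Ubuntu patch knob that does not exist on mainline kernels, so the script reports it as absent rather than treating the absence as either safe or unsafe (on such kernels, `user.max_user_namespaces` is the closest mainline control, which is an assumption stated here and not something the advisory summary says).

```python
"""Report whether the two sysctl mitigations named for the Sequoia bug
(CVE-2021-33909) are in effect and print sysctl.d lines for the open ones.

Added example, not Qualys's or the kernel project's code.  read_knobs()
reads /proc; mitigation_status() works on a plain dict so the logic can be
checked against constructed values without touching the host.
"""
from pathlib import Path

KERNEL_SYSCTL = Path("/proc/sys/kernel")

# knob -> set of values that count as mitigated
MITIGATING_VALUES = {
    # Debian/Ubuntu-specific knob; absent on mainline kernels (reported as such)
    "unprivileged_userns_clone": {"0"},
    # 1 = disabled until reboot; 2 = disabled but re-enableable (newer kernels)
    "unprivileged_bpf_disabled": {"1", "2"},
}


def read_knobs(root=KERNEL_SYSCTL):
    """Current values of the knobs, None for a knob this kernel lacks."""
    values = {}
    for name in MITIGATING_VALUES:
        path = Path(root) / name
        values[name] = path.read_text().strip() if path.exists() else None
    return values


def mitigation_status(values):
    """Map each knob to 'mitigated', 'open' or 'absent'."""
    status = {}
    for name, good in MITIGATING_VALUES.items():
        current = values.get(name)
        if current is None:
            status[name] = "absent"
        elif current in good:
            status[name] = "mitigated"
        else:
            status[name] = "open"
    return status


def sysctl_conf(status):
    """Lines for a file under /etc/sysctl.d/ that close the knobs still open."""
    lines = []
    for name, state in status.items():
        if state == "open":
            lines.append(f"kernel.{name} = {min(MITIGATING_VALUES[name])}")
    return "\n".join(lines)


if __name__ == "__main__":
    status = mitigation_status(read_knobs())
    for name, state in status.items():
        print(f"{name:28s} {state}")
    conf = sysctl_conf(status)
    if conf:
        print("\n# suggested /etc/sysctl.d/90-sequoia.conf contents:")
        print(conf)
    else:
        print("\nno open knobs to set (absent knobs need a different control)")
```

Apply the generated lines with `sysctl -p` on the new file and re-run the script; both knobs reading `mitigated` only narrows the exploit conditions the comment describes, and the kernel update remains the actual fix.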
Read more in
- Qualys Security Advisory | Sequoia: A deep root in Linux’s filesystem layer (CVE-2021-33909)
- Nearly All Linux OSes Have a Pair of Privilege Escalation Flaws
- New Linux kernel bug lets you get root on most modern distros
Kaseya Obtains REvil Master Decryptor
Kaseya says it has obtained a universal decryption key to help affected customers recover from REvil ransomware. Kaseya was hit with a supply chain attack at the beginning of July that infected more than 1,000 organizations with REvil.
- As REvil has gone off-the-air, Kaseya and their source are the only places you can get a REvil decryption tool. Kaseya has engaged Emsisoft to help all affected customers. Kaseya is actively contacting customers who were impacted.
- What’s fascinating about this story is how the REvil community shut down and went dark before they received any payment. Apparently all the visibility they were getting put them at too much risk, so they ‘virtually fled’. This is good news as it shows we can put enough pressure on these threat actors to change behavior. Now the question is, can we continue to apply even more pressure / deterrence to stop future attacks? As for the decryptor key, remember that recovering data is only half the battle. Infected companies now have to rebuild all their systems to ensure their integrity, so there is a huge amount of work still ahead.
Read more in
- Updates Regarding VSA Security Incident
- Kaseya gets master decryptor to help customers still suffering from REvil attack
- The Kaseya Ransomware Nightmare Is Almost Over
- Kaseya obtains decryption key for victims of massive ransomware attack
- Kaseya obtains universal decryptor for REvil ransomware victims
Saudi Aramco Acknowledges Data Leak
Saudi Aramco says that some of its files were leaked as a result of a breach affecting a third-party contractor, and maintains that its own networks were not breached. Earlier this summer, the attacker demanded $50 million in cryptocurrency to delete the data they stole.
UK’s Northern Trains Ticket Kiosks Hit by Ransomware
Northern Trains, a publicly owned company that operates railways in the north of England, was hit with a ransomware attack. The attack prompted the company to take its self-service ticket kiosks offline.
- San Francisco’s Bay Area Rapid Transit (BART) suffered a similar ransomware impact back in 2016. Often, risk analysis efforts have a blind spot around kiosk and point of sale systems that generate a lot of revenue or reduce a lot of cost. As the old movie line goes: “Follow the money!”
Read more in
- Northern Train’s ticketing system out to lunch as ransomware attack shuts down servers
- Hundreds of touchscreen ticket machines are offline after a ransomware attack
Prison Sentence for Fatal Swatting Attack
A Tennessee man has been sentenced to five years in prison for his role in a swatting attack that resulted in death. Shane Sonderman and co-conspirators repeatedly digitally harassed a man who died of a heart attack after police were called to his home under false pretenses.
- The engagement often starts with an attempt to get credentials or otherwise obtain some desirable cyber account, which when ignored the gangs then escalate to various levels, ultimately initiating a sometimes fatal swatting attack. If you find yourself being harassed contact your local law enforcement to reduce the risks of a fatal engagement.
Vulnerability Leaves Password Hashes Exposed in Recent Versions of Windows
Some recent versions of Windows leave the SAM and SYSTEM hive exposed to be read by all local users. These hives contain hashed passwords, and are often the target of privilege elevation exploits. But as security researchers Jonas Lyk and Benjamin Delpy found, some recent versions of Windows leave these hives exposed as shadow copies. Initially, only the brand new beta of Windows 11 was found vulnerable, but additional research showed that some recent versions of Windows 10 are vulnerable as well.
- “Summer of SAM” as well as the remnants of “PrintNightmare” are offering two different relatively straight forward privilege escalation exploits to attackers. Make sure your end point visibility is sufficient to detect these attacks. As I am writing this, “Summer of SAM” is still developing. Watch out for guidance from Microsoft for mitigation and detection techniques. Do not fall for random “patches” that will be offered by malicious actors.
Hotfix Available for D-Link Router Vulnerabilities
Multiple vulnerabilities in the D-LINK DIR-3040 wireless router could be exploited to expose data, execute code, and cause denial-of-service conditions. D-Link has released a firmware hotfix to address the flaws. Users are urged to update to firmware version 1.13B03.
- So sad to see another hardcoded password. I will take the log disclosure vulnerability. But hardcoded passwords? And before I forget: Turn off internet access to administrative interfaces on these devices. Even if your router isn’t affected by this particular vulnerability.
- The update, released July 15th, addresses the five vulnerabilities, which include both hard-coded passwords and a telnet server which can be launched without authentication. The telnet server allows logging into the CLI using a default credential stored in the firmware. D-Link is working to further refine the update, so watch for added updates after you apply this fix now.
- Enterprises that use large numbers of these routers should systematically apply the fix. SOHO users who have only one or two may find it cheaper to simply replace or upgrade the device. Given that these vulnerabilities were more the result of design and intent, rather than error or omission, consider changing brands. That said, it is likely that many vulnerable devices will never be replaced or updated.
Read more in
- DIR-3040 :: Rev. Ax :: FW v1.13B03 :: CVE-2021-21816 / CVE-2021-21817 / CVE-2021-21818 / CVE-2021-21819 / CVE-2021-21820 - Multiple Vulnerabilities
- Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040
- D-Link issues hotfix for hard-coded password router vulnerabilities
CISA Alert AA21-200A – Tactics, Techniques, and Procedures of Indicted APT40 Actors
A Joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides information about the Chinese Advanced Persistent Threat (APT) group APT40. The advisory lists tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.
- These CISA alerts are great to direct your hunt team. You may not be a victim of this particular actor, but the same TTPs are used by others as well and these reports are a great reality check for your detection tools to make sure you have visibility where it matters.
- I welcome the focus on adversary behaviors (TTPs) over Indicators of Compromise (IoCs). If organizations can detect and respond to these TTPs, it will force the actor to change, which will cost them resources. Operate under assumed breach to focus on detecting adversary behaviors.
- While this focuses on APT40, the mitigations apply broadly and should be reviewed for general applicability in your organization. In combination, these mitigations are extremely powerful defenses, and many should look familiar. Hand the IOCs to your SOC to ensure they are incorporated in your SIEM, then check for any matches.
Read more in
- CISA Alert AA21-200A – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
REvil Disappearance Leaves Kaseya Victims in the Lurch
The REvil ransomware group’s disappearance from the Internet has left some of its victims in a tough spot. Victims lacking adequate backups currently have no recourse unless the REvil operators release the master keys or law enforcement seizes the keys. One unnamed victim paid the ransom but the key they received did not work to decrypt their data.
- Don’t plan on the ransomware operator providing you a working decryption key or tool, and don’t expect them to remain in business/reachable. This becomes even more complex with services such as REvil which offers services to affiliates, but you have no direct interaction with the affiliate. Focus now on being prepared for a ransomware attack: disconnected differential backups, updated user training, MFA your accessible services, and administrator accounts, verify you are running secure configurations and patches/updates are applied in a timely fashion. Leverage the StopRansomware.gov site for even more comprehensive guidance.
Read more in
- What’s Next Step for REvil Ransomware Victims?
- Kaseya victim struggling with decryption after REvil goes dark
Law Firm Discloses February Ransomware Attack
A law firm that handles cases for “dozens of Fortune 500 and Global 500 companies” has acknowledged that it suffered a ransomware attack in February 2021. Campbell Conroy & O’Neil, P.C., says that the attackers compromised client information, including “names, dates of birth, driver’s license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials.”
- The information release so far does not detail how the malware got installed, but odds are very high it started with a phishing attack that compromised reusable passwords. This is a good item to show your Chief Legal Counsel to get some backing for requiring all privileged accounts to use multi-factor authentication and checking that key services firms (like law firms) are doing so.
- Campbell is offering 24 months of credit monitoring, fraud consultation and identity theft restoration to individuals with compromised SSNs or equivalent. Because Campbell is a legal firm, one would expect they would rely on their ability to litigate as an attack response; even so, ransomware preparedness and cyber hygiene must be in place no matter who you are.
Read more in
- Ransomware hits law firm counseling Fortune 500, Global 500 companies
- Law firm for Ford, Boeing, Exxon, Marriott, Walgreens and more hacked in ransomware attack
- Campbell Conroy & O’Neil Provides Notice of Data Privacy Incident
Moldova Court of Accounts Suffers Cyberattack
The Moldovan Court of Accounts has suffered a cyberattack that wiped out its data, including its audits of public financial organizations and government agencies. The Court of Accounts has taken down its website while it investigates the attack and restores its data.
Microsoft Takes Down 17 Domains Used in Business eMail Compromise Campaign
Microsoft obtained a court order that allowed the company to take down malicious “homoglyph” domains that are being used to conduct fraud. In all, Microsoft took down 17 domains that were crafted to appear legitimate through variations in spelling or the use of characters that are similar in appearance.
- A homoglyph is one of two or more graphemes, characters or glyphs with shapes that appear identical or very similar. The idea is that user@legitdomain.com and user@homoglyph.com are visually identical so the message will be accepted as genuine. E.g., replacing upper case I with lower case L. The attack targeted small businesses in North America and solicited a fraudulent wire transfer using the logos and otherwise legitimate email addresses from the business they were impersonating.
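The defensive counterpart to the trick described above is to compare domains after collapsing visually confusable characters. The following Python script is an added example (not code from the SANS item, Microsoft's court filing, or any of the linked articles): it reduces both a sender's domain and each trusted domain to a "skeleton" in which confusable characters and pairs (Cyrillic а for a, upper case I and 1 for l, rn for m) map to one canonical form, decodes punycode labels first so non-Latin letters are visible, and flags a sender whose skeleton matches a trusted domain without being that domain. The trusted-domain list, confusable table and sample addresses are constructed; the table is a small subset of the Unicode confusables data.

```python
"""Flag sender domains that are homoglyph look-alikes of trusted domains.

Added example, not code from the SANS item or from Microsoft's case.
TRUSTED_DOMAINS, the confusable table and the sample addresses are all
constructed for illustration; the table is a small subset of Unicode's
confusables data.
"""
import unicodedata

# Constructed: domains whose mail this fictional organisation treats as genuine.
TRUSTED_DOMAINS = ["microsoft.com", "paypal.com", "apple.com"]

# Single characters that render like a Latin letter (subset, assumption).
CONFUSABLE_CHARS = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "\u04cf": "l",  # Cyrillic palochka
    "i": "l", "1": "l", "|": "l",   # i, l, 1, | (and I, via lower()) collapse to l
    "0": "o",
}
# Character pairs that render like one letter.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]


def to_unicode_domain(domain):
    """Decode IDNA/punycode labels (xn--...) so non-Latin letters are visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed punycode: compare as-is


def skeleton(domain):
    """Canonical form in which confusable spellings collide."""
    s = unicodedata.normalize("NFKC", to_unicode_domain(domain)).lower()
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    A domain that *is* a trusted domain is not a look-alike."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    sk = skeleton(domain)
    for t in trusted:
        if skeleton(t) == sk:
            return t
    return None


def check_sender(address, trusted=TRUSTED_DOMAINS):
    """Report the trusted domain an e-mail address's domain impersonates."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return None
    return lookalike_of(domain, trusted)


if __name__ == "__main__":
    # Constructed sample senders: three look-alikes, one genuine, one unrelated.
    for addr in ("billing@rnicrosoft.com", "ap@paypaI.com",
                 "support@xn--pple-43d.com", "alice@paypal.com", "bob@example.com"):
        print(f"{addr:30s} -> {check_sender(addr)}")
```

The skeleton comparison deliberately errs toward flagging: it treats a match as a reason to hold the message for review, not proof of fraud, and a production version would load the full Unicode confusables table rather than the hand-picked subset here.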
Read more in
- Microsoft takes down domains used to scam Office 365 users
- Microsoft secures court order to take down malicious ‘homoglyph’ domains
- In the United States District Court for the Eastern District of Virginia | Microsoft v. John Does 1-2…
MITRE Engenuity Evaluates ICS Cybersecurity Solutions
MITRE Engenuity has published the results of its evaluation of five industrial control systems (ICS) cybersecurity solutions. The solutions were voluntarily submitted by Armis, Claroty, Microsoft/CyberX, Dragos, and the Institute for Information Industry. The report examines the solutions’ responses to a simulated Triton attack.
- I’m a big fan of more testing for security products and in general the MITRE Engenuity ATT&CK evaluations are well done. But MITRE admits they do *not* directly address false positives. With so many products claiming to use machine learning/artificial intelligence to raise detection rates, false positive rates (or how much tuning is required to keep false positives at a workable level) is key to evaluating. These evaluations can give you good data on doing your own POC/bakeoff, but don’t replace the need to do so.
- All testing has limitations, late testing particularly so. Not all systems are as easily tested as others; complex systems should be designed to facilitate effective testing. Tests should be part of the product specification (rather than something thought up after the fact). Testing should be continuous throughout development, from component testing to final system test. Testing should first demonstrate that the system performs as intended and only then that it is resistant to attack. The attack modes should be identified and addressed during development rather than sprung as a surprise at the end.
Read more in
- TRITON ICS Evaluation 2021
- Open and fair evaluations based on ATT&CK®
- ICS security evaluations may help improve detection of subtle attack clues
- MITRE announces first evaluations of cybersecurity tools for industrial control systems
DoJ Charges Alleged Members of Chinese Hacking Group
The US Department of Justice (DoJ) has unsealed an indictment charging four Chinese citizens with conspiracy to commit computer fraud and conspiracy to commit economic espionage. The individuals allegedly participated in “a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.”
Read more in
- Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research
- DOJ charges four members of Chinese government hacking group
- US indicts members of Chinese-backed hacking group APT40
- US Accuses China of Using Criminal Hackers in Cyber Espionage Operations
US Formally Blames China for Exchange Server Attacks
The US, along with a group of allies and partners, has accused the People’s Republic of China of being responsible for the Microsoft Exchange server attacks earlier this year and of exhibiting a “pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world.” The Biden administration has not issued formal sanctions against China’s government.
- This action triggered two bulletins: one in Top of the News and one below. The actions behind making the accusation and implementing the sanctions are long and complex and, while welcome, should not change your approach to defending your systems, nor should you expect a measurable decrease in attempted attacks.
- This is significant in the manner that it was coordinated and announced not only by the US but by NATO, the European Union, Australia, England, Canada, Japan, and New Zealand. At the same time, the US Department of Justice charged four Chinese nationals. The pressure on both China and Russia to stop protecting malicious actors operating out of their country will hopefully result in a positive outcome but we will have to wait and see.
Read more in
- The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China
- U.S., allies accuse China of hacking Microsoft and condoning other cyberattacks
- US: Chinese Government Waged Microsoft Exchange Attacks
- US, allies blame China-linked hackers for Microsoft Exchange breach
CISA Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs
A Joint Cybersecurity Advisory from the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides technical details about the tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. The “advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.”
- Even if you’re not worried about APTs, read the information as to how a well-resourced adversary operates to better understand how you could be compromised. The information includes detection, defenses and mitigation options for most actions. Many of these are things that you should already be doing.
- The TTP that jumped out the most for me on this one was the use of steganography to hide stolen data inside of other files stored on GitHub. This is very difficult to detect and probably not the focus of most organizations. As your detections mature, take a look at the more sophisticated TTPs for detection and response.
SonicWall Warns of Active Attacks Against VPN Appliances
SonicWall has issued an urgent security notice warning of active attacks “targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware.”
- These vulnerabilities have been known for months, and have been exploited for months. You will need to decommission these devices or if possible upgrade them to a 9.x or 10.x firmware. Upgrades will likely require a valid subscription. Remember that many security devices will work only if you continue to pay subscription fees.
- Attackers will always focus their efforts on our blind spots. As endpoint protection has evolved dramatically in recent years to provide greater visibility to the desktop, we’ve seen an increase in attacks against security appliances, such as firewalls and VPN concentrators, where endpoint security products can’t be installed. This attack is focused on an SMB product line, but enterprise products from Cisco, Juniper, F5, Palo Alto Networks, and Citrix have had similar issues within the last year. Earlier this week, Microsoft reported attacks against the SolarWinds Serv-U product being launched from compromised home routers. So, this serves as a great reminder that “appliances” should be included in your regular patch and vulnerability management program, and organizations should consider the risk and impact if an employee’s home router is compromised, as well.
- VPNs are still the predominant remote access to the corporate network and remain a critical boundary protection device. As such, you need to keep them secured, patched and current. While implementing MFA, verifying the security and patching them with nominal disruption is tricky enough; you need to add lifecycle replacement to your list. That means you’re going to have to identify and implement the replacement early enough to have the users cut over before the old solution goes out of support. Then you need to retire the old one, as in dispose of it, to avoid the temptation to fall back to an unsupported, no longer secure solution.
Read more in
- Urgent Security Notice: Critical Risk To Unpatched End-Of-Life SRA & SMA 8.X Remote Access Devices
- SonicWall releases urgent notice about ‘imminent’ ransomware targeting firmware
- SonicWall Warns Firewall Hardware Bugs Under Attack
- SonicWall warns of ‘critical’ ransomware risk to EOL SMA 100 VPN appliances
WooCommerce Releases Fix for Critical Flaw in WooCommerce Block
The developers of the WooCommerce e-commerce platform for WordPress have released updates to address a critical SQL-injection vulnerability that is being actively exploited. The issue affects the Woo Commerce Block feature, which is installed on more than 200,000 WordPress sites.
- You MUST patch this vulnerability today. This vulnerability is already being exploited.
- Updates were released to all vulnerable versions, about 90 updates in total. This means you can update to a fixed version without having to worry about compatibility issues. That said, you still need to press forward to get to the latest versions of these plugins if you’re continuing to use them. Note that the Wordfence paid version had two firewall rules to detect and block exploitation as of July 14th and 15th. The free version will get these rules August 13th and 14th.
Read more in
- Critical SQL Injection Vulnerability Patched in WooCommerce
- WooCommerce fixes vulnerability exposing 5 million sites to data theft
- Zero-Day Attacks on Critical WooCommerce Bug Threaten Databases
US Government Reveals Measures to Fight Ransomware
The Biden administration has revealed several measures aimed at preventing ransomware attacks. US State Department will pay up to $10 million for information about cyberattacks that target the country’s critical infrastructure and were conducted “at the direction or under the control of a foreign government.” There are also plans to cut ransomware operators off from cryptocurrency, and the Cybersecurity and Infrastructure Security Agency (CISA) has launched the Stop Ransomware website which will serve as a clearinghouse for resources to help businesses and state and local governments protect their networks.
- These are all good things but what is missing here is the most proactive step: the US government driving increased use of multi factor authentication to replace reusable passwords in government and critical infrastructure applications. President Biden’s Executive Order on cybersecurity did emphasize MFA – the publicity around ransomware should be used to make gains in eliminating reusable passwords before attention moves on.
- The trick is to disrupt the effectiveness of the tactics used with ransomware. A multi-faceted, multi-agency effort is underway to do this and includes task forces and rewards for information on ransomware gangs and even conferences. The StopRansomware.gov web site is set up to deliver information regarding what ransomware is, what to do if compromised, and how to avoid it. Core to avoidance is good cyber hygiene and good user behavior. The site breaks this down into understandable bites and has references from multiple sources to help preparedness. Conduct a ransomware tabletop exercise to see how prepared you really are. Implement any lessons learned, look at adding this to your annual DR exercise.
- I somehow feel we are still very much in the wild-wild west stages of cybersecurity. Instead of WANTED posters being posted on the frontier cities of the old cowboy days, we have cyber WANTED posters for the international community. It’s a step in the right direction (we are no longer homesteaders on our own having to protect the farm) but we have so much further to go (we need the sheriffs to help enforce international law). I checked out the CISA new ransomware site and love it! The problem we have in the US is that so many organizations are putting out information (CISA, FTC, FBI, NCSA, IRS), it can be both overwhelming and conflicting for its citizens.
- These measures may change the risk/reward of ransomware and reduce the efficiency of the black market. In the meantime, enterprises need to reduce the attack surface and raise the cost of attack. Consider strong authentication, structured networks, and least privilege access control.
Read more in
- Biden administration stepping up efforts to respond to ransomware attacks
- Rewards for Justice – Reward Offer for Information on Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure
- Stop Ransomware
- U.S. Government Offers $10 Million for Info on Hackers Targeting Critical Infrastructure
- The White House Announces Additional Steps To Combat Ransomware
- US government launches plans to cut cybercriminals off from cryptocurrency
- Agencies Unveil Plans to Fight Ransomware—Including Paying for Tips
- White House announces $10 million bounty for state sponsored cybercriminals
- US State Department offering $10 million reward for state-backed hackers
- State Dept. to Pay Up to $10M for Information on Foreign Cyberattacks
REvil Ransomware Websites Offline
According to multiple researchers, websites related to the REvil ransomware have been taken offline. It is not clear why the sites are unavailable; they have been unreachable since Tuesday, July 13.
- Ransomware gangs need to be careful to attract just the right amount of attention and notoriety. Too little, and victims will not pay as the actor is not yet established as reliable. Too much and law enforcement will take note and pressure ISPs / Registrars to disconnect payment sites even if the individuals themselves are out of reach. It is very possible that REvil is just rebranding or selling assets to a different group.
- As exciting as the prospect is of them being shut down, hold the applause until you see an announcement from law enforcement stating they took them down. Otherwise, expect them to re-emerge, probably from a different locale.
Read more in
- REvil ransomware gang’s websites vanish soon after Kaseya fiasco, Uncle Sam threatens retaliation
- REvil websites down after governments pressured to take action following Kaseya attack
- REvil Ransomware Site Goes Offline
CISA: Agencies Must Mitigate PrintNightmare Vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive (ED) instructing federal agencies to take action to protect systems from being attacked through the Windows Print Spooler service vulnerability known as PrintNightmare. The ED lists six actions that agencies must complete by Wednesday, July 21.
- All agencies are required to disable print services on AD controllers, apply the patches to all Windows servers and workstations, then either disable print spoolers or restrict installation of printer drivers to administrators via GPO or registry keys, by July 20th. These are good practices to consider even if you’re not impacted by this directive. Don’t forget to address cloud-based Windows servers or workstations, whether directly or indirectly (third-party) managed.
Read more in
- Emergency Directive 21-04 | Mitigate Windows Print Spooler Service Vulnerability
- CISA orders federal agencies to patch Windows PrintNightmare bug
- CISA orders agencies to disable Microsoft Print Spooler in response to ‘PrintNightmare’ flaw
- CISA Emergency Directive: Patch ‘PrintNightmare’ Flaw
Microsoft Patch Tuesday Includes Fix for PrintNightmare
On Tuesday, July 13, Microsoft released fixes for nearly 120 security issues, including 13 that are rated critical. Four of the flaws are being actively exploited. One of the critical flaws addressed in the updates is the PrintNightmare print spooler vulnerability. Microsoft also fixed a pair of privilege elevation vulnerabilities reportedly exploited by Candiru spyware.
- This update includes fixes for four zero-day flaws, and the official patch for PrintNightmare. Even with this fix, look to restrict print driver installation to administrators only as the CISA ED 21-04 suggests. Don’t lose sight of the other updates released, including fixes for SharePoint and Exchange which deserve special attention due to their exploitability.
- Pro tip: you can gauge the quality of your pentesters with this kind of vulnerability. Yes, they can probably move laterally and escalate privilege, but can they give you viable recommendations that fit your operations model? Do those recommendations apply to just this vuln-of-the-day, or are they generally applicable to your vulnerability management program?
Read more in
- Microsoft Releases Patches for 4 Exploited Zero-Day Flaws
- What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft
- Microsoft fixes 117 vulnerabilities, four exploited in the wild
- Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed
- Microsoft Patch Tuesday, July 2021 Edition
Microsoft Discloses New Windows Print Spooler Flaw
Microsoft has shared information about a new, as-yet unpatched vulnerability affecting Windows Print Spooler. This vulnerability is separate from the PrintNightmare flaw; it is a local privilege elevation vulnerability that “can only be exploited locally to gain elevated privileges on a device.” The flaw has been given a CVSS score of 7.8.
- The Windows Print Spooler is the gift that keeps on giving. The reason is an architectural choice made many Windows versions ago. Printer drivers are code provided by users, and this code executes as System. This will not be fixable unless you heed Microsoft’s advice and disable users’ ability to provide printer drivers. Everything else will just be a bandaid until the architecture is fixed in a future Windows version.
- Vulnerabilities that require device access to exploit do not result in large scale or widespread attacks.
Read more in
- Windows Print Spooler Elevation of Privilege Vulnerability
- Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability
- Microsoft shares guidance on new Windows Print Spooler vulnerability
Adobe Patch Tuesday
On Tuesday, July 13, Adobe released updates to address 28 security issues affecting Acrobat and Reader, Framemaker, Illustrator, Dimension, and Bridge. 22 of the flaws are rated critical.
- The Acrobat and Reader flaws are a priority 2, as in no active exploit but historically targeted application, while the others are a priority 3 as they are not a historically targeted platform. Even so, the base CVSS scores suggest not sitting on these updates. Typically users need to close these applications before an update can be performed, and with the Microsoft patches queued up, it’d be a good time for a forced reboot to ensure that happens.
- Patching is a necessary but expensive way to achieve software quality. Consider applications in the cloud and thin clients to reduce your cost.
Read more in
- Recent bulletins and advisories
- Adobe Patches 11 Critical Bugs in Popular Acrobat PDF Reader
- Adobe updates fix 28 vulnerabilities in 6 programs
ICS Patch Tuesday: Siemens and Schneider Electric
Siemens has released 18 security advisories that address nearly 80 vulnerabilities in its products. Schneider Electric has released six advisories that address 25 vulnerabilities in a variety of the company’s products. Among the flaws for which Schneider has released fixes is a critical authentication bypass issue in Schneider Electric Modicon programmable logic controllers (PLCs).
- As other items point out, July will be a busy patching month and IT resources that support OT patching may be consumed dealing with the volume of Microsoft, Adobe and VPN patches. Good idea to review segmentation and monitoring around any Siemens and Schneider device usage.
Read more in
- ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities
- Siemens Security Advisories
- Cybersecurity Support Portal
- Schneider Electric Security Notification | 13-Jul-21 Document Reference Number – SEVD-2021-194-01
- Researchers find big flaw in a Schneider Electric ICS system popular in building systems, utilities
Tools From Spyware Vendor Candiru Exploited Windows Zero-Days (Now Patched)
Citizen Lab and Microsoft report that cyberespionage tools made by an Israeli spyware company have been used by governments to snoop on journalists, politicians, human rights activists and others. Some of the tools exploited vulnerabilities in Windows which were patched earlier this week.
- The Citizen Lab report not only outlines the malware functionality, C&C infrastructure and how to identify it, but also shows the lucrative nature of this sort of offering. Apply the patches, and keep an eye on the IOCs as a well-funded group like this will find other ways to exploit systems.
Read more in
- Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus
- Fighting cyberweapons built by private businesses
- A private Israeli firm has helped governments hack journalists and human rights advocates
- Mysterious Israeli Spyware Vendor’s Windows Zero-Days Caught in the Wild
- Microsoft: Israeli firm used Windows zero-days to deploy spyware
- Microsoft, Google, Citizen Lab blow lid off zero-day bug-exploiting spyware sold to governments
Kaseya Patch Progress
Kaseya reports that it has released a patch for VSA on-premises customers and has deployed the fix to its VSA software-as-a-service (SaaS) infrastructure. While the VSA SaaS update was complete by 8AM ET on Monday, July 12, Kaseya performed “unplanned maintenance” across its SaaS infrastructure later that afternoon to address performance issues caused by so many users coming back online at the same time. That maintenance was complete as of 3:30 PM ET on July 12.
- The patch does alter some of the VSA module’s functionality. Read Kaseya’s documentation for details. Kaseya published a hardening guide for on premise customers to go with the patch. It strongly recommends first verifying that the system is not already compromised, and Kaseya does offer links to tools to assist. Users will need to reset passwords after applying the patch.
- Restarting services after an outage is tricky and requires planning, practice, and communications to prevent a crash or other denial of service. While you have plans for limited scope maintenance outages, have you looked at what happens if you had to turn everything off and on? If you’re using dynamic scaling, do you have a sufficient minimum level of services before turning the entry point (typically a load balancer/WAF) on? Did you remember to include the state of supporting services? Now that you’ve got that figured out on-premise, talk to your cloud and outsource providers about what their plans are and how it impacts your users.
Read more in
- Important Notice July 12th, 2021
- Kaseya claims SaaS restoration going swimmingly
- At long last: Kaseya restores VSA services shelved after ransomware row
- Kaseya ransomware attack: What we know now
- Kaseya issues patch for on-premise customers, SaaS rollout underway
- Kaseya Releases Security Patch as Companies Continue to Recover
Colorado Passes Consumer Data Privacy Law
Colorado is the third state, after California and Virginia, to enact a consumer data privacy law. Under the new law, Colorado residents can opt out of allowing businesses operating within the state to collect, store, and sell their information. The Colorado Privacy Act takes effect in 2023.
- Ideally, before this takes effect in July 2023 there will be national privacy legislation to set a standard minimum level across all states in the US. The Colorado wording has lots of exclusions compared to California and Virginia and, like CA and VA and most draft state legislation, includes the requirement for a Data Protection Assessment but doesn’t define the term. The EU GDPR regime published a template for the Data Protection Impact Assessment required by GDPR; it can be found at gdpr.eu: Sample DPIA template (PDF)
- Having additional states pass privacy laws raises the bar and complicates things for organizations doing business in multiple locations. You’re going to have to make sure your employees are trained on the requirements to fully comply with the regulations. The training program has to be derived from the data you collect and process, and builds on cyber hygiene practices such as only collecting the minimum amount of required data, not storing it any longer than needed, protecting it at rest and in transit, as well as defining what actions a request to “be forgotten” entail.
- Not sure how much this helps. With each state pushing to have its own privacy laws it becomes a nightmare for business to adhere to them. Sooner or later we most likely will need some type of single, encompassing federal privacy law that organizations can follow.
Read more in
- Colorado’s new law ups need for privacy awareness training
- Colorado Gov. Polis signs data privacy act
SolarWinds Releases Hotfix for Serv-U Vulnerability
SolarWinds has released a hotfix to address a remote code execution vulnerability in its Serv-U Managed File Transfer and Serv-U Secured FTP products that is being actively exploited. The issue affects Serv-U versions 15.2.3 HF1 and earlier. SolarWinds learned of the vulnerability from Microsoft.
- Serv-U is a distinct product implementing remote access via SSH. Not all SolarWinds customers will have this component installed. If you do have it installed, review your logs for access from odd source IPs. This component has already been exploited in some targeted attacks.
Read more in
- Serv-U Remote Memory Escape Vulnerability
- SolarWinds patches critical Serv-U vulnerability exploited in the wild
- Solarwinds Confirms New Zero-Day Flaw Under Attack
- SolarWinds issues software update – one it wrote for a change – to patch hole exploited in the wild
- SolarWinds releases security advisory after Microsoft says customers ‘targeted’ through vulnerability
- SolarWinds Discloses Zero-Day Under Active Attack
Hackers are Increasingly Targeting Remote Management Tools
The Kaseya attack is just one example of cyber threat actors targeting remote management tools. Researchers attending the Black Hat conference next month plan to present techniques they used to take control of Jamf, a tool used to help manage large numbers of machines. Jamf’s CISO says the research being presented does not indicate vulnerabilities in the tool, but does underscore the need for secure configuration.
- Defenders seem more careful lately about exposing RDP to the internet, but penetration testers (and attackers!) still find remote management services and even SIEMs exposed. When they are, it’s often a matter of guessing single-factor user credentials, trying manufacturer default credentials, or firing the latest exploit from Metasploit or Github. These become much harder targets when access is restricted to necessary source IPs or when they’re behind multifactor VPNs – patched and well-configured!
- Fifteen months of extreme telecommuting has driven a huge spike in remote management and remote access services, which already were targets. With an increasingly target rich environment, you need to make sure that your services are properly secured, maintained, and identified. Look for new or unauthorized entry points, and make sure they are either converted to your enterprise solution or managed and secured to the same level as those enterprise options. This is more than war-dialing to find modems; this is now looking for connections to remote access cloud services as well as exposed services at your perimeter.
Read more in
DOD OIG: Additive Manufacturing Systems Expose DoD Network to Security Risks
According to a report from the US Department of Defense Office of Inspector General (DoD OIG), DoD failed to properly secure additive manufacturing systems (3D printers and associated workstations) because they were categorized as tools instead of IT. According to the report, “the DoD uses AM to create molds for personal protection body armor, parts for tactical vehicles, brackets for weapons systems, and medical implants and prostheses (artificial body parts). The DoD also uses AM to create spare parts on demand, which reduces the need to store or maintain large on hand inventories, allowing units to relocate quickly if mission requirements change.” The report recommends including additive technology in the DoD IT systems portfolio and upgrading all additive manufacturing systems to Windows 10.
- Additive Manufacturing is specialized IT, aka OT. It provides incredible just-in-time capabilities, and just like a CNC machine, it needs to be properly segmented, updated and monitored. Also like those CNC machines, they may not be able to run current operating systems, which drives the need to have additional protections. Remember you’re not only protecting them from inappropriate access, you are also protecting the rest of your network from potentially higher risk devices just like other OT components.
Read more in
- Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098)
- Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (PDF)
- DOD’s 3D printers are vulnerable to hackers, IG finds
Intezer: Global Phishing Campaign Targets Energy Sector
Researchers from Intezer “found a sophisticated [cyber] campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries.” The threat actors gain an initial foothold in targeted systems through highly tailored spear phishing attacks.
- Make sure that your endpoint protections can detect fileless malware. This attack is using spoofed email and typosquatting to trick users into clicking. Make sure that you’ve implemented DMARC/DKIM/SPF in reject mode to reduce the likelihood of messages slipping through. With everything else going on, make sure that you didn’t put UAT on hold; studies have shown that information gets “stale” in under six months without reinforcement.
- Phishing has always been a primary attack vector (see VZ DBIR for past four years) simply because it works. What has changed is cyber attackers are continuing to improve their phishing kung fu, gaining better intel on their intended targets and learning what emotional triggers are the most effective. To prevent these types of attacks requires both technical controls and human training. No, AI is not going to solve this one.
Read more in
- Global Phishing Campaign Targets Energy Sector and its Suppliers
- Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign
Patch Available for Actively Exploited Flaw in ForgeRock Access Management
ForgeRock has released an update to fix a critical pre-authorization remote code execution flaw in its Access Management platform. The flaw is being actively exploited. It affects Access Management versions older than 7.0 running on Java 8. Users are urged to apply the patch or one of the workarounds suggested in the ForgeRock security advisory.
Read more in
- Patch Fixing AM Vulnerability Now Available for ForgeRock AM 6.x
- AM Security Advisory #202104
- ForgeRock Open AM critical vulnerability
- Critical ForgeRock Access Management Vulnerability
- Critical RCE Vulnerability in ForgeRock OpenAM Under Active Attack
Cisco IP Desk Phone Vulnerabilities
Vulnerabilities in multiple models of Cisco IP desk phones could be exploited to eavesdrop on phone calls and to bug the rooms they are in. An attacker would need physical access to the targeted device to exploit the flaws. Cisco has released updates to address the vulnerabilities.
- Knowing what is connected to your network and categorizing what you find is one of the essential security hygiene requirements, such as in Implementation Group 1 of the CIS Critical Security Controls. Many Network Access Control products can identify or categorize IP phones or IoT devices that are detected on your networks.
- The vulnerability is in the Broadcom chipset, which means that a complete fix requires both Cisco and Broadcom updates. Exploitation needs physical access, removing the backplate, and sending specific impulses to the chipset, meaning unattended devices (in conference rooms, hallways, lobbies, etc.) are possible targets. Make sure you’re applying Cisco’s hardening and securing practices. Think of these as small computers, not just phones, when looking at risks. Check the Cisco site to see if you’re running impacted devices. If you are, deploy the update and keep an eye out for further patches.
Read more in
- Broadcom MediaxChange Vulnerability Affecting Cisco Products: July 2021
- An Office Phone Flaw Can’t Be Fixed by Cisco Alone
Ransomware Attacks Against School Systems on the Rise
The Multi-State Information Sharing and Analysis Center (MS-ISAC) observed a 19 percent increase in reported ransomware attacks against school districts between 2019 and 2020, and is projecting an 86 percent increase this year. Most school districts lack the cyber defenses of private organizations, and because so many districts are teaching remotely, every student device could be considered a point of entry for cyber criminals.
- As a father of three, stories like this break my heart. Most elementary schools are struggling to just teach the next generation. Ransomware attacks can devastate not only networks and budgets but the future lives of kids. Remember, cyber criminals have no ethics; absolutely anyone is a target. Until there is pain applied to the cyber criminal community, they will simply continue.
Read more in
CNA Financial Sends Breach Notification Letters About March Ransomware Attack
CNA Financial Corp. has begun notifying customers that their personal information may have been compromised during a March 2021 ransomware attack. The compromised data include names, Social Security numbers, and health benefits information. CNA reportedly paid $40 million to the ransomware operators.
- CNA is ranked as the seventh-largest commercial insurance provider in the U.S. and was a target of the Phoenix CryptoLocker attack. This ransomware uses remote desktop and compromised credentials to get a foothold. It even masquerades as legitimate software signed by “Saturday City Limited.” Make sure that your exposed services don’t allow reusable credentials. Never expose RDP directly to the Internet; place it behind a VPN with multi-factor authentication. Check regularly for newly exposed access paths, and either secure or remove them.
Read more in
- CNA Discloses Breach Related to March Ransomware Attack
- Insurance giant CNA reports data breach after ransomware attack
- Sample Notification Letter
Easterly Confirmed as CISA Director
The US Senate has unanimously confirmed Jen Easterly as director of the Cybersecurity and Infrastructure Security Agency (CISA). The agency has lacked an official director since November 2020, when Christopher Krebs was fired.
- Brandon Wales has been acting director since November 2020 and doing a great job, but it will be easier for CISA to move forward with a formally appointed leader. Easterly is the third cyber position in the Biden administration with roots in the NSA, joining Chris Inglis, national cyber director and Anne Neuberger, National Security Council.
Read more in
- US Senate Approves Jen Easterly As CISA Director
- US Senate confirms Jen Easterly as head of cyber agency
- Senate confirms former White House, NSA official Jen Easterly as CISA director after delay
Kaseya Plans to Have VSA SaaS and On-Premises Updates Ready by Sunday, July 11
Kaseya is still working on patching both the software-as-a-service (SaaS) and the on-premises versions of its VSA software. The attackers managed to infect about 60 Kaseya on-premises customers, and from there, infect about 1,500 of those customers’ clients with REvil ransomware. Kaseya plans to have patches available for SaaS and on-premises VSA software by 4PM EDT Sunday, July 11. Kaseya has released a start-up readiness guide for on-prem VSA customers to “ensure [their] VSA server(s) is prepared to receive the VSA release patch, which contains critical security fixes.”
- Be aware of fake updates circulating. These fake updates will attempt to install backdoors instead of fixing the flaw. Be careful with any detection tools, patches, or protection tools distributed and always verify the source as well as the integrity of the file.
- The Kaseya article below lays out what you need to do for an on-premise server to prep for the upcoming patch, including isolation and checking for provided IOCs. Note that they have an agreement with FireEye to provide complimentary endpoint security agents for your VSA server which you should implement.
Read more in
- Kaseya Announces New Service Restoration Date
- Kaseya offers pre-patch instructions for on-prem VSA customers
- On Premises VSA Startup Readiness Guide – July 7th, 2021
PrintNightmare Emergency Fix Can be Bypassed
Microsoft issued an emergency patch to address the critical Windows print spooler vulnerability known as PrintNightmare, but the patch falls short. Hours after Microsoft released the patch, researchers demonstrated that it could be bypassed.
- Windows suffers from an architectural problem in running printer drivers as SYSTEM. The only way to properly mitigate this risk is to allow only administrators to install printer drivers. The latest patch does offer this option and it should be enabled.
- If you’ve already pushed out the patch, as many did, enable the “RestrictDriverInstallationToAdministrators” registry value to only allow administrators to install printer drivers. If end users are operating with administrative privileges on their endpoints, make sure that UAC is set to always prompt for credentials, which slows inadvertent installations. Other UAC settings have historically had bypass options which reduces their effectiveness. Test these settings before deploying widely.
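One way to audit, and optionally apply, the Print Spooler hardening recommended here and in the CISA ED 21-04 item above (stopping the spooler on domain controllers, setting RestrictDriverInstallationToAdministrators, and keeping the two related Point and Print values at their safe defaults), as an added PowerShell example that is not from the original newsletter or from Microsoft. The registry key path is the one Microsoft's Point and Print guidance uses; the function names are this example's own, and it assumes an elevated session on the host being checked.

```powershell
# Added example: audit and (optionally) apply Print Spooler hardening.
# The key path below is the one Microsoft's Point and Print guidance uses;
# the function names are this example's own, not a Microsoft API.
# Run in an elevated PowerShell session on the host you are checking.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintSpoolerHardeningState {
    # Collect what an auditor needs: is this a domain controller, is the
    # spooler running, and what do the three Point and Print values hold.
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $pp   = $null
    if (Test-Path -Path $PointAndPrintKey) {
        $pp = Get-ItemProperty -Path $PointAndPrintKey
    }
    $status    = 'NotInstalled'
    $startType = 'NotInstalled'
    if ($svc) {
        $status    = [string]$svc.Status
        $startType = [string]$svc.StartType
    }

    [pscustomobject]@{
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
        IsDomainController                         = ($role -ge 4)
        SpoolerStatus                              = $status
        SpoolerStartType                           = $startType
        RestrictDriverInstallationToAdministrators = $pp.RestrictDriverInstallationToAdministrators
        NoWarningNoElevationOnInstall              = $pp.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $pp.UpdatePromptSettings
    }
}

function Test-PrintSpoolerHardening {
    # Returns a list of findings; an empty list means the host matches the
    # recommended state. Takes a state object so it can also be run against
    # data collected from other hosts.
    param([pscustomobject]$State = (Get-PrintSpoolerHardeningState))

    $findings = @()
    if ($State.IsDomainController -and $State.SpoolerStatus -ne 'Stopped') {
        $findings += 'Print Spooler is running on a domain controller; stop and disable it.'
    }
    if ($State.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not explicitly 1; non-admins may be able to install printer drivers.'
    }
    # For these two values 0 (or absent) is the safe setting; non-zero values
    # suppress the warning and/or elevation prompt Point and Print normally shows.
    if ($null -ne $State.NoWarningNoElevationOnInstall -and $State.NoWarningNoElevationOnInstall -ne 0) {
        $findings += 'NoWarningNoElevationOnInstall is non-zero; Point and Print installs skip the elevation prompt.'
    }
    if ($null -ne $State.UpdatePromptSettings -and $State.UpdatePromptSettings -ne 0) {
        $findings += 'UpdatePromptSettings is non-zero; driver updates skip the warning or elevation prompt.'
    }
    return ,$findings
}

function Set-PrintSpoolerHardening {
    # Applies the recommended values. Use -DisableSpooler on domain
    # controllers and on any host that never needs to print.
    param([switch]$DisableSpooler)

    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'UpdatePromptSettings' -Value 0 -Type DWord

    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# Usage: report findings, then remediate once you have tested on a pilot group.
$findings = Test-PrintSpoolerHardening
if ($findings.Count -eq 0) {
    Write-Output 'Print Spooler hardening: OK'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Uncomment to apply; disables the spooler only when this host is a DC.
    # Set-PrintSpoolerHardening -DisableSpooler:(Get-PrintSpoolerHardeningState).IsDomainController
}
```

Test-PrintSpoolerHardening reports an absent RestrictDriverInstallationToAdministrators value as a finding on purpose: whether the absent value is safe depends on which cumulative update the host has, so setting it explicitly removes the ambiguity.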
Read more in
- Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability
- Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say
- Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability
Cyberinsurance Companies Respond to Ransomware Situation
The insurance industry is taking steps to address the issue of ransomware. In June, a consortium of seven major cyber insurers established CyberAcuView, which “will compile and analyze cyber-related data to enhance value and service to policyholders and help ensure a competitive market for cyber insurance.” And earlier this month, the American Property Casualty Insurance Association (APCIA) published its Cyber Extortion/Ransomware Guiding Principles.
- In the long run, an effort like CyberAcuView could have positive impact by standardizing insurer requirements for “essential security hygiene” based on meaningful standards such as the CIS Critical Security controls. But, two things to keep in mind: (1) Long term means no likely meaningful impact before 2023 at the earliest; and (2) in both the long term and the short term, the presence or absence of cyberinsurance does not reduce what needs to be done to protect business and customer data and services.
- The phrase “closing the barn door after the horse has bolted” came to mind when reading this. There is a very strong argument that cyber insurance companies encouraged the growth in ransomware attacks by their preference to pay ransom demands for their clients who fell victim to attacks. It also highlights that cybersecurity has many complex challenges and simple solutions that seem attractive to business sponsors, such as cyber insurance, may not work as expected and can have serious implications in the long term.
- Cyber insurance companies got really good at negotiating payments for ransomware, resulting in a position where payment was virtually assured. Subsequently, while the rise in premiums in the last year has been 20%, the rise in claims has been 39% which results in a financially unsustainable position for the insurance companies. The good news is this has forced them to publish guiding principles and form alliances such as CyberAcuView to strengthen risk mitigation and stem this tide.
- Insurance, the assignment of risk to underwriters, should be used for things that have low rates of occurrence, high consequences, and which are difficult to mitigate.
Read more in
- Two cyber insurance industry initiatives grapple with rise of ransomware
- Consortium of Leading Cyber Insurers Announce the Launch of CyberAcuView
Guidance from the FBI and CISA describes Kaseya situation as a “supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.” The attack began on July 2; just hours after Kaseya VSA servers were compromised, between 800 and 1,500 organizations became infected with ransomware. The attack affected Kaseya VSA on-premises customers; the company urged those customers to shut down their VSA servers. Kaseya also made the decision to take its software as a service (SaaS) servers offline as a precautionary measure.
- I hesitate to call this a supply chain attack as the malicious actors didn’t compromise the code base as much as they exploited a zero-day flaw. Even so, read and implement the guidance from CISA and Kaseya on improving your VSA instance security before returning it to operational status.
Read more in
- Kaseya ransomware attack updates: Your questions answered
- CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack
- Up to 1,500 businesses infected in one of the worst ransomware attacks ever
- Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Kaseya Flaw Reported in April
One of the vulnerabilities recently exploited in Kaseya’s Virtual System Administrator (VSA) software was reported to the company earlier this year. In April, the Dutch Institute for Vulnerability Disclosure privately reported seven security issues to Kaseya. Four of the flaws were addressed in April and May updates. The remaining three vulnerabilities were scheduled to be fixed in a forthcoming update. (Please note that the WSJ story is behind a paywall.)
- It does look like Kaseya dropped the ball fixing these vulnerabilities, causing harm to its customers. A robust vulnerability remediation program is a must-have for a software company and interactions with researchers reporting vulnerabilities need to be managed well. A well-managed bug bounty program can help streamline the process and set expectations for researchers reporting vulnerabilities.
- Prioritization of fixes is tricky. Kaseya is a great example of working with researchers who disclosed vulnerabilities, and assisted in verifying the patches resolved the issues. As with any vulnerability, there is a race condition of developing, verifying and deploying fixes versus malicious actors discovering and exploiting those weaknesses. In this case, one flaw – CVE-2021-30116, slated for a June patch release, lost the race. While it’s easy to second-guess here, note that the rapidly released PrintNightmare fixes fell short of resolving that issue, resulting in added fixes which can be just as disruptive as failing to release an update at all.
- This failure raises a number of questions. During this window, did Kaseya caution their customers or suggest workarounds? Did they have a duty to do so? Is our infrastructure too porous? Can we live with an infrastructure that is based upon late quality by patching? Raise your own questions, as well.
Read more in
- Kaseya VSA Limited Disclosure | Why We are Only Disclosing Limited Details on the Kaseya Vulnerabilities
- DIVD-2021-00011 – Kaseya VSA Limited Disclosure
- Software Firm at Center of Ransomware Attack Was Warned of Cyber Flaw in April (paywall)
- White hats reported key Kaseya VSA flaw months ago. Ransomware outran the patch
Kaseya Attack Takes Two Maryland Towns Offline
Among the victims of the Kaseya supply chain attack are two Maryland towns. The computer networks of Leonardtown and North Beach have been infected with REvil ransomware. Neither town has its own IT staff, and both were infected through Kaseya customers’ systems.
- The beauty of hiring an MSP is that they have expertise you don’t, common tools and processes, including 24×7 support for less than you can insource. That comes with a cost of having remote privileged access to your systems, and the risk of compromise, either through a flaw in their tools or staff. In a little to no IT staff model, make sure that you still have staff that knows how and where to shut down impacted services as well as a clear understanding of what service restoration entails. Lastly, irrespective of IT staff size, make sure that you have proven fallback procedures for IT failures.
- Small businesses and state, local, and tribal agencies that are totally dependent on service providers will unfortunately always have this kind of risk. However, one common “trick” that Leonardtown, MD was able to use to start restoring backups manually was to have at least one PC that is never used be part of the backup strategy. Leonardtown (and others in the past) have taken advantage of the PCs of employees who were on vacation when the malware attack hit – have one PC where the user is always “on vacation.”
- Managed Service Providers owe a high standard of care.
Read more in
- Maryland towns impacted in Kaseya ransomware breach
- Maryland town knocked offline as part of massive ransomware attack
- ‘Shut down everything’: Global ransomware attack takes a small Maryland town offline
US Will Take Action Against Russian Cybercriminals if Russia Does Not
In a July 6 briefing, White House Press Secretary Jen Psaki said that “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.” Psaki also noted that the Kaseya supply chain attack has not yet been attributed to a specific threat actor.
- Specific attribution is tricky as the REvil Ransomware Service is available to any affiliate to use, for a percentage of the ransom collected. Also Russia historically has had a “so long as you don’t hack us we’re good” posture for malicious actors operating there. The recent stories of takedown of international operations, similar to REvil, depend on cooperation of law enforcement in all countries involved, without which shuttering the service, or determining the actual actors behind any given attack become moot.
Read more in
- Press Briefing by Press Secretary Jen Psaki, July 6, 2021
- Biden Faces Russian Ransomware Curtailment Challenge
- US warns Russia to take action after latest attacks
- US warns of action against ransomware gangs if Russia refuses
Mongolian Certificate Authority Website Compromised
Attackers compromised Mongolian certificate authority MonPass’s website and installed Cobalt Strike in its installer software. The backdoored installer was available for about a month earlier this year.
Read more in
- Backdoored Client from Mongolian CA MonPass
- Website of Mongolian certificate authority served backdoored client installer
- Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software
Right to Repair Movement is Gaining Traction
In a press briefing on Tuesday, July 6, White House Press Secretary Jen Psaki said that President Biden plans to issue an executive order (EO) that addresses right to repair. The EO will reportedly direct the Federal Trade Commission to draft rules that prevent manufacturers from limiting customers’ ability to repair products they have purchased, and direct the Department of Agriculture to establish rules allowing farmers to repair their own equipment. In a related story, the UK has rules that require manufacturers to make spare parts available to people who purchase electrical appliances, and the European Commission plans to introduce right-to-repair rules for smartphones, laptops, and tablets. Apple co-founder Steve Wozniak has voiced his support of the right to repair movement.
- Be careful what you ask for, you might get it. Agriculture and Cyber are different environments. The Apple founders fell out over the issue of “closed versus open” systems. I, for one, am glad that Jobs won.
Read more in
- Biden Sets Up Tech Showdown With ‘Right-to-Repair’ Rules for FTC
- Biden’s right-to-repair order could stop companies from blocking DIY fixes
- Press Briefing by Press Secretary Jen Psaki, July 6, 2021
- Right to repair movement gains power in US and Europe
- Steve Wozniak Voices Strong Support for the Growing Right to Repair Movement
Sage X3 Vulnerabilities Fixed in Updates
Four vulnerabilities, one of which is critical, in the Sage X3 enterprise resource planning (ERP) platform could be exploited to execute arbitrary code and take control of vulnerable systems. Fixes for the flaws have been released.
- Attackers are going after applications (like SolarWinds, Kaseya, etc.) that get the highly privileged access inside networks, and ERP and financial management apps are certainly targets. SAP, Oracle, and Workday are the “big dogs” in this market but Sage, along with Acumatica, Financial Force and Infor customers should review segmentation around these products and accelerate patching.
Read more in
- CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities
- Sage X3 Version 11 (June 2021)
- Critical Flaws Reported in Sage X3 Enterprise Management Software
- Critical Sage X3 RCE Bug Allows Full System Takeovers
Joplin, Missouri’s Computer System Hit with Cyberattack
The city of Joplin, Missouri’s computer network suffered an apparent cyberattack; its phone lines and online presence were both unavailable as of Thursday, July 8. The city’s 911 service is operational. Various city departments, including planning and zoning, and code enforcement, have counter service available and are accepting only cash and checks for payment.
Read more in
Cisco Talos: SideCopy APT Group Increasing Attacks in India and Pakistan
Researchers from Cisco Talos have “observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India.” The SideCopy advanced persistent threat (APT) group has been active since at least 2019.
Read more in
- InSideCopy: How this APT continues to evolve its arsenal
- InSideCopy: How this APT continues to evolve its arsenal (PDF)
- India under attack by rapidly-evolving advanced persistent threat actor SideCopy, says Cisco Talos
- SideCopy cybercriminals use new custom Trojans in attacks against India’s military
Kaseya Supply Chain Attack Affects Hundreds of Organizations
On Friday, July 2, ransomware operators exploited a vulnerability in Kaseya’s update mechanism to push REvil ransomware out to the IT services company’s customers. Kaseya develops software for Managed Service Providers (MSPs), which means the attackers’ reach could extend to hundreds if not thousands of organizations. The Coop supermarket chain in Sweden closed hundreds of stores for two days because its point-of-sale systems were affected. The attackers appear to be demanding a ransom of $70 million. Kaseya says it may begin restoring SaaS on Tuesday afternoon, July 6.
- Ransomware actors have been hitting MSPs for a while now. The advantage of attacking MSPs is that they provide trusted access to multiple organizations and a bigger “bang for the buck.” Now REvil did “take it up a notch” by simultaneously exploiting software used by MSPs. The entire scope of this attack will probably take a few more days to become clear and this will be a bad return to work from a long holiday weekend for many. If you are not affected by this attack: Take half a day this week to brainstorm how similar scenarios could affect your network: Which trusted suppliers have access to your network, and what software are you using to manage your network? How are you ensuring the integrity of this software after updates? And please: Do not exempt this software from anti-malware scans. Sometimes it is better to let the software break vs. having the software break you.
- Your MSP has potentially sensitive access to your IT and is using their preferred tools to support your business. When you setup that access, you probably verified the security of the tools used and the scope of permissions granted to their accounts. Are you monitoring for a change in scope? Could you detect their tool going bad? Have you walked down what would happen if you turned that off? Kaseya advises on-premise VSA users to turn systems off until a patch can be deployed. The patch is planned for release 24 hours after the SaaS service is restored. The flaws exploited appear to be Zero-day vulnerabilities rather than a supply chain attack.
- This is a worrying change in tactics for those behind ransomware attacks as they move from phishing emails to ways to infiltrate the supply chain for many vendors. It is a reminder that given the modern business reliance on third party vendors and their downstream suppliers, we need to move beyond simply checklist exercises for managing third party risk. Any vendors who deploy tools or systems into our environments need to be assessed with additional scrutiny and appropriate controls. In particular, any software that requires excessive permissions, administrator access, or to be excluded from anti-virus software, as is the case with Kaseya.
- Kaseya has a relatively small market share in the client management market, but (like system management and SolarWinds) attackers are targeting product areas where one compromise not only gives them deep access but that same access across many targets. Larger competitors to Kaseya VSA include BMC, CA, IBM BigFix and ManageEngine – if you are using them, use this as a spur to make sure you’d quickly notice if they went bad and to test resiliency plans if you had to shut them off in the event of compromise.
- With cyber criminals becoming so brazen, I wonder if / when they will begin to not only attack and ransom large corporations, but start ransoming entire countries, especially countries that don’t have the resources to retaliate.
- Caveat emptor! However, the buyer will rarely have sufficient visibility into the supply chain to adequately resist such attacks. The deeper down in the chain the supplier, the greater the potential damage. We must hold suppliers accountable for what they distribute or the services that they offer. Such accountability will include timely remedies but also consequential damages.
Read more in:
- Independence Day: REvil uses supply chain exploit to attack hundreds of businesses
- Kaseya says it’s seen no sign of supply chain attack, sets SaaS restoration target of Tuesday afternoon, on-prem fix to follow
- Kaseya ransomware attack: US launches investigation as gang demands giant $70 million payment
- Kaseya won’t release on-prem patch before SaaS restoration starts
- How REvil Ransomware Took Out Thousands of Business at Once
- Kaseya Attack Fallout: CISA, FBI Offer Guidance
- CISA, FBI share guidance for victims of Kaseya ransomware attack
New ACH Network Data Security Rule
The National Automated Clearinghouse Association (NACHA) has introduced a new security rule for ACH transactions. Organizations that process digital financial transactions must ensure that deposit data are unreadable when they are being stored electronically. The new rule, which took effect on Wednesday, June 30, applies to entities that process more than 6 million ACH transactions a year. Entities that process more than 2 million transactions a year will be subject to the rule on June 30, 2022.
- This was pushed back from 2020, so good to see NACHA making this long delayed move. Encryption is not required (truncation, tokenization, deletion are compliant) but this should provide a boost for persistent data encryption solutions, a good thing to aim for.
- In 2020, there were about 27 billion ACH payments for about $62 trillion USD. In Q1 of 2021, $17.3 trillion was processed. One accepted approach is to render the data, notably account numbers and routing numbers, unreadable via the use of tokenization. If that rings a bell, this is used by Apple, Google, and Samsung pay. The new regulations state passwords are not sufficient protection, and full-disk-encryption requires accompanying prescribed physical security measures.
- Participation in a cross-enterprise application carries responsibility. Fortunately for us, the requirements are only for things that we ought to be doing anyway.
Read more in:
- Supplementing Data Security Requirements (Phase 1)
- New data security rules instituted for US payment processing system
PrintNightmare Affects All Versions of Windows
A critical remote code execution vulnerability in the Windows Print Spooler service is being actively exploited. The flaw was accidentally disclosed last week when researchers published proof-of-concept code; they reportedly thought Microsoft had already issued a fix. Microsoft has acknowledged that “the code that contains the vulnerability is in all versions of Windows,” and it is working on a patch. Until the fix is available, Microsoft is recommending that users disable the Windows Print Spooler service or disable inbound remote printing.
- Save your network (and the environment): Turn off your print spooler. Sadly, the best way to protect yourself from exploitation is to disable printing. There are a number of other methods proposed (like limiting permissions on the directory used to store printer drivers), but it isn’t clear if they fully protect systems. For high value assets like domain controllers, turning off printing should be a no-brainer. Exploitation does require valid user credentials, and this will likely be the lateral movement and privilege escalation technique of choice for years to come.
- Disable the print service with a GPO, allowing it only on defined print servers, to minimize risk of re-enablement. Don’t use a domain controller as a print server. The Print Spooler service is enabled by default.
Read more in:
- Microsoft Tries, Fails to Patch Critical Windows Vulnerability. Chaos Ensues
- Microsoft adds second CVE for PrintNightmare remote code execution
- Microsoft shares mitigations for Windows PrintNightmare zero-day bug
- Microsoft Issues New CVE for ‘PrintNightmare’ Flaw
- CISA Offers New Mitigation for PrintNightmare Bug
- Microsoft warns of Windows ‘PrintNightmare’ vulnerability that’s being actively exploited
Netgear Releases Fixes for Vulnerabilities in its DGN2200v1 Router
Netgear has released firmware updates to address a trio of vulnerabilities affecting its DGN2200v1 network router. The HTTPd authentication vulnerabilities could be exploited to leak data and to take control of vulnerable systems. The vulnerabilities affect DGN2200v1 running firmware versions older than v.126.96.36.199.
- These were discovered by Microsoft’s 365 Defender Research Team, formerly ReFirm Labs. Expect more disclosures as they work to expand their capabilities. If you have a Netgear router, make sure that you’re keeping the firmware updated, either via the management app, such as their Orbi, Nighthawk, or Insight app (which are product specific), or by logging into the router and checking. If possible, set up automated updates in the middle of the night.
- The side channel vulnerability, while not the most serious issue, is something all developers should be looking out for. I am pretty sure that under the hood, many applications suffer from this same problem and yes, it is exploitable.
Read more in:
- Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise
- Security Advisory for Multiple HTTPd Authentication Vulnerabilities on DGN2200v1
- Microsoft reveals authentication failures, system hijack vulnerabilities in Netgear routers
- Microsoft warns of serious vulnerabilities in Netgear’s DGN2200v1 router
US and UK Cybersecurity Officials Warn of APT28 Brute Force Attacks
A joint cybersecurity advisory from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) warns of brute force cyberattacks allegedly conducted by Unit 26165 of Russia’s GRU military intelligence agency, sometimes called Fancy Bear or APT28. The attacks have targeted hundreds of organizations around the world.
- Mitigations include not only using MFA for all your externally reachable services, including cloud, but also making sure that account time-out and lockout settings are active to shut down attempts to access accounts illicitly. Examine access to your externally facing services, and consider denying access from atypical locations, such as TOR or other anonymizing VPNs; make sure that anomalous user detection is enabled and configured.
- Another example of how / why 2FA is becoming such a critical control in today’s world.
- Such attacks are characterized by an unusually high rate of failed logon attempts and are resisted by strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) and by raising the cost to attackers by slowing the subsequent prompts after failed attempts.
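Detection logic for the failed-logon pattern the last comment describes, as an added example that is not from the advisory or the newsletter. The log format, field names and thresholds are assumptions and the sample lines are constructed; the block goes beyond the page by also flagging the low-and-slow spray variant (few failures per account, many accounts from one source) and a success that follows a burst.

```python
"""Flag brute-force and password-spraying bursts in authentication logs.
Added example, not code from the advisory or the newsletter; log format, field
names and thresholds are assumptions, and the sample lines are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # sliding window for counting failures
BRUTE_THRESHOLD = 5            # failures on one account from one source in WINDOW
SPRAY_THRESHOLD = 4            # distinct accounts failed from one source in WINDOW

# Constructed sample log: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-07-01T10:00:00 FAIL user=alice src=203.0.113.7
2021-07-01T10:00:10 FAIL user=alice src=203.0.113.7
2021-07-01T10:00:20 FAIL user=alice src=203.0.113.7
2021-07-01T10:00:30 FAIL user=alice src=203.0.113.7
2021-07-01T10:00:40 FAIL user=alice src=203.0.113.7
2021-07-01T10:01:00 OK user=alice src=203.0.113.7
2021-07-01T10:05:00 FAIL user=bob src=198.51.100.20
2021-07-01T10:05:30 FAIL user=carol src=198.51.100.20
2021-07-01T10:06:00 FAIL user=dave src=198.51.100.20
2021-07-01T10:06:30 FAIL user=erin src=198.51.100.20
2021-07-01T10:10:00 FAIL user=frank src=192.0.2.5
2021-07-01T10:20:05 OK user=frank src=192.0.2.5
"""

def parse_log(text):
    """Parse log lines into time-sorted dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
            continue
        ts, result, user, src = parts
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                       "user": user.partition("=")[2], "src": src.partition("=")[2]})
    return sorted(events, key=lambda e: e["ts"])

def peak_distinct(items, window):
    """Largest number of distinct labels among (ts, label) pairs that fall inside
    any span of length `window` (two-pointer sweep over the time-sorted list)."""
    items = sorted(items)
    in_window, best, left = Counter(), 0, 0
    for ts, label in items:
        in_window[label] += 1
        while ts - items[left][0] > window:
            old = items[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best

def detect(events, window=WINDOW, brute=BRUTE_THRESHOLD, spray=SPRAY_THRESHOLD):
    """Return sorted (kind, src, user) alerts for the patterns described above."""
    fails_by_pair, fails_by_src, last_ok = defaultdict(list), defaultdict(list), {}
    for e in events:
        key = (e["src"], e["user"])
        if e["ok"]:
            last_ok[key] = e["ts"]  # events are time-sorted, so this is the latest
        else:
            fails_by_pair[key].append(e["ts"])
            fails_by_src[e["src"]].append((e["ts"], e["user"]))
    alerts = []
    for (src, user), stamps in fails_by_pair.items():
        # Brute force: every failure is its own label, so this counts events in WINDOW.
        if peak_distinct([(ts, i) for i, ts in enumerate(stamps)], window) >= brute:
            alerts.append(("brute_force", src, user))
            # A success after the burst is the strongest signal of compromise.
            if last_ok.get((src, user), datetime.min) > max(stamps):
                alerts.append(("brute_force_success", src, user))
    for src, items in fails_by_src.items():
        # Spraying: few failures per account, but many accounts from one source.
        if peak_distinct(items, window) >= spray:
            alerts.append(("password_spray", src, "*"))
    return sorted(alerts)
```

Lockout counters that reset per account do not catch the spray case, which is why the source-level count is kept alongside the per-account one.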
Read more in:
- Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments (PDF)
- Russian Hackers Are Trying to Brute-Force Hundreds of Networks
- Widespread Brute-Force Attacks Tied to Russia’s APT28
CISA Releases Ransomware Readiness Assessment Tool
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool to help organizations evaluate their cybersecurity posture with regard to ransomware. The Ransomware Readiness Assessment (RRA) is a new module in CISA’s Cyber Security Evaluation Tool (CSET). RRA can be used on both IT networks and industrial control system (ICS) networks.
- The RRA provides a consistent basis to evaluate your IT and OT/ICS security practices, using a graduated approach from basic controls, to advanced questions and tutorials; and includes a dashboard to track readiness/progress. Even if you think you have a solid posture and plan, (which was hard enough to do without guidance like this) it’d be a good idea to cross check with the RRA tool to see if you have gaps or missed some new data points. If you’ve been struggling to create your plan and assess your ransomware preparedness, this is the answer you’re looking for.
- I have looked at this tool and it is a very good start for organizations to determine how prepared they are against ransomware attacks. Another free and useful resource is the Europol sponsored NoMoreRansom website www.nomoreransom.org which has lots of information in various languages on how to prevent and deal with ransomware.
- Ransomware requires a compromise of the target network. It is only one of many bad things that can happen to you after a breach. However, extortion has been so profitable and with so little risk that it has resulted in an increased rate of attacks and breaches. Resist breaches. Employ strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) and end-to-end application-layer encryption or structured networks.
Read more in:
- CISA’s CSET Tool Sets Sights on Ransomware Threat
- Ransomware Readiness Assessment CSET v10.3
- Ransomware: This new free tool lets you test if your cybersecurity is strong enough to stop an attack
- CISA Tool Helps Measure Readiness to Thwart Ransomware
Europol: Coordinated Action Takes Down VPN Service Used by Criminals
On June 29, 2021, law enforcement and judicial authorities in Europe, the US, and Canada “seized the web domains and server infrastructure of DoubleVPN” a VPN service frequently used by criminals.
Read more in:
- Coordinated Action Cuts Off Access to VPN Service Used by Ransomware Groups
- Authorities Seize DoubleVPN Service Used by Cybercriminals
- This VPN service used by ransomware gangs was just taken down by police
- International cops seize DoubleVPN, a service allegedly meant to shield ransomware attacks from investigators
- Multinational Police Raid Seizes DoubleVPN Servers
QNAP Fixes Vulnerability Affecting NAS Devices
QNAP has released updates to address an improper access control vulnerability in its Hybrid Backup Sync 3 (HBS 3), the company’s disaster recovery and backup application. The issue is fixed in QTS 4.3.6: HBS v3.0.210507 and later; QTS 4.3.4: HBS v3.0.210506 and later; and QTS 4.3.3: HBS v3.0.210506 and later.
- Don’t expose NAS devices to the Internet. Log in to your QNAP device, update the OS and all loaded applications, remove/uninstall unused applications.
Read more in:
- Improper Access Control Vulnerability in HBS 3 (Hybrid Backup Sync)
- QNAP fixes critical bug in NAS backup, disaster recovery app
Windows Update Bug Preventing Azure Virtual Desktop Updates
A bug in Windows Updater is preventing Azure Virtual Desktop devices from downloading and installing security updates released after May 2021. Microsoft is investigating the issue; the company is “working on a resolution and will provide an update in an upcoming release.” Microsoft has provided two workarounds.
Read more in:
- Azure Virtual Desktops may not be able to update via Windows Server Update Services
- Windows Update bug blocks Azure Virtual Desktops security updates
Microsoft Releases Updates for PowerShell 7.0 and 7.1
Microsoft has released updated versions of PowerShell 7.0 and 7.1 to address a .NET Core remote code execution vulnerability. Azure users are urged to update to the most recent versions: 7.0.6 and 7.1.3. The issue does not affect PowerShell 5.1.
Read more in:
- Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability
- Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
- Microsoft warns of critical PowerShell 7 code execution vulnerability
Google Renews Nest Security Commitments
Google has committed to providing “critical bug fixes and patches” for its Nest smart home products for a minimum of five years. The company’s privacy commitments include validating Google Nest devices using an independent security standard, using verified boot to protect devices, and making it easier for users to see which devices are connected to their accounts.
- Google is providing updates and fixes five years from product launch, not your purchase date. Keep an eye on their support page, particularly for things like your Nest Thermostat and safety/security devices (Hello, Cameras, Locks, Protect) which are easily overlooked and forgotten. support.google.com: Google’s connected home devices and services
- Google and Nest have been using Internet of Secure Things Alliance standards and certifications which started up in 2018 or so and now has six authorized testing labs, a strong list of alliance members and certified products, and Amazon, Facebook, Google, Honeywell and Silicon Labs on their board of directors. This critical mass makes it a usable standard to spec in procurements and RFPs.
- Technical controls are key to securing smart home devices like these, but so is making them easy for people to use / secure. Having the best technical standards in the world does little if the interface is confusing and people have no idea how to change the default password or enable automatic updating.