Congressional Hearing on Grid Security
On Tuesday, July 27, the US House Subcommittee on National Security held a hearing focused on the security of country’s electric grid. Federal officials testifying at the hearing expressed concerns, including inadequate security features in grid equipment and the power grid’s resilience to withstand multiple major incidents, and made suggestions to improve security, including greater domestic production of grid equipment.
- Most of the cybersecurity related issues are nothing new here – the new focus is really on supply chain security. The telling quote: “Large power transformers are only manufactured abroad…” and can take up to a year to be procured and delivered. The pandemic pointed out in a big way that while “just in time inventory” approaches reduce cost/increase profit, natural or political disruptions to transportation and delivery can lead to severe and prolonged outages. Mandatory backup capacity or increased availability of domestic sources raises costs but also raises resiliency and availability.
- Looking beyond the security of the components that operate the grid, leverage new collaboration opportunities to collaborate with CISA and peers to facilitate not only getting help when there is a problem, but also how to best implement pending standards, and possibly drive input in their creation. Irrespective of who your supplier is, foreign or domestic, evaluate their ability to deliver components needed to restore or augment your services. Include their supply chain challenges in the analysis.
- The risk associated with long lead times for grid components, to specifically include some large transformers, has been identified since the Clinton Administration. It has not decreased.
Read more in
- Defending the U.S. Electric Grid Against Cyber Threats
- What Can Be Done to Enhance Electrical Grid Security?
- Congress Analyzes Security of Vulnerable U.S. Electric Grid
Joint Advisory Enumerates 30 Most Exploited Vulnerabilities of 2020
A joint cybersecurity advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) lists the top 30 routinely exploited CVEs in 2020.
- This advisory yet again highlights vulnerabilities in perimeter security devices. Over the last couple of years, attackers have realized the poor code quality affecting not just home and small business appliances, but enterprise appliances as well. Your best defense is to limit your attack surface and disable as many features as possible. Do not expose any administrative web applications outside a tightly controlled administrative network.
- Use this information to refine your risk based approach to vulnerability mitigations. Where you have products susceptible to these vulnerabilities, review the mitigations and IOCs to make sure that you have a comprehensive fix as well as being equipped to detect attempted or actual exploitation. Next, include your development team in reviewing the Mitre 2021 CWE top 25 most dangerous software weaknesses.
- It has been very obvious that IT operations (who in most organizations is responsible for patching servers and PCs) have been consumed with just keeping the applications and services running as the pandemic drove the need to support full time work from home and caused workforce and support disruptions. Time to patch has increased. Security mitigations must take that into account – increasing visibility, asset inventory (essentially Implementation Group 1 of the CIS Critical Security controls) but also putting shielding and/or segmentation around vulnerable systems that are just going to take longer to patch. When hurricanes are hitting every few days, you have to leave the plywood up over the windows – hoping the windows get stronger does not increase safety.
- To ensure that patching gets necessary attention and resources, effective patching should be both measured and reported to stake holders.
Read more in
- Alert (AA21-209A) | Top Routinely Exploited Vulnerabilities
- CISA’s Top 30 Bugs: One’s Old Enough to Buy Beer
- FBI reveals top targeted vulnerabilities of the last two years
- CISA, FBI Name the Most Exploited Vulnerabilities Over the Past Year
- Feds list the top 30 most exploited vulnerabilities. Many are years old
- Here’s a list of the flaws Russia, China, Iran and pals exploit most often, say Five Eyes infosec agencies
NSA Guidance on Wireless Device Security
The US National Security Agency (NSA) has published wireless device security guidance for people traveling or working remotely. The cybersecurity information sheet “describes how to identify potentially vulnerable connections and protect common wireless technologies, and lists steps users can take to help secure their devices and data.”
- Just a week ago, Apple patched the SSID Format String flaw that in some cases could lead to arbitrary remote execution when joining a malicious WiFi network. It comes back down to reducing your attack surface again: Turn off radios you are not using. This can be challenging for a mobile device that isn’t doing much without network connection and a Bluetooth connection for headsets.
- This does a good job explaining the risks as well as a providing tables of Do’s and Don’ts you should incorporate into your UAT program. This is not just Wi-Fi, this is also about Bluetooth, NFC, and mitigations which are easy to take and raise the bar on the security of those services. Don’t forget to remind users that even with these mitigations, the area being used to perform work still needs to be appropriate, beware of who can see and hear your screen, conversation and any paper notes or documents in use.
- Wireless attacks do not scale well; the risk has always been from the wired side. While still vulnerable, and perhaps only for the moment, cellular is safer than WiFi (except in Washington DC). Devices that connect directly to the public networks should not also connect to the enterprise network. Business travelers should practice good hygiene.
Read more in
- Securing Wireless Devices in Public Settings (PDF)
- NSA shares guidance on how to secure your wireless devices
Biden Memorandum on Critical Infrastructure Cybersecurity
President Joe Biden has issued a national security memorandum focused on improving critical infrastructure control system cybersecurity. The memo directs the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop benchmarks for entities that manage the country’s critical infrastructure.
- Not much new here, but more reports coming. Similar to the Congressional hearing item, the technical and policy issues around critical infrastructure are well known, the supply chain disruption issue and lack of resiliency is the area where prioritized actions are needed.
- Most of the critical infrastructure is managed by the private sector, not government. The two most important components of the nation’s infrastructure are power and finance. One of those is doing a much better job of security than the other.
Read more in
- National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems
- Biden issues memo to push critical infrastructure cybersecurity upgrades
- White House Issues Memo on US Critical Infrastructure Security
- Biden orders CISA and NIST to develop cybersecurity performance goals for critical infrastructure
FBI Official Tells Legislators Not to Ban Ransomware Payments
FBI Cyber Division assistant director Bryan Vorndran told US legislators that while the agency does not recommend that ransomware victims pay operators’ demands, banning ransomware payments could backfire. Vorndran told the Senate Judiciary Committee that banning payments could place “ U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities.”
- This is a complex topic and has to be considered carefully. If you do elect to make a payment, understand how you’re impacted by the Office of Foreign Assets Control (OFAC) in addition to local or national legislation. Build relationships needed for reporting and response of a ransomware attack now. Leverage references like the StopRansomware.gov web site to get a leg up on preparedness.
Read more in
- Top FBI official advises Congress against banning ransomware payments
- US Government Unlikely to Ban Ransomware Payments
Iranian Railway Cyberattack Used New Wiper Malware
Earlier this month, a cyberattack disrupted train service in Iran. The attack that affected the country’s state-owned rail system and its transportation ministry website used wiper malware that had not been seen before. Researchers from SentinelOne write that the cyberattack was “orchestrated via a set of batch files nested alongside their respective components and chained together in successive execution.”
- Read the report from SentinelOne to see how this new malware works. The report includes links to IoCs and YARA rules you can implement to aid detection and hunting activities. This wiper is designed to completely cripple a target’s systems, and includes functions ranging from changing passwords, disabling screen savers and altering boot records to creating processes and executing commands, reinforcing the need for those indicators.
- The current hostile environment requires that enterprises may have to recover whole networks, rather than simply a file or two. Ensure the capability to recover entire applications in hours to days.
Read more in
- MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with Epic Troll
- New destructive Meteor wiper malware used in Iranian railway attack
- Hackers used never-before-seen wiper in recent attack on Iranian train system
WordPress Download Manager Updated to Fix Vulnerabilities
Developers of the WordPress Download Manager plugin have released an update to address two security issues: an information disclosure vulnerability and a file upload vulnerability. The WordPress Download Manager plugin is installed on more than 100,000 sites.
- The patch was released on May 5th, less than 24 hours after the developers were notified of the flaw. If you are using the WordPress Download Manager plugin, make sure you’re using version 3.1.25 or later. The file upload weakness could be used to upload executable content to perform a site takeover, while the information disclosure weakness allowed for a path traversal exploit to allow viewing of arbitrary or sensitive files, e.g, wp-config.php. Make sure you are either updated or remove this plugin if not actively used.
- Does it bear repeating that WordPress plugins should never be included by default but only after careful consideration and must be carefully managed?
Read more in
ATM Jackpotting Arrests in Poland
Law enforcement authorities in Poland have arrested two people from Belarus for their alleged roles in an ATM jackpotting scheme. The suspects allegedly targeted ATMs in at least seven European countries; all the targeted machines were the same brand and model.
- The investigation leveraged the EMPACT framework and included authorities from Poland, Germany, Austria, Switzerland, Czech Republic and Slovakia. The attacks required physical access to the ATMs and necessitated drilling holes or melting parts to access the connection used by the laptop to compromise the ATM. As sexy as it sounds to jackpot an ATM, remember they not only have tamper detection but also surveillance making it unlikely your actions would go undetected.
- Intuitively one might conclude that these attacks constitute a significant risk. However, they do not scale well, require physical access, and result in limited losses (thousands to low tens of thousands of dollars per ATM.) Cash just isn’t what it used to be.
Read more in
Prison for PHI Thief
A US district judge in Texas has sentenced Amanda Lowry to 30 months in prison for her role in a scheme to steal protected health information (PHI). In December 2020, Lowry pleaded guilty conspiracy to obtain information from a protected computer. Lowry and two co-conspirators were indicted in September 2019.
Read more in
- Grayson County Woman Who Stole and Sold Protected Health Information Sentenced to 2 ½ Years in Federal Prison
- Cyberthief Who Stole PHI Sentenced To Prison
UC San Diego Health Discloses Data Breach
University of California San Diego Health says that a phishing attack led to the exposure of employee, student, and patient information. Attackers has access to the data between December 2, 2020 and April 8, 2021. The compromised information includes lab results, medical diagnoses, and other sensitive data.
- Notifications to impacted individuals will not be sent until the investigation is complete and will offer one year of credit monitoring and identity theft protection through Experian IdentityWorks. Actions are already underway to prevent recurrence including updating credentials and disabling access points. If you are a UC San Diego Heath employee, student or patient, monitor your accounts and credit report for unexpected activity, or, if you don’t already have it, seek out your own identity and credit protection solution.
- A single user clicking on bait should not compromise the enterprise. Browsing and e-mail are the applications where users are most likely to encounter bait. These should be isolated from mission critical applications.
Read more in
- Substitute Notice of Data Breach
- UC San Diego Health Breach Tied to Phishing Attack
- Hackers breach UC San Diego hospital, gaining access to SSNs and medical info
South African Logistics Company Suffers Cyberattack
A cyberattack against South Africa’s Transnet SOC Ltd caused significant disruption of port operations earlier this month. The attack was severe enough for Transnet to declare force majeure, unforeseeable circumstances that prevent an entity from fulfilling contractual obligations. Transnet has restored port operations.
- Lots of luck with that defense. Cyber attacks are not only “foreseeable” but inevitable. The issue is not whether they can be predicted but whether they are appropriately resisted.
Read more in
- South Africa Port Operator Declares Force Majeure Over Cyber Attack
- ‘Death Kitty’ Ransomware Linked to South African Port Attack
Mitigations for PetitPotam Windows NTLM Relay Attack
Microsoft has released mitigations to help users protect systems from the PetitPotam Windows NT LAN Manager (NTLM) relay attack that could make Windows systems reveal password hashes. Microsoft’s recommended mitigation is to disable NTLM authentication on Windows domain controllers.
- These last few weeks have provided attackers with a number of interesting new opportunities for lateral movement. PrintNightmare, Summer of SAM, and now PetitPotam are all very applicable and it will likely take months (years?) to completely patch or mitigate them. One more reason to up your detection game for these exploits. Make sure you have relevant indicators covered.
- PetitPotam affects Windows Server 2008 through 2019. If you cannot disable NTLM, then make sure you’re either using signing features such as SMB signing or Extended Protection for Authentication (EPA). Also make sure your Active Directory Certificate Services (AD CS) servers are configured to protect against NTLM relay attacks. See Microsoft KP5005413 for mitigations.
- The guidance from Microsoft is not new but being highlighted because of a new attack method. Most technology cannot be deployed as is; investment in people and process is required to ensure proper configurations. Same is true with security solutions; people need to follow a process to tune, detect, and respond to attacks.
Read more in
- Microsoft Rushes Fix for ‘PetitPotam’ Attack PoC
- Microsoft shares mitigations for new PetitPotam NTLM relay attack
- You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick
- KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
- Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
- topotam / PetitPotam
No More Ransom Project Has Helped Millions of Ransomware Victims
The No More Ransom Project has saved organizations nearly €1 billion in payments to ransomware operators. In the five years that it has been operating, the No More Ransom Project has helped millions of ransomware victims recover files after attacks. The No More Ransom portal is available in 37 languages. It has more than 120 tools capable of decrypting more than 150 strains of ransomware.
- This project by Europol has been a great success and is a portal I have used successfully when working with companies impacted by ransomware. The NoMoreRansom www.nomoreransom.org is a great example of how public and private partnership can work together to tackle cybercrime
- This is a great example of an effective, action-oriented partnership between government agencies (Europol and Politie, the Dutch national police organization) and vendors (initially Kaspersky and McAfee, now many more) to provide free help to individuals and businesses. No More Ransom emphasizes prevention/avoidance though essentially security hygiene, since at the front end ransomware attacks are like all other attacks. The collection of encryption tools as the last resort recognizes the unique recovery aspects of a ransomware event.
- This sort of assistance is critical to reduce the frequency certainty of ransomware payments. That reduction is necessary to turn the tide on operators. This service provides decryption, reporting, and prevention tools to members. To obtain a decryption tool, ransomware victims upload two encrypted files and the ransom note to their Crypto Sheriff for a match. If matched, the decryptor includes detailed instructions for use. If not matched, users are advised to check again shortly as tools are being continuously added.
- Working together has always proved to be better than working in isolation. I recommend leveraging these resources so we improve as an industry and hopefully slow down ransomware attacks.
Read more in
- Unhacked: 121 Tools Against Ransomware on a Single Website
- No More Ransom saves almost €1 billion in ransomware payments in 5 years
Apple Releases iOS/iPadOS 14.7.1 and macOS 11.5.1
Just five days after releasing 14.7 and macOS 11.5, Apple has released an update to address an IOMobileFrameBuffer vulnerability which can be used to execute arbitrary code with kernel privileges. CVE-2021-30807 was reported by an anonymous researcher.
- iOS 14.7.1 is only about an 80mb delta if you’ve installed 14.7. If you’re still rolling out your requirement to go to iOS/iPadOS 14.7 and macOS 11.5, then switch to 14.7.1/11.5.1. This vulnerability is being exploited in the wild.
- While annoying to have to patch your systems twice in two weeks, I applaud Apple for the fast response. A lot has been written about the increase in 0-Days Apple patched this year, but I think the real story isn’t the increase of 0-Days but instead Apple finally paying more attention to them and calling them out in special patches like this.
Read more in
- Apple security Updates
- Apple fixes zero-day affecting iPhones and Macs, exploited in the wild
- Apple patches zero-day vulnerability in iOS, iPadOS, macOS under active attack
Malware Authors are Using Uncommon Programming Languages
According to researchers at BlackBerry, malware creators are increasingly using arcane programming languages to improve the development process and to evade detection and hinder analysis. In particular, instances of malware written in Go, Rust, Nim, and DLang are on the rise.
- Not sure if I would call languages like “Go” uncommon, but reverse analysis tools and debuggers are only now starting to support it well. This will give attackers an advantage. But this is also not new. Go has been reported as an up-and-coming malware language for a couple years now due to its concurrency support and ease of supporting network clients and servers.
- Too many host-based defensive tools are easily tricked by using a slight variation of payloads. Attackers recognize this and can queue up a list of payloads using Rust, Go, Dart, Julia, etc. Application safe listing isn’t perfect, but it’s a heck of a lot more reliable than trying to play catch-up each time a new payload variant is identified.
- Not only might Go and Rust binaries be better for evading signature detection, but they could also run more stealthily than PowerShell. PowerShell post-exploitation tools are easy to write, but also easy to log and reverse engineer. The more attackers shift from PowerShell to compiled code, the more difficult it will be to track them.
- Pentesters have done the same thing, transitioning through PowerShell, compiled Python executables, cscript.exe XML files, etc; now we’re on to Golang and Rust. On top of that, we use wrappers and encoders – all to avoid signature-based detection. In your environment, what type of *behavioral* detections do you have? Will you catch additions to admin groups, inter-workstation communications, and heavy/odd Active Directory requests?
- On the other hand, the commonly used languages are vulnerable to procedures being contaminated by their data (e.g., buffer overflows.) We really need to move in the direction of strongly typed object-oriented languages. One more instance where we know what to do but lack the will to do it.
Read more in
- Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
- Attackers’ Use of Uncommon Programming Languages Continues to Grow
- Malware Makers Using ‘Exotic’ Programming Languages
- Attackers Rely on ‘Exotic’ Languages for Malware Creation
NIST’s NCCoE Chooses Companies to Demonstrate Zero Trust Architectures
The US National Institute of Standards and Security’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) has selected 18 tech companies to demonstrate zero trust architectures. The project is intended to “demonstrate several approaches to a zero trust architecture, … designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The example implementations will integrate commercial and open-source products that leverage cybersecurity standards and recommended practices.” NIST in in the process of drafting zero trust architecture guidance for federal agencies.
- “Zero Trust” being specifically mentioned in President Biden’s Executive Order has ratcheted up the already high level of hype around the term. To achieve Zero Trust, you basically have to implement all of the CIS Critical Security Controls – you can’t determine what to trust (let alone enforce trust decisions) if you don’t have reliable visibility, network access control, configuration management, privilege management, application control, etc. A key indicator of this: most of the 18 security vendors participating in the NIST project are well known vendors who two years ago sold the same products but didn’t have “Zero Trust” in their marketing campaigns.
- As vendors struggle for position in support of E.O. 14028, agencies need to focus on their plan for the EO, including secure configurations, comprehensive MFA, encryption at rest, transit and in use (in memory) as well as clearly defining which systems are and are not in scope. You are still going to need segmentation and other protections for OT and other specialized IT. When the dust settles, these efforts will yield a demonstration of Zero Trust implementations which follow NIST SP 800-207, and should provide needed insight to make an informed selection to meet the EO requirements.
- While “zero trust” is too often used as marketing hype, enterprise security is too often porous. While it is widely accepted, a single user clicking on a bait message should not expose the entire enterprise. Any initiatives for improvement are welcome. That said, we know what to do; we lack the will to do it.
Read more in
- 18 Companies to Participate in NIST ‘Zero Trust’ Project
- NCCoE Announces Technology Collaborators to Demonstrate Zero Trust Architectures
- Zero Trust Architecture
Newest Version of Firefox Does Not Support FTP
Mozilla has released Firefox 90. The newest version of the browser does not support File Transfer Protocol (FTP). In a blog post, Mozilla says the decision to remove support for FTP was made because of security issues; of particular concern is that the protocol transfers data in cleartext. FTP was disabled by default in Firefox 88.
- FTP was deprecated in Chrome at the beginning of 2020 and has been disabled by default since Firefox 88 was released in April of 2020. If you have FTP servers, you should be replacing them with secure alternatives, either shared drives (Box, Google Drive, OneDrive, etc.) or services built on SFTP, FTPS, HTTPS, MTS. When implementing a file transfer service, be sure to keep it updated, secure and replace it before support is dropped.
- Good riddance to bad rubbish. Both the protocol and the servers have been leaking sensitive information for decades. It is a clear case of convenience trumping security.
Read more in
Amnesty International Calls for Surveillance Tech Moratorium
The recent release of a report from the Pegasus Project revealed that NSO Group’s Pegasus surveillance technology has been used to spy on government officials, human rights activists, journalists, and others around the world. “Amnesty International is calling for an immediate moratorium on the export, sale, transfer and use of surveillance technology until there is a human rights-compliant regulatory framework in place.”
- As long as the surveillance technology use risk remains, the best stance is to provide users with training to be proactive in securing their mobile devices. Keep them updated, only install apps from Apple/Google/corporate app stores, don’t leave them unattended, block unknown callers and texters, use loaner devices on foreign travel, implement device sanitization and verification processes to support international use.
- There is little chance that a “regulatory framework” will deter nation states from surveillance of their citizens.
Read more in
- Scale of secretive cyber surveillance ‘an international human rights crisis’ in which NSO Group is complicit
- Amnesty Urges Moratorium on Surveillance Technology in Pegasus Scandal
Florida Dept. of Economic Opportunity Discloses Data Breach
A data breach at the Florida Department of Economic Opportunity’s (DEO) unemployment benefits system compromised information associated with nearly 58,000 accounts. The information may have been compromised between April 27 and July 16, 2021, according to a letter sent to affected claimants.
- Breached information included SSN and driver license numbers, bank account numbers, home addresses, phone numbers, DOB and claim information. They are not providing credit monitoring, so if you think you’re affected, and don’t have credit monitoring already, today’s the day to get it. If you do have it, check it, make sure alerts are configured and working.
Read more in
Brazil’s Cyberattack Response Network
Brazil ‘s government has established the Federal Cyber Incident Management Network to help government entities respond to cyberattacks more quickly. Other organizations may join the network on a voluntary basis.
- Increased communication, sharing, and notifications will help participating entities improve their preparedness and response. Success depends on building an appropriate trust/privacy model, particularly if you wish to entice/include non-government entities in the network.
Read more in
Amnesty International Spyware Report
Amnesty International’s Security Lab “has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.” The Forensic Methodology Report also includes a forensic tool to detect the spyware’s presence on mobile devices.
- Great report by Amnesty and a must read for anybody doing IR on mobile devices. Remember that the exploits used may be “high end” now, but they tend to trickle down the food chain. For the rest of us, the lesson to learn is that you absolutely need to keep your mobile devices up to date, and yes, a text message may be used to run arbitrary code on your device.
- iPhones and Android phones have been harder targets to compromise than Windows PCs but this Pegasus use points out they are far from impenetrable. In the SANS 2021 New Threat and Attack report, SANS instructor Heather Mahalik points out many of the key issues and action steps.
- While far from mass surveillance, and while most of the targets were political, some appeared to be targeted for mere celebrity. While such surveillance might not be illegal in all the countries engaged in it, it qualifies as abuse and misuse everywhere. Here it would require a warrant issued by a court based upon probable cause to believe a crime.
Read more in
- Forensic Methodology Report: How to catch NSO Group’s Pegasus
- This tool tells you if NSO’s Pegasus spyware targeted your phone
- mvt-project / mvt
- An Explosive Spyware Report Shows the Limits of iOS Security
Akamai DNS Problems Cause Internet Outage
Akamai says that an Edge DNS service problem was to blame for a July 22 Internet outage affecting the availability of numerous major websites, but has not yet detailed the cause of the problem. Akamai has implemented a fix and says the issue was not due to a cyberattack.
- Yet another choke point that can take down large parts of the Internet. Resilience comes from redundancy and diversity. It doesn’t help to have multiple servers if they all run the same software and configuration. Luckily Akamai was pretty quick in resolving the issue.
- As the internet moves to more centralized services to localize information to increase performance/access to content, the stability becomes only as good as those services. While Akamai only has 9.6% of the CDN share, they have major players such as Oracle, AWS, Microsoft and AT&T. When engaging these services, have a frank discussion on failure impacts and their mitigations. You will need to define your actions, including customer communications, possibly reimbursement, in the event of an outage.
- Having deep visibility into network traffic can often quickly differentiate between internal or external services having performance and issues caused by denial of service or other attacks. Great opportunity for the NOC and the SOC to use common instrumentation and tools to speed detection, resolution and restoration.
Read more in
- Today’s massive Internet outage comes courtesy of Akamai Edge DNS
- Akamai has trouble and the internet hiccups again
- Akamai DNS global outage takes down major websites, online services
Microsoft Offers Workaround for Windows 10 Security Accounts Manager Vulnerability
Microsoft has released a workaround for a privilege elevation vulnerability that affects the Windows 10 Security Accounts Manager database. The flaw could be exploited to access data and create new accounts.
- The fix is to restrict access to the system32\config directory and then remove (and recreate) any volume shadow copies (system restore points) to assure the changes in privileges are captured.
- Keep watching Microsoft’s KB article for updates. Initially, server versions of Windows were not believed to be vulnerable but the most recent update showed recent server versions as vulnerable.
- Just a reminder that accounts should be periodically reauthorized and reconciled to real people.
Read more in
- Windows Elevation of Privilege Vulnerability
- Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug
Fortinet Issues Updates to Fix Use After Free vulnerability in FortiManager and FortiAnalyzer
Fortinet has released updates to fix a serious use after free vulnerability in FortiManager and FortiAnalyzer network management solutions. The flaw can be exploited to allow remote code execution as root if the fgfmsd daemon is enabled. Foertinet has also provided a workaround.
- My usual comment: Don’t expose it to the internet if it doesn’t need to be exposed. These are not the actual firewall / VPN endpoints but the software used to manage them.
Read more in
- FortiManager & FortiAnalyzer – Use after free vulnerability in fgfmsd daemon
- Fortinet’s security appliances hit by remote code execution vulnerability
- Fortinet fixes bug letting unauthenticated hackers run code as root
Apple Updates for Multiple Products
Apple has released updates for iOS, watchOS, tvOS, iPadOS, and macOS. While the iOS update (iOS 14.7) includes fixes for 37 security issues, it does not fix the zero-click vulnerability in iMessenger that can be exploited by Pegasus spyware.
- Probably the most notable fix is the patch for the WiFi SSID format string vulnerability. Initially, this was only considered a DoS issue. But Apple confirmed that this can be used to execute code. On relatively recent iOS versions, this requires the user to join the oddly named WiFi network. But on older versions, this exploit will execute without user interaction.
- While these updates don’t include the patch for Pegasus, there are enough other issues to warrant applying the patches immediately, particularly for iOS and iPadOS as some of the flaws are remotely exploitable. The NSO group, who are behind the Pegasus spyware, are investing heavily in exploits to maintain visibility into mobile devices, which hopefully will drive increases in security options to reduce their attack surfaces.
Read more in
- Apple security updates
- Apple Issues Urgent iPhone Updates; None for Pegasus Zero-Day
- iPadOS 14.7 and macOS Big Sur 11.5 come with plenty of bug fixes and security updates
TSA Issues Second Pipeline Security Directive
The Department of Homeland Security’s (DHS’s) Transportation Security Administration (TSA) has issued a second cybersecurity directive for pipelines. While TSA has not released specifics of the directive, the agency notes that the “Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
- Make sure you’ve implemented the required security controls and contingency plan, that you’re monitoring those controls as well as regularly testing your emergency response plan. Consider not only conducting internal design reviews, but also hiring third parties or peer organizations for a reciprocal review to identify any gaps. Expect regulators to audit your activities here.
Read more in
- DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators
- TSA Issues Second Directive for Pipeline Operators Amid China Concerns
- TSA Issues Cybersecurity Requirements for Pipelines
- DHS releases new mandatory cybersecurity rules for pipelines after Colonial ransomware attack
- TSA announces new pipeline security order
- TSA pushes more cybersecurity mandates on critical pipeline owners, emphasizing ransomware
CISA/FBI Security Advisory Details Chinese State Sponsored Cyberattacks Against US Oil and Gas Pipeline Companies
A joint security advsory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) “provides information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies.” The advisory includes a list of indicators of compromise and suggests mitigations to bolster pipeline security.
- If you were wondering how they operate, the alert outlines how they obtained access and actions you can watch for. The mitigations apply to any sort of OT you’re operating – to include strong spam/email security filters and secure remote access with multi-factor authentication. Make sure you’re really doing the mitigations listed. Your SOC should tell you the IOCs are well known to them; if not, have them not only incorporate them but also make sure they have appropriate threat feeds to stay current.
Read more in
- Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013
- Chinese state hackers breached over a dozen US pipeline operators
Linux Privilege Elevation Flaw Affects Most Releases
A security flaw affecting the kernel of most Linux distributions could be exploited to gain root privileges. The issue affects all Linux kernel versions that have been released since 2014. The flaw was discovered by researchers at Qualys.
- The exploit uses a 1GB pathname, 5GB of memory, uses 1 million inodes and exploitation requires system access. This can be partially mitigated by setting /proc/sys/kernel/unprivileged_userns_clone to 0 and /proc/sys/kernel/unprivileged_bpf_disabled to 1 to prevent mounting long directories in a user namespace and prevent a user from loading a eBPF program into the kernel. The long term fix will be to apply kernel updates when released. BSD derived kernels (FreeBSD, macOS, etc.) are not vulnerable.
Read more in
- Qualys Security Advisory | Sequoia: A deep root in Linux’s filesystem layer (CVE-2021-33909)
- Nearly All Linux OSes Have a Pair of Privilege Escalation Flaws
- New Linux kernel bug lets you get root on most modern distros
Kaseya Obtains REvil Master Decryptor
Kaseya says it has obtained a universal decryption key to help affected customers recover from REvil ransomware. Kaseya was hit with a supply chain attack at the beginning of July that infected more than 1,000 organizations with REvil.
- As REvil has gone off-the-air, Kaseya and their source are the only places you can get a REvil decryption tool. Kaseya has engaged Emsisoft to help all affected customers. Kaseya is actively contacting customers who were impacted.
- What’s fascinating about this story is how the REvil community shut down and went dark before they received any payment. Apparently all the visibility they were getting put them at too much risk, so they ‘virtually fled’. This is good news as it shows we can put enough pressure on these threat actors to change behavior. Now the question is, can we continue to apply even more pressure / deterrence to stop future attacks? As for the decryptor key, remember that recovering data is only half the battle. Infected companies now have to rebuild all their systems to ensure their integrity, so there is a huge amount of work still ahead.
Read more in
- Updates Regarding VSA Security Incident
- Kaseya gets master decryptor to help customers still suffering from REvil attack
- The Kaseya Ransomware Nightmare Is Almost Over
- Kaseya obtains decryption key for victims of massive ransomware attack
- Kaseya obtains universal decryptor for REvil ransomware victims
Saudi Aramco Acknowledges Data Leak
Saudi Aramco says that some of its files were leaked as a result of a breach affecting a third-party contractor, and maintains that its own networks were not breached. Earlier this summer, the attacker demanded $50 million in cryptocurrency to delete the data they stole.
Read more in
UK’s Northern Trains Ticket Kiosks Hit by Ransomware
Northern Trains, a publicly owned company that operates railways in the north of England, was hit with a ransomware attack. The attack prompted the company to take its self-service ticket kiosks offline.
- San Francisco’s Bay Area Rapid Transit (BART) suffered a similar ransomware impact back in 2016. Often, risk analysis efforts have a blind spot around kiosk and point of sale systems that generate a lot of revenue or reduce a lot of cost. As the old movie line goes: “Follow the money!”
Read more in
- Northern Train’s ticketing system out to lunch as ransomware attack shuts down servers
- Hundreds of touchscreen ticket machines are offline after a ransomware attack
Prison Sentence for Fatal Swatting Attack
A Tennessee man has been sentenced to five years in prison for his role in a swatting attack that resulted in death. Shane Sonderman and co-conspirators repeatedly digitally harassed a man who died of a heart attack after police were called to his home under false pretenses.
- The engagement often starts with an attempt to get credentials or otherwise obtain some desirable cyber account, which when ignored the gangs then escalate to various levels, ultimately initiating a sometimes fatal swatting attack. If you find yourself being harassed contact your local law enforcement to reduce the risks of a fatal engagement.
Read more in
Vulnerability Leaves Password Hashes Exposed in Recent Versions of Windows
Some recent versions of Windows leave the SAM and SYSTEM hive exposed to be read by all local users. These hives contain hashed passwords, and are often the target of privilege elevation exploits. But as security researchers Jonas Lyk and Benjamin Deply found, some recent versions of Windows leave these hives exposed as shadow copies. Initially, only the brand new beta of Windows 11 was found vulnerable, but additional research showed that some recent versions of Windows 10 are vulnerable as well.
- “Summer of SAM” as well as the remnants of “PrintNightmare” are offering two different relatively straight forward privilege escalation exploits to attackers. Make sure your end point visibility is sufficient to detect these attacks. As I am writing this, “Summer of SAM” is still developing. Watch out for guidance from Microsoft for mitigation and detection techniques. Do not fall for random “patches” that will be offered by malicious actors.
Read more in
Hotfix Available for D-Link Router Vulnerabilities
Multiple vulnerabilities in the D-LINK DIR-3040 wireless router could be exploited to expose data, execute code, and cause denial-of-service conditions. D-Link has released a firmware hotfix to address the flaws. Users are urged to update to firmware version 1.13B03.
- So sad to see another hardcoded password. I will take the log disclosure vulnerability. But hardcoded passwords? And before I forget: Turn off internet access to administrative interfaces on these devices. Even if your router isn’t affected by this particular vulnerability.
- The update, released July 15th, addresses the five vulnerabilities, which include both hard-coded passwords and a telnet server which can be launched without authentication. The telnet server allows logging into the CLI using a default credential stored in the firmware. D-Link is working to further refine the update, so watch for added updates after you apply this fix now.
- Enterprises that use large numbers of these routers should systematically apply the fix. SOHO users who have only one or two may find it cheaper to simply replace or upgrade the device. Given that these vulnerabilities were more the result of design and intent, rather than error or omission, consider changing brands. That said, it is likely that many vulnerable devices will never be replaced or updated.
Read more in
- DIR-3040 :: Rev. Ax :: FW v1.13B03 :: CVE-2021-21816 / CVE-2021-21817 / CVE-2021-21818 / CVE-2021-21819 / CVE-2021-21820 -Multiple Vulnerabilities
- Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040
- D-Link issues hotfix for hard-coded password router vulnerabilities
CISA Alert AA21-200A – Tactics, Techniques, and Procedures of Indicted APT40 Actors
A Joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides information about the Chinese Advanced Persistent Threat (APT) group APT40. The advisory lists tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.
- These CISA alerts are great to direct your hunt team. You may not be a victim of this particular actor, but the same TTPs are used by others as well and these reports are a great reality check for your detection tools to make sure you have visibility where it matters.
- I welcome the focus on adversary behaviors (TTPs) over Indicators of Compromise (IoCs). If organizations can detect and respond to these TTPs, it will force the actor to change, which will cost them resources. Operate under assumed breach to focus on detecting adversary behaviors.
- While this focuses on ATP40, the mitigations apply broadly and should be reviewed for general applicability in your organization. In combination, these mitigations are extremely powerful defenses, and many should look familiar. Hand the IOCs to your SOC to ensure they are incorporated in your SIEM, then check for any matches.
Read more in
- CISA Alert AA21-200A – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
REvil Disappearance Leaves Kaseya Victims in the Lurch
The REvil ransomware group‘s disappearance from the Internet has left some of its victims in a tough spot. Victims lacking adequate backups currently have no recourse unless the REvil operators release the master keys or law enforcement seizes the keys. One unnamed victim paid the ransom but the key they received did not work to decrypt their data.
- Don’t plan on the ransomware operator providing you a working decryption key or tool, and don’t expect them to remain in business/reachable. This becomes even more complex with services such as REvil which offers services to affiliates, but you have no direct interaction with the affiliate. Focus now on being prepared for a ransomware attack: disconnected differential backups, updated user training, MFA your accessible services, and administrator accounts, verify you are running secure configurations and patches/updates are applied in a timely fashion. Leverage the StopRansomware.gov site for even more comprehensive guidance.
Read more in
- What’s Next Step for REvil Ransomware Victims?
- Kaseya victim struggling with decryption after REvil goes dark
Law Firm Discloses February Ransomware Attack
A law firm that handles cases for “dozens of Fortune 500 and Global 500 companies” has acknowledged that it suffered a ransomware attack in February 2021. Campbell Conroy & O’Neil, P.C., says that the attackers compromised client information, including “names, dates of birth, driver’s license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials.”
- The information release so far does not detail how the malware got installed, but odds are very high it started with a phishing attack that compromised reusable passwords. This is a good item to show your Chief Legal Counsel to get some backing for requiring all privileged accounts to use multi-factor authentication and checking that key services firms (like law firms) are doing so.
- Campbell is offering 24 months of credit monitoring, fraud consultation and identity theft restoration to individuals with compromised SSN’s or equivalent. Because Campbell is a legal firm, one would expect they would rely on their ability to litigate as an attack response; even so, ransomware preparedness and cyber hygiene must be in place no matter who you are.
Read more in
- Ransomware hits law firm counseling Fortune 500, Global 500 companies
- Law firm for Ford, Boeing, Exxon, Marriott, Walgreens and more hacked in ransomware attack
- Campbell Conroy & O’Neil Provides Notice of Data Privacy Incident
Moldova Court of Accounts Suffers Cyberattack
The Moldovan Court of Accounts has suffered a cyberattack that wiped out its data, including its audits of public financial organizations and government agencies. The Court of Accounts has taken down its website while it investigates the attack and restores its data.
Read more in
Microsoft Takes Down 17 Domains Used in Business eMail Compromise Campaign
Microsoft obtained a court order that allowed the company to take down malicious “homoglyph” domains that are being used to conduct fraud. In all, Microsoft took down 17 domains that were crafted to appear legitimate through variations in spelling or the use of characters that are similar in appearance.
- A homoglyph is one of two or more graphemes, characters or glyphs with shapes that appear identical or very similar. The idea is user<@>legitdomain.com and user<@>hoimoglyph.com are visually identical so the message will be accepted as genuine. E.g., replacing upper case I with lower case L. The attack targeted small businesses in North America and solicited a fraudulent wire transfer using the logos and otherwise legitimate email addresses from the business they were impersonating.
Read more in
- Microsoft takes down domains used to scam Office 365 users
- Microsoft secures court order to take down malicious ‘homoglyph’ domains
- In the United States District Court for the Eastern District of Virginia | Microsoft v. John Does 1-2…
MITRE Engenuity Evaluates ICS Cybersecurity Solutions
MITRE Engenuity has published the results of its evaluation of five industrial control systems (ICS) cybersecurity solutions. The solutions were voluntarily submitted by Armis, Claroty, Microsoft/CyberX, Dragos, and the Institute for Information Industry. The report examines the solutions’ responses to a simulated Triton attack.
- I’m a big fan of more testing for security products and in general the MITRE Engenuity ATT&CK evaluations are well done. But MITRE admits they do *not* directly address false positives. With so many products claiming to use machine learning/artificial intelligence to raise detection rates, false positive rates (or how much tuning is required to keep false positives at a workable level) is key to evaluating. These evaluations can give you good data on doing your own POC/bakeoff, but don’t replace the need to do so.
- All testing has limitations, late testing particularly so. Not all systems are as easily tested as others; complex systems should be designed to facilitate effective testing. Tests should be part of the product specification (rather than something thought up after the fact). Testing should be continuous throughout development, from component testing to final system test Testing should first demonstrate that the system performs as intended and only then that it is resistant to attack. The attack modes should be identified and addressed during development rather than sprung as a surprise at the end.
Read more in
- TRITON ICS Evaluation 2021
- Open and fair evaluations based on ATT&CK®
- ICS security evaluations may help improve detection of subtle attack clues
- MITRE announces first evaluations of cybersecurity tools for industrial control systems
DoJ Charges Alleged Members of Chinese Hacking Group
The US Department of Justice (DoJ) has unsealed an indictment charging four Chinese citizens with conspiracy to commit computer fraud and conspiracy to commit economic espionage. The individuals allegedly participated in “a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.”
Read more in
- Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research
- DOJ charges four members of Chinese government hacking group
- US indicts members of Chinese-backed hacking group APT40
- US Accuses China of Using Criminal Hackers in Cyber Espionage Operations
US Formally Blames China for Exchange Server Attacks
The US, along with a group of allies and partners, has accused the People’s Republic of China of being responsible for the Microsoft Exchange server attacks earlier this year and of exhibiting a “pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world.” The Biden administration has not issued formal sanctions against China’s government.
- This action triggered two bulletins from: one in Top of the News and one below. The actions behind making the accusation and implementing the sanctions are long and complex and, while welcome, should not change your approach to defending your systems, nor should you expect a measurable decrease in attempted attacks.
- This is significant in the manner that it was coordinated and announced not only by the US but by NATO, the European Union, Australia, England, Canada, Japan, and New Zealand. At the same time, the US Department of Justice charged four Chinese nationals. The pressure on both China and Russia to stop protecting malicious actors operating out of their country will hopefully result in a positive outcome but we will have to wait and see.
Read more in
- The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China
- U.S., allies accuse China of hacking Microsoft and condoning other cyberattacks
- US: Chinese Government Waged Microsoft Exchange Attacks
- US, allies blame China-linked hackers for Microsoft Exchange breach
CISA Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs
A Joint Cybersecurity Advisory from the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides technical details about the tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. The “advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.”
- Even if you’re not worried about APTs, read the information as to how a well-resourced adversary operates to better understand how you could be compromised. The information includes detection, defenses and mitigation options for most actions. Many of these are things that you should already be doing.
- The TTP that jumped out the most for me on this one was the use of steganography to hide stolen data inside of other files stored on GitHub. This is very difficult to detect and probably not the focus of most organizations. As your detections mature, take a look at the more sophisticated TTPs for detection and response.
Read more in
SonicWall Warns of Active Attacks Against VPN Appliances
SonicWall has issued an urgent security notice warning of active attacks “targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware.”
- These vulnerabilities have been known for months, and have been exploited for months. You will need to decommission these devices or if possible upgrade them to a 9.x or 10.x firmware. Upgrades will likely require a valid subscription. Remember that many security devices will work only if you continue to pay subscription fees.
- Attackers will always focus their efforts on our blind spots. As endpoint protection has evolved dramatically in recent years to provide greater visibility to the desktop, we’ve seen an increase in attacks against security appliances, such as firewalls and VPN concentrators, where endpoint security products can’t be installed. This attack is focused on an SMB product line, but enterprise products from Cisco, Juniper, F5, Palo Alto Networks, and Citrix have had similar issues within the last year. Earlier this week, Microsoft reported attacks against SolarWinds Serv-U product being launched from compromised home routers. So, this serves as a great reminder that “appliances” should be included your regular patch and vulnerability management program, and organizations should consider the risk and impact if an employee’s home routers is compromised, as well.
- VPNs are still the predominant remote access to the corporate network and remain a critical boundary protection device. As such, you need to keep them secured, patched and current. While implementing MFA, verifying the security and patching them with nominal disruption is tricky enough; you need to add lifecycle replacement to your list. That means you’re going to have to identify and implement the replacement early enough to have the users cut over before the old solution goes out of support. Then you need to retire the old one, as in dispose of it, to avoid the temptation to fall back to an unsupported, no longer secure solution.
Read more in
- Urgent Security Notice: Critical Risk To Unpatched End-Of-Life SRA & SMA 8.X Remote Access Devices
- SonicWall releases urgent notice about ‘imminent’ ransomware targeting firmware
- SonicWall Warns Firewall Hardware Bugs Under Attack
- SonicWall warns of ‘critical’ ransomware risk to EOL SMA 100 VPN appliances
WooCommerce Releases Fix for Critical Flaw in WooCommerce Block
The developers of the WooCommerce e-commerce platform for WordPress have released updates to address a critical SQL-injection vulnerability that is being actively exploited. The issue affects the Woo Commerce Block feature, which is installed on more than 200,000 WordPress sites.
- You MUST patch this vulnerability today. This vulnerability is already being exploited.
- Updates were released to all vulnerable versions, about 90 updates in total. This means you can update to a fixed version without having to worry about compatibility issues. That said, you still need to press forward to get to the latest versions of these plugins if you’re continuing to use them. Note that the Wordfence paid version had two firewall rules to detect and block exploitation as of July 14th and 15th. The free version will get these rules August 13th and 14th.
Read more in
- Critical SQL Injection Vulnerability Patched in WooCommerce
- WooCommerce fixes vulnerability exposing 5 million sites to data theft
- Zero-Day Attacks on Critical WooCommerce Bug Threaten Databases
US Government Reveals Measures to Fight Ransomware
The Biden administration has revealed several measures aimed at preventing ransomware attacks. US State Department will pay up to $10 million for information about cyberattacks that target the country’s critical infrastructure and were conducted “at the direction or under the control of a foreign government.” There are also plans to cut ransomware operators off from cryptocurrency, and the Cybersecurity and Infrastructure Security Agency (CISA) has launched the Stop Ransomware website which will serve as a clearinghouse for resources to help businesses and state and local governments protect their networks.
- These are all good things but what is missing here is the most proactive step: the US government driving increased use of multi factor authentication to replace reusable passwords in government and critical infrastructure applications. President Biden’s Executive Order on cybersecurity did emphasize MFA – the publicity around ransomware should be used to main gains in eliminating reusable passwords before attention moves on.
- The trick is to disrupt the effectiveness of the tactics used with ransomware. A multi-faceted, multi-agency effort is underway to do this and includes task forces and rewards for information on ransomware gangs and even conferences. The StopRansomware.gov web site is set up to deliver information regarding what ransomware is, what to do if compromised, and how to avoid it. Core to avoidance is good cyber hygiene and good user behavior. The site breaks this down into understandable bites and has references from multiple sources to help preparedness. Conduct a ransomware tabletop exercise to see how prepared you really are. Implement any lessons learned, look at adding this to your annual DR exercise.
- I somehow feel we are still very much in the wild-wild west stages of cybersecurity. Instead of WANTED posters being posted on the frontier cities of the old cowboy days, we have cyber WANTED posters for the international community. It’s a step in the right direction (we are no longer homesteaders on our own having to protect the farm) but we have so much further to go (we need the sheriffs to help enforce international law). I checked out the CISA new ransomware site and love it! The problem we have in the US is that so many organizations are putting out information (CISA, FTC, FBI, NCSA, IRS), it can be both overwhelming and conflicting for its citizens).
- These measures may change the risk/reward of ransomware and reduce the efficiency of the black market. In the meantime, enterprises need to reduce the attack surface and raise the cost of attack. Consider strong authentication, structured networks, and least privilege access control.
Read more in
- Biden administration stepping up efforts to respond to ransomware attacks
- Rewards for Justice – Reward Offer for Information on Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure
- Stop Ransomware
- U.S. Government Offers $10 Million for Info on Hackers Targeting Critical Infrastructure
- The White House Announces Additional Steps To Combat Ransomware
- US government launches plans to cut cybercriminals off from cryptocurrency
- Agencies Unveil Plans to Fight Ransomware—Including Paying for Tips
- White House announces $10 million bounty for state sponsored cybercriminals
- US State Department offering $10 million reward for state-backed hackers
- State Dept. to Pay Up to $10M for Information on Foreign Cyberattacks
REvil Ransomware Websites Offline
According to multiple researchers, websites related to the REvil ransomware have been taken offline. It is not clear why the sites are unavailable; they have been unreachable since Tuesday, July 13.
- Ransomware gangs need to be careful to attract just the right amount of attention and notoriety. Too little, and victims will not pay as the actor is not yet established as reliable. Too much and law enforcement will take note and pressure ISPs / Registrars to disconnect payment sites even if the individuals themselves are out of reach. It is very possible that REvil is just rebranding or selling assets to a different group.
- As exciting as the prospect is of them being shut down, hold the applause until you see an announcement from law enforcement stating they took them down. Otherwise, expect them to re-emerge, probably from a different locale.
Read more in
- REvil ransomware gang’s websites vanish soon after Kaseya fiasco, Uncle Sam threatens retaliation
- REvil websites down after governments pressured to take action following Kaseya attack
- REvil Ransomware Site Goes Offline
CISA: Agencies Must Mitigate PrintNightmare Vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive (ED) instructing federal agencies to take action to protect systems from being attacked through the Windows Print Spooler service vulnerability known as PrintNightmare. The ED lists six actions that agencies must complete by Wednesday, July 21.
- All agencies are required to disable print services on AD controllers, apply the patches to all Windows servers and workstations, then either disable print spoolers, restrict installation of printer drivers to administrators via GPO or registry keys, by July 20th. These are good practices to consider even if you’re not impacted by this directive. Don’t forget to address cloud-based Windows servers or workstations, whether directly or indirectly (third-party) managed.
Read more in
- Emergency Directive 21-04 | Mitigate Windows Print Spooler Service Vulnerability
- CISA orders federal agencies to patch Windows PrintNightmare bug
- CISA orders agencies to disable Microsoft Print Spooler in response to ‘PrintNightmare’ flaw
- CISA Emergency Directive: Patch ‘PrintNightmare’ Flaw
Microsoft Patch Tuesday Includes Fix for PrintNightmare
On Tuesday, July 13, Microsoft released fixes for nearly 120 security issues, including 13 that are rated critical. Four of the flaws are being actively exploited. One of the critical flaws addressed in the updates is the PrintNightmare print spooler vulnerability. Microsoft also fixed a pair of privilege elevation vulnerabilities reportedly exploited by Candiru spyware.
- This update includes fixes for four zero-day flaws, and the official patch for PrintNightmare. Even with this fix, look to restrict print driver installation to administrators only as the CISA ED 21-04 suggests. Don’t lose sight of the other updates released, including fixes for SharePoint and Exchange which deserve special attention due to their exploitability.
- Pro tip: you can gauge the quality of your pentesters with this kind of vulnerability. Yes, they can probably move laterally and escalate privilege, but can they give you viable recommendations that fit your operations model? Do those recommendations apply to just this vuln-of-the-day, or are they generally applicable to your vulnerability management program?
Read more in
- Microsoft Releases Patches for 4 Exploited Zero-Day Flaws
- What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft
- Microsoft fixes 117 vulnerabilities, four exploited in the wild
- Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed
- Microsoft Patch Tuesday, July 2021 Edition
Microsoft Discloses New Windows Print Spooler Flaw
Microsoft has shared information about a new, as-yet unpatched vulnerability affecting Windows Print Spooler. This vulnerability is separate from the PrintNightmare flaw; it is a local privilege elevation vulnerability that “can only be exploited locally to gain elevated privileges on a device.” The flaw has been given a CVSS score of 7.8.
- The Windows Print Spooler is the gift that keeps on giving. The reason is an architectural choice made many Windows versions ago. Printer drivers are code provided by users, and this code executes as System. This will not be fixable unless you heed Microsoft’s advice and disable users’ ability to provide printer drivers. Everything else will just be a bandaid until the architecture is fixed in a future Windows version.
- Vulnerabilities that require device access to exploit do not result in large scale or widespread attacks.
Read more in
- Windows Print Spooler Elevation of Privilege Vulnerability
- Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability
- Microsoft shares guidance on new Windows Print Spooler vulnerability
Adobe Patch Tuesday
On Tuesday, July 13, Adobe released updates to address 28 security issues affecting Acrobat and Reader, Framemaker, Illustrator, Dimension, and Bridge. 22 of the flaws are rated critical.
- The Acrobat and Reader flaws are a priority 2, as in no active exploit but historically targeted application, while the others are a priority 3 as they are not a historically targeted platform. Even so, the base CVSS scores suggest not sitting on these updates. Typically users need to close these applications before an update can be performed, and with the Microsoft patches queued up, it’d be a good time for a forced reboot to ensure that happens.
- Patching is a necessary but expensive way to achieve software quality. Consider applications in the cloud and thin clients to reduce your cost.
Read more in
- Recent bulletins and advisories
- Adobe Patches 11 Critical Bugs in Popular Acrobat PDF Reader
- Adobe updates fix 28 vulnerabilities in 6 programs
ICS Patch Tuesday: Siemens and Schneider Electric
Siemens has released 18 security advisories that address nearly 80 vulnerabilities in its products. Schneider Electric has released six advisories that address 25 vulnerabilities in a variety of the company’s products. Among the flaws for which Schneider has release fixes is a critical authentication bypass issue in Schneider Electric Modicon programmable logic controllers (PLCs).
- As other items point out, July will be a busy patching month and IT resources that support OT patching may be consumed dealing with the volume of Microsoft, Adobe and VPN patches. Good idea to review segmentation and monitoring around any Siemens and Schneider device usage.
Read more in
- ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities
- Siemens Security Advisories
- Cybersecurity Support Portal
- Schneider Electric Security Notification | 13-Jul-21 Document Reference Number – SEVD-2021-194-01
- Researchers find big flaw in a Schneider Electric ICS system popular in building systems, utilities
Tools From Spyware Vendor Candiru Exploited Windows Zero-Days (Now Patched)
Citizen Lab and Microsoft report that cyberespionage made by an Israeli spyware company have been used by governments to snoop on journalists, politicians, human rights activists and others. Some of the tools exploited vulnerabilities in Windows which were patched earlier this week.
- The Citizen Lab report not only outlines the malware functionality, C&C infrastructure and how to identify it, but also shows the lucrative nature of this sort of offering. Apply the patches, and keep an eye on the IOCs as a well-funded group like this will find other ways to exploit systems.
Read more in
- Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus
- Fighting cyberweapons built by private businesses
- A private Israeli firm has helped governments hack journalists and human rights advocates
- Mysterious Israeli Spyware Vendor’s Windows Zero-Days Caught in the Wild
- Microsoft: Israeli firm used Windows zero-days to deploy spyware
- Microsoft, Google, Citizen Lab blow lid off zero-day bug-exploiting spyware sold to governments
Kaseya Patch Progress
Kaseya reports that it has released a patch for VSA on-premises customers and has deployed the fix to its VSA software-as-a-service (SaaS) infrastructure. While the VSA SaaS update was complete by 8AM ET on Monday, July 12, Kaseya performed ”unplanned maintenance” across its SaaS infrastructure later that afternoon to address performance issues caused by so many users coming back online at the same time. That maintenance was complete as of 3:30 PM ET on July 12.
- The patch does alter some of the VSA module’s functionality. Read Kaseya’s documentation for details. Kaseya published a hardening guide for on premise customers to go with the patch. It strongly recommends to first verify that the system is not already compromised, and Kaseya does offer links to tools to assist. Users will need to reset passwords after applying the patch.
- Restarting services after an outage is tricky and requires planning, practice, and communications to prevent a crash or other denial of service. While you have plans for limited scope maintenance outages, have you looked at what happens if you had to turn everything off and on? If you’re using dynamic scaling, do you have a sufficient minimum level of services before turning the entry point (typically a load balancer/WAF) on? Did you remember to include the state of supporting services? Now that you’ve got that figured out on-premise, talk to your cloud and outsource providers about what their plans are and how it impacts your users.
Read more in
- Important Notice July 12th, 2021
- Kaseya claims SaaS restoration going swimmingly
- At long last: Kaseya restores VSA services shelved after ransomware row
- Kaseya ransomware attack: What we know now
- Kaseya issues patch for on-premise customers, SaaS rollout underway
- Kaseya Releases Security Patch as Companies Continue to Recover
Colorado Passes Consumer Data Privacy Law
Colorado is the third state, after California and Virginia, to enact a consumer data privacy law. Under the new law, Colorado residents can opt out of allowing businesses operating within the state to collect, store, and sell their information. The Colorado Privacy Act takes effect in 2023.
- Ideally, before this takes effect in July 2023 there will be national privacy legislation to set a standard minimum level across all states in the US. The Colorado wording has lots of exclusions compared to California and Virginia andlike CA and VA and most draft state legislation, includes the require for a Data Protection Assessment but doesn’t define the term. The EU GDPR regime published a template for the Data Protection Impact Assessment required by GDPR, can be found at gdpr.eu: Sample DPIA template (PDF)
- Having added states passing privacy laws raises the bar and complicates things for organizations doing business in multiple locations. You’re going to have to make sure your employees are trained on the requirements to fully comply with the regulations. The training program has to be derived from the data you collect and process, and builds on cyber hygiene practices such as only collecting the minimum amount of required data, not storing it any longer than needed, protecting it at rest and in transit, as well as defining what actions a request to “be forgotten” entail.
- Not sure how much this helps. With each state pushing to have its own privacy laws it becomes a nightmare for business to adhere to them. Sooner or later we most likely will need some type of single, encompassing federal privacy law that organizations can follow.
Read more in
- Colorado’s new law ups need for privacy awareness training
- Colorado Gov. Polis signs data privacy act
SolarWinds Releases Hotfix for Serv-U Vulnerability
SolarWinds has released a hotfix to address a remote code execution vulnerability in its Serv-U Managed File Transfer and Serv-U Secured FTP products that is being actively exploited. The issue affects Serv-U versions 15.2.3 HF1 and earlier. SolarWinds learned of the vulnerability from Microsoft.
- Serv-U is a distinct product implementing remote access via SSH. Not all SolarWinds customers will have this component installed. If you do have it installed, review your logs for access from odd source IPs. This component has already been exploited in some targeted attacks.
Read more in
- Serv-U Remote Memory Escape Vulnerability
- SolarWinds patches critical Serv-U vulnerability exploited in the wild
- Solarwinds Confirms New Zero-Day Flaw Under Attack
- SolarWinds issues software update – one it wrote for a change – to patch hole exploited in the wild
- SolarWinds releases security advisory after Microsoft says customers ‘targeted’ through vulnerability
- SolarWinds Discloses Zero-Day Under Active Attack
Hackers are Increasingly Targeting Remote Management Tools
The Kaseya attack is just one example of cyber threat actors targeting remote management tools. Researchers attending the Black Hat conference next month plan to present techniques they used to take control of Jamf, a tool used to help manage large numbers of machines. Jamf’s CISO says the research being presented does not indicate vulnerabilities in the tool, but does underscore the need for secure configuration.
- Defenders seem more careful lately about exposing RDP to the internet, but penetration testers (and attackers!) still find remote management services and even SIEMs exposed. When they are, it’s often a matter of guessing single-factor user credentials, trying manufacturer default credentials, or firing the latest exploit from Metasploit or Github. These become much harder targets when access is restricted to necessary source IPs or when they’re behind multifactor VPNs – patched and well-configured!
- Fifteen months of extreme telecommuting has driven a huge spike in remote management and remote access services, which already were targets. With an increasingly target rich environment, you need to make sure that your services are properly secured, maintained, and identified. Look for new or unauthorized entry points, and make sure they are either converted to your enterprise solution or managed and secured to the same level as those enterprise options. This is more than war-dialing to find modems; this is now looking for connections to remote access cloud services as well as exposed services at your perimeter.
Read more in
DOD OIG: Additive Manufacturing Systems Expose DoD Network to Security Risks
According to a report from the US Department of Defense Office of Inspector General (DoD OIG), DoD failed to properly secure additive manufacturing systems (3D printers and associated workstations) because they were categorized as tools instead of IT. According to the report, “the DoD uses AM to create molds for personal protection body armor, parts for tactical vehicles, brackets for weapons systems, and medical implants and prostheses (artificial body parts). The DoD also uses AM to create spare parts on demand, which reduces the need to store or maintain large on hand inventories, allowing units to relocate quickly if mission requirements change.” The report recommends including additive technology in the DoD IT systems portfolio and upgrading all additive manufacturing systems to Windows 10.
- Additive Manufacturing is specialized IT, aka OT. It provides incredible just-in-time capabilities, and just like a CNC machine, it needs to be properly segmented, updated and monitored. Also like those CNC machines, they may not be able to run current operating systems, which drives the need to have additional protections. Remember you’re not only protecting them from inappropriate access, you are also protecting the rest of your network from potentially higher risk devices just like other OT components.
Read more in
- Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098)
- Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (PDF)
- DOD’s 3D printers are vulnerable to hackers, IG finds
Intezer: Global Phishing Campaign Targets Energy Sector
Researchers from Intezer “found a sophisticated [cyber] campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries.” The threat actors gain an initial foothold in targeted systems through highly tailored spear phishing attacks.
- Make sure that your endpoint protections can detect fileless malware. This attack is using spoofed email and typosquatting to trick users into clicking. Make sure that you’ve implemented DMARC/DKIM/SPF in reject mode to reduce the likelihood of messages slipping through. With everything else going on, make sure that you didn’t put UAT on hold; studies have shown that information gets “stale” in under six months without reinforcement.
- Phishing has always been a primary attack vector (see VZ DBIR for past four years) simply because it works. What has changed is cyber attackers are continuing to improve their phishing kung fu, gaining better intel on their intended targets and learning what emotional triggers are the most effective. To prevent these types of attacks requires both technical controls and human training. No, AI is not going to solve this one.
Read more in
- Global Phishing Campaign Targets Energy Sector and its Suppliers
- Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign
Patch Available for Actively Exploited Flaw in ForgeRock Access Management
ForgeRock has released an update to fix a critical pre-authorization remote code execution flaw in its Access Management platform. The flaw is being actively exploited. It affects Access Management versions older than 7.0 running on Java 8. Users are urged to apply the patch or one of the workarounds suggested in the ForgeRock security advisory.
Read more in
- Patch Fixing AM Vulnerability Now Available for ForgeRock AM 6.x
- AM Security Advisory #202104
- ForgeRock Open AM critical vulnerability
- Critical ForgeRock Access Management Vulnerability
- Critical RCE Vulnerability in ForgeRock OpenAM Under Active Attack
Cisco IP Desk Phone Vulnerabilities
Vulnerabilities in multiple models of Cisco IP desk phones could be exploited to eavesdrop on phone calls and to bug the rooms they are in. An attacker would need physical access to the targeted device to exploit the flaws. Cisco has released updates to address the vulnerabilities.
- Knowing what is connected to your network and categorizing what you find is one of the essential security hygiene requirements, such as in Implementation Group 1 of the CIS Critical Security Controls. Many Network Access Control products can identify or categorize IP phones or IoT devices that are detected on your networks.
- The vulnerability is in the Broadcom chipset, which means that a complete fix requires both Cisco and Broadcom updates. Exploitation needs physical access, removing the backplate, and sending specific impulses to the chipset, meaning unattended devices (in conference rooms, hallways, lobbies, etc.) are possible targets. Make sure you’re applying Cisco’s hardening and securing practices. Think of these as small computers, not just phones, when looking at risks. Check the Cisco site to see if you’re running impacted devices. If you are, deploy the update and keep an eye out for further patches.
Read more in
- Broadcom MediaxChange Vulnerability Affecting Cisco Products: July 2021
- An Office Phone Flaw Can’t Be Fixed by Cisco Alone
Ransomware Attacks Against School Systems on the Rise
The Multi-State Information Sharing and Analysis Center (MS-ISAC) observed a 19 percent increase in reported ransomware attacks against school districts between 2019 and 2020, and is projecting an 86 percent increase this year. Most school districts lack the cyber defenses of private organizations, and because so many districts are teaching remotely, every student device could be considered a point of entry for cyber criminals.
- As a father of three, stories like this break my heart. Most elementary schools are struggling to just teach the next generation. Ransomware attacks can devastate not only networks and budgets but the future lives of kids. Remember, cyber criminals have no ethics; absolutely anyone is a target. Until there is pain applied to the cyber criminal community, they will simply continue.
Read more in
CNA Financial Sends Breach Notification Letters About March Ransomware Attack
CNA Financial Corp. has begun notifying customers that their personal information may have been compromised during a March 2021 ransomware attack. The compromised data include names, Social Security numbers, and health benefits information. CNA reportedly paid $40 million to the ransomware operators.
- CNA is ranked as the seventh-largest commercial insurance provider in the U.S. and was a target of the Phoenix CryptoLocker attack. This ransomware uses remote desktop and compromised credentials to get a foothold. It even masquerades as legitimate software signed by “Saturday City Limited.” Make sure that your exposed services don’t allow reusable credentials. Never expose RDP directly to the Internet; place it behind a VPN with multi-factor authentication. Check regularly for newly exposed access paths, and either secure or remove them.
Read more in
- CNA Discloses Breach Related to March Ransomware Attack
- Insurance giant CNA reports data breach after ransomware attack
- Sample Notification Letter
Easterly Confirmed as CISA Director
The US Senate has unanimously confirmed Jen Easterly as director of the Cybersecurity and Infrastructure Security Agency (CISA). The agency has lacked an official director since November 2020, when Christopher Krebs was fired.
- Brandon Wales has been acting director since November 2020, and doing a great job, it will be easier for CISA to move forward with a formally appointed leader. Easterly is the third cyber position in the Biden administration with roots in the NSA, joining Chris Inglis, national cyber director and Anne Neuberger, National Security Council.
Read more in
- US Senate Approves Jen Easterly As CISA Director
- US Senate confirms Jen Easterly as head of cyber agency
- Senate confirms former White House, NSA official Jen Easterly as CISA director after delay
Kaseya Plans to Have VSA SaaS and On-Premises Updates Ready by Sunday, July 11
Kaseya is still working on patching both the software-as-a-service (SaaS) and the on-premises versions of its VSA software. The attackers managed to infect about 60 Kaseya on-premises customers, and from there, infect about 1,500 of those customers’ clients with REvil ransomware. Kaseya plans to have patches available for SaaS and on-premises VSA software by 4PM EDT Sunday, July 11. Kaseya has released a start-up readiness guide for on-prem VSA customers to “ensure [their] VSA server(s) is prepared to receive the VSA release patch, which contains critical security fixes.”
- Be aware of fake updates circulating. These fake updates will attempt to install backdoors instead of fixing the flaw. Be careful with any detection tools, patches, or protection tools distributed and always verify the source as well as the integrity of the file.
- The Kaseya article below lays out what you need to do for an on-premise server to prep for the upcoming patch, including isolation and checking for provided IOCs. Note that they have an agreement with FireEye to provide complementary endpoint security agents for your VSA server which you should implement.
Read more in
- Kaseya Announces New Service Restoration Date
- Kaseya offers pre-patch instructions for on-prem VSA customers
- On Premises VSA Startup Readiness Guide – July 7th, 2021
PrintNightmare Emergency Fix Can be Bypassed
Microsoft issued an emergency patch top address the critical Windows print spooler vulnerability known as PrintNightmare, but the patch falls short. Hours after Microsoft released the patch, a researchers demonstrated that it could be bypassed.
- Windows suffers from an architectural problem in running printer drivers as SYSTEM. The only way to properly mitigate this risk is to allow only administrators to install printer drivers. The latest patch does offer this option and it should be enabled.
- If you’ve already pushed out the patch, as many did, enable the “RestrictDriverInstallationToAdministrators” registry value to only allow administrators to install printer drivers. If end users are operating with administrative privileges on their endpoints, make sure that UAC is set to always prompt for credentials, which slows inadvertent installations. Other UAC settings have historically had bypass options which reduces their effectiveness. Test these settings before deploying widely.
Read more in
- Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability
- Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say
- Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability
Cyberinsurance Companies Respond to Ransomware Situation
The insurance industry is taking steps to address the issue of ransomware. In June, a consortium of seven major cyber insurers established CyberAcuView, which “will compile and analyze cyber-related data to enhance value and service to policyholders and help ensure a competitive market for cyber insurance.” And earlier this month, the American Property Casualty Insurance Association (APCIA) published its Cyber Extortion/Ransomware Guiding Principles.
- In the long run, an effort like CyberAcuView could have positive impact by standardizing insurer requirements for “essential security hygiene” based on meaningful standards such as the CIS Critical Security controls. But, two things to keep in mind: (1) Long term means no likely meaningful impact before 2023 at the earliest; and (2) in both the long term and the short term, the presence or absence of cyberinsurance does not reduce what needs to be done to protect business and customer data and services.
- The phrase “closing the barn door after the horse has bolted” came to mind when reading this. There is a very strong argument that cyber insurance companies encouraged the growth in ransomware attacks by their preference to pay ransom demands for their clients who fell victim to attacks. It also highlights that cybersecurity has many complex challenges and simple solutions that seem attractive to business sponsors, such as cyber insurance, may not work as expected and can have serious implications in the long term.
- Cyber insurance companies got really good at negotiating payments for ransomware, resulting in a position where payment was virtually assured. Subsequently, while the rise in premiums in the last year has been 20%, the rise in claims has been 39% which results in a financially unsustainable position for the insurance companies. The good news is this has forced them to publish guiding principles and form alliance such as CyberAcuView to strengthen risk mitigation and stem this tide.
- Insurance, the assignment of risk to underwriters, should be used for things that have low rates of occurrence, high consequences, and which are difficult to mitigate.
Read more in
- Two cyber insurance industry initiatives grapple with rise of ransomware
- Consortium of Leading Cyber Insurers Announce the Launch of CyberAcuView
Guidance from the FBI and CISA describes Kaseya situation as a “supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.” The attack began on July 2; just hours after Kaseya VSA servers were compromised, between 800 and 1,500 organizations became infected with ransomware. The attack affected Kaseya VSA on-premises customers; the company urged those customers to shut down their VSA servers. Kaseya also made the decision to take its software as a service (SaaS) servers offline as a precautionary measure.
- I hesitate to call this a supply chain attack as the malicious actors didn’t compromise the code base as much as they exploited a zero-day flaw. Even so, read and implement the guidance from CISA and Kaseya on improving your VSA instance security before returning it to operational status.
Read more in
- Kaseya ransomware attack updates: Your questions answered
- CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack
- Up to 1,500 businesses infected in one of the worst ransomware attacks ever
- Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Kaseya Flaw Reported in April
One of the vulnerabilities recently exploited in Kaseya’s Virtual System Administrator (VSA) software was reported to the company earlier this year. In April, the Dutch Institute for Vulnerability Disclosure privately reported seven security issues to Kaseya. Four of the flaws were addressed un April and May updates. The remaining three vulnerabilities were scheduled to be fixed in a forthcoming update. (Please note that the WSJ story is behind a paywall.)
- It does look like Kaseya dropped the ball fixing these vulnerabilities, causing harm to its customers. A robust vulnerability remediation program is a must-have for a software company and interactions with researchers reporting vulnerabilities need to be managed well. A well-managed bug bounty program can help streamline the process and set expectations for researchers reporting vulnerabilities.
- Prioritization of fixes is tricky. Kaseya is a great example of working with researchers who disclosed vulnerabilities, and assisted in verifying the patches resolved the issues. As with any vulnerability, there is a race condition of developing, verifying and deploying fixes versus malicious actors discovering and exploiting those weaknesses. In this case, one flaw – CVE-2021-30116, slated for a June patch release, lost the race. While it’s easy to second-guess here, note that the rapidly released PrintNightmare fixes fell short of resolving that issue, resulting in added fixes which can be just as disruptive as failing to release an update at all.
- This failure raises a number of questions. During this window, did Kaseya caution their customers or suggest workarounds? Did they have a duty to do so? Is our infrastructure too porous? Can we live with an infrastructure that is based upon late quality by patching? Raise your own questions, as well.
Read more in
- Kaseya VSA Limited Disclosure | Why We are Only Disclosing Limited Details on the Kaseya Vulnerabilities
- DIVD-2021-00011 – Kaseya VSA Limited Disclosure
- Software Firm at Center of Ransomware Attack Was Warned of Cyber Flaw in April (paywall)
- White hats reported key Kaseya VSA flaw months ago. Ransomware outran the patch
Kaseya Attack Takes Two Maryland Towns Offline
Among the victims of the Kaseya supply chain attack are two Maryland towns. The computer networks of Leonardtown and North Beach have been infected with REvil ransomware. Neither town has its own IT staff, and both were infected through Kaseya customers’ systems.
- The beauty of hiring an MSP is that they have expertise you don’t, common tools and processes, including 24×7 support for less than you can insource. That comes with a cost of having remote privileged access to your systems, and the risk of compromise, either through a flaw in their tools or staff. In a little to no IT staff model, make sure that you still have staff that knows how and where to shutdown impacted services as well as clear understanding of what service restoration entails. Lastly, irrespective of IT staff size, make sure that you have proven fallback procedures for IT failures.
- Small businesses and state, local, and tribal agencies that are totally dependent on service providers will unfortunately always have this kind of risk. However, one common “trick” that Leonardtown, MD was able to use to start restoring backups manually was to have a at least one PC that is never used be part of the backup strategy. Leonardtown (and others in the past) have taken advantage of the PCs of employees who were on vacation when the malware attack hit – have one PC where the user is always “on vacation.”
- Managed Service Providers owe a high standard of care.
Read more in
- Maryland towns impacted in Kaseya ransomware breach
- Maryland town knocked offline as part of massive ransomware attack
- ‘Shut down everything’: Global ransomware attack takes a small Maryland town offline
US Will Take Action Against Russian Cybercriminals if Russia Does Not
In a July 6 briefing, White House Press Secretary Jen Psaki said that “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.” Psaki also noted that the Kaseya supply chain attack has not yet been attributed to a specific threat actor.
- Specific attribution is tricky as the REvil Ransomware Service is available to any affiliate to use, for a percentage of the ransom collected. Also Russia historically has had a “so long as you don’t hack us we’re good” posture for malicious actors operating there. The recent stories of takedown of international operations, similar to REvil, depend on cooperation of law enforcement in all countries involved, without which shuttering the service, or determining the actual actors behind any given attack become moot.
Read more in
- Press Briefing by Press Secretary Jen Psaki, July 6, 2021
- Biden Faces Russian Ransomware Curtailment Challenge
- US warns Russia to take action after latest attacks
- US warns of action against ransomware gangs if Russia refuses
Mongolian Certificate Authority Website Compromised
Attackers compromised Mongolian certificate authority MonPass’s website and installed Cobalt Strike in its installer software. The backdoored installer was available for about a month earlier this year.
Read more in
- Backdoored Client from Mongolian CA MonPass
- Website of Mongolian certificate authority served backdoored client installer
- Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software
Right to Repair Movement is Gaining Traction
In a press briefing on Tuesday, July 6, White House Press Secretary Jen Psaki said that President Biden plans to issue an executive order (EO) that addresses right to repair. The EO will reportedly direct the Federal Trade Commission to draft rules that prevent manufacturers from limiting customers’ ability to repair products they have purchased, and direct the Department of Agriculture to establish rules allowing farmers to repair their own equipment. In a related story, the UK has rules that require manufacturers to make spare parts available to people who purchase electrical appliances, and the European Commission plans to introduce right-to-repair rules for smartphones, laptops, and tablets. Apple co-founder Steve Wozniak has voiced his support of the right to repair movement.
- Be careful what you ask for, you might get it. Agriculture and Cyber are different environments. The Apple founders fell out over the issue of “closed versus open” systems. I, for one, am glad that Jobs won.
Read more in
- Biden Sets Up Tech Showdown With ‘Right-to-Repair’ Rules for FTC
- Biden’s right-to-repair order could stop companies from blocking DIY fixes
- Press Briefing by Press Secretary Jen Psaki, July 6, 2021
- Right to repair movement gains power in US and Europe
- Steve Wozniak Voices Strong Support for the Growing Right to Repair Movement
Sage X3 Vulnerabilities Fixed in Updates
Four vulnerabilities, one of which is critical, in the Sage X3 enterprise resource planning (ERP) platform could be exploited to execute arbitrary code and take control of vulnerable systems. Fixes for the flaws have been released.
- Attackers are going after applications (like Solar Winds, Kaseya, etc.) that get the highly privileged access inside networks, and ERP and financial management apps are certainly targets. SAP, Oracle, and Workday are the “big dogs” in this market but Sage, along with Acumatica, Financial Force and Infor customers should review segmentation around these products and accelerate patching.
Read more in
- CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities
- Sage X3 Version 11 (June 2021)
- Critical Flaws Reported in Sage X3 Enterprise Management Software
- Critical Sage X3 RCE Bug Allows Full System Takeovers
Joplin, Missouri’s Computer System Hit with Cyberattack
The city of Joplin, Missouri’s computer network suffered an apparent cyberattack; its phone lines and online presence were both unavailable as of Thursday, July 8. The city’s 911 service is operational. Various city departments, including planning and zoning, and code enforcement, have counter service available and are accepting only cash and checks for payment.
Read more in
Cisco Talos: SideCopy APT Group Increasing Attacks in India and Pakistan
Researchers from Cisco Talos have “observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India.” The SideCopy advanced persistent threat (APT) group has been active since at least 2019.
Read more in
- AInSideCopy: How this APT continues to evolve its arsenal
- InSideCopy: How this APT continues to evolve its arsenal (PDF)
- India under attack by rapidly-evolving advanced persistent threat actor SideCopy, says Cisco Talos
- SideCopy cybercriminals use new custom Trojans in attacks against India’s military
Kaseya Supply Chain Attack Affects Hundreds of Organizations
On Friday, July 2, ransomware operators exploited a vulnerability in Kaseya’s update mechanism to push REvil ransomware out to the IT services company’s customers. Kaseya develops software for Managed Service Providers (MSPs), which means the attackers’ reach could extend to hundreds if not thousands of organizations. The Coop supermarket chain in Sweden closed hundreds of stores for two days because its point-of-sale systems were affected. The attackers appear to be demanding a ransom of $70 million. Kaseya says it may begin restoring SaaS on Tuesday afternoon, July 6.
- Ransomware actors have been hitting MSPs for a while now. The advantage of attacking MSPs is that they provide trusted access to multiple organizations and a bigger “bang for the buck.” Now REvil did “take it up a notch” by simultaneously exploiting software used by MSPs. The entire scope of this attack will probably take a few more days to become clear and this will be a bad return to work from a long holiday weekend for many. If you are not affected by this attack: Take half a day this week to brainstorm how similar scenarios could affect your network: Which trusted suppliers have access to your network, and what software are you using to manage your network. How are you ensuring the integrity of this software after updates? And please: Do not exempt this software from anti-malware scans. Sometimes it is better to let the software break vs having the software break you.
- Your MSP has potentially sensitive access to your IT and is using their preferred tools to support your business. When you setup that access, you probably verified the security of the tools used and the scope of permissions granted to their accounts. Are you monitoring for a change in scope? Could you detect their tool going bad? Have you walked down what would happen if you turned that off? Kaseya advises on-premise VSA users to turn systems off until a patch can be deployed. The patch is planned for release 24 hours after the SaaS service is restored. The flaws exploited appear to be Zero-day vulnerabilities rather than a supply chain attack.
- This is a worrying change in tactics for those behind ransomware attacks as they move from phishing emails to ways to infiltrate the supply chain for many vendors. It is a reminder that given the modern business reliance on third party vendors and their downstream suppliers, we need to move beyond simply checklist exercises for managing third party risk. Any vendors who deploy tools or systems into our environments need to be assessed with additional scrutiny and appropriate controls. In particular, any software that requires excessive permissions, administrator access, or to be excluded from anti-virus software, as is the case with Kaseya.
- Kaseya has a relatively small market share in the client management market, but (like system management and Solar Winds) attackers are targeting product areas where one compromise not only gives them deep access but that same access across many targets. Larger competitors to Kaseya VSA include BMC, CA, IBM Big Fix and ManageEngine – if you are using them, use this as spur to make sure you’d quickly notice if they went bad and to test resiliency plans if you had to shut them off in the event of compromise.
- With cyber criminals becoming so brazen, I wonder if / when they will begin to not only attack and ransom large corporations, but start ransoming entire countries, especially countries that don’t have the resources to retaliate.
- Caveat emptor! However, the buyer will rarely have sufficient visibility into the supply chain to adequately resist such attacks. The deeper down in the chain the supplier, the greater the potential damage. We must hold suppliers accountable for what they distribute or the services that they offer. Such accountability will include timely remedies but also consequential damages.
Read more in:
- Independence Day: REvil uses supply chain exploit to attack hundreds of businesses
- Kaseya says it’s seen no sign of supply chain attack, sets SaaS restoration target of Tuesday afternoon, on-prem fix to follow
- Kaseya ransomware attack: US launches investigation as gang demands giant $70 million payment
- Kaseya won’t release on-prem patch before SaaS restoration starts
- How REvil Ransomware Took Out Thousands of Business at Once
- Kaseya Attack Fallout: CISA, FBI Offer Guidance
- CISA, FBI share guidance for victims of Kaseya ransomware attack
New ACH Network Data Security Rule
The National Automated Clearinghouse Association (NACHA) has introduced a new security rule for ACH transactions. Organizations that process digital financial transactions must ensure that deposit data are unreadable when they are being stored electronically. The new rule, which took effect on Wednesday, June 30, applies to entities that process more than 6 million ACH transactions a year. Entities that process more than 2 million transactions a year will be subject to the rule on June 30, 2022.
- This was pushed back from 2020, so good to see NACHA making this long delayed move. Encryption is not required (truncation, tokenization, deletion are compliant) but this should provide a boost for persistent data encryption solutions, a good thing to aim for.
- In 2020, there were about 27 billion ACH payments for about $62 trillion USD. In Q1 of 2021, $17.3 trillion was processed. One accepted approach is to render the data, notably account numbers and routing numbers, unreadable via the use of tokenization. If that rings a bell, this is used by Apple, Google, and Samsung pay. The new regulations state passwords are not sufficient protection, and full-disk-encryption requires accompanying prescribed physical security measures.
- Participation in a cross-enterprise application carries responsibility. Fortunately for us, the requirements are only for things that we ought to be doing anyway.
Read more in:
- Supplementing Data Security Requirements (Phase 1)
- New data security rules instituted for US payment processing system
PrintNightmare Affects All Versions of Windows
A critical remote code execution vulnerability in the Windows Print Spooler service is being actively exploited. The flaw was accidentally disclosed last week when researchers published proof-of-concept code; they reportedly thought Microsoft had already issued a fix. Microsoft has acknowledged that “the code that contains the vulnerability is in all versions of Windows,” and it is working on a patch. Until the fix is available, Microsoft is recommending that users disable the Windows Print Spooler service or disable inbound remote printing.
- Save your network (and the environment): Turn off your print spooler. Sadly, the best way to protect yourself from exploitation is to disable printing. There are a number of other methods proposed (like limiting permissions on the directory used to store printer drivers), but it isn’t clear if they fully protect systems. For high value assets like domain controllers, turning off printing should be a no-brainer. Exploitation does require valid user credentials, and this will likely be the lateral movement and privilege escalation technique of choice years to come.
- Disable the print service with a GPO, allowing it only on defined print servers, to minimize risk of re-enablement. Don’t use a domain controller as a print server. The Print Spooler service is enabled by default.
Read more in:
- Microsoft Tries, Fails to Patch Critical Windows Vulnerability. Chaos Ensues
- Microsoft adds second CVE for PrintNightmare remote code execution
- Microsoft shares mitigations for Windows PrintNightmare zero-day bug
- Microsoft Issues New CVE for ‘PrintNightmare’ Flaw
- CISA Offers New Mitigation for PrintNightmare Bug
- Microsoft warns of Windows ‘PrintNightmare’ vulnerability that’s being actively exploited
Netgear Releases Fixes for Vulnerabilities in its DGN2200v1 Router
Netgear has released firmware updates to address a trio of vulnerabilities affecting its DGN2200v1 network router. The HTTPd authentication security could be exploited to leak data and to take control of vulnerable systems. The vulnerabilities affect DGN2200v1 running firmware versions older than v.126.96.36.199.
- These were discovered by Microsoft’s 365 Defender Research Team, formerly ReFirm Labs. Expect more disclosures as they work to expand their capabilities. If you have a Netgear router, make sure that you’re keeping the firmware updated, either via the management app, such as their Oribi, NightHawk, or Insight app (which are product specific), or by logging into the router and checking. If possible, setup automated updates in the middle of the night.
- The side channel vulnerability, while not the most serious issue, is something all developers should be looking out for. I am pretty sure that under the hood, many applications suffer from this same problem and yes, it is exploitable.
Read more in:
- Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise
- Security Advisory for Multiple HTTPd Authentication Vulnerabilities on DGN2200v1
- Microsoft reveals authentication failures, system hijack vulnerabilities in Netgear routers
- Microsoft warns of serious vulnerabilities in Netgear’s DGN2200v1 router
US and UK Cybersecurity Officials Warns of APT28 Brute Force Attacks
A joint cybersecurity advisory from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) warns of brute force cyberattacks allegedly conducted by Unit 26165 of Russia’s GRU military intelligence agency, sometimes called Fancy Bear or APT28. The attacks have targeted hundreds of organizations around the world.
- Mitigations include not only using MFA for all your externally reachable services, including cloud, but also making sure that account time-out and lockout settings are active to shutdown attempts to access accounts illicitly. Examine access to your externally facing services, and consider denying access from a-typical locations, such as TOR or other anonymizing VPNs; make sure that anomalous user detection is enabled and configured.
- Another example of how / why 2FA is becoming such a critical control in today’s world.
- Such attacks are characterized by an unusually high rate of failed logon attempts and are resisted by strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) and by raising the cost to attackers by slowing the subsequent prompts after failed attempts.
Read more in:
- Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments (PDF)
- Russian Hackers Are Trying to Brute-Force Hundreds of Networks
- Widespread Brute-Force Attacks Tied to Russia’s APT28
CISA Releases Ransomware Readiness Assessment Tool
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool to help organizations evaluate their cybersecurity posture with regard to ransomware. The Ransomware Readiness Assessment (RRA) is a new module in CISA’s Cyber Security Evaluation Tool (CSET). RRA can be used on both IT networks and industrial control system (ICS) networks.
- The RRA provides a consistent basis to evaluate your IT and OT/ICS security practices, using a graduated approach from basic controls, to advanced questions and tutorials; and includes a dashboard to track readiness/progress. Even if you think you have a solid posture and plan, (which was hard enough to do without guidance like this) it’d be a good idea to cross check with the RRA tool to see if you have gaps or missed some new data points. If you’ve been struggling to create your plan and assess your ransomware preparedness, this is the answer you’re looking for.
- I have looked at this tool and it is a very good start for organizations to determine how prepared they are against ransomware attacks. Another freely and useful resource is the Europol sponsored NoMoreRansom website www.nomoreransom.org which has lots of information in various languages on how to prevent and deal with ransomware.
- Ransomware requires a compromise of the target network. It is only one of many bad things that can happen to you after a breach. However, extortion has been so profitable and with so little risk that it has resulted in an increased rate of attacks and breaches. Resist breaches. Employ strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) and end-to-end application-layer encryption or structured networks.
Read more in:
- CISA’s CSET Tool Sets Sights on Ransomware Threat
- Ransomware Readiness Assessment CSET v10.3
- Ransomware: This new free tool lets you test if your cybersecurity is strong enough to stop an attack
- CISA Tool Helps Measure Readiness to Thwart Ransomware
Europol: Coordinated Action Takes Down VPN Service Used by Criminals
On June 29, 2021, law enforcement and judicial authorities in Europe, the US, and Canada “seized the web domains and server infrastructure of DoubleVPN” a VPN service frequently used by criminals.
Read more in:
- Coordinated Action Cuts Off Access to VPN Service Used by Ransomware Groups
- Authorities Seize DoubleVPN Service Used by Cybercriminals
- This VPN service used by ransomware gangs was just taken down by police
- International cops seize DoubleVPN, a service allegedly meant to shield ransomware attacks from investigators
- Multinational Police Raid Seizes DoubleVPN Servers
QNAP Fixes Vulnerability Affecting NAS Devices
QNAP has released updates to address an improper access control vulnerability in its Hybrid Backup Sync 3 (HBS 3), the company’s disaster recovery and backup application. The issue is fixed in QTS 4.3.6: HBS v3.0.210507 and later; QTS 4.3.4: HBS v3.0.210506 and later; and QTS 4.3.3: HBS v3.0.210506 and later.
- Don’t expose NAS devices to the Internet. Login to your QNAP device, update the OS and all loaded applications, remove/uninstall unused applications.
Read more in:
- Improper Access Control Vulnerability in HBS 3 (Hybrid Backup Sync)
- QNAP fixes critical bug in NAS backup, disaster recovery app
Windows Update Bug Preventing Azure Virtual Desktop Updates
A bug in Windows Updater is preventing Azure Virtual Desktop devices from downloading and installing security updates released after May 2021. Microsoft is investigating the issue; the company is “working on a resolution and will provide an update in an upcoming release.” Microsoft has provided two workarounds.
Read more in:
- Azure Virtual Desktops may not be able to update via Windows Server Update Services
- Windows Update bug blocks Azure Virtual Desktops security updates
Microsoft Releases Updates for PowerShell 7.0 and 7.1
Microsoft has released updated versions of PowerShell 7.0 and 7.1 to address a .NET Core remote execution vulnerability. Azure users are urged to update to the most recent versions: 7.0.6 and 7.1.3. The issue does not affect PowerShell 5.1.
Read more in:
- Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability
- Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
- Microsoft warns of critical PowerShell 7 code execution vulnerability
Google Renews Nest Security Commitments
Google has committed to providing “critical bug fixes and patches” for its Nest smart home products for a minimum of five years. The company’s privacy commitments include validating Google Nest devices using an independent security standard, using verified boot to protect devices, and making it easier for users to see which devices are connected to their accounts.
- Google is providing updates and fixes five years from product launch, not your purchase date. Keep an eye on their support page, particularly for things like your Nest Thermostat and safety/security devices (Hello, Cameras, Locks, Protect) which are easily overlooked and forgotten. support.google.com: Google’s connected home devices and services
- Google and Nest have been using Internet of Secure Things Alliance standards and certifications which started up in 2018 or so and now has six authorized testing labs, a strong list of alliance members and certificated products, and Amazon, Facebook, Google, Honeywell and Silicon Labs on their board of directors. This critical mass makes it a usable standard to spec in procurements and RFPs.
- Technical controls are key to securing smart home devices like these, but so is making them easy for people to use / secure. Having the best technical standards in the world does little if the interface is confusing and people have no idea how to change the default password or enable automatic updating.