Cybersecurity News Headlines Update on September 29, 2021

Business Email Compromise Scheme Charges

US federal prosecutors are charging four people with conspiracy to commit wire fraud for their roles in a business email compromise (BEC) scheme. The individuals allegedly used phishing and social engineering to access targeted organizations’ networks and email services to conduct fraud.

Note

  • The techniques used by this group point out the three key issues: (1) On the front end, reusable passwords enabled phishing attacks that gave the attackers internal access; (2) once in, they were able to operate unnoticed for long periods of time; and (3) the processes for disbursing funds had no final “out of band” check that would have required a phone call or actual old-fashioned face-to-face check before giving away large sums of money. That final one is largely outside the control of IT security, but requiring strong authentication for privileged users and reducing time to detect are clearly essential security hygiene issues. Good to see the bad guys prosecuted; better to see them unsuccessful in the first place.
  • Multi-factor authentication for email and all other externally facing services is more important than ever. Stolen reusable credential use has to stop being viable. Don’t just consider what a given service does, and the risk of exposure of that service; consider what else can be done with the credentials if captured. Make sure that your CFO has adequate controls on financial transactions to not only vet changes of account or process, but also be sure that validation is out-of-band and all parties verified. As cyber security professionals you may not be involved in these business processes; consider leveraging your contacts to get the right people in a meeting to present the concern. Don’t forget to invite your contacts to participate.
  • Ransomware gets all the media attention, yet BEC / CEO fraud is most likely a far costlier threat in dollar terms. The FBI reported over $1.8 billion in reported losses in 2020 alone. BEC is purely a financial attack, so technically it is not a breach, which means no one reports it. While ransomware impacts an entire organization and quickly becomes public, BEC only impacts accounts payable, so quite often most of the company will be in the dark if compromised. The key to protecting against BEC is ensuring your workforce knows and understands your processes and feels safe and comfortable following them, even if someone claiming to be the CEO is screaming at them to process a payment right away.
  • In addition to the recommendations above, employ multi-party controls. For example, separate the privilege of setting up payees or making changes to them (e.g., name and address, destination accounts) from that of issuing payments. In addition, require two parties to approve large (e.g., above the 90th percentile) or non-routine payments. Such controls resist both errors of omission and fraud.
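
The multi-party controls described in the note above, worked through as an added example (this is illustrative code written for this page, not from any real payment system or from the editors): one rule enforces separation of duties between whoever set up a payee record and whoever issues a payment to it, and a second rule demands two independent approvers for payments that are either above the 90th percentile of historical amounts or to a payee not yet on the vetted master list. The roles, thresholds and sample transactions are constructed assumptions.

```python
"""Multi-party payment controls: separation of duties plus dual approval.

Constructed illustration; the payees, users and amounts are made up.
"""
from dataclasses import dataclass, field
from statistics import quantiles


@dataclass(frozen=True)
class Payee:
    name: str
    account: str
    created_by: str  # user who set up or last changed the payee record


@dataclass
class Payment:
    payee: Payee
    amount: float
    initiated_by: str
    approvals: set = field(default_factory=set)  # users who approved release


class PaymentControls:
    def __init__(self, history, percentile=90):
        # "Large" means above the given percentile of prior payment amounts
        # (the note's example uses the 90th percentile). quantiles(n=100)
        # returns 99 cut points; index percentile-1 is the wanted one.
        cuts = quantiles(sorted(history), n=100)
        self.large_threshold = cuts[percentile - 1]

    def violations(self, payment, known_payees):
        """Return a list of control violations; an empty list means release is allowed."""
        problems = []
        # Rule 1: separation of duties. The person who created or changed the
        # payee record must not be the one issuing a payment to it.
        if payment.payee.created_by == payment.initiated_by:
            problems.append("initiator also set up or changed the payee record")
        # Rule 2: large or non-routine payments need two approvers who are
        # not the initiator. "Non-routine" here means a payee whose account
        # is not on the vetted master list.
        vetted_accounts = {p.account for p in known_payees}
        non_routine = payment.payee.account not in vetted_accounts
        large = payment.amount > self.large_threshold
        independent = payment.approvals - {payment.initiated_by}
        if (large or non_routine) and len(independent) < 2:
            why = "large" if large else "non-routine"
            problems.append(
                f"{why} payment needs two independent approvals, has {len(independent)}"
            )
        return problems


def demo():
    """Run the controls over a few constructed payments and return the results."""
    history = [100 * i for i in range(1, 101)]  # constructed: 100 .. 10,000
    controls = PaymentControls(history)
    vendor = Payee("Acme Supplies", "ACC-001", created_by="alice")
    master_list = [vendor]
    routine = Payment(vendor, 500.0, initiated_by="bob")
    self_dealing = Payment(vendor, 500.0, initiated_by="alice")
    big = Payment(vendor, 9500.0, initiated_by="bob", approvals={"bob", "carol"})
    return {
        "threshold": controls.large_threshold,
        "routine": controls.violations(routine, master_list),
        "self_dealing": controls.violations(self_dealing, master_list),
        "big_one_approver": controls.violations(big, master_list),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the initiator's own approval is discarded before counting, so a user cannot satisfy the two-party rule by approving their own request; that is the property the control is meant to give.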

Read more in

CISA TIC Office Draft IPv6 Transition Guidance

Draft guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connection (TIC) program office is designed to help agencies make the transition to IPv6 securely. The document “is not intended to be prescriptive but rather facilitate decision-making in determining the appropriate level of security in IPv6 environments.” Comments will be accepted through October 15.

Note

  • Some good points in this document. If you are considering implementing IPv6, take a look and consider following the guidance provided. IPv6 is having a hard time right now due to half-baked implementations by ISPs that solve very specific problems for the ISP and increase adoption rates, without unleashing the full potential of IPv6 to the user. IPv6 done right can improve security and allow for new endpoint-focused architectures in line with many modern enterprise security trends.
  • The guidance is for networks where IPv6 is deployed rather than dual-stacked environments and provides a point-by-point comparison of TIC 3.0 security objectives and capabilities when considered from an IPv6 perspective. If your agency is using a TIC and following OMB M-21-07, which requires an 80% cutover to IPv6 by the end of FY2025 (9/30/25), these considerations are important to factor into your architecture and planning.

Read more in

CISA Warns of VMware Vulnerability Being Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that “Security researchers are … reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.” CISA is urging users to update to a patched version.

Note

  • As previously reported there are no completely effective workarounds to this vulnerability. Apply the update. Also make sure that your management interfaces to your vCenter infrastructure are limited to authorized devices and users only. Don’t expose management and/or console services to the Internet.

Read more in

IT-ISAC’s Food and Agriculture Special Interest Group

Recent ransomware attacks targeting food chain and agricultural organizations like New Cooperative, Crystal Valley, and JBS have highlighted the need for threat information sharing in that sector. The Information Technology Information Sharing and Analysis Center (IT-ISAC)’s Food and Agriculture Special Interest Group has been monitoring the attacks.

Note

  • Sharing incidents, preparedness and response information with your peers is moving beyond a good idea to a critical survival technique. Even if you have an organization such as IT-ISAC or CISA in your sector, leverage the relationships in your C-Suite to create relationships with peer businesses.
  • Be sure to join and support your industry ISAC(s).

Read more in

QNAP Releases Fixes for QVR Video Management System

QNAP has fixed three vulnerabilities in its QVR video management system. Two of the vulnerabilities are rated critical. Those flaws affect some products running QVR that have reached end-of-life (EoL) but because they are still widely used, QNAP issued fixes for them.

Note

  • Network storage devices are a great prize for ransomware. Do take these vulnerabilities seriously, and while painful in some cases, expedite patching. Also consider other mitigating controls. For example, uninstall all unneeded features; these devices often come with various software packages that you may never use. And never expose any admin controls to the public internet.
  • If you have an affected product, update the firmware immediately, then start the project to replace it. I know they still work; the problem is these are EOL devices so you cannot expect ongoing vulnerability discovery and resolution. Recovery from a compromise of either content or the network will quickly outstrip the replacement cost.

Read more in

Chrome Update

Google has updated the Chrome stable channel to version 94.0.4604.61 for Windows, macOS, and Linux to fix a high-severity flaw that is being actively exploited. The vulnerability is a use after free issue affecting the Portals web page navigation system for Chrome.

Note

  • Memory management issues such as use after free can be tricky to detect in the software development cycle. Make sure that your Chromium browsers are also updated – Brave, Edge, etc.

Read more in

SonicWall Releases Fixes for Critical File Delete Vulnerability

SonicWall has released updates to address a critical vulnerability affecting Secure Mobile Access (SMA) 100 series appliances. The flaw could be exploited to remotely obtain administrator access on vulnerable devices. The issue is fixed in 10.2.1.1-19sv and later, 10.2.0.7-34sv and later, and 9.0.0.10-28sv and later. There are no workarounds available.

Note

  • This vulnerability includes path traversal flaws and arbitrary file deletion which can be leveraged to cause the device to reboot to factory default settings. SonicWall reports there are no workarounds for the vulnerability, so applying the update expeditiously is warranted.
  • I am not ready yet to say that each network perimeter security device needs a security device protecting it. But let’s start by removing access from admin interfaces, please?

Read more in

FCC Rules for Huawei and ZTE Equipment Replacement Reimbursement

The US Federal Communications Commission (FCC) has published rules for certain carriers to apply for funds to pay for ripping out and replacing Huawei and ZTE network equipment and services. The rules apply to small carriers, as well as schools, libraries, and health care organizations that provide broadband services.

Note

  • This has been in the works since the FCC designation of ZTE and Huawei as national security threats in July of 2020. The reimbursements have both company size and date constraints. Carriers must have less than 10 million customers, and funds may only be applied to replacement costs for Huawei and ZTE equipment purchased before June 30, 2020 and replacement costs incurred after April 17, 2018. The costs may also be extended to replacement of towers and travel expenses directly related to the replacement activities. If you think you’re eligible, don’t hesitate: apply.

Read more in

US Treasury Dept. Sanctions Cryptocurrency Exchange Over Ransomware Transactions

The US Treasury has sanctioned a cryptocurrency exchange for handling transactions for ransomware operators. Suex is registered as a business in the Czech Republic but operates through offices in Russia. According to the Treasury Dept., “Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors.” The sanctions include freezing Suex’s US assets and prohibiting companies doing business in the US from conducting transactions through Suex.

Note

  • It is hard to find trustable statistics, but it appears that overall, less than 2% of transactions using “cryptocurrencies” are criminal in nature. Most of the transactions are investor trading, which is a different thing to worry about. But there should be global pressure and sanctions on exchanges that are enabling any criminal transactions.
  • With OFAC sanctions in place, there are significant consequences for using their services in the U.S., which means that if you’re deciding to pay a ransomware demand via Suex, you and your financial institution (FI) would be subject to sanctions or other enforcement actions, both of which are deal breakers for the FI.
  • This is an interesting way to undermine the payment flow these criminal gangs rely on. It also illustrates that tackling cybercrime needs a cohesive and wide-ranging approach and not technical controls by themselves. In theory, this may be an effective way to undermine the payment flow these criminal gangs rely on and hopefully won’t turn into a “whack-a-mole” type operation.
  • I welcome the U.S. government stepping up their defense against ransomware by classifying it as a criminal, economic, and national-security threat. Cryptocurrency leverages blockchain which means we can trace transactions and they can’t be removed or hidden after they occur. Don’t let the government do all the work for you though; test, measure, and improve your ability to detect and respond to threats before impact.
  • To me this seems a far more effective approach than punishing victim companies that pay a ransom. Interesting to see US Treasury targeted SUEX as over 40% of its transactions were ransomware-related. This will obviously not stop ransomware attacks, but is a step in the right direction, targeting financial exchanges heavily involved in supporting criminal activities.
  • Chainalysis and Treasury cooperated to produce a report on this effort: blog.chainalysis.com: Chainalysis in Action: OFAC Sanctions Russian Cryptocurrency OTC Suex that Received Over $160 million from Ransomware Attackers, Scammers, and Darknet Markets

Read more in

VMware Releases 19 Fixes

VMware disclosed 19 vulnerabilities in its products and released fixes for the issues. One is a critical arbitrary file upload flaw in vCenter Server Analytics service. VMware has also offered a workaround for users who can’t patch right away, but notes that “patching … carries less technical debt and less risk than using a workaround.” Malicious actors are already scanning for servers vulnerable to the flaw.

Note

  • VMware sent a security alert to their security advisories mailing list. If you’re a vCenter Server user and not subscribed to that list, you can sign up on the VMware Security Advisories page (www.vmware.com/security/advisories.html). This vulnerability applies to versions 6.5, 6.7, and 7.0 of vCenter, and can be partly mitigated through perimeter protections, such as limiting access to ESXi, vCenter Server and vSphere management interfaces to only vSphere admins, from trusted locations. The full fix is to apply the update. Disabling the CEIP service, or not enabling it in the first place, is not an effective mitigation.
  • The vCenter file upload / code execution vulnerability should be easy to exploit and fits well into the current ransomware playbook. Needless to say: Do not expose vCenter to the Internet. It is like leaving your datacenter door unlocked. This vulnerability adds the “Free Servers” sign to the door.
  • VMware infrastructure should be in a separate management segment of the network. It should not be exposed to internal users and much less the Internet.

Read more in

Apple Issues Patches for 0-day Flaws in Older Versions of macOS and iOS

Apple has released fixes for vulnerabilities in macOS Catalina and iOS that are being actively exploited. The Security Update 2021-006 for Catalina addresses a vulnerability that could be exploited to execute arbitrary code with kernel privileges. iOS 12.5.5 addresses three vulnerabilities that could be exploited to execute arbitrary code.

Note

  • While Apple has extended support for older operating systems, e.g., iOS 12.5, you should actively work to migrate to hardware which supports the newest versions which are going to have the greatest attention.

Read more in

Port of Houston Fends Off Cyberattack

The Port of Houston (Texas) Authority says it successfully fended off a cyberattack last month. The attack involved the ManageEngine ADSelfService Plus password management and single sign-on solution. A September 16 joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and United States Coast Guard Cyber Command (CGCYBER) warned of a vulnerability in ManageEngine ADSelfService Plus.

Note

  • Always good to see stories of “pilot lands plane safely” vs. only hear about crashes. Not much detail yet on what the Port of Houston did right, but kudos to them for being able to issue a very short and positive press release that ended with a resounding microphone drop: “Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”
  • This is not the first time ports have been the target of cyber attacks, and as our physical infrastructure continues to be more reliant and dependent on IT, these attacks will continue as criminals and nation state actors look to achieve their goals. In 2013, Europol reported hackers had breached the shipping systems in the Belgian port of Antwerp to enable their drug smuggling activity (www.bbc.com: Police warning after drug traffickers’ cyber-attack).
  • This is outstanding. While details have not been published, other than a point of contact, it will be worthwhile looking at what the port did to defend itself to see if those are actions you could apply to improve your cyber posture.

Read more in

Senate Committee Drafting Legislation That Would Update FISMA

Members of the US Senate Homeland Security and Governmental Affairs Committee are drafting legislation that would clarify the role of the Cybersecurity and Infrastructure Security Agency (CISA) in helping agencies improve their cybersecurity postures. The draft legislation would also update the federal Information Security Modernization Act (FISMA) to reflect the evolving cyber threat environment.

Note

  • FISMA and related rules/regulation on how government agencies protect government information and systems (including government use of privately owned infrastructure) are badly needed. However, most of the talk here is once again around requiring more reporting from industry to government vs. anything to drive critical government systems to reach essential levels of security hygiene and protection.
  • While increased reporting helps with visibility, what is needed is relevant security standards. Too often security controls are written from a perspective of what is possible with Windows systems in an office environment. The mission and scope of government systems ranges from office computing to leading edge research and critical systems. Guidance needs to be simplified and focused on core controls which can be broadly applied without having to spend lots of time tailoring/researching and applying overlays to determine what is intended and how they are applied. A greater percentage of controls need to be technical, which enables them to be both monitored and implemented with automation while not preventing systems from completing their intended mission objectives.
  • One of the biggest challenges we have in the US is there are so many different departments and agencies involved in leading cybersecurity efforts. According to this report, the focus of updating FISMA would be to codify CISA as the central department in leading those efforts. While CISA is relatively new and huge / broad in scope, I like what I have seen in their efforts publishing resources supporting organizations.

Read more in

Apple Deprecating TLS 1.0 and 1.1

Apple has deprecated the Transport Layer Security (TLS) 1.0 and 1.1 protocols in recent versions of macOS and iOS. TLS 1.0 dates back to 1999; TLS 1.1 dates back to 2006. The Internet Engineering Task Force (IETF) approved TLS 1.3 in March 2018. Apple plans to remove support for the older versions of TLS in future releases.

Note

  • TLS 1.0/1.1 are broken and exploits are not terribly complex. But removing these old protocols doesn’t always improve security. For some older devices, the only option may be to switch to completely unencrypted communication. Network monitoring can be used to identify the use of weak TLS versions. Once you have an inventory of these legacy devices, you may come up with a plan to either replace them, or mitigate the vulnerability via other means such as network segmentation or the use of VPN appliances.
  • Apple’s move here should surprise no one. TLS 1 and 1.1 are aged protocols, and while most known attacks are somewhat esoteric, reasonable successors have hit the mainstream at this point. Businesses need to prepare for these deprecations; as always, make sure your mission critical systems are running current operating systems, as older and end of life OSes will often not support TLS 1.2 or 1.3. Do not assume your business won’t be impacted and start testing and migration plans now.
  • You should have moved to TLS 1.2 by now. It is widely supported and your security tools will continue to function. Use third-party reporting and testing services, such as SSL Labs, to verify your services are indeed using secure protocols and algorithms. Test TLS 1.3 before widely deploying as it has been known to break some security tools, such as web proxies which operate as a MITM.
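
The first note above suggests using network monitoring to inventory devices still negotiating TLS 1.0/1.1. As an added example (written for this page, not from the editors or from Apple), the parser below reads a TLS ServerHello record and reports the negotiated version, flagging the deprecated ones. It handles the one wrinkle that trips up naive checks: a TLS 1.3 ServerHello carries 0x0303 (TLS 1.2) in its legacy version field and states the real version in the supported_versions extension (type 0x002B). The records it is run against are constructed in the block, not captured traffic.

```python
"""Classify the TLS version a server negotiated from its ServerHello.

Constructed example; build_server_hello() fabricates minimal records so
the parser can be exercised offline. Real captures would come from a
packet capture or a monitoring sensor.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
DEPRECATED = {0x0300, 0x0301, 0x0302}
HANDSHAKE, SERVER_HELLO = 0x16, 0x02
SUPPORTED_VERSIONS_EXT = 0x002B


def negotiated_version(record: bytes) -> int:
    """Return the version code the server selected in this ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    # Fixed part: version(2) random(32) session_id_len(1) cipher(2) compression(1)
    if len(sh) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", sh[0:2])[0]  # legacy_version for TLS 1.3
    pos = 2 + 32
    sid_len = sh[pos]
    pos += 1 + sid_len + 2 + 1
    if pos + 2 <= len(sh):  # extensions are optional
        ext_len = struct.unpack("!H", sh[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(sh))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
            pos += 4
            # In a ServerHello, supported_versions holds one 2-byte selected version.
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", sh[pos:pos + 2])[0]
            pos += elen
    return version


def classify(record: bytes):
    """Return (human-readable version, True if it is a deprecated version)."""
    code = negotiated_version(record)
    return VERSION_NAMES.get(code, f"unknown 0x{code:04x}"), code in DEPRECATED


def build_server_hello(legacy_version: int, selected_version: int = None) -> bytes:
    """Fabricate a minimal ServerHello record (constructed test data only)."""
    ext = b""
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
    sh = struct.pack("!H", legacy_version) + bytes(32)  # zero random, fine for a test
    sh += b"\x00"            # empty session id
    sh += b"\xc0\x2f"        # cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    sh += b"\x00"            # null compression
    if ext:
        sh += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(sh).to_bytes(3, "big") + sh
    return bytes([HANDSHAKE]) + struct.pack("!H", legacy_version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = {
        "legacy printer": build_server_hello(0x0301),
        "old appliance": build_server_hello(0x0302),
        "web server (1.2)": build_server_hello(0x0303),
        "web server (1.3)": build_server_hello(0x0303, 0x0304),
    }
    for name, rec in samples.items():
        version, weak = classify(rec)
        print(f"{name:18s} {version:8s} {'DEPRECATED' if weak else 'ok'}")
```

A sensor that only looks at the legacy version field would report every TLS 1.3 server as TLS 1.2, which overstates the inventory problem; checking the extension first keeps the list of devices to replace or segment accurate.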

Read more in

Another Farm Co-op Hit with Ransomware

A Minnesota Farm Co-op is the second such organization to be hit with ransomware in less than a week. Crystal Valley said in a statement that it was alerted to the attack on Sunday, September 19. The attack rendered Crystal Valley’s payment system inoperable.

Note

  • Don’t depend on a critical infrastructure designation to prevent attacks. Make sure you have good cyber hygiene, your users are diligent, and you leverage resources, such as the CISA, for both guidance and resources to achieve those ends.

Read more in

Wisconsin Law Requires Insurance Companies to Protect Data

A new law in Wisconsin will require insurance companies to protect customers’ personal information, including health data. Insurance companies will have to conduct risk assessments, establish information security programs, and work with third parties to ensure data security. The law takes effect on November 1, 2021.

Note

  • The legislation attempts to create a common standard for information protection, incident response, and breach notification. Regardless of regulatory requirements, you should assess your protection of sensitive company and customer data regularly to ensure you don’t have gaps, and verify that your notification and response plans are both current and tested. Don’t wait for the attackers or auditors to discover a gap in your plan.
  • If your industry isn’t already subject to data security regulations, it will be. Start looking at the “common sense” practices being called for across many of these different bills and start preparing your business for them now. The runway to implement given by these laws is not always generous. Also, pointing out these types of bills to your senior leaders may help get the funding to plan for this work in advance.
  • Unlike banking, and though engaged in interstate commerce, insurance companies are regulated by the states.

Read more in

Lithuanian Smartphone Audit Warns on Chinese Smartphones

A recent report from Lithuania’s National Cyber Security Center (NCSC) examined three Chinese-made smartphones. NCSC found security and privacy issues with Xiaomi’s 10T 5G and Huawei’s P40 5G. The NCSC’s “assessment analyses 4 cybersecurity risks related to the general security of factory-installed applications in the devices, threats of leakage of personal data, and restrictions on freedom of expression.”

Read more in

Google is Expanding Android Permissions Auto-Reset to Millions of Devices

Android’s permission auto-reset feature automatically resets apps’ runtime permissions after they have not been used for several months. The feature was introduced in Android 11, which was released a year ago. Google says it plans to expand availability of the feature to devices running Android 6 and above starting in December 2021.

Note

  • Android is providing users with a relatively fine-grained system to assign permissions to applications. But these permissions are often confusing, and consumers often do not understand why an application needs certain permissions or how they could be abused. The result is that consumers will often just click “ok”. Resetting the permissions is an interesting and maybe a bit radical approach to force users to “start over”. Let’s hope this doesn’t lead to a flood of popup messages as applications are asking to have their permissions back.
  • Notice there haven’t been many stories of negative user experiences since Google rolled this out in Android 11. Imagine if the Windows operating system had more “reset to least privilege access” features baked in.
  • This is a good measure as we continue to run into issues with over-permissioned applications. Additionally, review your installed applications, uninstalling those you are not, or no longer, using. If you created accounts for those applications, be sure to also close those out.

Read more in

NIST IoT Cybersecurity Labeling

The US National Institute of Standards and Technology (NIST) held the “Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software” last week. The Biden administration’s National Cybersecurity Executive Order mandates a labeling program for devices and applications that will provide information for consumers and small businesses to help them make decisions about technology purchases.

Note

  • A number of countries have put forward labeling schemes like this. It is the goal of these programs to make it easy for consumers to make informed decisions about the security features of a particular device. Akin to a nutrition label or restaurant health inspection grades, the information should be easy to comprehend and will hopefully lead to companies proactively improving the security of their devices to obtain a better rating. But to work, a significant number of manufacturers need to participate.
  • I think it took the FDA about 20 years to go from the original push for nutrition labels for food to get to the point where testing of products could be done in standard manners by industry and audited to some level by the FDA. Labeling schemes without defined testing requirements are useless.
  • There has been legislation proposed to require federal agencies to purchase IoT devices which meet security standards. Labelling needs to not only indicate the standards met, but also include information on verification. The current plan allows companies to self-attest to their security to expedite the process. Without independent verification against published standards, you cannot be sure the level of security is where you need it to be. Trust but verify.

Read more in

FERC Wants Input on Updating Energy Utility Cybersecurity Requirements

The US Federal Energy Regulatory Commission (FERC) is seeking input regarding existing security requirements for companies that supply bulk electrical systems. The standards and requirements have existed for more than a decade. FERC is accepting public input through October 14, 2021.

Note

  • Comments are being solicited around the cost/benefit of the CIP Reliability Standards reporting requirements, not on the security requirements themselves. In 2018 and 2019 FERC expanded incident reporting requirements, on top of previous reporting and documentation requirements. Good opportunity for the industry to suggest ways to streamline the reporting flow to reduce the time spent.

Read more in

Ransomware Vulnerabilities List

Researchers have begun compiling a list of vulnerabilities commonly exploited by different strains of ransomware to gain initial access to systems. The vulnerabilities are broken down by vendor and enumerated by their CVE IDs.

Note

  • A core part of the message here is that unmitigated or unpatched vulnerabilities are key to successful ransomware attacks. Leverage the CISA ransomware self-assessment security audit tool (released in June) as well as the information on response and prevention on the stopransomware.gov site to make sure that you’re well positioned for a ransomware attack.
  • Patch management is a prevention goal, especially for vulnerabilities being exploited in the wild. Unfortunately, 0-days will not have patches and the ability to detect and respond to the inevitable breach is now a requirement for all organizations.

Read more in

Ransomware Attack Hits Iowa Farmers’ Co-op

An Iowa-based farmers’ cooperative has acknowledged that its network was the victim of a ransomware attack. New Cooperative, Inc. has taken its “systems offline to contain the threat.” The attack occurred late last week; the ransomware operators are reportedly demanding a $5.9 million payment. New Cooperative is finding alternate methods of ensuring that feed gets to animals. One source said that if the incident is not mitigated quickly, it could result in a “disruption in the grain, pork and chicken supply chain.”

Note

  • Earlier this year Biden asked Russia to steer clear of 16 critical sectors of the U.S. Economy. Among those is “food and agriculture.” The BlackMatter group, which is behind the Iowa attack, is claiming that the volume of production from their victims doesn’t meet the definition of critical. While ransomware groups may have their own code of “ethics” regarding what is and is not “off-limits,” don’t assume they are on the same page. Operate on a model that everything is fair game and protect your systems accordingly.
  • Poke a nation in the eye enough times, and your fortunes might just change… “Even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity,’ But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.” -GEN Paul Nakasone, Director of NSA and commander, USCYBERCOM

Read more in

TTEC Discloses Ransomware Attack

Customer support and sales management company TTEC has confirmed that it experienced a ransomware attack earlier this month. TTEC issued a statement saying that “as a result of the incident, some of our data was encrypted and business activities at several facilities have been temporarily disrupted.” The company is working on restoring affected systems.

Note

  • TTEC provides customer support to large companies such as Verizon, Bank of America, Best Buy, Credit Karma, USAA, Dish Network and Kaiser Permanente. In this scenario there are two challenges: first, providing alternate customer service, or accepting long wait times; second verifying what data is stored with the service provider and of that data, what has been released or lost. Engage your legal team to understand what third-party liability clauses are in play and examine impacts on your service level agreements to your customers. Work closely with your provider to understand their service level and anticipated recovery plan.

Read more in

Security.txt Files Provide Information About Vulnerability Disclosure

Some companies have adopted a proposed Internet standard that provides researchers with information about vulnerability disclosure. A Security.txt file will usually list links to vulnerability disclosure policies and a contact email address. Some also include bug bounty program information and public encryption keys.

Note

  • This is a very simple and cheap (free) way to provide current contact information to security researchers. You certainly should take advantage of this standard. For a description of various “well-known” files like security.txt, see isc.sans.edu: Not Everything About “.well-known” is Well Known. Unless of course you would rather not know about any security issues with your website/network.
  • While standards are still solidifying, it’s a good idea to implement this file, particularly if you’ve got a bug bounty program. Put it at the top of your web sites or a known location such as /.well-known/ (see RFC 8615). Consider digitally signing your security.txt file. Make sure that the identified accounts are both monitored and have junk/spam filters enabled. More on the standard can be found on the securitytxt.org web site (securitytxt.org).
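
Following the two notes above, here is an added example (written for this page; not code from the editors, securitytxt.org, or any project) of a small validator a defender could run against their own published security.txt: it parses the field/value lines, tolerates a PGP clear-signed wrapper, and then checks the points the notes raise, i.e. a reachable Contact URI, an Expires date that is neither past nor too far out, the /.well-known/ location over HTTPS, a Canonical entry matching where it is served, and whether the file is signed. It assumes Contact and Expires are the two required fields, as in the draft that became the published standard; the sample file is constructed for this example.

```python
"""Validate a security.txt file against the checks a defender cares about.

Constructed example; SAMPLE is a made-up file for a fictional example.com.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Encryption", "Acknowledgments", "Policy", "Hiring",
                    "Preferred-Languages", "Canonical"}
CONTACT_SCHEMES = {"mailto", "tel", "https"}

SAMPLE = """\
# Constructed example security.txt (not any real organization's file)
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2022-03-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Policy: https://example.com/vdp
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""


def parse_security_txt(text: str):
    """Return ({field: [values]}, signed) from security.txt content."""
    fields = {}
    lines = text.splitlines()
    signed = bool(lines) and lines[0].strip() == "-----BEGIN PGP SIGNED MESSAGE-----"
    in_armor_header = signed  # "Hash: ..." lines until the first blank line
    for raw in lines:
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            break  # signature block carries no fields
        if in_armor_header:
            if line == "":
                in_armor_header = False
            continue
        if not line or line.startswith("#") or line.startswith("-----") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, signed


def validate(text: str, served_at: str, now: datetime):
    """Return (problems, advice): hard failures and softer recommendations."""
    fields, signed = parse_security_txt(text)
    problems, advice = [], []
    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field {name}")
    for value in fields.get("Contact", []):
        if urlparse(value).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {value}")
    for value in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}")
        elif (expires - now).days > 365:
            advice.append("Expires is more than a year out; refresh the file more often")
    served = urlparse(served_at)
    if served.scheme != "https" or served.path != "/.well-known/security.txt":
        problems.append("should be served over HTTPS from /.well-known/security.txt")
    canonical = fields.get("Canonical", [])
    if canonical and served_at not in canonical:
        problems.append(f"Canonical {canonical} does not list where the file is served")
    for name in sorted(fields.keys() - KNOWN):
        advice.append(f"unknown field {name} will be ignored by parsers")
    if not signed:
        advice.append("file is not PGP clear-signed; consider signing it")
    return problems, advice


if __name__ == "__main__":
    now = datetime(2021, 9, 29, tzinfo=timezone.utc)  # publication date of this issue
    for label, text, url in [
        ("sample", SAMPLE, "https://example.com/.well-known/security.txt"),
        ("bare", "Contact: security@example.com\n", "http://example.com/security.txt"),
    ]:
        problems, advice = validate(text, url, now)
        print(label, "problems:", problems, "advice:", advice)
```

Monitoring the mailbox named in Contact matters as much as the file itself; this check cannot see that, so pair it with the mailbox monitoring the note calls for.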

Read more in

DHS OIG: CISA Needs to Update Dam and Levee Security Plans

A report from the US Department of Homeland Security Office of Inspector General (DHS OIG) says that the Cybersecurity and Infrastructure Security Agency (CISA) must update both cyber and physical security plans for the country’s dams and levees. DHS OIG made several recommendations, including updating the Dams Sector-Specific Plan to align with the emerging National Infrastructure Protection Plan; strengthening coordination with the Federal Emergency Management Agency (FEMA); and developing and implementing a strategy for Dams Sector stakeholders to use the Homeland Security Information Network Critical Infrastructure (HSIN-CI) Dams Portal to its fullest potential.

Note

  • If you have critical infrastructure, make sure that your plans are updated, to include information sharing, incident response and physical protections. The recommendations in the report can be leveraged to make sure you’re properly prepared. Make sure that you’ve established relationships with organizations such as the CISA and FBI well before you need them; don’t forget to maintain those relationships. You don’t want to find out that your contact has left or number changed in the midst of an incident.

Read more in

Dept. of Commerce Seeking Comment on Supply Chain Draft Report

The US Department of Commerce’s Bureau of Industry and Security is seeking feedback regarding the content of “a report on supply chains for critical sectors and subsectors of the information and communications technology (ICT) industrial base.” Commerce is producing the report to comply with Presidential Executive Order 14017. Comments are being accepted through November 4, 2021.

Read more in

Guilty Verdict in DDoS for Hire Services Case

A federal jury in Los Angeles found Matthew Gatrel guilty of three felonies for running two distributed denial-of-service (DDoS) for hire services. Gatrel was found guilty on charges of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. A co-conspirator pleaded guilty to criminal charges several weeks ago.

Read more in

SEC Wants Security Incident Data from Organizations That Used SolarWinds Software

As part of an investigation, the US Securities and Exchange Commission is asking organizations that downloaded SolarWinds software to submit records related to any security incidents dating back to 2019. Some organizations have expressed concern that by submitting previously undisclosed information to the SEC, they are opening themselves to liability.

Note

  • This is a needed investigation, very little risk to companies that provide information given existing requirements to publicly disclose incidents with material impact.
  • What we have been missing in cybersecurity is a body similar to the US National Transportation Safety Board (NTSB), which investigates root causes in aviation accidents, to investigate and share the root causes and potential remedial actions in relation to cybersecurity incidents. However, a body that has the potential to sanction a firm over other regulatory issues is not the body to do this.

Read more in

It’s Time to Update Everything

Recent updates from Apple, Google, and Microsoft include patches for vulnerabilities that are being actively exploited. Among the vulnerabilities Apple has fixed is a chain of exploits known as ForcedEntry, which has been used to install spyware without user interaction. Microsoft’s updates include a fix for the MSHTML rendering engine that can be exploited to execute arbitrary code. And Google’s update for Chrome includes fixes for two vulnerabilities that are being actively exploited.

Note

  • It isn’t easy to find good data around the impact of software updates these days but browsers on PCs, mobile apps, and cloud apps are all updated constantly without causing disruption. The risks of updating everything, everyday are way lower than old perceptions. If nothing else, the use of IaaS to rapidly QA updates has proven to be a huge win for security. The major barrier to overcome is IT operations staying locked into a “change is bad” mentality.
  • The sheer volume recently of critical patches that need to be applied has highlighted our need to focus efforts on securing the data and the applications that we rely on and not the underlying devices. Containerization and isolation technologies that can secure data and apps from other apps and the operating system are something to seriously consider for your endpoint security.
  • It will be a long weekend for operations teams waiting for change windows to apply patches for vulnerabilities that are being actively exploited.

Read more in

Microsoft Patch Tuesday

On Tuesday, September 14, Microsoft released updates to address 86 vulnerabilities in Windows, Office, Azure, Edge, and other products. Three of the fixed flaws are rated critical, including one in the legacy MSHTML rendering engine that has already been exploited in targeted attacks.

Note

  • This patch Tuesday is interesting for the number of high-profile, already exploited, vulnerabilities it addresses. First of all, it includes a patch for the MSHTML vulnerability which is currently used by ransomware gangs. (It is used by others as well, but if you say “ransomware,” management listens and will let you patch it.) PrintNightmare gets another patch, and this patch will actually finally break some network printing. The hidden gem here is the patch for CVE-2021-38647, the Open Management Infrastructure. Never heard of it? You are not alone. But if you are running Linux in Azure, Microsoft likely installed it for you on your virtual machine and left it wide open to attack. Note that even after the patch was released, new Linux VMs in Azure still received the old vulnerable version. (May have been fixed by now.)

Read more in

Microsoft Fixes Critical Azure OMI Vulnerabilities

Microsoft has fixed four vulnerabilities in the Open Management Infrastructure, which is embedded in frequently-used Azure services. The four flaws, which have been dubbed OMIGOD, were detected by researchers at Wiz, who write, “The vulnerabilities are very easy to exploit, allowing attackers to remotely execute arbitrary code within the network with a single request and escalate to root privileges.”

Note

  • This patch was released as part of patch Tuesday. Note that at least for a day after patch Tuesday, newly created Linux VMs in Azure still received the vulnerable version. Linux VMs in Azure may have had this installed and enabled if you enabled certain management features for your virtual machines. Assume that the tool is installed if you are running Linux in Azure, and patching it is urgent as exploitation of the flaw is trivial if respective ports are reachable.
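The two editor notes above (Patch Tuesday and OMIGOD) both come down to the same check on every Linux VM: which omi package version is installed, and whether OMI's remote-management ports are listening. The Python below is an added example, not Microsoft's or Wiz's tooling. It compares the installed version with 1.6.8.1, the first fixed release, and treats 5985, 5986 and 1270 as the OMI ports; the package and `ss -ltn` outputs embedded here are constructed samples, while the `main` block collects the real values from the host it runs on.

```python
"""Classify a Linux host's exposure to the OMI (OMIGOD) flaws."""
import re
import subprocess

FIXED_VERSION = (1, 6, 8, 1)          # omi 1.6.8-1 / 1.6.8.1 is the first fixed build
OMI_PORTS = {5985, 5986, 1270}        # OMI's remote-management listeners

# Constructed `ss -ltn` output from a VM whose OMI listener was enabled.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     *:5986              *:*
LISTEN  0       128     127.0.0.1:25        0.0.0.0:*
"""


def parse_version(text):
    """'1.6.8-1', '1.6.8.1' or 'omi-1.6.4-1.x86_64' -> (1, 6, 8, 1)-style tuple."""
    match = re.search(r"(\d+(?:[.-]\d+)+)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in re.split(r"[.-]", match.group(1)))


def listening_ports_from_ss(text):
    """Ports bound to non-loopback addresses, from `ss -ltn` output (4th column)."""
    ports = set()
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)
        if addr in ("127.0.0.1", "[::1]"):
            continue
        ports.add(int(port))
    return ports


def classify_omi(version_text, listening_ports):
    """'patched', 'vulnerable-local' (no OMI port reachable) or 'vulnerable-remote'."""
    if parse_version(version_text) >= FIXED_VERSION:
        return "patched"
    if listening_ports & OMI_PORTS:
        return "vulnerable-remote"
    return "vulnerable-local"


def _run(cmd):
    """Run a command and return its stdout, or '' when the binary is absent."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    installed = _run(["rpm", "-q", "omi"]) or _run(["dpkg-query", "-W", "-f=${Version}", "omi"])
    if not installed.strip() or "not installed" in installed:
        print("omi package not found")
    else:
        ports = listening_ports_from_ss(_run(["ss", "-ltn"]))
        print(installed.strip(), classify_omi(installed, ports), sorted(ports & OMI_PORTS))
```

"vulnerable-local" is still urgent: the local flaw lets any user on the box escalate to root, so the port check only orders the queue. Run this from the VM itself rather than from a scanner, since an NSG or host firewall can hide a listener from the outside while a later rule change exposes it.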

Read more in

Microsoft Expanding Passwordless Account Features

Microsoft will soon begin rolling out passwordless features to all users. Previously, the features were available only to corporate customers. The password-free features will be available for Microsoft Authenticator and the Hello login service. Instead of passwords, users will be able to access accounts with fingerprints or face scans, hardware authentication tokens, and verification codes sent to phones or emailed.

Note

  • Anything that reduces the percentage of logins using reusable passwords is a good thing. But, we still have different “islands” of authentication approaches across the leading platforms (Apple, Facebook, Google, Microsoft, etc.). Adoption of OAuth, OpenID Connect and SAML provides standard protocols but it is kind of like back in the days when railroads all used the same materials for the tracks but picked different spacing between the rails. “Interoperability” didn’t happen until all agreed on (or regulations demanded) track gauge standards.
  • People do not like two factor authentication. If you have to pick one factor, the password is usually the weaker part, and the part that causes more pain to users. For some applications, passwordless app-based authentication makes a lot of sense.
  • Passwords remain one of the weakest links in our lives. Moving to passwordless is the future but I fear the shift will take a significant amount of time.
  • The biggest problem with strong authentication is making it simple. What MS is doing helps and I really applaud this initiative BUT we could just end up making authentication complex again. I don’t know about you but
    1. I already have three different authenticator apps and it’s most likely going to get worse.
    2. Work and Personal authenticator apps are blending. I have one Authenticator app that is used for both work and personal accounts. In another odd case, I’m using MS Authenticator for my work Microsoft account and using Google Authenticator for my personal Microsoft accounts.
  • Authentication has the potential to once again get really confusing really fast as different organizations take different approaches using different technologies.

Read more in

Former US Military and Intelligence Officers Will Pay Penalty for Providing Hacking Services to UAE Government

Three US citizens have agreed to pay a penalty of $1,685,000 “to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws.” All three, who are former US military or intelligence community employees, worked for a company that provided hacking services to the government of the United Arab Emirates.

Note

  • This is a slap on the wrist at best based on the annual salary they were making for multiple years according to Nicole Perlroth, NYT journalist and author of “This Is How They Tell Me The World Ends” twitter.com/nicoleperlroth

Read more in

FTC Says Health Apps Must Comply with Health Breach Notification Rule

The US Federal Trade Commission (FTC) has voted 3-2 that the Health Breach Notification Rule now also applies to developers and vendors of health apps and connected devices. Companies that do not comply could face monetary penalties of more than $43,000 a day. The rule requires those organizations, and now apps, that handle health information to notify the FTC, users, and in some cases the media in the event of a breach.

Read more in

Universal Decryptor for REvil/Sodinokibi Released

Bitdefender has released a free universal decryptor for REvil/Sodinokibi ransomware. The decryptor, which Bitdefender developed with the help of law enforcement, will help victims who were hit with the ransomware before July 13, 2021. According to reports, the ransomware has re-emerged after a brief lull.

Note

  • This decryptor is for victims ransomed prior to July 13, 2021. Since those attacks, REvil has taken a two month sabbatical and is now back in operation with more resources than ever before. Stay “left of boom” (boom being encryption) by testing your detection and response.
  • Well done to Bitdefender and all the law enforcement agencies involved in this. Remember that if you are a victim of ransomware and cannot recover a critical device, the key to decrypt it may become available in the future. So store the device securely for recovery at a later date.

Read more in

Adobe Patch Tuesday

On Tuesday, September 14, Adobe released fixes for vulnerabilities in numerous products, including Acrobat and Reader, Photoshop, Experience Manager, and ColdFusion. In all, the updates address 59 security issues, 36 of which are critical.

Read more in

CISA and FBI Warn Zoho Flaw is Being Exploited

In a joint alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have warned that Advanced Persistent Threat (APT) actors are exploiting a vulnerability in Zoho ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus build 6114, which was released on September 6, fixes the flaw.

Read more in

Ransomware Hits South Africa’s Justice Dept.

A ransomware attack has encrypted systems at South Africa’s Department of Justice and Constitutional Development. The incident occurred on September 6. As a result, “all electronic services provided by the department are affected, including the issuing of letters of authority, bail services, e-mail and the departmental website.”

Read more in

OWASP App Security Weaknesses Draft Top 10 List

The Open Web Application Security Project (OWASP) has released a draft of its top 10 web software vulnerabilities. The first three items on the list are broken access controls, cryptographic failure, and injection. The list is a draft; OWASP is seeking input from data scientists, web designers, translators, and ASVS, testing guide, and code review guide leadership before releasing the final version.

Editor’s Note

  • Two of the three new top 10 vulnerabilities are kind of broad for the OWASP list but really important to prioritize: A04:2021-Insecure Design and A08:2021-Software and Data Integrity Failures, which incorporated the previous A8:2017-Insecure Deserialization. Both of these demand increased testing of commercially and internally developed software as well as software updates, but the larger goal is driving improvements early in the software design phase.
  • The nice thing about “Top x” lists is that they force you to focus on what actually matters. There are hundreds/thousands of potential things that can and will go wrong, but OWASP is doing a good job in narrowing it down to the issues that matter most. “Insecure Design” is an interesting addition, and in line with the current trend to “shift left.” Not a new concept by any means, but it looks like the renewed focus and better/catchier expression of the concept has finally caught on. OWASP hasn’t actually removed any issues from its top ten list, but managed to re-group some issues to better cover specific problems like XML External Entities by including the root cause of these vulnerabilities (misconfiguration in the case of XXE).
  • Following OWASP recommendations has been an efficient way to address web application security.

Read more in

Apple Updates Address Zero-Day Flaws

Apple has released iOS 14.8, which addresses several vulnerabilities that are being actively exploited. Among those is a flaw that could be exploited without the user clicking on anything.

Note

  • So far, this vulnerability appears to have been exclusively exploited by the NSO Group’s “Pegasus” tool. We often see exploits like the one used by Pegasus trickle down over time to become commodity exploits. With more details available now, the race is on between you, the user, and the attacker to see who is first: patching or exploit development. Don’t let them outrun you. You have a bit of time here, but not much. Apple is likely going to release a major update for its operating systems in a month (or less). The patch will likely be included in that update as well.

Read more in

University of Minnesota Launches Center for Medical Device Cybersecurity

The University of Minnesota has launched the Center for Medical Device Cybersecurity. “CMDC was formed in response to a request from members of the medical device manufacturing industry to form a collaborative hub for discovery, outreach and workforce training in the emerging device security field.”

Note

  • Kudos for Boston Scientific, Smiths Medical, Optum, Medtronic, and Abbott Laboratories for providing funding to get this started but I have to quibble with the term “emerging device security field.” The vast majority of the vulnerabilities medical device manufacturers have been building into their devices are well known bad design/implementation choices that have been on the OWASP Top 10 for many years. I’d like to see the mission of this center focus more on improving the practices of device manufacturers rather than on tactics for protecting poorly designed, vulnerable devices from attacks.
  • It’s quite rare that pentesters have scope to attack medical devices, so it’s great to see an organization like this sponsoring their hackathon. Yes, this often comes down to “stunt hacking,” but if that raises awareness for the leaders who own the risk in these devices, hack away, friends!

Read more in

House Committee Proposes Bill that Would Include Establishing FTC Data Security Bureau

US legislators have introduced a bill that would fund a Federal Trade Commission (FTC) Data Security Bureau. Members of the House Energy and Commerce Committee have proposed allocating $1 billion for the FTC to build the Data Security Bureau over 10 years.

Note

  • Back in 2013, SANS gave the FTC a SANS Difference Makers award and here is what we said: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and, in particular, going after companies that don’t protect their customers’ information. The FTC doesn’t seem to need new laws or more money, it just keeps fighting for its customers.” I have confidence they will continue doing so regardless of the outcome of the draft legislation.
  • The FTC has been effective in punishing some of those that fail to meet their security commitments. It might be an efficient place to invest.

Read more in

Vulnerability in WooCommerce Multi Currency WordPress Plug-in

An access control vulnerability in the WooCommerce Multi Currency plug-in for WordPress could be exploited to change the price of products in online stores. The plug-in detects shoppers’ locations and displays pricing in the local currency. The issue lies in the “Import Fixed Price” feature in WooCommerce Multi Currency versions 2.1.17 and older. Users are urged to upgrade to version 2.1.18.

Note

  • Interesting vulnerability somewhat reminiscent of vulnerabilities in early e-commerce sites that allowed users to overwrite prices in hidden form fields.
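The note's comparison to hidden-field price tampering is the right mental model, and the plug-in bug adds a second failure: a price-changing feature reachable without an authorization check. The Python below is an added example, not the plug-in's code. Two checkout handlers total the same order, one trusting a price posted from the browser and one looking prices up on the server; a third function guards a bulk price import by checking the caller's capability before writing. The catalog, the order, the user records and the capability name (borrowed from WooCommerce's own capability for store managers) are constructed for the example.

```python
"""Client-supplied prices versus server-side prices, plus an authorization check."""
from decimal import Decimal

# Server-side catalog (constructed); money is handled as Decimal, never float.
CATALOG = {"sku-42": Decimal("19.99"), "sku-7": Decimal("250.00")}

# Constructed order: the browser also posted a price field, which anyone can edit.
TAMPERED_ORDER = {"items": [
    {"sku": "sku-42", "qty": "2", "price": "0.01"},
    {"sku": "sku-7", "qty": "1", "price": "0.01"},
]}


def checkout_vulnerable(order):
    """Totals whatever price the client sent (the hidden-field anti-pattern)."""
    total = Decimal("0")
    for item in order["items"]:
        total += Decimal(item["price"]) * int(item["qty"])
    return total


def checkout_fixed(order, catalog=CATALOG):
    """Ignores any client-supplied price; rejects unknown SKUs and bad quantities."""
    total = Decimal("0")
    for item in order["items"]:
        sku = item["sku"]
        if sku not in catalog:
            raise ValueError(f"unknown SKU {sku}")
        qty = int(item["qty"])
        if qty <= 0:
            raise ValueError(f"bad quantity for {sku}")
        total += catalog[sku] * qty
    return total


def update_fixed_prices(user, updates, catalog=CATALOG):
    """Bulk price import; requires the store-management capability (assumed name)."""
    if "manage_woocommerce" not in user.get("capabilities", set()):
        raise PermissionError("price import requires manage_woocommerce")
    for sku, price in updates.items():
        if sku not in catalog:
            raise ValueError(f"unknown SKU {sku}")
        price = Decimal(price)
        if price <= 0:
            raise ValueError(f"non-positive price for {sku}")
        catalog[sku] = price
    return catalog


if __name__ == "__main__":
    print("vulnerable total:", checkout_vulnerable(TAMPERED_ORDER))   # 0.03
    print("fixed total:", checkout_fixed(TAMPERED_ORDER))             # 289.98
    try:
        update_fixed_prices({"name": "anonymous"}, {"sku-42": "0.01"})
    except PermissionError as err:
        print("import blocked:", err)
```

When reviewing a store plug-in or your own checkout, the two questions to ask are the ones these functions answer: where does the price come from at the moment the order total is computed, and which routes can change stored prices, and who has to be logged in to reach them.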

Read more in

Google Chrome Update

Google has released Chrome 93.0.4577.82 to the stable channel for Windows, macOS, and Linux. The updates will be rolled out over the next few days. The newest version of the browser includes fixes for 11 security issues. Of those vulnerabilities, two are being actively exploited.

Note

  • Two already exploited flaws are patched with this update. Luckily, Google Chrome has a pretty good auto-update system. But you may need to restart the browser. (Good idea to take a break from death-scrolling social media feeds in your browser from time to time anyway.)

Read more in

Olympus Medical Technology Company is Investigating Cyber Incident

Tokyo-based medical technology company Olympus is investigating a cybersecurity incident that reportedly affected some of its IT systems in Europe, the Middle East, and Africa (EMEA) on September 8. TechCrunch writes that “according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8.”

Read more in

Yandex Hit with Huge DDoS Attack

Russia’s Yandex Internet company was the target of a massive distributed denial-of-service (DDoS) attack on August 19, 2021. The attack’s traffic peaked at 21.8 million requests per second. The attack is believed to have been launched through a botnet known as Mēris. Brian Krebs has disclosed that the KrebsOnSecurity website was the target of a Mēris DDoS attack on Thursday, September 9.

Read more in

WordPress 5.8.1

WordPress 5.8.1 includes fixes for three security issues, including a cross-site scripting vulnerability and a data exposure vulnerability affecting the RESTful API. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to update to the most recent version of WordPress.

Read more in

Zero-Day MSHTML Flaw in Microsoft Windows

A remote code execution vulnerability in MSHTML is being actively exploited in targeted attacks. MSHTML, also known as Trident, is the proprietary browser engine for the Windows version of Internet Explorer. Microsoft has not yet released a patch but has published mitigations for the vulnerability.

Note

  • For now, follow Microsoft’s advice on how to disable ActiveX, but realize the mitigation may not be perfect. Microsoft’s workaround prevents the installation of new ActiveX controls, but an attacker may be able to use existing controls. Similarly, the protected view warnings appear to be easily bypassed. Let’s hope we will get a patch for this on Tuesday, but until then, the only thing we’ve got protecting us is vigilant users.
  • Trident is the embedded browser rendering HTML content within Office documents. By default, documents opened from the Internet are opened in protected mode or application guard and cannot execute the exploit. A user needs to be tricked into both opening the document and trusting it (disabling those protections); a key mitigation still requires user caution when opening Internet-provided documents. Microsoft’s Defender and Defender for Endpoint will detect and prevent this exploit. Verify your endpoint protection service does as well.
  • Zero-days and breaches are inevitable. While prevention is a goal, detection and response is the reality. Focus on detecting things like Microsoft Word spawning other processes that are not normal.
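The last note's detection advice, Office applications spawning processes they normally would not, is easy to turn into a rule. The Python below is an added example, not from Microsoft or the page: it reads Sysmon-style process-creation events (Event ID 1) as JSON lines and reports every child of Word, Excel, PowerPoint or Outlook, rating known script hosts and LOLBins as high and anything else outside a small expected list as medium for triage. The events are constructed, and the three process lists are starting assumptions to tune against your own baseline.

```python
"""Flag Office applications spawning other processes, from process-creation events."""
import json
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "control.exe",
                      "msiexec.exe", "certutil.exe", "bitsadmin.exe"}
# Children seen in normal use (print helper, crash reporter); extend from your baseline.
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Constructed Sysmon-style events; backslashes are doubled because the lines are JSON.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2021-09-08 14:02:11", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\control.exe", "CommandLine": "control.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.cpl"}
{"EventID": 1, "UtcTime": "2021-09-08 14:02:12", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
{"EventID": 1, "UtcTime": "2021-09-08 14:03:40", "User": "CORP\\bob", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -enc SQBFAFgA"}
{"EventID": 1, "UtcTime": "2021-09-08 14:05:00", "User": "CORP\\carol", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Program Files\\Acme\\AcmePlugin.exe", "CommandLine": "AcmePlugin.exe --sync"}
{"EventID": 1, "UtcTime": "2021-09-08 14:06:00", "User": "CORP\\dave", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 3, "UtcTime": "2021-09-08 14:06:01", "User": "CORP\\dave", "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationPort": 443}
"""


def detect_office_spawns(lines):
    """Return one alert dict per Office child process found in the event lines."""
    alerts = []
    for raw in lines.strip().splitlines():
        event = json.loads(raw)
        if event.get("EventID") != 1:          # only process-creation events
            continue
        parent = ntpath.basename(event["ParentImage"]).lower()
        child = ntpath.basename(event["Image"]).lower()
        if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
            continue
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        alerts.append({"time": event["UtcTime"], "user": event["User"], "parent": parent,
                       "child": child, "severity": severity, "cmdline": event["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_spawns(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['user']}: "
              f"{alert['parent']} -> {alert['child']}  {alert['cmdline']}")
```

The medium tier is what makes the rule survive contact with a real fleet: run it over a week of events, move the benign children it finds into the expected list, and leave the high tier alone. Matching on the basename keeps the rule independent of the Office install path, so it applies to both Click-to-Run and MSI installs.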

Read more in

ProtonMail Alters Privacy Policy After Disclosing Activist’s IP Address

Following the revelation that it disclosed the IP address of a French activist to Swiss authorities, ProtonMail has removed a clause in its service policy that had stated “by default, we do not keep any IP logs which can be linked to your anonymous email account.” That section of the policy now reads, “ProtonMail is email that respects privacy and puts people (not advertisers) first.”

Note

  • Note that ProtonMail and ProtonVPN are two products by the same company. They use different privacy/logging policies. For the VPN product, IP addresses are not logged. As an easy “workaround”: Use ProtonVPN to connect to ProtonMail (or TOR if you want to stay more anonymous).
  • Review privacy claims carefully. Even with end-to-end encryption, consider that access logs are going to exist for some period, if for no other purpose than to support problem diagnosis and resolution. If you’re providing services aimed at protecting privacy, be clear about what is maintained and under what conditions it can be revealed. Expect increased use of anonymizing services such as Tor to further obfuscate users who truly wish not to be tracked.
  • Most agreements with service providers include a provision that allows them to comply with any legal service – warrants, subpoenas, and national security letters – without notifying the subjects. The Google Transparency Report shows that such service is frequent, growing, and expensive to comply with. A small number of large firms have begun to charge for the cost of compliance. All should do so; the cost of such compliance should not be borne by the constituents of the service providers.

Read more in

White House Zero Trust Strategy

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) have released draft documents on zero-trust strategy and technical details as part of the administration’s efforts to move the government toward zero-trust architecture. Both agencies are taking public comment.

Note

  • Getting to “Zero Trust” first requires reaching the essential security hygiene level, as captured by the CIS Critical Security controls. Only after that can the functions called out as “Zero Trust” be implemented. The CISA “Zero Trust Maturity Model” released for review points that out: “Moving to a ZTA is non-trivial… zero trust may require a change in an organization’s philosophy and culture around cybersecurity.”
  • The comment period is open until October 1st. If you’ve got experience with Zero Trust, provide input so others can leverage your experience. One doesn’t just buy Zero Trust and click install. Foundational cyber security maturity must be in place to mitigate the risks of an anytime, any device, anyplace access model. DHS’s CDM project compels agencies to implement core critical controls to meet program requirements, e.g., hardware and software inventory of active devices, as well as configuration and vulnerability assessment status. These roadmap documents, when finalized, should be leveraged to plot the course between current state and Zero Trust. Be sure to include sufficient time and resources to implement identified shortcomings.
  • I love the concept of “Zero Trust” but have a hard time seeing how most organizations can implement it. When you have the budget, technical know-how and leadership support like Microsoft and Google, then absolutely. But for the literally millions of companies that are still struggling with the basics concepts of knowing what assets they have, keeping those assets patched and the use of strong passwords – the concept of “Zero Trust” is a loooooong way off. To make “Zero Trust” truly global, we have to first make it truly simple.
  • The expression “Zero Trust” got its currency as marketing hype, but the principles go back to the Orange Book. In those days we expected the principles to be the default. While I am a strong advocate for process-to-process isolation and strong process (to include users) to process authentication, both horizontally and vertically, I am not sure that the expression embraces all of that for many organizations. One hopes that CISA and OMB will embrace the Orange Book principles in their guidance. Otherwise, we may see a great deal of compliance that falls far short of the implied security.

Read more in

SEC Sanctions Financial Services Firms Over Cybersecurity

The US Securities and Exchange Commission (SEC) has sanctioned three financial services companies for failing to implement adequate cybersecurity protections. In all three cases, threat actors gained access to customers’ personally identifiable information. All three companies have agreed to settle charges, paying fines ranging from $200,000 to $300,000.

Note

  • The SEC fines are small, and SEC requirements for cybersecurity are not very onerous, especially when compared to the EU GDPR requirements and consequences. But, the enforcement and penalties do catch the attention of CFOs and Chief Legal Counsels – good allies to help drive change like movement to strong authentication, essential security hygiene and increased supply chain security.
  • If you’re having trouble getting financial support for your Cyber initiatives, remember that your CFO and Corporate Lawyers pay attention to SEC sanctions/fines and other actions and can be leveraged to support initiatives to ensure data is protected, such as multi-factor authentication, encryption at rest, in use and in transit, and rights management.
  • These nominal fines are imposed only after the damage has been done.

Read more in

FortiGate SSL-VPN Access Credentials Leaked Online

Fortinet has acknowledged that an attacker has leaked access credentials for 87,000 FortiGate SSL-VPN devices. The credentials were stolen through a vulnerability that has had an available fix since May 2019. Systems that have since been patched are still exposed unless their passwords were also reset, because the credentials were harvested before the patch was applied.

Note

  • These credential dumps have become rather common following the FortiGate vulnerability leaking user credentials. This latest leak has significant overlap with prior leaks, and I wouldn’t worry too much about it. If you find an unpatched FortiGate appliance: Travel back in time to early 2019 and patch. Patching now is a nice thing to do but your credentials have been leaked, and attackers likely already used them.
  • You got the downtime, applied the FortiGate patch, verified it was in place. Did you remember to not just reset but change the passwords? Better still, switch to MFA so any compromised credentials are unusable. Make sure that you didn’t leave any reusable passwords behind, say for your Administrator or VIPs. System Administrators may be a harder sell than VIPs who usually want to be treated like everyone else.
  • Enable multi-factor authentication everywhere. Where to start? VPN interfaces is a great start.

Read more in

Zoho Patches Critical Flaw

Zoho has patched a critical authentication bypass vulnerability in its ManageEngine ADSelfService Plus password management solution. The remote code execution issue affects REST API URLs. The flaw is being actively exploited.

Note

  • Yes, REST services need authentication too. It is sad how often we see these problems. I find developers sometimes get distracted by shiny tools and technology. Should be obvious that a system being used to manage enterprise-wide credentials needs special attention and should already be patched.
  • This most recent flaw in Zoho ManageEngine AdSelfService will be no surprise to administrators as this product has a history of significant vulnerabilities (9 CVEs with 4 critical vulnerabilities in 2021 to date). It’s important to understand the operational costs for a product, particularly for those intended to save money by allowing users to self-service password management.
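"REST services need authentication too" is easiest to guarantee when the authentication filter is deny-by-default rather than a list of protected URL prefixes. The Python below is an added, generic illustration; it is not Zoho's code and does not claim to reproduce the ADSelfService Plus bug. It contrasts a filter that protects only paths matching a prefix list, which a request reaching the handler through an unnormalized path slips past, with one that requires a valid token on every route except an explicit public list, after decoding and normalizing the path. The tokens are HMAC tags over the user name with a constructed secret, and the route lists are constructed.

```python
"""Deny-by-default authentication for REST routes, with path normalization."""
import hashlib
import hmac
import posixpath
from urllib.parse import unquote

SECRET = b"constructed-example-secret"      # would come from configuration in practice
PUBLIC_PATHS = {"/", "/health", "/login"}   # the only routes reachable without a token
PROTECTED_PREFIXES = ("/RestAPI/", "/admin/")  # used only by the weak filter below


def issue_token(user):
    """user.<hmac-sha256 over user> (constructed token format)."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def token_user(token):
    """Return the user named by a valid token, else None."""
    if not token or "." not in token:
        return None
    user, tag = token.rsplit(".", 1)
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def canonical_path(path):
    """Percent-decode once, then collapse '.', '..' and repeated slashes."""
    path = posixpath.normpath(unquote(path))
    return "/" + path.lstrip("/")


def weak_filter(path, token):
    """Prefix allowlist on the raw path: '/./RestAPI/x' does not look protected here."""
    if path.startswith(PROTECTED_PREFIXES) and token_user(token) is None:
        return 401
    return 200


def strict_filter(path, token):
    """Every route needs a valid token unless its canonical path is explicitly public."""
    if canonical_path(path) in PUBLIC_PATHS:
        return 200
    return 200 if token_user(token) else 401


if __name__ == "__main__":
    for path in ("/RestAPI/users", "/./RestAPI/users", "/%2e/RestAPI/users", "/health"):
        print(f"{path:22} weak={weak_filter(path, None)} strict={strict_filter(path, None)}")
```

The caveat with any normalization step is that it must match what the application server does with the path before routing: decode the same number of times and collapse the same sequences, or the filter and the handler will disagree about which route a request hits. Deny-by-default removes most of that risk, because a disagreement then fails closed.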

Read more in

Microsoft Fixes Azurescape Vulnerability

Microsoft has fixed a vulnerability in Azure Container Instances that could have let users access other users’ information. The vulnerability, “the first cross-account container takeover in the public cloud,” was discovered by researchers at Palo Alto Networks Unit 42. Microsoft has notified affected customers and urged them to “revoke any privileged credential that were deployed to the platform before August 31, 2021.”

Note

  • The Unit42 report, which explains how the exploits worked and shows how Microsoft responded to the issues as well as explains how controls failed, includes mitigations for your Kubernetes Environment. Irrespective of who is hosting it, start with the basics of keeping it patched and updated, do not send privileged access tokens anywhere but to the api-server as they can be used to masquerade as the token owner, and deploy policy enforcers to monitor and prevent suspicious activity.
  • This account takeover vulnerability quickly follows the Azure Cosmos DB account takeover flaw from two weeks ago. Organizations should take note: security responsibility for vulnerability remediation does not end with the cloud provider when using PaaS services; you also need to revoke and reissue keys to mitigate the chance of successful attacks.
  • The Azure CrossAccount Container flaw is both fascinating and a bit unsurprising. Are we surprised that Microsoft, and probably many other vendors, are running a dated version of the software, runC in this case, in their environments? Doing ops is hard; keeping software patched is hard. The part that is novel here is that being on the container host meant being able to move laterally into other customer containers. The troubling part for defenders is the unknown. Did an attacker understand this flaw before the vendor disclosure? The current best architecture option you have is to reduce processing and storage on container workloads to the smallest amount of time. I would start looking back at “Shared Responsibility.” How can a vendor provide more telemetry to teams running workloads in this manner? After several flaws have been found in Windows Container workloads, Azure Container Service, and Azure Functions, it appears that people are smelling blood in the water.

Read more in

New Zealand Banks, Post Offices, and Others Recover From DDoS Attacks

A series of distributed denial-of-service (DDoS) attacks have targeted banks, post offices, and other organizations in New Zealand. The attacks appear to be part of the same campaign that last week attacked Vocus, a major Internet service provider in New Zealand. All entities appear to have recovered from the attacks.

Note

  • Talk to your ISP about their DDoS protections. These attacks show that your idea of being a target and attackers are likely very different. Also, even if the attack is not targeting you, a significant attack could take out your ISP which will ruin your day as well. Don’t forget to verify your outsourced and cloud services DDoS protections. If your service (ISP, Cloud, etc.) is not providing protections, research alternatives and develop a contingency plan. It’s no longer viable to unplug the Internet and remain operational.

Read more in

United Nations Acknowledges its Systems Were Breached

The United Nations has confirmed that its systems were breached in April of this year, and that additional attacks related to the breach “have been detected and are being responded to.” The initial intrusion was made through a compromised account on the UN’s Umoja proprietary project management software. The account did not have two-factor authentication enabled.

Read more in

CYBERCOM Warns that Critical Atlassian Vulnerability is Being Actively Exploited

On Friday, September 3, US CYBERCOM sent a tweet urging users to patch a critical vulnerability in Atlassian’s Confluence Server and Data Center. USCYBERCOM wrote, “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.” Atlassian updated its August 25 advisory on September 3.

Note

  • Some clients are still very hesitant to do internal or assumed breach penetration tests. With all the ways into an environment (exposed services like this, identity abuse, phishing, insiders…), it’s hard to justify ignoring. See also: The Emperor’s New Clothes.
  • By the time you are reading this, consider all vulnerable Atlassian instances compromised. Only on-premise installs are affected. Atlassian already patched cloud instances.
  • This applies only to your self-hosted Confluence servers. The notice has been changed to reflect that exploitation does _NOT_ require an account on the system. Apply the patch to your Confluence servers now, and make sure that only those that need to be are exposed to the Internet. Double check for additional services which may themselves be Internet accessible and provide unintended exploitation paths.

Netgear Releases Firmware Updates to Fix Switch Vulnerabilities

Netgear has made firmware updates available for 20 products to address three high-severity security flaws. Proof-of-concept exploits and technical details for two of the vulnerabilities are publicly available. Most of the affected products are smart switches.

Note

  • Use the web interface of your Netgear switch or router, or the mobile management app if it has one, to check for and install any updates. For models that support it, enable automatic updates during times where it doesn’t matter if your device reboots. You can also cross-check the Netgear support site to verify you have the current firmware version.

Dallas School District Discloses Data Compromise

In a data security update, the Dallas (Texas) Independent School District has acknowledged that “a data security incident involving the district’s electronic records … may affect former and current students, alumni, parents, and district employees.” The breach affects students, parents, employees, and contractors dating back to 2010. The district learned of the incident on August 8, 2021.

Note

  • Most schools are returning to in-school classes but will need to maintain remote learning capabilities and connectivity. As that stabilizes, use this news item to justify checking if 11-year-old sensitive data really needs to be stored online and evaluate other essential data security precautions. School systems have many obstacles to securing systems and networks – minimizing what is available to attack can be a very useful first step.
  • The trick is making sure that students are not sharing extra data with the school-provided IT systems, that they don’t install extra applications, and that they use school systems only for schoolwork, to minimize the data at risk in the event of a compromise of the school’s IT systems. Parents should ask what protections are in place on the systems holding their data. As challenging as remote learning and providing IT systems to students is, even prior to the pandemic, ask (and offer) whether they need help or expertise, respecting the guidance and staff they have in place.

Jenkins Discloses Compromised Atlassian Confluence Server

Jenkins server developers have acknowledged that one of their Confluence servers was compromised. The intruders installed a cryptominer on the compromised server. The server in question hosted the no-longer-used Jenkins Wiki portal and had been deprecated since October 2019.

Note

  • You know those services you deprecated and didn’t retire because you needed them “just-in-case?” Me too. Time to go back and either retire them, or restore them to a managed/patched state, as well as double check them for compromise. Also update your lifecycle processes to include setting a retirement date for the old service or equipment. Retirement needs to include data disposition or archive.
  • See the first story above. Let’s hope the Jenkins’ statement is correct and none of their software was compromised.

New Zealand Limited Internet Outage Caused by Response to Cyberattack

Vocus NZ, a major internet provider in New Zealand, said that its response to a distributed denial-of-service (DDoS) attack last week caused a widespread Internet outage. Vocus was reportedly blocking the DDoS launched against one of its customers; the actions it took caused customers in Auckland, Wellington, and Christchurch to experience outages. The issue has been resolved.

Note

  • Collateral damage from DDoS attacks is quite common. ISPs often have to block some legitimate traffic initially to regain the ability to manage their networks. In some cases, filters can also cause additional load issues on routers.
  • DDoS attacks are becoming more common, with increased bandwidth and decreased duration. Some last only a few seconds, meaning automation is needed to effectively shut down these attacks. Work with your ISP and service providers to determine what their response capabilities are. They should be able to provide recent results of success or failure. DDoS prevention may be a separate service from your existing providers or something you must purchase and reconfigure your network routing to leverage. Make sure you have all the details before starting the engagement.

BrakTooth Bluetooth Vulnerabilities

Researchers at Singapore University of Technology and Design have identified a group of vulnerabilities affecting Bluetooth stacks implemented on system-on-a-chip circuits used by at least 11 vendors. Known collectively as BrakTooth, the flaws affect a variety of devices, including smartphones, laptop and desktop systems, and industrial equipment. The risks posed by the flaws include crashing device firmware to create denial-of-service conditions, allowing arbitrary code execution, and creating a deadlock condition that prevents Bluetooth communication. Some affected vendors have released patches to address the issues.

Note

  • BrakTooth is attacking Bluetooth Classic and exploitation requires an attacker to be in radio range. This applies to not just your Smartphone or tablet, but also your laptop or any other devices with Bluetooth System on a Chip (SOC) components. The SANS ISC writeup lists tested vendors and patch status and notes that the vulnerability likely applies to Bluetooth Classic implementations not listed. Mitigations include: applying available updates, disabling Bluetooth where you’re not using it, and evaluating SOC implementations in your environment to consider the risks of exploit versus turning off that Bluetooth until it can be patched.
  • The bad news is that Bluetooth is widely supported and used for many sensitive applications. The good news is that Bluetooth range is measured in meters and attacks against it do not scale well.

Kaspersky: Attacks Against IoT Devices Doubled Over Six Months

Researchers at Kaspersky detected over 1.5 billion attacks against Internet of Things (IoT) devices during the first six months of 2021, more than twice as many as they detected during the previous six months. The attacks appear to be focused on stealing sensitive data, mining cryptocurrency, and adding devices to botnets.

Note

  • This is kind of a click-bait headline – for the last 5 years or so, various reports have shown the number of attacks against IoT devices growing 100-300% per year. Of course, the number of IoT devices is growing that fast, too. But the important question is whether vulnerable IoT devices provide attack paths to your critical systems or information, not how many attacks are out there. Knowing if and where your roof leaks is important; how many raindrops fell in a storm, not so much.
  • Pretty meaningless statistic as IoT devices are already saturated with attacks. For years now, IoT botnets have achieved an overkill causing new devices to be compromised within minutes. Let’s see if recent arrests in China affecting the “Mozi” gang will have some effect (but many of these botnets are on autopilot and remain in a zombie state long after the groups behind them have ceased operations).
  • Over the last decade or so, there has been an explosion of IoT devices, both at home and work, which provide automation or assistance. The desire to monitor and/or interact with them has resulted in many being configured with increased accessibility. Make sure that your devices can talk only to services they need, and that they can’t cause peripheral harm if compromised. Where possible put them on an isolated network. Even home routers now include VLANs and Guest Network segments, which can be leveraged for this purpose.
  • Single application devices should be relatively easy to secure. However, the tendency of developers to include general purpose operating systems and the sheer number of the devices creates a large and porous attack surface and increases global risk for little return.

Windows 11 Will Have New Hardware Requirements

The Windows 11 operating system, which is scheduled to be released next month, has hardware requirements that prevent it from being installed on older devices. While there is a loophole that allows users to install Windows 11 on older systems, Microsoft has indicated that users who choose to run Windows 11 on unsupported devices will not receive updates through Windows Update. Windows 11 is scheduled to begin rolling out in early October; Microsoft expects the rollout to continue through mid-2022.

Note

  • Your IT staff should be evaluating the hardware minimums for Windows 11 and updating your standard configurations so newly purchased systems can run a supported version of Windows 11, even if you’re not planning to migrate right away. Note that home versions require an Internet connection and a Microsoft.com account to complete installation and activation. Microsoft has released a compatibility check tool: www.microsoft.com/en-us/windows/windows-11#pchealthcheck

French Government Visa Website Data Breach

A French government website experienced a data security breach in August. Compromised data include names, email addresses, passport and identity card numbers and other information entered when applying for visas from the French government. In a press release, the French Ministry of Foreign Affairs and Ministry of the Interior say that no sensitive data, as defined by the General Data Protection Regulation (GDPR), were compromised.

Former Credit Union Employee Pleads Guilty to Computer Intrusion and Destruction of Data

A New York woman has pleaded guilty to destroying data belonging to her former employer. In June 2021, Juliana Barile was fired from her position as a remote worker for an unnamed credit union. A company employee reportedly asked the IT department to disable Barile’s network access after her termination, but the request was not acted upon. Barile then accessed the company’s file server and deleted 21.3 GB of data, including mortgage loan applications and other sensitive information.

Note

  • The risk of not automating the connection between an employee being terminated and their access being removed is a long-standing issue. However, this scenario is often a hole even for organizations that have tied those processes together: a part-time worker working remotely. Contract and part-time workers are not always handled through normal HR channels and VPN access is often not well-integrated into the access removal process. Good reminder to look into both of these issues.
  • Two days after being terminated she was able to log in and within 40 minutes delete the data. Two lessons here: first, employers must deactivate accounts of terminated employees immediately (while the person is being walked out if possible); second, former employees using those accounts for maleficence are always caught. Jeff Man reminded me that per PCI DSS 8.1.3: Immediately revoke access for any terminated users.
  • Before granting privileges, be certain that you know how and when they are to be withdrawn.

Dallas Police IT Employee Fired for Deleting More than 22TB of Data

A Dallas Police Department IT employee has been fired after he was found to be responsible for deleting 22.5 TB of police data, including evidence. The city launched an audit after learning that 7.5 TB of evidence had been deleted in April. The audit revealed an additional 15 TB of deleted data, which includes police evidence and files from the city secretary’s office. The employee moved police evidence from cloud storage to a local server. A Dallas police investigation determined that the former employee’s action was not criminal.

Note

  • Ask if you could detect this sort of activity. DLP may not be at the top of your list, but information protection includes loss detection. Make sure that your records are not only properly stored and archived, but that they are in immutable form to prevent both deletion and alteration.
  • Not a lot of detail on this one, but it looks like employee error. But the impact is the same as if it was a more exciting ransomware event – “crown jewels” data is gone. There seems to be a lot of “we store it in the cloud, so it must be backed up” going around – that can be true if such services are being paid for, but data can be deleted permanently from the cloud by mistake just as easily as from an on-premises server.

Known Atlassian Confluence Vulnerability is Being Exploited to Install Cryptominers

Cyberthreat actors are exploiting a recently-disclosed vulnerability in Atlassian Confluence to install cryptomining software. Atlassian released an advisory about the remote code execution flaw on August 25; updates to fix the issue are available. Users are urged to upgrade as soon as possible.

Note

  • If you haven’t already, patch this before the long weekend. Confluence is a huge target and can be used to compromise your software development process. Details about the vulnerability and how to exploit it have been made public so seeing it exploited in the wild is no surprise.
  • The attacks are also being used to spread laterally through networks. Scan your Confluence servers to make sure they have been updated and that they haven’t been compromised. Don’t put off the update until after the holiday weekend, particularly for internet facing systems. Check the Atlassian bulletin for guidance confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

FTC Order Bans SpyFone and its CEO From Surveillance Business

The US Federal Trade Commission (FTC) has banned SpyFone and its CEO “from the surveillance business over allegations that the stalkerware app company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack.” The FTC has also ordered the company to delete data that has been harvested illegally and to notify owners of devices on which the app had been surreptitiously installed.

Note

  • If you go to www.spyfone.com, it resolves to a NY-based company Spyphone, with tracker apps that are still in the Google Play and Apple app stores. Support King purports to be a remote support company but lists partners such as “One Click Root” and “One Click Jailbreak.” A good idea to check for any apps with connections to Support King on mobile devices.
  • The app breaks Section 5 of the FTC Act which covers unfair or deceptive acts or practices. In 2018, it was discovered that the SpyFone S3 bucket was exposed and contained data from over 3600 devices. If they fail to notify users and continue to operate, each instance (device) can carry a civil penalty of up to $43,280.

CISA, FBI, and White House Advise Cyberthreat Vigilance Over Long Weekend

In a joint security advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI caution public and private sector organizations to be vigilant about the possibility of ransomware and other cyberattacks over the US Labor Day holiday weekend. The warning is based on the fact that several previous attacks, including the Colonial Pipeline ransomware attack and the Kaseya supply chain attack, took place over holiday weekends. Deputy National Security Advisor Anne Neuberger reiterated the advisory’s warning, noting that “We have no specific threat information or information regarding attacks this weekend, but what we do have is history, and in the past over holiday weekends, attackers have sometimes focused on security operation centers that may be understaffed, or a sense that there are fewer key personnel on duty as they may be on vacation.”

Note

  • Make sure that your SOC is manned during holidays, and that alerts are responded to. Incentivize staff with holiday and on-call pay, don’t expect them to yield their holiday without compensation. Create clear expectations of what is expected. I have seen on-call arrangements which require employees to carry and actively respond within an hour to an on-call cellphone or pager and require them to be sober during their coverage window.

Pac-Resolver NPM Code Library Updated to Fix Vulnerability

The Pac-Resolver NPM code library has been updated to fix a severe remote code execution flaw. Pac-Resolver is downloaded more than 3 million times a week.

Autodesk was Targeted in SolarWinds Attack

In a 10-Q filing with the US Securities and Exchange Commission (SEC), computer-aided design (CAD) software company Autodesk disclosed that its network was affected by the SolarWinds supply chain attack. In the filing, Autodesk writes that it “identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents.”

K-12 School System ISAC Publishes Essential Cybersecurity Protections

The K12 Security Information Exchange (K12 SIX) has published guidance aimed at helping K-12 school districts protect their networks from ransomware, phishing, and other cybersecurity threats. The document lists 12 cybersecurity controls, organized into four categories: sanitize network traffic to/from the Internet; safeguard student, teacher, and staff devices; protect the identities of students, teachers, and staff; and perform regular maintenance. K12 SIX was founded in 2020 and operates as an information sharing and analysis center (ISAC) for K-12 education.

UK VoIP Operators Suffer DDoS Attacks

Two UK Voice over Internet Protocol (VoIP) operators have reported that they have been the targets of distributed denial-of-service (DDoS) attacks. VoIPfone is still experiencing outages as a result of the attack. VoIP Unlimited says it received a “colossal ransomware demand” after it was hit with a huge DDoS attack, and that its services are operational.

Note

  • POTS providers had a great record for reliability. VoIP operators will be challenged to meet it. If dependent upon telephone communications, consider cellular backup to VoIP.

Microsoft is Tracking Open Redirect Phishing Campaign

Microsoft is tracking a credential phishing campaign that uses open redirect links to manipulate users into visiting maliciously crafted websites. Microsoft says that the threat actors behind the attacks have used more than 350 unique domains.

Note

  • Make sure your email and endpoint protection services detect these links. Make sure the URL protection features are enabled. Note that while these tools rewrite URLs and some familiarization is needed, the current encoding used by open redirects which capture user trends and clicks is already heavily encoded making it impractical for a user to visually verify the target URL. Microsoft Defender for Office 365 is included with E5/G5 licensing and has these capabilities.
  • Open redirects used to be part of the OWASP Top 10 list of web application vulnerabilities. But while they no longer make the “Top 10”, open redirects are common and often underestimated. Their use in phishing is pretty obvious, but in some cases, they can also be used to steal OAuth credentials.
  • The Microsoft blog entry notes that “Today’s email threats rely on three things to be effective” but doesn’t list the most important enabling factor: the use of reusable passwords. Microsoft’s own research showed that 99.9% of phishing attacks would not have succeeded if simple text messaging as a second authentication factor was used. Another item in today’s NewsBites has US CISA finally putting single factor authentication in their Bad Practices list, along with using unpatchable software and default passwords.
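As an added example (not code from the NewsBites item or from Microsoft’s report), here is the open redirect pattern these campaigns abuse next to a hardened version that only honours same-site paths or allowlisted https hosts; the host names and sample links are constructed for illustration.

```python
"""Open redirect: the vulnerable pattern next to an allowlisting fix.

Added example, not from the NewsBites item or Microsoft's report; the host
names and sample links are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist of hosts this site is willing to send users to.
TRUSTED_HOSTS = {"portal.example.com", "sso.example.com"}


def redirect_vulnerable(next_url: str) -> str:
    """Vulnerable pattern: whatever arrives in the ?next= parameter becomes the
    Location header. A phishing mail can carry a link on the trusted domain,
    e.g. https://portal.example.com/login?next=https://attacker.example/, and
    the user ends up on the attacker's page after "logging in"."""
    return next_url


def redirect_safe(next_url: str, fallback: str = "/") -> str:
    """Hardened pattern: honour only same-site paths or https URLs whose host is
    on the allowlist; everything else goes to a fixed internal page."""
    if not next_url or any(ch in next_url for ch in "\\\r\n\t "):
        # Browsers treat "\" like "/", so "/\attacker.example" would navigate
        # off-site; control characters and whitespace suggest header injection.
        return fallback
    parts = urlsplit(next_url)
    if not parts.scheme and not parts.netloc:
        # Site-relative path. Check the raw string: "//host" and "///host" are
        # scheme-relative in browsers even though urlsplit may report no netloc.
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return fallback
    if parts.scheme != "https":
        return fallback  # http://, javascript:, data: and friends
    # hostname strips userinfo and port and lower-cases, so the classic
    # "https://portal.example.com@attacker.example/" yields "attacker.example".
    # Requiring netloc == hostname also rejects userinfo and port tricks.
    host = parts.hostname
    if host not in TRUSTED_HOSTS or parts.netloc.lower() != host:
        return fallback
    # Rebuild the URL from validated parts; the fragment is dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed ?next= values as they might appear in phishing links.
    for candidate in ["/dashboard?tab=1", "//attacker.example/login",
                      "https://portal.example.com@attacker.example/",
                      "https://sso.example.com/cb?x=1", "javascript:alert(1)"]:
        print(f"{candidate!r:55} vulnerable -> {redirect_vulnerable(candidate)!r:45} "
              f"safe -> {redirect_safe(candidate)!r}")
```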

Singapore Government CIO’s Office Creates Vulnerability Hunting Program

Singapore’s Government Technology Agency has established a Vulnerability Rewards Programme that will pay up to $5,000 for vulnerabilities found in public sector information and communications technology (ICT) systems. The program will initially be restricted to three systems, but will be expanded to include additional ICT systems. Participants must be approved before they begin hunting for vulnerabilities.

Note

  • Singapore had already been running well-managed bug bounty programs for several years with very positive results. The key is “well-managed” – not just managing the submission review and payout process, but also having the processes and playbooks in place for quickly remediating the vulnerabilities discovered. The next step is using the data to change software development and IT operations practices that resulted in vulnerable applications.
  • It’s wonderful to see more public entities moving this way. So many, at present, don’t even have clear points of contact for responsibly disclosing vulnerabilities found. Related: does your site have /.well-known/security.txt?
  • Read the restrictions carefully. The programs are seasonal, focusing on 10 critical and “high-profile” systems during each run. Also hackers must meet a set of criteria before being permitted to participate; these checks are performed by HackerOne which will also provide the VPN gateway needed to investigate the identified targets. Violation of the terms of service will result in that access being terminated.
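As an added example (not code from the NewsBites item), a small checker for the RFC 9116 security.txt format that answers the question above for a constructed sample file, using a fixed reference date so the result is reproducible:

```python
"""Checker for the /.well-known/security.txt format (RFC 9116).

Added example, not from the NewsBites item; the sample file and the
reference date are constructed. It verifies the two mandatory fields
(Contact and Expires) and flags an expired or too-distant Expires value.
"""
from datetime import datetime, timedelta, timezone

KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}

# Reference "now" for reproducible checks (the digest's date); real use
# would pass datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2021, 9, 29, tzinfo=timezone.utc)

# Constructed sample of what https://example.com/.well-known/security.txt
# might contain.
SAMPLE = """\
# Security contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2022-09-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://example.com/vdp/policy
"""


def parse_security_txt(text: str) -> dict:
    """Map field name -> list of values; malformed lines go under "_malformed"."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime = REFERENCE_NOW) -> list:
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_security_txt(text)
    problems = [f"malformed line: {l}" for l in fields.get("_malformed", [])]
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing Contact")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto/https/tel URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires lacks a time zone")
            elif exp <= now:
                problems.append("Expires is in the past")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away")
    for name in fields:
        if name not in KNOWN_FIELDS and name != "_malformed":
            problems.append(f"unknown field: {name}")
    return problems


if __name__ == "__main__":
    print(check_security_txt(SAMPLE) or "security.txt looks fine")
```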

CISA Adds Single-Factor Authentication to Bad Practices Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added single-factor authentication to its list of Bad Practices. CISA notes that “The presence of these Bad Practices in organizations that support Critical Infrastructure or National Critical Functions (NCFs) is exceptionally dangerous and increases risk to our critical infrastructure.” Single-factor authentication is the third item to be added to the Bad Practices catalog; the first two are using unsupported or end-of-life software and using known or default passwords and credentials.

Note

  • Single-factor authentication needs to be minimized and eliminated where possible. Prioritize your actions based on the criticality of both the system and the data processed. Where it remains, long passphrases, ideally checked against breach data, need to be used. Gain user support by using solutions which allow for single sign-on and fail over to multi-factor authentication when accessed from non-trusted devices. Require endpoints/trusted devices to use MFA. Some authenticators can be configured to require MFA when the system attempting to use SSO has been logged in using single-factor authentication. Read the CISA National Critical Functions if you’re wondering what NCFs are: www.cisa.gov/national-critical-functions
  • Of the current three Bad Practices listed, two of them are password-related. For the past three years the VZ DBIR has identified passwords as one of the top two drivers of breaches globally (phishing is the other). I’m a huge fan and supporter of MFA. Interested to see if / what CISA adds to this list in the future.

Google Transparency Report: Geofence Warrants Increased by a Factor of 10

According to Google’s most recent transparency report, the company saw a significant increase in geofence warrants last year. Geofence warrants capture device data from users within a specified area over a specific amount of time. The number of warrants Google received for US locations in 2018 was 941; in 2020, that number was just over 11,000. Geofence requests now account for more than 25 percent of all law enforcement data requests Google receives.

Note

  • While this will not tell you if your user data was requested, it is interesting to see the groupings by request types. In the US, the top requests have shifted from search warrants, subpoenas and preservation requests to search warrants, preservation requests and subpoenas, indicating an uptick in investigative activities. Preservation requests hold information for future actions relating to active investigations until they can compel its legal release, and if the information is released it is reported in the other categories.
  • Build it and they will come. The ability to ask for geofence warrants is too tempting to not use them. This may serve as a warning of what may happen with other surveillance features built into future devices.

OMB Memo Outlines Framework for Agency Cyber Incident Logging

A memo from the US White House Office of Management and Budget (OMB) lays out a framework to help federal agencies comply with the Cybersecurity Executive Order requirements to log and store data related to cybersecurity incidents. The memo describes a tiered maturity model for event log management and sets target dates for measuring current practices and for achieving each tier.

Note

  • The guidance is useful even if you’re not impacted by E.O. 14028. Make sure that you have your bases covered: needed events are logged, with a consistent and reliable time source, that access to read and update logs is appropriate, that they are retained and secured to facilitate analysis and response activities. Agencies are required to assess and report their maturity as defined in the memo within 60 days, reach EL1 maturity within one year, EL2 within eighteen months and EL3 within three years. NIST SP 800-92 will be updated to include the requirements from this memo.
  • The UK’s National Cyber Security Centre (The NCSC) also has an excellent guide to help organisations tackle the challenge of monitoring their logs. Their Logging Made Easy (LME) guide is a great start for any organization. www.ncsc.gov.uk/blog-post/logging-made-easy

QNAP Working on Updates to Fix OpenSSL Vulnerabilities in Some NAS Devices

QNAP says it is developing updates to address vulnerabilities affecting its Network Attached Storage (NAS) devices. OpenSSL released fixes for the heap-based buffer overflow and read buffer overrun issues last week. The flaws could be exploited to access memory data without authorization, cause denial-of-service conditions, or run arbitrary code. The issues affect QNAP NAS devices running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync.

Note

  • These specific OpenSSL vulnerabilities are not severe enough to lose any sleep over. Also, any device using OpenSSL (which means at least all Linux/BSD-based devices) is vulnerable. Similar updates are available for other devices.
  • NAS devices need to be carefully protected, not only as exploits continue to surface, but also as they are now being targeted by Ransomware such as eChoraix which is specifically targeting QNAP and Synology devices. Make sure that your NAS device is only accessible by authorized hosts, that default credentials have been changed, and that any unused or unexpected applications are uninstalled.
  • NAS services and devices should not be connected to the public networks.

Microsoft Fixed Exchange Server ProxyToken Vulnerability in July

A vulnerability in Microsoft Exchange Server could be exploited to steal email. Dubbed ProxyToken, the flaw allows unauthenticated attackers to reconfigure mailbox operations. Microsoft fixed the vulnerability in the July 20-21 cumulative updates for Exchange.

Note

  • ProxyToken is different from ProxyShell, so make sure you’re checking on the mitigations for the correct vulnerability. We can no longer afford to treat Exchange and MS Server patches as items that need careful regression testing; these are now addressing actively exploited vulnerabilities and need to be applied judiciously with minimal evaluation. Take a look at your email/productivity solution and assess the viability of a cloud alternative to lessen the burden of the current vulnerability/mitigation/update cycles. Where you have migrated, make sure that you decommission old services once new functionality is verified. Set limits to that verification window to minimize risks.
  • Given that every halfway competent threat actor has been scanning for Exchange vulnerabilities this year, this vulnerability, while easily exploited, does not substantially alter the threat landscape. One possible issue may be that this vulnerability is used for more subtle but high impact configuration changes that are easily missed. For example, an attacker could configure forwarding email addresses.

Boston Public Library System Outage Blamed on Cyberattack

On Wednesday, August 25, the Boston Public Library (BPL) experienced a cyberattack that resulted in a broad system outage. A message on the BPL website reads, “The library is currently experiencing a significant system outage and online library services that require login are unavailable.” BPL is the third-largest public library system in the US.

Note

  • Make sure to test your communication plan for an outage like this ahead of time. Also make sure that there are routes to your public affairs staff to respond to media and other enquiries that will function during an interruption. Train users and set expectations for response during an outage.

Vulnerabilities in Delta Electronics DIAEnergie Management System

According to a security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), eight vulnerabilities in Delta Electronics DIAEnergie management system could be exploited “to retrieve passwords in cleartext [due to a weak hashing algorithm], remotely execute code, cause a user to carry out an action unintentionally, or log in and use the device with administrative privileges.” The vulnerabilities affect DIAEnergie versions 1.7.5 and earlier. Delta was alerted to the issues in April but has not yet released fixes.

Note

  • The patch is targeted for September 15th. Given the plethora of weaknesses, take steps to isolate these devices only allowing communication with authorized devices. Monitor traffic for inappropriate connection attempts and don’t allow these to be directly reachable from the Internet; at a minimum, require a secure supported VPN for external access.
