Nobelium is Targeting Global IT Supply Chain Again
In a blog post, Microsoft says that they have observed new activity from the Nobelium cyberthreat actor. Nobelium has been linked to Russian foreign intelligence and was responsible for the SolarWinds attacks. The most recent activity is targeting “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.” Microsoft has released advice for mitigation and remediation.
- The key point here is that managed service providers are often granted admin privileges on customer systems and these “… delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators.” When signing on for cloud services, all such delegated admin privileges should be minimized and processes need to be established to ensure that they are removed whenever that service provider is terminated.
- Monitor all accounts with administrative privileges, whether used for insourced or outsourced support. Make sure that your account disablement procedures include provisions for changes of staff at an MSP and that they are not all using the same account, just as you would with your staff. If you terminate an external support contract, make sure all associated accounts and access are also disabled or deleted promptly.
- Another way to look at this is the SolarWinds attack was so successful, and the cost was so minimal, that Russian Intelligence has simply accelerated their efforts to continue to infiltrate and/or harvest as much as they can targeting 3rd party infrastructure. Makes you wonder just how many of their attacks have been successful and we have yet to discover them.
- Caveat Emptor cannot address the supply chain as a means of distributing malicious code. Neither can we simply accept the risk. We must hold suppliers accountable, if not for the quality of their own code, at least when they recklessly distribute the code of others. Am I the only one that thinks that our tools and processes for managing the quality and content of software are inadequate?
Read more in
- New activity from Russian actor Nobelium
- NOBELIUM targeting delegated administrative privileges to facilitate broader attacks
- SolarWinds attacker on the move: Russia’s Nobelium crew has trebled attacks targeting MSPs, cloud resellers, says Microsoft
- Nobelium compromises at least 14 resellers and IT service providers, Microsoft warns
- SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns
Billing Software Flaw Exploited to Spread Ransomware
A critical vulnerability in BQE Software’s BillQuick Web Suite time and billing system is being exploited to deploy ransomware. The flaw can be exploited through SQL injection to remotely execute code. The vulnerability was detected by researchers from Huntress; they found nine vulnerabilities in all. BillQuick says an interim fix for some of the flaws will be available soon.
- The blog post by Huntress suggests that there are multiple exploits that are not yet patched. Get ready to patch this software again shortly. If possible: add additional access restrictions.
- Sqlmap was able to execute xp_cmdshell as well as bypass authentication to the BillQuick application. Note that the Huntress researchers worked to create a separate copy of the application rather than testing the live system as part of finding the root cause for malicious activity noted in production.
Read more in
- Threat Advisory: Hackers Are Exploiting a Vulnerability in Popular Billing Software to Deploy Ransomware
- Hackers used billing software zero-day to deploy ransomware
- BQE billing software vulnerability leads to ransomware attack
- BillQuick says patch coming after Huntress report identifies vulnerabilities used in ransomware attack
- BillQuick Billing App Rigged to Inflict Ransomware
Emsisoft Has Been Quietly Helping BlackMatter Victims Decrypt Data
Emsisoft found a flaw in the BlackMatter ransomware encryption algorithm that allowed the cybersecurity company to develop a decryptor. Emsisoft has been working with law enforcement to help organizations affected by BlackMatter regain access to their data without paying a ransom. The BlackMatter group learned about the decryptor a month ago and fixed the flaw.
- There is inherent risk in using a decryptor from the attackers. Check to see if a decryption key and tool are published for your particular ransomware before seeking the key from the ransomware gang. If you have the decryption key, look to companies such as Emsisoft for a decryptor which can use that key before using the attacker provided tool.
Read more in
- BlackMatter ransomware victims quietly helped using secret decryptor
- BlackMatter botched ‘tens of millions’ in ransoms after coding bug caught by Emsisoft
NPM Library Hijacked
Three versions of the ua-parser-js NPM library were found to contain malicious code. The supply chain attack affected three versions of the library: 0.7.29, 0.8.0, and 1.0.0. The NPM library is downloaded millions of times a week, and is used in thousands of projects. The library’s developer said, “I believe someone was hijacking my npm account and published some compromised packages.” The problem has been addressed in versions 0.7.30, 0.8.1, and 1.0.1.
- npm is the dumpster fire that keeps on giving. You MUST scan any libraries that you are including in your projects, or stop using node.js/npm if you can’t perform these scans.
- Make sure you’re incorporating the updated library in your build process. If you’re publishing code for others to use, make sure that you’ve followed the security practices for your source code repository, such as using two-factor authentication, making sure accounts are not shared, managing access to data by giving contributors only the specific rights needed, and revoking access from users no longer working with you.
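One way to act on the comments above is to check the dependency lockfile in your build for the three compromised releases the story names. The following is an added example, not code from the ua-parser-js project or from the advisories; the compromised and fixed version numbers come from the story, while the two lockfiles are constructed samples. It handles both the nested `dependencies` tree of older npm lockfiles and the flat `packages` map of newer ones, so a compromised copy pulled in transitively by another package is reported along with where it sits.

```python
"""Scan an npm package-lock.json for the compromised ua-parser-js releases."""
import json

# Versions named in the story: compromised releases and the releases that replaced them.
COMPROMISED = {"ua-parser-js": {"0.7.29", "0.8.0", "1.0.0"}}
FIXED = {"ua-parser-js": {"0.7.30", "0.8.1", "1.0.1"}}


def _walk(deps, path=()):
    """Yield (name, version, path) for every entry in a lockfileVersion 1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        here = path + (name,)
        yield name, meta.get("version"), here
        yield from _walk(meta.get("dependencies"), here)


def iter_lock_entries(lock):
    """Yield (name, version, path) for every package in either lockfile layout."""
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2/3: flat map keyed by node_modules path
        for key, meta in packages.items():
            if not key:
                continue  # the "" entry describes the root project itself
            name = key.split("node_modules/")[-1]
            yield name, meta.get("version"), (key,)
    else:  # lockfileVersion 1: nested tree
        yield from _walk(lock.get("dependencies"))


def scan_lockfile(text):
    """Return one finding per installed copy of a known-compromised version."""
    findings = []
    for name, version, path in iter_lock_entries(json.loads(text)):
        if version in COMPROMISED.get(name, ()):
            findings.append({"name": name, "version": version, "path": "/".join(path)})
    return findings


def is_fixed(name, version):
    """True when the version is one of the replacement releases named in the story."""
    return version in FIXED.get(name, ())


# Constructed sample lockfiles (not taken from any real project).
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {
        "ua-parser-js": {"version": "1.0.1"},
        "some-widget": {"version": "2.3.0",
                        "dependencies": {"ua-parser-js": {"version": "0.7.29"}}},
    },
})
SAMPLE_LOCK_V2 = json.dumps({
    "name": "example-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/ua-parser-js": {"version": "0.8.0"},
        "node_modules/some-widget": {"version": "2.3.0"},
        "node_modules/some-widget/node_modules/ua-parser-js": {"version": "0.8.1"},
    },
})

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V1, SAMPLE_LOCK_V2):
        for f in scan_lockfile(sample):
            print(f"COMPROMISED {f['name']}@{f['version']} at {f['path']}")
```

Run it against the real `package-lock.json` by passing the file contents to `scan_lockfile`; a non-empty result should fail the build. The top-level pin being a fixed release is not enough on its own, which is why the v1 sample plants the bad version one level down.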
Read more in
- Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) – Questions about deprecated npm package ua-parser-js #536
- Malware Discovered in Popular NPM Package, ua-parser-js
- Popular NPM library hijacked to install password-stealers, miners
- Popular NPM Package Hijacked to Publish Crypto-mining Malware
Recent cybersecurity incidents affecting organizations in the healthcare sector include a ransomware attack against Central Indiana Orthopedics, a phishing incident affecting Professional Dental Alliance providers, a data exfiltration incident affecting the American Osteopathic Association, and a ransomware attack against PracticeMax.
- There is no such thing as being too small to be a target. There is such a thing as not having enough resources to assess your security or implement a good cyber security program. This you can outsource, and likely spend less than you would recovering from a breach. If you’re looking for a starting place, you can reach out for references to your local cyber security organizations or chapters (ISSA, CSA, ISACA, ISC2, etc.).
- Healthcare is very slow to roll out security changes. In the past, those organizations have been hiding behind the thought, “What are attackers going to do with our data? They can’t monetize it!” PHI wasn’t as directly monetizable. Of course, ransomware has significantly changed the game and healthcare orgs are significantly behind and aren’t nimble enough to take big steps forward. I predict more and more of this happening in healthcare in the next few years.
Read more in
CISA Advisory on B. Braun Infusion Pump Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging users to apply updates to address multiple vulnerabilities affecting certain B. Braun infusion pumps and battery packs. The flaws could be exploited to gain remote access to the devices.
- Beyond applying the update, make sure these types of devices are isolated. If you’re using Wi-Fi, it should be a separate network, with limited access, much as you would use segmentation on a wired network for control systems. Don’t expose these to the Internet and if remote access is required, use a VPN and an authorized secure bastion host.
- I’m so glad folks are giving this kind of device attention. I wish those with the skills to find these flaws good hunting. And for manufacturers, please hire quality pentesters and consider shipping devices (or at least firmware) to bug bounty hunters. This is a prime case of, “Find the bugs before the bad guys do.”
Read more in
- ICS Medical Advisory (ICSMA-21-294-01) B. Braun Infusomat Space Large Volume Pump
- CISA, B.Braun urge patch of critical SpaceCom infusion pump vulnerabilities
HHS Bulletin Lists Cybersecurity Issues Relevant to Healthcare Sector
The US Department of Health and Human Services Monthly Cybersecurity Vulnerability Bulletin for October 2021 lists the BrakTooth vulnerabilities, Conti ransomware, and the Medusa TangleBot as top security concerns for the healthcare sector. The bulletin also lists relevant vulnerabilities in products from Microsoft, Adobe, Apple, Cisco, WordPress and other companies.
- A recurring theme is to secure your remote access components and keep products updated/patched. Go through the list to make sure you didn’t miss any tricks. Also make sure that you’re not only getting security bulletins for all your installed products but also that they are acted upon, which may mean you need to change the distribution.
Read more in
- News of Interest to the Health Sector (PDF)
- Top Healthcare Cyber Threats, Vulnerabilities to Watch For
Fix Available for Critical Vulnerability in Discourse
A critical remote code execution vulnerability in the Discourse open source discussion platform affects versions 2.7.8 and earlier. The flaw has a CVSS severity score of 10. A fix was released on Friday, October 22.
- The blog post describing the vulnerability includes sufficient details to write an exploit. I would not be surprised to see vulnerable sites already being targeted while you read this. Please expedite this update if you run Discourse.
- If you cannot apply the update, you can add a rule to block requests with a path starting ‘/webhooks/aws’ in your WAF or other security module.
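The blocking rule in the comment above is a path prefix match, and the detail a practitioner has to get right is that the match must be applied to the path as the application will see it, not to the raw bytes on the wire. The following is an added example, not code from Discourse or from any WAF product: it normalizes a request target (strips the query string, percent-decodes twice to catch double encoding, collapses repeated slashes and dot segments, and lowercases) before checking for the ‘/webhooks/aws’ prefix from the comment. The lowercasing and the rest of the normalization can only cause the rule to block more than a strict match would, which is the safe direction for a temporary mitigation on an endpoint you are not using.

```python
"""Path-prefix block rule of the kind suggested for unpatched Discourse, applied to a
normalized path so that encoding tricks do not slip past it."""
import posixpath
import re
from urllib.parse import unquote

# Prefix from the comment above; add others here if you need them.
BLOCKED_PREFIXES = ("/webhooks/aws",)


def normalize_path(raw_target):
    """Reduce a request target to the canonical path the application would route on."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    for _ in range(2):                                    # undo single and double encoding
        path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)                       # "//webhooks" -> "/webhooks"
    path = posixpath.normpath(path)                       # resolves "." and ".." segments
    return path.lower()


def should_block(raw_target):
    """True when the normalized path starts with a blocked prefix."""
    path = normalize_path(raw_target)
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def evaluate(targets):
    """Map each request target to the action the rule would take (constructed sample use)."""
    return {t: ("403" if should_block(t) else "pass") for t in targets}


if __name__ == "__main__":
    # Constructed request targets, not from any real traffic capture.
    for target, action in evaluate([
        "/webhooks/aws", "/webhooks/aws/sns?x=1", "/Webhooks/AWS",
        "/webhooks/%61ws", "/webhooks/../webhooks/aws", "//webhooks/aws",
        "/t/webhooks/aws", "/webhooks", "/latest",
    ]).items():
        print(f"{action:4} {target}")
```

If your WAF only offers a literal prefix match on the raw path, enable its URL-decoding and path-normalization transforms in front of the rule to get the same effect; otherwise a request such as `/webhooks/%61ws` reaches the application looking exactly like the path you meant to block.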
Read more in
- RCE via malicious SNS subscription payload
- CVE-2021-41163 Detail
- CISA urges admins to patch critical Discourse code execution bug
- CISA Urges Sites to Patch Critical RCE in Discourse
South Korea’s KT Telecommunications Company Outage Blamed on Routing Error
South Korean telecommunications company KT Corporation suffered an outage on Monday, October 25. The company initially said the issue was caused by a distributed denial-of-service (DDoS) attack, but later clarified that the problem was due to a border gateway protocol (BGP) configuration error. The incident affected all of KT’s 16.5 million customers, and lasted less than an hour.
- Bad BGP updates cause the network to fail rapidly and are slow to back-out and recover from. When needing access to the console port on your routers (remember that teal cable that came in the box you tossed in the back of the drawer?) – know what you would have to do to back out an erroneous update, verify that you have the access to your network gear when the routing is impacted, document the process.
Read more in
- South Korean telco KT suffers nationwide outage after routing error
- Large DDoS attack shuts down KT’s nationwide network
Guilty Plea in 2019 Kansas Water Utility System Breach
Wyatt Travnichek has pleaded guilty to damaging a computer during unauthorized access and tampering with a public water system. Travnichek was employed by Post Rock Rural Water District in Ellsworth County, Kansas between January 2018 and January 2019. His responsibilities included remotely monitoring the facility. In March 2019, Travnichek used the remote login capability to shut down the facility and shut off one of its filters.
- The system tampering happened two months after he resigned, and he used the company remote access system to do it. Disabling accounts when staff leave is critical. If you don’t remove disabled accounts, monitoring for their re-activation is also critical to detect malfeasance. Consider deactivating accounts which are not used frequently, particularly those used for remote access. When looking at this make sure that low frequency, but known/regular, events/use cases are factored in.
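The comment above and the Nobelium comments earlier in this issue make the same two points: access granted to a person or a service provider must end when the relationship ends, and accounts that stay on the books need watching for use after that point, without flagging legitimate low-frequency use. The following is an added example, not code from any of the stories’ subjects: it runs a small audit over a constructed account inventory and a constructed set of remote-access gateway events, reporting delegated grants that are still active after their end date, logins after a termination date, successful logins on accounts marked disabled (a sign of re-activation), dormant active accounts, and events for accounts not in the inventory. The per-account `expected_interval_days` field is an assumption introduced here to model the known-but-infrequent use the comment asks you to factor in.

```python
"""Audit account grants and authentication events for access that should have ended."""
from datetime import date

# Constructed inventory, not from any real environment. "ended" is the date the
# person left or the provider contract ended; None means still engaged.
ACCOUNTS = [
    {"user": "jdoe", "kind": "employee", "status": "active",
     "last_login": "2021-10-25", "ended": None},
    {"user": "rlee", "kind": "employee", "status": "active",
     "last_login": "2021-07-01", "ended": None},
    {"user": "msp-admin", "kind": "msp-delegated", "status": "active",
     "last_login": "2021-10-24", "ended": "2021-07-31"},   # contract over, grant never removed
    {"user": "ops-remote", "kind": "employee", "status": "disabled",
     "last_login": "2021-03-15", "ended": "2021-01-15"},   # resigned, account disabled
    {"user": "svc-quarter-close", "kind": "service", "status": "active",
     "last_login": "2021-08-02", "ended": None,
     "expected_interval_days": 95},                        # legitimately used once a quarter
]

# Constructed remote-access gateway events: (user, date, outcome).
EVENTS = [
    ("jdoe", "2021-10-25", "success"),
    ("ops-remote", "2021-03-15", "success"),   # two months after resignation
    ("msp-admin", "2021-10-24", "success"),    # months after the contract ended
    ("unknown-user", "2021-10-26", "failure"),
]


def _d(s):
    return date.fromisoformat(s)


def audit(accounts, events, as_of, dormant_days=60):
    """Return sorted (user, finding) pairs for access that should no longer exist or be used."""
    findings = set()
    by_user = {a["user"]: a for a in accounts}
    for a in accounts:
        if a["status"] == "active" and a["ended"]:
            findings.add((a["user"], "grant-still-active-after-end"))
        # Use the account's own expected cadence when it has one, else the default window.
        window = a.get("expected_interval_days", dormant_days)
        if a["status"] == "active" and (as_of - _d(a["last_login"])).days > window:
            findings.add((a["user"], "dormant"))
    for user, when, outcome in events:
        a = by_user.get(user)
        if a is None:
            findings.add((user, "event-for-unknown-account"))
            continue
        if a["ended"] and _d(when) > _d(a["ended"]):
            findings.add((user, "use-after-termination"))
        if a["status"] == "disabled" and outcome == "success":
            findings.add((user, "successful-login-on-disabled-account"))
    return sorted(findings)


def run_sample():
    """Run the audit over the constructed data as of 2021-10-28."""
    return audit(ACCOUNTS, EVENTS, date(2021, 10, 28))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{finding:40} {user}")
```

A successful login on an account the inventory says is disabled is the finding to treat as an incident rather than hygiene: either the inventory is wrong or someone re-enabled the account. The quarterly service account is deliberately not reported, because its own cadence, not the global 60-day window, decides whether it is dormant.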
Read more in
Commerce Export Rule for Spyware and Hacking Tools
The US Commerce Department’s Bureau of Industry and Security (BIS) has published an interim rule that regulates the “export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.” The rule bars companies from selling spyware and other technologies to China, Russia, and several other countries without first obtaining a license from BIS. In determining whether or not to grant a license, BIS will look closely at the intended end-user of the technology. The rule takes effect in 90 days.
- This follows the changes made to the Wassenaar Arrangement (WA) in 2013 when they added cybersecurity items to the WA list, which resulted in comments and refinement of that language in the WA 2017 amendment. This rule attempts to implement that language. There is a 45-day comment period, which started October 20, 2021. A concern remains that tools can be used for malicious or sanctioned activities; and once licensed for an approved use, a malicious insider can use them for malfeasance. Further, researchers and our cyber security teams need the tools the adversaries have to understand attacks, verify security and prepare response measures.
- As CTO of a company that sells a platform that will most likely fall in scope, I welcome this regulation. Current requirements are limited to export control checks. I do not want our attack platform (or any other platform for that matter) in the wrong hands. Current due-diligence background checks are based on ethics that other companies may not have.
- Many otherwise useful tools “can be used for malicious cyber activities.”
Read more in
- Information Security Controls: Cybersecurity Items | Interim final rule, with request for comments. (PDF)
- Commerce Tightens Export Controls on Items Used in Surveillance of Private Citizens and other Malicious Cyber Activities
- Commerce Department announces new rule aimed at stemming sale of hacking tools to Russia and China
- US rolls out new rules governing export of hacking, cyberdefense tools
- Uncle Sam to clip wings of Pegasus-like spyware – sorry, ‘intrusion software’ – with proposed export controls
- US govt to ban export of hacking tools to authoritarian regimes
Microsoft Releases Cybersecurity Tools for Nonprofits
Microsoft has launched its Security Program for Nonprofits. The company’s 2021 Digital Defense Report found that nongovernmental organizations (NGOs) and think tanks were the second-most targeted sector in cyberattacks; the most targeted sector was government. The program includes free access to AccountGuard, which alerts organizations when their Office365 accounts are being targeted by nation-state actors; free security assessments; and free training resources for administrators and end-users. Microsoft plans to make the tools available to 10,000 organizations within the first year, and 50,000 over the next three years.
- We have seen several times in the past where NGOs and similar organizations were used as “proving grounds” for new techniques connected to state actors. NGOs have an even harder time defending against these attacks due to their lack of resources, but are also often more willing to share, providing the defensive community with valuable insight. Google has had similar programs as well protecting at-risk organizations.
- This is a further expansion of the AccountGuard program, which was launched in 2018 for political customers, including campaigns, which then expanded into Healthcare, Human Rights Organizations and Journalists. Read the guidelines for eligibility (www.microsoft.com: Nonprofit eligibility) and if eligible, leverage this service, including the free assessments, to assure you’re maintaining a solid security posture.
- I’m very excited about this initiative and applaud Microsoft for it. In many ways this is similar to Google’s efforts to provide extra notifications and security options for highly targeted individuals. My one concern is that when you visit Microsoft’s landing page for this new program, it’s overwhelming with a huge number of resources. While to most security professionals this looks great, when you look at it from the lens of an NGO, it’s complicated and confusing. The problem for most NGOs is they are overwhelmed and horribly understaffed; they don’t know where to start with security. Hoping MS can make security simple for NGOs.
Read more in
- Strengthening cyber defenses for nonprofits
- Microsoft announces security programs for nonprofits as nation-state attacks increase
- Microsoft Launches Security Program for Nonprofits
DoJ Wants Private Sector to Work More Closely with Law Enforcement on Cybersecurity
Deputy Attorney General Lisa Monaco wants to know what gets in the way of private sector companies coordinating with law enforcement on cybersecurity. Monaco was speaking at a Department of Justice (DoJ) Criminal Division roundtable on Wednesday, October 20. She noted that companies experiencing cyberattacks “can help avoid liability through working with law enforcement.” Monaco also noted that law enforcement could help recover ransomware payments and discover decryption keys.
- The time to properly investigate and act may exceed your risk tolerance. Even so, develop a relationship with your local law enforcement and FBI offices and discuss the mechanisms and merits of providing the information and evidence they need to take action to help others before they are in the same situation.
- A key issue for many private firms cooperating with law enforcement is the lack of feedback or visibility of how their cases are progressing. While this lack of sharing back by law enforcement is understandable due to operational and investigative issues, it can be frustrating for private firms to see little or no return for the time and effort they often expend in assisting law enforcement. Law enforcement needs to better understand this and examine ways that firms can see the benefits provided by their cooperation, even if it is just at a high level.
- Business is anxious to remediate attacks while law enforcement wants to preserve evidence. These motives are often at odds.
Read more in
- DoJ wants to know: What are the impediments to working with law enforcement?
- Justice Official Dangles Liability Protections to Encourage Private-Sector Breach Reports
CISA Favors 24-Hour Cyber Incident Reporting Time Frame
US Cybersecurity and Infrastructure Security Agency (CISA) executive director Brandon Wales said his agency supports a 24-hour cyber incident reporting time frame for critical infrastructure operators. Speaking at a Bloomberg event earlier this week, Wales said, “We think 24 hours is the right amount of time, that brings it in early enough for us to use the information, but does give the company some time to determine whether this is a real incident or not.” A Senate bill currently in committee also proposes a 24-hour time frame; other proposed legislation would impose a 72-hour notification time frame.
- Some early interpretation of GDPR rules led to a flood of reports as companies over-reported to avoid fines. Reporting an incident within 24 hours after discovery is possible, but do not expect to have all the details and be ready for some errors that happen during the initial phases of the analysis.
- Any notification window needs to start after the incident is verified. Are you prepared to notify an external entity of an incident whether you have 24 or 72 hours to do so? Make sure you understand who needs to be involved in reporting, what constraints and concerns are present. This reporting would likely be an extension of the CISA’s Joint Cyber Defense Collaborative which you should be leveraging to extend and augment your planning, communications, joint cyber defense plans, etc.
- Until we can measure time-to-detection in hours to days, rather than weeks to months, this kind of legislation will have little impact.
Read more in
- CISA Leader Backs 24-Hour Timeline for Incident Reporting
- CISA seeks 24-hour timeline for cyber incident reporting
International Effort Disrupts REvil Ransomware Group
In a cooperative effort, law enforcement agencies and cybersecurity experts from multiple countries took steps to disrupt the REvil ransomware group. This is the second time that the REvil group has gone dark. Confirmed details are scarce.
- Multi-sector and country law enforcement collaboration is key to taking down these activities. As tempting as it is to take action when personally attacked, don’t. Leverage your relationship with law enforcement to let them take the action.
- This is good news and kudos to all those involved. With any luck any intelligence gathered as part of this operation will eventually lead to the arrest of those behind the REvil attacks. A note of caution on these types of operations is that hopefully they are being conducted with the appropriate court oversight and transparency.
- I welcome action being taken to disrupt any ransomware group. This will impact other groups and is a step in the right direction.
Read more in
- EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline
- Multiple governments involved in coordinated takedown of REvil ransomware group: Reuters
US Legislators Question Cybersecurity Emergency Measures for Railways and Aviation
Some US legislators are questioning whether the Transportation Security Administration’s (TSA’s) new cybersecurity rules for the railway and aviation industries are “appropriate absent an immediate threat.” The legislators are concerned that the prescriptive measures do not account for industry-specific issues.
Read more in
- Republican Senate leaders slam new TSA cybersecurity regulations for rail, aviation industry
- Senate Republicans raise concerns about TSA cyber directives for rail, aviation
- Hill Republicans to Biden: Pump brakes on emergency rail, aviation cybersecurity regs
MITRE Releases New Version of ATT&CK Framework
MITRE has released ATT&CK v10. The newest version of the framework includes “a new set of Data Source and Data Component objects in Enterprise ATT&CK, complimenting the ATT&CK Data Source name changes released in ATT&CK v9.”
- ATT&CK is the industry standard and common language that allows our security teams to collaborate and work together. Apart from data sources, (sub)techniques, groups, and software have been updated based on contributions from the community. Other updates to look at are MacOS, Linux, ICS, mobile, and cloud. If you are not leveraging ATT&CK yet, now is a great time to start.
Read more in
- Updates – October 2021
- Introducing ATT&CK v10: More Objects, Parity, and Features
- Mitre releases latest version of its ATT&CK framework
Chrome No Longer Supports File Transfer Protocol
The most recent stable build of Google’s Chrome browser no longer supports File Transfer Protocol (FTP). Earlier builds had disabled FTP but still allowed users to choose to turn it back on; in Chrome 95, FTP support has been stripped from the codebase.
- Chrome just released a security update (See the CISA Alert: us-cert.cisa.gov: Google Releases Security Updates for Chrome), which means you need to deploy Chrome 95 now. FTP support was removed from Firefox back in July. This is no longer a feature you can turn back on. While you can deploy other FTP clients, a better solution is to move to secure file transfer/sharing options.
Read more in
- Feature: Remove FTP support (removed)
- Chrome Platform Status | Roadmap
- Not just deprecated, but deleted: Google finally strips File Transfer Protocol code from Chrome browser
AWS Fixes SQL Injection Vulnerability
A bug in MySQL left AWS Web Application Firewall customers vulnerable to SQL injection attacks. AWS fixed the flaw on October 1. The scientific notation bug dates back to 2013. The issue also affects MariaDB.
- Consider using ModSecurity with your Apache and nginx web services to augment SQL injection attack defenses. Applications must sanitize ALL inputs.
Read more in
- A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection
- Historic scientific notation bug foils WAF defenses
- AWS patches bug that left its WAF customers exposed to SQL injection
A remote code execution flaw exists in WinRAR version 5.70. This version of the free file archiver utility is two years old. The vulnerability was fixed in July 2021; users are advised to ensure that they are running WinRAR version 6.02 or later.
- Exploitation of this vulnerability is difficult. It only affects expired trial versions of the software. An attacker would have to intercept and manipulate the HTML content retrieved by the application’s license reminder. This reminder is only displayed if the trial license expired, and only every third time the software is used.
- This is a two-year-old version of WinRAR running in free-trial mode. CVE-2021-35052 is fixed in 6.02. Make sure that installed versions are 6.02 or later. The free trial is only good for 40 days; either uninstall older copies or license them. The license is perpetual and cross-platform.
- One hopes that enterprise users of this product will see this warning. Many private users will not.
Read more in
- Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer
- We regret to inform you there’s an RCE vuln in old version of WinRAR. Yes, the file decompression utility
Candy Corn Maker Hit with Ransomware
Ferrara Candy, the company that makes numerous confections, including Brach’s candy corn, was the target of a ransomware attack earlier this month. While the attack disrupted production, Ferrara says that they filled most of their Halloween orders in August. Ferrara has resumed production at some facilities.
- As a parent and grandparent who loves Halloween, my first reaction is this is hitting below the belt. Ferrara Candy makes 85% of the candy corn in the US during the Halloween season. Take this as a reminder that nobody is “safe” from attack, review your readiness, check to be sure that changes made recently were done securely. If appropriate, verify that your OT is separated from IT systems, allowing communication only to authorized systems via controlled interfaces.
- I can do without candy corn. But please ransomware actors: Leave the full size chocolate bars alone. All joking aside: No industry is safe when it comes to ransomware.
Read more in
Seven Year Sentence for Medical Center Data Theft
A federal judge in Pennsylvania has sentenced Justin Sean Johnson to seven years in prison for breaking into University of Pittsburgh Medical Center databases and stealing personal information. Johnson was found guilty of conspiracy to defraud the US and aggravated identity theft. Johnson sold the data to others who used it to file fraudulent income tax returns and to commit other forms of identity fraud. Three co-conspirators pleaded guilty to various charges in 2017.
Read more in
- Hacker in UPMC Data Theft, Fraud Case Gets Maximum Sentences
- Judge Sentences Michigan Man to 7 Years in Prison for Hacking UPMC HR Databases and Stealing Employees’ Personal Information
Treasury Reports on Virtual Currency and Ransomware
According to a Financial Trends Analysis report from the US Treasury’s Financial Crimes Enforcement Network, 10 ransomware variants have accounted for more than $5 billion in bitcoin transactions. A report from the Treasury’s Office of Foreign Assets Control spells out sanctions compliance guidelines for the virtual currency industry.
- If your organization is considering accepting “cryptocurrency,” make sure business, finance and legal managers are aware of the OFAC sanctions compliance guidance. The risk is not just the actual ransom payments obtained; using involved exchanges may put transactions using these alternative currencies at risk, as well.
- If you’re using cryptocurrency, check the OFAC status of your exchange. Remember, sanctioned does not mean approved in this context. The use restrictions apply to U.S. persons, meaning citizens and “green card” holders, irrespective of their location. Violations of sanctions carry both civil and criminal penalties ranging up to $1 million and/or 20 years in prison for each violation. Additionally, there is an option for civil penalties which can hold you liable even if you did not know you were engaging in a prohibited transaction. Your financial institution is well versed in OFAC and can help you with references and understanding of the issues and risks as they see them.
Read more in
- Treasury Dept. to Crypto Companies: Comply with Sanctions
- $5.2 billion in BTC transactions tied to top 10 ransomware variants: US Treasury
- Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021 (PDF)
- Sanctions Compliance Guidance for the Virtual Currency Industry (PDF)
Microsoft Advises Updating PowerShell
Microsoft is advising system administrators to update PowerShell 7 to versions 7.0.8 or 7.1.5 to address two vulnerabilities. One of the flaws is a Windows Defender Application Control (WDAC) bypass flaw; the other is an information disclosure flaw in .NET Core.
- Currently, PowerShell is not updated with Windows Update. So please update this if you are using an affected version of PowerShell. Updates via Microsoft Update may be available in the future.
- Microsoft hasn’t yet incorporated PowerShell 7.0 or 7.1 updates into the Microsoft Update service, so you’re going to have to push these updates to affected systems. PowerShell 7.2-preview.10 has support for Microsoft Update. Note PowerShell 7.1 installs in a new directory and runs side-by-side with PowerShell 5.1. Installing PowerShell 7.1 replaces PowerShell 7.0.
Read more in
- Microsoft Security Advisory CVE-2021-41355 | .NET Core Information Disclosure Vulnerability
- Microsoft asks admins to patch PowerShell to fix WDAC bypass
Dutch Authorities Caution DDoS-for-Hire Service Customers
Authorities in the Netherlands have warned customers of distributed denial-of-service (DDoS) for hire services that they will face criminal prosecution if they use the services again. Police sent the warning letters to 29 people who had previously purchased DDoS services from a particular site.
- Hmm, one use of DDoS for service attack capabilities is OK in the Netherlands? I’m pretty sure bank robbers and arsonists don’t get a second strike, but some law enforcement action is better than no action.
- DDoS attacks are not just being used by attackers; gamers are also figuring out how to use them to knock rivals out of action. As such, the Dutch Authorities appear to be tempering their guidance to not place undue sanctions or otherwise treat the wrong individuals as criminals. While this does move the bar some, it can create confusion, and a more consistent message of “this is illegal and has consequences” whether service provider or consumer, may be more effective.
Read more in
CISA, NSA, and FBI Issue BlackMatter Ransomware Advisory
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) have released a joint advisory regarding BlackMatter ransomware, which was recently used in attacks against two agricultural companies: NEW Cooperative and Crystal Valley. BlackMatter operates as ransomware-as-a-service. The alert provides a technical overview of BlackMatter and offers detection signatures and mitigations.
- BlackMatter leverages LDAP and SMB to access AD and discover all hosts (and shared drives) on the network, encrypting them as it goes. They are also encrypting Linux-based machines, using a separate binary, and routinely encrypt ESXi virtual machines. And in case you’re wondering, they don’t encrypt backups, they wipe or reformat the data stores instead. This leverages captured credentials, so augmenting your password processes to check breached passwords is a really good move. Your privileged accounts (system administrators, Domain Administrators, and particularly your Enterprise Administrator) all need to be MFA. Take a look at time based access limits on accounts, some ransomware is now trying to act off-hours and this can help.
- According to the Verizon Data Breach Incident Report (DBIR) the time to detect breaches continues to be measured in weeks to months. Detection is more often passive, as in ransomware, than active. To be useful in resisting ransomware attacks, detection must be active and in hours to days. Set an objective for time to detection and implement a strategy to achieve it.
Read more in
- Alert (AA21-291A) BlackMatter Ransomware
- CISA, FBI, and NSA issue advisory on BlackMatter ransomware
- NSA, FBI, CISA Issue Advisory on ‘BlackMatter’ Ransomware
Israeli Hospital Suffers Ransomware Attack
An Israeli hospital cancelled non-emergency procedures following a ransomware attack last week. Healthcare providers at Hillel Yaffe Medical Center in Hadera are reportedly using pen and paper in the wake of the attack. Israel’s National Cyber Directorate has made indicators of compromise available to other organizations. Israel’s health Ministry has reportedly advised hospitals to print patient files to ensure continuity of care in the event of additional attacks.
- Rolling back to manual methods, such as pen and paper, allows the business to operate at least at a limited capacity while incident response completes. If you’re in this position, be sure to allocate extra resources to update the restored electronic systems, and don’t wait for full restoration to verify handwritten records are legible. Also plan to validate that downstream actions are checked to avoid data integrity or other long-term issues.
Read more in
- Ransomware cyber attack on Hillel Yaffe computer systems
- Ransomware Attack on Israeli Medical Center Raises Alarm
- Israeli hospital cancels non-urgent procedures following ransomware attack
Sinclair Broadcast Group Suffers Ransomware Attack
Sinclair Broadcast Group, a Maryland-based media provider, suffered a ransomware attack over the weekend. Sinclair says that the attack encrypted company servers and workstations, disrupting networks. Sinclair also disclosed that the attackers stole data.
- Beyond making sure that you block entry points to your network, verify that you can tell when you’ve got malicious parties on your network. Can you detect malicious events in your network? Can you trigger on unexpected privilege escalation or modification? Are you reviewing account privileges regularly to ensure that only needed privileges are assigned? Do you know what to do when an incident is discovered?
- In their release, Sinclair used language that is often used when ransomware victims have to do a public statement: “As the Company conducts its investigation, it will look for opportunities to enhance its existing security measures.” Convince your management it will actually cost the company less if the release was able to say “Because the Company had improved our security measures before this attack, there was no financial impact to the Company or violation of our customers’ privacy.”
Read more in
- Sinclair Broadcast ‘Disrupted’ by Ransomware Attack
- Sinclair Broadcast Group suffers ransomware attack, the latest affecting media
- Sinclair Broadcast Group hit by ransomware attack
- Sinclair Broadcast ransomware attack demonstrates how ‘business is suffering’
- Sinclair Broadcast Group Provides Information On Cybersecurity Incident
Acer Discloses Second Cyberattack in Less Than a Week
Acer has suffered a second cyberattack in less than a week. The Taiwan-based computer maker confirmed that company servers in Taiwan were hit days after its after-sales service system in India was breached.
- Assume you are already compromised and actively look for signs of attack. When you find a deficiency in one area, look to make sure it doesn’t need to be addressed in other areas as well. Make sure you get to root causes (remember “ask why 5 times”) to help you and your IT staff better provision secure configurations in the future and prevent recurrence.
Read more in
- Acer confirms new attack on servers
- Acer hit with second cyberattack in less than a week, Taiwanese authorities notified
Missouri Governor Threatens Legal Action Against Journalist for Story About Security Flaw
Missouri’s governor has threatened to prosecute a journalist and the St. Louis Post-Dispatch newspaper after they ran a story about a vulnerability in a state education website. The paper disclosed the vulnerability to the Missouri state Department of Elementary and Secondary Education (DESE), which addressed the issue before the story was published.
- Use caution when responding to disclosed weaknesses; understand the activities needed to expose them and the situation under which they were performed before declaring they are illegal. In this case the SSNs were revealed by going to the web page and clicking “view source,” which was then disclosed appropriately to DESE where it was addressed. Make sure that you’re regularly doing security testing and evaluation of your applications to minimize issues discovered and reported externally. Treat disclosed vulnerabilities as well-intended, not malicious, actions, and take action to address and acknowledge them promptly.
- To me as a non-lawyer, the legal issues around security testing a public website are murky enough to stay away from. Sadly, bruised egos can easily get in the way of fixing the actual security problem. Get permission first to avoid a lot of headaches.
Read more in
- Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability
- Row over data leak disclosure by journalist further erodes researcher trust in government
- Missouri governor faces backlash and ridicule for threatening reporter who discovered exposed teacher SSNs
Former Flight School Employee Arrested for Allegedly Altering Aircraft Data
A former flight training school employee broke into the school’s systems and modified aircraft data. In some cases, aircraft that had needed maintenance were cleared to fly. Lauren Lide had been Flight Operations Manager at the Melbourne Flight Training school until she resigned from the company in November 2019. The intrusion and data tampering occurred in January 2020. Lide has been arrested and charged with fraudulent use of a computer and unauthorized access to a computer system or network.
- Another good example of why privileged accounts should be migrated from reusable passwords to multi-factor authentication. The account of the current Flight Operations Manager was used for the unauthorized access – even just using text messaging as the second factor would have prevented this damage.
- This is a case of a (former) disgruntled insider who, despite her credentials being disabled, was able to obtain current credentials with sufficient privileges to retaliate. Use of MFA would have prevented that access. Additionally monitoring for anomalous access patterns could help discover the illicit activity.
- From our perspective the issue is not the sensitivity of the data that was altered so much as that a former employee accessed the company’s systems. When granting privilege, be sure that you know how you will withdraw that privilege when the time comes.
Read more in
Microsoft Patch Tuesday
Microsoft’s October security release includes fixes for more than 70 issues, including a zero-day privilege elevation vulnerability in Win32 Driver that is being actively exploited. The batch fixes three additional previously disclosed vulnerabilities, as well as fixes for vulnerabilities in Windows 11, which was released earlier this month.
- About an average patch Tuesday. The already exploited privilege escalation should be patched quickly, but remember there are always more privilege escalation issues.
- There is a new MS Exchange fix (CVE-2020-26427) with a CVSS score of 9.0; make sure that your remaining on-prem services are patched, and only exposed to the Internet if absolutely necessary. The MysterySnail RAT has been found installed on systems where the Win32 driver bug (CVE-2021-40449) is being exploited. MysterySnail allows for data exfiltration, control of the compromised system and launching further attacks. This also includes another print-nightmare fix. The prior fix resulted in operational impacts, such as requiring administrative credentials for every print job. There are also fixes for Word, Hyper-V, SharePoint and DNS RCE vulnerabilities. The DNS vulnerability (CVE-2021-40469), per Jake Williams, could be leveraged to obtain remote control of a domain controller, where DNS services typically run, likely leading to domain administrator rights.
- This Microsoft Patch Tuesday is a doozy. I am not sure how the IT shops that are supposed to test patches before deployment will have sufficient time to test 70 patches or triage these correctly. Microsoft Exchange is the current gift that keeps on giving, but those not marked as “critical,” such as those Local Privilege Escalations, are probably the ones that attackers will go after in this batch. There may also be some interesting attacks against Windows Containers that indirectly show up in the form of Hyper-V Exploits or AppContainer exploits coupled with those Local Privilege Escalations.
Read more in
- Microsoft October 2021 Patch Tuesday
- Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed
- Microsoft reports three critical vulnerabilities, a fourth ‘high’ vulnerability actively exploited
- Microsoft Patch Tuesday bug harvest festival comes to town
- Patch Tuesday, October 2021 Edition
- Microsoft Fixes Zero-Day Flaw in Win32 Driver
- Security Update Guide
Azure Customer Sustained 2.4 Tbps DDoS in August
Microsoft says that in August, it defended an Azure customer from a UDP reflection distributed denial-of-service (DDoS) attack that at its peak was measured at 2.4 terabits per second (Tbps). The attack traffic came from roughly 70,000 sources in Asia and the US.
- One advantage of migrating to the cloud is the benefit of scale. No business would be able to absorb a DDoS attack of this scale on its own. But for smaller attacks, in particular more application-specific attacks, a cloud application can also become a huge financial burden if the attack is not quickly mitigated.
- The ability for service providers to withstand an increasingly large volume of DDoS attacks is necessary for service delivery and most have solutions. Talk to your service providers to understand their protection model. Azure DDoS protection is enabled by the tenant at the virtual network level and is a separate product; leverage your account representative to understand the offering, pricing, and scaling model.
- It is almost impossible to resist denial-of-service attacks without the cooperation of an upstream provider. Steve Gibson tells that it took him 12 hours to find the right guy and 15 minutes for him to fix the problem. Be sure you know who to call.
Read more in
- Business as usual for Azure customers despite 2.4 Tbps DDoS attack
- Microsoft Azure fends off huge DDoS Attack
- Microsoft Azure customer hit by record DDoS attack in August
- Microsoft says Azure fended off what might just be the world’s biggest-ever DDoS attack
Google Warnings of State Sponsored Hacking
Google says that in 2021, it has sent more than 50,000 warnings of state-sponsored phishing and other attacks targeting its customers. A security engineer from Google’s Threat Analysis group (TAG) notes that “receiv[ing] a warning it does not mean your account has been compromised, it means you have been identified as a target.” Google urges users to enable two-factor authentication, and says that it plans to provide hardware security keys to 10,000 high-risk users.
- Kudos to Google for its continuing efforts to increase the use of multi-factor authentication, but most organizations need to take the same security steps to prevent business damage from all the very active non-state sponsored attackers that are behind the majority of attacks.
- Google is making an important point in saying that receiving a warning does not mean that your account is compromised. Too often, users mistake warnings for an actual compromise.
- Enable two-factor authentication on your Google accounts now, whether using workspaces or their free offering; don’t wait for an alert or worse that you’ve been targeted. If you receive one of the hardware tokens from Google, enable it, don’t file it; then talk to your team about implementing those keys for everyone.
- This is a very impressive service that Google provides. I’ve always admired Google’s push for cyber security (they were one of the very first vendors to publicly push and enable 2FA for users of their free services). Interesting side note: in Microsoft’s webcast yesterday on passwords, they stated that only 20% of enterprise Microsoft 365 customers enable 2FA. So while a powerful security solution, 2FA still has a low adoption rate.
- Google has been offering strong authentication options to its users for several years now. Their implementation allows their users a wide range of choices to balance security against convenience; it is a model for others to follow. While Google is releasing data, it would be useful if they told us what user adoption has been and what options users are choosing.
Read more in
- Google sent 50,000 warnings of state-sponsored attacks in 2021
- Google to give security keys to ‘high risk’ users targeted by government hackers
VirusTotal’s Ransomware Data Analysis
VirusTotal has published a report detailing its findings from analyzing 80 million ransomware samples. VirusTotal says that of those samples, 95 percent targeted Windows machines. The report breaks down ransomware activity by threat operator groups and geographic areas targeted. The data were collected between January 2020 and August 2021.
- Much interesting data in the report, but if you replaced “ransomware” with “malware” most of the data would not change. Take the essential security hygiene steps to raise the bar against malware succeeding and you’ve simultaneously lowered the risk of a ransomware attack causing damage.
- Key points I took away from this report: 95% of all ransomware samples targeted Windows. Less than 5% of samples were related to exploits; the majority of infections were driven by social engineering or droppers. In other words, when it comes to malware, not a lot has changed in the past years. Remember, ransomware is NOT a new attack method, it is a new monetization method. What’s different is that ransomware has made malware a very profitable business model.
- Before you celebrate your systems not running Windows, note that two percent of attacks targeted Android, and there were also 1 million samples from macOS. Read the key take-aways in the report. Focus on privilege escalation patches and mitigations, keep your detection profiles updated, monitoring for new activities that need to be added to your detection capabilities; lastly, keep your cyber resiliency and recovery strategies ready and current.
Read more in
- Ransomware in a Global Context (PDF)
- VirusTotal Shares Data on Ransomware Activity
- VirusTotal Shares Analysis of 80 Million Ransomware Samples
- VirusTotal Releases Ransomware Report Based on Analysis of 80 Million Samples
- Google’s VirusTotal reports that 95% of ransomware spotted targets Windows
MITRE Establishes New Organizations to Help Protect Critical Infrastructure and Healthcare Sectors from Cyberthreats
MITRE Labs has set up two new centers focused on cybersecurity. The Cyber Infrastructure Protection Innovation Center will address cybersecurity issues that affect the critical infrastructure; the Clinical Insights Innovation Cell will focus on health care cybersecurity issues. Both centers aim to bring together organizations from the public and private sectors.
- As these advance, they will be a source of information that can be leveraged to better our protection strategies for healthcare and critical infrastructure. It’s easy to lose sight of new strategies and techniques when you’re heads down operating and maintaining your current systems, and even more so if you’re busy responding to attacks or incidents.
- Mitre has some amazing people doing important work. I hope these initiatives get the traction required to help these areas of need.
- I worked in the healthcare space for a little over eight years and was doing so while getting more and more into this field. It was challenging to try and explain to doctors and healthcare executives the actual dangers posed by cyber security threats. Mainly because those threats impacted financial systems or industry secrets, it appears that ransomware and patient safety has changed that risk calculus. I’m happy to see MITRE step up here because healthcare organizations should be treated like power plants as critical infrastructure. Unfortunately, those systems will continue to be vulnerable without that level of oversight and thinking as the risk calculus is still not fully understood. I can’t wait to see what is occurring here.
Read more in
- MITRE Launches Centers to Protect Infrastructure and Health
- MITRE Launches Critical Infrastructure, Public Health Data Orgs
- MITRE Labs Launches Innovation Organizations for Critical Infrastructure, Clinical Health Data
NASCIO Report on Cloud Adoption
A report from the National Association of State Chief Information Officers (NASCIO) examines states’ gradual movement to cloud services. For more than a decade, state CIOs have said cloud services is among their top priorities; however, adoption appears to be slow. Of the 35 state CIOs responding, 89 percent say they are still using mainframes and 71 percent say they have not moved any mainframe applications to the cloud.
- While many businesses are finding the right balance of cloud versus on-premise services, state and federal agencies have been struggling with making sure the cloud service providers meet regulatory requirements. While federal agencies have the FedRAMP process to help, StateRAMP has only recently emerged for state and local government users to fill this need. StateRAMP will grant a certification to existing FedRAMP service providers and will work with providers not interested in FedRAMP certification to become StateRAMP certified. With this in hand, it becomes simpler to begin the path to figuring out what will be best in the Cloud.
- It’s not uncommon to see long-deprecated IT systems in SLTT networks. Because of financial limitations, they simply can’t manage to keep up. I’m thankful for services like Google Classroom that allow educational institutions (globally) to move to the cloud for free. At that point, “keeping up” just means updating end user devices and school networks.
- The NASCIO report is fascinating; it highlights a sector of the IT industry that is very far behind in its operations. Last year the state of New Jersey needed more COBOL programmers to retrofit their systems to absorb the volume of requests for aid. This report highlights how they are not the outlier. The states have several issues; the first is retrofitting their aging systems outside of the challenge of maintaining them. The second is attracting talent that can do so. If it is hard to do this at the state level, it’s even more challenging at the city level. States with a large budget may migrate their systems, but finding talent to maintain and operate those cloud instances will be very difficult as we have seen a severe shortage in the market. Two charts that are in the report highlight the problems. One asks how many have to MFaaS (Mainframe as a Service). The second details how many entities use IP addressing and not names to reach their systems. Those two charts alone show how difficult and challenging this migration will be for many shops. I guess offensive and defense teams will need to brush up on mainframes and JCL for a while longer.
Read more in
NHS Vaccine Passport Outage Causes Travel Problems
The UK’s National Health Service (NHS) vaccine passport, NHS Covid Pass, suffered a disruption on Wednesday, October 13. The feature is part of the NHS smartphone app. Users received error messages suggesting that the service was experiencing unusually high traffic volumes, which was limiting access. Some passengers at UK airports reported that they were unable to board their flights because they did not have sufficient proof of their vaccination status without access to NHS Covid Pass.
- Understand the requirements for proving vaccination status when traveling and have a backup option in case the primary option fails. In this case the airports were not accepting paper vaccination records, which we’ve carried for years for this purpose. For a digital application, screenshot the barcode or add it to your digital wallet. Note that you may have to update those as frequently as every thirty days.
- Always try and travel with physical backups of all your paperwork. It may seem counterintuitive as we are so used to the availability of systems. However, we should also acknowledge that many of these systems are new and have probably not been as tested as amazon.com. I would also suggest taking a screenshot for a backup. I try and travel with the physical US vaccine cards and pictures of them just in case.
Read more in
- NHS Covid Pass: Vaccine records access restored after outage
- Passengers couldn’t fly after NHS vaccine passport went offline
CISA Alert: Water and Wastewater Cyberthreats
A joint advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) warns of “ongoing malicious cyber activity” targeting water and wastewater facilities in the US. The threat actors have been targeting both IT and OT networks. The alert describes threat actors’ tactics, techniques, and procedures, and lists mitigations and resources for water facilities.
- If you’re a critical system operator, make sure you’re subscribed to these alerts. The mitigations for these attacks are to include segmentation, monitoring, and MFA for remote access and to remove unnecessary components from networks to reduce your attack surface. Read the bulletin for a comprehensive list along with resources you can leverage.
Read more in
- Ongoing Cyber Threats to U.S. Water and Wastewater Systems
- Feds warn of ongoing cyberattacks targeting water and wastewater companies
- US Water and Wastewater Facilities Targeted in Cyberattacks, Feds Warn
OVH Outage Due to Network Reconfiguration
Hosting provider OVH suffered an hour-long outage on Wednesday, October 13. The issue appeared to be related to routing configuration problems during scheduled maintenance. OVH founder Octave Klaba said that “a bad configuration of the router caused the failure of the network.” The outage reportedly affected only OVH’s IPv4 infrastructure.
- The complexity of the network infrastructure, which is required for modern service delivery and redundancy, heightens the need to carefully scrutinize changes prior to deployment. This is not only for big providers like OVH and Facebook, but also for your enterprise where the configurations now include virtual networks to cloud providers, outsource or business providers and your locations. This is further complicated by increased remote access where network locations can be easily omitted from the VPN configuration. Read twice, deploy once, know how to back it out.
Read more in
- OVH blames hour-long global outage on human error during ‘routine’ network reconfiguration
- OVH hosting provider goes down during planned maintenance
- OVHcloud goes down in outage affecting global backbone
Apple Updates iOS Again
Apple has released updates for iOS and iPadOS to address a flaw that is being actively exploited. The critical memory corruption vulnerability in IOMobileFramebuffer is fixed in iOS and iPadOS 15.0.2. The flaw can be exploited to execute commands with kernel privileges. iOS 15.0.2 also includes several bug fixes.
- A detailed analysis and a PoC have been published for this vulnerability. You should not delay applying this patch.
- This is an emergency update to fix a zero-day (CVE-2021-30883). You’re going to want to push this out to your ADE devices now, and for non-managed devices – you know the drill. The update also includes watchOS 8.0.1, which only includes bug fixes for Apple Watch Series 3 devices; no CVEs are included.
- Apple’s strategy of releasing updates versus issuing patches reduces the burden on end users. iOS users should consider setting “Automatic Updates” to “on.” Note that the updates often require 50% battery power or connection to external power such that “automatic” may be less than fully so.
Read more in
- About the security content of iOS 15.0.2 and iPadOS 15.0.2
- Emergency Apple iOS 15.0.2 update fixes zero-day used in attacks
- Apple releases iOS and iPadOS 15.0.2, with fixes for CarPlay, Photos, and more
- Apple releases iOS 15.0.2 with some Find My fixes
OMB Memo Spells Out Steps for Endpoint Detection and Response
A memo from the White House Office of Management and Budget (OMB) directs federal agencies to provide the Cybersecurity and Infrastructure Security Agency (CISA) with access to their current endpoint detection and response (EDR) deployments within the next three months. The memo outlines other steps for agencies to take “to further the goal of centrally managing the information needed to support host-level visibility, attribution, and response with respect to agency information systems.”
- As much as I hate to say it, these “over the transom” mandates from OMB have pretty much been necessary to drive major progress in the protection levels of government systems and information. An important point here is that both the Executive Order and the latest OMB memo use the phrase “endpoint detection response” NOT as a product category but as a capability – which requires process, and skills before implementing products. The Continuous Diagnostics and Mitigation (CDM) program has offered easy acquisition of the types of product needed – the people and skills to update processes and to effectively make use of such products are needed.
- Buying an EDR is very different than tuning an EDR. Every organization is different and will require people and process to continually tune and improve the technology as the threat landscapes evolves. This is why it is so important to implement a program to test and measure your people, process, and technology to improve your detection and response. Purple teaming is one of the most efficient ways to do that.
- The intent of centrally monitoring activities on federal networks, in real-time, with automated response capabilities, is a lofty goal, particularly for specialized systems such as HPC and OT/ICS systems. Agencies are going to be providing CISA access to existing EDR deployments within 90 days, while CISA develops their continuous monitoring and response plan and ultimately publishes a playbook for best practices. The memo does not indicate any funding sources for EDR; agencies may wish to leverage CDM efforts and resources to augment EDR capabilities.
Read more in
- OMB orders federal agencies to let CISA access defenses of devices, servers
- White House tells agencies to clear the decks for EDR
- Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response (PDF)
GitHub Revokes Weak SSH Keys
GitHub has revoked weak SSH keys generated by GitKraken client versions 7.6.x, 7.7.x, and 8.0.0. The issue was due to a vulnerability in a GitKraken dependency. GitHub also revoked “other potentially weak keys created by other clients that may have used the same vulnerable dependency.”
- Nice work by GitHub (and GitKraken) responding to this. This issue isn’t obvious to the user, but sadly similar problems have happened before. For developers: “Don’t invent your own crypto” includes not inventing your own key generation.
- Have you checked the strength of the SSH keys you generated lately? Are you still using those keys you generated ten years ago? Do you really know all the places you left the public and private keys? Maybe it’s time to create new ones. When you generate the new ones, make sure you’re using the larger key sizes, such as 4096-bit RSA or 521-bit ECDSA keys.
Read more in
- Weak SSH Key Generation Fix in GitKraken v8.0.1s
- GitHub security update: revoking weakly-generated SSH keys
- GitHub revokes duplicate SSH auth keys linked to library bug
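The key-strength audit suggested above, as an added example that is not part of the original newsletter or of GitHub's or GitKraken's own tooling: it parses OpenSSH public key lines (the wire format of `authorized_keys` / `.pub` entries) and reports the RSA modulus size, ECDSA curve, or Ed25519 length. The size thresholds and the sample keys are constructed for illustration; note that size alone cannot reveal the GitKraken problem (duplicate keys from a flawed dependency), which is why GitHub revoked the affected keys and why regenerating old keys is the safe path.

```python
import base64
import binascii
import struct

# Policy thresholds for this audit (assumption: illustrative values chosen to
# match the recommendation above, not GitHub's own revocation criteria).
MIN_RSA_BITS = 3072
ALLOWED_ECDSA_CURVES = {"nistp256", "nistp384", "nistp521"}


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def describe_public_key(line):
    """Parse 'type base64 [comment]' and return (key_type, detail, bits)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type prefix does not match blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)   # e (mpint), not needed here
        modulus, _ = _read_string(blob, off)       # n (mpint, may carry a leading 0x00)
        return key_type, "rsa", int.from_bytes(modulus, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)         # e.g. b"nistp256"
        curve = curve.decode("ascii", "replace")
        bits = int(curve[len("nistp"):]) if curve.startswith("nistp") else 0
        return key_type, curve, bits
    if key_type == "ssh-ed25519":
        point, _ = _read_string(blob, off)         # 32-byte public key
        return key_type, "ed25519", len(point) * 8
    return key_type, "unknown", 0


def assess_key(line):
    """Classify one public key line as 'ok', 'weak' or 'unknown' under the policy above."""
    key_type, detail, bits = describe_public_key(line)
    if key_type == "ssh-rsa":
        return "ok" if bits >= MIN_RSA_BITS else "weak"
    if key_type.startswith("ecdsa-sha2-"):
        return "ok" if detail in ALLOWED_ECDSA_CURVES else "weak"
    if key_type == "ssh-ed25519":
        return "ok" if bits == 256 else "weak"
    return "unknown"


def audit_authorized_keys(text):
    """Assess every key in authorized_keys-style text; returns [(label, verdict, bits)].

    Leading option fields such as 'no-pty,from=...' are skipped (quoted options
    containing spaces are not handled by this simple tokenizer).
    """
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        while tokens and not tokens[0].startswith(("ssh-", "ecdsa-")):
            tokens.pop(0)
        try:
            key_type, _detail, bits = describe_public_key(" ".join(tokens))
            label = tokens[2] if len(tokens) > 2 else key_type
            results.append((label, assess_key(" ".join(tokens)), bits))
        except (ValueError, binascii.Error):
            results.append((line[:40], "unparseable", 0))
    return results


# Helpers that build constructed sample keys (assumption: synthetic values; the
# ECDSA/Ed25519 "points" are filler bytes, not valid curve points).
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # adds 0x00 when the high bit is set
    return _ssh_string(raw)


def make_rsa_key_line(modulus_bits, comment="constructed-rsa"):
    n = (1 << (modulus_bits - 1)) | 1                    # odd value of exactly modulus_bits bits
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def make_ecdsa_key_line(curve="nistp256", comment="constructed-ecdsa"):
    blob = (_ssh_string(b"ecdsa-sha2-" + curve.encode()) + _ssh_string(curve.encode())
            + _ssh_string(b"\x04" + b"\x11" * 64))
    return "ecdsa-sha2-" + curve + " " + base64.b64encode(blob).decode() + " " + comment


def make_ed25519_key_line(comment="constructed-ed25519"):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x22" * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
```

Run `audit_authorized_keys(open("~/.ssh/authorized_keys").read())` (path expanded as appropriate) to list each key's verdict and size; keys reported as weak or unparseable are the ones to regenerate and redeploy.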
Password Spraying Attacks Targeting Office 365 Accounts
In a blog post, researchers from Microsoft Threat Intelligence Center (MSTIC) describe the activity of a hacking group that has been targeting Office 365 users with password spraying attacks. The hackers appear to have ties to Iran. Microsoft has been tracking what it has named the DEV-0343 cluster since July 2021. Targets include “US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” MSTIC notes that Office 365 accounts that use multi-factor authentication are more resilient against this type of attack.
- Using cloud services like Office 365 without MFA is negligent. Office 365 credentials are at the top of the list of phishing attacks, and you don’t have to be a valuable/special target.
- There are no more excuses for not turning on MFA for our userbases. A well implemented MFA, such as in O365, does not pester users for new MFA codes every day, but instead is discretionary, meaning MFA is enforced when the user has changed significantly, or otherwise seems to be posing a risk. Turn on MFA now!
- You know I’m going to say it. Enable MFA for your Microsoft 365 accounts. Leverage conditional access to allow for SSO from trusted devices. Make sure you don’t disable MFA for VIP or System Admin accounts. Now review your settings for passwords. You really should be using long passphrases, checked against banned wordlists and data breach dumps. There are add-ins and/or services you can get to do this for you securely and transparently.
Read more in
- Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors
- Microsoft: Iran-linked hackers target US defense tech companies
- Microsoft Exposes Iran-linked APT Targeting U.S., Israeli Defense Tech Sectors
- Iran-linked hackers targeted maritime and defense contractors, compromised Office 365 accounts
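A detection for the pattern described above, as an added example that is not from the original newsletter or from Microsoft: password spraying looks like one source trying a few passwords against many accounts, whereas brute force is many tries against one account. The sign-in records, field layout and thresholds below are constructed for illustration, not a vendor's export format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (assumption: a simplified CSV of
# timestamp,user,source_ip,result rather than any real tenant log).
SAMPLE_SIGNINS = """\
2021-10-12T02:00:01Z,alice@example.com,203.0.113.10,Failure
2021-10-12T02:00:09Z,bob@example.com,203.0.113.10,Failure
2021-10-12T02:00:17Z,carol@example.com,203.0.113.10,Failure
2021-10-12T02:00:25Z,dave@example.com,203.0.113.10,Failure
2021-10-12T02:00:33Z,erin@example.com,203.0.113.10,Failure
2021-10-12T02:00:41Z,frank@example.com,203.0.113.10,Failure
2021-10-12T02:31:02Z,frank@example.com,203.0.113.10,Success
2021-10-12T03:00:00Z,alice@example.com,198.51.100.7,Failure
2021-10-12T03:00:01Z,alice@example.com,198.51.100.7,Failure
2021-10-12T03:00:02Z,alice@example.com,198.51.100.7,Failure
2021-10-12T03:00:03Z,alice@example.com,198.51.100.7,Failure
2021-10-12T03:00:04Z,alice@example.com,198.51.100.7,Failure
2021-10-12T03:00:05Z,alice@example.com,198.51.100.7,Failure
2021-10-12T04:15:00Z,alice@example.com,192.0.2.5,Failure
2021-10-12T04:15:30Z,alice@example.com,192.0.2.5,Success
"""


def parse_signins(text):
    """Turn the CSV text into sorted (timestamp, user, source_ip, result) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result))
    records.sort()
    return records


def detect_password_spray(records, window=timedelta(hours=1), min_users=5, max_failures_per_user=2):
    """Flag source IPs that fail against many distinct accounts with few tries each.

    Returns {ip: summary}. A single-account flood (brute force) is deliberately
    not matched here, because its per-user failure count exceeds the limit.
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[2]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r[3] == "Failure"]
        for i, (start, _, _, _) in enumerate(failures):
            in_window = [r for r in failures[i:] if r[0] - start <= window]
            per_user = Counter(r[1] for r in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_failures_per_user:
                # A later success from the same source is the account the spray hit.
                hits = sorted({r[1] for r in recs if r[3] == "Success" and r[0] >= start})
                alerts[ip] = {
                    "users": len(per_user),
                    "first_failure": start,
                    "last_failure": in_window[-1][0],
                    "success_after": hits,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_password_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(ip, summary)
```

A spray spread across many source addresses will not trip a per-IP rule; the same counting keyed on user agent or tenant-wide failure-per-user ratios is the usual next step.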
Updates Available for Improper Certificate Validation Flaw in LibreOffice, OpenOffice
An improper certificate validation vulnerability affecting LibreOffice and OpenOffice could be exploited by an attacker to manipulate documents so they appear to be signed by a trusted source. Fixes are available, but neither suite offers auto-updating. Users are encouraged to upgrade to LibreOffice 7.0.5 or 7.1.1 and later and OpenOffice 4.1.11 and later.
- OpenOffice and LibreOffice use digital signatures to help with the authenticity of Macros, which is a good idea. The problem is that neither office suite features automatic updates, so you’re going to have to download and deploy the updated packages at least semi-manually. Alternatively, you can disable macros, or not trust documents containing macros.
Read more in
- LibreOffice, OpenOffice bug allows hackers to spoof signed docs
- Apache OpenOffice: Content Manipulation with Certificate Validation Attack
- Content Manipulation with Certificate Validation Attack
US K-12 Cybersecurity Act Signed into Law
The US K-12 Cybersecurity Act was signed into law on October 8, 2021. The legislation calls for the Cybersecurity and Infrastructure Security Agency (CISA) to assess the cyber risks faced by K-12 school systems, develop recommendations for K-12 cybersecurity guidelines, and create an online toolkit that K-12 schools can use to implement those recommendations.
- When completed, CISA will be providing an online toolkit for schools to leverage so they can implement strategies and recommendations for increased cybersecurity. This should provide information needed to prioritize fixes and drive the budget/grant and other mechanisms needed to fund the improvements.
- Education and election systems in the US are driven and mostly funded by local governments and budgets. It would be good to see additional funding going to the Multi-State ISAC for specific efforts to add direct support to local school districts to provide the skills and resources that so many local school districts do not have to make progress in securing school operations, especially with the need for remote learning.
- Many school systems can pay extortion while rarely commanding the necessary special knowledge and skills to adequately secure their systems. Federal assistance should be welcome.
Read more in
Fertility Clinic Says Data Stolen in Ransomware Attack
In a filing with the US Securities and Exchange Commission (SEC), Quest Diagnostics disclosed that an August ransomware attack against the ReproSource fertility clinic led to a data breach. Compromised data include both health and financial data. Quest owns the Massachusetts-based fertility clinic.
- We’re entering a future where data is no longer private. Put it on the world-wide web and it is no longer yours; it will be leaked, and it will not remain a secret.
- ReproSource is providing credit and identity monitoring to affected patients but didn’t indicate how long that would be provided. Don’t wait for a breach; get your own identity and credit monitoring in place now where you can manage the duration of the coverage. Next, follow up on issues identified; don’t ignore the alerts.
Read more in
Ukrainian Police Arrest Alleged DDoS-for-Hire Operator
Police in Ukraine have arrested an individual in connection with a DDoS-for-hire scheme. The individual controlled a botnet of 100,000 devices. The botnet was also used to conduct brute-force password attacks, send spam, and probe websites for exploitable vulnerabilities.
- Takedowns like this and last month’s takedown of the WireX Android botnet are a step in the right direction, but even so you cannot assume you’re covered. Talk to your service providers about DDoS protections to identify gaps, as well as understand what their protections actually do. Ask what trends they are seeing and how they are responding to them. Then look to either add solutions to fill those gaps, or have your board or senior management accept the risk of not addressing them.
Read more in
Medtronic Recalls Insulin Pump Remote Controllers Due to Cybersecurity Risks
Medtronic has recalled remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The affected devices were distributed between August 1999 and July 2018. The remote controller devices are vulnerable to a capture-replay attack, which could be used to alter the level of insulin the pump dispenses.
- This vulnerability was discovered, and the initial limited recall announced, back in 2018. I hope the Medtronic Board of Directors, especially the members of the Medtronic Board’s Quality Committee read the opening line of the FDA medical device recall announcement “The FDA has identified this as a Class I recall, the most serious type of recall. Use of these devices may cause serious injuries or death.” While the attack path is not simple, avoiding life threatening vulnerabilities and the cost of product recalls should be pretty high on the Product Quality priority list but does not seem to have been.
- It is estimated that 31,000 devices need to be replaced. The balance between life-safety and security always comes down on the life-safety side. In the past, we’ve seen security flaws in medical devices which didn’t warrant this level of response; as exploitation of medical devices can be fatal, it is hoped that the threat of recalls like this will push suppliers to implement higher levels of security.
- My biggest fear with medical devices is not cyber attackers targeting and exploiting these vulnerabilities, but some random malware accidentally infecting and spreading through medical devices, causing unintended havoc and harm. In the military we called this “collateral damage.”
Read more in
- Medtronic Recalls Remote Controllers Used with Paradigm and 508 MiniMed Insulin Pumps for Potential Cybersecurity Risks
- FDA urges return of vulnerable, recalled Medtronic remote insulin pump controllers
- Medtronic urgently recalls insulin pump controllers over hacking concerns
- Patient Safety Concerns Grow Over Medical Gear Security
DHS Says TSA Will Impose New Cybersecurity Requirements for “High-Risk” Railway and Aviation Operators
On Wednesday, October 6, US Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said that the Transportation Security Administration (TSA) will introduce regulations aimed at improving the cybersecurity of critical railway and aviation operators. The regulations will require that the organizations name a chief cyber official, establish cyberattack recovery plans, and report cyber incidents to the government. The regulations are expected to take effect by the end of this calendar year.
- The plan requires three actions: (1) improve their cybersecurity processes, (2) identify a chief cyber official, and (3) inform the government when their network has been breached and have a draft cyber recovery plan on hand to recover from the incident. While not obvious, incident reporting allows CISA/DHS to keep overall tabs on security across the nation, and setting that up will help foster the needed relationship if you need to call upon them for their resources or expertise.
- This is just an initial step – any railway and aviation operator that didn’t have a named CSO and an incident recovery plan in this day and age should fire their CEO and replace their Board of Directors. Regulatory push to make essential security hygiene a mandatory cost of doing business is needed across most of the critical infrastructure sectors.
- I really hope TSA takes the approach NIST does and works hard to (and provides the time for) community input, feedback and involvement.
Read more in
- U.S. to tell critical rail, air companies to report hacks, name cyber chiefs
- TSA to impose cybersecurity mandates on major rail and subway systems
- New cybersecurity regulations released by TSA for trains and planes
- DHS to impose new cyber requirements on railway, subway and aviation operators
- TSA will require high-risk air and rail transit entities to report cyberattacks
Fixes Available for Apache HTTP Server Zero-Day
Apache has released a second update for its HTTP Web Server after an initial fix was deemed incomplete. Apache’s first fix for the path traversal vulnerability (CVE-2021-41773) was released in version 2.4.50 on Tuesday, October 5. Apache released version 2.4.51 on Thursday, October 7.
- In version 2.4.49, Apache re-wrote a large part of the code that validates URLs. The goal was to improve the speed of this code. Sadly, the rewrite missed some common URL issues like URL encoding. Luckily the error was discovered quickly. I don’t think this version of Apache made it into any Linux distributions. Note that the initial fix, Apache 2.4.50, was incomplete and you should now be running Apache 2.4.51. But do not worry if you are running an earlier version. Many Linux distributions will stick to a particular version and only back-port security fixes. 2.4.49 and 2.4.50 are the only vulnerable versions, and they were only “current” from September 15th to October 7th.
- Be aware of the Apache server version your distribution supports when looking at the update. For example, RHEL 7 is based on Apache version 2.4.6 while RHEL 8 uses 2.4.37, and patches will be applied to those versions rather than providing version 2.4.51; this is documented in the distribution backporting policy. Use this information to verify that your vulnerability scanners aren’t providing a false positive on the patched version.
- This year seems to be the year of constant critical vulnerabilities and highlights that patching alone is insufficient for defenders to rely on for protection. A comprehensive vulnerability management program should be developed to determine how an organization can mitigate the impact of vulnerabilities while awaiting the application of patches or upgrades.
Read more in
- Apache HTTP Server project
- Apache emergency update fixes incomplete patch for exploited bug
- Apache Web Server Zero-Day Exposes Sensitive Data
- Additional fixes released addressing Apache HTTP Server issue
- Apache HTTP Server Project patches exploited zero-day vulnerability
- Running a recent Apache web server version? You probably need to patch it. Now
- Actively exploited Apache 0-day also allows remote code execution
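The flaw described above is a normalization-order problem: the server checked request paths for traversal before percent-decoding them. The added example below (not code from the Apache project or from this newsletter) shows the defender's side of that lesson: decode first, then resolve `.`/`..` segments, and run the check over constructed access-log lines so that an encoded traversal is flagged while a harmless `/docs/../index.html` is not.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache "combined"-style format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [06/Oct/2021:10:01:03 +0000] "GET /icons/.%2e/%2e%2e/outside.txt HTTP/1.1" 404 196
203.0.113.7 - - [06/Oct/2021:10:02:10 +0000] "GET /docs/../index.html HTTP/1.1" 200 1043
203.0.113.9 - - [06/Oct/2021:10:03:44 +0000] "GET /a/%252e%252e/%252e%252e/config?x=1 HTTP/1.1" 404 196
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def canonicalize(raw_path: str, max_decodes: int = 3) -> Tuple[str, bool]:
    """Percent-decode repeatedly (catches double encoding such as %252e),
    then resolve '.' and '..' segments against a virtual document root.

    Returns (normalized_path, escapes_root). The order matters: validating
    for '..' before decoding is exactly the mistake the 2.4.49 rewrite made.
    """
    path = raw_path.split("?", 1)[0]          # ignore the query string
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:                   # nothing left to decode
            break
        path = decoded

    stack: List[str] = []
    escapes = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes = True                # popped past the root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escapes


def find_traversal(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose canonical path leaves the root."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("path")
        normalized, escapes = canonicalize(raw)
        if escapes:
            hits.append({
                "client": line.split()[0],
                "raw": raw,
                "normalized": normalized,
                "encoded": "%" in raw,        # encoding was used to hide the dots
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```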
New DOJ Initiative: US Government Contractors Can be Sued for Failing to Report Breaches
On Wednesday, October 6, US Deputy Attorney General Lisa Monaco announced the Justice Department’s Civil Cyber Fraud Initiative. Using the existing False Claims Act, the new initiative will allow the DoJ to sue federal contractors if they fail to report breaches or cyberattacks or if “they fail to follow required cybersecurity standards.” The False Claims Act includes a whistleblower provision.
- We have several decades of data that says lawsuits rarely result in enduring increases in security. I’d much rather see contractors and suppliers that commit fraud by not following required cybersecurity standards be suspended or barred from doing business with the federal government. The Federal Accounting Regulations already support doing so.
- Disclosure of breaches or incidents hits many companies square in the reputation risk soft spot. Part of disclosure must include an acceptable level of protection of that information. All of us with outsource, service or cloud contracts should verify they already include cyber provisions which include incident response and notification requirements as well as consequences for failure to report or meet information protection requirements. Verification that a provider is meeting required security standards is critical to ensuring your information is properly protected. That verification is not “one and done.” It needs to be updated regularly.
Read more in
- Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative
- US gov’t will slap contractors with civil lawsuits for hiding breaches
- U.S. govt to sue contractors who hide breach incidents
- New U.S. Government Initiative Holds Contractors Accountable for Cybersecurity
Pipeline Cybersecurity Rules Raise Concerns
In July 2021, the Transportation Security Administration (TSA) issued emergency pipeline cybersecurity rules. The cyberattack that shut down Colonial Pipeline for six days in May showed that voluntary cybersecurity guidelines for energy pipelines were insufficient. The new TSA rules were not released publicly. Through a Freedom of Information Act (FOIA) request, the Washington Post obtained a redacted copy of the rules and shared them with industrial cybersecurity experts. While some of the requirements, such as developing and testing incident response plans, met with positive reviews, some analysts expressed concern that the rules could actually hinder security. Implementation directions are vague in some areas and overly prescriptive in others. SANS Technical Director of ICS and SCADA programs Tim Conway noted that “There are a ton of lessons learned from almost two decades of experience in other critical infrastructure sectors,” and said the industry should be involved in developing requirements.
- Cyber guidelines are exactly that, guidelines, a baseline or minimum. Take the opportunity to use them to find gaps. If there are controls that don’t make sense or are unachievable, document that, and be prepared to defend that conclusion to your regulator or auditor. Leverage your relationships with peers facing the same standards to find workable mechanisms to not only meet the requirements, but also increase security as well as make the overall process easier.
- This appears heavily rushed with very little industry input. There is a wealth of knowledge in our community. By taking more time to gather that community feedback, not only does TSA create a far stronger framework, but it is also more likely to gain industry buy-in. NIST does a fantastic job doing this with their CFC process (Call For Comments) for NIST related frameworks and guidelines.
Read more in
- New emergency cyber regulations lay out ‘urgently needed’ rules for pipelines but draw mixed reviews
- July 2021 TSA pipeline security directive
The Atlantic Council’s Maritime Cybersecurity Report
During 2020, cyberattacks against the Maritime Transportation System (MTS) increased by 400 percent in a matter of months. The US government released the National Maritime Cybersecurity Plan in December 2020 – more of a road map than an implementation guide. A report from the Atlantic Council offers 12 recommendations grouped into categories of First, Next, and Later.
- While fascinating, these types of increases in cyberattacks could probably apply to pretty much any industry that is heavily connected to and dependent on technology.
- Cybersecurity is essential to any network connected infrastructure. Yet such cautions and prescriptions continue to be necessary. Join and support the Surface Transportation ISAC.
Read more in
FDA Issues Medical Device Vulnerability Notification Best Practices
The US Food and Drug Administration (FDA) has published best practices for notifying patients of cyber vulnerabilities in medical devices. The document “provides helpful information and elements for industry stakeholders, federal partners, and other interested stakeholders … to consider when developing a cybersecurity communication strategy.” The elements include making the communication simple, timely, and relevant; acknowledging what is not known; and ensuring it is easy to find.
- We have repeatedly seen the need for concise, clear, understandable communication in the event of an incident. The guidance is intended to help develop a message non-technical users can understand and then take the needed action properly. Even with the best plan, users may still not read or understand what is expected; back up the message with a responsive contact center armed with simple guidance they can walk the users through.
Read more in
- Best Practices for Communicating Cybersecurity Vulnerabilities to Patients (PDF)
- FDA: How to Inform Patients About Medical Device Cyber Flaws
- Health care guides tackle device risk communication and insider, VPN security
SMS Routing Company Syniverse Discloses Breach in SEC Filing
Syniverse, a company that manages SMS routing for major US carriers, has disclosed that attackers had access to its databases for five years. In a filing with the US Securities and Exchange Commission (SEC), Syniverse wrote that “in May 2021, [they] became aware of unauthorized access to [their] operational and information technology systems by an unknown individual or organization.” An investigation revealed that the unauthorized access began in 2016.
- Syniverse, which processes messages for 300 carriers with a volume of about 740 billion messages/year, says they have fixed the identified vulnerabilities and are continuing to investigate the breach to determine if additional access paths exist. As their primary customer is the carriers rather than the customer whose messages are delivered, you will have to rely on your carrier for any notifications of impact or required follow-up actions.
- Yet another nail in the coffin of the use of SMS for security. Sadly, SMS replacement standards like RCS that would avoid relying on a “secure” forwarding network have never quite taken off.
- This is a major breach that could have long term implications given the sheer volume of data and messages that could have been accessed in that time. It also highlights the importance of ensuring any sensitive communications are done via end-to-end encrypted solutions and do not rely solely on the security of the messaging infrastructure.
Read more in
- Company That Routes Billions of Text Messages Quietly Says It Was Hacked
- Company that routes SMS for all major US carriers was hacked for five years
- Schedule 14A | M3-Brigade Acquisition II Corp. (Incident is mentioned at the bottom of page 69) (PDF)
Disgruntled Former Employee Strikes Twice in a Row
A UK man sabotaged networks of two former employers in less than two months. After Adam Georgeson was fired from his position as an IT technician at a UK secondary school, he accessed the school’s network, wiped data and changed staff members’ passwords. Georgeson was arrested while working at a new job at an IT company. Shortly thereafter, Georgeson was fired from that job as well. He accessed the company’s network, changed passwords and modified the customer contact phone system. Georgeson has pleaded guilty to two cyber hacking offenses.
- Having an expedited access termination process for employees involuntarily separated is critical to preventing retaliatory actions like this. Verify that the process is comprehensive, particularly with outsourced or cloud services which may have external entry points. Also expire or lock any MFA tokens. If accounts are disabled rather than removed, make sure any access or attempted reactivation is closely monitored.
- Two points on this one: (1) Once again, make sure processes and integration support removal of access with or before termination; but also (2) forward this to your CIO and HR manager and recommend that references be contacted before any IT or security employees are hired who will be given admin access.
- School systems often have very small IT staffs, resulting in a concentration of privilege and independence from knowledgeable supervision. Business enterprises are more likely to have sufficient staff that new hires need not be given administrative privileges and be subject to knowledgeable supervision.
Read more in
Critical Vulnerabilities in Honeywell Experion PKS and ACE Controllers
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of three vulnerabilities affecting Honeywell Experion Process Knowledge System (PKS) C200, C200E, C300 and ACE Controllers. The flaws include a critical unrestricted file upload vulnerability that has a CVSS score of 10.0; an improper neutralization of special elements in output vulnerability; and a relative path traversal vulnerability. The flaws could be exploited to remotely execute code, cause denial-of-service conditions, and allow attackers to access files and directories. Users are urged to patch as soon as possible.
- These are large industrial process controllers and as such access should be limited to authorized devices and services only. Make sure access is closely monitored to detect attempts to exploit the weakness. Start planning the outage to update the firmware now.
Read more in
- Multiple Critical Flaws Discovered in Honeywell Experion PKS and ACE Controllers
- ICS Advisory (ICSA-21-278-04) Honeywell Experion PKS and ACE Controllers
- SECURITY NOTIFICATION SN 2021-02-22 01 (PDF)
FCC Proposed Rulemaking to Fight SIM Swapping
The US Federal Communications Commission (FCC) is seeking feedback on its proposed rulemaking regarding SIM swapping and number port out fraud. Both these attacks can be used to take control of mobile phone numbers and with that access associated accounts. The draft rulemaking “proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.”
- Good to see the FCC finally taking action on this longstanding problem. Last year, Princeton researchers showed how shoddy SIM swapping authorization and authentication processes were still in use by most carriers. Next maybe the FCC will address the ease of cell number spoofing.
- Make sure that you’ve checked the security settings on your mobile account relating to SIM swapping. Some of the carriers have updated their controls, such as requiring an added PIN be created to authorize a legitimate swap. Even so, the wording can be tricky and should be read carefully. When setting up 2FA, select options other than SMS or a call to your mobile, and when those are the only option, they are still better than a reusable password.
- This is a hard problem. Carriers want to resist the small number of fraudulent swaps while not inefficiently burdening the large number of legitimate (lost, stolen, broken or new phones) swaps. At a minimum carriers should confirm all swaps out-of-band. Not expensive, not even necessarily inconvenient.
Read more in
- FCC Proposal Targets SIM Swapping, Port-Out Fraud
- The FCC proposes rules to fight SIM swap and port-out fraud
- Note of Proposed Rulemaking In the Matter of Protecting Consumers from SIM Swap and PortOut Fraud (PDF)
Coinbase MFA Vulnerability Exploited to Steal Cryptocurrency
Thieves were able to steal cryptocurrency from at least 6,000 Coinbase customers by exploiting a weakness in the Coinbase SMS multi-factor authentication (MFA) feature. Coinbase notified affected users last week. The breaches occurred between March and May 2021. To steal the cryptocurrency, an attacker would have needed a targeted Coinbase customer’s email address, password, and phone number, as well as access to the email account. Coinbase has since updated its SMS Account Recovery protocol to prevent bypassing the authentication process.
- Every authentication method, from passwords to 2FA to biometrics, requires a backup authentication approach in case the primary authentication method doesn’t work. Those processes need to be tested for weaknesses, as too often they prioritize ease of use/cost reduction over security. (See the FCC/SIM swapping item above.)
- Coinbase does not reveal a lot of details other than saying that the flaw is related to the 2FA recovery process. So far, I have not seen a system that recovers lost 2FA securely and efficiently. Too often, recovery means answering some security questions or calling a help desk, which will again ask some recovery questions. Worse: recovery systems that are buggy and let users disable 2FA by brute forcing a simple six digit code.
- Attackers were able to recover a user’s account, log in and transfer their funds to a non-Coinbase wallet. Coinbase has multiple MFA options, to include secure keys, TOTP and SMS as a last resort. Victims who had secured their account and lost funds are being reimbursed. If you have a Coinbase or other cryptocurrency wallet, revisit MFA options to move away from SMS if possible.
Read more in
- Coinbase sends out breach notification letters after 6,000 accounts had cryptocurrency stolen
- MFA Glitch Leads to 6K+ Coinbase Customers Getting Robbed
- Hackers rob thousands of Coinbase customers using MFA flaw
- Subject: Unauthorized Access to Your Coinbase Account
Bungled BGP Route Update Likely Cause of Facebook Outage on Monday
Monday’s outage affecting Facebook, Instagram, WhatsApp and other Facebook-owned properties was likely due to a bungled Border Gateway Protocol (BGP) route update. The problems began around 11:30 am EDT; Facebook services began coming back online roughly five hours later. The outage prevented some Facebook employees from entering buildings because the badge access system was not working.
- Outages and routing issues due to BGP mistakes are common enough that there is a website tracking them (e.g. see https://observatory.manrs.org/#/history ). For your next business continuity tabletop: Consider what will happen if your authentication servers are down due to a routing issue. Include the authentication servers used to authenticate local and remote users to make routing updates.
- The first thing that comes to mind is that the world’s economic output probably went up for the five hours that Facebook was off the air… Some of the longest outages are due to self-inflicted wounds – some of you may even remember the 9 hour+ January 1990 ATT telecoms outage when ATT pushed out a bad software update to their switches. Just as with DDoS and ransomware incidents, how to deal with extended outages of revenue-critical services is an important tabletop exercise.
- Reversing the BGP update required physical access to routers which were in buildings where the physical access systems were also offline. Make sure that there is a viable contingency plan for your physical access control system. Document the use cases which require physical access to IT components, making sure you’ve not overlooked options to further minimize that access. Test your contingency physical access controls regularly. Make sure that you don’t have single points of failure. Remember the productivity losses we attributed to the Microsoft Solitaire game on Windows? Social media seems to have stepped into that role and is available from about every platform a user has, not just their Windows systems. It may be time to revisit your incidental use policy with this outage in mind.
Read more in
- Facebook Outage: Yes, its DNS (sort of). A super quick analysis of what is going on.
- Facebook has finally given a reason for the six-hour outage Monday
- Why Facebook, Instagram, and WhatsApp All Went Down Today
- Facebook, WhatsApp, and Instagram down due to DNS outage
- Facebook, Instagram, WhatsApp, and Oculus are down. Here’s what we know [Updated]
- Facebook, Instagram, WhatsApp Suffer Widespread Outage
- Update about the October 4th outage
Apple AirTags Do Not Sanitize User Input
Apple AirTags do not sanitize the phone number input field; as a result, the devices could be used in drop attacks, in which AirTags laced with malicious code are strategically dropped in the hope that someone will pick one up and scan it. When an AirTag is set to Lost Mode, anyone who finds and scans it will see a message, presumably with the owner’s contact information. Because the AirTag phone number user input field is not sanitized, a malicious actor could enter malicious code in its place.
- It is not really the AirTags that should be sanitizing user input. Instead, Apple’s website displaying the link should properly encode the data to prevent XSS, and the API they use to receive the data the user configures for the link should properly validate input. The AirTag, a device the user controls, should not be used to implement security.
- Apple AirTags are about $30, which raises the bar on a malicious actor leaving them around to be scanned by an unwitting victim, as compared to USB flash drives which can be under $1; even so you may want to advise staff to be cautious, particularly VIPs. Two lessons here, first: input sanitization is always important, for every input. Second: respond to vulnerability disclosures. The researcher disclosed the weakness to Apple on June 20th with no response for several months despite follow-up communication. While Apple did finally respond and will be addressing this error in an upcoming update, the researcher disclosed the weakness as it had not been addressed for 90 days.
- Apple had previously only partially addressed the stalking risk of AirTags, where the malicious actor drops an AirTag in someone’s bag or vehicle and has cheap and easy tracking. The good news is “drop attacks” are both expensive, since AirTags cost much more than USB drives, and require physical access to the target. Good to warn executives they might receive malicious AirTags in the mail, just as “poisoned” USB drives were physically mailed out over the past couple of years.
Read more in
- Apple AirTag Bug Enables ‘Good Samaritan’ Attack
- Apple forgot to sanitize the Phone Number field for lost AirTags
- How one coding error turned AirTags into perfect malware distributors
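The second comment above makes the design point: the fix belongs in the web page that renders the contact field and in the API that accepts it, not in the tag. The added example below is a hypothetical server-side renderer written for this newsletter, not Apple's code; it puts the unencoded rendering beside a hardened version that validates the phone number at the API boundary and HTML-encodes it for output. The constructed input value and the page markup are assumptions.

```python
import html
import re

# Constructed test value: a phone field containing markup instead of digits.
BAD_VALUE = "5551234<script>x</script>"


def render_contact_unsafe(phone: str) -> str:
    """Vulnerable form: the user-controlled value is concatenated straight into
    HTML, so any markup in it is interpreted by the browser of whoever scans the tag."""
    return f'<p>Owner contact: <a href="tel:{phone}">{phone}</a></p>'


# Accept a leading '+' and digits with common separators; nothing else.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{5,19}$")


def validate_phone(phone: str) -> bool:
    """Input validation at the API that stores the Lost Mode contact field."""
    return bool(PHONE_RE.fullmatch(phone))


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)


def render_contact_safe(phone: str) -> str:
    """Hardened form: reject anything that is not a phone number, then encode.

    Both layers are needed: encoding alone stops tag injection in the text
    node, but a href attribute also needs the value restricted to digits so
    that no other URL scheme can be smuggled into it.
    """
    if not validate_phone(phone):
        raise ValueError("contact field rejected: not a phone number")
    safe = encode_for_html(phone)
    return f'<p>Owner contact: <a href="tel:{safe}">{safe}</a></p>'


if __name__ == "__main__":
    print(render_contact_unsafe(BAD_VALUE))        # markup passes through
    print(encode_for_html(BAD_VALUE))              # markup neutralized
    print(render_contact_safe("+1 555 010 1234"))
```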
Digitization Drives Changes in Risk Management
During a virtual panel hosted by Dragos, CISOs and other experts discussed the effect of digitization on risk management in manufacturing environments and other operational technology (OT) dependent environments. Companies are starting to make the change to centralized IT and cybersecurity operations rather than site-specific cybersecurity that varies from one plant to the next.
- As more components are reporting and accessing OT components, isolation is becoming more challenging. Make sure that you know what systems need to interact with your OT and restrict access to only those authorized systems and users. Monitor the networks they are using for unexpected behavior, protocols, or unauthorized devices. Don’t provide direct OT connectivity to the Internet.
- Standardization of security is essential to efficiency, ensuring that sensitive resources get the necessary and intended protection while expensive measures are reserved to only those resources that require them.
Read more in
- Digitization costs manufacturing plants ‘the luxury of isolation,’ changing risk management
- Digital transformation forces manufacturers to take a more unified asset management approach
RFID Military Weapons Tracking Poses Security Risk
An Associated Press (AP) report found that some US military units are using radio frequency identification (RFID) tags for firearms. The AP was looking into the military’s use of technology in keeping control of their firearm inventory as part of a larger investigation into stolen and missing military guns. The RFID tags are used to help with inventory. A Department of Defense (DoD) spokesperson said that department policy opposes the use of RFID tags in firearms except in very limited instances – in guns for firing ranges, and not in those used to protect military bases or in combat. The investigation found that it is relatively easy for adversaries to identify US troops through the RFID tags at a greater distance than the contractors that install the RFID systems claim. In addition, the tags are easy to clone.
- Don’t underestimate the range at which a transmitter like RFID tags can be read. Also, be aware of the ease of duplication. Lastly, consider the OPSEC tradeoff of easy remote/touchless read versus the adversary having that information.
- RFID is one of those tricky technologies that often falls in the creases of security programs. Like electronic locks, “smart” home devices, industrial wireless signals, and hardware tokens, these intersectional systems are often poorly understood – even by their vendors. Recommendation: give special attention to “The Weird” in your environment. The attack surface is all around us!
Read more in
- Military units track guns using tech that could aid foes
- Military’s RFID Tracking of Guns May Endanger Troops
Apache Workflow Misconfigurations Expose Sensitive Data
Researchers from Intezer have found that misconfigured instances of older versions of Apache Workflow are exposing sensitive information, including account credentials for Amazon Web Services, Google Cloud Platform, PayPal, and other platforms and services. The exposed customer information could be violations of data protection laws. Intezer has notified the organizations it identified as running misconfigured Apache Workflow instances.
- The blog post is a great read for anybody dealing with credentials (meaning everybody…). The mistakes shown go beyond Apache Workflow. Many of the issues outlined can be found in a wide range of code dealing with storing and using credentials securely.
- The workflows leverage stored credentials for accessing services. Review your workflows to make sure that you are not embedding credentials in scripts or variables, but rather use the connections functions to manage those credentials where they are encrypted. Even so, verify the plain-text password value wasn’t also stored in the extras field.
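The check in the comment above, as an added example (not code from Intezer or the Airflow project): it audits JSON in the shape of `airflow connections export` and `airflow variables export` for a password repeated inside the `extra` field and for Variables whose names look like credentials. All sample connections, keys and values are constructed placeholders.

```python
"""Audit exported Airflow connections and variables for secrets stored in the clear.
Added example; input shapes follow `airflow connections export` and
`airflow variables export` (JSON). All sample data below is constructed."""
import json
import re

# Key names that usually carry a secret, inside a connection's `extra` JSON
# or as an Airflow Variable name.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def _parse_extra(extra):
    """`extra` is stored as a JSON string; treat empty or non-JSON values as no extras."""
    if not extra:
        return {}
    try:
        parsed = json.loads(extra)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def audit_connections(conns):
    """Return (conn_id, extra_key, reason) for every secret found inside `extra`.
    The dedicated `password` field is masked by the web UI, but `extra` is a
    free-form JSON blob rendered as entered, so a password copied into it is
    readable by anyone who can open the connection."""
    findings = []
    for conn_id, conn in conns.items():
        extra = _parse_extra(conn.get("extra"))
        password = conn.get("password") or ""
        for key, value in extra.items():
            if not isinstance(value, str) or not value:
                continue
            if password and value == password:
                findings.append((conn_id, key, "password duplicated in extra"))
            elif SECRET_KEY_RE.search(key):
                findings.append((conn_id, key, "secret-like key in extra"))
    return findings


def audit_variables(variables):
    """Return Variable names that look like credentials rather than configuration."""
    return sorted(name for name in variables if SECRET_KEY_RE.search(name))


# Constructed sample exports (placeholder credentials, not real ones).
SAMPLE_CONNECTIONS = {
    "aws_default": {"conn_type": "aws", "login": "AKIAEXAMPLE", "password": "s3cr3t-example",
                    "extra": json.dumps({"region_name": "us-east-1",
                                         "aws_secret_access_key": "s3cr3t-example"})},
    "pg_reporting": {"conn_type": "postgres", "host": "db.internal", "login": "report",
                     "password": "pg-example-pw", "extra": json.dumps({"sslmode": "require"})},
    "slack_hook": {"conn_type": "http", "host": "hooks.slack.com", "password": "",
                   "extra": json.dumps({"webhook_token": "xoxb-example"})},
}
SAMPLE_VARIABLES = {"PAYPAL_API_KEY": "example", "default_region": "us-east-1", "env": "prod"}
```

Run it against a real export by loading the two JSON files and passing them to `audit_connections` and `audit_variables`; every finding is a credential to move into a connection's `password` field or an external secrets backend.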
Read more in
- Misconfigured Airflows Leak Thousands of Credentials from Popular Services
- Misconfigured Apache Airflow instances expose credentials on AWS, PayPal and Slack
- Poorly Configured Apache Airflow Instances Leak Credentials for Popular Services
Phishing Scheme Used Telegram Bots
A phishing campaign that targeted at least eight Canadian banks used Telegram-based bots to gather account access information. The bots are being used to steal one-time passwords used in two-factor authentication.
- While 2FA using SMS or a phone call is a huge step in the right direction, these verification methods are subject to interception. When configuring services to support MFA, enable TOTP, physical tokens, smart cards or other mechanisms not subject to interception before allowing SMS/Phone options.
Read more in
- Telegram bots are trying to steal your one-time passwords
- Telegram bots used in phishing operation that bypasses one-time passwords
- Cybercriminals going after one-time passwords with Telegram-powered bots
Johnson Memorial Health in Indiana Suffers Cyberattack
Johnson Memorial Health in Indiana is operating under electronic health record (EHR) downtime following a cyberattack on October 2. Johnson officials say that no appointments or surgeries have been cancelled. Another Indiana healthcare provider, Schneck Medical Center, was hit with a cyberattack in late September. A third Indiana healthcare provider, Eskenazi Health, experienced a cyberattack in August, which resulted in the theft of patient and employee data.
- They are operating under EHR downtime procedures, which were previously established and tested. Consider the viability of operating with key systems offline. Make contingency plans accordingly. If operation without those systems is not viable, and a suitable option cannot be determined, engage senior management before you consider that not operating is an acceptable alternative.
- Criminals are disproportionately targeting healthcare. Patients are put at risk of injury and death and clinical data is being lost that will never be recovered.
Read more in
- Cyberattack drives Johnson Memorial into EHR downtime procedures
- Cyberattacks Disable IT Networks at 2 Indiana Hospitals
Alleged Ransomware Operators Arrested in Ukraine
Law enforcement authorities have arrested two people in Ukraine for their alleged involvement with ransomware operations. In a coordinated effort between the French National Gendarmerie, the Ukrainian National Police, and the United States Federal Bureau of Investigation (FBI), with the coordination of Europol and INTERPOL, authorities made the arrests and seized $375,000 in cash, €217,000 in assets, and have frozen $1.3 million in cryptocurrency.
Read more in
- Ransomware Gang Arrested in Ukraine With Europol’s Support
- Ransomware operators behind hundreds of attacks arrested in Ukraine
- Police Seize Boxes of Cash in Raid on Alleged Ransomware Gang Members
ESET: Remote Desktop Protocol Attacks are Increasing
According to the ESET Threat Report T2 2021, there has been a significant increase in Remote Desktop Protocol (RDP) endpoint attacks. ESET statistics indicate a 104 percent increase in attacks against RDP servers since its June report.
- This shouldn’t be news to anybody watching their logs over the last couple of years. A number of large credential leaks focused on RDP. We looked at some of the increases in RDP scanning in April of last year when it was noted as a significant entry point for ransomware (isc.sans.edu: Increase in RDP Scanning). Since then, we have seen a steady rise in the number of sources scanning for RDP with occasional surges in reports (isc.sans.edu: Port 3389 (tcp/udp) Attack Activity). Note that this increase isn’t so much caused by remote working. These systems have been exposed before, but leaked credentials gave attackers new tools to attack these exposed systems.
- Two points on this one: (1) monthly or even quarterly changes in the technical targets of attacks aren’t very meaningful overall, since usually the next month or quarter will be very different. This one shows the growth mostly in attacks against targets in Spain, so often still regional info to be gained; and (2) there was a lot of emergency use of RDP to support work from home. By now that use should be replaced with more secure remote access approaches – see the NSA/CISA VPN guidance listed in another item in this issue of Newsbites.
- Whether exploited or not, your pentesters should tell you that services like RDP, VNC, SMB, etc. exposed to the internet are bad. Please, please, please put them behind a good VPN with MFA. See also: today’s article on VPN security. (-:
- With the increased telework, many added services were made Internet accessible, quickly. Those often include RDP, which makes access easy for users and malicious actors. Remote access must require multi-factor authentication to thwart the value of captured credentials. Put your RDP services behind a secure remote access gateway rather than exposing them directly to the Internet.
- Unsecure RDP connections are one of the top attack vectors that ransomware gangs use to infiltrate companies. Microsoft have published a guide on how to secure RDP (www.microsoft.com: Security guidance for remote desktop adoption). But you should also identify all remote management tools and platforms that are in place within your organization, ensure they are secured appropriately, and regularly conduct reviews to make sure they remain secure.
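The leaked-credential pattern the comments above describe shows up in Windows Security logs as bursts of failed RemoteInteractive logons against many accounts from one source. This added detector (not from ESET or the newsletter) runs over constructed event records with the field names Event Viewer exposes; Event ID 4625 is a failed logon and LogonType 10 is the RDP logon type.

```python
"""Flag password spraying against RDP from Windows Security logon events.
Added example; assumes events are already parsed into dicts with the field
names below. The sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # "An account failed to log on"
RDP_LOGON_TYPE = 10     # RemoteInteractive: Terminal Services / RDP


def rdp_spray_sources(events, window=timedelta(minutes=10), min_failures=5, min_users=3):
    """Return {source_ip: (failures, distinct_users)} for sources that produce at
    least `min_failures` RDP logon failures against at least `min_users` accounts
    within any span of `window`. Many accounts from one source is the signature of
    a leaked credential list being replayed, unlike one user mistyping a password."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] != FAILED_LOGON or ev["LogonType"] != RDP_LOGON_TYPE:
            continue  # successes and non-RDP logon types are out of scope
        by_ip[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide the window
                start += 1
            span = attempts[start:end + 1]
            users = {user for _, user in span}
            if len(span) >= min_failures and len(users) >= min_users:
                hits[ip] = max(hits.get(ip, (0, 0)), (len(span), len(users)))
    return hits


def _ev(ts, event_id, logon_type, ip, user):
    return {"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample: one source trying five accounts in 21 seconds, one user
# mistyping once and then logging in, and a network (type 3) failure that must not count.
SAMPLE_EVENTS = [
    _ev("2021-10-01T02:14:05", 4625, 10, "203.0.113.7", "administrator"),
    _ev("2021-10-01T02:14:09", 4625, 10, "203.0.113.7", "admin"),
    _ev("2021-10-01T02:14:14", 4625, 10, "203.0.113.7", "backup"),
    _ev("2021-10-01T02:14:20", 4625, 10, "203.0.113.7", "scanner"),
    _ev("2021-10-01T02:14:26", 4625, 10, "203.0.113.7", "jsmith"),
    _ev("2021-10-01T02:14:31", 4625, 3, "203.0.113.7", "jsmith"),
    _ev("2021-10-01T08:02:11", 4625, 10, "198.51.100.20", "mlee"),
    _ev("2021-10-01T08:02:40", 4624, 10, "198.51.100.20", "mlee"),
]
```

Tune `min_failures` and `min_users` to your own baseline; an RDP service that is reachable only through a gateway with MFA should produce none of these hits from Internet addresses.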
Read more in
- ESET Threat Report T2 2021
- Attacks against Remote Desktop Protocol endpoints have exploded this year, warns ESET’s latest Threat Report
Let’s Encrypt Root Certificate Expiration Causes Problems
A Let’s Encrypt root certificate expired, disrupting some popular websites and services. There had been advance warning that the IdenTrust DST Root CA X3 certificate would expire on September 30.
- Certificate management has long been overlooked – expired certificates are a continual source of self-inflicted denial-of-service attacks. This used to be just an internet-facing web server problem, but with the increased use of SSL everywhere (both internally and with more than browser to server connections) it becomes more critical. Discovering what certificates are in use and when they will expire is the first step, and should be considered a required function within asset inventory and vulnerability management processes.
- While you’ve been focused on getting all your sites to be TLS only, and implementing processes and automation to keep those current, don’t overlook the processes needed to keep your root certificate stores current. While you’re working to judiciously apply patches such as browser and OS updates which include updated certificates, don’t overlook application server/service updates which may also include local root certificate stores.
- This Let’s Encrypt issue is a good lesson in how vendors and manufacturers think about technology. Deploying certificates is a great and helpful idea. The part of the challenge that I believe many companies or technologists miss is day 2. How do you handle updates for maintenance items on devices that are not general-purpose computers? TVs, printers, light bulbs, Internet connected toasters? How do you revoke or update a certificate on a printer? An intermediary certificate with ten years of life on a device with a ten-year life span is ideal. Using that same certificate on a device created six months ago? Probably not ideal unless you can update it.
Read more in
- Fortinet, Shopify and more report issues after root CA certificate from Lets Encrypt expires
- Xero, Slack suffer outages just as Let’s Encrypt root cert expiry downs other websites, services
Ransomware Attack May Have Contributed to Patient’s Death
A lawsuit alleges that a 2019 ransomware attack against an Alabama hospital’s network prevented healthcare providers from monitoring possible life-threatening conditions that eventually led to the death of a patient. (Please note that the WSJ story is behind a paywall.)
- Critical systems need adequate protection. Isolate systems which, if compromised, can result in loss of life, and limit access to only authorized systems and users. Verify those separations are in place on a regular cadence, removing any access which is no longer needed.
- Over the years there have been worms, distributed denial-of-service and ransomware attacks that have tragically been associated with loss of life. Lawsuits have followed but have rarely if ever been successful. That doesn’t change the fact that functions that are life critical should be protected at a much higher level, with regularly tested backup approaches and prioritized monitoring.
Read more in
- A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death (paywall)
- Baby’s Death Alleged to Be Linked to Ransomware
- CIVIL ACTION NO. 02-CV-2020-900171
NSA & CISA Guide on VPN Security
The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a guide to virtual private network (VPN) security. The guide offers advice for choosing a VPN as well as details for secure deployment.
- Sound advice and it may help justify spending some time reviewing VPN configurations. While some of the recommendations (for example limiting the IP addresses users connect from) may not be practical for a remote access solution, keeping your software up to date and implementing two factor authentication is a must at this point for any remote access solution.
- This guide encapsulates the basics for you to verify your VPN is well chosen and securely configured. Configure secure encrypted protocols, keep them patched and select products which you can verify are genuine. Make sure that multi-factor authentication doesn’t exclude any accounts. If you have the infrastructure to support certificate-based authentication, consider that as an option. Make sure certificates cannot be easily extracted and moved to unauthorized systems. Also make sure that your VPN grants access only to the services each user needs.
- It feels like we are rehashing this conversation again with SSL VPNs. Initially, we said that HTTPS-based VPNs were less than ideal, specifically those used to port forward through Java Applets. Now the guidance has shifted even more interestingly. Use standards-based protocols like IPSEC and be able to inspect the code itself. The interesting problem here is that all enterprise VPNs, with few exceptions, are closed sourced. The open source options lack many of the logging/auditing/firewalling features most organizations need. It sounds like an opportunity for someone to fill the gap. This problem is even more challenging when you get to the newer Service Defined Perimeter options which form Zero Trust. Almost all of these are opaque and sometimes with custom VPN Protocols—still excellent guidance from CISA and the NSA.
- Terminate VPNs on the application, not the operating system or the perimeter.
Read more in
- NSA, CISA Release VPN Security Guidance
- NSA, CISA partner for guide on safe VPNs amid widespread exploitation by nation-states
- Selecting and Hardening Remote Access VPN Solutions (PDF)
CISA Releases Insider Threat Assessment Tool
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an insider threat self-assessment tool for public and private sector organizations. The Insider Risk Mitigation Self-Assessment Tool provides a list of questions to help organizations assess their risk posture. CISA says “The tool will also help users further understand the nature of insider threats and take steps to create their own prevention and mitigation programs.”
- When was the last time you assessed your insider threat posture? Use the CISA tool to take a fresh look at your posture. Use the assessment report to plan for any improvements, and note your successes.
- Keep in mind that while insider threat is low, consequences and risk are high. Focus on controls (e.g., vetting at hiring, supervision, training, separation of duties, job rotation, mandatory vacations, accountability, recognition, compensation).
Read more in
- CISA Launches Insider Threat Self-Assessment Tool
- CISA releases tool to help orgs fend off insider threat risks
- CISA Releases New Tool to Help Organizations Guard Against Insider Threats
FoggyWeb Backdoor Malware
A recent Microsoft Threat Intelligence Center blog post details newly detected malware being used by the Nobelium threat actor. The FoggyWeb post-exploitation backdoor is “capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.”
- This exploit is leveraging DLL search order hijacking and applies to both your on-premises and cloud based AD FS services. Read the Microsoft bulletin for the techniques and IOCs used. Microsoft-provided security products, such as Defender, already detect Nobelium/FoggyWeb. Review your security settings, make sure credentials are issued using best practices, and use HSM modules to prevent exfiltration of secrets by FoggyWeb. Use Microsoft’s best practices guide for securing AD FS. docs.microsoft.com: Best practices for securing Active Directory Federation Services
- Once again, ADFS is back in the news. We talked about blood in the water, and this will not end for some time. Anyone who spends any time searching the internet will see that ADFS is used in some of the world’s largest and most important institutions. We should treat this just like we treat VPNs. It’s the edge of your network; in this case, it’s the edge of your identity perimeter. It’s also connected directly to Active Directory, and many times it’s part of the Azure Active Directory Flow.
Read more in
- FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
- SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor
- Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang
CISA and Girls Who Code Partnership
The Cybersecurity and Infrastructure Security Agency (CISA) is partnering with Girls Who Code “to develop pathways for young women to pursue careers in cybersecurity and technology.” CISA Director Jen Easterly said, “The gender gap that exists in the cybersecurity workforce contributes to the overall cyber workforce shortage that persists in the United States and globally, which ultimately makes us less prepared to deal with the threats of today and tomorrow.”
- SANS has a Girls Go Cyberstart initiative (https://girlsgocyberstart.org/) that has partnered with Girls Who Code in the past. Bringing women and minorities into cybersecurity both increases the size of the workforce and the effectiveness and diversity of security teams.
- This is an excellent opportunity as CISA is becoming not only more central in US government cyber security, but also interfacing with the private sector, particularly critical infrastructure, and is seeking needed cyber talent to meet its mission. The networking opportunities are outstanding.
Read more in
- CISA and Girls Who Code Announce Partnership to Create Career Pathways for Young Women In Cybersecurity And Technology
- CISA, Girls Who Code team up to build early career pipeline for women
Russian Cybersecurity CEO Arrested for Alleged High Treason
Authorities in Russia have arrested the CEO of a cybersecurity company on suspicion of high treason. Law enforcement raided the offices of Group-IB on September 29. Ilya Sachkov, CEO and co-founder of Group-IB, allegedly shared data with foreign intelligence entities.
- Given the recent high level political talks about ransomware, such as talks at the G7 summit, this is a worrying development. Group-IB have been very effective in sharing data with law enforcement in dealing with cyber-crime. Such actions against senior figures in cyber security companies may discourage others from sharing similar information and negatively impact our ability at a global level to deal with the threat of cybercrime and in particular ransomware.
- When sharing data, particularly internationally, be very clear on export control and legal jurisdiction surrounding that information. Verify the agency which regulates your industry and the information category.
Read more in
- Russia arrests cybersecurity expert on treason charge
- Russia arrests cybersecurity firm CEO after raiding offices
Indiana Hospital Suffers Cyberattack
Schneck Medical Center in Indiana has disclosed that it was the victim of a cyberattack and that “Out of an abundance of caution, access to all IT applications within [its] facilities were suspended.” Most services at the facility appear to be unaffected.
- This shows the need for clear communications when responding to an incident. While some services are offline, such as the phone system, other changes, such as delaying certain procedures due to pandemic induced capacity constraints, are also being erroneously attributed to the attack. Communicate fully and clearly and provide regular updates during an incident.
Read more in
- Indiana hospital suspends IT systems in response to ongoing cyberattack
- Schneck Medical Center Victim of Cyberattack
US Lawmakers Want to Hear FBI’s Reasons for Delaying Release of Ransomware Decryption Key
US legislators are demanding that FBI director Christopher Wray appear before Congress to explain the agency’s reasons for withholding the decryption key for the ransomware that infected Kaseya software. Last week, the Washington Post reported that the FBI obtained the key by accessing servers used by the criminals who launched the attack; the agency held onto the decryption key for nearly three weeks before sharing it with Kaseya.