FDIC Rule for Banks to Report Breaches
The US Department of the Treasury’s Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC) have finalized cybersecurity incident notification requirements for banks. The new rule requires banks to report security incidents to the FDIC within 36 hours after detection. The rule defines a qualifying cybersecurity incident as an event that “results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” The rule takes effect April 1, 2022, with full compliance extended until May 1, 2022.
- Some will be excited about this 36 hour disclosure timeline, but as an IR practitioner, I’m pretty sure it’s not going to be a net positive. First, while it’s obvious that hiding a breach is counter to the public’s interest, it’s not clear what a 36 hour timeline will do to protect customers that a five day deadline won’t. Second, every time I’ve seen accelerated disclosure timelines like this, there’s a countering force where organizations try to thread the legal needle of what precisely constitutes an incident. The definition in this case is fairly comprehensive – so much so that it’s hard to imagine what doesn’t constitute a reporting requirement. Overly broad definitions like this don’t serve the public interest. Instead, they provide a convenient excuse for organizations to interpret the rules to avoid “reporting every little thing.”
- It’s interesting to see regulators outside of the EU adopt GDPR type regulations, in particular with regards to mandatory reporting. However, I hope the FDIC will learn from some of the issues experienced when GDPR was first introduced by ensuring it has enough resources to deal with the volume of reports it will received and that it gives clear guidance as to what determines a breach to be reportable. Finally, it is also critical that reported breaches are followed up to ensure the victim organisations investigate and remediate the breach properly and they simply don’t treat the reporting requirement as a box ticking exercise.
- There was a lot of squishy language (like “good faith estimate”) in the original wording that was eliminated in response to comments, a good thing. But, the basic definition of a “notification incident” is still pretty broad. For example, outages cause by service provider downtime that would still not violate the service providers SLAs could be considered a “notification incident.” The other issue will be do the Treasury Agencies use all this data to proactively alert banking institutions of potential coming attacks or is it just a data collection effort?
- Work with your regulator to understand the final order as it gets refined and clarified over the next six months. Develop a clear understanding of what the notification criteria mean for your financial institution and be sure you know exactly who and how you are supposed to file the notification with.
Read more in
- Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (PDF)
- New rule says banks now have 36 hours to report a security incident to the FDIC
- US Banks Will Be Required to Report Cyberattacks Within 36 Hours
- Banks must report major cyber incidents within 36 hours under finalized regulation
- Regulators: Banks Have 36 Hours to Report Cyber Incidents
Sky Routers Patched 17 Months After Vulnerability Disclosure
Sky Broadband has rolled out a fix for a critical DNS rebinding vulnerability affecting six million Sky routers in the UK. The flaw could be exploited to access the router’s home network, change router configuration, and traverse the network to access other devices. The flaw was first disclosed to Sky in May 2020 and was initially set to be mitigated by November 2020. Sky says that as of October 22, 2021, 99 percent of affected routers have received the update.
- Consumers often have no choice but to wait for ISPs to apply patches to equipment supplied by the ISP. Having ISPs roll out patches *should* make things easier for users, but ISPs do need to perform and not leave users hanging with unpatched equipment.
- This patch took entirely too long to implement, though it was a fairly complex attack not likely to be exploited en-masse. That doesn’t change the severity of the vulnerability though. Organizations setting clear timelines with researchers and researchers holding organizations to those timelines will keep everyone safer. I know Google Project Zero takes a lot of heat for its mandatory disclosure timelines, but that’s what keeps bugs like this from going unpatched for more than a year.
- After you make sure that your router is updated, provided you didn’t replace it waiting on this critical update. You’re going to want to check your systems for exploitation. Encourage Sky to come out with bug fixes in a more timely fashion.
Read more in
- 6M Sky Routers Left Exposed to Attack for Nearly 1.5 Years
- Six million Sky routers exposed to takeover attacks for 17 months
Biomanufacturing ISAC Issues Advisory on Tardigrade Malware
The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has published an advisory describing malware that has been used to target biomanufacturing firms. Dubbed Tardigrade, the malware was first detected in the wake of a ransomware attack. It has the functionality of a trojan, and uses sophisticated detection evasion techniques. Tardigrade is ”actively spreading” in the biomanufacturing industry.
- This report is definitely interesting, but it should be noted that at the time of publication for this NewsBites there are significant questions about the BioISAC report in the CTI community. I haven’t personally reviewed the sample yet, but have reviewed the BioISAC report and am working with people who have directly analyzed the sample. We’ll publish more on this in the next NewsBites. If the story hadn’t already gained major national media attention, we likely wouldn’t have included it here given the questions about the original reporting.
Read more in
- BIO-ISAC Releases Advisory to Biomanufacturers
- Devious ‘Tardigrade’ Malware Hits Biomanufacturing Facilities
- Biomanufacturing companies getting hit by hackers potentially linked to Russia
Server Problems Lock Some Tesla Owners Out of Their Vehicles
On Friday, November 19, Tesla owners around the world reported being unable to communicate with their vehicles using the Tesla app. For some Tesla owners, the app is their only method of unlocking their vehicles. Elon Musk said the problem was due to “accidentally increased verbosity of network traffic.”
- As our world becomes more and more reliant on the Internet and computers, I hope that manufacturers will recognize the need to implement manual backup.
- Musk reported that steps were taken to prevent recurrence. While on-line and electronic access to vehicles is really cool, make sure you have a plan B. If your Tesla has a key fob support, make sure that you have a working fob as a backup, otherwise map out what you would do if you can no longer access or drive your vehicle. Be sure to test Plan B at least once.
- Handing your car keys to the “cloud” may not be a great idea when it rains “verbose network traffic.”
- I’m not sure any Tesla models can only be unlocked via a mobile app to Tesla server connection but if anyone has bought a vehicle that works that way, hard to be sympathetic. I can pretty much guarantee the multiplication of (cell phone availability times Internet connection to server) times (server availability) times (server connection to car) results in an availability number way lower than most people need for getting into their car…
Read more in
- Some Tesla owners unable to unlock cars due to server errors
- Tesla server outage allegedly leaves owners unable to drive their cars
FBI Flash Alert: FatPipe 0-Day is Being Actively Exploited
The FBI has issued a Flash Alert warning of an actively exploited 0-day in FatPipe WARP, MPVPN, and IPVPN Software. An unknown threat actor has been exploiting the flaw in FatPipe MPVPN networking devices since May 2021. The vulnerability allows the attacker to obtain a foothold and maintain a persistent presence in targeted systems. According to the TLP:White alert, “The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity.”
- Patch this before leaving for the long weekend if possible. This vulnerability is being exploited already (for a few months!). I know, this will not be easy for a device like a load balancer, but the alternatives aren’t pretty. The vulnerability fits well into the ransomware actor playbook.
- Make sure that you rolled out the updates to your FatPipe WARP, MPVPN and IPVPN devices; disable UI and SSH access from the WAN interface; deploy the IOCs and verify you’re not seeing any malicious activity. If you find indicators of related activity, reach out to your local FBI office.
Read more in
- An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software (PDF)
- FBI Issues Flash Alert on Actively Exploited FatPipe VPN Zero-Day Bug
Some Healthcare Entities Delayed Patient Breach Notification
In the past several weeks, three US healthcare entities have exceeded the Health Insurance Portability and Accountability Act’s (HIPAA’s) 60-day patient breach notification requirement. None of the entities – Sea Mar Community Health Centers in Seattle; Lakeshore Bone and Joint Institute in Chesterton, Indiana; and Putnam County Memorial Hospital in Missouri – provided a reason for the delayed notification.
- While healthcare organizations are at the top of the list of cyber targets these days, the current environment has made it difficult for any company to be adequately staffed for the expected workload, let alone incident response. If reporting is delayed, be sure to document the contributing factors and be prepared to defend that in court.
Read more in
Exchange Servers and Internal Reply-Chain Attacks
Attackers are exploiting Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities to conduct spam campaigns. The attacks hijack email chains and inject the spam messages in existing email threads.
- The first mitigation is to make sure your on-premises exchange servers are fully patched. Make sure that your endpoint protection server solution is deployed to your servers (as opposed to the desktop version). Make sure the linked IOCs are incorporated into your SIEM. Look to see where moving to hosted exchange servers is on your roadmap; then move it up the list.
Read more in
- Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
- Microsoft Exchange servers hacked in internal reply-chain attacks
- Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns
- Attackers Hijack Email Threads Using ProxyLogon/ProxyShell Flaws
Breach Compromised GoDaddy Managed WordPress Customer Data
In a November 22 filing with the Securities and Exchange Commission (SEC), GoDaddy disclosed “unauthorized third-party access to [its] Managed WordPress hosting environment.” The intruder used a compromised password to gain access to GoDaddy systems in early September. GoDaddy detected the problem on November 17. The incident exposed up to 1.2 million users’ email addresses and subscriber numbers, the admin password originally used to provision the subscribers WordPress instance, SFTP usernames and passwords; in some cases, SSL private keys were also exposed. The account has been changed, passwords reset, SSL keys reprovisioned, and impacted users are being notified.
- Privileged accounts, particularly those used to configure multiple systems on behalf of others, need strong authentication which is replay resistant. If you must use a password, use the longest possible password the system support; if possible, regenerate that password on a frequent basis. Consider configuring these accounts with added access control and active monitoring to provide visibility to unusual actions as well as stop unauthorized inbound and outbound activities. If you are an impacted GoDaddy user, GoDaddy changed your Admin, SFTP and DB passwords, you will need to change your admin password twice, once through password recovery and a second time through the admin users’ interface to reset the ability to manage your site through the GoDaddy dashboard. Suggest having your users also reset their passwords. If your SSL certificate is impacted, a free Domain Validation SSL certificate with a one-year duration will be installed, which can be replaced at your leisure. Lastly, GoDaddy says to make sure you’re checking the health and security of your WordPress site, consider a firewall, your active plugins are auto updated and unused ones are deleted. Additionally, make sure that you configure multi-factor access on your GoDaddy subscriber account.
Read more in
- GoDaddy Announces Security Incident Affecting Managed WordPress Service
- Up to 1.2 million GoDaddy customers’ data exposed in breach
- Over a million WordPress sites breached
- GoDaddy hack causes data breach affecting 1.2 million customers
- SSL keys, sFTP passwords and more exposed after someone broke into GoDaddy Managed WordPress using ‘compromised password’
Wind Turbine Firm Vestas Acknowledges Cyberattack
Danish wind turbine manufacturer Vestas Wind Systems was the victim of a cyberattack on Friday, November 19. The company shut down IT systems in multiple locations to prevent the effects of the attack from spreading. Vestas said that the attackers compromised data.
- Some customer data exfiltrated and the IT systems are being verified for integrity prior to restarting services. Despite the Biden Administration publishing guidance to leave critical systems alone, attackers continue to target them. When the details of this attack are published, it’ll be a good use case to compare your current security readiness against.
Read more in
- Update on cyber security incident
- Wind turbine giant Vestas’ data compromised in cyberattack
- Wind turbine giant Vestas says data was compromised in security incident
- Turbine maker Vestas Wind Systems admits to cyber incident, refuses to confirm if ransomware is at play
Utah Imaging Associates Discloses Data Security Breach
Cyber intruders had access to the network of Utah Imaging Associates for about a week earlier this year. The radiology center says the incident affected nearly 600,000 people. The compromised data include names, Social Security numbers, health insurance policy numbers, and medical diagnosis, treatment, and prescription information.
- This incident was discovered and remediated September 4th 2021, the same day! Unfortunately, the initial intrusion started August 29th. Review which systems and services are exposed to the Internet, making sure critical systems are not in that list, that your backups are working and verified; make sure that you’re still conducting phishing exercises.
Read more in
- Utah medical center hit by data breach affecting 582k patients
- Utah Imaging Associates, Inc. Notifies Indivdiuals of Data Security Incident
US, UK, and Australia Warning About APT Activity
In a joint alert, law enforcement and cybersecurity agencies in the US, the UK, and Australia warn that cyberthreat actors with ties to Iran are targeting organizations in the healthcare and transportation sectors. The advanced persistent threat (APT) group is exploiting vulnerabilities in Microsoft Exchange ProxyShell and Fortinet.
- Review the mitigations in the bulletin irrespective of whether you see yourself as a target. Make sure that you’re keeping systems patched and updated. Take another look at allow/deny lists, particularly on servers which are purpose built to block the execution of unknown software. Make sure that you are always using MFA on privileged accounts and on any remotely accessible services.
Read more in
- Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
- CISA: Iranian Government-Sponsored Threat Actors Targeting Healthcare
- US, Australia and UK warn Iranian hackers leveraging known vulnerabilities to deploy ransomware
Netgear Releases Updates to Fix RCE Flaw in Multiple Products
Netgear has released firmware updates to address a pre-authentication buffer overflow vulnerability that affects multiple products, including extenders, routers, DSL modem routers, AirCards, and cable modems. The flaw is due to the Universal Plug and Play daemon accepting unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests.
- As usual: Please update. Even if your router is not affected by this vulnerability: Double check if there is new firmware for it. It is so easy to miss an update. The UPNP protocol has had various issues over the years, and it should be disabled in your router if possible. It could be used to remove firewall rules, even if it works as designed.
- UPnP allows applications to setup forwarding automatically, rather than manually configuring these on your router. Even so, consider disabling it if you don’t need it. If you don’t have an option to automatically update your firmware, make sure that your processes include monitoring for security updates and verification of their timely installation. Disable unneeded services. Verify you’re on the distribution lists for your vendor’s security notifications. Check with your vendor to verify you remain eligible for updates, which may include service contracts or active lifecycle management.
Read more in
- Security Advisory for Pre-Authentication Buffer Overflow on Multiple Products, PSV-2021-0168
- Seamlessly Discovering Netgear Universal Plug-and-Pwn (UPnP) 0-days
- Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models
GitHub’s Commitment to npm Security
In a blog post, GitHub details two incidents involving the npm registry and its subsequent investigations. GitHub also writes that it will begin requiring two-factor authentication (2FA) for maintainers and admins of popular npm packages. The requirement will start rolling out in early 2022.
- Good steps by GitHub to mitigate some of the larger issues around npm. At this point, there have been just too many compromised npm packages. I like GitHub proactively scanning for malicious code. Now we will have to see if the scans are sufficient to make a difference.
- Every movement away from reusable passwords is a good thing. Do your IT admins and other privileged user accounts still rely on reusable passwords for authentication?
- Active enforcement of mitigations, such as requiring strong authentications, versus providing it and waiting for users to maybe implement it, is a much stronger position to be in. Even if you’re not npm, you should ensure that 2FA is enabled for accounts updating your content.
- Opt-in to strong authentication leaves the balance between security and convenience to the end user. That is an appropriate default for many applications. As noted when this problem was first reported, this is not one of them.
Read more in
- GitHub’s commitment to npm ecosystem security
- NPM fixes private package names leak, serious authorization bug
- Vulnerabilities in NPM allowed threat actors to publish new version of any package
UK Government Guidance on Security Rules for Tech Mergers and Acquisitions
Section 3 of the UK’s National Security and Investment Act 2021 will give ministers the authority (and responsibility) to impose conditions on or even block technology mergers and acquisitions if there are national security issues involved. Technologies deemed relevant to national security include Artificial Intelligence, Computing Hardware, Cryptographic Authentication, and Data Infrastructure. The National Security and Investment Act takes effect in January 2022.
- Having controls on technology which impacts critical or sensitive processes and systems is important. When a product you’re using is merged or acquired, it’s a good idea to assess the new company to see if they remain in a supportive position. In government this is even more important. The intent of this legislation is good. The included categories are very broad, could allow for challenges relating to applicability.
Read more in
- UK government publishes guidance on security rules for tech takeovers
- National Security and Investment Act 2021: Statement for the purposes of section 3
CISA Cybersecurity Playbooks for Federal Agencies
The US Cybersecurity and Infrastructure Security Agency (CISA) has published incident and vulnerability response handbooks for Federal Civilian Executive Branch (FCEB) agencies. CISA writes that the “playbooks provide FCEB agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks.”
- There is also a promise that future versions of these playbooks will be used outside FCEB agencies. The practices currently captured already have broad applicability beyond the intended audience and include areas such as incident response, detection & analysis to containment, eradication, and recovery. The playbooks do include CISA/DHS reporting requirements, which are less applicable to the private sector; you’ll want to map those to your regulators. Lastly, leverage CISA resources and consulting to help you verify you’re good to go. These services are covered by tax dollars and are free to businesses within the US.
- Having a playbook is a good first step. Like everything else, it requires practice. Ensure the correct people are briefed and trained as much as possible. The more you test and measure people and process, the more opportunities to improve before the real test.
Read more in
- Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems (PDF)
- CISA releases cybersecurity response plans for federal agencies
- CISA issues cybersecurity incident, vulnerability response playbooks for federal agencies
Microsoft Fixes Information Disclosure Vulnerability in Azure Active Directory
Microsoft has mitigated an information disclosure vulnerability in Azure Active Directory. The flaw was due to a misconfiguration issue that allowed private key data to be stored in clear text. Microsoft’s guidance lists its mitigations and suggested customer remediations for affected products and services.
- Check the notice for the specific technologies affected. If you’re using any of them, you need to follow the advice from MS to secure these credentials.
Read more in
- Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs
- CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory
- Microsoft Informs Users of High-Severity Vulnerability in Azure AD
DHS Cybersecurity Talent Management System
The US Department of Homeland Security (DHS) has launched the Cybersecurity Talent Management System (CTMS), which was created to help the department “more effectively recruit, develop, and retain cybersecurity professionals.” People hired through CTMS will be part of the DHS Cybersecurity Service, which will protect critical infrastructure from cyber threats.
- A key success factor will be using market-based pay rather than the old government GS scale wage. DHS has around 1,500 cyber security vacancies, 1,000 of which fit into CTMS, and looking for 150 people to hire in 2022.
- As a part-time government employee, infosec professional, and MBA, I’ve been amazed at how little the US Government (and much of industry, frankly) has done to try and attract top talent. The DoD figured this out years ago for medical professionals by instituting significant incentives above and beyond standard pay rates. Kudos to DHS for offering the same in infosec.
Read more in
- DHS announces new program to attract and retain cybersecurity talent
- The US government just launched a big push to fill cybersecurity jobs, with salaries to match
- US DHS Launches New System for Hiring, Retaining Cyber Talent
CISA Working Group on Space Infrastructure
The US Cybersecurity and Infrastructure Security Agency (CISA) has formed a cross-sector working group to assess risks to federal and private space infrastructure. CISA’s main focus will be ”mitigating cyber risks to position, navigation and timing (PNT) services and GPS.”
- The trick is there are not spare cycles on these systems to implement encryption or other hardening steps, and like OT, their lifecycle is measured in decades not years. It will likely take a phased approach, where replacement services are secure enough; the trick is funding that model as you can’t practically just land and re-launch existing infrastructure after modifications.
- Our acceptance, use of, and reliance on these services has exceeded our wildest expectations when they were introduced. They are so much a part of our daily lives that we are likely to notice them mostly in the breach. It should be obvious that the risks can only increase, perhaps exponentially, in proportion to our use and reliance; the issue is mitigating them.
Read more in
Oversight Committee Finds ‘Small Lapses’ Led to Ransomware Attacks
A memo from the US House Oversight and Reform Committee summarizes findings gained from investigations into the ransomware attacks against Colonial Pipeline, JBS USA, and the CNA Financial Corporation. Each of the three companies paid a ransom; and in each case, initial purchase in the company’s network was made through “minor security lapses,” such as a user account with a weak password and an employee downloading a phony browser update. The committee also says that “some companies lacked clear initial points of contact with the federal government,” impeding responses to the attacks.
- Rather than say “minor security lapses” I’d say “initial penetration was successful due to lapses in basic security hygiene which are easily preventable.” Not to mention that “weak password” is an oxymoron.
- Don’t forget to verify the small things are also done, such as account disablement, active monitoring and response, clear incident POC information, not just on your web site and DR plans, but also with your regulator, or security sector. Leverage security.txt files to provide contact information. Consider a [email protected] email list, which you are parsing with your SIEM, not directly reading.
Read more in
- Oversight finds ‘small lapses’ in security led to Colonial Pipeline, JBS hacks
- Supplemental Memo on Committee’s Investigation into Ransomware (PDF)
Middle East Eye News Site Compromised in Watering Hole Attack
Researchers at ESET have detected a watering hole attack that targeted several websites, including the Middle East Eye news site. The campaign was active between March 2020 and August 2021. The attacks targeted specific site visitors. The campaign also targeted government websites in Yemen, Syria, and Iran, and an Italian aerospace company.
Read more in
- Strategic web compromises in the Middle East with a pinch of Candiru
- Hackers Compromised Middle East Eye News Website to Hack Visitors, Researchers Say
FBI: Portal Compromised to Send Fake Cyberattack Alerts
The FBI has acknowledged that “a software misconfiguration … temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails.” The phony messages warned recipients of an impending cyberattack.
- If your company is involved in an FBI investigation: Expect a personal visit or at least a phone call instead of an email. That said, it can be difficult to establish trust in a situation like this (certainly check IDs). But one thing I always suggest is to participate in local InfraGard chapters which may help establish some relationship with local FBI agents before the incident.
- Major lessons learned from this one: (1) attackers are still constantly scanning exposed servers and finding and exploiting misconfigured and unpatched apps and servers; (2) that means quick detection and assessment of changes is still essential to beat them to the punch.
- This is a good example of why the advice “to not click on links or attachments in emails from untrusted sources” is so outdated. We should instead be coaching people to be wary of unexpected emails and to review them with care before actioning them.
- The Brian Krebs article includes details from an interview with Pompompurin, the person claiming responsibility for the attack. If the claims are accurate, the vulnerability demonstration is embarrassing, but a good reminder about the need to carefully pen test systems.
- Environmental drift is real. Point in time assessments are not the only way to spot them. Continuous (or close to) control validation and change management may have identified this “temporary software misconfiguration” earlier.
Read more in
- FBI Statement on Incident Involving Fake Emails
- FBI spams thousands after ‘software misconfiguration’
- Bad form: FBI server sending fake emails taken offline and fixed, no data impacted
- Hoax Email Blast Abused Poor Coding in FBI Website
- FBI confirms Law Enforcement Enterprise Portal compromise in cyberattack
Researchers at AT&T AlienLabs have detected new malware that could be used to target millions of routers and other IoT devices. The malware has more than 30 exploit functions. Dubbed BotenaGo because it is written in the Go open source programming language, the malware conducts scans to discover vulnerable devices.
- No big news here. These are the same routers and IoT devices that are compromised several times a day by a variety of different bots harvesting the internet for vulnerable devices to use them for crypto coin mining, DDoS attacks or as attack platforms.
- This should be a call-to-action for organizations to evaluate the devices permitted on the network. Vulnerable IoT or consumer-market devices are not just a home-network problem. These devices also appear on enterprise and government networks and introduce risks outside typical patch management and vulnerability remediation programs. IT asset management is a valuable resource for organizations to get an informed view about assets on their networks.
- Gratuitous and vulnerable code in many of these devices will result in their being put into botnets.
Read more in
- Millions of Routers, IoT Devices at Risk from BotenaGo Malware
- This mysterious malware could threaten millions of routers and IoT devices
- AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits
New Rowhammer Attack
Researchers from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm Technologies have discovered vulnerabilities in DRAM memory devices. The flaws break mitigations that were put in place to prevent Rowhammer attacks. While previous Rowhammer attacks have involved simple uniform patterns of “hammering,” the new attack uses more complex patterns.
- The practicality of these attacks has been disputed at times, and I could not find any examples of them being used in actual breaches. But this may be more a fact of other, simpler vulnerabilities, still being available for privilege escalation. In the end, these vulnerabilities put a big dent in the myth that it is possible to separate processes on highly integrated hardware. For example, it may not be advisable to use shared systems like cloud computing for sensitive workloads.
Read more in
- Serious security vulnerabilities in computer memories
- DDR4 memory protections are broken wide open by new Rowhammer technique
- When the world ends, all that will be left are cockroaches and new Rowhammer attacks: RAM defenses broken again
CISA: ICS Equipment Advisory
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an ICS advisory urging admins to install updates to address “vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations.” The flaws could be exploited to induce denial-of-service and buffer overflow conditions, which could result in remote code execution and data exposure.
Read more in
- Multiple Data Distribution Service (DDS) Implementations
- CISA warns of equipment vulnerabilities from multiple vendors
Nucleus:13 Vulnerabilities Affect Siemens Nucleus TCP/IP Stack
Critical vulnerabilities in Siemens Nucleus RTOS TCP/IP Stack could be remotely exploited to leak information, execute code, and create denial-of-service conditions. The vulnerabilities include type confusion, improper validation, and out-of-bounds read issues. The flaws, which are known collectively as Nucleus:13, pose risks to some medical devices. Siemens has released fixes for the flaws.
- These vulnerabilities remind me of similar flaws from days long past. Old vulnerabilities are new again when developers reinvent TCP/IP stacks. It’s another good reminder about the need to carefully pen test systems.
Read more in
- ICS Advisory (ICSA-21-313-03) Siemens Nucleus RTOS TCP/IP Stack
- ICS Medical Advisory (ICSMA-21-313-01) Philips MRI 1.5T and 3T
- 13 critical Nucleus TCP/IP flaws pose denial-of-service risk to medical devices
- Insufficient Access Controls Cause Philips MRI Vulnerabilities
- CISA Warns About Siemens, Philips Medical Device Flaws
Ohio Hospital Suffers Cyberattack
A cyberattack has forced Southern Ohio Medical Center (SOMC) to operate under electronic health record (EHR) downtime. SOMC has cancelled some patient appointments and has diverted ambulances to other facilities. SOMC initially disclosed the cyberattack in a social media post on Friday, November 11.
Read more in
- EHR Downtime Persists in Wake of Ohio Medical Center Cyberattack
- Ohio hospital diverting ambulances, canceling appointments amid cyberattack
Intel BIOS Vulnerabilities
A pair of high-severity vulnerabilities affecting the BIOS reference code in some Intel processors could be exploited to gain elevated privileges. Intel is releasing firmware updates to address the flaws.
Read more in
- BIOS Reference Code Advisory
- Intel® Processor Advisory
- High severity BIOS flaws affect numerous Intel processors
- High-Severity Intel Processor Bug Exposes Encryption Keys
Uneven Patching for macOS
Newer versions of macOS appear to be receiving patches for vulnerabilities earlier than older, though still supported, versions of the operating system. For example, the privilege elevation vulnerability that was recently exploited in watering hole attacks on some websites in Hong Kong was patched in macOS Big Sur 11.2 in February 2021, but was not fixed in macOS Catalina until September.
- This should not surprise anyone. Apple security is better than MS in part because it focuses on new code. History shows that it is willing to abandon legacy code and even systems.
Read more in
Card Skimming Devices Found at Costco
Costco has disclosed that payment card skimmers were discovered at Chicago-area Costco stores. Some customers have reported fraudulent charges on their accounts. Costco has notified affected customers.
- Whether or not organizations have on-site/physical locations in scope for pen testing, this is a good reminder that we absolutely need detective controls. In the same way retail organizations regularly count tills and reconcile store-wide totals, electronic payment systems should be inspected for tampering at least daily.
Read more in
- Costco discloses data breach after finding credit card skimmer
- Costco says card skimmers were found at Chicago-area warehouses, less than 500 people affected
- Costco Confirms: A Data Skimmer’s Been Ripping Off Customers
Microsoft Fixes Zero-Day Exchange Server Flaw
Microsoft has fixed vulnerabilities in on-premises Exchange Server 2013, 2016, and 2019. One of the flaws, a post-authentication vulnerability, has been exploited in “limited targeted attacks.” Microsoft is urging users to apply the updates immediately. The fixes were released as part of Microsoft’s Patch Tuesday.
- Unlike some of the other Exchange server flaws, this one requires authentication. But you probably still want to apply the Outlook 365 patch and move your email to the cloud if you are sick of patching Exchange.
Read more in
- Exchange Server bug: Patch now, but multi-factor authentication might not stop these attacks, warns Microsoft
- Microsoft patches Exchange glitch exploited in the wild
- Released: November 2021 Exchange Server Security Updates
Microsoft Patch Tuesday
Microsoft’s Patch Tuesday for November 2021 includes fixes for at least 55 security issues in its products. Two of the flaws are being actively exploited and four vulnerabilities were disclosed before Tuesday. Microsoft has acknowledged that the updates may cause authentication issues on Domain Controller running Windows Server.
- 55 patches is a big number, but in the spirit of Thanksgiving we can be thankful that November 2021’s patch load is lower than October’s 71. When you look at how often Google patches Android and Chrome and Apple updates iOS, it is pretty clear modern software will always have ongoing streams of vulnerabilities that require rapid patching with minimal disruption. Microsoft has been urging customers to patch faster by moving to a “cloud cadence” of faster patch eval and push out, but Microsoft’s monthly vulnerability Tuesday (vs. more frequent and timely patch releases) is also a limiting factor.
- It is worth noting that the number of vulnerabilities patched by MS per month has dropped from the high tens to the low tens over the last year.
Read more in
- Microsoft November 2021 Patch Tuesday
- Microsoft Patch Tuesday, November 2021 Edition
- Let us give thanks that this November, Microsoft has given us just 55 security fixes, two of which are for actively exploited flaws
- Microsoft: New security updates trigger Windows Server auth issues
- Authentication might fail on DCs with certain Kerberos delegation scenarios
Citrix Patches Critical Flaw Affecting ADC and Gateway
Citrix has fixed two vulnerabilities. The first is a critical uncontrolled resource consumption issue affecting its Application Delivery Controller (ADC) and Gateway products; the vulnerability could be exploited to crash networks without authentication. The second is a low-severity uncontrolled resource consumption issue affecting ADC, Gateway, and the Citrix SD-WAN WANOP Edition appliance; the flaw could be exploited to cause temporary disruption of the Management GUI, Nitro API and RPC communication.
- This is “just” a denial of service vulnerability. But these devices are usually responsible for all traffic in/out a network, and a DoS could be quite devastating. In addition to patching: Double check your IR playbooks to see how you would deal with your Citrix ADC being down. Do you have out-of-band remote access? If you do: How is this access monitored and secured? Who has credentials?
Read more in
- Critical Citrix DDoS Bug Shuts Down Network, Cloud App Access
- Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update
US Secure Equipment Act Signed Into Law
US President Joe Biden has signed The Secure Equipment Act into law, closing what one FCC Commissioner has called “the Huawei loophole.” According to a White House statement, the law “requires the Federal Communications Commission to adopt rules clarifying that it will no longer review or approve any authorization application for equipment that poses an unacceptable risk to national security.” Small and medium-sized companies wanting to replace Huawei and ZTE equipment can request reimbursement from the FCC.
- While banning telecoms equipment that “poses an unacceptable risk to national security” sounds like a good thing, the list of those risky products is short (Huawei, ZTE, Hytera and Hangzhou Hikvision) and there don’t seem to be any defined criteria for how a product is determined to be an unacceptable risk, or how it would be removed from the list. Banning government purchase of unsecure products is a good thing – if it is done in a transparent way that drives suppliers to higher levels of security.
Read more in
- There’s no Huawei back now – Biden signs Act that forbids US buyers acquiring kit on naughty list
- US President Biden signs law to ban Huawei and ZTE from receiving FCC licences
Legislation Would Establish Rules for Financial Services Ransomware Response
US legislators have introduced a bill that would establish ransomware response rules for financial institutions. If the Ransomware and Financial Stability Act passes, financial institutions suffering ransomware attacks would be required to inform the Director of the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) about the details of the attack, including demanded ransom. The bill would also require financial institutions to obtain a Ransomware Payment Authorization prior to paying any ransomware demand over $100,000.
- Limiting the payout (without special approval) to $100,000 is a very interesting move. I’d like to think it would be at least somewhat successful in reducing the ransomware demands. Beyond lowering payments, I have a hard time believing this bill will help “ deter, deny, and track down hackers.” A $100k payout is still solid motivation.
Read more in
- Bill proposes large financial institutions to report ransomware attacks, cap payments
- New bill sets ransomware attack response rules for US financial orgs
- Congress Mulls Ban on Big Ransom Payouts Unless Victims Get Official Say-So
Queensland Water Supply Server Breached for Nine Months
According to a recent annual financial audit report, hackers had access to a server belonging to a Queensland (Australia) water supplier for nine months, from August 2020 through May 2021. SunWater operates dams, pumping stations, and pipelines. The audit report includes information from the examination of six Queensland water sector entities.
- As we measure incident response time, we should also measure our red team engagements with time metrics: time to meet objective, time to detect TTPs, time to respond, time to communicate to stakeholders, etc. We must improve these response times to limit impact to businesses.
- This scenario isn’t special other than it is critical infrastructure. Too often attackers are on the internal network and aren’t detected for months. I’d be very interested to learn how the breach was ultimately detected and use that as a lesson for other orgs. Unfortunately, I’d bet that the detection was by a third party.
Read more in
- Hackers undetected on Queensland water supplier server for 9 months
- FINANCIAL AUDIT 10 November 2021 Water 2021 Report 3: 2021–22 (PDF)
Google Researchers Detected Watering Hole Attacks Targeting Apple Devices
Google’s Threat Analysis Group (TAG) detected watering hole attacks targeting visitors to several Hong Kong websites. “The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.” Apple released a fix for the issue in September.
- According to Google TAG, this campaign targeted both iOS and macOS users, with a small number of exploit attempts delivered. This is a multi-exploit toolchain designed to gain privileged, remote access on vulnerable devices. We used to call this “sophisticated”, but it’s probably time to adjust our thinking since these complex exploit chains are increasingly common.
Read more in
- Analyzing a watering hole campaign using macOS exploits
- Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users
- Hackers Targeted Apple Devices in Hong Kong for Widespread Attack
- About the security content of Security Update 2021-006 Catalina
Palo Alto Networks Fixes Zero-Day in PAN-OS 8.1
Palo Alto Networks has patched a critical buffer overflow vulnerability in its firewalls that use the GlobalProtect Portal VPN. The flaw affects PAN-OS versions 8.1.17 and older. Researchers detected the vulnerability in November 2020 but did not notify Palo Alto Networks in September.
- You are only affected by this flaw if the VPN functionality is enabled.
- This news has been a cause for debate around penetration testing companies stockpiling 0days to use against their customers and not disclosing vulnerabilities to the vendor. A gentle reminder that any offensive security assessment is about providing business value. Some organizations may require 0days while other organizations function under assumed breach.
Read more in
- Palo Alto Networks Security Advisories
- Firm Held Onto Palo Alto VPN Zero Day for 11 Months
- Palo Alto Warns of Zero-Day Bug in Firewalls Using GlobalProtect Portal VPN
- Palo Alto Networks patches 9.8 severity CVE in popular GlobalProtect product
- Palo Alto Networks patches zero-day affecting firewalls using GlobalProtect Portal VPN
Former Broadcom Engineer Charged With Theft of Trade Secrets
A US federal grand jury has indicted former Broadcom engineer Peter Kisang Kim on multiple charges of theft of trade secrets. Kim worked at Broadcom for more than 20 years. He allegedly stole trade secrets; the purloined information was stored in non-public document repositories that were restricted to employees working on specific projects or within specific suborganizations. Kim allegedly took the data with him when he started working for a Chinese company.
- Insider threats are often left as a lower priority focus in many organizations. Defenders should baseline what “normal” activity is so that they can detect and respond to “abnormal” behavior. This applies to a malicious insider as well as a compromised internal user.
Read more in
- Former Broadcom engineer accused of pinching chip tech to share with new Chinese employer
- Former Broadcom Engineer Charged With Theft Of Trade Secrets
Threat Actors are Exploiting Known Flaw in Zoho Password Management Service
According to a report from Palo Alto Networks’ Unit 42, threat actors have exploited a known vulnerability in Zoho ManageEngine AdSelfService Plus to compromise networks at nine organizations in various sectors, including technology, defense, energy, and healthcare. The threat actors likely have ties to China. In mid-September, a US Cybersecurity and Infrastructure Security Agency (CISA) alert warned that the critical vulnerability was being actively exploited. Zoho has released updates to address the flaw.
- This flaw has been exploited since shortly after it was made public (and after a patch was released). Any vulnerable exposed system has likely been compromised. Palo Alto’s blog lists some IOCs to watch out for, but there are likely other groups using this relatively easy to exploit vulnerability.
- Reusable passwords are not only inherent unsecure, but they also require robust password reset processes since attackers have always targeted them. Self-service password reset software needs to be high security and ManageEngine did not live up to that. If you are using competing products for automated password reset, make sure you have applied all patches and chose a quality vendor.
Read more in
- Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
- APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
- Hackers breach nine global organizations in ongoing espionage campaign
- State hackers breach defense, energy, healthcare orgs worldwide
- Hackers with Chinese links breach defense, energy targets, including one in US
- NSA Reports: Espionage Group Breaches Critical Systems
- You’ll never guess who’s been exploiting the ManageEngine service to steal passwords
Australian Cyber Security Centre: Attackers are Exploiting Known Flaw in Sitecore XP
A remote code execution flaw in the Sitecore Experience Platform (XP) content management system is being actively exploited, according to an alert from the Australian Cyber Security Centre (ACSC). Sitecore released a fix for the issue in October.
Read more in
- Active exploitation of vulnerable Sitecore Experience Platform content management systems
- Sitecore XP RCE flaw patched last month now actively exploited
- Security Bulletin SC2021-003-499266
Underwriters Laboratory Launches SafeCyber Platform
Underwriters Laboratory (UL) has introduced its SafeCyber Digital Security Platform, “a suite of cloud-based security solutions for connected products.” The “Maturity Path solution provides you with a secure development life cycle maturity assessment and a certification readiness score for … connected product lines.” Other solutions include Firmware Check and Field Monitoring.
- With last week’s announcement of the Minimum Viable Security Product baseline by Google, Salesforce, Okta, Slack and others, and this announcement by UL, there are fewer and fewer reasons for poor security in devices/”things.” The first step for security managers is to gain support for all procurement to include security processes and testing as part of the evaluation process.
Read more in
REvil Suspects Arrested
An international law enforcement operation has resulted in the arrests of seven individuals believed to be involved with the Sodinokibi/REvil ransomware operations. The US Department of Justice has seized “$6.1 million in funds traceable to alleged ransom payments.” The US State Department is offering up to $10 million for information that helps identify or locate leaders of the ransomware group.
- This is very welcome news and great to see, yet again, how international cooperation by various law enforcement agencies can have a real impact on those who target the vulnerable on the Internet. While a welcome victory, this is not the end of ransomware gangs but it does send a very strong message to them that the game, and cost of playing in the game, has changed significantly.
- This is great news but don’t let your guard down. These groups re-organize and there are more than enough criminals to go around. Continue to train and prepare for the next attack, whether ransomware or not, assume breach, and focus on detection and response.
Read more in
- Joint global ransomware operation sees arrests and criminal network dismantled
- Five Affiliates to Sodinokibi/REvil Unplugged
- Ukrainian Arrested and Charged with Ransomware Attack on Kaseya
- REvil Ransom Arrest, $6M Seizure, and $10M Reward
- The Biggest Ransomware Bust Yet Might Actually Make an Impact
- Ransomware: Suspected REvil ransomware affiliates arrested
- US seizes $6 million from REvil ransomware, arrest Kaseya hacker
- U.S. offers $10 million reward for leaders of REvil ransomware
- Suspected REvil scammers arrested amid ongoing crackdown on ransomware
- Ukrainian cuffed, faces extradition to US for allegedly orchestrating Kaseya ransomware infection
Operation Cyclone Disrupts Clop Ransomware Group’s Operations
An international law enforcement effort dubbed Operation Cyclone has disrupted operations of the Clop ransomware group. Six alleged members of the group were arrested in Ukraine earlier this year. Several cybersecurity companies provided threat intelligence for the operation.
- A reminder as to why it is so important for victims of cybercrime to report these crimes to law enforcement. The more information we share with the authorities, the more data and intelligence they have. This allows agencies such as Europol to analyse that data, leading to more effective operations and arrests.
- Another bit of good news on the ransomware front. Keep your guards up and keep training your teams to detect and respond to the inevitable next attack.
- Ransomware attacks are popular among criminals because they believe that the risk of punishment is low. That risk is clearly going up. Law enforcement begins with and relies upon victims providing essential intelligence.
Read more in
- INTERPOL-led operation takes down prolific cybercrime ring
- Cybersecurity firms provide threat intel for Clop ransomware group arrests
- Operation Cyclone deals blow to Clop ransomware operation
Electronic Health Record Security Issues
Philips and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories about a pair of SQL injection vulnerabilities in the Philips TASY Electronic Medical Record HTML5 system. The flaws affect versions 3.06.1803 and earlier. Also, QRS Healthcare Solutions recently disclosed a data security incident that compromised personal data, including health information, of some clients’ patients.
- In 2021 there is no excuse why a vendor is rolling out products with SQL Injection flaws in them. SQL Injection is consistently in the CWE/SANS Top 25 Most Dangerous Software Errors.
- Of course, parsing inputs is not an issue limited to health records. Parsing inputs gets harder and harder when one does not know the environment in which one’s product will run. However, it seems very unlikely that one does not know that one’s product will use a database and that it must resist the insertion of SQL commands. Note that the database manager cannot protect itself; it cannot know enough about the intent of the application to recognize malicious inputs.
Read more in
- ICS Medical Advisory (ICSMA-21-308-01) Philips Tasy EMR
- Philips Tasy EMR HTML5 (2021 November 4)
- EHR Vendors’ Disclosures Are Latest Security Risk Reminders
- Philips healthcare infomatics solution vulnerable to SQL injection
Medical Device Incident Response Playbook
A new publication from the Cloud Security Alliance IoT Working Group aims to help healthcare organizations mitigate security risks. The document provides guidance not only for incident response, but also for incident response preparation.
- While it is likely that some, not to say many, healthcare organizations do not have mature incident response plans, most should prefer and concentrate on security measures that operate early.
Read more in
- New playbook has in-depth tips for medical device cyber incident response
- Motivated by WannaCry attack, group unveils medical device incident response playbook
- CSA Medical Device Incident Response Playbook
Defense Contractor Discloses Phishing Attack, Data Theft
A US government contractor has disclosed a phishing attack that resulted in data theft. Electronic Warfare Associates acknowledged that its email system was breached and that the attackers exfiltrated personal information. The breach occurred in August 2021. The attack was detected when the thief attempted to use the stolen data to commit wire fraud.
Read more in
ITIC Recommendations on ICT Supply Chain Security Risks
In September, the US Department of Commerce’s Bureau of Industry and Security issued a request for public comments on Information Communications Technology (ICT) supply chain risks. The Information Technology Industry Council (ITIC) responded to the request with policy recommendations, which include “continu[ing] to build and leverage robust public-private partnerships to address ICT supply chain challenges [and] mak[ing] investing in critical technologies a national priority.”
- The solution to the supply chain risk must start with supplier accountability. We should be demanding a machine-readable software bill of materials in all products along with a statement of intended use and expected environment.
Read more in
- ITI Comments Responding to Bureau of Industry and Security Request for Public Comments on Risks in the Information and Communications Technology Supply Chain (RIN #0694-XC07; Docket No. 210910-0181) (PDF)
- ITI Offer Recommendations to U.S. Department of Commerce on Risks in the ICT Supply Chain
- Commerce Department Fielding Comments on ICT Supply Chain
- Notice of Request for Public Comments on Risks in the Information Communications Technology Supply Chain (September 20, 2021)
CISA Binding Operational Directive on Vulnerability Patching for Federal Agencies
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a Binding Operational Directive (BOD) that requires federal agencies to patch known security flaws within certain timeframes. The BOD includes a catalog of nearly 300 known vulnerabilities that are being actively exploited. The flaws, some of which date back to 2017, each have deadlines for patching.
- Every year like clockwork, the US Federal government Office of Inspectors General produces audits that invariably repeat the findings of previous year’s OIG reports about federal agencies having failed to patch well-known vulnerabilities. There will be much complaining about this BOD but in the past such BODs or other “over the transom dictates” from OMB have driven actual movement in actual improvements in the security levels of government systems. There is no way for any government agency to even talk about “Zero Trust” without first having decent essential security processes such as vulnerability assessment and management.
- This enhances the previous BOD 19-02 which required critical vulnerabilities to be patched in 15 days and high vulnerabilities in 30 days. One key component added is a due date for remediating these known exploited vulnerabilities. Use the CISA catalog of known exploited vulnerabilities to help prioritize your patching efforts as well as verify that you’re not missing any required dates. Everyone should leverage this catalog. This BOD also requires agencies which are still using the old CyberScope quarterly submissions to either be reporting vulnerability status via the CDM dashboard by October 1, 2022 or provide CyberScope submissions bi-weekly.
- This Binding Operation Directive is much more specific and actionable than the 2019 BOD which simply stated “thou must have a vulnerability management program.” In this directive, both the vulnerabilities and required dates for patching are specifically called out. This does two things. First, it makes it very easy to measure which agencies have truly acted and complied. Second it makes it much easier for agencies to act on as agencies no longer have to decide what to patch: they simply follow CISA guidance. The easier a requirement, the more likely it will be followed. As a bonus, once agencies are done with patching, they will have the processes in place for a long-term vulnerability management program.
Read more in
- Binding Operational Directive 22-01 | Reducing the Significant Risk of Known Exploited Vulnerabilities
- CISA passes directive forcing federal civilian agencies to fix 306 vulnerabilities
- CISA Issues New Directive for Patching Known Exploited Vulnerabilities
- CISA urges vendors to patch BrakTooth bugs after exploits release
- CISA tells agencies to fix hundreds of software flaws, prep for future vulnerabilities
- CISA Directs Federal Agencies to Patch Known Vulnerabilities
Linux Kernel TIPC RCE Flaw
A remote code execution flaw in the Linux Kernel’s Trans Inter Process Communication (TIPC) module can be exploited locally and remotely. The heap overflow vulnerability could be exploited to gain kernel privileges.
- This is a serious flaw, but likely only affecting few systems. Only kernels 5.10 through 5.15 include the vulnerable component, and it has to be specifically enabled. The TIPC protocol is typically used on cluster systems and not used on “average” Linux installs. The protocol may be exposed via UDP on port 6118 (but can also be used directly over ethernet).
- This affects kernel version 5.10. The flaw was reported October 19th, a patch released October 21st, and a fix was added to the mainline repository, released October 29 under version 5.15. The attack doesn’t require privileges. If you’re using TIPC, update now.
Read more in
- Remote code execution flaw patched in Linux Kernel TIPC module
- Critical Linux Kernel Bug Allows Remote Takeover
- Critical RCE Vulnerability Reported in Linux Kernel’s TIPC Module
Cisco Releases Multiple Updates
Cisco has released patches for multiple vulnerabilities, including two critical flaws in Catalyst Passive Optical Network (PON) switches Optical Network Terminal. One of the flaws involved a hardcoded password for a debugging account; the second vulnerability involves static SSH keys.
- The debugging account can only be accessed over Telnet. Make sure you don’t have telnet enabled for your routers; it’s supposed to be disabled by default. Fixing the static SSH keys, which are part of Cisco Policy Suite, requires generating new SSH keys and propagating them to all machines, as well as updating to version 21.2.0, which will automatically generate new keys on installs but _NOT_ on upgrades. See the fixed releases of Cisco’s security advisory for the procedure. tools.cisco.com: Cisco Policy Suite Static SSH Keys Vulnerability
Read more in
- Cisco fixes hard-coded credentials and default SSH key issues
- Cisco Plugs Critical Holes in Catalyst PON Enterprise Switches
- Cisco Catalyst PON Series Switches Optical Network Terminal Vulnerabilities
- Cisco Security Advisories
Commerce Department Sanctions Spyware Companies
The US Department of Commerce’s Bureau of Industry and Security has published an updated list of entities sanctioned “for engaging in activities that are contrary to the national security or foreign policy interests of the United States.” The newly added organization are NSO Group, Candiru, Positive Technologies, and Computer Security Initiative Consultancy.
- The entities list restricts the “export, re-export, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.” And there will be no exceptions, which means you can get into substantial penalties (civil and criminal as well as fines) for doing business with one of these entities.
Read more in
- US Dept of Commerce sanctions NSO Group, Positive Technologies, other makers of snoopware
- Commerce Dept sanctions NSO Group, Positive Technologies and more for selling spyware and hacking tools
- US blacklists maker of Pegasus spyware that helps governments spy on activists
- US Sanctions Could Cut Off NSO From Tech It Relies On
CISA’s Subpoena Power Helps Mitigate Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has used 35 administrative subpoenas since the authority was first granted, according to agency director Jen Easterly. CISA has the authority to conduct Internet scans with the purpose of detecting industrial systems with vulnerabilities; they can then subpoena Internet service providers to discover who owns the identified systems and notify the owners about the flaws.
- These activities have resulted in a reduction of vulnerabilities since they started this work. CISA offers their services to public and private sector companies in the US, including scanning, posture assessment and training, free of charge; they are taxpayer funded. It may be better to directly engage them rather than find later you’ve got an issue.
Read more in
US State Department Offers Reward for Info That Helps Bring DarkSide Operators to Justice
The US State Department is offering “a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.” DarkSide was behind the Colonial Pipeline ransomware attack last spring.
- The idea is to leverage techniques that work with traditional crimes to get traction on cyber criminals. In this case, the amount of the reward, $10M and a subsequent $5M, should help incentivize participation. Leveraging all options available is the most likely way to make forward progress against ransomware gangs. One example was the offensive actions by U.S. Cyber Command and a foreign government to compromise systems belonging to the REvil gang which caused them to shutter their business.
- This is both a good and sad thing. Good in that motivators like this can truly lead to the arrest and capture behind those involved in these large scale crimes. At $10 million, cyber criminals may be motivated to even turn in their own. The sad part is in today’s world this is one of the few ways we can apply pressure to and deter threat actors, one of the few ways we can make it risky for them to operate. The problem we have now is most threat actors can act with impunity and continue to attack as much as they want. It’s like playing a game of football where you can only play defense. This is one of the very few ways we can play offense.
Read more in
- Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice
- US: $10M Reward for DarkSide Ransomware Actors
- State Department offers $10 million to bring DarkSide ransomware leadership to justice
- US offers $10 million reward for information on DarkSide leaders, $5 million for affiliates
Another NPM Library Hijacked
The Command-Option-Argument, or ‘coa’ NPM library is downloaded about 9 million times weekly and is used by nearly 5 million open source GitHub repositories. The last stable version of ‘coa’ was released in 2018, but within the last few days, several new versions have appeared. Developers are reporting that the new releases are breaking their builds.
- Yet another issue. Have you found a way yet to manage your npm libraries? If you are using node.js, inventorying and vetting npm packages should be a top priority.
- COA is a command line parser for Node.js projects. COA was untouched since version 2.0.2 in December 2018. The newer versions have been removed; even so, make sure your builds are back to 2.0.2. The same code injected into COA was also found in the previous hack of ‘ua-parser-js.’
- While NPM offers strong authentication to its users, it is opt-in. Given their role, perhaps it is time to change the default.
Read more in
BlackMatter Says It’s Closing Up Shop. Again.
Earlier this week, the BlackMatter ransomware group said it would shutter operations “due to certain unsolvable circumstances associated with pressure from the authorities.” Cybersecurity experts are wary of taking the announcement too seriously. This is not the first time the group has claimed to be closing down.
- BlackMatter closing job does not help existing victims. No keys were released. There have been reports of BlackMatter affiliates moving victims to the Lockbit infrastructure for payments.
- BlackMatter was a rebranding of DarkSide after the Colonial Pipeline attack. While it is expected that this cycle is not finished, ongoing and increased pressure from law enforcement should make it harder for this type of rebranding to continue. In the meantime, remain vigilant; the threat is not gone.
Read more in
- BlackMatter ransomware gang says it’s disbanding – again – after Ukraine arrests
- Does BlackMatter’s demise mean anti-ransomware efforts are working?
HHS OCR Bulletin: Address Security for Legacy Systems
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published a bulletin that urges healthcare organizations to manage the security risk of legacy systems. The Health Insurance Portability and Accountability Act (HIPAA) requires “requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure the electronic protected health information (ePHI) that these organizations create, receive, maintain, or transmit.”
- OCR defines a “legacy” system as “an information system with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support.” I think they should just call them “unsupportable” systems to make the issue gain more traction. The OCR advice is solid for trying to reduce the risk of unsupportable systems, but many exist because much longer (often infinite) lifecycles were estimated for devices, software, and systems than is realistic when technology advances are shortening. Budgets and planning should be assuming shorter lifecycles – think cell phone replacement lifecycles, not refrigerator lifecycles.
- This bulletin also requires added mitigations and assessments of legacy systems. The concern is that your legacy system would not be able to protect ePHI at the same level as newer systems as they are not engineered to the current threat landscape. The bulletin includes a good list of mitigations for legacy systems to include upgrading to a newer/supported version where possible, segmentation/isolation, increased authentication strength, removing unneeded software and increased firewall rules with supporting monitoring. Even with those in place, expect pressure to replace legacy systems with newer versions to include cloud-based alternatives.
- “Reasonable and appropriate” is bureaucratic language intended to avoid accountability. Fortunately, healthcare covered entities now have more prescriptive language to guide them in securing their systems. For a targeted sector where breaches risk injury and death, the bar is very high. Recent events suggest that isolating clinical applications from those facing the public networks (e.g., e-mail and browsing) is urgent.
Read more in
Trojan Source Attack Exploits
Researchers from the University of Cambridge “have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic.” Dubbed Trojan Source, the “attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers.”
- It is often assumed that editors used to create and review code are simple “text editors.” But even traditional editors like emacs and vi have support for Unicode. Modern languages like Swift have embraced Unicode to provide developers coding in languages other than English a better experience, and it is for example possible to use Unicode characters as variable names. This trend will make mitigating this vulnerability more difficult. On the other hand, this threat will mainly manifest itself if code is reviewed manually. For automated source code review tools, it should be trivial to detect abuses of this feature. In the end, I would consider this problem not relevant enough to worry much about it.
Read more in
- Trojan Source: Invisible Vulnerabilities
- Trojan Source: Invisible Vulnerabilities (PDF)
- ‘Trojan Source’ Bug Threatens the Security of All Code
- ‘Trojan Source’ Hides Invisible Bugs in Source Code
- ‘Trojan Source’ potentially opens organizations to supply chain attacks
- Programming languages: This sneaky trick could allow attackers to hide ‘invisible’ vulnerabilities in code
- New ‘Trojan Source’ Method Lets Attackers Hide Vulns in Source Code
Researchers from Qihoo 360’s Netlab have released information about what they are calling the largest botnet to be discovered in the wild in the past six years. Pink, as the researchers have dubbed it, comprises more than 1.6 million infected devices, most of which are in China. Pink’s main activity is launching distributed denial-of-service (DDoS) attacks and injecting ads into websites.
- Note that this botnet has been active since at least November 2019. Sadly, there are so many variants of different IoT botnets active, it is hard to even distinguish the different “brands.” QiHoo 360 made its research public after a takedown attempt for this botnet. This botnet also focused on vulnerable systems inside China. The Pink botnet is also one of the few botnets to take advantage of DNS over HTTPS (DoH).
- Operators were able to observe attempts to secure infected devices and take actions to reacquire them by also applying updates in real-time. Pink also leveraged DNS over HTTPS to obfuscate C2 host/address resolution activities.
Read more in
CISA Identifying Crucial Critical Infrastructure
The US Cybersecurity and Infrastructure Security Agency (CISA) has begun identifying elements of the country’s critical infrastructure that could cause cascading failures if they experience cyberattacks. The idea is to bolster protection for these “primary systemically important entities” to protect them from cyberattacks and other disruptions.
- Identified critical infrastructure will be subject to more stringent cybersecurity standards, commensurate with risks associated with a critical rating. Without supporting funding and resources, for implementation and lifecycle, improvements are unlikely.
- It appears that the US government has identified so many industries as critical, and the term critical infrastructure is now so broad, that it is losing its value. CISA, backed by the Homeland Security Committee, are looking to up the game by redefining what is truly critical identified as “primary systemically important entities” so they can focus their most critical resources on those “entities” and ensure they have both the resources to succeed and the necessary motivation to act BEFORE being compromised.
- The most obvious examples are finance and the power grid. However, recent events in transportation and distribution suggest that everything is connected to everything else.
Read more in
- CISA starts identifying targets most necessary to protect from hacking
- CISA Begins Program to Identify Critical Infrastructure
- CISA director endorses prioritizing ‘systemically important’ critical infrastructure
- Federal push to identify, protect critical groups from hackers gains momentum
Researchers have detected five vulnerabilities in Free SWITCH telecommunications stack software. The flaws include authentication issues, information leakage, and susceptibility to denial-of-service. The issues have been addressed in FreeSWITCH 1.10.7, which was released on October 25.
- Discovery of these vulnerabilities relies on SIPVicious PRO rather than the open source version of that tool. The open source version focuses on SIP while the PRO version targets real-time communication. Web Real-Time Communication (WebRTC) could be used to disconnect calls or otherwise causing a DOS condition. If you’re using FreeSWITCH, update to 1.10.7. If your switch is exposed to the Internet, investigate a SIP router or firewall to further protected it.
Read more in
- Multiple flaws in telecoms stack software FreeSwitch uncovered
- Killing bugs … one vulnerability report at a time
12 Arrested in Connection with Ransomware Attacks
Law enforcement officials in Ukraine and Switzerland have arrested 12 individuals believed to be involved in ransomware attacks that targeted critical infrastructure and large organizations. The arrests are the result of a cooperative effort involving law enforcement agents from eight countries as well as Europol and Eurojust.
- Well done to all involved in this and it’s great seeing the frequency of these operations and arrests increasing. A clear indication that law enforcement agencies are becoming more adept and sharing intelligence and cooperating in running operations.
Read more in
- 12 Targeted for Involvement in Ransomware Attacks Against Critical Infrastructure
- Multinational Police Force Arrests 12 Suspected Hackers
- Police Arrest Suspected Ransomware Hackers Behind 1,800 Attacks Worldwide
FTC Consumer Financial Data Protection Rules
The US Federal Trade Commission is proposing to update rules requiring financial institutions to report security incidents affecting customer data within 30 days of detection. The FTC is accepting comments on its proposal for amending the Standards for Safeguarding Customer Information rule. The FTC has also “updated [a] rule that strengthens the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.”
- At core this requires the use of encryption to protect information and allow access to information only to those who need to access it. Be prepared to audit access rights and make sure you have no over-permissioned users as well as appropriate separation-of-duties. This also requires financial institutions to designate a person to oversee their information security program and report regularly to the board or a senior officer in charge of information protection.
Read more in
- Standards for Safeguarding Customer Information (PDF)
- FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches
- FTC wants to know when financial data is compromised, will require encryption
- FTC Beefs Up Security Mandates for Financial Sector
Toronto Transit System Hit with Ransomware Attack
A ransomware attack disrupted the Toronto Transit Commission’s network late last week. The incident was detected on Friday, October 29. The attack escalated over the weekend; it affected online systems used for vehicle operator communications, online booking, internal email and other services. The Ann Arbor (Michigan) Area Transportation Authority reported a system disruption last week.
Read more in
- Ransomware strikes Toronto transit system, disrupting some services
- Some Toronto Transit online services down after ransomware attack
- Ann Arbor’s TheRide latest victim of cyber attack
Cyberattack Affects Some Healthcare Networks in Canadian Province
A cyberattack on October 30 shut down the networks of health systems in the Canadian province of Newfoundland and Labrador. The incident also affected communications; residents reported being unable to place phone calls to health centers or 911.