
Cybersecurity News Headlines Update on January 29, 2022


12 Year-Old Bug in Polkit Allows for Privilege Elevation

Researchers from Qualys identified a memory-corruption flaw in Polkit’s pkexec that dates back to 2009. The vulnerability, dubbed PwnKit and tracked as CVE-2021-4034, allows any local user on a vulnerable machine to obtain root privileges. Qualys discovered it in November; patches have now been released. Polkit (formerly PolicyKit) controls system-wide privileges on most Unix/Linux distributions, mediating how unprivileged processes interact with privileged ones.

Note

  • Patches should be available for all major Linux distributions, and the patch does not require a reboot. Privilege escalation vulnerabilities are often assigned a lower urgency. But this vulnerability is easy to exploit, and some of the exploits publicly available will not leave a mark in your logs.
  • Updates to Polkit have been released for RedHat/CentOS and other Linux distributions and are available through your regular repositories. If you cannot patch, remove the setuid-root permission from pkexec (e.g., chmod 755 /bin/pkexec). Exploitation can be detected by looking for log entries, see the Qualys blog for examples; however, it is possible to exploit the flaw without leaving any traces in system logs.
  • Unix/Linux escalation of privilege vulnerabilities linger around for a significant amount of time since they are “only” privilege escalation and carry a lower CVSSv3 score. Make the effort to get your systems patched for this vulnerability that is trivially exploited.
  • This bug is fascinating to me for several reasons. First, it indicates to researchers that other SUID binaries may have a similar issue, so I suspect we may see more of these. Second, this bug is dead simple to exploit. Almost all the PoCs available were written based on the initial writeup. It also does not deal with any type of ASLR or memory corruption bug in this exploit, so this universally works everywhere regardless of kernel or distribution version. Patch it now.
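
A small triage helper for the two checks the notes above describe: whether pkexec is still setuid-root on a host, and whether the auth log carries the entries that noisy exploits leave behind. This is an added example, not code from the page or from Qualys. The candidate pkexec paths and the syslog line layout are assumptions that may need adjusting for your distribution, and the log lines are constructed, not a real capture.

```python
import os
import re
import stat
from typing import List, Tuple

# Assumed locations for pkexec; /bin is usually a symlink to /usr/bin on merged-/usr systems.
PKEXEC_CANDIDATES = ("/usr/bin/pkexec", "/bin/pkexec")

# Messages pkexec itself writes to the auth log when a crafted environment trips
# its sanity checks (the two log signatures the Qualys advisory points at).
_NOISY_REASONS = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "The value for environment variable",  # "... <name> contains suspicious content"
)

# Assumed syslog shape: "<Mon DD HH:MM:SS> <host> pkexec[<pid>]: <user>: <message> [USER=...] ..."
_PKEXEC_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ pkexec\[(?P<pid>\d+)\]: (?P<user>[^:]+): (?P<msg>.*)$"
)


def is_setuid_root(path: str) -> bool:
    """True if `path` exists, is owned by uid 0 and carries the setuid bit."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def pkexec_exposure(candidates=PKEXEC_CANDIDATES) -> List[str]:
    """Candidate pkexec paths that are still setuid-root.

    An empty list means the interim mitigation (chmod 755) is in place or pkexec is
    absent; it says nothing about whether the polkit package itself has been patched.
    """
    return [p for p in candidates if is_setuid_root(p)]


def scan_auth_log(lines) -> List[Tuple[str, int, str, str]]:
    """Return (timestamp, pid, user, message) for pkexec lines matching the noisy exploit paths.

    No hits is not proof of absence: the advisory notes the bug can be exploited without logging.
    """
    hits = []
    for line in lines:
        m = _PKEXEC_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = m.group("msg")
        if any(msg.startswith(reason) for reason in _NOISY_REASONS):
            hits.append((m.group("ts"), int(m.group("pid")), m.group("user"), msg))
    return hits


# Constructed sample lines in the shape of /var/log/auth.log entries (not a real capture).
SAMPLE_AUTH_LOG = [
    "Jan 26 10:14:02 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 50122",
    "Jan 26 10:15:31 web01 pkexec[2310]: deploy: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=GCONV_PATH=./pwnkit]",
    "Jan 26 10:15:33 web01 pkexec[2314]: deploy: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=GCONV_PATH=./pwnkit]",
    "Jan 26 10:20:00 web01 pkexec[2400]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart nginx]",
]

if __name__ == "__main__":
    for p in pkexec_exposure():
        print(f"[!] {p} is still setuid-root; patch polkit or run: chmod 0755 {p}")
    for ts, pid, user, msg in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"[!] {ts} pkexec[{pid}] user={user}: {msg}")
```

Feed `scan_auth_log` the real file (`open("/var/log/auth.log")` or the journal export) and treat a hit as a reason to pull the host's process history, not as the whole story, since the quiet exploit variants produce nothing here.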


Water Sector Now Included in US ICS Cybersecurity Initiative

The Biden-Harris Administration is expanding the Industrial Control System (ICS) Cybersecurity Initiative to the country’s water sector. The 100-day Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan is a collaborative effort between the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC).

Note

  • The water sector consists of thousands of businesses, many very small with little budget, making cyber improvements a challenge. Even so, the CISA is offering free vulnerability scans and technical assessments to help bridge the gap. These will be particularly helpful where services were outsourced or expertise is lacking to verify systems are appropriately secured.
  • The announcement acknowledges that the Water and Wastewater Sector is intensely local – very similar to election systems in the number and variety of local agencies providing water and sewage services. While past compromises in this sector show it is definitely in need of security attention, the same approaches and solutions that work for large-scale electrical grids and energy systems will not work here.
  • Water is infrastructure and needs to be protected as such. However, it is not vulnerable to the kind of cascading failures that the power grid is. While there may be back-up and load sharing agreements, their invocation is not automatic.


OMB Releases Zero-Trust Architecture Strategy

The US Office of Management and Budget (OMB) has published a federal zero-trust architecture strategy. The strategy requires federal agencies “to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024.” The requirements include the use of strong multi-factor authentication; the “creat[ion of] reliable asset inventories through participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program;” and “audit[ing] access to any data encrypted at rest in commercial cloud infrastructure.”

Note

  • At its core, the driver to zero trust is that our legacy model of a hardened perimeter with (many) defined entry and exit points is not sufficient to prevent attack by modern adversaries. The executive order (EO 14028) required agencies to have a zero-trust implementation plan. This memo adds a requirement for agencies to build upon those plans within 60 days, as well as identify a zero-trust strategy implementation within 30 days of the memo. The memo has broad impact, not only in authentication, but also requiring more substantive application testing, DNS encryption, encryption of internal HTTP connections, comprehensive data protection and more. This memo provides a good set of security measures to consider regardless of public or private sector.
  • As your architecture moves from traditional on-prem to cloud and zero-trust, be sure your defenses and detections evolve as well. If you can’t detect password spraying and identity abuse, you may not be any better off. Also: multi-factor authentication for all the things!
  • Non-federal agencies should review and apply similar guidance to meet the bar set by OMB.
  • I always think about definitions when I read headlines like this. Many will argue MFA alone is not Zero Trust. Do we know which Zero Trust Architecture definition we are going with today?
  • We need system-to-system and process-to-process isolation, and least privilege access control and we need them now, not two years from now. Setting a target of 2024 is the equivalent of granting a license to accept the risk (e.g., that a covert backdoor anyplace in the organization puts the entire organization at risk) until then.


NCSC’s Scanning Made Easy Project to Share NMAP Scripts

The UK’s National Cyber Security Centre (NCSC) and its Industry 100 (i100) scheme have jointly launched the Scanning Made Easy (SME) project to help system owners and administrators find vulnerabilities in their networks. The project will release Nmap Scripting Engine (NSE) scripts created by i100 partners and other cybersecurity experts.

Note

  • Practitioner’s note: after downloading new NSE scripts (usually to /usr/share/nmap/scripts/ or C:\Program Files (x86)\Nmap\scripts\), be sure to run "nmap --script-updatedb" as an elevated user. This updates Nmap’s local script database so that next time you run something like "nmap -iL hosts.txt --script 'vuln'", the appropriate new script will run.
  • The Nmap Scripting Engine is one of the most powerful and potentially underused free security tools available. Engaging the security community to crowdsource the development could be exactly what is needed to draw more interest and development effort to this underused tool. The latest version has around 600 scripts; however, only a little over 100 of those check for specific vulnerabilities. Some of the vulnerabilities are over 20 years old, and the newest CVE specifically mentioned in current NSEs is CVE-2018-15442. Of the current 344 CVEs listed in CISA’s Known Exploited Vulnerabilities Catalog (www.cisa.gov: Known Exploited Vulnerabilities Catalog), current NSE scripts only identify 2: CVE-2017-0143 (smb-vuln-ms17-010.nse) and CVE-2017-5638 (http-vuln-cve2017-5638.nse). Both are nearly 5 years old. That’s a big gap and NCSC’s project should provide a valuable resource for little to no cost. The US could do similar with a project focused on detecting the CVEs in the Known Exploited Vulnerabilities Catalog.
  • This is going to be a useful library to help make your scanning more comprehensive. Even so, be sure to review each script to understand how it checks for vulnerabilities, whether the check is intrusive (they are designed not to be), and why it may produce false positives as well as false negatives.
  • There are very few vulnerability scanners that are free. NMAP with their NSE scripts is one of the best options. I look forward to this project.
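
The coverage gap described in the comments above (KEV catalog entries versus CVEs that installed NSE scripts actually reference) can be measured against your own scripts directory. The script below is an added example, not part of the NCSC project or of Nmap. It assumes the KEV JSON feed's layout (a "vulnerabilities" list with a "cveID" field per entry) and, so that it runs offline, uses a constructed scripts directory and a constructed KEV sample rather than the real files.

```python
import json
import os
import re
import tempfile
from typing import Dict, Set, Tuple

# Matches "CVE-2017-0143", the NSE references form "CVE:CVE-2017-0143", and
# filename forms such as "http-vuln-cve2017-5638.nse".
_CVE_RE = re.compile(r"cve[-:]?(\d{4})-(\d{4,})", re.IGNORECASE)


def cves_in_text(text: str) -> Set[str]:
    """Normalise every CVE reference in `text` to upper-case 'CVE-YYYY-NNNN'."""
    return {f"CVE-{y}-{n}" for y, n in _CVE_RE.findall(text)}


def cves_in_nse_dir(scripts_dir: str) -> Dict[str, Set[str]]:
    """Map CVE id -> names of the .nse scripts that mention it (in the name or the body)."""
    coverage: Dict[str, Set[str]] = {}
    for name in sorted(os.listdir(scripts_dir)):
        if not name.endswith(".nse"):
            continue
        with open(os.path.join(scripts_dir, name), encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        for cve in cves_in_text(name) | cves_in_text(body):
            coverage.setdefault(cve, set()).add(name)
    return coverage


def kev_cves(kev_json: str) -> Set[str]:
    """CVE ids from the KEV JSON feed (assumed layout: doc['vulnerabilities'][i]['cveID'])."""
    doc = json.loads(kev_json)
    return {v["cveID"].upper() for v in doc["vulnerabilities"]}


def kev_coverage(kev_json: str, scripts_dir: str) -> Tuple[Set[str], Set[str]]:
    """Split the KEV catalog into (CVEs some installed NSE script mentions, CVEs none does)."""
    kev = kev_cves(kev_json)
    covered = kev & set(cves_in_nse_dir(scripts_dir))
    return covered, kev - covered


# Constructed stand-ins for a scripts directory and a KEV feed (not the real files).
SAMPLE_SCRIPTS = {
    "smb-vuln-ms17-010.nse": 'description = [[ ... ]]\nreferences = { "CVE:CVE-2017-0143" }\n',
    "http-vuln-cve2017-5638.nse": "-- Apache Struts OGNL injection check\n",
    "http-vuln-cve2018-15442.nse": 'references = { "https://nvd.nist.gov/vuln/detail/CVE-2018-15442" }\n',
    "banner.nse": "-- no CVE here\n",
}
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-0143", "product": "SMBv1"},
    {"cveID": "CVE-2017-5638", "product": "Struts"},
    {"cveID": "CVE-2021-4034", "product": "Polkit"},
]})


def demo() -> Tuple[int, int]:
    """Write the samples to a temp dir and return (covered, uncovered) counts."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_SCRIPTS.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        covered, missing = kev_coverage(SAMPLE_KEV, d)
    return len(covered), len(missing)


if __name__ == "__main__":
    # For a real run: kev_coverage(open("known_exploited_vulnerabilities.json").read(),
    #                              "/usr/share/nmap/scripts")
    print(demo())  # (2, 1)
```

A script that merely mentions a CVE in a comment is counted here, so the figure is an upper bound on real detection coverage; read the matched scripts to confirm they test for the condition rather than just cite it.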


Google Drops FLoC for Topics API

Google is scrapping the Federated Learning of Cohorts (FLoC) Privacy Sandbox Initiative proposal and replacing it with the Topics API. In a blog post, Google notes that “Topics was informed by our learning and widespread community feedback from our earlier FLoC trials.” Google initially floated FLoC to replace third-party cookies in Chrome.

Note

  • Monetizing content via ads requires ads to be relevant to the user. Google is struggling hard to come up with a solution that will be accepted by users. This is not a technical problem. Companies like Google and Facebook lost user trust and no technical solution will get it back.
  • While privacy concerns effectively killed FLoC, the Topics API is still intended to provide tailored advertising based on your browsing habits. Their claim is “advertisers will only receive topics they have observed from other sites.” A user visits a site, browser infers topics of interest from browser history, a site with ads is visited, the topics of interest are relayed to the AdTech platform (via API), which then selects the ads to display. E.g., if you visit a lot of Football sites, advertising would be from Football related advertisers. The question is do we want revised/targeted tracking, or would no tracking (non-targeted) be preferred.
  • If the goal here is to provide less tracking of users and more privacy or anonymity of browsing, we cannot in good faith expect it to come from a company whose business model depends on this data. There are probably more impartial organizations that allow for “comments” that can design a more workable model. Although my snark meter will just remark that we will likely see tracking code in NFTs in the future, so buckle up.


Let’s Encrypt Certificate Revocation

Let’s Encrypt will revoke roughly 2 million certificates due to irregularities in its implementation of the TLS-ALPN-01 validation method. Let’s Encrypt plans to start the revocation process at 16:00 UTC on Friday, January 28. The organization estimated that less than one percent of active certificates are affected.

Note

  • The biggest issue with certificate revocations is knowing that somewhere in your organization they are being used. Site owners with impacted certs will get email, but not all those sites are even known by IT or IT security. This is probably a low impact event, but good to use as justification for improving certificate management capabilities.
  • With a 90-day expiration and the automation of certificate rollout, this one will be one to watch. With 2 million websites, it would be good to know who did or did not get affected by this. If there was an outage, how long did it last? Unfortunately, this type of data is seldom easy to come by because there may not be any reporting, and outages may happen with no one talking about it. However, with Certificate Transparency Reporting, we could ultimately figure out who was impacted and how quickly they rolled out new certificates. Maybe a good project for a research study.
  • If your certificate is revoked, your nightly run of certbot (or other ACME client) will get you an updated certificate. Avoid the temptation to run it repeatedly/rapidly so as not to DoS the Let’s Encrypt service.


Apple Updates

Apple has released updates for iOS, iPadOS, WatchOS, tvOS, and macOS. The updates include a fix for the Safari data leak issue that was disclosed earlier this month. The updates also address a memory corruption issue in the IOMobileFrameBuffer kernel extension that is being actively exploited.

Note

  • Two vulnerabilities have already been made public or are being exploited ahead of the release of the patch. For others, additional details were released shortly after the patches were released. Update by this weekend. But note that there are some issues, for example with Dropbox, as you are applying this update. Apple Music, which is a full rewrite for macOS, may also require you to log out and log in again to re-authorize your system.
  • The iOS and iPadOS updates may feel benign as they only address 10 CVEs. The kicker is they include a fix to the CVE-2022-22587 zero day which is being actively exploited. Push the updates to your devices now. These updates are essentially monthly now, consider configuring your MDM to always push updates to your managed devices as they are released, along with user notification to reduce exposure windows.


Kentucky Hospital Cyber Incident

Taylor Regional Hospital in Kentucky has experienced a cyber incident that resulted in significant disruption. All hospital systems, including its phone system, are down; the facility is operating under electronic health record (EHR) downtime procedures.

Note

  • Before your local hospital has a cyber incident, verify options to use a different facility, both from a feasibility and insurance perspective. Also be prepared to have documentation on current medications and medical conditions much as you would on a first time visit to a doctor, even if you’re going to an impacted facility, as they may not have the back-end health care/history records.
  • I worked in healthcare for almost a decade back in the early 2000s. It was tough to justify endpoint security, segmentation, and other security items because the threat model was poorly defined. Specifically, after “worms” stopped being so prevalent, taking down systems. If patient safety or patient care isn’t a factor, it isn’t a priority in many places. Compliance and privacy are generally the more significant mover of the budget. It has taken almost another decade, but Ransomware has finally turned what was a hard sell into practically a requirement. Expect to see more focus in healthcare as more and more systems become Ransomware targets.


Ransomware Hits Electronics Company in Taiwan

Taiwanese company Delta Electronics was hit with a ransomware attack that was detected on January 18. Delta is a contractor for Apple, Tesla, HP, and Dell. Delta says the attack affected only non-critical systems and that operations were not significantly disrupted. The company’s main website was still offline as of Thursday, January 27.

Note

  • Delta claims to be the largest supplier of switching power supplies. The Conti ransomware operators claim to have encrypted 1500 servers and 12,000 computers out of the approximately 65,000 devices on Delta’s network. Take that sort of impact to your next disaster exercise and see how you would recover from that sort of impact, then make sure you have leveraged logical and physical separation techniques to manage lateral movement.


FBI Warns of Malicious QR Codes

The FBI’s Internet Crime Complaint Center (IC3) has published a public service announcement warning that “Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.” The PSA includes tips for users to protect themselves, including not downloading apps via QR codes and not making payments on sites reached through a QR code.

Note

  • Data from independent sources usually show QR code usage is pretty low, in the 5-10% of users, though the QR code industry shows much higher numbers. Good to warn users that QR codes are just like clickable links in email or text message – may have some convenience but carries risk. I think more importantly: never download a random app to read QR codes. If the camera app in your device doesn’t do QR codes, just don’t use them.
  • Treat QR codes like any other clickable link; only scan trusted codes. The native iOS and Android apps provide a pop-up with the site referenced by the QR code; if you’re not familiar with the site, don’t proceed. There is often an alternative to using the provided QR code. For example, many restaurants are now primarily providing menus by QR code, even so, they still have physical menus for those who don’t have a smartphone or are uncomfortable with the link.
  • While QR codes have been around for quite a while it was not until the pandemic hit that their use became more mainstream and people more familiar with using them. This is a good example of cybercriminals taking advantage of growing popularity in technology solutions and why cybersecurity pros need to keep abreast of how technologies are being utilized and subsequently abused so they can ensure the appropriate controls are in place.
  • I do not believe that it is helpful to tell users not to download apps using QR codes. Too often, there are legitimate apps that are offered via QR codes. But users should be considering what they are downloading, and where they are finding the QR code. The alternative, offering short URLs for users to type in, has the same problems as QR codes.
  • QR code adoption has increased since the pandemic; everyone knows how to scan a QR code at a restaurant. Unfortunately, this convenience is being exploited to direct end users to malicious sites. Count this as another feature that requires user awareness training.


Rust Update Addresses High-Severity Vulnerability

An update for the Rust programming language fixes a race condition in the standard library’s std::fs::remove_dir_all function that could be exploited to delete files and directories the calling program never intended to remove. According to the security advisory, the issue affects Rust versions 1.0.0 through 1.58.0; the maintainers have released Rust 1.58.1 to address the flaw.

Note

  • This vulnerability is an interesting race condition, but can only be useful if an unprivileged user is calling a privileged (e.g. setuid/setgid) program. The sky is certainly not falling with this one, but there are two key takeaways from the example. First, TOCTOU (time of check/time of use) vulnerabilities are all over the place in code. Many Windows kernel vulnerabilities are TOCTOU. If you run an SDLC program, ensure you educate your developers on how to write code resistant to TOCTOU bugs. With increasing numbers of processing cores on our systems, these are especially problematic in multithreaded applications. The second takeaway is that vulnerabilities aren’t going away. Rust is widely celebrated for its security in defeating memory related bugs. But no programming language is immune to logic flaws such as race conditions and this is a primary example of that in action.
  • This was due to a time-of-check/time-of-use race condition, which may not always work. Updating to version 1.58.1 is the fix, as adding code to check prior to calling the “remove_dir_all” function will not mitigate the problem as those calls will also be subject to the same race condition.
  • On a penetration test, vulnerabilities like this usually fall into the “I didn’t know we had that!” category. If you aren’t small/technical enough to maintain full inventories with scripts and elbow grease, it may be time to invest in an automated solution. Not sure it’s worth the time/money spend? How long did it take you to find all the Log4J in your environment?
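
The race the comments above describe, rendered in Python rather than Rust so that the check-then-act window and the descriptor-relative fix sit side by side. This is an added example, not the Rust standard library’s code or its patch. The fixture is constructed; the naive version is included only to mark where the window is (no race is staged, so it happens to delete correctly here), and the hardened version relies on the Unix dir_fd forms of os.open/os.unlink/os.rmdir, so it is Linux/Unix only.

```python
import errno
import os
import tempfile
from typing import Tuple


def remove_dir_all_naive(path: str) -> None:
    """Check-then-act, the pre-1.58.1 pattern. Between the islink()/isdir() checks and
    the recursion, an attacker who controls `path`'s parent can swap a subdirectory for
    a symlink; listdir() then follows the link and the target's contents are deleted
    with the caller's privileges. Adding more checks before the call does not close
    the window, it only moves it."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.islink(full):          # check ...
            os.unlink(full)
        elif os.path.isdir(full):         # check ...
            remove_dir_all_naive(full)    # ... use: `full` may be a symlink by now
        else:
            os.unlink(full)
    os.rmdir(path)


def _remove_tree_fd(dir_fd: int) -> None:
    # Every operation is relative to an open directory descriptor (the *at() calls),
    # so a rename in a parent cannot redirect us: the fd pins the directory we opened.
    with os.scandir(dir_fd) as it:
        entries = list(it)
    for entry in entries:
        if entry.is_dir(follow_symlinks=False):
            child = os.open(entry.name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=dir_fd)
            try:
                _remove_tree_fd(child)
            finally:
                os.close(child)
            os.rmdir(entry.name, dir_fd=dir_fd)
        else:
            # Regular files and symlinks alike: unlink the entry itself, never a link target.
            os.unlink(entry.name, dir_fd=dir_fd)


def remove_dir_all_hardened(path: str) -> None:
    """Open the root with O_NOFOLLOW so the kernel refuses a symlink, then delete only
    through descriptors. There is no separate check to race against."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK, errno.ENOTDIR):
            os.unlink(path)   # root was a symlink or a plain file: remove it, not what it points to
            return
        raise
    try:
        _remove_tree_fd(fd)
    finally:
        os.close(fd)
    os.rmdir(path)


def _make_victim(base: str) -> str:
    """Constructed fixture: a directory outside the tree that must survive deletion."""
    victim = os.path.join(base, "victim")
    os.makedirs(victim)
    with open(os.path.join(victim, "secret.txt"), "w") as fh:
        fh.write("keep me\n")
    return victim


def demo() -> Tuple[bool, bool]:
    """Tree containing a symlink to victim/. Returns (tree_still_exists, victim_file_survived)."""
    with tempfile.TemporaryDirectory() as base:
        victim = _make_victim(base)
        root = os.path.join(base, "tree")
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "junk"), "w") as fh:
            fh.write("x\n")
        os.symlink(victim, os.path.join(root, "sub", "link-to-victim"))
        remove_dir_all_hardened(root)
        return os.path.exists(root), os.path.exists(os.path.join(victim, "secret.txt"))


def demo_symlink_root() -> Tuple[bool, bool]:
    """The root argument is itself a symlink to victim/. Returns (link_removed, victim_file_survived)."""
    with tempfile.TemporaryDirectory() as base:
        victim = _make_victim(base)
        link = os.path.join(base, "link")
        os.symlink(victim, link)
        remove_dir_all_hardened(link)
        return not os.path.lexists(link), os.path.exists(os.path.join(victim, "secret.txt"))


if __name__ == "__main__":
    print(demo())               # (False, True)
    print(demo_symlink_root())  # (True, True)
```

The design point is the one in the comment above: the fix is not a better check but removing the gap between check and use, which on POSIX means holding a descriptor to the directory and doing every subsequent open/unlink/rmdir relative to it.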


IRS Plans to Adopt Facial Identification to Access Accounts Online

The US Internal Revenue Service (IRS) plans to start using the ID.me online identity verification service later this year; the service asks users to submit bills and identity documents. While ID.me does not require users to submit photos of themselves, the IRS presents facial recognition as the default option. Civil liberties proponents have expressed concerns about the technology’s privacy and cybersecurity implications.

Note

  • The IRS is already using the service. I went through the procedure last week, and it appeared to be very thorough but of course, not very convenient. It required uploading various documents (passport, driver’s license) and in the end a video call to verify the information. The IRS also sent a letter a few days later verifying that I accessed the site online, which is a nice touch to prevent fraud. It is likely best to setup access yourself before someone else does it for you.
  • Fraudsters and criminals have long swarmed online IRS services to steal tax refunds, so good to see strong authentication finally being required here and that should pave the way for more federal, state and local government and contractor requirements for strong authentication. The government needs to do strong vetting and testing of the ID.me service.
  • Civil liberty groups are right to be concerned about the implementation of such technology for authentication means. Biometric data is one of the most sensitive types of personal data there is and why under the EU’s General Data Protection Regulation (GDPR) there are many prohibitions on its use.
  • ID.me is set up to do strong identity validation with the intent of preventing fraudulent account creation. As part of that, biometric and other sensitive information is needed to fully verify your identity. Additionally, ID.me supports multiple forms of MFA; when prompted, select the strongest form possible, steering away from SMS or phone calls as a second factor. The ID.me site says you can delete your biometric information; this appears to require deletion of your account. If you’re setting up an account, expect any interaction with the help desk to include a significant delay as they’re ramping up dramatically.
  • I love the idea of the IRS requiring strong validation/authentication for access to its databases. Ultimately a process/solution like this should be used for any public access to sensitive government resources.


FERC Soliciting Comments on New Rule

The Federal Energy Regulatory Commission (FERC) is soliciting comments on a proposed rule that would require the North American Electric Reliability Corporation to develop and adopt bulk power system cyber reliability standards. Current standards do not include network security monitoring.

Note

  • The lack of requirements for internal network monitoring is definitely a gap in NERC/FERC standards. Years ago, IDS products weren’t all that useful in SCADA/OT environments and networks but that has changed over the years. However, there are definitely specific skills needed to architect, deploy, and make effective use of monitoring those networks. Collecting data or even producing alerts isn’t the goal, quickly acting on potentially dangerous conditions is – and that takes more than technology.
  • Don’t wait for standards to implement segmentation and security monitoring of critical systems. CISA and others have been publishing best practices for securing these systems you can already leverage to get a jump on this. Check to see what protections you have in place, including monitoring, separation to include local and remote access restrictions for these systems.
  • The power grid is unique in the potential for a failure in one provider to spread to others.


DHS Warns of Potential for Russian Cyberattacks Against US Targets

In a bulletin sent to local governments and operators of the country’s critical infrastructure, the Department of Homeland Security (DHS) warned of the potential for cyberattacks launched on behalf of Russia’s government. The January 23 bulletin echoes warnings in recent alerts from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA).

Note

  • Review the CISA Insights document on implementing cybersecurity measures to protect against potential critical threats. (www.cisa.gov: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats – PDF) This is a checklist of the fundamentals, irrespective of threat actor; covering reduction of attack steps, rapid detection and response as well as resilience to an incident. When verifying your capabilities make sure there is supporting evidence, don’t accept someone just checking the box.
  • Given the heightened geo-political tensions I recommend that organizations outside of the US take heed to these warnings too. We live in an ever more interconnected world and your organization could easily be targeted as part of the supply chain to an ultimate target located elsewhere.


CWP Bugs Could be Chained to Allow RCE

A pair of critical vulnerabilities in the Control Web Panel (CWP) open source control panel software could be chained together to allow remote code execution with root privileges on Linux servers. CWP is used on more than 200,000 servers.

Note

  • Web based admin portals, not just CWP, should never be exposed to the public Internet.
  • Make sure that you’re running the latest version of CWP 7 – 0.9.8.1122. CWP 6 (0.9.8.918) is definitely EOL; it is time to upgrade.
  • Another vulnerability in open-source software. Having an inventory of assets, including libraries and plugins, is a must. These should have been lessons learned by Log4j, Struts, and Heartbleed.


Critical SonicWall Flaw is Being Actively Exploited

Attackers are actively exploiting a critical unauthenticated stack-based buffer overflow vulnerability in SonicWall’s Secure Mobile Access gateways. The flaw can be exploited even when the web application firewall is enabled. SonicWall released fixes for this vulnerability and others in December 2021.

Note

  • We continue to see rapid exploitation of flaws in perimeter security devices. This has been a problem for the last few years now, and you need to apply updates to these devices quickly. Updating devices can be risky and you may need hands-on-site to recover, but the alternative is having the device exploited.
  • Make sure that you didn’t postpone deploying the patches because of the holidays. Remember the SMA 100 series of appliances include the SMA 200, 210, 400, 500v products. Double check and address any missed devices soonest. Also check your logs for any signs of successful exploit.
  • With our greater dependency on remote access solutions and gateways resulting from the pandemic, these security solutions are in turn being targeted by criminals, particularly ransomware gangs. So ensure you keep all such devices, not just those from SonicWall, updated, that you regularly review their rules and configurations to ensure they are valid, and most importantly that you proactively monitor them for any suspicious activity.
  • Your organization should have an inventory of all assets and monitor them for vulnerabilities and patches. Edge devices, that are accessible from anywhere on the Internet, should be top of the list when remote code execution patches are released.


Apple is Reportedly Working on a Fix for Data Leak Bug in Safari

Apple appears to be developing a fix for the data leak issue in Safari. Updates provided to developers – iOS 15.3 RC and macOS 12.2 RC – have addressed the vulnerability. The flaw is due to a problematic implementation of the IndexedDB API that violates the same-origin policy.

Note

  • The fix has been incorporated into the release candidate for the next iOS and macOS update. It may be released as soon as this week. The iOS security architecture doesn’t allow for a more granular quick update of Safari. All updates need to include a complete iOS image.
  • I expect Apple to release iOS and iPadOS 15.3, macOS 12.2 and Safari 15 updates this week. If you’ve not finished your prior update cycle, particularly for mobile devices, you may need to stop where you are and change the target as soon as the new versions drop.


Memorial Health Says Information Was Stolen Prior to Ransomware Attack

Ohio’s Memorial Health System has disclosed that personal information, including medical data, was taken from its systems prior to a ransomware attack that occurred last summer. The breach affects information belonging to more than 200,000 patients.

Note

  • Initial access occurred around July 10, but the investigation did not complete, and notification did not occur until December 9. Testing, measuring, and improving your resilience to ransomware threats should be part of your plan for this year if you have not started already. The best time to start already passed, the second-best time is now.


Man Pleads Guilty to Hacking College Networks

Timothy Spillane has admitted to breaking into computer networks at two suburban Philadelphia colleges. Spillane stole information and used it to file fraudulent tax returns. Spillane has pleaded guilty to accessing a protected computer without authorization.

Note

  • Remember when schools were hacked to alter grades? This attack targeted PII, W-2s, and financial information with the intent to file returns to fraudulently obtain tax returns. Fortunately, the attacker couldn’t guess the victims’ adjusted gross income for the prior year and was subsequently caught. Make sure your systems with this type of data are isolated and monitored, that information is encrypted in transit, storage, and if possible, when not in use (think encrypted fields). Review your network architecture. Make sure you no longer have a flat network when it comes to accessing systems, only exposing needed interfaces for self-service operations.


SMS Phishing Campaign Prompts Singapore to Introduce Internet Banking Security Measures

In the wake of an SMS phishing campaign that targeted the Oversea-Chinese Banking Corporation, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are requiring financial institutions to implement security measures. The organizations will be required to take clickable links out of text messages and emails sent to customers; set default funds transfer thresholds to SG $100 (US $74); and impose a 12-hour delay for activating mobile software tokens. In a separate story, UnionBank of the Philippines is also adopting stronger security practices to protect its customers from fraud. UnionBank says it will no longer use clickable website links in promotional materials.

Note

  • These are interesting security measures in that they really strike at the intersection of confidentiality, integrity, and availability. Here, they’re protecting the integrity of the accounts by limiting availability of some features. On the issue of clickable links in text and emails, that train has unfortunately already left the station. While this will definitely stop some cybercrime, it will take some time to get people to adjust to the idea that any clickable link is an attack. That said, this is a gold mine for security awareness. Instead of trying to train users on which links are safe to click (which I think we can all agree has been an abject failure), end users can now be trained that *any* link from participating institutions is an attack. This heuristic will certainly be easier for users to apply reliably and consistently.
  • While these are good security measures, they also impact usability and remove the risk-based decision from the individual financial institution. The challenge to the FI is to train users to use alternative more secure methods, such as non-SMS authentication verification, out of band verification for transactions which exceed risk thresholds to support the expected transaction volume of modern banking users.
  • This measure from MAS/ABS along with the Philippines bank to no longer use clickable links in SMS and emails is an interesting strategy. Inconvenient from a user perspective but the extra steps to copy and paste the URL may give the user time to think about what they are about to do. This is, of course, if it does not become a habit.
  • Modern email clients (including browsers) and secure web gateways all give some level of protection to users when they click on embedded links in email. SMS messaging does not go through such protection which is why “smishing” is increasing. Until phone number spoofing is stopped or until such protections are available, it is a very good thing to make it clear that no responsible institution would include clickable links in a text message.

Read more in

Zoom Fixes Zero-Click Vulnerabilities

Researchers from Google’s Project Zero have discovered two zero-click vulnerabilities affecting Zoom clients and Multimedia Router Services. The flaws were disclosed to Zoom in October 2021; they were addressed by November 24.

Note

  • This is a fantastic write-up exploring the zero-click attack surface of Zoom and the attacker opportunity for client-to-client exploitation. Zoom has fixed these vulnerabilities and significantly improved defenses against future attacks on their servers. Many thanks to Natalie Silvanovich from Google Project Zero for the write-up, and for motivating Zoom to make positive security changes.
  • While I certainly don’t recommend asking board members or CEOs to read the 8 page Google Project Zero blog entry, it is a great example of the complexity of a commonly used service (Zoom) and how a skilled attacker (or pen tester/researcher) with tools and time can keep poking and prodding and find weak spots. In my briefings to boards, the closest analogy I have found that seemed to connect is deer eating my landscaping: they are hungry, devious and have lots of time. If I don’t regularly monitor and mitigate my vulnerabilities, sooner or later the damn things will get in and wreak havoc. And, if someone tells you this software is hacker proof or that deer don’t eat that type of shrub, don’t believe them.
  • Make sure you’re pushing out updated desktop clients to your users. If you’re not a Zoom shop, make sure any endpoints with the application installed are also updated; while removing the app in this scenario is tempting, you need to understand the impact and have an exception process to mitigate business impact. If you’ve been ignoring the update Zoom prompt, now would be a good time to click install and relaunch.
  • Zoom’s security, their team, and response process to vulnerabilities and threats have come a long way since the start of the pandemic.

Read more in

Report Says Half of IoT Devices in Hospital Settings Contain Critical Vulnerabilities

According to a report from Cynerio, more than 50 percent of Internet-connected medical devices and other IoT devices in hospital settings have critical security issues. The report notes that IV pumps account for 38 percent of hospitals’ IoT footprints, and that 73 percent of those devices have vulnerabilities that could pose a threat to patient safety or expose data. In addition, many departments are running devices that are based on operating systems older than Windows 10.

Note

  • Not to downplay these results, but in 2020 a Rapid7 survey showed 80% of Exchange servers were missing critical patches overall and 60% in the healthcare vertical – and those vulnerabilities are much easier to exploit. That said, where lives are at stake, much higher standards are required. The biggest problem is the procurement of devices from vendors who claim they are restricted from patching them, or from updating the underlying OS, despite years of FDA guidance saying that is not true.
  • As anyone who has worked in healthcare can tell you, this is no surprise. And the “lots of medical equipment has unpatched vulnerabilities and many healthcare providers run legacy operating systems” is evergreen. Given the realities of technology and patient care, we need to start thinking of patient care equipment as operational technology (OT) and segment these networks appropriately. This should be done with the understanding that just like most utilities and manufacturing, healthcare will always have devices on the OT network with known vulnerabilities. Zero trust networking in the patient care networks can help mitigate some risk as well. I’m not advocating giving up on vulnerability management in patient care networks, but I look forward to the day when stories like this stop getting written because there’s just no realistic impact.
  • Shock and awe numbers like this are hardly useful without context. They sell clicks, but do not promote change. Healthcare IT is a complex multi-stakeholder operation and needs to prioritize resources. Ransomware attacks significantly affected hospital operation and patient safety, but they did not take advantage of IoT vulnerabilities; they may have affected IoT devices, but not due to these vulnerabilities.
  • Like OT, these systems need proper segmentation and isolation as patching intervals are infrequent and will not only require regression testing, but also careful scheduling to not impact patients. Consider network layer protections that connect devices to the proper segment regardless of how they are connected. These protections can also be used to auto-quarantine unauthorized or rogue devices.
  • Sadly, this isn’t surprising in the slightest. Having worked with many medical orgs, we’ve seen these systems aren’t touched. Often no updates or people looking at the (in)security of these systems. Even if the updates exist, most organizations don’t have the buy-in to perform updates or the staff to manage it (again, buy-in). Ideally, if you’re in a situation like this (no ability to update), segment these systems from others.
  • Many, not to say most, of these appliances should not be visible to Cynerio.

Read more in

SolarWinds Fixes Serv-U Vulnerability

SolarWinds has released updates to address a Serv-U vulnerability that was reportedly discovered when attackers attempted to use a Log4j attack to access the multi-protocol file server. SolarWinds issued fixes for the improper input validation vulnerability earlier this week.

Note

  • Input validation must be fundamental for all application development. Don’t solely rely on an external service, as they can be bypassed or misconfigured. Leverage testing harnesses which include fuzzing to ensure you didn’t miss anything.
  • Input validation vulnerabilities are to information security as fat/salt/sugar is to nutrition: we could avoid them and be really healthy, but then we would be forced to only eat kale. Validation errors in simple use cases like forms are easily avoidable. In things like queries, not so easy to avoid, but modern software testing tools used by skilled testers can find them. After all, the bad guys do just that – vendors need to be driven to be doing more of that before the bad guys.
  • This story is interesting because of how the vulnerability was identified.
  • The supply chain remains a way for attackers to insert vulnerabilities into many enterprise networks at the same time. Until we begin to hold suppliers responsible for distributing malicious code (does not now seem likely any time soon), consider quarantining supplier updates long enough for malicious code to be detected by others.

Read more in

Biden National Security Memorandum Aims to Strengthen National Security Systems

On Wednesday, January 19, US President Joe Biden signed a National Security memorandum that provides details about how the May 2021 executive order on cybersecurity applies to national security systems. The memo authorizes the National Security Agency (NSA) to issue binding operational directives that require federal agencies to take certain steps to mitigate threats to national security systems. The memo also directs the NSA to collect reports regarding incidents affecting national security systems.

Note

  • There was a lot of discussion in the EO about cross domain solutions (CDS) that are used to segment networks of different sensitivities (typically different levels of classification) and only allow specific data types/content to flow in each direction. Commercially, similar systems (often termed “data diodes”) are used to separate some IT and operational technology (OT) networks.
  • NSS systems are already held to a higher standard than unclassified systems, particularly cross domain components which require specific certifications and validations before they are authorized to operate. These systems are isolated and have many controls on how information enters or exits them. Care must be taken to not introduce impractical requirements which may cause a loosening of existing security measures.

Read more in

CISA Insights Document Published in Response to Ukraine Attacks

The recent cyberattacks against targets in Ukraine have prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to publish an Insights document urging organizations to bolster their cybersecurity. The document urges organizations to reduce the likelihood of a damaging cyber intrusion; take steps to quickly detect a potential intrusion; ensure that the organization is prepared to respond if an intrusion occurs; and maximize the organization’s resilience to a destructive cyber incident.

Note

  • A nice list of common-sense steps to take. They will protect you against many common attacks. If a news article about Ukraine can get you management attention and funding, don’t let the crisis go to waste! Pick one item that you had difficulties getting resources for (e.g. 2FA for VPNs is one of my favorites, something you should be doing anyway).

Read more in

Cooperative International Effort Takes Down VPNLab Infrastructure

Law enforcement authorities have seized and/or disrupted the servers that were used to host the VPNLab.net service. The service has been used by actors to facilitate criminal activity, including spreading ransomware. The takedown was a joint effort of law enforcement authorities from Europe and the US.

Note

  • It’s important to note that this isn’t just a service that was used by cybercriminals (I’m confident that pretty much every public VPN service is used by cybercriminals at some point). VPNLab was designed for use by and marketed to cybercriminals, a significant difference.
  • Always happy to hear collaboration, takedown, and ransomware in the same story. Kudos to the law enforcement working across borders as we all work together to fight the ransomware threats.

Read more in

Information Disclosure Bug Affects Safari and iOS

An information disclosure bug in Safari and iOS is a violation of the same-origin policy. The issue has been present since the release of Safari 15 and iOS and iPadOS 15 in September 2021. A nosy website could obtain information about other tabs a user has open.

Note

  • This is a serious, easily exploitable, vulnerability. Apple will hopefully release a patch shortly (a release candidate was made public yesterday). The underlying WebKit vulnerability was patched this week, but to update iOS/macOS, a patch from Apple is required.
  • This vulnerability in Safari leaks information about the websites you visit. Private mode browsing helps, but does not fully mitigate this flaw. Compared to other browser same-origin policy bypass vulnerabilities, this one is mild, but it still warrants rapid patching due to the ease of attacker exploitation.
  • The flaw can be used to discover the names of services used, not their content. The fix requires an update to WebKit, which means all browsers used in iOS or iPadOS are vulnerable. Apple has not released a date for the update, but has reportedly made the necessary fixes and marked the issue closed, so I expect the next patch cycle to include it.

Read more in

Cisco Fixes Critical Flaw in RCM for StarOS

Cisco has released updates to address multiple vulnerabilities in Cisco Redundancy Configuration Manager (RCM) for its StarOS Software. One of the flaws is a critical issue in the StarOS debugging service that could be exploited to “allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container.”

Read more in

White House: REvil Arrests Include Alleged Colonial Pipeline Culprit

One of the individuals arrested in Russia in connection with the REvil ransomware group is believed to be responsible for the May 2021 ransomware attack against Colonial Pipeline. That attack temporarily led to fuel shortages in parts of the US.

Note

  • International cooperation is critical to prosecution having any impact at all, but politics still gets in the way. I don’t think there has been any meaningful progress on international cybersecurity laws since 2001 or so. The UN Governmental Group of Experts met and issued reports in this area every few years, nothing since then I don’t think. Maybe the pandemic spirit of international cooperation will carry over to cybersecurity…
  • There was a lot of political pressure to find those behind the Colonial Pipeline attack, as well as pressure from Russia that cooperation was contingent on the US not reacting to their activities in Ukraine, as well as Russia not wanting to acknowledge they had ransomware groups actively operating in their country. This makes international cooperation tricky and non-trivial. One hopes we would have moved beyond this, as it also allows operators more room to operate and maneuver without recrimination.

Read more in

White House Open Source Software Security Summit

On Thursday, January 13, the White House hosted an Open Source Software Security Summit to discuss ways to improve the security of and support for open source software. The meeting included government officials as well as open source software stakeholders from technology and infrastructure organizations.

Note

  • A number of initiatives came out of the Heartbleed vulnerability back in 2014. For example, the Linux Foundation identified critical components in need of help. Companies like Google, Apple, Facebook and others are already contributing to open source. But they often miss older existing components that have lost support and are still relied upon. After Heartbleed, the Linux Foundation started a project to identify critical open source components that have either lost their maintainers or are in need of help (e.g. security assessments).
  • A great topic to see progress on, but the only output of the meeting was an agreement to “continue discussions to support these initiatives in the coming weeks.” If private industry wants to show it has any ability to self-regulate, this is a great opportunity to see the vendors participating come out with a major announcement in those coming weeks with some 2022 milestones of actual changes to improve the baseline security of repositories and code.
  • The government doesn’t need private industry to improve the security or support of open source software. If the administration saw open source software security as a legitimate threat to national security, it could simply fund the maintenance it is asking industry to fund. The reality isn’t that simple. Choosing which open source projects to support (which will of course be seen as an endorsement) poses some immediate issues as will administering the program. But those challenges unfortunately don’t go away by pressuring private industry to provide the open source software support.
  • Open source expects active contributions from the community. If you’re improving, extending or fixing open source, you’re supposed to give those changes back. If you discover an issue you cannot resolve, report that too. Take a look at the license for any open source you’re using to make sure that you’re following any other expectations. I’ve seen prohibited use cases or expectations which are easily missed.
  • While the quality and protection of open source software may not be worse than that of the code that we pay for, it is clear that “many eyes” has not delivered on its intuitive promise. There does not appear to be any useful difference in the risk of code based upon its source.
  • I am not a fan of throwing money at the problem, but when it comes to open-source software leveraged by multi-million- and billion-dollar companies, my opinion changes. Maintaining open-source software is a thankless, tedious job. Log4j showed the potential impact.

Read more in

Microsoft Releases Out-of-Band Fixes for Problematic Updates

Microsoft has issued out-of-band updates to fix issues in Windows Server updates that were released last week. The initial updates were causing spontaneous Windows domain controller reboots, preventing Hyper-V from starting, and rendering Windows Resilient File System (ReFS) volumes inaccessible.

Note

  • This out-of-band fix was urgently needed to allow organizations to apply the January cumulative updates correctly. I know it isn’t easy for Microsoft to test all the possible DC configurations. But reliable and painless software updates are one of the things organizations purchasing software are looking for.
  • After pausing and/or rolling back some server updates last week, it’s time to test these revised updates and schedule their deployment. Trust the fixes to the update but verify them before enterprise deployment.

Read more in

Microsoft: Wiper Targeting Ukrainian Organizations

Microsoft has warned of destructive wiper malware that is being used in targeted attacks against organizations in Ukraine. The Microsoft Threat Intelligence Center (MSTIC) says that the malware first appeared on Ukrainian systems on January 13, 2022. The malware is reportedly designed to look like ransomware, but lacks a recovery mechanism, leading researchers to believe its intent is to destroy data. The malware overwrites the Master Boot Record and displays a phony ransom message, then it corrupts multiple filetypes.

Note

  • The destructive malware which Microsoft has termed “WhisperGate” has been detected targeting many organizations similar to those that were hit with website defacements last week. The WhisperGate malware is designed to appear like ransomware at a very high level. However, a cursory inspection shows that there is no realistic possibility of recovery for victims. The destructive malware lacks features built into traditional ransomware, such as per-victim keying. If threat actors were hoping this would continue to appear to be ransomware (even under limited scrutiny) they missed a significant number of details. We should conclude that the threat actors are likely relatively sophisticated and don’t really care how the malware is perceived, in which case the ransomware connection is probably just there to preserve some semblance of plausible deniability.
  • Preparations for this strain are the same as any other; recovery is simplified as you don’t have to have the ransomware payment discussion. Be sure your recovery plans are tested and timelines realistic.
  • This is interesting; destructive malware is something that many companies have not had the luxury to experience. Instead, most companies experience traditional ransomware. Has your company modeled this?
  • This attack does not appear very sophisticated, nor does it leverage any innovative TTPs. Doing the “boring” basics, such as eliminating local administrative privileges to accounts that have email and internet access, will go a long way.

Read more in

Russia Says Authorities Have Made Arrests and Seized Assets Related to REvil Ransomware Group

Russia says authorities there have arrested 14 people believed to have ties to the REvil ransomware group. The Russian Federal Security Service (FSB) says the arrests were made at the request of US authorities. The FSB reportedly seized millions of dollars’ worth of currency and material assets.

Note

  • Regardless of the current geo-political situation, these arrests should send out a strong signal to criminals who thought they were untouchable due to being based in Russia. It will be interesting to see what impact these arrests, coupled with other recent activities by law enforcement agencies in other countries, will have on the activities of ransomware gangs.
  • Many rightly viewed the arrests with suspicion, almost like the arrests were timed as top cover for something else Russia wanted to keep out of the news cycle. While that certainly is possible, we should still celebrate the takedown of this group of cybercriminals. This particularly impacts the affiliate model so many of these groups rely on to prosper. The affiliate model only works on trust and anytime law enforcement is believed to be sniffing around, trust in criminal organizations isn’t exactly at an all-time high.
  • International cooperation resulting in a takedown such as this is something to celebrate. It can be complicated in locations where operators are ignored so long as they don’t target that country’s assets. One hopes cryptocurrency was also secured, a skill which is needed with current cybercrime.
  • The articles today seem to conflict with one another, and maybe this is on purpose. While on the one hand we have a suspicion that Russia is involved in this Ukrainian malware, we have a conflicting story with the REvil group being caught. It’s just interesting that these two stories show up in a similar timeline. Is Russia making it appear that they are playing ball with the world by arresting the REvil ransomware gang while simultaneously attacking Ukraine? Only time will tell.
  • Many people have been suggesting this may be smoke and mirrors to take some pressure off our ransomware fight and/or geopolitical strategy. I welcome this over no action at all.

Read more in

WordPress Vulnerability Affects Three Plug-ins

A cross-site request forgery vulnerability affects three different WordPress plug-ins: Login/Signup Popup, Side Cart Woocommerce, and Waitlist Woocommerce. All three are maintained by Xootix. The issue is fixed in Login/Signup Popup v2.3, Side Cart Woocommerce v2.1, and Waitlist Woocommerce v2.52.

Note

  • The issue is that all three functions didn’t properly implement a nonce check, allowing their security to be bypassed. The patched versions were released in December; make sure your auto-update installed them. Wordfence released firewall rules for free and paid versions on December 5th and November 5th respectively. Verify your WAF is getting updates for the latest plugin vulnerabilities.
  • I hope we can get away from WordPress at some point in time, but I feel that we will be talking about this in a decade. They need to completely re-write this concept of plugins.
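To illustrate the missing nonce check described above, here is an added example (written for this note, not the Xootix plugins’ own code) showing a WordPress AJAX handler that accepts any logged-in request beside one that verifies a nonce and a capability. The hook, action, option and field names are hypothetical.

```php
<?php
// Added example, not the plugins' own code. Action/option names are hypothetical.

// VULNERABLE: a request from any site the logged-in user visits can trigger this
// handler, because nothing proves the request came from a form this site issued.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_insecure' );
function example_save_setting_insecure() {
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success();
}

// HARDENED, step 1: the page that renders the form embeds a nonce tied to the
// current user's session and to the action name.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_setting_secure">
        <?php wp_nonce_field( 'example_save_setting', 'example_nonce' ); ?>
        <input type="text" name="value">
        <button type="submit">Save</button>
    </form>
    <?php
}

// HARDENED, step 2: the handler rejects the request unless the nonce verifies
// AND the user holds the required capability (a nonce proves intent, not authority).
add_action( 'wp_ajax_example_save_setting_secure', 'example_save_setting_secure' );
function example_save_setting_secure() {
    // check_ajax_referer() ends the request with HTTP 403 when the nonce is
    // missing, expired, or was issued for another action or user.
    check_ajax_referer( 'example_save_setting', 'example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
```

When reviewing a plugin, look for every `wp_ajax_*`, `admin_post_*` and form-handling hook and confirm each one calls `check_ajax_referer()` or `wp_verify_nonce()` before changing state.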

Read more in

Former DHS Official Pleads Guilty to Data and Software Theft

Charles Kumar Edwards has pleaded guilty to conspiracy to commit theft of government property and theft of government property. Edwards stole proprietary software and sensitive government databases. At the time of the theft, Edwards was a US Department of Homeland Security employee and acting inspector general. He had previously worked at the Transportation Security Administration and the US Postal Service Office of Inspector General.

Note

  • Insider threats continue to be the focus of more mature organizations. As mentioned earlier, do the “boring” basics first such as implementing the CIS Critical Controls, then focus on insider threats.
  • It appears he was attempting to create a copy of these applications, presumably with the intent of marketing them to agencies with similar requirements. While audits from an agency IG require turning over lots of information, they also require proper custody of that information, which itself must be audited. One hopes new processes to verify information is properly managed will ensue.

Read more in

Healthcare Sector Breaches in 2021

According to the US Department of Health and Human Services (HHS) HIPAA Breach Reporting Tool, there were 713 reported major health data breaches in 2021. In total, the breaches affected more than 45.7 million people. For this year so far, the HIPAA Breach Reporting Tool numbers show five major breaches affecting 1.6 million people.

Note

  • Don’t expect a reduction in attacks targeting the healthcare sector. With resources spread thin, look to leverage local CISA or other industry partnerships to assess and, if needed, help improve your security posture.

Read more in

Oracle Critical Patch Update

Oracle plans to release its first Critical Patch Update of 2022 on Tuesday, January 18. The update will comprise fixes for nearly 500 security issues in various products.

Note

  • A number of Oracle products are using log4j. Watch for related updates and expedite these patches if possible. For earlier, less severe log4j vulnerabilities, Oracle released upgrades across several quarterly patch updates.
  • Many of these are application level flaws which can be exploited without authentication. Review the CPU quickly to see if the updates apply to applications used and (the E-Business suite is in the list) start planning your rollout of the corresponding updates.
  • Oracle has quarterly patch releases; this should not be a surprise to patch and vulnerability management teams. Time to analyze and prioritize based on your threat model.

Read more in

Microsoft Patch Tuesday Includes Fix for Wormable Vulnerability

On Tuesday, January 11, Microsoft released fixes for nearly 120 security issues. Nine of the vulnerabilities are rated critical and six were previously disclosed. Microsoft has also noted that one of the flaws fixed this month is “wormable,” meaning it can spread without user interaction.

Note

  • This is the second wormable vulnerability in http.sys in 12 months. CVE-2021-31166, patched last May, was never widely exploited and aside from some PoC exploit leading to denial of service, no actual remote code execution exploit was published. Exploit mitigation techniques in kernel mode drivers make exploitation difficult and may buy us some more time in this case as well. Little detail has been published so far about this vulnerability.
  • The combination of disclosure and the RCE flaw in the HTTP stack means attackers are going to be working to discover unpatched systems and exploit them. Don’t make it any easier by neglecting to apply the entire bundle of patches, including the updates for Chromium Edge.
  • The term “wormable” gains more visibility for quicker patching. The versions of Windows that have this feature enabled by default varies. More details on the ISC post below.

Read more in

CISA, NSA, and FBI Warn Russian Hackers Targeting US Critical Infrastructure

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI have warned that Russian state-sponsored cyberthreat actors are targeting US critical infrastructure entities. The advisory includes technical details about the activity as well as mitigations for organizations to implement.

Note

  • The bulletin explains what these threat actors target and how you can mitigate the risks. Don’t limit your scope of mitigations to just these products. Make sure that you’re keeping hardware and software updated, that MFA on your entry points is comprehensive, that monitoring is working as expected, and that your incident reporting chain is verified. Now execute penetration tests to verify you’re not missing details.
  • Critical infrastructure being targeted isn’t anything new. But increased tensions with Russia may lead to an increase in activity. Not all that activity may be tightly coordinated but historically, “hacktivist” groups often get involved. Also see the story below about attacks against Ukrainian government websites last night.
  • This, like activities in Ukraine, is notable because, in the current situation, Russian state actors are likely to express displeasure online.
  • It is interesting to note other countries, such as the UK, are also issuing similar alerts. Given today’s interconnected world and our dependencies on supply chains, every organization, whether you are located in the US or the UK, should take heed of these alerts and act on the threat intel within them.
    www.ncsc.gov.uk: NCSC joins US partners to promote understanding and mitigation of Russian state-sponsored cyber threats
  • For those who are actively involved in CTI or protecting against these specific, there is nothing radically new in these reports. However, joint reports like these are extremely helpful for several reasons. First, because it is a joint report from CISA, NSA and FBI, organizations don’t have to dig around different sites and dig out key information: it’s all provided to them by a combined trusted authority. Second, the report makes it very simple to understand who the threat actor is, the TTPs (mapped to the MITRE ATT&CK model) and what to do. Quite often the problem in cybersecurity is NOT lack of information, but being overwhelmed by information, data points and recommended actions. Reports like these cut through the noise and provide a single, actionable source. That is what I feel is a key role of government guidance, to help make cybersecurity easier for organizations to act on.

Read more in

Windows Remote Desktop Protocol Vulnerability

A recent CyberArk blog post by Gabriel Sztenjworcel explains how named pipes used with RDP sessions can be abused to gain file system access on client machines, view and modify clipboard data, and intercept smartcard data. The exploit takes advantage of RDP Virtual Channels: some carry the main RDP graphical and input data and are connected to the remote desktop service, while others, such as clipboard and printer redirection, are handled by separate processes. Virtual channel data is passed between these processes using named pipes. Exploitation doesn’t require privileges, just access to the RDP server. Microsoft released a patch for CVE-2022-21893 on January 11th.

Note

  • This is the biggest news of the week that honestly isn’t getting enough attention. If you’re running legacy RDP servers, don’t miss out on this one. While the CyberArk advisory says the vulnerability extends all the way back to Server 2012R2, Microsoft is pushing patches for Windows 7 and Server 2008R2 through its extended security updates (ESU) channel for those who are subscribers. If you are running RDP on a legacy server and aren’t getting patches, make sure you understand the threat. If the threat actor has access to the server, they can retrieve files from any connected client (e.g. the systems admin) and certainly use that to gain code execution on the remote client’s machine. The threat actor need not have full control of the RDP server either; they only need an authenticated RDP client. Finally, given the verbosity of CyberArk’s writeup, we should expect threat actors to weaponize this vulnerability quickly. These “client to client” and “server to client” exploitation channels are unusual and likely aren’t in the threat model of most organizations. Make sure they become part of yours.
  • This isn’t a “huge” vulnerability, as it requires two users being connected (and authenticated) to the same RDP server. But it is interesting and should be patched quickly as it could easily be used to elevate privileges after obtaining a low privilege account.
  • The attack leverages the FIFO behavior of named pipes, allowing an attacker to create a new pipe with the right name which will be used by a new connection before the one created for that connection. This exploit impacts at least Windows Server 2012 R2 forward. Apply the RDP patch from Microsoft. Make sure you’re not directly exposing RDP to the Internet. Monitor RDP servers to make sure that unexpected activity is not occurring. If you’re developing applications which use virtual channels, make sure they are also not subject to a similar compromise.

Read more in

Microsoft Pulls Windows Server Updates After Users Report Problems

Microsoft has pulled Windows Server updates it released on Patch Tuesday after users reported that they were causing problems. The update reportedly breaks Hyper-V and causes domain controllers to keep rebooting.

Note

  • Microsoft has been on a months-long bad streak of being in the news for failed patches or needing to push out patches for software vulnerabilities (like the Y2K22 issue) that should have been easily avoided or detected pre-release. It would be good to see Microsoft publish some analysis to see if this is just a random concentration of issues or if something systemic at Microsoft needs to be addressed.
  • Make sure you’ve pulled these from the list of patches you’re pushing out. Be prepared to roll back KB5009624, KB5009546 and KB5009557 (Server 2012R2, 2016 and 2019 respectively). Even big shops like Microsoft can have QA issues, kudos for responding and pulling these back. Note to self, make sure code you tested/created in 2021 isn’t subject to Y2K22 issues, retest now.

SonicWall Issues Fixes for Flaws in SMA 100 Series Devices

SonicWall has released updates to address several vulnerabilities in its Secure Mobile Access 100 series of devices. The most critical of the vulnerabilities is a stack-based buffer overflow issue that could be exploited to allow unauthenticated remote code execution.

Note

  • The update from SonicWall was published a month ago; make sure you’ve installed it. Make sure your edge devices are at the top of your security update list. The report from Rapid7 will fuel the fire of attempted exploitation. The flaw is also present in the SMA 200, 210, 400, 410 and 500v products.

Maryland Dept. of Health Confirms Ransomware Attack

The Maryland Department of Health has acknowledged that their IT systems were hit with a ransomware attack in early December. Maryland CISO Chip Stewart says they have not paid a ransom. The December 4 attack was initially described as a network security breach. The department is still recovering.

Note

  • The MDH is following their COOP plan, purchasing and deploying replacement systems smoothly and according to that plan. Make sure that your plan can be as smoothly executed; be sure to consider the impact of supply chain challenges similar to what we have faced recently.
  • Another NewsBites, another reported ransomware attack. This threat is not going away and impacts most organizations. There are many resources to ensure your organization is prepared. Here is a recent article/interview: medium.com: Repelling A Ransomware Attack: 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.

CISA Adds Known Exploited Vulnerabilities to Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 new entries to its Known Exploited Vulnerabilities Catalog. CISA is directing federal civilian agencies to remediate three of the vulnerabilities – a VMware vCenter Server improper access control vulnerability, a Hikvision improper input validation vulnerability and a FatPipe WARP, IPVPN, and MPVPN privilege escalation vulnerability – by January 24. The remaining 12 vulnerabilities must be remediated by July 10.

Note

  • BOD 22-01 requires agencies to review the catalog making sure that they don’t have any unmitigated software as well as report the results of the review and mitigation status. The catalog includes mitigation due dates agencies must meet. As this catalog is expected to continuously update, this review and report cycle will need to be operationalized and hopefully properly funded. For those in the private sector, a regular scan of the catalog to see if you’ve got any gaps in your current mitigations would be a good practice.
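The review-and-report cycle described above can be scripted against the JSON version of the catalog that CISA publishes. The Python below is an added example, not CISA's tooling: it indexes a catalog snapshot by CVE ID, joins it to a vulnerability scanner's findings and ranks what is open against the catalog's due dates. The catalog snapshot and the inventory are constructed sample data; apart from CVE-2021-44228 the CVE IDs in them are placeholders, and the inventory's `status` field is an assumed shape rather than any particular tool's output.

```python
"""Cross-check a vulnerability inventory against a CISA KEV catalog snapshot.

Added example (not code from CISA). It relies only on the field names the KEV
JSON feed publishes: cveID, vendorProject, product, vulnerabilityName,
dateAdded, dueDate and requiredAction. The snapshot and inventory below are
constructed; apart from CVE-2021-44228 the CVE IDs are placeholders.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.01.18",
    "dateReleased": "2022-01-18T14:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup remote code execution.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-12-24", "notes": ""},
        {"cveID": "CVE-2022-00001", "vendorProject": "ExampleVendor", "product": "Management Server",
         "vulnerabilityName": "Placeholder improper access control vulnerability",
         "dateAdded": "2022-01-18", "shortDescription": "Constructed placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-01-24", "notes": ""},
        {"cveID": "CVE-2022-00002", "vendorProject": "ExampleVendor", "product": "IP Camera",
         "vulnerabilityName": "Placeholder input validation vulnerability",
         "dateAdded": "2022-01-18", "shortDescription": "Constructed placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-07-10", "notes": ""},
    ],
})

# Constructed scanner output, one row per (asset, CVE). 'status' is an assumed
# shape: 'open' or 'mitigated'.
INVENTORY = [
    {"asset": "web-01", "cve": "CVE-2021-44228", "status": "open"},
    {"asset": "web-02", "cve": "CVE-2021-44228", "status": "mitigated"},
    {"asset": "mgmt-01", "cve": "CVE-2022-00001", "status": "open"},
    {"asset": "cam-07", "cve": "CVE-2022-00002", "status": "open"},
    {"asset": "db-03", "cve": "CVE-2020-00003", "status": "open"},   # not in the catalog
]


def load_catalog(feed_text):
    """Index a KEV feed by CVE ID; dueDate and dateAdded become date objects."""
    catalog = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "name": entry["vulnerabilityName"],
            "added": date.fromisoformat(entry["dateAdded"]),
            "due": date.fromisoformat(entry["dueDate"]),
            "action": entry["requiredAction"],
        }
    return catalog


def find_gaps(catalog, inventory, today):
    """Open findings that match a catalog entry, most overdue first.

    `today` may be a date or an ISO string; mitigated findings and CVEs that
    are not in the catalog are skipped."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    gaps = []
    for finding in inventory:
        entry = catalog.get(finding["cve"])
        if entry is None or finding["status"] == "mitigated":
            continue
        days_late = (today - entry["due"]).days
        gaps.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "product": f'{entry["vendor"]} {entry["product"]}',
            "due": entry["due"].isoformat(),
            "days_overdue": max(days_late, 0),
            "days_left": max(-days_late, 0),
            "action": entry["action"],
        })
    gaps.sort(key=lambda g: (-g["days_overdue"], g["days_left"]))
    return gaps


def report(gaps):
    """One line per gap, in the order find_gaps() returns them."""
    lines = []
    for g in gaps:
        when = (f'{g["days_overdue"]} days OVERDUE' if g["days_overdue"]
                else f'{g["days_left"]} days left')
        lines.append(f'{g["asset"]:8} {g["cve"]:16} {g["product"]:28} due {g["due"]} ({when})')
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_gaps(load_catalog(KEV_SAMPLE), INVENTORY, "2022-01-29")))
```

In use, replace `KEV_SAMPLE` with the downloaded feed and `INVENTORY` with an export from your scanner; because the catalog keeps growing, the value is in running this on a schedule and keeping the output, which is exactly the review-and-report record BOD 22-01 asks agencies for.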

Threat Actors Exploiting Cloud Services to Deliver RATs

Researchers from Cisco Talos have discovered a malware campaign that leverages public cloud infrastructure, like Amazon Web Services (AWS) and Azure Cloud Services, to spread three different remote access trojans (RATs). The campaign was first detected last fall.

Note

  • With the adoption of cloud services, most organizations are establishing trust relationships with service providers which can exceed, or cannot be limited to, the scope of subscribed services, allowing a direct path to malware stored there. Block access to the indicated domains, verify trust relationships are only in place for approved services, make sure both perimeter and endpoint protections are active and working, monitor for malicious activity.

GAO Report on Federal Response to SolarWinds and Microsoft Exchange Incidents

The US Government Accountability Office (GAO) released a report on the federal response to the SolarWinds and Microsoft Exchange incidents. The “GAO’s objectives were to (1) summarize the SolarWinds and Microsoft Exchange cybersecurity incidents, (2) determine the steps federal agencies have taken to coordinate and respond to the incidents, and (3) identify lessons federal agencies have learned from the incidents.”

Note

  • The report met the first two objectives very well but is really weak on the lessons learned and recommendations. In general, the report focuses almost completely on response and not at all on detection/prevention in the period between when the compromised SolarWinds software was active but before private industry notifications came out. After 8 years of spending on Continuous Diagnostics and Mitigation (CDM) solutions, not a single mention of CDM in the report. Some IG audits have started to focus more on threat hunting and active testing. I’d really like to see GAO reports like this focus on proactive detection and prevention actions at least equally to reactive post-compromise response.
  • The report is big on response and coordination and highlights what did and didn’t work after the incidents. What is missing is steps agencies can take for improved detection and to mitigate the likelihood of recurrence. Make sure that your logging is sufficient in retention and separation to support forensic activities, that you have comprehensive detection and response systems, and you’ve verified your playbooks are operating properly. Reach out to your peers to keep that relationship current and healthy.
  • I would add supplier accountability. The more privileged or powerful a process or user, the more important as a control is accountability.

Several Ukrainian Government Websites Compromised

On Friday, January 14, several Ukrainian government websites were defaced with identical threatening messages in Russian, Ukrainian and Polish. These defacements come after tensions between Ukraine and Russia escalated the day before.

Note

  • These types of defacements are often the work of hacktivists and it is not clear at this point if these attacks abused a specific vulnerability common to these websites.
  • While it isn’t yet clear whether this is a state-affiliated attack, many have noted that the arrest of REvil ransomware operators may be top cover to get media attention away from these defacements. At this point, there’s no clear connection between these events. Kim Zetter reported that these attacks used a known CMS vulnerability, well within the reach of any script kiddie or hacktivist.
  • While this isn’t new, it is news because of the timing. With cyber attacks on top of land and sea posturing (strikingly reminiscent of 2014!), Ukraine and its allies have plenty of justification for concern.
  • While it can be argued that with sufficient time and resources any target can be compromised, don’t make it any easier than it has to be. Keep your services patched, make sure that only authorized accounts have access, and you’re using MFA for authentication.

Salesforce to Require Multi-Factor Authentication

Software company Salesforce has announced that as of February 1, 2022, it will start requiring users to enable multi-factor authentication (MFA) to access the company’s products. Salesforce has an MFA FAQ page.

Note

  • This should be the norm for at least all cloud services, and really all logins. Microsoft data showed that using any form of MFA would have thwarted 99.9 percent of successful account compromises. Users are increasingly doing so with their home accounts on banking and even social media. Use of MFA allows security resources to be focused on the extremely clever 0.1 percent of attacks vs. drowning from the simple 99.9 percent.
  • Great move. MFA is a must in particular for systems like Salesforce working with critical data. If you try to rely on other means to mitigate attacks against other critical systems (e.g. VPNs): Stop doing stupid things like relying on geofencing. Implement a solid MFA solution now.
  • You should already have configured your IDP to require MFA when accessing cloud and other Internet accessible services. Where you are enabling SSO from trusted devices, ensure those devices require strong authentication; additionally, disable the ability to log in directly to accounts bypassing your SSO/authentication process. Read the FAQ, including the types of second factor which are explicitly disallowed.
  • Not only is this exciting from a security perspective (I’m a huge fan of 2FA / MFA) but it’s very impressive how Salesforce is rolling this out. Take a moment to read their MFA FAQ. It’s extensive, detailed, and well thought out. Some key things I found interesting: You have to use “strong” MFA, no SMS text messages or phone calls to obtain your one time code; you have to use technologies like local mobile authentication apps. Also, and this was a bit hidden, there are legal consequences if you don’t implement strong MFA. If you somehow work your way around the requirement and your data is compromised, you and NOT Salesforce are most likely legally responsible for any harm to your data. Is MFA perfect? Absolutely not. Will bad guys figure out ways around MFA? Absolutely. Security is ultimately about compromises and managing risk to an acceptable level. With passwords / accounts being a top two driver for breaches globally for the past three years (VZ DBIR), this is a step most organizations should be taking.
  • MFA should be enabled everywhere. Hopefully this move by Salesforce, given their user base, pushes more adoption.

FBI Warns of Attacks Using Malware-Laced USBs

In a recently updated Flash alert, the FBI has warned of a ransomware campaign involving USB thumb drives. The threat actors have been sending the malware-laced drives through the US Postal Service and United Parcel Service (UPS), pretending to come from the US Department of Health and Human Services (HHS) or Amazon. The FBI says the campaign is targeting the defense industry.

Note

  • Fin7 did that back in 2020 as well. I guess it worked well enough for them to try again. For myself: I always wanted to have one of those USB micro controllers. If you work for Fin7 and are reading this: contact me for my mailing address. For everybody else: Sorry, no great defense against this in particular if people use their own systems in a home office environment.
  • In the SANS 2020 Top New Attacks and Threats Report, Ed Skoudis highlighted “poisoned USB devices” as a threat vector. I had actually received one in the US mail from China earlier that year, trying to get me to insert it in my computer to get $500 in free PayPal cash. You can download that report from www.sans.org: SANS Top New Attacks and Threat Report 2020
  • Don’t assume that risks of inserting the device will be offset by a media scan. Some NGAV products no longer scan media, rather they wait until an executable/dll/etc. is loaded into memory before analysis is performed. The USB thumb drive may be emulating a keyboard or network card. When in doubt, don’t insert it before you’ve fully vetted and tested, preferably on a system designed for that purpose. Consider requiring a kiosk to scan and transfer data from all externally provided media for your corporate systems.
  • If you speak MITRE ATT&CK, this technique is called Hardware Additions and is part of the Initial Access tactic. It has been documented since April 2018 (attack.mitre.org/techniques/T1200: Hardware Additions). In recent updates, MITRE has improved the mitigations and detections sections to provide more actionable information.

Apache: Downstream Vendors Should Contribute to Open-Source Maintenance

In a position paper to be presented at a White House Software Security meeting later this week, the Apache Software Foundation calls out for-profit companies that benefit from open-source software but do not, for the most part, contribute to its maintenance.

Note

  • The ASF recommendations to businesses are solid: Know where you are using open-source components so you can patch them. Contribute some of your resources to skilled vulnerability testing and contribute to speeding the discovery of vulnerabilities in open-source software. In 2014, after the Heartbleed OpenSSL vulnerability, the Linux Foundation started the Core Infrastructure Initiative to gain support for raising the bar on the security of widely used open-source components. Adobe, Bloomberg, HP, Huawei and salesforce.com were early supporters but not much happened. The CII has now become the Open Source Security Foundation with the goal of “… to inspire and enable the community to secure the open source software we all depend on, including development, testing, fundraising, infrastructure, and support initiatives…” Microsoft, Google, AWS, JP Morgan Chase, Red Hat and many others are listed as premier members and on the technical advisory committee.
  • When using open-source software, it’s expected that discovered vulnerabilities are reported back quickly. If you have fixes, report them as well. Apache has project teams which will respond immediately to reported issues. Once updates or fixes are released, typically in less than two weeks after the report, businesses need to jump on applying them.
  • One promise of open source was that many eyes would improve code quality. It has not proved to be true. CISA has identified more than 3000 products that use Log4j. Now this may not mean that the code was seen by the same number of sets of eyes, but it was certainly seen by many. Instead what we have seen is that what is everyone’s responsibility is no one’s responsibility. We need better accountability.

Millions of Vulnerable Versions of Log4j Have Been Downloaded Over the Past Month

Sonatype, the company that runs Apache Maven’s Central Repository, says they have observed four million downloads of vulnerable versions of Log4j since December 10. It is not clear why the number of vulnerable downloads is so high. Sonatype also noted that about 40 percent of the Log4j downloads over this past weekend were of the most recent versions.

Note

  • Speaking for my fellow developers: I know, we can’t help it. It is hard to break a habit. But please spend the extra time to actually read change notes and move on to a newer version of the libraries you are using. It is much easier to do so step by step as new versions are released vs doing a big “flag day” once a decade to move everything.
  • Where your CI processes are downloading libraries regularly, make sure they are downloading the current approved versions. Make sure you’ve qualified the fixed versions such as Log4j 2.17.1.

FTC’s Log4j Requirement May Prove Difficult

While the US Federal Trade Commission (FTC) has said it will pursue legal action against companies that fail to implement mitigations to protect customers from the Log4j vulnerabilities, experts point out that identifying all instances of Log4j is likely to prove difficult. And beyond that, in some cases companies may not have access to the vulnerable apps because they are hosted elsewhere or are on a SaaS platform.

Note

  • While the path the FTC wants to follow may be tricky, don’t count on that keeping you insulated. Be aware of which applications you have, both internally and outsourced/cloud services. Document risk decisions you have made and actions taken. Include supplier notices about Log4j applicability and remediation. Verify that your monitoring and defenses are operating as planned.
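Both the CI check in the previous item (is what we download really a qualified version such as 2.17.1?) and the inventory question the FTC raises (where does Log4j actually sit?) come down to the same step: open every jar, war and ear you ship or cache and read the Maven `pom.properties` that log4j-core carries. The Python below is an added example, not code from Sonatype, Apache or the FTC. It recurses into nested archives so a transitive copy under `WEB-INF/lib` is found, compares the version against 2.17.1, and reports whether `JndiLookup.class` is present, since removing that class was the published stop-gap for 2.x deployments that could not be upgraded immediately. The archives it scans are built in memory as constructed samples.

```python
"""Inventory log4j-core jars, including ones nested inside wars/ears, and
compare each against an approved minimum version.

Added example (not code from Sonatype, Apache or the FTC). It reads the Maven
pom.properties that log4j-core jars ship under
META-INF/maven/org.apache.logging.log4j/log4j-core/ and reports whether
JndiLookup.class is present. The archives scanned below are constructed
in memory; the class file bytes are a stand-in, not real bytecode.
"""
import io
import os
import zipfile

APPROVED_MIN = (2, 17, 1)          # the version the note above calls out as qualified
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0). Non-numeric tails are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_archive(data, label):
    """Yield one finding per log4j-core jar in `data`, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in names:
            yield {
                "path": label,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                "below_approved": version is not None and parse_version(version) < APPROVED_MIN,
            }
        for name in sorted(names):            # e.g. WEB-INF/lib/*.jar inside a war
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(name), f"{label}!{name}")


def needs_action(finding):
    """True when the jar is exploitable as found: an old version that still has
    JndiLookup, or an unversioned archive that carries the class at all."""
    if finding["version"] is None:
        return finding["jndi_lookup_present"]
    return finding["below_approved"] and finding["jndi_lookup_present"]


def scan_tree(root):
    """Walk a directory (a CI artifact cache, ~/.m2, a deployed app) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    findings.extend(inspect_archive(f.read(), full))
    return findings


def build_jar(version=None, with_jndi=True, nested=None):
    """Constructed test archive shaped like a log4j-core jar (or a war wrapping one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


def scan_samples():
    """Four constructed archives: old, fixed, old-with-class-removed, and a war with a nested old jar."""
    old = build_jar("2.14.1")
    fixed = build_jar("2.17.1")
    stripped = build_jar("2.14.1", with_jndi=False)
    war = build_jar(with_jndi=False, nested={"WEB-INF/lib/log4j-core-2.14.1.jar": old})
    findings = []
    for label, blob in [("old.jar", old), ("fixed.jar", fixed), ("stripped.jar", stripped), ("app.war", war)]:
        findings.extend(inspect_archive(blob, label))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        flag = "ACTION" if needs_action(f) else "ok"
        print(f'{flag:6} {f["path"]}  version={f["version"]}  JndiLookup={f["jndi_lookup_present"]}')
```

Point `scan_tree()` at the build agent's dependency cache after a pipeline run and you have the evidence for both items: what the pipeline actually pulled, and a dated record of where the library sits, which is the documentation the FTC item below asks you to keep.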

NHS: Attackers Exploiting Log4j Flaw in VMware Horizon Servers

The UK’s National Health Service (NHS) says that an unspecified group of threat actors is exploiting a Log4j vulnerability in VMware Horizon servers “in order to establish persistence within affected networks.” The NHS cyber alert lists indicators of compromise and suggested remediations. VMware has released updates to address the Log4j vulnerabilities.

Note

  • The VMware advisory VMSA-2021-0028 (www.vmware.com: VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046)) covers all their products impacted by the CVE-2021-44228 and CVE-2021-45046 vulnerabilities including update and mitigation information. Make sure that you review the status for ALL your VMware products, taking appropriate actions where needed. Note that some products still don’t have a released patch; be prepared to implement the identified mitigations.

URL Parsing Library Bugs

Researchers from Claroty and Snyk discovered eight vulnerabilities in 16 URL parsing libraries. Most of the issues were due to the use of multiple parsers in projects or specification incompatibility.

Note

  • Parsing URLs is hard. And it isn’t made easier by ever changing, and in part conflicting, standards. Great paper and a must read for anybody doing web development.
  • While the parsers have been updated to address the inconsistencies, due care is also required to make sure that you’re consistent in how you’re parsing URLs and that the returned information is the actual information you are seeking rather than a subset or omission of critical information. Consider standardizing on a standard library for consistent results.
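To make the inconsistency concrete, the Python below (an added example, not code from the Claroty/Snyk paper) asks three different parsers for the host of the same URL: Python's `urllib.parse`, a small imitation of the browser (WHATWG) rules that treats a backslash as ending the authority for http(s) and tolerates extra slashes after the scheme, and the split-on-delimiters extraction that hand-written allowlists tend to use. `strict_host` is the defensive counterpart the second note asks for: it returns a host only when the URL is unambiguous and all three agree. The browser imitation is not a full WHATWG parser, and the URLs are constructed.

```python
"""Three answers to "what host is this URL for?" and a strict check that
refuses to answer when they disagree.

Added example, not code from the Claroty/Snyk paper. rfc_host is Python's
urllib (RFC 3986 style); whatwg_style_host imitates two browser behaviours
(backslash ends the authority for special schemes, extra slashes after the
scheme are tolerated) and is not a full WHATWG parser; naive_host is the
ad-hoc extraction many allowlists use. Sample URLs are constructed.
"""
import re
from urllib.parse import urlsplit

SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file"}
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def rfc_host(url):
    """Host as urllib reports it: userinfo ends at the LAST '@' in the authority."""
    return urlsplit(url).hostname


def whatwg_style_host(url):
    """Browser-like host: for special schemes '\\' also terminates the authority."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in SPECIAL_SCHEMES:
        return None
    rest = rest.lstrip("/\\")                  # http:///x and http:\\x both reach x
    end = len(rest)
    for ch in "/\\?#":
        pos = rest.find(ch)
        if pos != -1:
            end = min(end, pos)
    authority = rest[:end]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    return host or None


def naive_host(url):
    """Ad-hoc extraction: after '//', up to the next '/', after the last '@', before ':'."""
    if "//" not in url:
        return None
    authority = url.split("//", 1)[1].split("/", 1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    return host or None


def strict_host(url):
    """Return the host only if the URL is unambiguous: http(s), exactly two
    slashes, no userinfo, no backslash, no control characters, a plain
    hostname, and all three extractors above agree. Otherwise None."""
    if any(c.isspace() or ord(c) < 0x20 for c in url) or "\\" in url or "@" in url:
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    after_scheme = url[len(parts.scheme):]
    if not after_scheme.startswith("://") or after_scheme[3:4] == "/":
        return None
    host = parts.hostname
    if not host or not HOST_RE.fullmatch(host):
        return None
    try:
        parts.port                             # raises ValueError on a malformed port
    except ValueError:
        return None
    others = {(whatwg_style_host(url) or "").lower(), (naive_host(url) or "").lower()}
    return host if others == {host} else None


def compare(url):
    """All four opinions side by side, for a report or a unit test."""
    return {"rfc": rfc_host(url), "whatwg": whatwg_style_host(url),
            "naive": naive_host(url), "strict": strict_host(url)}


if __name__ == "__main__":
    for u in ["http://good.example:8080/path",
              "http://evil.example\\@good.example/",
              "http://good.example#@evil.example/",
              "http:///good.example/",
              "good.example/path"]:
        print(f"{u:40} {compare(u)}")
```

The second and third URLs are the interesting ones: an allowlist built on `urllib` or on `naive_host` passes `http://evil.example\@good.example/` as `good.example` while a browser goes to `evil.example`, and the reverse disagreement appears with the `#@` form. Rejecting those inputs outright, as `strict_host` does, is safer than picking one parser and hoping the next component agrees with it.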

QNAP Warns NAS Users to Protect Devices

In a Product Security Statement on January 7, QNAP urged its customers to take steps to secure their devices to protect them from active ransomware and brute force attacks targeting network-attached storage (NAS) devices. The statement offers instructions for protecting Internet-connected devices.

Note

  • Looks like QNAP now agrees with what I have been posting here in the past to similar vulnerabilities: Get your NAS devices off the internet (or get pwn3d, which may be fun too).
  • Repeat after me: I solemnly swear not to expose NAS to the Internet. If you really must expose it, make sure that remote administration is disabled and follow the vendor guides for securing it. Monitor access, applications loaded and activity. Lastly, make sure you’ve got a disconnected backup in case it does get compromised, corrupted, or otherwise exploited.

Guidance to Protect Devices from Commercial Surveillance Tools

The US National Counterintelligence and Security Center (NCSC) and the Department of State have jointly published guidance to help people protect themselves from surveillance technology. According to the guidance, “Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools.” The advisory suggests several security practices to guard against surveillance tools, but notes that “While these steps mitigate risks, they don’t eliminate them. It’s always safest to behave as if the device is compromised, so be mindful of sensitive content.”

Note

  • Enforce encryption, OS updates, and password requirements with your MDM, refrain from installing applications or updates “on the road” and use a trusted VPN anyplace you are unfamiliar with your connectivity regardless of method. In addition to the guidance, consider using a loaner device when on foreign travel, particularly to high-risk areas.
  • In the SANS 2020 New Attacks and Threat report (download from www.sans.org: SANS Top New Attacks and Threat Report 2020) SANS instructor Heather Mahalik detailed this type of threat to mobile phones and top mitigation approaches.

WordPress Security Update

The WordPress 5.8.3 Security Release includes fixes for four vulnerabilities: two SQL injection flaws, a cross site scripting flaw, and an admin object injection issue. The vulnerabilities affect WordPress versions 3.7 through 5.8. Three of the vulnerabilities have been rated high severity.

Note

  • Automatic updates should have already taken care of applying this update. If not, you can update your site via the administrator dashboard. You can also check the version using the WordPress CLI. If you’re on an older branch, and not able to move to 5.8.3, review the WordPress download site to ensure you’re on the latest for that version, then kick off the project to move to the 5.8 branch.

FTC Says Companies Could Face Legal Action for Failing to Mitigate Log4j Vulnerabilities

In a blog post, the US Federal Trade Commission warns, “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” The article cites the Equifax case, in which the company failed to patch a known vulnerability, exposing personal information of 147 million people. Equifax ended up paying $700 million to settle various legal actions.

Note

  • While some may pooh pooh the FTC’s cybersecurity related actions, it is telling that many attempts have been made by private industry to challenge their authority to do so. SANS gave the FTC a Difference Maker’s award in 2013 and the justifications for that award have held up over the years: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and in particular, going after companies that don’t protect their customers’ information. The FTC doesn’t seem to need new laws or more money, it just keeps fighting for its customers.”
  • The FTC doesn’t want history to repeat itself. While a company could accept the risk of not addressing Log4j vulnerabilities, the FTC wants them to know that both the Gramm Leach Bliley Act (GLBA) and Federal Trade Commission act have specific directions to mitigate known software vulnerabilities. Long story short: update Log4j wherever you’re using it, make sure you’ve deployed your vendor updates, use a properly configured WAF if you can, monitor activity, and document actions taken.
  • Organizations should not see this as a one-off vulnerability and invest in building a program to track assets, vulnerabilities, and patches. Vulnerability management is hard, it is a process, and there is no end state. Implementing lessons learned from Log4j, like those learned during the Struts2 vulnerability that affected Equifax, will be ideal for your organization when the next big vulnerability is inevitably disclosed.
  • On the Log4J Issue, I am not sure how the FTC enforcement will fully happen. There are going to be a fairly large number of systems in which the actual code doesn’t exist, won’t compile, and is mission critical. I would imagine that this sets a very bad precedent, overall, but it’s not unexpected. We have been talking about regulation for years, and if the larger community does not regulate itself, someone else will. This is also compounded by the fact that Log4J may not even show up in the dependency chain directly but as a sub-dependency. We need to watch this carefully as this could start rolling down hill to the next “Exchange Vulnerability” that is not patched in time.

Attackers Exploiting Known Windows Vulnerability to Drop ZLoader

Hackers are exploiting a known vulnerability in Microsoft’s code signing process to install ZLoader malware. The campaign was first detected in November 2021. It uses legitimate remote monitoring and management software to gain initial access to the machine, and then uses a modified dynamic link library (DLL) file to install the malware. Microsoft released a fix for the vulnerability in its code signing process, Authenticode, in 2013. The fix was initially going to be pushed out to all users, but Microsoft decided to make it optional because of the risk of a high level of false positives.

Note

  • It’s easy to cast shade at Microsoft, but they’re right – this has an extremely high risk of false positives in many (if not most) environments. Even given the news of active use of the vulnerability, knee jerk implementation of fixes risks impacting system availability. It’s important to put this in context. This vulnerability does NOT allow threat actors access to systems. It only allows them to bypass intended code signing security checks *after* they’ve already accessed a system, meaning threat actors have already bypassed at least some security controls. To use a circus analogy, carefully consider whether enabling an additional safety net is worth blindfolding the trapeze artists. If you’re not sure and projected impacts are high, perform extensive testing first.
  • There are currently two mitigations. Either apply the Microsoft Authenticode fix to check certificate padding with the caveat that it causes some installers to be tagged with an invalid signature, or disable mshta.exe which is how the embedded scripts are executed, provided you’re not using it in your environment.
  • While this particular attack is to run unsigned DLLs, I would like to highlight that leveraging Microsoft signed binaries, scripts, and libraries (LOLBAS) has been around for some time and highlighted in RSAC Keynote by SANS in 2020: www.sans.org: The Five Most Dangerous New Attack Techniques
    The LOLBAS project is maintained here: https://lolbas-project.github.io/
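What the padding check is looking for can be shown with a few lines of parsing. The Python below is an added example, not Microsoft's implementation of the 2013 fix: it locates the PE certificate table, reads each WIN_CERTIFICATE entry, measures the DER-encoded PKCS#7 SEQUENCE inside it and reports any bytes that follow, which is the unsigned space the modified DLLs in this campaign used. Treating anything beyond seven zero bytes of alignment as suspect is this example's own heuristic, and the entries it checks are constructed (the "signature" inside is a dummy SEQUENCE, not a real one). It is a triage aid for a sample or a software inventory, not a replacement for enabling the Microsoft check.

```python
"""Flag Authenticode certificate-table entries that carry bytes beyond the
DER-encoded signature blob.

Added example; not Microsoft's padding-check implementation. The tolerance of
up to seven zero bytes after the PKCS#7 SEQUENCE is this example's own
heuristic. The WIN_CERTIFICATE entries built below are constructed test data.
"""
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(blob):
    """Encoded size of the DER SEQUENCE at blob[0:], or None if it is not one."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_win_certificate(entry):
    """Inspect one WIN_CERTIFICATE (dwLength, wRevision, wCertificateType, bCertificate)."""
    if len(entry) < 8:
        return {"ok": False, "reason": "truncated header"}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return {"ok": False, "reason": "unexpected revision or certificate type"}
    if dw_length < 8 or dw_length > len(entry):
        return {"ok": False, "reason": "dwLength inconsistent with entry size"}
    payload = entry[8:dw_length]
    der_len = der_total_length(payload)
    if der_len is None or der_len > len(payload):
        return {"ok": False, "reason": "bCertificate is not a complete DER SEQUENCE"}
    trailer = payload[der_len:]
    conforming = len(trailer) < 8 and not any(trailer)   # only alignment zeros allowed
    return {"ok": conforming, "dw_length": dw_length, "der_length": der_len,
            "trailing_bytes": len(trailer),
            "reason": "conforming" if conforming else "unsigned data after the signature"}


def certificate_table(pe):
    """(file offset, size) of the Attribute Certificate Table from data
    directory entry 4, whose first field is a file offset rather than an RVA."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                            # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data directory start
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return (offset, size) if offset and size else None


def check_pe(pe):
    """Run the check over every entry in a PE image's certificate table."""
    table = certificate_table(pe)
    if table is None:
        return []
    offset, size = table
    results, pos = [], offset
    while pos + 8 <= offset + size:
        dw_length = struct.unpack_from("<I", pe, pos)[0]
        if dw_length < 8:
            break
        results.append(check_win_certificate(pe[pos:pos + dw_length]))
        pos += (dw_length + 7) & ~7                # entries are quadword aligned
    return results


def make_entry(der_blob, trailer=b""):
    """Constructed WIN_CERTIFICATE; the body is padded to a multiple of 8 bytes."""
    body = der_blob + trailer
    body += b"\0" * (-len(body) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


FAKE_PKCS7 = b"\x30\x14" + b"\xAA" * 20                  # dummy 22-byte SEQUENCE, not a signature
CLEAN_ENTRY = make_entry(FAKE_PKCS7)
TAMPERED_ENTRY = make_entry(FAKE_PKCS7, b"<script>" + b"A" * 100 + b"</script>")   # made-up payload

if __name__ == "__main__":
    for name, entry in (("clean", CLEAN_ENTRY), ("tampered", TAMPERED_ENTRY)):
        print(name, check_win_certificate(entry))
```

`check_pe()` takes the bytes of a file on disk; a non-conforming verdict on a binary that still passes signature verification is precisely the condition the optional Microsoft fix turns into a failed check, so it is a quick way to measure how many of your own installers would trip it before you enable it fleet-wide.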

VMware Releases Fixes for Heap Overflow Flaw

VMware has issued updates for a heap overflow vulnerability that could be exploited to execute arbitrary code. The vulnerability affects the CD-ROM device emulation in ESXi versions 6.5, 6.7, and 7.0; Workstation versions 16.x; and Fusion versions 12.x. There is currently not a fix available for ESXi 7.0.

Note

  • Initially, I considered mitigating this issue by removing the CD-ROM device from workstations. But keep in mind that it is needed for example to install and update VMware Tools. For VMware Fusion and VMware Workstation, you will likely not even have to upgrade. The fixed versions were released late last year (Workstation: Oct 14th, Fusion: November 18th).
  • If you cannot apply the patch, or it’s not available, the workaround is to remove unused hardware from virtual machines. Note they need to be shut down to do this. It’s not a bad idea to make sure that you’ve removed unused hardware which may have been added for testing or other long forgotten purpose.
  • We constantly see unpatched ESXi and unpatched vCenter in almost every customer environment on premise. The problem isn’t getting better – it’s getting far worse. Many companies that have a good desktop and server vulnerability management strategy fall flat in this regard. Patch where you can, segment where you cannot. We still see 6.5, 6.7, and 7.0. It would also be relevant for many of the Security Industry to patch their workstation builds.

Attackers Exploit Google Docs Bug to Send Phishing eMails

In a report, researchers from Avanan describe how attackers have been exploiting a flaw in Google Docs comments to send phishing emails. The attacks have primarily targeted Outlook users.

Note

  • This is a good issue to include in awareness training. Just because an email originated from a “trusted” entity like Google, or a link is located on Google docs, doesn’t mean it is safe.
  • When you add a comment to a Google Doc which has an “@” reference to the user, regardless of the source of that document, an email is sent to the user, including any malicious links or text in the comment, with a Google originating email address, making it feel trusted/legitimate. If you’re using URL rewriting tools, make sure all external email is in-scope. Make sure that your endpoint or perimeter protections include blocking/denying uncategorized and malicious web site access. At core protection still depends on user hygiene, not clicking unrecognizable links and being sure the comments are truly from a document they are collaborating on with a recognized partner.
  • Google has been slow to address this attack vector, which I think dates back as far as August 2020. This is one of those features that carry risks that can in many, probably most, cases be way more damaging than the benefit of the feature. Kinda like is anyone really missing Adobe Flash?

Honda Y2K22 Navigation System Clock Bug Might Not be Fixed Until August

A bug in the navigation system clocks used in some Honda and Acura vehicles caused the clocks to reset to 2002 on January 1, 2022. The issue appears to affect vehicle models from 2004 through 2012. Some vehicle owners were told that the problem would not be fixed until August.

Note

  • Software development needs to consider the time a particular system is supposed to be in operation, and the entire life cycle should be considered. As cars adopt more “smart” features, it is important to remember that cars are expected to stay operational for 10+ years, unlike smart phones which are often considered obsolete in less than half that time. Simple bugs like this Honda Y2K22 issue do not make me feel very good about how well systems like smart phone integration APIs will perform 10 years from now.
  • It is easy to overlook the capacity of a variable being exceeded, in this case a signed int32 which cannot hold the date string for January 1, 2022. We should have learned this 22 years ago and documented these constraints, or better still chosen alternatives not subject to the limitations. Take a quick look through your application inventory to make sure you address systems with Y2K22 issues. One hopes that any Honda subscription services tied to the navigation systems will refund the charges until the issue is resolved.
  • Wouldn’t it be nice if Honda said “All car loan payments to Honda will be suspended from January to August to make up for the impact to our customers who paid a lot of money to buy our products.”

CISA Setting Up Network of State Cybersecurity Coordinators

The US Cybersecurity and Infrastructure Security Agency (CISA) is helping states find and hire cybersecurity coordinators. Because each state has its own IT organizational structure, the coordinators’ jobs will vary. The network of coordinators will communicate with each other to share problem-solving experiences. Thirty-seven coordinators have been hired and five more positions are in the selection process.

Note

  • This is a great first step toward helping the “under-resourced counties and municipalities.” Here’s hoping legislation from Senators Hassan and King enable more collaboration between other agencies (like the National Guard) that may actually bring more resources to the fight.
  • Make sure you connect with your local CISA coordinator, they are a good contact for bringing resources, such as ransomware remediation, training, assessment tools, and advice at no added charge as they are taxpayer funded. It is easy to forget their mission includes both public and private sector.
  • I’m excited to read about this as CISA is both taking what appears to be a leading role in helping organize US cyber defenses in one of the most difficult areas to defend, and creating a network for better coordination and sharing. My question: is this attempting to replace functionality with the MS-ISAC, better align with MS-ISAC or fill in a gap? The US government has a reputation for solving problems by creating new organizations instead of improving existing ones.

Fertility Clinic and Online Pharmacy Both Disclose Information Security Breaches

Fertility Centers of Illinois (FCI) and online pharmacy Ravkoo have both notified current and former patients of data security breaches. FCI became aware of the breach in February 2021 and determined in August that patient data had been accessed. The Ravkoo breach occurred in late September 2021; the company learned a month later that patient data had been accessed.

Note

  • In the FCI incident no data was accessed in the electronic health record (EHR) system due to unspecified “security controls.” The disclosure notes that the data for almost 80k current and former patients was accessed in “administrative files and folders.” It seems likely that patient data, whether in scanned paper records or exported EHR data, was placed in locations that were accessible with AD domain logons. In my experience it’s also likely that all of this data wasn’t actually accessed by threat actors, but the organization lacks the auditing controls to know what specific data was taken so they reported everything in the accessed file shares. This not only increases notification costs, but also likely involved a substantial eDiscovery bill. Organizations handling regulated data should examine their filesystems for copies of regulated data and ensure they have appropriate auditing in place to detect access to that data.
  • Beyond testing and securing your primary applications, make sure that any archives or other locations that data is stored are also secured, particularly any systems where you digitized the paper records to get rid of storage rooms full of boxes of them. Remember that plan to save a fortune by moving unused data to low-cost cloud storage? Did you ever get a report on how it would be secured, including a risk assessment? Did you verify the security was as planned?

Read more in

New Mexico, Arkansas Counties Hit with Ransomware

Bernalillo County, New Mexico and Crawford County, Arkansas, are both dealing with ransomware attacks. The Bernalillo County attack began early on January 5, 2022. Some government systems have been taken offline and most government buildings are closed to the public, but emergency services are operational. The Crawford County attack began in late December.

Note

  • When responding to a ransomware incident, isolating/shutting down and/or disconnecting affected systems is a good step. Make sure that your forensic team has what they need before wiping disks to reinstall, such as logs or system images so they can work on root cause as well as determine what data may have been exfiltrated. Keep in mind the encryption step is often the last thing done on the way “out the door” as it were.
  • Ransomware threat actors often don’t get payouts for attacks on municipalities. Attacks on municipalities in 2021 should generally be attributed to inexperience of the specific ransomware operators or desperation – neither of which bodes well.
  • I don’t think anyone predicted that we would not see ransomware in 2022. It is here and organizations must train, test, measure, and improve their people, process, and technology to detect and respond to these attacks before impact. We often call this “left of boom” where boom is exfiltration and encryption.

Read more in

Log4j Database Search Tool

A search tool is now available to help navigate the Cybersecurity and Infrastructure Security Agency’s (CISA’s) increasingly unwieldy Log4j database. The list of affected products has grown to nearly 3,000. The emergence of the Log4j vulnerabilities and the difficulty of determining which products are affected have both fed calls for Software Bills of Materials (SBOMs).

Note

  • As we see more data calls of the form “Check the list of affected products against your installed software list,” searchable repositories make that far simpler. Beyond reporting, this is useful for analysis of your current possibly impacted products, using either the hosted or downloadable version of this tool. The data includes notes, references, and links to the vendor advisory/fix guidance.
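The data call described above, "check the list of affected products against your installed software list," is what the search tool automates. The following is an added example, not the CISA tool or its database: it matches a constructed inventory export against a constructed, simplified affected-products table (the real database has a different, richer column set), normalizing vendor and product names so that minor spelling differences still match, and comparing installed versions against an affected version range.

```python
"""Match a software inventory against an affected-products list (added example)."""
import csv
import io
import re

# Constructed sample rows in a simplified shape; this is NOT CISA's schema.
AFFECTED_CSV = """vendor,product,min_version,max_version,status,notes
Apache,Log4j,2.0,2.14.1,Affected,Upgrade to 2.17.1
Acme Corp,Widget Server,3.0,3.4,Affected,Fixed in 3.5
Acme Corp,Widget Agent,,,Not Affected,Does not bundle log4j
Example Inc,Monitor,,,Under Investigation,Vendor has not published a statement
"""

# Constructed inventory export: (vendor, product, installed version).
INVENTORY = [
    ("ACME Corp.", "Widget Server", "3.2.1"),
    ("Acme Corp", "Widget Server", "3.5.0"),
    ("acme corp", "widget agent", "1.0"),
    ("Example, Inc", "Monitor", "7"),
    ("Other Vendor", "Thing", "1.0"),
]

STOPWORDS = {"inc", "corp", "corporation", "ltd", "llc", "co"}


def normalize(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes: 'ACME Corp.' -> 'acme'."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in STOPWORDS)


def version_key(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def in_range(version: str, lo: str, hi: str) -> bool:
    """True if version falls inside [lo, hi]. Empty bounds are unbounded.
    The upper bound is treated as a prefix, so hi='3.4' covers 3.4.1 but not 3.5.0."""
    key = version_key(version)
    if lo and key < version_key(lo):
        return False
    if hi:
        hk = version_key(hi)
        if key > hk and key[: len(hk)] != hk:
            return False
    return True


def check_inventory(inventory, affected_csv):
    """Return (vendor, product, version, status, notes) for every inventory entry."""
    index = {}
    for row in csv.DictReader(io.StringIO(affected_csv)):
        key = (normalize(row["vendor"]), normalize(row["product"]))
        index.setdefault(key, []).append(row)

    findings = []
    for vendor, product, version in inventory:
        key = (normalize(vendor), normalize(product))
        if key not in index:
            findings.append((vendor, product, version, "Unknown", "not in affected-products list"))
            continue
        for row in index[key]:
            status = row["status"]
            if status == "Affected" and not in_range(version, row["min_version"], row["max_version"]):
                status = "Fixed version installed"
            findings.append((vendor, product, version, status, row["notes"]))
    return findings


if __name__ == "__main__":
    for finding in check_inventory(INVENTORY, AFFECTED_CSV):
        print(*finding, sep=" | ")
```

An "Unknown" result is not a clean bill of health: it only means the product is absent from the list, so it still needs a vendor statement or a direct check for bundled log4j jars.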

Read more in

Chrome Update Fixes 37 Security Issues

Google has updated the Chrome browser to version 97.0.4692.71 on the stable channel for Windows, Mac, and Linux. The updated version of Chrome fixes 37 security issues, including a critical use-after-free flaw in Storage.

Note

  • Chrome is the gift that keeps giving. Is Chrome the new Flash? According to W3Schools, over 80% of their traffic in 2020 & 2021 was from Chrome, making these rapid updates all the more disruptive. These vulnerabilities can have grave impacts including data corruption or malicious code execution; bottom line, time to update (again). These fixes also impact Chromium-based browsers (Edge, Brave, etc.). The good news is updates are already available for those browsers and are simply waiting for the user to relaunch their browser.

Read more in

Microsoft Releases Fix for Exchange Server Flaw that Disrupted eMail Delivery

Microsoft has released temporary fixes for a bug in Exchange Server that trapped email in transport queues. The issue, jokingly dubbed Y2K22, is due to a date check failure in the FIP-FS anti-malware scanning engine; the flaw affects on-premises Exchange Server 2016 and 2019.

Note

  • Representing dates properly remains a common problem. There are a number of standard solutions (e.g. ISO time formats or Unix timestamps), which are not foolproof but will beat any one-off implementation.
  • An obvious failure in Microsoft’s software development lifecycle and pre-release testing. Hopefully, Microsoft’s testing in the future will now routinely include setting clocks forward during test…
  • January 1st 2022 is when a signed 32-bit integer can no longer hold the date value, sometimes called a Y2K22 bug. There is a manual fix available from Microsoft which stops the FIP-FS scanning engine, removes old AV files, installs a new AV engine, and restarts services. A fully automatic fix is still being developed. You can download the Reset-ScanEngineVersion.ps1 script from https://aka.ms/ResetScanEngineVersion.
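The date check failure described above comes down to one number: the engine's signature version is the timestamp written as YYMMDDHHMM, so the last version of 2021 (2112312359) fits a signed 32-bit integer (maximum 2147483647) and the first version of 2022 (2201010001) does not. The following is an added example, not Microsoft's code: it reproduces the boundary with a checked conversion that rejects the value rather than wrapping, shows the same check passing at 64-bit width, and checks the value Microsoft's reset script installs, 2112330001 (a number taken from Microsoft's published fix, not from this page), which stays below the 32-bit limit while still comparing newer than any real 2021 version.

```python
"""Why a YYMMDDHHMM version number breaks on 2022-01-01 (added example)."""
from datetime import datetime

INT32_MAX = 2**31 - 1  # 2_147_483_647


def signature_version(ts: datetime) -> int:
    """Encode a timestamp as a YYMMDDHHMM decimal version number.
    2021-12-31 23:59 -> 2112312359, 2022-01-01 00:01 -> 2201010001."""
    return int(ts.strftime("%y%m%d%H%M"))


def parse_version(text: str, width: int = 32) -> int:
    """Checked conversion to a signed integer of `width` bits.
    Raises OverflowError, as a checked cast would, instead of silently wrapping."""
    value = int(text)
    limit = 2 ** (width - 1) - 1
    if not -limit - 1 <= value <= limit:
        raise OverflowError(f"{text} does not fit a signed {width}-bit integer")
    return value


def accept_engine_update(installed: str, candidate: str, width: int = 32) -> bool:
    """Model of an update check: the candidate must parse and compare newer.
    With width=32 every 2022-dated version fails to parse, so no update is
    accepted; width=64 models the simplest remediation (a wider integer)."""
    try:
        old = parse_version(installed, width)
        new = parse_version(candidate, width)
    except OverflowError:
        return False
    return new > old


if __name__ == "__main__":
    last_2021 = signature_version(datetime(2021, 12, 31, 23, 59))
    first_2022 = signature_version(datetime(2022, 1, 1, 0, 1))
    print(last_2021, last_2021 <= INT32_MAX)     # 2112312359 True
    print(first_2022, first_2022 <= INT32_MAX)   # 2201010001 False
    print(accept_engine_update(str(last_2021), str(first_2022)))             # False
    print(accept_engine_update(str(last_2021), str(first_2022), width=64))   # True
    print(accept_engine_update(str(last_2021), "2112330001"))                # True
```

The practical test this suggests for any version-ordering scheme is the one the second bullet asks for: run the comparison with the clock set past every digit rollover (year, and for wider fields, century) before the rollover date arrives.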

Read more in

Kyoto University Research Data Lost in Supercomputer Backup Bug

In mid-December 2021, Japan’s Kyoto University lost 77TB of data when its supercomputer backup system deleted nearly all files that were more than 10 days old. The problem was due to a buggy software update from HPE. The incident deleted millions of files belonging to 14 research groups. The university says that data from four of the research groups cannot be restored.

Note

  • Doing backups well is hard and boring. Which means it doesn’t get done properly. Remember the old rule that data that doesn’t exist at least three times in three different physical locations (and at least one of them offline) should be considered already lost.
  • The old trope of testing patches probably doesn’t apply since most organizations won’t have multiple large-scale storage arrays with which to test patches on. Even then, the “test” likely can impact production data. Second, although the article suggests the impact was backup data, that seems a bit misleading. In some scientific research contexts, data stored on a device other than where it was generated is noted as “backup” data. While the 77TB lost was characterized as having been generated over a three day period, that doesn’t mean it can be reconstituted in three days. It was generated over a specific three day period. I’ve been involved in a few research situations where this three day loss could destroy months or years of work. In a typical situation, the data is generated and then processed from a high redundancy storage cluster (such as the one that had the errant software update). Aggregate data of a much smaller size is then stored longer term. It is simply infeasible to say “keep multiple copies with offline backups” when you’re generating this much data on a daily basis; that’s why the org invested in such a high performance (and obscenely expensive) storage system in the first place.
  • HPC has graded storage, where data is migrated to slower and slower storage as the local on-line storage comes at a premium. The software which manages the migration of data, and ultimately deletion, is a critical component as it not only tracks data migration, but also maintains the working space needed for the system to continue to operate. The new script was deployed without quiescing the running scripts as well as fully testing the modified logic. The intention was to only remove log files more than ten days old. Recreating the lost data by re-running the experiments, in this case, may not be practical due to system availability coupled with the time and expense needed to prepare them to run.
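The last bullet describes a retention script that was meant to remove only log files older than ten days and was changed while still running. The following is an added example, not HPE's or Kyoto University's script: a small purge routine written to fail closed, so that an empty, relative or filesystem-root target (the shape a path takes when a variable goes undefined mid-run) is refused instead of walked, with a dry-run mode and a deploy helper that replaces a script by atomic rename rather than editing it in place. The temporary tree it operates on is constructed inside the block.

```python
"""A retention purge that fails closed, plus atomic script replacement (added example)."""
import os
import stat
import tempfile
import time


def purge_old_files(root: str, days: int, suffix: str = ".log", dry_run: bool = False) -> list:
    """Delete regular files under `root` ending in `suffix` whose mtime is older than `days`.
    Returns the paths removed (or that would be removed under dry_run).
    An unset variable that expands to "" or a bare "/" is refused up front;
    that is the failure a retention job must never be allowed to run through."""
    if not root or not os.path.isabs(root):
        raise ValueError(f"refusing to purge non-absolute root {root!r}")
    root = os.path.realpath(root)
    if root == os.path.dirname(root):  # only the filesystem root is its own parent
        raise ValueError("refusing to purge the filesystem root")
    if not os.path.isdir(root):
        raise ValueError(f"not a directory: {root}")

    cutoff = time.time() - days * 86400
    removed = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks and special files
                continue
            if st.st_mtime < cutoff:
                if not dry_run:
                    os.remove(path)
                removed.append(path)
    return removed


def install_atomically(src: str, dst: str) -> None:
    """Write the new script beside `dst`, fsync it, then rename over `dst`.
    A shell reads a script incrementally, so editing the file in place changes what an
    already-running instance executes next; rename leaves its open inode untouched."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst), prefix=".install-")
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        out.write(inp.read())
        out.flush()
        os.fsync(out.fileno())
    os.chmod(tmp, 0o755)
    os.replace(tmp, dst)


def demo() -> dict:
    """Build a constructed tree: one old .log (should go), one new .log and one old .dat (kept)."""
    base = tempfile.mkdtemp(prefix="purge-demo-")
    logs = os.path.join(base, "logs")
    os.makedirs(logs)
    old_log, new_log, old_dat = (os.path.join(logs, n) for n in ("old.log", "new.log", "old.dat"))
    for p in (old_log, new_log, old_dat):
        open(p, "w").close()
    past = time.time() - 30 * 86400
    os.utime(old_log, (past, past))
    os.utime(old_dat, (past, past))

    result = {"dry_run": [os.path.basename(p) for p in purge_old_files(logs, 10, dry_run=True)]}
    result["present_after_dry_run"] = os.path.exists(old_log)
    result["removed"] = [os.path.basename(p) for p in purge_old_files(logs, 10)]
    result["kept"] = sorted(os.listdir(logs))
    for bad in ("", "relative/path", "/"):
        try:
            purge_old_files(bad, 10)
            result["refused:" + bad] = False
        except ValueError:
            result["refused:" + bad] = True

    src, dst = os.path.join(base, "new.sh"), os.path.join(base, "purge.sh")
    with open(src, "w") as f:
        f.write("#!/bin/sh\necho v2\n")
    install_atomically(src, dst)
    with open(dst) as f:
        result["installed"] = f.read()
    result["executable"] = bool(os.stat(dst).st_mode & stat.S_IXUSR)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Atomic replacement removes one hazard; it does not remove the need the bullet points out to stop the running job and test the new logic before deploying, since a correctly installed script with the wrong path does the same damage.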

Read more in

China Is Targeting Western Social Media with Surveillance Technology

According to a Washington Post report, China is mining Western social media for data about “well known Western media journalists [and] … key personnel from political, business and media circles.” China has been using surveillance technology domestically, but an examination of bidding documents, contracts, and company filings show that China has expanded its purview beyond its borders.

Note

  • Consider regular internal or contracted OSINT hunts. These should be deep dives for corporate officers and at least sweeps for all employees/corporate identities. Use some of the tools on https://osintframework.com/ for a self-checkup!
  • China is not the only country doing this, and indeed your competitors may also be monitoring the social media activity of your key staff members. Start 2022 by running an awareness campaign to staff on how to secure their online social media accounts and how to better protect themselves and your business online.
  • Don’t count on the data collection terms published by social media sites to protect your data. If you don’t want it viewed publicly, don’t post it on social media. Also, review your profile with an eye to how that information could be used to target you, your employer, or co-workers.

Read more in

Rhode Island AG Investigating Transit Authority Breach

Rhode Island’s Attorney General (AG) is opening an investigation into a data breach that affected the state’s Public Transit Authority (RIPTA). RIPTA disclosed the August 2021 breach last month, telling victims that intruders had exfiltrated data related to RIPTA health plans. The AG’s office began receiving complaints from people who received a breach notice from RIPTA but who had no connection to the agency. It appears that the state’s former employee health plan administrator, UnitedHealthcare, was sending all state employee health claims bills to RIPTA, making the agency pick through them to find the pertinent data. The Rhode Island AG is “reviewing this incident to determine whether the entities involved have complied with state laws regarding notification and safeguarding of personal information in their custody.”

Note

  • On the surface, sending all the state’s data to an agency and letting them figure out what was theirs sounds like an easy fix which avoids omitting needed records. This also exposes data to an agency which has no need to know it (regardless of regulation) and adds liability to the receiving party to properly protect that data. Make sure that when you are sharing data, you only share the records which are in scope, and that both parties are appropriately protecting that data.

Read more in

CISA: Manufacturing Sector Facing Increased Cyberthreats

In an Insights report, the US Cybersecurity and Infrastructure Security Agency (CISA) says “the Critical Manufacturing Sector is at risk from increased cyber-attack surface areas and limited cybersecurity workforces related to the COVID-19 pandemic.” Factors responsible for expanding the attack surface include increased remote work and the use of robotics. CISA suggests mitigations such as “developing cybersecurity and operational knowledge within the shop floor environment is essential, given reduced crew density. Additionally, cybersecurity teams within firms must invest in training for security analysts to be capable of remote monitoring of manufacturing environments.”

Note

  • Well, pretty much every sector is “… at risk from increased cyber-attack surface areas and limited cybersecurity workforces related to the COVID-19 pandemic.” And, the report is pretty lightweight – mostly pointing out possible risks of moves to robotic process automation bringing increased Internet exposure. But, good to use as ammunition if your company is planning on migrating to RPA technology in the near future.
  • When we entered the pandemic, we rapidly created remote management/monitoring capabilities for many systems, including some which may not be suited for it. We also stepped up automation and other processes which allowed for operation with fewer humans. Take a pause and assess the security of those systems, making sure that only authorized devices and users can access those networks, and be sure you can detect anomalous traffic and behavior. Assess for cases where you no longer need that access and remove it.

Read more in

BlackBerry EoL

As of January 4, 2022, legacy services for BlackBerry 7.1 OS and earlier, BlackBerry 10 software, and BlackBerry PlayBook OS 2.1 and earlier are discontinued. BlackBerry devices running these legacy services over WiFi or cellular networks will no longer be able to receive or send text messages or place calls – including 911 emergency calls.

Note

  • BlackBerry hardware running the Android OS is not impacted. In 2017 BlackBerry announced they would only support these legacy operating systems for two more years. The good news for the enterprise is if you have users who refused to upgrade because things were not broken, this is no longer the case; you can migrate them to a current supported device. The bad news is they likely want a replacement device asap; make sure you have some spare/loaner devices on hand.
  • Blackberry were once the industry leaders for secure mobile communications. It is sad to see them come to EoL but a reminder from a cybersecurity perspective that reliance on a single technology to be your main security provider is not a wise long term strategy and that you should regularly review the technological solutions you rely on.

Read more in

Healthcare Supply Chain Association Releases Security Guidance Documents

The Healthcare Supply Chain Association (HSCA) has published two documents for medical device manufacturers, healthcare delivery organizations, and service providers. HSCA notes that “Maintaining device and information security is a shared responsibility of the manufacturers and suppliers of connected devices and services as well as the healthcare delivery organizations (HDOs) that use them.”

Note

  • This document contains 50 requirement statements (search for “should”), 18 of which (the ones in the last two sections) are very good requirements to convince procurement to include in all RFPs and contracts for medical devices and services.
  • The guidance includes important notifications, such as warranty and lifecycle information, partnerships to resolve security incidents in a timely fashion, as well as breach/incident sharing with the appropriate ISAOs without non-disclosure provisions. The problem is the guidance needs to be implemented. Healthcare providers will need to push on their suppliers to ensure they are complying with appropriate security practices prior to signing contracts. Suppliers need to make sure the providers understand the needed security when deploying their products and services. Then healthcare providers need to actively assess their protections regularly.

Read more in

Broward Health Discloses Breach

Florida-based Broward Health has acknowledged that it experienced a data security breach that affects information of more than 1.3 million people. The incident occurred in October 2021. The breach appears to have been made through a third-party provider who had access to the Broward Health network.

Note

  • Indications are the third-party provider’s access was used to access another account which could access the exfiltrated data. In addition to resetting all passwords, Broward Health is implementing multi-factor authentication for all users as well as added minimum security posture requirements for devices they don’t manage connecting to their network. When providing remote services consider requiring not only MFA, but also VDI or similar protections to insulate your system from weaknesses in the connecting system. Only permit access to needed services, at all layers.

Read more in

iOS HomeKit DoS Vulnerability

A denial of service vulnerability in Apple’s HomeKit software framework affects iOS versions 14.7 through 15.2. Dubbed DoorLock, the vulnerability was discovered by researcher Trevor Spinolas and reported to Apple in August 2021. HomeKit allows users to control their smart home devices through iPhones and iPads.

Note

  • An interesting vulnerability, but it isn’t clear if it is exploitable in “real life.” To exploit this issue, the victim would need to install a rogue application and give it permission to access the HomeKit configuration.
  • The flaw is triggered by changing the name of a HomeKit device to a string of over 500,000 characters. A partial fix is included in iOS 15 which limits the length of a name in a HomeKit device, which only works if all devices with access to that HomeKit are running iOS 15. When exploited, recovery requires restoring iOS devices and disabling Home Data until all HomeKit devices are renamed or removed from your iCloud account.

Read more in