Cybersecurity and Infosec News Headlines Update on April 30, 2022

Five Eyes List Most Exploited Vulnerabilities

The Five Eyes countries – Australia, New Zealand, Canada, the UK, and the US – have published a list of the top 15 most routinely exploited vulnerabilities in 2021. The list includes the Log4Shell vulnerability and the ProxyShell and ProxyLogon vulnerabilities.

Note

  • Note the dominance of Microsoft Exchange. Currently, one of the most impactful security initiatives may be to move away from Exchange or at least substantially reduce its exposure.
  • The report points out that the majority of the top 15 CVEs were exploited within two weeks of disclosure – monthly patching is not fast enough. The Atlassian exploitation rate jumped to near the top after a proof-of-concept exploit was released – reports of POC attack code should be triggers for immediate action. The Mitigations section has action recommendations specific to the top vulnerabilities.
  • Life moves pretty fast these days, and there isn’t a lot of time to contemplate what to remediate. Key off of actively exploited vulnerabilities and POCs being available. Consider requiring critical vulnerabilities be addressed in 7-10 days. Don’t accept workarounds as permanent fixes: require a timeline for deploying the complete fix, with appropriate consequences for failure to execute, then follow up. Make sure that you’re subscribed to the CISA alerts, in addition to your other threat feeds; CISA has recently upgraded their mailing list and supporting processes.
  • This is good insight to push for much faster patching cycles for these products, migrate to newer platforms, or make architectural changes that lower the risk of these products being exploited. Unfortunately, if you have any of these vulnerabilities in your environment, they were most likely already exploited.

Log4Shell Attack Surface Remains Large

Researchers from Rezilion found that more than 90,000 Internet-facing applications are running vulnerable versions of the Apache Log4j library. The Log4Shell vulnerability was first disclosed in December 2021. It is easy to exploit and has a CVSS v3 score of 10.

Note

  • The real takeaway from this report: A large number of downloads of log4j done today will install the vulnerable versions on systems. New vulnerable systems are diminishing the impact of patching of existing systems. Maybe instead of signatures to detect log4j attacks, we need signatures to detect the download of log4j legacy versions.
  • This was expected because most organizations do not keep an inventory of where the vulnerable library is used. We went through similar exercises with Struts and Heartbleed. Keeping an inventory is tough but needs to go down to the library level.
  • You may want to reset your expectations on the remaining Log4j attack surface after reading this report. Then knuckle down and look to your organization to see what may be skipped or tabled. Don’t overlook your internal/non-internet facing systems, there are scenarios where they can also be exploited.
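The two notes above ask for two things a defender can script: an inventory that reaches down to the library level, and a check that flags legacy log4j versions as they land on disk. The following is an added example, not code from the report or from Rezilion: a Python scanner that walks a directory tree, opens every jar, reads the log4j-core Maven pom.properties (which survives shading into an application jar, unlike the file name), falls back to the conventional file name, and classifies the version. The version bounds are Apache’s own (2.0-beta9 through 2.14.1 for Log4Shell; 2.17.1 as the first 2.x release with all of the December 2021 follow-on fixes), and the jars it scans are constructed in a temp directory so the example runs offline.

```python
import os
import re
import tempfile
import zipfile

# Real entry names that identify a log4j artefact inside a jar (Maven metadata and class layout).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_CLASS = "org/apache/logging/log4j/core/Logger.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LEGACY_POM = "META-INF/maven/log4j/log4j/pom.properties"
NAME_RE = re.compile(r"^log4j(?:-core)?-(\d[^/]*)\.jar$")

# Bounds as parse_version() tuples: Log4Shell affects log4j-core 2.0-beta9 through 2.14.1;
# 2.17.1 is the first 2.x release carrying all of the December 2021 follow-on fixes.
LOG4SHELL_MIN, LOG4SHELL_MAX, FIXED_MIN = (2, 0, 0, 0, 9), (2, 14, 1, 2, 0), (2, 17, 1, 2, 0)
QUAL_RANK = {"beta": 0, "rc": 1}  # pre-releases sort before the final release (rank 2)

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0, 9); '2.14.1' -> (2, 14, 1, 2, 0); None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch, qual, qnum = m.groups()
    return (int(major), int(minor), int(patch or 0), QUAL_RANK.get(qual, 2), int(qnum or 0))

def classify(version, jndi_lookup_present):
    v = parse_version(version) if version else None
    if v is None:
        return "unknown-version"
    if v[0] < 2:
        return "eol"  # log4j 1.x receives no fixes at all
    if LOG4SHELL_MIN <= v <= LOG4SHELL_MAX:
        # Deleting JndiLookup.class from the jar was the official interim mitigation.
        return "log4shell" if jndi_lookup_present else "mitigated"
    return "outdated" if v < FIXED_MIN else "ok"

def inspect_jar(path):
    """Return a finding for a jar that carries log4j, else None."""
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return None
    with zf:
        names = set(zf.namelist())
        version = None
        for pom in (CORE_POM, LEGACY_POM):  # pom.properties survives shading; the file name does not
            if pom in names:
                for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        jndi = JNDI_LOOKUP in names
        has_core = any(n.startswith("org/apache/logging/log4j/core/") for n in names)
    if version is None:  # fall back to the conventional artefact file name
        m = NAME_RE.match(os.path.basename(path))
        version = m.group(1) if m else None
    if version is None and not jndi and not has_core:
        return None
    return {"path": path, "version": version, "jndi_lookup": jndi, "status": classify(version, jndi)}

def scan(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])

# Constructed sample tree, not real artefacts: (relative path, pom entry or None, version, class entries).
SAMPLE_JARS = [
    ("lib/log4j-core-2.14.1.jar", CORE_POM, "2.14.1", [CORE_CLASS, JNDI_LOOKUP]),
    ("lib/log4j-core-2.0-beta9.jar", CORE_POM, "2.0-beta9", [CORE_CLASS, JNDI_LOOKUP]),
    ("legacy/log4j-core-2.14.1.jar", CORE_POM, "2.14.1", [CORE_CLASS]),  # JndiLookup.class deleted
    ("lib/log4j-core-2.16.0.jar", None, None, [CORE_CLASS, JNDI_LOOKUP]),  # no pom: name fallback
    ("lib/log4j-core-2.17.1.jar", CORE_POM, "2.17.1", [CORE_CLASS, JNDI_LOOKUP]),
    ("app/service-all.jar", CORE_POM, "2.13.3", ["com/example/Main.class", CORE_CLASS, JNDI_LOOKUP]),
    ("lib/log4j-1.2.17.jar", LEGACY_POM, "1.2.17", ["org/apache/log4j/Logger.class"]),
    ("lib/commons-io-2.11.0.jar", None, None, ["org/apache/commons/io/IOUtils.class"]),
]

def build_sample_tree(root):
    for rel, pom, version, entries in SAMPLE_JARS:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder class bytes
            if pom:
                zf.writestr(pom, f"version={version}\n")

def scan_sample_tree():
    """Build the constructed tree in a temp dir and return {relative path: status}."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return {os.path.relpath(f["path"], root).replace(os.sep, "/"): f["status"] for f in scan(root)}
```

Run `scan("/opt/myapp")` against a real tree, or `scan_sample_tree()` to see the constructed cases; the `app/service-all.jar` entry is the one that matters, since a shaded application jar carries a vulnerable log4j-core without ever having it in the file name.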

Nimbuspwn Linux Security Issue Can be Exploited to Gain Elevated Privileges

A collection of vulnerabilities affecting Linux systems could be exploited by local attackers to gain elevated privileges and deploy malware on unprotected systems. Dubbed Nimbuspwn, the security issue involves vulnerabilities affecting the networkd-dispatcher component.

Note

  • If you want a cool example of two race conditions (symlink, time-of-check-time-of-use) the Microsoft report (www.microsoft.com: Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn) explains why they work and how to exploit them. Note that manual exploitation is challenging because this is a race condition, so you’re going to want to script that if you want to see it work, particularly if you want to reliably show others how this works. The developer has patched networkd-dispatcher; make sure to deploy the update when it’s available for your Linux distro.
  • Privilege escalation vulnerabilities have a lower CVSS score because they require access to the local system. Therefore, these vulnerabilities may not hit your prioritization baselines. However, you should investigate these in your environment for expedited patching.

Microsoft Report on Russian Cyber Warfare

Microsoft has published “a report detailing the relentless and destructive Russian cyberattacks we’ve observed in a hybrid war against Ukraine.” The report lists nearly 250 cyber operations conducted by six separate groups of threat actors who all have ties to Russia.

Note

  • The report notes that cyber-attacks are being coordinated with kinetic actions, increasing the reach and disruption of both actions. The old model of going to ground while continuing to operate becomes much more complex. Note that the Russian military defines information warfare as “confrontation in the information space with the goal of causing damage to critical information systems, undermining political, economic, and social systems, psychologically manipulating the public to destabilize the state and coerce the state to make decisions to benefit the adversary party.”
  • This is a fascinating report and one I highly recommend you read. The number and type of attacks is just breathtaking. Three key Russian intelligence services are actively involved (GRU, FSB, SVR). What is amazing is not just the TTPs used in the attacks, but the breadth of goals. Russia is undertaking everything from psychological warfare targeting an entire population to targeted infrastructure attacks. This is not a small-scale effort to support the kinetic side of warfare; this is another entire battlefield, one Russia prioritizes just as much as their physical military forces.

Tenet Healthcare Cybersecurity Incident

Dallas, Texas-based Tenet Healthcare experienced a cybersecurity incident earlier this month. Once the company became aware of the situation, its security team “immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and quickly took steps to restrict further unauthorized activity.”

Note

  • Tenet’s response, recovery and communications all seem to have happened quickly. Their press release on the incident is a good model for clear and timely disclosure – good template to use.
  • Rapid authoritative communication, which not only acknowledges the situation but also describes actions taken and manages expectations on future actions, is a mad skill we all need to have and hope to rarely use after such an incident. Note they also praised their staff who are working to deliver services through the situation. Store this one in a file in case you need a template.

Cloudflare Blocked Huge DDoS Attack

In an April 27 blog post, Cloudflare said that its “systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.” The attack against the unnamed cryptocurrency platform lasted less than 15 seconds.

Note

  • Of note here is that this was an HTTPS attack, which is considerably more resource intensive due to establishing a TLS connection, and the duration was less than 15 seconds. Another change was this attack came from cloud compute centers, not a residential computer botnet. This is a case where automated detection and response performed as intended. You know the questions you need to go ask your defenders and service providers.

GitHub Repositories Breached with Stolen OAuth Tokens

GitHub has updated its alert regarding breaches using stolen OAuth tokens to include a timeline of the attackers’ activity. The threat actor used the tokens to steal repositories belonging to dozens of organizations.

Note

  • GitHub has completed notification of all directly impacted customers and recommends continued monitoring of Heroku and Travis CI’s investigations. Check your repositories for unexpected clone activity, double check for any authentication secrets or keys you forgot were still stored there.

“Package Planting” NPM Registry Flaw

Researchers from Aqua’s team Nautilus “found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it.” The issue, which the researchers have named “Package Planting,” was fixed on April 26.

Note

  • This is slick. You add a reputable/known maintainer or two to your malicious package, then remove yourself as a maintainer. The added maintainers don’t know they’ve been added to your package, and your package now looks like one of their legitimate ones. The fix was to add a confirmation step. Maintainers must confirm being added to a package.
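The note above describes the flaw and its fix in four sentences; the following is an added example, not Aqua’s research code or anything from npm, that models both registry behaviours side by side in Python. `PackageBefore` lets a maintainer add anyone instantly, so the sequence from the note (add a reputable account, then remove yourself) leaves only the reputable name on the public listing. `PackageAfter` turns an addition into a pending invitation that the invitee must confirm before it is listed. The package and account names are constructed, and the “last confirmed maintainer cannot leave” rule is my own addition to keep the model consistent, not something the page states about npm.

```python
class RegistryError(Exception):
    pass


class PackageBefore:
    """Simplified model of the pre-fix flow the note describes: a maintainer can add
    anyone instantly, and the added account is listed as a maintainer right away."""

    def __init__(self, name, publisher):
        self.name = name
        self.maintainers = {publisher}

    def _require_maintainer(self, user):
        if user not in self.maintainers:
            raise RegistryError(f"{user} is not a maintainer of {self.name}")

    def add_maintainer(self, acting_user, new_user):
        self._require_maintainer(acting_user)
        self.maintainers.add(new_user)  # no consent from new_user is ever sought

    def remove_maintainer(self, acting_user, user):
        self._require_maintainer(acting_user)
        self.maintainers.discard(user)

    def listing(self):
        """What the public package page shows."""
        return sorted(self.maintainers)


class PackageAfter(PackageBefore):
    """Post-fix model: an addition is only an invitation until the invitee confirms it.
    The last-confirmed-maintainer rule is an assumption of this model, not npm's."""

    def __init__(self, name, publisher):
        super().__init__(name, publisher)
        self.pending = set()

    def add_maintainer(self, acting_user, new_user):
        self._require_maintainer(acting_user)
        self.pending.add(new_user)  # not listed until confirmed

    def confirm(self, user):
        if user not in self.pending:
            raise RegistryError(f"no pending invitation for {user}")
        self.pending.discard(user)
        self.maintainers.add(user)

    def remove_maintainer(self, acting_user, user):
        self._require_maintainer(acting_user)
        if user in self.maintainers and len(self.maintainers) == 1:
            raise RegistryError("a package must keep at least one confirmed maintainer")
        self.maintainers.discard(user)
        self.pending.discard(user)  # withdrawing an invitation is allowed


def planting_sequence(package_cls):
    """Replay the sequence from the note against either model and return the public listing.
    All names are constructed."""
    pkg = package_cls("some-utils", "mallory")
    pkg.add_maintainer("mallory", "trusted-dev")  # trusted-dev is never asked
    try:
        pkg.remove_maintainer("mallory", "mallory")
    except RegistryError:
        pass
    return pkg.listing()
```

`planting_sequence(PackageBefore)` returns only the borrowed name, which is the whole trick; `planting_sequence(PackageAfter)` still lists the publisher, because the invitation is invisible until `confirm()` is called by the invitee. The general design point is the same as for any trust relationship a registry displays: a claim that affects how third parties judge a package has to be acknowledged by the party it names before it is rendered.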

HSCC: MedTech Vulnerability Communications Toolkit

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has published the Medtech Vulnerability Communications Toolkit. The HSCC CWG developed the toolkit by building on the US Food and Drug Administration’s (FDA’s) “Best Practices for Communicating Cybersecurity Vulnerabilities to Patients” as well as information gathered in surveys of “healthcare professionals, journalists covering healthcare cybersecurity, security researchers, manufacturers, and regulators.”

Note

  • Think about this for a second – the average hospital patient bed has 15 medical devices which not only interact with the patient, monitoring and/or providing therapy/medications, but are also connected. Then consider how rapidly they are deployed when a patient needs them, which means configuration and update processes need to be proactively managed ahead of need. This report is designed to help communicate vulnerabilities to stakeholders in a way they can understand and support taking the required action.

French Fiber Optic Cable Attack

Authorities in France are investigating the apparent sabotage of fiber optic cables as a criminal act. The severed cables disrupted Internet service in several regions of the country earlier this week.

Note

  • The photos of the cut cables reinforce the value of path diversity. Also, an argument for locked and possibly alarmed grates/vaults/etc. Those cuts are going to be a bugger to fix; it’s not clear how much dark fiber is available for re-routing of services. They are also faced with the decision of patching vs. pulling new trunks. Understanding what resiliency is deployed by your ISP, and their service disruption communication, should be part of your DR planning in addition to path diversity so you can capture possible risks to service availability.

More Good Reads

  • More than 60 percent of organizations suffered a breach in the past 12 months, according to Forrester’s new report titled “The 2021 State Of Enterprise Breaches.” More Than 60% of Organizations Suffered a Breach in the Past 12 Months
  • Researchers have reported active exploitation of the Spring4Shell vulnerability that allows threat actors to weaponize and execute the Mirai botnet malware, which tends to launch DDoS attacks on cloud-based IoT systems such as security cameras, agricultural systems, medical devices, and vehicles. Threat actors can exploit Spring4Shell to launch botnets that target cloud-based IoT systems
  • Two zero-day vulnerabilities – one of which has been previously disclosed and supposedly fixed twice – are among a total of 119 flaws fixed by Microsoft in its April 2022 Patch Tuesday update, alongside more than 20 Chromium vulnerabilities in the Edge browser. The vulnerabilities in question are CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System Driver, which is exploited but not public; and CVE-2022-26904, an elevation of privilege vulnerability in the Windows User Profile Service, which is public but not exploited. Both vulnerabilities carry CVSS scores of between seven and eight, rated as important. Microsoft patches two zero-days, 10 critical bugs

Threat actor continues to build out spam arsenal, primarily targets Amazon Web Services

Cisco Talos has recently received modified versions of the TeamTNT cybercrime group’s malicious shell scripts. These scripts are primarily designed to target Amazon Web Services (AWS) but could also run on on-premises, container or other forms of Linux instances. Besides the primary credential stealer scripts, there are several TeamTNT payloads focused on cryptocurrency mining, persistence and lateral movement using techniques such as discovering and deploying onto all Kubernetes pods in a local network. There is also a script with login credentials for the primary distribution server, and another with an API key that might provide remote access to a tmate shared terminal session. Some of the TeamTNT scripts even contain defense evasion functions focused on disabling Alibaba cloud security tools. The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premises or mobile environments.

ClamAV signature: Unix.Trojan.TeamTNT-9940866-0

Lazarus Group continues to target blockchain, cryptocurrency companies

The U.S. government warned last week that the Lazarus Group APT continues to target blockchain and cryptocurrency-related companies to generate revenue. The North Korean state-sponsored actor has been active for years, mainly focusing on cyber attacks that could somehow make money for the group. This campaign involves Lazarus Group targeting users with spearphishing emails, then installing a set of malicious apps called “TraderTraitor” that disguise themselves as a legitimate cryptocurrency trading application. The ultimate goal is conducting fraudulent activities on the blockchain, often stealing users’ cryptocurrency wallets.

Lapsus$ Breached T-Mobile Network

T-Mobile has confirmed that the Lapsus$ extortion group accessed its systems “several weeks ago.” The company says that it has taken steps to block the attackers’ access to the T-Mobile network and has disabled the credentials that were used in the attack.

Note

  • A key challenge for the Lapsus$ gang was getting devices enrolled or otherwise under their control so they could get SMS or other OTP messages to allow authentication for their targeted services. Lapsus$’s success hinges on buying or socially engineering credentials for services they need. They were leveraging the T-Mobile credentials to complete hassle-free SIM swaps which transferred the device’s phone number to a hacker-controlled device. While leveraging the credentials of your cellular provider bypasses some controls designed to prevent swapping, it’s still important to log in to your account and make sure that you’ve enabled the controls at your disposal to raise the bar as much as possible.
  • Rumors about this breach had been circulating for weeks, so it is refreshing to see T-Mobile confirming it. Like with the NVIDIA breach, Lapsus$ relied on purchasing credentials and generating MFA requests to the user (a new MITRE ATT&CK technique published yesterday with version 11, T1621: attack.mitre.org: Multi-Factor Authentication Request Generation).
  • The attacks targeted T-Mobile employees with provisioning privileges. This gave them the capability to “SIM swap” to change the destination phone for a cell phone number, a number perhaps used for strong authentication. To resist such attacks T-Mobile should ensure that all such privileged employees use token-based (not SMS based) strong authentication. It should also confirm all number change orders both in and out of band and delay implementation of such orders. Other employers should consider token-based authentication for employees in sensitive positions. End users and consumers, especially those using their phones for strong authentication, should contact their carriers immediately if they do not receive messages or calls that they expect or cannot make outgoing calls.
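The notes above point at T1621, Multi-Factor Authentication Request Generation: an attacker with a purchased password keeps triggering push prompts until the user approves one. The defender’s side of that technique is a detection over the IdP’s MFA event stream. The following is an added example, not T-Mobile’s, Okta’s or MITRE’s code: a Python detector that groups `mfa.push.sent` events per user, slides a time window over them, raises an alert when the prompt count inside the window reaches a threshold, and escalates the severity if an approval follows the burst, which is the outcome the technique is after. The event format, field names, window and threshold are assumptions to be mapped onto your own IdP’s export, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a generic IdP export shape (JSON lines); no real tenant or user.
SAMPLE_EVENTS = """
{"ts": "2022-04-28T02:10:05Z", "user": "j.doe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-04-28T02:10:06Z", "user": "j.doe", "event": "mfa.push.denied"}
{"ts": "2022-04-28T02:10:40Z", "user": "j.doe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-04-28T02:10:41Z", "user": "j.doe", "event": "mfa.push.denied"}
{"ts": "2022-04-28T02:11:15Z", "user": "j.doe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-04-28T02:11:16Z", "user": "j.doe", "event": "mfa.push.denied"}
{"ts": "2022-04-28T02:11:50Z", "user": "j.doe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-04-28T02:11:51Z", "user": "j.doe", "event": "mfa.push.denied"}
{"ts": "2022-04-28T02:12:30Z", "user": "j.doe", "event": "mfa.push.sent", "src_ip": "203.0.113.7"}
{"ts": "2022-04-28T02:12:44Z", "user": "j.doe", "event": "mfa.push.approved"}
{"ts": "2022-04-28T09:00:00Z", "user": "a.smith", "event": "mfa.push.sent", "src_ip": "198.51.100.20"}
{"ts": "2022-04-28T09:00:12Z", "user": "a.smith", "event": "mfa.push.approved"}
{"ts": "2022-04-28T10:00:00Z", "user": "r.lee", "event": "mfa.push.sent", "src_ip": "198.51.100.33"}
{"ts": "2022-04-28T10:00:30Z", "user": "r.lee", "event": "mfa.push.denied"}
{"ts": "2022-04-28T13:00:00Z", "user": "r.lee", "event": "mfa.push.sent", "src_ip": "198.51.100.33"}
{"ts": "2022-04-28T13:00:20Z", "user": "r.lee", "event": "mfa.push.approved"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Alert on any user who received `threshold` or more push prompts inside `window`.
    Window and threshold are assumptions to tune per tenant. An approval within one window
    after the burst is the outcome the technique aims for, so it raises the severity."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == "mfa.push.sent"]
        start = 0
        for end in range(len(sent)):
            while sent[end]["ts"] - sent[start]["ts"] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                burst = sent[start:end + 1]
                deadline = burst[-1]["ts"] + window
                approved = any(e["event"] == "mfa.push.approved"
                               and burst[0]["ts"] <= e["ts"] <= deadline for e in evs)
                alerts.append({
                    "user": user,
                    "prompts": len(burst),
                    "first": burst[0]["ts"].isoformat(),
                    "last": burst[-1]["ts"].isoformat(),
                    "src_ips": sorted({e.get("src_ip", "?") for e in burst}),
                    "approved_after_burst": approved,
                    "severity": "high" if approved else "medium",
                })
                start = end + 1  # keep going so a later, separate burst is reported too
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_push_fatigue(parse_events(SAMPLE_EVENTS)), indent=2))
```

On the constructed data only `j.doe` fires: five prompts in under three minutes, all denied, then an approval, which is exactly the sequence worth a phone call to the user and a credential reset. `r.lee` gets two prompts hours apart and is not flagged, which is why the window matters as much as the count.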

Costa Rica Government Networks Hit with Ransomware

Costa Rican government computer systems have been debilitated by a ransomware attack. The government has so far refused to pay the ransom. The attackers stole more than a terabyte of data and have published a large portion of it on the dark web.

Note

  • The Conti ransomware gang is taking credit for the attack on the Costa Rican customs and tax systems and claims to have released 80% of the pilfered data on the dark web. Further, they state they will continue to attack their systems until paid. Think about how you’d fare under this sort of continued attack, what resources you could call upon, and what motivations would be behind it. Make sure your DR plans support your assumptions. It is projected this attack is about destabilizing the country as their newly elected president transitions into place on May 8th.
  • Conti is one of the top ransomware threats. Your organization should understand how they operate and practice/train how to detect and respond to these attacks. Tabletops at the executive level combined with hands-on keyboard purple team exercises are one of the most efficient ways to test, measure, and improve your people, process, and security controls.

CISA Adds Seven Flaws to Known Exploited Vulnerabilities Catalog

On Monday, April 25, the US Cybersecurity and Infrastructure Security Agency (CISA) added seven security issues to its Known Exploited Vulnerabilities catalog. The flaws affect products from Jenkins, Microsoft, Linux, and WSO2. Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities requires Federal Civilian Executive Branch agencies to fix flaws added to the catalog within a specified amount of time. All seven of the most recently added vulnerabilities have remediation dates of May 16.

Note

  • Exploitation of one of the vulnerabilities added, CVE-2022-29464 affecting WSO2 products, was observed by one of our SANS ISC handlers. He wrote up his observation here: isc.sans.edu: WSO2 RCE exploited in the wild. The vulnerability was patched on April 1st and proof-of-concept exploits were made available a week later.
  • Take a look at these. You may want to prioritize vulnerabilities related to file upload and RCE. Operate under the assumption that being in the catalog will motivate attackers to attempt exploits before the mandated patch dates.
  • Patching these vulnerabilities is urgent. The mandatory date should not be taken as license to accept the risk until then.

DHS Bug Bounty Program

The US Department of Homeland Security (DHS) has disclosed the results of its first bug bounty program involving external researchers. DHS invited 450 “vetted security researchers” to participate. The researchers turned up 122 vulnerabilities; of those, 27 were found to be critical.

Note

  • Organizations should consider implementing a bug bounty program to amplify the vulnerability management process. These programs can be implemented in phases such as Coordinated Vulnerability Disclosure, private bug bounty, and public bug bounty. There are numerous platforms available to assist on the technology side, but these programs also need internal people and process. NIST has a nice site with multiple references for guidance: csrc.nist.gov: Vulnerability Disclosure Guidance
  • BOD 20-01 required the implementation of a vulnerability disclosure program with all externally facing systems included by September 2022. DHS is leading by example, not only having their systems incorporated into their VDP, but also inviting teams to discover vulnerabilities. I predict flaws will be remediated expeditiously driving revisions to expected vulnerability response timelines as well as refinements in their overall VDP program.

Atlassian Patches Critical Jira Vulnerability

Atlassian has released an advisory warning of a critical authentication bypass vulnerability in its Jira and Jira Service Management products. The flaw affects certain versions of Jira Core Server, Software Data Center, Software Server, the Service Management Server, and the Management Data Center. It does not affect the cloud versions of Jira and Jira Service Management.

Note

  • DevOps tools are presenting a large attack surface. Between plugins, authenticating to various external services, and vulnerabilities in the tools themselves they need to be carefully watched and secured (and not exposed to the world).
  • The vulnerability applies to a specific configuration of Jira, affecting first- and third-party apps specifying “roles-required” at the action namespace level but not at the action level. Even so, apply the updates if you’re running Jira in your infrastructure. Make sure that you’re updating all the related products you’ve deployed.

VirusTotal RCE Flaw is Fixed

VirusTotal maintainers fixed a remote code execution vulnerability affecting the platform in an April 13 security update. The problem is due to ExifTool’s mishandling of DjVu files.

Note

  • Real nice case study on how dangerous file uploads can be. Contrary to what was widely reported, this vulnerability did not affect VirusTotal itself. Instead, third parties downloading (and processing) samples from VirusTotal were affected. The exploited tool (exiftool) is very commonly used in file upload systems to pre-scan the file for metadata and is often considered harmless/low risk. But anything touching untrusted data needs to be carefully maintained and updated. Make sure your developers read the very detailed write-up.
  • This is very similar to embedding a macro in an Office document. The ExifTool was tricked into executing the provided code when analyzing the image. If you’ve got ExifTool in your environment, make sure that you’ve deployed their April 13th update even if you think it’s not processing DjVu files.

US Dept. of Energy Funds Grid Cybersecurity Research

The US Department of Energy has funded $12 million in grants for six university research projects focusing on securely designing and building the next generation power grid. “Three of the projects primarily deal with building or designing artificial intelligence solutions that can automate parts of the cybersecurity operations for energy systems, help absorb cyberattacks without disrupting power and recover more quickly when they do. …The other three projects deal with enhancing the security of specific, critical systems relied on by energy owners and operators to keep the lights running.”

Note

  • Critical Infrastructure providers have mad skills when it comes to delivering network and control signals over great distances. Now comes the time to help them with cost-effective prevention, detection, and response capabilities, particularly for services which cover large geographic areas, oftentimes remote, where physical and environmental challenges make in-person detection and response impractical.

French Hospital Cyberattack

A French hospital group has severed Internet connections following a cyberattack. The GHT Coeur Grand Est. Hospitals and Health Care group has nine facilities. GHT said that the attackers stole administrative data.

Note

  • How effective would your business be if you severed these connections, particularly with today’s use of cloud and outsourced services? Allowing and denying applications has to be not just at the system executable level, but also at the services level for comprehensive protection. Look to see if you can leverage layer 7 protections for allowed and disallowed services, irrespective of port, protocol, or address. Only allow access to approved services and applications, effectively blocking (or reducing) access to C2, malicious sites or other maleficence. Note that you will need to implement an exception and change management process; implementing this is not a finger-snap, but the result is worth it.

Jisc: Ransomware is a Threat to UK Universities

In a revised Cyber Impact Report, UK non-profit Jisc indicates that UK universities are facing an increased risk of ransomware attacks. Jisc’s initial report was published in 2020; the revised report “include[s] anonymised case studies of more recent incidents that underline the increased threat of ransomware attacks.” The report also includes updated guidance for leaders.

Note

  • We all worked hard to quickly retool to provide remote services during the pandemic. The attackers continue to exploit any weaknesses in those services. Two issues continue to surface – don’t expose RDP to the Internet and use MFA. When it comes to strong authentication MFA doesn’t have to be a budget buster, leverage soft tokens and capabilities built into modern IDPs. Don’t skip System Administrator and VIP accounts, you need full coverage. Where “break glass” accounts (with reusable passwords) are kept for “emergencies” monitor and restrict their use to be certain that is the only situation where they are used.

AWS Releases Updated Log4j Hot Patches

Amazon Web Services (AWS) has released updated hot patches to address the Log4j security issues. Initially released in December 2021, the patches were found to contain security issues themselves. The vulnerabilities in the original patches were detected by researchers from Palo Alto Networks’ Unit 42.

Note

  • The vulnerability addressed here is not log4j, but a problem that resulted from Amazon’s hotpatch process “patching” unrelated code that could lead to privilege escalation as the patching process ran with elevated privileges. Overall, the hotpatch was likely still better compared to not patching a critical vulnerability like log4j.
  • The December patches introduced flaws which can lead to container escape, so apply the new patches now. For Kubernetes clusters, make sure to deploy the current daemonset; Hotdog users need to update to the latest version; and standalone EC2 hosts should apply the latest log4j-cve rpm.

Mandiant, Google: Number of Exploited Zero-days in 2021 was Up Significantly

According to reports from both Mandiant Threat Intelligence and Google Project Zero, more zero-day vulnerabilities were exploited in 2021 than in any previous year. Mandiant “identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019.” Google reported “the detection and disclosure of 58 in-the-wild 0-days.” Mandiant found that the majority of the zero-days were being exploited by state sponsored threat actors.

Note

  • Google points out more entities are being credited with finding zero days as an indication that more threat hunting and early code testing is happening. Mandiant (owned by Google) data shows a wider range of threat actors, especially financially motivated attackers, are exploiting zero days. Use both of these facts to convince management that immediate patching and proactive threat hunting is required on all high value systems, especially where the “we are not a target of Russia/China” pushback has been happening.
  • These exploits have resulted in more frequent updates tied to zero-day exploits. As such, you need to be not only tuned to apply updates across your enterprise, but also be able to monitor and respond to activities which may not yet have patches. Robust authentication, ideally MFA, endpoint security and application security to include WAF have to be SOP.
  • Poor software quality control is leaving us with a porous infrastructure, inviting to increasingly organized crime and state adversaries. We need new tools (e.g., programming languages, SDKs, platforms), methods, and processes.

Okta Finishes Up Lapsus$ Investigation

Okta has completed its investigation into the January 2022 compromise by Lapsus$ threat actors. Okta says that the attackers had control of a single workstation for 25 minutes on January 21, 2022, accessed two active customer tenants, and were unable to make configuration changes, multi-factor authentication and/or password resets, or impersonate customer support. Okta has also ended its professional relationship with Sitel, the third-party customer support provider whose systems were breached.

Note

  • Rapid and transparent response by Okta. Customers of Sitel, who blames their breach on weaknesses in the network of an acquisition they made in August 2021, need to see the same or look to change providers.
  • Notice the duration of the interval that was involved here. This is where your monitoring and automation has to be sufficient to not only capture information but also tuned to provide near-realtime alerts of anomalous behavior. And then you not only have to know what is normal, but also be aware of data feeds not working.

CISA Expands Joint Cyber Defense Collaborative to Include ICS Experts

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced the expansion of the Joint Cyber Defense Collaborative (JCDC) to include Industrial Control Systems (ICS) experts. CISA established JCDC in August 2021 “to transform traditional public-private partnerships into real-time private-public operational collaboration and shift the paradigm from reacting to threats and vulnerabilities to proactively planning and taking steps to mitigate them.”

Note

  • Good to see many of the high market share ICS device vendors on the ICS expert list. While this effort will have an immediate wartime focus, it needs to carry that immediacy through to ICS vendors building more secure and more easily updated (buzzword: resilient) products.
  • Threat actors continue to target ICS/OT systems, in part, because it works, as well as for the disruption that can cause. One hopes that adding ICS-specific expertise to the JCDC will help with added relevant recommendations to further raise the bar to defend critical infrastructure and ICS.

Five Eyes Alert Warns of Russian Threats to Critical Infrastructure

The Five Eyes countries – the US, the UK, Canada, Australia, and New Zealand – have published a joint cybersecurity advisory warning of potential Russian state-sponsored and criminal malicious cyber activity. The advisory includes technical details about Russian state-sponsored operations, and Russian-aligned cyber threat and cybercrime groups, as well as suggested mitigations and advice on preparing for cyber incidents.

Note

  • Whether the attacks originate from Russian state sponsored threat actors or sympathetic threat actors, your preparations remain the same, particularly if you’re in the critical infrastructure business. Verify that your defensive measures cover both your ICS/OT systems as well as your conventional IT systems which could be used for recon or pivot points. The CISA alert includes not only mitigations, patches/updates, MFA all entry points, segmentation and appropriate VPN configuration, but also resource and contact links for all of the Five Eyes members.

Oracle Fixes Vulnerability in ECDSA Implementation in Java

Oracle has released a fix for a critical flaw affecting the Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in Java versions 15-18. The issue was introduced in a rewrite of Java 15’s signature verification code.

Note

  • Encryption is hard, and all about details. Read the original blog discussing the vulnerability. ECDSA is used for many different purposes including to verify web server certificates. A proof-of-concept exploit has been published implementing a web server with a fake google.com certificate. But note that it only works if the client is written in Java 15 and later. Most enterprise applications are using older versions.
  • This flaw allows a fake digitally signed transaction or application to appear to be legitimate and is easy to exploit. The fix is included in the current CPU from Oracle, so make sure that you’ve deployed this update.
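
To make the missing check concrete, here is an added example (not Oracle's code and not from the blog the note refers to) that models the bug in pure Python. It uses the well-known secp256k1 domain parameters as a stand-in curve, since the missing range check is independent of the curve, and `verify_flawed` mimics two behaviours attributed to the buggy verifier: a modular inverse of 0 yields 0, and the point at infinity is treated as having x-coordinate 0. Those modelling choices, and the message text, are assumptions for illustration, not a line-by-line reproduction of the JDK.

```python
import hashlib
import secrets

# secp256k1 domain parameters (well-known constants). Used as a stand-in curve:
# the missing 0 < r, s < N check is independent of which curve is in use.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity


def inv_lenient(x, m):
    """Modular inverse that returns 0 for x == 0 instead of raising.
    Assumption for this model: the flawed verifier's inverse behaved this way."""
    x %= m
    return 0 if x == 0 else pow(x, -1, m)


def ec_add(p1, p2):
    """Affine point addition / doubling on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def sign(d, msg):
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:                     # a correct signer never emits r == 0 or s == 0
            return (r, s)


def _shared_point(pub, e, r, s, inverse):
    """R = u1*G + u2*pub, the point both verifiers compare against r."""
    w = inverse(s, N)
    u1, u2 = e * w % N, r * w % N
    return ec_add(ec_mul(u1, G), ec_mul(u2, pub))


def verify_flawed(pub, msg, sig):
    """Verification WITHOUT the range check, as in Java 15-18.
    Infinity is reported as x == 0 here (assumption modelling the bug)."""
    r, s = sig
    R = _shared_point(pub, hash_to_int(msg), r, s, inv_lenient)
    x = 0 if R is INF else R[0]
    return x % N == r


def verify_fixed(pub, msg, sig):
    """Verification with the range check that the patch restores."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    R = _shared_point(pub, hash_to_int(msg), r, s, lambda x, m: pow(x, -1, m))
    return R is not INF and R[0] % N == r


def demo():
    """(genuine sig on flawed verifier, (0,0) on flawed verifier, (0,0) on fixed verifier)."""
    d, pub = keygen()
    msg = b"transfer 10 BTC"            # constructed sample message
    psychic = (0, 0)                    # accepted by the flawed verifier for any key and message
    return (verify_flawed(pub, msg, sign(d, msg)),
            verify_flawed(pub, msg, psychic),
            verify_fixed(pub, msg, psychic))


if __name__ == "__main__":
    print("genuine/flawed, (0,0)/flawed, (0,0)/fixed:", demo())
```

The attack needs no key material at all: with r = s = 0 the flawed verifier computes u1 = u2 = 0, lands on the point at infinity, and compares its "x-coordinate" 0 against r = 0. Any verifier you write or review should reject r or s outside [1, n-1] before doing any curve arithmetic, exactly as `verify_fixed` does.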

Read more in

Lawsuit Alleges Vendor Hid Ransomware Attack

Eye Care Leaders (ECL), a provider of “ophthalmology-specific EHR and practice management systems,” is being sued by three medical practices for allegedly concealing a cyberattack against its systems that had significant negative impacts on the medical practices and for misrepresenting the situation when the practices sought additional information. ECL later disclosed that the attack corrupted and encrypted some databases, rendering certain data unrecoverable.

Note

  • Timely and responsible disclosure of security incidents may be a legal requirement, not just a best practice. For example, some state privacy laws require breach notification in 24 hours. Check the requirements for the data you’re handling in every location you’re doing business in. Make sure that your contracts with third-party providers include relevant language for notification, and that your legal department can support that language. If a breach happens, be prepared for the tough conversations about preserving or severing those relationships.

Read more in

FBI Warns of Potential Ransomware Attacks Against Agricultural Sector

The FBI has published a TLP: White Private Industry Notification warning organizations within the agricultural sector “that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain.” The alert includes descriptions of previous cyberattacks against agricultural entities and recommendations for mitigation.

Note

  • There is no such thing as being too small or too obscure to be a target. If you don’t know where to start, contact your local CISA, FBI or other professional security organizations for resources, guides and advice.

Read more in

“Haskers Gang” Introduces New ZingoStealer

Cisco Talos recently observed a new information stealer, called “ZingoStealer” that has been released for free by a threat actor known as “Haskers Gang.” This information stealer, first introduced to the wild in March 2022, is currently undergoing active development and multiple releases of new versions have been observed recently. The malware leverages Telegram chat features to facilitate malware executable build delivery and data exfiltration. It can exfiltrate sensitive information such as credentials, steal cryptocurrency wallet information, and mine cryptocurrency on victims’ systems. While this stealer is freely available and can be used by multiple threat actors, we have observed a focus on infecting Russian speaking victims under the guise of game cheats, key generators and pirated software, which likely indicates a current focus on home users. The threat actor “Haskers Gang” uses collaborative platforms such as Telegram and Discord to distribute updates, share tooling and otherwise coordinate activities. In many cases, ZingoStealer also delivers additional malware such as RedLine Stealer and the XMRig cryptocurrency mining malware to victims.

Read more in

Cisco patches several new vulnerabilities related to Spring4Shell

Cisco released fixes for multiple critical and high-severity vulnerabilities last week, some of which are related to the high-profile Spring4Shell vulnerabilities disclosed earlier this month. A management interface authentication bypass vulnerability in Cisco’s wireless LAN management software (CVE-2022-20695) is the most severe of the vulnerabilities, with a severity score of 10 out of 10. An attacker could exploit this vulnerability by logging into the management interface with crafted credentials, potentially gaining administrator-level access. The company also announced in another critical advisory that it is still working on updates to some products to fix the Spring Framework vulnerability known as Spring4Shell.

Read more in

GitHub: Stolen OAuth User Tokens Used to Steal Data

GitHub says that stolen OAuth user tokens that were initially issued to two third-party integrators have been used to download data from other organizations. GitHub has notified organizations that were compromised.

Note

  • OAuth is a great tool to create “valet keys” that provide CI/CD tools with just the access needed to do their job. But they still need to be safeguarded. Make sure your tools are able to rotate these keys periodically. From time to time, review which tools have access to your accounts. Services supporting OAuth should make it easy to review which applications have been approved for access.
  • To further protect users, GitHub revoked the tokens associated with their and npm’s use of the compromised Travis CI and Heroku Dashboard applications. The attackers are believed to be mining private repositories downloaded using the pilfered OAuth tokens, looking for opportunities to pivot into other systems using additional discovered credentials. With OAuth keys being an essential component of remote/cloud based services, their use is a risk you need to actively manage to prevent malfeasance. Make sure you’re auditing, monitoring and appropriately expiring OAuth keys to minimize abuse.

Read more in

Cisco Fixes Critical Flaw in WLC Software

Cisco has released updates for its Wireless LAN Controller (WLC) software that fix a critical authentication bypass vulnerability. The issue has a CVSS score of 10; it exists because the password authentication algorithm is improperly implemented. The vulnerability affects Cisco’s 3504 Wireless Controller, 5520 Wireless Controller, 8540 Wireless Controller, Mobility Express, and Virtual Wireless Controller (vWLC).

Note

  • This flaw will only affect you if you are using a non-standard configuration for RADIUS authentication. Review Cisco’s bulletin to see if you are affected. But probably best to just patch in case you modify your configuration later.
  • If you have one of these controllers, with RADIUS compatibility mode set (check your macfilter summary) to other, you’re vulnerable. The best move is to apply the update; workarounds entail changing the RADIUS compatibility to Cisco or free which may have operational impacts you’ll want to test first.

Read more in

US Legislators Introduce Quantum Computing Cybersecurity Preparedness Act

Legislators in the US House of Representatives have introduced the Quantum Computing Cybersecurity Preparedness Act, a bill that would require the civilian federal government to develop a strategy to protect systems from attacks conducted by quantum computers. One of the bill’s sponsors, Rep. Ro Khanna (D-California), said “Even though classical computers can’t break encryption now, our adversaries can still steal our data in the hopes of decrypting it later. That’s why I believe that the federal government must begin strategizing immediately about the best ways to move our encrypted data to algorithms that use post-quantum cryptography.”

Note

  • It may not be clear how much of a threat quantum computing will present in the future. But upgrading encryption algorithms takes time, and it is important to start the process well before the threat is apparent. Encryption isn’t like a good wine, it doesn’t get better with age. Always implement systems with the best possible encryption algorithms you can afford at the time you create software.
  • This type of legislation was needed back in the 1990’s to get the federal government moving around Y2K preparedness. Quantum computing security issues are much more complex technically and the lack of a hard deadline makes it too easy to keep kicking the can down the road. So, good to see this bipartisan legislation initiated.
  • The trick is phasing out old cryptography, such as 3DES or SHA1, which often requires not only updated hardware, software, and applications, but also intentionally disabling the old crypto which is left for compatibility. This is exacerbated by external collaboration where getting agreement to no longer support that compatibility is neither a technical nor a cyber security decision. Enlist the C-Suite to move the bar, track the progress and record the risk decisions.

Read more in

Chrome Updates to Fix Actively Exploited Flaw

Google has updated the Chrome Stable channel for Desktop to version 100.0.4896.127 for Windows, Mac and Linux. The newest version of Chrome will be rolled out over the next few weeks. It includes fixes for two security flaws, including a type confusion vulnerability that is being actively exploited. The flaw affects V8, Chrome’s JavaScript and WebAssembly engine.

Note

  • Here is another emergency update for Chrome. If I’m tracking, this is the third for 2022 that also includes a Zero-Day fix. The updates to Chrome and Chromium, which address CVE-2022-1364 and CVE-2022-1096, are already available for deployment; make sure Edge, Brave and other Chromium based browsers are also updated. This is a good time to make sure that you’re actively managing updates to all Chrome and Chromium based browsers in your environment. Don’t overlook mobile.

Read more in

US Officials Warn on Russian Cyberattacks

On the US television news show 60 Minutes, Deputy Attorney General Lisa Monaco and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly spoke about the potential for Russian cyberattacks on critical infrastructure. Monaco said, “We are seeing Russian state actors scanning, probing, looking for opportunities, looking for weaknesses in our systems on critical infrastructure, on businesses.” Easterly noted that the Russian hackers appear to be focusing on the energy and financial sectors.

Note

  • Ukraine has been inundated with various attacks against critical infrastructure, government and businesses. Many of the tools deployed so far are “wipers” created to just destroy data. But other malware, like credential stealers, has been seen as well with very targeted lures. A possible expansion of the Russian war effort to include countries supplying Ukraine may very well mean that these attacks will be attempted against a larger list of targets.
  • Imagine a burglar jiggling all the locks in the neighborhood looking for a way in. Then using a possibly unrelated entrance point to pivot to a higher value target using partnership or other trust relationships. Extend your definition of third-party risk to include the environments where you have remote workers as well as business partnerships, including cloud. Ask what added resources could access your network after you conceded to allow access to local resources on the far end such as printers and file servers, then look to means to minimize those risks.

Read more in

US CISA, FBI, and Treasury Warn of Lazarus Hackers Targeting Cryptocurrency

In a joint alert, the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Treasury Department warn that the Lazarus hacking group is targeting cryptocurrency and blockchain organizations. The hackers use social engineering to get cryptocurrency company employees to download and run apps that have been laced with malware. The Lazarus group has been linked to North Korea.

Note

  • Crypto is still not insured, nor regulated for safety and soundness. That means increased reliance on the user, and when working with an exchange it also means you really need to read the EULA and other terms. In this case the target is those organizations you would be reliant on to properly manage the transactions, so you need a clear understanding of what happens if that is successful. As a developer, of any sort, one needs to always be careful of new and improved libraries bearing extra features, particularly when accompanied by alluring messages which lead you to think their deployment is urgently required. Make sure your staff is fully trained on detecting and thwarting social engineering attempts, as they can be compelling. If you have any doubt, visit a social engineering village at a conference and prepare to be amazed.

Read more in

Remote code execution vulnerabilities in Hyper-V, NFS part of Patch Tuesday

Microsoft released its latest security update Tuesday, disclosing more than 140 vulnerabilities across its array of products. This is a departure from past Patch Tuesdays this year, which have only featured a few dozen vulnerabilities, and is the largest number of issues in a single Patch Tuesday since September 2020. Ten of these vulnerabilities are considered to be “critical,” while three others are listed as being of “moderate” severity and the remainder are considered “important.” There are also nine vulnerabilities that were first found in the Chromium web browser but affect Microsoft Edge, since it’s a Chromium-based browser. Edge users do not need to take any action to patch for these issues.

Read more in

Tarrask Malware Hides in Scheduled Windows Tasks

Researchers from Microsoft’s Detection and Response Team (DART) and Threat Intelligence Center (MSTIC) have detected malware that hides in Windows scheduled tasks to evade detection. Dubbed Tarrask, the malware is believed to be used by the Hafnium Chinese state-backed hacking group. Tarrask is able to maintain persistence even after reboots.

Note

  • This reminds me of the 3:50am alarm I set for an early flight that I thought I had killed but still manages to randomly come on every now and then. Mitigation here is pretty straightforward – know what legitimate scheduled tasks are in use and audit for discrepancies and tasks that are attempting to hide from simple listing.
  • The tasks are hidden due to a bug in Windows where tasks without a security descriptor are not displayed with traditional checks like “schtasks /query.” The good news is you can scan the registry to find them, or enable the Security.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs in which you can then look for key events related to the malware. The trick is you need to know what’s expected to identify anomalies reliably. Leverage the IOCs in the Unit 42 post below to aid detection and thwart C2 channels.
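
An added example (not Microsoft’s or DART’s code) of the registry check the second note describes: it walks the TaskCache\Tree hive on Windows and reports task keys that carry an Id value but no SD value, which is the condition that hides a task from `schtasks /query` and the Task Scheduler UI. The assumption that every legitimately registered task key carries both values, the constructed snapshot used for the offline demo, and the task names in it are mine; run `collect_tree_snapshot()` from an elevated prompt to scan a real host.

```python
import sys
from typing import Dict, List, Set

TREE_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def collect_tree_snapshot() -> Dict[str, Set[str]]:
    """Walk HKLM\\...\\TaskCache\\Tree (Windows only, needs admin rights) and return
    {task_path: {value names present on that key}}."""
    import winreg  # only available on Windows
    snapshot: Dict[str, Set[str]] = {}

    def walk(key, path: str) -> None:
        names: Set[str] = set()
        i = 0
        while True:                       # enumerate values until EnumValue runs out
            try:
                name, _data, _kind = winreg.EnumValue(key, i)
            except OSError:
                break
            names.add(name)
            i += 1
        snapshot[path] = names
        j = 0
        while True:                       # recurse into task folders
            try:
                sub = winreg.EnumKey(key, j)
            except OSError:
                break
            with winreg.OpenKey(key, sub) as subkey:
                walk(subkey, path + "\\" + sub)
            j += 1

    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY   # avoid WOW64 redirection
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TREE_PATH, 0, access) as root:
        walk(root, "")
    return snapshot


def find_hidden_tasks(snapshot: Dict[str, Set[str]]) -> List[str]:
    """Keys the scheduler knows about (they have an Id) but whose SD value is gone.
    These are exactly the entries that schtasks /query and the UI skip."""
    return sorted(path for path, names in snapshot.items()
                  if "Id" in names and "SD" not in names)


# Constructed snapshot standing in for a real hive; task names are hypothetical.
SAMPLE_SNAPSHOT: Dict[str, Set[str]] = {
    "": set(),
    "\\Microsoft": {"Id", "SD"},
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": {"Id", "Index", "SD"},
    "\\ExampleBackup": {"Id", "Index", "SD"},
    "\\UpdateCheck": {"Id", "Index"},        # SD deleted: invisible to schtasks
    "\\Staging\\Cleanup": {"Id", "Index"},   # same, nested one folder down
}


def main() -> int:
    snap = collect_tree_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    hidden = find_hidden_tasks(snap)
    for path in hidden:
        print("hidden task (no SD value):", path)
    return 1 if hidden else 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-empty result is a starting point, not a verdict: pull the matching TaskCache\Tasks\{Id} key to see the task’s actions, and correlate with Security event 4698 (task created) and the Operational log’s registration/update/deletion events so you can tell a tampered task from one that was merely registered oddly.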

Read more in

Threat Actors Hung Out on US Government Agency Network for Months

Researchers from Sophos found that threat actors maintained a presence in a government agency’s network for more than five months before deploying ransomware. It appears that at least two different groups of threat actors had access to the network. The attackers gained initial access through open Remote Desktop Protocol (RDP) ports on a firewall that was configured to allow public access to an RDP server. The agency might have been able to detect the attackers’ presence sooner if it had deployed multi-factor authentication and a firewall rule blocking access to RDP ports without a VPN connection.

Note

  • Many lessons to be learned from this one, but I think the top one is: Looks like this attack was enabled when security controls were turned off during network maintenance and not restored afterwards. That left a PC with local server and domain admin credentials exposed. The attackers had a field day from there. When you take your boat out of the water and you remove the drain plug, job 1 is remembering to put the drain plug back in *before* putting the boat back in the water.
  • Don’t make access any easier than it has to be. Do not expose RDP to the Internet, and MFA all remote access mechanisms. Further, make sure you’re actively managing accounts for remote access, authorizing only users with legitimate need, revalidate regularly, disable access judiciously. Restrict access to end-user accounts. Admins can elevate after connecting; service accounts shouldn’t need to use RDP.

Read more in

CISA, FBI, DOE, NSA: Custom PIPEDREAM Malware

The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory warning that advanced persistent threat (APT) actors are using custom tools to target ICS/SCADA devices and gain full system access to multiple devices. The advisory provides technical details and suggested mitigations for strengthening ICS/SCADA security.

Note

  • These devices fall into the category of set and forget: once they are working, they will continue, undisturbed, almost indefinitely. The problem is we can’t afford to let our guard down, we need to protect them so they can achieve their operational goals. The primary mitigations include segmentation; limiting access to authorized devices and users; using multi-factor authentication wherever possible; changing all default passwords; rotating all static passwords on a regular basis. Make sure your monitoring tools include OT specific capabilities, and keep software/firmware updated.

Read more in

Ukraine Fends Off Power Grid Cyberattack

According to advisories from the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity company ESET, the Russian Sandworm hacking group launched attacks targeting high-voltage electrical substations in Ukraine. The attack was detected and stopped before it could cause any blackouts. CERT-UA says that the hackers gained access to systems at the electric utility earlier this year, but did not deploy the malware, known as Industroyer 2, until last week. The attackers also reportedly deployed wiper malware and a Linux worm.

Note

  • Ukraine has been doing battle with Sandworm for a long time and has become adept at shutting down their activity. It’s nice to read stories where the attackers were unsuccessful in their disruption of services. What is concerning is that the attackers’ access was not detected sooner. Dwell time is a challenge; make sure that you truly know what normal is and can detect and identify irregular behavior. Monitor not only the security of authorized connections but also look for unauthorized ones, to include blocking unauthorized remote desktop access services.

Read more in

CISA: Update to Most Recent Struts 2

Apache says that a 2020 fix for a critical flaw in the Apache Struts 2 framework for Java was incomplete. The OGNL (Object-Graph Navigation Library) injection vulnerability could lead to remote code execution. The vulnerability affects Struts versions 2.0.0 through 2.5.29. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to update to the most recent version, 2.5.30 or later.

Note

  • Deja-vu anyone? The fix is to upgrade to 2.5.30, which has no issues with backward compatibility. Expedite fixing any Internet accessible installations. Also make sure that developers are following the Struts Security tips for added defense in depth, particularly with regards to untrusted input.

Read more in

Microsoft Patch Tuesday Includes Fix for Flaw That is Being Actively Exploited

On Tuesday, April 12, Microsoft released updates to fix more than 120 vulnerabilities in its products. Ten of the flaws are rated critical. One of the flaws fixed is a Windows Common Log File System Driver Elevation of Privilege Vulnerability, which is being actively exploited to gain elevated privileges. The US National Security Agency (NSA) and CrowdStrike reported the vulnerability to Microsoft.

Note

  • This patch set includes fixing CVE-2022-24521, which only has a CVSS score of 7.8. However, the exploit complexity rating is low, making it more important to address, as well as CVE-2022-26904 which has published exploit code but relies on a race condition to exploit. There are other vulnerabilities with scores as high as 9.8 which are also addressed. Rather than picking this apart, focus on getting the update deployed.

Read more in

Aethon Hospital Robot Vulnerabilities Patched

Aethon has released fixes for five vulnerabilities affecting its TUG robots, which are used in hospitals to perform a variety of tasks. The flaws could be exploited to lock elevators and doors, disrupt medication delivery, and gain access to medical records, user credentials, and real time camera feeds. The vulnerabilities are fixed in the latest version of TUG firmware. Aethon has also updated firewalls at hospitals with vulnerable robots so they could not be accessed through the hospitals’ IP addresses.

Note

  • I still do a doubletake when I see robots like these in use in hospitals, restaurants, malls, and airports, wondering what could go wrong. In some areas, these robots are used to deliver medicines outside the hospital over pre-determined routes where exploitation of the flaws could be used to crash, misdirect, or otherwise actively interfere with intended operations. Applying the update in some cases is non-trivial, requiring firmware replacements and OS upgrades. The firewall changes provided necessary segmentation and should be viewed as a long-term security measure for robots, medical or otherwise. Remember to consider which of your IT systems they can reach and the impact a compromised device would have.

Read more in

ZLoader Botnet Disrupted

Microsoft’s Digital Crimes Unit (DCU) has used legal measures to disrupt the ZLoader botnet. ZLoader comprises infected “devices in businesses, hospitals, schools, and homes around the world.” Armed with a court order, Microsoft took control of 65 domains associated with the botnet and redirected them to a Microsoft sinkhole. The court order also allowed Microsoft to take control of 319 fallback ZLoader domains. Microsoft has also linked ZLoader to an individual who lives in Crimea; that person is believed to have created a component that ZLoader uses to spread ransomware. The Microsoft DCU investigation was conducted in partnership with ESET, Black Lotus Labs, Palo Alto Networks, Health-ISAC and the Financial Services-ISAC.

Note

  • Ever read a story like this and think “I could do that”? Obtaining a court order, taking over domains and naming names is not something to take on trivially. You need considerable resources and time to include not only research, build the case and implement the actions, but also defend yourself from any blow-back, to include partnerships such as the ones noted above.

Read more in

RaidForums Taken Down

An international coalition of law enforcement agencies has taken down the RaidForums illegal online marketplace. The RaidForums administrator and two accomplices have been arrested. RaidForums sold access to leaked databases that contained payment card and bank account information. Operation TOURNIQUET, as the effort was dubbed, involved Europol and law enforcement agencies from the US, the UK, Sweden, Portugal, and Romania.

Note

  • The forum sold access to more than 10 billion consumer records since it started operation in 2015. The charges levied by the DOJ against the alleged 21-year-old forum administrator, Diogo Santos Coelho, include conspiracy, aggravated identity theft, and access device fraud.

Read more in

Fix Available for Elementor WordPress Vulnerability

A critical vulnerability in the Elementor plug-in for WordPress could be exploited to upload and execute malicious code. The flaw appears to have been introduced in version 3.6.0, which was released in March. Users are urged to update to Elementor version 3.6.3 or higher. Elementor has more than five million installs.

Note

  • The flaw was introduced when a simplified onboarding module was released which omitted proper nonce checking before executing commands. The update for the Elementor plug-in was released April 12, 2022 and required pressure from the WordPress plugins team to elicit action. WAF rules were made available for the paid and free versions on March 29th and April 28th respectively; install the updated plugin regardless.
  • The usual caution that WordPress plug-ins should be used only by design and intent, not by default, and must be actively managed.

Read more in

DHS Thwarts Cyberattack on Undersea Cable

Investigators from the US Department of Homeland Security have reportedly foiled an attempted cyberattack against a company that manages undersea communications cable in Hawaii. The attackers breached the servers belonging to the private company, but their actions were thwarted before they caused any damage. A suspect has been arrested.

Note

  • When someone mentions risks to undersea cables, I think of anchors or other physical impacts. It turns out the better attack vector is a logical path targeting companies or services which are managing the onshore connection points. These rely on remote management and administration tools to offset having staff physically present at these locations. While remote management is a good option, it needs to be done securely and those systems closely monitored for attempted malfeasance. Additionally, physical security also needs to be appropriate to thwart and deter direct interaction. Don’t ignore lifecycle updates to keep the bar high. It’s also a good idea to schedule regular physical verification actions commensurate with the risk of compromise.
  • After prevention, early detection is the efficient tactic. A retrospective reading of the Verizon Data Breach Incident Report suggests that we are not good at it, weeks to months, and not getting better. This exception to the rule suggests that hours to days is possible.

Read more in

FBI’s Cyclops Blink Action Raises Questions

The FBI’s recent takedown of Cyclops Blink command-and-control infrastructure raises questions about the US government’s reach regarding search and seizure. The government obtained a warrant allowing them to gain remote access to privately owned devices without notifying the owners and take steps to dismantle the botnet’s command and control operations. The FBI also used an amendment to Rule 41 of the Federal Rules of Criminal Procedure to access computers outside the jurisdiction of the court granting the warrant.

Note

  • I find physical analogues instructive. We expect fire and police departments to gain entry to our homes and businesses when there’s an emergency, and whether or not we’re present. Infected machines can constitute an emergency, especially when they’re being used to attack other victims. However, police and firefighters will go to greater lengths to notify property owners. It might be ideal, instead, to take over attacker-owned C2 servers and issue kill orders to infected systems, but opportunities like that can’t be common.
  • The FBI did a great service to the reckless owners of unpatched devices. Did they even access the infected devices, or did they just access the C&C server? Of course the Internet usually plays a bit by Florida traffic rules where we do not like things like safety inspections.
  • We need to be wary of law enforcement using powers such as these to tackle malware and botnets. While it may technically make sense to take this approach, we have to take into account people’s privacy rights and ensure there is appropriate transparency and governance in place to manage any such actions.
  • The amendment to Rule 41 of the Federal Rules of Criminal Procedure was the result of three years of debate and public input, adopted by the Supreme Court and approved by Congress in 2016 and was intended to handle a large-scale event. This is the broadest application of that rule not only for investigation but also for disruption of criminal activities. The risk is that multiple warrants were not obtained, just one, which was used in jurisdictions outside the one which issued it. One hopes this case helps strike a balance between taking remote action to remediate known infected systems versus reliance on system owners to take action. As we all get better at communicating with federal agencies such as the FBI, CISA, etc. one hopes that can be leveraged to allow local action versus remote unexpected intervention.

Read more in

Microsoft Windows Autopatch

Microsoft plans to launch Windows Autopatch in July 2022. The managed service will be available to Microsoft users with Windows 10/11 Enterprise E3 or above licenses. Autopatch was created to ensure that Windows and Office software are up-to-date. It divides organizations’ devices into four rings: the test ring, which has a small number of devices; the first ring, which has about 1 percent of endpoints; the fast ring, which has another 9 percent of devices; and the broad ring, which accounts for 90 percent of an organization’s devices. Autopatch will apply updates progressively; the service also has Halt and Rollback features.

Note

  • Sounds like a neat idea and well thought out feature. Now let’s see if this will work or if someone will figure out it is less of a problem to have your infrastructure pw0n3d by ransomware than have a system misbehave every so often due to a bad patch.
  • There is a lot of mythology around how often apps break after Windows patches are pushed out these days. Try this out and see what your halt and rollback percentages are – I’m betting they will be pretty low. The apps that do break should be candidates for sunsetting.
  • It is interesting to see how Microsoft is becoming a one-stop-shop for enterprise-wide security solutions, however I am concerned that many of these features are not as readily available to smaller firms and SMEs. Security should not be the preserve of well-funded organisations, similar to how automobile safety should not be the preserve of those who can afford brakes, seat belts, and air bags.
  • Even if you are not interested in autopatch or have E3+, the four rings explained here are a great strategy for your patch management process. We implemented this years ago and it has many benefits. Consider it.
  • This service targets desktop users rather than servers. Many of us have worked to implement a similar phased update approach. This basically turns that into a commodity activity for Microsoft products, freeing some resources to address servers and other high-value assets. Note you’re still going to need to have a solution for other installed products, Adobe, Chrome, Java, etc.

Read more in

New GitHub Dependency Review Action

GitHub has introduced dependency-review-action, which scans pull requests and raises an error if a newly added dependency contains known vulnerabilities. “The action is supported by an API endpoint that diffs the dependencies between any two revisions.”

Note

  • Nice! This will be free for use in public repositories on GitHub.com, but for private ones you’ll need to license GitHub Advanced Security. Definitely worth it for critical codebases, especially those with high commit frequency.
  • This new feature, which is in public beta, leverages the GitHub Advisory Database to see if these new dependencies introduce vulnerabilities, raising an error if they do. Dependency review is enabled in public repositories and is available in private repositories which use GitHub Enterprise Cloud including a license for GitHub Advanced Security. Given recent issues with malicious included code of late, this is one more step you can take to reduce those risks.
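
As an added illustration (not GitHub’s code) of what the action does with that diff endpoint, here is a small policy function run over the kind of response the endpoint returns, plus a fetch helper for real use. The response shape assumed here (a list of changes with `change_type`, `ecosystem`, `name`, `version` and a `vulnerabilities` list carrying `severity` and `advisory_ghsa_id`) follows GitHub’s REST documentation as I understand it; the sample payload is constructed, and its GHSA identifiers and package names are placeholders, not real advisories or packages.

```python
import json
import urllib.request
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def fetch_dependency_diff(owner: str, repo: str, base: str, head: str, token: str) -> List[Dict]:
    """Call the dependency-graph compare endpoint (assumed path per GitHub's REST docs).
    Not exercised offline; needs a token with read access to the repository."""
    url = f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/compare/{base}...{head}"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed stand-in for the endpoint's JSON; GHSA ids and names are placeholders.
SAMPLE_DIFF: List[Dict] = [
    {"change_type": "added", "ecosystem": "npm", "name": "example-pad",
     "version": "1.0.0", "vulnerabilities": []},
    {"change_type": "added", "ecosystem": "pip", "name": "example-parser",
     "version": "0.9.1",
     "vulnerabilities": [
         {"severity": "high", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxx1",
          "advisory_summary": "placeholder: unsafe deserialization"}]},
    {"change_type": "removed", "ecosystem": "pip", "name": "example-legacy",
     "version": "2.0.0",
     "vulnerabilities": [
         {"severity": "critical", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxx2",
          "advisory_summary": "placeholder: remote code execution"}]},
    {"change_type": "added", "ecosystem": "npm", "name": "example-util",
     "version": "3.2.0",
     "vulnerabilities": [
         {"severity": "low", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxx3",
          "advisory_summary": "placeholder: ReDoS"}]},
]


def review_dependency_diff(diff: List[Dict], fail_on: str = "moderate") -> List[str]:
    """One finding per *added* dependency whose worst advisory is at or above
    `fail_on`. Removed packages never block: the point of the check is to stop
    new risk entering through the pull request, not to re-litigate what left."""
    threshold = SEVERITY_RANK[fail_on]
    findings: List[str] = []
    for change in diff:
        if change.get("change_type") != "added":
            continue
        blocking = [v for v in change.get("vulnerabilities", [])
                    if SEVERITY_RANK.get(str(v.get("severity", "")).lower(), 0) >= threshold]
        if blocking:
            worst = max(blocking, key=lambda v: SEVERITY_RANK[v["severity"].lower()])
            findings.append(f"{change['ecosystem']}:{change['name']}@{change['version']} "
                            f"({worst['severity']}, {worst['advisory_ghsa_id']})")
    return findings


def check_pull_request(diff: List[Dict], fail_on: str = "moderate") -> bool:
    """True when the PR may merge, i.e. no blocking findings; prints each finding."""
    findings = review_dependency_diff(diff, fail_on)
    for finding in findings:
        print("BLOCK:", finding)
    return not findings


if __name__ == "__main__":
    raise SystemExit(0 if check_pull_request(SAMPLE_DIFF) else 1)
```

Running it offline over the constructed diff blocks only the added high-severity package; the removed critical one is ignored, and the low-severity one only blocks if you lower `fail_on` to "low". The same threshold choice is the knob you will want to agree on with the team before wiring the real action into a required status check.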

Read more in

Finnish Government Websites Disrupted by DDoS Attack

The Finnish Foreign Ministry and Defense Ministry websites were knocked offline on Friday, April 8, while Ukrainian President Volodymyr Zelenskyy was addressing Finland’s members of parliament. The distributed denial-of-service (DDoS) attacks hit the websites at noon on Friday; an hour later the sites were operating as usual.

Note

  • DDoS attacks are becoming SOP retaliatory actions, as well as common cover to distract responders from other attacks. Make sure that you’ve got active DDoS protections, particularly if you are in the Public, Energy, or Critical Infrastructure sectors. Shared environments, such as hosting facilities or multi-tenant cloud services could result in collateral damage if one of the other tenants is a target. Verify you’re protected and to what level.

Read more in

Atlassian Outage

Several Atlassian cloud services have been down for nearly a week. The company says it may take another two weeks to restore service to all users. As of 15:34 UTC on April 11, Atlassian has “rebuilt functionality for over 35% of the users who are impacted by the service outage, with no reported data loss.”

Note

  • This is a great example of why companies need to conduct robust risk assessments before moving services into the cloud. Those risk assessments should include what the business’s alternatives are in the event the cloud service provider has an outage or issue that impacts the ability to access data or the service. Just because it is in the cloud does not mean you can forget about your business continuity planning.
  • While this doesn’t seem to bode well for a company discontinuing on-premises licenses (they stopped in February 2021), it shows that their recovery objective is full restoration with no data loss. Unfortunately, that recovery point means the recovery time objective can be indefinite. When using a third-party, outsource or cloud, have an in-depth discussion on recovery, to include what they are designing for, recovery time and recovery point objectives, and what steps, if any, you should take in addition to their processes to guarantee success. When comparing to your legacy in-sourced solutions, be realistic about your own capabilities and their shortfalls. E.g., a pile of tape media in the trunk of the CEO’s car isn’t as reliable or secure as you may think.

Read more in

CISA Adds Eight Security Flaws to Known Exploited Vulnerability Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added eight more vulnerabilities to its Known Exploited Vulnerabilities Catalog. The list of new entries includes the WatchGuard privilege elevation flaw that affects the company’s Firebox and XTM products. All eight of the new vulnerabilities have remediation due dates of May 2, 2022.

Note

  • For regular updates on this activity, subscribe to CISA’s weekly update summary. Many of the items listed have the action of applying the updates according to vendor instructions and/or updating to the current version. Having a current, auto-generated software inventory can help you keep your arms around where vulnerable software is hanging out in your enterprise. Many of your endpoint management and protection tools can already generate that list for you.

Read more in

Healthcare Data Breaches

Recent US healthcare data breaches include a network server hacking incident at California-based SuperCare; a network server hacking/IT incident at Georgia-based CSI Laboratories; an “IT security issue” at East Tennessee Children’s Hospital; a cyberattack at Oklahoma City Indian Clinic; and a ransomware attack on Cancer and Hematology Centers of Western Michigan.

Note

  • Healthcare was already a target, increasingly so with the pandemic, and the Russia-Ukraine war has escalated attacks even further. If you’re in the healthcare industry, make sure that security comes from the top, that it is not just an “IT problem” or worse – “someone else’s problem.” If you don’t have the resources, hire a reputable firm to perform a vulnerability assessment and help you target needed improvements. You’re going to need that support from the top to get improvements implemented, not bypassed, and to continue to have a seat at the table to keep security factored into the equation.

Read more in

State Auditor Did Not Require Connecticut Health Insurance Exchange to Fix Security Issues

Connecticut’s Access Health health insurance exchange experienced 44 data security breaches over a three-and-a-half year period. The audit report lists Access Health’s security shortcomings; the state auditor recommended that it mitigate the problems but did not issue a mandate.

Note

  • While not having required follow-up actions with deficiencies is a dream outcome, it’s not ideal, and possibly does a disservice to the entity being audited. Requiring or mandating fixes not only provides a raised bar to check on future audits, but also can be leveraged to get the funding, resources and attention needed to keep systems properly secured.

Read more in

Spring4Shell is Being Exploited to Spread Mirai

Researchers from Trend Micro say that the Spring4Shell vulnerability is being actively exploited to spread Mirai botnet malware. The US Cybersecurity and Infrastructure Security Agency (CISA) added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog last week.

Note

  • While this has widely been reported as Mirai exploiting Spring4Shell, evidence presented only shows Mirai going after the default backdoor, using the default password, left behind by the PoC exploit. It is highly unlikely that this leads to a significant growth of the Mirai botnet, or is of any consequence at all.
  • There are two vulnerabilities relating to Spring – CVE-2022-22963, which is a resource exposure flaw specific to the Spring Cloud Foundation where the routing functionality is used; not specifically related to Spring4Shell and CVE-2022-22965 which can be used for RCE on any Java application using the Spring Core under non-default configurations. The best mitigation is to update to the Spring Framework versions greater than 5.3.18 or 5.2.20, Spring Boot versions higher than 2.6.6 and 2.5.12. As a workaround, you could update to Apache Tomcat 10.0.20, 9.0.62 or 8.5.78, which close the attack vector, or you could downgrade to Java 8 which may cause issues if you’re using features which don’t exist in Java 8. Note that Java 8 and 9+ have different licensing models you need to consider.

Read more in

FIN7 adds ransomware to its belt

The financially motivated group FIN7 has a new trick up its sleeve: ransomware. The new findings via Mandiant confirm that FIN7 has been getting cozy with ransomware actors, and even used ransomware as part of its attacks.

Read more in

Raspberry Pi ditches default user account

See you later “pi” account, you’re out. The longtime default “pi” account has been phased out for security reasons. That may break some software and scripts. It seems to coincide with a new U.K. law that specifically forbids default credentials in new tech, and companies can face steep fines for falling foul of the new rules.

Read more in

Windows 11 gets a drop of new security features

A ton of new security features were announced for Windows 11 this week. “Among the updates is Microsoft Pluton, a security processor integrated directly into versions of AMD Ryzen and Qualcomm CPUs; a Smart App Control feature for preventing unsigned and untrusted apps from running; and controls enabled by default for protecting against credential theft, for authenticating users, and for blocking vulnerable drivers.” Microsoft explains more in a blog post.

Read more in

Google Meet to get end-to-end encryption

Google’s answer to Zoom, aka Google Meet, will get end-to-end encryption for all video and voice meetings later this year, the company announced. Client-side encryption will land in the interim.

Read more in

FBI disrupts Cyclops Blink botnet linked to Russian GRU

Big news out of the DOJ this week when it announced the FBI had conducted an operation to disrupt the Cyclops Blink botnet, attributed to a threat group called Sandworm, otherwise known as Russian military intelligence. The operation didn’t involve mass-removing malware from infected devices, but instead targeted the command and control servers used to control the botnet by locking Sandworm out of the servers — specifically. The U.K.’s NCSC sounded the alarm on Cyclops Blink in February, but only about 39% of device owners updated and patched their devices, leaving the majority still vulnerable. How well did the operation go? Given that only about half of the C2 servers targeted by authorities were in the U.S., that leaves half… still active. We shall see.

Read more in

Hackers breach MailChimp’s internal tools, Block employee steals customer data

Bad week for insider attacks. First up, Mailchimp (which delivers this newsletter*) was targeted by hackers who accessed internal company admin tools in order to access data on 319 customers. The hackers ultimately downloaded audience data (email addresses) on 102 customers, mostly in the cryptocurrency space. It follows a spate of similar hacks on companies involving their internal admin tools. And, Block, which used to be Square, said in an SEC filing this week that a former employee downloaded reams of customer information — somehow — after they left their employment. Block is contacting some 8.2 million customers. Ouch, and it wasn’t detected for four months. Double ouch. (*I wasn’t notified, like others were, of an account breach so I think you’re safe.)

Read more in

How German police shut down ‘Hydra,’ one of the largest dark web marketplaces

German authorities are credited with the takedown of a massive Russian dark web marketplace called Hydra, one of the largest suppliers of drugs and money laundering services, facilitating some $5 billion in Bitcoin transactions since its inception in 2015. @joetidy has the explainer of how the takedown went down. Police say Hydra had 17 million users in total.

Read more in

Google bans apps with hidden data-harvest software

Great reporting here on another location and data-harvesting SDK packaged with a ton of Muslim prayer apps, QR code readers, and speed trap detector apps. The SDK was run by a Panamanian company called Measurement Systems, which surreptitiously collects device data and phone numbers(!) of millions of users who installed the apps. The company that wrote the code is linked to a Virginia-based cyber intelligence company that does intercept work for U.S. national security agencies. The shady activity was first spotted by AppCensus, which details the technicals in a blog post. Google removed several Android apps for violating its rules — which doesn’t help users who have already downloaded and installed the suspect apps — but some of the apps are already back in the app store after removing the SDK.

Read more in

Police records show women are being stalked with Apple AirTags across the U.S.

@samleecole does incredible work here reporting on the threat that women across the U.S. face from Apple AirTags, the tiny pebble-sized trackers that have become the center of harassment and stalking claims. Police departments across the U.S. are seeing reports flood in. Apple put in some protections, including adding an Android app, after the fact, but AirTags continue to pose a real-world security risk to many.

Read more in

The FBI is spending millions on social media tracking software

The FBI has contracted for 5,000 licenses to use Babel X, a software made by Babel Street that lets users search social media sites within a geographic area and use other parameters, reports the Post. The deal for the OSINT tool is said to be worth $27 million.

Read more in

Hackers flood internet with what they say are Russian companies’ files

A look at Distributed Denial of Secrets, an organization known for publishing leaked files from a variety of sources — police departments, right-wing social media platforms, and far-right groups themselves. Now the organization is inundated with a flood of data from Russian companies, like banks, energy companies, and government agencies, since Russia’s invasion of Ukraine. @kevincollier explains: “The leaks are part of a larger ecosystem of amateurs trying to help Ukraine’s war efforts with their own keyboards.”

Read more in

US Government and Energy Companies are Stepping Up Cybersecurity Collaboration

Shortly before Russia invaded Ukraine, officials from the US departments of Energy and Homeland Security worked closely with executives from Berkshire Hathaway Energy (BHE) to draft a playbook and help the energy sector take steps to protect their systems from potential Russian cyberattacks. Over the past eight years, BHE has implemented stringent cybersecurity measures to protect its systems from attacks.

Note

  • This effort supports three important activities we should all implement. First, having a playbook for what to do to protect systems. Second, setting up communication, including addressing any non-disclosure issues, with regulators, law enforcement (FBI), CISA, and other support services both for awareness and incident response. Third, implementing and verifying the plan. Plans, no matter how comprehensive, are of no value sitting on the shelf. They need to be living documents which are followed.
  • Collaboration is the word of the day. Happy to see this and more of it across sectors and even within your own organizations. Push for collaboration and check out the SANS Purple Team page to get started: https://www.sans.org/purple-team/

Read more in

US Justice Dept. Disrupts Cyclops Blink Botnet

In March, the US Justice Department (DoJ) disrupted the Cyclops Blink botnet, which was being used by the Sandworm threat actors, by taking down its command-and-control network. Sandworm has been linked to Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). Armed with a court order, the FBI accessed infected devices in the US and removed the Cyclops Blink malware. Most of the infected devices were firewall appliances from WatchGuard; others were network devices from Asus.

Note

  • Great work by DoJ/FBI in disrupting this botnet. But remember you will still need to patch your firewalls (WatchGuard and ASUS) to prevent immediate re-infection. WatchGuard published a great step-by-step guide walking you through what to do.
    detection.watchguard.com: Cyclops Blink 4-Step Diagnosis and Remediation Plan
  • After the instructions to remove Cyclops Blink were released, the number of infected devices dropped by just 39%, so the FBI stepped up and cleaned up for us all, including disabling remote management. Don’t rely on law enforcement to step in like that; proactively manage your perimeter devices. If you don’t have the resources, hire a reputable company to make sure they are patched, properly configured, and lifecycle replacements are performed. Even then, verify these actions are done.
  • I have to admit I feel uncomfortable that law enforcement were granted a court order to hack into people’s systems to remediate the botnet. This type of action could serve as a precedent for future intrusions, which may not have the same good intentions.

Read more in

WatchGuard Delayed Disclosure of Flaw Exploited by Cyclops Blink Operators

WatchGuard fixed a critical vulnerability in its firewalls last year, but didn’t disclose the vulnerability until this week, after Russian state-sponsored hackers exploited it to create the Cyclops Blink botnet. When UK and US law enforcement agencies warned that hackers were infecting WatchGuard firewalls with botnet malware, the company released a tool and direction for identifying and “locking down” infected devices. That information did not specifically mention the vulnerability, although it did urge users to make sure they were running the latest version of the appliances’ OS.

Note

  • By delaying the disclosure, WatchGuard may have made it more difficult for customers to accurately define how urgent last year’s upgrade was. But the vulnerability was patched about a year ago. And remember that without disabling remote access to the firewall, it is just a matter of time until the next vulnerability is abused.
  • When releasing a fix-it tool or patch along with information about the vulnerability it resolves, particularly if targeting non-IT professionals who won’t research fixes for applicability, relevance and risk/urgency must be conveyed to ensure the fixes are applied.

Read more in

German Authorities Seize Dark-Web Marketplace Servers and Cryptocurrency

German law enforcement authorities have seized servers and cryptocurrency wallets belonging to the dark-web marketplace Hydra. The seizure was the culmination of a coordinated effort that included US authorities from the FBI, the DEA, IRS Criminal Investigations, and Homeland Security Investigations. The US Department of Justice (DoJ) has also announced criminal charges against an alleged Hydra operator and sysadmin.

Note

  • Coordinated efforts across multiple countries and authorities. We need more of this.
  • A big well done to all involved in this operation. While this takedown won’t lead to an end to cybercrime, what it will do is send a strong message to criminals that they are becoming less and less immune to actions from law enforcement. Hopefully, the seized servers will contain some good intel that will assist law enforcement in identifying and arresting more criminals.
  • While crypto is not regulated from a safety and soundness perspective, bypassing OFAC restrictions comes with significant fines. Be clear on the exchanges and currencies you are using.

Read more in

ICS Medical Advisory for LifePoint Informatics Patient Portal

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS Medical Advisory warning of a remotely exploitable authentication bypass vulnerability in the LifePoint Informatics Patient Portal, a website that contains patient data. The flaw could be exploited to expose sensitive data. LifePoint Informatics released and deployed Patient Portal Version LPI 3.5.15 in February. Because this is a hosted application, users do not need to take any action.

Note

  • While this is a fix to the hosted portal, make sure that you’re utilizing a defense in depth approach for your healthcare ICS components. Minimize network connectivity, don’t allow direct VPN access to their network, and monitor all interaction.
  • Note the security advantage of “applications as a service.” Patching is still necessary, but the cost need not be multiplied by the number of users.

Read more in

FDA Draft Medical Device Cybersecurity Guidance

The US Food and Drug Administration (FDA) has published draft guidance for medical device cybersecurity. The “guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk.” The FDA first released guidance for pre-market medical device cybersecurity in 2014; that guidance was updated in 2018. The FDA is accepting comments on the new draft guidance through July 7, 2022.

Note

  • The intent is to raise the security baked into medical devices. Unfortunately, the draft document utilizes non-binding guidelines and recommendations rather than requirements, making them both unlikely to be implemented and harder to measure. Even with guidance converted to implemented requirements, you still need to create a verified secure ecosystem to host these devices.

Read more in

US Dept. of Health and Human Services Seeks Comment on HIPAA and HITECH Issues

The US Department of Health and Human Services (HHS) has published a request for information (RFI) in the Federal Register seeking “public comment on how covered entities and business associates are voluntarily implementing recognized security practices as identified in Public Law 116-321 (the HITECH Act) and public input on potential information or clarifications OCR (HHS’s Office for Civil Rights) could provide on its implementation of the statute in future guidance or rulemaking.”

Note

  • Comments can be provided by mail (written) or via the Federal Rulemaking Portal (https://www.regulations.gov) by searching for Docket ID OCR-0945-AA04.

Read more in

Apple Updated macOS Selectively

When Apple released fixes last week to address two critical, actively exploited flaws in macOS, it did so only for macOS Monterey; Big Sur and Catalina did not receive patches. Catalina is affected by one of the vulnerabilities; Big Sur is affected by both. The two older versions of macOS account for 35-40 percent of Macs currently in use. The flaws in question reportedly affect iOS and iPadOS as well.

Note

  • Apple needs to release stand-alone security updates for older OS versions, in particular as Apple does alter functionality (like recently removing Python 2), making upgrading impossible for some. In this case, a stand-alone security update for macOS 12.2 will be almost more important than updates for macOS 10/11. macOS 10/11 are affected by only one of the two flaws fixed in the latest update.
  • Apple holds their update/EOL process close. While they have historically supported current plus two versions back, they have a caveat about severity driving the back porting of updates. Vendors consistently apply the best and most comprehensive updates to current versions. For commodity systems, qualify the latest versions and deploy them in a timely fashion. For older versions, make sure that you mitigate risks with added endpoint or network protections and monitoring, as well as looking to a defined lifecycle expectation with appropriate risk acceptance for those devices.

Read more in

Some Palo Alto Networks Products Vulnerable to High-Severity OpenSSL Flaw

Palo Alto Networks says that some of its firewall, VPN, and XDR products are vulnerable to an OpenSSL flaw that was disclosed several weeks ago. The infinite loop vulnerability can be exploited to create denial-of-service conditions and crash devices that are not running patched software. While the OpenSSL team released a patch two weeks ago, Palo Alto Networks plans to release updates that address the flaw the week of April 18.

Read more in

Microsoft Takes Down Domains Used in Cyberattacks Against Ukrainian Targets

Microsoft has taken down seven domains that were being used to conduct cyberattacks against Ukrainian targets. The attacks were being launched by the APT28 hacking group, also known as Strontium, which has been linked to Russia’s GRU military intelligence service. Microsoft “obtained a court order authorizing [them] to take control of seven internet domains Strontium was using to conduct these attacks.” They redirected the domains to a Microsoft-controlled sinkhole. The domains were also being used to launch attacks against US and EU government entities and think tanks.

Note

  • Redirecting domains like this requires not only infrastructure capable of resisting any retaliatory actions, but also a solid legal basis to keep it from backfiring. One hopes the research done to identify and target these domains can be leveraged to discover the replacements quickly.

Read more in

CISA warns of active exploitation of Spring4Shell vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency recently added the Spring4Shell vulnerabilities to its Known Exploited Vulnerabilities Catalog based on “evidence of active exploitation.” Spring4Shell affects Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later. The Kenna Risk Score for CVE-2022-22965 is currently at the maximum of 100. This is an exceptionally rare score, which only 415 out of 184,000 CVEs (or 0.22 percent) have achieved, reflecting the severity and potential effects of this vulnerability. A risk score this high means it is a widely deployed technology with a public exploit available, and Cisco Talos researchers have seen proof of an ongoing active internet breach using the vulnerability.

References

AsyncRAT campaigns feature new version of 3LOSH crypter

Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These campaigns appear to be linked to a new version of the 3LOSH crypter. These malware distribution campaigns have been ongoing for the past several months, with new samples being uploaded to public repositories on a daily basis. The 3LOSH crypter continues to be actively maintained and improved by its author and will likely continue to be used by various threat actors attempting to evade detection in corporate environments.

References

GitHub Advanced Security Secret Scanning Now Offers Push Protection

GitHub has added an option to GitHub Advanced Security that scans for secrets before accepting code pushes. The new feature works with 69 token types.

Note

  • Nice improvement. Also note that Trufflehog released a new version with some significant improvements to find secrets like API keys left in code. Secrets like passwords, and in particular API keys, leaking into source code repositories are an increasing problem. Modern distributed applications rely more and more on these secrets and many developers do not manage them properly.
  • Including authentication secrets in repositories continues to be a problem. This option will augment your processes designed to prevent that from happening. Verify developers don’t disable it.
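Push protection differs from after-the-fact secret scanning in one important way: the check runs against what a push would add, and the push is refused when a known token format appears. The script below is an added illustration of that idea for this digest; it is not GitHub's implementation and covers only three token formats plus a generic high-entropy assignment check (the GitHub feature covers 69 token types). The unified diff and every credential-looking string in it are constructed for the example and are not real secrets; the `secret-scan: allow` marker is an assumed opt-out comment, chosen here to mirror the kind of explicit, reviewable bypass a team would want logged.

```python
"""Pre-receive style secret check, as an added illustration (not GitHub's code).

Walks the '+' lines of a unified diff, looks for well-known token formats, and
falls back to a high-entropy check on generic key/secret/token assignments.
The sample diff and the tokens in it are constructed, not real credentials.
"""
import math
import re

# Documented public prefixes: GitHub personal access tokens (ghp_ + 36 chars),
# AWS access key IDs (AKIA/ASIA + 16 chars), PEM private key headers.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "something_secret = '<long literal>'" assignment; judged by entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']([^\"']{16,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders fall well below this

# Assumed opt-out marker: an explicit, reviewable bypass recorded on the line.
BYPASS_MARKER = "secret-scan: allow"

# Constructed sample diff: every "credential" here is a made-up example value.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 import os
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"
+DB_PASSWORD = "changeme_changeme_changeme"
+API_SECRET = "q7Lw2ZpR9vXe4TbN8kHs1JdF"
 DEBUG = False
"""


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    if not text:
        return 0.0
    length = len(text)
    return -sum((text.count(c) / length) * math.log2(text.count(c) / length)
                for c in set(text))


def added_lines(diff_text):
    """Yield (path, new_file_lineno, content) for each line a diff adds."""
    path, lineno = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("@@"):
            header = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
            lineno = int(header.group(1)) if header else 0
        elif line.startswith("+"):
            yield path, lineno, line[1:]
            lineno += 1
        elif line.startswith("-"):
            continue  # removed lines do not advance the new-file counter
        else:
            lineno += 1  # context line


def scan_diff(diff_text):
    """Return findings as dicts; the matched value is never echoed back."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        if BYPASS_MARKER in text:
            continue
        hits = [name for name, pat in TOKEN_PATTERNS.items() if pat.search(text)]
        if not hits:
            generic = GENERIC_ASSIGNMENT.search(text)
            if generic and shannon_entropy(generic.group(2)) >= ENTROPY_THRESHOLD:
                hits = ["high_entropy_assignment"]
        findings.extend({"file": path, "line": lineno, "type": h} for h in hits)
    return findings


def push_allowed(diff_text):
    """The pre-receive decision: refuse the push if anything was found."""
    return not scan_diff(diff_text)


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']}: possible {f['type']}")
    print("push", "accepted" if push_allowed(SAMPLE_DIFF) else "rejected")
```

Two design points worth copying: the scanner reports file, line and token type but never echoes the matched value into logs, and the low-entropy placeholder on line 4 is correctly ignored, which keeps false positives (and the temptation for developers to disable the check) down.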

Read more in

PCI Data Security Standard Updated

The Payment Card Industry Security Standards Council (PCI SSC) has updated the PCI Data Security Standard (DSS) to version 4.0. Changes include “expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment, and increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.” The current version of PCI DSS, v3.2.1, will be retired on March 31, 2024.

Note

  • This revision has about 60 new requirements, 40 of which don’t kick in until 2025. Those 40 longer term requirements represent most of the security gains – requiring software inventories of internal and external software in use, user and application privilege management, increased use of MFA, more focus on encryption, etc. If you have PCI exposure, use those requirements to justify starting improvements now. There are also additional requirements specifically for service providers. PCI DSS 1.0 came out in 2004; the requirement updates have tried to keep up with changes in threats but the requirements and rigor around the assessment process that governs how the 389 PCI Council certified security assessors operate has been much slower to be upgraded.
  • Regarding penetration testing, section 11.4 of v4.0 still requires internal and external network testing at least annually but gets more prescriptive in how it is to be done.
  • More MFA is always better. But at this point, your question shouldn’t be if you need MFA. The question should shift to what kind of MFA is sufficient for a particular application.
  • Don’t wait until 2024 to implement the updated standard. Begin assessing the changes and getting your implementation together now. Note the scope of encryption requirements including removable media as well as requirements for protecting the PAN during RDP sessions. Also note that some best practices have expiration dates.
  • PCI DSS was introduced as a stop-gap measure until the introduction and implementation of EMV (and to transfer as much of the fraud risk as possible to the merchants, their customers). However, it has taken on a life of its own, in part because the issuers continue to publish the Primary Account Number (PAN) in the clear. The PAN is then used in “card not present” fraud. Merchants accept the risk of accepting PANs, in preference to more secure proxies like PayPal, Apple Pay, Google Pay, and others, in part because the transaction cost is a little lower. However, the risk plus the cost of PCI DSS really makes accepting PANs much more expensive than the proxies.

Read more in

Proposed US Legislation Addresses Medical Device Security

US legislators have introduced a Senate bill that focuses on medical device security. The PATCH Act “will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the Food and Drug Administration to ensure that users are properly equipped to deal with foreign or domestic ransomware attacks.” Provisions include implementing cybersecurity requirements for manufacturers and establishing a software bill of materials for medical devices. A companion bill has been introduced in the House of Representatives.

Note

  • For close to 20 years, much of the medical device industry has avoided taking the responsibility for building secure/safe and supportable/patchable networked devices. The FDA has issued many directives about this over the years – this bill will give the agency the needed power to enforce.
  • While this legislation attempts to raise the bar of new devices being produced, healthcare providers need to make sure their current environment architecture implements security. That includes segmentation, MFA, and monitoring. The new legislation also provides for ongoing security updates. One hopes manufacturers take advantage of this so one can plan for update and lifecycle events in the operations schedule.
  • I welcome legislation that attempts to shift security left, especially for devices that are traditionally released with trivial vulnerabilities and rarely get patched.

Read more in

US Senator Seeking Answers About Phony Emergency Data Requests

Last week, Brian Krebs reported that hackers are using phony Emergency Data Requests to obtain information from ISPs, mobile phone companies, and social media companies. The hackers have been using compromised police department and government agency email accounts. US Senator Ron Wyden (D-Oregon) is “requesting information from tech companies and multiple federal agencies to learn more about how emergency data requests are being abused by hackers.”

Note

  • Train users to always verify the credentials and legitimacy of data requests, emergency or otherwise. Use out of band mechanisms, not verification mechanisms provided by the requester. Don’t forget to include yourself and your security team in that training.
  • This is a perfect example of the need for Red Team. A new process has been implemented and no one looked at it holistically (people, process, and tech) from the adversary’s point of view.
  • EDRs are often, not to say routinely, used in lieu of warrants in investigations; warrants are then sought after the fact if the product of the investigation is to be used as evidence in a prosecution.

Read more in

GitLab Updates Fix Static Password Flaw

GitLab has released updates for GitLab Community Edition (CE) and Enterprise Edition (EE) software to address 17 vulnerabilities. The updates include a fix for a critical flaw that arose from “a hardcoded password [being] set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.”

Note

  • GitLab releases updates on the 22nd of the month. Get their application into your monthly patch cadence. Yes, there were hard coded credentials in their code; time to see how your code fares in that respect. There are also XSS issues relating to improperly handling user input. Again, time to make sure you’re not in the same boat, preferably after you apply the update.

Read more in

US State Department’s Bureau of Cyberspace and Digital Policy

The US Department of State has launched its Bureau of Cyberspace and Digital Policy. According to a media note from the agency spokesperson, the “bureau will address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.” It will comprise three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom.

Note

  • While this sounds like added bureaucratic overhead, I believe this new bureau will allow State to focus on cyber requirements appropriate to their mission in support of the NIST RMF as well as moving towards the requirements in EO 14028 such as MFA, zero trust and cloud adoption.

Zyxel Urges Users to Patch Critical Flaw

Zyxel has released patches to address an authentication bypass vulnerability in the CGI program embedded in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG software. The flaw could be exploited to take control of vulnerable products.

Note

  • Weekly reminder: Do not expose these types of admin interfaces to the internet. This will not be the last vulnerability in a router/firewall/VPN admin interface. Not exposing these interfaces will significantly reduce the chance of the flaw being exploited.
  • In essence, an ACL was not implemented in the CGI, allowing it to be executed without authentication. Change “advised to patch” (in the bulletin) to “patch now.” Also make sure the administration interface is not accessible from the WAN.

Fixes Available for Flaws in Rockwell Products

A pair of vulnerabilities in Rockwell programmable logic controllers (PLCs) and engineering workstation software could be exploited to inject code and modify automation processes. The flaws allow attackers to run code on vulnerable PLCs without appearing to be causing anomalous activity.

Note

  • Read the bulletin carefully. This is not just a patch and go fix. Note the raw CVSS 3 score is 10.0 so you need to make sure you have your ducks in order PDQ. You may need to recompile and reload user program code. Also, make sure your PLCs are properly segmented so only authorized systems and users can interact with them. Monitor all interaction for unwelcome advances.

VMware Releases Updates to Fix Spring4Shell Vulnerability

VMware has published updates to address the Spring4Shell remote code execution vulnerability in several VMware products. Patches are not available for all affected products; VMware has suggested workarounds. The Spring4Shell vulnerability, which resides in the Spring Core Java framework, is being actively exploited.

Note

  • CVE-2022-22965 has a CVSS score of 9.8 and you’re going to need to read the workaround where patches are pending. (There are no workarounds for the patched products, just patch them.) There are multiple manual steps to the workaround so have a fully backed up environment to get them right. Doubly so if you don’t have a non-production environment. Note that the workaround will stay in place even if you perform a VM resurrection or upgrade your TKGI file.

Two People Facing Charges in Connection with Lapsus$ Hacking Group Activity

Two teenagers arrested in London, UK, in connection with the Lapsus$ cyber extortion group have appeared in court to face charges. They have been released on bail and are required to appear in court at the end of the month. Both teens have been charged with “unauthorized access to a computer with intent to impair the reliability of data; fraud by false representation; and unauthorized access to a computer with intent to hinder access to data.” One of the individuals is facing an additional charge of “causing a computer to perform a function to secure unauthorized access to a program.”

Note

  • When the arrests occurred, the Lapsus$ gang reported some of its members were taking a vacation and work continued with a posting last Wednesday of information pilfered from an Argentinian software development group. Don’t assume a group of malicious actors are out of commission until you have authoritative information that their entire operation is shuttered. Even so, expect those not arrested to reappear in a new form soon.

Nordex Group Shuts Down IT Systems in Wake of Cybersecurity Incident

Nordex Group, a German wind turbine manufacturer, has “shut down IT systems across multiple locations and business units” as a precautionary measure following a cybersecurity incident. Nordex Group detected the problem on March 31.

Note

  • Similar to the Viasat attack, this is intended to get a jump on the IT used to control wind turbine systems in Ukraine, and possibly other places, obtaining inside intel into operation beyond what can be obtained via OSINT. If you have these systems, you need to focus on the security of any access mechanism. If remotely connected, make sure those connections are both secure and genuine, that media and data flowing to and from them is properly sanitized, and that you are monitoring any connections or activity.

How one Ukrainian IT specialist exposed a notorious Russian ransomware gang

Incredible reporting on a Ukrainian cybersecurity expert who fights “with a keyboard and mouse” by exposing files, tools, and internal chat logs belonging to Conti, the notorious Russian-linked ransomware gang. The Conti leaker “quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials,” per the report. The doxes were so effective that the FBI asked him to stop, fearing it would make it more difficult to track them. Also this week, reporting from the Wall Street Journal exposes the inner workings of the Trickbot cybercrime enterprise, a pro-Russia hacking group, thanks to a Ukrainian researcher who infiltrated the group’s servers.

Apple and Meta Gave user data to hackers who used forged legal requests

Well, they finally did it: hackers associated with a group, some of which now operate as part of Lapsus$, tricked Apple and Meta into turning over user data by supplying fake subpoenas sent from hacked email domains belonging to law enforcement. The hackers specifically exploited the “emergency data request” system, which allows the quicker turnover of data under emergency situations — often to prevent loss of life. Discord also fulfilled a forged legal request. The use of forged legal requests was first reported by Krebs on Security.

Zero-day flaw found in Java Spring Framework

Dark Reading: A bad bug found in a popular Java web application development framework puts a ton of web apps at risk of remote attack. The bug, named Spring4Shell, affects Spring, whose maintainers confirmed the bug. Patches are out, just after a zero-day exploit was posted to Twitter — then deleted.

How Intrusion Truth is unmasking China’s state hackers

Kim Zetter is back with a long-read on Intrusion Truth, the anonymous person or group behind a series of doxes of high-level Chinese cyber spies — some of which have proven to be pretty accurate, with U.S. Justice Department indictments dropping soon after. A compelling read, featuring conversations with Intrusion Truth itself (or themselves).

People are getting scam texts from… themselves

We’ve all had weird spam in our time, but more people seem to be getting spam from… themselves. It appears to be part of a widespread scam aimed at getting people to click on a phishing link that arrives from the target’s own number. Many Verizon customers appear to be affected, and Verizon seems to be having trouble doing anything about it.

Mystery GPS tracker found on an EFF supporter’s car

Electronic Frontier Foundation: Why did an EFF supporter’s car have a GPS tracker on it? Did they have a stalker? No, it turns out GPS trackers were installed in their vehicles by car dealerships but weren’t activated until the buyer paid for services. @cooperq ripped the device to bits and figured out how it works — and left open a ton of questions about the sort of data that’s being stored on the device regardless of whether it’s activated or not. Very creepy.

Safari vulnerability allowed for Gatekeeper bypass

An interesting newly discovered bug in macOS, dating back as far as Safari 14 on Big Sur, allowed an attacker to bypass the built-in Gatekeeper protections in macOS, which prevent the operating system from automatically opening apps and files downloaded from the internet. The researchers found the bug in what appeared to be an intended feature used by a popular game hosting site, which turned out to allow unauthorized code to run without a pop-up prompt.

Google Project Zero explains how NSO’s ForcedEntry exploit escapes the iOS sandbox

Google Project Zero: Google, with help from Apple and Citizen Lab, analyzed a sample of NSO Group’s “ForcedEntry” exploit, which can remotely compromise an iOS device for the purpose of installing the Pegasus spyware. This blog post explains the sandbox escape part of the bug.

Ronin Network: What a $615m hack says about the state of crypto

A hack of the Ronin Network, a key platform powering the game Axie Infinity, saw $615 million in cryptocurrency stolen, in one of the biggest, if not the biggest, cryptocurrency hacks to date. Hackers used private keys to exploit a bug in the Ronin bridge. (A bridge lets people convert tokens to ones that can be used on another network.) A lot of people lost a lot of money, once again because of weaknesses in poorly coded and unaudited software, explains Bloomberg.

Major Ukraine ISP hit by DDoS

BBC News reports major disruptions at one of Ukraine’s largest telecoms, Ukrtelecom, following a DDoS powerful enough to affect its core infrastructure. Forbes ($) spoke with Victor Zhora, Ukraine’s deputy head of state infosec protection, who described the incident at Ukrtelecom as the “most severe” cyberattack since the start of the Russian invasion in February. That’s presumably including the mass modem bricking attack at Viasat…

Viasat attack caused by Russian wiper malware

Speaking of Viasat… SentinelOne security researchers found evidence that the Viasat satellite network — which went down over Europe and Ukraine just as Russia was crossing the border — was downed by destructive malware dubbed AcidRain, which they think is ultimately linked to the GRU. Viasat told TechCrunch that the findings were “consistent with the facts in our report,” which it had published a day earlier, which you can read here and Cyberscoop parsed here.

Browser-in-a-browser phishing linked to Ghostwriter

Google TAG dropped new IOCs on threat activity and actors it’s tracking with regard to the war in Ukraine. Among them is the Belarus-linked threat actor Ghostwriter, otherwise known as UNC1151, which was found using the browser-in-a-browser phishing technique. The technique relies on imitating an OAuth login popup using HTML and CSS.

It’s Section 702 renewal time (again)

Every few years key U.S. surveillance powers come up for renewal — and this time it’s the notorious Section 702 (of the Foreign Intelligence Surveillance Act), the core powers that U.S. intelligence relies on for warrantless snooping on communications. The powers are set to sunset in December 2023 unless lawmakers act, reports The Record. That’s a year and a half away — plenty of time for a spirited debate that will only be ignored in favor of inevitable sweeping reauthorization like every other time this has happened. Maybe this time we can hope for real reform, not least to protect Americans’ rights from their own government?

Wyze bug ignored for two years

A relatively simple-to-exploit bug in those cheap Wyze cameras allows remote access to the contents of the camera’s SD card via a web server that doesn’t require authentication. Per Bleeping Computer, which outlines the two-year-long process by Bitdefender to get Wyze to fix the bug, security updates were pushed only to newer devices, leaving 2017 models still vulnerable. Wyze said it takes “all security concerns seriously,” which as you know is corporate code for “dgaf”.

AppSec

Introducing Dagger: a new way to create CI/CD pipelines

A portable devkit for CI/CD pipelines that allows you to unify dev and CI environments, test and debug pipelines locally, and avoid CI lock-in. Instead of gluing pipelines together with throwaway scripts, Dagger supports composing reusable actions, which can be shared and reused thanks to a complete package management system.

Trufflehog V3

Epic new release by the Truffle Security team. See Dylan Ayrey’s video overview for more details, but in short:

  • It’s a complete rewrite in Golang with other speed improvements
  • Now contains over 600 credential detectors that support active verification against their respective APIs.
    • Verifying if the keys still work => no false positives or alert fatigue.
  • Native support for scanning GitHub, GitLab, filesystems, and S3.

OAuth

Introducing AppTotal: Democratizing third-party apps security

Itay Kruk announces AppTotal, a new service like VirusTotal but for OAuth apps. It dynamically scans SaaS add-ons for vulnerabilities and suspicious or malicious behavior, enabling you to profile third-party apps’ permissions and access, posture, and behavior before connecting them to IT-approved applications.

Authorization

Authorization in Microservices

A new chapter in Oso’s Authorization Academy covering how to share data between services and various trade-offs: decentralizing or centralizing your authorization model, centralizing data, distributing data with existing infrastructure, Authorization-as-a-Service.

Authorization in a microservices world

RapidDot’s Alexander Lolis describes authorization approaches and their trade-offs, and moving from a simple flag to Role Based Access Control (RBAC) to Attribute Based Access Control (ABAC), as well as architectures with an authz service, an authz and data service, and an authz middleware and library per service.

Supply Chain

How Go Mitigates Supply Chain Attacks

Go team security lead Filippo Valsorda describes some language choices that provide nice security properties.

  • All builds are “locked”
  • Version contents never change
  • VCS is the source of truth
  • Building code doesn’t execute it
  • A little copying is better than a little dependency

Securing Developer Tools: Package Managers

SonarSource’s Paul Gerste describes vulnerabilities they found in several package managers, including Composer, Bundler, Bower, Yarn, and others. Some bugs are due to interesting nuances in how Windows and other OSes handle PATH or variable quoting, git argument injection, and more.

Cloud Security

Codify your best practices using service control policies

Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected.

The Expansion of Malware to the Cloud

Orca Security’s Bar Kaduri describes the main malware types you may encounter in your cloud with examples and ways to detect and protect yourself from them.

Infrastructure as Code

aquasecurity/tfsec-pr-commenter-action

GitHub Action by Aqua Security that comments on Pull Requests where tfsec checks have failed.

Standardizing Terraform Linting

Square’s Adam Cotenoff describes their rollout strategy, approaches to enforcement, and other lessons learned along the way in minimizing developer friction and maximizing fix rate.

Using SemGrep to find security issues and misconfigurations in AWS Cloud Development Kit projects

Aquia’s Dakota Riley walks through how to write Semgrep rules to find issues directly in AWS CDK code, using some open source rules he’s contributed as examples. Most IaC tools scan the generated CloudFormation output, which can make it harder to trace issues back to the originating CDK code, making it less likely devs will fix the issue.

Dakota shows how Semgrep can enforce usage of company-specific custom constructs, enabling cloud security teams to define secure by default primitives that developers can use. *me: waves secure guardrails flag vehemently*
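Added illustration in the spirit of the post (these are not Dakota Riley’s rules or Aquia’s rule set): two Semgrep rules that flag risky S3 bucket properties directly in CDK TypeScript, and a third that enforces a hypothetical company construct `SecureBucket` kept under `lib/constructs/`. The `s3` module alias, the construct name and the path are assumptions.

```yaml
# Added example rules (not from the article). Assumes CDK TypeScript code that
# imports aws-cdk-lib/aws-s3 as `s3` (or imports `Bucket` directly), and a
# hypothetical company construct `SecureBucket` living under lib/constructs/.
rules:
  - id: cdk-s3-bucket-public-read-access
    languages: [typescript]
    severity: ERROR
    message: >-
      s3.Bucket is created with publicReadAccess: true, which makes every
      object in the bucket world-readable. Remove the flag, or serve the
      content through CloudFront with an origin access identity instead.
    metadata:
      category: security
      technology: [aws-cdk]
    pattern-either:
      # The flag set on the construct props via the module alias ...
      - pattern: new $S3.Bucket($SCOPE, $ID, { ..., publicReadAccess: true, ... })
      # ... or via a directly imported `Bucket`.
      - pattern: new Bucket($SCOPE, $ID, { ..., publicReadAccess: true, ... })

  - id: cdk-s3-bucket-missing-encryption
    languages: [typescript]
    severity: WARNING
    message: >-
      s3.Bucket has no `encryption` property, so encryption at rest is left to
      the service default rather than the KMS key your policy requires. Set
      encryption: s3.BucketEncryption.KMS (or KMS_MANAGED).
    metadata:
      category: security
      technology: [aws-cdk]
    patterns:
      # Match both the two-argument form and any props object ...
      - pattern-either:
          - pattern: new $S3.Bucket($SCOPE, $ID, {...})
          - pattern: new $S3.Bucket($SCOPE, $ID)
      # ... but not props that already set `encryption` explicitly.
      - pattern-not: new $S3.Bucket($SCOPE, $ID, { ..., encryption: $ENC, ... })

  - id: cdk-use-company-secure-bucket
    languages: [typescript]
    severity: WARNING
    message: >-
      Use the company SecureBucket construct (lib/constructs) instead of
      s3.Bucket directly. It sets encryption, versioning, access logging and
      block-public-access for you, so individual stacks cannot forget them.
    metadata:
      category: security
      technology: [aws-cdk]
    # The construct library itself is the one place allowed to wrap the raw
    # Bucket; everywhere else a raw construct is a finding.
    paths:
      exclude:
        - lib/constructs/**
    pattern-either:
      - pattern: new $S3.Bucket(...)
      - pattern: new Bucket(...)
```

Run with `semgrep --config cdk-rules.yaml .` from the CDK project root; the third rule is the guardrail pattern described above, since it turns “use the secure construct” from a review comment into a CI check.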

Container Security

stackrox/stackrox

The StackRox Kubernetes Security Platform is now open source. StackRox performs a risk analysis of the container environment (build, deploy, runtime), delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.

Blue Team

Introducing CVE Markdown Charts

@clearbluejar describes cve-markdown-charts, a simple tool to generate MermaidJS Markdown charts from CVE IDs and CVE keyword searches.

MG thread on Red Team MFA bypass techniques

Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. It’s being seen in the wild more these days.

Politics / Privacy

The Ultimate Personal Security Checklist

A curated checklist of 300+ tips for protecting digital security and privacy in 2021, by Alicia Sykes.

Stalkers, Sock Puppets, and Security

A chapter from an unpublished book by Cassie Cage covering InfoSec best practices and techniques that can help protect against online threat actors and stalkers.

FYI Cassie is also looking for jobs in the GRC space, 100% remote or with an office in Austin, TX.

Windows 11 gets a drop of new security features

A ton of new security features were announced for Windows 11 this week. “Among the updates is Microsoft Pluton, a security processor integrated directly into versions of AMD Ryzen and Qualcomm CPUs; a Smart App Control feature for preventing unsigned and untrusted apps from running; and controls enabled by default for protecting against credential theft, for authenticating users, and for blocking vulnerable drivers.” Microsoft explains more in a blog post.

Google Meet to get end-to-end encryption

Google’s answer to Zoom, aka Google Meet, will get end-to-end encryption for all video and voice meetings later this year, the company announced. Client-side encryption will land in the interim.

FBI disrupts Cyclops Blink botnet linked to Russian GRU

Big news out of the DOJ this week when it announced the FBI had conducted an operation to disrupt the Cyclops Blink botnet, attributed to a threat group called Sandworm, otherwise known as Russian military intelligence. The operation didn’t involve mass-removing malware from infected devices, but instead targeted the command-and-control servers used to control the botnet, locking Sandworm out of them. The U.K.’s NCSC sounded the alarm on Cyclops Blink in February, but only about 39% of device owners updated and patched their devices, leaving the majority still vulnerable. How well did the operation go? Given that only about half of the C2 servers targeted by authorities were in the U.S., that leaves half… still active. We shall see.

Hackers breach MailChimp’s internal tools, Block employee steals customer data

Bleeping Computer, TechCrunch: Bad week for insider attacks. First up, Mailchimp (which delivers this newsletter*) was targeted by hackers who accessed internal company admin tools in order to access data on 319 customers. The hackers ultimately downloaded audience data (email addresses) on 102 customers, mostly in the cryptocurrency space. It follows a spate of similar hacks on companies involving their internal admin tools. And, Block, which used to be Square, said in an SEC filing this week that a former employee downloaded reams of customer information — somehow — after they left their employment. Block is contacting some 8.2 million customers. Ouch, and it wasn’t detected for four months. Double ouch. (*I wasn’t notified, like others were, of an account breach so I think you’re safe.)

How German police shut down ‘Hydra,’ one of the largest dark web marketplaces

German authorities are credited with the takedown of a massive Russian dark web marketplace called Hydra, one of the largest suppliers of drugs and money laundering services, facilitating some $5 billion in Bitcoin transactions since its inception in 2015. @joetidy has the explainer of how the takedown went down. Police say Hydra had 17 million users in total.

Google bans apps with hidden data-harvest software

Great reporting here on another location and data-harvesting SDK packaged with a ton of Muslim prayer apps, QR code readers, and speed trap detector apps. The SDK was run by a Panamanian company called Measurement Systems, which surreptitiously collects device data and phone numbers(!) of millions of users who installed the apps. The company that wrote the code is linked to a Virginia-based cyber intelligence company that does intercept work for U.S. national security agencies. The shady activity was first spotted by AppCensus, which details the technicals in a blog post. Google removed several Android apps for violating its rules — which doesn’t help users who have already downloaded and installed the suspect apps — but some of the apps are already back in the app store after removing the SDK.

Police records show women are being stalked with Apple AirTags across the U.S.

Motherboard: @samleecole does incredible work here reporting on the threat that women across the U.S. face from Apple AirTags, the tiny pebble-sized trackers that have become the center of harassment and stalking claims. Police departments across the U.S. are seeing reports flood in. Apple put in some protections, including adding an Android app, after the fact, but AirTags continue to pose a real-world security risk to many.

The FBI is spending millions on social media tracking software

The FBI has contracted for 5,000 licenses to use Babel X, a software made by Babel Street that lets users search social media sites within a geographic area and use other parameters, reports the Post. The deal for the OSINT tool is said to be worth $27 million.

Hackers flood internet with what they say are Russian companies’ files

A look at Distributed Denial of Secrets, an organization known for publishing leaked files from a variety of sources — police departments, right-wing social media platforms, and far-right groups themselves. Now the organization is inundated with a flood of data from Russian companies, like banks, energy companies, and government agencies, since Russia’s invasion of Ukraine. @kevincollier explains: “The leaks are part of a larger ecosystem of amateurs trying to help Ukraine’s war efforts with their own keyboards.”

US Government and Energy Companies are Stepping Up Cybersecurity Collaboration

Shortly before Russia invaded Ukraine, officials from the US departments of Energy and Homeland Security worked closely with executives from Berkshire Hathaway Energy (BHE) to draft a playbook and help the energy sector take steps to protect their systems from potential Russian cyberattacks. Over the past eight years, BHE has implemented stringent cybersecurity measures to protect its systems from attacks.

Note

  • This effort supports three important activities we should all implement. First, having a playbook for what to do to protect systems. Second, setting up communication, including addressing any non-disclosure issues, with regulators, law enforcement (FBI), CISA, and other support services both for awareness and incident response. Third, implementing and verifying the plan. Plans, no matter how comprehensive, are of no value sitting on the shelf. They need to be living documents which are followed.
  • Collaboration is the word of the day. Happy to see this and more of it across sectors and even within your own organizations. Push for collaboration and check out the SANS Purple Team page to get started: https://www.sans.org/purple-team/

US Justice Dept. Disrupts Cyclops Blink Botnet

In March, the US Justice Department (DoJ) disrupted the Cyclops Blink botnet, which was being used by the Sandworm threat actors, by taking down its command-and-control network. Sandworm has been linked to Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). Armed with a court order, the FBI accessed devices in the US that were infected with the Cyclops Blink malware and removed it. Most of the infected devices were firewall appliances from WatchGuard; others were network devices from Asus.

Note

  • Great work by DoJ/FBI in disrupting this botnet. But remember you will still need to patch your firewalls (Watchguard and ASUS) to prevent immediate re-infection. WatchGuard published a great step-by-step guide walking you through what to do.
    detection.watchguard.com: Cyclops Blink 4-Step Diagnosis and Remediation Plan
  • After the instructions to remove Cyclops Blink were released, the number of infected devices dropped by just 39%, so the FBI stepped up and cleaned up for us all, including disabling remote management. Don’t rely on law enforcement to step in like that; proactively manage your perimeter devices. If you don’t have the resources, hire a reputable company to make sure they are patched, properly configured, and lifecycle replacements are performed. Even then, verify these actions are done.
  • I have to admit I feel uncomfortable that law enforcement were granted a court order to hack into people’s systems to remediate the botnet. This type of action could serve as a precedent for future intrusions, which may not have the same good intentions.

WatchGuard Delayed Disclosure of Flaw Exploited by Cyclops Blink Operators

WatchGuard fixed a critical vulnerability in its firewalls last year, but didn’t disclose the vulnerability until this week, after Russian state-sponsored hackers exploited it to create the Cyclops Blink botnet. When UK and US law enforcement agencies warned that hackers were infecting WatchGuard firewalls with botnet malware, the company released a tool and direction for identifying and “locking down” infected devices. That information did not specifically mention the vulnerability, although it did urge users to make sure they were running the latest version of the appliances’ OS.

Note

  • By delaying the disclosure, Watchguard may have made it more difficult for customers to accurately define how urgent last year’s upgrade was. But the vulnerability was patched about a year ago. And remember that without disabling remote access to the firewall, it is just a matter of time for the next vulnerability to be abused.
  • When releasing a fix-it tool or patch along with information about the associated vulnerability, particularly if targeting non-IT professionals who won’t research fixes for applicability, the relevance and risk/urgency must be conveyed to ensure the fixes are applied.

German Authorities Seize Dark-Web Marketplace Servers and Cryptocurrency

German law enforcement authorities have seized servers and cryptocurrency wallets belonging to the dark-web marketplace Hydra. The seizure was the culmination of a coordinated effort that included US authorities from the FBI, the DEA, IRS Criminal Investigations, and Homeland Security Investigations. The US Department of Justice (DoJ) has also announced criminal charges against an alleged Hydra operator and sysadmin.

Note

  • Coordinated efforts across multiple countries and authorities. We need more of this.
  • A big well done to all involved in this operation. While this takedown won’t lead to an end to cybercrime, what it will do is send a strong message to criminals that they are becoming less and less immune to actions from law enforcement. Hopefully, the seized servers will contain some good intel that will assist law enforcement in identifying and arresting more criminals.
  • While crypto is not regulated from a safety and soundness perspective, bypassing OFAC restrictions comes with significant fines. Be clear on the exchanges and currencies you are using.

ICS Medical Advisory for LifePoint Informatics Patient Portal

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS Medical Advisory warning of a remotely exploitable authentication bypass vulnerability in the LifePoint Informatics Patient Portal, a website that contains patient data. The flaw could be exploited to expose sensitive data. LifePoint Informatics released and deployed Patient Portal Version LPI 3.5.15 in February. Because this is a hosted application, users do not need to take any action.

Note

  • While this is a fix to the hosted portal, make sure that you’re utilizing a defense in depth approach for your healthcare ICS components. Minimize network connectivity, don’t allow direct VPN access to their network, and monitor all interaction.
  • Note the security advantage of “applications as a service.” Patching is still necessary, but the cost need not be multiplied by the number of users.

FDA Draft Medical Device Cybersecurity Guidance

The US Food and Drug Administration (FDA) has published draft guidance for medical device cybersecurity. The “guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk.” The FDA first released guidance for pre-market medical device cybersecurity in 2014; that guidance was updated in 2018. The FDA is accepting comments on the new draft guidance through July 7, 2022.

Note

  • The intent is to raise the security baked into medical devices. Unfortunately, the draft document utilizes non-binding guidelines and recommendations rather than requirements, making them both unlikely to be implemented and harder to measure. Even with guidance converted to implemented requirements, you still need to create a verified secure ecosystem to host these devices.

US Dept. of Health and Human Services Seeks Comment on HIPAA and HITECH Issues

The US Department of Health and Human Services (HHS) has published a request for information (RFI) in the Federal Register seeking “public comment on how covered entities and business associates are voluntarily implementing recognized security practices as identified in Public Law 116-321 (the HITECH Act) and public input on potential information or clarifications OCR (HHS’s Office for Civil Rights) could provide on its implementation of the statute in future guidance or rulemaking.”

Note

  • Comments can be provided by mail (written) or via the Federal Rulemaking Portal (https://www.regulations.gov) by searching for Docket ID OCR-0945-AA04.

Apple Updated macOS Selectively

When Apple released fixes last week to address two critical, actively exploited flaws in macOS, it did so only for macOS Monterey; Big Sur and Catalina did not receive patches. Catalina is affected by one of the vulnerabilities; Big Sur is affected by both. The two older versions of macOS account for 35-40 percent of Macs currently in use. The flaws in question reportedly affect iOS and iPadOS as well.

Note

  • Apple needs to release stand-alone security updates for older OS versions, in particular as Apple does alter functionality (like recently removing Python 2), making upgrades impossible for some. In this case, a stand-alone security update for macOS 12.2 will be almost more important than updates for macOS 10/11. macOS 10/11 are affected by only one of the two flaws fixed in the latest update.
  • Apple holds their update/EOL process close. While they have historically supported current plus two versions back, they have a caveat about severity driving the back porting of updates. Vendors consistently apply the best and most comprehensive updates to current versions. For commodity systems, qualify the latest versions and deploy them in a timely fashion. For older versions, make sure that you mitigate risks with added endpoint or network protections and monitoring, as well as looking to a defined lifecycle expectation with appropriate risk acceptance for those devices.

Read more in

Some Palo Alto Networks Products Vulnerable to High-Severity OpenSSL Flaw

Palo Alto Networks says that some of its firewall, VPN, and XDR products are vulnerable to an OpenSSL flaw that was disclosed several weeks ago. The infinite-loop vulnerability can be exploited to create denial-of-service conditions and crash devices that are not running patched software. While the OpenSSL team released a patch two weeks ago, Palo Alto Networks plans to release updates that address the flaw the week of April 18.

Read more in

Microsoft Takes Down Domains Used in Cyberattacks Against Ukrainian Targets

Microsoft has taken down seven domains that were being used to conduct cyberattacks against Ukrainian targets. The attacks were being launched by the APT28 hacking group, also known as Strontium, which has been linked to Russia’s GRU military intelligence service. Microsoft “obtained a court order authorizing [them] to take control of seven internet domains Strontium was using to conduct these attacks.” They redirected the domains to a Microsoft-controlled sinkhole. The domains were also being used to launch attacks against US and EU government entities and think tanks.

Note

  • Redirecting domains like this requires not only infrastructure capable of resisting any retaliatory actions, but also a solid legal basis to keep it from backfiring. One hopes the research done to identify and target these domains can be leveraged to discover the replacements quickly.

Read more in

CISA warns of active exploitation of Spring4Shell vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency recently added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on “evidence of active exploitation.” Spring4Shell affects Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later. The Kenna Risk Score for CVE-2022-22965 is currently at the maximum of 100. This is an exceptionally rare score that only 415 of roughly 184,000 CVEs (0.22 percent) have achieved, reflecting the severity and potential effects of this vulnerability. A risk score this high means the vulnerable technology is widely deployed and a public exploit is available, and Cisco Talos researchers have seen evidence of ongoing exploitation over the internet.
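
The exploitable behaviour is Spring's request-parameter data binding: a parameter name that starts at a form object's class property can be walked into the class loader, and Spring's advisory suggests a WebDataBinder that disallows exactly those property paths. The script below is an added example (not Spring Framework code) that applies the four patterns from that suggestion to a constructed access log, so you can see which parameter names a hardened binder would reject and which legitimate names (such as className) it leaves alone. It assumes case-sensitive matching and requests logged in common log format with the query string in the request target; form bodies need the same treatment.

```python
"""Spring4Shell (CVE-2022-22965) binding guard, modelled in Python.

Added example; not Spring Framework code.  The public exploit abuses request
parameter binding to walk from a form object's ``class`` property into the
class loader (``class.module.classLoader...``).  The advisory's hardening is a
WebDataBinder that disallows the four property-path patterns below; here the
same patterns are applied to a constructed access log.
"""
from __future__ import annotations

import fnmatch
import re
from urllib.parse import parse_qsl, urlsplit

# Patterns from the advisory's suggested setDisallowedFields() call.
DISALLOWED_FIELD_PATTERNS = ("class.*", "Class.*", "*.class.*", "*.Class.*")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed sample log.  Line 1 carries the parameter prefix used by the
# public exploit, line 3 reaches the class loader through a nested property,
# lines 2 and 4 are legitimate (``className`` is an ordinary bean property).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] "GET /orders?class.module.classLoader.resources.context.parent.pipeline.first.pattern=x HTTP/1.1" 200 512
10.0.0.6 - - [31/Mar/2022:10:01:05 +0000] "GET /orders?customerId=42&status=open HTTP/1.1" 200 2048
10.0.0.7 - - [31/Mar/2022:10:01:09 +0000] "POST /profile?user.Class.classLoader.x=y HTTP/1.1" 200 17
10.0.0.8 - - [31/Mar/2022:10:01:11 +0000] "GET /profile?className=Customer HTTP/1.1" 200 17
"""


def is_disallowed_field(name: str) -> bool:
    """True if a bound property path matches one of the disallowed patterns.

    fnmatch's ``*`` matches across dots, which is what the patterns rely on:
    ``class.*`` covers every path that starts at the ``class`` property.
    """
    return any(fnmatch.fnmatchcase(name, pat) for pat in DISALLOWED_FIELD_PATTERNS)


def bound_field_names(target: str) -> list[str]:
    """Parameter names a controller would try to bind from the request target."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def flag_requests(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, client IP, offending field) for every request
    that tries to bind a property path the guard would reject."""
    hits: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        for name in bound_field_names(match.group("target")):
            if is_disallowed_field(name):
                hits.append((lineno, client, name))
    return hits


if __name__ == "__main__":
    for lineno, client, name in flag_requests(SAMPLE_LOG):
        print(f"line {lineno}: {client} tried to bind {name!r}")
```

Run against your own access logs, a hit on the class.module.classLoader prefix is a strong indicator of an exploitation attempt; a hit on a nested *.class.* path is the reason the advisory's patterns are broader than the one exploit.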

References

AsyncRAT campaigns feature new version of 3LOSH crypter

Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These campaigns appear to be linked to a new version of the 3LOSH crypter. These malware distribution campaigns have been ongoing for the past several months, with new samples being uploaded to public repositories on a daily basis. The 3LOSH crypter continues to be actively maintained and improved by its author and will likely continue to be used by various threat actors attempting to evade detection in corporate environments.

References

GitHub Advanced Security Secret Scanning Now Offers Push Protection

GitHub has added an option to GitHub Advanced Security that scans for secrets before accepting code pushes. The new feature works with 69 token types.

Note

  • Nice improvement. Also note that Trufflehog released a new version with some significant improvements to find secrets like API keys left in code. Secrets like passwords, and in particular API keys, leaking into source code repositories is an increasing problem. Modern distributed applications rely more and more on these secrets and many developers do not manage them properly.
  • Including authentication secrets in repositories continues to be a problem. This option will augment your processes designed to prevent that from happening. Verify developers don’t disable it.
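
Push protection and tools like Trufflehog share one core mechanic: look only at the content a push would introduce, match it against known credential formats, and block before the secret reaches the remote. The script below is an added example (not GitHub's or Trufflehog's code) of that check run client-side over a constructed unified diff. It tracks new-file line numbers through hunk headers, matches a few documented token formats, falls back to a Shannon-entropy test for quoted strings that have no recognisable prefix, and reports a redacted token so the secret itself is never written to a log. The pattern set, the entropy threshold, and the sample diff are constructed for illustration; real scanners ship hundreds of detectors, and Trufflehog's active verification is what turns an entropy hit into a confirmed live credential.

```python
"""Pre-push secret scan over a unified diff (added example, not GitHub or
Trufflehog code).  Scans only added lines, matches documented token formats
plus a high-entropy fallback, and reports redacted findings."""
from __future__ import annotations

import math
import re
from collections import Counter
from typing import NamedTuple

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}
# Fallback for secrets with no prefix (e.g. an AWS secret access key): a
# quoted string of 32+ token-ish characters with high Shannon entropy.
QUOTED_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{32,})["']""")
ENTROPY_THRESHOLD = 4.5  # bits per character; hand-tuned for this demo
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "***"


def scan_added_line(path: str, lineno: int, content: str) -> list[Finding]:
    found = [Finding(path, lineno, kind, redact(m.group(1)))
             for kind, pat in SECRET_PATTERNS.items() for m in pat.finditer(content)]
    if not found:  # entropy fallback only when no known format matched
        for m in QUOTED_RE.finditer(content):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                found.append(Finding(path, lineno, "high_entropy_string", redact(m.group(1))))
    return found


def scan_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff, track the new-file line number, scan '+' lines."""
    findings: list[Finding] = []
    path, new_line = "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header, e.g. "+++ b/x.py"
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("--- ") or raw.startswith("diff "):
            continue
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))
        elif raw.startswith("+"):
            findings.extend(scan_added_line(path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1                      # context; removed lines do not advance
    return findings


def should_reject_push(diff_text: str) -> bool:
    return bool(scan_diff(diff_text))


# Constructed sample: the AWS key pair is the one AWS uses in its own docs.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,5 @@ DEBUG = False
 DATABASES = {"default": {"ENGINE": "django.db.backends.postgresql"}}
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITHUB_TOKEN = "ghp_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6"
 LOG_LEVEL = "INFO"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # service
+Set GITHUB_TOKEN in the environment; never commit it.
 See docs/.
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    raise SystemExit(1 if should_reject_push(SAMPLE_DIFF) else 0)
```

Note the secret access key on line 12 of the sample: it has no recognisable prefix, so a format-only scanner would pass it, which is why the entropy fallback (and, in real tools, verification against the provider) matters. Wired into a pre-push hook, a non-zero exit blocks the push; the server-side version in GitHub is the one developers cannot switch off locally.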

Read more in

PCI Data Security Standard Updated

The Payment Card Industry Security Standards Council (PCI SSC) has updated the PCI Data Security Standard (DSS) to version 4.0. Changes include “expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment, and increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.” The current version, PCI DSS v3.2.1, will be retired on March 31, 2024.

Note

  • This revision has about 60 new requirements, 40 of which don’t kick in until 2025. Those 40 longer term requirements represent most of the security gains – requiring software inventories of internal and external software in use, user and application privilege management, increased use of MFA, more focus on encryption, etc. If you have PCI exposure, use those requirements to justify starting improvements now. There are also additional requirements specifically for service providers. PCI DSS 1.0 came out in 2004; the requirement updates have tried to keep up with changes in threats but the requirements and rigor around the assessment process that governs how the 389 PCI Council certified security assessors operate has been much slower to be upgraded.
  • Regarding penetration testing, section 11.4 of v4.0 still requires internal and external network testing at least annually but gets more prescriptive in how it is to be done.
  • More MFA is always better. But at this point, your question shouldn’t be if you need MFA. The question should shift to what kind of MFA is sufficient for a particular application.
  • Don’t wait until 2024 to implement the updated standard. Begin assessing the changes and getting your implementation together now. Note the scope of encryption requirements including removable media as well as requirements for protecting the PAN during RDP sessions. Also note that some best practices have expiration dates.
  • PCI DSS was introduced as a stop-gap measure until the introduction and implementation of EMV (and to transfer as much of the fraud risk as possible to the merchants, their customers). However, it has taken on a life of its own, in part because the issuers continue to publish the Primary Account Number (PAN) in the clear. The PAN is then used in “card not present” fraud. Merchants accept the risk of accepting PANs, in preference to more secure proxies like PayPal, Apple Pay, Google Pay, and others, in part because the transaction cost is a little lower. However, the risk plus the cost of PCI DSS really makes accepting PANs much more expensive than the proxies.

Read more in

Proposed US Legislation Addresses Medical Device Security

US legislators have introduced a Senate bill that focuses on medical device security. The PATCH Act “will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the Food and Drug Administration to ensure that users are properly equipped to deal with foreign or domestic ransomware attacks.” Provisions include implementing cybersecurity requirements for manufacturers and establishing a software bill of materials for medical devices. A companion bill has been introduced in the House of Representatives.

Note

  • For close to 20 years, much of the medical device industry has avoided taking the responsibility for building secure/safe and supportable/patchable networked devices. The FDA has issued many directives about this over the years – this bill will give the agency the needed power to enforce.
  • While this legislation attempts to raise the bar of new devices being produced, healthcare providers need to make sure their current environment architecture implements security. That includes segmentation, MFA, and monitoring. The new legislation also provides for ongoing security updates. One hopes manufacturers take advantage of this so one can plan for update and lifecycle events in the operations schedule.
  • I welcome legislation that attempts to shift security left, especially for devices that are traditionally released with trivial vulnerabilities and rarely get patched.

Read more in

US Senator Seeking Answers About Phony Emergency Data Requests

Last week, Brian Krebs reported that hackers are using phony Emergency Data Requests to obtain information from ISPs, mobile phone companies, and social media companies. The hackers have been using compromised police department and government agency email accounts. US Senator Ron Wyden (D-Oregon) is “requesting information from tech companies and multiple federal agencies to learn more about how emergency data requests are being abused by hackers.”

Note

  • Train users to always verify the credentials and legitimacy of data requests, emergency or otherwise. Use out of band mechanisms, not verification mechanisms provided by the requester. Don’t forget to include yourself and your security team in that training.
  • This is a perfect example of the need for Red Team. A new process has been implemented and no one looked at it holistically (people, process, and tech) from the adversary’s point of view.
  • EDRs are often, not to say routinely, used in lieu of warrants in investigations; warrants are then sought after the fact if the product of the investigation is to be used as evidence in a prosecution.

Read more in

GitLab Updates Fix Static Password Flaw

GitLab has released updates for GitLab Community Edition (CE) and Enterprise Edition (EE) software to address 17 vulnerabilities. The updates include a fix for a critical flaw that arose from “a hardcoded password [being] set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.”

Note

  • GitLab releases updates on the 22nd of the month. Get their application into your monthly patch cadence. Yes, there were hard coded credentials in their code; time to see how your code fares in that respect. There are also XSS issues relating to improperly handling user input. Again, time to make sure you’re not in the same boat, preferably after you apply the update.
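
The GitLab flaw is a design defect rather than a typo: an account that exists only because an identity provider vouched for it still had a local password, and that password was the same known string for every such account, so plain password login bypassed the provider entirely. The script below is an added example (not GitLab code) that models the vulnerable design beside the hardened one: a random password that is never displayed, combined with a flag that refuses the password login path for provider-backed accounts altogether. The placeholder string, the in-memory User record and the KDF parameters are constructed for this illustration.

```python
"""Static versus random passwords for externally authenticated accounts.

Added example, not GitLab code.  Models accounts registered through an
external provider (OAuth, LDAP, SAML) that receive a hard-coded password,
beside the hardened variant.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for a fixed string compiled into the application (constructed).
STATIC_PLACEHOLDER = "placeholder-password-for-external-accounts"
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly


@dataclass
class User:
    username: str
    provider: str               # "password" for local accounts, else the IdP name
    salt: bytes
    password_hash: bytes
    password_login_enabled: bool


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_external_user_vulnerable(username: str, provider: str) -> User:
    """Every provider-backed account gets the same, well-known password."""
    salt = secrets.token_bytes(16)
    return User(username, provider, salt, _derive(STATIC_PLACEHOLDER, salt), True)


def register_external_user_hardened(username: str, provider: str) -> User:
    """Random password nobody ever sees, and password login switched off."""
    salt = secrets.token_bytes(16)
    throwaway = secrets.token_urlsafe(48)  # never stored or displayed
    return User(username, provider, salt, _derive(throwaway, salt), False)


def password_login(user: User, password: str) -> bool:
    """Local password path only; the provider login path is separate."""
    if not user.password_login_enabled:
        return False
    return hmac.compare_digest(_derive(password, user.salt), user.password_hash)


if __name__ == "__main__":
    weak = register_external_user_vulnerable("alice", "saml")
    strong = register_external_user_hardened("bob", "saml")
    print("vulnerable account, known placeholder:", password_login(weak, STATIC_PLACEHOLDER))
    print("hardened account, known placeholder:  ", password_login(strong, STATIC_PLACEHOLDER))
```

The flag is the part that survives code review: a random password alone is fixed by the next refactor that "helpfully" makes it predictable, whereas refusing the password path for provider-backed accounts removes the attack surface rather than hardening it.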

Read more in

US State Department’s Bureau of Cyberspace and Digital Policy

The US Department of State has launched its Bureau of Cyberspace and Digital Policy. According to a media note from the agency spokesperson, the “bureau will address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.” It will comprise three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom.

Note

  • While this sounds like added bureaucratic overhead, I believe this new bureau will allow State to focus on cyber requirements appropriate to their mission in support of the NIST RMF as well as moving towards the requirements in EO 14028 such as MFA, zero trust and cloud adoption.

Read more in

Zyxel Urges Users to Patch Critical Flaw

Zyxel has released patches to address an authentication bypass vulnerability in the CGI program embedded in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG software. The flaw could be exploited to take control of vulnerable products.

Note

  • Weekly reminder: Do not expose these type of admin interfaces to the internet. This will not be the last vulnerability in a router/firewall/VPN admin interface. Not exposing these interfaces will significantly reduce the chance of the flaw being exploited.
  • In essence an ACL was not implemented in the CGI, allowing it to be executed without authentication. The advice in the bulletin is to patch; patch now. Also make sure the administration interface is not accessible from the WAN.

Read more in

Fixes Available for Flaws in Rockwell Products

A pair of vulnerabilities in Rockwell programmable logic controllers (PLCs) and engineering workstation software could be exploited to inject code and modify automation processes. The flaws allow attackers to run code on vulnerable PLCs without appearing to be causing anomalous activity.

Note

  • Read the bulletin carefully. This is not just a patch and go fix. Note the raw CVSS 3 score is 10.0 so you need to make sure you have your ducks in order PDQ. You may need to recompile and reload user program code. Also, make sure your PLCs are properly segmented so only authorized systems and users can interact with them. Monitor all interaction for unwelcome advances.

Read more in

VMware Releases Updates to Fix Spring4Shell Vulnerability

VMware has published updates to address the Spring4Shell remote code execution vulnerability in several VMware products. Patches are not available for all affected products; VMware has suggested workarounds. The Spring4Shell vulnerability, which resides in the Spring Core Java framework, is being actively exploited.

Note

  • CVE-2022-22965 has a CVSS score of 9.8 and you’re going to need to read the workaround where patches are pending. (There are no workarounds for the patched products, just patch them.) There are multiple manual steps to the workaround so have a fully backed up environment to get them right. Doubly so if you don’t have a non-production environment. Note that the workaround will stay in place even if you perform a VM resurrection or upgrade your TKGI file.

Read more in

Two People Facing Charges in Connection with Lapsus$ Hacking Group Activity

Two teenagers arrested in London, UK, in connection with the Lapsus$ cyber extortion group have appeared in court to face charges. They have been released on bail and are required to appear in court at the end of the month. Both teens have been charged with “unauthorized access to a computer with intent to impair the reliability of data; fraud by false representation; and unauthorized access to a computer with intent to hinder access to data.” One of the individuals is facing an additional charge of “causing a computer to perform a function to secure unauthorized access to a program.”

Note

  • When the arrests occurred, the Lapsus$ gang reported some of its members were taking a vacation and work continued with a posting last Wednesday of information pilfered from an Argentinian software development group. Don’t assume a group of malicious actors are out of commission until you have authoritative information that their entire operation is shuttered. Even so, expect those not arrested to reappear in a new form soon.

Read more in

Nordex Group Shuts Down IT Systems in Wake of Cybersecurity Incident

Nordex Group, a German wind turbine manufacturer, has “shut down IT systems across multiple locations and business units” as a precautionary measure following a cybersecurity incident. Nordex Group detected the problem on March 31.

Note

  • Similar to the Viasat attack, this is intended to get a jump on the IT used to control wind turbine systems in Ukraine, and possibly other places, obtaining inside intel into operation beyond what can be obtained via OSINT. If you have these systems, you need to focus on the security of any access mechanism. If remotely connected, make sure those connections are both secure and genuine, that media and data flowing to and from them is properly sanitized, and that you are monitoring any connections or activity.

Read more in

How one Ukrainian IT specialist exposed a notorious Russian ransomware gang

Incredible reporting on a Ukrainian cybersecurity expert who fights “with a keyboard and mouse” by exposing files, tools, and internal chat logs belonging to Conti, the notorious Russian-linked ransomware gang. The Conti leaker “quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials,” per the report. The doxes were so effective that the FBI asked him to stop, fearing it would make it more difficult to track them. Also this week, reporting from the Wall Street Journal exposes the inner workings of the Trickbot cybercrime enterprise, a pro-Russia hacking group, thanks to a Ukrainian researcher who infiltrated the group’s servers.

More info

Apple and Meta Gave user data to hackers who used forged legal requests

Well, they finally did it: hackers associated with a group, some of which now operate as part of Lapsus$, tricked Apple and Meta into turning over user data by supplying fake subpoenas sent from hacked email domains belonging to law enforcement. The hackers specifically exploited the “emergency data request” system, which allows the quicker turnover of data under emergency situations — often to prevent loss of life. Discord also fulfilled a forged legal request. The use of forged legal requests was first reported by Krebs on Security.

More info

Zero-day flaw found in Java Spring Framework

Dark Reading: A bad bug found in a popular Java web application development framework puts a ton of web apps at risk of remote attack. The bug, named Spring4Shell, affects Spring, whose maintainers confirmed the bug. Patches are out, just after a zero-day exploit was posted to Twitter — then deleted.

More info

How Intrusion Truth is unmasking China’s state hackers

Kim Zetter is back with a long read on Intrusion Truth, the anonymous person or group behind a series of doxes of high-level Chinese cyber spies, some of which have proven to be pretty accurate, with U.S. Justice Department indictments dropping soon after. A compelling read, featuring conversations with Intrusion Truth itself (or themselves).

More info

People are getting scam texts from… themselves

We’ve all had weird spam in our time, but more people seem to be getting spam from… themselves. It appears to be part of a widespread scam aimed at getting people to click on a phishing link in a text that arrives from the target’s own number. Many Verizon customers appear to be affected, and Verizon seems to be having trouble doing anything about it.

More info

Mystery GPS tracker found on an EFF supporter’s car

Electronic Frontier Foundation: Why did an EFF supporter’s car have a GPS tracker on it? Did they have a stalker? No, it turns out GPS trackers were installed in the vehicles by car dealerships but were not activated until the buyer paid for tracking services. @cooperq ripped the device to bits and figured out how it works, and left open a ton of questions about the sort of data being stored on the device regardless of whether it is activated or not. Very creepy.

Safari vulnerability allowed for Gatekeeper bypass

An interesting newly discovered bug in macOS, dating back as far as Safari 14 on Big Sur, allowed an attacker to bypass the built-in Gatekeeper protections in macOS, which prevent the operating system from automatically opening apps and files downloaded from the internet. The researchers found the bug while examining what appeared to be an intended feature used by a popular game hosting site, which turned out to allow unauthorized code to run without the expected prompt.

Google Project Zero explains how NSO’s ForcedEntry exploit escapes the iOS sandbox

Google Project Zero: Google, with help from Apple and Citizen Lab, analyzed a sample of NSO Group’s “ForcedEntry” exploit, which can remotely compromise an iOS device for the purpose of installing the Pegasus spyware. This blog post explains the sandbox escape part of the bug.

Ronin Network: What a $615m hack says about the state of crypto

A hack of the Ronin Network, a key platform powering the game Axie Infinity, had $615 million in cryptocurrency stolen, in one of — if not the biggest cryptocurrency hack to date. Hackers used private keys to exploit a bug in the Ronin bridge. (A bridge lets people convert tokens to ones that can be used on another network.) A lot of people lost a lot of money, once again because of weaknesses in poorly coded and unaudited software, explains Bloomberg.

More info

Major Ukraine ISP hit by DDoS

BBC News is reporting major disruptions at one of Ukraine’s largest telecoms, Ukrtelecom, following a DDoS powerful enough to affect its core infrastructure. Forbes ($) spoke with Victor Zhora, Ukraine’s deputy head of state infosec protection, who described the incident at Ukrtelecom as the “most severe” cyberattack since the start of the Russian invasion in February. That is presumably including the mass modem-bricking attack at Viasat…

More info

Viasat attack caused by Russian wiper malware

Speaking of Viasat… SentinelOne security researchers found evidence that the Viasat satellite network — which went down over Europe and Ukraine just as Russia was crossing the border — was downed by destructive malware dubbed AcidRain, which they think is ultimately linked to the GRU. Viasat told TechCrunch that the findings were “consistent with the facts in our report,” which it had published a day earlier, which you can read here and Cyberscoop parsed here.

More info

Browser-in-a-browser phishing linked to Ghostwriter

Google TAG dropped new IOCs on threat activity and actors it is tracking with regard to the war in Ukraine. Among the new data is Belarus-linked threat actor Ghostwriter, otherwise known as UNC1151, which was found using the browser-in-a-browser phishing technique. The technique relies on imitating an OAuth login popup using HTML and CSS; because the fake window is just an element of the attacker’s page, it cannot be dragged outside the real browser window, which is one quick way to tell it from a genuine popup.

More info

It’s Section 702 renewal time (again)

Every few years key U.S. surveillance powers come up for renewal — and this time it’s the notorious Section 702 (of the Foreign Intelligence Surveillance Act), the core powers that U.S. intelligence rely on for warrantless snooping on communications. The powers are set to sunset in December 2023 unless lawmakers act, reports The Record. That’s a year and a half away — plenty of time for a spirited debate that will only be ignored in favor of inevitable sweeping reauthorization like every other time this has happened. Maybe this time we can hope for real reform, if not least to protect Americans’ rights from their own government?

More info

Wyze bug ignored for two years

A relatively simple-to-exploit bug in those cheap Wyze cameras allows remote access to the contents of the camera’s SD card via an embedded web server that doesn’t require authentication. Per Bleeping Computer, which outlines the two-year-long process Bitdefender went through to get Wyze to fix the bug, security updates were only pushed to newer devices, leaving 2017 models still vulnerable. Wyze said it takes “all security concerns seriously,” which as you know is corporate code for “dgaf”.

More info

AppSec

Introducing Dagger: a new way to create CI/CD pipelines

A portable devkit for CI/CD pipelines that allows you to unify dev and CI environments, test and debug pipelines locally, and avoid CI lock-in. Instead of gluing pipelines together with throwaway scripts, Dagger supports composing reusable actions, which can be shared and reused thanks to a complete package management system.

Trufflehog V3

Epic new release by the Truffle Security team. See Dylan Ayrey’s video overview for more details, but in short:

  • It’s a complete rewrite in Golang with other speed improvements
  • Now contains over 600 credential detectors that support active verification against their respective APIs.
    • Verifying if the keys still work => no false positives or alert fatigue.
  • Native support for scanning GitHub, GitLab, filesystems, and S3.

OAuth

Introducing AppTotal: Democratizing third-party apps security

Itay Kruk announces AppTotal, a new service like VirusTotal but for OAuth apps. It dynamically scans SaaS add-ons for vulnerabilities and suspicious or malicious behavior, enabling you to profile third-party apps’ permissions and access, posture, and behavior before connecting them to IT-approved applications.

Authorization

Authorization in Microservices

A new chapter in Oso’s Authorization Academy covering how to share data between services and various trade-offs: decentralizing or centralizing your authorization model, centralizing data, distributing data with existing infrastructure, Authorization-as-a-Service.

Authorization in a microservices world

RapidDot’s Alexander Lolis describes authorization approaches and their trade-offs, and moving from a simple flag to Role Based Access Control (RBAC) to Attribute Based Access Control (ABAC), as well as architectures with an authz service, an authz and data service, and an authz middleware and library per service.

Supply Chain

How Go Mitigates Supply Chain Attacks

Go team security lead Filippo Valsorda describes some language choices that provide nice security properties.

  • All builds are “locked”
  • Version contents never change
  • VCS is the source of truth
  • Building code doesn’t execute it
  • A little copying is better than a little dependency

Securing Developer Tools: Package Managers

SonarSource’s Paul Gerste describes vulnerabilities they found in several package managers, including Composer, Bundler, Bower, Yarn, and others. Some bugs are due to interesting nuances in how Windows versus other OSes handle PATH or variable quoting, git argument injection, and more.

Cloud Security

Codify your best practices using service control policies

Overview post on what SCPs are, why you should create SCPs, and the strategy you can use to implement SCPs, as well as how to continue iterating and improving SCPs as your workloads and business needs change. Part 2 discusses how you can create SCPs using constructs from AWS Well-Architected.

The Expansion of Malware to the Cloud

Orca Security’s Bar Kaduri describes the main malware types you may encounter in your cloud with examples and ways to detect and protect yourself from them.

Infrastructure as Code

aquasecurity/tfsec-pr-commenter-action

GitHub Action by Aqua Security that comments on Pull Requests where tfsec checks have failed.

Standardizing Terraform Linting

Square’s Adam Cotenoff describes their rollout strategy, approaches to enforcement, and other lessons learned along the way in minimizing developer friction and maximizing fix rate.

Using SemGrep to find security issues and misconfigurations in AWS Cloud Development Kit projects

Aquia’s Dakota Riley walks through how to write Semgrep rules to find issues directly in AWS CDK code, using some open source rules he’s contributed as examples. Most IaC tools scan the generated CloudFormation output, which can make it harder to trace issues back to the originating CDK code, making it less likely devs will fix the issue.

Dakota shows how Semgrep can enforce usage of company-specific custom constructs, enabling cloud security teams to define secure by default primitives that developers can use. *me: waves secure guardrails flag vehemently*

Container Security

stackrox/stackrox

The StackRox Kubernetes Security Platform is now open source. StackRox performs a risk analysis of the container environment (build, deploy, runtime), delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.

Blue Team

Introducing CVE Markdown Charts

@clearbluejar describes cve-markdown-charts, a simple tool to generate MermaidJS Markdown charts from CVE IDs and CVE keyword searches.

MG thread on Red Team MFA bypass techniques

Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.

I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. It’s being seen in the wild more these days.

Politics / Privacy

The Ultimate Personal Security Checklist

A curated checklist of 300+ tips for protecting digital security and privacy in 2021, by Alicia Sykes.

Stalkers, Sock Puppets, and Security

A chapter from an unpublished book by Cassie Cage covering InfoSec best practices and techniques that can help protect against online threat actors and stalkers.

FYI Cassie is also looking for jobs in the GRC space, 100% remote or with an office in Austin, TX.