Microsoft’s Patch Tuesday for May 2022
On Tuesday, May 10, Microsoft released fixes for more than 70 security issues, including seven that are rated critical. One of the patched flaws, a Windows Local Security Authority (LSA) spoofing vulnerability, is being actively exploited. In a related story, some users have reported authentication failures after installing the May updates. Microsoft is investigating.
- CVE-2022-26923, while “only” a privilege escalation vulnerability, is relatively easy to exploit and exploits have been well documented. Do not overlook this issue. CVE-2022-26925: Take it as another reason to review the configuration of your Windows systems and make sure NTLM is no longer used.
- The LSA vulnerability (CVE-2022-26925) is kind of a big deal. While the raw CVSS score is 8.1, Microsoft suggests it warrants a 9.8 in some situations. This flaw allows attackers to exploit a MITM condition to force domain controllers to authenticate with NTLM authentication. Which, in summary, means you’re going to need to roll this one out, but do some testing, you’re messing with the authentication stack.
Read more in
- Microsoft closes Windows LSA hole under active attack
- Microsoft Patch Tuesday, May 2022 Edition
- Actively Exploited Zero-Day Bug Patched by Microsoft
- Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates
- Microsoft: May Windows updates cause AD authentication failures
- May 2022 Security Updates
CISA Adds BIG-IP Flaw to Known Exploited Vulnerabilities Catalog
Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the F5 BIG-IP missing authentication vulnerability to its Known Exploited Vulnerabilities catalog. The flaw is being actively exploited; federal agencies are required to apply the updates by May 31.
- As reported earlier, this vulnerability is heavily exploited and the pool of exposed vulnerable systems has likely been completely compromised by now. Look for webshells and backdoors. If exposed, you will likely find several by now. We also noted some destructive attacks and the system may not reboot cleanly (but function reasonably well otherwise for a while) if affected by them.
- You’re reading this and saying “We so totally fixed that flaw last week,” right? For real, you need to patch your BIG-IPs and lock down access to their management interfaces. Don’t skip your internal devices. Scan your network for devices which may be overlooked, possibly really old, and patch/update/lifecycle them as needed. If you’re determined to redeploy old (still working) hardware to lower tier environments, make sure that it still includes a lifecycle plan.
Read more in
FDA Medical Device User Fee Legislation Includes Security Requirements
A bill introduced in the US House of Representatives would amend the Federal Food, Drug, and Cosmetic Act. The amendment would require medical device manufacturers to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure, and shall make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device.”
- A law was enacted in 1992 to allow the FDA to charge manufacturers fees when they submitted applications for product approval – these funds allowed the FDA to shorten the review cycle by increasing staff and other resources required to review applications. This cybersecurity language follows that model and is badly needed – it mainly requires the vendors to demonstrate the product will be under a vulnerability discovery and disclosure program and (finally) products must have the ability to be updated/patched if vulnerabilities are discovered. Good stuff.
- This bill dovetails on the PATCH act which also requires SBOMs, regular testing and assurance as well as the lifecycle plan above prior to pre-market approval from the FDA. This raises the bar on both the production of medical devices and drugs, but also the lifecycle of those in the field and/or implanted. SBOMS are seen as a critical mitigation for software supply chain security risks related to those devices.
Read more in
- FDA Bill Includes Medical Device Security Requirements For Manufacturers
- H.R.7667 – Food and Drug Amendments of 2022
Five Eyes Alert Warns of Attacks Against Managed Service Providers
Cybersecurity authorities from the Five Eyes countries – the UK, the US, Canada, Australia, and New Zealand – have issued a joint advisory warning that they “are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.” The advisory includes recommendations of security measures and operational controls MSPs and their customers can implement.
- The back-end management platforms built by many Managed Service Providers often use a lot of open source tools and libraries, putting them at risk of attacks like we’ve seen against Log4J. There are many, many forms of MSPs and all should be subject to demonstrating at least basic security hygiene, but MSPs with remote access to high privilege accounts on internal systems should be required to demonstrate higher levels of security and their connections monitored.
- This is third-party risk. Your MSP has a trust relationship with you and all their other customers. This means you need to have assessed their security posture and practices, including how they are separating access to customers. Understand how they vet and maintain the products they use. Ask to see their latest external assessment/audit, including actions taken on any issues. Verify these are conducted on a regular basis.
Read more in
- Protecting Against Cyber Threats to Managed Service Providers and their Customers
- Five Eyes turn spotlight on MSPs: Potential weak links in IT supply-chain security
- MSPs, customers targeted by malicious cyber actors, intelligence alliance warns
- Beware of state actors stepping up attacks on managed service providers: Cyber agencies
- U.S., allies warn of rising recent and future attacks on managed service providers
Read more in
- Thousands of WordPress Sites Hacked to Redirect Visitors to Scam Sites
US, EU, UK: Russia Launched Viasat Attack
The US, the EU, and the UK say that Russia was the perpetrator of a cyberattack on Viasat in the days before it invaded Ukraine. The attack against the satellite network deployed wiper malware that disrupted communications and wind farms.
- This is an important step in the attribution stakes as it is the first time that the EU has openly identified the source of a cyber attack. It is also important to note that while this attack was aimed at Viasat to disrupt the communications capabilities of the Ukrainian army, it also disrupted businesses outside of Ukraine. It is a good example of why organisations located outside of Ukraine need to be vigilant for cyber attacks that may result in collateral damage against them. So do follow the Shields Up guidance from US Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies.
- For those, like me, who said that was obvious, step back and remember attribution can be tricky and can have serious ramifications if incorrectly done. Further, it’s possible to fake the fingerprint in malware, as was demonstrated in a project John Strand led where he and his team offered a service which would inject “telltale” fingerprints into an uploaded executable, so it looked like it came from the selected entity. Be patient with those tasked with attribution, provide them tools and information needed, don’t delay mitigation and remediation activities for their result.
Read more in
- Attribution of Russia’s Malicious Cyber Activity Against Ukraine
- US, Europe formally blame Russia for data wiper attacks against Ukraine, Viasat
- UK, US and EU attribute Viasat hack against Ukraine to Russia
- US and its allies say Russia waged cyberattack that took out satellite network
Pushback Against Incident Reporting Requirements
The Information Technology Industry Council (ITI) is asking the Securities and Exchange Commission (SEC) to postpone its implementation of regulations that require publicly traded companies and investment firms to report cybersecurity incidents. In public comments, ITI says the rule’s implementation should be delayed “to ensure [it] does not undermine cybersecurity and create additional security risks.” In a separate story, ITI sent a letter to India’s Computer Emergency Response Team (CERT-In) saying that the organization’s six-hour incident reporting rule is not feasible.
- The major point of ITI’s “undermine cybersecurity” comment is that quickly reporting an incident may give away technical details of vulnerabilities before they are mitigated. This is a pretty low risk – most corporate disclosures of cybersecurity incidents stay at very high levels that make them barely understandable, let alone useful to attackers.
- With the plethora of cyber security reporting initiatives of late, it is easy to lose track of what’s required and assess if you’re meeting them. Work to develop the needed disclosure processes and relationships to build assurance that information will be properly protected, whether you’re sending information to the CISA, FBI or SEC. Where possible, provide feedback on what timelines are workable, such as India’s six-hour reporting requirement. The goal is to encourage regulators to have a common/consistent requirement.
Read more in
- ITI Urges SEC to Delay Proposed Rule on Cybersecurity to Deconflict, Mitigate Security Risks
- Tech group pushes back against SEC cyber rules, warns of reporting overload
- Industry pushes back against India’s data security breach reporting requirements
- ITI India CertIn Letter (PDF)
Zyxel Releases Patches for OS Command Injection Vulnerability
Zyxel has released fixes for a command injection vulnerability that affects Zyxel firewalls that have the zero-touch provisioning feature. Researchers from Rapid7 detected the flaw and disclosed it to Zyxel in mid-April. Rapid7 “suggested a coordinated disclosure date in June. Instead, Zyxel released patches to address this issue on April 28, 2022.”
- Still waiting for exploitation to start, but the vulnerability is trivial to exploit and will likely be added to bots in the next couple days.
- These are firewalls designed for small business and branch office deployments. On the one hand, this is an easily exploited flaw which doesn’t require authentication and can be weaponized easily. Rapid7 has a Metasploit module to exploit this flaw. On the other hand, Zyxel released a fix two weeks after the flaw was disclosed to them, which is awesome! If you have Zyxel firewalls, update the firmware and enable automatic updates. Shodan queries indicate only about 25% of these devices are running updated firmware.
Read more in
- Zyxel security advisory for OS command injection vulnerability of firewalls
- CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection
- Zyxel fixes firewall flaws that could lead to hacked networks
- Zyxel silently patches command injection vulnerability with 9.8 severity rating
US DEA Investigating Breach
The US Drug Enforcement Agency (DEA) is investigating reports that attackers breached an agency portal that accesses 16 federal law enforcement databases. The incident appears to be linked to a group of attackers that impersonates police and government officials to gather information.
- The databases provide access to various records including aircraft, firearms, motor vehicles, boats, drones, etc. While the portal is configured to primarily accept Personal Identity Verification (PIV) cards, it also can accept reusable passwords. This is how the site was compromised and why you need to make sure your MFA is comprehensive. If you must enable fallback to password authentication, limit what those weaker credentials can access; better still, provide rapid credential issuance and recovery negating the need for the fallback.
Read more in
BIG-IP vulnerability could lead to arbitrary code execution
A recently disclosed vulnerability in F5 Networks’ BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services, and could lead to additional malicious activity. This vulnerability, tracked as CVE-2022-1388, is an authentication bypass vulnerability in F5’s BIG-IP modules affecting the iControl REST component. BIG-IP is F5’s line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. The vulnerability has a CVSS score of 9.8 out of a possible 10 and is considered critical.
Microsoft fixes more than 70 vulnerabilities as part of May Patch Tuesday
Microsoft returned to its normal monthly patching volume in May, disclosing and fixing 74 vulnerabilities as part of the company’s latest security update. This month’s Patch Tuesday includes seven critical vulnerabilities after Microsoft disclosed more than 140 security issues in April. The point-to-point tunneling feature in Windows contains two of the most serious vulnerabilities that could allow an attacker to execute remote code on a targeted RAS server machine. While CVE-2022-21972 and CVE-2022-23270 are rated “critical,” Microsoft stated the attack complexity is high since an adversary needs to win a race condition, making it less likely an attacker could exploit these issues. CVE-2022-26931 and CVE-2022-26923 are elevation of privilege vulnerabilities in Windows Kerberos and Windows Active Directory, respectively. They both are considered critical, though CVE-2022-26931 is considered less likely to be exploited because it has a higher attack complexity.
Crunch Time for Facial Recognition
In a court settlement with the American Civil Liberties Union (ACLU), controversial facial recognition technology company Clearview AI agreed to not sell access to its facial recognition database of over 10 billion images to private companies or individuals in the US (although selling the use of its algorithm alone is ok).
The ACLU, which brought the case under a US state law, the Illinois Biometric Information Privacy Act, described the settlement as a “big win”, although Clearview’s lawyers also managed to claim victory, writing in a statement:
This settlement is a huge win for Clearview AI. Clearview AI will make no changes to its current business model. It will continue to expand its business offerings in compliance with applicable law.
The settlement does not require any material change in the company’s business model or bar it from any conduct in which it engages at the present time.
Clearview AI's lawyers celebrating the settlement it struck with ACLU, given that the company was already not selling facial recognition tech to private companies. 'This settlement is a huge win for Clearview AI.' pic.twitter.com/Qz0tikdoD2
— Michael Kan (@Michael_Kan) May 9, 2022
Given that Clearview is paying USD$250k for the ACLU and other plaintiffs’ legal fees and USD$50k to publicise the settlement, we think they are really stretching to describe the outcome as a ‘win’.
Clearview’s facial recognition technology is objectively pretty good, as determined by NIST’s facial recognition technology testing. The company has fallen afoul of various regulators, however, for voraciously scraping publicly available images for its facial database without consent.
Clearview is not the only company that does this, but according to the ACLU’s Nate Wessler, Deputy Director of its Speech, Privacy, and Technology Project, Clearview was “especially brazen among American companies” in harvesting faceprints without consent.
“We hope this settlement will be a strong deterrent to any other company considering replicating Clearview’s original business model, by making clear how untenable such practices are under Illinois’ strong law.”
Clearview also aggressively marketed its product to law enforcement by offering free trial accounts to individual police officers without the knowledge of their employers.
The unconstrained collection of biometrics and unregulated use by police forces is concerning, but we think privacy advocates sometimes go too far.
In a statement given to this newsletter, for example, the EFF’s Senior Staff Attorney Adam Schwartz wrote:
The settlement announced today in the Illinois lawsuit, ACLU v. Clearview, demonstrates the need for strong data privacy laws, modelled on the Illinois Biometric Information Privacy Act. These laws must also include a ban on government use of face recognition technology, including through private contractors like Clearview.
Similarly, the ACLU’s Wessler said that the ACLU was working to “enact state and local bans on police use of face recognition technology in dozens of jurisdictions across the country”.
Although these technologies present risks to civil liberties, they can also be used to improve public safety. The trick is to strike the right balance.
According to James Lewis, Senior Vice President at the Center for Strategic and International Studies (CSIS) and author of a report on the responsible use of facial recognition technologies, public safety “tends to get left out” of the discussion.
In most respects, the three experts we consulted were in agreement.
They all agreed that there are more risks from facial recognition technology than just Clearview and that overarching federal legislation is desirable. As Lewis puts it, “federal regulation would be the best solution instead of 50 states with different rules”.
Where they differed however, was on the desired end state. Wessler and Schwartz were sceptical about legitimate government uses of facial recognition technology, whereas Lewis argued for a tiered approach, outlined below:
- Strict controls on use by law enforcement agencies should be similar to those used for communications data. These should include oversight and prior approval for programs, transparency in use, rules limiting secondary uses of collected data, and requirements for human review and rights for redress.
- Rules governing government uses other than law enforcement should be less restrictive. These should also include transparency and oversight, defining acceptable secondary uses, and providing processes for redress.
- Rules for commercial use should be linked to improved privacy protections. Rules for commercial use in public spaces may need to be more fulsome than rules for on-premise use.
These tiers make sense to us, and there are certainly reasons to be wary of unrestrained government access to its citizens’ data. A Georgetown Law Center on Privacy and Technology report this week says US Immigration and Customs Enforcement (ICE) has built a “surveillance dragnet by tapping data from private companies and state and local bureaucracies” while avoiding congressional oversight.
Russia’s Coolest Hack Condemned by EU, Five Eyes
The US, UK, European Union, and other countries have formally attributed various cyber attacks on Ukraine to Russia, most notably the hour-before-invasion attack on Viasat’s KA-SAT communications network. The attack affected tens of thousands of terminals, and although aimed at Ukrainian command and control, other customers were affected, including private and commercial internet users and wind farms in central Europe.
Five Eyes – statement on website: 5 (100%)
Five Eyes – only statement on twitter: 0
Five Eyes – only retweet: 0
Five Eyes – completely silent: 0 https://t.co/aRIJZ9sDwu
— Stefan Soesanto (@iiyonite) May 10, 2022
Interestingly, while some statements explicitly condemn malicious cyber activity in general or the attack on KA-SAT in particular, the UK’s statement is much more circumspect. It said “Russia is responsible for a series of cyber-attacks”, but didn’t explicitly condemn them separately from Russia’s broader war.
The Russians seem to have focussed their attack on terminals in spot beams that serviced Ukraine rather than disabling KA-SAT entirely, so there is an argument to be made that this was a proportionate attack on a legitimate military target.
Other destructive attacks also seem to have, at least so far, been focussed relatively narrowly on Ukraine, and we haven’t (thankfully!) seen a repeat of NotPetya. From what we can see so far (a huge caveat!), we think Russian cyber operations have been relatively responsible.
A statement by UK Foreign Secretary Liz Truss points out that cyberspace isn’t special and that unprovoked aggression is a problem wherever it occurs:
We will continue to call out Russia’s malign behaviour and unprovoked aggression across land, sea and cyberspace, and ensure it faces severe consequences.
The real problem with all these destructive cyber operations isn’t the attacks themselves, it’s that the whole war is unjustified, irresponsible, and illegal. These cyber attacks are arguably targeted and proportionate, but what makes them necessary? Putin’s idiocy?
Ransomware “National Emergency” in Costa Rica
The newly installed President of Costa Rica, Rodrigo Chaves, has declared a state of emergency after a ransomware attack by the Conti group. The attack took place in mid-April, prior to Chaves’ inauguration, and has affected a number of government organisations including the Ministry of Finance. Independent news outlet Amelia Rueda reports that the Finance Ministry has been without digital services since 18 April and has to resort to manual procedures.
Funnily enough, the fact ransomware hasn’t destroyed the government’s ability to function illustrates the limits of disruptive cyber operations in other contexts — Conti has caused a lot of pain in Costa Rica, resulting in a national emergency, but somehow the government is muddling through. It says it is refusing to pay a USD$10m ransom, and the angry rhetoric from Conti’s affiliate makes us believe them.
Meanwhile, Conti has released a further statement about the attack. 2/3 pic.twitter.com/Px2pIigZ8D
— Brett Callow (@BrettCallow) May 8, 2022
“The US public sector has long been ransomware gangs’ target of choice, but that may be changing. While attacks in countries like Costa Rica and Peru may not offer the same ROI, the increasing number of successes by US and European LEAs may make them seem like a safer choice,” Callow said.
The US State Department calls Conti “the costliest strain of ransomware ever documented” and cited an FBI estimate of over 1,000 victims and USD$150m in ransom payments. However, Chainalysis counted Conti’s takings at USD$180m in 2021 alone, so who knows what the real total is. The State Department continues to use large rewards as a tool against cyber criminals. It cited the Costa Rican incident when offering rewards of up to USD$10m for Conti’s key leadership and USD$5m for other Conti co-conspirators.
Conti is the third ransomware group that the State Department has offered rewards for, after DarkSide and REvil in November last year. It’s not clear what impact these type of rewards have, but that’s ok: Even if rewards don’t work, they’re low cost until they do.
My Phone is my password
Apple, Google and Microsoft have announced that they’ll support a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. This means that one day you’ll be able to log onto all the things by logging onto your device. Brian Krebs has a good wrap on the tricky but not all that uncommon problems like, what happens when you lose your phone?
Fined for Being Hopeless
The US Department of Transportation’s Pipeline and Hazardous Materials Administration (PHMA) intends to fine Colonial Pipeline USD$1m for not complying with various control standards. Colonial Pipeline was victim of a May 2021 ransomware attack that resulted in significant disruption to US east coast fuel supplies. The fine doesn’t relate to cyber security standards per se, but Colonial essentially ignored the requirement for it to have manual shutdown and restart procedures in place. Colonial’s ‘plan’ for a manual restart was to just figure things out if they ever needed to. PHMA alleges this planning failure “contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack”.
Mandatory MFA for Github
Github will require all users who contribute code to use MFA by the end of 2023. It sounds like Github would like to move faster but will spend some time figuring out how to improve security without it being too much of a PITA, such as by using passwordless authentication (cheerful reason #1).
Knives Out in Spain’s Phone Hacking Fallout
The first campaign involved the domestic targeting of individuals linked to the Catalan separatist movement. The second campaign, most likely international espionage, involved the compromise of the phones of the Prime Minister, the Minister of Defence, and the Interior Minister.
Esteban reportedly admitted the CNI had hacked some Catalan pro-independence politicians after obtaining judicial approval, but the government says the second campaign is “illegal and external”.
It’s not altogether clear why Esteban is being removed. When announcing her dismissal, Defense Minister Margarita Robles implied that it was because the compromise of senior ministers’ phones went undetected for so long. Robles said “that [the hacks of government phones] took a year to discover, well, it is clear there are things that we need to improve”.
“We are going to try to ensure that these attacks don’t happen again, even though there is no way to be completely safe”, Robles continued.
We have our suspicions that Esteban’s removal has more to do with politics than insecure phones — the current minority government relies on Catalan separatist parties for support in Parliament.
What Does the F in F5 Stand For?
It’s been a while since we’ve seen a dunce-cap level vulnerability in enterprise software, but F5 has come through with a doozy. Its BIG-IP portfolio of appliances, which includes encryption inspection boxes, load balancers and firewalls, is vulnerable to an attack that lets people log on as an admin without a password.
And in case anyone is wondering about that special YWRtaW46 authorization.
It's not a hard-coded password. It's an EMPTY password. It base64 decodes to
— Will Dormann (@wdormann) May 9, 2022
A patch is available and this is definitely one to fix quickly. This vulnerability is being exploited and has already been added to CISA’s list of exploited vulnerabilities. There were reports someone was dropping a wiper which deletes the BIG-IP device’s Linux file system, but this doesn’t appear to have been widespread.
A bunch of similar bugs made last week’s Five Eyes 2021 Top Routinely Exploited Vulnerabilities list. These bugs — in Accellion, Fortinet, Pulse Secure and SonicWall devices — are internet-facing, tend to have broad access into a network and often have administrative privileges. Everything an attacker could wish for, wrapped up in a nice null password bug.
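The “empty password” failure described above is worth seeing in code. The example below is added here for illustration; it is not F5’s code and does not model the iControl REST component. It assumes a toy HTTP Basic authentication check with a single constructed account, and shows the difference between a check that trusts any well-formed Authorization header (the shape of bug where the string quoted in the tweet, the Base64 encoding of “admin:”, is accepted) and a hardened check that rejects an empty password and compares secrets in constant time.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store for the demo: one account with a non-empty
# password. A real service would store salted password hashes, not plaintext.
_DEMO_USERS = {"admin": "correct horse battery staple"}


def encode_basic(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (helper for tests/demos)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic Authorization header into (user, password).

    Returns None for anything malformed. Note that "user:" with nothing after
    the colon is *syntactically* valid Basic auth, so an empty password comes
    back as "" here; refusing it is the job of the authentication policy.
    """
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate_weak(header: str) -> bool:
    """Illustrative weak check (the bug class described in the text).

    The presence of a well-formed header naming a known user is treated as
    proof of identity; the password is never examined, so an empty one works.
    """
    creds = parse_basic_auth(header)
    return creds is not None and creds[0] in _DEMO_USERS


def authenticate_strict(header: str) -> bool:
    """Hardened check: unknown user, empty password and wrong password all fail."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    expected = _DEMO_USERS.get(user)
    if expected is None or not password:
        # Empty password is never acceptable, regardless of what the store holds.
        return False
    # Constant-time comparison so response timing does not leak partial matches.
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    empty_pw = "Basic YWRtaW46"  # "admin:" -> user admin, empty password
    print("weak  :", authenticate_weak(empty_pw))    # True  (accepted)
    print("strict:", authenticate_strict(empty_pw))  # False (rejected)
```

The point of the pair is that the parser is not where the defence belongs: both checks decode the header identically, and only the policy layer decides that “admin with no password” is not an authenticated admin.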
US college to shut down
Lincoln College, a predominantly black college based in Illinois, is scheduled to shut down operations on Friday, becoming the first US educational institution to close down due to a ransomware attack, The Hill reported on Sunday. In a message posted on their website, college officials said the institution has struggled to recover its data following a ransomware attack that took place in December 2021. While the college has been struggling with enrollments due to the COVID-19 pandemic, the attack hindered access to all institutional data, blocking access to recruitment, retention, and fundraising efforts, and creating an unclear picture for next year. When systems were restored in March, officials discovered too late a grim enrollment projection for fall 2022, which would have required a great financial effort to keep the college afloat.
Another crypto heist
The operators of decentralized finance (DeFi) lending and credit protocol Fortress announced on Sunday that about $3 million worth of cryptocurrency was stolen during an attack on third-party infrastructure. While the company has not published a full post-mortem of the recent incident, Fortress described the incident on Twitter as an “oracle manipulation attack” that drained all its funds.
Fortress has been hit with what we believe is an oracle manipulation attack draining all funds. We are investigating to determine the exact method of attack.
PLEASE DO NOT SUPPLY ANY ASSETS TO FORTRESS! https://t.co/o0Sqznl2wP
— Fortress Protocol (@Fortressloans) May 9, 2022
Federal employees have asked a judge to approve a $63 million settlement in a class-action lawsuit related to the 2015 OPM data breach. The settlement, if approved, would grant between $700 and $10,000 to current and former OPM employees who had their data snatched by Chinese state hackers back in 2015. More than 21.5 million OPM employees had their information stolen, but only those who can prove a direct economic loss from the hack will be eligible for compensation.
9 May hacks
Pro-Ukraine hacktivists have hacked and defaced several Russian TV and online platforms on Monday during Russia’s Victory Day celebrations, WaPo reported. The attackers defaced TV schedules on Russian smart TVs and widgets on the Yandex search engine to show a message reading: “On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war.” In addition, the hackers also launched an attack against RuTube, a local Russian YouTube-like video hosting platform. Initially, the attackers claimed to have wiped the site’s content, but RuTube denied their claims in a statement published on Tuesday. The Russian video platform said that 75% of its web infrastructure was destroyed but that its source code and video archives were intact.
The New Zealand Automobile Association said that it recently discovered that a threat actor used a vulnerability to extract personal data for some of its users from one of its older websites. In a statement posted on its official site, AA said the attacker exploited a bug in a version of AA Traveller, an online platform for making travel reservations. AA said the vulnerable site was in use between 2003 and 2018 but did not say how many users had their personal data stolen in the attack. This is the second time that AA has disclosed a breach of this nature, after a first incident in 2010.
Clearview AI lawsuit
The ACLU and Clearview AI have agreed to a court settlement that will ban the company from selling its biometrics database to private businesses or individuals in the US. Both parties celebrated the settlement as some sort of win, but as Michael Kan, a reporter for PCMag, pointed out, Clearview appears to have won more, as the company was not selling its facial recognition tech to private businesses in the first place, only to state agencies, meaning the settlement will have little impact on its operations.
Clearview AI's lawyers celebrating the settlement it struck with ACLU, given that the company was already not selling facial recognition tech to private companies. 'This settlement is a huge win for Clearview AI.' pic.twitter.com/Qz0tikdoD2
— Michael Kan (@Michael_Kan) May 9, 2022
CCC privacy warning
Germany’s Chaos Computer Club, one of the largest hacker communities in the world, published a blog post on Tuesday [in German] warning their members about the EU’s plan to screen all IM/chat messages. Euractiv has obtained and broken down a copy of the EU’s proposed plans—meant to combat child pornography.
Pentagon hates data brokers
And now for an oxymoron from the US government on data brokers and privacy. For starters, the US DoD has put out a call to the private sector for solutions to protect its military and civilian personnel from data tracking and data brokers that can amass vast quantities of information about its staff.
ICE loves data brokers
But on the same note, ICE absolutely loves data brokers, according to a recent report. Academics from Georgetown University said that they’ve discovered that ICE has used data brokers to bypass US judicial, legislative, and public oversight and build a surveillance system capable of tracking most US citizens.
Must-read report from @GeorgetownCPT. ICE's surveillance infrastructure is massive:
—scanned driver’s license photos of 1/3 adults
—access driver’s license data of 3/4 adults
—tracks movements of drivers in cities home of 3/4 adults
—and much, much more https://t.co/20jg7mL4df
— Justin Sherman (@jshermcyber) May 10, 2022
DOD cyber to get State Dept. oversight
Cyberscoop reported on Tuesday that the White House is preparing an agreement to give the State Department more say in some DOD offensive cyber operations. The State Department will have a say in whether the DOD sends notifications to foreign countries about its intention to enter their cyberspace to interrupt adversary infrastructure, according to sources familiar with the future agreement.
New Kaspersky probe
Following Russia’s invasion of Ukraine, US officials have started a new probe into Russian security firm Kaspersky, Reuters reported on Monday, citing three people familiar with the new investigation. The probe is being led by the US Department of Commerce using broad new powers granted to it by the previous Trump administration. Reuters claims these new powers could allow the Commerce Department to ban the use of Kaspersky software across the US, bar purchases by US citizens, or prohibit the download of software updates. US regulators already banned federal government use of Kaspersky software in 2017.
Biden signs cybercrime bill
Spain fires intel chief
The Spanish government has fired the director of its intelligence agency, citing the agency’s failure to detect the Pegasus spyware on the phones of Spanish officials for more than a year. Paz Esteban, director of the National Intelligence Center (CNI), was relieved of duties on Tuesday. Prime Minister Pedro Sánchez’s mobile phone was breached twice in May 2021, and Defense Minister Margarita Robles’ device was targeted once the following month, per an AP report earlier this month.
Microsoft’s security team said on Monday that it tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities. Microsoft called the DEV-0193 cluster (also known as Trickbot) “the most prolific ransomware group today.”
The team at BlackBerry has published an in-depth report on DCRat (or DarkCrystal RAT), a remote access trojan sold on underground cybercrime markets. Sold predominantly on Russian underground forums, BlackBerry said DCRat was one of the cheapest commercial RATs they’ve ever come across, priced at only $6 for its lowest tier.
Finland’s cybersecurity agency published an alert on Tuesday about a new wave of SMS spam distributing links to apps infected with the FluBot Android malware.
German car dealerships
Check Point has a report out on an email phishing campaign targeting German car dealerships and manufacturers. The final payloads in the attacks are infostealers such as Raccoon, AZORult, or BitRAT.
UK hacker charged
The DOJ has charged a UK national for a hacking campaign that took place between 2011 and 2018. The suspect stands accused of gaining access to email servers and computers belonging to US financial institutions in order to steal money from online bank accounts and make unauthorized stock transactions from brokerage accounts. The suspect was detained in the UK in August 2021, and the US is now seeking his extradition.
Security firm Cybereason has published a report on the Quantum Locker ransomware, the latest rebrand of the MountLocker crew. Previous rebrands included the AstroLocker and XingLocker ransomware variants.
New REvil samples
Secureworks has published a report on samples of the REvil ransomware used in attacks over the past weeks. The company concluded that this new REvil group has access to the original REvil ransomware source code, “reinforcing the likelihood that the [REvil] threat group has reemerged.”
Trend Micro has published a report on the new Black Basta ransomware operation, believed to have splintered off from the old Conti gang.
Something we missed last month—Resecurity’s report on Frappo, a new Phishing-as-a-Service platform for cybercrime groups.
F5 active exploitation
Owners of F5 BIG-IP devices (load balancers, firewalls, and proxies) are advised to install the security updates F5 Networks released last week for a vulnerability tracked as CVE-2022-1388. Multiple threat intel analysts and security firms report that several threat groups are now exploiting this bug, which has already been used to hijack at least 300 devices. The attacks began earlier this week and were fast-tracked by the PoCs that several security researchers published for this bug over the weekend.
⚠ Patch Now, already +300 compromised F5 devices via CVE-2022-1388! https://t.co/TBp96ETNjX
— Will (@BushidoToken) May 10, 2022
Google reviews AMD security processor
Google’s infamous Project Zero team has released a security audit [PDF] of the AMD Security Processor (ASP), an isolated core in AMD EPYC CPUs that handles secure system initialization. The report found 19 security issues. Google said AMD fixed all reported flaws.
A security researcher has recently avoided a major disaster by registering the expired domain that was used as the email domain for a very popular npm library. If left unregistered, the domain and the npm package could have been hijacked by a threat actor. This new technique of hijacking npm accounts was first discussed in an academic paper published last December. At the time, the researchers said they found that thousands of npm packages were using expired email domains for their npm portal accounts.
I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
Yesterday was Patch Tuesday, so there are loads of security updates to apply this morning, such as those from VMware, Adobe, and Microsoft. The Microsoft updates also included a fix for an actively exploited zero-day (CVE-2022-26925), and half of the 75 fixed vulnerabilities were reported by one single company—China’s Kunlun Lab.
Kunlun lab reported 30 of the total 74 fixed vulnerabilities this month, with 3 different CVSS 9.8 rated ones related to LDAP & NFS. https://t.co/8u7dkDBwrB
— mj0011 (@mj0011sec) May 10, 2022
One Year Later, US Regulator Proposes Colonial Pipeline Fine
The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed fining Colonial Pipeline nearly $1 million for control room management failures that contributed to the severity of the May 2021 cyberattack. One year ago, Colonial Pipeline shut down operations in the wake of a ransomware attack. According to a PHMSA press release, the Notice of Probable Violation (NOPV) and Proposed Compliance Order “alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack.”
- While PHMSA is still under the US Department of Transportation, the Transportation Security Administration (TSA) which is under DHS has overall responsibility for pipeline security. Until the Colonial Pipeline incident, TSA largely focused on voluntary compliance and interviews on security issues, mostly focused on operational technology and physical security, with no real audits. Since the incident, TSA has put out 2 Pipeline Cybersecurity Directives (one requiring a “Cybersecurity Coordinator” for the first time) and established a cybersecurity operations branch. This is a good example to use to drive a proactive review of (a) cross OT/IT cybersecurity visibility into and security testing of OT cybersecurity and (b) development of playbooks for response to a cyber incident that impacts OT operations directly or indirectly.
- If you had not considered regulatory fines for breaches and ransomware, here is an example you can use. The direct cost is more obvious: negotiator, incident response, recovery, etc. I go deeper into these costs in my blog: www.scythe.io/library: The Real Costs of Ransomware: Direct Costs
- This emphasizes the importance of a viable COOP plan. If you’re in a regulated industry, you need to make sure that your regulators are on-board with your service resumption goals. Even so, you need to make sure you can meet those goals, to include any assumptions about acquisition. Revisit plans about backup communication paths as well as changes to perimeter security to facilitate resumption of operations. The last two years have taught us that exposed services are rapidly targeted, remember security by obscurity isn’t. Stand things up securely from the get-go.
- In addition to fines, accountability for these failures should include changes in governance, directors, and management. Fines alone are not sufficient to change an organization’s behavior.
Read more in
- PHMSA Issues Proposed Civil Penalty of Nearly $1 Million to Colonial Pipeline Company for Control Room Management Failures (Press Release)
- Notice of Probable Violation Proposed Civil Penalty and Proposed Compliance Order (PDF)
- Regulator Proposes $1 Million Fine for Colonial Pipeline One Year After Cyberattack
- Transportation Proposes Near $1M Fine for Colonial Pipeline One Year After Hack
Raspberry Robin Spreads Via External Drives
Analysts from Red Canary have detected a worm that spreads via external USB drives. Dubbed Raspberry Robin, the malware uses Microsoft Standard Installer to communicate with its command-and-control infrastructure, which is largely made up of compromised QNAP devices.
- Even if you aren’t interested in this particular malware, read it for a nice example on how to provide actionable information about detecting this type of malware and the particular techniques being used will likely be found in other malware as well.
- Am I the only one who thought this was a Raspberry Pi issue? Not so much. This is the loaded media problem; once again your QNAP devices are in the cross hairs. This reminds us to not allow autoplay on removable media, only use trusted media, and ideally, scan it before inserting it into system components. Note that NGAV systems tend to not perform disk scanning, they scan when files are opened, so you need a separate process for that.
Read more in
- USB-based Wormable Malware Targets Windows Installer
- New Raspberry Robin worm uses Windows Installer to drop malware
- Raspberry Robin gets the worm early
Big-IP Flaw is Being Actively Exploited: Patch Now
A critical vulnerability in F5’s Big-IP appliances is being actively exploited. F5 released fixes for the flaw last week. The flaw affects the Big-IP iControl REST authentication component. It can be exploited to execute commands with root privileges and could potentially allow attackers to take complete control of vulnerable devices.
- This is a serious vulnerability and represents a foundational misunderstanding of threat modeling. Regardless of authentication bypass issues, F5 essentially built a webshell into its product. The only saving grace is that the management interface of the F5 should not be accessible from the Internet. Still, we’re already observing threat actors exploiting the vulnerability. I wrote a blog post on the post-exploitation activity observed and recorded a video dissecting the vulnerability, including recommendations for organizations.
Blog post: www.scythe.io: VULN ALERT: F5 Big-IP appliances vulnerability – CVE-2022-1388
Video: www.youtube.com: Threat Emulation Plans for F5 Big-IP appliances vulnerability – CVE-2022-1388
- Our honeypots started seeing numerous exploit attempts Sunday-Monday night. Exploit attempts include simple recon, backdoors (including webshells), data exfiltration and even two attempts to destroy the devices. Please see this as yet another “last warning” to remove admin/control interfaces from public networks and carefully restrict traffic to these interfaces. This particular vulnerability is about as bad as they come, but F5 isn’t the only one having patched an unauthenticated remote code execution flaw recently. The number of exposed systems is small, but if your system is vulnerable and exposed, it was likely exploited by now.
- Readers of this newsletter probably know to turn off external management interface, but when’s the last time you ran ssh [email protected] nmap $(curl icanhazip.com) on your home network? On your friends’ and relatives’?
- If you’re still procrastinating because the flaw wasn’t well known, or being exercised, time’s up. Make sure that you’ve got your roll-back process well defined then get that maintenance window lined up. Repeat until done.
Read more in
- Hackers are actively exploiting BIG-IP vulnerability with a 9.8 severity rating
- Hackers exploiting critical F5 BIG-IP flaw to drop backdoors
Agricultural Equipment Company Systems Hit with Ransomware
Agricultural machinery maker AGCO says its systems were hit with a ransomware attack. The incident affects some of its production facilities. AGCO says it “is still investigating the extent of the attack, but it is anticipated that its business operations will be adversely affected for several days and potentially longer to fully resume all services.”
This is the time of year when agricultural machinery is in high demand as crops are planted, making the attack even more disruptive. While you may not have heard of AGCO, its brands include Challenger®, Fendt®, GSI®, Massey Ferguson® and Valtra®, and its biggest rivals are Caterpillar, Komatsu and John Deere & Company. We’ve been talking about supply chain risks for a bit, but have you considered the availability of large system components and your realistic ability to pivot to alternatives? How about when those components are pre-paid? How about a supplier which provides services that manage operations?
Read more in
- Ransomware plows through farm machinery giant AGCO
- US agricultural machinery maker AGCO hit by ransomware attack
- AGCO Announces Ransomware Attack
Microsoft Fixes Azure Data Factory and Azure Synapse Pipelines Vulnerability
Microsoft has released updates to address a vulnerability affecting Azure Data Factory and Azure Synapse Pipelines. The issue could be exploited to execute remote commands across Integration Runtimes. Microsoft does not expect that customers will need to take any action, but in the event that action is necessary, customers will receive notifications through Azure Service Health Alerts.
If you’re running Azure Integration Runtime, or on-premises Self-Hosted Integration Runtime, with auto-updates enabled, you’re good to go. If you’re not so big on auto-update – keep an eye on your Azure Service Health notifications and have a frank conversation about enabling auto-updates, things are moving pretty fast these days, and leveraging auto-updates from your providers can save you all sorts of long-term issues.
Read more in
- Upcoming improvements to Azure Data Factory and Azure Synapse Pipeline infrastructure in response to CVE-2022-29972
- Microsoft releases fixes for Azure flaw allowing RCE attacks
RubyGems Fixes Critical Unauthorized Gem Takeover Flaw
RubyGems has fixed a critical vulnerability that could be exploited to unpublish Ruby packages from the repository and put altered and/or malicious versions in their places. The flaw affected RubyGems.org, which hosts more than 170,000 gems.
This was a simple oversight and there is no evidence it’s been exploited. While authentication and most rights were indeed checked, the check that the gem you were accessing was indeed the one you’re permitted access to was missed; this has been fixed. RubyGems also now sends an email to the gem owner when a gem is yanked or published. As a package owner, you should audit your gems for signs of potential tampering as well as make sure that you’re following the best practices outlined in the mitigation section of the RubyGems GitHub page below.
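What the missed check looks like in code, as an added example that is not RubyGems’ own code: a yank (unpublish) handler that authenticates the caller and confirms they own some gem but resolves the requested version registry-wide, beside a fixed handler that resolves it only inside the caller’s own gems and notifies the owners. The in-memory registry, record types and method names are assumptions made for this example.

```ruby
# Added illustrative example, not RubyGems' own code. Registry, record types
# and method names are assumptions; the scenario data is constructed.

class NotAuthorized < StandardError; end
class NotFound      < StandardError; end

GemRecord  = Struct.new(:name, :owner_ids)
GemVersion = Struct.new(:gem_name, :number, :platform, :yanked) do
  # "name-number" or "name-number-platform": the identifier a yank request carries
  def full_name
    [gem_name, number, platform].compact.join('-')
  end
end

class Registry
  attr_reader :notifications

  def initialize
    @gems = {}            # gem name => GemRecord
    @versions = []        # every published GemVersion
    @notifications = []   # [owner_id, message] pairs, standing in for e-mail
  end

  def publish(gem_name, number, owner_ids:, platform: nil)
    @gems[gem_name] ||= GemRecord.new(gem_name, owner_ids)
    version = GemVersion.new(gem_name, number, platform, false)
    @versions << version
    version
  end

  def owned_by(user_id)
    @gems.values.select { |g| g.owner_ids.include?(user_id) }
  end

  # Vulnerable pattern: the caller is authenticated and confirmed to own *some*
  # gem, but the version is then looked up across the whole registry, so nothing
  # ties the yanked version to a gem the caller is actually permitted to touch.
  def yank_unscoped(user_id, full_name)
    raise NotAuthorized, 'not a gem owner' if owned_by(user_id).empty?
    version = @versions.find { |v| v.full_name == full_name && !v.yanked }
    raise NotFound, full_name unless version
    version.yanked = true
    version
  end

  # Fixed pattern: resolve the version only inside the caller's own gems, so a
  # version of someone else's gem is simply not found, then notify every owner.
  def yank_scoped(user_id, full_name)
    owned_names = owned_by(user_id).map(&:name)
    raise NotAuthorized, 'not a gem owner' if owned_names.empty?
    version = @versions.find do |v|
      owned_names.include?(v.gem_name) && v.full_name == full_name && !v.yanked
    end
    raise NotFound, full_name unless version
    version.yanked = true
    @gems[version.gem_name].owner_ids.each do |owner|
      @notifications << [owner, "#{full_name} was yanked by user #{user_id}"]
    end
    version
  end
end

# Constructed scenario: user 1 owns "alpha", user 2 owns "beta"; user 1 asks to
# yank a version of "beta". Returns [unscoped result, scoped result,
# legitimate owner result, notifications sent].
def demo
  unscoped_reg = Registry.new
  unscoped_reg.publish('alpha', '1.0.0', owner_ids: [1])
  unscoped_reg.publish('beta',  '2.1.0', owner_ids: [2])
  cross_gem_yank = begin
    unscoped_reg.yank_unscoped(1, 'beta-2.1.0').yanked   # true: slipped through
  rescue NotFound, NotAuthorized
    false
  end

  scoped_reg = Registry.new
  scoped_reg.publish('alpha', '1.0.0', owner_ids: [1])
  scoped_reg.publish('beta',  '2.1.0', owner_ids: [2])
  refused = begin
    scoped_reg.yank_scoped(1, 'beta-2.1.0').yanked
  rescue NotFound
    false                                                 # correctly refused
  end
  by_owner = scoped_reg.yank_scoped(2, 'beta-2.1.0').yanked
  [cross_gem_yank, refused, by_owner, scoped_reg.notifications.size]
end

puts demo.inspect   # [true, false, true, 1]
```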
Read more in
- Unauthorized gem takeover for some gems
- rubygems CVE-2022-29176 explained
- Check your gems: RubyGems fixes unauthorized package takeover bug
- RubyGems Fixes Critical Gem Takeover Vulnerability
Better Cybercrime Metrics Act Becomes US Law
Last week, US President Joe Biden signed the Better Cybercrime Metrics Act into law. The legislation requires the Department of Justice and the FBI to maintain cybercrime statistics and requires the DoJ to work with the National Academy of Sciences to develop a taxonomy to help make sense of the information.
- Reliable, repeatable data on cybercrime incidents is badly needed, but don’t look for output from this Act for at least two years. The taxonomy effort alone is planned to take 1 year.
- Until the taxonomy is completed, the benefits cannot begin to be realized. With luck this will lead to standardized metrics which will allow us to consistently assess the current landscape.
- This effort might be bootstrapped by starting with the VERIS framework used by the many contributors, including the FBI and Secret Service, to the Verizon Data Breach Incident Report (DBIR).
Read more in
- Biden signs bill aimed at improving data collection on cybercrime
- US Passes Law Requiring Better Cybercrime Data Collection
- Biden signs cybercrime tracking bill into law
- Better Cybercrime Metrics Act (PDF)
US State Department Offers Reward for Info About Conti Ransomware Operators
In an attempt to hobble the Conti Ransomware operation, the US State Department is offering “a reward up to $10,000,000 for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group [and] a reward of up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”
- This is another measure to deter malicious actors but will probably only gain businesses more time to prepare as other actors will fill in Conti’s place. The best time is now folks. Test, measure, train and improve your people, process, and technology. We have a ton of resources at SANS: https://sans.org/purple-team
- Given the alignment of the Conti Ransomware operators with the Russian government, it’ll be interesting to see if anyone takes the State Department up on this offer. Also, as they are a RaaS provider, it’s not clear how much legal action will flow down to their affiliates using their platform. This should be interesting to watch.
Read more in
- Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice
- US offers $15m reward for information about Conti ransomware gang
- U.S. Offers $15 Million Bounty for Leaders of Conti Ransomware Gang
- US offers reward for information on Conti ransomware group leadership, conspirators
Costa Rica Declares Cybersecurity Emergency
Costa Rica’s new president Rodrigo Chaves has declared a state of cybersecurity emergency several weeks after a Conti ransomware attack significantly impaired multiple government computer networks. The country’s treasury has not had access to digital services since mid-April.
- The attacks on Costa Rica commenced April 18th, and they are still recovering, and their government has decided they are not going to pay the ransom. The attack is impacting their Ministry of Finance, Ministry of Science, Innovation, Technology and Communications, National Meteorological Institute, Radiographic Costarricense, Costa Rica Social Security Fund, and others. The reward offered by the US State Department hopes to result in a take-down before others can be harmed. In the meantime, this declaration will enable the support needed to apply resources to recovery, remediation, and prevention of recurrence, just as an emergency declaration after a natural disaster does.
Read more in
- Costa Rica declares national emergency after Conti ransomware attacks
- Costa Rica Declares State of Emergency Under Sustained Conti Cyberattacks
Data broker selling location of people who visit abortion clinics
This week saw the leak of a Supreme Court draft opinion that indicated that the court will soon overturn Roe v. Wade here in the U.S., ending guarantees that protect a person’s constitutional right to have an abortion. Clearly this will have major ramifications, not least for human rights and healthcare — but also for privacy rights, especially for those who seek abortions or need to seek medical and reproductive services in places where procedures are banned. As @josephfcox reported this week it’s incredibly easy to identify people who visit abortion clinics from the location data collected from the apps on people’s phones. @alfredwkng also reported on another data broker that offered location insights on dozens of Planned Parenthood locations. My colleague @carlypage_ explored the not-unfounded fears that data collected from period trackers could be used in a post-Roe world to prosecute people seeking abortions. No matter which way you look at it, we’re on the edge of a major human rights crisis in the U.S., and reporting this week shows just how easy it is for data to be used to identify people. As Recode says, “The pre-Roe world didn’t have data privacy laws. The post-Roe world needs them.”
Read more in
- Data Broker Is Selling Location Data of People Who Visit Abortion Clinics
- Location Data Firm Provides Heat Maps of Where Abortion Clinic Visitors Live
- How to Protect Your Digital Privacy if Roe v. Wade Falls
- Period tracking apps warning over Roe v Wade case in US
- Digital Security and Privacy Tips for Those Involved in Abortion Access
This is nice to see and is also sex work 101 pic.twitter.com/qoeo02Iurt
— Melissa Gira Grant (@melissagira) May 5, 2022
Grindr user data was sold through ad networks
The precise movements of millions of users of the gay-dating app Grindr were collected from a digital ad network since at least 2017, according to sources speaking to the Journal. Grindr cut off the flow of location data two years ago. But for a time this commercially available data contained at-times intimate details about its users, like location data. It’s the same kind of location data that allowed a publication to out a U.S. Catholic official last year as a Grindr user.
Read more in
- Grindr User Data Was Sold Through Ad Networks
- Grindr users’ precise location data was sold to the highest bidder for years
2 years ago, we observed Grindr sharing exact location data with 8 data brokers in the 'advertising' space, including MoPub, back then owned by Twitter.
Now the WSJ found that this data has actually been available for sale, via MoPub, since at least 2017: https://t.co/mymxk9z8ck
— Wolfie Christl (@WolfieChristl) May 2, 2022
Over 200 Spanish mobile numbers ‘possible targets of Pegasus spyware’
The Moroccan government is likely behind the mobile hacking of 200 Spanish phone numbers, including Spain’s prime minister and defense minister, in mid-2021. The hacks happened at a turbulent time for Spanish politics, given the divisive pardons of nine Catalan independence leaders and a separate diplomatic spat with Morocco. Their numbers were on a leaked list of phone numbers said to be possible targets of NSO’s Pegasus spyware, but also Candiru spyware, according to Citizen Lab’s report last month. This week also saw a leading Catalan separatist politician say that Spain’s spy chief “acknowledged” that her agency hacked into the phones of “some” of the Catalonian pro-independence party members. So, to recap: Morocco is likely hacking politicians in Spain, and Spain is likely hacking politicians in Catalonia.
Read more in
- Over 200 Spanish mobile numbers ‘possible targets of Pegasus spyware’
- Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru
- Catalan: Spain spy chief admits legally hacking some phones
- Catalans demand answers after Spanish spy chief confirms phone hacking
Cyber Command did nine ‘hunt forward’ ops last year, including in Ukraine
U.S. Cyber Command, the offensive operations sister agency to the NSA, launched nine “hunt forward” operations last year, which is to say operations that have caused friction to the adversary in cyberspace. One of the operations was to help build resilience in Ukraine ahead of an anticipated (and eventual) Russian invasion. The unit’s chief, Gen. Paul Nakasone, told the AP that some of these operations involved deploying defensive teams, including in Lithuania. As an aside, Nakasone — who has headed both Cyber Command and the NSA under the Trump and Biden administrations — has been asked to stay on for another year beyond his four-year posting.
Read more in
- Nakasone says Cyber Command did nine ‘hunt forward’ ops last year, including in Ukraine
- US Cyber Command Team Helps Lithuania Protect Its Networks
- Nakasone has been asked to remain at helm of NSA, Cyber Command
- U.S. Brings Back Cyber Team to Combat Possible Election Meddling
Heroku resets user passwords weeks after GitHub OAuth token theft
ZDNet: Heroku has reset user passwords after sending out a last-minute alert warning users that their API access would also get wiped out and would need to be regenerated. It follows a security incident on April 12 that saw a theft of OAuth tokens — four tokens related to Heroku Dashboard and one from Travis CI. The OAuth token theft was detected by GitHub. The tokens were used to read and list all of the private repos the attackers could access, and to download the contents of private repos from dozens of organizations. SecurityWeek explains more, too. People are rightfully not thrilled about Heroku’s handling of all this.
Read more in
- Heroku to begin user password reset almost a month after GitHub OAuth token theft
- Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators
- Heroku Security Notification
Heroku’s GM’s blog post: “env vars weren’t accessed”
Two hours later, in the incident status update: “actually they were accessed but they were encrypted”
This is the kind of bullshit that destroys trust.
— jacobian (@jacobian) May 7, 2022
GitHub will require all code contributors to enable two-factor by 2023
TechCrunch: Speaking of GitHub, the coding platform giant will require all users who contribute code to enable two-factor authentication by the end of 2023. According to GitHub’s own data, only about 16% of active GitHub users and 6% of npm users have 2FA enabled. Per @fredericl: “That is not a lot, and frankly fewer than I would have expected.” Here’s GitHub’s explainer on the data.
Read more in
- GitHub will require all users who contribute code to enable two-factor authentication by the end of 2023
Man convicted in phishing scam that cost Pentagon $23.5M
Decipher: A California man was convicted this week of launching a complex phishing attack that allowed him to steal the login credentials of a defense contractor employee, who was responsible for communicating with the Pentagon using a government system, to break in and redirect $23.5 million in federal funds to a bank account that he owned. The money was meant for supplying jet fuel to troops in southeast Asia. (So, did he not think the government wouldn’t notice when their jet fuel didn’t turn up?) Still, a good lesson for network defenders. More from Bleeping Computer, and the Justice Department’s own presser.
Read more in
India’s new super app has a privacy problem
How much would it completely upend your day if you logged into a new app for the first time and all of your personal data was already there? That’s what happened to many in India who signed up to Tata Neu, the country’s latest do-everything app. The app is run by the Tata Group, one of India’s largest conglomerates and a regular household name, which has amassed so much personal information — in large part because India has incredibly lax privacy rules.
Read more in
Google drops IOCs on threat activity in eastern Europe
Google’s TAG has a new blog post with new indicators of compromise for a range of threat actors operating in Eastern Europe using the war in Ukraine as a lure. Russia’s APT28 or Fancy Bear gets a mention, as does Turla and Ghostwriter, a Belarusian group with links to Moscow, as well as an espionage group operating out of China.
U.S. planning significant sanctions on Hikvision
According to the Financial Times, the U.S. is close to imposing new sanctions on Hikvision, the China-based video surveillance equipment maker accused of supplying its technology to detention camps in Xinjiang, which Beijing uses to oppress the largely-Uyghur population. The new sanctions would put Hikvision on the same “specially designated nationals” list as terrorists and drug traffickers and would make it near-impossible for U.S. and other Western countries to do business with Hikvision. Last month I spoke with a Kyrgyz man and a former Xinjiang prisoner, who gave a first-hand account of the use of Hikvision’s technology in the camps. Washington is already in discussions about the sanctions with allies, per Reuters.
Big tech teams up on passwordless tech
Of the few things that Silicon Valley can get behind, a future without passwords is one of them. Google, Apple and Microsoft said this week (via ZDNet) that they will build passwordless support into their devices and platforms. “This means that, sooner or later, you won’t need a password to log into devices, websites or applications. Instead, your phone will store a FIDO credential called a passkey, which is used to unlock your device — and your entire online account.”
Ikea Canada hit by data breach, instructions unclear
An employee of Ikea Canada compromised a database of 95,000 Canadian customers, according to Dark Reading, by performing unsanctioned searches over a period of three days in early March. Ikea confirmed the breach and said that personally identifiable information was compromised — including names, email addresses, phone numbers and postal codes — but that banking information was not included.
CERT-IN’s VPN logging announcement in context
The latest rules by CERT India asking VPN providers to collect user data or face jail terms is interesting because the organisation lacks both:
- the technical capability
- the enforcement powers
Their technical limitations were on display in November 2019 when Meta reported the vulnerabilities in WhatsApp that were used by Pegasus. CERT-IN famously responded that it was “a communication in pure technical jargon”:
Sources: WhatsApp had given information to CERT-IN, a government agency as seen in the attached image in May. As is seen in the image, it is a communication in pure technical jargon without any mention of Pegasus or the extent of breach. pic.twitter.com/RPIgIntu1X
— ANI (@ANI) November 1, 2019
The VPN notification also contains gems, such as:
- Strict requirement to use specific Indian controlled NTP servers, 3 out of 4 of which are down.
- Report incidents via a form (whatever happened to STIX or TAXII?)
- Including port scanning attempts (!!)
- Mandatory logging of data with 180 days retention for every server
- Every data centre, public company or corporation that provides hosting or cloud services must collect user data.
Oh well forget IPv6…
2 out of 3 of @CSIR_NPL's NTP servers are down!
— (@kingslyj) May 1, 2022
The Ukraine war has clearly demonstrated the dangers of relying on other countries’ infrastructure. It is understandable to want to limit reliance on external infrastructure.
The key takeaway here, though, is that although countries want to be self-reliant, aspiration is no substitute for capacity, capability and budgets.
GitHub Will Require 2FA for Developers and Other Contributors by End of 2023
GitHub says that it will require all code contributors to enable two-factor authentication (2FA) by the end of next year. GitHub CSO Mike Hanley wrote that “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”
- This is awesome. Comprehensive 2FA is essential to prevent bypass use cases. Be proactive and enable 2FA for your account now rather than scrambling, and getting stressed, after a hard deadline. Check out the npm 2FA phased rollout timeline to be aware of when you may fall into an enforcement window and to model a plan for getting your staff and contributors on 2FA.
- GitHub had previously said only developers and admins would be subject to the 2FA requirement; good to see the strong authentication mandate extended.
Read more in
- Software security starts with the developer: Securing developer accounts with 2FA
- By end of 2023, GitHub to force code contributors to use two-factor authentication
- GitHub to require two factor authentication for code contributors by late 2023
- GitHub requires all coders to use 2FA by end of 2023
- GitHub launches new 2FA mandates for code developers, contributors
Apple, Microsoft and Google Will Support Passwordless Authentication
Microsoft, Apple, and Google have announced that they will implement standards developed by the FIDO Alliance and World Wide Web Consortium (W3C) intended to eliminate passwords. The new standards will allow users to authenticate with PINs or biometric information.
- This is by far the most promising effort to solve the authentication challenge. In my opinion, the most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators. If you haven’t done so yet: Look into what it will take to integrate these standards with your web application.
- Great to see but most previous attempts at getting standards to be agreed upon and implemented by these “big three” have failed. I think this has a much better chance of success. Fewer passwords in use are better than more, but important to see the protocols and implementations thoroughly pounded on by researchers before any releases.
- Adoption of new stronger authentication technology can be hastened by it being easier and faster than the old technology. The new standards from FIDO and W3C being implemented in Office, Azure, iPhones, Chrome, Gmail, and iCloud are intended to do just that, enabling access to existing passkeys, allowing mobile devices to be used for authentication on a nearby computer. It’s time to see where these activities lie on your IDP or service provider’s roadmap to build a path forward towards passwordless authentication for your users.
Read more in
- Microsoft, Apple, Google accelerate push to eliminate passwords
- Google, Apple, Microsoft make a new commitment for a “passwordless future”
- Microsoft, Apple, and Google to support FIDO passwordless logins
White House National Security Memorandum on Quantum Computing
The White House has issued a new National Security Memorandum that “identifies key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security.” Agencies that fund quantum computer research or develop or acquire quantum computers have 90 days to “coordinate with the Director of the Office of Science and Technology Policy to ensure a coherent national strategy for quantum information science (QIS) promotion and technology protection.”
- The risks a cryptanalytically relevant quantum computer would pose to all existing use of public key crypto have long been known and discussed. But, quantum has kinda been another Y2K-like risk, but without a deadline. Good to see a proactive, but reasonably timed, effort being put in place (public comment period to open in 90 days) to lead a new federal crypto standard by 2024. This memorandum also recognizes that US adversaries will focus on stealing quantum technology being developed in the US and mandates extra protections be implemented by all development organizations.
- Implementing new encryption algorithms will take years or even decades. This is why we need to worry about this now. The threat from quantum computing may never materialize, but it doesn’t hurt to think ahead now.
- The goal is to move to cryptographic agility, allowing for migration to encryption which is resistant to decryption by a cryptanalytically relevant quantum computer (CRQC) attack. Within one year of the memo, all agencies are expected to report on information systems which have not mitigated risks of CRQCs. The challenge will be availability of products which meet updated NIST cryptographic standards (FIPS 140) which agencies are required to implement, along with maintaining backwards compatibility to support collaboration with others who have not implemented support for these new standards.
Read more in
- National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems
- White House: Quantum computers could crack encryption, so here’s what we need to do
- White House rolls out new timelines, mandates for ‘post quantum’ encryption replacement
- White House: Prepare for cryptography-cracking quantum computers
Dept. of Health and Human Services FISMA Compliance Audit
An Office of Inspector General (OIG) audit of the US Department of Health and Human Services’ (HHS) compliance with the Federal Information Security Modernization Act (FISMA) found the agency’s security program ineffective. “The determination was made based on HHS not meeting the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, and Recover function areas as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.”
- Most of the deficiencies stemmed from lack of full implementation of continuous monitoring based on tools/platforms from the DHS Continuous Diagnostics and Mitigation (CDM) Program. HHS, like many, has a distributed responsibility model from HQ to operational divisions to contractors. This complicates asset inventory, configuration management and full monitoring/reporting but is the realistic model for most organizations. Takes more support from the top, and often some additional funding, to completely move the operating divisions away from legacy security controls that have already been paid for.
- As an agency, this is not what you want to hear from your IG. The audit was performed by E&Y on behalf of the HHS OIG. While the report [oig.hhs.gov: Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021 (PDF)] notes improvements since the 2020 evaluation, they are not sufficient to meet the requirements, highlighting the need for stronger supply chain security controls, something we’re all dealing with. Read through the management responses in the report; many areas of concern are things we’re all dealing with: identity management, identification and categorization of systems, configuration management, appropriate visibility into current state and making sure that security remains in place. Note the challenges identified in a federated environment and think about how that applies to your own autonomous or semi-autonomous business units or partners when meeting your cybersecurity and interoperation goals.
Read more in
- OIG: Evaluation of FISMA Shows HHS Security Program “Not Effective”
- Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021
Operational Continuity-Cyber Incident Checklist for Healthcare Organizations
The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has developed an Operational Continuity-Cyber Incident checklist. The checklist “is intended to provide a flexible template for operational staff and executive management of healthcare organizations to respond to and recover from an extended enterprise outage due to a serious cyber-attack. Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity, and capabilities.”
- If you are in healthcare or related medical services, this is a good checklist to apply against your existing playbooks and processes.
- While this is intended as a tactical measure in response to collateral damage from current cyberwarfare activities, this is a good checklist beyond the healthcare industry. Note that this checklist [healthsectorcouncil.org: Operational Continuity – Cyber Incident (OCCI)] is a collection of homework assignments, many of which you’ve already completed. Make sure that you’ve got validated copies in known locations which are accessible during an incident. If you’re keeping physical copies in binders, make sure they are maintained on a regular, non-optional basis.
- This kind of guidance is preferable to that (such as HIPAA) which expects buyers and end users to do “risk assessments” which require knowledge and experience that most do not have. While efficient security must be risk based, the most significant risks are common to most organizations. We know what they are; we should not expect each organization to discover them de novo.
Read more in
- HSCC Creates Operational Continuity Checklist For Navigating Cyberattacks
- Health Industry Publishes “Operational Continuity-Cyber Incident (OCCI)” Checklist
- Operational Continuity-Cyber Incident Checklist Published by HSCC
Heroku Acknowledges Cyberattack, Resets User Passwords
Cloud platform as a service Heroku has acknowledged that customer account credentials were compromised in a cyberattack a month ago. Heroku began resetting user account passwords earlier this week.
- Heroku notes that some customers may also receive notifications directly from Salesforce relating to actions required after the breach. The exfiltrated passwords are salted and hashed; even so, a forced rotation is a great idea. In addition to password rotations, integration with GitHub and the Heroku dashboard or automation remains disabled; the status update from April 26th includes instructions for deploying their apps until the integration is restored.
Read more in
- Heroku Security Notification
- Heroku admits that customer credentials were stolen in cyberattack
- Heroku Forces User Password Resets Following GitHub OAuth Token Theft
- Communication around Heroku security incident dubbed ‘train wreck’
- Heroku to begin user password reset almost a month after GitHub OAuth token theft
VPN Providers Find India’s New Rules Onerous
VPN companies have said they might not comply with a new rule from India’s Computer Emergency Response Team (CERT-In) that requires them to collect customer information and retain it for several years. CERT-In wants the companies to keep the information to help with potential cybercrime investigations. Some VPN companies say they might stop operating within the country.
- If your business model is based on anonymity, or not providing logs, this new law makes doing business in India a non-starter. As a user, use of a VPN to secure traffic where your network connection is untrusted remains a best practice. Keep an eye on guidance from your provider when planning use in foreign countries to avoid regulatory entanglements.
New Framework for Apps and Technology Not Covered by HIPAA
The American College of Physicians, the American Telemedicine Association, and the Organization for the Review of Care and Health Applications have jointly developed a framework to help secure health-related technology and apps that are not subject to the Health Insurance Portability and Accountability Act (HIPAA).
- The new framework is being piloted, and uses technology which isn’t incorporated into the current HIPAA act. In parallel, a new Health Data Use and Privacy Commission Act is in committee. This new act is intended to update the HIPAA requirements allowing for better alignment with modern technology. The trick is to create a framework which provides guidance that is not technology-specific to support advancement and innovation.
Read more in
- American College of Physicians and the American Telemedicine Association Collaborate on New Digital Health Assessment Framework
- New framework aims to secure digital health apps not covered by HIPAA
- ACP, ATA, ORCHA announce new framework supporting health app safety
NIST Updates Supply Chain Risk Guidance
The US National Institute of Standards and Technology (NIST) has published updated guidelines for software supply chain risk management. The document is the result of two earlier drafts and is part of NIST’s response to Executive Order 14028: Improving the Nation’s Cybersecurity.
- This will help you get your arms around beefing up your supply chain security efforts. Watch for an upcoming “quick start” guide to help start your processes. While some actions may require resources and funding, progress can be made with tweaks to existing processes and procedures you can implement today.
- “The primary audience for the revised publication is acquirers and end users of products, software and service.” Caveat Emptor. Buyers and end-users cannot solve this problem. The solution rests with suppliers, with their transparency and accountability. Start with a digital software bill of materials.
Read more in
- NIST Updates Cybersecurity Guidance for Supply Chain Risk Management
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (PDF)
- NIST Issues Guidance for Addressing Software Supply-Chain Risk
- NIST updates guidance for defending against supply-chain attacks
- NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks
F5 Big-IP Critical Remote Code Execution Flaw
F5 has released fixes to address a critical vulnerability in the Big-IP iControl REST component; the flaw could be exploited to bypass authentication and potentially take control of vulnerable systems. F5 has released fixes for affected 13.x, 14.x, 15.x, and 16.x versions of Big-IP, but will not be issuing fixes for affected 11.x and 12.x versions.
- This is an authentication bypass flaw with a 9.8 CVSS score. As your Big-IP is often an Internet-facing device, you’re going to want to verify the plans to remediate or mitigate this vulnerability. The mitigations may be more complex than simply applying the update. Even so, make sure that you’re limiting access to your iControl REST and other management interfaces for your F5 products. If you’re on devices running versions prior to 13.x of BIG-IP, you need to update or replace them (The current version is 17.x) Note that BIG-IQ, F5OS-A/C and Traffix SDC devices are not affected.
Read more in
- K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
- F5 Warns of Critical Bug Allowing Remote Code Execution in BIG-IP Systems
- F5 warns of critical BIG-IP RCE bug allowing device takeover
Cisco patches vulnerabilities in ASA, FTD
Cisco disclosed and patched several vulnerabilities in some of its most notable security systems — Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) and Firepower Management Center (FMC). Of the 19 vulnerabilities fixed earlier this week, 11 are of high severity. CVE-2022-20746 is the most serious of the group with a severity score of 8.8 out of 10. This is an issue in FTD that exists because the software doesn’t properly handle TCP flows. An attacker could exploit this vulnerability without authentication to cause a denial of service. In its release of the vulnerabilities, Cisco said it was not aware of any active attempts to exploit these vulnerabilities.
Chinese APT using new version of PlugX malware
The Chinese state-sponsored actor Bronze President (aka Mustang Panda) recently started deploying a new version of the PlugX malware in several espionage campaigns. Security researchers say the group is actively targeting the Russian military. The group sends targets a decoy document purporting to relate to the Russian military; opening it eventually downloads a malicious DLL that loads an updated version of PlugX, a remote access Trojan (RAT) previously associated with Bronze President. The group has previously targeted Asian countries with its malware, so this choice of target is particularly surprising given China’s military alignment with Russia and its reluctance to strongly condemn the country’s invasion of Ukraine. Once installed, PlugX can remotely monitor and access the targeted machine.
Vulnerability: API vulnerability in VeryFitPro app
Security researcher Martin Francois recently disclosed a vulnerability in the VeryFitPro fitness tracking app (versions 3.3.7 and lower).
The vulnerability potentially allows attackers to access the backend API without the original credentials. Francois disclosed the details on GitHub after two unsuccessful attempts to contact the vendor. At the time of writing, the vulnerability had not been addressed, and version 3.3.7 was still the most recent version of the app available on the Google Play store, with over 100k installations.
The vulnerability originates from the decision to store a password hash in a device database and to use that stored hash as the login credential: if attackers get access to the database, they can replay the hash to access the account of the targeted user without ever learning the password. Because the stored hash is password-equivalent, this is a form of Pass-the-Hash attack. Francois describes a relatively simple proof of concept for the exploit, and suggests mitigating this by transmitting the user’s password in the body of the POST request over HTTPS, so that hashing and comparison happen on the server rather than on the device.
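As an added example (not the researcher’s proof of concept and not the app’s code), the following Python contrasts a login API that accepts a client-stored hash as the credential with one that takes the password in the request body and does salted hashing on the server. The account name, password, the MD5 choice for the weak design and the PBKDF2 parameters are assumptions; nothing here is VeryFitPro’s actual implementation.

```python
"""Added example: replayable hash-as-credential login beside a server-side hashed login.
All accounts and parameters below are constructed for illustration."""
import hashlib
import hmac
import os

# --- Vulnerable design: the client keeps md5(password) in its local database and
# later sends that string as the credential. The hash IS the credential.
def client_side_hash(password: str) -> str:
    """What the vulnerable client stores on the device and sends to the API."""
    return hashlib.md5(password.encode()).hexdigest()

VULN_USERS = {"alice": client_side_hash("correct horse")}   # constructed account

def vulnerable_login(username: str, password_hash: str) -> bool:
    """Server compares the client-supplied hash with the stored one.
    Whoever reads the device database obtains a replayable credential."""
    stored = VULN_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password_hash)

# --- Hardened design: the client sends the password itself in the POST body over
# TLS; the server stores a per-user salted PBKDF2 digest and verifies it itself.
ITERATIONS = 600_000   # assumed work factor; tune to your hardware budget

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

HARDENED_USERS = {"alice": make_record("correct horse")}

def hardened_login(username: str, password: str) -> bool:
    record = HARDENED_USERS.get(username)
    if record is None:
        # do the same work for unknown users so timing does not reveal valid names
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])

def replay_stolen_hash(username: str) -> dict:
    """Attacker who copied the device database but never learned the password."""
    stolen = VULN_USERS[username]
    return {
        "vulnerable_api_accepts_hash": vulnerable_login(username, stolen),
        "hardened_api_accepts_hash": hardened_login(username, stolen),
    }

if __name__ == "__main__":
    print(replay_stolen_hash("alice"))
```

Note that moving the hash to the server only helps if the transport is TLS; the hardened path is still a bearer credential in flight, just one that is not sitting in a local database.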
Vulnerability: Exposed Docker APIs targeted by botnets
Crowdstrike provides coverage of ongoing attempts by the LemonDuck crypto mining botnet to target exposed Docker APIs on Linux systems. The attacks are anonymized using proxy tools and evade detection because they do not show in Alibaba Cloud’s monitoring services. According to the article, crypto mining is becoming increasingly prevalent, with the majority of compromised Google Cloud Platform instances being used for mining.
Docker runs with elevated privileges so it can spin up containers and use OS resources. The Docker daemon can also expose its management API over TCP, conventionally on port 2375. If this port is inadvertently exposed to the internet or left unauthenticated, attackers can use it to execute arbitrary workloads on the host through Docker. In this campaign the attacker uses the API to create a container with a custom Docker ENTRYPOINT that executes a malicious core.png file, which is actually a shell script.
This script creates a cron job and downloads the active payload, which then performs the following operations:
- Kills processes based on names (competitor applications)
- Kills known daemons, such as sshd, syslog
- Deletes known Indicators of Compromise file paths to evade detection
- Kills known network connections (to competitor websites)
The script then evades Alibaba Cloud’s protection services and downloads the crypto mining payload, which begins mining. Finally, a proxy disguises the recipient crypto wallet to avoid identification.
The key takeaway is to be very careful if exposing the Docker API port, particularly if connected to a public network.
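As an added example, not code from the CrowdStrike write-up or from Docker, the following Python checks a dockerd daemon.json for a TCP management listener that lacks TLS client authentication, and flags a ContainerCreate request body of the kind an attacker would send through an exposed API. The daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options; the sample configurations, the request body and the core.png entrypoint are constructed for illustration.

```python
"""Added example: audit dockerd listener config and spot hostile container-create
requests. Sample configs and request bodies are constructed, not captured."""
import json

PLAINTEXT_PORT = "2375"   # conventional unencrypted dockerd port; 2376 is the TLS one

def listener_findings(config: dict) -> list:
    """Return problems with the TCP listeners in a parsed daemon.json."""
    findings = []
    hosts = config.get("hosts", ["unix:///var/run/docker.sock"])   # dockerd default
    tls_client_auth = config.get("tlsverify") is True and all(
        k in config for k in ("tlscacert", "tlscert", "tlskey"))
    for h in hosts:
        if not h.startswith("tcp://"):
            continue            # unix socket: protected by file permissions
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{h}: bound to all interfaces")
        if not tls_client_auth:
            findings.append(f"{h}: no tlsverify, anyone who can reach the port controls the host")
        elif port == PLAINTEXT_PORT:
            findings.append(f"{h}: TLS is on but the port suggests a plaintext listener")
    return findings

def check_daemon_json(text: str) -> list:
    return listener_findings(json.loads(text))

def suspicious_create_request(body: dict) -> list:
    """Flag a ContainerCreate body that mounts host paths, asks for privilege,
    or runs a script disguised as an image file (as in the campaign above)."""
    flags = []
    host_config = body.get("HostConfig", {})
    if host_config.get("Privileged"):
        flags.append("privileged container")
    for bind in host_config.get("Binds", []):
        src = bind.split(":")[0]
        if src in ("/", "/root", "/etc", "/var/run/docker.sock"):
            flags.append(f"host path {src} mounted into container")
    entrypoint = body.get("Entrypoint") or []
    if isinstance(entrypoint, str):
        entrypoint = entrypoint.split()
    if any(tok.endswith((".png", ".jpg", ".gif")) for tok in entrypoint):
        flags.append("entrypoint executes a file with an image extension")
    return flags

# Constructed samples: the weak config beside the corrected one, and an attacker request
WEAK_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
ATTACKER_CREATE = {
    "Image": "alpine",
    "Entrypoint": ["sh", "/tmp/core.png"],
    "HostConfig": {"Binds": ["/:/host"], "Privileged": True},
}

if __name__ == "__main__":
    print(check_daemon_json(WEAK_DAEMON_JSON))
    print(check_daemon_json(HARDENED_DAEMON_JSON))
    print(suspicious_create_request(ATTACKER_CREATE))
```

Even the hardened listener should sit behind a firewall rule limited to the management network; TLS client certificates stop anonymous use, not brute-force or certificate theft.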
Tools: TruffleHog v3 detects stored API credentials
Leaked API credentials (keys, passwords, and tokens) are one of the most prevalent challenges in securing API deployments. One of the stalwart tools of the trade for detecting leaked credentials is TruffleHog. This week, PortSwigger featured details of the newly released TruffleHog version 3, with improved capabilities for API key detection.
A key new feature in this release is verifying if a suspected leaked credential is still valid by testing access against the affected backend service. This powerful feature should be a great boon to security teams for reducing the false positives from expired or invalidated credentials.
TruffleHog comes highly recommended in my experience, and anyone wishing to actively monitor credential leaks should check it out.
Article: Scaling APIs in real-world backend platforms
Gary Archer at Curity discusses the security challenges of scaling APIs in real-world backend platforms. Although there are numerous well-written articles about handling and validating JSON Web Tokens (JWTs), they often lack depth on how to scale the use of JWTs to large systems with multiple APIs and clients.
This article is an excellent discussion on the challenges for the handling of JWTs in complex topologies, and it makes a number of recommendations on topics, such as:
- Use reverse proxies to return opaque tokens rather than raw JWTs.
- Use standard security libraries for JWT validation, and include security parameters in the claims section rather than in headers or URL paths.
- For multiple APIs, use a so-called entrypoint API to federate access to internal APIs based on the calling client.
- Extend JWTs to allow the initial authorizing server to add additional claims to them to be consumed downstream.
- Use a separate short-lived token in callbacks to avoid the challenge that asynchronous methods pose for maintaining the state and identity of the original requester.
- Be aware of the additional challenges regarding authorization and identity posed by partner APIs.
- Design clients to be reliable and resilient to mitigate complexities of microservices with multiple components that present more points of failure.
Great food for thought in this article; thanks to the author for the contribution.
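As an added example (not code from the Curity article), the following Python models the first four recommendations: the client holds only an opaque token, the gateway swaps it for the JWT and validates signature, iss, aud and exp before forwarding, and the entrypoint API mints a short-lived token with an extra tenant claim for the internal API. The HS256 signing is hand-rolled with the standard library only so the example has no dependencies; in production use a vetted JWT library as the article recommends. The issuer URL, audience names, scopes and keys are assumptions.

```python
"""Added example: opaque token at the edge, validated JWT inside, re-minted
downstream token with an added claim. Identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://login.example.test"      # assumed identifiers
GATEWAY_KEY = secrets.token_bytes(32)       # HS256 key shared by auth server and gateway
INTERNAL_KEY = secrets.token_bytes(32)      # separate key for tokens minted for internal APIs

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now: float) -> dict:
    """Signature first, then the security parameters carried as claims: iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # pin the algorithm, never trust the header
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

class AuthorizationServer:
    """Hands the client an opaque reference token and keeps the JWT server-side."""
    def __init__(self):
        self._by_opaque = {}
    def issue(self, subject: str, scope: str, now: float, ttl: int = 300) -> str:
        jwt = sign_jwt({"iss": ISSUER, "aud": ["orders-api"], "sub": subject,
                        "scope": scope, "iat": int(now), "exp": int(now) + ttl}, GATEWAY_KEY)
        opaque = secrets.token_urlsafe(32)
        self._by_opaque[opaque] = jwt
        return opaque
    def introspect(self, opaque: str):
        return self._by_opaque.get(opaque)

def inventory_api(token: str, now: float) -> dict:
    claims = verify_jwt(token, INTERNAL_KEY, "inventory-api", now)
    return {"status": 200, "sub": claims["sub"], "tenant": claims["tenant"]}

def orders_api(claims: dict, now: float) -> dict:
    """Entrypoint API: re-mints a 30-second token for the internal API, adding a
    claim the caller never sees (tenant) and signing with the internal key."""
    internal = sign_jwt({**claims, "aud": ["inventory-api"], "tenant": "acme",
                         "exp": int(now) + 30}, INTERNAL_KEY)
    return inventory_api(internal, now)

def gateway(auth: AuthorizationServer, opaque: str, now: float) -> dict:
    """Reverse proxy: swaps the opaque token for the JWT, validates it, checks scope,
    then forwards the claims to the entrypoint API."""
    jwt = auth.introspect(opaque)
    if jwt is None:
        return {"status": 401, "reason": "unknown token"}
    try:
        claims = verify_jwt(jwt, GATEWAY_KEY, "orders-api", now)
    except ValueError as err:
        return {"status": 401, "reason": str(err)}
    if "orders:read" not in claims.get("scope", "").split():
        return {"status": 403, "reason": "insufficient scope"}
    return orders_api(claims, now)

if __name__ == "__main__":
    auth = AuthorizationServer()
    t0 = time.time()
    tok = auth.issue("alice", "orders:read", t0)
    print(gateway(auth, tok, t0 + 10))     # accepted
    print(gateway(auth, tok, t0 + 400))    # expired
```

Because the internal token carries its own audience and a separate key, a JWT captured at the gateway cannot be replayed against inventory-api, and the opaque token the client holds reveals nothing if logged or leaked.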
India’s CERT Requires Fast Reporting of Cyber Incidents
New guidelines from India’s Computer Emergency Response team (CERT-In) require companies, data centers, service providers, and government agencies to report cyber incidents within six hours of detection. The covered organizations will also be required to maintain ICT system logs for a rolling period of 180 days and be prepared to submit them to CERT-In if requested. The new requirements take effect in late June.
- There are a lot of flaws in this one. Simple example: “targeted” scanning/probing of networks is included in the incidents that need to be reported, which means a flood of incident reports of low value. Reporting in six hours is obviously a tough requirement, but the CERT-In reporting form has a lot of free-form text and FAX is OK for submission! So, reams of data flowing in but analysis can’t keep up – no increase in security. Large libraries of unread books do not make us smarter.
- This regulation appears to be overly ambitious, and the author lacks the basic competence required to draft such a regulation. The broad definition of reportable incidents and the short reporting deadline will lead to a flood of meaningless reports. Requiring long log retention times without specifying what to log will incentivize organizations to enable less verbose logs. You will end up with more but less meaningful logs.
- The timeline is short, 60 days. Twenty incident types are listed with a six-hour reporting window along with requirements to use their specified NTP service. While having a consistent time source is critical for correlation and aggregation, and you should make sure you’re using a reliable NTP source, simply requiring use of a known authoritative service would be preferable to limiting the country to a single choice. The big tasks will be getting clarification of all the reporting requirements as well as establishing the communication channels and relationships needed. The reporting window is unusually small, GDPR uses 72 hours and the US is asking for 24 hours. Irrespective of the window size, make sure you know what needs reporting and how.
- It seems like a very grand plan, with very few specific details set to be rolled out within the next 60 days. I don’t think this is realistic and to say it’s ambitious is an understatement. Specifically, just attempting to retain 180 days’ worth of logs will be difficult with all the supply chain shortages. Considering that a single firewall in a decent-sized enterprise will create several gigabytes of daily logs, I can’t imagine how many potential terabytes of records will be required to be retained from here on out in one of the most densely populated countries in the world. The other issue is what would constitute both an incident and detection. If companies decide to report to comply, CERT-In could potentially be seeing a large percentage of reported detections of false-positive or low priority events. How would the CERT-In triage a large influx of reports? Instead of systematically bringing up the regulations, CERT-In wants to collect as much data as possible and sort it out later. We know that this doesn’t typically end well. Maybe it would be ideal to buy storage now, ahead of the rush?
Read more in
- India gives local techies 60 days to hit 6-hour deadline for infosec incident reporting
- New Regulations in India Require Orgs to Report Cyber Incidents Within 6 Hours
Microsoft Patches Flaws in Azure PostgreSQL Database
Microsoft has fixed two vulnerabilities in the Azure Database for PostgreSQL Flexible Server. The flaws could be exploited to obtain elevated privileges and access other customers’ databases. Wiz researchers reported the issues to Microsoft in January. Microsoft has addressed the issues; no action is needed by customers.
- Privilege escalation flaws are very difficult to prevent and dangerous for on-premises systems. But for cloud providers, a simple privilege escalation flaw is deadly as it destroys the illusion of cross-tenant isolation of data.
- Microsoft patched the databases on February 25th, so you’re covered. They recommend setting up private network access to flexible servers to minimize further exposure. Fundamentally make sure that you’re not needlessly exposing access to services, leverage security services and options to also monitor access to ensure protections are what you think they are. Read the Wiz research blog (www.wiz.io: Wiz Research discovers “ExtraReplica”— a cross-account database vulnerability in Azure PostgreSQL) for more details on the ExtraReplica flaw.
- While, on the surface, this seems to be tragic, I guess the real question is how prevalent the PostgreSQL Flexible Server deployment is going to be. Having a system with a disclosed vulnerability in your cloud service provider is a double-edged sword. While there was a privilege escalation flaw in PostgreSQL, because this is a cloud provider, each PostgreSQL instance can be patched and remediated without the user necessarily worrying about it. With on-premises software, we often see that it is the case that servers go unpatched. The question is a tricky one to weigh in on. Cloud-hosted and shared infrastructure vs. on-premises and private. Which one is safer, less risky, or more secure? Is it better or worse than it is cloud-hosted? Only time will tell.
Read more in
- Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution
- Microsoft fixes vulnerability in Azure Database for PostgreSQL Flexible Server
- Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers
Breach Reporting Rules for US Banks Now in Effect
As of May 1, US banks are required to notify regulators of computer security incidents within 36 hours of detection. “A collective of U.S. regulators, including the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency” passed the rule in November 2021.
- The FDIC currently requires incident reporting within 72 hours of detection, so this is a significant move forward. But the FDIC, along with the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency, took input from industry and narrowed the definition of what constitutes a “notification incident” to those that actually caused some harm – probing/scanning would not qualify. A 36-hour response will be tough for many, but the financial sector certainly needs the toughest requirements.
- Essentially if you’re a federally insured or regulated financial institution, this applies. Make sure that you review your agency specific guidance for reporting and note the examples of incidents that were released to clarify the initially overly vague ‘Computer-Security Incident’ in the initial legislation. Expect your examiners to verify that you have both the notification and definition of what you need to report. As other organizations, CISA, DHS, etc. are looking for incident reporting, it’d be a good idea to make sure you know what that would mean if you’re required to comply, to include what information you would rather not share and establishing the relationship required for reporting or assistance.
Read more in
- New US Breach Reporting Rules for Banks Take Effect May 1
- Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (PDF)
Google Expands Types of Data Users Can Have Removed from Search Results
Google now allows people to remove more personally identifiable information (PII) from search results. Google has previously allowed people to request that their financial information be removed from search results; now they can have their contact information removed as well.
- This has been a right, known as the “right to erasure” or more commonly referred to as the “right to be forgotten,” to those based in the EU and covered by the EU General Data Protection Regulation (GDPR). A key point to note is that while the personal data is removed from the search results, the data is still available on the sites hosting that data. Under GDPR, individuals also need to exercise their right to erasure with the sites hosting their personal data.
- With more privacy legislation including the “right to be forgotten” knowing how to exercise that right is important and varies by service. Be sure you understand the process and limitations available. Google outlines the process and limits of what they will do on their Remove select PII or doxing content from Google Search help page: support.google.com: Remove select personally identifiable info (PII) or doxxing content from Google Search
Read more in
- Google fights doxxing with updated personal info removal policy
- How to Stop Google From Showing Your Personal Info in Search Results
- How to remove your personal information from Google search results
Netatalk Vulnerabilities Affect Synology and QNAP NAS Devices
Critical vulnerabilities in the Netatalk open source version of Apple Filing Protocol fileserver affect certain QNAP and Synology network attached storage (NAS) devices. The flaws could be exploited to access sensitive data and potentially execute arbitrary code.
- Not a terribly big deal. Disable Netatalk (it is no longer needed) and apply patches as they become available. This affects many Linux-based network storage systems; Synology and QNAP are just the two vendors responsible enough to release an advisory.
- Patch your NAS, make sure it’s not exposed to the Internet. Remove unneeded apps and user accounts, watch for unexpected additions. Ideally don’t allow SMB or AFP through your boundary, require a VPN for the access. If you must allow the direct connection, only allow it from trusted devices.
Read more in
- Synology warns of critical Netatalk bugs in multiple products
- Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack
- Synology-SA-22:06 Netatalk
Espionage Threat Actor Targets Corporate eMails
Researchers from Mandiant have identified a new espionage threat actor they have dubbed UNC3524. The group “targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions.” The threat actors have been observed maintaining dwell time of up to 18 months.
- Interesting attack group leverages typically unmonitored systems for their ingress and egress point. Smart move. Most companies do not realize how vulnerable and easy it is to leverage these systems for C2. There are three things to look for in the article. The command channel for the attacker group, how they leverage EWS On-Premises, and then they mention the Mandiant M365 Hardening Guides. My advice for those considering keeping on-premises servers. Don’t.
Read more in
US Legislators Introduce Satellite Cybersecurity Companion Bill
Companion legislation introduced in the US House of Representatives would direct agencies to help improve network cybersecurity for the commercial satellite sector. The Satellite Cybersecurity Act would “require a report on Federal support to the cybersecurity of commercial satellite systems [and] establish a commercial satellite system cybersecurity clearinghouse in the Cybersecurity and Infrastructure Security Agency.”
- Having standards should help suppliers design for an appropriate level of security. Making them voluntary may be a double-edged sword if the goal is to raise the bar consistently across the board. The trick will be adding security to existing satellites, which are often not sized or otherwise equipped to take on that workload. One hopes that industry input can be gathered during an RFC comment period for the new standards to make them both relevant and achievable.
Read more in
- House Members Debut Satellite Cybersecurity Companion Bill
- Congress wants to study the cybersecurity of satellites after Viasat hack
April 2022 saw a slew of security updates, including fixes for iOS, iPadOS and macOS; patches for Android; several updates for Chrome; Oracle’s quarterly Critical Patch Update; Microsoft’s Patch Tuesday; a fix for Mozilla Firefox and Thunderbird; and an update to address a critical vulnerability in the WordPress Elementor plug-in.
- While we’ve been focused on OS and browser updates, don’t overlook the other update actions needed. While many users can be trusted to keep mobile devices and the apps they care about updated, verify they are indeed keeping to a defined timeline and not just kicking the can down the road. If you don’t have published timelines, and enforcement for keeping systems updated, get that done post-haste. Also, make sure you aren’t missing less publicized updates such as the Android April update and Apple’s updates beyond iOS, iPadOS and macOS.
Read more in
Russia began setting the stage for cyberattacks against Ukraine a year ago
A Microsoft report out this week found that Russia started to lay the groundwork for launching cyberattacks against Ukraine as early as March 2021, when Russian hackers gained a foothold in Ukrainian government and critical infrastructure networks. Microsoft’s report notes that at least six separate Russia-aligned state hacking actors have launched more than 237 operations against Ukraine. The most notable are the destructive attacks launched by a GRU unit which researchers dub “Sandworm,” which was blamed for the Ukraine power grid attacks in 2016 and 2017, and several other recent destructive attacks, including the Viasat attack that knocked out the satellite network over much of Eastern Europe. The U.S. Department of State put a $10 million bounty on six of the Sandworm hackers this week, shortly after CISA sounded the alarm over fears that the U.S. should itself brace for a Russian cyberattack.
- Microsoft On the Issues: The hybrid war in Ukraine
- Microsoft discloses onslaught of Russian cyberattacks on Ukraine
- US offers bounty for Sandworm, the Russian hackers blamed for destructive cyberattacks
Tech giants duped into giving up data used to sexually extort minors
Absolutely brilliant reporting by @williamturton, who uncovered that tech giants including Google and Apple processed fake emergency user data requests sent by hackers, often after the hackers broke into the email system of a law enforcement agency. From there, the hackers filed emergency requests for data on minors, which the tech giants turned over without verifying the requests. (These emergency requests are normally filed amid threats to life or safety, which is exactly why they skip the usual legal process.) According to the report, the information given up by the tech giants was used to extort and harass minors. The tech giants have said little so far. Apple — which constantly harps on about how much it claims to care about your privacy — didn’t even bother to comment. It’s thanks to companies like… *checks notes*… Toontown, which helped to bring the issue to light. @nixonnixoff said that most of the companies that were duped “treated this as a shameful matter to be kept top secret.” I think a lot of us will be thinking this…
Also why the fuck are *Toontown* the company bringing this to light, and not said tech companies? They should be absolutely out in front of this, being transparent.
EU regulators need to be all over this.
— Kevin Beaumont (@GossiTheDog) April 28, 2022
How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities
Who needs a massive botnet when all you need, apparently, is a shovel? French intelligence is investigating an apparent act of sabotage that extensively disrupted internet services across France after a large number of fiber cables were cut. Now U.S. authorities are said to be on guard, knowing that fiber cables — which keep the backbone of the internet going — aren’t well protected, and often their locations are widely known.
- French investigate who is behind fiber optic cables sabotage
- Fiber optics: cables sabotaged in several regions, criminal investigation opened (Fibre optique : des câbles sabotés dans plusieurs régions, une enquête pénale ouverte)
Multiple acts of vandalism on fiber infrastructure during the night and this morning. Incidents contained, residual problems being fixed in Reims and Graveline. Free teams mobilized since 4 a.m.
— Free 1337 (@Free_1337) April 27, 2022
FBI conducted millions of searches of Americans’ data last year
According to the U.S. intelligence community’s annual transparency report, published by the ODNI every year since the Snowden leaks, the U.S. government conducted as many as 3.4 million searches of Americans’ data previously collected by the NSA. No warrant was needed, since the data is collected and queried under Section 702 of FISA, the law that lets the NSA collect foreign targets’ communications and sweeps up Americans’ data in the process; it is due to expire next year. The actual number of direct searches investigating Americans is probably far lower. More than half of the searches — close to 2 million — were related to a national security investigation involving attempts by alleged Russian hackers to break into U.S. critical infrastructure networks, for which the searches included efforts to identify and protect victims — including U.S. citizens. The WSJ does a good job of breaking down the figures and what they mean — and, @emptywheel, as always, has you covered.
- Intel report states FBI conducted nearly 2 million searches of US data related to cyberattacks in 2021
- National Security Surveillance on U.S. Soil Dropped Again in 2021, Report Says
Nowhere near as big as the huge number of 702 queries FBI did, this is a rather interesting stat.
— emptywheel (@emptywheel) April 29, 2022
Twitter’s legal team is an aggressive defender of free speech, will that continue?
After the news finally dropped that Elon Musk would buy Twitter — a deal that still has to pass shareholder and regulatory approval(!) — @mmasnick dug into how Twitter’s legal department has been an “aggressive defender” of free speech, in large part by pushing back on subpoenas, often filed by “thin-skinned rich and powerful users,” and what Musk’s Twitter buy might mean for content moderation, privacy and free speech.
European wind-energy sector hit in wave of hacks
Three Germany-based wind energy companies have been targeted by cyberattacks since Russia’s invasion of Ukraine, at a time when Germany is moving away from its reliance on Russian oil and gas as Western sanctions try to cut Russia off from the rest of the world economy. The problem is that Germany is highly dependent on Russian oil and gas, and switching to other energy sources is likely a multi-year process. Not a huge surprise, then, that cyberattacks targeting renewable, non-fossil energy have swept the country, in some cases with ransomware, aimed at disrupting energy supplies. “A simpler strike on local internet-connected services could interfere with the remote monitoring systems of wind farms,” according to one security expert. You know, just as happened when Viasat was hacked, causing roughly 5,800 wind turbines that relied on the satellite network to lose connection.
DJI insisted drone-tracking AeroScope signals were encrypted — now it admits they aren’t
In March, Ukraine’s vice prime minister accused drone maker DJI of helping Russia kill Ukrainians by allowing Russia to freely use its drone detection system, AeroScope. DJI claimed that AeroScope signals are encrypted. Turns out, they’re not. That means governments (and others) don’t need AeroScope to see the exact position of every DJI drone; anyone with a receiver can read the broadcast. It wasn’t until hacker @d0tslash proved that the signals aren’t encrypted that DJI finally admitted that its remarks weren’t truthful.
Now to put the "DroneID is encrypted" thing to rest, then get some bed myself. Before + WEP key for c2 link. After – WEP key for c2 link… look who's still there? The unencrypted droneID packet. K thx for playing @DJIFlySafe @djienterprise @djiglobal @djisupport @adamlisberg! pic.twitter.com/SizPM7sfZ3
— KF (@d0tslash) March 31, 2022
Mexico top court strikes down phone and biometrics registry
Reuters reports that Mexico’s Supreme Court ruled that the government’s plans to create a national phone user registry tied to biometric data is unconstitutional. The phone carriers didn’t want it as it would’ve been costly to implement, but the government said it would’ve fought crime — where Mexico has some of the highest incidences of abductions in the world. The court said the registry would’ve violated human rights. Mexico has some 120 million cell lines, most of which are pre-paid.
Microsoft finds critical Linux flaw
Two privilege escalation bugs in networkd-dispatcher, a component shipped on many Linux desktops, collectively dubbed Nimbuspwn, can be chained to quickly gain root on an affected device. Ars Technica goes deep on the technical details, including how an attacker could use that access to plant a persistent root backdoor.
Great news that security.txt is finally an RFC
According to @EdOverflow, who was one of the main proponents of security.txt. For those who don’t know, security.txt is a publicly accessible text file that admins publish at /.well-known/security.txt on their website (RFC 9116 also allows the legacy top-level /security.txt location, ideally redirecting to the well-known path) to help researchers and hackers easily find urgent security contact information. It’s a great idea that’s aimed at speeding up the process of finding and alerting companies to security flaws. Some of the biggest companies use it — Yahoo and Google to name a couple. You can see how Google’s security.txt, for example, looks here. Excellent news and extremely well deserved.
After 5 years of work, security.txt is officially an RFC. I am pleased to announce RFC 9116: https://t.co/uIqSRo28ak.
I would like to use this opportunity to thank those who made this possible. Thank you. ❤️ pic.twitter.com/Z8SNxd81ZO
— Ed (@EdOverflow) April 27, 2022
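If you are publishing or auditing a security.txt, the parts of RFC 9116 that bite in practice are the two mandatory fields (Contact and Expires), the requirement that web URIs use https, the one-year ceiling recommended for Expires, and the fact that the file may be wrapped in a PGP cleartext signature. The following is an added example, not code from the newsletter, from RFC 9116 or from the security.txt project: a small parser and checker that applies those rules. Both sample files, the `SAMPLE_NOW` reference date and every field value are constructed for the demonstration.

```python
"""Parse and sanity-check a security.txt file against the RFC 9116 syntax rules.

Added example; not code from the newsletter, RFC 9116 or the security.txt
project. SAMPLE, SIGNED_SAMPLE and SAMPLE_NOW are constructed for the demo.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
# Fields whose values are URIs; RFC 9116 requires web URIs in them to use https.
URI_FIELDS = {"contact", "encryption", "acknowledgments", "canonical", "policy", "hiring"}
KNOWN_FIELDS = REQUIRED_FIELDS | SINGLE_VALUED | URI_FIELDS

# Constructed "current time" so the Expires checks are reproducible.
SAMPLE_NOW = datetime(2022, 5, 13, tzinfo=timezone.utc)

SAMPLE = """# Constructed sample, not a real organisation's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2022-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: http://example.com/disclosure-policy
"""

SIGNED_SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Expires: 2022-12-31T23:59:00.000Z
-----BEGIN PGP SIGNATURE-----

(signature data omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""


def strip_cleartext_signature(text: str) -> str:
    """Return the signed body of a PGP cleartext-signed file, or the text unchanged.
    Verifying the signature is a separate step (e.g. gpg --verify); this only unwraps."""
    begin = "-----BEGIN PGP SIGNED MESSAGE-----"
    sig = "-----BEGIN PGP SIGNATURE-----"
    if not text.lstrip().startswith(begin):
        return text
    body = text.split(begin, 1)[1].split(sig, 1)[0]
    _armor_headers, _, signed = body.partition("\n\n")   # "Hash: SHA256" ends at blank line
    # Undo dash-escaping of body lines that start with '-' (RFC 4880 section 7.1).
    return "\n".join(l[2:] if l.startswith("- ") else l for l in signed.splitlines())


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lowercased field names to their values, preserving file order per field."""
    fields: dict[str, list[str]] = {}
    for raw in strip_cleartext_signature(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime | None:
    """RFC 9116 wants an RFC 3339 date-time; return an aware datetime or None."""
    try:
        exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return exp if exp.tzinfo is not None else None     # a zone offset is mandatory


def check_security_txt(fields: dict[str, list[str]], now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passed these checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for f in sorted(REQUIRED_FIELDS - fields.keys()):
        problems.append(f"missing required field: {f}")
    for f in sorted(SINGLE_VALUED):
        if len(fields.get(f, [])) > 1:
            problems.append(f"{f} must appear only once")
    for uri in fields.get("contact", []):
        if not uri.lower().startswith(("mailto:", "tel:", "https://")):
            problems.append(f"contact is not a mailto:/tel:/https: URI: {uri}")
    for f in sorted(URI_FIELDS - {"contact"}):
        for uri in fields.get(f, []):
            if uri.lower().startswith("http://"):
                problems.append(f"{f} uses plain http: {uri}")
    if len(fields.get("expires", [])) == 1:
        exp = parse_expires(fields["expires"][0])
        if exp is None:
            problems.append("expires is not an RFC 3339 date-time with a zone offset")
        elif exp <= now:
            problems.append("security.txt has expired")
        elif exp - now > timedelta(days=366):
            problems.append("expires is more than a year away (RFC 9116 recommends less)")
    for f in sorted(fields.keys() - KNOWN_FIELDS):
        problems.append(f"unknown field (extension?): {f}")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(parse_security_txt(SAMPLE), SAMPLE_NOW):
        print("-", problem)
```

On the constructed sample the only finding is the plain-http Policy URI; the signed sample parses clean once the armor is stripped. A stale Expires is the most common real-world failure, so wire the check into whatever already monitors the site so the file is refreshed before researchers find an expired one and ignore it.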