Cybersecurity and Infosec News Headlines Update on August 31, 2022

Hackers Targeting Log4j 2 Vulnerabilities in SysAid Applications

The Microsoft Threat Intelligence Center (MSTIC) warns that a hacking group it calls MERCURY is using Log4j 2 vulnerabilities in SysAid applications to launch attacks against organizations in Israel. MSTIC says this is the first time they have observed SysAid being used as an initial access vector. The MSTIC blog offers an “analysis of observed MERCURY activity and related tools used in targeted attacks.” MSTIC says there is a high likelihood that MERCURY is affiliated with Iran’s Ministry of Intelligence and Security.

Note

  • As the Log4j vulnerability became known, organizations often used generic exploits to scan their network. Exploitability for Log4j is tricky to determine as it all depends on how a particular application uses the framework. Do not ignore vendor patches just because some vulnerability scanner gave you a green light.
  • MERCURY (aka MuddyWater, Cobalt Ulster, Seedworm, Static Kitten), which was previously targeting VMware instances with Log4j flaws, has now pivoted to SysAid. SysAid released Log4j patches in January, which appear not to have been applied. After you make sure that you’ve applied updates to SysAid, if you’re using it, make sure that you’re not overlooking other patches, such as VMware’s, for fixes to flaws like Log4j. The attack reads like an exercise out of SANS SEC560 – the attackers use Log4Shell flaws to get an initial foothold, then use PowerShell to drop web shells, add a user, give it elevated privileges, and add attack tools to startup folders for persistence. From there, they use Mimikatz for credential theft, RemCom for lateral movement, and send data to their C2 server using a custom version of the Ligolo tunnel/reverse proxy.

Twilio Breach Affects Okta, Authy, and Others

The hackers responsible for the Twilio data breach used their access to steal Okta SMS one-time passwords. At the time of the breach, Okta was using Twilio as one of its SMS authentication services. When Okta learned of the breach and that some Okta-related data were compromised, it switched to a different provider. The attackers also accessed some Authy 2FA accounts and registered unauthorized devices.

Note

  • This is the new “dependency hell.” We used to worry about the libraries we use, for example for authentication. But the APIs we use behave very much like libraries in our code, just with less control over what they are actually doing.
  • Twilio’s failure to protect its systems against the original attack should serve as a warning to all companies offering strong authentication services: since MFA is a major barrier to the attackers, they are going after the entire MFA food chain. SANS instructor Katie Nickels highlighted MFA bypass in the SANS RSA Top New Threat panel – it is critical that MFA services be hardened.
  • In today’s business world, where companies rely so heavily on their suppliers, and in turn on the suppliers of their suppliers, it is prudent to regularly run “what if” scenarios on the impact a breach at a third-party company can have on your organization. In other words, do you know the impact a breach like the one at Twilio can have on your organization, either directly or via one of your suppliers?
  • While SMS is better than single-factor authentication, it can still go wrong. Choose other options wherever possible. Make sure that you’re not leaving SMS or phone call verification options available on your MFA service offering. Better still, implement phishing-resistant MFA (FIDO2, smart cards, USB hardware tokens, etc.). The cost of hardware tokens can be rapidly eclipsed by a single breach, and the integration is vastly improved over what it was even a year ago, including NFC or Bluetooth communication options you can investigate.

Atlassian Releases Updates to Address Critical Flaw in Bitbucket Server and Data Center

Atlassian has issued an advisory warning of a critical vulnerability affecting Bitbucket Server and Data Center versions 7.0.0 through 8.3.0. Because of the command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center, “an attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.” If updates cannot be applied right away, Atlassian says the issue can be temporarily mitigated by turning off public repositories globally.

Note

  • The best mitigation is to update to the applicable fixed version (see the Atlassian advisory for specifics). Even if you implement the workaround of turning off public repository access, it’s not a full mitigation, as users with accounts can still execute the exploit. CVE-2022-36804 has a CVSS v3 score of 9.9, as the attack complexity is low and it doesn’t require privileges, or even an account. Expect DHS/CISA to issue alerts tracking fixing of this issue, either as a BOD or KEV.

Montenegro Government Systems Targeted in Cyberattacks

Montenegro’s Agency for National Security has warned that Russian hackers have launched “a persistent and ongoing cyberattack” against the Adriatic country’s government and services. Some of the country’s power plants are currently operating manually, and some government systems have been taken offline as a precaution.

Note

  • I’ve spent a lot of time in Montenegro, and I’ve truly enjoyed watching the nation mature to the West-leaning democracy it is today. As much as we may like to ignore politics in cybersecurity, this is a prime example of political decisions’ effects on the threat landscape. Russia has been vocal about its disappointment in Montenegro’s NATO and pending EU memberships, and this is not Russia’s first known attack against the small country.
  • The attack appears politically motivated, possibly as a result of the change of government last week. Montenegro was previously attacked on its election day in 2016, and again in 2017 when it threatened to join NATO. Systems are offline both for analysis and to prevent further damage, necessitating alternate communications, such as Twitter, as well as manual processing. Now is a time to look at what you can leverage from this event in your BCP plan and exercises. Don’t forget to consider how you reconcile systems when switching back from manual to automated mechanisms, as well as to define what constitutes a determination that a system is suitable to return to operation.

FCC Releases Mobile Carrier Responses to Data Privacy Inquiry

According to the US Federal Communications Commission (FCC), 10 of the top 15 mobile carriers collect geolocation data but do not provide a means for customers to opt out. Most of the carriers said that they do not allow customers to opt out because of the need to comply with requests from law enforcement and because of FCC rules. FCC chair Jessica Rosenworcel has asked the FCC’s enforcement bureau to investigate whether the companies are abiding by FCC rules requiring them to communicate their geolocation data use and sharing practices to customers.

Note

  • This is not the location services on your devices. This is triangulation based on highly accurately located towers, as well as the carriers’ full visibility into your call metadata. Expect to see attempted refinements in retention periods and data sharing agreements, and carriers to push back, as there is a big financial stake in even obfuscated versions of their data.
  • If the rare use of location data by law enforcement is to trump the day-to-day privacy of users, then transparency is the least we should expect. Fine print buried in terms of service does not amount to transparency. Emergency use of location does not require that the data be retained. Retention for more than days to weeks for potential use in investigations should be a matter of law, not mere convenience.

FTC Sues Kochava Over Location Data Sales

The US Federal Trade Commission (FTC) has filed a lawsuit against data broker Kochava for allegedly selling geolocation data that links users to health clinics, domestic violence shelters, recovery centers, and other sensitive locations. The FTC alleges that Kochava sells data collected from “hundreds of millions of mobile devices” paired with time-stamps and Mobile Advertising IDs.

Note

  • The device data gathered includes a unique device identifier (Mobile Advertising ID or MAID), device type, timestamp, latitude, longitude, horizontal accuracy (how close the latitude/longitude are, in meters) and the IP address. This data can be mined to determine sensitive locations, such as a user’s home, shelter, place of worship, or medical providers. About the only action you can take is to change the MAID on your device periodically. Watch this case, as well as the FCC action above, to see what privacy protections can be placed on this data.

Health-ISAC Publishes Zero-Trust White Paper

The Health Information Sharing and Analysis Center (Health-ISAC) has published a guide “intended to help CISOs understand and implement a zero trust security architecture.” The paper notes two central challenges to zero-trust adoption in the healthcare sector: the increasing use of IoT devices, and the identity and access management challenges posed by healthcare workers moving from room to room and logging into multiple workstations.

Note

  • Before you roll your eyes at Zero Trust, delve into what the fundamental improvements are and look at how they can improve your business. Look at improvements in endpoint security to reduce reliance on your boundary protections; factoring in not just the human identifier but also the device authenticator in authentication processes, raising the bar where you don’t recognize one or the other; and leveraging software-defined networks to dynamically define and protect assets, particularly with cloud and outsourced activities. Then make deliberate decisions, using guides like this, moving forward.
  • Recent breaches suggest that the first step for hospitals is to isolate clinical systems from public network facing systems (e.g., e-mail and browsing). Clinical personnel should carry their personal authentication (e.g., NFC token or mobile) with them from station to station.

CISA Adds 10 More Flaws to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 10 more security issues to its Known Exploited Vulnerabilities catalog. The vulnerabilities affect dotCMS, Apache CouchDB, Apache APISIX, VMware Tanzu Spring Cloud, WebRTC, Grafana, Delta Electronics DOPSoft2, Apple iOS, macOS, watchOS, and PEAR Archive_Tar. The flaws have a mitigation date of September 15, 2022.

Note

  • Check the clock: September 15th is only a couple of weeks out. The entries have notes that include links to the vendor notifications about these flaws, which can be a real help. Once you’ve filtered out what you don’t have and checked for any others with recent due dates that you do have, work with business units to get these buttoned up. Make sure that your SOC is checking for IOCs; these are actively being exploited and you may want to assume compromise. Be methodical, don’t panic: solve one problem, then the next, and then the next, one update at a time.
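The triage this note describes (filter the catalog by due date, then by what you actually run), as an added Python example that is not CISA’s or the newsletter’s code. It parses a constructed catalog in the shape of CISA’s known_exploited_vulnerabilities.json feed; the inventory, the dates and the CVE ids (other than the Hikvision id cited elsewhere on this page) are placeholders.

```python
"""Triage a CISA KEV-format catalog against the products you actually run.

Added example; not CISA's code or the newsletter's. Field names follow the
public known_exploited_vulnerabilities.json feed (cveID, vendorProject,
product, dateAdded, dueDate, requiredAction, notes); the entries below are
constructed samples, not the real catalog contents.
"""
import json
from datetime import date, timedelta

# Constructed sample in the KEV JSON shape. The 2022-09-15 due date is the one
# the newsletter cites; the CVE ids are placeholders except the Hikvision one,
# and all dates on the Hikvision entry are constructed.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "2022.08.31",
    "vulnerabilities": [
        {"cveID": "CVE-2022-11111", "vendorProject": "Grafana Labs", "product": "Grafana",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-15",
         "requiredAction": "Apply updates per vendor instructions.",
         "notes": "https://vendor.example/grafana-advisory"},
        {"cveID": "CVE-2022-22222", "vendorProject": "Apache", "product": "CouchDB",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-15",
         "requiredAction": "Apply updates per vendor instructions.",
         "notes": "https://vendor.example/couchdb-advisory"},
        {"cveID": "CVE-2022-33333", "vendorProject": "dotCMS", "product": "dotCMS",
         "dateAdded": "2022-08-25", "dueDate": "2022-09-15",
         "requiredAction": "Apply updates per vendor instructions.", "notes": ""},
        {"cveID": "CVE-2021-36260", "vendorProject": "Hikvision",
         "product": "Security cameras web server",
         "dateAdded": "2022-01-15", "dueDate": "2022-01-29",
         "requiredAction": "Apply updates per vendor instructions.", "notes": ""},
        {"cveID": "CVE-2022-55555", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2022-08-20", "dueDate": "2022-12-01",
         "requiredAction": "Apply updates per vendor instructions.", "notes": ""},
    ],
})

# Constructed asset inventory: (vendor, product) pairs as a CMDB might name them.
INVENTORY = [
    ("Grafana Labs", "Grafana"),
    ("Hikvision", "Security cameras"),
    ("ExampleVendor", "ExampleProduct"),
]

# Date of the newsletter, so the sample run is reproducible.
TODAY = date(2022, 8, 31)


def load_kev(text):
    """Parse KEV JSON; return entries with the date fields as date objects."""
    entries = []
    for raw in json.loads(text)["vulnerabilities"]:
        entry = dict(raw)
        entry["dateAdded"] = date.fromisoformat(raw["dateAdded"])
        entry["dueDate"] = date.fromisoformat(raw["dueDate"])
        entries.append(entry)
    return entries


def due_within(entries, today, days):
    """Entries whose due date is already past or falls within the next `days` days."""
    horizon = today + timedelta(days=days)
    return [e for e in entries if e["dueDate"] <= horizon]


def in_inventory(entries, inventory):
    """Keep entries whose vendor matches exactly and whose product name overlaps
    (substring either way), so 'Security cameras' still hits the catalog's
    longer product string."""
    wanted = [(v.lower(), p.lower()) for v, p in inventory]

    def hit(e):
        v, p = e["vendorProject"].lower(), e["product"].lower()
        return any(v == wv and (wp in p or p in wp) for wv, wp in wanted)

    return [e for e in entries if hit(e)]


def triage(text, inventory, today, days=30):
    """Return (overdue, due_soon): CVE ids for inventory hits, each sorted by due date."""
    relevant = in_inventory(due_within(load_kev(text), today, days), inventory)
    relevant.sort(key=lambda e: (e["dueDate"], e["cveID"]))
    overdue = [e["cveID"] for e in relevant if e["dueDate"] < today]
    due_soon = [e["cveID"] for e in relevant if e["dueDate"] >= today]
    return overdue, due_soon


if __name__ == "__main__":
    overdue, due_soon = triage(SAMPLE_KEV, INVENTORY, TODAY)
    by_id = {e["cveID"]: e for e in load_kev(SAMPLE_KEV)}
    for label, ids in (("OVERDUE", overdue), ("DUE SOON", due_soon)):
        for cve in ids:
            e = by_id[cve]
            print(f"{label:8} {cve} {e['vendorProject']}/{e['product']} "
                  f"due {e['dueDate']} notes={e['notes'] or '-'}")
```

Note the window matters: with a 14-day window the September 15 entries fall just outside it, which is exactly the kind of near miss a due-date filter should not hide.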

Plex asks users to reset passwords after theft of 15+ million users’ data

Media streaming service Plex confirmed hackers stole data on the “majority” of its 30 million users, meaning that for some 15 million users at least usernames, email addresses and scrambled passwords (hashed with bcrypt) were stolen, prompting Plex to ask users to reset passwords. That said, Plex’s mass reset didn’t go so well, with users unable to change passwords when they tried. In its initial email to users, Plex said only a “limited subset” of user data was accessed, which clearly isn’t true.

Twilio breach fallout: DoorDash, Authy, Okta

Let’s look at new research from Group-IB, which investigated the mass breach of companies including Twilio. It says the hacking group it calls 0ktapus (for impersonating Okta login pages) has hacked over 130 organizations as part of its phishing campaign since March. Twilio’s breach had knock-on effects for DoorDash, because one of its vendors was also compromised by the same hackers that hit Twilio. And things got worse for Twilio, because its own 2FA app, Authy, was targeted too. Twilio said 93 Authy users’ apps were compromised, effectively allowing the attackers to generate 2FA codes on behalf of their victims. And finally, Okta confirmed some of its customers’ data was visible in Twilio’s console, marking Okta’s second security incident this year. Don’t expect this mass-hack to quieten down any time soon. There are still over a hundred companies yet to announce their own breaches.

Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug

Hackers are exploiting a zero-day bug in a popular General Bytes bitcoin ATM by targeting its crypto application server, which allows an attacker to create an admin user. Using that admin account, the attacker can modify the ATM’s settings and swap in a cryptocurrency wallet under their control. Sneaky! Here’s the advisory.

Novant Health admits leak of 1.3M patients’ info to Facebook

Novant Health confirmed it accidentally disclosed 1.3 million patients’ sensitive information — including email addresses, phone numbers, financial information and even details of doctor’s appointments — to Facebook because of a misconfigured tracking pixel. The Register explains how the breach happened — effectively an ad campaign that collected too much data by mistake.

Smartphone gyroscopes threaten air-gapped systems, researcher finds

Sticking with El Reg for a minute: A researcher known for discovering ways to siphon data from air-gapped computers is back with a new exploit [PDF] able to sniff acoustic airwaves from speakers on internet-isolated computers by using the gyroscope sensors in nearby smartphones. Another exploit uses green and amber lights on network interface cards to transmit data in Morse code. Wild research, even if it requires close proximity to the target device.

Meta, Twitter took down accounts engaging in pro-U.S. covert influence campaigns

Meta and Twitter took down accounts in recent weeks connected to a pro-U.S. influence network targeting the Middle East and Central Asia. Wait, what? Yes, you read that right. The data provided by the two social giants showed the campaign used “deceptive tactics, including computer generated profile images and fake news outlets, to promote an agenda aligned with Western policy priorities and opposing Iran, China and Russia.” More from the Washington Post. It’s believed to be the first pro-Western influence campaign taken down by the companies.

Cosmetics giant Sephora settles customer data privacy lawsuit

The first CCPA case is in: make-up giant Sephora settled a lawsuit claiming it sold customer information without proper notice in violation of California’s landmark privacy law. The company agreed to pay $1.2 million in the state’s first enforcement action, even if the wrist-slapping was on the lighter side. According to the AP, “Sephora allowed third-party companies to install tracking software that allowed them to build detailed consumer profiles that allowed them to better target customers,” California attorney general Rob Bonta said. “But on its website it promised ‘we do not sell personal information,’” according to the lawsuit. Yuck.

Lockdown Mode? We know

A researcher’s proof-of-concept website can identify if your iPhone is in Lockdown Mode, the new ultra-secure mode in iOS 16 that blocks certain features to protect it from spyware attacks. Lockdown Mode also blocks things like remote fonts, which can contain malware, which is how the website knows (or infers) when a device is in Lockdown Mode, reports Motherboard. That can be used for profiling or fingerprinting, which may help identify at-risk users.

Spilled docs show $8M iOS, Android exploits

Leaked documents appear to show a little-known spyware company called Intellexa allegedly offering exploits for iOS and Android devices for around $8 million. The screenshots, obtained by malware researchers @vxunderground on Wednesday, appear to show a browser-based exploit able to remotely extract data from iPhones and Android devices, though @maddiestone believes the docs show exploitation-as-a-service, rather than exploits for sale. (The difference matters, since one requires the maintenance of infrastructure.) Interestingly, the exploits on offer target recent releases of iOS 15.4.1 (released in March) and Android 12.

NATO classified docs stolen

BBC News reports that NATO is assessing the impact of a data breach including classified military documents and blueprints of weapons used by NATO allies in Ukraine. The documents are said to be linked to a major European weapons maker. @joetidy does a great job of breaking this one down.

LastPass breached, says user data safe

Password manager LastPass says it detected “unusual activity” in its development environment two weeks ago (so around mid-August) and booted attackers from its network. It blamed a single compromised developer account that allowed the theft of some source code and technical information. No customer action needed, LastPass says, since master passwords aren’t stored by the company.

Hackers Using Sneaky Exploits to Bypass Microsoft’s Multi-Factor Authentication

Cyber criminals are exploiting dormant Microsoft accounts to bypass multi-factor authentication (MFA) and gain access to cloud services and networks, researchers have warned. The technique has been detailed by cybersecurity researchers at Mandiant, who say the exploit is being used in hacking campaigns by APT29 – also known as Cozy Bear – a hacking and espionage operation.

80,000+ Hikvision Cameras Remain Unpatched

According to researchers from Cyfirma, more than 80,000 Internet-facing IP cameras are vulnerable to command injection attacks. A patch for the vulnerability has been available since September 2021. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw (CVE-2021-36260) to its Known Exploited Vulnerabilities catalog in January 2022.

Note

  • Only 80,000? These types of cameras, not just from Hikvision, have been a major source of “internet background radiation” ever since Mirai started spreading about 10 years ago. Without automatic updates, they will only become safe once their electronics fail.
  • It is confusing: Hikvision is NOT on the sanctions list barring import, but it IS on the OFAC Non-SDN Menu-Based Sanctions List (NS-MBS List) under the “Strong” category, whatever that means. Bottom line: check whether Hikvision equipment is in use or in any planned procurements, and consider replacing or banning it, since sanctions are a high risk, let alone this vulnerability issue.
  • Think of that security camera as a computer, where vulnerabilities could be leveraged to pivot onto your network. Yeah, that means you need to think about patching them. What’s worse, not all manufacturers are as judicious about providing patches. Think twice about directly exposing them to the Internet, then isolate them onto a separate VLAN and use the strongest possible credentials, verifying no default passwords remain.
  • People seem to miss that there may be a Cyber-Physical component to this. While we are mired in the “What if” of Cyber and these patches, there is a real danger that not only are these systems able to be used as a pivot point inside your network but these cameras can be abused to look at people, places, locations and be used to potentially move from a cyber-attack into a real-world physical attack. We shouldn’t lose sight of that.
  • Those appliances (e.g., cameras) that must, or may be, attached to the public networks have a higher security requirement than those (e.g., baby monitors, TVs, refrigerators) that are intended to run only on private networks. Such appliances should be purpose-built and avoid any and all gratuitous functionality.

Carbon Black Ruleset Rolled Back After Reports of BSOD

VMware has rolled back a problematic ruleset after some updates to its Carbon Black endpoint security solution were found to be causing the blue screen of death (BSOD) on Windows devices. VMware’s suggested temporary workaround is to “place impacted sensors into bypass mode via Carbon Black Cloud Console to allow them to boot successfully and have ruleset removed.”

Note

  • Like many endpoint protection/detection software vendors, Carbon Black uses what it calls “machine learning and behavior models,” which are basically software. Ruleset updates are essentially software updates and need to be QAed by vendors just like any major software update. Inability to examine and audit the complex models used to bundle mortgages into “derivative” packages in 2008 ended up with a lot of “deranged” investment packages being created and sold, leading to a major recession. That led to the Federal Deposit Insurance Corporation creating “Supervisory Guidance on Model Risk Management,” which is already being looked at as the basis for evaluating financial institutions’ use of models in cybersecurity controls. Ask for model governance details on all security products claiming use of AI/ML and any other trendy model-based technologies.
  • Two-step fix (yes, a chicken-and-egg problem, since you asked): first you must have the sensor bypassed via the Carbon Black console, to stop applying the ruleset and get out of the BSOD/boot loop; then, when the sensors check in, the impacted rulesets are removed. VMware did test the problematic ruleset prior to deployment; expect them to tweak this process. Note this includes sensor versions 3.6.x.x to 3.7.x.x, not just 3.7.0.1253 as was initially reported. Check the VMware KB note for information on verifying you are running non-impacted rulesets – there are six. community.carbonblack.com: Endpoint Standard: Sudden Blue Screens on Windows Devices
  • Microsoft has always contended that BSOD is most often caused by third party drivers. Avoiding such drivers has made Apple operating systems more stable, at the cost of limiting third party devices. Prefer attachment via standard interfaces.

NOBELIUM Threat Actors Deploying MagicWeb Authentication Bypass

The threat actors behind the SolarWinds supply chain attack are believed to be responsible for a newly detected “post-compromise capability.” Rather than using supply chain attacks, the threat actors are using purloined admin credentials. Dubbed MagicWeb, the trick allows attackers “to maintain persistent access to compromised environments” by gaining admin privileges to an Active Directory Federated Services server. Then they replace a legitimate DLL with a MagicWeb DLL.

Note

  • This is not a supply chain attack. This is a case of compromised credentials being used to access your AD FS servers. Make sure that you’re protecting those servers as you would a domain controller, making sure each is isolated, restricted to only allow admin accounts to log in, and monitored closely. Once the malicious Microsoft.IdentityServer.Diagnostics.dll is loaded, an attacker can generate claims that allow bypass of AD FS policies (roles, devices, network, including MFA) to log in to your other services. Make sure that you’re actively managing accounts, use MFA where possible, leverage services to detect passwords in data breach dumps, use long passphrases where you’re still using passwords, and review the Microsoft blog for IOCs and other threat hunting information.
  • Move away from On-Premise Active Directory and legacy technologies like ADFS. Yet another example of why.
  • This is similar to a previous Active Directory MFA-bypass reported on in July. Microsoft’s recommended mitigation starts with “It’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure.”

VMware Releases Updates to Fix Local Privilege Escalation Flaw

VMware has released updates to address a local privilege escalation vulnerability in VMware Tools. The issue affects VMware Tools on Linux and Windows platforms. Users are urged to update to VMware Tools 12.1.0 on Windows, and 12.1.0 / 10.3.25 on Linux.

Note

  • In our Penetration Testing Practice and in the Cloud Penetration Testing class we spend a great deal of time attacking control planes. There are many times that we are abusing this channel to evade detection by EDR and EPP. An attacker can evade these tools by using control planes like VMware to do work such as accessing consoles and disks without having to work with the operating system. Instead of cracking passwords we typically find unpatched systems all over the place. Please patch your infrastructure.
  • The flaw in VMware Tools can be exploited by a user on the guest OS to obtain privileges. Make sure that you’re tracking/updating VMware tools versions on the guest OS just as you are other packages on endpoints, don’t overlook the service components, whether workstation, player, or ESXi. This is a good time to also make sure that you limit access to administration interfaces for your virtualization environment.

French Hospital Diverts Patients to Other Facilities in Wake of Ransomware Attack

Centre Hospitalier Sud Francilien (CHSF) was the target of a ransomware attack that began on Sunday, August 21. The incident forced the hospital, which is about 40 km (25 miles) south of Paris, to redirect patients to other facilities. The attackers have reportedly demanded $10 million for the decryption key.

Note

  • The big deal is not the ransom demand, it’s the impact to patient safety. Not only are they re-routing patients, but they have also deployed their crisis unit to ensure existing patients are getting proper care. When formulating response plans, make sure to include mission or service delivery plans, which means we need to be partnering with the mission side of the organization, and vice versa, to include being at each other’s exercises, from tabletop to live fire.
  • Unfortunately, this is not the first time a ransomware attack has affected the physical world and human lives. We were warned years ago: https://www.wired.co.uk/article/ransomware-hospital-death-germany. What can you do? Understand how attacks work, emulate them in your environment, improve and tune your security controls, and train your people to detect and respond before impact.

Plex Instructs Customers to Reset Passwords Following Breach

Streaming media service Plex is instructing all customers to reset their passwords following a data theft incident that compromised a proprietary database containing usernames, email addresses, and hashed passwords for at least half of its 30 million customers. In an email sent to customers, Plex said that it has “already addressed the method that this third-party employed to gain access to the system.”

Note

  • Make sure that you’re using a unique, strong password for your Plex devices. Yeah, I know the cat’s name is something your mom can remember; it’s still not a good plan. After you change the password, be sure to check the “Sign out connected devices after password change” box so nothing using that past password is overlooked.

Dominican Republic’s Government Agency Suffers Ransomware Attack

An agency within the Dominican Republic’s Ministry of Agriculture was the target of a ransomware attack earlier this month. The attack has affected all departments of the Dominican Agrarian Institute; just one of the agency’s servers was not breached, as it runs on Linux.

Note

  • We are seeing an uptick in ransomware attacks against Latin American governments. Costa Rica was a pilot and hopefully organizations are acting. Latin America has traditionally been behind in cyber security.
  • “Quantum” ransomware, noted by the use of the .quantum extension on encrypted files, is a branch of the Conti ransomware, which was largely dormant until Conti shut down and some of its members joined the Quantum gang. While root causes are still being investigated, it’s already been noted that not only did their systems not have comprehensive EDR, they also didn’t have a dedicated security department. In a similar situation, consider not only the value of your endpoint security, but also weigh the value of outsourcing your services and applications along with your SOC, which may provide some offsetting costs to raise the bar overall.
  • One might easily guess what the vulnerable servers were running. That said, ransomware is more likely to exploit fraudulently reusable user credentials, flat networks, and default read/write access control than operating systems.

Apply GitLab Updates to Fix Critical RCE Vulnerability

GitLab has issued updates to address a critical remote code execution flaw that affects GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability affects all versions of the software from 11.3.4 through 15.1.4, as well as 15.2 through 15.2.3, and 15.3. Users are being urged to update to versions 15.3.1, 15.2.3, and 15.1.5.

Note

  • GitLab has already updated their hosted service, this applies to folks running local copies of GitLab and GitLab Runner. CVE-2022-2884 has a raw CVSS 3 score of 9.9, so you may want to get this done PDQ. Make sure you are subscribed to GitLab’s security release emails or their RSS feed (See the GitLab notice for information on subscribing.)

National Security Telecommunications Advisory Committee Draft Report on Information Technology and Operational Technology Convergence

A draft report from the President’s National Security Telecommunications Advisory Committee (NSTAC) aims to identify opportunities for the federal government to aid in a secure convergence of OT cybersecurity within all relevant stakeholder communities. The committee’s recommendations include requiring “the Cybersecurity and Infrastructure Security Agency (CISA) [to] issue a Binding Operational Directive (BOD) requiring executive civilian branch departments and agencies to maintain a real-time, continuous inventory of all OT devices, software, systems, and assets within their area of responsibility, including an understanding of any interconnectivity to other systems.”

Note

  • I briefed the NSTAC on “Securing an Internet of Things” back in 2013 and this draft does start out by saying “The cybersecurity challenge of converged IT and OT is not a new issue; it has been happening for decades. The United States has the technology and the knowledge to secure these systems but has not prioritized the resources required to implement solutions.” They also admit most of the recommendations are not new – the issue is starting with moving to a governance approach for OT that is similar to if not identical to mature IT governance around security being baked into procurement, deploying and monitoring.
  • We have all seen an increased importance on OT security over the last couple of years. The focus needs to be on where OT systems interface with conventional IT systems, to include media transfer procedures for isolated systems. Use caution when looking at patches/updates or adding active testing as these activities can render systems inoperable, or worse, OT components may not have any provision for updates other than a very expensive forklift replacement.
  • We need to know what we have so that we can protect it. We also need to know what we rely upon so that we can patch it as necessary. Given so-called “shadow IT,” this becomes a line-management, not IT or security staff, responsibility.

CISA: Critical Infrastructure Agencies Should Prepare for Post-Quantum Computing

The US Cybersecurity and Infrastructure Security Agency (CISA) has published Preparing Critical Infrastructure for Post-Quantum Cryptography. The document provides an overview of quantum computing, explains why it threatens digital communications and public key cryptography, and enumerates potential impacts to national critical functions.

Note

  • A good tutorial around how quantum computing will impact the use of cryptography, but the truth is most (really all) government agencies need to reach basic security hygiene levels long before quantum computing use by bad guys reaches the top 5 risks. A critical part of basic security hygiene, as defined in every security framework, is an accurate inventory of resources that need to be protected to keep the mission safe. ALL security controls should be part of that accurate inventory. Knowing where you are using crypto is one of the early steps in the DHS Post-Quantum Crypto Roadmap.
  • There is not a lot you can do right now except to make sure that you’ve phased out older weaker encryption/signing such as 3DES and SHA1. If you’re already at AES128, look at moving to AES256. Prepare for the quantum-resistant crypto by identifying where you’re using encryption so you can plan for testing prior to a wholesale uplift to new algorithms. Pay particular attention to key escrow and recovery changes where applicable.
  • It is not simply the traffic that occurs after quantum computer attacks become efficient that is at risk but all that encrypted traffic that the NSA is storing. We must assume that our adversaries also have troves of traffic that will remain sensitive into the future. That said, we still have ample time to prepare. Let us use it well.

Mozilla Releases Updates for Firefox and Thunderbird

Mozilla has released updates that address several vulnerabilities in its Firefox browser and Thunderbird email client. Users are urged to update to Firefox 104, Firefox ESR 102.2, or Firefox ESR 91.13, and to Thunderbird 102.2 or Thunderbird 91.13.

Note

  • If you’re still on ESR 91.12, you may want to go to 91.13 vs 102.2 until you’ve verified the impact of any UI/feature changes. The .13 version updates are effectively transparent to end users aside from the browser relaunch.

LastPass Discloses Security Incident

Password management company LastPass has disclosed a breach in which intruders stole source code and proprietary data. In a blog post, LastPass CEO Karim Toubba writes that they “determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.”

Note

  • This is about security of their development system, no user impacts are yet determined. The hard problem for LastPass will be determining what actions to take to circumvent the risk of the lost intellectual property. Keep an eye out for any updates to address that risk.
  • Every organization has security incidents. I applaud those like LastPass who 1) detect and 2) report publicly on what happened.

Apple releases patches for iPad OS, iOS

Apple released security updates for iPhones, iPads and Mac desktops last week, warning of two security vulnerabilities that attackers were actively exploiting in the wild. The two security issues exist in WebKit, the browser engine for Safari and other Apple apps. Apple said an attacker could exploit one vulnerability to achieve code execution if a targeted device accessed attacker-created content, while the other could lead to arbitrary code execution with kernel privileges. The flaws affect iOS, iPadOS and macOS Monterey, especially older models of the iPhone and iPad.

Cisco patches high-severity vulnerability in AsyncOS

Cisco released patches for a high-severity vulnerability in AsyncOS for Cisco Secure Web Appliance. CVE-2022-20871 exists because the software improperly validates user input from the web interface. An attacker could exploit this vulnerability by authenticating to the targeted system and then elevating their privileges to root. However, the attacker first needs to acquire appropriate read-only credentials. Cisco stated in a security advisory that it is not aware of any exploitation attempts of this in the wild.

Sucuri: Fake DDoS Protection Popups on WordPress Sites Lead to Drive-by Download

Researchers from Sucuri warn that some WordPress sites are being hacked to display phony DDoS protection popups. The prompts are designed to appear to come from Cloudflare. When people click on a button to purportedly get a verification code to access the site, they are actually being tricked into downloading a remote access trojan (RAT).

Note

  • This is an interesting “trick” in that it is likely perfectly reasonable to users to follow the instructions on these fake DDoS protection pages. There is no good way for a user to distinguish a fake from a real DDoS protection page. Some user education may help.
  • As a site owner, make sure that you’re keeping it updated; implement MFA for administrator accounts. If you’re not implementing MFA for all accounts, use strong passwords for end-users, and allow them to self-enroll in MFA. Put a firewall in front of your site, and look into file integrity monitoring, which can alert you to unauthorized or unexpected changes. As a user, beyond keeping your system updated, look carefully at requests to verify you are not a bot or other malicious agent. Make sure that your endpoint protection is both enabled and keeping current.
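
The file integrity monitoring mentioned in the notes can be built from standard tooling. What follows is an added example, not code from Sucuri or from the WordPress project: a baseline-and-compare monitor written for PowerShell 7 (which runs on Linux as well as Windows). The function names are hypothetical, and the demonstration at the end builds a constructed throwaway site under the temp directory rather than touching a real web root.

```powershell
# Added example: minimal file integrity monitoring for a web root.
# Assumptions: PowerShell 7, read access to the site root, and a baseline file
# stored somewhere the web server account cannot write (not inside the web root).

function Get-FileHashMap {
    # Returns a hashtable of relative path -> SHA256 for every file under $Root.
    param([Parameter(Mandatory)] [string] $Root)
    $rootFull = (Resolve-Path $Root).Path
    $map = @{}
    Get-ChildItem -Path $rootFull -Recurse -File | ForEach-Object {
        # Normalise to forward slashes so baselines compare across OSes.
        $rel = $_.FullName.Substring($rootFull.Length).TrimStart('\', '/') -replace '\\', '/'
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function New-FimBaseline {
    # Hashes every file under $Root and writes the result as JSON; returns the file count.
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $BaselinePath
    )
    $baseline = Get-FileHashMap -Root $Root
    $baseline | ConvertTo-Json -Depth 2 | Set-Content -Path $BaselinePath -Encoding UTF8
    return $baseline.Count
}

function Compare-FimBaseline {
    # Re-hashes $Root and reports files added, removed, or modified since the baseline.
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $BaselinePath
    )
    $old = @{}
    (Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = $_.Value }
    $new = Get-FileHashMap -Root $Root

    $added    = @($new.Keys | Where-Object { -not $old.ContainsKey($_) })
    $removed  = @($old.Keys | Where-Object { -not $new.ContainsKey($_) })
    $modified = @($new.Keys | Where-Object { $old.ContainsKey($_) -and $old[$_] -ne $new[$_] })

    [pscustomobject]@{ Added = $added; Removed = $removed; Modified = $modified }
}

# --- Constructed demonstration (hypothetical site, nothing real is modified) ---
$site = Join-Path ([IO.Path]::GetTempPath()) ("fim-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $site 'wp-content/themes/demo') -Force | Out-Null
Set-Content -Path (Join-Path $site 'index.php') -Value '<?php echo "hello"; ?>'
Set-Content -Path (Join-Path $site 'wp-content/themes/demo/footer.php') -Value '<footer></footer>'

# Keep the baseline outside the monitored tree so it is neither hashed nor writable by the site.
$baselineFile = Join-Path ([IO.Path]::GetTempPath()) ("fim-demo-baseline-" + [guid]::NewGuid() + ".json")
$fileCount = New-FimBaseline -Root $site -BaselinePath $baselineFile
Write-Host "Baselined $fileCount files"

# Simulate the kind of change a site compromise produces: a script tag appended to a
# theme file, and a new PHP file dropped into the tree (constructed, placeholder host).
Add-Content -Path (Join-Path $site 'wp-content/themes/demo/footer.php') -Value '<script src="https://example.invalid/x.js"></script>'
Set-Content -Path (Join-Path $site 'wp-content/dropped.php') -Value '<?php /* placeholder */ ?>'

Compare-FimBaseline -Root $site -BaselinePath $baselineFile | Format-List
```

In the demonstration the comparison reports the theme footer as modified and the dropped PHP file as added. On a real site, run the compare from a scheduled task or cron job, exclude genuinely volatile directories (uploads, caches) rather than ignoring alerts from them, and re-baseline only after a deliberate update, since a baseline refreshed from an already-compromised tree silently blesses the attacker’s changes.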

CISA Hosts Tabletop Election Security Exercise

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the US Election Assistance Commission, National Association of Secretaries of State (NASS) and the National Association of State Election Directors (NASED) hosted a tabletop election security exercise last week. Participants included representatives from state and local government, federal agencies, and election industry firms.

Note

  • Good to see proactive effort for assuring the security of election systems. This was a larger, longer version of a tabletop exercise – many CISOs have found doing 1-4 hour tabletop exercises with Boards of Directors, often outside of the regular board meeting, to be very effective in both gaining trust for strategy and support from directors and senior management.
  • When’s the last time you conducted a tabletop exercise? Did it include the same systems as last time or are you working through all your systems, including cloud and outsourced services? CISA has resources to help if you don’t have a handle on conducting these exercises. Make them regular – at least annual – and implement lessons learned, don’t leave them sitting in a report someplace.

CISA and MS-ISAC: Zimbra Flaws are Being Actively Exploited

In a joint cybersecurity advisory (CSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warn of “active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS).” The CSA includes technical details, detection methods, and suggested mitigations.

Note

  • At this point, if you’ve not applied the patches and have Internet facing Zimbra instances, you need to assume they’ve been compromised. This means you need to forensicate your environment _AND_ apply the updates. Leverage the snort signatures in the CISA alert to detect malicious activities, as well as any activity from the C2 domain. Act now before you show up on a list of pwned sites. Note the Zimbra flaws are on the CISA KEV site with due dates of September 1st.

LockBit Gang Website DDoSed

The site on which the LockBit ransomware group posts stolen data has been shut down by a distributed denial-of-service (DDoS) attack. LockBit says that the messages accompanying the attack referenced Entrust, a cybersecurity vendor that reported a cyberattack and data theft earlier this summer. LockBit began posting data taken from Entrust late last week; the DDoS attack began over the weekend.

Note

  • I worked for the original Entrust PKI company back in the late 1990s – a security firm launching a DDoS attack back then wasn’t even a consideration. Doing so today shouldn’t be one either, as it is unlikely to have any positive outcome. Good example to use to drive planning for how your company would respond if attack traffic was doctored to appear as if it was coming from you.
  • Entrust has contracts through GSA and US-Access to provide HSPD-12 badges to much of the US Government as well as many other customers of their hosted and local PKI services. I have been involved with their products since 1998 and knowing the company it’s unlikely that they would jeopardize these relationships to strike back at the LockBit gang. If you have a desire to strike back at a threat actor or ransomware gang, be very careful. Not only do you need good operational security, but also a clear understanding of risks, blow-back and permission to use the devices and networks involved in that retaliatory move.
  • It should come as no surprise that cybercriminals do not have robust cybersecurity measures in place and can themselves be victims of cyberattacks. This is a cautionary reminder that even if a criminal gang promises not to release your data should you pay the extortion fee, they themselves cannot guarantee the security of that data on an ongoing basis.

CISA Adds Seven Vulnerabilities to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added seven security issues to its Known Exploited Vulnerabilities Catalog over the past week. The vulnerabilities affect Palo Alto Networks PAN-OS, Apple’s iOS and macOS, Google Chrome, Microsoft Windows and Active Directory, and multiple SAP products. Seven of the flaws have mitigation deadlines of September 8; the eighth has a mitigation deadline of September 12.

Note

  • If you’re holding off on pushing people to install the patches for iOS and macOS because a new version is “around the corner,” you need to rethink that strategy as the vulns are being actively exploited. Don’t overlook the SAP issues while you’re heads-down updating Windows, Chrome and PAN-OS.

Joint-Cybersecurity Operations Command Center Membership is Growing

The Joint-Cybersecurity Operations Command Center (J-CSOC), founded by North Dakota in 2021, now has nearly 20 percent of US states participating. Initially, the organization included North Dakota, South Dakota, and Montana because of a law that allowed state agency collaboration only with bordering states. That law has since been overturned. The J-CSOC hopes to have 30 percent participation by the end of this calendar year. “Prior to forming the J-CSOC, there was no mechanism to facilitate direct state-to-state sharing of cyber threat intelligence.”

Note

  • In other verticals, like healthcare, there have been problems when multiple sharing organizations existed without coordination. More sharing is better than less, but isolated silos don’t lead to effective sharing – the J-CSOC and the Multi-State ISAC should work together to establish coordination/cooperation.
  • Information sharing is how we help each other. Overturning that law which limited participation to bordering states allowed the J-CSOC to include the entire nation. As a participant in a service like this, make sure that you understand what information is stored, and how it is shared. Make sure that you have appropriate NDAs as well as sign-off from your risk executive as your CISO and SOC will benefit from access to the information. For optimal benefit, all participants need to ensure they’re contributing not just consuming incident and threat data.

Java Libraries and Deserialization Vulnerabilities

Researchers from four European universities have published a paper titled An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. The researchers “perform[ed] two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications.” Some notable deserialization issues include the Log4Shell RCE vulnerability, the 2017 Equifax breach that was enabled by a deserialization flaw in Apache Struts, and the Atlassian Jira vulnerability that was disclosed last summer.

Note

  • A couple of key points in the study include that deserialization vulnerabilities have an average of six years for removal of the exposed exploitable code constructs as well as using caution to only accept deserialized data from a trusted source. Even with a long patch time, make sure that you’re using updated libraries which include fixes for these flaws.
  • The efficient use of computers relies upon code reuse. Secure use of computers requires that developers (and users) be accountable for the quality of all the code that they use, regardless of source.

DHS IG: CISA’s Automated Indicator Sharing Service Needs Improvement

According to a report from the US Department of Homeland Security Office of Inspector General, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Automated Indicator Sharing (AIS) service “has made limited progress improving the overall quality of threat information.” Entities interviewed for the report said that most of the threat indicators they received did not include enough information for them to take steps to mitigate the issues.

Note

  • This is the feed between government and private sector customers. As such, data quality and relevance are crucial for effective decision making. CISA has been directed to upgrade systems, hire staff, and implement quality controls on reporting of data to ensure needed context is included to allow consumers to make better decisions.
  • Timely and effective intelligence sharing is much more difficult than it looks. It takes years to establish, not weeks or months.

Twilio breach exposed phone numbers of 1,900 Signal users

That Twilio breach announced last week really had a knock-on effect. The hackers who broke into Twilio’s systems gained access to data on 125 customers. One of those customers is encrypted messaging app Signal, which this week said 1,900 users had their phone numbers exposed as a result. (Signal relies on Twilio for sending SMS verification codes to users registering their Signal app.) No messages or private content were compromised, but Signal said at least three user accounts were re-registered during that time, allowing the attackers to briefly send and receive messages as if they were those people. Motherboard reporter @lorenzofb was one of those targeted and gave an inside account of how the account hijack went down.

DigitalOcean customers affected by Mailchimp security incident

Staying with breaches… cloud giant DigitalOcean pulled the plug on its account with email marketing giant Mailchimp (now owned by Intuit) after Mailchimp suspended DigitalOcean’s email account without warning. Around the same time, one of DigitalOcean’s customers reported that their password had been reset; DigitalOcean asked Mailchimp about it, and two days later Mailchimp disclosed another security breach (its first was in April) in which some Mailchimp customers had their email addresses exposed. Mailchimp wouldn’t say how many are affected — crypto and blockchain companies were mostly targeted — but that was enough for DigitalOcean to drop a scathing blog post detailing its decision to not use Mailchimp again. (FYI, this newsletter is delivered by Mailchimp, but I was not notified.)

White House’s three-headed cybersecurity team

For a time, it wasn’t clear exactly who was doing what at the highest echelons of cyber in the U.S. government, even for the top cyber officials themselves — U.S. national cyber director Chris Inglis; CISA director Jen Easterly; and White House cyber advisor Anne Neuberger. Axios breaks down the roles and responsibilities of the three top U.S. cyber officials. (Thanks to @kimzetter for tweeting about it.) But Axios warns that the industry folks, former officials and lobbyists who regularly talk with the trio “are still trying to distinguish who does what.”

Android 13 privacy settings you should update now

Google’s new mobile OS has landed, and with it packs a ton of new features aimed at privacy and security, including greater notification controls and an updated privacy dashboard.

New tool checks if JavaScript is injected through in-app browsers

@KrauseFx is back after last week’s look at how Instagram and Facebook inject JavaScript code into third-party websites that could allow tracking within their in-app browsers. Turns out lots of other apps are doing it. If in doubt, use a browser you actually trust (as much as you can trust a browser) and not the in-app version, which largely exists just to keep you in the app.

A chart by Felix Krause showing which apps use in-app browsers, which inject JavaScript, and have the capability to modify the page.

New DOD budget bill would force military to disclose location data purchases

An amendment to the U.S. military budget, known as the annual National Defense Authorization Act (or NDAA), would require the Pentagon to publish a report about its collection of location data from calls, texts and internet traffic — and would apply to DOD’s intelligence offices. The amendment doesn’t ask “why” the DOD is buying it, only what kind of data it buys. A declassified memo last year reported by The New York Times ($) showed the U.S. military bought app data that could be used to track Americans.

Apple tries to quietly patch two zero-days

Apple released surprise security updates to patch two zero-day vulnerabilities found in macOS Monterey, iOS, and iPadOS, which are under active exploitation by hackers. The two bugs, affecting WebKit (the iOS browser engine) and the kernel, are believed to be linked and could allow for complete access to a user’s device. Given the profile of the bugs, it certainly looks like it could be spyware of sorts. But despite the sense of urgency, Apple refused to comment.

Government-grade bull-s…martphone

MIT Technology Review ($) obtained the pitchdeck for Unplugged, a smartphone startup by Erik Prince — you know, the billionaire founder of the Blackwater “private security” firm that infamously killed Iraqi civilians. No surprise here that the pitchdeck is full of bold but mostly false claims, like how it’s “impenetrable” to surveillance (whereas Apple, the $2.7 trillion company with 150,000 employees, isn’t?) and how its infrastructure is in part hosted on a server farm located somewhere in international waters. Brilliant reporting (and tweet thread) by @HowellONeill, who announced this week that he’s leaving journalism for something new. Congrats!

Microsoft disrupts APT with ridiculous name

Hackers linked to the Russian government, which Microsoft calls Seaborgium (in line with its periodic-table naming system), have spent the past five years conducting cyber-espionage and hack-and-leak efforts against military personnel, governments, think tanks and journalists in Europe and the South Caucasus. Microsoft blocked the hackers’ use of OneDrive and fake LinkedIn accounts and exposed the innards of the wider operation.

Microsoft staff exposed their own internal logins

Staying with Microsoft: Motherboard reports that a cybersecurity firm found Microsoft’s own employees inadvertently exposing sensitive corporate login credentials in repos hosted on none other than Microsoft-owned GitHub. Microsoft confirmed the exposure but declined to say specifically what the credentials were protecting.

Compliance is Not an Effective Approach to Cybersecurity

An experiment conducted by Navy CIO Aaron Weis and command information officer at the Naval Postgraduate School Scott Bischoff had red teams launch frequent and unannounced attacks against their own networks. The experiment demonstrated that the approach “reveals which vulnerabilities are the most dangerous, the easiest for an attacker to exploit with the highest impact—information they wouldn’t have otherwise.” Weis notes that while the Defense Department currently manages cybersecurity as a compliance issue, “Cybersecurity is not a compliance problem.”

Note

  • For most NewsBites readers, this is a “no duh” moment – even Navy CIO Weis says “We’ve got…15 to 20 years of track record using a compliance mentality that says it doesn’t work…” Same issue in private industry over that period: the vast majority of credit card info breaches occurred at companies that had passed PCI DSS audits. The key is “protect the business/mission first, then convince auditors you are compliant” and the US DoD needs to focus on the obstacles impeding change. In civilian federal government, we’ve seen the Office of Inspectors General take initiative to add active testing (a la targeted threat hunting and pen testing) to their audits, vs. just data calls collecting reams of policy documents for compliance. Always most effective for security teams to do the right security things before the auditors do it!
  • Well, this is a “water is wet” kind of story, and while it’s a bit embarrassing to hear senior technology leaders say that a compliance-driven mentality is wrong when the rest of the world has been saying the same thing for the past two decades, it is progress. If it moves the Navy in the direction of managing by risk instead of managing by compliance, it’s something we should applaud.
  • Compliance, configuration of security to an accepted baseline and verifying it remains at or above that baseline is a starting point, not an end state. For many years now, I’ve been involved with audits of FISMA systems against published baselines. Those baselines have been suggesting active monitoring of technical controls for a few years now, and DHS’s CDM program is an example of active monitoring. The problem is you need more than big brother watching, you need your own assessment. About 15 years ago our FISMA audits started to include external pentests, and about ten years ago, the testing added internal testing, ultimately having the assessors’ gear live on our internal network. This is both scary and enlightening. Two excellent lessons here. First, don’t wait for a regulator to find your deficiencies; use active means. Remember the auditors are of limited scope, you need a plan for *everything*. Second, use a third party to compensate for your biases, question your accepted deficiencies.
  • If compliance won’t get us there, let’s focus on what will. Asset inventories, identity management, and patching/vulnerability management all matter. We must also hire reputable penetration testers and give them network diagrams, inside access, and recent vulnerability scans.
  • The one thing that concerns me here is that this report is even making the news, or that even a report like this has to be published.

Check the Details of Your Cyber Insurance Coverage

A judge has dismissed a lawsuit against an insurance company over a disputed claim. Travelers Casualty and Surety Co. filed a motion to dismiss the suit brought by SJ Computers because the incident was deemed a case of social engineering fraud rather than computer fraud. SJ Computers sought payment of $600,000 for losses incurred after they were targeted in a business email compromise (BEC) scheme. The social engineering fraud policy is capped at $100,000.

Note

  • Definitely use this item to discuss with your Chief Legal Counsel, CFO and/or Board of Directors. If your company is just now looking at cyber insurance, a short tabletop exercise would be ideal. Most lawsuits like this seem to find in favor of the insurance companies and most security folks should NOT be the ones examining all the clauses and loopholes when policies are being looked at. This incident really pointed out three key issues: how MFA would have made it much harder for the attacker to compromise the purchasing manager’s PC; informal approval processes enabled the false sense of urgency the attacker created to succeed; and why cyber security policies rarely, if ever, cover anything close to the entire cost of attacks that exploit those first two issues.
  • Even if you play a lawyer on TV, hire a professional who knows cyber law to read your existing contract. You need to know when they will and will not pay. As tempting as it is to say, I read it when we signed up, we’re good, make sure that you’re looking at their most current language as many contracts include language to the effect that continued use/renewal is consent to the most current contract terms. Make sure that you’re addressing any coverage gaps, and adjust the policy where needed. Make sure you have a plan for items with reduced to negated coverage.
  • Wow, this is a big deal. First, I never even thought of “Social Engineering” vs. “Computer Fraud” as being two different things because from my perspective they are very intertwined. However, from a legal / insurance perspective it can (and is in this case) clearly defined as two very different things. With over 80% of breaches now involving the human element, this could easily become a legal mechanism where insurance companies don’t have to pay.
  • Suffice it to say that most enterprises do not have the competence to evaluate cyber insurance policies and compare them to the risk that they are trying to assign. Consider the use of a broker that specializes in this kind of coverage.

Microsoft Sysmon 14

Microsoft Sysmon 14 includes a configuration option that allows sysadmins to block creation of malicious executables. The executables can be blocked based on several different criteria, including file path and hash matches. It should be noted that a security researcher has come up with a method to bypass the feature.

Note

  • We continue to see more and more organizations deploying Sysmon (it is free) alongside their EDRs but the number is still relatively low (<20% if I had to guess). I highly recommend considering Sysmon as part of your security stack. Like all detection solutions, it requires detection engineering, tuning, continuous testing, and validation.
  • The feature requires the use of XML rules files which need to be passed to sysmon as it starts up. Even with a bypass method, this should only be one component in your larger cadre of protection services – yeah I’m going to say it – defense in depth.
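
To make the blocking option concrete, here is an added PowerShell example; it is not taken from Microsoft’s Sysmon documentation or from the item above. It writes a rule set for the FileBlockExecutable rule type that Sysmon 14 introduced (logged as event ID 27), installs Sysmon with that configuration or updates a running instance, and then lists the block events so the rule can be verified. It assumes an elevated prompt with sysmon64.exe in the current directory; the Downloads path condition and the all-zero SHA256 value are placeholders to replace with your own policy and threat intelligence.

```powershell
# Added example: deploy a Sysmon 14 FileBlockExecutable rule and verify it.
# Assumptions: elevated PowerShell, sysmon64.exe in the current directory,
# Sysmon 14.0 (configuration schema 4.82; confirm with: .\sysmon64.exe -s).

$ConfigPath = Join-Path $PWD 'sysmon-block.xml'

# FileBlockExecutable removes a PE file at the moment it is written when a rule matches,
# and records the attempt as event ID 27. Two matching styles the feature supports:
# a path condition and a hash condition (the hash below is a PLACEHOLDER, not a real IoC).
$SysmonConfig = @'
<Sysmon schemaversion="4.82">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="BlockDroppedExecutables" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <!-- path match: executables written into any user's Downloads folder -->
        <TargetFilename condition="contains">\Downloads\</TargetFilename>
        <!-- hash match: replace the zeros with a SHA256 of a binary you want to deny -->
        <Hashes condition="contains">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Hashes>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding UTF8

# Fresh install (-i) when the service is absent; otherwise load the new rules in place (-c).
$SysmonService = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if ($null -eq $SysmonService) {
    & .\sysmon64.exe -accepteula -i $ConfigPath
} else {
    & .\sysmon64.exe -c $ConfigPath
}

# Verification and ongoing detection: each block is an event ID 27 record in the
# Sysmon operational log. Forward these to your SIEM; a block is also a signal that
# something tried to drop an executable, which deserves a look on its own.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 27
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Rule           = $data['RuleName']
            Image          = $data['Image']      # process that wrote the file
            TargetFilename = $data['TargetFilename']
            Hashes         = $data['Hashes']
        }
    } | Format-Table -AutoSize
```

Start with `onmatch="include"` rules that are narrow and test them on a pilot group: a broad path condition will delete legitimate installers as readily as malware. Because a bypass for the feature has already been published, treat the rule as one preventive layer that also produces telemetry, and keep EDR and application control in place behind it.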

Make Sure Chrome Browsers Are Updated and Relaunched

Google has updated the Stable channel for Chrome to version 104.0.5112.101 for Mac and Linux and version 104.0.5112.102/101 for Windows. The updates for the desktop versions of the browser include fixes for 11 security issues, including an improper input validation vulnerability that is being actively exploited.

Note

  • One of the fixed vulnerabilities is already being exploited. Luckily, Google Chrome has pretty good auto-update features. Make sure to exit Google Chrome at least once a day to allow it to update.
  • That improper input validation (CVE-2022-2856), with a known exploit, should be sufficient motivation to push out your updates. Make sure that users really relaunch Chrome, Brave, etc. and they are running the current version. (As opposed to a relaunch from the last update, leaving them not current yet.)

Can Machine Learning Predict Which Vulnerabilities Will be Exploited?

Researchers from the University of Maryland at College Park and Arizona State University have developed a model to predict which software vulnerabilities are more likely than others to be exploited. The researchers “propose a new metric, called Expected Exploitability (EE), which reflects, over time, the likelihood that functional exploits will be developed.” The metric was developed using machine learning based on more than two dozen data sources. The researchers published a paper on their work at the USENIX Security Symposium in Boston last week.

Note

  • Whenever there are vendor or researcher papers on AI/ML predicting cybersecurity-relevant stuff, I always search for where (too often “if”) false positives are mentioned. This paper did a good job of addressing false positives, in particular what they call “label noise” but it kinda seems like this index mostly says “if good guys publish Proof of Concept attack code, then high likelihood bad guys will be able to exploit this one.” That issue is pretty much covered by CVSS scoring’s Exploit Code Maturity metric under Temporal Metrics. This research used that data but also added other similar information. Either using this index or simply tracking Temporal Index driven increases in relevant CVSS scores does look like false positives are reduced – but very often the initial CVSS score already includes presence of functional PoC code.
  • Properly predicting the likelihood of a vulnerability being exploited is a game changer for enterprise patch management. I will believe that this works once it has been shown to be effective for future vulnerabilities.
  • Very interesting paper that I will need more time to digest and think through. I like how it compares and contrasts with the Exploit Prediction Scoring System (EPSS): https://www.first.org/epss/. A better understanding of (potentially) exploitable vulnerabilities will help organizations prioritize but I still think the focus on detection and response is more important as 0days and gaps in these models leave you vulnerable.
  • This would help in prioritizing update activities; you still need to apply your local environmental considerations and regulatory requirements which may constrain your risk-based approach. Even so, it’s a potential win for resources which are already stretched thin.

An Argument for ”Whole-of-State” Cybersecurity

Former NSA Director Gen. (Ret.) Keith Alexander and North Carolina Chief Risk Officer Maria Thompson write that “While adversaries are launching sector-wide and supply-chain attacks to get the biggest bang for their buck, we’re fundamentally still defending on an individual basis.” They propose “a ‘whole-of-state’ approach to cybersecurity — one that breaks down the silos and enables real-time, cross-jurisdictional collaboration across the entire state to improve the cybersecurity posture of all stakeholders.”

Note

  • The reason attacks have been able to continue to succeed really is NOT because attackers attack entire industries or supply chains at once – the real key is attackers have gotten much better at tailoring attacks against particular vulnerabilities at particular targets to achieve particular goals. Collaboration across industries has long been recognized as a good thing, as efforts like the Financial ISAC have shown for a long time – such collaboration does NOT require the use of a particular product. For US state and local, in May the Biden administration increased funding through DHS to the Multi-State ISAC – the MS-ISAC should be the focus of increased collaboration across states to raise the bar against attackers.
  • The vision is that broad visibility to incidents, across an entire state or region, can help to identify trends and activities which could allow for mitigation activities to slow or block their continued spread. The challenge is defining how that visibility is to be achieved, and then providing the tools and resources to state agencies to achieve it. And the sad reality is that without a mandate, which includes funding, not a lot of traction can be obtained. Further, the organization collecting the data will need to be equipped to address concerns relating to the security of that data, as well as privacy/NDA constraints. While this parallels what DHS/CISA are doing at the federal level, it’s not clear they have the capacity to take this on as well.
  • This opinion is absolutely correct, but who’s the hero who’ll bring us all together?
  • Given that almost any system connected to the public networks is part of the national infrastructure, we all have an interest in the security of those systems.

Read more in

RubyGems Mandating MFA for Popular Maintainers

As of Monday, August 15, RubyGems will be requiring multi-factor authentication (MFA) on the accounts of popular maintainers. For the time being, the new rule applies to “owners of gems with over 180 million total downloads.” Once MFA has been rolled out to that group, the requirement will be extended to additional maintainers.

Note

  • This is about account takeover and supply chain security. Their move is designed to be consistent with what package registries are doing. RubyGems started enforcing the MFA requirement 8/15; owners without MFA will no longer be able to edit their profile, perform privileged actions (push/yank gems, add/remove gem owner) or sign into the command line. Once a package exceeds 180 million downloads, MFA will be required.
  • I see this as a growing trend and a good one, MFA being required for important accounts. Is MFA perfect? No. Is it effective? Yes. My one concern is we now have so many variations of MFA, and different definitions of what constitutes ‘strong’ MFA, that even I’m getting confused.
  • Code repositories are about as sensitive as an application can get. The use of strong authentication continues to become more convenient and efficient. It is essential to the kind of accountability that is so lacking in software.

Read more in

Apple Updates Address Zero-Days in macOS, iOS, iPadOS, and Safari

Apple has released macOS Monterey 12.5.1 and iOS/iPadOS 15.6.1 to fix two out-of-bounds write vulnerabilities that are reportedly being actively exploited. One of the flaws affects the OSes’ kernel; the second affects the WebKit browser engine. Apple has also released Safari 15.6.1 for macOS Big Sur and Catalina to fix the WebKit vulnerability.

Note

  • Apple released 3 distinct updates. The first two are for the current version of macOS and iOS/iPadOS. They fix the WebKit vulnerability affecting Safari as well as a privilege escalation vulnerability in the kernel. The third update is only updating Safari, and it is meant for the older operating system. At this point, there is no patch for the privilege escalation vulnerability for older versions of macOS. These older versions may not be affected, or we will see a patch for them later.
  • Yeah, actively exploited – doggone it. Leverage that with your users waiting for iOS 16 or macOS 13 in September instead of applying these updates. Odds are you’re going to need time to do testing of the newest OS versions before pushing them, so September rapidly becomes November, and “wait a few weeks before applying updates” becomes not only longer, but also an increased risk of exploit.

Read more in

Amazon Fixes Ring App Vulnerability

Amazon’s Ring has fixed a vulnerability in its Android app that could have exposed users’ personal information, geolocation, and saved recordings from their cameras. The Android Ring app has been downloaded more than 10 million times. The vulnerability was detected by researchers at Checkmarx. They notified the Amazon Vulnerability Research Program about the issue on May 1, 2022; Amazon released a fix on May 27.

Note

  • In addition to updating your Ring app, make sure that you’ve minimized the alerts which draw attention to your smartphone/tablet being connected to a Ring doorbell/etc. Make sure that your Ring Neighbors app is also updated and verify your security settings are current. Make sure you understand the conditions under which your doorbell or other security device footage can be shared by your provider with law enforcement with and without your consent.
  • Always nice to highlight success stories around vulnerability disclosure and rapid vendor fix. This required malware to get onto Android first, risk somewhat mitigated by the Google Play app store process. Would be good to hear from Amazon why Reflected Cross-Site Scripting (XSS) vulnerabilities in all Amazon code will be much less likely after this one.

Read more in

Update Zoom for macOS, Again

Zoom has released a second update for an auto-update utility vulnerability in Zoom for macOS after the first fix was bypassed. The initial patch was made available over the weekend; the new update, version 5.11.6 (9890) was released on Wednesday, August 17.

Note

  • While it seems the 5.11.5 patch was an incomplete fix, CVE-2022-28757 was released for this issue, which looks identical to CVE-2022-28756 except for the version, and this one was reported by Csaba Fitzl of Offensive Security. This has a base CVSS score of 8.8 – so you want to jump on this. Again, not a good idea to wait for the auto-update process to catch up.

Read more in

Ransomware Affects UK Water Company

A UK Water company was hit with ransomware earlier this week. There was some confusion about which company was the victim, as the perpetrators published incorrect information about the company they targeted. Both the incorrectly identified target and the actual victim have published statements.

Note

  • By all intents, it appears that the weaknesses and exfiltrated data from the smaller company, South Staffordshire PLC, were used to try to exact a response, including payment, from the much larger Thames Water company. The most obvious lesson is one of verification. Make sure that when you’re being extorted over exposure of your data, it really is your data. South Staff is still working to restore their IT services; fortunately, their ability to supply water to customers was not impacted.

Read more in

Janet Jackson Music Video Can Crash Hard Drives on Old Laptops

A computer manufacturer discovered that playing the music video for Janet Jackson’s 1989 song Rhythm Nation can crash hard drives in certain older laptops. Not only does the video have the capacity to crash laptops on which it is played, but it can also crash drives of nearby laptops. “It turns out that the song contained one of the natural resonant frequencies for the model of 5400 RPM laptop hard drives that” the affected laptops used. The manufacturer created a custom filter to remove the identified frequencies during audio playback.

Note

  • Real “fun” vulnerability, and it got its own CVE number! The effect isn’t new. There have been reports of mass disk failures in data centers triggered by fire alarms, and it has been well documented that mechanical drives suffer performance penalties in high vibration (loud) environments.
  • Raise of hands, how many of you are getting ready to try this and see which laptops will crash? This affects laptops from around 2005, and has its own identifier of CVE-2022-39392. With apologies to my Netwars family and other similar event hosts, without appropriate filters, you may (still) not want to play this album during CTF events as that “burner” laptop participants are using may be old enough.
  • Impossible to resist commenting on this one: when I was 11 years old, William Shatner (Star Trek’s Captain Kirk) released his “version” of the Beatles’ “Lucy in the Sky with Diamonds” that made everyone assume he had taken LSD. Playing that on any computer will likely cause the sound card to self-destruct…
  • This is, hands down, my new favorite CVE.

Read more in

Realtek SDK Vulnerability Exposes Routers to Simple Exploit

A vulnerability in the SIP application layer gateway (ALG) included in Realtek’s software development kit for its RTL819xD system-on-a-chip devices exposes routers to a simple stack-based buffer overflow. Patches are available from Realtek but have not yet been included by all vendors in updated firmware images. The vulnerability is exploitable via a single UDP packet sent to the router, even if the web-based administrative interface is not exposed.

Note

  • This was probably the most important issue revealed at DefCon/BlackHat this year, and so far it has not been reported on much. It highlights a supply chain issue that organizations have a hard time handling. Affected devices are not typically found in enterprises, but in homes and small businesses. I do not know of an enterprise capable of managing or even inventorying routers employees use when working from home, and users have a notoriously hard time finding and applying firmware upgrades to routers.
  • The vulnerable code is part of the networking stack, so attackers just need to send a specially crafted SIP packet to achieve device takeover. You can mitigate the risk by blocking UDP packets at your perimeter. Use caution to not block any critical services actively using UDP. VoIP and gaming services are the most likely affected by this approach; make sure that your VoIP provider is on the allow list. Keep an eye out for updates from your vendor, particularly if they reference CVE-2022-27255 or Realtek SDK update.
  • SANS Internet Storm Center info and guidance at isc.sans.edu: Realtek SDK SIP ALG Vulnerability: A Big Deal, but not much you can do about it. CVE 2022-27255
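Added example for the notes above (not code from the article, the ISC diary or Realtek): a coarse defender-side heuristic for an IDS rule or packet-capture review that flags SIP-over-UDP payloads carrying header or SDP lines far longer than a legitimate phone or PBX would send. A SIP ALG that copies header values or SDP fields into fixed-size buffers should never see lines like that. The 256-byte limit, the method list and the two sample packets are constructed assumptions, not values from the advisory.

```python
"""Flag SIP-over-UDP payloads that carry oversized header or SDP lines.

Constructed example for a SIP ALG stack-overflow advisory; the limit and
the sample packets are assumptions, not values from the advisory.
"""
from typing import List

SIP_METHODS = ("INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
               "SUBSCRIBE", "NOTIFY", "INFO", "UPDATE", "PRACK", "REFER")
MAX_LINE_LEN = 256  # assumed upper bound for a sane header or SDP line


def looks_like_sip(payload: bytes) -> bool:
    """True if the first line is a SIP request line or status line."""
    first = payload.split(b"\r\n", 1)[0]
    if first.startswith(b"SIP/2.0 "):
        return True
    return any(first.startswith(m.encode() + b" ") for m in SIP_METHODS)


def oversized_sip_lines(payload: bytes, limit: int = MAX_LINE_LEN) -> List[str]:
    """Return one finding per header or SDP line longer than `limit` bytes.

    Non-SIP payloads and well-formed messages yield an empty list.
    """
    if not looks_like_sip(payload):
        return []
    head, _, body = payload.partition(b"\r\n\r\n")
    findings: List[str] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        if len(line) > limit:
            name = line.split(b":", 1)[0][:32].decode("ascii", "replace")
            findings.append(f"header {name!r} is {len(line)} bytes")
    for line in body.split(b"\r\n"):
        if len(line) > limit:
            kind = line[:2].decode("ascii", "replace")  # SDP field, e.g. 'm=' or 'c='
            findings.append(f"SDP line {kind!r} is {len(line)} bytes")
    return findings


def _sip_invite(sdp_lines: List[bytes]) -> bytes:
    """Assemble a minimal constructed INVITE carrying the given SDP lines."""
    sdp = b"\r\n".join(sdp_lines) + b"\r\n"
    headers = [
        b"INVITE sip:bob@192.0.2.10 SIP/2.0",
        b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed",
        b"From: <sip:alice@198.51.100.7>;tag=1928301774",
        b"To: <sip:bob@192.0.2.10>",
        b"Call-ID: constructed-call-id@198.51.100.7",
        b"CSeq: 314159 INVITE",
        b"Content-Type: application/sdp",
        b"Content-Length: " + str(len(sdp)).encode(),
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + sdp


# Constructed samples: a normal call setup, one whose media description
# line is padded to over 600 bytes, and a payload that is not SIP at all.
SAMPLE_OK = _sip_invite([
    b"v=0",
    b"o=alice 2890844526 2890844526 IN IP4 198.51.100.7",
    b"s=-",
    b"c=IN IP4 198.51.100.7",
    b"t=0 0",
    b"m=audio 49170 RTP/AVP 0",
])
SAMPLE_SUSPECT = _sip_invite([
    b"v=0",
    b"o=alice 2890844526 2890844526 IN IP4 198.51.100.7",
    b"s=-",
    b"c=IN IP4 198.51.100.7",
    b"t=0 0",
    b"m=audio 49170 RTP/AVP 0 " + b"A" * 600,
])
SAMPLE_NOT_SIP = b"\x00\x01\x02 not a sip message"

if __name__ == "__main__":
    for label, pkt in (("ok", SAMPLE_OK), ("suspect", SAMPLE_SUSPECT), ("other", SAMPLE_NOT_SIP)):
        print(label, oversized_sip_lines(pkt))
```

Run against the payload of inbound UDP datagrams (port 5060 or, since ALGs often inspect any UDP, all of them). A hit is a reason to look at the source, not proof of an exploit attempt; the real mitigation remains the vendor firmware update and the perimeter UDP policy described above.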

Read more in

Black Hat: macOS Process Injection Vulnerability

Apple has released updates to address a vulnerability that could be exploited by a process injection attack to break multiple levels of Apple security. The issue was discovered by Thijs Alkemade, a researcher from the cybersecurity firm Computest.

Note

  • Apple will have a hard time eliminating these process injection vulnerabilities. This problem reminds me of deserialization vulnerabilities in web applications. Note also that this week’s Zoom update for MacOS addresses this issue.
  • Apple’s update is only for macOS 12 (Monterey). With the pending release of macOS 13 (Ventura), which should include this fix, it’s time to get your users up to Monterey. While Apple holds their support model tightly, I have found that support for current plus one OS revision back is their sweet spot. Expect a similar model this fall when iOS/iPadOS support shifts from versions 14 & 15 to 15 & 16.

Read more in

Black Hat: Zero-Day Initiative’s Recommendations for Improving “Systemic Problems with Security Patches”

In a briefing at Black Hat Brian Gorenc and Dustin Childs of Trend Micro Zero Day Initiative discussed the declining quality of patches and increasingly vague language in security advisories they have observed. Gorenc and Childs also “proposed methods to incentivize vendors to improve their servicing habits, including alternative disclosure timelines for failed patches.”

Note

  • The key line in this excellent presentation is “Spend your money wisely. Vote with your wallet.” Realistically, there is NOT going to be legislation any time soon that addresses this complex problem in any meaningful way. The market has shown that security of software is important – over 20 years ago that is what drove then Microsoft CEO Bill Gates to make the company focus on security, since Microsoft was losing the World Wide Web race to Netscape and others. Make sure all procurements/RFPs include at least questions on testing of software and patch timeliness/quality statistics from all software (including SaaS) vendors.
  • The dream has been to be able to categorize and prioritize patches, focusing on the most exploitable and critical issues. Vendor trends include putting advisories behind paywalls and reducing the exploitability information, with the intent of providing more time for users to apply patches while making reverse engineering the flaw more difficult. Leverage services to auto-patch commodity systems and applications (typically desktops and standard servers) rapidly, allowing staff to focus on regression testing for servers and other mission essential applications. You may also be able to leverage cloud or outsource solutions for common applications such as ERP, CRM which are already continuously patching and updating.
  • This week one colleague suggested that responding to the Microsoft patch Tuesday constituted “unplanned” activity. Patching is now mandatory and routine, hardly unplanned. The number of patches is a measure of quality. This observer continues to be amazed at the tolerance of this industry for poor quality. Addressing it will require new incentives, tools, methods, processes, and procedures. Those we are using are clearly not working.

Read more in

Palo Alto Networks: Updates for PAN-OS Vulnerability Will be Released This Week

A high severity vulnerability in Palo Alto Networks’ PAN-OS is being actively exploited to conduct reflected and amplified TCP denial-of-service attacks. The URL filtering policy misconfiguration flaw affects six versions of PAN-OS; a fix is available for one of the versions; Palo Alto Networks says it will release updates for the remaining versions of PAN-OS this week.

Note

  • According to Palo Alto, this vulnerability can be mitigated by adjusting your configuration. Vulnerable configurations are unlikely and according to Palo Alto usually applied by mistake.
  • While the complexity of this attack is low, it is dependent on a misconfiguration of a URL filtering policy. In short, the URL filter profile has to have one or more security categories assigned to a source zone that has an external facing interface. Normally these would be assigned to internal interfaces. Rather than wait for the patch, scan your filtering profiles, and correct this. Apply the patch, when available, as part of your boundary protection update protocols.

Read more in

Manual Update Available for Zoom for macOS

Users of Zoom for Mac are being urged to conduct a manual update of the video conferencing software to fix a vulnerability in the auto-update process, which is enabled by default. While the Zoom installer needs a password for installation and uninstallation, the auto-update function does not require a password. The flaw could be exploited to gain elevated privileges.

Note

  • This update addresses a vulnerability related to the “process injection vulnerability” discussed at Blackhat. Also see macOS Process Injection story above.
  • The fix is in Zoom 5.11.5 (9788) or later. You probably want to push this update rather than waiting for your users to either go to the “check for updates” menu or wait for the release of a Zoom auto-update.

Read more in

Black Hat: Eclypsium Identifies Bootloader Vulnerabilities

Researchers at Eclypsium “have identified three new bootloader vulnerabilities which affect the vast majority of devices released over the past 10 years including x86-64 and ARM-based devices.” All three are signed by the Microsoft UEFI Third Party Certificate Authority. Eclypsium notes that “Unlike a traditional vulnerability that can simply be patched and resolved, addressing these bootloader vulnerabilities requires multiple parties. In addition to updates from Microsoft, the affected suppliers will also need to remediate and publish updates for their code.”

Note

  • Mitigation takes some manual steps. First, you need to determine if you’re running a vulnerable bootloader. This is done by checking the EFI System Partition (/boot/efi on Linux, mountvol DRIVE: /S on Windows). If it’s vulnerable, you’ll need to apply the updated bootloader from your vendor. Second, you need to apply updates to the Secure Boot Forbidden Signature Database (DBX) which prevents unauthorized UEFI modules from loading. DO NOT make these updates unless you have a known non-vulnerable EFI bootloader. Read support.microsoft.com: Security update for Secure Boot DBX: January 12, 2021
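Added example for the two mitigation steps above (not code from Eclypsium or Microsoft): a parser for the DBX variable that follows the EFI_SIGNATURE_LIST layout from the UEFI specification, used to check whether a bootloader’s image hash is already on the forbidden list before a DBX update is applied. Feed it the raw variable contents; on Linux that is /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f with its leading 4-byte attribute word removed. One caveat a practitioner needs: the SHA-256 entries in DBX are PE Authenticode image hashes of the bootloader, not the output of sha256sum on the file, so the hash you compare must come from an Authenticode-aware PE hasher (not shown here). The sample database at the bottom is constructed.

```python
"""Parse a UEFI Secure Boot forbidden-signature database (dbx) and test a
bootloader's Authenticode hash against it.

Constructed example following the EFI_SIGNATURE_LIST layout of the UEFI
specification; the sample dbx below is made up, not real revocation data.
"""
import hashlib
import struct
import uuid
from typing import Dict, List, Set

# Signature-type GUIDs defined by the UEFI specification
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_HDR = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR_LEN = 16 + _HDR.size      # SignatureType GUID + the three UINT32 fields


def parse_signature_lists(blob: bytes) -> Dict[uuid.UUID, List[bytes]]:
    """Walk consecutive EFI_SIGNATURE_LIST structures and return the
    SignatureData of every entry, grouped by signature type."""
    entries: Dict[uuid.UUID, List[bytes]] = {}
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _HDR_LEN:
            raise ValueError(f"truncated list header at offset {offset}")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = _HDR.unpack_from(blob, offset + 16)
        if list_size < _HDR_LEN + hdr_size or offset + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize at offset {offset}")
        if sig_size <= 16:
            raise ValueError(f"SignatureSize too small at offset {offset}")
        first = offset + _HDR_LEN + hdr_size
        end = offset + list_size
        if (end - first) % sig_size:
            raise ValueError(f"signature array misaligned at offset {offset}")
        for pos in range(first, end, sig_size):
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + SignatureData
            entries.setdefault(sig_type, []).append(blob[pos + 16:pos + sig_size])
        offset = end
    return entries


def revoked_sha256_hashes(dbx: bytes) -> Set[bytes]:
    """All SHA-256 image hashes the database forbids."""
    return set(parse_signature_lists(dbx).get(EFI_CERT_SHA256_GUID, []))


def is_revoked(authenticode_sha256: bytes, dbx: bytes) -> bool:
    """True if the given PE Authenticode SHA-256 hash is listed in dbx."""
    return authenticode_sha256 in revoked_sha256_hashes(dbx)


def build_signature_list(sig_type: uuid.UUID, data: List[bytes],
                         owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (used here only to construct a sample)."""
    sig_size = 16 + len(data[0])
    if any(len(d) + 16 != sig_size for d in data):
        raise ValueError("all entries in one list must share SignatureSize")
    list_size = _HDR_LEN + sig_size * len(data)
    body = b"".join(owner.bytes_le + d for d in data)
    return sig_type.bytes_le + _HDR.pack(list_size, 0, sig_size) + body


# Constructed sample: two forbidden image hashes plus one dummy X.509 entry,
# mirroring the mixed content of a real dbx. None of this is real data.
REVOKED_HASH = hashlib.sha256(b"constructed: old bootloader image A").digest()
OTHER_REVOKED = hashlib.sha256(b"constructed: old bootloader image B").digest()
CLEAN_HASH = hashlib.sha256(b"constructed: patched bootloader image").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [REVOKED_HASH, OTHER_REVOKED])
    + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82" + b"\x00" * 62])
)

if __name__ == "__main__":
    lists = parse_signature_lists(SAMPLE_DBX)
    print({str(k): len(v) for k, v in lists.items()})
    print("revoked:", is_revoked(REVOKED_HASH, SAMPLE_DBX), is_revoked(CLEAN_HASH, SAMPLE_DBX))
```

The parser refuses truncated or misaligned lists rather than guessing, and it keeps X.509 entries separate so a later check against certificate-based revocations can reuse the same walk. The order of operations from the note still applies: confirm the installed bootloader is not on the list you are about to apply, then update DBX.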

Read more in

Cyble: Virtual Network Computing Servers Exposed

Researchers at Cyble say they have detected thousands of Internet-facing virtual network computing (VNC) endpoints that do not require authentication. This is concerning because Cyble has also noted an increase in attacks targeting VNCs; between July 9 and August 9 of this year, they noted seven surges of scanning “for active services on the default VNC TCP port 5900.”

Note

  • VNC is very useful for remote controlling and accessing systems if done right. Exposing a password-less VNC to the Internet is much like when users connected PCAnywhere to a modem, except with a tool like Shodan it’s far easier to find. When setting up VNC, ensure a password is used and don’t expose the service directly to the Internet; use a VPN or other secure gateway. Make sure that the communication is over an encrypted channel to prevent both eavesdropping and MitM scenarios.

Read more in

Legislators Ask HHS Secretary for Healthcare Cybersecurity Briefing

Two US legislators have written a letter to the US Secretary of Health and Human Services (HHS) Xavier Becerra “requesting a briefing from [his] office on the status of efforts to strengthen the department’s capabilities as the SRMA and to operationalize collaboration with the organizations throughout the sector.” Former co-chairs of the Cyberspace Solarium Commission, and authors of the Sector Risk Management Agency (SRMA) legislation, Senator Angus King (I-Maine) and US Representative Mike Gallagher (R-Wisconsin) expressed concern “about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources.”

Note

  • One hopes this briefing provides enough information to support both legislation and funding to help improve overall healthcare cybersecurity, to include sharing of resources, incident and threat information needed to prepare and respond to the changing environment.

Read more in

Phishing Scheme Targets Healthcare Providers

The US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) says a phishing scheme is targeting healthcare providers in the hopes of stealing their account access credentials. The messages lead the recipient to a maliciously crafted Evernote webpage tailored to the recipient’s organization. The malicious webpage contains an HTML download that delivers a phishing Trojan.

Note

  • In phishing assessments, click rates are always above 0%. Orgs need technical controls to throw warnings, reduce damage, and alert security when someone does click. We also need users who are trained and comfortable coming to security immediately when they realize something’s gone wrong. This means no “three strike” rules!
  • The problem has been exacerbated by a high turnover of healthcare workers, to include many new workers; where the time to complete cybersecurity training has been (understandably) eclipsed by medical events of late. On the human side, make sure that your training requirements are intact, that you’re tracking completions as well as barriers to find alternate ways to deliver the needed training. From an IT perspective, make sure you’ve got services enabled to block and tag suspect emails. If using a quarantine, make sure that there is active tuning and monitoring of requests for retrieval to minimize impact of miscategorized messages.

Read more in

US July Healthcare Sector Breaches

In July 2022, the US Department of Health and Human Services office for Civil Rights (HHS OCR) added 60 breaches to its Cases Currently Under Investigation portal, bringing the total number of breaches posted so far this year to roughly 420. The breaches added in July affect a total of 2.5 million individuals. The three largest attacks reported last month all involved ransomware; in two of the three cases, the ransomware attacks involved providers or vendors.

Note

  • From 2007 to 2015 or so, retail breaches dominated the news, as Target, TJX, Hannaford, Home Depot and others had breaches that compromised close to 200 million retail customers. Retail had a complicated mix of IT and distributed point of sale/OT systems, and the processing of credit cards was a lucrative target. No coincidence that over that same period the Payment Card Industry Data Security Standards program evolved from PCI 1.0 to PCI 3.0. Healthcare has the same risk profile and an even more complex OT world, but the healthcare world has not had a “Healthcare Industry” kind of program with the power of the payment channel behind it. Without that, it really is time for government funding to healthcare to start being tied in some way to protection of health care data.
  • Healthcare data continues to be a big target as studies show it has a greater illicit market value than credit-cards or sensitive PII. Business parties are a big factor in these incidents. Make sure that your business partners are maintaining an appropriate security posture that requires both active (documented) agreement and continuous monitoring. Doubly so if they have a direct connection to your systems.
  • From retail, hospitality and card fraud to healthcare and ransomware; crime goes where the money is. EMV and PCI DSS have helped in reducing card fraud. We clearly need both new tech, convenient strong authentication, and new standards of due care, cybersecurity, in healthcare.

Read more in

Exploit Available for Critical VMware Privilege Escalation Vulnerability

A researcher who discovered two critical vulnerabilities in VMware Workspace ONE Access has released proof-of-concept exploit code for one of them. An attacker could exploit CVE-2022-31656 to gain admin privileges on the targeted device. VMware had already released a warning telling users to patch the issue as soon as possible, even before the PoC code was released. Security firm Imperva said it detected attempts to exploit the vulnerability after August 9, when the code went public.

Read more in

CISA Releases Cybersecurity Toolkit for Elections

The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Joint Cyber Defense Collaborative (JCDC), has published a guide for election systems cybersecurity. Designed to help US state and local election officials, the Cybersecurity Toolkit to Protect Elections includes a tool to assess risk profile as well as information about tools and services that can be used to help secure election infrastructure assets.

Note

  • While free toolkits are obviously lower in acquisition cost, they still require a level of cybersecurity skill to use for any purpose other than producing “fill the binder” documentation. For example, the first step in this process is to use the online Election Security Risk Profile Tool developed by CISA and the U.S. Election Assistance Commission. The bad news: it asks the filler-outer to estimate risk at the Confidentiality/Integrity/Availability level with slider bars. All too often in the US election system, the person filling out this form will have no idea of what the risk level is and may not even understand those terms. The good news: the slider bars show curves for how election experts assessed the CIA risk and (at least on my browser) the default risk estimates are fairly high and clicking through maintains those defaults. The CISA focus on free tools unfortunately perpetuates the myth that additional spending on staffing and training by state and local is not required for election security – both are badly needed.
  • When performing a self-assessment, one of the hardest parts is to be brutally honest about your current state, particularly if you’re not used to this. Here is a case where peer review can help you. The Election Survey Risk Profile tool is ten pages of questions, with your answers driving added questions. Once you have an honest assessment, then the real work begins of addressing issues. CISA is leveraging the NIST Cybersecurity Framework, so there are plenty of resources and expertise to help you succeed.
  • As the tool suggests, in order to be effective, much less efficient, security must be risk based. However, risk assessment requires knowledge, skill, ability, and experience. These are not likely to be found in many of the 8000 election jurisdictions. It is all too easy, indeed common, for the novice to confuse threat, vulnerability, or consequences for risk. An effective tool for such a population must provide a lot of guidance while being easy to use. It must not rest upon the ability of the user to do something that he is not equipped to do.

Read more in

Cisco Acknowledges Network Breach

Cisco has acknowledged that threat actors managed to gain access to its corporate network. The company learned of the compromise in late May 2022. The threat actors, a ransomware group known as Yanluowang, used a hacked Google account to gain access to a Cisco employee’s VPN client. Cisco said that the group was not successful in deploying ransomware on their network.

Note

  • This is another example of how complex attacks will be used to try to (and sometimes succeed in) bypassing multifactor authentication. Definitely read the Initial Vector section of the Talos report to see what the compromised user did wrong (multiple things) and look at your awareness training to see if you have this covered. Cisco has recently seemed to be in the news too often for vulnerabilities in their products (see ASA item in this Newsbites, for example) but over the years (going as far back as SQL Slammer in 2002) Cisco’s internal security has aggressively focused on maintaining the skills, processes and controls to reduce time to detect, respond, restore, etc.
  • Thanks to Cisco for sharing the details to allow us to learn from Cisco’s experience.
  • The higher we raise the bar on password-based authentication, the more we can expect users to use electronic means to store those credentials. Make sure that you have policy and training about storing and syncing company credentials using non-corporate mechanisms. At a minimum make sure that remote access requires MFA rather than reusable credentials. Ideally, all remote entry points, including endpoints, should require MFA.
  • All too often an error by a single employee results in the compromise of the entire enterprise but it need not be so. “Zero Trust” architectures, or even network segmentation, can make the enterprise tolerant of the inevitable user error.

Read more in

White House to Provide Critical Infrastructure Sectors with Cybersecurity Guidance

The White House wants to provide the water sector (and other critical infrastructure sectors) with cybersecurity guidance. It asked Congress months ago to codify the Environmental Protection Agency’s (EPA) authority to establish standards for the water sector. An administration official said “the EPA’s current safety and security authorities allow them to roll cybersecurity in,” and added that the EPA will likely issue the rule this summer. Anne Neuberger, deputy national security adviser for cyber and emerging technology, said last week “We need the Hill to ensure that those authorities are clear. There’s hesitancy by agencies to move without real Hill backing to do so.”

Read more in

Microsoft’s August Patch Tuesday Includes Fix for RCE Flaw in MSDT

Microsoft’s Patch Tuesday for August 2022 addresses more than 120 security issues in multiple products; 17 of the vulnerabilities are rated critical. The batch of issues addressed includes a fix for a zero-day remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

Note

  • The main issue with MSDT was the fact that it was directly exposed via Microsoft Office. This issue was fixed in an earlier update. However, the directory traversal/code execution issue remained. This has been fixed with this update.
  • While the number of issues seems large, 20 of these are Chromium-Edge and 32 are Azure Site Recovery. Also included in the patches are three critical Exchange server patches (CVE-2022-24477, CVE-2022-24516 and CVE-2022-21980) which need to be applied immediately. Fully fixing the issues requires enabling Windows Extended protection on Exchange Servers. Review the MS blog post on the Exchange Server Updates (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862) for more details. Revitalize your projects to move to hosted email servers wherever possible.

Read more in

Cloudflare Says They Thwarted a Phishing Scheme in July

Cloudflare says their organization was recently targeted by a phishing scheme similar to the one that hit Twilio last week. Twilio’s network was breached after employees received phishing emails claiming to be from the company’s IT department that led them to a phony Twilio sign-in page. Cloudflare said it experienced a similar attempted attack last month, but was able to thwart it because they use hardware-based MFA keys. The Cloudflare blog post offers “a rundown of exactly what [they] saw in order to help other companies recognize and mitigate this attack.”

Note

  • Sharing information lately practiced by Cloudflare, Cisco and Twilio is a great resource to learn and improve. One common theme lately is that targeted attacks are exploiting a disconnect in how some multi factor authentication systems work, and how users perceive them. You should update your user awareness training to include these abuse cases.
  • This is a great example of what phishing-resistant MFA means. With hardware MFA, in this case a FIDO2-compliant key with origin binding implemented, even with the captured credentials the attacker couldn’t get past the login prompt. That said, you need to make sure that your MFA is comprehensive; don’t exclude system administrators, VIPs, etc. Where using SSO, make sure that users have to strongly authenticate to the endpoint, and that the endpoint is trusted, genuine, and meets or exceeds your required security posture.
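Added example for the origin-binding point above (not Cloudflare’s code): the relying-party side of a WebAuthn assertion check, showing why a FIDO2 assertion relayed from a look-alike login page is useless. The browser, not the user, writes the page’s origin into clientDataJSON, and the authenticator signs over a hash of that JSON, so a proxy on a phishing domain cannot rewrite the origin without invalidating the signature (and a real key would not even produce an assertion for example.com from a different domain, because the RP ID must match). The code covers type, challenge, origin and the rpIdHash in authenticatorData; the signature check over authenticatorData || SHA-256(clientDataJSON), key lookup and counter tracking that complete verification are left out. Domains, challenge and authenticator data are constructed.

```python
"""Relying-party check of the parts of a WebAuthn assertion that make a
FIDO2 key phishing-resistant: type, challenge, origin and rpIdHash.

Constructed example; the signature verification step is omitted.
"""
import base64
import hashlib
import json
import struct
from typing import Tuple

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, rp_id: str,
                            expected_challenge: bytes) -> Tuple[bool, str]:
    """Verify that an assertion was produced for our origin, our RP ID and
    the challenge we issued. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one we issued"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & FLAG_UP:
        return False, "user presence flag not set"
    return True, "ok"


# Constructed relying-party parameters and a challenge we "issued"
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://sso.example.com"
CHALLENGE = hashlib.sha256(b"constructed per-login challenge").digest()

# authenticatorData as a key would emit it for our RP ID: rpIdHash,
# flags UP|UV, signCount 7 (big-endian)
AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest()
             + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 7))


def client_data(origin: str) -> bytes:
    """What a browser writes into clientDataJSON for the page at `origin`."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(CHALLENGE),
                       "origin": origin}).encode()


# Genuine login from the real site vs. the same user on a look-alike site
# whose proxy forwards our challenge and relays the assertion back to us.
LEGIT_CLIENT_DATA = client_data(EXPECTED_ORIGIN)
PHISHED_CLIENT_DATA = client_data("https://sso.example-com-login.test")

if __name__ == "__main__":
    for name, cd in (("legit", LEGIT_CLIENT_DATA), ("phished", PHISHED_CLIENT_DATA)):
        print(name, check_assertion_binding(cd, AUTH_DATA, EXPECTED_ORIGIN, RP_ID, CHALLENGE))
```

Contrast this with a TOTP or push code: nothing in that code says which site the user typed it into, so a relayed code works. Here the origin is part of what the key signs, and the server rejects anything not produced for its own origin.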

Read more in

Critical Flaws in Device42 Platform

Researchers from Bitdefender discovered multiple vulnerabilities in the Device42 Asset Management Platform that could be exploited to gain full root access to vulnerable systems. The flaws were found during a security assessment of the Device42 appliance, covering both the production instance and the staging instance. Bitdefender notified the vendor of the vulnerabilities on February 18, 2022. The flaws were patched on July 20, and the report and CVEs were released on August 10.

Note

  • Bitdefender gives kudos to the Device42 team for rapidly responding and working with them to make sure the issues are resolved. Make sure that your vulnerability disclosure team has a similar model, irrespective of the source reporting issues. Device42 version 18.01.00 addresses the four CVEs (CVE-2022-1399, CVE-2022-1400, CVE-2022-1401, and CVE-2022-1402). Given that Bitdefender has published their findings, it’s time to make sure that version was deployed.

Read more in

7-Eleven Denmark Hit with Ransomware

A ransomware attack caused 7-Eleven Denmark to shut down all 175 of its stores earlier this week. The attack prevented stores from using cash registers or accepting payments. Stores are gradually re-opening and are using alternate payment methods, such as cash or mobile payment systems. 7-Eleven Denmark acknowledged the attack in a statement on Facebook.

Note

  • While the attack took out the central payment systems, local stores were able to open by finding alternate solutions which worked locally. Make sure that your DR plan includes information on how to keep remote locations operating when central systems are offline. Consider not only the tactical immediate operational return, but also the long-term actions to reconcile information with those systems when they come back online.

Read more in

Fortinet: Older Microsoft Office Vulnerabilities are Still Being Exploited

Researchers from Fortinet say that threat actors are still exploiting a pair of known vulnerabilities in Microsoft Office that are five years old. The flaws, CVE-2017-0199 and CVE-2017-11882, are being exploited by a variant of the SmokeLoader malware.

Note

  • Make sure that users are staying on the current release of Office products, including subscription to (and application of) updates. Make sure you have written management support for minimum versions for users resistant to moving off treasured versions. Recovery from an incident related to running old versions quickly exceeds the cost of providing a license. Investigate Microsoft’s home use program to facilitate users being on current versions for their non-work systems.

Read more in

NHS Outage Due to Ransomware Attack on Vendor Network

A ransomware attack against a third-party vendor is responsible for an outage affecting the UK’s National Health Service (NHS). Managed service provider Advanced has released a FAQ document that provides information about which of its customer groups are affected and other details about the attack. Advanced says it could be three to four weeks before all the disruptions are mitigated.

Note

  • The service provider is rebuilding services with updated security practices, to include increased monitoring, EDR, and increased segmentation/isolation. If you’re going to rebuild everything, you may as well increase the security, and this may be the only time you get management support to fully implement those changes. Beware that you’re changing things and unknown interdependencies may add significant time to the recovery process as they are resolved. As a customer, be aware of your service provider’s security posture. While we’re used to making sure our data is isolated and protected, we also need to ensure that protections are in place to stop lateral movement, that all endpoints leverage EDR and are actively monitored, and that we have a clear understanding of their service restoration model and timeline.

Read more in

Black Hat: Cisco ASA Vulnerabilities

Researchers from Rapid7 discovered vulnerabilities affecting Cisco Adaptive Security Appliance software, Adaptive Security Device Manager (ASDM), Cisco ASA-X and FirePOWER Services Software for ASA. Rapid7 disclosed the vulnerabilities to Cisco in February and March of this year. Cisco has released advisories addressing most of the vulnerabilities.

Note

  • As the ASDM packages are not signed, use caution downloading to make sure you have legitimate copies, including the Java based launcher. It’s also not verifying SSL certificates, so use caution to avoid MitM scenarios. At this time there is no auto-update, so make sure that you’re checking periodically, and don’t expose your ASDM services to the Internet. The good news is there are fixes for most of the ASA and FirePOWER Services you can deploy.

Read more in

More than 120 vulnerabilities disclosed as part of Microsoft Patch Tuesday

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months. This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that’s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June. Two of the important vulnerabilities, CVE-2022-35743 and CVE-2022-34713, are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild, and Microsoft considers it “more likely” to be exploited. Read more: Microsoft Patch Tuesday for August 2022 — Snort rules and prominent vulnerabilities

Attackers take advantage of new “C2-as-a-service” platform

In early 2022, a new C2 platform called “Dark Utilities” was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform. Since its initial release, Cisco Talos researchers observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Read more: Attackers leveraging Dark Utilities “C2aaS” platform in malware campaigns

Critical Flaws in Cisco SMB Routers

On Wednesday, August 3, Cisco released a security advisory warning of multiple vulnerabilities in some of its small business routers. The flaws affect the company’s RV160, RV260, RV340, and RV345 Series Routers. Cisco has made updates available.

Note

  • It is Tuesday, so it must be time for more Cisco SMB router vulnerabilities. A quick search at nvd.nist.gov shows 7 critical vulnerabilities this year and 8 last year (and 25 total over the two years). I guess it is cheap enough for Cisco to push vulnerability discovery right and left.
  • The exploit comes from input which is not properly validated/sanitized. Update to the latest firmware, and make sure that the management interface is only available to authorized systems/users. While the CVSS scores are 8.3/10 (CVE-2022-20841) and 9/10 (CVE-2022-20827) – don’t expect this vulnerability to remain on the “not actively exploited” list for long.

Read more in

Open Redirect Flaws Used to Steal Account Credentials

Phishers are exploiting open redirect vulnerabilities in the Snapchat and American Express websites to steal Microsoft 365 and Google Workspace account credentials. An open redirect occurs when a site forwards visitors to a destination taken from user input without validating it. The attackers used personally identifiable information in the URLs to help generate malicious landing pages that were tailored to the user.

Note

  • Phishing is just the tip of the iceberg of open redirect issues. These flaws are often underestimated, and can be tricky to fix. But consider that if your site uses OAuth for authentication, open redirect flaws can be used in some cases to steal authentication tokens.
  • Snapchat was told of the vulnerability over a year ago and hasn’t fixed it. Imagine if Snapchat sold breakfast cereal that was found to be contaminated with rat poison – the boxes of Snapchat would have been off the shelves in weeks if not days. It really is time for regulatory consequences that cause business disruption, not just fines, to companies that know of vulnerabilities but don’t fix them.
  • The best penetration testers and bug bounty hunters can demonstrate the severity of flaws like open redirection in a way that shows the client how to be more secure – and motivates them to make that change.
  • Prevention/training can include cautioning users around URLs that contain “url=”, “redirect=”, “external-link” or “proxy” strings, but the better defense is for domain owners to limit redirection use and include things like redirection disclaimers (“You are leaving my site for this site, click here”).
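The two halves of the note above, limiting redirection on the server and spotting redirect-style parameters in links, as an added example that is not code from the article or from either site it names; the host names and the `/leaving` disclaimer path are constructed assumptions. The vulnerable handler is shown beside a hardened one that only honours site-relative paths or allow-listed https hosts, and a small detector flags links whose `url=`-style parameter points at a different host.

```python
from __future__ import annotations

from urllib.parse import parse_qsl, quote, urlparse

# Constructed configuration for this example: the site's own hosts, and external hosts it
# knowingly links out to (which still get the "you are leaving" interstitial).
OWN_HOSTS = {"www.example.com", "app.example.com"}
PARTNER_HOSTS = {"partner.example.org"}
DEFAULT_TARGET = "/"
# Parameter names the note above says to be wary of in phishing URLs.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "external-link", "proxy"}


def redirect_target_vulnerable(next_url: str) -> str:
    """The flaw as described: whatever arrives in the 'url=' parameter is sent back as Location."""
    return next_url


def redirect_target_safe(next_url: str) -> str:
    """Return a Location value that can only lead to this site or to an allow-listed https host."""
    if not next_url or any(ord(ch) < 0x20 or ch == "\\" for ch in next_url):
        return DEFAULT_TARGET  # control characters and backslashes invite header/parsing tricks
    parsed = urlparse(next_url)
    if parsed.scheme == "" and parsed.netloc == "":
        # A site-relative path. urlparse puts "//evil.test" into netloc, so it never lands here.
        return next_url if next_url.startswith("/") else DEFAULT_TARGET
    try:
        port = parsed.port
    except ValueError:
        return DEFAULT_TARGET
    host = (parsed.hostname or "").lower()
    # Reject javascript:/data:/http: schemes, userinfo tricks ("https://www.example.com@evil.test")
    # and non-standard ports before looking at the host at all.
    if parsed.scheme != "https" or parsed.username is not None or port not in (None, 443):
        return DEFAULT_TARGET
    if host in OWN_HOSTS:
        return next_url
    if host in PARTNER_HOSTS:
        # Known external destination: route through a disclaimer page instead of redirecting blindly.
        return "/leaving?to=" + quote(next_url, safe="")
    return DEFAULT_TARGET  # includes look-alikes such as www.example.com.evil.test


def flag_redirect_params(url: str) -> list[tuple[str, str]]:
    """Detection side: list (parameter, destination host) pairs where a redirect-style query
    parameter of a link carries an absolute URL to a host other than the link's own host."""
    parsed = urlparse(url)
    link_host = (parsed.hostname or "").lower()
    hits = []
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        if key.lower() not in REDIRECT_PARAMS:
            continue
        inner = urlparse(value)
        inner_host = (inner.hostname or "").lower()
        if inner.scheme in ("http", "https") and inner_host and inner_host != link_host:
            hits.append((key, inner_host))
    return hits


if __name__ == "__main__":
    for candidate in ["/account", "//evil.test/x", "https://www.example.com@evil.test/",
                      "https://www.example.com.evil.test/login", "https://partner.example.org/doc"]:
        print(f"{candidate:45s} -> {redirect_target_safe(candidate)}")
    print(flag_redirect_params("https://trusted.example.net/link?url=https://m365-login.evil.test/"))
```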

Read more in

GitHub Seeks Comments on Plan to Improve npm Security with Code Signing

GitHub has opened a request for comments on its plan to bolster npm security with code signing. The move follows other efforts to improve npm security, including two-factor authentication, streamlined login, and enhanced artifact signing.

Note

  • Sigstore is a very cool effort, supported by OpenSSF, Google, Cisco, Red Hat, VMware and others. Kubernetes adopting sigstore/code signing in May 2022 has really picked up adoption. But, the signing of code really isn’t what increases security – *verifying* the signatures and not using unsigned or invalid/expired code is the harder required part. Processes for using open source software need to be updated.
  • Code signing is a good idea, and you need to understand what the level of assurance is behind the signature on the code. Having a reliable issuance process and disallowing self-signed as well as enforcing scope – what projects they can and cannot sign code for is a step in the right direction.

Read more in

Plan to Have Sanitation Inspectors Assess Water Utility Cybersecurity is Met with Skepticism

Industry groups and cybersecurity experts have a lot to say about the White House’s plan to have the Environmental Protection Agency (EPA) delegate cybersecurity oversight to local sanitation inspectors. The US water sector currently has no minimum cybersecurity standards. Industry groups say the approach needs to be more granular to meet the cybersecurity needs of different utilities. The American Water Works Association (AWWA) says the EPA did not engage the organization in its decisions, and noted that sanitation reviews are largely visual, checking that equipment is operating effectively. Cybersecurity experts have expressed concerns about state sanitation inspectors not being trained to conduct cybersecurity audits. Dragos CEO Rob Lee also pointed out that the underlying issue is how to pay for necessary water utility cybersecurity changes.

Note

  • It is easy to criticize thinking local water system inspectors could effectively perform cybersecurity audits, but the real issue is the lack of defined standards for required cybersecurity levels for the various levels of water utilities in the US – no auditor can audit without something against which to audit. By the way, Deputy National Security Advisor Anne Neuberger is quoted as saying the EPA is well equipped to make sure cybersecurity is “holistically” considered. Whenever I hear one of the “H” words (holistic and heuristic) used by a vendor or government official (the two that tend to use those terms the most) I automatically replace the former with “imaginary” and the latter with “undocumented.”
  • Clearly defined standards and requirements must be in place before you can effectively assess the cybersecurity. Otherwise, you’re going to have inconsistent results. The selection of Sanitation Inspectors reflects their ability to subjectively inspect and audit against a known set of standards; it is not clear they are going to have the level of familiarity required to audit against cybersecurity requirements.
  • Cybersecurity evaluation, audit, is not an ancillary duty nor a job for amateurs. Such efforts will not enable any conclusions about the security of an enterprise. However, in this industry a very short checklist, suitable for use by any literate person, may enable the early identification and mitigation of dangerous omissions.

Read more in

HHS Suggestions for Healthcare Sector IoT Cybersecurity

The US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3) has published an analyst note providing healthcare organizations with information to improve IoT security. The note suggests limiting attack surface using network segmentation. It also describes common IoT attacks and lists steps to take to minimize the risk posed by IoT devices. HHS has also published a threat brief about web application attacks in healthcare.

Note

  • Healthcare continues to be a target, particularly their IT/OT systems. The guidance is familiar and appropriate for networked IT/OT components (segmentation – only authorized users/devices, use MFA, keep updated/patched, and monitor.) Don’t forget about embedded devices, such as pacemakers, which have wireless communication and require you to work with the provider to ensure you either have security best practices implemented or disable the interface.
  • Anyone who’s worked cybersecurity in healthcare knows this is partly a philosophical struggle along the CIA triad. To those of you in cybersecurity making patient health information access secure, immediate, and highly available, thank you! Yours is some of the hardest and most important work going on.
  • In perhaps no other industry is process-to-process isolation more necessary than in healthcare. Isolating appliances may be a useful first step but a zero-trust architecture should be the goal.

Read more in

Slack Resets Some Users’ Passwords

Last week, Slack sent some workspace users emails requesting that they reset their passwords. The issue lay in a bug that exposed hashed versions of users’ passwords when they created or revoked a Shared Invite Link for their workspace. The issue affected all users who created or revoked such links between April 17, 2017, and July 17, 2022. Slack has fixed the bug.

Note

  • Slack leaked salted hashes of passwords, not passwords themselves. But yet another reason to first of all use long and random passwords to make offline brute forcing more difficult, and of course always use a different password for different services. In this case, the four emails I received from Slack about being affected by the leaks are non-events.
  • Slack estimates this impacted about 0.5% of users. Apparently, the shared invite link included the hashed value of the sender’s password. Slack has not revealed which hashing algorithm was used and sent communication to those impacted users directing them to change their passwords. It’s not a bad idea to go through and update your Slack passwords, as well as checking to make sure you’re keeping your desktop client updated.
  • Slack offers its users a two-factor authentication option. The key word is “option.” All users of Software as a service (SaaS), indeed any cloud service, should expect and use strong authentication.

Read more in

Spear Phishing Operation Targeted Industrial Plants and Government Agencies

Researchers from Kaspersky said that an advanced persistent threat (APT) group with ties to China’s government used six separate backdoors to infiltrate networks at industrial plants, research organizations, and government agencies and ministries in Belarus, Ukraine, Russia, and Afghanistan. The attackers gained initial access to the systems with spear phishing emails.

Note

  • Make sure you’re looking at both sides of this equation: making sure the users have the training and tools to spot and report phishing emails, as well as making sure that you’re securing your systems, particularly critical systems, whether OT or IT. You know the drill: keep them updated, only allow authorized devices and user access, enable MFA where possible, monitor for irregular behavior. On the monitoring front, where OT systems have proprietary protocols, some network analyzers now understand these and can alert on unexpected traffic. Use caution with active response solutions on OT networks.
  • It is unlikely that any technique will ever wholly protect against human error but strong authentication will certainly help here. Once an enterprise network is compromised it is almost impossible to completely trust it again. Backdoors are easy to install and very difficult to find and eliminate.

Read more in

Emergency Warning Takeover

The US’s FEMA has warned that there are serious vulnerabilities in the country’s emergency broadcast system that can allow an attacker to send emergency messages without authorization. A researcher named Ken Pyle with CBIR.com found the issue, and he’ll be showing a PoC at DEFCON this weekend. Read more: “Huge flaw” threatens US emergency alert system, DHS researcher warns

Slack Resets Passwords

Slack notified a small number of users that it had to reset their passwords after a security researcher found a bug that was including salted password hashes in invitation links. Read more: Slack resets passwords after exposing hashes in invitation links

Chinese Cobalt Strike

There’s a new Chinese offensive framework called Manjusaka that’s like a Chinese version of Cobalt Strike. It’s written in Rust and targets Windows and Linux. It includes a C2 component written in GoLang. Read more: Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Twitter Confirms Zero-Day

Twitter has confirmed that a now-patched zero-day flaw allowed an attacker to link emails to Twitter accounts, which is something you’re not supposed to be able to do. This resulted in the de-anonymizing of 5.4 million Twitter accounts by submitting an email, getting back the Twitter account ID, and then scraping the account for info. Read more: Twitter confirms zero-day used to expose data of 5.4 million accounts

Microsoft ASM

Microsoft has entered the Attack Surface Management space with a new tool called Microsoft Defender Attack Surface Management. It sports a real-time inventory, attack surface visibility, exposure detection and prioritization. Read more: Microsoft announces new external attack surface audit tool

Major Solana Hack

There was a major Solana hack last week that drained millions from over 9,000 hot wallets. The issue turned out to be due to a closed-source wallet called Slope, which was using a third-party logging service called Sentry that was sending seed phrases to a centralized server unencrypted. Read more: Solana’s $6M Exploit Likely Tied to Slope Wallet, Developers Say

US Takes Out al-Zawahiri With Ninja Bomb

The US didn’t use explosives in the drone strike that killed al-Zawahiri. They reportedly used what’s called a “flying Ginsu” missile (the Hellfire R9X), which deploys six retractable blades to do its damage. Read more: CIA Likely Used ‘Ninja Bomb’ to Kill Terrorist Leader Ayman al-Zawahiri

Taiwan Reports DDoS Attack After Pelosi Visit

Taiwan’s Ministry of Defense reported that its systems were targeted by a distributed denial-of-service (DDoS) attack earlier this week, shortly after US Speaker of the House Nancy Pelosi visited. Earlier in the week, the country’s presidential website reported a DDoS attack as well.

Note

  • The scale of these attacks, and their targets, point to hacktivists. It looked like recovery was swift, and I doubt it significantly affected operations at these organizations. But remember that DDoS attacks can also be used as a smoke screen to cover more sophisticated attacks.
  • The Anonymous group jumped into the mix, retaliating for the attacks and taking credit for hacking into the government website of China’s Heilongjiang Society Scientific Community Federation. The hacked site was taken down but lives on in the Internet Archive. The point is that beyond being prepared for DDoS attacks, you also need to watch for sympathetic actions, possibly retaliating on your behalf, resulting in unplanned escalation of tensions.

Read more in

Post-Quantum Encryption Algorithm Candidate Broken

Researchers have found a way to break one of the post-quantum encryption algorithm candidates chosen by the US National Institute of Standards and Technology (NIST) as a potential replacement for encryption algorithms currently in use. Using a single-core PC, researchers from the Computer Security and Industrial Cryptography group at KU Leuven broke the algorithm, known as Supersingular Isogeny Key Encapsulation, or SIKE, in one hour.

Note

  • This is exactly why we need to look for new encryption standards long before they are actually needed. The NIST process is slow and deliberate. It does allow for sufficient time and it does give these proposed standards exposure to encourage review.
  • Three of the new schemes rely on new, less understood assumptions, which could really raise the bar, or be subject to an old-school attack not accounted for. Now is the time to find issues with the new candidates, not after we’ve moved to them. I give a lot of credit to all the candidates who effectively signed up for a multi-round, public, murder board. Once the process completes, vendors will need time to both produce products which implement them, and come up with best practices so you can then discuss moving to Post-Quantum Encryption effectively.

Read more in

VMware: Patch Critical Authentication Bypass Flaw

On Tuesday, August 2, VMware released an advisory that includes fixes for 10 vulnerabilities that affect its VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager products. The most serious of the flaws is a remote authentication bypass issue that affects local domain users.

Note

  • I hope I do not need to remind anybody to not expose these systems to the open internet. This isn’t the first critical VMWare flaw this year.
  • Take a deep breath, grab your coffee, and scan the VMware advisory page for your specific product to find actions needed. It includes a table of criticality, CVEs and links to KB articles for each. While not actively exploited, the criticality should be used as an indicator of how likely that is to change. There is only one workaround listed, for one out of all of these issues; frankly, plan to patch all the affected products.

Read more in

CISA and ACSC: Top Malware Strains of 2021

In a joint alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) provide overviews of the top malware strains of 2021. The majority of the top malware strains – Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader – have been around as one variant or another for at least five years.

Note

  • The top strains include RATs, banking Trojans, information stealers and ransomware. If the names Tesla, Formbook, AZORult, LokiBot, etc. aren’t well known to you, read the CISA bulletin to learn about them. The mitigations remain the same: implement (comprehensive) MFA, keep systems patched and updated, don’t expose RDP to the internet, have good (offline) backups and train users. When I say comprehensive MFA, I mean don’t skip any externally facing services, and don’t exclude any users from having to use it.

Read more in

FEMA: Critical Vulnerabilities in Emergency Alert System Devices

The US Department of Homeland Security’s (DHS’s) Federal Emergency Management Agency (FEMA) has issued a bulletin warning of critical vulnerabilities in Emergency Alert System (EAS) devices. The flaws in the encoder/decoder devices could be exploited to send phony emergency alerts on radio and television. FEMA is urging all EAS system participants to ensure their devices are running the most recent software versions and have their patches up to date; are protected by a firewall; and that audit logs are reviewed regularly to check for unauthorized access.

Note

  • The vulnerability is now public knowledge, which means participants have to patch PDQ. Some of the Monroe Electronics components of the system had flaws which couldn’t be patched previously due to a lack of updates for the last few years. Ken Pyle, who discovered those flaws, will be presenting more information at the DEFCON 30 IoT village.
  • An instance where false positives are more tolerable than false negatives, short of being so frequent as to destroy trust in true positives.

Read more in

DoJ Using Paper for Sensitive Documents

The US Department of Justice says it has been filing sensitive court documents on paper rather than electronically since January 2021. In an interview with Cyberscoop, Deputy Assistant Attorney General for National Security Adam Hickey said, “Convenience is great, but security in any internet connected system is going to be different from what it would be on paper.”

Note

  • Sensitive OT devices are often (wisely!) disconnected from the internet; it’s probably a good idea to isolate the most sensitive documents too. Putting them on paper makes them much less accessible by foreign adversaries!
  • The downside of paperless is that you need to make sure the protections are appropriate for your most sensitive paper-based processes. When assessing the process, think of how we handled paper. While we are familiar with locked filing cabinets, offices and storage rooms, you still have transport concerns, and even registered mail can get waylaid. Even so, the risks of the old processes may be lower than the online process for certain use cases. Document gaps and make deliberate decisions to accept the risk or require alternate processes in those scenarios.

Read more in

House Bill Would Reauthorize NCFI

A bipartisan bill in the US Senate would reauthorize the National Computer Forensics Institute. It would extend funding through 2028. The NCFI’s mission is to “train state and local law enforcement, judges and prosecutors in digital evidence, network intrusion, and computer/mobile device forensic issues.” The House passed a companion bill last month.

Note

The course is conducted through the local US Secret Service field office and is available to active full-time employees (law enforcement, judges and prosecutors) of a state or local government agency. If you fit into one of those categories, this should be a great opportunity to hone your skills around digital evidence, network intrusion, and computer/mobile device forensic issues.

Read more in

Cyberattack Hits Association of German Chambers of Industry and Commerce

A cyberattack against the Association of German Chambers of Industry and Commerce (DIHK) prompted the organization to shut down its IT systems. According to a statement on the DIHK website, the shutdown was “a precautionary measure for security reasons. We are currently working intensively on a solution and defense. After being checked, the IT systems are successively started up so that the services for companies are then available again.”

Note

Translation – we don’t know the scope of the attack; turn it all off, check everything, only enabling known-good services. This is a tough call, particularly with 79 chambers and over three million members who use their services. They are using the DIHK web site and LinkedIn to post updates. Are you prepared to communicate in a similar situation? Make the call? And do you have multiple communication paths for users and partners?

Read more in

SolarWinds CISO on Lessons Learned from Sunburst

SolarWinds CISO Tim Brown led the incident response to the Sunburst attack, which exploited a supply chain vulnerability in Orion, a SolarWinds IT performance monitoring system. The incident prompted SolarWinds to establish a new software development process that includes addressing security early on. Brown sees the event as a valuable learning experience, and not just for SolarWinds. CISOs at other companies have been able to get more funding from boards, and it has prompted government to adopt new software procurement practices and move forward with plans to secure the software supply chain.

Note

  • Don’t get caught up in buzzwords and new shiny terms. Make sure that you’re using secure practices with software you’re producing, paying attention to internet-sourced components, and make sure software installed is the genuine product from your vendor, with sufficient regression testing prior to production deployment. Make sure that you’re watching your threat feeds for software and services you use so you can follow up on possible areas of concern. After that, rely on your existing processes for detection and monitoring of malfeasance.

Read more in

US Financial Companies Fined for Failing to Provide Adequate Cybersecurity

The US Securities and Exchange Commission (SEC) has fined US financial companies JP Morgan Chase & Co and Trade Station for “deficient customer identity programs.” In addition, the Consumer Financial Protection Bureau fined US Bancorp for opening unauthorized accounts. The fines for the three companies totaled $3.5 million.

Note

  • The SEC has a red flags rule, which requires financial institutions and some “creditors” to conduct a risk assessment to determine if they have covered (in scope) accounts. If so, they are required to implement a program for the relevant red flags to protect those accounts from identity theft. If you are a FI or creditor, review the rule to make sure that your risk-assessment meets the current criteria there, and address any shortcomings post-haste.
  • It is not clear from the report cited below whether this punishment is more about IAM or the traditional requirement that banks know their customer, authentication, or new account.

Read more in

New Manjusaka toolkit used in attacks in Asia

Cisco Talos recently discovered a new attack framework called “Manjusaka” being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. Talos recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. Read more: Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

TCL LinkHub Mesh Wi-Fi system contains 17 vulnerabilities

The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. What makes the LinkHub system unique is the lack of a network interface to manage the devices individually or in the mesh. Instead, a phone application is the only method to interact with these devices. However, this setup leaves the LinkHub Mesh Wi-Fi system open to several vulnerabilities, which we are disclosing today. An attacker could exploit these vulnerabilities to carry out a variety of malicious actions, including injecting code at the operating system level, stealing credentials and causing a denial of service of the entire network. During Talos’ research into this product, 17 different vulnerability reports were generated. These reports group together similar CVEs into reports that are sent to vendors, and in this case are a grouping of 41 unique CVEs. Read more: Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities

Apps Expose Twitter API Keys

More than 3,200 apps are exposing Twitter API keys publicly. Researchers from the cybersecurity firm CloudSEK “discovered that 3207 apps were leaking valid Consumer Key and Consumer Secret.” Bad actors with access to these keys could perform actions as the account owners. CloudSEK recommends that developers use API key rotation.

Note

  • There is nothing you can do to protect credentials once you send them to the user. If you would like the user to interact with Twitter using your application, use the user’s credentials, not yours.
  • Review source code to make sure that hard-coded API keys are not included. When stored, make sure they are not in plaintext. Consider using the mobile device secure storage for API keys versus storing them in configuration files.

Read more in

CISA Adds Atlassian Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the Atlassian Questions for Confluence hard-coded credentials vulnerability (CVE-2022-26138) to its Known Exploited Vulnerabilities catalog. Atlassian has released updates (2.7.38 and 3.0.5) to address the flaw, which is being actively exploited. Federal agencies have until August 19 to mitigate the vulnerability.

Note

  • Exploiting the flaw is trivial and we have seen a number of attempts against honeypots. Treat exposed unpatched systems as compromised.
  • The motivator here is that this is being actively exploited, which you may need to leverage if you’re not getting support to update to the patched version. Agencies are likely already being asked to report out on remediating the Atlassian flaws, expect this to fold into your regular BOD-22-01 reporting.

Austrian Government Investigating Alleged Spyware Company

Authorities in Austria are investigating a company in that country that allegedly makes spyware to be used for targeting law firms, banks, and consultancies. The spyware has been used to target organizations in at least three countries. News of the investigation follows close on the heels of a report from Microsoft’s Threat Intelligence Center that included information about malware known as Subzero that was allegedly developed by a company based in Vienna, Austria.

Note

  • In the 1980s I worked for the US Secret Service designing surveillance equipment used in counterfeiting investigations. Back then there were companies that pretended to sell anti-surveillance equipment to law enforcement (who, of course, didn’t need it) but really sold to criminals. We had to build in “anti-anti-surveillance” capabilities because in an open society it is hard to make dual use technologies illegal, as we’ve seen with social networks in recent times. Seems like in this case (DSIRF selling spyware that exploited a (now patched) vulnerability) existing laws could be used against the companies doing this.
  • Back in January, Xavier Mertens wrote up a malicious Excel file that matches the type of malware used by this company. See isc.sans.edu/diary: Mixed VBA & Excel4 Macro In a Targeted Excel Sheet
  • The company accused of developing the Subzero spyware is DSIRF (tracked by Microsoft as KNOTWEED). The malware spreads multiple ways including exploiting zero-day vulnerabilities in Windows and Acrobat Reader. Microsoft’s advisory allowed the company to be linked to the sale of the software for unauthorized surveillance. Microsoft announced that Defender Antivirus, signature build 1.371.503.0, detects KNOTWEED and released a patch for the zero-day (CVE-2022-22047) in their July 12 patch release.

US Court System Breach

At a hearing of the US House Committee on the Judiciary last week, committee chair Jerrold Nadler said the US federal judicial court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.” The breach was conducted by three foreign state-sponsored threat actors.

Note

  • Not much info on this one, but odds are high it was yet another failure of basic security hygiene and really not all that sophisticated of an attack.
  • This is a breach from 2020 which is only just now coming to light. Even now, the concerns are of eradication and preventing recurrence. While not disclosed, at this point scope should be very well known so recovery actions can complete. The lesson here is to have a disclosure timeline that you manage, as opposed to learning your breach was announced by a third-party at a venue you’ve not granted permission for the disclosure.
  • The lesson for the rest of us is that “data at rest” for an indefinite period should be encrypted.

Akamai Mitigated Largest Ever DDoS Against a European Company

Akamai thwarted the largest distributed denial-of-service (DDoS) attack ever faced by a European customer. The unnamed organization was targeted by DDoS attacks over a 30-day period earlier this summer. The attack peaked at 659.6 million packets per second (Mpps) and 853.7 gigabits per second (Gbps) over 14 hours on July 21.

Note

  • I’d like to see the newly formed DHS CISA Cyber Safety Review Board look at this or any of the other recent “largest ever DDoS” attacks and determine why ISPs couldn’t detect much/most of this attack and apply filtering at the source’s connection to their services. If the water companies were delivering sewage to businesses and government agencies, we would not expect to see companies paying to filter it out on the receiving end.
  • Companies like Akamai, Microsoft and Cloudflare will continue to raise the bar on their DDoS protection capabilities, which deserves kudos. Seems like we’re continuing to hear about mitigating “the largest attack ever.” I think the better question is what can your ISP and CDN do for you to mitigate these attacks and have you signed up for that service. If they have free and paid services, fully understand the difference so you can make an informed choice.

Tennessee Valley Authority IG Audit Report on EDR

The Tennessee Valley Authority Office of the Inspector General has published the results of an audit they conducted “to determine the effectiveness of endpoint protection on TVA desktops and laptops.” The White House’s Federal zero-trust architecture strategy includes deploying endpoint detection and response (EDR) technology that meets technical requirements set by the Cybersecurity and Infrastructure Security Agency (CISA). While the TVA IG’s audit found aspects “of TVA’s endpoint protection program to be generally effective,” the report found some gaps in TVA’s policy, procedures, and internal controls and notes that TVA does not require endpoint protection for all network connections.

Note

  • Independent of Zero Trust, our hybrid work model drives the need for both effective EDR and remote connections to services. Configure your VPN to conduct a posture check against minimum standards prior to allowing the connection, to include enabled/current EDR. Make sure that your EDR is indeed that, not just an anti-malware tool, and that you’ve enabled protections as well as centralized the logging from your endpoints. Make sure that updates, configuration management and logging work irrespective of the VPN. As you move into “vpnless” services make sure that appropriate posture checks are made before connections are made, and the control point is as close to the target service as possible to prevent bypass.

Proposed Legislation Addresses Federal Data Center Resilience

A bill introduced in the US Senate would direct the Office of Management and Budget (OMB) to establish requirements to protect federal data centers. The Federal Data Center Enhancement Act of 2022 addresses both cybersecurity and physical security, aiming to improve the centers’ resilience against cyberattacks, terrorist attacks, and natural disasters.

Note

  • It is hard to be against any action to improve government data center security, but after the terrorist attacks against the US on September 11 2001 and the impact of Hurricane Katrina in 2005 I think we saw similar legislation, though without the new “resilience” buzzword. I’d like to see reviews of both gaps and best practices in federal data center protection happen before more layers of security requirements are issued.
  • I’m not so sure we need information on how to harden a data center. Information for building or retrofitting data centers with different tiers is well known, and we already have controls intended to verify the basics. The bigger problem is to ensure that services are in a data center commensurate with their C-I-A levels. This means you need to find out what service level your data center is built to, then make sure that your applications are not expecting a higher level. Don’t forget about geographic diversity. With the administration directive to cloud adoption, many service providers already have solutions to get your C-I-A levels without you having to physically build anything. You also have the flexibility to select application specific options, rather than having to build your facility to the highest common denominator.

Australian Man Charged for Creating and Distributing RAT

Australian authorities have charged an individual for allegedly creating and selling spyware for criminal use. Jacob Wayne John Keen allegedly created a remote access trojan (RAT) and sold it to more than 14,500 people in 128 countries between 2012 and 2019. Keen faces six counts that carry a maximum sentence of 20 years in prison.

Note

  • The spyware, named Imminent Monitor, was allegedly created by Keen when he was 15 and he administered it from 2013 until its shutdown in 2019. The RAT, which is distributed via email and text messages, included keystroke monitors, recording from webcams and/or microphones, hidden RDP access and even a cryptocurrency miner. The miner is not a typical RAT function. Imminent Monitor sold for AUD $35.

Confluence servers under attack due to hardcoded password

Confluence server owners are advised to update their installations, as news emerged last week of active exploitation attempts against a vulnerability the company patched in one of its most popular products.

According to Atlassian, the vulnerability (CVE-2022-26138) is a hardcoded password in Questions for Confluence, an app that can be installed on Confluence Server and Data Center on-premise instances to allow employees to ask questions and receive answers from a company’s various internal departments.

While Atlassian released a patch that disables this built-in hardcoded account on July 20, Confluence server owners did not get that much of a time window to install fixes, as the username and credentials for this account were published on Twitter a day later by an “annoyed researcher.”

As things usually tend to go in Infosecland, it did not take long before these details were put to “good use,” and cybersecurity firms GreyNoise and Rapid7 reported seeing ongoing exploitation of this vulnerability less than a week after the patch was released.

Since Confluence on-premise servers are broadly used in corporate and government environments, the US Cybersecurity and Infrastructure Security Agency (CISA) has also urged Confluence server owners to check and see if the vulnerable app had been installed on their servers and then install the patches.

Atlassian warned that disabling the app won’t fix the issue, and server owners must either install the security fixes or manually disable the hardcoded account created by the Questions for Confluence app.

News of this issue being exploited in the wild comes after threat actors, including ransomware gangs, exploited another Confluence bug (CVE-2022-26134) a month earlier, and many more other vulnerabilities before that.
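For both the CISA KEV item above and this section, the check a practitioner wants is not “is the app installed?” but “does the account still exist, and what can it read?”, since Atlassian warns that uninstalling the app does not remove the account. The following is an added example, not Atlassian’s tooling or code from the page. It assumes the account and group names given in Atlassian’s advisory for CVE-2022-26138 (disabledsystemuser in confluence-users), the Confluence Server REST endpoints /rest/api/user and /rest/api/user/memberof, and a hypothetical base URL and admin credential of your own; the JSON responses embedded below are constructed to match the shape of those endpoints so the assessment logic runs offline.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Account and group named in Atlassian's advisory for CVE-2022-26138
# (Questions for Confluence). Assumption: these are the only artefacts the
# vulnerable app versions leave behind.
HARDCODED_USER = "disabledsystemuser"
RISKY_GROUP = "confluence-users"


def _get_json(base_url: str, path: str, auth: str) -> Optional[dict]:
    """GET a Confluence Server REST resource with HTTP basic auth; None on 404."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": "Basic " + auth,
                                          "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:          # Confluence answers 404 for an unknown username
            return None
        raise


def assess(user_json: Optional[dict], memberof_json: Optional[dict]) -> Dict[str, object]:
    """Decide whether the hard-coded account still exists and what it can reach."""
    present = bool(user_json) and user_json.get("type") == "known"
    groups: List[str] = []
    if present and memberof_json:
        groups = [g["name"] for g in memberof_json.get("results", [])
                  if g.get("type") == "group"]
    return {
        "present": present,
        "groups": groups,
        # Membership in confluence-users is what turns a stray account into
        # read access to every page that group can see.
        "exposed": present and RISKY_GROUP in groups,
    }


def check_instance(base_url: str, username: str, password: str) -> Dict[str, object]:
    """Live check against one instance (hypothetical host; use your own admin credential)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    user = _get_json(base_url, f"/rest/api/user?username={HARDCODED_USER}", auth)
    member = None
    if user:
        member = _get_json(base_url, f"/rest/api/user/memberof?username={HARDCODED_USER}", auth)
    return assess(user, member)


# Constructed responses shaped like the Confluence Server REST API, for offline use.
SAMPLE_USER_KNOWN = {"type": "known", "username": HARDCODED_USER,
                     "displayName": "disabledsystemuser"}
SAMPLE_MEMBEROF = {"results": [{"type": "group", "name": "confluence-users"}],
                   "start": 0, "limit": 200, "size": 1}

if __name__ == "__main__":
    print(assess(SAMPLE_USER_KNOWN, SAMPLE_MEMBEROF))
    # print(check_instance("https://confluence.example.internal", "admin", "..."))
```

A result with "exposed": True after the app has been removed means the account survived the uninstall and still needs to be disabled or deleted; a 404 from the user lookup is the clean state. Pair this with a search of the access logs for authentication events by that username to decide whether the server should be treated as compromised, as the note above suggests for exposed, unpatched hosts.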

Proxy service hack

The operators of the 911[.]re proxy network said they are shutting down in the aftermath of a data breach that destroyed key components of its business operation, Brian Krebs reported. The shutdown comes days after Krebs published an in-depth look at the shady service earlier this month.

Russian Postal Service leak

Hackers published last week a data trove they claim to have stolen from the official Russian Postal Service. The data contains more than 10 million data points about past shipments. This includes sender and recipient names, addresses, and shipment details. In a statement to local media, Pochta denied the breach and said the hackers obtained the data from a third-party contractor. Russian delivery services have been at the center of several data leaks since Russia’s invasion of Ukraine. Past leaks include Yandex Food, DeliveryClub, and CDEK.

OneTouchPoint breach

Marketing platform OneTouchPoint disclosed a security breach last week. The breach is the result of a ransomware attack that took place in April this year, and the company said that 34 healthcare organizations that used its platform had data compromised in the incident.

Another crypto hack

DeFi platform Nirvana lost roughly $3.5 million following a flash loan attack that took place last week. Just like any respectable DeFi platform, Nirvana is now begging the hacker on its knees to return the stolen funds in exchange for a “bug bounty” payment (wink-wink) of $300,000.

Creos pipeline attack

The operators of the AlphV ransomware claimed to have successfully attacked the Creos Luxembourg natural gas pipeline operator. The company previously disclosed a cybersecurity incident last week but did not specify if it was ransomware.

Breach costs passed to customers

An IBM report published last week has found that almost 60% of the surveyed companies will pass on the costs incurred and associated with a recent data breach downstream to their customers in the form of price hikes.

AdGuard VPN gets blocked in Russia

AdGuard, one of today’s largest ad-blocking companies, said that its ad-blocking and DNS privacy services are having issues for Russian users after Russian telecommunications watchdog Roskomnadzor blocked AdGuard VPN servers last week.

Regrettably, their methods were crude, and along with AdGuard VPN, the entire adguard.com domain became unavailable for Russian users. This led to multiple issues with AdGuard Ad Blocker and AdGuard DNS service.

Tor Android app banned again in Russia

A Russian court re-introduced a ban on the Tor Browser mobile app inside Russia’s borders. The Russian government initially ordered Google to remove the app from the official Play Store at the end of May, but the ban was reversed last week following a legal action citing a breach of procedures, only for the ban to be re-introduced days later.

Imminent Monitor RAT author finally charged

Australian authorities have finally charged the creator of the Imminent Monitor remote access trojan, almost three years after Europol cracked down on the operation. Jacob Wayne John Keen, 24, from Brisbane, was charged for creating the widely used hacking tool, along with his mother, 42, who authorities said profited from the proceeds of her son’s crimes.

Russian extortionist sentenced

Russian authorities have detained a suspect in the Kaluga region, near Moscow, on charges of breaking into users’ VK social media accounts, stealing private information, and threatening victims to release the data unless they pay a ransom demand.

SafeSound ransomware decrypted

Chinese security firm Rising released a free decryption utility for users impacted by the SafeSound ransomware.

New HiddenAds attacks

McAfee said it discovered 13 apps available on the Play Store that were infected with the HiddenAds adware. The apps were collectively downloaded more than 7.2 million times.

Investment scam network

Security firm Group-IB said it uncovered a network of more than 10,000 malicious sites that are likely being used in an investment scam scheme.

ENISA ransomware report

ENISA, the European Union Agency for Cybersecurity, has published a report analyzing more than 600 ransomware attacks that took place between May 2021 and June 2022. The report introduces the LEDS matrix (Lock, Encrypt, Delete, Steal) that maps ransomware capabilities based on the actions performed and assets targeted.

[Figure: Capabilities of current ransomware in terms of actions they perform and assets they target.]

DawDropper

Trend Micro has published a report on DawDropper, a new dropper-as-a-service (DaaS) for Android malware. This new service is advertised on the dark web and has already been seen inside infected apps on the official Google Play Store, where it has been used to push more advanced banking trojans to devices previously infected with the more innocuous DawDropper first-stage payload.

New rowhammer research

A team of academics and security researchers from AWS, Google, and others published new research last week detailing a new method of conducting rowhammer attacks on computer memory. The attack, named Half-Double [PDF], will be presented at the USENIX Security conference in the next few days and is also accompanied by PoC code. According to the research team, the Half-Double attack is “an escalation of [classic] Rowhammer [attacks] to rows beyond immediate neighbors,” with the research team inducing bit errors two rows away from the hammered rows rather than in the immediately adjacent row.

New cryptographic attack

Academics from Belgian university KU Leuven have published details about a cryptographic attack against the Supersingular Isogeny Diffie–Hellman (or SIDH) key exchange algorithm. The SIDH algorithm is an analog of the more well-known Diffie–Hellman algorithm that can be used to establish a secret key between two parties over insecure connections and was designed to resist attacks from quantum computers. According to the research team, their attack can recover keys within one hour. Mathematician Steven Galbraith has more on the topic, along with the following conclusion:

There is no doubt that this result will reduce confidence in isogenies. The sudden appearance of an attack this powerful shows that the field is not yet mature. The relatively recent attack by Ward Beullens on Rainbow has a similar impact on multivariate crypto. The correct response to this is not to attempt to minimise the impact, nor to reflexively declare the subject dead. Instead, we should keep our minds open and let the mathematicians work out the implications, wherever they lead.

Arris router vulnerabilities

Security researcher Derek Abdine published details on Friday on three vulnerabilities in the firmware of Arris routers and all derivative products. Abdine says that while two of the three vulnerabilities are “impractical to exploit,” the third is rated critical. The vulnerabilities impact Arris DSL routers, which are usually handed out by ISPs to their customers for at-home connectivity. Abdine says that at least 19,000 such devices can be easily discovered online.

New tool

Palo Alto Networks has open-sourced a Python library for the extraction of information from .NET Portable Executable (PE) malware files.
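To show what “extraction of information from .NET PE files” involves, here is an added example written independently for this page; it is not Palo Alto Networks’ library and does not reproduce its API. It locates the CLR runtime header through data directory 14 of the PE optional header, maps that RVA to a file offset via the section table, reads the IMAGE_COR20_HEADER (runtime version, ILONLY flag, metadata directory) and then the “BSJB” metadata root for the target runtime version string. The sample image it parses is constructed in memory for the example, is not a real binary and certainly not malware.

```python
import struct
from typing import Dict, List, Optional, Tuple

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot holding the CLR header
COMIMAGE_FLAGS_ILONLY = 0x1                  # IMAGE_COR20_HEADER.Flags: pure IL, no native code

# (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
Section = Tuple[int, int, int, int]


def _rva_to_offset(rva: int, sections: List[Section]) -> Optional[int]:
    """Map an RVA to a file offset via the section table (None if unmapped)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def parse_dotnet_pe(data: bytes) -> Dict[str, object]:
    """Extract CLR facts from a PE image: presence, runtime version, ILONLY, metadata version."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: 96-byte fixed part before the data directories
        count_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+: 112-byte fixed part
        count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    info: Dict[str, object] = {"machine": machine, "pe32plus": magic == 0x20B, "is_dotnet": False}
    if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return info               # too few directories to even hold a CLR entry
    clr_rva, clr_size = struct.unpack_from(
        "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if not clr_rva or not clr_size:
        return info
    sections: List[Section] = []
    sec_off = opt + opt_size      # the section table follows the optional header
    for i in range(nsections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    clr_off = _rva_to_offset(clr_rva, sections)
    if clr_off is None:
        return info               # directory points outside any section: malformed or packed
    _, major, minor, md_rva, md_size, flags = struct.unpack_from("<IHHIII", data, clr_off)
    info.update(is_dotnet=True, clr_header_rva=clr_rva,
                runtime_version="%d.%d" % (major, minor),
                il_only=bool(flags & COMIMAGE_FLAGS_ILONLY),
                metadata_rva=md_rva, metadata_size=md_size)
    md_off = _rva_to_offset(md_rva, sections)
    if md_off is not None and data[md_off:md_off + 4] == b"BSJB":
        vlen = struct.unpack_from("<I", data, md_off + 12)[0]      # Length of version string
        raw = data[md_off + 16:md_off + 16 + vlen]
        info["metadata_version"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return info


def build_sample_pe(with_clr: bool = True) -> bytes:
    """Construct a minimal PE32 image with one section and (optionally) a CLR header."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, one section, SizeOfOptionalHeader=224, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                 # NumberOfRvaAndSizes
    if with_clr:
        struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                         0x2008, 72)
    # .text section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", img, opt + 224, b".text", 0x200, 0x2000, 0x200, 0x200)
    # IMAGE_COR20_HEADER at RVA 0x2008 (file 0x208): cb, runtime 2.5, metadata dir, ILONLY
    struct.pack_into("<IHHIII", img, 0x208, 72, 2, 5, 0x2050, 0x40, COMIMAGE_FLAGS_ILONLY)
    # Metadata root at RVA 0x2050 (file 0x250): "BSJB", version 1.1, reserved, Length=12, string
    struct.pack_into("<4sHHII", img, 0x250, b"BSJB", 1, 1, 0, 12)
    img[0x260:0x26C] = b"v4.0.30319\0\0"
    return bytes(img)


if __name__ == "__main__":
    print(parse_dotnet_pe(build_sample_pe()))
    print(parse_dotnet_pe(build_sample_pe(with_clr=False)))
```

The same parse_dotnet_pe() can be pointed at a real file with open(path, "rb").read(); the two early returns (no CLR directory, or an RVA that maps to no section) are the cases packed or deliberately malformed samples tend to hit, which is why a triage script should report them rather than crash.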

SteelCon videos

Talks from the SteelCon 2022 security conference, which took place last week, are now available on YouTube.

TLS test suite

Academics from two German universities have launched a new TLS test suite to evaluate the RFC compliance of Transport Layer Security (TLS) libraries. The suite, named TLS-Anvil, will be presented in more detail at the USENIX Security conference in the coming weeks.
