Don’t Delay in Notifying Customers of an Incident; Check Late December PyTorch Versions In Use for Compromise; Obtain Security Improvement Assurances from Okta, LastPass and Other Password Manager/SSO Vendors

In this case, the reporting requirement seems to be 60 days so Lake Charles is compliant, but waiting that amount of time to notify impacted customers is the issue. Reports say Lake Charles refused to pay the ransom demand, so allow some time for negotiations. But customers should have been notified faster. Lesson to learn is to have the breach response process in place and tested long before an event.

John Pescatore

That is a long time for customer notification. While it's tempting to hold off making notifications until you're 100% certain, you need to put a cap of (at most) a couple of weeks to keep your customers comfortable. More transparency is expected. Make sure that you're able to provide information and updates as you move along, not holding back until you have absolutely every detail nailed down.

Lee Neely

Many criticize mandatory reporting requirements introduced by regulations such as the EU General Data Protection Regulation (GDPR). However, delayed reporting can have serious impacts on the affected individuals such as exposing them to the risk of fraud.

Brian Honan

While earlier might have been better, I tend to be forgiving of hard choices made by other professionals.

William Hugh Murray

Luckily, this only affected the "nightly" builds and only a specific set of features of this very popular machine learning framework. But the event yet again shows the problematic state of the Python supply chain if even major and actively maintained packages can be affected by the compromise of a "random" Python package.

Johannes Ullrich

Note this only impacts the nightly-build (vs stable) versions of these packages. Make sure you uninstall all four packages (torch, torchvision, torchaudio & torchtriton) as well as purge your cache for these before loading the updated binaries. The bad version of torchtriton was uploaded with the same package name as the nightly-build version, and due to the PyPi index taking precedence, the bad version was loaded versus the official version. The PyTorch team has renamed the torchtriton dependency to pytorch-triton as well as reserving a dummy package to prevent future attacks.

Lee Neely

This should be a non-event. Attackers in possession of the source code will not be able to do anything a responsible vendor has not already done as part of their software quality assurance process. Manual and automatic code reviews, dynamic testing assisted by full insight into the source code should be easier for the vendor creating the code than for a third party attacker. On the other hand, we are talking about a vendor producing critical security software.

Johannes Ullrich

There is an old saying “If you put all your eggs in one basket, watch that basket really, really carefully.” Password managers and SSO platforms are essential big baskets of eggs full of passwords and are obvious high leverage targets for attackers. Both Last Pass and Okta have had serious breaches (even if no customer data was exfiltrated) recently – they haven’t been watching their (your) baskets carefully enough. At renewal time for all such services, require information on security changes and testing and consider competitive procurements.

John Pescatore

When first discovered, Okta shut down access to their GitHub repositories, and after analyzing access, has since restored that access. The exposure was specific to their new Workforce Identity Cloud service which provides access management, governance and privileged access controls in one package. The attackers are claiming they had sufficient access to reset passwords and MFA credentials data for Okta customers while Okta claims they were not. This follows the August breach of Twilio (used for SMS validation) and September breach of recently acquired Auth0. While the issue of who has which data is being sorted out, you may want to consider what options you have, including changing credentials, use of SMS validation and moving to another solution, just in case.

Lee Neely

Single sign-on and password managers are the old solution to part of the password problem. While better than nothing, they are still limited. Passkeys are the modern solution. They offer both safety and convenience. Be sure to offer this option to your users. Three months might be a reasonable schedule.

William Hugh Murray

It appears that cyber criminals [or nation states] are ‘upping’ their game by attacking companies that centralize critical information. In this case company proprietary information was lost that could be used to find and exploit vulnerabilities in the Workforce Identity Cloud service. Companies that offer consolidation/centralization services, should revisit their security processes and make it a regular discussion item as part of board level risk management.

Curtis Dukes

The attack violated LockBit's code of ethics, and they removed the affiliate who executed the attack from their network. But they still took long enough to release the decryptor that the hospital was able to restore over 50% of systems to operational status. The motivation here is likely to paint a positive picture to influence future victims to trust them and pay their fees.

Lee Neely

While this is good news and shows that even criminal elements have a code a conduct, the fact remains that the IT enterprise had not implemented basic cyber hygiene practices. The recently published ‘Blueprint for Ransomware Defense’ can serve as an action plan for ransomware mitigation, response, and recovery to protect against future attacks.

Curtis Dukes

Let’s not let this story cloud our judgement about the criminal intent and damage ransomware operators cause. Even with the decryption key, the hospital will still need to keep systems offline until they can be sure those systems are not compromised in any way. Getting the decryptor key does not magically reverse the damage and disruption caused by ransomware attacks.

Brian Honan

LockBit gets little credit for this in my book. I can count; by my reckoning healthcare remains the favorite target for extortion attacks. This is only in part because it is a soft target. In part it is because we will pay to restore care to sick kids.

William Hugh Murray

Copper Mountain had predefined plans which they followed, shutting down systems and reverting to manual controls while conducting their assessment, as well as enlisting the support of external partners. That is how DR plans are supposed to work. It was reported that compromised credentials for a CMMC employee were available for sale in a hacker marketplace on December 13th. While watching for compromised credentials, and taking action to change them is important, making sure that external entry points don't allow access with reusable credentials is critical. Don't forget to review, making sure that accounts which can bypass MFA are not added.

Lee Neely

Three observations from yet another ransomware attack: 1) Every sector, public and private is a target of cybercriminals 2) You need to be prepared for the eventuality of compromise; the importance of regularly testing recovery plans cannot be understated. 3) Use the ‘Blueprint for Ransomware Defense’ as a guide to protect against future attacks.

Curtis Dukes

A busy reporting cycle on ransomware events to start the new year. It is reassuring to read that “All security protocols and response measures planned for this type of occurrence were quickly activated.” Still, lessons can be learned about the state of security employed at the port to further reduce ransomware attacks.

Curtis Dukes

LockBit ransomware operators are taking credit for this attack. Again, predefined security protocols were activated, minimizing the disruption and expediting the response/remediation. The Port is already working with both authorities and staff to ensure the security of the data and systems. The attackers claim to have stolen financial reports, audits, budgets, contracts, ship logs and other information about cargo and crews.

Lee Neely

The report suggests that at least some mission critical applications were safely isolated from public network facing ones.

William Hugh Murray

The two flaws, CVE-2018-5430 and CVE-2018-18809 have patches from TIBCO, also released in 2018. Make sure that you're running the updated JasperReports server, library, and reporting engines.

Lee Neely

The most obvious use of this database is to prioritize patching. However, consider consulting it as an indicator of quality before buying a product.

William Hugh Murray

Irrespective of what malware is targeting which plugins, make sure that you're running updated plugins on your WordPress Site, that you've uninstalled inactive plugins and themes, and implemented MFA for your administrator accounts. There are two exploits, the first: Linux.BackDoor.WordPressExploit.1 has remote C&C, targets 32 bit Linux, but will run on 64 bit variants as well; the second: Linux.BackDoor.WordPressExploit.2 appears to be an updated version, with different C&C servers, and has exploits for additional plugins. The Doctor Web blog lists the plugins each targets and has links to IOCs you can ingest.

Lee Neely

The exploit leverages a flaw in the import_actions_from_settings_from_panel which runs admin_init hook meaning the flaw is running as admin, without authentication, so you can pretty much impact anything in the /wp-admin/ directory. The function was lacking a CSRF and capacity/type check. The updated version of the plugin was released December 6th, (3.20.0) and has been updated since, you should be on at least version 3.21.0. Note that while your WAF can help prevent this type of attack by blocking uploads of files with known dangerous extensions, embedded executable PHP code, or known malicious files.

Lee Neely

Note that "premium" does not modify "plug-in." While some plug-ins may be of higher quality than others, history suggests that, at least collectively, their quality is a problem. Please use them with appropriate caution.

William Hugh Murray

The phrase "baby steps" comes to mind. Even so, this is a step in the right direction. This is the first such bill passed in the US: future bills will build upon this to achieve more comprehensive provisions to better support third-party repair of devices. The bill was weakened through efforts to ensure that safety and security were not compromised with these efforts. Regardless of the provisions, you still need to include due diligence when qualifying repair services, as well as determine where the repair vs replace lines are for your equipment.

Lee Neely

For most end-users, exercising their right to repair will be at the expense of their security.

William Hugh Murray