Many Lessons to Learn from CircleCI Breach Report; Patch Zoho ManageEngine Ahead of Exploit Code Release; Yet Another Password Manager Product (Norton) Breached

I appreciate CircleCI being transparent and helping us all learn. When using CI/CD tools, there is no way around entrusting them with some form of credentials. Make sure to keep those credentials ephemeral and rotate them frequently.

Johannes Ullrich

Good example of a targeted attack that went after an employee with privileges to generate production access tokens. The CircleCI actions taken also point out the risks of too many employees being given production access and the risks that SSO approaches bring, even when multifactor authentication is used for initial authentication.

John Pescatore

Well done to CircleCI for being so transparent in their incident report. This is a great reminder that security has to be seen as a holistic challenge rather than focusing on just one area within an organization. Too often I see companies thinking that their production systems in the cloud are secure and therefore they need not worry as much about other parts of their infrastructure, in particular the end points. You need to identify every possible route a compromise can take and secure it accordingly. I will be keeping this report to hand for future client engagements who tell me they don’t need to worry about their developers’ devices as the production environment is secure.

Brian Honan

Kudos to CircleCI for their transparency. Be aware of your “weakest links.” While there is no such thing as perfect security, it is possible to implement many measures to reduce risks, to include modern EDR, MFA, MDM, and logging. With the change of the perimeter, due to efforts such as Cloud and ZTA, make sure that endpoints are hardened and defenses enabled. Where you are using long lived credentials, make sure that you can rapidly change them in the event of a breach. Verify controls are in place, and are not bypassed, regularly.

Lee Neely

Theft of user credentials, especially elevated privileges, is the ‘holy grail’ for cyber criminals. It allows easy system access and with elevated privileges, ease in traversing the enterprise. Interestingly, both multi-factor authentication (MFA) and data encryption defenses were employed by CircleCI but were ultimately compromised. This indicates that the adversary was highly skilled to both bypass the additional authentication method and separately, recover ‘running’ encryption keys. Organizations should revisit their configuration of MFA to protect against credential harvesting attacks.

Curtis Dukes

The flaw stems from a flaw in the Apache Santuario third-party plugin which is updated in the patches released in October and November. While this flaw only exists when you have SAML/SSO enabled, you should make sure that you’re on the current version of ManageEngine regardless.

Lee Neely

Per previous comments in Newsbites, it is obvious that attackers have targeted password manager software – not surprising since all those tasty eggs are in one tempting basket. LastPass, Okta, now Norton Password Manager. If you are using or considering other password managers, get assurances they are going back and making sure they have not been compromised.

John Pescatore

Protecting online access to a password manager with a simple username and password is negligent. After all, the main selling point of a password manager is that users will not be able to remember complex passwords.

Johannes Ullrich

The cliché “only as good as your weakest link” comes to mind. As hard as we’ve worked to encourage the selection of strong credentials, leveraging a password manager to keep it all straight, we still have a human behavior challenge. The challenge is to train users on not only using good pass-phrases, or MFA if available, to protect your password manager, but also keep an eye out for breach notifications and update affected passwords.

Lee Neely

The Pentagon’s experience with two previous well-managed bug bounty programs mirror the success of many others in the effectiveness of both identifying meaningful vulnerabilities and in providing information that can greatly ease the process of fixing those vulnerabilities. The important part is the fixing of those vulnerabilities – if you are looking at doing a similar effort, make sure you have the processes and staff in place to deal with the influx.

John Pescatore

This program has been evolving since 2016. If you want to try your skills on testing OT systems, this could be a lot of fun. Note that the actual event window is only 72 hours, read the Hack the Pentagon 3.0 solicitation for details about participation and timelines.

Lee Neely

Bug bounty programs have proven their worth as a cybersecurity tool. While system developers try and test for every possible exception, history has shown that flaws ultimately find their way into production systems. Crowdsourcing vulnerability discovery in a controlled setting is both cost efficient and supports cyber defenders.

Curtis Dukes

Critical systems do not fail because a person makes a mistake, but because insufficient controls fail to prevent the mistake. Of course, in this case, Layer 8 problems (politics) may in the turn out to be the real culprit.

Johannes Ullrich

This one is a good example of how complex the true critical path of business operations really is. Reminds me of the Colonial Gas Pipeline shutdown – turns out that billing systems are on the critical path, since they won’t pump the gas if they can’t bill for it. This wisdom dates back to the 13th century, where “keeps” means “keeps safe”: “The wise tell us that a nail keeps a shoe, a shoe keeps a horse, a horse keeps a knight, a knight, who can fight, keeps a castle.”

John Pescatore

Ever wonder what constitutes a critical system? One can argue this is a critical business process, even so, being aware of the impact of outages to components which support that process, and ensuring you have a smooth failover are vital. This is the type of situation where you don’t want to rely on on-call IT, for a primary response, but rather invest in modern architecture where services scale, fail-over, etc. This type of architecture can be expensive, which is why you need to have it tied to mission impact.

Lee Neely

By now we’ve all become familiar with the NOTAM acronym and its criticality in successful flight operations. I, like thousands of other passengers were delayed in our travel that day, but the FAA made the right call to ground all flights. That said, two observations: 1) after 30 years of reliable service, it’s time for a NOTAM replacement; technology evolves. 2) in addition to system replacement, the FAA should establish a prioritization scheme for messages; humans can only process so much information.

Curtis Dukes

The exploit requires administrative access to the system, often accomplished by a combination of credential capture (to include OTP tokens), and once on they take advantage of the loophole allowing BYOVD to work. In addition to applying current security fixes from Microsoft which are making this harder, also make sure your EDR solution is able to detect and block this activity. Read the CrowdStrike blog to both gather IOC’s for hunting, and the type of capabilities your EDR would leverage when you’re verifying that you are covered.

Lee Neely

Hackers will always be exploiting "old...flaws.” We should know by now that a significant number of instances of popular products will never be patched. Even if it was effective, patching is an inefficient way to attain quality.

William Hugh Murray

You should be subscribed to these notifications, in addition to your vendor security bulletins. (The subscribe information is at the bottom of the CISA web page below.) Note that the alerts for InHand’s InRouter include CVE-2023-22600, a remote command injection flaw, with a CVSS score of 10.0. I know you’re focusing on proper segmenting and monitoring, don’t forget to ensure updates are also applied.

Lee Neely

This time DNV caught a bit of a break as the on-ship operations can continue until the on-shore systems are restored and they sync back up. In the future, it’s expected increased dependencies on on-shore services may render this option non-viable. The challenge is to assess dependencies of remote applications on your services and to assess the intended behavior when those services are offline. Don’t forget to not only include notification as well as re-sync/catch-up of transactions in your planning.

Lee Neely

Read the analysis even if you’re not in the healthcare sector. Not only to understand these adversaries and how their malware works, but also for IOCs and mitigations you can leverage. Even if they all look familiar, it’s a good idea to check for tricks you and your team may have missed.

Lee Neely

Cybercriminal gangs target every infrastructure sector. All information sharing and analysis centers benefit from analysis of Royal and Black Cat ransomware tactics and techniques. Cyber defenders use the brief to revisit your cyber defense plan and its implementation.

Curtis Dukes