Make Sure You Have Active Backups for Cloud Storage; Patch Cisco NX-OS, FXOS Software to Mitigate High Severity Vulnerabilities; Immediately Replace Barracuda Networks Email Security Gateway Appliances

Do you have a plan if your cloud storage disappears? With no control over how the storage is managed, companies put a lot of trust into cloud storage providers to keep their data safe not just from ransomware, but also from other disasters like fires or weather events.

Johannes Ullrich

Important lessons learned here. Note that as part of transitioning to a new data center, server (admin) interfaces were connected to an internal network, providing access previously denied, allowing the attack. The good news is it doesn't appear that data was exfiltrated, just encrypted. The bad news is they are going to need every trick in the book to recover. Have you considered what would happen if your providers were similarly compromised? Are you solely reliant on their backup procedures or do you have another copy just in case?

Lee Neely

This ransomware attack will have a dramatic effect on company future earnings. Firewalls and anti-virus, in and of themselves, are not enough to protect an enterprise. One must have an established cybersecurity program aligning to a cybersecurity framework, with active monitoring and measuring against the framework. There are lots of lessons to be learned here that will be beneficial to cybersecurity professionals and company boards.

Curtis Dukes

It’s not often that I get to say this, but this is actual Enterprise gear that we can discuss and talk about and not small and medium sized business equipment. NX-OS powers DataCenter Switches, and FX-OS powers the Firewall Code under the hood. Currently this can cause a DoS, which in a DataCenter or a Firewall Unit is pretty bad. There are no workarounds listed, however it appears to only be affecting SNMP. I’m not sure if you can disable SNMP on the device and have it not be vulnerable, I would imagine if it that was the case it would have been listed as a workaround.

Moses Frost

Three of the vulnerabilities rate a CVSS score over 7 (CVE-2023-20200, 7.7, CVE-2023-20169, 7.4 & CVE-2023-220168, 7.1) so you need to get these updates out. These are enterprise devices, likely playing a critical role (data center, building/core.) Hopefully, you've got update processes, if not then you need to know where you can failover as well as regression test.

Lee Neely

It is not so much that the fix is insufficient. The fix will patch the system and mitigate the vulnerability, but as any other patch, it will not remove artifacts left behind by attacks. The Barracuda vulnerability was exploited for several months ahead of the patch release. Attackers had plenty of time to set up shop and secure their access to the system. Do not just use lists of IoCs to detect malicious components. They are a good start but they are limited to exploits known so far. Share what you find with others to improve these lists!

Johannes Ullrich

With the patches being insufficient, and the ESG being a target of attack, your options are limited with your existing devices. At this point it's time to look at an alternate solution for your email security gateway. If you're using a cloud-based email provider, there are likely integrated security solutions which can be enabled quickly, give them a call.

Lee Neely

This is not good news for any Barracuda Customer. Whomever is a customer has to be wondering what exactly they can do at this point if the patches are insufficient and returning/procuring a new device are the only good options for repair.

Moses Frost

The "right to repair" will become an even more important issue with electric vehicles. Batteries with limited lifetime, and the use of many proprietary electronics components will make it difficult for owners to maintain these vehicles as they age, even as routine maintenance is reduced. Some manufacturers (apparently BMW) start to even physically restrict access by using proprietary tools to open the hood of the car.

Johannes Ullrich

The right to repair continues to be a charged topic. Besides making sure that the third-party is trained/qualified to repair the tech in your vehicle, consumers also have to worry about moves in states which support the right. In this case, Kia and Subaru disabled the telematics access for new car buyers in Massachusetts, claiming that it wasn't an open platform, but this also blocks features such as emergency roadside assistance, automatic collision detection, remote vehicle recovery, remote unlock. The workaround in Mass is to purchase a model year 2022 or earlier Kia/Subaru. The lesson is to watch carefully for subtle caveats or gotchas until manufacturers are fully on-board with Right-to-Repair.

Lee Neely

As someone whose dad turned a wrench for almost 65 years, I can tell you that there is no valid reason for the car you purchase to not allow for 3rd party repairs. Whether you want to go to any authorized dealership or not, you should be able to service your car. Now, with EVs, I would never touch them as they can quite literally electrocute you if you are not careful. Still, my preference and opinion may be different from most people working in that industry. It’s more of a democratization of your own purchased vehicle.

Moses Frost

NHTSA is attempting to balance risk in an open market economy. The Massachusetts law has similarities with recently enacted ‘right to repair’ laws concerning farm equipment. Unfortunately, today’s manufacturers’ data platforms were not designed with security in mind. It will take time and a redesign to be compliant with the growing list of right to repair statutes.

Curtis Dukes

The Meta/Facebook writeup is a good read to understand what needs to be thought through to minimize business disruption when rolling out encryption. Encryption is easy – making sure decryption is reliable for authorized users (and really hard for unauthorized users) is not so easy. Under the “free with ads” business model, a lot of revenue may be tied to visibility into server level traffic which may go away with end-to-end encryption – a business problem that the intelligence agencies also face with E2EE.

John Pescatore

The Meta/FB article is a good read on considerations when rolling out E2EE. While an obvious architecture change is that the servers would no longer be able to "see" messages, a more subtle point is that servers were assisting with things like thumbnail or other preview functions in content rich messages which will now have to be done by the endpoint, raising concerns of both bandwidth and performance impact. They are also leveraging lessons learned from WhatsApp. Think about all the things which change when you're doing E2EE, including relocation of processing, storage, and bandwidth.

Lee Neely

Kudos to Meta for making E2E encryption on by default. Apple and other companies have had this capability for years. While this will undoubtably have an impact on certain law enforcement operations, user privacy rights should always tip the scale.

Curtis Dukes

Like most competing implementations, this is device-to-device encryption, not user-to-user. It should not be relied upon for life and death applications.

William Hugh Murray

Microsoft announced in May they were including support for RAR files, along with other archive formats such as tar, 7-zip, gz and others thanks to the addition of the libarchive library, presumably only for Windows 11. This gives you the option of deploying the WinRAR app only where the built-in feature won't meet user needs. Even so, make sure to both update the package where installed and to remind users to only use RAR (and any other archive) files from trusted sources that you've verified. Note this is in the CISA KEV with a due date of 9/14, I wouldn't wait that long.

Lee Neely

Two phrases, ‘zero-day’ and ‘actively exploited’ that immediately puts this vulnerability at the top of the must patch list. That said, given the length of time the exploit has been active, many users of the WinRAR utility are already likely victims.

Curtis Dukes

The message here is to apply the mitigations or discontinue use of the product. This is more than just updating, you're updating the jvm, ideally using the ColdFusion administrator, then restarting, then addressing issues to changes in default behavior. Read the tech notes. Once mitigated, kick the migration project into high gear to move off ColdFusion.

Lee Neely

While Q-Day may be about ten years out, having these standards in place, getting vendor implementations stable, and then migrating will take time. It's important to read and comment before these standards become finalized. Weigh in by November 22nd.

Lee Neely

Quantum computing is still very expensive, but NSA has very deep pockets and acres of cheap storage. The window for replacing RSA is shrinking. One hopes that qualified reviewers can spare the resources to vet these proposals.

William Hugh Murray

The key quote from the Sophos report about RDP: “Combined with the fact that the use of compromised credentials is rampant, and that single-factor authentication is the norm, it’s no mystery why attackers love it.” If you really have to allow RDP, and you probably don’t, but if you do, essential security hygiene requires stronger authentication than reusable passwords.

John Pescatore

We've been talking about dwell time for a while, and never in single digit numbers. Even so, attacks on RDP and during intervals where staffing levels are down come as no surprise. If you must use RDP, put it behind a VPN with MFA or other strong authentication. Consider an outsource for times when you're not staffed, or thinly staffed, rather than trying to hire. Having a backup set of eyes can not only cover when you're not there, but also call attention to issues overlooked.

Lee Neely

A mildly interesting read from Sophos. Even with a shortened window for dwell time, the attacker is still highly successful, as the increase in ransomware attacks in 2023 can attest. The best defense is still having a focus on essential cyber hygiene (see CIS Critical Security Controls Implementation Group 1). If implemented, it really is effective against most cyber-attacks.

Curtis Dukes

The first time I saw an article about dwell time the average was about 450 days. I would say 8 days is a big improvement over that.

Moses Frost

In any real-world risk analysis, this problem is essentially a hole in the screen windows inexplicably put in a submarine. Some of the proposed device certification programs could help raise the bar – the telling quote in this research report: “We were not prepared to discover passwords in the clear and weak cryptography. Exploiting the vulnerabilities was moderately challenging but devising appropriate fixes was harder.”

John Pescatore

This attack relies in using acquired credentials to launch a MitM attack during bulb setup, making this a fairly narrow window of opportunity. Even so TP-Link is fixing issues to limit exposure of credentials in their app, and firmware updates for their bulbs. When you have the updated Tapo app, you may want to change your credentials, particularly if you reused that low security, don't-care password.

Lee Neely

Another example of the rush to connect all manner of devices to the Internet resulting in added risk to a user’s enterprise. Most IoT vendors don’t employ qualified cybersecurity engineers that understand secure by design/default principles. Perhaps, just perhaps, the emerging IoT labeling scheme will be helpful in reducing some of these common cybersecurity mistakes.

Curtis Dukes