SANS NewsBites

Check SIM-Swapping Controls on All Corporate Carriers and Allowed User-Owned Devices; US Federal Government Shows ROI of Vulnerability Management; Check Crates.io Rust Packages for Compromise

August 29, 2023  |  Volume XXV - Issue #68

Top of the News


2023-08-28

Kroll Says Breach was Due to SIM Swapping

Kroll has disclosed that an employee T-Mobile account was the target of a successful SIM-swapping attack; a threat actor managed to convince T-Mobile to switch the employee’s phone number to their own device. The incident occurred on August 19. Kroll writes that “it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”

Editor's Note

T-Mobile and most carriers have implemented some controls to make SIM swapping more difficult, but Kroll says “T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor's phone at their request.” Not a lot of detail to determine if any controls had been enabled on that particular account – doing so is key to enabling trustable mobile phone-based MFA. The recent CSRB report on the Lapsus$ attack detailed how telecommunications provider customer management tools were compromised to bypass controls against SIM swapping. Good reminder to check corporate mobile services settings and mobile device management policy checks for employee-owned devices.

John Pescatore

SIM-swapping is one threat vector we pentesters can't directly exploit, so be sure to calculate and consider this risk another way. And let this be your reminder that while SMS-based MFA is better than none, there are many more secure options available.

Christopher Elgee

This was a SIM-swapping attack on the corporate account. While we've all been focused on making sure our personal accounts were protected, your corporate team should have been doing the same with your corporate carriers. Take a moment to ask your mobility team what controls are in place to prevent SIM-swapping, and if they have implemented all the latest options. They may have to reach out to their account reps for the answer. Also, make sure you're asking about all your carriers. While you may have a default/preferred service provider, odds are you have alternates for areas where coverage is better from another provider.

Lee Neely

T-Mobile ‘owns’ this compromise of the Kroll network. SIM-swapping has been around for more than a decade and mobile service providers by now should have a solid set of procedures in place to guard against it. That said, Kroll would be wise to revisit what controls it has in place for mobile device management to minimize future data loss.

Curtis Dukes

I just mentioned SIM Swapping attacks in class this week when we were discussing Cloud and IdP attacks and the strengths of each one. I have noticed along these lines that it is still the target for getting into Crypto Exchanges. The other commonality is that T-Mobile customers seem more in the news. Is it just T-Mobile? Hard to say, but strange.

Moses Frost

That this change took place without even notification to the subscriber is a classic failure. As a major carrier, T-Mobile must perform at least as peer to its competition. Provisioning orders must be subject to supervision, training, out-of-band confirmation, and with sufficient delay (e.g., three days) for the out-of-band confirmation to give the subscriber time to recognize and react. These are essential, not simply desirable, controls.

William Hugh Murray

2023-08-28

CISA: Vulnerability Disclosure Policy Platform Annual Report

The US Cybersecurity and Infrastructure Security Agency (CISA) says its Vulnerability Disclosure Policy (VDP) Platform helped Federal Civilian Executive Branch (FCEB) agencies identify and address more than 1,000 vulnerabilities in their systems and websites. The VDP Platform allows outside researchers to legally search for bugs in specified FCEB websites and networks and disclose their findings. CISA’s Shared Services Office launched the program in 2021. Since then, the program has received more than 1,300 vulnerability disclosures, 85 percent of which have been remediated.

Editor's Note

Another success story for CISA. Back in September 2020, BOD 20-01 called for the development and publishing of a vulnerability disclosure policy, which included the CISA reporting and monitoring requirements; while the requirement was graduated, within two years (Sept. 2022) all internet-facing systems were in scope. To date, 40 agencies are participating, and almost 4,100 unique reports, 1,330 of which were valid, had been received through the end of last year. Those reports were classified as 192 critical, 92 severe, 757 moderate and 299 low. Make sure you have a VDP policy and program. The BOD has templates and resources you can leverage if you don't have a starting point.

Lee Neely

Good to see essential security hygiene in action but it took an Executive Order by President Biden in 2021 to move from talk to action – 24 years after 1998’s Presidential Decision Directive 63 pointed to 2005 as when “The Federal Government shall serve as a model to the private sector on how infrastructure assurance is best achieved…”

John Pescatore

Crowdsourcing vulnerability discovery has proven successful with federal departments and agencies. Perhaps this success story can be replicated sector by sector leveraging the Federal Government’s Information Sharing and Analysis Center (ISAC) model.

Curtis Dukes

2023-08-28

Phylum: Attempted Software Supply Chain Attack Targeted Rust Developers

Researchers from Phylum detected what was likely the early stages of an attempted software supply chain attack targeting Rust developers. The threat actors published typosquatted versions of popular packages to the Crates.io package registry. The initial typosquatted packages contained “virtually no code at all,” but subsequent updates added progressively more malicious content. Phylum notified the Rust Foundation of the supply chain attack being staged in the Crates.io registry, and the packages have been taken down.
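The staging described above only works if a developer pulls the look-alike name in the first place, so the cheapest control is on the consumer side: compare every name in your lockfile against the crates you actually meant. The script below is an added example written for this note, not Phylum's tooling or anything from the Rust project. It reads the subset of Cargo.lock that matters here ([[package]] tables with name and version), normalises names the way I understand crates.io to treat them for uniqueness (case-insensitive, with '-' and '_' equivalent), and reports names that are not an allowlisted crate but lie within one edit of one. The allowlist and the lockfile are constructed for the demo.

```python
"""Flag lockfile dependencies whose names sit one edit away from a well-known crate."""
import re

# Constructed allowlist for the demo. In practice use your approved-dependency
# list or the top-N crates by downloads.
POPULAR_CRATES = {
    "serde", "serde_json", "tokio", "rand", "regex",
    "clap", "hyper", "reqwest", "anyhow", "log",
}

# Constructed lockfile: two typosquat-looking names and one unrelated internal crate.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "serde"
version = "1.0.188"

[[package]]
name = "serde_jsn"
version = "0.1.2"

[[package]]
name = "tokio"
version = "1.32.0"

[[package]]
name = "reqwets"
version = "0.1.0"

[[package]]
name = "my-internal-thing"
version = "2.3.0"
"""


def parse_cargo_lock(text):
    """Return (name, version) for every [[package]] table in a Cargo.lock."""
    packages = []
    for block in re.split(r"(?m)^\[\[package\]\]\s*$", text):
        name = re.search(r'(?m)^name\s*=\s*"([^"]+)"', block)
        version = re.search(r'(?m)^version\s*=\s*"([^"]+)"', block)
        if name:
            packages.append((name.group(1), version.group(1) if version else ""))
    return packages


def normalize(name):
    """Assumed crates.io uniqueness rule: case-insensitive, '-' same as '_'."""
    return name.lower().replace("-", "_")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_suspects(packages, popular=POPULAR_CRATES, max_distance=1, min_len=4):
    """Return (name, version, closest_popular_crate, distance) for suspicious names.

    Names that are themselves a popular crate are skipped; very short names are
    skipped because distance-1 neighbours of a three-letter name are mostly noise.
    """
    by_norm = {normalize(p): p for p in popular}
    suspects = []
    for name, version in packages:
        n = normalize(name)
        if n in by_norm or len(n) < min_len:
            continue
        closest = min(by_norm, key=lambda cand: edit_distance(n, cand))
        dist = edit_distance(n, closest)
        if dist <= max_distance:
            suspects.append((name, version, by_norm[closest], dist))
    return suspects


if __name__ == "__main__":
    for name, version, looks_like, dist in find_suspects(parse_cargo_lock(SAMPLE_CARGO_LOCK)):
        print(f"{name} {version}: {dist} edit(s) from {looks_like}")
```

Run it against a real Cargo.lock by replacing SAMPLE_CARGO_LOCK with the file contents; anything it prints deserves a look at the crate's page and its publish history before the build proceeds. Distance alone does not prove malice (legitimate forks and thin wrappers sit one edit away from their upstream too), which is why the output is a review queue rather than a block list.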

Editor's Note

No platform is safe from these attacks. JavaScript (NPM) and Python (pip) are most often used as examples, but any language that allows for easy sharing and distribution of components is potentially vulnerable. On the other hand, a language not providing for a means to easily share components/packages is likely not a very useful language these days.

Johannes Ullrich

You know your language is now very popular when the attackers are hitting your library supply chains—Node packages, PyPI, and now Rust. I suspect PHP and Perl would also be hit, but does anyone use those anymore? That was a lousy attempt at a joke; no one can read Perl anyway, so the attacks will surely go unnoticed.

Moses Frost

The campaign was laying the seeds for a much broader campaign, relying on callbacks from seeded malicious packages to trigger deployment of more sophisticated packages before being detected and shut down by the repository owner. Rust developers can leverage a few tricks, including a sandbox to limit access to disk and environment variables, as well as verifying packages are clean prior to allowing them to execute.

Lee Neely

Kudos to researchers from Phylum for sniffing out this potential supply chain attack. These sorts of software registries are becoming quite valuable to threat actors, including nation states, as Identity and Access Management solutions become mainstream. This should serve as a reminder for maintainers of these software registries to create procedures to guard against this sort of multi-stage attack.

Curtis Dukes

The Rest of the Week's News


2023-08-26

Tor Has Started Using Proof-of-Work as DDoS Defense

The Tor network has begun using proof-of-work as a method of defense against distributed denial-of-service (DDoS) attacks. The proof-of-work feature offers “the ability to prioritize client requests by proof-of-work that is a puzzle with a difficulty level proposed by the service.” The feature is offered in Tor 0.4.8.4, which was made available as a stable release on August 23.
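To make the mechanism concrete, here is an added example of proof-of-work admission control in the shape described above: the service publishes a seed and a suggested effort, a client spends CPU finding a nonce, and the service checks the answer with a single hash and serves the queue highest proven effort first. This is a hashcash-style toy written for this note; it is not Tor's EquiX puzzle and not Tor's code, and the seed, effort levels and client names are made up.

```python
"""Proof-of-work admission control with effort-based prioritisation (hashcash-style toy)."""
import hashlib
import heapq
import itertools
import secrets
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest; this is the 'effort' metric here."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def puzzle_hash(seed: bytes, nonce: int) -> bytes:
    return hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()


def solve(seed: bytes, effort: int, start: Optional[int] = None, max_iter: int = 1 << 26) -> int:
    """Client side: brute-force a nonce with at least `effort` leading zero bits.

    Expected cost is about 2**effort hashes, and only the client pays it.
    Clients start from a random point so two of them do not find the same nonce.
    """
    if start is None:
        start = secrets.randbelow(1 << 40)
    for nonce in range(start, start + max_iter):
        if leading_zero_bits(puzzle_hash(seed, nonce)) >= effort:
            return nonce
    raise RuntimeError("no solution within max_iter")


def verify(seed: bytes, nonce: int, claimed_effort: int) -> bool:
    """Service side: one hash, however hard the puzzle was."""
    return leading_zero_bits(puzzle_hash(seed, nonce)) >= claimed_effort


class PrioritisedService:
    """Accepts solved puzzles and hands out service highest-effort first."""

    def __init__(self, suggested_effort: int, seed: Optional[bytes] = None):
        self.suggested_effort = suggested_effort
        self.seed = seed if seed is not None else secrets.token_bytes(32)  # rotate periodically
        self._heap = []                  # (-effort, arrival_seq, client_id)
        self._seq = itertools.count()    # FIFO tie-break among equal effort
        self._spent = set()              # replay defence: one use per nonce per seed

    def submit(self, client_id: str, nonce: int, effort: int) -> bool:
        """Queue the client only if the proof is fresh and really backs the claimed effort."""
        if nonce in self._spent or not verify(self.seed, nonce, effort):
            return False
        self._spent.add(nonce)
        heapq.heappush(self._heap, (-effort, next(self._seq), client_id))
        return True

    def serve_next(self) -> Optional[str]:
        """Pop the client with the highest proven effort (oldest wins ties)."""
        if not self._heap:
            return None
        return heapq.heappop(self._heap)[2]


if __name__ == "__main__":
    import time
    svc = PrioritisedService(suggested_effort=14)
    for client, effort in (("bot", 14), ("user", 18)):
        t0 = time.perf_counter()
        nonce = solve(svc.seed, effort)
        ok = svc.submit(client, nonce, effort)
        print(f"{client}: effort {effort} took {time.perf_counter() - t0:.2f}s, accepted={ok}")
    print("served first:", svc.serve_next())
```

Two points the code makes that the summary does not: verification is constant-cost for the service while solving is exponential in the effort, which is what makes the scheme a DoS defence rather than a DoS amplifier; and the service must track spent nonces per seed, otherwise one solved puzzle can be replayed to flood the priority queue. Tor's actual puzzle is designed to resist the GPU/ASIC advantage that a plain SHA-256 search hands to a well-funded attacker, which this toy does not attempt.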

Editor's Note

Most online services just invest in DDoS mitigation capabilities and services, but Tor faces the double challenge of being a non-profit company and providing anonymity. The downside of this approach is many DDoS attacks use compromised servers in botnets to launch their attacks. Those machines will now be essentially “resource consumption DoS-ed” while they are busy playing killer Sudoku or trying to solve a Bongard problem. I guess that has an upside – the admins of those compromised machines may show reduced time to detect metrics, though their electric bills will go up.

John Pescatore

The DDoS attacks were disrupting access to .onion sites, notably from last June to May this year; the proof-of-work challenge, known as EquiX, is installed on Tor nodes. Proof-of-work is based on a mechanism developed in 1992 by Moni Naor and Cynthia Dwork as a defense against DoS and spam, made famous for energy use by Bitcoin to verify cryptocurrency transactions and add them to the blockchain. For most of us accessing .onion sites over the Tor network, this will be transparent, and where attacks are underway, the increased complexity will slow or stop the attacker with compute times, per puzzle, up to a minute.

Lee Neely

We will see how this may impact the Tor network. I would like to know what the active number of users and sites are for Tor to begin with. Tor’s time in the sun seems to have peaked and may have been on the downswing. I’m sure it's still very much used, but it’s no longer in the zeitgeist of the non-practitioner's tongue, not like it was around 2010-2013.

Moses Frost

2023-08-28

PurFoods Discloses Data Security Incident

Food delivery company PurFoods has disclosed that personal information of 1.2 million customers and employees was compromised in a data security incident. The data include payment card and bank account numbers and some protected health information (PHI). One of PurFoods’ programs, Mom’s Meals, delivers specially-tailored meals to Medicare and Medicaid patients. PurFoods noted suspicious network activity in February, and determined that some files on its network had been encrypted during the previous month. The company also observed data exfiltration tools on its network.

Editor's Note

PurFoods reports about a five-week time to detect, but equally problematic is that they found encrypted files and exfiltration tools installed but said they could not “…rule out the possibility that data was taken from one of our file servers.” That indicates gaps in server and network monitoring or a failure in protecting logs, or both.

John Pescatore

PurFoods is offering one year credit monitoring and restoration to customers whose personal information was potentially affected, with customer notifications sent last week if their data was not affected. As the investigation is ongoing, and if you're a PurFoods customer, you may want to assume compromise and enroll in your own credit monitoring/restoration service rather than waiting on their processes.

Lee Neely

A bit early in the cyber incident analysis phase but appears to have all the hallmarks of a ransomware attack. Cybercriminals do not distinguish when it comes to who they attack; every sector is a potential target. It will be interesting to learn details of the attack and what defenses PurFoods had in place.

Curtis Dukes

Too much data, too poorly protected. Just by way of example, no one should be storing primary bank card account numbers in the clear. Not even the brands and issuers. It makes one a target and invites fraud.

William Hugh Murray

2023-08-28

Polish Railway Radio Communication System Hacked; Police Arrest Two

Police in Poland have arrested two people in connection with the hacking of a Polish railway radio communication network over the weekend. The attack involved inexpensive equipment used to issue spoofed radio commands to trains. The incident caused more than 20 Polish freight and passenger trains to come to a full stop.

Editor's Note

The hack is sending three known, consecutive tones, to the train's radio which triggers a radio-stop command, halting the train. The current system is neither encrypted nor authenticated, so anyone can send these signals. The good news is Poland is working to upgrade systems to GSM cellular radios which include authentication and encryption, by 2025. This begs the question: how quickly do you mitigate risks when they are being actively exploited? The weakness, and how to hack the trains, has been published online for several years. The question is: can Poland live with the hacks for another 18 months or do they need to accelerate the upgrade?

Lee Neely

Some of our SANS NewsBites readers are old enough to remember ‘phone phreaking.’ This appears to be a play on that attack technique and, as it turns out, still effective against aging infrastructure. Companies with similar technology dependencies should revisit their risk mitigation plans for older infrastructure.

Curtis Dukes

A "stop" is certainly preferable to "full speed ahead." One would like to think that that was a built-in failure mode in the face of interference. That said, infrastructure cannot be safely operated in clear text.

William Hugh Murray

2023-08-28

Metropolitan Police Supplier Suffers Data Breach

London’s Metropolitan Police is investigating a cyber intrusion at one of its suppliers that may have compromised sensitive information belonging to roughly 47,000 Metropolitan Police officers and staff members. The potentially compromised information includes names, ranks, photographs, vetting levels, and salary information.

Editor's Note

The police force staff association is worried the breach will cause "concern and anger," particularly for officers with ethnically identifiable names which can be used to facilitate identification and interference with their duties. While the association is pointing at the Metropolitan Police, remember this is a case of a third-party breach. The controls, and verification, will need to be reviewed to determine what, if anything, could have been improved. Here is another scenario for you to walk through at your next tabletop.

Lee Neely

This unfortunate cyber incident serves as a reminder to all organizations that outsource key business processes of their responsibility to vet third-party suppliers. That vetting should include at a minimum a periodic review of their cybersecurity processes and procedures as part of the contract.

Curtis Dukes

One can make a case that all of that information is essential to the running of a police department. The lesson for the rest of us is to ensure that we are retaining only essential data and only to the extent that we can vouch for its protection and integrity.

William Hugh Murray

2023-08-28

Rackspace Says Cyberattack Remediation Has Cost More Than $10M So Far

Cloud computing company Rackspace experienced a ransomware attack late last year. According to a recently-released earnings presentation, the company says that so far, it has spent $10.8 million responding to the “Hosted Exchange incident.” Rackspace expects that its costs stemming from the attack will increase, as it is named in several related lawsuits.

Editor's Note

I always say you should learn as much as you can from incidents, particularly if you are not the victim of one. This incident serves two lessons. The first is that moving to the cloud does not eliminate all risks and that you should ensure your incident response plans include how you recover from an incident in a cloud service provider. The second lesson is that prevention is always better than the cure and the slide deck provided by Rackspace is a great example to show to a board on the financial impact an incident can have on a business.

Brian Honan

The Rackspace incident is one to look at. In the ISP space, email (not Exchange but more like POP3/IMAP/etc.) was considered a “Dead Pipe” solution in which there was no monetary gain by offering or not offering email. It was probably a loss leader as it cost the company money, and the users would use a third-party email service anyway. When was the last time your Internet Service Provider made money on email? Now consider you sell Exchange to monetize, and you are in a catch-22; you got hit with a patchable vulnerability, and at the same time, your customers are now suing you. Double whammy for a company that is competing with large cloud providers.

Moses Frost

The costs cover many areas, not just the loss of the hosted Exchange environment, but also the cost to investigate, remediate, legal and professional services as well as added customer support staff to aid customers. All of these are on top of Cyber Insurance costs. Make sure you're factoring all these into your BC/DR planning, use them to strengthen your call for resources and improve your risk register calculations.

Lee Neely

A valuable data point as organizations weigh the cost of implementing cybersecurity best practices. The Center for Internet Security recently published a paper, The Cost of Cyber Defense, that can also serve as an aid in determining the cost in providing essential cyber hygiene.

Curtis Dukes

2023-08-25

Microsoft Removed Abandoned Reply URL from Azure AD App

Microsoft has removed an abandoned reply URL from an Azure Active Directory app. Researchers from Secureworks alerted Microsoft to the URL’s presence in April; Microsoft removed it within 24 hours. The URL could have been misused to redirect authorization codes and exchange them for access tokens. Secureworks urges organizations to check their own app registrations for similar abandoned reply URLs.
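The check Secureworks recommends is mechanical enough to script. The example below is added for this note and is not Secureworks' or Microsoft's tooling. It takes application objects in the shape returned by Microsoft Graph's applications endpoint (appId, displayName, and redirectUris under web, spa and publicClient), extracts every reply URL, and flags hosts that no longer resolve, wildcard hosts, and non-https redirects. The two sample applications, the LIVE_HOSTS set and stub_resolver are constructed so the script runs offline; dns_resolver does live lookups for real use.

```python
"""Audit app-registration reply (redirect) URLs for abandoned hosts and risky patterns."""
import socket
from urllib.parse import urlsplit

DANGLING = "host does not resolve (candidate abandoned reply URL)"
NON_HTTPS = "non-https scheme"
WILDCARD = "wildcard host"

# Constructed sample applications, shaped like Graph 'application' objects.
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "Portal",
     "web": {"redirectUris": ["https://portal.example.com/signin-oidc",
                              "https://old-preview.example.com/auth/callback"]},
     "spa": {"redirectUris": ["http://localhost:3000/callback"]},
     "publicClient": {"redirectUris": []}},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "Batch job",
     "web": {"redirectUris": ["http://jobs.example.com/cb", "https://*.example.com/cb"]},
     "spa": {"redirectUris": []},
     "publicClient": {"redirectUris": []}},
]

# Constructed: pretend only these names still resolve.
LIVE_HOSTS = {"portal.example.com", "jobs.example.com"}


def stub_resolver(host):
    """Offline stand-in for DNS, driven by LIVE_HOSTS."""
    return host in LIVE_HOSTS


def dns_resolver(host):
    """Live resolver for real use: does the name still resolve at all?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def reply_urls(app):
    """Yield (section, uri) for every redirect URI across the three platform sections."""
    for section in ("web", "spa", "publicClient"):
        for uri in (app.get(section) or {}).get("redirectUris", []):
            yield section, uri


def audit(apps, resolves=stub_resolver):
    """Return (displayName, section, uri, reason) tuples that deserve a human look."""
    findings = []
    for app in apps:
        for section, uri in reply_urls(app):
            parts = urlsplit(uri)
            host = (parts.hostname or "").lower()
            if host in ("localhost", "127.0.0.1", "::1"):
                continue  # loopback redirects are the normal native/dev-client pattern
            if "*" in host:
                findings.append((app["displayName"], section, uri, WILDCARD))
                continue
            if parts.scheme != "https":
                findings.append((app["displayName"], section, uri, NON_HTTPS))
            if host and not resolves(host):
                findings.append((app["displayName"], section, uri, DANGLING))
    return findings


if __name__ == "__main__":
    for name, section, uri, reason in audit(SAMPLE_APPS):
        print(f"[{name}] {section}: {uri} -> {reason}")
```

For a tenant-wide pass, feed audit() the JSON from the Graph applications listing and swap in dns_resolver. Treat "does not resolve" as the crudest signal only: a host that still resolves can also be abandoned (an expired domain someone else re-registered, or a decommissioned cloud resource whose name is free to claim), so the real review is confirming that every non-loopback reply host is still owned and operated by you. The same reasoning applies to the post-logout and front-channel logout URLs on an app registration, which this script does not cover.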

Editor's Note

There are lots of moving parts in Azure AD, and the job is to make sure things are kept current. An abandoned URL, test code, etc. are risks, and while they previously had purposes, you still need them to be discovered and retired judiciously.

Lee Neely

All cloud providers need to be paragons of configuration management. Not only do they owe this to their customers but also to their investors. See Rackspace report above.

William Hugh Murray

Internet Storm Center Tech Corner

Python Malware Using Postgresql for C2 Communications

https://isc.sans.edu/diary/Python+Malware+Using+Postgresql+for+C2+Communications/30158

macOS: Who is Behind This Network Connection?

https://isc.sans.edu/diary/macOS+Whos+Behind+This+Network+Connection/30160

Analysis of RAR Exploit Files (CVE-2023-38831)

https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164

Rust Malware Stages on Crates.io

https://blog.phylum.io/rust-malware-staged-on-crates-io/

Microsoft Will Enable Extended Protection for Exchange Server by Default

https://techcommunity.microsoft.com/t5/exchange-team-blog/coming-soon-enabling-extended-protection-on-exchange-server-by/ba-p/3911849

Juniper Exploit CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847

https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/

CVE-2020-19909 Is Everything that is Wrong with CVEs

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

Windows Certificate Confusion

https://arstechnica.com/security/2023/08/a-renegade-certificate-is-removed-from-windows-then-it-returns-confusion-ensues/

NPM E-Mail Validator Package Malware

https://blog.phylum.io/npm-emails-validator-package-malware/