Warn Home Workers of Cheap Android Device Risks; Enable GitHub Token Validity Checks; Patch Citrix NetScaler Gateways

This isn't anything fundamentally new. Low cost devices have often been subsidized by additional software. It is worth noting however that "Android" is more than a smartphone operating system. For years, we have seen in our internet storm center sensors attacks against TV sticks and similar devices running Android.

Johannes Ullrich

This is a good example to use for education/awareness for employees with remote access over some simple steps to reduce the risk of compromised devices (like the “cheap Android TV streaming boxes” detailed here). Home DNS filtering services can go a long way in impeding connections to the malicious actors’ command and control servers that are needed to make these attacks work.

John Pescatore

Think beyond the smart phone/tablet to streaming and other IoT devices running the Android OS. Generally, these are knock-off devices, which appear to be a bargain, which have achieved that discount by partnering with others such as malware providers, for offsetting income. Purchase the name-brand devices, isolate them on appropriate segments, and limit their connectivity to only the services needed, to include updates. You may wish to blackhole DNS entries for unexpected sites they are trying to access.

Lee Neely

The old adage proves true; you get what you pay for. In this case, cheap Android TV streaming boxes, come preloaded with malware. When purchasing IT devices do the research and buy from a reputable company. Yes, it may cost a bit more but well worth it. Additionally, every home should use a free DNS filtering service like OpenDNS, Quad9, Cloudflare, and Google Public DNS, to block malicious websites.

Curtis Dukes

Nice move by Github to make their alerts more actionable. This is a free feature, but remember that you must enable it.

Johannes Ullrich

By now we know to leverage any services like this which help us discover accidental information disclosure. The scan will determine if any discovered tokens are valid, allowing you to remediate as needed. You (enterprise or organization owners and repository administrators) need to enable the service for it to work - Settings > Code security and analysis > Secret scanning and check the option "Automatically verify if a secret is valid by sending it to the relevant partner."

Lee Neely

GitHub has been on a security tear over the last 18-months. They first started the security journey by requiring MFA for privileged accounts, then expanded the requirement for all user accounts. Next, they created a secret scanning capability as a credential security check on their public repositories, now expanding to include the major cloud service providers. Well done GitHub, well done!

Curtis Dukes

You read that right, the patch was released in July, and is still being exploited on unpatched devices. Add looking for NetScaler Packet Processing Engine (NSPPE) crash files to your threat hunting as they can contain evidence of the exploitation of the vulnerability. Other IOCs were released with the CVE notification in July. Most importantly, make sure you're on top of patching these devices. While you may be waiting for an outage window, make sure there is an upper end for that wait, and it's reflected in policy.

Lee Neely

We are looking at attackers hitting NetScaler gateways with a vulnerability that has had a patch available for the last 4 months. At this point there are only a few scenarios. Negligence is one. Inability to patch because of some external factor such as it breaks a business process. Could also be that the company forgot the NetScaler was there, moved away from it, and is unaware. Maybe it was a M&A thing. Maybe their support contract ran out and they can’t get the patch? Either way, it does make you wonder who is being affected and why.

Moses Frost

The flaw stems from TagDiv not properly validating and escaping some parameters, as well as improper authorization on the REST route, which allows Stored Cross-Site Scripting attacks. The attackers are leveraging this to send victims to various scam sites such as fake tech support, false lottery wins and push notification scams. TagDiv is a required plugin for the Newspaper and Newsmag WordPress themes, so you can't uninstall it if you're using those themes; make sure that you're on 4.2+ of TagDiv, and then make sure the themes are also updated.

Lee Neely

A WordPress plugin that has vulnerabilities and its actively being exploited? Never heard of such a thing. This is one of those: if you still use WordPress, just have it hosted in a hosting provider that is good at security.

Moses Frost

WordPress Plugins continue to be a source of vulnerability and exploitation. They should be used only by design and intent, never by default, and must be scrupulously managed.

William Hugh Murray

This is a good example of a failure in cybersecurity having a direct impact on a closely tracked business metric – in this case room occupancy. MGM’s annual revenue is over $13B but the ransomware compromise took down their ability to book rooms and they had to report a likely miss in forecasted revenue for 3Q23 – the $100M reduction in billings resulted in a 15% drop in their stock price since the incident was reported. All that adds up to needing to know which baskets are holding a lot of business eggs and prioritizing really, really watching and securing those baskets.

John Pescatore

While the $100M cost seems eye-popping, it likely will grow. What’s really interesting is the impact the purported ransomware event had on business operations – fully $90M in lost revenue. Both the MGM and Caesars Entertainment cyber incidents should be documented as risk management case studies. In this case, businesses need to model potential cyber risks, to include ransomware, and the effect it can have on continuity of business operations.

Curtis Dukes

The loss of revenue from people choosing to stay elsewhere, as well as reduction in stock value, is likely not finished yet. While the exact extent of data exfiltrated may be in question, assume data related to any stay for the last ten years and/or your loyalty program membership are included. You may not get notified of any issues unless you're a loyalty program member. Be proactive and get your own identity protection in place.

Lee Neely

The increasing frequency of successful ransomware attacks suggest that many enterprises are relying on mitigation, to include paying the extortion. When doing so, one's business continuity plan should include hot backups. Keep in mind that these are difficult to implement and test. Consider that prevention may be more efficient.

William Hugh Murray

Fundamentally, the beef is that there is no control over spyware use, in this case they are using the use case of the Predator spyware, which appears to be readily available to anyone who wants it. It's a similar argument to making a tool that only a certain group (e.g., law enforcement) will have access to, which turns out to be available to a much larger group. The best mitigation is to keep devices updated, and leverage settings such as lockdown mode in iOS in high-risk environments, to reduce the attack surface on smartphones and tablets. Develop a cyber hygiene check prior to foreign travel, which may include provisioning secured loaner devices, to keep the bar raised.

Lee Neely

From a policy standpoint I see what Amnesty International is attempting to do, but we must be really careful not to hamstring the teams attempting to model what the adversary is doing. The attack teams still have better tools than we can model. If we can’t model it, we cannot do well to defend against it. This is speaking from someone who worked in the vendor space, you must be able to model the attacks to make sure products can detect and protect.

Moses Frost

There is a market for software vulnerabilities, pure and simple. In this case the marketplace is used by both the private sector and government entities. It’s only logical that now those purveyors, Intellexa in this case, would move to offer surveillance services through an alliance. It really is ‘all about the Benjamins.’

Curtis Dukes

An example of quick-thinking cybercriminals taking advantage of known vulnerabilities in a range of IoT products to add to their botnets. The simple solution is for users to manage their devices, which means routinely downloading and patching as software updates become available.

Curtis Dukes

The researchers enumerated 13 new payloads being used to infect these devices, all of which are part of the IZ1H9 campaign. The attack is aimed at Linux-based network devices, which starts by leveraging a known weakness to deploy a payload which installs a shell script downloader, deleting all logs, then modifying the device iptables to obscure and enable their desired communication. The primary mitigation is to keep devices aggressively updated as well as limit access to their management services. Fortinet has provided IOCs you may wish to leverage.

Lee Neely

Often when we talk about supply chain attacks, we think solely in the areas of IT and cyber. However, this is a good example of how a cyberattack can potentially impact on the non-IT aspects of your business. Now is a good time to examine your business continuity planning in the event one or more of your key suppliers suffer a cyberattack and cannot deliver their supplies to your organization.

Brian Honan

It's likely this attack was designed to disrupt supply chains, resulting in reputation and financial damage rather than access company secrets. Even so, Volex's response plan minimized impact to operations and their customers as well as nominalizing the financial impact. Make sure you've addressed reputational and financial impact in your BC/DR planning.

Lee Neely

The maintainers of curl are keeping details of high security vulnerability close; unless you have a support contract and good reason, you're not going to get the details on CVE-2023-38545 before 10/11 other than it's bad and affects multiple prior versions of curl. Note that they are working with the Linux distribution lists to get patches prepared. Be proactive and scan your systems to get ready for deployment of the updated curl/libcurl.

Lee Neely

I have no idea what is going to come out with this curl vulnerability. The maintainer of the project has been consistently sounding the alarm that this one will be bad. cURL is used everywhere including in IoT devices. This has the potential to be a very long lasting and nasty bug. Brace yourselves. winter is coming.

Moses Frost