Ukraine Sheds More Light on Sandworm; SolarWinds Disputes SEC Findings; SysAid is the Next MoveIT

This is where your legal team will earn their retainer. And they need support from you to succeed. Without taking sides in the SolarWinds lawsuit, there are some lessons here we can leverage. Finalize and review assessment documents. Address deficiencies and document actions taken. Make sure that you're fully following your security standards, including documenting any risk acceptance or deviations. Have frank conversations with your internal auditors, remember they work for you, follow their guidance, or document why not and have management sign off either way.

Lee Neely

And, so, the legal posturing begins. Ultimately, it is the CEO who bears responsibility for informing investors on the state (including cybersecurity) of the company. There is also a fine line in how material cybersecurity deficiencies are discussed with investors absent an actual attack. Too much information can provide a roadmap for the attacker. Too little, well, then you might get sued by the government.

Curtis Dukes

This lawsuit is not so much about SolarWinds security posture as it is about misleading customers and investors. That said, their security posture notwithstanding, they did ship malicious code to their customers for which they have not been held accountable. This may well be the single most expensive security failure ever, with the cost borne not by the failing party but by its customers.

William Hugh Murray

Malware that lives off the land in an OT attack, which seems to have been developed in 1-2 months is a peek at how Sandworm's cyber capabilities have evolved. Note they also deployed CADDYWIPER via GPO from a domain controller using the TANKTRAP PowerShell script, (also used for NEARMISS, SDELETE and PARTYTICKET), on the IT systems to distract from the attack on the OT systems. The mitigations remain the same. Focus on securing the attack vector and detection/monitoring. Have the hard discussion about exactly which entry points are exposed and needed. While many OT components don't have security updates, there are other components which do, such as hypervisors, firewalls, routers and monitoring components, that need to be considered. Have an in-depth conversation on how to keep them updated without unacceptable impact to operational objectives.

Lee Neely

Two points stand out in the Mandiant report. First, the attacker applied ‘living off the land’ tactics to compromise the OT environment. We’ve seen this tactic used in information technology (IT) environments but, perhaps this is the first time used against OT. Second, the attacker, exploited the physical connection of the two environments, IT and OT, to enable the attack. Yes, there are legitimate business reasons for connecting the two environments, but that just means you had better understand the security consequences and protect accordingly.

Curtis Dukes

Novel attack or otherwise, the risk of mis-operation of critical infrastructure in time of armed conflict should not surprise anyone. What may be concerning in the Mandiant report is the increasing maturity of the Russian attackers.

William Hugh Murray

CVE-2023-47246, a path traversal flaw, doesn't have a published score; attackers leverage the flaw to upload a WAR file containing a WebShell and other payloads to the root of your SysAid Tomcat server. The threat actors appear to be the same group which exploited the MOVEit flaw, the clop ransomware gang. SysAid urges taking action, Rapid 7 takes it a step further suggesting applying the update on an emergency basis. Patched or otherwise, use caution with SysAid instances exposed to the Internet as they are being targeted, and discoverable with Shodan.

Lee Neely

For these packages, both the setup.py and init.py scripts include the scripts, used during package installation, which receives and executes code from an external source. The primary fix is to make sure that you properly vet all your included packages. Leverage services from Git, Google, your CI/CD tools and others as a force multiplier here.

Lee Neely

This malware highlights the fragile nature of open-source software libraries. If done correctly, malware introduced in the supply chain can have disastrous consequences for developers across a large number of vendors. This malware demonstrated that level of skill. What’s baffling though is that the consequence is about the least possible thing that could happen. Strange.

Curtis Dukes

We're all aware of the seemingly perpetual list of WP vulnerabilities, particularly in the myriad of plugins. Wordfence (aka Defiant Inc) is working to raise the security bar with this program. To participate, register with the Wordfence bug bounty program, carefully read the conditions, paying particular attention to what is and is not in scope. If you've previously submitted vulnerabilities, they can be associated with your account to increase your status/ranking. Note that bounties are not paid for out-of-scope vulnerabilities, and while each submission is checked, you're encouraged to limit out-of-scope submissions as there are limits on how many of your reports will be checked.

Lee Neely

Kudos to Wordfence for implementing such a program. As we’ve discussed in previous SANS NewsBites, WordPress plugins are the security weak link. Bug bounty programs are an efficient way to ferret out vulnerabilities before they can cause harm. It’s proven highly successful in large organizations such as the US Department of Defense.

Curtis Dukes

This breach, and a recent breach of plastic surgeons shows that HIPAA is missing the teeth to prevent these breaches. HIPAA may have a lot of reasonable rules to help clinics protect this data, but without per-breach enforcement and independent auditing, the rules are meaningless.

Johannes Ullrich

US Radiology is a private service provider for partner companies. At core, they failed to quickly update their firewall to provide adequate protections to both their and partner connected networks as well as failing to upgrade other systems in a timely fashion. In addition to the fine, they are also required to update their IT infrastructure, properly secure their network and update data protection policies. Meaning they need to incur both the cost of the deferred actions and the penalty as well as any costs associated with the ransomware incident. While it may be easy to defer updates to systems and security practices, consider this scenario, then work to prioritize needed improvements, to include scheduling out-year activities so they are not lost. Make sure that any interconnected networks, such as one to a service provider, are properly constrained and have monitoring you're watching. Think trust but verify.

Lee Neely

The State of New York, both the OAG and the DFS, have been on a tear this year in fining companies for inadequate cybersecurity practices. Per the OAG, US Radiology Specialists, did not demonstrate a standard of reasonableness in implementing its cybersecurity program. In addition to the fine the OAG also required adoption of data security practices. A good starting point for any organization implementing security practices is the CIS Critical Security Controls, Implementation Group 1.

Curtis Dukes

Regulators have been punishing victims for a generation now with no measurable effect on security.

William Hugh Murray

Another protocol that should never have been exposed to the public internet. But if it can be exposed: It will be exposed.

Johannes Ullrich

CVE-2023-29552, CVSS Score of 7.5, allows an unauthenticated remote hacker to register arbitrary service, which then is used to conduct an amplified DDoS attack leveraging spoofed UDP traffic. You can apply your vendor specific mitigations or disable the SLP (RFC 2608) service on UDP port 427. Vulnerable systems share the characteristic of being old and not otherwise using the service. Odds are this is an old service you're not using and can simply block/disable.

Lee Neely

The comment period goes through January 12, 2024. While CUI has been on the books for a while, not all agencies have transitioned until recently. The comments have highlighted a need to streamline and simplify CUI guidance in 800-171. CUI is more complicated than prior guidance relating to sensitive unclassified information, allowing for more fine-grained categorization and identification of needed controls. As such don't try to figure that out on your own. If you're going to be processing/handling or generating CUI, work with your federal contacts to learn exactly which categories of CUI they are using and how they expect them to be marked and protected, as they have already developed guidance and training for their users.

Lee Neely

If you are using trackers on your web site, make sure that you are fully aware of the data they have access to and where that is sent/used. Document this and make sure the risk is accepted. If you are not actively using them and the related services, take them off.

Lee Neely

Verify that your DDoS protections include layer 7 defenses as well as make sure that you don't already own services (in house or otherwise) you haven't leveraged to keep the bar on this sort of attack.

Lee Neely

2023 has seen a dramatic increase in DDoS attacks. Threat intelligence generally attributes the uptick in DDoS attacks to the military conflict in Ukraine. Organizations should review their SLAs with their upstream provider to limit the effect of DDoS attacks.

Curtis Dukes