Denmark's Critical Infrastructure Targeted; Australian Ports Knocked Out in Cyberattack

Note the use of two Zyxel firewall vulnerabilities in these attacks. Before you move on to the next comment/story: Add a recurring monthly reminder to your calendar to check if your firewall/perimeter device firmware is up to date. It is notoriously difficult to be notified of available updates for these devices (not just Zyxel) and usually requires some manual care. Of course: If you do not want to be the script, write one to monitor for updates.

Johannes Ullrich

The SektorCERT report shows that security was not considered to be a critical part of Denmark’s critical infrastructure. Lack of knowledge that Zyxel was even in use, or that firewall software needed regular updates, ignoring repeated warnings between patch availability and before attacks all indicate a systemic problem. Good case study for all nations to proactively fix similar problems and a good “essential security hygiene” checklist to use with all critical service providers to your own organization.

John Pescatore

Several lessons here. First, know what you have, get a good inventory, particularly of your boundary control devices. Second, don't assume devices are up-to-date, even if new: assume firmware updates were released after the unit was produced and always include updates as part of the provisioning processes. Third, paying for the needed contract (software, hardware, or labor) so updates can be installed, is cheaper than the breach recovery. Fourth, make sure you're monitoring for and responding to incidents 24x7, don't assume you have to do all that yourself in-house, there are external resources and services you can leverage.

Lee Neely

A lot to unpack in this report. First, it appears to have been a series of targeted attacks, which often speaks to nation state involvement. Second, vulnerabilities that were not patched, which highlights an ineffective patch management process. Third, misunderstanding of the service level agreement between vendor and operators when it comes to maintenance of the Zyxel firewalls. Fourth, and unfortunately all too common, organizations not having complete knowledge of devices operating on their network. The lesson learned is that every organization has to have a relentless focus on cybersecurity basics, what we call essential cyber hygiene.

Curtis Dukes

DP World was able to contain the attacks to their Australian components. They have roughly 10% of the shipping worldwide and operate 82 inland and marine terminals in 40 countries. Further, they executed their response plan, bringing things back online in three days. While the investigation is not completed, they are bringing services online, indicating someone had addressed the risk of further compromise versus mission execution. Make sure to include that decision process in your planning. Beyond walkthroughs, make sure you schedule exercises for staff to practice their recovery techniques.

Lee Neely

While not yet declared a ransomware attack, it has all the hallmarks of an attack by cyber criminals often associated with ransomware gangs. The attack on DP World, and several others over the last few months highlight the increasing impact to business operations, which translates to lost revenue. The next set of questions by regulators will be whether the organization exhibited a ‘standard of reasonableness’ in defending itself.

Curtis Dukes

The population of Maine, as of 2020, was 1.3 million, meaning it's safe to assume that if you are a resident you're impacted. The state is providing two years of credit monitoring to those directly impacted, and has setup hotlines, discount codes and access processes to facilitate service activation. The only concerning thing is that it took them five months to finish the analysis to disclose the breach. That is a long time for your customer or employee data to be unknowingly released. The state notes they took the needed steps from Progress Software to secure MOVEit, but don't indicate what they are doing to replace it. If you're still using MOVEit, you really need to consider moving to an alternate solution PDQ. It will remain a target.

Lee Neely

Herein lies the conundrum: how much data should an organization maintain and what are their responsibilities to protect it? In this case, the State of Maine, provides digital services to its citizens and much of the data collected is for that purpose. The question now comes down to whether their measures to protect the data were reasonable, given the sophistication of the attack.

Curtis Dukes

According to ConnectWise, the vendor of ScreenConnect, the attacker gained access via an on-prem instance which hadn't been updated since 2019. The point here is that all remote access tools, not just RDP, are targets, and they need to be configured to, at a minimum, vendor best practices, and kept updated. Don't expose any remote desktop or management interfaces to the Internet: require they be accessed via a VPN. And really assess that emergency access, you know the one - so the on-call person can respond without driving in when things break noting it can and will be leveraged by your attackers who also not want to drive in.

Lee Neely

Speed limit signs “encourage” safe driving. Speed cameras and speed traps enforce safe driving laws. We have many years of experience that we have plenty of US government “encouragement” and not enough enforcement of existing mechanisms (let alone new ones) for making lack of due diligence in cybersecurity look as risky to CEOs and boards as lack of financial due diligence.

John Pescatore

It's easier to implement added protections when you're not busy fighting fires, which is why the recommendation is to get things in place today before they are needed. CISA has supporting services to help review and assess your resiliency as well as help with tabletop campaign. Leverage their process to assess your resiliency today and identify gaps as well as prioritize fixes, so you're ready to respond when the call comes for budget items.

Lee Neely

Far too often it’s a known vulnerability for which a patch exists, that is the leading cause of compromise. Mandating a minimum cybersecurity baseline that all critical infrastructure providers have to adhere to, would go a long way to ‘strengthening resilience.’ A good starting point would be the CIS Critical Security Controls, Implementation Group 1.

Curtis Dukes

The prevalence and persistence of ransomware attacks suggests the need for hot (or at least warm) backups.

William Hugh Murray

While you're focused on SCRM, and your SBOM, make sure you have a complete inventory of software you need to check first. If you're not keeping that current and those items updated, you may want to get your arms around those processes before you start looking at their corresponding SBOMs. When you do start considering SBOMs, focus on areas where you're leveraging open-source software.

Lee Neely

SBOM is a solid initiative, but a pre-requisite is accurate software inventory. SBOM for Zyxel firewall software was of no help to those Danish critical infrastructure providers who didn’t even know they were using Zyxel software.

John Pescatore

This is a step in the direction of holding suppliers accountable for distributing malicious code.

William Hugh Murray

The variable manipulation flaws, CVE-2023-36844, CVE-2023-36845 and CVE-2023-36846 have CVSS scores of 5.3, 9.8 and 5.3 respectively. The missing authentication flaws, CVE-2023-36847 and CVE-2023-36851 have CVSS scores of 5.3. All five have a due date of November 17th in the KEV catalog. Beyond expeditiously updating to the latest JunOS release, restrict access to or disable your J-Web interface immediately. Adversaries are going to be scanning for the J-Web interface, patched or otherwise, to see what they can do.

Lee Neely

The AlphaV/BlackCat ransomware gang is taking credit for the breach and threatening to auction off the data if not paid. Given that McLaren engaged help back in August, it's safe to assume they already have decided how to respond to this threat, and are currently holding their cards close. If you're a member or employee, rather than worrying about what specific data was or was not breached, or if it's going to be auctioned, make sure you're set with credit monitoring and identity restoration services.

Lee Neely

The compromise of health insurance numbers and social security numbers will likely result in healthcare fraud. The lesson for the rest of us is that the most important role of social security numbers is to break collisions among other identifiers (e.g. name and address.) This can be done with the last four or five digits of the number and does not require the risk associated with storing the whole number.

William Hugh Murray

Notice that the city is committing to updates at 2PM daily to keep residents informed, and already shared to expect the disruption to last a week, what actions are underway, as well as clarifying which services were online/unaffected, and who to contact. Those actions should help reduce the interrupt level to allow those responding to the incident to execute rather than having to (repeatedly) stop and explain things.

Lee Neely

ICBC is China's largest bank, and largest commercial bank in the world based on revenue. As they cannot connect to DTCC/NSCC they are unable to clear transactions, which is having impacts on US Treasury trades, which is why they are sending messengers to manually do so. Additionally, some other actions are being taken to prevent other types of transactions, which cannot be cleared, from being initiated while the bank recovers. The attackers appear to have leveraged Citrix Bleed to own the bank's unpatched Citrix server. To abuse an old story - but for a patch, the battle was lost. Beyond keeping things patched and secured, be aware of downstream impacts of isolating systems which conduct external transactions, incorporate actions business partners may take to protect themselves from your outage and how to recover from those steps.

Lee Neely

Undoubtedly, this event will increase the clarion call for a prohibition on ransomware payouts as it impacted global financial services. Just for the record, I don’t support paying ransomware gangs. That said, it’s usually a bit more complicated for ransomware victims. They often have to weigh the impact to their business operations, their ability to quickly recover from the attack, and, requirements of their cyber insurance provider, in deciding whether to pay or not.

Curtis Dukes