SANS NewsBites

Europol is Investigating Alleged Breach of Law Enforcement Info Sharing Portal; Does the KEV Reduce Time to Patch in the Private Sector?

May 14, 2024  |  Volume XXVI - Issue #38

Top of the News


2024-05-13

Europol is Investigating Alleged Breach of Law Enforcement Info Sharing Portal

Europol is investigating a threat actor's claims that they stole data from the Europol Platform for Experts (EPE), a collaborative platform on which law enforcement shares best practices and other information. EPE has been offline since Friday, May 10. A Europol spokesperson has told multiple news sites that they are aware of the incident and [are] assessing the situation.

Editor's Note

The attacker seems to have accessed a test environment using their Zscaler proxy to access production data. With efforts tied to ZTA such as Zscaler facilitating access to internal systems, it's more important than ever to make sure that you have the same bar on access control, particularly authentication, to your non-production environments. While we could argue that dummy data should be used outside production, there are valid use cases for real data in acceptance testing or other activities, so it makes sense to implement the same security on all platforms for such use cases.

Lee Neely

2024-05-07

Does the KEV Reduce Time to Patch in the Private Sector?

A report from Bitsight examines the effect the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog has had on the speed of vulnerability remediation, both at Federal Civilian Executive Branch (FCEB) agencies and at private sector organizations. The report says that KEV-listed vulnerabilities are patched within an average of 175 days (around six months), while vulnerabilities not in the catalog are patched within an average of 621 days (one year, eight months).

Editor's Note

While agencies struggle to meet the KEV timelines (on average only 40% are able to do so), the overall health of agency networks is improved as a result of the KEV, which is what is intended. It also provides insight into vulnerabilities being actively exploited, making it a valuable metric when assessing risk/prioritizing updates/fixes. Note that to be listed in the KEV, there has to be a remediation, evidence of exploitation and a CVE number. The 175-day average, even caveated that more severe issues are resolved more quickly, is still an opportunity to improve. As more access paths are made available, through efforts like Zero Trust, the list of what you include in your Internet Accessible systems needs to be adjusted along with the risk ratings relating to patching.

Lee Neely

Good to see that publicity around exploited vulnerabilities does reduce time to patch, bad to see the 175 day average for patching. Also disappointing to see Federal agencies lagging industry in time to patch, since Federal agencies are the only ones subject to the CISA deadlines. Basically, use this and KEV announcements to drive at monthly server patching vs. twice per year.

John Pescatore

While I applaud CISA for their efforts in creating and managing the KEV catalog, I'm not sure I will call this a success story. I mean, it still takes upwards of six months to patch for known active exploits. In legal terms that demonstrates a failure of the reasonableness standard, should an organization fall victim to attack.

Curtis Dukes

One infers that patching of vulnerabilities on the list does receive priority. However, that the vulnerabilities remain exploitable, and presumably exploited, often for months is troubling. One hopes that the most sensitive systems and applications are the earliest patched (but hope is not a strategy).

William Hugh Murray

The Rest of the Week's News


2024-05-13

MITRE EMB3D Framework

MITRE's EMB3D threat-modeling framework for embedded devices in critical infrastructure has been officially released. The version released in December 2023 included device properties and threat enumerations; the new version includes mitigations. The EMB3D Threat Model is a collaboration between MITRE, Niyo Little Thunder Pearson, Red Balloon Security, and Narf Industries.


2024-05-13

Kaspersky: Seven Vulnerabilities in Telit Cinterion Modems

Researchers at Kaspersky ICS CERT are warning of multiple vulnerabilities in Telit Cinterion cellular modems. Exploitation of the flaws could lead to information leaks, privilege elevation, sandbox escape, arbitrary code execution, and unauthorized access to files and directories. Kaspersky initially detected the vulnerabilities more than a year ago, notified Cinterion in February 2023, and published advisories in November 2023. In this month's report, Evgeny Goncharov, head of Kaspersky ICS CERT, notes that since the modems are typically integrated matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging.

Editor's Note

This has the potential to be a serious problem as cellular modems are used in a variety of critical infrastructure sectors. That said, the attacker must first determine which end products are vulnerable and how to monetize. In the meantime, follow the straightforward mitigation advice to disable SMS and use private APNs.

Curtis Dukes

2024-05-13

Malicious Python Package Taken Down

Researchers at Phylum have detected a malicious Python package masquerading as a fork of the requests package. The package, requests-darwin-lite, contained a backdoor hidden in a PNG file. The package was downloaded more than 400 times before it was taken down.

Editor's Note

This malicious package was interesting and different from prior incidents like this. The malicious package targeted one particular Mac. It checked the unique ID of the system before executing the malicious code. The malicious code itself was included in an image file delivered with the package, and written in Go, not Python. This may have been more a "test" to verify if the technique is viable, or maybe part of a penetration test and the specific system ID was used to avoid collateral damage.

Johannes Ullrich

This exploit targets Macs. The exploit is a Golang library hidden in a 13Mb logo file (originally 300Kb). All versions of "requests-darwin-lite" were immediately removed after being reported by the Phylum team. If you're using the requests PyPI package, make sure that you don't have copies of the bogus package, irrespective of the platform.

Lee Neely

2024-05-10

Google Fixes Another Chrome Zero-day

Google has updated their Chrome browser to address a high-severity use-after-free vulnerability. The browser's Stable channel has been updated to 124.0.6367.201/.202 for Mac and Windows and 124.0.6367.201 for Linux. Google is aware that there is an exploit for the flaw available in the wild. This is the fifth zero-day vulnerability Google has patched in Chrome so far this calendar year.

Editor's Note

Google is well ahead of last year in the number of Chrome zero-day vulnerabilities reported. It's indicative of its large install base which makes Chrome vulnerabilities highly valuable in the exploit marketplace. Bottom line: get into a regular cadence of closing and restarting the browser to apply the updates automatically.

Curtis Dukes

As my boss Matt would say, "We've seen this movie before." You already have processes to make sure the end-users have the update, and have set limits on how long they can ignore the restart prompt. Just verify that it's done; hopefully you don't have to force/kill too many running browsers.

Lee Neely

2024-05-13

CISA Publishes Black Basta TTPs in Wake of Ascension Breach

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have published a joint cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs) used by the ransomware group believed to be responsible for the attack on the Ascension healthcare organization last week. As of Monday, May 13, Ascension says they are making progress on restoring systems, but note that a full return to normal operations will take time. The Ascension Cybersecurity Event Update page provides links for each state affected by the breach.

Editor's Note

Their primary entry still relies on phishing and externally-facing vulnerable apps. You know this dance: make sure you're equipping your users with both training and technical tools, and keep an eye on externally-facing apps, insisting they remain current. Find that compromise between business impact and newspaper headline.

Lee Neely

While the advisory is helpful and is specific to Black Basta TTPs, the security mitigations are essentially the same for most ransomware attacks. They are: 1) patch as soon as software vendors update their products; 2) configure to a known security benchmark; 3) employ multi-factor authentication (MFA) on all internet-facing accounts; and 4) implement a data recovery plan. Each of these is a tried and true security control that works.

Curtis Dukes

2024-05-13

FBCS Updates Number of Individuals Affected by February Breach

Financial Business and Consumer Solutions (FBCS), a Pennsylvania-based debt collection agency, has updated the breach report they submitted to the Maine Attorney General's office (AGO). FBCS has identified an additional 724,000 individuals affected by the breach that occurred earlier this year, bringing the total of affected individuals to 2.68 million. The notification letters FBCS sent to affected people say that the compromised data include Social Security numbers and account information. FBCS informed the Maine AGO that driver's license and identification card numbers may also have been compromised.

Editor's Note

FBCS continues to notify affected users. Even so, don't wait to see if you're in scope. You should already be getting notifications from your credit monitoring/ID protection service about breaches such as this. Make sure you're following up to see if you are included. This is an area we all need to be proactive for both ourselves and for our family members who are not as well-versed in what's at stake.

Lee Neely

As is often the case, the number of impacted individuals goes up as incident analysis completes. What's important is to download your credit report on a quarterly basis to look for signs of identity theft, or, if you're one of the impacted individuals, use the free credit monitoring service offered.

Curtis Dukes

2024-05-13

Helsinki is Investigating Breach of Education Division Servers

The City of Helsinki, Finland, is investigating a breach of databases at their Education Division. The investigation is being conducted in cooperation with third-party experts. The city became aware of the breach on April 30 and on May 13, they held a press conference about the investigation's progress. The threat actor gained initial access through a vulnerability in a remote access server. Helsinki's Chief Digital Officer Hannu Heikkinen said that the intruder(s) accessed student and personnel usernames and email addresses; usernames and email addresses of all city personnel; personal IDs and addresses of students, guardians and personnel from the Education Division; and content on network drives belonging to the Education Division.


2024-05-13

Christie's Auction House Suffers Cybersecurity Incident

Late last week, the Christie's auction house website was taken offline following what Christie's called a technology security issue. As of Monday, May 13, the website remains unavailable, at the start of a week of significant art auctions. Christie's plans to proceed with the auctions; bidding will be conducted live and by phone, but not online.

Internet Storm Center Tech Corner

Apple Updates Everything

https://isc.sans.edu/diary/Apple+Patches+Everything+macOS+iOS+iPadOS+watchOS+tvOS+updated/30916

DNS Suffixes on Windows

https://isc.sans.edu/diary/DNS+Suffixes+on+Windows/30912

Juniper OpenSSH Update

https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Junos-OS-and-Junos-OS-Evolved-Multiple-CVEs-reported-in-OpenSSH?language=en_US

Malicious Go Binary Delivered via Steganography in PyPi

https://blog.phylum.io/malicious-go-binary-delivered-via-steganography-in-pypi/

Black Basta Ransomware Advisory

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a

Possible Exploitation of Arcserve Unified Data Protection Vuln

https://digital.nhs.uk/cyber-alerts/2024/cc-4487

Chrome Patches 0-Day

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html

SolarWinds ARM Vulnerabilities

https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm