SANS NewsBites

FCC Proposes Rules for Internet Routing Security Reporting; Zyxel Patches Critical Flaws in EoL NAS Devices; Threat Actors Exploit Old Vulnerabilities in ThinkPHP Apps

June 7, 2024  |  Volume XXVI - Issue #44

Top of the News


2024-06-06

FCC Proposes Internet Routing Security Reporting Rules for ISPs

The US Federal Communications Commission (FCC) has published a notice of proposed rulemaking regarding Internet routing security reporting requirements for Internet service providers (ISPs). The FCC wants to ensure that ISPs are taking steps to protect their networks from Border Gateway Protocol (BGP) vulnerabilities. The FCC is accepting public comment on the proposed rules.

Editor's Note

This move comes at the right time. For the most part, large ISPs are already implementing RPKI. As of earlier this year, the number of protected prefixes exceeds the number of unprotected ones. This will hopefully get the stragglers on board.

Johannes Ullrich

First comes the plan then comes the implementation. ISPs have known that BGP is vulnerable to attack and has been for decades. This future requirement shouldn’t come as a surprise to any of them.

Curtis Dukes

The FCC is working to hold ISPs' feet to the fire implementing BGP security measures, specifically Resource Public Key Infrastructure (RPKI). In effect, signed changes/updates to BGP information. They want to have the ISPs provide a confidential (detailed) report on their plans to improve BGP security, and the nine largest ISPs will be held to a higher bar for delivery. However, if they meet the desired security threshold, they will not need to file subsequent detailed plans.

Lee Neely
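
The notes above refer to RPKI as the BGP security measure at issue. As an added illustration that is not part of the newsletter, the following implements route origin validation as defined in RFC 6811: each announced prefix and origin AS is compared against the set of validated ROAs and classified as Valid, Invalid or NotFound, and a router policy then rejects Invalid routes. The ROAs, prefixes and AS numbers are constructed from documentation ranges and private ASNs, not real routing data.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of ROAs."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: prefix, maxLength and the authorized origin ASN (0 = none)."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside [prefix length, address length]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {prefix}")
    return ROA(net, max_length, asn)


def validate_origin(announced: str, origin_asn: int, roas: list[ROA]) -> str:
    """Return the RFC 6811 state of a route: 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(announced, strict=False)
    # Only ROAs of the same address family can cover the announced prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"  # no ROA says anything about this prefix
    for r in covering:
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "Valid"
    # Covered, but wrong origin AS, more specific than maxLength, or an AS0 ROA.
    return "Invalid"


# Constructed ROAs (documentation prefixes, private ASNs); not real RPKI data.
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("2001:db8::/32", 48, 64496),
    make_roa("198.51.100.0/24", 24, 0),  # AS0 ROA: nobody may originate this space
]


def filter_updates(updates: list[tuple[str, int]], roas: list[ROA] = ROAS):
    """Common 'reject Invalid' policy; NotFound routes are still accepted."""
    accepted, rejected = [], []
    for prefix, asn in updates:
        state = validate_origin(prefix, asn, roas)
        (rejected if state == "Invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected
```

Calling filter_updates on a list of (prefix, origin ASN) pairs returns the accepted routes with their state and the rejected ones, so a hijacked origin or an over-specific announcement shows up in the rejected list.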

2024-06-06

Zyxel Releases Fixes for Critical Firmware Flaws in EoL NAS Devices

Zyxel has released updates to address three critical vulnerabilities in firmware for two unsupported network-attached storage (NAS) devices, NAS326 and NAS542. The researcher who discovered the vulnerabilities found five in all; Zyxel decided three of the flaws were critical enough to merit patches despite the devices having reached end-of-life (EoL). Patches are available to customers with extended support. The two vulnerabilities that Zyxel declined to address are medium-severity privilege elevation flaws.

Editor's Note

Nice to have patches available even after the product is officially EoL. Too often we end up with no longer supported devices. I just looked at some EoL policies for different vendors, and around four years appears to be standard. How many devices in your network are older?

Johannes Ullrich

CVE-2024-29972, backdoor account, CVE-2024-29973, Python code injection, and CVE-2024-29974, RCE/persistence flaw, all have CVSS scores of 9.8. CVE-2024-29972, the "NsaRescueAngel" backdoor/remote support root account, was supposed to be resolved in 2020 but remains. The patches are only available if you have extended support; apply the patches expeditiously. Regardless of support, take steps to replace these devices; they were EOL December 31, 2023. Make sure the old devices are retired/recycled so they don't re-appear on your radar at a time when issues won't be addressed.

Lee Neely

2024-06-06

Akamai: Threat Actors Exploiting Old, Known Vulnerabilities in ThinkPHP Apps

Researchers at Akamai have observed a campaign targeting known vulnerabilities in ThinkPHP applications. The campaign began as far back as October 2023; the vulnerabilities have been known, and patches have been available, since late 2018 (CVE-2018-20062) and early 2019 (CVE-2019-9082).

Editor's Note

ThinkPHP has been one of the most actively exploited web apps for years. Must have been a slow news day for this to get picked up. I would be very surprised to find a vulnerable ThinkPHP install in the wild that is not already exploited multiple times.

Johannes Ullrich

There were initially two major releases of ThinkPHP, an object-oriented lightweight PHP development framework, versions 3 and 5, licensed under Apache 2 Open Source. CVE-2018-20062 affects ThinkPHP versions prior to 5.0.23, and CVE-2019-9082 impacts ThinkPHP prior to version 3.2.4. Make sure you're using the latest release and investigate moving to ThinkPHP 6.0/6.1, which use PHP 7 strong typing (strict mode) and are compatible with PHP 8.1.

Lee Neely

This announcement serves as a good reminder that vulnerabilities that are known to work are a good first bet for evildoers to try. Evildoers are using them because they’re still working. The bigger question is why organizations fail to patch. That answer can be a bit more complicated, but the requirement is, if you don’t patch, you regularly review the risk of not doing so.

Curtis Dukes

The Rest of the Week's News


2024-06-06

FCC Funds Program to Improve Library and School Cybersecurity

The US Federal Communications Commission (FCC) has adopted a three-year, $200 million Schools and Libraries Cybersecurity Pilot Program. The goal of the program is to gather information to help the FCC understand what services and equipment will best serve schools and libraries in addressing cyberthreats.

Editor's Note

The FCC should include program implementation guidance with the release of these funds. For example, a must is completion of a standardized cybersecurity assessment. This creates the sort of data that will prove valuable in identifying specific products and services to implement essential cyber hygiene.

Curtis Dukes

Understanding what services and equipment best serve schools includes deployments at schools. In other words, the pilot program will provide financial support to schools and libraries seeking to reduce the burden of maintaining/implementing cybersecurity services and equipment. This program is part of FCC Chairwoman Jessica Rosenworcel's Learn Without Limits initiative, which includes ensuring connectivity in schools and libraries, Wi-Fi on school buses, as well as E-Rate support for libraries and tribal communities.

Lee Neely

We don’t fund our public schools very well, and the staff’s salary is not what it should be. I’ve known some IT people at these county schools, and their staffing levels are some of the smallest. Any amount of help is appreciated.

Moses Frost

2024-06-06

Microsoft Announces Deprecation Schedule for NTLM

On Monday, June 3, Microsoft announced that “all versions of NTLM ... are no longer under active feature development and are deprecated.” NTLM (NT LAN Manager) will continue to work in the next release of Windows Server and the next annual release of Windows. NTLM debuted in Windows NT 3.1 in 1993.

Editor's Note

Welcome and long overdue news from the Microsofties. Granted admins still have some time to make the transition fully to Kerberos or another authentication protocol. That said, no time like the present to inventory NTLM usage and start planning for its eventual deprecation.

Curtis Dukes

Yeah, I thought NTLM (LANMAN, NTLMv1 and NTLMv2) were long gone, and the April 2024 security update broke it for some as a reminder it's still around. (This was resolved in the May 14 update.) Calls to NTLM should be replaced with calls to Negotiate, which uses Kerberos, falling back to NTLM only when necessary. If you've not already cataloged your use of NTLM, do so, then take active steps to phase it out.

Lee Neely

2024-06-06

Ransomware Attack on Pathology Services Provider Affects London Hospitals

A ransomware attack targeting pathology services provider Synnovis in London, UK, is disrupting the ability of seven NHS Trust hospitals there to deliver services, including blood transfusions. The affected hospitals have cancelled non-emergent surgeries and sent patients home to wait for a new appointment. In some cases, patients have been redirected to other, unaffected facilities.

Editor's Note

The hospitals have disconnected from Synnovis IT systems while the incident is resolved. Synnovis is not yet sharing an ETA for service restoration, and it's being noted that the recent Synlab Italia incident, even though not directly connected, took a month to restore services. Take a note here: where you're not sharing your targets of service restoration, connections will be made to other incidents to extract and publish a timeline by others. You've set recovery time objectives; if you're not comfortable stating these, you need to rehearse and revise your plans until you are.

Lee Neely

The key statement from Synnovis is “…This is a harsh reminder that this sort of attack can happen to anyone at any time…” Heed Synnovis’ advice and review your credential, configuration, and patch management processes on a regular basis. Where possible, enable MFA. Configure your devices to a known benchmark standard. And, ideally, patch high severity vulnerabilities within 24 hours of patch release.

Curtis Dukes

2024-06-06

Seven-Year-Old Oracle WebLogic Server Flaw is Being Actively Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a seven-year-old vulnerability in Oracle’s WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog. The operating system command injection flaw (CVE-2017-3506) could be exploited to take control of vulnerable servers.

Editor's Note

CVE-2017-3506, command injection flaw, CVSS score 7.4, along with CVE-2023-21839, have been weaponized by the China-based 8220 Gang (aka Water Sigbin) to launch a fileless, in-memory cryptocurrency miner via a heavily obfuscated PowerShell script. This affects Oracle Fusion Middleware versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2, and while difficult to exploit, an unauthenticated hacker with access via HTTP is all that is required. Workarounds include limiting network access or disabling packages, which will likely break application functionality; the best fix is to apply the CPU. The NIST KEV has a due date of June 24th to apply the update or workaround.

Lee Neely

2024-06-06

FBI Has Thousands of LockBit Decryption Keys

FBI Cyber Division Assistant Director Bryan Vorndran told attendees at the 2024 Boston Conference on Cyber Security earlier this week that the agency now has more than 7,000 LockBit ransomware decryption keys. The FBI is reaching out to known LockBit victims; others who suspect they are LockBit victims are urged to visit the FBI’s Internet Crime Complaint Center (ic3.gov).

Editor's Note

If you were hit by LockBit and don't have the key, reach out to the FBI to see if you can get a decryption key; it's not going to cost you anything. Note that LockBit is still active, albeit operating on new servers due to the recent takedown. The U.S. State Department is now offering $10 million for information that leads to LockBit leadership arrest or conviction, and an extra $5 million for tips leading to arrest of LockBit affiliates.

Lee Neely

2024-06-06

Cisco Webex Meetings Security Advisory

Cisco has published a security advisory regarding vulnerabilities in their Webex Meetings software. An insecure direct object reference (IDOR) vulnerability could give attackers access to internal Webex meetings by simply changing numbers in a link. The flaws appear to have been exploited to snoop on German government Webex meetings to expose meeting information and metadata, including meeting topics and participants. Cisco has addressed the issues “and a fix has been implemented worldwide as of May 28, 2024.”

Editor's Note

This was a server-side fix. As a customer, you have no action to take. Cisco is notifying customers who had observable attempts to access meeting information and metadata, and reports no further (successful) attempts to access this data via the bugs.

Lee Neely

2024-06-06

Snowflake: Attackers Targeted Inadequately Protected Customer Accounts

Cloud storage provider Snowflake now says that customer accounts protected by single-factor authentication were targeted in attacks bent on stealing sensitive data. Ticketmaster and Santander recently disclosed breaches; both are Snowflake customers. Data that are purported to have been stolen from Advance Auto Parts and Lending Tree, both of which are Snowflake customers, have appeared for sale on the dark web.

Editor's Note

Single-factor authentication has to become a thing of the past. With an ever-increasing number of services and applications available over the Internet, coupled with the human factor of password choices, it's not a risk you can ignore. Where you're using passwords, ensure that you're using password services which include data breach notification to alert users they need to change passwords, and put time limits in. Here is a hard one: where a user has multi-factor authentication enabled, but is using a weak or compromised password, they still need to change that password.

Lee Neely

Internet Storm Center Tech Corner

WatchGuard VPN Bruteforcing

https://isc.sans.edu/diary/Brute+Force+Attacks+Against+Watchguard+VPN+Endpoints/30984

No Defender Yes Defender

https://isc.sans.edu/diary/NoDefender+YesDefender/30980

Malicious Python Script with a "Best Before" Date

https://isc.sans.edu/diary/Malicious+Python+Script+with+a+Best+Before+Date/30988

FBI Obtained 7,000 LockBit Ransomware Keys

https://www.fbi.gov/news/speeches/fbi-cyber-assistant-director-bryan-vorndran-s-remarks-at-the-2024-boston-conference-on-cyber-security

TotalRecall Tool To Extract Data from Microsoft Recall

https://github.com/xaitax/TotalRecall

Apple Guarantees 5 Years of Security Updates

https://www.androidauthority.com/iphone-software-support-commitment-3449135/

FCC Proposes New Rule for Security Routing

https://www.fcc.gov/document/fcc-proposes-internet-routing-security-reporting-requirements

WebEx Flaw

https://www.helpnetsecurity.com/2024/06/05/cisco-webex-cloud-vulnerability/

https://netzbegruenung.de/blog/netzbegruenung-findet-schwachstellen-auch-im-cisco-webex-clouddienst-behoerden-und-unternehmen-in-ganz-europa-betroffen/ (in German)

Fake Job Ads Lead to Stolen Crypto Currency

https://www.ic3.gov/Media/Y2024/PSA240604

Zyxel NAS Vulnerabilities

https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/