SANS NewsBites

US DOJ Indicts Six People in Connection with WhisperGate Malware Campaign; US Kaspersky Customers will be Migrated to UltraAV; AT&T Sues Broadcom Over VMware License Support

September 10, 2024  |  Volume XXVI - Issue #69

Top of the News


2024-09-05

US DOJ Indicts Russian Hackers Behind WhisperGate Campaign

The US Department of Justice has unsealed an indictment against six hackers belonging to a Russian military intelligence unit (GRU 29155) for the 2022 'WhisperGate' malware attacks on Ukrainian and Central European systems. Security services in nine countries have joined with the FBI, CISA, and NSA to issue a security advisory aimed at mitigating risk from similar attacks. Charges include the destruction of both defensive and civilian systems in Ukraine, the exfiltration and sale of Ukrainian civilians' personal information, wire fraud, and 'computer network operations' targeting systems in North America, Latin America, Central Asia, and Europe.

Editor's Note

The bulletin is up-front with mitigations for this type of attack. Keep systems updated, remediate known vulnerabilities, implement (phishing-resistant) MFA for anything internet facing, particularly critical systems, email and VPN. Segment your networks. To which I would add monitoring and alerting. Make sure you can track anomalous behavior, and verify the breach notification agreement with your cloud and outsourced service providers. Make sure you're really on the same page, not just what they are paying lip service to, and address any discrepancies.

Lee Neely

2024-09-06

US Kaspersky Customers Will be Migrated to UltraAV After September 29

Kaspersky has announced that roughly one million antivirus customers in the US will be migrated to Pango Group's UltraAV later this month. The US Commerce Department banned the sale of Kaspersky products as of July 20, 2024. While existing customers were still permitted to use the products, updates for Kaspersky products will not be permitted in the US after September 29.

Editor's Note

If you're a U.S.-based Kaspersky customer, make sure that you're getting these notifications. No, you didn't miss an opportunity to choose the replacement: they made the decision to move you to UltraAV. Kaspersky started winding down their U.S.-based operations in July, laying off these employees. UltraAV offers near parity in features, minus the webcam and online payment protection offered by Kaspersky, and the annual cost will be the same as you were paying for Kaspersky. Pango President and CEO Neill Feather says that customers have little to do here and that the company will be providing instructions as needed via email in the coming weeks.

Lee Neely

An end of an era as Kaspersky was one of the early AV companies. What we're seeing is a bit of tech-nationalism at play here under the guise of national security but then, other countries are doing the same with US technology companies.

Curtis Dukes

2024-09-05

AT&T is Suing Broadcom for Reneging on Contracted VMware License Support

AT&T has filed a lawsuit against Broadcom 'for breach of contract, breach of the implied covenant of good faith and fair dealing, declaratory judgment, and injunctive relief.' Broadcom acquired VMware in November 2023 and announced the following month that they were ending sales of perpetual licenses. The complaint states that Broadcom is 'retroactively chang[ing] existing VMware contracts to match its new corporate strategy.'

Editor's Note

The transition to Broadcom's new licensing model is a big concern for many legacy VMware users. There are few alternatives for enterprises still attempting to maintain a private cloud environment. Many will migrate to public clouds, or they will have to investigate other on-premises options like offerings from Citrix and Proxmox. In many cases the issue is not just the increased cost of licensing but also the uncertainty due to the complex licensing model.

Johannes Ullrich

In the past, movement from one license form to another -- e.g., fixed to subscription pricing -- has been non-optional, and the prospect of pushing back was not viable. While AT&T may be able to modify the renewal process from Broadcom, the need to move to subscription pricing seems here to stay. As such, it's prudent to research your ongoing cost as well as the viability of alternative solutions to include cloud migration, so you can give management an informed, supported recommendation.

Lee Neely

The Rest of the Week's News


2024-09-05

Patch Critical Vulnerabilities in Cisco Smart Licensing Utility

Two vulnerabilities in Cisco's Smart Licensing Utility (CVE-2024-20439 and CVE-2024-20440), both filed with a CVSS score of 9.8, would respectively allow unauthenticated remote login and exposure of credential data via a debug log file. Internal testing by a network security engineer revealed the flaws, which have no workaround and must be patched by updating to fixed release version 2.3.0.

Editor's Note

Static credentials and overly verbose logging should be in the distant past, yet they keep turning up. Remember when sites used to provide all sorts of insight via their logs, and we shut all that down? Make sure that your scans trigger on debug information when discovered so you can run that down. While you cannot entirely prevent embedded static credentials, you can block or restrict access to management interfaces where they could be used. Even so, make sure that your SOP includes changing all vendor provided credentials where possible. Trust but verify this is done.

Lee Neely

2024-09-09

Ransomware Campaign is Exploiting SonicWall Vulnerability

Researchers at Arctic Wolf have observed a ransomware campaign exploiting a critical improper access control vulnerability in SonicWall SonicOS. The 'issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.' Updates are available and users are urged to patch as soon as possible.

Editor's Note

It has been just a couple weeks since SonicWall released an update fixing this vulnerability. But you should also restrict access to the administrative interface. Only allow specific IP addresses to access the management webpage.

Johannes Ullrich

These devices are SOHO-class devices; you should check for them regardless and make sure they are updated. In all cases, once updated you need to make sure Internet access to the firewall and SSLVPN management interface is disabled, or limited to trusted sources. Additionally, if you have Gen 5/6 firewalls with SSLVPN users who have locally managed credentials, those passwords need to be updated as soon as the firmware is upgraded. Enable the "User must change password" option for each of these accounts, then enable MFA (TOTP/Email-based OTP) for all of these users.

Lee Neely

2024-09-06

Cisco Merchandise Store Compromised Through Known Magento Vulnerability

Cisco's branded merchandise store page was taken offline over the weekend while the company investigated an exploit of their Adobe Magento e-commerce platform. The attack appears to have been an injection of obfuscated JavaScript aimed at stealing customers' and employees' data. This vulnerability, also known as 'CosmicSting,' carries a CVSS score of 9.8 and was patched in June 2024 (CVE-2024-34102).

Editor's Note

CVE-2024-34102, improper XXE reference restriction, which permits arbitrary code execution, CVSS score 9.8, affects all 2.4 versions of Adobe Commerce and Magento Open Source, as well as the Adobe Commerce Webhooks plugin 1.5.0. Adobe released a security update June 11th, a hotfix July 17th, and an isolated patch on June 28th which includes the July 17th hotfix. You need all three, but if you haven't installed the July 17th hotfix you can skip it and install the other two. In all cases, you will need to rotate encryption keys and flush the cache. For the plugin you're going to have to manually update the modules and extensions.

Lee Neely

Another e-commerce site suffering through a Magecart attack, not really news. However, what is news is that Adobe had a patch available for the vulnerability a full 90 days ago. Until we, collectively, find a way to automate software patching, we'll never beat the adversary at the exploit game.

Curtis Dukes

2024-09-06

Class Action Lawsuit Filed Against Data Broker for Violating Privacy Law

A retired police officer in West Virginia has filed a class action lawsuit against data broker Whitepages for violating a state law prohibiting the disclosure of active or retired law enforcement personnel's home addresses and phone numbers 'under circumstances in which a reasonable person would believe that providing such information would expose another to harassment or risk of harm to life or property.'

Editor's Note

Work continues to put data brokers on notice that privacy needs to be preserved. This violates a West Virginia law known as Daniel's Law. New Jersey has a similar statute of the same name. These are designed to protect the privacy of public-facing professionals, and it is spreading. In May, Maryland passed a similar law. Companies like the Atlas Data Privacy Corp., which issues takedown orders for removing this information online, have filed 118 class action lawsuits against data brokers who refused to acknowledge these orders filed on behalf of 20,000 New Jersey law enforcement officers.

Lee Neely

I suspect that the data broker wasn't even aware of the state law when it scraped the information from one of several possible sources. That said, a person should have the right to decide what information about them is publicly available. It's high time that the US pass a national data privacy law, as opposed to the hodge-podge of state data privacy laws.

Curtis Dukes

2024-09-05

US Government Seizes Doppelganger Propaganda Domains

An affidavit filed on September 4th in US District Court in Pennsylvania identified thirty-two domains to be seized by the US Justice Department for their use by Russian officials to disseminate propaganda under the guise of legitimate news media. Many of the sites are typosquatted counterfeits of major news brands, their links shared by paid advertisements and purpose-built social media profiles impersonating non-Russian citizens. The domains were leased by sanctioned Russian officials and organizations, which provided grounds for the seizure under US money laundering law.

Editor's Note

In case you're wondering what happens when someone who is "sanctioned" continues to interact with the U.S., here is a real example. Note these fake sites are upping their game to include AI to make convincing arguments for the parties or POV they are supporting. Train users to be really vigilant for typosquatting, e.g., washingtonpost.pm vs washingtonpost.com, then support them by enabling available protections on your endpoints and perimeter to reduce or block access to these sites.

Lee Neely
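
The washingtonpost.pm vs washingtonpost.com pattern above is easy to catch on the defender side by comparing queried names against a short watchlist of brands you care about. The following is an added example, not part of the newsletter; the brand list and the resolver log lines are constructed, and the domain split assumes single-label TLDs (no co.uk-style public suffixes).

```python
# Lookalike-domain check for a brand watchlist (added example, constructed data).
# Assumes single-label TLDs (no co.uk-style public suffixes) in the sample.

# Constructed watchlist of legitimate registrable domains to protect.
BRANDS = ("washingtonpost.com", "foxnews.com", "reuters.com")

# Constructed DNS resolver log lines in a simple key=value layout.
SAMPLE_LOG = [
    "2024-09-05T12:00:01Z client=10.0.0.5 query=www.washingtonpost.com",
    "2024-09-05T12:00:09Z client=10.0.0.7 query=washingtonpost.pm",
    "2024-09-05T12:01:30Z client=10.0.0.9 query=washingtonpots.com",
    "2024-09-05T12:02:11Z client=10.0.0.5 query=example.com",
]


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (registrable label, TLD); assumes the TLD is a single label."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def classify(domain, brands=BRANDS, max_distance=2):
    """Return a reason string if `domain` looks like a brand, else None."""
    label, tld = split_domain(domain)
    if f"{label}.{tld}" in brands:
        return None  # the brand itself, or one of its own subdomains
    for brand in brands:
        blabel, btld = split_domain(brand)
        if label == blabel and tld != btld:
            return f"same name as {brand} under a different TLD"
        # Skip the edit-distance test for very short labels: too many false hits.
        if len(blabel) > 2 * max_distance and edit_distance(label, blabel) <= max_distance:
            return f"within {max_distance} edits of {brand}"
    return None


def scan_log(lines, brands=BRANDS):
    """Return (queried name, reason) for every log line that hits the watchlist."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        reason = classify(fields["query"], brands)
        if reason:
            hits.append((fields["query"], reason))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags washingtonpost.pm and washingtonpots.com while leaving www.washingtonpost.com alone; the hits are what you would feed to a blocklist or alert.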

A short-term victory for the US. However, many of these domains have been active for upwards of a year, with millions of views.

Curtis Dukes

2024-09-06

White House Cyber Hiring Sprint: Revamping Requirements for US Government Cyber Jobs

The US White House Office of the National Cyber Director has announced an eight-week cyber hiring sprint to fill half a million cybersecurity positions in government. Among the initiatives: pitching cybersecurity jobs as national service and eliminating unnecessary degree requirements for cyber jobs.

Editor's Note

This sprint "Service for America" dovetails into efforts by OPM and ONCD, announced last spring, to rewrite cyber job hiring practices to recognize learned experience and not just degrees obtained. ONCD is also encouraging agencies and private sector companies to use best practices such as removing degree requirements and offering entry-level, apprentice and intern-level positions. Note that you don't have to have Cyber in your job title to be doing cyber work. These days IT, Cyber, Cloud and AI are intertwined. One hopes this effort continues beyond October.

Lee Neely

This initiative will hopefully help bridge some of the competency gaps found in public and private organizations' HR departments. There is a big disconnect matching available talent to open positions, leading to uncertainties about the demand for cybersecurity professionals, in particular for entry-level positions.

Johannes Ullrich

2024-09-09

London (UK) Secondary Level School Closes for Several Days Following Ransomware Attack

The Charles Darwin School in London, UK, was forced to close its doors for three days this week due to the aftereffects of a ransomware attack. All student Microsoft 365 accounts have been disabled as a precaution, and 'all staff devices have been removed to be cleansed.' The school has brought in an outside company to investigate. While classes are expected to resume on Thursday, September 12, the school's Headteacher wrote in a letter to families that they 'will be without internet, email and access to other systems in the school for an estimated 3 weeks.'

Editor's Note

UK schools continue to be targeted, with the first quarter of 2024 having more than twice the attacks reported in the same quarter of 2023. The timing, at the beginning of the school year, is unfortunate, and will have the largest impact on teacher devices with the potential loss of lesson plans/etc. This is a good time to make sure you've implemented security best practices, starting with MFA and strong passwords. Many services now have an easy button to enable strong security, which you can test before deploying to everyone; do it, smartly, and don't forget to deploy fully once you have a working configuration.

Lee Neely

Internet Storm Center Tech Corner

Password Cracking Energy: More Details

https://isc.sans.edu/diary/Password+Cracking+Energy+More+Dedails/31242

Python Notepad++

https://isc.sans.edu/diary/Python+Notepad/31240

Critical Loadmaster Security Vulnerability

https://support.kemptechnologies.com/hc/en-us/articles/29196371689613-LoadMaster-Security-Vulnerability-CVE-2024-7591

HA Proxy Patch

https://www.mail-archive.com/haproxy%40formilux.org/msg45280.html

Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts

https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/

Kibana Deserialization Vulnerability

https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119

Stately Taurus Abuses VSCode

https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Fake LinkedIn Job Ads

https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/

Android Crypto Passphrase Stealer with OCR

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-spyagent-campaign-steals-crypto-credentials-via-image-recognition/

Sextortion Scam Now Uses Your Cheating Spouse's Name as a Lure

https://www.bleepingcomputer.com/news/security/sextortion-scam-now-use-your-cheating-spouses-name-as-a-lure/