Infrastructure Breaches: State-Sponsored Threat Actors Target US Broadband Providers' Court-Authorized Wiretap Interfaces; Wayne County, Michigan Government Websites Down; American Water Works SEC Filing Indicates Unauthorized Network Activity

If you build it, they will come. The court-authorized wiretap interfaces at telco providers are too juicy of a target for attackers to overlook. Note to also closely monitor any infrastructure like this in your own environment. You may not deal with court ordered wiretaps, but your security team likely still has extensive systems to reach out to and monitor endpoints.

Johannes Ullrich

Large ISPs are attractive targets for nation state intelligence agencies and present an equally large attack surface. While they could do more for the security of their users, they cannot be relied upon to do so. Targeted users should take appropriate precautions, to include end-to-end encryption and proprietary DNS service.

William Hugh Murray

The attack vector used by Salt Typhoon/Ghost Emperor in this case is unknown. In the past they have been known to obtain initial access through flaws like the Exchange ProxyLogin vulnerability to leverage a custom backdoor, SparroDoor, customized Mimikatz, and a rootkit known as Demodex. Make sure that any remaining on-premises Exchange servers are fully patched, and reach back to your team to make sure that MFA is required on your Internet facing services.

Lee Neely

Details are lacking, but two immediate thoughts: 1) there has to be an exploit in common for all three communication service providers (CSPs); and 2) over time CSPs automate CALEA implementation, which creates a pathway to those protected systems. Nation states understand that, as they implemented them in their own countries.

Curtis Dukes

Wayne County was putting updates on their Facebook page while their website was offline; these are reflected on the home page of the now restored county website. Wayne County is the largest county in Michigan with 1.75 million residents. This is the latest blow to Michigan, which included hits on Flint and Traverse City, as well as impacts from the Ascension and McLaren hospital ransomware incidents. Don't assume you're not a target and leave things be. Be proactive, start with the basics, MFA, patching and monitoring, grow from there.

Lee Neely

Municipalities rank right up there with healthcare as targets for ransomware attacks. Take appropriate care to include strong user authentication, isolating mission critical applications from e-mail and browsing, and having hot backup and recovery.

William Hugh Murray

A lot of focus has been on nation states potentially targeting critical infrastructure and efforts to protect said infrastructure. That is a concern, but this also could have been a simple ransomware event, targeting the internet accessible IT systems of critical infrastructure providers. There exist good solid cybersecurity frameworks (i.e., NIST CSF, ISO 27001, CIS Controls) that work, if implemented. Efforts should be made to ease the implementation and monitoring against one of those frameworks.

Curtis Dukes

American Water has published a FAQ on impacted services (amwater.com/corp/security-faq) and promises to update their home page as things change. It's not easy to find those updates; they are on their essential services page with a link back to the FAQ. On a positive note, while the billing system is offline, customers will not be assessed late fees or have service disconnected. One hopes customers will be notified when the system is online. When you're doing notification, consider making things more easily found.

Lee Neely

'Largely non-compliant' means failure to employ basic hygiene. However, the industry is also plagued with ad hoc connections to the public networks placed not by management but by operators for their own convenience. In the absence of basic security measures this is all too easy to do. Management should provide operators with necessary, even useful, connections using VPNs that terminate on the intended control, not on the perimeter.

William Hugh Murray

Invariably, more industry collaboration is better than less, but self-inflicted wounds are as much, if not more, of a threat than adversaries. The wisdom of the Critical Security Controls and OWASP Top 20 apply to all large software systems, which includes AI.

John Pescatore

As AI continues to find its way into our environments, having a feed of AI incidents and defenses becomes a critical layer of defense. You should be reading up on ATLAS and seeing how you can leverage the data in your environment. Start with the beta set of AI mitigations which are designed to prevent techniques or sub-techniques from being executed. ATLAS mitigations can be found here: atlas.mitre.org/mitigations/

Lee Neely

There are two hard problems in intelligence. The first is enlisting reliable, but not necessarily trusted, sources. The second is identifying those who can use the intelligence to your advantage without compromising it. Ideally these are both small population as MITRE is using in this application.

William Hugh Murray

Protection and storage of collected data will continue to be an issue for companies. The question for the DPC will boil down to this: is the data collected the same as what Ryanair would collect from its own website?

Curtis Dukes

Biometric data is not as vulnerable to disclosure or use as one might intuitively infer. It does not rely upon the secrecy of the stored reference for security (as do passwords and private keys) but upon the difficulty of counterfeiting the instant data. Biometric instant data is vulnerable to replay and therefore is most often employed, for convenience, as additional factors in MFA where protection from replay is provided by a different factor.

William Hugh Murray

Ryanair, famous for their low-cost, no-frills, everything-extra flights, has historically resisted efforts by third parties to sell their flights. They implemented the added ID validation as a deterrent and protection to consumers from unauthorized online travel agents who may be overcharging or scamming customers. The process has had numerous complaints. The issue here isn't addressing those concerns, rather focusing on how Ryanair is protecting and disclosing the gathered ID/Biometric data, particularly in cross-border scenarios, in this process. If you're processing data covered by the GDPR, double down on making sure you're following all of the requirements to avoid undue scrutiny by the DPC.

Lee Neely

FBCS is a debt collector, initially reporting a compromise in March. At that time, FBCS said the incident did not affect Comcast data. However, in July they notified Comcast that their customer data were compromised in the breach. Comcast stopped using the service in 2020, however; they didn't take steps to ensure their data was removed from FBCS systems. FBCS is claiming they are financially unable to bear the cost of identity monitoring/credit restoration services, so it falls to their customers, Comcast, CF Medical, etc. to pay for this. Make sure that you have procedures for clearing (and verifying) data on third-party service providers as well as an understanding of where liability falls should they have a breach with limited financial solvency.

Lee Neely

The vulnerability only existed in certain configurations of Okta Classic; even so, you should check your logs fusing the following query: outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso" for possible exploits, particularly authentication from unusual locations, IPs or times of day. While the vulnerability was introduced on July 17, it wasn't identified until September 27, and rapidly addressed with a tested patch in production eight days later.

Lee Neely

The vulnerability, CVSS score 7.1, is due to improper input neutralization and could be used to inject malicious scripts, advertising, redirects, and other payloads into your site. Auto-update should have already fixed your plugin, but you should double check. Uninstall any unused plugins or themes. Ask the hard questions on any plugins without updates, and minimize the number of plugins to keep the attack surface small and your site stable.

Lee Neely

Cross-site scripting vulnerabilities have been around for decades and are totally preventable. Seems as though the developers need some remedial training in secure software development practices like input validation and output encoding. Developers, take a look at the OWASP Cheat Sheet Series.

Curtis Dukes

The value of WordPress plugins must be balanced against their historic quality. They should be employed sparingly and managed carefully.

William Hugh Murray

We may have caught a break in that Apple is not indicating these flaws are being actively exploited. The Media Session flaw is specific to the iPhone 16, while the VoiceOver flaw affects all devices running iOS 18; it has a CVSS 3.1 score of 5.5. It's a good idea to push iOS/iPadOS 18.0.1 to all your devices running version 18.0.

Lee Neely

Most Apple iOS users should enable automatic updates.

William Hugh Murray

Those flaws on SOHO routers continue to be exploited to build botnets with amazing impact. Make sure that you're not exposing management interfaces and are keeping the firmware updated and replacing EOL devices proactively. These things can be hard for home users, and while plans for certified devices which are born secure and default to automatic updates continue to evolve, the hard part will likely remain the challenge of getting folks to replace a device which "works perfectly." A challenge for us to convey to our friends and family when they call for help.

Lee Neely

Botnets include many devices that cannot protect themselves from traffic on the public network and are loosely managed.

William Hugh Murray