SANS NewsBites

Ransomware Attacks Using Storage Devices; Critical Windows Vulnerability; DARPA's Bug Bounty

June 9, 2020  |  Volume XXII - Issue #46

Top of the News


2020-06-05

Ransomware Attacks Targeting QNAP NAS Devices - Dangerous

Operators of the eCh0raix ransomware have begun a campaign that targets QNAP network-attached storage (NAS) devices. The attackers are gaining access to the devices through known vulnerabilities or through brute-force password attacks.

Editor's Note

If you own a QNAP or similar storage device (Netgear, Synology, Western Digital..), do the following today: (1) Patch. These devices tend to be difficult to patch. You will need to be careful to not disrupt any work if users use the device to store documents they work on, or worse, if the device is used as an iSCSI drive in a virtual environment. (2) Make sure the device is not exposed to the internet. (3) Uninstall all components that are not required to operate the device. These devices often come with a large number of vulnerable web applications preinstalled. Uninstall as many of them as possible. Vendors try to sell these functions based on the number of features bundled with them. It is easy and cheap to add features by adding random open source components to the device. But vendors also often fail to secure these components and with patching being difficult, these devices will be compromised after some time exposed to the internet.

Johannes Ullrich

Update the QNAP OTS and Security Counselor software, use stronger admin passwords, limit network accessibility, disable Telnet and unused SSH services and enable QNAP snapshot service. Flaws in eCh0raix have been fixed which neutralized the free decryption option released by BloodDolly.

Lee Neely

NAS devices should not be connected to public networks or hidden by end-to-end application layer encryption.

William Hugh Murray

2020-06-08

SMBGhost Proof-of-Concept Exploit Code Released - Important

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has warned that functional proof-of-concept code to exploit a known vulnerability in Microsoft Windows is publicly available. The flaw, SMBGhost, lies in version 3.1.1 of the Microsoft Server Message Block protocol; it affects Windows 10 and Windows Server 2019. Microsoft released a fix for the issue in March 2020.

Editor's Note

This is not a big deal because we all patch our Windows systems on patch Tuesday (today..) and we would never allow SMB to traverse our perimeter. If this statement is not true for your organization: Panic. You are probably already compromised by an exploit targeting dozens of other vulnerabilities.

Johannes Ullrich

The critical Microsoft patch for CVE-2020-0796 was released March 12th and affects both Windows 10 and Windows Server versions 1093 & 1909. While the risk can be mitigated slightly by disabling SMB compression and blocking port 445, the complete fix is to apply the patch, particularly with an increased percentage of remote workers.

Lee Neely
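The mitigation and patch state described in the note above can be audited from PowerShell. This is an added example, not code from the newsletter or from Microsoft; it assumes the ADV200005 registry value (LanmanServer\Parameters\DisableCompression = 1) and that the March 2020 fix raised the OS revision (UBR) to 720 on builds 18362 (1903) and 18363 (1909), a threshold you should confirm against Microsoft's release notes for your build.

```powershell
# Added example (not from the newsletter): audit a Windows host for the
# CVE-2020-0796 (SMBGhost) patch and the interim compression mitigation,
# and apply the mitigation only when the host is unpatched and unmitigated.
# Assumptions: ADV200005 registry value; fix revision (UBR) >= 720 on
# builds 18362/18363. Run elevated.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$VersionKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-SmbGhostStatus {
    $ver   = Get-ItemProperty -Path $VersionKey
    $build = [int]$ver.CurrentBuildNumber
    $ubr   = [int]$ver.UBR

    # SMBv3.1.1 compression shipped only in 1903 (18362) and 1909 (18363).
    $affectedBuild = $build -in 18362, 18363
    $patched       = $affectedBuild -and ($ubr -ge 720)   # assumed fix revision

    $dc = Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    $compressionOff = ($dc.DisableCompression -eq 1)

    # Port 445 listening on a non-loopback address means the SMB server is
    # reachable from the network; pair this check with a perimeter block of 445.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
              Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }

    [pscustomobject]@{
        Build               = "$build.$ubr"
        AffectedBuild       = $affectedBuild
        Patched             = $patched
        CompressionDisabled = $compressionOff
        Smb445Listening     = [bool]$listen
        # Exposed only on an affected build with neither patch nor mitigation.
        Exposed             = $affectedBuild -and -not $patched -and -not $compressionOff
    }
}

function Disable-SmbCompression {
    # ADV200005 interim mitigation; no reboot needed. It does not replace the patch.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWord -Value 1 -Force
}

$status = Get-SmbGhostStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'Unpatched and unmitigated: disabling SMBv3 compression until the patch is applied.'
    Disable-SmbCompression
}
```

Run it across a fleet with your remoting tool of choice and triage hosts where Exposed is True and Smb445Listening is True first.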

2020-06-08

DARPA Announces Bug Bounty Program

The US Defense Department's Defense Advanced Research Projects Agency (DARPA) has announced a bug bounty program. The focus will be on DARPA's System Security Integration Through Hardware and Firmware (SSITH). Synack, a security company partnering with DARPA for the program, is holding a Capture-the-Flag (CTF) qualifying competition which runs from June 15-29, 2020. The DARPA bug bounty program will run from July-September 2020.

Editor's Note

This will be an interesting one to watch. Good to see DoD building on the success of years of Hack-the-Pentagon managed bug bounty programs, but this has a different focus than almost all previous bug bounty programs: finding vulnerabilities in specialty hardware. This is badly needed; the vulnerabilities in Apple's A4 chip and in PC motherboards and baseboard management controllers have made this very clear. Much more specialized skills are required, but too often hardware devices have relied on security through obscurity. Programs like this can shine a bright light on why that doesn't work.

John Pescatore

The Rest of the Week's News


2020-06-08

CPA Canada Data Breach Affects More Than 329,000 People


Chartered Professional Accountants of Canada (CPA Canada) has acknowledged a data breach that affected personal information of more than 329,000 individuals. The majority of the compromised information is related to the CPAS Magazine mailing list. The breach was detected after a phishing campaign targeted CPA Canada members earlier this year.

2020-06-08

Phishing Scheme Targeting Members of German Coronavirus Task Force


A phishing scheme has targeted more than 100 executives of a German multinational company involved in procuring personal protective equipment (PPE) for COVID-19 frontline healthcare workers. The unnamed company is part of a task force commissioned to use international contacts and knowledge to help obtain PPE.

Editor's Note

With the current environment and pressure to deliver solutions, users are more susceptible than usual to these sorts of attacks. One of the best mitigations for credential harvesting attacks like this is implementing multi-factor authentication, reducing the value of any captured credentials.

Lee Neely

2020-06-08

Honda Network Problems in Europe and Japan May be Due to Ransomware

Automobile manufacturer Honda is investigating computer problems affecting networks in Japan and Europe; the issues may be due to a ransomware infection. Honda told Bleeping Computer that it "can confirm that there is an issue with its IT network. This is currently under investigation, to understand the cause."


2020-06-08

Maze Ransomware Encrypts Servers at VT San Antonio Aerospace


The network of VT San Antonio Aerospace (VT SAA) was infected with Maze ransomware. The malware operators stole data from the company before encrypting company servers. VT SAA provides maintenance, repair, and overhaul services for North American aircraft.

Editor's Note

The attacks on VT SAA and Westech are further indicators that the Maze operators are focusing more on US Defense contractors. The Maze operators are not only attempting to sell data they have exfiltrated, but are also working with other cybercriminal gangs to auction off their stolen data. The trick is catching and stopping the data exfiltration before the attack moves to the encryption stage.

Lee Neely

2020-06-05

Fitness Depot Acknowledges Data Breach


Canadian fitness equipment retailer Fitness Depot has acknowledged a data breach affecting its ecommerce platform. Details of the incident suggest that the system was infected with Magecart skimming malware. Affected customers are those who conducted transactions for delivery or for in-store pick-up between February 18 and May 22, 2020. The compromised information includes names, street and email addresses, phone numbers, and payment card data.

Editor's Note

We now have the tools to resist "card not present" fraud if we would only use them. Consumers should prefer online merchants that use check-out proxies such as PayPal, Apple Pay, and Click-to-Pay. Otherwise they should use one-time or one-merchant tokens from Privacy.com or others in lieu of Primary Account Numbers. The card brands should be encouraging online merchants to use Click-to-Pay, their co-branded check-out proxy.

William Hugh Murray

2020-06-05

Conduent Hit with Ransomware


Operators of the Maze ransomware hit systems at IT services firm Conduent late last month. The company says the attack caused just a partial interruption and that most systems were operating as usual within hours of the attack.

Editor's Note

A plan for mitigating "ransomware" and other data changing attacks must include rapid restoration of mission critical applications.

William Hugh Murray

2020-06-08

Researchers Find Serious Security Issues in OmniBallot Online Voting System

Researchers from the Massachusetts Institute of Technology (MIT) and the University of Michigan have released a report detailing their findings about the security of the OmniBallot Internet voting and ballot delivery system. OmniBallot, which is produced by Democracy Live, has been used in the past to let voters print ballots, complete them by hand, and return them by mail. For the 2020 election, the system will include online ballot return. The researchers, J. Alex Halderman and Michael Specter, write that the safest option is to avoid using OmniBallot. They note that OmniBallot is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers, and that it appears not to have a privacy policy.

Editor's Note

Two analogies here: (1) A few years ago, I had rotator cuff surgery, and the morning of the operation the surgeon came to the prep room with a black marker and wrote "This arm" and his signature on my right arm; (2) I have never seen, and never want to see, a traffic light that is showing green in all four directions. Errors in presidential elections are pretty much up there with operations on the wrong body part or cars colliding at intersections. There need to be both manual mechanisms and auditing and safety interlocks built into any software-based voting system, just as they are built into surgical procedures even though we have Electronic Health Records, and into traffic signal controller hardware even though we have online light control systems. Every state has rigorous control of traffic lights, and there are national standards for them as well. Since election systems are considered part of the critical national infrastructure, they should be treated just as rigorously.

John Pescatore

If you must use OmniBallot, the most secure option for remote voting remains printing, hand marking, and then returning a paper ballot by mail. The electronic ballot return mechanisms don't include sufficient anti-tampering protections, and even when printing paper ballots, if you're using the application to mark your ballot, OmniBallot collects and sends voters' private information for tabulation. As electronic voting continues to move forward, rigorous testing and validation of security is essential to election integrity and voter confidence.

Lee Neely

There is a fundamental flaw in all such systems. If one makes the ballot unique, even though it would require collusion between the issuer and the counter of ballots, the voter cannot be sure that it cannot be identified with him.

William Hugh Murray

Internet Storm Center Tech Corner

PHP FastCGI Attacks

https://isc.sans.edu/forums/diary/Not+so+FastCGI/26208/

Protest Cybersecurity

https://isc.sans.edu/forums/diary/Cyber+Security+for+Protests/26210/


Translating BASE64 Obfuscated Scripts

https://isc.sans.edu/forums/diary/Translating+BASE64+Obfuscated+Scripts/26214/


uBlock Origin Blocks Portscans

https://www.bleepingcomputer.com/news/security/ublock-origin-ad-blocker-now-blocks-port-scans-on-most-sites/


QNAP Vulnerability

https://www.qnap.com/en/security-advisory/qsa-20-01


Fake Ransomware Decryptor

https://www.bleepingcomputer.com/news/security/fake-ransomware-decryptor-double-encrypts-desperate-victims-files/


GNUTLS TLS 1.3 Machine in the Middle

https://gitlab.com/gnutls/gnutls/-/issues/1011


CallStranger UPNP Vulnerability

https://callstranger.com/


Shellcode Analysis 101

https://www.sans.org/webcasts/sansatmic-shellcode-analysis-101-114160