CISA: Hackers Successfully Combining Long-Known Vulnerabilities to Penetrate Federal Systems, Plus Escalating Ransomware Attacks

Exactly a year ago, the NSA released an advisory warning of exploitations of exactly the same vulnerability (e.g. CVE-2018-13379). Additional warnings for these types of attacks were released in February, May, about a month ago, and again now. The headlines should be "CISA: Government networks still don't know how to manage VPN vulnerabilities." Any attacker would be negligent not to take advantage of this point easy-to-exploit "VPN + Zerologon" attack vector.

Johannes Ullrich

Weaknesses in so-called "VPN" products, services, and implementations should not discourage "virtual private connections," that is, the use of end-to-end application-layer encryption. The term "VPN" has become synonymous with marketed proxy services intended to merely hide the origin of traffic to avoid geographic or political controls. Such services are not "private" in the original sense of the term. Neither are they truly (user to application) end-to-end.

William Hugh Murray

This close to an incident, you need to be focused on forensics, system recovery, preventing recurrence, and refining contingency plans so that systems and processes are more resistant to attack. In the UHS case, there is the additional responsibility to ensure future events don't result in loss of life. When these processes are complete, response to external or regulatory questions will be more accurate and more valuable.

Lee Neely

Maze is known for their pay-or-publish stance. Unless you know the specific data taken, that's an effective threat. The school district's actions indicate they are not paying the ransom, but instead offering credit monitoring to those impacted. Know, document, and verify locations of sensitive data before an incident occurs - not just personal information, but also company proprietary information and records. Walk through your response process for attempted disclosure of this information.

Lee Neely

The DHS report provides useful insight into motivations and tactics of foreign and domestic adversaries - which highlight patterns we are likely to see in the future. The attempted accesses to the US Census Bureau have been, so far, unsuccessful. Expect continued attempts to manipulate the election process and steal information around COVID-19 and supply chains. Impacting the distribution of over $675 billion makes the Census Bureau a very attractive target.

Lee Neely

This attack works because the Electrum network allows for anyone to add an ElectumX gateway server, and the app doesn't block popups from the bitcoin network, an egregious failing. Since the attacks started, Electum has added both bad-server blocking and popup blockers in the latest versions of the app. Verify that you're downloading your cryptocurrency wallet from the genuine source. Also, be mindful of unexpected OTP requests at application start up; that's what allows the transfer of all funds to the attackers account.

Lee Neely

The security of wallets and exchanges, for crypto or other currencies, is not a space for amateurs. Wallets and exchanges have proven to be lucrative targets for criminals. Most of us should rely upon banks, credit unions, and other insured and regulated institutions.

William Hugh Murray

Kudos to Microsoft and its partners for being more aggressive against these botnets. Let's hope this takedown will have a lasting effect.

Johannes Ullrich

I refuse to comment on yet another article about this outrageously bad idea. Everybody seems to agree that freedom is dangerous.

Johannes Ullrich

Secure encryption does not need a back door to be decrypted. While we often talk about encryption algorithms, we don't often focus on key escrow. Key escrow can be used to recover the encryption key and then decrypt encrypted items, such as files or disks, and should be part of your processes to protect corporate information. The problem is that Internet protocols, such as TLS, are not intended or designed to use escrowed keys, and implementing processes so that "only law enforcement" can access and use keys has such significant risk of abuse as to be impractical.

Lee Neely

The struggle continues; it is not likely to end well for the Infrastructure, the economy, or the citizen.

William Hugh Murray

This is a reminder to regularly re-assess protection measures between OT and IT systems. Consider not only undesired access to OT systems, but also how data provided by those systems could be used inappropriately or used to reach inaccurate conclusions when taken out of context.

Lee Neely

If we have learned nothing else over the last decade, we should have learned that we cannot patch our way to security, not in "cyber," not in aviation. We must add "attack surface" management to our strategy. From aviation, "cybersecurity" needs to learn "failure mode" management, starting with "pilot (user) error" and "ransomware."

William Hugh Murray