SANS NewsBites

A Better Response to Ransomware and Three Critical Vulnerabilities Likely To Be Exploited Imminently

October 20, 2020  |  Volume XXII - Issue #83

Top of the News


2020-10-19

Mississippi School District Paying a Company to Help it Recover Files After Ransomware Attack

The Yazoo County School District in Mississippi has chosen to pay a private company $300,000 to regain access to encrypted files. The district became aware of the ransomware attack on Monday, October 12. They took their IT systems offline and solicited help from a cybersecurity company to help them recover their files.

Editor's Note

It looks like the $300K is to both improve security and recover the data. Essentially, rather than pay the arsonist to put out the fire in your burning house, you pay a contractor to rebuild it to existing fire codes to build in smoke detectors and sprinklers - essential safety requirements.

John Pescatore

Paying the company to not only restore files but put in protections to prevent recurrence is a good approach, and it's more cost effective to implement controls prior to a compromise. The challenge we all face is obtaining management support to fund and resource the efforts when the attack is just a potential. The Yazoo School district can be a case study to strengthen your position.

Lee Neely



2020-10-16

Microsoft Releases Updates for RCE Flaws

Microsoft has released fixes to address remote code execution vulnerabilities in the Windows Codecs Library and Visual Studio Code. The fixes come just days after Microsoft's scheduled monthly security update. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users and admins to review the advisories and apply the patches as necessary.

Editor's Note

The Visual Code Studio flaw is especially interesting. This editor is popular with developers, a group that has been targeted previously. Opening a json file in Visual Code Studio would be somewhat common, and it may be possible to trick a developer into opening a malicious file given the right pretext. This vulnerability is an effective vector for more targeted attacks.

Johannes Ullrich

2020-10-19

SharePoint Vulnerability Warning

The UK's National Cyber Security Centre (NCSC) has issued a warning about a vulnerability in Microsoft SharePoint. Proof-of-concept exploit code has been released. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to heed the NCSC warning and patch vulnerable systems.

Editor's Note

I pointed to this vulnerability in the last patch Tuesday update as one to watch out for. It is more severe than the ICMPv6 issue that got more press. Also note that, based on anecdotal evidence, at least several states have in the past shared early election results via SharePoint sites (and what better way to sow uncertainty and fear than to make early results reported by states look "off"). This vulnerability has a lot of potential for evil.

Johannes Ullrich

Apply the October updates to your on-premise SharePoint (versus hosted/M365) servers. The update, categorized as critical by Microsoft, is the primary mitigation to the vulnerability, followed by monitoring for IOCs and attempted lateral movement.

Lee Neely

"Proof-of-concept" code reduces the cost of attack to miscreants. While it may be evidence of how clever the authors of it are, it reduces both the amount of special knowledge that the attackers have to have and the work they have to do. This is particularly true where the vulnerability is so obscure or difficult to exploit that it must be demonstrated to be believed.

William Hugh Murray

2020-10-16

SonicWall Fixes Critical Flaw Affecting VPNs

A stack buffer overflow vulnerability in the SonicWall Network Security Appliance could be exploited to run arbitrary code or cause denial-of-service conditions. At the end of last week, "Shodan show[ed] over 800,000 VPN devices running vulnerable SonicOS software versions." SonicWall has released updates to address the problem.

Editor's Note

Yet another vulnerability in a perimeter security device. This one looks a bit more tricky to exploit compared to some flaws in similar devices, but I am pretty sure someone is already working on the right exploit for this vulnerability.

Johannes Ullrich

While there is currently no evidence of this being exploited in the wild, this is still a high-risk vulnerability which can also be used to cause a persistent denial-of-service condition. When prioritizing the needed update, be sure to incorporate any complexities of attempting this remotely.

Lee Neely

Updating firewalls, or indeed many other devices, during the pandemic is going to be a challenge for many IT teams as they try to do this remotely. Given that many ransomware attacks are now being launched via vulnerable remote access points, it is imperative that you review your change management processes to clarify how your IT team operates during the pandemic and to ensure they have the tools and training to apply critical patches remotely.

Brian Honan

Prefer end-to-end encryption that terminates on the application, not on the perimeter, not on an operating system. Whatever one thinks of its name, "Zero Trust" is an old idea whose time has come.

William Hugh Murray

The Rest of the Week's News


2020-10-16

Microsoft's Azure Defender for IoT Released for Public Preview

Microsoft has released a new agentless Internet of Things (IoT) security solution for public preview. Organizations can use Azure Defender for IoT to help them "discover unmanaged IoT/OT assets, identify IoT/OT vulnerabilities, and continuously monitor for threats."

Editor's Note

Appliances ("Things") should include only that functionality that is essential to their application. They must be able to protect themselves from any traffic that they are likely to encounter in their intended environment.

William Hugh Murray

2020-10-19

Gitjacker Can Help Find Exposed Git Folders

A new tool called Gitjacker can help users find exposed .git folders. It can also be used to download Git repositories, which puts sensitive information at risk of exposure.


2020-10-19

Microsoft October Patch Tuesday Includes New Option to Disable JScript in IE

When Microsoft released its monthly security update last week, it also added an option for sysadmins to disable JScript execution in Internet Explorer (IE). JScript was introduced to IE in version 3.0 in 1996. It is no longer actively developed and receives updates only when there is evidence of active attacks exploiting it.

Editor's Note

Use the Microsoft documentation on URLPOLICY flags to allow JScript only from trusted systems if still used; otherwise disable it altogether. You should be migrating off IE to newer actively supported browsers such as the new Chromium-based Edge.

Lee Neely

One small step in the right direction. Browsers are porous, in part because of the default to include a lot of rarely used, and even obscure, functionality. Browsers ought to be safe, at least by default, at least "out-of-the-box." Now if we could only rid the world of Flash.

William Hugh Murray
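As an added illustration of the per-zone approach Lee Neely describes above (example code written for this page, not from the newsletter, Microsoft, or the editors): a PowerShell audit of the IE "allow JScript" URL policy, with a guarded remediation for the Internet and Restricted Sites zones. It assumes, as I understand Microsoft's documentation for the October 2020 option, that the setting is the URLACTION value named 140C under each Internet Settings zone key, with 0 meaning allow and 3 meaning disallow; verify the value name and semantics against the current Microsoft article before deploying.

```powershell
# Added example: audit (and optionally set) the IE JScript URL policy per security zone.
# Assumption: the October 2020 update exposes the setting as URLACTION value "140C"
# under each zone key, where 0 = allow, 1 = prompt, 3 = disallow (verify against Microsoft docs).
# Zone ids: 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.

$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ValueName = '140C'   # assumed URLACTION_ALLOW_JSCRIPT_IE
$Disallow  = 3

function Get-ZoneKeyPath([string]$Hive, [int]$Zone) {
    "$($Hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
}

function Get-IeJScriptPolicy {
    # Report the current policy for every zone in the chosen hive (machine policy by default).
    param([ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')
    foreach ($zone in 0..4) {
        $key  = Get-ZoneKeyPath $Hive $zone
        $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.$ValueName } else { $null }
        $state = if ($null -eq $raw) { 'not set (default: allowed)' }
                 elseif ($raw -eq 0) { 'allowed' }
                 elseif ($raw -eq 1) { 'prompt' }
                 elseif ($raw -eq 3) { 'disabled' }
                 else                { "unknown ($raw)" }
        [pscustomobject]@{ Hive = $Hive; Zone = $zone; Name = $ZoneNames[$zone]; Value = $raw; JScript = $state }
    }
}

function Set-IeJScriptPolicy {
    # Disable JScript for the Internet and Restricted Sites zones only, leaving
    # Local Intranet / Trusted Sites untouched ("allow only from trusted systems").
    [CmdletBinding(SupportsShouldProcess)]
    param([int[]]$Zones = @(3, 4), [ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')
    foreach ($zone in $Zones) {
        $key = Get-ZoneKeyPath $Hive $zone
        if ($PSCmdlet.ShouldProcess("$key\$ValueName", "set DWORD to $Disallow (disable JScript)")) {
            New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $Disallow -Force | Out-Null
        }
    }
}

# Show the current state, then preview the change without writing anything (-WhatIf).
Get-IeJScriptPolicy | Format-Table -AutoSize
Set-IeJScriptPolicy -WhatIf
```

Run the last line without -WhatIf from an elevated prompt to apply the change; re-run Get-IeJScriptPolicy afterwards (and for HKCU) to confirm the zones you expect are the only ones showing "disabled".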

2020-10-16

People are So Wary of Phishing eMails That They are Missing Legitimate Messages

The Anti-Phishing Working Group says that users are becoming so wary of communications that might be phishing messages that they are ignoring legitimate communications. For example, organizations attempting to notify people that they may have come in contact with someone who tested positive for COVID-19 are finding it difficult to make sure those people get that information. Suggestions for improving the credibility of email messages include deploying Domain-based Message Authentication, Reporting & Conformance (DMARC), using a specification standard such as Brand Indicators for Message Identification (BIMI), or offering a different way for message recipients to respond.

Editor's Note

As the article points out, there is not great data on the false positive (recipients mistrusting trustable communications) rate. On the other hand, most legitimate health care companies were already using trustable ways of contacting their customers prior to the pandemic. Extending this out to the unique issues of contact tracing should be a driver for a national approach on how to do so for the next time, and really needs to include the FCC moving beyond "urging" carriers to block spoofed numbers.

John Pescatore

The message of not clicking on unknown senders and being aware of COVID-19 themed phishing attacks clearly got through. Now is the time to refine user awareness so messages aren't missed. As part of your Phishing/Spam reporting, provide timely feedback on reporting of legitimate and illicit emails, to include affirmation of reporting test messages accurately. Additionally, if you have outside services sending legitimate alerts to employees, inform them of this activity early on so they can recognize it.

Lee Neely

Users are a large part of the attack surface of the enterprise. Like any other process, they must be suspicious of, and authenticate, the origin of all "inputs." The failure of users to authenticate inputs is implicated in more breaches than not. The total absence of false rejects would be an indication that this level of "zero trust" was not working.

William Hugh Murray

2020-10-19

US Dept. of Justice Indicts Russian Hackers Believed to be Responsible for NotPetya and Other Destructive Cyberattacks

The US Department of Justice (DoJ) has indicted six people in connection with their alleged involvement with a hacker group known as Sandworm. The group is widely believed to have been responsible for the cyberattack that cut off power to hundreds of thousands of people in Ukraine in late 2015, a second attack in Ukraine that cut off power in Kyiv, and the NotPetya worm that caused millions of dollars in damage. The six men are facing charges including computer fraud and conspiracy.


2020-10-19

US Cyberspace Solarium Commission ICT Supply Chain Security Recommendations

The US Cyberspace Solarium Commission (CSC) has published a whitepaper outlining recommendations for improving information and communications technologies (ICT) supply chain cybersecurity. The whitepaper is one of several to have followed CSC's overarching strategic report that was released in March 2020.


2020-10-16

DDoS Attacks Hit Two Massachusetts School Systems

Two Massachusetts school systems have had classes disrupted by distributed denial-of-service (DDoS) attacks. Sandwich Public Schools experienced connectivity problems that disrupted remote learning for a week; the district said that the problems were due to a firewall failure. In Tyngsboro, the local middle school and high school were hit with a DDoS that forced the schools to remote learning for several days. The source of the Tyngsboro attacks was reportedly a device that someone brought to one of the schools.

Editor's Note

The Tyngsboro DDoS attack was linked to a device being connected daily to their network. Implement isolation of visiting devices on your network and consider a device posture check as part of (re)admitting them to your corporate segments to reduce the potential for them to cause harm.

Lee Neely

2020-10-19

Fix Available for Vulnerability in TI WooCommerce Wishlist WordPress Plugin

A critical flaw in the TI WooCommerce Wishlist WordPress plugin could be exploited to gain full administrative access to vulnerable sites. The flaw is being actively exploited; the plugin has more than 70,000 active installations. Users are urged to update to TI WooCommerce Wishlist version 1.21.12.

Editor's Note

If your automatic plugin updates are configured but not working, you may need to reset permissions on your WordPress site.

Lee Neely

Internet Storm Center Tech Corner

CVE-2020-5135 SonicWall Buffer Overflow

https://isc.sans.edu/forums/diary/CVE20205135+Buffer+Overflow+in+SonicWall+VPNs+Patch+Now/26692/


Spammer Attached Mass Mailer Configuration Instead of Malware

https://isc.sans.edu/forums/diary/File+Selection+Gaffe/26694/


Traffic Analysis Quiz: Ugly-Wolf.net

https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+UglyWolfnet/26688/


Qualcomm QCMAP Vulnerabilities

https://www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities


Discord Desktop App RCE

https://mksben.l0.cm/2020/10/discord-desktop-rce.html


Out of Band MSFT Patches

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-17022

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-17023


Adobe Magento Patches

https://helpx.adobe.com/security/products/magento/apsb20-59.html


Attacks against SS7

https://www.haaretz.com/israel-news/tech-news/.premium-exclusive-intricate-hack-against-israeli-crypto-execs-mossad-investigating-1.9211991

https://www.bleepingcomputer.com/news/security/hackers-hijack-telegram-email-accounts-in-ss7-mobile-attack/