Big Week for Critical Vulnerabilities Already Exploited: Google Drive Collaboration Feature, Windows Kernel, Oracle WebLogic Server, and WordPress

While collaborating on documents using shared drives or shared documents is pretty common, it's still important to teach users to not accept unexpected collaboration requests. When collaborating, particularly outside your organization, make sure the collaboration link is only available for specific users, particularly if it allows write access. Once the document is opened there is a tempting link to a malicious site; use this as an opportunity to validate your boundary and endpoint protections still, in our current work environment, block access to malicious sites in case users click it.

Lee Neely

The major point is that every communication/collaboration method created for legitimate use will be used by attackers for spam, phishing, malware delivery etc. Consider an egg salad sandwich left at your door. It really doesn't matter whether it got there by the mail carrier, UPS, FedEx or whoever - you really shouldn't eat it unless you know who sent it to you and unless you have made sure that the mayonnaise hasn't turned yellow or green - the latter being what Google has said it will ramp up on this communications path.

John Pescatore

The Microsoft fix is scheduled to be released November 10th. Exploiting the flaw itself, a buffer overflow weakness in cng.sys, requires another successful exploit, such as the recent Chrome Flaw (CVE-2020-15999), to obtain local system access. The best mitigation is to fully deploy the Chrome update and push the Microsoft fix when released.

Lee Neely

WebLogic is quickly becoming the WordPress of the enterprise world because of the large number of vulnerabilities being discovered. The flaws in Oracle's emergency fix have been actively exploited for about a week now, and the newest "emergency patch" is a trivial bypass of the patch released in October. First and foremost, do not expose WebLogic to the world. Even internally, be cautious. The latest flaw is easy enough to exploit. Any browser inside your network may easily be tricked into sending an exploit request to an internal WebLogic server when it visits a malicious web page. This could be exploited even via images included in emails (if your mail client downloads them automatically).

Johannes Ullrich

Check the version of your WordPress site to make sure that you're running 5.5.3. If you're on 5.5.3-alpha or earlier, or haven't enabled auto-updates, update to 5.5.3. While the 5.5.3-alpha plugin disablement was resolved in the 5.5.3 release, it's still a good idea to verify your plugins are properly enabled as well as updated. Given the pace of WordPress and plugin updates of late, automatic updates are a good way to stay current. Also make sure that you have regular backups in case you need to roll back.

Lee Neely

It is time to add WordPress to the list of historically broken applications. Any continued use should be accompanied by strict management, scrutiny, and maintenance.

William Hugh Murray

Of note is the dwell time. The attackers installed a web shell which allowed further attacks, including data dumps, administrator and end-user credential capture, which went undetected from July 2014 to September 2018. Another contributing factor was an incomplete deployment of multi-factor authentication (MFA). Make sure that your monitoring has sufficient coverage to detect unexpected access. Verify the completeness of security measures such as MFA to identify any resulting risks or omissions.

Lee Neely

In 2019, Marriott said the breach cost them $28M, but their cyberinsurance policy paid $25M - reducing the direct impact to $3M. However, cyberinsurance doesn't always pay for regulatory fines, especially in EU for GDPR. An AON research report stated that in 20 of 30 EU countries, including the UK, GDPR fines would not be insurable. So, even this drastically reduced fine may end up costing Marriott more than a breach - that is a rare occurrence and needs to part of the calculus in deciding if cyberinsurance has a positive ROI.

John Pescatore

All the usual precautions against clicking on bait messages apply. In this case users must click twice. Android users, once on the message itself and once to install the malware. While it is more difficult to corrupt iOS devices by clicking on something on a web page, iOS users must both click on the message and be duped into entering their Apple credentials. While it seems to be counter-intuitive, mobiles remain safer than so called "personal" computers.

William Hugh Murray

While there should not be an expectation of privacy in public, using facial data to create a unique biometric representation of one's image should be disclosed. Additionally, when storing unique identifiers or PII, that repository needs to be deliberately managed and tracked to protect the information from misuse or acquisition.

Lee Neely

Timely breach notification are important when customers need to take action in response to lost data. In this case, JM Bullion didn't notify customers until three months after the breach discovery. As reports are circulating that the breach data from JM Bullion has been offered for sale since late May, JM Bullion customers should take active measures to monitor and secure their credit.

Lee Neely

A lot of voter data is available publicly or for a nominal fee from many states. In some cases, the goal of these hacks isn't the actual data, but to support the narrative that election systems are insecure.

Johannes Ullrich

The county is working to establish temporary email and phone numbers to allow operation while service restoration completes. Watch the county website (http://www.chathamnc.org/) and social media channels for updates.

Lee Neely