SANS NewsBites

Florida Water Treatment System Breach Cause Exposed; Microsoft Patches: Install Quickly; Windows Defender Vulnerability; Bloomberg Says Spy Chips Found in Super Micro Computer Products

February 12, 2021  |  Volume XXIII - Issue #12

Top of the News


2021-02-10

Florida Water Treatment System Breach: Employees Shared One TeamViewer Password

In the wake of an attack in which a hacker gained access to a Florida water treatment plant's network and altered the amount of chemicals being added to drinking water, the FBI released a Private Industry Notification (PIN) warning that "the cyber actors likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system."

Editor's Note

Remote access applications, such as TeamViewer, should be configured with unique credentials for each user, and Internet-exposed entry points need to support MFA and include a firewall. All these also need to be actively monitored for abuse. Old unsupported operating systems, such as Windows 7, which cannot be updated to Windows 10, need additional mitigations, such as an external firewall, to protect them from modern attacks. CISA Alert AA21-042A includes analysis and additional logical and physical mitigations to incorporate if you're enabling remote access to control systems. https://us-cert.cisa.gov/ncas/alerts/aa21-042a

Lee Neely

When signing up for a new TeamViewer account, the user is prompted to set up two-factor authentication. TeamViewer also offers integration with single sign-on systems for enterprise use. Looks like either may have prevented this breach but was not enabled. The old version of Windows may have been required to run the particular software, and it does not look like it contributed to the breach.

Johannes Ullrich

Everyone has probably seen the "Rubin's Vase" optical illusion that to some people looks like a vase and to other people looks like two faces staring at each other. Incidents like this one at the Oldsmar water treatment plant happen frequently and can be viewed two different ways: (1) employees who didn't care about security doing very dangerous things violating well-known security policies enabled an attacker; or (2) mission requirements demanded remote access, no secure approach was provided and the employees did what they had to do to keep the water treatment systems running. The pandemic forced rapid movement to Work-From-Home and exposed a lot of number 2 out there, especially in smaller organizations.

John Pescatore

Any and all utility controls attached to public networks MUST employ strong authentication. This one measure will reduce risk by eighty to ninety percent. Shared passwords, on the other hand, reduce accountability and otherwise increase risk.

William Hugh Murray

2021-02-09

Microsoft Patch Tuesday: Install Quickly

On Tuesday, February 9, Microsoft released updates to address 56 vulnerabilities in Windows and related software. Eleven of the flaws are rated critical. One of the flaws, a privilege elevation vulnerability in Win32k, is being actively exploited.

Editor's Note

This patch Tuesday fixed a smaller number of vulnerabilities, but it included a few vulnerabilities that need to be patched quickly. Most notable is the DNS server issue. The TCP/IP stack problems also need rapid action. Make sure your perimeter firewalls/routers do not pass IPv4 packets with IP options. This should already be a default configuration but I find a surprising number of devices that still pass them. It is also sad that we are still fighting with these basic TCP/IP implementation issues. TCP/IP stacks have been in use for 40 years. Microsoft included TCP/IP by default starting with Windows 98 and NT 4.0. One would have hoped that it was implemented correctly by now in most operating systems. Forescout this week released a paper outlining how many TCP/IP implementations still do not get TCP sequence numbers right. https://www.forescout.com/company/resources/numberjack-weak-isn-generation-in-embedded-tcpip-stacks/

Johannes Ullrich
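As an added example (not part of this newsletter), a small Python checker that parses a raw IPv4 header and reports any IP options it carries, which can be run over packets captured inside the perimeter to confirm that the filtering recommended above is actually in place. The sample packets are constructed inline, and `parse_ipv4_options`, `has_ip_options` and `build_ipv4` are names chosen here.

```python
import struct
from typing import List

# IPv4 option type codes (RFC 791 and later IANA assignments); unknown codes are reported by number.
OPTION_NAMES = {0: "EOOL", 1: "NOP", 7: "RR", 68: "TS",
                131: "LSRR", 137: "SSRR", 148: "RTRALT"}

def parse_ipv4_options(packet: bytes) -> List[str]:
    """Return the option names in a raw IPv4 packet ([] when IHL == 5); ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes, 20..60
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("IHL inconsistent with packet length")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        otype = opts[i]
        found.append(OPTION_NAMES.get(otype, f"opt{otype}"))
        if otype == 0:                      # End of Option List terminates the walk
            break
        if otype == 1:                      # NOP is a single byte with no length field
            i += 1
            continue
        # every other option carries a length byte that must stay inside the option area
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        i += opts[i + 1]
    return found

def has_ip_options(packet: bytes) -> bool:
    """True if the packet carries any IP option, i.e. a perimeter filter should have dropped it."""
    return bool(parse_ipv4_options(packet))

def build_ipv4(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left zero) plus options padded with EOOL."""
    opts = options + b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + opts

if __name__ == "__main__":
    # Loose Source Route option: type 131, length 7, pointer 4, one hop 192.0.2.3 (constructed)
    lsrr = build_ipv4(b"\x83\x07\x04\xc0\x00\x02\x03")
    print(parse_ipv4_options(build_ipv4()), parse_ipv4_options(lsrr))
```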

2021-02-11

12-Year-Old Windows Defender Vulnerability Fixed

Among the vulnerabilities fixed in Microsoft's February Patch Tuesday is a 12-year-old privilege elevation flaw in Windows Defender. The flaw could be exploited by threat actors with basic user privileges. The update will be installed automatically for users who have that feature enabled.

Editor's Note

This vulnerability was hard to discover as it is in the BTR.sys driver which is only present when needed and has a random name when installed and is purged after execution. BTR.sys performs boot time cleanup of malicious files and registry entries. The fix is in Microsoft Malware Protection Engine 1.1.17800.5 or later.

Lee Neely

The risk associated with old undiscovered vulnerabilities goes up dramatically when they are identified, publicized, or a fix is published. Such vulnerabilities should be addressed in a timely manner. "Privilege escalation" vulnerabilities are an issue for multi-user and managed systems.

William Hugh Murray

2021-02-12

Bloomberg Says Spy Chips Found in Super Micro Computer Products

According to a report from Bloomberg, US intelligence agencies have known for nearly a decade that China has been tampering with products made by Super Micro Computer, Inc. The situation illustrates the susceptibility of "American companies ... to potential nefarious tampering of any products they choose to have manufactured in China."

The Rest of the Week's News


2021-02-10

Adobe Releases Security Updates for Acrobat and Reader, Magento, and Other Products

Hackers are exploiting a critical heap-based buffer overflow vulnerability in Adobe Reader in "limited attacks" targeting users running Adobe Reader on Windows. The flaw is one of 23 fixed in Adobe's February 9 updates for Reader and Acrobat. Adobe also released updates to address 18 vulnerabilities in Magento, five vulnerabilities in Photoshop, two in Illustrator, and one each in Animate and Dreamweaver.


2021-02-10

Authorities Make Arrests in Connection with SIM-Swapping Scheme

Authorities in the UK have arrested eight people in connection with a SIM-swapping scheme that targeted celebrities. The National Crime Agency worked alongside US federal and state authorities on the investigation. Two other people were arrested earlier in Malta and in Belgium.

Editor's Note

Make sure that you've enabled the available protections from your carrier to prevent SIM-swapping. If you haven't checked recently, revisit your account to see if there are added settings you need to enable. If SMS or phone call is the second factor to access your cryptocurrency wallet, consider switching to alternate second factor mechanisms not susceptible to this attack.

Lee Neely

SIM-swapping attacks are expensive, risky, and do not scale well. They rely in part upon the carriers' desire to be responsive to user reports of new, lost, or damaged phones. That said, those who rely upon their mobiles for receiving one-time passwords for high value accounts should be sensitive to not receiving calls or messages that they are expecting. If your phone "goes dead," report it to your carrier immediately. Prefer local password generators to SMS for high value accounts.

William Hugh Murray

2021-02-11

Zerologon Defense, Phase Two

With the most recent security update, Microsoft has begun enforcing phase two of security measures to protect users from the Zerologon vulnerability that was disclosed in August 2020. The severity of the flaw prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive, ordering federal agencies to take steps to protect vulnerable systems by September 21, 2020. The "February 9, 2021 and superseding Windows Updates enable enforcement mode on all supported Windows Domain Controllers and will block vulnerable connections from non-compliant devices."

Editor's Note

This is the last step for fixing CVE-2020-1472, moving DCs into enforcement mode. Prior to this update you could toggle enforcement mode on your DC manually. Devices which cannot be made to use Secure RPC Netlogon need to be manually added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy or they will not be able to authenticate.

Lee Neely

2021-02-09

Web Hosting Company Shuts Down After Cyberattack

A web hosting site has decided to shut down operations after "a hacker successfully compromised all the servers [they] use to operate [their] business." A message posted on its site urges customers to download backups of their websites and databases through cPanel. The company did not provide details about the attack. However, TorrentFreak has reported that two other hosting sites, both of which "provide IPTV services to pirate streaming sites," have recently suffered similar attacks.

Editor's Note

Make sure that you have a plan for recovery if your hosting provider suffers a catastrophic failure. Verify that you not only have backups enabled, but you also know how to retrieve them and restore the services backed up. Test this capability before you need it and verify your provider's DR process. The cost of the backups will be less than the cost of recovery from scratch.

Lee Neely

I really wish this item said, "All customers of a web hosting company that had been completely compromised by attackers cancelled their services, resulting in the web hosting company going out of business." I can't say I know how business decisions are made at "pirate streaming sites" but all too often cloud or other outsourced hosting services are chosen by lowest bid instead of the superior approach of security being evaluated and being a go/no-go decision rule.

John Pescatore

2021-02-10

Critical Flaw in SAP Commerce Platform

A critical vulnerability affecting the SAP Commerce platform could be exploited to allow remote code execution. The flaw affects SAP Commerce versions 1808, 1811, 1905, 2005 and 2011. A patch for the flaw is available.

Editor's Note

I used to dread having to apply patches to our ERP system, particularly critical/urgent ones, both for risk of business interruption and making sure we had sufficient regression testing. The Experian breach taught us that avoidance can have consequences which exceed the business impact of the update, particularly for Internet accessible services. This particular vulnerability, CVSS-2021-41477, requires an authenticated user and has a raw CVSS 3.0 score of 9.9. The fix for this flaw requires manual steps to fully mitigate risks.

Lee Neely

2021-02-10

Responsive Menu WordPress Plugin Flaw

Three flaws affecting the Responsive Menu WordPress plugin could be exploited to take control of vulnerable websites. The plugin has been installed on more than 100,000 sites. An updated version of the plugin is available. Users are urged to update to Responsive Menu version 4.0.4.

Editor's Note

The vulnerable version of the plugin (4.0.0 - 4.0.3) allowed any authenticated user to upload and extract a zip file, resulting in opportunities for remote code execution. While the flaw, once acknowledged, was fixed rapidly and an update was released January 19th, the difficulty in reaching the maintainer suggests looking for alternative plugins with a more reachable support team. Wordfence WAF was updated December 17 and January 16 for the paid and free versions respectively.

Lee Neely

WordPress plugins come with no representation or assurance of quality and have historically been a source of vulnerability. They should be used sparingly, only by design and intent, and must, even then, be diligently policed.

William Hugh Murray

2021-02-11

In Wake of Recent Attacks, Accellion Announces EOL for FTA Software

Cloud service provider Accellion will retire its FTA filesharing product following a number of attacks that compromised data at government agencies and private companies in Australia, New Zealand, Singapore, and the US. The attackers appear to be using SQL injection to install a web shell and from there, steal files stored on the FTA appliance. In a January 11 statement, Accellion noted that it had been made aware of the issue in December 2020 and had "released a patch within 72 hours to the less than 50 customers affected." More recently, Accellion announced that its FTA software will reach EOL on April 30, 2021.

Editor's Note

The FTA appliance is based on CentOS 6, which reached "end-of-life" in November 2020. If you want to continue to use Accellion services for file transfer, you need to migrate to their Kiteworks cloud service. Kiteworks has a FedRAMP moderate authorization. Accellion is sweetening the pot by offering migration services to existing FTA customers. I would not roll my own file transfer service, but rather use cloud solutions such as OneDrive, Box, Dropbox, Drop and Google Drive.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+February+2021+Patch+Tuesday/27080/

https://www.theregister.com/2021/02/09/microsoft_patch_tuesday/


Phishing Message to the ISC Handlers E-Mail Distro

https://isc.sans.edu/forums/diary/Phishing+message+to+the+ISC+handlers+email+distro/27082/


Agent Tesla Hidden in Historical Anti-Malware Tool

https://isc.sans.edu/forums/diary/Agent+Tesla+hidden+in+a+historical+antimalware+tool/27088/


Dependency Confusion

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf 


Google Phishing Statistics

https://cloud.google.com/blog/products/workspace/how-gmail-helps-users-avoid-email-scams


Adobe Security Updates

https://helpx.adobe.com/security/products/acrobat/apsb21-09.html


Apple Sudo Patch

https://support.apple.com/en-us/HT212177


Number:Jack ISN Generation Weaknesses

https://www.forescout.com/company/resources/numberjack-weak-isn-generation-in-embedded-tcpip-stacks/


McAfee Total Protection Vulnerabilities

https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS103114&_afrLoop=787687216282731&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25&centerWidth=100%25#!%40%40%3FshowFooter%3Dfalse%26_afrLoop%3D787687216282731%26articleId%3DTS103114%26leftWidth%3D0%2525%26showHeader%3Dfalse%26wc.contextURL%3D%252Fspaces%252Fcp%26rightWidth%3D0%2525%26centerWidth%3D100%2525%26_adf.ctrl-state%3Dxhwyfc0a5_432


Intel Patches

https://blogs.intel.com/technology/2021/02/ipas-security-advisories-for-february-2021


Discord Used to Distribute Malware

https://www.zscaler.com/blogs/security-research/discord-cdn-popular-choice-hosting-malicious-payloads