Colleges New Target Of Ransomware Wave; and Ransomware Attacks on Compromised Exchange Servers

These Exchange Server exploits follow an accelerated timeline of adoption by new criminals: from nation state attacks -> organized crime -> commodity ransomware attacks. Again: If you are not patched, you are compromised. Also consider Business E-Mail Compromise (BEC) attacks a possibility. They are more difficult to detect and may not make the news, at first.

Johannes Ullrich

Microsoft released a one-click tool aimed at companies, in particular SMEs, to use to identify whether they have been compromised and/or vulnerable, and to help remedy if they are. The tool is available at https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/

Brian Honan

Not an emergency. Patch as updated packages become available. Sadly, privilege escalation vulnerabilities are too common to really worry about them too much.

Johannes Ullrich

While you may no longer have SCSI or iSCSI devices, the loadable modules are still installed with the OS. As kernel modules can be loaded by non-privileged users, it’s a good idea to look at hardening the processes around loading kernel modules and allowing only authorized/approved modules to load. While each Linux distribution is slightly different, modules can be denied by editing the modprobe configuration files to not only prevent the loading, but also to change the install for a given module to /bin/false.

Lee Neely

The key issue with Linux vulnerabilities is all the different flavors of Linux that might be in use in your environment, especially in appliances and ICS-type equipment. That impacts not only the level of severity of the vulnerability but also the availability and timeliness of patching. This type of vulnerability – “vestigial” capabilities that aren’t used much but are left in software to end\sure backwards compatibility – are a continuing goldmine for attackers that Windows and Linux suffer because of the broad base of hardware that runs those OSs and the many, many, many years they have been out. It really is time to change the planning around IT lifecycle/depreciation schedules to be closer to mobile device short timeframes than the current schedules which really date back to mainframe days.

John Pescatore

Redacting information requires a careful choice of tool and technique to avoid using mechanisms which can be bypassed. With PDF and other modern document types, it’s easy to overlook the hidden data included by default, from embedded files, to information about the author, organization and even software versions used. The published paper enumerates 11 types of hidden data in PDF files. The best tool for removing metadata from PDF files is Adobe Acrobat.  NSA has published a guide for redacting files using Adobe Acrobat Pro. https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/applications/redaction-of-pdf-files-using-adobe-acrobat-professional-x.cfm

Lee Neely

Or maybe we need fewer PDFs? Reviving the art of creating readable plain text documents may be easier and more effective than sanitizing PDFs.

Johannes Ullrich

When outsourcing functions, whether to a hosting center or a cloud provider, look carefully at geographic separation to prevent single points of failure. When services were in your data center, you had discussions about separations to prevent a single incident taking down your systems and you sent backups to an offsite facility for storage. These same risks apply here. Cloud services make it easy to have regional separations, most often considered for availability, but also consider separations for recovery as well, separate backups and services. Similarly, have backups in a separate co-location service from your hosted systems if you’re not retaining them in your data center.

Lee Neely

Fire safety is usually outside the expertise of cybersecurity teams, but it is just as complex – putting one group in charge of both has been promoted, but often makes no sense. Many UPS systems involve batteries and there are numerous scenarios where batteries can be mismanaged or undermaintained and burst into flames. There are also many storage scenarios which innocuous maintenance materials (antifreeze, fertilizer, burlap sacks, etc.) may be stored too close together and lead to fires. This is a good example to use to drive inspection if your group is responsible for fire safety.

John Pescatore

Too many people feel that once their data is in the cloud they no longer need to worry about backups.

Brian Honan

Microsoft sources say they suspect that one of their MAPP business partners released the code. Vulnerability and supporting information, such as proof-of-concept code is released to these partners as part of their patch release process. If a partner was the source of the leak, they will face consequences, including ejection from the MAPP program. The possible risks of the MAPP program indicate timely application of released updates is prudent.

Lee Neely

This will be watched very closely by the EU because the UK has now left the EU via Brexit. The UK has been granted temporary adequacy (meaning companies within the EU can continue to transfer personal data to organisations within the UK) until the end of June this year. However, should the EU deem the measures the UK are testing with this project to be in breach of the rights of EU citizens, the EU may not grant the UK ongoing adequacy from July 1, leading to major personal data transfer issues between the EU and the UK.

Brian Honan

Luckily, Google Chrome has a reasonably solid auto-update scheme. Just make sure to restart Google Chrome at least once a day.

Johannes Ullrich

The updates have not aligned with patch Tuesday, meaning you’re going to have to kick off an out-of-band patch sequence. Make sure to tell users to close Chrome, because you’re going to have to do that for them to apply the update. Make sure your other Chromium based browsers are up to date as well.

Lee Neely

Browsers have become so general, flexible, feature-rich, and complex that they are inherently risky. Prefer purpose-built apps for sensitive applications.

William Hugh Murray

The POC demonstrates that current Spectre mitigations are incomplete. Google has published guidance on new security defenses to mitigate both Spectre-style and common web-level cross-site leaks (https://security.googleblog.com/2020/07/towards-native-security-defenses-for.html). These defenses are dependent on new security features introduced in Chrome 83 and Firefox 79 and if followed can help create applications more resistant to CSRF, XSS, DOM based and other information leak attacks.

Lee Neely

A much faster approach would be to simply photocopy the reports from any of the numerous other task forces that have been launched by the US Federal Government in the last decade or so on the same topic. I provided input to one in 2012 or so and would just cut and paste my same recommendations today.

John Pescatore

Paying attention to your supply chain is really important, particularly when a known supplier is acquired by one who may not have your best interests at heart. Discovery may reveal hardware and software products no longer appropriate for your enterprise which will then have to be replaced or constrained. That analysis has to be supported by detection capabilities and response to prevent malicious activities not yet surfaced by your supply chain analysis.

Lee Neely

Even if we are unable to hold vendors responsible for the quality of their own code, we must hold them accountable when they distribute malicious code from other sources. We will not secure the supply-chain by putting all the onus on the end-using enterprises.

William Hugh Murray