Exchange Server: The Attack That Keeps On Giving (Pain); and Big Cyber Flaws in Power Management from GE

Make sure that you’ve checked for IOCs after you patch. The vulnerabilities area being actively exploited, and even if you applied the patches the day they were released, you still need to verify that your system is clean. Both Microsoft and CISA have published free tools to scan your system. The Microsoft EMOT tool has been updated to be easier and more effective than the prior version and will download and install the MS Security Scanner. https://github.com/microsoft/CSS-Exchange/tree/main/Security

Lee Neely

Internet wide scans proceeded the patch. Assume breach if your Exchange server was exposed to the internet before you applied the patch.

Johannes Ullrich

DearCry appears to be a quickly developed package which encrypts not only data, but also executables and DLLs, rendering the system unusable. BlackKingdom is a more mature traditional ransomware, and security firms can provide help with file recovery if needed. Mitigate the risk by applying patches, scanning for IOCs and making sure that you have real-time detection of attempted exploitation.

Lee Neely

The Defender mitigation addresses the ProxyLogon vulnerability. Even with the Defender mitigation, you still need to apply the patches for a comprehensive fix as well as scan to make sure your system has not been compromised. The Microsoft EMOT tool is designed to make this easy and can remediate issues found.

Lee Neely

The list of vulnerabilities found in GE’s firmware is pretty much like reading the OWASP Top 10 software vulnerabilities list from 2005! This is true for many of the operational technology and “Internet of Things” vulnerabilities being disclosed – lots of vulnerabilities caused by prioritizing convenience (easy installs) over security and these devices put many obstacles in the way of easy patching. Essential security hygiene or at least strong segmentation and break/fix windows for patching should be high priority. Spending on Computerized Maintenance Management Systems (CMMS) by OT teams is a $1B per year market. Find out if your company is using a CMSS product and try to get firmware updating to be part of routine maintenance planning.

John Pescatore

The list of disclosed vulnerabilities is both long and reminiscent of vulnerabilities we learned how to avoid years ago. Note that the version 7.4 firmware update added SSH V1 support and version 8.1x has support for weak SSH algorithms. Beyond updating the firmware, use network segmentation, firewalls, and isolation to limit access to these devices to only authorized devices as it is not clear the weak protocols can be disabled. Don’t allow direct access from the Internet or your enterprise internet. See also the CISA control systems recommended practices for references on ICS defense in depth and improving ICS overall cybersecurity: https://us-cert.cisa.gov/ics/recommended-practices.

Lee Neely

While the motivation for the hack appears to be raising awareness of private company and government-sponsored surveillance and the corresponding impacts on privacy coupled with inadequate security, unauthorized hacking is going to run you into legal entanglements. Worse still, if you’re taking action in support of class-action lawsuits intended to change legislation, it can render your work inadmissible. If you’re interested in disclosing security shortfalls, use the processes of a responsible disclosure organization to do it legally.

Lee Neely

Exploitation of the vulnerability is trivial, and exploits are widely available. An attacker will first use a SSRF vulnerability to obtain credentials. Next, they will use these credentials to execute code. Exploits have been easily available for a few days now.

Johannes Ullrich

Adobe gives the security bulletin a priority rating of 2, which indicates that while it’s not actively being exploited, this is a product which has historically been at risk so you should plan to update soon (within 30 days.) Don’t wait for someone to discover your unpatched server. Note that you need to not only apply the corresponding ColdFusion update, but also update your JRE/JDK to the latest versions of the LTS releases for 1.8 and JDK 11 to secure the server. The Adobe security update site below also has links to guides for locking down your ColdFusion server which should be leveraged.

Lee Neely

Details from Adobe are sparse, but the vulnerability may allow unauthenticated remote code execution. Patch now! You may actually have a few days before an exploit is released.

Johannes Ullrich

The Accellion FTA is being actively targeted and has been since December. Even if you apply the patches to extend the life of the service while you transition, you must check the device for indicators of compromise. At this point it may be better to take it offline and accelerate the migration than accept the risk of further compromise.

Lee Neely

This is the latest example of a breach caused by the Accellion File Transfer Appliance. Other victims include Qualys, Flagstaff Bank, Kroger and more. This also illustrates the fundamental challenge of enterprise computing. Accellions FTA is a 20 year old product that was no longer well maintained by the vendor (and officially declared end of life earlier this year after the recent rash of exploits). It is difficult for enterprises to remove these legacy devices form their network.

Johannes Ullrich

Flagstar is offering two years of free credit monitoring to affected individuals. If you don’t already have credit monitoring, accept the offer. Otherwise, multiple monitoring services do not add much value. Note that financial institutions may acquire your personal information in unexpected ways, such as when they purchase your loan from the originating institution, and have retention requirements, mandated by regulators, which exceed the time you’re a customer. As a business, retain personal information the minimal amount of time, making sure you don’t have caches of unpurged data.

Lee Neely

The term “Smart City” is like “Internet of Things” – very broad terms that often contain very different technologies or use cases. Comparison of risk across the disparate items within those broad buckets isn’t very meaningful. It is more important to focus on requiring essential security hygiene to be built into all products and systems being procured as part of “Smart City” initiatives.

John Pescatore