SANS NewsBites

Fortinet FortiOS Actively Exploited; Automobile Inspections Halted; LinkedIn Job Seekers are Targeted

April 6, 2021  |  Volume XXIII - Issue #27

Top of the News


2021-04-03

FBI and CISA Joint Advisory: APT Actors Actively Exploiting Flaws in Fortinet FortiOS

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert about advanced persistent threat (APT) actors scanning on ports 4443, 8443 and 10443 for known vulnerabilities in Fortinet FortiOS SSL VPNs. The threat actors could exploit the vulnerabilities “to gain access to multiple government, commercial, and technology services networks.” Users are urged to apply updates.
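As an added illustration (not part of the SANS item or the FBI/CISA advisory), the following Python script shows the kind of check a defender can run over perimeter firewall logs to spot sources sweeping the three SSL VPN ports named in the alert. The log format, the field names, the IP addresses and the ten-minute window are all assumptions constructed for this example; adapt the regular expression to whatever your firewall actually emits.

```python
"""Flag external hosts that probe the FortiOS SSL VPN ports (4443, 8443, 10443)
named in the FBI/CISA alert. Added example, not code from SANS or the advisory.

Assumptions (mine, not the advisory's): the firewall writes one line per
connection attempt in the key=value shape shown in SAMPLE_LOG (constructed
for this example), and a source that touches two or more of the watched
ports inside the window is reported as a scanner.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2021-04-02T10:15:01Z src=203.0.113.7 dst=198.51.100.10 dport=4443 action=deny
2021-04-02T10:15:03Z src=203.0.113.7 dst=198.51.100.10 dport=8443 action=deny
2021-04-02T10:15:05Z src=203.0.113.7 dst=198.51.100.10 dport=10443 action=deny
2021-04-02T10:16:00Z src=192.0.2.44 dst=198.51.100.10 dport=443 action=allow
2021-04-02T10:20:00Z src=192.0.2.44 dst=198.51.100.10 dport=8443 action=allow
2021-04-02T11:30:00Z src=192.0.2.44 dst=198.51.100.10 dport=4443 action=deny
2021-04-02T11:31:00Z src=198.51.100.23 dst=198.51.100.10 dport=10443 action=allow
"""

# Assumed line layout: timestamp, then src/dst/dport/action key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_vpn_port_probes(log_text, window=timedelta(minutes=10), min_ports=2):
    """Return {src_ip: sorted watched ports} for sources that hit at least
    `min_ports` distinct watched ports within any `window`-long span.
    Allowed and denied attempts both count: a probe is a probe."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in WATCHED_PORTS:
            events[rec["src"]].append((rec["ts"], rec["dport"]))

    findings = {}
    for src, hits in events.items():
        hits.sort()  # chronological, so each window starts at a hit and looks forward
        for i, (t0, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - t0 <= window}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings


if __name__ == "__main__":
    for src, ports in find_vpn_port_probes(SAMPLE_LOG).items():
        print(f"{src} swept SSL VPN ports {ports}")
```

With the constructed log, only 203.0.113.7 is reported: it touches all three ports within seconds. 192.0.2.44 reaches two watched ports but more than an hour apart, so it stays below the default window, and 198.51.100.23 hits a single port. Widening the window (for example to two hours) surfaces the slower sweep as well, which is the trade-off to tune against your own baseline of legitimate VPN traffic.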

Editor's Note

These are older vulnerabilities, and likely exploited by more than APT actors. Patching a remote access device while everybody is working from home has its risk. But if it is too risky to patch, it would be even worse if the device gets compromised. Patch!

Johannes Ullrich

The vulnerability exploited in CVE-2018-13379 was not only resolved in the May 2019 patch, but also allows attackers to bypass 2FA. Make sure that your Fortinet devices are up-to-date to ensure that your 2FA implementation is not rendered ineffective. Review the IC3 guidance below for important mitigations. Beyond updating your devices and enabling multi-factor authentication, important steps include requiring administrative privileges to install software, using network segmentation, auditing the use of administrator accounts, and configuring systems with the principle of least privilege in mind.

Lee Neely

2021-04-05

Malware Disrupts Automobile Inspections

A malware attack affecting automobile emissions testing company Applus Technologies is preventing vehicle inspections in eight US states. The March 30 attack prompted Applus Technologies to disconnect their network from the Internet. As it is uncertain when inspections will resume, officials in affected states are notifying law enforcement authorities of the situation, asking them not to issue citations for expired emissions inspections. Applus Technologies is also working with customers to ensure that vehicle owners do not incur fines and penalties.


2021-04-05

Spear Phishing Campaign Targets Job Seekers on LinkedIn

Threat actors are targeting LinkedIn users with phony job offers. The spear phishing campaign tries to manipulate LinkedIn users into clicking on a malicious ZIP file that installs a fileless backdoor Trojan known as more_eggs. That malware has the capacity to download additional malware, giving threat actors access to the user’s computer.

Editor's Note

This attack is targeting out-of-work professionals with a personalized compelling campaign, which means user education has to come through non-work channels such as professional organizations, or reaching out to friends who you know to be job hunting. Make sure they are both aware of the campaign and have current endpoint protection on their system. The motivation appears to be access-for-hire – where access to compromised systems is sold to others for use in subsequent campaigns.

Lee Neely

The Rest of the Week's News


2021-04-03

Microsoft Outage Caused by Bug

An outage that affected Microsoft’s cloud services on Thursday, April 1 was due to a code defect that overwhelmed the Azure DNS service, which “led to decreased availability of … DNS service.” The issue was resolved by Thursday evening.

Editor's Note

A good reminder that DNS is still a critical service. Doesn't matter how big your cloud is if nobody can find it.

Johannes Ullrich

Microsoft services detected the issue and recovered themselves after 39 minutes, which is impressive on its own, and Microsoft has made changes to their volumetric spike detection system to reduce that window further. As we put more reliance on cloud service providers, it becomes important to fully understand what their service level objectives are and compare them with your maximum tolerable downtime. Understand and document what recourse is available during a service outage. If you implement monitoring to discover interruptions in service, make sure that it is configured in a way that your CSP will accept your findings as genuine. That may require monitoring from more locations and more sophisticated service checks than initially considered.

Lee Neely

2021-04-05

CISA Now Overseeing .GOV Top Level Domain

An appropriations bill that passed US Congress late last year includes the DOTGOV Online Trust in Government Act, which moves oversight of the .gov top level domain from the General Services Administration (GSA) to the Cybersecurity and Infrastructure Security Agency (CISA) as of April 2021. Currently, just 10 percent of local governments have a .GOV domain.

Editor's Note

Now we just need to get state and local governments to actually use .gov domains. For example here in Florida, one of these three domains is not run by the state. Guess which one: sunbiz.org, myflorida.com, stateofflorida.com. Consistent use of the .gov TLD will make it easier to spot imposters.

Johannes Ullrich

Working with small agencies in the past, the barrier to entry for .GOV domains was just too high as compared to getting a free, or nearly free .US or .ORG domain. Not only does CISA need to get .GOV domains funded, the ROI and time to deliver must outweigh the ease of getting alternate domains. Agency leadership also has to be enrolled in supporting their use as well as informed of options such as grants for technical and non-technical items needed to support transitioning to the new domains.

Lee Neely

2021-04-02

Ransomware: Broward County Schools

Ransomware operators recently demanded a $40 million payment after infecting the Broward County Public Schools network. The Florida school district said it does not intend to pay the demanded ransom.


2021-04-05

Ransomware: CNA Website Operational, Email Functionality Restored

US insurance company CNA has acknowledged that a cyber incident that occurred in late March was a ransomware attack. As of Monday, April 5, the company’s website is operational, and CNA says it “has reestablished email functionality which is protected by multi-factor authentication and a security platform to help detect and block email threats.” The company has also employed additional security measures.

Editor's Note

Ben Wright and I are doing a talk at the RSA Conference in May: “How Risky is Cyberinsurance?” One issue we won’t have time to address is concentration of risk – if an insurer suffers a major incident (such as widespread exploitation of Solar Winds or Microsoft Exchange vulnerabilities) will the insurer be able to meet their financial obligations? In this case, S&P and other credit rating firms say they are not changing CNA’s credit rating. But, since many large enterprises do require supply chain/third-party partners to carry insurance, good to check for too large a percentage with a single cyberinsurance carrier.

John Pescatore

Implementing multi-factor authentication on email has to be a foundational setting we all use. Hosted email providers make this easy to implement. Avoid the temptation to allow VIPs and system administrators to opt-out. In short, they have more access and are more targeted than other users, making them more risky.

Lee Neely

2021-04-05

Facebook Data Leak

Data belonging to more than 530 million Facebook users has been leaked on the darknet. The compromised data include names, phone numbers, birthdates, email addresses and other identifiers. The leak affects users from more than 100 countries.

Editor's Note

This appears to be data stolen in a 2019 breach. Even so, much of this data is still accurate. At that time the Facebook and Instagram function to search by phone number was removed. What has happened is the data has been released, for free, and could be used for social engineering or SIM swapping campaigns. Make sure that your mobile number is protected from unauthorized swapping and your spam filters are configured and working, and review your identity/credit monitoring to make sure you are alerted upon use of your personal information.

Lee Neely

As Facebook’s European Headquarters is based in Ireland, the Irish Data Protection Commission has released a statement in which the line “The DPC attempted over the weekend to establish the full facts and is continuing to do so. It received no proactive communication from Facebook” stood out for me. If Facebook are serious about the personal data of its users, I would expect it to be actively informing the Data Protection Commission of its investigations into this issue. https://www.dataprotection.ie/en/news-media/press-releases/dpc-statement-re-dataset-appearing-online

Brian Honan

2021-04-05

Kaspersky Researchers Discover a Cyberespionage Campaign Targeting Vietnam

Researchers from Kaspersky have found evidence of a cyberespionage campaign that employs sophisticated tactics to “make it significantly more difficult for researchers to reverse engineer the malware for analysis.” The campaign appears to be the work of Chinese state-sponsored threat actors; it targets Vietnamese government and military organizations.


2021-04-02

Stanford University Medical School Discloses Accellion-Related Data Breach

In a message to the Stanford community, Stanford University Medical School said that it experienced a data breach that involved Accellion’s File Transfer Appliance file-sharing service. Threat actors have posted data taken from Stanford University Medical School on a leak site. The compromised information includes names, addresses, Social Security numbers, and financial data.

Editor's Note

A recurring theme with Accellion FTA users is not if they have been breached, but when. The FTA appliance was a secure mechanism for transferring sensitive data between service providers and business partners. Universities used them for student, faculty and staff data transfers, so the impact of exfiltrated data is very broad. If you still have an FTA appliance, it needs to be decommissioned and replaced. You will want to forensically analyze them to establish what data may have been accessed. If you don’t have in-house expertise, engage security services with direct experience with the FTA breaches to work with you through this process.

Lee Neely

One might conclude that open-source intelligence has failed to communicate this vulnerability. What does this say about the effectiveness of open-source intelligence? SANS is doing its part.

William Hugh Murray

Internet Storm Center Tech Corner

C2 Activity: Sandboxes or Real Victims

https://isc.sans.edu/forums/diary/C2+Activity+Sandboxes+or+Real+Victims/27272/


Exploitation of Fortinet FortiOS Vulnerabilities

https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios

https://www.ic3.gov/Media/News/2021/210402.pdf


GitHub Actions Used to Mine Crypto

https://therecord.media/github-investigating-crypto-mining-campaign-abusing-its-server-infrastructure/


Large Facebook Leak

https://thehackernews.com/2021/04/533-million-facebook-users-phone.html


LinkedIn Spear-Phishing Campaign Targets Job Hunters

https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/


Malicious Text Files (CVE-2019-8761)

https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html


Rust Privacy Concerns

https://www.bleepingcomputer.com/news/security/most-loved-programming-language-rust-sparks-privacy-concerns/