Sabotage Shuts Down Iranian Nuclear Site; Name:Wreck DNS Vulnerabilities; Critical Zoom RCE Flaw

Not a lot of details out on this one yet, but an important reminder on two fronts. The obvious one is for power system and other critical infrastructure operators to take immediate action to reduce exposure to similar attacks. But, a broader reminder that back in 2010 the Stuxnet malware attack caused spillover that impacted financial systems and many other networks – good reason for an accelerated push to make sure essential security hygiene deficiencies are addressed rapidly.

John Pescatore

The take-away is to make sure that critical infrastructure is properly protected from cyber-attack. Control systems need to be properly isolated and never directly accessible from the Internet. Further, not only restrict access to known trusted systems, but also monitor that access for anomalous behavior. Make sure that supporting systems, such as power and cooling are similarly protected and monitored. Lastly, practice good OPSEC. One of the take-aways from the Stuxnet incident was that PR photos in front of the control systems were used to reveal the technology used allowing that attack to be very accurately developed and targeted.

Lee Neely

While these are issues that need to be "patched now", the end user may not have the option if vendor firmware is not updated. A better fix is likely an architecture that forces all internal devices to use an internal recursive resolver. While it may not mitigate all the vulnerabilities, it will at least provide visibility into DNS traffic which is crucial for devices that are often only offering limited logging.

Johannes Ullrich

The vulnerable versions of Nucleus NET, FreeBSD, and NetX have been updated, but the trick is waiting on vendor updates to devices with these as an embedded OS. Mitigations include identification and segmentation of devices with the vulnerable TCP/IP stacks, configuring devices to use known good internal DNS servers and monitoring and blocking of malicious or malformed DNS traffic.

Lee Neely

The browser version of Zoom in not affected - a good work around until the patch is available. Good to see that Zoom was one of the sponsors of the Pwn2Own competition that found this one.

John Pescatore

This flaw was revealed and demonstrated during the Pwn2Own event. The vulnerabilities have been reported to Zoom, and no details were made public. The Pwn2Own events have been a great way for researchers to demonstrate their skills responsibly. While depressing to see pretty much every single target fall year after year, this event has been a great source of responsibly disclosed vulnerability details.

Johannes Ullrich

The exploit leverages a weakness in the Zoom Chat product, not the in-session chat which is part of Zoom Meetings or Zoom Video Webinars. The attacker has to either be an accepted external contact or another organizational user. The best mitigation is to use the web client until a fix is released. Also make sure that you’re following best practices to secure online meetings and accept external contact requests only from people you know and trust.

Lee Neely

A rare exception to the rule that one should prefer purpose-built applications to browsers.

William Hugh Murray

As the flaws are being exploited, assume unpatched devices have been compromised. The strategy recommended by NCSC, effectively a factory wipe and reset, (and patched) is a good way to make sure that your device is operating from a known good configuration. Make sure that all your internet facing and boundary protection devices including VPNs, firewalls, load balancers, WAFs are at the top of both the patch priority and security posture review lists. Ensure they are both properly configured and updated.

Lee Neely

Updating your remote access equipment, while most people still work from home, may be scary. But dealing with an incident involving your remote access equipment while working from home is worse. An upgrade can be scheduled.

Johannes Ullrich

This denial of service/access problem that keeps popping up shows the need for certificate discovery and management tools. There are some commercial products and a number of open source tools (like OpenCA and gnoMint) that provide support at scale for certificate management.

John Pescatore

Certificate use has become pervasive, and certificate lifetimes are shrinking, necessitating active monitoring and automated processes to update them automatically where possible. If nothing else, generate a support ticket with sufficient priority and warning to take action without interruption. When using certificates to sign code, be sure to not only use a timestamp server which captures the certificate validity at the time of signing, but also verify the behavior after the code signing certificate has expired.

Lee Neely

Repeat findings on an audit are not something you want. While HHS does have overall strategy for implementing needed processes and controls, OIG found the specific roadmaps and KPIs were lacking, which would drive completing the implementation of those strategies. Make sure that your enterprise strategy has the information needed for success to the lowest layers, including measurable objectives, defined timelines and funded resources. If you are not going to implement a regulatory requirement, such as the Continuous Diagnostics and Mitigation (CDM) program, work that at the highest levels with the regulator, and document the outcome and update your enterprise roadmap accordingly.

Lee Neely

Previously used 4-digit PINs, while encrypted, were trivial to guess, as users often chose predictable values. Having users choose longer passwords, sending account PINs out-of-band, and an emailed multi-factor access code are excellent steps in the right direction.

Lee Neely

While resistant to the rare brute force attacks, it sounds as though this system will continue to be vulnerable to the more prevalent fraudulent credential replay attacks. Strong authentication requires that at least one form of evidence be resistant to replay.

William Hugh Murray

These nominees have not only cybersecurity expertise, but also track records of partnership with private industry. CISA has used those relationships to increase the relevance, effectiveness and value of their services and guidance to both the public and private sector. Extending this partnership model to other cybersecurity roles is necessary to have comprehensive, relevant and effective security leadership.

Lee Neely