Dev Tools as Supply Chain Attack Target; Early Signs of SolarWinds Related Malware; Industrial Networks Using EtherNet/IP Stack Vulnerable

If you had any keys, credentials or tokens in your CI environment, and you’re using the Codecov CI runner which includes their Bash Uploader, you need to consider them compromised and you need to start revoking/updating or creating new ones. Also make sure that digital signatures are verified when doing updates. Even if you’re running an internal deployment, make sure you’re running the known-good versions of the software.

Lee Neely

Yet another software supply chain compromise. Just like similar compromises, we may see additional fallout from this as the attackers behind this were able to harvest some credentials used in CI/CD pipelines. If you are using Codecov, and were affected, make sure you update your credentials (and also look into methods to automatically rotate them from time to time).

Johannes Ullrich

Two important aspects to this item: (1) Attackers are increasingly focusing on the tools used by developers which are often built without emphasizing security and often go untested even when they are use in software development lifecycle that includes security testing of the end software product; (2) The Register piece quotes a survey of developers by the Open Source Software Security Foundation (the 2020 consolidation of the Open Source Security Coalition and the Core Infrastructure Initiative) that says developers of free and open source software spend less than 3% of their time on security and feel even that is too much. While the DevOps movement has shown promising trends in making security and privacy “guard rails” be considered intrinsic requirements, it has not resulted in developers magically becoming security experts or champions.

John Pescatore

The VirusTotal screen shot shows that as of last week, 54 of 70 security vendors flagged this file as malicious, but it does not show what the identification rate was when the malicious file was first submitted. Despite a lot of hype around Artificial Intelligence/Machine Learning solving malware as a problem, servers running critical applications with privileged access on sensitive network segments should have strong application control/permission management security policies in place, not just rely on end point detection and response agents.

John Pescatore

I find the combination of exploits and techniques used in an attack fascinating and educational. This is also a stark reminder that defense in depth is as prudent as ever. Leverage these types of disclosures to make sure that you don’t have a similar weakness. In this case make sure you’re applied the updates to VMware Workspace One Access which address CVE-2020-4006.

Lee Neely

We had a long list of basic IP stack vulnerabilities like this this year, for example the Treck IP Stack and Name:Wreck vulnerabilities. Many affect IoT devices, and have in common that they are difficult or impossible to patch. Network segmentation appears to be the only workaround to help.

Johannes Ullrich

This can be exploited by sending specially crafted packets to vulnerable devices. OpENer is an EtherNet/IP stack for I/O adapter devices. If you’ve incorporated it yourself, you can apply the latest commits from their repo and update your stack. More likely it’s embedded in your control systems. You’re going to want to use the US-CERT/CISA mitigations below including segmentation, applying updates when available and blocking them from either Internet access or direct access from your corporate net.

Lee Neely

EtherNet/IP is widely used where both TCP/IP and the Common Industrial Protocol are used. The Open DeviceNet Vendors Association (ODVA) manages the standard and product conformance testing and lists over 100 products using the EtherNet/IP stack. Segmentation around industrial networks should be reviewed/strengthened since discovery and remediation will be complex.

John Pescatore

The risks from this attack weren’t limited to agencies. If you’ve not looked at your SolarWinds install for IOCs, go to the CISA site (https://us-cert.cisa.gov/ncas/alerts/aa20-352a) for vulnerability information, mitigations as well as IOCs.  Make sure there are no remnants, forgotten or unpatched installations.

Lee Neely

While you may see fewer alerts from CISA on Orion or Exchange, the importance of monitoring for malicious behavior and keeping  secure updated configurations doesn’t change. Make sure your supply chain security plans include monitoring for maleficence or unusual behavior, introduced by an unchecked malicious update, such as today’s Codecov Bash Updater story.

Lee Neely

We cannot patch our way to security. If we did not already know that, SolarWinds should convince us. While further remediation efforts may have diminishing returns, the “supply chain” as a means of compromising thousands of enterprises at a time demands a policy response. Those who recklessly, or even negligently, distribute malicious code (as opposed to those who distribute vulnerable code through error) must be held accountable.

William Hugh Murray

BGP routing leaks will continue to happen. There are technologies to prevent them, but universally adopting them is difficult. Ultimately, you do not control where packets are going after they leave your network. Properly configured TLS is your best bet to mitigate the threat.

Johannes Ullrich

There is a lot of really bad code being patched carried along in many products that really should be rewritten or removed – does anyone really miss Flash? While this move by Mozilla really just means that browser extensions will be launched if FTP is needed, good to see all of the browser vendors jettisoning minimal useful functions and reducing browser complexity.

John Pescatore

This means you’re going to need a browser extension to perform FTP from your browser, or better still use an FTP application for those times where you still need it. Most file transfer services now use web servers for downloading files rather than FTP.

Lee Neely

File transfer is a useful, not to say necessary, function. However, the continued use of historically broken tools continues to leak information and must end.

William Hugh Murray

FLoC seems to be changing generally available cookies for grouping based on browser history for more targeted advertising as defined by Google. The predominant response towards tracking is to have an environment of opt-in, explicit permission for tracking rather than implicit tracking. Unfortunately all the browser manufacturers are coming at it slightly differently. Until the W3C comes out with a new standard, make sure that you’re enabling privacy options, with the exception of FLoC. Chrome users can opt-out of FLoC by either going to Settings, Privacy and Security, Cookies and Other Site Data and selecting “Block third-party cookies” or by installing the DuckDuckGo extension for Chrome.

Lee Neely

It is generally a good idea to treat any “privacy enhancement” initiative from a company that monetizes their customers' personal data with a large dose of skepticism.

Brian Honan

So you noticed your WordPress site was updated to 5.7.1 right? Now you need to make sure you’re on the current PHP. PHP 7.4 was released in 11/28/19 and is actively supported until 11/28/21 and PHP 8.0 was released 11/26/20 and is supported until 11/26/22. Don’t wait for active support to end prior to updating. Since PHP releases versions at the end of November/beginning of December, you can plan around that.

Lee Neely

While less porous than browsers, WordPress continues to be a problem. Use with due caution. Prefer purpose built applications.

William Hugh Murray

There is little to substitute for good management and supervision, but multi-party controls, and Privileged Access Management systems to implement them can reduce the risk to more reasonable levels.

William Hugh Murray