NSA OT Cybersecurity Guidance; Researchers Find Flaws Affecting OT and IoT Devices; Pulse Secure Fixes Critical Flaw; Apple Updates iOS to Fix Critical Zero-Day Flaw

The NSA advisory below is only four pages and focuses on evaluating the risks around connectivity from IT to OT as well as guidance for improving the security of your OT systems. Understand, monitor, and document your OT access to those components as well as having gold images and configurations to enable restoration if needed. Segmentation and otherwise only allowing authorized access to OT is an achievable goal. Use the guidance to verify protections are in place as well as provide a plan to improve your cyber hygiene, then track that plan updating as needed. Remember to adjust your lifecycle expectation from years to decades when evaluating OT.

Lee Neely

This short advisory is really just an update and summation of previous guidance from DoD, FBI, Canadian authorities and industry/academia experts that came out of analysis of the 2015 Ukrainian power grid attack. The first paragraph of the executive summary is good material for a push out to CXOs and boards of directors.

John Pescatore

The blog from MSRC explains how these exploits work and provides suggested mitigations. Couple those suggestions with the guidance from NSA above on improving OT cyber security to develop a holistic approach to securing OT. As with any vulnerabilities, patch when available, monitor activity, segment and verify the allowed connections are what you think they are.

Lee Neely

The CISA ICS CERT advisory lists over twenty real time operating system versions that have the flaw (https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04). The list includes well-known names like Amazon, Apache, ARM, Google, Redhat, Samsung, and Windriver/VXWorks, along with many niche RTOS versions. Too often well-known safe coding practices are ignored for memory and processor constrained products, which is like auto manufacturers making the decision to not put oil and fuel filters in cars with small engines.

John Pescatore

This vulnerability was disclosed last week, and had already been actively exploited at the time. As usual: Assume compromise, don’t just patch and move on. A tool to verify the integrity of your PulseSecure firmware was made available last week.

Johannes Ullrich

If you haven’t yet patched the older vulnerabilities, now that the patch for these more recent ones is available it is time to shut down VPN services until all patching is complete. The US federal government deadline for doing so was April 23.

John Pescatore

If you’re running Pulse Connect Secure 9.0RX or 9.1RX immediately update to version 9.1R11.4 after getting a clean bill of health from the Pulse Secure Integrity Tool. Don’t forget running the Integrity tool will reboot your device. Be sure to follow the guidance relating to expired certificates if you’re updating from versions prior to 9.1R8.x.

Lee Neely

Even though you started the iOS 14.5 and macOS 11.3 updates last week, CVE-2021-30665 and CVE-2021-30663 apply to iOS 14.5, iPadOS 14.5, watchOS 7.4 and macOS 11.3. And because they are actively being exploited, you need to push the update to users who may have already updated to 14.5 or 11.3. Users updating now will be able to do so in a single step. If you have older devices on iOS 12, there is also an update for them. Better still replace these old devices, while Apple is has released security updates, application vendors have been dropping support for iOS 12.

Lee Neely

Apple doesn’t release a patch within days of a recent point release unless they have to. Update!

Johannes Ullrich

It is now pass the stage where Apple should release patches in a manner similar to Microsoft’s patch Tuesday schedule. Apple’s devices have grown from being niche devices within many organisations to being used extensively in table, smartphone, and laptop format.

Brian Honan

Export control is a big deal. It has implications not only when operating internationally but also when you employ foreign nationals, which are different from US persons. Be aware of embargoed countries, such as Iran, and make sure that your legal team is current on export control laws. Provide guidance to employees as part of their annual training.

Lee Neely

This is an unauthenticated attack vector and allows the bypass of 2FA. As such, you should be running the integrity checker as well as looking for evidence of unauthorized access to your network, whether public or private sector. Make sure that all accounts are active and authorized. Having a forensic image of your device prior to patching will aid analysis.

Lee Neely

The attack leveraged the “Royal Road” RTF tool to deliver the PortDoor backdoor. While prior attacks leveraging Royal Road delivered a payload with the name “8.t” this variant includes a document which, when opened, drops the encoded file “e.o” which fetches the PortDoor implant. Make sure that your IOCs are updated.

Lee Neely

Exploitation of this vulnerability is trivial, and sadly, it is yet another example of an API not requiring authentication. Developers often ask for security advice regarding current frameworks and tools they are working with. In the end, it comes back to old stupid flaws we have been making for decades. Do not “chase the squirrel” but realize, that in the end, you are still dealing with HTTP requests that need to be validated, authenticated, and access controlled. Your output also still needs to be appropriately encoded. Newer frameworks may make this easier IF you read the respective guidance on how to take advantage of your framework.

Johannes Ullrich

Restoration from these sorts of attacks has been weeks versus days. Think about what you’ve deployed to hosting providers and what would happen if they were offline for a week or two. Ask if you have the ability to recreate those services without dependency on the offline hosting provider. Make sure you are leveraging location and path diversity and redundant services to minimize the risks of a single data center outage. Document your decisions; make sure senior management agrees.

Lee Neely

This is an expected evolution in the modus operandi of the criminals behind ransomware attacks. They are motivated by money and will focus their efforts on organisations that are more likely to pay. Cloud service providers are therefore a ripe target given the amount of data and services they manage on behalf of their clients. I recommend doing some desktop exercises as to what would your organization do in the scenario where one of your cloud service providers gets hit by ransomware and your data is impacted?

Brian Honan