SANS NewsBites

Apple Updates Include Fixes for Actively Exploited Flaws; India Air Customer Data Compromised in SITA Breach; City of Tulsa Prevents Data Theft in Ransomware Attack

May 25, 2021  |  Volume XXIII - Issue #41

Top of the News


2021-05-24

Apple Releases Updates to Fix Three Zero-Days

Apple has released updates for macOS 11.4, 10.15 and 10.14; iOS and iPadOS 14.6; watchOS 7.5; and tvOS 14.6 to address three zero-day vulnerabilities that have been exploited in the wild. The XCSSET malware exploited CVE-2021-30713 to bypass macOS privacy protections, while CVE-2021-30663 and CVE-2021-30665 affect WebKit on Apple TV 4K and Apple TV HD devices. Zero-day vulnerabilities have been appearing more often in Apple’s security advisories, frequently tagged as exploited before the fixes were released.

Editor's Note

This is the second time this month that Apple has patched actively exploited vulnerabilities. Either Apple's ecosystem is seeing more attention from attackers, or Apple is being more open in announcing if vulnerabilities are already exploited. Note that this round of updates provides patches for older versions of OS X, like Catalina and Mojave. The most important vulnerability is targeting developers via malicious Xcode projects. Prioritize these patches if you are using Xcode.

Johannes Ullrich

Apple is releasing updates as rapidly as they can to thwart exploits actively being exploited. Unfortunately, this is shortening the update cycle. Even though you likely haven’t finished applying the last OS updates from the beginning of May, you need to keep rolling forward to get these deployed. CVE-2021-30713 is a flaw in the Transparency, Consent and Control (TCC) framework, while the others are focused on WebKit, which impacts both mobile and desktop operating systems. Push the updates to your ADE devices to have users install immediately so you can focus on desktop devices running the other operating systems.

Lee Neely

2021-05-24

Air India Customer Data Affected by SITA Breach

Air India has acknowledged that the SITA data security breach that occurred in February compromised its customers’ personal information. Approximately 4.5 million Air India customers are affected. The compromised information includes names, payment card data, and passport details.

Editor's Note

When you have a data breach, timely notification of impacted parties is critical to allow them to take actions to protect themselves from further harm. Even if, as was the case here, a breach doesn’t include your password, plan to update the password to that service to a new unique one, enabling 2FA if available while you’re at it. Also review information stored to make sure the service has only what is absolutely needed.

Lee Neely

Obviously, another supply chain security issue. But this is also another example of “concentration risk” (like SolarWinds), where suppliers have large market share and offer attackers a highly leverageable target: compromise them and you have access to hundreds of high value targets. If you are in the transportation industry (Amadeus and Sabre have higher market share than SITA), it is good to use this item to recommend that a risk assessment be done of the use of those services.

John Pescatore

2021-05-24

City of Tulsa Prevents Data Theft From Ransomware Attack

The city of Tulsa, Oklahoma, says it will not pay a ransom demanded by ransomware operators behind an attack on the city’s network. The city detected suspicious activity on its network and shut it down before the attackers could access information. Residents have been unable to pay their water bills either online or in person.

Editor's Note

Nice to see a (even if just partial) success story of organizations preventing the full impact of ransomware. Ransomware isn't that hard to detect once it starts "doing its thing," so good for the city to pay attention and stop the ransomware before it exfiltrated the data (and I hope that assessment holds up).

Johannes Ullrich

We can’t call this a complete success story, since it is likely the usual phishing/missing patches/etc. techniques were used at the front end of the attack, but rapid detection and having reliable backups in place puts Tulsa way ahead of other cities that have suffered similar attacks.

John Pescatore

The Rest of the Week's News


2021-05-22

Microsoft Will Retire Internet Explorer Next Year

Microsoft has announced that it will retire Internet Explorer on June 15, 2022, for certain versions of Windows 10. IE will be replaced with Microsoft Edge, which has an IE mode that is able to load legacy web pages requiring Internet Explorer.

Editor's Note

About time. With Microsoft Edge now being based on Google Chrome, there was no need for Internet Explorer to stick around. And as a reminder: If you are designing web applications, do not design them to work with one specific browser, but stick as much as possible to standards that are common among different browsers.

Johannes Ullrich

Note that MS is not going to offer exceptions or extended support for IE11 after June 15, 2022. Investigate using Internet Explorer mode in Microsoft Edge to provide support for legacy applications which require IE11. Leverage the transition guide (https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWEHMs) to use IE mode where needed. IE mode will be supported until 2029, but be aware of the limitations; see "IE mode supports the following Internet Explorer functionality" (https://docs.microsoft.com/en-us/deployedge/edge-ie-mode#ie-mode-supports-the-following-internet-explorer-functionality).

Lee Neely

2021-05-24

GAO Report on the Cyber Insurance Market

A report from the US Government Accountability Office (GAO) examines the evolution of the private cyber insurance market over the past five years, with a focus on how it has responded to increasingly frequent, destructive, and expensive cyberattacks.

Editor's Note

Ben Wright and I have done several webinars examining how security operations are impacted if cyberinsurance is in place and how policy premiums are going up while coverages are going down. Key point to get across to management: having cyberinsurance can reduce incident costs by some fixed amount but they do not cap or transfer risk – and most importantly, cyberinsurance does not eliminate the need to understand and mitigate security gaps that are enabling incidents.

John Pescatore

I’m going to channel my inner Bruce Schneier here, as economics and incentives drive behavior. Insurance companies covering ransomware attacks made it much easier for infected companies to pay, and much easier for cyber criminals to monetize, only incentivizing more attacks. It appears insurance companies may now realize their mistake, charging far greater premiums for far fewer payouts.

Lance Spitzner

Some of the biggest growth in adoption of cyber insurance since 2016 has been in health care and education, which have been prime targets this past year. Even so, this is a fairly new market for insurers, meaning they don’t have a lot of historical loss and cyber event data which is used to quantify risk and set rates, which means premiums are likely to increase, and availability of insurance, particularly relating to ransomware, will decrease. If you have cyber insurance, talk with your broker about their plans, make sure you’re on the same page about what the coverage means. If you are seeking cyber insurance, you may have to look to more insurers to find a solution with the terms you’re expecting.

Lee Neely

2021-05-21

One Call Insurance Discloses Ransomware Attack

One Call Insurance in Doncaster, UK, was hit with ransomware on May 13. The attack appears to have been perpetrated by DarkSide, despite its recent announcement that it was shutting down operations.

Editor's Note

While DarkSide has retired their public facing presence, it is not safe to assume their criminal activities have ceased. Even if this is a look-alike attack, focus first on remediation and prevention of recurrence rather than attribution.

Lee Neely

2021-05-21

Toyota Discloses Subsidiaries Suffered Cyber Attacks

Toyota has acknowledged that two of its subsidiaries have recently experienced cyberattacks. Daihatsu Diesel Company, which designs engines, “experienced a problem in accessing its file server in the internal system on 14 May 2021.” The company stopped the infection from spreading to other offices and has initiated an investigation. Separately, Toyota’s Auto Parts Manufacturing Mississippi has reportedly suffered a ransomware attack.


2021-05-24

FBI Conti Flash Alert: Conti Ransomware Group is Targeting Healthcare and First Responder Networks

In a Flash Alert, the FBI says that the Conti ransomware group hit at least 16 US healthcare and first responder networks within the last year. The alert provides technical details about the Conti ransomware, including indicators of compromise, and recommends mitigations, including implementing network segmentation and conducting regular data backups that are kept offline.

Editor's Note

Absolutely anyone and everyone is a target for cyber criminals, from hospitals and utilities to elementary schools and non-profits. Whatever ethics cyber-criminals may post are quickly forgotten when there is easy money to be made. And even if certain groups were to limit their targets, their ‘affiliates’ most likely will lack such ethical guidelines. In addition, it’s easy to accidentally infect unintended targets or not realize whom they are infecting.

Lance Spitzner

2021-05-24

FBI Analyst Indicted for Stealing National Security Documents

A US federal grand jury in Kansas City, Missouri, has indicted Kendra Kingsley, an FBI employee, for allegedly removing classified documents from her workplace and taking them to her home. The documents were allegedly removed between June 2004 and December 2017. Kingsley worked as an intelligence analyst and held a top secret security clearance.

Editor's Note

The insider threat (both malicious like this one, and well intentioned accidents) and the need to protect stored sensitive data from such unauthorized disclosure don’t get the press coverage that ransomware does, but usually are the cause of the most damaging breaches. Privilege management and access behavior monitoring won’t catch everything but they would have avoided or minimized the damage in most insider attacks.

John Pescatore

Classified is, despite what you may have seen in the movies, not something you can work on at home. It has handling, access, and need-to-know requirements with published consequences. When I was young it was emphasized that having a clearance is not the same as need-to-know. (One does not just “show up” at a classified briefing.) The information in your enterprise should also have classification with clearly defined access and handling requirements. Be clear about what can be processed locally and remotely, and where it can and cannot be stored, and what the storage requirements are. Train users on this regularly, particularly when things change.

Lee Neely

2021-05-21

Mercari is Victim of Codecov Supply Chain Attack

Online marketplace Mercari has disclosed that the Codecov supply chain attack compromised its customer data. Earlier this year, attackers compromised the Codecov Bash Uploader, which allowed them to harvest authentication credentials for Codecov customers. Mercari learned that a malicious actor used their authentication credentials to access private repositories in April. Mercari has deactivated the compromised credentials.


2021-05-21

Fix Available for WordPress Statistics Vulnerability

An SQL injection vulnerability in the WP Statistics WordPress plugin could be exploited to access database information without logging in. The plugin is installed on 600,000 WordPress sites. The issue was disclosed to the plugin developer on March 13, 2021, and an updated version was released on March 25.

Editor's Note

Initial reports indicated you had to be authenticated to exploit this vulnerability; further research found an unauthenticated user can exploit this. This exploit uses time-based blind SQL injection, so exfiltrating information is very slow. If you are using a WAF, the enabled SQL injection module should block the attack; make sure WP Statistics is either updated to version 13.0.8 or uninstalled if it is unused.

Lee Neely
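A defender-side illustration of the WAF check mentioned in the note above, added here as an example rather than code from SANS or the WP Statistics project: a small Python scanner over constructed Apache-style access-log lines that URL-decodes each request target (repeatedly, so double-encoded payloads are still inspected), matches the delay functions that time-based blind SQL injection depends on, and counts hits per client so the slow, repetitive probing pattern stands out. The log lines, IP addresses, timestamps and request paths are constructed for the example and do not come from the plugin or the advisory.

```python
"""Flag time-based blind SQL injection probes in web server access logs.

Added example, not code from SANS or the WP Statistics project. The paths,
IPs and timestamps below are constructed for the demonstration.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-style log lines. The first client sends two
# delay-function probes; the second sends one innocent search and one probe
# that is double URL-encoded.
SAMPLE_LOG = """\
198.51.100.7 - - [24/May/2021:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5123
198.51.100.7 - - [24/May/2021:10:00:02 +0000] "GET /index.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 412
198.51.100.7 - - [24/May/2021:10:00:08 +0000] "GET /index.php?id=1%20AND%20IF(1%3D1%2CSLEEP(5)%2C0) HTTP/1.1" 200 412
203.0.113.9 - - [24/May/2021:10:01:00 +0000] "GET /?s=sleep+well HTTP/1.1" 200 8801
203.0.113.9 - - [24/May/2021:10:01:05 +0000] "GET /index.php?id=5%2520OR%2520BENCHMARK(5000000%252CMD5(1)) HTTP/1.1" 200 300
"""

# Apache "combined"/"common" request line: client, identd, user, [time], "METHOD target proto", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Delay primitives that time-based blind injection relies on, per database engine.
# Only the call form is matched, so a plain word such as "sleep" in a search box
# does not produce a hit.
DELAY_PATTERNS = [
    re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(', re.I),  # MySQL / PostgreSQL
    re.compile(r'\bwaitfor\s+delay\b', re.I),                 # Microsoft SQL Server
]


def fully_decode(value, rounds=3):
    """URL-decode until the string stops changing (bounded), to catch double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one hit dict per request whose decoded target contains a delay primitive."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not access-log requests
        target = fully_decode(match.group('target'))
        for pattern in DELAY_PATTERNS:
            found = pattern.search(target)
            if found:
                hits.append({'ip': match.group('ip'), 'ts': match.group('ts'),
                             'indicator': found.group(0), 'target': target})
                break
    return hits


def suspicious_clients(hits, threshold=2):
    """Clients with at least `threshold` delay probes: blind SQLi needs many requests."""
    counts = Counter(hit['ip'] for hit in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    found_hits = scan_log(SAMPLE_LOG)
    for hit in found_hits:
        print(f"{hit['ts']} {hit['ip']} {hit['indicator']!r} in {hit['target']}")
    print('repeat offenders:', suspicious_clients(found_hits))
```

Run it as a script to see the three flagged requests and the one client that probed twice. The threshold is deliberately low for the sample; against real logs you would raise it and add the response time (the `%D` field in Apache or `$request_time` in nginx), since a successful time-based probe shows up as a request that took exactly the injected delay.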

2021-05-24

Restaurant Reservation WordPress Plugin Flaw Patched

The ReDi Restaurant Reservation WordPress plugin has been updated to address a persistent cross-site scripting vulnerability. The flaw could be exploited to steal reservation information and personal customer data. The plugin developer was notified of the vulnerability on April 15 and released an updated version 10 days later.

Editor's Note

Make sure that you have updated to version 21.0426 or higher of the plugin. A public POC was released Sunday. Lack of input sanitization made exploitation easy by entering malicious JavaScript in the comment field, which is saved to the database without changes, meaning it is executed when the restaurant is viewing the reservation.

Lee Neely
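To show why the stored comment is harmless in the database and dangerous only at render time, here is an added Python example (not the ReDi plugin's code, and not from the newsletter). It stores a constructed reservation comment unchanged in an in-memory SQLite table, then renders it twice: once concatenated straight into HTML, the way the vulnerable plugin did, and once through html.escape() at output. The table and column names, the guest names and the comment text are assumptions made for the example.

```python
"""Stored XSS: storing raw text is not the bug; emitting it unescaped is.

Added example, not the ReDi Restaurant Reservation plugin's code. Table and
column names and the sample comments are constructed for the demonstration.
"""
import html
import re
import sqlite3

# Constructed reservation comment carrying script markup (textbook form only).
MALICIOUS_COMMENT = 'Window seat please <script>alert(1)</script>'

SCRIPT_TAG = re.compile(r'<script\b', re.I)


def open_store():
    """In-memory stand-in for the plugin's reservation table."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE reservations (name TEXT, comment TEXT)")
    return conn


def save_reservation(conn, name, comment):
    """Store the submitted text verbatim, via a parameterised query.

    Keeping the original text is acceptable (it avoids mangling legitimate
    input such as 'Party of <4'); the protection has to happen on output.
    """
    conn.execute("INSERT INTO reservations (name, comment) VALUES (?, ?)", (name, comment))
    conn.commit()


def render_vulnerable(conn):
    """Admin view that concatenates database text straight into the page HTML."""
    rows = conn.execute("SELECT name, comment FROM reservations").fetchall()
    body = "".join(f"<tr><td>{name}</td><td>{comment}</td></tr>" for name, comment in rows)
    return f"<table>{body}</table>"


def render_hardened(conn):
    """Same view, but every untrusted field passes through html.escape()."""
    rows = conn.execute("SELECT name, comment FROM reservations").fetchall()
    body = "".join(
        f"<tr><td>{html.escape(name)}</td><td>{html.escape(comment)}</td></tr>"
        for name, comment in rows
    )
    return f"<table>{body}</table>"


def contains_active_script(markup):
    """True if the markup still carries a live <script> tag (i.e. the escape failed)."""
    return bool(SCRIPT_TAG.search(markup))


def demo():
    """Return (stored comments, vulnerable page, hardened page) for inspection."""
    conn = open_store()
    save_reservation(conn, 'Guest', MALICIOUS_COMMENT)
    save_reservation(conn, 'Party of <4', 'No allergies & no preferences')
    stored = [comment for (comment,) in conn.execute("SELECT comment FROM reservations")]
    return stored, render_vulnerable(conn), render_hardened(conn)


if __name__ == '__main__':
    stored_comments, vulnerable_page, hardened_page = demo()
    print('stored verbatim:', stored_comments[0])
    print('vulnerable page executes script:', contains_active_script(vulnerable_page))
    print('hardened page executes script:  ', contains_active_script(hardened_page))
    print(hardened_page)
```

The hardened renderer is the general fix for this class of bug: escape at the point where untrusted text meets a particular output context (HTML body here; attribute, URL and JavaScript contexts need their own encoders), and do it on every path that displays the data, not just the one the report mentioned. Input filtering on the comment field is a useful second layer but is not a substitute, because the stored value is also read by the admin page, exports and e-mail templates.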

Internet Storm Center Tech Corner

Serverless Phishing Campaign

https://isc.sans.edu/forums/diary/Serverless+Phishing+Campaign/27446/


Locking Kernel32.dll As Anti-Debugging Technique

https://isc.sans.edu/forums/diary/Locking+Kernel32dll+As+AntiDebugging+Technique/27444/


WinRM Vulnerable to http.sys Vulnerability

https://twitter.com/JimDinMN/status/1395071966487269376


NAGIOS Vulnerabilities

https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/


Apple Patches 0-Days

https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/

https://support.apple.com/en-us/HT201222


Mozilla Firefox "Content-Type Confusion" Unsafe Code Execution

https://besteffortteam.it/mozilla-firefox-content-type-confusion-unsafe-code-execution/


Bluetooth Vulnerabilities

https://kb.cert.org/vuls/id/799380

https://francozappa.github.io/about-bias/publication/antonioli-20-bias/antonioli-20-bias.pdf