SANS NewsBites

Fake Crypto App Leads to Worldwide Arrests; Pipeline Ransom Recovered; VMware vSphere Under Attack

June 8, 2021  |  Volume XXIII - Issue #45

Top of the News


2021-06-08

Australian Federal Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App

The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured specifically to run it, and starting in 2018 those phones were distributed on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”

Editor's Note

Finally a "good" supply chain attack and congratulations to everybody involved in executing just a massive operation. But maybe also a subtle reminder that your end-to-end encryption depends on the vendor doing what they promised.

Johannes Ullrich

The takedown involved about 4,000 law enforcement officers processing 25 million messages and executing 525 search warrants across Australia. It is estimated the ANoM app had 9,000 users world-wide. This is an excellent example of international cooperation of law enforcement agencies. Unfortunately, like burning a successful 0-Day, this also marks the end of the ANoM app's viability. Part of the decision to stop monitoring and making arrests was a blog posting this March (since deleted) detailing the behavior of the ANoM app, which didn’t correctly attribute the backdoor to the FBI.

Lee Neely

2021-06-07

US Dept. of Justice Recovers Portion of Colonial Pipeline Ransom

The FBI has recovered $2.3 million of the $4.4 million in Bitcoin paid to the Colonial Pipeline ransomware operators. Colonial Pipeline notified the FBI early, which helped investigators track the payment to a specific cryptocurrency wallet. The FBI seized the bitcoin under a court-authorized seizure warrant.

Editor's Note

While there is little guarantee of a positive outcome, early collaboration with a group such as the FBI can allow them to disrupt and trace cryptocurrency transactions. While only part of the overall solution, shutting down the ability to easily process and launder cryptocurrency is a step in the right direction for discouraging or stopping ransom payments.

Lee Neely

Your organization should have an active and trusted partnership with law enforcement BEFORE incidents happen. Take your local FBI out to lunch quarterly and get to know them; it’s an investment that can pay literally millions in return. This is especially true for financial attacks like CEO fraud, where law enforcement can often claw back (retrieve) stolen funds if reported within 72 hours of the incident.

Lance Spitzner

While it isn't clear yet how the FBI gained access to the private key, this is clearly an important success and shows how law enforcement may be able to recover some of the funds. More important than the monetary loss to the criminals is the fact that it does disrupt the fragile trust between ransomware actors if they are not able to pay parts of their supply chain.

Johannes Ullrich

2021-06-07

Threat Actors are Targeting Unpatched VMware vCenter and Cloud Foundation Software

Threat actors are actively scanning for unpatched installations of VMware vCenter Server and VMware Cloud Foundation. VMware released fixes for the critical remote code execution vulnerability in late May, but systems remain unpatched.

Editor's Note

There are three things you can do to mitigate this attack: (1) make sure vCenter is not exposed to the Internet; (2) disable the vSAN Client Plugin if possible; and (3) patch. For details on disabling the vSAN and other plugins see VMware KB 83829: https://kb.vmware.com/s/article/83829

Johannes Ullrich

This vulnerability doesn’t require authentication to exploit, so you cannot depend on your authentication solution to protect you. Restrict vCenter access to authorized devices only. Make sure that your patch/update processes include vCenter. Verify this update is applied.

Lee Neely

The Rest of the Week's News


2021-06-07

Colonial Pipeline CEO to Testify Before House and Senate Committees This Week

Colonial Pipeline CEO Joseph Blount is scheduled to testify at the Senate and House Homeland Security Committee hearings on Tuesday, June 8 (Senate) and Wednesday, June 9 (House). According to written testimony, Blount paid the $4.4 million ransom to get the pipeline “back up and running” as quickly as possible. In the document, Blount also indicated that the company believes the attackers gained initial access to the organization’s network with a compromised VPN account password. Although the account was no longer being used, it was still able to access Colonial Pipeline’s network. The account has since been deactivated.

Editor's Note

For the past three years, the Verizon DBIR has identified the human as one of the primary drivers of breaches. In fact, for their 2021 report they put a number to it: 85%. The top two human risks for the past three years? Phishing and passwords. 2FA is probably the number one control I would suggest organizations start with.

Lance Spitzner

2021-06-07

Another Pipeline-Related Attack: LineStar Integrity Services

LineStar Integrity Services, a company that provides pipeline compliance, technology, and integrity maintenance solutions, was hit with a ransomware attack around the same time as the Colonial Pipeline attack. While the company has not made any public statement about the attack, 70 GB of internal LineStar data were recently posted to a leak website.


2021-06-04

Google’s Open Source Insights Project

Google’s Open Source Insights Project aims to help developers visualize their dependencies. The Open Source Insights site “provides an interactive view of the dependencies of open source projects.”

Editor's Note

Nice work Google! Not only does this project illustrate dependencies among components, but Google is also flagging known vulnerable versions of components to make mitigation easier.

Johannes Ullrich

2021-06-07

GitHub Policy Update

GitHub has updated its policies regarding malware and exploit code hosted on the site. In a blog post, GitHub CSO Mike Hanley writes that they “explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits.” The new policy includes clarification about when GitHub may disrupt attacks, noting that “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we've further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.”

Editor's Note

The change in policy clarifies when they will disrupt activities causing harm, while still permitting PoC exploit code; e.g., using GitHub for C2 is disallowed, but hosting the code for Metasploit or Mimikatz is permitted. They also suggest creating a SECURITY.md file with contact information to help in dispute resolution within the community. Read the updated GitHub policy to ensure you’re still following it, verify your repository has appropriate access controls, make sure only the code intended is stored there, and check to prevent accidental inclusion of passwords or security keys.

Lee Neely

The update does balance researchers’ abilities to share code while at the same time protecting the public. We will have to see how the policy is applied. But for example, having malware directly download additional code from GitHub is likely going to lead to the removal of the code.

Johannes Ullrich

2021-06-06

WebExtensions Community Group

Major browser makers Microsoft, Google, and Mozilla have formed the WebExtensions Community Group (WECG) to examine ways “to advance a common browser extension platform.” The group will focus on browser extension security and performance. Other browser makers are invited to join WECG.

Editor's Note

Take a look at the extensions in your browsers, removing the ones you’re not using; make sure they are updated and supported. The WECG is striving to have extensions maintain security, performance, privacy, and compatibility while prioritizing end-user needs over developers’ needs. Their principles are inspired by the W3C TAG Ethical Web (https://www.w3.org/2001/tag/doc/ethical-web-principles/) and HTML Design (https://www.w3.org/TR/html-design-principles/) principles. It is hoped that this specification has more adoption than the work done by the Browser Extension Community Group.

Lee Neely

2021-06-04

Microsoft’s ElectionGuard to be Piloted in Hart InterCivic Voting Machines

US voting machine vendor Hart InterCivic will pilot Microsoft’s ElectionGuard software in its Verity voting systems. ElectionGuard is open source software that ensures ballots are verifiable. The Verity machines will create paper backups, utilize encryption in a way that protects privacy while allowing votes to be counted, and let voters check whether their vote has been counted.

Editor's Note

Remember the conversation of build vs. buy? Microsoft has developed software to help voting machine makers consistently implement needed transparency, security, and integrity, which can be independently verified and ultimately help the certification process. The downside is that any flaws in ElectionGuard may be present on all systems using it. Document the risks and ROI when making this decision.

Lee Neely

2021-06-07

Siloscape Malware Targets Windows Containers

A researcher at Palo Alto Networks Unit 42 has discovered the first known malware that targets Windows containers. “Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.”

Editor's Note

Verify your Kubernetes clusters are properly configured, whether local or cloud based. This exploit starts by leveraging known vulnerabilities in running containers, then impersonates the CExecSvc to obtain SeTcbPrivilege, using the undocumented NtImpersonateThread call, to create a global symbolic link to then access the C drive and try to create new Kubernetes deployments. The exploit doesn’t require admin privileges to be successful. The backdoor uses a Tor client to connect to a .onion C2 server. Verify your container image update process to ensure that patches are deployed in your running containers in a timely fashion.

Lee Neely

2021-06-04

CODESYS Vulnerabilities

Researchers from Positive Technologies have found 10 vulnerabilities in CODESYS automation software. The flaws could be exploited to remotely execute code on programmable logic controllers (PLCs). The vulnerabilities are due to insufficient verification of input data. CODESYS has released advisories (2021-06, 2021-07, and 2021-08) and updates.

Editor's Note

This is another vulnerability that can be exploited without authentication. Control systems need proper isolation; permit network connections to them only from authorized devices, particularly for PLCs, which are extremely sensitive to inappropriate connections or malformed communication. Make sure those isolated segments are actively monitored for inappropriate traffic.

Lee Neely

Back in the days of the mainframe, I owned the input editor for a large multi-user system. Its job was easy; it dealt with a single, alpha-numeric, code set in a single level closed environment. Two generations go by and the Carnegie-Mellon CERT reports that more than half of the vulnerabilities reported to them resulted from input validation failures. I still thought of it as an easy problem. Then I heard an OWASP presentation that pointed out, among other things that made the problem hard, that the modern programmer had to deal with multiple expanded code sets and often did not know the environment in which his program would run. I now concede that it is a "hard problem" but one which must be addressed. PLCs are a single level closed environment.

William Hugh Murray

Internet Storm Center Tech Corner

Strange Goings on With Port 37

https://isc.sans.edu/forums/diary/Strange+goings+on+with+port+37/27496/


Amazon Sidewalk

https://isc.sans.edu/forums/diary/Amazon+Sidewalk+Cutting+Through+the+Hype/27502/


QNAP Video Station RCE Vulnerability

https://www.qnap.com/de-de/security-advisory/qsa-21-21


VMware vCenter Server Vulnerability Actively Exploited

https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html


Updated GitHub Policy

https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/


Cisco WebEx Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-player-kOf8zVT


Windows Container Malware

https://unit42.paloaltonetworks.com/siloscape/


Darkside Ransom Confiscated

https://www.documentcloud.org/documents/20799023-affidavit-1-in-application-by-the-united-states-for-a-seizure-warrant-for-one-account-for-investigation-of-18-usc-ss-981a1a-and-other-offenses-nd-cal-321-mj-70945