Patch Available for Critical Polkit Vulnerability; Security Services Firm COO Charged With Attacking Customer Devices; Remote Access Trojan Uses SEO Poisoning to Spread

Check your Linux distributions, for applicability; this applies to RHEL 8, Fedora 21 (or later), Debian “Bullseye,” and Ubuntu 20.04 among others. Think of Polkit as an alternative to sudo, where some commands require explicit permission and others are simply executed. Exploiting the weakness, which uses simple commands, requires interrupting the command at the right point to trigger the vulnerable code. The mitigation is to patch the affected systems now, particularly on any internet facing Linux systems.

Lee Neely

systemd is further confirming its reputation as a security nightmare. But remember that Polkit replaces sudo, which in itself has had a spotty history. It isn't easy to allow for the flexible assignment of elevated privileges. Update as your Linux distribution makes updates available.

Johannes Ullrich

This is a tough one – Securolytics has been around for 5 years and has some very high profile/experienced and local investors. Good reminder that whenever any third party is given access to networks or systems, those credentials and passwords should be removed at the end of the engagement – no matter how trusted the 3rd party. Also points out that any “Thing” with an IP address is a potential compromise point.

John Pescatore

This appears to be a case of insider threat from a third-party service provider. Not only do you need to worry about your own insider threat, but you also need to make sure that you know what access you’re providing your third-party providers, and understand how they are vetting their staff to address insider threats. Make sure your credential management extends to any credentials used by the service provider. Lastly, make sure your contract includes sufficient recourse if anything goes wrong, keeping in mind the sensitivity of data shared, which may include sensitive network topology and system information. Make sure contract termination processes are documented and processes followed to not leave any outdated access paths.

Lee Neely

These documents, which masquerade as legitimate documents users may otherwise be looking for, are hard to have users not open. Even so, users can be made aware of the technique and trained to use caution when a document is prompting them to load more documents for the information requested. Endpoint protections, to include filtering of malicious sites, are key to preventing this sort of attack.

Lee Neely

Understanding the distribution vector for malicious code may be more useful in resisting it than knowing its capabilities.

William Hugh Murray

If Sol Oriens had classified or critical security information, that would have been stored and processed on isolated networks and not reachable in this attack. The contract from NNSA would have stringent data protection and handling restrictions as well. Ask how you’re protecting your most sensitive information form this sort of attack. DOE offers a cyber security test called the “Cybersecurity Capability Maturity Model (C2M2),” which energy sector organizations can use to assess the security of their networks. (https://www.energy.gov/ceser/energy-security/cybersecurity-capability-maturity-model-c2m2-program ) If you’re not in the energy sector, look at the guidance documents to see where you can better assess your security posture, then make improvements.

Lee Neely

Peer connection between one's network and those of contractors might expand both the attack surface and the population of potential attackers. Consider zero trust, next generation firewalls, and strong authentication (at least two kinds of evidence, at least one of which is resistant to replay, e.g. one time passwords).

John Pescatore

ASD is known for their cyber expertise, detection and response capability. And while it is tempting to reject an offer of help from “the government,” that help can really augment your response capabilities. If you do accept help, participate fully, leverage all the resources that can be brought to the table. Assess relevant government agencies, such as ASD and CISA ahead of time, to both understand what they have to offer and build a relationship before you need one.

Lee Neely

This is part of PNNL’s overall PACiFiC (Proactive Adaptive Cybersecurity for Control) approach to protecting operational technology (control systems) from attack. The effort is addressing Situational Awareness, Analytics, Decision Support and Defense. Defense includes deception with the intent of discovering hackers’ activities early on. While honeypots are not new, the technology leveraged here uses “model-driven dynamic deception” which is much more realistic than a static decoy. The model is intended to behave as the genuine control system would, making it harder for the attacker to discover the ruse.

Lee Neely

Honeypots / deception are useful in two primary ways. For most organizations, they can greatly simplify detection; anything that interacts with them is by definition suspicious. However, when dealing with more interactive / advanced threats, honeypots / deception can be a powerful way to turn the tables, in both collecting good information (intel) and putting out bad information. DoE / PNNL is the perfect organization to lead an effort like this, and a powerful way to take the offensive against our scariest threats.

Lance Spitzner

While congress is paying more attention to ransomware attacks and why payments are made, you need to focus on your cyber security posture. Make sure that you’re ready for such an attack; verify training, detection, and response capabilities are where they need to be. Conduct tabletop exercises to make sure not only that responses are known, including fail-over options for offline systems, but also that any external services or responders needed are current, relevant, and still able to help.

Lee Neely

It’s easy for government to say, “Don’t pay,” but when organizations are unable to operate, and the impact cripples both the company and their community, there may be few options. I would love to see our government spend less time on the “pay / don’t pay” discussion and focus more on inflicting pain / repercussions on those leading the attacks.

Lance Spitzner

The decision to pay extortion is a business decision and the responsibility of the enterprise. It should be made in advance of a demand, as part of a documented response plan. The decision should take into account the fact that it funds a criminal economy and raises the risk to the community. Providing a safe environment in which to do business is the responsibility of government. Needless to say, government will resist contributions to the criminal economy.

William Hugh Murray

Not sure if the move to NodeJS fixes any actual security issues. It may actually make things more complex to secure going forward. The move may be more related to keeping the code base maintainable by current developers.

Johannes Ullrich

SANS has demonstrated that such lists can be helpful and effective in improving quality and reducing risk. However, “20” is a long list and ordering is important. Ordered list should end in “other.”

William Hugh Murray

Include sweeping for passwords in configuration files to your CI/CD process. Make sure they are not stored in your software repositories and they don’t get needlessly pushed to production. Require passwords to be set on deployment; don’t provide defaults which are either unlikely to be changed or can be used with a default deployment to exploit weaknesses.

Lee Neely