Sonic Wall VPN Appliance Under Active Attack; Patch WooCommerce Block Now; US Government Takes Steps Against Ransomware But Doesn’t Address MFA

These vulnerabilities have been known for months, and have been exploited for months. You will need to decommission these devices or if possible upgrade them to a 9.x or 10.x firmware. Upgrades will likely require a valid subscription. Remember that many security devices will work only if you continue to pay subscription fees.

Johannes Ullrich

Attackers will always focus their efforts on our blind spots. As endpoint protection has evolved dramatically in recent years to provide greater visibility to the desktop, we’ve seen an increase in attacks against security appliances, such as firewalls and VPN concentrators, where endpoint security products can’t be installed. This attack is focused on an SMB product line, but enterprise products from Cisco, Juniper, F5, Palo Alto Networks, and Citrix have had similar issues within the last year. Earlier this week, Microsoft reported attacks against SolarWinds Serv-U product being launched from compromised home routers. So, this serves as a great reminder that “appliances” should be included your regular patch and vulnerability management program, and organizations should consider the risk and impact if an employee’s home routers is compromised, as well.

Jon Gorenflo

VPNs are still the predominant remote access to the corporate network and remain a critical boundary protection device. As such, you need to keep them secured, patched and current. While implementing MFA, verifying the security and patching them with nominal disruption is tricky enough; you need to add lifecycle replacement to your list. That means you’re going to have to identify and implement the replacement early enough to have the users cut over before the old solution goes out of support. Then you need to retire the old one, as in dispose of it, to avoid the temptation to fall back to an unsupported, no longer secure solution.

Lee Neely

You MUST patch this vulnerability today. This vulnerability is already being exploited.

Johannes Ullrich

Updates were released to all vulnerable versions, about 90 updates in total. This means you can update to a fixed version without having to worry about compatibility issues. That said, you still need to press forward to get to the latest versions of these plugins if you’re continuing to use them. Note that the Wordfence paid version had two firewall rules to detect and block exploitation as of July 14th and 15th. The free version will get these rules August 13th and 14th.

Lee Neely

These are all good things but what is missing here is the most proactive step: the US government driving increased use of multi factor authentication to replace reusable passwords in government and critical infrastructure applications. President Biden’s Executive Order on cybersecurity did emphasize MFA – the publicity around ransomware should be used to main gains in eliminating reusable passwords before attention moves on.

John Pescatore

The trick is to disrupt the effectiveness of the tactics used with ransomware. A multi-faceted, multi-agency effort is underway to do this and includes task forces and rewards for information on ransomware gangs and even conferences. The StopRansomware.gov web site is set up to deliver information regarding what ransomware is, what to do if compromised, and how to avoid it. Core to avoidance is good cyber hygiene and good user behavior. The site breaks this down into understandable bites and has references from multiple sources to help preparedness. Conduct a ransomware tabletop exercise to see how prepared you really are. Implement any lessons learned, look at adding this to your annual DR exercise.

Lee Neely

I somehow feel we are still very much in the wild-wild west stages of cybersecurity. Instead of WANTED posters being posted on the frontier cities of the old cowboy days, we have cyber WANTED posters for the international community. It’s a step in the right direction (we are no longer homesteaders on our own having to protect the farm) but we have so much further to go (we need the sheriffs to help enforce international law). I checked out the CISA new ransomware site and love it! The problem we have in the US is that so many organizations are putting out information (CISA, FTC, FBI, NCSA, IRS), it can be both overwhelming and conflicting for its citizens).

Lance Spitzner

These measures may change the risk/reward of ransomware and reduce the efficiency of the black market. In the meantime, enterprises need to reduce the attack surface and raise the cost of attack. Consider strong authentication, structured networks, and least privilege access control.

William Hugh Murray

Ransomware gangs need to be careful to attract just the right amount of attention and notoriety. Too little, and victims will not pay as the actor is not yet established as reliable. Too much and law enforcement will take note and pressure ISPs / Registrars to disconnect payment sites even if the individuals themselves are out of reach. It is very possible that REvil is just rebranding or selling assets to a different group.

Johannes Ullrich

As exciting as the prospect is of them being shut down, hold the applause until you see an announcement from law enforcement stating they took them down. Otherwise, expect them to re-emerge, probably from a different locale.

Lee Neely

All agencies are required to disable print services on AD controllers, apply the patches to all Windows servers and workstations, then either disable print spoolers, restrict installation of printer drivers to administrators via GPO or registry keys, by July 20th. These are good practices to consider even if you’re not impacted by this directive. Don’t forget to address cloud-based Windows servers or workstations, whether directly or indirectly (third-party) managed.

Lee Neely

This update includes fixes for four zero-day flaws, and the official patch for PrintNightmare. Even with this fix, look to restrict print driver installation to administrators only as the CISA ED 21-04 suggests. Don’t lose sight of the other updates released, including fixes for SharePoint and Exchange which deserve special attention due to their exploitability.

Lee Neely

Pro tip: you can gauge the quality of your pentesters with this kind of vulnerability. Yes, they can probably move laterally and escalate privilege, but can they give you viable recommendations that fit your operations model? Do those recommendations apply to just this vuln-of-the-day, or are they generally applicable to your vulnerability management program?

Christopher Elgee

The Windows Print Spooler is the gift that keeps on giving. The reason is an architectural choice made many Windows versions ago. Printer drivers are code provided by users, and this code executes as System. This will not be fixable unless you heed Microsoft's advice and disable users’ ability to provide printer drivers. Everything else will just be a bandaid until the architecture is fixed in a future Windows version.

Johannes Ullrich

Vulnerabilities that require device access to exploit do not result in large scale or widespread attacks.

William Hugh Murray

The Acrobat and Reader flaws are a priority 2, as in no active exploit but historically targeted application, while the others are a priority 3 as they are not a historically targeted platform. Even so, the base CVSS scores suggest not sitting on these updates. Typically users need to close these applications before an update can be performed, and with the Microsoft patches queued up, it’d be a good time for a forced reboot to ensure that happens.

Lee Neely

Patching is a necessary but expensive way to achieve software quality. Consider applications in the cloud and thin clients to reduce your cost.

William Hugh Murray

As other items point out, July will be a busy patching month and IT resources that support OT patching may be consumed dealing with the volume of Microsoft, Adobe and VPN patches. Good idea to review segmentation and monitoring around any Siemens and Schneider device usage.

John Pescatore

The Citizen Lab report not only outlines the malware functionality, C&C infrastructure and how to identify it, but also shows the lucrative nature of this sort of offering. Apply the patches, and keep an eye on the IOCs as a well-funded group like this will find other ways to exploit systems.

Lee Neely