Disable NTLM Authentication on Domain Controllers; No More Ransomware Project Effective in Reducing Ransomware Risk; Patch Your Apple Products Again to Avoid Arbitrary Code Attacks

These last few weeks have provided attackers with a number of interesting new opportunities for lateral movement. PrintNightmare, Summer of SAM, and now PetitPotam are all very applicable and it will likely take months (years?) to completely patch or mitigate them. One more reason to up your detection game for these exploits. Make sure you have relevant indicators covered.

Johannes Ullrich

PetitPotam affects Windows Server 2008 through 2019. If you cannot disable NTLM, then make sure you’re either using signing features such as SMB signing or Extended Protection for Authentication (EPA). Also make sure your Active Directory Certificate Services (AD CS) servers are configured to protect against NTLM relay attacks. See Microsoft KP5005413 for mitigations.

Lee Neely

The guidance from Microsoft is not new but being highlighted because of a new attack method. Most technology cannot be deployed as is; investment in people and process is required to ensure proper configurations. Same is true with security solutions; people need to follow a process to tune, detect, and respond to attacks.

Jorge Orchilles

This project by Europol has been a great success and is a portal I have used successfully when working with companies impacted by ransomware. The NoMoreRansom www.nomoreransom.org is a great example of how public and private partnership can work together to tackle cybercrime.

Brian Honan

This is a great example of an effective, action-oriented partnership between government agencies (Europol and Politie, the Dutch national police organization) and vendors (initially Kaspersky and McAfee, now many more) to provide free help to individuals and businesses. No More Ransom emphasizes prevention/avoidance though essentially security hygiene, since at the front end ransomware attacks are like all other attacks. The collection of encryption tools as the last resort recognizes the unique recovery aspects of a ransomware event.

John Pescatore

his sort of assistance is critical to reduce the frequency certainty of ransomware payments. That reduction is necessary to turn the tide on operators. This service provides decryption, reporting, and prevention tools to members. To obtain a decryption tool, ransomware victims upload two encrypted files and the ransom note to their Crypto Sheriff for a match. If matched, the decryptor includes detailed instructions for use. If not matched, users are advised to check again shortly as tools are being continuously added.

Lee Neely

Working together has always proved to be better than working in isolation. I recommend leveraging these resources so we improve as an industry and hopefully slow down ransomware attacks.

Jorge Orchilles

iOS 14.7.1 is only about an 80mb delta if you’ve installed 14.7. If you’re still rolling out your requirement to go to iOS/iPadOS 14.7 and macOS 11.5, then switch to 14.7.1/11.5.1. This vulnerability is being exploited in the wild.

Lee Neely

While annoying to have to patch your systems twice in two weeks, I applaud Apple for the fast response. A lot has been written about the increase in 0-Days Apple patched this year, but I think the real story isn't the increase of 0-Days but instead Apple finally paying more attention to them and calling them out in special patches like this.

Johannes Ullrich

Not sure if I would call languages like "Go" uncommon, but reverse analysis tools and debuggers are only now starting to support it well. This will give attackers an advantage. But this is also not new. Go has been reported as an up-and-coming malware language for a couple years now due to its concurrency support and ease of supporting network clients and servers.

Johannes Ullrich

Too many host-based defensive tools are easily tricked by using a slight variation of payloads. Attackers recognize this and can queue up a list of payloads using Rust, Go, Dart, Julia, etc. Application safe listing isn't perfect, but it's a heck of a lot more reliable than trying to play catch-up each time a new payload variant is identified.

Joshua Wright

Not only might Go and Rust binaries be better for evading signature detection, but they could also run more stealthily than PowerShell. PowerShell post-exploitation tools are easy to write, but also easy to log and reverse engineer. The more attackers shift from PowerShell to compiled code, the more difficult it will be to track them.

Jason Fossen

Pentesters have done the same thing, transitioning through PowerShell, compiled Python executables, cscript.exe XML files, etc; now we're on to Golang and Rust. On top of that, we use wrappers and encoders - all to avoid signature-based detection. In your environment, what type of *behavioral* detections do you have? Will you catch additions to admin groups, inter-workstation communications, and heavy/odd Active Directory requests?

Christopher Elgee

On the other hand, the commonly used languages are vulnerable to procedures being contaminated by their data (e.g., buffer overflows.) We really need to move in the direction of strongly typed object-oriented languages. One more instance where we know what to do but lack the will to do it.

William Hugh Murray

“Zero Trust” being specifically mentioned in President Biden’s Executive Order has ratcheted up the already high level of hype around the term. To achieve Zero Trust, you basically have to implement all of the CIS Critical Security Controls – you can’t determine what to trust (let alone enforce trust decisions) if you don’t have reliable visibility, network access control, configuration management, privilege management, application control, etc. A key indicator of this: most of the 18 security vendors participating in the NIST project are well known vendors who two years ago sold the same products but didn’t have “Zero Trust” in their marketing campaigns.

John Pescatore

As vendors struggle for position in support of E.O. 14028, agencies need to focus on their plan for the EO, including secure configurations, comprehensive MFA, encryption at rest, transit and in use (in memory) as well as clearly defining which systems are and are not in scope. You are still going to need segmentation and other protections for OT and other specialized IT. When the dust settles, these efforts will yield a demonstration of Zero Trust implementations which follow NIST SP 800-207, and should provide needed insight to make an informed selection to meet the EO requirements.

Lee Neely

While "zero trust" is too often used as marketing hype, enterprise security is too often porous. While it is widely accepted, a single user clicking on a bait message should not expose the entire enterprise. Any initiatives for improvement are welcome. That said, we know what to do; we lack the will to do it.

William Hugh Murray

FTP was deprecated in Chrome at the beginning of 2020 and has been disabled by default since Firefox 88 was released in April of 2020. If you have FTP servers, you should be replacing them with secure alternatives, either shared drives (Box, Google Drive, OneDrive, etc.) or services built on SFTP, FTPS, HTTPS, MTS. When implementing a file transfer service, be sure to keep it updated, secure and replace it before support is dropped.

Lee Neely

Good riddance to bad rubbish. Both the protocol and the servers have been leaking sensitive information for decades. It is a clear case of convenience trumping security.

William Hugh Murray

As long as the surveillance technology use risk remains, the best stance is to provide users with training to be proactive in securing their mobile devices. Keep them updated, only install apps from Apple/Google/corporate app stores, don’t leave them unattended, block unknown callers and texters, use loaner devices on foreign travel, implement device sanitization and verification processes to support international use.

Lee Neely

There is little chance that a "regulatory framework" will deter nation states from surveillance of their citizens.

William Hugh Murray

Breached information included SSN and driver license numbers, bank account numbers, home addresses, phone numbers, DOB and claim information. They are not providing credit monitoring, so if you think you’re affected, and don’t have credit monitoring already, today’s the day to get it. If you do have it, check it, make sure alerts are configured and working.

Lee Neely

Increased communication, sharing, and notifications will help participating entities improve their preparedness and response. Success depends on building an appropriate trust/privacy model, particularly if you wish to entice/include non-government entities in the network.

Lee Neely