Prioritize Patching and Monitoring Microsoft Exchange Servers; City Pays Ransomware Demand But Still Has to Deal With a Breach; Pulse Secure Updated Patch Released to Fully Address Vulnerabilities Not Closed With Previous Patch

Three CVEs are being leveraged to exploit the vulnerability: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The first two were patched in April’s Exchange KP5001779 cumulative update, the third in the May KB003435 update. Make sure that you’ve applied the current Exchange updates, and that you’re leveraging Azure Sentinel to check IIS logs to the “/autodiscover/autodiscover.json” and “/mapi/nspi/” strings to detect targeting of your servers for exploitation of the vulnerabilities.

Lee Neely

Orange Tsai's talk at Defcon outlined a whole family of possible new vulnerabilities in Exchange. It is unlikely that ProxyShell will be the last such vulnerability. Keep your Exchange patching playbooks handy. It would not surprise me to have Microsoft patch more critical Exchange vulnerabilities later today (or in the next couple months).

Johannes Ullrich

Note that even after paying the ransom, the city will have to incur the costs to notify all possibly impacted citizens and offer them the usual credit/identify theft monitoring services, and remedy the deficiencies that enabled the ransomware attack to succeed. Since the attackers had control of that data, a breach occurred – the hope is the extortion payment lessens the harm to the citizens. But the payment does not reduce the costs the city will incur.

John Pescatore

Luckily, a new CVE number was assigned to this issue. But in some ways, it is due to an incomplete patch released for a vulnerability last year. Do not get confused by this and make sure you patch. The original vulnerability was heavily exploited.

Johannes Ullrich

Pulse Secure initiated external rigorous code review and discovered six vulnerabilities which have been fixed it their 9.1R12 firmware update. The update also provides the ability to run their integrity checking tool without incurring downtime, which was a downside with prior actions needed to detect compromise. That improvement alone warrants raising the priority of applying this update.

Lee Neely

The AAB format allows applications to be optimized for delivery to different platforms, reducing the footprint for apps on smaller devices. Coupled with Play Asset Delivery and Play Feature delivery, which replaces unsigned OBB application expansion files for dynamic delivery of added features and content with signed distribution APK, the goal is to improve the overall application delivery and security. Google’s Play Store is the only app store which currently supports these features, so read the guidance from Google if you need options for delivery on other distribution channels.

Lee Neely

There really isn’t anything new in this bulletin that isn’t in the 2018 PCI SSC Cloud Computing Guidelines. The key sentence in the bulletin: “Data breach investigation reports continue to find that organizations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems.” Whether it is on premise or in the cloud, if you don’t know where critical data is you cannot protect it. Persistent encryption that happens at the source of the data is needed, which in turn needs Multi Factor Authentication to be in place to assure only authorized parties can decrypt.

John Pescatore

The message is to understand what your Cloud Service Provider (CSP) is doing, where your payment data is processed, and apply the same governance to the cloud implementation of payment processing as you did to on-premise implementations. The PCI-CSA bulletin provides guidance to follow and questions to ask as well as resources such as the CSA CCM which you can leverage to assess your cloud implementation.

Lee Neely

The payment card industry continues to place the cost and burden of fraud on consumers and merchants while perpetuating the fundamental vulnerability of publishing and accepting primary account numbers in the clear. While EMV is now almost universally implemented and accepted, the brands still have no plan to eliminate the magnetic stripe vulnerability. Online merchants should use check-out proxies, like PayPal and Apple Pay, in lieu of accepting credit and debit card numbers in the clear. Consumers should prefer mobile payment systems to the use of credit and debit cards.

William Hugh Murray

Random number generators in IoT devices have been recognized as an IoT problem for a while. For larger systems, advanced CPU features or in some cases even add-on hardware can be used to create quite good streams of random numbers. But for IoT devices, cost cutting and limited features often leads to very predictable execution paths which in turn lead to more predictable random numbers. This is probably best addressed by adding specific entropy sources to IoT CPU designs. These design changes are cheap and can be very effective.

Johannes Ullrich

Creating code that uses good pseudo-random numbers, let alone cryptographically secure ones, takes extra work which is easily dismissed as not worth it. Identify functions which must have CSPRNG and verify those as part of your SDLC. Where possible leverage built-in capabilities found on system-on-a-chip devices, the call that consistently throughout your code. For users of IoT devices, limit connections, inbound and outbound where possible to reduce exposure of insecure access controls.

Lee Neely

While the advice to users is similar for email and SMS Phishing attempts, SMS messages don’t have the benefit of screening by your corporate protections. Users still need to beware of unexpected links in SMS messages and to consider the source carefully before acting. Consider blocking unknown SMS senders. Spam filters for SMS rely on sending all SMS messages to a third party for analysis, so you need to consider the risk and privacy impacts before enabling those services.

Lee Neely

I don’t know about you, but I have personally seen a jump in SMS phishing (sometimes called Smishing) attacks also. Cyber criminals are extremely adaptable. If they perceive organizations (and people) are getting better at spotting email phishing attacks, they will quite readily jump to other mediums (texting, social media, voice). When training your workforce how to spot any type of attack, don’t focus on the medium (email vs. texting, etc.), focus on the common indicators they all share. That way as cyber criminals jump from one technology to the next, your workforce is trained and can spot the attacks.

Lance Spitzner

Not sure if there is an overall uptick. But there are some pretty odd brazen attempts I have seen recently. For example: https://isc.sans.edu/forums/diary/Is+this+the+Weirdest+Phishing+SMishing+Attempt+Ever/27706/

Johannes Ullrich

The Amnesty International Security Labs report provides insight as to where and how Pegasus is introduced onto mobile devices. They have released both their IOCs as well as their MVT tool for analysis of Android devices and iOS backups. You may want to leverage these to double-check devices, particularly for potentially targeted individuals.

Lee Neely

The Arcadyan firmware is installed in 17 varieties of home, SMB and ISP provided routers. The exploit attempts to install a version of the Mirai malware. Mitigate the risk by installing updates as they are available. Leverage IOC information in the Juniper blog to detect attempted access and/or downloads.

Lee Neely