US Treasury Sanctions Cryptocurrency Exchange for Ransomware Involvement; Patch VMWare and Assure Segmentation; Patch Out for Zero-Day Exploits Against Older Apple Devices; Port of Houston: Planning, Processes and Controls Worked to Avoid Damage from ManageEngine Attack

It is hard to find trustable statistics, but it appears that overall, less than 2% of transactions using “cryptocurrencies” are criminal in nature. Most of the transactions are investor trading, which is a different thing to worry about. But there should be global pressure and sanctions on exchanges that are enabling any criminal transactions.

John Pescatore

With OFAC Sanctions in place, there are significant consequences for using their services in the U.S. Which means that if you’re deciding to pay a ransomware demand via Suex, you and your financial institution (FI) would be subject to sanctions or other enforcement actions, both of which are deal breakers for the FI.

Lee Neely

This is an interesting way to undermine the payment flow these criminal gangs rely on. It also illustrates that tackling cybercrime needs a cohesive and wide ranging approach and not technical controls by themselves. In theory, this may be an effective way to undermine the payment flow these criminal gangs rely on and hopefully won’t turn into a “whack-a-mole” type operating.

Brian Honan

I welcome the U.S. government stepping up their defense against ransomware by classifying it as a criminal, economic, and national-security threat. Cryptocurrency leverages blockchain which means we can trace transactions and they can't be removed or hidden after they occur. Don't let the government do all the work for you though; test, measure, and improve your ability to detect and respond to threats before impact.

Jorge Orchilles

To me this seems a far more effective approach than punishing victim companies that pay a ransom. Interesting to see US Treasury targeted SUEX as over 40% of its transactions were ransomware-related. This will obviously not stop ransomware attacks, but is a step in the right direction, targeting financial exchanges heavily involved in supporting criminal activities.

Lance Spitzner

Chainanlysis and Treasury cooperated to produce a report on this effort: https://blog.chainalysis.com/reports/ofac-sanction-suex-september-2021

William Hugh Murray

VMware sent a security alert to their security advisories mailing list. If you’re a vCenter Server user, and not subscribed to that list, you can sign up on the VMware Security Advisories page (https://www.vmware.com/security/advisories.html). This vulnerability applies to version 6.5, 6.7 and 7.0 of vCenter, and can be partly mitigated through perimeter protections, such as limiting access to ESXi, vCenter Server and vSphere management interfaces to only vSphere admins, from trusted locations. The full fix is to apply the update. Disabling the CEIP service, or not enabling it in the first place are not effective mitigations.

Lee Neely

The vCenter file upload / code execution vulnerability should be easy to exploit and fits well into the current ransomware playbook. Needless to say: Do not expose vCenter to the Internet. It is like leaving your datacenter door unlocked. This vulnerability adds the "Free Servers" sign to the door.

Johannes Ullrich

VMware infrastructure should be in a separate management segment of the network. It should not be exposed to internal users and much less the Internet.

Jorge Orchilles

While Apple has extended support for older operating systems, e.g., iOS 12.5, you should actively work to migrate to hardware which supports the newest versions which are going to have the greatest attention.

Lee Neely

Always good to see stories of “pilot lands plane safely” vs. only hear about crashes. Not much detail yet on what the Port of Houston did right, but kudos to them for being able to issue a very short and positive press release that ended with a resounding microphone drop: “Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”

John Pescatore

This is not the first time ports have been the target of cyber attacks and as our physical infrastructure continues to be more reliant and dependent on IT, these attacks will continue as criminals and nation state actors look to achieve their goals. In 2013, Europol reported hackers had breached the shipping systems in the Belgian port of Antwerp to enable their drug smuggling activity https://www.bbc.com/news/world-europe-24539417: Police warning after drug traffickers' cyber-attack.

Brian Honan

This is outstanding. While details have not been published, other than a point of contact, it will be worthwhile looking at what the port did to defend itself to see if those are actions you could apply to improve your cyber posture.

Lee Neely

FISMA and related rules/regulation on how government agencies protect government information and systems (including government used of privately owned infrastructure) are badly needed. However, most of the talk here is once again around requiring more reporting from industry to government vs. anything to drive critical government systems to reach essential levels of security hygiene and protection.

John Pescatore

While increased reporting helps with visibility, what is needed is relevant security standards. Too often security controls are written from a perspective of what is possible with Windows systems in an office environment. The mission and scope of government systems ranges from office computing to leading edge research and critical systems. Guidance needs to be simplified and focused on core controls which can be broadly applied without having to spend lots of time tailoring/researching, applying overlays to determine what is indented and how they are applied. A greater percentage of controls need to be technical which enables them to be both monitored and implemented with automation while not preventing systems from completing their intended mission objectives.

Lee Neely

One of the biggest challenges we have in the US is there are so many different departments and agencies involved in leading cybersecurity efforts. According to this report, the focus of updating FISMA would be to codify CISA as the central department in leading those efforts. While CISA is relatively new and huge / broad in scope, I like what I have seen in their efforts publishing resources supporting organizations.

Lance Spitzner

TLS 1.0/1.1 are broken and exploits are not terribly complex. But removing these old protocols doesn't always improve security. For some older devices, the only option may be to switch to completely unencrypted communication. Network monitoring can be used to identify the use of weak TLS versions. Once you have an inventory of these legacy devices, you may come up with a plan to either replace them, or mitigate the vulnerability via other means such as network segmentation or the use of VPN appliances.

Johannes Ullrich

Apple’s move here should surprise no one. TLS 1 and 1.1 are aged protocols, and while most known attacks are somewhat esoteric, reasonable successors have hit the mainstream at this point. Businesses need to prepare for these deprecations; as always, make sure your mission critical systems are running current operating systems, as older and end of life OSes will often not support TLS 1.2 or 1.3. Do not assume your business won't be impacted and start testing and migration plans now.

James Leyte-Vidal

You should have moved to TLS 1.2 by now. It is widely supported and your security tools will continue to function. Use third-party reporting and testing services, such as SSL Labs, to verify your services are indeed using secure protocols and algorithms. Test TLS 1.3 before widely deploying as it has been known to break some security tools, such as web proxies which operate as a MITM.

Lee Neely

Don’t depend on a critical infrastructure designation to prevent attacks. Make sure you have good cyber hygiene, your users are diligent, and you leverage resources, such as the CISA, for both guidance and resources to achieve those ends.

Lee Neely

The legislation attempts to create a common standard for information protection, incident response, and breach notification. Regardless of regulatory requirements, you should assess your protection of sensitive company and customer data regularly to ensure you don’t have gaps, and verify that your notification and response plans are both current and tested. Don’t wait for the attackers or auditors to discover a gap in your plan.

Lee Neely

If your industry isn't already subject to data security regulations, it will be. Start looking at the “common sense” practices being called for across many of these different bills and start preparing your business for them now. The runway to implement given by these laws is not always generous. Also, pointing out these types of bills to your senior leaders may help get the funding to plan for this work in advance.

James Leyte-Vidal

Unlike banking, and though engaged in interstate commerce, insurance companies are regulated by the states.

William Hugh Murray