SANS NewsBites

Business Email Compromise Criminals Charged; CISA Issues Guidance for Increasing Security with IPv6 Migration; Active Attacks Against VMWare Vulnerability

September 28, 2021  |  Volume XXIII - Issue #76

Top of the News


2021-09-27

Business Email Compromise Scheme Charges

US federal prosecutors are charging four people with conspiracy to commit wire fraud for their roles in a business email compromise (BEC) scheme. The individuals allegedly used phishing and social engineering to access targeted organizations’ networks and email services to conduct fraud.

Editor's Note

The techniques used by this group point out the three key issues: (1) On the front end, reusable passwords enabled phishing attacks that gave the attackers internal access; (2) once in, they were able to operate unnoticed for long periods of time; and (3) the processes for disbursing funds had no final “out of band” check that would have required a phone call or actual old-fashioned face-to-face check before giving away large sums of money. That final one is largely outside the control of IT security, but requiring strong authentication for privileged users and reducing time to detect are clearly essential security hygiene issues. Good to see the bad guys prosecuted; better to see them unsuccessful in the first place.

John Pescatore

Multi-factor authentication for email and all other externally facing services is more important than ever. Stolen reusable credential use has to stop being viable. Don’t just consider what a given service does and the risk of exposure of that service; consider what else can be done with the credentials if captured. Make sure that your CFO has adequate controls on financial transactions to not only vet changes of account or process, but also be sure that validation is out-of-band and all parties verified. You may not be involved in these business processes as cyber security professionals; consider leveraging your contacts to get the right people in a meeting to present the concern. Don’t forget to invite your contacts to participate.

Lee Neely

Ransomware gets all the media attention, yet BEC / CEO fraud is most likely a far costlier threat in dollar terms. The FBI reported over $1.8 billion in reported losses in 2020 alone. BEC is purely a financial attack, so technically it is not a breach, which means no one reports it. While ransomware impacts an entire organization and quickly becomes public, BEC only impacts accounts payable, so quite often most of the company will be in the dark if compromised. The key to protecting against BEC is ensuring your workforce knows and understands your processes and feels safe and comfortable following them, even if someone claiming to be the CEO is screaming at them to process a payment right away.

Lance Spitzner

In addition to the recommendations above, employ multi-party controls. For example, separate the privilege of setting up payees or making changes to them (e.g., name and address, destination accounts) from that of issuing payments. In addition, require two parties to approve large (e.g., above the 90th percentile) or non-routine payments. Such controls resist both errors of omission and fraud.

William Hugh Murray

2021-09-24

CISA TIC Office Draft IPv6 Transition Guidance

Draft guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connection (TIC) program office is designed to help agencies make the transition to IPv6 securely. The document “is not intended to be prescriptive but rather facilitate decision-making in determining the appropriate level of security in IPv6 environments.” Comments will be accepted through October 15.

Editor's Note

Some good points in this document. If you consider implementing IPv6, take a look and consider following the guidance provided. IPv6 is having a hard time right now due to half-baked implementations by ISPs that solve very specific problems for the ISP and increase adoption rates, without unleashing the full potential of IPv6 to the user. IPv6 done right can improve security and allow for new end point focused architectures in line with many modern enterprise security trends.

Johannes Ullrich

The guidance is for networks where IPv6 is deployed rather than dual-stacked environments and provides a point-by-point comparison of TIC 3.0 security objectives and capabilities when considered from an IPv6 perspective. If your agency is using a TIC and following OMB M-21-07, which requires an 80% cutover to IPv6 by the end of FY2025 (9/30/25), these considerations are important to factor into your architecture and planning.

Lee Neely

2021-09-27

CISA Warns of VMware Vulnerability Being Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that “Security researchers are … reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.” CISA is urging users to update to a patched version.

Editor's Note

As previously reported there are no completely effective workarounds to this vulnerability. Apply the update. Also make sure that your management interfaces to your vCenter infrastructure are limited to authorized devices and users only. Don’t expose management and/or console services to the Internet.

Lee Neely

The Rest of the Week's News


2021-09-27

IT-ISAC’s Food and Agriculture Special Interest Group

Recent ransomware attacks targeting food chain and agricultural organizations like New Cooperative, Crystal Valley, and JBS have highlighted the need for threat information sharing in that sector. The Information Technology Information Sharing and Analysis Center (IT-ISAC)’s Food and Agriculture Special Interest Group has been monitoring the attacks.

Editor's Note

Sharing incidents, preparedness and response information with your peers is moving beyond a good idea to a critical survival technique. Even if you have an organization such as IT-ISAC or CISA in your sector, leverage the relationships in your C-Suite to create relationships with peer businesses.

Lee Neely

Be sure to join and support your industry ISAC(s).

William Hugh Murray

2021-09-27

QNAP Releases Fixes for QVR Video Management System

QNAP has fixed three vulnerabilities in its QVR video management system. Two of the vulnerabilities are rated critical. Those flaws affect some products running QVR that have reached end-of-life (EoL), but because they are still widely used, QNAP issued fixes for them.

Editor's Note

Network storage devices are a great prize for ransomware. Do take these vulnerabilities seriously, and while painful in some cases, expedite patching. Also consider other mitigating controls. For example, uninstall all unneeded features; these devices often come with various software packages that you may never use. And never expose any admin controls to the public internet.

Johannes Ullrich

If you have an affected product, update the firmware immediately, then start the project to replace it. I know they still work; the problem is these are EOL devices, so you cannot expect ongoing vulnerability discovery and resolution. Recovery from either a content or a network compromise will quickly outstrip the replacement cost.

Lee Neely

2021-09-24

Chrome Update

Google has updated the Chrome stable channel to version 94.0.4604.61 for Windows, macOS, and Linux to fix a high-severity flaw that is being actively exploited. The vulnerability is a use-after-free issue affecting the Portals web page navigation system for Chrome.

Editor's Note

Memory management issues such as use after free can be tricky to detect in the software development cycle. Make sure that your Chromium browsers are also updated – Brave, Edge, etc.

Lee Neely

2021-09-24

SonicWall Releases Fixes for Critical File Delete Vulnerability

SonicWall has released updates to address a critical vulnerability affecting Secure Mobile Access (SMA) 100 series appliances. The flaw could be exploited to remotely obtain administrator access on vulnerable devices. The issue is fixed in 10.2.1.1-19sv and later, 10.2.0.7-34sv and later, and 9.0.0.10-28sv and later. There are no workarounds available.

Editor's Note

This vulnerability includes path traversal flaws and arbitrary file deletion which can be leveraged to cause the device to reboot to factory default settings. SonicWall reports there are no workarounds for the vulnerability, so applying the update expeditiously is warranted.

Lee Neely

I am not ready yet to say that each network perimeter security device needs a security device protecting it. But let’s start by removing access from admin interfaces, please?

Johannes Ullrich

2021-09-28

FCC Rules for Huawei and ZTE Equipment Replacement Reimbursement

The US Federal Communications Commission (FCC) has published rules for certain carriers to apply for funds to pay for ripping out and replacing Huawei and ZTE network equipment and services. The rules apply to small carriers, as well as schools, libraries, and health care organizations that provide broadband services.

Editor's Note

This has been in the works since the FCC designation of ZTE and Huawei as national security threats in July of 2020. The reimbursements have both company size and date constraints. Carriers must have fewer than 10 million customers, and funds may only be applied to replacement costs incurred with Huawei and ZTE equipment purchased before June 30, 2020 and replacement costs incurred after April 17, 2018. The costs may also be extended to replacement of towers and travel expenses directly related to the replacement activities. If you think you’re eligible, don’t hesitate, apply.

Lee Neely

Internet Storm Center Tech Corner

Mobile Device Inventory via Active Sync

https://isc.sans.edu/forums/diary/Keep+an+Eye+on+Your+Users+Mobile+Devices+Simple+Inventory/27868/


Trend Micro ServerProtect Authentication Bypass Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-1115/


Let's Encrypt Root CA Expiration

https://community.letsencrypt.org/t/production-chain-changes/150739


ERMAC Android Malware

https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html


QNAP Vulnerabilities

https://www.qnap.com/en/security-advisory/QSA-21-35


Autodiscover Attacks

https://autodiscover-vulnerable-tlds.com

https://wiki.mozilla.org/Public_Suffix_List

https://www.guardicore.com/labs/autodiscovering-the-great-leak/


Three More 0-Day Vulnerabilities in iOS

https://arstechnica.com/information-technology/2021/09/three-ios-0-days-revealed-by-researcher-frustrated-with-apples-bug-bounty/


Cisco CAPWAP Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-rce-LYgj8Kf


SonicWall SMA 100 Series Vulnerability

https://www.sonicwall.com/support/product-notification/security-notice-critical-arbitrary-file-delete-vulnerability-in-sonicwall-sma-100-series-appliances/210819124854603/