Account Hijack Enables Aircraft Data Altering; Prolific Microsoft Path Tuesday; Azure Mitigates Massive DDoS attack; Google Provides Security Tokens to Targets of Nation State Attacks

Another good example of why privileged accounts should be migrated from reusable passwords to multi-factor authentication. The account of the current Flight Operations Manager was used for the unauthorized access – even just using text messaging as the second factor would have prevented this damage.

John Pescatore

This is a case of a (former) disgruntled insider who, despite her credentials being disabled, was able to obtain current credentials with sufficient privileges to retaliate. Use of MFA would have prevented that access. Additionally monitoring for anomalous access patterns could help discover the illicit activity.

Lee Neely

From our perspective the issue is not the sensitivity of the data that was altered so much as that a former employee accessed the company’s systems. When granting privilege, be sure that you know how you will withdraw that privilege when the time comes.

William Hugh Murray

About an average patch Tuesday. The already exploited privilege escalation should be patched quickly, but remember there are always more privilege escalation issues.

Johannes Ullrich

There is a new MS Exchange fix (CVE-2020-26427) with a CVSS score of 9.0; make sure that your remaining on-prem services are patched, and only exposed to the Internet if absolutely necessary. The MysterySnail RAT has been found installed on systems where the Win32 driver bug (CVE-2021-40449) is being exploited. MysterySnail allows for data exfiltration, control of the compromised system and launching further attacks. This also includes another print-nightmare fix. The prior fix resulted in operational impacts, such as requiring administrative credentials for every print job. There are also fixes for Word, Hyper-V, SharePoint and DNS RCE vulnerabilities. The DNS vulnerability (CVE-2021-40469), per Jake Williams, could be leveraged to obtain remote control of a domain controller, where DNS services typically run, likely leading to domain administrator rights.

Lee Neely

This Microsoft Patch Tuesday is a doozy. I am not sure how the IT shops that are supposed to test patches before deployment will have sufficient time to test 70 patches or triage these correctly. Microsoft Exchange is the current gift that keeps on giving, but those not marked as "critical," such as those Local Privilege Escalations, are probably the ones that attackers will go after in this batch. There may also be some interesting attacks against Windows Containers that indirectly show up in the form of Hyper-V Exploits or AppContainer exploits coupled with those Local Privilege Escalations.

Moses Frost

One advantage of migrating to the cloud is the benefit of scale. No business would be able to absorb a DDoS attack of this scale on its own. But for smaller attacks, in particular more application-specific attacks, a cloud application can also become a huge financial burden if the attack is not quickly mitigated.

Johannes Ullrich

The ability for service providers to withstand an increasingly large volume of DDoS attacks is necessary for service delivery and most have solutions. Talk to your service providers to understand their protection model. Azure DDoS protection is enabled by the tenant at the virtual network level and is a separate product; leverage your account representative to understand the offering, pricing, and scaling model.

Lee Neely

It is almost impossible to resist denial-of-service attacks without the cooperation of an upstream provider. Steve Gibson tells that it took him 12 hours to find the right guy and 15 minutes for him to fix the problem. Be sure you know who to call.

William Hugh Murray

Kudos to Google for its continuing efforts to increase the use of multi-factor authentication, but most organizations need to take the same security steps to prevent business damage from all the very active non-state sponsored attackers that are behind the majority of attacks.

John Pescatore

Google is making an important point in saying that receiving a warning does not mean that your account is compromised. Too often, users mistake warnings for an actual compromise.

Johannes Ullrich

Enable two-factor authentication on your Google accounts now, whether using workspaces or their free offering; don’t wait for an alert or worse that you’ve been targeted. If you receive one of the hardware tokens from Google, enable it, don’t file it; then talk to your team about implementing those keys for everyone.

Lee Neely

This is a very impressive service that Google provides. I’ve always admired Google’s push for cyber security (they were one of the very first vendors to publicly push and enable 2FA for users of their free services). Interesting side note: in Microsoft’s webcast yesterday on passwords, they stated that only 20% of enterprise Microsoft 365 customers enable 2FA. So while a powerful security solution, 2FA still has a low adoption rate.

Lance Spitzner

Google has been offering strong authentication options to its users for several years now. Their implementation allows their users a wide range of choices to balance security against convenience; it is a model for others to follow. While Google is releasing data, it would be useful if they told us what user adoption has been and what options users are choosing.

William Hugh Murray

Much interesting data in the report, but if you block replaced “ransomware” with “malware” most of the data would not change. Take the essential security hygiene steps to raise the bar against malware succeeding and you’ve simultaneously lowered the risk of a ransomware attack causing damage.

John Pescatore

Key points I took away from this report: 95% of all ransomware samples targeted Windows. Less that 5% of samples were related to exploits; the majority of infections were driven by social engineering or droppers. In other words, when it comes to malware, not a lot has changed in the past years. Remember, ransomware is NOT a new attack method, it is a new monetization method. What’s different is that ransomware has made malware a very profitable business model.

Lance Spitzner

Before you celebrate your systems not running Windows, note that two percent of attacks targeted Android, and there were also 1 million samples from macOS. Read the key take-aways in the report. Focus on privilege escalation patches and mitigations, keep your detection profiles updated, monitoring for new activities which needed to be added to your detection capabilities; lastly, keep your cyber resiliency and recovery strategies ready and current.

Lee Neely

As these advance, they will be a source of information that can be leveraged to better our protection strategies for healthcare and critical infrastructure. It’s easy to lose sight of new strategies and techniques when you’re heads down operating and maintaining your current systems, and even more so if you’re busy responding to attacks or incidents.

Lee Neely

Mitre has some amazing people doing important work. I hope these initiatives get the traction required to help these areas of need.

Christopher Elgee

I worked in the healthcare space for a little over eight years and was doing so while getting more and more into this field. It was challenging to try and explain to doctors and healthcare executives the actual dangers posed by cyber security threats. Mainly because those threats impacted financial systems or industry secrets, it appears that ransomware and patient safety has changed that risk calculus. I'm happy to see MITRE step up here because healthcare organizations should be treated like power plants as critical infrastructure. Unfortunately, those systems will continue to be vulnerable without that level of oversight and thinking as the risk calculus is still not fully understood. I can't wait to see what is occurring here.

Moses Frost

While many businesses are finding the right balance of cloud versus on-premise services, state and federal agencies have been struggling with making sure the cloud service providers meet regulatory requirements. While federal agencies have the FedRAMP process to help, StateRAMP has only recently emerged for state and local government users to fill this need. StateRAMP will grant a certification to existing FedRAMP service providers and will work with providers not interested in FedRAMP certification to become StateRAMP certified. With this in hand, it becomes simpler to begin the path to figuring out what will be best in the Cloud.

Lee Neely

It's not uncommon to see long-deprecated IT systems in SLTT networks. Because of financial limitations, they simply can't manage to keep up. I'm thankful for services like Google Classroom that allow educational institutions (globally) to move to the cloud for free. At that point, "keeping up" just means updating end user devices and school networks.

Christopher Elgee

The NASCIO report is fascinating; it highlights a sector of the IT industry that is very far behind in its operations. Last year the state of New Jersey needed more COBOL programmers to retrofit their systems to absorb the volume of requests for aid. This report highlights how they are not the outlier. The states have several issues; the first is retrofitting their aging systems outside of the challenge of maintaining them. The second is attracting talent that can do so. If it is hard to do this at the state level, it's even more challenging at the city level. States with a large budget may migrate their systems, but finding talent to maintain and operate those cloud instances will be very difficult as we have seen a severe shortage in the market. Two charts that are in the report highlight the problems. One asks how many have to MFaaS (Mainframe as a Service). The second details how many entities use IP addressing and not names to reach their systems. Those two charts alone show how difficult and challenging this migration will be for many shops. I guess offensive and defense teams will need to brush up on mainframes and JCL for a while longer.

Moses Frost

Understand the requirements for proving vaccination status when traveling and have a backup option in case the primary option fails. In this case the airports were not accepting paper vaccination records, which we’ve carried for years for this purpose. For a digital application, screenshot the barcode or add it to your digital wallet. Note that you may have to update those as frequently as every thirty days.

Lee Neely

Always try and travel with physical backups of all your paperwork. It may seem counterintuitive as we are so used to the availability of systems. However, we should also acknowledge that many of these systems are new and have probably not been as tested as amazon.com. I would also suggest taking a screenshot for a backup. I try and travel with the physical US vaccine cards and pictures of them just in case.

Moses Frost

If you’re a critical system operator, make sure you’re subscribed to these alerts. The mitigations for these attacks are to include segmentation, monitoring, and MFA for remote access and to remove unnecessary components from networks to reduce your attack surface. Read the bulletin for a comprehensive list along with resources you can leverage.

Lee Neely

The complexity of the network infrastructure, which is required for modern service delivery and redundancy, heightens the need to carefully scrutinize changes prior to deployment. This is not only for big providers like OVH and FaceBook, but also for your enterprise where the configurations now include virtual networks to cloud providers, outsource or business providers and your locations. This is further complicated by increased remote access where network locations can be easily omitted from the VPN configuration. Read twice, deploy once, know how to back it out.

Lee Neely