Guidance Available on US Treasury Department Requirements for Accepting Cryptocurrencies; Update Microsoft PowerShell to Patch Critical Vulnerabilities; Dutch Police Will Go After Second-Time DDoS-as-a-Service Procurers

If your organization is considering accepting “cryptocurrency,” make sure business, finance and legal managers are aware of the OFAC sanctions compliance guidance. The risk is not just the actual ransom obtained payments, using involved exchanges may put transactions using these alternative currencies at risk, as well.

John Pescatore

If you’re using cryptocurrency, check the OFAC status of your exchange. Remember, sanctioned does not mean approved in this context. The use restrictions apply to U.S. persons, meaning citizens and “green card” holders, irrespective of their location. Violations of sanctions carry both civil and criminal penalties ranging up to $1 million and/or 20 years in prison for each violation. Additionally, there is an option for civil penalties which can hold you liable even if you did not know you were engaging in a prohibited transaction. Your financial institution is well versed in OFAC and can help you with references and understanding of the issues and risks as they see them.

Lee Neely

Currently, PowerShell is not updated with Windows Update. So please update this if you are using an affected version of PowerShell. Updates via Microsoft Update may be available in the future.

Johannes Ullrich

Microsoft hasn’t yet incorporated PowerShell 7.0 or 7.1 updates into the Microsoft Update service, so you’re going to have push these updates to affected systems. PowerShell 7.2-preview.10 has support for Microsoft Update. Note PowerShell 7.1 installs in a new directory and runs side-by-side with PowerShell 5.1. Installing PowerShell7.1 replaces PowerShell 7.0.

Lee Neely

Hmm, one use of DDoS for service attack capabilities is OK in the Netherlands? I’m pretty sure bank robbers and arsonists don’t get a second strike, but some law enforcement action is better than no action.

John Pescatore

DDoS attacks are not just being used by attackers; gamers are also figuring out how to use them to knock rivals out of action. As such, the Dutch Authorities appear to be tempering their guidance to not place undue sanctions or otherwise treat the wrong individuals as criminals. While this does move the bar some, it can create confusion, and a more consistent message of “this is illegal and has consequences” whether service provider or consumer, may be more effective.

Lee Neely

BlackMatter leverages LDAP and SMB to access AD and discover all hosts (and shared drives) on the network, encrypting them as it goes. They are also encrypting Linux-based machines, using a separate binary and routinely encrypt ESXi virtual machines. And in case you’re wondering, they don’t encrypt backups, they wipe or reformat the data stores instead. This leverages captured credentials, so augmenting your password processes to check breached passwords is a really good move. You privileged accounts (system administrators, Domain Administrators, and particularly your Enterprise Administrator) all need to be MFA. Take a look at time based access limits on accounts, some ransomware is now trying to act off-hours and this can help.

Lee Neely

According to the Verizon Data Breach Incident Report (DBIR) the time to detect breaches continues to be measured in weeks to months. Detection is more often passive, as in ransomware, than active. To be useful in resisting ransomware attacks, detection must be active and in hours to days. Set an objective for time to detection and implement a strategy to achieve it.

William Hugh Murray

Rolling back to manual methods, such as pen and paper, allow the business to operate at least a limited capacity while incident response completes. If you’re in this position, be sure to allocate extra resources to update the restored electronic systems, and don’t wait for full restoration to verify handwritten records are legible. Also plan to validate that downstream actions are checked to avoid data integrity or other long-term issues.

Lee Neely

Beyond making sure that you block entry points to your network, verify that you can tell when you’ve got malicious parties on your network. Can you detect malicious events in your network? Can you trigger on unexpected privilege escalation or modification? Are you reviewing account privileges regularly to ensure that only needed privileges are assigned? Do you know what to do when an incident is discovered?

Lee Neely

In their release, Sinclair used language that is often used when ransomware victims have to do a public statement: “As the Company conducts its investigation, it will look for opportunities to enhance its existing security measures.” Convince your management it will actually cost the company less if the release was able to say “Because the Company had improved our security measures before this attack, there was no financial impact to the Company or violation of our customers’ privacy.”

John Pescatore

Assume you are already compromised and actively look for signs of attack. When you find a deficiency in one area, look to make sure it doesn’t need to be addressed in other areas as well. Make sure you get to root causes (remember “ask why 5 times”) to help you and your IT staff better provision secure configurations in the future and prevent recurrence.

Lee Neely

Use caution when responding to disclosed weaknesses, understand the activities needed to expose them and the situation under which they were performed before declaring they are illegal. In this case the SSN’s were revealed by going to the web page and clicking “view source,” which was then disclosed appropriately to DESE where it was addressed. Make sure that you’re regularly doing security testing and evaluation of your applications to minimize issues discovered and reported externally. Treat disclosed vulnerabilities as well intended, not malicious actions, and take action to address and acknowledge them promptly.

Lee Neely

To me as a non lawyer, the legal issues around security testing a public website are at murky enough to stay away from. Sadly, bruised egos can easily get in the way of fixing the actual security problem. Get permission first to avoid a lot of headaches.

Johannes Ullrich