SANS NewsBites

Attackers Exploiting Admin Privileges Delegated to Service Providers; BQE Software’s BillQuick Web Suite Vulnerabilities Being Actively Exploited; Emsisoft Works With Law Enforcement to Decrypt Ransomed Data

October 26, 2021  |  Volume XXIII - Issue #84

Top of the News


2021-10-25

Nobelium is Targeting Global IT Supply Chain Again

In a blog post, Microsoft says that they have observed new activity from the Nobelium cyberthreat actor. Nobelium has been linked to Russian foreign intelligence and was responsible for the SolarWinds attacks. The most recent activity is targeting “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.” Microsoft has released advice for mitigation and remediation.

Editor's Note

The key point here is that managed service providers are often granted admin privileges on customer systems and these “… delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators.” When signing on for cloud services, all such delegated admin privileges should be minimized and processes need to be established to ensure that they are removed whenever that service provider is terminated.

John Pescatore

Monitor all accounts with administrative privileges, whether used for insourced or outsourced support. Make sure that your account disablement procedures include provisions for changes of staff at an MSP and that they are not all using the same account, just as you would with your staff. If you terminate an external support contract, make sure all associated accounts and access are also disabled or deleted promptly.

Lee Neely

Another way to look at this is that the SolarWinds attack was so successful, and the cost was so minimal, that Russian Intelligence has simply accelerated their efforts to continue to infiltrate and/or harvest as much as they can by targeting third-party infrastructure. Makes you wonder just how many of their attacks have been successful and we have yet to discover them.

Lance Spitzner

Caveat Emptor cannot address the supply chain as a means of distributing malicious code. Neither can we simply accept the risk. We must hold suppliers accountable, if not for the quality of their own code, at least when they recklessly distribute the code of others. Am I the only one who thinks that our tools and processes for managing the quality and content of software are inadequate?

William Hugh Murray

2021-10-25

Billing Software Flaw Exploited to Spread Ransomware

A critical vulnerability in BQE Software’s BillQuick Web Suite time and billing system is being exploited to deploy ransomware. The flaw can be exploited through SQL injection to remotely execute code. The vulnerability was detected by researchers from Huntress; they found nine vulnerabilities in all. BillQuick says an interim fix for some of the flaws will be available soon.

Editor's Note

The blog post by Huntress suggests that there are multiple exploits that are not yet patched. Get ready to patch this software again shortly. If possible, add additional access restrictions.

Johannes Ullrich

Sqlmap was able to execute xp_cmdshell as well as bypass authentication to the BillQuick application. Note that the Huntress researchers worked to create a separate copy of the application rather than testing the live system as part of finding the root cause for malicious activity noted in production.

Lee Neely

2021-10-25

Emsisoft Has Been Quietly Helping BlackMatter Victims Decrypt Data

Emsisoft found a flaw in the BlackMatter ransomware encryption algorithm that allowed the cybersecurity company to develop a decryptor. Emsisoft has been working with law enforcement to help organizations affected by BlackMatter regain access to their data without paying a ransom. The BlackMatter group learned about the decryptor a month ago and fixed the flaw.

Editor's Note

There is inherent risk in using a decryptor from the attackers. Check to see if a decryption key and tool are published for your particular ransomware before seeking the key from the ransomware gang. If you have the decryption key, look to companies such as Emsisoft for a decryptor which can use that key before using the attacker-provided tool.

Lee Neely

The Rest of the Week's News


2021-10-23

NPM Library Hijacked

Three versions of the ua-parser-js NPM library were found to contain malicious code. The supply chain attack affected three versions of the library: 0.7.29, 0.8.0, and 1.0.0. The NPM library is downloaded millions of times a week, and is used in thousands of projects. The library’s developer said, “I believe someone was hijacking my npm account and published some compromised packages.” The problem has been addressed in versions 0.7.30, 0.8.1, and 1.0.1.

Editor's Note

npm is the dumpster fire that keeps on giving. You MUST scan any libraries that you are including in your projects, or stop using node.js/npm if you can't perform these scans.

Johannes Ullrich

Make sure you’re incorporating the updated library in your build process. If you’re publishing code for others to use, make sure that you’ve followed the security practices for your source code repository, such as using two-factor authentication, making sure accounts are not shared, managing access to data by only giving contributors the specific rights needed, and revoking access from users no longer working with you.

Lee Neely

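The compromised and fixed versions named above can be checked mechanically. The following script is an added example (not from the ua-parser-js project or the advisory) that walks a package-lock.json, including transitive copies nested under other packages, and reports every ua-parser-js pin as compromised, fixed, or unverified; the sample lockfile is constructed.

```python
import json

# Versions the advisory names as carrying malicious code, and the fixes.
COMPROMISED = {"0.7.29", "0.8.0", "1.0.0"}
FIXED = {"0.7.30", "0.8.1", "1.0.1"}
PACKAGE = "ua-parser-js"


def find_ua_parser(lock: dict) -> list:
    """Return (path, version) for every copy of ua-parser-js in a lockfile,
    including transitive copies nested under other packages."""
    found = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == PACKAGE:
                found.append((path, meta.get("version", "")))
        return found

    def walk(deps, prefix):  # lockfileVersion 1: nested "dependencies" tree
        for name, meta in deps.items():
            path = prefix + name
            if name == PACKAGE:
                found.append((path, meta.get("version", "")))
            walk(meta.get("dependencies", {}), path + " > ")

    walk(lock.get("dependencies", {}), "")
    return found


def audit(lock: dict) -> dict:
    """Bucket every copy as compromised, fixed, or other (needs manual review)."""
    report = {"compromised": [], "fixed": [], "other": []}
    for path, version in find_ua_parser(lock):
        bucket = ("compromised" if version in COMPROMISED
                  else "fixed" if version in FIXED else "other")
        report[bucket].append(f"{path}@{version}")
    return report


# Constructed sample lockfile (not from a real project): the direct dependency
# was updated, but a transitive copy is still pinned to a compromised version.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 2,
  "packages": {
    "node_modules/ua-parser-js": {"version": "1.0.1"},
    "node_modules/some-lib/node_modules/ua-parser-js": {"version": "0.7.29"}
  }
}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK), indent=2))
```

Copies that land in the "other" bucket are neither known-bad nor known-fixed and should be upgraded to a fixed version rather than assumed safe.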
2021-10-22

Healthcare Breaches

Recent cybersecurity incidents affecting organizations in the healthcare sector include a ransomware attack against Central Indiana Orthopedics, a phishing incident affecting Professional Dental Alliance providers, a data exfiltration incident affecting the American Osteopathic Association, and a ransomware attack against PracticeMax.

Editor's Note

There is no such thing as being too small to be a target. There is such a thing as not having enough resources to assess your security or implement a good cyber security program. This you can outsource, and likely spend less than you would recovering from a breach. If you’re looking for a starting place, you can reach out for references to your local cyber security organizations or chapters (ISSA, CSA, ISACA, ISC2, etc.).

Lee Neely

Healthcare is very slow to roll out security changes. In the past, those organizations have been hiding behind the thought, “What are attackers going to do with our data? They can’t monetize it!” PHI wasn’t as directly monetizable. Of course, ransomware has significantly changed the game and healthcare orgs are significantly behind and aren’t nimble enough to take big steps forward. I predict more and more of this happening in healthcare in the next few years.

Tim Medin

2021-10-22

CISA Advisory on B. Braun Infusion Pump Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging users to apply updates to address multiple vulnerabilities affecting certain B. Braun infusion pumps and battery packs. The flaws could be exploited to gain remote access to the devices.

Editor's Note

Beyond applying the update, make sure these types of devices are isolated. If you’re using Wi-Fi, it should be a separate network, with limited access, much as you would use segmentation on a wired network for control systems. Don’t expose these to the Internet and if remote access is required, use a VPN and an authorized secure bastion host.

Lee Neely

I'm so glad folks are giving this kind of device attention. I wish those with the skills to find these flaws good hunting. And for manufacturers, please hire quality pentesters and consider shipping devices (or at least firmware) to bug bounty hunters. This is a prime case of, "Find the bugs before the bad guys do."

Christopher Elgee

2021-10-25

HHS Bulletin Lists Cybersecurity Issues Relevant to Healthcare Sector

The US Department of Health and Human Services Monthly Cybersecurity Vulnerability Bulletin for October 2021 lists the BrakTooth vulnerabilities, Conti ransomware, and the Medusa TangleBot as top security concerns for the healthcare sector. The bulletin also lists relevant vulnerabilities in products from Microsoft, Adobe, Apple, Cisco, WordPress and other companies.

Editor's Note

A recurring theme is to secure your remote access components and keep products updated/patched. Go through the list to make sure you didn’t miss any tricks. Also make sure that you’re not only getting security bulletins for all your installed products but also that they are acted upon, which may mean you need to change the distribution.

Lee Neely

2021-10-25

Fix Available for Critical Vulnerability in Discourse

A critical remote code execution vulnerability in the Discourse open source discussion platform affects versions 2.7.8 and earlier. The flaw has a CVSS severity score of 10. A fix was released on Friday, October 22.

Editor's Note

The blog post describing the vulnerability includes sufficient details to write an exploit. I would not be surprised to see vulnerable sites already being targeted while you read this. Please expedite this update if you run Discourse.

Johannes Ullrich

If you cannot apply the update, you can add a rule to block requests with a path starting ‘/webhooks/aws’ in your WAF or other security module.

Lee Neely

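The WAF rule suggested above, as an added example that is not Discourse's code or part of the advisory: a small WSGI middleware that answers 403 for any request whose path starts with /webhooks/aws, normalising the path first so that percent-encoded or doubled-slash spellings of the same path are caught by the same rule. The demo_status helper is a hypothetical name used only to exercise the middleware.

```python
from posixpath import normpath
from urllib.parse import unquote

BLOCKED_PREFIXES = ("/webhooks/aws",)


def canonical_path(raw_path: str) -> str:
    """Percent-decode and normalise a request path so the prefix check sees
    the same path the application would route on (collapses //, /./, /../)."""
    return normpath("/" + unquote(raw_path).lstrip("/"))


def is_blocked(raw_path: str, prefixes=BLOCKED_PREFIXES) -> bool:
    return canonical_path(raw_path).startswith(prefixes)


class BlockPathPrefix:
    """WSGI middleware: answer 403 for blocked paths, pass the rest upstream."""

    def __init__(self, app, prefixes=BLOCKED_PREFIXES):
        self.app, self.prefixes = app, prefixes

    def __call__(self, environ, start_response):
        if is_blocked(environ.get("PATH_INFO", ""), self.prefixes):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_status(raw_path: str) -> str:
    """Hypothetical helper: drive the middleware with a trivial upstream app
    for one request and return the HTTP status line it produced."""
    def upstream(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    seen = []
    BlockPathPrefix(upstream)({"PATH_INFO": raw_path}, lambda s, h: seen.append(s))
    return seen[0]
```

Whatever WAF or reverse proxy you use, confirm that its rule matches on the decoded, normalised path, since a rule that only inspects the raw request line leaves the same endpoint reachable under a different spelling.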
2021-10-25

South Korea’s KT Telecommunications Company Outage Blamed on Routing Error

South Korean telecommunications company KT Corporation suffered an outage on Monday, October 25. The company initially said the issue was caused by a distributed denial-of-service (DDoS) attack, but later clarified that the problem was due to a border gateway protocol (BGP) configuration error. The incident affected all of KT’s 16.5 million customers, and lasted less than an hour.

Editor's Note

Bad BGP updates cause the network to fail rapidly and are slow to back out and recover from. When you need access to the console port on your routers (remember that teal cable that came in the box you tossed in the back of the drawer?), know what you would have to do to back out an erroneous update, verify that you have access to your network gear when routing is impacted, and document the process.

Lee Neely

2021-10-25

Guilty Plea in 2019 Kansas Water Utility System Breach

Wyatt Travnichek has pleaded guilty to damaging a computer during unauthorized access and tampering with a public water system. Travnichek was employed by Post Rock Rural Water District in Ellsworth County, Kansas between January 2018 and January 2019. His responsibilities included remotely monitoring the facility. In March 2019, Travnichek used the remote login capability to shut down the facility and shut off one of its filters.

Editor's Note

The system tampering happened two months after he resigned, and he used the company remote access system to do it. Disabling accounts when staff leave is critical. If you don’t remove disabled accounts, monitoring for their re-activation is also critical to detect malfeasance. Consider deactivating accounts which are not used frequently, particularly those used for remote access. When looking at this make sure that low frequency, but known/regular, events/use cases are factored in.

Lee Neely

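Two of the checks above, monitoring for re-activation of disabled accounts and finding dormant accounts that are candidates for deactivation, written as an added example (not from the case or any vendor). It runs over constructed, simplified Windows security events; 4725, 4722 and 4624 are the real event IDs, while the dict field names are an assumption of the sample format rather than the native event layout.

```python
from datetime import datetime, timedelta

# Windows Security event IDs (real IDs); the event dict layout is a
# simplified, assumed format for this example, not the native XML.
DISABLED, ENABLED, LOGON = 4725, 4722, 4624


def detect_reactivation(events, departed):
    """Alert on every 4722 (enable) for an account that was disabled earlier;
    escalate to HIGH when the account belongs to someone who has left."""
    disabled, alerts = set(), []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == DISABLED:
            disabled.add(e["target"])
        elif e["id"] == ENABLED and e["target"] in disabled:
            sev = "HIGH" if e["target"] in departed else "MEDIUM"
            alerts.append((sev, e["target"], e["subject"], e["time"].isoformat()))
            disabled.discard(e["target"])
    return alerts


def dormant_accounts(events, accounts, now, max_idle_days=45):
    """Accounts with no successful logon within max_idle_days: candidates for
    deactivation. Tune max_idle_days above the cadence of any legitimate but
    infrequent use (quarterly vendor maintenance, for example)."""
    last_seen = dict.fromkeys(accounts)
    for e in events:
        if e["id"] == LOGON and e["target"] in last_seen:
            if last_seen[e["target"]] is None or e["time"] > last_seen[e["target"]]:
                last_seen[e["target"]] = e["time"]
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a, t in last_seen.items() if t is None or t < cutoff)


def ev(ts, eid, target, subject="SYSTEM"):
    return {"time": datetime.fromisoformat(ts), "id": eid,
            "target": target, "subject": subject}


# Constructed sample events (not from any real system): a remote-operations
# account is disabled at resignation, then re-enabled and logged on weeks later.
SAMPLE = [
    ev("2019-01-15T17:02:00", DISABLED, "remote-ops1", subject="hr-admin"),
    ev("2019-03-20T09:10:00", LOGON, "jdoe"),
    ev("2019-03-27T22:41:00", ENABLED, "remote-ops1", subject="it-admin2"),
    ev("2019-03-27T22:43:00", LOGON, "remote-ops1"),
    ev("2018-12-20T08:00:00", LOGON, "vendor-svc"),
]
DEPARTED = {"remote-ops1"}
```

The departed set is the piece that turns a routine account change into a high-severity alert, so it needs to be fed from HR or contract termination data rather than maintained by hand.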
Internet Storm Center Tech Corner

Malware Quiz

https://isc.sans.edu/forums/diary/October+2021+Contest+Forensic+Challenge/27960/


Odd Zip Files

https://isc.sans.edu/forums/diary/Phishing+ZIP+With+Malformed+Filename/27966/


Decrypting Cobalt Strike Traffic

https://isc.sans.edu/forums/diary/Decrypting+Cobalt+Strike+Traffic+With+a+Leaked+Private+Key/27968/


Decrypting Cobalt Strike Configurations Using Known Secret Keys

https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/


Vulnerable Billing Software BillQuick Web Used to Deploy Ransomware

https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware


Critical Discourse Vulnerability

https://us-cert.cisa.gov/ncas/current-activity/2021/10/24/critical-rce-vulnerability-discourse


Discourse Discussion Platform RCE

https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq

https://0day.click/recipe/discourse-sns-rce/


ua-parser-js malware

https://github.com/advisories/GHSA-pjwm-rvh2-c87w


Tracking BLE Fingerprints

https://cseweb.ucsd.edu/~nibhaska/papers/sp22_paper.pdf


GPS Software Bug

https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-rollover-bug

https://isc.sans.edu/forums/diary/Keeping+Track+of+Time+Network+Time+Protocol+and+a+GPSD+Bug/27886/