HP Printers Require Immediate Firmware Updates; ATT’s Network Infested With Dangerous Malware; Path Mozilla NSS Crypto Libraries

This vulnerability affects printers for the last few years. If you have an HP printer, it is likely vulnerable. Update your firmware in particular if the printer is reachable over a network. The other exploit scenarios may be less of a problem if the printer is located in a home office without easy access.

Johannes Ullrich

Coincidentally, the SANS Holiday Hack Challenge will feature a printer hack this year. As an overlooked part of most infrastructure networks, printers make interesting targets for adversaries since they are seldom subject to rigorous patch management processes. We thought it important to highlight printer vulnerabilities as a common threat for many organizations.

Joshua Wright

By now, network-attached printers should be fully covered by vulnerability management processes, across their entire lifecycle, including disposal. If not, there have been real world damage-causing exploits against printers over the past 5 years – seeing vulnerabilities that include code execution should be a red flag for action.

John Pescatore

Make sure you’re installing firmware updates on your printers. If you’re using a third party double check their practices. Understand controls which allow or disallow Internet printing before enabling that capability. As many printers now cache information and have ports for USB or other memory cards, consider locations away from unescorted access, not just to prevent media insertion, but also limit unintended browsing of sensitive output. Consider using devices that permit jobs to be queued/paused until the requester is physically present.

Lee Neely

Last week, we had a story about Sky waiting a year to patch customer premise equipment. AT&T didn't want to be outdone and is now, four years after the vulnerability was originally reported, and after it is actively being exploited, considering steps to mitigate it. In your office (and home office) network design: Treat ISP supplied equipment as hostile and outside your perimeter.

Johannes Ullrich

The report suggests that ATT’s use of wildcard certificates may have enabled the malware to get broad internal access. NSA put out a warning about wildcard certs in October 2021. (Just search for “NSA ALPACA” because the creative folks at Ft. Meade used that very cool acronym for “Application Layer Protocols Allowing Cross-Protocol Attacks” vs. earlier use of it for Application Layer Protocol Confusion attacks.)

John Pescatore

In addition to wildcard certificates, it appears these devices also have default credentials which need addressing A patch was released in December 2018, about 19 months after the first discovery of the flaw. Application of the patch has manual updates.

Lee Neely

The NSS library isn't as well-known as openssl, but the scope of its use is similar. Many clients, and in a few cases servers, use this library. As so often with these library flaws, patching the library is just a first step. You may also need to patch software using it.

Johannes Ullrich

Tavis' write-up of this flaw indicates that redirecting code execution is trivially exploitable. NSS is used by Firefox, Thunderbird, and a variety of other software projects from RedHat, Oracle, SUSE, and others: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Overview.

Joshua Wright

This applies to products which use the NSS for handling signatures such as Thunderbird, LibreOffice, Evolution and Evince. The fixes to Thunderbird were released 30 days ago, so the fixed libraries are now available for public download. This also means the most current releases of these products include the fixes, make sure they’ve been updated in your environment.

Lee Neely

There are two issues here – closing the access path and determining the level of access or damage. Could you detect accesses to your file servers or other resources that happened six months ago or are you rolling the logs over when they get “too big” irrespective of duration? While Panasonic says nothing about the exact access method, you may want to make sure that you’re actively disabling inactive accounts, only granting users the access they need for their role with a regular review to ensure they are not over permissioned.

Lee Neely

Attacker 'breakout time' is a metric we use to measure the amount of time it takes an attacker to go from initial exploitation to secondary post-exploitation or lateral movement within a network. For sophisticated attackers, breakout time is measured in minutes, or hours. Panasonic's case is not unusual, where it may take an organization several months to identify a compromise. Threat hunting and red team exercises can help shorten that detection window, but must be supported by a strong incident response process.

Joshua Wright

I have seen some talk about how to detect the kind of activity this developer used to collect the information. Many suggestions do not take into account the access developers need to work effectively. A developer typically needs read access to repositories other than the one they are working on even for little things like a quick copy/paste. Do not use this incident to make your developers’ lives any more difficult.

Johannes Ullrich

This is a case of a trusted insider, with administrator access, abusing those privileges, including modifying logs to cover his tracks. Further, he leveraged an incident to mask his activities. This is an excellent scenario for a tabletop exercise to talk about prevention and discovery. Consider actions such as forwarding logs to a centralized service to reduce the likelihood of modification; performing traffic flow analysis coupled with other DLP tools to discover data exfiltration. Make sure that you’re colling information from insource, outsourced and cloud systems wherever possible.

Lee Neely

There’s a long history in the US of the RICO (Racketeer Influenced Corrupt Organization) act to go after those who knowingly profit by selling products and services to bad guys who meet the broad definition of RICO. While it is so broad that there have been abuses, it is good to see convictions (and asset seizures) coming against the modern equivalent where services providers are profiting from criminals. Good to use this to notify the product/service side of your company of the need to “know your customer.”

John Pescatore

The first directive is to designate a cybersecurity coordinator to perform the identified tasks. The question is – do you have someone in a similar role? This is a liaison between you and your regulator, relevant ISAC or even CISA. This would also be a good person to coordinate vulnerability disclosure activities.

Lee Neely

Access leveraged an API key which was allegedly protected by 2FA. When you implement 2FA, you need to implement it properly. This is another case where you don’t want to “roll your own,” use an existing tested solution, then test your implementation rigorously.

Lee Neely

Insert usual comments here about why the term “cryptocurrency” is an oxymoron. Another note: calling the “MonoX Finance” software is like calling your kid’s fingerpainting “art.” The token abuse exploited is pretty much the equivalent of the web price changing vulnerabilities that worked in the first online commerce sites decades ago.

John Pescatore

If you’re relying on air-gapped networks for security, review the white paper to understand what processes can be leveraged to cross that gap and how to secure them. Look first at how you’re transferring information in and out of those systems, making sure only trusted files and media are allowed, that you’re scanning that media aggressively.

Lee Neely

Systems that are not connected to the public networks for security reasons are probably sufficiently sensitive that they must be protected physically.

William Hugh Murray