FTC May Go After Companies that Ignore Lof4J Flaws; Optional Microsoft Authenticode Fix Enabled Zloader Attacks

While some may pooh pooh the FTC’s cybersecurity related actions, it is telling that many attempts have been made by private industry to challenge their authority to do so. SANS gave the FTC a Difference Maker’s award in 2013 and the justifications for that award have held up over the years: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and in particular, going after companies that don't protect their customers' information. The FTC doesn't seem to need new laws or more money, it just keeps fighting for its customers.”

John Pescatore

The FTC doesn’t want history to repeat itself. While a company could accept the risk of not addressing Log4j vulnerabilities, the FTC wants them to know that both the Gramm Leach Bliley Act (GLBA) and Federal Trade Commission act have specific directions to mitigate known software vulnerabilities. Long story short: update Log4j wherever you’re using it, make sure you’ve deployed your vendor updates, use a properly configured WAF if you can, monitor activity, and document actions taken.

Lee Neely

Organizations should not see this as a one-off vulnerability and invest in building a program to track assets, vulnerabilities, and patches. Vulnerability management is hard, it is a process, and there is no end state. Implementing lessons learned from Log4j, like those learned during the Struts2 vulnerability that affected Equifax, will be ideal for your organization when the next big vulnerability is inevitably disclosed.

Jorge Orchilles

On the Log4J Issue, I am not sure how the FTC enforcement will fully happen. There are going to be a fairly large number of systems in which the actual code doesn't exist, won't compile, and is mission critical. I would imagine that this sets a very bad precedent, overall, but it's not unexpected. We have been talking about regulation for years, and if the larger community does not regulate itself, someone else will. This is also compounded by the fact that Log4J may not even show up in the dependency chain directly but as a sub-dependency. We need to watch this carefully as this could start rolling down hill to the next “Exchange Vulnerability” that is not patched in time.

Moses Frost

It's easy to cast shade at Microsoft, but they're right - this has an extremely high risk of false positives in many (if not most) environments. Even given the news of active use of the vulnerability, knee jerk implementation of fixes risks impacting system availability. It's important to put this in context. This vulnerability does NOT allow threat actors access to systems. It only allows them to bypass intended code signing security checks *after* they've already accessed a system, meaning threat actors have already bypassed at least some security controls. To use a circus analogy, carefully consider whether enabling an additional safety net is worth blindfolding the trapeze artists. If you're not sure and projected impacts are high, perform extensive testing first.

Jake Williams

There are currently two mitigations. Either apply the Microsoft Authenticode fix to check certificate padding with the caveat that it causes some installers to be tagged with an invalid signature, or disable mshta.exe which is how the embedded scripts are executed, provided you’re not using it in your environment.

Lee Neely

While this particular attack is to run unsigned DLLs, I would like to highlight that leveraging Microsoft signed binaries, scripts, and libraries (LOLBAS) has been around for some time and highlighted in RSAC Keynote by SANS in 2020: https://www.sans.org/blog/the-five-most-dangerous-new-attack-techniques/: The Five Most Dangerous New Attack Techniques The LOLBAS project is maintained here: https://lolbas-project.github.io/

Jorge Orchilles

Initially, I considered mitigating this issue by removing the CD-ROM device from workstations. But keep in mind that it is needed for example to install and update VMWare Tools. For VMWare Fusion and VMWare Workstation, you will likely not even have to upgrade. The fixed versions were released late last year (Workstation: Oct 14th, Fusion: November 18th).

Johannes Ullrich

If you cannot apply the patch, or it’s not available, the workaround is to remove unused hardware from virtual machines. Note they need to be shut down to do this. It’s not a bad idea to make sure that you’ve removed unused hardware which may have been added for testing or other long forgotten purpose.

Lee Neely

We constantly see unpatched ESXi and unpatched vCenter in almost every customer environment on premise. The problem isn't getting better – it’s getting far worse. Many companies that have a good desktop and server vulnerability management strategy fall flat in this regard. Patch where you can, segment where you cannot. We still see 6.5, 67, and 7.0. It would also be relevant for many of the Security Industry to patch their workstation builds.

Moses Frost

This is a good issue to include in awareness training. Just because an email originated from a "trusted" entity like Google, or a link is located on Google docs, doesn't mean it is safe.

Johannes Ullrich

When you add a comment to a Google Doc which has an “@” reference to the user, regardless of the source of that document, an email is sent to the user, including any malicious links or text in the comment, with a Google originating email address, making it feel trusted/legitimate. If you’re using URL rewriting tools, make sure all external email is in-scope. Make sure that your endpoint or perimeter protections include blocking/denying uncategorized and malicious web site access. At core protection still depends on user hygiene, not clicking unrecognizable links and being sure the comments are truly from a document they are collaborating on with a recognized partner.

Lee Neely

Google has been slow to address this attack vector, which I think dates back as far as August 2020. This is one of those features that carry risks that can in many, probably most, cases be way more damaging than the benefit of the feature. Kinda like is anyone really missing Adobe Flash?

John Pescatore

Software development needs to consider the time a particular system is supposed to be in operation, and the entire life cycle should be considered. As cars adopt more “smart” feature, it is important to remember that cars are expected to stay operational for 10+ years, unlike smart phones which are often considered obsolete in less than half that time. Simple bugs like this Honda Y2K22 issue do not make me feel very good about how well systems like smart phone integration APIs will perform 10 years from now.

Johannes Ullrich

It is easy to overlook the capacity of a variable being exceeded, in this case a signed int32 which cannot hold the date string for January 1, 2022. We should have learned this 22 years ago and documented these constraints, or better still chosen alternatives not subject to the limitations. Take a quick look through your application inventory to make sure you address systems with Y2K22 issues. One hopes that any Honda subscription services tied to the navigation systems will refund the charges until the issue is resolved.

Lee Neely

Wouldn’t it be nice if Honda said “All car loan payments to Honda will be suspended from January to August to make up for the impact to our customers who paid a lot of money to buy our products.”

John Pescatore

This is a great first step toward helping the "under-resourced counties and municipalities." Here's hoping legislation from Senators Hassan and King enable more collaboration between other agencies (like the National Guard) that may actually bring more resources to the fight.

Christopher Elgee

Make sure you connect with your local CISA coordinator, they are a good contact for bringing resources, such as ransomware remediation, training, assessment tools, and advice at no added charge as they are taxpayer funded. It is easy to forget their mission includes both public and private sector.

Lee Neely

I’m excited to read about this as CISA is both taking what appears to be a leading role in helping organize US cyber defenses in one of the most difficult areas to defend, and creating a network for better coordination and sharing. My question: is this attempting to replace functionality with the MS-ISAC, better align with MS-ISAC or fill in a gap? The US government has a reputation for solving problems by creating new organizations instead of improving existing ones.

Lance Spitzner

In the FCI incident no data was accessed in the electronic health record (EHR) system due to unspecified “security controls.” The disclosure notes that the data for almost 80k current and former patients was accessed in “administrative files and folders.” It seems likely that patient data, whether in scanned paper records or exported EHR data, was placed in locations that were accessible with AD domain logons. In my experience it's also likely that all of this data wasn't actually accessed by threat actors, but the organization lacks the auditing controls to know what specific data was taken so they reported everything in the accessed file shares. This not only increases notification costs, but also likely involved a substantial eDiscovery bill. Organizations handling regulated data should examine their filesystems for copies of regulated data and ensure they have appropriate auditing in place to detect access to that data.

Jake Williams

Beyond testing and securing your primary applications, make sure that any archives or other locations that data is stored are also secured, particularly any systems where you digitized the paper records to get rid of storage rooms full of boxes of them. Remember that plan to save a fortune by moving unused data to low-cost cloud storage? Did you ever get a report on how it would be secured, including a risk assessment? Did you verify the security was as planned?

Lee Neely

When responding to a ransomware incident, isolating/shutting down and/or disconnecting affected systems is a good step. Make sure that your forensic team has what they need before wiping disks to reinstall, such as logs or system images so they can work on root cause as well as determine what data may have been exfiltrated. Keep in mind the encryption step is often the last thing done on the way “out the door” as it were.

Lee Neely

Ransomware threat actors often don't get payouts for attacks on municipalities. Attacks on municipalities in 2021 should generally be attributed to inexperience of the specific ransomware operators or desperation - neither of which bodes well.

Jake Williams

I don’t think anyone predicted that we would not see ransomware in 2022. It is here and organizations must train, test, measure, and improve their people, process, and technology to detect and respond to these attacks before impact. We often call this “left of boom” where boom is exfiltration and encryption.

Jorge Orchilles

As we see more data calls of the form “Check the list of affected products against your installed software list,” searchable repositories make that far simpler. Beyond reporting, this is useful for analysis of your current possibly impacted products, using either the hosted or downloadable version of this tool. The data includes notes, references, and links to the vendor advisory/fix guidance.

Lee Neely

Chrome is the gift that keeps giving. Is Chrome the new Flash? According to W3Schools, over 80% of their traffic in 2020 & 2021 was from Chrome making these rapid updates all the more disruptive. These vulnerabilities can have grave impacts including data corruption or malicious code execution, bottom line, time to update (again.) These fixes also impact Chromium based browsers (Edge, Brave, etc.) The good news is updates are already available for those browsers and simply waiting for the user to relaunch their browser.

Lee Neely