SANS NewsBites

Russians Arrest Alleged Colonial Pipeline Ransomware Actor; White House and Tech Firms Talk About Open Source Security; Microsoft Uses Out of Band Release to Fix Problems Caused by Last Patch Batch

January 18, 2022  |  Volume XXIV - Issue #05

Top of the News


2022-01-14

White House: REvil Arrests Include Alleged Colonial Pipeline Culprit

One of the individuals arrested in Russia in connection with the REvil ransomware group is believed to be responsible for the May 2021 ransomware attack against Colonial Pipeline. That attack temporarily led to fuel shortages in parts of the US.

Editor's Note

International cooperation is critical to prosecution having any impact at all, but politics still gets in the way. I don’t think there has been any meaningful progress on international cybersecurity laws since 2001 or so. The UN Governmental Group of Experts met and issued reports in this area every few years; nothing since then, I don’t think. Maybe the pandemic spirit of international cooperation will carry over to cybersecurity.

John Pescatore

There was a lot of political pressure to find those behind the Colonial Pipeline attack, as well as pressure from Russia that cooperation was contingent on the US not reacting to their activities in Ukraine, as well as Russia not wanting to acknowledge they had ransomware groups actively operating in their country. This makes international cooperation tricky and non-trivial. One hopes we would have moved beyond this, as it also allows operators more room to operate and maneuver without recrimination.

Lee Neely

2022-01-14

White House Open Source Software Security Summit

On Thursday, January 13, the White House hosted an Open Source Software Security Summit to discuss ways to improve the security of and support for open source software. The meeting included government officials as well as open source software stakeholders from technology and infrastructure organizations.

Editor's Note

A number of initiatives came out of the Heartbleed vulnerability back in 2014. For example, the Linux Foundation identified critical components in need of help. Companies like Google, Apple, Facebook and others are already contributing to open source. But they often miss older existing components that have lost support and are still relied upon. After Heartbleed, the Linux Foundation started a project to identify critical open source components that have either lost their maintainers or are in need of help (e.g. security assessments).

Johannes Ullrich

A great topic to see progress on but the only output of a meeting was an agreement to “continue discussions to support these initiatives in the coming weeks.” If private industry wants to show it has any ability to self-regulate, this is a great opportunity to see the vendors participating come out with a major announcement in those coming weeks with some 2022 milestones of actual changes to improve the baseline security of repositories and code.

John Pescatore

The government doesn't need private industry to improve the security or support of open source software. If the administration saw open source software security as a legitimate threat to national security, it could simply fund the maintenance it is asking industry to fund. The reality isn't that simple. Choosing which open source projects to support (which will of course be seen as an endorsement) poses some immediate issues as will administering the program. But those challenges unfortunately don't go away by pressuring private industry to provide the open source software support.

Jake Williams

Open source expects active contributions from the community. If you’re improving, extending or fixing open source, you’re supposed to give those changes back. If you discover an issue you cannot resolve, report that too. Take a look at the license for any open source you’re using to make sure that you’re following any other expectations. I’ve seen prohibited use cases or expectations which are easily missed.

Lee Neely

While the quality and protection of open source software may not be worse than that of the code that we pay for, it is clear that “many eyes” has not delivered on its intuitive promise. There does not appear to be any useful difference in the risk of code based upon its source.

William Hugh Murray

I am not a fan of throwing money at the problem, but when it comes to open-source software leveraged by multi-million- and billion-dollar companies, my opinion changes. Maintaining open-source software is a thankless, tedious job. Log4j showed the potential impact.

Jorge Orchilles

2022-01-17

Microsoft Releases Out-of-Band Fixes for Problematic Updates

Microsoft has issued out-of-band updates to fix issues in Windows Server updates that were released last week. The initial updates were causing spontaneous Windows domain controller reboots, preventing Hyper-V from starting, and rendering Windows Resilient File System (ReFS) volumes inaccessible.

Editor's Note

This out-of-band fix was urgently needed to allow organizations to apply the January cumulative updates correctly. I know it isn't easy for Microsoft to test all the possible DC configurations. But reliable and painless software updates are one of the things organizations purchasing software are looking for.

Johannes Ullrich

After pausing and/or rolling back some server updates last week, it’s time to test these revised updates and schedule their deployment. Trust the fixes to the update but verify them before enterprise deployment.

Lee Neely

The Rest of the Week's News


2022-01-17

Microsoft: Wiper Targeting Ukrainian Organizations

Microsoft has warned of destructive wiper malware that is being used in targeted attacks against organizations in Ukraine. The Microsoft Threat Intelligence Center (MSTIC) says that the malware first appeared on Ukrainian systems on January 13, 2022. The malware is reportedly designed to look like ransomware, but lacks a recovery mechanism, leading researchers to believe its intent is to destroy data. The malware overwrites the Master Boot Record and displays a phony ransom message, then corrupts files of multiple types.
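The MBR overwrite described above is something an incident responder can check for directly on a disk image before anything else is touched. The Python below is an added example written for this newsletter entry, not code from Microsoft or from the analysis it summarizes, and the page does not describe the actual layout of the malware's replacement MBR, so the check is generic: it reads the first 512 bytes, verifies the 0x55AA boot signature, sanity-checks the four partition entries, and flags a bootstrap area that holds a long human-readable note where boot code should be. The two sample sectors, the note wording and the marker word list are constructed here for illustration.

```python
"""Boot-sector sanity check for images of a possibly wiped disk (added example, constructed data)."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Assumption: marker words chosen for this example; tune them to the notes you actually see.
RANSOM_MARKERS = (b"bitcoin", b"wallet", b"decrypt", b"restore your", b"ransom", b"tox id")


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte MBR partition entries that start at offset 446."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def longest_printable_run(data: bytes) -> bytes:
    """Longest run of printable ASCII (CR/LF allowed); real boot code only carries short strings."""
    best = cur = b""
    for b in data:
        if 32 <= b < 127 or b in (10, 13):
            cur += bytes([b])
            if len(cur) > len(best):
                best = cur
        else:
            cur = b""
    return best


def inspect_mbr(sector: bytes) -> dict:
    """Return a verdict plus the individual findings for one 512-byte sector."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return {"suspicious": True, "findings": [f"expected {SECTOR_SIZE} bytes, got {len(sector)}"]}
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    parts = parse_partition_table(sector)
    if not any(p["type"] for p in parts):
        findings.append("partition table empty")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] and p["sectors"] == 0:
            findings.append(f"entry {i}: type 0x{p['type']:02x} with zero length")
    text = longest_printable_run(sector[:446])
    hits = [m.decode() for m in RANSOM_MARKERS if m in text.lower()]
    if len(text) >= 64 and hits:
        findings.append(f"ransom-note-like text in bootstrap area, markers {hits}")
    return {"suspicious": bool(findings), "findings": findings, "bootstrap_text": text.decode("ascii")}


def build_clean_mbr() -> bytes:
    """Constructed: a few boot-code-looking bytes, one NTFS partition, valid signature."""
    code = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"Invalid partition table\x00").ljust(446, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed: bootstrap area replaced by a note, partition table zeroed, signature kept."""
    note = (b"Your hard drive has been corrupted.\r\n"
            b"To restore your files send payment in bitcoin to the wallet below.\r\n")
    return note.ljust(510, b"\x00") + BOOT_SIGNATURE


def read_boot_sector(path: str) -> bytes:
    """Read the first sector of a raw image or block device for inspect_mbr()."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    for label, sample in (("clean", build_clean_mbr()), ("wiped", build_wiped_mbr())):
        print(label, inspect_mbr(sample)["findings"])
```

Run it against `read_boot_sector("/path/to/image.dd")` on a forensic copy, never the live disk. A missing signature or an empty partition table is a strong signal on its own; the text heuristic is there because a wiper that keeps the signature but parks a note in the bootstrap area would otherwise pass.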

Editor's Note

The destructive malware which Microsoft has termed "WhisperGate" has been detected targeting many organizations similar to those that were hit with website defacements last week. The WhisperGate malware is designed to appear like ransomware at a very high level. However, a cursory inspection shows that there is no realistic possibility of recovery for victims. The destructive malware lacks features built into traditional ransomware, such as per-victim keying. If threat actors were hoping this would continue to appear to be ransomware (even under limited scrutiny) they missed a significant number of details. We should conclude that the threat actors are likely relatively sophisticated and don't really care how the malware is perceived, in which case the ransomware connection is probably just there to preserve some semblance of plausible deniability.

Jake Williams

Preparations for this strain are the same as any other; recovery is simplified as you don’t have to have the ransomware payment discussion. Be sure your recovery plans are tested and timelines realistic.

Lee Neely

This is interesting; destructive malware is something that many companies have not had the luxury to experience. Instead, most companies experience traditional ransomware. Has your company modeled this?

Moses Frost

This attack does not appear very sophisticated, nor does it leverage any innovative TTPs. Doing the “boring” basics, such as eliminating local administrative privileges to accounts that have email and internet access, will go a long way.

Jorge Orchilles

2022-01-14

Russia Says Authorities Have Made Arrests and Seized Assets Related to REvil Ransomware Group

Russia says authorities there have arrested 14 people believed to have ties to the REvil ransomware group. The Russian Federal Security Service (FSB) says the arrests were made at the request of US authorities. The FSB reportedly seized millions of dollars’ worth of currency and material assets.

Editor's Note

Regardless of the current geo-political situation, these arrests should send out a strong signal to criminals who thought they were untouchable due to being based in Russia. It will be interesting to see what impact these arrests, coupled with other recent activities by law enforcement agencies in other countries, will have on the activities of ransomware gangs.

Brian Honan

Many rightly viewed the arrests with suspicion, almost like the arrests were timed as top cover for something else Russia wanted to keep out of the news cycle. While that certainly is possible, we should still celebrate the takedown of this group of cybercriminals. This particularly impacts the affiliate model so many of these groups rely on to prosper. The affiliate model only works on trust and anytime law enforcement is believed to be sniffing around, trust in criminal organizations isn't exactly at an all-time high.

Jake Williams

International cooperation resulting in a takedown such as this is something to celebrate. It can be complicated in locations where operators are ignored so long as they don’t target that country's assets. One hopes cryptocurrency was also secured, a skill which is needed with current cybercrime.

Lee Neely

The articles today seem to conflict with one another, and maybe this is on purpose. While on the one hand we have a suspicion that Russia is involved in this Ukrainian malware, we have a conflicting story with REvil group being caught. It's just interesting that these two stories show up in a similar timeline. Is Russia making it appear that they are playing ball with the world by arresting REvil ransomware gang while simultaneously attacking Ukraine? Only time will tell.

Moses Frost

Many people have been suggesting this may be smoke and mirrors to take some pressure off our ransomware fight and/or geopolitical strategy. I welcome this over no action at all.

Jorge Orchilles

2022-01-16

WordPress Vulnerability Affects Three Plug-ins

A cross-site request forgery vulnerability affects three different WordPress plug-ins: Login/Signup Popup, Side Cart Woocommerce, and Waitlist Woocommerce. All three are maintained by Xootix. The issue is fixed in Login/Signup Popup v2.3, Side Cart Woocommerce v2.1, and Waitlist Woocommerce v2.52.

Editor's Note

The issue is that all three functions didn’t properly implement a nonce check, allowing their security to be bypassed. The patched versions were released in December; make sure your auto-update installed them. Wordfence released firewall rules for free and paid versions on December 5th and November 5th respectively. Verify your WAF is getting updates for the latest plugin vulnerabilities.

Lee Neely
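The missing nonce check is the textbook WordPress CSRF bug: the handler trusts the logged-in cookie alone, so a form auto-submitted from a page on another site is accepted as the victim. In a plugin the fix is to emit a nonce with the form and refuse requests that fail wp_verify_nonce() (or check_admin_referer() / check_ajax_referer() for admin and AJAX handlers). The Python below is an added example, not code from the Xootix plugins or from WordPress itself; it models the WordPress nonce scheme (a keyed hash over a time tick, the action name, the user ID and the session token, with the previous half-window still accepted) using a constructed secret and a hypothetical action name save_plugin_settings, and puts the vulnerable handler beside the hardened one.

```python
"""WordPress-style CSRF nonce, modelled in Python (added example with constructed values)."""
import hashlib
import hmac
import math
import time

NONCE_LIFE = 24 * 60 * 60                    # assumption: mirrors WordPress's default 24-hour nonce life
SECRET_KEY = b"constructed-example-secret"   # constructed; a real site uses the salts in wp-config.php
ACTION = "save_plugin_settings"              # hypothetical action name for this example


def _tick(now: float) -> int:
    """Nonces rotate every half-life; the previous half-window is still accepted."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for(tick: int, action: str, user_id: int, session_token: str) -> str:
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action: str, user_id: int, session_token: str, now: float = None) -> str:
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), action, user_id, session_token)


def verify_nonce(nonce: str, action: str, user_id: int, session_token: str, now: float = None) -> int:
    """1 = current half-window, 2 = previous half-window, 0 = invalid (the WordPress convention)."""
    now = time.time() if now is None else now
    tick = _tick(now)
    supplied = str(nonce).encode()
    for age, t in ((1, tick), (2, tick - 1)):
        # constant-time comparison; a forged nonce must not leak how close it came
        if hmac.compare_digest(supplied, _nonce_for(t, action, user_id, session_token).encode()):
            return age
    return 0


class Session:
    """Stand-in for the logged-in user that a browser cookie identifies."""
    def __init__(self, user_id: int, token: str):
        self.user_id, self.token, self.settings = user_id, token, {}


def vulnerable_save_settings(session: Session, request: dict) -> bool:
    """Before: only the cookie session is trusted, so a form auto-submitted from another site succeeds."""
    session.settings.update(request["fields"])
    return True


def hardened_save_settings(session: Session, request: dict, now: float = None) -> bool:
    """After: the change is applied only with a valid nonce bound to this action, user and session."""
    if not verify_nonce(request.get("_wpnonce", ""), ACTION, session.user_id, session.token, now):
        return False
    session.settings.update(request["fields"])
    return True


def demo(now: float = 1_642_464_000.0) -> tuple:
    """Push a forged request and a legitimate one through both handlers (time constructed as 2022-01-18 UTC)."""
    victim = Session(user_id=7, token="constructed-session-token")
    forged = {"fields": {"redirect_url": "https://attacker.example/"}}   # cross-site POST carries no nonce
    legit = {"_wpnonce": create_nonce(ACTION, victim.user_id, victim.token, now),
             "fields": {"redirect_url": "https://shop.example/"}}
    return (vulnerable_save_settings(victim, forged),
            hardened_save_settings(Session(7, victim.token), forged, now),
            hardened_save_settings(Session(7, victim.token), legit, now))


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Because the nonce is keyed to the action, the user and the session token, a nonce captured for one action or one user is useless for another, and a token that came from a different site cannot be forged without the server secret. That is exactly the property the unpatched plugins lacked, and it is also why a WAF rule can only buy time: the WAF cannot know which requests carry a valid nonce, it can only block request shapes it recognises.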

I hope we can get away from WordPress at some point in time, but I feel that we will be talking about this in a decade. They need to completely re-write this concept of plugins.

Moses Frost

2022-01-14

Former DHS Official Pleads Guilty to Data and Software Theft

Charles Kumar Edwards has pleaded guilty to conspiracy to commit theft of government property and theft of government property. Edwards stole proprietary software and sensitive government databases. At the time of the theft, Edwards was a US Department of Homeland Security employee and acting inspector general. He previously worked at the Transportation Security Administration and the US Postal Service Office of Inspector General.

Editor's Note

Insider threats continue to be the focus of more mature organizations. As mentioned earlier, do the “boring” basics first such as implementing the CIS Critical Controls, then focus on insider threats.

Jorge Orchilles

It appears he was attempting to create a copy of these applications, presumably with the intent of marketing them to agencies with similar requirements. While audits from an agency IG require turning over lots of information, they also require proper custody of that information, which itself must be audited. One hopes new processes to verify information is properly managed will ensue.

Lee Neely

2022-01-17

Healthcare Sector Breaches in 2021

According to the US Department of Health and Human Services (HHS) HIPAA Breach Reporting Tool, there were 713 reported major health data breaches in 2021. In total, the breaches affected more than 45.7 million people. For this year so far, the HIPAA Breach Reporting Tool numbers show five major breaches affecting 1.6 million people.

Editor's Note

Don’t expect a reduction in attacks targeting the healthcare sector. With resources spread thin, look to leverage local CISA or other industry partnerships to assess and, if needed, help improve your security posture.

Lee Neely

2022-01-17

Oracle Critical Patch Update

Oracle plans to release its first Critical Patch Update of 2022 on Tuesday, January 18. The update will comprise fixes for nearly 500 security issues in various products.

Editor's Note

A number of Oracle products are using log4j. Watch for related updates and expedite these patches if possible. For earlier, less severe log4j vulnerabilities, Oracle released upgrades across several quarterly patch updates.

Johannes Ullrich
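Before the Oracle bundles land, it helps to know exactly which log4j-core builds are already deployed, including copies nested inside wars and ears that a package manager never sees. The script below is an added example for this note, not an Oracle or Apache tool. It reads the version from log4j-core's Maven pom.properties, records whether JndiLookup.class is still present, descends into nested archives, and compares each version against the fixed release for its branch (2.3.2 for the Java 6 branch, 2.12.4 for Java 7, 2.17.1 otherwise, the state of play in January 2022). The sample archives are constructed inline so it runs offline; scan_path() takes a real directory.

```python
"""Find embedded log4j-core builds inside jars/wars/ears, nested archives included (added example)."""
import io
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fixed releases per branch as of January 2022 (through CVE-2021-44832); the Java 8+ branch is the default.
FIXED_BY_BRANCH = {(2, 3): "2.3.2", (2, 12): "2.12.4"}
FIXED_DEFAULT = "2.17.1"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def version_tuple(version: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); qualifiers such as '-rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece.split("-")[0] if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _pom_version(props: str):
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(data: bytes, name: str = "<bytes>", depth: int = 0, max_depth: int = 3) -> list:
    """Report every log4j-core found in an archive and in archives nested inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = _pom_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({"container": name, "version": version, "jndi_lookup_present": has_jndi})
        if depth < max_depth:
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_jar(zf.read(inner), f"{name}!{inner}", depth + 1, max_depth))
    return findings


def needs_attention(finding: dict) -> bool:
    """Older than its branch's fixed release, or JndiLookup present with no readable version."""
    version = finding["version"]
    if version is None:
        return finding["jndi_lookup_present"]
    v = version_tuple(version)
    return v < version_tuple(FIXED_BY_BRANCH.get(v[:2], FIXED_DEFAULT))


def scan_path(root: str) -> list:
    """Walk a directory tree and return (finding, needs_attention) pairs for every archive in it."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                results.extend((f, needs_attention(f)) for f in inspect_jar(path.read_bytes(), str(path)))
            except zipfile.BadZipFile:
                continue
    return results


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed archives: an unpatched log4j-core, a patched one, and a war bundling the unpatched one."""
    marker = b"\xca\xfe\xba\xbe"  # class-file magic stands in for real bytecode
    old = _make_jar({POM_PROPS: "version=2.14.1\nartifactId=log4j-core\n", JNDI_LOOKUP: marker})
    fixed = _make_jar({POM_PROPS: "version=2.17.1\nartifactId=log4j-core\n", JNDI_LOOKUP: marker})
    app = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "WEB-INF/classes/App.class": marker})
    return {"old": old, "fixed": fixed, "app": app}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        for finding in inspect_jar(blob, label):
            print(label, finding, "NEEDS ATTENTION" if needs_attention(finding) else "ok")
```

Removing JndiLookup.class was a valid stop-gap for the JNDI lookups, but a 2.14.x jar with the class stripped still reports as needing attention here, deliberately: the later CVEs on that branch were not about JndiLookup, and the file name in a vendor bundle often says nothing about the version actually inside, which is why the script reads pom.properties rather than trusting the name.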

Many of these are application level flaws which can be exploited without authentication. Review the CPU quickly to see if the updates apply to applications used and (the E-Business suite is in the list) start planning your rollout of the corresponding updates.

Lee Neely

Oracle has quarterly patch releases; this should not be a surprise to patch and vulnerability management teams. Time to analyze and prioritize based on your threat model.

Jorge Orchilles

Internet Storm Center Tech Corner

Use of Alternate Data Streams in Research Scans

https://isc.sans.edu/forums/diary/Use+of+Alternate+Data+Streams+in+Research+Scans+for+indexjsp/28240/


Log4Shell Attacks Getting Smarter

https://isc.sans.edu/forums/diary/Log4Shell+Attacks+Getting+Smarter/28246/


Microsoft Releases Special Update to Deal with January Update Fail

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-oob-updates-for-january-windows-update-issues/


Cisco Unified Contact Center Management Portal and Unified Contact Center Domain Manager Privilege Escalation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ccmp-priv-esc-JzhTFLm4


Zoho Critical Security Patch Released in Desktop Central and Desktop Central MSP

https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022


Google Chrome Restricting Private Network Access

https://developer.chrome.com/blog/private-network-access-preflight/


Microsoft Resumes Windows Server 2019 Cumulative Updates

https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-rollout-of-january-windows-server-updates/


Safari Index DB Leak

https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/