Australia, UK, and US Issue Joint Warning on Critical Infrastructure Attacks; Turning Stolen Cryptocurrency into Real Money Provides Opening for $3.6B Seizure by US DoJ; SEC Proposes Requiring Investment Advisers, Companies and Funds to Follow Risk Management and Incident Reporting Guidelines

While the targets change as we deploy new services and technologies, the mitigations remain essentially the same – keep devices updated; MFA all the external entry points; segment systems, particularly OT and legacy systems which are running older applications and operating systems; turn off or disable insecure or unnecessary services; train the users; use immutable backups; monitor for maleficence.

Lee Neely

It’s fantastic to see countries working together to address ransomware. Global challenges require global solutions. Keep in mind that ransomware is not a new type of attack, it is simply a new way to monetize a successful attack. The reason we have seen an explosion of ransomware is because it is so profitable - fast (and relatively safe) return on investments. According to the report, and no surprise here, the three steps to mitigating ransomware are focusing on the fundamentals - phishing, passwords and updating.

Lance Spitzner

The use of crypto currencies often comes with the promise of anonymity. But this anonymity is lost as soon as cryptocurrency is converted in to “real money.” With few non-criminal services accepting cryptocurrency, the actual value of cryptocurrency is very limited. In particular, currencies focusing on anonymity need to be at least converted into more traceable currencies like bitcoin.

Johannes Ullrich

There are so many aspects to this story, but one we should definitely not lose sight of is the fact that it is difficult to launder significant amounts of cryptocurrency when exchanges follow know your customer (KYC) regulations. Many have traditionally relied on cryptocurrency mixers, but when law enforcement seizes mixing operations (as happened in the AlphaBay takedown), those transactions are relatively trivially to deanonymize. Even without law enforcement actions against mixing operators, it's clear the Department of Justice is getting much better at tracking the flow of cryptocurrency. This certainly won't be the last large-scale recovery we see.

Jake Williams

Good to see the FBI has the tools for tracing crypto transactions. While the couple did use options such as “chain-hopping,” mixer or tumbler services and “privacy coins,” which are intended to make tracking the digital transactions difficult, the investigators were still able to “follow the chain” to the couple. They had the address of the wallet funds were exfiltrated to from Bitfinex in 2016 ultimately working back to the couple, not only leveraging transactions from identified wallets, but also data discovered in the AlphaBay takedown which allowed wallets to be connected to their owners.

Lee Neely

I think the SEC issued its first cybersecurity guidance in 2011 and since then has slowly increased disclosure and incident response requirements across the financial food chain. While there will be the usual negative reactions to the burden this may place on small advisors and funds, bringing registered investment advisors and funds up these basic minimum requirements is a good thing. The impact to their customers of lax information security processes and controls can be catastrophic and not just via breaches. Stock market volatility means attacks causing very short duration outages can be used to manipulate stock prices and trading with serious financial impact.

John Pescatore

Disclosure of incidents in SEC filings has provided visibility into issues otherwise obfuscated by business practices. With the current threat environment having transparency on cyber security posture should help raise the bar, much as the increased requirements from cyber insurance providers seeks to do. One hopes this also becomes one more tool for savvy investors to leverage when considering their wealth management strategy.

Lee Neely

This update addresses multiple issues, and there is a separate set of patches from February 5th which address a high-severity flaw in System. If you don’t see the update for your devices, your Android hardware vendor may not have finished qualifying these updates for your platform, don’t forget to check again. Note this is also the final official update for Google’s Pixel 3 smartphones, launched in October 2018. Keep an eye on the support lifecycle for your smartphones, Android devices typically only get OS updates for two years and security updates for three, don’t wait until the end of year three to start your update process.

Lee Neely

You should have these queued to push this weekend, even though there are only 51 flaws addressed. Notice there are fixes for DNS and SharePoint server RCE flaws as well as for a Win33K privilege escalation flaw.

Lee Neely

Interesting to not have a critical (or an already exploited) vulnerability this month. The lack of an emergency may give you some time to hone your patching / vulnerability management process.

Johannes Ullrich

The attack leverages a flaw in the Quickview plugin to run code on the server. When exploited, the attackers leave multiple back doors into the server, so if detected you’re going to have to fully scan and analyze the system to discover all of them; possibly building a new server based on a clean install. If you’re still using Magento 1, you need to be migrating to the newest version of Magneto Open Source which is based on Magneto 2, or to a commercially supported platform such as Adobe Commerce, there are not going to be updates or fixes for Magento 1.

Lee Neely

With the deployment and move to 5G, 3G and earlier networks are being shut down, decommissioned and the frequencies reallocated, fortunately Vodafone was able to reactivate their 3G network and provide some relief to customers. This is intended to restore voice services as the data rates are much lower. Customers relying on cellular data will need to wait for the full restoration to achieve the expected data rates. Watch the Vodaphone site below for status updates. Note the site is in Portuguese.

Lee Neely

WMIC was a blessing back when I was a sysadmin, and it was released. Note that WMI is not affected. If you want to understand WMI, it is MITRE ATT&CK T1047: https://attack.mitre.org/techniques/T1047/

Jorge Orchilles

Read that again – the WMI itself is not deprecated, you just need to use PowerShell for WMI instead of WMIC. If you haven’t looked recently, the Microsoft link below addresses many features which are being removed and when, such as IE11 and the BitLocker To Go Reader.

Lee Neely

Practitioner's note: This will mean eventually replacing cmd.exe commands like <wmic service where (displayname like "hyper%") get name,displayname> with PowerShell equivalents like <Get-CimInstance Win32_Service -filter "displayname like 'hyper%'" | select Name, DisplayName>

Christopher Elgee

These are flaws in PLCs and exploiting these flaws can crash them. As such, you should be isolating them and only allowing connections from authorized devices and users. Note there are no mitigations to these flaws and your firewall likely cannot parse the S7CommPlus_TLS protocol to discover malicious content, use the Siemens General Security Recommendations for a defense-in-depth approach to cover hardening, network and physical security. See Siemens Operational Guidelines for Industrial Security https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf

Lee Neely

You can download the entire dataset as an Excel file. The dataset continues to evolve and additional fields, such as point of attack, are being requested and considered. Note that while the number of incidents reported for 2021 is lower than 2020, it is likely due to focus on other incidents or on roll-up reporting versus indicating a trend towards fewer attacks.

Lee Neely

When viewing these numbers, keep in mind that extortion is only one of the bad things that could result from these breaches. While some of the breaches exploited human error, the indication is that the cost of attack for far too many systems is much lower than the value of success to the attackers. Collectively we need to raise the cost of attack. Please do your part.

William Hugh Murray

While you just started pushing iOS 15.3, you need to regroup and push 15.3.1. The update is small for devices already on 15.3. MacOS 10 & 11 users need only apply the update to Safari while Monterey users need to install 12.2.1. While Apple seems to be responding to more vulnerability disclosure reports in an effort to maintain the security of their products, the out-of-cycle updates are a bit disruptive, they are calling these flaws actively exploited. One hopes that doesn’t become so commonplace as to be regarded like the boy who cried wolf.

Lee Neely