SANS NewsBites

Rapid Fix of Azure Vulnerability Highlights Need to Follow Cloud Security Best Practices; Passage of US Cyber Bill Increases Government Agency Reporting Requirements and Will Enhance CISA Capabilities; Cobalt Strike Attacks Spotlight Need to Limit Updates to Authorized Channels

March 15, 2022  |  Volume XXIV - Issue #21

Top of the News


2022-03-11

Azure Automation “AutoWarp” Flaw Fixed in Four Days

Microsoft fixed a critical flaw in Azure Automation late last year. Dubbed “AutoWarp,” the vulnerability could have been exploited to allow users to access and take control of other users’ accounts. Researchers from Orca Security reported the flaw to Microsoft on December 6, 2021. Microsoft fixed the vulnerability four days later.

Editor's Note

This is a success story where responsible disclosure and prompt response by the software owner quickly closed a serious cross-tenant cloud threat. It points out two things: (1) vulnerabilities will continue to be found in cloud platforms, meaning (2) platform-specific security best practices (like Microsoft’s for Azure or the excellent Center for Internet Security Azure Benchmark, https://www.cisecurity.org/benchmark/azure) need to be followed and audited against.

John Pescatore

While it remains true that cloud security providers, especially the larger players, are able to make their platforms more secure than many organisations can make their own on-premises solutions, it should always be remembered that security is never a binary thing, and continuous risk assessment and multi-layer controls, combined with detection and response capabilities, still remain top priorities when you move to the cloud.

Brian Honan

This was resolved in four days; the vulnerability disclosure agreement didn’t allow publication until March 7th. Make sure that you are following Microsoft’s best practices for Azure Automation (https://docs.microsoft.com/en-us/azure/automation/automation-security-guidelines): use accounts with the minimum required privileges, use managed identities rather than Run As accounts, and rotate keys periodically. If you must use Run As accounts, renew their certificates periodically and verify that permissions are as locked down as possible. Secure credentials, certificates, connections and encrypted variables; use either Microsoft- or customer-managed keys to keep this information encrypted.

Lee Neely
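The checks in the note above (managed identity instead of Run As, Run As certificate renewal, encrypted variables) can be audited across a subscription with the Az PowerShell module. The script below is an added example for this page, not code from Microsoft's guidance or from the NewsBites item; it assumes the Az.Accounts, Az.Resources and Az.Automation modules are installed, that Connect-AzAccount has already been run with Reader access, and the 30-day certificate warning threshold and the finding labels are this example's own choices.

```powershell
# Added audit example (not from the NewsBites item or Microsoft's guidance page).
# Assumes Az.Accounts, Az.Resources and Az.Automation are installed and that
# Connect-AzAccount has already been run. $CertWarnDays is an arbitrary threshold.
param(
    [int] $CertWarnDays = 30   # flag Run As certificates expiring within this many days
)

$findings = @()

function Add-Finding([string] $Account, [string] $Check, [string] $Detail) {
    $script:findings += [pscustomobject]@{ Account = $Account; Check = $Check; Detail = $Detail }
}

# Walk every Automation account in the current subscription context.
foreach ($acct in Get-AzAutomationAccount) {
    $rg   = $acct.ResourceGroupName
    $name = $acct.AutomationAccountName

    # 1. Managed identity: the ARM resource carries the identity block when one is assigned.
    $res = Get-AzResource -ResourceGroupName $rg `
        -ResourceType 'Microsoft.Automation/automationAccounts' -Name $name
    if (-not $res.Identity) {
        Add-Finding $name 'ManagedIdentity' 'No managed identity assigned; runbooks likely rely on Run As or stored credentials'
    }

    # 2. Run As accounts surface as connections of type AzureServicePrincipal.
    foreach ($conn in Get-AzAutomationConnection -ResourceGroupName $rg -AutomationAccountName $name) {
        if ($conn.ConnectionTypeName -eq 'AzureServicePrincipal') {
            Add-Finding $name 'RunAsConnection' "Run As connection '$($conn.Name)' still present; migrate to managed identity"
        }
    }

    # 3. Certificates (including the Run As certificate): warn when close to expiry.
    foreach ($cert in Get-AzAutomationCertificate -ResourceGroupName $rg -AutomationAccountName $name) {
        $expiry = $cert.ExpiryTime
        if ($expiry -is [DateTimeOffset]) { $expiry = $expiry.UtcDateTime }
        $daysLeft = ($expiry - [datetime]::UtcNow).Days
        if ($daysLeft -lt $CertWarnDays) {
            Add-Finding $name 'CertificateExpiry' "Certificate '$($cert.Name)' expires in $daysLeft day(s); renew it"
        }
    }

    # 4. Variables stored without encryption are readable by anyone with account access.
    foreach ($var in Get-AzAutomationVariable -ResourceGroupName $rg -AutomationAccountName $name) {
        if (-not $var.Encrypted) {
            Add-Finding $name 'UnencryptedVariable' "Variable '$($var.Name)' is not encrypted; re-create it as an encrypted variable if it holds anything sensitive"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: all Automation accounts pass the four checks.'
} else {
    $findings | Sort-Object Account, Check | Format-Table -AutoSize
}
```

Run it once per subscription (Set-AzContext to switch) and treat every row as a work item: a Run As connection or certificate row means a runbook still authenticates with a service principal credential that this audit, not the platform, has to keep track of.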

2022-03-15

US Legislators Pass Bill Requiring Critical Infrastructure to Report Cyberattacks and Ransomware Payments

Owners and operators of US critical infrastructure will be required to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of their detection, and must report ransomware payments within 24 hours. The provisions have been included in Congress’s omnibus spending bill, which now heads to the president’s desk.

Editor's Note

There are a few meaningful items in this bill: CISA is tasked to increase its pen testing resources; it requires federal agencies to do more/be better at threat hunting (but first an 18-month study); modernizing FedRAMP cloud security requirements; and studies on use of honeypots and a government SOC-as-a-Service offering. Most of the rest is increasing reporting by government agencies, including incident and vulnerability reporting. There’s a lot that is aimed at making sure CISA is authorized to do stuff that it has already been doing and making sure they report to Congress more, and a lot of reports that are just updates on progress on last year’s President Biden cyber memo in areas like Zero Trust, dashboard, metrics, software inventory, etc.

John Pescatore

Don’t assume this condones ransomware payment; you still need to abide by OFAC rules. The legislation creates a council to coordinate reporting requirements, as well as formalization through the federal rule-making process which includes consultation with industry. Don’t expect CISA to go slow here, even though they have two years for that process to complete. The legislation also includes a requirement for CISA to warn organizations of vulnerabilities. Make sure that you’re signed up for that; CISA has a reputation for providing relevant and actionable information.

Lee Neely

2022-03-14

Cobalt Strike Spreading Through Phony AV Updates

According to a warning from Ukraine’s Computer Emergency Response Team, fake Windows anti-virus updates are being used to spread Cobalt Strike and other malware. The campaign involves phishing emails urging recipients to download “critical security updates.”

Editor's Note

Beware of email bearing security updates. You should be pushing required updates to enterprise users, disabling local actions if possible. Make sure that users are aware of the update process and how legitimate communication will look. Also ensure that you’ve enabled URL rewrite/security for email services, as well as layer 7 controls to block access to known bad sites.

Lee Neely

Apart from a Cobalt Strike beacon, the attack chain also pulls two payloads written in Golang: GraphSteel and GrimPlant. The Cobalt Strike payloads should be easily detected, but attackers are moving to other languages, like Go, Rust and Nim, to avoid preventive controls.

Jorge Orchilles

The Rest of the Week's News


2022-03-14

Intel Agencies Investigating Viasat Cyberattack

US, French, German, and Ukrainian intelligence agencies are reportedly investigating the late February cyberattack against satellite Internet provider Viasat. The attack caused connectivity to plummet, and modems used to connect to Viasat’s KA-SAT satellite are no longer functioning.

Editor's Note

The attack against Viasat has so far, in my opinion, been the most interesting facet of "cyber" in this war. It looks like so far, Viasat is still attempting to put together all the pieces, but based on current reporting, Russian forces had some access to a ground station in Ukraine (either physical access, or via remote connectivity). The initial assessment, which suggests that the affected terminals will need to be reset by hand or even entirely replaced makes for a lengthy and expensive recovery process with thousands of sites like wind generator plants to be visited by technicians.

Johannes Ullrich

As an example of how interconnected and interdependent our world has become, this attack apparently impacted on the ability of a German wind turbine manufacturer to remotely monitor and manage thousands of wind turbines across Europe. https://www.datacenterdynamics.com/en/news/satellite-outage-impacts-more-than-5000-wind-turbines-across-europe/

Brian Honan

A flaw in the KA-SAT management system allowed access to customer modems, which were subsequently disabled by the attack. Impacted devices need replacement, which is hindered by both supply chain and conflict related challenges. Assess the importance and reliance on Internet connectivity for your business and have a backup commensurate with critical service needs. Note that if your backup is of lower capacity than your primary connection, you will need to have a plan for how you’re going to restrict access to critical systems only. Don’t forget to factor in how long you can operate with a reduced connection. It may turn out that you need a secondary connection of equal bandwidth to your primary. I harken back to when we had DS1 fail-over links for our primary DS3 connection, which were dropped because they simply were not viable as a fail-over and drove the need for parity of capacity.

Lee Neely

2022-03-11

GPS Disruptions Affecting Air Traffic in Parts of Finland

Traficom, Finland’s Transport and Communications Agency, has noted disruptions in global positioning system (GPS) signals near its eastern border. A plane flying from Tallinn, Estonia, to Savonlinna, Finland was forced to return to Tallinn after the onboard GPS navigation failed. “Traficom does not know what is causing the interference … . GPS interference can be momentary and local, which makes it difficult to verify afterwards.”

Editor's Note

Russian forces have disrupted GPS in that area in the past during military exercises. In Finland, some more remote airports can only be used if reliable GPS coverage is available as no other electronic landing aids exist. For most commercial air traffic GPS is not required, but it is helpful, and disruptions may lead to lower capacity on specific routes. Some routes around Russia are seeing an increase in traffic and are somewhat congested after routes across Russia have been closed to many airlines.

Johannes Ullrich

GPS spoofing attacks are relatively simple and inexpensive to carry out: e.g., a 1 kW jammer can block a GPS receiver as far as 80 km away and only costs a few hundred US dollars. This is intended as a warning to airlines, putting them on notice not to rely on their GPS for navigation and landing, as they are supposed to have other systems which assist during a GPS outage. Even so, the pilots may not want or be prepared to fall back to other systems and elect to turn back rather than risk a failed landing.

Lee Neely

2022-03-11

Data Centre Security Guidance for Owners and Users

The UK’s National Cyber Security Centre and Centre for the Protection of National Infrastructure have jointly published guidance for data centre security. There are separate documents for owners and for users.

Editor's Note

This is yet another excellent guide published by the UK’s NCSC. I strongly recommend that security professionals refer to the NCSC website for some excellent guidance on various security matters.

Brian Honan

When I was working on data center design, the focus was on physical and environmental stability, security, and resilience. I recall one provider that located their two data centers seven miles apart due to tornado threats. Today there is an equal, if not greater, need to factor in logical attack paths, both for the facility control systems and the systems housed within them. Make sure you understand what threats the data center is mitigating and what you need to focus on. Use the guides to drive the conversation. Don’t forget to include people and supply chain threats in the conversation.

Lee Neely

2022-03-14

Federal Register: US Federal Communications Commission Seeks Comments on BGP Security Issues

Several weeks ago, we ran a story about the FCC seeking comments regarding Border Gateway Protocol (BGP) security. Below is a link to the text of the notice in the Federal Register. The FCC notes that “BGP's initial design, which remains widely deployed today, does not include security features to ensure trust in the information that it is used to exchange. BGP was designed at a time when the number of independently managed networks on the internet was low and the trust among them was high.” Comments will be accepted through April 11, 2022. Reply comments will be accepted through May 10, 2022.

Editor's Note

While the conversation has been ongoing about improving BGP security, now is the time to reach out and comment. Use the https://www.fcc.gov/ecfs to electronically file comments. There are also provisions for people with disabilities wishing to comment – email fcc504@fcc.gov for options.

Lee Neely

2022-03-14

CISA’s Cyber Storm VIII Exercise

The US Cybersecurity and Infrastructure Security Agency (CISA) recently concluded Cyber Storm VIII, a national cyber exercise. The three-day event included more than 2,000 participants from both public and private sector organizations. The National Cyber Exercise is conducted every two years.

Editor's Note

Take a moment to review CISA’s “Shields Up” guidance (https://www.cisa.gov/shields-up) to reduce the likelihood of an intrusion, speed detection, be better prepared to respond and maximize resilience to a destructive incident.

Lee Neely

Practice, practice, practice! It is required for every sport you have ever played; it is required in information security. The more you train, the better prepared you will be for the real attack.

Jorge Orchilles

2022-03-11

WordPress Update Released

WordPress has released version 5.9.2 of its content management system to address one high-severity and two medium-severity vulnerabilities. Users are urged to update to the newest version of WordPress. The high-severity stored XSS flaw could be exploited by users with access at the contributor-level and above to inject JavaScript into posts. The other two flaws are prototype pollution issues.

Editor's Note

You should have a notice that your WordPress sites were already updated to 5.9.2; if they are not, find out why and make sure to not only apply the update but also make sure future updates will be automatically applied. With the ongoing threats to WordPress, the risks of regression testing outweigh the risk of having to roll back due to a bad update. Note that Wordfence has already provided WAF rules for their paid users for this attack; the free version will be updated April 10th.

Lee Neely

2022-03-14

Healthcare Organization Breaches in Colorado and Alabama

Data security breaches at healthcare organizations in Colorado and Alabama have compromised sensitive information belonging to more than half a million individuals. South Denver Cardiology Associates disclosed that a breach in early January 2022 resulted in the exfiltration of data belonging to nearly 290,000 patients. Norwood Clinic in Birmingham, Alabama disclosed that nearly 230,000 individuals were impacted by a breach that occurred last fall.

Editor's Note

Two recurring themes to contemplate here. First, long delays between the attack and notification allow sufficient time to forensicate issues, and put a limit on them for the sanity of your users and to not get crosswise with regulators. Second, email was a key component in the compromise. Don’t wait to implement both technical controls (MFA, strong passwords, anomaly detection and email security tools) as well as making sure that you are providing current, relevant training to users. Studies have found that security training fades in as few as six months without a refresher.

Lee Neely

Internet Storm Center Tech Corner

Malware Using WebSockets For C&C

https://isc.sans.edu/forums/diary/Keep+an+Eye+on+WebSockets/28430/


YARA 4.2.0 Released

https://isc.sans.edu/forums/diary/YARA+420+Released/28432/


Apple Updates Everything

https://isc.sans.edu/forums/diary/Apple+Updates+Everything+MacOS+123+XCode+133+tvOS+154+watchOS+85+iPadOS+154+and+more/28438/


Curl on Windows

https://isc.sans.edu/forums/diary/Curl+on+Windows/28436/


Veeam Vulnerabilities

https://www.veeam.com/kb4288


Look Alike Accounts Used in Ukraine Donation Scam Impersonating Olena Zelenska

https://isc.sans.edu/forums/diary/Look+Alike+Accounts+Used+in+Ukraine+Donation+Scam+impersonating+Olena+Zelenska/28440/


Linux Netfilter Privilege Escalation

https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/


Raccoon Stealer Leverages Telegram

https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/


USAHERDS Hack

https://www.wired.com/story/china-apt41-hacking-usaherds-log4j/