Free Tool from Microsoft to Scan for Compromised MikroTik Devices; Misconfigured MFA Compromised by Attackers; US Department of Justice Uses False Claims Act to Fine Contractor for Failing to Disclose Known Security Issues

Great work by Microsoft. But a bit sad that this didn't come from MikroTik. Like many similar devices, MikroTik routers had their share of vulnerabilities (or just simple misconfigurations) in the past. But vendors need to step up and provide users with tools to avoid and detect configuration errors and compromise. This could start with a simple standardized API to request firmware versions for easier vulnerability scanning (and an API to find the most recent version easily). Currently, scripts to accomplish this often have to scrape data from ever changing webpages. (Prove me wrong and let me know of vendors doing this well.)

Johannes Ullrich

It still blows my mind when looking at all the cool cyber research Microsoft is publishing, to include free tools for prevention and detection. If you have any MikroTik devices you need to read this. Essentially the TrickBot malware is using the routers as a proxy on a non-standard port to access their C2 servers. Then adds a persistence layer which obfuscates malicious IPs to avoid many detection systems. Make sure that you have changed default passwords on your MikroTik devices, use good passphrases – ideally checked against data breaches and keep the firmware updated. Only allow management from authorized systems making sure you restrict access to port 8291 and 22. Grab the forensic tool and cross-check your devices for any areas of concern.

Lee Neely

This issue is getting to some of the core challenges of MFA: How to deal with lost/expired tokens efficiently.

Johannes Ullrich

Headlines are making this sound like MFA has been hacked and is no longer reliable, which is NOT the case; it’s something much more boring: MFA mis-configuration. The cyber attackers were able to gain control of a forgotten account via simple password brute forcing. This account had been ‘expired’ from the MFA server, but was still able to re-enroll. Once the attackers re-enrolled and gained access to the internal environment, they disabled the domain controllers MFA configuration by pointing to itself (localhost) which caused MFA authentication to fail. Unfortunately, it was configured for ‘fail-open’ mode which means if MFA is not working, users can gain access with just their password. Is MFA still a viable and recommend method for protecting accounts, absolutely. Are there steps we can do on the server end to lock it down even more? It appears so. The CISA write-up has the best technical details of the attack.

Lance Spitzner

Does your MFA fail open or closed? MFA which fails open is being discovered and exploited. Sometimes old accounts are identified which haven’t been converted to MFA, so a password attack works, or somehow are trivially reactivated. Make sure that your MFA is comprehensive, fully disable inactive accounts - removing them is best, make sure all components are patched to mitigate risks on all the components involved in MFA. If you have emergency/”break glass” accounts monitor them closely; it is very tempting to for system administers to use these instead of the MFA “everyone else” has to use. Make sure their credentials are strong and changed after each authorized use. Don’t allow for non-MFA accounts for special/VIP users.

Lee Neely

Another good report from FBI and CISA. This one maps to ATT&CK and provides some TTPs that you should be able to easily detect regardless of what vulnerability or misconfiguration is exploited. As we say in SEC504, prevention is a goal, detection and response are the reality.

Jorge Orchilles

If you are a contractor or supplier to the US federal government, or a federal grant recipient, this is an important item to show to Chief Legal Counsel and management. The False Claims Act is a long-used mechanism to fine offenders for misuse of government funds. This case is the first of the 2021 Civil Cyber Fraud Initiative being applied to instances where companies did not disclose incidents or known high risk issues while accepting government funding – there will be more. The message is “much less expensive to follow regulations for disclosure than try to hide incidents, lowest cost is to avoid incidents in the first place.”

John Pescatore

While this case is specific to medical/health industry activities, it foreshadows the expectations of federal government contractors. Make sure that your licensing and knowledge of regulatory requirements is up to current requirements, to include NIST, CMMC and incident reporting requirements. Use this incident to reinforce support meeting and ongoing monitoring of these requirements.

Lee Neely

While the exploit wasn’t discovered until August of 2020, it’s believed the attack happened during the five months the vulnerability was unpatched. Make sure that you are prioritizing application of updates with high CVSS scores, 9.8 in this case. This is even more critical as many services now have customer facing interfaces allowing for potential exploitation or abuse. Remind management reluctant to incur downtime or complete regression testing that with the GDPR and other privacy legislation such as the CCPA, there are real fines at stake which can quickly offset any costs associated with staying secure.

Lee Neely

Adversaries shooting bullets ‘over the fences’ has been replaced with cyber-attacks, and DDoS seems to be a favorite lately, not only as a mission disruptor, but also to disguise other activities such as a ransomware attack. DDoS protection, particularly in the public sector, needs to be added to the SOP list. Talk to your ISP, CDN and cloud service providers to not only ensure available DDoS protections are enabled, but also to determine what they are to see if they are sufficient or if you need to seek added protections.

Lee Neely

This vulnerability affects all devices based on Linux, not just QNAP. QNAP was just nice enough to release a patch and point out that they are vulnerable.

Johannes Ullrich

Linux privilege escalation vulnerabilities, like Dirty Pipe, tend to affect many products and solutions and stick around for a very long time.

Jorge Orchilles

You already know what I’m going to say – so say it along with me “I solemnly swear I won’t expose NAS devices to the Internet.” Do keep your NAS devices patched, monitor for unauthorized accounts or applications, change default credentials, use another option for sharing content externally. Cloud based file sharing is not all that expensive, particularly when compared to recovery of your compromised content.

Lee Neely

Internet Explorer 11 is Being Retired in June

Jorge Orchilles

If you’ve not been pushing out and testing Chromium Edge you really need to get moving. Chromium Edge does include an IE mode for IE dependent applications you can toggle the “Allow sites to be reloaded in Internet Explorer” At this point you may not need that as many applications are now fully functional in Chrome/Chromium based browsers. If you need it, Microsoft is planning to support IE mode through 2029. Microsoft has published a transition guide. https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWEHMs

Lee Neely

See my comment about the MikroTik tool released by Microsoft. We need an easier way to identify out of date or misconfigured routers.

Johannes Ullrich

Initial reports of Cyclops Blink included speculation that the Sandworm group would be porting it to other platforms. There is not a firmware update from ASUS to resolve the vulnerability, as such affected routers will need to be factory reset. Mitigations, which apply to most routers, include replacing any end of life devices, disabling remote management, changing default admin passwords, and keeping your firmware updated. If you have any doubts, go through the factory reset and recreate your configuration including the mitigating steps above. Don’t forget to really get rid of the old unsupported devices you’ve got on the shelf “just in case.” It’s no good if your service restoration is followed by a compromise.

Lee Neely

This may in some cases affect devices using GPS to synchronize time.

Johannes Ullrich

These are jamming or spoofing attacks. The EASA bulletin has both issues aviation authorities, service providers and operators may face as well as possible mitigations/recommendations. They include both validation and testing of contingency plans. How viable is it really to grab a map and look out the window when you don’t have aids such as a GPS? While the best defense is to stay away from affected areas, not all flights have that option making preparation and planning crucial.

Lee Neely

Recommended mitigations include reviewing trust relationships, use of MFA, principle of least privilege, increased monitoring, shortened update/patch intervals and use of strong encryption wherever possible. These are good mitigations for non-SATCOM networks too – consider how they apply to your enterprise.

Lee Neely