Microsoft Investigating Lapsus$ Hacking Claims; Biden’s Statement on National Cybersecurity; TSA Cybersecurity Rules are Problematic

The "Lapsus$" group has breached a number of other high profile targets. The claims should be taken seriously. Today, they also announced a breach of a company associated with Octa and they claimed to be going after Octa customers. Exposed RDP servers are one way how Lapsus$ is assumed to breach its targets. The goal is typically extortion.

Johannes Ullrich

While you cannot be certain of being or not being a target of the Lapsus$ group, you can make sure that your cyber hygiene is up to par. Make sure that you’re following best practices for your source code repositories, particularly any which are externally stored. Make sure you are only enabling the minimum access needed, that authorization/API or other security keys are NOT stored there. If you remove them, make sure they are rotated so that any downloaded or archived copies are not viable. MFA all externally accessible services, make sure there are no undocumented exceptions; keep those to the minimum possible.

Lee Neely

The warning is vague, but it links to some of the guidance CISA has been publishing. At this point, it is likely too late to fix your security program. Instead, check the list of CISA suggestions for any gaps. The announcement has been covered in many non-tech news outlets and management is likely going to ask if you are “ready.” It may be good to have a brief slide deck ready explaining where you stand (and good opportunity to get buy-in for things like MFA or whatever is missing). But please avoid “busy work.” Make sure not to overload your team with work at a time when they probably should rest a bit to get ready for the big event, should it happen.

Johannes Ullrich

The CISA has been publishing guidance on cyber hygiene you can leverage. They also offer services to help with scanning, analysis, or tool recommendations. Review their guidance, perform a gap analysis, then go get funding and resources for priority items such as MFA, modern endpoint and boundary protection services. Remember to make sure your SOC is equipped with the tools, including staff; they need to monitor and respond to incidents.

Lee Neely

It’s easy to forget the TSA’s scope includes mass transit systems, ports, and pipelines. The lesson here is to make sure that regulations, policies etc. at any level, are relevant. While the requirements from TSA don’t necessarily apply to ICS, the goals of security awareness, strong authentication, segmentation, allowing only authorized devices and users access to these systems are appropriate. Supporting IT systems need to be up-to-snuff as well, leveraging endpoint protection, patching, and MFA where appropriate. With revisions the guidelines will make a better fit; in the interim, review them for what you can use, and document what is inappropriate to moderate regulators looking for you to follow the “letter of the law.”

Lee Neely

Drafting regulation is difficult. TSA came late to this aspect of their responsibility. Whether or not TSA had the necessary knowledge, skills, abilities, and experience to regulate this aspect of its responsibility has been in question. They should seek the assistance of CISA and NIST to raise the security of the pipeline industry to an appropriate level.

William Hugh Murray

This group typically exploits Exchange Server vulnerabilities as entry points. If you cannot migrate off on-premises Exchange servers, adopt an aggressive patching and vulnerability management posture. The AvosLocker RaaS group handles details such as ransom negotiation, publishing leaked data on their site, guiding victims to the payment sites, and will accept either Monero or Bitcoin (for a 10-25% fee). This shields affiliates from direct communication with the victims. Use the IoCs from IC3 to scan for activities.

Lee Neely

Now that we’re emerging from challenges getting chips for modern vehicle electronics, we can’t get the tires to drive them. Fortunately, as a consumer you can buy tires from alternate manufacturers; it’s a bit harder for a factory to ask for a quick shipment of thousands of tires. When looking at alternate suppliers for your contingency plan, be sure to include how long it’s going to take to get a replacement order and if that disruption is tolerable. Stockpiling may not be the optimal answer; consider downsides.

Lee Neely

Fraudulent reuse of passwords continues to be a frequent method of compromise. A preference for convenience is used as a justification for the continued use of passwords. One test of good design is that it makes it easier to do the right thing than the wrong thing. Cheap, powerful, portable clients make it possible to implement strong authentication without the use of passwords by the individual. Such implementation is urgent.

William Hugh Murray

Yes, the vulnerability can be weaponized for a DoS attack. But is this your #1 priority right now? Apply patches as they become available. Don't get distracted by "squirrels" but stick to your vulnerability management protocol on this one. Updated packages are available for various Linux distributions that should be straightforward to apply.

Johannes Ullrich

The patch was released on March 15th; apply it when it is available. If you’re still on OpenSSL 1.0.2 – it’s time to go to 1.1.1n or higher. The flaw is triggered by elliptic curve keys where the explicit curve parameters are invalid.

Lee Neely

No surprise here. This isn't an "easy" vulnerability to patch and it usually doesn't patch "itself" via more or less automatic operating system updates. While log4j is no longer at the top of the list of vulnerabilities attackers scan for, it now has entered the dangerous zone of exploits that are more used in targeted attacks and less in widespread scans by bots.

Johannes Ullrich

The low-hanging fruit is patched at this point; many are waiting for updates from vendors. For Internet-facing applications, make sure that your WAF is configured to handle attempted Log4J exploits. Make sure you’re actively monitoring for attempted exploits and your response plan is known. Track internally discovered Log4J instances to make sure they are addressed as software is either updated or retired. Watch for orphaned systems no longer getting automatic updates.

Lee Neely

There is no such thing as too big (or too small) to fail. Given the scope of the outage, Apple was back on its feet relatively quickly. How fast could you recover if you got hit hard? When thinking of fall-back practices, such as hand-written sales receipts, include processes for entering and reconciling them into systems once recovered, making sure resources are identified and know how to do that. Think about how you would communicate internally and externally. Then test those assumptions.

Lee Neely