SANS NewsBites

Patch VMware Carbon Black Now; Okta Provides More Information on Breach; Yet Another US Legacy IT Modernization Bill Proposed

March 25, 2022  |  Volume XXIV - Issue #24

Top of the News


2022-03-23

VMware Releases Fixes for Carbon Black App Control Vulnerabilities

VMware has released updates to fix two critical flaws in its Carbon Black App Control tool. The OS command injection vulnerability and the file upload issue could be exploited to execute arbitrary commands. Exploiting the flaws requires the attacker to be logged in with administrative privileges or as a highly privileged user.

Editor's Note

While exploiting the flaw requires access with privileges, this is your application allow/deny list, and there are no workarounds, so you don't want to miss addressing this flaw. The fix is to apply the corresponding patch for your currently installed App Control tool.

Lee Neely

2022-03-23

Okta Acknowledges Breach

Identity management and authentication provider Okta has acknowledged that some customer data has been breached, likely by the Lapsus$ group. According to a statement from Okta, the attack affected approximately 2.5 percent of its customers, which translates to 375 organizations.

Editor's Note

Okta has been lacking transparency. Their hand was forced by Lapsus$ to admit a significant breach. As an IDaaS vendor, this should disqualify Okta from consideration for some customers who expect their identities to be managed and controlled by a vendor capable of detecting and responding to an incident.

Johannes Ullrich

Valuable to note how Okta detected this: Okta “…detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider.” As part of investigating that, Okta brought in a third-party forensics firm to investigate, and they found that a week before this event, for 5 days, an attacker had access to a support engineer’s laptop. Doing that thorough investigation discovered the bigger problem.

John Pescatore

Lapsus$ trades in stolen credentials and leverages information about team structures, users, help desks, incident response workflow and possible supply chain trust to target victims. Be on the lookout for unexpected account lockouts, users with added privileges, or new users with full administration rights in your cloud accounts. As they also tap into internal communications, make sure that you have out-of-band protected communication channels for incident response.

Lee Neely
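The three account-level signals the note above calls out (repeated lockouts, privilege added to an existing user, and a newly created user given full admin rights) can be checked with a short correlation pass over an identity audit log. The block below is an added example, not Okta's, Microsoft's or SANS's code; the JSON-lines event format, the field names (`event`, `actor`, `target`, `role`) and the privileged role names are all assumptions, and the sample log is constructed for the example.

```python
"""Correlate identity audit events for the Lapsus$-style signals named above.

Added example. The event schema and role names below are assumptions, not any
vendor's real audit-log format; the sample log is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_ROLES = {"GlobalAdministrator", "Owner"}   # hypothetical privileged role names
LOCKOUT_THRESHOLD = 3                            # lockouts per account inside the window
LOCKOUT_WINDOW = timedelta(minutes=10)
NEW_USER_ADMIN_WINDOW = timedelta(hours=1)       # admin granted this soon after creation is suspect

# Constructed sample log (not taken from any real tenant).
SAMPLE_LOG = """
{"ts": "2022-03-22T09:00:00Z", "event": "account_lockout", "target": "alice"}
{"ts": "2022-03-22T09:02:00Z", "event": "account_lockout", "target": "alice"}
{"ts": "2022-03-22T09:04:00Z", "event": "account_lockout", "target": "alice"}
{"ts": "2022-03-22T09:30:00Z", "event": "user_created", "actor": "helpdesk1", "target": "svc-backup2"}
{"ts": "2022-03-22T09:41:00Z", "event": "role_assigned", "actor": "helpdesk1", "target": "svc-backup2", "role": "GlobalAdministrator"}
{"ts": "2022-03-22T10:15:00Z", "event": "role_assigned", "actor": "bob", "target": "bob", "role": "Owner"}
{"ts": "2022-03-22T10:20:00Z", "event": "role_assigned", "actor": "admin1", "target": "carol", "role": "Reader"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (finding_type, account) tuples for the three signals."""
    findings = []
    lockouts = defaultdict(list)   # account -> recent lockout timestamps
    created_at = {}                # account -> creation time seen in this log
    for event in events:
        kind = event["event"]
        if kind == "account_lockout":
            times = lockouts[event["target"]]
            times.append(event["ts"])
            recent = [t for t in times if event["ts"] - t <= LOCKOUT_WINDOW]
            if len(recent) >= LOCKOUT_THRESHOLD:
                findings.append(("repeated_lockout", event["target"]))
                times.clear()      # reset so one burst yields one finding
        elif kind == "user_created":
            created_at[event["target"]] = event["ts"]
        elif kind == "role_assigned" and event.get("role") in ADMIN_ROLES:
            target = event["target"]
            if target in created_at and event["ts"] - created_at[target] <= NEW_USER_ADMIN_WINDOW:
                findings.append(("new_user_granted_admin", target))
            elif event.get("actor") == target:
                findings.append(("self_granted_admin", target))
            else:
                findings.append(("admin_role_added", target))
    return findings


def run(text=SAMPLE_LOG):
    return detect(parse_events(text))


if __name__ == "__main__":
    for finding_type, account in run():
        print(f"{finding_type}: {account}")
```

The rules are deliberately simple so that each finding maps back to one sentence of the note; in production the role set and windows come from your own tenant's naming and change-management norms, and the "new user then admin" rule should also match against the directory's creation timestamp rather than only events seen in the same log window.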

2022-03-24

Senate Bill Would Require Agencies to Update Outdated IT Systems

Legislation introduced in the US Senate would require federal agencies to identify and replace outdated IT systems and to create modernization plans. The Legacy IT Reduction Act would also direct the Office of Management and Budget to create guidance for the agencies.

Editor's Note

First, the cynical comment: I think there has been some form of “Modernizing Government Technology Act of 20XX” every year or two since X=0. More importantly, as evidenced by yearly GAO reports, the US Government has major problems patching, maintaining and securely administering the modern technology they are already using. Doing the wrong things on shiny, new hardware can only be marginally more secure than doing the wrong things on dusty, old hardware.

John Pescatore

Affected agencies will have to submit modernization plans within two years and every five years thereafter. Expect those plans to be part of your annual assessments. Irrespective of legislative requirement, or funding, you need lifecycle plans for not just hardware and operating systems, but also for applications. Keeping those updated and modernized will put you at odds with your business system owners who value stability and meeting milestones over security and business process modernization. That may be the time to discuss outsourcing or moving to a cloud service which is engineered for both stability and updates. Note that government systems, e.g., government financials, cost modeling, are different from private sector systems, so make sure your provider has demonstrated success in these domains. Where you still have legacy systems, ICS/OT being the easiest examples, make sure that you are both protecting them from your environment and vice versa.

Lee Neely

The Rest of the Week's News


2022-03-24

Lapsus$ Arrests in UK

Authorities in the UK have arrested seven people in connection with the Lapsus$ cyberattack group that has targeted Okta, Microsoft, and others. All the individuals, who are between the ages of 16 and 21, were detained and released under investigation.

Editor's Note

Techniques used by Lapsus$ in some of their attacks, like SIM swapping and bribing insiders, are used by other actors as well. Do not discount this as a “group of teenagers.” Sophisticated attackers use the same techniques and are less likely to get caught. Lapsus$ got caught because they didn't try to hide their exploits. Sophisticated, expensive security stacks had little to contribute after Lapsus$ notified their victims and made data public.

Johannes Ullrich

The alleged leader appears to have amassed about $14m in bitcoin from his exploits so far. It would be nice to channel that level of ingenuity and leadership for a successful, legal, business venture. The arrest may be, in part, due to the 16-year-old leader having a falling out with his cohorts resulting in him getting "doxxed." One hopes he learned from that experience.

Lee Neely

2022-03-23

Viasat Attack Collateral Damage

One month after a cyberattack against Viasat, there are still disruptions. The attack was not against the satellite itself, but affected fixed broadband customers; it bricked modems across Europe and knocked German wind turbines offline. The attack is being investigated by US and European intelligence agencies.

Editor's Note

Satellite communication is really attractive in areas where other communication options are not available or reliable. This also makes contingency planning complex. When planning connectivity in that situation, be sure to consider and document what the fail-over options are and what they involve, including lead time and mission impact.

Lee Neely

2022-03-24

Health-ISAC Current and Emerging Healthcare Cyber Threat Report

The Health Information Sharing and Analysis Center (Health-ISAC) has published its first annual Current and Emerging Healthcare Cyber Threat Landscape report. The document includes results of a survey of healthcare sector executives; cyber threat intelligence analysis; and 2022 operational technology and supply chain projections.

Editor's Note

Not really anything useful in the publicly available executive summary, but Health-ISAC members can download the full report. The report seems to be saying Healthcare should spend at the levels of Finance in cybersecurity, which is not likely. Plus, the IT architectures and, more importantly, IT governance are vastly different in healthcare – more like retail than banking.

John Pescatore

The executive summary is a good read; you have to be a member of the Health-ISAC to get the full report. The issues of service delivery, exposing more functions to customers, rapid change to remain viable during the pandemic, and software supply chain attacks (SolarWinds, Kaseya, Log4J, etc.) are not industry specific. The mitigations and recommendations are applicable across the board.

Lee Neely

2022-03-24

Malicious npm Packages Removed from Registry

Researchers from JFrog Security found more than 200 malicious npm packages that were targeting Microsoft Azure developers. The packages were designed to steal personally identifiable information. The malicious packages have been removed from the npm registry, but not before they had been downloaded an estimated 50 times.

Editor's Note

Beware of guest packages bearing "gifts." The fake packages had similar names but with different scope from the legitimate ones and much higher version numbers to appear to be legitimate updates, e.g., @azure/core-tracing vs core-tracing. Be sure to scope the packages fully and make sure that you're loading the versions you have qualified.

Lee Neely
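The note above describes the two tells of the JFrog-reported packages: a legitimate bare name published without the expected scope, and a version number far above anything the team has qualified. A pre-install check against a list of qualified, scoped packages catches both. The block below is an added example, not JFrog's, npm's or Azure's code; the `QUALIFIED` allowlist, the `package.json` fragment and the version values are constructed for the example, and the `@azure/core-tracing` vs `core-tracing` pair is the one the note cites.

```python
"""Flag scope confusion and version jumps in npm dependency declarations.

Added example. QUALIFIED and SAMPLE_PACKAGE_JSON are constructed; the only
real names in them are the @azure/core-tracing vs core-tracing pair cited above.
"""
import json
import re

# Constructed allowlist: the scoped packages a team has actually reviewed,
# keyed by full name, with the version that was qualified (hypothetical values).
QUALIFIED = {
    "@azure/core-tracing": "1.0.0",
    "@azure/core-http": "2.2.4",
}

# Leading range operators (^, ~, >=) are skipped; only the numeric triple matters here.
SEMVER = re.compile(r"^\D*(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """Return (major, minor, patch) from a spec like '^1.0.0', or None if unparseable."""
    match = SEMVER.match(spec)
    return tuple(int(x) for x in match.groups()) if match else None


def split_name(name):
    """Split '@scope/pkg' into ('@scope', 'pkg'); an unscoped name gets scope None."""
    if name.startswith("@") and "/" in name:
        scope, bare = name.split("/", 1)
        return scope, bare
    return None, name


def audit_dependencies(deps, qualified=QUALIFIED):
    """Return (package, spec, reason) findings for a name -> version-spec map."""
    bare_to_qualified = {split_name(q)[1]: q for q in qualified}
    findings = []
    for name, spec in deps.items():
        scope, bare = split_name(name)
        if name in qualified:
            want = parse_version(qualified[name])
            got = parse_version(spec)
            if got is None:
                findings.append((name, spec, "unparseable version spec"))
            elif got[0] > want[0]:
                # A major version far above the qualified one is the 'fake update' tell.
                findings.append((name, spec, f"major version jump beyond qualified {qualified[name]}"))
            continue
        if bare in bare_to_qualified:
            expected = bare_to_qualified[bare]
            if scope is None:
                findings.append((name, spec, f"unscoped package shadows qualified {expected}"))
            else:
                findings.append((name, spec, f"scope {scope} differs from qualified {expected}"))
            continue
        findings.append((name, spec, "not on the qualified allowlist"))
    return findings


def audit_package_json(text, qualified=QUALIFIED):
    """Audit the dependencies and devDependencies of a package.json document."""
    manifest = json.loads(text)
    deps = dict(manifest.get("dependencies", {}))
    deps.update(manifest.get("devDependencies", {}))
    return audit_dependencies(deps, qualified)


# Constructed package.json fragment, not any real project's manifest.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@azure/core-tracing": "^1.0.0",
        "core-tracing": "^99.10.9",
        "@azure/core-http": "^2.2.4",
        "@azure/core-xml": "^1.0.0",
    }
})

if __name__ == "__main__":
    for package, spec, reason in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{package}@{spec}: {reason}")
```

Run it as a pre-install gate in CI against the committed manifest; pairing it with a lockfile and a private registry that only proxies approved scopes closes the remaining gap, since an allowlist only helps if the resolver is actually constrained to it.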

2022-03-23

FBI’s 2021 Internet Crime Report

According to the FBI’s 2021 Internet Crime Report, nearly 650 critical infrastructure organizations were hit with ransomware in 2021. The actual figures are likely higher, as the FBI did not start tracking ransomware attacks specifically against critical infrastructure organizations until June 2021. Of the critical infrastructure sectors, healthcare topped the list in reported ransomware attacks. The report noted an overall seven percent increase in “complaints of suspected Internet crime.”

Editor's Note

The report also gives an overview of what IC3 does as well as how they are responding to top incidents reported. This is a good time to make sure you've included IC3 reporting in your incident response plan, to include contacts in your local FBI office, in case you need these services in the future. The report also gives some context on recovery and how these crimes are interrelated.

Lee Neely

Much of the report is given over to explicating IC3's role and accomplishments. While the findings (for example, $6.9 billion victim losses in 2021, 2,300+ average complaints received daily, 552,000+ average complaints received per year (last 5 years), over $6.5 million in complaints reported since inception) are not surprising, they carry authority and weight, and demonstrate both the vulnerability and the threat. Note that $6.9 billion in losses would buy a lot of prevention.

William Hugh Murray

2022-03-24

DoJ Charges Four Russians in Connection with Energy Sector Hacking

The US Department of Justice (DoJ) recently unsealed two indictments charging four Russian citizens “with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018.” The defendants allegedly targeted energy-related organizations in more than 130 countries.

Editor's Note

These indictments are not so much about getting the culprits arrested and convicted. But they are very useful as they are providing some insight into the techniques used by these attackers. And remember that these techniques tend to trickle down to less sophisticated attackers.

Johannes Ullrich

Extradition restrictions in Russia will likely prevent them from ever coming to trial. Nevertheless, their actions reinforce the need to make sure your systems are appropriately secure. Don't ignore low-hanging fruit like not allowing RDP from the Internet, judicious application of patches and updates and implementing MFA for all Internet accessible services. Finished that list? Now have some of the hard conversations about lifecycle replacement. Not just of boundary protections, but also endpoint, monitoring and incident response systems. Don't forget there are many services available to help, both free (ISAC, FBI, CISA) and paid (MSP, etc.) you can leverage.

Lee Neely

2022-03-24

CSIS Report: A Shared Responsibility: Public-Private Cooperation for Cybersecurity

The Center for Strategic and International Studies (CSIS) has published a report based on “two private roundtables with senior government officials and senior information security executives from major enterprises in a range of U.S. industry sectors. The goals of the roundtables were to identify common challenges, discuss best practices, and outline avenues for cooperation.”

Editor's Note

Another point noted is the need to prioritize security efforts. "Patch all the things (now)" isn't really viable. Identify key assets, know where sensitive information is, and make sure those are well secured. Make sure that security of outsourced or cloud-based services remains appropriate; remember to do those reviews and audits you added to the contract provisions. Keep leveraging the resources available from the government services to help you knock this out of the park.

Lee Neely

Internet Storm Center Tech Corner

Statement by President Biden: What you need to do (or not do)

https://isc.sans.edu/forums/diary/Statement+by+President+Biden+What+you+need+to+do+or+not+do/28466/


Mars Stealer

https://isc.sans.edu/forums/diary/Arkei+Variants+From+Vidar+to+Mars+Stealer/28468/


Malware Delivered Through Free Sharing Tool

https://isc.sans.edu/forums/diary/Malware+Delivered+Through+Free+Sharing+Tool/28474/


Okta Update

https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/


Okta Breached By Lapsus

https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/

https://twitter.com/BillDemirkapi/status/1506107157124722690


Microsoft Lapsus$ Update

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/


npm Attack Targeting Azure Developers

https://jfrog.com/blog/large-scale-npm-attack-targets-azure-developers-with-malicious-packages/


ASUS Cyclops Blink Advisory

https://www.asus.com/content/ASUS-Product-Security-Advisory/


HP Vulnerabilities

https://support.hp.com/us-en/document/ish_5948778-5949142-16/hpsbpi03780


Sophos UTM Updates

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220321-utm-9710


MacOS GIMMICK Malware

https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/


Western Digital PR4100 NAS Vulnerability

https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-digital-pr4100-nas-cve-2022-23121/


Crypto malware in patched wallets targeting Android and iOS devices

https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices/


Lapsus$ Arrest

https://www.bbc.com/news/technology-60864283

https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8


Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide

https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical