FBI Pushes Warrant Boundaries in Cyclops Blink Takedown; Microsoft Offers Progressive Windows Autopatch Service; Bogus AV Apps That Actually Spread Malware Made It Into Google Play Store

I find physical analogues instructive. We expect fire and police departments to gain entry to our homes and businesses when there's an emergency, and whether or not we're present. Infected machines can constitute an emergency, especially when they're being used to attack other victims. However, police and firefighters will go to greater lengths to notify property owners. It might be ideal, instead, to take over attacker-owned C2 servers and issue kill orders to infected systems, but opportunities like that can't be common.

Christopher Elgee

The FBI did a great service to the reckless owners of unpatched devices. Did they even access the infected devices, or did they just access the C&C server? Of course the Internet usually plays a bit by Florida traffic rules where we do not like things like safety inspections.

Johannes Ullrich

We need to be wary of law enforcement using powers such as these to tackle malware and botnets. While it may technically make sense to take this approach, we have to take into account people’s privacy rights and ensure there is appropriate transparency and governance in place to manage any such actions.

Brian Honan

The amendment to Rule 41 of the Federal Rules of Criminal Procedure was the result of three years of debate and public input, adopted by the Supreme Court and approved by Congress in 2016 and was intended to handle a large-scale event. This is the broadest application of that rule not only for investigation but also for disruption of criminal activities. The risk is that multiple warrants were not obtained, just one, which was used in jurisdictions outside the one which issued it. One hopes this case helps strike a balance between taking remote action to remediate known infected systems versus reliance on system owners to take action. As we all get better at communicating with federal agencies such as the FBI, CISA, etc. one hopes that can be leveraged to allow local action versus remote unexpected intervention.

Lee Neely

Sounds like a neat idea and well thought out feature. Now let’s see if this will work or if someone will figure out it is less of a problem to have your infrastructure pw0n3d by ransomware than have a system misbehave every so often due to a bad patch.

Johannes Ullrich

There is a lot of mythology around how often apps break after Windows patches are pushed out these days. Try this out and see what your halt and rollback percentages are – I’m betting they will be pretty low. The apps that do break should be candidates for sunsetting.

John Pescatore

It is interesting to see how Microsoft is becoming a one-stop-shop for enterprise wise security solutions, however I am concerned that many of these features are not as readily available to smaller firms and SMEs. Security should not be the preserve of well-funded organisations, similar to how automobile safety should not be the preserve of those who can afford brakes, seat belts, and air bags.

Brian Honan

Even if you are not interested in autopatch or have E3+, the four rings explained here are a great strategy for your patch management process. We implemented this years ago and it has many benefits. Consider it.

Jorge Orchilles

This service targets desktop users rather than servers. Many of us have worked to implement a similar phased update approach. This basically turns that into a commodity activity for Microsoft products, freeing some resources to address servers and other high-value assets. Note you're still going to need to have a solution for other installed products, Adobe, Chrome, Java, etc.

Lee Neely

Beware of software bearing gifts, in this case applications purporting to be anti-virus solutions that install malware instead. Even more dangerous: a user installing what they think is AV is more likely to grant that application all requested permissions. Provide users with approved device security tools and profiles rather than letting them choose their own. Note that these apps themselves didn't contain the malware; instead, they downloaded it after fooling the user with a pretty icon and otherwise legitimate looking app. As the apps have been pulled from the Play Store, Play Protect will remove them on installed devices, but the damage is likely done, and infected devices will likely need a factory reset.

Lee Neely

I’d like to see two things: (1) Good data from Google Play Store and Apple App Store on the average time before a bad app is detected and removed; and (2) a security settings switch that filters app store view to only show apps have been published longer than that average. I guess the third thing would be to that average time decrease to hours, then minutes, vs. days.

John Pescatore

Nice! This will be free for use in public repositories on GitHub.com, but for private ones you’ll need to license GitHub Advanced Security. Definitely worth it for critical codebases, especially those with high commit frequency.

John Pescatore

This new feature, which is in public beta, leverages the GitHub Advisory Database to see if these new dependencies introduce vulnerabilities, raising an error if they do. Dependency review is enabled in public repositories and is available in private repositories which use GitHub Enterprise Cloud including a license for GitHub Advanced Security. Given recent issues with malicious included code of late, this is one more step you can take to reduce those risks.

Lee Neely

DDoS attacks are becoming SOP retaliatory actions, as well as common cover to distract responders from other attacks. Make sure that you've got active DDoS protections, particularly if you are in the Public, Energy, or Critical Infrastructure sectors. Shared environments, such as hosting facilities or multi-tenant cloud services could result in collateral damage if one of the other tenants is a target. Verify you're protected and to what level.

Lee Neely

This is a great example of why companies need to conduct robust risk assessments before moving services into the cloud. Those risk assessments should include what the business’s alternatives are in the event the cloud service provider has an outage or issue that impacts the ability to access data or the service. Just because it is in the cloud does not mean you can forget about your business continuity planning.

Brian Honan

While this doesn't seem to bode well for a company discontinuing on-premises licenses (they stopped in February 2021), it shows that their recovery objective is full restoration with no data loss. Unfortunately, that recovery point means the recovery time objective can be indefinite. When using a third-party, outsource or cloud, have an in-depth discussion on recovery, to include what they are designing for, recovery time and recovery point objectives, and what steps, if any, you should take in addition to their processes to guarantee success. When comparing to your legacy in-sourced solutions, be realistic about your own capabilities and their shortfalls. E.g., a pile of tapes media in the trunk of the CEO's car isn't as reliable or secure as you may think.

Lee Neely

For regular updates on this activity, subscribe to CISA's weekly update summary. Many of the items listed have the action of applying the updates according to vendor instructions and/or updating to the current version. Having a current, auto-generated software inventory can help you keep your arms around where vulnerable software is hanging out in your enterprise. Many of your endpoint management and protection tools can already generate that list for you.

Lee Neely

Healthcare was already a target, increasingly so with the pandemic, and the Russia-Ukraine war has escalated attacks even further. If you're in the healthcare industry, make sure that security comes from the top, that it is not just an “IT problem” or worse – “someone else's problem.” If you don't have the resources, hire a reputable firm to perform a vulnerability assessment and help you target needed improvements. You're going to need that support from the top to get improvements implemented, not bypassed, and to continue to have a seat at the table to keep security factored into the equation.

Lee Neely

While not having required follow-up actions with deficiencies is a dream outcome, it's not ideal, and possibly does a disservice to the entity being audited. Requiring or mandating fixes not only provides a raised bar to check on future audits, but also can be leveraged to get the funding, resources and attention needed to keep systems properly secured.

Lee Neely

While this has widely been reported as Mirai exploiting Spring4Shell, evidence presented only shows Mirai going after the default backdoor, using the default password, left behind by the PoC exploit. It is highly unlikely that this leads to a significant growth of the Mirai botnet, or is of any consequence at all.

Johannes Ullrich

There are two vulnerabilities relating to Spring - CVE-2022-22963, which is a resource exposure flaw specific to the Spring Cloud Foundation where the routing functionality is used; not specifically related to Spring4Shell and CVE-2022-22965 which can be used for RCE on any Java application using the Spring Core under non-default configurations. The best mitigation is to update to the Spring Framework versions greater than 5.3.18 or 5.2.20, Spring Boot versions higher than 2.6.6 and 2.5.12. As a workaround, you could update to Apache Tomcat 10.0.20, 9.0.62 or 8.5.78, which close the attack vector, or you could downgrade to Java 8 which may cause issues if you're using features which don't exist in Java 8. Note that Java 8 and 9+ have different licensing models you need to consider.

Lee Neely