T-Mobile Confirms Lapsus$ Breached its Network; Costa Rican Government Networks Hit with Ransomware; Known Exploited Vulnerabilities Catalog Updated

A key challenge for the Lapsus$ gang was getting devices enrolled or otherwise under their control so they could get SMS or other OTP messages to allow authentication for their targeted services. Lapsus$ success hinges on buying or socially engineering credentials for services they need. They were leveraging the T-Mobile credentials to complete hassle-free SIM swaps which transferred the devices phone number to a hacker controlled device. While leveraging the credentials of your cellular provider bypasses some controls designed to prevent swapping, it's still important to login to your account and make sure that you've enabled the controls at your disposal to raise the bar as much as possible.

Lee Neely

Rumors about this breach had been circulating for weeks, so it is refreshing to see T-Mobile confirming it. Like with the NVIDIA breach, Lapsus$ relied on purchasing credentials and generating MFA requests to the user (a new MITRE ATT&CK Technique published yesterday with version 11, T1621. https://attack.mitre.org/techniques/T1621/

Jorge Orchilles

The attacks targeted T-Mobile employees with provisioning privileges. This gave them the capability to SIM swap" to change the destination phone for a cell phone number, a number perhaps used for strong authentication. To resist such attacks T-Mobile should ensure that all such privileged employees use token-based (not SMS based) strong authentication. It should also confirm all number change orders both in and out of band and delay implementation of such orders. Other employers should consider token-based authentication for employees in sensitive positions. End users and consumers, especially those using their phones for strong authentication, should contact their carries immediately if they do not receive messages or calls that they expect or cannot make outgoing calls.

William Hugh Murray

The Conti ransomware gang is taking credit for the attack on the Costa Rican customs and tax systems and claims to have released 80% of the pilfered data on the dark web. Further, they state they will continue to attack their systems until paid. Think about how you'd fare under this sort of continued attack, what resources you could call upon, and what motivations would be behind it. Make sure your DR plans support your assumptions. It is projected this attack is about destabilizing the country as their newly elected president transitions into place on May 8th.

Lee Neely

Conti is one of the top ransomware threats. Your organization should understand how they operate and practice/train how to detect and respond to these attacks. Tabletops at the executive level combined with hands-on keyboard purple team exercises is one of the most efficient ways to test, measure, and improve your people, process, and security controls.

Jorge Orchilles

Exploitation of one of the vulnerabilities added, CVE-2022-29464 affecting WSO2 products, was observed by one of our SANS ISC handlers. He wrote up his observation here: https://isc.sans.edu/forums/diary/WSO2+RCE+exploited+in+the+wild/28586/. The vulnerability was patched on April 1st and proof-of-concept exploits were made available a week later.

Johannes Ullrich

Take a look at these. You may want to prioritize vulnerabilities related to file uploaded and RCE. Operate under the assumption that being in the catalog will motivate attackers to attempt exploits before the mandated patch dates.

Lee Neely

Patching these vulnerabilities is urgent. The mandatory date should not be taken as license to accept the risk until then.

William Hugh Murray

Organizations should consider implementing a bug bounty program to amplify the vulnerability management process. These programs can be implemented in phases such as Coordinated Vulnerability Disclosure, private bug bounty, and public bug bounty. There are numerous platforms available to assist on the technology side, but these programs also need internal people and process. NIST has a nice site with multiple references for guidance: https://csrc.nist.gov/Projects/vdg/related-guidance

Jorge Orchilles

BOD 20-01 (https://www.cisa.gov/binding-operational-directive-20-01) required the implementation of a vulnerability disclosure program with all externally facing systems included by September 2022. DHS is leading by example, not only having their systems incorporated into their VDP, but also inviting teams to discover vulnerabilities. I predict flaws will be remediated expeditiously driving revisions to expected vulnerability response timelines as well as refinements in their overall VDP program.

Lee Neely

DevOps tools are presenting a large attack surface. Between plugins, authenticating to various external services, and vulnerabilities in the tools themselves they need to be carefully watched and secured (and not exposed to the world).

Johannes Ullrich

The vulnerability applies to a specific configuration of Jira, affecting first and third-party apps specifying “roles-required” at the action namespace level but not at the action level. Even so, apply the updates if you're running Jira in your infrastructure. Make sure that you're updating all the related products you've deployed.

Lee Neely

Real nice case study on how dangerous file uploads can be. Unlike widely reported, this vulnerability did not affect Virustotal itself. Instead, third parties downloading (and processing) sample from Virustotal were affected. The exploited tool (exiftool) is very commonly used in file upload systems to pre-scan the file for metadata and is often considered harmless/low risk. But anything touching untrusted data needs to be carefully maintained and updated. Make sure your developers read the very detailed write-up.

Johannes Ullrich

This is very similar to embedding a macro in an Office document. The ExifTool was tricked into executing the provided code when analyzing the image. If you've got ExifTool in your environment, make sure that you've deployed their April 13th update even if you think it's not processing DjVu files.

Lee Neely

Critical Infrastructure providers have mad skills when it comes to delivering network and control signals over great distances. Now comes the time to help them with cost-effective prevention, detection, and response capabilities, particularly for services which cover large geographic areas, oftentimes remote, where physical and environmental challenges make in-person detection and response impractical.

Lee Neely

How effective would your business be if you severed these connections, particularly with today's use of cloud and outsourced services? Allowing and denying applications has to be not just at the system executable level, but also at the services level for comprehensive protection. Look to see if you can leverage layer 7 protections for allowed and disallowed services, irrespective of port, protocol, or address. Only allow access to approved services and applications, effectively blocking (or reducing) access to C2, malicious sites or other maleficence. Note that you will need to have to implement an exception and change management process and implementing this is not a finger-snap, and the result is worth it.

Lee Neely

We all worked hard to quickly retool to provide remote services during the pandemic. The attackers continue to exploit any weaknesses in those services. Two issues continue to surface - don't expose RDP to the Internet and use MFA. When it comes to strong authentication MFA doesn't have to be a budget buster, leverage soft tokens and capabilities built into modern IDPs. Don't skip System Administrator and VIP accounts, you need full coverage. Where "break glass" accounts (with reusable passwords) are kept for "emergencies" monitor and restrict their use to be certain that is the only situation where they are used.

Lee Neely