SANS NewsBites

Report: Exploitation Rate of Microsoft Proxy, Log4j and Atlassian Show Faster Patching and Architecture Changes Needed; High Rate of Vulnerable Log4j Downloads Means Software Inventory to the Library Level is Needed; Prioritize Patching Linux Privilege Escalation Vulnerabilities When Fix Is Available

April 29, 2022  |  Volume XXIV - Issue #34

Top of the News


2022-04-28

Five Eyes List Most Exploited Vulnerabilities

The Five Eyes countries – Australia, New Zealand, Canada, the UK, and the US – have published a list of the top 15 most routinely exploited vulnerabilities in 2021. The list includes the Log4Shell vulnerability and the ProxyShell and ProxyLogon vulnerabilities.

Editor's Note

Note the dominance of Microsoft Exchange. Currently, one of the most impactful security initiatives may be to move away from Exchange or at least substantially reduce its exposure.

Johannes Ullrich

The report points out that the majority of the top 15 CVEs were exploited within two weeks of disclosure – monthly patching is not fast enough. The Atlassian exploitation rate jumped to near the top after a proof-of-concept exploit was released – reports of POC attack code should be triggers for immediate action. The Mitigations section has action recommendations specific to the top vulnerabilities.

John Pescatore

Life moves pretty fast these days, and there isn't a lot of time to contemplate what to remediate. Key off of actively exploited vulnerabilities and POCs being available. Consider requiring critical vulnerabilities be addressed in 7-10 days. Don't accept workarounds as permanent fixes: require a timeline for deploying the complete fix, with appropriate consequences for failure to execute, then follow up. Make sure that you're subscribed to the CISA alerts, in addition to your other threat feeds; CISA has recently upgraded their mailing list and supporting processes.

Lee Neely

This is good insight to push for much faster patching cycles for these products, migrate to newer platforms, or make architectural changes that lower the risk of these products being exploited. Unfortunately, if you have any of these vulnerabilities in your environment, they were most likely already exploited.

Jorge Orchilles

2022-04-28

Log4Shell Attack Surface Remains Large

Researchers from Rezilion found that more than 90,000 Internet-facing applications are running vulnerable versions of the Apache Log4j library. The Log4Shell vulnerability was first disclosed in December 2021. It is easy to exploit and has a CVSS v3 score of 10.

Editor's Note

The real takeaway from this report: A large number of downloads of log4j done today will install the vulnerable versions on systems. New vulnerable systems are diminishing the impact of patching of existing systems. Maybe instead of signatures to detect log4j attacks, we need signatures to detect the download of log4j legacy versions.

Johannes Ullrich

This was expected because most organizations do not keep an inventory of where the vulnerable library is used. We went through similar exercises with Struts and Heartbleed. Keeping an inventory is tough but needs to go down to the library level.

Jorge Orchilles

You may want to reset your expectations on the remaining Log4j attack surface after reading this report. Then knuckle down and look to your organization to see what may be skipped or tabled. Don't overlook your internal/non-internet facing systems; there are scenarios where they can also be exploited.

Lee Neely
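
A detection along the lines the Editor's Notes suggest, scanning web-proxy logs for fetches of legacy log4j-core artifacts rather than waiting to find the jar on a host. This is an added example, not code from the newsletter or from Rezilion; it assumes Squid-style access-log lines with the URL in the seventh field and Maven Central-style artifact paths, the sample lines are constructed, and the 2.17.1 threshold is an assumption to adjust to current advisories.

```python
"""Flag downloads of legacy log4j-core artifacts seen in web-proxy logs."""
import re

# Assumption: 2.17.1 is treated as the minimum safe log4j 2.x release.
# Adjust to the current Apache advisory and your own patch policy.
MIN_SAFE = (2, 17, 1)

# Matches Maven-style paths: .../log4j-core/<ver>/log4j-core-<ver>.jar
LOG4J_RE = re.compile(
    r"/log4j-core/(?P<ver>[0-9][0-9A-Za-z.\-]*)/log4j-core-(?P=ver)\.jar")


def parse_version(ver: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 1); a qualifier such as '-beta9' gets a
    trailing 0 so that 2.0-beta9 sorts below the 2.0 release."""
    base, _, qualifier = ver.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))
    return nums[:3] + ((0,) if qualifier else (1,))


def is_legacy(ver: str) -> bool:
    """True for any log4j-core version older than MIN_SAFE."""
    return parse_version(ver) < MIN_SAFE + (1,)


def flag_downloads(log_lines):
    """Return (client, version, url) for each fetch of a legacy log4j-core.
    Assumes Squid native access.log layout: the URL is the seventh field."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        match = LOG4J_RE.search(fields[6])
        if match and is_legacy(match.group("ver")):
            hits.append((fields[2], match.group("ver"), fields[6]))
    return hits


# Constructed sample log lines (not real traffic); upstream IPs are documentation ranges.
SAMPLE_LOG = """\
1651234567.123 2100 10.0.0.5 TCP_MISS/200 1832 GET https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar - HIER_DIRECT/198.51.100.20 application/java-archive
1651234570.456 1800 10.0.0.7 TCP_MISS/200 1830 GET https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar - HIER_DIRECT/198.51.100.20 application/java-archive
1651234575.789 1900 10.0.0.9 TCP_MISS/200 1790 GET https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.0-beta9/log4j-core-2.0-beta9.jar - HIER_DIRECT/198.51.100.20 application/java-archive
1651234580.000 300 10.0.0.5 TCP_MISS/200 920 GET https://example.invalid/index.html - HIER_DIRECT/203.0.113.10 text/html
""".splitlines()

if __name__ == "__main__":
    for client, ver, url in flag_downloads(SAMPLE_LOG):
        print(f"ALERT legacy log4j-core {ver} fetched by {client}: {url}")
```

The same version check can be run over a jar inventory (the library-level inventory the notes call for) by feeding it the version strings pulled from each jar's path or manifest.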

2022-04-27

Nimbuspwn Linux Security Issue Can be Exploited to Gain Elevated Privileges

A collection of vulnerabilities affecting Linux systems could be exploited by local attackers to gain elevated privileges and deploy malware on unprotected systems. Dubbed Nimbuspwn, the security issue involves vulnerabilities affecting the networkd-dispatcher component.

Editor's Note

If you want a cool example of two race conditions (symlink, time-of-check-time-of-use) the Microsoft report (https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/) explains why they work and how to exploit. Note that manual exploitation is challenging because this is a race condition, so you're going to want to script that if you want to see it work, particularly if you want to reliably show others how this works. The developer has patched networkd-dispatcher; make sure to deploy the update when it's available for your Linux distro.

Lee Neely

Privilege escalation vulnerabilities have a lower CVSS score because they require access to the local system. Therefore, these vulnerabilities may not hit your prioritization baselines. However, you should investigate these in your environment for expedited patching.

Jorge Orchilles

The Rest of the Week's News


2022-04-27

Microsoft Report on Russian Cyber Warfare

Microsoft has published “a report detailing the relentless and destructive Russian cyberattacks we’ve observed in a hybrid war against Ukraine.” The report lists nearly 250 cyber operations conducted by six separate groups of threat actors who all have ties to Russia.

Editor's Note

The report notes that cyber-attacks are being coordinated with kinetic actions, increasing the reach and disruption of both actions. The old model of going to ground while continuing to operate becomes much more complex. Note that the Russian military defines information warfare as "confrontation in the information space with the goal of causing damage to critical information systems, undermining political, economic, and social systems, psychologically manipulating the public to destabilize the state and coerce the state to make decisions to benefit the adversary party."

Lee Neely

This is a fascinating report and one I highly recommend you read. The number and type of attacks is just breathtaking. Three key Russian intelligence services are actively involved (GRU, FSB, SVR). What is amazing is not just the TTPs used in the attacks, but the breadth of goals. Russia is undertaking everything from psychological warfare targeting an entire population to targeted infrastructure attacks. This is not a small-scale effort to support the kinetic side of warfare; this is another battlefield entirely, one Russia prioritizes just as much as their physical military forces.

Lance Spitzner

Read more in

Microsoft: The hybrid war in Ukraine

Microsoft: Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine

SC Magazine: Microsoft details rampant cyber warfare corresponding to Russian invasion

ZDNet: Microsoft: Russia has launched hundreds of cyberattacks against Ukraine

Ars Technica: Russia wages “relentless and destructive” cyberattacks to bolster Ukraine invasion


HSCC: MedTech Vulnerability Communications Toolkit

Health Sector Council: Medtech Vulnerability Communications Toolkit (MVCT)

Health IT Security: HSCC Publishes Medical Device Vulnerability Communications Toolkit

French Fiber Optic Cable Attack

Cyberscoop: How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities

Washington Post: French investigate who is behind fiber optic cables sabotage

Le Parisien: Fiber optics: sabotaged cables in several regions, an open criminal investigation (in French)


2022-04-26

Tenet Healthcare Cybersecurity Incident

Dallas, Texas-based Tenet Healthcare experienced a cybersecurity incident earlier this month. Once the company became aware of the situation, its security team “immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and quickly took steps to restrict further unauthorized activity.”

Editor's Note

Tenet’s response, recovery and communications all seem to have happened quickly. Their press release on the incident is a good model for clear and timely disclosure – good template to use.

John Pescatore

Rapid authoritative communication, which not only acknowledges the situation but also describes actions taken and manages expectations on future actions, is a mad skill we all need to have and hope to rarely use after such an incident. Note they also praised their staff who are working to deliver services through the situation. Store this one in a file in case you need a template.

Lee Neely

2022-04-28

Cloudflare Blocked Huge DDoS Attack

In an April 27 blog post, Cloudflare said that its “systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.” The attack against the unnamed cryptocurrency platform lasted less than 15 seconds.

Editor's Note

Of note here is that this was an HTTPS attack, which is considerably more resource intensive due to establishing a TLS connection, and the duration was less than 15 seconds. Another change was this attack came from cloud compute centers, not a residential computer botnet. This is a case where automated detection and response performed as intended. You know the questions you need to go ask your defenders and service providers.

Lee Neely

2022-04-28

GitHub Repositories Breached with Stolen OAuth Tokens

GitHub has updated its alert regarding breaches using stolen OAuth tokens to include a timeline of the attackers’ activity. The threat actor used the tokens to steal repositories belonging to dozens of organizations.

Editor's Note

GitHub has completed notification of all directly impacted customers and recommends continued monitoring of Heroku and Travis CI's investigations. Check your repositories for unexpected clone activity, and double-check for any authentication secrets or keys you forgot were still stored there.

Lee Neely

2022-04-28

“Package Planting” NPM Registry Flaw

Researchers from Aqua’s team Nautilus “found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it.” The issue, which the researchers have named “Package Planting,” was fixed on April 26.

Editor's Note

This is slick. You add a reputable/known maintainer or two to your malicious package, then remove yourself as a maintainer. The added maintainers don't know they've been added to your package, and your package now looks like one of their legitimate ones. The fix was to add a confirmation step. Maintainers must confirm being added to a package.

Lee Neely

2022-04-28

HSCC: MedTech Vulnerability Communications Toolkit

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has published the Medtech Vulnerability Communications Toolkit. The HSCC CWG developed the toolkit by building on the US Food and Drug Administration’s (FDA’s) “Best Practices for Communicating Cybersecurity Vulnerabilities to Patients” as well as information gathered in surveys of “healthcare professionals, journalists covering healthcare cybersecurity, security researchers, manufacturers, and regulators.”

Editor's Note

Think about this for a second - the average hospital patient bed has 15 medical devices which not only interact with the patient, monitoring and/or providing therapy/medications, but are also connected. Then consider how rapidly they are deployed when a patient needs them, which means configuration and update processes need to be proactively managed ahead of need. This report is designed to help communicate vulnerabilities to stakeholders in a way they can understand and support taking the required action.

Lee Neely

2022-04-28

French Fiber Optic Cable Attack

Authorities in France are investigating the apparent sabotage of fiber optic cables as a criminal act. The severed cables disrupted Internet service in several regions of the country earlier this week.

Editor's Note

The photos of the cut cables reinforce the value of path diversity. Also, an argument for locked and possibly alarmed grates/vaults/etc. Those cuts are going to be a bugger to fix; it's not clear how much dark fiber is available for re-routing of services. They are also faced with the decision of patching vs pulling new trunks. Understand what resiliency is deployed by your ISP and service disruption communication should be part of your DR planning in addition to path diversity so you can capture possible risks of service availability.

Lee Neely

Internet Storm Center Tech Corner

WSO2 Vuln Exploited to Install Crypto Coin Miners

https://isc.sans.edu/forums/diary/WSO2+RCE+exploited+in+the+wild/28586/


MITRE ATT&CK v11

https://isc.sans.edu/forums/diary/MITRE+ATTCK+v11+a+small+update+that+can+help+not+just+with+detection+engineering/28590/


A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809

https://isc.sans.edu/forums/diary/A+Day+of+SMB+What+does+our+SMBRPC+Honeypot+see+CVE202226809/28594/


Azure PostgreSQL Privilege Escalation

https://www.wiz.io/blog/wiz-research-discovers-extrareplica-cross-account-database-vulnerability-in-azure-postgresql/


Security alert: Attack campaign involving stolen OAuth user tokens

https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens


Netatalk Vulnerability Affecting Synology, QNAP, Others?

https://www.synology.com/en-global/security/advisory/Synology_SA_22_06


Microsoft Special Report: Ukraine

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd


Linux Privilege Escalation Nimbuspwn

https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/


npm Package Planting

https://blog.aquasec.com/npm-package-planting


Core Impact Backdoor Delivered Via VMware Vulnerability

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor


VirusTotal Exploit Update

https://twitter.com/bquintero/status/1518738072820670464


Emotet Experimenting With New Delivery Techniques

https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques