Colonial Pipeline Gets $1M Fine for Security Failures; Malicious USB Drives Being Used to Download Worms; Install Latest F5 Big IP Patches ASAP, Check for Compromise

While PHMSA is still under the US Department of Transportation, the Transportation Security Administration (TSA) which is under DHS has overall responsibility for pipeline security. Until the Colonial Pipeline incident, TSA largely focused on voluntary compliance and interviews on security issues, mostly focused on operational technology and physical security, with no real audits. Since the incident, TSA has put out 2 Pipeline Cybersecurity Directives (one requiring a “Cybersecurity Coordinator” for the first time) and established a cybersecurity operations branch. This is a good example to use to drive a proactive review of (a) cross OT/IT cybersecurity visibility into and security testing of OT cybersecurity and (b) development of playbooks for response to a cyber incident that impacts OT operations directly or indirectly.

John Pescatore

If you had not considered regulatory fines for breaches and ransomware, here is an example you can use. The direct cost is more obvious: negotiator, incident response, recovery, etc. I go deeper into these costs in my blog: https://www.scythe.io/library/the-real-costs-of-ransomware-direct-costs

Jorge Orchilles

This emphasizes the importance of a viable COOP plan. If you're in a regulated industry, you need to make sure that your regulators are on-board with your service resumption goals. Even so, you need to make sure you can meet those goals, to include any assumptions about acquisition. Revisit plans about backup communication paths as well as changes to perimeter security to facilitate resumption of operations. The last two years have taught us that exposed services are rapidly targeted, remember security by obscurity isn't. Stand things up securely from the get-go.

Lee Neely

In addition to fines, accountability for these failures should include changes in both governance, directors, and management. Fines alone are not sufficient to change an organization's behavior.

William Hugh Murray

Even if you aren't interested in this particular malware, read it for a nice example on how to provide actionable information about detecting this type of malware and the particular techniques being used will likely be found in other malware as well.

Johannes Ullrich

Am I the only one who thought this was a Raspberry Pi issue? Not so much. This is the loaded media problem; once again your QNAP devices are in the cross hairs. This reminds us to not allow autoplay on removable media, only use trusted media, and ideally, scan it before inserting it into system components. Note that NGAV systems tend to not perform disk scanning, they scan when files are opened, so you need a separate process for that.

Lee Neely

This is a serious vulnerability and represents a foundational misunderstanding of threat modeling. Regardless of authentication bypass issues, F5 essentially built a webshell into its product. The only saving grace is that the management interface of the F5 should not be accessible from the Internet. Still, we're already observing threat actors exploiting the vulnerability. I wrote a blog post on the post-exploitation activity observed and recorded a video dissecting the vulnerability, including recommendations for organizations. Blog post: https://www.scythe.io/library/f5-big-ip-cve-2022-1388 Video: https://www.youtube.com/watch?v=1IChiQZM7EY

Jake Williams

Our honeypots started seeing numerous exploit attempts Sunday-Monday night. Exploit attempts include simple recon, backdoors (including webshells), data exfiltration and even two attempts to destroy the devices. Please see this as yet another “last warning” to remove admin/control interfaces from public networks and carefully restrict traffic to these interfaces. This particular vulnerability is about as bad as they come, but F5 isn't the only one having patched an unauthenticated remote code execution flaw recently. The number of exposed systems is small, but if your system is vulnerable and exposed, it was likely exploited by now.

Johannes Ullrich

Readers of this newsletter probably know to turn off external management interface, but when's the last time you ran < ssh user@your.vpc.here nmap $(curl icanhazip.com) > on your home network? On your friends' and relatives'?

Christopher Elgee

If you're still procrastinating because the flaw wasn't well known, or being exercised, time's up. Make sure that you've got your roll-back process well defined then get that maintenance window lined up. Repeat until done.

Lee Neely

This is the time of year where agricultural machinery is in high demand as crops are planted, making the attack even more disruptive. While you may not have heard of AGCO, its brands include Challenger®, Fendt®, GSI®, Massey Ferguson® and Valtra® and their biggest rivals are Caterpillar, Komatsu and John Deere & Company. We've been talking about supply chain risks for a bit, but have you considered the availability of large system components and your realistic ability to pivot to alternatives. How about when those components are pre-paid? How about a supplier which provides services that manage operations?

Lee Neely

If you're running Azure Integration Runtime, or on-premises Self-Hosted Integration Runtime, with auto-updates enabled, you're good to go. If you're not so big on auto-update - keep an eye on your Azure Service Health notifications and have a frank conversation about enabling auto-updates, things are moving pretty fast these days, and leveraging auto-updates from your providers can save you all sorts of long-term issues.

Lee Neely

This was a simple oversight and there is no evidence it's been exploited. While authentication and most rights were indeed checked, the check that the gem you were accessing was indeed the one you're permitted access to was missed, this is fixed. RubyGems also now sends an email to the gem owner when a gem is yanked or published. As a package owner, you should audit your gems for signs of potential tampering as well as make sure that you're following best practices outlined in the mitigation section of the RubyGems GitHub page below.

Lee Neely

Reliable, repeatable data on cybercrime incidents is badly needed, but don’t look for output from this Act for at least two years. The taxonomy effort alone is planned to take 1 year.

John Pescatore

Until the taxonomy is completed, the benefits cannot begin to be realized. With luck this will lead to standardized metrics which will allow us to consistently assess the current landscape.

Lee Neely

This effort might be boot strapped by starting with the Veris framework used by the many contributors, including the FBI and Secret Service, to the Verizon Data Breach Incident Report (DBIR).

William Hugh Murray

This is another measure to deter malicious actors but will probably only gain businesses more time to prepare as other actors will fill in Conti’s place. The best time is now folks. Test, measure, train and improve your people, process, and technology. We have a ton of resources at SANS: https://sans.org/purple-team

Jorge Orchilles

Given the alignment of the Conti Ransomware operators with the Russian government, it'll be interesting to see if anyone takes the State Department up on this offer. Also, as they are a RAAS provider, it's not clear how much legal action will flow down to their affiliates using their platform. This should be interesting to watch.

Lee Neely

The attacks on Costa Rica commenced April 18th, and they are still recovering, and their government has decided they are not going to pay the ransom. The attack is impacting their Ministry of Finance, Ministry of Science, Innovation, Technology and Communications, National Meteorological Institute, Radiographic Costarricense, Costa Rica Social Security Fund, and others. The reward offered by the US State Department hopes to result in a take-down before others can be harmed. In the meantime, this declaration will enable the support needed to apply resources to recovery, remediation, and prevention of recurrence, just as an emergency declaration after a natural disaster does.

Lee Neely