Prioritize Patching Seven Critical CVEs in Microsoft Patch Tuesday Release; Look for Webshells and Backdoors on Your F5 BIG-IP Installs; FDA Moves to Drive Security Requirements into Medical Device Product Approval Process

CVE-2022-26923, while “only” a privilege escalation vulnerability, is relatively easy to exploit and exploits have been well documented. Do not overlook this issue. CVE-2022-26925: Take it as another reason to review the configuration of your Windows systems and make sure NTLM is no longer used.

Johannes Ullrich

The LSA vulnerability (CVE-2022-26925) is kind of a big deal. While the raw CVSS score is 8.1, Microsoft suggests it warrants a 9.8 in some situations. This flaw allows attackers to exploit a MITM condition to force domain controllers to authenticate with NTLM authentication. Which, in summary, means you’re going to need to roll this one out, but do some testing, you're messing with the authentication stack.

Lee Neely

As reported earlier, this vulnerability is heavily exploited and the pool of exposed vulnerable systems has likely been completely compromised by now. Look for webshells and backdoors. If exposed, you will likely find several by now. We also noted some destructive attacks and the system may not reboot cleanly (but function reasonably well otherwise for a while) if affected by them.

Johannes Ullrich

You're reading this and saying “We so totally fixed that flaw last week,” right? For real, you need to patch your BIG-IPs and lock down access to their management interfaces. Don't skip your internal devices. Scan your network for devices which may be overlooked, possibly really old, and patch/update/lifecycle them as needed. If you're determined to redeploy old (still working) hardware to lower tier environments, make sure that it still includes a lifecycle plan.

Lee Neely

A law was enacted in 1992 to allow the FDA to charge manufacturers fees when they submitted applications for product approval – these funds allowed the FDA to shorten the review cycle by increasing staff and other resources required to review applications. This cybersecurity language follows that model and is badly needed – it mainly requires the vendors to demonstrate the product will be under a vulnerability discovery and disclosure program and (finally) products must have the ability to be updated/patched if vulnerabilities are discovered. Good stuff.

John Pescatore

This bill dovetails on the PATCH act which also requires SBOMs, regular testing and assurance as well as the lifecycle plan above prior to pre-market approval from the FDA. This raises the bar on both the production of medical devices and drugs, but also the lifecycle of those in the field and/or implanted. SBOMS are seen as a critical mitigation for software supply chain security risks related to those devices.

Lee Neely

The back-end management platforms built by many Managed Service Providers often use a lot of open source tools and libraries, putting them at risk to attacks like we’ve seen against Log4J. There are many, many forms of MSPs and all should be subject to demonstrating at least basic security hygiene, but MSPs with remote access to high privilege accounts on internal systems should be required to demonstrate higher levels of security and their connections monitored.

John Pescatore

This is third-party risk. Your MSP has a trust relationship with you and all their other customers. This means you need to have assessed their security posture and practices, including how they are separating access to customers. Understand how they vet and maintain the products they use. Ask to see their latest external assessment/audit, including actions taken on any issues. Verify these are conducted on a regular basis.

Lee Neely

Attackers have been taking advantage of WordPress vulnerabilities to inject malicious CharCode obfuscated JavaScript into the wp-includes with JQuery in the name, which are incorporated into every rendered page with those elements; odds are they are on every rendered page of your WP site. You'll want to make sure that you’re on full-auto update, verify your site is clean using a scanner, like the free Sucuri scanner (https://sitecheck.sucuri.net), address any issues found, then make sure that you’ve got a WAF, like Wordfence, pay for security profile updates, to help prevent malfeasance.

Lee Neely

This is an important step in the attribution stakes as it is the first time that the EU has openly identified the source of a cyber attack. It is also important to note that while this attack was aimed at Viasat to disrupt the communications capabilities of the Ukrainian army, it also disrupted businesses outside of Ukraine. It is a good example of why organisations located outside of Ukraine need to be vigilant for cyber attacks that may result in collateral damage against them. So do follow the Shields Up guidance from US Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies.

Brian Honan

For those, like me, who said that was obvious, step back and remember attribution can be tricky and can have serious ramifications if incorrectly done. Further, it’s possible to fake the fingerprint in malware, as was demonstrated in a project John Strand lead where he and his team offered a service which would inject “telltale” fingerprints into an uploaded executable, so it looked like it came from the selected entity. Be patient with those tasked with attribution, provide them tools and information needed, don’t delay mitigation and remediation activities for their result.

Lee Neely

The major point of ITI’s “undermine cybersecurity” comment is that quickly reporting an incident may give away technical details of vulnerabilities before they are mitigated. This is a pretty low risk – most corporate disclosures of cybersecurity incidents stay at very high levels that make them barely understandable, let alone useful to attackers.

John Pescatore

With the plethora of cyber security reporting initiatives of late, it is easy to lose track of what’s required and assess if you’re meeting them. Work to develop the needed disclosure processes and relationships to build assurance that information will be properly protected, whether you’re sending information to the CISA, FBI or SEC. Where possible, provide feedback on what timelines are workable, such as India’s six-hour reporting requirement. The goal is to encourage regulators to have a common/consistent requirement.

Lee Neely

Still waiting for exploitation to start, but the vulnerability is trivial to exploit and will likely be added to bots in the next couple days.

Johannes Ullrich

These are firewalls designed for small business and branch office deployments. On the one hand, this is an easily exploited flaw which doesn't require authentication and can be weaponized easily. Rapid 7 has a Metasploit module to exploit this flaw. On the other hand, Zyxel released a fix two weeks after the flaw was disclosed to them, which is awesome! If you have Zyxel firewalls, update the firmware and enable automatic updates. Shodan queries indicate only about 25% of these devices are running updated firmware.

Lee Neely

The databases provide access to various records including aircraft, firearms, motor vehicles, boats, drones, etc. While the portal is configured to primarily accept Personal Identity Verification (PIV) cards, it also can accept reusable passwords. This is how the site was compromised and why you need to make sure your MFA is comprehensive. If you must enable fallback to password authentication, limit what those weaker credentials can access; better still, provide rapid credential issuance and recovery negating the need for the fallback.

Lee Neely