Tech Giants Commit Funding to Increase Open Source Supply Chain Security; Turn on Detections for Powershell-based APT35 Active Attacks

From Heartbleed to Log4j, progress in this area has long been badly needed and it would be good to see more big tech companies step up and join Amazon, AWS. Ericsson, Google, Intel, Microsoft, and VMWare in committing funding. Start now educating app dev and IT about the areas of improvement that will be rolling out over the next two years and push for rapid adoption. (See Google’s Open-Source Maintenance Crew related news item.)

John Pescatore

The ten goals they hope to address include security education, risk assessment, digital signatures (for code), memory safety, incident response, better (security) scanning, code audits, data sharing, SBOMs and improved supply chains. The last being the 10 most critical build systems and includes the C and Rust languages, subsequently this is a huge undertaking. Some of the other areas are already being addressed by emerging standards such as Sigstore for code signing, which is backed by RedHat, Perdue University and Google. Using this approach in multiple areas should help meet the aggressive timeline.

Lee Neely

Great move by Google to put money and bodies behind open source. Google is one of the big commercial users of open source and most of its services would not exist without open source.

Johannes Ullrich

Active participation by Google and others is needed to raise the bar on software supply chain security. Google has pledged $10 billion USD over the next five years, including $100 million for third-party foundations, including the OpenSSF, which help manage open source security and fix vulnerabilities. Expect updates to Google's Know, Prevent, Fix framework to make it more encompassing and accessible, allowing your developers, as well as open-source providers to better leverage it and produce better code.

Lee Neely

At this time the group appears to be small, using manual operations rather than an automated system to map victims to their specific encryption keys; which increases the likelihood of unsuccessful recovery even if the ransom is paid. It is expected that they are also going to, if they haven't already, be posting exfiltrated data as additional leverage to entice customers to pay. Know where your data is and be prepared to decide the value before someone else puts a price tag on it. If you're not comfortable with the protection or location, take steps before an incident happens.

Lee Neely

We published multiple detection opportunities for APT35 in this Threat Thursday blog post. While prevention is a goal, detection and response are a requirement. These detections cover a number of TTPs used by other threat actors as well: https://www.scythe.io/library/threat-actor-apt35

Jorge Orchilles

NIS2 is mostly about standardizing governance, enforcement and incident reporting/response across the EU. It includes a list of seven key elements addressing incident response, supply chain security, encryption and vulnerability disclosure. Organizations will have 24 hours after detection of an incident to submit an initial report. A full report will be required in 30 days. NIS2 expands the number of sectors covered, and specifically identifies social media platforms. If previous NIS rollout timelines hold for NIS2, compliance is likely to be required in 2024.

John Pescatore

Having consistent cybersecurity requirements across the EU will help with not only a consistent implementation, but also simplify requirements needed when doing business in or with EU based partners.

Lee Neely

Maryland had its largest and smallest counties hit hard by ransomware and learned that not all counties are equally able to reach basic security hygiene. That applies to most organizations – centralized support focused on the “security-needy” BUs in a distributed organization can often reduce the risk of potential weak links.

John Pescatore

Even if you're not in Maryland, you should be performing assessments, both internal and external, to identify issues and then remediate them, using a risk-based approach. Seek support from your local CISA or ISAC, or even reach out to local IT security chapters (ISSA, ISC2, ISACA, etc.) for expertise and resources.

Lee Neely

There's still much to be done via federal legislation to make mutual support easier, establish privacy standard, etc. States like Maryland should be commended for the work they're doing!

Christopher Elgee

This update, when applied to domain controllers, impacts certificate-based authentication. Microsoft's KB5014754 provides guidance, review before applying the update. The patch addressed a privilege escalation vulnerability (CVE-2022-26391 and CVE-2022-26923) which can occur when the KDC is servicing a certificate-based authentication request. Essentially after applying the update, make sure the authentication is in compatibility mode (the default), and watch for events in your log, following the remediation guidance. Wait at least a month without issues before planning on turning on enforcement mode.

Lee Neely

Note the issue does not exist on workstations and non-domain controller windows servers, so apply the patch to everything but your domain controllers. Review Microsoft KB5014754 if you're using certificate based authentication for configuration guidance. https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Lee Neely

The flaw is trivial to exploit and it is no surprise that it is already being used. Did I mention lately to not expose administrative interfaces to the Internet? This isn't the last trivial to exploit remote code execution vulnerability in a Firewall, VPN Concentrator, Load Balancer, NAS or other device people just love to expose to make live easier for the bad guys.

Johannes Ullrich

Given that last week Shodan queries showed only 25 percent of Zyxel devices were running updated firmware, it comes as no surprise that these are now being attacked and exploited. Don't overlook your boundary protection devices in branches or other remote locations, verify that they are being updated and, while you're asking, ensure they have lifecycle plans. Share the one-line exploit code in the Rapid7 report (also in the article below) if anyone doubts how easily this flaw can be exploited.

Lee Neely

A key challenge to zero-trust will be modernizing legacy systems, followed by implementing needed (micro) segmentation and other attack surface reduction activities. Remember agencies are making the move to zero-trust with no relief on existing mission deliverables as well as little to no added funding so far. To get this right, specific funding and resources are needed beyond the status quo. Additionally leveraging external assessments to identify gaps and remediation requirements should also be planned and funded.

Lee Neely

OKCIC’s notification of affected parties, as well as their posted advice, reinforced the value of proactive, rapid, and transparent communication. Not only are they providing identity theft and credit monitoring services to affected individuals, but they also encourage all potentially impacted individuals to take steps to protect their identity and credit, including providing resources and guidance we should all be following.

Lee Neely

These updates are more about security and bug fixes than adding new functionality. With 20-34 CVEs each, you’re going to want to push the updates. With nominal new features, the impact will be minimal to end-users. macOS 12.4 communication safety now allows parents to configure notification in messages for images which contain porn or nudity, iOS/iPadOS 15.5 adds functions to Wallet to allow Apple Cash users to send and request money from their Apple Cash card, Apple Podcasts adds settings to limit number of episodes stored on your iPhone, auto-deleting older ones, and fixes some home automation bugs.

Lee Neely