SANS NewsBites

US and Allied Nations Say Focus on Basic Security Hygiene; US Government Agencies Need to Patch VMware Now or Disconnect; Deploy Microsoft Out of Band Patch to Your AD Servers

May 20, 2022  |  Volume XXIV - Issue #40

Top of the News


2022-05-17

NSA, FBI, CISA and Allied Nations Joint Press Release on Cybersecurity Weaknesses

Agencies focused on cybersecurity in the US, the UK, Canada, New Zealand, and the Netherlands have jointly published an advisory “to raise awareness about the poor security configurations, weak controls and other poor network hygiene practices malicious cyber actors use to gain initial access to a victim’s system.” The document includes technical details about weak security controls, configurations, and security practices that are often exploited as well as suggested mitigations.

Editor's Note

As is often the case, most of the recommendations have long been part of what is now the CIS Critical Controls, Implementation Group 1 and some of IG 2, as well as the same requirements being long called out in the Australian “Essential 8.” If you are using security tools that provide those profiles, turn them on. If your tool does not support at least the Critical Security Controls, it is long past time to switch to ones that do.

John Pescatore

The recommendations are familiar, with the possible exception of zero trust, and before you roll your eyes, revisit these. The feasibility of implementing many things is changing and it may now be feasible to roll out MFA, monitor for compromised credentials, check for default accounts and implement secure configurations. Don't forget to check on incident detection and response as well as threat intel sources needed to detect and respond to relative threats and incidents.

Lee Neely

2022-05-19

CISA Tells Federal Agencies to Patch VMware Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive instructing federal agencies to mitigate VMware vulnerabilities. The flaws affect five products. Agencies have until Monday, May 23 to enumerate all instances of impacted VMware products or disconnect the products if the patches cannot be applied.

Editor's Note

One of the downsides of the virtualized data center is that if the underlying virtualization platform (usually VMware at enterprises) inevitably needs to be patched, all servers will need to be brought down. This is kinda like when network switches have vulnerabilities – too often, a very long time to patch. Switches were harder to attack; you need to have emergency downtime procedures for critical vulnerabilities in VMware.

John Pescatore

The short version is you should be updating your hypervisors now. Ideally, migrate the workload to another hypervisor so you can patch with nominal downtime. Note that this ED not only applies to on-premises systems but also to systems processing data on the agency's behalf, meaning outsourced or cloud operations. If you're using FedRAMP authorized cloud services, you can leverage the FedRAMP tracking and reporting services to track status. The ED not only requires enumeration but also status reporting by May 24th. All internet facing impacted VMware products are to be considered compromised, disconnected, reported, and not reconnected until they are both updated and have a clean bill of health.

Lee Neely

2022-05-19

Microsoft Releases Out-of-Band Update to Fix Active Directory Authentication Issues

On Thursday, May 19, Microsoft released an out-of-band update to address problems introduced in a Patch Tuesday update. The issue was causing authentication failures for some Windows services.

Editor's Note

Many organizations held back applying the May updates due to this bug, which affected one of the more important vulnerabilities patched in May. Exploits for this “certified” vulnerability are already public and with this update, you should not delay the May patches any longer.

Johannes Ullrich

This patch only applies to domain controllers. If you're applying the patch bundle, you'll need to apply the May monthly rollup as well as the standalone patch. The patch will not be listed via Windows Update, nor will it install automatically. Make sure you're following the guidance for the certificate-based authentication changes on your domain controllers; you may need to change the KDC to disabled rather than compatibility mode to ensure certificate-based authentication works properly. See KB5014754—Certificate-based authentication changes on Windows domain controllers: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_kdcregkey

Lee Neely
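Because the KDC mode mentioned above is set per domain controller, it is easy to end up with DCs in different modes after an out-of-band patch cycle. The following PowerShell is an added example, not code from SANS NewsBites or from Microsoft: it queries every domain controller in the domain and reports which certificate-binding enforcement mode each one is in. It assumes the ActiveDirectory module is installed, that the caller can run remote PowerShell on the DCs, and that the registry location and the meaning of its values (0 = Disabled, 1 = Compatibility, 2 = Full Enforcement) match KB5014754 as linked in the note; verify those against the KB before relying on the output.

```powershell
# Added example (not from SANS NewsBites or Microsoft): audit the KDC
# certificate-binding enforcement mode on every domain controller.
# Assumptions: ActiveDirectory module present, remoting to the DCs allowed,
# registry path and value semantics as documented in KB5014754.

# Values documented in KB5014754: 0 = Disabled, 1 = Compatibility (the
# behaviour when the value is absent), 2 = Full Enforcement.
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'FullEnforcement' }

function Get-KdcEnforcementMode {
    # Defaults are literals so the function can be shipped to a remote session.
    param(
        [string]$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc',
        [string]$Name = 'StrongCertificateBindingEnforcement'
    )
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }   # value absent: DC behaves as Compatibility
    return [int]$item.$Name
}

# Enumerate the DCs and run the check on each one.
$dcs = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Get-KdcEnforcementMode} |
    ForEach-Object {
        [pscustomobject]@{
            DomainController = $_.PSComputerName
            ModeValue        = [int]$_
            Mode             = $ModeNames[[int]$_]
        }
    }

$report | Sort-Object DomainController | Format-Table -AutoSize

# Call out DCs that still have the new checks turned off, so that a temporary
# workaround is not forgotten once the certificate fix-up work is complete.
$report | Where-Object ModeValue -eq 0 | ForEach-Object {
    Write-Warning "$($_.DomainController): strong certificate binding is disabled"
}
```

Run it from a workstation with RSAT after the out-of-band update has been applied; any DC that reports a different mode from the rest is the one that will produce the inconsistent authentication results the note warns about.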

The Rest of the Week's News


2022-05-17

NSA: North Korean Spies Seeking IT Jobs

The FBI, along with the US Department of the Treasury and the Department of State, has issued an advisory warning that North Korean spies are using fake documentation to pose as non-North Korean IT job applicants. The “advisory provides detailed information on how DPRK IT workers operate; red flag indicators for companies hiring freelance developers and for freelance and payment platforms to identify DPRK IT workers; and general mitigation measures for companies to better protect against inadvertently hiring or facilitating the operations of DPRK IT workers.”

Editor's Note

Same advice as after every “privileged insider gone bad” story comes out – security should work with IT and HR to make sure that all potential hires that will fill jobs that require privileged access will require more thorough vetting, including checking references.

John Pescatore

These workers are targeting WMD information, so if you're in a defense or defense-related industry, read the guidance carefully, paying attention to both the actions taken, such as forged documents and “borrowed” identities, as well as the mitigations, including verification of documentation provided and supporting evidence of employment. Make sure that your pre-employment screening firm is aware of these activities when vetting new hires, and don't let work commence until the checks are complete. The mitigations relating to data exfiltration and inappropriate access should be considered irrespective of these threat actors.

Lee Neely

2022-05-19

iPhones are Never Fully Powered Down

Researchers have developed a way to take advantage of the fact that iPhones are never fully powered down, even when they are turned off. The iPhone’s Bluetooth, Near Field Communication (NFC) and Ultra-wideband (UWB) technologies remain on when the devices are powered down to allow the use of the “Find My” feature, credit cards, and keys. In a recently published paper, researchers from Germany’s Technical University of Darmstadt “demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.”

Editor's Note

Note that this is only an issue if the attacker is able to upload malware into the Bluetooth system. But it does illustrate an important point that the state of modern systems isn't always obvious. Similar issues have come up years ago with IPMI interfaces in servers that are on and listening even if the server appears to be powered down. A larger issue may be that phones can be located even while turned off. On the one hand, this is a useful feature should you ever lose your phone, but there appears to be no clear control for the user to enable or disable the feature.

Johannes Ullrich

Not an easy one to exploit, but it's a good idea to check current and planned medical, office and retail environments for plans for any sort of Bluetooth/NFC/UWB technology where scanning of phones is going on in a public area.

John Pescatore

iOS 15 introduced the capability to allow the “Find My” and express cards and keys features to work on a powered-off device. Prior to iOS you had an option for a low power mode to save battery; this is a separate mode which is active even though you powered off the device or the battery is drained. As the chips are still running, the possibility exists to have them executing other code as well. To set that up, you need a device which is already fully compromised/jailbroken.

Lee Neely

2022-05-19

DoJ Revises Policy on CFAA Charges

The US Justice Department has revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA). Under the new policy, DoJ will not charge good faith security researchers with CFAA violations. According to the DoJ press release, “Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

Editor's Note

I'm thinking of so many mentors who would be reminding me “above all else do no harm.” Shortly followed by an admonishment that I had proper permission. When researching security issues, make sure that you have permission from someone authorized to grant it. With the advent of vulnerability disclosure programs, this is even more easily secured.

Lee Neely

Call me old fashioned but I prefer it when a government changes a law so that the law is clearer and easily understood rather than simply changing their policy on how they will apply the existing law. Policies can be easily changed, laws not so much.

Brian Honan

2022-05-18

MITRE Supply Chain Security Framework

MITRE has developed the “System of Trust (SoT), a supply chain security community effort defining, aligning, and addressing the concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings.” The framework will be introduced at next month’s RSA Conference in San Francisco.

Editor's Note

Haven’t been able to review this one yet, but we haven’t lacked for frameworks defining what to do. Achieving meaningful improvement in software supply chain security will always require action and changes that require buy-in of multiple groups: IT, procurement, logistics/OT, etc. – a “can’t do that” chain of obstacles that needs to be overcome. If you/your CISO does Board of Director briefings, this is a good area for a table top exercise that is first run for the CEO, CIO, CEO, etc.

John Pescatore

This is intended to provide a consistent framework for assessing your software supply chain. You're going to want to leverage any available frameworks to get your arms around securing your software supply chain to keep the effort scoped, and maximize success as attackers aren't going to pause while we figure this out.

Lee Neely

One hopes that such a framework focuses on the responsibilities of suppliers rather than on those of the buyers. The solution to the “supply chain” vulnerability lies with suppliers.

William Hugh Murray

2022-05-19

Jupiter WordPress Plugin Vulnerabilities

A critical flaw in the Jupiter Theme and JupiterX Core plugin for WordPress can be exploited to gain administrator privileges. The issue affects more than 90,000 sites. There are also other vulnerabilities. Fully patched versions of the Jupiter Theme and JupiterX Core plugin have been released.

Editor's Note

The vulnerability could be exploited by any authenticated user. Make sure you're running at least version 6.10.2 of Jupiter Theme or 2.0.7 of JupiterX. The fixed versions were released May 10, so they should have already auto-updated; you want to make sure you're not on the April 28th released versions, which didn't fully patch the weaknesses. Make sure your WAF is running current firewall rules. Wordfence released firewall rules for the paid and free versions April 5th and May 4th respectively.

Lee Neely

2022-05-20

India Inches Back Cyber Incident Reporting Requirements

India has made some revisions to its data security incident reporting requirements. First introduced in April, the stringent requirements met with pushback from technology companies. Initially, the rules required that organizations report incidents within six hours of detection and to retain log files for 180 days. The new document clarifies that only “incidents of severe nature … on any part of the public information infrastructure including backbone network infrastructure” are subject to the six-hour rule.

Editor's Note

This is an improvement, particularly as Annex 1 of the FAQ (https://regmedia.co.uk/2022/05/20/supplied_cert_in_faqs.pdf) enumerates the types of incidents to be reported. They are now permitting the use of NTP services native to cloud services as well as authoritative sources so long as there is no drift from their time source. They are holding the line on logging VPN and reporting network scans. The implementation due date remains June 27, and India has yet to disclose their data handling and privacy protections. Knowing how your data will be handled and protected is one of the key factors that should be established before sharing any information.

Lee Neely

“Time to report” requirements are well intended and respond to the many instances in which reports have been late and self-serving. On the other hand, they are at odds with the fact that many breaches are so subtle and covert as to resist discovery for weeks to months. Perhaps it is better to sponsor an ethic of transparency and accountability than to resort to law or regulation that in context appears unrealistic and punitive.

William Hugh Murray

Internet Storm Center Tech Corner

Use Your Browser Internal Password Vault... or Not?

https://isc.sans.edu/forums/diary/Use+Your+Browser+Internal+Password+Vault+or+Not/28658/


Bumblebee Malware from TransferXL URLs

https://isc.sans.edu/forums/diary/Bumblebee+Malware+from+TransferXL+URLs/28664/


Microsoft Out-of-Band Update fixes Authentication Issues

https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#you-might-see-authentication-failures-on-the-server-or-client-for-services


Sonicwall Patch for SMA 1000

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0010


QNAP NAS Deadbolt Ransomware

https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-secure-qnap-nas-and-update-qts-to-the-latest-available-version


380,000 open Kubernetes API Servers

https://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/


DoJ Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act

https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act


VMWare Flaws

https://core.vmware.com/vmsa-2022-0014-questions-answers-faq

https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/


Tesla BLE Proximity Authentication Vulnerable to Relay Attacks

https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/


Credit Card Scraping via Malicious PHP Code

https://www.ic3.gov/Media/News/2022/220516.pdf


Microsoft updating Delegated Admin Privileges

https://docs.microsoft.com/en-gb/partner-center/announcements/2022-may#13


SQL Server Brute Forcing

https://twitter.com/MsftSecIntel/status/1526680337216114693


UpdateAgent Adapts Again

https://www.jamf.com/blog/updateagent-adapts-again/


Updated Exploited Vulnerabilities

https://www.cisa.gov/uscert/ncas/current-activity/2022/05/10/cisa-adds-one-known-exploited-vulnerability-catalog