Singapore Banks Urge Customers to Uses Mobile Apps for Safer Banking; Segment and Patch All Atlassian Confluence Servers; FBI Info Prevents Damage from Attack on Boston Hospital

Many of the steps required earlier are remedial measures to get up to common practice levels of fraud reduction. The self-service kill switch in place of a phone call seems likely to have unintended consequences of driving calls up when hit accidentally. The move to more use of mobile banking apps reinforces the importance of the mobile telecom service providers and cell phone vendors stepping up the pace of pushing out security updates to all devices, and for Apple and Google to reduce the quantity of fraudulent or “leaky” apps that make it into the Apple App Store and Google Play.

John Pescatore

This is an interesting option, there will be some user training as all parties also learn when not to use this feature. Too often legitimate transactions are mistaken for fraud when the supporting details are inaccurate or truncated, such as POS systems still including test or outdated information in their name. Note the user is expected to call the help desk or use an ATM to initiate the lock. Increased functionality in mobile applications is welcome, don't overlook weaknesses in the web interface, APIs or other entry points needed to support online users. Make sure users can equally access supporting details for transactions from all provided entry points.

Lee Neely

This vulnerability was found after it was used in an attack against two different companies. So far, there is no patch for this vulnerability. Do not expose your Confluence server to the public. If you find a server exposed: Take it out back and rm -rf it.

Johannes Ullrich

The advisory notes that all supported versions of Confluence are affected, and hints that unsupported versions are as well. Don't take a chance, implement the mitigations on all instances of Confluence. Apply the update when released and update unsupported versions or migrate to the Atlassian Cloud service. The mitigations are to either restrict access from the Internet or shutdown your instances. The CISA bulletin on CVE-2022-26134 recommends blocking Internet access. Make sure that you are monitoring activity for malfeasance. https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data

Lee Neely

All too often notification to law enforcement is the first indication to organizations that they have already been compromised. Good to see the FBI taking timely action to aid in prevention of damage.

John Pescatore

Chalk one up for the good guys. The hospital was able to partner with the FBI and take needed steps to stop the attack. This information triggered the production of subsequent advisories on both healthcare and critical infrastructure protection. Make sure that you have relationships with the FBI, CISA and/or relevant ISOC partners before you need them to facilitate a timely response. Ensure you aren't overlooking key component security on devices labelled as appliances which silently “just work.”

Lee Neely

This implies that any VPN company still operating in India will comply with data retention laws.

Johannes Ullrich

Keep an eye to regulations for the regions and countries where you operate services. Not all regulators are willing to accept a response of not technically feasible. Or you may wind up in a perpetual cycle of explaining the impossibility of compliance. Either way, removing operation from that area may be the best overall solution; don't make that decision in a vacuum, make sure the C-Suite and board are behind you.

Lee Neely

The contact list in mobile devices has become a lifeblood for maintaining connections with our friends, partners, and businesses, synchronization with desktop tools for consistency is now SOP. As such attention should be paid as to what has been granted access to your contacts. Look at application permissions, particularly mobile apps, restricting them to the minimum set. Check for applications you don't use any longer and remove them. Resist the temptation to install a new app to view a unique content type. Make sure that content type is legitimate long-term, and not a lure.

Lee Neely

The LockBit ransomware group is taking credit for the attack and threatening to publish the exfiltrated information on June 11th. It is expected that the demand is a substantial as LockBit only targets large businesses with the ability to pay large ransom demands. Foxconn manufactures electronics, LCD TVs, mobile devices, computers for many brands, so there is a risk of substantial IP disclosure. This creates an interesting dilemma as you're dealing with disclosure of customer data, not just yours. Consider the actions you would need in this scenario, not just to prevent recurrence, or redistribute workload to meet customer demand, but also to retain their business.

Lee Neely

In 2020, the WeLeakInfo<dot>com domain was seized, and two suspects were arrested in Ireland and Netherlands. This action seized the WeLeakInfo<dot>to, ipstress<dot>in and ovh-booter<dot>com domains. The latter two provided booster or stressor services used for a DDoS attack. The FBI is still seeking information on any individuals connected with any of these domains.

Lee Neely

This highlights the struggle between using available tools to support a legitimate investigation and ethical or legal constraints. Making certain a clear authorization has been granted, particularly as these tools may violate relevant privacy laws, as well as careful consideration that collateral damage, or otherwise exceeding that permission doesn't happen; may not be sufficient to prevent blow-back when the investigation becomes known. Be sure to consider the worst-case scenario as well as every legal option; triple check those giving permission truly can.

Lee Neely

Use extreme caution with offensive cyber operations. Not only can you become a target if discovered, but you also put affiliated parties at risk. Understand the value and purpose of disclosing these activities. It's safer to learn from the ongoing battle between Russian threat actors and the Ukraine; applying lessons learned to your area than to actively participate, even though that participation is alluring.

Lee Neely

The key quote is “Of note, states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely.” So, the key is making sure that standard election security procedures are being followed by the large and small government election authorities and that vulnerabilities in processes are being remediated before any exploitation attempt.

John Pescatore

A lot of success can be attributed to defense-in-depth of the procedures, cyber, physical, and operational, supporting the voting process. If you're a steward of electronic voting machines, make sure that you're applying updates whenever they are released, not waiting until the last minute because they're all in storage.

Lee Neely