Check SOHO Routers from ASUS, Cisco, DrayTek and NETGEAR for ZuoRAT Malware; Can Your Protect Your CEO With Apple’s New Lockdown Mode?; Patch OpenSSL

Usually as we talk about attacks against home routers and similar "IoT" devices, we talk about nuisance malware like Mirai. But among the background noise are some more sophisticated attacks using the same simple exploits to turn these devices into a powerful distributed attack platform. This has been done in the past with MikroTik routers and others as well.

Johannes Ullrich

This malware is operating under the pretext that SOHO routers are not maintained or secured. Make sure that your routers are configured for automatic firmware updates, that remote management is either disabled or restricted to very specific authorized devices, and pay attention to any vendor provided security posture check. Lastly, make sure the device is still supported and replace it if not. This RAT cannot survive reboots, so if you're thinking your infected, reboot your router; then you need to perform a factory reset to make sure only the settings you intend are in effect.

Lee Neely

These routers are the first line of defense line of defense in "work from home" applications. Yet, as with many smart appliances ("things"), keeping them current is costly and rarely routine.

William Hugh Murray

Interesting move by Apple to give users the option to prioritize security over functionality. Also interesting as only a very small number of users will benefit from it. We will have to see how many attacks are actually disrupted by this setting. (I don't doubt it will work, but the real question will be if the right target group will take advantage of it.)

Johannes Ullrich

I think we will be surprised how many CEOs might be willing to lockdown their phone this way. If your CEO wears an analog watch that does NOT show altitude, phases of the moon or beep on every Instagram post, configure an iPhone in this Lockdown Mode when it comes out and do a demo to CEOs and even the Board.

John Pescatore

Something to consider for potential targets (VIPs?) working in risky areas. Read and test the impacts carefully and review them with your possible user to ensure they don't wind up turning this off because they are not able to work. Impacts blocking most attachment types other than images, disablement of link preview, Java JIT compiling on non-trusted websites, blocking MDM profile updates and inbound service requests such as calls, or FaceTime being blocked if you haven't connected previously.

Lee Neely

One should add international travelers to the list of those that may find this mode useful. (Everyone might want to turn it on in such hostile environments as Starbucks, airports, or Washington DC.)

William Hugh Murray

These are two interesting vulnerabilities and I think they may have gotten a bit lost during the short work week. CVE-2022-2274 could have huge impact, but luckily it only affects OpenSSL on specific CPUs, and more importantly, it was caught immediately after the bug was introduced so the footprint of installed vulnerable OpenSSL versions is negligible. The second issue is also CPU version dependent, but it affects a much larger range. It could potentially affect a lot of data that was encrypted and is now considered "safe" even though a very small part of the data has not been encrypted.

Johannes Ullrich

Good to see fast reaction by OpenSSL. That needs to become the norm for open source software, medical devices, etc.

John Pescatore

The flaw was introduced in OpenSSL 3.0.4, so make sure that when you're updating, particularly if you're playing catch-up, you move to at least 3.0.5. While you're waiting on vendor provided patches, it'd be a good time to take stock of the versions of OpenSSL you have installed to see what your risk levels are.

Lee Neely

Economic conditions mean many HR organizations are dealing with layoffs/redundancy while also hiring in key areas – busy HR people often take shortcuts. As a minimum, use this item to touch base with HR and IT management to make sure hires in positions that will be given sensitive access get thorough reference and background checks.

John Pescatore

Trust but verify. Part of the scheme is using doctored videos, but the audio doesn't match the video exactly, particularly for coughs or sneezes. Use employment background screening processes to verify that the person is truly who they claim to be. The cost of an in-person meet and greet may offset the cost of damage from a fake hire.

Lee Neely

This is a good reminder that we need to look at the supply chain for all business services to an organization for its Business Continuity Planning. If you have not done so already, you should review what key functions your organization has outsourced to third parties and how you would continue to provide that service should that provider become a victim of a cyber-attack or other issue that results in them being offline.

Brian Honan

Using companies like Geographic Solutions provides easy access services you may not be able to otherwise deliver, and they are able to achieve economies of scale, which is a boon to your business. Make sure that you're incorporating the risks of outsourced services being offline for the time needed to recover from a ransomware attack. Make sure that interdependencies are also understood then develop your response plan.

Lee Neely

These typos which result in the incorrect package are incredibly easy to make, particularly with pressure to deliver rapidly. Make sure your build/integration process is validating that the packages intended are what is loaded. Name, version, checksum, and that you're responding to exceptions.

Lee Neely

No matter what sector you're in, add the IOCs from the CISA bulletin to your SIEM. The attack vector is not yet known, mitigations include making sure you have MFA on your entry points, only authorized systems and individuals can access sensitive data and encryption of sensitive data at rest wherever possible.

Lee Neely

I don’t see any game changers, mostly a lot more data collection and reporting requirements – more pages of documents have never equated to reduction in risk. Game changers would be requiring DoD (and by extension those who sell to DoD) to upgrade IT operations to meet basic security hygiene requirements, vs. more documents on how to spackle security on top of badly developed and administered systems in data centers and in the cloud.

John Pescatore

Key to the Office of Cybersecurity Statistics will be the capability to process, store and analyze data in an expeditious fashion, while an exciting capability, expeditious funding is critical. Expect this to change in committee. This also includes attempting to insulate the CISA to political swings by limiting the term of the CISA director to five years and requirement for military leaders to report on acceleration of domestic production of rare-earth metals.

Lee Neely

Chrome, like most other browsers, will update automatically as long as you close and reopen. Even so, this is a good reminder that client-side attacks should be part of the scope of work in red team and pen testing engagements.

Christopher Elgee

Heap overflow, use-after-free and type confusion issues are addressed. Chrome updates continue to hone our ability to push out-of-band patches. Don't forget to set a time limit on users relaunching browsers to load the updated version. Be sure to check, and update, chromium-based browsers in your environment.

Lee Neely

The quest for quantum-resistant algorithms started in 2016. CRYSTALS-Kyber is intended for general key-establishment, CRYSTALS-Dilithium for digital signatures, FALCON as a fallback for cases where the CRYSTALS-Dilithium signatures are too large, and SPHINCS+ is the slowest of the bunch, but is suggested as an alternative where you want to use alternate mathematical models. Don't expect to find these in vendor products right away. Once they are available, you're going to want to do regression testing to not only ensure that you're functional, but also for other operational or performance impacts.

Lee Neely

We have ample time to replace RSA. There will be no "Quantum Apocalypse." However, it is important to keep in mind that attacks against modern cryptography are rarely against the algorithms but rather against implementations and applications. We still have a long way to go.

William Hugh Murray