Don’t Download Password Cracking Tools from Untrusted Sources; Make Sure GitHub Commit Identities Are Verified Before Trusting; Microsoft Exchange Outage: Did It Impact Your 2FA Approach?

Downloading a random password cracker or any piece of software for that matter, and using it in a production environment without verifying the source and integrity of said software is never a good idea.

Johannes Ullrich

Downloading password crackers from unvetted sources and running it in production on systems connected to the Internet are 3 very bad practices. Great write up by Dragos.

Jorge Orchilles

In this case the password cracking tool doesn't crack the password, it exploits a vulnerability in the firmware which allows the password to be retrieved. While the software required a serial connection, Dragos researchers determined the exploit will also work over an Ethernet connection. A firmware update has been released by Automation Direct for this weakness. See CISA ICS Advisory 22-167-02 (https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-02) The Dragos blog post includes other PLCs, HMIs which the threat actor sells password "cracking" for.

Lee Neely

Verifying if software is safe to use is hard. Between typo squatting and bad actors taking over legitimate repositories, it can be difficult to identify "trusted" components. Opensource components included in your software should at least be run through a static code analysis tool to look for obvious issues. Even better: If your code analysis tool finds an issues, fix it and submit a pull request.

Johannes Ullrich

I stumbled upon this issue when committing to GitHub from a virtual machine that had the wrong date and time. As I investigated it, I was surprised to see this was expected behavior. I knew there had to be a way to abuse it somehow and the folks at Checkmarx have documented just that.

Jorge Orchilles

GitHub has features (like Vigilant mode) to make it easier for developers to detect spoofed identities, work with App Dev to get that made part of standard processes.The entire open source software/repository supply chain needs to raise the bar on security. The Linux Foundation “Open Source Software Security Mobilization Plan” detailed the critical areas, more funding for faster progress is needed.

John Pescatore

Attackers are manipulating data related to update activities as well as spoofing who they are to lead you to believe they are a highly trusted contributor who is actively maintaining their code. This can be partly mitigated by making sure that the commits come from someone whose identity has been verified by GitHub when those commits are being made. Don't wait for the 2023 deadline to enable 2FA on your GitHub accounts. If you digitally sign your code, the "vigilant mode" feature can be used to see the status of all code submitted under that name, aiding the discovery of malfeasance.

Lee Neely

Gee, I wonder how many phishing emails didn’t get delivered? On the serious side, 2FA approaches that rely on sending codes to email addresses are more vulnerable to delivery outages than those that use mobile devices and SMS messages or authenticator apps.

John Pescatore

Microsoft stated they found a section of network infrastructure performing below acceptable thresholds and rerouted that traffic, as well as restarted services to resolve the issues. In today's interconnected and interdependent systems required to deliver an online service like these, network performance dips can have a significant impact on service delivery, making it increasingly important to not only understand these relationships, but also to detect and react to issues rapidly.

Lee Neely

Wordfence released updated firewall rules May 21st and April 21st for the free and Premium/Care/Response versions, respectively. At this point it is unlikely the weakness will be resolved, and Wordfence has seen about 444,000 attempted attacks a day, so it's time to remove and replace this plugin. Also check your site for the listed IOCs.

Lee Neely

The fixes include updates to the underlying CentOS 6.8 shipped with some products to CentOS 7.9. The update to Contrail Networking 21.4.0 addresses 166 vulnerabilities, while the update to Space network management 22.1R1 addresses 31. Several of these vulnerabilities have CVSS base scores of 9.6 or higher, so you're want to go to the Juniper Security Advisory site and proactively search for your products. Note the CISA advisory (https://www.cisa.gov/uscert/ncas/current-activity/2022/07/14/juniper-networks-releases-security-updates-multiple-products-1) simply advises you read the Juniper Security Advisory page and apply relevant updates.

Lee Neely

While the Albanian government has assured citizens that their data is backed up, it's not clear that the root cause has been identified or remediated so those backups can be applied. Additionally, it's been noted these services were only recently being moved online, so it's likely the full plans for redundancy and resiliency hadn't been implemented. In today's climate, you need to start with those defenses in place prior to going live, particularly if you're operating a government affiliated service. You may also want to add practicing service restoration to your acceptance criteria for going live.

Lee Neely

The release to WikiLeaks was allegedly motivated by an abject hatred for the CIA. With that level of access, Schulte would have not only had to obtain a security clearance, but also signed enough NDA documents assuring his fate in the event he violated them. Schulte also was found to have child exploitation material on his laptop, so he's going to be busy paying his debt to society for a very long time.

Lee Neely

Make sure you're running the updated FreePBX software, ingest the IOCs in the Unit 42 blog, and check for unexpected new root accounts or scheduled tasks.

Lee Neely

Make sure that your users are running the latest iOS versions which close the attack vector used by Pegasus. If you have users who may be targeted, consider the Apple's Lockdown Mode which will be released with iOS 16 this fall.

Lee Neely

The btrfs file system and firmware for Intel GPU controllers branches also called for a delay. It is likely that version 5.20 of the kernel will be chosen as the next long-term support release.

Lee Neely