Expedite Patching Vulnerable Atlassian Products; Check for Use of “Fleeceware” Apps Google Published in Google Play; Microsoft Releases Improved Default Office Macro Blocking

Not just for the hardcoded password, these vulnerabilities are serious and need to be applied expeditiously. These Atlassian products are often central to organization's software development process and a compromise could endanger this software.

Johannes Ullrich

When a physical substance (asbestos, lead, Red Dye #2, etc.)is found to be poisonous or dangerous, society can move pretty quickly to ban it. But, bad habits (eating too much fat/sugar salt, leaving the keys in the ignition, buffer overflows in code, hard coded passwords in apps, etc.) are much harder to eliminate. Every modern app testing tool detects the worst software coding/app security mistakes – require all software suppliers to show evidence of having run such tools or to be part of programs such as Veracode Verified, where the app test software vendor does it for them.

John Pescatore

Atlassian included this account to aid cloud migration, and while considerate, including either hard coded credentials or authorization keys has repeatedly been found to be a source of exploitation. Make sure that your Atlassian products don't include the disabledsystemuser account, delete it if found, creating fresh credentials for migration only for the duration of the project if you elect to migrate. Add checking for (and removing) disabled accounts "out of the box" right next to changing default passwords in your software installation/update process.

Lee Neely

Google seems to have been very slow to remove this “fleeceware” and has not made a public statement providing justification. I think something like 3700 apps per day are added to the 3.5M or so apps in Google play – human inspection isn’t really feasible to augment all the automated checks. The good news is Android and iOS do have what Windows and Linux lack – by default software whitelists (app stores) that greatly raise the bar against malware.

John Pescatore

These apps can either install premium dialers, such as Joker, which signs users up for expensive monthly subscription plans, or install malware. While there is some screening for malware when publishing content to the Google Play Store, the Joker-spreading apps keep being reintroduced as they are obfuscating their malicious activity by changing code, execution methods and payload retrieval processes/techniques. As always beware of over permissioned apps, only download apps from known developers and either your corporate or Google app stores. Play Protect will remove the malicious applications, you need to check your device for premium subscriptions you didn't authorize and cancel them.

Lee Neely

For organizations who experienced issues with macro blocking when Microsoft first started doing it: You will still be able to set your own policies, and Microsoft updated its guidance. As long as you set a specific policy manually, this change will not override it.

Johannes Ullrich

If you'd already configured the "Block macros from running in Office files from the Internet" policy, the setting will control the disablement behavior. Consult the updated Microsoft Guidance on how to enable macros from SharePoint or network shares to minimize impact, in general you want to disable Macros by default.

Lee Neely

While these attacks are targeting Ukrainian entities, we know that there can be collateral damage, so better safe than sorry, include the IOCs in your SIEM. Also include information from the Mandiant report on the GRIMPLANT and GRAPHSTEEL spear phishing campaign.

Lee Neely

The vulnerable devices do not just allow for tracking of the vehicle, but could also be used to disable them. This could become a safety issue. The inaction of the vendor is appalling and should be taken as a clear sign to not procure any more of these products.

Johannes Ullrich

I’m not a big fan on 152 page documents that focus on how to comply with regulations vs. how to protect data/systems/services and demonstrate compliance as a byproduct of that. But, more than half of SP800-66 is reference documents and section 5 (which is still 47 pages long) is a good source of questions that need to be answered to secure public health information.

John Pescatore

The goal is to augment the guidance to include more resources to help those struggling to implement the necessary security posture for HIPAA compliance. If you're a practitioner in this space, provide feedback to increase the relevance of the guides and resources.

Lee Neely

Attackers seek to leverage our increased use of online ordering from restaurants. The attackers are targeting the POS not the individual restaurants. As a subscriber to an online ordering service, verify that they are scanning server and bowser components, verifying that they are following PCI-DSS requirements to both inventory all JavaScript and traffic in and out of their website. Ask for proof of activities related to detection of Magecart and other similar threats.

Lee Neely

The hype around “cryptocurrency” and blockchain had reached unbelievable and really dangerous levels, so it is good to see criminal use of them be used by authorities to disrupt and catch criminals. Of course, many victims paid in crypto coins that in a few days were worth a small percentage of what was paid for them – kinda like recovering nickels when you lost $100 bills…

John Pescatore

This is why you want a relationship with the FBI before you need it. The cooperation from the Kansas based facility allowed for both the recovery of the ransom payment, but also the identification of previously unidentified ransomware strain. Note that ransom payments for other victims were recovered, but without their reporting it's unlikely those funds will be properly restored.

Lee Neely

The memory corruption flaw in WebRTC (CVE-2022-2294) is the same flaw Google disclosed as being actively exploited in Chrome browsers. Note the Safari update is included in the macOS 12.5 update, but must be installed separately on macOS 11.6 and 10.15. In addition to addressing vulnerabilities, iOS and iPadOS 15.6 include bug fixes and some new features such as being able to restart a live stream viewed with the TV app.

Lee Neely

While the FCC fined the major carriers over $200M in 2020 around misuse of customers location data, this issue has been a problem for more than a decade and the FCC has been slow to define user rights and carrier regulations around location data. If you have corporate wireless contracts with carriers, try to get questions around location data use and protection into RFPs – the market needs to feel demand around privacy.

John Pescatore

This follows up on Feb. 2020 FCC proposed fine of $208 million after determining that Sprint, AT&T, Verizon and T-Mobile were selling access to the customer's location information without ensuring that adequate protections were in place to prevent misuse of that information.

Lee Neely

Web Real-Time Communications (WebRTC) provided JavaScript interface to enable realtime voice, text and video communications between web browsers and devices. The WebRTC flaw, fixed July 4th, is being actively exploited. As such, you need to make sure that not only are your Chrome updates pushed out, but also that users are restarting the browser for the update to take effect. You can now push enterprise settings for Chrome browsers to both auto-update and force the relaunch in a defined period.

Lee Neely

f you're impacted and seeking restitution, make sure you have a supporting paper trail to support your claims of expenses incurred. If you allow remote access to your email, enforce MFA, being careful to exclude SMS and phone-call verification methods. If you already have MFA, make sure it's phishing resistant, if not, create a plan to get there from here.

Lee Neely