Update All Firmware Using Realtek SDK and Monitor for Exploits; Update macOS Devices to Minimize Process Injection Risk; Push All Software Vendors to Improve Vulnerability Notice Processes and Patch Quality

This was probably the most important issue revealed at DefCon/BlackHat this year, and so far it has not been reported on much. It highlights a supply chain issue that organizations have a hard time handling. Affected devices are not typically found in enterprises, but in homes and small businesses. I do not know of an enterprise able of managing or even inventorying routers employees use when working from home, and users have a notoriously hard time finding and applying firmware upgrades to routers.

Johannes Ullrich

The vulnerable code is part of the networking stack, so attackers just need to send a specially crafted SIP packet to achieve device takeover. You can mitigate the risk by blocking UDP packets at your perimeter. Use caution to not block any critical services actively using UDP. VoIP and gaming services are the most likely affected by this approach; make sure that your VoIP provider is on the allow list. Keep an eye out for updates from your vendor, particularly if they reference CVE-2022-27255 or Realtek SDK update.

Lee Neely

SANS Internet Storm Center info and guidance at https://isc.sans.edu/diary/Realtek+SDK+SIP+ALG+Vulnerability%3A+A+Big+Deal%2C+but+not+much+you+can+do+about+it.+CVE+2022-27255/28940

John Pescatore

Apple will have a hard time eliminating these process injection vulnerabilities. This problem reminds me of deserialization vulnerabilities in web applications. Note also that this week’s Zoom update for MacOS addresses this issue.

Johannes Ullrich

Apple’s update is only for macOS 12 (Monterey). With the pending release of macOS 13 (Ventura), which should include this fix, it’s time to get your users up to Monterey. While Apple holds their support model tightly, I have found that support for current plus one OS revision back is their sweet spot. Expect a similar model this fall when iOS/iPadOS support shifts from versions 14 & 15 to 15 & 16.

Lee Neely

The key line in this excellent presentation is “Spend your money wisely. Vote with your wallet.” Realistically, there is NOT going to be legislation any time soon that addresses this complex problem in any meaningful way. The market has shown that security of software is important – over 20 years ago that is what drove then Microsoft CEO Bill Gates to make the company focus on security, since Microsoft was losing the World Wide Web race to Netscape and others. Make sure all procurements/RFPs include at least questions on testing of software and patch timeliness/quality statistics from all software (including SaaS) vendors.

John Pescatore

The dream has been to be able to categorize and prioritize patches, focusing on the most exploitable and critical issues. Vendor trends, which include putting advisories behind paywalls, and reducing the exploitability information with the intent of providing more time for users to apply patches while making reverse engineering the flaw more difficult. Leverage services to auto-patch commodity systems and applications (typically desktops and standard servers) rapidly allowing staff to focus on regression testing for servers and other mission essential applications. You may also be able to leverage cloud or outsource solutions for common applications such as ERP, CRM which are already continuously patching and updating.

Lee Neely

This week one colleague suggested that responding to the Microsoft patch Tuesday constituted “unplanned” activity. Patching is now mandatory and routine, hardly unplanned. The number of patches is a measure of quality. This observer continues to be amazed at the tolerance of this industry for poor quality. Addressing it will require new incentives, tools, methods, processes, and procedures. Those we are using are clearly not working.

William Hugh Murray

According to Palo Alto, this vulnerability can be mitigated by adjusting your configuration. Vulnerable configurations are unlikely and according to Palo Alto usually applied by mistake.

Johannes Ullrich

While the complexity of this attack is low, it is dependent on a misconfiguration of a URL filtering policy. In short, the URL filter profile has to have one or more security categories assigned to a source zone that has an external facing interface. Normally these would be assigned to internal interfaces. Rather than wait for the patch, scan your filtering profiles, and correct this. Apply the patch, when available, as part of your boundary protection update protocols

Lee Neely

This update addresses a vulnerability related to the "process injection vulnerability" discussed at Blackhat. Also see macOS Process Injection story above.

Johannes Ullrich

The fix is in Zoom 5.11.5 (9788) or later. You probably want to push this update rather than waiting for your users to either go to the “check for updates” menu or wait for the release of a Zoom auto-update.

Lee Neely

Mitigation takes some manual steps. First, you need to determine if you're running a vulnerable bootloader. This is done by checking the EFI System Partition (/boot/efi on linux, mountvol DRIVE: /S on windows). If it’s vulnerable, you’ll need to apply the updated bootloader from your vendor. Second, you need to apply updates to the Secure Boot Forbidden Signature Database (DBX) which prevents unauthorized UEFI modules from loading. DO NOT make these updates unless you have a known non-vulnerable EFI bootloader. Read https://support.microsoft.com/en-us/topic/kb4535680-security-update-for-secure-boot-dbx-january-12-2021-f08c6b00-a850-e595-6147-d0c32ead81e2

Lee Neely

VNC is very useful for remote controlling and accessing systems if done right. Exposing a password-less VNC to the Internet is much like when users connected PCAnywhere to a modem, except with a tool like Shodan it’s far easier to find. When setting up VNC, ensure a password is used and don’t expose the service directly to the Internet, use a VPN or other secure gateway. Make sure that the communication is over an encrypted channel to prevent both eavesdropping and MitM scenarios.

Lee Neely

One hopes this briefing provides enough information to support both legislation and funding to help improve overall healthcare cybersecurity, to include sharing of resources, incident and threat information needed to prepare and respond to the changing environment.

Lee Neely

In phishing assessments, click rates are always above 0%. Orgs need technical controls to throw warnings, reduce damage, and alert security when someone does click. We also need users who are trained and comfortable coming to security immediately when they realize something's gone wrong. This means no “three strike” rules!

Christopher Elgee

The problem has been exacerbated by a high turnover of healthcare workers, to include many new workers; where the time to complete cybersecurity training has been (understandably) eclipsed by medical events of late. On the human side, make sure that your training requirements are intact, that you’re tracking completions as well as barriers to find alternate ways to deliver the needed training. From an IT perspective, make sure you've got services enabled to block and tag suspect emails. If using a quarantine, make sure that there is active tuning and monitoring of requests for retrieval to minimize impact of miscategorized messages.

Lee Neely

From 2007 to 2015 or so, retail breaches dominated the news, as Target, TJX, Hannaford, Home Depot and others had breaches that compromised close to 200 million retail customers. Retail had a complicated mix of IT and distributed point of sale/OT systems, and the processing of credit cards was a lucrative target. No coincidence that over that same period the Payment Card Industry Data Security Standards program evolved from PCI 1.0 to PCI 3.0. Healthcare has the same risk profile and an even more complex OT world, but the healthcare world has not had a “Healthcare Industry” kind of program with the power of the payment channel behind it. Without that, it really is time for government funding to healthcare to start being tied in some way to protection of health care data.

John Pescatore

Healthcare data continues to be a big target as studies show it has a greater illicit market value than credit-cards or sensitive PII. Business parties are a big factor in these incidents. Make sure that your business partners are maintaining an appropriate security posture that requires both active (documented) agreement and continuous monitoring. Doubly so if they have a direct connection to your systems.

Lee Neely

From retail, hospitality and card fraud to healthcare and ransomware; crime goes where the money is. EMV and PCI DSS, have helped in reducing card fraud. We clearly need both new tech, convenient strong authentication, and new standards of due care, cybersecurity, in healthcare.

William Hugh Murray