Check Your Use of Hikvision Cameras for Active Threats and Possible Sanctions; Ask Vendors Using Machine Learning About Model Governance and Update Testing; Another Active Directory Authentication Bypass Attack is a Reminder to Secure AD Services

Only 80,000? These types of cameras, not just from Hikvision, have been a major source of "internet background radiation" ever since Mirai started spreading about 10 years ago. Without automatic updates, they will only become safe once their electronic fails.

Johannes Ullrich

It is confusing: Hikvision is NOT on the sanctions list barring import, but it IS on the OFAC Non-SDN Menu-Based Sanctions List (NS-MBS List) under the “Strong” category, whatever that means. Bottom line: check if Hikvision equipment in use or any planned procurements and considered replacing or banning since sanctions are a high risk, let alone this vulnerability issue.

John Pescatore

Think of that security camera as a computer, where vulnerabilities could be leveraged to pivot onto your network. Yeah, that means you need to think about patching them. What's worse, not all manufacturers are as judicious about providing patches. Think twice about directly exposing them to the Internet, then isolate them onto a separate VLAN and use the strongest possible credentials, verifying no default passwords remain.

Lee Neely

People seem to miss that there may be a Cyber-Physical component to this. While we are mired in the “What if” of Cyber and these patches, there is a real danger that not only are these systems able to be used as a pivot point inside your network but these cameras can be abused to look at people, places, locations and be used to potentially move from a cyber-attack into a real-world physical attack. We shouldn’t lose sight of that.

Moses Frost

Those appliances (e.g., cameras) that must, or may be, attached to the public networks have a higher security requirement than those (e.g., baby monitors, TVs, refrigerators) that are intended to run only on private networks. Such appliances should be purpose-built and avoid any and all gratuitous functionality.

William Hugh Murray

Like many endpoint protection/detection software vendors, Carbon Black using what it calls “machine learning and behavior models” which are basically software. Ruleset updates are essentially software updates and need to be QAed by vendors just like any major software update. Inability to examine and audit complex models used to bundle mortgages into “derivative” packages in 2008 ended up with a lot of “deranged” investment packages being created and sold, leading to a major recession. That led to the Federal Deposit Insurance Corporation creating “Supervisory Guidance on Model Risk Management” that is already being looked at as the basis for evaluating financial institutions’ use of models in cybersecurity controls. Ask for model governance details on all security products claiming use of AI/ML and any other trendy model-based technologies.

John Pescatore

Two step fix - (yes, chicken and egg problem since you asked) first you must have the sensor bypassed via the Carbon Black console, to stop applying the ruleset and get out of the BSOD/Boot loop, then when they check in the impacted rulesets are removed. VMware did test the problematic ruleset prior to deployment, expect them to tweak this process. Note this includes sensor versions 3.6.x.x to 3.7.x.x, not just 3.7.0.1253 as was initially reported. Check the VMware KB note for information on verifying you are running non-impacted rulesets - there are six. https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Sudden-Blue-Screens-on-Windows-Devices-23rd/ta-p/114369

Lee Neely

Microsoft has always contended that BSOD is most often caused by third party drivers. Avoiding such drivers has made Apple operating systems more stable, at the cost of limiting third party devices. Prefer attachment via standard interfaces.

William Hugh Murray

This is not a supply chain attack. This is a case of compromised credentials being used to access your AD FS servers. Make sure that you're protecting those servers as you would a domain controller, making sure it's isolated, restricted to only allow admin accounts to login and monitored closely. Once the malicious Microsoft.IdentityServer.Diagnostics.dll is loaded, an attacker can generate claims that allow bypass of AD FS policies (roles, devices, network including MFA) to login to your other services. Make sure that you're actively managing accounts, use MFA where possible, that you leverage services to detect passwords in data breach dumps as well as long passphrases where you're still using passwords, and review the Microsoft blog for IOCs and other threat hunting information.

Lee Neely

Move away from On-Premise Active Directory and legacy technologies like ADFS. Yet another example of why.

Moses Frost

This is similar to a previous Active Directory MFA-bypass reported on in July. Microsoft’s recommended mitigation starts with “It’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure.”

John Pescatore

In our Penetration Testing Practice and in the Cloud Penetration Testing class we spend a great deal of time attacking control planes. There are many times that we are abusing this channel to evade detection by EDR and EPP. An attacker can evade these tools by using the control places like VMware to do work such as access consoles, and disks without having to work with the operating system. Instead of cracking passwords we typically find unpatched systems all over the place. Please patch your infrastructure.

Moses Frost

The flaw in VMware Tools can be exploited by a user on the guest OS to obtain privileges. Make sure that you're tracking/updating VMware tools versions on the guest OS just as you are other packages on endpoints, don't overlook the service components, whether workstation, player, or ESXi. This is a good time to also make sure that you limit access to administration interfaces for your virtualization environment.

Lee Neely

The big deal is not the ransom demand, it's the impact to patient safety. Not only are they re-routing patients, but they have also deployed their crisis unit to ensure existing patients are getting proper care. When formulating response plans, make sure to include mission or service delivery plans, which means we need to be partnering with the mission side of the organization, and vice versa, to include being at each other's exercises, from tabletop to live fire.

Lee Neely

Unfortunately, this is not the first time a ransomware attack affects the physical world and affecting human lives. We were warned years ago: https://www.wired.co.uk/article/ransomware-hospital-death-germany. What can you do? Understand how attacks work, emulate them in your environment, improve and tune your security controls, train your people to detect and respond before impact.

Jorge Orchilles

Make sure that you’ve using a unique, strong, password for your Plex devices. Yeah, I know the cat’s name is something your mom can remember, it’s still not a good plan. After you change the password, be sure to click the “Sign out connected devices after password change” box so nothing using that past password is overlooked.

Lee Neely

We are seeing an uptick in ransomware attacks against Latin American governments. Costa Rica was a pilot and hopefully organizations are acting. Latin America has traditionally been behind in cyber security.

Jorge Orchilles

“Quantum” ransomware, noted by the use of the .quantum extension on encrypted files, is a branch of the Conti ransomware, which was largely dormant until Conti shutdown and some of their members joined the Quantum gang. While root causes are still being investigated, it's already been noted that not only did their systems not have comprehensive EDR, they also didn't have a dedicated security department. In a similar situation, consider not only the value of your endpoint security, but also weigh the value of outsourcing your services and applications along with your SOC, which may provide some offsetting costs to raise the bar overall.

Lee Neely

One might easily guess what the vulnerable servers were running. That said, ransomware is more likely to exploit fraudulently reusable user credentials, flat networks, and default read/write access control than operating systems.

William Hugh Murray

GitLab has already updated their hosted service, this applies to folks running local copies of GitLab and GitLab Runner. CVE-2022-2884 has a raw CVSS 3 score of 9.9, so you may want to get this done PDQ. Make sure you are subscribed to GitLab's security release emails or their RSS feed (See the GitLab notice for information on subscribing.)

Lee Neely

I briefed the NSTAC on “Securing an Internet of Things” back in 2013 and this draft does start out by saying “The cybersecurity challenge of converged IT and OT is not a new issue; it has been happening for decades. The United States has the technology and the knowledge to secure these systems but has not prioritized the resources required to implement solutions.” They also admit most of the recommendations are not new – the issue is starting with moving to a governance approach for OT that is similar to if not identical to mature IT governance around security being baked into procurement, deploying and monitoring.

John Pescatore

We have all seen an increased importance on OT security over the last couple of years. The focus needs to be on where OT systems interface with conventional IT systems, to include media transfer procedures for isolated systems. Use caution when looking at patches/updates or adding active testing as these activities can render systems inoperable, or worse, OT components may not have any provision for updates other than a very expensive forklift replacement.

Lee Neely

We need to know what we have so that we can protect it. We all so need to know what we rely upon so that we can patch it as necessary. Given so called “shadow IT,” this becomes a line-management, not IT or security staff, responsibility.

William Hugh Murray

A good tutorial around how quantum computing will impact the use of cryptography, but the truth is most (really all) government agencies need to reach basic security hygiene levels long before quantum computing use by bad guys reaches the top 5 risks. A critical part of basic security hygiene, as defined in every security framework, is an accurate inventory of resources that need to be protected to keep the mission safe. ALL security controls should be part of that accurate inventory. Knowing where you are using crypto is one of the early steps in the DHS Post-Quantum Crypto Roadmap.

John Pescatore

There is not a lot you can do right now except to make sure that you've phased out older weaker encryption/signing such as 3DES and SHA1. If you're already at AES128, look at moving to AES256. Prepare for the quantum-resistant crypto by identifying where you're using encryption so you can plan for testing prior to a wholesale uplift to new algorithms. Pay particular attention to key escrow and recovery changes where applicable.

Lee Neely

It is not simply the traffic that occurs after quantum computer attacks become efficient that is at risk but all that encrypted traffic that the NSA is storing. We must assume that our adversaries also have troves of traffic that will remain sensitive into the future. That said, we still have ample time to prepare. Let us use it well.

William Hugh Murray

If you're still on ESR 91.12, you may want to go to 91.13 vs 102.2 until you've verified the impact of any UI/Feature changes. The .13 versions updates are effectively transparent to end users aside from the browser relaunch.

Lee Neely

This is about security of their development system, no user impacts are yet determined. The hard problem for LastPass will be determining what actions to take to circumvent the risk of the lost intellectual property. Keep an eye out for any updates to address that risk.

Lee Neely

Every organization has security incidents. I applaud those like LastPass who 1) detect and 2) report publicly on what happened.

Christopher Elgee