Make Sure You Have Patched ALL Log4j Vulnerabilities; If You Use Authy, Okta or Signal, Check for Impact From Twilio Breach; Insurers May Decline Coverage Against Attacks Declared “State Sponsored”

As the Log4j vulnerability became known, organizations often used generic exploits to scan their network. Exploitability for Log4j is tricky to determine as it all depends on how a particular application uses the framework. Do not ignore vendor patches just because some vulnerability scanner gave you a green light.

Johannes Ullrich

MERCURY (aka MuddyWater, Cobalt Ulster, Seedworm, static Kitten) was previously targeting VMWare instances with Log4J flaws, has now pivoted to SysAid. SysAid released Log4j patches in January, which appear not to have been applied. After you make sure that you’ve applied updates to SysAid, if you’re using it, make sure that you’re not overlooking other patches, such as VMWare, for fixes to flaws like Log4j. The attack reads like an exercise out of SANS SEC560 - the attackers are using Log4Shell flaws to get an initial footprint, then using PowerShell to drop web shells, then add a user, give it elevated privileges, and add attack tools to startup folders for persistence. From there, they are using Mimikatz for credential theft, RemCom for later movement, and send data to their C2 server using a custom version of the Ligolo tunnel/reverse proxy.

Lee Neely

This is the new “dependency hell.” We used to worry about libraries we are using for example for authentication (see the PyPi story above). But APIs we are using behave very much like libraries in our code, just with less control about what they are actually doing.

Johannes Ullrich

Twilio’s failure to protect its systems against the original attack should serve as a warning to all companies offering strong authentication services: since MFA is a major barrier to the attackers, they are going after the entire MFA food chain. SANS instructor Katie Nichols highlighted MFA bypass in the SANS RSA Top New Threat panel – it is critical that MFA services be hardened.

John Pescatore

In today’s modern business world where companies rely so heavily on their suppliers, and in turn the suppliers of their suppliers, it is prudent that we regularly run “what if” scenarios on the impact a breach against a third-party company can have on your organization. In other words, do you know the impact a breach like that on Tilion can have on your organization either directly or via one of your supplier?

Brian Honan

While SMS is better than single-factor authentication, it can still go wrong. Choose other options wherever possible. Make sure that you're not leaving SMS or phone call verification options available on your MFA service offering. Better still implement phishing resistant MFA (FIDO2, SmartCards, USB hardware tokens, etc.) The cost of hardware tokens can be rapidly eclipsed by a single breach, and the integration is vastly improved to what it was even a year ago, to include NFC or Bluetooth communication options you can investigate.

Lee Neely

There are 4 complex exclusions that lawyers will have to review, but to me they basically have a very loose definition of “state-backed” unless some government agency declares an attack to be “state-backed.” It is increasingly hard to find success stories in cyber-insurance providing meaningful reduction in financial exposure to an attack, let alone complete coverage.

John Pescatore

There is about a seven-month lead time for those insured by Lloyd’s to find an alternate solution. Expect other insurers to follow suit, as damages from a state actor, or undeclared war, represent large risk to the insurer. While on the surface this feels like a reasonable move from the insurers, the devil in in the details. Differentiating a genuine state sponsored attack from sympathizers or cybercrime groups is incredibly difficult. We all know attribution is hard, and now with insurance coverage hanging on the accuracy of that determination, particularly making sure that a look-alike organization is not involved, makes it even more so. This is another time to engage your legal team.

Lee Neely

It will be interesting to see what the detail of this change will mean on companies’ claims. Hopefully, what this will lead to is more honest press releases and breach notifications where companies won’t automatically leap to point the blame at “nation state sophisticated attackers”, but rather admit they were victims of ordinary criminal behaviour.

Brian Honan

This should not surprise anyone. Lloyd’s underwriters have never covered acts of war.

William Hugh Murray

This campaign was clever and should be included in awareness training for developers. Too often, training examples are too generic and users will miss these more targeted and sophisticated attempts. At the same time: There was (limited) resistance from developers against PyPi enforcing stronger authentication methods. Attacks like this show why we need strong MFA.

Johannes Ullrich

This was a credential stealing attack. PyPI states that accounts protected with hardware tokens are safe, and they are unsure about TOTP users. PyPI has announced a campaign to give away hardware security tokens for their top one percent of projects, based on download volume. Be aware of your source code repository’s efforts on both MFA and conditions for package removal or account disablement. With all the current activity around MFA and doctored-up packages, it’s easy to miss what is legitimate and what is not. PyPI has worked to roll back repositories which were compromised and contained malicious content as well as taking down numerous typo squatting repositories.

Lee Neely

Am I the only one who finds the repositories late to their responsibility in the supply chain?

William Hugh Murray

The best mitigation is to update to the applicable fixed version (see the Atlassian advisory for specifics.) Even if you implement the workaround of turning off public repository access, it’s not a full mitigation as users with accounts can still execute the exploit. CVE_2022_36804 has a CVSS v3 score of 9.9 as the attack complexity is low, and doesn’t require privileges, or even an account. Expect DHS/CISA to issue alerts tracking fixing of this issue, either as a BOD or KEV.

Lee Neely

I've spent a lot of time in Montenegro, and I've truly enjoyed watching the nation mature to the West-leaning democracy it is today. As much as we may like to ignore politics in cybersecurity, this is a prime example of political decisions' effects on threat landscape. Russia has been vocal about its disappointment in Montenegro's NATO and pending EU memberships, and this is not Russia's first known attack against the small country.

Christopher Elgee

The attack appears politically motivated, possibly as a result in the change of government last week. Montenegro was previously attacked on their election day in 2016, and again in 2017 when they threatened to join NATO. Systems are offline both for analysis and to prevent further damage, necessitating alternate communications, such as Twitter, as well as manual processing. Now is a time to look at what you can leverage from this even in your BCP plan and exercises. Don’t forget to consider how you reconcile systems when switching back from manual to automated mechanisms, as well as to define what constitutes a determination that a system is suitable to return to operation.

Lee Neely

This is not location services on your devices. This is triangulation based on highly accurately located towers, as well as their full visibility to your call meta-data. Expect to see attempted refinements in retention periods and data sharing agreements, and carriers to push back as there is a big financial stake with even obfuscated versions of their data.

Lee Neely

If the rare use of location data by law enforcement is to trump the day-to-day privacy of users, then transparency is the least we should expect. Fine print buried in terms of service does not amount to transparency. Emergency use of location does not require that the data be retained. Retention for more than days to weeks for potential use in investigations should be a matter of law, not mere convenience.

William Hugh Murray

The device data gathered includes a unique device identifier (Mobile Advertising ID or MAID), device type, timestamp, latitude, longitude, horizontal accuracy (how close the latitude/longitude are in meters) and the IP address. This data can be mined determining sensitive locations, such as a user’s home, shelter, place of worship, or medical providers. About the only action you can take is to change the MAID on your device on a periodic basis. Watch this case, as well as the FCC action above, to see what privacy protections can be placed on this data.

Lee Neely

Before you roll your eyes at Zero Trust, delve down into what the fundamental improvements are and look at how they can improve your business. Look at improvements in endpoint security to reduce reliance on your boundary protections; factoring not just for the human identifier but also for the device authenticator in authentication processes, raising the bar where you don’t recognize one or the other; leveraging software defined networks to dynamically define and protect assets, particularly with cloud and outsource activities. Then make deliberate decisions using guides like this moving forward.

Lee Neely

Recent breaches suggest that the first step for hospitals is to isolate clinical systems from public network facing systems (e.g., e-mail and browsing). Clinical personnel should carry their personal authentication (e.g., NFC token or mobile) with them from station to station.

William Hugh Murray

Check the clock: September 15th is only a couple of weeks out. The entries have notes that include links to the vendor notifications about these flaws, which can be a real help. Once you've filtered out what you don’t have and checked for any others with recent due dates you do, work with business units to get these buttoned up. Make sure that your SOC is checking for IOCs, these are actively being exploited and you may want to assume compromise. Be methodical, don’t panic, solve one problem, then solve the next one and then next, one update at a time.

Lee Neely