Segment Storage Appliances from Internet Connectivity; Check All Python Packages for Auto-Execute; Third Party Breaches Are A Risk to You

Deadbolt has been an ongoing issue for exposed storage devices. It is important to note that this and similar ransomware has affected not just QNAP devices, but QNAP has been more open in warning users and implementing specific protections to fight this ransomware. The ransomware typically does not exploit specific vulnerabilities in the storage device’s firmware, but instead exploits configuration issues like weak passwords. And please do not expose these devices to the Internet!

Johannes Ullrich

Don’t expose NAS directly to the Internet, or indirectly via port forwarding. Religiously update the firmware and any applications installed, make sure there are no unknown accounts, accounts have strong passwords, and make sure that you have backups.

Lee Neely

While we expect scripts to run as part of a pip install, it turns out pip download also executes the setup.py script, intended to resolve dependencies, provided the package doesn't include a .whl (wheel) file which takes precedence over downloading the .tar.gz version of a package. The tricky part is if the .whl file is missing, the .tar.gz file is automatically downloaded (which has an embedded setup.py) and then the contents of setup.py are executed. As a mitigation, check your repositories for .whl files and if they are missing, don’t download using pip; use an alternate process to download the tar.gz file and investigate without executing.

Lee Neely

Another Pypi and / or Python supply chain story. The interesting part here is that we can already see the increased scrutiny in Python specifically in Pypi with MFA stories and other issues. We have also seen npm in the news. But does this mean other languages are somehow not also in the same boat? It's a daunting problem to solve and we have only started looking.

Moses Frost

Like KeyBank (see story below), security of outsourced services can be your weakest link. Prepare to spend more time validating their security than you would expect. Don’t expect you're going to get realtime logs from them; more likely they are going to contact you. Make sure you understand what that means, and keep that information current.

Lee Neely

I worked in this space in the 2000’s and I can tell you many major medical centers have to rely on third-party vendors. Almost every department may have their own unique vendor set to support their medical devices. There is barely a consideration for actual security best practices in many of these systems. Mostly because at most they feel ransomware would be the biggest threat. Most of these vendors will have direct connections into the facility and they will probably have the ability to laterally move anywhere as many of these networks are not security segmented by firewalls. I would even suspect many of them are just networks with all manner of devices connected to them freely. This doesn't surprise me: I had to fix a vendor issue in the early days where the actual large medical manufacturer kept imaging machines that had a worm (pre-Conficker) loaded into the build on accident.

Moses Frost

There are a few areas where the proposed changes dictate particular solutions, like “password vaulting” and “endpoint detection and response,” which is never a good idea. But, while many of the proposed changes will be complained about, most of them are just common sense essential security hygiene controls that need to be in place for any hope of a reasonable level of risk.

John Pescatore

While some of the suggested mitigations seem mundane, it’s not a bad idea to review your existing solutions, such as EDR, to make sure they incorporate current threat and response scenarios. It’s easy to get complacent- establish a lifecycle process for your defenses.

Lee Neely

This piece, and the item (above) on healthcare breaches, just point out that most business processes involve third-party service providers and those third parties may often be the weak link in your supply chain. The flip side is your company may be the weak link in larger players’ supply chains. Both scenarios carry high risk – use these news items in a small tabletop exercise if you need to get management support for addressing.

John Pescatore

Third party security is as important as your insourcing. And it can be much harder to verify. Don’t just put the right to audit in the contract, have a real conversation about how you would verify as well as what incident data can be shared. If you aren’t comfortable with the working relationship, and you can’t change solutions, you’ll need to articulate that and seek resolution or documented risk acceptance prior to go-live. Remember that no matter how good your reputation is – KeyBank has an awesome community support reputation – it's not the third party's image but *your* image on the line.

Lee Neely

Every Best Practices guide should come with a list of “How others overcame obstacles to implement…” examples. In many cases, the best security practice is common sense, but operational reasons drive shortcut approaches that are not secure. However, many companies (the ones *not* in the news for a breach) have found ways to justify how doing the right things in security up front actually can reduce cost of apps and time to market.

John Pescatore

Best practices are sometimes a euphemism for “This worked and we didn't get fired.” Don't discount your own experience about what worked. Instead, read the guide to make sure that you've not overlooked anything. Leverage it as support for raising the bar on your own practices.

Lee Neely

Fog Data advertises having a network of 250 million devices providing realtime geolocation data. The issue is the service can be used for legitimate purposes, say who was around a violent crime, or to locate those going to a targeted organization, violating their privacy. This data is gathered from apps to which you have granted location services, which means you can revoke those permissions, or disable location services entirely. Globally disabling location services is too disruptive and not a viable approach. The best approach is to limit location services to applications you trust and only when needed.

Lee Neely

This type of data sales to Law Enforcement is not something necessarily new. Is the fact that their presence on the Internet is also very small? No, many of these data brokers also fly under the radar. The really interesting item to note here is the fact that searches and data could be gathered without warrants. The questionable part then becomes who is able to access the data and who is watching or following that data access. Can this be abused to facilitate potentially criminal activity such as stalking or other acts? The reason we have some of these laws is not just privacy but also as a protection to citizens. Location data can very well be misused. Now will something happen in this case? Something to watch.

Moses Frost

This is the sixth zero-day patch for Chrome in 2022; CVE-2022-3075 is being exploited in the wild. It follows CVE-2022-0609 (2/14), CVE-2022-1096 (3/25), CVE-2022-1364 (4/14), CVE-2022-2294 (7/4) and CVE-2022-2856 (8/17). While Google is not sharing the details relating to exploit/attack vectors, prior zero-day exploit patterns warrant taking this seriously and pushing the update.

Lee Neely

The flaws are relatively simple to exploit, and include the ability to load new firmware from an inserted USB drive or crash these devices in masse with a UDP packet flood. As such, mitigations include limiting physical access, network isolation only allowing devices which absolutely need to connect.

Lee Neely

The flaw was found in both versions of the TikTok Android app. Update to the current version or remove it if you're not actively using TikTok.

Lee Neely