Protect Linux endpoints from Shikitega Malware; IHG Breached Again, Disrupting Business; Update, Segment, or Properly Dispose of Baxter Spectrum Infusion Pumps

These more subtle attacks easily hide in the noise created by all the Mirai and similar bots flooding Linux devices. Remember that the important attacks are the one-offs, not the top 10 attacks shown by your console.

Johannes Ullrich

When you read Linux, don’t just think of your servers or desktops, remember that many IoT devices are running Linux, with very limited built-in security measures to deploy. Shikitega is delivered in a very stealthy way and leverages legitimate hosting services for C2 functions. Incorporate the IOCs from the Alien Lab report. The best mitigations are to keep your devices updated, deploy EDR, and have backups. While you can’t deploy EDR to most IoT devices, you can isolate them as much as possible, make sure they are getting updated and where possible export the configuration to make service restoration simpler.

Lee Neely

IHG had $1.39B of revenue in 2021, or about $3.8M per day. If bookings of IHG’s nearly 900,000 rooms are impacted by the disruption, a 10% hit would mean the breach could be costing them almost $400k per day just in delayed, if not lost, revenue. IHG also paid over $1.5M in a legal settlement over a previous breach, which have been happening frequently at IHG. If you’ve been having trouble convincing management to back needed changes to reduce vulnerabilities, this will be the latest data point for proactive spending invariably being cheaper than incurring a meaningful breach.

John Pescatore

Remember IHG operates 17 hospitality brands including Holiday Inn, Crowne Plaza, and Candlewood Suites, meaning you may be impacted even though you've not booked an InterContinental Hotel stay. While centralized systems are offline, local hotel operators are able to process reservations on their local systems. While this is the third attack since 2017, it is unlikely they are connected; think more of kicking someone while they are down. Which means if you’re compromised, you need to not only restore services, and remediate the weaknesses used against you, but also raise the bar overall. The IHG attackers appear to be seeking the personal data associated with reservations, which can then be resold.

Lee Neely

Wiping all WiFi devices before decommissioning is vital because too many of them, include Baxter’s pumps, store WiFi credentials in non-volatile memory. The usual segmentation advice is true for any OT type technology, and even vulnerable IT devices and guest logins.

John Pescatore

These devices FTP and Telnet services enabled, and the firmware update is needed to disable them. Make sure that you’ve isolated them, using firewalls, separate VLANS, etc. If you’re using Wi-Fi, ensure that you’re using current wireless security. Hint: open access point or a captive portal aren’t sufficient. As a last resort you can operate these without a network, note that impacts the ability to deliver formulary (drug library) updates to them.

Lee Neely

If you look at multi-year attack data, you see that attackers target every sector that has vulnerabilities – which means they target all sectors. Denial-of-service attacks, which includes ransomware, often do target specific times when targets may feel a sense of urgency – holiday shopping, start of school year, tax filing days, etc. But, most ransomware attacks are also data exfiltration type attacks which create their own urgency. Bottom line: use data over headlines and focus on increasing basic security hygiene as “4-seasons” protection.

John Pescatore

No matter what your sector, you should be prepared for attacks. You should have a plan in place for recovery that you’ve tested, verified your backups and ensured you’re keeping systems updated, particularly boundary control devices. Make sure that all your internet accessible entry points use MFA, for everyone. Treat that VIP or Administrator account as just as likely to be compromised, no matter how careful they are or how strong the password. A level playing field also helps buy-in. If you’re looking to expose more services to the Internet, ensure security posture assessment, and remediation, is required in the process.

Lee Neely

Healthcare has tremendous pressure to implement the latest technology to aid patient care. And when that technology, or supporting systems are offline, the patients are directly impacted. It is easier to start with security practices than retrofit running production systems, and this is the challenge many of us face, not only in healthcare. If you’re having trouble building management support to retrofit or otherwise raise the bar, make sure that you’re sharing how compromise directly impacts customers. While death may not be a consequence, having your business transferred to your competition or worse a loss of reputation, should resonate.

Lee Neely

When talking about reporting, the conversation needs to include a good understanding about how the information is protected and who has access to it. But don’t forget to make sure you understand what information is required, that you can actually provide it in the format needed. The schedule for the listening sessions as well as links to the proposed regulation are on the CISA Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) site (https://www.cisa.gov/circia)

Lee Neely

The trick here is not to jump the gun, only deploying algorithms which have been vetted and approved by NSA, NIAP, etc. Read the caveats for each of the approved algorithms as they apply to the data you're protecting. Note the timeline recommends software and firmware signing to start migrating immediately. Expect to be required to include language for support of CNSA 2.0 algorithms in procurement contracts very soon.

Lee Neely

What is new is that a new implant “MagicRAT” is being deployed three days before the deployment of their previously known VSingle malware. The entry point remains vulnerable services, such as unpatched VMWare Horizon servers vulnerable to Log4Shell, which have, in this case, patches for the flaw. Yes, it’s a bummer getting downtime to patch these services, but it’s far better than the dust-up if you’re compromised. Yes, your internal network is safer than Internet exposed services, and it’s too risky to assume hackers can’t penetrate your perimeter. Core capabilities in the Lazarus toolkit include disabling endpoint protection and other mitigations you’ve deployed to detect and prevent compromise.

Lee Neely

Make sure that you are keeping any OEM provided software updated if your imaging processes don’t remove it. Also scan for re-introduction. The HP Support Assistant CVE-2022-38395 has a CVSS 3.0 score of 8.2, in part as the tool is already running with system privileges. The attack, while simple to exploit, requires a foothold on a system prior to exploitation, which provides some cushion; don’t sit on forcing the update.

Lee Neely

We've talked about some of these previously, but don’t overlook the others. Note that the D-Link and Netgear updates relate to end-of-life products. Make sure you’re actively replacing and excessing them. While they still work, the flaws also still work, which does nobody a favor if pressed back into service. Make sure that you wipe the firmware prior to recycling/disposal.

Lee Neely