Another Reason to Prioritize Rolling Out MFA to All Privileged Users and Limiting Privileges; Senate Bill to Increase Open Source Security Needs More Focus on Immediate Actions, Less on Documents; Educate Developers/GitHubUsers About Increased Phishing Attacks Targeting Them

This attack only succeeds if privileged accounts initially compromised do NOT have MFA in use. As Microsoft points out “also important to note that all the compromised admins didn’t have MFA enabled, which could have stopped the attack. These observations amplify the importance of securing accounts and monitoring for high-risk users, especially those with high privileges.”

John Pescatore

This attack uses credential stuffing, targeting admin users, to create exchange connectors. At a minimum, enable MFA, then turn on conditional access to limit where admins can connect from. Now, make sure you’re using continuous access evaluation to shutdown accounts behaving unexpectedly. Lastly, if you’re using the free tier AzureAD, make sure the security defaults are enabled.

Lee Neely

In the beginning, most strong authentication schemes were user opt-in, but one was thrilled when one's banks began to offer it. The schemes were often awkward to use but less and less so. Reusable credentials continue to be implicated in breaches. It is time to make MFA mandatory. We should continue to offer users options about how to implement but reliance on passwords puts us all at risk.

William Hugh Murray

Even commercial software could not exist in its current form without open source. Protecting open source by extension does protect the vast majority of commercial software as well.

Johannes Ullrich

The proposed language gives CISA a year to put out yet another framework and then another two years for a report to determine if private industry could use that same framework. Three years to more paper documents is not major movement forward. On the good side, funding hiring of open source expertise in the CISA is a good thing and treating open source software used in critical functions as critical infrastructure is a very good thing. CISA should use the OpenSSF and the Linux Foundation “Open Source Software Security Mobilization Plan” as a starting point to fund immediate movement forward in parallel with any framework development.

John Pescatore

Executive Order 14028 already introduced requirements for securing the software supply chain. Additionally, there is existing guidance you can look to already to raise your bar. At a minimum, ensure you’re only allowing secure access to code repositories, implementing MFA for users and making sure you are using the vetted release of components in your CI/CD pipeline.

Lee Neely

Being able to measure risk is always useful. So is hiring those with skills and experience. One can hardly fault a laws that favors such. However, we already know that this risk is high and that there is not much the buyers can do about it. We know skills and experience are in short supply. As John Pescatore suggests, the time scale for this law to have any real impact is very long. A law that requires a digital software bill of materials would be a good place for Congress to start and would have earlier impact. While our tolerance for supplier error is high, at some point we need to hold sellers accountable for malicious code in their products. That too will require legislation.

William Hugh Murray

It appears that there has been a significant increase in phishing attacks targeting developers. Attackers have figured out that this is the easiest way to break the integrity of the software development supply chain. More technical employees like developers are often considered less vulnerable to phishing, but these attacks are usually less motivated by greed than those targeting executives. Instead, they are using a ruse that targets the desire of developers to get work done. Consider including some of these scenarios in your awareness program.

Johannes Ullrich

Source code repositories remain a target, and while actions are underway to raise awareness and overall security, threat actors are going to try to both inject new functionality and access your secret sauce to obtain an advantage. No package is too small to be a target.

Lee Neely

Individual countries each have to establish their own societal balance between law enforcement/intelligence agency access to citizen communications and citizen privacy rights. The difference between this current wave and previous privacy vs. surveillance waves (such as when telephone audio services first went digital) is that many services do not have to have physical presence in-county to succeed, so providers can fight back by moving offshore. For most companies, this law is a high risk to customer privacy unless stringent judicial release procedures are defined.

John Pescatore

Moving services out of a country whose privacy laws, or other regulations, you can’t comply with is a good idea. In this case the India rules don’t mesh well with the anonymous browsing model many VPNs offer. NordVPN, Proton VPN, Surfshark, Hide.me and ExpressVPN are all shutting down their servers in India. Read the fine print on alternatives which may still provide an Indian IP while not in the country. Expect India to take steps to apply their requirements to this or other perceived bypass scenarios.

Lee Neely

If India wants a Bluffdale, it should build it and pay for it itself. To require VPN service providers to do it will so decrease their revenues and increase their costs as to destroy the business model. The citizen will be the loser.

William Hugh Murray

My usual advise applies: Patch, but also make sure that you are not exposing these web-based admin interfaces to the world. I doubt that this will be the last vulnerability to be found in a web-based firewall/router/VPN admin interface.

Johannes Ullrich

This flaw is noted in the CISA KEV catalog. You have until Oct 14th to fix it. The flaws are in the User Portal and Webadmin services. A workaround is to not expose these services to the Internet. You need to do both, don’t expose those to the WAN and apply the update.

Lee Neely

In this case "allow" is the safe choice and should be the default. We simply have not seen sufficient cases where updates have caused problems to justify the alternative.

William Hugh Murray

The same mitigations apply as with the OAuth attack: MFA, conditional access, and continuous access validation. Make sure that you’ve disabled inactive users, and set a time limit on MFA configuration, perhaps locking users out who can’t meet the timeline.

Lee Neely

There are two items of note from this incident that we should learn from. The first is the compromised mailboxes were accessed via the IMAP protocol. This is an old protocol and one which should be removed from systems. The second is the amount and type of personal data that was stored in the compromised mailboxes. According to the breach notification the personal data exposed in this breach may have included names, Social Security numbers, employee numbers, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, and/or passport numbers. Email platforms should not be used as databases for personal data and processes should be in place to remove such data from mailboxes.

Brian Honan

Good news: the vendor updates are available; bad news: you need to roll them out quickly. Note that Sophos Firewalls are also on the list with a code injection vulnerability in the User Portal and Webadmin functions which allow RCE.

Lee Neely

If you’re in the energy sector, are you prepared to withstand such an attack? Make sure DDoS, remote access, segmentation, and authentication services are up to the task. Ensure your user awareness training is both current and required- to include annual refreshers. Lastly, ensure media and content validation processes are in place; don’t allow unconstrained introduction into OT environments.

Lee Neely

Mitigations are known to prevent account takeover for your repository. Make sure that only your vetted code is committed. Make sure that you have visibility to all updates, then follow up on unexpected or oddly-timed updates.

Lee Neely