More Mitigations Needed from Microsoft to Deal With Exchange Zero Days; Service Providers Will Be Settling More Breach Lawsuits; Proposed FERC Incentives Focus too Much on Buying Products, Not Enough on Increasing Security Operations Effectiveness and Efficiency

This vulnerability is a good example for the need of robust detection engineering to cover post exploit activity. Rules to detect rogue DLLs or webshells will go a long way to detect activity well beyond Exchange flaws.

Johannes Ullrich

The trick is to focus on where you can raise the bar until a patch is released. Allowing Powershell execution only from users who need it is a good first step. These attacks require account takeover. As such, make sure accounts, especially administrative ones, use MFA and are only allowed to connect from authorized devices/services. Employ separation of duties, require administrative accounts not be end user accounts, then monitor their use.

Lee Neely

Managed service providers are going to see more of these lawsuits from their customers, which seem to be settled more often than the broad class action lawsuits that have gotten more press. If you are a service provider, good one to show your Chief Legal Counsel along with many previous reports on how cost to avoid was way less than the overall eventual cost of being compromised.

John Pescatore

Make sure you are tracking breach notification requirements for all your data types. Enlist expert guidance when you’re breached , and if you’re planning to miss the required window make sure you’re also taking to the regulator as late findings/penalties will only worsen your recovery process.

Lee Neely

I think the proposed approach has a dangerous flaw: it is almost 100% focused on either deploying new products and services to get rate reductions or by joining threat sharing. It almost completely avoids the People and Process part of “People, Process and Technology. For example, better IT admin and faster patching is one of the biggest improvements that could be made and in most cases does not require advanced products or new procurements – it requires a security team that can get the admin side to do things differently. The same is true for segmentation, privilege management and many of the Critical Security Controls that provide the biggest bang for the buck. The people skills to work with other organizations and to develop effective and repeatable playbooks to make the operations side better need to be incentivized, not just buying new products/services.

John Pescatore

The comment period runs for 30 days from publication which was 9/22/22. The proposed incentives would take two forms: a return on equity adder of 200 basis points, or deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base which could substantially reduce the burden of improving their security. The trick is the improvements must be deemed to materially improve the utilities cyber security, so it is critical to have a clear understanding of what that means. Also be prepared to demonstrate you’ve actually implemented changes, not purchased shelfware.

Lee Neely

Most electric utilities are regulated by the states. The states tend to focus on the rate to the consumer and to discourage what they see as discretionary spending. That contributes to the state of security in the industry. This legislation might well compensate.

William Hugh Murray

The DISA CDM program has been going for almost 10 years now and the acronym has always stood for *Continuous* Diagnostics and Mitigation. The question has always been what is the definition of “continuous” which ranged from yearly (or worse) to monthly for agencies checking on monthly Windows patches. While the CDM tools have been purchased to go faster, and meet this directive’s 7 day asset discovery and 14 day vulnerability assessment, the processes and staff skills needed to do that have lagged. This is step one to getting to basic security hygiene.

John Pescatore

CDM (which has the same scope as this directive) already expects discovery within 72 hours with the expectation that interval will shrink to near-real-time. Additionally scanning and remediation windows have been specified in previous directives. Irrespective of applicability, make sure you are able to discover all devices on your network and block/quarantine devices which are either unknown or not meeting minimum security standards. Technology such as NAC has matured to make this possible.

Lee Neely

This looks like yet another example where the attacker attached an obfuscated executable to an image (which isn't steganography in my opinion), and used a common cloud service to deliver the image. Lazy detection systems often ignore content past the initial header and this trick isn't new but effective. Catchy headline, but nothing really new.

Johannes Ullrich

Steganography is very interesting and capturing the source image is tempting. Use care handling it if you go down that path. This attack is new functionality added to the LookBack back door and the image (the jacked up windows logo) is stored on a GitHub repository. The Symantec blog has IOCs for you to incorporate. The attack is leveraging weaknesses in public facing services, e.g., exchange. The best mitigation is to actively update any public facing services and regularly verify they are running current security configurations.

Lee Neely

While Optus has not publicly stated the vulnerability, the articles say local reports point to “did not require authentication or authorisation for customer data to be accessed.” “Broken Access Controls” is the number 1 vulnerability on the OWASP Top 10 and “Insecure Design” is number 4 – any thorough software review of internal code or use of a modern software test tool on any open source code should have detected this long ago.

John Pescatore

In addition to the 1.2 million current customer records exposed, another 900,000 expired documents were exposed - which means attackers have customers' old data that could be leveraged to obtain the current information. While the company says they are taking steps to prevent recurrence and affected users have been notified, it’s still not a bad idea to make sure you’ve got credit/ID monitoring now rather than waiting for this to all shake out.

Lee Neely

The KEV instructions for mitigation for all three of these is to apply vendor updates. The Bitbucket issue goes back to August; this should be well and truly patched by now. The Microsoft Exchange issues are still waiting on patches, but you can follow their mitigation guidance.

Lee Neely

While the intended targets so far have been small, it’s not hard to take mitigation steps regardless of being targeted. Dell provided updates to the DBUtil drivers in May of 2021. Make sure that you’ve deployed them.

Lee Neely

If you’re using the Comm 100 live chat app make sure that you’re using the updated installer. Make sure that your EDR platform can detect malicious installers.

Lee Neely

They are creating weaponized versions commonly used open source, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer, you need to make sure you are not only educating users about obtaining genuine versions of packages but also providing current EDR which is watching for this activity.

Lee Neely

These type of agreements are always controversial, but are badly needed to both monitor and apprehend cybercriminals. The best possible outcome is an equal and opposite amount of opposition from privacy groups and national intelligence/law enforcement agencies.

John Pescatore

Data sharing agreements like this are needed to facilitate effective law enforcement response to multi-national crimes. Make sure you have a clear process, properly vetted by all parties, with those you plan to enlist in response to an incident well before it’s needed.

Lee Neely