Resource PKI for BGP Security Requires Network Provider Mitigations Until Fully Adopted; HHS Presentation Can Aid in Checking Your Approach to Detecting/Mitigating Living Off the Land Attacks; Patch Fortinet Equipment ASAP

The real problem isn't that it fails "open" if a key cannot be found, but the fact that the majority of networks do not have RPKI configured at all.

Johannes Ullrich

As ATHENE points out, currently only 40% of address blocks have RPKI certificates and only 27% of networks are verifying RPKI certs. This attack takes advantage of the way connectivity is allowed when RPKI certs can’t be found or validated and is not effective with full participation. Google and other BGP network providers have put mitigation measures in place to deal with the issue, but faster adoption of RPKI and other MANRS (Mutually Agreed Norms for Routing Security) that The Internet Society has been recommending will be the best solution for upgrading BGP security.

John Pescatore

The exploit takes advantage of RPKI allowing traffic to flow when the identifying certificate for that block cannot be found. About 40% of networks have an identifying certificate, while 27% of networks verify them. As this is a design flaw, don’t expect a rapid change to be issued to fix this issue.

Lee Neely

Key takeaways here are actionable defense and detection strategies for these technologies. As a penetration tester, I know that no control is a silver bullet, but we attackers have a harder time when PowerShell is disabled, Credential Guard is enabled, and defenders are watching for beacon-like and odd DNS traffic egressing their networks.

Christopher Elgee

In the 2020 SANS Emerging Threats keynote at the RSA Conference, Ed Skoudis pointed out “Living off the Land” attacks that used these and other tools to essentially use the target’s resident apps against itself. Two of his key recommendations: (1) More use of application whitelisting to limit access to the needed tools; and (2) Purple Teaming, where the Red Team launches LotL attacks and the defenders improve ability to detect and rapidly mitigate.

John Pescatore

Many tools like these can be used for both legitimate and nefarious purposes. The trick is understanding what is normal in your environment and making sure you can detect anomalous behavior. Use application allow/deny lists, particularly on critical servers, to block the installation of anything beyond what they need to meet mission objectives.

Lee Neely

A tool can be used for legitimate or nefarious means. A screwdriver can be used to fix things or it can be used to attack people or break into premises. It is the intent of the person using the tool that matters. That being said, I like this presentation as it gives a good insight into how these tools can be abused and in most cases outlines steps you can take to protect against the abuse/misuse of these tools.

Brian Honan

More details and a likely PoC exploit are expected later this week. This is not just a “must patch now” issue, but yet another reason to verify that your admin interfaces are not exposed. Starting yesterday, we saw an increase in scans for an older Fortinet vulnerability. This may either be due to the publicity around the flaw, or someone using an older attack tool to fingerprint devices in order to build target lists.

Johannes Ullrich

Until you've applied the update, you can disable access to the web administration interface, or limit which hosts are allowed to connect to it. Even after you've applied the update, keep access to the web interface limited to only the devices which _MUST_ use it.

Lee Neely

This is a good example of that tough business risk decision to proactively disconnect and impact business to minimize potential impact of a suspected breach. This a good scenario for a proactive tabletop exercise with management/board members, both to educate them and to make sure the security team has an effective approach for communicating near term risk in a way that management can make an informed decision.

John Pescatore

Lloyd’s engaged Mandiant and NTT to help with the investigation which found there was no evidence of compromise and advised Lloyd’s to start bringing systems online whenever they wish. Services are expecting to be restored by October 12.

Lee Neely

Let’s hope we will get a patch for this vulnerability today. Filtering malicious requests will always be a whack the mole game between defenders coming up with better rules and attackers finding bypasses as long as the actual vulnerability isn’t fixed.

Johannes Ullrich

The update to the instructions changes the blocking rule in IIS Manager from .*autodiscover\.json *Powershell.* to (?=.*autodiscover\.json)(?=.*powershell). It's likely going to be easier to use the updated EOMTv2 PowerShell script and avoid transcription errors. There are still no patches; you will need to continue active monitoring for attempted exploits.

Lee Neely

For those that are concerned if there servers have been compromised the Microsoft Safety Scanner is a tool that can quickly scan for any malicious software and is available to download for free from https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide

Brian Honan

Note that this isn't so much a Zimbra vulnerability but a vulnerability in the cpio utility included in some Linux distributions. Using the alternative (and preferred) "pax" utility will prevent exposing cpio via Zimbra.

Johannes Ullrich

The exploit requires two conditions to be met. First, a vulnerable version of cpio must be present/pre-installed, second, the pax utility must not be installed. The flaw leverages behavior in the Zimbra AV engine which uses cpio to extract the files it's scanning. Zimbra is moving to pax from cpio and will use pax if installed. Note the easiest fix it is to add pax to your Linux distribution and restart the Zimbra services.

Lee Neely

The new session is October 19th in Washington, DC. The proposed regulation requires reporting of “covered cyber incidents” to CISA within 72 hours, and report “ransom payments” within 24 hours. Input is needed to make sure that “covered entities,” “covered cyber incidents,” and “ransom payments” are properly defined.

Lee Neely

A side effect of improving your cyber hygiene is that you may find you’re discovering incidents which would previously have gone unnoticed, which is a huge step in the right direction. Even so, make sure that you’re looking for gaps in your armor and filling them, not only to prevent recurrence, but also to thwart other types of attack. Consider that once breached, it’s kind of like blood in the water, and you’re going to be targeted by others looking to take advantage of your shortcomings.

Lee Neely

The repository with the source code has been taken down. Alder Lake CPUs, first released in late 2021, are in Laptop/desktop systems not servers. While researcher claims to have discovered undocumented registers, aka MSRs, used in the Alder Lake CPU for debugging or enabling/disabling specific chip features, as Intel claims they are not obscuring security information; that information should be available through other legitimate channels if you really need it.

Lee Neely

The flaw was fixed in macOS 12.5, released July 2022. Essentially, you leverage a flaw in the Safari browser to get it to unload a crafted archive file causing the quarantine bit to _NOT_ be set, which then bypasses the gatekeeper functions which prompt for permission prior to allowing execution of such a file. The fix is simple – apply the latest updates from Apple.

Lee Neely