Biden Administration Moves Forward on IoT Device Security Labeling; October Patch Needed to Keep Azure Service Fabric Explorer Secure; Modern Detection Techniques Needed for Windows PowerShell Backdoor

Since the direction so far is in line with my comments in Newsbites 81, I have to say this is good to see. Similar past efforts (like in fire retardant materials) succeeded where the government worked with private industry standards efforts and then used its buying power to make those standards meaningful to producers.

John Pescatore

Work is progressing to ensure the consumer product labelling is both current and relevant. For example, the label will include having a barcode which allows the user to see the vendors security practices, current state so you can ensure the label is current. The label also includes a rating or score. The rating is derived from components such as how easily the device is to patch, encryption, and interoperability. Initially, complying with the standards will be voluntary. Note that even with a rating, sufficient information has to be provided to ensure products are deployed securely.

Lee Neely

You applied the October 2022 security update already, right? Service Fabric, a platform for delivering applications, both yours and some familiar Microsoft products such as Intune, Dynamics 365, Skype for Business, Cortana, MS Power BI, etc. Service Fabric Explorer is used by Azure admins to manage and inspect nodes and cloud applications in Service Fabric. Verify you’re running the latest version of the Service Fabric Explorer (SFXv2) - the Microsoft update-guide link below has instructions. Next, review your permissions, make sure that you know who has the rights to do things such as create new applications and reset cluster nodes. Note that future updates to the Service Fabric will remove the v1 SFX as well as the ability to revert to it.

Lee Neely

An interesting find and certainly new and different which makes it difficult to detect using legacy approaches. More modern approaches looking for unusual behaviors like connections to IPs without prior DNS activity (and connections to port 80 sending more data than they receive) should be able to spot this type of backdoor.

Johannes Ullrich

Beware of Word documents bearing gifts. In this case a Word document (Apply Form<dot>docm) with a macro which launches a PowerShell script. The document properties include information intended to make users believe it’s from a legitimate LinkedIn job application. Make sure that macros are enabled from trusted sources if they are enabled at all. The SafeBreach report includes not only IOCs but also the content of the PowerShell scripts. Take note when reading the SafeBreach report the acronym FUD means fully undetectable which is why you want the IOCs added to your defenses.

Lee Neely

Good to see this position but a two-pronged caution: “Forceful nudging” should only occur after internal testing to make sure both that the authentication approach and apps/devices are all configurated to work together successfully and that backup processes are made resistant to MFA bypass attacks that we’ve seen. These two things are achievable but non-trivial – we will see many early MFA failure stories from deployments that don’t address them up front.

John Pescatore

While we’ve been talking about MFA for a bit, the push to FIDO, an enabling component of password less authentication, represents raising the bar to MFA components which are not so easily spoofed or phished. Don’t try to eat the whole elephant at once; start with your externally exposed applications and entry points and leverage your IDPs capability to conditionally raise the bar on authentication based on risk. Remember to consider collaborators and business partners when rolling out these solutions.

Lee Neely

When the US government states it is pushing for Phishing Resistant MFA, FIDO is an example of that. The problem is many websites do not yet support it, and FIDO often requires a dedicated software or hardware token. Apple, Microsoft, Google, and others’ push to Passkeys greatly simplifies the FIDO implementation for end users, but it’s not yet fully baked and deployed. So while this all sounds great, we are several years out from when FIDO is both simple and widely adopted. More on FIDO / Phishing Resistant MFA at https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner

Most of the public applications seem to offer at least an option. The problem continues to be within the enterprise, where fraudulently reusable credentials are implicated in breaches.

William Hugh Murray

This continues the movement to raise the bar across critical sector areas. This guideline extends the earlier 1580-21-01 security directive which went into effect December 31, 2021. Requirements include not only implementing enhanced security measures but also establishes an annual assessment plan as well as regular and proactive assessment activities. Rail System operators are expected to share data with TSA who will likely share it with DHS/CISA to identify vulnerabilities, track trends and cyber security incidents.

Lee Neely

As we know from nutritional labels and UL labels on electrical cords, such labels don’t by themselves make things safer but more information to consumers backed by government buying power requiring compliance in government procurements does work to raise the bar.

John Pescatore

As more countries implement rating/labelling requirements for consumer devices, the question of competing requirements and repeated testing for each market entered arises. Agreements such as these hold the promise of reducing duplicative testing. Over time, expect more categories of devices to be added to the agreement. Note that Singapore has a four-tier rating system and is only recognizing Germany’s labels as meeting the first two tiers.

Lee Neely

Medibank is being very transparent here. Take note of some of the recovery actions which include creating and redirecting staff to answer their cyber response hotline, halting trading of Medibank shares, as well as publishing what data elements they have verified versus which elements the attackers claim to have. Consider adding similar actions to your incident response plan.

Lee Neely

Both advisories contain the phrase “Low attack complexity.” Additionally, the R-SeeNet vulnerability is remotely exploitable. In both cases, not only should you apply the update, but also make sure that you’re only allowing access from authorized devices and users, not directly exposing these devices to the Internet or Intranet, scanning media prior to introduction and monitoring for unexpected activity.

Lee Neely

Breaches in the medical vertical are starting to result in multiple fines and settlements – it isn’t just CMS and the US federal government anymore. One thing to note in the wording: “EyeMed had violated its Cybersecurity Regulation by failing to implement multifactor authentication (MFA) throughout its email environment, which was required by the regulation.”

John Pescatore

In addition to failing to implement MFA, they also failed to limit sharing of credentials, data retention and disposal policies, and to conduct adequate risk assessments which would have identified shortfalls in meeting regulatory requirements. The takeaway is make sure that you are not only meeting requirements in your adopted security framework, to include regulatory requirements, but also looking for risks beyond those requirements specific to your environment. Remember to look for updates in both those frameworks. Additionally, monitor for unexpected user behavior. For example, shared credentials could indicate a need for a more appropriate data sharing/collaboration platform.

Lee Neely

While 5G traffic has been known to impact GPS signaling due to interference with older, legacy devices, typically that cause can be pinpointed fairly quickly. In this case no such link can be established. While GPS interference isn’t life-threatening, and planes can revert to older navigation options, it still causes delays, cancellations, etc.

Lee Neely