Patch OpenSSL as Updated and Tested Packages Become Available; Establish and Test Backup Plans for Cloud-based Security Services; Patch ConnectWise Backup Software; Make Sure Domain Controllers Are NOT Exposed on the Internet

Looks "not bad." Exploitation seems to be unlikely given the requirement for a valid signature from a trusted certificate authority. The remote code execution is only likely for a malformed Punycode email address. Patch this one as updated packages become available, but you can stand down from "Heartbleed status."

Johannes Ullrich

OpenSSL released two patches that were originally deemed critical. It appears that during the internal disclosure process, many of the operating system vendors have responded with comments and potentially PoC code that identifies many of the memory protections and compiler protections that would make reaching this bug for true exploitability harder than thought (potentially impossible, although that’s an absolute that I would never claim). There is, however, a chance that OpenSSL 3.0 is in use in Network gear such as firewalls, VPNs, switches, and routers. Most of these devices do NOT offer memory protections as they can’t afford to spend the computational cost of doing so. The only saving grace(s) is that the vendor may not have moved to OpenSSL 3.0 yet, and the customers may not have upgraded to software with the vulnerability. The only true way to tell is to wait for vendor disclosures. On a lark, I went ahead and looked at the latest Cisco ASA 9.18 version’s disclosure documentation (https://www.cisco.com/c/dam/en_us/about/doing_business/open_source/docs/ASA-9181-1650467697.pdf), and it appears that they are still disclosing 0.9 train and 1.1.X trains in that document. Please do not take this as an assured fact. Every vendor will have to perform this library search. If you are looking at your own servers, there will be scanners for this it’s probably just too early to tell.

Moses Frost

For most organizations, I recommend taking a step back from the gritty details and ensure you have an inventory of where you leverage OpenSSL and what versions. For OpenSSL 3.x solutions, see where and how to apply the patch. Then you can focus on understanding the implementation of the solutions using OpenSSL 3.x that cannot be patched yet and see if there is a possibility of those implementations being exploitable. I posted the most useful resources I found thus far here: https://twitter.com/jorgeorchilles/status/1587482470131408898

Jorge Orchilles

All cloud services have Service Level Agreements that specify a percentage of downtime that if exceeded results in some reduction of your next month’s bill – SLAs don’t cover the cost of your business interruption. Those SLAs also have fairly complex terms and conditions that often exclude certain types of traffic (such as streaming) or unusually high volumes of business traffic. So, decisions on fail open (allow traffic to bypass outage) vs. fail closed, as well as backup plans, need to be in place and tested in advance for all cloud based security services and any business critical cloud services. SLAs should be reviewed by contracts, legal and security.

John Pescatore

Understand what the impact of outages are for outsourced services. When you purchased Zscaler or AWS, you definitely paid for a higher service level, but did you factor in the impact of outages, to include you not being able to affect the recovery with just-in-time resources or equipment? Make sure that you’ve considered contingencies, particularly for services which represent entry points to your business systems. Make, and document, decisions to allow interruptions, or work-arounds. Test those workarounds. Review regularly as more services get moved to external providers.

Lee Neely

Vulnerabilities in backup systems are one of the underappreciated risks. Backup systems essentially instrument your network for remote privileged file access, and if abused, you easily hand over control to an attacker.

Johannes Ullrich

ConnectWise enterprise applications are most often used by managed service providers (MSPs) that provide IT services to small businesses and local government. In the past 24 months, ransomware attacks have shown a bias towards small businesses and local government. With that in mind and given that a proof of concept exploit exists for this RCE vulnerability, MSPs should place a high priority on implementing the patch within their infrastructure.

Curtis Dukes

This weakness can be exploited for lateral movement, not just impacting the targeted node, so you really want to close this hole. ConnectWise Recover should have automatically updated to newest version. The R1Soft update supports many Linux package mangers (yum, apt-get, dpkg & rpm), making the update straight forward. There is no workaround here.

Lee Neely

You should be highly aware of what your domain controllers are talking to. At a minimum, don’t expose CLDAP (389/UDP) to the Internet. Limit access to LDAP services on your domain controllers to authorized systems, and implement measures to block spoofed IP traffic, such as RPF.

Lee Neely

And yet again: why is this even exposed to the internet? I hope with “managing your attack surface” becoming more of a vendor buzz word, organizations may finally figure out how to configure a basic firewall.

Johannes Ullrich

Keeping Chrome up to date is usually quite easy. But don’t forget that to apply any updates, you need to restart Chrome. I suggest restarting as you start the day in the morning to not delay any updates.

Johannes Ullrich

When you're popular, you get attacked - just ask the Windows security team. I applaud those who make patching fast and transparent, like the Chrome team. The same cannot be said for tablets, networking gear, IOT devices, software libraries...

Christopher Elgee

This isn’t what we mean when we say Halloween can be a scary time of year. By now you should be leveraging every trick in the book to keep your Chrome/Chromium browsers updated - including enforced limits on browser refresh after an update, so you should be able to scan and remediate stragglers fairly easily. If you're in the federal sector, make sure that you’re tracking updates for those data calls on pushing out these as well as Apple, Chrome, VMware, Cisco, etc. updates.

Lee Neely

Browsers are general, flexible, feature rich, and complex; they leak. Prefer purpose built applications.

William Hugh Murray

The latest guide starts off with the first sentence emphasizing essential security hygiene (“Unmitigated vulnerabilities in the software supply chain pose a significant risk to organizations.”) and throughout makes the point that in order to implement higher levels of supply chain security, you need that foundation of vulnerability management, configuration control and privilege management (such as at least Tier 2 of the NIST Cybersecurity Framework or Implementation Group 1 of the CIS Critical Security Controls) in order to be able to perform due diligence on what your software supply chain is supplying you with.

John Pescatore

While this is a non-trivial problem to get your arms around, the ESF is working to simplify it by focusing on three areas: Software Developers, Software Suppliers (vendors) and Software Consumers (acquiring organizations), and is releasing guidance documents specific to each. The intent is to assist customers in describing, assessing and measuring security practices relevant to software lifecycle. Software security via contractual agreements (which includes updates, addressing vulnerabilities and mitigations) is intended to be a vendor responsibility. Developer guidance includes the dreaded security requirements planning, adding security features and maintaining the integrity of the underlying infrastructure, which includes source code review and testing. This division should help you focus on the areas you can affect as well as know what to look for overall.

Lee Neely

It’s hard to imagine initiatives like this trimming the number of supply chain security incidents, but this could definitely help organizations triage and react when there's an issue with an upstream software package. You can’t fix it if you don't know you have it.

Christopher Elgee

This guidance is aimed at suppliers rather than purchasers. It is essential that suppliers be responsible for excluding malicious code from their deliveries.

William Hugh Murray

These publications are both good high-level guides, but it is pretty rare to see a DDoS attack impact an organization that says, “I had no idea that could happen.” More common is “They wouldn’t believe that *would happen to us.*” The main guide has a good suggestion about using tabletop exercises to gain support for spending on needed mitigation measures.

John Pescatore

The guidance starts with the basics: Know what you have, verify protections are in place (e.g., WAF in blocking mode), understand what protections your ISP and other service providers have today, then work to close the gap. Don’t overlook any CDN services. Yes, we’re back to defense in depth, albeit CISA recommends enrolling in a single source for DDoS protections, versus multiple, which makes management and issue resolution simpler.

Lee Neely

Not a lot of details out on this one yet, but the Colonial Gas Pipeline incident pointed out that not only do OT systems need to be protected and segmented from IT systems, key applications on the IT side that if shut down would impact billing, tracking, sales etc. can also bring production to a halt.

John Pescatore

As with Colonial Pipeline, both OT and IT systems have to be operational to deliver services. Which means that you’ve not only got to properly isolate those OT systems but also make sure that IT core systems which drive the business as well as talk to those OT systems are adequately protected. One other aspect to contemplate, workers sent home during the outage, as they couldn’t do their jobs was reported as a layoff, which could damage your reputation during an already challenging event.

Lee Neely

Since late 2021, the FTC has expanded its role in both setting and enforcing cybersecurity standards. The issues cited in the complaint can be mitigated by simply following well established cybersecurity best practices in the form of CIS critical security controls and CIS cloud foundation benchmarks. This order and the recent action against online alcohol marketplace Drizly and its CEO, sends a clear signal that the FTC has rightfully placed a focus on enforcing cybersecurity standards. Commercial businesses should redouble efforts in implementing a cybersecurity program that is both measurable and defensible

Curtis Dukes

This comes after multiple breaches from Chegg, (2018, 2019, 2020), and reinforces the FTC’s new mantra of information protection being non-discretionary. Before you shrug off the behaviors above, make sure that you don’t have similar practices within your organization. If you do, take steps to remedy them. When was the last time you checked that you had adequate ACLs on your S3 buckets? How about other cloud storage? What about that temporary access for Jane from that company you were doing business with - did that get closed down after the contract concluded?

Lee Neely

Very few enterprises are employing least privilege access control or even have plans to get there.

William Hugh Murray

Cyber as a weapon is now part of the military doctrine for a large majority of nations. While this attack could be viewed as more of a nuisance, it should serve as a reminder for organizations to revisit their recovery plans for service disruptions that impact business operations.

Curtis Dukes

The attack even took systems in the cafeteria offline. Whether or not you feel you’re a targeted organization, make sure that you have DDoS protections in place, even more so if you’re in any way affiliated with supporting government. Review the guidance on DDoS provided by CISA above.

Lee Neely

Centralized reporting of incidents and misuse of government systems is expected these days. The risk management plans are alluding to making sure that appropriate security is in place, and it is reviewed at least annually. Automation is your friend here: this bar is not going to get lowered, and with efforts like CDM, expect it to continue to rise.

Lee Neely