If Execs Are Traveling to Qatar, Give Them a Temporary Phone; Patch Zimbra and Look for Indicators You Were Already Compromised

Burner phones are a good idea whenever you are traveling, in particular if you are traveling abroad and are required to install special tracking applications. Post Covid, these tracking applications have become quite common.

Johannes Ullrich

Many organizations had such policies for executive travel to China, Russia and other countries – add Qatar to the list. Maybe in the US we will soon require visitors to download apps featuring Beyonce or Taylor Swift…

John Pescatore

Over-permissioned apps are a threat. The Ehteraz app asks users to allow remote access to pictures and videos, make unprompted calls, and read or modify device data while the Hayya app asks for full network access and unrestricted access to personal data. It also prevents the device from going into sleep mode and views the phone’s network connections. Both need location data to operate, which is expected. This is an excellent time to take a loaner/burner device which has _MINIMAL_ data. Also at the event are 15,000 surveillance cameras with facial recognition capabilities, ostensibly to keep people safe. Given that Qatar has a lousy reputation when it comes to human rights, this may be a good time to pass on visiting.

Lee Neely

The apps make this problem obvious and burners an appropriate mitigation. However, the risk of international travel with information is not limited to a few countries or a particular technology. For government officials, journalists, activists, and even some business people, it is a more fundamental problem. In a world of fast and ubiquitous connectivity and efficient cryptography, consider leaving the data behind. consider disposable hardware in general, not just phones.

William Hugh Murray

The highlight to take away from this: If you are still running a vulnerable version of Zimbra, assume it to be compromised.

Johannes Ullrich

This is an update to the advisory from August 16th. Two things here. First, there are updated IOCs to consume and scan for, like now. Second, unpatched Zimbra installations are targeted, so patch your Zimbra installation. Leverage this information to get the downtime you need to properly analyze and remediate/patch. Don't let anyone talk you out of addressing this.

Lee Neely

NSA’s report points out “Even with a memory safe language, memory management is not entirely memory safe. Most memory safe languages recognize that software sometimes needs to perform an unsafe memory management function to accomplish certain tasks.” This highlights the importance of requiring static and dynamic testing of all procured or custom-built software. A historical note: in 1978 I graduated from college and went to work at NSA. The first edition I read of the internal NSA newsletter Cryptolog had an article on buffer overflow vulnerabilities – in mainframe operating systems. Software has a long history of being soft.

John Pescatore

Memory management is key on multiple levels. I remember writing code that consumed memory as well as other programs which neglected to fully release it when done. Irrespective of your development environment, make sure that you're running static and dynamic code analysis to make sure you didn't overlook it.

Lee Neely

Don't get me wrong; I am critical of our tools and believe that our choice of those tools contributes to the poor quality of our results. However, our choice of tools is rooted in our culture and that is where the real problem lies. The culture prefers cheap, early, general, flexible, and feature rich; it is tolerant of shoddy. Collectively and pervasively, we will not choose safer tools, much less produce quality results, until we change our culture to one that puts quality first. (Incidentally, if one controls for quality ahead of cost and schedule, cost and schedule will take care of themselves. The reason that we do not make cost and schedule is, not because we do not produce enough code per unit of cost and time but because when we finally get around to testing (for quality) the damn thing doesn't work. Test early, test often, test late, test.)

William Hugh Murray

CISA Publishes Stakeholder-Specific Vulnerability Categorization Guide

Lee Neely

Sobeys has more than 1500 locations across Canada with brand names such as Foodland, IGA, Lawtons, Needs, Safeway, etc. The attack appears to involve the Black Basta ransomware and was executed about the same time as the attack on Canadian meat supplier Maple Leaf foods. Fortunately, the contingency plans have most services operating at this time. With today's patterns, the trick is not only to restore operations and close the avenue of attack, but also make sure that you have checked for, and addressed other attack vectors, as attackers are quick to go after what is perceived as a weakened target. Make sure your recovery plan considers this behavior.

Lee Neely

So this isn't impacting home users and non-domain joined devices. Which reduces the problem set for the enterprise very little. This is an unintended consequence of domain hardening actions, which are desirable, taken as part of the update. The issue may raise a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller, and is most likely tied to where you have set the This account supports Kerberos AES 256 bit encryption' or 'This account supports Kerberos AES 128-bit encryption' Account Options for your AD users. Lots of variability here; keep an eye on MS for a revised patch.

Lee Neely

The report notes that K-12 schools are spending less than 1% of their IT budget on cyber security. Given the history of school budgets, those IT dollars are stretched pretty thin, leaving few dollars to implement needed improvements such as MFA or startup campus-wide strategic planning for overall cyber resiliency. Schools can join the MS-ISAC for no cost and have access to information and tools needed to help them raise the bar. This may be a good time for you to introduce yourself to your kids’ school as a cyber professional offering to help, rather than just a concerned parent.

Lee Neely

There are lots of target school systems and many lack the scale necessary to do security well. Consider application services in the cloud. Choose them for their ability to protect users and users from themselves and others.

William Hugh Murray

BatLoader appears to be drawing from the Conti malware playbook, leveraging some of the same resources and techniques. A common entry point is leveraging SEO to get users to download malicious .MSI installer/updater for products such as LogMeIn, Zoom, TeamViewer and AnyDesk. While detection is included in CarbonBlack MDR products, the VMware blog does include IOCs you can incorporate locally. When it hits a personal computer, it installs the Ursnif banking malware and Vidar information stealer, while on an enterprise system it also downloads Cobalt Strike and the Syncro remote management/monitoring tool.

Lee Neely

Supply chain security requires understanding not only the security of code used, but also its origins. Note that Pushwoosh represents itself as being a U.S. company in regulatory findings, claiming, at times, it is based in California, Maryland, and Washington D.C. When considering the risk, incorporate not only the origin but their TTPs to evaluate how they may impact you.

Lee Neely