Check Enrollment Status on Your Managed Chromebooks; Another Ransomware Incidents Points Out Costs of Manual Workarounds; Vulnerabilities Found in Electric Vehicle Charger Protocols

If you're reliant on your managed mode for your Chromebook fleet, you're going to need to monitor to make sure they remain enrolled until Google's patch can be deployed. Effectively, you boot from external media, run the code which both unenrolls the device and puts it in developer mode. If you're researching this behavior, make sure that you're using a valid shim, as some will brick the Chromebook. If you're creating a device that supports developer and managed modes, create two accounts before enrolling: first in developer mode, the second enrolled.

Lee Neely

This exploit requires direct access to the ChromeBook. While that may be appealing for users of enrolled and managed ChromeBooks, it is likely a violation of enterprise IT security policies and violators would be held accountable. Physical access to devices (laptops, desktops, etc.) open up a number of potential new attack vectors that can be used by an adversary.

Curtis Dukes

Not a lot of information out on this one – the important part is always *why* and *how* the attack succeeded. In the financial world, being forced to use slower manual trading/reconciliation processes can carry huge costs to customers and the financial organization hit swamps recovery costs.

John Pescatore

The LockBit ransomware group is taking credit for this attack, threatening to leak data on Feb 4 unless the ransom demand is paid. Financial institutions using their services currently have to process trading and clearing of exchange-traded derivatives manually. The question is how long manual processing will be viable. When reviewing DR plans, this is something to contemplate and at least plan for a point where you need to move to a new automated system before the business impact is unacceptable.

Lee Neely

This ransomware attack, while specific to financial trading systems, is a good reminder for every enterprise to revisit their SLA with third party software vendors. Reliance on third party vendors for products and services should be part of a company’s risk assessment; and mitigations such as switching to staff intensive processes regularly tested to counter impacts to business operations.

Curtis Dukes

Electric Vehicle chargers are more than high power electric outlets. The cable connecting the car to the charger includes data lines to regulate charging and provide metering as well as payment information. It is more like a "very large USB-C" charger in how it combines data and power delivery. This provides an avenue to either attack the charger or the car. In addition, wireless networking may be used as well to interface with mobile devices for payment.

Johannes Ullrich

In 2021 USD 7.5B was allocated over five years to build out EV charging stations and last September the Biden administration launched a grant program to build charging networks along 75,000 miles of interstate highways. That means the focus is going to be on deployment before the money runs out rather than cyber security. While many states are working to require cyber security components as part of approving grants for EV charging stations, this still leaves existing or legacy installations possibly exempted. If providers don't resolve issues, expect a regulatory body, like NERC, to step in and require it. Regardless, if you're in the EV charging business, you want to make sure that you've got cyber security covered, before your hand is forced.

Lee Neely

This announcement isn’t unexpected as the EV infrastructure continues to build out. Researchers in academia, private sector, and hacking circles will start fully testing the underlying protocols and vulnerabilities will be found. Unfortunately, speed to market often trumps adequate security testing of new technology. We’ve witnessed a similar parallel with vehicle automation. What’s important is that the industry move quickly to close this and other vulnerabilities, as they will be targeted by cybercriminals.

Curtis Dukes

Oracle released the update in their October 2022 CPU; SugarCRM released their patch Jan 11, 2023. SugarCRM cloud services are already updated. Three weeks is not a lot of time for regression testing of ERP and CRM systems: you're going to need to not only build an aggressive schedule, but also management support for the resource hit. Even though the Oracle release was in October, be sure it wasn't postponed due to the fiscal year open/close. (Sept 30/Oct 1 for Federal Agencies.)

Lee Neely

It is clear that the FBI Cyber Crimes Unit has adapted its tactics, techniques, and procedures to better support victims of cybercrime. In this instance, while successful, other cybercriminal gangs will learn from this change in tactics to increase their vetting procedures. As always, more work needs to be done to make enterprises more resilient against ransomware attacks.

Curtis Dukes

The FBI is facing a balancing act. While their work gets them access to tools, like decryptors, that victims desperately need, releasing those tools can also compromise their investigation. The trend with the Hive takedown indicates they are actively working to release things sooner. My takeaway is to make sure that you've got a relationship with your local FBI office so you know who to call if you have an incident and need to leverage their resources.

Lee Neely

National Laboratories have been a target since their inception, meaning they also have a lot of experience with detection, defense, monitoring and response. If you're the subject of a data call, such as this, don't take it personally: work to gather the requested information, then review it carefully with management before turning it over so they understand any implications. Do not fail to respond.

Lee Neely

The Healthcare Sector was frequently targeted for ransomware attacks in 2022 and that trend is continuing into 2023. Organizations that make up this critical infrastructure sector can’t say they haven’t been warned that a ransomware attack is coming for you. I urge all organizations to use the recently published ‘Blueprint for Ransomware Defense’ as an action plan for ransomware mitigation, response, and recovery to protect against future attacks.

Curtis Dukes

As the event is still under active investigation, Atlantic General is holding their cards close until they have definitive answers. In the meantime, they are operating under a combination of manual procedures and reduced capacity to minimize the overall impact on patients. While working to increase security, which the medical profession is doing, it's important to look beyond your top identified mitigations to make sure that you've not left unaddressed attack paths, e.g, MFA on the workstations, but leave accessible (unprotected) network jacks in the conference rooms.

Lee Neely

Hospitals really need to isolate patient-facing applications from those, like e-mail and browsing, that are connected to the public networks.

William Hugh Murray

If only new org charts and strategic plans could solve supply chain security issues. More info to buyer organizations is pretty low on the need list to improve supply chain security – more pressure on the suppliers is needed. In 2018 the Federal Acquisition Security Council (FASC) was created by the 2018 Federal Acquisition Supply Chain Security Act. In 2021, FASC issued rulemaking establishing authority to issue removal and exclusion orders if suppliers were found to be negligent. US procurement policy moved pretty quickly to remove/exclude Chinese suppliers of technology, but I can’t find any case of any actual action taken against the numerous suppliers that have had cybersecurity incidents. The US government needs to use its buying power to drive progress.

John Pescatore

Beyond training for a consistent approach, having resources to share existing research would be helpful. Those databases would need to include context, and the hardest part, remain unclassified.

Lee Neely

One might hope that holding suppliers accountable for shipping malicious code would be an obvious place to start. At some point we must address the software quality problem. We may be spending as much or more trying to eliminate vulnerabilities in software which the suppliers wrote themselves as we are eliminating malicious code that they shipped but did not write.

William Hugh Murray

The flaw only applies to the product with the native docker status; if your device has Dockerd running, it's not vulnerable. There really isn't a viable workaround other than disabling the IOx application hosting service entirely, unlikely a viable option. Cisco's updates are free, check their release notes for the versions relating to your affected products.

Lee Neely

F5 has released an engineering hotfix, available from their downloads site. Before deploying the hotfix, read and understand the caveats relating to how to return to a mainstream of F5 BIG-IP (See their KB55025573: Engineering hotfix installation overview) Alternately there is a workaround which limits the iControl SOAP message traffic, but this will prevent adding new devices to a device trust.

Lee Neely