Great move by CISA to provide the recovery script. The sad part is that this doesn't come from VMware. It also appears to be easier to create a script to recover from ransomware vs. a script to patch systems.
First off, make sure that your ESXi management interface is not exposed to the Internet. Second, make sure that you're on the latest version of ESXi and third make sure that you've disabled the Service Location Protocol (SLP) which is a target for this attack. If you've been attacked, work on the recovery before upgrading. Some organizations have been able to recover their VMs with the recovery script and not pay the ransom. It's worth a shot, particularly if you image the datastore first. CISA and the FBI would like you to report any discovered attacks to help their response efforts. Read the guidance for artifacts you should preserve.
As CISA and the FBI point out: make sure you have skilled staff that can use this tool safely. If you do, once they are done put them to work making sure you don’t have other 2-year-old missing patches or obsolete versions of software running exposed on critical business networks.
CISA
GitHub
The Register
SC Magazine
Dark Reading
Of course they improve. On the other hand, all exposed vulnerable systems have been hit. If you still haven't noticed and taken basic countermeasures: Do you really need that VMware server?
This is a cat and mouse game. This new attack seems to both encrypt 50% of the data (of files over 128 MB) and leverage a new attack vector. The new ransom note no longer has the bitcoin address, but instead asks victims to contact them via Tox (a peer-to-peer instant message protocol) for the crypto wallet to send payment. This is likely due to investigators collecting the prior wallet addresses and tracking activity. The target is still your ESXi hypervisor, so having it updated and not exposed to the Internet still matters. And while this attack appears to bypass SLP, you still want that service disabled, as well as the SSH daemon (except when you're actively using it, then turn it back off.) Existing decryptors will have to be updated to handle the increase in encrypted data.
The old adage “prevention is better than the cure” really applies when it comes to ransomware. So while scripts like this one produced by CISA are very welcome to help those who become victims of a ransomware attack, I urge everyone to ensure they read the CISA guidance on preventing ransomware (https://www.cisa.gov/stopransomware/ransomware-guide) or that provided by the Europol NoMoreRansom project (https://www.nomoreransom.org/en/prevention-advice.html).
The good news is that both security researchers and the Government have created automated scripts to recover the encrypted files. The bad but not unexpected news is that the adversary, or adversaries, have changed their techniques, tactics, and procedures in malware execution. Costs to recover, if possible, will certainly rise. Company leadership and Boards should refer to this event as they balance the economics of updating vs. cost in recovery and clean-up.
Bleeping Computer
Gov Infosecurity
Since Google built a $238B business around free search, the commercial battlefield for the current wave of AI hype is around making search return answers to questions rather than just lists of places to look. So, think of the Shodan IoT discovery search engine being able to answer questions like “How can I break into the Acme Healthcare/Smart Parking Meter/Burglar Alarm/etc. monitoring network of devices?”
This "rise of the machines" is going to affect the workforce far beyond "cyber." As a college, SANS.edu has just drafted a first policy to allow students to integrate machine learning and artificial intelligence tools into their research papers. These technologies are already affecting us more than we realize.
Microsoft is leveraging the partnership with OpenAI to tell Google users, in effect, hold my beer. Google is poised to strike back with Bard, their AI-powered conversational bot. Heck, even Chinese search engine Baidu is getting into the act with their upcoming "Ernie Bot" (文心一言) in March. While this is a far cry from the age-old office-assistant "Clippy," the question remains whether these AI bots will be useful, or whether they will retain ChatGPT's propensity to be chatty and sometimes seemingly make up answers.
Microsoft
Ars Technica
NY Times
Wired
SANS
It is a very important move by NIST to recognize that IoT devices with limited hardware capabilities need different encryption standards. Ascon appears to be a solid choice. But also remember that weak or missing encryption is just one of many security issues hurting IoT users. Encryption issues rank far below vulnerabilities like default passwords, outdated software components and the inability to efficiently upgrade IoT devices.
There is a definite need for data encryption on a wide range of devices. While the phrase “lightweight cryptography” gives me pause, much the way “healthy fried food” does, the public process NIST uses for this has a good track record. Start by informing all device suppliers that security and privacy are important criteria for all future procurements.
Get ready to add Ascon to your cryptographic lexicon. While some encryption is available in hardware, such as AES, having a lightweight option that can fit within the resources of IoT devices makes it all the easier to incorporate without impact to performance or price point. There are seven members of the Ascon family. Keep an eye on solutions in the authenticated encryption with associated data (AEAD) category, which will help better secure vehicle and RFID communications. While these show promise of raising the bar for IoT security, consumer education will be needed to drive demand for adoption and selection of products with increased security.
Defining the US national standard for lightweight cryptography has been many years in the making. Unfortunately, it will be of little use for the billions of IoT devices in use today.
In order to be useful and efficient, cryptographic algorithms need only raise the cost of attack to a point greater than the value of success. One must be sure to use them only for the intended application and environment.
NIST
NIST
Bleeping Computer
The Register
ZDNet
The Hacker News
Dark Reading
Another example that supply chain security isn’t just about suppliers, it is also about the security of portals that the big guys require their suppliers to use. Since in most cases suppliers have no choice, use this one as an example to your Chief Legal Counsel to make sure you have some form of liability coverage or limitation.
A good use case for enterprises to review the network security architecture that supports their supply chain. APIs are prevalent in most web applications and consequently are often an attack vector used for initial access. The Open Web Application Security Project (OWASP) regularly publishes mitigation guidance against the top security concerns. Implement OWASP's recommendations as part of your software development process.
Recall the flaw was that Toyota's GSPIMS system was generating JWTs based solely on email, not on a validation process. While Toyota has addressed the shortfall, the question is: are you properly generating tokens used for trust relationships, or are you assuming that the generation and use points of the tokens are secure enough to not warrant verification? Yeah, it's a hard question to ask, and the developers are going to hurt your head explaining (don't hate on them, we still love them), so use the Toyota example to make your case and have them step back and consider if their assumptions are still correct. Don't forget to ask them to consider the impact of distributed/cloud or ZTA changes in the environment.
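The token-issuance pattern described in the comment above, sketched as an added example (not Toyota's code and not part of the original newsletter): a token minted from an email alone passes signature verification exactly like one minted after a credential check, so the check has to happen at issuance. All names, the user store and the signing key are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-signing-key"  # constructed; use a managed key in practice

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: email -> (salt, password hash)
USERS = {"supplier@example.com": (b"demo-salt", _pw_hash("correct horse", b"demo-salt"))}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(claims):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, header + b"." + body, hashlib.sha256).digest())
    return b".".join([header, body, sig]).decode()

def issue_token_weak(email):
    """Flawed pattern: knowing an email is enough to obtain a signed token."""
    if email in USERS:
        return _sign({"sub": email, "exp": int(time.time()) + 900})
    return None

def issue_token_checked(email, password):
    """Hardened pattern: sign only after the caller proves control of the account."""
    salt, stored = USERS.get(email, (b"dummy-salt", b"\x00" * 32))
    ok = hmac.compare_digest(_pw_hash(password, salt), stored)
    if not (ok and email in USERS):
        return None
    return _sign({"sub": email, "exp": int(time.time()) + 900})

def verify(token):
    """Downstream check: valid signature and unexpired. It cannot see how the token was issued."""
    try:
        header, body, sig = token.encode().split(b".")
        expected = _b64(hmac.new(SECRET, header + b"." + body, hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    except (ValueError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > time.time() else None
```
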
Eaton Works
Dark Reading
Portswigger
Bleeping Computer
One of the challenges with endpoint protection products is tight integration with OS features. In this case, Microsoft's changes to the CryptoAPI, released in Windows 11 22H2, break the SonicWall Content Capture product. SonicWall is releasing an update February 17th, and Patch Tuesday is the 14th, so you may want to pause on pushing the 22H2 update until after you've deployed the 3.7.7 client, or accept the risk for your Windows 11 user base with this product not doing content filtering until after the Capture Client update is deployed, which may be a better plan.
The problem is consistency. The Critical Infrastructure Act of 2022 set the reporting interval at 72 hours, which may be a bit long for critical infrastructure, and having new legislation now saying 24 hours is likely to confuse operators without clear definitions about which timeline applies. Even then, you may not be prepared to report that quickly. Now is the time to make sure you are aware of the criteria applied to your organization and what you need to do to meet existing reporting requirements, then look at how you would implement a shortened window. It's better to have that worked out before regulators come knocking.
On the face of it 24 hours seems like a relatively short time for critical infrastructure operators to provide specifics on cyber breaches. The reality is that national news reporting will have already picked up on the power grid outage. It doesn’t matter whether the outage is the result of equipment failure, physical attack [most recent outages in both North Carolina and Washington] or cyberattack—it will make the 24-hour news cycle. The draft bill does provide flexibility in allowing the Department of Energy to define specifics on what incidents require reporting to the federal government. That said, at a minimum we should at least be consistent in both cyber breach reporting requirements (24 – 72 hours) and responsibility for establishing reporting guidelines (DoE – DHS).
Many attacks against the grid, e.g., ransomware, will announce themselves. The interesting breaches are those that are quiet, undetected, that are intended for exploitation in the future, during times of conflict.
If you're using one of these document management systems, there is not a fix yet, so you need to exercise caution with actions that allow for exploitation, such as importing documents from untrusted sources, as well as creation of anonymous/untrusted users. Lastly, limit features such as user tagging and chats. There is no indication as to when a patch will be developed at this time. I heard that eyeroll from some of you; look at this as another chance to make sure that your developers are properly sanitizing inputs (all of them) and you're not vulnerable to XSS attacks.
Not only does this allow for their assets to be frozen and prohibit transactions by the rest of us with them, but it also means they can't obtain new accounts or services. A number of financial institution transaction and account services are tied to cross checking for these sanctions, which are, in effect, an outgrowth of prior terrorist activities. These sanctions apply equally to virtual and fiat currencies, and members of the virtual currency industry are responsible for following the sanctions. Read more in the OFAC virtual currency guidance brochure (https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf). If you have friends in the banking industry, ask them about the Bank Security Act (BSA) and OFAC and how this impacts them. They have to train on this annually.
Global law enforcement and treasury departments have had a good couple of months. We’ve seen takedowns of cybercriminals, removal of ransomware infrastructure, and a focus on currency exchanges. Now they are sanctioning individuals associated with criminal ransomware gangs. Well done and keep going after those benjamins!
Treasury
Wired
Security Week
SC Magazine
Bleeping Computer
BBC
A Backdoor with Smart Screenshot Capability
https://isc.sans.edu/diary/A+Backdoor+with+Smart+Screenshot+Capability/29534
Simple HTML Phishing via Telegram Bot
https://isc.sans.edu/diary/Simple+HTML+Phishing+via+Telegram+Bot/29528
A Survey of Bluetooth Vulnerabilities Trends
https://isc.sans.edu/diary/A+Survey+of+Bluetooth+Vulnerabilities+Trends+2023+Edition/29522
Packet Tuesday: Most Frequent DNS Query ID / DNS Notify
https://www.youtube.com/watch?v=QgCuE_zKyMY
KeePass Patches Issue Allowing Password Export
https://keepass.info/news/n230109_2.53.html
AWS Phishing via Google Ads
https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/
SonicWall Web Content Filtering on Windows 11 22H2
Recovering from ESXiArgs Ransomware
https://www.cisa.gov/uscert/ncas/alerts/aa23-039a
NIST Standardizes Lightweight Cryptography
https://csrc.nist.gov/Projects/lightweight-cryptography
Apache Kafka Vulnerability
https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz
Google Chrome Release Changes
https://developer.chrome.com/blog/early-stable/
OpenSSL Vulnerabilities / Patches
https://www.openssl.org/news/secadv/20230207.txt
GoAnywhere MFT Patch Available (and PoC)
https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
Qakbot Mechanizes Distribution of Malicious OneNote Notebooks
https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/