The 0-day vulnerability is part of "WebKit". WebKit is Apple's open source browser engine that is included in other browsers as well. In addition to the WebKit problem, Apple fixed a privilege escalation issue. This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability.
Apple reports this is being actively exploited. Given that Apple just released 16.3 (and we’re all still getting that rolled out), I’d treat this as a zero-day fix and pause 16.3 to push this instead.
The Apple security notice is vague; however, it mentions remote code execution at the kernel level and being actively exploited in the wild. It’s not very easily understood yet how reliable or complex the exploit is to re-create, but you should patch it now as it’s actively exploited. There were a couple of reports that Google Photos was not working when the iPhones were patched, but with my own devices, that has not manifested itself. It also takes a long time for this update to go through on both macOS and certain phones, so expect a good amount of downtime. On macOS, something like 20-25 minutes on the most recent Intel MacBook Pro seems to be the case.
A lot of questions will surround this one as the number of requests per second (RPS) is 70 million, which is very large for TCP-based attacks. In the past, the largest DDoS attacks were made possible via amplification over UDP. We are not at the moment where this is possible with HTTP, as HTTP/2 is still a TCP-based session. It’s fairly difficult in the blog post from Cloudflare to understand the implications here, but it would stand to reason these are compromised hosts in cloud providers that are causing the attack. Cloudflare is offering ISPs (or maybe cloud providers themselves) a threat list to use. It’s smart to give it away for free as mitigating these large-scale attacks is probably costly on their infrastructure.
DDoS attacks are hitting everyone. Check your logs to see if you’ve been affected. Then go back to service providers to make sure they are stopping them as agreed, or if they are slipping through. If you have staff or friends with advertised services on their home networks, they should also double check. Then talk to their ISP about prevention. Hopefully the only impact seen is interrupting streaming services.
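A concrete way to do the "check your logs" step above, as an added example that is not part of the newsletter: bucket web-server access-log lines by second, flag seconds whose request count exceeds a threshold, and report the dominant source for each. The log lines and the threshold of 3 requests per second are constructed for illustration; in practice the threshold comes from your own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log sample in Common Log Format (not a real capture):
# a quiet second, then a burst from one source mixed with a normal client.
SAMPLE_LOG = """\
198.51.100.9 - - [13/Feb/2023:10:00:00 +0000] "GET / HTTP/2.0" 200 512
203.0.113.7 - - [13/Feb/2023:10:00:01 +0000] "GET / HTTP/2.0" 200 512
203.0.113.7 - - [13/Feb/2023:10:00:01 +0000] "GET / HTTP/2.0" 200 512
203.0.113.7 - - [13/Feb/2023:10:00:01 +0000] "GET /a HTTP/2.0" 200 512
203.0.113.7 - - [13/Feb/2023:10:00:01 +0000] "GET /b HTTP/2.0" 200 512
198.51.100.9 - - [13/Feb/2023:10:00:01 +0000] "GET /index.html HTTP/2.0" 200 512
203.0.113.7 - - [13/Feb/2023:10:00:02 +0000] "GET / HTTP/2.0" 200 512
this line is garbage and must be skipped
"""

# Client IP, bracketed timestamp, quoted request line, status code, size.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def bucket_by_second(lines):
    """Return {timestamp: Counter(ip -> requests)}, keyed by the log's own
    second-granularity timestamp, in first-seen order."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # malformed or truncated line; do not abort the whole run
        buckets[m.group("ts")][m.group("ip")] += 1
    return buckets

def find_bursts(lines, threshold):
    """Seconds whose request count exceeds `threshold`, with the share of
    that second's traffic coming from the single busiest source."""
    bursts = []
    for ts, per_ip in bucket_by_second(lines).items():
        total = sum(per_ip.values())
        if total > threshold:
            top_ip, top_n = per_ip.most_common(1)[0]
            bursts.append({"ts": ts, "total": total, "top_ip": top_ip,
                           "top_share": round(top_n / total, 2)})
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG.splitlines(), threshold=3):
        print(burst)
```

A high `top_share` points at a single abusive client; a burst with a low `top_share` is the distributed pattern the commentary describes and is what to raise with the upstream provider.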
This is a good one to show to CEOs and boards to reinforce that they are also likely targets. “Hacking” a Twitter account usually means that the person’s email address and password were obtained in some other breach and the bad guys tried that combination on Twitter. Remind them (or do it for them) how to do a “Have I been pwned?” check and when the answer is yes (as it always is) what to do from there – ideally move to 2FA, minimum change the password.
This isn’t just a thought exercise: make sure you’re enabling whatever strong authentication options are available, not just for high visibility accounts like this but also personal ones. Those are going to be targeted to see if a trust relationship with the visible account can be exploited. Make sure you’re not overlooking abandoned accounts which you never got around to canceling. Ring up those in your organization with these types of accounts and make sure they understand this and know you’re looking out for them, just in case something got lost in translation.
Let this be a reminder to all of us that good cybersecurity hygiene means more than bank accounts and email!
Twitter offers optional MFA. One wonders if he was using it.
Lots of useful stuff you can leverage in this alert. Ingest the included IOCs, then run through the mitigations; even if you don’t think you’re a target, they are good cyber practices to help you keep the bar raised.
It's good to see nations band together to jointly develop and publish guidance on ransomware gangs. While the alert calls out the tactics and techniques employed by a state-sponsored actor, they are virtually the same as those employed by other ransomware gangs. A primary defensive focus should be on ensuring that known vulnerabilities have been patched as part of your vulnerability management process. Let’s deny the cybercriminal initial access and the ability to escalate privileges on the network.
This appears to align with the DPRK's intention to continue to fund its military by using funding sources that evade sanctions. They have just made a huge show of force with a large military parade touting the most ICBMs we have seen so far. It makes sense for Korea and the US to focus on cutting off the funding source, which is not only crypto and ransomware but other illicit activities.
All three have updates from the vendor. This makes it a bit easier. The bad news is the Windows driver update comes from Intel, not Microsoft, so it’s not in your monthly patch bundle. While you’re looking at your TNAS devices, make sure they’re not directly exposed to the Internet. NAS devices are like candy to attackers; don’t make it any easier than it has to be.
It appears that Regal Medical Group met the HIPAA requirement to inform patients within 60 days of possible data exposure. I agree: organizations should be afforded time to investigate the cyber breach. But given the speed with which they detected and responded to the attack, the prudent thing would have been to send out victim notification letters sooner. You’re basically giving the adversary 60 days to use or sell the illegally obtained PII and PHI.
Good example of a city seeming to be well prepared to make the decision whether to disconnect or not, and how to keep critical services running while back-office systems are offline and being evaluated by a third party. Other cities of similar size should check to see if they have the plans in place and tested to have the same quality of reaction.
Since the beginning of the pandemic, we have seen an increase in ransomware attacks across every industry vertical, including government. In response, industry best practices on how to protect against attack have been published. Once you’re a victim of a ransomware attack, it’s too late to start developing a response plan. The plan should have already been developed and periodically practiced.
Apple Patches Exploited Vulnerability
https://isc.sans.edu/diary/Apple+Patches+Exploited+Vulnerability/29544
Venmo Phishing Abusing LinkedIn "slink"
https://isc.sans.edu/diary/Venmo+Phishing+Abusing+LinkedIn+slink/29542/
Obfuscated Deactivation of Script Block Logging
https://isc.sans.edu/diary/Obfuscated+Deactivation+of+Script+Block+Logging/29538
PCAP Data Analysis with Zeek
https://isc.sans.edu/diary/PCAP+Data+Analysis+with+Zeek/29530
Malicious PyPi Packages Install Browser Extensions
https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack
More Malicious Python Packages
https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat
Bing Chat Prompt Injection