Check for Plex and XStream on PCs; Are You at Risk From Using Third Party Invisible Pixel Trackers?; Make Sure CISA Is Not On Your Email Spam List

Most organizations will not have Plex, a popular video player, on their radar. But it played an important role in the LastPass breach. A developer's workstation had Plex installed. A vulnerability in Plex was used to compromise the workstation and that workstations was used in the large breach of encrypted LastPass credential files. Software running on developers’ personal systems is often overlooked. Organizations should provide incentives to developers to keep software on personal workstations up to date by reimbursing patching tools or offering assistance in managing the updates.

Along with making sure that installed copies of these products get fixed, riddle me this: should they be installed on work computers? Part of any hardening exercise is removing unnecessary components. If you’re ok with the risk, make sure it is documented.

It is critical to understand what information is included when using third party trackers. Do your homework, not stopping at the shiny graphics and dashboards those trackers provide you. Also understand where your data are kept and who controls their disposition.

This will be an interesting case as it makes its way through the court system. Did Cerebral know that invisible pixel trackers were being used by third parties on its online services? Did those third parties properly disclose to Cerebral the use of, and type of data logging captured by the pixel trackers? Did Cerebral have a data management process in place to review data collected by the healthcare platform and its third-party providers? This is also an excellent case study for both boards and the executive leadership team.

I know using the term “ransomware” is good click bait but I sure hope CISA will also let critical infrastructure providers know if CISA finds vulnerabilities that would enable boring old breaches that expose sensitive information or other incidents that simply disrupt or corrupt critical services without trying to obtain ransom!

These warnings are intended to be one more data point of a potential for compromise. They will come from the local CISA office. If you received a notification, you can verify the identity of the CISA personnel through CISA Central: central@cisa.gov or (888) 282-0870. If you haven’t made contacts in your local CISA office, rectifying that before getting notified would be good. If you have, see what else they are doing that can help with your cyber hygiene.

While waiting to hear from CISA, be sure to that you have implemented strong authentication. Passwords continue to be implicated in a majority of breaches. One need not wait for a caution from CISA. The absence of a call from CISA is not evidence of anything.

Good one to use to drive a tabletop exercise walking through your breach disclosure processes. Call it “Take an Hour to Help Ourcorp Avoid a $3M Fine.”

Consistency and transparency are crucial in a breach. It is more important to fully disclose customer impacts than to downplay them to avoid negative consequences. Make sure customer and regulatory reporting match. If one is found to be in error take immediate steps to rectify and communicate.

The details of this ransomware attack make for a good case study and should be captured in a tabletop exercise by the Board. Communication to employees, customers, and suppliers are important components of any incident response plan and should be regularly exercised by the leadership team. The final piece of the case study should capture total costs of the attack as IT and security budgets are reviewed.

Not much new here, but I’d reorder the top three recommendations to be: (1) enforcing phishing-resistant multi-factor authentication; (2) establishing a baseline of normal network activity; and (3) conducting regular assessments.

According to the report, there were 13 actions taken that should have resulted in a response from the target and didn’t. I think we all have some reading to do to ensure we’re not in the same boat.

enetration testing is an important security action and makes up control 18 of the CIS Critical Security Controls. However, it should only be leveraged after doing the work upfront to: 1) know your environment (HW, SW, Data); 2) establish a configuration and patch management process; and 3) activity monitor your enterprise. Otherwise, all you get for the cost of the red team exercise is a reminder that you should… know your environment, have a configuration and patch management process, and monitor your enterprise.

This RAT has been available for sale since 2012. Is cheap ($80-100) and multi-platform (Win, Android, Linux, Mac) and distribution is via infected Office docs sent in email. Prevention (essentially don’t click unknown attachments, don’t enable macros) can be aided by newer document scanning options in many email tools. Look to your existing provider, Microsoft, Google, etc. for integrated options before asking about an add on. If you have a solution that is not enabled, ask the why; make sure you don’t have cultural versus technical problems to solve.

Another week, another takedown by international law enforcement. These actions have only come about because of increased information sharing between nations. Over the past two years we’ve seen law enforcement action against the evil-doers themselves, their infrastructure, and the currency exchanges they use. Don’t forget though that the end user has to do their part by enabling basic cyber hygiene on their enterprise.

Go back and read that again. The attackers were in their network since January 15, 2022. Detection is key to reducing dwell time. Having secure configurations as well as documentation about what is running where, ideally with controls on running new software are good ways to keep things in check. At a minimum, make sure you are not only collecting logs from everything but also have alerts configured for anomalies. Make verifying logs and alerts SOP when commissioning any system on premises or cloud. If you can’t get logs forwarded from a given service, develop procedures to cover the gap.

This is an interesting disclosure. HACLA has an annual operating budget of $1B. Surely with a budget of that size, it has established a cybersecurity program. A review of staffing, training, and cybersecurity practices should be part of the after-action report.

If you’re in this position, can you execute an emergency plan that you have confidence in? If you’re saying anything but a confident yes, you know what needs to be done. Even if you are confident, make sure your backup and their backup are also as confident.

While it has not yet been determined if this was a ransomware attack, the outcome is the same: severe impact to business operations. Having to revert back to staff intensive processes is both inefficient and poses some risk to patient care. The hospital will and has largely recovered from this attack and it will most certainly revisit its patch and configuration management processes.

These vulnerabilities include remote code execution flaws, remote activation of microphone and camera, and access to downloaded images and files stored on the device. As of March 13th, Akuvox acknowledges the flaws and promises updated firmware by March 20th. While it is great to see they are addressing the flaws, 90 days to acknowledge a vulnerability report is unacceptable in 2023, particularly when more than one source reaches out. If you have one of these devices, seriously look at keeping it offline until patches are out or maybe replacing it given the response to vulnerability disclosures. Make sure that your own organization not only has a vulnerability disclosure policy that includes timely response, but also that it is published on your web pages, preferably under a link like domain/security. Take a look at DHS BOD 20-01 for more ideas and sample language.

A reminder that there are always work arounds. As in this case, most are not welcomed by users or suppliers.

If nothing else, scammers are opportunistic, with perhaps more agile development processes than defenders. Expect this to continue to play out over the next couple months. That said, phishing, smishing, or vishing, is the primary attack technique used. Integrate awareness of this attack technique as part of your enterprise security program.

The primary issue with these banks was liquidity risk. They didn’t have the capital to back up withdrawals and sold investments at a loss, heading down a slippery slope. My point is there is an opportunity to learn from these events if you’re in the financial sector. It is worth noting these banks largely had a very specific customer base, e.g, VCs, who operate differently from traditional depositors. If you (or your friends) have funds in SVB or Signature Bank, you’re still covered by the insurance fund. IT and cyber staff were offered 150% of their salaries to operate the banks for the next 45 days while this all gets sorted out. Be extra careful of any requests to change payment accounts (think BEC) or of offers from third parties offering to help you with you recover your funds. Double check all such offers.