SANS NewsBites

Court Approves Microsoft/Fortra Takedown of Cobalt Strike Evil Use; Unplug Nexx WiFi Garage Door Openers; Many Simple Techniques Can Prevent Malware/Pirated Software Downloads

April 7, 2023  |  Volume XXV - Issue #28

Top of the News


2023-04-06

Microsoft, Health-ISAC, and Fortra Aim to Thwart Misuse of Cobalt Strike

Microsoft’s Digital Crimes Unit, the Health Information Sharing and Analysis Center (Health-ISAC), and software company Fortra have obtained a court order allowing them to disrupt the infrastructure of cybercriminals who are using the Cobalt Strike penetration testing tool for nefarious purposes. Specifically, the court order allows the organizations to seize domains associated with criminal activity involving Cobalt Strike, which is a Fortra product.

Editor's Note

On one level, this is a straightforward issue: since criminals are using “attack tools as a service” platforms to reduce their costs/barriers to entry, they make it easier for such legally authorized disruption efforts. But there are two complexities: (1) Are the laws and process behind legal authorization modern and transparent? and (2) Should all software vendors be expected, or required, to do what Microsoft and Fortra are doing to try to stop malicious use of their products? Getting a yes answer to both those questions is going to be tough.

John Pescatore

This is about choosing good partners to effect a change. It can be frustrating when your tool is used for malfeasance, and getting a court order to back the actions needed to respond is even harder. Microsoft has size and reputation/legitimacy; Cobalt Strike is getting a bit of a black eye for being used nefariously, underscoring the problem; and with all the attacks on the healthcare industry, having the Health-ISAC reinforces the need to take action. One hopes that they can make a dent in the problem, and that this is a viable model for others to follow.

Lee Neely

Almost from the dawn of computing, infrastructure management tools have been used by evil-doers. Today, it’s referred to as living off the land, where adversaries use what’s available to them to enable the attack. Cobalt Strike is but an extension of that concept, where miscreants have manipulated a commercial product for their own purposes. What’s interesting though, is the use of the court to target specific domains where the tools are kept.

Curtis Dukes

We can rely upon the courts to resist over-reach but only if they are consulted. Reference to the courts will offer some protection to those considering such an effort. We can also rely upon the involvement of multiple agencies. In the presence of both of those we should encourage this kind of activity to broadly reduce our collective risk.

William Hugh Murray

2023-04-05

Vulnerabilities in Nexx Smart Home Devices

Vulnerabilities affecting Nexx Smart Home Garage Door Controller, Smart Plug, and Smart Alarm could be exploited to take control of the devices. The vulnerabilities include hard coded credentials, authorization bypass, improper input validation, and improper authentication. Nexx has not responded to communication from the researcher who found the flaws or to requests to work with the US Cybersecurity and Infrastructure Security Agency (CISA) to mitigate the issues.

Editor's Note

There is no patch available for these devices, and the vulnerability is easily exploited. Unlike weaknesses in "old fashioned" garage door openers, an attacker does not have to be close to the device; attacks may be launched remotely. This vulnerability may lead to pranksters opening garage doors in large numbers. Your best defense right now is to disconnect the controller from the network.

Johannes Ullrich

Sending a hard coded credential between the device and the cloud service, broadcasting email addresses and device IDs, not properly validating input, the devices not implementing consistent access control, and more, would allow someone to access the Nexx service and manipulate any device. Also, traffic between the Nexx devices and servers can be replayed. There are multiple CVEs. The most severe, CVE-2023-1748 (use of hard coded credentials), has a raw CVSS score of 9.3. If you have these devices, you have a couple of choices, as there are no updates as yet: you can either disconnect them, or isolate them to limit access as much as possible using segmentation and not exposing them directly to the Internet. Given the nature of the flaws, disconnection is best, at least until Nexx brings services back online and offers a fix.

Lee Neely

The most egregious of the vulnerabilities listed is the hard-coded credential. I thought we were past vendors hard coding passwords into their products; guess not. The security researcher did the responsible thing in trying to work with the vendor. Now it’s time for public shaming. Unfortunately, it’s also an opportunity that cyber adversaries will take advantage of. The clock is ticking, Nexx, take ownership and fix your products.

Curtis Dukes

This is likely a case where it is cheaper to replace the devices than to patch them.

William Hugh Murray

2023-04-04

Ukrainian Utility Company Infected with Malware Because of Pirated Software

Ukraine’s Computer Emergency Response Team (CERT-UA) says that a utility company employee downloaded pirated software, which led to the utility’s network becoming infected with malware earlier this year. The illicit software, which was downloaded from a torrent site, contained both the DarkCrystal RAT and the DWAgent remote administration tool.

Editor's Note

Stories like this make me cringe. It's really easy to fall into the trap of finding the "free" version of an application rather than risking that management won't fund it. The cost of a license will be eclipsed many times by the cost of incident response and recovery. Make sure that staff know that you're willing to fund the tools they need to meet mission objectives, including escalating to other funding sources if your budget is spent. Reinforce that by coming through. Additionally, make sure that you have EDR solutions to cover all your endpoints, not just your Windows desktops. There are EDR products which will work on air-gapped networks; don't leave these out.

Lee Neely

I was recently on a panel discussion on what has become called “Protective DNS” – DNS services to block or at least alert on DNS resolution to both malicious and suspicious sites. This goes beyond simple URL blocking and really should be mandatory for any critical infrastructure service provider. In the US, if you are part of the Defense Industrial Base, you can use NSA’s service for free - https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/PDNS/

John Pescatore
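The "block or at least alert" behaviour described in the note above, as an added example that is not part of the newsletter, the editor's note, or any vendor's PDNS service: a small triage script over BIND9-style resolver query logs. The log lines, the client addresses, the blocklist and the allowlist are all constructed for this example; the resolver's own logs and a threat-intelligence feed would supply them in practice. It checks an allowlist first, then a blocklist (exact or parent-domain match), and then a crude DGA heuristic on the label directly below the TLD, which is what an alert-only tier of Protective DNS tends to catch that plain URL blocking does not.

```python
"""Protective DNS style triage of resolver query logs (added example, constructed data)."""
import math
import re
from collections import Counter

# Constructed BIND9-style query log lines; clients, hosts and domains are made
# up for this example and are not from the incident or the newsletter.
SAMPLE_LOG = """\
06-Apr-2023 09:12:01.123 client 10.0.5.21#53211 (www.example.com): query: www.example.com IN A + (10.0.0.53)
06-Apr-2023 09:12:03.456 client 10.0.5.21#53214 (update.evil-torrents.example): query: update.evil-torrents.example IN A + (10.0.0.53)
06-Apr-2023 09:12:05.789 client 10.0.5.40#40012 (x7k2q9vmzp3lwb.example): query: x7k2q9vmzp3lwb.example IN A + (10.0.0.53)
06-Apr-2023 09:12:07.000 client 10.0.5.40#40013 (beacon.c2.example): query: beacon.c2.example IN TXT + (10.0.0.53)
this line is not a query log entry and is skipped
"""

# Constructed feeds; a real deployment loads these from a threat-intel source
# and an organisational allowlist rather than hard-coding them.
BLOCKLIST = ("evil-torrents.example", "c2.example")
ALLOWLIST = ("example.com",)

# BIND9 query log: "<date> <time> client [@0x...] <ip>#<port> (<qname>): query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def shannon_entropy(text):
    """Bits per character of `text`; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_matches(qname, listed):
    """Return the list entry equal to qname or a parent of it, else None."""
    q = qname.rstrip(".").lower()
    for entry in listed:
        d = entry.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return d
    return None


def looks_generated(qname, min_len=12, min_entropy=3.5):
    """Crude DGA heuristic: long, high-entropy label directly below the TLD."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def classify(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Decide block / alert / allow for one query name; allowlist wins."""
    if domain_matches(qname, allowlist):
        return "allow", "allowlisted"
    hit = domain_matches(qname, blocklist)
    if hit:
        return "block", "matches blocklist entry " + hit
    if looks_generated(qname):
        return "alert", "high-entropy second-level label (possible DGA)"
    return "allow", "no rule matched"


def triage(log_text, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Parse query-log lines and return block/alert findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than stall the pipeline
        action, reason = classify(m["qname"], blocklist, allowlist)
        if action != "allow":
            findings.append({
                "src": m["src"], "qname": m["qname"], "qtype": m["qtype"],
                "action": action, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['action']:5} {f['src']:<10} {f['qname']} ({f['qtype']}): {f['reason']}")
```

The entropy threshold is a tuning knob, not a rule: CDN and tracking hostnames also look random, which is why the heuristic is applied to the registrable label rather than the full hostname and only produces an alert, while the blocklist produces a block. Run on the constructed lines it blocks the two listed domains and alerts on the random-looking one; `www.example.com` is allowlisted and never reaches the other rules.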

I don't think we have to worry about which exact ICS security framework to follow if workers at utilities are able to run pirated software.

Johannes Ullrich

It should not be the case that compromising one end user system is sufficient to compromise the entire enterprise. Think Sony and Aramco. We should be striving for least privilege, but at a minimum we can structure the network.

William Hugh Murray

The Rest of the Week's News


2023-04-06

Google to Require Android Developers to Make it Easy for Users to Delete Apps and Data

Google has announced a forthcoming policy for the Google Play Store, requiring that Android developers provide users with an online option to delete their accounts and associated data in addition to an option to delete from within the app. The new rule will take effect in early 2024; developers will have to provide details about their data deletion processes by December 7, 2023, or risk not being permitted to release new apps or update existing ones.

Editor's Note

Good to see continued movement towards users owning their data, but the first wave of response will be obtuse click-through agreements by many app owners. But consumer sentiment is continuing to push towards more of this, even in the US – software architects are increasingly having privacy requirements as part of their list of business requirements, a very good thing. Google has also detailed privacy/security improvements in Android 14 when it ships later this year.

John Pescatore

I was hoping this meant there was a requirement to allow users to remove OEM and Carrier provided applications. It is not, but it's still a move in the right direction. This helps align Android users with increasing privacy regulation which grants users the right to be forgotten. It also should allow users to delete the account and data without having to reinstall the application, which is something I would have preferred from time to time.

Lee Neely

A net positive by Google in giving users more control over their data, albeit a year behind their chief competitor. Providing the notice now, and a year to implement gives app developers time to make the necessary changes.

Curtis Dukes

As an essentially open system, Android requires user management. However, there is a limit to how much the user can be expected to know and do. That said, this seems like a policy that will improve security without imposing too much of a burden on users.

William Hugh Murray

2023-04-05

International Law Enforcement Operation Disrupts Genesis Market

A coordinated effort involving authorities from 17 countries and led by the US Federal Bureau of Investigation (FBI) and the Dutch National Police (Politie) has seized the infrastructure – website, domains, and servers – of Genesis Market, a criminal online marketplace. The operation led to 119 arrests and 208 property searches.

Editor's Note

Genesis Marketplace, instead of dealing with potential passwords and password dumps, specialized in already established sessions. Most notable was the Electronic Arts (EA) incident in which the Slack cookie was used to gain access to EA’s Slack instance; from there, an attacker gathered enough information to steal pre-released games. This forum also had some innovations allowing its users to use browser plugins to better simulate being the attack victim.

Moses Frost

This was also known as "Operation Cookie Monster" and is the latest success in international cooperation shutting down or disrupting criminal activity. The Genesis Market was an invite-only shop which sold tools to help hackers avoid detection when using compromised accounts, fingerprint generating tools, Genesium browser and Genesis Security plugin. They also sold data from compromised devices such as fingerprints, cookies, logs and saved logins as well as credentials for Amazon, eBay, Facebook, Netflix, Gmail, PayPal, Zoom and Spotify.

Lee Neely

And the law enforcement hits keep coming. Over the last six months, international law enforcement has arrested cyber criminals, infiltrated online criminal organizations, shuttered digital currency sites, taken off-line criminal domains, and closed online marketplaces where cyber criminals operate. As we look back over 2023, this will be the story; and who knows, perhaps the cover of Time magazine.

Curtis Dukes
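The notes above describe a market built on already-established sessions: a stolen cookie is replayed, with a browser plugin imitating the victim's fingerprint. As an added example that is not from the newsletter, the editors, or any named vendor, here is one server-side control that raises the cost of such a replay: binding each session to a coarse client fingerprint at login, revoking it on mismatch, and raising an alert for the SOC. The user names, addresses, headers and timestamps are constructed; the fingerprint recipe (IPv4 /24 plus two request headers) is an assumption chosen for this example, not a standard.

```python
"""Server-side session binding to blunt stolen-cookie replay (added example)."""
import hashlib
import hmac
import secrets


def client_fingerprint(ip, user_agent, accept_language):
    """Coarse binding material: IPv4 /24 plus two stable request headers.

    Deliberately coarse so that address churn inside one office network does
    not log users out, while a cookie replayed from elsewhere does not pass.
    """
    net = ".".join(ip.split(".")[:3])
    raw = "|".join((net, user_agent, accept_language))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory session table; a real service would back this with a datastore."""

    def __init__(self, max_age=8 * 3600, idle_timeout=15 * 60):
        self.max_age = max_age
        self.idle_timeout = idle_timeout
        self._sessions = {}
        self.alerts = []  # (event, user, session_id) tuples for the SOC

    def login(self, user, ip, user_agent, accept_language, now):
        sid = secrets.token_urlsafe(32)  # 256-bit random session id
        self._sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(ip, user_agent, accept_language),
            "created": now,
            "last_seen": now,
        }
        return sid

    def validate(self, sid, ip, user_agent, accept_language, now):
        """Return (user, reason); user is None when the caller must re-authenticate."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown or revoked session"
        if now - s["created"] > self.max_age or now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None, "session expired"
        presented = client_fingerprint(ip, user_agent, accept_language)
        if not hmac.compare_digest(s["fp"], presented):
            # Cookie presented from a different client than the one that logged in:
            # revoke it so neither the thief nor the victim can keep using it.
            del self._sessions[sid]
            self.alerts.append(("session_binding_mismatch", s["user"], sid))
            return None, "client binding mismatch; session revoked"
        s["last_seen"] = now
        return s["user"], "ok"


def replay_scenario():
    """Victim logs in, an attacker replays the stolen cookie, the victim returns."""
    store = SessionStore()
    victim = ("10.1.2.3", "Mozilla/5.0 (Windows NT 10.0) Firefox/111.0", "en-US")
    thief = ("203.0.113.9", "Mozilla/5.0 (X11; Linux x86_64) Chrome/111.0", "ru-RU")
    t0 = 1_680_700_000  # constructed epoch timestamp
    sid = store.login("alice", *victim, now=t0)
    first = store.validate(sid, *victim, now=t0 + 60)
    replay = store.validate(sid, *thief, now=t0 + 120)
    after = store.validate(sid, *victim, now=t0 + 180)
    return {"first": first, "replay": replay, "after": after, "alerts": len(store.alerts)}


if __name__ == "__main__":
    for name, result in replay_scenario().items():
        print(f"{name}: {result}")
```

The caveat is the one the notes imply: because the market also sold the victim's fingerprint and a browser to present it, header binding on its own is bypassable; the network component, short lifetimes, and step-up authentication for sensitive actions are what actually raise the cost, and revoking on mismatch turns a quiet takeover into a logged event the SOC can act on.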

2023-04-04

HP Will Patch LaserJet Vulnerability Within 90 Days

In a security bulletin released on Monday, April 3, HP disclosed a critical vulnerability affecting some of its printers that could lead to information disclosure. The flaw affects certain HP Enterprise LaserJet and HP LaserJet Managed Printers when IPsec is enabled with FutureSmart version 5.6. HP plans to have firmware updates available within 90 days. Until then, HP suggests that users “currently running FutureSmart 5.6 with IPsec enabled on potentially impacted products … revert to a prior version of the firmware (FutureSmart version 5.5.0.3).”

Editor's Note

If you're not running IPsec on your HP Enterprise LaserJet and HP LaserJet Managed Printers, you're not affected. The appeal of IPsec on these devices is to protect credentials and other sensitive data in transit, such as an emailed job or scan data. To prevent re-introduction of the flawed firmware, HP has removed it from their download site. If you have local copies you're using for updates, you need to remove these as well so your processes will not reinstall after you've rolled back to the earlier firmware.

Lee Neely

Ninety days seems a little long. There are workarounds (there are always workarounds) but firmware updates are sufficiently difficult that many will accept the risk of data leakage until the patch becomes available.

William Hugh Murray

2023-04-05

QNAP OS Vulnerabilities Affect 80,000 Devices

Two memory access issues affecting multiple QNAP operating systems (OSes) for network-attached storage (NAS) devices could be exploited to allow arbitrary code execution. The vulnerabilities affect QNAP’s QTS, QuTS hero, QuTScloud, and QVP OSes. QNAP has released fixes for QTS and QuTS hero; users are urged to update to QTS 5.0.1.2346 build 20230322 or later, and QuTS hero h5.0.1.2348 build 20230324 or later. QNAP is working on fixes for QuTScloud and QVP.

Editor's Note

QNAP devices remain "Cyberattacker Catnip." The DeadBolt ransomware group has been continually running campaigns to discover and exploit QNAP devices. As such, you need to make sure you don't directly expose them to the Internet, make sure only expected applications and user accounts are present, ensure they are kept patched. If you discover them on your corporate network, make sure they are being managed as mainstream (not shadow) IT.

Lee Neely

2023-04-06

ACRO Confirms Cyber Security Incident

The British Criminal Records Office (ACRO) has been experiencing customer portal issues since mid-January. This week, the organization confirmed that the problems are due to a cyber security incident. ACRO has reportedly contacted individuals who may be affected by the incident by email. As of Thursday afternoon, April 6, the ACRO website says, “Thank you for your patience as we work through our technical issues.”

Editor's Note

ACRO helps provide criminal background checks for potential employers, providing up to ten years of data for a given applicant. In this case the data targeted was not related to their payment system, but data provided by prospective employees, such as conviction and identification information, email address, case reference numbers, etc. ACRO is working behind the scenes to notify affected individuals, as well as processing background checks manually, but may not be meeting the UK's privacy/incident reporting requirements. While working quietly to investigate, inform affected users, and recover sounds great for your reputation, it can get you crosswise with regulators, let alone in an awkward position when non-affected customers discover and demand an explanation. In today's climate, choose transparency, sharing what you're doing and what you know quickly and keep it updated until you get to the other side.

Lee Neely

Increasingly, supply chain security has been a discussion topic over the last year. Here’s an example where a compromise of a third-party supplier (ACRO) has the ability to impact normal business operations for a wide range of commercial businesses. Another is the WD My Cloud Service which has been off-line for about 10 days now. The lesson here is that companies now need to ‘war game’ loss of key suppliers as part of their business risk management.

Curtis Dukes

2023-04-04

New Website Aims to Attract More Participants to Hack the Pentagon Bug Bounty Program

The US Defense Department’s (DoD’s) Directorate for Digital Services (DDS) has launched a new website as an enhancement to its Hack the Pentagon bug bounty program. DDS hopes the website will encourage DoD organizations to launch their own bug bounty programs and attract cyber security talent to their ranks.

Editor's Note

The new DDS/Hack the Pentagon site looks nothing like a US Government web site. It has information for DoD partners desiring to implement a similar program, security researchers who want to participate, and even vendors who are a source of ethical hackers - albeit they need to work through the SAM.GOV site and process to bid on jobs. If you're thinking about how to publicize and build your own bug bounty program, take a look at this site: the look, access and message is probably not how you currently market services.

Lee Neely

When DoD first launched their bug bounty program it was thought of as a novelty item. You know, make an announcement, get some free press and don’t expect to find any software bugs. Now it’s become a cybersecurity best practice used by every industry. Along the way, it’s saved hundreds of thousands of dollars, and reduced the attack surface for both commercial and bespoke software applications. Seems as though DoD is doubling down on the program with a new website.

Curtis Dukes

Internet Storm Center Tech Corner

Exploration of DShield Cowrie Data with jq

https://isc.sans.edu/diary/Exploration+of+DShield+Cowrie+Data+with+jq/29714

Analyzing the efile.com Malware

https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712

Self-Extracting Archives

https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/

loldrivers

https://www.loldrivers.io

Trellix Privilege Escalation

https://kcm.trellix.com/corporate/index?page=content&id=SB10396

HP LaserJet Vuln.

https://support.hp.com/us-en/document/ish_7905330-7905358-16/hpsbpi03838

NEXX Garage Door Vulnerability

https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc

OneNote Changes

https://learn.microsoft.com/en-us/deployoffice/security/onenote-extension-block

MSFT Changes to Auto-Update

https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3060

NPM Spam DDoS Attacks

https://www.helpnetsecurity.com/2023/04/05/flood-of-malicious-packages-results-in-npm-registry-dos/

ALPHV Ransomware Targets Backup Installations

https://www.mandiant.com/resources/blog/alphv-ransomware-backup

Sophos Web Appliance Vulnerability (and EoL)

https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce

Zimbra Exploited in Targeted Attacks

https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability