Check for Trojanized X_Trader Installer on PCs; Check For and Remove Compromised WordPress Plugins; Look for Phantom Google Cloud Platform Projects and Apps

The Symantec report doesn’t detail how the Trojaned X_Trader software got on the additional victims’ PCs. A safe guess is the same path as 3CX: reusable passwords used for corporate access from employee-owned Windows PC were harvested after users downloaded the trojaned installer onto their home computer. Yet another big reminder about (1) matching controls with policy, as it seems like the majority of organizations do have policy requiring 2FA, but haven’t implemented it; and (2) such “hybrid” work from home on employee-owned and vulnerable Windows PCs did not go away when Covid mask requirements ended.

Two topics to run to ground here: have they got a toehold in my network and can they spread laterally? For the first one, use the IOCs in the Symantec or Mandiant reports to determine if you have the trojanized X_Trader in your environment. For the second, consider your trust relationships. Beyond MFA to the endpoint, what happens with SSO? Can users SSO to any endpoint or to just those they have a need to access? What about privilege escalation? Do you have UAC set to always? How about requiring MFA for privileged actions? Do all your users have admin on their endpoints or do you only provide it where approved? Are you leveraging a PAM solution to manage local admin accounts? Leverage incremental increases in security to raise the bar.

The X_Trader application was built to support futures trading. Potential victims of the boogered version are likely trading institutions. If you are a company that uses the application, assume you’ve been breached until you are able to validate the X_Trader application with its developer – Trading Technologies.

It is now clear that at least some APTs are concentrating on software suppliers and the leverage they provide. In the face of an increase in risk, suppliers should consider a hiatus in shipments until they are satisfied that they can meet their obligation to customers not to ship contaminated code. The necessary changes to their processes to improve security will likely also lead to a general increase in efficiency.

The Eval PHP plugin hasn't been updated in over a decade but remains available in the WordPress plugin repository. If you forgot to remove it from your site, you really need to get rid of it, (not just disable it) then actively watch for reintroduction. Threat actors are installing the plugin from the WordPress plugin site on compromised sites. This would be a good time to review admin accounts on your WordPress site, requiring MFA and eliminating old or unused ones. Note you don't need an admin user named admin (the default), so change that too.

With WordPress, critical vulnerabilities most often crop up by the use of plugins that render websites exploitable; this vulnerability is no different. What is different is that it is an unsupported plugin. Unsupported apps should not be available for download.

We continue to be plagued by WordPress plugins. The problem is not simply the quality of the plugins. Like browsers, the usual client of WordPress services, WordPress itself is open, flexible, complex, and has proven to be difficult to operate safely. Use it with appropriate caution.

If you are a Google Cloud Platform user, follow Astrix’s recommendations for checking GCP app management and OAuth logs for indicators of compromise. This is one of those “huh” type of vulnerabilities that is likely to be found in other applications.

Exploiting the flaw allows an app to be hidden from the Google application management page, the only place you can manage applications associated with your GCP account. Essentially the app is put in a pending deletion state, which hides it, the patch makes apps in that state visible to the 'Apps with access to your account' page, allowing you to delete it.

This is a vulnerability that should be taken seriously if you are a GCP tenant. Check for signs of the vulnerability by reviewing the OAuth logs; and as always, follow vendor security recommendations.

First thing, remember that APC falls under Schneider Electric, so yeah, we need to start reading Schneider bulletins because they relate to APC UPSs most of us have. Next, determine where you're using monitoring software, such as Easy UPS, and get it updated. Lastly, review the recommendations for physical and logical isolation and protection of control systems, particularly UPSs. That is most relevant in your data center where you're going to have the bigger solutions, which also means a bad actor could do more harm compromising a single device. When reviewing your physical protections, don't overlook accidents. Remember when we didn't have covers over the crash button (aka elevator call button) in the data center? Yeah...

In this case, one of Schneider’s “strongly recommended” practices is “Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.” This requires Network Access Control capabilities for all remote access to UPS systems.

Two of the three vulnerabilities allow for remote code execution and carry a CVSS score of 9.8. Exercise your patch process and remediate these vulnerabilities as well as follow Industry configuration recommendations.

This was a human error in a cloud-based Jenkins reporting system, which allowed for anonymous downloading of reports and logs. Additionally, there wasn't sufficient logging from that service to fully forensicate the incident. We all have outsourced and cloud services, what is needed is to regularly review the security configurations of each of them, as well as making sure you have optimal logging for successful incident response. Make sure you're including your incident responders in that conversation; they likely have a very different view than the service provider on what adequate means.

The testimony by Director Kofman mentions the human error that resulted in critical data being accessible without authentication, but never acknowledged the equally serious mistake of not detecting that before criminals did. Kofman confused buying products with strong security, saying: “We have a strong cybersecurity program. For example, we use technologies such as…” Strong processes and skilled analysts are needed to make investments in technology effective in reducing risk.

The CIS Community Defense Model identified misconfiguration as a leading cause for most cyber breaches. As such, server configuration guidance is available for a large number of products to include servlet containers such as Apache Tomcat. Going forward, standardize server configuration using Industry best practices as put forth by CIS Benchmarks.

This changes the idea that everything is a file, which is the paradigm in *nix, to everything is a table. As such, system logs become transaction logs, rolling back is as simple as rolling back a database. And yeah, I'm remembering multi-phase commit rollback too. Making it easier to revert the system to a known good state as well as improved visibility to system events means we should keep an eye on this one.

First, it is encouraging to see that some researchers are working on solutions rather than mere vulnerability discovery. Second, this solution addresses the requirement, in the face of ransomware attacks, to recover applications, rather than merely files, in hours to days, rather than days to weeks. Worth checking out.