SANS NewsBites

Check for Trojanized X_Trader Installer on PCs; Check For and Remove Compromised WordPress Plugins; Look for Phantom Google Cloud Platform Projects and Apps

April 25, 2023  |  Volume XXV - Issue #33

Top of the News


2023-04-24

X_TRADER Supply Chain Attack Has Additional Victims

Symantec’s Threat Hunter Team says that the X_Trader supply chain attack that affected 3CX also affected at least four other organizations – two in the energy sector and two in the financial sector. A trojanized version of the X_Trader installer was used to compromise 3CX systems, which in turn allowed that company’s own software to be compromised as well.

Editor's Note

The Symantec report doesn’t detail how the Trojaned X_Trader software got on the additional victims’ PCs. A safe guess is the same path as 3CX: reusable passwords used for corporate access from employee-owned Windows PCs were harvested after users downloaded the trojaned installer onto their home computer. Yet another big reminder about (1) matching controls with policy, as it seems like the majority of organizations do have policy requiring 2FA, but haven’t implemented it; and (2) such “hybrid” work from home on employee-owned and vulnerable Windows PCs did not go away when Covid mask requirements ended.

John Pescatore

Two topics to run to ground here: have they got a toehold in my network and can they spread laterally? For the first one, use the IOCs in the Symantec or Mandiant reports to determine if you have the trojanized X_Trader in your environment. For the second, consider your trust relationships. Beyond MFA to the endpoint, what happens with SSO? Can users SSO to any endpoint or to just those they have a need to access? What about privilege escalation? Do you have UAC set to always? How about requiring MFA for privileged actions? Do all your users have admin on their endpoints or do you only provide it where approved? Are you leveraging a PAM solution to manage local admin accounts? Leverage incremental increases in security to raise the bar.

Lee Neely

The X_Trader application was built to support futures trading. Potential victims of the boogered version are likely trading institutions. If you are a company that uses the application, assume you’ve been breached until you are able to validate the X_Trader application with its developer – Trading Technologies.

Curtis Dukes

It is now clear that at least some APTs are concentrating on software suppliers and the leverage they provide. In the face of an increase in risk, suppliers should consider a hiatus in shipments until they are satisfied that they can meet their obligation to customers not to ship contaminated code. The necessary changes to their processes to improve security will likely also lead to a general increase in efficiency.

William Hugh Murray

2023-04-24

Hackers are Installing Eval PHP WordPress Plugin to Create Backdoors

Hackers are exploiting a vulnerability in an unsupported WordPress plugin to inject malicious PHP code into web pages. Eval PHP has not been updated for a decade, yet researchers noted a sudden surge in Eval PHP downloads over the past months. The attackers are installing the plugin on compromised sites to establish backdoors.

Editor's Note

The Eval PHP plugin hasn't been updated in over a decade but remains available in the WordPress plugin repository. If you forgot to remove it from your site, you really need to get rid of it (not just disable it), then actively watch for reintroduction. Threat actors are installing the plugin from the WordPress plugin site on compromised sites. This would be a good time to review admin accounts on your WordPress site, requiring MFA and eliminating old or unused ones. Note you don't need an admin user named admin (the default), so change that too.

Lee Neely
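The two checks in the note above, written out as an added example (this is not code from the newsletter, from WordPress or from the plugin's authors): it looks for the plugin's directory under wp-content/plugins, using the `evalphp` slug the plugin has in the WordPress repository, and scans rows shaped like `wp_posts` for the `[evalphp]...[/evalphp]` shortcode that the plugin executes as PHP. The install root and the post rows are constructed sample data, and the helper names are my own.

```python
import os
import re
import tempfile

# Plugin slug as used in the WordPress plugin repository. The directory is
# present whether or not the plugin is activated, so "disabled" is not "gone".
PLUGIN_DIR = os.path.join("wp-content", "plugins", "evalphp")

# The shortcode the plugin executes; anything between the tags runs as PHP.
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.DOTALL | re.IGNORECASE)


def plugin_installed(wp_root):
    """True when the Eval PHP plugin directory is present under wp_root."""
    return os.path.isdir(os.path.join(wp_root, PLUGIN_DIR))


def find_shortcodes(posts):
    """posts: iterable of (ID, post_type, post_status, post_content) rows, as
    returned by SELECT ID, post_type, post_status, post_content FROM wp_posts.
    Every status is scanned: the shortcode is stored in the database whether
    or not the post is published."""
    findings = []
    for post_id, post_type, status, content in posts:
        for match in SHORTCODE_RE.finditer(content or ""):
            findings.append({
                "post_id": post_id,
                "post_type": post_type,
                "status": status,
                "snippet": match.group(1).strip()[:80],
            })
    return findings


def audit(wp_root, posts):
    """Combine both checks; an empty result means nothing found, not 'clean'."""
    return {"plugin_installed": plugin_installed(wp_root),
            "shortcodes": find_shortcodes(posts)}


def demo():
    """Constructed sample: a temp tree with the plugin present and two post rows."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, PLUGIN_DIR))
    sample_posts = [  # constructed rows, not taken from any real site
        (1, "post", "publish", "<p>Hello world</p>"),
        (2, "page", "draft", "[evalphp] /* constructed placeholder PHP */ [/evalphp]"),
    ]
    return audit(root, sample_posts)


if __name__ == "__main__":
    result = demo()
    print("plugin directory present:", result["plugin_installed"])
    for f in result["shortcodes"]:
        print(f"[evalphp] in {f['post_type']} #{f['post_id']} ({f['status']}): {f['snippet']}")
```

Run `find_shortcodes` over the real `wp_posts` rows (revisions included), delete the plugin directory rather than deactivating it, and rerun both checks on a schedule to catch the reintroduction the note warns about.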

With WordPress, critical vulnerabilities most often crop up by the use of plugins that render websites exploitable; this vulnerability is no different. What is different is that it is an unsupported plugin. Unsupported apps should not be available for download.

Curtis Dukes

We continue to be plagued by WordPress plugins. The problem is not simply the quality of the plugins. Like browsers, the usual client of WordPress services, WordPress itself is open, flexible, complex, and has proven to be difficult to operate safely. Use it with appropriate caution.

William Hugh Murray

2023-04-21

Google Addresses GhostToken Vulnerability in Google Cloud Platform

Google has fixed a flaw in its Cloud Platform (GCP) that could be exploited to backdoor accounts using malicious OAuth applications. The issue was reported to Google in June 2022; the fix was released in a patch earlier this month.

Editor's Note

If you are a Google Cloud Platform user, follow Astrix’s recommendations for checking GCP app management and OAuth logs for indicators of compromise. This is one of those “huh” type of vulnerabilities that is likely to be found in other applications.

John Pescatore

Exploiting the flaw allows an app to be hidden from the Google application management page, the only place you can manage applications associated with your GCP account. Essentially the app is put in a pending-deletion state, which hides it; the patch makes apps in that state visible on the 'Apps with access to your account' page, allowing you to delete them.

Lee Neely

This is a vulnerability that should be taken seriously if you are a GCP tenant. Check for signs of the vulnerability by reviewing the OAuth logs; and as always, follow vendor security recommendations.

Curtis Dukes

The Rest of the Week's News


2023-04-24

Schneider Electric Releases Fixes for Vulnerabilities in Easy UPS Online Monitoring Software

Schneider Electric has released patches for three vulnerabilities in its Easy UPS Online Monitoring Software from Schneider Electric’s American Power Conversion (APC). Schneider cautions users that “failure to apply the remediations provided below may risk remote code execution, escalation of privileges, or authentication bypass, which could result in execution of malicious web code or loss of device functionality.”

Editor's Note

First thing, remember that APC falls under Schneider Electric, so yeah, we need to start reading Schneider bulletins because they relate to APC UPSs most of us have. Next, determine where you're using monitoring software, such as Easy UPS, and get it updated. Lastly, review the recommendations for physical and logical isolation and protection of control systems, particularly UPSs. That is most relevant in your data center where you're going to have the bigger solutions, which also means a bad actor could do more harm compromising a single device. When reviewing your physical protections, don't overlook accidents. Remember when we didn't have covers over the crash button (aka elevator call button) in the data center? Yeah...

Lee Neely

In this case, one of Schneider’s “strongly recommended” practices is “Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.” This requires Network Access Control capabilities for all remote access to UPS systems.

John Pescatore

Two of the three vulnerabilities allow for remote code execution and carry a CVSS score of 9.8. Exercise your patch process and remediate these vulnerabilities, as well as following industry configuration recommendations.

Curtis Dukes

2023-04-19

DC Health Link Breach Was Due to Misconfigured Server

Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, told US legislators that the DC Health Link breach was found to be enabled by a misconfigured server. The breach, which exposed personal information of more than 56,000 current and former members of Congress, their family members, and Congressional aides, was detected in early March 2023. Kofman testified before the US House Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation and House Administration Subcommittee on Oversight on April 19.

Editor's Note

This was a human error in a cloud-based Jenkins reporting system, which allowed for anonymous downloading of reports and logs. Additionally, there wasn't sufficient logging from that service to fully forensicate the incident. We all have outsourced and cloud services; what is needed is to regularly review the security configurations of each of them, as well as making sure you have optimal logging for successful incident response. Make sure you're including your incident responders in that conversation; they likely have a very different view than the service provider on what adequate means.

Lee Neely

The testimony by Director Kofman mentions the human error that resulted in critical data being accessible without authentication, but never acknowledged the equally serious mistake of not detecting that before criminals did. Kofman confused buying products with strong security, saying: “We have a strong cybersecurity program. For example, we use technologies such as…” Strong processes and skilled analysts are needed to make investments in technology effective in reducing risk.

John Pescatore

The CIS Community Defense Model identified misconfiguration as a leading cause of most cyber breaches. As such, server configuration guidance is available for a large number of products, including servlet containers such as Apache Tomcat. Going forward, standardize server configuration using industry best practices as put forth by the CIS Benchmarks.

Curtis Dukes

2023-04-21

Database-Oriented Operating System Will be Demonstrated at RSA

Researchers at the Massachusetts Institute of Technology (MIT) and Stanford University are developing an operating system with baked-in malware defense. The database-oriented operating system, or DBOS, is being designed to recover from ransomware attacks within minutes. The researchers – Michael Stonebraker, Matei Zaharia, and Jeremy Kepner – will demonstrate their work at the RSA conference this week in San Francisco.

Editor's Note

This changes the idea that everything is a file, which is the paradigm in *nix, to everything is a table. As such, system logs become transaction logs, rolling back is as simple as rolling back a database. And yeah, I'm remembering multi-phase commit rollback too. Making it easier to revert the system to a known good state as well as improved visibility to system events means we should keep an eye on this one.

Lee Neely
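The "system logs become transaction logs, rolling back is as simple as rolling back a database" idea from the note above, as an added toy illustration in Python with SQLite; this is not DBOS code and says nothing about how DBOS actually lays out its tables. File contents live in a table, every write is recorded in an append-only change log that also serves as an audit trail, and recovery to a checkpoint undoes the logged changes in reverse inside one transaction. The table layout, the paths and the "evil" actor label are constructed for the example.

```python
import sqlite3


def open_store():
    """In-memory store: file contents in a table plus an append-only change log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE files(path TEXT PRIMARY KEY, content BLOB);
        CREATE TABLE change_log(
            seq INTEGER PRIMARY KEY AUTOINCREMENT,
            path TEXT NOT NULL,
            old_content BLOB,          -- NULL when the path did not exist before
            actor TEXT NOT NULL);
    """)
    return db


def write_file(db, path, content, actor):
    """Every write records the previous content so it can be undone later."""
    with db:  # one transaction: the log entry and the data change commit together
        row = db.execute("SELECT content FROM files WHERE path = ?", (path,)).fetchone()
        old = row[0] if row else None
        db.execute("INSERT INTO change_log(path, old_content, actor) VALUES (?, ?, ?)",
                   (path, old, actor))
        db.execute("INSERT OR REPLACE INTO files(path, content) VALUES (?, ?)",
                   (path, content))


def read_file(db, path):
    row = db.execute("SELECT content FROM files WHERE path = ?", (path,)).fetchone()
    return row[0] if row else None


def checkpoint(db):
    """The current log position doubles as a point-in-time marker."""
    return db.execute("SELECT COALESCE(MAX(seq), 0) FROM change_log").fetchone()[0]


def changes_since(db, seq):
    """Audit view: which actor changed how many paths after the checkpoint."""
    rows = db.execute("SELECT actor, COUNT(*) FROM change_log WHERE seq > ? GROUP BY actor",
                      (seq,)).fetchall()
    return dict(rows)


def rollback_to(db, seq):
    """Undo every logged change after seq, newest first, atomically."""
    with db:
        rows = db.execute("SELECT seq, path, old_content FROM change_log "
                          "WHERE seq > ? ORDER BY seq DESC", (seq,)).fetchall()
        for _, path, old in rows:
            if old is None:
                db.execute("DELETE FROM files WHERE path = ?", (path,))
            else:
                db.execute("UPDATE files SET content = ? WHERE path = ?", (old, path))
        db.execute("DELETE FROM change_log WHERE seq > ?", (seq,))
    return len(rows)


def demo():
    db = open_store()
    write_file(db, "/etc/hosts", b"127.0.0.1 localhost", "admin")
    write_file(db, "/home/u/report.docx", b"quarterly numbers", "user")
    good = checkpoint(db)  # last known-good position
    # Constructed 'ransomware' activity: overwrite two files and drop a note.
    write_file(db, "/home/u/report.docx", b"ENCRYPTED", "evil")
    write_file(db, "/etc/hosts", b"ENCRYPTED", "evil")
    write_file(db, "/home/u/README_DECRYPT.txt", b"pay us", "evil")
    actors = changes_since(db, good)   # the log tells you who did what after the checkpoint
    undone = rollback_to(db, good)     # and recovery is a rollback, not a restore from backup
    return {
        "actors": actors,
        "undone": undone,
        "hosts": read_file(db, "/etc/hosts"),
        "report": read_file(db, "/home/u/report.docx"),
        "note_exists": read_file(db, "/home/u/README_DECRYPT.txt") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is the one in the note: when state changes are transactions against a log, "who touched what after the last good point" and "put it back" are both single queries over the same table, which is what makes minutes-scale recovery plausible.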

First, it is encouraging to see that some researchers are working on solutions rather than mere vulnerability discovery. Second, this solution addresses the requirement, in the face of ransomware attacks, to recover applications, rather than merely files, in hours to days, rather than days to weeks. Worth checking out.

William Hugh Murray

2023-04-24

PaperCut Authentication Bypass Vulnerability is Being Actively Exploited

Users are urged to update their PaperCut MF/NG print management software to fix a critical improper access control vulnerability that is being actively exploited. The flaw allows an attacker to bypass authentication and remotely execute arbitrary code with System user privileges. PaperCut fixed the vulnerability in versions 20.1.7, 21.2.11, and 22.0.9 of PaperCut MF and PaperCut NG in March.

Editor's Note

The version numbers can be confusing; make sure that you're running the latest version of PaperCut for your platform. Both Windows and Mac versions of the software need updating. Note that only versions 20.x or later are patched, so be prepared for some big catching up if you've fallen behind. Also make sure that you're limiting traffic to the PaperCut management interface (port 9191) to only authorized devices/users. This is an unauthenticated RCE flaw, which is being actively exploited. Plan accordingly.

Lee Neely

2023-04-24

RSA: CISA and Cyber Command Cyber Ops Partnership

At the RSA Conference in San Francisco, Eric Goldstein, executive assistant director at the US Cybersecurity and Infrastructure Security Agency (CISA) and Maj. Gen. William Hartman, commander of the Cyber National Mission Forces (CNMF) at Cyber Command spoke about their agencies’ cyber operations partnership. The collaborative effort has thwarted several potentially serious attacks, including an attempt by hackers with links to Iran to gain access to election results reporting software.

Editor's Note

Public sector information sharing is working, and we have reported many stories of cooperation leading to takedowns and successful incident prevention and response. The relationship between CISA and CNMF is new and their focus needs to include maintaining and maturing that partnership, keeping information flowing. One of the next challenges for CISA is providing value to the private sector in exchange for their sharing of similar information.

Lee Neely

2023-04-24

Firmware Update Available to Address Inea ICS ME RTU

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS advisory warning of a critical OS command injection vulnerability in INEA ME Remote Terminal Unit (RTU) firmware versions older than 3.36. The INEA ME RTU is used in the energy, transportation, and water and wastewater sectors.

Editor's Note

The RTU is sitting between the SCADA and the instrumentation devices. Taking over the RTU allows manipulating inputs or outputs (pumps or valves), or can be used to pivot to available networks for further malfeasance. First thing, apply the firmware update (CVE-2023-2131 has a CVSS score of 10.0), then review your segmentation and access controls to ensure that only authorized systems can interact with ICS components.

Lee Neely

2023-04-21

Shields Health Care Group Breach Affects Millions

Shields Health Care Group has disclosed a breach that compromised personal information of 2.3 million patients. Intruders had access to Shields’ systems in mid-March 2022. Shields provides imaging services for ambulatory surgery centers.

Editor's Note

Shields is offering credit monitoring for two years to affected customers and started notifications 4/19. It appears the breach investigation spanned a year, from March 28, 2022 to March 27, 2023, and the data exfiltrated were names or other personal identifiers in combination with driver's license numbers or other ID card numbers. While the notification was filed in Maine, only 2260 of the 2.3 million patients were in Maine. Sending a breach notification over a year later to affected customers is too long after the fact. The reality is you have no idea what the intersection of your data being breached, notification and implementation of credit monitoring will be. Be proactive and get your own coverage in place before you need it.

Lee Neely

Internet Storm Center Tech Corner

Management of DMARC control for email impersonation for domains in the .co TLD

https://isc.sans.edu/forums/diary/Management+of+DMARC+control+for+email+impersonation+of+domains+in+the+co+TLD+part+1/29768/

Papercut Vulnerability Deep Dive

https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise

Solarwinds Patches

https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm

Schneider Electric Update

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-04&p_enDocType=Security%20and%20Safety%20Notice&p_File_Name=SEVD-2023-101-04.pdf

Virustotal Code Insight

https://blog.virustotal.com/2023/04/introducing-virustotal-code-insight.html

Aukill EDR Killer Malware Abuses Process Explorer Driver

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

X_Trader Supply Chain Attack Fallout

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain

Car Hacking with Old Nokia Phones

https://www.vice.com/en/article/v7beyj/car-thieves-tech-hidden-old-nokia-phones-bluetooth-speakers-emergency-engine-start-keyless

Dog Hunt Finding Decoy Dog Toolkit

https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/