SANS NewsBites

MOVEit Transfer Users Need to Patch ASAP; Gigabyte Motherboard Users Need to Update; Update Web Defenses to Thwart Evasive New Skimmer Attacks

June 6, 2023  |  Volume XXV - Issue #45

Top of the News


2023-06-05

Zero-day Vulnerability in MOVEit Transfer is Being Actively Exploited

A zero-day vulnerability in the MOVEit Transfer managed file transfer software is being actively exploited to steal data. The critical SQL injection flaw can be exploited to allow database access without authentication. Progress Software has released fixes for supported versions of MOVEit Transfer. They have also deployed a fix for MOVEit Cloud. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog.

Editor's Note

If you haven't patched yet: You are too late. Technically, this wasn't quite a "0-day" in that the patch appeared a bit ahead of the public exploit.

Johannes Ullrich

If the vulnerability fix being due 6/23 on the KEV catalog doesn't support your case to deploy the fix quickly, add that it's being actively exploited. You really don't want to have the conversation about why you didn't deploy the update when you knew the vulnerability was being actively exploited.

Lee Neely

Words like ‘zero-day’ and ‘actively exploited’ should be enough for information security professionals to prioritize this vulnerability at the top of their patch list. It now comes down to a race between evil-doers that want to exploit the vulnerability and organizations to patch this software in their enterprise.

Curtis Dukes

2023-06-05

Gigabyte Releases Updates for Backdoored Motherboards

Gigabyte has released BIOS updates to mitigate a backdoor vulnerability in 270 models of their motherboards. The backdoor, detected by researchers at Eclypsium, exists in the Unified Extensible Firmware Interface (UEFI) firmware. When computers with vulnerable motherboards restart, the firmware in question "initiates an updater program that runs on the computer and in turn downloads and executes another piece of software."

Editor's Note

"Backdoor" makes for a better headline, but it was really more an insecure update process. To me, a default/support password could be called a "backdoor". Still a critical flaw and I appreciate Gigabyte fixing it.

Johannes Ullrich

The real issue is Gigabyte and other firmware-based product vendors deciding to avoid embedding Windows executables in firmware. Gigabyte’s statement at least says they will thoroughly test and validate such embedded executables: “GIGABYTE engineers have already mitigated potential risks and uploaded the Intel 700/600 and AMD 500/400 series Beta BIOS to the official website after conducting thorough testing and validation of the new BIOS on GIGABYTE motherboards.”

John Pescatore

UEFI really changed the capabilities of securely booting systems, but it also provides an opportunity to embed executables which can be executed by the Windows OS. Even more daunting, the embedded malware exists in the firmware, not your regular storage, so it persists across reboots and power events. At the very least set a BIOS password to deter malicious changes. Better still, monitor systems for vulnerable firmware versions and update them securely to mitigate risks.

Lee Neely

There are advantages, and unfortunately, some disadvantages to auto-updates. The advantage: doesn’t require a human to grab the update and apply it. The disadvantage: if an evil doer can spoof or manipulate the update, they likely drop malware on the device. In this case, it’s a serious risk but several cybersecurity defenses would need to fail for the attack to be successful. That doesn’t mean it can’t happen, just that the degree of difficulty is high. Defenders, take the easy mitigation: switch off the auto download and install feature. You can always turn it back on once the vendor fixes the problem.

Curtis Dukes

2023-06-05

eCommerce Card Skimming Campaign Uses Legitimate Websites as C2 Infrastructure

Researchers at Akamai have detected “a new ongoing Magecart-style web skimmer campaign” that aims to steal payment card data and personally identifiable information from websites. The scheme involves using compromised websites as temporary command-and-control (C2) servers that are then used to distribute the card-skimming malware.

Editor's Note

This attack is targeting Magento, WooCommerce, WordPress and Shopify environments. Mitigate the risks through several approaches: install a WAF as close to your commerce site as possible (to avoid options to bypass it), validate the integrity of the packages installed to detect unauthorized/unexpected changes, and make sure that you're forwarding application and server logs to your SIEM for visibility to events.

Lee Neely

A good example of attackers moving to more complex attacks after web site security practices were improved after the Magecart attacks started in 2018 or so. This attack exploits web security gateway approaches that don’t have reputation feeds that can keep up with compromised sites within trusted domains.

John Pescatore

Over the last few months there has been a rash of WordPress plug-in vulnerabilities reported. Now details are emerging of a lucrative card skimming campaign underway. Never underestimate the ability of an evil-doer to improvise whilst going for your digital currency. The first line of defense is, and continues to be, patch management. This campaign isn’t successful without vulnerable digital commerce platforms to exploit.

Curtis Dukes

These attacks exploit the continued acceptance of Primary Account Numbers in the clear on e-commerce sites. E-commerce merchants should accept payment only using proxies like PayPal and Apple Pay. This protects them from liability for fraud, provides them with a verified customer name and address, and is more convenient for the buyer. Buyers should prefer merchants that provide them with a proxy payment option, and use tokens (from, for example, privacy.com), rather than credit or debit card numbers, where proxies are not offered.

William Hugh Murray

The Rest of the Week's News


2023-06-06

Verizon’s 2023 Data Breach Investigations Report Shows Slight Decrease in Breaches

Verizon has published its 2023 Data Breach Investigations Report (DBIR). Verizon has compiled the information for this report from incidents reported between November 1, 2021 and October 31, 2022. In that period of time, Verizon analyzed 16,312 security incidents and 5,199 confirmed breaches.

Editor's Note

Always a good read to focus your attention before hacker summer camp. No surprise, ransomware remains a concern, albeit possibly reaching a plateau, in contrast to DDOS attacks which are growing in frequency and impact. Also, it reminds us that our insider threats are probably more impactful than watching for APTs, noting about 1 in 5 breaches involved some sort of insider, intentional or deliberate, to enable them. The good news is you can address insider threat; it is far less nebulous than some nation state actor who may or may not care about your enterprise, and there are lots of tools to help secure the humans.

Lee Neely

This for me is a must-read for all cybersecurity professionals as the data is presented in an easy to read and easy to digest format. The headline stat for me regarding this year’s report is that 74% of all breaches include the human element. The top three methods of attack are stolen credentials, phishing, and exploiting vulnerabilities, so we should be focusing more on managing the human risk.

Brian Honan

The Verizon DBIR has become the de facto standard annual report on data breaches and will be pored over by cybersecurity professionals in the coming weeks and months. In the last few years, the Verizon team has included mitigation strategies in the annual report. As they note, using the CIS critical security controls as the starting point should serve you well. A couple of quick comments on this year’s report: 1) yep, ransomware attacks are up in 2023, no real surprise there; 2) more effort needs to be placed on protecting against the malicious insider [to include contractors]; 3) DDoS attacks ebb and flow but can still be a problem.

Curtis Dukes

Concur with Brian Honan that this is "must read." It offers authoritative open source intelligence. It is both rigorous and transparent in its methodology. It first appeared when Verizon's incident response practice began to have enough cases to be able to draw useful inferences across their population of cases, rather than simply from anecdotes. Today it is an essential tool to understand the increasing data available.

William Hugh Murray

2023-06-05

SMB Signing Default Coming to Windows 11

On Friday, June 2, Microsoft released the Windows 11 Insider Preview Build to the Canary Channel. In this build, Server Message Block signatures are required by default for all connections. Previously, Windows "required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them."

Editor's Note

SMB Signing prevents interception and relay attacks. That said, not all third-party SMB servers support this, so you're going to need to work with your vendor to incorporate the feature. SMB signing can reduce the performance of SMB Copy operations; mitigate that by adding CPU cores, virtual CPUs, or newer/faster ones. Active Directory domain controllers already required SMB signing for any client connected to them.

Lee Neely

Microsoft continues to ‘inch up’ the security ratchet across its products and services. Their strategy seems to be to protect the most lucrative targets first, get the user comfortable with the security mechanism, and then deploy more broadly with the next release. Well done.

Curtis Dukes

2023-06-03

DEF CON: Hack-A-Sat 4

In August, some DEF CON hackers may have the opportunity to break into and hijack a satellite. Previous Hack-A-Sat events utilized simulations; Hack-A-Sat 4 will be “the world’s first CTF competition in space.” Moonlighter, which was manufactured by The Aerospace Corporation, in partnership with the US Space Systems Command and the Air Force Research Laboratory, is being called “the world’s first and only hacking sandbox in space.” The event will be hosted by the US Air Force and Space Force.

Editor's Note

To obtain access to hacking the real satellite, you had to pass the qualification rounds in April. Since this is a real bird, in space, intended to be tested, there are redundancies in both the on-board computers and communication paths, as it is slightly out of range for walking up and rebooting it. The trick is those redundancies also offer added pathways the hackers may be able to leverage to take it over. This could be a fun village to swing by if you're at DEFCON this year.

Lee Neely

Kudos to the US Defense Department for having the vision to make this a reality. While simulations are useful, there’s nothing like the real-thing to test and validate security principles. Our collective dependency on space-based assets in everyday life has grown to a point that it’s time to ensure those assets are protected from cyber-attack.

Curtis Dukes

2023-06-02

Enzo Biochem: Clinical Test Data Stolen in Ransomware Attack

Enzo Biochem says that a ransomware attack earlier this year affected information of nearly 2.5 million individuals. The company said that the attackers exfiltrated data, including names, Social Security numbers, and test information. The New York-based biotech firm disclosed the incident in a US Securities and Exchange Commission (SEC) filing, noting that they followed their disaster recovery plan and that operations were not disrupted.

Editor's Note

In the SEC filing, the company CEO indicates that the attack may lead to additional regulatory scrutiny. The NY Attorney General (AG) has settled several cases over the last few weeks in which it determined that the company failed the basics when it came to implementing their cybersecurity program. Enzo Biochem can expect that the NY AG will be applying the same ‘standard of reasonableness’ rule with this ransomware attack.

Curtis Dukes

Really good to hear a BC/DR plan success story. That said, disclosure in the SEC filing is not sufficient in 2023. Make sure that you are directly notifying customers and partners well before you're filing your 8-K. Additionally, there should be notification to impacted customers and employees as soon as loss of their data can be confirmed.

Lee Neely

2023-06-05

KeePass Releases Update to Fix Password-Leaking Vulnerability

A vulnerability in the KeePass password manager allowed the cleartext master password to be extracted from an application memory dump. The problem lies in the way SecureTextBoxEx processes input. Developers of the KeePass password manager have released KeePass v2.54 to fix the vulnerability.

Editor's Note

Storing the database master password in cleartext in memory, in hindsight, doesn't sound like a great idea. I am pretty certain other things are in plaintext in memory (past and present); the good news is KeePass fixed the problem and has an update, using APIs to retrieve data from text boxes which prevents the creation of managed strings which could be potentially retrieved from memory. KeePass 2.54 also adds other security measures, such as moving Triggers, Global URL overrides and password generator profiles into the enforced config file to mitigate attacks which change the configuration. Once you update to 2.54, you should change your Master Password, delete crash dumps, hibernation and swap files, or perform a fresh OS install to prevent any chance of malicious credential recovery.

Lee Neely

2023-06-05

Zyxel: Patch Vulnerable ZyWALL Devices

Zyxel has published a security advisory urging users to install patches for three vulnerabilities affecting its ZyWALL devices. The advisory describes the improper error message handling issue and buffer overflow vulnerabilities as well as indicators of device compromise, including unresponsiveness, an inability to reach a device’s Web GUI or SSH management interface, network interruptions, and VPN connections disconnecting.

Editor's Note

If you can't update right away, or are otherwise delaying, make sure that you've disabled the admin interface from the WAN as well as disabling UDP Port 500 and Port 4500 if you're not using their IPSec VPN. If you previously checked your Zyxel products and found they were not impacted, check again: the affected products list has been growing.

Lee Neely

2023-06-02

Malicious PyPI Package Used Compiled Python Code

Researchers from ReversingLabs have detected an attack on the Python Package Index (PyPI) that hides malware in compiled Python code to evade detection. The researchers reported the malicious package in April, and it has been removed from the repository. ReversingLabs says that “It may be the first supply chain attack to take advantage of the fact that Python byte code (PYC) files can be directly executed … and … if so, it poses yet another supply chain risk going forward, since this type of attack is likely to be missed by most security tools, which only scan Python source code (PY) files.”

Editor's Note

The trick is being cautious with compiled Python code (.PYC files). Code scanners don't currently decompile them, and they are easily incorporated into a small Python script using importlib.util - which looks completely innocuous. You may want to identify where you're using PYC files and put some rigor on testing them prior to introducing them to mainstream environments. ReversingLabs provides a checksum for this particular malicious PYC file - so it'd be prudent to scan for it, just in case.

Lee Neely

Internet Storm Center Tech Corner

Brute Forcing Simple Archive Passwords

https://isc.sans.edu/diary/Brute+Forcing+Simple+Archive+Passwords/29914

KeePass 2.54 Released

https://keepass.info/news/n230603_2.54.html

Splunk Advisories

https://advisory.splunk.com/advisories

Malicious Google Chrome Extensions

https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/

Symantec Updates

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22217

Critical Vulnerability in MOVEit Transfer Actively Exploited

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Atomic Wallet Compromise

https://www.bleepingcomputer.com/news/security/atomic-wallet-hacks-lead-to-over-35-million-in-crypto-stolen/

Magecart Update

https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains