Mondelēz International is notifying more than 50,000 current and former employees that their personal data were compromised when a hacking group stole data from a law firm, Bryan Cave Leighton Paisner LLP. The intrusion was detected in late February 2023; the law firm notified Mondelēz of the incident in late March. In late May, “based upon additional information received from Bryan Cave, Mondelēz determined that it finally had enough information to determine who was impacted and that affected individuals should be notified.”
Another reminder of how complex supply chains are – law firms, outsourced employee benefit services, etc. are part of the attack surface in your “supply” chain that can lead to data exposure.
This and the HWL Ebsworth attack [second story in Rest of the News] remind me of the quote by the bank robber Willie Sutton: “I rob banks because that’s where the money is.” In this case, law firms are ‘cyber robbed’ because that’s where the data is. Specific to this cyber breach, a couple of reminders: 1) data owners have a responsibility to understand how the law firm protects the information entrusted to them; and, 2) details of the attack and victim notification should be shared more quickly, and not wait for all the information to be stitched together.
Mondelēz owns multiple brands including Sour Patch Kids, Chips Ahoy, Triscuit, Wheat Thins, Oreo and Ritz, and was not directly penetrated. This is a case of the third-party service provider being compromised. Bryan Cave was compromised in February and started notifying impacted clients in March; it wasn't until May 22 that Mondelēz had enough information to understand who was impacted and start their notification process. Consider your third-party notifications, not only that they have a timeliness requirement, but consider the impacts of having sufficient information to begin your own analysis and response. Maybe sit down with those who are processing/storing sensitive information for you and see what can be optimized.
Sources: The Register, Reg Media
Apple has released updates to address vulnerabilities that are being actively exploited to install spyware. Two of the vulnerabilities affect WebKit and can be exploited to execute arbitrary code. The third vulnerability can be exploited to gain elevated privileges. Updates are available for iOS, iPadOS, macOS, and watchOS.
Apple released updates including iOS/iPadOS 16.5.1, 15.7.7, macOS 11.7.8, 12.6.7, 13.4.1, watchOS 9.5.2 and 8.8.1. While there are only three CVEs here (CVE-2023-32434 (Kernel flaw, allowing privilege escalation), CVE-2023-32439 (WebKit flaw allowing arbitrary code execution), CVE-2023-32435 (WebKit memory corruption flaw)) they are severe enough to warrant taking immediate steps. Let your MDM push out the update to your mobile devices, then queue up the fixes for your Mac systems.
Today, Apple is no different from other major OS vendors. Given that these vulnerabilities are being actively exploited, the guidance is pretty simple: download the patch and update the software for each of the Apple products in your environment.
Timely. Also much faster than most Apple updates. Turn on Automatic Updates; it really should be the default setting.
Sources: ISC, SC Magazine, ZDNet, Dark Reading, Bleeping Computer, Cyberscoop, Apple, Apple
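The fix versions listed in the Apple story are per major release, so a fleet check cannot simply sort version strings: macOS 13.4.0 sorts above 12.6.7 yet is still unpatched. The script below is an added example (not from the newsletter, Apple, or any MDM vendor) that evaluates a constructed inventory export against those branch-specific fix versions; the CSV shape and device names are assumptions.

```python
# Compare MDM inventory rows against the Apple fix versions named above.
# Naive ordering fails: macOS 13.4.0 sorts above 12.6.7 yet is unpatched,
# because each major release carries its own fix, so check per branch.

# Minimum fixed version per platform and major release, from the updates
# in the story (iOS/iPadOS 16.5.1, 15.7.7; macOS 11.7.8, 12.6.7, 13.4.1;
# watchOS 9.5.2, 8.8.1).
FIXED = {
    "iOS": {16: (16, 5, 1), 15: (15, 7, 7)},
    "iPadOS": {16: (16, 5, 1), 15: (15, 7, 7)},
    "macOS": {11: (11, 7, 8), 12: (12, 6, 7), 13: (13, 4, 1)},
    "watchOS": {9: (9, 5, 2), 8: (8, 8, 1)},
}


def parse_version(text):
    """'13.4' -> (13, 4, 0); missing trailing components count as zero."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_patched(platform, version):
    """True if version is at or above the fix for its own major branch.

    A major release with no listed fix (e.g. macOS 10.x) is reported as
    unpatched: it is out of support or needs a full OS upgrade.
    """
    ver = parse_version(version)
    fix = FIXED.get(platform, {}).get(ver[0])
    return fix is not None and ver >= fix


def unpatched_devices(inventory):
    """Names of devices in 'name,platform,version' lines that need updating."""
    flagged = []
    for line in inventory.strip().splitlines():
        name, platform, version = [f.strip() for f in line.split(",")]
        if not is_patched(platform, version):
            flagged.append(name)
    return flagged


# Constructed sample export (hypothetical devices), CSV-style.
SAMPLE_INVENTORY = """
cfo-iphone,iOS,16.5.1
intern-ipad,iPadOS,15.7.6
build-mac,macOS,13.4
legacy-mac,macOS,11.7.8
old-mac,macOS,10.15.7
ops-watch,watchOS,9.5.2
"""

if __name__ == "__main__":
    print("needs update:", unpatched_devices(SAMPLE_INVENTORY))
```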
Cyber espionage actors with ties to China have been using malware that spreads through USB drives. Researchers from Check Point have found evidence of attacks using the compromised drives on systems at organizations in Myanmar, South Korea, Great Britain, India, and Russia.
The initial compromise appeared to be allowing a USB drive, used on the road, to be inserted into a compromised system which happily conscripted the USB drive, which then infected the user's system when they returned from the trip. Make sure your EDR is watching USB and other removable media. This is largely a human problem, where you need to raise awareness about sharing and using removable media, particularly from unknown sources, and encourage the use of cloud-based services for sharing data. Consider the use of media scanning kiosks which both scan and copy the data from unknown media to known good media without "hitchhikers."
This, and the news item on military personnel having “unsolicited smartwatches” sent to them is a good reminder to check your security program controls and “tip sheets” for coverage of physical threats in general – before the next Anthrax-filled envelope or trojan-ed smart watch arrives. The US Postal Service Publication 166 (https://about.usps.com/publications/pub166.pdf) is a good source for mailroom security guidelines. Awareness programs need to address unsolicited devices along with unsolicited email offers, etc.
What’s it been? 20 years since infected USB drives made the rounds as a security risk and cybersecurity talking point? I guess it’s time to dust off the security awareness training materials and policy guidelines for USB drives.
Sources: Check Point, SC Magazine, Dark Reading, The Hacker News
Members of the US military have reported receiving unsolicited smartwatches via mail. According to the Department of the Army Criminal Investigation Division, the “smartwatches, when used, have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data.”
Like picking up a USB drive in the parking lot, unsolicited IT, including smart watches, needs to be considered hostile until proven otherwise. You're going to spend way more than that device costs cleaning up any damage. Beyond training employees to use caution, make sure that you're not making purchases of those devices hard or impossible, thus encouraging creative workarounds.
Australian law firm HWL Ebsworth has confirmed that a “threat actor had accessed and exfiltrated certain information” on its systems. HWL Ebsworth learned of the incident on April 28. The law firm has high profile clients, including governments and financial institutions; the firm has obtained an injunction that prohibits media from reporting on the specifics of the leaked data.
The firm is not paying the ransom demand and has determined about 4TB of data was exfiltrated. HWL Ebsworth's high-profile clients include National Australia Bank, the state government of Tasmania, and the Office of the Australian Information Commissioner, among others. With that in mind, seeking an injunction blocking media reporting of leaked data is understandable, if the goal is to keep your client list a secret. Keep in mind that those who would use the data for nefarious purposes aren't going to let that distract them. Use this as a thought exercise about how loss of data relating to current cases or projects could impact you and what you could do to minimize the impact. Also consider where you may have concentrations of sensitive data which may not be adequately protected.
Adversaries go to where the data they seek is located. Knowing that, CIS moved Control 3 (Data Protection) up in priority with the release of version 8 of the critical security controls. When information is shared or maintained by third parties, HWL Ebsworth in this case, data owners have a responsibility to understand how that information is protected. Boards should use this cyber breach to review where their sensitive data is managed, by whom, and what safeguards are in place.
Sources: HWL Ebsworth, The Register
The US National Institute of Standards and Technology (NIST) has published a notice in the Federal register “invit[ing] organizations to provide letters of interest describing products and technical expertise to support and demonstrate security platforms for the Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems.” The collaborative effort will begin no earlier than July 20, 2023.
The Water ISAC guidelines published in 2019 covered this ground pretty well – NIST even shows a full mapping from NIST core requirements to the W-ISAC document across the key OT areas of Asset Management, Data Integrity, Remote Access, Network Segmentation. I think the real issue to be addressed in locally funded and managed critical infrastructure (such as water and voting systems) is not that different security technology is needed, but support in overcoming governance and funding obstacles.
If you're in this sector, here is a chance to enter into a cooperative research and development agreement (CRADA) with NIST's National Cybersecurity Center of Excellence (NCCoE) to develop relevant and current guidance which will be incorporated into a NIST SP 1800 series practice guide. NCCoE has a web site focused on securing water and wastewater utilities with more information - https://www.nccoe.nist.gov/projects/securing-water-and-wastewater-utilities
While the notice by NIST is important, the Water and Wastewater sector can take positive cybersecurity steps today. Take a look at some of the cybersecurity guidance available now and adapt as needed to your environment. You may just find that most of the cyber safeguards recommended are applicable to your environment. As has often been said, all critical sectors have more in common when it comes to cybersecurity safeguards than not.
Users are being urged to install patches to fix a high-severity vulnerability in Cisco Secure Client Software for Windows (formerly Cisco AnyConnect Secure Mobility Client) that could be exploited to gain SYSTEM-level privileges. Cisco released updates to address the arbitrary file delete vulnerability earlier this month; patching is now more urgent as a proof-of-concept exploit has been released.
What has changed is the release of the POC exploit. Prefer using your software management system to push the update, as the built-in update is where the flaw lies; evaluate going as far as an uninstall/reinstall. After hitting your systems, consider making the self-update option available for remaining clients.
As a cyber defender, whenever you see phrases like ‘actively exploited’ or ‘proof of concept exploit’ you must prioritize the vulnerability as part of the patch management process. Bottom line: download the patch and update your software now.
Sources: Bleeping Computer, Dark Reading, Security Week, Cisco
Gen Digital, the parent company of Avast, Avira, AVG, Norton, and Lifelock, has disclosed that its systems were compromised via a vulnerability in the MOVEit managed file transfer software. Gen Digital said the ransomware attack resulted in the exposure of employee data. Other organizations reporting that they were victims of MOVEit-related attacks include the Minnesota Department of Education and the Illinois Department of Innovation & Technology.
Expect to continue to hear about more MOVEit compromises. If you are using MOVEit, patched or otherwise, you should be checking for compromise, regardless of whether you think you're a target. Blood is in the water; MOVEit services are actively being identified and compromise attempted when discovered. Even though MOVEit solved a problem for secure file exchange, this is an excellent time to consider an alternate solution.
Zyxel has released firmware updates to fix a critical vulnerability in its Network Attached Storage (NAS) devices. The pre-authentication command injection vulnerability could be exploited to remotely execute operating system commands using a maliciously crafted HTTP request. The issue affects NAS326, NAS540, and NAS542, and is addressed in firmware versions V5.21(AAZF.14)C0, V5.21(AATB.11)C0, and V5.21(ABAG.11)C0, respectively.
NAS devices remain prime targets as they often have exploitable flaws and are frequently exposed to the Internet. Apply the updates, and make sure your user list is current. Zyxel also advises not exposing NAS devices directly to the Internet. Restrict access to the local network or VPN connected users.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems (ICS) security advisories for vulnerabilities in the Enphase Envoy energy monitoring device and the Enphase Installer Toolkit Android App. Both vulnerabilities – a command injection issue and a hard-coded credentials issue – are remotely exploitable. Enphase has indicated that it is working on mitigations for the vulnerabilities.
Note that CISA disclosed the flaws to Enphase, who decided to ignore the report. In today's climate, you must have a vulnerability disclosure program that isn't just an unmonitored mailbox. After the alerts were published is not the time to notice you have a flaw; even if that happens, take action, as Enphase is doing, to address the issue. Until the updates are available, isolation and monitoring are the primary mitigations you need to implement. Even once patched, make sure that access remains limited to authorized users, and you've got alerts on abnormal activity.
It appears that CISA has ‘shamed’ Enphase into addressing the vulnerabilities by releasing the two security advisories. Every product vendor has a responsibility to correct, when reported, deficiencies in their products. Hard coding credentials into a product has been a poor security practice for well over a decade. Enphase should revisit established cybersecurity best practice guidance for both IoT and ICS products.
Analyzing a YouTube Sponsorship Phishing E-Mail
Malicious Code Can Be Anywhere
https://isc.sans.edu/diary/Malicious+Code+Can+Be+Anywhere/29964
Apple Updates Already Exploited Vulnerabilities
Heap Buffer Overflow in VMware vCenter
https://www.vmware.com/security/advisories/VMSA-2023-0014.html
GitHub RepoJacking
Zyxel Vulnerability
Huawei Vulnerability
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-7015cbae-en
Asus Vulnerability
https://www.asus.com/content/asus-product-security-advisory/
VMware Aria Vuln Exploited
https://www.vmware.com/security/advisories/VMSA-2023-0012.html