Check That You Really Are Meeting Data Retention Requirements; Patch Fortinet FortiNAC Now; Follow NSA Recommendations to Reduce BlackLotus Bootkit Risk

A lot of errors in this one. A third-party vendor service was claiming to be compliant with FINRA rules of enforcing 3 year retention requirements, but neither JP Morgan or FINRA noticed that it really wasn’t. Good idea to check your processes or services to see if too little or too much deletion is really happening.

You can outsource the task but you cannot outsource the responsibility. Always make sure that your third-party suppliers are fully aware of the compliance, regulatory, legal, and contractual obligations your organization, and therefore they, have to operate under.

In a regulated space, archives are a big deal. Know your retention requirements, and what disposition means. In the public sector, that means you’re likely obligated to turn over records, including email, to the national archives.

This appears to have been a lapse by JP Morgan Securities in validating that the third-party vendor was meeting the compliance controls required for data retention. It’s a financially painful lesson for JP Morgan Securities but one that others can learn from.

All right, let's roll those updates. If you're running FortiNAC version 8.x, you really need to upgrade. The flaw addressed, CVE-2023-33299 has a CVSS score of 9.6, and moreover, is likely one of your cornerstone solutions for zero trust. As we move into new worlds like ZTA, you're going to have to pay heightened attention to access control points to ensure they remain pristine.

I am always concerned when I read about large network vendors as they usually have product lines that we are familiar with and think of and product lines that are not what we would consider putting in an enterprise at all. Fortinet is a very large company that has moved beyond just firewalls, and as such, this story does not reflect FortiGate, which has been in the news for years. This bug affects FortiNAC, which I believe was the Bradford Networks Acquisition. Don’t expose these management interfaces to the internet; internally, try reducing the attack surface area.

Basically, the task is to raise the bar on the UEFI by scanning it for inappropriate software and ensure its integrity, using application blockers to limit which updaters can run, and remove the MS Windows Production CA 2011 cert from the SecureBoot's DB on systems only running Linux. Note that you can only effectively remove the BlackLotus EFI binary by completely reimaging, so do all the up-front work to avoid this scenario.

If you have Windows devices in your environment, and chances are you do, read this document. This will require some work from teams to resolve, not a simple patch.

Patching is still the preferred solution for a product vulnerability. That said, sometimes in the rush to push a patch to protect its product users, compromises are made. The vendor, MSFT in this case, pushed two patches, but for reasons not mentioned, didn’t revoke trust in unpatched boot loaders via the Secure Boot Deny List Database. Having clarity on how active a threat this is would help organization make the risk determination to apply the resource intensive guidance listed by NSA, while waiting for the next update from MSFT.

The recently released national cybersecurity strategy emphasized the shifting of liability to product and service companies. This action appears to be another signal to the market that companies will be held responsible. What’s interesting though, is that the SEC recommended an enforcement action against SolarWinds over its public statements on cybersecurity and procedures governing such disclosures. Is this a case where the issue is about statements made, or not, in the context of financial regulations rather than a lack of appropriate application of cybersecurity?

This really just indicates the beginning of the investigation to see if failures that allowed this compromise to happen were known and not acted on, or just not known. From a customer perspective, both are equally bad – a supplier of software that is installed at the heart of IT operations with full access needs to be held to higher standards that require at least essential security hygiene be maintained to assure software product integrity.

The SolarWinds SEC issues will be interesting to follow as the MOVEit vulnerabilities surface. Is there going to be a correlation between the situations?

This is currently a case of he-says, she-says. The SEC states that SolarWinds didn't properly disclose their breach in 2020, while SolarWinds contends they performed as required. This is an argument to make careful records of not only your breach disclosures, but the basis or regulations you feel you were following.

Hopefully this is a step toward holding suppliers accountable for shipping malicious code.

With so many companies using Teams, this could be an interesting bug. It’s more interesting that Microsoft will not address it right away. Typically, the reason is either that it’s a complicated thing to fix and will require some time to solve, or that it’s very difficult to exploit, and widespread exploitation has not happened. The silver lining here is that it’s a hosted service, so Microsoft will patch it for you.

Teams is one of those annoying Microsoft apps that seems to constantly turn itself on after being shut down, so many instances of it running with the default configuration even where it is not being used.

We’ve seen an increase in the use of collaboration platforms by enterprises, Teams being one example. These platforms allow seamless integration with other organizations. It stands to reason researchers [to include evil-doers] would start to probe this new means of access for malware delivery. It does reinforce the need for security vendors to ensure their products account for this access method. Bottomline though: effective configuration and patch management is still the best defense to limit the attacker’s foothold.

Looks like Suncor didn’t live up to the World Economic Forum “Cyber Resiliency Pledge” it signed just last year. That pledge was triggered by the Colonial Gas Pipeline incident, which highlighted that resiliency meant more than protecting OT and systems directly related to production/distribution – business is interrupted if billing/payment and other systems are brought down.

If you're going to a Suncor or Petro-Canada station, be prepared to pay cash, and that carwash season pass, not so much either. They still appear to be working on recovery, and their forensics don't yet indicate any customer data has been exfiltrated. We need to see what we can learn from this attack to see what's familiar and can be mitigated.