If You Haven’t Patched FortiGate Firewalls By Now, You’ve Been Compromised; Patch Netwrix Auditor ASAP; Snappy Is a Useful Rogue WiFi Detector; Check Processes and Playbooks to Make Sure You Can Rotate API Keys

The headline should probably read that these firewalls area likely already compromised. Patching them may not suffice.

That figure means only about 31% of internet exposed FortiGate devices have been patched in the three-and-a-half weeks or so since Fortinet released the patch. “Time at known risk” is something that needs to be decreasing. If limited downtime windows are the reason (vs. just not noticing the risk), time to escalate to management that one incident will overcome years of availability gained from shortened changed windows.

The flaws affects devices with VPN enabled, so there is a likely chance some of these are not running the VPN. The trick here is that the vulnerable code is present even if the VPN is not used, necessitating an update. The narrowness of the flawed services allows you to test the update before going to production, but you still need to keep moving forward. If you haven't recently, you may want to run a Shodan search for devices in your address space you might have missed.

The first thing I do when I see the headlines is make sure I had the latest version of the firmware on a FortiGate I have. Now that this is out of the way, I must say a few things. First, it’s hard to figure out when to patch these things. It’s not automatic, and it’s ad-hoc. It also can break; I had one of my settings breaks after an upgrade. I understand why the administrators are not patching because they may not be aware and maybe concerned about a big outage. This is, however, concerning that the number mentioned is 336,000. It’s also concerning that it's an attack on VPN. If this is true, I can only imagine that hundreds of thousands of companies could be completely owned by now. I hope that is not the case and this is just based on old Shodan data. If this is true and the numbers hold up. Expect a lot of breaches in the upcoming months (years?).

Well this is depressing news: fully two-thirds of FortiGate firewalls not yet been patched a month after the fix was released. If cyber criminals haven’t already, they will certainly read Bishop Fox’s blog and take advantage of those organizations that fail to patch the vulnerability lurking in their infrastructure.

The “known time at risk” of this one is over a year, impossible to justify that. Security tool vendors should start building in “patch before use” fail-safes, kinda like those breathalyzer ignition switches that prevent drunk driving.

Here’s an example of a vulnerability that was properly disclosed and patch issued over a year ago. Here’s my question: how many customers have yet to download and install the patch? Perhaps a better approach would be for the vendor to take the advisory and targeted communication to those organizations still affected by the vulnerability.

Ingest the IOCs from the CISA alert to help hunt for and respond to Truebot incidents regardless of having the Netwrix Auditor, attacks are on the rise leveraging tools such as Cobalt Strike (RAT), Teleport (data exfiltration), Flawed Grace (RAT) and Raspberry Robin (wormable malware).

This tool uses an interesting approach, which is likely going to work. It would be nice to have this functionality integrated into the operating system. Yes, the approach isn't foolproof, but it does look like a worthwhile effort.

This is a cool piece of Python code, leveraging scapy. You need to feed it a pcap of beacon management frames, and it produces fingerprint information as well as detecting AP's created by AIRBASE-NG. Most definitely get this to your Wi-Fi team and could be a cool addition to a wireless security class.

I am a big fan of reading the source code of tools you run like this. Surprisingly simple source code to read, maybe under 100 lines. However, of all the tools released in a while, this one seems to have struck a chord. We keep forgetting that Rogue WIFI is a thing.

Encryption, digital signatures, and strong authentication are all becoming increasingly important as generative AI makes disinformation easier to create and harder to detect. Key rotation, whether driven by “abundance of caution” during an incident, or at regular intervals (such as every 90 days as recommended by major players like Google and Okta) needs to be planned for, tested, and performed periodically.

Remember that you may need to invalidate API keys during an incident, particularly if they are compromised. An important step is to communicate to those affected, including instructions for generating new ones. Even if the compromised key is just your "client" key to a service, you need to follow any reporting requirements as they may want to forensicate and may need to take added steps.

It’s never a good thing when a vendor has to force an access reset on its user base. This gives some indication to the severity of the security incident they are dealing with. The reset will cause some impact to customer operations but at least the instructions for generating new API keys seem straight-forward.

This is not good, considering that JumpCloud is like an IdP, having an incident is really bad news for users of the system.

Privacy laws in the US are still a patchwork that vary by state. This ruling aligns NJ with the rest of the country when it comes to privacy protections and legal oversight of data access requests by law enforcement. Perhaps Congress will help sort this patchwork out by enacting new privacy legislation.

Having some guard rails on the legal process is appropriate, and using the wiretap analogy to monitor data is about as close of a fit without waiting on new regulations. Even with a wiretap order, the question remains as to whether organizations like Facebook, Google and Microsoft will honor them as being good enough.

This makes a lot of sense in the digital age. Think of real-time access to a real-time phone call. This could be via voice over IP, Webex, zoom, direct messages, SMS, MMS, iMessage, and many other real-time communications media. Think of legacy posts as a voicemail. If the order relates to real-time communications, then I think it should stand to reason that wiretap is appropriate, if not badly named.

The NUTS is employing a team of 60 to restore and re-write lost data. Consider the speed and size of that response and if you could pull that off. Currently, this is believed to be a LockBit 3.0 (aka LockBit Black) attack, and the NUTS will join the likes of Royal Mail on their victims list. The LockBit operators are known for exfiltrating and publishing data. Their TTPs are also well known, and decryption keys are available. CISA's Alert aa-23-075a (#StopRansomware: LockBit 3.0) https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a is a good reference and worth reviewing to see how you would fare if the tables were turned.

Ransomware gangs don’t differentiate when it comes to targets of attack. Here’s an association, Nagoya United Terminal System, that is the largest container shipper in Japan. One would expect that they have ample budget for cyber defense and are well aware of the attack tactics and techniques used by ransomware gangs. It still comes down to a relentless focus on the basics: know your environment (HW, SW, Data); configuration management, and patch management. Ransomware gangs are not super-human.

Kudos to the security team at the Port of Nagoya in restoring systems and services 48 hours after being impacted by ransomware. While prevention is always the better option having quick, effective, and efficient incident response and recovery capabilities in place is equally important.

This set of vulnerabilities includes two D-Link vulnerabilities. This, and the story about FortiGate vulnerabilities, are good reminders to have a monthly "perimeter patch day". Add it to your calendar and double check that day if there are any updates for routers/firewalls. This is particularly useful for smaller networks. It can be difficult to notice new firmware releases. And remember to track the "End of Support" for these devices.

The identified D-Link products are targeted at home and small businesses, so you may have to look at remote sites or one-off environments to find them, if you have them. The challenge to the Samsung updates is that with Android, you need to apply and check for new updates as they are not always cumulative, and not all your devices will be eligible for these updates. Map your device inventory against their EOL dates to find devices you'll need to replace rather than update.

How many federal agencies have D Link Routers and Access Points? Not knocking the consumer products company that services many individuals, but federal agencies?

Swatting can and has been prosecuted under several existing federal laws, with time in jail included. I don’t think we really need some federal law just so headline writers can say “Swatting on Tuesdays increased 27% last week, plus 310 million people at risk for thunderstorms.”

While the FBI tracking swatting will help track and monitor the crime, without good swatting laws, there isn't going to be a sufficient disincentive to stop the attacks. This is also a call to report any information you have on individuals planning on engaging in a swatting event to help law enforcement get ahead of the problem.

A responsible move by the FBI. Swatting attacks have become a serious problem in this country with deadly consequences. Creation of a database is a small but important first step. What really needs to be done is creation of a set of tactics, tools, and procedures to quickly adjudicate whether law enforcement response is required.

Swatting is a false crime report and is illegal in all jurisdictions.

The complexity of the issue is likely the reason there is no fix here, and as encrypted traffic can be both decrypted and modified, I'd say it's time to order replacements, and roll up your sleeves for a long weekend deploying them.

Disabling devices is a "workaround," one frequently called for.