Before Disposal, Double Check Sanitization of Anything With a Network Interface; Require Vendors to Assure Secure Implementation of UEFI and Secure Boot; Another Top Exploited Vulnerabilities List Highlights Need to Patch Faster

Reading the instructions, it appears the trick is that you need to reset the printer twice. Leaking a WiFi password may not be a huge deal to most users of these consumer level printers, but manufacturers need to do better in making reset procedures easy and reliable.

Make sure that you have sanitization processes for all devices with storage. In this case, Canon has you re-enable WiFi after resetting settings one time, then reset them again. Some devices, such as copiers, may have hidden storage you need to physically remove to sanitize. Don't forget to check for other things like originals or output quietly forgotten.

This one by itself is not a major risk, but a good reminder to pass on to home workers and to trigger a review of your organizations process for disposal of anything with a WiFi interface – don’t forget to check equipment used in the shipping office, reception desk, etc.

The CISA “How Can We Improve UEFI Cybersecurity?” section starts off by using the word “holistic” twice. Whenever I see that word in vendor advertising I substitute “imaginary;” in guidance like this I replace it with “a complex solution is required to deal with this problem.” The weaknesses in this area generally have to do with software and product vendors erring on the side of ease of use vs. difficulty of misuse. Microsoft’s advice from Black Lotus still holds: “…maintain ‘credential hygiene’ by following least-privilege access permissions. Organizations should avoid enabling ‘domain-wide, admin-level service accounts.’ They should also restrict local administrative privileges.”

UEFI adds a huge amount of capability to the boot process, including secure boot, which interacts directly with the OS, and includes the ability to hand code to the OS to execute at the system level. This means the security is much more critical than it was with conventional BIOS, to include the update process as with UEFI you can introduce code that persists across OS installs. Additionally, the days of a physical switch/jumper to allow firmware updates are long gone. While the blog is directed at the UEFI community, you want to track this as it will impact how you manage your enterprise.

If you set your “must patch ASAP” threshold at a CVSS score of 9.7 out 10 (high critical and above), you would have avoided all but one or two of these attacks. We are starting to see progress in reducing use of reusable passwords, really needs to be matched with reduced time to patch and overcoming old myths in IT operations about not being able to do so.

Exploiting boundary protections and remote access devices remains at the top because they work. You need to aggressively update and secure these devices. If you’re moving to ZTA, you need to apply the same strategy to all components involved in those access control decisions. After that, timely deployment of OS and application patches, modern EDR tools, and secure software development practices need to be SOP.

It is always sad to see security products listed.

Luckily, Ivanti appears to start copying the attackers and is reviewing its code for vulnerabilities now. This vulnerability was addressed before it was exploited in the wild.

The vulnerability (CVE-2023-35082, CVSS 10.0) affects MobileIron Core 11.2 and below. Version 11.2 has been out of support since March 15, 2022, and was resolved in version 11.3. There will be no fix for 11.2 or below, upgrade to a supported, patched version, e.g. 11.10.

Google’s data says 54.8% of cloud compromises were from weak or no passwords in use, and another 7% from “leaked credentials.” An additional 19% were enabled by “misconfiguration.” So, over 70% were easily avoided by applying the well-known essential security hygiene measures in cloud services.

Credential and resource management of your cloud services should be top of mind. Actively managing accounts, both expiration and authentication, as well as watching for unauthorized use of services will help you keep the bar high on your cloud services. Mobile users remain a prime target as the relationship with their phones is nothing like the one with their computer, if they have one. Imagine if you would, a legitimate app in the Google Play store, which then loads a malicious update from the attacker’s site, not the Play store, bypassing the controls there. Another form of that is an app that dynamically loads code from a site that contains malware. That is Versioning. Your primary defense is to allow app installs only from trusted sources and actively manage corporate devices with an MDM.

Reusable credentials continue to be implicated in a large portion of compromises. While strong authentication is offered as an option on many public applications, it is not at all clear what percentage of users adopt it. The resistance within the enterprise, where it should be mandatory, remains high is a major vulnerability.

Absolutely no surprise here. The headline should probably read that the servers were compromised multiple times. Each day.

CVE-2023-3519 carries a CVSS score of 9.8, so you deployed the fixes right? Don't be lulled into a sense of false security as the attacks are primarily focused in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil; make sure the fix is in now.