Check for Compromised Magento 2 Applications; Patch All PLCs Using CodeSys V3 SDK; Obtain Legal Counsel Review of Zoom and Other Collaboration Platform Privacy Policies

Akamai’s good news is that Web App Firewall filters were effective against the attack and they only saw a small number of targets. But, Magento has been a major target for almost a decade now - going unpatched for 18 months is reckless behavior.

Make sure that you're applying patches and you have a WAF in active (non-learning) mode. Even if you've applied the updates you should check for the IOCs as this vulnerability dates back to January. If you've outsourced web/app services to a provider, make sure that you understand what security checks and updates they do, versus your responsibilities, as well as verifying that any notifications are appropriately routed, preferably not to a single point of failure.

This story highlights two things: 1) the importance of an organization knowing its environment; and 2) the criticality of having an effective patch management process. Knowing your environment has three components: identifying all hardware, all software, and the location of all sensitive data on the network. That is extremely important when it comes to maintaining software updates. If you don’t do either particularly well, you become a statistic.

I would say patch, but I suspect the people affected by this will not patch anytime soon. At least not until rampant fraud, theft, or ransomware affects the site they are neglecting. My dad was an auto mechanic. Most people need to be made aware of how to deal with car maintenance. I suspect most store owners will also be unaware of website maintenance, but not in this respect.

While the vulnerabilities were patched, make sure that those patches were applied, the CODESYS V3 SDK is compatible with about 1000 different PLCs from about 500 different manufacturers; thus, you may have a wider impact than you otherwise would assume. You may want to engage with your PLC manufacturers to better understand how this affects you.

This one looks pretty bad as it affects many partners in the ICS ecosystem. If you are responsible for the security of these systems, ask your vendors how they are affected by this.

By definition, if enabled, this can be construed as a supply chain attack affecting a large number of vendors and their products. While each of the vulnerabilities requires user authentication, that is increasingly likely given the convergence of IT and OT networks. Hopefully over the last several months, those vendors affected have downloaded and patched the 15 vulnerabilities. Only time will tell.

The wording about not using your content for any AI training is pretty clear but if you consent to its use in other “Permitted Uses” areas, then it seems like that same data could be used by Zoom for other purposes. That may be OK for consumers and free use of Zoom but for paid corporate use there should be broader restrictions in the terms of service.

Be clear about differences in terms of services for paid and free users. In Zoom's case they don't appear to have a difference, albeit you would expect there to be, particularly for regulated industries. More services are taking measures to prevent generative AI from using their data, such as X (formerly Twitter) and Reddit limiting third-party API access.

Like most after action reports, this one states: “…Lapsus$ and related threat actors used primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data.” They also pointed out that the cell phone issue (like in many other cases) supported bypass of weak MFA implementations.

No rest for the CSRB. Straight off publishing its second report it already has been assigned a third study. The Lapsus$ study highlights the dependency on mobile carriers to prevent SIM swapping and the use of social engineering to enable an attack. The first is preventable, but it comes at a cost to user experience; so, a balancing act for the mobile carrier. The second is far more difficult, as social media platforms are now fully integrated into society and people believe what they want to believe. The upcoming cloud security study will be interesting, I look forward to what new findings the board uncovers.

I would highly recommend reading through the recommendations. Not all of them will apply to everyone. You may only be looking at the Outsourcing Responsibilities, or maybe just plain IAM and Passwordless. Nevertheless, worth the read!

Just as the CSRB found that simple things were leveraged by Lapsus$ to be effective, I'm worried they will find low-hanging fruit in cloud environments also aids compromise. While I'm pretty sure we're past the non-secured storage phase, there are likely still shortcuts relating to rapid adoption of and migration to cloud services. Key things to check here is MFA use, particularly on Internet facing services, rigorous identity management and logging and monitoring, as you would for on-premises services are the starting points. Don't forget the CSP can make mistakes with the best of us, verify things are as requested.

The recommendations from the initial report are the equivalent of the NTSB saying, “Keep your seatbelt fastened.” Jumping from the compromise of a private key by one cloud service provider all the way to cloud security does not seem well focused. That said, it may be that a CSRB investigation is the only way that we are likely to find out how that happened.

Kind of interesting that this specific action (integration of physical badge reader data with network logon data) was long ago ballyhooed as the “convergence of physical and cybersecurity” but now when actually used, the issue of who really owns user location data comes up again. In past cases, laws in the US have upheld employers’ rights on corporate owned property but not in all countries and I don’t think yet in hybrid work cases.

Requiring workers back in person has challenges and needs foundational measures for it to work. Having a clear understanding of employee/employee telework agreement, including when they are expected to be on-site, an exception process, and consequences for failure to follow the agreement is foundational before you can alert on non-compliance. Once that is in place, think through your measurement process carefully. Note that Amazon is looking at multi-week trends to minimize the impact of anomalies in the data. Be sure to examine use cases and validate data before entering an enforcement phase.

This ultimately comes down to who ‘owns’ the data. My sense is that it’s company data and they can do with it what they wish. Laws may vary by country, so I suspect that the AMZ legal department guided the company on its specific use to ‘monitor’ office access.

This isn’t surprising; pulling data from these databases is very trivial. There are some questions people will have, but of course, I will suspect many false positives / false negatives on this. “Hello, my fellow Cubemate. Can you badge me in every morning also?” Also, “Yes, please hold the door open for me while I have a bunch of coffee.” The real thing will be when they start to use facial recognition + badge swipes to monitor who is showing up. At this point, I would suggest it’s a management problem, and the big brother tactics will kill company culture. But what do I know?

At least in this special case, this seems to be a terms of employment issue. Management is entitled to know if (non-exempt) employees are coming to work.

Hooray for user-installable fixes! Too often these updates are only available at dealerships. Or, worse, vulnerabilities are discovered and patches are never created. Maybe someday they'll be pushed without any user interaction at all!

CVE-2023-29468, CVSS score 9.6, applies to the WL18xx MCP Driver in the SYNC3 system. SYNC3 is shipped with '21 & '22 Ford Escape, Explorer, Mustang, Transit and Super Duty. While Ford is still developing the patch, turn off Wi-Fi functionality in the SYNC3 settings to avoid exploitation.

This is new territory for automobile manufacturers. Vehicles have now become computers on wheels and cybersecurity best practices have to be an integrated part of the manufacturing process. The first step is recognizing the need for cybersecurity.

The issue is specific to the new Background Task Manager in macOS 13 (Ventura.) These latest issues were released without notifying Apple as the researcher felt their prior notifications to Apple were sufficient to have covered these issues as well. Having OS built-in security in concert with your EDR solution can counter these types of scenarios. Be certain to not ruin performance to deliver secure operation.

Developing a capability to detect persistent malware is an incredibly complex task. I applaud companies like Apple and Microsoft for adding such capabilities to their respective operating systems. While not perfect, it does inflict a cost on the evil-doer and that’s a good thing. Hopefully Apple will investigate the vulnerabilities announced at DEF CON and continue to improve the detection and alerting capability.

The third-party, in this case IBM, was providing file exchange using MOVEit. Most of us would not think twice about a product leveraged by a company with IBM’s size and reputation. The reality is you need to make sure that you're assessing the security of all your third-party service providers, to include documenting what resources are available in an incident. Don't assume, ask. You don't want to find out you can't get help during an incident. Don't forget the hard part - you need to keep that information current.

For the rest of us, if one is using MOVEit, assume that you are compromised and begin remediation.