LinkedIn users are reporting account takeovers. In some cases, the hackers are demanding payment to return control of the accounts and threatening to permanently delete them if payment is not made. Researchers from Cyberint say that the attacks are affecting people around the world and that analysis of Google Trends data indicates “a significant surge [in account takeovers] in the past 90 days.”
If you care enough about your LinkedIn account to actually pay a ransom to get it back: Maybe you should enable 2FA. There is no indication that these attacks use any new technique. Likely, they are just phishing or guessing credentials.
The Cyberint writeup doesn’t really point out hacking of LinkedIn. The two scenarios are (1) Temporary Lockout, where you are notified someone was trying and failing to log in; and (2) account takeover, which is usually a case where the password you are using was compromised somewhere else and you didn’t change it on LinkedIn and didn’t turn on two-step verification on LinkedIn. (1) is a working security feature, (2) is failure to use a known needed security feature.
Part of the attack involves not only compromising the password but also changing the email on the account, making recovery options impossible. If you have a LinkedIn account, make sure that you still have access, that contact information is correct (no unexpected email or phone numbers), then go into settings -> Sign in & security and make sure Two-step verification is enabled. Use the authenticator app rather than the SMS options. Also check your active sessions and devices which remember your password. LinkedIn seems to be forcing users to verify email and phone associated with their accounts.
From the apparent large number of frustrated users, LinkedIn did not create an Incident Response plan for this sort of attack. While they will suffer ‘brand’ damage for a period of time, there really isn’t an alternative for business professionals. At some point LinkedIn will provide additional details of the attack and its lessons learned.
Every application that I use daily offers strong authentication. Even my little community bank turned it on this month. A few even offer Passkeys. They are all user opt-in. Hardly any of them promotes its use. In some it was hard to find. Yet most agree that it is our single most effective, efficient, and essential cybersecurity measure.
Cyberint
Bleeping Computer
Dark Reading
Infosecurity Magazine
Citrix has released updates to address several vulnerabilities in its NetScaler ADC and NetScaler Gateway products. The Citrix security bulletin notes that NetScaler ADC and NetScaler Gateway 12.1 are at End of Life and will not have updates to address these flaws. Researchers from Fox-IT, which is part of NCC Group, have detected a campaign in which nearly 2,000 Citrix NetScaler instances have been compromised through exploitation of one of those vulnerabilities, CVE-2023-3519.
Any unpatched Citrix ADC should be considered compromised. Mandiant released a nice tool that will not only identify available patches, but will also check for indicators that the device is compromised.
Citrix has observed bad actors exploiting these flaws (CVE-2023-3466, CVE-2023-3467 and CVE-2023-3519), so you need to update to the fixed releases. Note if you're on NetScaler ADC or NetScaler Gateway version 12.1, that version is EOL and you need to update to the newer version 13 releases.
Patching Citrix ADC (NetScaler) is just as valid and relevant as patching a VPN device. It’s important to realize that.
NVD NIST
Citrix
NCC Group
Infosecurity Magazine
Bleeping Computer
Citrix has released a security update to address a critical improper access control vulnerability in its ShareFile file sharing and transfer service. The US Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to the Known Exploited Vulnerabilities catalog on August 16, noting that it is being actively exploited.
CVE-2023-24489 can be exploited by a non-authenticated user and rates a CVSS score of 9.8, so you're going to want to jump on upgrading to ShareFile storage zones controller 5.11.14. Note that Citrix is blocking access from any controllers not running patched versions.
CISA
Security Week
SC Magazine
Bleeping Computer
Infosecurity Magazine
Citrix
NIST
Cisco has released 17 security advisories to address vulnerabilities in multiple products. Five of the flaws have been rated high severity: a privilege elevation vulnerability in Cisco ThousandEyes Enterprise Agent; an arbitrary file write vulnerability in Cisco Duo Device Health Application for Windows; an SQL injection vulnerability in Cisco Unified Communications Manager; an infinite loop denial-of-service vulnerability in ClamAV HFS+ File Scanning; and a denial-of-service vulnerability in ClamAV AutoIt Module.
These vulnerabilities can lead to privilege escalation, SQL injection, directory traversal and DoS; not a good end to the week. Go through your inventory of Cisco non-router products, making sure they are all updated. Make sure that security/patch alerts for these items go to the right folks, not just the network team.
If you’re a Cisco customer of any type (not just routing and switching, but also software), patch. Unlike other companies, there is no regular release cadence for this like Patch Tuesday.
This year, the DEF CON Hack-A-Sat competitors were given Moonlighter, a “hacking sandbox in space,” as their target. In previous years, the Hack-A-Sat teams were given earthbound satellite simulations as their target. The competition, which ran from August 11-14, involved nine challenges, including accessing the satellite, bypassing its observation restrictions, taking a photo, and downloading the image to a ground station. The competition aims to improve satellite cybersecurity; Moonlighter will remain in low Earth orbit as a US Defense Department cybersecurity testbed.
This is a great reminder that defenders have more than traditional IT infrastructure to defend. Some of our most interesting pentesting engagements involve access badges, power generation, wearables, and other "in between" systems that are easily forgotten.
Kudos to the Italian team "mHACKeroni" for winning Hack-A-Sat 4. Earlier in the week, Stefano Zanero, who sits with me on the ISSA International board, was telling me about the team and how excited they were for the chance to compete. It is amazing that the economics of putting a satellite in space as a cyber testbed have changed enough to make flying a real bird viable.
I watched the DefCon hack-a-sat a bit over the DefCon weekend, and it was interesting to see the teams work on it. Happy to see that this type of device is being made available to a broader audience.
While cyber is but one active threat to satellite systems, it is the most ‘reachable’ by non-nation state actors. Both the US Air Force and its defense contractors will learn valuable cyber defense lessons from offering the Hack-A-Sat competition. Unfortunately so will cyber attackers, as details of the competition are released.
Space
Business Insider
Politico
Breaking Defense
Researchers from Cofense have identified a phishing campaign that uses malicious QR codes to steal Microsoft account credentials. The campaign has been operating since at least May of this year. One of the victims is an unnamed US energy company. Most of the phishing emails appear to be Microsoft security notifications.
This campaign delivers QR codes in email, largely as Bing redirect URLs. It's probably best to train users to not scan QR codes in email messages, then, for allowed use cases, make sure that they are using QR scanners which preview the content of the code, such as the URL, so they can assess before clicking.
QR codes seemed to be going the way of the blinking URL, but “touch-free” demand during COVID seemed to breathe some life into their usage, and the rise of cellphone payment apps resulted. Just as it is now common for every legitimate business to say “We would never ask for your sensitive information over email,” it is a good idea to review any use you have of QR codes and see if it is really necessary – for example, in rolling out 2FA. Not really a huge risk path, but if not necessary, better to avoid.
Malicious QR Codes are a thing. I would be very wary of getting them over untrusted sources. It’s a new area for training for sure.
This campaign takes *ishing (ph-, v-, sm-) to the next level by embedding malicious QR codes. To fully enable the attack though, one must use a mobile device. That’s ok though, as today’s workforce likely receives business email on that device. Finally, the evil-doers are betting that their targets are generally accustomed to just scanning the QR code. Organizations should add this attack scenario as part of their periodic cyber awareness training.
The lesson for the rest of us is that QR tags, like any link, URL, or button, may be bait and should be regarded with appropriate suspicion.
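The QR lures in this campaign decode to Bing click-redirect URLs, so a scanner that only previews the host will show bing.com rather than the phishing site. The Python below is an added example, not Cofense's or SANS's code: it unwraps the redirect before judging the destination. It assumes the bing.com/ck/a layout commonly observed in the wild, where the `u` query parameter is the literal `a1` followed by base64url of the real target; confirm that against your own samples before relying on it. The functions `make_bing_redirect`, `unwrap_bing_redirect` and `triage_links`, the trusted-domain list and the sample email text are all constructed here.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed phishing destination used to build the sample lure below.
PHISH_TARGET = "https://login-microsoft.example.invalid/auth?user=alice"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def make_bing_redirect(target: str) -> str:
    """Build a Bing-style click redirect wrapping `target` (test fixture only).

    Assumption: the observed format is u=a1<base64url(target) without padding>.
    """
    encoded = base64.urlsafe_b64encode(target.encode()).decode().rstrip("=")
    return f"https://www.bing.com/ck/a?!&&p=deadbeef&u=a1{encoded}&ntb=1"


def unwrap_bing_redirect(url: str) -> Optional[str]:
    """Return the destination hidden in a bing.com/ck/a redirect, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in {"www.bing.com", "bing.com"} or not parsed.path.startswith("/ck/a"):
        return None
    u = parse_qs(parsed.query).get("u", [None])[0]
    if not u or not u.startswith("a1"):
        return None
    # Normalise base64url back to standard base64; parse_qs turns '+' into ' ',
    # so undo that as well, then restore padding before decoding.
    payload = u[2:].replace(" ", "+").replace("-", "+").replace("_", "/")
    payload += "=" * (-len(payload) % 4)
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_links(text: str, trusted_suffixes=("microsoft.com", "microsoftonline.com")) -> List[dict]:
    """Extract URLs from decoded QR/email content, unwrap redirects, flag untrusted hosts."""
    findings = []
    for url in URL_RE.findall(text):
        target = unwrap_bing_redirect(url) or url
        host = (urlparse(target).hostname or "").lower()
        trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
        findings.append({
            "seen": url,
            "target": target,
            "redirect": target != url,
            "trusted_host": trusted,
        })
    return findings


# Constructed sample: what the email body plus the decoded QR payload might look like.
CONSTRUCTED_EMAIL = (
    "Microsoft Security: your MFA settings expire in 24 hours.\n"
    "Review your settings: https://account.microsoft.com/security\n"
    "Or scan the QR code, which decodes to:\n"
    + make_bing_redirect(PHISH_TARGET) + "\n"
)

if __name__ == "__main__":
    for f in triage_links(CONSTRUCTED_EMAIL):
        verdict = "OK" if f["trusted_host"] else "SUSPICIOUS"
        print(f"{verdict}: {f['seen']} -> {f['target']} (redirect={f['redirect']})")
```

Run it against the text a preview-capable QR scanner shows you (or the decoded payload from an attachment); the point is that the verdict is made on the unwrapped destination, not on the bing.com hostname the lure presents.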
Cofense
Security Week
SC Magazine
Dark Reading
Bleeping Computer
Researchers from ESET have detected a phishing campaign aimed at gathering Zimbra Collaboration user account credentials. The campaign has been ongoing since at least April of this year. Most of the targeted accounts are in Poland, Ecuador, and Italy.
Pass the IOCs from the We Live Security blog posting to your threat hunters to make sure you're not already compromised. The phishing email masquerades as a notice about a legitimate change to the Zimbra login, then directs the recipient to open the provided attachment to access the new borked login page. This comes back to training users on detecting real IT updates.
We Live Security
Infosecurity Magazine
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Remote Monitoring & Management (RMM) Cyber Defense Plan, which was developed by the Joint Cyber Defense Collaborative (JCDC), a public/private partnership. The document states its mission: “JCDC’s RMM Cyber Defense Plan provides cyber defense leaders in government and industry with a collaborative proposal for mitigating threats to the RMM ecosystem.”
CISA continues to create services intended to build partnerships with the private sector. Consider bringing in your local CISA representative (they have offices in all 50 states) to present to your company, or professional organization, on what they can do for (and with) you. At a minimum, having a face to go with the agency goes a long way should you ever need each other. This plan (only 8 pages) has two pillars – Operational Collaboration and Cyber Defense Guidance – with four LOEs: cyber threat and vulnerability information sharing, educating the RMM operational community, end-user education, and amplification. These are critical components for building trust and sharing partnerships with the private sector.
Two pillars of the plan are "collaboration" and "end user education." One looked in vain for first or next steps, for direction on how the plan should alter one's behavior.
According to a memo obtained by CNN, the Biden Administration is urging federal agencies to take steps to improve their cybersecurity posture. In the memo, national security adviser Jake Sullivan reportedly notes that agencies have “failed to comply” with requirements set by a 2021 Executive Order. Sullivan asked senior agency officials to ensure that they are compliant by the end of this calendar year.
In 2021, Executive Order 14028, improving the nation's cybersecurity, was released with many required improvements for cabinet level agencies to adopt, on fairly short timelines. While it was not supposed to be an unfunded mandate, many agencies have not received sufficient funding to properly implement these changes. Required activities like zero-trust, increased cloud adoption, increased logging and retention and even phishing resistant MFA can be foundational technology and cultural changes which can be extremely expensive and time consuming. Due to differences in size, structure and cyber maturity, one must take care with making broad requirements without considering specific risk posture. I predict that full adoption of EO 14028, like HSPD-12 which is still not fully implemented after 19 years, will be measured in decades, not years.
Until senior leaders of departments and agencies are held accountable, little will change when it comes to cybersecurity. Sending a memo isn’t holding individuals accountable.
On Tuesday, August 15, Google released Chrome 116, which includes fixes for 26 security issues, eight of which are deemed high severity. Chrome 116 also includes a new option in permission prompts. Users can now opt for “Allow this time” one-time permissions when sites request access to features like location or microphone.
Remember those frequent updates for Chrome that Google promised? Don't miss added features like the one-time allowance of permissions and the new privacy options relating to presented ads. You may have to start testing the earlier release channels, such as Dev or Beta, to stay ahead of the production release of new capabilities.
An important update for Google Chrome. The good news is that updating the browser has become a routine practice for most users; as simple as ‘clicking’ a button. The new ‘Allow this time’ feature is also a welcome change by Google.
Security Week
Infosecurity Magazine
How to Geek
Command Line Parsing - Are These Really Unique Strings?
https://isc.sans.edu/diary/Command+Line+Parsing+Are+These+Really+Unique+Strings/30126
iOS 16 Fake Airplane Mode
https://www.jamf.com/blog/fake-airplane-mode-a-mobile-tampering-technique-to-maintain-connectivity/
LinkedIn Attacks
https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/
Robot Vacuum Privacy Issues
https://dontvacuum.me/talks/DEFCON31/DEFCON31-vacuum-robots-final.pdf
PowerShell Gallery Prone to Typosquatting, Other Supply Chain Attacks
Windows Random Time Issues
Energy Company Targeted in QR Code Campaign
https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/
New Citrix Scanner from Mandiant
https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner
macOS Background Task Manager Bypass
https://www.wired.com/story/apple-mac-background-task-management-flaw/
Ivanti Avalanche Vulnerability
https://www.tenable.com/security/research/tra-2023-27
Exploiting Synology NAS Cloud Connectivity
Fake Crypto Currency Apps Offered as "Beta" versions