More Reasons to Prioritize 2FA Migration; Prioritize Patching Citrix and Cisco Products

If you care enough about your LinkedIn account to actually pay a ransom to get it back: Maybe you should enable 2FA. There is no indication that these attacks use any new technique. Likely, they are just phishing or guessing credentials.

Johannes Ullrich

The Cyberint writeup doesn’t really point out hacking of LinkedIn. The two scenarios are (1) Temporary Lockout where you are notified someone was trying and failing to log in; and (2) account takeover, where is usually where the password you are using was compromised somewhere else and you didn’t change in on LinkedIn and didn’t turn on two step verification on LinkedIn. (1) is a working security feature, (2) is failure to use a known needed security feature.

John Pescatore

Part of the attack involves not only compromising the password but also changing the email on the account, making recovery options impossible. If you have a LinkedIn account, make sure that you still have access, that contact information is correct (no unexpected email or phone numbers), then go into settings -> Sign in & security and make sure Two-step verification is enabled. Use the authenticator app rather than the SMS options. Also check your active sessions and devices which remember your password. LinkedIn seems to be forcing users to verify email and phone associated with their accounts.

Lee Neely

From the apparent large number of frustrated users, LinkedIn did not create an Incident Response plan for this sort of attack. While they will suffer ‘brand’ damage for a period of time, there really isn’t an alternative for business professionals. At some point LinkedIn will provide additional details of the attack and its lessons learned.

Curtis Dukes

Every application that I use daily offers strong authentication. Even my little community bank turned it on this month. A few even offer Passkeys. They are all user opt-in. Hardly any of them promotes its use. In some it was hard to find. Yet most agree that it is our single most effective, efficient, and essential cybersecurity measure.

William Hugh Murray

Any unpatched Citrix ADC should be considered compromised. Mandiant released a nice tool that will not only identify available patches, but will also check for indicators that the device is compromised.

Johannes Ullrich

Citrix has observed bad actors exploiting these flaws, (CVE-2023-3466, CVE-2023-3467 and CVE-2023-25-19), so you need to update to the fixed releases. Note if you're on NetScaler ADC or NetSCaler Gateway version 12.1, that version is EOL and you need to update to the newer version 13 releases.

Lee Neely

Patching Citrix ADC (NetScaler) is just as valid as relevant as patching a VPN device. It’s important to realize that.

Moses Frost

CVE-2023-24489 can be exploited by a non-authenticated user, rates a CVSS score of 9.8, so you're going to want to jump on upgrading to ShareFile storage zones controller 5.11.14. Note that Citrix is blocking access from any controllers not running patched versions.

Lee Neely

These vulnerabilities can lead to privilege escalation, SQL injection, directory traversal, DOS, not a good end to the week. Go through your inventory of Cisco non-router products making sure they are all updated. Make sure that security/patch alerts for these items go to the right folks, not just the network team.

Lee Neely

If you’re a Cisco Customer or any type (outside of just routing and switching but also software), patch. Unlike other companies, there is no regular release cadence for this like Patch Tuesday.

Moses Frost

This is a great reminder that defenders have more than traditional IT infrastructure to defend. Some of our most interesting pentesting engagements involve access badges, power generation, wearables, and other "in between" systems that are easily forgotten.

Christopher Elgee

Kudos to the Italian team "mHACKeroni" for winning Hack-A-Sat 4. Earlier in the week, Stefano Zanero, who sits with me on the ISSA International board, was telling me about the team and how excited they were for the chance to compete. It is amazing that the economics of putting a satellite in space as a cyber testbed have changed enough to make flying a real bird viable.

Lee Neely

I watched the DefCon hack-a-sat a bit over the DefCon weekend, and it was interesting to see the teams work on it. Happy to see that this type of device is being made available to a broader audience.

Moses Frost

While cyber is but one active threat to satellite systems, it is the most ‘reachable’ by non-nation state actors. Both the US Air Force and its defense contractors will learn valuable cyber defense lessons from offering the Hack-A-Sat competition. Unfortunately so will cyber attackers, as details of the competition are released.

Curtis Dukes

This campaign delivers QR codes in email, largely as Bing redirect URLs. It's probably best to train users to not scan QR codes in email messages, then, for allowed use cases, make sure that they are using QR scanners which preview the content of the code, such as the URL, so they can assess before clicking.

Lee Neely

QR codes seemed to be going the way of the blinking URL but “touch-free” demand during COVID seemed to breath some life in usage, and the raise of cellphone payment apps resulted. Just as now it is common for every legitimate business to say “We would never ask for your sensitive information over email” good idea to review any use you have of QR codes and see if it is really necessary – for example, in rolling out 2FA. Not really a huge risk path, but if not necessary, better to avoid.

John Pescatore

Malicious QR Codes are a thing. I would be very wary of getting them over untrusted sources. It’s a new area for training for sure.

Moses Frost

This campaign takes *ishing (ph-, v-, sm-) to the next level by embedding malicious QR codes. To fully enable the attack though, one must use a mobile device. That’s ok though, as today’s workforce likely receives business email on that device. Finally, the evil-doers and betting that their targets are generally accustomed to just scanning the QR code. Organizations should add this attack scenario as part of their periodic cyber awareness training.

Curtis Dukes

The lesson for the rest of us is that QR tags, like any link, URL, or button, may be bait and should be regarded with appropriate suspicion.

William Hugh Murray

Pass the IOCs from the We Live Security blog posting to your threat hunters to make sure you're not already compromised. The phishing email masquerades as a notice about a legitimate change to the Zimbra login, then directs them to open the provided attachment to access the new borked login page. This comes back to training users on detecting real IT updates.

Lee Neely

CISA continues to create services intended to build partnerships with the private sector. Consider bringing in your local CISA representative (they have offices in all 50 states), to present to your company, or professional organization, on what they can do for (and with) you. At a minimum, having a face to go with the agency goes a long way should you ever need each other. This plan, it's only 8 pages, has two pillars –Operational Collaboration and Cyber Defense Guidance – with four LOE's - Cyber threat and vulnerability information sharing, educating RMM Operational Community, End-User Education and Amplification. Critical components to build trust and sharing partnerships with the private sector.

Lee Neely

Two pillars of the plan are "collaboration" and "end user education." One looked in vain for first or next steps, for direction on how the plan should alter one's behavior.

William Hugh Murray

In 2021, Executive Order 14028, improving the nation's cybersecurity, was released with many required improvements for cabinet level agencies to adopt, on fairly short timelines. While it was not supposed to be an unfunded mandate, many agencies have not received sufficient funding to properly implement these changes. Required activities like zero-trust, increased cloud adoption, increased logging and retention and even phishing resistant MFA can be foundational technology and cultural changes which can be extremely expensive and time consuming. Due to differences in size, structure and cyber maturity, one must take care with making broad requirements without considering specific risk posture. I predict that full adoption of EO 14028, like HSPD-12 which is still not fully implemented after 19 years, will be measured in decades, not years.

Lee Neely

Until senior leaders of departments and agencies are held accountable, little will change when it comes too cybersecurity. Sending a memo isn’t holding individuals accountable.

Curtis Dukes

Remember those frequent updates for Chrome Google promised? Don't miss added features like the one-time allowance of permissions and their new privacy options relating to presented ads, you may have to start testing the earlier release channels, such as Dev or Beta to stay ahead of the production release of new capabilities.

Lee Neely

An important update for Google Chrome. The good news is that updating the browser has become a routine practice for most users; as simple as ‘clicking’ a button. The new ‘Allow this time’ feature is also a welcome change by Google.

Curtis Dukes