Nominate Difference Makers; Prioritize Mitigation of Cisco ASA and Patching of Cisco BroadWorks; Focus on Hygiene and Known Vulnerabilities to Thwart Ransomware

The vulnerability enables brute force attacks. Only specific configurations are vulnerable, and the attacker will still need to guess your password. Due to the vulnerability, brute force protections can be bypassed allowing for faster attacks. An interesting lesson here: Vulnerabilities in services like web applications and APIs may lead to problems in non-web related services, like VPNs in this case.

Johannes Ullrich

Since most compliance regimes require MFA for remote access, and also require any default accounts be removed or disabled, theoretically this type of password spraying attack shouldn’t work very often – the level of success always points out how compliance actually does not equate to secure. If you are still facing resistance to requiring MFA for remote access, at least start with all privileged users and use this item to expand from there.

John Pescatore

Read the Cisco bulletin carefully: the vulnerabilities require multiple conditions to be true, albeit they are likely things you have. Pass the IoC's to your threat hunting team to determine where you stand, while focusing on implementing mitigations until a patch is released. Make sure you're limiting VPN access for default user groups, make sure you're requiring MFA for VPN connections, and disable or remove the default accounts the threat actors are using to exploit the vulnerability.

Lee Neely

The Cisco ASA VPN Software getting press this time is valid but requires a specific implementation. It does work because it was discovered in an actual breach. There are a very large number of implementations that meet the requirements. MFA helps, but many implementations that leverage MFA may need to leverage it entirely, leaving specific profiles vulnerable. Please watch this until the patch is out; when it is out, patch. This is not a 0-day; this is already an N-Day in the wild, having been exploited. It would also be ideal to look through your logs.

Moses Frost

While the vulnerability is actively being exploited, it does require brute force guessing of the username/password combination. Further, if you’ve implemented MFA as you should, the likelihood of attacker success is extremely low. That said, IT staff should remain vigilant for such attempts whilst reviewing their audit logs.

Curtis Dukes

If you are a BroadWorks user, patching this needs to be high priority. Also, a good reminder to those using other SSO solutions – ask your vendor if they are vulnerable to similar attacks and do some threat hunting to be proactive.

John Pescatore

CVE-2023-20238 scores a perfect 10 base CVSS score. There are no workarounds, you have to apply the update. If you're using another SSO solution, verify they are properly validating SSO tokens, rather than assume they are not vulnerable to a similar exploit.

Lee Neely

This vulnerability requires immediate attention by users of the Cisco BroadWorks application. Download and implement the available software update as soon as possible.

Curtis Dukes

This is an excellent paper and huge kudos to the NCSC and NCA for producing and sharing this report. It is an essential read for anyone wanting to understand the threat landscape as it applies to ransomware attacks, in particular the key role initial access brokers play in the whole ransomware ecosystem.

Brian Honan

As with any risk, having too narrow of a focus on mitigation leaves you vulnerable to variants. Ransomware protections, including training, physical and technical countermeasures, should not be strain-specific and are one part of your overall cyber security and hygiene plans. Ransomware is still an active threat, and you should assess your mitigations for effectiveness, but don't overlook the rest of the threats you're mitigating.

Lee Neely

While a good primer on the arc of ransomware attacks, the best defense is still, adherence to the core tenets of basic cyber hygiene – know your environment, configuration management, patch management, and system monitoring. If you get those pieces right, you exact a cost on the cybercriminal to attack you.

Curtis Dukes

This white paper is a long description, not to say an admiration, of the problem. It seems to be based on the idea that the reason that enterprises do not address the problem is that they do not appreciate it or its risks rather than that they believe that the solution is inconvenient or inefficient, or just have not gotten around to it. If one is interested in the solution, one should go immediately to the links at the end of the paper.

William Hugh Murray

As international law agencies continue to cooperate to bring down cyber criminals, the need to prosecute those which have violated International law, particularly when cyberwarfare is involved, needs to be addressed. With 123 countries as parties to the Rome Statue, they are well positioned to take on these cases.

Lee Neely

An interesting move by the ICC. First a definition of cybercrime will need to be agreed to by nations. It does at least acknowledge the importance of the cyber domain and how it can potentially be used in the commission of crimes.

Curtis Dukes

While we may not have seen one yet, it is certainly easy to visualize a cyberattack that would rise to the level of a crime against humanity. Our dependence and vulnerability increase daily.

William Hugh Murray

Better your users are noting reminders to relaunch Chrome in the next X hours to apply the update than being oblivious. Ensure that you've configured an upper limit to deferring that relaunch. Don't forget to watch for updates for your other Chromium based browsers.

Lee Neely

Any time you see the words ‘zero-day vulnerability’ pay immediate attention. The fix is easy: simply relaunch your chrome browser. Don’t be a victim!

Curtis Dukes

MGM has moved to manual transaction processing, but the volume of transactions may prove unmanageable. Note to self: fully understand the limits of moving to manual processing during an incident, including short-term mitigations which can be leveraged. MGM and other Hotels/Casinos are targeted these days. Last December, MGM's online sports betting company BetMGM reported a breach; Meliá Hotels international was hit hard in 2021; Marriott was targeted for extortion after 20 GB was exfiltrated last year. The draw is the mass amount of financial information they retain on clients; it'd be a good idea to review what information you are storing in any hotel/casino loyalty programs and minimizing it.

Lee Neely

Not many details to work with. Suspect it will turn out to be yet another ransomware event. So far, 2023 has seen a decidedly large uptick in ransomware attacks.

Curtis Dukes

Consider the volume of the attempted attack, involving TCP connection requests. The maturity of DDoS protection continues to evolve, and it is past time to make sure you're protected. This is no longer an attack vector you can just roll your own defense. You're going to need multiple approaches, from your ISP, Cloud Service Providers, CDN, who are actively developing defenses, and don't forget your perimeter, then go out and verify everything is working.

Lee Neely

Though both DoS and ransomware attacks may involve extortion, DoS attacks tend to end in hours to days and without leaving permanent damage. On the other hand, they may interfere with the mission and damage reputation. As in this case, the ability to mitigate them usually depends upon third parties and advance planning.

William Hugh Murray

It's easy to focus on the backups lost from May 17 - August 26, overlooking the exploit leveraged flaws in the outdated Exchange service, the updates, planned for 2021, had been delayed due to funding constraints and board decisions. Email is somewhere between a critical system and a system of record in current use; as such, you need to make sure you're maintaining it, and using a hosted or cloud email platform brings more than just up-to-date services, it also adds layers of security and monitoring you can leverage, even if you have to outsource; which was problematic for your in-house solution.

Lee Neely

This ransomware attack serves as a reminder for organizations to set up a reasonable backup frequency. There is not a hard and fast rule on backup frequency, as data sensitivity is an important factor. That said, most organizations do so on a weekly basis. And while you’re at it, also remember to store a backup off-site in order to aid data recovery.

Curtis Dukes

Two weaknesses were leveraged for this attack -- CVE-2022-47966 was leveraged to access their public-facing Zoho Manage Engine ServiceDesk Plus, and CVE-2022-42475 to access their firewall, at which point they were able to scan internal networks and find added vulnerabilities to exploit. Making sure that your boundary protection and Internet facing services are kept updated is critical. Set hard limits on mitigating weaknesses for these devices. The CISA report is a good writeup of how the attack progressed and should provide you points to your argument to raise the bar. Also, there are IoC's for your threat hunters to investigate.

Lee Neely