SANS NewsBites

Prioritized Fast Patching of Windows and Kubernetes; Limit Controlled Unclassified Information Storage To Certified Cloud Services

September 15, 2023  |  Volume XXV - Issue #73

Top of the News


2023-09-12

September 2023 Patch Tuesday

variety of products. Five of the vulnerabilities are rated critical, and two are being actively exploited: a Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (CVE-2023-36802) and a Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761).

Editor's Note

CVE-2023-36761 is the vulnerability to watch out for. It is not only already being exploited, but it is also not a difficult problem to exploit. Note that Windows 11 will soon have the ability to disable NTLM hashes for SMB which may help with problems like this in the future.

Johannes Ullrich

The Microsoft Word information disclosure vulnerability (CVE-2023-36761, CVSS score 6.2) understates what's disclosed. This flaw discloses Net-NTLMv2 (authentication) hashes, which makes it very attractive to exploit. Also take note of CVE-2023-38148, an RCE flaw in the Internet Connection Sharing (ICS) service, where an unauthenticated attacker can exploit this just by sending a properly crafted packet to the ICS service. This flaw has the highest rating of the bunch at a CVSS score of 8.8.

Lee Neely

Rapid patching of any Windows vulnerability at least at Microsoft’s Critical level is the minimum that is defensible based on real world exploitation of unpatched Windows systems.

John Pescatore

Interestingly, the two vulnerabilities being actively exploited have relatively low CVSS scores, yet can lead to either loss of user credentials or system-level access. Follow the standard security advice by prioritizing critical vulnerabilities first as part of your patch cycle.

Curtis Dukes

2023-09-14

Penn State University Facing Lawsuit Over Cybersecurity Protocol Compliance

A lawsuit filed against Pennsylvania State University alleges violations of the False Claims Act. The lawsuit alleges that the university lied to or misled federal officials regarding its compliance with cybersecurity requirements while contracting with the government. As a contractor, the university handles controlled unclassified information (CUI). Adequate protection for CUI is, at a minimum, implementing the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

Editor's Note

This is a complex case with many claims being made, but one thing that stood out to me: Penn State had selected a FedRAMP certified cloud storage solution for CUI data but ended up using the Microsoft 365 OneDrive consumer cloud storage service instead, which is not OK for CUI data. This is a common temptation: “We are already paying for these bundled storage services, why should we pay for these other services?” This one is a good example to use to convince management when there is a need to avoid that temptation.

John Pescatore

An interesting sequence of events. The University has been claiming compliance with NIST 800-171, via self-attestation. Meanwhile, an interim Vice Provost and University CIO doesn’t get the permanent job, later finds misuse of the cybersecurity compliance self-reporting, and ‘dimes out’ the University six years later. A few points: 1) self-attestation is reasonable given that the DoD has upwards of 300,000 contractor organizations providing services; 2) in those six years, the DoD should have done a spot assessment for compliance to the cybersecurity requirements; 3) what took the whistleblower so long to file a complaint; and, 4) the government, when it finds potential fraud, should hold those contractor organizations accountable.

Curtis Dukes

While the attorney general acknowledges that even well implemented security can have incidents, he is stating that in this case the University knowingly failed to implement and follow the required cybersecurity requirements in 800-171. The implementation of 800-171 has largely been a self-attestation, albeit an ATO was still required; new regulations will require third-party validation that controls are in place to properly protect CUI. Stepping back, consider how your service providers are protecting your sensitive information, to include how that is validated. If they are using services, do your protection requirements flow down to those third-party systems? Moreover, do you have clear, tested reporting and response plans in place?

Lee Neely

This is a civil suit brought, qui tam, by a private citizen, a former official of the defendant, on behalf of the government and himself, in his role as plaintiff-relator (whistleblower), a role defined in the False Claims Act. It seeks to recover financial damages which it asserts were suffered by the government as a result of false statements made by the defendant. It does not seek any other remedy. The suit does not specify the amount of the damages. It seeks a jury trial. This suit is about the money, not the false claims, not about security. It is punitive, not remedial. That said, the lesson for the rest of us is do not lie to the government.

William Hugh Murray

2023-09-14

Update Kubernetes Clusters to Fix Vulnerabilities

A researcher from Akamai has found three vulnerabilities in Kubernetes; all three are due to insecure function calls and a lack of user input sanitization. The most serious of the bunch is a high-severity flaw that can be exploited to achieve remote code execution with SYSTEM privileges on Windows nodes in the cluster. Kubernetes was notified of the vulnerabilities in July; fixes were released in August.

Editor's Note

This specifically applies to Windows endpoints in the cluster. In addition to applying the update, make sure you're limiting the number of users who can perform actions on a cluster. Another workaround is to disable the use of Volume.Subpath, which was being passed to a PowerShell script to evaluate and execute without proper sanitization; test for impacts, as you may be using it.

Lee Neely

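To assess the impact of that workaround before applying it, here is an added example, not Kubernetes project code and not from the newsletter's editors, that scans a PodList for volumeMounts using subPath and reports which pods would be affected. It assumes the standard `kubernetes.io/os` node label to identify pods pinned to Windows nodes, and it also flags `subPathExpr` (the environment-expanded variant), which is this example's own extension beyond the Volume.Subpath the note names. The PodList below is constructed for the example; the same structure is what `kubectl get pods -A -o json` returns.

```python
"""Report subPath volume mounts in pod specs so the blast radius of
disabling subPath can be assessed. Added example; not code from the
Kubernetes project or the newsletter editors."""
import json

# Standard node label; pods scheduled to Windows nodes select on it.
WINDOWS_OS_LABEL = "kubernetes.io/os"


def targets_windows(pod):
    """True if the pod pins itself to Windows nodes via nodeSelector."""
    selector = pod.get("spec", {}).get("nodeSelector") or {}
    return selector.get(WINDOWS_OS_LABEL) == "windows"


def find_subpath_mounts(pod):
    """Return (container, volume, subPath) for every subPath mount in the pod.
    subPathExpr is flagged as well; that is an assumption of this example,
    since the note above only names Volume.Subpath."""
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    hits = []
    for container in containers:
        for mount in container.get("volumeMounts", []):
            sub = mount.get("subPath") or mount.get("subPathExpr")
            if sub:
                hits.append((container["name"], mount["name"], sub))
    return hits


def scan_pod_list(pod_list, windows_only=True):
    """Scan a PodList (the shape of `kubectl get pods -A -o json`) and report
    pods whose mounts would break if subPath were disabled."""
    report = []
    for pod in pod_list.get("items", []):
        if windows_only and not targets_windows(pod):
            continue
        hits = find_subpath_mounts(pod)
        if hits:
            meta = pod["metadata"]
            report.append({
                "namespace": meta.get("namespace", "default"),
                "pod": meta["name"],
                "mounts": hits,
            })
    return report


# Constructed PodList for the example; not taken from any real cluster.
SAMPLE_PODLIST = json.loads(r"""
{"kind": "PodList", "items": [
  {"metadata": {"name": "win-app", "namespace": "prod"},
   "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
            "containers": [{"name": "app", "image": "example/app",
              "volumeMounts": [{"name": "config",
                                 "mountPath": "C:\\app\\settings.json",
                                 "subPath": "settings.json"}]}]}},
  {"metadata": {"name": "linux-api", "namespace": "prod"},
   "spec": {"nodeSelector": {"kubernetes.io/os": "linux"},
            "containers": [{"name": "api", "image": "example/api",
              "volumeMounts": [{"name": "certs",
                                 "mountPath": "/etc/certs/tls.crt",
                                 "subPath": "tls.crt"}]}]}},
  {"metadata": {"name": "win-worker", "namespace": "batch"},
   "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
            "containers": [{"name": "worker", "image": "example/worker",
              "volumeMounts": [{"name": "data", "mountPath": "C:\\data"}]}]}}
]}
""")

if __name__ == "__main__":
    for finding in scan_pod_list(SAMPLE_PODLIST):
        print(finding)
```

Run it with `windows_only=False` to see every subPath user in the cluster; pods with no nodeSelector are treated as non-Windows here, so on a mixed cluster that relies on taints or affinity rather than nodeSelector, widen `targets_windows` accordingly.
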
Good reminder to check that patch management processes actually extend to software like Kubernetes and the ability to update API objects on running configurations.

John Pescatore

The Rest of the Week's News


2023-09-14

Malicious Linux Download Manager

Researchers from Kaspersky Lab say that a malicious version of Free Download Manager software backdoored devices that downloaded the malicious version of the software between 2020 and 2022. The malware also stole data, including “system information, browsing history, saved passwords, cryptocurrency wallet files, [and] credentials for cloud services.” Starting in 2020, visitors to freedownloadmanager[.]org, which offers a legitimate version of Free Download Manager, were sometimes redirected to a site that offered the malicious version of the software. The redirects ceased in 2022.

Editor's Note

This malware has been available for about three years, and it appears a link on the legitimate website was used at times to direct users to the malicious version. A victim had no real indication that they were downloading malware.

Johannes Ullrich

Grab those IOCs and check for compromised systems. While the attack is inactive, you may still have cleanup. Probably want to bag any remnants of the Free Download Manager as well as it is unknown how systems were delivered the legitimate versus malicious version.

Lee Neely

This attack seems to bear the hallmarks of being nation-state driven. Some addresses received a benign copy, others the buggered version. Once the spotlight was cast, poof it disappeared. It serves as a reminder to trust only your OS distributor.

Curtis Dukes

2023-09-13

Europol Publishes Internet Organised Crime Assessment Report

Europol has published the Internet Organised Crime Assessment (IOCTA) 2023 report as well as a spotlight report, Cyber-attacks: the apex of crime-as-a-service. “IOCTA is Europol’s assessment of the cybercrime landscape and how it has changed over the last 24 months.” The cyber-attacks report is the first of three planned spotlight reports; the other two are online fraud and child sexual exploitation.

Editor's Note

The 22-page report notes the common attack vectors are exploits of vulnerabilities and misconfigurations, particularly VPN and RDP, particularly brute-force attacks of accounts not protected by MFA, and inadequate or lacking firewalls. They also leverage vulnerable services, like ProxyShell on Exchange, for launching phishing campaigns. Validation of your perimeter security, keeping services updated and using MFA are all well-known solutions here. Don't forget about outbound traffic protections. Only allowing access to approved services/ports/protocols is challenging, but worth it in the end. If the attacker's code can't connect to their services, it's a lot harder for them to operate.

Lee Neely

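As an added example of the detection side of the brute-force pattern the note describes (not code from Europol's report or from the editors), the script below runs over constructed VPN/RDP gateway authentication log lines in a made-up one-line format and reports two things: a source exceeding a failure threshold inside a sliding time window (classic brute force against one account), and a source that fails against many distinct accounts (password spraying, which a per-account lockout alone does not catch). The log format, field names, thresholds and the source addresses (from the documentation ranges) are all assumptions for the example.

```python
"""Sliding-window brute-force and password-spray detection over auth logs.
Added example; the log format and thresholds are invented for it."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed gateway log line: "<ISO-8601 UTC> <host> auth-fail|auth-ok user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth-fail|auth-ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Parse matching lines into (timestamp, host, event, user, src) tuples,
    sorted by time; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["event"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def analyze(lines, fail_threshold=5, window_seconds=60, spray_users=4):
    """Return {"brute_force": {src: peak failures in window},
               "password_spray": {src: distinct users failed against}}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> failure timestamps inside the window
    users_failed = defaultdict(set)  # src -> distinct accounts it failed against
    brute = {}
    for ts, _host, event, user, src in parse(lines):
        if event != "auth-fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= fail_threshold:
            brute[src] = max(brute.get(src, 0), len(q))
        users_failed[src].add(user)
    spray = {src: len(u) for src, u in users_failed.items() if len(u) >= spray_users}
    return {"brute_force": brute, "password_spray": spray}


# Constructed sample log: one rapid brute force, one slow spray, one benign user.
SAMPLE_LOG = """\
2023-09-10T10:00:01Z vpn-gw auth-fail user=alice src=203.0.113.5
2023-09-10T10:00:04Z vpn-gw auth-fail user=alice src=203.0.113.5
2023-09-10T10:00:08Z vpn-gw auth-fail user=alice src=203.0.113.5
2023-09-10T10:00:11Z vpn-gw auth-fail user=alice src=203.0.113.5
2023-09-10T10:00:15Z vpn-gw auth-fail user=alice src=203.0.113.5
2023-09-10T10:00:20Z vpn-gw auth-fail user=alice src=203.0.113.5
2023-09-10T10:01:00Z rdp-gw auth-fail user=bob src=203.0.113.9
2023-09-10T10:01:30Z rdp-gw auth-fail user=carol src=203.0.113.9
2023-09-10T10:02:00Z rdp-gw auth-fail user=dave src=203.0.113.9
2023-09-10T10:02:30Z rdp-gw auth-fail user=erin src=203.0.113.9
2023-09-10T10:03:00Z rdp-gw auth-fail user=frank src=203.0.113.9
2023-09-10T10:05:00Z vpn-gw auth-fail user=grace src=198.51.100.7
2023-09-10T10:05:10Z vpn-gw auth-ok user=grace src=198.51.100.7
this line is noise and is ignored by the parser
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

The spray source never trips the per-window failure count because it paces its attempts, which is why the distinct-user count is tracked separately; in a real deployment the thresholds would be tuned against the gateway's normal failure rate, and a hit would be correlated with whether MFA was enforced on the targeted accounts.
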
This report is one of the best cybersecurity reports available as it reflects what police forces are seeing. While the scope of the report is by its nature focused on incidents police are involved in, it is still a good indicator of the key threats.

Brian Honan

Kudos to Europol for publishing the report. If you routinely follow media reporting on cybersecurity events you will find nothing new in the report. If not, the report provides a good summary of cyber-attack trends over the past year.

Curtis Dukes

2023-09-13

CISA Roadmap for Open Source Software Security

The US Cybersecurity and Infrastructure Security Agency (CISA) has an open source software security roadmap. The roadmap is built around four central goals: establishing CISA’s role in supporting the security of OSS; understanding the prevalence of key open source dependencies; reducing risks to the federal government; and hardening the broader OSS ecosystem.

Editor's Note

Goal 4, “Harden the OSS Ecosystem”, and in particular Objective 4.3 “Publish Guidance on OSS Security Usage Best Practices” are the most important parts of the CISA roadmap. Missing is an objective to drive adoption of those Best Practices by all consumers of federal funding.

John Pescatore

Having a framework for getting your arms around the security of open-source software is a helpful thing. Best practices, vulnerability disclosure, education and help generating an SBOM are all in this roadmap. Also look to projects like Google's AOSS, where they are signing packages as being the legitimate versions as well as scanning them for vulnerabilities. Don't lose sight of the fact that even if your open-source components are genuine and free of malicious code, that doesn't mean they are free of flaws or that they will work in combination with the other application components.

Lee Neely

Establishment of a roadmap is but a small first step to ‘securing’ the open-source software ecosystem. I will be interested in the annual scorecard that CISA produces to demonstrate success against its roadmap and four central goals. That is, if CISA produces a scorecard.

Curtis Dukes

2023-09-14

Caesars Entertainment Confirms Cyberattack

Caesars Entertainment has disclosed that it experienced a cyberattack that compromised a significant amount of data, including driver’s license and Social Security numbers from its loyalty database. In a Form 8-K filing with the US Securities and Exchange Commission (SEC), Caesars says, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

Editor's Note

The statement by Caesars implies they paid a ransomware demand, and the Wall Street Journal is reporting they paid $15 million of the initial $30 million demand. Caesars also states they are monitoring for use of the exfiltrated information and working with the affected IT service provider to prevent recurrence. Unlike the MGM incident, this didn't impact customer facing services: this appears to be an attack on a third-party service provider. Caesars made no mention of providing identity theft/recovery services for impacted club members, so if you're a Caesars loyalty club member, make sure that you're covered.

Lee Neely

Caesars is finally confirming what has largely been reported over the past week. In Caesars' case, a compromise in outsourced business process operations is the culprit. Business process outsourcing was recently highlighted in the Cyber Safety Review Board (CSRB) report on LAPSUS$. Interestingly, it also appears that Caesars paid the ransom to prevent member data from being released publicly. We can argue the merits of that decision, but ultimately it is the company's to make.

Curtis Dukes

I love how the phrase “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result” highlights the problem with paying ransom demands to criminals, who by their very nature are not very trustworthy.

Brian Honan

2023-09-12

DOE Will Fund National Labs’ Grid Cybersecurity Projects

The US Department of Energy (DOE) will disburse $39 million among nine National Laboratory projects focused on strengthening the cybersecurity of the country’s distributed energy resources (DER). “DER systems include utility-scale solar, wind, storage and other clean technologies; behind-the-meter renewables and storage systems; electric vehicle chargers; and other customer-owned devices. These research, development, and demonstration projects will develop innovative cybersecurity tools and technologies for DER Systems, such as Distribution Management Systems, Distributed Energy Resource Management Systems, and DER aggregators.”

Editor's Note

As security of the grid and our critical systems remains forefront, these nine projects are designed to leverage modern technologies, AI, ML, IPv6, etc. to secure existing utility systems without disrupting them, as well as provide a model for future services which can be built with security in mind. These projects are collaborations between the national laboratories, universities, utilities and private sector companies.

Lee Neely

2023-09-14

New Zealand Transportation Authority Suffers Cyberattack

The Auckland Transport (AT) transportation authority in New Zealand is dealing with a cyber incident that is causing problems with its integrated ticketing and fares system. AT is the authority for the region’s public transportation, which includes buses, ferries, and trains, and for building roadways and other transportation infrastructure.

Editor's Note

The primary impact is that users cannot easily top up (recharge) their Hop card. The guidance is to still use the cards, rather than try to bypass paying for travel (buses, trains, and ferries). Ticketing machines are only taking cash, and users are unable to go to retailers to purchase concessions or to make purchases with the Hop card or top them off. Ironically, the attack comes before the planned system upgrade to allow the use of Apple/Google Pay, as well as credit/debit cards. There's another scenario to walk through: do you restore the old system, expedite the deployment of the new, or devise a hybrid?

Lee Neely

2023-09-14

Update Azure HDInsight Instances to Fix XSS Vulnerabilities

Researchers from Orca Security found eight cross-site scripting (XSS) vulnerabilities in various Apache services on Microsoft Azure HDInsight, an open-source data analytics service. The vulnerabilities were addressed in Microsoft’s August 2023 patch release. Organizations running Azure HDInsight need to update their instances to ensure the fixes are applied.

Editor's Note

This was a case of 6 stored and 2 reflected XSS vulnerabilities being discovered in the Apache services incorporated in Azure HDInsight (Hadoop, Spark, Kafka), resulting in eight CVE identifiers (CVE-2023-36881, CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, and CVE-2023-36877). The flaws, which permitted input and variable manipulation, come back to input sanitization and output encoding. Beyond making sure your developers are sanitizing input and encoding output, make sure that you're keeping your frameworks and related tools updated. Take a close look at what a WAF can do to help protect you, particularly from flaws in vendor provided applications or components.

Lee Neely

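The two XSS classes the note distinguishes, stored and reflected, come down to the same rendering mistake, so here is an added example (not code from Orca Security, Microsoft or the Apache projects, and unrelated to the HDInsight components themselves) showing a minimal comment page and search page in their unsafe form beside the fixed form that encodes output for the HTML context at render time. The page markup, the `CommentBoard` class and the probe strings are constructed for the example.

```python
"""Stored and reflected XSS: the unsafe rendering beside its fixed form.
Added example; the pages and helper names are invented for it."""
import html


class CommentBoard:
    """Minimal comment store, the stored-XSS case. Keeping the submitted text
    verbatim is fine; the defect or the fix lives in how it is rendered."""

    def __init__(self):
        self._comments = []

    def add(self, text):
        self._comments.append(text)

    def render_vulnerable(self):
        # Raw interpolation into HTML: markup in any comment is executed in
        # the browser of every later viewer of the page.
        return "".join(f"<p>{c}</p>" for c in self._comments)

    def render_safe(self):
        # Encode for the HTML text-node context at output time.
        return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in self._comments)


def search_page_vulnerable(query):
    """Reflected case: the request parameter is echoed straight back, both
    into a text node and into an attribute value."""
    return (f"<h1>Results for {query}</h1>"
            f'<input name="q" value="{query}">')


def search_page_safe(query):
    # Same page with output encoding. quote=True also encodes " and ', so a
    # value cannot terminate the attribute it is placed in.
    q = html.escape(query, quote=True)
    return (f"<h1>Results for {q}</h1>"
            f'<input name="q" value="{q}">')


def contains_raw_markup(rendered, untrusted):
    """Output-side check: does the untrusted string appear unencoded in the
    rendered page? Useful as a unit test against templates."""
    return untrusted in rendered


# Constructed probe inputs for the example (harmless markup, no real payload).
TEXT_PROBE = "<script>alert(1)</script>"
ATTR_PROBE = '"><b>x</b>'

if __name__ == "__main__":
    board = CommentBoard()
    board.add(TEXT_PROBE)
    print("vulnerable:", board.render_vulnerable())
    print("safe:      ", board.render_safe())
    print("reflected, safe:", search_page_safe(ATTR_PROBE))
```

The encoding has to match the context the value lands in: `html.escape` is right for text nodes and quoted attribute values, but a value written into a URL, a JavaScript string or an unquoted attribute needs that context's own encoding. Template engines with autoescaping on by default do this work for you; a WAF in front of a vendor component is a backstop for the cases where you cannot change the rendering code, not a replacement for it.
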
Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+September+2023+Patch+Tuesday/30214

DShield and qemu Sitting in a Tree: L-O-G-G-I-N-G

https://isc.sans.edu/diary/DShield+and+qemu+Sitting+in+a+Tree+LOGGING/30216

Uncursing the ncurses memory corruption vulnerabilities

https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library/

3AM Ransomware used if LockBit Fails

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit

Backdoored Free Download Manager

https://securelist.com/backdoored-free-download-manager-linux-malware/110465/

Foxit PDF Reader Updates

https://www.foxit.com/support/security-bulletins.html

macOS MetaStealer: New Family of Obfuscated Go Infostealers

https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/

Windows 11 to Support Blocking SMB NTLM Hashes

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206

Arbitrary code execution via Windows Themes (CVE-2023-38146)

https://exploits.forsale/themebleed/

OpenSSL 1.1.1 End of Life

https://www.openssl.org/blog/blog/2023/09/11/eol-111/

Adobe Updates

https://helpx.adobe.com/security/security-bulletin.html