Check Cisco Routers for Compromised Firmware and Patch All Cisco Gear; More Zero Day Vulnerabilities in Google Chrome Require Priority Patching

Make sure that you’re using strong credentials with your routers, limit which networks/interfaces they can be used from. You may want to leverage capabilities in your existing PAM solution to enforce how users connect, those passwords are managed and create a good record of all actions taken.

Lee Neely

I am pretty hard on bombastic articles about “Cisco Critical Zero Days,” typically because they are usually around the SMB Routers. The following few articles will not be that. This is extraordinarily bad, and there needs to be an extremely high focus on these two articles. First, if you are a Cisco customer, look closely at your edge equipment. Make sure, make very sure, that your device has not been modified and that you know exactly what software was run. Protect your control planes. The attackers are getting in through weak passwords. Ensure your router's console logins are unavailable over the wider internet. This one is bad because it affects potentially even ISP customers. The way it is working is very well done. The attackers are downgrading the firmware, using a vulnerability in the firmware (it appears), and using a bug in that firmware to load and replace the bootloaders to not correctly check the boot anchors. They are then able to load their firmware that enables backdoors. The backdoors leverage EEM and can be opened and closed via TCP / UDP packets. Based on the amount of knowledge you need to be able to pull this off, this, on the surface, appears to be a very sophisticated threat actor.

Moses Frost

If a thief has a key to your house, then it becomes quite easy to break in and cause mischief. That adage applies here when it comes to digital credentials. Further, the 2023 Verizon DBIR highlighted that credential leaks continue to be a major issue. The best mitigation is implementation of Multi-Factor Authentication (MFA). It is very effective in limiting the effectiveness of attacks that lead to credential theft.

Curtis Dukes

While the attack requires control of a key server, and inside access, which would indicate a high level of complexity, the flaw is still being exploited successfully. This follows the release of their fix to their SAML authentication which allowed an attacker to authenticate as any user. Suggest high priority getting these deployed.

Lee Neely

On the heels of the previous article, this one is interesting because it was discovered by someone in Cisco ASIG and attempted to be exploited in the wild. It is a complex attack against the GET VPN feature in IOS. GET VPN is an older, but still highly used feature set. It is also really complex to exploit, requiring access to an existing member of the GET VPN Domain. Either way, if you are already looking at the first issue and are using GET VPN, this one may be a fix you want to implement quickly.

Moses Frost

This vulnerability requires the attacker to have authenticated access in order to exploit the device. Review your system logs and prioritize the software update accordingly.

Curtis Dukes

The quantity of zero days in 2023 is still below the record year of 2021, but the percentage of zero days that are being actively exploited when discovered seems higher that in the past. That could mean more threat hunting and better detection is reducing overall time to detect incidents and that does seem to be the case in many areas. But more “hoarding” of zero day vulnerabilities by threat actors is also being reported – threat hunting and purple teaming are still critical skills and processes.

John Pescatore

You know the drill. Push and verify. If you’re not leveraging Chrome enterprise, go check it out. Chrome updates are at least monthly, that will save you some headaches.

Lee Neely

Adobe Acrobat, errr, Google Chrome, has been in the news a lot lately, correct? Feels like déjà vu to me. Given the amount of focus on Google Chrome and its relevant offspring, such as Electron and Microsoft Edge, maybe it’s time to look back to Firefox or other browsers to reduce the risk of exploitation. This is one you’ll have to use a threat model to see how likely you are to reduce your risk given that every browser has its bugs.

Moses Frost

Thankfully Google has made the update process easy-peasy, so really no excuse not to update immediately. What is striking though, is the number of zero-days being used these days and our ability to detect them quicker.

Curtis Dukes

A complex issue but some simple parts: We’ve seen several times that government agency abuse of monitoring resulted in movement to require court warrants, and the agencies predicted catastrophic loss of intelligence ability - which rarely if ever actually happened. As more states enact meaningful privacy legislation, there is also an issue of government agency ability to actually protect collected sensitive information and any resulting liability impacting companies that provided customer data with no warrant obtained.

John Pescatore

Section 702 is a valuable intelligence gathering tool, but it has to be used responsibly. Most of the recommendations made by the PCLOB are reasonable and provide guardrails on the use of the tool. It also includes a couple exemptions that likely address the timeliness concern. Given that the law was enacted 15 years ago, some changes are likely warranted as we’ve learned has it is used and misused.

Curtis Dukes

While it’s always good to consider the checks and balances of government security vs. privacy, I’m personally far more concerned about the amount of data the private sector collects. The private world knows not only our age, gender, job and where we live but track our political and sexual preferences, our financial reliability, our travel records, our physical and mental health, our personal relationships, employment history, purchases, etc. In some cases, this information can even be purchased, not just on the Dark Web but via legitimate data brokers. It’s now to the point that I don’t teach people how to protect their privacy, but how to protect themselves assuming that data is already in the hands of threat actors (credit freeze, bank account & credit card real-time monitoring, MFA, etc).

Lance Spitzner

There are some of you saying “What do you think <TLA> does?” That this is their core business. With increased emphasis on transparency, and ever evolving privacy laws (GDPR, CCPA, etc.), having clear permission (e.g., a warrant) as well as a requirement on handling incidentally collected data is not a big surprise. Hopefully a middle ground can be found where investigations are still effective.

Lee Neely

The very existence of this data invites abuse. As predicted, we have seen the abuse both with and without warrants; it would be naive to think that we know about all of it. The sunset provision in 702 exists to provide an opportunity to resist abuse; it should not reauthorized without doing so. The fact that the FISA court has only rarely refused a request for a warrant is not an excuse for not requiring them. While the FISA court's threshold for probable cause may be low, warrants do come with judicial supervision.

William Hugh Murray

If your company does business with or competes with China, your executives are very likely to have been targeted by foreign intelligence activities. Use this item to justify and drive threat hunting around your company’s high value targets – people and facilities.

John Pescatore

Too often email accounts are used as the de facto file system by employees. On average, having 6,000 email messages per compromised State Department employee supports the premise. The Center for Internet Security critical security control 3 outlines a number of safeguards for data protection. It starts with having a data management process.

Curtis Dukes

A good example of why end to end encryption is so critical when dealing with sensitive data. Sadly, until vendors make vast improvements in end to end email encryption solutions, emails stored in mailboxes will always be vulnerable.

Brian Honan

Protect sensitive conversations in email with encryption. Encryption of stored email provides need to know protection beyond the encryption in transit already in place. Your email solution may already have options. Make sure that you consider how it interacts with business partners and collaborators.

Lee Neely

Microsoft making it easier for everyone to move away from reusable passwords is a good thing but the rate of critical vulnerabilities showing up in Microsoft software, and Microsoft’s slow (compared to the browser world) patch release process almost revives old fears that drove always waiting a few months before jumping on a Windows update. In this case, three months of use in the Windows Insider program should mitigate that risk.

John Pescatore

Make sure you’ve got folks using the Insider program to check out new features before the next update makes them available to everyone. As passkeys get increasingly incorporated into operating systems and applications, you’re going to want to be up to speed to embrace them.

Lee Neely

Passkeys are a great feature to implement from a security perspective. I think enabling and using them for everything that supports it is a good idea. The only “better” security solution (if you can argue better and worse) is leveraging a physical hardware security token such as Yubikey.

Moses Frost

Inclusion of passkeys in Windows 11 is another nail in the password coffin. Passkeys provide for a strong form of authentication and are phish-resistant. Perhaps, just perhaps, 2024 is the year we can finally say goodbye to passwords.

Curtis Dukes

Microsoft finally joins Apple and Google in supporting the user side of Passkeys. This support is essential. The convenience of Passkeys can reduce the resistance to strong authentication but only if the application side offers them at least as an option. Enterprises should consider making them mandatory internally. Users should prefer applications and services that offer Passkeys as an option and even ask for them where they are not offered.

William Hugh Murray

This appears to be a ransomware attack from the Dark Angels gang, who reportedly exfiltrated 27TB of data, and is demanding $51 million for the decryption key and to delete the data. The 8-K filing indicates that Johnson Controls is implementing system recovery procedures, and that most systems are back online, a hint they don’t intend to pay the ransom. The impact on York and Simplex is an indicator to understand downstream impacts of a similar event in your enterprise. Ask if your subsidiaries could operate independently. If not, how does that alter your recovery plan?

Lee Neely

JCI is a $25B international company that has unfortunately fallen victim to a ransomware attack. It proves that no matter how large or small a company is, they are being targeted and can become a victim. Once the dust has settled, I hope that JCI will publish an after-action report detailing initial attack access, privilege escalation, security defenses employed, and incident response plan to minimize the disruption. We all benefit from this knowledge.

Curtis Dukes

The 1990’s are calling: they want their software back. If you’re using WS_FTP, patch it, then seriously find an alternative. This is another issue from Progress Software, the folks who brought us MOVEit. They are now delivering service packs to make updates easier, which is great, and it’s time to move to more modern and secure data interchange solutions.

Lee Neely

I guess someone saw MoveIT having issues and thought, “Where there is smoke, there is fire.” I remember running WS_FTP in the late 90s or early 2000s. Although I’m sure significant pieces of it are rewritten since some exploits deal with .NET Deserialization.

Moses Frost

Before people start populating their conference slide decks citing this as an example of a business closing resulting from a cyber-attack we need to be aware that the company was already struggling to survive. It appears the ransomware attack was the proverbial last straw but not the sole reason for the closure.

Brian Honan

The most severe consequence of an incident is to go out of business. Have you incorporated that into your planning? Meaning do you know what thresholds or events the business can’t recover from? While implicit in your planning, having explicit information may cause you to rethink your plan.

Lee Neely