To Avoid Multiple Active Exploits, Patch Progress Software WS_FTP, Exim MTA, and Arm Mali GPU Driver

An exploit has been made available publicly. No reason to believe that this is not already being exploited.

You already applied the patches to WS_FTP, right? The vulnerability and POC exploit code are both out there. And Progress Software lists their high-profile customers on their website, simplifying target selection. On top of all that, Progress is dealing with a bunch of lawsuits after the MOVEit breach, which is going to, at best, impact their ability to respond to additional issues, building the case to find an alternate solution.

Roughly 72 hours from patch release (vulnerability) to active exploit. A useful metric for defenders as they evaluate patches before introducing them into their environment. Part of me wonders if the CVSS score that usually accompanies vulnerability announcement helps evil-doers prioritize their workload. In this case, a vulnerability with a CVSS score of 10 certainly gets attention from both attacker and defender.

WS_FTP is not the option I would choose for an FTP today. There are many more options robust and more straightforward options. So, who is using this software today? Are those environments easier to breach than others? This software package is also maintained by the same company that maintains MoveIT. Where there was smoke, there was plenty of fire.

Exim released an update fixing the three most severe issues. They also provided guidance to mitigate the remaining vulnerabilities. One issue here is communications between the zero day initiative and the EXIM team. This could have likely been dealt with better.

While researchers discovering the Exim flaws have been notifying the company of the flaws, the company has been slow to respond, so issues are now getting published, patched or otherwise. Move to the latest version of Exim post haste, noting you're going to want to jump again when the rest of the fixes are released. When you get a vulnerability reported, don't ignore it: respond, working with the discovering party, or parties, to reproduce and remediate it before their non-disclosure window closes.

A lot of finger-pointing between ZDI and Exim developers; however, given the large install base, download and install the patches as they become available. Separately, it does resurface the need for vendors to find ways to support vulnerability management of open-source software applications. It’s a continuing problem we all are facing given large open-source software usage.

What is clear is that Exim is a very popular MTA, and everyone should watch their MTA closely. I would look at the Security Mailers like Bugtraq to see what all the fuss was about from the devs.

Another Android patch gap issue avoided by Google Pixel phones, as Google pushed the fix out to its Pixel phones in the September update.

Google released fixes for CVE-2023-4211 in September for affected Pixel and Chromebook devices. The issue also impacts Samsung S20/21, Motorola Edge 40, and other Android devices, make sure that you've got the September update for AOSP, which may not yet be available depending on your device OEM. For Linux or other systems with the chipset, make sure that you have the appropriate ARM Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0.

Current estimates are almost 2200 organizations are impacted, the number jumping when it was disclosed that nearly 900 colleges and universities were also impacted. The primary actor behind the attack appears to be the Clop ransomware group, which seems to be working as hack and extort gang, foregoing the ransomware step; which has, according to Coveware, netted them between $75 and $100 million. Whether or not you're impacted or suing Progress Software, double down on moving away from MOVEit.

No real surprise here as companies often have a regulatory or State requirement to announce a data breach. It also takes a bit of time for third-party providers to inform their clients of a data breach.

Breaches via third parties are only going to keep increasing as criminals move to the supply chain to either target larger number of victims via a thirds party or to launch a specific attack against an organization via its supply chain. The European Union Agency for Cybersecurity provides an excellent guide on Good Practices for Supply Chain Security: https://www.enisa.europa.eu/publications/good-practices-for-supply-chain-cybersecurity

If you have it installed, assume that you are compromised and initiate mitigation. File transfer is problematic if only because everyone does it.

Since neither of these variants generally succeed if the attackers don’t get user credentials first, I’d like to see the FBI update its guidance to first recommend moving to phishing resistant MFA instead of having that advice be second after ancient password complexity recommendations that don’t reduce the risk of phishing.

With multiple ransomware variants deployed decryption becomes much more challenging. On top of that, the ransomware gang is adding/tweaking the malware to make it both harder to detect and include multiple separately timed data wipers. Go through the PIN verifying you've taken as many of those steps as possible. For things that you're taking a pass on, set a time to revisit. Ever more critical is ensuring your third/fourth/fifth party risks are mitigated. Don't forget to include these when calculating critical business functions.

The scourge of ransomware is not going to go away any time soon. As with all security events, prevention is better than the cure. This guide provides some good information on how to prevent becoming a victim of ransomware. In addition, Europol provides recommendations and known decryption keys as part of its industry partnership No More Ransom initiative: www.nomoreransom.org

You can expect ransomware gangs to adjust their TTPs (tactics, techniques, and procedures) as victims balk at paying the ransomware – this PIN highlights that shift. In addition to the mitigations listed in the notification, an excellent resource is the ‘Blueprint for Ransomware Defense.’ It remains effective even with changes in adversary TTPs.

Here’s a bumper sticker for your security awareness campaign during October’s Computer Security Awareness month: “Every form of messaging will be used by attackers. Treat all inbound messages as if they were asking to borrow your toothbrush.”

The malware was disguised as a coding challenge in an executable, which was protected to only decrypted on the intended victim's system, making detection/sandboxing much more difficult. Even so, remind users to beware of recruiters bearing executables, noting that many threat actors, such as the Lazarus group, are really good at social engineering and will work to convince users the payload is benign.

This is a great example highlighting that in today’s modern business environment, email is not the only potential vector for a phishing attack and criminals can target staff via many other messaging platforms.

All messages are suspicious. All should be treated with skepticism, as bait. Many can simply be thrown away. A few should be confirmed out of band. Edge systems should be isolated from mission critical applications. One user clicking on a bait message should not compromise the enterprise.

This attack highlights the fact that third-party providers often collect customer data as part of normal business operations. Organizations should revisit with their third-party providers what information is collected, whether it should be collected, and how it is secured. Additionally, as third-party provider relationships end, the SLA should specify how company sensitive data is to be disposed of.

We all trust sensitive data to third parties we hire to do work for us. Have we considered the impact of that data being released? Once upon a time, physical security mitigated a lot of those risks, as well as many of those documents being just that, physical, but with so many things, including OT systems, being connected and reachable, information now fully digitized, that bar may not be where you think it is. Make sure that your control systems are properly protected, that you know what information is held by third parties and walk through what can be done with it as well as verify how they are protecting it.

DHS is only one of tens of thousands of enterprises that have Johnson Controls, most installed by contractors, and unknown to the using enterprise. Best to start looking.

This is an example of a low value incident press release: no information on why the attacked succeeded, how long it took to detect the database exfiltration, etc. And it ended with a disappointing “Following this incident, ETSI asked their online services users to change their passwords.” vs. committing to movement away from reusable passwords.

This body is responsible for the development and testing of technical standards for information and communication including GSM. 3G, 4G, 5G and others, so don't be too hard on them for flaws in their IT system security. They were well positioned to value the proposed mitigations and have already fixed the vulnerability, updated their IT security procedures and are working with online users to reset credentials. If your core strength isn't IT security, hiring someone to help you where you need to be, and then help you stay there is going to be more cost effective than data breach recovery, particularly when you include secondary impacts to your business.

Hopefully ETSI will be forthcoming in the coming weeks with details of how the evil-doer compromised the IT environment and what changes they’ve taken in response to the data breach.