Test Data Center Switchover Processes; Monitor Microsoft and Quickly Abandon NTLM When Possible; Disable HTTP or Block Internet Connection for all CISCO IOS XE Use

A scheduled chilled water system upgrade at an Equinix data center in Singapore caused outages for DBS Bank and Citi Singapore. The incident, which lasted for several hours, occurred on Saturday, October 14. Services in other locations, including India, the Philippines, and Hong Kong, were reportedly also affected.

John Pescatore

DBS Bank was unable to fail-over to services in another Equinix data center, which raises the question of why not. So far Equinix hasn't provided an answer on the interdependencies that prevented failover. The point being, when you setup for multiple physical locations with failover in mind, it's not always possible to ensure that failover will succeed. Work with your hosting provider to identify these dependencies and how they can be mitigated. Make sure you capture the risk and ROI of proposed mitigations.

Lee Neely

Fundamentals matter. Ensuring back-up and failover sites are operational before attempting an upgrade is about as fundamental as you can get. We are too often enamored by the sexy tech and forget that physical procedures are actually pretty important.

Mark Weatherford

The investigation is continuing but it does highlight that even planned upgrades can have unexpected consequences. Therefore, it’s important as part of the planning process to be able to quickly roll back system upgrades. This ensures continuity of business operations should the upgrade not go as planned.

Curtis Dukes

Removing NTLM will be a significant security improvement. We keep having vulnerabilities in various software (most recently WordPad) that trick clients into establishing SMB connections, potentially transmitting NTLM password hashes.

Johannes Ullrich

The fall-back NTLM use cases: Only supported protocol with local accounts, works when there is no connection to a DC, or when you don't know who the target server is. The changes include IAKerb, for relay communication to a system with "line of sight" access to the DC; having a local KDC (LocalKDC) for local accounts and fixing windows components hard-coded to use NTLM to use the Negotiate protocol, which can leverage IAKerb and LocalKDC. While the date is not set to phase out NTLM, it's time to start gathering your use cases, so you can test the replacement options prior to the forced retirement of NTLM.

Lee Neely

Dave Mayer at Neuvik, where I worked, looked at some articles because the curiosity about dropping NTLM is essential. How do you drop NTLM and use two workstations? Who is the KDC? We got the answer: the KDC will be set up on a non-domain computer on each machine. They will act as the KDC for the transaction. Does this mean there is a krbtgt account on your Windows 11 Workstation? What will this look like? But just like vbScript, there is no stopping this, so Farewell NTLM. You were such a good friend for the Redteam.

Moses Frost

It took something like 15 years for the US to make the shift away from leaded gasoline – removing dangerous stuff from a large installed base is not easy, but in the modern software world “legacy software backwards compatibility” needs to be measured in single digit years not decades.

John Pescatore

Could this finally be the end of NTLM? NTLM has had a checkered security history, being susceptible to replay attacks among other security vulnerabilities (i.e, pass-the-hash). By making these changes to Kerberos part of the default configuration in Windows 11, Microsoft is easing adoption.

Curtis Dukes

Never ever expose these admin interfaces to the public internet. It is sad how no vendor is able to apply secure coding practices to these high risk applications. Instead of "shift left", this feels more like "shift right for the customer to secure".

Johannes Ullrich

First thing: eliminate Internet access to your Cisco devices management interfaces, ideally to management networks with very limited access. For those of you in the federal space, that should have been part of implementing BOD-23-02. For the rest of us, quick like a bunny, get that taken care of. Exploiting this flaw allows a remote unauthenticated attacker to create an administrator account with level 15 privileges, which can be used to take over the device.

Lee Neely

As someone who knows how to operate old-school Cisco gear, don’t use the WebUI on IOS XE. Unless there is some weird vManage (Viptela) requirement, this is just… no, bad. Turn off. No. That’s all I have to say. I’m sure there are tons of issues with it. There must be; who uses this?

Moses Frost

Yet another example of why you should not have your web management interface exposed onto the internet. If you do you are hoping that a critical vulnerability is never discovered or exploited. It is much better to have access to the web management interface restricted to internal IP addresses accessible via a VPN.

Brian Honan

This is a dangerous vulnerability – zero day and CVSS score of 10. Heed Cisco’s mitigation guidance and be ready to implement the software update once it becomes available.

Curtis Dukes

Stating that "the new requirements would put a significant financial burden on small towns" is, while a legitimate concern, a poor excuse for not doing something everyone realizes is necessary. Following a ransomware attack on computer systems in Hinds County, MS last month, a county administrator said that "we felt like we were vulnerable" and that it "just that it came too soon before we could get to it.” It's human nature to a degree to think we always have a little more time, but security incidents aren't something that arrive on a schedule. Next to electricity, water is one of society's most critical resources and these lawsuits filed by states and non-profit water associations are not in the best interest of the public unless followed with specific and timely action."

Mark Weatherford

Highly likely that Congress will see bills to add the regulatory authority and this will be back. It is not a defensible position to say water utilities *do* have the funding, expertise and local laws needed to add computers and internet connections but *don’t* have the ability to do so safely and reliably.

John Pescatore

The requirement, from March 2023 as part of the National Cybersecurity Strategy, which had a stay July 12, 2023, of the memorandum under litigation, is still a good idea. Regardless of regulatory requirement, critical infrastructure remains a target, as such, operators need to ensure the security of their water and wastewater systems, ideally hiring a third-party to audit and/or test their configuration to ensure objectivity. One hopes future regulatory requirements address concerns raised to make them more palatable

Lee Neely

As previously discussed, use of the Sanitary Survey program as means to compel a cybersecurity audit was problematic from the get go. In rescinding the audit requirement, EPA is simply acknowledging that fact. That said, the EPA can do two things: 1) work with the water utility sector on establishing a measurable cybersecurity program; and, 2) work within the USG to normalize a baseline set of cybersecurity requirements applicable to every critical infrastructure sector.

Curtis Dukes

Hopefully the various entities within the Water Sector will look to conduct cybersecurity audits regardless of the withdrawal of this memorandum. I always state I’d rather have an auditor find issues with my cybersecurity program than the same issues being discovered by a criminal.

Brian Honan

The US Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the FBI have issued a joint advisory urging users to update to the most recent versions of Atlassian Confluence Data Center and Server. The privilege elevation vulnerability affects on-premises installations of Confluence Data Center and Server. Atlassian issued an advisory about the vulnerability earlier this month. The October 16 multi-agency advisory provides users with detection signatures and indicators of compromise.

Johannes Ullrich

The weakness affects Confluence Data Center and server versions 8.0 to 8.5.1. Versions prior to 8.0 are not affected , but you really don't want to be on an old version. This was added to the CISA's KEV on 10/5/23 with a due date of 10/13/23. Two core mitigations are to apply the update post-haste and implement phishing resistant MFA. Be sure to check for indications of compromise if you're running any of the affected Confluence versions.

Lee Neely

If the US Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the FBI Read urge you to patch your systems, then you patch your systems. I also recommend that even if you have already patched your Confluence systems that you check your environment for the Indicators of Compromise included in the alert to ensure your systems have not been compromised.

Brian Honan

The current list of Misconfigurations and Weaknesses on the StopRansomware site are: RDP, FTP, TELNET, SMB and VNC. You should be going, wait, really? Yeah, go make sure these are never exposed to the Internet, that they are only enabled where needed, you're on the latest (SMBv2 vs SMBv1), VPN is required to access the services, and you have implemented secure configurations. You need a plan to retire FTP, TELNET, and SMBv1 right away.

Lee Neely

Most if not all ransomware attacks take advantage of misconfiguration and missing patches to successfully execute the attack. The best advice to prevent a ransomware attack remains, know your enterprise, implement a patch management process, configure to a known security benchmark, and monitor your enterprise. An excellent starting point is the ‘Blueprint for Ransomware Defense.’ The blueprint is an action plan for ransomware mitigation, response, and recovery for small and medium sized enterprises.

Curtis Dukes

Kudos to CISA for providing this information as ransomware is probably the top, or one of the top threats, that most organisations are currently facing. However, I feel that the material produced is focused at a technical audience and that many of those that need to digest and take on board this information are small and medium sized businesses who need more plain speaking guidance.

Brian Honan

While the courts are operating, clerks cannot receive electronic filings or payments. All filings must be on paper or by fax. Paper filings can be sent by mail or hand delivered. Courts are being prepared to operate for at least the next two weeks on manual processes. While Jefferson County is able to continue business as usual, as the only site not to have been signed up for the state's new centralized eCourt system, it's not clear what aspect of the new system allowed it to be compromised. This introduces the consideration when introducing a new centralized system of not only measuring the overall security, but also developing viable scenarios to continue operations locally while the central system is impacted. Don't let a return to manual processing be the end of the discussion.

Lee Neely

Given the published length of downtime, it’s safe to assume a ransomware attack as the likely culprit. Hopefully, the State court system will provide an after-action report on the sequence of events that led to the security incident. This can shed some light on security responsibilities of the system provider, Tyler Technologies.

Curtis Dukes

Ah yes, that seldom seen security control, “Security by antiquity.”

Brian Honan

The idea is to have the browser executing malicious JavaScript, which means the protection falls to the endpoint, either via disablement of JavaScript or other EDR protections. As a service owner, your best protection is to prevent the addition of the malware via software updates, secure configurations and web application firewalls to intercept attempted malfeasance, rather than rely on the endpoint not executing malicious code. Note that there are now two controls in PCI/DSS version 4.0, intended to address Magecart attacks: requirement 6 "Development and Maintain Secure Systems and Software" and requirement 11 "Test Security of Systems and Networks Regularly." These are currently PCI/DSS best practices, not becoming mandatory until early 2025, you may want to look at early adoption.

Lee Neely

The headline doesn’t do this much justice because, on the surface, it appears it’s just a rehash of an older news story that’s been making the rounds forever. However, I'd look through some interesting technical details in this case. The fact that there are several novel variations that attackers are using listed in the article makes for an interesting read.

Moses Frost

The attacks by the Reichsadler Cybercrime Group, which target Windows systems, start with w3p3 (IIS component), "GodPotato" (an open-source privilege-escalation tool), then LB3 (ransomware payload crafted using an acquired copy of the LockBit 3.0 ransomware builder.) Make sure that you've updated your WS_FTP server to the latest version, then find an alternative to FTP file transfers.

Lee Neely

Will this be another MoveIT-like bug from the same manufacturer? It could depend on whether the same IT teams purchase from the same vendors. If you look for the WS_FTP server strings in Shodan, you’ll find about 1800 WS FTP servers listening on port 21. Does that mean there are 1800 targets? Could be.

Moses Frost

The flaw, which is fixed in version 1.3.79, allowed for arbitrary upload of PHP files with malicious content, allowing remote exploitation, and a complete takeover of a site. Make sure that you've updated your Royal Elementor plugin. The WordPress WAF already had protections, in the paid and free versions, to prevent the upload of files with malicious content, even so, make sure you've got the updated plugin, or that you've uninstalled it if no-longer used.

Moses Frost

Another week, another announcement of a WordPress plugin vulnerability. Given that the vulnerability is actively being exploited and carries a CVSS rating of 9.8, users of the website building kit should download the update and patch immediately. If you wish to roll the dice, use the free scanner to see if your website is vulnerable first.

Curtis Dukes