SANS NewsBites

WinRAR Users Need to Threat Hunt for Compromise and Upgrade; Emphasize AI Data Governance and Privacy; Check Cisco IOS XE Devices for Compromise

October 20, 2023  |  Volume XXV - Issue #83

Top of the News


2023-10-19

State-Sponsored Threat Actors are Exploiting Known WinRAR Vulnerability

Google’s Threat Analysis Group (TAG) has “observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR”, a Windows file archiving utility. The high-severity bug has been exploited since early 2023; RARLabs released WinRAR 6.23 in August to address the vulnerability.

Editor's Note

You may be noticing a recurring theme of exploiting unpatched vulnerabilities recently. The take-away is to make sure that you’re applying patches, particularly critical ones, in a timely fashion. Where you have long intervals between updates, e.g., in business or mission critical systems, maximize the defenses around those to reduce the risk. Updates to end-user, commodity, and perimeter systems should be standardized changes so you can apply patches rapidly.

Lee Neely

This is an example of cybercriminals ‘banking’ on organizations’ slowness in downloading and installing software updates. The zero-day was first seen in the wild in early April, but you really couldn’t do much but monitor for signs of attack. Fast-forward: an update was released in August that fixes the underlying vulnerability. Fast-forward again to October, and organizations are still being exploited. Unfortunately, there is still a lot of work to be done in automating the software update process to get out in front of the exploit cycle.

Curtis Dukes
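The headline asks WinRAR users to threat hunt as well as upgrade. The following is an added example, not code from the SANS page, Google TAG or RARLabs: a small Python scanner that inspects ZIP archives for the publicly documented CVE-2023-38831 lure layout, in which a decoy document (for instance "invoice.pdf") sits beside a directory named like the decoy plus a trailing space ("invoice.pdf ") that holds a script named the same way ("invoice.pdf .cmd"). The archive names, the decoy file name and the script-extension list are assumptions chosen for illustration, and both sample archives are constructed in memory so the script runs offline. It also reports the weaker indicator of any path component ending in a space, which is rare in legitimate archives.

```python
"""Hunt ZIP archives for the CVE-2023-38831 WinRAR lure layout.

Added example, not from the SANS NewsBites page. It checks two things:
  1. a file whose parent directory equals a top-level file name plus one or
     more trailing spaces, and whose own extension is a script type
     (the documented lure shape), and
  2. any path component that ends in a space (a weaker, generic anomaly).
Sample archives are constructed below; file names are illustrative.
"""
import io
import posixpath
import zipfile

# Extensions a user "opening" the decoy could end up executing (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".wsf", ".hta", ".ps1", ".exe", ".lnk"}


def find_lure_pairs(names):
    """Return (decoy, script_entry) pairs laid out like the lure."""
    names = [n.replace("\\", "/") for n in names]
    top_level_files = {n for n in names if "/" not in n}
    hits = []
    for name in names:
        parent, leaf = posixpath.split(name)
        if not parent or not leaf:
            continue                      # top-level file or a bare directory entry
        if parent == parent.rstrip(" "):
            continue                      # directory name has no trailing space
        decoy = parent.rstrip(" ")        # "invoice.pdf " -> "invoice.pdf"
        ext = posixpath.splitext(leaf)[1].lower()
        if decoy in top_level_files and ext in SCRIPT_EXTS:
            hits.append((decoy, name))
    return hits


def trailing_space_entries(names):
    """Weaker indicator: entries with any path component ending in a space."""
    flagged = []
    for name in names:
        parts = name.replace("\\", "/").split("/")
        if any(part.endswith(" ") for part in parts):
            flagged.append(name)
    return flagged


def scan_zip(data):
    """Scan raw ZIP bytes (central directory only; nothing is extracted)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {
        "lure_pairs": find_lure_pairs(names),
        "trailing_space_entries": trailing_space_entries(names),
    }


def build_sample(malicious):
    """Constructed in-memory archives: one shaped like the lure, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%decoy document\n")
        if malicious:
            # Placeholder payload; a real lure drops and runs malware here.
            zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\necho placeholder\r\n")
        else:
            zf.writestr("attachments/readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("lure", "benign"):
        print(label, scan_zip(build_sample(label == "lure")))
```

Run it over mail-gateway quarantine or endpoint download directories; a hit on the lure pair is a strong signal worth pulling the host for review, while a trailing-space-only hit is a prompt to look closer rather than a verdict. The check reads only the central directory, so it is safe to run on untrusted archives.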

2023-10-19

Generative AI is Seen as Internal Risk

A survey of risk and compliance professionals found that ransomware and security breaches, and state-sponsored attacks, were two of the top four ranked internal threats to businesses. While generative AI did not make the top of the list, “a majority of risk and compliance pros say employee use of generative AI opens the door to business risk, adding that less than 10% of companies are prepared to mitigate internal threats associated with the emerging tech.”

Editor's Note

I’m going to skew old here, but you didn’t see risk surveys back when VisiCalc, the first spreadsheet for a personal computer, came out, or later when Lotus 1-2-3 and then Microsoft Excel turned spreadsheets into ubiquitous business software that has been responsible for a huge volume of data leakage and exposure (as well as the creation of intentional and unintentional disinformation) in the name of increased productivity. Governance around data management was largely ignored and the mistakes repeated as relational databases followed – don’t make the same mistakes with AI!

John Pescatore

Consider GenAI as emerging technology. It is incredibly powerful and has the promise of returning many employee hours of productivity. You need to learn how it differs from prior technology, to include how your GenAI engine is trained and what information it stores, and if possible, how it’s used. Decide how you want information created by GenAI to be handled/credited versus wholly original works as well as how you’re going to verify the information given as genuine.

Lee Neely

Generative AI as a technology holds great promise in automating business workloads in virtually every industry vertical. That said, it will also force risk managers to reframe existing business risks in new, unforeseen ways. For example, data privacy: businesses have always had that as a risk from a confidentiality and availability perspective, but now they have to consider the integrity of the data used for business purposes. As companies start to implement AI into business operations, the Chief Risk Officer has to be a part of the discussion.

Curtis Dukes

Insider error and malice are the internal risk. Generative AI and LLMs in particular represent a major advance in user interfaces to the computer. They permit us to express the results that we want in natural language. They make the computer an easier to use tool. However, it remains a tool. Tools vary in quality, utility, use, and usability. The user remains responsible for the selection of the tool, the purpose to which it is put, and all the properties of the result.

William Hugh Murray

2023-10-18

Estimated Number of Infected Cisco IOS XE Devices Keeps Growing

On Monday, October 16, Cisco disclosed that a critical zero-day security flaw in its IOS XE software was being actively exploited. On Tuesday, researchers from VulnCheck said that the number of infected Internet-facing IOS XE devices was estimated to be 10,000. By Thursday, that number had increased to 40,000.

Editor's Note

Do a scan and make sure you’re not a member of that community. Cross-check with asset discovery tools. If you’ve got IOS XE devices, not only make sure that access to their management interface is not Internet-accessible, or is disabled, but also take steps to protect or disable any Internet-exposed management interfaces.

Lee Neely

Let me start by saying that I am very comfortable with the Cisco CLI because I remember using CatOS. The only reason I have thought of enabling the HTTP server on these devices would be to support some captive web portals. With that out of the way, I will be clear here on my comments. Using the Web Interface for a Cisco router or switch outside of something like the Viptela acquisition or Meraki is a terrible idea that should never be considered. The CLI is possibly the best way to manage it; outside of some network management system requiring it, this should never be considered. The second statement is: why would any of your control plane items be on the internet, SSH or HTTP? It doesn’t matter; you're asking for trouble.

Moses Frost

With the announcement, the exploit clock started ticking as every criminal gang and nation state went ‘full tilt’ on the offensive. Best advice for organizations continues to be, follow Cisco’s mitigation guidance until an update is available.

Curtis Dukes
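The editors above recommend confirming that the IOS XE web UI is not reachable from the Internet and following Cisco’s mitigation guidance, which at the time amounted to disabling the HTTP server feature or restricting who can reach it. The following is an added example, not code from the SANS page or from Cisco: a Python audit that reads saved `show running-config` output and reports whether `ip http server` / `ip http secure-server` are enabled, whether an `ip http access-class` restriction is present, and which `no ip http ...` commands would turn the service off. The hostname, addresses and ACL name in the sample configs are constructed; the IOS commands themselves are real. It does not detect an implant, only the exposure that made exploitation possible, so treat it as a triage step, not as proof of a clean device.

```python
"""Audit saved IOS XE running-config text for an exposed web UI.

Added example, not from the SANS NewsBites page or from Cisco. It parses
`show running-config` output for the HTTP server feature:
  ip http server / no ip http server                 (HTTP on/off)
  ip http secure-server / no ip http secure-server   (HTTPS on/off)
  ip http access-class ...                           (who may connect)
Sample configs below are constructed for illustration.
"""
import re

ACCESS_CLASS_RE = re.compile(r"^ip http access-class\s+(\S.*)$")


def audit_http_server(config_text):
    """Return the web-UI exposure implied by one device's running-config.

    Values for "http"/"https": "enabled", "disabled", or None when the
    config never mentions the command (treat that as "check the device").
    """
    http = None
    https = None
    access_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http = "enabled"
        elif line == "no ip http server":
            http = "disabled"
        elif line == "ip http secure-server":
            https = "enabled"
        elif line == "no ip http secure-server":
            https = "disabled"
        else:
            m = ACCESS_CLASS_RE.match(line)
            if m:
                access_class = m.group(1).strip()

    any_enabled = "enabled" in (http, https)
    if any_enabled and access_class is None:
        verdict = "EXPOSED"        # web UI on, no source restriction at all
    elif any_enabled:
        verdict = "RESTRICTED"     # web UI on, but an access-class applies
    elif http == "disabled" and https == "disabled":
        verdict = "DISABLED"
    else:
        verdict = "UNKNOWN"        # config silent on at least one server
    return {"http": http, "https": https, "access_class": access_class, "verdict": verdict}


def remediation_commands(result):
    """Commands that turn off whatever the audit found enabled."""
    cmds = []
    if result["http"] == "enabled":
        cmds.append("no ip http server")
    if result["https"] == "enabled":
        cmds.append("no ip http secure-server")
    return cmds


# Constructed sample configs (documentation addresses, made-up names).
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
"""

RESTRICTED_CONFIG = """\
hostname core-sw-01
!
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)):
        result = audit_http_server(cfg)
        print(name, result["verdict"], remediation_commands(result))
```

Feed it the configs your backup tool already collects and sort by verdict; anything EXPOSED on an Internet-facing interface goes to the front of the queue for Cisco’s implant checks and a patch. The remediation list assumes you do not need the web UI; if something does depend on it, the access-class route is the fallback.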

The Rest of the Week's News


2023-10-17

CISA and Global Partners Update Secure by Design Document for Software

The US Cybersecurity and Infrastructure Security Agency (CISA), along with 17 global partners, has updated its secure-by-design guidance for software manufacturers. “The authoring organizations strongly encourage every technology manufacturer to build their products based on reducing the burden of cybersecurity on customers, including preventing them from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions. We also urge the software manufacturers to build their products in a way that facilitates automation of configuration, monitoring, and routine updates.”

Editor's Note

Unfortunately, the key phrase is “strongly encouraged” – in ancient programming languages, this is what was known as a No-Op or NOP instruction which told the processor “read and do nothing.” The guidance is fine but it has been available for many years from many sources. Since legislation is not happening in the US at least, procurement pressure is what is needed.

John Pescatore

Expect CISA and its global partners to continue refining their secure-by-design guidance with Industry review. For it to be ultimately successful, however, requires buy-in from regulators. Regulators can compel companies to make the necessary process and technology changes. We also have the added difficulty in how Industry shows compliance with secure-by-design requirements. Unfortunately, given politics in the US, Industry will mostly demur in implementing until at least 2025.

Curtis Dukes

Since the first version of this guidance, input from hundreds of software publishers has been incorporated into the document. While it will take time to evolve existing SDLCs and supporting processes to secure by design, the message is clear: software must be designed to be secure by default. Read through the guide and see where you can change the bar. If you’re adopting secure by design principles, publicize them. Don’t wait for regulatory requirements to start down this path.

Lee Neely

Ohhhh, we are supposed to make it so that people write SECURE software? I had this all wrong this whole time! I get the idea it should not be the onus of the customer to ensure that these things are safe. It’s a great consumer protection idea. The problem is that it’s just a piece of paper without regulation or teeth.

Moses Frost

2023-10-17

Amazon Adds Support for Passkeys

Following recent announcements that Google and Microsoft have implemented passkey support, Amazon has added support for passkeys on its website. WhatsApp has also announced that it will roll out passkey support for Android users.

Editor's Note

Adding support is like putting a lock on the door but never actually setting the lock – a good first step but no increase in security. Google’s approach of making the passkeys the default but allowing users to switch to passwords is a much stronger approach and really what is badly needed today.

John Pescatore

This is effectively for the web versions of the Amazon Shopping and other apps. The mobile versions still rely on a password. If you set up a passkey, and you’ve enabled 2FA, you are going to need to confirm that with a code from your 2FA to get set up, even though passkeys are intended to replace that. You may want to watch for support in the mobile apps before changing your account.

Lee Neely

Welcome Amazon, to the potential of a passwordless future. It appears you still have some kinks to work out (one-time verification code) and some applications to add passkey support for; but all the tech giants are now aligning in the use of passkeys.

Curtis Dukes

Use passkeys! If you can, use a physical hardware token, but in the event you can’t, use passkeys.

Moses Frost

2023-10-17

Mazda Invokes DMCA Over Home Assistant API Tool

Mazda has served a software developer with a Digital Millennium Copyright Act (DMCA) cease-and-desist letter regarding a library that was used by the Home Assistant integration for Mazda Connected Services, which was also maintained by the developer. GitHub received a DMCA takedown order as well.

Editor's Note

The software dependence of modern cars will soon become a major issue as these cars age. If car makers do not open their API and other interfaces, a car may become obsolete just like a smartphone. This may be even more of a problem if current EV startups end up failing and support will cease for their cars.

Johannes Ullrich

Unlike recent publications from Tesla, this researcher seems to have reverse engineered the Mazda API for a home-assistant integration, which users were using for clever automation/monitoring of their vehicles. The lesson here is to make sure you have proper permission before reverse engineering an API and sharing the resultant application, particularly if you’re using hidden features, even if you’re not charging or otherwise making money from those efforts.

Lee Neely

2023-10-19

International Law Enforcement Effort Takes Down Ragnar Locker Website

The FBI, Europol, and other European law enforcement agencies have taken down the website that was used by the Ragnar Locker ransomware operators to post allegedly stolen information. According to the FBI, Ragnar Locker ransomware was used to launch attacks against 52 organizations between April 2020 and March 2022; targets included companies across the spectrum of critical infrastructure sectors.

Editor's Note

This is the latest move this year by the FBI to take down ransomware gangs, the most recent being the Hive gang, limiting their ability to do “double extortion” of their victims. This doesn’t mean you can let down your guard when it comes to ransomware. It does mean law enforcement, the FBI and others, working together and separately, are working to reduce or eliminate the effectiveness of these threat actors.

Lee Neely

Kudos to international law enforcement on the website take down. Unfortunately, the advantage is still with cybercriminals taking advantage of poor cyber hygiene. The best defense continues to be configure, patch, back-up, and monitor.

Curtis Dukes

2023-10-19

Kaspersky Researchers Observe Cyberattackers Using Updated MATA Backdoor Framework

Kaspersky researchers have detected threat actors using the MATA backdoor framework to attack Eastern European organizations in the oil, gas, and defense industry sectors. The espionage campaign was ongoing between August 2022 and May 2023. Kaspersky first described the MATA framework in 2020; the threat actors have been using an updated version of MATA in the Eastern European attacks.

Editor's Note

The MATA backdoor had been previously used by the Lazarus gang, but there is no ready connection to them for this campaign. The attack uses spear-phishing email to deliver Word documents, with a malware payload that leverages a flaw in Internet Explorer. Targeted or not, this is a good time to double down on your spear-phishing defenses.

Lee Neely

2023-10-19

US Authorities Seize Domains Used in Fraud Scheme

The US Department of Justice (DoJ) has announced that “the United States seized 17 website domains used by North Korean information technology (IT) workers in a scheme to defraud U.S. and foreign businesses, evade sanctions and fund the development of the Democratic People’s Republic of Korea (DPRK) government’s weapons program.” The announcement also revealed that court-authorized seizures in October 2022 and January 2023 recovered approximately $1.5 million in ill-gotten gains.

Editor's Note

The seized domains were leveraged to ensure the legitimacy of the workers seeking jobs in the US. The mitigation is to make sure you’re doing strong background checks of workers, particularly remote and foreign workers, as well as limiting access to only the IP they are hired to work on. Beyond aiding the home country, you may also wind up with a deemed export, which will get you in hot water, including fines, with the Department of Commerce.

Lee Neely

2023-10-19

Symantec: Crambus Cyberespionage Group Targeted Middle Eastern Government


Researchers from Symantec’s Threat Intelligence team have detailed an espionage campaign against a Middle Eastern government. The threat actors are believed to be part of an Iranian cyberespionage group known as Crambus. The campaign maintained an eight-month dwell time in the government’s systems between February and September 2023.

Editor's Note

Read the Symantec blog for IOCs to add to your library. Review your protections and monitoring, in this case the attack concentrates on Exchange, to ensure you’re able to detect a compromise sooner than later. An eight-month dwell time has to become a thing of the past.

Lee Neely

Internet Storm Center Tech Corner

Hiding in Hex

https://isc.sans.edu/diary/Hiding+in+Hex/30322

Changes to SMS Delivery and How it Effects MFA and Phishing

https://isc.sans.edu/diary/Changes+to+SMS+Delivery+and+How+it+Effects+MFA+and+Phishing/30320

Honeypot Update

https://github.com/DShield-ISC/dshield/blob/main/README.md

Malicious Keepass Ads

https://www.malwarebytes.com/blog/threat-intelligence/2023/10/clever-malvertising-attack-uses-punycode-to-look-like-legitimate-website

Malicious JavaScript in Smart Contracts

https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16

Oracle Quarterly Critical Patch Update

https://www.oracle.com/security-alerts/cpuoct2023.html

Citrix Vulnerability Exploited CVE-2023-4966

https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966

Exposed Jupyter Notebooks Exploited

https://www.cadosecurity.com/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks/

Fake Traffic Tickets with QR Code

https://twitter.com/polizeiberlin/status/1713867011837567411

Synology NAS DSM Account Takeover: Not Random Random Numbers

https://claroty.com/team82/research/synology-nas-dsm-account-takeover-when-random-is-not-secure

Milesight Routers CVE-2023-43261

https://github.com/win3zz/CVE-2023-43261