VMware has released patches to address a critical out-of-bounds write vulnerability affecting its vCenter Server and VMware Cloud Foundation products. The flaw could be exploited to achieve remote code execution. The issue is severe enough that VMware has released fixes for end-of-life products, including vCenter Server 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1. VMware has also released updates for a moderate severity vulnerability that could lead to partial information disclosure.
vCenter has been in the crosshairs of ransomware gangs for a while. Patch this before the next issue of NewsBites talks about how they are taking advantage of this flaw to extort organizations. As a first step: Please ensure any IPs allowing direct access to vCenter are not reachable from the internet.
Use this quote from VMWare to drive immediate patching: “In-product workarounds were investigated, but were determined to not be viable.”
If you're running one of the older, unsupported vCenter Server products, you caught a break here and have an update. Apply the patch, then move to the latest supported/patched version. POC exploit code is available on the Internet, and there are no workarounds.
The vendor is sending a clear signal when it chooses to provide an update for end-of-life products – the install base is high. Users of vCenter Server and its Cloud Foundation products should download the update and patch immediately.
Security Week
The Register
SC Magazine
Dark Reading
Bleeping Computer
VMware
Apple has released updates to address security issues in multiple versions of iOS, iPadOS, and macOS, as well as tvOS, watchOS, and Safari. In all, the updates fix more than 50 security issues, including an actively exploited integer overflow vulnerability in the Kernel that affects older versions of iOS.
This update is most important for users of older devices. Apple is providing a patch for an already exploited vulnerability to devices unable to run more recent versions of iOS.
Apple released updates for pretty much all their operating systems, to include iOS/iPadOS 15 and macOS 12 (Monterey). Don't overlook that older hardware is still running those versions: patch them, then initiate plans to update them to devices that can run the current versions. It's time to bring that newer hardware up to the current release as well. Even with the updates applied, take a look at running mobile devices in lockdown mode for users in risky areas.
Security Week
ZDNet
Ars Technica
Apple
Apple
Apple
The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group have published a cybersecurity toolkit for the Healthcare and Public Health sectors. The toolkit consolidates pertinent cybersecurity resources, including cyber hygiene, suggestions for strengthening defenses and maturing cybersecurity efforts, and addressing resource constraints.
Here are a lot of resources you're going to want all in one place. Not only guidance on actions to take, but also aids to explain the threat landscape to management as you garner support to implement selected security improvements. Don't overlook that CISA is a free resource, and you can leverage that to not only assess your current state but help you plan improvements. Having a second set of eyes, while it may result in issues which need addressing, is far better than having your adversaries exploit those shortfalls.
This 82 page document definitely “consolidates” a lot of other documents but really does not bring any value to overcoming the obstacles to actually doing all those things mentioned across those 82 pages.
Kudos to HHS and CISA in leveraging existing cybersecurity best practices into a single repository. The guidance has been available for quite some time, just a Chrome or Bing search away. So, perhaps this will spur implementation by healthcare organizations.
This initiative is timely. It will be helpful only to the extent that healthcare management makes it a priority.
Kubernetes security company ARMO identified two new vulnerabilities in the Nginx Ingress Controller for Kubernetes (ingress-nginx). These vulnerabilities affect the use of NGINX as a reverse proxy in front of Kubernetes. Two vulnerabilities (CVE-2023-5043 and CVE-2023-5044) allow attackers to inject arbitrary code into the Kubernetes ingress controller process. This vulnerability puts service account tokens in use by the process at risk. The two vulnerabilities are mitigated in NGINX 1.19. The third vulnerability, CVE-2023-4886, affects Kubernetes itself. It enables an attacker with control over the ingress object to steal Kubernetes API credentials. Version 1.8 of Kubernetes mitigates this vulnerability.
One of those things we cover in SEC588, so let me describe what's happening here. TL;DR: there is a good-news set of angles. First, you need to be able to control the nginx YAML, so you do need some level of authentication. Second, if you've architected your CI/CD pipelines correctly, you can replace this container quickly. The problem may be that most people do not consider updating tags as often, so this is one of those hair-on-fire bugs, but only to the attackers and defenders who understand Kubernetes. Unlike all systems, Kubernetes heavily relies on authentication tokens and permissions. This container service, which is required to have certain permissions in Kubernetes, is vulnerable to that key material being read. Just make sure you know who is able to apply PodSpecs, guard your API Server, and make sure it's not on the internet, like most of them seem to be.
Ingress in Kubernetes is an API object that provides HTTP and HTTPS routing to services based on a set of rules, including hostnames or URL paths. NGINX Ingress Controller is a solution that manages this routing mechanism using the widely known NGINX reverse proxy server. Update to Kubernetes 1.8, update to NGINX version 1.19 and add the "--enable-annotation-validation" command line configuration.
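The two checks the comments above ask for (is the controller running with --enable-annotation-validation, and who is actually allowed to create or change Ingress objects) can be scripted against exported manifests. The following is an added example, not code from the newsletter or from the ingress-nginx project; every manifest in it is a constructed sample, the image tag is a placeholder, and the function names are hypothetical.

```python
"""Audit constructed Kubernetes manifests for two hardening points: the
ingress-nginx controller should run with --enable-annotation-validation, and
the set of identities that can create/update Ingress objects should be known.
Added example; all objects below are constructed, not from a real cluster."""

import copy
from typing import Iterable, List

ANNOTATION_FLAG = "--enable-annotation-validation"
WRITE_VERBS = {"create", "update", "patch", "*"}

# Constructed controller Deployment that is missing the validation flag.
# The image tag is a placeholder, not a real release.
CONTROLLER_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "image": "registry.example.invalid/ingress-nginx/controller:PLACEHOLDER_TAG",
        "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"],
    }]}}},
}

# Constructed RBAC: a namespaced Role that can write Ingresses, a read-only
# ClusterRole, and a wildcard ClusterRole (which implies write access too).
RBAC_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "ingress-editor", "namespace": "team-a"},
     "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                "verbs": ["create", "update", "patch"]}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "ingress-editor-binding", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "ingress-editor"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "team-a"}]},
    {"kind": "ClusterRole", "metadata": {"name": "read-only"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-only-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "read-only"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "wildcard-admin-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]


def controller_has_annotation_validation(deployment: dict) -> bool:
    """True if any container in the Deployment passes the validation flag."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return any(ANNOTATION_FLAG in c.get("args", []) for c in containers)


def with_annotation_validation(deployment: dict) -> dict:
    """Return a copy of the Deployment with the flag appended where it is missing."""
    hardened = copy.deepcopy(deployment)
    for container in hardened["spec"]["template"]["spec"]["containers"]:
        args = container.setdefault("args", [])
        if ANNOTATION_FLAG not in args:
            args.append(ANNOTATION_FLAG)
    return hardened


def _rule_allows_ingress_write(rule: dict) -> bool:
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    return (("*" in groups or "networking.k8s.io" in groups)
            and ("*" in resources or "ingresses" in resources)
            and bool(verbs & WRITE_VERBS))


def ingress_writers(objects: Iterable[dict]) -> List[str]:
    """List each bound subject ('Kind/name' or 'Kind/name@namespace') whose
    role grants create/update/patch on Ingress objects."""
    objects = list(objects)
    # Roles are scoped by namespace; ClusterRoles carry no namespace.
    roles = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            roles[(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])] = o
    writers = []
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = binding["roleRef"]
        # A RoleBinding to a Role resolves within the binding's own namespace.
        ns = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ns, ref["name"]))
        if role is None or not any(_rule_allows_ingress_write(r) for r in role.get("rules", [])):
            continue
        for s in binding.get("subjects", []):
            suffix = f"@{s['namespace']}" if s.get("namespace") else ""
            writers.append(f"{s['kind']}/{s['name']}{suffix}")
    return sorted(writers)


if __name__ == "__main__":
    print("flag present:", controller_has_annotation_validation(CONTROLLER_DEPLOYMENT))
    hardened = with_annotation_validation(CONTROLLER_DEPLOYMENT)
    print("flag present after hardening:", controller_has_annotation_validation(hardened))
    for w in ingress_writers(RBAC_OBJECTS):
        print("can write Ingress objects:", w)
```

On a live cluster the same functions would be fed the output of an export of the controller Deployment and of all Role, ClusterRole, RoleBinding and ClusterRoleBinding objects; the wildcard ClusterRole shows why the check has to treat `*` in apiGroups, resources and verbs as a match rather than looking only for the literal `ingresses` resource.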
SecLists
Armosec
Cloud Native Now
Irish National Police (Garda) data regarding seized vehicles was found online in an unprotected database. More than 500,000 records were exposed; the data include identity documents, vehicle registrations, names, and other identifying information of drivers, witnesses, and Garda officers.
Many issues exposed in this one: (1) Need to Share always has to be satisfied with “Need to Protect.” (2) “Need to Protect” includes a requirement for “Need to Notice.” (3) All those Needs are more complex when a supply chain is involved. (4) Finger-pointing down the supply chain rarely reduces liability and never reduces damage to the information owner. Many organizations probably have this same potential exposure – use this item to get approval for action now.
Encrypting data at rest, limiting access to those with need-to-know, let alone annually verifying those settings are in place, may sound like regulatory and bureaucratic overhead/PITA until you find you've got exposed data and need to explain to management, staff, regulators and possibly the press why. In this case, the weakness was at a third party, and the contract included data protection provisions, but validation of appropriate access controls seems to have been missing. The third party is the data steward; you're still the data owner, and protection remains your responsibility.
Unfortunately, a basic configuration setting was not applied, leading to the data exposure. The Center for Internet Security has foundation security benchmarks for the major cloud service providers as well as configuration recommendations for individual products (i.e., databases). Going forward, the Garda can make configuration to the benchmarks a requirement of the SLA.
A cyberattack against shared services provider TransForm has caused outages affecting email systems and patient records at five Canadian hospitals: Windsor Regional, Hotel Dieu, Bluewater Health, Erie Shores HealthCare and the Chatham-Kent Health Alliance. The hospitals have had to delay or cancel some patient appointments.
TransForm is a non-profit organization created by the five hospitals to manage their IT, accounts payable and supply chain, sending about 1 million patient messages a month while managing about 40,000 devices. The arrangement has achieved economy of scale wins for the hospitals and that comes with risks of wider impact for issues. Replace TransForm with your cloud service provider in the conversation and dive deep into what you can do to mitigate outage impacts, to include the ROI and expected risk of occurrence. Keep that report updated.
The Register
Bleeping Computer
CBC
Bleeping Computer
TransFormSSO
Document Cloud
The city of Philadelphia disclosed that its IT systems were hit with a cyberattack in May and that the incident compromised personal information. The city detected suspicious activity in its email system in late May; it was later determined that intruders may have had access to email accounts between May 26 and July 28. In August, the city learned that some of the email accounts held protected health information.
While the breach appeared to end in July, the PHI reporting didn't happen until October, just about the end of the allowed 90-day window for HIPAA reporting. While the delay is likely due to forensic and other analysis to ensure the reporting was accurate, which is something we would all want, make sure that your incident reporting plans are on as short a timeline as possible, not only for transparency, but also to keep the information authoritative, neutralizing third-party speculative releases.
I hate to be a grumpy Gus in my comments today, but any time I see an “Incident of Notice” that includes the phrase “In an abundance of caution…” I stop reading. If an organization even just had slightly more than a modicum of caution, most incidents would have been avoided. Even just a scintilla of caution should result in less than two months of dwell time for active attacks.
The biggest takeaway from this disclosure is the apparent lack of incident response planning by the city. After containing the breach, communicating the possible loss of PII (including protected health information) to its residents has to be at the top of the list of actions to take.
According to a September 2023 report from NCC Group, ransomware groups launched 514 attacks in September, a year-over-year increase of more than 150 percent. There was also a 76 percent increase in double ransomware attacks. The majority (50 percent) of the attacks were against organizations in North America; 30 percent targeted European organizations.
Interesting stats, some not surprising: 50% of the attacks targeted North America, 30% Europe and then Asia with 9%. The most prolific attacker was LockBit 3.0, followed by LostTrust, BlackCat and RansomedVC. Surprising was that Clop, the group behind the MOVEit attacks, didn't appear in the September list. Newcomer RansomedVC has a twist to their extortion plan, claiming any flaws found on victims' networks would be reported under the GDPR, which could trigger hefty fines for data breaches which may include compensation to affected individuals. Make sure you haven't relaxed your anti-ransomware protections and awareness.
Notwithstanding International law enforcement efforts, ransomware attacks are still on the rise in 2023. More needs to be done to take away the main advantage evil-doers have: ransomware payment via crypto-currency.
SC Magazine
Bleeping Computer
NCC Group
The UK Parliament’s Science and Technology Committee is calling for information that can help protect the country’s Critical National Infrastructure (CNI) from cyberattacks. The committee notes that the UK is the third-most targeted country in the world for cyberattacks, following the US and Ukraine.
I suspect that what the UK Parliament will find as a result of the call is that sufficient cybersecurity guidance already exists to protect critical infrastructure. The next step will be to enforce a minimum cybersecurity standard for each critical infrastructure sector. Additionally, one must look at the potential insider threat, and include both physical and procedural security controls in the minimum standard.
The committee acknowledges the challenges caused by a mixture of government and private sector owned systems comprising their CNI, which heightens the need for comment from those operators who don't operate in the government sector. Responses need to be submitted by November 10th, using the Cyber resilience of the UK's critical national infrastructure portal. Documents up to 25MB can be submitted; be sure to follow the guidance to ensure acceptance.
Researchers from ESET say the Winter Vivern cyberespionage group has been exploiting a zero-day cross-site scripting (XSS) vulnerability in the Roundcube Webmail server. Since October 11, the Winter Vivern group has been targeting Roundcube Webmail servers at several European government organizations and a think tank. Roundcube has released updates to address the vulnerability; users are urged to update to versions 1.6.4, 1.5.5, and 1.4.15 or later.
Threat actors are targeting products like Roundcube and Zimbra as they are often used in situations where the victim has a lower IT budget and a correspondingly lower level of sophistication of security measures, making it easier to compromise their organization. The messages sent in this attack leveraged JavaScript embedded in the message such that the act of viewing the message in a browser was sufficient to launch the attack, which sent a list of folders and emails in the victim's Roundcube account to the attackers. Beyond updating to the latest version of Roundcube, consider migrating to a solution which is a harder target. It's 2023, there is no need to run email in-house, and service providers have a much bigger budget to provide secure environments. Remember, you need to activate the security functions in that solution, to include appropriate monitoring.
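The attack described above works because JavaScript carried inside the message body reaches the browser when the message is rendered. The defensive counterpart is the allowlist sanitizer a webmail front end applies to an HTML body before display; the block below is an added example, not code from the newsletter, from ESET, or from the Roundcube project (Roundcube's own sanitizer is separate and is not what is shown here). It drops script and style elements together with their content, discards any tag outside the allowlist while keeping its text, removes every on* event-handler attribute, and keeps href values only when they carry an http, https or mailto scheme. The sample message is constructed.

```python
"""Allowlist HTML sanitizer for webmail message bodies. Added example; class
and function names are hypothetical and the sample message is constructed."""

from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"href", "title"}
VOID_TAGS = {"br"}
# Elements whose entire content is discarded, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def is_safe_href(value) -> bool:
    """Accept only absolute http/https/mailto URLs. Control characters are
    removed before the scheme check because browsers ignore them when parsing
    a URL, so a scheme split by a tab must not slip through."""
    if not value:
        return False
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip().lower()
    return cleaned.startswith(SAFE_SCHEMES)


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element
        self.open_tags = []  # allowed tags emitted and not yet closed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # tag discarded; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                continue
            if name == "href" and not is_safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close anything opened after this tag too, so the output stays well formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html_email(body: str) -> str:
    parser = EmailSanitizer()
    parser.feed(body)
    return parser.result()


# Constructed message body with the kinds of active content that must be
# neutralized before the message is rendered in a browser.
SAMPLE_MESSAGE = (
    '<p>Hello <b onclick="alert(1)">team</b>,</p>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)">click</a> '
    '<a href="https://example.invalid/report">report</a>'
    '<img src="x" onerror="alert(1)">'
)

if __name__ == "__main__":
    print(sanitize_html_email(SAMPLE_MESSAGE))
```

The allowlist approach matters more than the particular tag set: a denylist that removes known-bad tags leaves every new or mis-parsed construct in place, whereas here anything not explicitly permitted is dropped, and the remaining text is re-escaped on output so nothing the parser decoded is re-emitted as markup.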
SC Magazine
The Register
Ars Technica
Dark Reading
Bleeping Computer
We Live Security
NVD
Chile’s Computer Security Incident Response Team (CSIRT) has disclosed that the Grupo GTD telecommunications company suffered a ransomware attack that has disrupted its Infrastructure as a Service (IaaS) platform. The attack began on Monday, October 23. GTD has taken down its IaaS platforms for analysis. GTD recommends that organizations that use its IaaS services consider taking certain measures to determine if they were affected by the attack.
If you're a GTD IaaS customer, follow the suggested mitigations to scan for anomalous traffic, accounts, processes, and malware, to include hunting for the Rorschach ransomware using the provided IOCs.
Apple Updates
Confluence Server Scans CVE-2023-22515
Adventures in Validating IPv4 Addresses
https://isc.sans.edu/diary/Adventures+in+Validating+IPv4+Addresses/30348
BIG-IP Configuration Utility Unauthenticated Remote Code Execution
https://my.f5.com/manage/s/article/K000137353
iLeakage Vulnerability
Critical VMware vCenter Patch CVE-2023-34048
https://www.vmware.com/security/advisories/VMSA-2023-0023.html
Samsung Messages and Samsung Wallet briefly marked as 'harmful' by Google
https://9to5google.com/2023/10/23/samsung-messages-wallet-harmful-app-google/
OAuth Hijacking
https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
Microsoft Exchange Server CVE-2023-36745 PoC
https://n1k0la-t.github.io/2023/10/24/Microsoft-Exchange-Server-CVE-2023-36745/
Citrix Bleed PoC CVE-2023-4966
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
VMWare VRealize Exploit CVE-2023-34051 CVE-2023-34052
https://www.vmware.com/security/advisories/VMSA-2023-0021.html