Ukraine Sheds More Light on Sandworm; SolarWinds Disputes SEC Findings; SysAid is the Next MoveIT

This is where your legal team will earn their retainer. And they need support from you to succeed. Without taking sides in the SolarWinds lawsuit, there are some lessons here we can leverage. Finalize and review assessment documents. Address deficiencies and document actions taken. Make sure that you're fully following your security standards, including documenting any risk acceptance or deviations. Have frank conversations with your internal auditors, remember they work for you, follow their guidance, or document why not and have management sign off either way.

And, so, the legal posturing begins. Ultimately, it is the CEO who bears responsibility for informing investors on the state (including cybersecurity) of the company. There is also a fine line in how material cybersecurity deficiencies are discussed with investors absent an actual attack. Too much information can provide a roadmap for the attacker. Too little, well, then you might get sued by the government.

This lawsuit is not so much about SolarWinds security posture as it is about misleading customers and investors. That said, their security posture notwithstanding, they did ship malicious code to their customers for which they have not been held accountable. This may well be the single most expensive security failure ever, with the cost borne not by the failing party but by its customers.

Malware that lives off the land in an OT attack, which seems to have been developed in 1-2 months is a peek at how Sandworm's cyber capabilities have evolved. Note they also deployed CADDYWIPER via GPO from a domain controller using the TANKTRAP PowerShell script, (also used for NEARMISS, SDELETE and PARTYTICKET), on the IT systems to distract from the attack on the OT systems. The mitigations remain the same. Focus on securing the attack vector and detection/monitoring. Have the hard discussion about exactly which entry points are exposed and needed. While many OT components don't have security updates, there are other components which do, such as hypervisors, firewalls, routers and monitoring components, that need to be considered. Have an in-depth conversation on how to keep them updated without unacceptable impact to operational objectives.

Two points stand out in the Mandiant report. First, the attacker applied ‘living off the land’ tactics to compromise the OT environment. We’ve seen this tactic used in information technology (IT) environments but, perhaps this is the first time used against OT. Second, the attacker, exploited the physical connection of the two environments, IT and OT, to enable the attack. Yes, there are legitimate business reasons for connecting the two environments, but that just means you had better understand the security consequences and protect accordingly.

Novel attack or otherwise, the risk of mis-operation of critical infrastructure in time of armed conflict should not surprise anyone. What may be concerning in the Mandiant report is the increasing maturity of the Russian attackers.

For these packages, both the setup.py and init.py scripts include the scripts, used during package installation, which receives and executes code from an external source. The primary fix is to make sure that you properly vet all your included packages. Leverage services from Git, Google, your CI/CD tools and others as a force multiplier here.

This malware highlights the fragile nature of open-source software libraries. If done correctly, malware introduced in the supply chain can have disastrous consequences for developers across a large number of vendors. This malware demonstrated that level of skill. What’s baffling though is that the consequence is about the least possible thing that could happen. Strange.

We're all aware of the seemingly perpetual list of WP vulnerabilities, particularly in the myriad of plugins. Wordfence (aka Defiant Inc) is working to raise the security bar with this program. To participate, register with the Wordfence bug bounty program, carefully read the conditions, paying particular attention to what is and is not in scope. If you've previously submitted vulnerabilities, they can be associated with your account to increase your status/ranking. Note that bounties are not paid for out-of-scope vulnerabilities, and while each submission is checked, you're encouraged to limit out-of-scope submissions as there are limits on how many of your reports will be checked.

Kudos to Wordfence for implementing such a program. As we’ve discussed in previous SANS NewsBites, WordPress plugins are the security weak link. Bug bounty programs are an efficient way to ferret out vulnerabilities before they can cause harm. It’s proven highly successful in large organizations such as the US Department of Defense.

This breach, and a recent breach of plastic surgeons shows that HIPAA is missing the teeth to prevent these breaches. HIPAA may have a lot of reasonable rules to help clinics protect this data, but without per-breach enforcement and independent auditing, the rules are meaningless.

US Radiology is a private service provider for partner companies. At core, they failed to quickly update their firewall to provide adequate protections to both their and partner connected networks as well as failing to upgrade other systems in a timely fashion. In addition to the fine, they are also required to update their IT infrastructure, properly secure their network and update data protection policies. Meaning they need to incur both the cost of the deferred actions and the penalty as well as any costs associated with the ransomware incident. While it may be easy to defer updates to systems and security practices, consider this scenario, then work to prioritize needed improvements, to include scheduling out-year activities so they are not lost. Make sure that any interconnected networks, such as one to a service provider, are properly constrained and have monitoring you're watching. Think trust but verify.

The State of New York, both the OAG and the DFS, have been on a tear this year in fining companies for inadequate cybersecurity practices. Per the OAG, US Radiology Specialists, did not demonstrate a standard of reasonableness in implementing its cybersecurity program. In addition to the fine the OAG also required adoption of data security practices. A good starting point for any organization implementing security practices is the CIS Critical Security Controls, Implementation Group 1.

Regulators have been punishing victims for a generation now with no measurable effect on security.

Another protocol that should never have been exposed to the public internet. But if it can be exposed: It will be exposed.

CVE-2023-29552, CVSS Score of 7.5, allows an unauthenticated remote hacker to register arbitrary service, which then is used to conduct an amplified DDoS attack leveraging spoofed UDP traffic. You can apply your vendor specific mitigations or disable the SLP (RFC 2608) service on UDP port 427. Vulnerable systems share the characteristic of being old and not otherwise using the service. Odds are this is an old service you're not using and can simply block/disable.

Verify that your DDoS protections include layer 7 defenses as well as make sure that you don't already own services (in house or otherwise) you haven't leveraged to keep the bar on this sort of attack.

2023 has seen a dramatic increase in DDoS attacks. Threat intelligence generally attributes the uptick in DDoS attacks to the military conflict in Ukraine. Organizations should review their SLAs with their upstream provider to limit the effect of DDoS attacks.