SANS NewsBites

Critical Intel CPU Flaw in the Shadows of Microsoft Patch Tuesday; Ransomware "Calls your Mom (SEC)" if You Don't Pay

November 17, 2023  |  Volume XXV - Issue #91

Top of the News


2023-11-16

Ransomware Group Files Complaint with SEC Because Victim Did Not Report Breach Quickly

In an unusual twist on breach disclosures, the ALPHV/BlackCat ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) alleging that an organization they breached failed to disclose the incident to the SEC within the timeline required by rules established in July. The MeridianLink financial company has now confirmed that it is recovering from a cybersecurity incident.

Editor's Note

In this case, the compromised company (MeridianLink) is not in violation since the new rules for 3 day disclosure haven’t become effective yet and the incident probably wouldn’t reach the material threshold anyway. But: As the old saying goes “There is no honor among thieves.” Hiding a breach from your customers and the SEC is really just another form of thievery.

John Pescatore

Anyone feel like someone just called your mom because you wouldn't budge? Add reporting to your regulator to the list of extortion techniques ransomware gangs are willing to use to extort payment. In MeridianLink's defense, the new SEC four-day reporting requirement doesn't go into effect until next month. Make sure your incident response plans contain current reporting requirements, which are kept updated, then make sure you're prepared to meet or exceed those requirements, including knowing the required format and reporting mechanism.

Lee Neely

I have a feeling once the SEC rules officially go into effect we will see more ransomware tactics like this where the ransom states, “Pay now or we inform the SEC.” We saw something similar with the MGM breach; the reason we know so many details of how the breach happened is because the cybercriminal group (Scattered Spider) posted details (it all started with a social engineering phone call to the Help Desk). Finally, keep in mind that while ransomware is in the news, so many other attacks never hit the news simply because they do not have to. When was the last time you read about a successful BEC/CEO fraud attack? Almost never, as you don’t have to go public when you lose money, and yet the FBI records billions in losses due to BEC. Don’t structure your approach to cybersecurity based on just what you read in the news.

Lance Spitzner

Another change in tactics by a ransomware gang to apply pressure on victims. Even though the rule is not yet in effect, the result is the same; it’s now known that MeridianLink is a victim of a ransomware attack. MeridianLink should have come clean with its customers from the get go.

Curtis Dukes

2023-11-16

November Patch Tuesday

On Tuesday, November 14, Microsoft released fixes to address more than 60 security issues across its product lines. Three of the vulnerabilities are being actively exploited, and three vulnerabilities, including one of those under active exploit, were disclosed prior to patches being released.

Editor's Note

Yay, only three critical out of 64 vulnerabilities addressed this month. Trick is, 14 of the vulnerabilities are in Microsoft Edge and five affect the Mariner Linux distribution from Microsoft. I'd lump MS Edge updates in the same priority bucket as Chrome updates, and make sure they go out, including an enforced browser restart window.

Lee Neely

As Microsoft President Brad Smith said two weeks ago: “A more secure future will require new advances in fundamental software engineering.” I think reaching fundamental software “engineering” is still the first needed step but the reality is we will continue to need to deal with a similar level of patching for years to come. Bridges don’t fall down as often as they did before fundamental “civil engineering” became a reality, but we still need to patch road surfaces and fix problems constantly to prevent damage to bridge users.

John Pescatore

2023-11-14

Intel Fixes High-Severity Reptar Bug in CPUs

Intel has pushed out microcode updates to address a vulnerability that causes CPUs to “enter a glitch state where the normal rules don’t apply.” The flaw, which has been given the name Reptar, lies in the way CPUs manage prefixes. The issue affects the Alder Lake, Raptor Lake, and Sapphire Rapids processor families.

Editor's Note

This is not your usual side-channel vulnerability. Instead, specific sequences of instructions may crash the CPU itself, leaving it in an undefined state. The minimum effect is a denial of service, but this could also lead to cross tenant information leakage in cloud environments.

Johannes Ullrich

Intel notes that real-world execution of this flaw, CVE-2023-23583, CVSS score of 8.8, is improbable. They have released a microcode update to address the issue. This flaw impacts desktop, mobile and server CPUs and the update will come from your device or motherboard manufacturers. Make sure you've practiced deploying the update in a lab to mitigate risks of bricking systems.

Lee Neely

Looks like both a DoS and a privilege escalation risk across virtual environments but with a fix that doesn’t even require a reboot. Also, see the related Citrix issue. Get assurances that Cloud Service Providers are addressing this – SLAs do little to mitigate costs of outages or incidents.

John Pescatore

The headline is misleading; pushing out microcode may be the best that Intel can do but it hardly fixes the bug. Patching for such a pervasive and fundamental issue will be incomplete and inefficient.

William Hugh Murray

2023-11-15

TETRA Encryption Algorithms Will be Released to Public Domain

The European Telecommunications Standards Institute has announced that they will release their encryption algorithms to the public domain. The algorithms are used by the Terrestrial Trunked Radio protocol, or TETRA, which is a standard used by emergency services and in some industrial settings. Earlier this year, researchers from the Netherlands disclosed five vulnerabilities affecting TETRA networks.

Editor's Note

This was a great example of how obscurity will only delay the disclosure of vulnerabilities. The delay made the problem worse as now thousands (millions?) of devices are deployed in the field with this vulnerable encryption algorithm. Open-sourcing the code will hopefully help gain back some of the lost trust.

Johannes Ullrich

The continuing volume of CVEs (and zero days) each month documenting vulnerabilities in proprietary code pretty much long ago proved that keeping source code secret does not lead to greater security. Going open source is no guarantee of higher levels of security, either – well managed bug bounty programs have often proven to be an optimum mix of effectiveness and efficiency in finding and fixing vulnerabilities because the bad guys can exploit them.

John Pescatore

Given the firestorm of criticism ETSI has faced over the last few months, this move was expected. With this announcement, ETSI now has a similar release policy to that of the US NIST standards organization. Having encryption algorithms open-source and available for review by security researchers is generally a good thing.

Curtis Dukes

2023-11-17

Holiday Hack Challenge 2023

Don’t miss the most festive cyber security event of the year! The 2023 SANS Holiday Hack Challenge includes real-world challenges and a quirky holiday-themed storyline where you’ll get to save the holiday season from a cyber attack.


Subscribe to be notified at sans.org/holidayhack

The Rest of the Week's News


2023-11-15

Citrix Hypervisor Hotfixes

Citrix has released hotfixes to address two vulnerabilities in Citrix Hypervisor. One is for the Reptar vulnerability affecting Intel CPUs (see story above). The second hotfix is for a flaw that “may allow malicious privileged code in a guest VM to compromise an AMD-based host via a passed through PCI device.”

Editor's Note

The update from Citrix updates the AMD microcode to the October 19, 2023 release and the Intel microcode to IPU 2023.4, and includes prior hotfixes for the Citrix Hypervisor 8.2 CU1. While the Intel flaw is noted as unlikely to exploit, the AMD flaw appears less so; regardless, the hotfix addresses both, a win-win. The hotfix requires a reboot, and can be installed manually using the xe CLI or via the XenCenter console. Leverage the ability to restart members of a pool separately to shift workload and minimize impact.

Lee Neely

2023-11-16

ALPHV/BlackCat Ransomware Purveyors Use Malvertising to Spread Malware

The ALPHV/BlackCat ransomware group has been launching malvertising attacks in an effort to infect users’ machines with malware. The group has been purchasing Google advertisements for products such as Slack and Cisco AnyConnect. When users download what they think is the software they want, they are actually downloading Nitrogen initial-access malware. The scheme was detected by researchers from eSentire.

Editor's Note

The big online ad networks (Google is the biggest) need more proactive ad checking to raise the bar against malvertising. The ad networks seem to have moved quickly to innovate in ways of pricing and maximizing revenue from ads but have really lagged in doing more than reacting when criminals use their ad networks.

John Pescatore

While EDR and browsers are getting much better at triggering on bogus downloads, this is still going to take discipline on both our and our users' parts, insisting downloads be performed from legitimate sources, and the download checked before use, avoiding the quick and easy free/discounted/faster downloads offered. Be doubly suspicious of unsigned downloads and those only offering a SHA1 signature.

Lee Neely

Unfortunately another technique used by ransomware gangs to gain initial access to a victim’s enterprise. Once initial access is established, they take advantage of poor cyber hygiene practices to fully compromise the victim. Instead of waiting for the ad network to fix the growing problem, the best defense remains a focus on secure configuration, patch management, and monitoring to limit the attack.

Curtis Dukes

2023-11-16

Medical Transcription Company Discloses Data Breach Affecting 8.9 Million People

A Nevada-based medical transcription services company has disclosed a breach that it says compromised personal information belonging to nearly 9 million individuals. Perry Johnson & Associates (PJ&A) notified the US Department of Health and Human Services Office for Civil Rights of the incident on November 3. The breach began in late March and lasted until early May.

Editor's Note

This appears to be another MOVEit compromise courtesy of the Cl0p ransomware gang affecting the third-party service provider. Sadly, I don't think we're done hearing about MOVEit attacks. This attack occurred between March 27th and May 2nd of this year, with the first notification coming on July 21st. PJ&A didn't complete their initial investigation until September 28th, notices were sent to affected individuals on October 31st, and it was only this week the PHI breach notice was made to HHS. Check your third-party providers to see if any are still using MOVEit, and if so, verify they are checking for compromises and ask what they are doing to mitigate the ongoing risk.

Lee Neely

It is time for a ‘Time to Detect’ SLA to be required for any service provider you are going to trust with sensitive information. SLAs just mean you get a free month of a badly-secured service, but it does have near term financial impact on the service provider. That SLA should be measured in days, not months.

John Pescatore

Not a lot of details on the cause of the vulnerability that led to the data breach. It does however highlight the critical cybersecurity relationship between PJ&A and their clients. The Service Level Agreement has to give the client insight into the PJ&A cybersecurity program, as the client also bears responsibility for protecting patient data through the 3rd party.

Curtis Dukes

2023-11-15

IPStorm Botnet Dismantled; Operator Pleads Guilty

The FBI has dismantled the IPStorm botnet’s proxy network as well as the infrastructure associated with the IPStorm malware. IPStorm has infected Windows, Android, Linux, and macOS systems around the world. IPStorm’s operator, Sergei Makinin “pled guilty to three counts of violating 18 U.S.C. § 1030(a)(5)(A), knowingly causing the transmission of a program that intentionally caused damage without authorization to protected computers.” He faces up to 30 years in prison.

Editor's Note

In contrast to the FBI story about Scattered Spider below, this time the FBI had enough information reported to take action. The network reportedly had as many as 23,000 proxies. While Makinin's sentence is 30 years, he only made about $550,000 from the scheme. The IPStorm malware was first observed in 2019 due to its use of the InterPlanetary File System's P2P protocol. You may want to keep an eye out for unexpected protocols, particularly P2P services not normally needed in an enterprise setting.

Lee Neely

A win for the ‘good guys.’ Unfortunately, it will do little to deter others in harvesting botnets for sale. What it will likely do though, is cause a review of TTPs by cybercriminals. It continues to be a ‘cat-and-mouse’ game between evil-doers and law enforcement.

Curtis Dukes

2023-11-16

Google TAG: Multiple Groups Have Used Zimbra Flaw to Target Government Systems

Earlier this year, Google’s Threat Analysis Group (TAG) discovered a zero-day vulnerability in Zimbra Collaboration (CVE-2023-37580). Zimbra released an update to address the cross-site scripting vulnerability in July. Since then, TAG has observed no fewer than four groups exploiting the vulnerability to target government systems around the world.

Editor's Note

This highlights the importance of keeping mail systems updated as quickly as possible. Better still, don't run your own email system, particularly for something as critical as your government's email services. If you still feel the need to do so, make sure you're not only subscribed to their security alerts, but also actively watching for updates, whether GitHub or other software update channels. Don't be lulled into thinking it's just email; consider it a juicy target in a critical business system.

Lee Neely

An example of defenders needing to stay on top of critical patches, as the evil-doer is ‘on the clock’ once the hot-fix/patch/software update is publicly released.

Curtis Dukes

Our readers, who use threat intelligence, have applied the update.

William Hugh Murray

2023-11-16

Secret Cryptomining Rigs Found in Polish Courthouse

In September, officials at a Warsaw, Poland courthouse discovered multiple cryptomining rigs hidden throughout the building. The devices had their own modems to connect to the Internet; they were not connected to the court’s network. However, they were using the courthouse’s electricity. The rigs have been seized by law enforcement and the incident is under investigation.

Editor's Note

This is a harder scenario to detect as the traffic wasn't passing over the court's network. Unless you're closely monitoring energy use, or inspecting these sorts of spaces, you're going to miss something like this. As cryptomining tends to be resource intensive, the spike in power consumption, particularly compared to historical use, should stand out if you're able to monitor it. You may have to rely on sweeps related to other maintenance activity with a penalty-free "if you see something, report something" incentive.

Lee Neely

The Achilles’ heel for cryptominers is a voracious need for electricity. There have been other cases over the past couple years here in the US as well. The best defense is monitoring your network, err power usage, for discrepancies in typical usage.

Curtis Dukes
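Both editors above point at power consumption as the detectable signal for rigs that never touch the network. The following is an added example (not from NewsBites or the Polish investigation) of the kind of check a facilities or SOC team could run over metered data: because mining rigs draw load around the clock, it compares each night's idle-hours floor against a historical median rather than looking for daytime spikes. The hourly kWh readings and the 22:00-05:00 "off-hours" window are constructed assumptions.

```python
"""Flag a sustained rise in a building's off-hours electrical baseline.

Added example, not the newsletter's or any vendor's code. Hidden mining rigs
add a constant load 24 hours a day, so the overnight floor of metered power
rises and stays up; a single daytime spike is normal business activity.
"""
from statistics import median

# Constructed assumption: the building is mostly idle from 22:00 to 05:00.
OFF_HOURS = {22, 23, 0, 1, 2, 3, 4, 5}


def build_readings(days=21, shift_day=15, extra_kwh=5.0):
    """Constructed hourly kWh readings as (day, hour, kwh) tuples: quiet
    nights, busier days, and a steady extra load every hour from shift_day
    onward that stands in for the rigs being switched on."""
    readings = []
    for day in range(1, days + 1):
        for hour in range(24):
            if hour in OFF_HOURS:
                kwh = 12.0 + (hour % 3) * 0.5   # small nightly jitter
            else:
                kwh = 40.0 + hour                # daytime load
            if day >= shift_day:
                kwh += extra_kwh
            readings.append((day, hour, kwh))
    return readings


def nightly_floor(readings):
    """Return {day: mean off-hours kWh} for each day in the readings."""
    per_day = {}
    for day, hour, kwh in readings:
        if hour in OFF_HOURS:
            per_day.setdefault(day, []).append(kwh)
    return {d: sum(v) / len(v) for d, v in per_day.items()}


def flag_baseline_shift(readings, baseline_days=14, ratio=1.25, min_run=3):
    """Return (first_day_of_shift or None, historical_median_floor).

    The first `baseline_days` days form the historical median of the night
    floor. A shift is reported only when the floor exceeds median * ratio
    for `min_run` consecutive nights, so one noisy night is not an alert.
    """
    floors = nightly_floor(readings)
    days = sorted(floors)
    hist = median(floors[d] for d in days[:baseline_days])
    run_start, run = None, 0
    for d in days[baseline_days:]:
        if floors[d] > hist * ratio:
            if run == 0:
                run_start = d
            run += 1
            if run >= min_run:
                return run_start, hist
        else:
            run_start, run = None, 0
    return None, hist


if __name__ == "__main__":
    day, hist = flag_baseline_shift(build_readings())
    print(f"historical night floor {hist:.2f} kWh; shift begins day {day}")
```

Tune `ratio` to the site's normal night-to-night variance; a threshold too close to 1.0 will alert on HVAC or seasonal changes rather than added hardware.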

2023-11-16

Reluctance to Report Cyber Incidents Hinders FBI’s Efforts to Make Arrests

The group responsible for recent cyberattacks against MGM and Caesar’s Entertainment has been targeting US companies for the past two years. More than 200 organizations have been targeted by the group since the beginning of 2022. People close to the investigations say that the FBI has known the identities of a dozen people involved but have not yet made any arrests. Several of the targeted companies have not reported the incidents to the FBI, which means they lack evidence in those cases. The FBI is asking organizations affected by these attacks to come forward. An advisory released by CISA and the FBI lists tactics, techniques, and procedures (TTPs) that the group, known as Scattered Spider, uses.

Editor's Note

The FBI doesn't have enough reported information to take actions against the people they suspect are part of Scattered Spider, which is the gang believed to be behind the recent MGM, Caesars and Clorox attacks. The ask is for timely detailed incident information they can use to take this and future gangs down. The FBI is trying to assuage concerns by reinforcing that reporting company information will be kept confidential. Scattered Spider starts with phishing to entice users to share or reset passwords, shifts to SIM swapping to get MFA access, then uses social engineering to get your help desk to reset a victim's password, and leverages your normal, existing tools to exfiltrate data. Mitigations include using phishing-resistant MFA, doubling down on access control for apps and data, and limiting use of remote desktop services.

Lee Neely

Reluctance of victims and witnesses to press charges or testify is not a new problem and is not restricted to ransomware. We need to teach that, if one wants to live in an orderly society, the responsibility to report and bear witness is essential. While law enforcement can start an investigation on the basis of reasonable suspicion, this is rarely enough for a successful investigation, and never enough for a prosecution.

William Hugh Murray

2023-11-16

Bangladesh Intelligence Agency Data Leak

A database belonging to Bangladesh’s National Telecommunication Monitoring Center (NTMC) was attacked by threat actors, who exposed the fact that it was unsecured and say they stole the data it contained. NTMC is an intelligence organization that collects data concerning people’s cell phone and Internet activity.

Editor's Note

This harkens back to the unsecured S3 bucket compromises of the past. Double check that you're really securing the information you're hosting, in the cloud, Internet accessible or otherwise. The most concerning information compromised was IMEI numbers, which facilitate device tracking or cloning.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patches

https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+November+2023/30400

Redline Dropped Through MSIX Package

https://isc.sans.edu/diary/Redline+Dropped+Through+MSIX+Package/30404

Beyond -n: Optimizing tcpdump performance

https://isc.sans.edu/diary/Beyond+n+Optimizing+tcpdump+performance/30408

Scott Poley: The Cyber Data Paradox: Storing Less, Discovering More

https://www.sans.edu/cyber-research/cyber-data-paradox-storing-less-discovering-more/

Zimbra 0-day used to target international government organizations

https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/

FortiSIEM OS command injection in Report Server

https://www.fortiguard.com/psirt/FG-IR-23-135

AI Exploit Collection

https://github.com/protectai/ai-exploits

CrushFTP Remote Code Execution

https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/

ChatGPT Code Interpreter Security Hole

https://www.tomshardware.com/news/chatgpt-code-interpreter-security-hole

Directory Traversal in Reactor Netty CVE-2023-34062

https://spring.io/security/cve-2023-34062

Aruba Networking Product Vulnerabilities

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-017.txt

HARArmor

https://harmor.dev/

Adobe Updates

https://helpx.adobe.com/security/security-bulletin.html

Intel CPU Glitch State Patch

https://lock.cmpxchg8b.com/reptar.html

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html