ownCloud Critical Vulnerabilities Actively Exploited, Idaho National Labs Breached

The first of these vulnerabilities is trivial to exploit. In containerized installs, the vulnerability is devastating. Credentials for administrators, mail servers and cloud services used by ownCloud may be leaked. Assume compromise if you have exposed unpatched ownCloud installs.

Johannes Ullrich

CVE-2023-49103, CVSS score 10.0, can be fixed by deleting the GetPhpInfo.php out of the microsoft-graph/tests directory. Then change your secrets to include ownCloud admin passwords, mail server and database credentials, and Object-Store/S3 access-keys. CVE-2023-49105, CVSS score 9.8, WebDAV API authentication bypass is mitigated by denying the use of pre-signed URLs where no signing-key is configured, and the third vulnerability, CVSS score 8.7, subdomain validation bypass, is ideally mitigated by the updated oauth2.app, or you can disable the "Allow Subdomains" option. until you apply the patch.

Lee Neely

The politically motivated hacking group SiegedSed is taking credit for the attack. While work to get to the root cause is ongoing, initial indications are a subcontractor account without MFA was used to access data in their Oracle HCM instance. Things to consider here: First, make sure you're consistently implementing MFA across all environments. Second, don't allow unfettered Internet access to systems with sensitive data. Use Conditional Access or similar mechanisms, to include VPN, to limit access to vetted systems running an appropriate security profile. Third, make sure that your IDM processes include every user type so you're not leaving inactive, unauthorized accounts. Lastly, take a look at the logs you get from your SaaS services to not only ensure they are where your responders can analyze them, but that they also contain sufficient information to support forensic activities.

Lee Neely

The Labs and the DoE have always been of strategic importance. I wonder how many in the general cybersecurity population realize the importance of these labs. I suspect not as many as we would think.

Moses Frost

While details are sketchy, the breach highlights that no matter the size or security resources available, you too can be a victim of cyber-attack. The data lost to date, mostly affects employees of the Lab as opposed to national lab research, and likely will be used as part of identity theft schemes.

Curtis Dukes

This appears to be a case of exploiting CitrixBleed at the third-party service provider, CTS. The UK is looking at legislation to increase security requirements for MSPs, but it's not clear when anything will materialize. If you're not in the UK, it's not going to do a lot for you anyway. What is happening is customer guidance is being provided to help you assess your MSP to ensure they are providing appropriate security.

Lee Neely

Yet another example of an attack on the supply chain of businesses. We need to develop business continuity plans to support the business in the event a vendor is compromised while also ensuring we manage as best we can the cyber-risk in the supply chain.

Brian Honan

An example of a single attack on a service provider that causes a business disruption for a large portion of an industry. This is not solely an issue with the legal sector, but rather includes other industry segments where service providers have consolidated as part of normal merger and acquisition opportunities.

Curtis Dukes

TIL that in the UK there is a provider specifically tailored for lawyers. This makes a lot of sense. Does that exist in other countries? It should.

Moses Frost

Mirai is not going away. It still haunts us as there appears to be an unlimited supply of easily exploitable IoT vulnerabilities. This is for the first time that Mirai exploited unpatched/0-day vulnerabilities. Usually, Mirai is exploiting well known vulnerabilities.

Johannes Ullrich

Default passwords, the gift which keeps on giving. While we are pretty good at changing these in our work environment, we need to also encourage the same discipline at home. Then make sure that you're not exposing management interfaces to the Internet. Sure, it's cool to help a friend that way, but make sure it's really disabled when you're not actively doing so. Better still, go in person, don't even enable the risky access.

Lee Neely

It’s disappointing that default passwords are still used as an initial access vector to enable cyberattacks in 2023. The Center for Internet Security has recommended for well over a decade, that default passwords be changed, and unique passwords be used prior to device deployment. With easy access provided by default passwords, botnet activity and DDoS attacks by extension, will only continue.

Curtis Dukes

Before we start blaming people for not changing default passwords on their devices at home, remember that for the vast majority of the community this is very hard for them. Every device is different, how you access it is different, the interfaces are different, the options are different, etc. It would be like the automotive industry stating that its car owner’s responsibility for making the first oil change for all their cars. If vendors are expecting people to change the default passwords, they should make it as simple as possible.

Lance Spitzner

Including the attack you committed on the potential customer in your services sales-pitch is pretty low. Even so, this would be a good time to leverage a VDP for a second set of eyes on weaknesses, noting any overlap between the reported issues and offers to secure your firm against those same weaknesses. Don't fail to prioritize and address anything discovered in your VDP.

Lee Neely

This used to be a mythical story that we all told each other: those evil hackers would hack you to drum up business. I guess some urban legends become self-fulfilling prophecies. Which class will this article show up in as an example?

Moses Frost

This guidance is based on AI, which includes machine learning, not just GenAI or LLMs, and while focused on developers of AI systems, it's a good read if you're looking to better understand the problems/risks with incorporating AI into your business processes. Don't overlook that part of the supply chain security in AI includes the model/foundation and the data set it's trained on, then monitoring these continuously, knowing where it's deployed and ensuring adequate testing is don't prior to release or deployment. This guidance also hopes to foster a culture of shared lessons learned to more quickly raise the bar collectively on AI security.

Lee Neely

Other than an increased focus on data integrity, AI system development really isn’t any different from any other secure software or system development activity. The same secure design, secure development, secure deployment, and secure operation principles still apply. That said, it’s always good to reiterate them as part of AI system development guidelines.

Curtis Dukes

IBM, a pioneer in AI, has a blog post addressing aligning AI with values. They admit that it is a hard problem, not because of the technology, but because of the tension among values. https://research.ibm.com/blog/what-is-alignment-ai

William Hugh Murray

The statement also expresses sorrow for the suffering the citizens face from the attack, as well as re-affirming they will stick to their core values as they work to resolve this case. Consider the value of the human element and acknowledgement of the impact on customers when planning your incident communication.

Lee Neely

In short, CISA is looking to offer their services as a MSP to non-federal organizations. While still a pilot, this could provide coverage for many small, privately owned, utilities which may not otherwise be able to afford this sort of cyber support. Reach out to your local CISA office to learn more.

Lee Neely

CISA has matured in its selection and delivery of cybersecurity services over the past decade. This pilot has a focus on healthcare, water, and K-12 entities which have become frequent targets of ransomware gangs. The only downside is a limit of 100 entities for the pilot program, but it is a start. Hopefully they can scale up quickly to protect the tens of thousands entities that make up these three critical infrastructure sectors.

Curtis Dukes

CISA Being an MSSP for the government. Thoughts? I know many companies that have this model, and it can work at scale. You do lose control of specific decisions in security but then again, did you have the budget to run the systems yourselves?

Moses Frost

The Alphv/BlackCat ransomware group has already claimed responsibility for the attack, and the posturing has commenced for data release if ransom is not paid. FNF claims the attack used compromised credentials. FNF is one of the largest title insurance entities and underwriters in the US, also offering settlement services to the real estate and mortgage industries. The thing is that at some level, phishing resistant MFA has to be SOP, particularly for larger companies. While SMBs may not be able to afford a comprehensive program, they can look to implement services which are already in their existing services to strengthen authentication.

Lee Neely

FNF is a massive company with many subsidiaries. Stories are circulating that people can’t pay their mortgages and some have stated that their escrow payments have disappeared. I would keep an eye on this one as I don’t think it will be a permanent issue but this one may have legs.

Moses Frost

Too often attackers are leveraging weaknesses in Human Management Interfaces (HMIs) which are exposed to the Internet. Today, the risks far outweigh the convenience of being able to directly reach management interfaces. Require a VPN or other secure access path before granting access to any management interface.

Lee Neely

Allowing remote access to your OT environment can be a ‘double-edged sword.’ While it creates efficiencies in the management of the critical infrastructure, it also opens a pathway for cyberattack. In this case the water authority had enabled alerting on changes to the environment and quickly took the system off-line. At a minimum, local government should track all remote access to the OT environment and put in place risk mitigation strategies for the eventuality of compromise.

Curtis Dukes

If you're affected, the best action is to not change your Google cloud storage, particularly the root/data folder until this is resolved, instead open a support ticket with Google. If you have room, copy your app data folder to a local hard drive. Google Drive tier one support appears to be volunteers, which means the ticket is needed to escalate to the paid support engineers. Take a look at where you're using non-enterprise cloud services to store enterprise data and revisit the backup and recovery processes for those to make sure that you're not needlessly risking data loss.

Lee Neely

If you haven’t looked at Cloud Backup solutions so that you’re not holding all your data solely in Google Drive, OneDrive, etc. You should.

Moses Frost

A week since the first reports; no resolution. May be limited to tens to low hundreds of users. May be a desktop client side problem but users complaining have been silent on their configurations. Some workarounds being discussed this AM.

William Hugh Murray