SANS NewsBites

Less Patch Work from Microsoft, but Be Aware of Apache Struts; Russian Hacktivists Disrupt Ukraine Cell Phone Network

December 15, 2023  |  Volume XXV - Issue #97

Top of the News

2023-12-13

Patch Tuesday, December 2023

On Tuesday, December 12, Microsoft released updates to address 35 vulnerabilities in its products. Four of the vulnerabilities are rated critical, and one, a division-by-zero error, was previously disclosed. Also on Tuesday, Adobe released fixes for more than 200 vulnerabilities, the majority of which affect Experience Manager.

Editor's Note

I can just imagine a CFO seeing a report of a ‘Divide By Zero’ flaw and spewing her coffee over her keyboard. CVE-2023-20588 is not one of the critical ones this month by any means, but it does point out how far away “software engineering” is from escaping oxymoron status: under certain conditions, CPU firmware avoided crashing when dividing by zero by instead possibly exposing sensitive data. And: the mitigation advice was to first “Do a dummy division 0/1 before returning from the #DE exception handler in order to avoid any leaks of potentially sensitive data.” Seems kinda like “wiggle the handle a bit if you hear gurgling” kind of engineering.

John Pescatore

As a present to all of us, the final update for 2023 appears to be a smaller set of fixes; I'll call that a win. The most serious flaw, CVE-2023-36019, Microsoft Power Platform Connector Spoofing Vulnerability, has a CVSS score of 9.6, is an RCE flaw triggered by a crafted link that can be executed remotely, has low complexity, and requires no existing privileges/access. While the Adobe updates don't include Acrobat, they do include Prelude, Illustrator, InDesign, Dimension, Experience Manager and Substance3D, so it's a more specialized set of users. Creative Cloud should already be prompting users to update, so you just need to make sure they have.

Lee Neely

As patches go, a light month for Microsoft, not so much for Adobe. The one critical Microsoft vulnerability is an RCE via the Outlook client and should be prioritized for patching. Likewise, Adobe has several vulnerabilities within the 200 that allow code to be executed and should be prioritized for patching.

Curtis Dukes

2023-12-13

Cyberattack Disrupts Ukrainian Mobile Phone, Internet, and Air-Raid System

Significant cellphone and internet outages in Ukraine are believed to be the work of cyber threat actors with ties to Russia. The attack on Kyivstar, which disrupted cell phone service for more than half of Ukrainian mobile phone users, also took down the air-raid system in the country’s capital region.

Editor's Note

This attack exemplifies how we need to change our thinking regarding our cybersecurity strategy with a particular focus on how our business depends on other businesses to be resilient. While you do not have control over how a third party secures their systems and services, you do have control over how you design and develop your own organisation’s ability to remain resilient and operational due to an attack in its supply chain.

Brian Honan

This is the largest compromise of a civilian telecommunications provider to date, and the most disruptive so far in the 21-month Russia-Ukraine war. Talk about scorched earth: the Solntsepek gang is claiming to have "destroyed 10,000 computers, more than 4000 servers and all cloud storage and backup systems," and has links to Ukraine's old adversary Sandworm. The other group, "killworm," claims to have targeted mobile operators and some banks. While the outages are impacting primary air-raid systems, they still have their backup system to fall back on. While we can't do much to help Kyivstar, we can consider what we would do if the Solntsepek claims applied to us. Do you still have an offline backup which can be restored, let alone records of what needs to be replaced and how?

Lee Neely

We must expect this kind of attack against information infrastructure in time of armed conflict. Hopefully we will have time to prepare (but hope is not a strategy).

William Hugh Murray

2023-12-13

Apache Releases Fix for Struts Vulnerability

Apache has released updates to address a critical vulnerability in Struts. The flaw (CVE-2023-50164) could lead to remote code execution. Users are urged to update to Struts 2.5.33 or Struts 6.3.0.2 or newer. Shadowserver has detected attempted exploits of the vulnerability in the wild.

Editor's Note

An exploit was made public for this vulnerability, and it is already being exploited. This is a "must patch" vulnerability. As so often with Apache Struts and similar vulnerabilities, identifying vulnerable systems will be difficult and you will rely on help from vendors.

Johannes Ullrich

I've written Struts vulnerability checks for Burp plugins, and they're fiddly, to say the least. They may lie dormant for years before the wrong person finds them. Be sure 1) to know what you're running, and 2) you patch as soon as practicable.

Christopher Elgee

Am I the only one thinking of Equifax? CVE-2023-50164, CVSS score of 9.8, is a path traversal flaw that allows files to be uploaded and which then can be remotely executed. The update is intended to be a drop-in replacement, provided you're not updating Struts 2.5 to 6.3 - regardless, get on the regression testing so you can get this deployed quickly; this is blood in the water. Note Struts 2.5.x is EOL in six months, so after you get the update deployed you need to get on that too. Unless you have a high risk tolerance, take the Struts 6 update as a separate project, particularly this time of year when so many folks are on leave.

Lee Neely

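The editors' advice above comes down to knowing where Struts is deployed and whether each copy is below the fixed release. The following inventory check is an added example (not SANS or Apache code): it assumes the standard Maven artifact name struts2-core-<version>.jar, looks for it on disk and inside WAR/EAR archives, and compares the version against the fixed releases named in the item, 2.5.33 for the 2.x line and 6.3.0.2 for the 6.x line.

```python
import os
import re
import tempfile
import zipfile

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")
FIXED = {2: (2, 5, 33), 6: (6, 3, 0, 2)}  # first patched release per major line (from the advisory)

def is_vulnerable(version):
    """True if below the fixed release for its major line, False if patched, None if line unknown."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[0])
    if fixed is None:
        return None
    return parts < fixed  # tuple comparison: (6, 3, 0) < (6, 3, 0, 2) is True

def _record(location, version):
    return location, version, is_vulnerable(version)

def scan(root):
    """Return (location, version, vulnerable) for every struts2-core jar under root, WARs included."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            m = JAR_RE.match(name)
            if m:
                found.append(_record(path, m.group(1)))
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:  # bundled copies live in WEB-INF/lib
                    for entry in archive.namelist():
                        m = JAR_RE.match(os.path.basename(entry))
                        if m:
                            found.append(_record(f"{path}!{entry}", m.group(1)))
    return found

def demo():
    """Constructed sample tree (empty files, not real artifacts): two loose jars and one WAR."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("struts2-core-2.5.32.jar", "struts2-core-6.3.0.2.jar"):
            open(os.path.join(root, name), "wb").close()
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-6.3.0.jar", b"")
        return [(version, vulnerable) for _, version, vulnerable in scan(root)]

if __name__ == "__main__":
    for version, vulnerable in demo():
        status = {True: "VULNERABLE", False: "patched", None: "unknown line"}[vulnerable]
        print(f"struts2-core {version}: {status}")
```

Point scan() at an application server's deployment directory to get the same report for real installations; renamed or shaded jars will not match the pattern and still need a manual look.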
2023-12-15

SANS Holiday Hack Challenge 2023

'Tis the season to be hacking! Join the SANS Holiday Hack Challenge 2023 for an epic quest to save the holidays. The most festive cybersecurity event of the year, where you'll dive into real-world challenges and a quirky holiday-themed storyline. Create your customized avatar and join forces with players globally in this legendary, one-of-a-kind, entirely free shared virtual experience.

Play Now: https://www.sans.org/mlp/holiday-hack-challenge-2023/

The Rest of the Week's News

2023-12-12

Fired Employee Damages Bank Network

A former bank employee in California has been sentenced to two years in prison for causing hundreds of thousands of dollars in damage to his former employer’s computer network. After he was fired in March 2020, Miklos Daniel Brody went home and used a company-issued laptop to deploy malware, delete code repositories, lock employees out of Amazon services, and commit other malicious activity. Brody has also been ordered to pay $529,000 in restitution.

Editor's Note

The bank did so many things wrong in handling this employee’s access that I’m sure it will be on the cover of the next issue of “Shoot Yourself in the Foot” magazine. But it is a good ‘tick tock’ to use to walk through and make sure your organization would not do some of the same things, starting with assuring that external access is removed immediately and fired employees are not allowed to “mail your company laptop in later” after being fired.

John Pescatore

Note to self: be really aware of incidental use policies, and make sure employees know where the limit lines are. While the bank was working to terminate the employee and reclaim the laptop, he became disgruntled and retaliated using his and other active credentials. Make sure that access is terminated or suspended immediately as part of your separation process, even if your equipment has not yet been reclaimed. Consider services which can not only track remote systems but also render them inoperative, LoJack as it were, to reduce this type of risk.

Lee Neely

One should not grant privileges and capabilities that one cannot reclaim at the time of an unfriendly termination.

William Hugh Murray

2023-12-14

Threat Actors are Abusing OAuth Apps That Do Not Require Strong Authentication

Researchers from Microsoft Threat Intelligence say that threat actors are misusing OAuth applications to automate financially-motivated cybercrime. Microsoft writes that “The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.”

Editor's Note

The problem in this case is not so much OAuth, but missing two-factor authentication. OAuth has some issues, in particular when it comes to the user's perception (and lack of understanding) of the authentication process, but this does not appear to have been a major issue in this case.

Johannes Ullrich

The issue is “threat actors launched phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications.” The lesson: all privileged accounts should have strong authentication in use, especially privileged accounts that create or modify security controls!

John Pescatore

2023-12-14

Idaho National Lab Breach Affected 45,000 Individuals

Last month’s security breach at Idaho National Laboratory (INL) compromised personal information of more than 45,000 people. The incident affected INL’s off-site Oracle Human Capital Management (HCM) system on November 19. The intruders exfiltrated data of current and former employees, including postdocs, graduate fellows and interns, and their dependents and spouses. People hired after June 1, 2023 were not affected.

Editor's Note

The attack targeted a federally approved cloud vendor system. It would be helpful to understand at what level the Oracle HCM was certified, and what security requirements were compromised by the evildoers to gain access. This knowledge can only help strengthen FedRAMP going forward, as well as sharpen continuous monitoring.

Curtis Dukes

2023-12-12

Sophos Backports Fix for Older Firewalls

Sophos has backported a security fix for a code injection vulnerability that affects end-of-life versions of firewall firmware after discovering that the flaw was being actively exploited. The vulnerability lies in the User Portal and Webadmin of Sophos Firewall and could be exploited to achieve remote code execution. The vulnerability was initially disclosed in September 2022.

Editor's Note

Whether your firewall is EOL or not, it is good practice not to have the admin panel accessible via the Internet. You should look to have remote admin of firewalls, and indeed any other internet-facing systems, from internal IP addresses using a VPN.

Brian Honan

This is a good move on Sophos' part, and if you've got one of the EOL devices, get it updated. Next, get it on the priority lifecycle replacement plan. I know it's tough to argue to replace something that is working fine, but remember that physical hardware does wear out. Couple that with the fact that the vendor isn't providing security updates, and the consequences of compromise, and you should have a solid argument.

Lee Neely

2023-12-13

MITRE: New Threat Model Framework for Critical Infrastructure

The EMB3D threat model framework for critical infrastructure was developed to “enable organizations to have a common understanding of the threats targeting embedded devices and how those threats can be mitigated.” EMB3D is a collaborative effort by MITRE, Niyo Little Thunder Pearson (ONEGas, Inc.), Red Balloon Security, and Narf Industries.

Editor's Note

The EMB3D ecosystem is currently in pre-release/review and will be publicly available in early 2024. This will be a good reference of threats, mitigations and best practices, intended to be leveraged in the planning cycle, which should be cheaper than having to add on security measures after the fact.

Lee Neely

It’s important to understand the threats to embedded systems and more importantly, the differences in security mitigations from those of more general IT systems. This recently came into focus with Unitronics control systems being targeted by Iranian hacking groups. How the mitigation approaches differ will be crucial as one implements their cybersecurity program.

Curtis Dukes

2023-12-12

Northern Ireland Police Data Breach Investigation Findings

In August, the Police Service of Northern Ireland suffered a data security breach. The incident exposed the personal information of more than 9,000 police officers and civilian staff by inadvertently publishing that data in an Excel spreadsheet on the PSNI’s website. An independent review of the incident found that the data were exposed through a tab in an Excel spreadsheet that was released in response to a Freedom of Information (FOI) request.

Editor's Note

This incident is a prime example of how a data leak/breach can have real life consequences for people. A number of the police officers whose data was exposed have had to move location due to the potential threat to their lives and that of their families. We need to remind ourselves that it is often not just bits and bytes we are protecting, but people.

Brian Honan

The post-breach investigation found there wasn't any one factor that led to the incident, but rather a combination of factors, meaning they need to work from the top down to change their culture to consider data protection as well as implement technical controls to help monitor/classify and control data. The technical controls are likely the easiest to implement; culture change can be challenging and painful. Hopefully the incident and investigation can be leveraged to ease this process. If you're involved in rights management/DRM/DLP, make sure you're observing the impacts of proposed controls and socializing them before they go live to prevent workarounds.

Lee Neely

Data breaches have a way of sharpening processes that fail to protect sensitive information. In this case lack of oversight and review before releasing information to the public led to the data leak. As always, the human element remains a critical component of an effective cybersecurity program.

Curtis Dukes

2023-12-14

More Malicious Packages Found in PyPI Repository

Researchers from ESET have found more than 100 malicious packages in the Python Package Index (PyPI) repository. The packages have been created to install a backdoor on Windows and Linux systems; the malware is capable of remote command execution, data exfiltration, and screenshots. The packages have been downloaded 10,000 times since May of this year.

Editor's Note

There are a couple of techniques used here. The first is obfuscated malicious code in the middle of the packages’ main module (__init__.py), so it runs whenever the package is imported. The second is a PowerShell script embedded in the setup.py script run by package managers such as pip. The third is all legitimate code is gone, replaced by obfuscated malware. The best mitigation is to check your Python package BEFORE you install it, checking carefully when updated packages are downloaded to make sure they are not bringing "gifts" you're going to regret later.

Lee Neely

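A pre-install review of the kind the note above recommends can be partly automated. The script below is an added example (not ESET's or SANS's code) that inspects setup.py and __init__.py in an unpacked sdist for the two indicators the techniques leave behind: shell/PowerShell strings and process-spawning calls in setup.py, and exec/decode calls with oversized string literals in __init__.py. The indicator lists and the sample package are constructed for illustration and are not exhaustive.

```python
import ast
import tempfile
from pathlib import Path

# Indicators for the setup.py / __init__.py techniques described above (constructed, not exhaustive).
SUSPECT_CALLS = {"exec", "eval", "compile", "base64.b64decode", "b64decode", "os.system",
                 "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output"}
SHELL_WORDS = ("powershell", "-encodedcommand", "cmd.exe", "/bin/sh")
LONG_LITERAL = 500  # a string literal this long in package glue code deserves a look

def _call_name(fn):
    """'exec' for exec(...), 'subprocess.run' for subprocess.run(...), '' otherwise."""
    if isinstance(fn, ast.Name):
        return fn.id
    if isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name):
        return f"{fn.value.id}.{fn.attr}"
    return ""

def review_source(text):
    """Findings for one file: shell strings, risky calls, oversized (packed) literals."""
    findings = [f"shell indicator {w!r}" for w in SHELL_WORDS if w in text.lower()]
    try:
        tree = ast.parse(text)
    except SyntaxError:
        return findings + ["does not parse as Python"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node.func) in SUSPECT_CALLS:
            findings.append(f"line {node.lineno}: call to {_call_name(node.func)}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) >= LONG_LITERAL:
            findings.append(f"line {node.lineno}: {len(node.value)}-char string literal")
    return findings

def review_package(root):
    """Map each setup.py / __init__.py under root (an unpacked sdist) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        if path.name in ("setup.py", "__init__.py"):
            report[path.relative_to(root).as_posix()] = review_source(path.read_text(errors="replace"))
    return report

def demo():
    """Constructed sample sdist (not a real package): both glue files carry an indicator."""
    files = {"setup.py": 'import subprocess\nsubprocess.run(["powershell", "-NoProfile"])\n',
             "pkg/__init__.py": 'import base64\nexec(base64.b64decode("' + "QUFB" * 200 + '"))\n'}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(exist_ok=True)
            target.write_text(body)
        return review_package(root)
```

Run review_package() on the directory produced by `pip download --no-binary :all:` plus an unpack step; an empty report is not a clean bill of health, only the absence of these particular indicators.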
Internet Storm Center Tech Corner

T-shooting Terraform for DShield Honeypot in Azure

https://isc.sans.edu/diary/Tshooting+Terraform+for+DShield+Honeypot+in+Azure+Guest+Diary/30484

Malicious Python Script with a TCL/TK GUI

https://isc.sans.edu/diary/Malicious+Python+Script+with+a+TCLTK+GUI/30478

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+December+2023/30480

Ubiquiti UniFi Cameras Visible in Wrong Account

https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7

Zoom Vulnerabilities and VISS

https://viss.zoom.com/specifications

https://www.zoom.com/en/trust/security-bulletin/

Squid Denial of Service Vulnerability

https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3

Adobe Updates

https://helpx.adobe.com/security/security-bulletin.html

TeamCity Exploited

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

Sophos Firewall Exploit for EOL Devices CVE-2022-3236

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce

Microsoft Warns of Malicious OAuth Applications

https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/

Apache Struts2 Exploit CVE-2023-50164

https://xz.aliyun.com/t/13172