SANS NewsBites

ALPHV/BlackCat Fights Takedown; CitrixBleed Causes Large Xfinity Breach; QakBot Resurrected

December 22, 2023  |  Volume XXV - Issue #99

Top of the News


2023-12-20

ALPHV-BlackCat Takedown

Earlier this week, the US Department of Justice (DoJ) announced that it had seized the ALPHV-BlackCat leak site and had developed a decryption tool for the ALPHV-BlackCat ransomware. The FBI has offered the tool to more than 500 organizations affected by the ransomware. The threat actors have since set up a new leak site.

Editor's Note

This is good news to end the year on. While the criminals claim to have set up an alternative website already, the impact this operation will have should not be underestimated. Firstly, any servers seized will be forensically examined by law enforcement, which in turn should lead to other operations and possible arrests. Secondly, by taking this action law enforcement is sending a clear message to all criminals that they are not untouchable and that law enforcement will come after them. Finally, the disruption and distrust that operations like this have on criminal gangs can be quite effective in undermining their activities. So well done to all involved in this operation.

Brian Honan

The Justice Department is ending the year on a high note with the ALPHV-BlackCat takedown. To date, law enforcement has been effective in infrastructure takedowns, international arrests, and recovery of ransomware payouts. Unfortunately, ransomware gangs have also been equally successful in compromising systems and obtaining payouts. Most expect a continuation of ransomware events in 2024, as we haven’t forced criminal gangs to work harder to knock over systems.

Curtis Dukes

Don't count the ALPHV gang out. Their site was seized, unseized and re-seized, during which the gang posted that they are relaxing all their rules except one - don't attack the Commonwealth of Independent States (CIS) - everything else, from hospitals to nuclear power plants, is fair game, as well as offering as much as 90% commissions to affiliates. The good news is the FBI has the decryption key for BlackCat ransomware; the bad news is that won't help with any exfiltrated data being held for ransom.

Lee Neely

2023-12-20

Xfinity Customer Data Taken in Citrix Bleed Attack

Comcast says that personal information belonging to nearly 36 million Xfinity customers was compromised in a mid-October data security breach. The attackers exploited a known vulnerability in Citrix NetScaler ADC and NetScaler Gateway, CVE-2023-4966, dubbed Citrix Bleed: a buffer over-read that lets an unauthenticated attacker read memory from the appliance, including valid session tokens that can be replayed to hijack authenticated sessions without passing MFA. Citrix released patches for the issue on October 10; Comcast says the unauthorized access took place between October 16 and 19, six to nine days later. Patching alone does not invalidate tokens stolen before the fix was applied, which is why Citrix's guidance also called for terminating all active sessions after upgrading.
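As an added example, not from the SANS page, Comcast or Citrix: a small check an on-call engineer can run against the `show version` banner of a NetScaler to decide whether the build is still exposed to CVE-2023-4966, and a reminder that a fixed build does nothing about sessions hijacked before the upgrade. The fixed builds are the ones listed in Citrix's advisory; the banner strings, the `variant` argument (FIPS/NDcPP builds cannot be told apart from the banner alone) and the action list are this example's own assumptions.

```javascript
'use strict';

// First fixed build per release train for CVE-2023-4966, keyed "<train>[-<variant>]".
// 12.1 without the FIPS/NDcPP variant is end of life and has no fixed build.
const FIXED_BUILDS = {
  '14.1':       [8, 50],
  '13.1':       [49, 15],
  '13.0':       [92, 19],
  '13.1-FIPS':  [37, 164],
  '12.1-FIPS':  [55, 300],
  '12.1-NDcPP': [55, 300],
};

// Parse the banner `show version` prints, e.g.
// "NetScaler NS13.1: Build 48.47.nc, Date: Jul 21 2023, 14:47:37   (64-bit)".
// The variant is not part of the banner, so the caller supplies it (assumption).
function parseNetScalerVersion(banner, variant = '') {
  const m = /NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)/.exec(banner);
  if (!m) throw new Error(`unrecognised NetScaler version banner: ${banner}`);
  return { train: m[1], build: [Number(m[2]), Number(m[3])], variant };
}

// Compare [major, minor] build numbers numerically, not as strings (49.15 > 49.9).
function compareBuild(a, b) {
  return a[0] !== b[0] ? a[0] - b[0] : a[1] - b[1];
}

// Returns { fixed, reason }. "fixed" is false for trains with no patch at all.
function isCitrixBleedFixed({ train, build, variant }) {
  const key = variant ? `${train}-${variant}` : train;
  const fixedAt = FIXED_BUILDS[key];
  if (!fixedAt) {
    return { fixed: false, reason: `${key}: no fixed build (end of life or unknown train), move to a supported train` };
  }
  const fixed = compareBuild(build, fixedAt) >= 0;
  return {
    fixed,
    reason: fixed
      ? `${key} build ${build.join('.')} is at or above first fixed build ${fixedAt.join('.')}`
      : `${key} build ${build.join('.')} is below first fixed build ${fixedAt.join('.')}`,
  };
}

// Exposure assessment for one gateway. Session tokens leaked before the patch stay
// valid until the appliance is told to drop them, so the session kill is always listed.
function assessGateway(banner, variant = '') {
  const version = parseNetScalerVersion(banner, variant);
  const status = isCitrixBleedFixed(version);
  const actions = [];
  if (!status.fixed) actions.push('upgrade to a fixed build');
  actions.push('after upgrading, terminate all sessions: kill icaconnection -all; kill aaa session -all; clear lb persistentSessions');
  actions.push('review logs for requests to /oauth/idp/.well-known/openid-configuration from unexpected sources');
  return { ...version, ...status, actions };
}

// Stand-alone run over constructed banners.
for (const [banner, variant] of [
  ['NetScaler NS13.1: Build 48.47.nc, Date: Jul 21 2023, 14:47:37   (64-bit)', ''],
  ['NetScaler NS13.1: Build 49.15.nc, Date: Oct 9 2023, 11:02:31   (64-bit)', ''],
  ['NetScaler NS12.1: Build 65.39.nc, Date: Sep 1 2023, 09:00:00   (64-bit)', ''],
]) {
  const r = assessGateway(banner, variant);
  console.log(`${r.train} ${r.build.join('.')}: ${r.fixed ? 'fixed' : 'EXPOSED'} (${r.reason})`);
}
```

The `openid-configuration` endpoint in the last action is the path the public exploit targets with an oversized Host header; the ISC diary linked at the end of this issue covers scans for it.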

Editor's Note

If you are on duty over the holidays and have some extra time, ask how people access your network remotely, and take a closer look at choke points like VPN gateways, RDP gateways, and similar tools. Are they up to date? Are they properly configured? Are the logs collected and reviewed? Too many incidents start with remote access tools.

Johannes Ullrich

This points to a needed raising of the bar to reduce time to patch for high CVSS score vulnerabilities. For many enterprises, patching network appliances within a week may seem fast, but for high leverage targets (like ISPs and cloud service providers) it is way too slow for real world attacks today. Those same attacks will inevitably be used against individual companies and agencies – use this attack to pull the “Stop – we have to patch right now” cord.

John Pescatore

Two things here. First, take a look at how rapidly you're applying critical patches like this. Yeah, regression testing, but the reality is threat actors are on these issues so quickly. Make sure that you're also leveraging every trick in the book, from MFA to ZTA, to make sure that access to management and end user services is only granted to devices and users in a sufficiently robust and recognized state. Second, if you are, or ever were, an Xfinity (Comcast) customer, assume your data is in scope. Data exfiltrated included names, contact information, DOB, answers to security questions, usernames and hashed passwords. So, both those passwords and security questions are dead to you.

Lee Neely

A good case study on the importance of timely patching. It appears that Xfinity took 13 days to patch for the critical vulnerability. Another aspect for the case study is just how proactive network operations teams should be in looking for signs of exploitation once announced. By some accounts, 13 days may be reasonable. By most, with daily reporting that the vulnerability is being actively exploited, it doesn’t reach the standard for duty of care in managing their enterprise.

Curtis Dukes

2023-12-19

QakBot is Back

Four months after the QakBot botnet was disrupted, the QakBot malware is once again being distributed via a phishing campaign. In August, the FBI, along with law enforcement agencies from six other countries, took down the QakBot infrastructure and pushed a Windows DLL uninstaller module to infected machines, which disabled the malware. The new QakBot campaign appears to have begun in late November.

Editor's Note

QakBot, taken down with Operation Duck Hunt, leverages phishing emails claiming to be from the IRS, targeting the hospitality industry, which contain a non-viewable PDF which can be "remedied" by clicking a link to install an updated viewer. Rather than focus on this resurgence and eventual die-off of QakBot, continue to focus on phishing protections to reduce the likelihood and efficacy of the behavior they are trying to trigger.

Lee Neely

2023-12-22

Holiday Hack Challenge 2023

Ho, ho, ho! Santa needs your help! Join his team of digital defenders in the Geese Islands to safeguard the holidays from cyber-attacks using AI. Register, create your avatar, and head on in to start Holiday Hack Challenge 2023. The game is open until January!

https://www.sans.org/mlp/holiday-hack-challenge-2023/

The Rest of the Week's News


2023-12-19

Qualys Threat Research Unit 2023 Threat Landscape Year in Review

In a 2023 Threat Landscape Year in Review blog post, Saeed Abbasi, Product Manager for the Qualys Threat Research Unit, writes about the year’s vulnerability threat landscape, top vulnerability types, top MITRE ATT&CK tactics and techniques, and other topics. Of note: there were nearly 100 high-risk, likely-to-be-exploited vulnerabilities that were not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog; and 25 percent of high-risk CVEs were exploited the same day the vulnerability was disclosed.
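An added example, not from the SANS page or from Qualys, of the triage step the "not in KEV" finding argues for: cross-reference scanner findings against the KEV catalog and a second exploitability signal, so that high-risk flaws absent from KEV still get scheduled. The record fields match CISA's published `known_exploited_vulnerabilities.json`, but the KEV excerpt, EPSS-style scores, hosts, CVSS values and dates below are constructed for the example; the excerpt is deliberately incomplete, and a CVE missing from it says nothing about the real catalog.

```javascript
'use strict';

// Constructed excerpt in the shape of CISA's KEV JSON feed (field names are real,
// the subset and dates are illustrative).
const KEV_SAMPLE = {
  vulnerabilities: [
    { cveID: 'CVE-2023-4966', vendorProject: 'Citrix', product: 'NetScaler ADC and Gateway',
      dateAdded: '2023-10-18', dueDate: '2023-11-08', knownRansomwareCampaignUse: 'Known' },
    { cveID: 'CVE-2017-11882', vendorProject: 'Microsoft', product: 'Office',
      dateAdded: '2021-11-03', dueDate: '2022-05-03', knownRansomwareCampaignUse: 'Known' },
  ],
};

// Constructed second signal: an EPSS-style probability of exploitation within 30 days.
// Real values come from FIRST's EPSS API; these numbers are made up for the example.
const EPSS_SAMPLE = {
  'CVE-2023-4966': 0.96,
  'CVE-2023-22518': 0.93,
  'CVE-2023-5594': 0.01,
};

// Constructed vulnerability-scanner output: host, CVE, CVSS base score.
const FINDINGS = [
  { host: 'gw1.example.net', cve: 'CVE-2023-4966', cvss: 9.4 },
  { host: 'wiki.example.net', cve: 'CVE-2023-22518', cvss: 9.8 },
  { host: 'pc-042.example.net', cve: 'CVE-2017-11882', cvss: 7.8 },
  { host: 'pc-042.example.net', cve: 'CVE-2023-5594', cvss: 7.5 },
];

function buildKevIndex(kev) {
  const index = new Map();
  for (const v of kev.vulnerabilities) index.set(v.cveID, v);
  return index;
}

// Thresholds are this example's own choice, not a CISA or Qualys recommendation.
const EPSS_HIGH = 0.5;
const CVSS_HIGH = 7.0;

// Tier 0: in KEV and past the federal due date. Tier 1: in KEV. Tier 2: not in KEV
// but high EPSS and high CVSS (the gap the Qualys post points at). Tier 3: routine.
// `today` is an ISO date string, so string comparison orders dates correctly.
function prioritise(findings, kev, epss, today,
                    { epssHigh = EPSS_HIGH, cvssHigh = CVSS_HIGH } = {}) {
  const kevIndex = buildKevIndex(kev);
  const rows = findings.map((f) => {
    const entry = kevIndex.get(f.cve);
    const score = epss[f.cve] ?? 0;
    let tier, why;
    if (entry && entry.dueDate < today) {
      tier = 0; why = `KEV, federal due date ${entry.dueDate} already passed`;
    } else if (entry) {
      tier = 1; why = `KEV, due ${entry.dueDate}`;
    } else if (score >= epssHigh && f.cvss >= cvssHigh) {
      tier = 2; why = `not in KEV but EPSS ${score} and CVSS ${f.cvss}`;
    } else {
      tier = 3; why = `routine (EPSS ${score}, CVSS ${f.cvss})`;
    }
    return { ...f, tier, why, ransomware: entry?.knownRansomwareCampaignUse === 'Known' };
  });
  return rows.sort((a, b) => a.tier - b.tier || b.cvss - a.cvss);
}

// Stand-alone run.
for (const r of prioritise(FINDINGS, KEV_SAMPLE, EPSS_SAMPLE, '2023-12-22')) {
  console.log(`tier ${r.tier}  ${r.host.padEnd(20)} ${r.cve.padEnd(16)} ${r.why}`);
}
```

Tier 2 is the bucket that a KEV-only process never sees; with real feeds, the same function takes the full KEV JSON and the EPSS scores for your CVE list.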

Editor's Note

It generally takes an adversary 36-48 hours to develop exploit code from a vendor's patch announcement. The data from Qualys suggests that the time to exploit has reduced to as low as 24 hours. That’s eye popping as it forces the defender to run a highly efficient patch management process. Bottom line, more work needs to be done to automate patch management.

Curtis Dukes

What struck me in this post is that “25 percent of high-risk CVEs are exploited the same day the vulnerability was disclosed,” which reinforces that your vulnerability management program should not rely solely on the use of patching. You should look at other mitigations you can put in place to prevent known vulnerabilities being exploited while you wait for a patch to be released, or to get it scheduled into your patch management program.

Brian Honan

2023-12-21

Old Flaw is Being Exploited to Spread Agent Tesla Malware

Researchers from Zscaler ThreatLabz have detected a malware campaign that exploits a six-year-old vulnerability to spread Agent Tesla malware. The flaw, CVE-2017-11882, is a memory corruption issue in the Microsoft Office Equation Editor (EQNEDT32.EXE) that can be exploited to execute arbitrary code when a crafted document is opened; Microsoft patched it in November 2017. The threat actors send malicious attachments that purport to be orders, invoices, or other business-related documents.

Editor's Note

I’ve overused the “Would you eat a sandwich made with 6 year old mayonnaise?” analogy too often, so how about this: make a deal with your CIO and CFO to have an escrow fund for the cost of updating and patching any Microsoft software that you are using past end of life, and when the inevitable incident occurs see how much money was really saved. New analogy: you can save money each year by not changing the oil in your car, too.

John Pescatore

This is a six-year-old Office vulnerability. Don't accept the argument that an old version is used because "nobody" will pay for an updated copy for the user. The cost of keeping those licenses updated is far less than remediation of the infection. Make sure you've enabled the auto update capabilities in Office, including time limits on voluntary application update/restart.

Lee Neely

2023-12-19

No More Perpetual VMware Licenses After Broadcom Acquisition

Following Broadcom’s acquisition of VMware, perpetual licenses will no longer be an option for VMware customers. Instead, the company is moving to a subscription licensing model. Customers who currently hold perpetual licenses will be permitted to keep those, but they will no longer receive software updates and support.

Editor's Note

It is sad to see VMware die. The move to subscriptions isn't such a big deal, and many competitors like Proxmox are already using the subscription model. But the reduction in staff at the same time sends a clear message that VMware will no longer offer regular feature updates to keep your business, but follow the ransomware model of extorting subscription fees from you as it is too expensive and painful to switch to a different product.

Johannes Ullrich

VMware is moving to a pure subscription model, which they hinted at in May when the merger was announced by Broadcom, in hopes of doubling EBITDA (earnings before interest, taxes, depreciation and amortization) in three years. The option to renew support contracts for perpetually licensed products ended with the announcement. If you want support and updates beyond that, you're going to have to move to a subscription.

Lee Neely

2023-12-21

Mozilla Will Implement Trusted Types in Firefox

Mozilla has changed its position on Trusted Types, saying that they will implement the security feature in Firefox at some point in the future. Trusted Types helps reduce DOM-based cross-site scripting (DOM XSS) by requiring that values assigned to dangerous DOM sinks such as innerHTML pass through a policy object the site declares, instead of being plain strings; enforcement is switched on per site with the Content Security Policy directive require-trusted-types-for 'script'. Some of the other major browsers have already adopted the feature; Chrome and Edge added Trusted Types in May 2020, and Opera added it in June 2020.
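An added example, not from the SANS page or from Mozilla, of what a site ships to use Trusted Types: the CSP value that turns enforcement on, one policy whose `createHTML` sanitises input, and the vulnerable versus hardened way of writing to `innerHTML`. The CSP directive names are the real ones; the policy name `app-html`, the escaping sanitiser, the constructed payload and the Node shim that stands in for the browser's `trustedTypes` object are this example's assumptions.

```javascript
'use strict';

// Header the server sends. The first directive makes innerHTML, outerHTML,
// document.write, eval and similar sinks reject plain strings; the second lists
// which policy names the page is allowed to create.
const CSP_HEADER =
  "Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html";

// In a browser, globalThis.trustedTypes is the platform API. The shim below is an
// assumption that lets the same code run under Node; it mirrors createPolicy/isHTML.
class TrustedHTMLShim {
  constructor(v) { this.v = v; }
  toString() { return this.v; }
}
const tt = globalThis.trustedTypes ?? {
  createPolicy: (name, rules) => ({
    name,
    createHTML: (input) => new TrustedHTMLShim(rules.createHTML(String(input))),
  }),
  isHTML: (v) => v instanceof TrustedHTMLShim,
};

// The only route from untrusted text to markup. Escaping is enough to show the
// mechanism; an application that must allow some markup would call DOMPurify here.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Created once at startup. The name must appear in the CSP trusted-types list,
// otherwise the browser throws at createPolicy time.
const appHtml = tt.createPolicy('app-html', { createHTML: escapeHtml });

// What the browser does at the sink once require-trusted-types-for 'script' is
// active: only TrustedHTML gets through. Reproduced here so the Node run behaves
// the same way; in a browser the platform performs this check itself.
function setInnerHTML(element, value) {
  if (!tt.isHTML(value)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = value;
  return String(element.innerHTML);
}

// Constructed attacker input of the kind a page reads from location.hash.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: untrusted string straight into the sink. With Trusted Types
// enforced this throws instead of creating the <img> element.
function renderUnsafe(element, input) {
  return setInnerHTML(element, input);
}

// Hardened pattern: the sink only ever sees policy output.
function renderSafe(element, input) {
  return setInnerHTML(element, appHtml.createHTML(input));
}

// Stand-alone run against a stand-in element object.
const demoElement = { innerHTML: '' };
try {
  renderUnsafe(demoElement, PAYLOAD);
} catch (e) {
  console.log(`blocked: ${e.message}`);
}
console.log(`rendered: ${renderSafe(demoElement, PAYLOAD)}`);
```

The practical win is in code review: with enforcement on, every DOM sink in the application has to go through a policy, so the sanitisation points are few, named and auditable instead of scattered across every `innerHTML` assignment.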

Editor's Note

Nice move by Mozilla to support trusted types. However, given the small market share of Firefox, it doesn't really matter until Safari joins the "Trusted Type Club."

Johannes Ullrich

Every step in the right direction is, if nothing else, one more step away from the wrong direction.

John Pescatore

Trusted Types is an optional mechanism for web sites to protect against cross-site scripting attacks, enabling a content security policy and filtering mechanism. In the three years since its introduction, DOM-XSS attacks have become less common. Trusted Types doesn't eliminate the capability for XSS, but it reduces it, and developers should be working to incorporate it into their applications.

Lee Neely

Welcome Firefox to the “trusted types” community. Perhaps Firefox’s announcement will spur Apple Safari to action as they maintain about 20% of the browser market.

Curtis Dukes

2023-12-22

ESO Solutions Breach Affects Data of Nearly 2.7 Million Patients

Personal and medical information belonging to 2.7 million people was compromised in a ransomware attack against Texas-based ESO Solutions. ESO provides software products for hospitals, emergency medical services, and fire departments. The breach occurred in late September; the threat actors exfiltrated the data before encrypting ESO’s systems.

Editor's Note

Are you set for a third-party breach? Make sure the lines of communication are open, that your contacts are current and that you're on the same page, not only for any regulator-required reporting, but also on how you want your customers notified, made whole, etc. This is as important as the work you've done assuring they are properly protecting your information.

Lee Neely

It’s been a tough year for healthcare providers and their suppliers dealing with ransomware incidents. Add ESO to the list. While they were able to recover from backups, it appears from the company statement that they paid the ransom demand as well. From a defender’s perspective, knowing what security controls were in place, or not, would be helpful going forward.

Curtis Dukes

2023-12-21

ESET Releases Patches to Fix Improper Server Certificate Chain Validation Vulnerability

ESET has released fixes for some of their products to address a vulnerability (CVE-2023-5594) in the SSL/TLS protocol scanning feature, which was due to improper validation of the server certificate chain. Because the feature intercepts TLS and re-signs sites for the browser, the product's own chain validation is all that stands between the user and a bad certificate. In their advisory, ESET writes that the flaw “would cause a browser to trust a site with a certificate signed with an obsolete algorithm that should not be trusted.”
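An added example, not from the SANS page or ESET's code, of the check the advisory describes as missing: read the signatureAlgorithm OID out of each DER certificate in the server's chain and refuse the chain if a leaf or intermediate is signed with an obsolete algorithm. The DER walker and OID decoder are minimal but real; the "certificates" the stand-alone run feeds them are constructed stubs with a valid outer structure and a real AlgorithmIdentifier only, not genuine X.509 objects.

```javascript
'use strict';

// Signature algorithms a scanner must refuse on a leaf or intermediate.
const OBSOLETE = {
  '1.2.840.113549.1.1.2': 'md2WithRSAEncryption',
  '1.2.840.113549.1.1.4': 'md5WithRSAEncryption',
  '1.2.840.113549.1.1.5': 'sha1WithRSAEncryption',
  '1.2.840.10045.4.1': 'ecdsa-with-SHA1',
  '1.2.840.10040.4.3': 'dsa-with-sha1',
};
// Current algorithms; anything outside both tables is treated as unknown and rejected.
const ACCEPTED = {
  '1.2.840.113549.1.1.11': 'sha256WithRSAEncryption',
  '1.2.840.113549.1.1.12': 'sha384WithRSAEncryption',
  '1.2.840.113549.1.1.13': 'sha512WithRSAEncryption',
  '1.2.840.113549.1.1.10': 'rsassa-pss',
  '1.2.840.10045.4.3.2': 'ecdsa-with-SHA256',
  '1.2.840.10045.4.3.3': 'ecdsa-with-SHA384',
  '1.2.840.10045.4.3.4': 'ecdsa-with-SHA512',
  '1.3.101.112': 'ed25519',
};

// Read one DER TLV at `pos`: tag, value bounds, and where the next TLV begins.
function readTlv(buf, pos) {
  const tag = buf[pos];
  let len = buf[pos + 1];
  pos += 2;
  if (len & 0x80) {                       // long form: next (len & 0x7f) bytes are the length
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos + i];
    pos += n;
  }
  return { tag, start: pos, end: pos + len, next: pos + len };
}

// Decode OID content bytes to dotted form (first byte packs the first two arcs,
// the rest are base-128 with a continuation bit).
function decodeOid(bytes) {
  const arcs = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let v = 0;
  for (let i = 1; i < bytes.length; i++) {
    v = v * 128 + (bytes[i] & 0x7f);
    if (!(bytes[i] & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join('.');
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
// The outer signatureAlgorithm is the one the issuer actually used.
function signatureAlgorithmOid(der) {
  const cert = readTlv(der, 0);
  if (cert.tag !== 0x30) throw new Error('not a DER SEQUENCE');
  const tbs = readTlv(der, cert.start);
  const alg = readTlv(der, tbs.next);
  if (alg.tag !== 0x30) throw new Error('missing AlgorithmIdentifier');
  const oid = readTlv(der, alg.start);
  if (oid.tag !== 0x06) throw new Error('AlgorithmIdentifier does not start with an OID');
  return decodeOid(der.subarray(oid.start, oid.end));
}

// `chain` is leaf first, root last (TLS order). Clients do not verify a trust
// anchor's self-signature, so an obsolete algorithm on the root is reported but
// does not fail the chain; on any other certificate it does.
function checkChain(chain) {
  const findings = [];
  let ok = true;
  chain.forEach((der, i) => {
    const oid = signatureAlgorithmOid(der);
    const isRoot = i === chain.length - 1;
    if (OBSOLETE[oid]) {
      findings.push(`cert[${i}]${isRoot ? ' (root)' : ''}: obsolete ${OBSOLETE[oid]}`);
      if (!isRoot) ok = false;
    } else if (ACCEPTED[oid]) {
      findings.push(`cert[${i}]: ${ACCEPTED[oid]}`);
    } else {
      findings.push(`cert[${i}]: unknown signature algorithm ${oid}`);
      ok = false;
    }
  });
  return { ok, findings };
}

// Constructed test material: a DER shell with a stub tbsCertificate and signature.
function tlv(tag, body) {
  if (body.length > 127) throw new Error('short-form length only');
  return Uint8Array.from([tag, body.length, ...body]);
}
function stubCertDer(oidHex) {
  const oid = oidHex.match(/../g).map((h) => parseInt(h, 16));
  const tbs = tlv(0x30, tlv(0x02, [0x02]));                 // SEQUENCE { INTEGER 2 }
  const alg = tlv(0x30, [...tlv(0x06, oid), 0x05, 0x00]);   // { OID, NULL }
  const sig = tlv(0x03, [0x00, 0xab]);                      // BIT STRING stub
  return tlv(0x30, [...tbs, ...alg, ...sig]);
}
const OID_SHA256_RSA = '2a864886f70d01010b';
const OID_SHA1_RSA = '2a864886f70d010105';

console.log(checkChain([stubCertDer(OID_SHA1_RSA), stubCertDer(OID_SHA256_RSA)]));
```

A production implementation would also verify the signatures, names, validity periods and revocation, but the point of the advisory is that even this cheap algorithm check was not being applied.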

Editor's Note

Certificate trust, in practice, can be mind-bending, even so we are increasingly using certificates/PKI for assurance and validation, so it becomes necessary to keep an eye on certificate related vulnerabilities and their fixes. CVE-2023-5594 has a base CVSS score of 7.5, and ESET has released a fixed version of Internet protection module 1464 which is being distributed via automatic updates to affected products.

Lee Neely

Bruce Schneier taught us that cryptography is harder than it looks. Brian Snow taught us that systems and implementations are at least as important as codes and ciphers.

William Hugh Murray

2023-12-21

Ivanti Updates Avalanche to v.6.4.2 to Fix 22 Vulnerabilities

Ivanti has fixed 22 vulnerabilities in their Avalanche mobile device management product. More than half of the vulnerabilities are rated critical. The flaws affect all supported versions of Avalanche; users are urged to update to Avalanche 6.4.2.

Editor's Note

Ivanti Avalanche (formerly MobileIron) isn't aware of active exploitation for these flaws, albeit 12 of the CVEs have a CVSS score of 9.8 and can be leveraged for remote code execution. Given the prevalence of attacks on mobile devices, keeping your MDM updated has to be considered as important as keeping your boundary control systems current.

Lee Neely

2023-12-21

NIST Releases Draft Post-Quantum Cryptography Readiness Guides

The US National Institute of Standards and Technology (NIST) has published two additional draft post-quantum cryptography migration readiness guides for public comment: Volume B: Approach, Architecture, and Security Characteristics of Public Key Application Discovery Tools; and Volume C: Quantum-Resistant Cryptography Technology Interoperability and Performance Report. Volume A, an executive summary, was published earlier this year. NIST is accepting comments on Volumes B and C through February 20, 2024.

Editor's Note

There is a lot of talk about PQC. These guides should help you get your arms around what to expect, and understand how you could test it. Moving to PQC is going to be more of a how rather than an if statement. You should also be in conversations with your suppliers about what they are planning and how you can test their new options in your non-production environments.

Lee Neely

Cloudflare reported in their 2023 year-end report that more than one percent of Internet traffic is already using TLS 1.3 with quantum resistant cryptography. One assumes that this application is for sensitive traffic with a long life, vulnerable to "store now decrypt later (SNDL)" attacks. However, it demonstrates that anyone can do it if and when needed. There will not be a Quantum Apocalypse.

William Hugh Murray

2023-12-21

Yet Another Chrome Zero-day

On Wednesday, December 20, Google updated Chrome to address another zero-day vulnerability – the eighth one this year. The high-severity heap buffer overflow in WebRTC (CVE-2023-7024) has been addressed in Chrome 120.0.6099.129 for Mac and Linux, and in 120.0.6099.129/130 for Windows. An exploit for the vulnerability has been observed in the wild.

Editor's Note

Many Chrome zero-days end up being described as “sandbox escapes,” which means either the sandbox was made of straw vs. brick, or the walls were high enough to contain only varmints that can’t hop very high. I’d like to hear Google talk about “next generation sandboxing” soon.

John Pescatore

This wasn't the sort of holiday present I was hoping for. The challenge here will be getting the update deployed as so many folks are out. If you've already configured auto updates for Chrome, you're good to go. Otherwise, expect to check when folks (and systems) are back online after the holidays. If you elect to close browsers and patch, make sure you send a message to users that it was intentional rather than a crash/etc. Nothing like unlocking your screen after being gone and finding it all different.

Lee Neely

Looking at the stats, the trend is positive – 15 zero-day exploits in 2021, 9 in 2022, and 8 in 2023. Unfortunately, with their ginormous install base, they will be a frequent target for vulnerability researchers. Thankfully, Google has made the update process easy and straight-forward – simply close and reopen the browser.

Curtis Dukes

Internet Storm Center Tech Corner

Securing Web Servers

https://isc.sans.edu/diary/How+to+Protect+your+Webserver+from+Directory+Enumeration+Attack+Apache2+Guest+Diary/30504

Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518)

https://isc.sans.edu/diary/Increase+in+Exploit+Attempts+for+Atlassian+Confluence+Server+CVE202322518/30502

What are they looking for? Scans for OpenID Connect Configuration

https://isc.sans.edu/diary/What+are+they+looking+for+Scans+for+OpenID+Connect+Configuration+Update+CitrixBleed/30498

Chrome 0-Day (last one for the year?)

https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html

SANS Cloud Defender 2024

https://www.sans.org/cyber-security-training-events/cloud-defender-2024-live-online/

Terrapin Attack Against SSH (PDF)

https://terrapin-attack.com/TerrapinAttack.pdf

ALPHV/Blackcat Ransomware Disrupted and Decryptor Available

https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant

Fake F5 BigIP Update

https://www.bleepingcomputer.com/news/security/fake-f5-big-ip-zero-day-warning-emails-push-data-wipers/

Google OAUTH Problems

https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/

Remembering Adrien de Beaupre

https://www.hpmcgarry.ca/memorials/ernest-adrien-de-beaupre/5344136/index.php