In a joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI, and cybersecurity agencies in Canada, the UK, Australia, and New Zealand warn that state-sponsored threat actors from the People’s Republic of China maintained a presence in US critical infrastructure systems for five years before being detected. The group, known as Volt Typhoon, is known to use living-off-the-land techniques to maintain persistent access to targeted systems. The agencies have also jointly issued a publication titled “Identifying and Mitigating Living Off the Land Techniques.”
The attack "only" affected critical infrastructure systems. But at the same time, the techniques used will likely be used by other actors as well. Read the reports, considering how you would prevent or detect these attacks against your systems.
I would give this a good read. This group is a bit more than opportunistic. It shows how they can leverage bugs in the VPN provider kit to get in and persist. I believe this group also targeted the same residential systems we all use. The fact that these threat actor groups are working this way is not by chance; the data is valuable to them.
Make sure your team realizes that living-off-the-land techniques are not hypothetical or classroom exercises; they are in fact actively used. The mitigations should be basic cyber hygiene: apply patches for Internet-facing systems and services, deploy phishing-resistant MFA, ensure logging is turned on for both application and OS activities, and make sure you're storing the logs in a central logging system. Make sure you're equipping your team with current tools to help automate these processes wherever possible.
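The comment above ties living-off-the-land detection to central logging of OS activity. As an added example (not code from the page, the advisory, or SANS), the Python below runs a small triage pass over process-creation events of the kind a SIEM would hold (Windows Security 4688 or Sysmon Event ID 1 forwarded centrally). The event records, the field names, the tool list, and the command-line patterns are all constructed assumptions for illustration; the patterns are starting points to tune, not a complete rule set, and hits from known administrator accounts are kept but marked because these tools are also used legitimately.

```python
"""Flag living-off-the-land (LOTL) activity in centrally collected process-creation events.

Added example, not code from the advisory or the original page. The events below are
constructed for illustration (fields: ts, host, user, parent, image, cmdline); in practice
they would come from Windows Security 4688 / Sysmon Event ID 1 records forwarded to a SIEM.
The rule set is illustrative and needs tuning to the environment.
"""
import re
from collections import defaultdict

# One pattern per native tool: a command-line shape that is rare in routine administration
# but common in hands-on-keyboard LOTL activity. Constructed, illustrative rule set.
RULES = {
    "ntdsutil.exe": re.compile(r"\bntds\b|\bifm\b", re.I),                 # AD database export
    "wmic.exe": re.compile(r"process\s+call\s+create|/node:", re.I),        # remote process launch
    "netsh.exe": re.compile(r"portproxy", re.I),                            # port forwarding / pivot
    "reg.exe": re.compile(r"\bsave\b.*\\(sam|system|security)\b", re.I),    # registry hive export
    "powershell.exe": re.compile(r"-e(nc|ncodedcommand)?\b|downloadstring", re.I),
    "certutil.exe": re.compile(r"-urlcache|-decode", re.I),                 # download / decode
}


def image_name(path):
    """Basename of a Windows or POSIX image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Return the list of tools (rule keys) whose pattern matches this event's command line."""
    name = image_name(event["image"])
    rule = RULES.get(name)
    return [name] if rule and rule.search(event["cmdline"]) else []


def triage(events, known_admin_users=frozenset()):
    """Group rule hits by host. Hits from known admin accounts (lower-case names) are kept
    but marked, since LOTL tools are, by definition, also used legitimately."""
    findings = defaultdict(list)
    for ev in events:
        for tool in match_rules(ev):
            findings[ev["host"]].append({
                "ts": ev["ts"],
                "user": ev["user"],
                "parent": ev["parent"],
                "tool": tool,
                "expected_admin": ev["user"].lower() in known_admin_users,
            })
    return dict(findings)


def hosts_needing_review(findings, min_distinct_tools=2):
    """Hosts where non-admin accounts triggered several different LOTL rules."""
    flagged = []
    for host, hits in findings.items():
        tools = {h["tool"] for h in hits if not h["expected_admin"]}
        if len(tools) >= min_distinct_tools:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-02-06T03:12:44Z", "host": "ws-finance07", "user": "jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.20 connectport=3389"},
    {"ts": "2024-02-06T03:14:02Z", "host": "ws-finance07", "user": "jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\temp\sam.hiv"},
    {"ts": "2024-02-06T09:30:11Z", "host": "dc01", "user": "adm_backup", "parent": "backup-agent.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full D:\\backups\\ifm" q q'},
    {"ts": "2024-02-06T10:05:00Z", "host": "ws-hr02", "user": "asmith", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS, known_admin_users=frozenset({"adm_backup"}))
    for host in hosts_needing_review(found):
        print(host)
        for h in found[host]:
            print("  ", h["ts"], h["user"], h["tool"], "parent=" + h["parent"])
```

On the sample data, the workstation that chained a port-forwarding rule with a hive export is flagged; the domain controller's ntdsutil run by the backup account is recorded but not escalated, and the benign PowerShell script run matches nothing. Requiring several distinct tools per host is the design choice that keeps a single routine admin command from paging anyone; the threshold and the admin allowlist are where local tuning goes.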
CISA
CISA
Cyberscoop
Bleeping Computer
Fortinet is warning that state-sponsored threat actors are exploiting known vulnerabilities in FortiOS. One of the vulnerabilities, CVE-2022-42475, is a heap-based buffer overflow for which Fortinet issued a patch in December 2022. The second vulnerability (CVE-2023-27997) is also a heap-based buffer overflow for which Fortinet issued a patch in June 2023.
Keep your perimeter security devices up to date. Simultaneously, think about how you would detect a compromise of a perimeter security device. What kind of detective controls do you have in place to alert you of a misbehaving device?
The latest FortiOS can automatically update the system on a specified interval. To many FortiGate users, this may be a non-starter given the number of defects on the system at times. However, since most people are having a tough time keeping their systems even reasonably up to date, it may be a good option for those who don’t want to consider it. I know of one person who has a simple configuration on their FortiGate and has been running the automatic updates since the feature came out about six months ago. Suppose you find that people do not want to manage features and have the fewest options; this may be a reasonable choice. Another thing is that a writeup from the Dutch MOD describes how the implant works: you may want to read through it to see how FortiGate works under the hood.
Fortinet
Security Week
Bleeping Computer
NVD
NVD
On Thursday, February 8, Ivanti disclosed yet another vulnerability that affects certain versions of their Connect Secure and Policy Secure products. Ivanti has released updates to address the high-severity flaw, which can be exploited to “allow an attacker to access certain restricted resources without authentication.” This is the fifth Ivanti vulnerability to be disclosed so far this calendar year.
Title says it all. Have a plan to move on from Ivanti.
CVE-2024-22024 has a CVSS score of 8.3, and the fix is to apply the patch when released. If the patch hasn't been released for your version of Connect Secure and Policy Secure, Ivanti claims the mitigation from January 31 will address this. Due to the visibility of these services, and Ivanti's ongoing struggles, it'd be a good time to take a look at alternative solutions (as in having a fully fleshed out plan to switch) in the event management's risk tolerance is exhausted.
Your VPN devices, specifically SSL VPN devices, may have code and architecture developed 20 years ago. It is no coincidence that we see bugs.
Ivanti’s ‘vulnerability bell’ continues to be rung this year and we’re barely into February. If you’re using Ivanti products, be hyper vigilant in monitoring your network and be quick to respond to Ivanti vulnerability advisories.
JetBrains has released an update to address an authentication bypass vulnerability in TeamCity On-Premises. The flaw affects TeamCity On-Premises versions 2017.1 through 2023.11.2. The vulnerability is addressed in version 2023.11.3. It was discovered externally and reported to JetBrains on January 19.
If you're using the cloud version of TeamCity, you're covered. CVE-2024-23917, authentication bypass, has a CVSS score of 9.8. The patch is specific to this vulnerability; other issues need to be addressed by applying the needed updates separately. JetBrains advises making any unpatched Internet-accessible TeamCity servers inaccessible until mitigations can be applied.
TeamCity is a CI/CD tool. Patch your CI/CD.
Security Week
The Register
Dark Reading
JetBrains
NVD
Various Linux distributions are in the process of patching a high-severity out-of-bounds write vulnerability in shim, a piece of code that is used in the Linux Secure Boot process. The flaw can be exploited to install malware that executes at the firmware level.
Turns out most of our modern Linux systems are using UEFI (rather than BIOS) and Secure Boot is likely to be enabled. If you're using Secure Boot, whether workstation or server, you need to deploy the updated Shim. While Red Hat is getting the press on this update, it also applies to other Linux distros, including Debian, Ubuntu and SUSE. The risk here is the Shim is executing at the lowest levels of the boot process, so any malware introduced via the weakness has a significant attack surface which can be leveraged to manipulate the kernel or OS.
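The comment above says to deploy the updated shim wherever Secure Boot is in use. As an added example (not from the page or the shim project), the Python below reads the Secure Boot state and the installed shim package version on a host and compares the upstream version against 15.8, the release linked from this page. Assumptions, stated in the code too: the package is named shim-signed on Debian/Ubuntu and shim-x64 on the RHEL family, the upstream version is the last "N.N" pair in the package version string, and the version strings in the tests are constructed. The caveat a practitioner will want: distributions may backport the fix under an older version string, so a "below 15.8" result is a prompt to confirm against the distro advisory, not proof of exposure.

```python
"""Check whether this host runs Secure Boot with a shim at or above the fixed upstream release.

Added example, not from the original page or the shim project. Assumptions:
- 15.8 is the upstream release carrying the fix (the page links rhboot/shim release 15.8).
- Package names: 'shim-signed' (Debian/Ubuntu) and 'shim-x64' (RHEL family, x86_64).
- Distributions may backport the fix without bumping the upstream version, so treat a
  'below 15.8' verdict as a prompt to check the distro advisory, not as proof.
"""
import re
import shutil
import subprocess

FIXED_SHIM = (15, 8)


def parse_shim_version(version_text):
    """Upstream shim (major, minor) from a package version string, or None.

    Debian-style versions look like '1.40+15.7-1' (upstream after the '+'); RPM-style like
    '15.8-2.el9'. In both, the last 'N.N' digit pair is the upstream shim version.
    """
    pairs = re.findall(r"(\d+)\.(\d+)", version_text)
    if not pairs:
        return None
    major, minor = pairs[-1]
    return (int(major), int(minor))


def shim_is_fixed(version_text):
    """True when the parsed upstream version is at or above FIXED_SHIM."""
    version = parse_shim_version(version_text)
    return version is not None and version >= FIXED_SHIM


def secure_boot_enabled(mokutil_output):
    """'mokutil --sb-state' prints 'SecureBoot enabled' or 'SecureBoot disabled'."""
    return "SecureBoot enabled" in mokutil_output


def assess(mokutil_output, shim_version_text):
    """Return (action_needed, reason) for one host."""
    if shim_is_fixed(shim_version_text):
        return (False, "shim is at or above 15.8")
    if secure_boot_enabled(mokutil_output):
        return (True, "Secure Boot enabled with a shim below 15.8: update shim now")
    return (True, "shim below 15.8 and Secure Boot disabled: update shim and review why Secure Boot is off")


def _run(argv):
    """Run a command if the tool is present; return its stdout, or '' on absence / failure."""
    if shutil.which(argv[0]) is None:
        return ""
    try:
        return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    except subprocess.CalledProcessError:
        return ""


def collect_local():
    """Gather Secure Boot state and the installed shim package version on this host."""
    sb_state = _run(["mokutil", "--sb-state"])
    version = (_run(["dpkg-query", "-W", "-f=${Version}", "shim-signed"])
               or _run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "shim-x64"]))
    return sb_state, version


if __name__ == "__main__":
    sb_state, version = collect_local()
    if not version:
        print("shim package not found via dpkg-query or rpm; check manually")
    else:
        needed, reason = assess(sb_state, version)
        prefix = "ACTION NEEDED: " if needed else "OK: "
        print(prefix + reason + " (package version " + version.strip() + ")")
```

Run it on each Secure Boot host from configuration management and collect the one-line verdicts; a host that reports Secure Boot disabled still gets the update, since the comment's point about the shim running at the lowest level of the boot chain applies the moment Secure Boot is turned back on.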
SC Magazine
Ars Technica
Dark Reading
Infosecurity Magazine
GitHub
NVD
The US Energy Information Administration (EIA) now requires certain cryptocurrency mining operations to provide information about their electricity consumption. The requirement applies to “identified commercial cryptocurrency miners.” EIA estimates that cryptocurrency mining accounts for as much as 2.3 percent of US electricity consumption.
At core, this is about managing the capacity of the US power grid. This targets reporting from legitimate mining operations. The volume of crypto mining in the US has been steadily increasing over the last decade, but 2019 saw a big jump, and when China started cracking down on digital currency mining in 2021, much of this activity moved to the US. The resource-intensive activity is known as “proof of work,” used by currencies like Bitcoin in the process of releasing new cryptocurrency, versus “proof of stake,” used by currencies like Ethereum, which uses 0.005% of the power demand of “proof of work.” Even so, one wonders how much other activities, such as EVs and moving away from natural gas, are impacting the U.S. grid.
Canon has disclosed seven critical buffer overflow vulnerabilities affecting some of its small office multifunction printers and laser printers. If affected devices are directly connected to the Internet, attackers could exploit the vulnerabilities to execute arbitrary code or create denial-of-service conditions. The vulnerabilities were disclosed last summer; firmware fixes were made available on February 5.
The suggested mitigations are to update the printer firmware, then isolate the devices, which is going to be counterintuitive as you're likely used to setting them up for anyone to use. The trick is that with the capacity of modern printers, they have enough capability and connectivity to effectively be a pivot point. Consider limiting what they can connect to over the Internet as well, allowing only what is necessary for operation and updates.
It took Canon an inordinate amount of time to patch the seven critical vulnerabilities. That said, network printers are often overlooked when it comes to patch management. Hopefully, organizations are employing a secure network architecture that limits exposure of printers to the Internet.
Ensure that your printers, Canon and others, are connected only to the local network.
Dark Reading
Canon
Canon Europe
In early 2023, state-sponsored cyberthreat actors breached an unclassified network belonging to the Dutch Ministry of Defence. The intruders exploited a known vulnerability in a Fortinet VPN to place a remote access Trojan (RAT) malware in the system. The attack’s effect was limited due to network segmentation. A patch for the flaw was made available in December 2022 and the vulnerability was disclosed in January 2023.
The good news is the attackers were limited to one network segment. The bad news is they compromised their devices using old flaws that hadn't been fixed. The COATHANGER malware is persistent, surviving reboots and firmware updates, and is purpose-built for FortiGate appliances. If you're having trouble getting support to keep your Fortinet VPN updated (see the story about exploits of old Fortinet bugs), use this story to make your case. At this point, you're going to want to assume compromise, adding a factory reset to your activities.
Two points to call out: 1) Timing of the attack from when a patch was generally available; and 2) Network segmentation for the assist in limiting the attack from spreading. For one, while we don’t know precisely when the attack was found (early 2023), we do know that a patch was available in December 2022. It speaks to the need to be vigilant in patching critical vulnerabilities. For two, network segmentation is a key safeguard in maintaining a secure network architecture. It’s one of CIS’ critical security controls (CSC 12.2).
Gov Infosecurity
Bleeping Computer
NIST
Google’s Threat Analysis Group (TAG) has published a report, Buying Spying: How the commercial surveillance industry works and what can be done about it. TAG observes that nearly half of all zero-day exploits that target Google products come from commercial surveillance vendors.
Commercial surveillance is big business; the spyware vendors (NSO Group, Variston, Negg Group, Intellexa, RCS Lab, etc.) are licensing their services for millions of dollars. They are not just going after zero-days; they are going after unpatched flaws as well. Your primary mitigation is to make sure that devices are updated and patched, which means lifecycle management as well, then apply appropriately locked-down configurations in risky areas. Give consideration to requiring loaners for out-of-the-country trips, particularly to sensitive countries, to include destruction of the loaner when returned.
An excellent read, well done TAG. Three things to highlight: 1) the relatively large number of commercial surveillance vendors creating spyware; 2) the number of 0-days that are found and used against both Google and Apple products; and 3) the advanced skillset that exists outside of government. Bottom line, it is a very lucrative business to be in if you have the right technical skills.
Google APIs
SC Magazine
Bleeping Computer
LastPass detected a fraudulent LastPass app in the iOS app store. A LastPass blog post notes that “the app attempts to copy our branding and user interface, though close examination of the posted screenshots reveal misspellings and other indicators the app is fraudulent.” Apple has removed the app from its store.
It is not often that we hear of a fraudulent app being published in the Apple App Store. As additional app stores become available (based on the EU ruling to allow competing sources of iOS apps), this is going to be a more common concern, as they will not have the same level of rigor for publishing apps as Apple does. Be prepared to train users on selection, and where possible restrict access to only vetted app stores.
Perhaps a coincidence, or more likely an attempt to discredit Apple given the recent European court ruling to open their app store to competition. Whatever the reason, this is one of the very few times that a fraudulent app got past Apple’s app vetting process.
If you are still using LastPass, best to check your copy.
Computer viruses are celebrating their 40th birthday (well, 54th, really)
Anybody knows what this URL is about? Maybe Balena API request?
https://isc.sans.edu/diary/Anybody+knows+that+this+URL+is+about+Maybe+Balena+API+request/30628
A Python MP3 Player With Builtin Keylogger Capability
https://isc.sans.edu/diary/A+Python+MP3+Player+with+Builtin+Keylogger+Capability/30632
Fake LastPass App in Apple App Store
Ivanti XXE Vulnerability
FortiOS sslvpnd vulnerability
https://www.fortiguard.com/psirt/FG-IR-24-015
Critical shim vulnerability and patch
https://github.com/rhboot/shim/releases/tag/15.8
Volt Typhoon Lessons Learned
https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques
Critical Security Issue Affecting TeamCity On-Premises CVE-2024-23917
Resume Looters
https://www.group-ib.com/blog/resumelooters/
Facebook Advertising Spreads Novel Malware Variant
https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.