SANS NewsBites

Lessons Learned from State Sponsored ICS Compromise; Perimeter Devices are Still a Big Risk

February 9, 2024  |  Volume XXVI - Issue #11

Top of the News


2024-02-08

Chinese State-Sponsored Cyber Espionage Group Maintained Persistent Access in US Critical Infrastructure System

In a joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI, and cybersecurity agencies in Canada, the UK, Australia, and New Zealand warn that state-sponsored threat actors from the People’s Republic of China maintained a presence in US critical infrastructure systems for at least five years before being detected. The group, known as Volt Typhoon, is known to use living-off-the-land techniques, abusing the legitimate administration tools already present on a host rather than deploying custom malware, to maintain persistent access in targeted systems. The international group of agencies has also jointly issued a publication titled “Identifying and Mitigating Living Off the Land Techniques.”

Editor's Note

The attack "only" affected critical infrastructure systems. But at the same time, the techniques used will likely be used by other actors as well. Read the reports considering how you would prevent or detect these attacks against your systems.

Johannes Ullrich
Johannes Ullrich

I would give this a good read. This group is a bit more than opportunistic. It shows how they can leverage bugs in the VPN provider kit to get in and persist. I believe this group also targeted the same residential systems we all use. The fact that these threat actor groups are working this way is not by chance; the data is valuable to them.

Moses Frost
Moses Frost

Make sure your team realizes that living-off-the-land techniques are not hypothetical or classroom exercises, that they are in fact actively used. The mitigations should be basic cyber hygiene: apply patches for Internet-facing systems and services, deploy phishing-resistant MFA, ensure logging is turned on both for application and OS activities, and that you're storing the logs in a central logging system. Make sure you're equipping your team with current tools to help automate these processes wherever possible.

Lee Neely
Lee Neely
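Living-off-the-land activity leaves few binaries to hash, so detection has to come from process-creation telemetry forwarded to central logging. The following is an added example, not code from the advisory or from SANS: it scans constructed Sysmon-style JSON process events for a handful of illustrative LOTL command-line patterns (the rule list, the allowlist and the host and user names are assumptions, not an authoritative Volt Typhoon signature set) and emits one finding per rule hit.

```python
"""Flag living-off-the-land (LOTL) command lines in process-creation logs.

Added example, not code from the advisory. The rules are illustrative
patterns (assumptions) drawn from widely reported LOTL tradecraft, not an
exhaustive or authoritative signature set; the log lines are constructed
Sysmon-style JSON events.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern  # matched against the lower-cased, space-collapsed command line
    why: str


# Illustrative rules (assumptions). Tune to your environment before deploying.
RULES = [
    Rule("ntds-dump",
         re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ac i ntds|create full)\b"),
         "ntdsutil used to snapshot NTDS.dit (domain credential theft)"),
    Rule("portproxy-pivot",
         re.compile(r"\bnetsh(\.exe)?\b.*\binterface portproxy add\b"),
         "netsh portproxy turns the host into a built-in traffic relay"),
    Rule("wmic-remote-exec",
         re.compile(r"\bwmic(\.exe)?\b.*\bprocess call create\b"),
         "WMIC process creation, a common lateral-movement primitive"),
    Rule("reg-hive-save",
         re.compile(r"\breg(\.exe)? save\b.*\\(sam|system|security)\b"),
         "registry hive export for offline credential extraction"),
    Rule("ps-encoded",
         re.compile(r"\bpowershell(\.exe)?\b.* -(e|ec|enc|encodedcommand) "),
         "encoded PowerShell command line"),
]

# Assumption: known-good (rule, host) pairs, e.g. a backup server that
# legitimately runs ntdsutil. Suppressions must be reviewed, not accumulated.
ALLOWLIST = {("ntds-dump", "BACKUP01")}


def normalise(cmd: str) -> str:
    """Collapse whitespace and lower-case so rules are case/spacing insensitive."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def scan_event(event: dict, allowlist=ALLOWLIST) -> list:
    """Return one finding dict per rule the event's command line triggers."""
    cmd = normalise(event.get("CommandLine", ""))
    host = event.get("Computer", "")
    findings = []
    for rule in RULES:
        if (rule.name, host) in allowlist or not rule.pattern.search(cmd):
            continue
        findings.append({
            "rule": rule.name,
            "why": rule.why,
            "host": host,
            "user": event.get("User"),
            "parent": event.get("ParentImage"),
            "command": cmd,
        })
    return findings


def scan_log(lines, allowlist=ALLOWLIST) -> list:
    """Scan newline-delimited JSON events; skip blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: fix normalisation upstream in the log pipeline
        findings.extend(scan_event(event, allowlist))
    return findings


# Constructed sample events (not real telemetry). BACKUP01 is suppressed by ALLOWLIST.
SAMPLE_LOG = r"""
{"Computer":"DC01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\pro\" q q"}
{"Computer":"WS17","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"Computer":"FS02","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.20 connectport=8443"}
{"Computer":"WS17","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"Computer":"WS22","User":"CORP\\admin","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"}
{"Computer":"BACKUP01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full D:\\backup\\ad\" q q"}
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))  # one JSON alert per line, ready for the SIEM
```

The point of the allowlist is the caveat: every one of these tools has legitimate uses, so the rules only work when the baseline of who runs them, from where, and under which parent is known. That baseline only exists if the logging Lee Neely describes is switched on and centralised before the incident.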

2024-02-08

APT Threat Actors are Exploiting Known Vulnerabilities in FortiOS

Fortinet is warning that state-sponsored threat actors are exploiting known vulnerabilities in FortiOS. One of the vulnerabilities, CVE-2022-42475, is a heap-based buffer overflow for which Fortinet issued a patch in December 2022. The second vulnerability (CVE-2023-27997) is also a heap-based buffer overflow for which Fortinet issued a patch in June 2023.

Editor's Note

Keep your perimeter security devices up to date. Simultaneously, think about how you would detect a compromise of a perimeter security device. What kind of detective controls do you have in place to alert you of a misbehaving device?

Johannes Ullrich
Johannes Ullrich

The latest FortiOS can automatically update the system on a specified interval. To many FortiGate users, this may be a non-starter given the number of defects on the system at times. However, since most people are having a tough time keeping their systems even reasonably up to date, it may be a good option for those who don’t want to consider it. I know of one person who has a simple configuration on their FortiGate and has been running the automatic updates since the feature came out about six months ago. Suppose you find that people do not want to manage features and have the fewest options; this may be a reasonable choice. Another thing is that a writeup from the Dutch MOD describes how the implant works: you may want to read through it to see how FortiGate works under the hood.

Moses Frost
Moses Frost
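Johannes Ullrich's question, what detective controls tell you a perimeter device is misbehaving, is easiest to answer from the device's own event log. The following is an added example, not Fortinet's code or a SANS tool: it parses constructed FortiGate-style key=value event lines and alerts on administrator logins from outside an assumed management network, logins by accounts that should not exist, and configuration changes made from an untrusted source or that add a new administrator. The management subnet, the expected admin accounts and the log lines are all assumptions.

```python
"""Detective controls for a perimeter device, run over its own event logs.

Added example, not Fortinet's code or tooling. Log lines are constructed in
FortiGate-style key=value syntax; the management network and expected admin
accounts are assumptions to be replaced with your own.
"""
import ipaddress
import re

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumptions: dedicated management VLAN and the admin accounts that should exist.
MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24")]
EXPECTED_ADMINS = {"admin", "netops"}


def parse_kv(line: str) -> dict:
    """Parse one key=value log line into a dict (quoted values unquoted)."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def source_ip(ev: dict):
    """Client IP from srcip=, or parsed out of ui="https(203.0.113.5)"."""
    ip = ev.get("srcip")
    if not ip and "ui" in ev:
        m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", ev["ui"])
        ip = m.group(1) if m else None
    try:
        return ipaddress.ip_address(ip) if ip else None
    except ValueError:
        return None


def on_mgmt_net(ip) -> bool:
    return ip is not None and any(ip in net for net in MGMT_NETS)


def check_event(ev: dict) -> list:
    """Return (rule, detail) tuples for one parsed event; traffic logs are ignored."""
    if ev.get("type") != "event":
        return []
    alerts = []
    src = source_ip(ev)
    user = ev.get("user", "")
    where = f"{user} from {ev.get('ui', 'unknown')}"

    # Successful administrator login: must come from the management network
    # and use an account we know about.
    if ev.get("action") == "login" and ev.get("status") == "success":
        if not on_mgmt_net(src):
            alerts.append(("admin-login-off-mgmt", where))
        if user not in EXPECTED_ADMINS:
            alerts.append(("admin-login-unknown-account", where))

    # Configuration change: flag new admin accounts, and any change made by an
    # unexpected account or from outside the management network.
    if "cfgpath" in ev and ev.get("action") in {"Add", "Edit", "Delete"}:
        if ev["cfgpath"] == "system.admin" and ev["action"] == "Add":
            alerts.append(("new-admin-account", f"{ev.get('cfgobj')} added by {where}"))
        if user not in EXPECTED_ADMINS or not on_mgmt_net(src):
            alerts.append(("config-change-untrusted", f"{ev['action']} {ev['cfgpath']} by {where}"))
    return alerts


def scan(lines) -> list:
    """Run check_event over every non-blank line and flatten the alerts."""
    return [a for line in lines if line.strip() for a in check_event(parse_kv(line))]


# Constructed sample log (not from a real device): a normal admin login, then an
# off-hours SSH login from the Internet that adds a new admin, who then logs in.
SAMPLE_LOG = """\
date=2024-02-08 time=08:02:11 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.0.100.7)" srcip=10.0.100.7 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.100.7)"
date=2024-02-08 time=02:14:53 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.5)" srcip=203.0.113.5 action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.5)"
date=2024-02-08 time=02:15:30 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
date=2024-02-08 time=02:16:02 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="Admin login successful" user="support" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="success" msg="Administrator support logged in successfully from https(198.51.100.9)"
date=2024-02-08 time=02:16:40 devname="fw-edge-1" type="traffic" subtype="forward" level="notice" srcip=192.168.1.20 dstip=203.0.113.50 action="accept" policyid=7
"""

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {detail}")
```

Two caveats a practitioner would add. First, these rules only see what the device chooses to log, so the logs must be shipped off-box to a collector the device cannot alter; an implant with root on the appliance can suppress or forge local events. Second, this catches misuse of the management plane, not a memory-corruption exploit of the SSL-VPN daemon itself; for that you also need to watch the device's own outbound connections and its firmware integrity, which is why Moses Frost's point about keeping the appliance current still comes first.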

2024-02-08

Ivanti, Again

On Thursday, February 8, Ivanti disclosed yet another vulnerability that affects certain versions of its Connect Secure and Policy Secure products. Ivanti has released updates to address the high-severity flaw, an XML external entity (XXE) issue which can be exploited to “allow an attacker to access certain restricted resources without authentication.” This is the fifth Ivanti vulnerability to be disclosed so far this calendar year.

Editor's Note

Title says it all. Have a plan to move on from Ivanti.

Johannes Ullrich
Johannes Ullrich

CVE-2024-22024 has a CVSS score of 8.3, and the fix is to apply the patch when released. If the patch hasn't been released for your version of Connect Secure and Policy Secure, Ivanti claims the mitigation from January 31 will address this. Due to the visibility of these services, and Ivanti's ongoing struggles, it'd be a good time to take a look at alternative solutions (as in having a fully fleshed out plan to switch) in the event management's risk tolerance is exhausted.

Lee Neely
Lee Neely

Your VPN devices, specifically SSL VPN devices, may have code and architecture developed 20 years ago. It is not a coincidence that we see bugs.

Moses Frost
Moses Frost

Ivanti’s ‘vulnerability bell’ continues to be rung this year and we’re barely into February. If you’re using Ivanti products, be hyper vigilant in monitoring your network and be quick to respond to Ivanti vulnerability advisories.

Curtis Dukes
Curtis Dukes

The Rest of the Week's News


2024-02-07

JetBrains Patches Critical Vulnerability in On-Prem TeamCity

JetBrains has released an update to address an authentication bypass vulnerability in TeamCity On-Premises. The flaw affects TeamCity On-Premises versions 2017.1 through 2023.11.2 and is addressed in version 2023.11.3. The vulnerability was discovered externally and reported to JetBrains on January 19.

Editor's Note

If you're using the cloud version of TeamCity, you're covered. CVE-2024-23917, authentication bypass, has a CVSS score of 9.8. The patch is specific to this vulnerability; other issues need to be addressed by applying the needed updates separately. JetBrains is advising making any unpatched Internet-accessible TeamCity servers inaccessible until mitigations can be applied.

Lee Neely
Lee Neely

TeamCity is a CI/CD. Patch your CI/CD.

Moses Frost
Moses Frost

2024-02-08

Fix Released for Linux Shim Bootloader Vulnerability

Various Linux distributions are in the process of patching a high-severity out-of-bounds write vulnerability in shim, the small first-stage bootloader that Linux distributions use to participate in the UEFI Secure Boot process. The flaw can be exploited to install malware that executes at the firmware level, before the operating system kernel loads.

Editor's Note

Turns out most of our modern Linux systems are using UEFI (rather than BIOS) and secure boot is likely to be enabled. If you're using secure boot, whether workstation or server, you need to deploy the updated Shim. While RedHat is getting the press on this update, it also applies to other Linux distros, including Debian, Ubuntu and SUSE. The risk here is the Shim is executing at the lowest levels of the boot process, so any malware introduced via the weakness has a significant attack surface which can be leveraged to manipulate the kernel or OS.

Lee Neely
Lee Neely

2024-02-07

US Cryptomining Operations Must Report Energy Use

The US Energy Information Administration (EIA) now requires certain cryptocurrency mining operations to provide information about their electricity consumption. The requirement applies to “identified commercial cryptocurrency miners.” EIA estimates that cryptocurrency mining accounts for as much as 2.3 percent of US electricity consumption.

Editor's Note

At core, this is about managing the capacity of the US power grid. This targets reporting from legitimate mining operations. The volume of crypto mining in the US has been steadily increasing over the last decade, but in 2019 saw a big jump, and when China started cracking down on digital currency mining in 2021, much of this activity moved to the US. The resource-intensive activity is known as “proof of work,” used by currencies like Bitcoin in the process for releasing new cryptocurrency, versus “proof of stake,” used by currencies like Ethereum, which uses 0.005% of the power demand of "proof of work." Even so, one wonders how much other activities, such as EVs and moving away from natural gas, are impacting the U.S. grid.

Lee Neely
Lee Neely

2024-02-07

Multiple Vulnerabilities in Canon Printers

Canon has disclosed seven critical buffer overflow vulnerabilities affecting some of its small office multifunction printers and laser printers. If affected devices are directly connected to the Internet, attackers could exploit the vulnerabilities to execute arbitrary code or create denial-of-service conditions. The vulnerabilities were disclosed last summer; firmware fixes were made available on February 5.

Editor's Note

The suggested mitigations are to update the printer firmware, then isolate the devices, which is going to be counterintuitive as you're likely used to setting them up for anyone to use. The trick is that with the capacity of modern printers, they have enough capability and connectivity to effectively be a pivot point. Consider limiting what they can connect to over the Internet as well, allowing only what is necessary for operation and updates.

Lee Neely
Lee Neely

It took Canon an inordinate amount of time to patch the seven critical vulnerabilities. That said, network printers are often overlooked when it comes to patch management. Hopefully, organizations are employing a secure network architecture that limits exposure of printers to the Internet.

Curtis Dukes
Curtis Dukes

Ensure that your printers, Canon and others, are connected only to the local network.

William Hugh Murray
William Hugh Murray

2024-02-06

Dutch Military Network Infected with Remote Access Trojan

In early 2023, state-sponsored cyberthreat actors breached an unclassified network belonging to the Dutch Ministry of Defence. The intruders exploited a known vulnerability in a Fortinet FortiGate VPN appliance to place remote access Trojan (RAT) malware on the device. The attack’s effect was limited by network segmentation. A patch for the flaw was made available in December 2022 and the vulnerability was disclosed in January 2023.

Editor's Note

The good news is the attackers were limited to one network segment. The bad news: they compromised their devices using old flaws that hadn't been fixed. The COATHANGER malware is persistent, surviving reboots and firmware updates, and is purpose built for FortiGate appliances. If you're having trouble getting support to keep your Fortinet VPN updated (see story about exploits to old Fortinet bugs), use this story to make your case. At this point, you're going to want to assume compromise, adding a factory reset to your activities.

Lee Neely
Lee Neely

Two points to call out: 1) Timing of the attack from when a patch was generally available; and 2) Network segmentation for the assist in limiting the attack from spreading. For one, while we don’t know precisely when the attack was found (early 2023), we do know that a patch was available in December 2022. It speaks to the need to be vigilant in patching critical vulnerabilities. For two, network segmentation is a key safeguard in maintaining a secure network architecture. It’s one of CIS’ critical security controls (CSC 12.2).

Curtis Dukes
Curtis Dukes

2024-02-06

Google Threat Analysis Group Report on Commercial Surveillance Vendors

Google’s Threat Analysis Group (TAG) has published a report, Buying Spying: How the commercial surveillance industry works and what can be done about it. TAG observes that nearly half of all zero-day exploits that target Google products come from commercial surveillance vendors.

Editor's Note

Commercial surveillance is big business; the spyware vendors (NSO Group, Variston, Negg Group, Intellexa, RCS Lab, etc.) are licensing their services for millions of dollars. They are not just going after zero-days, they are going after unpatched flaws as well. Your primary mitigation is to make sure that devices are updated and patched, which means lifecycle management as well, then apply appropriately locked-down configurations in risky areas. Give consideration to requiring loaners for out-of-the-country trips, particularly to sensitive countries, to include destruction of the loaner when returned.

Lee Neely
Lee Neely

An excellent read, well done TAG. Three things to highlight: 1) the relatively large number of commercial surveillance vendors creating spyware; 2) the number of 0-days that are found and used against both Google and Apple products; and 3) the advanced skillset that exists outside of government. Bottom line, it's a very lucrative business to be in if you have the right technical skills.

Curtis Dukes
Curtis Dukes

2024-02-08

Fraudulent LastPass App Removed from App Store

LastPass detected a fraudulent LastPass app in the iOS app store. A LastPass blog post notes that “the app attempts to copy our branding and user interface, though close examination of the posted screenshots reveal misspellings and other indicators the app is fraudulent.” Apple has removed the app from its store.

Editor's Note

It is not often that we hear of a fraudulent app being published in the Apple App Store. As additional app stores become available (based on the EU ruling to allow competing sources of iOS apps), this is going to be a more common concern as they will not have the same level of rigor for publishing apps as Apple does. Be prepared to train users on selection, and where possible restrict access to only vetted app stores.

Lee Neely
Lee Neely

Perhaps a coincidence or more likely an attempt to discredit Apple given the recent European court ruling to open their app store to competition. Whatever the reason, one of the very few times that a fraudulent app got past Apple’s app vetting process.

Curtis Dukes
Curtis Dukes

If you are still using LastPass, best to check your copy.

William Hugh Murray
William Hugh Murray

Internet Storm Center Tech Corner

Computer viruses are celebrating their 40th birthday (well, 54th, really)

https://isc.sans.edu/diary/Computer+viruses+are+celebrating+their+40th+birthday+well+54th+really/30624

Anybody knows what this URL is about? Maybe Balena API request?

https://isc.sans.edu/diary/Anybody+knows+that+this+URL+is+about+Maybe+Balena+API+request/30628

A Python MP3 Player With Builtin Keylogger Capability

https://isc.sans.edu/diary/A+Python+MP3+Player+with+Builtin+Keylogger+Capability/30632

Fake LastPass App in Apple App Store

https://blog.lastpass.com/2024/02/warning-fraudulent-app-impersonating-lastpass-currently-available-in-apple-app-store/

Ivanti XXE Vulnerability

https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure

FortiOS sslvpnd vulnerability

https://www.fortiguard.com/psirt/FG-IR-24-015

Critical shim vulnerability and patch

https://github.com/rhboot/shim/releases/tag/15.8

Volt Typhoon Lessons Learned

https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques

Critical Security Issue Affecting TeamCity On-Premises CVE-2024-23917

https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/

Resume Looters

https://www.group-ib.com/blog/resumelooters/

Facebook Advertising Spreads Novel Malware Variant

https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf