ArcaneDoor Uses Novel Cisco Bugs for Persistence; Cybersecurity Practitioner Licensing; PAN-OS Updated Remediation Knowledge Base; Presidents Cup Cybersecurity Competition Winners

The flaws patched by Cisco require authentication. Cisco states that they do not know how the attacker obtained initial access, but verify that authentication is configured properly and verify the password security for any devices. There have been persistent brute force attacks against these devices in the past.

Johannes Ullrich

The attackers are using an in-memory implant called Line Dancer which is used to disable syslog, exfiltrate the configuration, create packet captures, write to memory, and hook the crash dump and AAA processes to allow authentication and bypass/disable crash dumps needed for forensic analysis. Persistence is maintained with a backdoor called "Line Runner" which leverages the legacy capability to pre-load updated VPN clients and plugins on ASA devices. The update from Cisco prevents this technique from working, however it doesn't remove Line Runner so you need to check for new or unusual zip files, copying them off and reporting to Cisco as requested. Details on removing them are in the Talos blog.

Lee Neely

Brute force attacks against operator-less public network facing devices have been increasing. It is important to know if your devices are seeing and resisting such attack traffic.

William Hugh Murray

Businesses in general would never use an electrician or plumber that wasn't licensed and didn't carry an active business insurance policy. The same should certainly be true in selecting cybersecurity service providers. But in the US, states generally determine standards of workmanship as well as apprenticeship/licensing/certification requirements for skills/capabilities that are judged to be needed to adhere to those standards of workmanship. Federal requirements in the US for cybersecurity workmanship (let alone software quality and liability) aren't likely to happen anytime soon, if ever, in the US.

John Pescatore

This will be worth watching. Licensing has benefits as it validates a certain level of knowledge by individuals (certification) and business process by companies (accreditation). The devil will be in the details as the requirements for licensing comes later and whether they will grandfather in existing certification schemes.

Curtis Dukes

The idea is to offset risks of hiring unqualified professionals, possibly resulting in a registry of talent to draw upon, but the regulations also strengthen government oversight and regulation capabilities related to cyber activities, in some cases allowing for unlimited search and seizure powers as well as making activities by non-licensed cyber security researchers difficult if not illegal.

Lee Neely

It is not clear what problem such licensing is intended to solve, though our field is rife with pretenders. One recalls the abortive attempt by the state of New Jersey to license software "engineers" that was killed by the opposition of mere "programmers." One supports a requirement that one who holds oneself out as an engineer be held to the traditional standards of that profession, including licensing.

William Hugh Murray

This update contains additional insight you can leverage to make sure the updates you applied are indeed the droids you're looking for. Also note that they now state that disablement of device telemetry as NOT an effective mitigation as it is not required to exploit the vulnerability.

Lee Neely

The President's Cup was established in 2019, and is designed to organize and train members of the federal workspace, who can participate individually or in teams of up to five. The winners had to survive three rounds of competition, which are categorized into tasks and work roles in the NICE framework. Kudos to all who participated, and to the winners, who will likely be in high demand to keep this nation secure. The Award Ceremony is May 20th.

Lee Neely

Restart your browser at least once a day, and once a week, double check if your browser is up to date. Restarting your browser is the simplest way to make sure automatic updates are applied.

Johannes Ullrich

Of the fixes, CVE-2024-4058 (ANGLE type confusion) is rated a critical while CVE-2024-4059 (out of bounds read in V8) and CVE-2024-4060 (use after free om Dawn) are rated high. Chromium-based browsers have become really good at restoring your windows and tabs after a restart, so encourage users not to hesitate to click the restart/relaunch button when it appears. Your managed Chrome install should have an enforced time limit for that relaunch, a 48-72 hours max.

Lee Neely

Google wants to phase these out as both a security and privacy measure (reduction of cross-site and cross-application tracking) while keeping online content and services free for all. Ad providers are claiming Privacy Sandbox removes site owners, agencies and marketers to target and measure campaigns using their technologies in favor of a Google provided option. Some of you are saying, yes, that is kind of the point. Use this time to get a better understand of what Google's Privacy Sandbox provides and what you'd need to do to continue to have that measurement in the future or if you want to better know how to not be tracked.

Lee Neely

There are not a lot of examples of insecure update mechanisms being exploited by bad actors. Interesting to see this product being affected.

Johannes Ullrich

The attackers were able to MITM the antivirus service, which used HTTP to deliver updates, allowing them to infect end-users with malware. For. Five. Years. Beyond not using HTTPS, the AV client didn't sufficiently enforce digital signing of updated content, so the replacement malicious content wasn't detected. My gut says when they started deploying crypto miners, the resource hit gave them away. That gives you a couple of pointed questions to ask your EDR provider.

Lee Neely

This attack exposed two secure by design flaws by the vendor: 1) updates not digitally signed, and 2) using HTTP vice HTTPS. Both are common design principles and would have significantly raised the cybersecurity bar for the cybercriminal to execute the attack.

Curtis Dukes

Evilgrade is still a thing. It's also a thing that we barely test for anymore, isn't it?

Moses Frost

The Siemens Ruggedcom APE 1808 integrates security solutions from Palo Alto Networks, Fortinet and Nozomi Networks, and is an industrial application hosting platform for edge computing and cyber security in an industrial environment. As such, vulnerabilities in those components apply, in this case the updates to GlobalProtect which are pending release from Siemens. The workaround is to disable GlobalProtect gateway and portal, (these are disabled by default) until the update can be applied.

Lee Neely

Cisco, Palo Alto, and others have OEM agreements with Siemens and other vendors. Expect that as firewall issues occur (or switching issues occur), there will be some lag time for these OEMs to roll them into the equipment upgrade paths. That alone does not mean that they will be immediately pushed out to these OT systems.

Moses Frost

They are opening more locations, albeit with modified hours, in attempts to restore services to customers. They advise customers with appointments to verify their local office is open and operating. In today's climate, that is a fairly rapid return of services, and should spark conversations about whether you want to do partial service restoration, or a full waterfall, and how you'd communicate in either situation.

Lee Neely

This attack exposes an inconvenient truth: large amounts of data (i.e., PHI, PII, company confidential) are often stored on company email and messaging servers. Email is still the preferred communication method, even more so, now that most companies employ a remote workforce. Encrypt data in transit, at rest, and on end-user devices.

Curtis Dukes