FCC Proposes Rules for Internet Routing Security Reporting; Zyxel Patches Critical Flaws in EoL NAS Devices; Threat Actors Exploit Old Vulnerabilities in ThinkPHP Apps

This move comes at the right time. For the most part, large ISPs are already implementing RPKI. As of earlier this year, the number of protected prefixes exceeds the number of unprotected once. This will hopefully get the stragglers on board.

First comes the plan then comes the implementation. ISPs have known that BGP is vulnerable to attack and has been for decades. This future requirement shouldn’t come as a surprise to any of them.

The FCC is working to hold ISPs feet to the fire implementing BGP security measures specifically Resource Public Key Infrastructure (RPKI). In effect, signed changes/updates to BGP information. They want to have the ISPs provide a confidential (detailed) report on their plans to improve BGP security, and the nine largest ISPs will be held to a higher bar for delivery. However, if they meet the desired security threshold, they will not need to file subsequent detailed plans.

Nice to have patches available even after the product is officially EoL. Too often we end up with no longer supported devices. I just looked at some EoL policies for different vendors, and around four years appears to be standard. How many devices in your network are older?

CVE-2024-29972, backdoor account, CVE-2024-29973, Python code injection, and CVE-2024-29974, RCE/persistence flaw, all have CVSS scores of 9.8. CVE-2024-29972 the "NsaRescueAngel" backdoor/remote support root account, was supposed to be resolved in 2020 but remains. The patches are only available if you have extended support; apply the patches expeditiously. Regardless of support, take steps to replace these devices; they were EOL December 31, 2023. Make sure the old devices are retired/recycled so they don't re-appear in your radar at a time where issues won't be addressed.

ThinkPHP has been one of the most actively exploited web apps for years. Must have been a slow news days for this to get picked up. I would be very surprised to find a vulnerable ThinkPHP install in the wild that is not already exploited multiple times.

There were initially two major releases of ThinkPHP, an object-oriented lightweight PHP development framework, version 3 and 5, licensed under Apache 2 Open Source. CVE-2018-20062 affects ThinkPHP versions prior to 5.0.23, and CVE-2019-9082 impacts ThinkPHP prior to version 3.2.4. Make sure you're using the latest release and investigate moving to ThinkPHP 6.0/6.1 which use PHPO 7 strong typing (strict mode) and are compatible with PHP 8.1.

This announcement serves as good reminder that vulnerabilities that are known to work are a good first bet for evildoers to try. Evildoers are using them because they’re still working. The bigger question is why organizations fail to patch. That answer can be a bit more complicated, but the requirement is if don’t patch you regularly review the risk of not doing so.

The FCC should include program implementation guidance with the release of these funds. For example, a must is completion of a standardized cybersecurity assessment. This creates the sort of data that will prove valuable in identifying specific products and services to implement essential cyber hygiene.

Understanding what services and equipment best serves schools includes deployments at schools. In other words, the pilot program will provide financial support to schools and libraries seeking to reduce the burden of maintaining/implementing cybersecurity services and equipment. This program is part of FCC Chairwoman Jessica Rosenworcel's Learn Without Limit's initiative, which includes ensuring connectivity in schools and libraries, Wi-Fi on school busses, as well as E-Rate support for libraries and tribal communities.

We don’t fund our public schools very well, and the staff’s salary is not what it should be. I’ve known some IT people at these county schools, and their staffing levels are some of the smallest. Any amount of help is appreciated.

Welcome and long overdue news from the Microsofties. Granted admins still have some time to make the transition fully to Kerberos or another authentication protocol. That said, no time like the present to inventory NTLM usage and start planning for its eventual deprecation.

Yeah, I thought NTLM (LANMAN, NTRLMv1 and NTLMv2) were long gone, and the April 2024 security update broke it for some as a reminder it's still around. (This was resolved in the May 14 update). Calls to NTLM should be replaced with calls to Negotiate, which uses Kerberos, falling back to NTLM only when necessary. If you've not already cataloged your use of NTLM, do so, then take active steps to phase it out.

The hospitals have disconnected from Synnovis IT systems while the incident is resolved. Synnovis is not yet sharing an ETA for service restoration, and it's being noted that the recent Synlab Italia incident, even though not directly connected, took a month to restore services. Take a note here - where you're not sharing your targets of service restoration, connections will be made to other incidents to extract and publish a timeline by others. You've set recovery time objectives, if you're not comfortable stating these, you need to rehearse and revise your plans until you are.

The key statement from Synnovis is “…This is a harsh reminder that this sort of attack can happen to anyone at any time…” Heed Synnovis’ advice and review your credential, configuration, and patch management processes on a regular basis. Where possible enable MFA. Configure your devices to a known benchmark standard. And, ideally, patch high severity vulnerabilities within 24-hours of patch release.