SANS NewsBites

Lack of MFA Contributed to Massive Medibank Breach; SaaS Outage Affects North American Car Dealerships; Firewall Configuration Problem Disrupts 911 System

June 21, 2024  |  Volume XXVI - Issue #48

Top of the News


2024-06-19

Australia's Information Commissioner Says Medibank Breach Likely Due to Lack of MFA

According to a report from the Australian Information Commissioner, a 2022 cyberattack against Medibank was likely enabled by a lack of basic security measures, including multi-factor authentication (MFA). The attackers stole sensitive information from the health insurance provider and leaked it to the Internet. The breach affected 9.7 million people. The report describes the method by which the attackers gained purchase in Medibank's system: An employee of a Medibank contractor (IT Service Desk Operator) had saved his Medibank username and password for a number of Medibank accounts (Medibank Credentials) to his personal internet browser profile on the work computer he used to provide IT services to Medibank. When the IT Service Desk Operator subsequently signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer.

Editor's Note

Did you catch that? The lack of MFA is now equated to a lack of basic security measures. The writing is on the wall: password-only authentication has got to go, particularly when password stores can be synchronized between work and business browsers. Consider the weakest-link security cliche. Any of your directly accessible services - VPN, Cloud, Email and administrator/privileged accounts - should be at the top of your list. Your existing IDP should already support it, possibly including passkeys. It's a matter of planning, piloting and enabling.

Lee Neely

CIS's Critical Security Control 6, Access Control Management, requires MFA for externally exposed applications, remote network access, and administrative access. Each of those safeguards is defined as essential cyber hygiene (IG1). Not implementing the safeguards that make up IG1, or applying other risk reduction methods, would demonstrate shortcomings in an organization's duty of care to protect consumer information and open them to liability claims.

Curtis Dukes

In healthcare, to prevent spread of infection, many items are not reusable. In healthcare IT, reusable passwords are just as dangerous! Lack of MFA for privileged access was reported to Medibank as a critical defect in 2020. This will be a very expensive event for Medibank.

John Pescatore

Said another way, reliance on passwords is reckless. Well-designed, strong authentication is essential, efficient, and more convenient than passwords.

William Hugh Murray

2024-06-20

CDK Global Automotive SaaS Platform Goes Down

Automotive software-as-a-service (SaaS) provider CDK Global suffered a cybersecurity incident that disrupted operations at North American car dealerships and automobile equipment manufacturers. More than 15,000 car dealerships use CDK's platform, which dealerships use in multiple aspects of operation. CDK experienced one attack on June 18 and shut down its systems out of precaution on June 19. They restored some services later that day, but experienced a second attack and shut down their systems again.

Editor's Note

Beware the temptation to restore services too quickly without being certain you've mitigated the attack vectors, to include neutralizing any remaining malware. Yeah, that's hard, but being repeatedly compromised is worse. Make sure your DR plan has not only your eradication and validation processes but also communication to management about this critical setup which has to be done right before restoration can commence. You may want to call in outside help for those processes; have those options established ahead of time.

Lee Neely

Another example of a single point failure in the supply chain that has unintended consequences for downstream customers. The government should conduct a study of the long-term effects that mergers and acquisitions have had on supplier resiliency.

Curtis Dukes

If one relies upon recovery, rather than prevention, the recovery system must be well designed. It must be capable of recovering entire applications and systems in hours, rather than simply recovering files from backup.

William Hugh Murray

2024-06-20

Firewall Configuration Responsible for Massachusetts 911 Disruption

On the afternoon of Tuesday, June 18, the US state of Massachusetts experienced a state-wide outage of their 911 emergency response system. According to the Massachusetts Executive Office of Public Safety and Security, the two-hour disruption was caused by a technical issue with a firewall that prevented 911 calls from reaching dispatch centers. The 911 system vendor, Comtech, has 'applied a technical solution to ensure that this does not happen again.'

Editor's Note

That the outage occurred between 1:30 and 3:30 PM on a Tuesday suggests that the firewall installation or change was targeted at a time when services were less critical. That they don't know why the services were impacted indicates a lack of comprehensive understanding of the traffic or possibly a claim it's good enough and we'll see what breaks. For critical services, this is not the ideal way to discover undocumented dependencies. Today's discovery tools can help you do that in a non-disruptive fashion but be sure to have sufficient discovery intervals to find infrequent activities as well as identify anything "odd." Comtech has likely added new services to their regression testing, and likely a better environment for testing changes.

Lee Neely

Blaming this on the firewall is kind of like blaming a fire extinguisher if someone left it jamming shut a revolving door; something changed somewhere that caused the firewall to disrupt calls - could be a change in the app or a change in the firewall configuration. This is a good reminder of the importance of change control and change logging - often easy-to-resolve outages are because an unapproved or mistaken 'oops' happened and was rolled back. Critical systems like 911 obviously deserve high levels of 'oops'-proofing.

John Pescatore

The human element continues to be the single largest source of cyber incidents globally. While this was the result of an installation error, it's a good reminder that evildoers frequently target humans to enable cyber-attacks.

Curtis Dukes
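As an added illustration of the change-control point raised in the notes above (this is not Comtech's code, nor any editor's), the following Python script diffs two revisions of a small firewall ruleset and reports which of a set of named critical flows would be decided differently after the change. The rule syntax, the addresses and the critical flows are constructed for the example; first-match evaluation with an implicit default deny is an assumption that matches most packet filters.

```python
"""Change-control check for a firewall ruleset edit.

Added example; not Comtech's code or any editor's. Rule syntax, addresses and
the "critical flows" are constructed. A flow is (proto, src, dst, dport);
rules are evaluated first match wins with an implicit default deny (assumed).
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, int]  # (proto, src host/CIDR, dst host/CIDR, dport)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR
    dst: str      # CIDR
    dport: str    # "22", "10000-20000" or "any"


def parse_ruleset(text: str) -> List[Rule]:
    """Parse 'name action proto src dst dport' lines in evaluation order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(*parts))
    return rules


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _covers(rule: Rule, flow: Flow) -> bool:
    proto, src, dst, port = flow
    return (rule.proto in ("any", proto)
            and ip_network(src).subnet_of(ip_network(rule.src))
            and ip_network(dst).subnet_of(ip_network(rule.dst))
            and _port_matches(rule.dport, port))


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule; default deny."""
    for rule in rules:
        if _covers(rule, flow):
            return rule.action, rule.name
    return "deny", None


def diff_rulesets(before: List[Rule], after: List[Rule]) -> Dict[str, List[str]]:
    """Names of rules added, removed or modified between two revisions."""
    b = {r.name: r for r in before}
    a = {r.name: r for r in after}
    return {
        "added": sorted(a.keys() - b.keys()),
        "removed": sorted(b.keys() - a.keys()),
        "modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def review_change(before_text: str, after_text: str, critical: Dict[str, Flow]):
    """Diff the revisions and list critical flows whose verdict changed."""
    before, after = parse_ruleset(before_text), parse_ruleset(after_text)
    regressions = []
    for label, flow in critical.items():
        was, now = decide(before, flow), decide(after, flow)
        if was[0] != now[0]:
            regressions.append(f"{label}: {was[0]} ({was[1]}) -> {now[0]} ({now[1]})")
    return diff_rulesets(before, after), regressions


# Constructed sample rulesets. The revision adds a broad deny at the top and
# narrows the RTP destination, which silently breaks the call path.
BEFORE = """
# name        action proto  src               dst            dport
sip-inbound   allow  udp    198.51.100.0/24   10.20.0.0/24   5060
rtp-inbound   allow  udp    198.51.100.0/24   10.20.0.0/24   10000-20000
admin-ssh     allow  tcp    10.9.0.0/24       10.20.0.0/24   22
deny-all      deny   any    0.0.0.0/0         0.0.0.0/0      any
"""
AFTER = """
block-scan    deny   udp    198.51.100.0/24   10.20.0.0/24   any
sip-inbound   allow  udp    198.51.100.0/24   10.20.0.0/24   5060
rtp-inbound   allow  udp    198.51.100.0/24   10.20.0.0/25   10000-20000
admin-ssh     allow  tcp    10.9.0.0/24       10.20.0.0/24   22
deny-all      deny   any    0.0.0.0/0         0.0.0.0/0      any
"""
CRITICAL_FLOWS: Dict[str, Flow] = {
    "911 SIP signalling to dispatch": ("udp", "198.51.100.7", "10.20.0.200", 5060),
    "911 RTP media to dispatch": ("udp", "198.51.100.7", "10.20.0.200", 12000),
    "admin ssh": ("tcp", "10.9.0.5", "10.20.0.200", 22),
}

if __name__ == "__main__":
    changes, regressions = review_change(BEFORE, AFTER, CRITICAL_FLOWS)
    print("changes:", changes)
    for line in regressions:
        print("REGRESSION", line)
```

The point of keeping a named list of critical flows beside the ruleset is that a diff alone ("one rule added, one modified") does not tell a reviewer anything about impact; replaying the flows through both revisions does, before the change goes live.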

The Rest of the Week's News


2024-06-20

Crown Equipment Confirms Cyberattack

Ohio-based forklift manufacturing firm Crown Equipment has acknowledged that they suffered a cyberattack earlier this month. The incident disrupted Crown's manufacturing operations. Employees have been reporting that the company's IT systems were down and that they have been warned not to accept MFA approval requests and to be vigilant about phishing attempts.

Editor's Note

This one is a good reminder that moving to MFA requires thinking through the entire registration/restoration process to make sure you are not putting strong authentication on top of a weak foundation. Strong authentication means using standards-based phishing-resistant techniques and a strong foundation means thinking through attack scenarios like this one or SIM swapping approaches.

John Pescatore

Of interest here is the employees reporting a lack of transparency and communication from the company. The root cause appears to be an employee falling for a social engineering attack which allowed the attacker to install remote access software. There are lessons learned we can incorporate, such as how you want time reported as well as compensation processes while those systems are offline, not only for good communication but also a known process which can be followed; where do you want people to report and what will you have them do?

Lee Neely

MFA setup as social engineering. Sounds suspiciously as though this is another enterprise relying on passwords. What could possibly go wrong?

William Hugh Murray

2024-06-20

Kaspersky Software to be Banned in US

The US Department of Commerce's Bureau of Industry and Security (BIS) has announced a Final Determination that bans the sale of Kaspersky products and services in the country as of July 20, 2024 due to national security concerns. Kaspersky will also be prohibited from providing software updates and malware signatures after September 29, 2024.

Editor's Note

Kaspersky software has been banned on US Government systems since 2017 for similar security concerns. While the ban doesn't go into effect until September 29th, the company is prohibited from signing up any new customers after July 20th. At this point, if you're a Kaspersky shop, start qualifying alternate solutions so you can have them deployed by this fall. Right or wrong, you don't want to run a risk of disruption of your EDR platform, nor do you want to go toe-to-toe with the regulators tasked with enforcement.

Lee Neely

Without the ability to update software, to include malware signatures, existing users are best served in moving to other endpoint security products. So, this becomes a total ban of the product in this country. Ultimately, this and the TikTok case will be settled by the courts and marks a new era in tech nationalism.

Curtis Dukes

A good reminder that supply chain security needs to include identifying product and service-providers that are at risk of retaliatory bans.

John Pescatore

2024-06-20

Symantec: Attacks Using Chinese Cyberespionage Tools Targeting Asian Telecoms

Researchers from Symantec's Threat Hunter Team have published a report describing a cyberespionage campaign that has been active since at least 2021. The perpetrators use tools associated with Chinese threat actor groups to target multiple telecommunications operators in an unnamed Asian country. The attackers have dropped custom backdoors on targeted systems and have also tried to steal credentials. Symantec's write-up includes indicators of compromise (IoCs).

Editor's Note

I'm seeing what looks like three-year dwell times here. As an industry we're doing much better: recent Sophos reports show dwell time is down, but we can't let our guard down. Have you checked for Coolclient - a keylogger/file manipulation tool associated with Mustang Panda/Earth Preta/RedDelta; Quickheal - a backdoor for information harvesting/remote shell and file manipulation associated with RedFoxTrot/APT 15/Nomad Panda; or Rainyday - a backdoor sideloaded with F-Secure for recon, lateral movement, credential theft, data exfil and payload deployment associated with Naikon/Firefly recently? The Symantec Blog has IOCs to help you hunt for these.

Lee Neely

Of course, the only credentials worth stealing are those which are vulnerable to fraudulent reuse, e.g., passwords. Passwords are not a security mechanism but a vulnerability.

William Hugh Murray

2024-06-19

Proofpoint Report: Campaigns Trick Users into Copying and Pasting Malicious PowerShell Scripts

Researchers from Proofpoint have identified campaigns that use social engineering to trick users into copying and pasting malicious PowerShell scripts, which install malware on their computers. Proofpoint saw one campaign begin in March of this year; a second began in April. Both campaigns use prompts in Google Chrome, Word, or OneDrive that say an error has occurred and that users need to take certain actions to maintain access; the prompt urges users to copy and paste code into a Windows terminal to 'install the root certificate' or 'update the DNS cache.'

Editor's Note

The prompt for the malware is really slick, including video instructions. And, of course, the script is obfuscated. One quick read while under stress and your users are going to slip down this rabbit hole. The delivery is being done via spam, OneDrive, Word docs and browser popups, and we're going to have to help our users learn to identify these. In addition, make sure that your EDR product is set to catch the attempted compromise.

Lee Neely

Social engineering remains the most efficient attack. Most user errors do not result in breaches; many breaches result from user error.

William Hugh Murray
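An added example (not Proofpoint's code, nor any editor's) of the kind of EDR-side check the notes above call for: a Python scorer that reads PowerShell process-creation events, weights the command-line switches and obfuscation patterns a pasted one-liner tends to carry, and decodes any -EncodedCommand payload so the decoded text is scored as well. The event format, indicator list, weights and threshold are this example's own assumptions; the telemetry is constructed, and the encoded payload in it is a harmless Write-Host.

```python
"""Heuristic scoring of PowerShell process-creation events.

Added example; not Proofpoint's or any editor's code. Indicator list, weights,
threshold and event format are assumptions of this example; events are
constructed. Real telemetry (Sysmon event 1, PowerShell script-block logs)
carries the same fields read here: image, parent and command line.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# (pattern, weight, label): switches and tricks that an interactive, pasted
# one-liner tends to carry and a scheduled or packaged script normally does not.
INDICATORS: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s"), 3, "encoded command"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2, "hidden window"),
    (re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"), 2, "execution policy bypass"),
    (re.compile(r"(?i)-no(?:p|profile)\b"), 1, "no profile"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), 3, "invoke-expression"),
    (re.compile(r"'\s*\+\s*'"), 2, "string concatenation obfuscation"),
    (re.compile(r"(?i)\[char\]"), 2, "char-code obfuscation"),
]
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
SUSPICIOUS_SCORE = 5  # assumed threshold; tune against your own baseline


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def score_cmdline(cmdline: str) -> Tuple[int, List[str]]:
    """Sum the weights of every indicator present in one command line."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            hits.append(label)
    return score, hits


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event; a decoded payload is scored too."""
    cmd = event.get("cmdline", "")
    score, hits = score_cmdline(cmd)
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        extra, extra_hits = score_cmdline(decoded)
        score += extra
        hits += [f"decoded: {h}" for h in extra_hits]
    return {
        "ts": event.get("ts"), "user": event.get("user"), "parent": event.get("parent"),
        "score": score, "hits": hits, "decoded": decoded,
        "suspicious": score >= SUSPICIOUS_SCORE,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the PowerShell events that crossed the threshold, highest score first."""
    shells = ("powershell.exe", "pwsh.exe")
    results = [score_event(e) for e in events if e.get("image", "").lower() in shells]
    return sorted((r for r in results if r["suspicious"]), key=lambda r: -r["score"])


# Constructed sample telemetry; the encoded payload is a harmless Write-Host.
HARMLESS_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
EVENTS = [
    {"ts": "2024-06-19T02:00:01Z", "user": "SYSTEM", "parent": "svchost.exe",
     "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"ts": "2024-06-19T14:12:40Z", "user": r"CORP\jdoe", "parent": "WindowsTerminal.exe",
     "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {HARMLESS_ENC}"},
    {"ts": "2024-06-19T14:15:03Z", "user": r"CORP\asmith", "parent": "cmd.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"$p='Write-'+'Host'; iex ($p+' hi')\""},
    {"ts": "2024-06-19T14:16:00Z", "user": r"CORP\asmith", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for r in scan(EVENTS):
        print(r["ts"], r["user"], r["parent"], r["score"], r["hits"], repr(r["decoded"]))
```

The scheduled backup scores on one indicator and stays below the threshold, which is the point of weighting rather than alerting on any single switch; the two interactive one-liners cross it. Decoding the -EncodedCommand argument before scoring matters because the obfuscation the note describes usually sits inside that blob, not on the visible command line.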

2024-06-20

Eclypsium Researchers Detail Phoenix UEFIcanhazbufferoverflow Vulnerability

Researchers from Eclypsium have published a report detailing a vulnerability in Phoenix SecureCore UEFI firmware. The vulnerability, dubbed UEFIcanhazbufferoverflow, was disclosed to Phoenix earlier this year and mitigations were released in April. 'The issue involves an unsafe variable in the Trusted Platform Module (TPM) configuration that could lead to a buffer overflow and potential malicious code execution.'

Editor's Note

CVE-2024-0672 has a CVSS score of 7.5, putting it on your radar. The good news is updates are available to address the flaw; the bad news is that not all of us are prepared to push out BIOS updates centrally without risk of bricking systems. The first thing you need to do is identify which of your systems have the vulnerable firmware. Your endpoint tools should be able to collect this information; if they cannot, add that to your wheelhouse. Then work through your processes to update those devices. In some cases, the OEM software which makes the update will itself need to be on an updated version before a central push will work; in other cases the update will not complete without user interaction. Test your use cases to come up with your optimal plan. With the increased security requirements for UEFI and Secure Boot, the need to actively maintain firmware is becoming critical.

Lee Neely

2024-06-18

VMware vCenter Server Vulnerabilities

Patches are available for three vulnerabilities in VMware vCenter Server. Two of the vulnerabilities are critical, the other is rated important. Both critical flaws are described as 'heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol,' and could be exploited to attain remote code execution through specially-crafted network packets. Users are urged to install updates to mitigate the vulnerabilities. Note that updates are available for versions 8.0 and 7.0.

Editor's Note

CVE-2024-37079 and CVE-2024-37080 both have CVSS scores of 9.8, and installing the patch will not affect running workloads; it just results in a brief disconnect of the vCenter client. If you're running vSphere 6.5 or 6.7, there is no patch; it's EOL, you need to update. If you're running 7.0 U3q with custom ciphers, you need to read the KB article on how the update impacts you, then work through it.

Lee Neely

Internet Storm Center Tech Corner