Cisco has published a list of its products that it says contain the RegreSSHion vulnerability (CVE-2024-6387). The list includes 42 products confirmed to be vulnerable; an additional 51 products are still being investigated. The remote code execution vulnerability, discovered by Qualys researchers, affects the OpenSSH server (sshd) on glibc-based Linux systems.
In case you missed it, RegreSSHion affects most currently-in-use versions of SSH. While not easy to exploit, you should look in particular at devices like routers and switches if updates are available.
The list identifies both affected and _NOT_ affected products. Read carefully. Cisco has published Snort rules to detect exploitation and recommends restricting SSH access to trusted hosts only. Other workarounds will be in the product-specific bug references. Keep an eye on their Vulnerable Products list for information about when fixes are available. Given the lack of immediate fixes, get those restrictions on the SSH service in place now.
Cisco is a massive company with multiple product lines built both organically and through acquisition. One of their primary management protocols outside of HTTPS will be SSH. Unfortunately for them, this bug is going to be a hard one for all those business units to locate since it's a specific set of builds that are affected and not all builds. Expect them to take a bit to figure out what's affected and what's not, and based on their EoL/EoS cycles, you'll see several builds back.
Lists of vulnerable products from suppliers are useful only if one has a list of all products one is using.
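Knowing what you run is the first step, and the second is knowing which of it sits in the affected version ranges. The following is an added example (not code from Cisco, Qualys or SANS) that triages SSH identification banners against the ranges in the Qualys advisory: OpenSSH before 4.4p1 (unless patched for CVE-2006-5051/CVE-2008-4109) and 8.5p1 up to but not including 9.8p1, with OpenBSD's native builds reported not vulnerable. Host names and banners are constructed; `fetch_banner` is the only network call and is not used by the offline demo.

```python
"""Triage SSH identification banners against the RegreSSHion (CVE-2024-6387)
affected ranges published by Qualys. Added example: not code from Cisco,
Qualys, or SANS; host names and banners below are constructed."""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Affected ranges from the Qualys advisory: OpenSSH < 4.4p1 (unless patched for
# CVE-2006-5051 / CVE-2008-4109) and 8.5p1 <= version < 9.8p1 (9.8p1 fixes it).
LEGACY_FIXED = (4, 4, 1)
RANGE_START = (8, 5, 1)
RANGE_FIXED = (9, 8, 1)

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """(major, minor, portable level) from a banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3'; None if not OpenSSH.
    The portable level is None for OpenBSD's native builds (no pN suffix)."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, plevel = m.groups()
    return int(major), int(minor), (int(plevel) if plevel is not None else None)


def classify(banner: str) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: 'affected', 'not-affected',
    'not-openssh'. A banner check is triage only: distributions commonly
    backport fixes without changing the version string, so 'affected' means
    'confirm against the vendor advisory', not 'exploitable'."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh", "banner is not OpenSSH; rely on the vendor's advisory"
    major, minor, plevel = v
    if plevel is None:
        return "not-affected", "no pN suffix: OpenBSD native build, reported not vulnerable"
    key = (major, minor, plevel)
    if key < LEGACY_FIXED:
        return "affected", "pre-4.4p1; vulnerable unless patched for CVE-2006-5051"
    if RANGE_START <= key < RANGE_FIXED:
        return "affected", "8.5p1 <= version < 9.8p1; confirm whether the vendor backported the fix"
    return "not-affected", "version outside the affected ranges"


def fetch_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification string (the server sends it first,
    before any key exchange). Network call; not used by the offline demo."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("ascii", errors="replace").strip()


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Hosts whose banner falls in an affected range, as (host, banner, reason),
    sorted by host so the output is stable for ticketing."""
    hits = []
    for host, banner in inventory.items():
        verdict, reason = classify(banner)
        if verdict == "affected":
            hits.append((host, banner, reason))
    return sorted(hits)


# Constructed inventory (built from an asset list plus fetch_banner() in practice).
SAMPLE_INVENTORY = {
    "jump01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "build02": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "bastion": "SSH-2.0-OpenSSH_9.8p1",
    "oldbox": "SSH-2.0-OpenSSH_4.3p2",
    "obsd-fw": "SSH-2.0-OpenSSH_9.7",
    "edge-sw1": "SSH-2.0-Cisco-1.25",
}

if __name__ == "__main__":
    for host, banner, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {banner}  ->  {reason}")
```

Two caveats apply to the output. Devices that do not advertise an OpenSSH banner (the constructed `edge-sw1` above) get no verdict from this check at all; for those, Cisco's product list is the only answer. And a version inside the range is not proof of exposure: Linux distributions routinely ship the fix under the original version number, so the final word is the package changelog or vendor advisory, not the banner.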
Researchers at AhnLab Security Intelligence Center (ASEC) discovered a supply chain attack affecting an unnamed South Korean company's enterprise resource planning (ERP) solution. The vendor's update server was compromised so that, instead of delivering software updates, it infected devices with a backdoor known as Xctdoor.
Attacks against ERP servers have not seen much public coverage. But these systems are huge targets, and are often difficult to patch and secure.
We have seen an uptick in supply chain attacks in the last 18 months. Supply chain attacks are largely carried out by nation states, and provide the opportunity to attack once, exploit many. When successful, this sort of attack is difficult to thwart. While the onus is on vendors to secure their products as part of a standard duty of care, end-users can also play a part by monitoring for signs of data exfiltration.
Here's one a bit harder to detect. The ERP software provider's update server was compromised, allowing the delivery of compromised packages. Load the IOCs from ASEC to make sure you're not included. Make sure that your update processes include validation of packages, ensuring the source and contents are legitimate. Train users to be wary of unsolicited updates through unexpected channels, such as email.
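Validating packages means checking them against something the update server cannot alter. The following is an added example (not the ERP vendor's updater or ASEC's code) of an update client that verifies a package against a manifest it already holds before writing it to disk. The package bytes, artifact name and manifest are constructed; the manifest is assumed to arrive over a separate channel (pinned into the client build, or signed with a key the client already has), because a checksum file served from the compromised server would simply be swapped along with the package.

```python
"""Verify an update package against an out-of-band manifest before installing.
Added example, not the ERP vendor's updater or ASEC's code; names, packages
and the manifest are constructed. Premise: the update server is compromised,
so nothing fetched from it, including a checksum file next to the package,
can be trusted. The manifest is assumed to come from a separate channel."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

# Constructed sample: the legitimate package and a same-size tampered copy,
# as if the server had swapped the payload for a backdoor.
GOOD_PACKAGE = b"ERP-UPDATE\x00version=1.2.3\x00payload=" + b"A" * 64
TAMPERED_PACKAGE = GOOD_PACKAGE[:-64] + b"B" * 64

# Out-of-band manifest. In practice the digest is a fixed string shipped with
# the client; it is computed here only so the sample is self-contained.
MANIFEST: Dict[str, dict] = {
    "erp-update-1.2.3.bin": {
        "size": len(GOOD_PACKAGE),
        "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
    }
}


def verify_package(name: str, data: bytes, manifest: Dict[str, dict]) -> Tuple[bool, str]:
    """Accept only artifacts named in the manifest whose size and SHA-256
    match. Unknown names are refused outright: a compromised server offering
    a 'new' package the manifest does not list gets nothing installed."""
    entry = manifest.get(name)
    if entry is None:
        return False, "not in manifest"
    if len(data) != entry["size"]:
        return False, f"size mismatch: {len(data)} != {entry['size']}"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "sha256 mismatch"
    return True, "ok"


def stage_update(name: str, data: bytes, manifest: Dict[str, dict], dest_dir: str) -> str:
    """Verify, then write the same bytes that were verified (never re-fetch),
    via a temp file and atomic rename so a partial file is never mistaken
    for an installed update. Returns the final path."""
    ok, reason = verify_package(name, data, manifest)
    if not ok:
        raise ValueError(f"refusing {name}: {reason}")
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".staging-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        final = os.path.join(dest_dir, name)
        os.replace(tmp, final)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("staged:", stage_update("erp-update-1.2.3.bin", GOOD_PACKAGE, MANIFEST, d))
        for pkg in (TAMPERED_PACKAGE, GOOD_PACKAGE[:-1]):
            try:
                stage_update("erp-update-1.2.3.bin", pkg, MANIFEST, d)
            except ValueError as e:
                print("rejected:", e)
```

A pinned digest is the minimum; a production updater should verify a signature over the manifest with a key that is not hosted on the update server, so that new releases can be published without shipping a new client. The point the example makes is the same either way: the decision to install is taken on bytes already in hand and against trust material the server never controlled.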
The UK government's Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) has published a document offering guidance on securing operational technology (OT) and industrial control system (ICS) hardware. The guide, Considerations for Cyber Incident Response Planning within Industrial Control Systems/Operational Technology, includes a list of Indicators of Good Practice (IGPs).
The NCSC lays out best practice guidelines for incident response, but don't ignore segmentation! If you have operational technology of any kind, do all you can to keep it separate from IT networks. Your preferences should be, in order: 1) true air gap, 2) data diode for telemetry out only, and 3) highly secure network segment. If you have a valid business requirement for the third option, put all the preventive and detective controls you have to work!
This 20-page guide is a quick read and a good reference to prepare for ICS/OT incidents. These systems continue to be targets and you may as well stack the deck in your favor. Make sure that you have an ICS/OT specific response plan and play book, remember that in these systems availability and integrity are key, versus confidentiality in traditional IT systems, which calls for a different approach.
While it is useful to have environment specific security guidance, most successful attacks exploit common hygiene failures. Attend to the short list of common essential and efficient measures first.
An international effort led by the UK's National Crime Agency, with support from law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland, and the US, as well as private sector partners, has acted against abuse of Cobalt Strike. Operation Morpheus, as the effort was named, took down hundreds of IP addresses that were being used to host illegal Cobalt Strike instances.
The aim here is to discover and interrupt unlicensed versions of Cobalt Strike. Fortra, current owners of Cobalt Strike, have been working with law enforcement to help identify and remove these instances. That said, gangs are still leveraging older unlicensed/cracked copies which are still able to compromise systems. If you are using Cobalt Strike, make sure that you're using a licensed copy, irrespective of the use.
Kudos to all those involved in this operation. Cobalt Strike is a legitimate tool which is regularly abused by criminals to enable them to launch ransomware attacks. However, by its nature it is difficult to detect it within your environment. This is a very good guide from The DFIR Report on how you can defend against unauthorised use of Cobalt Strike in your environment. (https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/) Remember criminals also abuse other legitimate remote access software, so you should regularly scan for installations of those remote tools and investigate any unauthorised installations.
This is a success for law enforcement. That said, the success is only possible with the support of private sector entities. Individually, they have telemetry and analytic capabilities that can be combined to give law enforcement the upper hand. That's the real gem in this story.
Europol
National Crime Agency
The Record
The Register
Researchers at Avast discovered a cryptographic weakness in the DoNex ransomware's code, which allowed them to create a decryptor. They have been providing the decryptor to the ransomware's victims since March. The decryptor has now been made public.
Remember the NoMoreRansom Project (www.nomoreransom.org) sponsored by Europol contains all known ransomware decryptors.
Make sure that you're looking for public decryptors when faced with ransomware. CISA, the FBI and others like Avast and the No More Ransom Project have made them, as well as supporting tools, available when needed.
Avast
The Register
SC Magazine
Help Net Security
South Africa's National Health Laboratory Service (NHLS) IT systems have been offline following a ransomware attack in late June. As of July 4, NHLS says their laboratories were operational but their ability to provide clinicians with test results digitally has been disrupted.
NHLS provides diagnostic tests for about 80% of South Africans and has an estimated 6.3 million unprocessed blood tests. South Africa is in the midst of several concurrent health crises (mpox, HIV and TB); as such, they are working to prioritize tests and develop alternate result delivery mechanisms while their self-service (WebView) portal remains offline. Take a read of the pivots NHLS is using to deliver services and consider whether these are scenarios you need to incorporate into your BC/DR plans.
We have known for decades that it is impossible for the rogues to know enough about their targets to anticipate all the consequences of their attacks. However, it seems easy to anticipate that attacks against healthcare may put patients at risk of life and limb. Given this, one wonders at the continued special targeting of the healthcare sector.
The Frankfurt University of Applied Sciences shut down some IT systems over the weekend in the wake of a cyberattack. The university's IT systems are not currently externally available, and certain services are unavailable. Similar attacks have occurred at six other German Hochschulen, or universities of applied sciences.
Fortunately the university may have caught a bit of a break being on summer break, so the student impact is minimized. Online courses are still operational, but you cannot enroll online, nor can external calls be completed; even the elevators are offline as their control systems have not been confirmed to be safe. The hard part here will be lessons learned as the university had already taken measures to significantly strengthen their defenses. It's important to note there is no such thing as perfect security, and significant protection can be gained with the fundamentals. Start with authentication, monitoring, patching, segmentation and secure configurations.
Frankfurt University
The Record
California-based Patelco Credit Union is in the process of recovering from a ransomware attack. Patelco confirmed the June 29 attack on Monday, July 1. Customers reported not being able to access their accounts online. According to a July 7 update, Patelco writes that they 'have stabilized our network and begun processing transactions,' but are unable to pinpoint 'an exact date when [they] will be back to business as usual.'
Everyone uses online banking these days. Autopay is one of the most popular services. For the member, it's time to consider splitting accounts with different banking institutions to build resiliency. For the credit union, use this as a learning opportunity, build table-top exercises to test the recovery for all banking services offered. And finally, when the time is right share details on the security incident so that we can all learn.
Patelco has about $9 billion in assets and around 500,000 members. They are working hard to communicate service impacts, both on their web page and in emails to members, promising to process backlogged deposits before withdrawals, and to advocate for members who have credit scores impacted as a result of the incident. Nobody has yet claimed responsibility for this attack. Initial advice amounted to using another FI while things got sorted out, which has been modified to helping members use the reduced services and weather the storm.
Patelco
The Record
Ars Technica
Dark Reading
The Alabama State Department of Education (ALSDE) has acknowledged that it thwarted an attempted ransomware attack against their IT systems in mid-June. While the intruders did not manage to encrypt the department's data, they did compromise data and temporarily disrupt some ALSDE services.
While deemed a success, and it is, there is much that can be learned. For example: What types of defenses were in place? What sort of training did the information system staff have in incident response and ability to restore systems? It's understandable organizations don't want to share this type of information, but the reality is, many organizations can benefit from knowing what works.
ALSDE has decided not to negotiate with the hackers, nor to pay the ransom. Impacted systems have been restored and additional security measures deployed, which speaks highly to their preparedness.
Alabama Achieves
The Record
OpenAI, the company behind ChatGPT, experienced a security breach of their internal messaging systems in early 2023. The intruder stole information about the design of OpenAI's products, but not their AI code. The company disclosed the incident internally in April 2023; they decided not to make the incident public because no personal data were stolen, nor did they consider the breach a threat to national security. They did not inform law enforcement. The incident is now becoming public based on information from two people who provided details on the condition of anonymity.
Required disclosure, meet whistleblowing. While possibly philosophical, it's a good idea to have a plan for how you'd handle this scenario. Disclosure requirements include a measure amounting to having a material impact, but that doesn't mean all involved will agree with that determination. Having a plan ahead of time, including NDAs, event protection requirements and responsible parties, will smooth this path if needed.
OpenSSH RegreSSHion Vulnerability
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
https://isc.sans.edu/diary/SSH+regreSSHion+Remote+Code+Execution+Vulnerability+in+OpenSSH/31046
Overlooked Domain Name Resiliency Issues: Registrar Communications
https://isc.sans.edu/diary/Overlooked+Domain+Name+Resiliency+Issues+Registrar+Communications/31048
Kunai: Keep an Eye on your Linux Hosts Activity
https://isc.sans.edu/diary/Kunai+Keep+an+Eye+on+your+Linux+Hosts+Activity/31054
Decryptor for DoNex Ransomware
https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/
Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve)
Exim Bypass Attachment Inspection
https://bugs.exim.org/show_bug.cgi?id=3099#c4
Toshiba/Sharp Printer vulnerabilities
https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html
https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
Cloudflare 1.1.1.1 incident on June 27th 2024
https://blog.cloudflare.com/cloudflare-1111-incident-on-june-27-2024