SANS NewsBites

Cisco Lists Products Affected by RegreSSHion Vulnerability; ERP Firm Supply Chain Attack; OT/ICS Security Guidance

July 9, 2024  |  Volume XXVI - Issue #52

Top of the News


2024-07-08

Cisco Provides List of Their Products Containing RegreSSHion Vulnerability

Cisco has published a list of its products that it says are affected by the RegreSSHion vulnerability (CVE-2024-6387). The list includes 42 products confirmed to be vulnerable; an additional 51 products are still being investigated. The remote code execution vulnerability, which was discovered by Qualys researchers, affects the OpenSSH server (sshd) on glibc-based Linux systems.

Editor's Note

In case you missed it, RegreSSHion affects most currently in use versions of ssh. While not easy to exploit, you should look in particular at devices like routers and switches if updates are available.

Johannes Ullrich

The list identifies both affected and _NOT_ affected products. Read carefully. Cisco has published Snort rules to detect exploitation and recommends restricting SSH access to trusted hosts only. Other workarounds will be in the product specific bug references. Keep an eye on their Vulnerable Products list for information about when fixes are available. Due to the lack of immediate fixes, you want to get on those restrictions to the SSH service.

Lee Neely

Cisco is a massive company with multiple product lines built both organically and through acquisition. One of their primary management protocols outside of HTTPS will be SSH. Unfortunately for them, this bug is going to be a hard one for all those business units to locate since it's a specific set of builds that are affected and not all builds. Expect them to take a bit to figure out what's affected and what's not, and based on their EoL/EoS cycles, you'll see several builds back.

Moses Frost

Lists of vulnerable products from suppliers are useful only if one has a list of all products one is using.

William Hugh Murray

2024-07-03

South Korean Company's ERP Software Server Targeted in Supply Chain Attack

Researchers at AhnLab Security Intelligence Center (ASEC) discovered a supply chain attack affecting an unnamed South Korean company's enterprise resource planning (ERP) solution. The company's update server was compromised so that, instead of delivering legitimate software updates, it infected devices with backdoor malware known as Xctdoor.

Editor's Note

Attacks against ERP servers have not seen much public coverage. But these systems are huge targets, and are often difficult to patch and secure.

Johannes Ullrich

We have seen an uptick in supply chain attacks in the last 18 months. Supply chain attacks are largely carried out by nation states, and provide the opportunity to attack once, exploit many. When successful, this sort of attack is difficult to thwart. While the onus is on vendors to secure their products as part of a standard duty of care, end-users can also play a part by monitoring for signs of data exfiltration.

Curtis Dukes

Here's one a bit harder to detect. The ERP software provider's update server was compromised, allowing the delivery of compromised packages. Load the IOCs from ASEC to make sure you're not included. Make sure that your update processes include validation of packages, ensuring the source and contents are legitimate. Train users to be wary of unsolicited updates through unexpected channels, such as email.

Lee Neely
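The comment above recommends that update processes validate both the source and the contents of a package before it is installed. The following is an added example, not code from the newsletter, from ASEC or from the affected vendor, of what that check looks like in practice: an allowlist of download hosts for the source, and a manifest of expected SHA-256 digests for the contents. The host name, package name and manifest are constructed for illustration; the digest listed is the SHA-256 of the constructed package bytes. One caveat that the Xctdoor case makes clear: when the vendor's own update server is the thing that was compromised, a host allowlist passes the malicious package, so the manifest has to come from somewhere the attacker could not also alter (for example, a manifest signed with a vendor key that is pinned on the client, which this example assumes has already been verified).

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical vendor download host; a real deployment pins the vendor's actual host.
TRUSTED_HOSTS = {"updates.example-erp.test"}

# Constructed manifest in "<package name> <sha256 hex>" form. The digest is
# sha256(b"foo"), matching the constructed "good" package used in main() below.
# In a real process this manifest is obtained out of band or signature-verified
# before it is trusted; that step is assumed to have happened already.
MANIFEST = """\
# package                 sha256
erp-client-5.2.1.zip 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
"""


def parse_manifest(text):
    """Return {package_name: expected_sha256_hex} from a manifest, skipping comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, digest = line.split()
        expected[name] = digest.lower()
    return expected


def verify_update(url, package_bytes, manifest_text, trusted_hosts=TRUSTED_HOSTS):
    """Validate an update's source (URL) and contents (digest).

    Returns (ok, reason). Every failure is reported rather than raised so the
    caller can log it; nothing is installed unless ok is True.
    """
    parsed = urlparse(url)
    # Source check: only HTTPS and only the vendor's published host.
    if parsed.scheme != "https" or parsed.hostname not in trusted_hosts:
        return False, f"untrusted source: {url}"

    name = parsed.path.rsplit("/", 1)[-1]
    expected = parse_manifest(manifest_text)
    # An unlisted package is treated as hostile, not as "new".
    if name not in expected:
        return False, f"{name} is not listed in the manifest"

    # Contents check: digest of what was actually downloaded, compared in
    # constant time against the manifest entry.
    actual = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"digest mismatch for {name}: got {actual}"
    return True, "ok"


def main():
    good_url = "https://updates.example-erp.test/erp-client-5.2.1.zip"
    good_pkg = b"foo"                      # constructed: matches the manifest digest
    tampered_pkg = b"foo\x00backdoor"      # constructed: same name, altered contents
    for label, url, pkg in [
        ("legitimate package", good_url, good_pkg),
        ("tampered package", good_url, tampered_pkg),
        ("plain-HTTP source", good_url.replace("https://", "http://"), good_pkg),
        ("unknown host", "https://mirror.example/erp-client-5.2.1.zip", good_pkg),
    ]:
        ok, reason = verify_update(url, pkg, MANIFEST)
        print(f"{label:20s} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")


if __name__ == "__main__":
    main()
```

The tampered case is the interesting one: the package name and download location are exactly what the client expects, and only the digest comparison catches it. That is the check a compromised update server defeats unless the manifest is anchored to something the server cannot change.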

2024-07-05

UK Government Guidance for OT/ICS Security

The UK government's Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) has published a document offering guidance on securing operational technology (OT) and industrial control system (ICS) hardware. The guide, Considerations for Cyber Incident Response Planning within Industrial Control Systems/Operational Technology, includes a list of Indicators of Good Practice (IGPs).

Editor's Note

The NCSC lays out best practice guidelines for incident response, but don't ignore segmentation! If you have operational technology of any kind, do all you can to keep it separate from IT networks. Your preferences should be, in order: 1) true air gap, 2) data diode for telemetry out only, and 3) highly secure network segment. If you have a valid business requirement for the third option, put all the preventive and detective controls you have to work!

Christopher Elgee

This 20-page guide is a quick read and a good reference to prepare for ICS/OT incidents. These systems continue to be targets and you may as well stack the deck in your favor. Make sure that you have an ICS/OT specific response plan and playbook. Remember that in these systems availability and integrity are key, versus confidentiality in traditional IT systems, which calls for a different approach.

Lee Neely

While it is useful to have environment specific security guidance, most successful attacks exploit common hygiene failures. Attend to the short list of common essential and efficient measures first.

William Hugh Murray

The Rest of the Week's News


2024-07-04

International Effort Takes Action Against Cobalt Strike Abuse

An international effort led by the UK's National Crime Agency, with support from law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland, and the US, as well as private sector partners, has acted against abuse of Cobalt Strike. Operation Morpheus, as the effort was named, took down hundreds of IP addresses that were being used to host illegal Cobalt Strike instances.

Editor's Note

The aim here is to discover and interrupt unlicensed versions of Cobalt Strike. Fortra, current owners of Cobalt Strike, have been working with law enforcement to help identify and remove these instances. That said, gangs are still leveraging older unlicensed/cracked copies which are still able to compromise systems. If you are using Cobalt Strike, make sure that you're using a licensed copy, irrespective of the use.

Lee Neely

Kudos to all those involved in this operation. Cobalt Strike is a legitimate tool which is regularly abused by criminals to enable them to launch ransomware attacks. However, by its nature it is difficult to detect it within your environment. This is a very good guide from The DFIR Report on how you can defend against unauthorised use of Cobalt Strike in your environment: https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/ Remember criminals also abuse other legitimate remote access control software, so you should regularly scan for installations of those remote tools and investigate any unauthorised installations.

Brian Honan

This is a success for law enforcement. That said, the success is only possible with the support of private sector entities. Individually, they have telemetry and analytic capabilities that can be combined to give law enforcement the upper hand. That's the real gem in this story.

Curtis Dukes

2024-07-08

Avast Releases DoNex Ransomware Decryptor

Researchers at Avast discovered a cryptographic weakness in the DoNex ransomware's code, which allowed them to create a decryptor. They have been providing the decryptor to the ransomware's victims since March. The decryptor has now been made public.

Editor's Note

Remember the NoMoreRansom Project (www.nomoreransom.org) sponsored by Europol contains all known ransomware decryptors.

Brian Honan

Make sure that you're looking for public decryptors when faced with ransomware. CISA, the FBI and others like Avast and the No More Ransom Project have made them, as well as supporting tools, available when needed.

Lee Neely

2024-07-08

South Africa's National Health Laboratory Service Suffers Ransomware Attack

South Africa's National Health Laboratory Service (NHLS) IT systems have been offline following a ransomware attack in late June. As of July 4, NHLS says their laboratories were operational but their ability to provide clinicians with test results digitally has been disrupted.

Editor's Note

NHLS provides diagnostic tests for about 80% of South Africans and has an estimated 6.3 million unprocessed blood tests. South Africa is in the midst of several concurrent health crises (mpox, HIV and TB); as such, they are working to prioritize tests and develop alternate result delivery mechanisms as their self-service (WebView) portal remains offline. Take a read of the pivots NHLS is using to deliver services and consider if these are scenarios you need to incorporate into your BC/DR plans.

Lee Neely

We have known for decades that it is impossible for the rogues to know enough about their targets to anticipate all the consequences of their attacks. However, it seems easy to anticipate that attacks against healthcare may put patients at risk of life and limb. Given this, one wonders at the continued special targeting of the healthcare sector.

William Hugh Murray

2024-07-08

German University Suffers Cyberattack

The Frankfurt University of Applied Sciences shut down some IT systems over the weekend in the wake of a cyberattack. The university's IT systems are not currently externally available, and certain services are unavailable. Similar attacks have occurred at six other German Hochschulen, or universities of applied sciences.

Editor's Note

Fortunately the university may have caught a bit of a break being on summer break, so the student impact is minimized. Online courses are still operational, but you cannot enroll online, nor can external calls be completed; even the elevators are offline as their control systems have not been confirmed to be safe. The hard part here will be lessons learned as the university had already taken measures to significantly strengthen their defenses. It's important to note there is no such thing as perfect security, and significant protection can be gained with the fundamentals. Start with authentication, monitoring, patching, segmentation and secure configurations.

Lee Neely

2024-07-07

Patelco Credit Union Recovering from June 29 Ransomware Attack

California-based Patelco Credit Union is in the process of recovering from a ransomware attack. Patelco confirmed the June 29 attack on Monday, July 1. Customers reported not being able to access their accounts online. According to a July 7 update, Patelco writes that they 'have stabilized our network and begun processing transactions,' but are unable to pinpoint 'an exact date when [they] will be back to business as usual.'

Editor's Note

Everyone uses online banking these days. Autopay is one of the most popular services. For the member, it's time to consider splitting accounts with different banking institutions to build resiliency. For the credit union, use this as a learning opportunity, build table-top exercises to test the recovery for all banking services offered. And finally, when the time is right share details on the security incident so that we can all learn.

Curtis Dukes

Patelco has about $9 billion in assets and around 500,000 members. They are working hard to communicate service impacts, both on their web page and in emails to members, promising to process backlogged deposits before withdrawals, and to advocate for members who have credit scores impacted as a result of the incident. Nobody has yet claimed responsibility for this attack. Initial advice amounted to using another FI while things got sorted out, which has been modified to helping members use the reduced services and weather the storm.

Lee Neely

2024-07-05

Alabama Department of Education Says Cyber Intruders Accessed Data

The Alabama State Department of Education (ALSDE) has acknowledged that it thwarted an attempted ransomware attack against their IT systems in mid-June. While the intruders did not manage to encrypt the department's data, they did compromise data and temporarily disrupt some ALSDE services.

Editor's Note

While deemed a success, and it is, there is much that can be learned. For example: What types of defenses were in place? What sort of training did the information system staff have in incident response and ability to restore systems? It's understandable organizations don't want to share this type of information, but the reality is, many organizations can benefit from knowing what works.

Curtis Dukes

ALSDE has decided not to negotiate with the hackers, nor to pay the ransom. Impacted systems have been restored and additional security measures deployed, which speaks highly to their preparedness.

Lee Neely

2024-07-05

OpenAI Breach

OpenAI, the company behind ChatGPT, experienced a security breach of their internal messaging systems in early 2023. The intruder stole information about the design of OpenAI's products, but not their AI code. The company disclosed the incident internally in April 2023; they decided not to make the incident public because no personal data were stolen, nor did they consider the breach a threat to national security. They did not inform law enforcement. The incident is now becoming public based on information from two people who provided details on the condition of anonymity.

Editor's Note

Required disclosure, meet whistleblowing. While possibly philosophical, it's a good idea to have a plan for how you'd handle this scenario. Disclosure requirements include a measure amounting to having a material impact, but that doesn't mean all involved will agree with that determination. Having a plan ahead, including NDA, event protection requirements and responsible parties, will smooth this path if needed.

Lee Neely

Internet Storm Center Tech Corner

OpenSSH RegreSSHion Vulnerability

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

https://isc.sans.edu/diary/SSH+regreSSHion+Remote+Code+Execution+Vulnerability+in+OpenSSH/31046

Overlooked Domain Name Resiliency Issues: Registrar Communications

https://isc.sans.edu/diary/Overlooked+Domain+Name+Resiliency+Issues+Registrar+Communications/31048

Kunai: Keep an Eye on your Linux Hosts Activity

https://isc.sans.edu/diary/Kunai+Keep+an+Eye+on+your+Linux+Hosts+Activity/31054

Decryptor for DoNex Ransomware

https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/

ShellTorch Explained: Multiple Vulnerabilities in PyTorch Model Server (TorchServe)

https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabilities-in-pytorch-model-server

Exim Bypass Attachment Inspection

https://bugs.exim.org/show_bug.cgi?id=3099#c4

Toshiba/Sharp Printer vulnerabilities

https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html

https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html

Cloudflare 1.1.1.1 incident on June 27th 2024

https://blog.cloudflare.com/cloudflare-1111-incident-on-june-27-2024