Microsoft Patch Tuesday; 8Base Ransomware Suspects Arrested; Salt Typhoon Exploited Cisco Devices

This update includes yet another patch for LDAP. Given the central role of LDAP and AD to Windows security, consider if these systems are well protected and patched.

Johannes Ullrich

What is interesting in this patch Tuesday may not be the exploited vulnerabilities that exist, but the ones that are also patched and not fully understood. A potentially wormable LDAP vulnerability provides us Remote Code Execution; I'm not sure, given how many protections are in the modern Windows landscape, how 'wormable' it is. The other one is a vulnerability in the DHCP Client, and yes, given that you need to be in the middle of the conversation, the complexity is high. Yet, it's a broadcast protocol, and those are highly useful for attackers. There are no details yet on any of these to work off of.

Moses Frost

If I'm tracking, this is the ninth elevation of privilege vulnerability (CVE-2025-21418) in Winsock since 2022; a prior variant, CVE-2024-38193, was leveraged by the Lazarus group last year to implant the FudModule rootkit. To be honest, with the breadth and number of fixes in the updates these days, you should have your systems categorized such that in the majority you can deploy the update without analysis, saving that for higher impact systems. The cycle time to reverse engineer patches to develop viable exploits continues to shrink; don't be caught in analysis paralysis.

Lee Neely

A win for the good guys. Cybercriminals now must factor in where they travel with their ill-gotten gains. Soon it will be just a few countries that offer a safe haven from which to operate. This may be one of the better deterrents that law enforcement has Ð mutual extradition treaties.

Curtis Dukes

Effective takedowns now require multi-national law enforcement efforts. Back in November 2023, an analysis of the 8Base ransomware found that it shared nearly 90% of its code with a Phobos sample from 2019, which indicates a connection, but it's not clear how much this takedown affects Phobos operations.

Lee Neely

The risk of cybercrime continues to escalate but is not yet sufficient to deter.

William Hugh Murray

There are a lot of Cisco Routers with real Cisco IOS at many collocations, and it makes you wonder how many of them have their control planes locked down and how many of them allow access. I bet there are tons of Telnet-enabled routers on the internet still. It makes for good headlines for major manufacturers to be in the news like this; however, how much of this falls onto the network engineers to maintain? This is a reasonably tricky problem to solve as it will require much effort. Secure every potential router on the internet. There are many of them.

Moses Frost

The two key phrases in the report are: "compiled a list of target devices" and "Unpatched public-facing appliances serve as direct entry points" For the first, it's clear that a nation-state was behind the attack, and this will be a skill set increasingly in demand by cybercriminals. For the second, for companies as large as those compromised not to patch internet facing devices demonstrates a failure in the standard duty of care requirement. They shouldn't get a pass simply because the attack originated from a nation-state.

Curtis Dukes

Regaining trust in these systems will be both difficult and expensive. Simply patching the initial vulnerability is not sufficient. Satisfying ourselves that we have eliminated any corruption from a system with poor content control is rather like trying to prove a negative. Tripwire on top of Tripwire.

William Hugh Murray

The targets were unpatched devices, in this case Cisco network devices. Internet-facing appliances are at the top of the list for threat actors. A takeaway should be active updates to your network devices, particularly any that are internet facing, or connected. If you're getting pushback about outages needed for updates, it's a good time to make the argument for HA/failover devices, or defined outage/maintenance windows. Make sure that you're actively monitoring for malfeasance, to include scanning for IoCs.

Lee Neely

Kudos to Ivanti for rolling out updates before these are actively exploited. Ivanti seems to not only be getting their arms around the updates for their increased product lines, but also incorporating input from their vulnerability discovery program. There are no workarounds for these flaws, you need to push out the updates. Make sure that your web console is available only to verified/trusted hosts. Note the Ivanti Neurons (N-MDM) service is cloud hosted and was updated January 17th.

Lee Neely

The cost of hiring includes that of a face-to-face meeting.

William Hugh Murray

The scam involves getting stolen identities for workers, so they appear to be legitimate citizens which are hired through third-party staffing agencies or temporary contracting agencies. The employers sent laptops to her house, which were then used remotely from China, Laos, Russia, etc. She then funneled their paychecks through her company, effectively laundering them. While this worked in public sector, a few attempted government agency hires failed due to their identity verification process. As easy as it is to hire remote staff, never meeting them in-person, you need to leverage both strong background checks as well as modern identity validation systems which not only include aliveness checks but also validation of government ID against authoritative services. Make sure you detect remote workstations being used remotely themselves, or VDP offerings being accessed from unexpected locations. Next, talk to Finance/HR about how they would detect a paycheck "laundering" scheme such as this; this is a defense in depth.

Lee Neely

This is criminal intent from the get-go, and she should be held accountable to the full extent of the law. My question, did she come up with scheme on her own or was she coached by someone else?

Curtis Dukes

This story is fascinating, and I have many questions. What dictates a farm? Did she have 10 laptops, or 20 or 100? How did this entire scam work? How did she get involved? Why October 2020? Because the person was out of work, or was it just the opportunity? I am curious. Can someone do a deep dive into this? It's fascinating.

Moses Frost

This large tribe has 44,000+ members and pays for many of its services through their ownership of the five Kewadin Casinos, which have halted gaming operations. The communication from the Tribe explains their current state and also lists not only contacts for each of their affected services, but also general numbers when all else fails. They hope to resolve the outage, which started February 9th, within a week, but are prepared to take longer. Many businesses are operating on a cash-only basis, gas is not available, their hotels are open for current guests, but new guests cannot check-in, while other services are operating on an in-person only basis. Watch their Facebook page for updates and information.

Lee Neely

The miscreants no longer even bother to deny that they target healthcare.

William Hugh Murray

How is your firmware update capability? With increased security capabilities in firmware such as UEFI and flaws that not only include allowing boots of malicious OS components but also deployment of falsified firmware, we all need to be able to reliably update. That said, this is a non-trivial function as you can wind up bricking systems if you're not careful. Gone are the days of moving a jumper or dip switch to allow updates, which also means that malware can do an update for you. Don't panic, and don't kick this can down the road, help your IT team get this function operational.

Lee Neely

Will we see some nice Nvidia software impacting AI at some point? Makes me wonder how many 'cross-platform' issues between hardware and AI systems we may see in the future.

Moses Frost

Buffer overflows were declared as "unforgivable vulnerabilities" over 20 years ago, back when worms were continually exploiting them in Microsoft Windows to crash systems. Businesses that sell food or meals that contain the "unforgiveable" E. Coli virus can and have been sued for compensation. While the CISA advice is solid, we are past the point where forgiving the unforgivable will lead to any progress. Real financial pain has to be attached to failures in this area.

John Pescatore

I'm watching what the guidance from CISA is. I'm just sitting back and analyzing the situation mostly, because much of the guidance is pushed together from sources that have been around for more than 10 or 15 years. We know this information, we know what the problem and the solution is. The question now is, what is different, and will it work?

Moses Frost

This is one in the series of publications that will be released to help mitigate "unforgivable defects." You're going to want to watch for these, looking for ways to improve your processes. Mitigations for buffer overflows include using memory safe languages where feasible (they acknowledge this is significant and not always achievable), using compiler flags which implement protections against buffer overflows, running both instrumented unit tests and adversarial product testing, providing guidance to developers for best practices, and conducting root cause analysis of past vulnerabilities, incorporating findings into those practices.

Lee Neely

Protecting procedures from contamination by their data inputs is fundamental. That we do not have tools and processes in place to resist this vulnerability has proven to be very expensive. Teach this lesson to every apprentice. It is a qualification for journeyman.

William Hugh Murray

GAO could have easily "dusted off" a previous report for a given industry sector, changed a few things (i.e., system names, accountable government organization, etc.) and issued this report. The cyberthreats and IT vulnerabilities are likely the same, and the government responsibility is likely the same. What seems to be missing is documented actions in response to GAO findings. Rinse and repeat.

Curtis Dukes

The Coast Guard did create a strategy to address MTS issues in 2021, but neglected to include the risks, vulnerabilities and key milestones to measure progress against. The problem was further exacerbated by open staffing positions needed for improvements to be implemented. Make sure that your strategy includes these components, to include the hard conversation about resources truly needed to be successful, which may lead you to conversations at a very high level for either resolution or risk acceptance.

Lee Neely

Not everything that is free is bait. However, enough bait is free to make one suspicious of things that are.

William Hugh Murray

This report proves the adage; nothing comes for free. You always have to give something in return to get something else. In this case, browser cookies in return for the game.

Curtis Dukes