SANS NewsBites

Spanish Telecom Breached; UN Aviation Recruitment Data Stolen; Slovakian Land Agency Struggling After Cyberattack

January 14, 2025  |  Volume XXVII - Issue #4

Top of the News


2025-01-14

Telefónica Discloses Breach

Spanish multinational telecommunications firm Telefónica has disclosed a breach of their internal ticketing system. The disclosure was made following the appearance of information from Telefónica’s Jira database on a hacking forum. The system was reportedly breached using stolen employee credentials; Telefónica has reset passwords on affected accounts.

Editor's Note

In today's threat environment, implementing Multi-Factor Authentication (MFA) is now table stakes for all systems, but in particular sensitive systems, whether they are internal or external-facing. MFA should now be viewed in the same regard as seat belts in a car, and those that don't use MFA viewed in the same way as those who don't wear seat belts.

Brian Honan

Strong authentication, multi-factor and resistant to fraudulent reuse, is both essential and efficient. Well-chosen and implemented, it is more convenient than so-called strong passwords, whose convenience goes down as their strength goes up.

William Hugh Murray

The breach resulted in exfiltration of about 2.3GB of documents, tickets and data. Make sure you're tied into credential breach notification for proactive password changing, or better still, move away from reusable passwords. As this internal Jira system was breached with compromised credentials, I would ask what other controls should have been in place to prevent external access to an internal system.

Lee Neely

Credential harvesting has been on the rise over the last couple years. It is perhaps the easiest means for an evildoer to access an organization and compromise. Multi-factor authentication (MFA) has proven to be effective in mitigating loss of passwords. It’s a best practice as part of Implementation Group 1 of the CIS Critical Security Controls.

Curtis Dukes

2025-01-13

UN Aviation Agency Data Breach

The United Nations’ (UN’s) International Civil Aviation Organization (ICAO) has acknowledged that a data breach compromised more than 42,000 recruitment-related documents. ICAO has determined that the incident affects 11,929 people who applied to the agency between April 2016 and July 2024; compromised data include names, dates of birth, email addresses, and employment history.

Editor's Note

The ICAO statement that the breach does not affect the security of air traffic is solely based on the compromised system not being connected to any aviation systems. However, this does not consider whether the stolen data could be used to disrupt air traffic in the future. It is also unclear if this was a targeted attack or if ICAO just got caught in a threat actor vacuuming up data spilled by careless employment application systems, regardless of where the data originated.

Johannes Ullrich

While the compromise is unfortunate, it would be helpful to understand what “…additional security measures [were implemented] to protect its systems from future attacks.” This way we all learn and can offer better protection against cyber-attacks.

Curtis Dukes

Deciding whether one is a likely target of choice is fundamental to choosing one's risk tolerance and security policy. Most large enterprises should assume that they are targets of choice for so-called APTs and that they must be prepared to resist resourceful and persistent attacks.

William Hugh Murray

This appears to be work of the Natohub threat actor, who is claiming to have released the information. ICAO is reaching out to the affected individuals directly. While it is common to have resume/CV data online, during an application or background check additional sensitive data is combined with that information, and as an individual you should be prepared in case that data gets compromised. As an employer, make sure you have contingency plans for the compromise of these systems, which are often outsourced these days, to include notification, ID monitoring/restoration for individuals as well as having your responsibilities and liabilities clearly defined. Include your legal team.

Lee Neely

2025-01-10

Slovakian Land Registry Suffers Cyberattack

The Office of Geodesy, Cartography and Cadastre of the Slovak Republic (UGKK), the country’s land registry, suffered a cyberattack last week. The agency’s system has been temporarily removed from the internet while restoration is underway; it is not clear how long the recovery will take. Some reports indicate that a ransom demand has been made; government officials say the agency’s data are backed up. According to Pavlina Pavlova, a cyber policy expert from Slovakia and New America Fellow, “the real estate and mortgage markets are paralyzed, property transactions are stalled, purchases delayed, and some connected public services, such as issuing parking permits in Bratislava, are rendered inaccessible.”

Editor's Note

One question executive management might well ask is "what is the expected mean time to recovery from a ransomware attack?" The answer to the question would be useful in choosing between prevention and recovery.

William Hugh Murray

This appears to be another politically motivated attack; in this case indications are it came from Ukraine. The bigger concern is how long it will take to restore systems. Make sure that you have a clear understanding of your RTO and RPO, and that both your backups and team are sufficient (training, experience and equipment) to meet these. Be sure you've executed restorations, not just tabletops, which included running dummy transactions. You don't want to figure this out when the chips are down.

Lee Neely

The Rest of the Week's News


2025-01-13

Hackers Who Breached US Treasury Systems Accessed Committee on Foreign Investment in the US Office

When Chinese state-sponsored cyberthreat actors breached the US Treasury Department’s network in December, their targets included the network of the Committee on Foreign Investment in the US (CFIUS). CFIUS routinely investigates foreign investments in businesses and real estate transactions to determine whether they pose national security risks. Late last year, a new rule “significantly expand[ed CFIUS’s] ability to review certain real estate transactions by foreign persons near more than 60 military bases and installations across 30 states.”

Editor's Note

The security of any government systems, even those not essential to national security, may be essential to public trust and confidence and should be managed accordingly.

William Hugh Murray

There is no shortage of political wrangling around foreign investment and control of US companies and assets, which will drive a lot of high level conversations about what is behind the attack. There was also a similarly motivated attack targeting the Office of Foreign Assets Control (OFAC). The trick will be focusing on remediation and prevention of recurrence. The Treasury compromise leveraged an API key for the BeyondTrust remote support agent as well as a corresponding zero-day. Have you considered the risks of any remote support/assistance agents you have on systems, to include factoring in not only working from home but also changes relating to a zero-trust environment? Check in on that ubiquitous MFA implementation as well as your monitoring and response capabilities. Compare what information you're capturing against OMB's M-21-31 logging levels for possible gaps.

Lee Neely

2025-01-10

Microsoft Files Complaint Alleging Defendants are Operating an Azure Abuse Network

Microsoft has filed a complaint in US District Court in Virginia, seeking “to disrupt cybercriminals who intentionally develop tools specifically designed to bypass the safety guardrails of generative AI services, including Microsoft’s, to create offensive and harmful content.” The December 19, 2024, complaint alleges that the unnamed individuals violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act, as well as Virginia state laws.

Editor's Note

Given the focus on the potential for misuse and abuse of AI, one is left to wonder if the potential increase in productivity will be sufficient to justify its use.

William Hugh Murray

The actors appear to have used API keys obtained from code repositories to access the Microsoft AI services. Microsoft provides guidance to not include these in code repositories, and states that this advice is regularly ignored. Make sure that you're not including these in your code repositories. When discovered, have required procedures to not only purge them but also update these keys.

Lee Neely
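The check a practitioner would want here is one that refuses a commit before the key ever reaches the repository. The script below is an added example (it is not Microsoft's tooling and is not code from the complaint or from the editors): it scans only the lines a diff adds, matches two publicly documented key shapes (AWS access key IDs and GitHub personal access tokens) plus a generic "api_key = ..." assignment, and uses Shannon entropy to ignore placeholders such as CHANGEME while still flagging random-looking values. The pattern list and the 3.5-bit threshold are assumptions to tune for your own providers; the sample diff is constructed and contains no live credentials.

```python
import math
import re
from collections import Counter

# Regexes for a few well-known credential shapes plus a generic "key = value"
# assignment. The first two formats are publicly documented; the list is an
# illustrative starting point (assumption), not a complete catalogue.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders score low, real keys high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff: str, entropy_threshold: float = 3.5):
    """Scan only the lines a commit adds (leading '+', skipping the '+++' header)
    and return (diff_line_number, pattern_name, matched_value) triples."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for name, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(content):
                value = m.group(m.lastindex or 0)
                # Generic assignments also match placeholders such as CHANGEME;
                # require high entropy so only real-looking secrets are reported.
                if name == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((lineno, name, value))
    return findings


# Constructed sample diff (not real credentials): a placeholder, AWS's published
# example access key ID, and a random-looking key that should be flagged.
SAMPLE_DIFF = """\
+++ b/config.py
+AZURE_API_KEY = "CHANGEME_CHANGEME_CHANGEME"
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+api_key = "x9Qp2LmZ7vT4bN1sR8wK3jH6yU0cF5dA"
+DEBUG = True
"""

if __name__ == "__main__":
    for lineno, name, value in scan_diff(SAMPLE_DIFF):
        print(f"diff line {lineno}: {name}: {value[:6]}...")
```

Wired into a pre-commit hook (feed it `git diff --cached` and exit non-zero on any finding), this catches the commit; it does not replace rotating a key that has already been pushed, because the history still holds it.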

2025-01-10

Phony LDAP Proof-of-Concept is Being Used to Deploy Infostealer

Researchers from TrendMicro have detected a fake proof-of-concept (PoC) exploit for a known vulnerability in Windows Lightweight Directory Access Protocol (LDAP) that is being used to install an infostealer. The code is being hosted on GitHub. The high-severity out-of-bounds read vulnerability (CVE-2024-49113) could be exploited to create denial-of-service conditions. Microsoft addressed the vulnerability in their December Patch Tuesday security release.

Editor's Note

There are two issues. First, CVE-2024-49113, an LDAP denial-of-service flaw with a CVSS score of 7.5, needs to be patched. Second, the fake PoC exploit for CVE-2024-49113, dubbed LDAPNightmare, installs an infostealer on your system. Address the LDAP flaw by rolling the December 2024 patch bundle, which also addresses CVE-2024-49112, a remote code execution flaw. Next, get the IOCs from the TrendMicro blog post to check for LDAPNightmare activity. Make sure your exploit PoC researchers are using reputable/validated sources as well as sufficiently isolated environments. Consider not only reviewing the PoC code but also uploading binaries to VirusTotal before executing.

Lee Neely

2025-01-13

Aviatrix Controller Vulnerability

A critical OS command injection vulnerability in Aviatrix Controller is being actively exploited, according to researchers at Wiz. The vulnerability (CVE-2024-50603) “allows unauthenticated attackers to execute arbitrary commands on the system remotely.” Aviatrix recommends that users “install security patch CVE-2024-50603 - Critical Vulnerability Security Patch or update the Controller to either 7.1.4191 or 7.2.4996. Additionally, Aviatrix recommends following the Controller IP Access guidance and ensuring that the controller does not have port 443 exposed to the Internet.”

Editor's Note

CVE-2024-50603, improper handling of user parameters, has a CVSS score of 10.0. When the Aviatrix Controller is deployed to AWS, it allows privilege escalation by default. You need to take three steps here. First, upgrade to the latest version; second, restrict access to the controller regardless of how implemented; and lastly, forensicate your environment looking for the IOCs in the Wiz blog.

Lee Neely

Given that exploit code has existed for a week and that the controller operates with elevated privileges, this is a must-patch-immediately.

Curtis Dukes

2025-01-13

Card Skimmer Malware Targets WordPress Sites

Researchers at Sucuri have identified payment card skimming malware that is being used to target WordPress websites by injecting JavaScript code into database tables. Sucuri writes that “the malicious code was embedded in the WordPress database under the wp_options table,” which allows it to evade detection by file-scanning tools and to maintain persistence on compromised sites.

Editor's Note

This is a database compromise, where malicious code is injected into the wp_options table, which isn't where you're normally looking for issues. Beyond looking for the IoC in the table, make sure you've got an active/enabled WAF, are actively keeping plugins updated, enforcing MFA on your WordPress accounts, and lastly (this is the hard one), remove and replace deprecated/abandoned/no-longer-supported plugins.

Lee Neely
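Because the skimmer lives in wp_options rather than in a file, a file-integrity scanner never sees it; the place to look is the option values themselves. The script below is an added example (not Sucuri's code and not a published indicator): it runs over rows shaped like wp_options, flags values containing script tags or the obfuscation calls skimmers rely on (eval, atob, fromCharCode), and decodes long base64 runs to see whether JavaScript is hiding inside. The equivalent first-pass SQL is included as a string for running against the live database; it assumes the default wp_ table prefix. The sample rows are constructed, and the base64 "payload" in row 3 is built at runtime from a harmless string.

```python
import base64
import binascii
import re

# Markers that should not appear in ordinary WordPress option values.
JS_MARKERS = ("<script", "eval(", "atob(", "fromcharcode", "unescape(", "document.write(")
# Long base64 runs often hide the real loader; decode and look inside.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
DECODED_MARKERS = ("document", "script", "eval", "fetch(", "xmlhttprequest", "location")

# Equivalent first-pass query to run against the live database (assumes the
# default wp_ table prefix; adjust if your install uses another).
WP_OPTIONS_QUERY = """
SELECT option_id, option_name
FROM wp_options
WHERE option_value LIKE '%<script%'
   OR option_value LIKE '%eval(%'
   OR option_value LIKE '%atob(%'
   OR option_value LIKE '%fromCharCode%';
"""


def decoded_js_payloads(value: str) -> list:
    """Return base64 substrings of value that decode to printable text
    containing JavaScript-looking keywords."""
    hits = []
    for token in B64_TOKEN.findall(value):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip
        if text.isprintable() and any(m in text.lower() for m in DECODED_MARKERS):
            hits.append(text)
    return hits


def scan_options(rows):
    """rows: iterable of (option_id, option_name, option_value).
    Returns (option_id, option_name, [reasons]) for every suspicious row."""
    findings = []
    for option_id, name, value in rows:
        lowered = value.lower()
        reasons = [m for m in JS_MARKERS if m in lowered]
        reasons += [f"base64 decodes to JS: {p}" for p in decoded_js_payloads(value)]
        if reasons:
            findings.append((option_id, name, reasons))
    return findings


# Constructed sample rows shaped like wp_options; row 3 mimics an injected
# loader that hides its payload in base64 (payload built here, not a real IOC).
_LOADER_B64 = base64.b64encode(b'document.createElement("div")').decode()
SAMPLE_WP_OPTIONS = [
    (1, "siteurl", "https://shop.example"),
    (2, "widget_block", "<p>Free shipping over $50</p>"),
    (3, "widget_custom_html",
     '<script>document.addEventListener("DOMContentLoaded",function(){'
     f'var c=atob("{_LOADER_B64}");eval(c);}});</script>'),
    (4, "theme_mods_storefront", 'a:1:{s:5:"color";s:7:"#112233";}'),
]

if __name__ == "__main__":
    for option_id, name, reasons in scan_options(SAMPLE_WP_OPTIONS):
        print(option_id, name, reasons)
```

Some legitimate plugins do store inline JavaScript in options, so treat a hit as a lead to review rather than proof of compromise; the base64 decoding step is what separates an obfuscated loader from an ordinary custom-HTML widget.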

It is time to ask whether the vulnerability of WordPress is simply implementation-induced or fundamental; whether the risk of its use can be managed to an acceptable level, or whether it is a bad choice.

William Hugh Murray

2025-01-14

CISA Adds Another BeyondTrust Vulnerability to KEV

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a second BeyondTrust vulnerability to their Known Exploited Vulnerabilities (KEV) catalog. The medium-severity OS command injection vulnerability (CVE-2024-12686), which affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products, was initially disclosed in December 2024. US Federal Civilian Executive Branch (FCEB) agencies have until February 3, 2025 to mitigate the issue. CISA added another BeyondTrust vulnerability to the KEV catalog in mid-December.

Editor's Note

BeyondTrust applied a patch to all their cloud hosted RS/PRA customers on December 16th. On-premises RS/PRA environments need to apply the patch, which fixes all versions 22.1.x and higher. If you're running versions older than 22.1, you'll need to upgrade before you'll be able to apply the patch.

Lee Neely

Internet Storm Center Tech Corner

SANS ISC Stormcast, Jan 14, 2025

This episode covers brute-force attacks on the password reset functionality of Hikvision devices, a macOS SIP bypass vulnerability, Linux rootkit malware, and a novel ransomware campaign targeting AWS S3 buckets.

https://isc.sans.edu/podcastdetail/9278

Hikvision Password Reset Brute Forcing

Hikvision devices are being targeted using old brute-force attacks exploiting predictable password reset codes.

https://isc.sans.edu/diary/Hikvision+Password+Reset+Brute+Forcing/31586

Analyzing CVE-2024-44243: A macOS System Integrity Protection Bypass

Microsoft details a macOS vulnerability allowing attackers to bypass SIP using kernel extensions.

https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/

Rootkit Malware Controls Linux Systems Remotely

A sophisticated rootkit targeting Linux systems uses zero-day vulnerabilities for remote control.

https://cybersecuritynews.com/rootkit-malware-controls-linux-systems-remotely/

Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C

Attackers are using AWS’s SSE-C encryption to lock S3 buckets during ransomware campaigns. We cover how the attack works and how to protect your AWS environment.

https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
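The SSE-C technique works because S3 will happily encrypt an object with a key the caller supplies and never stores, so the one control that removes the capability outright is a bucket policy that denies any PutObject carrying the SSE-C algorithm header. The code below is an added example, not from the Halcyon post or the ISC episode: it builds that policy and includes a small evaluator of the Null condition so the deny can be unit-tested before it is deployed. The condition key name follows the AWS S3 condition-key documentation; the evaluator models only this one statement shape and is an assumption, not the IAM policy engine, and the bucket name is made up.

```python
import json


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy that refuses any PutObject carrying an SSE-C algorithm header.
    Condition key name follows the AWS S3 condition-key documentation (assumption:
    verify against current docs before deploying)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedEncryptionKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Null=false means "the key IS present", i.e. SSE-C was requested.
                "Condition": {
                    "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
                },
            }
        ],
    }


def sse_c_put_denied(policy: dict, request_headers: dict) -> bool:
    """Toy evaluator (assumption, not the IAM engine): does any Deny statement on
    s3:PutObject with the Null condition above match this request?"""
    headers = {k.lower() for k in request_headers}
    sse_c_present = "x-amz-server-side-encryption-customer-algorithm" in headers
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in actions:
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if (null_cond.get("s3:x-amz-server-side-encryption-customer-algorithm") == "false"
                and sse_c_present):
            return True
    return False


def policy_blocks_sse_c(policy: dict) -> bool:
    """Audit helper: would this policy deny an SSE-C upload? Uses a constructed
    probe request carrying only the SSE-C algorithm header."""
    probe = {"x-amz-server-side-encryption-customer-algorithm": "AES256"}
    return sse_c_put_denied(policy, probe)


if __name__ == "__main__":
    policy = deny_sse_c_policy("finance-archive")
    print(json.dumps(policy, indent=2))
    print("SSE-C upload denied:", policy_blocks_sse_c(policy))
```

Apply the generated JSON with `aws s3api put-bucket-policy --bucket finance-archive --policy file://policy.json`. The deny applies to every principal, including your own automation, so confirm nothing legitimate uses SSE-C first; and because the attack runs with stolen credentials, the policy is a complement to rotating keys and enabling versioning, not a substitute.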

SANS ISC Stormcast, Jan 13, 2025

Defender Updates, Ivanti RCE, Apple USB-C Hack and more

https://isc.sans.edu/podcastdetail/9276

Windows Defender Enhances Chrome Extension Detection

Microsoft's Defender now catalogs Chrome extensions to identify malicious ones. Learn how this improves enterprise security.

https://isc.sans.edu/diary/Windows+Defender+Chrome+Extension+Detection/31574

Multi-OLE Analysis in Malicious Documents

A look at how attackers embed OLE files in Office documents to evade detection and the tools to combat it.

https://isc.sans.edu/diary/Multi-OLE/31580

Ivanti Connect Secure RCE Vulnerability (CVE-2025-0282)

Details of a critical vulnerability affecting Ivanti products and the patching timelines.

https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/

Apple USB-C Controller Compromised

Researchers hacked Apple’s ACE3 USB-C controller, highlighting hardware security challenges.

https://cybersecuritynews.com/apples-new-usb-c-controller-hacked/

IRS Pushes for IP PIN Enrollment

Protect yourself from tax-related identity theft by securing your IP PIN for the 2025 tax season.

https://www.irs.gov/newsroom/irs-encourages-all-taxpayers-to-sign-up-for-an-ip-pin-for-the-2025-tax-season