The IT Nerd

On Monday, CISA announced that under its new Ransomware Vulnerability Warning Pilot (RVWP) program it has started scanning critical infrastructure entities’ networks for vulnerabilities to warn and help entities fix the flaws ahead of the bad actors.

As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.

CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

Naveen Sunkavalley, Chief Architect at Horizon3.ai had this to say:

   “CISA’s new program is a necessary and definite step in the right direction to protect critical infrastructure. Many N-day vulnerabilities are now being exploited by threat actors within days of being disclosed. Time is of the essence. The faster organizations are notified of critical vulnerabilities, the faster they can react to avoid compromise.

   “CISA’s program is not a panacea though. Many vulnerabilities are exploited as zero days, and there is often a delay of at least a few days between the time a new vulnerability is disclosed and when CISA adds that vulnerability to its Known Exploited Vulnerabilities catalog. Understanding which vulnerabilities are likely to be exploited and notifying prior to any known exploitation would be valuable.

   “Moreover, exploiting vulnerabilities isn’t the only method ransomware actors have at their disposal. Phishing attacks and leaked credentials are used just as often (for instance with the Colonial Pipeline attack). Organizations need to operate under the mindset that a breach will eventually happen, and critically evaluate their attack surface, both external and internal, against a wide spectrum of possible attacks.”

Dave Ratner, CEO of HYAS follows up with this:

   “We continue to see increasing attacks on all aspects of critical infrastructure and believe that increased visibility and observability into what is happening in real-time inside the environment is critical to rapid identification of these attacks and shutting them down before they expand into major incidents.  

   “Attackers continue to find new and innovative ways to circumvent the perimeter and breach both IT and OT networks; however, given that the malware then needs to beacon out for instructions, visibility into outgoing communication – which domains and what infrastructure is being communicated with and how often — can identify anomalous and nefarious activity inside the network and provide a key layer of protection, if not the “last line of defense”, for all aspects of critical infrastructure.”

This is a good step in terms of fighting threat actors. But it is only a step. This has to be combined with the hard work of those responsible for defending networks against threat actors along with spending money on the tools to effectively fight threat actors. Otherwise the CISA’s work will mean nothing.

The CISA has added two vulnerabilities to its list of actively exploited bugs. Specifically the code injection in the Spring Cloud Gateway library and the command injection flaw in Zyxel firmware for business firewalls and VPN devices. 

Artur Kane, VP of Product for GoodAccess had this to say:

“Zero-day vulnerabilities are inevitable in SW and HW engineering. Sometimes this may be due to a flaw in the design, but often it is a goofy engineer who makes a wrong decision when under pressure to deliver on time. Attackers have loads of time to discover and access vulnerabilities. Then, such intelligence is sold on the dark web, hence it can spread rapidly in the community. Companies should look for such vendors who have a proven record of responding fast to zero-day vulnerabilities by issuing patches fast, who also have sufficient security certifications and standards. IT experts have options to mitigate the risk and impact in their hands too, by having regular vulnerability assessments and patching and updating programs in place. If the organization can’t meet such precautionary practices, they should also consider replacing their technologies with applications delivered as a SaaS, where there’s no self-hosted HW (with firmware) and/or software. Patching is done on the level of the application infrastructure and in most cases, much faster as it is in hands of the vendor. When all these processes fail, as they sometimes do, it is a good practice to implement processes that minimize breach impact (micro segmentations, zero trust access, etc.) and incident response and remedial action plans.”

I would make it part of your security process to check the CISA list of exploited bugs so that you know where to focus your efforts on so that you don’t get caught with your pants down, metaphorically speaking. Also, you should look at SaaS as this takes all the guesswork out of this.

If you use a MSP or Managed Service Provider to assist you in managing your IT infrastructure, or you are a MSP, you should pay attention to this. Members of the Five Eyes (Canada, USA, UK, Australia, New Zealand) today warned that managed service providers (MSPs) and their customers are being increasingly targeted by supply chain attacks. Multiple cybersecurity and law enforcement agencies have shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats. 

Aimei Wei, CTO and Founder of Stellar Cyber had this comment:

“Attackers are more and more targeting organizations that have a cascading effect, and one compromise allows them to gain access to a large number of organizations. Sunburst supply chain attack and now the MSP targeted attacks are some of the examples.” 

“Implementing the measures and recommended by CISA and following their guidance to harden the MSP environment and increase the security posture, will greatly reduce the chances of getting compromised. It is especially critical for MSP to be able to detect the attack early and stop it before it spreads and cause more damages. MSP should consider implementing a detection and response system that:

• Detect early signs and stop it before further progression to minimize the damage
• Show a clear picture of how it happened to conclusively determine that the attack has been contained
• Show how far it has gone and understand the impact to determine the customers that are impacted quickly”

Saumitra Das, CTO and Co-founder of Blue Hexagon adds this comment:

“MSPs are typically given a lot of privileges on their customer networks. They can be a portal for attackers to get into victim networks such as what happened in the Kaseya attack. Organizations that use MSPs should be vigilant about their MSPs’ security posture and assess the risk of what happens if the MSP software is compromised. Convenience often means the MSPs get a lot of privileges for remote maintenance and this convenience can increase the chance of a supply chain attack escalating into a victim network.”

Finally, Christopher Prewitt who is the Chief Technology Officer of MRK Technologies had this to say:

“Managed Service Providers are always under attack. They are often primarily focused on IT operations and service desk related services, and usually do not have a depth of knowledge or capability in cyber security practices. As an attacker, if I can breach and impact an MSP, my impact has an exponential outcome. We continue to see this IT supply chain be targeted through Kaseya and MSP’s.”

This warning is worth reading as it has a lot of recommendations to protect against attacks. Thus I would put aside time to read and implement these recommendations.