Archive for CISA

CISA Adds Zyxel & Spring Cloud Gateway Vulnerabilities To Their List Of Actively Exploited Bugs

Posted in Commentary on May 17, 2022 by itnerd

The CISA has added two vulnerabilities to its list of actively exploited bugs: the code injection in the Spring Cloud Gateway library and the command injection flaw in Zyxel firmware for business firewalls and VPN devices.

Artur Kane, VP of Product for GoodAccess had this to say:

“Zero-day vulnerabilities are inevitable in SW and HW engineering. Sometimes this may be due to a flaw in the design, but often it is a goofy engineer who makes a wrong decision when under pressure to deliver on time. Attackers have loads of time to discover and access vulnerabilities. Then, such intelligence is sold on the dark web, hence it can spread rapidly in the community. Companies should look for such vendors who have a proven record of responding fast to zero-day vulnerabilities by issuing patches fast, who also have sufficient security certifications and standards. IT experts have options to mitigate the risk and impact in their hands too, by having regular vulnerability assessments and patching and updating programs in place. If the organization can’t meet such precautionary practices, they should also consider replacing their technologies with applications delivered as a SaaS, where there’s no self-hosted HW (with firmware) and/or software. Patching is done on the level of the application infrastructure and in most cases, much faster as it is in hands of the vendor. When all these processes fail, as they sometimes do, it is a good practice to implement processes that minimize breach impact (micro segmentations, zero trust access, etc.) and incident response and remedial action plans.”

I would make it part of your security process to check the CISA list of exploited bugs so that you know where to focus your efforts and don’t get caught with your pants down, metaphorically speaking. You should also look at SaaS, as it takes all the guesswork out of this.

The Five Eyes Issues Warning To MSPs And Their Customers

Posted in Commentary on May 12, 2022 by itnerd

If you use an MSP, or Managed Service Provider, to assist you in managing your IT infrastructure, or you are an MSP, you should pay attention to this. Members of the Five Eyes (Canada, USA, UK, Australia, New Zealand) today warned that managed service providers (MSPs) and their customers are being increasingly targeted by supply chain attacks. Multiple cybersecurity and law enforcement agencies have shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats.

Aimei Wei, CTO and Founder of Stellar Cyber had this comment:

“Attackers are more and more targeting organizations that have a cascading effect, where one compromise allows them to gain access to a large number of organizations. The Sunburst supply chain attack and now the MSP-targeted attacks are some of the examples.”

“Implementing the measures recommended by CISA and following their guidance to harden the MSP environment and increase the security posture will greatly reduce the chances of getting compromised. It is especially critical for MSPs to be able to detect an attack early and stop it before it spreads and causes more damage. MSPs should consider implementing a detection and response system that:

  • Detects early signs and stops the attack before further progression to minimize the damage
  • Shows a clear picture of how it happened, to conclusively determine that the attack has been contained
  • Shows how far it has gone and what the impact is, to quickly determine which customers are impacted”

Saumitra Das, CTO and Co-founder of Blue Hexagon adds this comment:

“MSPs are typically given a lot of privileges on their customer networks. They can be a portal for attackers to get into victim networks such as what happened in the Kaseya attack. Organizations that use MSPs should be vigilant about their MSPs’ security posture and assess the risk of what happens if the MSP software is compromised. Convenience often means the MSPs get a lot of privileges for remote maintenance and this convenience can increase the chance of a supply chain attack escalating into a victim network.”

Finally, Christopher Prewitt who is the Chief Technology Officer of MRK Technologies had this to say:

“Managed Service Providers are always under attack. They are often primarily focused on IT operations and service desk related services, and usually do not have a depth of knowledge or capability in cyber security practices. As an attacker, if I can breach and impact an MSP, my impact has an exponential outcome. We continue to see this IT supply chain be targeted through Kaseya and MSPs.”

This warning is worth reading, as it has a lot of recommendations for protecting against these attacks. I would put aside time to read and implement them.

CISA Tells Everyone To Address F5 BIG-IP Vulnerability ASAP

Posted in Commentary on May 12, 2022 by itnerd

The CISA has told federal agencies to fix an actively exploited F5 BIG-IP bug. The bug in question is CVE-2022-1388 which is described as follows:

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.
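An added example, not from the post or from F5, that turns the affected-version ranges quoted above into a triage check for a BIG-IP inventory. The hostnames and versions in the sample inventory are constructed, and the fix thresholds are taken from the description text as written.

```python
# Added example: classify BIG-IP version strings against the CVE-2022-1388
# ranges quoted in the advisory text. Not F5's own code or tooling.
from typing import List, Optional, Tuple

# Per the quoted description: branch -> first fixed version in that branch.
# None means every version of that branch is listed as affected.
FIXED_IN = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
    (12, 1): None,
    (11, 6): None,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.1.2.1' into (16, 1, 2, 1); non-numeric parts raise ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"version too short: {text!r}")
    return parts


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at/after the fix, None if the branch is not listed."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2], "unlisted")
    if fixed == "unlisted":
        return None          # e.g. a 17.x build: not covered by this description
    if fixed is None:
        return True          # whole branch (12.1.x, 11.6.x) is affected
    # Tuple comparison handles short strings: (16, 1, 2) < (16, 1, 2, 2).
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs that are affected, oldest version first."""
    hits = [(host, ver) for host, ver in inventory if is_affected(ver)]
    return sorted(hits, key=lambda hv: parse_version(hv[1]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "16.1.2.1"),   # one patch level below the fix
    ("lb-edge-02", "16.1.2.2"),   # exactly the fixed version
    ("lb-core-01", "14.1.4.6"),   # exactly the fixed version
    ("lb-lab-01", "12.1.3"),      # branch listed as entirely affected
    ("lb-new-01", "17.0.0"),      # branch not mentioned in the description
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected by CVE-2022-1388")
```

A None result should be treated as "check the vendor advisory", not as safe.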

F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers and consumer brands including Microsoft, Oracle and Facebook. This isn’t trivial in the slightest, then, as it affects a lot of big companies, which is why the CISA also said that private companies should address this and the other issues that the CISA brings to light.

I managed to get multiple comments on this, starting with Christopher Prewitt, who is the Chief Technology Officer of MRK Technologies:

“This vulnerability is critical and should be remediated as soon as possible by turning off the iControl REST service. This vulnerability is simple to exploit by an attacker, and with these systems internet connected, many organizations may be at risk of breach.”

Saumitra Das, CTO and Co-founder of Blue Hexagon had this to add:

“This continues the trend of security and access devices also proving to be portals for attackers to get into target networks. We have seen similar issues in 2021 with VPN devices, firewalls, and email gateways. Having MFA on admin logins, and limiting lateral movement from and public exposure of third-party security and networking appliances, is a critical requirement to protect organizations. Be it supply chain related or a new vulnerability, organizations need to minimize blast radius.”

This is something that needs to be addressed ASAP. I would take the CISA’s advice and act on it now, as it’s a safe bet that threat actors are exploiting this at present.