Archive for CISA

CISA to begin scanning for vulnerabilities

Posted in Commentary with tags on March 17, 2023 by itnerd

On Monday, CISA announced that under its new Ransomware Vulnerability Warning Pilot (RVWP) program it has started scanning critical infrastructure entities’ networks for vulnerabilities to warn and help entities fix the flaws ahead of the bad actors.

As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.

CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

Naveen Sunkavalley, Chief Architect at had this to say:

   “CISA’s new program is a necessary and definite step in the right direction to protect critical infrastructure. Many N-day vulnerabilities are now being exploited by threat actors within days of being disclosed. Time is of the essence. The faster organizations are notified of critical vulnerabilities, the faster they can react to avoid compromise.

   “CISA’s program is not a panacea though. Many vulnerabilities are exploited as zero days, and there is often a delay of at least a few days between the time a new vulnerability is disclosed and when CISA adds that vulnerability to its Known Exploited Vulnerabilities catalog. Understanding which vulnerabilities are likely to be exploited and notifying prior to any known exploitation would be valuable.

   “Moreover, exploiting vulnerabilities isn’t the only method ransomware actors have at their disposal. Phishing attacks and leaked credentials are used just as often (for instance with the Colonial Pipeline attack). Organizations need to operate under the mindset that a breach will eventually happen, and critically evaluate their attack surface, both external and internal, against a wide spectrum of possible attacks.”

Dave Ratner, CEO of HYAS follows up with this:

   “We continue to see increasing attacks on all aspects of critical infrastructure and believe that increased visibility and observability into what is happening in real-time inside the environment is critical to rapid identification of these attacks and shutting them down before they expand into major incidents.  

   “Attackers continue to find new and innovative ways to circumvent the perimeter and breach both IT and OT networks; however, given that the malware then needs to beacon out for instructions, visibility into outgoing communication – which domains and what infrastructure is being communicated with and how often — can identify anomalous and nefarious activity inside the network and provide a key layer of protection, if not the “last line of defense”, for all aspects of critical infrastructure.”

This is a good step in terms of fighting threat actors. But it is only a step. This has to be combined with the hard work of those responsible for defending networks against threat actors along with spending money on the tools to effectively fight threat actors. Otherwise the CISA’s work will mean nothing.

Zeppelin Ransomware Advisory Issued By The FBI and CISA

Posted in Commentary with tags , on August 23, 2022 by itnerd

The CISA and FBI have put out an advisory on Zeppelin ransomware that is very much reading. The advisory goes into great detail about how the ransomware works and includes some threat mitigation strategies.

Dr Darren Williams, CEO and Founder of BlackFog has this comment to share:

     “Zeppelin ransomware, a fairly well-known malware strain has been in known use since 2019, often to target a wide range of businesses and critical infrastructure organizations. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.

Zeppelin’s unique attack path is such that the FBI have observed the attackers executing the malware multiple times in the network, leaving a great big sting on the victim, who needs multiple unique decryption keys to combat the attack.

Attacks on hybrid working companies are nothing new, however it is crucial that employees remember they play a part in protecting themselves and the employer, too.

Attacks from vectors such as Zeppelin often start with a simple phishing email – employers must ensure they educate and remind their employees on cyber security best practices, to minimize attack risk. Standard, good cyber hygiene practice is essential here: remembering to regularly change passwords and use MFA as a basic practice. That said, if a threat actor wants to find their way in, they will! What matters is the data they were able to obtain and leave with…

Most cybercriminal gangs aim for extortion – organizations should also consider anti-data exfiltration to block the attacker and prevent data from being exfiltrated.”

I strongly suggest that you read this advisory because if the FBI and the CSI put out an advisory on this, you need to take it seriously.

CISA Adds Zyxel & Spring Cloud Gateway Vulnerabilities To Their List Of Actively Exploited Bugs

Posted in Commentary with tags on May 17, 2022 by itnerd

The CISA has added two vulnerabilities to its list of actively exploited bugs. Specifically the code injection in the Spring Cloud Gateway library and the command injection flaw in Zyxel firmware for business firewalls and VPN devices. 

Artur Kane, VP of Product for GoodAccess had this to say:

“Zero-day vulnerabilities are inevitable in SW and HW engineering. Sometimes this may be due to a flaw in the design, but often it is a goofy engineer who makes a wrong decision when under pressure to deliver on time. Attackers have loads of time to discover and access vulnerabilities. Then, such intelligence is sold on the dark web, hence it can spread rapidly in the community. Companies should look for such vendors who have a proven record of responding fast to zero-day vulnerabilities by issuing patches fast, who also have sufficient security certifications and standards. IT experts have options to mitigate the risk and impact in their hands too, by having regular vulnerability assessments and patching and updating programs in place. If the organization can’t meet such precautionary practices, they should also consider replacing their technologies with applications delivered as a SaaS, where there’s no self-hosted HW (with firmware) and/or software. Patching is done on the level of the application infrastructure and in most cases, much faster as it is in hands of the vendor. When all these processes fail, as they sometimes do, it is a good practice to implement processes that minimize breach impact (micro segmentations, zero trust access, etc.) and incident response and remedial action plans.”

I would make it part of your security process to check the CISA list of exploited bugs so that you know where to focus your efforts on so that you don’t get caught with your pants down, metaphorically speaking. Also, you should look at SaaS as this takes all the guesswork out of this.

The Five Eyes Issues Warning To MSPs And Their Customers

Posted in Commentary with tags on May 12, 2022 by itnerd

If you use a MSP or Managed Service Provider to assist you in managing your IT infrastructure, or you are a MSP, you should pay attention to this. Members of the Five Eyes (Canada, USA, UK, Australia, New Zealand) today warned that managed service providers (MSPs) and their customers are being increasingly targeted by supply chain attacks. Multiple cybersecurity and law enforcement agencies have shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats. 

Aimei Wei, CTO and Founder of Stellar Cyber had this comment:

“Attackers are more and more targeting organizations that have a cascading effect, and one compromise allows them to gain access to a large number of organizations. Sunburst supply chain attack and now the MSP targeted attacks are some of the examples.” 

“Implementing the measures and recommended by CISA and following their guidance to harden the MSP environment and increase the security posture, will greatly reduce the chances of getting compromised. It is especially critical for MSP to be able to detect the attack early and stop it before it spreads and cause more damages. MSP should consider implementing a detection and response system that:

  • Detect early signs and stop it before further progression to minimize the damage
  • Show a clear picture of how it happened to conclusively determine that the attack has been contained
  • Show how far it has gone and understand the impact to determine the customers that are impacted quickly”

Saumitra Das, CTO and Co-founder of Blue Hexagon adds this comment:

“MSPs are typically given a lot of privileges on their customer networks. They can be a portal for attackers to get into victim networks such as what happened in the Kaseya attack. Organizations that use MSPs should be vigilant about their MSPs’ security posture and assess the risk of what happens if the MSP software is compromised. Convenience often means the MSPs get a lot of privileges for remote maintenance and this convenience can increase the chance of a supply chain attack escalating into a victim network.”

Finally, Christopher Prewitt who is the Chief Technology Officer of MRK Technologies had this to say:

“Managed Service Providers are always under attack. They are often primarily focused on IT operations and service desk related services, and usually do not have a depth of knowledge or capability in cyber security practices. As an attacker, if I can breach and impact an MSP, my impact has an exponential outcome. We continue to see this IT supply chain be targeted through Kaseya and MSP’s.”

This warning is worth reading as it has a lot of recommendations to protect against attacks. Thus I would put aside time to read and implement these recommendations.

CISA Tells Everyone To Address F5 BIG-IP Vulnerability ASAP

Posted in Commentary with tags , on May 12, 2022 by itnerd

The CISA has told federal agencies to fix an actively exploited F5 BIG-IP bug. The bug in question is CVE-2022-1388 which is described as follows:

On F5 BIG-IP 16.1.x versions prior to, 15.1.x versions prior to, 14.1.x versions prior to, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.

F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers and consumer brands including Microsoft, Oracle and Facebook. Thus this isn’t trivial in the slightest as it affects a lot of big companies. Which is why the CISA also said that private companies should also address this and other issues that the CISA brings to light.

I managed to get multiple comments on this. Starting with Christopher Prewitt who is the Chief Technology Officer of MRK Technologies:  

“This vulnerability is critical, should be remediated as soon as possible by turning off the iControl REST service. This vulnerability is simple to exploit by an attacker and with these systems internet connected, many organizations may be at risk of breach.”

Saumitra Das, CTO and Co-founder of Blue Hexagon had this to add:

“This continues the trend of security and access devices also proving to be portals for attackers to get into target networks. We have seen similar issues in 2021 with VPN devices, firewalls, and email gateways. Having MFA on admin logins, limiting lateral movement from and public exposure of third-party security and networking appliance is a critical requirement to protect organization. Be it a supply chain related or a new vulnerability, organizations need to minimize blast radius.”

This is something that needs to be addressed ASAP. Thus I would take the CISA’s advice and address this ASAP as it’s a safe bet that threat actors are exploiting this at present.