The IT Nerd

On Monday the CISA and the FBI published a “secure-by-design” alert urging technology manufacturers to eliminate the “unforgivable” class of vulnerabilities known as SQL injection.

It states that threat actors were able to exploit just such a vulnerability in MOVEit file transfer software last year to devastating effect – data exfiltration from thousands of MOVEit corporate clients impacting the personal details of tens of millions of customers. 

   “Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.

   “CISA and the FBI urge senior executives at technology manufacturing companies to mount a formal review of their code to determine its susceptibility to SQLi compromises. If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products,” the alert noted.

The alert offered the following guidelines for technology manufacturers:

• Take Ownership of Customer Security Outcomes
• Embrace Radical Transparency and Accountability
• Build Organizational Structure and Leadership to Achieve These Goals

Emily Phelps, Director, Cyware:

   “This CISA and FBI initiative, particularly in eliminating SQL injection vulnerabilities, is important. It highlights the need for proactive cybersecurity measures to protect sensitive data from well-known threats. This effort is not just about improving security; it’s about building a foundation of trust between technology providers and their users, ensuring that privacy and safety are prioritized.

   “Collaboration between the private and public sectors is crucial. By working together, these sectors can share knowledge, tools, and strategies, making it much harder for cyber threats to penetrate their defenses.”

It’s 2024 and SQL Injection vulnerabilities should be a thing of the past. I’m not sure why this has to be constantly deemed to be unacceptable. But hopefully everyone gets the message and does something to relegate them to the history books.

In a joint effort, CISA, the FBI, and the EPA have introduced an incident response guide designed to aid owners and operators in the Water and Wastewater Systems (WWS) Sector.

The agencies partnered with over 25 industry, non-profit and government organizations within the WWS Sector to create the response guide which outlines four pivotal stages of the incident response lifecycle:

• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery
• Post-Incident Activities

“The Water and Wastewater Systems Sector is a vital part of our critical infrastructure, and the FBI will continue to combat cyber actors who threaten it. A key part of our cyber strategy is building strong partnerships and sharing threat information with the owners and operators of critical infrastructure before they are hit with an attack,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

Mark B. Cooper, President & Founder, PKI Solutions had this to say:

   “Just as we have seen the creation and focus of Critical Infrastructure Protection (CIP) controls for the energy industry, vital infrastructure services such as water, waste treatment, and gas should have similar regulatory and industrial standards for cybersecurity controls. Through enforcing strong CIP standards for all vital services, these critical services can be better prepared for a world that has ever evolving cybersecurity threats and deliberate actors seeking to disrupt services.”

Incident response guides like these are valuable as they save a company or a sector from the trouble of trying to figure out what the best practices are to responding to an incident. Frankly, we need to see more of these out there ASAP.

The FBI and CISA have revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022.

Since approximately September 2022, cyber threat actors have compromised U.S. and international organizations with Royal ransomware. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

Frankly that’s a staggering number. John Gunn, CEO, Token had this comment:

It is ridiculous that organizations are left to fend for themselves. Imagine there were this many bank robberies without any action against the perpetrators – just more advice from the Feds on how to protect the bank from robbers – never. Our government needs to do more to proactively target and eliminate groups that are making US institutions their targets.

Perhaps he has a point and maybe it’s time to go on offence as being constantly on defence is tiring, and more importantly isn’t stopping these groups from operating. It’s certainly food for thought.

The CISA and FBI have put out an advisory on Zeppelin ransomware that is very much reading. The advisory goes into great detail about how the ransomware works and includes some threat mitigation strategies.

Dr Darren Williams, CEO and Founder of BlackFog has this comment to share:

     “Zeppelin ransomware, a fairly well-known malware strain has been in known use since 2019, often to target a wide range of businesses and critical infrastructure organizations. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.

Zeppelin’s unique attack path is such that the FBI have observed the attackers executing the malware multiple times in the network, leaving a great big sting on the victim, who needs multiple unique decryption keys to combat the attack.

Attacks on hybrid working companies are nothing new, however it is crucial that employees remember they play a part in protecting themselves and the employer, too.

Attacks from vectors such as Zeppelin often start with a simple phishing email – employers must ensure they educate and remind their employees on cyber security best practices, to minimize attack risk. Standard, good cyber hygiene practice is essential here: remembering to regularly change passwords and use MFA as a basic practice. That said, if a threat actor wants to find their way in, they will! What matters is the data they were able to obtain and leave with…

Most cybercriminal gangs aim for extortion – organizations should also consider anti-data exfiltration to block the attacker and prevent data from being exfiltrated.”

I strongly suggest that you read this advisory because if the FBI and the CSI put out an advisory on this, you need to take it seriously.