Top five Cyber Threat Intel stories of the week: 11/14 to 11/18/2022
Top 5 general threat intelligence stories of the week. This is from TLP white/open source websites, so please feel free to share with anyone inside or outside the company you think would benefit and enjoy reading about these events. Please reach out if you have any questions on any of these events. Thank you!
General Worldwide activity:
1st: Iranian APT Actors Breach US Government Network
Overview: An unpatched VMware Horizon server allowed an Iranian government-sponsored APT group to use the Log4Shell vulnerability to not only breach US Federal Civilian Executive Branch (FCEB) systems, but also deploy XMRig cryptominer malware for good measure. FCEB is the arm of the federal government that includes the Executive Office of the President, Cabinet Secretaries, and other executive branch departments. A new update from the Cybersecurity and Infrastructure Security Agency (CISA) said that, along with the FBI, the agencies determined the Iranian-backed threat group was able to move laterally to the domain controller, steal credentials, and deploy Ngrok reverse proxies to maintain persistence in the FCEB systems. The attack occurred from mid-June through mid-July, CISA said.
Breakdown: This is exactly why patching, especially for critical infrastructure organizations with externally facing machines, needs to be priority number one for a better security posture internet-wide. Here we have one of the most widely publicized vulnerabilities being used to attack an unpatched system running VMware Horizon, a product that has also had its own share of widely publicized major vulnerabilities this year. The threat of APT attacks is constant, and they will take advantage of the oldest and easiest methods of breaching systems just like any other criminal would; you cannot assume anything about externally exposed systems. They need to be updated for everything, and given the time that passed between awareness of the vulnerability and the availability of patches, there is no excuse at all here.
2nd: EXCLUSIVE: Rounding up a cyber posse for Ukraine
Overview: They call themselves the Cyber Defense Assistance Collaboration (CDAC), and it is the brainchild of Greg Rattray, a former chief information security officer at JP Morgan Chase. For months, he has been helping build a kind of public-private partnership to combat destructive cyberattacks. This is the first time he’s speaking in depth about the initiative publicly. U.S. officials have been talking about public-private partnerships to fight destructive cyberattacks for years. The animating logic is that the National Security Agency and the military’s cyber arm, Cyber Command, often have intelligence about cyberattacks before or while they are happening. U.S. cybersecurity companies have the expertise to block them. So it would make sense that they should join forces to stop them.
Breakdown: A major gap we have in the U.S. compared to other countries is the lack of a deep connection between private industry and government. In many other countries this is less of an issue because government is far too deeply involved in private business, which is not something to aspire to either. Here in the U.S., while still maintaining proper separation between government and private organizations, we need better ways to work together, and it is great to hear some progress is being made. A huge amount of network infrastructure and internet traffic flows through private businesses in the U.S., and those companies have been solely responsible for protecting their own systems, without a good flow of information back and forth with the government organizations tasked with computer security, such as the FBI and NSA. I hope this continues and grows, and not just as part of supporting the current Ukraine crisis.
3rd: Majority of DOD cyber incident reports are incomplete, GAO finds
Decipher — US DOD Struggles with IR
Overview: Failures in reporting cyber incidents at the U.S. Department of Defense risk leaving commanders in the dark about the effects hackers could have on their missions, according to a new report by the Government Accountability Office. While external information sharing around the Russian invasion of Ukraine has won the DOD and the broader U.S. security and intelligence community plaudits, the lack of internal information sharing within the DOD and the defense industry is leading to “lost opportunities to identify system threats and improve system weaknesses.”
Breakdown: Incident reporting data is a key factor in being able to triage future attacks and correlate activity over time, showing the areas that need focus or more support going forward. Many companies struggle to gather and keep this data in a usable format, and evidently U.S. federal government agencies are having the same issues. As noted in the overview, while tracking attacks in other countries is important, closing the gaps in tracking attacks against our own organizations is also vital and is another area that needs serious consideration and improvement.
4th: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching
Overview: The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide that can help organizations prioritize vulnerability patching using a decision tree model. The SSVC system was created in 2019 by CISA and Carnegie Mellon University’s Software Engineering Institute (SEI), and a year later CISA developed its own customized SSVC decision tree for security flaws relevant to government and critical infrastructure organizations. CISA is now encouraging organizations of all sizes to use its version of the SSVC for vulnerability management.
Breakdown: Acknowledging that the patching process is as necessary as the first story demonstrates, CISA has now released a guide to tailoring patch prioritization to your own organization's critical systems and vulnerabilities. It is targeted specifically at small and medium businesses (SMBs), which very often have a tiny IT/infosec team, many times a single person for the whole company. SMBs can follow this guide step by step, but it is also a good resource for a company of any size to review and ensure its general practices are focused in the right direction.
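To make the decision-tree idea concrete, here is an added Python example (my own code, not CISA's tool or the guide's published tree). It uses the decision points the SSVC guide names (exploitation status, automatability, technical impact, mission prevalence, public well-being) and its four outcomes Track, Track*, Attend and Act, but the rules that combine them are a simplified assumption of mine, as are the sample findings.

```python
from dataclasses import dataclass
from enum import Enum
# Vocabulary follows CISA's SSVC guide; the combination rules are a simplified illustration, not CISA's tree.
class Exploitation(Enum):
    NONE = "none"; POC = "poc"; ACTIVE = "active"
class Prevalence(Enum):
    MINIMAL = "minimal"; SUPPORT = "support"; ESSENTIAL = "essential"
class WellBeing(Enum):
    MINIMAL = "minimal"; MATERIAL = "material"; IRREVERSIBLE = "irreversible"
OUTCOME_RANK = {"Track": 0, "Track*": 1, "Attend": 2, "Act": 3}

@dataclass
class Finding:
    name: str                   # label for the vulnerability (constructed below)
    exploitation: Exploitation  # none / proof of concept / active exploitation
    automatable: bool           # can the attack steps be automated at scale?
    total_impact: bool          # technical impact: True = total, False = partial
    prevalence: Prevalence      # mission prevalence of the affected system
    well_being: WellBeing       # public well-being impact if exploited

def mission_wellbeing(prev: Prevalence, wb: WellBeing) -> str:
    """Fold mission prevalence and well-being into Low / Medium / High."""
    if prev is Prevalence.ESSENTIAL or wb is WellBeing.IRREVERSIBLE:
        return "High"
    if prev is Prevalence.MINIMAL and wb is WellBeing.MINIMAL:
        return "Low"
    return "Medium"

def ssvc_decision(f: Finding) -> str:
    mw = mission_wellbeing(f.prevalence, f.well_being)
    severe = f.automatable or f.total_impact
    if f.exploitation is Exploitation.ACTIVE:
        if mw == "High" or (mw == "Medium" and severe):
            return "Act"
        return "Attend" if mw == "Medium" or f.automatable else "Track*"
    if f.exploitation is Exploitation.POC:
        if mw == "High":
            return "Attend" if severe else "Track*"
        return "Track*" if mw == "Medium" and f.automatable and f.total_impact else "Track"
    return "Track*" if mw == "High" and f.automatable and f.total_impact else "Track"

def prioritize(findings: list[Finding]) -> list[tuple[str, str]]:
    # Most urgent first; Python's sort is stable, so ties keep input order.
    return sorted(((f.name, ssvc_decision(f)) for f in findings),
                  key=lambda d: OUTCOME_RANK[d[1]], reverse=True)

# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("Log4Shell on internet-facing Horizon", Exploitation.ACTIVE, True, True, Prevalence.ESSENTIAL, WellBeing.MATERIAL),
    Finding("PoC-only bug on an internal test box", Exploitation.POC, False, False, Prevalence.SUPPORT, WellBeing.MINIMAL),
]
```

Running `prioritize(SAMPLE)` puts the actively exploited, externally exposed Horizon case at Act and the proof-of-concept-only internal bug at Track; substitute the guide's own mapping before using this on real findings.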
5th: Unencrypted Traffic Still Undermining Wi-Fi Security
Overview: Even cybersecurity professionals need to improve their security posture. That’s the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information security officer had a misconfigured email client that sent passwords and text in the clear, including sensitive documents such as their payment for a professional certification.
Breakdown: This is a great reminder around passwords and device configurations. With remote work constantly increasing, the perimeter for company devices no longer exists; it is pretty much the entire world, all the time, depending on where your employees live. As pointed out, at a conference attended mostly by infosec professionals and executives, you would reasonably assume the attendees have the best security configs on their devices, and these findings show there is still a lot of growth needed in configuration management.
Contact Us
contact@hunterstrategy.net