Merlin Labs Memo -- Week of December 4-8
Federal Agency Breached via ColdFusion Vulnerability
CISA reported recently that a federal agency was breached via a vulnerability in Adobe ColdFusion (CVE-2023-26360, which allows arbitrary code execution on unpatched ColdFusion 2018 and 2021 servers). Adobe patched the vulnerability in its ColdFusion release of March 2023; the breach occurred in June-July 2023, months after the fix was available. By exploiting the vulnerability, attackers were able to traverse file systems, embed malicious binaries in hosted web pages, and spread additional malware. The good news is that the attacks were detected and, while the attackers attempted to exfiltrate data and set up a command and control channel, they were not able to complete those tasks.
Our take: Clearly, this could have been avoided with faster implementation of vendor patches and upgrades. This is why automated patch management is an integral part of a complete cybersecurity defense solution. While, traditionally, patch management teams have frequently been part of larger siloed operations, it's time for them to integrate with security teams. Additionally, the CISO needs a seat at regular top executive meetings to make sure that all organizational officers are made aware of security status more often than once a quarter or year. It's not enough for the CISO to report up through either the CIO or a physical security executive, as that dilutes the CISO's ability to get strong coordination with other teams.
Back to automated patching: development environments have to lead the way on this front. If development lingers on an older version of its tools - for whatever reason - it jeopardizes the entire organization. Testing and finding a way forward with the new version must accelerate, or the attackers out there will find their own ways to disrupt production. – Dean Webb
Ukraine Ransomware Gang taken down
An article published by Dark Reading states: “European cyber police last week arrested a 32-year-old suspect they believe to be the leader of a Ukrainian ransomware affiliate gang. According to Europol, authorities searched 30 properties in Kyiv, Cherkasy, Rivne, and Vinnytsia before locating the suspect. More than 20 investigators from a variety of countries were in Kyiv to assist with the operations. Authorities also seized four other individuals from locations across the country, as well as "technological devices." These suspects, whose nationalities weren't released, were identified after 12 other individuals were arrested in Ukraine and Switzerland in 2021.
This particular ransomware gang, which doesn't have a specific moniker, is suspected of extorting hundreds of millions of euros from victims in 71 countries and encrypting more than a thousand servers worldwide. The group is known for targeting large corporations, and has deployed LockerGoga, MegaCortex, Hive, and Dharma ransomware to perform its attacks.
According to a spokesperson, more details will be released later, as the operation is ongoing and more arrests will be made in the future.”
Our Take: Ransomware is on the rise and poses a serious threat to the economy and to businesses of all sizes. With tactics such as “living off the land” and using native applications to move laterally through the network, Blue Teams must be even more vigilant. While defense starts with having the right tools, threat hunting teams must understand heuristic behaviors and detect changes in baselines to defeat these types of adversaries. It's going to take a significant effort and a focused workforce to combat these threats. If you'd like to know more about layering your defenses to better protect your organization against these threats, Merlin Cyber is here to help. – Rick Friend, CISSP
Pre-Boot Vulnerability Announced: Nearly Every Device Affected
The title is not hyperbolic clickbait. Binarly Research, with confirmation from major hardware vendors, disclosed that the image parsers UEFI firmware uses to display the boot logo can be driven to execute attacker-supplied code by a malformed image file, because of memory-safety bugs in the way those parsers handle the file's contents. Just as we've seen .webp image libraries targeted by attackers to execute malicious code, we now see the same class of bug in the firmware boot code that reads logo images. If an attacker replaces the logo image displayed at power-on (something an attacker who already has administrative access can do, and that most current security tools would not detect), the exploit runs at the next reboot, before the operating system loads, and Secure Boot does not stop it, because the parsing happens inside the firmware that Secure Boot already trusts. These parsers have shipped largely unchanged across a wide range of computing devices for many years, which is why the exposure is so broad.
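To make the bug class concrete, here is an added example that is not Binarly's research code and not any vendor's firmware: a minimal boot-logo BMP parser written the unsafe way (trusting width, height and pixel-data offset straight from the file) beside a checked version that validates those fields before copying. The sample images, the 4096x4096 pixel cap, and all function names are constructed for this illustration.

```c
/*
 * Added example for this memo (not Binarly's code, not any vendor's firmware).
 * Models the LogoFAIL bug class: a boot-logo BMP parser that trusts header
 * fields from the file, beside a parser that validates them. All image bytes
 * below are constructed for the demonstration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BMP_HEADER_LEN 54u               /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define MAX_LOGO_PIXELS (4096u * 4096u)  /* assumed sanity cap for a boot logo */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* UNSAFE pattern: the pixel-buffer size is computed from header fields with
 * 32-bit arithmetic and no range check. Returned here rather than used for a
 * copy, so the wrap is visible without an actual out-of-bounds access. */
uint32_t logo_pixel_bytes_unsafe(const uint8_t *file) {
    uint32_t w = rd32(file + 18);
    uint32_t h = rd32(file + 22);
    return w * h * 3u;                   /* wraps silently for hostile dimensions */
}

/* Checked parser: decodes a bottom-up, uncompressed 24-bit BMP into 'out' as
 * packed BGR rows, top row first. Returns 0 on success, -1 if rejected. */
int parse_logo_checked(const uint8_t *file, size_t file_len,
                       uint8_t *out, size_t out_cap,
                       uint32_t *w_out, uint32_t *h_out) {
    if (file_len < BMP_HEADER_LEN || file[0] != 'B' || file[1] != 'M') return -1;
    uint32_t off = rd32(file + 10);
    uint32_t info_len = rd32(file + 14);
    int32_t w = (int32_t)rd32(file + 18);
    int32_t h = (int32_t)rd32(file + 22);
    uint16_t planes = (uint16_t)(file[26] | (file[27] << 8));
    uint16_t bpp = (uint16_t)(file[28] | (file[29] << 8));
    uint32_t compression = rd32(file + 30);

    if (info_len != 40 || planes != 1 || bpp != 24 || compression != 0) return -1;
    if (w <= 0 || h <= 0) return -1;                          /* top-down (negative h) not handled here */
    if ((uint64_t)w * (uint64_t)h > MAX_LOGO_PIXELS) return -1; /* 64-bit product, then a hard cap */

    uint64_t stride = ((uint64_t)w * 3u + 3u) & ~(uint64_t)3u; /* rows are padded to 4 bytes */
    uint64_t need = stride * (uint64_t)h;
    if (off < BMP_HEADER_LEN || off > file_len || need > file_len - off) return -1; /* data inside file */
    if ((uint64_t)w * 3u * (uint64_t)h > out_cap) return -1;                       /* data fits output */

    for (int32_t y = 0; y < h; y++) {
        const uint8_t *src = file + off + (uint64_t)y * stride;
        uint8_t *dst = out + (uint64_t)(h - 1 - y) * (uint64_t)w * 3u;
        memcpy(dst, src, (size_t)w * 3u);
    }
    *w_out = (uint32_t)w; *h_out = (uint32_t)h;
    return 0;
}

/* Constructed sample logos: a benign 2x2 image, one whose dimensions wrap a
 * 32-bit product, and one whose pixel offset points past the end of the file. */
enum { SAMPLE_BENIGN, SAMPLE_OVERFLOW, SAMPLE_BAD_OFFSET };

size_t build_sample(uint8_t *buf, size_t cap, int which) {
    /* two rows of two BGR pixels, each row padded to 8 bytes; bottom row first */
    static const uint8_t px[16] = { 0,0,255, 0,255,0, 0,0,  255,0,0, 255,255,255, 0,0 };
    size_t len = BMP_HEADER_LEN + sizeof px;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)len);
    wr32(buf + 10, BMP_HEADER_LEN);
    wr32(buf + 14, 40);
    wr32(buf + 18, 2); wr32(buf + 22, 2);
    buf[26] = 1; buf[28] = 24;
    wr32(buf + 34, (uint32_t)sizeof px);
    memcpy(buf + BMP_HEADER_LEN, px, sizeof px);
    if (which == SAMPLE_OVERFLOW) { wr32(buf + 18, 0x10000000u); wr32(buf + 22, 16); } /* 2^28 * 16 = 2^32 */
    if (which == SAMPLE_BAD_OFFSET) wr32(buf + 10, 0x10000u);
    return len;
}

/* Scenario helpers that return plain values so the outcomes can be checked. */
int scenario_benign_decodes(void) {
    uint8_t f[128], out[12]; uint32_t w = 0, h = 0;
    size_t n = build_sample(f, sizeof f, SAMPLE_BENIGN);
    if (parse_logo_checked(f, n, out, sizeof out, &w, &h) != 0) return 0;
    return w == 2 && h == 2 && out[0] == 255 && out[1] == 0 && out[2] == 0; /* top-left pixel is blue */
}
uint32_t scenario_overflow_unsafe_size(void) {
    uint8_t f[128];
    build_sample(f, sizeof f, SAMPLE_OVERFLOW);
    return logo_pixel_bytes_unsafe(f);   /* 0x10000000 * 16 * 3 wraps to 0 */
}
int scenario_rejected(int which) {
    uint8_t f[128], out[12]; uint32_t w, h;
    size_t n = build_sample(f, sizeof f, which);
    return parse_logo_checked(f, n, out, sizeof out, &w, &h) == -1;
}

int main(void) {
    printf("benign logo decodes: %d\n", scenario_benign_decodes());
    printf("unsafe size for a 0x10000000 x 16 logo: %u bytes\n", (unsigned)scenario_overflow_unsafe_size());
    printf("overflow rejected: %d, bad offset rejected: %d\n",
           scenario_rejected(SAMPLE_OVERFLOW), scenario_rejected(SAMPLE_BAD_OFFSET));
    return 0;
}
```

The unsafe function is the shape of the bug: a 2^28-pixel-wide image with 16 rows computes to zero bytes, so a buffer sized from that value is far too small for the rows that follow. The checked parser does the multiplication in 64 bits, caps the pixel count, and requires the pixel data to lie inside the file and fit the destination before any copy. In firmware there is no OS, no ASLR and no sandbox around this code, which is why a parser bug here becomes pre-boot code execution.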
Our Take: All is not lost: we know about it now. Expect hardware patches to come out in the weeks and months ahead, and expect to take time out to install them. These include OS and security tool patches to watch for attempts to exploit the “LogoFAIL” vulnerability, but also hardware vendor firmware patches for their boot-level image readers. The firmware-level patches are most likely not part of a regular patching regimen, so it will be critical for organizations to track firmware levels in their devices so that they know which ones are patched and which ones are still at risk. If organizations have held back from embracing a visibility solution that tracks hardware that closely, the time has come to embrace it warmly. – Dean Webb
Readers of our Newsletter: What's working, what's not, and what's on your mind? Leave a comment below or email [email protected]. Thank you!