Merlin Labs Memo -- Week of May 9-13


Costa Rica Offline: Can It Happen Here?

Costa Rica continues to suffer widespread government outages due to cyberattacks by the Conti ransomware group. The Finance Ministry is hardest hit, along with the Science and Labor Ministries, the national weather service, the social security fund, a university, and a civic energy supplier. The attack has been ongoing for two weeks and Conti has threatened to leak sensitive information that it has obtained. The U.S. State Department has issued a $10 million bounty for information on Conti group members, with a $5 million bonus if the information leads to arrest. This year alone, Conti attackers have made over $150 million in victim ransoms. So, could such a situation ever affect the United States?

Our Take: The short answer is, “Yes, but.” Let’s qualify the attack: Costa Rica is a nation with a GDP of roughly $95 billion and a population of roughly 5 million, so it’s on par with states like New Mexico (GDP $100 billion), South Carolina, and Alabama (population ~5 million). The resources available to Costa Rica are nowhere near those available to our federal government and its agencies. State and large local government entities make for a much better comparison. That being said, we have seen several major municipalities suffer temporary shutdowns from cyberattacks, but none have been as hard-hit as Costa Rica. There is much work to do to convert our network architectures from trust but verify to zero trust, and Costa Rica definitely serves as a wake-up call to any department head or executive who thinks they’ve “done enough” with cybersecurity. Once the major tools are in place, it’s time to cover the gaps between them with specialized “better together” tools. -- Dean Webb

The U.S. also has infrastructure and technology advantages over Costa Rica; it hosts the majority of the DNS root servers for the world's internet, maintains multiple physical connections to the outside world, and acts as the hub for this region of cyberspace. Interestingly, even if the municipality was knocked offline, commercial internet would still remain active. The free enterprise that created the internet itself in such a deregulated way is its greatest strength, making the creation of a true kill-switch nearly impossible. Can its service be degraded? Certainly, but not lost entirely. -- Jeremy Newberry

Original Sources:

---------------------------------------------------------------------------------------------------------------


NIST’s New Supply Chain Guidance

The National Institute of Standards and Technology (NIST) has updated its supply chain cybersecurity guidance. The revised publication “gives organizations key practices to adopt as they manage cybersecurity risks across their supply chains. In particular, it advises organizations to consider vulnerabilities in the components of a finished product they are considering using, and not just of the product itself.”

“The guidance is primarily aimed at acquirers and end-users of products, software and services. It aims to help these organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes.”

To reinforce the importance of this, research published by the NCC Group revealed a 51% increase in supply chain attacks on global organizations in H2 2021. -- Summary of InfoSecurity Magazine Article

Our Take: Supply chain attacks have become too common in recent months, with high-profile incidents such as SolarWinds capturing everyone’s attention. And with the explosion in highly-networked operations that link logistics, facilities, and other operational technologies with internet technologies, the chance of a vulnerability in a “downstream” product or product component being the origination point for a damaging breach or incident is a growing threat. Minimally, for our industry, it means we must continue to find technologies that scan vulnerabilities across and within the OT, IoT, and IT environments, covering both cloud and on-prem technologies, and make sure our customers have everything they need in their cybersecurity stack. As the threat landscape gets broader, so must our solutions!

Of course, organizations need to focus heavily on cyber hygiene and implement a strong cybersecurity program based on the latest NIST controls. This will help to competently tackle prevention, detection, and incident response activities. In addition, organizations need to enhance those best practices by defining and enforcing controls specifically related to the use of third-party solutions, to include requirements that guide a component-level assessment-driven procurement process for those solutions. Further, organizations must consider only using suppliers that adhere to a minimum set of security standards, and are willing to contractually commit to that adherence. -- Sarah Hensley

Additional Reading:

---------------------------------------------------------------------------------------------------------------


NanoSSL Vulnerability Not Just for UPS Devices – Here Comes TLStorm 2.0

“The root cause of the UPS vulnerabilities, named TLStorm by Armis, was related to the implementation of Mocana’s popular TLS library NanoSSL. Further analysis showed that other vendors also introduced similar vulnerabilities in their products due to misuse of the same TLS library. Armis researchers discovered a new round of vulnerabilities, which they have dubbed TLStorm 2.0, in switches made by Extreme Networks-owned Avaya and HPE subsidiary Aruba. Aruba switches are affected by two types of critical vulnerabilities tracked as CVE-2022-23677 and CVE-2022-23676, while Avaya devices are affected by CVE-2022-29860 and CVE-2022-29861. Each of these vulnerabilities can allow remote code execution (RCE) on the impacted device.” -- Via SecurityWeek

Our Take: TLStorm itself was a potential “bad day” for OT and now with similar vulnerabilities discovered in the popular Extreme Networks hardware, it moves from a potentially interesting hack to a potentially devastating one. The ability to manipulate an affected router or switch with any kind of RCE attack cannot be overlooked. One of the pillars of zero trust is the enforcement of network segmentation and isolation of individual users and hosts. If an attacker is able to crack the switching infrastructure that enforces those controls, that's what we call a bad day.

However, on the good side:

  • This would be part of a larger attack, likely where the attacker has access already and is able to craft RADIUS packets
  • This has not been seen actively exploited in the wild at this time
  • Aruba has already released initial firmware patches for the vulnerability

Outside of the CVEs themselves, this puts a spotlight back on software supply chain management. This is the latest in a series of vulnerabilities around the NanoSSL implementation that allow RCE attacks. Vendors will need to prioritize discovery of the open-source modules in use across their products to find out whether they are vulnerable in the same way. The popularity of the module suggests that other vendors likely have the same vulnerability and just haven’t noticed it yet. -- Jeremy Newberry

Additional Reading:

---------------------------------------------------------------------------------------------------------------


Threat Actors Targeting Managed Service Providers (MSPs)

Members of the Five Eyes (FVEY) intelligence community warned of increasing cyber activity targeting managed service providers (MSPs). These threat actors – which may include state-sponsored advanced persistent threat (APT) groups – pose a serious threat to MSPs and the customers they serve. By targeting MSPs who may be vulnerable, threat actors can gain an initial access vector to multiple target networks, increasing the likelihood of a successful compromise.

Our Take: As more organizations move to outsource cybersecurity and IT services – largely driven by the shortage of available cybersecurity professionals – the threats to MSPs have the potential to have a more expansive impact on organizations. This recent advisory brings to mind the Kaseya VSA software supply chain ransomware attack, where MSPs who were using this software for remote management of customers’ networks exposed this vulnerable software to their clients' environments. Always ensure that your MSP employs good cyber hygiene practices such as:

  1. Patching and hardening remote access and external facing systems
  2. Using MFA
  3. Protecting privileged access
  4. Using logging to detect and alert
  5. Educating the workforce to create a culture of cyber-awareness

In addition, it’s critical to have continuous communication with your MSP. A breakdown in communication is often the culprit when projects fail or when "things" hit the fan. It’s vital to have open communication with your MSP so that you’re on the same page with the shared responsibility model (i.e., who does what and when) and know how to respond in the event of an incident. -- Miguel Sian

Additional Reading:

---------------------------------------------------------------------------------------------------------------

Readers: What would you like to see in future editions? We've started this weekly memo as a simple way to share 3-5 bits of news and/or ideas, along with our professional opinions. What’s working, what’s not, and what’s on your mind? Let us know by leaving a comment below or sending a note to [email protected].
