President Trump on Tuesday fired his top election security official Christopher Krebs (no relation). The dismissal came via Twitter two weeks to the day after Trump lost an election he baselessly claims was stolen by widespread voting fraud.
Krebs, 43, is a former Microsoft executive appointed by Trump to head the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security. As part of that role, Krebs organized federal and state efforts to improve election security, and to dispel disinformation about the integrity of the voting process.
Krebs’ dismissal was hardly unexpected. Last week, in the face of repeated statements by Trump that the president was robbed of re-election by buggy voting machines and millions of fraudulently cast ballots, Krebs’ agency rejected the claims as “unfounded,” asserting that “the November 3rd election was the most secure in American history.”
In a statement on Nov. 12, CISA declared “there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
But in a tweet Tuesday evening, Trump called that assessment “highly inaccurate,” alleging there were “massive improprieties and fraud — including dead people voting, Poll watchers not allowed into polling locations, ‘glitches’ in the voting machines that changed votes from Trump to Biden, late voting, and many more.”
Twitter, as it has done with a remarkable number of the president’s tweets lately, flagged the statements as disputed.
By most accounts, Krebs was one of the more competent and transparent leaders in the Trump administration. But that same transparency may have cost him his job: Krebs’ agency earlier this year launched “Rumor Control,” a blog that sought to address many of the conspiracy theories the president has perpetuated in recent days.
Sen. Richard Burr, a Republican from North Carolina, said Krebs had done “a remarkable job during a challenging time,” and that the “creative and innovative campaign CISA developed to promote cybersecurity should serve as a model for other government agencies.”
Sen. Angus King, an Independent from Maine and co-chair of a commission to improve the nation’s cyber defense posture, called Krebs “an incredibly bright, high-performing, and dedicated public servant who has helped build up new cyber capabilities in the face of swiftly-evolving dangers.”
“By firing Mr. Krebs for simply doing his job, President Trump is inflicting severe damage on all Americans – who rely on CISA’s defenses, even if they don’t know it,” King said in a written statement. “If there’s any silver lining in this unjust decision, it’s this: I hope that President-elect Biden will recognize Chris’s contributions, and consult with him as the Biden administration charts the future of this critically important agency.”
KrebsOnSecurity has received more than a few messages these past two weeks from readers who wondered why the much-anticipated threat from Russian or other state-sponsored hackers never appeared to materialize in this election cycle.
That seems a bit like asking why the year 2000 came to pass with very few meaningful disruptions from the Y2K computer date rollover problem. After all, in advance of the new millennium, the federal government organized a series of task forces that helped coordinate readiness for the changeover, and to minimize the impact of any disruptions.
But the question also ignores a key goal of previous foreign election interference attempts leading up to the 2016 U.S. presidential and 2018 mid-term elections. Namely, to sow fear, uncertainty, doubt, distrust and animosity among the electorate about the democratic process and its outcomes.
To that end, it’s difficult to see how anyone has done more to advance that agenda than President Trump himself, who has yet to concede the race and continues to challenge the result in state courts and in his public statements.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.
“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.
The list of vulnerabilities exploited by Chinese hackers
The list is as follows:
The vulnerability list they shared is likely not complete, as Chinese state-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those securing critical systems in organizations on which US national security and defense depend – should consider patching these as a priority.
Mitigations are also available
If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:
- Disabling external management capabilities and setting up an out-of-band management network
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
- Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
- Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise
The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.
Additional “most exploited vulnerabilities” lists
Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.
Admins and network defenders are encouraged to peruse them and patch those flaws as well.
If you had any doubts about the criticality of the Zerologon vulnerability (CVE-2020-1472) affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency (CISA) has issued on Friday an emergency directive instructing federal agencies to “immediately apply the Windows Server August 2020 security update to all domain controllers” – and to do so by the end of Monday (September 21).
“If affected domain controllers cannot be updated, ensure they are removed from the network,” CISA advised.
To make sure the order has been complied with, the agency asks department-level Chief Information Officers (CIOs) or equivalents to submit completion reports by Wednesday.
About the vulnerability
Security updates fixing CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC), were provided by Microsoft in August, and the researchers who discovered the bug revealed more technical information about it last week.
That release was followed by the publication of a slew of PoC exploits.
Zerologon’s severity stems from the fact that it can be leveraged by an unauthenticated attacker with network access to a domain controller to impersonate any domain-joined computer, including a domain controller.
“Among other actions, the attacker can set an empty password for the domain controller’s Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges. The compromise of Active Directory infrastructure is likely a significant and costly impact,” CERT/CC says.
“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the agency noted in the emergency directive.
“This determination is based on the following: the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited; the widespread presence of the affected domain controllers across the federal enterprise; the high potential for a compromise of agency information systems; the grave impact of a successful compromise; and the continued presence of the vulnerability more than 30 days since the update was released.”
State and local governments should heed this call as well, not to mention organizations in the private sector.
We have yet to hear of the vulnerability being actively exploited in the wild, but it is only a matter of time until attackers gain the ability to leverage it and start doing so.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.
“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification,” the alert reads. “In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting — with the end goal of monetizing the access.”
As noted in Wednesday’s story, the agencies said the phishing sites set up by the attackers tend to include hyphens, the target company’s name, and certain words — such as “support,” “ticket,” and “employee.” The perpetrators focus on social engineering new hires at the targeted company, and impersonate staff at the target company’s IT helpdesk.
The joint FBI/CISA alert (PDF) says the vishing gang also compiles dossiers on employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. From the alert:
“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”
“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”
The alert notes that in some cases the unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, the attackers were able to intercept the one-time codes by targeting the employee with SIM swapping, which involves social engineering people at mobile phone companies into giving them control of the target’s phone number.
The agencies said crooks use the vished VPN credentials to mine the victim company databases for their customers’ personal information to leverage in other attacks.
“The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the alert reads. “The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”
The advisory includes a number of suggestions that companies can implement to help mitigate the threat from these vishing attacks, including:
• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
• Verify web links do not have misspellings or contain the wrong domain.
• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
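The alert's description of the attackers' look-alike domains (hyphens, the target company's name, and words such as "support", "ticket" and "employee") and its domain-monitoring recommendation can be turned into a simple scoring heuristic for a feed of newly registered domains. The following is an added example written for this page, not code from the FBI/CISA alert; the company name "acme", the sample domains, the extra lure words and the score weights are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Words the FBI/CISA alert says the attackers' phishing domains tend to include.
LURE_WORDS = {"support", "ticket", "employee"}
# Assumed extras (not from the alert) that fit the same VPN/help-desk theme.
EXTRA_WORDS = {"helpdesk", "vpn", "sso", "portal", "login"}

SUSPICIOUS_THRESHOLD = 5  # assumed cut-off; tune against your own feed


@dataclass
class Verdict:
    domain: str
    score: int
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _labels(domain: str) -> List[str]:
    """Lower-case the name, drop a trailing dot and split into DNS labels."""
    return domain.lower().strip().rstrip(".").split(".")


def _is_allowlisted(labels: List[str], allowlist: Set[str]) -> bool:
    """True if the name is an allowlisted corporate domain or a subdomain of one."""
    joined = ".".join(labels)
    return any(joined == a or joined.endswith("." + a) for a in allowlist)


def score_domain(domain: str, company: str, allowlist: Set[str]) -> Verdict:
    """Score one domain against the naming pattern described in the alert."""
    labels = _labels(domain)
    if _is_allowlisted(labels, allowlist):
        return Verdict(".".join(labels), 0, ["allowlisted corporate domain"])

    company = company.lower()
    # Registrable label, assuming a single-label public suffix (.com, .net, ...).
    reg = labels[-2] if len(labels) >= 2 else labels[0]
    subs = labels[:-2]
    reasons: List[str] = []
    score = 0

    if company in reg:
        score += 3
        reasons.append("registrable label contains company name")
    if "-" in reg:
        score += 1
        reasons.append("hyphenated registrable label")

    # Split on hyphens/underscores and strip the company name from each token,
    # so both "acme-support" and the glued form "acmesupport" yield "support".
    tokens = [t.replace(company, "") for t in re.split(r"[-_]", reg)]
    tokens = [t for t in tokens if t]
    lure_hits = sorted(t for t in tokens if t in LURE_WORDS)
    extra_hits = sorted(t for t in tokens if t in EXTRA_WORDS)
    if lure_hits:
        score += 2 * len(lure_hits)
        reasons.append("lure words from the alert: " + ", ".join(lure_hits))
    if extra_hits:
        score += len(extra_hits)
        reasons.append("assumed extra lure words: " + ", ".join(extra_hits))

    # Lure words used as subdomain labels (support.acme-login.info) count once.
    sub_hits = sorted({s for s in subs if s in LURE_WORDS | EXTRA_WORDS})
    if sub_hits:
        score += 1
        reasons.append("lure words in subdomain: " + ", ".join(sub_hits))

    return Verdict(".".join(labels), score, reasons)


def flag_domains(domains: Iterable[str], company: str, allowlist: Set[str]) -> List[Verdict]:
    """Score a feed of newly seen domains and return the suspicious ones, highest first."""
    verdicts = [score_domain(d, company, allowlist) for d in domains]
    hits = [v for v in verdicts if v.suspicious]
    hits.sort(key=lambda v: (-v.score, v.domain))
    return hits


# Constructed sample feed: "acme" is a hypothetical target company, the domains are made up.
SAMPLE_FEED = [
    "acme-support-ticket.com",
    "acme-employee-vpn.net",
    "vpn.acme.com",
    "acme.com",
    "ticketmaster.com",
    "acmesupport.org",
    "support.acme-login.info",
    "weather-report.com",
]

if __name__ == "__main__":
    for v in flag_domains(SAMPLE_FEED, "acme", {"acme.com"}):
        print(f"{v.score:2d}  {v.domain:28s} {'; '.join(v.reasons)}")
```

The allowlist keeps legitimate corporate hosts such as vpn.acme.com out of the results, so the output is only the names that a registrar or certificate-transparency feed would be worth reviewing.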
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals.
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” the agency noted.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
The most often exploited CVE-numbered vulnerabilities
The list of the ten most often exploited flaws between 2016 and 2019 includes seven affecting Microsoft offerings (Office, Windows, SharePoint, .NET Framework), one affecting Apache Struts, one Adobe Flash Player, and one Drupal.
They are as follows:
IT security professionals are advised to use this list alongside a similar one recently compiled by Recorded Future, which focuses on the ten most exploited vulnerabilities by cybercriminals in 2019.
In addition to all these flaws, CISA points to several others that have been under heavy exploitation in 2020:
Additional warnings and help
CISA has also warned organizations to check for oversights in their Microsoft O365 security configurations, to implement these recommendations, and to start fixing any organizational cybersecurity weaknesses they might have.
“March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365. Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack,” they noted.
Organizations can apply for CISA’s help in scanning internet-facing systems and web applications for vulnerabilities and misconfigurations – the agency offers free scanning and testing services (more info in the alert).
Scammers and other criminals are always quick to take advantage of crises, and this latest – centered around the spread of the deadly Covid-19 coronavirus around the world – is no exception.
With the Western world conducting a considerable chunk of its day-to-day life online, with the help of computers, mobile phones and email, they are open to a variety of coronavirus-related cyber scams and schemes.
A rising threat
Aside from those who (legally) exploit the crisis by gouging the panicking public on the price of face masks, disinfectants, and similar items that are currently in big demand, there are fraudsters who ostensibly sell masks but never send the hugely overpriced items to those who have paid for them.
According to Reuters, victims in the United Kingdom have lost more than 800,000 pounds ($1 million) to coronavirus-linked scams since last month.
And then there are the phishers and malware peddlers: since the very beginning of Covid-19’s surge in Wuhan, they’ve been tricking users with fake email notifications and fake alerts impersonating local authorities, the US Centers for Disease Control and Prevention (CDC), and the World Health Organization (WHO) to deliver malware or to steal email credentials.
New twists and warnings
As predicted, more localized variants of these malicious emails have been spotted as the virus spread to other countries: malware peddlers are delivering Trickbot to Italian-speaking victims, Sophos researchers warn.
(In Italy, thieves have also been impersonating Red Cross workers via phone, targeting old people and trying to trick them into letting them inside their apartments, ostensibly to do a free test for the coronavirus).
The WHO has already warned about criminals posing as WHO representatives, delivering malware and asking for login information and donations.
The US Cybersecurity and Infrastructure Security Agency (CISA) is also counseling individuals to remain vigilant for scams related to Covid-19.
“Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19,” the agency advised.
They also urge users to use trusted sources for up-to-date, fact-based information about the virus and its spread, and to verify a charity’s authenticity before making donations.
CISA has also published a document detailing risk management actions for executives to consider “to help them think through physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus.”
An unnamed US gas pipeline operator has fallen victim to ransomware, which managed to encrypt data on both its IT (information technology) and operational technology (OT) networks and led to a shutdown of the affected natural gas compression facility, the Cybersecurity and Infrastructure Security Agency (CISA) has revealed.
“At no time did the threat actor obtain the ability to control or manipulate operations,” CISA’s advisory noted.
“Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.”
The attackers started by sending a spearphishing email containing a malicious link. Whether that link led to malware or a phishing page is unknown, but it allowed the attackers to gain access to the target facility’s IT network.
Next, they pivoted to the OT network, and deployed “commodity ransomware” on both networks. It affected human machine interfaces (HMIs), data historians, and polling servers, making it impossible to read and aggregate real-time operational data reported from low-level OT devices and, consequently, resulted in a partial loss of view for human operators.
Programmable logic controllers (PLCs), which read and manipulate physical processes at the facility, were not affected, because the ransomware was only capable of affecting Windows-based systems.
The attack was successful because the facility IT/security operators failed to implement robust segmentation between the IT and OT networks, and the extent and length of the shutdown was partly because the operator’s emergency response plan did not take into consideration the risk posed by cyberattacks.
“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” the agency pointed out. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”
The ransomware used in the attack has not been named, so we don’t know whether it’s EKANS, the recently uncovered ransomware that is capable of stopping a number of processes related to industrial control system operations.
CISA advised asset owner-operators across all sectors to learn from these mistakes and implement a number of planning, operational, technical and architectural mitigations to prevent becoming the next victim.
Among these are:
- Robust network segmentation between IT and OT networks
- Use of multi-factor authentication for remote access to the networks
- A better organization of access rights
- Conducting regular scans of IT network assets with AV programs
- Limiting access to resources over the network
- The implementation of application whitelisting
- The integration of cybersecurity into the organization’s safety training program
- Ensuring the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, and more.
The Transportation Security Administration (TSA) – an agency of the US Department of Homeland Security (DHS) – is tasked with developing broad policies to protect US pipelines, and offers resources and assessments (along with CISA) to help pipeline operators enhance their cybersecurity posture – though there have been calls for an increased mandatory oversight of cybersecurity for gas pipelines and for transferring the oversight responsibility for gas pipelines from the TSA to the US Department of Energy (DOE).
As Head of Research at CyberMDX, Elad Luz gathers and analyzes information on a variety of connected healthcare devices in order to improve the techniques used to protect them and/or report about their security issues to vendors. The research includes analyzing protocols, reverse engineering software, and conducting vulnerability tests.
Healthcare organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks?
The first and most important risk to bear in mind and protect against in our space is always patient risk. In a place like a hospital, this may happen on different levels. Care critical devices that are directly connected to patients like infusion pumps, ventilation, anesthesia, patient monitoring and such obviously represent the most critical endpoints from a security perspective. Compromises to those devices can cause serious immediate effects.
After care critical devices, the next most critical line of defense should be drawn around diagnostic machines like radiology devices, or lab devices that can also result in situations of serious short term negative impact. Beyond that, you have to account for care adjacent devices that pose near term risk, such as connected sterilization machines and medication dispensers. Even devices that have only little to do with the medical flow but are still necessary for the hospital to operate — like wireless tags, access controls, connected washers may affect the responsiveness of the medical staff which may later affect patient health.
It’s been cited ad nauseam and for good reason — but the WannaCry attacks immediately come to mind as a really poignant example of how even administrative devices being compromised can result in patient harm. And that threat hasn’t gone away in the last 3 years since WannaCry. Just in 2019, a truly astonishing 759 ransomware attacks were launched against healthcare organizations. Of those, at least 10 forced hospitals to turn away patients due to an impaired ability to deliver care. In fact, there’s a very serious impact on care even when hospitals don’t need to turn away patients.
When researchers measured the effects of cyber attacks on patient safety they found an operational ripple effect that added — on average — 2.7 minutes to medical response times. In a health emergency like a heart attack, minutes are often the difference between life and death. To wit, the same report noted a 3.6% increase in cardiac event fatalities at hospitals that had recently suffered cyberattacks. In other words, all other things being equal, for every 30 cardiac event patients admitted to a cyber-exploited hospital, statistically, one patient who would have survived elsewhere will be lost.
How do the complex medical device supply and value chains ultimately impact the security of connected devices in the healthcare industry?
Because of the complex medical device supply and value chains, it’s not always clear who should take responsibility for security best practices. While hospital administrators tend to think device manufacturers should be responsible for the security of their devices — which if not designed securely can hardly be operated securely — device manufacturers think the responsibility lies with the hospitals who create the network conditions that largely define the attack surface. This gap in expectations makes effective medical device security all the more difficult.
It’s important that security be considered at the earliest stages and built into medical technology research, development, procurement, deployment, and management processes. This means not only thinking about security, but also testing for it so that potential issues can be identified and addressed before they graduate into real-world problems. That applies equally to medical device stakeholders in the pre-market and post-market — manufacturers and hospitals.
Today, the type of testing required is woefully neglected by both sides of the market, with only 9% of manufacturers and 5% of users saying they test medical devices at least annually.
What are the main challenges when it comes to vulnerability research of medical devices?
From a purely research perspective, there are challenges to do with access. For example, device procurement costs that can be prohibitively expensive, laws and policies that prevent vendors from selling to non-hospitals, sometimes difficult-to-accommodate spatial prerequisites, as well as installation, configuration, and calibration complexities, or even networking codependencies.
From a slightly less tactical perspective, looking more at strategy and the bigger picture, the research is only valuable insofar as it manages to improve the industry’s security. To that point, challenges can sometimes come in how vendors relate to researchers — if the relationship becomes adversarial, it will be difficult for both sides to work together to actually improve security. Of course, we need to also think about the facts on the ground in hospitals. Even if the researchers and vendors do everything right on their end, it doesn’t guarantee a positive outcome if hospitals continue using vulnerable devices without implementing patches or other mitigations.
So, there are definitely challenges in trilaterally coordinating positive real-world impact. And with the worst-case scenario for our industry always revolving around cases of cyber-physical harm, a severity scoring system (CVSS) that fundamentally ignores physical impact, the system itself may do a disservice in misrepresenting and poorly prioritizing the risks.
It’s imperative that all the stakeholders be able to come together, share a clearly understood frame of reference and common objectives in dialing down the real-world risk exposure.
What does this type of research entail? Were you surprised by some of the findings?
Our research methodology involves some proprietary technology and tactics that I can’t discuss, but the parts that I can talk about normally begin with data collection and good old fashioned detective work.
We break down and reverse-engineer the communication protocols used by medical devices, we analyze device network behavior, we crawl the internet and scrape device references, we dig into MDS² files, we use a good amount of inductive reasoning, trial & error, and “poking around” in the lab to follow the breadcrumbs and build the investigation.
When we “crack” a case open and discover a previously undocumented security issue, we’re often surprised by things like lack of authentication, hard-coded credentials, and other vulnerabilities that are caused less by human error and more by bad or lazy design decisions taken.
What’s your take on responsible disclosure? What can be done to safeguard users in case a vendor is not responsive to vulnerability reports?
Cybersecurity is still fairly new and somewhat unfamiliar territory to most healthcare organizations. In fact, the whole industry is still working on getting its arms around it, and that goes to national oversight bodies and institutionalized safeguards as well. The process is still not perfectly standardized or very granularly governed. There may not be official rules dictating who is informed of what, what controls are applied to whom, who has influence over bottom line determinations, and what can be said to whom for every stage in the process.
Similarly, the factors governing the timeline for disclosure can be somewhat opaque and, from an institutional perspective, the guiding logic for disclosure is not always clear. So, if you’re dealing with a cooperative vendor you might expect that CISA — the division of homeland security responsible for overseeing the disclosure process for matters of public infrastructure — would withhold disclosure until patches can be developed and issued for the vulnerability in question. Yet, that’s not always the case. I think it’s important that we not lose sight of the forest for the trees or reduce the task of vulnerability management to items on a static checklist. We need to maintain a view of the mission: making healthcare safer and more secure.
That said, the fact is that more often than not, the process works as designed; and improvements are being introduced all the time. So I think, all in all, responsible disclosure is very important to the long-term security health of the industry. I also think it will only get better as lessons are learned and CISA collaborates more closely with other bodies like the FDA.
To your second question, I think we should concern ourselves less with how users can protect themselves from an unresponsive vendor, and more with how the public, the demand side of the market, researchers, and national oversight bodies can work together to apply pressure as needed to make sure that vendors are always responsive to matters of cybersecurity.
What advice would you give to a healthcare CISO that wants to make sure the connected devices in use in the organization are as secure as possible?
There is obviously a need for an automated tool to do that. Otherwise we are talking about nonstop work of securing thousands of devices, tens of different models and deployments, each requiring its own permissions and rules, in an ever-changing environment both inside the hospital (new assets get connected, old ones disconnected) and outside (new threats and vulnerabilities are published).
The best option would be using a solution that is tailor-made for medical centers, which is what we do at CyberMDX. Our solution is already familiar with a huge collection of medical devices and their unique protocols and our researchers are always working to lock down vulnerabilities you don’t even know you have. We are THE experts when it comes to cybersecurity and clinical connectivity.
How do you expect the security of IoT medical devices to evolve in the near future?
As IoT continues to connect everyday devices, I think we’ll find, especially in the medical field, that the most basic and relied upon devices will quickly become our biggest liabilities from a security perspective. Some evidence of this trend can be seen in the recent MDhex vulnerabilities that revealed a number of products in the popular CARESCAPE family of patient monitoring devices to be extremely vulnerable to cyber sabotage.
The problem is that all of a sudden manufacturers are expected to be experts in something — cybersecurity — that they’ve barely had to consider until now. It’s challenging for the manufacturers because the largest variety and best quality of agent-based security solutions reside on Windows and Linux-based devices, and require frequent updates to be relevant. Meeting those requirements is usually challenging in IoT embedded devices. Therefore I expect organizations to rely more and more on centralized, third-party provided agentless solutions that monitor the network traffic and introduce security features.
As attackers continue to hit vulnerable Citrix (formerly Netscaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24.
A short timeline before the situation update
CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization’s local network from the internet, was responsibly disclosed last December.
At the time, Citrix only offered mitigation advice instead of fixes, but both security researchers and hackers eventually used that advice to discern the nature of the flaw and create exploits for it.
The number of publicly available exploits quickly rose in the following days and attackers began deploying them. At the same time, scans revealed tens of thousands of (still) vulnerable installations.
Citrix CISO Fermin J. Serna then announced that the first available fixes would land on January 20.
The current situation
Several days into the rising wave of attacks, FireEye researchers flagged a threat actor gaining access to vulnerable Citrix installations and removing known cryptocurrency miners from them.
At the same time, the threat actor downloads and deploys a utility (NOTROBIN) that blocks exploitation attempts against the CVE-2019-19781 vulnerability, while also effectively setting up a backdoor that can only be used by whoever knows the right password (a hardcoded key).
“Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries,” the researchers noted.
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign.”
A similar attack, which delivered partial fixes, was recently spotted by SANS ISC when it hit their honeypots.
In the meantime, Citrix confirmed that some SD-WAN WANOP versions (v10.2.6 and 11.0.3) are also vulnerable to CVE-2019-19781 as they include Citrix ADC as a load balancer, and that the offered mitigation steps will work on them.
Finally, on Sunday, the company released fixes for CVE-2019-19781 for ADC versions 11.1 and 12.0.
“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Serna pointed out.
He also said that the remaining fixes – for ADC versions 12.1, 13 and 10.5, and for SD-WAN WANOP 10.2.6 and 11.0.3 – are scheduled to be released on January 24.
He also warned that the offered fixes can be used only on the indicated versions. “If you have multiple ADC versions in production, you must apply the correct version fix to each system,” he advised.
In the meantime, mitigations should be implemented and admins should check whether they’ve been successfully applied. Citrix has provided a tool that will help them do that.
Also worth noting: last week CISA released a utility that lets users and administrators test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability. It’s available here.
Also: TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised through CVE-2019-19781.
Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain.
Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.
“I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. “The only thing that was real was the mayor’s name.”
The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating — town.exeter.ri.us — which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving).
“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source continued. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”
Technically, what my source did was wire fraud (obtaining something of value via the Internet/telephone/fax through false pretenses); had he done it through the U.S. mail, he could be facing mail fraud charges if caught.
But a cybercriminal — particularly a state-sponsored actor operating outside the United States — likely would not hesitate to do so if he thought registering a .gov was worth it to make his malicious website, emails or fake news social media campaign more believable.
“I never said it was legal, just that it was easy,” the source said. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”
Earlier today, KrebsOnSecurity contacted officials in the real town of Exeter, RI to find out if anyone from the U.S. General Services Administration — the federal agency responsible for managing the .gov domain registration process — had sought to validate the request prior to granting a .gov in their name.
A person who called back from the town clerk’s office but who asked not to be named said someone from the GSA did phone the mayor’s office on Nov. 24 — which was four days after I reached out to the federal agency about the domain in question and approximately 10 days after the GSA had already granted the phony request.
WHO WANTS TO BE A GOVERNMENT?
Responding today via email, a GSA spokesperson said the agency doesn’t comment on open investigations.
“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency wrote, without elaborating on what those additional controls might be.
KrebsOnSecurity did get a substantive response from the Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security that leads efforts to protect the federal .gov domain and civilian government networks [NB: The head of CISA, Christopher C. Krebs, is of no relation to this author].
CISA said this matter is so critical to maintaining the security and integrity of the .gov space that DHS is now making a play to assume control over the issuance of all .gov domains.
“The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country,” reads a statement CISA sent to KrebsOnSecurity. “Its use by these institutions should instill trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration.”
The statement continues:
“This transfer would allow CISA to modernize the .gov registrar, enhance the security of individual .gov domains, ensure that only authorized users obtain a .gov domain, proactively validate existing .gov holders, and better secure everyone that relies on .gov. We are appreciative of Congress’ efforts to put forth the DOTGOV bill [link added] that would grant CISA this important authority moving forward. GSA has been an important partner in these efforts and our two agencies will continue to work hand-in-hand to identify and implement near-term security enhancements to the .gov.”
In an era when the nation’s top intelligence agencies continue to warn about ongoing efforts by Russia and other countries to interfere in our elections and democratic processes, it may be difficult to fathom that an attacker could so easily leverage such a simple method for impersonating state and local authorities.
Despite the ease with which apparently anyone can get their own .gov domain, there are plenty of major U.S. cities that currently do not have one, probably because they never realized they could with very little effort or expense. A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.
Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political center of Silicon Valley. No doubt a great number of smaller cities also haven’t figured out they’re eligible to secure their own .gov domains. That said, some of these cities do have .gov domains (e.g. nyc.gov), but it’s not clear whether the GSA would allow the same city to have multiple .gov domains.
In addition to being able to convincingly spoof communications from and websites for cities and towns, there are almost certainly a myriad other ways that possessing a phony .gov domain could be abused. For example, my source said he was able to register his domain in Facebook’s law enforcement subpoena system, although he says he did not attempt to abuse that access.
Now consider what a well-funded adversary could do on Election Day armed with a handful of .gov domains for some major cities in Democrat strongholds within key swing states: The attackers register their domains a few days in advance of the election, and then on Election Day send out emails signed by .gov from, say, miami.gov (also still available) informing residents that bombs had gone off at polling stations in Democrat-leaning districts. Such a hoax could well decide the fate of a close national election.
“Back in the day, everyone not in the federal government was supposed to register in the .us space,” Levine said. “At some point, someone decided .gov is going to be more democratic and let everyone in the states register. But as we see, there’s still no validation.”
Levine, who served three years as mayor of the village of Trumansburg, New York, said it would not be terribly difficult for the GSA to do a better job of validating .gov domain requests, but that some manual verification would probably be required.
“When I was a mayor, I was in frequent contact with the state, and states know who all their municipalities are and how to reach people in charge of them,” Levine said. “Also, every state has a Secretary of State that keeps track of what all the subdivisions are, and including them in the process could help as well.”
Levine said that, like the Internet itself, this entire debacle is yet another example of an important resource with potentially explosive geopolitical implications that was never designed with security or authentication in mind.
“It turns out that the GSA is pretty good at doing boring clerical stuff,” he said. “But as we keep discovering, what we once thought was a boring clerical thing now actually has real-world security implications.”
The Cybersecurity and Infrastructure Security Agency (CISA) is teaming up with election officials and their private sector partners to develop and pilot an open source post-election auditing tool ahead of the 2020 elections.
The tool, known as Arlo, is being created by VotingWorks, a non-partisan, non-profit organization dedicated to building secure election technology.
Arlo is open source software provided free for state and local election officials and their private sector partners to use.
The tool supports numerous types of post-election audits across various types of voting systems including all major vendors.
Arlo provides an easy way to perform the calculations needed for the audit: determining how many ballots to audit, randomly selecting which ballots will be audited, comparing audited votes to tabulated votes, and knowing when the audit is complete.
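The four calculations listed above, worked through as an added example that is not Arlo's or VotingWorks' code: a ballot-polling risk-limiting audit of a two-candidate contest using the BRAVO method (Lindeman, Stark and Yates, 2012). The tabulation, paper record, risk limit and seed are all constructed, and the page does not say which audit methods Arlo itself implements.

```python
import math
import random
from dataclasses import dataclass

# Added example of a ballot-polling risk-limiting audit (BRAVO method,
# Lindeman, Stark and Yates 2012), not Arlo's own code; all figures are constructed.


@dataclass
class AuditResult:
    complete: bool    # True once the risk limit has been met
    sampled: int      # paper ballots examined
    statistic: float  # BRAVO statistic T; the audit stops when T >= 1/risk_limit


def winner_share(tabulated: dict) -> tuple:
    """Reported winner, reported loser, and the winner's share of their combined votes."""
    (w, vw), (l, vl) = sorted(tabulated.items(), key=lambda kv: -kv[1])
    return w, l, vw / (vw + vl)


def estimated_sample_size(s_w: float, risk_limit: float) -> int:
    """Step 1: BRAVO's average sample number, the ballots to plan on pulling
    if the reported outcome is correct."""
    z_w, z_l = math.log(2 * s_w), math.log(2 * (1 - s_w))
    asn = (math.log(1 / risk_limit) + z_w / 2) / (s_w * z_w + (1 - s_w) * z_l)
    return math.ceil(asn)


def draw_ballots(n_ballots: int, k: int, seed: int) -> list:
    """Step 2: pick k ballot positions (with replacement, as BRAVO assumes)
    from a publicly generated seed so anyone can reproduce the draw."""
    return random.Random(seed).choices(range(n_ballots), k=k)


def bravo(s_w: float, winner: str, loser: str, sample, risk_limit: float) -> AuditResult:
    """Steps 3 and 4: compare each hand-read ballot with the tabulation and stop once the
    evidence suffices. Winner ballot: T *= 2*s_w (> 1); loser ballot: T *= 2*(1-s_w) (< 1)."""
    t, n = 1.0, 0
    for choice in sample:
        n += 1
        if choice == winner:
            t *= 2 * s_w
        elif choice == loser:
            t *= 2 * (1 - s_w)
        if t >= 1 / risk_limit:
            return AuditResult(True, n, t)
    return AuditResult(False, n, t)  # sample exhausted: draw more or hand count


def audit(tabulated: dict, paper: list, risk_limit: float, seed: int) -> AuditResult:
    """Run the whole workflow against the paper record (in ballot manifest order)."""
    w, l, s_w = winner_share(tabulated)
    picks = draw_ballots(len(paper), estimated_sample_size(s_w, risk_limit), seed)
    return bravo(s_w, w, l, (paper[i] for i in picks), risk_limit)


if __name__ == "__main__":
    paper = ["A"] * 600 + ["B"] * 400  # constructed paper record matching the tabulation
    random.Random(1).shuffle(paper)
    print(audit({"A": 600, "B": 400}, paper, risk_limit=0.1, seed=20191118))
```

If the paper ballots contradict the tabulation, T never reaches 1/risk_limit and the audit ends with `complete=False`, which is the signal to enlarge the sample or proceed to a full hand count.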
The first version of Arlo is already supporting pilot post-election audits across the country, including several from this month’s elections.
Some partners of this pilot program include election officials in Pennsylvania, Michigan, Missouri, Virginia, Ohio, and Georgia. Additional partners will be announced in the coming weeks.
Improving post-election auditing
CISA’s investment is designed to support election officials and their private sector partners who are working to improve post-election auditing in the 2020 election and beyond.
“Heading into 2020, we’re exploring all possible ways that we can support state and local election officials while also ensuring that Americans across the country can confidently cast their votes,” said CISA Director Christopher Krebs.
“At a time when we know foreign actors are attempting to interfere and cast doubt on our democratic processes, it’s incredibly important elections are secure, resilient, and transparent. For years, we have promoted the value of auditability in election security; it was a natural extension to support this open source auditing tool for use by election officials and vendors alike.”
“We’re very excited to partner with CISA to develop Arlo, a critical tool supporting the implementation of more efficient and effective post-election audits. Because Arlo is open-source, anyone can take it and use it and anyone can verify that it implements audits correctly,” said Ben Adida, Executive Director of VotingWorks.