Let's Get Critical, Critical

MegaZone is back again for a roundup of the security news that caught my eye for the week of November 10th - 16th, 2024. This time, I want to get Critical. Yes, let's get into the Critical - issues, of course. We're going to look at some very recent Critical issues making the rounds, as well as issues which made the charts in 2023 - including an old friend which keeps on giving.

And I'll end with a critical issue for all of us in the cybersecurity field, one I feel strongly about.

Atomic Batteries to Power! Turbines to Speed!

Palo Uh-Oh

It's been a rough week for Palo Alto. Actually, it started the previous week with a CVSS v4.0 9.3 Critical vulnerability being actively exploited. That vulnerability, CVE-2024-5910, was in Expedition, a migration tool that helps admins migrate from other firewall vendors to Palo Alto.

Then, this week, Palo got hit with two more Critical issues: CVE-2024-9463, with a near perfect CVSS v4.0 9.9 score, and CVE-2024-9465, with a CVSS v4.0 9.3 score. They're both also in Expedition, the former is an OS command injection which allows an unauthenticated attacker to run arbitrary commands as root. The latter is a SQL injection that allows an attacker to reveal sensitive database contents, as well as create and execute files on the system. The good news is that the attacker must be able to reach the management interface to exploit either issue. And, as we've said repeatedly, you should never expose the management interface of any device to the Internet. Ideally, the management interface will be on a restricted access LAN, and, further, packet filters can be used to restrict all access to designated administrative devices, blocking pivot attacks from other devices on the LAN.

I'm not throwing stones at Palo - F5 has had our share of Critical vulnerabilities, and I've worked on most of them over the past 15 years. It's a lot of no fun, so I'm sympathetic to Palo's incident response team, I'm sure it was a rough week. I'm sure I'm not the only security professional who, when hearing there is a new Critical vuln making the rounds, has the initial reaction of dread, and then relief when you realize it isn't your issue - this time. No boom today. Boom tomorrow. There's always a boom tomorrow.

It's All Just A Little Bit of History Repeating

MOVEit has been a recurring subject for TWIS - appearing in at least nine issues from June of 2023 through April 2024. Well, I'm extending that streak, so, once more unto the breach. (See what I did there? MOVEit, breach... I feel no shame.) The issue itself, CVE-2023-34362, has been well analyzed, and fixed for well over a year now. While the active exploitation was mostly conducted in mid-2023, the fallout from those exploits is still raining down - and probably will be for a while yet.

This time https://www.infostealers.com/article/massive-moveit-vulnerability-breach-hacker-leaks-employee-data-from-amazon-mcdonalds-hsbc-hp-and-potentially-1000-other-companies/, said trove containing over five million records lifted from 25 different organizations. Some of that data includes Amazon employee records, including job title, name, email addresses, phone numbers, and work locations - sometimes more. Which this information may not, in itself, appear sensitive, it could be leveraged for social engineering attacks, spoofing, phishing, etc. The data also reveals internal organizational structures, which may be useful in planning and targeting attacks. Amazon was not the only victim in the dump, others include HP, 3M, Lenovo, and British Telecom, but Amazon's data accounted for the bulk of the records, over 2.86 million.

MOVEit was one of the most significant cybersecurity events in recent years, and the true impact continues to grow as the captured data trickles out. We don't yet know the true extent of the information that was exposed, and we may never. I will not be surprised to see MOVEit in the news again.

The Top 15 Answers Are On The Board

The Five Eyes cyber security agencies, those being from the UK, US, Canada, Australia, and New Zealand, have released a list of the 15 most-exploited vulnerabilities of 2023. Zero-days are a dominant issue, with most of the top 15 being issues discovered and disclosed in 2023. Our friend MOVEit made the list, coming in at number six! Citrix took first and second, Cisco third and fourth, and Fortinet slotted in fifth.

The good news is that F5 did not make the top 15, the bad news is that the announcement also included a list of 'Additional Routinely Exploited Vulnerabilities' beyond the top 15, and F5 does appear in the sixth slot for CVE-2021-22986, a CVSS v3.1 9.8 Critical disclosed in March, 2021. That is a bit disappointing, not so much for the vulnerability itself, but the fact that this was fixed before the disclosure in March, 2021 and, further, affects the management interface of BIG-IP and BIG-IQ - meaning that, to be 'routinely exploited' in 2023 there must be a lot of systems that have not been patched since 2021, despite a Critical vulnerability, and that have their management interface exposed to attackers.

There's only so much we can do to address an issue. The fix was released. The issue was disclosed as a 9.8 Critical. And we've been saying for years that access to management interfaces should be tightly restricted as a general best practice. But here we have a two year old critical vulnerability on the management interface making a 'routinely exploited' list. Please, patch your systems and lock down access to your management interface. It is for your own good.

Please, for your own good, monitor your vendors' security disclosures and software updates & patches, and apply them in a timely fashion. Especially for anything that appears in the CISA Known Exploited Vulnerabilities (KEV) Catalog. Follow best practices in keeping administrative interfaces off the Internet, and locking them down as tightly as possible for your environment. Default deny everywhere, and allow only what you need to. While this won't protect you from all issues, especially zero-days, it would have prevented a number of the commonly exploited issues from being so prevalent.

Anyway, now that I have that out of my system, I recommend reviewing the full bulletin and checking your network for any of the issues.

Double Your Pleasure

Time to speed-run a couple of issues.

Several D-Link NAS devices were hit by CVE-2024-10914, a CVSS v4.0 9.2. The bad news is all of the affected devices are out of support from D-Link, so affected users are out of luck.

An existing Veeam Backing and Replication Critical issue, CVE-2024-40711, an unauthenticated RCE CVSS v3.0 9.8, is seeing a new wave of exploitation to distribute a new ransomware variant. This issue does have a fix - update to version 12.2.

It was that kind of week.

Being Human

This is a topic of personal importance to me - the mental health of security practitioners. A recent study by Hack The Box shows that cybercrime has increased 600% in the past few years, and that the cybersecurity industry is feeling the pain "with 84% of workers experiencing stress, fatigue, and burnout." Based my my own experience, and conversations with my peers, I am not at all shocked. Working in this industry has definitely affected both my mental and physical health, and I've struggled with burnout - as have many of my peers, at F5 and elsewhere. I've had a number of friends and peers express feelings of stress, burnout, and, worryingly, sometimes depression and despair, on social media and in personal conversations. It is a very real issue which I'd love to see get more attention and acknowledgment.

To be clear, this is no slight on F5. I've been here coming up on 15 years for a reason, I've been very happy to work here. I'm fortunate to be part of a stellar team with great management, but the entire industry is facing real challenges, independent of specific employers. And even the best teams can't avoid the realities of our industry.

This is an industry where we like to say the defender has to get it right every time, while an attacker only has to get it right once. There is a never-ending fire hose of new information to keep on top of, but you also need to keep up with your existing knowledge and skills. Systems get ever more complex, and there are never enough hours in the day to get everything done - long hours aren't unusual (he says, still up writing this at 06:00 because time keeps slipping away).

And the impact is on more than the individual, according to the report:

This poor mental well-being at work is costing the industry millions at a time when there is a rising skills shortage. 74% of cybersecurity professionals globally say that they have taken time off due to work-related mental well-being problems, with staff reporting taking an average of 3.4 sick days per year due to work-related mental well-being problems. This is also translating into lost productivity with an average of 3.4 hours of work lost per month, or 5.1 working days per year to poor mental well-being. This lost productivity is costing medium to large enterprises alone over $626 million per year in the US and £130 million in the UK.

Of course, this should be no surprise. Employees suffering from high stress and burnout aren't going to be at their most productive. I'm not ashamed to admit there have been times in the past I've taken a sick day because I'd gotten to the point where I needed to step away and take a breath because I felt overwhelmed. Being dedicated to your job is one thing, but taking care of yourself is part of that dedication. If you've ever experienced real exhaustion and burnout, when you see the signs again you tend to learn it is better to deal with it earlier rather than later. If taking a 'mental health day' can help you reset before you completely run out of energy, you should do it if you can. Before your body makes you do it - I've been there, done that.

There is also a disconnect between cybersecurity teams and upper management over these issues:

Research also shows that there is a significant gap in understanding between the board and cyber teams. 90% of CISOs globally say they are concerned about the impact of stress, fatigue, and burnout on their workforce’s well-being, whereas only 47% of CEOs globally seem to be equally concerned about their cybersecurity teams' stress, fatigue, and burnout on increased errors. This gap in understanding is not being prioritized across the board.

In addition, the gap is present in the reasons for burnout too. 66% of business leaders globally say that the top reasons why cybersecurity professionals are working over their contracted hours are due to increased numbers of cybersecurity threats and unpredictable threats after work hours. In contrast, 89% of cybersecurity professionals globally say the workload, volume of projects to deliver, and the time needed to deliver tasks are the key causes of burnout. In addition, they are experiencing pressure to perform outside their skillset, which ranks as a second key cause of burnout with 66%.

There is no one solution to the issue, but I can share some of what has helped me personally. The day to day battle in cybersecurity is a fight every defender knows they will eventually lose - that every time vs. one time will always get you at some point. So it can feel sisyphean - neverending with no satisfying resolution. I've learned that finding other areas where I can make progress and get the satisfaction of seeing your efforts pay off helps lift my mood. For me a big part of that has been working with CVE.org over the past few years, being involved in various working groups and being part of a community of people working to improve the CVE Program. There are real changes that have happened, and continue to happen, as a result of that work, and that's satisfying. The CVE Program is something I believe in, that I feel has value, and working to improve it just feels good.

I was also involved in organizing the first VulnCon this year, and I'm currently involved in organizing next year's, and seeing that succeed beyond our wildest expectations was hugely rewarding. Plus the event itself was energizing to attend - meeting a lot of passionate, brilliant security practitioners. Being reminded that there is a real community of great people.

I've volunteered for several grant committees at F5 in the past few years, picking grant recipients for STEM awards, etc. For me, it feels good to put something good back into the world in helping these programs. The hard part is having to pick a limited number of finalists from a pool of worthy candidates, but in the end there is a satisfaction in doing the work and in getting reports back from recipients on how the grants are helping them in their missions.

I volunteer for a local non-profit that supports our town's library, using my tech skills for something aside from work - running their website, social media, PayPal donations, etc. It's a way I can use my skills to help others - and to see positive results in my community. It's certainly less depressing than reading security industry news.

These may or may not work for you - my point is that I hope you, my colleagues in cybersecurity, find healthy mechanisms to help you cope with the immense stress we're all under, all the time. Find whatever it is that helps keep the fire alive and brings you some joy and satisfaction, which is often elusive in our day to day work. There will always be more vulnerabilities to manage. There will always be the next security incident to mitigate. That's the world we live, and work, in. The battle is not likely to end any time soon. But that battle is not all that there is, or needs to be. And I hope your employer is supportive of your efforts to find those things, as I do believe it benefits them in the end as well.

Take care of yourself. You have to do that before you can take care of anyone, or anything, else.

And yes, I need to do a better job of that myself. I'm working on it. And so I'll end this here and sign off, until next time.