Once More With Feeling - Nov 20 - 26, 2023 - F5 SIRT - This Week in Security
Hello, MegaZone is back with you this time. It's been a while, sorry about that. I missed publishing the last time my turn came up, back in September. I'd travelled to F5 HQ in Seattle for a team summit, which was already going to make it a challenge, and I went and picked up a travel bug - on the way there. So it wasn't a great week, and I was just about able to make it through the day's summit before running out of spoons and heading right back to my room. First time back in Seattle since 2019 and I never left the tower. Shame, I was really hoping to hit at least a couple of favorites while in town. Well, anyway, sorry about that, stuff happens. But I'm back now.
Right, unless this is your first TWIS, you know the drill. I grabbed a few stories from the past week that caught my fancy and I'm sharing them here with you, along with a little commentary. Why these stories? There's no rhyme or reason really, they just appealed to me in some way. Don't expect any deep insights, I don't fancy myself any kind of expert. Just another exhausted person trying to do their best and make things a little more secure, one fight at a time.
If this is your first TWIS, note you can always read past editions.
Oh, and it isn't security related, really, so I won't cover it below, but how about that OpenAI drama this past week? That was something else.
Caught Between the Scylla and Charybdis
OK, technically this happened the previous week, but since it wasn't covered in the last TWIS I get to talk about it. Which is great, because I really found this story interesting - and overdue: the weaponization of government regulations.
Ransomware group AlphV struck publicly traded company MeridianLink and had been pushing their victim to pay up, apparently unsuccessfully. So they decided to increase the pressure - by reporting their own attack to the SEC. The SEC recently adopted a rule (Form 8-K Item 1.05) that requires publicly traded companies to disclose a cybersecurity incident within four business days of determining that the incident is material to their business. It seems their plan was to push MeridianLink into paying up to end the incident, to minimize the fallout, or at least to punish them (via SEC penalties) for not paying the ransom.
In this case it may not work as hoped - the disclosure requirement doesn't actually take effect until mid-December (December 18), so there was nothing for MeridianLink to be late on. Still, I kind of have to admire the brazenness of their approach.
I think we'll be seeing more of this - if it isn't already happening out of the public eye. We only know about this because AlphV decided to also publicly name and shame their victim, probably as a way to increase the pressure on them. But this could become a standard add-on to a ransomware attack - the incentive to pay the ransom is not only to get your data back and restore operations, but also to keep the attacker from reporting you to your regulator, where you may face additional penalties. It also changes the equation for companies considering skirting regulations by not self-reporting incidents, or playing semantic games to classify incidents in ways that avoid reporting requirements. The risk goes up if the attacker is willing to drop a dime on you.
While the law of unintended consequences is harsh, I do still think these regulations are good, overall. Some members of Congress, however, do not agree. Bills introduced in both the House and Senate seek to overturn the new SEC rule, in part because of exactly this type of unintended consequence. So that will be something to watch for. Currently the two bills appear to be stuck in committee.
I Like to MOVEit, MOVEit!
No, you didn't just experience deja vu. The last time I was in the editor's seat, in July, I did indeed have an entry for MOVEit. Which is why it caught my attention when an article came across my feed this week with an update on the story. From that article, the latest tally is that 2,620 organizations and over 77 million individuals have been impacted by the vulnerability in the MOVEit file transfer application. One of the latest victims disclosed is, ironically, Avast. When I covered this in July it was a fairly new story and I, perhaps optimistically, wrote "it seems clear we'll have more than 500 victim organizations." Well, that turned out to be lowballing things a bit. More accurately, I also said "It seems likely that it will be a while before the true scope of the impact is known; just how many organizations were hit, and how many millions of individuals have likely had their records breached." Given the way things continue to unfold, that seems to be as true today as it was when I first wrote it.
Perhaps prophetically, I also wrote: "the MOVEit breach is turning into one of the largest cybersecurity incidents of the year." With 2023 rapidly drawing to a close, MOVEit definitely remains in the running.
Hello, Is There Anybody In There?
This one interested me as I recently had my F5 laptop refreshed and my new machine included a decent fingerprint reader with Windows Hello support, so I'd been playing with it. Turns out it may have some issues to be aware of, at least if you lose physical control of the device. The researchers (Blackwing Intelligence, working at Microsoft's request) bypassed fingerprint authentication on three laptops by placing hardware in the middle of the USB link between the fingerprint sensor and the host. The weak point wasn't the biometrics themselves but how the sensor vendors implemented, or in some cases didn't enable, Microsoft's Secure Device Connection Protocol (SDCP), which is supposed to authenticate that link so the host can trust what the sensor reports. There doesn't seem to be any reason not to use Windows Hello; it is more something for vendors to address to close off the avenue of bypass the researchers found. The attack requires physical access, custom hardware, and considerable skill, so it isn't something most of us need to be too concerned about.
What Does the Fox Say?
This one just has everything - a nuclear research lab breached by self-described 'gay furry hackers', SiegedSec, who want the lab to use radiation to create real-life human-feline hybrids... aka, catgirls. I mean, someone get Netflix, or Crunchyroll, on the line, we have the next animated series plot setup right here. I think someone is having a bit of fun, but theft of employee data from the Idaho National Laboratory (INL) is certainly a serious issue, and I'm sure quite concerning for those affected.
I kind of want to run into these folks at DefCon sometime, they sound fun. Criminal acts aside, of course.
Money, It's A Gas
Cryptominers are something we see commonly on compromised devices. In this case the Kinsing malware is exploiting CVE-2023-46604, a deserialization flaw in Apache ActiveMQ's OpenWire protocol that allows unauthenticated remote code execution, to install cryptomining software on Linux systems. The fix is to upgrade brokers (and clients) to 5.15.16, 5.16.7, 5.17.6, or 5.18.3, and if an exposed ActiveMQ instance has been sitting unpatched, assume it has already been scanned. Cryptomining is certainly one of the most common uses we see for compromised systems in customer cases, if not the most common. I have to wonder how effective that is, trying to use CPU resources on generic Linux servers and appliances, like a BIG-IP, for cryptomining when you're competing with massive mining farms with dedicated rigs. It really doesn't seem like it would be that great of a return, even for a low effort scripted attack. But someone has probably done an analysis on that - feel free to point it out in the comments if you know of one.
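As a practical check to go with the above, here is a small version-triage script. It is an added example, not code from the original post, from F5, or from the Apache ActiveMQ project. It encodes the fixed versions from the Apache advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3) and treats anything on a newer branch, including 6.x, as fixed, which is an assumption on my part rather than something the advisory spells out. The function name `is_vulnerable` and the sample version strings are mine.

```python
import re

# Earliest fixed patch level on each 5.x minor branch, from the Apache
# advisory for CVE-2023-46604. Branches older than 5.15 never received a fix.
FIXED_PATCH_BY_MINOR = {15: 16, 16: 7, 17: 6, 18: 3}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from strings like '5.18.2' or
    'ActiveMQ 5.17.5-SNAPSHOT'. Raises ValueError if no x.y.z is present."""
    match = _VERSION_RE.search(version)
    if match is None:
        raise ValueError(f"no x.y.z version found in {version!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """Return True if this ActiveMQ version is affected by CVE-2023-46604.

    Assumption (not stated in the advisory): any major version above 5, or any
    5.x minor branch newer than 5.18, post-dates the fix and is treated as safe.
    """
    major, minor, patch = parse_version(version)
    if major != 5:
        return major < 5
    if minor < 15:
        # 5.14 and earlier: no fixed release exists on these branches.
        return True
    fixed_patch = FIXED_PATCH_BY_MINOR.get(minor)
    if fixed_patch is None:
        # 5.19+ would be newer than every fixed release (assumption above).
        return False
    return patch < fixed_patch


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each reported version string to its vulnerability verdict,
    skipping entries that don't carry a parseable version."""
    verdicts = {}
    for version in versions:
        try:
            verdicts[version] = is_vulnerable(version)
        except ValueError:
            continue
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts or real scan output.
    sample = ["5.18.2", "5.18.3", "5.15.15", "5.16.7", "5.17.5", "5.14.5", "6.0.0", "unknown"]
    for ver, vuln in triage(sample).items():
        print(f"{ver:>8}: {'VULNERABLE' if vuln else 'fixed'}")
```

The version string is usually visible in the broker's web console or the `activemq --version` output; feed whatever your inventory tooling reports into `triage()`. A fixed version only tells you the hole is closed, not that nobody came through it first, so an unpatched exposure window still warrants a look for unexpected processes and outbound connections.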
Hush Hush, Keep It Down Now
CISA continues to update their Secure by Design guidelines, which they first started publishing in April of this year. The project has expanded to include a number of US and international partners, with the goal of encouraging vendors to follow best practices to produce software that is, well, secure by design. I think this is a great thing, and a worthy goal, and I encourage anyone doing software development to look at their guidance.
That's all I have this time around. Hopefully I'll see you again around the end of January. We'll see if another silly theme comes to me for that one.