Taking the Pledge, Caught on Camera, Introducing ADP, FBI Kills 911, and Justified Paranoia

Welcome to This Week in Security for May 27th through June 2nd, 2024.  Once again, MegaZone is your editor for the week, it's good to be back.  This time around I have a little F5 security news to share, a follow-up on VulnCon 2024, an update on NVD and the unveiling of CISA's Vulnrichment effort, news of the FBI taking down the world's largest botnet, and a reminder to be aware of your surroundings.

Overall, the security news this week didn't have anything that especially caught my eye, aside from the botnet, but there was the usual deluge of news on ransomware, data theft, etc.  I think I'm getting desensitized to that kind of news.  Week in, week out we see the same kinds of stories, and it never ends.  All we can do is keep fighting to make our little piece of the puzzle better, more secure, and hope it all adds up in the end.

CISA Pledge, For Protection As You Go

In April 2023, CISA launched their ‘Secure by Design’ initiative as an effort to make technology vendors responsible for better security in their products.

Part of this effort is a voluntary ‘Pledge’ for vendors of enterprise software products and services who commit to make a good-faith effort to work toward the goals as outlined in the pledge, and then publicly document their progress within one year of signing.  I'm happy to say that F5 has signed the pledge and is now listed amongst the Pledge Signers. 

You can download the full pledge as a PDF, but to summarize there are seven areas of interest:

1. MULTI-FACTOR AUTHENTICATION (MFA) - GOAL: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
2. DEFAULT PASSWORDS - GOAL: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
3. REDUCING ENTIRE CLASSES OF VULNERABILITY - GOAL: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
4. SECURITY PATCHES - GOAL: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
5. VULNERABILITY DISCLOSURE POLICY - GOAL: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
6. CVES - GOAL: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.  While not required for this goal, companies are encouraged to go above and beyond by filing CVEs for other vulnerabilities that do not meet these criteria for the reasons described below. Companies are also encouraged to explore additional ways to enrich their CVE records to help customers better respond to vulnerabilities.
7. EVIDENCE OF INTRUSIONS - GOAL: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

F5 has already made significant progress in these areas over the past few years, and you will see more movement over the coming year.

• https://www.cisa.gov/securebydesign
• https://www.cisa.gov/securebydesign/pledge
• https://www.cisa.gov/sites/default/files/2024-05/CISA%20Secure%20by%20Design%20Pledge_508c.pdf

Pics Or It Didn't Happen

In my last stint in the editor's chair I wrote about the then just completed VulnCon 2024 wherein I mentioned that the panels had been recorded and would be out soon.  Well, since then, they were indeed made available and there is a full playlist on YouTube.  44 videos full of great content that I encourage you to explore at your leisure.

As I said last time, VulnCon 2025 will be back at the McKimmon Center in Raleigh, NC April 7-11, 2025.  Instead of three days and three tracks, we're planning for four days and four tracks, for even more content.  We've already started meeting to plan 2025 and I hope to see more of you there.  I'm sure I'll have more to say later this year when it is time for the Call for Papers, etc.

• https://www.youtube.com/playlist?list=PLWfD9RQVdJ6db44oVABnI_JhIFEumoQn

NVD Staggers On, While CISA Shows A Better Way

Also in my last go-round, I wrote about the meltdown with NVD and the then-pending announcement of some kind of consortium effort.  Since then, things have changed - there is still no sign of the consortium details, but NIST has announced that they have issued a contract for additional processing support for the NVD.  Additionally, NIST is working with CISA to try to tackle the backlog that has built up.  Since mid-February, less than 1/10th of new CVEs have been analyzed by NVD.  So, it seems like they're trying to resurrect NVD as it has been, which I remain skeptical about.  The volume of CVEs is going to continue to increase and attempting to re-evaluate every CVE remains a sisyphean task.

There are better ways to do it, in my opinion - speaking of, CISA has tossed their hat into the ring with their 'Vulnrichment' effort.  Unlike NVD, CISA is working with CVE.org and is the first active Authorized Data Publisher (ADP) in the CVE program.  This means that CISA's data is included directly in the official CVE Record, with no need to pull from a second feed.  The primary goal of Vulnrichment is to provide Stakeholder-Specific Vulnerability Categorization (SSVC) and Known Exploited Vulnerabilities (KEV) information for CVEs, as well as CVSS, CWE, and CPE data, as NVD has done.  However, unlike NVD, CISA will only be providing CVSS, CWE, and/or CPE for CVE records with the CNA has not already provided the information.  CISA will not be second guessing CNAs, as NVD does.

This is what CISA has to say:

Since the CISA ADP is committed to encouraging CNAs to Do The Right Thing and provide their own CWE, CVSS, and CPE data, if a CVE entry is updated to include that data after the CISA ADP has made their assessment, the CISA ADP will drop its own assessments from the CVE entry. This approach will reduce duplicate (and conflicting) data within the CVE record. In the rare event that there is CWE, CVSS, or CPE data provided by the originating CNA and the CISA ADP, this should be treated as an error in the CISA ADP container, and the originating CNA's data should take precedence.

The ADP process has been in the works for a long time at CVE.org and it is great to see the first ADP go live.  If you'd like to learn more, check out the ADP page at CVE.org, but the short version is that an ADP is an organization that is authorized to provide specific data to enhance CVE records - in the case of CISA this is SSVC, KEV, CVSS, CWE, and CPE, for example.  The ADP program is what I was alluding to last time when I wrote: "Ideally, in my opinion, NVD would feed enriched data into the CVE program and could also stop spending resources on creating their own data feed, CVE website, etc.  Everything would be in the CVE Record and the official CVE feeds and website."  I believe that, if NVD insists on continuing to try to push that rock up the mountain, it would be better if they worked with the CVE program and became an ADP.  They could save resources from having to create and host their own site, feeds, etc., which duplicate the work already being done by the program.  And as other ADPs come online, the CVE Records will contain even more information, which today NVD does not have any process for ingesting and forwarding.

• https://www.nist.gov/itl/nvd
• https://www.cybersecuritydive.com/news/nist-cve-analysis-gap/717226/
• https://github.com/cisagov/vulnrichment
• https://www.cve.org/Media/News/item/blog/2024/06/04/CISA-Added-as-CVE-Authorized-Data-Publisher
• https://www.cve.org/ProgramOrganization/ADPs

The Bigger They Are, The Harder They Fall

The FBI, working with international partners, has taken down what they termed "likely the world's largest botnet, ever" with the arrest of Yunhe Wang, the alleged administrator of the 911 S5 Botnet.  The botnet was comprised over over 19 million compromised Windows machines spread across nearly 200 countries.  The FBI also seized infrastructure and assets and levied sanctions against Wang's alleged co-conspirators, Jingping Liu and Yanni Zheng.  The US Treasury Department claims Wang made roughly US$99 million from operating the botnet and spent some of that on sweet loot including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, and a Rolls-Royce.  (Sometimes having morals hurts.)

The botnet was fronted by apparently legitimate paid VPN services, including Mask VPN, Dew VPN, Paladin VPN, ProxyGate, Shield VPN, and Shine VPN.  When users installed the VPN clients they were also installing a backdoor for the botnet to use their machine.  Another infection vector was thr,ough pay-per-install services used for pirated software or copyrighted materials, which would also install the backdoor.  911 S5 Botnet services were sold to all comers who would then us it for their own criminal activities.  It was used for crimes including filing fraudulent COVID aid relief and unemployment claims, costing the US billions, making bomb threats, and distributing child exploitation materials.

• https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
• https://www.theregister.com/2024/05/29/911s5_botnet_arrest/
• https://www.scmagazine.com/news/fbi-takes-down-911-s5-botnet-likely-the-worlds-largest-at-19m-ips

Paranoia, The Destroyer

This one is a bit of a light-hearted story that highlights a serious issue - physical security is part of cyber security.  Shoulder surfing is a real risk, and all of the software protections in the world won't help you if you don't protect physical access to your devices, or the information displayed thereon.  UK veterans' affairs minister Johnny Mercer was using his laptop on a train when a shoulder surfer photographed his screen, capturing confidential party memos.  They were then published in The Times.  Sometimes the simplest attacks are the most effective, and it is a reminder to maintain situational awareness when working in public locations.

• https://www.theregister.com/2024/05/24/little_weirdo_shoulder_surfer_teaches/
• https://www.thetimes.com/uk/politics/article/no-10-neglecting-rishi-sunaks-more-popular-colleagues-laments-minister-w0jgw7tzt

As always, if this is your first TWIS, you can always read past editions.  I also encourage you to check out all of the content from the F5 SIRT.  Until next time.