Topics that are top of mind for the week ending Aug. 19 | A ransomware defense blueprint for SMBs. Why phishing is getting worse and what to do about it. The government revises its cybersecurity guidance for pipeline operators. A roundup of important vulnerabilities, trends and incidents. And much more!
1. A ransomware defense guide for SMBs
Here’s a new resource for small and medium-sized businesses looking for help preventing ransomware attacks. Using the Center for Internet Security (CIS) Critical Security Controls as a foundation, the Institute for Security and Technology (IST) has just released its “Blueprint for Ransomware Defense.”
This 16-page guide offers SMBs “an action plan for ransomware mitigation, response and recovery” and recommends 40 safeguards, including:
Identify what’s on your network, both in terms of technology being used and of data being stored or transmitted. Create an asset inventory and a data management process.
Protect what’s on your network, via secure configurations, account and access management, vulnerability management and employee security awareness.
Have an incident response plan in place so that you can act quickly and deliberately if an attack occurs.
Establish and maintain a data recovery process.
For more information:
“7 Steps to Help Prevent & Limit the Impact of Ransomware” (CIS)
“Ransomware Preparedness: Why Organizations Should Plan for Ransomware Attacks Like Disasters” (Tenable)
“7 Simple Things You Can Do Right Now to Protect Your Business from a Ransomware Attack” (U.S. Chamber of Commerce)
CISA guidance for SMBs
2. Phishing risk: It’s getting worse
A new phishing study shows that this form of cybercrime is booming, with the number of attacks spiking and profits swelling. Bottom line: Phishing risk is a serious concern for organizations, as employees get bombarded with legit-looking emails and texts that try to dupe them into revealing confidential data about themselves or their employers. Plus, many threat actors, including ransomware groups, initial access brokers and even APTs, use phishing as the initial vector for more complex attacks.
Based on an analysis of millions of phishing reports, Interisle Consulting Group’s “Phishing Landscape 2022: An Annual Study of the Scope and Distribution of Phishing” found that, comparing the 12-month period of May 2021 to April 2022 with the same period the prior year:
Phishing attacks grew 61% to 1.12 million
Domain names reported for phishing rocketed 72% to 854,000
Malicious domain name registrations surged 83% to 588,321
Cryptocurrency phishing increased 257%
So what can be done? Here are some of the report’s recommendations:
Enterprises can eliminate silos in the naming, addressing and hosting ecosystem so that policies and mitigation practices are more effective.
Registrars, registries and hosting providers must respond more quickly in a more coordinated and determined manner to phishing complaints and incidents.
Governments need to pass legislation and adopt regulations that clarify what operators must do to validate user identity, provide lawful access and respond to phishing incidents.
More information about phishing:
“Phishing scams Mac users should look out for” (Cult of Mac)
“10 Ways To Avoid Phishing Scams” (Phishing.org)
“Phishing attacks: defending your organisation” (U.K. National Cyber Security Centre)
“Counter-Phishing Recommendations for Federal Agencies” (CISA)
“US govt warns Americans of escalating SMS phishing attacks” (BleepingComputer)
“Avoiding Social Engineering and Phishing Attacks” (CISA)
3. Vulnerabilities associated with 2021’s top malware
Right after the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) outlined the top malware of 2021, Tenable’s Security Response Team identified vulnerabilities associated with these malicious strains.
In a blog post, SRT research engineers Claire Tills and Satnam Narang explain that, while the list of vulnerabilities isn’t exhaustive, it offers a starting point for organizations looking to cut off known attack paths exploited by the most prolific malware.
Check out the table below for the vulnerabilities and read the blog post to get detailed analysis and insights, including:
14 of the 17 vulnerabilities are in Microsoft products.
Nine of the flaws could lead to code execution.
All but four of the vulnerabilities are more than two years old.
The oldest was patched in 2015.
Only one is an elevation of privilege flaw.
CVE | Description | CVSSv3 | VPR*
CVE-2015-5122 | Adobe Flash Player use-after-free | v2 10.0 | 9.7
CVE-2016-0189 | Scripting Engine memory corruption | 7.5 | 9.8
CVE-2016-4171 | Adobe Flash Player arbitrary code execution (apsa16-03) | 9.8 | 8.9
CVE-2017-0144 | Windows SMB remote code execution (EternalBlue) | 8.1 | 9.6
CVE-2017-0199 | Microsoft Office/WordPad remote code execution | 7.8 | 9.8
CVE-2017-11882 | Microsoft Office memory corruption | 7.8 | 9.9
CVE-2017-8570 | Microsoft Office remote code execution | 7.8 | 9.8
CVE-2017-8750 | Microsoft Browser memory corruption | 7.5 | 8.9
CVE-2017-8759 | .NET Framework remote code execution | 7.8 | 9.8
CVE-2018-0798 | Microsoft Office memory corruption | 8.8 | 9.8
CVE-2018-0802 | Microsoft Office memory corruption | 7.8 | 9.8
CVE-2018-14847 | MikroTik RouterOS remote code execution | 9.1 | 8.8
CVE-2020-0787 | Windows Background Intelligent Transfer Service elevation of privilege | 7.8 | 9.8
CVE-2021-34527 | Windows Print Spooler remote code execution (PrintNightmare) | 8.8 | 9.8
CVE-2021-40444 | Microsoft MSHTML remote code execution | 7.8 | 9.8
CVE-2021-43890 | Windows AppX installer spoofing vulnerability | 7.1 | 9.7
CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool remote code execution (Follina) | 7.8 | 9.8
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. These VPR scores are current as of Aug. 18.
Source: Tenable Research, August 2022
More information:
Joint CISA/ACSC alert
“The most prolific malware strains of 2021 are yesterday’s news with a modern twist” (SC Media)
“What are the Top 2 Malware Strains Last Year According to CISA, ACSC?” (ITechPost)
4. Among IoT adopters, security is now less of a concern
Security concerns aren’t as big of a barrier to IoT adoption as they were five years ago, according to the Wi-SUN Alliance’s “The Journey to IoT Maturity” report, which surveyed 300 IT pros in the U.S. and the U.K. involved in IoT implementation projects. Security is also seen as less of a technical challenge today.
By contrast, respondents are more worried about data privacy issues, as well as about big data rollouts and regulation, according to the industry group’s report.
That’s not to say that security has become a non-issue. On the contrary, it remains a major challenge for IoT success, along with the cost of implementation failures, the IT infrastructure’s complexity and the need to see proven return on investment (ROI).
Security also features prominently elsewhere in the report – specifically the “security and surveillance” use case, which ranks among the top IoT initiatives respondents are most likely to roll out in the next 12 to 18 months, along with:
Distribution automation
Advanced meter infrastructure
Smart parking
Electric vehicle charging
For more information:
“What is IoT security?” (TechTarget)
“Securing the Internet of Things Supply Chain” (IoT Security Foundation white paper)
“Top 5 IoT security threats and risks to prioritize” (TechTarget)
“Securing the Internet of Things” (U.S. Department of Homeland Security)
NIST Cybersecurity for IoT Program
5. TSA updates security requirements for pipeline operators
After facing criticism, the U.S. government’s Transportation Security Administration (TSA) has revised its cybersecurity requirements for oil and natural gas pipelines, aiming to make them clearer and more flexible by basing them on performance and outcomes.
The first iteration of the requirements, released in mid-2021 in response to the Colonial Pipeline ransomware attack, was more prescriptive, and that made it confusing and difficult to adopt.
The revised directive’s guidance includes:
Implement network segmentation so that compromises of operational technology (OT) systems don’t hobble IT systems, and vice versa.
Prevent unauthorized access to critical systems via access control measures.
Continuously monitor and detect cyberthreats and fix anomalies that affect systems.
Patch and update critical systems with a timely, risk-based process.
Requirements include:
Establish and execute a TSA-approved implementation plan that describes the cybersecurity measures being used to achieve security outcomes.
Develop and maintain a plan to respond to cybersecurity incidents that disrupt operations or impact business.
Establish an assessment program to test and audit cybersecurity measures and identify and resolve vulnerabilities in devices, networks and systems.
Report significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
Establish a cybersecurity point of contact.
Conduct an annual cybersecurity vulnerability assessment.
More information:
“‘TSA has screwed this up’: Pipeline cyber rules hitting major hurdles” (Politico)
“What TSA’s updated cybersecurity guidelines mean for pipeline security” (Smart Industry)
“TSA revises cybersecurity guidelines for gas pipeline owners and operators” (FedScoop)
“TSA unveils updated cybersecurity regulations of oil and gas pipelines” (The Record)
“How Can We Strengthen the Cybersecurity of Critical Infrastructure?” (Tenable)
6. Quick takes
Here’s a roundup of vulnerabilities, trends, news and incidents from the world of cybersecurity to have on your radar screen.
Vulnerabilities to watch
Zoom has patched a vulnerability affecting its macOS app.
A Google Chrome zero-day vulnerability is being actively exploited in the wild.
Multiple Zimbra CVEs are being exploited.
There’s an RSA private key leak vulnerability impacting Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
Microsoft called on Windows users to patch the DogWalk zero-day vulnerability as part of its August Patch Tuesday announcement.
Apple patched two critical zero-day vulnerabilities exploited in the wild affecting iOS and iPadOS, as well as macOS Monterey.
Trends
Data stolen in ransomware attacks is getting leaked and fueling a spike in business email compromise (BEC) attacks.
The Log4j vulnerability is driving a surge in threat activity.
Fraudulent crypto apps have netted cybercrooks almost $43 million stolen from 244 victims, the FBI warned.
Incidents
Cisco was hit by an attack against its corporate IT infrastructure. More information is available from Cisco’s Talos team, as well as from CSO Magazine and Dark Reading.
It may take weeks for a partner of the U.K.’s National Health Service to fully recover from a recent ransomware attack that disrupted various NHS services.
Twilio got breached via a social engineering attack.
News
CISA has released an elections-protection toolkit for state and local government officials, election officials and vendors.
A “quantum computing resistant” algorithm chosen recently as a finalist in a U.S. government competition barely put up a fight against a single-core CPU.
Check out guidance about the Zeppelin ransomware from the FBI and CISA.
(Tenable Senior Research Engineer Claire Tills contributed to this blog.)