First Officer’s log, Terrestrial date, 05232022. Officer of the Deck reporting. We’ve had another active week, with several stories getting our attention and the following are four of the most interesting.
CISA’s CVE backtrack
What happened
CISA has temporarily removed CVE-2022-26925 from the Known Exploited Vulnerability Catalog due to some unforeseen issues when it’s deployed to domain controllers. It’s an unusual step, but not unheard of where there are special circumstances.
Why it matters
The patch for CVE-2022-26925 could cause authentication failures if it was applied to domain controllers, which would lead to obvious problems. The patch is still appropriate for other systems and should be applied normally. For domain controllers, it’s best to follow Microsoft’s advice for mitigating the problem until they release an updated version of the patch.
What they said
Dive deeper into the story here
U.S. govt loses big in Telegram cybercrime
What happened
The US government lost over $160 Billion in Covid aid to fraud by cybercriminals using botnets and messaging applications like Telegram. The messaging applications gave the criminal groups and others looking to defraud the system a way to exchange tactics and techniques, while the botnets let them amplify their attacks to overwhelm the target systems. Instead of sending tens of requests from an attacker’s host, the botnets let them send millions.
Why it matters
Jokes about government waste aside, these attacks lost huge amounts of money and have had a fallout on the innocent individuals whose identities were used to make the claims. Some indirect victims have found they are having trouble getting aid after criminals used their identities.
The Covid relief efforts were deployed quickly to meet a crisis, but this is a reminder that things need to deploy securely as well as quickly.
What they said
It’s no surprise that this story got plenty of attention. Read more here
NIST updates guidelines
What happened
The National Institute for Standards and Technology (NIST) has updated their guidelines for Supply Chain Security management. At over 350 pages, the guide provides a comprehensive overview of security considerations for the supply chain.
Why it matters
Threat actors have used 3rd party vendors, both in the supply chain and in other supporting roles, to launch some high-profile attacks over the years. With recent supply chain disruptions and organizations having to scramble to compensate, there’s pressure to move quickly that could lead to overlooking checks on the new supplier’s security. Considering the increased threat of attack, and the relative fragility of the current situation, organizations should seriously consider reviewing NIST’s guidelines and making sure they and their vendors are up to date.
What they said
Dive deeper into NIST’s reasoning here
Iranian hackers get in on Log4J action
What happened
The Iran-linked APT group Cobalt Mirage continues attacking US based organizations for financial and intelligence gains.
Why it matters
The most notable aspect of this ongoing threat is their continued use of Log4J as a vector. While some might consider Log4J to be “so 2021” the fact remains that it will have a Long Tail effect as organizations and developers find and fix applications and deployments that they didn’t even remember building with Log4J.
The long term challenge with Log4J will be finding all those forgotten systems that will remain vulnerable simply because no one remembers they’re there, or what they were built on. Though, to be fair, this isn’t the only vulnerability that attackers are still leveraging months, or even years, after a fix came out.
What they said
It’s safe to say that Cobalt Mirage is making waves. Go deeper.
Want to get ahead of the stories? Join the conversations as they happen with the Vulcan Cyber community Slack channel