A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile

Organizations should be careful that the workers they hire on a freelance and temporary basis are not operatives working to funnel money to North Korea's WMD program, US DOJ says.

US organizations that hire freelance and temporary IT workers should be sure they are not signing up individuals working on behalf of the North Korean government.

In recent years, the Democratic People's Republic of Korea has flooded the freelance market with thousands of skilled IT workers who are quietly directing their earnings to the sanctions-ridden nation's nuclear weapons program. The workers primarily reside in Russia and China and use a medley of pseudonymous email and social media accounts, false websites, proxy computers, and other mechanisms to hide their true identities and locations when applying to work on a freelance basis for US and other firms worldwide.

**Seizure of Web Domains and Cash**

Last week, the US Department of Justice released details of the massive scam in announcing court-authorized seizures of 17 domains and some $1.7 million in revenues associated with the operation.

"The Democratic People's Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program," Special Agent in Charge Jay Greenberg of the FBI St. Louis Division said in a statement last week. "This scheme is so prevalent that companies must be vigilant to verify whom they're hiring."

The DOJ described the 17 domains it seized as being used by some North Korean IT workers to apply for remote work in the US and elsewhere. The websites appeared to be the domains of legitimate US-based IT services companies. In reality, however, the people behind it were North Korean IT workers with a China-based company called Yanbian Silverstar Network Technology Co. Ltd and another Russian company identified as Volasys Silver Star.

The North Korean IT workers at these companies used various online payment services and Chinese bank accounts to funnel earnings from their work as freelance IT workers back to North Korea. Each year, the workers have been generating millions of dollars for entities like North Korea's Ministry of Defense and other agencies tied to the country's WMD programs, the DoJ said.

**Previous Warning**

This is not the first time that the DoJ has warned US organizations of the scam. In a May 2022 advisory, the US government issued a similar warning about North Korean IT workers using VPNs, virtual private servers, purchased third-party IP addresses, proxy accounts, and stolen ID documents to pass themselves off as IT workers from other countries.

The advisory also provided specific guidance that hiring managers and other decision-makers could use when contracting for work with a freelancer. Some red flags: multiple logins into one account from various IP addresses in a short period; IP addresses associated with different countries; frequent money transfers through payment platforms, especially in China; and requests for payment in cryptocurrencies, the DoJ had noted.

The DoJ also urged US organizations to be on the lookout for other potential signs including inconsistencies in name spellings, claimed work location, contact information, and details about their education and work history across social media profiles, professional websites, and payment profiles. An inability by a freelancer to work during required business hours or any difficulty reaching the worker in a timely fashion are also factors to consider, the DoJ said.

**Camera Shy**

Last week's advisory provided updated advice for US organizations on how to spot a potential North Korean IT worker. Red flags include an unwillingness or inability by the freelance worker to come on camera or do video interviews and conferences, inconsistencies such as time of day and location, when they do appear on camera. Other giveaways include signs of cheating on coding tests or interviews — such as excessive pausing, stalling and eye scanning movements; repeated requests for prepayment and threats to release source code if payment is not made.

The advisory provided organizations with a list of things they can do to minimize risk including requesting documentation of background checks when using a third-party staffing firm; conducting due-diligence checks on individuals that a third-party firm might provide for freelance work; and not accepting background checks from unknown firms.

"These kinds of threats are incredibly challenging and costly to manage at a corporate level," said Andrew Barrett, vice president at Coalfire, in a statement. "Freelancers and contractors are an integral part of many businesses and entire companies have spun up, such as Fiverr, to help create a marketplace for them."

Detecting fake identities can be hugely challenging using typical background checks when dealing with state-sponsored fake identities, Barrett said.

Freelance Market Flooded With North Korean IT Actors

To protect themselves from threats, companies also need proactive cybersecurity.

The Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) have issued guidance suggesting companies consider cyber insurance as a means of resilience against cyberattacks. While essential, merely suggesting cyber insurance isn't enough. The government must ensure its availability and affordability, especially for small businesses. Businesses must also take other steps to prevent cyber-risks and keep policies affordable. 

The digital age brings immense benefits, but with it comes increased cyber threats to businesses. The solution isn't just insurance — it's proactive cybersecurity.

Businesses should consider cyber insurance a risk management tool, but it's not a comprehensive solution to all cybersecurity challenges. It also may be beyond some small businesses' financial means, and the cost is increasing. According to NAIC, cyber-insurance premiums grew 61% in 2021 alone, when the average annual cost for cyber insurance for a business with $1 million in revenue to have $1 million in coverage (with a $10,000 deductible) was $1,485. The prices have since increased, and some businesses find insurers unwilling to renew policies or even cancelling them. 

Even for businesses that can get — and afford — cyber insurance, it isn't comprehensive and doesn't cover every possible type of security breach. Instead, policies cover a set of named perils. An inexperienced buyer may not realize the protection limitations, given the variety of coverages, exceptions, and exclusions in policies. Policies, for example, may not cover cyber terrorism, state-sponsored attacks, contractual liabilities, or intellectual property infringement, and may have exclusions for war, terrorism, bodily injury, and property damage. Policies may also have deductibles, co-payments, and sublimits that reduce the amount of coverage. 

**How Agencies Can Help**

A recommendation to invest in cyber insurance is excellent, even if it doesn't protect against all threats. However, businesses must be able to afford and obtain it to follow the recommendation. Agencies can increase and expedite cyber-insurance adoption — and general business cyber protection — by implementing a holistic approach that supports businesses' use of proactive cybersecurity measures, provides education, and encourages industry and policy cost subsidization.

The cyber-insurance market lacks standardization, with companies offering policies that cannot be readily compared. This creates challenges for consumers and brokers alike when trying to evaluate policies. A standardized format for presenting policies, perhaps patterned on the 100/300/100 approach used for auto insurance or the energy facts labels used on appliances, could aid consumers in making informed purchase decisions. Agencies can offer incentives to encourage industry self-regulation to promote consistent policy presentation and clarity. This can benefit insurers, underwriters, brokers, and policyholders alike.

**Government Should Subsidize Cyber Insurance**

The government can also aid in cyber-insurance uptake through targeted subsidization. Uninsured businesses create harms that are transferred to the public if they fail after an incident. Companies are also faced with threats from state actors and state-affiliated attackers, which are, rightly, costs borne by the government. Agencies can promote cyber insurance and offer incentives, such as tax credits, for purchasing it. Federal and state governments can aid in policy affordability by creating a backstop fund to cover catastrophic cyber-incident costs, which may cause insurers to fail, and incidents attributable to state actors and state-affiliated attackers. State-backed models exist for other catastrophic risks, like hurricanes and floods. The federal government has also provided airlines with terrorism coverage after incidents. 

Government outreach to businesses can help them understand the importance and implementation of good cybersecurity practices. This will help keep losses and, in turn, policy premiums low. It also prevents incidents from occurring, benefiting society at large. 

Regulators can increase market efficiency by ensuring policies provide the implied coverage. Existing fair-trading authorities can be leveraged to this end. Common policy benefits presentation, and ensuring its accurate translation into policy language facilitates competition and reduces the effort required to compare and purchase policies. Agencies can enable this by developing curriculum and licensing practices targeted at cyber-insurance providers and resellers. 

Government agencies can aid insurance uptake through targeted actions and provide public benefit. Implementing these actions should be a top priority for relevant agencies.

Telling Small Businesses to Buy Cyber Insurance Isn't Enough

What cloud service providers need to know to prepare for FedRAMP Baselines Rev. 5, as documented in the new Transition Guide.

On May 30, 2023, the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board approved new Revision 5 (Rev. 5) baselines. The new baselines align with the National Institute of Standards and Technology's (NIST) "Special Publication (SP) 800-53 Rev. 5" and "SP 800-53B Control Baselines for Information Systems and Organizations."

This article covers high-level information that cloud service providers (CSPs) need to know to prepare for their transition to FedRAMP Rev. 5, as documented in the "FedRAMP Baselines Rev. 5 Transition Guide."

**What's Changing in FedRAMP?**

The FedRAMP baseline security controls, documentation, and templates were updated to reflect changes in NIST SP 800-53, Rev. 5. This means the two programs will better align with each other.

FedRAMP has also added guidance for many of its controls. There is a new control family, Supply Chain Risk Management. The baselines also require a higher configuration management level of diligence and increased focus on privacy and customization for agency requirements.

Along with these changes, FedRAMP includes "integration of new privacy considerations, notable control families, and guidance not featured in Rev. 4," as well as "changes to the control totals," according to IT attestation and compliance firm Schellman.

However, program management (PM) controls remain an agency responsibility and are not reflected in the updated baselines.

**How CSPs Can Transition to FedRAMP Rev. 5**

Your transition timeline will vary depending on your organization. To begin, identify your current FedRAMP authorization phase. There are three phases outlined in the Rev. 5 transition guide: planning, initiation, and continuous monitoring. Each phase has detailed instructions on the next steps, including an overall timeline; refer to the "Transition Guide" for further information.

**Develop a Schedule**

To transition to Rev. 5, you need to develop a schedule demonstrating your transition plan, called a Plan of Action and Milestones (POA&M). Major milestone activities listed in the "Transition Guide" are:

1.  **CSP:** Complete a new Rev. 5 System Security Plan (SSP) and appendices (which, along with the other documents listed below, can be found on the FedRAMP Documents and Templates page).
2.  **Assessor:** Complete the Security Assessment Plan (SAP) template.
3.  **CSP and Assessor:** Submit the SSP and SAP to your FedRAMP Joint Authorization Board (JAB) Point of Contact (POC) or agency authorizing official (AO) for approval.
4.  **Assessor:** Conduct testing.
5.  **Assessor:** Complete the Security Assessment Report (SAR) template.
6.  **CSP and Assessor:** Submit the SAR, POA&M, attachments, and updated SSP to the FedRAMP JAB POC or agency AO.

**Update Your Documentation**

Included in Rev. 5 are new, updated templates for the SSP and attachments, provided by the FedRAMP project management office (PMO). You must complete a new authorization package based on the updated templates.

**Determine the Scope of Your Assessment**

The scope of your assessment will depend on your determination of specific FedRAMP NIST SP 800-53 Rev. 5 controls that require an assessor to test. According to the "Transition Guide," all new or modified requirements must be tested and, depending on CSP-specific implementations and continuous monitoring activities, other control testing may be required.

**Control selection process:** FedRAMP provides in-depth worksheets and information for the control selection process. The main template, the "FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template," is categorized into High, Moderate, and Low — just like FedRAMP impact levels.

The template, which comes in the form of a spreadsheet, contains four worksheets: Rev. 5 List of Controls, Conditional Controls, CSP-Specific Controls, and Inherited Controls. You can find more information on these worksheets and how to use them in the "Transition Guide."

**Complete the Security Assessment**

While there are quite a few differences between FedRAMP Rev. 4 and Rev. 5, assessors will perform the same processes and procedures for a FedRAMP Rev. 5 assessment. The scope of the assessment will differ based on the organization. Testing will require using the FedRAMP Rev. 5 Test Case templates, which can be found in Section 6, FedRAMP Rev. 5 Test Cases (available on the FedRAMP templates page), as well as the requirements outlined in the "Continuous Monitoring Strategy Guide."

To complete your security assessment, you must: define your processes, procedures, and methodologies for testing in your SAP; define the processes, procedures, and methodologies used in testing as required and document the results of the tests in your SAR; and have your assessor prepare and submit the relevant FedRAMP Security Assessment Test Cases as part of the SAR.

**Complete the POA&M**

To complete your POA&M, you will need to use the "FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide." All residual risks listed in your SAR will need a defined plan for remediation. In the POA&M, you also need to include known risks identified by the third-party assessment organization (3PAO) associated with your platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) systems.

**Learn More**

Tackling FedRAMP Rev. 5 can be overwhelming, but there are governance, risk, and compliance (GRC) tools available to help you get a full repository of your controls, track your progress against the framework, and streamline assessments using automated evidence collection. FedRAMP also provides training and educational forums specific to the Rev. 5 updates and transition process for those looking for additional support. You can also join the FedRAMP subscriber list to receive program updates, important reminders, blog announcements, and the monthly PMO Newsletter to stay up to date on the latest FedRAMP changes.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member. He focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

FedRAMP Rev. 5: How Cloud Service Providers Can Prepare

If we really want to move the dial on security habits, it's time to think beyond phishing tests. Our panel of CISOs and other security heavy-hitters offer expert tips that go beyond the obvious.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

9 Innovative Ways to Boost Security Hygiene for Cyber Awareness Month

Attackers compromised customer support files containing cookies and session tokens, which could result in malicious impersonation of valid Okta users.

Okta, an identity and access management services provider, disclosed that its customer support case management system was recently compromised, exposing sensitive customer data including cookies and session tokens. Attackers could potentially use the information to impersonate valid users contacting support.

The customer support case management system is separate from the Okta service itself and the incident only impacted customers with recent support cases, the company's Chief Security Officer David Bradbury stressed in a blog post on Oct. 20. Impacted customers have been notified, he said.

"Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens," Bradbury added.

In its blog post, Okta listed IP addresses and user-agents that security teams can use in their threat hunting efforts.

The announcement comes after Okta was identified as the initial attack vector in recent twin cyberattacks on MGM Resorts and Caesars Entertainment.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Okta Customers Hacked

Most companies offer some kind of awareness training these days. But how much of those lessons are employees actually retaining?

Imagine this: As part of an exercise to teach security awareness, employees enter a room. An actual, physical operational security "escape room," which at first looks like a regular office room. But as people look closer, roleplaying as criminal social engineers that broke into the building, they start to spot information they can use for nefarious purposes.

For example, there's a password in a trash can. And there's a video conference meeting left unclosed. All around the participants are clues that could help them exploit the business. The hope is this experience helps them see through the eyes of a criminal — and leaves them understanding the importance of physical security. Once they are done, the goal is to have them remember the need to keep things like whiteboards clean, laptops locked, and documents hidden or shredded to protect the company.

This is the kind of security awareness training that Kim Burton, head of trust and compliance with Tessian, has used to make sure training leaves its mark on employees.

Awareness training that sticks is still desperately needed as human error is responsible for many breaches and data loss events. In fact, the most recent Verizon Data Breach Investigations Report found that 74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse.

Figures also reveal many companies still fall short in their delivery of awareness training. New data from Hornetsecurity found that 33% of companies are not providing any cybersecurity awareness training to users who work remotely, a common arrangement in a post-COVID world. And those organizations that do provide awareness training — whether to on-site or remote employees — often administer it only annually. This is far from effective, according to Lisa Plaggemier, executive director at National Cyber Security Alliance, who has a long history of developing and running security awareness programs.

It's time, she says, for organizations to get it together when it comes to effective awareness.

"Short but frequent; no more of this once-a-year nonsense," she says.

**Go Beyond Compliance**

But more frequency is only one of many ways that modern security awareness training needs to improve. In a constantly evolving threat landscape, what does an effective security awareness training look like?

"At the National Cybersecurity Alliance, a lot of the behaviors we're trying to influence are the same, so the advice is the same — using MFA, reporting phishing, etc. — but we deliver them through unique messages over time," says Plaggemier. "Those messages use different approaches: storytelling from a victim's perspective, storytelling from the defender's perspective, leveraging current events in the headlines."

Compelling, timely, engaging, and memorable. It sounds simple, right? But it's not. They key problem holding many companies back, is attitude, says Dr. Jason Nurse, director of science and research at CybSafe and associate professor in cyber security at University of Kent.

"Many security awareness programs still fall flat because the organization views the training as a box that must be ticked," he says. "Organizations often focus on compliance and meeting the basic requirements, which may result in training that lacks depth and engagement."

**Create 'Sticky' Awareness**

How can security leaders put together a program that moves far beyond compliance mandates and shape training into something people not only remember, but actually use when faced with risk-based decisions?

One way is to deliver the content through a communication channel that works for them, says Nurse. Research by CybSafe earlier this year found that 79% of office workers are likely to act on security advice provided on the platforms they use daily, such as Slack and Teams. And 90% of respondents thought security nudges on instant messaging platforms would be valuable. Similarly, people who received cyber information daily and weekly were twice as likely to remember all of their training as those who received it monthly, quarterly, or annually.

"While a base-level understanding of cyber hygiene is essential through regular, engaging training, it's equally crucial to help employees when they need it in a helpful format," says Nurse. "Training should go beyond just conveying information; it should guide individuals on how to behave securely in their day-to-day activities. Furthermore, it should ensure people know where to seek help when needed."

Another way to make it mean more is to make training role-based. One-size-fits-all is "necessary to a degree for compliance," says Plaggemier, "but once you've fulfilled your compliance obligation, people should be receiving training that is appropriate for their role and the specific risks that affect them."

Tessian's Burton says in addition to making it too generic, many organizations fail to consider the culture and big picture when devising training.

"The programs fail to take into account the holistic experiences of employees, such as the current culture of the organization, the current signals from leadership about the importance of secure practices, and where the general employee is being asked to use most of their time and energy," she says. "Security awareness programs may neglect non-engineering employees, and engineers may lack mentorship to integrate the material into their practice."

"There is no one right way to train people to be cyber secure. There is only the right way for your organization, department, or team," adds Nurse.

**Play to the Room**

Another important factor to sticky awareness is knowing your audience, says Burton. Like a good stand-up comedian, you need to understand who you are playing to if you want them to remember what you're telling them.

"The first step is empathy," she says. "The security educator needs a deep understanding of the people they are teaching. Repetition over a longer period of time while introducing content in a variety of ways will also ensure recall. And finally, don't forget to have fun. Organizations frequently lose interest and engagement because of a fear of being too weird. However, people are more likely to retain unique content. Weird is good! Be funny, be creative, find joy!"

Burton, in addition to the escape room, has also had employees take part in a story contest that asked employees to write out a "spooky Halloween tale" of how they would attack the company. She has also created narratives that put people in the position of a security analyst at the company, in which they have to evaluate the security of external vendors.

The most effective security training, she says, covers core risks the business is concerned about; it is tailored to the audience; the concepts are presented over time and in a variety of ways; and the material is memorable due to its unique delivery, humor, or creative experience.

"The key component has been, and always will be, a focus on the people themselves."

**HOW TO MOVE FROM FORGETTABLE TO MEMORABLE SECURITY AWARENESS**

Sticky security awareness training can be elusive for many organizations. And with 74% of security events directly tied back to human error, it is important to find ways to reach employees and help them understand cyber risks. Kim Burton, head of trust and compliance with Tessian, uses a variety of awareness training techniques in her programs. Here are the important tenets she says to keep in mind when creating a program at your own company.

1.  **Work with how people work:** Use information about how human memory works, how human beings learn, what incentives provide the best long-term outcomes.
2.  **Approach holistically:** Understand the employees. What pressures do they face? What is the local culture like? What is the internal culture like? What professional backgrounds do these people have? How is the security team or IT team currently perceived internally? Do executives champion security?
3.  **Tell stories:** Share real anecdotes, tell stories from the industry or your experience, and use examples. This helps people see themselves in the narrative. Ideally, each individual would be able to see how they uniquely contribute to the security story of the organization.
4.  **Gamification:** Go beyond a leaderboard. Make engaging with security content fun by using your knowledge of how people work and the holistic experience of working at your company. Make puzzles, encourage curiosity and mystery, recreate the delight of discovery in learning, point out progress, and use positive reinforcement for secure behaviors.
5.  **Build trust:** Build relationships internally. Become a trusted source of information, but also a safe person to be vulnerable with about difficult concepts, security mistakes, and general concerns. The security educator should be one of the most well-known people within the business.

From Snooze to Enthuse: Making Security Awareness Training 'Sticky'

SolarWinds' access controls contain five high and three critical-severity security vulnerabilities that need to be patched yesterday.

Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.

As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.

So, admins should take note that on Thursday, Trend Micro's Zero Day Initiative (ZDI) revealed a series of "High" and "Critical"-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, "The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets."

**Serious Issues in SolarWinds ARM**

Two of the eight vulnerabilities — CVE-2023-35181 and CVE-2023-35183 — allow unauthorized users to abuse local resources and incorrect folder permissions to perform local privilege escalation. Each was assigned a "High" severity rating of 7.8 out of 10.

A few more — CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186, all rated 8.8 out of 10 by Trend Micro — open the door for users to abuse a SolarWinds service, or its ARM API, in order to perform remote code execution (RCE).

The most concerning of the bunch, however, are another trio of RCE vulnerabilities that Trend Micro assigned "critical" 9.8 ratings: CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187. (For its part, SolarWinds diverged from Trend Micro here, assigning them all 8.8 ratings.)

In each case, a lack of proper validation for the methods _createGlobalServerChannelInternal_, _OpenFile_, and _OpenClientUpdateFile_, respectively, could enable attackers to run arbitrary code at the SYSTEM level — the highest possible level of privilege on a Windows machine. And unlike the other five bugs released Thursday, these three do not require prior authentication for exploitation.

A new ARM version 2023.2.1, pushed to the public on Wednesday, fixes all eight vulnerabilities. SolarWinds clients are advised to patch immediately.

Critical SolarWinds RCE Bugs Enable Unauthorized Network Takeover

A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.

Cisco said a patch for two actively exploited zero-day flaws in its IOS XE devices is scheduled to drop on Oct. 22.

The first Cisco zero-day bug, tracked under CVE-2023-20198, was announced on Oct. 16 and has a severity rating of 10 out of 10. At the time it was discovered, it had already allowed threat actors to compromise more than 10,000 Cisco devices.

On Oct. 19, Cisco said it believed the cyberattacks against its IOS XE devices were all being carried out by the same threat actor.

Now, in an Oct. 20 update to its threat advisory, Cisco reported there's another previously unknown flaw involved, tracked under CVE-2023-20273 — it carries a slightly less scary CVSS score of 7.2.

Both are being used in the same exploit chain. Threat actors used the first bug for initial access, and the second to escalate privileges once authenticated, according to an emailed statement from Cisco announcing the coming patch release.

Cisco also added another clarification from its earlier reporting on the first bug: it was thought in the early response that the threat actor had combined the new zero-day with a known and patched vulnerability from 2021, raising the specter of a patch bypass issue. But Cisco has now dismissed that theory, according to a statement from the company.

"The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity," it said.

**Exploitation Could Continue for Years**

As Cisco continues to wrap its arms around the breadth of the threat, cybersecurity expert and consultant Immanuel Chavoya expects to see a spike in malicious activity against vulnerable devices in the lead up to the release of the updated version.

"Active exploitation will continue and lead to ransomware probably over this weekend, as threat actors rush to capitalize before any patch or remediation," he predicts.

But beyond the short-term, Chavoya is dubious many Cisco customers will take the necessary steps to remediate.

"I can tell you from experience many customers do not or will never patch — and are absolutely unaware of the exploitation status currently (SMBs, etc.) — and so thus, exploitation will continue for months or years."

Cisco Finds New Zero Day Bug, Pledges Patches in Days

Though there is speculation regarding potential candidates, the Department of Defense will likely not nominate someone in the near term.

The RAND Corporation, which the Pentagon assigned to study the measures it would take to create a position for an assistant secretary of defense for cyber policy, has submitted its research on the matter, and the US Defense Department is reviewing the results. However, it will be months until anyone is formally nominated.

RAND submitted its research at the end of September. A Department of Defense (DoD) spokesperson stated that it "will inform forthcoming decisions on the organizational structure, resourcing, and workforce of the new office."

Mieke Eoyang, current deputy assistant secretary of defense for cyber policy, is considered a likely candidate; however, her background as a senior Democratic staffer and as an MSNBC commentator has raised concerns that the country's divided Senate would not confirm her.

Another rumored potential candidate is Michael Sulmeyer, principal cyber adviser for the Army. His past experience includes working on cyber policy for the National Security Council.

The DoD, which was opposed to forming the post, has not commented on these potential candidates.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading