Changelog: Security teams caught between a rock and a hard place
Welcome to Changelog for 11/2/23, published by Synack! README senior editor Nathaniel Mott here after the first upstate New York snow of the season with the week’s top infosec news.
The payload
The impossibility of cybersecurity is demonstrated by back-to-back Wall Street Journal headlines this week: “Budget Cuts, Layoffs Add to Pressure on Cyber Teams” and “New York Adds Stiffer Requirements to Cybersecurity Rules.”
The first report covered how “almost half of cybersecurity professionals say their teams have had cutbacks in spending or personnel in the past year” as various industries engage in mass layoffs. The second explained how the New York State Department of Financial Services updated its cyber regulations with “strict provisions around board oversight and ransom payments that go further than recent federal rules.”
WSJ said that CISOs in particular will be affected by the new regulations, which explicitly require them to make sure their organizations enforce the new rules. That seems unlikely to make an already stressful week, thanks to the Securities and Exchange Commission’s filing against SolarWinds CISO Timothy Brown, any less taxing for those cybersecurity practitioners who’ve made it to the C-suite.
All of which means we have security teams—many of which were already understaffed—being forced to make do with even less staffing and resources while they face increasing scrutiny on both the state and federal level. (To say nothing of the rate of ransomware attacks continuing to rise.) How is this supposed to be sustainable for those in the cybersecurity industry or the organizations that rely on them?
The week, compiled
Logging is vital to identifying, containing and responding to incidents. Few organizations prioritize quality logging, however, and fewer still have the expertise to effectively use those logs anyway. But it’s still disheartening to hear that a severe vulnerability that’s been exploited since August doesn’t produce any evidence of exploitation attempts that can be used by those rare orgs that fit into both categories.
Mandiant said on Oct. 31 that CitrixBleed—a vulnerability in Citrix’s NetScaler ADC and NetScaler Gateway appliances—is forcing defenders to deal with that exact problem. “The challenge of investigating a vulnerable appliance for the exploitation CVE-2023-4966 is that the webserver running on the appliance does not record requests (or errors) to the vulnerable endpoint,” the company said. “Mandiant is not aware of any configuration change that can be made to force request logging for these endpoints.”
Organizations instead have to “rely on web application firewalls (WAF) or other network appliances that record HTTP/S requests directed toward the NetScaler ADC or Gateway appliances” for signs of attempted exploitation. Despite that limitation, Mandiant said it has evidence that CitrixBleed has been under active exploitation since August, or at least two months before it was publicly disclosed on Oct. 10. And now that it’s been made public it’s being used in mass exploitation attempts, too.
Best wishes to organizations that use Citrix NetScaler ADC and NetScaler Gateway appliances, then, especially those that didn’t apply the patches related to CitrixBleed as soon as they were released. (Which isn’t to say it’s reasonable to expect all orgs to immediately patch every vulnerable part of their stack—I’m aware of the infeasibility of that approach.) Here’s to hoping they have those other logs available.
Now for the week in README:
Commit 10_30_2023: Wiper malware is deployed against Israeli organizations, LockBit claims responsibility for the hack of Boeing, Russia plans to make its own VirusTotal, interrogating the relationship between Hunters International and Hive and Stanford gets ransomwared again.
Commit 10_31_2023: The SEC files suit against SolarWinds and its CISO, Israel turns to its spyware industry, the “CitrixBleed” vulnerability sees mass exploitation, the U.S. reveals that its workers’ emails were compromised via the MOVEit Transfer vuln and an agreement not to pay ransomware operators.
And some additional reports from around the web:
CPR: Check Point Research published a report on espionage campaigns conducted by an Iranian threat actor it tracks as Scarred Manticore, which has been targeting “high-profile organizations in the Middle East with a focus on government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs” for years, and saw a surge of activity in mid-2023.
TechCrunch: Atlassian warned on-premise users of Confluence Data Center and Server to update their installations so attackers can’t exploit CVE-2023-22518 to cause “significant data loss.” The company has been tight-lipped about how exactly the vulnerability can lead to data loss, however, and reportedly declined to offer additional information when TechCrunch contacted it for comment.
A message from Synack
How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.
Flash memory
Gather round, for I must tell a tale of a time when people listened to the radio and believed whatever was broadcast, even if it was something as outlandish as Martians suddenly invading New Jersey. That isn’t a random example—I’m referring to reports of mass panic resulting from Orson Welles reading an adaptation of “The War of the Worlds” on Oct. 30, 1938 as a series of fake news bulletins.
“Some listeners mistook those bulletins for the real thing, and their anxious phone calls to police, newspaper offices, and radio stations convinced many journalists that the show had caused nationwide hysteria,” the Smithsonian magazine recapped in 2015, nearly 80 years after the broadcast. “By the next morning, the 23-year-old Welles’s face and name were on the front pages of newspapers coast-to-coast, along with headlines about the mass panic his CBS broadcast had allegedly inspired.”
That wouldn’t happen today, of course, not least because fewer people listen to the radio. Many of us of a certain age were also told not to believe everything we read—especially on the internet—by people who, ironically, now believe pretty much everything they read on the internet. Mass panic has been replaced by wearying and worrisome conversations. Whether or not that’s an improvement is a matter of opinion.
Local files
The Record: The Querétaro Intercontinental Airport, which according to The Record is “one of the highest-traffic airports in Mexico,” said this week that it was responding to “a cyberattack incident.” LockBit took credit for the hack and said it would publish the information it made off with by Nov. 27 if its ransom wasn’t paid, but according to the airport, the only compromised data is already publicly available.
Deep Instinct: Iranian threat actor MuddyWater has reportedly launched a new campaign, which “has been observed attacking two Israeli targets,” that uses the Storyblok file-sharing service and N-Able’s Advanced Monitoring Agent remote administration tool as part of a spearphishing attack that is ultimately expected to incorporate compromised systems in the group’s command-and-control infrastructure.
BleepingComputer: LeVar Burton’s gonna be pissed. BleepingComputer reported that the Black Basta ransomware gang is responsible for various outages at the Toronto Public Library, including the unavailability of public computers and printing services available at its many branches. The report indicated that the full extent of the incident was still being investigated as of Nov. 1.
Off-script
I can’t remember the first time I was told some aspect of a story—its headline, the links it contained, a particular turn of phrase—needed to change to appeal to Google’s algorithms. I doubt there will be a last time. (At least until I’m no longer able to convince people to pay me to write for them.) These concessions to Google’s unwritten preferences, known broadly as search engine optimization, are here to stay.
Which is why I want to highlight a recent article from The Verge explaining that “nearly everyone hates SEO and the people who do it for a living” because “the practice seems to have successfully destroyed the illusion that the internet was ever about anything other than selling stuff.” Though I’d probably follow The Plain White T’s in saying “hate” is a strong word… I just really, really, really don’t like them.
The irony, as The Verge pointed out, is that SEO has made search engines less useful than before. There are countless results for practically every search term now, but these days, many of them are barely intelligible gobbledygook generated by a large language model. The rest make all of the same concessions at the altar of SEO even when doing so leads to an objectively worse reading experience.
I’m aware that I’m preaching to the choir; I haven’t seen any good-faith arguments that the web is doing great, actually, or that search results are of the same quality that they used to be. But as long as I have the soapbox, I figured I would make it clear that many of us producing this #content are probably even more annoyed by our tributes to Google’s algorithms than the people reading it. Amen.