Newsletter 04/10/2022
They're B-A-A-C-K!!
Sooner or later, everything old is new again.
In this issue: Spring4Shell; Bad Routers, the FBI, and You; Id.me, The IRS, and Me; And These Clowns Are Back.
Each of the week's Topics #1 derives from what I detect is a unifying theme in the IT news stories I read. Once developed, I use that theme to make a greater statement about where we all are as we do our best to navigate the ever more complex digital world. Looking at the news headlines as a whole over a two-week span, the theme that developed, as I saw it, was that many of the major themes discussed in this blog over the last six months have all come back in spades. And, just as I was settling in to begin writing out this theme, a real oldie but a goodie came back into the headlines.
Cybercriminals are tricking victims into downloading malware by telling them their browsers are outdated and need to be updated in order to view the contents of the page. WordPress and Joomla are content management systems that make it easier for anyone to build web pages. Both are constantly under threat, need ever-vigilant updating, and remain a large attack surface. I have never used either in developing web pages. That is not, however, what got my attention. It was the porn-sites aspect that got my attention. It seems like a very long time ago, but I discovered porn sites to be a very common source of malware. My common joke at the time was: "You want to watch porn? That's why God made DVDs."

Spring4Shell

A concerning security vulnerability has bloomed in the Spring Java ecosystem: a remote code execution (RCE) flaw in the Spring Framework itself (CVE-2022-22965, dubbed Spring4Shell or SpringShell), reported in the same week as a separate RCE bug in Spring Cloud Function (CVE-2022-22963). Either could lead to the compromise of an entire internet-connected host. Although there was extensive reporting among the digerati, the story did not get much traction in the national media as far as I could tell. On April 1, Ars Technica declared "Spring4Shell: The Internet security disaster that wasn't," criticizing early posters about this new Java vulnerability, who "warned of severe damage the flaw might cause to 'tonnes of applications'" and claimed that the bug "can ruin the Internet," for being overtly hyperbolic. Much of the criticism was directed at security vendors. In language that might sound familiar to my readers, Ars Technica roasted these vendors for their obvious opportunism: "Almost immediately, security companies, many of them pushing snake oil, were falling all over themselves to warn of the imminent danger we would all face. And all of that before a vulnerability tracking designation or advisory from Spring maintainers was even available."

As I watched the news on this new vulnerability unfold, it did seem that another shoe was bound to drop. On April 4, the discussion indeed changed. Dark Reading reported that "Millions of Installations Potentially Vulnerable to Spring Framework Flaw": security firms produced two data points on Monday to estimate the number of Spring Framework installations that are vulnerable to the most recent flaw, CVE-2022-22965, also known as Spring4Shell or SpringShell, suggesting anywhere from hundreds of thousands to millions of instances are affected. In the course of a couple of days, the earlier, dismissive reporting was roundly refuted. "Given early reports suggest [SpringShell affected] around 6,000 devices, this new number is much worse," Smith says. "Log4j was much harder to assess whether an exposed port was using a Java-based application with Log4j behind the scenes. This is much more visible and directly available to exploit and test."
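The estimates above count exposed instances on the internet; the check a developer wants is whether their own build still pulls a vulnerable Spring Framework version. Below is an added example, not code from this newsletter or from the Spring project: a Python script that reads a Maven pom.xml or a Gradle build file, resolves ${property} version references, and flags org.springframework artifacts below the fixed releases. The fixed versions it uses (5.3.18 for the 5.3 branch, 5.2.20 for the 5.2 branch, no fix for older branches) are the ones Spring's advisory for CVE-2022-22965 named; the sample build files are constructed for the example. Two caveats: a dependency whose version is managed by a parent POM or BOM shows up as unknown here and must be resolved with the build tool (for example `mvn dependency:tree`), and the check says nothing about the deployment conditions the known exploit required, so a flagged version is a reason to upgrade, not proof of exploitability.

```python
"""Flag Spring Framework dependencies still at a Spring4Shell (CVE-2022-22965)
vulnerable version in Maven and Gradle build files.

Added example, not from the newsletter or the Spring project. Fixed versions
5.3.18 and 5.2.20 are the ones Spring's advisory named; older branches got no fix.
"""
import re
import xml.etree.ElementTree as ET

SPRING_GROUP = "org.springframework"
FIXED = {(5, 3): 18, (5, 2): 20}  # (major, minor) branch -> first patched patch level


def parse_version(version):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17); None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when a Spring Framework version predates its branch's fix.
    Returns None when the version string cannot be parsed (e.g. BOM-managed)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Branches older than 5.2 never received a fix; newer branches shipped fixed.
    return (major, minor) < (5, 2)


def scan_pom(pom_xml):
    """Return [(artifactId, version, vulnerable)] for org.springframework deps,
    resolving ${property} references from the <properties> block."""
    root = ET.fromstring(pom_xml)
    ns = {"m": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    p = "m:" if ns else ""
    props = {el.tag.split("}")[-1]: (el.text or "").strip()
             for el in root.findall(f"{p}properties/*", ns)}
    dep_tag = f"{{{ns['m']}}}dependency" if ns else "dependency"
    findings = []
    for dep in root.iter(dep_tag):
        group = dep.findtext(f"{p}groupId", default="", namespaces=ns).strip()
        if group != SPRING_GROUP:
            continue
        artifact = dep.findtext(f"{p}artifactId", default="", namespaces=ns).strip()
        version = dep.findtext(f"{p}version", default="", namespaces=ns).strip()
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda mt: props.get(mt.group(1), mt.group(0)), version)
        findings.append((artifact, version, is_vulnerable(version)))
    return findings


# Matches 'org.springframework:spring-xxx:version' coordinate strings in Gradle.
GRADLE_DEP = re.compile(r"""['"]org\.springframework:(spring-[\w-]+):([^'"]+)['"]""")


def scan_gradle(build_gradle):
    """Return [(artifact, version, vulnerable)] for Gradle coordinate strings."""
    return [(a, v, is_vulnerable(v)) for a, v in GRADLE_DEP.findall(build_gradle)]


def report(pom_xml=None, build_gradle=None):
    """(artifacts needing upgrade, artifacts whose version could not be determined)."""
    findings = []
    if pom_xml:
        findings += scan_pom(pom_xml)
    if build_gradle:
        findings += scan_gradle(build_gradle)
    needs_upgrade = sorted(a for a, _, vuln in findings if vuln)
    unknown = sorted(a for a, _, vuln in findings if vuln is None)
    return needs_upgrade, unknown


# Constructed sample inputs for the example (not real project files).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring.version>5.3.17</spring.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>5.3.18</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-context</artifactId></dependency>
    <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'org.springframework:spring-webflux:5.2.19.RELEASE'
    implementation "org.springframework:spring-beans:6.0.0"
    testImplementation 'org.springframework:spring-test:4.3.30.RELEASE'
}"""

if __name__ == "__main__":
    upgrade, unknown = report(SAMPLE_POM, SAMPLE_GRADLE)
    print("needs upgrade:", upgrade)
    print("version unknown (check with build tool):", unknown)
```

Run it against a real project by reading the build file into `report()`; anything in the first list is below its branch's fix, and anything in the second list inherits its version from somewhere the script cannot see.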
Indeed, major computer companies, both hardware and software, reported the presence of SpringShell. Microsoft's 365 Defender Threat Intelligence Team also chimed in, stating it has been "tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities." By April 8, Microsoft had patched its vulnerable systems. On April 5, BleepingComputer reported that "Roughly one out of six organizations worldwide that are impacted by the Spring4Shell zero-day vulnerability have already been targeted by threat actors." By April 8, "SpringShell was detected being actively exploited by threat actors to execute the Mirai botnet malware, particularly in the Singapore region since the start of April 2022," according to BleepingComputer. And this brings us full circle: a vulnerability that was at first poo-pooed by all the important players may end up having a more negative impact on regular computer users, like the readers of this post. SpringShell is weaponized. This is far from the first time botnet operators have quickly moved to add newly publicized flaws to their exploit toolset. In December 2021, multiple botnets, including Mirai and Kinsing, were uncovered leveraging the Log4Shell vulnerability to breach susceptible servers on the internet. As of April 5, "Data from Sonatype suggests that 80 percent of weekly Spring framework downloads are still exploitable versions." Patched versions of Spring are now available, but a majority of developers are still downloading vulnerable iterations. So I suggest you avoid the porn sites for a while.

Next on our list of everything old is new again is the subject just touched on above.

Bad Routers, the FBI, and You

You might have heard that on Wednesday, April 6, 2022, the FBI announced the court-authorized disruption of a botnet controlled by the Russian Federation's Main Intelligence Directorate (GRU). Although the action itself was widely reported, what was not widely reported, but was included in the Justice Department press release, was that the operation disrupted "a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU)." An "infected network hardware device" is a router
that should either have been patched or replaced long ago. So it is not only me telling owners of old, out-of-date networking gear that they unknowingly represent a fifth column in our ongoing cyberwar with Russia. The court that agreed to issue the warrant to take down the botnet also apparently agreed with the statement above.

The infected devices were primarily firewall appliances from WatchGuard and, to a lesser extent, network devices from Asus. Both manufacturers recently issued advisories providing recommendations for hardening or disinfecting devices infected by the botnet, known as Cyclops Blink. It is the latest botnet malware from Russia's Sandworm, which is among the world's most elite and destructive state-sponsored hacking outfits. Ironically, or so it seems, WatchGuard fixed the vulnerabilities in a May 2021 firmware update but didn't bother to tell many people what it had fixed. So even if your network admin was usually on the ball, if that person didn't know there was something to patch, then they probably didn't patch. "These issues were found by our engineers and not actively found in the wild. For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws that they contained," said WatchGuard in its May 2021 firmware update release.

Moreover, the past couple of weeks have not been kind to other vendors of networking gear and their customers. In February, Cisco Systems disclosed 15 vulnerabilities affecting routers used by small and medium-sized businesses (SMBs). As the VentureBeat article on that disclosure put it, businesses large and small are intertwined from a security perspective in 2022. What the VentureBeat article brings out is the single most unsettling fact about vulnerabilities in equipment so widely used by businesses of every size: large enterprises will (eventually) patch, while smaller firms might never patch. When an SMB doesn't address a major
security issue such as this, due, for instance, to a lack of resources, it can spill over into becoming a problem for the enterprises it does business with. One of the central tenets of Zero Trust, and of this reporter, is that there are no boundaries to the network; or, as I have put it more plainly: "There is only one network." So any vulnerability inherent within any node of the network (like your PC) is a vulnerability to the entire network.

Id.me, The IRS, and Me (Ah jeez...)

In the Dispatch posted February 13, 2022, within the discussion introducing Zero Trust, there was a discussion of the short-lived IRS experiment with Id.me. You may recall that there was an uproar across both parties in Congress and among the public at large. The post was timely.
On February 8, 2022, the IRS announced that the agency would
cease using facial recognition for taxpayers to log into their IRS
accounts. This change was widely reported in the
mainstream media, as well. “I am also extremely concerned about the amount of information ID.me collects and stores for every taxpayer that uses its website—as a matter of fact as ID.me tells me according to this California disclosure in its notice for residents includes things like, age, gender, military/veteran status, and the taxpayers’ location...where they access the ID.me website,” added Sen. Menendez. “Even though tax returns and tax identity information—including a taxpayers’ name, address, and taxpayer identification number—are protected from disclosure or potential disclosure by Internal Revenue Code section 6103, the information disclosed to ID.me is not protected.”
Senator Menendez has led the charge, with over 200 other members of Congress, to stop the collection of facial recognition data, citing the shoddy reputation of ID.me. But no matter. Id.me remains the gatekeeper to your IRS account. I tried. It's really rotten technology.
And These Clowns Are Back

In a post on December 26, 2021, I commented on a TV advertisement that I thought was a bit curious. The spot featured an actor dressed in blue jeans and a blue work shirt, situated in a machine shop. The actor was the embodiment of the mythical Blue Collar Worker, and he was there to tell the world to tell Congress not to Send Our Tech Jobs To China, as had happened to his job. I pointed out the inconsistency of the ad's presentation: the guy looked like he was at work in the machine shop. My main commentary was that it seemed like an issue advocacy ad, but there was no legislative proposal that the ad was promoting or attacking. The ad was pure FUD.

"Beware of Maya" (Beware of Darkness, George Harrison)