Newsletter 07/03/2023


Valiantly Trying to Save Western Civilization,
One Attack At a Time, Part 1.

On this July 4th, circa 2023, I would like to thank all of this nation's cyber warriors for your much needed service and your selfless devotion to duty.  You deserve more credit than you get.

 

The past two months have been busy times for CISA Director, Jen Easterly, as she, the agency she heads, and affiliated agencies throughout the US government, and foreign governments allied with the US, gather their arsenals to fight serious trans-national cyber threats.

CISA, and other agencies, together have moved aggressively to mitigate the ongoing CLOP MOVEit vulnerability. 

On July 2, 2023, Bing summarized the details of the CLOP MOVEit vulnerability well.

The CLOP MOVEit vulnerability refers to a SQL injection vulnerability in Progress Software's managed file transfer solution known as MOVEit Transfer. This vulnerability is tracked as CVE-2023-34362. The CLOP Ransomware Gang, also known as TA505, began exploiting this vulnerability in May 2023. This allowed them to install a web shell named LEMURLOOT to enable data theft from MOVEit Transfer databases. The personal data of more than 15 million individuals has been stolen by hackers exploiting this vulnerability.

The CLOP Ransomware Gang (TA505) has a long career in cybercrime.  In its report of June 13, 2023 [pdf will open], entitled "Threat Actor Profile: FIN11", the U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center (HC3), states that the threat actor has been "active since at least 2016."  The threat actor is known to originate from the Commonwealth of Independent States (CIS), otherwise known as the former Soviet Union.

The threat actor has a long history of attacking health care institutions, as it is doing with the current MOVEit attack.  On June 14, 2023, The Baltimore Banner reported that Johns Hopkins University and Health System was attacked with the MOVEit vulnerability.  On June 30, 2023, beckershospitalreview.com listed "nine hospitals and health systems dealing with cybersecurity events that have taken their systems offline or have compromised patients' protected health information."  Of those nine hospital data breaches, eight were due to a cyber attack, and one was unauthorized employee access.

Two teachers' retirement funds were among those reported to have been victimized by the MOVEit vulnerability.  As of June 29, 2023, TechCrunch.com reported that, taken collectively, "Hackers have compromised the personal data of more than 15.5 million individuals by exploiting a security vulnerability in the MOVEit file transfer tool."

As Bloomberg reported on June 28, 2023, "The US Department of Health and Human Services was ensnared by a sweeping hacking campaign that exploited a flaw in file-transfer software called MOVEit."  Other Federal agencies were also compromised.  Among those agencies were the Department of Energy and the Department of Agriculture.

CISA's first efforts to mitigate the MOVEit vulnerability came June 2, 2023.  As reported by BleepingComputer, June 4, 2023, CISA had ordered "U.S. federal agencies to patch their systems by June 23." 

CISA and the FBI were jointly tracking the CLOP MOVEit vulnerability throughout June 2023.  A "joint Cybersecurity Advisory (CSA)" was released on June 7, 2023, by the FBI and CISA [pdf will open].  The joint advisory was quite detailed in its technical descriptions of the ransomware and how it worked.  The joint advisory concluded with four pages of mitigation techniques.  Despite this effort, government agencies and their private sector partners were still falling prey to the MOVEit vulnerability throughout the month of June.

On June 13, 2023, CISA released the following announcement: "CISA Directs Federal Agencies to Secure Internet-Exposed Management Interfaces."  The press release coincided with the issuance of "Binding Operational Directive (BOD) 23-02," in response to the attacks on government agencies.  BOD 23-02 requirements apply not only to all federal agencies, but also apply to vendors and other private sector partners that do business with the Federal Government. 

The BOD 23-02 "requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery."  Among the devices BOD 23-02 points to as vulnerable are "routers, switches, firewalls," and other networking equipment that use common networking protocols, such as "Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS)" — also known as the Internet.  Enforcement of BOD 23-02 is also discussed.  After 14 days' notice that a device is not in compliance, CISA will scan networked connections to detect devices that are not in compliance.  These requirements apply to "All federal civilian executive-branch agencies."
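To make the directive's test concrete, here is an added example (my own code, not CISA's scanner or anything from BOD 23-02 itself) that takes Censys-style external scan findings and reports which interfaces fail the BOD 23-02 criteria: a network appliance (router, switch, firewall) reachable from the internet on a management protocol with no Zero Trust access control in front of it, each with its 14-day remediation deadline counted from discovery. The port table, the device classes, the line format and the sample findings are all constructed assumptions; the directive's own protocol list is longer than the HTTP, HTTPS, SSH and Telnet named on this page.

```python
"""Audit external-scan findings against the BOD 23-02 exposure criteria.

Added example: constructed data and a constructed line format, not CISA's
scanner and not Censys output. Each finding is assumed to come from an
external vantage point, i.e. the interface is already public-facing.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Management-interface protocols named on this page (illustrative subset;
# BOD 23-02 lists more, such as FTP, SNMP, RDP and SMB).
MANAGEMENT_PORTS = {22: "SSH", 23: "TELNET", 80: "HTTP", 443: "HTTPS"}

# Device classes treated as networked management interfaces (assumption).
NETWORK_APPLIANCES = {"router", "switch", "firewall"}

# Constructed findings: "ip port device zta=yes|no". The 203.0.113.0/24
# addresses are the documentation range, used here as stand-ins.
SAMPLE_SCAN = """\
203.0.113.10 22 router zta=no
203.0.113.10 443 router zta=no
203.0.113.22 23 switch zta=no
203.0.113.30 443 firewall zta=yes
203.0.113.40 443 web-server zta=no
203.0.113.50 8443 firewall zta=no
"""

# Constructed discovery date; BOD 23-02 was announced June 13, 2023.
SAMPLE_DISCOVERY = date(2023, 6, 13)


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    device: str
    zero_trust: bool  # access to the interface is already behind ZTA controls


def parse_scan(text: str) -> list[Finding]:
    """Parse the constructed line format; blank lines and comments are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, port, device, zta = line.split()
        findings.append(Finding(ip, int(port), device, zta == "zta=yes"))
    return findings


def is_noncompliant(f: Finding) -> bool:
    """A finding fails BOD 23-02 when a network appliance exposes a management
    protocol to the internet and no Zero Trust access control enforces access.

    Caveat: port-to-protocol mapping is a heuristic. The firewall on 8443 in
    the sample is NOT flagged, although it may well be an HTTPS admin page;
    a real audit must fingerprint the service rather than trust the port.
    """
    return (f.device in NETWORK_APPLIANCES
            and f.port in MANAGEMENT_PORTS
            and not f.zero_trust)


def audit(text: str, discovered: date) -> list[dict]:
    """Return one record per noncompliant interface with its 14-day deadline."""
    deadline = discovered + timedelta(days=14)
    return [
        {"ip": f.ip, "protocol": MANAGEMENT_PORTS[f.port], "device": f.device,
         "remediate_by": deadline.isoformat()}
        for f in parse_scan(text) if is_noncompliant(f)
    ]


def sample_audit() -> list[dict]:
    """Run the audit over the constructed findings and discovery date."""
    return audit(SAMPLE_SCAN, SAMPLE_DISCOVERY)


if __name__ == "__main__":
    for record in sample_audit():
        print(record)
```

Three of the six sample findings are reported (the router's SSH and HTTPS interfaces and the switch's Telnet interface), each due by 2023-06-27; the firewall that already enforces Zero Trust access and the plain web server are not. The unflagged firewall on port 8443 is the point to remember: a port table catches only the obvious cases, so the inventory feeding such an audit should come from service fingerprinting, not port numbers.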

 

The State Department did its part, too.  The Rewards For Justice Program offered a 10 million dollar reward for information leading to the arrest and capture of those responsible for the CLOP MOVEit attack.

 

Almost two weeks after the announcement of BOD 23-02, security vendor Censys reported its findings that non-compliance with BOD 23-02 was widespread.  In its report of June 26, 2023, entitled "Identifying CISA BOD 23-02 Internet-Exposed Networked Management Interfaces with Censys," researchers "discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET."  Censys went on to list specific vendors whose products were not in compliance.  Among them were industry standards Cisco, Fortinet, and SonicWall.  The MOVEit vulnerability was proven to be present in many of these out-of-compliance network interfaces.  And, remarkably, given all CISA's efforts to ensure government systems and software are always current, Censys found "over 150 instances of end-of-life software, including Microsoft IIS, OpenSSL, and Exim. End-of-life software."

Among those out-of-compliance private-sector vendors was Siemens Energy.  On June 27, 2023, BleepingComputer reported that "Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform."

Not all of these private sector vendors took seriously the demands from CISA to secure their vulnerable devices.  One such company, Enphase, apparently deliberately ignored two advisories CISA released in June 2023 concerning two of its products.  The first advisory was released June 22, 2023.  This advisory concerned "Enphase Envoy, an energy monitoring device," that CISA said was "vulnerable to a command injection exploit that may allow an attacker to execute root commands."  Among its mitigation procedures, CISA recommended "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet."

CISA released a second advisory concerning Enphase products, also on June 22, 2023, which was updated June 29, 2023.  This advisory concerns "Enphase Installer Toolkit Android App (Update A)."  The problem with this application, according to CISA, is:

Enphase Installer Toolkit versions 3.27.0 and prior have hard coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information.

It was reported that Enphase simply ignored CISA demands that the company fix its broken software.  In a report of June 22, 2023, SecurityWeek noted that Enphase had ignored CISA's original outreach to the company on June 20, 2023.  "According to CISA, Enphase Energy has not responded to requests to work with the agency in addressing these vulnerabilities."  After the very bad press Enphase received, the recalcitrant vendor had a change of perspective.  SecurityWeek posted an update with the message: “Enphase Energy is in direct contact with CISA and committed to quickly addressing any potential vulnerabilities.”  On June 27, Enphase put its own press release out, announcing its users should now upgrade "the Enphase Installer App 3.27.0 to 3.30.1 or newer through the Apple App store or Google Play store, and revocation of hard-coded credentials."  Enphase also thanked the anonymous researcher who first informed CISA of the vulnerabilities in its product by stating that, "Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue."  Well, Bless Its Heart!

I have a great deal of respect and admiration for CISA Director, Jen Easterly — empathy and sympathy — too.  Demanding users STOP doing what they are doing online is more often than not a very frustrating and thankless job, even with the full authority of Uncle Sam behind you. 

My first encounter with malware was with the Barrotes virus in 1995.  Things have only continued in a downward spiral ever since.  Sometime about 20 years ago, I had come to the conclusion that eventually government will step in to unravel and clean up the mess that the Internet had so quickly become.  Maybe that future is now. 

Here comes the judge
Here comes the judge now
Don't nobody budge
'Cause here comes the judge


Everybody doin' their time today
— Here Comes The Judge, Shorty Long
Composers: Billie Jean Brown, Suzanne Depasse, Frederick Earl Long

¯\_(ツ)_/¯
Gerald Reiff
