
The Dangers of Zero-Days in Popular Products

In recent years, we have witnessed cybercriminals targeting technology vendors at an alarming rate. Their quest to find a way to breach one entity to access many others is the ultimate prize. Some threat actors are increasingly focusing on moving upstream into the global supply chains of software and hardware components, targeting the build process to increase the impact of an attack. These “supply-chain attacks,” such as the SolarWinds breach of 2020, can be devastating.

Similarly, some attackers are focusing on finding and exploiting weaknesses already present in widely used products and solutions. The latest of such attacks is currently tracked as CVE-2023-2868 with a CVSS severity score of 9.8/10. While not the result of a supply-chain attack itself, this highly critical vulnerability follows the hallmarks of previous well-recognized supply-chain attacks, including 3CXDesktop App (2023), Kaseya VSA (2021), SolarWinds (2020), Asus Live Update Utility (2018), and NotPetya Ransomware (2017).

Much has been written in the past two weeks on this publicly known vulnerability. But this blog highlights the nature of the vulnerability, why it should matter to you even if the affected product is not in your network, and what you can do to minimize your exposure to similar attacks in the future.

To help you with that, we highlight several critical strategies for consideration below, which include components of a Business Impact Plan (BIP), a vendor management program, and an incident response playbook.

What is CVE-2023-2868?

In the case of CVE-2023-2868, a threat actor exploited the target security vendor’s SMTP daemon software components with a new weaponized vulnerability. This attacker successfully injected and executed a uniquely crafted payload containing backdoor functionalities and a reverse shell tool to gain remote access to the vendor’s affected systems, which are deployed at an undisclosed number of client networks. As a result, persistence mechanisms were established on infected devices for eight months before discovery. These mechanisms include system manipulation with backdoor command and control (C2) operations, tunneling capabilities to obfuscate C2 communication channels and exfiltration of clients’ sensitive data from affected vendor systems without detection.

For our technical-minded readers, you’ll appreciate the nature of this exploit for its sophistication and impact on the various parts of the target vendor’s software stack. To help keep track of the effects, the vendor assigned the codenames SALTWATER, SEASIDE, and SEASPY to the identified indicators of compromise (IOC) as it continues its investigation and remediation. Moreover, to aid clients’ incident response teams in investigating their environments, a series of YARA rules and lists of observed endpoint and network IOC have been published publicly.

Malicious payloads with advanced backdoor and reverse shell features — such as we’re seeing with UNC4841’s SALTWATER, SEASPY and SEASIDE attacks — are popular because they can bypass firewall filters, initiate persistent connections from inside the target network and obfuscate C2 traffic from intrusion scanners. These features make such exploits all the more dangerous.

Why should this matter to you?

What we can learn from the CVE-2023-2868 incident is that sometimes there’s no easy remediation. The vendor is unable to adequately remediate actions taken by the threat actors while the appliances are in the field, creating a vicious cycle that could impact your organization — even if you think you’re safe.

You may know for sure that the affected products aren’t present in your own environment. But do you know that they aren’t present in the networks of your vendors? What about the organizations that hold your data in SaaS platforms: Is your data impacted there?

Combined with supply chain attacks, the ongoing exploitation of this vulnerability and ones like it demonstrates how interconnected — and fragile — all of our networks truly are. Even if you’re able to confirm this vulnerability can’t affect you in any way, it’s only a matter of time before another high-quality, zero-day vulnerability is discovered. Once it’s found and weaponized, there’s a thriving marketplace with brokers and buyers waiting to acquire it. Where a zero-day vulnerability with a fully verified proof-of-concept (POC) exploit ends up rests entirely at the creator’s discretion. The odds of it falling into the hands of threat actors looking for a big return are a near-certainty.

Taking this as fair warning should encourage us to establish processes to regularly assess and improve our security capabilities and vendor vetting practices.

What actions should you take to manage the risk and impact?

As threat actors continue to shift away from targeting specific organizations and toward targeting supply chains and popular products, we must evolve our security response capabilities to manage the risk and impact that could stem from our technology stack. Here are some key strategies that you can implement at your discretion and as your budget allows:

Develop a Business Continuity Plan (BCP) or Business Impact Plan (BIP) to comprehend the impact of a complete business disruption. Components of these plans can include:

  • Mapping of all assets that product-based and supply-chain attacks can impact
  • Conducting security pen testing to profile your technology risks
  • Identifying the necessary resources, such as personnel and technology, needed for remediation, recovery and continuity of all business functions
  • Determining the acceptable downtime or recovery time after the impact
  • Describing the testing frequency and processes for updating and maintaining the plan to ensure its relevance over time
  • Specifying record-keeping practices and reporting mechanisms to document the findings, actions and lessons learned from an incident
  • Outlining the training programs and awareness campaigns to educate employees and stakeholders about the Business Impact Plan, their roles and the actions needed to respond to disruptions

Execute a vendor management program that encompasses:

  • Adopting the National Institute of Standards and Technology (NIST) Risk Management Framework to help you assess, uncover and mitigate potential risks within your supply chain
  • Executing a clear and comprehensive agreement outlining specific security requirements and expectations involving vulnerability assessments, security controls and incident response protocols
  • Putting into motion a regular cadence for auditing and evaluating suppliers’ security development practices, Product Security Incident Response Team (PSIRT) procedures and supply-chain management processes

Establish an incident response playbook and run practice simulations to curtail the impact by:

  • Following the NIST Response Framework as a procedural guide
  • Assigning roles and responsibilities of the incident response team
  • Defining the decision hierarchy and escalation process
  • Setting clear communication protocols up and down the organization chain
  • Sharing and receiving information regarding new vulnerabilities and remediation procedures to collectively strengthen supply-chain security
  • Putting necessary tools in place to help hunt indicators of compromise (IOC) and identify and isolate affected systems

Alternatively, you can outsource the incident response tasks to a third-party threat management service provider to augment your in-house security team. Find a company with experience using the MITRE ATT&CK framework to increase the effectiveness of its threat-hunting activities.

Up your threat detection capabilities by:

  • Deploying an intrusion detection/prevention system (IDS/IPS) to hunt for indicators of compromise (IoCs) such as unexpected data transfers, unauthorized access attempts, or unusual system behavior
  • Implementing continuous monitoring and log analysis to identify any suspicious activities or unauthorized access attempts

At no cost, get threat feeds and free tools from the Cybersecurity and Infrastructure Security Agency (CISA):

  • Sign up for alerts to be notified whenever a new vulnerability has been added
  • Apply the workflow below to help you determine if the new vulnerability directly impacts your organization
  • Determine whether there are weaknesses in your defense against that vulnerability
  • Utilize SonicWall Capture Client’s ability to scan hosts for vulnerabilities. Alternately, you can leverage this free security scanning tool to uncover software bugs and configuration problems that you need to address

A chart that shows how you can maintain continuous awareness with the Cybersecurity and Infrastructure Security Agency.
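The CISA workflow above boils down to three questions for every new alert: is the affected product in our inventory, who operates it (us or a vendor holding our data), and how long do we have before CISA’s remediation due date. The script below is an added example, not SonicWall’s code or CISA’s tooling. It assumes the field names used by CISA’s public Known Exploited Vulnerabilities (KEV) JSON feed (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dueDate`); the feed excerpt, vendor and product names, hostnames and asset inventory are all constructed placeholders so that the script runs offline.

```python
"""Triage a CISA KEV feed excerpt against an asset inventory (added example).

Assumptions: the KEV JSON layout (top-level "vulnerabilities" list with
"cveID", "vendorProject", "product", "dueDate"); the live feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The feed excerpt, vendor/product names and inventory below are constructed.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed KEV excerpt. "ExampleVendor"/"ExampleMailGateway" are placeholders,
# not the vendor named in the advisory; CVE-EXAMPLE-0001 is a placeholder ID.
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "2023.06.01",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-2868",
            "vendorProject": "ExampleVendor",
            "product": "ExampleMailGateway",
            "vulnerabilityName": "Constructed entry for illustration",
            "dateAdded": "2023-05-26",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2023-06-16",
        },
        {
            "cveID": "CVE-EXAMPLE-0001",
            "vendorProject": "OtherVendor",
            "product": "OtherRouter",
            "vulnerabilityName": "Constructed entry for a product we do not run",
            "dateAdded": "2023-06-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-06-22",
        },
    ],
})


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    owner: str            # "internal" or the third party that operates it for us
    internet_facing: bool


# Constructed inventory: one appliance we run, one run by a SaaS/payroll vendor
# that holds our data, and one unrelated device.
INVENTORY = [
    Asset("mx1.example.test", "examplevendor", "examplemailgateway", "internal", True),
    Asset("mx.payroll-partner.test", "ExampleVendor", "ExampleMailGateway", "PayrollProvider Inc", True),
    Asset("fw1.example.test", "OtherVendor", "OtherFirewall", "internal", True),
]


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive key so feed and inventory spellings match."""
    return " ".join(name.lower().split())


def load_kev(feed_json: str) -> list:
    return json.loads(feed_json)["vulnerabilities"]


def match_assets(kev_entries: list, inventory: list) -> list:
    """Pair each KEV entry with every inventory asset of the same vendor and product."""
    hits = []
    for entry in kev_entries:
        vendor, product = normalize(entry["vendorProject"]), normalize(entry["product"])
        for asset in inventory:
            if normalize(asset.vendor) == vendor and normalize(asset.product) == product:
                hits.append((entry, asset))
    return hits


def triage(kev_entries: list, inventory: list, today: date) -> list:
    """Build findings ordered by exposure, then by days left until CISA's due date
    (negative means overdue). Third-party assets get a follow-up action instead of
    a patch action, because we cannot remediate a vendor's system ourselves."""
    findings = []
    for entry, asset in match_assets(kev_entries, inventory):
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if asset.owner == "internal":
            action = "patch or isolate; hunt for the vendor's published IOC"
        else:
            action = f"request remediation status and IOC sweep results from {asset.owner}"
        findings.append({
            "cve": entry["cveID"],
            "host": asset.hostname,
            "owner": asset.owner,
            "internet_facing": asset.internet_facing,
            "days_to_due": days_left,
            "action": action,
        })
    return sorted(findings, key=lambda f: (not f["internet_facing"], f["days_to_due"]))


if __name__ == "__main__":
    for finding in triage(load_kev(KEV_FEED_JSON), INVENTORY, date(2023, 6, 10)):
        print(finding)
```

Matching on vendor and product is deliberately coarse: the KEV feed carries no version data, so a hit means "go confirm the version and check for the published IOC", not "confirmed vulnerable". The second inventory entry shows why the vendor column matters: the appliance is not on your network, but a partner runs it with your data on it, and the only action available is to ask that partner.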

This shouldn’t be taken as an all-inclusive list: Given the complexity of both today’s threat landscape and many of the networks at risk from it, there will almost certainly be things left to do in order to secure your specific environment. But taking the steps outlined above will put you in a vastly better position to prevent and combat attacks such as the ones exploiting CVE-2023-2868.

SonicWall, like other cybersecurity vendors, is working to ensure greater security on our end, as well. We are acutely aware that, even with over 30 years of maturity and experience in the security industry, we’re not immune to attacks targeting popular products. That’s why we’re committed to incorporating every possible security best practice, including PSIRT and Shift-Left secure software development processes, into each stage of our development and design cycles to earn and maintain our customers’ confidence and trust when using our technologies.

Contact us to explore how we can strengthen your defense against supply-chain and product-based threats.

U.S. National Cybersecurity Strategy Represents Paradigm Shift in IT Security

The U.S. federal government’s National Cybersecurity Strategy charts a course toward a stronger, more secure and more resilient future.

The Office of the National Cyber Director (ONCD) has released its new National Cybersecurity Strategy (NCS), which provides strategic guidance for how the United States should protect its digital ecosystem against malicious criminal and nation-state actors. The new strategy marks a fundamental shift in how the U.S. allocates roles, responsibilities and resources in cyberspace — both from a defensive posture as well as a long-term investment play.

Perhaps the most significant departure from previous practices is that the new strategy is focused on “cybersecurity” rather than “cyber strategy,” and therefore does not address influence operations or disinformation. (For reference, the U.S. government operates from a definition of “cybersecurity” communicated in 2008 under NSPD-54 and HSPD-23.)

The National Cybersecurity Strategy is built around five pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

We’ll look at each of these pillars and summarize how SonicWall is positioned to support and align with the overall strategy.

Pillar One: Defend Critical Infrastructure

This pillar is interesting, as it addresses the need for an even playing field vis-à-vis regulation and aims to ensure a consistent, performance-based and data-based application of cybersecurity across all infrastructure.

According to the strategy, a minimum set of cybersecurity requirements should be set across critical infrastructure sectors, as well as non-regulated entities. These regulations should leverage existing cybersecurity frameworks, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and CISA’s Cybersecurity Performance Goals.

How SonicWall helps defend critical infrastructure:

SonicWall is in accord with pillar one and is currently working to align with and conform to NIST SSDF and NIST Zero Trust Architecture standards. Defending critical infrastructure requires a multi-layered approach that includes proactive measures such as risk assessments, vulnerability scanning, and regular security updates, as well as reactive measures such as incident response planning and disaster recovery strategies.

SonicWall provides several security solutions that align with this multi-layered approach, including (but not limited to) firewall protection, intrusion prevention, VPN security, advanced threat protection, endpoint detection and response, email security, and zero-trust network access, along with a centralized management platform.

SonicWall understands the various use cases, certification requirements and compliance thresholds that must be met, and we will continue to work with federal agencies and state-regulated entities to help support and defend critical infrastructure.

Pillar Two: Disrupt and Dismantle Threat Actors

The second pillar is straightforward and doesn’t stray too far from previous practices. Instead, it enhances these prior practices and clarifies what needs to be done at the federal level for cybersecurity optimization. This pillar’s strategic objective is to “counter cybercrime and defeat ransomware.”

How SonicWall helps disrupt and dismantle threat actors:

It’s worth noting that phishing has become the most frequently used ransomware attack vector in the last few years. SonicWall knows a thing or two about phishing, and is well suited to disrupt and mitigate this threat using Email Security. SonicWall Email Security protects against targeted phishing attacks by blocking ransomware and zero-day malware via attachment sandboxing, machine learning, and advanced analysis techniques like Domain-based Message Authentication, Reporting and Conformance (DMARC). We helped defend against 493.3 million ransomware attacks in 2022, and will continue to help defeat and disrupt ransomware (and ransomware-as-a-service, or RaaS) in 2023 and beyond.

Pillar Three: Shape Market Forces to Drive Security and Resilience

Pillar three takes direct aim at software providers that fail to take “reasonable precautions” to secure their software. “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance,” the report states.

It then calls for legislation to shift liability to software providers that are negligent in this capacity, both within the federal government’s software supply chain and in consumer IoT devices. The call for a liability shift is combined with support for a “safe harbor” that would shield from liability companies that securely develop and maintain software products and services.

How SonicWall helps shape market forces to drive security and resilience:

SonicWall’s commitment to transparency and vulnerability discovery is paramount. SonicWall publicly shares both product notifications and security advisories on its SonicWall domain and remains committed to full transparency as a leading cybersecurity software vendor.

As we mentioned previously, SonicWall is committed to aligning with the NIST SSDF. As part of this process, we’re implementing a Software Bill of Materials (SBOM), which will attest to our users and buyers what the state of vulnerability discovery is for our solutions.

SonicWall believes in a robust cybersecurity approach, and we help to achieve awareness throughout the industry and beyond with our annual Cyber Threat Report, which sources real-world data gathered by the SonicWall Capture Threat Network. Collected across more than a million security sensors in 215 countries and territories across the globe, the sum of this intelligence telemetry presents a guide to attackers’ rapidly evolving tactics.

Pillar Four: Invest in a Resilient Future

The last two pillars are more forward-looking. Investing in a resilient future includes hardening the backbone of the internet and prioritizing cybersecurity across all industries and locales.

How SonicWall helps invest in a resilient future:

With sixteen mentions of “CISA” throughout the document, it’s safe to assume that any regulation created will include some form of threat emulation testing to ensure optimal performance. These regulations can also be expected to be mapped to threat techniques, like those enumerated in the MITRE ATT&CK framework.

SonicWall’s Capture Client (our EDR solution) is powered by SentinelOne, which has been a participant in the MITRE ATT&CK Evaluations since 2018 and was a top performer in the 2022 Evaluations. SonicWall is fully invested in threat-informed capabilities, and will continue to invest in and utilize tactics and techniques based on empirical evidence. Continuous validation of our cybersecurity methodology and quick adaptation to new tactics and techniques is a core strategy for staying resilient.

Pillar Five: Forge International Partnerships to Pursue Shared Goals

Pillar five calls for greater cooperation and partnership surrounding shared cybersecurity goals. The strategy even promises that the U.S. Department of Defense and the intelligence community will work within their (legally established) roles to disrupt the activities of malicious perpetrators.

The strategy acknowledges that a successful defensive effort of civilian infrastructure by the Defense Department will not be an easy feat and will require closer relationships for the best outcome. When looked at from a global point of view, this coordinated cybersecurity effort becomes even more complex. International coalitions and partnerships will be vital to ensure cybersecurity across global supply chains of products and services.

How SonicWall helps forge international partnerships and pursue shared goals:

As a global company, SonicWall recognizes the importance of international partnerships and aspires toward compliance with international regulations and standards such as GDPR, HIPAA, and PCI-DSS.

Moreover, SonicWall has several solutions geared toward collaboration and visibility. For example, SonicWall Capture Advanced Threat Protection (ATP) provides a cloud-based sandboxing solution that can analyze suspicious files and URLs to identify and stop cyberattacks.

By sharing threat intelligence and collaborating on threat mitigation strategies, SonicWall can work together with governments and the rest of the cybersecurity community to pursue shared cybersecurity goals across networks, endpoints, cloud environments and more. By monitoring and analyzing network traffic, organizations can identify potential security threats and take proactive measures to address them — and by compiling and sharing this data, SonicWall can help build trust with partners, customers and the wider intelligence community, helping create a safer future for all.