Merlin Labs Memo -- Week of May 2-6

Zero-Day Discoveries Surged in 2021

“Google and Mandiant separately called attention to a dramatic surge in the discovery of in-the-wild zero-day attacks and warned that nation-state APT actors, ransomware gangs and private mercenary exploit firms are burning through zero-days at record pace.” -- Via Security Week

In the article, author Ryan Naraine shares these 2021 stats:

  • There were 58 in-the-wild zero-day discoveries by Google, the most ever recorded since they started tracking the problem
  • There were 80 zero-days exploited in 2021 per Mandiant’s threat intelligence team, which is more than double the previous record from 2019

Naraine's piece makes a few key points:

  1. Some of the increase could be explained by improved detection/reporting of zero-days, rather than an increase in zero-day events
  2. Most of the exploits use the same bug patterns and known exploitation techniques
  3. Vendors need to standardize a practice of openly sharing information about exploitation publicly, even when there are no known patches/mitigations
  4. Vendors should be aware that memory corruption vulnerabilities continue to be the primary target of breaches

Our Take: A zero-day is a software vulnerability (either unknown or known and without a fix/patch) that is exploited by malicious actors to gain access to and potentially gain control over IT systems and the data being housed. They are uniquely problematic because there is no known fix to the specific vulnerability. As security professionals, it's critical that we factor in the knowledge, technologies, and practices required to equip our customers to deal with zero-day attacks. That means our customers, with our guidance, need to prevent what they can and be prepared to respond to what can’t be prevented, i.e., mitigating the risk and lessening the potential degree of damage.

In addition to having a robust incident response plan in place and some obvious tools in the security stack (next-generation firewalls, next-gen anti-virus, threat intelligence, EUBA/behavioral monitoring, and IDS/IPS to name a few), the best defense is a good offense. And a good offense, in this case, is a strong commitment to cyber hygiene. Tools that enforce patching, automate cybersecurity compliance, monitor cybersecurity controls, track security and awareness training, and orchestrate incident response scripts are all critical in the fight against zero-day attacks. -- Sarah Hensley

Additional Reading:

---------------------------------------------------------------------------------------------------------------

What’s in those Russian Cyberattacks? 

In the 237 identified Russian cyberattacks on Ukrainian targets from Feb. 23 to April 8 this year, six groups and four classes of attack tools have been identified. Thirty-eight of the attacks were successful in destroying files. Of the attacks seen, the four classes include data wipers that render target machines unbootable, data deletion malware, ransomware-style attacks that encrypt files, and operational technology attacks. At the same time, the Russian attackers have been probing and attacking government IT assets in NATO member countries, including IT service firms that work with government customers. -- Summary of Microsoft Blog Post

Our Take: These are not attacks with a financial goal in mind, but are geared towards destruction. These are intended to incapacitate their targets. As such, they are capable of spreading destruction most widely in unsegmented environments with accounts that have wide-ranging access. As the war in Ukraine continues, we would expect cyberattacks more and more to resemble the unrestricted submarine warfare that drew America into official conflict in World War I and unofficial conflict in World War II. That means, as the war continues, Russian attacks will not be restricted to military or government targets. The software and services supply chains will be increasingly targeted. We can best assume that preparations for such attacks are being made now and that the attacks themselves will follow in weeks and months to come. Expect both the ferocity and number of attacks to increase beyond what we’ve seen in the past. -- Dean Webb 

Additional Reading:

--------------------------------------------------------------------------------------------------------------

RMF 2.0 Aims to Reduce Paperwork for Cybersecurity Efforts

Lt. Gen. John B. Morrison, Jr. spoke recently at TechNet Cyber 2022 and underlined the need to significantly reduce the bureaucratic aspects of risk management and implement cybersecurity defenses. By reducing the 80% of time spent on bureaucratic approval as part of a security project, Morrison said that cybersecurity staff would be able to devote more time to monitoring and actual security. Having a high-level risk management council review risks and how they are to be bought down will provide the right amount of bureaucratic oversight and free up lower-level staff from having to be tied down in that decision-making process. -- Summary of Breaking Defense Article

Our Take: With the current administration underlining the need for more and better cyber defenses in civilian agencies, we should expect similar exigencies to be emphasized as part of modernizing efforts within federal agencies. Innovating processes and procedures need to happen so that we spend less time pushing papers and more time actually making our IT and OT systems more secure. -- Dean Webb

Additional Reading:

---------------------------------------------------------------------------------------------------------------

CISA and FEMA Team to Continue Funding OT Efforts

"... the Cybersecurity and Infrastructure Security Agency prepares to disburse $1 billion in funding through the Federal Emergency Management Agency to improve the cybersecurity of critical infrastructure around the country... . Industrial control systems used in facilities like water treatment plants and gas pipelines can be particularly troublesome to secure and federal agencies have recently warned about malware constructed to target such infrastructure at scale." -- Via Nextgov

Our Take: The investment being made is heard loud and clear that securing our most vulnerable critical infrastructure is obvious and necessary with some needed focus on state and local entities. The Joint Cyber Defense Collaborative (JCDC) that was recently established also reads clear that collaboration between public and private, such as Nozomi Networks', will increase our nation's cybersecurity via visibility and shared threat intelligence. Our industry should be looking forward to when we're in an operational state in both sectors (including CDM) and be excited about playing a part in getting us there sooner rather than later. -- Tony Ko

Additional Reading:

---------------------------------------------------------------------------------------------------------------

Un-patchable Flaws in IoT Devices Cause Vendors to Beg for Public Assistance

An IoT vulnerability (tracked under ICS-VU-638779, VU#473698) is affecting the Domain Name System (DNS) implementation of all versions of uClibc and uClibc-ng, a popular C standard library in IoT products. The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.

According to their respective official websites, uClibc is known to be/have been used by major vendors such as Linksys, Netgear, and Axis (only until 2010, newer Axis products include other libraries), as well as Linux distributions such as Embedded Gentoo. uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers possibly deployed throughout various critical infrastructure sectors. -- Summary of Security Week Article

Our Take: While specific vendors are not mentioned in this, the fact it is a fork largely used by OpenWRT means it exists in many home, hobby, and enterprise systems. Most of us who have hacked our home routers have done so with OpenWRT and there are a wide number of inexpensive security devices that use the OS for packet capture and IDS backends. More importantly, popular consumer brands including Netgear, Linksys, and soft routers based in the cloud leverage OpenWRT for its easy-to-customize, modular system. OT is often at the forefront of issues we see on a daily basis, however, it is easy to forget how common consumer-grade IoT systems are in the Enterprise.

Short-term mitigation efforts for this attack vector rely on good DNS and DNS proxy solutions to prevent the redirection of traffic to a Command and Control node outside of the organization. Since this is essentially a DNS redirection attack, at the firewall and proxy the DNS request will need to be locked down to particular targets. Honestly, they should be locked down anyway. -- Jeremy Newberry
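The summary above says the uClibc flaw is that the transaction ID in outgoing DNS queries is predictable. The following audit script is an added example written for this memo, not code from uClibc, OpenWrt, or the cited article: it constructs a handful of sample DNS query packets, extracts the 16-bit transaction ID from each header, and reports whether the sequence looks like a counter or a fixed stride. The "counter" sample is an assumed behaviour used only to exercise the check; it does not reproduce the library's actual ID generation. The same functions can be pointed at queries captured from a device under test to see whether its resolver warrants the DNS lockdown described above.

```python
"""Audit check for predictable DNS transaction IDs (TXIDs).

A DNS client that chooses TXIDs predictably (a counter, a fixed stride,
or a constant) makes it far easier for an off-path party to forge a
reply the client will accept. This script builds constructed DNS query
packets, parses the TXID out of each 12-byte header, and scores the
sequence. No network traffic is sent or read.
"""
import struct


def build_query(txid: int, name: str) -> bytes:
    """Construct a minimal DNS A/IN query (header + question) for `name`."""
    flags = 0x0100  # standard query, recursion desired
    # Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all big-endian u16)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    qtype_qclass = struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + qname + qtype_qclass


def parse_txid(packet: bytes) -> int:
    """Return the 16-bit transaction ID from a DNS message header."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    return struct.unpack("!H", packet[:2])[0]


def assess_txids(txids: list[int]) -> dict:
    """Score a TXID sequence for predictability.

    sequential_fraction: share of steps that are exactly +1 (mod 2^16)
    constant_stride:     True if every step is the same value
    distinct_fraction:   share of IDs that are unique (low = reuse)
    verdict:             "predictable" or "no obvious pattern"
    """
    if len(txids) < 2:
        raise ValueError("need at least two TXIDs")
    steps = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    sequential = sum(1 for s in steps if s == 1) / len(steps)
    constant_stride = len(set(steps)) == 1
    distinct = len(set(txids)) / len(txids)
    if constant_stride or sequential >= 0.9 or distinct < 0.5:
        verdict = "predictable"
    else:
        verdict = "no obvious pattern"
    return {
        "sequential_fraction": sequential,
        "constant_stride": constant_stride,
        "distinct_fraction": distinct,
        "verdict": verdict,
    }


def audit_packets(packets: list[bytes]) -> dict:
    """Extract TXIDs from raw DNS query packets and score them."""
    return assess_txids([parse_txid(p) for p in packets])


# Constructed sample 1: a resolver that simply increments its TXID.
# This is an assumed behaviour for the demonstration, not uClibc's code.
COUNTER_QUERIES = [build_query(0x1000 + i, "example.com") for i in range(8)]

# Constructed sample 2: hand-picked values with no visible pattern.
RANDOM_LIKE_IDS = [0x8A3F, 0x1C90, 0xF214, 0x5B07, 0x3E6A, 0xC1D2, 0x7A85, 0x29FB]
RANDOM_LIKE_QUERIES = [build_query(t, "example.com") for t in RANDOM_LIKE_IDS]

if __name__ == "__main__":
    for label, pkts in (("counter", COUNTER_QUERIES), ("random-like", RANDOM_LIKE_QUERIES)):
        print(f"{label:12s} {audit_packets(pkts)}")
```

The thresholds (90% sequential steps, fewer than half distinct values) are rough heuristics chosen for this example; a real audit would collect many more queries from the device and, ideally, also check the UDP source port, since both fields together are what a spoofed reply has to match.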

Additional Reading:

---------------------------------------------------------------------------------------------------------------

Readers: What would you like to see in future editions? We've started this weekly memo as a simple way to share 3-5 bits of news and/or ideas, along with our professional opinions. What’s working, what’s not, and what’s on your mind? Let us know by leaving a comment below or sending a note to labs@merlincyber.com.