CyberClub

Because of its ubiquity as a network platform, Windows all too often gets blamed as the source of a host of network security vulnerabilities. But recent events have shown the truth — that all sorts of network components have flaws and that there are many nefarious means attackers can use to enter and take control.

With every day that passes, security professionals have blindly relied on false concepts such as Apple’s ecosystem being closed (and therefore not as susceptible to attack) and the conceit that many eyeballs mean vulnerabilities will be found and neutralized. It’s naive at best and potentially damaging to your firm at worst.

Security administrators running Microsoft systems spend a lot of time patching Windows components, but it’s also critical to ensure that you place your software review resources appropriately – there’s more out there to worry about than the latest Patch Tuesday.

It’s incredibly helpful to review the types of attacks that organizations similar to yours have received. Ask yourself if you would have done any better with the software you have in place. Reach out to your cyber insurance carrier as well as pen-testing consulting firms for additional guidance and advice.

Ensure that you have all of the resources you can to review all of your software. Because in reality, all of it is potentially vulnerable. We just may not be aware of how until it’s too late.

To illustrate that point, here are some recent issues that have affected non-Windows systems and how to mitigate them:

The dangerous XZ Utils Linux backdoor

A Linux vulnerability that almost (but not quite) made it into the distributions of nearly every Linux distro was caught by a savvy Microsoft engineer who realized that it was taking longer to log in with SSH with the machine making more CPU and throwing off valgrind errors.

He started digging into the details and found that the XZ repository and XZ tarballs had been backdoored. The potential for damage was great — if not for the efforts of one person who noticed that it was taking longer to log in and that the server had CPU overuse that didn’t make sense this backdoor could have made its way into many Linux distributions.

As noted, “On March 28, 2024, a backdoor was identified in XZ Utils. This vulnerability, CVE-2024-3094 with a CVSS score of 10, is a result of a software supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ Utils. The US Cybersecurity and Infrastructure Security Agency (CISA) has recommended organizations to downgrade to a previous non-compromised XZ Utils version.”

First, you’ll want to take the time to review if there is any exposure to CVE-2024-3094 to your organization. Reach out to your endpoint detection vendor and review if they already have detection in place for this vulnerability.

Next, review how you use such community software repositories such as Github and ask yourself if you properly vet and review checked-in code for potential security issues. Do you stress methodologies to vet and validate sources of code in your supply chain coding? Do you prioritize the source of code depending on its role in your environment?

Or do you, like many of us, assume that open-source software will be vetted by the community? In this case, it did, only because a single person in the right place at the right time, with the right skills was able to spot it.

Apple’s recent patches

Next, consider what many consider to be a secure platform — Apple iOS. Apple recently shipped patches for various security issues that included several with the notation that they’ve been used in attacks in the wild.

Two in particular deserve attention:

Kernel (CVE-2024-23225):  An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. A memory corruption issue was addressed with improved validation.

RTKit (CVE-2024-23296): An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. A memory corruption issue was addressed with improved validation.

While it appears that it’s most vulnerable in older phones and devices, Apple has clearly been increasingly in the crosshairs and used in attacks against individuals in businesses, key government roles, and other highly targeted industries.

The advice often recommended to me when deploying phones and other devices to staff is to ensure that such items are on the latest operating system and the latest hardware. Often older devices and especially older hardware do not have the necessary chipsets to provide the most secure operating system.

Thus, if you provide phones and devices to key personnel, always ensure they are on the latest generations and maintained on the latest operating systems. You must ensure that you have the same sort of patching and management tools for devices as you have for your operating systems.

Edge, VPN, remote access, and endpoint security

Review the security and patching status of your edge, VPN, remote access, and endpoint security. Each of these endpoint software has been used as an entryway into many governments and corporate networks. Be prepared to immediately patch and or disable any of these software tools at a moment’s notice should the need arise.

Ensure that you have a team dedicated to identifying and tracking resources to help alert you to potential vulnerabilities and attacks. Resources such as CISA can keep you alerted as can making sure you are signed up for various security and vendor alerts as well as having staff that are aware of the various security discussions online. 

These edge devices and software should always be kept up to date and you should review life cycle windows as well as newer technology and releases that may decrease the number of emergency patching sessions your Edge team finds themselves in.

Watch for homegrown attacks, not just those from abroad

Finally, don’t assume the attacker will come from overseas. While there is much attention paid to nation-state and other hackers from China, Russia, Iran, and North Korea, we often see bots and attacks from consumer-grade devices and domestic IP addresses.

If your security stance is to trust endpoints in your own backyard and to distrust everything overseas, the attackers know you have this attitude as well and are starting to launch their attacks from local endpoints.

Many of us have put in place geo-blocking for potential attackers from overseas but do not have the same level of protection for nearby endpoints, and attackers know that we don’t scan that traffic as well as we should.