Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

September 19, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • Apple has released patches for older operating systems to fix a critical zero-day vulnerability under active exploit, specifically iOS/iPadOS 15.7.9, macOS Monterey 12.6.9 and macOS Big Sur 11.7.10
  • Apple also fixed two new zero-days, releasing iOS/iPadOS 16.6.1, macOS 13.5.2, watchOS 9.6.2
  • In last week's Patch Tuesday, Microsoft released fixes for 66 vulnerabilities, including 5 critical and 2 already being exploited, and Adobe released critical fixes for multiple products, including zero-days in both Adobe Acrobat and Reader that are under active exploit
  • Google Chrome is being updated to fix a new zero-day (remember to close and restart for the update to be installed)
  • Cisco has announced that an unpatched zero-day in the remote access VPN feature of its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) is under active exploit. Workarounds are recommended.
  • Cisco has also released a patch to secure the single sign-on (SSO) implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform
  • Kubernetes has released fixes for security flaws for Windows endpoints in the cluster
  • Azure HDInsight Instances should be patched immediately

Patch All the Things!



A simple phone call

Heard about that attack on MGM last week? Slot machines shut down, hotel room keys not working, credit card payments can't be processed, pandemonium in Las Vegas. How did it all begin?

"All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk," the organization wrote in a post on X.

Apparently, the caller managed to convince an IT help desk employee to reset passwords for administrative accounts in the company's 2FA system, Okta, and it all went downhill from there. The attack itself was technically complex, but it all started with a simple phone call.

The attackers posted a lot of information about the entire process, including a scathing assessment of MGM's incident response efforts:

MGM made the hasty decision to shut down ... On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers' lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to "take offline" seemingly important components of their infrastructure on Sunday....

What are our takeaways from this story?

  • Beware of social engineering attacks. Train your family and your employees to double-check information, call other people, verify claims, be skeptical of requests, question everyone and everything.
  • Have a plan. We often find that organizations have a written incident response plan, but it's a template from their insurance agency or from the Internet in general, and it's not really tailored to that organization. If they needed to put it into action, either (1) they couldn't actually follow the plan, or (2) they'd be doing the wrong things.
  • Practice the steps. How many times have you discovered that your instructions to someone weren't actually correct? Isn't it usually when you try to reproduce them yourself? It's so hard to write a recipe down from memory, isn't it? The classic way to prepare for an emergency is to practice your responses. CISA has a number of tabletop exercises for organizations of all sizes to use, free of charge. For personal and family situations, just imagine a few likely scenarios and what your response might be: you get locked out of online banking, you are warned that an important online account has been compromised, you get ransomware on your home computer, your laptop is stolen. How do you respond? Who do you call for help? Write down a few bullet points of the steps that need to be taken in each situation, and work through them with family members, so that everyone understands what needs to be done.
  • Be prepared for manual processing. The standard fallback position when systems go offline is "manual processing." If that's your fallback position, make sure you are prepared to actually do it. Do you have the equipment for manual processing? Is it readily available, or is it boxed up and stored in a warehouse somewhere? Have your people been trained in how to do manual processing?

Stay cyber safe this week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass

grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved.