Open source software and threats to critical infrastructure.
The direct warning of a Russian threat to US infrastructure that CISA, the NSA and the FBI jointly issued earlier this week came after several weeks of work to find and fix vulnerabilities in the Apache Software Foundation's Log4j open source library. Yesterday, US Cyber Command officially attributed the activities of the threat group commonly known as MuddyWater to Iranian intelligence, specifically the Ministry of Intelligence and Security (MOIS). Among the tools the group uses are variants of the open source PowGoop DLL sideloader. MuddyWater seems to have been more involved in espionage than sabotage, but its reliance on open source tools is notable.
The White House summit on open source software security is meeting today.
Senior representatives of US technology companies and government agencies are meeting today to discuss ways of addressing open source security issues that rose to prominence during the protracted research into, and remediation of, the Log4j vulnerabilities. CyberScoop reports the list of participants:
“The full list of technology participants includes Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook / Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, RedHat and VMware.
“Federal authorities present include representatives from the Departments of Commerce, Defense, Energy and Homeland Security, as well as agencies such as the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the National Science Foundation, the Office of the National Cyber Director and the Office of Science and Technology Policy.”
Log4j is a particular instance of a more general challenge. We saw on Tuesday that the Apache Software Foundation intended to argue that downstream users of open source software should play a bigger role in securing the supply chain on which their products depend so heavily. Kent Walker, President of Global Affairs and Chief Legal Officer of Google and Alphabet, this morning welcomed the administration’s decision to convene the meeting:
“Given the importance of digital infrastructure in our lives, it’s time to start thinking about it the same way we think about our physical infrastructure. Open source software is a connective tissue for much of the online world – it deserves the same attention and funding that we give to our roads and our bridges. Today’s meeting at the White House was both an acknowledgment of the challenge and an important first step toward resolving it.”
Yesterday Claroty’s blog outlined hopes for the summit:
“Many open source projects are under-resourced and poorly funded; these challenges are often only uncovered when a critical vulnerability emerges. Heartbleed, the crypto vulnerability found in 2014 in OpenSSL, shed light on the lack of resources keeping OpenSSL afloat, despite the fact that the software lives everywhere from commercial software to smartphones to industrial devices. There was a small OpenSSL team at the time, woefully behind on updates but loyal to keeping the project on track. Heartbleed put a lot of companies at risk and, in reaction, industry was forced to form groups to audit the code base and funnel development money and resources to the project.
“Tomorrow’s meeting at the White House is a concrete step the Biden administration is taking to proactively assess the risks posed by open source software.”
Industry comments on the importance of open source code for critical infrastructure.
Several industry sources began by pointing out that “critical infrastructure” is not just homage to a buzzword or a collection of agency actions: designating a system as “critical” is the end result of serious thinking about risk. Tim Erlin, vice president of strategy at Tripwire, explained it this way:
“It’s important to remember that critical infrastructure is more than just a phrase. It describes a vast array of infrastructure upon which our nation relies. Critical infrastructure is really critical.
“This alert contains not only information about the threat, but real, actionable information that organizations can use to defend themselves. Using the MITRE ATT&CK framework to identify malicious activity and to map valid mitigation actions is very valuable.
“This alert focuses on a specific set of threats and on actions to identify and respond to those threats. Organizations should also review their preventive controls against the tools and techniques described in this alert. It is important to identify an attack in progress, but preventing the attack from succeeding is better.”
Erich Kron, security awareness advocate at KnowBe4, thinks it’s important to understand that the risk of attacks on critical infrastructure increases with international tensions:
“Targeting critical infrastructure is nothing new; however, the increase in attacks is certainly something to be concerned about, especially given the tensions between the United States and Russia over the Ukrainian border crisis. Russia has very advanced cyber warfare skills that keep them hidden once a network is compromised, although ironically the initial attack vectors are usually low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords.
“To strengthen organizations against these attacks, it is essential that they have a comprehensive security awareness program in place to help users spot and report suspected phishing attacks and to educate them on good password hygiene. Additionally, technical controls such as multi-factor authentication and monitoring for potential brute force attacks can play a critical role in preventing initial network intrusion.”
Mark Carrigan, Cyber Vice President, Process Safety and OT Cybersecurity at Hexagon PPM, bets on form and is happy to name names. He thinks the Russian state-sponsored team that has been active against power grids (Western nickname “Energetic Bear”) is likely to be heard from again:
“The political influence that can be gained from infiltrating critical infrastructure is enormous. The fingerprints of Energetic Bear, the Russian organization behind past attacks on critical infrastructure, are visible in these recent activities. Highly sophisticated threats from state-sponsored actors aren’t going away, and corporations large and small are in the crosshairs. For OT/ICS security leaders, 2022 should be the year of resilience. We know it’s not if but when you will be attacked, as history has proven. The element of resiliency is to ensure that you have a reliable restore point that includes ‘configuration settings for common devices and critical OT equipment’.”
Eric Byres, CTO at aDolus Technology Inc., would like to remind infrastructure operators not to neglect the validation and authentication of patches before they are applied.
“This CISA alert certainly contains general advice on best practices for reducing cybersecurity risks, but it missed a critical point in the Vulnerability and Configuration Management section. CISA says to update the software and use a centralized patch management system, but they fail to mention the importance of validation or authentication before installing these patches. There’s no point updating a vulnerability with a counterfeit, malware-infested patch. Critical infrastructure operators should verify that the patch they have on hand can be safely installed and that it has arrived from their vendor (not a Russian agency).”
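Byres’s point about refusing unverified patches, as an added example (not aDolus’s code and not part of the CISA alert): a stdlib-only Python gate that streams a patch file through SHA-256 and compares the result in constant time against the vendor’s digest manifest, refusing files that are unlisted or altered. The file names, the “vendor” manifest and the sample bytes are all constructed for the demo. The manifest is assumed to have been obtained over an authenticated channel and its signature already checked against the vendor’s public key; that signature check is outside this snippet, which only answers whether the bytes on disk are the bytes the vendor listed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # stream large firmware images 1 MiB at a time


def sha256_of_file(path):
    """Hex SHA-256 of a file, streamed so a multi-GB image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_patch(path, manifest):
    """Gate a patch file against the vendor's digest manifest.

    manifest maps file name -> expected SHA-256 hex. It is ASSUMED to have been fetched over an
    authenticated channel with its signature verified against the vendor key beforehand; this
    function does not verify signatures, only that the bytes on disk match the listed digest.
    Returns (ok, reason); install only when ok is True.
    """
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not listed in vendor manifest, refuse to install"
    actual = sha256_of_file(path)
    # compare_digest avoids timing differences leaking how many leading hex digits matched
    if not hmac.compare_digest(actual, expected.strip().lower()):
        return False, f"{name}: SHA-256 mismatch, file does not match vendor manifest"
    return True, f"{name}: SHA-256 matches vendor manifest"


def demo():
    """Constructed scenario: a genuine patch, a copy with one flipped bit, and an unlisted file."""
    genuine = b"PLC-FW-1.2.3 firmware image (constructed sample bytes)" * 64
    tampered = bytearray(genuine)
    tampered[100] ^= 0x01  # a single-bit change, as a trojaned mirror copy might carry
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        p_ok = os.path.join(workdir, "plc-fw-1.2.3.bin")
        p_bad = os.path.join(workdir, "plc-fw-1.2.3-mirror.bin")
        p_unlisted = os.path.join(workdir, "hotfix.bin")
        for p, data in ((p_ok, genuine), (p_bad, bytes(tampered)), (p_unlisted, genuine)):
            with open(p, "wb") as fh:
                fh.write(data)
        # What the vendor would publish for this release (hypothetical names); the upper-case
        # entry shows that digest case is normalised before comparison.
        manifest = {
            "plc-fw-1.2.3.bin": hashlib.sha256(genuine).hexdigest().upper(),
            "plc-fw-1.2.3-mirror.bin": hashlib.sha256(genuine).hexdigest(),
        }
        for label, p in (("genuine", p_ok), ("tampered", p_bad), ("unlisted", p_unlisted)):
            results[label] = verify_patch(p, manifest)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} install={'yes' if ok else 'NO':3s}  {reason}")
```

The default is refusal: a file the manifest does not mention is treated exactly like a file whose digest fails, because an operator who cannot tie a patch to the vendor’s published list has no basis for installing it on an OT asset.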
Ron Brash, vice president of technical research at aDolus Technology Inc., added a recommendation of resources for organizations that are trying to manage fixes and updates:
“To help triage and prioritize patches, asset owners should use resources like SBOMs and VEX documents. These types of documents help vendors share with their customers which vulnerabilities are present and actually exploitable (because most of them are not). aDolus worked with several major ICS vendors to produce the first real-world VEX documents in response to the Log4j vulnerability. This type of effort highlights the benefit of intelligent vulnerability response over general declarations of untimely patches.”
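To show what “triage with SBOMs and VEX documents” looks like in practice, an added example (not aDolus’s code and not any vendor’s real documents): it reads a constructed CycloneDX-style SBOM and a constructed, simplified OpenVEX-style statement list, merges them with a constructed set of scanner findings, and sorts each finding into patch-now, suppressed or still-in-queue. The product build, the vendor’s status assertions and the placeholder purl outside the Log4j entries are all assumptions; the Log4j CVE identifiers are real. Anything without a usable vendor statement stays in the queue, because a missing VEX entry means unknown, not safe.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical product build (not a real vendor document).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"}
  ]
}"""

# Constructed, simplified OpenVEX-style statements; the statuses are hypothetical vendor assertions.
VEX_JSON = """{
  "statements": [
    {"vulnerability": "CVE-2021-44228",
     "products": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"],
     "status": "affected", "action_statement": "Upgrade to log4j-core 2.17.1 (product release 5.2)"},
    {"vulnerability": "CVE-2021-45046",
     "products": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "CVE-2021-45105",
     "products": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"],
     "status": "not_affected"},
    {"vulnerability": "CVE-2021-44228",
     "products": ["pkg:maven/org.example/not-in-this-build@1.0"],
     "status": "fixed"}
  ]
}"""

# Constructed scanner output as (purl, vulnerability). A scanner matching on artifact name may
# flag log4j-api as well as log4j-core; sorting that out is what VEX triage is for.
SCANNER_FINDINGS = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "CVE-2021-44228"),
    ("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "CVE-2021-45046"),
    ("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "CVE-2021-45105"),
    ("pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1", "CVE-2021-44228"),
]

VALID_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}  # OpenVEX status values


def sbom_purls(sbom_text):
    """Set of package URLs declared in a CycloneDX-style SBOM."""
    return {c["purl"] for c in json.loads(sbom_text).get("components", []) if "purl" in c}


def index_vex(vex_text, known_purls, warnings):
    """Map (purl, vulnerability) -> statement; statements about products absent from the SBOM are dropped."""
    index = {}
    for stmt in json.loads(vex_text).get("statements", []):
        vuln = stmt["vulnerability"]
        for purl in stmt.get("products", []):
            if purl not in known_purls:
                warnings.append(f"VEX statement for {vuln} names {purl}, not in SBOM; ignored")
                continue
            index[(purl, vuln)] = stmt
    return index


def triage(sbom_text, vex_text, findings):
    """Sort scanner findings into patch_now / suppressed / in_queue using VEX as the vendor's word.
    Only an 'affected' statement escalates; only a justified 'not_affected' or a 'fixed' suppresses;
    everything else (no statement, under_investigation, malformed) stays in the queue."""
    warnings = []
    purls = sbom_purls(sbom_text)
    vex = index_vex(vex_text, purls, warnings)
    out = {"patch_now": [], "suppressed": [], "in_queue": [], "warnings": warnings}
    for purl, vuln in findings:
        if purl not in purls:
            warnings.append(f"finding {vuln} on {purl}: component absent from SBOM")
            out["in_queue"].append((purl, vuln))
            continue
        stmt = vex.get((purl, vuln))
        status = stmt.get("status") if stmt else None
        if stmt is None or status == "under_investigation":
            out["in_queue"].append((purl, vuln))
        elif status not in VALID_STATUSES:
            warnings.append(f"{vuln} on {purl}: unrecognised VEX status {status!r}")
            out["in_queue"].append((purl, vuln))
        elif status == "affected":
            out["patch_now"].append((purl, vuln, stmt.get("action_statement", "")))
        elif status == "fixed":
            out["suppressed"].append((purl, vuln, "fixed"))
        else:  # not_affected: OpenVEX requires a justification or impact statement to back it
            reason = stmt.get("justification") or stmt.get("impact_statement")
            if reason:
                out["suppressed"].append((purl, vuln, reason))
            else:
                warnings.append(f"{vuln} on {purl}: not_affected without justification, not trusted")
                out["in_queue"].append((purl, vuln))
    return out


if __name__ == "__main__":
    result = triage(SBOM_JSON, VEX_JSON, SCANNER_FINDINGS)
    for bucket in ("patch_now", "suppressed", "in_queue", "warnings"):
        print(bucket, *result[bucket], sep="\n  ")
```

With the sample data, one finding escalates (the vendor says log4j-core 2.14.1 is exploitable and names the fix), one is suppressed on a justified not_affected, and two stay queued: the unjustified not_affected is not trusted, and the log4j-api finding has no vendor statement at all. The statement about a product not in the SBOM is ignored but logged, since a VEX document that disagrees with the SBOM is itself a signal worth raising with the vendor.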
And updates on Russian talks with NATO and the United States on threats against Ukraine.
POLITICO reports that talks between Russian and NATO officials yesterday ended in an “impasse”. NATO Secretary General Jens Stoltenberg offered a grim assessment: “There is a real risk of a new armed conflict in Europe. We are clear-eyed. So we also sent a message to Russia that if they use military force, the consequences will be serious: economic sanctions, political sanctions.”
According to Newsweek, senior Russian officials are blaming the United States for the deterioration in relations. Vyacheslav Volodin, chairman of the State Duma, the lower house of Russia’s parliament, complained that Washington was acting like “an elephant in a china shop”, carelessly destroying structures that had been carefully built in Europe after the Second World War to prevent another conflict of that kind. (As if NATO were a construct negotiated with the Soviet Union, rather than an alliance designed to prevent the Soviets from engulfing more of Europe than they already had.)