Cyber Risk Leaders Magazine - Issue 6, 2021

"Every day, our adversaries are using known vulnerabilities to target federal agencies…we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors"

- Jen Easterly, Director, US Cybersecurity and Infrastructure Security Agency, November 3, 2021

As 2021 draws to a close, we consider the top security threats enterprises face today, amid the uncertainty of what 2022 may hold.

Changes in working patterns, in tandem with a rising tide of security threats, have forced many enterprises to think about their reliance on legacy network architecture. With a majority of workers now working remotely from their home offices, the attack surface has expanded: some applications still sit in an on-premise data centre, others are protected by SASE, and many run in multiple clouds around the world, helping to manage employees and support customers. The threats extend to the applications, the end users and the devices those users connect from. Attackers are busily adapting to the new defensive measures everyone is putting in place, and there is no shortage of critical vulnerabilities being discovered and exploited at scale.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate those vulnerabilities in all software and hardware found on federal information systems, including systems managed on agency premises and those hosted by third parties on an agency’s behalf. With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion.
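To make the prioritization problem above concrete, the following is an added example (not from the magazine, CISA or any vendor) that ranks vulnerability-scanner findings against a KEV-style catalog: catalogued, actively exploited CVEs come first, ordered by the catalog's due date and by whether the asset is internet-facing, and only then does the raw CVSS score decide. The catalog excerpt and the findings are constructed sample data; the field names cveID, vendorProject, product, dateAdded, dueDate and requiredAction are assumed to follow the layout of CISA's KEV JSON feed, and the CVE-0000-* identifiers are placeholders.

```python
"""Rank scanner findings against a Known Exploited Vulnerabilities (KEV) catalog.

Added example, not code from the magazine or CISA. Catalog excerpt and findings
are constructed; the catalog field names are assumed to follow the KEV feed layout.
"""
import json
from datetime import date

# Constructed catalog excerpt in the assumed KEV feed layout (CVE-0000-* are placeholders).
KEV_CATALOG_JSON = """
{
  "title": "Sample KEV excerpt (constructed)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-42292", "vendorProject": "Microsoft", "product": "Excel",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2021-11-10", "dueDate": "2021-11-24",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scanner output: one finding per (asset, CVE).
SAMPLE_FINDINGS = [
    {"asset": "web-proxy-01", "cve": "CVE-0000-0002", "cvss": 9.8, "internet_exposed": True},
    {"asset": "finance-ws-07", "cve": "CVE-2021-42292", "cvss": 7.8, "internet_exposed": False},
    {"asset": "build-srv-02", "cve": "CVE-0000-0003", "cvss": 9.9, "internet_exposed": False},
    {"asset": "hr-ws-12", "cve": "CVE-2021-42292", "cvss": 7.8, "internet_exposed": False},
]


def load_kev(catalog_json: str) -> dict:
    """Index the catalog by CVE id so each finding is a single dictionary lookup."""
    data = json.loads(catalog_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritise(findings: list, kev: dict, today: date) -> list:
    """Return findings ranked for remediation.

    Order: KEV-listed first (earliest due date, then internet-exposed assets),
    then everything else by CVSS descending. Python's sort is stable, so ties
    keep scanner order.
    """
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            "asset": f["asset"],
            "cve": f["cve"],
            "cvss": f["cvss"],
            "exposed": f["internet_exposed"],
            "kev": entry is not None,
            "due": due,
            "overdue": bool(due and due < today),
            "action": entry["requiredAction"] if entry else "Schedule in normal patch cycle",
        })
    ranked.sort(key=lambda r: (
        0 if r["kev"] else 1,          # actively exploited beats any CVSS score
        r["due"] or date.max,          # earliest catalog due date first
        0 if r["exposed"] else 1,      # internet-facing assets before internal ones
        -r["cvss"],                    # finally, severity
    ))
    return ranked


def run_sample(today_iso: str = "2021-11-20") -> list:
    """Rank the constructed findings as of a constructed reference date."""
    return prioritise(SAMPLE_FINDINGS, load_kev(KEV_CATALOG_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rank, r in enumerate(run_sample(), start=1):
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["kev"] else "-")
        print(f"{rank}. {r['asset']:<14} {r['cve']:<15} CVSS {r['cvss']:<4} "
              f"due {r['due'] or 'n/a'} {flag:<8} {r['action']}")
```

Run as-is, the highest-CVSS finding (9.9, not in the catalog) lands last, behind two overdue KEV items on internal workstations and a not-yet-due KEV item on an internet-facing proxy; the catalog's due dates bind federal agencies, but the same ordering is a sensible default for any organisation.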

The White House confirmed approximately 150 US-based utility providers, serving some 90 million customers, had moved to fortify their cybersecurity defences in the last three months. The May 2021 ransomware attack on Colonial Pipeline highlighted the vulnerabilities of such critical infrastructure. Cybersecurity business Nuspire says ransomware activity spiked 55,239% in the early part of Q2 2021. Ransomware attacks have since trailed off, but Nuspire says that is no reason for complacency: a new ransomware gang called BlackMatter has risen from the “ashes” of the DarkSide and REvil cyber gangs.

To highlight the issue, two alerts were announced at the time of writing: a critical alert regarding a vulnerability present in certain versions of Microsoft Excel, and a second concerning a remote code execution vulnerability present in certain versions of Palo Alto Networks’ firewalls that use the GlobalProtect VPN component.

Palo Alto Networks says it is not aware of any malicious exploitation of this issue, which was discovered and disclosed by Randori. The vulnerability allows unauthenticated remote code execution on vulnerable installations of the product, and numerous vulnerable instances, in excess of 10,000, are exposed on internet-facing assets.

The Randori Attack Team developed a reliable working exploit and leveraged the capability as part of their red team platform. The team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. With control over the firewall, they had visibility into the internal network and could proceed to move laterally, disrupt system processes and potentially execute arbitrary code with root privileges. The vulnerability is deemed critical, with a Common Vulnerability Scoring System (CVSS) score of 9.8.

The Microsoft Excel vulnerability (CVE-2021-42292) could allow an unauthenticated person to bypass a key security control. A bona fide user could be tricked into opening a malicious spreadsheet, for example as part of a spearphishing campaign. The vulnerability scores 7.8/10 on the CVSS, ranking it as a high severity threat. Microsoft notes the vulnerability is currently being exploited, with 18 versions of Excel impacted, although there is no indication that the Microsoft-hosted Office 365 Excel product is affected.

Guillaume Noé has also contributed to this edition, with a look at the impact on the health care sector. The pandemic has put medical institutions under operational stress, and the related cyber-attack surface has grown with new health-related targets such as medical transport and supply chain service providers. The pandemic gave cyber-criminals the opportunity to build targeted attacks against a disrupted workforce and a vulnerable population through campaigns including COVID-19 themed scams. Cyber security vulnerabilities do not only apply to technology; they also apply to people, and even more so when people are stretched in an industry under stress.

Miryam Meir for SecurityScorecard has appropriately focused on Third-Party Risk Management (TPRM). Across the supply chain, third parties provide cloud services, store sensitive data and deliver other important services, so they are also a major source of cyber risk. Cybercriminals often compromise third-party providers as a route to their clients’ data and networks, so organisations need to be able to trust third parties and their security posture.

As an international edition, we have a Singapore focus, with Singapore Correspondent Jane Lo reporting on the ISACA Singapore Chapter’s GTACS 2021 conference and Singapore International Cyber Week 2021 (SICW, 4th – 8th October 2021). The 6th edition of SICW opened to a global audience of more than 2,000 delegates and speakers, including government ministers, cyber principals, heads of agencies and leaders from industry and academia.

In this edition, we also give you the opportunity to deep dive into the cybersecurity domain and corporate risk management, and throughout we link to our Tech & Sec Weekly Series and the latest Cyber Security Weekly podcasts. There is a lot here to unpack. As always, there is so much more to touch on, and we trust you will enjoy this edition of Cyber Risk Leaders Magazine. Enjoy the reading, listening and viewing!

Chris Cubbage CPP, CISA, GAICD, Executive Editor