Weekly CyberTip: Consolidate security software
There are lots of good security solutions out there, and over time your organization may have invested in several different applications. But when was the last time you reflected on potential feature overlaps between these solutions? You may be paying twice – or more – for redundant or overlapping services and tools. Taking a strategic look at your cyber program and consolidating solutions can help reduce costs and complexity, simplify training and management, and help you identify which systems should stay in-house vs. those that should be outsourced.
Cisco discloses high severity vulnerability in IP phones
On December 8, Cisco announced a vulnerability in current versions of Cisco IP Phone 7800 and 8800 Series firmware that could allow an unauthenticated attacker to compromise an affected device. The vulnerability has a “High” severity rating with a CVSS base score of 8.1.
According to the Cisco bulletin, the “vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.” Remote code execution (RCE) bugs can allow a threat actor to take control of a device or even pivot to other systems within a network.
Cisco’s Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability and advises that, while the vulnerability is being “publicly discussed”, it is not currently aware of any malicious exploitation of the bug.
Cisco does not have a patch for the vulnerability, and does not expect one to be available until at least January 2023. The only current suggested workarounds are to:
- use network configurations or firewalls to isolate the affected devices; and/or
- disable CDP on the affected devices, which will then force them to use LLDP for discovery of configuration data such as voice VLAN, power negotiation, etc.
It is important to note, however, that neither workaround is straightforward, and both would require thorough investigation and planning before deployment.
The vulnerability is being tracked as CVE-2022-20968. If you use these devices, monitor Cisco’s support website for updates and patch news as it becomes available.
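To make concrete what “insufficient input validation of received Cisco Discovery Protocol packets” means from a defender’s point of view, the following is an added example (not Cisco’s code and not derived from the affected firmware or from the CVE-2022-20968 proof of concept): a small CDP payload parser that applies the bounds checks a robust receiver needs. CDP’s public wire format is a 4-byte header (version, TTL, checksum) followed by type-length-value records whose 16-bit length field counts its own 4-byte header. The parser rejects a TLV whose declared length is smaller than that header, runs past the end of the packet, or exceeds a policy cap, instead of copying on trust. The sample frames, the cap of 1024 bytes, and the fact that the checksum is not verified are all simplifying assumptions of this example; the TLV type codes used are from the public CDP format.

```python
"""
Defensive CDP (Cisco Discovery Protocol) TLV parser with strict bounds checks.
Added example for illustration only; it is not Cisco's code and does not
reproduce the flaw in the IP Phone firmware. It operates on a CDP payload,
i.e. the bytes after the Ethernet / 802.2 LLC / SNAP headers.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

CDP_HEADER_LEN = 4      # version(1) + ttl(1) + checksum(2)
TLV_HEADER_LEN = 4      # type(2) + length(2); the length counts this header too
MAX_TLV_VALUE = 1024    # policy cap (assumption): larger values are rejected outright

# Well-known CDP TLV types from the public CDP format (subset)
TLV_NAMES = {0x0001: "Device-ID", 0x0003: "Port-ID",
             0x0005: "Software Version", 0x0006: "Platform"}


@dataclass
class Tlv:
    type: int
    value: bytes

    @property
    def name(self) -> str:
        return TLV_NAMES.get(self.type, f"Unknown(0x{self.type:04x})")


class CdpParseError(ValueError):
    """Raised for any structurally invalid CDP payload."""


def parse_cdp(payload: bytes) -> tuple[int, int, list[Tlv]]:
    """Return (version, ttl, tlvs) or raise CdpParseError.

    Every length field is checked against the bytes actually present before
    it is used to slice, so a hostile length can never index past the buffer.
    The checksum is deliberately not verified here (simplification).
    """
    if len(payload) < CDP_HEADER_LEN:
        raise CdpParseError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    if version not in (1, 2):
        raise CdpParseError(f"unsupported CDP version {version}")

    tlvs: list[Tlv] = []
    offset = CDP_HEADER_LEN
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < TLV_HEADER_LEN:
            raise CdpParseError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER_LEN])
        if tlv_len < TLV_HEADER_LEN:
            # A length smaller than its own header would make value_len negative
            # (or wrap in unsigned arithmetic) in a naive receiver.
            raise CdpParseError(f"TLV length {tlv_len} smaller than header at offset {offset}")
        if tlv_len > remaining:
            # The TLV claims more bytes than the packet carries: the classic
            # setup for an over-read or an over-long copy into a fixed buffer.
            raise CdpParseError(f"TLV length {tlv_len} exceeds remaining {remaining} bytes")
        value_len = tlv_len - TLV_HEADER_LEN
        if value_len > MAX_TLV_VALUE:
            raise CdpParseError(f"TLV value of {value_len} bytes exceeds policy cap")
        value = payload[offset + TLV_HEADER_LEN:offset + tlv_len]
        tlvs.append(Tlv(tlv_type, value))
        offset += tlv_len
    return version, ttl, tlvs


def is_well_formed(payload: bytes) -> bool:
    """Convenience predicate for filtering captured CDP payloads."""
    try:
        parse_cdp(payload)
        return True
    except CdpParseError:
        return False


# --- constructed sample payloads (not captured from any real device) ---------
def build_tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


def build_cdp(version: int, ttl: int, tlv_bytes: list[bytes]) -> bytes:
    # Checksum field left as zero; this example does not verify it.
    return struct.pack("!BBH", version, ttl, 0) + b"".join(tlv_bytes)


GOOD_FRAME = build_cdp(2, 180, [
    build_tlv(0x0001, b"phone-lab-01"),
    build_tlv(0x0003, b"Port 1"),
    build_tlv(0x0006, b"example-platform"),
])
# Declares a 1024-byte Platform TLV but only 8 bytes follow the header.
OVERSIZED_FRAME = build_cdp(2, 180, [build_tlv(0x0001, b"phone-lab-01")]) \
    + struct.pack("!HH", 0x0006, 0x0400) + b"x" * 8
# A TLV whose length (2) is smaller than its own 4-byte header.
UNDERSIZED_FRAME = build_cdp(2, 180, [struct.pack("!HH", 0x0001, 2)])

if __name__ == "__main__":
    for label, frame in [("good", GOOD_FRAME), ("oversized", OVERSIZED_FRAME),
                         ("undersized", UNDERSIZED_FRAME)]:
        try:
            version, ttl, tlvs = parse_cdp(frame)
            print(f"{label}: CDPv{version} ttl={ttl} " +
                  ", ".join(f"{t.name}={t.value!r}" for t in tlvs))
        except CdpParseError as exc:
            print(f"{label}: rejected ({exc})")
```

Run against a packet capture, `is_well_formed` gives a cheap way to flag CDP frames that no conforming neighbour would emit, which is a reasonable thing to watch for on the voice VLAN while the firewall-isolation or disable-CDP workarounds are being planned.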
Rackspace confirms security incident
On December 6, cloud computing service provider Rackspace confirmed that a “cyber incident” on December 2 was indeed a ransomware attack. The incident continues to affect thousands of users of the Hosted Exchange service provided by Rackspace. Only active email services are affected; archived emails were not involved in the incident.
Rackspace has been posting regular status updates on their incident tracking page. Their website advised that, as of December 9, only two-thirds of customers on the Hosted Exchange environment had been restored to email. Every customer who has reported service problems has been offered support to transition to Microsoft 365.
Rackspace has provided no information on the specifics of the attack, advising only that they “remain focused on understanding the root cause of the incident, and implementing additional security measures to defend against future cyber threats. We will continue to share additional updates on these measures as appropriate.”
Rackspace has not yet determined whether customer data was exfiltrated in the attack, but is warning users to remain vigilant and monitor their credit reports and bank account statements for suspicious activity. The company has also warned customers to be on the alert for attempted phishing attacks: “If you do receive a message from an individual you do not recognize, do not reply. Please log in to your control panel and create a ticket, including details about the message you received.”
In a broader news release, Rackspace warned investors of the business impacts of the incident. In addition to boosting support staffing levels, Rackspace noted that the business interruption may cause a loss of revenue in their Hosted Exchange business and may trigger “incremental costs associated with its response to the incident”.
A class action suit has already been launched against Rackspace citing “negligence and related violations arising out of the email hosting provider’s recent high-profile data breach.” The suit was filed on December 5 in Texas Western District Court by the Armstrong Firm and Cole & Van Note. Rackspace is based in San Antonio, Texas.
“Despite hundreds of data breaches every year in this country, I am receiving reports of vulnerabilities in Rackspace’s hosting environment that go back over a year. That, and a seeming lack of backup protocols is why a lawsuit like this is critical,” according to Scott Cole, CEO/Founding Attorney of Cole & Van Note.
Rackspace shares dropped over 34% from $4.85 on December 2 (the day the incident was first reported) to a closing low of $3.20 by December 8. All figures are USD.
Amnesty International Canada discloses cyber attack
In a statement released December 5, Amnesty International Canada announced that it had detected an intrusion by a threat actor on October 5.
According to the statement, “To date, the investigation has uncovered no evidence that any donor or membership data was exfiltrated. Appropriate law enforcement authorities as well as staff, donors, and other stakeholders have been notified of the breach. Amnesty International Canada will continue to work with security experts to mitigate against potential future risks.”
In an interview with IT World Canada, Amnesty International Canada’s secretary general Ketty Nivyabandi said the two-month investigation into the incident has led to the conclusion that China-based threat actors had actually breached the network as early as July 2021, some 17 months before detection, with the attackers likely conducting covert surveillance of the network before being discovered in October. Nivyabandi said that the initial point of entry exploited by the intruders has not been determined.
According to a CBC report, China’s embassy in Ottawa issued an unsigned statement on December 9 denying involvement in the incident, and accused Amnesty Canada of “spreading lies and rumours about China” and misleading the public.
“As a staunch defender of cybersecurity, we firmly oppose and combat attacks of any kind. China will never encourage, support, or connive in such cyber attacks,” according to the embassy.