December 2023
Welcome to the sixth edition of Dellfer Insights, a series curated by our VP of Channels, Shawn Lorenz. The series highlights notable industry news, key takeaways, and why it matters to combating the next cyberattack. This month, we loop back to previous coverage of CISA’s argument for using memory-safe languages; we look at the impact of the SEC ruling against SolarWinds and what the future holds. Lastly, we review the recent attacks on Okta, Cisco, VMware, NXP, Fortinet, and Citrix. Enough? Let’s get to it.
💡 Dellfer Insight #1:
The results are in. Embedded engineers take a stand – With over 70% of vulnerabilities stemming from memory safety issues, developers must prioritize writing memory-safe code in C/C++, not other languages. This newsletter will explore why this remains a top concern and address the ongoing debate about alternative languages like Rust.
As highlighted in a previous Dellfer Insight post, the Cybersecurity and Infrastructure Security Agency (CISA) advocated for considering alternative languages, predominantly Rust, to mitigate the 70% of vulnerabilities that tech giants like Microsoft and Google report as stemming from memory-safety issues.
This week, an embedded developer group on Reddit weighed in on a career-oriented question: “Is it still valid to learn C++?” The group’s response was swift and pointed:
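To make the “70% memory-safety” figure concrete, here is an added illustration of the bug class in embedded C. It is a constructed example, not code from this newsletter, from Dellfer, or from any of the vendors discussed: a small binary message carries a device name as `[len][len bytes]`, and the firmware copies that name into a fixed-size stack buffer. The packet layout, the `NAME_CAP` size and the function names are assumptions for illustration. The first parser trusts the length byte from the wire; the second validates it against both the destination buffer and the bytes actually received before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message format: first byte is the name length, followed by
 * that many name bytes. NAME_CAP is the on-stack destination buffer size.
 * Both are assumptions made for this example. */
#define NAME_CAP 16

/* Unsafe version: trusts the length byte from the wire. A packet whose
 * first byte is >= NAME_CAP makes memcpy (and the NUL write) run past
 * 'name', the out-of-bounds write that most memory-safety CVEs reduce to. */
int parse_name_unsafe(const uint8_t *pkt, size_t pkt_len, char name[NAME_CAP])
{
    if (pkt_len < 1)
        return -1;
    size_t len = pkt[0];
    memcpy(name, pkt + 1, len);   /* no check against NAME_CAP or pkt_len */
    name[len] = '\0';             /* out of bounds as well when len >= NAME_CAP */
    return (int)len;
}

/* Hardened version: every length derived from untrusted input is checked
 * against the destination capacity and against the bytes actually received
 * before anything is copied. Returns the name length or a negative code. */
int parse_name_safe(const uint8_t *pkt, size_t pkt_len, char *name, size_t name_cap)
{
    if (pkt == NULL || name == NULL || name_cap == 0 || pkt_len < 1)
        return -1;                /* malformed call or empty packet */
    size_t len = pkt[0];
    if (len >= name_cap)
        return -2;                /* would overflow destination (room for NUL needed) */
    if (len > pkt_len - 1)
        return -3;                /* packet does not carry that many bytes (over-read) */
    memcpy(name, pkt + 1, len);
    name[len] = '\0';
    return (int)len;
}

/* Drive the hardened parser over constructed packets and report its status. */
int check_well_formed(void)
{
    char n[NAME_CAP];
    const uint8_t p[] = { 5, 'h', 'e', 'l', 'l', 'o' };           /* constructed */
    return parse_name_safe(p, sizeof p, n, sizeof n);
}

int check_oversized_length(void)
{
    char n[NAME_CAP];
    const uint8_t p[] = { 200, 'x', 'y', 'z' };                    /* constructed, hostile */
    return parse_name_safe(p, sizeof p, n, sizeof n);
}

int check_truncated_packet(void)
{
    char n[NAME_CAP];
    const uint8_t p[] = { 10, 'a', 'b', 'c' };                     /* constructed, truncated */
    return parse_name_safe(p, sizeof p, n, sizeof n);
}

int main(void)
{
    printf("well-formed packet   -> %d\n", check_well_formed());      /* 5  */
    printf("oversized length     -> %d\n", check_oversized_length()); /* -2 */
    printf("truncated packet     -> %d\n", check_truncated_packet()); /* -3 */
    /* parse_name_unsafe() is deliberately never fed the hostile packet here:
     * it would write past the stack buffer, which is exactly what the
     * hardened version refuses to do. */
    return 0;
}
```

The point for the curriculum debate is that nothing in the hardened version is language-specific: the two missing checks are development practice, and a reviewer, a static analyzer or an instrumented test build can each catch their absence in C just as a borrow checker would in Rust.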
- “Rust fan here. I love Rust, but there’s a zero chance that Rust will make C++ (or C) obsolete in the foreseeable future.”
- “If you’re into embedded. If you need a system-level language, C++ and his older brother C are still THE languages to learn.”
- “End of C++ is like nuclear fusion, always a few years away.”
- “It’ll be 30 years before Rust might be more mainstream. Even then, C++ will probably be more common than it is now with future higher performance processors, and C will no doubt still be chugging along and embedded king.”
- “I haven’t seen Rust in an embedded code-base so far. I even floated the idea for a greenfield project at work, but there was immense resistance. It’s especially uphill if your software has to integrate into someone else’s system where they dictate libs and resource budgets (like flash). Also, Carbon and Jai aren’t even worth considering at the moment.”
- “Not any time soon. This isn’t web development; we don’t change languages/frameworks/patterns every other week here.”
Key Takeaway:
CISA’s position on memory-safe language training was shaped by its audience: CISA Director Jen Easterly argued for better CS curricula before Carnegie Mellon CS undergraduates and professors. “How can we tackle this challenge?” Ms. Easterly asks. “What if we start a formal program – with material funding, incentives for professors, goals, an executive sponsor, and metrics – to migrate course materials to use memory-safe languages?” This emphasis on languages, rather than on development practices, is not finding traction in the embedded developer community.
Why It Matters:
Dellfer’s ZeroDayGuard is integrated into C/C++ source code, making C/C++ source code memory safe. Dellfer is the best development tool for embedded systems if you want to clean your existing code and implement safer development and deployment practices for the future. Let me repeat that. Dellfer’s ZeroDayGuard integrates into your C/C++ source code, making your C/C++ source code memory safe and correcting the years of ignoring security for embedded applications.
💡 Dellfer Insight #2:
SolarWinds is being sued by the Securities and Exchange Commission (SEC). Is this the beginning of the end or the end of the beginning?
What happened? On October 30, the SEC filed a first-of-its-kind lawsuit against SolarWinds and its CISO. The SEC alleged that SolarWinds failed to have adequate internal controls and made misleading statements in its public filings, in violation of the 1933 and 1934 securities laws. SolarWinds says the SEC ‘lacks competence’ to regulate cybersecurity and will defend itself in court.
A little history: As reported in a 2021 New York Times opinion article, SolarWinds’ approach to cybersecurity was inadequate, leading to major data breaches. The company’s use of cost-effective overseas software engineers, lax password management, and failure to heed security warnings allowed Russian and Chinese hackers to infiltrate its systems and access sensitive data. Misaligned corporate incentives to underinvest in cybersecurity and transfer the risk to customers who ‘won’t notice unless they have been attacked’ call for government intervention. Companies need to pay the true costs of their insecurities through a combination of laws, regulations, and legal liability.
Key Takeaway:
Timing. Tired of boilerplate disclosures and gamesmanship from public companies more concerned with protecting their reputations than their shareholders and customers, the SEC says it’s time to get tough. On December 15th, 2023, the new SEC regulations go into effect, calling for disclosure of material cybersecurity vulnerabilities, including security processes, within four days of discovery.
Playing catch-up. The bad guys are far ahead of their victims. MeridianLink, a fin-serv solution provider for banks, was recently reported to the SEC by the ALPHV/BlackCat ransomware operation for not responding to the gang’s ransom demands quickly enough. Seriously. They are better at this than you are.
All of these reporting and transparency outcomes are reactionary, not proactive. Dellfer’s ZeroDayGuard removes all known exploits before you ship. Real-time monitoring catches all unknown exploits after you ship. No vulnerability, of any level, rises to being “material” for Dellferized code, because we not only capture the attack, we shut it down. Schedule a discussion with Dellfer today.
💡 Dellfer Insight #3:
In the “late is sometimes the same as never” department, we do a quick round-robin of recent attacks on our favorite networking vendors.
The last several months have been very busy if you are a hacker, and even more hectic if you are a cybersecurity professional playing the role of the good guy.
- Citrix – Citrix Bleed exploitation. Besides applying the necessary security updates, administrators are also advised to wipe all previous user sessions and terminate all active ones. Mandiant warned that compromised NetScaler sessions persist after patching, enabling attackers to move laterally across the network or compromise other accounts, depending on the compromised accounts’ permissions.
- Okta – Underreported number of customers attacked. Okta said last month that unknown threat actors had accessed support files for roughly 134 customers, or less than 1% of its customer base. They have revised that number up to 100%. At least four customers were known to be affected at the time, and it was later revealed that two of these included MGM Resorts and Caesars Entertainment, which together were forced to pay in excess of $115 million to clean up the mess.
- VMware – VIBs hacked. State actors used malicious vSphere Installation Bundles (VIBs) to deliver malware through a backdoor using hardcoded port numbers on VMware ESXi servers. VIBs are the mechanism VMware uses to perform secure updates for the 39,016 companies that use VMware ESX.
- Fortinet – Remote FortiSIEM Report Server. CVE-2023-36553 allows remote, unauthenticated attackers to execute unauthorized commands by sending specially crafted API requests to the FortiSIEM report server.
- Cisco – The company said it had observed an attacker using an IOS XE zero-day to gain administrator-level privileges on IOS XE devices and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems. https://www.networkcomputing.com/network-security/zero-day-alert-thousands-cisco-ios-xe-systems-now-compromised
- NXP – 2+ years looting secrets. For more than two years, a highly active hacking group associated with China targeted the corporate network of NXP, a chip manufacturer based in the Netherlands. NXP’s chips are crucial for securing smartphones, smartcards, and electric vehicles.
Key Takeaway:
Patch faster, fix faster is dead. “To say that our cybersecurity solution is, at least in part, patch faster, fix faster – that is a failed model,” Goldstein, the executive assistant director for cybersecurity at CISA, said at an event held by the nonprofit International Information System Security Certification Consortium. “It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against.”
Why It Matters:
As widely promoted, Dellfer’s ZeroDayGuard is essential for infrastructure technology companies in defeating all known and unknown attacks. The intangible benefit of having no false positives gives our users a confidence that first-generation scanning tools are missing. However, a missing piece of the discussion is the importance of beating hackers’ persistence beyond patches: as the Citrix and Cisco cases above show, a patch alone does not evict an attacker who already holds a session or an implant. If this is a topic you would like to discuss further – reach out to us.