Blog

  • Apache Tomcat: Stealthy Risk Vector

    Apache Tomcat: Stealthy Risk Vector

A recently disclosed security flaw impacting Apache Tomcat is being actively exploited in the wild, following the release of a public proof-of-concept just thirty hours after public disclosure. CVE-2025-24813 is (for a short while) the attacker's new best friend, since authentication is not required to pull off an attack.

Tomcat is an infrastructure component: it's embedded in something else you own and run. As such, it might not be on your radar. After all, you bought and paid for Biggus Software Inc's software, not open-source patchy tomcats. But, nonetheless, it is there inside, with no SBOM in sight. And you usually have no means of upgrading that middleware, so you are beholden to the top-level bundler.

    Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It’s designed to execute Java servlets, JavaServer Pages (JSPs), and other Java web technologies: a cornerstone for deploying Java-based web applications. Tomcat is embedded in various environments, including:  

    • Web applications: It serves as the underlying server for numerous web applications, from simple websites to complex enterprise systems.
    • Integrated development environments: Developers often use embedded Tomcat instances within IDEs like Eclipse or IntelliJ IDEA for testing and debugging web applications during development.
    • Standalone servers: Tomcat can function as a standalone web server, handling HTTP requests and serving web content.
    • Within larger Java EE applications: While Tomcat itself is a servlet container, it is also used as a component within larger Java Enterprise Edition (Java EE) application servers, or Jakarta EE application servers.  
• Various software products: many software products that require the ability to host web-based interfaces will embed Tomcat. This can include embedded products (e.g. cameras, video recorders, etc.).
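Because the embedded copy rarely appears in any SBOM, the first defensive step is simply finding it. The script below is an added example (not Agilicus code, not part of the original post) that walks a product's install tree, opens every jar/war, and reads the version Tomcat records in its own `org/apache/catalina/util/ServerInfo.properties` resource (shipped in `catalina.jar` or `tomcat-embed-core-*.jar`). The sample product tree it builds is constructed for the demo, and the minimum version it compares against is a placeholder to be replaced with the fixed version from the vendor advisory.

```python
"""Inventory embedded Apache Tomcat copies inside a product tree.

Added example, not Agilicus code.  Tomcat records its own version in
org/apache/catalina/util/ServerInfo.properties inside catalina.jar
(standalone) or tomcat-embed-core-*.jar (embedded in a product).
"""
import os
import re
import tempfile
import zipfile

SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"

# PLACEHOLDER: replace with the fixed version named in the Tomcat advisory
# for your branch; the value here is only so the comparison has something to run against.
MINIMUM_PATCHED = "9.0.99"


def tomcat_version_from_jar(path):
    """Return the Tomcat version string carried by a jar/war, or None."""
    try:
        with zipfile.ZipFile(path) as zf:
            if SERVER_INFO not in zf.namelist():
                return None
            text = zf.read(SERVER_INFO).decode("utf-8", errors="replace")
    except zipfile.BadZipFile:
        return None
    # The properties file carries a line such as: server.number=9.0.98.0
    m = re.search(r"^server\.number=([\d.]+)", text, re.MULTILINE)
    return m.group(1) if m else None


def find_embedded_tomcat(root):
    """Walk `root` and return {path: version} for every archive carrying Tomcat."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war")):
                path = os.path.join(dirpath, name)
                version = tomcat_version_from_jar(path)
                if version:
                    found[path] = version
    return found


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def below_minimum(version, minimum):
    """True when `version` sorts before `minimum` (shorter tuples are zero-padded)."""
    a, b = version_tuple(version), version_tuple(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def build_sample_tree():
    """Constructed sample: a fake product with one embedded Tomcat jar and one unrelated jar."""
    root = tempfile.mkdtemp(prefix="product-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "tomcat-embed-core-9.0.0.jar"), "w") as zf:
        zf.writestr(SERVER_INFO, "server.info=Apache Tomcat/9.0.0\nserver.number=9.0.0.0\n")
    with zipfile.ZipFile(os.path.join(lib, "commons-lang3.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    for jar, ver in find_embedded_tomcat(build_sample_tree()).items():
        status = "OLDER than minimum" if below_minimum(ver, MINIMUM_PATCHED) else "ok"
        print(f"{jar}: Tomcat {ver} ({status})")
```

Point it at the install directory of each vendor product you run (`find_embedded_tomcat("/opt/vendor")`); anything it reports is a Tomcat instance you own the risk for, whether or not the vendor ever mentioned it.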

How would an attacker exploit this risk? Would it be the primary way in the door? It could be; there is certainly no shortage of Tomcat servers hanging out on the public Internet, embedded ones, IT ones, etc. Everyone's favourite search engine, shodan.io, makes finding a few non-stealthy ones one click away.

    Would it be the lateral traversal? E.g. I trick you into doing something, and then go onwards through your Tomcat to bigger better badness?

    Would it be some sort of living off the land, the attacker hangs out in the Tomcat server for some time and then resurfaces?

    Would it be an attack on the data the Tomcat server mediates? It might have access to your corporate data lake, your payroll system, your quote-to-order, your CRM. Maybe industrial espionage is on the table?

    Would it be going after your developers and thus your spot in the supply chain to your customers?

One thing is for sure: since it's a deeply embedded component, this specific vulnerability will be with us for years, much like log4j still ricochets around. The “Industrial Supply Chain Matryoshka Risk“.

    As always, I recommend “Three Strategies To Help“, based on a solid foundation of Defence in Depth, powered by the best implementation of Zero Trust, Agilicus AnyX. This one is a marathon, not a sprint.

  • Many Headed Hydra Medusa Meets Critical Infrastructure

    Many Headed Hydra Medusa Meets Critical Infrastructure

    “Medusa ransomware gang has infected more than 300 organizations in critical infrastructure sectors such as the medical, manufacturing and technology industries” is not the sort of news you want to hear. Nonetheless, facts are facts. And the facts are not that great for team blue.

    Medusa gets in via some unpatched CVE, often your firewall or VPN, or sometimes your monitoring tools (e.g. SolarWinds).

Medusa uses “Living off the Land” techniques, meaning it uses the same tools you do. The biggest ones are Windows-oriented (PowerShell, CMD, WMI).

    It uses lateral traversal, walking sideways through the network via open ports with vulnerable services, such as:

    • 21 (FTP)
    • 22 (SSH)
    • 23 (Telnet)
    • 80 (HTTP)
    • 115 (SFTP)
    • 443 (HTTPS)
    • 1433 (SQL database)
    • 3050 (Firebird database)
    • 3128 (HTTP web proxy)
    • 3306 (MySQL database)
    • 3389 (RDP)
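The port list above is useful as a detection input, not just a hardening checklist: a single internal host opening connections to many other internal hosts on those ports within a few minutes is the fan-out signature of lateral traversal. The following is an added example (not Agilicus or CISA code) that runs that check over constructed firewall/flow log lines; the `key=value` line layout and the private-address definition of "internal" are assumptions of the example, to be adapted to your own log format.

```python
"""Flag lateral-movement fan-out on the service ports listed above.

Added example, not Agilicus or CISA code.  Log lines are constructed for
the demo in an assumed "ts src= dst= dport=" layout.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The ports from the advisory list above.
LATERAL_PORTS = {21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389}

# Assumption: RFC 1918 space is "internal"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: 10.0.1.50 sweeps seven hosts in 20 seconds (one on a port we
# do not watch), 10.0.1.20 behaves normally, and one flow goes to the Internet.
SAMPLE_LOG = """\
2025-03-10T14:00:01Z src=10.0.1.50 dst=10.0.2.11 dport=3389 proto=tcp
2025-03-10T14:00:03Z src=10.0.1.50 dst=10.0.2.12 dport=3389 proto=tcp
2025-03-10T14:00:04Z src=10.0.1.50 dst=10.0.2.13 dport=22 proto=tcp
2025-03-10T14:00:09Z src=10.0.1.50 dst=10.0.2.14 dport=1433 proto=tcp
2025-03-10T14:00:15Z src=10.0.1.50 dst=10.0.2.15 dport=3389 proto=tcp
2025-03-10T14:00:20Z src=10.0.1.50 dst=10.0.2.16 dport=445 proto=tcp
2025-03-10T14:00:21Z src=10.0.1.50 dst=10.0.2.17 dport=3306 proto=tcp
2025-03-10T14:01:00Z src=10.0.1.20 dst=10.0.5.10 dport=443 proto=tcp
2025-03-10T14:02:00Z src=10.0.1.20 dst=10.0.5.10 dport=443 proto=tcp
2025-03-10T14:03:00Z src=10.0.1.20 dst=203.0.113.5 dport=443 proto=tcp
2025-03-10T15:30:00Z src=10.0.1.50 dst=10.0.2.99 dport=3389 proto=tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_fanout(lines, window=timedelta(minutes=10), threshold=5):
    """Return {src: set_of_dsts} for internal sources that reached at least
    `threshold` distinct internal hosts on LATERAL_PORTS inside one `window`."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, src, dst, dport = parsed
        if dport in LATERAL_PORTS and is_internal(src) and is_internal(dst):
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            dsts = {d for _, d in evs[start:end + 1]}
            if len(dsts) >= threshold and len(dsts) > len(alerts.get(src, ())):
                alerts[src] = dsts
    return alerts


if __name__ == "__main__":
    for src, dsts in detect_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"fan-out from {src}: {len(dsts)} internal hosts -> {sorted(dsts)}")
```

Tune `threshold` and `window` against a week of your own east-west traffic first; jump hosts and vulnerability scanners will legitimately trip this and belong on an allow-list rather than in the alert stream.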

    Since it is minimising the executable space, it is not caught by anti-virus or endpoint detection type tools. It also has counter-measures, e.g. installing a signed, vulnerable driver that can then disable the endpoint protection tool.

    To add insult to injury, it uses security tools like Cloudflared to obtain a secure command and control channel.

    CISA had this to say on immediate actions to take.

    For more information on how to detect if you have an issue, or protect from the issue of Medusa, read the advisory.

    The best enduring protection against threats like Medusa is Defence In Depth. And a Zero Trust product like Agilicus AnyX is the best means of reducing the lateral traversal risk, and, of protecting the inbound infection risk. Ask us how.

  • It’s Been 0-Days Since The Last Municipal Cyber Security Attack

    It’s Been 0-Days Since The Last Municipal Cyber Security Attack

    On February 28th the Texas border city of Mission detected bad people doing bad things in their City computer network, announcing it on their Facebook and Instagram, subsequently requesting a state of emergency from the governor. This state of emergency allows them to suspend freedom-of-information requests, perhaps allowing them to negotiate with an attacker without it being reported.

    Mission isn’t the first city to be targeted by cyber criminals, and sadly it won’t be the last.

    In June 2019, the city of Edcouch reported that its systems were being held hostage by a ransomware attack in which the cyber criminals were demanding a $40,000 bitcoin payoff.

    A separate, larger, incident struck Texas just a few months later: in August 2019, nearly two dozen Texas cities were the victims of a coordinated ransomware attack with a malware variant known as Sodinokibi/REvil, according to the Texas Department Information Resources.

    In 2021, the U.S. Justice Department indicted a Russian national named Yevgeniy Polyanin for carrying out that attack — which at the time prompted the Governor to issue Texas’ first-ever disaster declaration due to a cybersecurity threat. Polyanin remains at large.

    Texas has announced a new effort in the fight against cybersecurity threats by creating a “Texas Cyber Command center”.

    https://www.govtech.com/security/mission-texas-asks-state-for-help-following-cyber-breach

  • CN APT Use VPN CVE for ICS in OT: Acronym Much?

    CN APT Use VPN CVE for ICS in OT: Acronym Much?

A Chinese Advanced Persistent Threat actor used CVE-2024-24919 (a vulnerability in Check Point VPN) to gain ongoing access into operational technology networks. This group earlier used the exploit to compromise an ‘unnamed national grid’ for 6 months.

    According to Dark Reading,

    Though they didn’t limit themselves to one part of the world, the attackers were largely focused on specific, highly valuable OT industries. For example, a number of targets were significant supply chain manufacturers to aviation and aerospace companies. Around half of all victims tracked were manufacturers of one kind or another.

This is a topic I have covered many times: the security appliances themselves become the bad-actor-superhighway-conduit. It's a combination of ‘The Matryoshka Risk‘ (supply chain compromise) and the ‘Quis custodiet ipsos custodes: When Good Firewalls Go Bad‘ problem. Security devices are complex, making it more likely they contain flaws, and they are often used as all-or-nothing bastions. VPNs and inspecting firewalls provide all-in-one spots from which to take over the world, and often break your own encryption in the process.

    A particular challenge is the asymmetric nature of the problem: the attacker is better funded, with better training, better tools, and, no downside. The defenders are many, small, and fragmented.

    The solution is not the one taken by the ostrich. Instead, a few simple tactics:

    Multi-factor authentication


First, multi-factor authentication. The nature of this attack is secret extraction: IPSEC certificates, passwords, SSL trust chains. If we used multi-factor on all the places these secrets might be shared (the ASA, other Cisco routers, etc.), that would make it much harder for the attacker to traverse. If all the devices had multi-factor, and the attacker extracted the shared password from the Cisco ASA, they would be left holding only a single factor. Couple that with some logging and alerting, and we'd have a shot at stopping the attacker in their tracks. Couple that with some segmentation, and the attacker would be materially slowed, giving us time to react.

    You may feel there are barriers to implementing multi-factor authentication on some of those “legacy” devices. Maybe you need to access them with local accounts not part of your Domain Identity Provider? Maybe you need to have a contractor or network managed service provider use them? Agilicus has you covered, see the case study at the right, implementing multi-factor authentication as an identity-aware proxy without any changes.

    Logging

Second, logging. Devices and software generate logs. These are not just for install-time debugging and diagnostics. Make sure the logs are shipped to a central, tamper-resistant location. Make sure all the devices have their clocks synced properly via NTP. Use UTC, so that embedded device databases never have to understand Daylight Saving Time changes. This is non-negotiable: if it's not UTC, the odds of some random Y2K-style bug showing up are high.

    Logs can be stored in a fancy SIEM. Logs can also be stored in flat files in a syslog collector. Start collecting, get the timestamps, and, then, on the first incident, you will at least have some information to work through. And, after that incident, you’ll have a better understanding of what you want to budget here.

    Segmentation


Third, segmentation. Think of your medieval castle here: it's got a moat, it's got a drawbridge, it's got a wall, it's got a keep. Every time some Monty Python-esque attacker got through the first line, you fell back.

Now think of the famed Maginot Line, a long, thin, ‘infinitely strong’ line of defence built by France in the 1930s to deter Nazi Germany. It worked great; the Germans went around through the Benelux and… boom, the wall was not so great from the inside.

Network segmentation is a core principle of Zero Trust. In fact, Zero Trust is the limit: one user, one resource, rather than the VPN model of one user, all resources.

Implementing network segmentation can seem daunting. Look up private VLANs in your switches. Look up ACLs. Group devices by either type or purpose. Every bit helps. Make sure there are logs generated (see above) for things traversing, or being blocked from traversing, the segments.

    Once you have those 3 simple tactical things underway, every day you get stronger, and, you start to be able to focus on longer term evergreen tactics, giving simple, effective security. Let’s focus on practical, cost-effective measures, regardless of the specific attack vector:

    • Stronger Identities, Not Shared Passwords: The number one problem? Default passwords and shared accounts. A recent CISA report revealed that 94.4% of US Coast Guard entities had at least one default password. This is a disaster waiting to happen. The solution? Move to single sign-on (SSO) and multi-factor authentication (MFA) across all your systems. We recommend focusing on the HMI first, as it’s the most human-facing element. An identity-aware proxy can make even legacy systems secure by handling authentication separately. This eliminates guessable passwords, accounts that never change, and simplifies access for employees and third parties.
    • Defence in Depth – Beyond the Air Gap: The “air gap” is porous. USB drives, cellular modems, and remote support tools all represent potential entry points. Defence in depth requires multiple layers of security. Network segmentation, robust backups (offsite and protected from flooding!), and well-defined incident response plans are crucial. Understand what you have through thorough inventory and regular security assessments.
    • Zero Trust is a Principle, Not a Product: Zero trust isn’t a magic bullet; it’s a philosophy centered around three things: Who (identity – strong authentication of individual users), What (authorisation – defining what each user can access), and How (secure access methods). If you have those three components, you’re well on your way to a zero-trust architecture.
    • Addressing the Moral Hazard: Your vendors and partners may prioritise simplicity over security, pushing for shared credentials. This creates a moral hazard; you bear the risk, they enjoy the ease of access. SSO and MFA align these interests; it’s simpler for your partners and significantly more secure for your plant.

    Moving Beyond the “Avalanche” – Practical Steps

    In “CISA: 8 Top Cyber Actions for Securing Water Systems” we covered the government’s eight key recommendations for securing water systems. They apply to other industries equally, and boil down to:

    1. Reduce Exposure to the Public-Facing Internet
    2. Conduct Regular Cybersecurity Assessments
    3. Change Default Passwords Immediately
    4. Conduct an Inventory of Operational Technology/Information Technology Assets
    5. Develop and Exercise Cybersecurity Incident Response and Recovery Plans
    6. Backup Operational Technology AND Information Technology Systems
    7. Reduce Exposure to Vulnerabilities
    8. Conduct Cyber security Awareness Training

    Remember, you don’t have to be better than a nation-state actor; you just need to be better than your neighbours.

    And the first step, call Agilicus.

  • CityWorks CVE Breaches IIS

    CityWorks CVE Breaches IIS

    CityWorks by Trimble is a commonly used GIS system. And, it is commonly either self-hosted, or, hosted by a set of individual partners, running as a virtual host within Microsoft IIS. A newly issued alert from CISA, and a note from Trimble, indicate that CVE-2025-0994 is being actively exploited (a Known Exploited Vulnerability) as an 8.6. How do you read an 8.6? Well, roughly the same way you would read an earthquake. Versions prior to January 29th, 2025 are vulnerable.

    Trimble has released some preliminary “how can I tell if I’ve been breached”, notable in here is the Rust loader.

    The vulnerability is up-levelled if you either a) run CityWorks or IIS with elevated privileges, or b) run other web applications on the same host (in other vhosts), or c) run other applications on the same host, or d), the web host is on the same network as other servers.

    How can you protect? The simplest is to put an identity-aware-proxy in front like Agilicus AnyX. This maintains a seamless experience to the end-user, but prevents any connectivity except for users with valid accounts via single-sign-on and multi-factor authentication.

    A quick search with everyone’s favourite search engine, shodan.io, shows no shortage of CityWorks sites without protection.

    The good news? If you are not yet exploited, Agilicus can help while you work on the upgrade, with a simple deployment in minutes without disrupting anything. Contact us and learn how Agilicus AnyX can provide a Zero-Trust Identity-Aware Proxy for CityWorks and other web applications today.

  • Come see us at the 2025 Texas Water Conference in the Innovation Lounge

    Come see us at the 2025 Texas Water Conference in the Innovation Lounge

    Agilicus will once again be exhibiting at Texas Water 2025, taking place March 18-21 in Houston, Texas at the George R. Brown Convention Center.

    Texas Water is the joint annual conference of the Texas Section – American Water Works Association and the Water Environment Association of Texas. The conference is celebrating its 30th year as the largest regional water conference in the U.S. and caters to professionals in the wastewater and water industry.

    In previous years, John Chiappetta, Director of Sales, represented Agilicus at the conference in the Innovation Lounge – a focused area within the exhibit hall dedicated to featuring companies offering leading edge technologies in the water and wastewater industry. The dedicated space allows John to sit down with decision makers in the water industry for a casual discussion to showcase Agilicus AnyX.

    Water and Wastewater plants are increasingly becoming remotely operated, introducing security risks into the critical infrastructure network. Agilicus AnyX introduces a Zero Trust framework tailor-made for industrial control systems in public water utilities. Zero Trust is the best current practice for cybersecurity in industrial control systems for Public Water Infrastructure. It integrates effortlessly with existing networks and offers a cost-effective method to enhance both efficiency and security.

    By implementing Agilicus, water facilities can effectively reduce risk, streamline management, and lower operational costs while maintaining the highest level of security.

  • FTC To GoDaddy: Heal Thyself

    FTC To GoDaddy: Heal Thyself

    The US Federal Trade Commission issued an order to GoDaddy to implement robust information security practices, extending the techniques the government is using to improve cyber security in a broad-based fashion.

GoDaddy is not (yet) in a regulated industry, supplying DNS, web hosting and related services. In the complaint, the FTC indicates that: “GoDaddy’s data security program was unreasonable for a company of its size and complexity. Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats. As a result of GoDaddy’s data security failures, it experienced several major compromises of its hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to its customers’ websites and data“.

    This is a relatively new tactic being employed to increase the base level of security in otherwise unrelated areas. We have seen actions, threats, fines, against equipment manufacturers (e.g. D-Link, TP-Link), but this marks an expansion in the supply chain regarding securing small business.

    Proposed order will prohibit GoDaddy from misleading customers about its security protections and require it to establish a robust information security program

    A parallel government agency, the SEC, introduced new rules for disclosure and management of cyber security, introducing another push in the supply chain improvement of cyber security practices. This implies that there is a ‘full court press’ underway to improve cyber security at all levels, equipment, supplier, practices, large, small, etc.

In the case of GoDaddy, they have a very large market position, and are directly or indirectly responsible for a large amount of risk across 62 million domains and 21 million customers. Consider the humble DNS. If I can alter or add records to your DNS, I can (this is not a comprehensive list!):

• Take over your Microsoft Azure or Google Workspace setup
• Enable email sending as you via SPF and DKIM (and thus, e.g., Business Email Compromise against your suppliers or customers)
• Remove your visibility into spoofing of your email via DMARC
• Issue SSL certificates in your name via CAA and the HTTP-01 or DNS-01 challenge
    • Read your email via changing your MX record, and thus take over most of your online accounts via a ‘password reset -> email flow’
    • Inject malware into your e-commerce website to steal credit card info (via an AiTM proxy and the above SSL)
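Every item in that list shows up as a change to a handful of record types (MX, TXT for SPF/DMARC/ownership verification, CAA, NS), so the cheapest defence is to keep a signed-off baseline of those records and diff the live zone against it on a schedule. The following is an added example (not Agilicus code and not any registrar's API): the baseline and "observed" record sets are constructed for the demo, and the comparison logic is this example's own design.

```python
"""Diff a zone's observed DNS records against a signed-off baseline and
flag the changes that turn into the takeovers listed above.

Added example, not Agilicus code.  Record sets are constructed; in
production, fill `observed` from your resolver or registrar export.
"""
import re

SPF_RE = re.compile(r"^v=spf1\b")
# TXT records used to prove domain ownership to SaaS tenants (Workspace, Microsoft 365).
OWNERSHIP_RE = re.compile(r"^(google-site-verification=|MS=ms)", re.IGNORECASE)
DMARC_RANK = {"reject": 2, "quarantine": 1, "none": 0}

# Constructed baseline for a fictional example.com zone.
BASELINE = {
    "NS": {"ns1.example.com.", "ns2.example.com."},
    "MX": {"10 mail.example.com."},
    "TXT": {"v=spf1 include:_spf.example.com -all", "MS=ms12345678"},
    "_dmarc.TXT": {"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"},
    "CAA": {'0 issue "letsencrypt.org"'},
}

# Constructed "observed" zone after an unauthorised edit: extra MX, widened SPF,
# DMARC weakened, CAA removed, new ownership-verification TXT.
OBSERVED = {
    "NS": {"ns1.example.com.", "ns2.example.com."},
    "MX": {"10 mail.example.com.", "5 mx.unexpected.example."},
    "TXT": {
        "v=spf1 include:_spf.example.com include:bulk.unexpected.example -all",
        "MS=ms12345678",
        "google-site-verification=constructedvalue",
    },
    "_dmarc.TXT": {"v=DMARC1; p=none; rua=mailto:dmarc@example.com"},
    "CAA": set(),
}


def spf_senders(txt):
    """Mechanisms that authorise senders (include:, ip4:, a, mx, ...), minus the all qualifier."""
    return {tok for tok in txt.split()[1:] if not tok.endswith("all")}


def dmarc_policy(txt):
    m = re.search(r"\bp=(\w+)", txt)
    return m.group(1).lower() if m else None


def first_match(records, pattern):
    return next((r for r in sorted(records) if pattern.match(r)), "")


def diff_dns(baseline, observed):
    """Return a list of human-readable findings; empty when the zone matches the baseline."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        base, obs = baseline.get(rtype, set()), observed.get(rtype, set())
        for rec in sorted(obs - base):
            findings.append(f"{rtype}: added {rec!r}")
        for rec in sorted(base - obs):
            findings.append(f"{rtype}: removed {rec!r}")

    # SPF: any newly authorised sender can send mail as the domain.
    new_senders = spf_senders(first_match(observed.get("TXT", ()), SPF_RE)) - \
        spf_senders(first_match(baseline.get("TXT", ()), SPF_RE))
    if new_senders:
        findings.append(f"SPF: new authorised senders {sorted(new_senders)}")

    # DMARC: a policy moving toward p=none removes visibility into spoofing.
    b_p = dmarc_policy(first_match(baseline.get("_dmarc.TXT", ()), re.compile("^v=DMARC1")))
    o_p = dmarc_policy(first_match(observed.get("_dmarc.TXT", ()), re.compile("^v=DMARC1")))
    if b_p and o_p and DMARC_RANK.get(o_p, -1) < DMARC_RANK.get(b_p, -1):
        findings.append(f"DMARC: policy weakened {b_p} -> {o_p}")

    # CAA: with no CAA record, any public CA may issue for the domain.
    if baseline.get("CAA") and not observed.get("CAA"):
        findings.append("CAA: all records removed; any CA may now issue certificates")

    # Ownership verification: a new record can bind the domain to someone else's SaaS tenant.
    for rec in observed.get("TXT", set()) - baseline.get("TXT", set()):
        if OWNERSHIP_RE.match(rec):
            findings.append(f"TXT: new ownership-verification record {rec!r}")
    return findings


if __name__ == "__main__":
    for finding in diff_dns(BASELINE, OBSERVED):
        print(finding)
```

Run it from a cron job against a fresh zone export and page on any non-empty result; the baseline should live in version control, changed only through the same review path as any other production change.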

I would hazard a guess that most companies didn't consider ‘website hosting’ a key part of their security and risk posture. It's a cornerstone pillar, an unlimited skeleton key to all your locks, all your SaaS, all your online activities, the security of your supply chain, etc.

Defence in Depth: it's not just for others; look up and down your supply chain.

  • Krooked Kriminals Krack Krispy Kreme

    Krooked Kriminals Krack Krispy Kreme

In 2023 the US SEC adopted rules requiring disclosure about cyber security practices and outcomes, on the basis that this material affects stock price and risk understanding. Today Krispy Kreme fessed up to becoming a victim of some ne’er-do-well, affecting online activities and operations in a material fashion. They are in good company: according to SecurityScorecard, 97% of the top 100 US retailers experienced a third-party breach in 2024. This reminds me of a joke: when I owe the bank $100K, I have a problem; when I owe it $100M, the bank has a problem (attributed to J. Paul Getty). When we are talking about 100% of the top 20 and 97 of the top 100, it's now the new normal.

How could we get to nearly a 100% hit rate? Well, the combination of a large attack surface (many locations, many online systems, many vendors supporting, many people) and value (if you ran a thousand-plus retail locations and were faced with any downtime, you would pay a ransom, and you would have the means to do it).

How do you reduce the risk? Adopt a defence in depth strategy: limit the blast radius, slow the attacker, increase the visibility. Recognise that the number of interconnected systems, APIs, cloud services, etc. is only going to increase, so ‘all-in-one’ firewall/VPN/bastion security will not work. Adopt identity (of the user, of the system, strongly authenticated via multi-factor) as part of the authorisation logic (user X can do Y on system Z). Remove all VPNs, all shared passwords. When working with external vendors, ensure that each person uses their native single-sign-on (yes, that means userA@vendor, not contractor-A@me) for identity. Implement the advice I give in Advice Avalanche:

    Evergreen Tactics: Simple, Effective Security

    Let’s focus on practical, cost-effective measures, regardless of the specific attack vector:

    • Stronger Identities, Not Shared Passwords: The number one problem? Default passwords and shared accounts. A recent CISA report revealed that 94.4% of US Coast Guard entities had at least one default password. This is a disaster waiting to happen. The solution? Move to single sign-on (SSO) and multi-factor authentication (MFA) across all your systems. We recommend focusing on the HMI first, as it’s the most human-facing element. An identity-aware proxy can make even legacy systems secure by handling authentication separately. This eliminates guessable passwords, accounts that never change, and simplifies access for employees and third parties.
    • Defence in Depth – Beyond the Air Gap: The “air gap” is porous. USB drives, cellular modems, and remote support tools all represent potential entry points. Defence in depth requires multiple layers of security. Network segmentation, robust backups (offsite and protected from flooding!), and well-defined incident response plans are crucial. Understand what you have through thorough inventory and regular security assessments.
    • Zero Trust is a Principle, Not a Product: Zero trust isn’t a magic bullet; it’s a philosophy centered around three things: Who (identity – strong authentication of individual users), What (authorisation – defining what each user can access), and How (secure access methods). If you have those three components, you’re well on your way to a zero-trust architecture.
    • Addressing the Moral Hazard: Your vendors and partners may prioritise simplicity over security, pushing for shared credentials. This creates a moral hazard; you bear the risk, they enjoy the ease of access. SSO and MFA align these interests; it’s simpler for your partners and significantly more secure for your plant.

    Moving Beyond the “Avalanche” – Practical Steps

    The government’s eight key recommendations for securing water systems boil down to:

    1. Reduce Exposure to the Public-Facing Internet
    2. Conduct Regular Cybersecurity Assessments
    3. Change Default Passwords Immediately
    4. Conduct an Inventory of Operational Technology/Information Technology Assets
    5. Develop and Exercise Cybersecurity Incident Response and Recovery Plans
    6. Backup Operational Technology AND Information Technology Systems
    7. Reduce Exposure to Vulnerabilities
    8. Conduct Cyber security Awareness Training

And, most importantly, let’s talk about implementing Zero Trust. It's not hard to get started, and getting started reduces risk.

  • Advice Avalanche: Practical Steps for Wastewater Treatment Plants

    Advice Avalanche: Practical Steps for Wastewater Treatment Plants

There has been an avalanche of advice, best practices on top of best practices, for industrial cyber security (e.g. Fast, Simple, Secure: Implement CISA et al HMI (practically) recommends Agilicus AnyX, CISA: 8 Top Cyber Actions for Securing Water Systems). This blog post summarises key takeaways from my recent webinar on this topic, focusing on practical steps you can take to improve your plant’s security posture.

    The Risks Are Real – and Growing

    We’ve all seen the headlines: the Kansas City freshwater plant shutdown, the Muleshoe, Texas water tank overflow (we even posted the video of the HMI hack on our website!), and the infamous Oldsmar, Florida incident. These aren’t isolated incidents; they’re the tip of the iceberg. For every publicly reported attack, there are likely many more going unreported. Nation-state actors aren’t just after a quick ransom; they want persistent access for future exploitation. This makes even undetected vulnerabilities a serious concern.

    Deciphering the Avalanche of Advice

    The constant stream of alerts from CISA, the DOJ, the FBI, and other agencies can be overwhelming. They often call for immediate and sweeping changes that may be difficult, if not impossible, to implement. Many of these directives, while well-intentioned, lack the practical context needed for implementation in industrial settings. For example, the blanket call to remove all VPNs from networks is unrealistic for many plants. These advisories need to be translated into concrete action items.

    Evergreen Tactics: Simple, Effective Security

    Let’s focus on practical, cost-effective measures, regardless of the specific attack vector:

    • Stronger Identities, Not Shared Passwords: The number one problem? Default passwords and shared accounts. A recent CISA report revealed that 94.4% of US Coast Guard entities had at least one default password. This is a disaster waiting to happen. The solution? Move to single sign-on (SSO) and multi-factor authentication (MFA) across all your systems. We recommend focusing on the HMI first, as it’s the most human-facing element. An identity-aware proxy can make even legacy systems secure by handling authentication separately. This eliminates guessable passwords, accounts that never change, and simplifies access for employees and third parties.
    • Defence in Depth – Beyond the Air Gap: The “air gap” is porous. USB drives, cellular modems, and remote support tools all represent potential entry points. Defence in depth requires multiple layers of security. Network segmentation, robust backups (offsite and protected from flooding!), and well-defined incident response plans are crucial. Understand what you have through thorough inventory and regular security assessments.
    • Zero Trust is a Principle, Not a Product: Zero trust isn’t a magic bullet; it’s a philosophy centered around three things: Who (identity – strong authentication of individual users), What (authorisation – defining what each user can access), and How (secure access methods). If you have those three components, you’re well on your way to a zero-trust architecture.
    • Addressing the Moral Hazard: Your vendors and partners may prioritise simplicity over security, pushing for shared credentials. This creates a moral hazard; you bear the risk, they enjoy the ease of access. SSO and MFA align these interests; it’s simpler for your partners and significantly more secure for your plant.

    Moving Beyond the “Avalanche” – Practical Steps

    The government’s eight key recommendations for securing water systems boil down to:

    1. Reduce Exposure to the Public-Facing Internet
    2. Conduct Regular Cybersecurity Assessments
    3. Change Default Passwords Immediately
    4. Conduct an Inventory of Operational Technology/Information Technology Assets
    5. Develop and Exercise Cybersecurity Incident Response and Recovery Plans
    6. Backup Operational Technology AND Information Technology Systems
    7. Reduce Exposure to Vulnerabilities
    8. Conduct Cyber security Awareness Training

    Remember, you don’t have to be better than a nation-state actor; you just need to be better than your neighbours.

    Conclusion: Security as an Enabler

    The world has changed. Remote access is now essential for efficiency and responsiveness. Security doesn’t need to be a barrier; it can be an enabler. By implementing these practical steps, you can significantly reduce your risk while maintaining operational efficiency. Contact us at Agilicus to learn more about how our solutions can help you secure your wastewater treatment plant.

  • CityNews The Mike Farwell Show Interview

    CityNews The Mike Farwell Show Interview

    This morning, 2024-09-03, I was interviewed on the Mike Farwell Show (CityNews). You can check the interview here @ 54:50.

    Key take aways:

    • Communitech is good for collaboration
    • AI initially favours the attackers
    • Local community is good for interworking since we are big enough to have the skillsets, but not so big we typically have direct competitors
    • You know when you know, but later you know you were wrong
    • Lifetime achievement means old

  • SolarWinds Gives Federal Agencies Labour Day Present

    SolarWinds Gives Federal Agencies Labour Day Present

SolarWinds Web Help Desk CVE-2024-28986 (rated 9.8 out of 10) is now included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, indicating its active use in cyber attacks and giving affected agencies until September 5, 2024 to fix the flaw under Binding Operational Directive 22-01. How fun.

    This is a different type of issue than the December 2020 Christmas present of a breached supply chain, allowing all sorts of software update shenanigans. CVE-2024-28986 instead is a more run-of-the-mill deserialisation issue, where system A trusts what system B gave it.

    The ‘Known Exploited Vulnerabilities’ catalog means:

• it's bad
• you know it's bad
• bad actors know it's bad
• bad actors are using it right now

In this case, the Web Help Desk product is at risk. In addition to the specific remediation (patch), I recommend working on a Defence In Depth strategy. In particular, earlier I gave three enduring strategies that give you more time to respond while lowering the blast radius of what does go bad: time to react, information to react on, and methods to slow down the attacker while you do react.

This isn’t going to get easier anytime soon. In this case, it's not a buffer-overflow type issue, so one cannot simply say “switch to pointerless languages”. It's not a supply-chain issue, solved with better SBOMs etc. It's Java code reading information from elsewhere and making a mistake in interpreting it. This is going to continue to happen, and attackers are going to continue to be motivated to do so by various economic and socio-political motives.

    Enjoy that long weekend of patch and deploy.

  • Operate Your Plant Virtually with Agilicus AnyX

    Operate Your Plant Virtually with Agilicus AnyX

    Introduction

    The demand for remote plant operation is increasing in today’s ever-changing industrial environment. With technological advancements, it is now possible to manage, monitor, and control plant operations from any location, at any time, and using any device. Agilicus AnyX utilizes state-of-the-art Zero Trust Network Access principles to offer secure, smooth, and effective remote access to your plant operations. This article delves into how Agilicus AnyX facilitates virtual plant operations, improving efficiency, security, and flexibility.

    Stay Connected to Your Operations

    Agilicus AnyX allows you to fully utilize remote plant management by giving you immediate access to real-time plant data and control systems from any device, no matter where you are. With Agilicus AnyX, you can stay connected to your plant’s performance whether you’re at home, in the office, or on the go. This empowers you to make informed decisions and quickly address any operational issues.

    Fortified Security for Peace of Mind

    Agilicus AnyX prioritizes security and offers advanced features to safeguard your plant data and operations. These features include:

    • Unified Authentication: Agilicus AnyX is pre-integrated with various identity providers for robust user authentication, ensuring that only authorized personnel can access critical systems.
    • Advanced Encryption: The platform utilizes industry-leading encryption standards such as AES-256 and ChaCha20-Poly1305 to protect data transmissions.
    • Firewall Compatibility: Agilicus AnyX can be easily deployed within existing firewall configurations and can also be placed in a DMZ for additional protection.
    • Granular Access Control: The platform implements detailed role-based access controls, giving users access only to the necessary resources and minimizing potential attack surfaces.

    Effortless Maintenance and Management

    Agilicus AnyX provides a user-friendly experience with no need for client installation and minimal maintenance. You can easily access the platform using your smart device and login details. The intuitive interface and unified management console make setup and administration simple, freeing up your IT team to focus on important initiatives instead of routine maintenance.

    Enhance Efficiency and Responsiveness

    Give your mobile team the power to act quickly and effectively with Agilicus AnyX. This tool equips them with the necessary resources to respond to real-time issues efficiently. With mobile access, they can easily monitor plant operations, troubleshoot equipment, address process anomalies, and make informed decisions on the spot. This increased responsiveness leads to lower field service expenses, less downtime, and enhanced operational efficiency.

    Data-Driven Decision Making

    Having access to real-time data is essential for making well-informed decisions. Agilicus AnyX offers in-depth analytics and thorough logging, providing valuable insights into operational metrics, resource usage, and user behaviour. These insights allow for process optimization, maintenance prediction, and improved overall plant performance, ensuring smooth and efficient operations.

    Flexibility to Scale and Adapt

    Agilicus AnyX is designed to meet the specific needs of your plant operations, whether it’s a small facility or a large industrial plant. It offers flexibility and scalability, effortlessly accommodating your requirements. Its cloud-based architecture allows for easy expansion and adaptation as your business grows, making it a future-proof solution for plant management.

    Real-World Applications and Benefits

    Agilicus AnyX provides unmatched advantages for industries such as manufacturing, utilities, and process control. These include:

    • Remote Monitoring and Control: Easily manage and control plant operations from any location, eliminating the need for an on-site presence and increasing operational flexibility.
    • Enhanced Security: Utilize a strong zero-trust security model that continuously verifies user identities and device integrity, safeguarding critical systems from unauthorized access.
    • Cost Savings: Reduce expenses related to physical infrastructure and maintenance by utilizing a cloud-based solution, freeing up resources for innovation and growth.
    • Improved Collaboration: Facilitate secure access for third-party vendors, consultants, and remote employees, promoting collaboration and operational efficiency while maintaining security.

    Conclusion

    Agilicus AnyX transforms plant operations with a secure, flexible, and efficient solution for remote management. By following zero-trust principles, Agilicus AnyX safeguards and enables access to plant operations from any location, at any time, on any device. Embrace the future of plant management with Agilicus AnyX and enjoy improved security, real-time visibility, and operational efficiency.

    About Agilicus

    Agilicus is dedicated to revolutionizing secure network access for the modern industrial landscape. Our focus is on zero-trust security and user-centric design. With Agilicus AnyX, you can access a comprehensive platform that streamlines remote plant management, improves security, and lowers costs. Experience the future of plant operations with Agilicus AnyX. To learn more, please visit Agilicus or request a demo to see the benefits of Agilicus AnyX for your plant operations.

  • 10 Billion Reasons Shared Passwords Are Bad: RockYou2024

    10 Billion Reasons Shared Passwords Are Bad: RockYou2024

    Another day, another piece of dismal cyber security news (well, dismal for team blue): RockYou2024 dumps 10 billion passwords. This is an amalgamation of earlier leaks plus some new material, and it is the kind of source that feeds all those “we scan the dark web for you” services you are considering investing in.

    I know, all your systems use salted, hashed passwords (or better, passkeys and single sign-on via OpenID Connect). But this type of dump is used a different way: in a credential-stuffing attack. Highly patient bots replay the leaked credentials, one by one, against every login page they can reach until they get a hit. Systems without multi-factor authentication eventually get caught.
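    What that patient robot looks like in your own authentication logs, as an added example that is not from the original post. The log format below is constructed (timestamp, result, user, source IP) and the sample lines are made up; adapt the regex to whatever your identity provider or VPN actually emits. The tell is not one failed login, it is one source trying many distinct usernames in a short window with a high failure rate, and the alert that matters most is the success buried in that run.

```python
"""Spotting credential stuffing in authentication logs.

Added example, not from the original post. Log lines are constructed in a
made-up syslog-like format; a stuffing bot is one source trying MANY distinct
usernames, mostly failing, inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)

# Constructed sample: a bot at 203.0.113.7 replaying leaked pairs, and one
# real user at 198.51.100.5 who mistyped once.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-07-05T10:00:02Z auth FAIL user=bob src=203.0.113.7
2024-07-05T10:00:02Z auth FAIL user=carol src=203.0.113.7
2024-07-05T10:00:03Z auth FAIL user=dave src=203.0.113.7
2024-07-05T10:00:03Z auth FAIL user=erin src=203.0.113.7
2024-07-05T10:00:04Z auth OK user=frank src=203.0.113.7
2024-07-05T10:00:05Z auth FAIL user=grace src=203.0.113.7
2024-07-05T10:01:10Z auth FAIL user=heidi src=198.51.100.5
2024-07-05T10:01:20Z auth OK user=heidi src=198.51.100.5
"""


def parse(log_text):
    """Yield (timestamp, result, user, src) tuples; skip lines that don't match."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate unrelated lines rather than crash the pipeline
        yield (
            datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            m["result"],
            m["user"],
            m["src"],
        )


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {src_ip: summary} for sources that look like stuffing bots.

    Heuristic: within any `window`, one source attempted >= min_users distinct
    usernames and at least `min_fail_ratio` of those attempts failed. Any OK
    from such a source is a leaked pair that worked: that is the real alert.
    """
    events = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        events[src].append((ts, result, user))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        hit = False
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, _, u in span}
            fails = sum(1 for _, r, _ in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                hit = True
                break
        if hit:
            flagged[src] = {
                "distinct_users": len({u for _, _, u in evs}),
                "attempts": len(evs),
                "failures": sum(1 for _, r, _ in evs if r == "FAIL"),
                "compromised": sorted({u for _, r, u in evs if r == "OK"}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

    A plain per-account lockout threshold misses this entirely, since the bot only tries each username once; counting distinct usernames per source is what separates stuffing from a forgotten password.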

    Compounding the problem are ‘shared password’ systems. These, often shadow-IT, systems are used by multiple people who for some reason don’t have unique accounts. Examples are TeamViewer, jump-box VPNs, etc. Because they make it hard to sign in with native single sign-on, and because they are intrinsically team-oriented, the natural approach humans come up with is a shared password. It’s strong, and after all, we trust each other, right?

    But all it takes is for one of those people to reuse that shared password in one more system, and there is a dramatic reduction in strength. And of course, who wouldn’t? After all, it’s shared, not secret, so why should you remember more of them?

    To add to the misery pile, the services you subscribe to that check your core systems against these breaches do indeed check the core systems. They run through the breaches and see if your users are using those passwords in your Microsoft Active Directory or Google Workspace. What they don’t check is the tools on the periphery: TeamViewer, the VPN to the jump box, etc.

    Now, let me let you in on a secret. There is a simple solution to this, one that doesn’t change how you do business or how your teams operate, that is in fact simpler for them and more secure for you: Agilicus AnyX. Instead of requiring that shared password, or reworking the world to fit into your existing identity provider, our identity-aware proxy allows any user (staff, vendor, support) to sign in with their native identity (email), without another password, with multi-factor. Instead of hacking in via TeamViewer with ‘supp0rt-p@ss’ type security, use remote desktop directly with single sign-on.

    Want to learn more? Look in the upper right and contact us!

  • Get Thee From BGP Rockwell: Ethernet/IP Is not Internet

    Get Thee From BGP Rockwell: Ethernet/IP Is not Internet

    Rockwell Automation has issued an urgent directive “IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats”.

    Amongst the reasons given (other than the obvious: these devices have negligible security and control things which might be dangerous) are the CVEs below. But really, this is just a starting point; you need a firewall that confirms identity between the PLC and the net, in both directions.

    CVE ID           Advisory
    CVE-2021-22681   CISA | Rockwell Automation Logix Controllers (Update A)
    CVE-2022-1159    CISA | Rockwell Automation Studio 5000 Logix Designer
    CVE-2023-3595    CISA | Rockwell Automation Select Communication Modules
    CVE-2023-46290   CISA | Rockwell Automation FactoryTalk Services Platform
    CVE-2024-21914   CISA | Rockwell Automation FactoryTalk View ME
    CVE-2024-21915   CISA | Rockwell Automation FactoryTalk Service Platform
    CVE-2024-21917   CISA | Rockwell Automation FactoryTalk Service Platform

    This got me thinking: surely no one would do that, right? One second, let me duck into Shodan.io and see. OK, people do. The ‘myvzw’ hostnames are Verizon SIM-card or MiFi type devices; the ones shown below them are the AT&T equivalent. Indeed you can directly operate these PLCs from the public Internet without any security, any authentication, any authorisation.

    In “Howto: Open Source Intelligence and your Digital Footprint” I show some of the techniques you can use.

  • Fast, Simple, Secure: Implement CISA et al HMI (practically) recommends Agilicus AnyX

    Fast, Simple, Secure: Implement CISA et al HMI (practically) recommends Agilicus AnyX


    A whole mouthful of alphabet organisations got together and gave us some advice on protecting operational technology from Russian hacktivists. And, to summarise, they say “Deploy Agilicus AnyX to protect your HMI”. No, seriously. There is no simpler way to become compliant with this fact sheet.

    • Implement proper single sign on to the HMI via VNC
    • Enable multi factor to the HMI via VNC
    • Have an audit trail of who used the HMI via VNC
    • Have a read-only type of user when appropriate via VNC
    • Have a GeoIP firewall

    It’s like they read our datasheet. Good on them, that is indeed a great spot to become informed.

    The best advice from this point is given indeed on that datasheet, at the bottom: engage with us. Agilicus can explain, demonstrate and help, immediately. It’s not a project to build a Gantt chart for, it’s a project to complete before lunch.

    Read on the source doc to see the other advice.

  • Windows Update Breaks VPN, Good Riddance #zerotrust

    Windows Update Breaks VPN, Good Riddance #zerotrust

    Dateline Redmond, April 2024. “VPN connections might fail after installing the April 2024 security update“. For some gentle readers this might be a combination of a rock and a hard place. Commercial VPNs have recent critical known exploits. The embedded VPN is now breaking. Is there a better way?

    Check out Agilicus’ recent webinar on VPN Alternatives. It turns out that while the VPN can be a great and powerful tool for the “I run IT, I need all access” crowd, it’s not the best tool for the “I have a narrow set of tasks to achieve” set. For this, a Zero Trust architecture, as epitomised by Agilicus AnyX, is simpler and more secure, with a lower blast radius.

    So, if you are struggling with service packs breaking, and subnets not routing, and split horizon DNS topics, come on over and chat.

  • Industrial Supply Chain Matryoshka Risk

    Industrial Supply Chain Matryoshka Risk


    The corollary to “I stand on the shoulders of giants” is “There’s a lot to know and understand inside the black box”. Last week we had a critical Palo Alto vulnerability announced. But that code, and its trouble, is also renamed and embedded in other things, things which often have a longer life. In this case a Siemens RUGGEDCOM APE1808 gets the security advisory. This comes from a partnership Siemens and Palo Alto did to “Protect Critical Infrastructure“: a rugged “PC” from Siemens, some software from Microsoft, some VMs, some Palo Alto NGFW.

    So here, some organisations will have read the big-news-headline “Palo Alto NGFW causes world ending issues”, and, said, “there but for the grace of god go I, someone else’s problem”. And, of course, they have the same tech in a different label. In this case, a type of vendor Matryoshka doll.

    This nesting of code is a very deep stack. To help unravel it, the industry created the concept of a Software Bill of Materials (SBOM). These came to light again in the 2021 US Executive Order on Improving the Nation’s Cybersecurity, which calls for “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”.

    At Agilicus, we use the SLSA attestation model to show what went in to our software. But it becomes very complex when there is entire-product composition as we see here.

    To make this particular case even more complex, the Siemens APE1808 device discussed is designed to be used by system integrators, hosting even more software inside. The risk models are both nested and might even have loops.

    So in this case, an application hosting platform that you may have parked in your brain as “unimportant side quest application” could be viewed by attackers as “express onramp to lateral traversal”. In much the same way as some phishy cyber-criminals once used a fish-tank at a Vegas casino.

    Matryoshka Dolls Trivia

    History and Origin

    • Matryoshka dolls, also known as Russian nesting dolls, originated in the late 19th century in the village of Sergiev Posad, near Moscow, Russia.
    • The first matryoshka was carved by a woodworker named Vasily Zvyozdochkin and painted by artist Sergei Malyutin in 1890.
    • The dolls were inspired by Japanese “daruma” dolls, which were hollow and contained a smaller doll inside.

    Design & Construction

    • Matryoshka dolls are traditionally made of linden wood, which is lightweight and easy to carve.
    • Each doll consists of a series of hollow, wooden figures that fit inside one another, from the largest to the smallest.
    • The outermost doll is typically a woman wearing a traditional Russian sarafan dress and a kerchief.
    • Each subsequent doll inside is progressively smaller and represents a different aspect of Russian culture, such as a child, a peasant, or a traditional craft.
    • The dolls are hand-painted with bright colors and intricate designs, often featuring floral patterns, scenes from Russian folklore, or other traditional motifs.

    One thing is certain in my mind: Defence in Depth remains important. Rather than a single, infinitely strong firewall and VPN, we need to think about “they got in through the first layer, how do we slow, observe, protect” at each layer. And for this, Zero Trust remains part of the gold standard. In “Three Strategies To Help: Cisco ASA AnyConnect and WebVPN added to CISA Known Exploits” I give three simple tactics that have enduring value and are uncorrelated to specific risks like the above. Give them a read and a try!

  • Quis custodiet ipsos custodes: When Good Firewalls Go Bad

    Quis custodiet ipsos custodes: When Good Firewalls Go Bad

    Recently Palo Alto announced a CVSS 10.0 CVE in the GlobalProtect feature of their PAN-OS firewall. “Unauthenticated attacker [can] execute arbitrary code with root privileges on the firewall”. Well, that is not good. But how “not good” is it? It’s terrifyingly bad ungood, in fact. Let’s discuss.

    First, let’s think of the privileged position this firewall is in. It separates the trust from the non-trust. It is likely even used in a more complex zonal model, separating “Internet” from “DMZ” from “Desktops” from “Data Centre”. In fact, it can be a blueprint of where to look for someone. Fetch the firewall rules, look at the most restrictive blocks, and, well, attack there first.

    Second, let’s think about other features commonly implemented on an NGFW. SSL inspection. It’s not uncommon in the corporate world to inject a “trusted CA root certificate” into all your devices and have the firewall inspect all the outbound traffic. And where I say “inspect”, read “decrypt”. This means this device has the ability to read/write/modify all the traffic leaving your facility. Perhaps you have some JWTs or API keys or service accounts used in your external cloud environment? Maybe your Identity Provider is a public one on Azure or Google. This firewall is reading your passwords in a proxyful fashion. And now, someone else owns it. A regular layer-4 firewall would be bad to have breached, but one that you have taught to break all your cryptography? Much, much worse.

    Third, how many of you have enabled proper single sign-on, no shared accounts, multi-factor, for the administrative interface of all your network doo-dads and appliances? Right, none of you. So the miscreant who just waltzed into your firewall via this attack probably now has the credentials to your other security appliances.

    And, lastly, it was discovered in the field as a zero-day in active use. This means someone has known about it for perhaps a long time, and might have stealthily been using it until caught. This means… all your secrets are belong to us. Your backups. Your passwords. Your customer information. Your cloud SaaS data. The attacker might use this to spearphish your customers, business email compromise exploits, blackmail, who knows.

    By having a fully-trusted device in the centre, we have facilitated what might have merely been bad to being worse. Much worse. That SSL inspection feature, once breached, that private SSL root key you installed, is a highway to hell when coupled with a critical exploit.

    Now, the saving grace here: Palo Alto is acting responsibly. They have disclosed it, created a security advisory, and shared the details of what they know. Imagine how much worse this would be if they were quiet and pretended it didn’t exist, and instead of “Palo Alto Networks is aware of malicious exploitation of this issue” put out some wishy-washy lawyer-language statement?

    So, once again, stop reading, start patching. And, when done, call me and let’s talk “Zero Trust” instead of “Fully Trusted”.

  • CISA: 8 Top Cyber Actions for Securing Water Systems

    CISA: 8 Top Cyber Actions for Securing Water Systems

    CISA this week issued a Fact Sheet “8 Top Cyber Actions for Securing Water Systems” giving a set of “do it now” practical actions for securing water and wastewater systems. Let’s unpack the first one, “Reduce Exposure to the Public-Facing Internet”.

    8 Top Cyber Actions for Securing Water Systems

    Spoiler, the list is below. You should still read the Fact Sheet “Top Cyber Actions for Securing Water Systems”

    CISA: 8 Top Cyber Actions for Securing Water Systems
    • Reduce Exposure to the Public-Facing Internet
    • Conduct Regular Cybersecurity Assessments
    • Change Default Passwords Immediately
    • Conduct an Inventory of Operational Technology/Information Technology Assets
    • Develop and Exercise Cybersecurity Incident Response and Recovery Plans
    • Backup Operational Technology AND Information Technology Systems
    • Reduce Exposure to Vulnerabilities
    • Conduct Cybersecurity Awareness Training

    OK, after reading, not a lot of controversy there, nothing I would argue against doing. The nuance I wanted to discuss in this post is the word Exposure in the first one (Reduce Exposure to the Public-Facing Internet). That could mean many things:

    1. Inbound open ports (DMZ etc)
    2. Inbound VPN access
    3. Outbound proxy-enabled access
    4. Singular services (e.g. DNS, NTP)
    5. Operational monitoring such as alarms, SMS gateways
    6. Software updates, even if a network diode is present or an air gap
    7. Outbound access for e.g. posting stats, license managers
    8. Cross-over, e.g. user laptop on corporate network has web access, laptop is moved to operational technology network periodically

    Upcoming Webinar!

    See the webinar “Securing Wastewater Remote Connectivity with Segmentation and Zero Trust” for a practitioner’s view on the challenges and solutions.

    For the first one, this is where I recommend heading to everyone’s favourite tool, shodan.io. A couple of queries to get started: your public IP, part of your company name. What do you see? If you see Remote Desktop or VNC, stop, contact me now! High risk, simple solution. Do you see a bunch of items that are more of a grey area, like certificates on someone else’s IP ranges? Hmm. Do you see inbound IP+port access to anything? Contact me, we can make that go away without operational impact.

    On the topic of certificates, now that you’ve come up from the Shodan rabbit hole, let’s try crt.sh. Enter part of your company name. This will show you all the certificates that have been issued. Look for a few key weaknesses:

    1. Wildcards. Has someone issued a *.yourdomain certificate? Stop! Contact me. This is easily fixable. If *anyone* gets control of the key associated with it, they can spearphish you, spoof your email, raid your fridge, you name it; it is a key to everything. You want to limit the blast radius: one certificate, one resource.
    2. Long duration. Certificates should have a lifetime of less than 90 days.
    3. Similar names. This could be spearphishing. Misspell your name a bit and see if certificates have been issued for it (e.g. a 1 instead of an I, or .co instead of .com).
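    The three crt.sh checks above, as an added example that is not from the original post. It assumes the JSON shape crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json (fields `name_value`, `not_before`, `not_after`, `issuer_name`), and the four records embedded below are constructed, not real crt.sh data, so it runs offline. `YOUR_DOMAIN` and the homoglyph table are assumptions to adjust for your own name; the script goes slightly beyond the text by also catching a lookalike that swaps the suffix (.co for .com) and one that swaps a character inside the registrable label.

```python
"""Triage of certificate-transparency results: wildcards, long lifetimes, lookalikes.

Added example, not from the original post. Records are constructed in the
JSON shape crt.sh returns (name_value / not_before / not_after / issuer_name).
"""
import json
from datetime import datetime

YOUR_DOMAIN = "example.com"  # assumption: replace with your registered domain

# Constructed sample in crt.sh's JSON shape (not real CT data).
SAMPLE_JSON = json.dumps([
    {"name_value": "www.example.com", "not_before": "2024-06-01T00:00:00",
     "not_after": "2024-08-29T23:59:59", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "*.example.com\nexample.com", "not_before": "2024-01-15T00:00:00",
     "not_after": "2025-01-14T23:59:59", "issuer_name": "C=US, O=DigiCert Inc"},
    {"name_value": "vpn.examp1e.com", "not_before": "2024-07-01T00:00:00",
     "not_after": "2024-09-28T23:59:59", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "login.example.co", "not_before": "2024-07-02T00:00:00",
     "not_after": "2024-09-29T23:59:59", "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
])

# Crude homoglyph fold (assumption: extend for your own name's weak characters).
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "0": "o", "|": "l"})


def fold(label: str) -> str:
    """Collapse characters attackers swap for lookalikes."""
    return label.lower().translate(HOMOGLYPHS)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def under(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def is_lookalike(name: str, domain: str) -> bool:
    """True when `name` is NOT under `domain` but impersonates it.

    Two cases: same registrable label with a different suffix (example.co for
    example.com), or a homoglyph swap inside the label (examp1e.com).
    """
    if under(name, domain):
        return False
    base = domain.rpartition(".")[0]
    nbase = name.rpartition(".")[0]
    if nbase == base or nbase.endswith("." + base):
        return True
    return under(fold(name), fold(domain))


def triage(crtsh_json: str, domain: str = YOUR_DOMAIN, max_days: int = 90):
    """Return sorted (finding, name) pairs for the three weaknesses."""
    findings = set()
    for rec in json.loads(crtsh_json):
        days = (parse_ts(rec["not_after"]) - parse_ts(rec["not_before"])).days
        # one crt.sh row can carry several SANs separated by newlines
        for name in rec["name_value"].split("\n"):
            if name.startswith("*."):
                findings.add(("wildcard", name))
            if days > max_days and under(name, domain):
                findings.add(("long-lived", name))
            if is_lookalike(name, domain):
                findings.add(("lookalike", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, name in triage(SAMPLE_JSON):
        print(f"{finding:10s} {name}")
```

    The lookalike check is deliberately only run on names that are not yours, so a query that matches your whole organisation name (rather than one domain) surfaces the examp1e.com that a phisher registered alongside your legitimate certificates.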

    The CISA Fact Sheet “8 Top Cyber Actions for Securing Water Systems” gives some great, simple, guidance for todo-now tasks. If you are struggling with understanding ‘Exposure’ and want to discuss Zero Trust, and specifically, how the Agilicus Connector can remove this requirement without altering your operations, contact me.

  • Three Strategies To Help: Cisco ASA AnyConnect and WebVPN added to CISA Known Exploits

    Three Strategies To Help: Cisco ASA AnyConnect and WebVPN added to CISA Known Exploits

    CVE-2020-3259 has been patched for a few years now, but it seems a lot of users put their key security appliances on autopilot. When you do that, bad people move into the neighbourhood (e.g. Akira ransomware exploits it). And when that happens enough, CISA adds it to the Known Exploited Vulnerabilities catalog. The best time to patch this was when the notice came out; the second best time is now. Patch early, patch often. But, since you’re tired of hearing about patching, I give you three strategies you can implement to generically reduce your risk, reduce your cost, and give your team time to react as you mull over Cisco ASA AnyConnect and WebVPN being added to CISA Known Exploits.

    Purdue Conceptual Model

    I have seen a lot of these devices used in “secondary” locations. Maybe a firewall between layers in the Purdue model (e.g. between the Information Technology and Operational Technology network). Maybe running the DMZ to your outside vendors. The device doesn’t have to have a direct external Ethernet jack to be a risk to you, lateral traversal is a thing.

    The nature of the ‘attack’ is that ‘sensitive information’ is readable remotely, without authentication. Perhaps you have this device and your more important routers, and you share the password between them. After all, how could this matter? One admin account for a few devices, shared, the password is strong, right? It’s only as strong as the weakest link.

    Now, this is an example where folks have had years to patch, and have not patched. Is patching the only thing they should have done? Defence in depth is the strategy I would recommend. Let’s examine a few ways.

    Multi-factor authentication


    First, multi-factor authentication. The nature of this attack is secret extraction: IPsec certificates, passwords, SSL trust chains. If we used multi-factor on all the places those secrets might be shared (the ASA, other Cisco routers, etc.), it would be much harder for the attacker to traverse. If every device had multi-factor and the attacker extracted the shared password from the Cisco ASA, they would still be holding only one factor. Couple that with some logging and alerting and we’d have a shot at stopping the attacker in their tracks. Couple that with some segmentation and the attacker would be materially slowed, giving us time to react.

    You may feel there are barriers to implementing multi-factor authentication on some of those “legacy” devices. Maybe you need to access them with local accounts not part of your Domain Identity Provider? Maybe you need to have a contractor or network managed service provider use them? Agilicus has you covered, see the case study at the right, implementing multi-factor authentication as an identity-aware proxy without any changes.

    Logging

    Second, logging. Devices and software generate logs. These are not just for install-time debugging and diagnostics. Make sure the logs are shipped to a central, tamper-resistant location. Make sure every device has its clock properly synced with NTP. Use UTC, to avoid embedded device databases mishandling daylight-saving time changes. This is non-negotiable: if it’s not UTC, the odds of some random Y2K-style time bug showing up are high.

    Logs can be stored in a fancy SIEM. Logs can also be stored in flat files in a syslog collector. Start collecting, get the timestamps, and, then, on the first incident, you will at least have some information to work through. And, after that incident, you’ll have a better understanding of what you want to budget here.

    Segmentation


    Third, segmentation. Think of your medieval castle here: it’s got a moat, it’s got a drawbridge, it’s got a wall, it’s got a keep. Every time some Monty-Python-esque attacker got through the first line, you fell back.

    Now think of the famed Maginot Line, a long, thin, ‘infinitely strong’ line of defence built by France in the 1930s to deter Nazi Germany. Worked great; the Germans went around through the Benelux and… boom, the wall was not so great from the inside.

    Network segmentation is a core principle of Zero Trust. In fact, Zero Trust is the limit, one user, one resource, rather than the VPN model of one user, all resource.

    Implementing network segmentation can seem daunting. Look up private VLANs in your switches. Look up ACLs. Group devices by either type or purpose. Every bit helps. Make sure logs are generated (see above) for things traversing, or being blocked from traversing, the segments.

    Conclusions, Next Steps

  • Multiple Connections Inbound Access Challenge

    Multiple Connections Inbound Access Challenge

    In “High Availability Dual WAN Remote Industrial Connectivity” I discussed some of the challenges of achieving non-stop connectivity. One of the specific challenges relates to having multiple Internet connections from unlike providers: different IP, different MTU, different latency, different firewall, etc. Point solutions like DDNS are challenged by this, so let’s discuss the Multiple Connections Inbound Access Challenge.

    Several years ago I wrote about helping a friend install Starlink. Previously I had helped him bond multiple DSL lines together, a solution which gave a single IP and somewhat more bandwidth than any one link, but was not that great otherwise, DSL being DSL. In the new solution I deployed a Mikrotik router, overwrote it with OpenWRT, and set up MWAN3 for multiple-WAN access.

    MWAN3 is an open-source load-balancing/failover package that runs on an OpenWRT router. It health-checks each link and switches between them. In the outbound direction it can use more than one link simultaneously. In the inbound direction it’s at the mercy of what you send it.

    In that article, I wrote about some of the challenges of unlike speed and MTU. He had very minimal ‘remote access needs’, so I used our Agilicus AnyX to make the Starlink satellite statistics available remotely, from anywhere.

    At the time I had not given a lot of thought to this challenge, but subsequently, as Agilicus has evolved, it has become more evident that our strategy of “outbound-only connections” has multiple advantages: functional, security, simplicity. In this case, let’s re-imagine that ‘remote access’ case without it.

    This house has 2 IPs. One is ‘public’, on DSL. One is shared, NAT, private, on Starlink. Thus we could theoretically use DDNS and announce the DSL one, https://stats.myhouse.org, and just accept that when the DSL link is down it’s unavailable. Would this be acceptable in a non-stop industrial environment? No.

    Let’s say that Starlink would magnanimously provide my friend a public, routable IP. What would we do then? We might put the Starlink one in DDNS and, when it fails, change it. That would take time to propagate; the TTL of the DNS record might be 1 hour or more. Or we could phone everyone using it and tell them to reconfigure their equipment. Would this be acceptable in a non-stop industrial environment? No.

    Let’s say we could get a 3rd IP address and somehow magically NAT it back and forth across these. Would that resolve it? Well, we would now run into issues with the unlike MTU and unlike bandwidth-delay product, which is tracked per route pair: there would be a significant glitch. Would this be acceptable in a non-stop industrial environment? No.

    SSH Animated Data Flow

    It turns out that by using an outbound-only connection, we have inadvertently solved this key problem. The public IP is on our cloud, where we have access to tools like Anycast, load balancers, regional availability zones, Kubernetes, Istio, etc., without any real additional cost. End users see an always-on connection, and which link it runs down is hidden from them; individual HTTP transactions might even be split across links. Seamless to the end user, no firewall changes, works across all links, non-stop? What’s not to like: we’ve resolved the Multiple Connections Inbound Access Challenge.

  • Ground Hog Day: Fortinet VPN Edition

    Ground Hog Day: Fortinet VPN Edition

    So it’s a few days after Groundhog Day. Side note: I once explained this tradition to a UK colleague and he thought I was putting him on. Chris C, this one is for you!

    Groundhog Day is famously about prognosticating rodents predicting the weather. But it’s also a famous movie with Bill Murray where time resets each morning and he relives the same day again and again.

    Today we got the cheerful news of CVE-2024-21762 from Fortinet (advisory FG-IR-24-015): your VPN is once again letting it all flap in the breeze, with a CVSS score of 9.6. Yes, you and your 9B best friends can now execute arbitrary commands (and new binaries!) on your key security appliance.

    The Rust fans are all spinning this as yet another “I told you so”, it being an out-of-bounds write triggered by inbound HTTP requests with some hanky-panky inside. I won’t link it, but there is an exploit available, meaning anyone with a device made in the last 20 years and the ability to type or speak something to Google can find it. So security by obscurity will not play here. National security agencies have already warned that it is being actively exploited.

    Above I used the Groundhog Day metaphor because we just went through this with e.g. Ivanti. There I used the metaphor of Old Yeller and shooting an old friend. Yes, metaphors are my New Year’s resolution; similes are so 2023.

    So, what to do? Patch early, patch often? Maybe it’s time to invest in some Defence In Depth. Your VPN needs a firewall on each side, ideally by different vendors. Or, you need them in series, 2 VPNs. Another approach, which I recommend, is adopting a Zero Trust strategy, so it’s not all or nothing, it’s one piece at a time (cue Johnny Cash).

  • Dutch Defence Detail Dastardly Dirty Deed

    Dutch Defence Detail Dastardly Dirty Deed

    The Netherlands Ministry of Defence just published the cliff-hanger document TLP:CLEAR MIVD AIVD Advisory COATHANGER regarding a remote access attack on their Fortinet FortiGate VPN by “a state-sponsored actor from the People’s Republic of China”. CVE-2022-42475 was the weakness. One thing that is unusual about the report is the direct attribution: this is rare.

    The effects were limited because of prior network segmentation.

    Reading the lines and between the lines, the Netherlands implemented more than one control, a defence in depth strategy. This reduced the impact (or blast radius) of the attack.

    One thing that stood out to me:

    Moreover, the infection survives firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.

    This is dangerous, a lot of companies will apply the upgrades, thinking they are now protected, but could remain vulnerable.

    The document then goes into some detail about the various libraries affected, how the malware hides itself, and how it sets up its command and control.

    A bastion device like a VPN or firewall is particularly complex to secure. By nature of its job, it has both outside and inside access. The comment in the document about ‘prior network segmentation’ is your clue to how to reduce the impact. And, there is no better network segmentation than Zero Trust. In “Industrial Zero-Trust Micro-Segmentation” I wrote about some techniques, including the use of Private VLAN, that can be coupled with a Zero Trust platform like Agilicus AnyX to provide layers of defence in depth.

  • Howto: Open Source Intelligence and your Digital Footprint

    Howto: Open Source Intelligence and your Digital Footprint

    Let me show you a very simple means of Open Source Intelligence (OSINT) on yourself. If I can do this, anyone can do this, and if anyone can do this, someone bad can do this.

    Shodan


    Head on over to shodan.io, type in ‘Rockwell’. Suddenly you can see a bunch of PLCs that are publicly available via EtherNet/IP or Modbus. Try this with some strings that mean something to your business, e.g. the main part of your domain name (so ‘agilicus’ from ‘agilicus.com’), etc. Do you see yourself? If so, so do others.

    Here we can see a bunch of PLCs, hanging out, with a lot of wireless carriers as the ISP. Let’s pick one and dig in, see what we can see. I will pick “166.169.157.23”, on myvzw.com (Verizon Wireless).

    Now, we see a set of “Cards”; let’s explore what they mean.

    First, we see “General Information”. In this case, it’s not useful, since it’s generally the ISP (Verizon Wireless) rather than a specific customer or site. Even the location is probably not valid, since wireless is not fixed in location.


    Second, we see some high level information on Web Technologies. Shodan has identified that jQuery is in use. We’ll look at this in a bit in the cURL and Browser section.


    OK, now Shodan has taken a swag at vulnerabilities. Don’t consider this exhaustive; that requires a lot of work and more advanced tools like OpenVAS or Nessus, etc. But the list is non-zero, so we have some reason to think, and perhaps be alarmed. These are all 4.3, so if this is a mission-critical sign-in gateway, we might take action. If it’s something that doesn’t have any sign in, no CSRF, no cookies, etc., we might not care.


    Now we get to the services. Shodan has identified 3 open ports: 9191, 9443, 44818. We can Google these to see more detail, noting that 44818 is commonly used for EtherNet/IP, an industrial protocol commonly used by Rockwell Automation.


    Shodan now shows us what it found in its earlier query on port 9191. It knows it’s a web server, but nothing more.


    Now we find our first real clue. Port 9443 has an SSL certificate. It was signed for Sierra Wireless in 2015 and references eairlink.com.


    The real excitement comes on 44818, the EtherNet/IP. Spoiler: it’s not the Ethernet and IP you think it is, it is the Common Industrial Protocol. Shodan has identified this as a 2080-LC50-24AWB, better known as a Micro850, a discontinued PLC. We also get another breadcrumb, the IP on the ‘local’ side, meaning we know at least 1 subnet past the gateway.


    cURL and Browser

    OK, we’ve learned a lot from Shodan; let’s see what else we can find. So, let’s open a browser to the links above (http://IP:9191 and https://IP:9443). Suddenly we see a login screen and a product name. It’s ‘Sierra ACEmanager’. It’s also helpfully giving us the version: ALEOS Version 4.9.3


    It takes but a moment to figure out the default password for this device.


    NMAP

    Now let’s switch gears to that PLC.

    # nmap --script enip-info -sU -p 44818 166.169.157.23
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 11:25 EST
    Nmap scan report for 23.sub-166-169-157.myvzw.com (166.169.157.23)
    Host is up (0.25s latency).

    PORT STATE SERVICE
    44818/udp open EtherNet-IP-2
    | enip-info:
    | type: Programmable Logic Controller (14)
    | vendor: Rockwell Automation/Allen-Bradley (1)
    | productName: 2080-LC50-24AWB
    | serialNumber: 0x60d08030
    | productCode: 157
    | revision: 11.11
    | status: 0x0034
    | state: 0x03
    |_ deviceIp: 192.168.1.103

    OK, that was easy. We now know the version of firmware (and have confirmation of the internal IP and thus subnet).
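
The same scan output can be turned into an inventory record rather than read by eye. The following is an added example, not code from the original post or from Nmap: it parses the text format shown above into a structured record and flags what a defender cares about, namely an EtherNet/IP endpoint answering on a non-RFC1918 address and an identity reply that leaks an internal address. The embedded report is a constructed sample in the same format; its hostname, addresses and serial number are placeholders, not real devices.

```python
"""Turn Nmap 'enip-info' text output into an asset-inventory record.

Added example, not code from the original post or from Nmap. It parses the
report format shown above and flags what a defender wants to know: an
EtherNet/IP endpoint answering on a non-RFC1918 address, and a device
identity reply that leaks an internal address. The embedded report is a
constructed sample; hostname, addresses and serial are placeholders.
"""
import ipaddress
import re

# Constructed sample modelled on the report format above; every value is a placeholder.
SAMPLE_REPORT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 11:25 EST
Nmap scan report for gw.example.net (203.0.113.5)
Host is up (0.25s latency).

PORT      STATE SERVICE
44818/udp open  EtherNet-IP-2
| enip-info:
|   type: Programmable Logic Controller (14)
|   vendor: Rockwell Automation/Allen-Bradley (1)
|   productName: 2080-LC50-24AWB
|   serialNumber: 0x00000000
|   productCode: 157
|   revision: 11.11
|   status: 0x0034
|   state: 0x03
|_  deviceIp: 192.168.1.103
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+(?:\.\d+){3})\)?\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
FIELD_RE = re.compile(r"^\|[_ ]\s*([A-Za-z]+):\s*(.+?)\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True when `ip` lies in private (RFC 1918) address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_enip_report(text):
    """Return one dict per scanned port, with the enip-info fields attached."""
    records, host, current = [], {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # a new host block starts here
            host, current = {"hostname": m.group(1), "ip": m.group(2)}, None
            continue
        m = PORT_RE.match(line)
        if m:                                   # port line: "44818/udp open ..."
            current = {**host, "port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4), "enip": {}}
            records.append(current)
            continue
        m = FIELD_RE.match(line)                # script output: "|   key: value"
        if m and current is not None:
            current["enip"][m.group(1)] = m.group(2)
    return records


def assess(record):
    """List the risk findings for one record; an empty list means nothing notable."""
    enip, findings = record["enip"], []
    if record["state"] == "open" and record["port"] == 44818:
        findings.append("EtherNet/IP (CIP) answers: the protocol has no built-in security")
    if "Programmable Logic Controller" in enip.get("type", "") and not is_rfc1918(record["ip"]):
        findings.append("PLC identity reachable on a non-RFC1918 address")
    dev_ip = enip.get("deviceIp")
    if dev_ip and dev_ip != record["ip"] and is_rfc1918(dev_ip):
        findings.append("identity reply leaks internal address " + dev_ip)
    return findings


def inventory(text):
    """Parse a report and return (record, findings) pairs ready for an asset list."""
    return [(r, assess(r)) for r in parse_enip_report(text)]


if __name__ == "__main__":
    for rec, found in inventory(SAMPLE_REPORT):
        print(rec["ip"], rec["port"], rec["enip"].get("productName"), rec["enip"].get("revision"))
        for f in found:
            print("  -", f)
```

Run it against your own scan of your own public addresses and the output is the list you want to be empty; each record that appears is a device to put behind authentication rather than leave answering to the internet.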

    CVE, Vulnerability


    From here we can lookup some known vulnerabilities for our two devices (the Sierra Wireless and the PLC).

    A simple search on ‘ALEOS Version 4.9.3 CVE’ finds an alert from CISA “Sierra Wireless AirLink with ALEOS firmware”. OK, that was easy. We now have a roadmap to 5 ways to take over the device (and this is ignoring the 12345 password issue from above). For the sake of argument, let’s assume we now can use this to gain full layer-3 access to the site, given the firewall is pretty vulnerable.


    How about the one known device, the PLC? Well, there are a ton of issues referenced online. The EtherNet/IP protocol itself has no security, so we have a lot of room on that alone, but CVE-2023-3595 seems like a good start for anyone who wishes us ill will; it’s rated 9.8 out of 10. If we are lazy, CISA has a 10/10 one (ICSA-22-090-05) for us to dig into.

    From here it’s an exercise for the reader to find the proof-of-concept code and exploit.


    CVEs and vulnerabilities are like an iceberg: for every one known and reported, there is another set that are known and un-reported (the zero-days hoarded by bad actors), and for every one of that set, there is another set of ones not yet found.

    The known/known becomes the unknown/known, becomes the unknown/unknown. The ripples of risk expand.

    Next Steps

    The intent of this post was not to scare. It was not meant to demonstrate some deep knowledge of esoteric tools. Instead, I meant to show that the howto basics are a commodity. I don’t know where any of the sites I found in Shodan are, and I did not try to hack into them. But anyone could, and someone will. Perhaps the example above is something deep in critical infrastructure: a water plant, an energy pipeline, a hydroelectric dam.

    So my advice is, try hacking yourself. It’s called red-teaming, capture the flag, pentesting, etc. If it’s eye-opening, then, well, use the knowledge: invest in some defense in depth, improve the authentication, authorisation, access, etc.

  • US sanctions Iranian officials for cyber-attacks on water plants

    US sanctions Iranian officials for cyber-attacks on water plants

    Exploitation of Unitronics PLCs used in Public Water Systems

    In “Avoid Exploitation of Unitronics PLCs used in Public Water Systems” I wrote of a group named Cyber Av3ngers, affiliated with the IRGC, targeting and modifying the HMI of the Municipal Water Authority of Aliquippa along with several other water systems.

    According to CISA, thanks to a simple default password – like 1, 2, 3, 4, 5, 6 – the Iranian hackers were able to disable a monitor regulating water pressure, but plant managers were able to take over manually.

    The Iranian attackers, posing as anti-Israel / pro-Palestinian, changed some pressure regulating settings. Well, they got noticed. The US has issued sanctions, personally, against those responsible, using Executive Order 13224 and the long arm of the US financial system. This order, signed September 23, 2001, by George W. Bush, was about a different kind of terrorism, but had the same objective.

    Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), an Iranian government organization responsible for a series of malicious cyber activities against critical infrastructure in the United States and other countries.

    https://home.treasury.gov/news/press-releases/jy2072

    CISA uses the words ‘target rich, resource poor’ to describe a set of sectors, the critical infrastructure of water being one of them. Their key sectors: “Water, Hospitals, K-12 Education”.

    As for that password mentioned above, yes, of course it should be stronger. Yes we all enjoy a bit of schadenfreude knowing full well we do it better.

    But, you can’t. Some of that equipment is a permanent fixture, and permanently insecure. You need to haul the authentication up in front of it: an identity-aware proxy, Zero Trust. There is no safe method to operate these things with a VPN or other layer-3 remote access system, either to them or to the network they live in. So, operating within the constraints of budget (are you going to redesign and rebuild this plant?), manufacturer equipment practices (are you going to reverse engineer the firmware and fix it?) and the asymmetric nature of cyber warfare (blue team needs to be right 24x7x365, red team only needs to be right once), are you really going to be better? YES, since you read this blog, and you now know that Agilicus can help.

  • VPNs in Industrial Environments: Old Yeller

    VPNs in Industrial Environments: Old Yeller


    Industrial environments, with their complex machinery and interconnected systems, rely heavily on remote support for troubleshooting and maintenance. VPNs, often touted for their secure tunnel access, seem like a natural fit. But before diving in, consider the potential risks: VPNs, while convenient, are never the safest option for industrial remote support. VPNs in Industrial Environments: Old Yeller. It was a faithful friend for years, and now it’s time to shoot it before it bites you.

    It’s a harsh metaphor, but this old friend has bitten the hand that feeds it more than once. See VPN Alternative and step on the right path today.


    The Colonial Pipeline Fiasco: A Stark Reminder

    Remember the 2021 Colonial Pipeline shutdown, crippling fuel supply across the Eastern US? The culprit? A compromised VPN account. Hackers exploited a vulnerability in the VPN software, gaining access to critical systems and wreaking havoc. This incident serves as a stark reminder of the vulnerabilities inherent in using VPNs for industrial control systems (ICS).

    Beyond The Colonial Pipeline: Common VPN Risks in Industrial Settings

    The Colonial Pipeline attack wasn’t an isolated event. Here’s why relying solely on VPNs for industrial remote support can be risky:

    • Increased Attack Surface: VPNs create a single point of entry into your network, making it a prime target for hackers. Exploiting a vulnerability in the VPN server grants access to everything within the tunnel.
    • Unsecured Protocols: Many industrial protocols lack built-in security, making them vulnerable within a VPN tunnel. Hackers can leverage these weaknesses to manipulate systems or steal data.
    • Limited Visibility: VPNs often provide poor visibility into user activity, making it difficult to detect suspicious behavior or unauthorised access.
    • Human Error: Accidental misconfigurations or weak user credentials can easily compromise VPN security, leaving your systems exposed.

    The Ivanti VPN Flaw: A Case for Secure Alternatives

    The recent disclosure of a critical vulnerability in the Ivanti Pulse Connect Secure VPN software further highlights the risks. This flaw could allow attackers to bypass authentication and gain unauthorised access to networks. While patched versions are available, it underscores the need for alternative solutions for industrial remote support.

    Exploring Safer Options for Industrial Remote Support

    Several secure alternatives offer better protection for industrial environments:

    • Single Sign On, strong authentication. Use the same web-based authentication you use for your other business systems like email. This helps reduce the risk of phishing due to the familiar experience. It also facilitates modern multi-factor such as WebAuthn and passkeys.
    • Zero Trust. Don’t create a ‘remote road to the world’, create a narrow pipe to the one resource the user needs, with fine-grained authorisation and audit. Principle of least privilege.
    • Outbound only. Don’t show up on Shodan.io.

    The Verdict: The VPN’s Time Is Like Old Yeller

    VPNs remain valuable tools for secure remote access in many contexts. However, for industrial environments where security is paramount, they should not be used. Use Zero Trust coupled with Defense In Depth segmentation. Remember, secure remote support is not a one-size-fits-all solution. Evaluate your specific needs and risks to choose the best approach for your industrial environment.

    Stay vigilant, stay informed, and stay secure!

  • Begone Ivanti Industrial VPN Sayeth CISA

    Begone Ivanti Industrial VPN Sayeth CISA

    In Emergency Directive 24-01 agencies are directed to remove the affected Ivanti Industrial VPN products from service, wipe them, wipe all clients who have used it, reset all identities which have used it. A big ask in a hurry for a big problem which is really happening rather than theoretically might happen.


    Of particular concern is the use of this technology as a means of bridging access to industrial control systems, allowing attackers access to broadly critical infrastructure. The particular vulnerability (CVE-2024-21893) relates to SAML, an authentication and authorisation protocol used in the Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA products. These products function by having full access to everything, and then gating users on/off for that access.

    Now, zero days happen, and will continue to happen. The combination of complex software and the high effort expended to find them makes that nearly impossible to resolve by itself. But there are strategies (philosophies) which can de-risk. The primary strategy is Defense In Depth. In this mindset, instead of 1 big wall (the Maginot Line) that is the sole source of security, you instead think “they will get in; how to slow them, make them more observable, have fallback positions”. It’s not a new idea; the keep in a medieval castle has the same function.

    Defense in Depth requires observation points (so you can see it happening, tripwires if you will). It requires multiple points of enforcement in series, and it requires thinking of Authentication, Authorisation, Access as <User>-<Resource> rather than <User>-<Location>. In practice, it requires you to ditch the VPN as a means of providing layer-3 adjacency. The VPN, conceptually a long Ethernet cable, means that one breach and all are suspect, rather than one breach and one is suspect.

    Administrators are always going to have to hot-foot it around “patch the world” vs “downtime again”, and Defense In Depth gives you a bit more time. More time is less risk. It means that when the bad happens (and not if), the bad happens in a smaller blast radius. And this can be the difference between being in the news vs merely a bit tired from the sprint to finish patch, patch, patch.

    The architecture in a typical industrial control system is usually the Air Gap: 1 big wall, and inside no security to speak of. A world of telnet without passwords, of modbus with no particular security model. And, when the Air Gap is straddled by something like this Ivanti VPN, you find that suddenly, some internal segmentation and controls, as well as a more fine-grained Air Gap straddle, is a good thing.

    If you would like to discuss a finer-grained, more defense in depth, Zero Trust type approach as personified by Agilicus AnyX, well, contact me!

  • Inbound HMI: Cyber Army of Russia Targeting US water facilities

    Inbound HMI: Cyber Army of Russia Targeting US water facilities

    Hot on the heels of this CISA, FBI, EPA incident response warning, we have a video released showing some menacing music and some HMI manipulation for two US cities. The Cyber Army of Russia is targeting US water facilities. The HMI appears to be via VNC. The user changes all the set points, enables manual operation. You can almost hear the click of limit switches feeding safety PLCs as the pressure builds. Is this the equivalent of an Austrian archduke getting shot?

    CISA et al have some simple to read yet hard to implement common sense advice on the topic:

    1. Preparation: WWS Sector organizations should have an incident response plan in place, implement available services and resources to raise their cyber baseline, and engage with the WWS Sector cyber community.  
    2. Detection and analysis: Accurate and timely reporting and rapid collective analysis are essential to understand the full scope and impact of a cyber incident. The guidance provides information on validating an incident, reporting levels, and available technical analysis and support.   
    3. Containment, eradication, and recovery: While WWS Sector utilities are conducting their incident response plan, federal partners are focusing on coordinated messaging and information sharing, and remediation and mitigation assistance.  
    4. Post-incident activities. Evidence retention, using collected incident data, and lessons learned are the overarching elements for a proper analysis of both the incident and how responders handled it.  

    I have a simpler, more actionable item: Use Agilicus AnyX as a Zero Trust platform to put strong authentication with multi-factor in front of that VNC. No change in operations, but an improvement in cybersecurity and reduction in risk.

    Now that we have seen the scary video with the old school industrial interfaces, the call to action should be more actionable:

    1. No inbound open ports (nmap, shodan should show empty)
    2. All inbound connectivity should be per resource, not broader (no VPN)
    3. All inbound authentication should be per person, not broader (no shared accounts)
    4. Authorisation should be pairwise (person <-> resource)
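
Items 3 and 4 above are concrete enough to show as a policy decision. The following is an added example, neither Agilicus AnyX code nor part of the CISA guidance: a deny-by-default evaluator in which a request must carry an individual identity (shared accounts are refused) and is allowed only where an explicit, unexpired grant pairs that person with that one resource and action. A small `vpn_style_allows` function sits beside it to show the layer-3 model the post argues against, where being inside the tunnel’s address pool is the whole check. The grant list, the names, the resource URIs and the address pool are constructed sample data.

```python
"""Pairwise (person <-> resource) authorisation, deny by default.

Added example; it is neither Agilicus AnyX code nor part of the CISA
guidance. It models items 3 and 4 of the list above: a request must carry
an individual identity (shared accounts are refused) and is allowed only
where an explicit grant pairs that person with that one resource. The
contrasting `vpn_style_allows` shows the layer-3 model the post rejects.
Grants, names, resource URIs and the address pool are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str            # one named person, e.g. "alice@example.com"
    resource: str        # one resource, e.g. "vnc://lift-station-hmi"
    actions: frozenset   # what that person may do on that resource
    expires: datetime    # grants are time-bound, not permanent
    require_mfa: bool = True


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa_verified: bool   # asserted by the identity provider, not by the client
    now: datetime


def is_individual(user):
    """Constructed rule: an e-mail style principal is a person; bare names
    such as 'operator' or 'admin' are treated as shared accounts."""
    return "@" in user


def evaluate(req, grants, audit):
    """Return (allowed, reason). Nothing is allowed unless an unexpired grant
    pairs this person with this resource and covers the action; every
    decision, allow or deny, is appended to `audit`."""
    def decide(allowed, reason):
        audit.append({"user": req.user, "resource": req.resource,
                      "action": req.action, "allowed": allowed, "reason": reason})
        return allowed, reason

    if not is_individual(req.user):
        return decide(False, "shared or non-individual account")
    pair = [g for g in grants if g.user == req.user and g.resource == req.resource]
    if not pair:
        return decide(False, "no grant pairs this person with this resource")
    live = [g for g in pair if g.expires > req.now and req.action in g.actions]
    if not live:
        return decide(False, "no unexpired grant covers this action")
    if not req.mfa_verified and all(g.require_mfa for g in live):
        return decide(False, "multi-factor required")
    return decide(True, "explicit grant")


# The layer-3 alternative: a VPN address pool (constructed) that, once joined,
# reaches every resource. One compromised client implicates everything inside.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")


def vpn_style_allows(src_ip):
    """Location-based check: anyone holding a pool address gets everything."""
    return ipaddress.ip_address(src_ip) in VPN_POOL


# Constructed sample grants for one HMI.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
HMI = "vnc://lift-station-hmi"
GRANTS = (
    Grant("alice@example.com", HMI, frozenset({"view", "control"}), NOW + timedelta(hours=8)),
    Grant("bob@example.com", HMI, frozenset({"view"}), NOW + timedelta(hours=8)),
    Grant("carol@example.com", HMI, frozenset({"view", "control"}), NOW - timedelta(days=1)),
)


def demo():
    """Run a handful of requests against the sample grants; return the audit trail."""
    audit = []
    for user, action, mfa in (("alice@example.com", "control", True),
                              ("alice@example.com", "control", False),
                              ("bob@example.com", "control", True),
                              ("carol@example.com", "view", True),
                              ("operator", "view", True)):
        evaluate(Request(user, HMI, action, mfa, NOW), GRANTS, audit)
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the contrast is the blast radius: under `evaluate`, a stolen credential reaches exactly the resources and actions granted to that one person, and the audit trail names them; under `vpn_style_allows`, any client that reaches the pool reaches the HMI and every neighbour on the segment.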

    Would you like to learn more? Contact Agilicus to learn more, or Book a Meeting.

  • From Smoke Stacks to Smartscapes: Evolving Industrial Operations in the Digital Age

    From Smoke Stacks to Smartscapes: Evolving Industrial Operations in the Digital Age

    Introduction

    Industrial control systems are the beating heart and soul of today’s world. Traffic lights, building management systems, food production, agriculture, energy, manufacturing. The humble HMI, SCADA, PLC make the world go round. They will also be the reason the world stops going round in some dystopian cyber-warfare future. Easy come, easy go. Smoke Stacks to Smartscapes, we’ll evolve.

    Industrial control systems live and evolve as part of the broader processes they run. Old motors get new Variable Frequency Drives. Simple set-and-forget thermostats get PLCs bolted to the side for more fine-grained control. Walk up, inspect, monitor, write-down-on-clipboard systems get live real time measurements to big data for predictive maintenance. The static system of a whole, built and deployed once, has become a constantly evolving system, and, along with it, the risk surface has expanded dramatically.

    Most critical infrastructure systems have a simplistic security model: the air gap. Keep the bad out, so the inside can do its job untroubled by modern concepts like defence in depth or authentication (first-factor or second-factor). However, the relentless beat of progress demands greater output, greater efficiency, and with it, remote operations, remote data, turning the invincible air gap security model into the crumbly swiss cheese risk model.

    The ingredients of the problem are simple, fundamental:

    Do we have the false choice of “evolve or die” vs “evolve and die”?

    The Iron Horses of Industry


    Industry does not stop. Equipment is designed to stay in service without scheduled downtime. The factory you are in today has equipment installed many years ago that has been piecemeal updated, greased, serviced. It was never designed for “Microsoft Patch Tuesday” type outages, let alone ‘0 day’ vulnerabilities.

    Over the years, these steam engines became electric motors, mechanical timers became transistors, became PLCs. These digital bolt-ons were added on, rather than redesigned. Sensors were added, control systems to the sensors, and then remote monitoring followed by remote decision making.

    The analog manufacturing plant of the post-war era slowly and inexorably became a distributed control system supercomputer.

    The iron horse of industry has merged with the trojan horse of mythology, pulling IT technology in one piece at a time until the manufacturing floor resembles a data centre.

    Beyond Ownership: Subscription Service Revolution


    As the digital revolution has progressed, manufacturers have discovered their cost structure has changed. It’s no longer design once, build forever. Instead, there is a cloud service, developers, bandwidth costs, customer support. Faced with this, the business model shifted. Rather than sell and support, the manufacturers have shifted to subscription service. PLC as a service, HMI as a service, these are in our future.

    The benefits (decreased mean time to repair, predictive maintenance, just-in-time everything) all align with the general beat of the drum of increased efficiency. Change is not evil, just unpredictable.

    In turn, this has caused the plant operations to need to disrupt the holy of holies, the airgap. Create some cracks in it.

    Where once standards drove the world, we now face vendor lock-in on even simple things. And that vendor lock-in brings its own risks. Their operations become our operations, their shift in business direction becomes ours. Their staff work as an extension of ours.

    What was once a capex world of RFP->select->design->build->operate has become much more continuous. Today’s state of the art industrial control system is a continuous operation partnership with the owner, the operator, the designer, the builder, the manufacturer. The network must keep up.

    The Rise of the AI-Powered Factory Floor


    The industry of the future makes faster decisions based on larger data sets. Spreadsheets became Datawarehouse and Business Intelligence. Data warehouses now feed real time decision making with no human involved.

    In cyber physical systems driven by AI, faulty data can drive terrible outcomes. Temporary loss of connectivity becomes much more dangerous from a downtime, a cost standpoint.

    As the efficiency goes up, the risk goes up. A small error in predictive maintenance can mean damaged or destroyed machines. The “grease it weekly” of yore is now timed to the microsecond.

    AI and big data are not effective (either for cost or accuracy) as edge systems. They are tightly intermingled with the hyperscaler cloud systems.

    The air gap security that worked for the smoke stack era, that held on by sheer perspicacity and doggedness during the subscription service revolution, will be well and truly no longer effective in the AI-powered factory floor era of the future. Plant operations will need to deeply understand cybersecurity and risk in order to reap the rewards.

    Conclusion: Farewell, Airgap – Hello, Hyperconnected Zero Trust Future

    As the industrial control systems have evolved, so too has the ecosystem as a whole. The beloved (and believed) airgap, on life support through the subscription service era, must be replaced. The mindset of ‘outside bad, inside good’ must be replaced by defence-in-depth.

    Smoke stacks to smartscapes, the installations that evolve, the people that evolve, will remain, stronger, faster, better. The installations that fight the future will die. The air gap is not a sacred institution, it is an element of its time, a best practice of the past. Implement today a safe way to enable the subscription revolution, the big data, the AI, rather than delaying it.

    There is no singular tool or technology, no panacea, that will one-stop “fix it all”. Instead, the same dogged determination on goal, the same evolution, coupled with the key components of defence-in-depth and zero trust, will yield new solutions, stronger, better.

    Embrace the future because you are its past.

  • Off-Grid Agricultural Cyber Physical Systems

    Off-Grid Agricultural Cyber Physical Systems

    My favourite topics just merged. The “John Deere Business Model” of taking something traditional and making it subscription. Starlink and its complex remote access needs due to CGNAT. And cybersecurity, notably Cyber Physical Systems with their scary downsides of being able to move and cause damage. Yes, it’s a partnership with John Deere and Starlink enabling locked-down-no-maintenance-for-you tractors in off-grid areas to be self-driving and remotely controlled.

    Now, for those thinking, how bad can this really be? A few farmers with some slow diesel tractors, not my problem. But then you remember, you watched Maximum Overdrive, a fantastic movie starring the soundtrack of AC/DC. And this is now coming to life with this partnership.

    The world has gone AI crazy? Check
    Ubiquitous satellite connectivity mesh? Check
    Self-driving Cyber Physical Systems with moving teeth and high speed? Check

    If you think there’s an easy way of stopping a Caterpillar D11, you are wrong. Put that in some evil person remote control hand (and we’ve already seen the damage smaller dozers can do, e.g. the killdozer when a zoning dispute went wrong). I know Caterpillar is a different company than John Deere, but a 9RX 640 is not all that different conceptually in size, power, weight, attachments. And, the world is already seeing the damage drones can do in the Russian-Ukraine war, including remote-driven tanks.

    With that cheerful thought, I’ll leave you with a scene from Maximum Overdrive. Vroom Vroom.