Dice Staff November 6, 2020
In the run-up to the 2020 U.S. elections, with reports of possible hacking and disinformation campaigns on everyone’s mind, it was easy to have missed a rare press release issued by the National Security Agency (NSA)—a part of the federal government not known for making significant public announcements.
On Oct. 20, the NSA published a list of 25 well-known vulnerabilities in various applications and IT systems that the agency’s analysts found are being actively exploited by several hacking groups with ties to the Chinese government, according to the alert. The list includes a well-known bug in VPN servers made by Pulse Secure, remote code execution flaws in Microsoft Windows, and a vulnerability in F5’s Big-IP traffic management user interface.
All of these vulnerabilities targeted by Chinese hackers are public, and most of the tech vendors have issued patches for the bugs, although customers have sometimes been lax in applying fixes for these products.
While it’s still unusual for the NSA to publicly list a series of vulnerabilities that are actively exploited by nation-state threat actors, the agency has been taking on a more public-facing role when it comes to cybersecurity. This includes alerts about a bug that its analysts found in Windows earlier this year, as well as publishing a security assessment of video conferencing and collaboration platforms just after the COVID-19 pandemic hit.
Other federal agencies are also following the same pattern of more public disclosures.
The U.S. Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security (DHS), has been increasingly issuing alerts for a wide range of vulnerabilities and threats to critical infrastructure, including elections. At the same time, U.S. Cyber Command has been more willing to issue alerts to the public.
It’s also not a trend particular to the U.S. In Britain, the National Cyber Security Centre, which is the public-facing arm of intelligence agency GCHQ, fills a similar role. The more public roles that these agencies are now taking on reflect a significant change in how government and private industry are approaching cybersecurity, experts said.
“The fact that these types of alerts are becoming public more often neither reflects an increased prevalence of attacks nor an increase in the ability of our government agencies to find them,” Oliver Tavakoli, CTO at security firm Vectra, told Dice. “Instead, this reflects the consensus among security practitioners that information sharing is key to achieving some level of herd immunity.”
One reason why U.S. government agencies have been more public in issuing alerts and guidance about cybersecurity issues can be traced to the creation of CISA in 2018. Its charter includes overseeing the nation’s critical infrastructure, which includes cyber, and the goal is to make the public more aware of the dangers that come with technology.
Since January 2019, CISA has issued a steady stream of public alerts and warnings about issues related to cybersecurity, including when federal agencies need to patch applications and systems after critical vulnerabilities have been disclosed.
“Government alerts are likely becoming more common due to joint efforts carried out by CISA and other government entities,” Kacey Clark, a threat researcher at security firm Digital Shadows, told Dice. “It’s also likely that advisories and warnings will become more frequent as we learn more about foreign and domestic cyber threats, their impact on private and public sectors, and defenses organizations can implement to thwart attacks.”
Joseph Carson, chief security scientist and advisory CISO at security firm Thycotic, noted that the CISA’s mandate to offer more advice and warnings about issues related to cybersecurity also comes at a time when organizations’ security and IT teams are realizing that their infrastructure is now being frequently targeted, whether it’s nation-state actors or ransomware cybercriminal gangs.
“Both the NSA and the CISA realize that, to protect the country and government from cyberattacks, they must also protect citizens from becoming victims of cyberattacks,” Carson said. “Everyone, including every company and every government, can easily become a victim of a cyberattack. No one is immune. While we do everything we can to protect ourselves, we are only as secure as the social sphere around us. That means a strong cybersecurity culture and society is our best way of becoming more cyber-resilient. The more the NSA and CISA proactively inform organizations and citizens to the current active threats, the more they can do to protect themselves.”
And CISA’s alerts have become timely over the past year. In early October, for example, the agency published a warning about sophisticated hacking groups chaining together several different kinds of vulnerabilities, including a recently discovered flaw in Windows called “Zerologon,” which can be used for a range of attacks.
Vectra’s Tavakoli noted that warnings such as these can make a big difference when it comes to protecting an organization’s infrastructure.
“While there are exceptional cases where attacks are entirely customized to a single target organization, most attacks involve the reuse of a large number of tools and techniques—for these, there is no real excuse not to have organizations broadly inoculated,” Tavakoli said. “Over time, these alerts have gone from being shared with a small number of organizations seen as potential targets to being more broadly disseminated. And, as a result, more of the alerts are now appearing in the public sphere.”
One reason why alerts such as those issued by CISA, NSA and U.S. Cyber Command are now critical, and why IT and security pros should heed their warnings, is that attackers are constantly changing their tactics and looking for new vulnerabilities.
“Raising awareness for organizations forces these attackers to continue evolving their tactics. While attackers are directly targeting these issues, many organizations likely have exposure well beyond this list,” said Jack Mannino, CEO at security firm nVisium.