Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On February 29th, the Cybersecurity and Infrastructure Security Agency (CISA) issued two separate advisories related to malicious behavior exhibited by threat actors. The first advisory AA24-060A pertains to Phobos Ransomware and the second advisory AA24-060B pertains to the exploitation of vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.

As of August 2023, only 3 out of 23 US government agencies were compliant with Office of Management and Budget (OMB) requirements for log management and security observability. These requirements are outlined in M-21-31, a 2021 memorandum that was issued following Executive Order 14028 on improving national cybersecurity. Until all of these agencies implement the new requirements, the federal government’s ability to fully detect, investigate, and remediate cybersecurity threats will be constrained.

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation. After all, a mining company has the same attributes that make it as interesting as any other target: proprietary data and customer information, and it must stay in operation. All of which an attacker can exploit for financial gain.

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia: To be inclusive of all audiences here, in software security we’ve got sources (typically user input) and sinks – where that input (the data) ends up. In order to overflow something (e.g. an integer overflow) we clearly need some way to be able to do that (think pouring water from a kettle into a cup), and that’s the source (us using the kettle) to overflow the cup.