Open Redirect Links Still Being Used in Phishing Campaigns; Singapore Expands Crowd-sourced Vulnerability Hunting Program; CISA Says Stop Using Single Factor Authentication

Make sure your email and endpoint protection services detect these links. Make sure the URL protection features are enabled. Note that while these tools rewrite URLs and some familiarization is needed, the current encoding used by open redirects which capture user trends and clicks is already heavily encoded making it impractical for a user to visually verify the target URL. Microsoft Defender for Office 365 is included with E5/G5 licensing and has these capabilities.

Lee Neely

Open Redirects used to be part of the OWASP Top 10 list of web application vulnerabilities. But while they no longer make the "Top 10", open redirects are common and often underestimated. Their use in phishing is pretty obvious, but in some cases, they can also be used to steal OAUTH credentials.

Johannes Ullrich

The Microsoft blog entry notes that “Today’s email threats rely on three things to be effective” but doesn’t list the most important enabling factor: the use of reusable passwords. Microsoft’s own research showed that 99.9% of phishing attacks would not have succeeded if simple text messaging as a second authentication factor was used. Another item in today’s NewsBites has US CISA finally putting single factor authentication in their Bad Practices list, along with using unpatchable software and default passwords.

John Pescatore

Singapore had already been running well-managed bug bounty programs for several years with very positive results. The key is “well-managed” – not just managing the submission review and payout process, but also having the processes and playbooks in place for quickly remediating the vulnerabilities discovered. The next step is using the data to change software development and IT operations practices that resulted in vulnerable applications.

John Pescatore

It's wonderful to see more public entities moving this way. So many, at present, don't even have clear points of contact for responsibly disclosing vulnerabilities found. Related: does your site have /.well-known/security.txt ?

Christopher Elgee

Read the restrictions carefully. The programs are seasonal, focusing on 10 critical and “high-profile” systems during each run. Also hackers must meet a set of criteria before being permitted to participate; these checks are performed by HackerOne which will also provide the VPN gateway needed to investigate the identified targets. Violation of the terms of service will result in that access being terminated.

Lee Neely

Single-factor authentication needs to be minimized and eliminated where possible. Prioritize your actions based on the criticality of both the system and data processed. Where it remains, long passphrases, ideally checked against breach data, need to be used. Gain user support by using solutions which allow for single sign-on which fail-over to multi-factor authentication when accessed from non-trusted. Require endpoints/trusted devices to use MFA. Some authenticators can be configured to require MFA when the system attempting to use SSO has been logged in using single-factor authentication. Read the CISA National Critical Functions (https://www.cisa.gov/national-critical-functions) if you’re wondering what NCFs are.

Lee Neely

Of the current three Bad Practices listed, two of them are password-related. For the past three years the VZ DBIR has identified passwords as one of the top two drivers of breaches globally (phishing is the other). I’m a huge fan and supporter of MFA. Interested to see if / what CISA adds to this list in the future.

Lance Spitzner

While this will not tell you if your user data was requested, it is interesting to see the groupings by request types. In the US, the top requests have shifted from search warrants, subpoenas and preservation requests to search warrants, preservation requests and subpoenas, indicating an uptick in investigative activities. Preservation requests hold information for future actions relating to active investigations until they can compel its legal release, and if the information is released it is reported in the other categories.

Lee Neely

Build it and they will come. The ability to ask for geofence warrants is too tempting to not use them. This may serve as warning what may happen with other surveillance features built into future devices.

Johannes Ullrich

The guidance is useful even if you’re not impacted by E.O. 14028. Make sure that you have your bases covered: needed events are logged, with a consistent and reliable time source, that access to read and update logs is appropriate, that they are retained and secured to facilitate analysis and response activities. Agencies are required to assess and report their maturity as defined in the memo within 60 days, reach EL1 maturity within one year, EL2 within eighteen months and EL3 within three years. NIST SP 800-92 will be updated to include the requirements from this memo.

Lee Neely

The UK’s National Cyber Security Centre (The NCSC) also has an excellent guide to help organisations tackle the challenge of monitoring their logs. Their Logging Made Easy (LME) guide is a great start for any organization. https://www.ncsc.gov.uk/blog-post/logging-made-easy

Brian Honan

These specific OpenSSL vulnerabilities are not severe enough to lose any sleep over. Also, any device using OpenSSL (which means at least all Linux/BSD based devices) are vulnerable. Similar updates are available for other devices.

Johannes Ullrich

NAS devices need to be carefully protected, not only as exploits continue to surface, but also as they are now being targeted by Ransomware such as eChoraix which is specifically targeting QNAP and Synology devices. Make sure that your NAS device is only accessible by authorized hosts, that default credentials have been changed, and that any unused or unexpected applications are uninstalled.

Lee Neely

NAS services and devices should not be connected to the public networks.

William Hugh Murray

ProxyToken is different from ProxyShell, so make sure you’re checking on the mitigations for the correct vulnerability. We can no longer afford to treat Exchange and MS Server patches as items that need careful regression testing; these are now addressing actively exploited vulnerabilities and need to be applied judiciously with minimal evaluation. Take a look at your email/productivity solution and assess the viability of a cloud alternative to lessen the burden of the current vulnerability/mitigation/update cycles. Where you have migrated, make sure that you decommission old services once new functionality is verified. Set limits to that verification window to minimize risks.

Lee Neely

Given that every halfway competent threat actor has been scanning for Exchange vulnerabilities this year, this vulnerability, while easily exploited, does not substantially alter the threat landscape. One possible issue may be that this vulnerability is used for more subtle but high impact configuration changes that are easily missed. For example, an attacker could configure forwarding email addresses.

Johannes Ullrich

Make sure to test your communication plan for an outage like this ahead of time. Also make sure that there are routes to your public affairs staff to respond to media and other enquiries that will function during an interruption. Train users and set expectations for response during an outage.

Lee Neely

The patch is targeted for September 15th. Given the plethora of weaknesses, take steps to isolate these devices only allowing communication with authorized devices. Monitor traffic for inappropriate connection attempts and don’t allow these to be directly reachable from the Internet; at a minimum, require a secure supported VPN for external access.

Lee Neely