SANS NewsBites

Actively Exploited MSHTML Flaw with Questionable Workaround; CrossAccount Cloud Vulnerabilities; White House Zero Trust Guidance Draft Docs; SEC Sanctions Firms Over Cybersecurity

September 10, 2021  |  Volume XXIII - Issue #71

Top of the News


2021-09-08

Zero-Day MSHTML Flaw in Microsoft Windows

A remote code execution vulnerability in MSHTML is being actively exploited in targeted attacks. MSHTML, also known as Trident, is the proprietary browser engine for the Windows version of Internet Explorer. Microsoft has not yet released a patch but has published mitigations for the vulnerability.

Editor's Note

For now, follow Microsoft's advice on how to disable ActiveX, but realize the mitigation may not be perfect. Microsoft's workaround prevents the installation of new ActiveX controls, but an attacker may be able to use existing controls. Similarly, the protected view warnings appear to be easily bypassed. Let's hope we will get a patch for this on Tuesday, but until then, the only thing we've got protecting us is vigilant users.

Johannes Ullrich

Trident is the embedded browser rendering HTML content within Office documents. By default, documents opened from the Internet are opened in protected mode or application guard and cannot execute the exploit. A user needs to be tricked into both opening the document and trusting it (disabling those protections); a key mitigation still requires user caution when opening Internet-provided documents. Microsoft’s Defender and Defender for Endpoint will detect and prevent this exploit. Verify your endpoint protection service does as well.

Lee Neely

Zero-days and breaches are inevitable. While prevention is a goal, detection and response is the reality. Focus on detecting things like Microsoft Word spawning other processes that are not normal.

Jorge Orchilles
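The detection Jorge Orchilles describes above, as an added example that is not part of the newsletter or any editor's own tooling: a small Python checker over constructed, Sysmon-style process-creation events that flags Office applications spawning children they do not normally start. The event field names, the Office parent set, and the allowlist of expected children are assumptions to be tuned to what you actually observe.

```python
"""Added example, not from SANS NewsBites: flag Office applications
spawning child processes that are not normal. The event shape,
parent set and allowlist below are assumptions, not vendor facts."""
import json
from typing import Dict, List

# Office parents worth watching (assumed set; extend for your environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office process may legitimately start, e.g. the 64-bit print
# helper (assumed allowlist; add only what you have verified as benign).
EXPECTED_CHILDREN = {"splwow64.exe"}
# Shells and script hosts: an Office parent starting one of these rates high.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample events, one JSON object per line, in a simplified
# Sysmon-style process-creation shape ("parent_image"/"image" are assumed names).
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"parent_image": OFFICE16 + r"\WINWORD.EXE", "image": r"C:\Windows\splwow64.exe"},
    {"parent_image": OFFICE16 + r"\WINWORD.EXE", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": OFFICE16 + r"\WINWORD.EXE"},
    {"parent_image": OFFICE16 + r"\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent_image": OFFICE16 + r"\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
)]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
        return "none"
    return "high" if child in HIGH_RISK_CHILDREN else "medium"

def find_office_spawns(lines: List[str]) -> List[Dict[str, str]]:
    """Parse JSON event lines and return those an analyst should review."""
    findings = []
    for line in lines:
        event = json.loads(line)
        severity = classify(event)
        if severity != "none":
            findings.append({"severity": severity, "parent": basename(event["parent_image"]),
                             "child": basename(event["image"]),
                             "command_line": event.get("command_line", "")})
    return findings

if __name__ == "__main__":
    for f in find_office_spawns(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['child']} {f['command_line']}")
```

Anything rated "medium" (an Office parent starting an unknown binary, like the Temp-directory executable in the sample) still deserves a look; the tiering only orders the queue.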

2021-09-07

ProtonMail Alters Privacy Policy After Disclosing Activist’s IP Address

Following the revelation that it disclosed the IP address of a French activist to Swiss authorities, ProtonMail has removed a clause in its service policy that had stated “by default, we do not keep any IP logs which can be linked to your anonymous email account.” That section of the policy now reads, “ProtonMail is email that respects privacy and puts people (not advertisers) first.”

Editor's Note

Note that ProtonMail and ProtonVPN are two products by the same company. They use different privacy/logging policies. For the VPN product, IP addresses are not logged. As an easy "workaround": Use ProtonVPN to connect to ProtonMail (or TOR if you want to stay more anonymous).

Johannes Ullrich

Review privacy claims carefully. Even with end-to-end encryption, consider that access logs are going to exist for some period, if for no other purpose than to support problem diagnosis and resolution. If you’re providing services aimed at protecting privacy, be clear about what is maintained and under what conditions it can be revealed. Expect increased use of anonymizing services such as Tor to further obfuscate users who truly wish not to be tracked.

Lee Neely

Most agreements with service providers include a provision that allows them to comply with any legal service – warrants, subpoenas, and national security letters – without notifying the subjects. The Google Transparency Report shows that such service is frequent, growing, and expensive to comply with. A small number of large firms have begun to charge for the cost of compliance. All should do so; the cost of such compliance should not be borne by the constituents of the service providers.

William Hugh Murray

2021-09-09

White House Zero Trust Strategy

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) have released draft documents on zero-trust strategy and technical details as part of the administration’s efforts to move the government toward zero-trust architecture. Both agencies are taking public comment.

Editor's Note

Getting to “Zero Trust” first requires reaching the essential security hygiene level, as captured by the CIS Critical Security controls. Only after that can the functions called out as “Zero Trust” be implemented. The CISA “Zero Trust Maturity Model” released for review points that out: “Moving to a ZTA is non-trivial… zero trust may require a change in an organization’s philosophy and culture around cybersecurity.”

John Pescatore

The comment period is open until October 1st. If you’ve got experience with Zero Trust, provide input so others can leverage your experience. One doesn’t just buy Zero Trust and click install. Foundational cyber security maturity must be in place to mitigate the risks of an anytime, any device, anyplace access model. DHS’s CDM project compels agencies to implement core critical controls to meet program requirements, e.g., hardware and software inventory of active devices, as well as configuration and vulnerability assessment status. These roadmap documents, when finalized, should be leveraged to plot the course between current state and Zero Trust. Be sure to include sufficient time and resources to implement identified shortcomings.

Lee Neely

I love the concept of “Zero Trust” but have a hard time seeing how most organizations can implement it. When you have the budget, technical know-how and leadership support like Microsoft and Google, then absolutely. But for the literally millions of companies that are still struggling with the basic concepts of knowing what assets they have, keeping those assets patched and the use of strong passwords - the concept of “Zero Trust” is a loooooong way off. To make “Zero Trust” truly global, we have to first make it truly simple.

Lance Spitzner

The expression "Zero Trust" got its currency as marketing hype, but the principles go back to the Orange Book. In those days we expected the principles to be the default. While I am a strong advocate for process-to-process isolation and strong process (to include users) to process authentication, both horizontally and vertically, I am not sure that the expression embraces all of that for many organizations. One hopes that CISA and OMB will embrace the Orange Book principles in their guidance. Otherwise, we may see a great deal of compliance that falls far short of the implied security.

William Hugh Murray

2021-08-31

SEC Sanctions Financial Services Firms Over Cybersecurity

The US Securities and Exchange Commission (SEC) has sanctioned three financial services companies for failing to implement adequate cybersecurity protections. In all three cases, threat actors gained access to customers’ personally identifiable information. All three companies have agreed to settle the charges, paying fines ranging from $200,000 to $300,000.

Editor's Note

The SEC fines are small, and SEC requirements for cybersecurity are not very onerous, especially when compared to the EU GDPR requirements and consequences. But, the enforcement and penalties do catch the attention of CFOs and Chief Legal Counsels – good allies to help drive change like movement to strong authentication, essential security hygiene and increased supply chain security.

John Pescatore

If you’re having trouble getting financial support for your Cyber initiatives, remember that your CFO and Corporate Lawyers pay attention to SEC sanctions/fines and other actions and can be leveraged to support initiatives to ensure data is protected, such as multi-factor authentication, encryption at rest, in use and in transit, and rights management.

Lee Neely

These nominal fines are imposed only after the damage has been done.

William Hugh Murray

The Rest of the Week's News


2021-09-09

FortiGate SSL-VPN Access Credentials Leaked Online

Fortinet has acknowledged that an attacker has leaked access credentials for 87,000 FortiGate SSL-VPN devices. The credentials were stolen through a vulnerability for which a fix has been available since May 2019. Systems that have since been patched are still not protected unless their passwords were also reset.

Editor's Note

These credential dumps have become rather common following the FortiGate vulnerability leaking user credentials. This latest leak has significant overlap with the prior leak, and I wouldn't worry too much about it. If you find an unpatched FortiGate appliance: Travel back in time to early 2019 and patch. Patching now is a nice thing to do but your credentials have been leaked, and attackers likely already used them.

Johannes Ullrich

You got the downtime, applied the FortiGate patch, verified it was in place. Did you remember to not just reset but change the passwords? Better still, switch to MFA so any compromised credentials are unusable. Make sure that you didn’t leave any reusable passwords behind, say for your Administrator or VIPs. System Administrators may be a harder sell than VIPs who usually want to be treated like everyone else.

Lee Neely

Enable multi-factor authentication everywhere. Where to start? VPN interfaces is a great start.

Jorge Orchilles

2021-09-09

Zoho Patches Critical Flaw

Zoho has patched a critical authentication bypass vulnerability in its ManageEngine ADSelfService Plus password management solution. The remote code execution issue affects REST API URLs. The flaw is being actively exploited.

Editor's Note

Yes, REST services need authentication too. It is sad how often we see these problems. I find developers sometimes get distracted by shiny tools and technology. It should be obvious that a system being used to manage enterprise-wide credentials needs special attention and should already be patched.

Johannes Ullrich

This most recent flaw in Zoho ManageEngine AdSelfService will be no surprise to administrators as this product has a history of significant vulnerabilities (9 CVEs with 4 critical vulnerabilities in 2021 to date). It's important to understand the operational costs for a product, particularly for those intended to save money by allowing users to self-service password management.

Joshua Wright

2021-09-09

Microsoft Fixes Azurescape Vulnerability

Microsoft has fixed a vulnerability in Azure Container Instances that could have let users access other users’ information. The vulnerability, “the first cross-account container takeover in the public cloud,” was discovered by researchers at Palo Alto Networks Unit 42. Microsoft has notified affected customers and urged them to “revoke any privileged credential that were deployed to the platform before August 31, 2021.”

Editor's Note

The Unit42 report, which explains how the exploits worked and shows how Microsoft responded to the issues as well as explains how controls failed, includes mitigations for your Kubernetes Environment. Irrespective of who is hosting it, start with the basics of keeping it patched and updated, do not send privileged access tokens anywhere but to the api-server as they can be used to masquerade as the token owner, and deploy policy enforcers to monitor and prevent suspicious activity.

Lee Neely

This account takeover vulnerability quickly follows the Azure Cosmos DB account takeover flaw from two weeks ago. Organizations should take note: security responsibility for vulnerability remediation does not end with the cloud provider when using PaaS services; you also need to revoke and reissue keys to mitigate the chance of successful attacks.

Joshua Wright

The Azure CrossAccount Container flaw is both fascinating and a bit unsurprising. Are we surprised that Microsoft, and probably many other vendors, are running a dated version of the software, runC in this case, in their environments? Doing ops is hard; keeping software patched is hard. The part that is novel here is that being on the container host meant being able to move laterally into other customer containers. The troubling part for defenders is the unknown. Did an attacker understand this flaw before the vendor disclosure? The current best architecture option you have is to reduce processing and storage on container workloads to the smallest amount of time. I would start looking back at “Shared Responsibility.” How can a vendor provide more telemetry to teams running workloads in this manner? After several flaws have been found in Windows Container workloads, Azure Container Service, and Azure Functions, it appears that people are smelling blood in the water.

Moses Frost

2021-09-09

New Zealand Banks, Post Offices, and Others Recover From DDoS Attacks

A series of distributed denial-of-service (DDoS) attacks have targeted banks, post offices, and other organizations in New Zealand. The attacks appear to be part of the same campaign that last week attacked Vocus, a major Internet service provider in New Zealand. All entities appear to have recovered from the attacks.

Editor's Note

Talk to your ISP about their DDoS protections. These attacks show that your idea of being a target and the attackers' idea are likely very different. Also, even if the attack is not targeting you, a significant attack could take out your ISP, which will ruin your day as well. Don’t forget to verify your outsourced and cloud services' DDoS protections. If your service (ISP, Cloud, etc.) is not providing protections, research alternatives and develop a contingency plan. It’s no longer viable to unplug the Internet and remain operational.

Lee Neely

2021-09-09

United Nations Acknowledges its Systems Were Breached

The United Nations has confirmed that its systems were breached in April of this year, and that additional attacks related to the breach “have been detected and are being responded to.” The initial intrusion was made through a compromised account on the UN’s Umoja proprietary project management software. The account did not have two-factor authentication enabled.

Internet Storm Center Tech Corner

ISC/DShield API Updates

https://isc.sans.edu/forums/diary/Updates+to+Our+DatafeedsAPI/27824/


"Stolen Images Evidence" Campaign Continues Pushing BazarLoader Malware

https://isc.sans.edu/forums/diary/Stolen+Images+Evidence+Campaign+Continues+Pushing+BazarLoader+Malware/27816/


Update on Windows MSHTML Vulnerability

https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-defenses-bypassed-as-new-info-emerges/


Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444


Protonmail Clarification on Releasing User's IP Address

https://protonmail.com/blog/climate-activist-arrest/

https://protonmail.com/privacy-policy


GitHub Actions check-spelling community workflow GITHUB_TOKEN leakage

https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md


Thycotic Secret Server Critical Update

https://docs.thycotic.com/ss/11.0.0/release-notes/ss-rn-11-0-000007.md


Zoho Vulnerability Exploited

https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html


WhatsApp End-to-End Encryption Questioned (but upheld)

https://twitter.com/evacide/status/1435288900587589632?s=20


PRIVATELOG and STASHLOG Malware Store Payload in Common Log File System (CLFS)

https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html