SANS NewsBites

Make Sure Apple Devices are Patched Again; OMB Pushes Agencies to Improve Endpoint Security; Replace Your SSH Keys if Notified By GitHub

October 12, 2021  |  Volume XXIII - Issue #80

Top of the News


2021-10-11

Apple Updates iOS Again

Apple has released updates for iOS and iPadOS to address a flaw that is being actively exploited. The critical memory corruption vulnerability in IOMobileFramebuffer is fixed in iOS and iPadOS 15.0.2. The flaw can be exploited to execute commands with kernel privileges. iOS 15.0.2 also includes several bug fixes.

Editor's Note

A detailed analysis and a PoC have been published for this vulnerability. You should not delay applying this patch.

Johannes Ullrich

This is an emergency update to fix a zero-day (CVE-2021-30883). You’re going to want to push this out to your ADE devices now, and for non-managed devices – you know the drill. The update also includes watchOS 8.0.1, which only includes bug fixes for Apple Watch Series 3 devices; no CVEs are included.

Lee Neely

Apple's strategy of releasing updates versus issuing patches reduces the burden on end users. iOS users should consider setting “Automatic Updates” to “on.” Note that the updates often require 50% battery power or connection to external power such that “automatic” may be less than fully so.

William Hugh Murray

2021-10-11

OMB Memo Spells Out Steps for Endpoint Detection and Response

A memo from the White House Office of Management and Budget (OMB) directs federal agencies to provide the Cybersecurity and Infrastructure Security Agency (CISA) with access to their current endpoint detection and response (EDR) deployments within the next three months. The memo outlines other steps for agencies to take “to further the goal of centrally managing the information needed to support host-level visibility, attribution, and response with respect to agency information systems.”

Editor's Note

As much as I hate to say it, these “over the transom” mandates from OMB have pretty much been necessary to drive major progress in the protection levels of government systems and information. An important point here is that both the Executive Order and the latest OMB memo use the phrase “endpoint detection response” NOT as a product category but as a capability – which requires process and skills before implementing products. The Continuous Diagnostics and Mitigation (CDM) program has offered easy acquisition of the types of product needed – the people and skills to update processes and to effectively make use of such products are needed.

John Pescatore

Buying an EDR is very different than tuning an EDR. Every organization is different and will require people and process to continually tune and improve the technology as the threat landscape evolves. This is why it is so important to implement a program to test and measure your people, process, and technology to improve your detection and response. Purple teaming is one of the most efficient ways to do that.

Jorge Orchilles

The intent of centrally monitoring activities on federal networks, in real-time, with automated response capabilities, is a lofty goal, particularly for specialized systems such as HPC and OT/ICS systems. Agencies are going to be providing CISA access to existing EDR deployments within 90 days, while CISA develops their continuous monitoring and response plan and ultimately publishes a playbook for best practices. The memo does not indicate any funding sources for EDR; agencies may wish to leverage CDM efforts and resources to augment EDR capabilities.

Lee Neely

2021-10-11

GitHub Revokes Weak SSH Keys

GitHub has revoked weak SSH keys generated by GitKraken client versions 7.6.x, 7.7.x, and 8.0.0. The issue was due to a vulnerability in a GitKraken dependency. GitHub also revoked “other potentially weak keys created by other clients that may have used the same vulnerable dependency.”

Editor's Note

Nice work by GitHub (and GitKraken) responding to this. This issue isn't obvious to the user, but sadly similar problems have happened before. For developers: “Don't invent your own crypto” includes not inventing your own key generation.

Johannes Ullrich

Have you checked the strength of the SSH keys you generated lately? Are you still using those keys you generated ten years ago? Do you really know all the places you left the public and private keys? Maybe it’s time to create new ones. When you generate the new ones, make sure you’re using the larger key sizes, such as 4096 bit RSA or 521 bit ECDSA keys.

Lee Neely
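
As an added example (not code from the newsletter, GitHub or GitKraken), the Python below audits OpenSSH public-key lines against the sizes the note above recommends by parsing the base64 key blob in its RFC 4251 wire format. It only measures key size, so it cannot detect keys made with weak randomness like the revoked GitKraken keys; the sample key lines are constructed filler with realistic lengths, not real key pairs.

```python
import base64
import struct

def _read_string(blob, offset):
    """Decode one RFC 4251 length-prefixed string at offset; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def ssh_key_size(pubkey_line):
    """Return (key_type, bits) for one OpenSSH public-key or authorized_keys line."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields):            # skip any leading authorized_keys options
        if field.startswith(("ssh-", "ecdsa-")):
            key_type, blob = field, base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no SSH public key in line")
    _, off = _read_string(blob, 0)                # algorithm name, repeats key_type
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)          # public exponent (mpint)
        n, _ = _read_string(blob, off)            # modulus (mpint, may carry a leading 0x00)
        return key_type, int.from_bytes(n, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)        # curve name, e.g. b"nistp521"
        return key_type, int(curve.decode()[-3:])
    if key_type == "ssh-ed25519":
        return key_type, 256                      # fixed size; nothing to flag
    raise ValueError("unsupported key type " + key_type)

def is_weak(pubkey_line):
    """True when the key is below the sizes the note recommends (4096-bit RSA, P-521 ECDSA)."""
    key_type, bits = ssh_key_size(pubkey_line)
    if key_type == "ssh-rsa":
        return bits < 4096
    return key_type.startswith("ecdsa-") and bits < 521

def constructed_key_line(key_type, *parts, comment="constructed@example"):
    """Build a syntactically valid key line from constructed parameters (not a real key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(),) + parts)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)

# Constructed samples: modulus and point bytes are filler of the right length, not real keys.
WEAK_RSA = constructed_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc0" + b"\x11" * 255)
STRONG_RSA = constructed_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc0" + b"\x11" * 511)
WEAK_ECDSA = constructed_key_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x22" * 64)
```

For real key files, `ssh-keygen -l -f <file>` reports the same bit size; run `is_weak` over each line of an authorized_keys file to find keys to rotate.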

The Rest of the Week's News


2021-10-11

Password Spraying Attacks Targeting Office 365 Accounts

In a blog post, researchers from Microsoft Threat Intelligence Center (MSTIC) describe the activity of a hacking group that has been targeting Office 365 users with password spraying attacks. The hackers appear to have ties to Iran. Microsoft has been tracking what it has named the DEV-0343 cluster since July 2021. Targets include “US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” MSTIC notes that Office 365 accounts that use multi-factor authentication are more resilient against this type of attack.

Editor's Note

Using cloud services like Office 365 without MFA is negligent. Office 365 credentials are at the top of the list of phishing attacks, and you don't have to be a valuable/special target.

Johannes Ullrich

There are no more excuses for not turning on MFA for our userbases. A well-implemented MFA, such as in O365, does not pester users for new MFA codes every day, but instead is discretionary, meaning MFA is enforced when the user has changed significantly, or otherwise seems to be posing a risk. Turn on MFA now!

Chris Dale

You know I’m going to say it. Enable MFA for your Microsoft 365 accounts. Leverage conditional access to allow for SSO from trusted devices. Make sure you don’t disable MFA for VIP or System Admin accounts. Now review your settings for passwords. You really should be using long passphrases, checked against banned wordlists and data breach dumps. There are add-ins and/or services you can get to do this for you securely and transparently.

Lee Neely
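
As an added illustration (not Microsoft's detection logic), the Python below shows the shape a password spray leaves in failed sign-in records, which is what distinguishes it from a brute-force attempt on one account: a single source touching many accounts with only one or two guesses each, staying under lockout thresholds. The sign-in records and their field layout are constructed for the example, not the Office 365 log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed sign-ins (not real telemetry): (UTC time, source IP, target account).
FAILED_SIGNINS = [
    ("2021-10-11T08:00:01", "198.51.100.7", "alice@example.test"),
    ("2021-10-11T08:01:10", "198.51.100.7", "bob@example.test"),
    ("2021-10-11T08:02:15", "198.51.100.7", "carol@example.test"),
    ("2021-10-11T08:03:40", "198.51.100.7", "dave@example.test"),
    ("2021-10-11T08:05:02", "198.51.100.7", "erin@example.test"),
    ("2021-10-11T08:06:30", "198.51.100.7", "frank@example.test"),
    # Brute force against one account: many tries, one user; not a spray.
    *(("2021-10-11T08:%02d:00" % m, "203.0.113.9", "bob@example.test") for m in range(10, 18)),
    # One user mistyping a password twice from the office: benign.
    ("2021-10-11T09:00:00", "192.0.2.5", "alice@example.test"),
    ("2021-10-11T09:00:20", "192.0.2.5", "alice@example.test"),
]

def detect_password_spray(events, min_accounts=5, max_per_account=2,
                          window=timedelta(minutes=30)):
    """Return {source_ip: sorted accounts} for each source that, inside any sliding
    `window`, failed against at least `min_accounts` distinct accounts while making
    at most `max_per_account` attempts on each of them (the low-and-slow spray shape)."""
    recent = defaultdict(deque)              # source -> (time, account) pairs in the window
    alerts = {}
    for stamp, src, account in sorted(events):
        now = datetime.fromisoformat(stamp)
        q = recent[src]
        q.append((now, account))
        while now - q[0][0] > window:        # drop events that fell out of the window
            q.popleft()
        per_account = defaultdict(int)
        for _, acct in q:
            per_account[acct] += 1
        low_tries = [a for a, c in per_account.items() if c <= max_per_account]
        if len(low_tries) >= min_accounts:
            alerts[src] = sorted(low_tries)
    return alerts
```

Tune `min_accounts` and `window` to your tenant's size; the thresholds here are illustrative.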

2021-10-11

Updates Available for Improper Certificate Validation Flaw in LibreOffice, OpenOffice

An improper certificate validation vulnerability affecting LibreOffice and OpenOffice could be exploited by an attacker to manipulate documents so they appear to be signed by a trusted source. Fixes are available, but neither suite offers auto-updating. Users are encouraged to upgrade to LibreOffice 7.0.5 or 7.1.1 and later, and to OpenOffice 4.1.11 and later.

Editor's Note

OpenOffice and LibreOffice use digital signatures to help with the authenticity of macros, which is a good idea. The problem is that neither office suite features automatic updates, so you’re going to have to download and deploy the updated packages at least semi-manually. Alternatively, you can disable macros, or not trust documents containing macros.

Lee Neely

2021-10-11

US K-12 Cybersecurity Act Signed into Law

The US K-12 Cybersecurity Act was signed into law on October 8, 2021. The legislation calls for the Cybersecurity and Infrastructure Security Agency (CISA) to assess the cyber risks faced by K-12 school systems, develop recommendations for K-12 cybersecurity guidelines, and create an online toolkit that K-12 schools can use to implement those recommendations.

Editor's Note

When completed, CISA will be providing an online toolkit for schools to leverage so they can implement strategies and recommendations for increased cybersecurity. This should provide information needed to prioritize fixes and drive the budget/grant and other mechanisms needed to fund the improvements.

Lee Neely

Education and election systems in the US are driven and mostly funded by local governments and budgets. It would be good to see additional funding going to the Multi-State ISAC for specific efforts to add direct support to local school districts to provide the skills and resources that so many local school districts do not have to make progress in securing school operations, especially with the need for remote learning.

John Pescatore

Many school systems can pay extortion while rarely commanding the necessary special knowledge and skills to adequately secure their systems. Federal assistance should be welcome.

William Hugh Murray

2021-10-11

Fertility Clinic Says Data Stolen in Ransomware Attack

In a filing with the US Securities and Exchange Commission (SEC), Quest Diagnostics disclosed that an August ransomware attack against the ReproSource fertility clinic led to a data breach. Compromised data include both health and financial data. Quest owns the Massachusetts-based fertility clinic.

Editor's Note

We're entering a future where data is no longer private. Put it on the world-wide web and it is no longer yours; it will be leaked, and it will not remain a secret.

Chris Dale

ReproSource is providing credit and identity monitoring to affected patients but didn’t indicate how long that would be provided. Don’t wait for a breach; get your own identity and credit monitoring in place now where you can manage the duration of the coverage. Next, follow up on issues identified; don’t ignore the alerts.

Lee Neely

2021-10-11

Ukrainian Police Arrest Alleged DDoS-for-Hire Operator

Police in Ukraine have arrested an individual in connection with a DDoS-for-hire scheme. The individual controlled a botnet of 100,000 devices. The botnet was also used to conduct brute-force password attacks, send spam, and probe websites for exploitable vulnerabilities.

Editor's Note

Takedowns like this and last month’s takedown of the WireX Android botnet are a step in the right direction, but even so you cannot assume you’re covered. Talk to your service providers about DDoS protections to identify gaps, as well as understand what their protections actually do. Ask what trends they are seeing and how they are responding to them. Then look to either add solutions to fill those gaps, or have your board or senior management accept the risk of not addressing them.

Lee Neely

Internet Storm Center Tech Corner

Scanning for Previous Oracle WebLogic Vulnerabilities

https://isc.sans.edu/forums/diary/Scanning+for+Previous+Oracle+WebLogic+Vulnerabilities/27918/


Sorting Things Out - Sorting Data by IP Address

https://isc.sans.edu/forums/diary/Sorting+Things+Out+Sorting+Data+by+IP+Address/27916/

https://gitlab.com/slackermedia/bashcrawl


Non HTTP Requests Hitting Web Server

https://isc.sans.edu/forums/diary/Things+that+go+Bump+in+the+Night+Non+HTTP+Requests+Hitting+Web+Servers/27924/


Telegram Does Not Remove Auto-Deleted Messages from Cache

https://arstechnica.com/information-technology/2021/10/researcher-refuses-telegrams-bounty-award-discloses-auto-delete-bug/


Microsoft To Disable Excel 4.0 Macros By Default

https://twitter.com/GelosSnake/status/1446192775087722497

https://m365admin.handsontek.net/macro-settings-update-to-disable-excel-4-0-macros-by-default/


Apple Updates iOS/iPadOS to 15.0.2

https://saaramar.github.io/IOMFB_integer_overflow_poc/

https://support.apple.com/en-us/HT212846


Weak SSH Keys Used with GitKraken

https://github.blog/2021-10-11-github-security-update-revoking-weakly-generated-ssh-keys/


Let's Encrypt Outage

https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/6164b5af714e1f053880ba0c