SANS NewsBites

Backlash Causes IRS to Rethink Choice of Facial Recognition as Only Authentication Method; Microsoft Increases Safety by Blocking Internet Macros in Office by Default; FBI Publishes IoCs for LockBit 2.0 Ransomware

February 8, 2022  |  Volume XXIV - Issue #11

Top of the News


2022-02-07

IRS Will Stop Using ID.me Facial Recognition

The US Internal Revenue Service (IRS) will stop using face recognition technology from ID.me. The agency had begun introducing the authentication technology and had announced that users would be required to submit video selfies to the third-party company to access their online accounts. The plan to require the use of the technology was decried by privacy and civil liberties advocates, as well as by legislators.

Editor's Note

This is a great lesson for security practitioners in how you often have to balance the interests of different stakeholders. The IRS has a difficult job. It has been the target of massive fraud, and at the same time, needs to provide efficient access to tax data and filing resources. Most users will only connect with the IRS once a year, making some of the traditional authentication methods impractical. In addition, the filings often happen last minute. Now add a good amount of politics to a difficult technical problem. Solutions may include a government-wide identity management system (login.gov does attempt to provide that; not sure why this wasn't used here). Canada, for example, leverages financial institutions to identify individuals.

Johannes Ullrich

First, it is important to point out: years of sensitive information compromises have proven that no data is private when it is accessible by a reusable password. It is critical that sensitive citizen tax-related information (already being compromised for several years because of weak authentication) be given stronger protection – privacy is impossible without it. In my comment on the IRS announcement a few weeks ago I said, “The government needs to do strong vetting and testing of the ID.me service.” That, as well as exploring other alternatives, should have been done first, and data made available showing the protection provided to the authentication data.

John Pescatore

This is a great step in privacy and security, but it's important to note that others in government (such as the Department of Veterans Affairs) still use the same underlying service for identity. It would be nice to see a government clearinghouse for vetting the security of privacy invasive technologies and building implementation guidelines.

Jake Williams

There are two challenges. First, what strength of authentication is appropriate for your data? NIST 800-63-3 says you need MFA for accessing PII, which applies to the IRS. Second, what level of identity verification is necessary when issuing the authenticator? This is the problem the IRS was working to solve with the facial recognition. Services such as Login.gov are working to solve this problem, providing the appropriate level of authentication and identity assurance before issuing credentials, while allowing partnering agencies to have a single IDP for non-government users.

Lee Neely

The IRS is in a tough spot here. They are trying to do the right thing by stopping rampant identity fraud. In addition, I’m not sure that this should be the IRS’s problem to solve, as strong validation and authentication are needed by numerous government agencies, including SSA. It appears that this is the path the government is taking with login.gov, but perhaps the solution is not robust enough yet? Either way, this is a problem that needs to be solved, so it is good to see this being worked on.

Lance Spitzner

Many of the objections raised here are knee-jerk and not well considered. Unlike the password, even in the rare cases when an actual image is stored, as in the case of the facial image on a driver's license or passport, the utility does not rely upon secrecy. The world is awash with pictures of me, in both public and private databases. We have been using facial images for authentication purposes since the invention of photography. Computers have only recently become as good at reconciling them as toddlers.

William Hugh Murray

2022-02-08

Microsoft Will Block Internet Macros in Office By Default

Microsoft plans to block VBA macros from the Internet by default in certain Office apps. The decision was made because the macros were a popular vector for malware infection. The change will start in April and will affect Access, Excel, PowerPoint, Visio, and Word on Windows devices.

Editor's Note

This is a tremendously positive change that will roll out over time for Microsoft Office users. Change like this is not easy, and may break some functionality which a small number of users leverage in Microsoft Office. This is no small feat, and kudos to Microsoft and the team behind this change for prioritizing the security benefits this change introduces.

Joshua Wright

This is a welcome change. VBA macros remain an attack vector that works. This change makes these macros harder to enable: no more single-click activation; you will have to click “Learn More” and review the risk before an option to enable is offered. Organizations should have already enabled the “Block macros from running in Office files from the Internet” policy to prevent these macros today. Even so, you should, by default, not be enabling macros unless you really know where they are from, ideally requiring them to be digitally signed.

Lee Neely

This is a major win for all Microsoft Office users. The offensive community (as well as threat actors) have been leveraging macros to gain initial access for years. Kudos to everyone that has worked to highlight and resolve this issue.

Jorge Orchilles

2022-02-07

FBI Flash Alert Lists LockBit 2.0 Indicators of Compromise

The FBI has published a TLP: White Flash alert that lists indicators of compromise (IoCs) for LockBit 2.0 ransomware. The alert also includes technical details about the ransomware and recommended mitigations.

Editor's Note

Add these IoCs to your defenses and scan for any undiscovered activity. Review the mitigations and consider using execution allow/deny lists, particularly on servers, to prevent execution of unauthorized code. Doubly so on your domain controllers.

Lee Neely

LockBit is one of the most common ransomware variants we are seeing. This report provides procedure-level intelligence about adversary behaviors you should be able to detect and respond to. Keep in mind that ransomware is the “action on objectives” that causes the final impact. You will want to improve your ability to detect the intrusion before high privilege is already obtained to perform exfiltration and encryption.

Jorge Orchilles

The measures that one needs to take to resist breaches, including ransomware, are rarely specific to the methods used in the attack. These measures are efficient because they protect us from most attacks, both those that we anticipate and those that surprise us.

William Hugh Murray

The Rest of the Week's News


2022-02-07

Lessons Learned from Ireland’s Health Service Executive Breach

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center has released a publication enumerating lessons learned from the May 2021 cyberattack that affected Ireland’s Health Service Executive. That attack caused electronic health record (EHR) downtime, appointment cancellations, and data compromise.

Editor's Note

Slides 9 and 10 of the hhs.gov article highlight contributing factors to the attack's efficacy; chief among them were organizational control deficiencies. The victim lacked communications and incident response plans and had no single cybersecurity leader or oversight committee. While many of us nerdfolk like to focus on technologies, the expensive blinky boxes don't excuse us from having trained, empowered people and proven procedures.

Christopher Elgee

The more detailed HSE board report shows the attack starting with email phishing, leading to an employee clicking on a malicious Microsoft Excel file, which allowed the attackers to capture the user’s credentials, access the internal network, and game over. The report also notes that the HSE had high-risk gaps in “25 out of 28 of the cybersecurity controls that are most effective at detecting and preventing human operated ransomware attacks,” and that the board had been briefed on that in November 2020. It sounds like the majority of lessons to be learned are critical security hygiene at basic levels, though many other deficiencies were pointed out.

John Pescatore

The timeline is interesting, particularly the interval between malicious activity identification and infection. There were only four days, and the initial observation was on a DC, meaning other IoCs were likely missed. The lessons learned show the value of being prepared, from current system and application inventories to assessments and effective leadership. Are you truly prepared? Do the incident reporting numbers or emails go to live people? Are your backups immutable? Are your DR/COOP plans where you can get them, and up to date? Is your first anomalous activity detection point your servers? You don’t want your first alert to be the attackers owning your DC or other critical systems.

Lee Neely

A HUGE thank you to HSE for making this available to the public. Before people start attacking HSE for their mistakes, we should recognize them for the courage to share so others can learn and benefit. The last report I know of to go to this level of detail was the 2018 Equifax breach report. Interestingly, many of the same lessons learned are shared, with the biggest being the security culture and structure at the root of the problem.

Lance Spitzner

Lessons Learned is an important step in incident response and purple team exercises. Take advantage of the lessons others have learned to apply them in your organizations; there is always something to learn.

Jorge Orchilles

2022-02-07

CISA Tells Federal Agencies to Fix Windows Flaw by February 18

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch Agencies to patch a Windows privilege elevation vulnerability that is being actively exploited. The flaw affects all versions of Windows 10, and exploitation requires no user interaction. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities Catalog; agencies have until February 18 to apply updates.

Editor's Note

On the one hand, I really like Microsoft's consolidated monthly rollups for applying security patches. But when Microsoft releases updates causing significant issues (like happened in January 2022), systems administrators are left choosing between the potential for being exploited by a local privilege escalation flaw or sacrificing uptime and operational availability. Microsoft would do well to enable organizations to choose the patches appropriate to their org. While this might cause some issues when administrators only apply high severity patches, the net effect is likely to be better security, with CISA staying on top of these sorts of notifications.

Jake Williams

The fix is to apply the January 2022 update right away, as CVE-2022-21882, while not publicly disclosed, is being actively exploited. After the update, check for systems encountering AD Domain Trust errors; where found, apply the out-of-band .NET fix referenced above.

Lee Neely

2022-02-07

Dallas School District CISO Resigned After Cyber Incident

Two months after the August 2021 cyber security incident affecting the IT systems of the Dallas (Texas) Independent School District, the district’s CISO resigned, citing concerns that “the details of the breach will become public at some point, and Dallas ISD will lose credibility.” A local news outlet recently learned that the breach was the work of two district students.

Editor's Note

There's a hidden gem in this story that I'll be using with stakeholders for some time to come. In the interview, the school district superintendent says "We put in a lot of security measures that is very inconvenient for our staff, but it's very important because we need to protect the security of this information" - a comment that demonstrates a total lack of understanding about security. While it might seem to embrace security, it really highlights a culture antithetical to security. When we're talking about security vs usability in patient care, rock on. In primary education? Give me a break. It's not surprising the CISO resigned.

Jake Williams

The students were lucky no charges were filed; the school district was lucky this wasn’t the actions of malicious actors seeking to perform harm. The district was provided a report about cyber weaknesses which, when overlaid with the pandemic timing, makes a perfect storm of missed opportunities for improvement. Ask yourself what you would do. Make sure that reports of weaknesses, either from an official engagement or otherwise filed, are tracked, acknowledged, validated, and remediation actions taken. Have a communication and response plan. Leverage lessons learned and share them with peers; we all get “our turn in the barrel,” and it’s nice to know who can help you survive.

Lee Neely

Given the typical level of resourcing for cybersecurity in school districts, this shocks no one. For most, absent a major shift in IT architecture/defense, incidents like this fall into the motorcycle accident category: not "if" - but "when."

Christopher Elgee

What is interesting here is that it appears the CISO is resigning not due to the breach, but due to the way the breach notification was handled. Also, it was students who caused the breach. It appears the data was never publicly shared or sold, more along the lines of ‘grey hat hacking’. Students like these are at a vulnerable time where they are developing their skills faster than their ethics. This is where programs like Cyber Start can offer students the perfect environment to not only test and develop their skills, but also their career and schooling options.

Lance Spitzner

2022-02-07

Google Cloud Cryptojacking Scanner

Google Cloud is introducing a security feature that will help detect cryptojacking malware. The Virtual Machine Threat Detection is being previewed in the Google Cloud Security Command Center. Google’s November 2021 Threat Horizons Report found that 86 percent of compromised Google Cloud instances were used for cryptomining.

Editor's Note

Interesting approach, and surprising that this hasn't already happened. I hope other cloud providers will follow suit. The number one "IoC" of having your cloud resources compromised tends to be a billing alert triggered by cryptomining.

Johannes Ullrich

Lee Neely

Third-party notification of a breach continues to be a top identification method in the incident response process. Cryptominers are one of many payloads used to cause impact. This is a good step forward and other cloud providers should consider the same.

Jorge Orchilles

2022-02-07

Microsoft Out-of-Cycle Update for .NET Framework

Microsoft has released an out-of-cycle update to address vulnerabilities in its .NET Framework. In a blog post, Microsoft writes, “After installing updates released January 11, 2022 or later, apps using Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might fail, close, or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error.” The updates are not available through Windows Update and will not be automatically installed.

Editor's Note

If you are getting the errors relating to this flaw, you’re going to have to search the Microsoft Update Catalog for the KB article for the specific Windows and .NET versions running, then import the updates into your WSUS or Microsoft Endpoint Configuration Manager. Securing the system to the point where it cannot meet mission objectives isn’t the goal; expect IT staff to push for more regression testing if Microsoft continues to deliver flawed updates.

Lee Neely

2022-02-07

Path Traversal Flaw in Argo CD

Researchers from Apiiro have discovered a supply chain zero-day vulnerability in Argo CD. The open-source continuous delivery platform is used at thousands of organizations around the world. The vulnerability could be exploited to “read and exfiltrate secrets, tokens, and other sensitive information residing on other applications [and could allow] … privilege escalation, sensitive information disclosure, lateral movement attacks, and more.”

Editor's Note

At its core this is a path traversal problem. Code was added to Argo CD in 2019 to parse input to prevent that sort of attack. The problem is there were mistaken assumptions about where input was sanitized, negating the code which prevented the exploit. Essentially, when the input came from a file, the code to check the URI was skipped. There is no workaround; update to a fixed version.

Lee Neely
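The failure pattern described in the note above, a containment check that runs for one input source but is skipped for another, is worth seeing in code. The following is an added example and is not Argo CD's own code; it uses Python's pathlib and constructed sample inputs (the repository root `/srv/argo/repo` and the relative paths below are made up). The point it demonstrates is that the check lives at the point where the path is used, so it does not matter whether the string arrived via a URI parameter or a file.

```python
"""Path containment check applied at the point of use (added example, not Argo CD code)."""
from pathlib import Path
from typing import Dict, List, Tuple


def resolve_within(base_dir: str, untrusted_relpath: str) -> Path:
    """Join untrusted_relpath onto base_dir and verify the result stays inside base_dir.

    The check works on the normalised absolute path, so '..' segments and
    absolute paths are both caught. Raises ValueError if the path escapes.
    """
    base = Path(base_dir).resolve()
    # Joining an absolute path onto base replaces base entirely, and resolve()
    # collapses '..' segments; either way we end up with an absolute candidate
    # that can be compared against the base directory.
    candidate = (base / untrusted_relpath).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {untrusted_relpath!r}")
    return candidate


def collect_value_files(repo_root: str, sources: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Resolve every requested values file, whatever its origin.

    sources is a list of (origin, relpath) pairs; origin is a label such as
    'uri' or 'file' that is recorded for the audit trail only. It never decides
    whether the containment check runs, which is the mistake described above.
    """
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for origin, relpath in sources:
        try:
            resolved = resolve_within(repo_root, relpath)
            result["accepted"].append(f"{origin}: {resolved}")
        except ValueError as err:
            result["rejected"].append(f"{origin}: {err}")
    return result


# Constructed sample inputs (hypothetical repository layout, not real data).
REPO_ROOT = "/srv/argo/repo"
SAMPLE_SOURCES: List[Tuple[str, str]] = [
    ("uri", "charts/app/values.yaml"),                  # in-repo, accepted
    ("file", "charts/app/../app/values-prod.yaml"),     # normalises to in-repo, accepted
    ("uri", "../../other-app/values.yaml"),             # escapes via '..', rejected
    ("file", "../../other-app/secrets/values.yaml"),    # same escape from a file, rejected
    ("file", "/srv/argo/other-repo/values.yaml"),       # absolute path, rejected
]

if __name__ == "__main__":
    outcome = collect_value_files(REPO_ROOT, SAMPLE_SOURCES)
    for line in outcome["accepted"]:
        print("ACCEPT", line)
    for line in outcome["rejected"]:
        print("REJECT", line)
```

Running the script accepts the two in-repo paths and rejects the three that leave the repository root, with no difference between the `uri` and `file` origins. The design choice is that `resolve_within` is the only way to turn an untrusted string into a filesystem path, so there is no second code path where sanitisation can be assumed to have happened elsewhere.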

Internet Storm Center Tech Corner

Thermal Imaging of PoE Devices

https://isc.sans.edu/forums/diary/Power+over+Ethernet+and+Thermal+Imaging/28308/


web3 phishing via self-customizing landing pages

https://isc.sans.edu/forums/diary/web3+phishing+via+selfcustomizing+landing+pages/28312/


Intuit warns of new phishing scams

https://security.intuit.com/security-notices


Acronis True Image Update

https://security-advisory.acronis.com/updates/UPD-2201-f76f-838c


Argo CD Vulnerability

https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/

https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7


MSFT Blocking Office VBA Macros

https://www.theverge.com/2022/2/7/22922032/microsoft-block-office-vba-macros-default-change

https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805


Lockbit 2 IoCs

https://www.ic3.gov/Media/News/2022/220204.pdf