Microsoft Allowed Malicious Drivers To Be Signed As Legitimate, Prioritize This Month’s Patches; Patch Everything With An Apple Logo On It; Expect to Receive Phishing Email Pretending to Be From FBI InfraGard

Microsoft notes that their investigation “…revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.” I’d like to hear what Microsoft will do to improve the certification of Microsoft Software “Partners” just as we’ve seen Apple and Google have to improve the processes for developers to get apps through their app store mechanisms.

John Pescatore

It appears these drivers were used after compromising a system for post-exploitation activities, most likely tied to the Cuba Ransomware campaign (which has no known connection to the republic of Cuba). Applying this month's updates, and Microsoft revoking the certificates associated with these developers, which should prevent execution of the drivers, are two steps needed to prevent these attacks. You still need to use strong authentication, offline backups, segmentation and keep things updated. Read the CISA bulletin for IOCs, TTPs and added mitigations.

Lee Neely

There has been a marked increase in reported supply chain attacks in the last couple years. In this case the malicious signed drivers can enable privilege escalation and ability to move across the victim’s network. Although the user is dependent on MSFT to correct deficiencies in its signed driver program, they can still protect themselves by limiting an attacker’s ability to gain initial access to their network. Users should revisit their configuration and patch management processes.

Curtis Dukes

Is it necessary to remind people that certificates are public information about key pairs, are not sensitive, and cannot be used to create other certificates and are cryptographically bound to the software for which they vouch? It is the private half of the key-pair that can be used to create certificates, is sensitive, must be kept secret.

William Hugh Murray

As usual, Apple updated "everything." There is a lot of overlap between Apple's operating systems. In addition to fixing vulnerabilities, Apple added the ability to enable encryption for many iCloud resources, most notably backups. Carefully read the instructions as you enable these features. Once enabled, Apple by design is no longer able to recover your data in case you lose access to your iCloud account.

Johannes Ullrich

This was a busy week for Apple, releasing updates for macOS 11, 12 and 13, Safari 16.2, watchOS 9.2. A couple of weeks ago Apple quietly dropped iOS 16.1.2 and a critical fix to iOS 16.2 beta to address a zero-day: these fixes are included in 16.2 if you didn't get 16.1.2 deployed. iOS and iPadOS 16.2 allow for more uses of end-to-end encryption with iCloud storage. Push out the updates to iOS/iPadOS quickly so you can have bandwidth for your regression testing for macOS/Safari. The iOS 15 updates work for devices back to the iPhone 6s; these are six- to seven-year-old devices you really need to replace.

Lee Neely

Two shortfalls enabled the access to be granted. First, the impersonated executive's identity wasn't sufficiently verified, second, the MFA options were leveraged to allow a second factor that hacker controlled. (Email in this case.) Both of these processes were implemented with what was deemed as an acceptable level of risk. The identity information was correct, and likely validated via on-line services, much like loan applications, and having multiple MFA options reduces account lockout scenarios. The attack risks/threats were likely very different when these decisions were made. When engineering services similar to this, keep an eye on threats and trends, revisiting your decisions and updating controls as the threat environment changes.

Lee Neely

The fact that individuals’ data is for sale on a cybercrime forum is not the worrying aspect of this story, after all our data is being bought and sold constantly. The concern is that criminals now have details of those people who are involved in a trusted network and can exploit that to scam or exploit the inherent trust relationships people may have in that network. It is always useful therefore to remind staff, particularly senior staff, to be always mindful of communications they receive from others.

Brian Honan

OK, NewsBites readers: warn yourselves you are likely to see really well-crafted phishing attacks from members of your InfraGard chapter…

John Pescatore

The release onto the cybercrime forum was to be expected. On the surface, the material is of limited value as it is publicly findable. However, given the amount of material, its value to a buyer is the reduction in time to create cyber target packages.

Curtis Dukes

Many of those in the population were trusted by most other members; the essential purpose of the association is to create a level of trust. That trust is diminished by this publication. Furthermore, the association of name, e-mail and enterprise is sensitive and may be used to dupe other members of the enterprise in social engineering attacks. While I am in that database, I am not associated with any enterprise. The site is not responsive, so I cannot check my profile, but I do not think there is any information in it that is not available on LinkedIn.

William Hugh Murray

Note that this will be the last (or next to last) patch Tuesday for Window 8.1. In case you still have any 8.1 systems hanging around in your network, try to have them upgraded to Windows 10/11.

Johannes Ullrich

I have to remind myself that SmartScreen is the service that detects a document is from the Internet and disables features until the user indicates it's secure, so kind of a big deal. Add that to CVE-2022-41076 - a PowerShell remote code execution flaw, I'm clicking install right now, but wait there is more - there is a spoofing bug in Outlook, which could allow an attacker to appear as a trusted user, so your attached word docs are trusted when they should not be. The holiday season makes it tough to get good regression testing, and often people are out with systems shutdown, so be prepared to do a cleanup sweep in January if your patching system won't automatically catch systems up when brought back online.

Lee Neely

I’m going to arbitrarily mark 1992 and the release of Windows 3.1 as the start of Windows vulnerabilities being remotely exploited. It took Microsoft until 2003 (11 years) to move to regular monthly patching with the now almost 20-year-old “Vulnerability Tuesday” approach. It is long past time for the monthly approach to go away and more frequent and more transparent patch pushing to be the norm. I’d like to see Microsoft make a major announcement about that happening before Vulnerability Tuesday leaves its teenage years…

John Pescatore

This impacts the 12.1 and 13.0 versions (including FIPS and NDcPP builds) where you've configured an IDP or SAML authentication - which most of us are using for centralized authentication. While you can apply updates to these versions, the better fix is to go to 13.1 which is not affected. Even if you don't have the SAML/IDP configuration today, apply the update so you're ready when and if you do. While you're at it, review the instructions for setting up auditing of unauthorized activity, make sure you didn't miss any tricks.

Lee Neely

From an actual risk perspective, wouldn’t it be more worrisome if the headlines said, “Grade School Kids Exploiting Citrix Vulnerability”? What I’d really like to see is a headline like “Grade School Kids Already Patched Their School’s Citrix Server.”

John Pescatore

You can be certain that if Chinese APT groups are exploiting these vulnerabilities, criminal gangs and ransomware groups won’t be far behind. So please don’t think that “we are not a target for an APT group” is a reason not to address this vulnerability.

Brian Honan

In essence, VLANs/SDN for 5G. (And so much more.) The biggest identified risks are DOS, MITM and configuration attacks. So, controls need to be there, only allow the devices/services intended, and not leak data. If you've ever configured devices or offices connected by cellular service, this virtualization raises the bar on isolating your traffic, with increased bandwidth, with flexibility and affordability we never saw with leased lines. If you're going down this path, ask your provider how they are responding to the identified risks and how they verify they are mitigated.

Lee Neely

Every shared media network technology (including satellite and fiber) has had this same sort of vulnerability, where isolation was in the specifications but the early implementations, not so much. State actors used to find and exploit these vulnerabilities for long periods of time, so it is good to see NSA putting a warning out vs. hoarding the information. But, this is not just a 5G issue, which seems to have been politicized. Make sure any plans to reduce communications costs include validated security in the evaluation process.

John Pescatore

This is mischaracterized as a threat; threats have both sources and rates, not potential. Rather it is a risk. Slices are analogous to connections in POTS and VPNs in the Internet. Those who set up and rely upon these routes should exercise due caution.

William Hugh Murray

Have you had a recent conversation about what DDoS mitigations are in place? Cloud, CDN, ISP, on-premise systems all have capabilities: make sure they are all enabled. When getting push-back, make sure it's based on current information, many services have evolved in the last year or so, so you may need to update your evaluation/opinion.

Lee Neely

You should have processes in place locally to ensure you're not sharing secrets, and the GitHub process will merely have your back. Don't miss that 2FA will also be required for all users next year.

Lee Neely

Kudos to GitHub for enabling this free service. Frankly, all Cloud Service Providers should enable a similar free scanning service for all of their customers. The cost to the company is miniscule, the value to the customer is immense.

Curtis Dukes

For those in the federal space, you now have targets for rolling out the updates we've been talking about. And yes, those dates are challenging with the holidays. The attackers are counting on us being distracted or not present so they can more easily exploit targets during this time of year, so we need to plan accordingly. Fingers crossed you can get things rolled out in the next week, to include any tune-up to your monitoring and alerting systems so you can give your staff time off.

Lee Neely

Common mechanisms that can be used to exploit the vulnerability are SMB, HTTP, and RDP. While you're no longer exposing SMB and RDP to the Internet, you are likely exposing HTTP. Don't panic: make sure the September update was rolled out to those servers. Microsoft included the update in the monthly rollup for their OSes, as well as their security specific update patch set.

Lee Neely