SANS NewsBites

Do Guests Really Need Easy SMB Access? Multiple Azure Request Forgery Flaws Fixed; Find and Update All Instances of git, Not Just GitLab Version

January 20, 2023  |  Volume XXV - Issue #06

Top of the News


2023-01-17

Microsoft: SMB Insecure Guest Auth Off by Default in Windows Pro

Windows 11 Pro Insider builds now ship with SMB insecure guest authentication turned off by default. In a blog post, Microsoft’s Ned Pyle notes that “guest logons don't require passwords & don't support standard security features like signing and encryption.” The change is effective in Windows 11 Insider Preview Build 25276, which was released earlier this month.
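As an added check that is not part of the NewsBites item or Microsoft's post, the following PowerShell audits a host's SMB client for the insecure guest logon setting (the `EnableInsecureGuestLogons` property returned by `Get-SmbClientConfiguration`) and, with `-Remediate`, applies the same secure default on older Windows Pro builds. It assumes an elevated session on Windows 8/Server 2012 or later, where the SmbShare module is available; the function name `Test-SmbInsecureGuestAuth` is my own.

```powershell
# Added example; not from the newsletter or Microsoft.
# Reports whether the SMB client allows insecure guest logons (no password,
# no signing, no encryption) and optionally disables them.
function Test-SmbInsecureGuestAuth {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Current SMB client settings for this host (requires the SmbShare module).
    $cfg = Get-SmbClientConfiguration

    $result = [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        InsecureGuestLogonsEnabled = $cfg.EnableInsecureGuestLogons
        SigningRequired            = $cfg.RequireSecuritySignature
        Remediated                 = $false
    }

    if ($cfg.EnableInsecureGuestLogons) {
        Write-Warning "Insecure guest logons are ENABLED on $($env:COMPUTERNAME): SMB shares can be mounted as guest without a password, signing or encryption."
        if ($Remediate) {
            # Equivalent to the 'Enable insecure guest logons' policy set to Disabled
            # (HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\AllowInsecureGuestAuth = 0).
            Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
            $result.Remediated = $true
        }
    }

    return $result
}

# Audit only (safe to run anywhere):
Test-SmbInsecureGuestAuth

# Audit and enforce the new default (elevated session required):
# Test-SmbInsecureGuestAuth -Remediate
```

Run the audit-only form across a fleet with your management tooling first, since a workstation that legitimately depends on a guest-only share will lose that mount once the setting is disabled.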

Editor's Note

I’m going to skew *really* old here: before we had houses, we had caves, which mostly had only one way in and out. Perimeter security was pretty straightforward. Operating systems in general and certainly Windows in particular started out essentially like fields, not caves – everything could walk, slither or fly in and out as the default. Even though this change is not a big deal, it’s always good to see Windows being more cave-like than field-like. In real businesses, as long as we don’t send paychecks to customers and products to employees, perimeters exist (albeit more complex than caves…) and will need to be defended.

John Pescatore

This is a move in the right direction; shares should only be enabled with a defined process, ideally never from a workstation, beyond what is required for management. Guest logins should only be enabled with deliberate care and forethought. Better still, use cloud-based file sharing services, which have many options, including self-registration, logging, and centralized management.

Lee Neely

SMB is a network file sharing protocol that cybercriminals can leverage as part of a ‘living off the land’ attack. For years, standard cybersecurity best practice guidance has been to disable guest accounts. By turning it off by default for Windows Pro editions, Microsoft removes one additional configuration change that end users have to make – a good thing!

Curtis Dukes

2023-01-19

Ermetic Researchers Find Cross-site Request Forgery Flaw in Azure Cloud Services

Researchers from Ermetic have detailed their findings of a cross-site request forgery vulnerability affecting Azure cloud services. The flaw, dubbed EmojiDeploy, can be exploited to achieve remote code execution. The vulnerabilities are due to a series of misconfigurations and bypasses in the Kudu back-end source control management tool. Microsoft was alerted to the issues in October 2022 and addressed them in early December.

Editor's Note

This item, and the similar Server-side Request Forgery vulnerability found by Orca in Azure, point out 3 key issues: (1) Cross-site Request Forgery was on the OWASP Top 10 for many years, and Server-Side Request Forgery is on the list for 2022. I’d like to hear some lessons learned from Microsoft about why these were in Azure code when so many tools find them easily. (2) Azure was patched when the patches were ready – Microsoft did not have to wait until the monthly Vulnerability Tuesday. (3) We still see external parties (good guys with responsibly disclosed vulnerabilities and bad guys exploiting zero days) being credited on the majority of patches that come out in Windows. This all adds up to: faster patching is still important, and the monthly patch cycle is like using a 4800 baud modem for IT ops hygiene when the bad guys are on gigabit connections.

John Pescatore

2023-01-18

GitLab Releases Address Critical Security Issues

GitLab maintainers have released versions 15.7.5, 15.6.6, and 15.5.9 of GitLab Community Edition (CE) and Enterprise Edition (EE) to address critical vulnerabilities in the underlying git source code version control system. The vulnerabilities – a parsing integer overflow issue and a heap overflow issue – can be exploited to achieve remote code execution.

Editor's Note

GitLab addresses some vulnerabilities that were found in the open source tool "git" as part of a recent code audit. Aside from GitLab, you should watch out for updates to git from various vendors. Many developers will also install various versions of "git" independently. Unix-based operating systems like macOS often include git, but may have other versions installed as well by development tools.

Johannes Ullrich

My experience is folks running their GitLab services are all over keeping them updated, but it doesn’t hurt to verify. Also make sure that your scanning software is checking for versions of GitLab/Atlassian and similar tools. If you don’t have visibility to their security bulletins, sign up on the announcement page.

Lee Neely

The Rest of the Week's News


2023-01-19

T-Mobile Discloses Breach in SEC Filing Document

In a Form 8-K filing with the US Securities and Exchange Commission (SEC), T-Mobile disclosed a breach that affects 37 million customer accounts. The attacker was able to gain access to the information through an Application Programming Interface (API). The intruder first gained access to the data in late November 2022; T-Mobile learned of the breach on January 5, 2023.

Editor's Note

This is T-Mobile's 8th breach in less than 5 years. Everybody gets breached at some point. But if you get breached 8 times, it may be time to not just look at technology but the overall culture and management of your security organization.

Johannes Ullrich

While T-Mobile’s statement downplays the sensitivity of information obtained, characterizing it as marketing information, the information included name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. Take appropriate steps to watch for your information being misused, not just credit monitoring, but also very targeted social engineering.

Lee Neely

APIs are prevalent in today’s modern mobile and web applications and consequently are one of the most frequent attack vectors used by cybercriminals. The Open Web Application Security Project (OWASP) regularly publishes the ten most critical security concerns for web application security. Organizations that provide mobile and web services should become familiar with OWASP and implement the security recommendations provided as part of their software development process.

Curtis Dukes

2023-01-17

Orca Researchers Find Server-side Request Forgery Issues in Azure Cloud Services

Researchers from Orca detected server-side request forgery issues that affect four Azure services: Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins. Microsoft has addressed the problems.


2023-01-17

Health Sector Breaches

Health sector breaches recently reported to the US Department of Health and Human Services (HHS) include a network disruption affecting more than 250,000 patients at Bay Bridge Administrators, a network intrusion affecting more than 60,000 patients at Circles of Care Providers, and a data exposure affecting more than 35,000 patients at the Elizabeth Hospice.

Editor's Note

If you’re in the health care sector, don’t expect the volume of attacks to drop anytime soon. The challenge here is that while the third-party provider notified of the breach within 60 days after confirmation/validation, HIPAA actually wants notification “even if it is initially unclear whether the incident constitutes a breach as defined in the rule.” Have a conversation with your third-party providers to understand how they interpret this language, so you know what to expect. You may want to include your legal counsel in the conversation for peace of mind.

Lee Neely

An interesting interpretation of the HIPAA requirement to inform patients within 60 days of possible data exposure. Yes, organizations should be afforded some time to investigate a cyber breach but allowing that amount of time before notification is concerning. Simply put, victims should have been notified faster. Perhaps Congress will take on this reporting requirement ambiguity as they look at potential cybersecurity mandates for health systems.

Curtis Dukes

2023-01-18

Flaws in Historian Servers Put OT Systems at Risk

Vulnerabilities in historian database servers raise concerns as they can provide a connection between an organization’s IT and OT networks. Researchers at Claroty have detailed their findings about a set of vulnerabilities in the GE Proficy Historian. The report notes that “these critical databases not only store data collected from industrial control systems, but they also extend to the corporate network by sharing information with enterprise resource planning systems and analytics platforms."

Editor's Note

There are business and operational reasons for an organization to connect its IT and OT networks. That said, once connected, it does provide a pathway for remote access to vulnerable OT systems. You can count on the adversary finding the connection once they have initial access. Proper planning and active monitoring of these connections should be a high priority for IT and security staff and a feature of regular reporting to executive leadership.

Curtis Dukes

2023-01-19

Canadian Liquor Seller’s Website Hit with Cyberattacks

Canadian liquor retailer LCBO recently disclosed that its website had been infected with malware that attempted to steal customer data. Further investigation by Recorded Future revealed that LCBO suffered two payment skimming cyberattacks over the past month.


2023-01-19

Royal Mail Still Working to Recover from Cyberattack

Royal Mail, which suffered a ransomware attack earlier this month, is slowly recovering from the incident. Initially, the attack disrupted the UK postal service company’s operations, rendering it unable to ship overseas. Earlier this week, Royal Mail said that it has “resumed the export of letters which do not require a customs declaration to all international destinations,” but asks that customers refrain from sending new parcels.

Editor's Note

Bravo to Royal Mail for implementing “Operational Workarounds,” indicating they are not paying the ransom but rather recovering their systems per their DR plan. The UK seems to be under a wave of increased ransomware attacks; this is a good time to make sure that your operations over there are prepared.

Lee Neely

In the face of our continued failure to resist extortion attacks, our backup and recovery procedures must enable us to recover entire mission critical applications in hours to days rather than simply a few files. It may be necessary to recover entire subnets in days.

William Hugh Murray

2023-01-19

Cisco Releases Updates to Address Unified Communications Manager SQL Injection Flaw

Cisco has released updates to fix an improper user input validation vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability could be exploited to conduct an SQL injection attack.

Editor's Note

While Cisco is not aware of this being exploited in the wild, it’s a good time to gather all the updates they released this month and get them deployed, starting with anything which is directly Internet accessible. While you’re at it, make sure that you are able to detect (and ideally block) attempted exploits of these vulnerabilities.

Lee Neely

We continue to name vulnerabilities by the method of exploiting them rather than the development and coding practices and quality control failures that lead to them. It should not surprise us that the vulnerabilities persist and recur.

William Hugh Murray

Internet Storm Center Tech Corner

SPF and DMARC use on 100k most popular domains

https://isc.sans.edu/diary/SPF+and+DMARC+use+on+100k+most+popular+domains/29452


Malicious Google Ads for Fake Notepad++ Lead to Aurora Stealer

https://isc.sans.edu/diary/Malicious+Google+Ad+Fake+Notepad+Page+Aurora+Stealer+malware/29448


Finding that one GPO setting in a pool of hundreds of GPOs

https://isc.sans.edu/diary/Finding+that+one+GPO+Setting+in+a+Pool+of+Hundreds+of+GPOs/29442


Netcomm Router Vulnerabilities

https://kb.cert.org/vuls/id/986018


Microsoft Pushes Outdated Office Install Check

https://www.bleepingcomputer.com/news/microsoft/microsoft-pushes-kb5021751-to-check-for-outdated-office-installs/


Oracle Critical Patch Update

https://www.oracle.com/security-alerts/cpujan2023.html


Qt QML Vulnerability

https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buffer-overflow-vulnerabilities-found-in-qt-qml/


Sysmon Exploit Released CVE-2022-41120, CVE-2022-44704

https://github.com/Wh04m1001/SysmonEoP


ManageEngine CVE-2022-47966 Technical Deep Dive

https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/


sudo sudoedit vulnerability

https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf


Git Code Audit

https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/


Azure SSRF Flaws

https://orca.security/resources/blog/ssrf-vulnerabilities-in-four-azure-services/


SMB Insecure Guest Auth Off By Default In Windows 11 Pro

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-insecure-guest-auth-now-off-by-default-in-windows-insider/ba-p/3715014


Packet Tuesday: IPv6 Router Advertisements

https://www.youtube.com/watch?v=uRWpB_lYIZ8