SANS NewsBites

Danger from Stolen Microsoft Key May Be Wider Than Estimated; Patch Everything with an Apple Logo On It; Legacy Encryption Often is Weak

July 25, 2023  |  Volume XXV - Issue #58

Top of the News


2023-07-24

Purloined MSA Key Used to Breach Exchange and Outlook Accounts Has Larger Implications

Researchers from Wiz say that attackers in possession of the stolen Microsoft signing key that was used to create phony access tokens for Exchange Online and Outlook accounts could also have used it to create forged access tokens for other Microsoft cloud applications, including SharePoint, Teams, and OneDrive. Microsoft has revoked the key and published indicators of compromise.

Editor's Note

Still very little from Microsoft about what exactly happened to the key. A Microsoft spokesperson in a response to the article published by The Register stated that Wiz came to its conclusion without knowing the internals of Microsoft's Cloud environment. But the same statement did avoid calling any of Wiz's conclusions wrong.

Johannes Ullrich

Microsoft hasn’t replied officially to these new analyses showing broader impact of the incident, which increases the probability Microsoft will amend its earlier statements. If so, this is worth a “Key Management is Job 1” kind of company-wide edict coming from Microsoft’s CEO.

John Pescatore

The authentication tokens worked with OpenID 2.0 apps and those supporting "login with Microsoft." Regrettably, you probably won't have the log data you need to properly detect this sort of activity until September. Realistically, any sessions signed by that key will need to be re-established. The default for MS 365 is 14 days, so if you've not increased the interval, you're good. Spend the energy on ingesting and processing the new logs to discover what you may be missing.

Lee Neely

While most of the recent discussion has been on Microsoft up-charging for additional logging data and storage, the real question is how the evil-doer got access to the signing key in the first place. Wiz’s analysis doesn’t answer that question, but it does help in understanding the potential impact the use of that key has with other Microsoft applications.

Curtis Dukes

The important story of the compromise of this key has been obscured by the far less important story of the logs that led to the discovery of the compromise.

William Hugh Murray
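
The Wiz finding and Lee Neely's note above turn on the same verification step: a relying party has to decide which signing keys it accepts, and a key that has been withdrawn must fail that check even for tokens that are otherwise well-formed, correctly signed and unexpired, which is why sessions signed by the stolen key have to be re-established rather than simply aged out. The Python below is an added, constructed example and is not Microsoft's code or anything from the Wiz analysis; it stands in HMAC-SHA256 secrets for the RSA public keys a real identity provider publishes in its JWKS, and the issuer, audience, key ids, secrets and the 14-day maximum session age are assumed values chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trusted key set, indexed by key id ("kid"). A real identity
# provider publishes asymmetric (RSA/EC) public keys in a JWKS document;
# this example substitutes HMAC-SHA256 secrets so it runs on the standard
# library alone. The names and secrets below are made up for the example.
TRUSTED_KEYS = {
    "key-2023-current": b"constructed-secret-for-the-current-key",
    "key-2021-legacy": b"constructed-secret-for-the-withdrawn-key",
}

# Key ids the issuer has withdrawn. Anything signed by one of these is
# refused even if the token is well-formed, correctly signed and unexpired.
REVOKED_KIDS = {"key-2021-legacy"}

EXPECTED_ISSUER = "https://issuer.example"      # assumed value
EXPECTED_AUDIENCE = "https://mail.example/api"  # assumed value
MAX_SESSION_AGE = 14 * 24 * 3600                # 14 days, in seconds


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a compact JWS token (header.payload.signature). Only used to
    construct sample inputs; a verifier never mints tokens itself."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    head_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    The key id is checked against the revocation list and the trusted set
    before any signature is computed, so a token under a withdrawn key is
    refused regardless of what it claims.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(head_b64))
    kid = header.get("kid")
    if kid in REVOKED_KIDS:
        raise ValueError(f"signing key {kid!r} has been revoked")
    if kid not in TRUSTED_KEYS:
        raise ValueError(f"unknown signing key {kid!r}")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")

    expected = hmac.new(TRUSTED_KEYS[kid], f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now - claims.get("iat", 0) > MAX_SESSION_AGE:
        raise ValueError("session older than the maximum lifetime")
    return claims


def verdict(token: str, now=None) -> str:
    """Human-readable result for one token: 'accepted' or 'rejected: <why>'."""
    try:
        verify_token(token, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
              "iat": now - 60, "exp": now + 3600}
    print(verdict(mint_token("key-2023-current", TRUSTED_KEYS["key-2023-current"], claims), now))
    print(verdict(mint_token("key-2021-legacy", TRUSTED_KEYS["key-2021-legacy"], claims), now))
    stale = dict(claims, iat=now - 20 * 24 * 3600)
    print(verdict(mint_token("key-2023-current", TRUSTED_KEYS["key-2023-current"], stale), now))
```

Running the module prints the verdict for a current-key token, for a token under the withdrawn key (refused before its signature is even checked) and for a token whose session is older than the maximum lifetime. In production the trusted set comes from the provider's JWKS endpoint and the revocation list from its published indicators, and both have to be refreshed on a schedule rather than cached indefinitely, otherwise a revocation never reaches the verifier.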

2023-07-24

Apple Releases Updates for Multiple Products

On Monday, July 24, Apple released updates for tvOS, watchOS, and multiple versions of macOS, iPadOS, and iOS. The update includes a fix for the WebKit vulnerability addressed in a recent Rapid Security Response (RSR) update. The updates address a total of 46 CVEs; of those, six are rated critical.


2023-07-24

Backdoor in Code of Terrestrial Trunked Radio (TETRA) Standard

Security researchers from Midnight Blue in the Netherlands have found five vulnerabilities in the Terrestrial Trunked Radio (TETRA) standard used by law enforcement, emergency responders, and government agencies to communicate by voice and transmit data. The flaws in TETRA’s cryptographic algorithms have existed for years. The flaws could potentially be exploited to achieve “realtime decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning.”

The Rest of the Week's News


2023-07-21

Seven Tech Companies Have Agreed to White House’s Trustworthy AI Commitments

Seven technology companies – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – have voluntarily committed to the Biden administration’s trustworthy AI principles. The companies have committed to ensuring products are safe before bringing them to market, prioritizing security in the development process, and being clear about which content is in its original form and which has been altered by AI.

Editor's Note

A positive first step in the public-private partnership around AI. The biggest win is identifying original content or that which has been artificially created. The reality though is that these principles can be easily discarded as competition heats up globally.

Curtis Dukes

Like the efforts for security labelling, this should help our end-users, but we also need to be fully aware that other AI projects, such as WormGPT, are making no such commitment, and are focused on empowering cyber criminals.

Lee Neely

Phew, we can all relax now that big tech companies are going to self-regulate how they develop AI technologies. Sarcasm aside, it is good that the risks and issues are being identified, but sadly, with various industries in the past, we have seen that self-regulation only helps those doing the regulating.

Brian Honan

One can only wonder about IBM's absence from this discussion. The pioneer developers of Deep Blue and Watson, committed to "transparency and governance from the ground up" in AI, obviously have something to contribute.

William Hugh Murray

2023-07-24

Some Norwegian Government Ministries Suffer Cyberattack

Norwegian authorities are investigating a cyberattack that has affected multiple government ministries. The attack affected 12 Norwegian government ministries that use a particular IT platform. According to a press briefing, the attackers exploited a previously unknown vulnerability which has since been mitigated. The country’s Office of the Prime Minister as well as the Foreign Affairs, Defense, and Justice Ministries use a different platform and were not affected in this attack.


2023-07-24

Healthcare Sector Breach Costs Top the List in IBM’s Cost of a Data Breach Report 2023

According to IBM’s Cost of a Data Breach Report 2023, the average cost associated with a data breach in the healthcare sector was $11 million, up 10 percent over last year. The average cost of a data breach globally was $4.45 million. The report is based on data breaches reported by 553 organizations between March 2022 and March 2023.


2023-07-21

Tampa General Hospital Discloses Data Breach

Tampa (Florida) General Hospital (TGH) is notifying 1.2 million patients that their personal data were compromised in a cyber incident that occurred in May of this year. After detecting “unusual activity” on its systems, TGH launched an investigation that revealed the theft of files between May 12 and May 30. TGH says the incident did not affect its electronic health record system.


2023-07-24

Zenbleed Flaw Allows Data Theft from AMD CPUs

A vulnerability in AMD Ryzen and Epyc Zen 2 CPUs could be exploited to steal sensitive data at a rate of 30KB/sec per core. Dubbed Zenbleed, the flaw was discovered and reported to AMD in May by Google Project Zero’s Tavis Ormandy. AMD has provided firmware updates to address the vulnerability.


2023-07-21

Unpatched Zyxel Devices are Being Roped Into DDoS Botnets

In late April, Zyxel released a security advisory for a critical OS command injection vulnerability in its network devices and urged users to apply patches. Five weeks after the fixes were released, Shadowserver said that if devices had not been patched, users/owners should assume compromise. According to a recent report from Fortinet, unpatched Zyxel devices are being drawn into botnets used to launch distributed denial-of-service (DDoS) attacks. The vulnerability (CVE-2023-28771) was added to CISA’s Known Exploited Vulnerabilities catalog at the end of May.


2023-07-23

Recent Additions to CISA KEV Include ColdFusion and NetScaler Vulnerabilities

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added three security issues to its Known Exploited Vulnerabilities Catalog (KEV): a code injection vulnerability in Citrix NetScaler ADC and Gateway and two improper access control vulnerabilities in Adobe ColdFusion. Federal Civilian Executive Branch (FCEB) agencies have until August 9 to mitigate the Citrix vulnerability and until August 10 to mitigate the ColdFusion vulnerabilities.
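
The Zyxel item and this one are both KEV entries with a remediation deadline, so the standing task for a defender is to pull the catalog, join it against the vendors actually in use, and surface what is overdue or due within the next few days. The Python below is an added example of that triage, not CISA's tooling or anything from this newsletter; the embedded JSON is a constructed excerpt in the shape of CISA's feed (field names follow the published feed as the author of this example knows it), every date, product string and description is made up, and the ColdFusion entry carries a placeholder id because this issue does not name those CVEs.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow
# the published feed; every date, product string, description and the
# ColdFusion CVE id are placeholders made up for this example, not values
# copied from the catalog.
KEV_SAMPLE = """{
  "title": "constructed KEV excerpt",
  "vulnerabilities": [
    {"cveID": "CVE-2023-28771", "vendorProject": "Zyxel", "product": "Firewalls (constructed)",
     "vulnerabilityName": "OS Command Injection", "dateAdded": "2023-05-31",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-06-21"},
    {"cveID": "CVE-2023-3519", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "vulnerabilityName": "Code Injection", "dateAdded": "2023-07-19",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-08-09"},
    {"cveID": "CVE-PLACEHOLDER-COLDFUSION", "vendorProject": "Adobe", "product": "ColdFusion",
     "vulnerabilityName": "Improper Access Control", "dateAdded": "2023-07-20",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-08-10"}
  ]
}"""


def _as_date(value):
    """Accept a date or an ISO 8601 string (the feed uses YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(text: str) -> list:
    """Parse the feed text and return its 'vulnerabilities' array."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, today, window_days=7, vendors_in_use=None):
    """Classify each entry relative to `today` and sort by urgency.

    status is OVERDUE (due date passed), DUE_SOON (within window_days) or
    SCHEDULED. If vendors_in_use is given, entries for other vendors are
    dropped: that join against an asset inventory is what turns the
    catalog into an actionable list instead of a copy of the whole feed.
    """
    today = _as_date(today)
    rows = []
    for entry in entries:
        if vendors_in_use is not None and entry["vendorProject"] not in vendors_in_use:
            continue
        days_left = (_as_date(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= window_days:
            status = "DUE_SOON"
        else:
            status = "SCHEDULED"
        rows.append({"cveID": entry["cveID"], "vendor": entry["vendorProject"],
                     "product": entry["product"], "dueDate": entry["dueDate"],
                     "daysLeft": days_left, "status": status})
    rows.sort(key=lambda r: (r["daysLeft"], r["cveID"]))
    return rows


def newly_added(entries, since) -> list:
    """CVE ids added on or after `since`, oldest first: the daily diff to review."""
    since = _as_date(since)
    fresh = [e for e in entries if _as_date(e["dateAdded"]) >= since]
    fresh.sort(key=lambda e: (e["dateAdded"], e["cveID"]))
    return [e["cveID"] for e in fresh]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    print("added since 2023-07-17:", newly_added(kev, "2023-07-17"))
    for row in triage(kev, "2023-07-25", window_days=7, vendors_in_use={"Zyxel", "Citrix", "Adobe"}):
        print(f"{row['status']:<9} {row['cveID']:<28} {row['vendor']:<7} "
              f"due {row['dueDate']} ({row['daysLeft']:+d} days)")
```

Run against the real feed, the same two functions give a morning report: `newly_added` with yesterday's date is the set of entries to check against inventory, and `triage` with today's date and the vendors you run is the list to chase, with anything marked OVERDUE treated as the Shadowserver guidance above suggests, that is, as a device to assume compromised and investigate rather than merely patch.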

Internet Storm Center Tech Corner

Shodan's API for the (Recon) Win!

https://isc.sans.edu/diary/Shodans+API+For+The+Recon+Win/30050

Apple Updates

https://isc.sans.edu/diary/Apple+Updates+Everything+again/30062

https://support.apple.com/en-us/HT201222

Parsing Data with jq

https://isc.sans.edu/diary/JQ+Another+Tool+We+Thought+We+Knew/30060

TETRA Radio Backdoor

https://www.wired.com/story/tetra-radio-encryption-backdoor/

Stolen Microsoft Key May Have Opened Up a lot more than US Government E-Mail Inboxes

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

https://www.theregister.com/2023/07/21/microsoft_key_skeleton/

Okta Logs Decoded

https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/

Threat Actors Exploiting Citrix CVE-2023-3519

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a

https://github.com/securekomodo/citrixInspector