SANS NewsBites

Carefully Test and Apply Intel Critical Patches; Google to Release Chrome Patches Weekly: Push Other Vendors to Follow; NIST Releases Updated Cybersecurity Framework

August 11, 2023  |  Volume XXV - Issue #63

Top of the News


2023-08-10

Intel Patch Release for August 2023

On Tuesday, August 8, Intel published 46 security advisories covering roughly 80 vulnerabilities in its software and firmware. Eighteen are rated high severity and could be exploited for privilege escalation or denial of service (DoS). Among the vulnerabilities addressed is Downfall (Gather Data Sampling, CVE-2022-40982), a transient-execution side channel in the AVX gather instructions that lets a local attacker read data belonging to other processes running on the same physical core; the fix is a microcode update.

Editor's Note

Downfall is another case of the CPU predictively using cached data (Gather) to speed processing, not unlike Spectre/Meltdown. Downfall affects as many as seven generations of Intel CPU/chipsets. The micro patch that addresses the vulnerability can cause as much as a 50% slowdown; you are going to want to regression test fully before deploying.

Lee Neely

2023-08-10

Google Will Now Release Chrome Security Updates Every Week

Google is now shipping Stable channel Chrome security updates weekly to shrink the “patch gap”: the window between a fix landing in the open-source Chromium repository, where anyone, including attackers, can see it, and that fix reaching users on the Stable channel. Previously, Stable security updates shipped every other week, so a fix could be public for up to two weeks before it was deployed. The weekly cadence begins with Chrome 116.


2023-08-10

NIST Releases New Draft of Cybersecurity Framework

The US National Institute of Standards and Technology (NIST) is seeking feedback on the newest draft of its Cybersecurity Framework, CSF 2.0. NIST would like to know “whether this draft revision addresses organizations’ current and anticipated future cybersecurity challenges, is aligned with leading practices and guidance resources, and reflects comments received so far.” The updated document also adds a Core Function to its Framework Core: Govern now joins Identify, Protect, Detect, Respond, and Recover.

The Rest of the Week's News


2023-08-09

UK Electoral Commission Discloses 2021 Cyberattack

This week, the UK Electoral Commission disclosed that its network suffered a “complex cyber-attack” beginning in August 2021; the Commission did not identify the intrusion until October 2022. The intruders had access to Electoral Commission servers holding email, control systems, and copies of the electoral registers. It has been suggested that the intruders gained access by exploiting the ProxyNotShell vulnerabilities in Microsoft Exchange Server, but ProxyNotShell was not publicly disclosed until September 2022 and not patched until November 2022, more than a year after the intrusion began, and the Commission has not confirmed the initial access vector.

Editor's Note

A Time to Detect of 14 months for a critical national system is a huge failure in security operations. The Commission states they have taken needed mitigation steps (such as “We have strengthened our network login requirements…”) and improved monitoring – perhaps that explains why disclosure took 10 months.

John Pescatore

This was an attack on election support systems, rather than devices at polling places, which included information about voters and their choices for opting out of data sharing. The nine-month delay of public notice from the Election Commission hints they don’t have good data to fully determine the extent of the breach. Make sure that your team has sufficient information, not only about what sort of data is on which systems, but also that forensic data is being forwarded and available for analysis, to include both system and application logs.

Lee Neely

Three things are bothersome about this data breach: 1) 14 months for the UK Election Commission to determine they had suffered a cyber incident; 2) nine months for the UK Election Commission to notify residents of the loss of PII; and 3) the e-mail server was exploited 12 months before the critical ProxyNotShell vulnerability was publicly announced; is this patient zero? None of these numbers inspire confidence in the Election Commission’s ability to protect UK citizen data.

Curtis Dukes
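The editors above ask whether the right logs were being kept and analysed. As an added example, not part of the NewsBites item or the Commission's own investigation, the script below runs the ProxyNotShell hunting pattern that Microsoft published for Exchange IIS logs (an autodiscover.json request whose query string carries an `@` and reaches the `/powershell` backend) over a constructed W3C log excerpt. The hostnames, IP addresses and log lines are all made up for the example; the field layout is the standard IIS W3C format with a `#Fields:` header.

```python
"""Hunt for ProxyNotShell-style requests in IIS W3C logs from an Exchange server.

The signal is an autodiscover.json request whose query string carries an '@'
(the path-confusion trick) and targets the /powershell backend; a 200 means
the request got through rather than being rejected at the front end.
"""
import re
from typing import Iterator

# Constructed sample log, not data from the Electoral Commission or any real host.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-14 03:12:07 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-14 03:12:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/powershell 443 - 203.0.113.7 python-requests/2.25 401
2021-08-14 03:12:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.7 python-requests/2.25 200
2021-08-14 03:13:30 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 CORP\\alice 192.0.2.10 Microsoft+Office/16.0 200
"""

PROXYNOTSHELL_STEM = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
PROXYNOTSHELL_QUERY = re.compile(r"@.*powershell", re.IGNORECASE)


def parse_iis_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, using the #Fields: header for column names."""
    fields: list = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header-less or malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, values))


def hunt_proxynotshell(text: str, successful_only: bool = True) -> list:
    """Return requests matching the ProxyNotShell path-confusion pattern.

    With successful_only=True only sc-status 200 is reported (the request reached
    the backend); with False, blocked probes (401 and other 4xx) are included too.
    """
    hits = []
    for req in parse_iis_w3c(text):
        if not PROXYNOTSHELL_STEM.search(req.get("cs-uri-stem", "")):
            continue
        if not PROXYNOTSHELL_QUERY.search(req.get("cs-uri-query", "")):
            continue
        if successful_only and req.get("sc-status") != "200":
            continue
        hits.append({k: req[k] for k in ("date", "time", "c-ip", "cs-method",
                                         "cs-uri-query", "sc-status")})
    return hits


if __name__ == "__main__":
    # Include the failed probe as well: a 401 followed by a 200 from the same
    # client is the sequence you want a timeline to show.
    for hit in hunt_proxynotshell(SAMPLE_IIS_LOG, successful_only=False):
        print(hit)
```

Run it against real logs with `hunt_proxynotshell(Path(logfile).read_text())`. Note that IIS logs on the Exchange server itself are exactly the evidence an intruder can truncate, so a 14-month dwell time is only detectable this way if the logs were forwarded off the host before the intruders got to them.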

2023-08-09

Microsoft Patch Tuesday August 2023

On Tuesday, August 8, Microsoft released security updates to address nearly 90 security issues in multiple products. Six of the flaws are rated critical; two are being actively exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) has added one of those issues, the Microsoft .NET Core and Visual Studio Denial of Service Vulnerability (CVE-2023-38180), to its Known Exploited Vulnerabilities catalog; Federal Civilian Executive Branch (FCEB) agencies have until August 30 to mitigate the issue.


2023-08-10

New York State Now Has a Cyber Security Strategy

New York Governor Kathy Hochul has introduced the state’s first cybersecurity strategy. She writes that, “This strategy unifies New York State’s cybersecurity services, functions, and operations … [and] provides a framework for aligning the actions and resources of both public and private New York stakeholders.” The strategy has four parts: a description of cyber threats; NY’s approach to managing these threats by being unified, resilient, and prepared; identification of critical stakeholders; and a description of the strategy’s five strategic pillars: Operate, Collaborate, Regulate, Communicate, and Grow.


2023-08-09

Phishing as a Service Platform Shut Down

An international law enforcement effort led by Interpol has taken down a phishing-as-a-service (PaaS) platform that is believed to have compromised more than 70,000 users in 43 countries. Authorities in Indonesia have arrested two individuals in connection with the scheme; a third individual was arrested in Japan.


2023-08-09

Black Hat: DARPA Announces AI Cyber Challenge

Earlier this month at Black Hat USA 2023, the US Defense Advanced Research Projects Agency (DARPA) announced the AI Cyber Challenge (AIxCC), “a two-year competition aimed at driving innovation at the nexus of AI and cybersecurity to create a new generation of cybersecurity tools.” The competition has both a funded track and an open track. Proposals for the funded track are due next month; open track registration begins this fall.


2023-08-09

AMD CPU Side-Channel Attack

Researchers at ETH Zürich’s Department of Information Technology and Electrical Engineering (D-ITET) have disclosed Inception, a transient-execution side-channel attack affecting AMD processors that could lead to information disclosure. The attack combines “two phenomena that enable an unprivileged attacker to leak arbitrary information on all modern AMD CPUs: Phantom speculation and Training in Transient Execution.” AMD tracks the issue as CVE-2023-20569 and recommends a microcode or BIOS update for Zen 3 and Zen 4 processors; for Zen and Zen 2 it relies on existing operating-system mitigations.
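Both the Downfall item above (and Lee Neely’s advice to regression test before deploying the microcode) and this Inception item come down to the same operational question: is the mitigation actually active on a given host? As an added example that is not from the NewsBites text, the ETH Zürich researchers, or the vendors, the script below reads the Linux kernel’s per-issue status files under `/sys/devices/system/cpu/vulnerabilities/` (the kernel’s own names are `gather_data_sampling` for Downfall and `spec_rstack_overflow` for Inception) and classifies each status string. The `SAMPLE_STATUS` values are constructed for the example, not captured from a real machine.

```python
"""Check the kernel's view of the Downfall (GDS) and Inception (SRSO) mitigations.

Linux exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/.
Each holds a short status string such as "Not affected", "Mitigation: Microcode"
or "Vulnerable: No microcode"; classification is by prefix so it survives the
exact wording changing between kernel versions.
"""
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = {
    "gather_data_sampling": "Downfall (Intel GDS)",
    "spec_rstack_overflow": "Inception (AMD SRSO)",
}

# Constructed statuses standing in for a host that has the SRSO mitigation but
# has not yet received the Downfall microcode; not read from a real machine.
SAMPLE_STATUS = {
    "gather_data_sampling": "Vulnerable: No microcode",
    "spec_rstack_overflow": "Mitigation: safe RET",
}


def classify(status: str) -> str:
    """Map a sysfs status string onto one of four actionable states."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. "Unknown: Dependent on hypervisor status" inside a VM


def read_sysfs_status(names, root: Path = SYSFS_VULN_DIR) -> dict:
    """Read the listed files; an absent file means the kernel predates the check."""
    out = {}
    for name in names:
        try:
            out[name] = (root / name).read_text().strip()
        except OSError:
            out[name] = "Unknown: file not present (kernel too old for this check)"
    return out


def needs_action(statuses: dict) -> list:
    """Names whose state is not proven safe; 'unknown' is treated as needing action."""
    return [n for n, st in statuses.items() if classify(st) in ("vulnerable", "unknown")]


def report(statuses: dict) -> str:
    """One line per check: label, classification, raw kernel string."""
    lines = []
    for name, st in statuses.items():
        label = CHECKS.get(name, name)
        lines.append(f"{label:22s} {classify(st):13s} {st}")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs_status(CHECKS)  # real values when run on a Linux host
    print(report(live))
    print("needs action:", needs_action(live) or "none")
```

Run this before and after the microcode or BIOS update and again after your regression testing, because the Downfall mitigation can be turned off with the `gather_data_sampling=off` kernel parameter to recover performance, and a host that was “fixed” on paper may have been quietly switched back. Inside a virtual machine the gather_data_sampling file can legitimately read “Unknown: Dependent on hypervisor status”, which is why the script treats unknown as needing action rather than as safe.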


2023-08-09

SAP’s August Security Patch Day Updates Include Fix for Critical Flaw in PowerDesigner

On Tuesday, August 8, SAP released 16 security notes addressing vulnerabilities in multiple products. The most pressing is a critical (CVSS score 9.8) improper access control vulnerability in SAP PowerDesigner 16.7. The same security note also fixes an information disclosure vulnerability (CVSS score 5.3) in the same product.

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+August+2023+Patch+Tuesday/30106

Some things never change, such as SQL Authentication "Encryption"

https://isc.sans.edu/diary/Some+things+never+change+such+as+SQL+Authentication+encryption/30112

Defender Pretender: When Windows Defender Updates Become a Security Risk

https://www.blackhat.com/us-23/briefings/schedule/#defender-pretender-when-windows-defender-updates-become-a-security-risk-32706

Dell Compellent Hardcoded Key

https://www.dell.com/support/kbdoc/en-us/000216615/dsa-2023-282-security-update-for-dell-storage-integration-tools-for-vmware-dsitv-vulnerabilities

Vulnerabilities in Sogou Keyboard

https://citizenlab.ca/2023/08/vulnerabilities-in-sogou-keyboard-encryption/

Adobe Updates

https://helpx.adobe.com/security/security-bulletin.html

Tunnelcrack VPN Vulnerability

https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf

Mozilla VPN Vulnerability

https://www.openwall.com/lists/oss-security/2023/08/03/1

Non English Exchange Server Patch Issues

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/bc-p/3894481/highlight/true

VSCode Token Security

https://cycode.com/blog/exposing-vscode-secrets/

Weekly Updates for Google Chrome

https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html