Microsoft and 23andMe Open Up about Breach with Different Takes on User Responsibility

The lack of MFA was obvious, even if not originally admitted by Microsoft. So, repeating part of my comment from the original news item: In Microsoft's recent “Secure Future Initiative” announcement, Microsoft President Brad Smith promised that “…over the next year we will enable customers with more secure default settings for multifactor authentication (MFA) out-of-the-box.” Replacing passwords with strong authentication has been done by many (though in this case, apparently not Microsoft) but needs the major IT platforms to make it easier to do and harder NOT to do. Additional lesson learned here: as an absolute minimum, require *all* privileged accounts to use phishing resistant authentication which means *denying* elevated privileges to all accounts relying on reusable passwords. And, remember your own policy probably already requires MFA for *all* remote access.

John Pescatore

First, this has several facets: password spraying as the initial compromise and persistence through OAuth applications. It's very nasty stuff for most students, I find. We discuss these attacks at length in the SEC588 class. The other component, the use of “residential proxy infrastructure,” was discussed a few years ago when Dr. Roberto Bamberger and I released a whitepaper at the Cloud Security Exchange for 2022. Get the whitepaper at the SANS Website. So, what can you do? First, turn on MFA, and use a powerful MFA like a Passkey or FIDO2 Token. Use a CASB or other product type to look at OAuth applications; finally, don’t allow your employees or non-admins to add OAuth applications. This is a nasty, hard-to-find hack from a state actor. Many people say Microsoft can do better, but this isn’t a 100-person company. This is a 250,000-person company with an extensive infrastructure. If they could solve it, we could move on and do other things.

Moses Frost

We have known for more than a decade, since the early DBIRs, the contribution of orphan systems to enterprise breaches and longer than that the contribution of reusable credentials. Microsoft is not alone among major enterprises that tolerate these risks. Do not be among them.

William Hugh Murray

If you build it, they will come. This motto applies to large collections of sensitive data and attackers. 23andMe attempts to deflect responsibility by stating that weak user credentials are to blame. But "brute forcing or other automated" attacks are part of the OWASP top 10 (A7), and for a site like 23andMe, dealing with highly sensitive health data, it is inexcusable to not prevent the exploitation of 1000s of accounts using these well-known techniques.

Johannes Ullrich

Five months to detect a breach that affected 50% of users is not ideal. Subsequently updating terms of service to prevent filing of class action lawsuits, even less so. Make sure that you're going beyond tabletop exercises to ensure that you can detect intrusions in a timely fashion. Make sure that you've got updated scenarios in your incident response plans that reflect your current architecture and services. Lastly, make sure key stakeholders are onboard, including legal, HR, C-Level and the board. You all need to be operating from the same sheet of music when it goes sideways.

Lee Neely

23andMe has become the poster child for why companies should enable MFA. It’s relatively simple to implement and raises the bar substantially in preventing credential theft. Companies no longer have an excuse for not implementing this valuable security control.

Curtis Dukes

Should not take months to detect brute force attacks. In today's threat environment, the objective should be to detect attacks in hours to days.

William Hugh Murray

I get it. It isn't easy to fix vulnerabilities in unmaintained legacy code. In particular if after acquiring a company like Pulse Secure, you prioritize short term financial gains, lay off many of the employees who may actually understand how the product works.

Johannes Ullrich

Ivanti is rightly not pushing out patches until they meet their quality standards. They hope to release updates next week. The rub comes from CISA's KEV deadline of 1/22 to either apply the patches or remove the software from government systems. In the interim, CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing mitigation.release.20240107.1.xml file via the Ivanti download portal.

Lee Neely

Rushing a patch for a critical vulnerability often leads to further security issues. In this case Ivanti wants to solve the underlying security issue once and for all. Until the patch is available for download, follow the previously published mitigation guidance.

Curtis Dukes

What makes this even more painful is that some schools that hired third-party companies to provide security services were themselves not secure and were themselves, subsequently compromised. This is a case where strong consideration should be given to leveraging free services, such as those offered by CISA, to help schools, already on tight budgets, assess their security posture, making tweaks to avoid a me-too scenario.

Lee Neely

The Medusa ransomware gang is taking credit for this attack and is posting data samples in an attempted extortion ploy. KCATA was sufficiently prepared to only have their call center offline, stating all services are operating, immediately providing alternate options for the affected call center. We've all been walking through what we'd do if we were in a similar situation, but have we had the time to see if we could actually pull it off? Have some serious chats with organizations you're counting on to bridge gaps or take up the slack. Make sure that your capacity and startup time assumptions are sound.

Lee Neely

5000 successful extortion attacks in 2023. Large increase year over year. Billions of dollars in lost productivity. While we see an increase in the use of vulnerabilities, over phishing, to establish the initial foothold, the failure to mandate the use of strong authentication internally and to structure our networks facilitates the necessary lateral movement in these attacks.

William Hugh Murray

Now we have multiple PoC exploits for the vulnerabilities, published in GitHub, most validated, which means that you need to assume compromise if haven't applied the updates or workaround. (Disable the CLI.) The Jenkins advisory below lays out all the detail. Packet Storm has published two POC scripts you can use to validate your environment; these are referenced in the NIST NVD details for CVE-2024-23897 linked below.

Lee Neely

This is a case of the Cactus ransomware gang, first observed in March 2023, which likes to gain access using purchased credentials, phishing, malware distribution and even just exploiting vulnerabilities. They are attempting to extort payment leveraging the terabytes of data exfiltrated from Schneider Electric. The exfiltrated data appears to be relating to their customer's power utilization, ICS and automation systems, and compliance with environment and energy regulations. Customers include Walmart, PepsiCo, Lexmark, PepsiCo, DuPont, Clorox and DHL.

Lee Neely

The suspect is scheduled to be tried as an adult in Florida where swatting is a felony. Lately, swatting attacks are on the rise, particularly directed at prominent politicians. As of May, the FBI launched a collaborative effort to thwart swatting nationwide, which has processed over 550 reports since its inception. Florida's senator Rick Scott introduced a bill that proposes a maximum penalty of up to 20 years for individuals convicted of swatting.

Lee Neely

VoIP has enabled criminals to perpetrate swatting attacks anywhere. VoIP is hard to trace but with the help of federal law enforcement, there are techniques than can be used.

Curtis Dukes

People are exploiting weaknesses in our E-911 system. They exploit the Disability Systems to do this, and they exploit our inherent trust. This is a hard one to solve so I expect major penalties to whoever they do catch.

Moses Frost

Philbert's attacks affected about 1,330, with losses of about $49,000, including $15,000 from a small family-run business that thought an employee may have stolen the money. The chilling part is each victim is considered as an opportunity for income, not the effect of the crime on their wellbeing or business. His lawyer proposed sentence was two years, minus a day, to be served out of jail; the judge disagreed, feeling the crimes warranted two years behind bars. Additional court sessions are scheduled in March to discuss restitution to his victims.

Lee Neely

Initially, Trickbot was used to capture banking credentials from PCs to siphon those fees to the gang. It evolved into an expandable ransomware-as-a-service that you could rent for your own nefarious purposes in exchange for a cut of the take. This gang is reported to have extorted at least $180 million from people and organizations worldwide. Trickbot was shut down in 2022, but many of its developers have moved to other criminal organizations, so expect variants in the future.

Lee Neely

With time served, he basically has three years left on his prison sentence. Doubtful this will deter cybercriminals from continuing ransomware attacks; but it is a win for law enforcement.

Curtis Dukes