CISA Scolds Microsoft; Ivanti Promises to do Better; xz-utils Backdoor Open Source Community Response; Help Us Improve NewsBites

Share on X Share on linkedin Share on facebook

Jump to:

Top of the News
The Rest of the Week's News
Internet Storm Center Tech Corner
Sponsors
Read More

Top of the News

03 Apr 2024
CISAs Cyber Safety Review Board Report on 2023 Microsoft Exchange Online Intrusion
The US Cybersecurity and Infrastructure Security Agency's (CISAs) Cyber Safety Review Board (CSRB) has released a report on the Microsoft Exchange Online intrusion that occurred last summer. The threat actor accessed Microsoft Exchange mailboxes of high-level officials in the US government using authentication tokens that were signed by a key Microsoft had created in 2016. Microsoft does not know how the threat actor obtained the key. CSRB report finds that the intrusion was preventable, and concludes that Microsofts security culture was inadequate.
Editor's Notes
Slide 1 of 4

I think this quote from the CSRB report sums it up: Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management. During this review time frame Microsoft announced their Secure Future Initiative focusing on the required internal culture change is a pre-requisite for that being anything more than a marketing campaign.
John PescatoreDirector of Emerging Security Trends
Slide 2 of 4

Security culture (or lack thereof) was emphasized in the report at least 12 times. Security is no longer just a technical issue but a people and ultimately cultural issue. Kudos to Microsoft for being so open and cooperative with the CSRB in creating the report.
Lance SpitznerBoard of Directors
Slide 3 of 4

This was not a single event but a combination of events, from a compromised laptop in an acquired company which wasn't verified prior to connection to the corporate network to those old MFA tokens. Take the issues outlined in the report and see if you have any similar gaps. Don't omit culture from your consideration. Not just secure day one but remaining so always, with verification and incentives if possible.
Lee NeelyCommunity Instructor
Slide 4 of 4

This is an excellent report and I encourage you to read it. It highlights to me that Microsoft need to have another Bill Gates Trustworthy Computing moment but focused on Trustworthy Cloud Computing.
Brian HonanSANS NewsBites Editorial Board
Slide 1 of 0
Read more in
- Review of the Summer 2023 Microsoft Exchange Online Intrusion (PDF)
  CISA
- Cyber review board blames cascading Microsoft failures for Chinese hack
  Cyberscoop
- Microsoft's Security Chickens Have Come Home to Roost
  Security Week
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack
  Bleeping Computer
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online
  The Register
- Review board slams Microsoft's lax security practices and culture
  SC Magazine
- Microsoft blamed for a cascade of security failures in Exchange breach report
  Ars Technica
- DHS blames cascade of security failures at Microsoft for China hack on US
  The Record
04 Apr 2024
Ivanti Promises Security Culture Change and Releases Fixes for Four More Vulnerabilities
Ivanti has published a security advisory that includes fixes or four vulnerabilities in their Connect Secure and Policy Secure Gateways. The flaws CVSS scores range from 5.3 to 8.2. Over the past several months, Ivanti has been struggling with the fallout of government breaches related to their products. The company's CEO, Jeff Abbott, published an open letter promising a revamp of their core engineering, security and vulnerability management practice, and an emphasis on secure by design.
Editor's Notes
Slide 1 of 3

Another CEO admitting a need for a security culture change for focus on making sure their products are secure but this time from a security product vendor. To make sure these culture changes are more than just posters in the lunch room, any security vendor should show results of measurable progress, such as third-party security testing/review of all products. Here's an idea: no security product company should be allowed to use the terms AI or machine learning in their marketing/advertising unless they go at least 12 months without a vulnerability with a CVSS score above 7.
John PescatoreDirector of Emerging Security Trends
Slide 2 of 3

Real culture change takes time. Even so, kudos to Ivanti publicly stating they'll hit this head on. Which means you need to trust but verify when it comes to your Ivanti products.
Lee NeelyCommunity Instructor
Slide 3 of 3

An open letter is merely the first step in changing the culture to that of security accountability. Bill Gates did something similarly in 2012 that ushered in the era of trustworthy computing. What comes after the letter is what matters, and that takes leadership that doesn't prioritize revenue and valuation over basic software security.
Curtis DukesExecutive Vice President for Security Best Practices
Slide 1 of 0
Read more in
03 Apr 2024
More Details About the XZ Backdoor
An interview with Andres Freund, who discovered the backdoor; more information about the malicious code itself; and musing about the identity of the developer, Jia Tan, who contributed the malicious code.
Editor's Notes

As more details emerge on this near miss, it's clear this was a nation-state backed supply chain attack. Why so? The level of sophistication employed, the patience in building the supply chain attack, the use of cryptography to protect the exploit, the social engineering to include use of sock-puppet accounts. Lots of lessons learned here; many that are also applicable to commercial software configuration control processes.
Curtis DukesExecutive Vice President for Security Best Practices
Read more in
07 Apr 2024
Help Us Improve NewsBites
Please take 3 minutes to give us your suggestions.
Editor's Notes
Slide 1 of 0

The Rest of the Week's News

03 Apr 2024
Google is Prototyping Device Bound Session Credentials Feature in Chrome
By stealing authentication cookies, thieves can bypass multi-factor authentication and access accounts belonging to true owner of the cookies. Google is taking steps to make stolen cookies useless. A Chromium Blog post reads, we're prototyping a new web capability called Device Bound Session Credentials (DBSC) that will help keep users more secure against cookie theft. The project is being developed in the open at github.com/WICG/dbsc with the goal of becoming an open web standard.
Editor's Notes
Slide 1 of 3

This is an interesting feature that may help with one of the current, fundamental, web application security issues. While there are some "workarounds" that try to fix this issues, a standard approach will make implementation easier.
Dr. Johannes UllrichDean Of Research
Slide 2 of 3

Creating cookies and tokens which will only work on the device/browser they were created with seems like it'd already be a thing wouldn't it? While this won't change overnight, having Google behind this proposed standard should provide the needed drive to make that happen sooner than later.
Lee NeelyCommunity Instructor
Slide 3 of 3

Using compromised credentials is one of the easiest methods attackers employ for initial access. By binding authentication to the device, it forces the evildoer to be local on the device, where defensive protections can kick in to protect the device and enterprise. One potential stumbling block will be a dependency on use of a TPM for storage. Here's hoping the trial goes well and DBSC becomes mainstream.
Curtis DukesExecutive Vice President for Security Best Practices
Slide 1 of 0
Read more in
- Fighting cookie theft using device bound sessions
  Chromium
- Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks
  The Hacker News
- New Chrome feature aims to stop hackers from using stolen cookies
  Bleeping Computer
- Google Proposes Method for Stopping Multifactor Runaround
  Gov Infosecurity
04 Apr 2024
Omni Hotels Discloses Cyberattack
Omni Hotels & Resorts has told customers that recent IT outrages were due to a cyberattack. In a statement on their website, the company says it began responding to the attack on Friday, March 29. Omni initially took some of their systems offline as a precaution; most have since been restored. Customers reported that door locks were not working and that they were unable to pay their bills with a credit card.
Editor's Notes

One of the interesting side effects of the outage was advice to be nice to the hotel staff as so much isn't working and there is little they can do. I'm going to remember that one next time I run into a systems down situation. As systems are being restored and still offline since last Friday, this has the markings of a ransomware attack. The latest from Omni is that most of their systems are back online. They stop short of a target date for restoring everything. While tricky, it's not a bad idea to let folks know your target date for service restoration to manage expectations as well as increase transparency.
Lee NeelyCommunity Instructor
Read more in
- Cyberattack hits Omni Hotels systems, taking out bookings, payments, door locks
  The Register
- Omni Hotels confirms cyberattack behind ongoing IT outage
  Bleeping Computer
- Cyberattack Causes Disruptions at Omni Hotels
  Security Week
- Omni Hotels & Resorts Update on Recent Cyber Attack
  Omni Hotels
03 Apr 2024
Fix Available for LayerSlider WordPress Plugin Vulnerability
A critical vulnerability in the LayerSlider plugin for WordPress could be exploited to steal data, including password hashes. The SQL injection flaw was discovered by a security researcher participating in a recent Wordfence Bug Bounty Extravaganza. The vulnerability was submitted on March 25 and the plugins developers were notified of the flaw that same day. They fixed the vulnerability in LayerSlider version 7.10.1, which was released on March 27. The plugin, which is used to create animated content, has more than one million active installations.
Editor's Notes

The $5,000 bounty is Wordfence's largest bounty to date. Given the publicity, unpatched versions will be targeted. Make sure you're updated. Yup, unsafe input handling strikes again. And the maintainers had the patch out in less than a week after being notified. SQLi/input validation has to be table stakes. At this point both the free and paid versions of Wordfence have rules to prevent the exploit.
Lee NeelyCommunity Instructor
Read more in
- CVE-2024-2879 Detail
  NVD
- $5,500 Bounty Awarded for Unauthenticated SQL Injection Vulnerability Patched in LayerSlider WordPress Plugin
  Wordfence
- WordPress LayerSlider plugin bug risks password hash extraction
  SC Magazine
- Critical flaw in LayerSlider WordPress plugin impacts 1 million sites
  Bleeping Computer
- Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites
  Security Week
- Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection
  Dark Reading
03 Apr 2024
Jackson County, Missouri Government Discloses Ransomware Attack
On Tuesday, April 2, Jackson County, Missouri, confirmed that a ransomware attack was responsible for disrupting county services and declared a state of emergency. Impacted services include online property, marriage license, and inmate searches, as well as tax payments. The incident is being investigated by the FBI, the Department of Homeland Security, and third-party IT experts.
Editor's Notes

Not a lot of deets on the attack. Suffice it to say that state and local government continue to be targets. This is the second such ransomware event for Jackson County, having paid a ransom in 2019. It strengthens the argument not to pay a ransom as it only incentives evildoers to revisit for another payout.
Curtis DukesExecutive Vice President for Security Best Practices
Read more in
- Missouri county latest local government ransomware victim, 18th of 2024
  SC Magazine
- Jackson County in state of emergency after ransomware attack
  Bleeping Computer
- Jackson County MO
  Twitter
04 Apr 2024
City of Hope Cancer Treatment and Research Center Reports Data Breach
City of Hope, a California-based cancer treatment and research center, has disclosed a data breach that impacts personal information belonging to more than 800,000 individuals. The incident occurred between September 19 and October 12, 2023. In a notification letter, City of Hope said that an intruder accessed their IT systems and stole data, including names, various ID information, bank account and payment card numbers, and health insurance and medical information.
Editor's Notes
Slide 1 of 0
Read more in
- US Cancer Center Data Breach Impacting 800,000
  Security Week
- Over 800K impacted by City of Hope systems breach
  SC Magazine
04 Apr 2024
Fixes Available for Critical Flaw in Progress Flowmon
Progress Software has released updates to address a critical Improper Neutralization of Special Elements used in an OS Command vulnerability in their Flowmon network monitoring and security solution. The flaw can be exploited to attain remote, unauthenticated access to vulnerable systems. The issue affects Flowmon versions 11.x and 12.x on all platforms. Users are urged to upgrade to Flowmon version 12.3.5 or 11.1.14.
Editor's Notes
Slide 1 of 0
Read more in
- Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems
  Security Week
- CVE-2024-2389 Flowmon critical security vulnerability
  Kemp Technologies
- CVE-2024-2389 Detail
  NVD
02 Apr 2024
CISA Cybersecurity Resources for High Risk Communities
The US Cybersecurity and Infrastructure Security Agency (CISA) has compiled a library of cybersecurity resources for high risk communities, which include activists, journalists, human rights defenders, academics, and other employees associated with civil society organizations that are at heightened risk of being targeted by cyber threat actors because of their identity or work, and many of which have little to no budget for cybersecurity. The resources are grouped into categories: customized tools to assess and mitigate risk; helplines and communities; and tools and services to strengthen your cyber defenses.
Editor's Notes
Slide 1 of 3

You have heard advice about taking steps to protect folks in high risk locations but not a lot about what that means. And this includes free as well as reduced cost resources, tools and security communities. As an exercise, consider having your team divide up the list from CISA and report out on relevance of each item.
Lee NeelyCommunity Instructor
Slide 2 of 3

A very useful guide from CISA. The UK's National Cyber Security Centre (NCSC) also has a very useful and similar guide: https://www.ncsc.gov.uk/collection/defending-democracy
Brian HonanSANS NewsBites Editorial Board
Slide 3 of 3

A helpful library but ultimately, the high-risk communities need the resources and skills to implement the cybersecurity advice. As a part of the security community, we collectively must automate cybersecurity best practices.
Curtis DukesExecutive Vice President for Security Best Practices
Slide 1 of 0
Read more in
- Cybersecurity Resources for High-Risk Communities
  CISA
- CISA resource looks to help high-risk groups thwart cyberattacks
  Nextgov
04 Apr 2024
Cisco Talos: CoralRaider Threat Actor Steals Financial Data
Researchers from Cisco Talos have discovered a threat actor that has been stealing financial data and account access credentials from individuals in Asian and Southeast Asian countries. The researchers say the threat actor, which they're dubbed CoralRaider, has been active since at least May 2023. CoralRaider uses a Telegram bot, as a C2, to exfiltrate the victims data.
Editor's Notes
Slide 1 of 0
Read more in
- CoralRaider targets victims data and social media accounts
  Talos Intelligence
- Vietnam-Based Hackers Steal Financial Data Across Asia with Malware
  The Hacker News
04 Apr 2024
Oil and Gas Industry Targeted in Info-Stealing Campaign
Researchers at Cofense have detected a phishing campaign targeting organizations in the oil and gas sector with intent to infect systems with a new variant of Rhadamanthys information-stealing malware. The phishing emails purport to be vehicle incident communications from the Federal Bureau of Transportation, which does not exist.
Editor's Notes
Slide 1 of 0
Read more in