SANS NewsBites

CISA Scolds Microsoft; Ivanti Promises to do Better; xz-utils Backdoor Open Source Community Response; Help Us Improve NewsBites

April 5, 2024  |  Volume XXVI - Issue #27

Top of the News


2024-04-03

CISA's Cyber Safety Review Board Report on 2023 Microsoft Exchange Online Intrusion

The US Cybersecurity and Infrastructure Security Agency's (CISA's) Cyber Safety Review Board (CSRB) has released a report on the Microsoft Exchange Online intrusion that occurred last summer. The threat actor accessed Microsoft Exchange mailboxes of high-level officials in the US government using authentication tokens that were signed by a key Microsoft had created in 2016. Microsoft does not know how the threat actor obtained the key. The CSRB report finds that the intrusion was preventable, and concludes that Microsoft's security culture was inadequate.

Editor's Note

I think this quote from the CSRB report sums it up: "Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management." During this review time frame Microsoft announced their Secure Future Initiative; focusing on the required internal culture change is a pre-requisite for that being anything more than a marketing campaign.

John Pescatore

Security culture (or lack thereof) was emphasized in the report at least 12 times. Security is no longer just a technical issue but a people and ultimately cultural issue. Kudos to Microsoft for being so open and cooperative with the CSRB in creating the report.

Lance Spitzner

This was not a single event but a combination of events, from a compromised laptop in an acquired company which wasn't verified prior to connection to the corporate network to those old MFA tokens. Take the issues outlined in the report and see if you have any similar gaps. Don't omit culture from your consideration. Not just secure day one but remaining so always, with verification and incentives if possible.

Lee Neely

This is an excellent report and I encourage you to read it. It highlights to me that Microsoft need to have another Bill Gates Trustworthy Computing moment but focused on Trustworthy Cloud Computing.

Brian Honan

2024-04-04

Ivanti Promises Security Culture Change and Releases Fixes for Four More Vulnerabilities

Ivanti has published a security advisory that includes fixes for four vulnerabilities in their Connect Secure and Policy Secure Gateways. The flaws' CVSS scores range from 5.3 to 8.2. Over the past several months, Ivanti has been struggling with the fallout of government breaches related to their products. The company's CEO, Jeff Abbott, published an open letter promising a revamp of their core engineering, security and vulnerability management practice, and an emphasis on secure by design.

Editor's Note

Another CEO admitting a need for a security culture change to focus on making sure their products are secure, but this time from a security product vendor. To make sure these culture changes are more than just posters in the lunch room, any security vendor should show results of measurable progress, such as third-party security testing/review of all products. Here's an idea: no security product company should be allowed to use the terms AI or machine learning in their marketing/advertising unless they go at least 12 months without a vulnerability with a CVSS score above 7.

John Pescatore

Real culture change takes time. Even so, kudos to Ivanti for publicly stating they'll hit this head on. Which means you need to trust but verify when it comes to your Ivanti products.

Lee Neely

An open letter is merely the first step in changing the culture to that of security accountability. Bill Gates did something similar in 2012 that ushered in the era of trustworthy computing. What comes after the letter is what matters, and that takes leadership that doesn't prioritize revenue and valuation over basic software security.

Curtis Dukes

2024-04-03

More Details About the XZ Backdoor

An interview with Andres Freund, who discovered the backdoor; more information about the malicious code itself; and musings about the identity of the developer, Jia Tan, who contributed the malicious code.

Editor's Note

As more details emerge on this near miss, it's clear this was a nation-state backed supply chain attack. Why so? The level of sophistication employed, the patience in building the supply chain attack, the use of cryptography to protect the exploit, the social engineering to include use of sock-puppet accounts. Lots of lessons learned here; many that are also applicable to commercial software configuration control processes.

Curtis Dukes

2024-04-07

Help Us Improve NewsBites

Please take 3 minutes to give us your suggestions.

The Rest of the Week's News


2024-04-03

Google is Prototyping Device Bound Session Credentials Feature in Chrome

By stealing authentication cookies, thieves can bypass multi-factor authentication and access accounts belonging to the true owner of the cookies. Google is taking steps to make stolen cookies useless. A Chromium Blog post reads, "we're prototyping a new web capability called Device Bound Session Credentials (DBSC) that will help keep users more secure against cookie theft." The project is being developed in the open at github.com/WICG/dbsc with the goal of becoming an open web standard.

Editor's Note

This is an interesting feature that may help with one of the current, fundamental, web application security issues. While there are some "workarounds" that try to fix this issue, a standard approach will make implementation easier.

Johannes Ullrich

Creating cookies and tokens which will only work on the device/browser they were created with seems like it'd already be a thing wouldn't it? While this won't change overnight, having Google behind this proposed standard should provide the needed drive to make that happen sooner than later.

Lee Neely

Using compromised credentials is one of the easiest methods attackers employ for initial access. By binding authentication to the device, it forces the evildoer to be local on the device, where defensive protections can kick in to protect the device and enterprise. One potential stumbling block will be a dependency on use of a TPM for storage. Here's hoping the trial goes well and DBSC becomes mainstream.

Curtis Dukes

2024-04-04

Omni Hotels Discloses Cyberattack

Omni Hotels & Resorts has told customers that recent IT outages were due to a cyberattack. In a statement on their website, the company says it began responding to the attack on Friday, March 29. Omni initially took some of their systems offline as a precaution; most have since been restored. Customers reported that door locks were not working and that they were unable to pay their bills with a credit card.

Editor's Note

One of the interesting side effects of the outage was advice to be nice to the hotel staff as so much isn't working and there is little they can do. I'm going to remember that one next time I run into a systems down situation. As systems are being restored and still offline since last Friday, this has the markings of a ransomware attack. The latest from Omni is that most of their systems are back online. They stop short of a target date for restoring everything. While tricky, it's not a bad idea to let folks know your target date for service restoration to manage expectations as well as increase transparency.

Lee Neely

2024-04-03

Fix Available for LayerSlider WordPress Plugin Vulnerability

A critical vulnerability in the LayerSlider plugin for WordPress could be exploited to steal data, including password hashes. The SQL injection flaw was discovered by a security researcher participating in a recent Wordfence Bug Bounty Extravaganza. The vulnerability was submitted on March 25 and the plugin's developers were notified of the flaw that same day. They fixed the vulnerability in LayerSlider version 7.10.1, which was released on March 27. The plugin, which is used to create animated content, has more than one million active installations.

Editor's Note

The $5,000 bounty is Wordfence's largest bounty to date. Given the publicity, unpatched versions will be targeted. Make sure you're updated. Yup, unsafe input handling strikes again. And the maintainers had the patch out in less than a week after being notified. SQLi/input validation has to be table stakes. At this point both the free and paid versions of Wordfence have rules to prevent the exploit.

Lee Neely

2024-04-03

Jackson County, Missouri Government Discloses Ransomware Attack

On Tuesday, April 2, Jackson County, Missouri, confirmed that a ransomware attack was responsible for disrupting county services and declared a state of emergency. Impacted services include online property, marriage license, and inmate searches, as well as tax payments. The incident is being investigated by the FBI, the Department of Homeland Security, and third-party IT experts.

Editor's Note

Not a lot of deets on the attack. Suffice it to say that state and local government continue to be targets. This is the second such ransomware event for Jackson County, having paid a ransom in 2019. It strengthens the argument not to pay a ransom as it only incentivizes evildoers to revisit for another payout.

Curtis Dukes

2024-04-04

City of Hope Cancer Treatment and Research Center Reports Data Breach

City of Hope, a California-based cancer treatment and research center, has disclosed a data breach that impacts personal information belonging to more than 800,000 individuals. The incident occurred between September 19 and October 12, 2023. In a notification letter, City of Hope said that an intruder accessed their IT systems and stole data, including names, various ID information, bank account and payment card numbers, and health insurance and medical information.


2024-04-04

Fixes Available for Critical Flaw in Progress Flowmon

Progress Software has released updates to address a critical Improper Neutralization of Special Elements used in an OS Command vulnerability in their Flowmon network monitoring and security solution. The flaw can be exploited to attain remote, unauthenticated access to vulnerable systems. The issue affects Flowmon versions 11.x and 12.x on all platforms. Users are urged to upgrade to Flowmon version 12.3.5 or 11.1.14.


2024-04-02

CISA Cybersecurity Resources for High Risk Communities

The US Cybersecurity and Infrastructure Security Agency (CISA) has compiled a library of cybersecurity resources for high risk communities, which include activists, journalists, human rights defenders, academics, and other employees associated with civil society organizations that are at heightened risk of being targeted by cyber threat actors because of their identity or work, and many of which have little to no budget for cybersecurity. The resources are grouped into categories: customized tools to assess and mitigate risk; helplines and communities; and tools and services to strengthen your cyber defenses.

Editor's Note

You have heard advice about taking steps to protect folks in high risk locations but not a lot about what that means. And this includes free as well as reduced cost resources, tools and security communities. As an exercise, consider having your team divide up the list from CISA and report out on relevance of each item.

Lee Neely

A very useful guide from CISA. The UK's National Cyber Security Centre (NCSC) also has a very useful and similar guide: https://www.ncsc.gov.uk/collection/defending-democracy

Brian Honan

A helpful library but ultimately, the high-risk communities need the resources and skills to implement the cybersecurity advice. As a part of the security community, we collectively must automate cybersecurity best practices.

Curtis Dukes

2024-04-04

Cisco Talos: CoralRaider Threat Actor Steals Financial Data

Researchers from Cisco Talos have discovered a threat actor that has been stealing financial data and account access credentials from individuals in Asian and Southeast Asian countries. The researchers say the threat actor, which they have dubbed CoralRaider, has been active since at least May 2023. CoralRaider uses a Telegram bot as a C2 channel to exfiltrate the victims' data.


2024-04-04

Oil and Gas Industry Targeted in Info-Stealing Campaign

Researchers at Cofense have detected a phishing campaign targeting organizations in the oil and gas sector with intent to infect systems with a new variant of Rhadamanthys information-stealing malware. The phishing emails purport to be vehicle incident communications from the Federal Bureau of Transportation, which does not exist.

Internet Storm Center Tech Corner

Playing with xzbot: Some things you can learn from SSH traffic

https://isc.sans.edu/diary/Some+things+you+can+learn+from+SSH+traffic/30808

Slicing up DoNex with Binary Ninja

https://isc.sans.edu/diary/Slicing+up+DoNex+with+Binary+Ninja/30812

Wait Just an Infosec Episode with Bojan Zdrnja

https://isc.sans.edu/j/xzutils

Dan Mazzella: Infostealers in Automotive Headunits

https://www.sans.edu/cyber-research/exploring-infostealer-malware-techniques-automotive-head-units/

HTTP/2 Continuation Flood

https://nowotarski.info/http2-continuation-flood-technical-details/

Dangers of CSS in HTML Email

https://lutrasecurity.com/en/articles/kobold-letters/

Google Proposes Device Bound Session Credentials (DBSC)

https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html

Four More Ivanti Vulnerabilities

https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Google Pixel Zero Day

https://source.android.com/docs/security/bulletin/pixel/2024-04-01

Chrome Incognito Mode Settlement

https://www.wired.com/story/google-chrome-incognito-mode-data-deletion-settlement/

Google E-Mail Sender Guidelines FAQ

https://support.google.com/a/answer/14229414?hl=en&fl=1&sjid=2270464422796374445-NC

Cisco Updates and VPN Best Practices

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

https://sec.cloudapps.cisco.com/security/center/publicationListing.x

Apache Pulsar Vulnerability

https://pulsar.apache.org/security/CVE-2024-29834/

Progress Flowmon Network Monitoring Tool Vulnerability CVE-2024-2389

https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability