SANS NewsBites

Patch Tuesday; Microsoft President Brad Smith Appears Before US Congressional Committee; GAO: US Federal Agencies Still Have Not Implemented More Than a Third of Cybersecurity Recommendations

June 14, 2024  |  Volume XXVI - Issue #46

Top of the News


2024-06-13

Microsoft Patch Tuesday

On Tuesday, June 11, Microsoft released fixes for more than 50 security issues. One of the flaws, a low-complexity use-after-free vulnerability in Microsoft Message Queuing (MSMQ) (CVE-2024-30080), is rated critical; all the rest are rated important. Among those, one is a denial-of-service issue in DNSSEC implementations (CVE-2023-50868) that was reported in February. Another of the important issues is a zero-click vulnerability in Outlook that could be exploited to bypass Outlook registry block lists.

Editor's Note

Don't let the small number of vulnerabilities, and the fact that only one is labeled "critical", fool you. The MSMQ issue has a lot of potential. The "no click code execution" in Outlook will be discussed in depth at Defcon, and it is very much possible that an exploit will emerge around that time, if not earlier. The patch for the DNSSEC vulnerability, while only a DoS issue, was long overdue and the issue has been known since February.

Johannes Ullrich

CVE-2024-30080, MSMQ flaw, CVSS score 9.8, can be exploited remotely without any user interaction to execute arbitrary code, and is accessed over port 1801. Make sure that you're not exposing that port to the Internet. CVE-2024-50868, DNSSEC DOS/CPU exhaustion, CVSS score 7.5, aka KEYTRAP, warrants pushing the update to your servers as it impacts not just the Microsoft DNS server.

Lee Neely

2024-06-13

Microsoft's Brad Smith Faces US Legislators' Questions

Microsoft president Brad Smith appeared before the US House Homeland Security Committee on Thursday to answer questions about how the company handled a 2023 breach that compromised Microsoft 365 accounts of US diplomats and government officials. Smith also told lawmakers that Microsoft CEO Satya Nadella has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft's security.

Editor's Note

By all accounts Mr. Smith handled the heightened scrutiny of MSFT with aplomb. The takeaway is that even Fortune 50 companies can fall victim to lapses in adherence to security processes. Don't expect the federal government to switch out use of MSFT products and services any time soon.

Curtis Dukes

The testimony seems to range from how Microsoft is doing business in China to the SolarWinds compromise to Recall. Read the transcript and responses to consider if those types of responses would reflect well on your company were you in his spot, then take action to put your enterprise in a stronger position where needed. For example, raising the bar on security should not be a conversation about what has been done in the last few weeks for a mature company like Microsoft.

Lee Neely

Microsoft is learning the hard way that changing corporate culture is like changing the course of a super tanker. It takes more than a command from the top. Among other things, it takes time. The CSRB Report makes it clear that the present course ends up on the rocks. Given Microsoft's market dominance, the present course imperils the Ship of State.

William Hugh Murray

2024-06-13

GAO: Federal Agencies Have Implemented Just 65% of Cybersecurity Recommendations

According to a report from the US Government Accountability Office (GAO), federal agencies have implemented just two-thirds of the 1,610 cybersecurity recommendations it has made since 2010. The report notes that US federal agencies reported 30,659 IT security incidents to the Department of Homeland Security's Computer Emergency Readiness Team in fiscal year 2022.

Editor's Note

My guess is that the historical average percentage of agencies implementing GAO recommendations (security or otherwise) is at best in the 66% range. What is really needed across Federal IT is a focus on improving IT operations where most vulnerabilities originate: lack of inventory, using unpatchable/unsupported software, failure to require developed or acquired software to demonstrate security needs have been met, etc. If IT operations is constantly blowing on dandelion seed puffballs, security operations plucking 66% of the dandelions that sprout is probably the best most government agencies will be able to do.

John Pescatore

A recurring theme here is legacy, unsupported systems operating without needed fixes. Replacing these systems, particularly key business systems such as your ERP or HCM systems, requires a lot of time and resources, which often have to come out of the mission budget, so you're going to find a lot of mitigations and stop-gap efforts. GAO is proposing an overarching approach focusing on four cybersecurity challenges and ten critical actions to build support and focus action to reduce the threat to the nation's essential technology systems.

Lee Neely

A troubling statistic given the report goes back to 2010. It highlights the fact that US Departments and Agencies do not regularly plan (budget) for HW/SW obsolescence leading to cybersecurity risks. Perhaps a relook at the Technology Modernization Fund is in order with a renewed focus on prioritizing expenditures to close more of these GAO cybersecurity recommendations.

Curtis Dukes

That might even be okay, provided that the 65% includes the most essential and efficient measures (e.g., strong authentication, network segmentation, least privilege). My experience suggests that auditors tend to view all recommendations as being of equal importance.

William Hugh Murray

The Rest of the Week's News


2024-06-13

Former Microsoft Employee Says Company Dismissed Concerns Over SAML Vulnerability

A former Microsoft employee says the company dismissed his warnings about a vulnerability in one of their products that was later used by threat actors in the SolarWinds supply chain attack in 2020. Several years earlier, Andrew Harris found the vulnerability in Active Directory Federation Services, or AD FS, a product that allowed users to sign on a single time to access nearly everything they needed. The problem, he discovered, rested in how the application used a computer language known as SAML to authenticate users as they logged in. Harris eventually left Microsoft in August 2020 after his pleas to address the issue were pushed aside.

Editor's Note

I've commented in NewsBites in the past that a big issue for Microsoft has been chasing cloud revenue but not updating a Secure Development Life Cycle that was used to working at operating system version release speed - definitely NOT 'agile' cloud speed. In his written testimony to Congress, Microsoft President Brad Smith says Microsoft has added close to 2,000 security engineers but barely mentioned development, with one very high level promise: 'Secure by Design: Make security the first priority when designing any product or service.'

John Pescatore

A few weeks ago we were praising Satya Nadella's statement about Microsoft refocusing on security before features. Sadly, this story and the debacle over Microsoft Recall highlight that this will not be an easy change to implement, as Microsoft appears to need a major cultural change in how it develops and secures its products and services. As with many things in life, actions speak louder than words, and thus far Satya Nadella's statement is akin to a pinkie promise.

Brian Honan

One lesson here is to pay attention to vulnerability disclosure, internal and external. Before dismissing a report or deciding that it will never happen, consider an external assessment or demonstration of exactly how difficult and impactful exploiting the flaw is. The other lesson is to keep an eye on enabling technologies used to connect to service providers, cloud or otherwise, making sure that you continue to follow best practices and all components are kept updated.

Lee Neely

2024-06-13

More US City Governments Dealing with Cybersecurity Incidents

The US cities of Traverse City, Michigan, and Newburgh, New York, are both dealing with disruption of government services due to cybersecurity incidents. In Traverse City, network irregularities prompted the city's government and IT Department to take the city offices' network offline. In Newburgh, New York, a "network security incident" has disrupted numerous city services, including processing and accepting payments for property taxes, water, sewer, sanitation, and other services. In Cleveland, Ohio, city government is still struggling with an incident that was disclosed earlier this week.

Editor's Note

Two takeaways: 1) Ransomware continues to be a scourge against the cyber underserved; and 2) we, the cybersecurity community, must find ways to ease implementation and monitoring of cybersecurity best practices for resource-constrained organizations.

Curtis Dukes

Take a look at the communications from Newburgh and Traverse City below, noting elements that would aid your communication efforts in an incident. Note that Cleveland is posting on X, which may be necessary if your primary communications paths are impacted. Whether social media or web site updates, make sure (test) these can be securely updated by staff independent of being on your corporate network. Question the model of dropping security during a (security) incident for access. Creating these processes while the chips are down is unpleasant and stressful at best; practice ahead of time.

Lee Neely

2024-06-12

Ransomware Threat Actors May Have Exploited Known Flaw as a Zero-day

Symantec Threat Intelligence researchers' analysis of a recently used exploit tool suggests that ransomware operators may have exploited a Windows Error Reporting Service privilege elevation vulnerability before it was patched in March. The researchers say the recently observed attack was unsuccessful.

Editor's Note

The vulnerability was reported by an outside security researcher so Symantec could very well be right. Regardless, the vulnerability was quickly fixed by MSFT and a patch made available to limit further attack.

Curtis Dukes

The threat actors were exploiting CVE-2024-26169 prior to the fix being available, taking advantage of permission inheritance in how Windows werkernel.sys creates registry keys. When the fix was released, Microsoft reported no evidence of exploitation in the wild. Given the Symantec research, have your threat hunters check for IOCs while you're making sure the fix is in.

Lee Neely

When people ask me why I am against paying criminals money resulting from extortion attacks such as ransomware, this story, and the other on PHP flaws being exploited, are among those reasons. Paying criminals provides them with funds to research and/or purchase exploits that they can then use to victimise others.

Brian Honan

2024-06-13

Ransomware Operators are Actively Exploiting PHP Vulnerability

A ransomware group is actively exploiting a recently-disclosed remote code execution vulnerability in PHP on all versions of Windows. PHP released patches to address the flaw last week. Within days, threat actors have been observed exploiting the vulnerability to deploy ransomware.

Editor's Note

While this only impacts Windows PHP servers, you're going to want to update your other PHP platforms as well for consistency. Note that PHP 8.0, 7 and 5 are impacted, but are discontinued, so no fixes will be released. Note that moving between major PHP versions needs regression testing due to changes in security models and function calls; watch for warnings of soon-to-be-deprecated behavior as you update. Even so, it's time to get current.

Lee Neely

2024-06-11

GitHub Users Targeted in Phishing Campaign

A phishing campaign has been targeting GitHub users since February. The campaign makes use of the GitHub notification system and a malicious OAuth app. The phishing email generally offers the recipient a job or notifies them of a purported security incident and leads to a prompt asking for control of and access to their accounts and repositories through OAuth. If the attack is successful, the threat actors wipe the repositories and replace them with a ransom demand.

Editor's Note

MFA... The acronym to solve so many issues like this. Sadly, there has been some pushback from developers in the past as GitHub started to enforce MFA for some accounts. GitHub does a great job in making technologies like Passkeys approachable and usable. Take advantage of it.

Johannes Ullrich

This is a particularly sneaky phishing attack as it uses GitHub's comment feature to trigger a phishing email attack. By leaving comments in GitHub with the victim's username, the attacker triggers an official GitHub email using an official GitHub email address but with the attacker's comments making up the body of the email. Crafted this way, it can be hard to determine that the GitHub email is actually a phishing attack. I'm seeing more phishing attacks like this using the official email mechanism of legitimate companies (PayPal, Intuit, etc). So much for hovering over links. In addition, if you can trick someone into installing a malicious OAuth app, remember this not only bypasses MFA, but gives the attacker persistent access regardless of whether you change your password.

Lance Spitzner

Targeted Identity and Access Management (IAM) campaigns appear to be the new normal. Recently, in addition to GitHub, there has been Snowflake. For both, the evildoer exploits different weaknesses [not vulnerabilities] in their governance processes. For GitHub it is the automated legitimate email notification, for Snowflake lack of mandatory use of multi-factor authentication. For both, the evildoer is looking to obtain legitimate credentials to easily bypass security controls.

Curtis Dukes

Getting emails from mentions in repositories, ticketing systems or other platforms is pretty commonplace, and users are inclined to click the enclosed links to take action, particularly where the message has a triggering topic like a security event or job offer. Make sure your training includes checking that these notifications are genuine. Encourage them to take advantage of the GitHub spam reporting system as well as verifying that the sessions connected to your repos are legitimate.

Lee Neely

2024-06-12

Fortinet Patches Multiple Vulnerabilities

On Tuesday, June 11, Fortinet released updates to address five CVEs in FortiOS, FortiProxy, and other products. CVE-2024-23110 addresses multiple stack-based buffer overflow vulnerabilities, and is rated high severity. Three of the CVEs are rated medium severity; they address stack-based buffer overflow vulnerabilities and an improper neutralization of input during web page generation. The fifth CVE addresses a low severity issue involving a password hash with insufficient computational effort vulnerability.

Editor's Note

No shortcuts here: you need to roll out updates to FortiOS, FortiProxy, FortiPAM and FortiSwitchManager as these flaws are susceptible to remote exploitation. Make sure that you're targeting FortiOS 7.2.8 or 7.4.4; while affected, the older branches are not getting all the same fixes.

Lee Neely

2024-06-13

Patch Veeam Recovery Orchestrator Now

Proof-of-concept exploit code for a critical authentication bypass vulnerability in Veeam Recovery Orchestrator has been released. The issue exists because of a hardcoded JSON Web Token (JWT) secret. Users are urged to update to Veeam Recovery Orchestrator versions 7.1.0.230 or 7.0.0.379.

Editor's Note

CVE-2024-29855, authentication bypass, CVSS score 9.0, allows attackers to log in to the Veeam Recovery Orchestrator with administrator privileges. While the exploit needs the exact username and role of an account with an active JWT token, there are only five roles and the metadata in the SSL certificate typically has enough information to determine a valid username. The icing on the cake is that a POC for this exploit is publicly available, so dawdle time is essentially non-existent.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+June+2024/31000

MSMQ Packets

https://isc.sans.edu/diary/Port+1801+Traffic+Microsoft+Message+Queue/31004

The Art of JQ and Command-Line Fu

https://isc.sans.edu/diary/The+Art+of+JQ+and+Commandline+Fu+Guest+Diary/31006

Microsoft Outlook Vulnerability Details

https://blog.morphisec.com/cve-2024-30103-microsoft-outlook-vulnerability

Keeping our Outlook Personal Email Users Safe

https://techcommunity.microsoft.com/t5/outlook-blog/keeping-our-outlook-personal-email-users-safe-reinforcing-our/ba-p/4164184

Black Basta Exploited CVE-2024-26169 Prior to Patch

https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day

Exploiting ML models with pickle file attacks

https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/

Adobe Updates

https://helpx.adobe.com/security/products/magento/apsb24-40.html

Pixel Phone 0-Day Patched

https://source.android.com/docs/security/bulletin/pixel/2024-06-01

JetBrains IntelliJ Based IDE GitHub Plugin Vulnerability

https://blog.jetbrains.com/security/2024/06/updates-for-security-issue-affecting-intellij-based-ides-2023-1-and-github-plugin/

Veeam Recovery Orchestrator (VRO) vulnerability CVE-2024-29855

https://www.veeam.com/kb4585

Precor Treadmill Vulnerability

https://securityintelligence.com/x-force/internet-connected-treadmill-vulnerabilities-discovered/