SANS NewsBites

Vulnerabilities in Microsoft Apps for macOS; 400 CVE Numbering Authorities; More National Public Data Breach Information

August 20, 2024  |  Volume XXVI - Issue #64

Top of the News


2024-08-19

Cisco Talos: Vulnerabilities in Microsoft Apps for macOS

Researchers from Cisco Talos have provided details about eight vulnerabilities in Microsoft apps for macOS. The flaws could be exploited by injecting specially crafted libraries into the apps to access microphones, cameras, folders, input, and other functions. The vulnerabilities affect three different Microsoft Teams apps, as well as Outlook, PowerPoint, OneNote, Excel, and Word.

Editor's Note

The issue here is that once an application has the entitlements like camera access, these entitlements extend to the entire application, including libraries loaded at run time or extensions and plugins. It is up to the application at this point to protect itself. The issue Cisco points out is that the applications do not enforce security features available to protect the application. However, all of these applications have some form of scripting interface. This would allow an attacker to abuse these applications even if dynamically loaded libraries are validated.

Johannes Ullrich

As always, this is a good writeup from the Talos group around a portion of the enterprise ecosystem that seldom gets talked about. There is a lot of effort to subvert Windows, but how many macOS devices are in the corporate ecosystem? Specifically in the executive suites at a minimum.

Moses Frost

macOS has a layered security model, including TCC and entitlements, which are aimed at protecting user privacy and system security. They are not foolproof. These apps include the entitlement to disable library validation, which only allows them to access libraries signed by their developer, which was removed with updates to Teams and OneNote. Excel, Outlook, PowerPoint and Word retain this capability to support plug-ins. Other than pushing updated applications, reviewing their access (user granted, e.g. Camera/Microphone access) is a good idea.

Lee Neely
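As an added illustration of the entitlement review the note above recommends (this is example code, not from the page, Talos or Microsoft): a small Python audit that parses an app's entitlements plist and flags the pairing of hardware access with disabled library validation, which is what lets loaded plug-ins and dylibs inherit that access. The entitlement keys are Apple's documented Hardened Runtime identifiers; the `codesign` invocation, the function names and the sample plists are assumptions constructed for this example.

```python
import plistlib
import subprocess
from typing import Dict

# Hardened Runtime entitlement keys (real Apple identifiers) relevant to the note.
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
HARDWARE_ACCESS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

def audit_entitlements(plist_xml: bytes) -> Dict[str, object]:
    """Report whether an app's entitlements combine hardware access with
    disabled library validation. 'review' is set when both hold, because
    any library the app loads then inherits the camera/microphone grant."""
    ents = plistlib.loads(plist_xml)
    hardware = sorted(name for key, name in HARDWARE_ACCESS.items() if ents.get(key))
    lib_validation_off = bool(ents.get(DISABLE_LIBRARY_VALIDATION))
    return {
        "hardware": hardware,
        "library_validation_disabled": lib_validation_off,
        "review": lib_validation_off and bool(hardware),
    }

def entitlements_of(app_path: str) -> bytes:
    """Fetch an installed app's entitlements plist on macOS.
    Assumption: 'codesign -d --entitlements :- <app>' prints the XML plist
    (the ':' prefix strips the blob header on older releases)."""
    return subprocess.check_output(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        stderr=subprocess.DEVNULL,
    )

# Constructed sample entitlements (hypothetical; not copied from any real app).
SAMPLE_PLUGIN_HOST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

SAMPLE_LOCKED_DOWN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>"""
```

On a Mac, `audit_entitlements(entitlements_of("/Applications/Some.app"))` runs the same check against an installed application.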

2024-08-13

There are Now 400 CVE Numbering Authorities (CNAs)

Earlier this month, MITRE added Wiz to its list of CVE Numbering Authorities, bringing the total number of CNAs to 400. This milestone comes at a time when the US National Institute of Standards and Technology (NIST) is struggling to clear a significant backlog of CVEs yet to be analyzed.

Editor's Note

I appreciate Mitre making it easier to assign CVEs. The solution to the current "flood" of vulnerabilities is not to ignore them. NIST has laid out a plan to catch up with its NVD database, and even if the data enrichment is incomplete, it is better to have a CVE than not to have a CVE.

Johannes Ullrich

While I applaud multiple organizations stepping up here, most are scoped to support their products only; this does give them more skin in the game, which is needed. Even so, the bigger need is to support CVE analysis to clear both the current and seven-month backlog. As of June 3, there were 13,358 CVEs waiting to be analyzed; as of August 13th the number was 17,372, and it is projected to hit nearly 28,400 by the end of 2024. Fingers crossed the contractor is able to scale up to process 200-300 CVEs/day to overcome the backlog.

Lee Neely

2024-08-19

National Public Data Confirms Breach

In a filing with Maine’s attorney general, background check company National Public Data confirmed a December 2023 data breach, but says that the compromised personally identifiable information (PII) affects just 1.34 million people, not the nearly 3 billion initially reported. While the breach occurred at the end of 2023, the data started appearing for sale online in April 2024.

Editor's Note

National Public Data is downplaying the breach. The data posted for sale by USDoD was analyzed by Troy Hunt (maintainer of HaveIBeenPwned), who found that it contains 134 million unique email addresses, as well as criminal record data for 70 million of those addresses. Access Data Privacy analyzed the data and found as many as 272 million unique SSNs, many belonging to people who are no longer living. While there is precedent for changing the amount of data exfiltrated as the investigation proceeds, it's important to get this straight rapidly, particularly when others are analyzing the data and find a discrepancy with your reporting. While this gets sorted, double down on ID protection/restoration services and don't forget to freeze your credit.

Lee Neely

The current read on this is that the company is “unsure” of how many records have been stolen. They claim that only 1.3 million (instead of 2.9 billion) records were taken. According to reports from Troy Hunt, 134 million email addresses are in the dump. This doesn’t mean that all the data is from the same place, so there is still speculation about this entire breach. One to watch. Is this the fourth or fifth time our social security number data has been breached? I lose count.

Moses Frost

Well, that was a bit of a rounding error by National Public Data. Still, it's 1.34M people affected that had little say in how their information was collected and used. Perhaps it’s time to regulate data brokers and ‘for Pete’s sake,’ let’s pass a national data protection law.

Curtis Dukes

The Rest of the Week's News


2024-08-19

Columbus Officials Warn Citizens that Sensitive Data were Compromised in Ransomware Attack

At a press conference over the weekend, Columbus, Ohio, city officials said that the threat actors accessed data belonging to city employees and residents during a ransomware attack, and urged citizens to be vigilant. The attackers have leaked information stolen from the Columbus city prosecutor’s office.

Editor's Note

This is data from the July 18th ransomware attack by the Rhysida gang, which claims to have stolen 6.5 terabytes of data. The data appears to have been released on the dark web, and while the average citizen doesn't have access to it, criminals likely do, which is why the city attorney is letting city residents, customers and employees know they are ready to support them with needed protection or other civil orders relating to this data being released. Offering to support your customers in a breach, beyond just ID/credit monitoring/restoration, is a classy move to consider for your playbook.

Lee Neely

Good on Columbus for not paying the ransom. Bad on Columbus for not exhibiting a standard of reasonableness in protecting its citizens' information. While much of the information is likely public, the city still has a responsibility to protect it, as some of it may be sensitive. Take a look at the ‘Blueprint for Ransomware Defense,’ an actionable framework for ransomware mitigation, response, and recovery.

Curtis Dukes

2024-08-19

Flint, Michigan Recovering from Ransomware Attack

The city of Flint, Michigan, is in the process of recovering from an August 14 ransomware attack that has disrupted the availability of their online services, such as telecommunications and water, sewer, and tax payments. According to a statement on August 15, the city’s emergency services are unaffected by the incident, as are public works, and public health.

Editor's Note

Flint residents can pay for the affected city services only via cash or check. Double check with your FI whether your online bill-pay electronic payment mechanism needs to fall back to sending a check. Even if you're not in Flint, ask them if they have a protocol for failing back to an analog payment. To date, no ransomware gang is taking credit for this attack and the city doesn't yet have an ETA for service restoration. While it can be hard to get your arms around that timeline, make sure that your tabletop exercises include fleshing out how you'd determine a recovery date and how to meet it.

Lee Neely

2024-08-19

Oregon Zoo Website Security Breached, Payment Card Data Stolen

Cyber criminals have stolen payment card information from the Oregon Zoo’s website. The incident affects more than 117,000 people. Officials detected unusual activity on the zoo’s online ticketing service earlier this summer and took the website offline. A subsequent investigation revealed that transactions in the system had been redirected between December 2023 and June 2024.

Editor's Note

The third-party payment site was decommissioned in late June, and a new secure site provisioned. Nevertheless, payment information, including names, card numbers, CVV and expiration dates were exfiltrated for six months. The zoo is notifying affected parties and offering them a year of credit monitoring.

Lee Neely

While not as serious as new account application fraud, card transaction fraud remains a nuisance and a cost in the system. This is in part because online merchants continue to accept, not to say rely on, them rather than use payment proxies like PayPal, Amazon, Google Pay, and Apple Pay. While use of the proxies does have a cost, it is more than offset by the reduction in fraud loss.

William Hugh Murray

2024-08-19

Mandatory MFA for Azure

Microsoft is rolling out mandatory multi-factor authentication (MFA) for Azure starting in October. At that time, “MFA will be required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center.” Starting early next year, Microsoft will gradually roll out MFA enforcement for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.

Editor's Note

Microsoft provides multiple MFA options for Entra including FIDO2 security keys, certificate-based authentication (CAC, PIV, X509), passkeys and the Microsoft Authenticator using biometrics, push notifications or OTP. Don't enable SMS/phone-call based MFA; it's too easily compromised. Talk to your Azure/Entra ID administrators about their plans for MFA, not only about which technical options they will support but also their communication and user-support activities.

Lee Neely

The trend continues making MFA mandatory for users. Microsoft signaled its intent late last year and this is its follow-through. We can add Microsoft to the ‘mandatory use’ club and MFA as the de facto standard for identity management.

Curtis Dukes

2024-08-19

Carespring Healthcare Notifies 77,000 of Data Breach

Ohio-based Carespring Healthcare Management has begun notifying nearly 77,000 people that their personally identifiable information (PII) was compromised in a 2023 cybersecurity incident. The attack was detected in October 2023; the subsequent investigation took nine months. The compromised data include names and associated passport, Social Security, and driver’s license numbers, health insurance and medical information, payment card data, and tax identification numbers.

Editor's Note

There is nothing quite like the letter from a provider letting you know your data has been breached. Take note of the guidance on their incident web site; it provides in-depth options and contacts for organizations which can help users both secure their credit and monitor for activity related to the use of their data.

Lee Neely

I’m sorry but nine months is about seven months too long to begin notifying individuals that their information has been taken. I get that there needs to be a balance between investigation and victim notification. Just remember for every day the investigation continues it’s a day the evil doer can use it, unbeknownst to the victim.

Curtis Dukes

2024-08-19

Juniper Researchers: Ransomware Operators Exploited Known Jenkins Flaw in Attack on Digital Payment System Used by Indian Banks

Researchers from Juniper Networks have provided details about a vulnerability in the Jenkins command-line interface (CLI). The vulnerability was exploited in a ransomware attack that targeted a digital payment system used by banks in India earlier this summer. On July 31, the National Payments Corporation of India (NPCI) said that the incident affected Brontoo Technology Solutions, which collaborates with C-Edge Technologies. NPCI temporarily prevented C-Edge Technologies from accessing NPCI-operated payment systems. The Juniper researchers say that the attackers leveraged a known path traversal vulnerability in Jenkins (CVE-2024-23897). The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-23897 to its Known Exploited Vulnerabilities catalog.

Editor's Note

CVE-2024-23897, a parser flaw, has a CVSS 3 base score of 9.8. The command parser replaces @ followed by a pathname with the content of that file, allowing arbitrary files to be read. CISA has a KEV due date of September 9th. Jenkins 2.442, Jenkins LTS 2.426.3 or LTS 2.440.1 disable the command parser feature which does this. Another workaround is to disable access to the CLI to prevent exploitation entirely.

Lee Neely
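As an added example (not Jenkins or args4j code, and not from the page), a toy Python re-creation of the "@pathname" expansion the note above describes, with the pre-fix behaviour beside the hardened behaviour of the fixed releases, which pass the argument through literally. The function names, the `expand_at_files` flag and the sample file are assumptions constructed for this illustration.

```python
import os
import tempfile
from typing import List

# Toy re-creation of the "@<pathname>" argument-expansion behaviour described
# for the Jenkins CLI parser (CVE-2024-23897). Names and the flag are
# illustrative assumptions; this is not Jenkins or args4j code.

def parse_cli_args(args: List[str], expand_at_files: bool) -> List[str]:
    """Return the argument vector as the command handler would see it.

    expand_at_files=True models the pre-fix behaviour: an argument '@<path>'
    is replaced by the whitespace-separated tokens of that file, so whoever
    supplies the argument decides which server-side file gets read and
    can then surface in command output or error messages.
    expand_at_files=False models the fixed releases, which disable the
    feature and keep the argument literal.
    """
    out: List[str] = []
    for arg in args:
        if expand_at_files and len(arg) > 1 and arg.startswith("@"):
            with open(arg[1:], "r", encoding="utf-8") as fh:
                out.extend(fh.read().split())
        else:
            out.append(arg)
    return out

def compare_behaviours() -> tuple:
    """Run both modes against a constructed file standing in for any
    server-side file; returns (vulnerable_result, hardened_result)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write("constructed-file-contents line2\n")  # constructed sample, not a real secret
        path = fh.name
    try:
        vulnerable = parse_cli_args(["help", "@" + path], expand_at_files=True)
        hardened = parse_cli_args(["help", "@" + path], expand_at_files=False)
    finally:
        os.unlink(path)
    return vulnerable, hardened

if __name__ == "__main__":
    v, h = compare_behaviours()
    print("with @file expansion :", v)
    print("expansion disabled   :", h)
```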

2024-08-19

Vulnerability in InPost WordPress Plugins

A critical vulnerability in the woo-InPost and InPost PL plugins for WordPress could be exploited to read and delete arbitrary files. The vulnerability has a CVSS rating of 10.0. It affects woo-InPost up to and including version 1.4.0 and InPost PL up to and including 1.4.4. The vulnerability is fixed in InPost PL version 1.4.5; woo-InPost has been closed since August 8, 2024, and no update is available.

Editor's Note

Yet another vulnerability [er, software defect] in a WordPress plug-in. The open-source plugin has had several critical vulnerabilities over the last 18 months; this continues that trend. Sometimes the open-source model comes at a cost to the end-user.

Curtis Dukes

CVE-2024, InPost for WooCommerce and InPost PL plugin vulnerabilities, CVSS score of 10, needs to be addressed post-haste. Check for both plugins. InPost-for-woocommerce should already be auto-updated to 1.4.5 or higher. If you're still running woo-InPost, you need to replace it, including uninstalling the old one.

Lee Neely

Internet Storm Center Tech Corner

Summarizing Web Honeypot Logs

https://isc.sans.edu/diary/Guest+Diary+7+minutes+and+4+steps+to+a+quick+win+A+writeup+on+custom+tools/31170

Do you like donuts? Here is a donut Shellcode Delivered Through PowerShell Python

https://isc.sans.edu/diary/Do+you+Like+Donuts+Here+is+a+Donut+Shellcode+Delivered+Through+PowerShellPython/31182

How Vulnerabilities in Microsoft Apps for MacOS allow Stealing Permissions

https://blog.talosintelligence.com/how-multiple-vulnerabilities-in-microsoft-apps-for-macos-pave-the-way-to-stealing-permissions/

Microsoft IPv6 Vulnerability CVE-2024-38063

https://x.com/f4rmpoet/status/1825472703223992323

YouTube Video

https://www.youtube.com/watch?v=miBb1llFOYQ

Digital Wallet Security Loophole

https://www.umass.edu/news/article/new-study-reveals-loophole-digital-wallet-security-even-if-rightful-cardholder-doesnt

Large Scale Cloud Extortion Operation

https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/

Chrome Redacting Credit Cards and Passwords when you share Android Screens

https://www.bleepingcomputer.com/news/google/chrome-will-redact-credit-cards-passwords-when-you-share-android-screen/

Google Products Targeted by Search Ad Scammers

https://www.malwarebytes.com/blog/scams/2024/08/dozens-of-google-products-targeted-by-scammers-via-malicious-search-ads

MakeShift: Security Analysis of Shimano Di2 Wireless Gear Shifting in Bicycles

https://www.usenix.org/system/files/woot24-motallebighomi.pdf