Jeff Goldman, Author at eSecurity Planet
https://www.esecurityplanet.com/author/jeff-goldman/
Industry-leading guidance and analysis for how to keep your business secure.
Last updated: Thu, 14 Dec 2023 16:12:28 +0000

Microsoft’s December 2023 Patch Tuesday Includes Four Critical Flaws
https://www.esecurityplanet.com/threats/patch-tuesday-december-2023/
Thu, 14 Dec 2023 16:12:26 +0000

Microsoft’s December 2023 Patch Tuesday was relatively light to end the year. Four out of the 34 flaws announced were critical. Learn how that affects you.

The post Microsoft’s December 2023 Patch Tuesday Includes Four Critical Flaws appeared first on eSecurity Planet.

Microsoft has announced a relatively light Patch Tuesday to end the year. The company’s announcement covers a total of 34 flaws, four of them critical.

Still, Immersive Labs senior threat director Kev Breen told eSecurity Planet by email that the low number of vulnerabilities shouldn’t suggest any lack of urgency or importance. “A number of the patches released have been identified as ‘more likely to be exploited,’ and as we have seen over the last several years, attackers are quick to exploit newly released patches, with the average time from patch to exploit being seven days,” he said.

Microsoft announced only one zero-day flaw this month: CVE-2023-20588, which is found in AMD processors. “A division-by-zero error on certain processors can return speculative data resulting in loss of confidentiality,” according to AMD. Microsoft has included the vulnerability in its announcement because the latest Windows updates protect against the flaw.

The severity of the flaw, it seems, is open to debate. “AMD believes the potential impact of the vulnerability is low since local access is required; however, Microsoft ranks [its] severity as important under its own proprietary severity scale,” Rapid7’s Adam Barnett observed in a blog post.

Four Critical Vulnerabilities Announced

The first of the four critical flaws announced, CVE-2023-35628, is a remote code execution vulnerability in the Windows MSHTML platform with a CVSS score of 8.1. “Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message,” Microsoft stated in its advisory.

Crucially, the flaw can be triggered without any user interaction. “In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link,” Microsoft warned. “This could result in the attacker executing remote code on the victim’s machine.”

“These kinds of zero-click exploits are always appealing to threat actors, both nation states, and financially motivated groups like ransomware operators, as they are easy to weaponize threats at scale,” Immersive’s Breen observed.

Two critical flaws in Internet Connection Sharing (ICS), CVE-2023-35630 and CVE-2023-35641, have a CVSS score of 8.8. “These vulnerabilities share similar characteristics, including an adjacent attack vector, low complexity, low privilege requirements, and no user interaction needed,” Action1 president and co-founder Mike Walters noted in a blog post.

“Care should be taken to determine if any hosts running ICS are present in networks that have grown over time and steps taken to either disable the service if not required or patch as soon as possible if ICS is required,” Immersive Labs principal cyber security engineer Rob Reeves advised by email.

The fourth critical flaw, CVE-2023-36019, is a spoofing vulnerability in the Microsoft Power Platform with a high CVSS score of 9.6. “The exploitation scenario involves an attacker crafting a malicious link, application, or file that appears legitimate to the victim,” Walters noted. “For instance, this vulnerability could be used in conjunction with malware that automatically downloads and installs itself once a user clicks on a deceptive link.”

Flaws Impacting Bluetooth & Antivirus 

Immersive Labs cyber security engineer Nikolas Cemerikic also highlighted CVE-2023-35634, a remote code execution vulnerability in the Windows Bluetooth Driver with a CVSS score of 8.0. “Should a victim be deceived into connecting to a malicious device, and the attack proves successful, the ensuing remote code execution vulnerability would result in an immediate compromise of the integrity, confidentiality, and availability of information on the targeted system,” Cemerikic observed. 

Finally, CVE-2023-36010 is a notable denial of service (DoS) vulnerability in Microsoft’s antivirus solution, Microsoft Defender, with a CVSS score of 7.5. “Interestingly, the attack vector for this vulnerability is listed as network-based, suggesting that an attacker could initiate the condition remotely from a device on the same network,” Immersive’s Reeves noted.

“DoS conditions in antivirus software are of interest to attackers as they can impede efforts to detect adversaries,” Reeves added. “In this instance, an attacker may be able to effectively disable the antivirus service before initiating lateral movement to a target, or include the DoS method as part of an initial access payload. If your enterprise network is using Windows Defender as its default antivirus product, it is important to patch this vulnerability to maintain this security functionality.”


October 2023 Patch Tuesday Includes Three Zero-Day Flaws
https://www.esecurityplanet.com/threats/patch-tuesday-october-2023/
Wed, 11 Oct 2023 15:23:05 +0000

Microsoft’s October 2023 Patch Tuesday covers 103 CVEs, including three zero-day flaws. Review our breakdown of this Patch Tuesday.

Microsoft’s Patch Tuesday for October 2023 covers a total of 103 CVEs, including three zero-day vulnerabilities: one in WordPad, one in Skype for Business, and the HTTP/2 “Rapid Reset” DDoS vulnerability.

The highest-rated of the vulnerabilities is CVE-2023-35349, a critical remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) service with a CVSS score of 9.8.

Immersive Labs principal security engineer Rob Reeves told eSecurity Planet that the attack doesn’t require credentials or authentication in order to execute code on the system. Still, he noted, “It would be considered unusual for an enterprise environment to expose the MSMQ service publicly on the internet, given a number of high-profile vulnerabilities in the service that have occurred historically, so it is reasonable to assume that to leverage this vulnerability in an attack, an attacker would have first successfully phished a target network and discovered the vulnerable service during enumeration.”

“To mitigate this vulnerability, users should protect TCP Port 1801 from untrusted connections via the firewall where possible but should also look to apply the relevant patch to fully fix the issue,” Reeves added.

Zero-Day Vulnerabilities: HTTP/2, WordPad, Skype

The zero-day flaws addressed by Microsoft are:

  • CVE-2023-36563, an information disclosure vulnerability in Microsoft WordPad with a CVSS score of 6.5
  • CVE-2023-41763, an elevation of privilege vulnerability in Skype for Business with a CVSS score of 5.3
  • CVE-2023-44487, an HTTP/2 rapid reset attack with recommended workarounds

HTTP/2 Flaw Leads to Record DDoS Attacks

The HTTP/2 protocol flaw made headlines before the Patch Tuesday list was released, as Google, AWS and Cloudflare jointly announced that the flaw affected almost all web servers and has led to record-shattering DDoS attacks.

Immersive Labs lead cyber security engineer Natalie Silva told eSecurity Planet that the HTTP/2 attack exploits a weakness in the protocol. “This attack method abuses the stream cancellation feature of HTTP/2 to continuously send and cancel requests, overwhelming the target server or application and causing a Denial of Service (DoS) state,” she said.

“The impact to customers can be significant, as it can lead to prolonged downtime, loss of access to services, and potential financial losses for businesses relying on the affected web servers,” Silva added. “It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks.”

The CVE record contains links for mitigations and patches that web server vendors and open source projects are issuing for the vulnerability.


WordPad Flaw Could Disclose NTLM Hashes

The Microsoft WordPad flaw, which could disclose NTLM hashes, requires the attacker to be logged into the system and either to run a specially crafted application or to trick a local user into opening a malicious file.

Ivanti vice president of security products Chris Goettl noted that while the CVSS score is a relatively low 6.5, “proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.”

Rapid7 lead software engineer Adam Barnett pointed out, “It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”

Skype for Business Flaw Could Expose IP Address, Ports

Regarding the Skype for Business flaw, Microsoft explained, “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker.”

In some cases, the company advised, the information exposed could provide the attacker with access to internal networks. Ivanti’s Goettl noted that, as with the WordPad flaw, the CVE should be treated as a higher severity than its rating due to the risk of exploit.


9 Critical Layer 2 Tunneling Vulnerabilities

Nine critical remote code execution flaws were identified in the Layer 2 tunneling protocol, all with a CVSS score of 8.1: CVE-2023-38166, CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, and CVE-2023-41774.

All nine vulnerabilities, Action1 president and co-founder Mike Walters noted, “possess a network-based attack vector, have a high level of complexity for successful exploitation, do not require any special privileges, and demand no user interaction.”

“To successfully exploit these vulnerabilities, an attacker must overcome a race condition,” Walters added. “An unauthenticated attacker could achieve this by sending a carefully crafted protocol message to a Routing and Remote Access Service (RRAS) server, potentially leading to remote code execution (RCE) on the targeted RRAS server computer.”

Immersive Labs senior director of threat research Kev Breen also highlighted CVE-2023-36778, a remote code execution vulnerability in Microsoft Exchange Server flagged as “exploitation more likely,” with a CVSS score of 8.0.

“The patch notes indicate that an attacker must be authenticated and local to the network; this means that an attacker must already have gained access to a host in the network,” Breen said. “This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal vulnerable targets. Just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected.”

EOL for Server 2012, Win 11 21H2

Ivanti’s Goettl also noted that this Patch Tuesday includes the final updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. “End-of-life software poses a risk to an organization,” he said. “No public updates will be available for these OS versions going forward. For Windows 11 users, this means upgrading to a new Windows 11 brand. For Server 2012/2012 R2 it is highly recommended to subscribe to ESU or migrate to a newer server edition.”


Microsoft Patch Tuesday Includes Word, Streaming Service Zero-Days
https://www.esecurityplanet.com/threats/september-2023-patch-tuesday-microsoft-word-zero-day/
Wed, 13 Sep 2023 15:47:30 +0000

Microsoft’s Patch Tuesday for September 2023 includes 59 vulnerabilities, five of them rated critical and two currently being exploited in the wild. The two vulnerabilities currently being exploited are CVE-2023-36761, an information disclosure flaw in Microsoft Word with a CVSS score of 6.2; and CVE-2023-36802, an elevation of privilege flaw in Microsoft Streaming Service with […]

Microsoft’s Patch Tuesday for September 2023 includes 59 vulnerabilities, five of them rated critical and two currently being exploited in the wild.

The two vulnerabilities currently being exploited are CVE-2023-36761, an information disclosure flaw in Microsoft Word with a CVSS score of 6.2; and CVE-2023-36802, an elevation of privilege flaw in Microsoft Streaming Service with a CVSS score of 7.8 that could provide an attacker with system privileges.

Natalie Silva, lead cyber security engineer at Immersive Labs, told eSecurity Planet that the Word vulnerability in particular poses a high risk, noting that the Preview Pane is a potential attack vector.

“Attackers could specially craft documents or files that contain malicious code or exploit vulnerabilities in the software rendering engine used by the Preview Pane,” Silva said. “When a user previews or opens such a document in the Preview Pane, malicious code can be executed, leading to potential compromise of the system.”

Exploiting the vulnerability could lead to the disclosure of Net-NTLMv2 hashes, she added. “Net-NTLMv2 hashes are used for authentication in Windows environments, and their disclosure can enable attackers to gain unauthorized access to sensitive information or systems via a relay attack or cracked offline to recover user credentials.”

Five Critical Vulnerabilities

The five critical flaws are as follows:

  • CVE-2023-29332, an elevation of privilege vulnerability in Microsoft Azure Kubernetes with a CVSS score of 7.5
  • CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796, three remote code execution vulnerabilities in Microsoft Visual Studio with a CVSS score of 7.8
  • CVE-2023-38148, a remote code execution vulnerability in Internet Connection Sharing (ICS) with a CVSS score of 8.8

Action1 vice president of vulnerability and threat research Mike Walters noted in a blog post that while CVE-2023-38148 seems particularly threatening due to its low attack complexity and since it requires no privileges or user interaction, it can only target systems in the same network segment as the attacker.

“Crossing network boundaries, such as a WAN, is not possible; it remains limited to systems connected to the same network switch or virtual network,” he wrote.

To exploit the vulnerability, Walters said, “an unauthorized attacker would send a specially crafted network packet to the ICS service, subsequently allowing for the execution of arbitrary code on the targeted system.”

“While Microsoft has not yet confirmed active exploitation of this vulnerability, they consider it highly likely,” he added. “Therefore, applying the provided security updates promptly is strongly recommended to mitigate potential risks.”


Visual Studio and Azure Kubernetes Flaws

Cisco’s Jonathan Munshaw wrote in a blog post that the three flaws in Visual Studio, which can be triggered if a user opens a specially crafted file, are noteworthy since Lazarus Group hackers are apparently using that method to target security developers and researchers on social media.

Immersive Labs cyber security engineer Nikolas Cemerkic told eSecurity Planet that the flaw in Microsoft Azure Kubernetes could provide attackers with Cluster Administration privileges, enabling them to compromise or disrupt services.

“It is worth noting that any application housed within the cluster that has to follow strict, stringent regulatory compliance measures, such as PCI, could cause them to become in violation,” Cemerkic said. “This could result in legal consequences and reputational damage.”

“While updating the Kubernetes Service is a crucial step in remediating this vulnerability, it is also essential to implement robust security measures and monitor for any suspicious activity,” he added. “Additionally, it’s important to have an incident response plan in place to swiftly detect and mitigate any security breaches to minimize the potential impact.”


Patch Tuesday Targets 74 Flaws, Including Microsoft Teams, Office
https://www.esecurityplanet.com/threats/teams-office-vulnerabilities/
Wed, 09 Aug 2023 17:33:57 +0000

Microsoft's August 2023 updates include six critical vulnerabilities, including a pair of Teams flaws that 'deserve immediate remediation attention.'

Microsoft’s Patch Tuesday for August 2023 addresses 74 vulnerabilities, six of them critical. The company also issued two advisories, one of them addressing a Microsoft Office flaw that was disclosed but unpatched in last month’s update.

The six critical vulnerabilities discussed in the release note are as follows:

The first of the two advisories, ADV230003, addresses an actively exploited remote code execution flaw that was disclosed last month without a patch. Installing the latest Office and Windows updates, the company noted, “stops the attack chain leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884).”

The second advisory, ADV230004, addresses an issue with the Memory Integrity Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe), which checks for compatibility issues with memory integrity. “The original version was published without a RSRC section, which contains resource information for a module,” Microsoft stated. “The new version addresses this issue.”

Critical Flaws in Microsoft Teams and Outlook

The two critical vulnerabilities in Microsoft Teams are particularly notable due to their low complexity and the nature of the attack vector. “An attacker would be required to trick the victim into joining a Teams meeting which would enable them to perform remote code execution in the context of the victim user,” Microsoft stated. “The attacker does not need privileges to attempt to exploit this vulnerability.”

“Given how widely Teams is used not just within organizations, but for collaboration outside of the organization in contexts requiring a level of trust of third parties not known to participants – pre-sales calls, scoping calls, industry association calls and so on – these vulnerabilities surely deserve immediate remediation attention,” Rapid7 software engineer Adam Barnett wrote in a blog post.

The critical Outlook flaw, Barnett added, presents less of a threat. “Patch Tuesday watchers will be familiar with Microsoft’s clarification that this type of exploit is sometimes referred to as arbitrary code execution (ACE) since the attack is local – a malicious document opened on the asset – even if the attacker is remote,” he wrote. “With no known public disclosure, no known exploitation in the wild, and Microsoft assessing that exploitation is less likely, this is hopefully a case of patch-and-forget.”


Message Queuing, .Net, Visual Studio Vulnerabilities

Regarding the three critical flaws in the Windows message queuing service, Jonathan Munshaw and Vanja Svajcer of Cisco Talos pointed out that message queuing needs to be manually enabled for the exploit to work, making it relatively easy to mitigate. “Users can check to see if they’re vulnerable by checking if there is a service named ‘Message Queuing’ running on their device and if port 1801 is listening on the machine,” they wrote.
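The check Talos describes (is the Message Queuing service present, is TCP 1801 listening) and the December advice to find hosts still running Internet Connection Sharing can be done from an elevated PowerShell prompt. The script below is an added example, not code from Cisco Talos, Immersive Labs or Microsoft; it assumes a modern Windows host where `Get-NetTCPConnection` is available, and uses the Windows service names `MSMQ` ("Message Queuing") and `SharedAccess` ("Internet Connection Sharing (ICS)").

```powershell
# Added example (not from the posts quoted above): report whether the MSMQ and
# ICS services are installed/running on this host and whether TCP 1801 (MSMQ)
# is listening. Assumes Windows PowerShell 5.1+ with the NetTCPIP module.

function Get-ServiceExposure {
    [CmdletBinding()]
    param(
        # Windows service names, not display names:
        # MSMQ = "Message Queuing", SharedAccess = "Internet Connection Sharing (ICS)"
        [string[]]$ServiceName = @('MSMQ', 'SharedAccess'),
        [int]$MsmqPort = 1801
    )

    # One record per service: installed or not, current status, start type.
    $services = foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Installed = [bool]$svc
            Status    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            StartType = if ($svc) { $svc.StartType.ToString() } else { '' }
        }
    }

    # MSMQ listens on TCP 1801 when the service is active; capture the bound
    # addresses so a 0.0.0.0 (all interfaces) listener stands out.
    $listener = Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue
    $portInfo = [pscustomobject]@{
        Port      = $MsmqPort
        Listening = [bool]$listener
        Addresses = ($listener | Select-Object -ExpandProperty LocalAddress -Unique) -join ', '
    }

    [pscustomobject]@{
        Services = $services
        MsmqPort = $portInfo
    }
}

$report = Get-ServiceExposure
$report.Services | Format-Table -AutoSize
$report.MsmqPort | Format-List

# Triage: a running MSMQ with 1801 listening is in scope for the MSMQ RCE patch
# and for firewalling the port; ICS running where it is not needed should be
# disabled, otherwise patched, as the December advisory coverage recommends.
$msmqRunning = $report.Services.Where({ $_.Service -eq 'MSMQ' -and $_.Status -eq 'Running' })
if ($msmqRunning -and $report.MsmqPort.Listening) {
    Write-Warning "MSMQ is running and TCP $($report.MsmqPort.Port) is listening: patch and restrict the port."
}
if ($report.Services.Where({ $_.Service -eq 'SharedAccess' -and $_.Status -eq 'Running' })) {
    Write-Warning "Internet Connection Sharing is running: disable it if not required, otherwise patch."
}
```

Run it across a fleet (for example through your endpoint management tool) and collect the `Services` and `MsmqPort` records to find hosts that still need attention.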

In a blog post, Ivanti vice president of product management Chris Goettl also highlighted CVE-2023-38180, a denial of service vulnerability in .NET and Visual Studio that has a lower severity rating but is being actively exploited. “The CVE is only rated as Important and the CVSS v3.1 score is 7.5, but taking a risk-based approach this should be treated as a higher priority this month,” he wrote.


SandboxAQ Open Sources Cryptography Management Tool for Post-Quantum Era
https://www.esecurityplanet.com/trends/sandboxaq-sandwich-cryptography-management/
Tue, 08 Aug 2023 13:00:00 +0000

SandboxAQ today introduced an open-source cryptography management framework built for the post-quantum era. The AI and quantum spin-out from Alphabet uses the Sandwich framework for its SandboxAQ Security Suite, currently used by several U.S. government agencies, global banks, telcos, and tech companies. The framework is designed to simplify cryptography management and give developers greater observability […]

SandboxAQ today introduced an open-source cryptography management framework built for the post-quantum era.

The AI and quantum spin-out from Alphabet uses the Sandwich framework for its SandboxAQ Security Suite, currently used by several U.S. government agencies, global banks, telcos, and tech companies. The framework is designed to simplify cryptography management and give developers greater observability and control.

“Modern cryptography management and cryptographic agility are becoming increasingly more essential for businesses of all sizes; however, there has been a distinct lack of open-source tools for developers to support these features,” Graham Steel, head of product for the company’s Quantum Security Group, said in a statement.

“We created Sandwich to rapidly accelerate development of our own cryptographic remediation solutions, but realized that open-sourcing these tools would enable developers to experiment with agile cryptography and advance the preparedness of the community before quantum computers can break today’s encryption standards,” Steel added.

With its Alphabet origins and former Google CEO Eric Schmidt as chairman, SandboxAQ landed a $500 million funding round earlier this year, the biggest cybersecurity round of 2023 thus far, with an A-list of investors that includes Schmidt, Salesforce CEO Marc Benioff, T. Rowe Price, Breyer Capital, Guggenheim Partners, AI investor and film producer Thomas Tull, Paladin Capital Group, and others.


Changing Algorithms Without Changing Code

The Sandwich framework lets developers build their own “sandwich” of protocols and implementations they want available at runtime, which are compiled as a Sandwich object.

Sandwich’s API enables developers to embed cryptographic algorithms into their applications, then change or reconfigure them in response to new threats and the development of new technologies without rewriting code.

SandboxAQ says the API also helps developers avoid common mistakes made when manipulating cryptography at a low level, and helps audit teams verify that cryptography is being used in accordance with company policies.

The open-source solution can be embedded into internal applications and commercial software. It supports multiple languages (C/C++, Rust, Python, Go, and others), operating systems (MacOS and Linux), and cryptographic libraries (OpenSSL, BoringSSL and libOQS), with future additions planned.


Anticipating Post-Quantum Challenges

“Quantum computers will necessitate a complete reengineering of cryptographic systems, including implementing new hardware and software solutions, but many organizations are taking a wait-and-see approach before committing to a particular strategy,” SandboxAQ vice president of product Nadia Carlsten said.

“Sandwich provides developers with a risk-free means to explore post-quantum cryptography, share questions and insights with community members, build cryptographic solutions that protect their organization, and potentially generate revenue from commercial applications they develop,” Carlsten added.

Future plans for the solution include the ability to create smaller and larger “sandwiches” to access basic or broad functionality, as well as multi-layered “sandwiches” with an array of functions, such as enabling access to cryptography at different abstraction levels.


New SEC Rules Require Breach Disclosure within Four Days
https://www.esecurityplanet.com/trends/sec-breach-disclosure-rules/
Thu, 27 Jul 2023 23:55:00 +0000

The U.S. Securities and Exchange Commission this week announced new rules mandating the disclosure of cybersecurity incidents as well as ongoing risk management, strategy, and governance. The rules, which will become effective 30 days after publication, require public companies to disclose any cybersecurity incident they determine to be material within four business days, detailing its […]

The U.S. Securities and Exchange Commission this week announced new rules mandating the disclosure of cybersecurity incidents as well as ongoing risk management, strategy, and governance.

The rules, which will become effective 30 days after publication, require public companies to disclose any cybersecurity incident they determine to be material within four business days, detailing its nature, scope, timing, and actual or expected material impact.

Delays in disclosure are only permissible “if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing,” according to the SEC.

Separately, the new Regulation S-K Item 106 requires public companies to detail their processes for identifying and managing risks from cyber threats, the role of management and the board of directors in managing such risks, and the potential impact from cyber threats and from any previous cybersecurity incidents.

A Focus on Shareholders

Stressing the potential impact of an incident on shareholders, SEC chair Gary Gensler said in a statement that a cybersecurity incident can be as material to investors as a company’s factory burning down in a fire.

“Currently, many public companies provide cybersecurity disclosure to investors,” Gensler said. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Still, Exabeam CISO Tyler Ferrar told eSecurity Planet by email that he’s hopeful the rules will benefit consumers too by encouraging better security.

“With the new rules in place, companies may be more incentivized to avoid the reputational damage and potential drop in stock value that could follow a public breach disclosure,” Ferrar said. “This added layer of accountability can thus create a safer environment for consumers’ personal information.”


National Data Privacy Law Still Needed

Traceable AI CSO Richard Bird said the new rules are an insufficient response to a much larger problem. “Rather than exhibiting the courage and coordination required to create something as crucial as a national data privacy law, once again agencies like the SEC are pushing for faster breach notifications in the hopes that the American people will think the government is addressing the need for stronger cybersecurity,” he said. “But breach notices are not security – and never will be.”

The problem, Bird said, lies in viewing security through a rearview mirror. “Breach notices are an outcome, not a protection,” he said. “The enormous resistance of our federal government to mandate basic security principles as a requirement for doing business in our nation is inexcusable. It is time for it to treat cybersecurity as a proactive measure rather than an afterthought.”

The Biden Administration has proposed a national data privacy law as part of its cybersecurity strategy – but such a law would face resistance in the current divided Congress.


Getting Ready to Respond

Safe Security CEO and co-founder Saket Modi said by email that organizations will need to move fast to be ready to follow the new rules, particularly since it may not be easy to determine what the key word “material” actually means. “Most organizations are not prepared to comply with the SEC guidelines, as they cannot determine materiality, which is core to shareholder protection,” he said. “They lack the systems to quantify risk at broad and granular levels.”

However, KnowBe4 security awareness advocate James McQuiggan pointed out that while the requirements may seem aggressive, they’re far more lax than those in many other countries. “Within the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident,” he said. “In other countries like China and Singapore, it’s 24 hours. India has to report the breach within six hours. Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when.”

Private Companies May Be Affected

The focus on shareholders creates something of a two-tier cybersecurity regulation system between public and private companies – and their customers.

But Jeffrey Wheatman, senior vice president and cyber risk evangelist at Black Kite, said private companies should also take note of the new rules, since they may be working with customers or vendors who will need to comply with them.

Key steps for such companies to take, Wheatman said, include the following:

  • Speak with security teams and find out what security and risk management programs they have in place — this should also be articulated to the board and C-Suite.
  • Create a process for drafting 8-Ks (a report of unscheduled material events or corporate changes at a company that could be of importance to the shareholders or the SEC) faster, which can include a template for different types of breaches and attacks to meet the deadline for reporting them.
  • Put a cyber expert on the board of directors — right now, this role is often missing on the board and can help expedite and manage security challenges.
  • Have an automated solution in place to help you fully understand and manage third-party risk — this will help get ahead of breaches and identify compliance and security gaps before they become a point of compromise for your organization.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Microsoft Unsure How Chinese Hackers Stole MSA Key to Breach U.S. Agencies
https://www.esecurityplanet.com/threats/stolen-msa-key/ (Tue, 18 Jul 2023 21:27:07 +0000)

Microsoft has hardened security following a Chinese hack of U.S. government agency email accounts, but some details remain a mystery.

Even as the threat has passed, Microsoft officials are still analyzing how a Chinese threat group was able to access U.S. government accounts using a stolen inactive Microsoft account (MSA) consumer signing key.

Chinese hacker group Storm-0558 breached an undisclosed number of email accounts belonging to 25 organizations, including U.S. government agencies, over the past month using authentication tokens forged with the stolen MSA key.

In an update on the issue published late last week, Microsoft Threat Intelligence said an analysis of the Exchange Online activity revealed that “the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key. This was made possible by a validation error in Microsoft code. The use of an incorrect key to sign the requests allowed our investigation teams to see all actor access requests which followed this pattern across both our enterprise and consumer systems. … Microsoft’s investigations have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.”

Microsoft said it’s unsure how the threat actor was able to steal the key. “The method by which the actor acquired the key is a matter of ongoing investigation,” the Threat Intelligence team wrote. “Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”

Microsoft said it has taken a number of other steps, and no other action is required by customers. “We have substantially hardened key issuance systems since the acquired MSA key was initially issued,” the company said. “This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems.”

The attack was discovered by a U.S. government agency using premium Microsoft 365 logging data. As a result, Microsoft said it will “include access to wider cloud security logs for our worldwide customers at no additional cost.”

MSA Key Used to Breach Azure AD

Leveraging the validation error, the hackers were able to use the stolen consumer-level key to access enterprise systems, said a Microsoft Security Response Center (MSRC) blog post. “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” MSRC said. “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.”
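The cross-system key confusion described above, modelled in Python as an added example (not Microsoft's code): a toy HMAC-signed token format with separate consumer and enterprise key stores, where the vulnerable verifier resolves a key id against a merged set while the hardened one only consults the store that belongs to the expected issuer. Key ids, secrets, issuer URLs and the token format are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key stores standing in for the two separate issuance systems
# (MSA consumer keys vs. Azure AD enterprise keys). Secrets are made up.
CONSUMER_KEYS = {"msa-2016-01": b"consumer-signing-secret-constructed"}
ENTERPRISE_KEYS = {"aad-2023-04": b"enterprise-signing-secret-constructed"}

CONSUMER_ISSUER = "https://consumer.example.test"
ENTERPRISE_ISSUER = "https://enterprise.example.test"

# Each issuer may only be vouched for by its own key store.
KEY_STORE_FOR_ISSUER = {
    CONSUMER_ISSUER: CONSUMER_KEYS,
    ENTERPRISE_ISSUER: ENTERPRISE_KEYS,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(header: dict, claims: dict, key: bytes) -> str:
    """Toy compact token (header.payload.signature) signed with HMAC-SHA256.
    Illustrative format only, not Microsoft's token scheme."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return h, p, json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)


def _signature_ok(h: str, p: str, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_vulnerable(token: str, expected_issuer: str):
    """Flawed verifier: resolves 'kid' against a merged key set, so a key from
    the consumer system can validate a token that claims the enterprise issuer."""
    h, p, header, claims, sig = _parse(token)
    merged = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(h, p, sig, key):
        return None
    if claims.get("iss") != expected_issuer:
        return None
    return claims  # accepted: issuer claim matches, but the key was never scoped


def verify_hardened(token: str, expected_issuer: str):
    """Scoped verifier: the expected issuer selects the only key store that may
    be consulted, so a consumer key can never validate an enterprise token."""
    h, p, header, claims, sig = _parse(token)
    if claims.get("iss") != expected_issuer:
        return None
    store = KEY_STORE_FOR_ISSUER.get(expected_issuer, {})
    key = store.get(header.get("kid"))
    if key is None or not _signature_ok(h, p, sig, key):
        return None
    return claims


def cross_system_token() -> str:
    """Test input: a token claiming the enterprise issuer but signed with the
    consumer key, i.e. the key-scope confusion the incident write-up describes."""
    kid, key = next(iter(CONSUMER_KEYS.items()))
    claims = {"iss": ENTERPRISE_ISSUER, "sub": "user@enterprise.example.test"}
    return sign_token({"alg": "HS256", "kid": kid}, claims, key)


def legitimate_enterprise_token() -> str:
    """Test input: a token signed by the enterprise key store for its own issuer."""
    kid, key = next(iter(ENTERPRISE_KEYS.items()))
    claims = {"iss": ENTERPRISE_ISSUER, "sub": "user@enterprise.example.test"}
    return sign_token({"alg": "HS256", "kid": kid}, claims, key)
```

The vulnerable verifier accepts the cross-system token because its issuer check runs after a key lookup that ignored which system issued the key; the hardened verifier rejects it while still accepting a properly issued enterprise token.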

The attack, Microsoft says, has now been mitigated for all users. “We added substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments, and we have found no evidence of further access,” Microsoft Security EVP Charlie Bell wrote in a blog post.

The Washington Post named the U.S. Departments of Commerce and State as victims and reported that one of the people whose email accounts were breached was U.S. Secretary of Commerce Gina Raimondo. Still, a senior FBI official told the Post that no classified information was accessed.

Also read: How to Improve Email Security for Enterprises & Businesses

Sophisticated Authentication Hack

Microsoft noted that Storm-0558’s core working hours are impressively businesslike, from 8 a.m. to 5 p.m. China Standard Time, Monday through Friday. “In past activity observed by Microsoft, Storm-0558 has primarily targeted U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests,” the company stated.

“Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers,” Microsoft added. “The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks.”

Microsoft’s investigation determined that, starting on May 15, 2023, Storm-0558 had accessed email data from a range of organizations, as well as consumer accounts belonging to people linked to those organizations. Microsoft’s investigation began after a customer report on June 16.

Also read: How DMARC Can Protect Against Phishing & Ransomware

The Importance of Email Security

KnowBe4 security awareness advocate Erich Kron told eSecurity Planet that the attack should serve as a reminder of the dangers of breached email accounts. “Not only do many of us use our email accounts to reset passwords, potentially to platforms these bad actors would like to access, but there are also conversations that have taken place that can be used to attempt to steal information or take actions,” he said. “It’s not unusual to see a bad actor restart an email thread, or take an active role in email discussions through the compromised account, using the trust built through previous interactions to victimize people.”

“Email is also the source of a lot of potentially sensitive information that is shared within an organization,” Kron added. “People tend to trust internal organizationally managed email systems to have conversations about sensitive topics, something they would not do using a commercial email platform such as Gmail or Hotmail.”

Multi-factor authentication (MFA) is always a good idea to help protect against account takeover, but it’s not foolproof. “In this case, because they are using forged tokens, protections may be limited by MFA,” Kron said. “It is very important that users report potential email oddities, such as receiving a notification of an email received but having it missing from the inbox, as that may be a sign of a bad actor communicating with someone else, then trying to cover their tracks.”

Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos
https://www.esecurityplanet.com/threats/malicious-microsoft-drivers/ (Thu, 13 Jul 2023 20:35:32 +0000)
After Microsoft revealed that some signed Windows drivers are malicious, security researchers discussed how big the problem is.

After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.

Talos researcher Chris Neal discussed how the security problem evolved in a blog post.

“Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority,” Neal wrote. “Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection.”

Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. “This process is intended to ensure that drivers meet Microsoft’s requirements and security standards,” he wrote.

Still, there are exceptions – most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015.

If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won’t be blocked. “As a result, multiple open source tools have been developed to exploit this loophole,” Neal wrote.

And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos “has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.”

Forged Timestamps

Neal said that two timestamp forging tools that are popular ways of developing game cheats are now being used by threat actors. The tools are FuckCertVerifyTimeValidity, which was launched in 2018; and HookSignTool, available since 2019.

“To successfully forge a signature, HookSignTool and FuckCertVerifyTimeValidity require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password,” Neal wrote. “During our research, we identified a PFX file hosted on GitHub in a fork of FuckCertVerifyTimeValidity that contained more than a dozen expired code signing certificates frequently used with both tools to forge signatures.”

Both tools present a serious threat, Neal said, since malicious drivers can give attackers kernel-level access to a system.

“Microsoft, in response to our notification, has blocked all certificates discussed in this blog post,” he noted.

A Real-World Example

In a separate blog post, Neal described one example of the threat, a malicious driver named RedDriver that’s been active since at least 2021. “Bypassing the driver signature enforcement policies by using HookSignTool allows a threat actor to deploy drivers that would otherwise be blocked from running,” he wrote. “RedDriver is a real-world example of this tool being effectively used in a malicious context.”

“During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows … RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1),” Neal wrote.

“As of publication time, the end goal of this browser traffic redirection is unclear,” he added. “However, regardless of intent, this is a significant threat to any system infected with RedDriver, as this allows all traffic through the browser to be tampered with.”

Defending Against Signed Drivers

Neal recommended blocking the certificates in question, “as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. However, it is important to note that compilation dates can be altered to match signature timestamps.”
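An added Python example (not Talos's tooling) of the timestamp comparison Neal describes: it reads the compile timestamp from a PE file header and flags a signature whose timestamp predates the build, or a pre-cutoff certificate on a driver compiled after the cutoff. In practice the signing time and certificate validity would be taken from the Authenticode signature; here they are passed in by the caller, and the PE bytes are constructed.

```python
import struct
from datetime import datetime, timezone

# Cutoff from the signing policy exception discussed above: certificates
# issued before this date are not subject to the Developer Portal requirement.
POLICY_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


def pe_compile_time(pe: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)
    from a PE image. Raises ValueError if the headers are malformed."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_driver(pe: bytes, signing_time: datetime, cert_not_before: datetime) -> list:
    """Return a list of findings (empty means nothing suspicious).
    Caveat from the write-up: a compile timestamp can itself be altered to
    match a forged signing time, so treat this as one signal alongside
    hash- and certificate-based blocking, not as proof."""
    findings = []
    compiled = pe_compile_time(pe)
    # A genuine signature cannot predate the binary it covers.
    if signing_time < compiled:
        findings.append("signature timestamp precedes compile timestamp")
    # A pre-cutoff certificate on a post-cutoff build is exactly the pattern
    # the policy loophole enables; worth review even if not proof of forgery.
    if cert_not_before < POLICY_CUTOFF and compiled >= POLICY_CUTOFF:
        findings.append("pre-2015-07-29 certificate on a driver compiled after the cutoff")
    return findings


def build_pe_stub(compile_time: datetime) -> bytes:
    """Construct a minimal PE-like byte string carrying the given TimeDateStamp.
    Only the fields pe_compile_time() reads are meaningful; the rest is padding."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, int(compile_time.timestamp()), 0, 0, 240, 0x22)
    return bytes(dos) + b"PE\x00\x00" + file_header


def demo() -> dict:
    """Constructed case: a driver built in 2022 whose signature claims a 2014
    signing time under a certificate issued in 2013."""
    pe = build_pe_stub(datetime(2022, 3, 1, tzinfo=timezone.utc))
    return {
        "suspicious": assess_driver(pe, datetime(2014, 5, 1, tzinfo=timezone.utc),
                                    datetime(2013, 1, 1, tzinfo=timezone.utc)),
        "consistent": assess_driver(pe, datetime(2022, 3, 2, tzinfo=timezone.utc),
                                    datetime(2021, 1, 1, tzinfo=timezone.utc)),
    }
```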

KnowBe4 data-driven defense evangelist Roger Grimes told eSecurity Planet by email that an even greater threat could be presented if an attacker were to create something highly wormable. “A wormable exploit using a bogus signing certificate could cause a lot of problems,” he said.

The good news, Grimes said, is that all of this is preventable. “Microsoft provides several ways, such as Windows Defender Application Control, to prevent unwanted installing of drivers and software,” he said. “Customers just have to research how they work and enable them. Then this entire threat is gone.”

Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit
https://www.esecurityplanet.com/threats/romcom-exploit/ (Wed, 12 Jul 2023 18:01:18 +0000)
Microsoft's latest vulnerabilities include more than 100 malicious drivers and an unusual announcement of an unpatched Office and Windows flaw.

Microsoft’s Patch Tuesday for July 2023 includes nine critical flaws, and five are actively being exploited. Notably, one of those five remains unpatched at this point.

“While some Patch Tuesdays focus on fixes for minor bugs or issues with features, these patches almost purely focus on security-related issues,” Cloud Range vice president of technology Tom Marsland said by email. “They should be pushed to vulnerable machines immediately.”

The July 2023 fixes include updates for 130 vulnerabilities, a significant increase from last month’s total of 78. Here are the details.

See the Top Patch Management Tools

Malicious Drivers Addressed by Advisory

Microsoft also released a pair of advisories. The first, ADV230001, warns that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) are being used maliciously by attackers who have gained admin privileges on compromised systems. The issue was first discovered by Sophos researchers on February 9.

“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified,” Microsoft said. “We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”

In a blog post, SophosLabs principal researcher Andrew Brandt reported that the advisory was published following a Sophos research discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021.

The second advisory, ADV230002, notes that Trend Micro released a patch in March for CVE-2023-28005, a secure boot bypass vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption. “Subsequently Microsoft has released the July Windows security updates to block the vulnerable UEFI modules by using the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list,” Microsoft said.

Actively Exploited Flaws

Microsoft identified five vulnerabilities that are being actively exploited:

  • CVE-2023-32046, an elevation of privilege vulnerability in Windows MSHTML with a CVSS score of 7.8
  • CVE-2023-32049, a security feature bypass vulnerability in Windows SmartScreen with a CVSS score of 8.8
  • CVE-2023-36874, an elevation of privilege vulnerability in the Windows Error Reporting Service with a CVSS score of 7.8
  • CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML with a CVSS score of 8.3
  • CVE-2023-35311, a security feature bypass vulnerability in Microsoft Outlook with a CVSS score of 8.8

Ivanti vice president of security products Chris Goettl said by email that CVE-2023-32046 could be leveraged in a variety of ways, including email and web-based attacks. “If exploited, the attacker would gain the rights of the user that is running the affected application, so running least privilege would help to mitigate the impact of this vulnerability and force the attacker to take additional steps to take full control of the target system,” he wrote.

Action1 vice president of vulnerability and threat research Mike Walters observed in a blog post that CVE-2023-35311 requires user interaction but not elevated privileges. “It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” he wrote. “Therefore, attackers are likely to combine it with other exploits for a comprehensive attack.”

CVE-2023-36874, Walters noted, can be exploited locally with low complexity and without requiring elevated privileges or user interaction. “To exploit this vulnerability, an attacker needs to gain access to the system using other exploits or harvested credentials,” he wrote. “The compromised user account must have the ability to create folders and performance traces on the computer, which is typically available to normal users by default.”

Unpatched RomCom Office Exploit

In an unusual move, CVE-2023-36884 was announced with no patch yet available.

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products,” Microsoft said. “Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company added. “This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

A separate Microsoft blog post links CVE-2023-36884 to a phishing campaign by a Russian hacker group named Storm-0978 or RomCom, which has been “targeting defense and government entities in Europe and North America” by “using lures related to the Ukrainian World Congress.” The campaign was first detected in June 2023.

Microsoft Defender for Office 365 protects users from attachments designed to exploit CVE-2023-36884. Microsoft said organizations that don’t have those protections can set the registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION to avoid exploitation.

“Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications,” the company added.

Rapid7 lead software engineer Adam Barnett told eSecurity Planet that a patch could be issued as part of next month’s Patch Tuesday, but admins should be alert for a potential earlier fix.

“Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-26884,” Barnett said.

Remote Desktop Flaw

Cyolo head of research Dor Dali highlighted CVE-2023-35332, a security feature bypass flaw in Windows Remote Desktop Protocol with a CVSS score of 6.8. The issue is linked to the fact that the RDP Gateway enforces the use of Datagram Transport Layer Security (DTLS) version 1.0, which has been deprecated since March 2021 due to known flaws.

“This vulnerability not only presents a substantial security risk, but also a significant compliance issue,” Dali said by email. “The use of deprecated and outdated security protocols, such as DTLS 1.0, may lead to non-compliance with industry standards and regulations – like SOC2, FEDRAMP, PCI, HIPAA, and others.”

If it’s not possible to apply Microsoft’s update, Dali recommends simply disabling UDP support in the RDP Gateway. “This prevents the establishment of the secondary channel over UDP, eliminating the use of the deprecated DTLS 1.0 and thereby mitigating the vulnerability – a necessary step that could potentially impact performance, but that will ensure security and compliance until the server can be updated,” he said.

Also read: Secure Access for Remote Workers: RDP, VPN & VDI

Enterprise SIEMs Miss 76 Percent of MITRE ATT&CK Techniques
https://www.esecurityplanet.com/networks/siem-mitre-attack/ (Tue, 27 Jun 2023 17:32:53 +0000)
Most SIEM systems are missing the vast majority of MITRE ATT&CK techniques. Here's what to do.

Security information and event management (SIEM) systems only have detections for 24 percent of the 196 techniques in MITRE ATT&CK v13, according to a new report.

“This implies that adversaries can execute around 150 different techniques that will be undetected by the SIEM,” says the CardinalOps report. “Or stated another way, SIEMs are only covering around 50 techniques out of all the techniques that can potentially be used by adversaries.”

The Third Annual Report on the State of SIEM Detection Risk by detection posture management vendor CardinalOps is based on analysis of configuration metadata from a wide variety of SIEM instances, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, across verticals that include banking and financial services, insurance, manufacturing, energy, media and telecom, professional and legal services, and managed security services providers (MSSPs) and managed detection and response (MDR) vendors.

See the Top SIEM Solutions

Misconfigured SIEM Rules

The researchers also found that 12 percent of all SIEM rules are broken and will never fire due to issues like misconfigured data sources, missing fields, and parsing errors.

“Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice, creating a false impression of their detection posture,” the report states.

Key reasons for that gap, according to CardinalOps, include complexity, constant change, the unique nature of each enterprise, error-prone manual processes, and challenges in hiring and retaining skilled personnel.

Also read: 5 Ways to Configure a SIEM for Accurate Threat Detection

Plenty of Data, Not Enough Detections

At the same time, CardinalOps found that SIEMs already ingest enough data to cover 94 percent of all MITRE ATT&CK techniques. “This suggests we don’t need to collect more data, but rather we need to scale our detection engineering processes to develop more detections faster,” the report states.
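An added Python sketch (not CardinalOps's method) that ties the two findings above together, the broken rules and the gap between assumed and actual coverage: a rule whose data source is not ingested, or which references fields the source's parser never emits, can never fire, so ATT&CK coverage claimed from rule tags overstates the coverage that actually works. The rule set, the simplified query syntax and the source schemas are constructed.

```python
import re
from dataclasses import dataclass

ATTACK_TECHNIQUE_COUNT = 196  # MITRE ATT&CK v13 technique count cited in the report


@dataclass
class Rule:
    name: str
    techniques: set   # ATT&CK technique IDs the rule is tagged with
    query: str        # simplified search: field=value AND field=value
    source: str       # data source the query runs against


# Constructed sample: ingested data sources and the fields their parsers emit.
SOURCE_SCHEMAS = {
    "windows_security": {"EventID", "SubjectUserName", "NewProcessName", "CommandLine"},
    "sysmon": {"EventID", "Image", "ParentImage", "CommandLine"},
    "okta": set(),  # ingested, but the parser currently emits no fields (parsing error)
}

# Constructed sample rules; comments mark the ones that can never fire.
RULES = [
    Rule("susp_powershell", {"T1059.001"}, "EventID=4688 AND CommandLine=*powershell*", "windows_security"),
    Rule("lsass_access", {"T1003.001"}, "EventID=10 AND TargetImage=*lsass.exe", "sysmon"),  # TargetImage not parsed
    Rule("mfa_fatigue", {"T1621"}, "eventType=user.mfa.deny", "okta"),  # source parses nothing
    Rule("scheduled_task", {"T1053.005"}, "EventID=4698", "windows_security"),
    Rule("wmi_exec", {"T1047"}, "EventID=1 AND ParentImage=*WmiPrvSE.exe", "sysmon"),
    Rule("old_proxy", {"T1090"}, "EventID=3 AND Image=*", "zeek"),  # source not ingested
]

FIELD_RE = re.compile(r"(\w+)\s*=")


def referenced_fields(query: str) -> set:
    """Field names the (simplified) query filters on."""
    return set(FIELD_RE.findall(query))


def rule_problems(rule: Rule) -> list:
    """Reasons a rule can never fire: missing data source, or referenced fields
    that the source's parser does not produce."""
    schema = SOURCE_SCHEMAS.get(rule.source)
    if schema is None:
        return [f"data source '{rule.source}' is not ingested"]
    missing = referenced_fields(rule.query) - schema
    if missing:
        return [f"fields not present in '{rule.source}': {sorted(missing)}"]
    return []


def detection_posture(rules) -> dict:
    """Compare ATT&CK coverage claimed by rule tags with coverage from rules
    that can actually fire against the ingested data."""
    broken = {r.name: rule_problems(r) for r in rules if rule_problems(r)}
    claimed = set().union(*(r.techniques for r in rules))
    working = set().union(*(r.techniques for r in rules if r.name not in broken))
    return {
        "claimed_techniques": len(claimed),
        "working_techniques": len(working),
        "claimed_pct": round(100 * len(claimed) / ATTACK_TECHNIQUE_COUNT, 1),
        "working_pct": round(100 * len(working) / ATTACK_TECHNIQUE_COUNT, 1),
        "broken_rules": broken,
        "broken_rule_pct": round(100 * len(broken) / len(rules), 1) if rules else 0.0,
    }
```

Run over the constructed rule set, half the rules turn out to be dead, and the working-technique count is half the claimed one; the same check against a real rule export and parser field list is the "periodically identify detections that are no longer functional" step the report asks for.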

Security layers monitored by SIEMs, according to the findings, include Windows (96 percent), Network (96 percent), Identity and Access Management (96 percent), Linux/Mac (87 percent), Cloud (83 percent), and Email (78 percent).

Still, just 32 percent monitor containers. “One explanation for this might be that, due to the dynamic nature of microservices-based application environments, monitoring them can be a hefty challenge and they are likely to bring a significant volume of data to SIEM platforms,” the report suggests. “Another explanation might be that detection engineers are challenged by the prospect of writing high-fidelity detections to alert on anomalous activity for these highly-dynamic assets.”

Key Steps to Take

The report offers four key recommendations to enhance SIEM detection coverage and quality — starting with reviewing current SIEM processes.

The other three recommendations are:

  • Become more intentional about how you develop and manage detection content
  • Build or refresh your use case management processes
  • Measure and continuously improve

As part of the first step of reviewing current processes, the report offers a number of avenues for inquiry:

  • What is the approach for finding false negatives – and what adversary techniques, behaviors, and threats are being missed?
  • How are use cases managed and prioritized? “Typically, we find they’re added to the backlog via an ad-hoc process,” driven by a combination of:
      • Threat analysts and threat intelligence
      • Breach and attack simulation (BAS) tools
      • News about high-profile attacks and vulnerabilities
      • Manual pentesting
      • Red teaming
  • How are detections developed today and what is the process for turning threat knowledge into detections?
  • How long does it typically take to develop new detections?
  • Is there a systematic process to periodically identify detections that are no longer functional due to infrastructure changes, changes in vendor log source formats, etc.?

“Most organizations don’t have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs,” CardinalOps CEO and co-founder Michael Mumcuoglu said in a statement. “This is important because preventing breaches starts with having the right detections in your SIEM – according to the adversary techniques most relevant to your organization – and ensuring they’re actually working as intended.”

Read next: Implementing and Managing Your SIEM Securely: A Checklist
