Decipher (https://decipher.sc) is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Contact: info@decipher.sc (Amy Vazquez). Copyright 2022.

Node.js Update Fixes High Severity Flaws
By Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/node-js-update-fixes-high-severity-flaws

A new security update for the Node.js JavaScript framework fixes several vulnerabilities, including a pair of HTTP request smuggling flaws and an updated patch for a DNS rebinding bug that was not fixed completely in a previous release.

The DNS rebinding vulnerability only affects macOS devices and was disclosed originally in July. However, the fix for the vulnerability only addressed part of the issue, so the Node.js maintainers have released an updated fix for it.

“The fix for CVE-2022-32212 covered the cases for routable IP addresses; however, there exists a specific behavior on macOS devices when handling the URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the .local domain,” the September advisory says.

“An attacker-controlled DNS server can resolve .local to any arbitrary IP address, and consequently cause the victim's browser to load arbitrary content at This allows the attacker to bypass the DNS rebinding protection.”

The bug affects all versions of 18.x, 16.x, and 14.x of Node.js.
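A defensive illustration of the point the advisory makes, added here and not taken from Node.js or from the advisory: a Host-header check for a service that should only be reachable from the same machine. The function names, the loopback-only policy and the sample inputs are this example's own assumptions, and Node's actual inspector check is not reproduced. The idea is that a name such as `something.local` cannot be trusted to mean "this machine", because a resolver the attacker controls decides where it points, so the check admits only `localhost` and literal loopback addresses and rejects `.local` names outright.

```javascript
// Added example (not Node.js code): a conservative Host-header check for a
// service that must only be reachable from the local machine. Names under
// .local are treated as untrusted because their resolution is out of the
// service's control; only "localhost" and literal loopback IPs are admitted.

function normalizeHost(hostHeader) {
  let host = hostHeader.trim().toLowerCase();
  // Bracketed IPv6 literal, optionally followed by :port  ->  "[::1]:9229"
  const v6 = host.match(/^\[([0-9a-f:.]+)\](?::\d{1,5})?$/);
  if (v6) return v6[1];
  // Everything else: strip an optional :port, then a trailing dot (FQDN form).
  // Note: an unbracketed IPv6 literal is not valid in a Host header and ends
  // up mangled here, which is the conservative (reject) outcome.
  host = host.replace(/:\d{1,5}$/, '');
  return host.replace(/\.$/, '');
}

function isLoopbackIPv4(host) {
  // Exactly four dotted decimal octets, first octet 127 (127.0.0.0/8)
  const parts = host.split('.');
  if (parts.length !== 4) return false;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) && octets[0] === 127;
}

function isLoopbackIPv6(host) {
  // Accept the canonical ::1 and its fully expanded form
  return host === '::1' || host === '0:0:0:0:0:0:0:1';
}

function isHostAllowedForLocalService(hostHeader) {
  const host = normalizeHost(hostHeader);
  if (host === '') return false;
  // .local (mDNS) names are rejected outright, whatever they resolve to
  if (host === 'local' || host.endsWith('.local')) return false;
  if (host === 'localhost') return true;
  return isLoopbackIPv4(host) || isLoopbackIPv6(host);
}

// Constructed sample Host header values for a quick self-check
const SAMPLE_HOSTS = [
  'localhost:9229',            // allowed
  '[::1]:9229',                // allowed
  '127.0.0.1',                 // allowed
  'mybox.local:9229',          // rejected: .local name
  '127.0.0.1.attacker.test',   // rejected: not a loopback literal
];

for (const h of SAMPLE_HOSTS) {
  console.log(`${h.padEnd(26)} -> ${isHostAllowedForLocalService(h) ? 'allow' : 'reject'}`);
}
```

The check deliberately works on the literal Host value and never consults DNS: a name that has to be resolved to decide whether it is local is exactly the input an attacker-controlled resolver can manipulate.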

One of the HTTP request smuggling bugs (CVE-2022-32215) is also an update to address an incomplete fix. The other (CVE-2022-35256) is a newly discovered bug that involves the way that Node.js handles headers in some cases.

“This vulnerability relates to the handling of header fields immediately preceding a header such as Transfer-Encoding. When the preceding header is not properly terminated with a CRLF - and when the value is empty - node will accept the Transfer-Encoding header (or most other headers such as Content-Length). This malformed request should be rejected by the HTTP server. If it is not rejected, it may be used for HTTP request smuggling,” an analysis by Octavia Johnston of Prelude, which discovered the bug, says.
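As an added example (not Node's HTTP parser and not code from the Prelude analysis), the following strict header-block validator shows the check the analysis says should have happened: every header line must end with a full CRLF, so a line terminated by a bare LF or CR is rejected before any Transfer-Encoding or Content-Length value is honored. It also refuses a request head that carries both framing headers. The function name and the sample request heads are constructed for this example.

```javascript
// Added example (not Node.js code): a strict HTTP/1.1 header-block validator.
// Input: the raw request head as a string, from the request line up to and
// including the blank line (CRLF CRLF) that ends the headers.
// Returns { ok: true, headers } or { ok: false, reason }.

function parseStrictHeaderBlock(rawHead) {
  // A well-formed head is: request-line CRLF, *(header-line CRLF), CRLF
  if (!rawHead.endsWith('\r\n\r\n')) {
    return { ok: false, reason: 'header block not terminated by CRLF CRLF' };
  }
  const body = rawHead.slice(0, -4);          // drop the terminating blank line
  const [requestLine, ...headerLines] = body.split('\r\n');
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) {
    return { ok: false, reason: 'malformed request line' };
  }

  const headers = {};
  for (const line of headerLines) {
    // After splitting on CRLF, any remaining CR or LF means a line was ended
    // by a bare LF or bare CR rather than a full CRLF: reject, do not repair.
    if (line.includes('\r') || line.includes('\n')) {
      return { ok: false, reason: 'bare CR or LF inside header line' };
    }
    const colon = line.indexOf(':');
    if (colon <= 0) {
      return { ok: false, reason: `header line without a name: ${JSON.stringify(line)}` };
    }
    const name = line.slice(0, colon);
    if (!/^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/.test(name)) {   // RFC 9110 token chars
      return { ok: false, reason: `invalid header name ${JSON.stringify(name)}` };
    }
    const value = line.slice(colon + 1).trim();          // empty values are legal
    const key = name.toLowerCase();
    headers[key] = key in headers ? `${headers[key]}, ${value}` : value;
  }

  // Desync guard: a request must be framed by one mechanism, never both
  if ('transfer-encoding' in headers && 'content-length' in headers) {
    return { ok: false, reason: 'both Transfer-Encoding and Content-Length present' };
  }
  return { ok: true, headers };
}

// Constructed sample request heads (not real traffic)
const GOOD_HEAD =
  'POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n';
// The shape the analysis describes: an empty-valued header line ended by a
// bare LF immediately before Transfer-Encoding.
const BAD_BARE_LF_HEAD =
  'POST /upload HTTP/1.1\r\nHost: example.test\r\nX-Empty:\nTransfer-Encoding: chunked\r\n\r\n';
const BAD_DOUBLE_FRAMING_HEAD =
  'POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n';

for (const [label, head] of Object.entries({ GOOD_HEAD, BAD_BARE_LF_HEAD, BAD_DOUBLE_FRAMING_HEAD })) {
  const result = parseStrictHeaderBlock(head);
  console.log(`${label.padEnd(24)} -> ${result.ok ? 'accept' : 'reject: ' + result.reason}`);
}
```

The validator never tries to "fix up" a malformed line; a front end that repairs what a back end rejects (or the other way round) is exactly the disagreement request smuggling depends on, so the only safe answer to a malformed head is to reject it.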

This flaw also affects all of the 18.x, 16.x, and 14.x releases.

The Node.js updates also include a fix for an issue in the way that the framework sources entropy for key generation.

“Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail,” the advisory says.

Users should upgrade to versions 14.20.1, 16.17.1, or 18.9.1 to protect against these bugs.

Watchdog Report Highlights Nuclear Agency’s Security Shortcomings
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/watchdog-report-highlights-nuclear-agency-s-security-shortcomings

A watchdog report has detailed several cybersecurity weak points afflicting the National Nuclear Security Administration (NNSA), including a lack of consistently enforced risk management practices in the agency’s operational technology (OT) environment and lax oversight of subcontractor cybersecurity policies.

The NNSA, a semi-autonomous agency within the Department of Energy, is in charge of the safety and security of the U.S. nuclear weapons reserve. Cybersecurity has previously been an issue for the NNSA; the agency was targeted in 2005, for instance, by hackers who exfiltrated a file with the names and social security numbers of 1,502 NNSA employees. Since then, IT systems have become further integrated into the agency’s equipment for designing nuclear weapons and automating manufacturing processes, making cybersecurity an even more significant priority for the NNSA.

After a Senate committee report in 2020 charged the Government Accountability Office (GAO) with reviewing the agency’s cybersecurity policies, the GAO found that the NNSA’s “foundational risk management practices” are not complete or consistent, particularly across its OT and contractor environments. These practices include the identification of risk management roles and responsibilities, the establishment of an organization-wide risk management strategy, the continual assessment of security risks, the designation of controls available for information systems and the development of a strategy for continually monitoring risks across the entity.

“The OT environment is vast and highly complex, encompassing hundreds of thousands of systems potentially at risk,” according to the GAO report released on Friday. “However, NNSA’s [Operational Technology Assurance] initiative is still in its inception phase after 3 years and is proceeding at a pace out of sync with the potential scope and severity of the cybersecurity risk present in this environment.”

Operational Technology Security 'Weaknesses'

While the NNSA has fully implemented most of these pillar risk management practices in the traditional IT environment, the GAO raised concerns that the agency has lagged behind in implementing those same practices for its OT devices. The agency has not identified the resources necessary to achieve full implementation, but it is also managing its OT security with a risk management program developed for traditional IT, according to GAO. OT devices are drastically different from IT devices and that impacts how - and the level to which - they are secured. For instance, OT devices need to be managed by control engineers, as opposed to IT teams, and may not have certain features like error logging or password protection that are present in IT systems.

“Consequently, OT systems may require different approaches when selecting and implementing cybersecurity safeguards or compensating controls for their unique circumstances, such as network segmentation,” according to GAO. “NNSA officials acknowledged that there are weaknesses in managing OT under a cybersecurity program developed to address traditional IT risks.”

In 2018, the NNSA launched an initiative called Operational Technology Assurance (OTA) in order to better implement these types of policies in the OT environment. As part of that initiative the agency has taken some steps toward securing OT devices, such as attempting to identify the highest-priority mission-impact OT function at each NNSA site. However, the OTA program's rollout has taken years, the GAO said.

“Notwithstanding these efforts, NNSA officials told us that they did not have an overall plan or roadmap to guide its future actions on OT cybersecurity—including efforts to provide guidance and expectations to contractors operating the sites—and to ensure that those actions will be consistent with the foundational risk management practices,” according to GAO.

Lax Contractor Cybersecurity Oversight

The GAO report also found gaping holes around how cybersecurity measures are enforced and assessed when it comes to the contractors that manage and operate its nuclear security enterprise sites.

NNSA, which has over 50,000 federal and contract employees at labs, plants, and sites nationwide, requires contractors to document how their subcontractors are complying with security standards through its Baseline Cybersecurity Program, which is incorporated into NNSA contracts. However, contractors’ efforts to provide this type of oversight are mixed, and three of seven contractors do not believe it is a contractual responsibility, according to GAO.

“Representatives from each of the M&O [management and operating] contractors told us that they complied with the requirement by including cybersecurity provisions in their subcontracts,” according to the GAO report. “However, through interviews and written responses from representatives of each of the seven M&O contractors, we found that once a subcontract was awarded, M&O contractors’ monitoring of such measures was inconsistent among the sites.”

Another challenge inherent in the Baseline Cybersecurity Program is that the onus for cybersecurity oversight falls on the contractors, and no further supervision from the NNSA exists. The GAO said that while an NNSA official had proposed adding an evaluation of such oversight to its annual contractor performance evaluation process, there was no evidence that the NNSA had applied this measure.

“In light of the increasing threat to systems with federal information, NNSA needs to have greater assurance that contractors and subcontractors are implementing a standardized cybersecurity framework,” according to the GAO report. “These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected.”

Moving Forward

The GAO made sweeping recommendations for the NNSA to improve its cybersecurity measures, including advocating that site contractors develop and maintain cybersecurity continuous monitoring strategies and a risk management strategy that incorporates NIST guidance and that is reviewed annually. Contractors also need more transparent communication that they are required to monitor subcontractor security measures, and a better process should be in place for evaluating the contractor oversight of these subcontractor security measures as part of the performance evaluation process, according to the GAO.

Additionally, the GAO recommended that the Office of Information Management identify the resources needed to implement foundational practices for the OT environment, including the development of an OT “business case” to be made across the NNSA planning, programming, budgeting and evaluation processes. According to GAO, NNSA agreed with the recommendations and has started to develop planned actions to address them.

“The Department of Energy’s National Nuclear Security Administration recognizes the importance of cybersecurity, including nuclear weapon cybersecurity and for the associated equipment used for production and testing,” according to Jill Hruby, NNSA administrator, in a September statement provided to the GAO. “As noted in the report, DOE/NNSA has taken positive steps to address the ever-growing digital threat to our programs.”

CISA: Critical Zoho ManageEngine Flaw Actively Exploited
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/cisa-critical-zoho-manageengine-flaw-actively-exploited

A previously patched, critical vulnerability in Zoho ManageEngine, which offers enterprise IT management software, is now being exploited, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The unauthenticated remote code execution bug (CVE-2022-35405) exists in several Zoho ManageEngine tools for managing privileged accounts and their access. Specifically, ManageEngine Password Manager Pro before 12101 and PAM360 (ManageEngine’s privileged access management program) before 5510 are vulnerable (ManageEngine Access Manager Plus before 4303 is also affected but an attacker would need previous authentication).

“CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation,” according to CISA’s Thursday alert. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”

Zoho fixed the flaw in June by removing the vulnerable components from PAM360 and Access Manager Plus, as well as removing the vulnerable parser from Password Manager Pro. However, a proof-of-concept (POC) exploit for the flaw is available, and customers are strongly recommended “to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately,” according to Zoho's advisory.

CISA did not provide further details about how the flaw is being exploited and how widespread exploitation efforts are. Bob Rudis, VP of data science with GreyNoise, said GreyNoise started seeing exploitation attempts for CVE-2022-35405 on Sept. 7, "but has not seen widespread exploitation attempts since those initial ones."

The ManageEngine platform has previously been a popular attack vector for threat groups: in December, APT groups targeted a months-old remote code execution vulnerability in ManageEngine ServiceDesk Plus in order to upload malicious files, drop webshells and carry out other malicious activity. In November, the U.S. government also warned that APT actors were using several different tools in attacks exploiting an authentication bypass flaw in the Zoho ManageEngine ADSelfService Plus password management application.

Per CISA’s previously issued binding operational directive (BOD 22-01), federal agencies have until Oct. 13 to fix the bug now that it is listed in CISA's Known Exploited Vulnerabilities catalog.

However, “although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” according to CISA.

Decipher Podcast: Source Code 9/23
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/decipher-podcast-source-code-9-23

The NSA is Here to Help
By Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/the-nsa-is-here-to-help

PHOENIX–The National Security Agency does not spend much time showing its work publicly. Indeed, the agency’s work depends on most people not knowing what’s going on inside Fort Meade. But recently, NSA has stepped up its efforts to work with cybersecurity analysts and researchers in the private sector, hoping to gain insights from outside practitioners while also lending context to the discoveries and research private companies produce.

The centerpiece of that effort is the NSA’s Cybersecurity Collaboration Center, a new group created about two years ago with the mission of building lasting, productive relationships with private sector partners that help defenders on both sides of the fence react more quickly and efficiently. The CCC is not meant to be another in the endless list of public-private partnerships or information-sharing silos that the federal government has created over the years. Instead, it is meant as a two-way street, with NSA giving as well as taking.

“We only know one part of the picture. The intelligence community has to be in that conversation. We need to bring our data and understanding of what’s happening to get ahead of it,” Morgan Adamski, director of the CCC, said during a keynote at the LabsCon conference here Thursday.

“Operational collaboration is a conversation between us government defenders and you, sharing unique and timely info with context.”

That last word is the real crux of the effort. NSA and its partners in the signals intelligence community collect massive amounts of information on a daily basis and have insights into networks and environments that private organizations don’t. That gives the agency the ability to add context and color to discoveries that other organizations make, creating a more complete picture of a given threat or attacker’s activities. In the past, NSA and other government agencies typically have shared very limited information on attacks or vulnerabilities, and usually on a case by case basis. Adamski wants to change that.

“We were only helping one company at a time. Ninety percent of the time, when we share technical indicators, people already know them. What we were missing is real time sharing with context and actionable unique information. The intelligence community had to come to the table,” she said.

To underscore the spirit of cooperation and openness, the CCC itself is physically located outside the fence line on NSA’s Maryland campus and Adamski said much of the work the group does with outside partners is done on an unclassified level. The goal is to build a level of trust with the private sector that has not always been there in the past.

“We have to make sure we care about the same things. We need trust. If you don’t trust me with your data, things can break down pretty quickly,” she said.

Though the CCC is meant to share information with outside organizations and help defenders protect their networks, the NSA is benefitting, as well.

“We’re learning a ton back about things we didn’t know. We’re moving faster. Attribution is coming faster because everyone is feeding data into one place and we’re building a more complete picture,” Adamski said.

One recent example of that is the advisory that CISA published in April 2021 warning that state-sponsored attackers from China were targeting users of the Pulse Connect Secure VPN, including federal government employees. Adamski said NSA became aware of the attacks when a partner in the private sector alerted the agency, which then set off NSA’s own investigation.

“We saw significant targeting of VPN users after the shift to remote work. We were able to take the information from our partner and add context and color and put out the advisory,” she said.

New Metador APT Discovered Targeting ISPs, Telcos
By Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/new-metador-apt-discovered-targeting-isps-telcos

PHOENIX–Researchers have identified a previously unknown, high-end attack group that has compromised telcos, universities, ISPs, and other organizations across the Middle East and Africa using custom malware platforms and tools that have been in play for many years. It’s not clear yet where the group originates from, or whether it is affiliated with a government or is a private actor.

The group has been operating for some time, but researchers at SentinelLabs only just discovered its activities recently while investigating a series of intrusions at one organization. That organization had been compromised by several separate APT groups, including Chinese and Iranian teams, and researchers discovered that a new actor, known as Metador, was also in the environment and had deployed several custom pieces of malware, including Linux implants. The new threat group is highly skilled, has shown the ability to evade security tools, and uses unique infrastructure for different victims. Metador is mainly focused on cyber espionage and SentinelLabs researchers say it’s possible the actor is a high level contractor rather than an intelligence agency or other state entity.

“Metador is notable precisely in their pragmatic combination of rudimentary techniques (e.g. LOLbins) with carefully executed advanced techniques (like per victim infrastructure segmentation, port knocking, and inscrutable custom anti-analysis techniques). Their operations are massively successful precisely in that they’ve eluded victims, defenders, and threat intel researchers until now despite maintaining these malware platforms for some time,” said Juan Andres Guerrero-Saade, senior director of SentinelLabs at SentinelOne.

“At this time, there’s no clear sense of attribution. Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references. We encountered multiple languages, with diverse idiosyncrasies indicative of multiple developers. There are indications of a separation between developers and operators. And despite a lack of samples, the version history for at least one of the platforms suggests a history of development that extends far beyond the intrusions we’ve uncovered.”

Guerrero-Saade unveiled the new research into Metador at the LabsCon conference here Thursday.

The two main pieces of malware that SentinelLabs discovered on Windows machines are called metaMain and Mafalda, and they both operate only in memory. Metador maintains very tight operational security and uses a single IP address and build for each victim. Guerrero-Saade said the actor is well aware of common Windows security tools and has shown the ability to adapt quickly when new tools are deployed on a compromised system. The researchers were not able to determine the initial infection vector for any of the machines that Metador compromised.

“Once on the target, the Metador operators can choose between multiple execution flows to load one or more of their modular frameworks. For example, the execution flow used on our Magnet of Threats combines a WMI persistence mechanism with an unusual LOLbin in order to kick off the decryption of a multi-mode implant we named ‘metaMain’ directly into memory,” Guerrero-Saade said.

“Even though metaMain is a fairly feature-rich backdoor, in this case the Metador operators used the metaMain implant to decrypt a subsequent modular framework called ‘Mafalda’ into memory. Mafalda is a flexible interactive implant, supporting over 60 commands.”

Mafalda looks to be a key part of Metador’s arsenal, and the actor takes great care to protect it and prevent it from being detected by security tools. The backdoor implant has gone through many versions, and Guerrero-Saade said the actor is still actively developing and maintaining Mafalda. The researchers saw indications of some other Metador implants, as well, but were not able to find the malware variants themselves. One of those implants is called Cryshell, and the other is an unnamed Linux-based tool.

The Metador actors host their command-and-control servers at a Dutch hosting provider. “Being a highly OPSEC aware actor, Metador manages their infrastructure rather carefully. Throughout the analysis of Metador infrastructure, much like its implants, we found no obvious overlaps with previously reported actors,” Guerrero-Saade said.

“In all Metador intrusions we’ve observed so far, the operators use a single external IP address per victim network at a time. That IP is utilized for command-and-control over either HTTP (metaMain, Mafalda) or raw TCP (Mafalda).”

The earliest timestamp in a metaMain sample that the SentinelLabs researchers discovered was Dec. 29, 2020. Guerrero-Saade said that although there are no concrete indications of who Metador is, the actor is clearly well-resourced and skilled.

“The limited number of intrusions and long-term access to targets suggests that the threat actor's primary motive is espionage. Moreover, the technical complexity of the malware utilized and its continuous active development suggests a well-resourced group, not only in a position to acquire multiple frameworks but also maintain and develop them further. Internal comments support that claim, as the developers provide guidance for a separate group of operators,” he said.

Metador so far has only been seen on a small number of victim networks, most of which are ISPs, telecom companies, or universities, all of which are common targets for APTs.

Attackers Deploying Noberus Ransomware Update Tactics
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/attackers-deploying-noberus-ransomware-update-tactics

The prolific ransomware known as Noberus, BlackCat or ALPHV has undergone a major update, and researchers warn that attackers using the ransomware have also been spotted evolving their tactics by leveraging a new version of the Exmatter data exfiltration tool as well as an information stealer called Eamfo as part of their attack chain.

Noberus, which is coded in Rust and was first seen in November 2021, was developed by a group identified by Symantec as Coreid (also tracked as FIN7 or Carbon Spider). Since then, the ransomware has emerged in attacks across multiple countries, including the U.S., Australia and India, with the FBI saying it had compromised at least 60 entities as of March. Of note, Coreid runs a ransomware-as-a-service program, meaning that Noberus is distributed by various affiliates, which can sometimes explain the different TTPs and attack chains associated with the ransomware.

“There’s no doubt that Coreid is one of the most dangerous and active ransomware developers operating at the moment,” said researchers with the Symantec threat hunter team in a Thursday analysis. “Its continuous development of its ransomware and its affiliate programs indicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon.”

In June, Coreid made sweeping updates to Noberus by including an ARM build for the encryption of non-standard architectures and introducing additional encryption functionality to the Windows build (via rebooting into safe mode). Several updates were also made to the locker component of the ransomware, including the addition of new restart logic and a change that simplifies the Linux encryption process. The threat actors also began indexing stolen data on their data leaks website, meaning that leaks can be searched for by keyword, file type and more.

In August, researchers observed attackers starting to use an updated version of the known Exmatter data exfiltration tool alongside Noberus in ransomware attacks. This malware, initially seen in November 2021 being used alongside the Blackmatter ransomware, is designed to steal files from targeted directories. The newest Exmatter version reduced the number of file types it aims to exfiltrate. It also has added several new functionalities, including the capabilities to build a report listing all processed files, to corrupt processed files, and to self-destruct if executed in a non-corporate environment.

“In addition to this, the malware was extensively rewritten, and even existing features were implemented differently,” said Symantec researchers. “This was possibly a bid to avoid detection. Whether Exmatter is the creation of Coreid or a skilled affiliate of the group is not clear, but its use alongside two different iterations of Coreid’s ransomware is notable.”

Researchers said that at least one Noberus affiliate was observed in late August using information-stealing malware called Eamfo that is designed to steal credentials stored by Veeam backup software, which can store credentials for systems ranging from domain controllers to cloud services. Eamfo has been around since at least August 2021, and researchers said there is evidence that it was previously used by attackers alongside Yanluowang and LockBit ransomware attacks.

“Stealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral movement, providing the attackers with access to more data they can potentially exfiltrate and more machines to encrypt,” said Symantec researchers.

Government Makes Headway in Executing Cybersecurity Commission’s Recommendations
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/cyberspace-solarium-commission-significant-improvement-in-government-security-strategy

Since the Cyberspace Solarium Commission (CSC) first released its watershed recommendations for the government to overhaul its cybersecurity strategy in 2020, more than half (60 percent) of these recommendations have now been fully implemented or are nearing implementation, according to a new progress report released this week.

The annual implementation report points to significant developments made by the U.S. government as it overhauls the procedures and resources needed to tackle ongoing cybersecurity challenges. In a Wednesday briefing, Sen. Angus King (I-Maine), co-chair of CSC 2.0 (a project charged with continuing the work of the CSC), said he felt the government had certainly made progress over the past five years, pointing beyond the implementation of recommendations to a “much higher level of understanding of how urgent this problem is in Congress.”

“I do think we’re better off on a number of levels, in part because of the implementation of a number of these recommendations; for example the creation of the National Cyber Director, the development of a national cyber strategy… the development of a Bureau of Cyber in the Department of State, so a lot of progress,” said King during the event, “Assessing America’s Cyber Resiliency,” hosted by CSC 2.0 and the Foundation for Defense of Democracies (FDD).

The U.S. Cyberspace Solarium Commission (CSC) was created by Congress in the 2019 National Defense Authorization act to make recommendations for how the U.S. should approach its cybersecurity strategy. While Congress had directed the CSC to be sunset at the end of 2021, the commissioners upheld the work under the CSC 2.0 project in order to continually monitor and assess the implementation of different recommendations.

In an original report in March 2020, the commission made 82 recommendations for the government, which revolved around reforming the government’s structure and organization as it relates to its cybersecurity strategy, operationalizing federal collaboration with the private sector and more. Almost 60 percent of these recommendations are now fully implemented or nearing implementation, and more than 25 percent are on track to implementation, according to the Wednesday report.

The annual report referred to several significant changes made at the government level for cybersecurity, including critical legislation - like the Cyber Incident Reporting Act - becoming law. The level of funding for government cybersecurity efforts has also increased, especially for the Cybersecurity and Infrastructure Security Agency (CISA), with funding climbing 25 percent in Fiscal Year 2022.


Another win was the establishment of the National Cyber Director (NCD) position to spearhead the coordination of security efforts and strategy across government agencies. King said there will still be tensions around who is in charge of what when it comes to cybersecurity across different agencies, but director Chris Inglis has built key relationships with CISA and other agencies and has taken several measures to tackle challenges in the cyber workforce.

“The best sign of success was the fact that the president gave Chris [Inglis] the pen on writing the new cyber strategy, which will be done in a matter of weeks or months,” said King. “It wasn’t easy to get the White House to accept this new position, but it happened. That’s an indication that this office is having an impact.”

While many recommendations are listed as being "on track," some have faced roadblocks in their implementation. One recommendation that King said remains “unfinished business” is the codification of a proposal for “Systemically Important Critical Infrastructure,” which would help identify U.S. critical systems, give them special federal government security support and increase the responsibility needed for additional security requirements. However, the proposal has been met with private sector pushback, particularly from the software and banking industries, with organizations in these sectors saying they are already awash in regulation.

“We’re trying to strike that balance between the federal government saying ‘hey, private sector we need everyone in the C-Suite to understand why cyber is important, but we also don’t want to get the regulatory framework wrong,’” said Rep. Mike Gallagher (R-Wis.), co-chair of CSC 2.0, on Wednesday.

Other hurdles have existed in progressing the Bureau of Cyber Statistics, a provision introduced as part of the Defense of United States Infrastructure Act that would establish an agency for collecting and analyzing data related to cyber incidents and cybercrime, and sharing that data with federal agencies, the private sector and the public.

While the 2020 report had 82 recommendations, that number has since increased to 116. King said that while progress has been made, incidents like the Colonial Pipeline hack serve as “periodic reminders” that work is far from over in the implementation and evaluation of recommendations for shaping the government’s security strategy.

“The reality is this is a problem that’s not going to go away and that will get worse,” said King. “There’s plenty left to do, and there’s always a danger of relaxing and saying we’ve done all these things.”

<![CDATA[Decipher Podcast: Asheer Malhotra and Guilherme Venere]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-asheer-malhotra-and-guilherme-venere https://duo.com/decipher/decipher-podcast-asheer-malhotra-and-guilherme-venere

<![CDATA[Siemens Fixes Numerous Flaws in Wide Range of ICS Products]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/siemens-fixes-numerous-flaws-in-wide-range-of-ics-products https://duo.com/decipher/siemens-fixes-numerous-flaws-in-wide-range-of-ics-products

Siemens has released updates for a wide range of its industrial control products used in manufacturing and other settings that fix numerous security vulnerabilities, some of which can be used to run arbitrary code or gain administrator privileges.

The most serious issue, which allows remote code execution, affects the Siemens Parasolid and Simcenter Femap products. Both products are used for simulations and modeling in industrial settings. Parasolid allows users to model three-dimensional objects, and Simcenter Femap is a simulation app for complex systems. This is not a single vulnerability but a set of 20 separate bugs, all of them file parsing flaws.

“Simcenter Femap and Parasolid are affected by multiple file parsing vulnerabilities that could be triggered when the application reads files in X_T file formats. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process,” the Siemens advisory says.

The vulnerabilities affect versions 33.1, 34.0, 34.1, and 35.0 of Parasolid, and versions 2022.1 and 2022.2 of Simcenter Femap.

Among the other vulnerabilities fixed by Siemens is an issue with the file permissions in the CoreShield One Way Gateway application, which is used to send information between network zones with different security levels.

“The default installation of the Windows version of the CoreShield One-Way Gateway (OWG) software sets insecure file permissions that could allow a local attacker to escalate privileges to local administrator,” the advisory says.

There are also several vulnerabilities fixed in SINEC Infrastructure Network Services, a web app that comprises a number of individual network components. Siemens released fixes for 14 vulnerabilities that affect the app, all of which are in third-party components used in SINEC INS.

Siemens also patched a denial-of-service bug in its RuggedCom ROS devices that can allow an attacker to consume all of the device’s resources by sending partial HTTP requests. This attack, first described by security researcher Robert Hansen several years ago, is known as Slowloris and can be quite effective.

“RUGGEDCOM ROS-based devices are vulnerable to a denial of service attack (Slowloris). By sending partial HTTP requests nonstop, with none completed, the affected web servers will be waiting for the completion of each request, occupying all available HTTP connections. The web server recovers by itself once the attack ends,” the Siemens advisory says.

The RuggedCom ROS software runs on switches and other network devices that are in difficult environments, including power substations.

<![CDATA[Decipher Podcast: Hack-a-Sat 2022]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-hack-a-sat-2022 https://duo.com/decipher/decipher-podcast-hack-a-sat-2022

<![CDATA[Decipher Podcast: Source Code 9/16]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-9-16 https://duo.com/decipher/decipher-podcast-source-code-9-16

<![CDATA[The Challenge of Securing Critical Operational Technology Systems at the Ground Level]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/the-challenge-of-securing-critical-operational-technology-systems-at-the-ground-level https://duo.com/decipher/the-challenge-of-securing-critical-operational-technology-systems-at-the-ground-level

Although a “shift in attitude” is happening around securing the operational technology (OT) that underpins critical infrastructure like manufacturing plants or utilities, the federal government is still working through challenges in targeting efforts toward smaller operators grappling with limited resources, and ensuring that the OT investments being made today have security built into them.

The Biden administration over the past year has spearheaded several initiatives that aim to better secure industrial control systems (ICS), including a National Security Memorandum passed last July, which directed the Cybersecurity and Infrastructure Security Agency (CISA) to work with the National Institute of Standards and Technology (NIST) to develop a number of security performance goals for critical infrastructure sectors. But at a Thursday hearing called “Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks,” government officials discussed further security improvements needed at the ground level to secure critical infrastructure environments and the particularly complex challenge of building security into the design of OT systems.

“This is a topic that we, as lawmakers and Federal officials, don’t spend nearly enough time talking about, working on, or funding,” said Yvette Clarke (D-NY), chairwoman of the Cybersecurity, Infrastructure Protection and Innovation subcommittee. “We rely on industrial control systems and other operational technology, or OT, to make sure we have power in our houses, clean water to drink, and countless other functions and services essential to our health, safety, and livelihoods. Still, questions about how we secure these critical OT systems tend to take a backseat to traditional IT security.”

CISA has led many of the critical infrastructure security efforts at a federal level, in April expanding the Joint Cyber Defense Collaborative (JCDC) - an agency effort to develop cyber defense plans with both public and private sector entities - to focus on ICS security by bringing in new partners. The agency has also been working to finalize the performance goals required by the National Security Memorandum, according to CISA Executive Assistant Director for Cybersecurity Eric Goldstein during the hearing. These goals expand on the existing NIST Cybersecurity Framework, a standard for building and evaluating cybersecurity programs, by identifying significant IT and OT system controls “with known risk-reduction value that are broadly applicable across sectors,” he said.


Despite these efforts, Clarke and others reiterated a need previously emphasized by the Biden administration for further cooperation between federal agencies and critical infrastructure operators in order to better secure sectors like the electric grid, water, gas and more.

“I see these baseline standards as having real promise to reshape the OT security landscape – but they will only be as effective as CISA’s ability to engage and incorporate the feedback they are hearing from stakeholders,” stressed Clarke.

When asked how CISA is communicating with smaller organizations and utilities, Goldstein said CISA has expanded its regional offices to better partner with local critical infrastructure organizations and utilities, but acknowledged that currently “it’s asymmetric across sectors.”

“There are some sectors like the energy sector where there are a lot of electric co-ops or municipal utilities that are smaller,” said Goldstein. “I think CISA’s work in cooperation with the Energy Department has done an important job of understanding the risks and the controls. If we look across other sectors, for example the thousands upon thousands of small water utilities in this country, we have work to do to make sure we are identifying all possible means of communication and collaboration.”

While high-profile critical infrastructure attacks like the Colonial Pipeline hack have only recently occurred, security challenges in the OT space have long been discussed. OT devices are drastically different from IT devices and that impacts how - and the level to which - they are secured. While IT is actively managed, making it easy to install routine patches needed to fix critical security flaws, for instance, the critical nature of OT devices means that their downtime will have a much greater impact, adding a tangle of complexity to any sort of update or replacement.

Vergle Gipson, senior advisor at the Idaho National Laboratory, said other design issues exist as well that make the security and management of OT devices more complicated. While the refresh cycle for IT infrastructure calls for devices to be upgraded every few years, for instance, OT is designed to last for decades and many devices were built at least 20 years ago, long before the need for strong cybersecurity defenses was being discussed. The education of those who are currently building and designing these systems is one vital opportunity for bolstering security, he said.

“This is a big opportunity for us in the U.S. - a lot of the existing infrastructure simply isn’t securable from a cyber viewpoint, and so as we are upgrading and replacing infrastructure, it’s the perfect time to make that infrastructure cyber secure and defendable, and the design stage is the right place to start,” said Gipson. “We need to find ways to educate those that are engineering and building systems and the components in those systems, that that work is done with cybersecurity in mind so they can be defended.”

<![CDATA[CISA Warns of Critical Flaw in Honeywell SoftMaster PLC Software]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/cisa-warns-of-critical-flaw-in-honeywell-softmaster-plc-software https://duo.com/decipher/cisa-warns-of-critical-flaw-in-honeywell-softmaster-plc-software

CISA is warning organizations in the manufacturing sector about a critical vulnerability in Honeywell’s SoftMaster desktop tool that can enable an attacker to run arbitrary code.

The vulnerability (CVE-2022-2333) affects version 4.51 of SoftMaster, a desktop application used by engineers to program Honeywell programmable logic controllers (PLC). PLCs are dedicated computers used in industrial settings to control specific processes and machines. They’re prevalent in a wide range of industries, and Honeywell’s PLCs are widely deployed.

“If an attacker manages to trick a valid user into loading a malicious DLL, the attacker may be able to achieve code execution in the application’s context and permissions,” CISA said in its advisory Tuesday.

There is a second, less serious, flaw in the same version of SoftMaster that can allow a local user to escalate privileges.

“A local unprivileged attacker may escalate to administrator privileges, due to insecure permission assignment,” the advisory says.

Researchers on Claroty’s Team82 discovered the vulnerabilities and disclosed them to Honeywell, which has released updates to SoftMaster to address the bugs.

“These are two local privilege escalation vulnerabilities that can be abused to gain admin privileges, depending on the user’s permissions. Both vulnerabilities are relatively simple to exploit once an attacker has local access to the SoftMaster application,” said Noam Moshe, a vulnerability researcher on Team82.

“An attacker with this type of local access could disrupt a physical process, either by shutting it down or forcing it to perform operations that could impact safety and reliability.”

Organizations running vulnerable versions of SoftMaster should update as soon as possible, and if upgrading isn't practical right away, isolate vulnerable systems from the Internet.

<![CDATA[U.S. Government Hits Alleged Iranian Hackers with Indictments, Sanctions]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/u-s-government-hits-iranian-hackers-with-indictments-sanctions https://duo.com/decipher/u-s-government-hits-iranian-hackers-with-indictments-sanctions

The Department of Justice (DoJ) charged three Iranian nationals who allegedly have targeted hundreds of victims - including critical infrastructure organizations - in the U.S., the UK, Israel and Iran since October 2020.

The three individuals - Mansour Ahmadi, 34; Ahmad Khatibi Aghda, 45; and Amir Hossein Nickaein Ravari, 30, who all reside in Iran - were allegedly behind a number of cyber-theft and extortion attacks that victimized healthcare centers, transportation services and utility providers, as well as small businesses, government agencies, non-profit organizations and educational and religious entities.

The DoJ’s charges are part of a broader wave of actions against Iran-linked threat actors by multiple agencies across the U.S. government on Wednesday, coming on the heels of the White House promising “further action to hold Iran accountable” after a July cyberattack on Albania. Ahmadi, Aghda and Ravari were added by the U.S. Treasury Department to the specially designated nationals (SDNs) list along with seven other Iranian nationals and two companies “for their roles in conducting malicious cyber acts, including ransomware activity.” The U.S. government also said that all sanctioned individuals and entities are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) along with multiple other global security center organizations released further information on the trademark tactics used by the threat actors.

“They were looking to steal information, encrypt networks, and sell private data, all in the hopes of persuading victims to pay sizable ransoms,” said FBI Director Christopher Wray in a Wednesday statement. “In addition to targeting victims here in the U.S. the defendants also targeted companies and entities around the world, including in their own country of Iran, demonstrating that few targets were off-limits. These three individuals are among a group of cybercriminals whose attacks represent a direct assault on the critical infrastructure and public services we all depend on.”

The three allegedly targeted a number of companies including an accounting firm in New Jersey, regional electric utility companies in Mississippi and Indiana, a shelter for domestic violence victims in Pennsylvania and more. The goal of these attacks was to either exfiltrate data or launch ransomware.

“To these sorts of actors, nothing is off-limits,” said Wray. “Not even, for example, Boston Children’s Hospital, which they set their sights on in the summer of 2021. Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted. And working closely with the hospital, we were able to identify and defeat the threat protecting both the network and the sick children who depend on it. I’m very proud of our success thwarting that attack.”

The tactics allegedly used by Ahmadi, Aghda and Ravari - including exploiting known vulnerabilities in popular network devices and software applications - are indicative of broader Iran-linked APT trends, highlighted in a Thursday advisory by CISA. CISA linked previous security alerts of Iranian government-sponsored APT actor activity with IRGC affiliates, and said these threat actors have continued to exploit Fortinet and Microsoft Exchange flaws - as well as VMware Horizon Log4j vulnerabilities - for initial access in ransomware operations. These actors have often operated under the names Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. Both entities were sanctioned on Thursday.

The charges and sanctions follow a previous round of sanction designations on Friday, with the Treasury Department designating the Iran Ministry of Intelligence and Security (MOIS) and the Iranian minister of intelligence. Last week, Albania cut off diplomatic relations with Iran and expelled Iran’s diplomats from the country after saying a July cyberattack had been orchestrated by Iranian actors and sponsored by the Iranian government. The U.S. also condemned the attack, saying it would hold Iran accountable for threatening the security of a U.S. ally.

The cluster of malicious activity highlighted by U.S. government agencies on Wednesday has also previously been analyzed by Mandiant researchers, who have tracked the operations under the designation UNC2448 since 2020. Mandiant said that UNC2448 is known for widespread scanning for various flaws and the use of the Fast Reverse Proxy tool.

“The indictment is focused on the criminal activity of Iranian actors Mandiant has tracked for some time,” said John Hultquist, VP with Mandiant Intelligence, in a statement. "We believe these organizations may have been moonlighting as criminals in addition to their status as contractors in the service of the IRGC. The IRGC leans heavily on contractors to carry out their cyber operations.”

<![CDATA[Software Supply Chain Security Takes Center Stage in Washington]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/software-supply-chain-security-takes-center-stage-in-washington https://duo.com/decipher/software-supply-chain-security-takes-center-stage-in-washington

The Biden administration has released new guidance for federal agencies that will require them to use only software that has been developed using secure development practices and instructs agencies to require some form of certification from the vendors they work with. The guidance is a follow-up to a 2021 executive order, and is just the beginning of what will be a long process of securing the federal software supply chain.

Supply chain security has become a serious concern for both private enterprise and government agencies, particularly in the last couple of years as APT groups have focused their efforts on compromising vendors and products that are widely used and/or incorporated into other software packages. The canonical example at this point is the intrusion at SolarWinds in late 2020 that also affected FireEye, Microsoft, and many of the company’s other customers. Attackers affiliated with the Russian government were able to compromise a build server inside of SolarWinds and insert a backdoor in the company’s Orion IT monitoring software, which was then propagated to a subset of SolarWinds’s customers, giving the attackers access to those environments, as well.

Other supply chain attacks have surfaced recently, including an attack on Kaseya in 2021 by REvil ransomware actors. The new guidance from the Office of Management and Budget at the White House seeks to address the issue by requiring agencies to get self-attestations from software vendors, documents that will lay out the vendors’ compliance with software development and cybersecurity practices from the National Institute of Standards and Technology.

“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised. With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries,” Chris DeRusha, federal CISO and deputy national cyber director, said.

“This is not theoretical: foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure.”

The guidance from OMB is the beginning rather than the end of this process. It is rather general and broad and does not include any specifics of what exactly self-attestations must include. The guidance also says agencies may require a software bill of materials (SBOM) from a vendor, but does not lay out any specifics for that document, either, aside from the minimum elements of an SBOM described by the Cybersecurity and Infrastructure Security Agency. An SBOM is a specific type of document that details what the basic and nested elements of a given piece of software are, including libraries and dependencies.


Some of those specifics will come in the next 90 days, while others may be farther down the line. The release of the guidance is a signal that the federal government plans to use its purchasing power to raise the bar for software makers’ security practices.

“This is step one in getting this going. It’s hard for companies to exert this kind of pressure. It has to start with somebody somewhere,” said Dan Lorenc, co-founder of Chainguard, a software supply chain security firm.

SBOMs have been around for several years, but their adoption rate among software makers is not very high at the moment, even among large, mature vendors. Lorenc stressed that there’s much more to it than simply filling out a form and listing the software ingredients in a product.

“I think adoption is pretty low across the board right now among all companies. They’re just getting into a position now where they can do this,” he said. “Everyone is waiting until the last minute to get in.”

There are a number of milestones included in the new guidance, the first of which is the requirement that federal agencies inventory all of their software, critical and otherwise, within the next 90 days. Within 120 days, agencies have to design a process to get the guidance’s requirements to their vendors, and within 180 days develop a training plan to review the attestations. The road may seem long, but given that the executive order from President Biden only landed in May 2021, just having the guidance out within 18 months is a feat unto itself.

“This is moving at lightspeed, honestly, for government regulations,” Lorenc said.

<![CDATA[Microsoft Fixes Exploited Windows Bug]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/microsoft-fixes-exploited-windows-bug https://duo.com/decipher/microsoft-fixes-exploited-windows-bug

Microsoft has fixed an important-severity flaw that could give an authenticated attacker the ability to execute code with elevated privileges, as part of its regularly scheduled security updates released on Tuesday.

The elevation-of-privilege flaw (CVE-2022-37969) exists in the Windows Common Log File System driver, a logging service that can be used by software clients in user mode or kernel mode. Microsoft said that an attacker who exploited the flaw could gain SYSTEM privileges, but it’s important to note that the attacker would already need access to the system and the ability to run code on it. The flaw has been publicly disclosed and exploitation has been detected, according to Microsoft. Researchers with DBAPP Security, Mandiant, CrowdStrike and Zscaler were credited with discovering the flaw.

“We found this zero-day bug during a proactive Offensive Task Force exploit hunting mission," said Dhanesh Kizhakkinan, senior principal vulnerability engineer with Mandiant, one of the companies that discovered the issue. "An escalation of privilege (EOP) exploit was found in the wild, exploiting this Common Log File System (CLFS) vulnerability. The exploit seems to stand-alone and is not part of a chain (like browser + EOP).”

Microsoft listed the attack vector as “local,” which the company said means the vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. However, the attack complexity and privileges required are listed as “low,” and Microsoft said that no user interaction is required for the flaw.

Genwei Jiang, senior vulnerability engineer with Mandiant and one of the researchers credited with discovering the bug, said that after the flaw was found it was immediately submitted to Microsoft, and the company "quickly developed and issued an initial patch." The issue was first discovered on Aug. 30 and reported to Microsoft Sept. 1. As the exploit is publicly available, it’s very easy to develop and exploit, said Jiang.

Overall, Microsoft’s security advisory addressed 79 CVEs, including five critical-severity flaws and 57 important-severity flaws. One of those critical vulnerabilities (CVE-2022-34718) exists in Windows TCP/IP and could enable a remote, unauthenticated attacker to execute code with elevated privileges on impacted systems, sans user interaction. Microsoft said exploitation is “more likely” for this flaw, but the vulnerability only impacts systems that have IPv6 enabled and IPSec configured.

“An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine,” according to Microsoft’s advisory.

Other noteworthy vulnerabilities include an important-severity denial-of-service bug in Windows DNS server, which can be exploited by a remote, unauthenticated actor, and two remote code execution flaws in the Windows Internet Key Exchange protocol (CVE-2022-34721 and CVE-2022-34722) that can be exploited by an attacker that sends a specially crafted IP packet. Microsoft has in the last few months fixed a number of zero-day flaws. The company in August said it fixed a variant of a publicly known, important-severity remote code execution flaw (CVE-2022-34713) in the Microsoft Windows Support Diagnostic tool, which had been exploited by attackers.

<![CDATA[New Regulation May Follow Twitter Disclosures]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/new-regulation-may-follow-twitter-d https://duo.com/decipher/new-regulation-may-follow-twitter-d

The revelations contained in the whistleblower disclosure by a former Twitter security executive paint a bleak picture of the company’s security culture and data governance practices, but many of the problems and shortcomings are not unique and reflect broader challenges many large organizations face while trying to get a handle on what data they’re collecting and who may have access to it. Those issues are attracting the attention of lawmakers and may lead to new legislation or further regulation of tech companies.

In his disclosure last month and in testimony Tuesday before the Senate Judiciary Committee, Peiter Zatko described serious security issues, including a lack of meaningful security controls, broad access to user data by thousands of employees with no need for such access, and no logging on critical internal systems. Zatko, who was in charge of information security, privacy, IT, and physical security at Twitter from November 2020 until he was fired in January 2022, said that when he first joined the company he discovered that it had at least 10 years of technical debt and was well behind its peers on security and technical innovation. Perhaps most worryingly, Zatko, known as Mudge in the security community, described an environment in which Twitter engineers and officials did not know how much data the company gathered on users, where that data was stored, or who had access to it.

“They don’t know what data they have, where it lives, or where it came from, and so unsurprisingly, they can’t protect it. So employees have to have too much access to too much data,” Zatko said in his testimony Tuesday.

“Twitter didn’t even know what it was collecting. Why do they keep having the same incidents year after year? What is fundamentally broken under the hood?”

Zatko said shortly after he joined Twitter, engineers raised concerns about some of these issues to him, and he in turn brought them to the attention of senior executives several times.

“This was a ticking bomb of security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed those security failures to the highest levels of the company. It was only after my reports went unheeded that I submitted my disclosures to government agencies and regulators,” Zatko said in his testimony.

A Twitter spokesperson said that the company manages access to data with access controls, monitoring, and detection systems.

Some of the problems Zatko describes in his disclosures are applicable to just a small handful of companies. The misinformation and disinformation operations, impersonations, and mass influence campaigns are serious issues for Twitter and Facebook, but they don’t really apply to most enterprises, even at the largest scale. But the broader concerns Zatko raised about excess data collection, mishandling of data, and a lack of security controls, are everyday challenges for many organizations, regardless of the industry they’re in.

“The lack of ability to internally identify inappropriate access in our own systems, it was extremely difficult to track people. The lack of logging, what info was accessed, or to contain activities let alone set steps for reconstitution or remediation,” Zatko said.

“Trying to understand what an adversary is doing would be pretty challenging without logs.”


The idea that you can’t protect what you don't know you have is axiomatic in security and it applies not just to devices, but to the information an organization collects and stores. Knowing where user and customer data is, what it's used for and who can get to it and why are all difficult things to address.

"It’s not a tech problem, it’s a hard thing to overcome years of neglect. We’ve underestimated and underinvested in privacy for decades because privacy is just air and no one wants to invest in air," said Michelle Finneran Dennedy, co-founder of Privacy Code and co-author of The Privacy Engineer's Manifesto.

"Privacy is contextual and time based, it’s storytelling. If you haven’t built data intentionality and data flows, you get that answer that we don't know where things are."

Platforms such as Twitter, Facebook, Instagram, and others collect huge amounts of data for a variety of purposes, and protecting that information is no small task. Many companies have discovered this firsthand, including Twitter, which in 2011 signed a consent decree with the Federal Trade Commission as a result of incidents in which attackers were able to gain admin privileges on Twitter systems in 2009. Under the terms of the agreement, Twitter was subject to 10 years of independent audits of its security practices.

Zatko said that in his time at Twitter, the consent decree did not seem to be a huge concern.

“Foreign regulators were much more feared than the FTC. One-time fines are priced in. Regulators do have tools, but they don’t know if they’re working. The laws get gamed by companies’ ability to answer questions in the affirmative without having done the work. They’re grading their own homework in a sense,” he said.

“In big tech, (regulators) are absolutely outgunned. From what I have seen, the tools that are used out of the toolbelt aren’t working. Other tools in the toolbelt do work but the regulators haven’t been able to quantify them in order to use them.”

During Tuesday’s hearing, several senators raised the possibility of increased regulation of large tech platforms, with Sen. Richard Blumenthal (D-Conn.) going so far as to suggest the creation of a new federal agency to handle the job, an idea that Sen. Lindsey Graham (R-SC) said he supported.

“We’re going to create a regulatory agency with teeth. The regulatory environment is insufficient for the task. It’s time to up our game,” Graham said.

The idea of a data privacy agency is not a new one and has been part of several privacy bills over the years, but Finneran Dennedy said it is not a simple concept to bring to fruition.

"I'm not sure I want to see another giant bureaucracy in Washington and staffing it would be difficult. It’s such a specialty and you have to be a zealot to really do privacy well. We’re in a place where we’re making up for years of neglect. We’re in the clean up the abattoirs phase. We have to do the dirty, boring work," she said.

"We have real risk on the table and real tech debt. It's a wicked problem and there are no easy answers. There are going to be compromises all along the way."

For Zatko, who has spent 30 years working in the private sector and government trying to raise awareness about endemic security vulnerabilities, better oversight of data practices could be one positive outcome of an unpleasant process.

“I’m basically risking my career and reputation, and if something good comes from this five or ten years down the road, then it’s worth it,” he said.

<![CDATA[Iranian Attackers Upgrade Social Engineering Tactics]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/iranian-attackers-upgrade-social-engineering-tactics https://duo.com/decipher/iranian-attackers-upgrade-social-engineering-tactics

Iranian threat actor TA453 has been sending spear-phishing emails to individuals specializing in Middle Eastern affairs, nuclear security and genome research with a social engineering twist: As opposed to a one-on-one conversation, the known actor has been including multiple fake personas on the email chain in hopes of making the attack appear more legitimate.

TA453, which has activity overlaps with Charming Kitten and Phosphorus, has been active since at least 2012 and has historically launched malware campaigns that have aligned with the priorities of Iran’s Islamic Revolutionary Guard Corps (IRGC) in the data it collects and the victims it targets (typically dissidents, academics, diplomats and journalists). Researchers observed TA453 using the tactic in mid-2022 in emails impersonating real individuals from Western foreign policy research institutions. The end goal of the campaigns so far appears to be collecting basic system information, although researchers with Proofpoint said they have not yet seen code execution or command and control (C2) capabilities.

“This is the latest in TA453’s evolution of its techniques and can be mitigated in large part by potential targets, such as those specializing in Middle Eastern affairs or nuclear security, by being cautious when they receive outreach from unexpected sources, even those that appear legitimate,” said researchers with Proofpoint in a Tuesday analysis.

In one observed campaign in June, threat actors reached out to two targets at an unnamed university, including a prominent academic who is involved in nuclear arms control. The actors claimed to be the director of political research with the Pew Research Center wanting to discuss an article referencing a possible clash between the U.S. and Russia. While they used the actual name and title of this Pew Research Center director, Proofpoint researchers said they have “no specific indication” that the spoofed individuals were themselves victimized by TA453 (though the group has previously used compromised email accounts to send phishing emails).


Also CC-ed on the email were three other spoofed individuals. After the target stopped responding for a week, the threat actors followed up under the initial persona with a OneDrive link that they purported was the article, and four days later followed up again under one of the other CC-ed personas, attempting to convince the target of the legitimacy of the campaign and resending the same OneDrive link.

This OneDrive link hosted malicious documents, which are the most recent version of a remote template document that PwC had previously observed TA453 using. The template that gets downloaded has three macros, which collect data such as the username, the list of running processes and the user's public IP address, and exfiltrate that information via the Telegram API.

“At this time, Proofpoint has only observed the beaconing information and has not observed any follow-on exploitation capabilities,” said researchers. “The lack of code execution or command and control capabilities within the TA453 macros is abnormal. Proofpoint judges that infected users may be subject to additional exploitation based on the software identified on their machines.”

Researchers said that the technique, which has been previously used by business email compromise (BEC) group Cosmic Lynx, is “intriguing” because attackers must leverage more resources and email addresses. TA453 appears to continue to evolve its tactics, with researchers observing the threat actor recently sending a blank email in an attempt to bypass security detection, then responding to the email with other emails CC-ed on the thread in order to make it appear as if there is an established connection between the sender and recipient.

“In general, threat actors will adopt tactics used by others so long as they think they will be useful for their campaigns,” said Sherrod DeGrippo, VP of threat research and detection at Proofpoint. “Social engineering is a component of nearly every threat actor’s toolbox who uses email as an initial access vector. As users have gotten better at identifying phishing emails, threat actors have to evolve their methods and techniques, including how they go about making their emails appear increasingly convincing.”

<![CDATA[Apple Patches Zero Days in macOS Monterey, Big Sur]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/apple-patches-zero-days-in-macos-monterey-big-sur https://duo.com/decipher/apple-patches-zero-days-in-macos-monterey-big-sur

Apple on Monday released iOS 16 and macOS Monterey 12.6, both of which contain a number of new features, along with numerous important security fixes. The update for Monterey includes a patch for a kernel vulnerability that Apple noted has been exploited in the wild.

That flaw (CVE-2022-32917) could allow an attacker to execute arbitrary code with kernel-level privileges, and it is also patched in the new release of macOS Big Sur 11.7. The same flaw was patched in iOS 16, but Apple did not note any active exploitation against it on iOS devices. This is the fifth actively exploited zero day that Apple has fixed in macOS this year. Last month, the company released an update for macOS Monterey that included patches for two distinct vulnerabilities: one in WebKit and the other in the kernel.

There is another zero day (CVE-2022-32894) patched in Big Sur that's not present in Monterey, and has been actively exploited against Big Sur machines.

Monterey 12.6 brings with it several other security fixes, including a patch for another kernel vulnerability that could allow an app to run arbitrary code with kernel privileges. A third kernel flaw could enable an app to disclose kernel memory.

In iOS 16, Apple fixed 11 vulnerabilities, four of which can lead to remote code execution.

It has been a bumpy year for many major vendors when it comes to zero days exploited in the wild. In addition to the five macOS flaws Apple has dealt with, there have been three in iOS, and two in WebKit. Microsoft and Google have also had their fair share of zero days in 2022, as has Mozilla. But with less than three months left in the year, it’s unlikely that the count will surpass 2021, when there were 59 zero days detected in the wild.