The IT Nerd

In a report released Wednesday, Microsoft published the findings of its internal investigation which detailed that, for more than two years, Chinese hackers accessed high-level, US and European governmental agencies’ email accounts before the breach was discovered in June.
 
The Chinese-based criminal, Storm-0558, first gained access to the Microsoft emails in April 2021. The breach affecting 33 U.S. and global entities happened when a bug caused Microsoft’s email system to crash, resulting in a data purge that inexplicably contained email access keys. The hacker then forged security tokens that allowed backdoor access to Outlook.com.
 
As Microsoft admitted, at the time, the system didn’t alert IT to the issue as it should have, and the crack went unnoticed until just two months ago. Microsoft said that it released the investigative findings “as part of our commitment to transparency and trust,” adding that the company was working to tighten up its security protocols.
 
“For this reason — by policy and as part of our Zero-Trust and ‘assume breach’ mindset — key material should not leave our production environment. While these tools are important, they also make users vulnerable to spear phishing, token stealing malware, and other account compromise vectors,” Microsoft said, referring to emails, conferencing, and web research tools that were used previously by corporate-level employees.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The two most disconcerting parts of the report are that: Storm-0558 could forge tokens to access email accounts of high-level officials; and that the breach persisted for years without being discovered. This would lead one to question how many other accounts are being compromised today with forged tokens, and how do you go about identifying additional compromised accounts?

   “The findings reinforce that constant vigilance is required to stay ahead of sophisticated attackers, and keys and tokens need to be rotated frequently to prevent persistent access to compromised accounts.”

Microsoft should get some kudos for posting this info as it is not easy to admit where you’ve gone wrong. But let’s see what Microsoft does going forward to make sure that this situation isn’t repeated.

In tweets dated August 28, 2023, Microsoft reported a significant increase in adversary-in-the-middle (AiTM) strategies facilitated by phishing-as-a-service (PhaaS) platforms.

Researchers have observed the emergence of new PhaaS platforms equipped with AiTM capabilities throughout 2023. Simultaneously, established phishing services like PerSwaysion have also incorporated AiTM features.

The two predominant techniques employed in AiTM-enabled phishing attacks are reverse proxy servers and synchronous relay servers.

In the first scenario, as seen in phishing toolkits such as EvilGinx, Modlishka, Muraena, and EvilProxy, every HTTP packet is proxied to and from the original website, making the URL the sole discernible distinction between the phishing page and the authentic site.

In AiTM attacks using synchronous relay servers, the target is presented with a fake sign-in page, much like traditional phishing attacks. Threat group Storm-1295 was reported to offer synchronous relay services to other attackers.

AiTM phishing aims to steal session cookies from browsers, allowing users access to protected systems without reauthentication. Incident response for AiTM attacks requires the revocation of stolen session cookies.

Microsoft emphasized the importance of implementing MFA methods such as Microsoft Authenticator, FIDO2 security keys, and certificate-based authentication as crucial measures for securing identities – “This emphasizes the importance of MFA thru methods like Microsoft Authenticator, FIDO2 security keys, & certificate-based authentication in securing identities.”

George McGregor, VP, Approov had this comment:

   “AiTM phishing aims to steal cookies from browsers and use them to access backend systems.

   “However, there is an even bigger AiTM threat posed by mobile apps which is not mentioned by Microsoft: Mobile apps are highly susceptible to AiTM attacks and secret theft at runtime because hackers can easily manipulate the client environment and/or the communication channel(s). This could certainly also be packaged “as a service” for hackers.

   “Defense against this threat requires app and client attestation and pinning of the communication channel.”

Emily Phelps, Director, Cyware follows with this:

   “Multifactor authentication is table stakes when it comes to safeguarding data. Strong authenticator apps should be used with each log-in session. Human behavior continues to be a common exploit for attackers because it continues to be effective.

   “As an industry, cybersecurity must work to get ahead of these tactics, with threat intelligence programs that include intelligence sharing so that once these strategies are known and can be widely distributed, enabling other organizations and individuals to protect themselves against them.

I’ve been saying for a while to my clients that they need to move towards MFM or passwordless solutions. Because the threats out there are so many and so sophisticated that you will leave yourself open to having bad things happen to you if you don’t.

If you value your sanity, or simply don’t want your computer to suddenly start having the “blue screen of death”, then you might want to avoid installing KB5029351 and KB5029331 onto your Windows 10 or 11 PC as those updates will do just that according to widespread reports:

Microsoft has received reports of an issue in which users are receiving an ‘UNSUPPORTED_PROCESSOR’ error message on a blue screen after installing updates released on August 2,” Redmond said. The company also added that the problematic cumulative updates “might automatically uninstall to allow Windows to start up as expected.” Microsoft is investigating the newly acknowledged known issue to find out whether it stems from a Microsoft-related cause. The company also urged users encountering these BSOD errors to file a report using the Feedback Hub.

The purpose of preview updates is to allow Windows admins and users to test fixes and improvements scheduled for release with the forthcoming September 2023 Patch Tuesday rollout. In other words, it’s a form of beta testing. But it looks like this beta is problematic and you should steer clear of it at all costs.

Consider yourself warned.

In a new study by Microsoft called the State of Play report, Microsoft highlighted the growing opportunities for threat actors to target high-profile sporting events, “especially those in increasingly connected environments, introducing cyber risk for organizers, regional host facilities and attendees.”While managing the critical-infrastructure cybersecurity at the 2022 FIFA World Cup in Qatar, Microsoft observed attackers continuously attempting to compromise connected systems through identity-based attacks.

• “What we saw was consistent, with cyber-criminals being opportunistic and seeing where they can infiltrate and find gaps between a lot of connected systems, in the context of a large event. The cybercrime economy’s sheer size and low barriers to entry make this kind of opportunism a significant risk to account for in planning and having layered defenses in place.
• “What makes the sports landscape unique is that the IT assets and operations are so different, you have a lot of mobile devices across teams and staff, and a lot of connectivity across different stadiums, training facilities, hotels and other venues. And the nature of these connections is that they stand up and down as teams complete in seasons and tournaments,” said Justin Turner, Principal Group Manager, Microsoft Security Research.

Furthermore, this allows threat actors to simultaneously target mobile payment and retail systems, socially-engineer participants, and scan for unpatched/misconfigured devices. Also, security complexity is compounded as there are numerous parties managing a multitude of systems, such as corporate sponsors, municipal authorities and third-party contractors.

George McGregor, VP, Approov has this comment:  

“A key element are the apps which are launched for events (for example the FIFA Women’s World Cup app – 10M+ downloads on Android) which are intended to be a “one-stop shop” for events. Unless they are protected, they can leak personal financial data and also be a source of other information which can be used in broader infrastructure attacks.”

Amit Patel, SVP, Cyware follows up with this:  

“Anytime you gather tens of thousands of people together using shared infrastructure it’s an attractive target for attackers. Major sports leagues are realizing that they need to address security collectively – not relying on local capabilities. By monitoring threats globally, and sharing intel automatically across leagues and venues, and anticipating attacks, we can reduce risks considerably.”

Sporting events are clearly not the safe places that they once were. This is why not only the people who run these events have to make sure that there is a holistic view of their cybersecurity landscape, but we have to do our part by being mindful of the fact that there are threats that might be lurking at these events.

Trend Micro researchers have a report on a signed rootkit that communicates with a large C&C infrastructure whose main victims are the gaming sector in China. The malware appears to have passed through the Windows Hardware Quality Labs (WHQL) process for getting a valid signature. Which to me is mind-blowing. I’ll explain why in a moment.

The malware goes to great lengths to remain stealthy and take control of the target systems, most of which should set off red flags:

• Disables the User Account Control (UAC) and Secure Desktop mode
• Initializes Winsock Kernel objects for initiating network comms with the C&C server
• Periodically connects to the C&C server, retrieves and decrypts new payloads and loads them directly into memory (never touching the disk to bypass detections)
• Plug-ins modify the Registry to achieve persistence, disarm Microsoft Defender Antivirus, and deploy a proxy on the machine, redirecting web browsing traffic to a remote proxy

Dave Ratner, CEO, HYAS had this to say:

“This is yet another example where having visibility into anomalous communication to command-and-control structures, aka adversary infrastructure, is a vital part of a defense-in-depth strategy and a key component of the overall security stack.  If organizations haven’t yet deployed Protective DNS across their infrastructure and environments, they should make plans to do so immediately.”

Why this blows my mind is simple. The whole point of having signed drivers is to stop this scenario dead. But it seems that somehow the threat actors managed to take advantage of the WHQL process to execute their plans. Hopefully Microsoft can do something to make this scenario far less likely in the future.

Microsoft said in a blog post published late yesterday that hackers linked to China, dubbed Storm-0558, broke into email accounts at approximately 25 organizations, including some U.S. government agencies, and hit consumer accounts as part of a suspected cyber-espionage campaign to access data in sensitive computer networks.   

The hackers took advantage of a security weakness in Microsoft’s cloud-computing environment gaining access to victims’ email by forging digital tokens beginning on May 15 and operated in stealth for more than a month, until June 16, when Microsoft began its investigation and mitigated the situation.  

“Last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service. We continue to hold the procurement providers of the U.S. government to a high security threshold,” Adam Hodge, spokesman for the White House National Security Council, said.  

The full scope and severity of the incident, and which institutions and individuals were hacked, are currently not available. 

Willy Leichter, VP, Cyware had this comment:  

“Attacks like this will continue to grow in frequency, as vulnerabilities are inevitable, and many well-funded hacking groups are always looking to exploit them. The critical test is how quickly organizations like Microsoft react and take definitive action to stop the spread. In this case, 3+ weeks from the problem being reported to being fixed is well above industry average, but still leaves a large window of exposure. But compared to SolarWinds (which was exploited for months), we’re making progress.”

It’s clear from attacks like this one that nation states with hostile intent are coming for you and your infrastructure. Thus you need to ensure that your defences are in place to either stop them, or at least quickly detect them so that you can take the required action to stop them.

UPDATE: Snehal Antani, CEO and Co-Founder of Horizon3.ai adds this:   

“With everyone pointing fingers at Microsoft, there actually is a bigger concern. When thinking about credential stuffing, this attack is used to first gain access to credentials for one online account, and then use those same credentials to access other online accounts. Was that the motive?    

“In terms of password spraying, this attack is focused on reusing a username without knowing the password. Attackers then try commonly used passwords to log in to other systems. Maybe this was the motive? Either way, the key takeaway is that there is now a long tail of risk that exists for all victims of the compromise which could extend for quite a long period of time.” 

The second Tuesday of every month is Patch Tuesday. That means it’s time to patch all the things that are Microsoft related. And this month is huge. Bleeping Computer is reporting that there are 132 flaws including six zero day flaws.

Yikes!

Yoav Iellin, Senior Researcher, Silverfort highlights three that you really need to worry about:

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2023-35367, 35366, 35365 

“The Routing and Remote Access role is not commonly seen in Windows servers. It’s used for advanced routing, NAT, and VPN – and it is not installed by default. However, installing this role turns the server into a provider of these services – potentially directing some or even all network traffic through the server.

Sending a special packet to the Windows server may lead to remote code execution. This is particularly concerning if the specific Windows server acts as a domain controller as well.

With a CVSS score of 9.8, it’s worth taking note of this vulnerability. If you have this service enabled, you should consider installing the patch as soon as possible or even disabling the service.”

Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2023-33134, 33157, 33159, 33160

“Last month’s Patch Tuesday – which was light in comparison to this month – saw the release and disclosure of many SharePoint vulnerabilities, and this month we’re seeing RCEs in SharePoint affecting multiple areas. All of them require the attacker to be authenticated or the user to perform an action that, luckily, reduces the risk of a breach. Even so, as SharePoint can contain sensitive data and is usually exposed from outside the organization, those who use the on-premises or hybrid versions should update.”

Windows Remote Desktop Protocol Security Feature Bypass
CVE-2023-35332, 35352, 35303, 32043

“Remote Desktop Protocol provides a platform for remote communication with Windows machines, and recently, we’ve seen a number of vulnerabilities affecting it. This time there are multiple types of vulnerabilities that each attack different aspects of the service. One allows spoofing of a computer and acts as a “man in the middle” (MITM) to bypass its certificate validation warning, while another vulnerability targets environments where users can authenticate with smart cards. These vulnerabilities should be a warning to those who use them to ensure a higher level of protection between non-secure networks and high ones.”

As soon as I click publish on this story, I’ll be patching all the Microsoft gear in my environment. You should likely do the same.

It’s the second week of June, which means it’s Patch Tuesday. And that means that you need to get about patching all things Microsoft. Bleeping Computer has the details:

While thirty-eight RCE bugs were fixed, Microsoft only listed six flaws as ‘Critical,’ including denial of service attacks, remote code execution, and privilege elevation.

The number of bugs in each vulnerability category is listed below:

• 17 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 32 Remote Code Execution Vulnerabilities
• 5 Information Disclosure Vulnerabilities
• 10 Denial of Service Vulnerabilities
• 10 Spoofing Vulnerabilities
• 1 Edge – Chromium Vulnerabilities

This list does not include sixteen Microsoft Edge vulnerabilities previously fixed on June 2nd, 2023.

Dor Segal, Senior Research Tech Lead, Silverfort highlights two key fixes by Microsoft:

     “CVE-2023-29357 is a Microsoft SharePoint Server Elevation of Privilege Vulnerability with a high CVSS score of 9.8.

This vulnerability could be used by an attacker with access to spoofed JWT authentication tokens to bypass authentication, gain access to a SharePoint server and adopt the privileges of an authenticated user.

It’s currently unclear whether the access permissions are to the SharePoint application or to the server itself, meaning the impact of any exploitation attempts could range from data theft to initial access into a domain environment. This would explain its high CVSS score.

CVE-2023-29362 – a Remote Desktop Client RCE vulnerability – is pretty unique and well worth notice.

Admins use RDP clients for many of their day-to-day tasks, from managing servers to fixing user problems. Using an RDP client can give admins a false sense of security: they can see what’s going on in a remote server or that client’s computer, but they believe themselves to be protected from malicious activity on the client’s end thanks to the RDP. This vulnerability unfortunately proves that wrong.

CVE-2023-29362 allows an attacker who has compromised a Windows machine to attack and spread to any RDP client connected to that same machine. In the case of admins or other privileged machines, this could potentially lead to compromise of the entire domain.

It’s worth noting that patching is needed on the client’s side – not the server’s – so we recommend first patching privileged clients before moving on to the rest of the clients in the organization.”

After I post this, I will get about patching all the Microsoft gear in my home and home office. You might want to do the same thing as soon as you can.

DownDetector.com is reporting that Microsoft 365 Is down for thousands of users. It appears that users are complaining that the productivity suite is having slow performance to not being able to send emails or, or they can’t log in all together. I got a few calls on this starting about an hour ago from clients, thus I know that this is a somewhat widespread problem. I should note that Microsoft has admitted to this:

So until Microsoft figures this it, it might be a snow day for many Microsoft 365 users.

Bad news if you like Microsoft’s voice assistant Cortana. Its days are numbered according to this support document. Specifically, Microsoft will remove it from Windows 10 and 11. Instead, Microsoft will shift its focus to CoPilot which was announced last week. Other tools, such as Bing Chat AI are promising to deliver on, and possibly exceed, the features and functions offered by Cortana.

Are you sad or indifferent to Cortana getting deep sixed? I have to admit that I’ve never used Cortana, so I am in the latter category. But what about you? Leave a comment below and share your thoughts.