
2023.01.17.News You Should Know

Microsoft is set to introduce significant changes to the Windows enterprise over the next year, with multiple security settings going from recommended to enforced.
Highlights include the EOL for AD Connector 2.0.x, changes to MFA, and the end of standalone Office Apps for 2016/19.

Caniphish’s Sebastian Salla published a review today of thousands of misconfigured SPF records that allow emails to be sent on behalf of foreign governments, the Massachusetts Institute of Technology, and the University of Miami, among others.
Supplementary information about SPF, DKIM, and DMARC is available from EasyDMARC.
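As an added example (not code from the original post or from Caniphish), the following Python audit runs over constructed SPF TXT strings and flags the common misconfigurations that make a domain spoofable: a permissive "+all" or neutral "?all", a missing "all" term, the deprecated "ptr" mechanism, and exceeding RFC 7208's limit of 10 DNS lookups. The sample records are invented for illustration and no DNS is queried.

```python
import re

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208 (limit: 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records; none of these domains are real SPF publishers.
SAMPLE_RECORDS = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "spoofable.example": "v=spf1 include:_spf.mail.example +all",
    "neutral.example": "v=spf1 a mx ?all",
}


def audit_spf(record: str) -> dict:
    """Parse one SPF record string and return terms, lookup count and findings."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"terms": terms, "lookups": 0, "findings": ["not an SPF record"]}
    lookups = 0
    all_qualifier = None  # qualifier on the final "all" term, if present
    for term in terms[1:]:
        # Optional qualifier (+ - ~ ?), then mechanism/modifier name, then argument.
        m = re.match(r"^([+\-~?]?)([a-zA-Z0-9]+)(?:[:=/](.*))?$", term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, name, _arg = m.groups()
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
        if name == "all":
            all_qualifier = qualifier or "+"  # RFC 7208: missing qualifier means pass
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get neutral, not fail")
    elif all_qualifier == "+":
        findings.append("'+all' passes every sender: domain is spoofable")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds limit of 10: permerror")
    return {"terms": terms, "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = audit_spf(record)
        print(domain, result["lookups"], result["findings"] or "OK")
```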

Slate leaks a new cybersecurity policy from Biden’s White House. The new policy introduces two controversial concepts. One, mandatory cybersecurity requirements for 20 key industries supporting “critical infrastructure”. Two, “hack back” authorizations for offensive actions by government agencies and public companies.
This comes after Trump officials began cybersecurity efforts in 2019 but stopped short of approving “hack back” policies. Regardless, NSA Chief General Nakasone continues to push for more offensive cyber capabilities in the press.

Note: The authors are against “hack back” policies and believe this sets a dangerous precedent for global cyber relations, specifically where attribution is concerned.

Speaking of attribution, the always relevant document “Beyond Attribution” by the Atlantic Council should be considered mandatory reading for all cyber professionals and the C-suite.

CISA published its 2022 Year In Review this week, covering 4 major categories: Cyber Defense, Risk Reduction and Resilience, Operational Collaboration, and Agency Unification. Highlights of the document were published in the attached PDF fact sheet.

Consulting company S-RM published a post-breach report on ransomware group Lorenz. The threat actor’s TTPs were notable for the increased dwell time in the environment. Moving quickly after disclosure, Lorenz planted a backdoor on organizations susceptible to CVE-2022-29499, then returned months later to exploit the now-backdoored network. This deviates from other ransomware groups, which generally exploit and encrypt companies as quickly as access can be obtained.

CircleCI disclosed details on a breach that began in late December. An attacker was able to steal a session token and impersonate a high-impact user within CircleCI despite the session being protected by MFA. Customer systems were then compromised, resulting in the exfiltration of keys and tokens stored in CircleCI pipelines. This highlights the importance of setting reasonable MFA and SSO session lifetimes that match the risk tolerance of the organization. Likewise, alternatives to statically stored secrets (OIDC, a RESTful key vault, etc.) can be implemented to minimize the likelihood of secret disclosure.

Shout out to Travis for his contributions to the News You Should Know this week!
