Friday, December 23, 2022

Become a Collaborator on the Responding to and Recovering from a Cyber Attack

 The National Cybersecurity Center of Excellence (NCCoE) has issued a Federal Register Notice inviting industry participants and other interested collaborators to participate in the Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project. In conjunction with the Federal Register Notice, the NCCoE has published the Final Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector Project Description, Revision 1.

Industrial control systems (ICS) and devices that run manufacturing environments play a critical role in the supply chain. These same systems face an increasing number of cyber attacks that present a threat to safety, production, and economic impact to a manufacturing organization. This project will demonstrate an approach for responding to and recovering from a cyber attack on ICS within the manufacturing sector.

Join Us

There are two ways to join the NCCoE for this project:

  • Become an NCCoE Collaborator – Collaborators are members of the project team who work alongside the NCCoE staff to build the demonstration by contributing products, services, and technical expertise. Collaborators are expected to participate in regularly scheduled conference calls and to help build and document the demonstration.
  • Get Started Today – If you are interested in becoming an NCCoE collaborator for the Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project, first review the requirements identified in the Federal Register Notice. If you wish to become a collaborator, you can find the final project description and the form to request a Letter of Interest (LOI) template on the project page. Once you have filled out the request form on the project page, you will be provided a link to download the project’s LOI template. The completed LOI should be sent to the NCCoE Manufacturing team at manufacturing_nccoe@nist.gov. Completed submissions are considered on a first-come, first-served basis within each category of components or characteristics listed in the Federal Register Notice, up to the number of participants in each category necessary to carry out the project build.
  • Collaborator Selection – The NCCoE Manufacturing team will review all submissions and may follow up with respondents with questions or to discuss your capabilities. The NCCoE Manufacturing team will notify each selected collaborator via email and begin the process to establish a Cooperative Research and Development Agreement (CRADA) to formalize your collaboration with the NCCoE. Once the CRADA has been established, the selected collaborators can begin working with the NCCoE to draft white papers, playbooks, and demonstrable proof-of-concept implementations.
  • If you submit a Letter of Interest and are not selected, the project team will notify you via email. We encourage those who are not selected to be collaborators to stay engaged via our Community of Interest and to bring your expertise when project deliverables are posted as drafts for public comment and during any public meetings held for this project.
  • Join our Community of Interest – By joining the NCCoE Manufacturing Community of Interest (COI), you will receive project updates and the opportunity to share your expertise to help guide this project. Request to join our COI by visiting our project page.

If you have any questions, please contact our project team at manufacturing_nccoe@nist.gov.

Project Page

These free and in-depth virtual training events

 NEW Virtual Training Day: Secure Access and Management

The new Secure Access and Management Virtual Training Day replaces the Zero Trust Virtual Training Day and features new, extended content on the topic. It explores how using identity as a security perimeter protects data. After attending, participants will be able to:

  • Explain what Zero Trust is, and how Microsoft uses identity as the foundation of Zero Trust.
  • Configure Conditional Access to allow for granular access and monitoring of Azure resource usage.
  • Use Defender for Cloud Apps and Identity Governance to protect cloud and on-premises solutions and data.

 

The Secure Access and Management Virtual Training Day is available now. Register for this new course on the Microsoft Security Virtual Training Days home page.

Tuesday, December 20, 2022

Great resource for transitioning service members and veterans

Microsoft Software and Systems Academy (MSSA) provides transitioning service members and veterans with critical technical and career skills required for today’s growing technology industry.


Torqued to address the unique needs of the military community

Microsoft Software and Systems Academy (MSSA) is a full-time, 17-week technical training program leading to in-demand careers in cloud development, cloud administration, and related fields. Our proven training model incorporates live instruction, hands-on virtual labs, real-life application scenarios, and opportunities to obtain industry-recognized certifications to prepare our participants for rewarding tech jobs in any industry.

To learn more, go here

Withdrawal of NIST Special Publication 800-107 Revision 1 

In August 2021, NIST’s Crypto Publication Review Board initiated a process to review NIST Special Publication (SP) 800-107 Revision 1, Recommendation for Applications Using Approved Hash Algorithms. SP 800-107 Rev. 1 discusses the security strengths of hash functions and provides recommendations on digital signatures, HMAC, hash-based key derivation functions, random number generation, and the truncation of hash functions. See the initial public comments received by NIST.

On June 8, 2022, NIST proposed the withdrawal of SP 800-107 Rev. 1 and called for comments on that decision proposal. See the decision proposal comments received by NIST. 

After considering the received comments, NIST is planning to withdraw SP 800-107 Rev. 1. Since the publication of SP 800-107 Rev. 1 in 2012, NIST has published (or revised) multiple recommendations that cover hash functions in different applications in more detail (e.g., SP 800-90A/B/C, SP 800-56A/B/C, SP 800-131A, SP 800-133, SP 800-135). In order to keep specific use requirements for a primitive in their most relevant publications—and avoid duplicating them in a separate publication—NIST has decided to withdraw SP 800-107 Rev. 1. 

NIST has moved the supplementary material currently in SP 800-107 Rev. 1 to NIST’s hash functions webpage. Next, NIST will move the requirements listed in SP 800-107 Rev. 1 that are not currently addressed in other standards to a new Implementation Guidance (IG) developed by the Cryptographic Module Validation Program (CMVP). These requirements will again be considered when hash-function-related standards are revised. Once the new IG has been published, NIST will withdraw SP 800-107 Rev. 1.

Information about the review process is available at NIST's Crypto Publication Review Project.

Read More

NIST and AIM Photonics Team Up on High Frequency Optical/Electronic Chips

 The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has entered into a cooperative research and development agreement with AIM Photonics that will give chip developers a critical new tool for designing faster chips that use both optical and electrical signals to transmit information. Called integrated photonic circuits, these chips are key components in fiber-optic networks and high-performance computing facilities and are used in laser-guided missiles, medical sensors and other advanced technologies.

AIM Photonics, a Manufacturing USA institute, is a public-private partnership that accelerates the commercialization of new technologies for manufacturing photonic chips. The New York-based institute provides small and medium-sized businesses and academic and government researchers access to expertise and fabrication facilities during all phases of the photonics development cycle, from design to fabrication and packaging.

Read More

Wi-Fi Could Help Identify When You’re Struggling to Breathe

 Wi-Fi routers continuously broadcast radio frequencies that your phones, tablets and computers pick up and use to get you online. As the invisible frequencies travel, they bounce off or pass through everything around them — the walls, the furniture, and even you. Your movements, even breathing, slightly alter the signal’s path from the router to your device.

Those interactions don’t interrupt your internet connection, but they could signal when someone is in trouble. NIST has developed a deep learning algorithm, called BreatheSmart, that can analyze those minuscule changes to help determine whether someone in the room is struggling to breathe. And it can do so with already available Wi-Fi routers and devices. This work was recently published in IEEE Access.

Read More

Monday, December 19, 2022

Webinar: Introduction to the National Cybersecurity Center of Excellence (NCCoE)

Date: January 25, 2023

Time: 3:00 p.m.-3:45 p.m. ET

Event Description:

Part of National Institute of Standards and Technology’s (NIST) Applied Cybersecurity Division, the NCCoE is a collaborative hub where industry, government, and academia work together to address businesses’ most pressing cybersecurity challenges for specific industries as well as for broad, cross-sector technology areas.

What makes the NCCoE unique is the hands-on nature of our work and our close association with industry and the cybersecurity technology community. This public-private partnership enables the creation of modular and adaptable example cybersecurity demonstrations that show practitioners how to apply standards and best practices using commercially available technologies.

Join us on January 25, 2023 to kick off our 2023 NCCoE Learning Series with an overview of the NCCoE. We’ll take some time to outline who we are, what we do, and why it matters. Learn about our applied cybersecurity mission, how we deliver value to industry, and ways you can get involved.

Agenda:

  • 3:00-3:30: Overview of the NCCoE
  • 3:30-3:45: Audience Q&A

Speaker:

  • Bill Newhouse, Cybersecurity Engineer, NIST National Cybersecurity Center of Excellence

Register Here

 

The Fine Art of SaaS Security

 Great article that I helped contribute to, in ChannelPro magazine.

The article talks about the risks of Software as a Service. You can read the article here.

Announcement of Proposal to Update FIPS 197, The Advanced Encryption Standard

 As a part of the periodic review of NIST’s cryptographic standards and guidelines, NIST's Crypto Publication Review Board ("Review Board") announced the review of Federal Information Processing Standards Publication (FIPS) 197, The Advanced Encryption Standard (AES) in May 2021.  

NIST proposes to update FIPS 197. An update of a publication is appropriate when it only requires changes to correct errors or clarify its interpretation, and no changes are made to technical content. Proposed changes to FIPS 197 are summarized in the full announcement. 

A public comment period for the draft FIPS 197 update is open through February 13, 2023. Public comments on the decision to update the FIPS, or on the draft update itself, may be submitted to cryptopubreviewboard@nist.gov, with “Comments on Draft FIPS 197 Update” in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process. 

Read More

Friday, December 16, 2022

Please Submit Comments on NIST’s Draft Revision 4 of SP 800-63, Digital Identity Guidelines

 Digital Identities

The rapid proliferation of online services over the past few years has heightened the need for reliable, equitable, secure, and privacy-protective digital identity solutions. Revision 4 of NIST’s Special Publication 800-63, Digital Identity Guidelines, intends to respond to the changing digital landscape that has emerged since the last major revision of this suite was published in 2017—including the real-world implications of online risks. The guidelines present the process and technical requirements for meeting digital identity management assurance levels for identity proofing, authentication, and federation, including requirements for security and privacy as well as considerations for fostering equity and the usability of digital identity solutions and technology.

Taking into account feedback provided in response to our June 2020 Pre-Draft Call for Comments, as well as research conducted into real-world implementations of the guidelines, market innovations, and the current threat environment, this draft seeks to: advance equity, emphasize optionality and choice for consumers, deter fraud and advanced threats, improve privacy, and address implementation lessons learned.

Please submit your comments via email (dig-comments@nist.gov) by 11:59 PM ET on Friday, March 24, 2023. The Note to Reviewers section highlights the specific topics NIST is hoping for feedback on; please note that NIST will review all comments and make them available on the NIST Identity and Access Management Resource Center (NIST IAM).

NIST will host a virtual event, Digital Identity Guidelines – Kicking off Revision 4!, on January 12, 2023 at 1:00 PM ET. We will provide an overview of the draft, highlight key areas where input is needed from the community, and share information on how to get involved. REGISTER NOW!

 

Learn More

NIST Retires SHA-1 Cryptographic Algorithm

An illustration featuring a laptop: text with the letters SHA-1 is crossed out, with check marks next to the letters SHA-2 and SHA-3.

The SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life, according to security experts at the National Institute of Standards and Technology (NIST). The agency is now recommending that IT professionals replace SHA-1, in the limited situations where it is still used, with newer algorithms that are more secure.

SHA-1, whose initials stand for “secure hash algorithm,” has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1. It is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.

NIST Transitioning Away from SHA-1 for All Applications

 NIST is introducing a plan to transition away from the current limited use of the Secure Hash Algorithm 1 (SHA-1) hash function. Other approved hash functions are already available. The transition will be completed by December 31, 2030, and NIST will engage with stakeholders throughout the transition process. See the full announcement for more details.

Before December 31, 2030, NIST plans to:

  • Publish Federal Information Processing Standard (FIPS) 180-5 (a revision of FIPS 180) to remove the SHA-1 specification,
  • Revise NIST Special Publication (SP) 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1, and
  • Create and publish a transition strategy for the Cryptographic Module Validation Program (CMVP) and the Cryptographic Algorithm Validation Program (CAVP).

Throughout this process, NIST will actively engage with government agencies, validation testing laboratories, vendors, Standards Developing Organizations, sector/industry organizations, users, and other stakeholders to minimize potential impacts and facilitate a smooth transition.

NIST encourages these entities to begin planning for this transition now. By completing their transition before December 31, 2030, stakeholders – particularly cryptographic module vendors – can help minimize potential delays in the validation process.

Contact

Send questions about the transition in an email to sha-1-transition@nist.gov. Visit the Policy on Hash Functions page on CSRC to learn more.

Read More

Saturday, December 10, 2022

NIST SP 1800-34, Validating the Integrity of Computing Devices (Supply Chain)

 The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST SP 1800-34, Validating the Integrity of Computing Devices.

What Is This Guide About?

Technologies today rely on complex, globally distributed and interconnected supply chain ecosystems to provide reusable solutions. Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing cyber supply chain risks requires, in part, ensuring the integrity, quality, and resilience of the supply chain and its products and services. This project demonstrates how organizations can verify that the internal components of their computing devices are genuine and have not been altered during the manufacturing or distribution processes.

Let Us Know What You Think!

Questions? Email us at supplychain-nccoe@nist.gov with your feedback and let us know if you would like to join the Supply Chain Assurance community of interest. We recognize that technical solutions alone will not fully enable the benefits of our solution, so we encourage organizations to share lessons learned and best practices for transforming the process associated with implementing this guide.

What's Next

We will be hosting a community of interest webinar in February to discuss the final practice guide and share other exciting activities. The date and time will be announced later and we will send out another email to inform our community of interest.

Project Page

Wednesday, December 7, 2022

Free Training Azure webinar series Flexibility and Performance on Azure for SQL Server Data

 

Join this webinar to learn how new features in Azure SQL Managed Instance provide even more flexibility to modernize your data platform on your terms – and help you save money in the process.  

  • Understand when SQL Managed Instance is the right destination for your on-premises SQL Server data, and the price-performance benefits of modernization.  
  • Experience product demos showcasing data virtualization, hybrid flexibility with the link feature and more.  
  • Hear about exciting new offers that reduce your total cost of ownership on Azure SQL.  
  • Learn about the available tools, programs, and support to help you get to the cloud from wherever you are in the journey.  

SQL Managed Instance has continued to evolve as a service since its general availability, based upon feedback we receive from our customers. If you’ve been considering modernizing your SQL Server workloads to fully managed database services in the cloud but hesitated in the past, now is the time to move to Azure SQL Managed Instance.

 

Azure webinar series
Flexibility and Performance on Azure for SQL Server Data

Thursday, December 8, 2022
10:00 AM–11:00 AM Pacific Time

Register here 

Free Microsoft Azure Virtual Training Days

Here is a site to help you expand your expertise and learn new skills. This site has training for IT, developers, and business folks.




There's lots of content here for you. Go here.

NCCoE Releases Preliminary Draft Practice Guide for Trusted IoT Onboarding and Lifecycle Management

 The National Cybersecurity Center of Excellence (NCCoE) has released the preliminary draft of NIST Special Publication (SP) 1800-36A: Executive Summary, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The public comment period for the draft is open until February 3, 2023.

About the Project

Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement could improve the security of networks and IoT devices.

This draft practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. The NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and capabilities that improve device and network security throughout the IoT-device lifecycle to achieve this.

Submit Your Comments

The public comment period for the draft is open now until February 3, 2023. See the publication details for a copy of the draft publication and comment instructions.

Comment Now

NIST: Industrial Advisory Committee Meeting Thursday, Dec. 8, 2022

Industrial Advisory Committee Meeting Thursday, Dec. 8, 2022

The Industrial Advisory Committee will hold an open meeting in-person and via web conference on Thursday, Dec. 8, 2022, from 9 a.m. to 3 p.m. Eastern Time. The primary purposes of this meeting are to update the committee on the progress of the Creating Helpful Incentives to Produce Semiconductors (CHIPS) Research & Development (R&D) Programs, receive updates from the committee working groups, and allow the committee to deliberate and discuss the progress that has been made. The final agenda will be posted on the committee page on the NIST website.

The meeting will be held in person and via web conference, from the Grand Hyatt Washington Hotel, located at 1000 H St. NW, Washington, D.C. 

We have reached capacity for our in-person registration. However, we have a registration option available to view virtually. To view the virtual event, please submit your full name, the organization you represent (if applicable), e-mail address, and phone number via https://events.nist.gov/profile/18507. You may contact Tamiko Ford at Tamiko.Ford@nist.gov for more information.

The Industrial Advisory Committee is currently composed of 24 members, appointed by the Secretary of Commerce, to provide advice to the United States Government on matters relating to microelectronics research, development, manufacturing, and policy.

Register Now


Overview of Microsoft Entra Permissions Management

If you want to understand how you can manage multi-cloud environments with ease, don’t miss this stream, “Overview of Entra Permissions Management.” https://lnkd.in/gAvuwYBU

Microsoft has a bunch of content around Entra Permissions Management. Here are some links:

Kick-Off Blog: https://425.show/epm-blog

Microsoft Entra Permissions Management: Walk Through Demo: https://425.show/epm-click-thru

Microsoft Entra Permissions Management: Documentation: https://425.show/epm-docs




Wednesday, November 30, 2022

Free Microsoft Training for Security Professionals

FREE TRAINING Microsoft training for Security Engineers

Secure your systems and protect your data

You're responsible for the design and implementation of digital security controls, managing access, and protecting your data in cloud networks and hybrid environments. Get the skills and knowledge needed to build your career as a successful Security Engineer. To learn more, go here.

NIST: SP 1800-22 Bring Your Own Device (BYOD) Second Draft

 The Mobile Device Security Team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has published the second draft of Special Publication 1800-22 Mobile Device Security: Bring Your Own Device (BYOD) and is seeking the public’s comments on its contents. Many organizations now support their employees’ use of personal mobile devices to remotely perform work-related activities.

This increasingly common practice, known as BYOD, provides employees with increased flexibility to telework and access organizational information resources. Helping to ensure that an organization’s data is protected when it is accessed from personal devices, while also protecting the privacy needs of employees, poses unique challenges and threats.

The goal of this practice guide is to provide an example solution that helps organizations use both a standards-based approach and commercially available technologies to help meet their security and privacy needs when permitting personally owned mobile devices to access enterprise resources.

Please review the second draft, which includes new updates to the iOS BYOD implementation, and submit comments online on or before January 13th, 2023. Visit the mobile device security page to submit your comments here.

We welcome your input and look forward to your comments. We invite you to join our Community of Interest to receive news and updates about this project by signing up on our website here

- The Mobile Device Security Team

Tuesday, November 22, 2022

Vulnerable SDK components lead to supply chain risks in IoT and OT environments as posted on Microsoft

 Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries. Attacks on software and hardware supply chains, like Log4J and SolarWinds, have highlighted the importance of visibility across device components and proactively securing networks. A report published by Recorded Future in April 2022 detailed suspected electrical grid intrusion activity and implicated common IoT devices as the vector used to gain a foothold into operational technology (OT) networks and deploy malicious payloads. While investigating the attack activity, Microsoft researchers identified a vulnerable component on all the IP addresses published as IOCs and found evidence of a supply chain risk that may affect millions of organizations and devices.

We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices. Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.

In this blog, we detail the risks affiliated with vulnerable components, highlighting the Boa web server, and how we suspect these components could be exploited to target critical industries. We also discuss the difficulties with identifying these components in device supply chains. To provide comprehensive protection against such attacks, we offer detection information to identify vulnerable components and guidance for organizations and network operators to improve their security posture.

Investigating the attack activity

The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022. Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa.

Microsoft further identified that half of the IP addresses published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool identified by Recorded Future. The combination of Boa and suspicious response headers was identified on another set of IP addresses, displaying similar behavior to those found by Recorded Future. While these IP addresses are not confirmed as malicious, we recommend they be monitored to ensure no additional suspicious activity. Users of Microsoft Defender Threat Intelligence will find these IP addresses in the portal labeled as block-listed or suspicious:

  • 122[.]117[.]212[.]65
  • 103[.]58[.]93[.]133
  • 125[.]141[.]38[.]53
  • 14[.]45[.]33[.]239
  • 14[.]55[.]86[.]138
  • 183[.]108[.]133[.]29
  • 183[.]99[.]53[.]180
  • 220[.]94[.]133[.]121
  • 58[.]76[.]177[.]166

Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated with IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators. Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.

Since the report’s publication, Microsoft researchers tracking the hosts at the published IPs have observed that all IP addresses have been compromised by a variety of attackers employing different malicious methods. For example, some of the IP addresses were further leveraged to download a variant of the Mirai malware family shortly following the report’s release. Microsoft also found evidence that across different devices on the IP addresses, there were attempts to connect with default credentials through brute force methods and attempts to run shell commands. Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector.

Boa widespread through SDKs

The Boa web server is widely implemented across a variety of devices, including IoT devices ranging from routers to cameras, and is often used to access settings and management consoles as well as sign-in screens. The popularity of Boa web servers is especially concerning as Boa has been formally discontinued since 2005. Data from the Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world over the span of a week, as depicted in the figure below:

Figure 1. Global mapping of internet-exposed Boa web servers on devices (a global distribution map of exposed Boa web servers observed over the span of a week)

Boa web servers remain pervasive in the development of IoT devices. One reason for this could be their inclusion in popular SDKs, which contain the essential functions that operate the system on chip (SoC) implemented in microchips. Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to supply chain vulnerabilities. Popular SDKs, like those released by RealTek, are used in SoCs provided to companies that manufacture gateway devices like routers, access points, and repeaters. Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek’s SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks.

While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the “passwd” file from the device or accessing sensitive URIs in the web server to extract a user’s credentials. Moreover, these vulnerabilities require no authentication to exploit, making them attractive targets.

Figure 2. The IoT device supply chain demonstrates how vulnerabilities are distributed downstream to organizations and their assets: Boa web servers vulnerable to CVEs from 2017 and 2021 are used in RealTek SDKs that are vulnerable to CVEs from 2021 and 2022; both components are then implemented in RealTek SOCs, which are used in routers and similar IoT devices in corporate and manufacturing environments, leaving them vulnerable to unauthorized arbitrary file access and information disclosure.

The popularity of the Boa web server illustrates the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network. Updating the firmware of IoT devices does not always patch SDKs or specific SOC components, and there is limited visibility into which components a device contains and whether they can be updated. The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.

Recommendations

As attackers seek new footholds into increasingly secure devices and networks, organizations should prioritize identifying and preventing security risks distributed through software and hardware supply chains, such as outdated components. This case illustrates the importance of proactive cybersecurity practices and the need to identify vulnerable components that may be leveraged by attackers.

Microsoft recommends that organizations and network operators follow best practice guidelines for their networks:

  • Patch vulnerable devices whenever possible to reduce exposure risks across your organization.
  • Utilize device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments, which identify unpatched devices in the organizational network, and set workflows for initiating appropriate patch processes with solutions like Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint with Microsoft Defender for IoT.
  • Extend vulnerability and risk detection beyond the firewall with platforms like Microsoft Defender External Attack Surface Management. Customers can identify internet-exposed infrastructure running Boa web server components in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface assets vulnerable to CVE-2017-9833. The insight can be found under High Severity Observations.
  • Reduce the attack surface by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. IoT and critical device networks should be isolated with firewalls.
  • Use proactive antivirus scanning to identify malicious payloads on devices.
  • Configure detection rules to identify malicious activity whenever possible. Security personnel can use our Snort rule below to configure security solutions to detect CVE-2022-27255 on assets using the RealTek SDK.
alert udp any any -> any any (msg:"Realtek eCOS SDK SIP Traffic Exploit CVE-2022-27255"; content:"invite"; depth:6; nocase; content:"sip:"; content:"m=audio "; isdataat:128,relative; content:!"|0d|"; within:128; sid:20221031;)
  • Adopt a comprehensive IoT and OT solution like Microsoft Defender for IoT to monitor devices, respond to threats, and increase visibility, so that IoT devices running Boa can be detected and alerted on when they are used as an entry point to a network, and critical infrastructure can be protected.
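As an added example that is not part of the original post, the Python function below re-implements the Snort rule above option by option (depth, nocase, isdataat relative, negated content with within), so an analyst can check what traffic shape the rule flags against sample SIP payloads offline; the sample packets are constructed, not captured traffic.

```python
# Added example: offline emulation of the CVE-2022-27255 Snort rule quoted above.
# Sample SIP payloads below are constructed for the demonstration.

def matches_realtek_sip_rule(payload: bytes) -> bool:
    """Return True when a UDP payload satisfies every option of the Snort rule."""
    # content:"invite"; depth:6; nocase;  -> "invite" within the first 6 bytes
    if b"invite" not in payload[:6].lower():
        return False
    # content:"sip:";  -> not relative, so anywhere in the payload
    if b"sip:" not in payload:
        return False
    # content:"m=audio "; isdataat:128,relative; content:!"|0d|"; within:128;
    # Every "m=audio " occurrence is examined, mirroring Snort's retry of later
    # anchor occurrences when the relative checks fail on the first one.
    anchor = b"m=audio "
    start = payload.find(anchor)
    while start != -1:
        after = payload[start + len(anchor):]
        # isdataat:128,relative -> at least 128 bytes follow the anchor;
        # content:!"|0d|"; within:128 -> no carriage return in those 128 bytes
        if len(after) >= 128 and b"\r" not in after[:128]:
            return True
        start = payload.find(anchor, start + 1)
    return False


def triage(packets: dict) -> list:
    """Return the labels of the sample packets that trigger the rule."""
    return [label for label, data in packets.items() if matches_realtek_sip_rule(data)]


# Constructed samples: a normal INVITE with a short SDP media line, an INVITE whose
# media line runs on for 200 bytes with no line terminator, and a non-INVITE request.
SAMPLE_PACKETS = {
    "benign_invite": (
        b"INVITE sip:1000@192.0.2.10 SIP/2.0\r\n"
        b"Content-Type: application/sdp\r\n\r\n"
        b"v=0\r\nm=audio 49170 RTP/AVP 0\r\n"
    ),
    "oversized_media_line": (
        b"INVITE sip:1000@192.0.2.10 SIP/2.0\r\n"
        b"Content-Type: application/sdp\r\n\r\n"
        b"v=0\r\nm=audio " + b"0" * 200 + b"\r\n"
    ),
    "not_invite": b"REGISTER sip:1000@192.0.2.10 SIP/2.0\r\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_PACKETS))  # ['oversized_media_line']
```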