Update on SVR Cyber Operations and Vulnerability Exploitation

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) released this Joint Cybersecurity Advisory to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats.
Since at least 2021, Russian SVR cyber threat actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the Defense Industrial Base, Information Technology, and Financial Services sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.
The authoring agencies are releasing this advisory to warn network defenders that SVR cyber threat actors are highly capable of and interested in exploiting software vulnerabilities for initial access and escalation of privileges. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs, such as spearphishing, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, cloud exploitation, and living-off-the-land (LOTL) techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.

CISA: Avoid Scams After Disaster Strikes

As hurricanes and other natural disasters occur, CISA urges individuals to remain on alert for potential malicious cyber activity. Fraudulent emails and social media messages—often containing malicious links or attachments—are common after major natural disasters. Exercise caution in handling emails with hurricane-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events. Before responding, ensure hurricane-related guidance is from trusted sources, such as local officials and disaster response organizations, including Federal Emergency Management Agency (FEMA) and DHS’s Ready.gov.

CISA encourages users to review the following resources to avoid falling victim to malicious cyber activity: 

GorillaBot Pounds Its Chest After Unleashing Over 300,000 DDOS Attacks

Image Source: NSFOCUS
The newest threat to emerge from Mirai’s leaked source code has made itself known in a big way. The botnet, dubbed GorillaBot , issued over 300,000 attack commands across 113 countries from September 4 to September 27, with China (20 percent), the United States (19 percent), and Canada (16 percent) as the most targeted countries. These attacks involved over 20,000 organizations worldwide, including almost 4,000 organizations in the United States. At its peak, over 20,000 commands were issued over 24 hours, demonstrating a consistent and substantial flow of commands.
Image Source: NSFOCUS
GorillaBot utilizes several different attack methods but favors UDP Flood attacks, followed by ACK Bypass Flood attacks and Valve Source Engine (VSE) Flood attacks. Using the same process as the original Mirai , GorillaBot randomly selects one of five C2 servers to establish a connection and receive commands. GorillaBot employs 19 different distributed denial-of-service (DDOS) attack vectors and encryption algorithms, which the Keksec threat group often utilizes to encrypt key strings. An exploit named “yarn_init” is written into the code that uses a vulnerability in Hadoop Yarn RPC that allows for remote code execution without authentication. To maintain persistence, GorillaBot writes the “custom.service” file into the /etc/systemd/system directory and sets it to run automatically upon system boot. There is also a check to determine if the /proc file system exists on the infected device and if the system is a honeypot.
Recommendations
Monitor network traffic, checking for any abnormal increases that could indicate the beginning of a DDOS attack. Regularly check for and remediate exploitable security flaws and vulnerabilities. Distribute servers and critical data in multiple data centers to ensure they are on different networks with diverse paths. Keep all devices patched with the latest security updates.

Review the DDOS Attack Types and Mitigation Strategies
NJCCIC Product for more information on DDOS attacks.
Read more about IoT Devices and best practices in the IoT Device Security and Privacy NJCCIC product.

DPRK Delivers Updated BeaverTail Malware to Job Seekers

Analysts recently identified a new iteration of BeaverTail malware associated with the CL-STA-240 Contagious Interview campaign , first discovered in November 2023. The threat actors, associated with the Democratic People’s Republic of Korea (DPRK), pose as prospective employers and target individuals seeking employment within the Information Technology sector through popular job search platforms such as LinkedIn and X. The threat actors then attempt to convince the victims to participate in online interviews to trick them into downloading and installing malware.
Profile of a fake recruiter on X. Image Source: Unit 42
This new BeaverTail variant was detected as early as July 2024. It was written in Qt rather than JavaScript, allowing threat actors to create cross-platform applications for Windows and macOS simultaneously. The updated malware has expanded to target 13 distinct cryptocurrency wallet browser extensions. Other updated features enable password theft in macOS and the theft of cryptocurrency wallets in macOS and Windows. These changes align with the ongoing financial interests of North Korean threat actors.
Once installed, BeaverTail runs in the background and forwards stolen sensitive data to the command and control (C2) server. After exfiltration, BeaverTail attempts to download the Python programming language from hxxp://<c2_server>:1224/pdown. Python is necessary for InvisibleFerret to function on different operating systems. The first stage of InvisibleFerret then downloads from hxxp://<c2_server>:1224/client/<campaign_id>.
InvisibleFerret components infographic. Image Source: Unit 42
The attack ends with the delivery of the InvisibleFerret backdoor, which can be used for keylogging, file exfiltration, and downloading remote control software such as AnyDesk. If the malware is successfully downloaded, this campaign could potentially compromise prospective companies that may hire the targeted job seekers, leading to the extraction and exfiltration of sensitive data.
Recommendations
Educate yourself and others about these and similar scams. Refrain from clicking on links and attachments delivered via emails or social media messages. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Confirm the legitimacy of requests by contacting the careers section of a company’s official website or by calling the company’s human resources department to verify if the job offer is legitimate. 

Report malicious cyber activity to the FTC, FBI’s IC3.

Free Training: Defend Against Threats with Extended Detection and Response training day

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Defend Against Threats with Extended Detection and Response to learn how to better protect apps and data in Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. You’ll get an in-depth view into attack disruption, incidents and alerts, and best practices for investigation and incident management. You will have the opportunity to: Learn how to investigate, respond to, and hunt for threats using Microsoft Defender and Microsoft Sentinel. Understand how integrating Microsoft 365 Defender and Microsoft Sentinel enhances security and response time. Discover how to help mitigate threats across your entire infrastructure with Microsoft Security tools and solutions. Join us at an upcoming Defend Against Threats with Extended Detection and Response event:
October 29, 2024
11:00 AM – 2:15 PM | (GMT-05:00) Central Time​ US & Canada
12:00 PM – 3:15 PM | (GMT-04:00) Eastern Time US & Canada
10:00 AM – 1:15 PM | (GMT-06:00) Mountain Time​ US & Canada
9:00 AM – 12:15 PM | (GMT-07:00) Pacific Time US & Canada


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >
 

NIST small business cybersecurity webinar

Event Date: October 23, 2024

Event Time: 2:00PM – 3:00PM EDT

Event Location: Virtual

Description:

Identity and Access Management is a fundamental and critical cybersecurity capability for businesses of all sizes. To protect your business from fraud and unauthorized system and data access, you want to take steps to ensure that only the right people and technologies have the right level of access to the right resources at the right time.

For many busy small business owners, the use of passwords has been the primary method for locking down access to sensitive systems and data. However, passwords alone are not effective for protecting your data from most attackers. They have become too easy for threat actors to exploit at scale and with limited effort. So that leaves us with the question: what can a small business owner with limited resources do to protect their systems and information from unauthorized access?

During this webinar, we’ll take it back to the fundamentals to discuss practical steps small businesses can take to enhance their identity and access management, resulting in a stronger, more resilient business in the face of increasing cybersecurity risks. We will cover:

  • Current guidance and leading-practices for multi-factor authentication (MFA), including phishing-resistant MFA.
  • Identity and Access Management approaches to consider as your business grows.
  • How identity and access management is covered in the NIST Cybersecurity Framework 2.0.

Speakers:

  • Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division, NIST
  • Robert Thelen, CEO and Co-Founder, Rownd 
Register Here

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

  • Adobe is a software that is used for creating and publishing a wide variety of contents including graphics, photography, illustration, animation, multimedia, motion pictures and print.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

  • Adobe Substance 3D Painter 10.0.1 and earlier versions
  • Adobe Commerce 2.4.7-p2 and earlier versions
  • Adobe Commerce 2.4.6-p7 and earlier versions
  • Adobe Commerce 2.4.5-p9 and earlier versions
  • Adobe Commerce 2.4.4-p10 and earlier versions
  • Adobe Commerce B2B 1.4.2-p2 and earlier versions
  • Adobe Commerce B2B 1.3.5-p7 and earlier versions
  • Adobe Commerce B2B 1.3.4-p9 and earlier versions
  • Adobe Commerce B2B 1.3.3-p10 and earlier versions
  • Magento Open Source 2.4.7-p2 and earlier versions
  • Magento Open Source 2.4.6-p7 and earlier versions
  • Magento Open Source 2.4.5-p9 and earlier versions
  • Magento Open Source 2.4.4-p10 and earlier versions
  • Adobe Dimension 4.0.3 and earlier versions
  • Adobe Animate 2023 23.0.7 and earlier versions
  • Adobe Animate 2024 24.0.4 and earlier versions
  • Lightroom 7.4.1 and earlier versions    
  • Lightroom Classic 13.5 and earlier versions
  • Lightroom Classic (LTS) 12.5.1 and earlier versions
  • Adobe InCopy  19.4 and earlier versions
  • Adobe InCopy  18.5.3 and earlier versions     
  • Adobe InDesign ID19.4 and earlier version
  • Adobe InDesign ID18.5.3 and earlier version                                      
  • Adobe Substance 3D Stager 3.0.3 and earlier versions 
  • Adobe FrameMaker 2020 Release Update 6 and earlier versions
  • Adobe FrameMaker 2022 Release Update 4 and earlier versions

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Adobe Products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows

Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203): 

Substance 3D Painter:

  • Out-of-bounds Read (CVE-2024-20787)

Adobe Commerce:

  • Improper Authentication (CVE-2024-45115, CVE-2024-45148)
  • Cross-site Scripting (Stored XSS) (CVE-2024-45116, CVE-2024-45123, CVE-2024-45127)
  • Improper Input Validation (CVE-2024-45117)
  • Improper Access Control (CVE-2024-45118, CVE-2024-45121, CVE-2024-45122, CVE-2024-45124, CVE-2024-45129, CVE-2024-45130, CVE-2024-45133, CVE-2024-45135, CVE-2024-45149)
  • Server-Side Request Forgery (SSRF) (CVE-2024-45119)
  • Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-2024-45120)
  • Incorrect Authorization (CVE-2024-45125)
  • Improper Authorization (CVE-2024-45128, CVE-2024-45131, CVE-2024-45132)
  • Information Exposure (CVE-2024-45134)

Adobe Dimension:

  • Use After Free (CVE-2024-45146)
  • Out-of-bounds Write (CVE-2024-45150)

Adobe Animate:

  • Stack-based Buffer Overflow (CVE-2024-47410)
  • NULL Pointer Dereference (CVE-2024-47411)
  • Use After Free (CVE-2024-47412, CVE-2024-47413, CVE-2024-47414, CVE-2024-47415, CVE-2024-47418)
  • Integer Overflow or Wraparound (CVE-2024-47416)
  • Heap-based Buffer Overflow (CVE-2024-47417)
  • Out-of-bounds Read (CVE-2024-47419, CVE-2024-47420)

Adobe Lightroom:

  • Out-of-bounds Read (CVE-2024-45145)

Adobe InCopy:

  • Unrestricted Upload of File with Dangerous Type (CVE-2024-45136)

Adobe InDesign:

  • Unrestricted Upload of File with Dangerous Type (CVE-2024-45137)

Substance 3D Stager:

  • Use After Free (CVE-2024-45138)
  • Heap-based Buffer Overflow (CVE-2024-45139, CVE-2024-45143)
  • Out-of-bounds Write (CVE-2024-45140, CVE-2024-45141, CVE-2024-45144, CVE-2024-45152)
  • Write-what-where Condition (CVE-2024-45142)

Adobe FrameMaker:

  • Out-of-bounds Read (CVE-2024-47421)
  • Untrusted Search Path (CVE-2024-47422)
  • Unrestricted Upload of File with Dangerous Type (CVE-2024-47423)
  • Integer Overflow or Wraparound (CVE-2024-47424)
  • Integer Underflow (Wrap or Wraparound) (CVE-2024-47425)

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
    • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Adobe:
https://helpx.adobe.com/security/Home.html
https://helpx.adobe.com/security/products/substance3d_painter/apsb24-52.html
https://helpx.adobe.com/security/products/magento/apsb24-73.html
https://helpx.adobe.com/security/products/dimension/apsb24-74.html
https://helpx.adobe.com/security/products/animate/apsb24-76.html
https://helpx.adobe.com/security/products/lightroom/apsb24-78.html
https://helpx.adobe.com/security/products/incopy/apsb24-79.html
https://helpx.adobe.com/security/products/indesign/apsb24-80.html
https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html
https://helpx.adobe.com/security/products/framemaker/apsb24-82.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47413
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47418
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47425

Protecting Against Iranian Targeting of Accounts Associated with National Political Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this Fact Sheet, which provides information about threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) targeting and compromising accounts of Americans to stoke discord and undermine confidence in US democratic institutions.  

IRGC actors have previously gained and continue to seek access to personal and business accounts using social engineering techniques by targeting victims across email and chat platforms. This fact sheet includes steps that individuals and organizations can take to enhance their security and resilience to protect themselves against the common techniques used by these cyber actors.  

CISA and FBI strongly recommend all individuals and organizations associated with national political organizations apply the mitigations in this fact sheet, including protecting their sensitive accounts with phishing-resistant multi-factor authentication (MFA).  

Election infrastructure stakeholders and the public can find more resources on how to protect against cyber and physical threats at #Protect2024. CISA encourages organizations to review its Iran Cyber Threat webpage for advisories and actions to defend their networks.

Security Property Verification by Transition Model | NIST Invites Public Comments on IR 8539

The initial public draft of NIST Internal Report (IR) 8539, Security Property Verification by Transition Model, is now available for public comment. Verifying the security properties of access control policies is a complex and critical task. The policies and their implementation often do not explicitly express their underlying semantics, which may be implicitly embedded in the logic flows of policy rules, especially when policies are combined. Instead of evaluating and analyzing access control policies solely at the mechanism level, formal transition models are used to describe these policies and prove the system’s security properties. This approach ensures that access control mechanisms can be designed to meet security requirements.

This document explains how to apply model-checking techniques to verify security properties in transition models of access control policies. It provides a brief introduction to the fundamentals of model checking and demonstrates how access control policies are converted into automata from their transition models. The document then focuses on discussing property specifications in terms of linear temporal logic (LTL) and computation tree logic (CTL) languages with comparisons between the two. Finally, the verification process and available tools are described and compared.

The public comment period is open through November 25, 2024. See the publication details for a copy of the draft and instructions for submitting comments.


NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the
Information Technology Laboratory (ITL) Patent Policy Inclusion of Patents in ITL Publications

Read More

Critical Patches Issued for Microsoft Products, October 8, 2024 – PATCH NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
The vulnerabilities Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572) and Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573) have been seen exploited in the wild and disclosed publicly. 

SYSTEMS AFFECTED:

  • .NET and Visual Studio
  • .NET, .NET Framework, Visual Studio
  • Azure CLI
  • Azure Monitor
  • Azure Stack
  • BranchCache
  • Code Integrity Guard
  • DeepSpeed
  • Internet Small Computer Systems Interface (iSCSI)
  • Microsoft ActiveX
  • Microsoft Configuration Manager
  • Microsoft Defender for Endpoint
  • Microsoft Graphics Component
  • Microsoft Management Console
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Simple Certificate Enrollment Protocol
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Speech
  • OpenSSH for Windows
  • Outlook for Android
  • Power BI
  • Remote Desktop Client
  • Role: Windows Hyper-V
  • RPC Endpoint Mapper Service
  • Service Fabric
  • Sudo for Windows
  • Visual C++ Redistributable Installer
  • Visual Studio
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows BitLocker
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows EFI Partition
  • Windows Hyper-V
  • Windows Kerberos
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows Local Security Authority (LSA)
  • Windows Mobile Broadband
  • Windows MSHTML Platform
  • Windows Netlogon
  • Windows Network Address Translation (NAT)
  • Windows NT OS Kernel
  • Windows NTFS
  • Windows Online Certificate Status Protocol (OCSP)
  • Windows Print Spooler Components
  • Windows Remote Desktop
  • Windows Remote Desktop Licensing Service
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS)
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Scripting
  • Windows Secure Channel
  • Windows Secure Kernel Mode
  • Windows Shell
  • Windows Standards-Based Storage Management Service
  • Windows Storage
  • Windows Storage Port Driver
  • Windows Telephony Server
  • Winlogon

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
       
  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
       
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:Microsoft:
https://portal.msrc.microsoft.com/en-us/security-guidance
https://msrc.microsoft.com/update-guide/releaseNote/2024-Oct

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43573