Cybercriminals Exploit Assassination Attempt to Steal Cryptocurrency

Example of deepfake video with QR code. Image Source: Bitdefender.
The NJCCIC recently received reports of cryptocurrency scams exploiting current events, similar to open-source reporting. Opportunistic cybercriminals are using the recent assassination attempt that targeted former President Donald Trump to lure unsuspecting victims into a new pig-butchering cryptocurrency investment scam. The scam involves hijacked YouTube channels that broadcast deepfake videos of Tesla CEO Elon Musk, promising to share insights into the attack. The compromised channels, many of which have millions of subscribers, are cleared of their original content and rebranded with attention-grabbing name-drops, such as “Tesla” and “Donald Trump Jr.”.
Image Source: Bitdefender.
These broadcasts feature a repeated deepfake video of Elon Musk urging followers and the crypto community to join a giveaway by scanning the embedded QR code. The QR codes direct users to fraudulent websites hosted on domains that imitate the impersonated brand or that reference Musk’s and Trump’s names. The cybercriminal then attempts to convince the victim to invest in cryptocurrency to take advantage of supposedly high-yield returns. After individuals have made multiple cryptocurrency investments through these fraudulent websites, requests to withdraw or cash out their investments are denied for various reasons. The cybercriminal then cuts off contact with the victim and disappears with the invested money.
Recommendations
Exercise caution when encountering videos with click-bait titles and avoid scanning QR codes in YouTube videos promoting cryptocurrency giveaways. Verify investment claims that offer higher-than-average returns. Consider running recommendations by a third party or an investment professional with no stake in the investment. Inspect YouTube channels promoting cryptocurrency giveaways for suspicious activity and report any suspicious activity to the respective platform or authorities. Educate yourself and others regarding these types of scams. Additional recommendations can be found in the Bitdefender blog post. Maintain robust and up-to-date endpoint detection tools on every endpoint and consider using a comprehensive security solution that can block phishing attempts and fraudulent links. Cryptocurrency scams and other malicious activity may be reported to the FBI’s IC3 and the NJCCIC.

Play Ransomware Targets VMware ESXi Environments

A new Linux variant of Play ransomware has been targeting VMware ESXi environments. Businesses often use ESXi environments to run multiple virtual machines (VMs), typically hosting backup solutions, critical applications, and data storage. This new variant of Play ransomware still utilizes many of the same tactics, techniques, and procedures (TTPs) as prior Windows versions.
Play’s Linux infection chain. Image Source: Trend Micro.
Play’s attacks begin with phishing messages that use shortened URLs obtained from Prolific Puma, a threat actor that provides link-shortening services to cybercriminals. Once inside a system, Play runs specific commands to determine whether it is executing in an ESXi environment before performing any malicious activity; if it is not, the malware terminates and deletes itself. Having confirmed an ESXi host, Play runs a series of shell commands that enumerate and power off all VMs in the environment. It then encrypts files, including the VM disk, configuration, and metadata files, and appends the “.PLAY” extension to each encrypted file.
Play ransomware was first discovered in 2022 and is known for exfiltrating sensitive information from compromised systems and using double-extortion tactics to pressure victims into paying the ransom to prevent data leakage. In December, the FBI released a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) stating that Play had breached approximately 300 victims as of October 2023. A new report shows that from January to July 2024, Play ransomware has targeted 187 victims, with over 82 percent of the attacks based in the United States.
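A triage check for the behaviour described above, added here as an example (it is not code from Trend Micro or the NJCCIC): it walks a datastore path, finds files carrying the “.PLAY” suffix, and groups them by the VM file type (disk, configuration, metadata) recovered from the original extension. The datastore path, the extension-to-class mapping, and the sample directory tree that demo() builds are assumptions constructed for the example.

```python
"""Triage helper for a datastore hit by the Linux Play variant (added example)."""
import os
import tempfile
from collections import Counter

PLAY_SUFFIX = ".PLAY"

# VM file types the advisory says Play encrypts: disk, configuration, metadata.
# The mapping is an assumption for this example, not taken from the advisory.
VM_FILE_CLASSES = {
    ".vmdk": "disk",
    ".vmx": "configuration",
    ".vmxf": "metadata",
    ".vmsd": "metadata",
    ".vmsn": "metadata",
    ".nvram": "metadata",
}


def classify_encrypted(filename):
    """Return (original_extension, vm_file_class) for a '.PLAY' file, else None.

    Play appends '.PLAY' to the existing name, so stripping that suffix recovers
    the original extension (e.g. 'web01-flat.vmdk.PLAY' -> '.vmdk').
    """
    if not filename.endswith(PLAY_SUFFIX):
        return None
    original = filename[: -len(PLAY_SUFFIX)]
    ext = os.path.splitext(original)[1].lower()
    return ext, VM_FILE_CLASSES.get(ext, "other")


def scan_datastore(root):
    """Walk a datastore path and summarise '.PLAY' files by VM file class.

    Returns {'encrypted': [paths], 'by_class': Counter, 'vms_hit': set}, where
    vms_hit holds the VM folder names (relative to root) containing encrypted files.
    """
    report = {"encrypted": [], "by_class": Counter(), "vms_hit": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify_encrypted(name)
            if hit is None:
                continue
            report["encrypted"].append(os.path.join(dirpath, name))
            report["by_class"][hit[1]] += 1
            report["vms_hit"].add(os.path.relpath(dirpath, root))
    return report


def demo():
    """Build a constructed datastore layout in a temp dir and scan it (sample data)."""
    root = tempfile.mkdtemp(prefix="play-demo-")
    constructed = {
        "web01": ["web01.vmx.PLAY", "web01-flat.vmdk.PLAY", "web01.vmsd.PLAY",
                  "web01.nvram.PLAY", "vmware.log"],
        "db01": ["db01.vmx.PLAY", "db01.vmdk.PLAY", "db01.vmxf.PLAY"],
        "iso": ["installer.iso"],  # untouched: no '.PLAY' suffix
    }
    for folder, names in constructed.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return scan_datastore(root)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['encrypted'])} encrypted files across {len(r['vms_hit'])} "
          f"VM folders: {dict(r['by_class'])}")
```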
Recommendations
Establish a comprehensive data backup plan that includes regularly performing scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly. Avoid clicking links, responding to, or otherwise acting on unsolicited emails. Keep systems up to date and apply patches after appropriate testing. Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.

FBI, CISA, and Partners Release Advisory Highlighting North Korean Cyber Espionage Activity

Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released a joint Cybersecurity Advisory, North Korea State-Sponsored Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs. The advisory was coauthored with the following organizations:

  • U.S. Cyber National Mission Force (CNMF);
  • U.S. Department of Defense Cyber Crime Center (DC3);
  • U.S. National Security Agency (NSA);
  • Republic of Korea’s National Intelligence Service (NIS);
  • Republic of Korea’s National Police Agency (NPA); and
  • United Kingdom’s National Cyber Security Centre (NCSC).

This advisory was crafted to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau, also tracked as Andariel, based in Pyongyang and Sinuiju. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.

The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India.

All critical infrastructure organizations are encouraged to review the advisory and implement the recommended mitigations. For more information on North Korean state-sponsored threat actor activity, see CISA’s North Korea Cyber Threat Overview and Advisories page.

Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

NIST Releases RMF Small Enterprise Quick Start Guide

Introducing the RMF Small Enterprise Quick Start Guide

Today, NIST released the RMF Small Enterprise Quick Start Guide. The new guide is designed to help small, under-resourced entities understand the value and core components of the RMF and provides a starting point for designing and implementing an information security and privacy risk management program. Within the guide you’ll find:

  • An overview of the seven steps of the RMF process
  • Foundational tasks for each RMF step
  • Tips for getting started
  • Sample planning tables
  • Key terminology and definitions
  • Questions for organizations to consider
  • Related resources

About the NIST RMF

The RMF provides a comprehensive, flexible, repeatable, and measurable seven-step process that organizations can use to manage their unique information security and privacy risks. The RMF can be applied to new and existing systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector. 

NIST has developed a suite of resources to help users get the most out of the RMF, including the recently released introductory courses for SP 800-53, SP 800-53A, and SP 800-53B. This portfolio of resources is designed to make the RMF easier to put into action for organizations of all sizes and types.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH NOW

OVERVIEW:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
 

THREAT INTELLIGENCE:
There are no reports of these vulnerabilities being exploited in the wild.


SYSTEMS AFFECTED:

  • Chrome prior to 127.0.6533.72/73 for Windows and Mac
  • Chrome prior to 127.0.6533.72 for Linux 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows: 

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

  • Use after free in Downloads (CVE-2024-6988)
  • Use after free in Loader (CVE-2024-6989)
  • Use after free in Dawn (CVE-2024-6991)
  • Out of bounds memory access in ANGLE (CVE-2024-6992)
  • Inappropriate implementation in Canvas (CVE-2024-6993)
  • Heap buffer overflow in Layout (CVE-2024-6994)
  • Inappropriate implementation in Fullscreen (CVE-2024-6995)
  • Race in Frames (CVE-2024-6996)
  • Use after free in Tabs (CVE-2024-6997)
  • Use after free in User Education (CVE-2024-6998)
  • Inappropriate implementation in FedCM (CVE-2024-6999, CVE-2024-7003)
  • Use after free in CSS (CVE-2024-7000)
  • Inappropriate implementation in HTML (CVE-2024-7001)
  • Insufficient validation of untrusted input in Safe Browsing (CVE-2024-7004, CVE-2024-7005) 

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken: 

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
       
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
     
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
       
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
       
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
       

REFERENCES:

Google:

https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6996
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7005

Microsoft 365 Fundamentals training day

Microsoft 365 Virtual Training Day: Fundamentals

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Microsoft 365 Fundamentals to learn how to simplify the adoption of cloud services while supporting strong security, compliance, privacy, and trust. Also, discover how applications such as Microsoft Teams and Microsoft Viva help improve productivity, facilitate collaboration, and optimize communications. After completing this training, you’ll be eligible to take the Microsoft 365 Fundamentals certification exam at 50% off the exam price.

You will have the opportunity to:

  • Find out how the productivity, collaboration, and endpoint management capabilities of Microsoft 365 empower people to stay connected and get more done across hybrid environments.
  • Discover how Microsoft 365 security, compliance, and identity solutions help secure an entire digital estate, simplify compliance, and reduce risk.
  • Explore the pricing models, licensing, and billing options available to meet the needs of your organization.

Join us at an upcoming two-part Microsoft 365 Fundamentals event:
Delivery Language: English
Closed Captioning Language(s): English

August 01, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
August 02, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)
August 19, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
August 20, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)
August 26, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
August 27, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

Personal Identity Verification (PIV) Interfaces, Cryptographic Algorithms, and Key Sizes: NIST Revises SP 800-73 and SP 800-78

In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) credentials, including those on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201.

SP 800-73-5: Parts 1–3
SP 800-73-5: Parts 1–3, Interfaces for Personal Identity Verification, describe the technical specifications for using PIV Cards. The three parts cover the PIV data model (Part 1), the card edge interface (Part 2), and the application programming interface (Part 3). Major changes to the documents include:

  • Removal of the previously deprecated CHUID authentication mechanism
  • Deprecation of the SYM-CAK and VIS authentication mechanisms
  • Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for facility access applications
  • Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
  • Addition of an optional Cardholder identifier in the PIV Authentication Certificate to identify a PIV credential holder to their PIV credential set issued during PIV eligibility
  • Restriction on the number of consecutive activation retries for each of the activation methods (i.e., PIN and OCC attempts) to be 10 or less
  • SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement

SP 800-78-5
SP 800-78-5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for the cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It has been modified to add algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing, including:

  • Deprecation of 3TDEA algorithms with identifier ‘00’ and ‘03’
  • Removal of the retired RNG from CAVP PIV component testing where applicable
  • Removal of retired FIPS 186-2 key generation from CAVP PIV component testing where applicable
  • Accommodation of the Secure Messaging Authentication key
  • Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031

Service Mesh Proxy Models for Cloud-Native Applications: Draft SP 800-233 Available for Public Comment

The initial public draft of NIST Special Publication (SP) 800-233, Service Mesh Proxy Models for Cloud-Native Applications, is now available for public comment.

The service mesh has become the de facto application services infrastructure for cloud-native applications. It enables an application’s runtime functions (e.g., network connectivity, access control, etc.) through proxies that form the data plane of the service mesh. Different proxy models or data plane architectures have emerged, depending on the distribution of the network layer functions (i.e., L4 and L7) and the granularity of association of the proxies to individual services/computing nodes.

The purposes of this document are two-fold:

  1. Develop a threat profile for each of the data plane architectures by considering a set of potential threats to various proxy functions and assign scores to the impacts and likelihoods of their exploits.
  2. Analyze the service mesh capabilities that are required for each class of cloud-native applications with different risk profiles (i.e., low, medium, and high) and provide recommendations for the data plane architectures or proxy models that are appropriate and applicable for each class.

The public comment period is open through September 3, 2024. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.


A Vulnerability in Cisco Secure Email Gateway Could Allow for Remote Code Execution – PATCH NOW

MS-ISAC ADVISORY NUMBER:
2024-083

DATE(S) ISSUED:
07/22/2024

SUBJECT:
A Vulnerability in Cisco Secure Email Gateway Could Allow for Remote Code Execution

OVERVIEW:
A vulnerability has been discovered in Cisco Secure Email Gateway that could allow for remote code execution. Cisco Secure Email Gateway is an email security product that uses signature analysis and machine learning to identify and block malicious emails before they reach recipients’ inboxes. Successful exploitation could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.

THREAT INTELLIGENCE:
There are no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Content Scanner Tools versions earlier than 23.3.0.4823 if either the file analysis feature, which is part of Cisco Advanced Malware Protection (AMP), or the content filter feature is enabled and assigned to an incoming mail policy.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low


TECHNICAL SUMMARY:

A vulnerability has been discovered in Cisco Secure Email Gateway that could allow for remote code execution. Details of the vulnerability include: 

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system. This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device.

Successful exploitation could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.
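One check that covers both SYSTEMS AFFECTED lists on this page, the Chrome builds (127.0.6533.72/73) and the Cisco Content Scanner Tools build (23.3.0.4823), written as an added example rather than code from Google, Cisco or MS-ISAC. It compares versions numerically, because a plain string comparison would wrongly treat 127.0.6533.9 as newer than 127.0.6533.72; the accepted input formats and the two feature-flag parameters are assumptions.

```python
"""Numeric version-threshold checks for the Chrome and Cisco advisories (added example)."""
import re

# Fixed builds as stated in the advisories; anything numerically below is affected.
# Google lists 127.0.6533.72/73 for Windows and Mac and .72 for Linux, so .72 is the
# lowest patched build on every platform and is used as the single threshold here.
CHROME_FIXED = (127, 0, 6533, 72)
CISCO_CST_FIXED = (23, 3, 0, 4823)  # Cisco Content Scanner Tools

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Extract the first dotted numeric version from text as a tuple of ints.

    Accepts raw 'google-chrome --version' output ('Google Chrome 126.0.6478.182')
    as well as a bare version string such as '23.3.0.4823' (assumed input formats).
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_below(version, fixed):
    """True when version < fixed, comparing component by component as integers.

    Shorter tuples are zero-padded so that (23, 3) compares as 23.3.0.0.
    A string comparison would get this wrong: '127.0.6533.9' > '127.0.6533.72'
    lexically, yet build 9 is older than build 72.
    """
    width = max(len(version), len(fixed))
    padded_version = version + (0,) * (width - len(version))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return padded_version < padded_fixed


def chrome_affected(version_output):
    """Is this Chrome build older than the first fixed build from the advisory?"""
    return is_below(parse_version(version_output), CHROME_FIXED)


def cisco_cst_affected(cst_version, file_analysis_enabled, content_filter_enabled):
    """Cisco's affected condition: an old Content Scanner Tools build AND either the
    AMP file analysis feature or the content filter feature assigned to an incoming
    mail policy. The two booleans are assumed to come from the device configuration."""
    old_build = is_below(parse_version(cst_version), CISCO_CST_FIXED)
    return old_build and (file_analysis_enabled or content_filter_enabled)


if __name__ == "__main__":
    for output in ("Google Chrome 126.0.6478.182", "Google Chrome 127.0.6533.73"):
        print(f"{output}: {'AFFECTED' if chrome_affected(output) else 'patched'}")
    print("CST 23.3.0.4822 with content filter enabled:",
          cisco_cst_affected("23.3.0.4822", False, True))
```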

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate mitigations provided by Cisco to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
       
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
     
  • Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
    • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
    • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
       
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

REFERENCES:

Cisco:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20401

Azure Network Security | Unlock the Power of Azure Firewall Governance with Azure Policies

Azure Network Security | Unlock the Power of Azure Firewall Governance with Azure Policies
Tuesday July 23, 2024 | 8:00AM – 9:00AM (PST, Redmond Time)

Description: Join us for an insightful webinar on Azure Policies for Azure Firewall, where we will delve into the governance aspects to ensure your Azure Firewall is configured with the optimal settings for robust security and compliance. The following topics will be covered during the webinar:

  • An overview of Azure Firewall and its role in network security.
  • The importance of Azure Policies in maintaining governance and compliance.
  • Best practices for configuring Azure Firewall using Azure Policies.

Whether you are new to Azure Firewall or looking to enhance your existing setup, this webinar will provide valuable insights and practical knowledge to help you govern your network security effectively. Don’t miss this opportunity to learn from the experts and take your Azure Firewall configuration to the next level.

Presenter(s):