Logging Made Easy


The Cybersecurity and Infrastructure Security Agency (CISA) announced Logging Made Easy, a new Windows-based, free and publicly available log management solution designed to help organizations, especially target rich/cyber poor organizations, more effectively use available security data to detect and address cyber threats.

Logs give an administrator insight into their system and network performance. More specifically, logs pinpoint exactly who is connected to a device and how they are using it. System records, coupled with the practice of protective monitoring – the act of reviewing logs, either manually or through automation – play an integral part in mitigating risk and identifying vulnerabilities as part of a proactive cybersecurity posture.

Logging Made Easy can help target rich/cyber poor organizations leverage key data to detect and mitigate intrusions more effectively. No sign-up or lengthy onboarding is required. It is right for your organization if:

  • You are a small organization with limited resources and need a centralized logging capability.
  • You do not have a Security Operations Center, Security Information and Event Management solution, or any active monitoring functions currently in place.
  • You have small, isolated networks where your existing corporate monitoring practices cannot reach.
  • You recognize the value of gathering logs and monitoring your enterprise’s information technology but lack a service that allows you to do so.

Those with further questions may contact the CISA Cybersecurity Shared Services Office at [email protected].

Securing API Keys, Access Tokens, and Secrets

In an increasingly digital society, enterprise systems and software services offer various solutions that address the needs of government entities, organizations, and small businesses. The inner workings of these systems and services rely on vital components such as API keys, access tokens, and secrets to deliver business functionality to their clients. An API (Application Programming Interface) allows software components to connect and communicate with one another. API keys are a unique series of characters that grant verified access to an API; keys are obtained with the permission of the API owner. Access tokens are similar to API keys; however, they carry a limited scope of what can be accessed and have a temporary lifespan. Secrets are sensitive credentials or privileged information that are contained or used within an application. These components are often connected to systems or services that store sensitive or business-critical data, and the increased reliance on them makes them attractive targets for cybercriminals. We explore Microsoft’s investigative report of the Storm-0558 key acquisition, lessons learned, other incidents, and recommendations to secure API keys, access tokens, and secrets.

On July 11, 2023, Microsoft published an initial post about a cyberattack in which the advanced persistent threat (APT) actor tracked as Storm-0558 accessed and exfiltrated unclassified email data from various government agencies. The threat actor gained access to enterprise email accounts on Outlook Web Access in Exchange Online (OWA) and Outlook.com by discovering a leaked Microsoft Account (MSA) Consumer key, which enabled it to forge access tokens for those enterprise email accounts. MSA Consumer Keys allow a user to cryptographically sign into a Microsoft consumer service, while an access token is a string that enables clients to call protected web APIs securely.

Microsoft’s Investigative Report of Storm-0558 Key Acquisition

On September 6, 2023, Microsoft published the results of its investigation into how Storm-0558 acquired the MSA Consumer Key used to forge access tokens to OWA and Outlook.com. A consumer signing system crash in April 2021 caused a snapshot of the crashed process to be stored in a “crash dump.” Crash dumps are created when an application encounters an exception or error while running its code, and they contain diagnostic data that helps a software development team understand what caused the error. Under standard Microsoft debugging procedure, the crash dump should have been cleaned of any sensitive data, such as signing keys or access tokens, before being moved into a debugging environment. However, Microsoft’s credential scan failed to detect the sensitive information in the crash dump. The APT actor retrieved the key after compromising a Microsoft engineer’s corporate account, which gave the attackers access to the debugging environment that held the crash dump containing the consumer key. A consumer key alone should not have been enough: accessing enterprise applications requires an enterprise key. In September 2018, Microsoft introduced a common key metadata publishing endpoint that allows customers to access various accounts with a single click. To accommodate this change, Microsoft updated its documentation and libraries to automatically check the scope of the keys; the scope determines whether a key is authorized to access a consumer or an enterprise account. However, the libraries that perform this scope validation failed to verify the key type. As a result, the mail system accepted a consumer key for enterprise email, and that key was used to forge access tokens to OWA and Outlook.com.

Lessons Learned

The Storm-0558 key acquisition highlights that the Azure AD Software Development Kit (SDK) should have included better documentation for validating an access/authentication token’s issuer ID, which would have enabled developers both within Microsoft and outside the organization to better implement token authentication. Also, any debugging logs and crash dumps that store secrets should be disposed of routinely or when no longer needed. Additionally, mechanisms that scan components for secrets should be regularly tested and monitored to ensure their efficacy. Furthermore, keys and tokens should be rotated or set to expire regularly to limit the impact of a breach of API keys or access tokens.
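The validation gap described above can be made concrete in code. The following Python is an added illustration, not Microsoft’s code and not its real token format: a toy HMAC-signed token (header.payload.signature) whose signing key is looked up in a shared key directory that publishes both consumer- and enterprise-scoped keys. The signature-only check trusts any directory key, so a token signed with a consumer-scoped key but claiming an enterprise audience passes; the hardened check additionally requires the signing key’s scope to match the audience. Key ids, scopes, secrets and audience names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningKey:
    kid: str       # key id carried in the token header
    scope: str     # "consumer" or "enterprise" (constructed labels)
    secret: bytes  # HMAC secret standing in for a real signing key


# Constructed key directory standing in for a shared key-metadata endpoint
# that publishes both consumer- and enterprise-scoped keys.
KEY_DIRECTORY = {
    "consumer-key-01": SigningKey("consumer-key-01", "consumer", b"consumer-secret-placeholder"),
    "enterprise-key-07": SigningKey("enterprise-key-07", "enterprise", b"enterprise-secret-placeholder"),
}

# Which key scope is allowed to issue tokens for which audience (constructed).
AUDIENCE_SCOPE = {
    "consumer-mail": "consumer",
    "enterprise-mail": "enterprise",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: SigningKey, claims: dict) -> str:
    """Issue a header.payload.signature token signed with the given key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _verify_signature(token: str):
    """Return (key, claims) if the signature verifies under a directory key, else (None, None)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64(header_b64))
        key = KEY_DIRECTORY.get(header.get("kid"))
        if key is None:
            return None, None
        expected = hmac.new(key.secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None, None
        return key, json.loads(_unb64(payload_b64))
    except (ValueError, AttributeError, TypeError):
        return None, None


def validate_signature_only(token: str, expected_aud: str) -> bool:
    """Flawed check: any directory key is trusted, whatever its scope."""
    key, claims = _verify_signature(token)
    return key is not None and claims.get("aud") == expected_aud


def validate_with_scope(token: str, expected_aud: str) -> bool:
    """Hardened check: the signing key must be scoped for the claimed audience."""
    key, claims = _verify_signature(token)
    if key is None or claims.get("aud") != expected_aud:
        return False
    return key.scope == AUDIENCE_SCOPE.get(expected_aud)


if __name__ == "__main__":
    consumer_key = KEY_DIRECTORY["consumer-key-01"]
    token = mint_token(consumer_key, {"sub": "user@example.test", "aud": "enterprise-mail"})
    print("signature-only check accepts consumer-signed enterprise token:",
          validate_signature_only(token, "enterprise-mail"))
    print("scope-aware check accepts it:", validate_with_scope(token, "enterprise-mail"))
```

The design point is that signature validity and key authority are separate questions: a key directory that mixes scopes must expose the scope as metadata, and the verifier must consult it for every token, not only check that some published key produced the signature.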

Other Incidents

Earlier this year, on February 7, 2023, the Cybernews research team discovered publicly accessible environment files hosted on Lowe’s Market website that leaked access tokens to AWS S3 buckets containing website-related assets and API keys to third-party services. These API keys provide access to various website and partner software functionality and may have allowed threat actors to steal user information, access partial credit card information, change product pricing, use the company’s official communication channels, and send emails to Lowe’s Market users.

On August 30, 2023, Sourcegraph, an AI-assisted coding platform, confirmed a security breach that led to the access of limited data, such as the license key holder’s name and email addresses for paid customers and account email addresses for community users. Malicious actors gained access to Sourcegraph’s data through a leaked administrative access token that was accidentally pushed to their code repository by a Sourcegraph engineer. Using the administrative access token, the threat actor created a new account with elevated privileges that was later used to navigate their admin dashboard containing user information.

More recently, on September 23, OpenSea, a Non-Fungible Token (NFT) marketplace, notified its customers of a breach at a third-party vendor. The breach exposed the API keys of OpenSea’s customers. OpenSea attempted to mitigate the risks of the API key leak by informing users that their current keys would expire on October 2, 2023 and that clients should replace the expired keys. Although OpenSea has placed rate limits on API usage per key, this incident highlights the cyber risks posed by trusted third-party vendors and the impact their breaches have on organizations.

Recommendations

Although every business has its own unique business-critical infrastructure or software, a few basic principles can be applied to all business-critical infrastructure or system software:

  • Any secrets, such as passwords, API keys, access tokens, or personally identifiable information (PII), should not be stored in plaintext within logging environments. Encrypt secrets or tokens.
  • Implement an expiration or rotation schedule for API keys or access tokens.
  • Identify failure points in generating, verifying, and accepting access tokens or API keys and automate the process of updating these points whenever a change has been made.
  • Implement the Principle of Least Privilege for API keys or access tokens.
  • Set up logging capabilities to track the usage of secrets within your systems or software services.
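The first recommendation, keeping secrets out of logging environments, is easiest to meet at the point where log records are created rather than by scrubbing stored logs afterwards. The following Python is an added example (not from the original article or from any vendor named in it) of a `logging.Filter` that masks known secret values registered at startup and, as a backstop, common secret-bearing shapes such as bearer tokens and `api_key=` parameters, before any handler writes the record. The sample log messages, key value and patterns are constructed for the example.

```python
import io
import logging
import re


class SecretRedactor(logging.Filter):
    """Mask secrets before a log record reaches any handler."""

    # Shapes of secret-bearing text seen in typical application logs (constructed
    # for this example; extend with the formats your own services use).
    PATTERNS = [
        # "Authorization: Bearer <token>"
        re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"),
        # "api_key=...", "access-token: ...", "client_secret=..."
        re.compile(r"(?i)((?:api[_-]?key|access[_-]?token|token|secret)\s*[=:]\s*)[^\s&\"']+"),
    ]

    def __init__(self, known_secrets=()):
        super().__init__()
        # Exact values loaded at startup (e.g. from the process's own config),
        # longest first so a value that contains another is masked whole.
        self.known = sorted({s for s in known_secrets if s}, key=len, reverse=True)

    def redact(self, text: str) -> str:
        for secret in self.known:
            text = text.replace(secret, "[REDACTED]")
        for pattern in self.PATTERNS:
            text = pattern.sub(lambda m: m.group(1) + "[REDACTED]", text)
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then scrub the rendered text,
        # so secrets passed as %-arguments are caught as well.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


def capture_redacted(messages, known_secrets=()) -> str:
    """Log each (msg, args) pair through a redacting handler and return the emitted text."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactor(known_secrets))

    logger = logging.getLogger("secret-redaction-demo")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.INFO)

    for msg, args in messages:
        logger.info(msg, *args)
    handler.flush()
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample log calls; the key value is a made-up placeholder.
    SAMPLE_KEY = "sk_live_constructed_123"
    print(capture_redacted(
        [
            ("outbound call with api_key=%s", (SAMPLE_KEY,)),
            ("headers: Authorization: Bearer eyJhbGciOi.constructed.sig", ()),
            ("vendor reply ok, token: tok_constructed&next=1", ()),
        ],
        known_secrets=[SAMPLE_KEY],
    ))
```

Attach the filter to every handler (or to the root logger) so that crash reporters and debug dumps that reuse the logging pipeline inherit the same masking; the known-value list should be fed from the same place the application loads its credentials, so a newly rotated key is masked from its first use.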

CyberSeek provides detailed, actionable data about supply and demand in the cybersecurity job market.

CyberSeek, a free online tool that can help career seekers learn more about cybersecurity, has been updated with new data showing a snapshot of open jobs across the United States.  The new data reveals that the labor market for cybersecurity talent remains undersupplied, with approximately 315,000 more cybersecurity workers needed to close current supply gaps. Read the full press release or explore CyberSeek.org to learn about common job titles, average salaries, commonly requested credentials, and more!

Vulnerability in Cisco IOS XE Software Web UI

A vulnerability has been discovered in Cisco IOS XE Software Web UI that could allow for privilege escalation. Successful exploitation could allow an unauthenticated remote attacker to create an account on an affected system with privilege level 15 access, allowing them to use that account to gain control of the affected system. The Cisco IOS XE Software web UI is an embedded GUI-based system-management tool that comes with the default image.

Threat Intelligence

Cisco is aware of this vulnerability being exploited in the wild.

Systems Affected

This vulnerability affects Cisco IOS XE Software if the Web UI feature is enabled.

Risk

Government:
  • Large and medium government entities: High
  • Small government entities: High

Businesses:
  • Large and medium business entities: High
  • Small business entities: High

Home Users: Low

Technical Summary

According to Cisco, at this time a patch is not available, and there are no workarounds that address this vulnerability. As a defensive measure it is strongly recommended that users disable the HTTP Server feature on all internet-facing systems.

Recommendations

  • Once available, apply appropriate patches provided by Cisco to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Block execution of code on a system through application control and/or script blocking.
  • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

References

Cisco:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20198

Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to:

  • Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
  • Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
  • Understand ways to help protect people and data against cyberthreats with Microsoft technologies.

Join us at an upcoming two-part event:
November 16, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
November 17, 2023 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 

Register Now! NIST Personal Identity Verification Webinar

Register for our NIST Webinar! Learn about Revisions to Two of our Identity Special Publications

Event Date: November 8, 2023

Time: 1:00 PM-2:30 PM ET

Description:

The National Institute of Standards and Technology (NIST) will be hosting a webinar to introduce two recently published Public Draft Special Publications (SPs): the 3-part Drafts of SP 800-73 Revision 5, Interfaces for Personal Identity Verification (PIV), and Draft SP 800-78 Revision 5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. These publications are complements to FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors.

The workshop will discuss the necessary changes made to the PIV card, its credentials, and cryptographic capability to align with FIPS 201-3. 

Full Agenda:

1:00 PM-1:05 PM – Introduction and Welcome

1:05 PM-1:15 PM – Introduction to the PIV Standard

1:15 PM-1:45 PM – Changes to Draft SP 800-73 Revision 5

1:45 PM-2:15 PM – Changes to Draft SP 800-78 Revision 5

2:15 PM-2:30 PM – Key Dates/Next Steps/Closing

Visit the event page to register and learn more about the workshop. If you have any questions, please reach out to our team at [email protected].


NIST NCCoE’s IoT Onboarding Webinar

The National Cybersecurity Center of Excellence (NCCoE) is hosting a virtual event open to the public! Join the NCCoE Internet of Things (IoT) Onboarding team as we explore a process known as trusted network-layer onboarding, which in combination with additional device security capabilities could improve the security of networks and IoT devices.  

During this webinar, attendees will: 

  • Meet the NCCoE IoT Onboarding team and their industry collaborators
  • Learn about Draft NIST SP 1800-36, Vols. A-E, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management, and how it can be used to help organizations protect both their IoT devices and their networks 
  • Hear from the project’s collaborators about example technology solutions using Wi-Fi Easy Connect, BRSKI, and Thread 
  • Engage in a Q&A period with the project team and industry experts 
  • Gain resources and additional information to help contribute to this project  

Speakers

  • Cherilyn Pascoe, Director, NIST NCCoE 
  • Paul Watrobski, Principal Investigator, NIST NCCoE  
  • Susan Symington, Cyber Architecture and Resiliency Principal, NCCoE/MITRE 
  • Dan Harkins, Fellow, HPE Aruba  
  • Danny Jump, Senior Product Manager, HPE Aruba  
  • Michael Richardson, Chief Scientist, Sandelman Software Works  
  • Craig Pratt, Lead Software Engineer, CableLabs 
  • Darshak Thakore, Principal Architect, CableLabs 
  • Andy Dolan, Senior Security Engineer, CableLabs 
  • Brecht Wyseur, Senior Product Manager and Product Strategy, Kudelski IoT 
  • Nick Allott, CEO, NquiringMinds  
  • Steve Clark, Security Technologist, SEALSQ, a division of WISeKey

Contact Us

If you have any questions about this event, please reach out to the team at [email protected].  

To receive the latest project news and updates, consider joining the NCCoE IoT Onboarding Community of Interest (COI). You can sign up by completing the COI form here or by emailing the team declaring your interest. 



NIST: My Research Can Help Protect You — and Your Company — From Hackers Trying to Steal Your Money and Information

A scene from the movie Ocean’s 8 provides a surprisingly useful lesson on cybersecurity. The character played by Rihanna needs to hack into a security person’s computer. She looks up his social media to find he loves corgis. The Rihanna character sends him a phishing email featuring corgis, and he can’t help but click on it. With one click of a mouse, someone can accidentally give away their company’s secrets, their bank account information, or an organization’s medical records.

Microsoft Learning Updates

  • Documentation: Learn how to enable Advanced Security in your Azure Repos. Step by step tutorial to enable Advanced Security at the organization, project, or repository level.
  • Challenge: Microsoft Azure Developer Cloud Skills Challenge. In under 30 hours, you’ll learn about storing data in Azure, creating serverless applications, connecting your services together, and more.
  • Learning path: Learn how to provision and manage Azure AI Services. This learning path helps prepare you for Exam AI-102: Designing and Implementing a Microsoft Azure AI Solution.

NIST Cybersecurity Awareness Month 2023 Blog Series | Updating Software

It’s week three in our Cybersecurity Awareness Month blog series! 

This week, we interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.

  1. This week’s Cybersecurity Awareness Month theme is ‘updating software.’ How does your work/specialty area at NIST tie into this behavior?

NIST’s Applied Cybersecurity Division’s core mission is to explore, measure, and evaluate both the cybersecurity guidance NIST provides as well as industry best practices. One of our current projects involves putting the practices described in NIST 800-218 Secure Software Development Framework (SSDF) into action. Many people think of updating software in the context of “that thing that happens randomly after I purchase a piece of software”…but today’s continuous integration and continuous delivery (CI/CD) environments—and the rapid pace of software evolution—tightly couple software updates into the daily functionality of many systems…
