July 2024 – My information Resource (blog.mir.net)

Building cyberthreat resilience

Cyberthreats are more sophisticated and frequent than ever, and the devastating impact of a breach is a reality that every organization must face. Join us at Microsoft Discovery Day: Building Cyberthreat Resilience to learn how Microsoft empowers security operations teams to protect, detect, and respond against these cyberthreats. During this free event, you’ll discover how to expedite your response by pairing extended detection and response (XDR) with security information and event management (SIEM). Gain a deeper perspective on the current state of cybersecurity and global threat intelligence and explore a roadmap for machine learning and AI at Microsoft. You’ll have the opportunity to:  Uncover the latest challenges and trends facing the cybersecurity world and what it means for your organization. Discover how to protect, detect, and respond to cyberthreats effectively by using XDR and SIEM together with Generative AI. Improve your security posture by learning how other business leaders have implemented comprehensive cyberthreat protection in their security strategies. Space is limited. Register for free today. Delivery language: English
Closed captioning provided in: English Microsoft Teams delivers a rich, interactive experience that works best with the Teams app. We recommend downloading the app if you don’t have it, as not all browsers are supported. When you join this event, your name, email, or phone number may be viewable by other session participants in the attendee list. By joining this event, you’re agreeing to this experience. When: Thursday, August 22, 2024, 3:00 – 4:00 PM (GMT-04:00)
Where: Online

Microsoft Discovery Hour: Building Cyberthreat Resilience

Register now >

Defend Against Threats with Extended Detection and Response training day

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Defend Against Threats with Extended Detection and Response to learn how to better protect apps and data in Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. You’ll get an in-depth view into attack disruption, incidents and alerts, and best practices for investigation and incident management. You will have the opportunity to: Learn how to investigate, respond to, and hunt for threats using Microsoft Defender and Microsoft Sentinel. Understand how integrating Microsoft 365 Defender and Microsoft Sentinel enhances security and response time. Discover how to help mitigate threats across your entire infrastructure with Microsoft Security tools and solutions. Join us at an upcoming Defend Against Threats with Extended Detection and Response event: Delivery Language: English Closed Captioning Language(s): English

August 06, 2024 \| 12:00 PM – 3:15 PM \| (GMT-05:00) Eastern Time (US & Canada) August 20, 2024 \| 12:00 PM – 3:15 PM \| (GMT-05:00) Eastern Time (US & Canada)


Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

NIST Cloud Computing Forensic Reference Architecture: SP 800-201

The final version of NIST Special Publication (SP) 800-201, NIST Cloud Computing Forensic Reference Architecture, is now available. This document addresses the need to support a cloud system’s forensic readiness, which is the ability to collect digital forensic evidence quickly and effectively with minimal investigation costs by proactively addressing known challenges that could impact such data collection. Forensic readiness supports incident response processes and procedures, secure internal enterprise operations, and criminal justice and civil litigation system functions.

The document presents a reference architecture to help users understand the forensic challenges that might exist for an organization’s cloud system based on its architectural capabilities. The architecture identifies challenges that require mitigation strategies and how a forensic investigator would apply those strategies to a particular forensic investigation. The reference architecture is both a methodology and an initial implementation that can be used by cloud system architects, cloud engineers, forensic practitioners, and cloud consumers to analyze and review their cloud computing architectures for forensic readiness.

Last Day to Comment: Draft NIST SP 1800-36, Trusted IoT Onboarding

The NIST National Cybersecurity Center of Excellence (NCCoE) is seeking public comment on Draft NIST Special Publication (SP) 1800-36, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management.

About the Project

Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials —a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities, such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, could improve the security of networks and IoT devices.

To help organizations protect both their IoT devices and their networks, the NCCoE collaborated with 11 IoT product and service providers. This joint effort resulted in the development of five functional technology solutions for trusted network-layer onboarding, as well as two factory provisioning builds, detailed in the practice guide.

Submit Your Comments

The public comment period for the draft is open until 11:59 p.m. (ET) today, July 30, 2024. Visit the NCCoE IoT Onboarding project page for the draft publication and comment form.

Contribute

If you have expertise in IoT and/or network security and would like to help shape this or future projects, please consider joining the IoT Onboarding Community of Interest (COI). You can become a COI member by completing the sign-up form on our project page here.

Comment Now

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution – PATCH NOW

OVERVIEW:
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLEGENCE:
Apple is aware of a report that CVE-2024-23296 was exploited in the wild.
SYSTEMS AFFECTED:
• Safari versions prior to 17.6
• iOS and iPadOS versions prior to 17.6
• iOS and iPadOS versions prior to 16.7.9
• macOS Sonoma versions prior to 14.6
• macOS Ventura versions prior to 13.6.8
• macOS Monterey versions prior to 12.7.6
• watchOS ersions prior to 10.6
• watchOS versions prior to tvOS 17.6
• visionOS versions prior to 1.3
RISK:
Government:
• Large and medium government entities: High
• Small government entities: Medium
Businesses:
• Large and medium business entities: High
• Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):
• An app with root privileges may be able to execute arbitrary code with kernel privileges. (CVE-2024-27878)
• An app may be able to overwrite arbitrary files. (CVE-2024-40827)
• A remote attacker may be able to cause arbitrary code execution. (CVE-2024-6387)
• An app may be able to execute arbitrary code with kernel privileges. (CVE-2024-27826)
Additional lower severity vulnerabilities include:
• Visiting a website that frames malicious content may lead to UI spoofing. (CVE-2024-40817)
• Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2024-40776, CVE-2024-40782, CVE-2024-40779, CVE-2024-40780, CVE-2024-40789, CVE-2024-40799)
• Processing maliciously crafted web content may lead to a cross site scripting attack. (CVE-2024-40785)
• Private Browsing tabs may be accessed without authentication. (CVE-2024-40794)
• An app may be able to bypass Privacy preferences. (CVE-2024-40774, CVE-2024-40814)
• Processing a maliciously crafted file may lead to unexpected app termination. (CVE-2024-40799, CVE-2024-40806, CVE-2024-40777, CVE-2024-40784, CVE-2024-27877)
• Processing a maliciously crafted video file may lead to unexpected app termination. (CVE-2024-27873)
• A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. (CVE-2024-40815)
• An app may be able to read sensitive location information. (CVE-2024-40795)
• Processing an image may lead to a denial-of-service. (CVE-2023-6277, CVE-2023-52356)
• A local attacker may be able to determine kernel memory layout. (CVE-2024-27863)
• A local attacker may be able to cause unexpected system shutdown. (CVE-2024-40788)
• An app may be able to bypass Privacy preferences. (CVE-2024-40805, CVE-2024-40824)
• An attacker with physical access may be able to use Siri to access sensitive user data. (CVE-2024-40813)
• Photos in the Hidden Photos Album may be viewed without authentication. (CVE-2024-40778)
• An app may be able to access protected user data. (CVE-2024-27871, CVE-2024-40793, CVE-2024-27872)
• A shortcut may be able to use sensitive data with certain actions without prompting the user. (CVE-2024-40833, CVE-2024-40835, CVE-2024-40836, CVE-2024-40807)
• A shortcut may be able to bypass Internet permission requirements. (CVE-2024-40809, CVE-2024-40812, CVE-2024-40787)
• An attacker may be able to view sensitive user information. (CVE-2024-40786)
• An attacker with physical access may be able to use Siri to access sensitive user data. (CVE-2024-40818)
• An attacker with physical access to a device may be able to access contacts from the lock screen. (CVE-2024-40822)
• An attacker may be able to view restricted content from the lock screen. (CVE-2024-40829)
• Private browsing may leak some browsing history. (CVE-2024-40796)
• An app may be able to read Safari’s browsing history. (CVE-2024-40798)
• A malicious application may be able to access private information. (CVE-2024-40804)
• Multiple issues in Apache. (CVE-2023-38709, CVE-2024-24795, CVE-2024-27316)
• A malicious application may be able to bypass Privacy preferences. (CVE-2024-40783)
• An app may be able to leak sensitive user information. (CVE-2024-40775, CVE-2024-40823)
• Multiple issues in curl. (CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466)
• A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. (CVE-2024-40815)
• A local attacker may be able to cause unexpected system shutdown. (CVE-2024-40816)
• An attacker may be able to cause unexpected app termination. (CVE-2024-40803)
• An app may be able to view a contact’s phone number in system logs. (CVE-2024-40832)
• A local attacker may be able to elevate their privileges. (CVE-2024-40781, CVE-2024-40782)
• An app may be able to modify protected parts of the file system. (CVE-2024-27882, CVE-2024-27883, CVE-2024-40800)
• An app may bypass Gatekeeper checks. (CVE-2023-27952)
• An app may be able to access information about a user’s contacts. (CVE-2024-27881)
• Third party app extensions may not receive the correct sandbox restrictions. (CVE-2024-40821)
• Enabling Lockdown Mode while setting up a Mac may cause FileVault to become unexpectedly disabled. (CVE-2024-27862)
• A shortcut may be able to bypass sensitive Shortcuts app settings. (CVE-2024-40834)
• A malicious app may be able to gain root privileges. (CVE-2024-40828)
• An app may be able to modify protected parts of the file system. (CVE-2024-40811)
• An attacker may be able to read information belonging to another user. (CVE-2024-23261)
• An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. (CVE-2024-23296)
• An app may be able to cause unexpected system termination. (CVE-2024-27804)
• An attacker in a privileged network position may be able to spoof network packets. (CVE-2024-27823)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
• Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
o Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
o Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
o Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
o Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
o Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
o Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
o Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
o Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
o Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
o Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
o Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
o Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassessbi-annually, or more frequently.
o Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
o Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.

• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
o Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

• Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
o Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
o Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
o Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
o Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
o Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:
Apple:
https://support.apple.com/en-us/HT201222
https://support.apple.com/kb/HT214121
https://support.apple.com/kb/HT214117
https://support.apple.com/kb/HT214116
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214124
https://support.apple.com/kb/HT214122
https://support.apple.com/kb/HT214123
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27952
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2466
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27826
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27882
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40796
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40836

Cybercriminals Exploit Assassination Attempt to Steal Cryptocurrency

Example of deepfake video with QR code. Image Source: Bitdefender.

The NJCCIC recently received reports of cryptocurrency scams exploiting current events, similar to open-source reporting. Opportunistic cybercriminals are using the recent assassination attempt that targeted former President Donald Trump to lure unsuspecting victims into a new pig-butchering cryptocurrency investment scam. The scam involves hijacked YouTube channels that broadcast deepfake videos of Tesla CEO Elon Musk, promising to share insights into the attack. The compromised channels, many of which have millions of subscribers, are cleared of their original content and rebranded with attention-grabbing name-drops, such as “Tesla” and “Donald Trump Jr.”.

Image Source: Bitdefender.

These broadcasts feature a repeated deep fake video of Elon Musk urging followers and the crypto community to join a giveaway by scanning the embedded QR code. The QR codes direct users to fraudulent websites hosted on domains that imitate the impersonated brand or domains associated with Musk’s and Trump’s names. The cybercriminal attempts to convince the victim to invest in cryptocurrency to take advantage of the potential high-yield returns. After individuals have made multiple cryptocurrency investments through these fraudulent websites that promise significant returns, requests to withdraw or cash out their investments are denied for various reasons. The cybercriminal then cuts off contact with the victim and disappears with the invested money.

Recommendations

Exercise caution when encountering videos with click-bait titles and avoid scanning QR codes in YouTube videos promoting cryptocurrency giveaways. Verify investment claims that offer higher-than-average returns. Consider running recommendations by a third party or an investment professional with no stake in the investment. Inspect YouTube channels promoting cryptocurrency giveaways for suspicious activity and report any suspicious activity to the respective platform or authorities. Educate yourself and others regarding these types of scams. Additional recommendations can be found in the Bitdefender blog post. Maintain robust and up-to-date endpoint detection tools on every endpoint and consider using a comprehensive security solution that can block phishing attempts and fraudulent links. Cryptocurrency scams and other malicious activity may be reported to the FBI’s IC3 and the NJCCIC.

Play Ransomware Targets VMWare ESXi Environments

A new Linux variant of Play ransomware has been targeting VMWare ESXi environments. Businesses often use ESXi environments to run multiple virtual machines (VMs), typically hosting backup solutions, critical applications, and data storage. This new variant of Play ransomware still utilizes many of the same tactics, techniques, and procedures (TTPs) as prior Windows versions.

Play’s Linux infection chain. Image Source: Trend Micro

Play’s attacks begin with a phishing attack using shortened URLs received from Prolific Puma, a threat actor that provides link-shortening services for cybercriminals. Once in the system, Play runs specific commands to determine if it is running in an ESXi environment before performing malicious activities. The malware will terminate and delete itself if it is not in the correct environment. Upon successful connection, Play will run a series of shell commands that scan for and power off all VMs in the environment. After completing this process, Play will encrypt files, including the VM disk, configuration, and metadata files. Once encrypted, files will have the “.PLAY” extension appended to them.

Play ransomware was first discovered in 2022 and is known for exfiltrating sensitive information from compromised systems and using double-extortion tactics to pressure victims into paying the ransom to prevent data leakage. In December, the FBI released a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) stating that Play had breached approximately 300 victims as of October 2023. A new report shows that from January to July 2024, Play ransomware has targeted 187 victims, with over 82 percent of the attacks based in the United States.

Recommendations

Establish a comprehensive data backup plan that includes regularly performing scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly. Avoid clicking links, responding to, or otherwise acting on unsolicited emails. Keep systems up to date and apply patches after appropriate testing. Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.

FBI, CISA, and Partners Release Advisory Highlighting North Korean Cyber Espionage Activity

Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released a joint Cybersecurity Advisory, North Korea State-Sponsored Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs. The advisory was coauthored with the following organizations:

U.S. Cyber National Mission Force (CNMF);
U.S. Department of Defense Cyber Crime Center (DC3);
U.S. National Security Agency (NSA);
Republic of Korea’s National Intelligence Service (NIS);
Republic of Korea’s National Police Agency (NPA); and
United Kingdom’s National Cyber Security Centre (NCSC).

This advisory was crafted to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.

The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India.

All critical infrastructure organizations are encouraged to review the advisory and implement the recommended mitigations. For more information on North Korean state-sponsored threat actor activity, see CISA’s North Korea Cyber Threat Overview and Advisories page.

Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

NIST Releases RMF Small Enterprise Quick Start Guide

Introducing the RMF Small Enterprise Quick Start Guide

Today, NIST released the RMF Small Enterprise Quick Start Guide. The new guide is designed to help small, under-resourced entities understand the value and core components of the RMF and provides a starting point for designing and implementing an information security and privacy risk management program. Within the guide you’ll find:

An overview of the seven steps of the RMF process
Foundational tasks for each RMF step
Tips for getting started
Sample planning tables
Key terminology and definitions
Questions for organizations to consider
Related resources

View the New Guide

About the NIST RMF

The RMF provides a comprehensive, flexible, repeatable, and measurable seven-step process that organizations can use to manage their unique information security and privacy risks. The RMF can be applied to new and existing systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.

NIST has developed a suite of resources to help users get the most out of the RMF, including the recently released introductory courses for SP 800-53, SP 800-53A, and SP 800-53B. This portfolio of resources is designed to make the RMF easier to put into action for organizations of all sizes and types.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH NOW

OVERVIEW:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Chrome prior to 127.0.6533.72/73 for Windows and Mac
Chrome prior to 127.0.6533.72 for Linux

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

Use after free in Downloads (CVE-2024-6988)
Use after free in Loader (CVE-2024-6989)
Use after free in Dawn (CVE-2024-6991)
Out of bounds memory access in ANGLE (CVE-2024-6992)
Inappropriate implementation in Canvas (CVE-2024-6993)
Heap buffer overflow in Layout (CVE-2024-6994)
Inappropriate implementation in Fullscreen (CVE-2024-6995)
Race in Frames (CVE-2024-6996)
Use after free in Tabs (CVE-2024-6997)
Use after free in User Education (CVE-2024-6998)
Inappropriate implementation in FedCM (CVE-2024-6999, CVE-2024-7003)
Use after free in CSS (CVE-2024-7000)
Inappropriate implementation in HTML (CVE-2024-7001)
Insufficient validation of untrusted input in Safe Browsing (CVE-2024-7004, CVE-2024-7005)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Google:

https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html