Microsoft 365 Virtual Training Day: Fundamentals
Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Microsoft 365 Fundamentals to learn how to simplify the adoption of cloud services while supporting strong security, compliance, privacy, and trust. Also, discover how applications such as Microsoft Teams and Microsoft Viva help improve productivity, facilitate collaboration, and optimize communications. After completing this training, you’ll be eligible to take the Microsoft 365 Fundamentals certification exam at 50% off the exam price.
You will have the opportunity to:
- Find out how the productivity, collaboration, and endpoint management capabilities of Microsoft 365 empower people to stay connected and get more done across hybrid environments.
- Discover how Microsoft 365 security, compliance, and identity solutions help secure an entire digital estate, simplify compliance, and reduce risk.
- Explore the pricing models, licensing, and billing options available to meet the needs of your organization.
Join us at an upcoming two-part Microsoft 365 Fundamentals event:
Delivery Language: English
Closed Captioning Language(s): English
- August 01, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
- August 02, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)
- August 19, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
- August 20, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)
- August 26, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
- August 27, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)
Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.
Month: July 2024
Personal Identity Verification (PIV) Interfaces, Cryptographic Algorithms, and Key Sizes: NIST Revises SP 800-73 and SP 800-78
In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) credentials, including those on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201.
SP 800-73-5: Parts 1–3
SP 800-73-5: Parts 1–3, Interfaces for Personal Identity Verification, describe the technical specifications for using PIV Cards. The three parts cover the PIV data model (Part 1), the card edge interface (Part 2), and the application programming interface (Part 3). Major changes to the documents include:
- Removal of the previously deprecated CHUID authentication mechanism
- Deprecation of the SYM-CAK and VIS authentication mechanisms
- Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for facility access applications
- Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
- Addition of an optional Cardholder identifier in the PIV Authentication Certificate to identify a PIV credential holder to their PIV credential set issued during PIV eligibility
- Restriction on the number of consecutive activation retries for each of the activation methods (i.e., PIN and OCC attempts) to be 10 or less
- SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement
SP 800-78-5
SP 800-78-5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for the cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It has been modified to add additional algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing, including:
- Deprecation of 3TDEA algorithms with identifier ‘00’ and ‘03’
- Removal of the retired RNG from CAVP PIV component testing where applicable
- Removal of retired FIPS 186-2 key generation from CAVP PIV component testing where applicable
- Accommodation of the Secure Messaging Authentication key
- Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031
Service Mesh Proxy Models for Cloud-Native Applications: Draft SP 800-233 Available for Public Comment
The initial public draft of NIST Special Publication (SP) 800-233, Service Mesh Proxy Models for Cloud-Native Applications, is now available for public comment.
The service mesh has become the de facto application services infrastructure for cloud-native applications. It enables an application’s runtime functions (e.g., network connectivity, access control, etc.) through proxies that form the data plane of the service mesh. Different proxy models or data plane architectures have emerged, depending on the distribution of the network layer functions (i.e., L4 and L7) and the granularity of association of the proxies to individual services/computing nodes.
The purposes of this document are two-fold:
- Develop a threat profile for each of the data plane architectures by considering a set of potential threats to various proxy functions and assign scores to the impacts and likelihoods of their exploits.
- Analyze the service mesh capabilities that are required for each class of cloud-native applications with different risk profiles (i.e., low, medium, and high) and provide recommendations for the data plane architectures or proxy models that are appropriate and applicable for each class.
The public comment period is open through September 3, 2024. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
A Vulnerability in Cisco Secure Email Gateway Could Allow for Remote Code Execution – PATCH: NOW
MS-ISAC ADVISORY NUMBER:
2024-083
DATE(S) ISSUED:
07/22/2024
SUBJECT:
A Vulnerability in Cisco Secure Email Gateway Could Allow for Remote Code Execution
OVERVIEW:
A vulnerability has been discovered in Cisco Secure Email Gateway that could allow for remote code execution. Cisco Secure Email Gateway is an email security product that uses signature analysis and machine learning to identify and block malicious emails before they reach recipients' inboxes. Successful exploitation could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.
THREAT INTELLIGENCE:
There are no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
- Content Scanner Tools versions earlier than 23.3.0.4823 if either the file analysis feature, which is part of Cisco Advanced Malware Protection (AMP), or the content filter feature is enabled and assigned to an incoming mail policy.
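The affected condition above has two parts, a version threshold and a configuration state, and both must hold for a gateway to be exposed. The following triage helper is an added example (not part of the MS-ISAC advisory and not Cisco tooling) that applies that condition to a constructed inventory; the hostnames, version strings and the `Gateway` record layout are invented for illustration. Its one non-obvious point is that the version must be compared numerically: a plain string comparison ranks "9.0.0.1" above "23.3.0.4823".

```python
"""Triage helper for the Cisco Secure Email Gateway advisory (CVE-2024-20401).

Added example, not from the MS-ISAC advisory or any Cisco tool. It applies the
advisory's affected condition to a constructed inventory: Content Scanner Tools
earlier than 23.3.0.4823 AND (file analysis OR content filter enabled) AND that
feature assigned to an incoming mail policy.
"""
from dataclasses import dataclass

# Threshold from the advisory: versions earlier than this are vulnerable.
FIXED_VERSION = (23, 3, 0, 4823)


def parse_version(text: str) -> tuple:
    """Turn '23.3.0.4823' into (23, 3, 0, 4823) so ordering is numeric, not lexical.

    Short strings such as '23.3' are zero-padded so they compare as (23, 3, 0, 0).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (len(FIXED_VERSION) - len(nums))


@dataclass
class Gateway:
    """Hypothetical inventory record; field names are this example's own."""
    hostname: str
    scanner_version: str             # Content Scanner Tools version string
    file_analysis_enabled: bool      # AMP file analysis feature
    content_filter_enabled: bool
    incoming_policy_assigned: bool   # the feature is attached to an incoming mail policy


def is_vulnerable_version(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def is_affected(gw: Gateway) -> bool:
    """Full advisory condition: old version AND a triggering feature on an incoming policy."""
    feature_on = gw.file_analysis_enabled or gw.content_filter_enabled
    return is_vulnerable_version(gw.scanner_version) and feature_on and gw.incoming_policy_assigned


def triage(inventory) -> dict:
    """Bucket gateways: 'patch_now' (condition met), 'version_old_feature_off'
    (old version, so the patch is still due, but the trigger is not configured),
    and 'ok' (fixed version or later)."""
    result = {"patch_now": [], "version_old_feature_off": [], "ok": []}
    for gw in inventory:
        if not is_vulnerable_version(gw.scanner_version):
            result["ok"].append(gw.hostname)
        elif is_affected(gw):
            result["patch_now"].append(gw.hostname)
        else:
            result["version_old_feature_off"].append(gw.hostname)
    return result


# Constructed inventory: hostnames and versions are invented for illustration.
SAMPLE_INVENTORY = [
    Gateway("esa-1.example.test", "23.3.0.4823", True, True, True),    # at the fixed version
    Gateway("esa-2.example.test", "23.3.0.4800", True, False, True),   # old build, AMP on
    Gateway("esa-3.example.test", "9.0.0.1", False, True, True),       # lexically "newer", numerically older
    Gateway("esa-4.example.test", "23.2.0.9000", False, False, True),  # old, no trigger feature
    Gateway("esa-5.example.test", "23.3.0.4822", True, True, False),   # old, features not on an incoming policy
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Gateways in the second bucket are not exposed to this specific issue today, but one configuration change would put them in the first, so they belong in the same patch cycle.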
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
A vulnerability has been discovered in Cisco Secure Email Gateway that could allow for remote code execution. Details of the vulnerability include:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):
- A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system. This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device.
Successful exploitation could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate mitigations provided by Cisco to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
- Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
- Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
- Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
REFERENCES:
Cisco:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20401
Azure Network Security | Unlock the Power of Azure Firewall Governance with Azure Policies
Tuesday July 23, 2024 | 8:00AM – 9:00AM (PST, Redmond Time)
Description: Join us for an insightful webinar on Azure Policies for Azure Firewall, where we will delve into the governance aspects to ensure your Azure Firewall is configured with the optimal settings for robust security and compliance. The following topics will be covered during the webinar:
- An overview of Azure Firewall and its role in network security.
- The importance of Azure Policies in maintaining governance and compliance.
- Best practices for configuring Azure Firewall using Azure Policies.
Whether you are new to Azure Firewall or looking to enhance your existing setup, this webinar will provide valuable insights and practical knowledge to help you govern your network security effectively. Don’t miss this opportunity to learn from the experts and take your Azure Firewall configuration to the next level.
Presenter(s):
Oracle Quarterly Critical Patches Issued July 16, 2024 – PATCH NOW
MS-ISAC ADVISORY NUMBER:
2024-082
DATE(S) ISSUED:
07/18/2024
SUBJECT:
Oracle Quarterly Critical Patches Issued July 16, 2024
OVERVIEW:
Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution.
SYSTEMS AFFECTED:
- JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.8.3
- JD Edwards EnterpriseOne Tools, versions prior to 9.2.8.2
- JD Edwards World Security, version A9.4
- Management Pack for Oracle GoldenGate, version 12.2.1.2
- MySQL Cluster, versions 7.5.34 and prior, 7.6.30 and prior, 8.0.37 and prior, 8.1.0 and prior, 8.3.0 and prior, 8.4.0 and prior
- MySQL Connectors, versions 8.4.0 and prior
- MySQL Enterprise Monitor, versions 8.0.38 and prior
- MySQL Server, versions 8.0.37 and prior, 8.0.38, 8.2.0 and prior, 8.3.0 and prior, 8.4.0 and prior, 8.4.1, 9.0.0
- MySQL Workbench, versions 8.0.36 and prior
- Oracle Access Manager, version 12.2.1.4.0
- Oracle Agile Engineering Data Management, versions 6.2.1.0-6.2.1.9
- Oracle Analytics Desktop, versions prior to 7.7.0, prior to 7.8.0
- Oracle Application Express, version 23.2
- Oracle Application Testing Suite, version 13.3.0.1
- Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2
- Oracle Banking Branch, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Banking Cash Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Banking Credit Facilities Process Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0.0.0
- Oracle Banking Liquidity Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Banking Origination, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Banking Party Management, version 2.7.0.0.0
- Oracle Banking Platform, version 2.4.0.0.0
- Oracle Banking Virtual Account Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Big Data Spatial and Graph, version 3.0.6
- Oracle Business Activity Monitoring, version 12.2.1.4.0
- Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0
- Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
- Oracle Commerce Guided Search, version 11.3.2
- Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
- Oracle Communications ASAP, version 7.4
- Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0
- Oracle Communications BRM – Elastic Charging Engine, versions 12.0.0.4-12.0.0.8, 15.0.0.0
- Oracle Communications Cloud Native Core Automated Test Suite, versions 23.1.0, 23.4.0
- Oracle Communications Cloud Native Core Binding Support Function, versions 23.4.0-23.4.3
- Oracle Communications Cloud Native Core Console, versions 23.4.0, 23.4.1
- Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0
- Oracle Communications Cloud Native Core Network Exposure Function, version 23.4.3
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.4.0, 24.1.0
- Oracle Communications Cloud Native Core Network Repository Function, version 23.4.2
- Oracle Communications Cloud Native Core Policy, versions 23.4.0-23.4.4
- Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.0, 24.1.0
- Oracle Communications Cloud Native Core Service Communication Proxy, versions 23.4.0, 23.4.1, 23.4.2, 24.1.0
- Oracle Communications Cloud Native Core Unified Data Repository, versions 23.4.1, 23.4.2
- Oracle Communications Converged Charging System, versions 2.0.0.0.0, 2.0.0.1.0
- Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0
- Oracle Communications Diameter Signaling Router, versions 8.6.0.4-8.6.0.8
- Oracle Communications EAGLE Element Management System, versions 46.6.4, 46.6.5
- Oracle Communications Element Manager, versions 9.0.0-9.0.3
- Oracle Communications Network Analytics Data Director, versions 23.4.0, 24.1.0
- Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0
- Oracle Communications Operations Monitor, versions 5.1, 5.2
- Oracle Communications Performance Intelligence, version 10.5
- Oracle Communications Policy Management, versions 12.6.1.0.0, 15.0.0.0.0
- Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0
- Oracle Communications Service Catalog and Design, versions 7.4.0-7.4.2, 8.0.0
- Oracle Communications Session Border Controller, versions 4.1.0, 4.2.0, 9.2.0, 9.3.0
- Oracle Communications Session Report Manager, versions 9.0.0-9.0.3
- Oracle Communications Unified Assurance, versions 5.5.0-5.5.21, 6.0.0-6.0.4
- Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2
- Oracle Communications User Data Repository, versions 12.11.0, 12.11.3, 12.11.4
- Oracle Data Integrator, version 12.2.1.4.0
- Oracle Database Server, versions 19.3-19.23, 21.3-21.14, 23.4
- Oracle Documaker, versions 12.6.4, 12.7.1
- Oracle E-Business Suite, versions 12.2.3-12.2.13
- Oracle Enterprise Data Quality, version 12.2.1.4.0
- Oracle Enterprise Manager Base Platform, version 13.5.0.0
- Oracle Essbase, version 21.5.6
- Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.1.1, 8.1.2
- Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.7.3, 8.0.8.3
- Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.7.3, 8.0.8.3
- Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7
- Oracle Financial Services Compliance Studio, versions 8.1.2.6, 8.1.2.7
- Oracle Financial Services Enterprise Case Management, versions 8.0.8.2.8, 8.1.1.1.18, 8.1.2.6.4, 8.1.2.7.3
- Oracle Financial Services Model Management and Governance, versions 8.1.2.5, 8.1.2.6
- Oracle Financial Services Revenue Management and Billing, versions 6.0.0.0.0, 6.1.0.0.0
- Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0
- Oracle FLEXCUBE Investor Servicing, versions 14.5.0.0.0, 14.7.0.0.0
- Oracle FLEXCUBE Universal Banking, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
- Oracle Fusion Middleware, version 12.2.1.4.0
- Oracle Global Lifecycle Management NextGen OUI Framework, version 12.2.1.4.0
- Oracle GoldenGate, versions 19.1.0.0.0-19.23.0.0.240716, 21.3-21.14
- Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.18, 21.3-21.14.0.0.0
- Oracle GoldenGate Studio, version 12.2.0.4.0
- Oracle GraalVM Enterprise Edition, versions 20.3.14, 21.3.10
- Oracle GraalVM for JDK, versions 17.0.11, 21.0.3, 22.0.1
- Oracle Graph Server and Client, versions 22.4.7 and prior, 23.4.2 and prior, 24.1.0 and prior
- Oracle Healthcare Data Repository, versions 8.1.4, 8.2.0
- Oracle Healthcare Foundation, versions 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4
- Oracle Healthcare Master Person Index, versions 5.0.0-5.0.9
- Oracle HTTP Server, version 12.2.1.4.0
- Oracle Hyperion Data Relationship Management, version 11.2.17.0.0
- Oracle Hyperion Financial Close Management, version 11.2.17.0.0
- Oracle Hyperion Infrastructure Technology, version 11.2.17.0.0
- Oracle Identity Manager, version 12.2.1.4.0
- Oracle Insurance Policy Administration J2EE, versions 11.2.12, 11.3.0-11.3.2
- Oracle Java SE, versions 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1
- Oracle JDeveloper, version 12.2.1.4.0
- Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
- Oracle NoSQL Database, versions 1.4, 1.5, prior to 19.5.42, prior to 20.3.40, prior to 21.2.27, prior to 22.3.46, prior to 23.3.32
- Oracle Outside In Technology, version 8.5.7
- Oracle Reports Developer, versions 12.2.1.4.0, 12.2.1.19.0
- Oracle REST Data Services, versions prior to 23.3.1, prior to 24.1.0
- Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3
- Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
- Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
- Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
- Oracle Retail Xstore Office, versions 19.0.5, 20.0.3, 20.0.4, 22.0.0, 23.0.1
- Oracle Service Bus, version 12.2.1.4.0
- Oracle Solaris, version 11
- Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.24.0
- Oracle Unified Directory, version 12.2.1.4.0
- Oracle Utilities Application Framework, versions 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1-4.5.0.1.3, 24.1.0.0.0, 24.2.0.0.0
- Oracle VM VirtualBox, versions prior to 7.0.20
- Oracle WebCenter Content, version 12.2.1.4.0
- Oracle WebCenter Portal, version 12.2.1.4.0
- Oracle WebCenter Sites, version 12.2.1.4.0
- Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0
- Oracle ZFS Storage Appliance Kit, version 8.8
- PeopleSoft Enterprise HCM Human Resources, version 9.2
- PeopleSoft Enterprise HCM Shared Components, version 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61
- Primavera Gateway, versions 19.12.0-19.12.19, 20.12.0-20.12.14, 21.12.0-21.12.12
- Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13, 23.12.0-23.12.6
- Siebel Applications, versions 22.12 and prior, 23.12 and prior, 24.6 and prior
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Low
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
- Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
- Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
- Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
- Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
- Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
REFERENCES:
Oracle:
https://learn.cisecurity.org/e/799323/ecurity-alerts-cpujul2024-html/4trsfb/2222413518/h/N94Ci0NVvKPTkBrQZEV8psLw3ZK14k0TV6nEcODap6E
Changes in Tactics, Techniques, and Procedures of Iranian State-Sponsored Threat Group, MuddyWater
While Chinese, North Korean, and Russian state-sponsored cyber threat activity has recently surged, MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has consistently targeted Israel and its allies with a barrage of cyberattacks since the onset of the Israeli-Hamas War. The threat group typically uses phishing campaigns, often sent from compromised business email accounts, to deploy legitimate Remote Management Tools (RMM) such as Screen Connect and Atera Agent. However, recent campaigns targeting Israel were observed delivering a new custom backdoor identified as BugSleep marking a notable change in TTPs. BugSleep appears to be in a perpetual development state, undergoing continuous improvement for functionality and bug fixes. |
In addition, MuddyWater often uses Egnyte, a legitimate file-sharing service enabling organizations to conveniently share files via a web browser. They typically focus on specific sectors of interest, such as Israeli municipalities, airlines, travel agencies, and journalists; however, recent targets include the education, logistics, and healthcare sectors. Themes used in these campaigns include invitations to webinars and online courses allowing the threat actor to recycle the phishing template across different sectors and regions. The phishing emails are delivered to targets in the locally spoken language, though English is now used more frequently. |
MuddyWater’s new infection chain. Image Source: Checkpoint |
The malware can perform several commands to write, run, establish persistence, delete tasks, and other evasion techniques. One analyzed sample resulted in a custom loader that injects a shellcode to deliver BugSleep in-memory into specific processes. These processes include msedge.exe, opera.exe, chrome.exe, anydesk.exe, onedrive.exe, and powershell.exe, depending on whether they are already running. Cyberattacks using this new malware are targeting a wide range of global entities, with a particular focus on Israeli and Saudi Arabian targets. This Iranian threat group is highly active and has historically targeted various industry sectors worldwide, including telecommunications, government, IT services, and oil industry organizations. Over time, it has expanded its cyber-espionage operations to focus on governmental and defense institutions in Central and Southwest Asia, along with businesses in North America and Europe. Although MuddyWater is currently targeting Israel, the group often reuses newly developed and successfully tested malware to attack Western countries and Israeli allies. |
Recommendations
Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails. Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior. Implement email filtering solutions, such as spam filters, to help block phishing messages. Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments. Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.
CRYSTALRAY Use of Open-Source Software in Cyber Operations
CRYSTALRAY, a newly discovered threat actor, uses multiple open-source software (OSS) tools to grow its credential-stealing and cryptomining operations. Researchers first identified this threat actor in February by tracking its use of the OSS SSH-Snake penetration testing tool to exploit vulnerabilities in the Atlassian Confluence platform. CRYSTALRAY has since expanded its arsenal with OSS tools such as ASN, ZMap, Httpx, Nuclei, and Platypus. CRYSTALRAY has targeted over 1,800 IPs, a number that will likely continue to grow.
CRYSTALRAY takes advantage of a mix of legitimate and malicious OSS tools during its attack chain. Many of these tools are sourced from ProjectDiscovery, a security platform that produces tools used by defenders. The threat actors begin their attack with ASN to obtain a complete account of open ports, known vulnerabilities, and a listing of both the software and hardware used by the system. ASN’s other benefit is that it can gather this information without sending packets that could potentially alert a target to an upcoming attack. This activity is followed by the use of ZMap, which scans specified ports for vulnerable services. Httpx is used to verify whether a domain is live, followed by Nuclei to identify exploitable weaknesses in the attack surface.
Once an exploitable weakness is discovered, CRYSTALRAY uses a public proof-of-concept exploit to drop its malicious payload. The payload is often Sliver, a red team framework that allows CRYSTALRAY to connect to a command and control (C2) network, or Platypus, a web-based manager that can handle up to 400 reverse shell sessions on a breached system. The threat actors use SSH-Snake to discover SSH keys and credentials, which are used for lateral movement. The stolen credentials, especially those associated with cloud platforms and software-as-a-service email platforms, are often sold in underground marketplaces for a profit. Additionally, CRYSTALRAY typically loads cryptominers onto a victim’s system, using the stolen resources for further profit.
Recommendations
Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Establish a continuous monitoring and audit process to monitor existing SSH keys. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.
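One way to implement the SSH key audit recommended above, as an added example that is not part of the advisory or of any vendor tool: a Python script that fingerprints every entry in an authorized_keys file the way OpenSSH does (SHA256 over the decoded key blob) and reports keys that are absent from an approved inventory, which is what SSH-Snake-style key harvesting and lateral movement would leave behind. The key blobs, host names, and comments are constructed placeholders; the baseline is assumed to come from configuration management.

```python
import base64
import hashlib

# Constructed placeholder key blobs (not real keys); a real authorized_keys line carries
# the base64 of the wire-format public key in this position.
KEY_DEPLOY = base64.b64encode(b"constructed-ed25519-blob-deploy").decode()
KEY_BACKUP = base64.b64encode(b"constructed-rsa-blob-backup").decode()
KEY_ROGUE = base64.b64encode(b"constructed-ed25519-blob-rogue").decode()

# Approved inventory for a host, as it would be exported from configuration management.
BASELINE_KEYS = """
ssh-ed25519 %s deploy@ci
from="10.0.1.0/24" ssh-rsa %s backup@nas
""" % (KEY_DEPLOY, KEY_BACKUP)

# Constructed authorized_keys as observed on the host after an unexplained change.
OBSERVED_KEYS = """
# managed by configuration management
ssh-ed25519 %s deploy@ci
from="10.0.1.0/24" ssh-rsa %s backup@nas
ssh-ed25519 %s root@ip-10-0-3-7
""" % (KEY_DEPLOY, KEY_BACKUP, KEY_ROGUE)


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (fingerprint, key_type, comment, options) per key line, skipping blanks/comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An optional options field precedes the key type; assumes no whitespace inside it.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line: no key type or no key blob
        options = " ".join(fields[:idx])
        comment = " ".join(fields[idx + 2:])
        entries.append((fingerprint(fields[idx + 1]), fields[idx], comment, options))
    return entries


def audit(baseline_text, observed_text):
    """Return (fingerprint, key_type, comment) for keys on the host missing from the inventory."""
    approved = {entry[0] for entry in parse_authorized_keys(baseline_text)}
    return [(fp, ktype, comment) for fp, ktype, comment, _ in parse_authorized_keys(observed_text)
            if fp not in approved]
```

Run on a schedule across hosts, `audit()` flags only the `root@ip-10-0-3-7` entry here; each unapproved fingerprint can then be matched against `ssh-keygen -lf` output on the suspected source host.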
Get the most from AI with new data and analytics best practices
Predictions 2024: Data and Analytics—Forrester report
Data and analytics are the foundation of successful AI deployment. Learn how to maximize the value of your AI by providing the right data using the data and analytics best practices in this Forrester report. Read the Predictions 2024: Data and Analytics report on the future of data and analytics in the AI era to: Explore five predictions about the future of data and analytics that’ll help you prepare for changes coming to the AI landscape. Learn how to optimize your data management strategy to ensure your org is ready to scale for generative AI data. Discover how improving data quality will enhance the accuracy of AI and machine learning models by 20% and improve decision-making.
Join us at Configure Security Operations Using Microsoft Sentinel training day
Microsoft Security Virtual Training Day: Configure Security Operations Using Microsoft Sentinel. Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Configure Security Operations Using Microsoft Sentinel to learn best practices for hunting, detecting, and investigating threats and managing incidents with Microsoft Sentinel. You’ll also learn how to deploy an instance efficiently and how to work with data connectors, analytic rules, and workbooks more effectively. You will have the opportunity to: Learn how to plan and configure a Microsoft Sentinel instance. See how to deploy and configure Microsoft Sentinel content hub solutions. Discover how to automatically search for threats across your infrastructure by creating Microsoft Sentinel analytics rules. Explore Microsoft AI capabilities. Join us at an upcoming Configure Security Operations Using Microsoft Sentinel event: Delivery Language: English. Closed Captioning Language(s): English. August 08, 2024 | 12:00 PM – 5:15 PM | (GMT-05:00) Eastern Time (US & Canada). August 22, 2024 | 12:00 PM – 5:15 PM | (GMT-05:00) Eastern Time (US & Canada). Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.