Analysts recently identified a new iteration of the BeaverTail malware associated with the CL-STA-240 Contagious Interview campaign, first discovered in November 2023. The threat actors, associated with the Democratic People’s Republic of Korea (DPRK), pose as prospective employers and target job seekers in the Information Technology sector through popular platforms such as LinkedIn and X. They then try to convince the victims to take part in online interviews in order to trick them into downloading and installing malware.
Profile of a fake recruiter on X. Image Source: Unit 42
This new BeaverTail variant was detected as early as July 2024. It was written in Qt rather than JavaScript, allowing threat actors to create cross-platform applications for Windows and macOS simultaneously. The updated malware has expanded to target 13 distinct cryptocurrency wallet browser extensions. Other updated features enable password theft in macOS and the theft of cryptocurrency wallets in macOS and Windows. These changes align with the ongoing financial interests of North Korean threat actors.
Once installed, BeaverTail runs in the background and forwards stolen sensitive data to the command and control (C2) server. After exfiltration, BeaverTail attempts to download a Python runtime from hxxp://<c2_server>:1224/pdown; InvisibleFerret is written in Python and needs it in order to run on each operating system. The first stage of InvisibleFerret is then downloaded from hxxp://<c2_server>:1224/client/<campaign_id>.
InvisibleFerret components infographic. Image Source: Unit 42
The attack ends with the delivery of the InvisibleFerret backdoor, which can be used for keylogging, file exfiltration, and downloading remote control software such as AnyDesk. If the infection succeeds, this campaign could also compromise the companies that later hire the targeted job seekers, leading to the extraction and exfiltration of sensitive data.
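As an added example (not code from Unit 42 or from the original write-up), the following Python scans proxy log lines for the two staging URLs described above: a request to port 1224 for /pdown or for /client/<campaign_id>. The log format, hostnames and IP addresses are constructed for illustration. Port 1224 on its own is a weak indicator, so a line where both the port and the path match is reported as high, and a line where only one of them matches as low.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Indicators from the write-up above: BeaverTail fetches a Python runtime from
# hxxp://<c2_server>:1224/pdown and the first InvisibleFerret stage from
# hxxp://<c2_server>:1224/client/<campaign_id>.
C2_PORT = 1224
SUSPICIOUS_PATHS = (re.compile(r"^/pdown$"), re.compile(r"^/client/[^/]+$"))

# Constructed proxy log sample (hypothetical "epoch src_ip method url status"
# format, documentation-range IPs; not real traffic).
SAMPLE_LOG = """\
1728400001 10.0.0.15 GET http://203.0.113.10:1224/pdown 200
1728400002 10.0.0.15 GET http://203.0.113.10:1224/client/1234 200
1728400003 10.0.0.22 GET http://example.com/index.html 200
1728400004 10.0.0.22 GET http://203.0.113.10:8080/client/1234 200
1728400005 10.0.0.31 GET http://198.51.100.7:1224/healthz 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


class Hit(NamedTuple):
    ts: int
    src: str
    url: str
    severity: str


def score(url: str) -> Optional[str]:
    """Return "high" when both the C2 port and a staging path match,
    "low" when only one of them does, None otherwise."""
    parts = urlsplit(url)
    try:
        port_hit = parts.port == C2_PORT
    except ValueError:  # malformed port in the URL
        port_hit = False
    path_hit = any(p.match(parts.path) for p in SUSPICIOUS_PATHS)
    if port_hit and path_hit:
        return "high"
    if port_hit or path_hit:
        return "low"
    return None


def scan(log_text: str) -> List[Hit]:
    """Run the indicator check over every well-formed log line."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        severity = score(m["url"])
        if severity:
            hits.append(Hit(int(m["ts"]), m["src"], m["url"], severity))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.severity:4} {hit.src} {hit.url}")
```

Run against the constructed sample, the two requests from 10.0.0.15 score high; the /client/ request on port 8080 and the unrelated request on port 1224 score low and are worth a look only alongside other evidence.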
Recommendations
Educate yourself and others about these and similar scams.
Refrain from clicking on links and attachments delivered via emails or social media messages.
Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds.
Confirm the legitimacy of requests by contacting the careers section of a company’s official website or by calling the company’s human resources department to verify that the job offer is legitimate.
Report malicious cyber activity to the FTC or to the FBI’s IC3.
Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Defend Against Threats with Extended Detection and Response to learn how to better protect apps and data in Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. You’ll get an in-depth view into attack disruption, incidents and alerts, and best practices for investigation and incident management.
You will have the opportunity to:
Learn how to investigate, respond to, and hunt for threats using Microsoft Defender and Microsoft Sentinel.
Understand how integrating Microsoft 365 Defender and Microsoft Sentinel enhances security and response time.
Discover how to help mitigate threats across your entire infrastructure with Microsoft Security tools and solutions.
Join us at an upcoming Defend Against Threats with Extended Detection and Response event:
October 29, 2024
11:00 AM – 2:15 PM | (GMT-05:00) Central Time US & Canada
12:00 PM – 3:15 PM | (GMT-04:00) Eastern Time US & Canada
10:00 AM – 1:15 PM | (GMT-06:00) Mountain Time US & Canada
9:00 AM – 12:15 PM | (GMT-07:00) Pacific Time US & Canada
Delivery Language: English Closed Captioning Language(s): English
Identity and Access Management is a fundamental and critical cybersecurity capability for businesses of all sizes. To protect your business from fraud and unauthorized system and data access, you want to take steps to ensure that only the right people and technologies have the right level of access to the right resources at the right time.
For many busy small business owners, the use of passwords has been the primary method for locking down access to sensitive systems and data. However, passwords alone are not effective for protecting your data from most attackers. They have become too easy for threat actors to exploit at scale and with limited effort. So that leaves us with the question: what can a small business owner with limited resources do to protect their systems and information from unauthorized access?
During this webinar, we’ll take it back to the fundamentals to discuss practical steps small businesses can take to enhance their identity and access management, resulting in a stronger, more resilient business in the face of increasing cybersecurity risks. We will cover:
Current guidance and leading-practices for multi-factor authentication (MFA), including phishing-resistant MFA.
Identity and Access Management approaches to consider as your business grows.
How identity and access management is covered in the NIST Cybersecurity Framework 2.0.
Speakers:
Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division, NIST
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.
Adobe products are used to create and publish a wide variety of content, including graphics, photography, illustration, animation, multimedia, motion pictures, and print.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
Adobe Substance 3D Painter 10.0.1 and earlier versions
Adobe Commerce 2.4.7-p2 and earlier versions
Adobe Commerce 2.4.6-p7 and earlier versions
Adobe Commerce 2.4.5-p9 and earlier versions
Adobe Commerce 2.4.4-p10 and earlier versions
Adobe Commerce B2B 1.4.2-p2 and earlier versions
Adobe Commerce B2B 1.3.5-p7 and earlier versions
Adobe Commerce B2B 1.3.4-p9 and earlier versions
Adobe Commerce B2B 1.3.3-p10 and earlier versions
Magento Open Source 2.4.7-p2 and earlier versions
Magento Open Source 2.4.6-p7 and earlier versions
Magento Open Source 2.4.5-p9 and earlier versions
Magento Open Source 2.4.4-p10 and earlier versions
Adobe Dimension 4.0.3 and earlier versions
Adobe Animate 2023 23.0.7 and earlier versions
Adobe Animate 2024 24.0.4 and earlier versions
Lightroom 7.4.1 and earlier versions
Lightroom Classic 13.5 and earlier versions
Lightroom Classic (LTS) 12.5.1 and earlier versions
Adobe InCopy 19.4 and earlier versions
Adobe InCopy 18.5.3 and earlier versions
Adobe InDesign ID19.4 and earlier versions
Adobe InDesign ID18.5.3 and earlier versions
Adobe Substance 3D Stager 3.0.3 and earlier versions
Adobe FrameMaker 2020 Release Update 6 and earlier versions
Adobe FrameMaker 2022 Release Update 4 and earlier versions
RISK:
Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:
Unrestricted Upload of File with Dangerous Type (CVE-2024-47423)
Integer Overflow or Wraparound (CVE-2024-47424)
Integer Underflow (Wrap or Wraparound) (CVE-2024-47425)
RECOMMENDATIONS:
We recommend the following actions be taken:
Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this Fact Sheet, which provides information about threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) targeting and compromising accounts of Americans to stoke discord and undermine confidence in US democratic institutions.
IRGC actors have previously gained and continue to seek access to personal and business accounts using social engineering techniques by targeting victims across email and chat platforms. This fact sheet includes steps that individuals and organizations can take to enhance their security and resilience to protect themselves against the common techniques used by these cyber actors.
CISA and FBI strongly recommend all individuals and organizations associated with national political organizations apply the mitigations in this fact sheet, including protecting their sensitive accounts with phishing-resistant multi-factor authentication (MFA).
Election infrastructure stakeholders and the public can find more resources on how to protect against cyber and physical threats at #Protect2024. CISA encourages organizations to review its Iran Cyber Threat webpage for advisories and actions to defend their networks.
The initial public draft of NIST Internal Report (IR) 8539, Security Property Verification by Transition Model, is now available for public comment. Verifying the security properties of access control policies is a complex and critical task. The policies and their implementation often do not explicitly express their underlying semantics, which may be implicitly embedded in the logic flows of policy rules, especially when policies are combined. Instead of evaluating and analyzing access control policies solely at the mechanism level, formal transition models are used to describe these policies and prove the system’s security properties. This approach ensures that access control mechanisms can be designed to meet security requirements.
This document explains how to apply model-checking techniques to verify security properties in transition models of access control policies. It provides a brief introduction to the fundamentals of model checking and demonstrates how access control policies are converted into automata from their transition models. The document then focuses on discussing property specifications in terms of linear temporal logic (LTL) and computation tree logic (CTL) languages with comparisons between the two. Finally, the verification process and available tools are described and compared.
The public comment period is open through November 25, 2024. See the publication details for a copy of the draft and instructions for submitting comments.
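As an added illustration (not material or tooling from NIST IR 8539), the following Python builds the transition model of a small, hypothetical role-grant policy and checks a safety property over it by exhaustive state exploration, which is the explicit-state form of model checking the report discusses. The property is separation of duty: no reachable state in which one user holds both the submitter and approver roles, i.e. the invariant AG ¬(submitter ∧ approver) in CTL or G ¬(submitter ∧ approver) in LTL. The roles and rule names are assumptions. The grant(approver) rule refuses a current submitter, but grant(submitter) does not refuse a current approver, so the violation only surfaces when the rules fire in a particular order; the checker returns that order as a counterexample trace, and the invariant holds once the symmetric guard is added.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# State: the set of roles one user currently holds (hypothetical policy).
State = FrozenSet[str]
Guard = Callable[[State], bool]
Effect = Callable[[State], State]
Rule = Tuple[str, Guard, Effect]  # (label, enabling condition, successor function)

ROLES = ("submitter", "approver", "auditor")


def policy_rules(fixed: bool) -> List[Rule]:
    """Grant/revoke rules expressed as transitions. With fixed=False only
    grant(approver) carries the separation-of-duty guard; fixed=True adds
    the symmetric guard to grant(submitter)."""

    def grant_guard(role: str) -> Guard:
        def guard(s: State) -> bool:
            if role in s:
                return False
            if role == "approver" and "submitter" in s:
                return False  # the SoD check the policy author wrote
            if fixed and role == "submitter" and "approver" in s:
                return False  # the check that was missing
            return True
        return guard

    rules: List[Rule] = []
    for role in ROLES:
        rules.append((f"grant({role})", grant_guard(role), lambda s, r=role: s | {r}))
        rules.append((f"revoke({role})", lambda s, r=role: r in s, lambda s, r=role: s - {r}))
    return rules


def sod_violation(s: State) -> bool:
    """The 'bad' predicate: a user who can both submit and approve."""
    return "submitter" in s and "approver" in s


def check_invariant(initial: State, rules: List[Rule],
                    bad: Callable[[State], bool]) -> Optional[List[str]]:
    """Explicit-state check of AG not bad (CTL) / G not bad (LTL) by breadth-first
    search over the reachable states. Returns the shortest counterexample as a
    list of rule labels, or None when the invariant holds in every reachable state."""
    if bad(initial):
        return []
    parent: Dict[State, Tuple[Optional[State], str]] = {initial: (None, "")}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        for label, guard, apply in rules:
            if not guard(s):
                continue
            t = apply(s)
            if t in parent:
                continue  # finite model: every state is expanded once
            parent[t] = (s, label)
            if bad(t):
                trace: List[str] = []
                while parent[t][0] is not None:
                    prev, lbl = parent[t]
                    trace.append(lbl)
                    t = prev
                return trace[::-1]
            queue.append(t)
    return None


def reachable_states(initial: State, rules: List[Rule]) -> FrozenSet[State]:
    """All states the policy can reach from initial (the automaton's state set)."""
    seen = {initial}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        for _, guard, apply in rules:
            if guard(s):
                t = apply(s)
                if t not in seen:
                    seen.add(t)
                    queue.append(t)
    return frozenset(seen)


if __name__ == "__main__":
    start: State = frozenset()
    print("as written:", check_invariant(start, policy_rules(fixed=False), sod_violation))
    print("fixed     :", check_invariant(start, policy_rules(fixed=True), sod_violation))
```

The trace the checker returns for the unfixed policy, grant(approver) followed by grant(submitter), is exactly the rule ordering that rule-by-rule inspection tends to miss. Real model checkers handle far larger state spaces with symbolic representations and the LTL/CTL specification languages the report compares, but the reachability argument is the same.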
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE: The vulnerabilities Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572) and Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573) have been seen exploited in the wild and disclosed publicly.
SYSTEMS AFFECTED:
.NET and Visual Studio
.NET, .NET Framework, Visual Studio
Azure CLI
Azure Monitor
Azure Stack
BranchCache
Code Integrity Guard
DeepSpeed
Internet Small Computer Systems Interface (iSCSI)
Microsoft ActiveX
Microsoft Configuration Manager
Microsoft Defender for Endpoint
Microsoft Graphics Component
Microsoft Management Console
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft Simple Certificate Enrollment Protocol
Microsoft WDAC OLE DB provider for SQL
Microsoft Windows Speech
OpenSSH for Windows
Outlook for Android
Power BI
Remote Desktop Client
Role: Windows Hyper-V
RPC Endpoint Mapper Service
Service Fabric
Sudo for Windows
Visual C++ Redistributable Installer
Visual Studio
Visual Studio Code
Windows Ancillary Function Driver for WinSock
Windows BitLocker
Windows Common Log File System Driver
Windows Cryptographic Services
Windows EFI Partition
Windows Hyper-V
Windows Kerberos
Windows Kernel
Windows Kernel-Mode Drivers
Windows Local Security Authority (LSA)
Windows Mobile Broadband
Windows MSHTML Platform
Windows Netlogon
Windows Network Address Translation (NAT)
Windows NT OS Kernel
Windows NTFS
Windows Online Certificate Status Protocol (OCSP)
Windows Print Spooler Components
Windows Remote Desktop
Windows Remote Desktop Licensing Service
Windows Remote Desktop Services
Windows Resilient File System (ReFS)
Windows Routing and Remote Access Service (RRAS)
Windows Scripting
Windows Secure Channel
Windows Secure Kernel Mode
Windows Shell
Windows Standards-Based Storage Management Service
Windows Storage
Windows Storage Port Driver
Windows Telephony Server
Winlogon
RISK:
Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.
A full list of all vulnerabilities can be found in the Microsoft link in the References section.
Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS: We recommend the following actions be taken:
Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
Chrome prior to 129.0.6668.100/.101 for Windows and Mac
Chrome prior to 129.0.6668.100 for Linux
RISK:
Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:
Type Confusion in V8 (CVE-2024-9602, CVE-2024-9603)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS: We recommend the following actions be taken:
Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
Android OS patch levels prior to 2024-10-05
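The SYSTEMS AFFECTED lines of this advisory and of the Chrome advisory above both state a threshold (a first fixed Chrome build, a first unaffected Android patch level), and the common mistake when turning such thresholds into an inventory check is to compare version strings lexicographically. As an added example (not code from Google or from the advisories), the following Python parses both forms and flags the hosts that still need the update. The inventory rows, hostnames and the 130.x/128.x Chrome builds are constructed for illustration.

```python
from datetime import date
from typing import List, NamedTuple, Tuple

# Thresholds from the two advisories: the first fixed Chrome build
# (129.0.6668.100 on every platform; .101 is a second fixed Windows/Mac build)
# and the first Android security patch level that is not affected.
CHROME_MIN_FIXED: Tuple[int, ...] = (129, 0, 6668, 100)
ANDROID_MIN_FIXED = date(2024, 10, 5)


class Asset(NamedTuple):
    host: str
    product: str   # "chrome" or "android"
    version: str   # Chrome build string, or Android patch level as YYYY-MM-DD


# Constructed inventory rows (hypothetical hosts; the 130.x build number is
# illustrative, not a specific release).
INVENTORY = [
    Asset("ws-01", "chrome", "129.0.6668.100"),
    Asset("ws-02", "chrome", "129.0.6668.99"),
    Asset("ws-03", "chrome", "130.0.6723.58"),
    Asset("ws-04", "chrome", "not-installed"),
    Asset("phone-01", "android", "2024-10-05"),
    Asset("phone-02", "android", "2024-09-05"),
    Asset("phone-03", "android", "2024-10-01"),
]


def parse_chrome_version(text: str) -> Tuple[int, ...]:
    """Turn '129.0.6668.99' into (129, 0, 6668, 99) so comparison is numeric.
    Comparing the raw strings is wrong: '129.0.6668.99' > '129.0.6668.100'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the asset is below the advisory's fixed threshold.
    Raises ValueError for an unknown product or an unparseable version."""
    if product == "chrome":
        return parse_chrome_version(version) < CHROME_MIN_FIXED
    if product == "android":
        return date.fromisoformat(version.strip()) < ANDROID_MIN_FIXED
    raise ValueError(f"unknown product: {product!r}")


def find_unpatched(inventory: List[Asset]) -> Tuple[List[str], List[str]]:
    """Return (hosts needing the update, hosts whose version could not be parsed).
    Unparseable entries are reported rather than silently treated as patched."""
    unpatched: List[str] = []
    unknown: List[str] = []
    for asset in inventory:
        try:
            if is_vulnerable(asset.product, asset.version):
                unpatched.append(asset.host)
        except ValueError:
            unknown.append(asset.host)
    return unpatched, unknown


if __name__ == "__main__":
    needs_update, could_not_parse = find_unpatched(INVENTORY)
    print("needs update   :", needs_update)
    print("could not parse:", could_not_parse)
```

Note that ws-02 at 129.0.6668.99 would pass a string comparison against 129.0.6668.100 and is only caught because the components are compared as integers, and that an entry the parser cannot read is surfaced separately instead of disappearing from the report.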
RISK:
Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution in the context of the logged-on user. Details of the most severe of these vulnerabilities are as follows:
Multiple vulnerabilities in Qualcomm components. (CVE-2024-33049, CVE-2024-33069, CVE-2024-38399)
A vulnerability in Qualcomm closed-source components. (CVE-2024-23369)
Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.
RECOMMENDATIONS: We recommend the following actions be taken:
Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. (M1017: User Training)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
Safeguard 13.10 : Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
In this digital age, the accurate identification of individuals is paramount to ensuring security, privacy, and trust in online interactions. Whether it’s for accessing medical records, applying for benefits, or engaging in other high-stakes transactions, the need to confirm the identity and attributes of individuals is crucial. The draft NIST report Attribute Validation Services for Identity Management delves into the architecture, security, privacy, and operational considerations surrounding Attribute Validation Services (AVS), offering considerations for government agencies seeking to implement these critical services.
At its core, an attribute is a “quality or characteristic ascribed to someone or something,” such as a person’s date of birth, residential address, or Social Security Number. Attributes are essential in confirming an individual’s identity or their eligibility to access certain services or information. An AVS validates these attributes against reliable data sources to confirm their accuracy; this validation process plays a pivotal role in secure identity proofing, access control, and fraud prevention.
The draft NIST report Attribute Validation Services for Identity Management positions AVS as a cornerstone of secure, privacy-preserving digital identity management. Whether through traditional query-based models or emerging technology such as cryptographically verifiable attributes, AVSs can offer a reliable way to validate user attributes, reduce fraud, and improve access control. For government agencies, the report provides a foundation for building AVS solutions that enhance security while ensuring equity and privacy.
The public comment period is open through 11:59 pm Eastern Time on Friday, November 8, 2024. Comments may be submitted to digital_identity@nist.gov.