Mobile Device Risks

According to the Verizon 2023 Mobile Security Index white paper, the number of diverse endpoints is increasing, especially those that are mobile or using mobile connectivity. Mobile devices offer users convenience, connection, control, and content, both personally and professionally. However, they transmit and store data and could be exploited by threat actors to compromise networks, devices, or accounts. Unpatched vulnerabilities in mobile devices increase the risk of compromised devices and cyberattacks. Additionally, mobile devices routinely connected to a home network can have further implications when subsequently connected to corporate networks and may introduce additional vulnerabilities and risks. Therefore, it is vital for users to employ cybersecurity best practices and ensure mobile devices currently in use are properly protected and secured.
The Open Web Application Security Project (OWASP) raises software security awareness and provides quality information regarding risks and vulnerabilities. OWASP posted an initial release of the top 10 mobile risks of 2023, including inadequate supply chain security, insecure authentication/authorization, insecure communication, inadequate privacy controls, and security misconfiguration. These risks are evident in the recent vulnerabilities highlighted below.
Security researchers discovered a credential-stealing vulnerability, dubbed AutoSpill, in the autofill functionality of Android mobile password manager apps. This vulnerability is a concern when Android loads a login page via WebView and a password manager is used. Affected password managers include 1Password, LastPass, Enpass, Keeper, and Keepass2Android. Dashlane and Google Smart Lock are also affected if the credentials are shared via a JavaScript injection method. This vulnerability does not require phishing or malicious in-app code.
Additionally, vulnerabilities in Qualcomm and MediaTek 5G modems, collectively dubbed 5Ghoul, impact many 5G Android and Apple smartphone models, routers, and USB modems. Threat actors do not need the target’s SIM card, as the attack can occur before the NAS authentication step. Therefore, they can impersonate a legitimate 5G base station using known cell tower connection parameters and cause temporary service disruptions and network downgrades to the 4G domain, potentially introducing more vulnerabilities. These vulnerabilities highlight the implications for mission-critical environments dependent on cellular service.
Furthermore, a Bluetooth authentication bypass vulnerability, CVE-2023-45866, was discovered in the Bluetooth protocol. Threat actors trick Bluetooth devices into pairing with a fake keyboard to connect to Android, Apple, and Linux devices without user confirmation. They can then inject keystrokes to install apps, run malicious code, and more.
Zero-day exploits pose a significant security risk as threat actors take advantage of vulnerabilities in software or apps that may be unknown to the vendor. Threat actors exploit these vulnerabilities before the vendor can release security patches or updates. Zero-day exploits may bypass device security measures, potentially resulting in data theft and exfiltration or the installation of malware.
Threat actors may also employ zero-click attacks, which do not require user interaction, such as opening malicious attachments or links. Instead, zero-click attacks rely on unpatched vulnerabilities in messaging, SMS text messaging, or email apps. These apps allow threat actors to hide manipulated data in text or images to exploit vulnerabilities and execute malicious code without user knowledge.
A critical concern of unpatched vulnerabilities is data leakage, which refers to the unauthorized transmission of sensitive data from an organization to an external recipient. It is typically due to unencrypted connections, weak mobile security settings, or apps with excessive permissions that access and share user data without consent. Data leakage exposes personal or corporate data, which leads to privacy breaches and regulatory implications.

Microsoft Security Virtual Training Day: Security, Compliance, and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:

  • Learn the fundamentals of security, compliance, and identity.
  • Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
  • Gain the skills and knowledge to jumpstart your preparation for the certification exam.

Join us at an upcoming two-part event:
January 8, 2024 | 12:00 PM – 3:45 PM | (GMT-05:00) Eastern Time (US & Canada)
January 9, 2024 | 12:00 PM – 2:15 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to:

  • Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
  • Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
  • Understand ways to help protect people and data against cyberthreats with Microsoft technologies.

Join us at an upcoming two-part event:
January 16, 2024 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
January 17, 2024 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Critical Updates to NIST’s CUI Publications

Critical Updates to NIST’s CUI Publications: What You Need to Know

On January 10, 2024, from 1 p.m. to 2 p.m. EST, NIST will host a webinar to provide an overview of the significant changes in draft Special Publication (SP) 800-171r3 (Revision 3) and SP 800-171Ar3. This is the first time that NIST has concurrently released both the draft controlled unclassified information (CUI) security requirements and the draft CUI assessment procedures for public comment. 

During this webinar, the authors will:

  • Provide an overview of the significant changes in the final public draft of SP 800-171r3 and the initial public draft of SP 800-171Ar3
  • Describe the design principles and rationale behind the changes
  • Identify areas where NIST seeks additional and specific input
  • Share information about how to engage, provide feedback, and next steps
  • Take live audience Q&A

Capacity is limited so reserve your seat today!

Additionally, NIST is announcing an extension of the public comment period on both publications to January 26, 2024. See the SP 800-171 publication details and SP 800-171A publication details for a copy of each draft, additional resources, and instructions for submitting comments.

Please direct questions and comments to 800-171comments@list.nist.gov

Recording Note: The event will be recorded, and audience Q&A or comments may be captured. The recorded event may be edited and rebroadcast or otherwise made publicly available by NIST. Slides will also be made available following the event.

NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: 800-171comments@list.nist.gov
CSRC Website questions: csrc-inquiry@nist.gov

One Week Left to Submit Comments on Draft Insider Threat Analysis Work Role

NICE has proposed a new Work Role for addition to the NICE Workforce Framework for Cybersecurity (NICE Framework) and the comment deadline is quickly approaching! Please share your thoughts by email to NICEFramework@nist.gov by December 22, 2023.

Proposed Insider Threat Analysis Work Role:
As insider threats and their tactics have evolved to encompass network and digital assets, analysts with cybersecurity skills are required to examine and respond to those threats as part of an enterprise cybersecurity risk program. Codifying the Insider Threat Analysis Work Role in the NICE Framework supports learning and career pathways that help ensure that organizations are well equipped to address insider threats and manage cybersecurity risks. This proposed role includes a name, description, and Task, Knowledge, and Skill (TKS) statements. It also identifies the Work Role category this role would fall under. Review the proposed Work Role, Insider Threat Analysis (clicking the link downloads an XLSX file).

DON’T FORGET! REFACTORED TASK STATEMENTS ARE ALSO AVAILABLE FOR COMMENT
Proposed updates to the NICE Framework Task statements have also been announced. These updates include improvements that address consistency, clarity, and redundancy in alignment with the Task, Knowledge, Skill (TKS) Statements Authoring Guide for Workforce Frameworks. Comments on the proposed updates to Task statements are due by January 29, 2024. Read the Task Statement Summary of Updates and review the refactored Task statements (clicking the link downloads an XLSX file).

WE WANT TO HEAR FROM YOU!
All comments should be submitted by email to NICEFramework@nist.gov. Take Action:

  • Submit comments to NICEFramework@nist.gov
  • Join the NICE Framework Users Group to join community discussions
  • Visit the NICE Framework Resource Center for additional information

CISA and International Partners Release Advisory on Russia-based Threat Actor Group, Star Blizzard

12/07/2023 12:00 PM EST

Today, the Cybersecurity and Infrastructure Security Agency (CISA)—in coordination with the United Kingdom’s National Cyber Security Centre (UK-NCSC), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cyber Command Cyber National Mission Force (CNMF)—released a joint Cybersecurity Advisory (CSA) Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. The joint CSA aims to raise awareness of the specific tactics, techniques, and delivery methods used by this Russia-based threat actor group to target individuals and organizations. Known Star Blizzard techniques include:

  • Impersonating known contacts’ email accounts,
  • Creating fake social media profiles,
  • Using webmail addresses from providers such as Outlook, Gmail and others, and
  • Creating malicious domains that resemble legitimate organizations.

CISA encourages network defenders and critical infrastructure organizations to review the CSA to improve their cybersecurity posture and protect against similar exploitation based on threat actor activity. CISA also urges software manufacturers to incorporate secure-by-design and -default principles into their software development practices, limiting the impact of threat actor activity. For more guidance to protect against the most common and impactful threats, visit CISA’s Cross-Sector Cybersecurity Performance Goals. For more information on secure by design, see CISA’s Secure by Design webpage.

NIST NCCoE Data Security Draft Practice Guide (Vol A-C)

In our increasingly digital world, data has become one of the most valuable assets for individuals and organizations alike. At the same time, data breaches have become all too common, with consequences that can be devastating. With this growing reliance on data comes the pressing need for cybersecurity and privacy controls to achieve confidentiality.

In response, the NIST National Cybersecurity Center of Excellence (NCCoE) has worked closely with the industry and tech community to develop two draft NIST Special Publications (SP):

These guides provide recommendations on how to prevent and recover from data breaches, including cybersecurity and privacy considerations to prepare for data breaches and specific technical direction for implementation.

We Want to Hear from You!

The NCCoE is making volumes A-C available as drafts for public comment. Review the drafts and submit comments online by January 15, 2024.

  • NIST SP 1800-28, Data Confidentiality: Identifying and Protecting Assets Against Data Breaches (Vol A-C)
  • NIST SP 1800-29, Data Confidentiality: Detect, Respond to, and Recover from Data Breaches (Vol A-C)

We welcome your input and look forward to your comments. We invite you to connect with us at ds-nccoe@nist.gov or join our Community of Interest to receive news and updates about this project.  

Vulnerability in Apache Struts 2

A vulnerability has been discovered in Apache Struts 2, which could allow for remote code execution. Apache Struts 2 is an open-source web application framework for developing Java EE web applications. Successful exploitation could allow for remote code execution in the context of the underlying operating system. Depending on the privileges associated with the logged-on user, an attacker could then install programs or view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence
There are currently no reports of this vulnerability being exploited in the wild.

Systems Affected
  • Struts 2.0.0 – Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32
  • Struts 6.0.0 – Struts 6.3.0

Risk
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Businesses:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low

Technical Summary
A vulnerability has been discovered in Apache Struts 2, which could allow for remote code execution.

Recommendations
  • Apply appropriate updates provided by Apache to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities and remediate them.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information.
  • Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
  • Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
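As an added inventory check (not part of the advisory, and not Apache's code), the Python below triages a constructed list of struts2-core jar paths against the three affected version ranges listed above; the sample paths and the "not in listed range" label are assumptions, and a version outside the ranges is not declared patched.

```python
import re

# Inclusive affected ranges exactly as listed in the advisory above.
# Anything outside them is reported as "not in listed range", not as patched;
# confirm the fixed release against Apache's S2-066 page before closing a finding.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 37)),   # 2.3.x is end-of-life
    ((2, 5, 0), (2, 5, 32)),
    ((6, 0, 0), (6, 3, 0)),
]
# Matches jar names such as struts2-core-2.5.30.jar or struts2-core-6.3.0.2.jar
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """Turn '2.5.32' or '6.3.0.2' into an integer tuple for comparison."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(v, n):
    # Right-pad with zeros so 6.3.0 and 6.3.0.2 compare component-wise.
    return v + (0,) * (n - len(v))

def is_affected(version):
    """True if the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        if _pad(lo, n) <= _pad(v, n) <= _pad(hi, n):
            return True
    return False

def triage_jar_paths(paths):
    """Return (path, version, affected) for every struts2-core jar in paths."""
    findings = []
    for path in paths:
        m = STRUTS_JAR.search(path)
        if m:
            findings.append((path, m.group(1), is_affected(m.group(1))))
    return findings

# Constructed sample inventory (assumed), e.g. output of find -name 'struts2-core-*.jar'
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/app1/WEB-INF/lib/struts2-core-2.5.30.jar",
    "/opt/tomcat/webapps/app2/WEB-INF/lib/struts2-core-6.3.0.2.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.37.jar",
    "/opt/tomcat/webapps/app2/WEB-INF/lib/commons-io-2.11.0.jar",
]

if __name__ == "__main__":
    for path, version, affected in triage_jar_paths(SAMPLE_PATHS):
        print(f"{'AFFECTED' if affected else 'not in listed range':20} {version:10} {path}")
```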
References
Apache: 
https://cwiki.apache.org/confluence/display/WW/S2-066
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164

Russian Foreign Intelligence Service Exploiting JetBrains TeamCity CVE Globally

The US Federal Bureau of Investigation (FBI), US Cybersecurity and Infrastructure Security Agency (CISA), US National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. However, the SVR has been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious activity. The authoring agencies recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this Joint Cybersecurity Advisory. If potential compromise is detected, administrators should apply the incident response recommendations included in this advisory and report key findings to the FBI and CISA.

How generative AI is leveling up cybersecurity

What’s next with generative AI in cybersecurity

Learn how AI can help protect your organization in this discussion with Microsoft Security leaders. In the security keynote from Microsoft Ignite, The Future of Security with AI, you’ll:

  • Get a view into how cybersecurity will continue to evolve as AI advances.
  • Explore how Microsoft Security Copilot capabilities enhance secure productivity.
  • Gain deeper insights into the latest Microsoft Security product innovations announced at Microsoft Ignite.