Two Days Left to Register for the NIST Personal Identity Verification Webinar!

Two Days Left to Register for our NIST Webinar! Learn about Revisions to Two of our Identity Special Publications

Event Date: November 8, 2023

Time: 1:00 PM-2:30 PM ET

Description:

The National Institute of Standards and Technology (NIST) will be hosting a webinar to introduce two recently published Public Draft Special Publications (SPs): the 3-part Drafts of SP 800-73 Revision 5, Interfaces for Personal Identity Verification (PIV), and Draft SP 800-78 Revision 5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. These publications are complements to FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors.

The webinar will discuss the necessary changes made to the PIV card, its credentials, and its cryptographic capabilities to align with FIPS 201-3.

Full Agenda:

1:00 PM-1:05 PM – Introduction and Welcome

1:05 PM-1:15 PM – Introduction to the PIV Standard

1:15 PM-1:45 PM – Changes to Draft SP 800-73 Revision 5

1:45 PM-2:15 PM – Changes to Draft SP 800-78 Revision 5

2:15 PM-2:30 PM – Key Dates/Next Steps/Closing

Visit the event page to register and learn more about the webinar. If you have any questions, please reach out to our team at piv_comments@nist.gov.


Guidance on Issuing VEX Information

The Cybersecurity and Infrastructure Security Agency (CISA) has published When to Issue Vulnerability Exploitability eXchange (VEX) Information, a guide to help strengthen software security and supply chain risk management. This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information.
Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.
VEX allows a software supplier or other parties to assert the exploitability status of specific vulnerabilities in a particular product or set of products. Issuing VEX information allows developers, suppliers and others to provide information in a human-readable and machine-comprehensible format, regardless of whether software is affected by a specific vulnerability.
Widespread adoption of VEX is one of three critical steps CISA outlined for transforming and advancing the vulnerability management ecosystem. Also, VEX helps support secure-by-design practices and rewards organizations with proactive product security teams by streamlining responses to newly-discovered risks.
For more information on this and other VEX resources, visit Software Bill of Materials (SBOM).

Announcing Microsoft Applied Skills

Announcing Microsoft Applied Skills, a new verifiable credential that validates that you have the targeted skills needed to implement critical projects aligned to business goals and objectives. It offers you a new way to showcase your expertise in specific, real-world scenarios and verify technical skills that you—and your organization—need in real-time. We are thrilled to share this exciting news about Applied Skills credentials, and we look forward to sharing more news soon. Read the blog.

Mass Exploitation of Citrix NetScaler Vulnerability

A critical information disclosure vulnerability, known as “Citrix Bleed” and affecting Citrix NetScaler ADC/Gateway devices, is being actively exploited by threat actors. The vulnerability, tracked as CVE-2023-4966, is remotely exploitable and can allow threat actors to obtain valid session tokens from the memory of internet-facing NetScaler devices. The compromised tokens can be used to hijack active sessions, bypassing authentication, even multi-factor authentication (MFA), to gain unauthorized access.
Citrix initially addressed the vulnerability in a security advisory on October 10, and on October 17, researchers determined that threat actors had exploited the vulnerability since at least August 2023. A Python script to automate the attack chain has been distributed by a ransomware threat group, and attacks have become more widespread over the past several days.
Organizations are strongly advised to update impacted devices and to ensure that accounts and devices have not been compromised.
Initial indicators of compromise may include the downloading of executable files from a command-and-control server, running commands consistent with elevating privileges and network enumeration, and preparing files for exfiltration.
Organizations whose Citrix devices were compromised are advised to remove impacted devices from the network, terminate all active sessions, and remove any backdoors or web shells to ensure all threat actor access to the device has been disabled; simply updating the system is insufficient. Mandiant provides guidance on addressing Citrix NetScaler ADC and NetScaler Gateway vulnerabilities.
Affected Citrix devices include:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300
Greynoise maintains a running list of malicious IP addresses involved in the recent exploitation of Citrix NetScaler devices, which could be useful for network defenders and forensic analysts.
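To turn the affected-version list above into a repeatable check across a device inventory, here is an added example (not from the advisory or from Citrix) that compares NetScaler version strings, written in the advisory's own notation, against the first fixed build of each release train. Any train or variant not in the list is reported as "not covered" rather than as safe; hostnames and versions in the sample inventory are constructed.

```python
"""Check NetScaler ADC/Gateway version strings against the CVE-2023-4966 fixed builds.
Added example: only the version ranges quoted in the advisory above are encoded."""
import re
from typing import Optional

# (release train, variant) -> first fixed build, transcribed from the list above.
# A build earlier than the fixed build, on the same train, is affected.
FIXED_BUILDS = {
    ("14.1", ""): "8.50",
    ("13.1", ""): "49.15",
    ("13.0", ""): "92.19",
    ("13.1", "FIPS"): "37.164",
    ("12.1", "FIPS"): "55.300",
    ("12.1", "NDcPP"): "55.300",
}

# Accepts the advisory's own notation: "13.1-49.13" or "12.1-FIPS-55.297".
VERSION_RE = re.compile(
    r"^(?P<train>\d+\.\d+)(?:-(?P<variant>FIPS|NDcPP))?-(?P<build>\d+\.\d+)$"
)


def build_key(build: str) -> tuple:
    """'49.15' -> (49, 15): compare build components numerically, not as text,
    so that 49.9 sorts before 49.15."""
    return tuple(int(part) for part in build.split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at or after the fixed build, None if the
    train/variant is not in the advisory's list (needs a separate check)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    fixed = FIXED_BUILDS.get((m["train"], m["variant"] or ""))
    if fixed is None:
        return None
    return build_key(m["build"]) < build_key(fixed)


def triage(inventory: dict) -> dict:
    """Sort a {hostname: version} inventory into affected / fixed / not_covered."""
    result = {"affected": [], "fixed": [], "not_covered": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        bucket = "not_covered" if status is None else ("affected" if status else "fixed")
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "gw-01": "13.1-49.13",
    "gw-02": "13.1-49.15",
    "gw-fips-01": "12.1-FIPS-55.297",
    "adc-legacy": "12.1-55.300",
}
```

A device that reports as fixed still needs the session-termination and backdoor-removal steps described above if it was exposed before patching.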

Department of Commerce to Undertake Key Responsibilities in Historic Artificial Intelligence Executive Order

Today, President Joseph R. Biden signed an Executive Order (EO) to build U.S. capacity to evaluate and mitigate the risks of Artificial Intelligence (AI) systems to ensure safety, security, and trust, while promoting an innovative, competitive AI ecosystem that supports workers and protects consumers. The U.S. Department of Commerce will play a key role in implementing the EO, combining sophisticated standards and evaluation capabilities with a robust combination of reporting requirements and voluntary measures. Specifically, the National Institute of Standards and Technology (NIST), the Bureau of Industry and Security (BIS), the National Telecommunications and Information Administration (NTIA), and the U.S. Patent and Trademark Office (USPTO) will be responsible for carrying out a significant portion of the EO’s objectives.

Learn more about NIST’s responsibilities.

NCCoE Releases Drafts for NIST SP 1800-36, Trusted IoT Onboarding (Vols. B, C, and E)

The NIST National Cybersecurity Center of Excellence (NCCoE) has released the second preliminary drafts of volumes B, C, and E for NIST Special Publication (SP) 1800-36, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The public comment period for the drafts is open through December 15, 2023.

About the Project

Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, could improve the security of networks and IoT devices.

This practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. The updated drafts of volumes B, C, and E describe advancements to the IoT onboarding functional implementations. To achieve this, NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and of capabilities that improve device and network security throughout the IoT-device lifecycle.

Submit Your Comments

The public comment period for draft vols. B, C, and E is open until 11:59 p.m. EST on Friday, December 15, 2023. The second preliminary drafts of vols. A and D released last month are also available for comment until 11:59 p.m. EST on Friday, November 10, 2023.

Visit the NCCoE IoT Onboarding project page for the draft publications and comment form.

Microsoft Azure Virtual Training Day: Digitally Transform with Modern Analytics

Create more business impact using proactive and predictive analytics at Azure Virtual Training Day: Digitally Transform with Modern Analytics from Microsoft Learn. Join us for this free training event to learn how to build an analytics solution using Azure Synapse Analytics. Maximize your organization’s intelligent decision-making capabilities and learn to build an end-to-end solution by preparing data for storage, processing, and analysis. You will have the opportunity to:

  • Create a data warehouse in the cloud.
  • Accelerate your big data engineering with Spark in Azure Synapse Analytics.
  • Build automated data integration with Azure Synapse Pipelines.
  • Learn to perform operation analytics with Azure Synapse Link.

Join us at an upcoming two-part event:
November 27, 2023 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
November 28, 2023 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Okta Breach

Last week, Okta, an identity and access management (IAM) service provider, identified adversarial activity that leveraged a stolen credential to access its support case management system. The threat actor was able to view sensitive HTTP Archive (HAR) files uploaded by a limited number of Okta customers as part of recent support cases. HAR files store the information exchanged between a web client and a web server and can therefore contain sensitive data such as authentication tokens, API keys, and session cookies. Okta’s support team typically asks customers to share these files when submitting a support ticket so that the Okta technician can replicate and troubleshoot the browser activity. Okta stated that all impacted customers were notified, including BeyondTrust, Cloudflare, and 1Password. These organizations successfully terminated or blocked the malicious activity using a defense-in-depth approach.
Multi-factor authentication (MFA) continues to be targeted by threat actors. Last month, Okta revealed social engineering campaigns targeting US-based Okta customer organizations’ IT service desk personnel in attempts to reset MFA for high-privilege users. The threat actor leveraged compromised Okta Super Admin accounts to abuse legitimate identity features and impersonate users within the compromised organization. Impacted organizations include MGM and Caesar’s Palace, ultimately affecting millions of patrons worldwide due to subsequent ransomware attacks.
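Because HAR files capture every header, cookie and body that crossed the browser, the defensive step this incident points to is stripping credentials out before a capture leaves the organization. The following added example (not Okta tooling) redacts authorization and cookie headers, parsed cookies, token-bearing query and form parameters, the request URL itself, and JSON response bodies that echo tokens; the sensitive header and parameter names are assumptions to extend for your own applications, and the sample capture is constructed.

```python
"""Redact credentials from a HAR 1.2 file before attaching it to a support case.
Added example; the sensitive header/parameter names are assumptions."""
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names (matched case-insensitively) that carry bearer credentials or sessions.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query-string / form parameter names that commonly carry tokens.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code", "api_key"}


def _scrub_pairs(pairs, names=None):
    """Redact the value of each {name, value} record; all of them when names is None."""
    for rec in pairs or []:
        if names is None or rec.get("name", "").lower() in names:
            rec["value"] = REDACTED


def _scrub_url(url: str) -> str:
    """Redact sensitive query parameters inside the request URL itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of the HAR with credentials removed from every entry."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            _scrub_pairs(msg.get("cookies"))  # HAR stores parsed cookies separately
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        _scrub_pairs(req.get("postData", {}).get("params"), SENSITIVE_PARAMS)
        # Token endpoints echo credentials in the body: drop JSON bodies that mention them.
        content = resp.get("content", {})
        text = content.get("text", "")
        if "json" in content.get("mimeType", "") and any(p in text for p in SENSITIVE_PARAMS):
            content["text"] = REDACTED
    return out


# Constructed sample capture (one exchange); all values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://idp.example.test/api/me?access_token=abc123&v=2",
        "headers": [{"name": "Authorization", "value": "Bearer tok-abc123"}],
        "cookies": [{"name": "sid", "value": "s3ss10n"}],
        "queryString": [{"name": "access_token", "value": "abc123"}, {"name": "v", "value": "2"}],
    },
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=n3wsid; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "n3wsid"}],
        "content": {"mimeType": "application/json", "text": '{"access_token": "abc123"}'},
    },
}]}}
```

Run `sanitize_har(json.load(f))` over the exported file and send only the result; redaction is in the value field, so support staff still see which headers and cookies were present.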

Logging Made Easy

The Cybersecurity and Infrastructure Security Agency (CISA) announced Logging Made Easy, a new Windows-based, free and publicly available log management solution designed to help organizations, especially target rich/cyber poor organizations, more effectively use available security data to detect and address cyber threats.

Logs give an administrator insight into their system and network performance. More specifically, logs pinpoint exactly who is connected to a device and how they are using it. System records, coupled with the practice of protective monitoring (the act of reviewing logs, either manually or through automation), play an integral part in mitigating risk and identifying vulnerabilities as part of a proactive cybersecurity posture.

Logging Made Easy can help target rich/cyber poor organizations leverage key data to detect and mitigate intrusions more effectively. No sign-up or lengthy onboarding is required. It is right for your organization if:

  • You are a small organization with limited resources and need a centralized logging capability.
  • You do not have a Security Operations Center, Security Information and Event Management solution, or any active monitoring functions currently in place.
  • You have small, isolated networks where your existing corporate monitoring practices cannot reach.
  • You recognize the value of gathering logs and monitoring your enterprise’s information technology but lack a service that allows you to do so.

Those with further questions may contact the CISA Cybersecurity Shared Services Office at cybersharedservices@cisa.dhs.gov.

Securing API Keys, Access Tokens, and Secrets

In an increasingly digital society, enterprise systems and software services offer various solutions that address the needs of government entities, organizations, and small businesses. The inner workings of these systems and services rely on vital components such as API keys, access tokens, and secrets to deliver business functionality to their clients. An API (Application Programming Interface) allows software components to connect and communicate with one another. An API key is a unique series of characters that grants verified access to an API; keys are obtained with the permission of the API owner. Access tokens are similar to API keys; however, they carry a limited scope of what can be accessed and have a temporary lifespan. Secrets are sensitive credentials or privileged information that are contained or used within an application. These components are often connected to systems or services that store sensitive or business-critical data, and the increased reliance on them incentivizes cybercriminals to target them. We explore Microsoft’s investigative report of the Storm-0558 key acquisition, lessons learned, other incidents, and recommendations to secure API keys, access tokens, and secrets.

On July 11, 2023, Microsoft published an initial post about a cyberattack in which the advanced persistent threat (APT) actor tracked as Storm-0558 accessed and exfiltrated unclassified email data from various government agencies. The threat actor gained access to enterprise email accounts on Outlook Web Access in Exchange Online (OWA) and Outlook.com by discovering a leaked Microsoft Account (MSA) Consumer key, which enabled the threat actor to forge access tokens for the enterprise email accounts. MSA Consumer Keys allow a user to cryptographically sign into a Microsoft consumer service, while an access token is a string that enables clients to call protected web APIs securely.

Microsoft’s Investigative Report of Storm-0558 Key Acquisition

On September 6, 2023, Microsoft published the results of their investigation into how Storm-0558 acquired the MSA Consumer Key used to forge access tokens to OWA and Outlook.com. A consumer signing system crash in April 2021 led to a snapshot of the crashed process being stored in a “crash dump.” Crash dumps are created when an application hits an exception/error while running its code. They contain vital diagnostic data that helps a software development team understand what caused the error. As per standard Microsoft debugging procedure, the crash dump should have been cleaned of any sensitive data, such as signing keys or access tokens, before being moved into a debugging environment. However, Microsoft’s credential scan failed to detect the sensitive information in the crash dump. The APT actor retrieved the key after compromising a Microsoft engineer’s corporate account, which gave them access to the debugging environment that held the crash dump containing the consumer key. However, to access enterprise applications, an enterprise key is needed. In September 2018, Microsoft introduced a common key metadata publishing endpoint that allows customers to access various accounts with a single click. To accommodate this change, Microsoft updated its documentation and libraries to automatically check the scope of the keys. The scope of a key determines whether it is authorized for a consumer or an enterprise account. However, the libraries that perform this scope validation failed to verify the key type. Therefore, the mail system accepted a consumer key for enterprise email, and that key was then used to forge access tokens to OWA and Outlook.com.
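The failure described above is a missing scope check rather than a broken signature: a token signed by a consumer-realm key verified correctly against the shared key set, and the enterprise service never asked whether that key was allowed to sign for the issuer the token claimed. The added example below (not Microsoft code) models that check in a toy validator, with a `check_key_scope` switch that reproduces the reported bug when turned off; HMAC-SHA256 stands in for the real asymmetric signing keys, and the key IDs, issuer URLs and secrets are constructed.

```python
"""Toy token validator for the check missing in the Storm-0558 incident: a valid
signature from a key in the shared key set is not enough; the signing key must also
be scoped to the realm (consumer vs enterprise) the token's issuer belongs to.
Added example; HMAC-SHA256 stands in for asymmetric keys and all values are constructed."""
import base64
import hashlib
import hmac
import json

# Key metadata as published by one common endpoint for both realms. "realms" is the
# scope every relying party must enforce, in addition to checking the signature.
KEY_SET = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "realms": {"consumer"}},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "realms": {"enterprise"}},
}
ISSUER_REALM = {  # which issuer belongs to which realm (constructed issuer URLs)
    "https://login.consumer.example": "consumer",
    "https://login.enterprise.example": "enterprise",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint header.payload.signature (JWT-style layout) under the key named by kid."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY_SET[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def validate(token: str, service_realm: str, check_key_scope: bool = True) -> dict:
    """Return the claims if a service in service_realm may accept the token, else raise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header, claims = json.loads(_unb64(header_b64)), json.loads(_unb64(payload_b64))
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    if ISSUER_REALM.get(claims.get("iss")) != service_realm:
        raise ValueError("issuer not trusted by this service")
    # The scope check: a valid signature from a consumer-scoped key must not be
    # honoured for an enterprise issuer. Skipping it reproduces the reported bug.
    if check_key_scope and service_realm not in key["realms"]:
        raise ValueError("signing key not authorised for this realm")
    return claims


def is_accepted(token: str, service_realm: str, check_key_scope: bool = True) -> bool:
    """True if validate() accepts the token, False on any validation failure."""
    try:
        validate(token, service_realm, check_key_scope)
        return True
    except ValueError:
        return False
```

Signing a token with `"consumer-key-1"` but an enterprise `iss` claim is accepted by `validate(..., "enterprise", check_key_scope=False)` and rejected once the scope check is on.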

Lessons Learned

The Storm-0558 key acquisition highlights that the Azure AD Software Development Kit (SDK) should have included better documentation for validating an access/authentication token’s issuer ID, which would have enabled developers both within Microsoft and outside the organization to implement token validation correctly. Also, any debugging logs and crash dumps that store secrets should be disposed of routinely or when no longer needed. Additionally, mechanisms that scan components for secrets should be regularly tested and monitored to ensure their efficacy. Furthermore, keys and tokens should be rotated or set to expire regularly to limit the impact of a breach of API keys or access tokens.

Other Incidents

Earlier this year, on February 7, 2023, the Cybernews research team discovered publicly accessible environment files hosted on Lowe’s Market website that leaked access tokens to AWS S3 buckets containing website-related assets and API keys to third-party services. These API keys provide access to various website and partner software functionality and may have allowed threat actors to steal user information, access partial credit card information, change product pricing, use the company’s official communication channels, and send emails to Lowe’s Market users.

On August 30, 2023, Sourcegraph, an AI-assisted coding platform, confirmed a security breach that exposed limited data, such as the license key holder’s name and email address for paid customers and account email addresses for community users. Malicious actors gained access to Sourcegraph’s data through a leaked administrative access token that a Sourcegraph engineer had accidentally pushed to their code repository. Using the administrative access token, the threat actor created a new account with elevated privileges that was later used to navigate the admin dashboard containing user information.

More recently, on September 23, OpenSea, a Non-Fungible Token (NFT) marketplace, notified their customers of a breach at a third-party vendor. The breach exposed the API keys of OpenSea’s customers. OpenSea attempted to mitigate the risks of the API key leak by informing users that their current keys would expire on October 2, 2023 and that clients should replace the expired keys. Although OpenSea has placed rate limits on API usage per key, this incident highlights the cyber risks of trusted third-party vendors and the impact of their breaches on organizations.

Recommendations

Although every business has its own unique business-critical infrastructure or software, a few basic principles apply to all business-critical infrastructure and system software:

  • Any secrets, such as passwords, API keys, access tokens, or personally identifiable information (PII), should not be stored in plaintext within logging environments. Encrypt secrets or tokens.
  • Implement an expiration or rotation schedule for API keys or access tokens.
  • Identify failure points in generating, verifying, and accepting access tokens or API keys and automate the process of updating these points whenever a change has been made.
  • Implement the Principle of Least Privilege for API keys or access tokens.
  • Set up logging capabilities to track the usage of secrets within your systems or software services.