blogmirnet – Page 6 – My information Resource (blog.mir.net)

Free Training: Defend Against Threats with Extended Detection and Response training day

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Defend Against Threats with Extended Detection and Response to learn how to better protect apps and data in Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. You’ll get an in-depth view into attack disruption, incidents and alerts, and best practices for investigation and incident management. You will have the opportunity to: Learn how to investigate, respond to, and hunt for threats using Microsoft Defender and Microsoft Sentinel. Understand how integrating Microsoft 365 Defender and Microsoft Sentinel enhances security and response time. Discover how to help mitigate threats across your entire infrastructure with Microsoft Security tools and solutions. Join us at an upcoming Defend Against Threats with Extended Detection and Response event:
October 29, 2024
11:00 AM – 2:15 PM | (GMT-05:00) Central Time US & Canada
12:00 PM – 3:15 PM | (GMT-04:00) Eastern Time US & Canada
10:00 AM – 1:15 PM | (GMT-06:00) Mountain Time US & Canada
9:00 AM – 12:15 PM | (GMT-07:00) Pacific Time US & Canada

Delivery Language: English
Closed Captioning Language(s): English

REGISTER TODAY >

NIST small business cybersecurity webinar

Event Date: October 23, 2024

Event Time: 2:00PM – 3:00PM EDT

Event Location: Virtual

Description:

Identity and Access Management is a fundamental and critical cybersecurity capability for businesses of all sizes. To protect your business from fraud and unauthorized system and data access, you want to take steps to ensure that only the right people and technologies have the right level of access to the right resources at the right time.

For many busy small business owners, the use of passwords has been the primary method for locking down access to sensitive systems and data. However, passwords alone are not effective for protecting your data from most attackers. They have become too easy for threat actors to exploit at scale and with limited effort. So that leaves us with the question: what can a small business owner with limited resources do to protect their systems and information from unauthorized access?

During this webinar, we’ll take it back to the fundamentals to discuss practical steps small businesses can take to enhance their identity and access management, resulting in a stronger, more resilient business in the face of increasing cybersecurity risks. We will cover:

Current guidance and leading-practices for multi-factor authentication (MFA), including phishing-resistant MFA.
Identity and Access Management approaches to consider as your business grows.
How identity and access management is covered in the NIST Cybersecurity Framework 2.0.

Speakers:

Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division, NIST
Robert Thelen, CEO and Co-Founder, Rownd

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

Adobe is a software that is used for creating and publishing a wide variety of contents including graphics, photography, illustration, animation, multimedia, motion pictures and print.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Adobe Substance 3D Painter 10.0.1 and earlier versions
Adobe Commerce 2.4.7-p2 and earlier versions
Adobe Commerce 2.4.6-p7 and earlier versions
Adobe Commerce 2.4.5-p9 and earlier versions
Adobe Commerce 2.4.4-p10 and earlier versions
Adobe Commerce B2B 1.4.2-p2 and earlier versions
Adobe Commerce B2B 1.3.5-p7 and earlier versions
Adobe Commerce B2B 1.3.4-p9 and earlier versions
Adobe Commerce B2B 1.3.3-p10 and earlier versions
Magento Open Source 2.4.7-p2 and earlier versions
Magento Open Source 2.4.6-p7 and earlier versions
Magento Open Source 2.4.5-p9 and earlier versions
Magento Open Source 2.4.4-p10 and earlier versions
Adobe Dimension 4.0.3 and earlier versions
Adobe Animate 2023 23.0.7 and earlier versions
Adobe Animate 2024 24.0.4 and earlier versions
Lightroom 7.4.1 and earlier versions    
Lightroom Classic 13.5 and earlier versions
Lightroom Classic (LTS) 12.5.1 and earlier versions
Adobe InCopy  19.4 and earlier versions
Adobe InCopy  18.5.3 and earlier versions
Adobe InDesign ID19.4 and earlier version
Adobe InDesign ID18.5.3 and earlier version
Adobe Substance 3D Stager 3.0.3 and earlier versions 
Adobe FrameMaker 2020 Release Update 6 and earlier versions
Adobe FrameMaker 2022 Release Update 4 and earlier versions

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Adobe Products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows

Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203):

Substance 3D Painter:

Out-of-bounds Read (CVE-2024-20787)

Adobe Commerce:

Improper Authentication (CVE-2024-45115, CVE-2024-45148)
Cross-site Scripting (Stored XSS) (CVE-2024-45116, CVE-2024-45123, CVE-2024-45127)
Improper Input Validation (CVE-2024-45117)
Improper Access Control (CVE-2024-45118, CVE-2024-45121, CVE-2024-45122, CVE-2024-45124, CVE-2024-45129, CVE-2024-45130, CVE-2024-45133, CVE-2024-45135, CVE-2024-45149)
Server-Side Request Forgery (SSRF) (CVE-2024-45119)
Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-2024-45120)
Incorrect Authorization (CVE-2024-45125)
Improper Authorization (CVE-2024-45128, CVE-2024-45131, CVE-2024-45132)
Information Exposure (CVE-2024-45134)

Adobe Dimension:

Use After Free (CVE-2024-45146)
Out-of-bounds Write (CVE-2024-45150)

Adobe Animate:

Stack-based Buffer Overflow (CVE-2024-47410)
NULL Pointer Dereference (CVE-2024-47411)
Use After Free (CVE-2024-47412, CVE-2024-47413, CVE-2024-47414, CVE-2024-47415, CVE-2024-47418)
Integer Overflow or Wraparound (CVE-2024-47416)
Heap-based Buffer Overflow (CVE-2024-47417)
Out-of-bounds Read (CVE-2024-47419, CVE-2024-47420)

Adobe Lightroom:

Out-of-bounds Read (CVE-2024-45145)

Adobe InCopy:

Unrestricted Upload of File with Dangerous Type (CVE-2024-45136)

Adobe InDesign:

Unrestricted Upload of File with Dangerous Type (CVE-2024-45137)

Substance 3D Stager:

Use After Free (CVE-2024-45138)
Heap-based Buffer Overflow (CVE-2024-45139, CVE-2024-45143)
Out-of-bounds Write (CVE-2024-45140, CVE-2024-45141, CVE-2024-45144, CVE-2024-45152)
Write-what-where Condition (CVE-2024-45142)

Adobe FrameMaker:

Out-of-bounds Read (CVE-2024-47421)
Untrusted Search Path (CVE-2024-47422)
Unrestricted Upload of File with Dangerous Type (CVE-2024-47423)
Integer Overflow or Wraparound (CVE-2024-47424)
Integer Underflow (Wrap or Wraparound) (CVE-2024-47425)

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
- Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
- Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Protecting Against Iranian Targeting of Accounts Associated with National Political Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this Fact Sheet, which provides information about threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) targeting and compromising accounts of Americans to stoke discord and undermine confidence in US democratic institutions.

IRGC actors have previously gained and continue to seek access to personal and business accounts using social engineering techniques by targeting victims across email and chat platforms. This fact sheet includes steps that individuals and organizations can take to enhance their security and resilience to protect themselves against the common techniques used by these cyber actors.

CISA and FBI strongly recommend all individuals and organizations associated with national political organizations apply the mitigations in this fact sheet, including protecting their sensitive accounts with phishing-resistant multi-factor authentication (MFA).

Election infrastructure stakeholders and the public can find more resources on how to protect against cyber and physical threats at #Protect2024. CISA encourages organizations to review its Iran Cyber Threat webpage for advisories and actions to defend their networks.

Security Property Verification by Transition Model | NIST Invites Public Comments on IR 8539

The initial public draft of NIST Internal Report (IR) 8539, Security Property Verification by Transition Model, is now available for public comment. Verifying the security properties of access control policies is a complex and critical task. The policies and their implementation often do not explicitly express their underlying semantics, which may be implicitly embedded in the logic flows of policy rules, especially when policies are combined. Instead of evaluating and analyzing access control policies solely at the mechanism level, formal transition models are used to describe these policies and prove the system’s security properties. This approach ensures that access control mechanisms can be designed to meet security requirements.

This document explains how to apply model-checking techniques to verify security properties in transition models of access control policies. It provides a brief introduction to the fundamentals of model checking and demonstrates how access control policies are converted into automata from their transition models. The document then focuses on discussing property specifications in terms of linear temporal logic (LTL) and computation tree logic (CTL) languages with comparisons between the two. Finally, the verification process and available tools are described and compared.

The public comment period is open through November 25, 2024. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications

Critical Patches Issued for Microsoft Products, October 8, 2024 – PATCH NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
The vulnerabilities Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572) and Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573) have been seen exploited in the wild and disclosed publicly.

SYSTEMS AFFECTED:

.NET and Visual Studio
.NET, .NET Framework, Visual Studio
Azure CLI
Azure Monitor
Azure Stack
BranchCache
Code Integrity Guard
DeepSpeed
Internet Small Computer Systems Interface (iSCSI)
Microsoft ActiveX
Microsoft Configuration Manager
Microsoft Defender for Endpoint
Microsoft Graphics Component
Microsoft Management Console
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft Simple Certificate Enrollment Protocol
Microsoft WDAC OLE DB provider for SQL
Microsoft Windows Speech
OpenSSH for Windows
Outlook for Android
Power BI
Remote Desktop Client
Role: Windows Hyper-V
RPC Endpoint Mapper Service
Service Fabric
Sudo for Windows
Visual C++ Redistributable Installer
Visual Studio
Visual Studio Code
Windows Ancillary Function Driver for WinSock
Windows BitLocker
Windows Common Log File System Driver
Windows Cryptographic Services
Windows EFI Partition
Windows Hyper-V
Windows Kerberos
Windows Kernel
Windows Kernel-Mode Drivers
Windows Local Security Authority (LSA)
Windows Mobile Broadband
Windows MSHTML Platform
Windows Netlogon
Windows Network Address Translation (NAT)
Windows NT OS Kernel
Windows NTFS
Windows Online Certificate Status Protocol (OCSP)
Windows Print Spooler Components
Windows Remote Desktop
Windows Remote Desktop Licensing Service
Windows Remote Desktop Services
Windows Resilient File System (ReFS)
Windows Routing and Remote Access Service (RRAS)
Windows Scripting
Windows Secure Channel
Windows Secure Kernel Mode
Windows Shell
Windows Standards-Based Storage Management Service
Windows Storage
Windows Storage Port Driver
Windows Telephony Server
Winlogon

RISK:

Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:Microsoft:
https://portal.msrc.microsoft.com/en-us/security-guidance
https://msrc.microsoft.com/update-guide/releaseNote/2024-Oct

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43573

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Chrome prior to 129.0.6668.100/.101 for Windows and Mac
Chrome prior to 129.0.6668.100 for Linux

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

Type Confusion in V8 (CVE-2024-9602, CVE-2024-9603)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Google:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9603

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Android OS patch levels prior to 2024-10-05

RISK:

Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution in the context of the logged on user. Following the MITRE ATT&CK framework, exploitation of the most severe of these vulnerabilities can be classified as follows:

Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203):

A vulnerability in System that could allow for remote code execution. (CVE-2024-40673)
Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2024-0044, CVE-2024-40676)
Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2024-40672, CVE-2024-40677)

Details of lower-severity vulnerabilities are as follows:

A vulnerability in Framework that could allow for denial of service. (CVE-2024-40675)
A vulnerability in System that could allow for denial of service. (CVE-2024-40674)
Multiple vulnerabilities in Imagination Technologies. (CVE-2024-34732, CVE-2024-34733, CVE-2024-34748, CVE-2024-40649, CVE-2024-40651, CVE-2024-40669, CVE-2024-40670)
Multiple vulnerabilities in MediaTek components. (CVE-2024-20100, CVE-2024-20101, CVE-2024-20103, CVE-2024-20090, CVE-2024-20092, CVE-2024-20091, CVE-2024-20093, CVE-2024-20094)
Multiple vulnerabilities in Qualcomm components. (CVE-2024-33049, CVE-2024-33069, CVE-2024-38399)
A vulnerability in Qualcomm closed-source components. (CVE-2024-23369)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. (M1017: User Training)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
- Safeguard 13.10 : Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

REFERENCES:

Google:
https://source.android.com/docs/security/bulletin/2024-10-01

Submit Comments | Draft Report: Attribute Validation Services for Identity Management

In this digital age, the accurate identification of individuals is paramount to ensuring security, privacy, and trust in online interactions. Whether it’s for accessing medical records, applying for benefits, or engaging in other high-stakes transactions, the need to confirm the identity and attributes of individuals is crucial. The draft NIST report Attribute Validation Services for Identity Management delves into the architecture, security, privacy, and operational considerations surrounding Attribute Validation Services (AVS), offering considerations for government agencies seeking to implement these critical services.

At its core, an attribute is a “quality or characteristic ascribed to someone or something,” such as a person’s date of birth, residential address, or Social Security Number. Attributes are essential in confirming an individual’s identity or their eligibility to access certain services or information. An AVS validates these attributes against reliable data sources to confirm their accuracy; this validation process plays a pivotal role in secure identity proofing, access control, and fraud prevention.

The draft NIST report Attribute Validation Services for Identity Management positions AVS as a cornerstone of secure, privacy-preserving digital identity management. Whether through traditional query-based models or emerging technology such as cryptographically verifiable attributes, AVSs can offer a reliable way to validate user attributes, reduce fraud, and improve access control. For government agencies, the report provides a foundation for building AVS solutions that enhance security while ensuring equity and privacy.

The public comment period is open through 11:59 pm Eastern Time on Friday, November 8, 2024. Comments may be submitted to [email protected].

Learn More

Trinity Ransomware

The United States Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Threat Actor Profile regarding a relatively new threat actor identified as Trinity Ransomware. Even though the analysis is focused on the Healthcare and Public Health (HPH) Sector, all agencies and organizations are encouraged to review the information contained in the Threat Actor Profile.

Trinity ransomware is a relatively new threat actor, known for employing a double extortion strategy. This method involves exfiltrating sensitive data before encrypting files, thereby increasing pressure on victims to pay the ransom. This ransomware uses the ChaCha20 encryption algorithm, and encrypted files are tagged with the .trinitylock file extension. Trinity operates a victim support site for decryption assistance and a leak site that displays their victims. It also shares similarities with two other ransomware groups—2023Lock and Venus—suggesting possible connections or collaborations among these threat actors. The group’s tactics and techniques are sophisticated, making them a significant threat to the US HPH. HC3 is aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently.

This HC3 Threat Actor Profile provides an overview, likely tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. This advisory is being provided to assist all agencies and organizations in guarding against the persistent malicious actions of cyber criminals.