Blockchain for Access
Control Systems: Draft NISTIR 8403 Available for Comment

NIST has released NIST Internal Report (NISTIR) 8403, Blockchain for
Access Control Systems, for public comment.

Protecting system resources against unauthorized access is the
primary objective of an access control system. As information systems rapidly
evolve, the need for advanced access control mechanisms that support
decentralization, scalability, and trust – all major challenges for traditional
mechanisms – has grown.

Blockchain technology offers high confidence and tamper resistance
implemented in a distributed fashion without a central authority, which means
that it can be a trustable alternative for enforcing access control policies.
This document presents analyses of blockchain access control systems from the
perspectives of properties, components, architectures, and model supports, as
well as discussions on considerations for implementation.

The public comment period is open through February 7, 2022. 
See the publication details
for a copy of the draft and instructions for submitting comments.

Public comments will
close on January 17 for Volume C of NIST SP 1800-34, Validating the Integrity
of Computing Devices 

The National Institute of Standards and Technology’s National
Cybersecurity Center of Excellence (NCCoE) has published the preliminary draft
Volume C of NIST SP
1800-34, Validating the Integrity of Computing Devices for public
comment. This is a reminder that the public comment period will close on
January 17, 2022. You can submit comments
online or via email to [email protected].

Volume C includes specific product installation, configuration,
and integration instructions for building the example implementation, allowing
you to replicate all or parts of this project. Help the NCCoE make this guide
better by sharing your thoughts with us. If your organization prototypes this
solution, please share your experience with our team. You can also stay up to
date on the progress of this project by sending an e-mail to [email protected] to join our Supply
Chain Assurance’s Community of Interest.

 Following our discovery of the “Shrootless” vulnerability, Microsoft uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data. We shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2021-30970, as part of security updates released on December 13, 2021. We encourage macOS users to apply these security updates as soon as possible.

Introduced by Apple in 2012 on macOS Mountain Lion, TCC is essentially designed to help users configure the privacy settings of their apps, such as access to the device’s camera, microphone, or location, as well as access to the user’s calendar or iCloud account, among others. To protect TCC, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access. We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.

It should be noted that other TCC vulnerabilities were previously reported and subsequently patched before our discovery. It was also through our examination of one of the latest fixes that we came across this bug. In fact, during this research, we had to update our proof-of-concept (POC) exploit because the initial version no longer worked on the latest macOS version, Monterey. This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community, need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.

Microsoft security researchers continue to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. The discoveries and insights from our research enrich our protection technologies and solutions, such as Microsoft Defender for Endpoint, which allows organizations to gain visibility to their networks that are increasingly becoming heterogeneous. For example, this research informed the generic detection of behavior associated with this vulnerability, enabling Defender for Endpoint to immediately provide visibility and protection against exploits even before the patch is applied. Such visibility also enables organizations to detect, manage, respond to, and remediate vulnerabilities and cross-platform threats faster.

See the rest of this article posted on Microsoft. Here

New macOS vulnerability, “powerdir,” could lead to unauthorized user data access – Microsoft Security Blog

NISTIR 8349: Methodology
for Characterizing Network Behavior of Internet of Things Devices

The National Cybersecurity Center of Excellence (NCCoE) has
published for comment a draft NIST Internal Report (NISTIR) 8349: Methodology for Characterizing
Network Behavior of Internet of Things Devices. The public comment
period is open until February 11, 2022.

Securing a network is a complex task made more challenging when
Internet of Things (IoT) devices are connected to it. NISTIR 8349 demonstrates
how to use device characterization techniques and the MUD-PD open source tool to describe the communication
requirements of IoT devices in support of the manufacturer usage description (MUD) project. Manufacturers
and network administrators can use the techniques and tools described in the
report for capturing network communications from IoT devices, analyzing network
captures, and generating MUD files to help ensure IoT devices perform as
intended.

Your Input Matters      

The NCCoE relies on developers, providers, and users of
cybersecurity technology and information to provide input to our cybersecurity
reports and guidance to produce useful and technically correct resources. We
look forward to receiving your comments on this draft report.

Submit comments via email to [email protected] on or before February
11, 2022. You can also help shape and contribute to this project by joining the
loT Community of Interest by sending an email to [email protected] detailing your
interest.

 Original
release date: December 2, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity
Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in
Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote
code execution vulnerability that affects all ServiceDesk Plus versions up to,
and including, version 11305. 

This vulnerability was addressed by the update released by Zoho on September
16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched,
successful exploitation of the vulnerability allows an attacker to upload
executable files and place webshells that enable post-exploitation activities,
such as compromising administrator credentials, conducting lateral movement,
and exfiltrating registry hives and Active Directory files. Zoho has set up a
security response plan center that provides additional details, a
downloadable tool that can be run on potentially affected systems, and a
remediation guide.

CISA encourages organizations to review the joint Cybersecurity
Advisory and apply the recommended mitigations immediately.

 Microsoft has observed multiple Iranian threat actors targeting the IT
services sector in attacks that aim to steal sign-in credentials belonging to
downstream customer networks to enable further attacks.

Iranian targeting of IT sector on the rise – Microsoft Security Blog

 Drupal has released security updates to address vulnerabilities that could
affect versions 8.9, 9.1, and 9.2. An attacker could exploit these
vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Drupal Security Advisory SA-CORE-2021-011 and apply
the necessary updates.

 Thanks to Kevin
Sheldrake, Roberto Rodriguez, Jessen Kurien and Ofer Shezaf for making this
blog possible.

For many years, people have been using Sysmon on their Windows systems to gain clarity on what is
happening on their machines and, for the security community, to highlight when
suspicious or malicious activity occurs. Collecting events from individual
hosts is crucial to ensuring you have the visibility needed to identify and
respond to malicious events and Sysmon provides a way to do just that. With the
introduction of Sysmon for Linux, that same clarity is available for many Linux
distros.  While we won’t be detailing all the available Sysmon for Linux
capabilities in this post, you can find the Sysmon documentation here,
read about how to deploy Sysmon in conjunction with Azure Sentinel, look at a
quick guide on how you can use Sysmon in conjunction with Azure Sentinel, or look through
our GitHub repository where we’ve been experimenting with Sysmon configs for Linux.

To frame the conversation around how Sysmon for Linux (shortened to Sysmon
from here on out) can be used to create clarity for security teams, we will
walk through how Sysmon events can be used to spot a specific MITRE ATT&CK
technique. The MITRE ATT&CK Matrix (Linux
focused version here) is a well-known and respected framework that many
organizations use to think about adversary techniques and assess detection
coverage. Just like on the Windows side, Sysmon can be used to highlight
tactics and techniques across the matrix. In this blog, we will focus in on the
Ingress Tool Transfer technique (ID T1105)
and highlight a couple of the Sysmon events that can be used to see it. We
observe this technique being used against Linux systems and sensor networks
regularly, and while we have tools to alert on this activity, it is still a
good idea to ensure you have visibility into the host so you can investigate
attacks. To look at this technique, we will show how to enable collection of
three useful events, what those events look like when they fire, and how they
can help you understand what happened. Additionally, we will show what those
events look like in Azure Sentinel.

Ingress Tool
Transfer (T1105)

It is common to see attackers taking advantage of initial access to a
machine by downloading a script or piece of malware. While “living off the
land” is still something to watch for, in attacks on our customers and against
our sensor network we see attempts to download tools very frequently.  In
fact, the MITRE ATT&CK page for Ingress Tool
Transfer shows 290 different pieces of malware and activity groups that use
this technique, so it is a good place to start showing how Sysmon can help add
coverage to different ATT&CK techniques.

For this example, we will focus on the five most commonly used tools for
downloading scripts and malware that we’ve seen run on our sensor networks. We
will look for wget, curl, ftpget, tftp, and lwp-download. You may want to
customize this list for your environment, but this will cover the majority of
what we see.

Create your Sysmon
configuration file

Just like Sysmon for Windows, you will want to create configuration files
based on the system you are wanting to collect logs for based on the role of
the system, your environment, and your collection requirements. The basics of
how to write and run a configuration can be found on the Sysmon documentation page and you can see some examples in
the MSTIC-Sysmon
repo so we’ll just focus on what we need for this specific technique. One
thing to note is that the Event IDs are consistent between Windows and Linux so
Event ID 1 represents process creation events in both environments.

We are interested in seeing when an attacker tries to download files to our
computer. There are a few ways we can see that behavior reflected. To begin, we
know that a process will have to get created to start the download. We also
know that a network connection will have to be made and, if the attacker is
successful, a file will be written. Lucky for us, Sysmon has us covered for all
three of these with ProcessCreate, NetworkConnect, and FileCreate events.

Below is a basic configuration that we can use to create those events based
on our list of the commonly used tools (it is available in our repo here). You can see we have
separate sections for each of the events we want and have said we want to
include the listed matches.  The tool name will be in the “Image” field,
and we’ve used “end with” because we generally expect to see file paths there
(ex. /bin/wget).