Author: jay f

 ISC
Releases Security Advisory for BIND

10/28/2021 12:05 PM EDT

 

Original
release date: October 28, 2021

The Internet Systems Consortium (ISC) has released a security advisory that
addresses a vulnerability affecting multiple versions of the ISC Berkeley
Internet Name Domain (BIND). A remote attacker could exploit this vulnerability
to cause a denial-of-service condition.

CISA encourages users and administrators to review the ISC advisory
for CVE-2021-25219 and
apply the necessary updates or workaround.

 Hackers have compromised a JavaScript NPM library with password-stealing
malware. The library, UAParser.js, garners 6 million downloads a week. The
threat came after hackers hijacked UAParser.js’s NPM account. GitHub has warned
users that any device with the package installed should be considered
compromised

 We are very excited and pleased to announce this rendition of the Ninja Training Series. With all the other training out there, our team has been working diligently to get this content out there. There are several videos and resources out there and the overall purpose of the MIP Ninja training is to help you master this realm. We aim to get you up-to-date links to the community blogs, training videos, Interactive Guides, learning paths, and any other relevant documentation. 

 

To make it easier for you to start and advance your knowledge gradually without throwing you in deep waters, we split content in each offering into three levels: beginner, intermediate, and advanced.  

 

In addition, after each section, there will be a knowledge check based on the training material you’d have just finished! Since there’s a lot of content, the goal of these knowledge checks is to help you determine if you were able to get a few of the major key takeaways.  

 

There’ll be a fun certificate issued at the end of the training: Disclaimer: This is NOT an official Microsoft certification and only acts as a way of recognizing your participation in this training content. 

 

Lastly, this training will be updated on a quarterly basis to ensure you all have the latest and greatest material! 

Go here

 

 Please Submit Comments –
Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

Section 4s
of the President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028),” issued
on May 12, 2021, charges NIST, in coordination with the Federal
Trade Commission (FTC) and other agencies, to initiate pilot programs for
cybersecurity labeling. These labeling programs are intended to educate the
public on the security capabilities of software development practices.

To inform this effort, Sec. 4 (u)
of the EO directs NIST to “…identify secure software development practices or
criteria for a consumer software labeling program.” Furthermore, the identified
criteria “…shall reflect a baseline level of security practices, and if
practicable, shall reflect increasingly comprehensive levels of testing and
assessment that a product may have undergone.” Sec. 4 (u)
also states that “…NIST shall examine all relevant information, labeling, and
incentive programs, employ best practices, and identify, modify, or develop a
recommended label or, if practicable, a tiered software security rating system.
This review shall focus on ease of use for consumers and a determination of
what measures can be taken to maximize participation.”

Today, NIST has released for public comment a document that
advances these tasks: Draft Baseline Criteria for Consumer Software Cybersecurity Labeling.
This draft document addresses the need to develop appropriate cybersecurity
criteria for consumer software—and it informs the development and use of a
label for consumer software which will improve consumers’ awareness,
information, and ability to make purchasing decisions (while taking
cybersecurity considerations into account). This document was developed after
much input from a recent NIST workshop, position papers submitted to NIST,
additional extensive research, and many discussions with experts and
organizations from the public and private sectors.

We are seeking comments on all aspects of the criteria contained
in the draft document (more
details can be found in the ‘note to reviewers’ section of the draft document).
In accordance with the EO, NIST plans to produce a final version of
these criteria by February 6, 2022.

Please view the draft document HERE.

To submit comments, please email them to [email protected] using
the subject, “Draft Consumer Software Labeling Criteria,” by December
16, 2021.

 Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property.

The keyCredentials property is used to configure an application’s authentication credentials. It is accessible to any user or service in the organization’s Azure AD tenant with read access to application metadata.
The property is designed to accept a certificate with public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the property. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted Application or Service Principal.
Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers. We have conducted an investigation and have found no evidence of malicious access to this data.
Microsoft Azure services affected by this issue have mitigated by preventing storage of clear text private key information in the keyCredentials property, and Azure AD has mitigated by preventing reading of clear text private key data that was previously added by any user or service in the UI or APIs.
As a result, clear text private key material in the keyCredentials property is inaccessible, mitigating the risks associated with storage of this material in the property.
As a precautionary measure, Microsoft is recommending customers using these services take action as described in “Affected products/services,” below. We are also recommending that customers who suspect private key data may have been added to credentials for additional Azure AD applications or Service Principals in their environments follow this guidance.

Affected products/services

Microsoft has identified the following platforms/services that stored their private keys in the public property. We have notified customers who have impacted Azure AD applications created by these services and notified them via Azure Service Health Notifications to provide remediation guidance specific to the services they use.

Product/Service	Microsoft’s Mitigation	Customer impact assessment and remediation
Azure Automation uses the Application and Service Principal keyCredential APIs when Automation Run-As Accounts are created	Azure Automation deployed an update to the service to prevent private key data in clear text from being uploaded to Azure AD applications. Run-As accounts created or renewed after 10/15/2021 are not impacted and do not require further action.	Automation Run As accounts created with an Azure Automation self-signed certificate between 10/15/2020 and 10/15/2021 that have not been renewed are impacted. Separately customers who bring their own certificates could be affected. This is regardless of the renewal date of the certificate. To identify and remediate impacted Azure AD applications associated with impacted Automation Run-As accounts, please navigate to this Github Repo In addition, Azure Automation supports Managed Identities Support (GA announced on October 2021). Migrating to Managed Identities from Run-As will mitigate this issue. Please follow the guidance here to migrate.
Azure Migrate service creates Azure AD applications to enable Azure Migrate appliances to communicate with the service’s endpoints.	Azure Migrate deployed an update to prevent private key data in clear text from being uploaded to Azure AD applications. Azure Migrate appliances that were registered after 11/02/2021 and had Appliance configuration manager version 6.1.220.1 and above are not impacted and do not require further action	Azure Migrate appliances registered prior to 11/02/2021 and/or appliances registered after 11/02/2021 where auto-update was disabled could be affected by this issue. To identify and remediate any impacted Azure AD applications associated with Azure Migrate appliances, please navigate to this link.
Azure Site Recovery (ASR) creates Azure AD applications to communicate with the ASR service endpoints.	Azure Site Recovery deployed an update to prevent private keydata from being uploaded to Azure AD applications. Customers using Azure Site Recovery’s preview experience “VMware to Azure Disaster Recovery” after 11/01/2021 are not impacted and do not require further action	Customers who have deployed and registered the preview version of VMware to Azure DR experience with ASR before 11/01/2021 could be affected. To identify and remediate the impacted AAD Apps associated with Azure Site Recovery appliances, please navigate to this link.
Azure AD applications and Service Principals [1]	Microsoft has blocked reading private key data as of 10/30/2021.	Follow the guidance available at aad-app-credential-remediation-guide to assess if your application key credentials need to be rotated. The guidance walks through the assessment steps to identify if private key information was stored in keyCredentials and provides remediation options for credential rotation.

[1] This issue only affects Azure AD Applications and Service Principals where private key material in clear text was added to a keyCredential. Microsoft recommends taking precautionary steps to identify any additional instances of this issue in applications where you manage credentials and take remediation steps if impact is found.

What else can I do to audit and investigate applications for unexpected use?

Additionally, as a best practice, we recommend auditing and investigating applications for unexpected use:

• Audit the permissions that have been granted to the impacted entities (e.g., subscription access, roles, OAuth permissions, etc.) to assess impact in case the credentials were exposed. Refer to the Application permission section in the security operations guide.
• If you rotated the credential for your application/service principal, we suggest investigating for unexpected use of the impacted entity especially if it has high privilege permissions to sensitive resources. Additionally, review the security guidance on least privilege access for apps to ensure your applications are configured with least privilege access.
• Check sign-in logs, AAD audit logs and M365 audit logs, for anomalous activity like sign-ins from unexpected IP addresses.
• Customers who have Microsoft Sentinel deployed in their environment can leverage notebook/playbook/hunting queries to look for potentially malicious activities. Look for more guidance here.
• For more information refer to the security operations guidance.

Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before they are misused. We want to thank Karl Fosaaen of NetSPI who reported this vulnerability and Allscripts who worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.

 The National Cybersecurity Center of Excellence (NCCoE) has
released two new draft publications: Special Publication (SP) 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing
Existing Tools and Performing Processes in Better Ways,
and SP 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance
for Technology.

Patching is a critical component of preventive maintenance for
computing technologies—a cost of doing business, and a necessary part of what
organizations need to do in order to achieve their missions. However, keeping
software up-to-date with patches remains a problem for most organizations.

Draft SP 800-40 Revision 4 makes recommendations for creating an
enterprise strategy to simplify and operationalize patching while also
improving reduction of risk. Draft SP 800-40 Revision 4 will replace SP 800-40
Revision 3, Guide to
Enterprise Patch Management Technologies, which was released in
2013.

Draft SP 1800-31 describes an example solution that demonstrates
how tools can be used to implement the inventory and patching capabilities
organizations need for routine and emergency patching situations, as well as
implementing workarounds and other alternatives to patching.

We Want to Hear from You!

Review the draft publications and submit comments online on or
before January 10, 2022. You can also contact us at [email protected]. We value and welcome
your input and look forward to your comments.

 Find
out how to secure your apps and data in your Azure Virtual Desktop deployment.
Read Azure Virtual
Desktop Handbook: Security Fundamentals for technical, hands-on
guidance to help you protect your virtual desktops with built-in Azure security
features and other Microsoft security tools.

Download
this handbook to:

• Familiarize yourself with Azure
  Virtual Desktop architecture.
• Understand which Microsoft
  tools and Azure security services are automatically configured and which
  you’ll need to configure yourself.
• Implement the appropriate
  security measures for your organization’s data, apps, user identities,
  session hosts, and network access.

Learn best practices for using Azure Security
Center and improving your Azure Secure Score.

 

 Pre-Draft Call for Comments | Incorporating Privacy in
Awareness & Training

To
help organizations incorporate privacy into their security awareness and
training regimes, NIST plans to revise SP 800-50,
Building
an Information Technology Security Awareness and Training Program.
In the nearly two decades since SP 800-50 was published in 2003, cybersecurity
awareness and training resources, methodologies, and requirements have evolved
considerably—and new guidance to inform this work has come from Congress and
the Office of Management and Budget.  

Prior
to drafting the update, NIST is seeking public
comment on several topics, including the potential consolidation of
companion document SP 800-16,
Information
Technology Security Training Requirements: A Role- and Performance-Based
Model, into the revised SP 800-50. The proposed title for
SP 800-50 Revision 1 is Building a Cybersecurity and Privacy Awareness
and Training Program. Comments are due by November
5, 2021. 

Your
public comments will be used to influence future drafts, including an Initial
Public Draft of the update which is scheduled to be released in early 2022 as
SP 800-50 Revision 1.

Learn More

Blog From Microsoft

Hi, my name is Raymond
Roethof, and I am a Microsoft Security enthusiast with over fifteen years
of experience within the Microsoft landscape. My focus has been Microsoft
Security, and specifically with the last three years out of six as a Red
Teamer. In this blog post, I will go through an attacker or Red Teamer’s
challenges when Microsoft Defender for Identity is in place

Many organizations go through a digital transformation by the increasing use
of cloud services. Understanding the current state of the cloud service is
essential as maintaining the state is a shared responsibility between the
company and its cloud provider.

Many Red Teamers and attackers use the on-premises environment as a stepping
stone to the cloud. So, a company must understand the comprehensive set of
security controls and capabilities available in Microsoft Azure, Microsoft 365,
and on-premises. Active Directory can be a source for lateral movement and an
excellent initial attack vector due to the high-value information it holds.

Microsoft Defender for Identity is a cloud-based security
solution that leverages your on-premises Active Directory signals to identify,
detect, and investigate advanced threats, compromised identities, and malicious
insider actions directed at your organization. Defender for Identity
also protects Active Directory Federation Services (AD FS) in your
environment by detecting advanced threats and providing visibility into
authentication events generated by AD FS.

The default Active Directory authentication protocol is Kerberos, an
authentication protocol based on tickets, and is known for being the target
method of many attacks. Kerberos is an authentication protocol developed by MIT
and adopted by Microsoft since Windows 2000. Kerberos can also be complicated
and as a result, hard to secure.

This blog post will go through attacking Active Directory
as a Red Teamer and having Defender for Identity in place to protect this
high-value information. What do I have to consider before I make my next move?
Let’s find out how Defender for Identity makes my job so difficult.

Attack Kill Chain

As a Red Teamer or an attacker, you want to reach your goal as quickly as
possible, preferably without noticing. The purpose and time it takes to perform
the attack differs in every scenario. Attackers are mainly financially driven
as Red Teamers have a specific pre-defined objective to reach.

Most of the attacks require multiple steps to reach their goal. Red Teamers
or attackers use some form of an attack kill chain as a process.

(Figure 1 – an
example of an attack kill chain process)

 

Note: With the digital transformation to the cloud
and the complexity of most attacks, a one-size-fits-all kill chain is not
feasible anymore, but the Cyber Attack Kill Chain is a good indication of how a Red
Teamer or attacker performs an attack. The graphic shown above is more focused
on compromising an endpoint, for example. 

 Reconnaissance
of Active Directory

 Reconnaissance is a critical and consistent step in any kill chain. Most
information found is likely used during an attack at a later stage. Information
like server names, IP addresses, operating systems, forest architecture,
trusts, service principal names (SPNs), groups and memberships, access control
lists, and well-known security misconfigurations is probably part of every
reconnaissance phase within Active Directory.

 The challenge as a Red Teamer (or an attacker – assume I’m
referring to both throughout this blog) starts with Defender for
Identity being enabled at the reconnaissance phase.

 A Red Teamer needs to have a valid set of credentials, a
hash, or any form of authentication to communicate with Active Directory.
Attacks like phishing e-mails can contain a malicious payload that runs under
the user context. This way, a Red Teamer or attacker can perform an attack as
an authenticated user. Without any authentication, a Red Teamer uses an attack
like AS-Rep roasting and password sprays. If you are a Red
Teamer or an attacker, Defender for Identity detects this kind of attack
and alerts in almost real time.

 Lateral Movement
Active Directory

 The ultimate objective for a Red Teamer is data. For most organizations,
data is one of the most valuable assets. Getting access to all data at the
initial entry is rare for a Red Teamer or attacker, so it is common to see
lateral movement during an attack.

Let us say a Red Teamer gets a foothold, either remotely or on the network,
within the environment without being noticed as an authenticated user. The next
step would be to seek identities with higher privileges or an identity to
access high-value assets, like data.

Attacks like Kerberoasting are also common since service accounts mainly
have high privileges to services that contain high-value assets. Kerberoasting is also an attack that Defender for
Identity detects. Defender for Identity also detects newer attacks
like PetitPotam as well since version 2.158.14362.

Extended
Detection and Response

With Extended Detection
and Response (XDR), Microsoft delivers a new approach to provide intelligent,
automated, and integrated security across domains to help defenders connect
seemingly disparate alerts and get ahead of attackers. Due to signal sharing
between Microsoft Defender for Endpoint and Defender for Identity, an
indicator shows if the endpoint contains an alert within Defender for Endpoint.
An analyst can isolate the endpoint within seconds, and as a Red Teamer, you
will need to find another entry point to continue your journey. The analyst is
also probably more alert and now monitoring the environment even closer as a
result.

 

(Figure
2 – an illustration of an attacker navigating a minefield)

 

Every step we take next as a Red Teamer or
an attacker is like walking in a minefield.

 

From
on-premises to the cloud

 

Although many
organizations go through digital transformation by the increasing their use of
cloud services, attackers can use the on-premises environment as a stepping
stone to the cloud. One of my blog posts describes creating a forged security token to
authenticate to Azure AD using a private key from the AD FS server.
Unfortunately for me, Defender for Identity now detects this method of
attack as well:

 

(Figure 3 – A
screenshot showing the alert status of an AD FS DKM key read with supporting
evidence)