I will be speaking at this event for resellers and MSP you can register here
 

 Zoho has released a security advisory to address an authentication bypass
vulnerability (CVE-2021-44757) in ManageEngine Desktop Central and Desktop
Central MSP. An attacker could exploit this vulnerability to take control of an
affected system.

CISA encourages users and administrators to review the Zoho
Vulnerability Notification and the Zoho ManageEngine
Desktop Central and ManageEngine
Desktop Central MSP security advisories and apply the recommended
mitigations immediately.

NCCoE Releases Draft
Project Description for IPv6 Transition

The National Cybersecurity Center of Excellence (NCCoE) has
released a new draft project description, Secure IPv6-Only Implementation in the Enterprise.
Publication of this project description begins a process to further identify
project requirements, scope, and hardware and software components for use in a
laboratory demonstration environment.

We want your feedback on this draft to help refine the project.
The comment period is now open and will close on January 27, 2022.

The project will address operational, security, and privacy issues
associated with the evolution to IPv6-only network infrastructures. It will
demonstrate tools and methods for securely implementing IPv6, whether as a
“greenfield” implementation or as a transition from an IPv4 infrastructure to
an IPv6-only network. This project will result in practice guides to encourage
the secure transition to IPv6-only enterprise IT environments.

We Want to Hear from You!

Review the project description and submit comments online on or before January 27, 2022. You
can also help shape and contribute to this project by joining the NCCoE’s IPv6
Transition Community of Interest. Send an email to ipv6-transition@nist.gov detailing your
interest.

We value and welcome your input and look forward to your comments.

Blockchain for Access
Control Systems: Draft NISTIR 8403 Available for Comment

NIST has released NIST Internal Report (NISTIR) 8403, Blockchain for
Access Control Systems, for public comment.

Protecting system resources against unauthorized access is the
primary objective of an access control system. As information systems rapidly
evolve, the need for advanced access control mechanisms that support
decentralization, scalability, and trust – all major challenges for traditional
mechanisms – has grown.

Blockchain technology offers high confidence and tamper resistance
implemented in a distributed fashion without a central authority, which means
that it can be a trustable alternative for enforcing access control policies.
This document presents analyses of blockchain access control systems from the
perspectives of properties, components, architectures, and model supports, as
well as discussions on considerations for implementation.

The public comment period is open through February 7, 2022. 
See the publication details
for a copy of the draft and instructions for submitting comments.

Public comments will
close on January 17 for Volume C of NIST SP 1800-34, Validating the Integrity
of Computing Devices 

The National Institute of Standards and Technology’s National
Cybersecurity Center of Excellence (NCCoE) has published the preliminary draft
Volume C of NIST SP
1800-34, Validating the Integrity of Computing Devices for public
comment. This is a reminder that the public comment period will close on
January 17, 2022. You can submit comments
online or via email to supplychain-nccoe@nist.gov.

Volume C includes specific product installation, configuration,
and integration instructions for building the example implementation, allowing
you to replicate all or parts of this project. Help the NCCoE make this guide
better by sharing your thoughts with us. If your organization prototypes this
solution, please share your experience with our team. You can also stay up to
date on the progress of this project by sending an e-mail to supplychain-nccoe@nist.gov to join our Supply
Chain Assurance’s Community of Interest.

 Following our discovery of the “Shrootless” vulnerability, Microsoft uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data. We shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2021-30970, as part of security updates released on December 13, 2021. We encourage macOS users to apply these security updates as soon as possible.

Introduced by Apple in 2012 on macOS Mountain Lion, TCC is essentially designed to help users configure the privacy settings of their apps, such as access to the device’s camera, microphone, or location, as well as access to the user’s calendar or iCloud account, among others. To protect TCC, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access. We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.

It should be noted that other TCC vulnerabilities were previously reported and subsequently patched before our discovery. It was also through our examination of one of the latest fixes that we came across this bug. In fact, during this research, we had to update our proof-of-concept (POC) exploit because the initial version no longer worked on the latest macOS version, Monterey. This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community, need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.

Microsoft security researchers continue to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. The discoveries and insights from our research enrich our protection technologies and solutions, such as Microsoft Defender for Endpoint, which allows organizations to gain visibility to their networks that are increasingly becoming heterogeneous. For example, this research informed the generic detection of behavior associated with this vulnerability, enabling Defender for Endpoint to immediately provide visibility and protection against exploits even before the patch is applied. Such visibility also enables organizations to detect, manage, respond to, and remediate vulnerabilities and cross-platform threats faster.

See the rest of this article posted on Microsoft. Here

New macOS vulnerability, “powerdir,” could lead to unauthorized user data access – Microsoft Security Blog

NISTIR 8349: Methodology
for Characterizing Network Behavior of Internet of Things Devices

The National Cybersecurity Center of Excellence (NCCoE) has
published for comment a draft NIST Internal Report (NISTIR) 8349: Methodology for Characterizing
Network Behavior of Internet of Things Devices. The public comment
period is open until February 11, 2022.

Securing a network is a complex task made more challenging when
Internet of Things (IoT) devices are connected to it. NISTIR 8349 demonstrates
how to use device characterization techniques and the MUD-PD open source tool to describe the communication
requirements of IoT devices in support of the manufacturer usage description (MUD) project. Manufacturers
and network administrators can use the techniques and tools described in the
report for capturing network communications from IoT devices, analyzing network
captures, and generating MUD files to help ensure IoT devices perform as
intended.

Your Input Matters      

The NCCoE relies on developers, providers, and users of
cybersecurity technology and information to provide input to our cybersecurity
reports and guidance to produce useful and technically correct resources. We
look forward to receiving your comments on this draft report.

Submit comments via email to iot-ddos-nccoe@nist.gov on or before February
11, 2022. You can also help shape and contribute to this project by joining the
loT Community of Interest by sending an email to iot-ddos-nccoe@nist.gov detailing your
interest.

 Original
release date: December 2, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity
Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in
Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote
code execution vulnerability that affects all ServiceDesk Plus versions up to,
and including, version 11305. 

This vulnerability was addressed by the update released by Zoho on September
16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched,
successful exploitation of the vulnerability allows an attacker to upload
executable files and place webshells that enable post-exploitation activities,
such as compromising administrator credentials, conducting lateral movement,
and exfiltrating registry hives and Active Directory files. Zoho has set up a
security response plan center that provides additional details, a
downloadable tool that can be run on potentially affected systems, and a
remediation guide.

CISA encourages organizations to review the joint Cybersecurity
Advisory and apply the recommended mitigations immediately.

 Microsoft has observed multiple Iranian threat actors targeting the IT
services sector in attacks that aim to steal sign-in credentials belonging to
downstream customer networks to enable further attacks.

Iranian targeting of IT sector on the rise – Microsoft Security Blog