Briefly Briefed: Newsletter #20 (25/01/24)
"Yo, yo, yo, 148-3 to the 3 to the 6 to the 9. Representing the ABQ."
This is week #20 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.
My ‘if you only read two’ recommendations for the week are:
Ransomware attacks leave small business owners feeling suicidal by Alexander Martin
Many CVE Records Are Listing the Wrong Versions of Software as Being Affected by pluginvulnerabilities.com
"Remember who you're working for."
Meme of the Week:
Many CVE Records Are Listing the Wrong Versions of Software as Being Affected by pluginvulnerabilities.com
This article discusses inaccuracies in Common Vulnerabilities and Exposures (CVE) records, highlighting instances where the wrong versions of software are listed as being affected by vulnerabilities. It cites examples where security providers like Wordfence and Patchstack, involved in the CVE system, inaccurately claim all previous versions of certain software as vulnerable. The article emphasises the significant implications of such inaccuracies, including misleading security assessments and incorrect identification of security breach sources. It advocates for a more accurate reporting system in the CVE records to mitigate these issues.
Whilst there is a lot of great work done by CNAs, NIST NVD and CISA, managing vulnerability data at a macro level still leaves a lot to be desired. This is one of a long list of issues relating to the accuracy and utility of vulnerability metadata at scale. The post illustrates the impact and overhead these shortfalls can create. It’s hardly news, but we (the collective infosec community) need to consider how to drive change and support agencies tasked with supporting these frameworks. Interestingly, according to this white paper, China’s CNVD is doing a better job than their US counterparts. Doubtless there are lessons to be learnt.
SECGov X Account Compromise by The SEC
The article describes a security incident involving the unauthorised access of the SEC's @SECGov X account on January 9, 2024. It details the SEC's response and coordination with law enforcement and federal oversight entities, including the FBI and DHS's Cybersecurity and Infrastructure Security Agency. The unauthorised access was achieved via a SIM swap attack on the SEC's phone number associated with the account. The article outlines the SEC's ongoing investigation, the disabling and re-enabling of multi-factor authentication on their accounts, and emphasises the SEC's commitment to cybersecurity and incident impact assessment.
I hope this is going on their Form 8k…. joking aside, this demonstrates why utilising SMS-based MFA is not a good idea. Attackers are becoming more skilled at bypassing MFA as adoption increases. It’s a good idea to enable more than two factors where the option is available, avoiding fall-back to SMS. It’s recommended to back-up authenticator apps securely, else you could lose access should your smart phone have issues (don’t save the files on your local machine unencrypted or in the same place you keep you passwords though!)
The article details a significant security breach at Toyota Tsusho Insurance Broker India (TTIBI) and Eicher Motors, initiated through a premium calculator website. The exploit involved a client-side email sending mechanism, which led to the leakage of an email account password and enabled access to TTIBI's Microsoft corporate cloud resources. The breach revealed extensive customer information including insurance policy PDFs, OTPs, and more. Despite reporting the vulnerability, TTIBI took over two months to address the issue and had not changed the compromised email password, highlighting significant security oversights and risks.
It’s often the most inconspicuous functionality that proves the most problematic! Anyone else remember using the calculator in Windows XP to priv esc? What is it about calculator apps?
How to Vet a Corporate Intelligence Vendor by Maria Robson-Morrow, Katherine Tucker, and Paul R. Kolbe (HBR)
This article emphasises the growing demand for intelligence vendors in the corporate sector. It presents four key questions to guide the selection of an intelligence vendor: ensuring the vendor's expertise aligns with the company's needs, confirming that their services can be tailored to specific requirements, verifying the vendor's ethical standards, and fostering a supportive relationship with them. The authors stress the importance of specialisation, ethical conduct, and mutual understanding in these vendor-client relationships to maximise the effectiveness and integrity of the intelligence services.
The post provides good insights in to how to select intelligence vendors to support security goals. These types of cyber-physical risks are increasingly falling to the CISO to manage, especially in cases of offshoring or vendor management.
The post details Microsoft's response to an attack by the nation-state actor known as Midnight Blizzard, identified as Russian state-sponsored actor Nobelium. The attack, detected on January 12, 2024, involved a password spray attack compromising a non-production test account and accessing a small percentage of Microsoft's corporate email accounts. It emphasises that the attack didn't stem from a vulnerability in Microsoft products or services and did not affect customer environments, production systems, source code, or AI systems. Microsoft outlines its commitment to security and business risk balance, mentioning the Secure Future Initiative and a move towards applying current security standards to all Microsoft-owned legacy systems and internal business processes. The post concludes with a pledge to share information and learnings to benefit the community and to continue collaborating with law enforcement and regulators.
The attack on Microsoft was the big news of the past week, as it became public following their SEC form 8K filing. Some industry stalwarts are sceptical of the details Microsoft have released, including Crowdstrike CEO George Kurtz, highlighting that details are unusually ‘scant’. This isn’t the first time he’s had a public pop at Microsoft though, and probably won’t be the last! It will be interesting to see more high-profile disclosures from publicly listed companies via this route, and the impact on share price and security spend.
How do you know you are "Ready to Respond"? by Angelika Rohrer
The article introduces the Continuous Improvement (CI) Framework, a tool designed to assess and improve an organization's readiness to respond to incidents. It emphasises the importance of having a well-maintained operational infrastructure for effective incident response. The framework includes a systematic approach to categorise and measure response strategies, identifying gaps in operational infrastructure, and guiding the prioritisation of improvements. The CI Framework is presented as a dynamic and scalable solution for organisations to enhance their incident response capabilities.
It’s great to see an emphasis on continuous improvement as part of IRPs. One of the most common mistakes in incident response, is not taking the time to evaluate past performance. This is often due to time pressures and the reliance of multi-purpose secops teams who’re spread thin. However, alongside testing well-documented plans, ‘lessons learnt’ are essential.
Ransomware attacks leave small business owners feeling suicidal by Alexander Martin (The Record)
The article, based on a Royal United Services Institute (RUSI) report, highlights the severe psychological impact of ransomware attacks on small business owners. It details cases where business owners felt suicidal and the need for PTSD support teams due to the immense stress caused by such attacks. The report underscores the intertwining of personal and professional lives in small businesses, intensifying the emotional toll of these cyber incidents. It also notes the often-overlooked stress on IT teams in larger organisations, leading to burnout and other mental health issues.
This is really distressing to see, but not wholly surprising. It can be quite emotionally draining to be a defender in larger organisations too, especially during late nights and ongoing campaigns (as I’m sure many of you know.) The report findings reiterate the human cost of cyberattacks. I hope that cyber-criminals will come to understand the affect their actions have on other human beings, sometimes ruining livelihoods.
The LVE Project is a repository that documents and tracks vulnerabilities and exposures of large language models. It focuses on identifying and sharing information about potential security and ethical issues associated with these advanced AI systems. The site is an open-source, Apache-2 licensed project, encouraging contributions from the community. It features various sections such as documentation, challenges, and a blog, aiming to foster a global collaborative effort in red teaming language models and addressing issues related to privacy, reliability, security, and trust.
As focal points for LLMs and AI safety and security emerge, it’s unclear which one will become ‘the Highlander’ of cybers. This is a useful resource though, and already has a good amount of data.
Financial Services Organizations Experience 137% Increase in Vendor Email by Mick Leach (Abnormal Security)
The article discusses a significant increase in vendor email compromise (VEC) and business email compromise (BEC) attacks targeting the financial services sector in 2023. It highlights a 137% rise in VEC attacks and a 71% increase in BEC attacks, illustrating the growing sophistication of cybercriminals in exploiting email systems. The article underscores the need for financial services organisations to adopt advanced security measures and strategies to counter these threats.
Some useful data to inform business cases and for aggregated reports, especially for those in the financial services industry.
How to Introduce Semgrep to Your Organization by Maciej Domanski (Trail of Bits)
The article provides a comprehensive guide on integrating Semgrep, a static analysis tool, into an organisation. It covers a seven-step plan for effective implementation, focusing on understanding Semgrep's capabilities, exploring its rulesets, tailoring it to specific organisational needs, and ensuring its ethical and effective use. The article emphasises the importance of training teams on Semgrep, customising its features, and integrating it into the CI/CD pipeline for optimal security and code quality enhancement.
I wouldn’t normally share product specific ‘how-tos’ outside of the CSPs (AWS, Azure, GCP), but this post has broader appeal, and I’m a big fan of Semgrep and their approach to SAST.
Hunting Adversary Infrastructure Training Course by Michael Koczwara
The course is designed to teach advanced techniques in hunting adversary infrastructure. It covers topics like infrastructure hunting, tooling, tracking criminal groups and nation-state actors from various countries, and exploring post-exploitation frameworks. The course is aimed at developing practical skills and deepening theoretical understanding of tracking APTs, criminal, and ransomware groups. It emphasises on learning how to track threat actors' infrastructure and advanced pivoting techniques.
Over the last few years, Michael has made some great contributions to threat hunting (especially around C2 frameworks). This training looks great for anyone involved in SOCs, threat hunting or detection engineering.
The Fundamentals of AD Tiering by Tobias Thorbjørn Munch Torp
The blog post by Tobias Thorbjørn Munch Torp provides a detailed guide on implementing Active Directory (AD) tiering. It covers the core concepts and practical steps to classify, organise, and secure AD environments into different tiers based on access privileges and security requirements. The post emphasises the importance of a structured approach to prevent unauthorised access and enhance overall AD security, offering a comprehensive view on tiering strategies for effective administration and security management.
Best. Name. Ever.
This is a well covered area of research and documentation, but there are some useful takeaways and it serves as a great primer for non-security engineers who need to tackle the AD tiering challenge.
It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable by Jon Williams, Senior Security Engineer (Bishop Fox)
The article discusses vulnerabilities in SonicWall next-generation firewall devices, specifically series 6 and 7. It reveals two unauthenticated denial-of-service vulnerabilities that potentially allow for remote code execution (although they were not discovered by Bishop Fox themselves). The vulnerabilities, identified as CVE-2022-22274 and CVE-2023-0656, were found to be fundamentally similar but exploitable at different HTTP URI paths. The article reports that 76% of the scanned SonicWall firewalls exposed to the internet are vulnerable to one or both issues, posing significant security risks.
It’s 2024?? Why didn’t anyone tell me?! This is a nice piece of research by Bishop Fox, and illustrates the challenges vendors and organisations have when trying to patch. Network devices are generally more difficult to patch and many organisations don’t run the latest and greatest code versions for a number of technical (normally compatibility) reasons. That said, there’s unlikely to be a good use-case to not mitigate those specific CVEs.
Web LLM Attacks by Portswigger Web Security Academy
The article discusses the vulnerabilities associated with integrating Large Language Models (LLMs) into websites. It outlines how attackers can exploit these models to access data, APIs, or user information indirectly. The key techniques include prompt injection, exploiting LLM APIs, and indirect prompt injection. The article emphasises the need for robust security measures, such as treating APIs accessible by LLMs as publicly available and avoiding feeding sensitive data to LLMs. It provides insights into the potential risks and suggests best practices for safeguarding against LLM attacks.
This is a great resource, and for me, signifies the start of Web LLM pen testing going more mainstream. The content in the Web Security Academy is consistently high, and this is no exception.
The article delves into the vulnerabilities in AI, focusing on a universal prompt injection attack in the GPT Store. It highlights how most GPTs, including those used in popular applications like Canva, are susceptible to information leaks. The post explains the concept of a prompt injection attack, where a special phrase is used within a prompt to disclose hidden pre-prompts or instructions of the AI, potentially leading to data breaches and other risks. The article also discusses the implications of such vulnerabilities, suggesting the need for better security measures in AI applications.
I really enjoyed this post (and subsequently playing with the pre-prompt injection payload and trying my own.) I’m not convinced this particular vector will disclose anything THAT sensitive, but I’m often surprised by what software ‘builders’ will decide to store where.
Thanks for reading ‘Briefly Briefed:’ - To receive the newsletter on a weekly basis, please subscribe below.