Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Guide to Securing Remote Access
The US Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the FBI, NSA, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Israel's National Cyber Directorate, has released a Guide to Securing Remote Access Software.
The guide provides an overview of remote access software, which is used for administration and remote monitoring of conventional IT systems as well as operational technology (OT) and industrial control systems (ICS) but goes on to discuss the malicious use of such software. Threat actors find it appealing because it often bypasses security tools, eliminates the need for development of tools such as backdoors and remote access trojans, often has privileged capabilities which can bypass management policies and can facilitate multiple types of intrusions and exploitations.
The guide provides TTPs and an extensive list of recommendations for organizations in general, as well as for customers of managed service providers and SaaS services, MSPs themselves, administrators and developers of remote access-capable products.
CISA, CISA and Partners Release Joint Guide to Securing Remote Access Software, Alert, 6 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/06/cisa-and-partners-release-joint-guide-securing-remote-access-software.
Clop Claims MOVEit
For the last few days, we've been following the breach of Progress Software's MOVEit file transfer service, which has triggered alarm in all kinds of places. MOVEit is one of many file transfer services which have sprung up to deal with the problems of users attempting to transfer large files by email. The fundamental problem is that SMTP-based Internet email is a text-oriented system which was originally designed to transfer 7-bit ASCII text, only a slight advance over the earlier UUCP dial-up transfer of emails. MIME (the Multipurpose Internet Mail Extensions) allows binary attachments, but it does so by uuencoding or base64-encoding binary data into text, with resultant bloating; the result can be extremely large emails which are rejected by inbound email gateways. Add to this the problems of accidental mis-addressing of emails, etc., and you can see why email attachments are fundamentally A Bad Idea.
MOVEit, according to Progress, "provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting", but unfortunately the browser-based interface to both the MOVEit Transfer and MOVEit Cloud products turns out to be vulnerable to a classic, but critical, SQL injection vulnerability (CVE-2023-34362). No sooner had Progress disclosed the 0-day vulnerability than customers and incident response firms began discovering prior exploitation in the wild. Early victims include the government of the Canadian province of Nova Scotia, UK high-street pharmacy chain Boots, the BBC and British Airways.
Security researchers have found exploitation from several days prior to Progress's disclosure, and there were early signs, such as scanning for the MOVEit login page, as far back as early March. Mandiant tentatively identified the threat actor involved as the FIN11 group, which is an affiliate of the Clop cybercrime operator. Microsoft followed up with a tweet confirming this:
"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. ... Exploitation is often followed by deployment of a web shell w/ data exfil capabilities. CVE-2023-34362 allows attackers to authenticate as any user. Lace Tempest (Storm-0950, overlaps w/ FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files."
Recommended remediation involves disabling all HTTP and HTTPS traffic to MOVEit Transfer, deleting any unauthorized files and user accounts, updating the installation with the latest release and then monitoring for further problems. Paul Ducklin, at Sophos' Naked Security Blog, has done a very nice explanatory write-up.
Progress Software, MOVEit Transfer Critical Vulnerability (May 2023), web article, 5 June 2023. Available online at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023.
Microsoft Threat Intelligence, "Microsoft is attributing ... ", tweet, 5 June 2023. Available online at https://twitter.com/MsftSecIntel/status/1665537730946670595.
Ducklin, Paul, MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…, blog post, 5 June 2023. Available online at https://nakedsecurity.sophos.com/2023/06/05/moveit-zero-day-exploit-used-by-data-breach-gangs-the-how-the-why-and-what-to-do/.
Google Releases Fix for Chrome 0-day
Google has released a fix for a Chrome vulnerability which is being exploited in the wild. The high-severity vulnerability, CVE-2023-3079, was discovered by Clément Lecigne of Google's Threat Analysis Group in early June. It is a type confusion bug in the V8 JavaScript and WebAssembly runtime, and it affects the desktop versions of Chrome.
The fix has been incorporated in Chrome 114.0.5735.110 for Windows, and 114.0.5735.106 for Mac, so users should be camping on the Help / About Google Chrome menu option to ensure they get the new version ASAP. The Android version of Chrome seems to be unaffected, but browsers which are based on the Chromium source, such as Microsoft's Edge, are likely to have the same vulnerability so we should expect updates for those, too.
Sista, Srinivas, Stable Channel Update for Desktop, Google Chrome Releases blog, 5 June 2023. Available online at https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.