{"id": "DEBIAN:DSA-3523-1:F4594", "bulletinFamily": "unix", "title": "[SECURITY] [DSA 3523-1] iceweasel security update", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3523-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMarch 20, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : iceweasel\nCVE ID : not available\n\nThis update disables the Graphite font shaping library in Iceweasel,\nDebian's version of the Mozilla Firefox web browser.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 38.7.1esr-1~deb7u1.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 38.7.1esr-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 45.0.1esr-1 of the firefox-esr source package.\n\nWe recommend that you upgrade your iceweasel packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "published": "2016-03-20T22:04:17", "modified": "2016-03-20T22:04:17", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00097.html", "reporter": "Debian", "references": [], "cvelist": [], "type": "debian", "lastseen": "2018-10-18T13:49:01", "edition": 2, "viewCount": 0, "enchantments": {"score": {"value": 3.6, "vector": "NONE", "modified": "2018-10-18T13:49:01", "rev": 2}, "dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:1485"]}, {"type": "mssecure", "idList": ["MSSECURE:82D3580754DA96FD93831A7833D47D62"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:90DD0AABBC88137103AF5EBE0BC139D7"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-70929"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:04DFB64876C2018B4C8089BDBC359066"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0541-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:2480263761626163644"]}, {"type": "schneier", "idList": ["SCHNEIER:7771A7F05A95A96025A02D48BA85B7D1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BCA35B2D5B3E7432E316ECDF7499D8CD", "TALOSBLOG:B6094C89CA7BC27EB70317743B95A344"]}, {"type": "cve", "idList": ["CVE-2020-11930", "CVE-2020-11928"]}, {"type": "ubuntu", "idList": ["USN-4331-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:48348", "EDB-ID:48346"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143735", "OPENVAS:1361412562311220201511", "OPENVAS:1361412562311220201509", "OPENVAS:1361412562310143731"]}], "modified": "2018-10-18T13:49:01", "rev": 2}, "vulnersScore": 3.6}, "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "arch": "all", "operator": "lt", "packageFilename": "iceweasel_38.7.1esr-1~deb7u1_all.deb", "packageName": "iceweasel", "packageVersion": "38.7.1esr-1~deb7u1"}, {"OS": "Debian", "OSVersion": "8", "arch": "all", "operator": "lt", "packageFilename": "iceweasel_38.7.1esr-1~deb8u1_all.deb", "packageName": "iceweasel", "packageVersion": "38.7.1esr-1~deb8u1"}], "immutableFields": []}

{"qualysblog": [{"lastseen": "2021-04-14T04:32:34", "bulletinFamily": "blog", "cvelist": [], "description": "It\u2019s no secret that the number of vulnerabilities is on the rise, and so too are the attempts by hackers to exploit them as quickly as they can. Over the last few years, the average time from vulnerability disclosure to exploit is down to a mere seven days. Organizations therefore need to move quickly and apply patches to protect systems from exploitation.\n\nJust today Microsoft released security updates for Microsoft Exchange servers which allow an unauthenticated attacker to execute arbitrary code on the remote system. Given the hacking spree that followed after the disclosure of [ProxyLogon](<https://blog.qualys.com/vulnerabilities-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) vulnerability, CISA issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2>) directing all federal agencies to install today&#x27;s security updates by 12:01 AM on Friday, **April 16th, 2021**.\n\nIt\u2019s easier said than done.\n\n### Patch Management Challenges\n\nIT teams tasked with patching the organization\u2019s digital infrastructure often face multiple hurdles while trying to achieve a seamless patching process that improves an organization\u2019s security posture. One of the primary challenges is the lack of a consolidated platform that both recommends and applies patches based on efficient vulnerability prioritization techniques.\n\nFurther, IT teams face the following pain points while performing security-driven patch management processes.\n\n 1. Disparate systems handling security vulnerability detection, prioritization and the patch deployment process. This often leads to \u2018patch fatigue\u2019 for IT teams who are tasked with applying a seemingly infinite number of patches while failing to address critical vulnerabilities that matter the most.\n 2. Lack of workflows based on underlying security SLAs to automate and scale the patching process.\n 3. Inability to quickly determine the exact patch required to remediate a vulnerable product or OS version.\n\nTo address these challenges Qualys developed its [Patch Management](<https://www.qualys.com/apps/patch-management/>) solution which provides a unified vulnerability detection (through VMDR), prioritization and remediation platform. By leveraging the integrated workflow between Qualys VMDR and Qualys Patch Management customers are able to remediate vulnerabilities much faster than those with disconnected patching solutions.\n\n### Advantages of Qualys Patch Management\n\nWith Qualys Patch Management, the Qualys Cloud Platform consolidates vulnerability assessment, threat prioritization and remediation, allowing IT and SecOps teams to centralize remediation of vulnerabilities across operating system and over 300 third-party applications.\n\nUsers can quickly target critical Common Vulnerability and Exposure IDs (CVEs) without researching knowledge base articles, then deploy the patch to endpoints, on-premises or cloud assets and verify remediation all from one console.\n\n\n\n### Introducing \u201cThis Month in Patches\u201d Webinar Series\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is excited to announce the start of a new monthly webinar series \u201c[This Month in Patches](<https://www.brighttalk.com/webcast/11673/479772>).\u201d\n\nIn this new monthly webinar series, which will occur on every **Thursday after Patch Tuesday**, Qualys Research team will discuss some of the key vulnerabilities disclosed in the past month (including Microsoft Patch Tuesday) and how to patch them.\n\nHere\u2019s what we will cover:\n\n * Vulnerability and threat landscape metrics covered by Qualys over the last month\n * Notable Patch Tuesday vulnerabilities assessed on risk, threat, priority and remediation perspectives\n * Actionable patch prioritization dashboards\n * Demo highlighting seamless prioritization and patching using Qualys\u2019 rich RTI information, vulnerability research and prioritization interface\n\n### Free 60-Day Patch Management Trial\n\nIn addition to the new webinar series, Qualys is also excited to announce the availability of a [free 60-day trial of Patch Management](<https://www.qualys.com/forms/patch-management/>). We hope the free trial will help global organizations and community of security professionals in general to deploy patches quickly and reduce the mean time to remediate.", "modified": "2021-04-14T04:20:07", "published": "2021-04-14T04:20:07", "id": "QUALYSBLOG:F0B17391D9E051197208C06ED39EFEA4", "href": "https://blog.qualys.com/category/product-tech", "type": "qualysblog", "title": "Introducing \u201cThis Month in Patches\u201d Webinar Series", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2021-04-13T22:30:15", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-bwv7NyL5Egk/YG0DGYBWZCI/AAAAAAAAV2E/uzu3cSqMVocc77fl9xd5XR4nUesRIJB9ACNcBGAsYHQ/s793/traitor_1_demo.gif>)\n\n \n\n\nAutomatically exploit low-hanging fruit to pop a root shell. Linux [ privilege escalation ](<https://www.kitploit.com/search/label/Privilege%20Escalation> \"privilege escalation\" ) made easy! \n\nTraitor packages up a bunch of methods to exploit local [ misconfigurations ](<https://www.kitploit.com/search/label/Misconfigurations> \"misconfigurations\" ) and [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities> \"vulnerabilities\" ) (including most of [ GTFOBins ](<https://gtfobins.github.io/> \"GTFOBins\" ) ) in order to pop a root shell. \n\nIt'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable ` docker.sock ` . More routes to root will be added over time too. \n\n \n\n\n** Usage ** \n\n\nRun with no arguments to find potential vulnerabilities/misconfigurations which could allow privilege escalation. Add the ` -p ` flag if the current user password is known. The password will be requested if it's needed to analyse sudo permissions etc. \n \n \n traitor -p\n\nRun with the ` -a ` / ` --any ` flag to find potential vulnerabilities, attempting to exploit each, stopping if a root shell is gained. Again, add the ` -p ` flag if the current user password is known. \n \n \n traitor -a -p\n\nRun with the ` -e ` / ` --exploit ` flag to attempt to exploit a specific [ vulnerability ](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) and gain a root shell. \n \n \n traitor -p -e docker:writable-socket\n\n \n** Supported Platforms ** \n\n\nTraitor will run on all Unix-like systems, though certain exploits will only function on certain systems. \n\n \n** Getting Traitor ** \n\n\nGrab a binary from the [ releases page ](<https://github.com/liamg/traitor/releases> \"releases page\" ) , or use go: \n \n \n CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor \n \n\nIf the machine you're attempting privesc on cannot reach GitHub to download the binary, and you have no way to upload the binary to the machine over SCP/FTP etc., then you can try base64 encoding the binary on your machine, and echoing the base64 encoded string to ` | base64 -d > /tmp/traitor ` on the target machine, remembering to ` chmod +x ` it once it arrives. \n\n \n \n\n\n** [ Download Traitor ](<https://github.com/liamg/traitor> \"Download Traitor\" ) **\n", "edition": 1, "modified": "2021-04-13T21:30:00", "published": "2021-04-13T21:30:00", "id": "KITPLOIT:2038172355644588718", "href": "http://www.kitploit.com/2021/04/traitor-automatic-linux-privesc-via.html", "title": "Traitor - Automatic Linux Privesc Via Exploitation Of Low-Hanging Fruit E.G. GTFOBin", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2021-04-13T22:15:37", "bulletinFamily": "unix", "cvelist": ["CVE-2021-25122", "CVE-2021-25329"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4891-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 13, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat9\nCVE ID : CVE-2021-25122 CVE-2021-25329\n\nTwo vulnerabilities were discovered in the Tomcat servlet and JSP engine,\nwhich could result in information disclosure or denial of service.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 9.0.31-1~deb10u4.\n\nWe recommend that you upgrade your tomcat9 packages.\n\nFor the detailed security status of tomcat9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-04-13T20:47:29", "published": "2021-04-13T20:47:29", "id": "DEBIAN:DSA-4891-1:1A529", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00072.html", "title": "[SECURITY] [DSA 4891-1] tomcat9 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-04-13T21:48:32", "bulletinFamily": "info", "cvelist": [], "description": "A W2 tax email scam is circulating in the U.S. using Typeform, a popular software that specializes in online surveys and form building. The campaign is aimed at harvesting victims\u2019 email account credentials, researchers said.\n\nAccording to Armorblox, the campaign also bypasses native Google Workspace email security filters in the victims it examined.\n\n\u201cThe email impersonated an automated file-sharing communication from OneDrive, informing victims that they had received a file,\u201d researchers explained in [an analysis](<https://www.armorblox.com/blog/blox-tales-w2-tax-scam-using-typeform/>) on Tuesday. \u201cThe email was sent from a Hotmail ID and was titled \u2018RE: Home Loan,\u2019 followed by a reference number and the date, making it seem like the email was part of an ongoing conversation to lend it more legitimacy.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe links included in the emails purport to lead to a document called \u201c2020_TaxReturn&amp;W2.pdf,\u201d researchers found. Instead, the links take users to a Typeform page where victims are asked to enter their email account credentials before being granted access to the file.\n\nHowever, entering email account information into the form only returns error messages. After several attempts, the campaign surfaces a message saying that \u201cthe document is secured\u201d and that the user\u2019s identity could not be verified.\n\n\u201cIt\u2019s likely that the error messages could be a smokescreen for the attackers to gather as many account ID and password combinations as unsuspecting victims are willing to enter in an attempt to brute-force their way to gain access to the W2,\u201d according to Armorblox. \u201cIn reality, there is no W2 pot of gold at the end of this malicious rainbow.\u201d\n\n## **Evading Google Workspace Email Filters**\n\nResearchers said that one of the most notable aspects of the campaign is its ability to skirt around email defenses, including native Google Workspace email security\n\nOne of the ways it does that is by sending the emails from a newly created Hotmail domain. This has the effect of helping mails get by email authentication checks like [DMARC, DKIM and SPF](<https://threatpost.com/airline-dmarc-policies-lag-opening-flyers-to-email-fraud/158449/>), which look for spoofed email addresses, among other things.\n\n\u201cAttackers often send emails from newly created Gmail, Yahoo, and Hotmail IDs to circumvent any filters and blocklists in place that block known low reputation domains,\u201d Armorblox researchers explained.\n\nAlso, using Typeform to host the phishing page means that filters won\u2019t clock the links as malicious since it\u2019s a trusted application. Other phishing attacks have been observed exploiting Box, [Google Firebase](<https://threatpost.com/crooks-tap-google-firebase-in-fresh-phishing-tactic/155967/>), Google Forms and Webflow in a similar manner.\n\n\u201cFree online services like Typeform make our lives easier, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks,\u201d researchers said.\n\nThe campaign also employed a number of techniques on the social-engineering front to pass the eye tests of unsuspecting end users, according to the analysis.\n\n\u201cThe email title, content and context aimed to induce a sense of fear and urgency in the victims. By using tax and deadline-related anxieties that beset the best of us, attackers hope that victims click before they think,\u201d researchers explained.\n\nThey added, \u201cThe email includes a link that says \u2018Learn about messages protected by Office 365\u2019 that leads to a real Microsoft-hosted page with security information. Attackers often include such signifiers in emails to lull victims into a false sense of security (no pun intended).\u201d\n\nAnd finally, the campaign replicates existing workflows by pretending to be automated file-sharing messages from OneDrive.\n\n\u201cWe get tons of such emails everyday informing us that someone has shared files with us, someone has replied to our message, someone has commented on a document and so on,\u201d according to Armorblox. \u201cWhen we see emails that seem similar (at first glance) to known email workflows, our brains tend to employ [System 1 thinking](<https://www.marketingsociety.com/think-piece/system-1-and-system-2-thinking>) and take quick action.\u201d\n\n## **How to Avoid Phishing Attacks **\n\n\u201cEmployees continue to fall for these scams because the emails are so authentic-looking, and it is difficult to tell the difference from the real thing,\u201d Joseph Carson, chief security scientist at Thycotic, told Threatpost.\n\nThus, a front line of defense is to develop better cybersecurity hygiene by educating employees on ways to detect email scams, he noted.\n\n\u201cIf an email does make it into the inbox, then go to the website and call the number to check if it is authentic and do not call the number if provided within the email as, most likely, it is fake also,\u201d he advised. \u201cCheck the email sender address and not the display name. Check the email for spelling mistakes. Check any hyperlink addresses by hovering over them to see where they send you. However, do not click on the links. Also check your personal details for accuracy. These simple tips will help employees avoid a potential cybersecurity nightmare for their organization.\u201d\n\nHank Schless, senior manager of security solutions at Lookout, also cautions organizations to not forget about mobile device.\n\n\u201cSecurity teams should be protecting employees across all endpoints to ensure they don\u2019t fall victim to a phishing attack or download a malicious attachment that compromises the organization,\u201d told Threatpost. \u201cThese types of scams are most effective on mobile devices, and attackers know this. For that reason, they are creating targeted phishing campaigns to take advantage of the mobile interface that makes it hard to spot a malicious message.\u201d\n\nAnd finally, people shouldn\u2019t assume that legitimate services equal a legitimate communication, according to Armorblox.\n\n\u201cThis piece of advice is also difficult to enact in practice, given the crowded nature of our inboxes,\u201d according to the analysis. \u201cHowever, try to be skeptical by default of any form that asks for your login credentials, even if the form is built using a legitimate service like Google or Typeform. These services are as easily available to cybercriminals as they are to the rest of us.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n\n**_ _**\n", "modified": "2021-04-13T18:29:33", "published": "2021-04-13T18:29:33", "id": "THREATPOST:94787E902DF1622BB52BEFD30A42A983", "href": "https://threatpost.com/tax-phish-google-workspace-email-security/165376/", "type": "threatpost", "title": "Tax Phish Swims Past Google Workspace Email Security", "cvss": {"score": 0.0, "vector": "NONE"}}], "github": [{"lastseen": "2021-04-13T18:15:08", "bulletinFamily": "info", "cvelist": [], "description": "GitHub Actions provide a powerful, extensible way to automate software development workflows. When access to outside resources is required, GitHub provides the ability to store [encrypted secrets](<https://docs.github.com/en/actions/reference/encrypted-secrets>) used by GitHub Actions to authenticate against these resources. This makes managing access more simple and secure.\n\nGood secret management practices include following principles of least privilege by narrowly scoping secrets to provide access to only what is required, limiting the manner in which the secret can be invoked, and rotating secrets when necessary. GitHub Actions provide several features to help your organization effectively implement a secret management strategy based on least privilege.\n\n## Secret availability\n\nSecrets can be stored within GitHub at three different levels: the [organization](<https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-organization>), a single [repository](<https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository>), or a repository [environment](<https://docs.github.com/en/actions/reference/environments#environment-secrets>). The level at which the secret should be stored depends on its scope and intended use.\n\n\n\nFor example, a Slack bot token with permissions to only post to organization-owned workspaces is used to broadcast status updates as part of CI/CD workflows. This token has no special access to any resources, and many different repositories\u2019 workflows will post similar updates to Slack. This secret might be stored at the organization level. When creating an organization secret, you can choose to make it available to all repositories in the organization, only private and internal repositories, or a selected set of repositories.\n\n\n\nA containerized application stores its custom images in AWS Elastic Container Registry (ECR). To ensure the automation used to deploy the application cannot be used to pull other containers, a unique token is created for the repository and stored as a repository-level secret.\n\nThat same containerized application is deployed as an Azure Web App in different dev, test, and prod environments. Each environment requires its own, unique publishing profile. Using environments, these can be stored as environment-level secrets within a repository.\n\n## Limiting use of secrets\n\nLeast privilege secret management is concerned not only with what a token can access, but also how can it be used, and by whom. Combining properly scoped secrets with [environment protections](<https://docs.github.com/en/actions/reference/environments#environment-protection-rules>), [CODEOWNERS](<https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners>), and [branch protection rules](<https://docs.github.com/en/github/administering-a-repository/about-protected-branches>) helps ensure secrets are only used for the intended purpose, by those authorized to do so.\n\nLet\u2019s consider the example of a company, MonaCorp, that wants to ensure a secret can only be used to deploy authorized changes of a single Azure Web Application, OctoMittens, to its production environment. Separate publishing profiles exist for dev, test, and production.\n\nFirst, each of these environments are defined in the repository.\n\n\n\nEach environment has its own `AZURE_WEBAPP_PUBLISH_PROFILE` secret, storing the respective value.\n\n\n\nWithout any additional configuration, someone with write access could create a branch `unauthorized-production-deployment`, modify a workflow file on that branch, and trigger the workflow\u2014causing the secret to be used to deploy to production. This type of unauthorized credential use can be prevented by:\n\n * Creating an environment protection rule limiting the branch(es) that can deploy to the `production` environment. In this case, a rule is created to allow only the `main` branch to deploy to `production`. \n\n * Configuring CODEOWNERS to establish ownership of the `.github/workflows` directory. Here the `@monacorp/automation-review` team is assigned ownership. \n \n ### Actions workflows\n .github/workflows/ @monacorp/automation-review\n\n * Creating a branch protection rule that requires review from CODEOWNERS for any merge into `main` and prevents force pushes.\n\nWith all these in place, the only available way to use the production `AZURE_WEBAPP_PUBLISH_PROFILE` secret is in workflows on the `main` branch targeting the `production` environment. Any attempt to use this secret elsewhere requires merging a workflow change targeting the `production` environment to the `main` branch, which requires approval by the automatically assigned `@monacorp/automation-review` team.\n\n## Integrating with secret stores\n\nMany companies use a centrally-managed secret store, such as HashiCorp Vault or Azure Key Vault, to store secrets and manage access. GitHub Actions can integrate with these stores while following all of the same principles discussed above.\n\nMonaCorp chooses to store all secrets in HashiCorp Vault. Storing those same secrets in multiple places would violate the DRY principle, create additional management overhead, and add unnecessary risk. MonaCorp needs to provide the same limited scope and access to secrets using HashiCorp Vault as they can completely within GitHub.\n\nTo do this, MonaCorp first creates unique [AppRoles](<https://www.vaultproject.io/docs/auth/approle>) in HashiCorp Vault for each of OctoMittens\u2019 environments: dev, test, and prod. Each AppRole is granted access only to the secrets necessary to deploy to its respective environment.\n\nSecond, MonaCorp stores the `roleId` and `secretId` for each HashiCorp Vault AppRole in GitHub as secrets in the corresponding environment.\n\n\n\nThird, MonaCorp configures their jobs in their GitHub Actions workflows to target a specific environment. Each job uses the [Vault Secrets](<https://github.com/marketplace/actions/vault-secrets>) action to authenticate against HashiCorp Vault as the AppRole for that environment, retrieve the desired secrets, and map them to environment variables. The action uses [GitHub\u2019s built-in masking](<https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#masking-a-value-in-log>) to prevent the values from showing up in any output to logs or the console.\n\nSimilar capabilities are available for those using Azure Key Vault via the [Azure Key Vault - Get Secrets](<https://github.com/marketplace/actions/azure-key-vault-get-secrets>) action.\n\n## Rotating secrets\n\nMonaCorp has a defined policy for secret rotation. Secrets maintained in Vault are rotated in Vault. These changes are automatically picked up by Actions workflows as the Vault Secrets action retrieves new credentials with each workflow run. When a secret stored in GitHub needs to be changed, such as the `secretId`, MonaCorp can automate updating secrets in GitHub via the [REST API](<https://docs.github.com/en/rest/reference/actions#create-or-update-a-repository-secret>).\n\n## Keeping things secret\n\nWith appropriately scoped secrets stored in the proper location(s), environment protection rules, CODEOWNERS, and optional integration with centrally-managed secret stores, GitHub provides organizations all the tools they need to securely manage authentication in their Actions workflows.", "modified": "2021-04-13T18:03:38", "published": "2021-04-13T18:05:20", "id": "GITHUB:189EC2125450076CF80DD8349B517E9D", "href": "https://github.blog/2021-04-13-implementing-least-privilege-for-secrets-in-github-actions/", "type": "github", "title": "Implementing least privilege for secrets in GitHub Actions", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-13T16:24:40", "bulletinFamily": "software", "cvelist": ["CVE-2021-27191"], "description": "The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion.", "edition": 1, "modified": "2021-04-13T15:15:57", "published": "2021-04-13T15:15:57", "id": "GHSA-6Q4W-3WP4-Q5WF", "href": "https://github.com/advisories/GHSA-6q4w-3wp4-q5wf", "title": "Denial of Service in get-ip-range", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-04-13T18:51:18", "bulletinFamily": "software", "cvelist": ["CVE-2021-21394"], "description": "### Impact\nMissing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.\n\n### Patches\nThe issue is fixed by #9321.\n\n### Workarounds\nDepending on the needs and configuration of the homeserver a few options are available:\n\n1. Using email as third-party identifiers be disabled by not configuring the `email` setting.\n2. Using phone numbers as third-party identifiers can be disabled by ensuring that `account_threepid_delegates.msisdn` is not configured.\n3. Additionally, the affected endpoint patterns can be blocked at a reverse proxy:\n\n * `^/_matrix/client/(r0|unstable)/register/email`\n * `^/_matrix/client/(r0|unstable)/register/msisdn`\n * `^/_matrix/client/(r0|unstable)/account/password`\n * `^/_matrix/client/(r0|unstable)/account/3pid`", "edition": 2, "modified": "2021-04-13T18:43:39", "published": "2021-04-13T15:12:51", "id": "GHSA-W9FG-XFFH-P362", "href": "https://github.com/advisories/GHSA-w9fg-xffh-p362", "title": "Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints", "type": "github", "cvss": {"score": 0.0, "vector": "NONE"}}], "mmpc": [{"lastseen": "2021-04-13T18:29:34", "bulletinFamily": "blog", "cvelist": [], "description": "_The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager [Natalia Godyla](<https://www.linkedin.com/in/nataliagodyla/>) talks with [Troy Hunt](<https://www.linkedin.com/in/troyhunt/>), founder of [Have I Been Pwned](<https://haveibeenpwned.com/>), information security author, and instructor at Pluralsight. In this blog, Troy shares his insights on the [evolution of identity](<https://www.microsoft.com/en-us/security/business/identity>), from the biggest gaps in identity to modern technology solutions. _\n\n**Natalia: How has identity evolved over the past 10 years?**\n\n**Troy:** There is so much identity-related data about other people accessible to everyone that the whole premise of having confidence in identity has fundamentally changed. A few years ago, I was invited to [testify in Congress](<https://securityledger.com/2017/12/congress-told-breaches-sharing-spell-end-of-authentication-by-what-we-know/>) about how knowledge-based authentication has been impacted by data breaches. The example I gave was that my father called a telecommunications company to shift his broadband plan to another tier. He told them his name and they asked for his date of birth, as if that\u2019s a secret.\n\nThe biggest shift is with this premise that identity can somehow be assured based on knowledge-based authentication like date of birth, mother&#x27;s maiden name, where you went to school, or, in the United States, Social Security number. That idea is fundamentally flawed and is a big area of identity that needs to change. There are so many services that have absolutely no reason to have your date of birth but do.\n\n**Natalia: What are the current gaps in identity solutions?**\n\n**Troy:** The traditional approach in the United States, where someone says, \u201cJust give us your Social Security number and then we\u2019ll know it&#x27;s you and it will be fine,\u201d has always been inherently flawed, but it\u2019s even more flawed now.\n\nThe bigger concern is what if other people try to prove my identity? I&#x27;m concerned about SIM swapping because there&#x27;s so much identity assurance that is done via SMS. The telecommunications companies will say, \u201cYou shouldn&#x27;t be doing that. You can&#x27;t be confident the person who owns the number is the right person.\u201d And the banks will say, \u201cThis is kind of all we have.\u201d I asked my telco, \u201cCan we put a lock on my SIM so the only way someone can migrate my SIM is if they come into your office and prove identity with a passport or driver\u2019s license?\u201d That would eliminate a lot of the problems. They said, \u201cWe can&#x27;t do that because it would be anticompetitive. Government legislation says we need to make it easy for people to transfer their number to another provider so that people have freedom of choice. Otherwise, they&#x27;re locked into the provider.\u201d And I responded with, \u201cThe outcome of that\u2014depending on the platform I\u2019m using\u2014could be that someone gets into a really important account of mine.\u201d Their response: I shouldn\u2019t have been using SIMs as a means of identity verification.\n\n**Natalia: How can organizations mitigate identity risk?**\n\n**Troy:** For many organizations, there hasn&#x27;t been a lot of forethought around what happens when incidents impact identity. One example is breach preparedness. For many years, many organizations would do disaster recovery planning\u2014the annual entire-site-has-gone-down exercise. I rarely see them drill into the impact of a data breach. Organizations rarely dry run what happens when information is leaked that may enable others to take on identities.\n\nOne organization that had a data breach and [did exceptionally well with disclosure](<https://www.eweek.com/security/imgur-image-hosting-service-discloses-breach-of-1-7m-users-accounts/>) was Imgur. Within 24 hours, they had all the right messaging sent to everyone and cycled passwords. I asked the Chief Technical Officer, \u201cHow did you do this so quickly?\u201d And he said, \u201cWe plan for it. We had literally written the procedures for how we would deal with an incident like this.\u201d That preparedness is often what&#x27;s lacking in organizations today.\n\n**Natalia: What\u2019s the biggest difference between enterprise and consumer identity technologies?**\n\n**Troy:** With internal, enterprise-facing identity, these individuals work for your organization and are probably on the payroll. You can make them do things that you can\u2019t ask customers to do. Universal 2nd Factor (U2F) is a great example. You can ship U2F to everyone in your organization because you&#x27;re paying them. Plus, you can train internal staff and bring them up to speed with how to use these technologies. We have a lot more control in the internal organization.\n\nConsumers are much harder. They are more likely to just jump ship if they don&#x27;t like something. Adoption rates of technologies, like [multifactor authentication](<https://www.microsoft.com/en-us/security/business/identity/mfa>), are extremely low in consumer land because people don&#x27;t know what it is or the value proposition. We also see organizations reticent to push it. A few years ago, a client had a 1 percent adoption rate of two-factor authentication. I asked, \u201cWhy don&#x27;t you push it harder?\u201d They said that every time they have more people using two-factor authentication, there are more people who get a new phone and don&#x27;t migrate their soft token or save the recovery codes. Then, they call them up and say, \u201cI have my username or password but not my one-time password. Can you please let me in?\u201d And they have to go through this big spiral\u2014how do we do identity verification without the thing that we set up to do identity verification in the first place?\n\n**Natalia: What should you consider when building systems and policies for consumers to balance user experience and security?**\n\n**Troy:** One big question is: What is the impact of account takeover? For something like Dropbox, the impact of account takeover is massive because you put a lot of important stuff in your Dropbox. If it&#x27;s a forum community like catforum.com, the impact of account takeover is minimal.\n\nI&#x27;d also think about demographics. Dropbox has enormously wide adoption. My parents use Dropbox and they&#x27;re not particularly tech-savvy. If we\u2019re talking about Stack Overflow, we&#x27;ve got a very tech-savvy incumbent audience. We can push harder on asking people to do things differently from what they might be used to, which is usually just a username and a password.\n\nAnother question is: Is it worth spending money on a per individual basis? My partner, who\u2019s Norwegian, can log on to her Norwegian bank using a physical token. The physical token is not just an upfront cost for every customer but there&#x27;s also a maintenance cost. You\u2019re going to have to cycle them every now and then, and people lose them. And you need to support that. But it&#x27;s a bank so they can afford to make that investment.\n\n**Natalia: What\u2019s your advice on securing identities across your employees, partners, and customers?**\n\n**Troy:** I recommend some form of strong authentication in which you have confidence that a username and a password alone are not treated as identity. That worries me, particularly given there&#x27;s so much credential stuffing, and there are billions of credential pairs in lists. There\u2019s also the big question: How did we establish identity in the first place? Whether it be identity theft or impersonation or even sock puppet accounts, how confident do we need to be in the identity at the point of registration, and then subsequently at the point of reauthentication? That will drive discussions around what level of identity documentation we need. But again, we come back to the fact that we don&#x27;t have a consistent mechanism in the industry, or in even in one single geography, to offer high assurance of identity at the time of registration.\n\n**Natalia: Passwordless is a huge buzzword. A lot of people think of it as a solution to many of our identity problems. What\u2019s your perspective?**\n\n**Troy:** I first started doing interviews a decade ago and people would ask, \u201cWhen are we going to get rid of passwords? Are we still going to have passwords 10 years from now?\u201d Well, we\u2019ve got more passwords than ever, and I think in 10 years, we will have more passwords. Even as we get [passwordless solutions](<https://www.microsoft.com/en-us/security/business/identity/passwordless>), the other passwords don&#x27;t go away.\n\nI have a modern iPhone, and it has Face ID. The value proposition of Face ID is that you don&#x27;t need a password. You are passwordless to authenticate your device. When the phone came, I took it out of the box and had to get on the network. What&#x27;s the network password? I&#x27;ve got no idea, so I go to 1Password and pull it out. So, there&#x27;s one password. Then, the phone asks: Would you like to restore from iCloud? What\u2019s your iCloud password? We\u2019re two passwords in now. Would you like to use Face ID? Yes, because I want to go passwordless. That&#x27;s cool but you&#x27;ve got to have a password as a fallback position. Now, we&#x27;re three passwords in to go passwordless. [Passwordless doesn&#x27;t necessarily mean we kill passwords](<https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/>) altogether but that we change the prevalence with which we use them.\n\n_Keep an eye out for the second part of the interview where Troy Hunt shares best practices on how to secure identities in today\u2019s world._\n\n## Learn more\n\nTo learn more about Microsoft Security solutions [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [How far have we come? The evolution of securing identities](<https://www.microsoft.com/security/blog/2021/04/13/how-far-have-we-come-the-evolution-of-securing-identities/>) appeared first on [Microsoft Security.", "modified": "2021-04-13T18:00:22", "published": "2021-04-13T18:00:22", "id": "MMPC:6177456E9A9ACF1448383C92030D9E84", "href": "https://www.microsoft.com/security/blog/2021/04/13/how-far-have-we-come-the-evolution-of-securing-identities/", "type": "mmpc", "title": "How far have we come? The evolution of securing identities", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-13T16:28:41", "bulletinFamily": "blog", "cvelist": [], "description": "As we have entered into new hybrid work environments, businesses need to think about how they will proactively protect their organizations from the influx of new or \u201cbring your own\u201d (BYO) connected devices. This new normal has exposed the most challenging cybersecurity landscape we\u2019ve ever encountered. As defenders, we know that users are**[ 71 percent more likely to be infected on an unmanaged device](<https://news.microsoft.com/en-xm/2020/10/19/microsofts-experts-offer-up-new-insight-into-the-world-of-cybersecurity/>).**\n\nThis is because security and IT teams don\u2019t have the ability to set the right security settings and configurations, can\u2019t update and patch OS and software vulnerabilities, and can&#x27;t prevent shadow IT and shadow apps. These unmanaged devices that are connecting to company networks present a huge opportunity for attackers to compromise these devices and launch broader attacks.\n\nMicrosoft is committed to staying ahead of this threat on behalf of our customers. Today, we announce a new set of capabilities that empower organizations to discover and secure unmanaged workstations, mobile devices, servers, and network devices on their business networks. All this, without the need to deploy new hardware or software, or make changes to the network configuration. Now, it\u2019s easier for organizations to lock down their network\u2019s foundation as they monitor unmanaged devices, enabling them to execute on their Zero Trust strategy.\n\nCustomers enrolled in Microsoft Defender for Endpoint public preview can take advantage of the latest capabilities that give them visibility into unmanaged endpoints (such as Windows, Linux, macOS, iOS, and Android) and network devices (such as routers, firewalls, WLAN controllers, and others) within minutes. From here, customers can use integrated workflows to onboard and secure the devices. These new Microsoft Defender for Endpoint features increase the security, productivity, efficiency, and safety of your environment.\n\n## The new complexity of hybrid domains\n\nUnmanaged devices are prone to attacks and are easily breached because they are invisible to security teams. Bad actors use them to stealthily perform lateral movements, jump network boundaries, and achieve persistence. Typically, few traces are left behind, enabling attackers to evade early detection and increase their dwell time.\n\nSecurity researchers and industry experts equally recognize the risks that unmanaged endpoints and network devices present. Leaders at Red Canary, a provider of SaaS-based security operations solutions and penetration testing services, share this perspective:\n\n> _&quot;We often engage with organizations immediately following a breach. In many cases, the root cause isn&#x27;t novel or being conducted by highly skilled adversaries,&quot; says Keith McCammon, Chief Security Officer, Red Canary. &quot;Organizations are being targeted by prolific adversaries that have streamlined the process of finding unmanaged assets, exploiting them, and operating with impunity within the victims&#x27; networks until they achieve their objective.&quot;_\n\nWhat prevents organizations from addressing the problem relates to a lack of tooling in security solutions, such as endpoint protection platforms (EPP), that are most commonly deployed by organizations.\n\n## How Microsoft Defender for Endpoint delivers additional protections to hybrid settings\n\nWe believe our customers shouldn\u2019t have to deploy additional tools to mitigate this problem. Therefore, we have added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender for Endpoint. No hardware deployment or software deployment is needed, no change process, all these capabilities are part of Microsoft Defender for Endpoint, and customers can start benefiting from them right now. It\u2019s that easy.\n\nOnce network devices are discovered, security administrators will receive the latest security recommendations and vulnerabilities on them. Discovered endpoints (such as workstations, servers, and mobile devices) can be onboarded to Microsoft Defender for Endpoints, allowing all its deep protection capabilities.\n\n\n\n_Figure 1. Security recommendations for network devices. _\n\nWe\u2019re excited to share this news with you today, and we welcome your feedback as we work together to deliver discovery of unmanaged endpoints and network devices to Microsoft Defender for Endpoint. You can easily provide feedback to our teams in the Microsoft 365 security center. For those not already enrolled in the public preview, we encourage you to do so by turning on the [preview features](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/preview>). Once enrolled, you\u2019re able to secure your unmanaged network devices within minutes.\n\nAs defenders, we\u2019re committed to security for all, helping organizations gain confidence in the security of their devices, data, and digital actions, regardless of where the work gets done.\n\n## Learn more\n\nMore detailed information on our new network and endpoint discovery features can be found in our just-released blogs on Tech Community.:\n\n * [New network device discovery and vulnerability assessments ](<https://aka.ms/mde_networkdevices>)\n * [Endpoint discovery - navigating your way through unmanaged devices](<https://aka.ms/mde_unmanageddevices>)\n\nTo learn more about Microsoft Security solutions [visit our website.](<https://www.microsoft.com/en-us/security/business/solutions>) Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Secure unmanaged devices with Microsoft Defender for Endpoint now](<https://www.microsoft.com/security/blog/2021/04/13/secure-unmanaged-devices-with-microsoft-defender-for-endpoint-now/>) appeared first on [Microsoft Security.", "modified": "2021-04-13T16:00:47", "published": "2021-04-13T16:00:47", "id": "MMPC:1F9A76FACA737A104F1B7340A0C16422", "href": "https://www.microsoft.com/security/blog/2021/04/13/secure-unmanaged-devices-with-microsoft-defender-for-endpoint-now/", "type": "mmpc", "title": "Secure unmanaged devices with Microsoft Defender for Endpoint now", "cvss": {"score": 0.0, "vector": "NONE"}}], "mssecure": [{"lastseen": "2021-04-13T18:18:28", "bulletinFamily": "blog", "cvelist": [], "description": "_The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager [Natalia Godyla](<https://www.linkedin.com/in/nataliagodyla/>) talks with [Troy Hunt](<https://www.linkedin.com/in/troyhunt/>), founder of [Have I Been Pwned](<https://haveibeenpwned.com/>), information security author, and instructor at Pluralsight. In this blog, Troy shares his insights on the [evolution of identity](<https://www.microsoft.com/en-us/security/business/identity>), from the biggest gaps in identity to modern technology solutions. _\n\n**Natalia: How has identity evolved over the past 10 years?**\n\n**Troy:** There is so much identity-related data about other people accessible to everyone that the whole premise of having confidence in identity has fundamentally changed. A few years ago, I was invited to [testify in Congress](<https://securityledger.com/2017/12/congress-told-breaches-sharing-spell-end-of-authentication-by-what-we-know/>) about how knowledge-based authentication has been impacted by data breaches. The example I gave was that my father called a telecommunications company to shift his broadband plan to another tier. He told them his name and they asked for his date of birth, as if that\u2019s a secret.\n\nThe biggest shift is with this premise that identity can somehow be assured based on knowledge-based authentication like date of birth, mother&#x27;s maiden name, where you went to school, or, in the United States, Social Security number. That idea is fundamentally flawed and is a big area of identity that needs to change. There are so many services that have absolutely no reason to have your date of birth but do.\n\n**Natalia: What are the current gaps in identity solutions?**\n\n**Troy:** The traditional approach in the United States, where someone says, \u201cJust give us your Social Security number and then we\u2019ll know it&#x27;s you and it will be fine,\u201d has always been inherently flawed, but it\u2019s even more flawed now.\n\nThe bigger concern is what if other people try to prove my identity? I&#x27;m concerned about SIM swapping because there&#x27;s so much identity assurance that is done via SMS. The telecommunications companies will say, \u201cYou shouldn&#x27;t be doing that. You can&#x27;t be confident the person who owns the number is the right person.\u201d And the banks will say, \u201cThis is kind of all we have.\u201d I asked my telco, \u201cCan we put a lock on my SIM so the only way someone can migrate my SIM is if they come into your office and prove identity with a passport or driver\u2019s license?\u201d That would eliminate a lot of the problems. They said, \u201cWe can&#x27;t do that because it would be anticompetitive. Government legislation says we need to make it easy for people to transfer their number to another provider so that people have freedom of choice. Otherwise, they&#x27;re locked into the provider.\u201d And I responded with, \u201cThe outcome of that\u2014depending on the platform I\u2019m using\u2014could be that someone gets into a really important account of mine.\u201d Their response: I shouldn\u2019t have been using SIMs as a means of identity verification.\n\n**Natalia: How can organizations mitigate identity risk?**\n\n**Troy:** For many organizations, there hasn&#x27;t been a lot of forethought around what happens when incidents impact identity. One example is breach preparedness. For many years, many organizations would do disaster recovery planning\u2014the annual entire-site-has-gone-down exercise. I rarely see them drill into the impact of a data breach. Organizations rarely dry run what happens when information is leaked that may enable others to take on identities.\n\nOne organization that had a data breach and [did exceptionally well with disclosure](<https://www.eweek.com/security/imgur-image-hosting-service-discloses-breach-of-1-7m-users-accounts/>) was Imgur. Within 24 hours, they had all the right messaging sent to everyone and cycled passwords. I asked the Chief Technical Officer, \u201cHow did you do this so quickly?\u201d And he said, \u201cWe plan for it. We had literally written the procedures for how we would deal with an incident like this.\u201d That preparedness is often what&#x27;s lacking in organizations today.\n\n**Natalia: What\u2019s the biggest difference between enterprise and consumer identity technologies?**\n\n**Troy:** With internal, enterprise-facing identity, these individuals work for your organization and are probably on the payroll. You can make them do things that you can\u2019t ask customers to do. Universal 2nd Factor (U2F) is a great example. You can ship U2F to everyone in your organization because you&#x27;re paying them. Plus, you can train internal staff and bring them up to speed with how to use these technologies. We have a lot more control in the internal organization.\n\nConsumers are much harder. They are more likely to just jump ship if they don&#x27;t like something. Adoption rates of technologies, like [multifactor authentication](<https://www.microsoft.com/en-us/security/business/identity/mfa>), are extremely low in consumer land because people don&#x27;t know what it is or the value proposition. We also see organizations reticent to push it. A few years ago, a client had a 1 percent adoption rate of two-factor authentication. I asked, \u201cWhy don&#x27;t you push it harder?\u201d They said that every time they have more people using two-factor authentication, there are more people who get a new phone and don&#x27;t migrate their soft token or save the recovery codes. Then, they call them up and say, \u201cI have my username or password but not my one-time password. Can you please let me in?\u201d And they have to go through this big spiral\u2014how do we do identity verification without the thing that we set up to do identity verification in the first place?\n\n**Natalia: What should you consider when building systems and policies for consumers to balance user experience and security?**\n\n**Troy:** One big question is: What is the impact of account takeover? For something like Dropbox, the impact of account takeover is massive because you put a lot of important stuff in your Dropbox. If it&#x27;s a forum community like catforum.com, the impact of account takeover is minimal.\n\nI&#x27;d also think about demographics. Dropbox has enormously wide adoption. My parents use Dropbox and they&#x27;re not particularly tech-savvy. If we\u2019re talking about Stack Overflow, we&#x27;ve got a very tech-savvy incumbent audience. We can push harder on asking people to do things differently from what they might be used to, which is usually just a username and a password.\n\nAnother question is: Is it worth spending money on a per individual basis? My partner, who\u2019s Norwegian, can log on to her Norwegian bank using a physical token. The physical token is not just an upfront cost for every customer but there&#x27;s also a maintenance cost. You\u2019re going to have to cycle them every now and then, and people lose them. And you need to support that. But it&#x27;s a bank so they can afford to make that investment.\n\n**Natalia: What\u2019s your advice on securing identities across your employees, partners, and customers?**\n\n**Troy:** I recommend some form of strong authentication in which you have confidence that a username and a password alone are not treated as identity. That worries me, particularly given there&#x27;s so much credential stuffing, and there are billions of credential pairs in lists. There\u2019s also the big question: How did we establish identity in the first place? Whether it be identity theft or impersonation or even sock puppet accounts, how confident do we need to be in the identity at the point of registration, and then subsequently at the point of reauthentication? That will drive discussions around what level of identity documentation we need. But again, we come back to the fact that we don&#x27;t have a consistent mechanism in the industry, or in even in one single geography, to offer high assurance of identity at the time of registration.\n\n**Natalia: Passwordless is a huge buzzword. A lot of people think of it as a solution to many of our identity problems. What\u2019s your perspective?**\n\n**Troy:** I first started doing interviews a decade ago and people would ask, \u201cWhen are we going to get rid of passwords? Are we still going to have passwords 10 years from now?\u201d Well, we\u2019ve got more passwords than ever, and I think in 10 years, we will have more passwords. Even as we get [passwordless solutions](<https://www.microsoft.com/en-us/security/business/identity/passwordless>), the other passwords don&#x27;t go away.\n\nI have a modern iPhone, and it has Face ID. The value proposition of Face ID is that you don&#x27;t need a password. You are passwordless to authenticate your device. When the phone came, I took it out of the box and had to get on the network. What&#x27;s the network password? I&#x27;ve got no idea, so I go to 1Password and pull it out. So, there&#x27;s one password. Then, the phone asks: Would you like to restore from iCloud? What\u2019s your iCloud password? We\u2019re two passwords in now. Would you like to use Face ID? Yes, because I want to go passwordless. That&#x27;s cool but you&#x27;ve got to have a password as a fallback position. Now, we&#x27;re three passwords in to go passwordless. [Passwordless doesn&#x27;t necessarily mean we kill passwords](<https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/>) altogether but that we change the prevalence with which we use them.\n\n_Keep an eye out for the second part of the interview where Troy Hunt shares best practices on how to secure identities in today\u2019s world._\n\n## Learn more\n\nTo learn more about Microsoft Security solutions [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [How far have we come? The evolution of securing identities](<https://www.microsoft.com/security/blog/2021/04/13/how-far-have-we-come-the-evolution-of-securing-identities/>) appeared first on [Microsoft Security.", "modified": "2021-04-13T18:00:22", "published": "2021-04-13T18:00:22", "id": "MSSECURE:6177456E9A9ACF1448383C92030D9E84", "href": "https://www.microsoft.com/security/blog/2021/04/13/how-far-have-we-come-the-evolution-of-securing-identities/", "type": "mssecure", "title": "How far have we come? The evolution of securing identities", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-13T16:18:28", "bulletinFamily": "blog", "cvelist": [], "description": "As we have entered into new hybrid work environments, businesses need to think about how they will proactively protect their organizations from the influx of new or \u201cbring your own\u201d (BYO) connected devices. This new normal has exposed the most challenging cybersecurity landscape we\u2019ve ever encountered. As defenders, we know that users are**[ 71 percent more likely to be infected on an unmanaged device](<https://news.microsoft.com/en-xm/2020/10/19/microsofts-experts-offer-up-new-insight-into-the-world-of-cybersecurity/>).**\n\nThis is because security and IT teams don\u2019t have the ability to set the right security settings and configurations, can\u2019t update and patch OS and software vulnerabilities, and can&#x27;t prevent shadow IT and shadow apps. These unmanaged devices that are connecting to company networks present a huge opportunity for attackers to compromise these devices and launch broader attacks.\n\nMicrosoft is committed to staying ahead of this threat on behalf of our customers. Today, we announce a new set of capabilities that empower organizations to discover and secure unmanaged workstations, mobile devices, servers, and network devices on their business networks. All this, without the need to deploy new hardware or software, or make changes to the network configuration. Now, it\u2019s easier for organizations to lock down their network\u2019s foundation as they monitor unmanaged devices, enabling them to execute on their Zero Trust strategy.\n\nCustomers enrolled in Microsoft Defender for Endpoint public preview can take advantage of the latest capabilities that give them visibility into unmanaged endpoints (such as Windows, Linux, macOS, iOS, and Android) and network devices (such as routers, firewalls, WLAN controllers, and others) within minutes. From here, customers can use integrated workflows to onboard and secure the devices. These new Microsoft Defender for Endpoint features increase the security, productivity, efficiency, and safety of your environment.\n\n## The new complexity of hybrid domains\n\nUnmanaged devices are prone to attacks and are easily breached because they are invisible to security teams. Bad actors use them to stealthily perform lateral movements, jump network boundaries, and achieve persistence. Typically, few traces are left behind, enabling attackers to evade early detection and increase their dwell time.\n\nSecurity researchers and industry experts equally recognize the risks that unmanaged endpoints and network devices present. Leaders at Red Canary, a provider of SaaS-based security operations solutions and penetration testing services, share this perspective:\n\n> _&quot;We often engage with organizations immediately following a breach. In many cases, the root cause isn&#x27;t novel or being conducted by highly skilled adversaries,&quot; says Keith McCammon, Chief Security Officer, Red Canary. &quot;Organizations are being targeted by prolific adversaries that have streamlined the process of finding unmanaged assets, exploiting them, and operating with impunity within the victims&#x27; networks until they achieve their objective.&quot;_\n\nWhat prevents organizations from addressing the problem relates to a lack of tooling in security solutions, such as endpoint protection platforms (EPP), that are most commonly deployed by organizations.\n\n## How Microsoft Defender for Endpoint delivers additional protections to hybrid settings\n\nWe believe our customers shouldn\u2019t have to deploy additional tools to mitigate this problem. Therefore, we have added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender for Endpoint. No hardware deployment or software deployment is needed, no change process, all these capabilities are part of Microsoft Defender for Endpoint, and customers can start benefiting from them right now. It\u2019s that easy.\n\nOnce network devices are discovered, security administrators will receive the latest security recommendations and vulnerabilities on them. Discovered endpoints (such as workstations, servers, and mobile devices) can be onboarded to Microsoft Defender for Endpoints, allowing all its deep protection capabilities.\n\n\n\n_Figure 1. Security recommendations for network devices. _\n\nWe\u2019re excited to share this news with you today, and we welcome your feedback as we work together to deliver discovery of unmanaged endpoints and network devices to Microsoft Defender for Endpoint. You can easily provide feedback to our teams in the Microsoft 365 security center. For those not already enrolled in the public preview, we encourage you to do so by turning on the [preview features](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/preview>). Once enrolled, you\u2019re able to secure your unmanaged network devices within minutes.\n\nAs defenders, we\u2019re committed to security for all, helping organizations gain confidence in the security of their devices, data, and digital actions, regardless of where the work gets done.\n\n## Learn more\n\nMore detailed information on our new network and endpoint discovery features can be found in our just-released blogs on Tech Community.:\n\n * [New network device discovery and vulnerability assessments ](<https://aka.ms/mde_networkdevices>)\n * [Endpoint discovery - navigating your way through unmanaged devices](<https://aka.ms/mde_unmanageddevices>)\n\nTo learn more about Microsoft Security solutions [visit our website.](<https://www.microsoft.com/en-us/security/business/solutions>) Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Secure unmanaged devices with Microsoft Defender for Endpoint now](<https://www.microsoft.com/security/blog/2021/04/13/secure-unmanaged-devices-with-microsoft-defender-for-endpoint-now/>) appeared first on [Microsoft Security.", "modified": "2021-04-13T16:00:47", "published": "2021-04-13T16:00:47", "id": "MSSECURE:1F9A76FACA737A104F1B7340A0C16422", "href": "https://www.microsoft.com/security/blog/2021/04/13/secure-unmanaged-devices-with-microsoft-defender-for-endpoint-now/", "type": "mssecure", "title": "Secure unmanaged devices with Microsoft Defender for Endpoint now", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2021-04-13T18:39:29", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0797", "CVE-2021-1732", "CVE-2021-28310"], "description": "\n\nWhile analyzing the [CVE-2021-1732 exploit](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. Microsoft [released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) to this vulnerability as a part of its April security updates.\n\nWe believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren&#x27;t able to capture a full chain, so we don&#x27;t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. In fact, over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone. In this blog we provide a technical analysis of the vulnerability and how the bad guys exploited it. More information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Technical details\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.). We&#x27;ve already published a [blogpost](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) about in-the-wild zero-days abusing DirectComposition API. DirectComposition API is implemented by the win32kbase.sys driver and the names of all related syscalls start with the string &quot;NtDComposition&quot;.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/13101315/CVE_2021_28310_01.png>)\n\n_**DirectComposition syscalls in the win32kbase.sys driver**_\n\nFor exploitation only three syscalls are required: NtDCompositionCreateChannel, NtDCompositionProcessChannelBatchBuffer and NtDCompositionCommitChannel. The NtDCompositionCreateChannel syscall initiates a channel that can be used together with the NtDCompositionProcessChannelBatchBuffer syscall to send multiple DirectComposition commands in one go for processing by the kernel in a batch mode. For this to work, commands need to be written sequentially in a special buffer mapped by NtDCompositionCreateChannel syscall. Each command has its own format with a variable length and list of parameters.\n \n \n enum DCOMPOSITION_COMMAND_ID\n {\n \tProcessCommandBufferIterator,\n \tCreateResource,\n \tOpenSharedResource,\n \tReleaseResource,\n \tGetAnimationTime,\n \tCapturePointer,\n \tOpenSharedResourceHandle,\n \tSetResourceCallbackId,\n \tSetResourceIntegerProperty,\n \tSetResourceFloatProperty,\n \tSetResourceHandleProperty,\n \tSetResourceHandleArrayProperty,\n \tSetResourceBufferProperty,\n \tSetResourceReferenceProperty,\n \tSetResourceReferenceArrayProperty,\n \tSetResourceAnimationProperty,\n \tSetResourceDeletedNotificationTag,\n \tAddVisualChild,\n \tRedirectMouseToHwnd,\n \tSetVisualInputSink,\n \tRemoveVisualChild\n };\n\n**_List of command IDs supported by the function DirectComposition::CApplicationChannel::ProcessCommandBufferIterator_**\n\nWhile these commands are processed by the kernel, they are also serialized into another format and passed by the Local Procedure Call (LPC) protocol to the Desktop Window Manager (dwm.exe) process for rendering to the screen. This procedure could be initiated by the third syscall \u2013 NtDCompositionCommitChannel.\n\nTo trigger the vulnerability the discovered exploit uses three types of commands: CreateResource, ReleaseResource and SetResourceBufferProperty.\n \n \n void CreateResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = CreateResource;\n \tbuf[1] = resourceId;\n \tbuf[2] = PropertySet; // MIL_RESOURCE_TYPE\n \tbuf[3] = FALSE;\n \tBatchLength += 16;\n }\n \n void ReleaseResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = ReleaseResource;\n \tbuf[1] = resourceId;\n \tBatchLength += 8;\n }\n \n void SetPropertyCmd(int resourceId, bool update, int propertyId, int storageOffset, int hidword, int lodword)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = SetResourceBufferProperty;\n \tbuf[1] = resourceId;\n \tbuf[2] = update;\n \tbuf[3] = 20;\n \tbuf[4] = propertyId;\n \tbuf[5] = storageOffset;\n \tbuf[6] = _D2DVector2; // DCOMPOSITION_EXPRESSION_TYPE\n \tbuf[7] = hidword;\n \tbuf[8] = lodword;\n \tBatchLength += 36;\n }\n\n_**Format of commands used in exploitation**_\n\nLet&#x27;s take a look at the function CPropertySet::ProcessSetPropertyValue in dwmcore.dll. This function is responsible for processing the SetResourceBufferProperty command. We are most interested in the code responsible for handling DCOMPOSITION_EXPRESSION_TYPE = D2DVector2.\n \n \n int CPropertySet::ProcessSetPropertyValue(CPropertySet *this, ...)\n {\n ...\n \n if (expression_type == _D2DVector2)\n {\n if (!update)\n {\n CPropertySet::AddProperty<D2DVector2>(this, propertyId, storageOffset, _D2DVector2, value);\n }\n else\n {\n if ( storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n goto fail;\n }\n \n CPropertySet::UpdateProperty<D2DVector2>(this, propertyId, _D2DVector2, value);\n }\n }\n \n ...\n }\n \n int CPropertySet::AddProperty<D2DVector2>(CResource *this, unsigned int propertyId, int storageOffset, int type, _QWORD *value)\n {\n int propertyIdAdded;\n \n int result = PropertySetStorage<DynArrayNoZero,PropertySetUserModeAllocator>::AddProperty<D2DVector2>(\n this->propertiesData,\n type,\n value,\n &propertyIdAdded);\n if ( result < 0 )\n {\n return result;\n }\n \n if ( propertyId != propertyIdAdded || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n return 0x88980403;\n }\n \n result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n \n int CPropertySet::UpdateProperty<D2DVector2>(CResource *this, unsigned int propertyId, int type, _QWORD *value)\n {\n if ( this->properties[propertyId]->type == type )\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n \n int result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n else\n {\n return 0x80070057;\n }\n }\n\n**_Processing of the SetResourceBufferProperty (D2DVector2) command in dwmcore.dll_**\n\nFor the SetResourceBufferProperty command with the expression type set to D2DVector2, the function CPropertySet::ProcessSetPropertyValue(\u2026) would either call CPropertySet::AddProperty&lt;D2DVector2&gt;(\u2026) or CPropertySet::UpdateProperty&lt;D2DVector2&gt;(\u2026) depending on whether the update flag is set in the command. The first thing that catches the eye is the way the new property is added in the CPropertySet::AddProperty&lt;D2DVector2&gt;(\u2026) function. You can see that it adds a new property to the resource, but it only checks if the propertyId and storageOffset of a new property are equal to the provided values after the new property is added, and returns an error if that&#x27;s not the case. Checking something after a job is done is bad coding practice and can result in vulnerabilities. However, a real issue can be found in the CPropertySet::UpdateProperty&lt;D2DVector2&gt;(\u2026) function. No check takes place that will ensure if the provided propertyId is less than the count of properties added to the resource. As a result, an attacker can use this function to perform an OOB write past the propertiesData buffer if it manages to bypass two additional checks for data inside the properties array.\n \n \n (1)\tstorageOffset == this->properties[propertyId]->offset & 0x1FFFFFFF\n (2)\tthis->properties[propertyId]->type == type\n\n_**Conditions which need to be met for exploitation in dwmcore.dll**_\n\nThese checks could be bypassed if an attacker is able to allocate and release objects in the dwm.exe process to groom heap into the desired state and spray memory at specific locations with fake properties. The discovered exploit manages to do this using the CreateResource, ReleaseResource and SetResourceBufferProperty commands.\n\nAt the time of writing, we still hadn&#x27;t analyzed the updated binaries that are fixing this vulnerability, but to exclude the possibility of other variants for this vulnerability Microsoft would need to check the count of properties for other expression types as well.\n\nEven with the above issues in dwmcore.dll, if the desired memory state is achieved to bypass the previously mentioned checks and a batch of commands are issued to trigger the vulnerability, it still won&#x27;t be triggered because there is one more thing preventing it from happening.\n\nAs mentioned above, commands are first processed by the kernel and only after that are they sent to Desktop Window Manager (dwm.exe). This means that if you try to send a command with an invalid propertyId, NtDCompositionProcessChannelBatchBuffer syscall will return an error and the command will not be passed to the dwm.exe process. SetResourceBufferProperty commands with expression type set to D2DVector2 are processed in the win32kbase.sys driver with the functions DirectComposition::CPropertySetMarshaler::AddProperty&lt;D2DVector2&gt;(\u2026) and DirectComposition::CPropertySetMarshaler::UpdateProperty&lt;D2DVector2&gt;(\u2026), which are very similar to those present in dwmcore.dll (it&#x27;s quite likely they were copy-pasted). However, the kernel version of the UpdateProperty&lt;D2DVector2&gt; function has one notable difference \u2013 it actually checks the count of properties added to the resource.\n \n \n int DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(DirectComposition::CPropertySetMarshaler *this, unsigned int *commandParams, _QWORD *value)\n {\n unsigned int propertyId = commandParams[0];\n unsigned int storageOffset = commandParams[1];\n unsigned int type = commandParams[2];\n \n if ( propertyId >= this->propertiesCount\n || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF)\n || type != this->properties[propertyId]->type )\n {\n return 0xC000000D;\n }\n else\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n ...\n }\n return 0;\n }\n\n_**DirectComposition::CPropertySetMarshaler::UpdateProperty&lt;D2DVector2&gt;(\u2026) in win32kbase.sys**_\n\nThe check for propertiesCount in the kernel mode version of the UpdateProperty&lt;D2DVector2&gt; function prevents further processing of a malicious command by its user mode twin and mitigates the vulnerability, but this is where DirectComposition::CPropertySetMarshaler::AddProperty&lt;D2DVector2&gt;(\u2026) comes in to play. The kernel version of the AddProperty&lt;D2DVector2&gt; function works exactly like its user mode variant and it also applies the same behavior of checking property after it has already been added and returns an error if propertyId and storageOffset of the created property do not match the provided values. Because of this, it&#x27;s possible to use the AddProperty&lt;D2DVector2&gt; function to add a new property and force the function to return an error and cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode. The propertiesCount check in the kernel could be bypassed this way and malicious commands would be passed to Desktop Window Manager (dwm.exe).\n\nInconsistency between the number of properties assigned to the same resource in kernel mode/user mode could be a source of other vulnerabilities, so we recommend Microsoft to change the behavior of the AddProperty function and check properties before they are added.\n\nThe whole exploitation process for the discovered exploit is as follows:\n\n 1. Create a large number of resources with properties of specific size to get heap into predictable state.\n 2. Create additional resources with properties of specific size and content to spray memory at specific locations with fake properties.\n 3. Release resources created at stage 2.\n 4. Create additional resources with properties. These resources will be used to perform OOB writes.\n 5. Make holes among resources created at stage 1.\n 6. Create additional properties for resources created at stage 4. Their buffers are expected to be allocated at specific locations.\n 7. Create &quot;special&quot; properties to cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode for resources created at stage 4.\n 8. Use OOB write vulnerability to write shellcode, create an object and get code execution.\n 9. Inject additional shellcode into another system process.\n\nKaspersky products detect this exploit with the verdicts:\n\n * HEUR:Exploit.Win32.Generic\n * HEUR:Trojan.Win32.Generic\n * PDM:Exploit.Win32.Generic", "modified": "2021-04-13T17:35:50", "published": "2021-04-13T17:35:50", "id": "SECURELIST:A3D3514100806269750A23D748D34C59", "href": "https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/", "type": "securelist", "title": "Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "taosecurity": [{"lastseen": "2021-04-13T16:18:24", "bulletinFamily": "blog", "cvelist": [], "description": "[](<https://1.bp.blogspot.com/-sAiwY4ZN_WY/YHTciVwTUEI/AAAAAAABLPk/sGvTNKPnv206IteGLduT-0L2ufRzNUeeQCLcBGAsYHQ/s2048/The%2BBest%2Bof%2BTaoSecurity%2BBlog%252C%2BVolume%2B4.jpg>)\n\n \n\n\nI've completed the [TaoSecurity Blog book series](<https://amzn.to/326esgx>).\n\nThe new book is [The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship](<https://amzn.to/3mFnIlb>). \n\nIt's available now for [Kindle](<https://amzn.to/3mFnIlb>), and I'm working on the print edition. \n\nI'm running a [50% off promo on Volumes 1-3 on Kindle](<https://amzn.to/326esgx>) through midnight 20 April. Take advantage before the prices go back up.\n\n[](<https://1.bp.blogspot.com/-j9sPtsrFD6Y/YHTZlcRQ0UI/AAAAAAABLPU/5rU0ogS3r_07H6WQc8euN0dmQp5NYqNQACPcBGAYYCw/s1689/capture_001_12042021_190617.jpg>) \n--- \n \n\n\nI described the new title thus:\n\n> Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich.\n> \n> In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material. \n> \n> In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives.\n> \n> Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or policy audiences. It features posts from other blogs or news outlets, as well as some of his written testimony from eleven Congressional hearings. For the first time, Mr. Bejtlich publishes documents that he wrote as part of his abandoned war studies PhD program. This last batch of content was only available to his advisor, Dr. Thomas Rid, and his review committee at King's College London.\n> \n> Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.\n\nThis will likely be my final collection of writings. I've discovered some documents that may be of interest to historians, so I may contribute those to a [national security archive like my friend Jay Healey did a few years ago](<https://nsarchive.gwu.edu/briefing-book/cyber-vault/2019-06-29/joint-task-force-computer-network-defense-20-years-later>).\n\nThe only other work I might do for these four volumes is to record Audible editions. That would take a while, but I'm thinking about it.\n\n \n\n\nCopyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)", "modified": "2021-04-13T15:00:00", "published": "2021-04-13T15:00:00", "id": "TAOSECURITY:87BBF4ACD402EE17EDC1237224470431", "href": "https://taosecurity.blogspot.com/2021/04/new-book-best-of-taosecurity-blog.html", "type": "taosecurity", "title": "New Book! The Best of TaoSecurity Blog, Volume 4", "cvss": {"score": 0.0, "vector": "NONE"}}], "fireeye": [{"lastseen": "2021-04-13T16:34:05", "bulletinFamily": "info", "cvelist": [], "description": "High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is a continued perception across critical infrastructure organizations that OT networks are isolated from public networks\u2014such as the Internet. In Mandiant\u2019s experience, the concept of an \u2018air gap\u2019 separating OT assets from external networks rarely holds true in practice.\n\nIn 2018, we released a blog post presenting the tools and techniques that TEMP.Veles used during the TRITON incident to traverse from an external compromise of the information technology (IT) network of a critical infrastructure organization to the safety systems located deep in the OT network. We regularly reproduce this approach in our OT-focused red team engagements to expose similar attack paths across client infrastructure and to identify environment specific opportunities to prevent and detect network propagation techniques across intermediary systems.\n\nIn this blog post, we share another case study from one of our OT Red Team engagements to illustrate the tactics, techniques, and procedures (TTPs) that can be leveraged by sophisticated threat actors to breach the protected perimeter between an IT network and an OT network. We also examine some of the different types of critical information often found in IT networks that an attacker can leverage during later stages of the Targeted Attack Lifecycle. The goal of this engagement was to access an endpoint meter control infrastructure for a state-wide smart grid environment from the Internet and turn it off. \n\nTo hear our experts relay more on this and other OT Red Team lessons learned, join our [FireEye Mandiant Virtual Summit session](<https://www.brighttalk.com/webcast/12695/480199?utm_source=FireEye&utm_medium=brighttalk&utm_campaign=480199>).\n\nVisit our website to learn more about Mandiant\u2019s OT security practice or contact us directly to request Mandiant services or threat intelligence.\n\n#### Building the Foundation: Information Gathering for IT-OT Network Propagation\n\nTargeted OT attacks attempting to cause physical impacts require planning. A sophisticated actor who is motivated to disrupt or modify an industrial process from a public network will necessarily need to maintain access to the victim environment and remain undetected for enough time to accomplish their objective. Throughout this time, the actor will strive to learn about the control process to formulate the attack, figure out how to pivot to the OT systems and bypass security controls, and sometimes even develop or deploy custom OT malware.\n\nSimilar to the techniques used by TEMP.Veles to reach the OT network during the TRITON incident, Mandiant\u2019s experience during red team engagements highlights that collecting information from IT network assets plays a crucial role in targeted OT attacks. As a result, the internal reconnaissance phase for OT targeted attacks begins in the enterprise network, where the actor obtains knowledge and resources to propagate from an initial compromise in the IT network to remote access in the OT network. Detailed information collected about the target, their security operations, and their environment can also support an actor's attempts at remaining undetected while expanding operations.\n\n \nFigure 1: Targeted OT attack from a public network\n\n#### Thinking Like an Adversary: How to Turn Off Smart Energy Meters\n\nThe ideal scenario for an attacker targeting OT systems is to achieve their objective while remaining undetected. Mandiant\u2019s Red Team works with clients across critical infrastructure industries to simulate attack scenarios in which actors can accomplish this goal by gaining access to OT systems via compromise of external facing IT networks. During these engagements, we emulate real actor behaviors to learn about our target and to determine the best paths for IT/OT network propagation.\n\nFor this engagement, we simulated an end-to-end OT-specific attack scenario in which we tested the security controls and response capabilities of an organization to protect smart grid meter control infrastructure from an external attacker. Mandiant leveraged weaknesses in people, process, and technology to gain remote access from the public Internet and to achieve a set of pre-approved objectives in the OT environment.\n\n_Establishing a Foothold in the IT Network_\n\nMandiant conducted a spear phishing exercise to gain initial access into the client\u2019s enterprise network from the Internet. We defined a combination of two different phishing scenarios that we deployed to test email filtering and egress monitoring controls:\n\n * Embedded link for a malicious file hosted on a Mandiant owned domain on the Internet\n * Email attachment for a Microsoft Office document with auto - executable macro code\n\nThis exercise allowed our team to achieve code execution on a user workstation in the enterprise environment and to establish an unattributable egress communication path to a Mandiant hosted Cobalt Strike Command and Control (C&amp;C) server on the Internet. After establishing a stable communication path with workstations in the enterprise environment, we utilized the following publicly available offensive security tools (OST) to escalate privileges and to obtain domain administrator level access:\n\n * [ldapsearch](<https://linux.die.net/man/1/ldapsearch>) to enumerate information in the enterprise domain\n * [PowerSploit](<https://github.com/PowerShellMafia/PowerSploit>) to exploit common security misconfigurations in IT\n * [WMImplant](<https://github.com/FortyNorthSecurity/WMImplant>) to move laterally from one system to another in the internal network\n * [Mimikatz](<https://github.com/gentilkiwi/mimikatz/wiki>) to extract credentials for local user and domain administrator accounts\n\nAs domain administrators, we gained unrestricted access to a variety of resources connected to the enterprise domain (e.g. server resources, file shares, IT applications, and administrator consoles for IT systems). During the initial stages of our engagement, our actions were in no way different to other less sophisticated intrusions on industrial organizations, such as [financially-motivated](<https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html>) compromises.\n\n_Defining Our Path to the OT Network_\n\nSimilar to real world threat actors carrying out targeted OT attacks, Mandiant\u2019s OT Red Team dedicates significant effort for internal reconnaissance in the IT network to develop a logical mapping of the extended network architecture and discover targets of interest (people, processes, or technology). The information we acquire helps us to (a) define paths to propagate from the IT to the OT network and (b) achieve our final objective in the OT network without raising alarms. During OT Red Team engagements across different industries, we follow a real attacker\u2019s cost-benefit analysis to determine which sources or methods are most likely to help us obtain that information.\n\n \nFigure 2: Information sources and target information from enterprise networks\n\nFor this engagement, we leveraged the domain administrator credentials obtained in the previous phase to gain access to Microsoft System Center Configuration Manager (SCCM) in the IT network. Logged into the SCCM console, we leveraged software deployment features for collection to establish C&amp;C over user workstations belonging to pre-selected departments in the client organization.\n\nMandiant chose the specific groups based on the names of their departments and the description attributes, which suggested a high likelihood of member users with high privilege access for network infrastructure or application management. This included members of the following groups: network management, firewall administration, control engineering, and smart meter operations.\n\nAccess to user workstations of target employees in these departments enabled us to:\n\n * Capture keystrokes to obtain remote desktop protocol (RDP) credentials for the OT network by using a Cobalt Strike modified script\n * Login to department file shares and extract OT system design documents\n * Extract network design documents and backup files for OT firewall configurations found in the firewall management console\n * Find plaintext credentials for OT management systems from operation manuals\n\nInternal reconnaissance in the IT network not only allowed us to obtain remote access credentials for the OT network, but to also gain a deeper understanding of the business processes and technical control system operations in the OT environment by reviewing internal OT-specific operational procedures and security documentation such as asset inventories and configurations.\n\n_Propagating to the OT Network_\n\nDuring the process of propagation from IT to OT networks, an actor will leverage previously compromised systems, credentials, or applications to access systems in higher security zones\u2014such as OT demilitarized zones (DMZ). Based on our observations during multiple red teaming engagements and research, the most likely attack vectors for propagation are:\n\n \nTable 1: Most likely attack vectors for IT/OT propagation\n\nFor this engagement, we initially analyzed the system architecture to define the best path to follow. Engineers from the target organization were required to use multi-factor-authentication (MFA) to gain remote access to jumpbox servers in the OT network. While not impossible, bypassing this setup would require more time and resources. We instead decided to search for other plausible attack propagation paths.\n\n \nFigure 3: Formal communication path from enterprise to OT network\n\nReviewing the firewall configuration files, we identified a dedicated communication path for management access to a Microsoft Windows patch management server in a DMZ between the IT network and the OT network. This patch management server was running on a virtual machine in the DMZ network, while the administration console for the underlying hypervisor software itself was hosted in the IT network.\n\nMandiant logged into the administration console for the hypervisor software using IT network domain administrator credentials. We then leveraged guest machine administration features via direct console access to execute commands on the patch management server in the DMZ network. The compromise of the patch management server in the DMZ allowed us to pivot via SMB connections to Microsoft Windows-based intermediary systems in the OT network.\n\n \nFigure 4: Remote attack propagation path from IT network to OT network\n\nLastly, we compromised Microsoft Windows server systems in the OT network to complete the objectives of the exercise. Using OT credentials retrieved in the previous phases, we authenticated to the SMB service (using single factor authentication) by pivoting through the patch management server in the DMZ network. This enabled us to execute remote console commands on management servers (such as the domain controller) in the OT network.\n\nWith access to the domain controller in the core OT network, we extracted credentials for high privilege domain administrator accounts in the OT network using DCSYNC and Mimikatz. Using these accounts, we gained control of management servers, application servers, and operator workstations in the OT network. Mandiant was also able to use compromised credentials to login to the human machine interface (HMI) portal for the meter control infrastructure and issue a disconnect command for a target endpoint meter in the smart grid environment.\n\n#### Strategic Collection and Detection Opportunities During Reconnaissance and Network Propagation\n\nAlthough specific capabilities such as malware and tooling vary amongst incidents, internal reconnaissance and network propagation are consistently needed for sophisticated adversaries to expand remote operations from external networks to OT systems. Focusing collection, detection, and hunting efforts on assets or information that are likely to be compromised during these phases presents defenders with strategic opportunities to hunt for and detect targeted adversary activity before it poses a risk to control systems. \n\n * In a previous blog post stating our approach to OT security, we highlighted that IT networks close to production networks and OT intermediary systems remain the best zones to detect OT targeted attacks, a.k.a. \u201cThe Funnel of Opportunity\u201d. As actors pivot across systems and networks to gather information and elevate privileges, they leave footprints that can be tracked before they propagate to critical systems.\n * An actor who covertly performs internal reconnaissance and propagates to the OT network is already positioned to cause damage on mission critical assets and is unlikely to be discovered. Early detection of adversary activity before reaching critical OT systems will decrease the dwell time and the risk of an incident.\n * OT defenders can prioritize collection and detection, alert triage, and incident response efforts by becoming familiar with the types of information and services that OT focused threat actors commonly search for during internal reconnaissance in IT networks and network propagation across OT intermediary systems.\n * Understanding where this information resides presents defenders with a catalog of systems and networks to focus collection and detection efforts on. Defenders can create tailored detections to hunt for adversary activity pursuing this information, prioritize alert response efforts, and identify additional security controls to implement. Mandiant red teaming in OT can help organizations identify which data is valuable for attackers to support their network propagation efforts and which systems are most likely to be compromised by attackers targeting OT networks.\n\nVisit our website for more information or to request Mandiant services or threat intelligence.\n", "modified": "2021-04-13T15:00:00", "published": "2021-04-13T15:00:00", "id": "FIREEYE:C60F2C759270A6CF7F5835ACBDA69AF8", "href": "https://www.fireeye.com/blog/threat-research/2021/04/hacking-operational-technology-for-defense-lessons-learned.html", "type": "fireeye", "title": "Hacking Operational Technology for Defense: Lessons Learned From OT Red\nTeaming Smart Meter Control Infrastructure", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-13T14:37:15", "bulletinFamily": "info", "cvelist": [], "description": "We are thrilled to launch _M-Trends 2021_, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination of global events. Business operations shifted in response to the worldwide pandemic and threat actors continued to escalate the sophistication and aggressiveness of their attacks, while in parallel leveraged unexpected global events to their advantage.\n\nWe discuss all of this and much more in the full report, which is available for download today. But first, here is a sneak preview of the most popular _M-Trends_ metric where we answer the critical question: Are organizations getting better at detecting attacks?\n\nIn short, yes! Back in 2011, we reported a 416-day global median dwell time, indicating that attackers were operating undetected on a system or network for over a year on average. This time, from Oct. 1, 2019 through Sept. 30, 2020, the median dwell time has decreased to only 24 days. This means\u2014for the first time in _M-Trends_ history\u2014the median dwell time has dropped to under one month.\n\nAlthough this drop in dwell time is promising, it is critical for organizations to remember that cyber adversaries typically only need a few days to achieve their objective, such as identifying and stealing the crown jewels of a victim organization or launching a crippling ransomware attack. Organizations across the globe must remain vigilant, to prepare for the next incident.\n\nThere is much more to unpack in the _M-Trends 2021 _report. Here is a quick rundown of what to expect:\n\n * **By the Numbers**: A large and diverse set of metrics including attacker dwell time, detection by source, industry targeting, growing threat techniques, sophisticated malware families, and more.\n * **Ransomware**: Front-line stories on how this harmful threat is evolving, challenges with recovery, and best practice hardening strategies to effectively combat this threat.\n * **Newly Named Threat Groups**: More on FIN11, a financially motivated threat group that we promoted in 2020, which has been active since at least 2016 and is most recently known for operations involving ransomware and extortion.\n * **Pandemic-Related Threats**: Breakdown of countless espionage campaigns targeting ground-breaking research in the race to learn more about COVID-19.\n * **UNC2452/SUNBURST**: UNC2452\u2019s headline-making compromise of environments via an implant in the SolarWinds Orion platform, mapped to the attack lifecycle framework with details at every stage.\n * **Case Studies**: Mandiant engagements involving the rise of insider threats and how to be more prepared, plus advanced red teaming tactics that enabled access to executive emails without any exploits.\n\nFor over a decade, the mission of _M-Trends_ has always been the same: to arm security professionals with insights on the latest attacker activity as seen directly on the front lines, backed by actionable learnings to improve organizations\u2019 security postures within an evolving threat landscape.\n\nDownload the _M-Trends 2021_ report today, and then for more information, check out the [FireEye Mandiant Virtual Summit](<https://virtualsummit.fireeye.com/index.html>). Starting today and running through April 15, the event includes a variety of sessions, with three related to _M-Trends_: one that provides an [overview of the report and highlights key topics](<https://virtualsummit.fireeye.com/track-expertise.html#top-cyber-trends>), another focused on our [\u201cBy the Numbers\u201d chapter](<https://virtualsummit.fireeye.com/track-expertise.html#mtrends-2021>) coupled with mitigation solutions related to these metrics, and one covering [the report through a lens from the EMEA region](<https://www.brighttalk.com/webcast/10703/479027>). [Register now](<https://virtualsummit.fireeye.com/index.html>)!\n", "modified": "2021-04-13T13:45:00", "published": "2021-04-13T13:45:00", "id": "FIREEYE:680FAF40E665DA0F09E7C0FB26B5F076", "href": "https://www.fireeye.com/blog/threat-research/2021/04/m-trends-2021-a-view-from-the-front-lines.html", "type": "fireeye", "title": "M-Trends 2021: A View From the Front Lines", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2021-04-14T00:51:25", "bulletinFamily": "unix", "cvelist": [], "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino. ", "modified": "2021-04-13T14:30:13", "published": "2021-04-13T14:30:13", "id": "FEDORA:21F483052787", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: mosquitto-1.6.14-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-14T00:51:25", "bulletinFamily": "unix", "cvelist": [], "description": "Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses. ", "modified": "2021-04-13T14:30:12", "published": "2021-04-13T14:30:12", "id": "FEDORA:67EFC3052787", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: perl-Net-CIDR-Lite-0.22-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-14T00:51:25", "bulletinFamily": "unix", "cvelist": [], "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino. ", "modified": "2021-04-13T14:19:53", "published": "2021-04-13T14:19:53", "id": "FEDORA:E366030E4E8D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: mosquitto-1.6.14-1.fc32", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-14T00:51:25", "bulletinFamily": "unix", "cvelist": [], "description": "Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses. ", "modified": "2021-04-13T14:19:52", "published": "2021-04-13T14:19:52", "id": "FEDORA:B66D730E4E94", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: perl-Net-CIDR-Lite-0.22-1.fc32", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2021-04-13T12:28:06", "bulletinFamily": "unix", "cvelist": ["CVE-2021-27364", "CVE-2021-27365"], "description": "This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.\n\nSecurity Fix(es):\n\n* kernel: out-of-bounds read in libiscsi module (CVE-2021-27364)\n\n* kernel: heap buffer overflow in the iSCSI subsystem (CVE-2021-27365)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-04-13T14:26:31", "published": "2021-04-13T14:01:55", "id": "RHSA-2021:1173", "href": "https://access.redhat.com/errata/RHSA-2021:1173", "type": "redhat", "title": "(RHSA-2021:1173) Important: kpatch-patch security update", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}]}