CWN #11 - 2023 Week 20
In this edition: zero trust approaches, how Splunk does its detection engineering, and a few tools.
Highlight of the week
It is now possible to partially protect sign-in and access tokens in Azure AD! This new mechanism (in preview only) binds a token to a registered device, making it worthless outside of that device. Requirements are:
- Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
- OneDrive sync client version 22.217 or later
- Teams native client version 1.6.00.1331 or later
📝 https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
Although protecting tokens is necessary, zero trust approaches only deliver when all the right components are in place. In 2018, David "dwizzzle" Weston from Microsoft's Offensive/Device Security team wrote a great reminder/primer on the topic titled "Zer0ing Trust - Do Zero Trust Approaches Deliver Real Security?".
Device trust and identity trust are two key components of a zero trust approach. Once in place, access control rules can be coded to grant the proper accesses to a resource.
Device trust is important, but most platforms lack the proper hardware integrity mechanisms to authenticate and evaluate a device. Most approaches to device trust are software-based, which is not as secure as hardware-based approaches and makes them more prone to tampering. Workarounds with EDR and/or vulnerability management tools are not deeply integrated, and vendors rarely work together to improve device trust capabilities, often insisting that users use their stack and nothing else!
Identity trust is the second component of zero trust, and involves enforcing identity and authentication to prevent unwanted access and lateral movement. However, there is a strong dependency on the scope of enforcement, and zero trust network (ZTN) products often can't cover all scenarios, such as non-HTTP protocols. Additionally, not all multi-factor authentication (MFA) methods are created equal, and some may not support all browsers or be secure enough (avoid SMS!). To really use identity as the new "core" perimeter, networks may need to be re-architected to redefine how resources are reached.
There is no magic product or implementation for zero trust approaches. Instead, it must be seen as a whole, with re-architecting often needed, and identity as the new core perimeter.
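To make the device-trust plus identity-trust model above concrete, here is a small added policy evaluator (illustration only, not code from the presentation or any product; the resource names, trust levels and thresholds are assumptions). It exercises the three failure modes the talk points at: a device whose compliance is only software-asserted, an MFA method too weak for the resource (SMS), and a protocol the enforcement point does not front.

```python
"""Toy zero-trust access decision combining device trust and identity trust.

Added illustration, not from the presentation or any vendor product; the
resource names, trust levels and policy thresholds below are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class DeviceTrust(IntEnum):
    UNKNOWN = 0    # device not enrolled at all
    SOFTWARE = 1   # an agent or EDR asserts compliance, no hardware root of trust
    HARDWARE = 2   # TPM-backed attestation of boot state and device identity


# Assumed ranking of MFA methods by phishing resistance; SMS is the weakest.
MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "push": 2, "fido2": 3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_method: str
    device_trust: DeviceTrust
    protocol: str   # "https", "smb", "rdp", ...
    resource: str


@dataclass(frozen=True)
class Policy:
    min_device_trust: DeviceTrust
    min_mfa_strength: int
    allowed_protocols: frozenset  # what the enforcement point can actually front


# Constructed policies: the admin plane needs hardware-backed devices and
# phishing-resistant MFA; the HR portal accepts software-asserted compliance.
POLICIES = {
    "hr-portal": Policy(DeviceTrust.SOFTWARE, 2, frozenset({"https"})),
    "prod-admin": Policy(DeviceTrust.HARDWARE, 3, frozenset({"https", "ssh"})),
    "file-share": Policy(DeviceTrust.SOFTWARE, 2, frozenset({"https"})),
}


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check is default-deny."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, "no policy for resource: default deny"
    if req.protocol not in policy.allowed_protocols:
        # A ZTN proxy that only fronts HTTP(S) cannot enforce anything on SMB
        # or RDP; the honest answer is to refuse, not to let the request bypass it.
        return False, f"protocol {req.protocol} is not covered by the enforcement point"
    if req.device_trust < policy.min_device_trust:
        return False, (f"device trust {req.device_trust.name} is below "
                       f"required {policy.min_device_trust.name}")
    strength = MFA_STRENGTH.get(req.mfa_method, 0)
    if strength < policy.min_mfa_strength:
        return False, f"mfa method {req.mfa_method} too weak ({strength} < {policy.min_mfa_strength})"
    return True, "allow"


if __name__ == "__main__":
    for req in (
        AccessRequest("alice", "fido2", DeviceTrust.HARDWARE, "https", "prod-admin"),
        AccessRequest("alice", "sms", DeviceTrust.HARDWARE, "https", "prod-admin"),
        AccessRequest("bob", "totp", DeviceTrust.SOFTWARE, "https", "prod-admin"),
        AccessRequest("bob", "totp", DeviceTrust.SOFTWARE, "smb", "file-share"),
    ):
        print(req.user, req.resource, evaluate(req))
```

The protocol check is the point most often missed: when the ZTN product cannot see a protocol, the request does not become "allowed", it becomes unenforced, which is why the talk argues for re-architecting how resources are reached rather than bolting a proxy in front of HTTP only.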
🧠 The full presentation https://github.com/dwizzzle/Presentations/blob/master/David Weston - Zer0ing Trust - Do Zero Trust Approaches Deliver Real Security.pdf
As a parting thought, private signing keys for Intel's Boot Guard security technology were found in the recent MSI leak (they are used in the UEFI Secure Boot mechanism). That's bad for zero trust approaches, as Intel Boot Guard should no longer be fully trusted on the affected devices. One step backward for device trust.
🧰 List of leaked firmware signing keys and Intel Boot Guard keys, with the impacted devices: https://github.com/binarly-io/SupplyChainAttacks/blob/main/MSI/ImpactedDevices.md
Have a good zero trust journey...
Selection of the week
The threat actor Water Orthrus has launched two new campaigns, CopperStealth and CopperPhish, targeting different regions and companies. CopperStealth installs a rootkit to deliver additional malware in China, while CopperPhish globally phishes credit card information. The actor has shifted from stealing personal information to cryptocurrency and now credit card information. A great report by Trend Micro.
Google is updating its Vulnerability Reward Programs (VRP) for Android, with a new quality rating system to "encourage more security research" and ensure user security. Reports will be rated as High, Medium, or Low quality based on the level of detail provided, with the aim of encouraging more detailed reports and faster issue resolution, as well as higher bounty rewards for researchers, now up to $15k. But CVEs will no longer be assigned unless the vulnerability is rated High or Critical.
📰 https://security.googleblog.com/2023/05/new-android-google-device-VRP.html
The Splunk Threat Research Team explains its detection engineering process for pushing new rules to ESCU (Enterprise Security Content Update). Also, since v4, Sigma rules are better incorporated in their workflow.
🧰 An application to help writing new detection content https://github.com/splunk/contentctl
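Since Sigma rules are now part of that workflow, here is an added, self-contained evaluator for Sigma-style detection logic (not code from Splunk's contentctl or from the Sigma project; the rule and the process-creation events are constructed). It covers the pieces a content pipeline has to get right before a rule is converted to a Splunk search: field modifiers (contains, startswith, endswith, re), OR across a list of values, AND across the fields of a map, and a condition with and/or/not and parentheses.

```python
"""Minimal evaluator for Sigma-style detection logic over sample events.

Added example, not code from Splunk's contentctl or the Sigma project.
The rule and the process-creation events below are constructed.
"""
import re

# Constructed rule, written as the Python equivalent of its YAML.
RULE = {
    "title": "Office application spawning a shell (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
        },
        "filter": {"CommandLine|contains": "OfficeUpdateHelper"},
        "condition": "selection and not filter",
    },
}


def _match_value(actual, expected, modifier):
    if actual is None:
        return False
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    a, e = str(actual).lower(), str(expected).lower()  # Sigma matches case-insensitively
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def _match_block(block, event):
    """A map matches when every field matches; a list of values is an OR."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifier) for v in values):
            return False
    return True


def evaluate_condition(condition, results):
    """Recursive-descent evaluation; precedence is not > and > or."""
    tokens = re.findall(r"\(|\)|\w+", condition)

    def parse_or(i):
        val, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "or":
            rhs, i = parse_and(i + 1)
            val = val or rhs
        return val, i

    def parse_and(i):
        val, i = parse_not(i)
        while i < len(tokens) and tokens[i] == "and":
            rhs, i = parse_not(i + 1)
            val = val and rhs
        return val, i

    def parse_not(i):
        if tokens[i] == "not":
            val, i = parse_not(i + 1)
            return (not val), i
        if tokens[i] == "(":
            val, i = parse_or(i + 1)
            return val, i + 1  # consume ')'
        return results[tokens[i]], i + 1

    val, i = parse_or(0)
    if i != len(tokens):
        raise ValueError(f"unparsed tokens in condition: {tokens[i:]}")
    return val


def matches(rule, event):
    det = rule["detection"]
    results = {name: _match_block(block, event)
               for name, block in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], results)


# Constructed events: a true positive, a filtered-out updater, and a benign one.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc AAAA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Tools\OfficeUpdateHelper.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def matching_indexes(rule=RULE, events=EVENTS):
    return [i for i, ev in enumerate(events) if matches(rule, ev)]


if __name__ == "__main__":
    print(RULE["title"], "->", matching_indexes())
```

Running the constructed rule over the three events flags only the first one: the second trips the selection but is removed by the filter, the third never matches the parent process. Keeping unit events like these beside a rule is exactly the kind of test a content pipeline can run before shipping it.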
Proofpoint is highlighting several techniques used by attackers after compromising an M365 user account or obtaining a Teams token:
- “Using tabs for phishing users or instant malware download
- Weaponizing meeting invites by replacing default URLs with malicious links
- Weaponizing messages by replacing existing URLs with malicious links”
More details in the post, but don’t look for guidance on how to detect these because there is none.
NCC Group is providing another great set of tools to enumerate process properties and find ones vulnerable to injection.
🧰 https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI
AWS is showing, through two scenarios, how to use CloudTrail Lake and the associated queries: compromised AWS access keys, and compromised AWS IAM Identity Center user credentials.
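As an added illustration of the compromised-access-key scenario (not AWS's query or code; the records, key ids, account and IPs are constructed placeholders), a triage function that pulls every event tied to one key, lists the source IPs and services involved, and flags the IAM writes that created new principals, which must be revoked along with the key itself.

```python
"""Triage of CloudTrail records for one suspected-compromised access key.

Added example, not AWS's own query or code. The records below are
constructed (placeholder key ids and IPs); in practice they come from a
CloudTrail Lake query result or from the raw log files in S3.
"""
import json
from collections import Counter

# Assumed shape of the equivalent CloudTrail Lake query (the event data store
# id is a placeholder):
#   SELECT eventTime, eventName, eventSource, sourceIPAddress, requestParameters
#   FROM <EVENT_DATA_STORE_ID>
#   WHERE userIdentity.accessKeyId = 'AKIAEXAMPLECOMPROMISED'
#   ORDER BY eventTime

# IAM write actions that typically create a new foothold after a key leak.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
}

COMPROMISED = "AKIAEXAMPLECOMPROMISED"  # placeholder, not a real key id


def _rec(t, name, source, ip, key, user, params=None):
    """Build one constructed CloudTrail record with the fields triage needs."""
    return {"eventTime": t, "eventName": name, "eventSource": source,
            "sourceIPAddress": ip, "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "requestParameters": params}


# Constructed log: recon from one IP, IAM persistence from another, plus one
# unrelated event from a different (legitimate) key of the same user.
CONSTRUCTED_LOG = json.dumps({"Records": [
    _rec("2023-05-15T08:01:12Z", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.23", COMPROMISED, "ci-deploy"),
    _rec("2023-05-15T08:02:40Z", "ListBuckets", "s3.amazonaws.com", "198.51.100.23", COMPROMISED, "ci-deploy"),
    _rec("2023-05-15T08:05:03Z", "CreateUser", "iam.amazonaws.com", "203.0.113.9", COMPROMISED, "ci-deploy",
         {"userName": "backup-svc"}),
    _rec("2023-05-15T08:05:10Z", "CreateAccessKey", "iam.amazonaws.com", "203.0.113.9", COMPROMISED, "ci-deploy",
         {"userName": "backup-svc"}),
    _rec("2023-05-15T08:06:01Z", "AttachUserPolicy", "iam.amazonaws.com", "203.0.113.9", COMPROMISED, "ci-deploy",
         {"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2023-05-15T08:10:00Z", "PutObject", "s3.amazonaws.com", "10.0.3.17", "AKIAEXAMPLELEGIT0001", "ci-deploy"),
]})


def triage_access_key(log_json, key_id):
    """Summarise everything done with key_id and the principals it spawned."""
    records = json.loads(log_json)["Records"]
    hits = sorted((r for r in records
                   if r.get("userIdentity", {}).get("accessKeyId") == key_id),
                  key=lambda r: r["eventTime"])
    if not hits:
        return {"key": key_id, "events": 0}
    persistence = [
        (r["eventTime"], r["eventName"], (r.get("requestParameters") or {}).get("userName"))
        for r in hits if r["eventName"] in PERSISTENCE_EVENTS
    ]
    return {
        "key": key_id,
        "user": hits[0]["userIdentity"].get("userName"),
        "events": len(hits),
        "first_seen": hits[0]["eventTime"],
        "last_seen": hits[-1]["eventTime"],
        "source_ips": sorted({r["sourceIPAddress"] for r in hits}),
        "services": dict(Counter(r["eventSource"] for r in hits)),
        "persistence": persistence,
        # Identities created with the stolen key must be revoked too, not just the key.
        "derived_principals": sorted({p[2] for p in persistence if p[2]}),
    }


if __name__ == "__main__":
    print(json.dumps(triage_access_key(CONSTRUCTED_LOG, COMPROMISED), indent=2))
```

The "derived_principals" list is the part most worth keeping: rotating the leaked key closes the original door but leaves any user, key or policy created with it in place, so the containment checklist has to follow the CloudTrail trail forward from the key.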
Anton Chuvakin published a post-RSA post where he talks about XDRs, not AI, cloud security, zero trust (again...) and other stuff!
🗣 https://medium.com/anton-on-security/rsa-2023-not-under-the-genai-influence-yet-fda234de2c8d
Conclusion
I hope you enjoyed this edition!
Have a good week.