CWN #6 - 2023 week 16
Initiatives by Google to solve the vulnerability management problem, Microsoft releasing LAPS for AAD and improving the visibility into its Azure API, and other news...
Highlight of the week
Google's Project Zero paper Escaping the Doom Loop details initiatives to reduce the risk from vulnerabilities and to protect researchers.
All these initiatives aim to increase transparency, address the root cause of vulnerabilities, prioritize modern secure software development practices, and protect good-faith security researchers. One of the main pain points lies within the vulnerability management realm, with the same cycle of finding and patching vulnerabilities, only for another one to pop up, being an endless loop.
Google's Project Zero has pioneered aggressive patch and disclosure timelines over the years. Building on their ongoing work, they propose new initiatives, which include greater transparency from vendors and governments in vulnerability exploitation and patch adoption. This transparency will help the community diagnose whether current approaches are working or not.
They also want to address friction points throughout the vulnerability lifecycle so that risks to users are comprehensively addressed, identify the real root cause of vulnerabilities (42.5% of the zero-days analyzed in 2022 were variants of previously known bugs), and prioritize modern secure software development practices that can close off entire avenues of attack.
Furthermore, Google aims to protect good-faith security researchers who make significant contributions to security through their efforts to find vulnerabilities before attackers can exploit them. Unfortunately, these researchers can still face legal threats when their contributions are unwelcome or misunderstood, which creates a chilling effect on beneficial research and vulnerability disclosure.
Google is founding the Hacking Policy Council, which will engage in focused advocacy to ensure new policies and regulations support best practices for vulnerability management and disclosure. Additionally, Google is providing seed funding for the Security Research Legal Defense Fund to protect security research by funding legal representation for individuals performing good-faith research in cases that would advance cybersecurity in the public interest.
These are really good initiatives and I’m certain they’ll help tip the scale on the good side.
🧠 Whitepaper "Escaping the Doom Loop": https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Report_-_Escaping_the_Doom_Loop.pdf
Selection of the week
Microsoft is finally adding MicrosoftGraphActivityLog as an available log source! It means defenders will finally be able to see UserId, ServicePrincipalId, RequestUri and more when investigating suspicious activity. The only catch: it's in Private Preview for now… Let’s hope Microsoft makes it broadly available quickly.
🗣️ https://twitter.com/DrAzureAD/status/1646162221234266112
📰 https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs
PR move or … ? Microsoft, Health-ISAC and Fortra obtained a court order to disrupt infrastructure where cracked copies of Cobalt Strike are used; such cracked copies are used by Conti and LockBit, among others. Any move to take down adversary infrastructure is welcome, but in light of the RCE discovered in Fortra’s GoAnywhere software in February 2023, the timing and publicizing of this action raise questions, because, as Hogan-Burney reminds: “As we have since 2008, Microsoft’s DCU will continue its efforts[…]”
📰 https://duo.com/decipher/microsoft-and-partners-move-to-disrupt-use-of-cracked-cobalt-strike-copies
Kaspersky has discovered a zero-day vulnerability in the Common Log File System (CLFS) driver on Microsoft Windows servers! It was assigned CVE-2023-28252 and patched by Microsoft on April 11, 2023. The elevation-of-privilege exploit uses “an out-of-bounds write (increment) triggered when the system attempts to extend the metadata block”. It was used by a cybercrime group to deploy the Nokoyawa ransomware; this group has used a large number of similar but unique CLFS driver exploits since at least June 2022. Kaspersky provides a few IoCs to help investigations.
📰 https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
📝 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
A new report by Citizen Lab highlighted that high-risk individuals' iPhones were compromised using a zero-click exploit named ENDOFDAYS. The attackers used backdated and "invisible iCloud calendar invitations" to target a zero-day vulnerability affecting iPhones running iOS 1.4 up to 14.4.2 between January 2021 and November 2021. The spyware, called KingsPawn by Microsoft, was designed to self-delete and clean out any tracks from victims' iPhones to evade detection. Its capabilities include recording audio from phone calls, taking pictures through the device's front or back camera, generating iCloud TOTP codes, and tracking the device's location. Commercial and mercenary spyware aren’t going away anytime soon.
📝 https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/
CISA released a new whitepaper: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. One interesting concept: loosening guides. The device/software is secured by default, but the provider explains how to loosen the security settings and the risk associated with doing so.
Check Point Research has discovered three vulnerabilities in the Microsoft Message Queuing (MSMQ) service, the most severe being QueueJumper (CVE-2023-21554), a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe. Shadowserver, Shodan and Censys have already updated their scanners, and more than 360,000 IPs have port 1801/tcp open to the Internet with MSMQ listening. Security researchers (https://infosec.exchange/@goncalor and https://cyberplace.social/@GossiTheDog) have picked up these scans, but they report no malicious activity so far, even though the exploit seems to be working.
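A defender-side check for the MSMQ exposure described above, added here as an example that is not part of the original newsletter; it assumes a Windows host with PowerShell 5.1 or later and the built-in NetTCPIP and NetSecurity modules, and the function name is my own:

```powershell
# Audit a Windows host for exposure to the MSMQ issue (CVE-2023-21554):
# is the service present, is 1801/tcp listening, and do enabled inbound
# firewall rules let that port in? (Added example, not Check Point's code.)
function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    # The "MSMQ" service hosts mqsvc.exe; if it is absent, the feature is not installed.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # 1801/tcp is the MSMQ listener that Shodan/Censys/Shadowserver scans look for.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    # Enabled inbound rules whose TCP port filter covers 1801 (explicitly or via "Any").
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and
                (@($filter.LocalPort) -contains '1801' -or @($filter.LocalPort) -contains 'Any')
        }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        MsmqInstalled       = [bool]$svc
        MsmqStatus          = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Port1801Listening   = [bool]$listener
        InboundRulesFor1801 = @($rules | Select-Object -ExpandProperty DisplayName)
    }
}

# A host that is installed + listening + allowed inbound is the case to prioritise:
# apply the April 2023 update, and if MSMQ is not actually needed, remove the feature.
Get-MsmqExposure
```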
LAPS is now compatible with Azure AD! Local Administrator Password Solution is used to manage the password of a specified local administrator account by regularly rotating the password and backing it up to Active Directory (AD). It is now natively integrated into Windows. Among the new features for on-premises is the capability to (finally!) encrypt the password, and for AAD, the capabilities to store and automatically rotate passwords and to assign RBAC policies that control retrieval. It’s now available in the April 11th security update for Windows 10 & 11 Pro, EDU, and Enterprise, Windows Server 2019 & 2022 and Windows Server Core 2022.
Google wants to help you manage the dependencies of your software! If you’re using npm, Go, Maven, PyPI or Cargo, you’ll be glad to know Google has announced the release of the deps.dev API, which provides access to a huge dataset of security metadata, including dependencies for more than 50 million open source package versions. It’s an attempt to tackle the complex landscape of software supply chains and their risks by letting developers easily integrate this data into their CI/CD pipelines. The API is free and doesn’t require registration.
📰 https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html?m=1
The FCC and FBI's Denver field office released a warning about "juice jacking" attacks at public USB charging stations, citing cybersecurity experts. However, the source of the warnings is unclear: the FCC cites a 2019 NYT article, and the LA DA's warning was taken down in December 2021 after officials could not point to any cases. Despite this, there are no plans to correct the post or provide a mechanism for the public to challenge the warning. Even though there are some risks (with tools like the O.MG cable), such fuss around this issue seems disproportionate, and the risks and protections should be clearly stated…
🗣️ https://infosec.exchange/@dangoodin/110188301817196614
Conclusion
Vulnerabilities aren't going away soon, but a shift towards security by default/design and more transparency into components, their risks and their lifecycle are more than welcome.
Have a good week!