Jeff Goldman, Author at eSecurityPlanet
https://www.esecurityplanet.com/author/jeff-goldman/ (feed updated Thu, 13 Jul 2023)

Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos
https://www.esecurityplanet.com/threats/malicious-microsoft-drivers/ (Thu, 13 Jul 2023)

After Microsoft revealed that some signed Windows drivers are malicious, security researchers discussed how big the problem is.

The post Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos appeared first on eSecurityPlanet.

After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could be in the thousands.

Talos researcher Chris Neal discussed how the security problem evolved in a blog post.

“Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority,” Neal wrote. “Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection.”

Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. “This process is intended to ensure that drivers meet Microsoft’s requirements and security standards,” he wrote.

Still, there are exceptions – most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015.

If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won’t be blocked. “As a result, multiple open source tools have been developed to exploit this loophole,” Neal wrote.

And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos “has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.”

Forged Timestamps

Neal said that two timestamp forging tools that are popular ways of developing game cheats are now being used by threat actors. The tools are FuckCertVerifyTimeValidity, launched in 2018, and HookSignTool, available since 2019.

“To successfully forge a signature, HookSignTool and FuckCertVerifyTimeValidity require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password,” Neal wrote. “During our research, we identified a PFX file hosted on GitHub in a fork of FuckCertVerifyTimeValidity that contained more than a dozen expired code signing certificates frequently used with both tools to forge signatures.”

Both tools present a serious threat, Neal said, since malicious drivers can give attackers kernel-level access to a system.

“Microsoft, in response to our notification, has blocked all certificates discussed in this blog post,” he noted.

A Real-World Example

In a separate blog post, Neal described one example of the threat, a malicious driver named RedDriver that’s been active since at least 2021. “Bypassing the driver signature enforcement policies by using HookSignTool allows a threat actor to deploy drivers that would otherwise be blocked from running,” he wrote. “RedDriver is a real-world example of this tool being effectively used in a malicious context.”

“During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows … RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1),” Neal wrote.

“As of publication time, the end goal of this browser traffic redirection is unclear,” he added. “However, regardless of intent, this is a significant threat to any system infected with RedDriver, as this allows all traffic through the browser to be tampered with.”

Defending Against Signed Drivers

Neal recommended blocking the certificates in question, “as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. However, it is important to note that compilation dates can be altered to match signature timestamps.”
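A defender-side triage check for the timestamp-forging pattern Neal describes, added here as an example (it is not Talos code): it reads the compile timestamp from a driver's PE file header and compares it with the Authenticode signature timestamp and the signing certificate's validity window, both of which are assumed to have been extracted separately by the caller. The sample PE header is constructed inline; as Neal notes, an altered compile date defeats the comparison, so the result is a triage signal rather than proof.

```python
import struct
from datetime import datetime, timezone

# Cut-off date for the signing-policy exception cited in the article.
CERT_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


def pe_compile_time(image: bytes) -> datetime:
    """Read TimeDateStamp from the COFF file header of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_driver(image: bytes, signing_time: datetime,
                  cert_not_before: datetime, cert_not_after: datetime) -> list:
    """Return triage findings for a signed driver.

    signing_time is the Authenticode (counter)signature timestamp and the
    cert_* values are the signing certificate's validity window; both are
    assumed to have been extracted from the signature by the caller.
    """
    findings = []
    built = pe_compile_time(image)
    # A file cannot be signed before it exists: a signature timestamp earlier
    # than the build is the forged-timestamp pattern (unless the compile date
    # was altered as well, which the article warns is possible).
    if signing_time < built:
        findings.append("SIGNED_BEFORE_BUILD")
    if not (cert_not_before <= signing_time <= cert_not_after):
        findings.append("SIGNED_OUTSIDE_CERT_VALIDITY")
    # Certificates issued before the cut-off fall under the policy exception
    # the forging tools rely on, so they deserve a closer look regardless.
    if cert_not_before < CERT_CUTOFF:
        findings.append("RELIES_ON_PRE_2015_CERT")
    return findings


def build_sample_pe(compile_time: datetime) -> bytes:
    """Constructed minimal PE header (DOS stub, PE signature, COFF header) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, int(compile_time.timestamp()), 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed case: certificate valid 2013-2014, driver built in 2023 but
    # carrying a 2014 signature timestamp so the signature appears valid.
    image = build_sample_pe(datetime(2023, 5, 1, tzinfo=utc))
    print(assess_driver(image, datetime(2014, 6, 1, tzinfo=utc),
                        datetime(2013, 1, 1, tzinfo=utc),
                        datetime(2014, 12, 31, tzinfo=utc)))
```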

KnowBe4 data-driven defense evangelist Roger Grimes told eSecurity Planet by email that an even greater threat could be presented if an attacker were to create something highly wormable. “A wormable exploit using a bogus signing certificate could cause a lot of problems,” he said.

The good news, Grimes said, is that all of this is preventable. “Microsoft provides several ways, such as Windows Defender Application Control, to prevent unwanted installing of drivers and software,” he said. “Customers just have to research how they work and enable them. Then this entire threat is gone.”

Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit
https://www.esecurityplanet.com/threats/romcom-exploit/ (Wed, 12 Jul 2023)

Microsoft's latest vulnerabilities include more than 100 malicious drivers and an unusual announcement of an unpatched Office and Windows flaw.

Microsoft’s Patch Tuesday for July 2023 includes nine critical flaws, and five are actively being exploited. Notably, one of those five remains unpatched at this point.

“While some Patch Tuesdays focus on fixes for minor bugs or issues with features, these patches almost purely focus on security-related issues,” Cloud Range vice president of technology Tom Marsland said by email. “They should be pushed to vulnerable machines immediately.”

The July 2023 fixes include updates for 130 vulnerabilities, a significant increase from last month’s total of 78. Here are the details.


Malicious Drivers Addressed by Advisory

Microsoft also released a pair of advisories. The first, ADV230001, warns that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) are being used maliciously by attackers who have gained admin privileges on compromised systems. The issue was first discovered by Sophos researchers on February 9.

“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified,” Microsoft said. “We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”

In a blog post, SophosLabs principal researcher Andrew Brandt reported that the advisory was published following a Sophos research discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021.

The second advisory, ADV230002, notes that Trend Micro released a patch in March for CVE-2023-28005, a secure boot bypass vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption. “Subsequently Microsoft has released the July Windows security updates to block the vulnerable UEFI modules by using the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list,” Microsoft said.

Actively Exploited Flaws

Microsoft identified five vulnerabilities that are being actively exploited:

  • CVE-2023-32046, an elevation of privilege vulnerability in Windows MSHTML with a CVSS score of 7.8
  • CVE-2023-32049, a security feature bypass vulnerability in Windows SmartScreen with a CVSS score of 8.8
  • CVE-2023-36874, an elevation of privilege vulnerability in the Windows Error Reporting Service with a CVSS score of 7.8
  • CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML with a CVSS score of 8.3
  • CVE-2023-35311, a security feature bypass vulnerability in Microsoft Outlook with a CVSS score of 8.8

Ivanti vice president of security products Chris Goettl said by email that CVE-2023-32046 could be leveraged in a variety of ways, including email and web-based attacks. “If exploited, the attacker would gain the rights of the user that is running the affected application, so running least privilege would help to mitigate the impact of this vulnerability and force the attacker to take additional steps to take full control of the target system,” he wrote.

Action1 vice president of vulnerability and threat research Mike Walters observed in a blog post that CVE-2023-35311 requires user interaction but not elevated privileges. “It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” he wrote. “Therefore, attackers are likely to combine it with other exploits for a comprehensive attack.”

CVE-2023-36874, Walters noted, can be exploited locally with low complexity and without requiring elevated privileges or user interaction. “To exploit this vulnerability, an attacker needs to gain access to the system using other exploits or harvested credentials,” he wrote. “The compromised user account must have the ability to create folders and performance traces on the computer, which is typically available to normal users by default.”

Unpatched RomCom Office Exploit

In an unusual move, CVE-2023-36884 was announced with no patch yet available.

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products,” Microsoft said. “Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company added. “This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

A separate Microsoft blog post links CVE-2023-36884 to a phishing campaign by a Russian hacker group named Storm-0978 or RomCom, which has been “targeting defense and government entities in Europe and North America” by “using lures related to the Ukrainian World Congress.” The campaign was first detected in June 2023.

Microsoft Defender for Office 365 protects users from attachments designed to exploit CVE-2023-36884. Microsoft said organizations that don’t have those protections can set the registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION to avoid exploitation.

“Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications,” the company added.

Rapid7 lead software engineer Adam Barnett told eSecurity Planet that a patch could be issued as part of next month’s Patch Tuesday, but admins should be alert for a potential earlier fix.

“Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-36884,” Barnett said.

Remote Desktop Flaw

Cyolo head of research Dor Dali highlighted CVE-2023-35332, a security feature bypass flaw in Windows Remote Desktop Protocol with a CVSS score of 6.8. The issue is linked to the fact that the RDP Gateway enforces the use of Datagram Transport Layer Security (DTLS) version 1.0, which has been deprecated since March 2021 due to known flaws.

“This vulnerability not only presents a substantial security risk, but also a significant compliance issue,” Dali said by email. “The use of deprecated and outdated security protocols, such as DTLS 1.0, may lead to non-compliance with industry standards and regulations – like SOC2, FEDRAMP, PCI, HIPAA, and others.”

If it’s not possible to apply Microsoft’s update, Dali recommends simply disabling UDP support in the RDP Gateway. “This prevents the establishment of the secondary channel over UDP, eliminating the use of the deprecated DTLS 1.0 and thereby mitigating the vulnerability – a necessary step that could potentially impact performance, but that will ensure security and compliance until the server can be updated,” he said.

Enterprise SIEMs Miss 76 Percent of MITRE ATT&CK Techniques
https://www.esecurityplanet.com/networks/siem-mitre-attack/ (Tue, 27 Jun 2023)

Most SIEM systems are missing the vast majority of MITRE ATT&CK techniques. Here's what to do.

Security information and event management (SIEM) systems only have detections for 24 percent of the 196 techniques in MITRE ATT&CK v13, according to a new report.

“This implies that adversaries can execute around 150 different techniques that will be undetected by the SIEM,” says the CardinalOps report. “Or stated another way, SIEMs are only covering around 50 techniques out of all the techniques that can potentially be used by adversaries.”

The Third Annual Report on the State of SIEM Detection Risk by detection posture management vendor CardinalOps is based on analysis of configuration metadata from a wide variety of SIEM instances, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, across verticals that include banking and financial services, insurance, manufacturing, energy, media and telecom, professional and legal services, and managed security services providers (MSSPs) and managed detection and response (MDR) vendors.


Misconfigured SIEM Rules

The researchers also found that 12 percent of all SIEM rules are broken and will never fire due to issues like misconfigured data sources, missing fields, and parsing errors.

“Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice, creating a false impression of their detection posture,” the report states.

Key reasons for that gap, according to CardinalOps, include complexity, constant change, the unique nature of each enterprise, error-prone manual processes, and challenges in hiring and retaining skilled personnel.


Plenty of Data, Not Enough Detections

At the same time, CardinalOps found that SIEMs already ingest enough data to cover 94 percent of all MITRE ATT&CK techniques. “This suggests we don’t need to collect more data, but rather we need to scale our detection engineering processes to develop more detections faster,” the report states.

Security layers monitored by SIEMs, according to the findings, include Windows (96 percent), Network (96 percent), Identity and Access Management (96 percent), Linux/Mac (87 percent), Cloud (83 percent), and Email (78 percent).

Still, just 32 percent monitor containers. “One explanation for this might be that, due to the dynamic nature of microservices-based application environments, monitoring them can be a hefty challenge and they are likely to bring a significant volume of data to SIEM platforms,” the report suggests. “Another explanation might be that detection engineers are challenged by the prospect of writing high-fidelity detections to alert on anomalous activity for these highly-dynamic assets.”

Key Steps to Take

The report offers four key recommendations to enhance SIEM detection coverage and quality — starting with reviewing current SIEM processes.

The other three recommendations are:

  • Become more intentional about how you develop and manage detection content
  • Build or refresh your use case management processes
  • Measure and continuously improve

As part of the first step of reviewing current processes, the report offers a number of avenues for inquiry:

  • What is the approach for finding false negatives – and what adversary techniques, behaviors, and threats are being missed?
  • How are use cases managed and prioritized? “Typically, we find they’re added to the backlog via an ad-hoc process,” driven by a combination of:
      • Threat analysts and threat intelligence
      • Breach and attack simulation (BAS) tools
      • News about high-profile attacks and vulnerabilities
      • Manual pentesting
      • Red teaming
  • How are detections developed today and what is the process for turning threat knowledge into detections?
  • How long does it typically take to develop new detections?
  • Is there a systematic process to periodically identify detections that are no longer functional due to infrastructure changes, changes in vendor log source formats, etc.?
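A systematic version of the last question above, and of the broken-rule finding earlier in the article, written as an added example (it is not from the CardinalOps report): given detection rules that name the log source and fields they query and the ATT&CK technique they cover, plus a sample of recently ingested events, it flags rules that can never fire because their source has gone silent or their fields are never parsed, then counts technique coverage only from rules that actually work. The rule inventory, events and technique list are constructed; the technique IDs are real ATT&CK IDs used only as labels.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # log source the rule queries
    fields: tuple    # fields its condition references
    technique: str   # ATT&CK technique the rule is meant to detect


# Constructed rule inventory; sources and field names are illustrative.
RULES = [
    Rule("brute_force_logon", "windows_security",
         ("EventID", "TargetUserName", "IpAddress"), "T1110"),
    Rule("encoded_powershell", "windows_powershell", ("ScriptBlockText",), "T1059"),
    Rule("rdp_lateral_movement", "windows_security",
         ("EventID", "LogonType", "IpAddress"), "T1021"),
    Rule("container_escape", "k8s_audit", ("verb", "objectRef.resource"), "T1611"),
]

# Constructed sample of recently ingested, already-parsed events.
EVENTS = [
    {"_source": "windows_security", "EventID": 4625,
     "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"_source": "windows_security", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "bob", "IpAddress": "10.0.0.7"},
    # The PowerShell parser in this sample never emits ScriptBlockText,
    # as happens after a vendor log format change breaks a field mapping.
    {"_source": "windows_powershell", "EventID": 4104, "Message": "constructed"},
]

# Constructed subset of the ATT&CK catalogue the team wants covered.
TECHNIQUES = ["T1110", "T1059", "T1021", "T1611", "T1078"]


def observed_fields(events):
    """Map each log source to the set of field names actually seen in its events."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["_source"]].update(k for k in ev if k != "_source")
    return seen


def audit_rules(rules, events):
    """Return {rule_name: reason} for rules that cannot fire against this data."""
    seen = observed_fields(events)
    broken = {}
    for rule in rules:
        if rule.source not in seen:
            broken[rule.name] = f"no events from source '{rule.source}'"
            continue
        missing = [f for f in rule.fields if f not in seen[rule.source]]
        if missing:
            broken[rule.name] = "fields never present: " + ", ".join(missing)
    return broken


def technique_coverage(rules, broken, techniques):
    """Techniques covered by at least one working rule, and the covered fraction."""
    working = {r.technique for r in rules if r.name not in broken}
    covered = working & set(techniques)
    return covered, len(covered) / len(techniques)


if __name__ == "__main__":
    broken = audit_rules(RULES, EVENTS)
    for name, reason in broken.items():
        print(f"BROKEN {name}: {reason}")
    covered, ratio = technique_coverage(RULES, broken, TECHNIQUES)
    print(f"coverage: {sorted(covered)} ({ratio:.0%} of {len(TECHNIQUES)} techniques)")
```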

“Most organizations don’t have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs,” CardinalOps CEO and co-founder Michael Mumcuoglu said in a statement. “This is important because preventing breaches starts with having the right detections in your SIEM – according to the adversary techniques most relevant to your organization – and ensuring they’re actually working as intended.”

Windows PGM Accounts for Half of Patch Tuesday’s Critical Flaws
https://www.esecurityplanet.com/threats/windows-pgm-vulnerabilities/ (Tue, 13 Jun 2023)

Microsoft’s Patch Tuesday for June 2023 addresses 78 vulnerabilities, a significant increase from last month’s total of 37. While six of the flaws are critical, Microsoft says none are currently being exploited in the wild.

The six critical vulnerabilities are as follows:

  • CVE-2023-24897, a remote code execution vulnerability in .NET, .NET Framework, and Visual Studio, with a CVSS score of 7.8
  • CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server, with a CVSS score of 9.8
  • CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015, three remote code execution vulnerabilities in Windows Pragmatic General Multicast (PGM), each with a CVSS score of 9.8
  • CVE-2023-32013, a denial of service vulnerability in Windows Hyper-V, with a CVSS score of 6.5

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted in a blog post that this is the third month in a row in which Windows Pragmatic General Multicast (PGM) has had a flaw addressed with a CVSS score of 9.8. “While not enabled by default, PGM isn’t an uncommon configuration,” he wrote. “Let’s hope these bugs get fixed before any active exploitation starts.”

Action1 vice president of vulnerability and threat research Mike Walters separately observed that the three PGM flaws can be exploited over the network without requiring privileges or user interaction.

“To mitigate this vulnerability, consider checking if the Message Queuing service is running on TCP port 1801 and disable it if not needed,” Walters advised. “However, be cautious as this may impact system functionality. It is generally recommended to install the available patch instead of relying solely on mitigation strategies.”

Flaws in SharePoint, .NET, Visual Studio

Exploitation of the SharePoint Server flaw CVE-2023-29357, Walters noted, also requires no privileges or user interaction. “Customers using Microsoft Defender and the AMSI integration feature in their SharePoint Server farm(s) are protected against this vulnerability,” he wrote. “While there are no confirmed cases of exploitation yet, Microsoft warns that the likelihood of exploitation is high. It is essential for organizations using SharePoint 2019 to apply the patch to mitigate this serious vulnerability.”

Rapid7 lead software engineer Adam Barnett pointed out by email that while the FAQ provided with Microsoft’s advisory for CVE-2023-29357 states that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable, no related patches are listed for SharePoint 2016.

“Defenders responsible for SharePoint 2016 will no doubt wish to follow up on this one as a matter of some urgency,” Barnett wrote. “Microsoft also explains that there may be more than one patch listed for a particular version of SharePoint, and that every patch must be installed to remediate this vulnerability (although order of patching doesn’t matter).”

Regarding CVE-2023-24897, Barnett observed that exploitation of the flaw in .NET, .NET Framework and Visual Studio requires the attacker to trick a victim into opening a specially-crafted malicious file.

“Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years,” he wrote.


Other Noteworthy Flaws

Ivanti vice president of security products Chris Goettl noted by email that two lower-severity flaws were also patched in Microsoft Exchange Server.

“CVE-2023-32031 could potentially trigger malicious code in the context of the server’s account through a network call,” Goettl wrote. “CVE-2023-28310 could allow the attacker to execute code via a PowerShell remoting session. Neither have been disclosed or exploited, but given the sophistication of threat actors who specialize in targeting Exchange Server, it is recommended not to let these linger for long.”

And Silverfort senior research tech lead Dor Segal said by email that CVE-2023-29362, a remote code execution vulnerability in Remote Desktop Client with a CVSS score of 8.8, is also worth noting.

“Using an RDP client can give admins a false sense of security: they can see what’s going on in a remote server or that client’s computer, but they believe themselves to be protected from malicious activity on the client’s end thanks to the RDP,” Segal said. “This vulnerability unfortunately proves that wrong.”

“CVE-2023-29362 allows an attacker who has compromised a Windows machine to attack and spread to any RDP client connected to that same machine,” Segal added. “In the case of admins or other privileged machines, this could potentially lead to compromise of the entire domain. It’s worth noting that patching is needed on the client’s side – not the server’s – so we recommend first patching privileged clients before moving on to the rest of the clients in the organization.”

5 Ways to Configure a SIEM for Accurate Threat Detection
https://www.esecurityplanet.com/trends/configure-siem-for-threat-detection/ (Tue, 06 Jun 2023)

A security information and event management (SIEM) system is about as complicated as a security tool can get, pulling in log and threat data from a wide range of sources to look for signs of a cyber attack.

Not surprisingly, they can be challenging to manage. A Gurucul survey of over 230 security pros at the recent RSA Conference found that managing and configuring SIEM solutions can be an overwhelming task.

More than 42 percent of respondents said it takes weeks, months, or longer to add new data sources to their SIEM, and over 30 percent said they don’t know how to do so. Almost 17 percent said they aren’t confident their SIEM can detect unknown threats, and almost 21 percent simply don’t know if it can or not.

Over 61 percent of respondents said they get more than 1,000 security alerts a day, and almost 20 percent said they get too many alerts to count.

In an interview with eSecurity Planet, Gurucul vice president of product marketing and solutions Sanjay Raja said getting control of that flood of information – and making good use of it – requires effective configuration and customization.


Cloud Data Adds to SIEM Challenges

The cloud is a key factor in the SIEM configuration challenge. As organizations move more and more infrastructure to the cloud, the amount of data available for analysis just keeps growing, Raja said.

“Each architecture in the cloud is offering its own datasets, and it’s actually offering a lot more detail…and there’s a lot more alerting going on because of that,” he said.

At the same time, Raja said it’s often unclear whether the data security teams are getting from the cloud is actually what they need. “Are you getting the right datasets? Are you getting a complete set of datasets? People are struggling with trying to understand, ‘Am I really seeing everything from the cloud that I need to?'”

That can quickly become overwhelming. “A lot of the folks on the SOC team aren’t experts on the cloud,” Raja said. “Sure, the cloud team is really responsible for moving anything over to there, but now, as a security administrator, I have to be able to understand what that data means.”

So security experts now have to become cloud experts as well. “Before, I didn’t really have to know a ton about the app, or about the server – those are more simplistic. The cloud is much more complex,” Raja said. “And it becomes even worse when you’ve got multi-cloud environments.”


Detection Engineering

Helping security analysts parse the data that comes in is also an ongoing challenge. To address that challenge, Gurucul is seeing the rise of detection engineering groups, Raja said. “They’ve always been there, but they’re becoming more important to organizations to be able to configure and refine down the amount of data that gets sent to the security analysts.”

Raja said Gurucul also sees a lot of organizations struggling to support new devices, or new versions of devices. “The data changes, and now I need to be able to look at it differently, and yet the data parsers that were included with my platform don’t support that new version, so what do I do? This is where they go back to a detection engineer and build a parser that way.”

It’s also critically important to build effective detection models, monitoring for activity that crosses specific thresholds such as repeated login attempts. “You need the ability to either create your own models, or ideally to customize existing models, because now you can tweak them for your organization and your IT and governance rules,” Raja said.

That’s inevitably an ongoing process, with models having to be modified in response to new threats. “If I see a really high-profile attack out there that does some known behavior, I want to be able to tweak that in my model to go, ‘Okay, I’ve seen this is a problem – let me change the model a bit, and now I’m ready for it,'” Raja said.

Five Key Areas of SIEM Configuration

Ultimately, Raja said, there are five key things to keep in mind regarding SIEM configuration if you want to avoid the kind of overload and frustration found among the security pros surveyed at RSA.

  1. Configure the full set of data sources you want to pull in: “Configuring your SIEM to be able to pull in all that data across cloud, across regions, remote, is very important, because otherwise you’re not getting a complete picture.”
  2. Configure the SIEM to parse incoming data effectively: “That means, as a SOC, I’m monitoring the things that are important from a security standpoint, and sifting through all the other data to figure out, is this important or is it not important?”
  3. Configure cloud sources to send the right data to the SIEM: “A lot of times, the security admin doesn’t know whether what the cloud is sending is correct or not, so they have to work with the cloud team to make sure they’re getting the right data for monitoring purposes.”
  4. Configure the SIEM to leverage identity data effectively: “If you can pull that data into your SIEM and view it in your SIEM, you can start to look at that dataset and be more effective at determining what’s allowed and what’s not.”
  5. Build an effective and comprehensive set of threat models: “The included models in most SIEMs are pretty light, and they’re pretty limited. If you can get detection engineering to build a set of robust threat models, that’s going to help detect a threat faster.”

Effective configuration makes the rest of your job much easier. “The more you can do up front around configuring things right, getting things working and deployed properly, and being able to parse data properly, the more it makes all the other functions easier within a SOC,” he said.

New Apple RSR Flaw Blocks MDM Functionality on macOS Devices
https://www.esecurityplanet.com/mobile/apple-rsr-flaw/ (Wed, 24 May 2023)

Addigy, which provides management solutions for Apple devices, today warned that Apple’s new Rapid Security Response (RSR) updates aren’t being delivered to as many as 25 percent of macOS devices in managed environments, and that the failure to do so is also impacting mobile device management (MDM) stacks on those devices.

RSR updates are new – the first batch was delivered at the beginning of this month. As Apple explained in a recent support document describing the updates, “They deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild.’”

Because RSR updates are focused solely on urgent security patches, it makes sense to install them as quickly as possible. While they can be disabled, they’re delivered and applied automatically by default.

Although there was an install issue discussed on Reddit earlier this month when the first RSR updates were released, the problem Addigy describes appears to be both more persistent and more complex.

Stuck Updates and Unresponsive MDM

By checking customer environments in which its clients have macOS and iOS devices under management, Addigy found that some macOS devices end up in a “stuck” state in which the RSR update is delivered but never installed.

“More concerningly, there is no way for IT departments to know which machines are not implementing RSR updates without manually inspecting each machine and enabling the update,” Addigy warned today.

Critically, the stuck state also impacts the MDM stack on the affected device. “Addigy discovered the RSR wasn’t being implemented after finding that the MDM client binary gets stuck after executing the OSUpdateScan command and stops communicating with the Apple MDM Framework that Addigy follows,” the company said.

“If the MDM client on the device is unresponsive, necessary MDM actions are delayed, leading to potential security vulnerabilities in this critical RSR case,” the company added.

One in Four macOS Devices

According to Addigy, the issue affects only macOS devices, not iPhones or iPads, and impacts roughly one in four MDM-managed macOS devices. “As a result, all MDM vendors and customers are encouraged to audit their environments to ensure the critical RSR update is making its way onto every eligible machine under management,” the company said.

In response, Addigy has released a new MDM Watchdog utility that monitors the MDM framework on devices for the stuck condition described above and automatically fixes any in which it’s discovered.

“The stuck state condition we discovered within our customers’ environments affects one out of every four devices, so the impact to macOS environments in any enterprise is likely the same,” Addigy CEO Jason Dettbarn said in a statement.

A Threat to Passkeys? BrutePrint Attack Bypasses Fingerprint Authentication
https://www.esecurityplanet.com/mobile/bruteprint-fingerprint-authentication-attack/
Tue, 23 May 2023 02:53:24 +0000

Security researchers recently published a paper detailing an attack they say can be used to bypass smartphone fingerprint authentication.

Yiling He of China’s Zhejiang University and Yu Chen of Tencent Security’s Xuanwu Lab are calling the attack BrutePrint, which they say can be used to hijack fingerprint images.

An attack like BrutePrint could present a significant threat to passkeys, an increasingly popular replacement for passwords that relies on the device’s own unlock methods, such as fingerprint authentication or face recognition.

And the attack is cheap to carry out. “The adversarial equipment is mainly a printed circuit board (PCB), which is inexpensive and universal,” the researchers wrote. “For specific smartphone models, adaptive flexible printed circuit (FPC) is required. The equipment costs around 15 dollars in total.”

Also read: Google Launches Passkeys in Major Push for Passwordless Authentication

Bypassing Attempt Limits

Simply put, BrutePrint acts as a middleman to bypass any attempt limits and to hijack fingerprint images. “Specifically, the bypassing exploits two zero-day vulnerabilities in smartphone fingerprint authentication (SFA) framework, and the hijacking leverages the simplicity of SPI [Serial Peripheral Interface] protocol,” the researchers wrote.

The two zero-days leveraged in the attack, either of which can be used to bypass attempt limits, are a Cancel-After-Match-Fail (CAMF) flaw and a Match-After-Lock (MAL) flaw. “Instead of an implementation bug, CAMF and MAL leverage logical defects in the authentication framework,” the researchers wrote. “Therefore, it exists across various models and OSes.”

Trying the attack on 10 different smartphone models running up-to-date operating systems, the researchers were able to exceed the attempt limit threefold on Touch ID devices, and they enabled unlimited attempts on Android devices, clearing the way for brute-force attacks.

They tested the attacks on the following devices, covering iOS, Android, and HarmonyOS: Apple iPhone SE and iPhone 7, Samsung Galaxy S10+, OnePlus 5T and 7 Pro, Huawei P40 and Mate30 Pro 5G, OPPO Reno Ace, Vivo X60 Pro, and Xiaomi Mi 11 Ultra.

Also read: Mobile Malware: Threats and Solutions

Fingerprint Image Hijacking

For fingerprint image hijacking, the researchers took advantage of a weakness in fingerprint sensors’ SPI protocol to enable man-in-the-middle attacks.

“SFA sensors except Touch ID do not encrypt any data and lack mutual authentication,” they wrote. “Together with the frequency that is possible for injection, the situation leads SFA vulnerable to MITM attack on SPI.”

“Fingerprint image hijacking is feasible on all devices except for Apple, which is the only one that encrypts fingerprint data on SPI,” they added.

[Figure: BrutePrint attack overview]

How to Respond to the BrutePrint Threat

To mitigate the CAMF flaw, the researchers recommended an additional attempt limit that also counts error-cancelled attempts – and more importantly, to close the SPI man-in-the-middle channel used for image hijacking, they urged fingerprint sensor vendors to encrypt the fingerprint data that crosses the sensor-to-host link.
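The following is an added example, not code from the BrutePrint paper or from any vendor’s fingerprint framework. It is a toy model of the attempt-limit logic that a Cancel-After-Match-Fail defect undermines (the bypass described under “Bypassing Attempt Limits”), run once with the vulnerable ordering and once with the error-cancel limit the researchers recommend above. The template identifiers, the dictionary, and the assumption that the framework acts on a successful match before it handles a sensor error are all constructed for illustration; a real framework compares sensor images, not strings.

```javascript
// Added example, not code from the BrutePrint paper: a toy model of the
// attempt-limit logic that a Cancel-After-Match-Fail defect undermines, with
// the error-cancel limit the researchers recommend as the fix.
// Templates are stand-in strings; a real framework compares sensor images.
const ATTEMPT_LIMIT = 5;

class FingerprintFramework {
  // countCancelled=false models the vulnerable ordering (an assumption of this
  // model): a sensor error that arrives after a failed match cancels the
  // attempt before it is counted. countCancelled=true adds a separate limit
  // on error-cancelled attempts.
  constructor(enrolledTemplate, countCancelled) {
    this.enrolled = enrolledTemplate;
    this.countCancelled = countCancelled;
    this.failed = 0;      // attempts recorded as match failures
    this.cancelled = 0;   // attempts aborted by a data error
    this.locked = false;
  }

  // One authentication round. An attacker in the SPI man-in-the-middle
  // position controls both the sample and whether its checksum is valid.
  authenticate(sample, checksumValid) {
    if (this.locked) return 'locked';
    const matched = sample === this.enrolled;
    if (matched) return 'unlocked';            // a hit is acted on before any error handling
    if (!checksumValid) {                      // match failed, then the error cancels the attempt
      if (this.countCancelled) {
        this.cancelled += 1;
        if (this.cancelled >= ATTEMPT_LIMIT) this.locked = true;
      }
      return 'cancelled';                      // without the fix, nothing was recorded
    }
    this.failed += 1;
    if (this.failed >= ATTEMPT_LIMIT) this.locked = true;
    return 'failed';
  }
}

// Brute force: submit each candidate template with a deliberately corrupted
// checksum, so every miss is cancelled rather than counted.
function bruteForce(framework, dictionary) {
  let attempts = 0;
  for (const candidate of dictionary) {
    attempts += 1;
    if (framework.authenticate(candidate, false) === 'unlocked') {
      return { unlocked: true, attempts };
    }
    if (framework.locked) return { unlocked: false, attempts };
  }
  return { unlocked: false, attempts };
}

// Constructed scenario: a 50-entry dictionary whose 37th entry is the
// enrolled template (hypothetical identifiers, not real fingerprint data).
function simulate() {
  const dictionary = Array.from({ length: 50 }, (_, i) => `template-${i + 1}`);
  const enrolled = 'template-37';
  return {
    vulnerable: bruteForce(new FingerprintFramework(enrolled, false), dictionary),
    hardened: bruteForce(new FingerprintFramework(enrolled, true), dictionary),
  };
}

console.log(JSON.stringify(simulate(), null, 2));
```

With the vulnerable ordering the attacker walks the whole dictionary and unlocks on the 37th candidate, more than seven times the nominal limit of five; with cancelled attempts counted, the device locks after the fifth corrupted submission. The point the model makes is the one the researchers make: the defect is in the order of the checks, not in the matcher.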

And it’s not just about smartphones – they warned that BrutePrint could also be applied to other biometric systems.

“The unprecedented threat needs to be settled in cooperation of both smartphone and fingerprint sensor manufacturers, while the problems can also be mitigated in OSes,” they wrote. “We hope this work can inspire the community to improve SFA security.”

Cisco Warns of Multiple Flaws in Small Business Series Switches
https://www.esecurityplanet.com/threats/cisco-small-business-switch-flaws/
Thu, 18 May 2023 23:15:30 +0000

Cisco is warning that nine significant vulnerabilities in its Small Business Series Switches could enable unauthenticated remote attackers to cause a denial-of-service condition or execute arbitrary code with root privileges on affected devices.

The vulnerabilities are caused by improper validation of requests sent to the switches’ web interfaces, the company said.

While the Cisco Product Security Incident Response Team (PSIRT) says it’s not aware of any malicious use of these flaws, it says proof-of-concept exploit code is available online.

Vulnerable products include 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, Business 250 Series Smart Switches, Business 350 Series Managed Switches, Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches.

Despite the severity of the flaws, Cisco says the last three products in the list above won’t be covered by software updates or by workarounds because they’ve entered the end-of-life process. “Cisco has not and will not release firmware updates to address the vulnerabilities described in the advisory for these devices,” the company stated.

Nine Independent Vulnerabilities

The flaws are not dependent on one another. “Exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” the company explained. “In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.”

The flaws, according to Cisco, include the following:

  • CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 – four vulnerabilities with a critical CVSS score of 9.8 that could enable an unauthenticated remote attacker to execute arbitrary code with root privileges.
  • CVE-2023-20024, CVE-2023-20156, CVE-2023-20157, and CVE-2023-20158 – four vulnerabilities with a high CVSS score of 8.6 that could enable an unauthenticated remote attacker to cause a denial-of-service condition.
  • CVE-2023-20162 – one vulnerability with a high CVSS score of 7.5 that could enable an unauthenticated remote attacker to access unauthorized information.

APT Group Targeting TP-Link Routers

Separately, the Check Point Research Threat Intelligence Team recently uncovered a malicious firmware implant for TP-Link routers that provides attackers with full control of infected devices.

The researchers say the implant’s firmware-agnostic design could allow it to be integrated into other brands of routers as well. “While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors,” the researchers noted.

Check Point attributes the custom MIPS32 ELF implant, named Horse Shell, to a Chinese state-sponsored advanced persistent threat (APT) group they’re calling Camaro Dragon.

The discovery was made while investigating a series of targeted cyber attacks against European foreign affairs entities, though the researchers noted that router implants are often installed arbitrarily in order to create a chain of infected nodes.

“We are unsure how the attackers managed to infect the router devices with their malicious implant,” the researchers wrote. “It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication.”

Ransomware Vulnerabilities Not Always Detected

In other vulnerability news, researchers from Securin, Ivanti and Cyware said that vulnerability scanning solutions from Tenable, Nexpose and Qualys are not detecting 18 high-risk vulnerabilities exploited by ransomware groups (see the figure below).

They also noted that while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has prioritized 63% of vulnerabilities that are exploited by ransomware gangs in its Known Exploited Vulnerabilities (KEV) catalog, “there are still 131 vulnerabilities that are being exploited by ransomware that need to be included in the KEV catalog.”

Also read: How to Recover From a Ransomware Attack

[Figure: Ransomware vulnerabilities undetected by scanners]

Microsoft Flaws Include Secure Boot Bypass, System-Level Takeovers
https://www.esecurityplanet.com/threats/secure-boot-bypass-fix/
Wed, 10 May 2023 14:16:04 +0000
Microsoft’s Patch Tuesday for May 2023 fixes two actively exploited vulnerabilities, including a Secure Boot bypass and a system-level takeover.

Microsoft’s Patch Tuesday for May 2023 addresses 38 vulnerabilities, the smallest Patch Tuesday in quite a while. Still, six of the flaws are critical, and two others are currently being exploited in the wild.

The six critical flaws are:

  • CVE-2023-24903, a remote code execution vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP)
  • CVE-2023-24941, a remote code execution vulnerability in the Windows Network File System — we’ll go more in depth on this one
  • CVE-2023-24943, a remote code execution vulnerability in Windows Pragmatic General Multicast (PGM)
  • CVE-2023-24955, a remote code execution vulnerability in Microsoft SharePoint Server (more on this one below)
  • CVE-2023-28283, a remote code execution vulnerability in Windows Lightweight Directory Access Protocol (LDAP)
  • CVE-2023-29325, a remote code execution vulnerability in Windows OLE, also discussed below

Actively Exploited Vulnerabilities

The first of the two flaws that are being actively exploited, CVE-2023-29336, is a Win32k elevation of privilege vulnerability with a CVSS score of 7.8 – but as Ivanti vice president of security products Chris Goettl pointed out in a blog post, the security rating is less important than the fact that it’s actively being exploited. “The exploit doesn’t require user interaction and if exploited would give the attacker system-level privileges,” he noted.

The second flaw being actively exploited is CVE-2023-24932, a Windows Secure Boot security feature bypass vulnerability with a CVSS score of 6.7 – again, Goettl said, it’s best to ignore the rating and focus on the confirmed exploits. “The vulnerability does require the attacker to have either physical access or administrative permissions on the target system, with which they can install an affected boot policy that’ll be able to bypass Secure Boot to further compromise the system,” he wrote.

Flaw Leveraged by BlackLotus for Evasion

Separate Microsoft guidance notes that the vulnerability tracked as CVE-2023-24932 is being used by the BlackLotus bootkit in its exploitation of CVE-2022-21894, a Secure Boot vulnerability first patched more than a year ago. “This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled,” Microsoft noted. “This is used by threat actors primarily as a persistence and defense evasion mechanism.”

Action1 vice president of vulnerability and threat research Mike Walters noted in a blog post that additional steps are required to mitigate CVE-2023-24932, as noted in the Microsoft support article KB5025885. “Considering that this vulnerability is already being actively exploited and poses the risk of delivering malware during boot time, it is strongly advised to promptly apply the provided update and take the necessary precautions,” Walters wrote.

Another significant flaw that demands immediate attention, Walters suggested, is CVE-2023-24941, a critical remote code execution vulnerability in the Windows Network File System (NFS) with a CVSS score of 9.8. “This vulnerability pertains to NFS version 4.1, following a series of vulnerabilities in different NFS versions last year,” he wrote. “Although version 4.1 was previously fixed, it has now been found to possess another flaw.”

“With a network attack vector and low attack complexity, this vulnerability requires no privileges or user interaction to exploit,” Walters added.

Also read: Patch Management Policy: Steps, Benefits and a Free Template

SharePoint and Outlook Vulnerabilities

Silverfort senior researcher Yoav Iellin noted by email that several of the flaws being addressed impact SharePoint, including CVE-2023-24950, CVE-2023-24955, and CVE-2023-24954.

“The first two vulnerabilities require user privileges to create a SharePoint site,” Iellin explained. “Once a threat actor has obtained the credentials of a user with these privileges, they could steal the NTLM hash of the SharePoint domain user and escalate their privileges. From this stage and using the three vulnerabilities together, a threat actor could potentially achieve the SharePoint server credentials.”

And while the Windows OLE remote code execution flaw CVE-2023-29325 might seem relatively innocuous, Iellin warned that it’s worth noting for its ease of exploitation.

“With this vulnerability, the simple act of glancing at a carefully crafted malicious email in Outlook’s preview pane is enough to enable remote code execution and potentially compromise the recipient’s computer,” Iellin said. “At this stage, we believe Outlook users will be the main attack vector, although it has the potential to be used in other Office programs as well.”

Google Launches Passkeys in Major Push for Passwordless Authentication
https://www.esecurityplanet.com/applications/google-passkeys/
Thu, 04 May 2023 17:52:24 +0000
Passkeys are a promising technology for passwordless authentication, and Google is leading the way.

In a major move forward for passwordless authentication, Google is introducing passkeys across Google Accounts on all major platforms.

In a brief blog post entitled “The beginning of the end of the password,” Google group product manager Christiaan Brand and senior product manager Sriram Karra called passkeys “the easiest and most secure way to sign into apps and websites and a major step toward a ‘passwordless future.'”

Google’s move will make passkeys an additional verification option alongside passwords and two-factor verification. Passkeys can be created within Google accounts at g.co/passkeys.

Passkeys, Brand and Karra wrote, “let users sign into apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.”

Today’s announcement follows a plan introduced a year ago to implement passwordless support for FIDO Sign-in standards in Android and Chrome, with support from Apple and Microsoft. “Passkeys are a safer, faster, easier replacement for your password,” Microsoft corporate vice president of product management Alex Simons wrote at the time. Microsoft began its own move toward passwordless in Sept. 2021.

As Apple software engineering manager Ricky Mondello put it earlier today, “Step 1: Build everyone’s confidence in passkeys. Step 2: Yeet the password.”

Also read: What Is a Passkey? The Future of Passwordless Authentication

Your Device Is Your Password

In a separate blog post published today, Google’s Arnar Birgisson and Diana K. Smetters explained how passkeys work.

A cryptographic private key is stored on your device, and the corresponding public key is uploaded to Google. “When you sign in, we ask your device to sign a unique challenge with the private key,” Birgisson and Smetters wrote. “Your device only does so if you approve this, which requires unlocking the device. We then verify the signature with your public key.”

The device also ensures that the signature can only be shared with Google websites and apps. “This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.,” Birgisson and Smetters wrote.

“When you use a passkey to sign into your Google Account, it proves to Google that you have access to your device and are able to unlock it,” Birgisson and Smetters wrote. “Together, this means that passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach.”

Syncing Between Devices

Some platforms can sync passkeys to other devices using end-to-end encryption – a passkey created on an iPhone, for example, can also be accessed on other Apple devices that are signed into the same iCloud account. “This protects you from being locked out of your account in case you lose your devices, and makes it easier for you to upgrade from one device to another,” Birgisson and Smetters wrote.

Still, passkeys do allow anyone with physical access to your unlocked device to access your account. “While that might sound a bit alarming, most people will find it easier to control access to their devices rather than maintaining good security posture with passwords and having to be on constant lookout for phishing attempts,” Birgisson and Smetters wrote.

In the short term at least, some challenges remain. In response to a customer query, 1Password tweeted that “support for passkeys in 1Password isn’t available quite yet but will be coming this summer!” Another user noted that passkeys are not yet supported in Google Workspace, observing, “Workspace admins first have to enable passkeys, but the option is not available yet.”

And using Firefox on a MacBook Air with a fingerprint sensor, my attempt to create a passkey returned a frustratingly straightforward error message: “A passkey can’t be created on this device.” Unsurprisingly, though, it worked using Chrome.

[Figure: Passkey creation error message]

Despite any shortcomings or hiccups, Google’s announcement is a big step forward for passkeys, and for a future without passwords in general.
