Key material for the attack on Microsoft snuck out in a crash dump
- Microsoft has shared the results of its investigations (h/t Alex) into a nation-state attack using highly-sensitive key material for its user authentication and email services.
- The Chinese attackers, which Microsoft tracks as Storm-0558, used a consumer key to forge access tokens to access enterprise email accounts, including those of the US government (vol. 6, iss. 29).
- Microsoft says it has safeguards to protect its systems, with tightly controlled and extremely limited access to production environments, the only place where the key material lives. However, a system crash copied the signing key to a crash dump, which scanning systems did not detect, and was subsequently transferred out of the production infrastructure for debugging. The account of an engineer with access to this debugging environment was compromised with token-stealing malware, which gave the Storm-0558 group access to the key material. Microsoft has updated the systems to prevent and detect key material in crash dumps.
- Separately, incorrect assumptions by Microsoft developers and complexities around key validation mean that Microsoft’s email systems would “accept a request for enterprise email using a security token signed with the consumer key”.
- It’s great to see Microsoft being open about their findings (and, ironically, given the clamour around security logs being a premium feature, admitting to not having logs to hand for some of their investigation); however, the report does rather skip over the initial access to the engineer’s account.
- Ultimately, it looks like this was somewhat of a perfect storm of circumstances: if the key material had been detected and removed from the crash dump, it wouldn’t have happened; if the engineer’s account hadn’t been compromised, it wouldn’t have happened; if the key verification had been done correctly, it wouldn’t have happened. However, in an environment as large and as complex as Microsoft, the probabilities of such circumstances, I imagine, add up quite quickly.
- More coverage at Techcrunch, CyberScoop, and ArsTechnica
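The key-validation point above, reduced to code. This is an added, simplified model and not Microsoft’s implementation: two signing keys (a “consumer” one and an “enterprise” one, names constructed), HMAC in place of the real asymmetric keys, and a token format shaped like a compact JWS. The weak validator trusts any key in the trusted set; the hardened one also checks that the key which signed the token was issued for the token population the resource expects, so a token signed with the consumer key is rejected for enterprise mail even though its signature is perfectly valid.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys (not real key material). A real issuer publishes asymmetric
# keys via JWKS; HMAC secrets keep this example dependency-free. The field that
# matters is "scope": which token population each key is allowed to sign.
SIGNING_KEYS = {
    "consumer-kid-2023": {"secret": b"consumer-demo-secret", "scope": "consumer"},
    "enterprise-kid-2023": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}

# Constructed audience value for the enterprise mail service.
ENTERPRISE_MAIL_AUDIENCE = "https://mail.enterprise.example"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Issue a compact token (header.claims.signature) under the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signature(token: str):
    """Return (kid, claims) when the signature verifies under a known key, else None."""
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None
        kid = header.get("kid")
        if header.get("alg") != "HS256" or kid not in SIGNING_KEYS:
            return None
        expected = hmac.new(SIGNING_KEYS[kid]["secret"], f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return kid, claims
    except (ValueError, TypeError):  # malformed segments, base64 or JSON
        return None


def weak_accepts_enterprise_mail(token: str) -> bool:
    """The flawed assumption: a valid signature from *any* trusted key is enough."""
    verified = verify_signature(token)
    if verified is None:
        return False
    _, claims = verified
    return claims.get("aud") == ENTERPRISE_MAIL_AUDIENCE


def strict_accepts_enterprise_mail(token: str) -> bool:
    """Hardened: the signing key must itself be one issued for enterprise tokens."""
    verified = verify_signature(token)
    if verified is None:
        return False
    kid, claims = verified
    if SIGNING_KEYS[kid]["scope"] != "enterprise":
        return False  # consumer key on an enterprise request: reject regardless of claims
    return claims.get("aud") == ENTERPRISE_MAIL_AUDIENCE


if __name__ == "__main__":
    # A token whose claims name an enterprise user but which was signed with the consumer key.
    forged = sign_token("consumer-kid-2023", {"sub": "victim@corp.example", "aud": ENTERPRISE_MAIL_AUDIENCE})
    print("weak validator accepts forged token:  ", weak_accepts_enterprise_mail(forged))
    print("strict validator accepts forged token:", strict_accepts_enterprise_mail(forged))
```

The design point is that “is this signature valid?” and “is this key allowed to vouch for this kind of principal?” are two separate checks; a validator that keys its trust on signature validity alone collapses every key in the trust store into one.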
Attack on Okta customers used dummy federated identity provider
- Okta says four customers were hit by the recent social engineering campaign targeting super administrators. The attackers gained access to the accounts by getting the victim’s IT support personnel to reset the multi-factor authentication on the super admin accounts. Once the attackers had access to the victim’s Okta instance, they configured an additional identity provider, which they could use to spoof legitimate accounts with credentials known to the attackers and gain access to downstream systems.
- Allowing helpdesk personnel to reset Super Administrator accounts seems a weakness most organisations should try to avoid. It also sounds like Okta (and Microsoft, with ~Azure AD~ Entra) need to generate alerts or require second-person authorisation when making significant changes to identity provider configurations. Some rules for detecting these tactics, techniques and procedures are available on Okta’s website.
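The alerting suggested above, as an added example that is not Okta’s published rules: three detections run over constructed events shaped like Okta System Log entries. The event-type strings follow Okta’s naming convention but are assumed here rather than taken from the page, so confirm them against the System Log reference before deploying; the account names and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Accounts whose MFA should never be reset without a second pair of eyes (constructed).
SUPER_ADMINS = {"superadmin@corp.example"}

# Assumed Okta System Log event types; verify against Okta's reference before use.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
IDP_CHANGE_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}

# An IdP change this soon after the actor's own MFA was reset is the pattern described above.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample events (not real log data): a normal sign-in, a helpdesk MFA reset
# on a super admin, then that super admin adding a new identity provider 33 minutes later.
SAMPLE_EVENTS = [
    {"uuid": "ev-1", "published": "2023-09-01T09:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@corp.example"}, "target": []},
    {"uuid": "ev-2", "published": "2023-09-01T09:42:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@corp.example"},
     "target": [{"type": "User", "alternateId": "superadmin@corp.example"}]},
    {"uuid": "ev-3", "published": "2023-09-01T10:15:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "superadmin@corp.example"},
     "target": [{"type": "IdentityProvider", "displayName": "Backup SAML IdP"}]},
]


def event_time(event: dict) -> datetime:
    # Okta timestamps are ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def detect(events, super_admins=SUPER_ADMINS):
    """Run the rules over events (in any order) and return alerts, oldest first."""
    alerts = []
    last_reset_for = {}  # user -> time their MFA was most recently reset
    for ev in sorted(events, key=event_time):
        etype = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        when = event_time(ev)
        targets = [t.get("alternateId") or t.get("displayName", "?") for t in ev.get("target", [])]

        if etype in MFA_RESET_EVENTS:
            for user in targets:
                last_reset_for[user] = when
                if user in super_admins:
                    alerts.append({"rule": "mfa_reset_on_super_admin", "severity": "high",
                                   "event": ev["uuid"], "actor": actor, "target": user})
        elif etype in IDP_CHANGE_EVENTS:
            # Any federation change is worth a human look: it can mint trusted identities.
            alerts.append({"rule": "idp_config_change", "severity": "high",
                           "event": ev["uuid"], "actor": actor, "target": ", ".join(targets)})
            reset_at = last_reset_for.get(actor)
            if reset_at is not None and when - reset_at <= CORRELATION_WINDOW:
                alerts.append({"rule": "idp_change_after_mfa_reset", "severity": "critical",
                               "event": ev["uuid"], "actor": actor, "target": ", ".join(targets)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["severity"]:8} {alert["rule"]:28} {alert["event"]} {alert["actor"]} -> {alert["target"]}')
```

The correlated rule is the one that separates a routine support ticket from the campaign described: an MFA reset on its own is common, and a new IdP on its own is rare but legitimate, while the two in sequence on the same privileged account is the tell.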
Online Safety Bill
- The UK government has backed down from a confrontation with Big Tech and privacy advocates over a controversial clause requiring telecommunications companies to scan messages for ‘harmful content’. Ofgem, the telco regulator, will only enforce the requirement once it is “technically feasible”.
“There is, let me be clear, no intention by the government to weaken the encryption technology used by platforms and we’ve built in strong safeguards into the bill to ensure user’s privacy is protected” — Lord Stephen Parkinson, Parliamentary Under-Secretary of State for Arts and Heritage.
- Primary concerns centred on how the mass-scanning of end-to-end encrypted messages could be achieved without deliberately weakening said encryption. That led Apple (vol. 6, iss. 27), WhatsApp and Signal to all come out against the proposed legislation, and some to threaten to leave the UK market altogether.
- There are further concerns over the potential misuse or abuse of technology and such capabilities by domestic and foreign authorities for surveillance. Former NCSC CEO Ciaran Martin penned an opinion piece for the FT warning that the controversial powers may damage Britain’s reputation and then never be used (vol. 6, iss. 16).
84% of 25 popular car manufacturers say they can share your data, and 76% say they can sell personal data collected in their vehicles, which the Mozilla Foundation describes as “the worst product category we have ever reviewed for privacy.”
68% of repeat participants in a study into the inconsistencies of the Common Vulnerability Scoring System (CVSS) gave different severity ratings to the same vulnerabilities nine months later. Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities, Wunder et al. (PDF).
“CVSS is like democracy: the worst system available, except for all the other systems ever tried.” — participant in the CVSS study
Other newsy bits / in brief
The International Criminal Court at The Hague has stated that it will investigate and prosecute cybercrimes that violate the Rome Statute (genocide, crimes against humanity, war crimes, and the crime of aggression). In an interview, ICC’s lead prosecutor Karim Khan initially shared the change, with an ICC spokesperson confirming prosecutions may be brought “in certain circumstances” and “where the case is sufficiently grave.”
Police Service of Northern Ireland (PSNI) Chief Constable Simon Byrne has resigned following ‘discontent’ from officers after the accidental release of their personal data by the force in August (vol. 6, iss. 33).
The UK Electoral Commission has admitted failing Cyber Essentials in 2021. The failure was around outdated operating systems on some computer devices and mobile phones, which the Commission points out is unrelated to the “complex cyber-attack” (vol. 6, iss. 33) which compromised their email server in the same year.
Toyota’s shutdown of production at fourteen of its Japanese factories two weeks ago was “not caused by a cyberattack” but because its production order system ran out of disk space.
LastPass is ‘the common thread’ between a string of cryptocurrency thefts from 150 people totalling $35 million, says MetaMask. Taylor Monahan, MetaMask’s lead product manager, speculates that someone may have gained access to the ‘seed phrase’ needed to access the victims’ wallets, which the victims had stored in their password manager. LastPass lost all of their customers’ password vault data at the end of 2022 (vol. 5, iss. 49).
Zaun, a high-security fencing manufacturer and supplier to the UK Ministry of Defence, was compromised by the LockBit ransomware group. While systems weren’t encrypted, around 10GB of data may have been exfiltrated, though the company says that it “[does] not believe that any classified documents… have been compromised”. LockBit gained entry through a computer running the end-of-life Windows 7 operating system.
See Tickets has disclosed a data breach affecting 323,000 customers between 28th February and 2nd July. The description of the incident sounds like MageCart-style card-skimming, with attackers “inserting multiple instances of malicious code into a number of its e-commerce checkout pages.”
Swedish insurer Trygg-Hansa has been fined 35M kr (~£2.5M; ~$3.1M) by the country’s privacy regulator for leaking personal, health, financial and other data of its customers. The firm’s online portal used sequential customer numbers and performed no authentication on requests, meaning that you could increment the ID in a URL to access another customer’s quotation. The flaw existed from October 2018 until February 2021, and 650,000 people may have been affected.
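The Trygg-Hansa flaw is a textbook insecure direct object reference. As an added illustration (not the insurer’s code; customer and quote records are constructed), here is the request handler as reported beside a hardened one that authenticates the caller and enforces ownership of the record, returning the same 404 for missing and foreign records so the sequential ID space cannot be walked.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Quotation:
    quote_id: int       # sequential and therefore guessable, as in the reported portal
    customer_id: int
    summary: str


# Constructed sample data: three quotations belonging to two customers.
QUOTATIONS = {
    1001: Quotation(1001, 501, "Home insurance quote"),
    1002: Quotation(1002, 502, "Motor insurance quote"),
    1003: Quotation(1003, 501, "Travel insurance quote"),
}

Response = Tuple[int, Optional[Quotation]]  # (HTTP status, body)


def handle_quote_request_vulnerable(quote_id: int) -> Response:
    """The flaw as reported: no authentication and no ownership check, lookup by ID alone."""
    quote = QUOTATIONS.get(quote_id)
    return (200, quote) if quote is not None else (404, None)


def handle_quote_request(session_customer_id: Optional[int], quote_id: int) -> Response:
    """Hardened handler: authenticate first, then require that the record belongs to the caller."""
    if session_customer_id is None:
        return 401, None                      # no session: refuse before touching any data
    quote = QUOTATIONS.get(quote_id)
    if quote is None or quote.customer_id != session_customer_id:
        # Identical response for "does not exist" and "belongs to someone else", so an
        # incremented ID leaks neither the record nor the fact that it exists.
        return 404, None
    return 200, quote


def list_my_quotes(session_customer_id: Optional[int]) -> List[int]:
    """Scope listing queries by owner so the client never needs to guess IDs at all."""
    if session_customer_id is None:
        return []
    return sorted(q.quote_id for q in QUOTATIONS.values() if q.customer_id == session_customer_id)


if __name__ == "__main__":
    print("vulnerable, no session, foreign quote:", handle_quote_request_vulnerable(1002)[0])
    print("hardened, customer 501, foreign quote: ", handle_quote_request(501, 1002)[0])
    print("hardened, customer 501, own quote:     ", handle_quote_request(501, 1001)[0])
    print("customer 501's quotes:", list_my_quotes(501))
```

Opaque, non-sequential references would make guessing harder still, but they are a second layer: the ownership check is what actually closes the hole, because an authorised user who learns another customer’s reference must still be refused.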
Reuse community Freecycle has announced a data breach, with attackers making off with the user IDs, email addresses and hashed passwords of 7 million users. Cybercriminals advertised the data for sale in May, but the company only became aware on 30th August. The attackers appear to have compromised the password of the charitable organisation’s founder and used that to access member information and forum posts.
The University of Sydney has announced a breach at an undisclosed third-party service provider affecting applications and enrolments of international students.
TissuPath, an Australian pathology clinic, says that ten years’ worth of referral letters containing names, dates of birth, contact and insurance details have been stolen by attackers. “TissuPath’s main database and reporting system that stores patient diagnoses was not compromised,” the company said.
Three models of ASUS Wi-Fi router suffer from a lack of proper input validation that can lead to unauthenticated remote code execution. The vulnerabilities (CVE-2023-39238, …239, …240) all score 9.8/10, and are found in the RT-AX55, RT-AX56U_V2, and RT-AC86U models.
Cisco has acknowledged a ‘zero-day’ vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) solutions that has been used by ‘Akira’ ransomware criminals since March.
iPhone users can be spammed with pop-ups prompting them to connect to nearby Apple devices using the cheap Flipper Zero hacking tool. Apple devices use Bluetooth Low Energy to advertise their capabilities to nearby devices, both for user features like AirDrop and to connect to other devices. The technique spoofs these broadcasts and causes a barrage of annoying pop-ups on the victim’s device.
The Chinese government has banned some employees at central government organisations from using iPhones for work or even bringing them into the office.
Apple has fixed two ‘zero-click’ vulnerabilities, dubbed BLASTPASS, used by NSO Group’s Pegasus spyware. The high-security ‘Lockdown mode’ available to all iPhone users is believed to also prevent the attack chain.
Google Chrome users can opt out of sharing their browsing history with sites to serve ads.
The Information Commissioner’s Office has started a review into fertility tracking apps, amidst research suggesting that advertisers may be using personal data from some apps to profile users and show personalised ads.
Eleven members of the Trickbot cybercrime group are now subject to sanctions from the US and UK governments.
The owner of M-13, a Russian penetration testing firm, Vladislav Klyushin, has been sentenced to nine years for conducting insider trading. Klyushin and two employees broke into companies and stole financial filings before release.
Investments, mergers & acquisitions: API security startup Pynt has raised $6 million seed funding to automate security testing and integrate with existing development tools. ActiveFence has acquired Spectrum Labs to add AI tools that track ‘online toxicity’ to its portfolio of products for trust and safety teams.
- North Korea’s Lazarus group compromised the ‘hot wallets’ of online casino Stake.com and made off with $41 million of Ethereum and Binance Smart Chain cryptocurrency.
- North Korea are also targeting cyber security researchers again.