
Cyber Security Month in Review: September 2022

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data.

He covers:

    • LastPass Breach

    • Uber Breach

    • Microsoft Disabling Basic Authentication in Exchange Online

    • Apple iOS 16

    • Sophos Firewall RCE

Welcome back to another issue of our Cyber Month in Review. Here you will read about some of the most significant vulnerabilities in the last weeks and what you can do to protect your organisation.

LastPass Breach

At the end of August, right after last month’s article, the well-known and widely used password manager ‘LastPass’ suffered a security breach. The breach involved compromising some of LastPass’s source code and technical information, with the attacker holding internal access for four days before being detected and removed. After swiftly triggering a forensic process alongside Mandiant, the investigation has shown no activity beyond this timeframe, with no evidence of any access to customer data or encrypted password vaults either. The investigation also revealed that the attacker gained access to the Development environment using a compromised developer endpoint, achieving persistence once the developer had authenticated using MFA (multi-factor authentication).

What Should I Do?

Despite being a PR nightmare for the password manager, no customer data or password vaults are believed to have been compromised. LastPass has stated that it has implemented enhanced controls and endpoint monitoring to prevent a recurrence, learning from the incident as everyone should.
This raises the question: is LastPass still secure, or should I move elsewhere? The wider debate about password managers is too long to include here. Ultimately, though, they are absolutely worth it and are recommended by countless security professionals, including the UK’s NCSC (National Cyber Security Centre), as long as you use them securely and understand the risks.

Regarding LastPass in particular, Sophos’ Paul Ducklin summed this up nicely by stating:

“Did you ditch Chrome when Google’s recent in-the-wild zero-day exploit was announced? Or Apple products after the latest zero-day double play?”

That is to say that security incidents and breaches are now a horrid part of modern life, and moving from a provider after every incident could soon leave you with no one left! Instead, you should measure the facts and risks yourself and judge whether or not you are happy with the response and mitigations the company has put in place as a result of the incident and whether there are other solutions out there that better suit your ever-evolving needs.

You can read Sophos’ useful Q&A here: LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com).

Uber Breach

With similarities to the LastPass breach above, on September 15, Uber confirmed that they were the victim of an organisation-wide security breach, compromising several internal systems. The attacker is believed to be affiliated with the Lapsus$ hacking group.

The attack itself targeted an Uber EXT contractor, whose Uber password was likely stolen by malware on their personal device and then purchased from the dark web. To bypass the account’s MFA (multi-factor authentication), the attacker used an ‘MFA fatigue’ technique, in which the attacker repeatedly bombards the user with 2FA login requests in the hope that the user eventually gets fed up (or confused) and accepts one. This is what happened in Uber’s case, too, with some added social engineering: the attacker posed as IT support to encourage the contractor to approve the prompt.

Once the attacker had access to the account, they found multiple PowerShell scripts. One in particular contained hardcoded credentials for a domain admin account for Thycotic, Uber’s Privileged Access Management (PAM) solution. From there, the attacker had the elevated permissions required to access several tools, including AWS, G-Suite (which includes the admin dashboard for managing Uber email accounts), Slack, SentinelOne, HackerOne, and more.

What Should I Do?

The attack was certainly a scary one. After all, it’s one thing to have your basic systems breached, but with access to admin systems, security systems, AND access management systems, the attacker essentially got hold of the master key, which makes Uber’s current investigation incredibly difficult. They must sift through all their systems and logs with increased scrutiny to ensure the attacker hasn’t achieved persistence or tampered with the logs themselves. This attack has also taught us some lessons that we should all be aware of:

    1. The basics beat the best of us: This attack was relatively simple in its execution but proves that it only takes one person or account to fall victim for your company to be compromised. Have a look at your training and culture and make sure your people understand the types of attacks that are out there. For example, does YOUR business know what an MFA fatigue attack is and what to look for? It’s also important to clarify that training will only reduce your chances of compromise: human error will never go away, and this type of mistake could happen to anyone. Once you accept this, you can start to create a blame-free culture within your business that encourages people to report mistakes rather than hide or delay them out of fear of embarrassment or punishment.
    2. Multi-factor isn’t foolproof: MFA/2FA is a powerful tool that can stop many compromises that would otherwise occur with basic authentication, but it isn’t an infallible one, as we’ve seen here. You can strengthen your defence against MFA fatigue attacks by:
        • Ensuring strong passwords are used, so an attacker is unlikely to reach the MFA stage in the first place.

        • Reviewing the MFA method in use. Is it a simple push notification, or does it require some user action (such as number matching) that increases the user’s thought and involvement?

        • Ensuring you have other solutions in place to detect and contain these kinds of attacks. Systems like Microsoft 365 can detect multiple or anomalous push notifications and abnormal activity, allowing you to respond quickly and contain any potential breach.
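As an added example (not from the original article and not Uber’s or any vendor’s own tooling), the following Python detector implements the third point above over constructed sign-in log lines in a hypothetical CSV format: it flags an account that receives a burst of unaccepted MFA prompts within a short window and records whether an approval followed the burst, which is the MFA fatigue pattern described in the Uber breach.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log in a hypothetical format:
# timestamp,user,mfa_result,source_ip
SAMPLE_LOG = """\
2022-09-15T01:02:10Z,contractor@example.com,denied,203.0.113.7
2022-09-15T01:02:41Z,contractor@example.com,denied,203.0.113.7
2022-09-15T01:03:05Z,contractor@example.com,timeout,203.0.113.7
2022-09-15T01:03:50Z,contractor@example.com,denied,203.0.113.7
2022-09-15T01:04:20Z,contractor@example.com,denied,203.0.113.7
2022-09-15T01:05:02Z,contractor@example.com,approved,203.0.113.7
2022-09-15T08:15:00Z,alice@example.com,approved,198.51.100.4
2022-09-15T09:30:00Z,alice@example.com,denied,198.51.100.4
"""

def parse_log(text):
    """Parse CSV lines into (timestamp, user, result, source_ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events

def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold unaccepted
    prompts (denied/timeout) inside `window`, noting whether an approval
    followed the burst, i.e. whether the user eventually gave in."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        unaccepted = [e for e in evs if e[2] in ("denied", "timeout")]
        for i, start in enumerate(unaccepted):
            burst = [e for e in unaccepted[i:] if e[0] - start[0] <= window]
            if len(burst) >= threshold:
                last = burst[-1][0]
                approved_after = any(
                    e[2] == "approved" and last < e[0] <= last + window for e in evs)
                alerts.append({"user": user, "prompts": len(burst),
                               "start": start[0], "source_ips": sorted({e[3] for e in burst}),
                               "approved_after": approved_after})
                break  # one alert per user is enough for triage
    return alerts
```

An alert with `approved_after` set is the case to treat as a likely account compromise rather than mere noise, because the burst ended in a successful sign-in.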

For more information on the breach and the impact, please see Uber’s Security Update here: Security update | Uber Newsroom.

Microsoft Disabling Basic Authentication in Exchange Online

Moving away from breaches momentarily, Microsoft notified all customers at the start of this month that it will finally be disabling basic authentication in Exchange Online starting October 1, 2022.

Having initially announced the decision three years ago, Microsoft is now fully increasing the pressure to bring about better security practices and move clients and apps over to Modern Authentication. The switch-off won’t happen all at once. Microsoft intends to select from the remaining tenants at random and disable basic authentication for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell first. These tenants will then be able to re-enable it manually, once per protocol, to fix any issues that occur, until the end of December 2022. As of January 2023, however, basic auth will be permanently disabled for these protocols.

What Should I Do?

Microsoft has already been disabling basic auth for millions of tenants that weren’t using it, so this is the final push to get everyone secure. Check your systems for any remaining clients or apps that still rely on basic auth and devise a migration plan quickly if you find any. By January next year it could be too late!
For more information on this, see Microsoft’s article here: Basic Authentication Deprecation in Exchange Online – September 2022 Update – Microsoft Tech Community

Apple iOS 16

Apple has been busy this month, too, with a security patch for its 8th zero-day vulnerability this year, as well as introducing the new security features in iOS 16. The zero-day could allow maliciously crafted applications to execute arbitrary code with kernel privileges and impacts the following:

    • iPhone 6 and later

    • All iPad Pro models

    • iPad Air 2 and later

    • iPad 5th generation and later

    • iPad mini 4 and later

    • iPod touch (7th generation)

    • Macs running on macOS Big Sur 11.7

    • Macs running on macOS Monterey 12.6

The vulnerability was patched, however, in iOS 15.7, iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7.

Beyond the zero-day, Apple also released iOS 16 in preparation for its newer iPhone 14 series. The update sadly doesn’t support the iPhone 6S, iPhone 7 series, iPod touch, iPad mini 4, or the iPad Air 2, though all newer devices are supported. This newer iOS comes with a new security feature called “Lockdown Mode”, designed to provide more extreme protection for higher-risk individuals whom more sophisticated threats may target. When enabled, the device is much more heavily restricted, reducing the attack surface for things such as spyware and disabling other features that could be used against you.

What Should I Do?

It’s essential to separate these two updates. iOS 15.7 is a security update fixing a high-severity zero-day, which should be applied to all devices in your business and personal life.

iOS 16, however, has only just been released and instead offers a much larger change to how your iOS functions, with new additions and features. For some, it is simpler to jump straight into iOS 16 and get ahead of the curve, whilst others prefer to wait until the update matures slightly to ensure any initial release bugs are ironed out.

You can find more details on iOS 16 to help you make your decision here: iOS 16 – Apple (UK)

Sophos Firewall RCE

Finally, Sophos fixed a critical remote code execution vulnerability in its Firewall product, specifically within the User Portal and Webadmin of Sophos Firewall. The vulnerability was exploited in the wild: Sophos observed it being used to “target a small set of specific organisations, primarily in the South Asia region”.

What Should I Do?

No action is required for customers with the “Allow automatic installation of hotfixes” feature enabled on the affected versions. Otherwise, remediation and versions involved can be found in the advisory here: Resolved RCE in Sophos Firewall (CVE-2022-3236) | Sophos.

Conclusion

Some well-known companies were hit this month, again showing the importance of social engineering awareness and the small techniques attackers use to get significant results. Microsoft’s push to Modern Authentication will likely catch some system admins off-guard, too, so check your systems to ensure that you aren’t one of them! As always, it is essential to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others, such as the other fixes in Microsoft’s Patch Tuesday, Trend Micro’s Apex One exploit warning, Magento’s critical vulnerability, 2K2K’s breach, and Zyxel’s NAS critical RCE, are honourable mentions as examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the major security trends and alerts, which helps protect your business and keeps you cyber aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.

