Cyber Month in Review July 2023

Welcome to this month’s security in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.

Microsoft’s unpatched Zero-Day

Microsoft have had a busy month in July, with an investigation still believed to be ongoing, to find out how a Chinese threat group known as ‘Storm-0558’ managed to steal one of Microsoft’s internal private crypto keys, allowing for malicious access into Microsoft cloud services used by US and western European government agencies.

In addition to this, Microsoft also released their scheduled patch Tuesday revealing 132 flaws in total, including 6 actively exploited zero-days. One of these zero-days, identified as CVE-2023-36884 is a publicly disclosed exploit which allows for remote code execution in specially crafted Office documents. The nature of this vulnerability makes it perfect for phishing attacks, where the attacker can convince the victim to open the file and perform ‘remote code execution in the context of the victim’.

Whilst the zero-day was released on July 11^th, Microsoft are still investigating the issue to determine appropriate action which means businesses are exposed in the meantime, as evidenced by a separate blog post which showed the exploit being used in recent attacks targeting the NATO summit in Lithuania – believed to involve Russian-based threat group “RomCom” (also known as Storm-0978).

What Should I do (At a Glance)

Until Microsoft patches CVE-2023-36884, they have stated that customers who use Defender for Office and/or block all office applications from creating child processes via an attack surface reduction rule are protected from attachments attempting to exploit this vulnerability.

Those that are not protected by the above measures can find additional mitigation options in the Microsoft guide here: CVE-2023-36884 – Security Update Guide – Microsoft – Office and Windows HTML Remote Code Execution Vulnerability.

Further detail on Storm-0558 can be found in Microsoft’s article here: Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

 

JumpCloud Breach

Towards the end of last month, software firm JumpCloud were breached by North Korean state actor ‘Lazarus Group’. JumpCloud’s primary service is a cloud based open directory platform which is used to manage user identity, devices, and access across a network, slightly similar to that of Active Directory.

The attack itself was discovered on the 27^th of June, discovering that a week prior, the attackers had breached their systems through a spear-phish attack which granted unauthorised access to specific Jumpcloud systems. JumpCloud responded to this by rotating credentials, securing their network/perimeter and engaging incident response partner CrowdStrike as well as law enforcement.

It was during this investigation that ‘unusual activity in the commands framework’ was discovered for a small set of customers on July 5^th. From here further action was taken to secure the impacted customers and force a rotation of all admin API keys beginning on July 5^th.

What Should I do (At a Glance)

Analysis of the JumpCloud breach has shown it was an extremely targeted attack on specific customers from a highly advanced threat actor. Attacks like this remind us of the need to have a mind set on “when” and not “if” an incident happens approach. By having plans in place that assume compromise, your business can quicker react to the threat at hand with a more resilient process.

For businesses who use JumpCloud, their most recent statement has declared that “fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organisations”. All impacted customers have been notified directly.

The JumpCloud Security update and detail can be found here: [Security Update] Incident Details – JumpCloud

 

HaveIBeenPwned – The Breachers get breached!

With all this talk of breaches and data being exposed, the hacker’s have now a taste of their own medicine as the well-known hacking forum “BreachForums” was itself, breached in November 2022, with 2023 then progressing with the arrest of the website operator and seizure of the site by law enforcement.

BreachForums was a large hacking site and community allowing for the hosting, advertising, and selling of leaked data stolen from companies and governments worldwide. “The breach exposed 212k records including usernames, IP and email addresses, private messages between site members and passwords stored as argon2 hashes.” The data was provided to HaveIBeenPwned by an actor known as “breached_db_person”, who according to BleepingComputer shared the database to prove its authenticity to potential buyers.

What Should I do (At a Glance)

Given that the database was shared with HaveIBeenPwned for selfish reasons, it is important to remember that it is still being actively sold and leaked by one person at the very least. This adds an element of urgency where individuals AND businesses should utilise HaveIBeenPwned’s free service to check personal emails and/or company domains for potential breach information and compromised credentials – ensuring to take mitigations such as resetting passwords where necessary.

You can access HaveIBeenPwned here for more information: Have I Been Pwned: Check if your email has been compromised in a data breach

Github release passwordless support

Sticking with the Blue team for a bit, Github have also announced that they will be joining the ever-growing support for passwordless account security. This announcement comes 14 months after they had announced MFA enforcement on all users who contribute code on GitHub.com by the end of 2023 back in May 2022.

Passwordless authentication is a method to verify a user’s identity by replacing passwords with either something the user is (Fingerprint, Face ID etc) or something the user has (authenticator app, hardware token etc). With passwords being the cause for over 80% of breaches according to FIDO, it’s easy to see why many organisations (including Microsoft and Apple) are introducing passwordless for a safer and faster way to log-in.

The passwordless method GitHub propose in their announcement is the introduction of passkey authentication – initially released as public beta. The passskeys are associated with individual devices (computer, mobile etc) and will require user verification, essentially acting as MFA in one solution by combining something you are/know (Biometric or PIN) with something you have (the device attached to the passkey).

What Should I do (At a Glance)

Github’s progression into passwordless is a useful reminder for us to review our own password and authentication policies/methods, updating them where necessary. At the very minimum, all systems and users should have MFA enforced to reduce the impact of credential theft and improve overall system resilience against low-complexity attacks – something also championed by Cyber Essentials requirement.

For systems like Github that support passwordless, admins may find that the increased security (especially when paired with MFA) along with the increased useability, makes the method an enticing upgrade which can improve overall security whilst simultaneously making users happy – something fairly rare when it comes to security!

More information on GitHub’s passwordless introduction and instructions for enrolement can be found here: Introducing passwordless authentication on GitHub.com – The GitHub Blog

For more depth, the NCSC’s guidance to zero trust principles can be found here: 5. Authenticate and authorise everywhere – NCSC.GOV.UK.

Sophos impersonation

And finally, Sophos found themselves being impersonated this month by a new ransomware-as-a-service called ‘SophosEncrypt’. Detected by ‘MalwareHunterTeam’, the ransomware was initially thought to be part of a red team exercise by Sophos, however, Sophos X-Ops quickly confirmed that the encryptor was not of their doing and investigated further.

The ransomware – written in rust, seems to do more than simply encrypt the victims’ files, with one tested sample also allowing for keylogging and WMI command functionality too. Like other ransomware, it also excludes select directories to ensure the system can boot enough to allow communication with the victim and also checks the language settings on the system to prevent execution if it’s set to Russian.

The ransom note created from the attack is named “information.hta” and includes the attacker contact details as well as implementing a desktop wallpaper impersonating the ‘Sophos’ brand.

What Should I do (At a Glance)

After analysis, Sophos found a hardcoded IP address associated with cobalt strike command and control and have confirmed that their Sophos Intercept X product “blocks the execution and malicious behaviours of this ransomware” using signatures and blocking access to the associated IP address.

More detail on the ransomware and the signatures involved can be found in Sophos’s detailed article here: Sophos Discovers Ransomware Abusing “Sophos” Name – Sophos News

Conclusion

This month has seen a fair share of zero-days and updates, with Microsoft’s office zero-day proving particularly interesting. However, Github’s progression into passwordless and HaveIBeenPwned’s access to the BreachForum’s database provide some wins on the blue team side too.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others such as Ivanti’s endpoint manager zero-day,MikroTik’s super admin elevation flaw, Sonicwall’s GMS firewall flaw, and Zimbra’s XSS zero-day are examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyberaware! If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.