
Cyber Security Month in Review: September 2023

UK Electoral Commission Data Breach, WinRAR Zero-day Exploit, Android Fixes 32 Vulnerabilities Including a Zero-day, Apple’s BLASTPASS Zero-Click Exploit, Microsoft’s Improvements & Investigation.

Advice on How to Stay Cyber Secure

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

  • UK Electoral Commission Data Breach
  • WinRAR Zero-day Exploit
  • Android Fixes 32 Vulnerabilities, Including a Zero-Day
  • Apple’s BLASTPASS Zero-Click Exploit
  • Microsoft’s Improvements & Investigation

Welcome back to this month’s security in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can be overwhelming and difficult to keep track of. Because last month’s review was missed, this slightly extended article merges August and September into one piece, covering the most prominent stories from both so that together we can stay cyber secure.

UK Electoral Commission Data Breach

On the 8th of August, the Electoral Commission issued a statement admitting to a severe data breach that exposed eight years’ worth of personally identifiable information. The registers breached at the time of the attack included the following:

· Names and addresses of anyone registered to vote in the UK between 2014 and 2022.
· Names and addresses of anyone who was registered in Northern Ireland in 2018.
· Names of anyone who was registered as an overseas voter between 2014 and 2022.

The attack, involving 40 million voters, was detected in October 2022; unknown threat actors had first breached the Commission’s systems in August 2021. During the attack, the threat actors could control systems, obtain copies of the electoral registers, and access the Commission’s servers, including the mail server, which allowed for the further compromise of any internal and external communications with the agency.

The Commission has said that the highly sophisticated attack had no impact on the security or process of UK elections. Still, an attack on a country’s democratic process is nonetheless a cause for concern, and the 10-month gap between the report to the ICO and public disclosure suggests that remediation and mitigation were a complex process.

What Should I do (At a Glance)

The following information was affected by the incident:

  • Personal data contained in the email system of the Commission:
      • Name, first name and surname.
      • Email addresses (personal and business).
      • Home address if included in a webform or email.
      • Contact telephone number (personal and business).
      • Content of the webform and email that may contain personal data.
      • Any personal images sent to the Commission.
  • Personal data contained in Electoral Register entries:
      • Name, first name and surname.
      • Home address in register entries.
      • Date on which a person achieves voting age that year.

However, the following Electoral Register data in particular was not affected:

  • Anonymous registrations
  • Address of overseas electors registered outside of the UK.

There is currently no indication that the breached information has been published online, nor is the data enough on its own for someone to impersonate a user. That being said, there is still the possibility that some of the information will become public, and the following steps will help you understand how you may be affected:

1. If you have not opted out of the open electoral register, the information held will have already been publicly accessible via websites like 192.com.

2. To check if your email address has been compromised, you can search https://haveibeenpwned.com to see if your email address has been released through reported data breaches.

3. You should check whether you have sent any communications to the commission between 2014 and 2022. If you have, it’s essential to understand what you’ve sent. If financial data is involved, there are free online credit check tools by reputable companies like Experian, which include online identity theft protection and monitoring.

The Electoral Commission’s statement can be found here: Public notification of cyber-attack on Electoral Commission systems | Electoral Commission

The official FAQ regarding the incident can be found here if you have more queries: Information about the cyber-attack


WinRAR Zero-day Exploit

The popular file compression and archiving tool WinRAR patched a zero-day vulnerability at the start of August, after it had been under active exploitation since April this year. Identified as CVE-2023-38831, the vulnerability allows a threat actor to craft a malicious .rar or .zip archive that displays seemingly benign files such as jpg images, txt files, or any other file format. However, on opening one of the files within the archive, a script is quietly launched to install malware on the user’s device whilst simultaneously loading a decoy document to maintain the ruse.

The vulnerability is triggered by the attacker modifying the zip file structure, which causes WinRAR’s ShellExecute call to receive an incorrect parameter when opening the decoy file.

What Should I do (At a Glance)

WinRAR addressed the issue on the 2nd of August with version 6.23, which further fixed an additional vulnerability (CVE-2023-40477). Users should check their system for WinRAR instances and update to the latest patch as soon as possible. You can find the patch here: WinRAR News: WinRAR 6.23 final released (win-rar.com)


Android Fixes 32 Vulnerabilities, Including A Zero-Day

September has also seen the release of Android’s latest security update, fixing 33 vulnerabilities affecting Android 11, 12, and 13, including a zero-day which is believed to be under “limited, targeted exploitation”.

The update includes fixes for three critical remote code execution flaws and one critical Qualcomm vulnerability; the rest are rated ‘high’. The zero-day, identified as CVE-2023-35674, allows local privilege escalation with no additional execution privileges or user interaction needed for exploitation.

What Should I do (At a Glance)

The Android patch has come out in two sets:

– 2023-09-01: This contains the essential security updates for framework and system vulnerabilities.
– 2023-09-05: This encompasses all the security fixes from the above update while also including patches for third-party closed-source and kernel components that may not be relevant to all Android devices.

Not all manufacturers ship the above immediately, so you may notice a delay before your device offers one of these updates. However, once available, you should ensure your device reports one of the security patch levels below (shown in the format the device’s build properties use):

  • [ro.build.version.security_patch]:[2023-09-01]
  • [ro.build.version.security_patch]:[2023-09-05]

More information on the patch can be found on the Android Security Bulletin here: Android Security Bulletin—September 2023 | Android Open Source Project


Apple’s BLASTPASS Zero-Click Exploit

At the start of the month, Citizen Lab discovered an actively exploited vulnerability on the device of “an individual employed by a Washington DC-based civil society organization”. The exploit chain in question has been dubbed ‘BLASTPASS’ and is capable of compromising iPhones with no user interaction required.

The exploit chain manages this by utilizing vulnerabilities CVE-2023-31064 and CVE-2023-41061 to send a specially crafted malicious image in iMessage via PassKit attachments. Once the iMessage/attachment has been received and processed by the device (again, no interaction needed), the NSO Group’s Pegasus spyware is installed.

What Should I do (At a Glance)

Vulnerabilities that require no user interaction are always a particular worry in security, as the likelihood of detection is slimmer: users are unlikely ever to notice the issue themselves. Apple initially released updates for iOS 16 and macOS Ventura, then released backported updates for iOS 15 and macOS Big Sur/Monterey 5 days later. All admins and users are urged to ensure their devices are at or above the minimum versions below to secure against the threat:

  • iOS 15.7.9
  • iOS 16.6.1
  • macOS Ventura 13.5.2
  • macOS Big Sur 11.7.10
  • macOS Monterey 12.6.9
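The two patch-level checks above (the Android security patch level and Apple’s per-branch minimum versions) as one added example; this is not code from the original article. It assumes Android devices are queried with `adb shell getprop`, and it treats any iOS/macOS branch not named in the article as unverified rather than guessing:

```python
from datetime import date

# Minimum levels quoted in the article. Android's bulletin is expressed as a
# patch-level date; Apple's fixes are per release branch, so iOS 16.0 is newer
# than iOS 15.7.9 yet still unpatched. A single "newer than X" test is wrong.
ANDROID_MIN_PATCH = date(2023, 9, 1)   # 2023-09-01 and 2023-09-05 both satisfy this
APPLE_MIN_VERSIONS = {
    ("ios", 15): (15, 7, 9),
    ("ios", 16): (16, 6, 1),
    ("macos", 11): (11, 7, 10),   # Big Sur
    ("macos", 12): (12, 6, 9),    # Monterey
    ("macos", 13): (13, 5, 2),    # Ventura
}

def parse_getprop(output: str) -> dict:
    """Parse `adb shell getprop` style lines of the form [key]: [value]."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and "]: [" in line:
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props

def android_compliant(getprop_output: str) -> bool:
    """True if the reported security patch level meets the September bulletin."""
    patch = parse_getprop(getprop_output).get("ro.build.version.security_patch")
    if not patch:
        return False               # property missing: unknown, so not compliant
    return date.fromisoformat(patch) >= ANDROID_MIN_PATCH

def apple_compliant(platform: str, version: str) -> bool:
    """True if an iOS/macOS version is at or above the minimum for its own branch."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))            # "16.6" -> (16, 6, 0)
    minimum = APPLE_MIN_VERSIONS.get((platform.lower(), parts[0]))
    if minimum is None:
        return False               # assumption: branches not listed are treated as unverified
    return parts >= minimum

# Constructed sample getprop output (not taken from a real device).
SAMPLE_GETPROP_OK = "[ro.build.version.release]: [13]\n[ro.build.version.security_patch]: [2023-09-05]\n"
SAMPLE_GETPROP_OLD = "[ro.build.version.release]: [12]\n[ro.build.version.security_patch]: [2023-08-05]\n"
```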

Citizen Lab’s notice can be found here for more information: BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild – The Citizen Lab


Microsoft’s Improvements & Investigation

Microsoft has been busy recently too, with various improvements put in place to further strengthen the security of its services, as well as the results of its Storm-0558 investigation.

Blocking third-party printer drivers

Microsoft has moved to block third-party printer drivers in Windows Update over the next four years. The decision has been made to simplify the installation process for printers and, more importantly, to reduce the security and compatibility issues that third-party drivers have proven to cause over the years. In practice, this means Microsoft will no longer service what it calls “legacy v3” and “legacy v4” printer drivers for Windows.

Microsoft has stated, “With the release of Windows 10 21H2, Windows offers inbox support for Mopria-compliant printer devices over network and USB interfaces via the Microsoft IPP Class Driver”. Mopria will, therefore, remove the need for print device manufacturers to provide/support their own installers and drivers, making for a more uniform and secure framework.

At the time of this article, the timeline currently stands as follows:

– 2025: Microsoft will no longer allow new drivers to be published to Windows Update, though existing printer drivers on Windows Update can still be updated.
– 2026: When installing a new printer, Windows will modify its driver ranking order to prefer the Windows IPP inbox class driver.
– 2027: With the exception of security-related fixes, third-party printer driver updates will no longer be allowed. Existing third-party printer drivers can still be installed from Windows Update, or users can install printer drivers using an installation package provided by the print device manufacturer.

Enabling Exchange Extended Protection by default by the end of autumn

Microsoft has also announced that Windows Extended Protection will be enabled by default moving forward on servers running Exchange Server 2019 after installing the 2023 H2 Cumulative Update (CU14).

Extended Protection is a Windows feature which protects servers from man-in-the-middle (MiTM) attacks and was first introduced for Exchange in the August 2022 security update. Since then, it has been improved and established enough to become a security default.

It’s important to note that this setting is only a default and is not enforced, which means admins can still opt out, or opt in later, by using the command-line setup. It is also important to note that “if you have any Exchange servers older than the August 2022 SU, you will break server-to-server communication with servers that have EP enabled”.

Microsoft recommends the following actions depending on your current circumstances:

· Aug 2022 SU or later and EP enabled: Install CU14 (no special steps needed).
· Aug 2022 SU or later, but EP not yet enabled: Install CU14 with the default of ‘Enable EP’ left on.
· Exchange Server version earlier than the Aug 2022 SU: Microsoft quotes: “We send you thoughts and prayers, and very strong but gentle guidance to update your servers to the latest SU immediately.”

Adding HSTS support to Exchange Server 2016 and 2019

As if the previous two weren’t enough, Microsoft has also announced that Exchange Server 2016 and 2019 will now support HTTP Strict Transport Security, also known as HSTS.

HSTS is a widely supported standard by which a website (such as OWA or ECP on Exchange Server) instructs browsers to connect to it only via HTTPS. Doing so helps protect against man-in-the-middle attacks, such as protocol downgrade attacks and cookie hijacking, while ensuring users can’t click through untrusted or invalid certificate warnings.

Microsoft further explains that HSTS “doesn’t just add protection against common attack scenarios, it also helps remove the need for the common (and now insecure) practice of redirecting users from an HTTP URL to an HTTPS URL”.

Admins looking to configure this new security feature should follow the documentation linked below carefully, as “some of the settings that are provided by the default IIS HSTS implementation (for example, HTTP to HTTPS redirect) must be configured in a different way as they could otherwise break connectivity to Exchange Server”.
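An added example, not part of the original article or of Microsoft’s guidance, showing how to evaluate the Strict-Transport-Security header a server such as OWA returns. It assumes the response headers have already been captured into a dictionary and applies the RFC 6797 rules: `max-age` is mandatory, quoted values are allowed, and the header is ignored when received over plain HTTP:

```python
def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives.
    RFC 6797: directives are ';'-separated, names are case-insensitive,
    and max-age is mandatory (quoted values are permitted)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def evaluate_hsts(scheme: str, headers: dict, min_max_age: int = 31536000) -> list:
    """Return findings for one response; an empty list means the policy is sound.
    scheme: "http" or "https" of the request that produced these headers.
    headers: response header name -> value (name lookup is case-insensitive)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme.lower() != "https":
        # Browsers ignore HSTS on a non-TLS response, so setting it there is useless.
        return (["HSTS header sent over plain HTTP is ignored by browsers; set it on HTTPS"]
                if value is not None else [])
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(value)
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not numeric: browsers discard the whole header")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 removes any cached policy instead of setting one")
    elif int(d["max-age"]) < min_max_age:
        findings.append(f"max-age {d['max-age']}s is below the {min_max_age}s recommended minimum")
    # includeSubDomains/preload are deliberately not enforced here: whether they are
    # appropriate for an Exchange namespace is a deployment decision, not a defect.
    return findings

# Constructed sample responses (not captured from a real Exchange server).
GOOD = ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
WEAK = ("https", {"strict-transport-security": "max-age=300"})
WRONG_SCHEME = ("http", {"Strict-Transport-Security": "max-age=31536000"})
```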

Microsoft concludes July’s Storm-0558 investigation

Finally, Microsoft released the results of its “comprehensive technical investigation” into the Storm-0558 key acquisition this month, as initially mentioned in our July security article. Microsoft stated that the MSA key was leaked via a crash dump produced when a signing system crashed in April of 2021.

Following the signing crash, a snapshot of the crashed process (a “crash dump”) was taken. Such a dump should ordinarily have sensitive information, including the signing key, redacted. However, in this instance a race condition allowed the signing key to remain in the dump, and this went undetected by Microsoft’s systems. The crash dump was then sent from Microsoft’s isolated production environment to the standard corporate/debugging environment.

Since the crash dump was now in the corporate environment (which allows email access and so on), the Storm-0558 actor could reach it through a compromised Microsoft engineer’s account and obtain the key that should never have been in the dump.

Microsoft has stated that, because of its log retention limits, it can only describe this as the most probable mechanism, but it has put future mitigations in place relating to MSA key management to prevent a recurrence.
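An added example, not part of Microsoft’s investigation or tooling, of the kind of independent check a defender would want at the boundary the article describes: a second scan of a crash dump for key material before it is allowed to leave the isolated environment, so that a failure of the primary redaction (as in the race condition above) is caught rather than trusted. It assumes the key appears in a text form (PEM or a JSON Web Key); a proprietary binary key format would need its own detector:

```python
import re

# Heuristics for private key material in text form. A signing key held in a
# proprietary or binary-only format would need a different detector; this is an
# assumption of the example, not a description of the MSA key's actual format.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    rb".*?-----END (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----",
    re.DOTALL)
# Private exponent "d" inside a JSON Web Key (public JWKs never carry it).
JWK_PRIVATE_EXPONENT = re.compile(rb'"d"\s*:\s*"[A-Za-z0-9_-]{43,}"')

def scan_dump(data: bytes) -> list:
    """Return (kind, offset, length) for every suspected private key in a dump."""
    hits = [("pem", m.start(), m.end() - m.start())
            for m in PEM_PRIVATE_KEY.finditer(data)]
    hits += [("jwk", m.start(), m.end() - m.start())
             for m in JWK_PRIVATE_EXPONENT.finditer(data)]
    return sorted(hits, key=lambda h: h[1])

def redact_dump(data: bytes) -> bytes:
    """Overwrite each hit in place with a same-length marker so that other
    offsets in the dump stay valid for the engineers who will debug it."""
    out = bytearray(data)
    for _, offset, length in scan_dump(data):
        marker = b"<REDACTED>"
        out[offset:offset + length] = (marker * (length // len(marker) + 1))[:length]
    return bytes(out)

def release_allowed(data: bytes) -> bool:
    """Egress gate: the dump may leave the isolated environment only if clean."""
    return scan_dump(data) == []

# Constructed sample "memory" with a fake PEM block embedded (not real key material).
SAMPLE_DUMP = (b"\x00\x01heap garbage\x7f"
               b"-----BEGIN RSA PRIVATE KEY-----\nMIIEfakeKeyBytes\n-----END RSA PRIVATE KEY-----\n"
               b"more garbage")
```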

What Should I do (At a Glance)

3rd party printer driver notice here: End of servicing plan for third-party printer drivers on Windows – Windows drivers | Microsoft Learn

Exchange Extended Protection notice here: Coming Soon: Enabling Extended Protection on Exchange Server by Default – Microsoft Community Hub

HSTS Support notice here: Announcing support for HSTS on Exchange Server 2016 and 2019 – Microsoft Community Hub

HSTS configuration guidance can be followed here: Configure HTTP Strict Transport Security (HSTS) in Exchange Server | Microsoft Learn

Microsoft’s Storm-0558 investigation results can be read further here: Results of Major Technical Investigations for Storm-0558 Key Acquisition


Conclusion

This article has covered many topics this month, with the UK electoral breach causing a serious scare and prompting calls for improvement. Apple’s BLASTPASS exploit is causing concern among the many people who use iPhones. It hasn’t just been Apple affected, either: Android’s 32-vulnerability fix and Microsoft’s Patch Tuesday and improvements show that security and patching are essential regardless of your OS preference.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others, such as Google Chrome’s active exploit fix, Apache’s RocketMQ bug, Adobe’s Acrobat and Reader exploit in the wild, Atlas VPN’s zero-day, and Notepad++’s four-vulnerability fix, are just some examples of other updates you should be aware of and research.

If you have been caught off guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you stay up to date in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts that help protect your business and keep you cyber aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.
