Welcome to Cyber Security Today. It’s Friday, July 21st, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of New Brunswick’s Beauceron Security will be here to discuss some of the headlines. But first a review of headlines from the past seven days:
Microsoft admitted that what it believes was a China-based threat actor was able to forge an authentication key to sign into the enterprise email accounts of 25 unnamed organizations. David will weigh in on the implications of this security lapse. We’ll also look at the security of Docker images developers are uploading to Docker Hub, whether Google is going the right way in cutting internet access to some employees to lower the odds they’ll be hacked, and it wouldn’t be a show without talking about ransomware.
Elsewhere, new critical vulnerabilities have been spotted in the baseboard management controller (BMC) software made by American Megatrends that comes with many servers. Researchers at Eclypsium say these holes are on top of ones they discovered earlier this year. Why is this worrisome? Because threat actors stole the AMI source code elsewhere and may have discovered these vulnerabilities as well. IT admins should be on the lookout for security updates from their server manufacturers.
Cosmetics manufacturer Estee Lauder has admitted suffering a cyber attack. This comes after the AlphV ransomware group and the Clop gang say they hit the company. Estee Lauder acknowledges some data has been copied.
Ransomware attacks continue to hit record levels. According to the NCC Group there was a 221 per cent increase in publicly reported incidents in June compared to the same month a year ago.
One group that’s been more active recently is called Mallox, TargetCompany or Fargo by some researchers. Whatever the name this gang specializes in exploiting unsecured Microsoft SQL servers, especially those with poor passwords. Palo Alto Networks just released a background report on this gang.
(The following transcript is the first of four news items we discussed. To hear the full conversation play the podcast.)
Howard: News item one: Microsoft victimized by an authentication key forgery. Last week Microsoft admitted that what it believes was a China-based threat actor was able to get hold of an Azure AD authentication key after getting a consumer signing key. Then the hacker forged a key to sign into the enterprise email accounts of 25 unnamed organizations, including some governments. Microsoft is still investigating how the attacker got hold of the authentication key. Microsoft admits a validation error in its code allowed this attack to succeed.
What did you think when you read Microsoft’s explanation of this attack?
David Shipley: I’ll start with the good, the bad, and the ugly. the good is I appreciated the depth and transparency and relative speed from incident discovery to the level of detail Microsoft has provided. On the bad, I cringed. Because this is the security nightmare case that everyone worried about cloud security has raised from Time Immemorial — that the cloud is just somebody else’s computer and it’s only as secure as how secure they’re doing it. And it is disappointing to see that become real. The loss of a private signing key is huge. And I think the ugly is this: Is it really [only] 25 folks that got hit? And are we really looking at the fact that a Chinese-related crew had the potential Charlie and the Chocolate Factory Golden Key into enterprise Microsoft 365 environments? And the only reason this may not have been worse is they focused on their top 25 wish list? This is bad.
Howard: Explain what a [digital] authentication key is for those who don’t know.
David: A key is part of the concept of digital authentication. It’s the ability to securely attest that something can be trusted, whether it’s a digital certificate saying [in effect], ‘This is actually a secure encrypted connection between ITWorldCanada and you, or Amazon and you, or your banking website and you. There are two parts to this authentication system for using this public key or PKI model. There’s a private key that’s used in combination to sign a [digital] certificate and generate a unique authenticated public key. And the only way you can create that public key is using the private key in the appropriate context. But if you get your private key stolen, then other people can forge these certificates. It’s like the old joke about McLovin’s Hawaii driver’s license: You get a chance for your fake ID to actually be a real ID. In this case, I would have thought that Microsoft’s enterprise environment would have had an entirely different private key than the consumer environment. It’s just a good security control. I would have thought that their enterprise environment would want to protect that private key like Colonel Sanders protects the herbs and spices of the KFC recipe. This is the holy grail. And I would have thought that this kind of Golden Key ability to walk into these organizations would have been near impossible. What Microsoft has said is they had a validation error. And what I’m hoping in this case is that the enterprise version of their cloud software reused a lot of code from [consumer] Outlook.com or the authentication system wasn’t updated to reject the consumer key and only accept a dedicated enterprise key. Either way, this whole thing is a nightmare because what it sounds like is the attacker got a valid Microsoft online consumer account and [somehow] got a consumer authentication key. And then they were able to fabricate a forged enterprise key, which you would think should be impossible
… I think we really, really need to know how that private key got swiped. If it was leaked by a system, that’s bad. If it was stolen and leaked by a malicious insider, that’s bad. Frankly, any way you shake it, how they got it is bad. But to restore trust, we need to know how it happened so we can better judge how lessons learned have actually been applied.
Howard: We don’t know how long it took the attacker to do this, but if it wasn’t hard, it certainly would seem this is a very serious lapse in security.
David: This is super bad. And I think it’s interesting that the incident timeline goes back to May and it’s discovered in June. So how long have they [the attackers] had that key? And how much [data] did they get? That’s the other question. We probably won’t get the answer out of the 25 organizations were hit, but how bad was this? Will we ever really know?
Howard: Last Friday, Microsoft gave a detailed explanation about what happened. This Monday, a number of security experts called on Microsoft to give its business and government cloud customers expanded log information about access to their IT environments so that IT departments can better spot suspicious activity like this. And on Wednesday, Microsoft did that. They claimed that this had been in the works for some time, but very shortly, IT departments are going to get better logging information for their environments. Was that a coincidence that this was announced this week?
David: I know the White House has been pushing really, really hard on cloud providers and others fighting this notion that security is a premium feature. That’s like saying making sure that your car has airbags is a premium feature. No, that should just be expected. And it’s going to put Microsoft in a really interesting place given how much money they now make from selling security products to secure Office cloud and Azure cloud products. This could get really interesting, nipping a growing profit center for Microsoft in the bud. And while I like the idea of providing logs, it is not a panacea because remember, it’s after the fact. A log’s going to tell you the horse ran out of the barn. And depending on how fast the system is hitting a SIEM (security information and event management system), whether you have a SOC that’s going to generate an alert off of that logging information, how fast a SOC operator might actually look at that alert, that takes a lot of time.
The other thing that’s really interesting is while I like the idea of providing logs, I don’t believe for a second that this is going to be at no cost. There’s not going to be a separate premium tier add-on feature you buy, but it is going to cost Microsoft money to collect the data and make it available. And while you might not pay a separate fee, it’s going get calculated into future price increases [of Microsoft cloud services]. And we already know that prices in Canada are going up almost in the order of six per cent by this fall.