Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday April 5th, 2024. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler, head of Cyology Labs will be here to discuss some of the headlines from the past seven days.
They include a highly critical report on Microsoft from the U.S. Cyber Safety Review Board, a case study of a ransomware attack and the narrow escape the Linux community faced after a researcher discovered a plot to infect a critical open-source library.
Also in the news this week, five Canadian hospitals with a common IT provider that were hit by a ransomware attack last October revealed how many people were victims: over 320,000. They will be getting notices next week.
City of Hope, a cancer treatment and research institution with facilities in California, Arizona, Illinois and Florida, notified over 827,000 people that data it holds on them was stolen. The incident was discovered in October. Data copied included names, contact information, dates of birth, Social Security numbers, drivers’ licence numbers, medical records and financial details.
American mortgage lender On Q Financial, which has branches across the country, notified over 211,000 people of a data theft. A hacker was able to exploit a vulnerability in the company’s use of ConnectWise’s ScreenConnect remote access software. Word of the vulnerability spread in February. However, On Q says its system was exploited almost 12 months ago, long before warnings were issued. Data stolen includes names and Social Security numbers.
A threat actor calling itself IntelBroker claims to have stolen classified files from a U.S. government contractor belonging to the Five Eyes intelligence co-operative. That group includes the U.S., Canada, the U.K., Australia and New Zealand. The Bleeping Computer news site says the U.S. State Department is investigating.
A threat actor that researchers at Trend Micro call Earth Freybug has created a new piece of malware to hide its activity. The researchers have given it the name Unapimon. It uses defensive evasion techniques like hijacking dynamic link libraries and unhooking APIs so Windows security tools can’t see the other nasty things the threat actor is doing on a compromised system.
Progress Software released patches for its Flowmon network monitoring platform to fix a critical vulnerability. An unauthenticated remote attacker could use the hole to access Flowmon’s web interface.
Finally, Google released patches for 28 Android vulnerabilities in its April security fixes. It also warned that two of them may be under limited, targeted exploitation. As usual, the patches get installed automatically on Pixel smartphones. Distribution to phones from other manufacturers depends on the company and your wireless carrier.
(The following edited transcript is the first part of the discussion. To hear the full conversation play the podcast)
Howard: The Cyber Safety Review Board released its report into last year’s compromise of Microsoft Exchange Online email accounts — including those of senior American officials. The threat actor was a China-based group that researchers call Storm-0558. The review board is an arm of the U.S. Cybersecurity and Infrastructure Security Agency, but that didn’t stop it from taking Microsoft to the woodshed. The hack “was preventable and should never have occurred,” the report says. It calls Microsoft’s security culture “inadequate and requires an overhaul.” And it complained Microsoft hasn’t been up front with the public that it still doesn’t know how or when the hacking group obtained a signing key that allowed this attack to happen. Terry, this report really whacks Microsoft.
Terry Cutler: I love that comment, “Taking them out to the woodshed.” It [the report] actually answers questions for us, because we’re always wondering why whenever we do Office 365 penetration tests there’s so much read. It’s as if Microsoft turns off security by default and you have to re-enable everything. Whenever we do penetration tests we always come across user accounts that don’t have multifactor authentication turned on, password policy is not set, is it vulnerable to email spoofing, is it capable of receiving malicious attachments in their emails, or are there vulnerable plugins? We find all these things wrong in the system which should have been on and secured by default.
Howard: This report doesn’t just focus on Microsoft. It includes security recommendations for all cloud application providers. We’ll get to that shortly. But first here’s the background of this incident: In May and June of last year the threat actor called by researchers Storm-0558 compromised the Exchange Online mailboxes of 22 organizations and 500 people around the world. These included the email accounts of U.S. Commerce Secretary Gina Raimondo, the U.S. Ambassador to China, a member of U.S. Congress and the email accounts of several members of Britain’s National Cyber Security Centre. The attacker had access to some of these cloud-based mailboxes for at least six weeks. It downloaded approximately 60,000 emails from the U.S. State Department alone.
How did this happen? The attacker had somehow got hold of a digital signing key that Microsoft had created in 2016 and used it to create valid authentication tokens. For those who don’t know, signing keys are used for secure authentication. Combined with another flaw in Microsoft’s authentication system the attacker had access to almost any exchange online account in the world.
Problem number 1, the stolen Microsoft Services Account key should have been able to only sign tokens for the consumer version and not the enterprise version of Outlook Web Access. The second problem was the key was issued in 2016 and was supposed to be retired in 2021 so shouldn’t have been able to sign new tokens at all. To this day no one knows how this gang got that key. Terry what did you think when you read this narrative?
Terry: It obviously highlights the fundamental issue in the lifecycle management for cryptography keys and the fact that this key, which was only supposed to be used for the consumer version [of Outlook Online], was able to work on the enterprise level. That’s a big problem. The incident also shines a light on a bigger problem around cloud security and the trust we have with them [cloud application providers]. People are always saying, ‘We’re going to move our system to the cloud,’ which is just somebody else’s hard drives. Now you’re outsourcing that cybersecurity burden to somebody else. This report shines a light on other cloud providers to reassess their cybersecurity practices. Are they practicing great identity and access management? Are they protecting their cryptographic keys and other sensitive assets?
It also highlights the fact that Microsoft needs to be more transparent [with customers about cyber incidents]. At one point there was a delay in Microsoft not knowing how the attackers got in. That caused a delay in disclosing [this attack] to the customers. So you need to work on prompt and transparent communication going forward.
Howard: The reason why the stolen digital key worked on enterprises as well as the consumer version of Outlook Web Access was an unknown vulnerability in the token validation system. The report says that responding to customer requests Microsoft had created a common endpoint service that listed active signing keys for both the consumer and the enterprise identity systems. But Microsoft didn’t adequately update its software development kits to differentiate between consumer and enterprise signing keys. The report says this was an unknown flaw. Does that let Microsoft off the hook?
Terry: Absolutely not. It might explain how the breach occurred but also highlights significant gaps in Microsoft security practices, particularly in the area of testing, validation and oversight for the changes in critical systems. In cyber security the goal is [to follow] the principle of least privilege. These are fundamental principles. So by creating a system where the key intended for consumers could also be used in enterprise settings misses something. The oversight was not updating their SDKs.
Howard: Microsoft suspects that this attack succeeded because the gang compromised the login account of an employee who worked for a company that Microsoft bought in 2020. The gang’s access continued after the acquisition. The report says the fact that Microsoft didn’t detect this shows a weakness in its merger and acquisitions cyber security assessment practice — that is, when you’re buying a company you have to thoroughly go through it and make sure that its systems not only are cyber safe but that its employees haven’t been compromised, so when you bring them into your company you’re not exposed. This thing is a lesson for all companies.
Terry: We see this quite often. We experienced this around 2021 when one of our clients was acquiring another company. As soon as they connected the [new company’s] network there were tons of flags going off, endpoint detection with malware … So you need to really make sure that the environment is clean before you bring them [new employees in an acquisition] into your network. You want to do pre-acquisition due diligence. Make sure their cyber security assessments align with your best practices. Make sure the environment is clean from malware, any beacons and things like that. Do a penetration test on them. Plug up the network sensors to see if there are any beacons going out, if there’s any large amounts of data leaving the network. Do you have a proper incident response plan built around the new company as part of your existing plan …
Howard: Among the recommendations the review board makes is that Microsoft should consider lowering its priority on adding new cloud product features until substantial security improvements across the company have been made. Is that a good idea?
Terry: …The goal now is to build trust … You would think Microsoft would have all the security in place, but because they can’t secure it properly that could be an escape for other cloud vendors to say, ‘If Microsoft can’t do it we can’t do it either…’
Howard: The review board also made a number of recommendations that any cloud application provider should follow. Among them: Cloud service providers should have modern controls around a rigorous threat model, automated digital key rotation should be a rule, adoption of a minimum standard for default audit logging to help detection, they should follow digital identity standards and they should be more transparent around incidents and notifying victims. The review board also recommends the U.S. should create a process to do special reviews of authorized government cloud providers following high impact situations. Are these recommendations tough enough?
Terry: It’s definitely a great step in the right direction. I think the problem we’re going to see is do we have enough knowledgeable [cybersecurity] staff to help implement all these solutions that we want? Is it going to be affordable? Because you know if it’s extremely expensive that cost has to be sent back to the customers. What we’re seeing now is that a lot of customers don’t want to spend all the time, money and resources to deal with cybersecurity. So they’re going to outsource this piece — but the cloud providers better have a good solution in place that can really detect threats.
Howard: Before this episode was recorded I asked for comment from the Cloud Security Alliance, which is an industry group that includes Microsoft, which recommends best security practices to cloud providers. Kurt Seifried, the group’s chief innovation officer, said that there’s no excuse for Microsoft to have used servers without hardware security modules to protect this particular signing key. It uses hardware security modules to protect other keys, he noted. He also added that last November Microsoft announced that under its Secure Future Initiative it’s moving management of identity signing keys to an integrated Azure infrastructure that has hardware security modules.
I also asked Microsoft for comment on the review board report. A spokesperson said “Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, Microsoft has mobilized its engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries.” Microsoft will also review the final report for additional recommendations.
I think this is a report that everyone who works in IT or is studying for a career in IT should read.
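The two failures Howard describes in the discussion above (a consumer-scoped signing key being accepted for enterprise tokens, and a key past its retirement date still being able to sign) come down to what a token validator checks beyond the signature. The following is an added illustration, written for this page and not code from the podcast, the review board or Microsoft. It uses a deliberately simplified HMAC-signed token format and a constructed key registry (key names, secrets and dates are made up) to show a validator that trusts any listed key next to one that also pins key scope to the token's audience and refuses retired keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registry, modelled loosely on the narrative in the interview:
# one key scoped to the consumer identity system, issued in 2016 and meant to be
# retired in 2021, plus a current enterprise key. All values are made up.
KEY_REGISTRY = {
    "consumer-2016": {
        "secret": b"constructed-consumer-secret",
        "scope": "consumer",
        "not_after": 1609459200,   # 2021-01-01T00:00:00Z, assumed retirement date
    },
    "enterprise-2023": {
        "secret": b"constructed-enterprise-secret",
        "scope": "enterprise",
        "not_after": 1924992000,   # 2031-01-01T00:00:00Z, assumed
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a simplified header.payload.signature token with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _parse(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(head_b64))
    claims = json.loads(_unb64(body_b64))
    return header, claims, f"{head_b64}.{body_b64}", _unb64(sig_b64)


def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_flawed(token: str) -> bool:
    """Trusts any key published at a merged consumer+enterprise key endpoint.
    Only the signature is checked: not the key's scope, not its retirement."""
    header, _claims, signing_input, sig = _parse(token)
    key = KEY_REGISTRY.get(header.get("kid"))
    return key is not None and _signature_ok(key, signing_input, sig)


def validate_hardened(token: str, now: int) -> bool:
    """Pins the key to the identity system named in the token's audience,
    refuses keys past their retirement date, and checks token expiry."""
    header, claims, signing_input, sig = _parse(token)
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        return False
    if key["scope"] != claims.get("aud"):   # consumer key must not sign enterprise tokens
        return False
    if now >= key["not_after"]:             # a retired key must not sign anything
        return False
    if claims.get("exp", 0) <= now:         # the token itself must still be valid
        return False
    return _signature_ok(key, signing_input, sig)


def demo() -> dict:
    """Forge an enterprise token with the retired consumer key and compare outcomes."""
    now = 1712275200  # 2024-04-05T00:00:00Z, the episode's week (assumed clock)
    forged = sign_token("consumer-2016", {"sub": "official@example.gov", "aud": "enterprise", "exp": now + 3600})
    legit = sign_token("enterprise-2023", {"sub": "user@example.com", "aud": "enterprise", "exp": now + 3600})
    return {
        "flawed_accepts_forged": validate_flawed(forged),
        "hardened_accepts_forged": validate_hardened(forged, now),
        "hardened_accepts_legit": validate_hardened(legit, now),
    }


if __name__ == "__main__":
    print(demo())
```

The flawed validator returns True for the forged token because the signature really does verify against a key it trusts; nothing in its logic asks whether that key was ever allowed to sign for this audience or whether it should still be in service. The hardened validator adds both checks before the signature check, which is the key-scope separation and automated key retirement the review board's recommendations point at.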