SANS NewsBites

Microsoft Should Provide Full Security Logs for Base Software License Levels; Network Access Control Done Right Provides Foundation for Ability to Trust or Not; Zimbra Workaround Required While Waiting for Patch

July 18, 2023  |  Volume XXV - Issue #56

Top of the News


2023-07-17

Call for Free Security Logs After Microsoft Email Key Debacle

Last week, Microsoft disclosed that hackers with ties to China’s government used forged authentication tokens to break into email accounts at US government agencies and other organizations. It is not yet clear how the attacker obtained the signing key necessary to create the tokens. The attack can be detected only by Microsoft customers with certain, more-expensive licenses. The situation has not escaped the notice of government officials: in a press call, a senior CISA official said that “Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box.”

Editor's Note

A little over twenty years ago Bill Gates kicked off the now infamous Trustworthy Computing Initiative in Microsoft in response to security concerns over Windows. It’s now time for a similar Trustworthy Cloud Computing Initiative to be started in Microsoft, and other cloud service providers, to ensure security is built into the cloud services being provided and not provided as an optional extra with additional costs.

Brian Honan

The cost savings from moving to the cloud have to come from somewhere. If you want full insight into who accesses your data, how, and when: stay on premises. If you move to the cloud, you better hope that cloud providers can keep their access keys secure as once they lose them, even the most expensive logging option is unlikely to keep you secure.

Johannes Ullrich

While there is call for tiered services for cloud offerings, log information should not be tiered: it should be available at all license levels, ideally with options to send it straight to your SIEM/SOAR platform. That said, if you're a Microsoft 365 customer, talk to your technical account representative about what level of visibility can be gained by having E5/G5 licenses for your security and tenant administration teams, vs. upgrading all users to those levels.

Lee Neely

Microsoft should do this and make logging available to all users. It just makes security sense. Even if they don’t store any logs or make you pay for extra storage, the logs should be available and exportable to everyone. This level of goodwill will go a long way. Is this the generational Windows XP SP2 story, and will we talk about this in 10 years?

Moses Frost

Back in 2021 Microsoft was in the news for the extra costs associated with Advanced Audit and the costs to store those audit logs. They offered a 1-year free trial to Gov Cloud users and… things quieted down. Fast forward two years and we’re talking about access to advanced logging, again. Here’s the rub: a security practitioner wants everything logged for when a security incident occurs; I can’t argue with that position. Yet, that logging comes at a cost to the company in both storage and the skills necessary to review. What really should be discussed is how the evil-doer got access to an inactive signing key. That seems to be the more serious security lapse on Microsoft’s part.

Curtis Dukes

2023-07-17

Forescout’s List of Riskiest Connected Devices

Forescout has published a list of the five riskiest connected devices in Information Technology (IT), the Internet of Things (IoT), Operational Technology (OT), and the Internet of Medical Things (IoMT). The lists are derived from “a data-driven approach by analyzing millions of devices in Forescout’s Device Cloud using Forescout’s multifactor risk scoring methodology.” Of the 20 types of devices in the lists, seven did not appear in last year’s lists: VPN gateways, security appliances, network-attached storage (NAS), out-of-band management, engineering workstations, remote terminal units, and blood glucose monitors.


2023-07-17

Zimbra Releases Fix for Actively Exploited Flaw in Collaboration Suite

Zimbra is urging users to apply a patch to Zimbra Collaboration Suite 8.8.15 to address an actively exploited vulnerability. The vulnerability can be exploited to steal or modify data. Zimbra plans to release an update that fixes the flaw later this month; for users who want to take preventive measures sooner, Zimbra has provided instructions for manually updating mailbox nodes.

The Rest of the Week's News


2023-07-17

Adobe’s July Security Updates Include Fixes for Critical Flaws in ColdFusion and InDesign

Adobe has released fixes to address critical vulnerabilities affecting ColdFusion and InDesign. The patches were part of Adobe’s scheduled monthly security update, which addressed 15 vulnerabilities in all.

Editor's Note

Of the fixes Adobe released, three are for ColdFusion and twelve are for InDesign. CVE-2023-29300 (deserialization of untrusted data flaw) has a CVSS score of 9.8. While rolling out these patches, make sure the March update, which included the actively exploited CVE-2023-26360 (code execution and memory leak), was also applied. At this point, you should have migrated off ColdFusion. Check for any lingering instances, get them patched, then address the migration plan.

Lee Neely

If you’re still a user of ColdFusion, given the CVSS criticality score (9.8), prioritize the download and patch now.

Curtis Dukes

Alarmingly, plenty of large platforms still use ColdFusion.

Moses Frost

2023-07-17

CISA: Resources for Securing Data in Cloud Environments

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a factsheet with information to help organizations migrating their operations “to a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security.”


2023-07-17

Eight Vulnerabilities in BD Alaris Guardrails Suite MX Medical Infusion Products

Becton, Dickinson, and Co. has disclosed eight vulnerabilities affecting its medication infusion products. The flaws in the BD Alaris Guardrails Suite MX, versions 12.1.3 and earlier, could be exploited to compromise data, hijack sessions, modify firmware, and alter system configurations. BD said that “remediation and deployment planning for these vulnerabilities is currently in progress.” The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS medical advisory detailing the vulnerabilities.


2023-07-17

JumpCloud Provides Additional Details About Cyberattack

IT management services firm JumpCloud says that a cyberattack launched by nation-state-sponsored threat actors earlier this summer targeted a specific subset of its customers. When JumpCloud learned of the attack, it reset all admin API keys as a precaution. The attackers gained initial access to JumpCloud’s environment with a spear-phishing attack.


2023-07-17

US Commerce Department EU-US Data Privacy Framework Website

The US Department of Commerce has launched a website that allows US organizations to certify their participation in the newly adopted EU-US Data Privacy Framework. US organizations that transfer data between the EU and the US must certify participation by October 10, 2023. The website also allows US companies to certify compliance with the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework.


2023-07-17

Incidence of USB Drives as Initial Attack Vector on the Rise

According to Mandiant, the number of attacks using USB drives as the initial vector of intrusion has increased significantly over the first six months of 2023. In a blog post, Mandiant describes two attack campaigns that used USB drives as the initial vector of attack: SOGU and SNOWYDRIVE. SOGU has been used in attacks targeting both public and private organizations across sectors; SNOWYDRIVE has been used in attacks against the oil and gas industries in Asia.


2023-07-17

DMARC Implementation at Hospitals in South Africa and UAE

According to analysis from Proofpoint, just 28 percent of hospitals in South Africa and the United Arab Emirates (UAE) have implemented the strictest level of the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication protocol. Healthcare organizations are increasingly becoming targets of ransomware operators, which speaks to the need to take extra precautions to protect their systems.
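The "strictest level" in the Proofpoint figure above is a DMARC record whose policy is p=reject applied to 100 percent of mail, with no weaker subdomain policy. The following checker, added here as an illustration and not part of the NewsBites item or Proofpoint's methodology, parses constructed DMARC TXT records and classifies each domain's enforcement level; the domain names and records are made up for the example.

```python
# Constructed sample DMARC TXT records keyed by domain (not real domains or real data).
SAMPLE_RECORDS = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-c.example",
    "hospital-d.example": "v=DMARC1; p=reject; sp=none",   # subdomains left unprotected
    "hospital-e.example": "v=DMARC1; p=reject; pct=100",
    "hospital-f.example": "",                              # no DMARC record published
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict.
    Returns None for an empty string or anything that is not a DMARC1 record with a p= tag."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_level(txt):
    """Classify enforcement as 'none' (no usable record or p=none), 'partial', or 'strict'.
    'strict' means p=reject, pct=100 (the default when absent) and a subdomain policy
    (sp=, which defaults to p=) that is also reject."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # malformed pct is treated as no enforcement
    if policy == "none":
        return "none"
    if policy == "reject" and sub_policy == "reject" and pct == 100:
        return "strict"
    return "partial"


def strict_share(records):
    """Fraction of domains whose DMARC policy is at the strictest level."""
    strict = sum(1 for rec in records.values() if dmarc_level(rec) == "strict")
    return strict / len(records)
```

Against real domains the record comes from a DNS TXT lookup of `_dmarc.<domain>`; the sample dict stands in for that lookup so the block runs offline.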

Internet Storm Center Tech Corner

Zimbra Vulnerability Exploited

https://blog.zimbra.com/2023/07/security-update-for-zimbra-collaboration-suite-version-8-8-15

WooCommerce Vulnerability Actively Being Exploited

https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/

Adobe ColdFusion Flaws Exploited

https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-rce-bug-exploited-in-attacks/

CISA Cloud Security Fact Sheet: Free Tools for Cloud Environments

https://www.cisa.gov/sites/default/files/2023-07/Free%20Tools%20for%20Cloud%20Environments_508c.pdf

JumpCloud Breach

https://arstechnica.com/security/2023/07/jumpcloud-says-nation-state-hacker-breach-targeted-some-of-its-customers/

Microsoft Driver Certs Details

https://blog.talosintelligence.com/old-certificate-new-signature/

Threads App Lures

https://www.helpnetsecurity.com/2023/07/14/threads-app-lure/

FIRST Releases CVSS 4.0 Preview

https://www.first.org/cvss/