Cyber Intelligence Weekly

Cyber Intelligence Weekly (July 28, 2024): Our Take on Three Things You Need to Know

Before we get started on this week’s CIW, I’d like to highlight our Incident Response Planning & Tabletop Exercises! 🛡️

From assessing your current capabilities to creating and testing detailed response plans, we provide the expertise and support you need to minimize downtime and mitigate impact. So you can focus on what you do best, your business.

Learn more: https://lnkd.in/ecrTJNgE

Away we go!

1. How a North Korean Agent Nearly Infiltrated KnowBe4

In a recent incident, KnowBe4 discovered an attempted infiltration by a North Korean individual posing as a software engineer. The company had posted a job opening and went through their standard hiring procedures, including multiple interviews and background checks. Despite these efforts, the new hire began installing malware on their Mac workstation immediately upon receiving it.

This individual had used a stolen U.S.-based identity, which allowed them to pass all preliminary checks. The situation became suspicious when the Security Operations Center (SOC) detected unusual activity from the new hire's account. Upon investigation and collaboration with Mandiant and the FBI, it was revealed that the person was actually a North Korean agent. The photo provided during the hiring process was an AI-enhanced image based on a stock photo.

The attacker managed to perform several unauthorized actions, including manipulating session history files and transferring potentially harmful files using a Raspberry Pi. The SOC's attempts to contact the individual for clarification were met with evasive responses, leading to the containment of their device. This incident highlighted the risks associated with remote hiring and the importance of stringent security measures.

KnowBe4 has shared this experience as a learning moment, emphasizing the need for better vetting processes, enhanced monitoring, and coordination between HR, IT, and security teams. They provided several tips to prevent similar incidents, such as scanning remote devices, verifying the physical locations of new hires, and scrutinizing resumes for inconsistencies. The incident underscores the need for strong security controls against sophisticated threats and for a mature insider risk program.

2. Google Fixes Email Verification Flaw Exploited by Cybercriminals

Recently, Google addressed a vulnerability in their authentication process that allowed cybercriminals to bypass the email verification required to create Google Workspace accounts. This flaw enabled the attackers to impersonate domain holders at various third-party services that use Google’s “Sign in with Google” feature. The issue was identified after a user reported receiving a notice about a potentially malicious Workspace account linked to their email address.

Google detected the abuse campaign, which involved attackers circumventing the email verification step using a specially constructed request. This allowed them to gain access to third-party applications. The problem was fixed within 72 hours of its discovery, and additional detection measures were implemented to prevent similar bypasses in the future. Anu Yamunan, Google Workspace's director of abuse and safety protections, noted that the malicious activity began in late June and involved a few thousand Workspace accounts.

These attackers exploited a loophole by using one email address to sign up and a different one to verify the token, thereby bypassing the domain validation process. Although the affected Workspace accounts were not used to abuse Google services, the attackers aimed to impersonate domain holders to other online services. In one case, the bypass allowed unauthorized access to a user's third-party accounts, including Dropbox.
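To make the class of flaw concrete, here is an added illustrative model (not Google's code, and not a reconstruction of their system) of an email-verification flow with the weakness described above beside a hardened version. The vulnerable verifier only checks that a token exists; it trusts whatever address the client submits alongside it, so a token mailed to an attacker's inbox can be redeemed for a victim's address. The hardened verifier binds each token to the address it was issued for, enforces single use and an expiry, and marks verified only the stored address. All names, addresses and the 15-minute TTL are assumptions made up for the example.

```python
"""Illustrative model of a cross-address email-verification bypass.
Hypothetical code written for this newsletter, not Google's implementation."""
import hmac
import secrets
import time


class VulnerableVerifier:
    """Stores tokens without the address they were mailed to, so verify()
    has to trust the email the client sends alongside the token."""

    def __init__(self):
        self.valid_tokens = set()
        self.verified = set()

    def request(self, email):
        token = secrets.token_urlsafe(32)
        self.valid_tokens.add(token)  # flaw: no record of which address received this token
        return token

    def verify(self, email, token):
        if token not in self.valid_tokens:
            return False
        self.valid_tokens.discard(token)
        self.verified.add(email.strip().lower())  # marks whatever address the client claims
        return True


class HardenedVerifier:
    """Binds each token to the address it was issued for and to an issue time;
    on redemption the submitted address must match, the token must be unexpired,
    and only the stored address is marked verified."""

    TTL_SECONDS = 15 * 60  # assumed expiry window

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable for testing expiry
        self.pending = {}   # token -> (normalised email, issued_at)
        self.verified = set()

    def request(self, email):
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email.strip().lower(), self.clock())
        return token

    def verify(self, email, token):
        entry = self.pending.pop(token, None)  # single use: consumed on first attempt
        if entry is None:
            return False
        issued_for, issued_at = entry
        if self.clock() - issued_at > self.TTL_SECONDS:
            return False
        # Constant-time comparison against the address the token was actually mailed to.
        submitted = email.strip().lower()
        if not hmac.compare_digest(issued_for.encode(), submitted.encode()):
            return False
        self.verified.add(issued_for)
        return True


def cross_address_replay(verifier):
    """Attack pattern from the article: request a token for a mailbox the attacker
    controls, then redeem it while claiming the victim's address.
    Returns True if the victim address ends up marked verified."""
    attacker_mailbox = "attacker@attacker-example.net"  # constructed
    victim_address = "admin@victim-example.com"         # constructed
    token = verifier.request(attacker_mailbox)          # lands in the attacker's inbox
    verifier.verify(victim_address, token)
    return victim_address in verifier.verified


def legitimate_flow(verifier):
    """The token is redeemed for the same address it was mailed to."""
    addr = "owner@victim-example.com"  # constructed
    return verifier.verify(addr, verifier.request(addr)) and addr in verifier.verified


if __name__ == "__main__":
    print("vulnerable, cross-address replay:", cross_address_replay(VulnerableVerifier()))  # True
    print("hardened,   cross-address replay:", cross_address_replay(HardenedVerifier()))    # False
    print("hardened,   legitimate flow:     ", legitimate_flow(HardenedVerifier()))         # True
```

The point to check in any verification flow you own is that the address marked verified comes from server-side state created when the token was issued, never from the request that redeems it; binding the token to the pending account as well, and expiring it, closes the remaining replay windows.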

This incident is separate from a recent issue involving cryptocurrency-based domain names compromised during their transition to Squarespace. Squarespace has since fixed the weakness related to OAuth logins, which was exploited to hijack domains tied to cryptocurrency businesses.

3. Revisiting Kernel Access: Microsoft’s Plan for Enhanced Windows Security

Microsoft has signaled that it may push for changes to improve the resilience of Windows after the recent incident involving the faulty CrowdStrike Falcon update. The outage highlights the risks of software that operates at the kernel level. Microsoft is now openly discussing changes that would reduce or remove security vendors' access to the Windows kernel, aiming to make the operating system more robust and secure.

The recent problem arose due to CrowdStrike's Falcon software, which runs at the kernel level to detect threats. This deep level of access means that any issues with the software can severely impact the system, as evidenced by the widespread outages caused by the recent update. Microsoft had attempted to restrict kernel access in the past with Windows Vista but faced resistance from security vendors and regulators. However, Apple's successful restriction of kernel access in macOS since 2020 has set a precedent that Microsoft is looking to revisit.

John Cable, vice president of program management for Windows servicing and delivery, emphasized the need for innovation and end-to-end resilience in Windows. He mentioned new security features like VBS enclaves and Azure Attestation, which do not require kernel mode drivers, as examples of modern security practices. These approaches align with the Zero Trust security model and highlight the potential for development practices that do not depend on kernel access.

The discussion about restricting kernel-level access is likely to continue, with Microsoft seeking to balance the security needs of its ecosystem with the operational requirements of security vendors. This conversation marks a significant step towards enhancing the security and resilience of Windows systems, ensuring that incidents like the CrowdStrike outage are less likely to occur in the future.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?