Cyber Intelligence Weekly (Sept 26, 2021): Our Take on Three Things You Need to Know

Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.

Away we go!

1. Hey Hey, Zero-Day! 2021 Record Year for Zero-Day Exploits.

As we’ve mentioned in previous weeks, there have been several new zero-day exploits being exploited in the wild. We’ve also mentioned how the rate of discovery has been quite remarkable. As a quick refresher, a zero-day exploit is essentially an attack against a previously unknown vulnerability, that usually carries a heavy impact with it. As one can imagine, these stealthy types of attacks are highly coveted amongst criminal groups and governments alike as it gives the offensive agent a first mover advantage.

Patrick Howell O'Neill from the MIT Technology Review recently broke down the state of the zero-day market and some of the reasons behind the surge. He notes that this year alone has produced at least 66 zero-days to date. The data behind this can be found in public sources such as Google’s Project Zero, with a listing of all published zero-days by year that is posted here. Google’s Project Zero also cites that on average, a new zero-day (or sometimes referred to as, “0day”) is discovered every 17 days and the most common root-cause of these vulnerabilities are memory corruption issues, occurring at 68%.

There are many contributing factors for the rise in 0days that Mr. O’Neill calls out in his research:

• Rapid global proliferation of hacking activities and tools, both state-sponsored, and criminal backed.
• Defenders are becoming better at spotting these types of attacks now more than ever before.
• Simple supply and demand as zero-day exploits get harder to develop, they become that much more valuable.

Most organizations do not have the sophistication and technology capabilities to discover 0day attacks on the fly, which highlights the importance and reliance upon major threat intelligence feeds and the capabilities of organizations like Microsoft, Google, Crowdstrike and others. It is critically important for organizations to closely understand and monitor security updates and product releases directly from the source and major cybersecurity intelligence shops.

2. Massive Credential Leakage Occurring Through Microsoft Autodiscover

Amit Serper from Guardicore has released some new research showing that the Microsoft Autodiscover feature, which Microsoft describes as a service that “provides an easy way for your client application to configure itself with minimal user input”, has a design flaw that allows the service to leak web requests to Autodiscover domains outside of the user’s domain but in the same top-level domain.

A threat-actor can essentially acquire Autodiscover domains with a top-level domain suffix and set them up to receive pre-authenticated web-requests from unsuspecting client devices. This will allow them to start receiving and consuming valid domain credentials from various Autodiscover requests.

There are several mitigations that companies can consider:

• Ensure that support for basic authentication is disabled for Microsoft Exchange
• Ensure that you are actively blocking ‘Autodiscover’ domains at the firewall level.
• Test to ensure that apps do not let the Autodiscover protocol ‘fail upwards’.

This is another great example of the trade-off between operational convenience and security. The protocol was created to give those who operate and manage networks the ability to help configure devices and accounts much more efficiently. However, as this research shows, the efficiency can come at a heavy cost, unless properly understood and secured.

3. FBI Held Back Kaseya Ransomware Decryption Key

In a new report from the Washington Post, Ellen Nakashima and Rachel Lerman explain that FBI officials had decryption keys and tools for the victims of the Kaseya ransomware attack by the REvil ransomware gang as many as three weeks before they actually released them. Several organizations already noted that by the time the FBI offered up the decryption keys and tools that it was too late, and they had either rebuilt things from scratch or spent the previous three weeks restoring from backups and reconstituting systems.

According to the Washington Post report, the FBI had retrieved the decryption keys and tools through their own access to the attacker’s infrastructure. The FBI had apparently held back this information because they were planning an operating to disrupt the threat actors and they didn’t want to tip their hand. Unfortunately, the REvil gang went dark and pulled their own disappearing act before the FBI could launch their operation. The FBI ended up sharing the decryption keys and tools with Kaseya on July 21, nineteen days after the attack begun.

The decision that occurred here is similar to decisions that governments face when they uncover or come across zero-day exploits. Do you report the zero-day vulnerability to the software maker or keep it hush hush and use the information for you or your country's benefit? In the national security community, there is a formal process for evaluating such a decision, the Vulnerabilities Equities Process. Perhaps it is time for the FBI to consider a more formal process as well?

*Bonus* Follow Up From Last Week:

• Last week we reported on the critical Apple IOS update to combat code vulnerable to the NSO Group’s Pegasus spyware. This past week reports emerged of the spyware found on at least five French ministers and a diplomatic advisor to President Emmanuel Macron.