Project Hyphae

Information Security News 4-17-2023

Vice Society Ransomware uses New PowerShell Data Theft Tool in Attacks

Article Link: https://www.bleepingcomputer.com/news/security/vice-society-ransomware-uses-new-powershell-data-theft-tool-in-attacks/

  • The Vice Society ransomware gang is deploying a new PowerShell script to automate data theft from compromised networks. In addition to the script automating the exfiltration process, it relies on “living off the land” scripts and binaries to evade detection.
  • When the PowerShell script is launched, it reviews system files. Unit 42, who first identified the new script, noted that the script ignores files that are under 10 KB in size and those without file extensions. Likewise, it specifically targets folders associated with a master list of 433 strings in a variety of languages, primarily including English and German.
  • The exfiltration portion of the script also has rate limiting settings, which set a maximum of 10 simultaneously running jobs of 5 directory groups. This further allows the bad actors to lay low until file encryption begins.
  • Link to Unit42’s Report: https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/

A “By-Design” Flaw in Microsoft Azure can Allow Storage Accounts Takeover

Article Link: https://securityaffairs.com/144682/hacking/microsoft-azure-bug.html

  • Researchers from Orca demonstrated how to abuse Microsoft Azure Shared Key authorization to gain full access to storage accounts and potentially critical business assets. The issue can also be abused to move laterally in the environment and potentially execute remote code.
  • Microsoft recommends disabling shared key access and using Azure AD authentication instead; however, shared key authorization is enabled by default when creating storage accounts.
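
An audit sketch for the default described above, added here as an example and not taken from the linked article or from Microsoft. It assumes the account list was exported with `az storage account list -o json`; the sample accounts are constructed, and a null `allowSharedKeyAccess` is treated as the default, which permits Shared Key.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output,
# trimmed to the fields used here. Account names are made up.
SAMPLE = json.loads("""
[
  {"name": "stlegacyapp", "resourceGroup": "rg-app", "allowSharedKeyAccess": null},
  {"name": "stfunctions", "resourceGroup": "rg-func", "allowSharedKeyAccess": true},
  {"name": "stlocked", "resourceGroup": "rg-sec", "allowSharedKeyAccess": false}
]
""")


def shared_key_state(account):
    """Classify one account. A missing or null property means the default,
    and the default permits Shared Key requests."""
    value = account.get("allowSharedKeyAccess")
    if value is False:
        return "disabled"
    if value is True:
        return "enabled-explicit"
    return "enabled-default"


def audit(accounts):
    """Return (name, resource group, state) for every account that still
    accepts Shared Key authorization, sorted by name."""
    findings = []
    for acct in accounts:
        state = shared_key_state(acct)
        if state != "disabled":
            findings.append((acct["name"], acct.get("resourceGroup", "?"), state))
    return sorted(findings)


def remediation(name, group):
    """Build the az CLI command that turns Shared Key access off."""
    return ("az storage account update --name {} --resource-group {} "
            "--allow-shared-key-access false").format(name, group)


if __name__ == "__main__":
    for name, group, state in audit(SAMPLE):
        print(f"{name}: {state}")
        print("  " + remediation(name, group))
```

Confirm that no application or tool still signs requests with the account key before applying the remediation command, since those requests fail once Shared Key is disabled.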

Compatibility Mess Breaks Not One but Two Windows Password Tools

Article Link: https://www.theregister.com/2023/04/14/microsoft_laps_compatibility/

  • According to Microsoft, if organizations install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023, security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break.
  • Microsoft noted that symptoms of issues include the triggering of Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. There is a published workaround until a fix is rolled out.
  • Link to Microsoft’s Report: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

Why Shadow APIs are More Dangerous than You Think

Article Link: https://thehackernews.com/2023/04/why-shadow-apis-are-more-dangerous-than.html

  • Shadow APIs, or application programming interfaces that aren’t officially documented or supported, are a growing risk for many organizations. Unfortunately, many APIs aren’t routed through an API gateway or web application firewall, further increasing associated risk.
  • Since APIs are rarely visible to security teams, shadow APIs provide hackers with a defenseless path to exploit vulnerabilities.
  • As APIs continue to become more common, it is important for security teams to manage these technologies and the risk they introduce. As the article notes, a key component to managing shadow APIs, and APIs in general, starts with identifying all APIs that are running in an organization’s network. From there, security teams can work to address risks associated with APIs.

To Improve Security, Consider How the Aviation World Stopped Blaming Pilots

Article Link: https://www.theregister.com/2023/04/14/aviations_just_culture_improves_cybersecurity/

  • According to the director of ISACA, Serge Christiaans, the cybersecurity industry should move away from a blame culture to a “just” culture that understands mistakes will happen and encourages reporting errors, akin to the aviation industry.
  • In a just culture, errors are viewed as learning opportunities instead of moral failings, creating transparency and enabling constant improvement.
  • As the article notes, cybersecurity can learn from aviation in using the review of human error as a catalyst to explore whether or not certain mistakes are potentially systemic.

LastPass Breach Reveals Important Lessons

Article Link: https://www.darkreading.com/attacks-breaches/lastpass-breach-reveals-important-lessons

  • As more details emerge relating to the LastPass data breach, organizations, particularly security companies, can look at the incident as a good source of important lessons.
  • LastPass’ data breach in August 2022 provided a number of lessons to learn. These include adhering to an established BYOD policy, addressing legacy vulnerabilities to mitigate endpoint risk, avoiding easily bypassed MFA, and building security into products and infrastructure from the start.
  • The article highlights that cyberattacks can often be prevented with basic cybersecurity measures. Security companies aren’t immune to cyberattacks. As such, organizations should learn from the errors of other organizations to improve their own security practices.

LinkedIn Now Allows You to Verify Your Workplace

Article Link: https://www.helpnetsecurity.com/2023/04/13/linkedin-verify-workplace/

  • Microsoft has introduced Entra Verified ID, a new feature that allows users to verify their workplace on the business-focused social media platform, to combat the surge of fake LinkedIn accounts.
  • Essentially, Verified ID comes with an Azure AD Free subscription. Organizations can issue cryptographically signed digital credentials and provide them to employees as a digital employee ID. From there, employees are allowed to share their credentials with apps and websites. When these credentials are sent to websites, like LinkedIn, the organization can cryptographically authenticate the digital employee ID.
  • Microsoft looks to roll this feature out by the end of April. LinkedIn is also looking to offer two other options for verification: identity verification through the “CLEAR” platform, which uses a government ID and phone number, and verification via a company-issued email address.

Security is a Revenue Booster, not a Cost Center

Article Link: https://www.darkreading.com/edge-articles/security-is-a-revenue-booster-not-a-cost-center

  • Security has historically been seen as a cost center, which has led to it being given as little money as possible. Many security leaders have supported this mindset by focusing solely on how expensive incidents could be.
  • The article highlights how security can be used as a means to generate revenue and gain more customers as opposed to solely taking up the organization’s resources.
  • Additionally, periodic moves to help sales could illustrate to the CFO, the COO, the CEO, and the board the potential for using security to help with the bottom line, resulting in more resources being diverted to security initiatives.

U.S. and International Partners Issue Guidance on Securing Technology by Design and Default

Article Link: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3361073/nsa-us-and-international-partners-issue-guidance-on-securing-technology-by-desi/

  • CISA, NSA, FBI, and 6 other international partners developed an information sheet to encourage technology manufacturers to create products that are secure-by-design and secure-by-default.
  • The agencies highlight the importance of prioritizing security throughout a product’s lifecycle to reduce the likelihood of security incidents.
  • In addition to the recommendations listed in the report, the authoring agencies encourage the use of the Secure Software Development Framework (SSDF), also known as NIST SP 800-218.

