Tag Archive for: admins

Biden admin’s cloud security problem: ‘It could take down the internet like a stack of dominos’


The cloud has “become essential to our daily lives,” Kemba Walden, the acting national cyber director, said in an interview. “If it’s disrupted, it could create large potentially catastrophic disruptions to our economy and to our government.”

In essence, she said, the cloud is now “too big to fail.”

The fear: For all their security expertise, the cloud giants offer concentrated targets that hackers could use to compromise or disable a wide range of victims all at once. The collapse of a major cloud provider could cut hospitals off from accessing medical records; paralyze ports and railroads; corrupt the software that helps financial markets hum; and wipe out databases across small businesses, public utilities and government agencies.

“A single cloud provider going down could take down the internet like a stack of dominos,” said Marc Rogers, chief security officer at hardware security firm Q-Net Security and former head of information security at the content delivery provider Cloudflare.

And cloud servers haven’t proved to be as secure as government officials had hoped. Hackers from nations such as Russia have used cloud servers from companies like Amazon and Microsoft as a springboard to launch attacks on other targets. Cybercriminal groups also regularly rent infrastructure from U.S. cloud providers to steal data or extort companies.

Among other steps, the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first introduced in a Trump administration executive order). And last week the administration warned in its national cybersecurity strategy that more cloud regulations are coming — saying it plans to identify and close regulatory gaps over the industry.

In a series of interviews about this new, tougher approach, administration officials stressed that they aren’t giving up on the cloud. Instead, they’re trying to ensure that rapid growth doesn’t translate to new security risks.

Cloud services can “take a lot of the security burden off of end users” by relieving them of difficult and time-consuming…


Biden admin’s bug fix mandate aims to prevent the next major cybersecurity attack


The Biden administration is requiring civilian federal agencies to fix hundreds of cybersecurity flaws, as reported earlier by The Wall Street Journal. As the WSJ states, the BOD 22-01 directive from the Cybersecurity and Infrastructure Security Agency (CISA) covers around 200 known threats that cybersecurity experts discovered between 2017 and 2020, as well as 90 more flaws that were found in 2021. Federal agencies have six months to patch older threats and just two weeks to fix the ones that were discovered within the past year.

The WSJ report points out that federal agencies are usually left to their own devices when it comes to security, sometimes resulting in poor security management. The goal is to force federal agencies to fix all potential threats, whether they’re major or not, and establish a basic list for other private and public organizations to follow. While zero-day vulnerabilities that exploit previously unknown openings get major headlines, addressing “the subset of vulnerabilities that are causing harm now” can get ahead of many incidents.

Previously, a 2015 order gave federal agencies one month to fix threats deemed “critical risk.” This was changed in 2019 to include threats categorized as “high risk,” as pointed out by the WSJ. The new mandate distances itself from prioritizing specific threat levels and instead acknowledges that small holes can quickly cause larger problems if hackers can find a way to take advantage of them.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” says CISA director Jen Easterly. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

CISA’s newly released list of known vulnerabilities notably includes the…


CISA warns admins to urgently patch Exchange ProxyShell bugs


The US Cybersecurity and Infrastructure Security Agency (CISA) issued its first alert tagged as “urgent,” warning admins to patch on-premises Microsoft Exchange servers against actively exploited ProxyShell vulnerabilities.

“Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207,” CISA warned over the weekend.

“CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”

These three security flaws (patched in April and May) were discovered by Devcore security researcher Orange Tsai, who used them to compromise a Microsoft Exchange server in April’s Pwn2Own 2021 hacking contest.

Actively exploited by multiple threat actors

This warning comes after similar ones alerting organizations to defend their networks from the wave of attacks that hit tens of thousands of organizations worldwide in March, with exploits targeting four zero-day Microsoft Exchange bugs known as ProxyLogon.

Even though Microsoft fully patched the ProxyShell bugs in May 2021, it didn’t assign CVE IDs to the three security vulnerabilities until July, which prevented some organizations with unpatched servers from discovering that they had vulnerable systems on their networks.

After additional technical details were recently disclosed, both security researchers and threat actors could reproduce a working ProxyShell exploit.

Then, just as it happened in March, attackers began scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.

After breaching unpatched Exchange servers, threat actors drop web shells that allow them to upload and execute malicious tools.

While the initial payloads were harmless, attackers have since begun deploying LockFile ransomware across Windows domains compromised using Windows PetitPotam exploits.

So far, US-based security firm Huntress Labs said it found over 140 web shells deployed by attackers on more than 1,900 compromised Microsoft Exchange servers until…


Microsoft will alert Office 365 admins of Forms phishing attempts


Microsoft is adding new security warnings to the Security and Compliance Center (SCC) default alert policies to inform IT admins of detected phishing attempts abusing Microsoft Forms in their tenants.

Microsoft Forms is an app that enables web and mobile users to create surveys, polls, and quizzes for collecting feedback and data online.

It has recently been made available for personal use to anyone with a Microsoft account after previously being available only to business users with Microsoft 365 Personal and Microsoft 365 Family subscriptions.

Forms phishing activity alerts

Microsoft Forms detects phishing attempts with the help of proactive phishing detection (available for all public forms since July 2019 and for enterprise forms from September 2019).

This phishing protection feature will proactively identify malicious password collection in forms and surveys.

To do that, it uses automated machine reviews to “proactively detect malicious password collection in forms and surveys” to block phishers from abusing Microsoft Forms to create phishing landing pages.

Admins receive alerts of any users or forms blocked in their tenants for potential phishing. Microsoft is now working on also adding these phishing activity alerts to SCC’s Alert center.

“We are now adding Microsoft Forms’ phishing activities alert (for blocked forms and users due to confirmed and suspicious phishing) to the default alert policies in Microsoft’s Security and Compliance Center (SCC),” the company explains in a Microsoft 365 Roadmap entry.

“If there is any user restricted from sharing forms and collecting responses from Microsoft Forms because of confirmed phishing activities, or any form identified/detected as phishing form, IT admins will receive an alert in the SCC Alert center.”

Rolling out later this month

Microsoft is planning on making this new feature generally available worldwide in all environments by the end of this month.

Microsoft also added an option in November allowing Office 365 admins to review Microsoft Forms phishing attempts and to confirm or unblock forms tagged as suspicious for potentially harvesting sensitive data.

Once the notifications are added…
