RSA conference coming soon
Researchers from Wiz, who previously found a series of four fatal flaws in Azure’s Open Management Infrastructure (OMI) agent, collectively dubbed “OMIGOD,” presented some related news at RSA: pretty much every cloud provider installs similar software “without the awareness or the express consent of the customer.”
In a blog post accompanying the presentation, Wiz’s Nir Ohfeld and Shir Tamari describe the agents as middleware that bridges customer VMs and the vendor’s other managed services. The agents are needed to enable advanced VM features such as log collection, automatic refresh and configuration synchronization, but they also add potential attack vectors that customers cannot defend against, because they do not know the agents are there.
In the case of OMIGOD, this included a bug with a CVSS score of 9.8/10 that allowed an attacker to gain root and execute code remotely. Microsoft patched the vulnerabilities, but most of the patches had to be applied manually.
Wiz published a GitHub page with a list of 12 agents secretly installed on Azure, AWS and Google Cloud just like OMI, and that’s probably not all. “Based on our research, it’s likely that there are more agents that security researchers and cloud customers are unaware of,” Ohfeld and Tamari said.
Few understand their attack surface, says Trend Micro
Trend Micro survey results show that most companies do not understand their attack surfaces.
Overall, 73 percent of the 6,297 IT and business decision makers surveyed said they were concerned about their growing attack surface, which only 51 percent said they could fully define.
Just over a third of respondents said their security infrastructure is messy and constantly evolving, while 43 percent admitted their attack surface is “getting out of control,” according to Trend Micro. Cloud environments have been called the most opaque, and with most vendors installing secret middleware, it’s easy to see why.
Bharat Mistry, technical director at Trend Micro, said that rapid IT modernization at the start of the COVID-19 pandemic is a major reason for the current attack surface visibility issues. “In many cases [IT upgrades are] unintentionally widening the digital attack surface and giving threat actors more opportunities to compromise critical assets,” he said.
The study also cites a number of reasons why visibility hasn’t improved, including opaque supply chains, shadow IT services, remote workers, and constant technical changes in vendor products, among others.
Unfortunately, Trend Micro’s number one piece of advice – “Gain visibility” – is easier said than done. Unless you have the right tools, which Trend Micro happens to be selling.
Private Sector to Federal Agencies: More Cooperation, Please
A laundry list of private sector and cyber advocacy groups released a joint statement Tuesday advocating “increased public-private collaboration to improve the nation’s cybersecurity readiness.”
The signers said that while the Biden administration has taken steps to strengthen public-private collaboration, it has not done enough. The signatories stated that they will “actively seek to engage U.S. government partners with ideas and initiatives to strengthen national cyber resilience” and put forward five proposals to that end:
- Strengthening the outreach of the Joint Cyber Defense Collaborative (JCDC) by working with the Collaborative and the Cybersecurity and Infrastructure Security Agency
- Building a collective understanding of threats by supporting the “tools, technology, incentives, business processes and legal frameworks” needed to do so
- Improving contingency planning by identifying “the top 5 cyber emergencies that pose a national security risk and developing proactive response plans”
- Improving the regulatory environment by identifying laws and regulations that impede progress
- Improving teamwork by creating opportunities for long-term exchanges between government and private cybersecurity professionals
The signatories are in luck: CISA and NSA leaders, along with National Cyber Director Chris Inglis, spoke at RSA and specifically mentioned the JCDC during their panel discussion this week.
“We cannot maintain the highest alert level for an extended period of time, which is why we are thinking about … the relationship government needs to have with the private sector,” CISA Director Jen Easterly said at the panel.
New MFA product reportedly withstands prompt bombing
Single sign-on provider Xage claims to have developed a new distributed, multi-layered, multi-factor authentication (MFA) product capable of withstanding prompt-bombing attacks like the one Lapsus$ used to break into Okta earlier this year.
MFA bombing is less a sophisticated hacking technique and more a way of wearing someone down: the attacker repeatedly attempts to log into one of the victim’s MFA-protected accounts, bombarding them with verification requests, then sits back and hopes the frazzled target accidentally taps “accept.” One mistake and the attacker is free to do whatever the victim’s account has access to.
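Because the attack depends on volume, the defender-side signal is simple: a burst of push prompts to one user in a short window, especially one that ends in an approval. The following is an added example, not code from the article, Xage or Okta; it runs over a constructed, hypothetical push-event log (the format and event names are assumptions, not any real identity provider’s schema) and flags users who received a suspicious burst, marking separately the dangerous case where an approval followed the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): ISO-8601 timestamp, username, event.
# "alice" is being prompt-bombed and eventually taps accept; "bob" and "carol" are
# normal logins, including two legitimate prompts for carol 45 minutes apart.
SAMPLE_LOG = """\
2022-06-07T08:00:01Z alice push_sent
2022-06-07T08:00:09Z alice push_denied
2022-06-07T08:00:12Z alice push_sent
2022-06-07T08:00:20Z alice push_denied
2022-06-07T08:00:25Z alice push_sent
2022-06-07T08:00:40Z alice push_timeout
2022-06-07T08:00:42Z alice push_sent
2022-06-07T08:00:50Z alice push_denied
2022-06-07T08:00:55Z alice push_sent
2022-06-07T08:01:03Z alice push_approved
2022-06-07T08:05:00Z bob push_sent
2022-06-07T08:05:05Z bob push_approved
2022-06-07T09:30:00Z carol push_sent
2022-06-07T09:30:07Z carol push_denied
2022-06-07T10:15:00Z carol push_sent
2022-06-07T10:15:04Z carol push_approved
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Sliding-window detector for MFA prompt bombing.

    For each user, keep the timestamps of push prompts sent within `window`.
    Reaching `threshold` prompts in that window is a finding; an approval that
    arrives while the burst is still in the window is flagged separately, since
    that is the "one mistake" the attacker is waiting for.
    Returns {user: {"burst_at": datetime, "prompts": int, "approved_after_burst": bool}}.
    """
    recent = defaultdict(deque)  # user -> deque of push_sent timestamps in window
    findings = {}
    for ts, user, event in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts outside the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                finding = findings.setdefault(
                    user, {"burst_at": ts, "prompts": 0, "approved_after_burst": False}
                )
                finding["prompts"] = len(q)
        elif event == "push_approved" and user in findings and len(q) >= threshold:
            findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        status = "APPROVED after burst" if finding["approved_after_burst"] else "burst only"
        print(f"{user}: {finding['prompts']} prompts by {finding['burst_at']:%H:%M:%S} ({status})")
```

The window and threshold are tuning knobs: legitimate users rarely receive more than a couple of prompts in five minutes, so a low threshold keeps false positives manageable while still catching a burst well before the victim gives in. A finding with `approved_after_burst` set is the one to treat as a probable compromise rather than a mere annoyance.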
What Xage offers as a solution is essentially a hybrid of MFA and network segmentation: “Users reconfirm their identity when they are granted each layer of access rights, enabling independent user verification at the level of an entire operation, a website or even a single asset,” Xage said in a press release. The unique selling point Xage claims is the use of a different MFA method at each access layer.
While a different type of MFA certainly adds a layer of security at each checkpoint, it is unclear how well users would tolerate the friction of supplying a different form of MFA for each granular access request.
Knock Knock. Who’s there? Not who you wanted
A flaw in a widespread physical security system could allow a successful attacker to open any doors the software manages.
Researchers at Trellix Threat Labs examined Carrier’s LenelS2 access control panels, which manage security door systems in facilities such as hospitals, schools, transportation hubs and government offices, and found eight zero-day vulnerabilities.
The LenelS2 was specifically chosen because of its widespread adoption, and while the team expected to find some bugs, “we didn’t expect to find common, legacy software vulnerabilities in a relatively new technology,” they said.
Physical security has been a hot topic lately, and while this vulnerability is scary, it would be difficult to pull off, as it requires physical access to the controller’s debugging ports. By accessing the ports and “using hardware hacking techniques,” the researchers were able to gain root access and obtain a full copy of the device’s firmware for emulation and vulnerability hunting.
Armed with knowledge of the software, the team was able to chain a pair of vulnerabilities together to gain remote root access. An injected program running alongside the controller software allowed the researchers to open doors and subvert surveillance software.
According to Carrier, the fix is to disable web login for the LenelS2 web portal. Once disabled, a physical switch on the controller must be flipped to enable it again. While this can re-secure a previously compromised controller, an attacker with physical access could simply flip the switch back.
As an additional damage control method, consider a padlock. ®