technology-news.space - All about the world of technology!

HOTTEST

  • Proof-of-concept exploit code has been published this week for a new attack technique that can bypass the Kerberos authentication protocol in Windows environments and let intruders access sensitive network-connected services.

    The bug, named the Bronze Bit attack and tracked as CVE-2020-17049, has already caused Microsoft quite some trouble to patch.
    The OS maker delivered an initial fix for Bronze Bit attacks in the November 2020 Patch Tuesday, but the patch caused authentication issues for Microsoft’s customers, and a new update had to be deployed this month to fix the previous issues.
    On Wednesday, a day after Microsoft delivered the final patches, Jake Karnes, a security engineer at NetSPI, published a technical breakdown of the vulnerability so network defenders can understand how they are vulnerable and why they need to update, despite the patching process’ rocky start.
    Accompanying his theoretical and practical breakdowns was also proof-of-concept exploit code that system administrators can use to check and see if the patch was installed correctly.
    Golden, Silver, and now the Bronze ticket attack
    According to Karnes, the Bronze Bit attack is another variation of the older and widely known Golden Ticket and Silver Ticket attacks against Kerberos authentication.
    All three are post-compromise techniques that can be used after an attacker has breached a company’s internal network.

    An attacker who infected at least one system on a network and extracted password hashes can use those hashes to bypass and forge credentials for other systems on the same network, as long as the network relies on the Kerberos authentication protocol, which has been included in all standard Windows versions since 2000.
    The difference between Golden Ticket, Silver Ticket, and now the Bronze Bit attacks is in what parts of the Kerberos authentication protocol attackers go after.
    In the case of Bronze Bit, attackers target the S4U2self and S4U2proxy protocols that Microsoft added as extensions to the Kerberos protocol.
    “The attack uses the S4U2self protocol to obtain a service ticket for a targeted user to the compromised service, using the service’s password hash,” Karnes says.
    “The attack then manipulates this service ticket by ensuring its forwardable flag is set (flipping the “Forwardable” bit to 1). The tampered service ticket is then used in the S4U2proxy protocol to obtain a service ticket for the targeted user to the targeted service,” he adds.

    Karnes says the attack was possible because the portion of the Kerberos service ticket where the Forwardable flag resides is not signed, and the Kerberos process is not able to detect service tickets that have been tampered with.
    “This exploit bypasses 2 existing protections for Kerberos delegation, and provides an opportunity for impersonation, lateral movement, and privilege escalation,” the researcher added.
    Karnes also said the attack’s name comes from the Golden Ticket and Silver Ticket attacks, which use similar principles, but it is named Bronze Bit instead of Bronze Ticket because the attack relies on flipping just a single bit.

  • Fortinet delivered strong second quarter growth thanks to an expansion in business from EMEA and the Americas.  

    Fortinet delivered second quarter revenue of $801.1 million, up 29.7% from a year ago. For the second quarter, Fortinet’s non-GAAP earnings of $0.95 a share were above expectations. Wall Street was expecting Fortinet to report second quarter earnings of $0.87 a share on revenue of $744.14 million. For 2021, Fortinet is projecting revenue of $3.21 billion to $3.25 billion with non-GAAP earnings of $3.75 to $3.90 a share. For the third quarter, Fortinet is projecting revenue between $800 million and $815 million with non-GAAP earnings between $0.90 and $0.95 a share. In Q4, the company updated its FortiOS operating system with more than 300 new features including Zero Trust Network Access capabilities and tools to better secure networks and proliferating end points. Fortinet announced in March that it was investing $75 million in router maker Linksys as part of a “strategic alliance” aimed at securing work from home networks.

    Ahead of the earnings call, the company unveiled a new FortiGate 3500F Next-Generation Firewall that is designed to protect organizations with hybrid data centers against ransomware and other attacks. Fortinet CMO John Maddison added that Fortinet is also “redefining services by expanding its security services options — which currently include FortiCare and FortiGuard — with FortiTrust, enabling a unified offering with one licensing model for flexible consumption options across networks, endpoints, and clouds.”


  • Hackers have leaked the information they stole about the COVID-19 vaccines as part of a cyberattack targeting the European Union’s medical agency, the organisation has admitted.
    The attack against the European Medicines Agency (EMA) was first disclosed last month and now it has been determined that those behind the hack gained access to information about coronavirus medicines.
    “The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet. Necessary action is being taken by the law enforcement authorities,” the EMA said in a statement.


    “The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access,” the EMA added.
    The EMA’s work and the European medicines regulatory network are unaffected by the breach and the approval and distribution of COVID-19 vaccines hasn’t been disrupted.
    A previous update revealed that hackers gained access to the information by breaching one undisclosed IT application – and that the attackers were specifically targeting data related to COVID-19 medicines and vaccines. The investigation into the attack is currently still ongoing.

    It isn’t the first time pharmaceuticals firms and other organisations involved in COVID-19 vaccine development and distribution have been targeted by hackers. The UK’s National Cyber Security Centre (NCSC) has previously warned that universities and scientific facilities are being targeted by state-sponsored hacking groups attempting to gain access to research data.
    Microsoft has also issued a warning that state-sponsored hacking operations have been targeting coronavirus vaccine producers, while the World Health Organisation has also issued warnings over an increase in cyberattacks targeting health.


  • On Thursday, the Department of Homeland Security (DHS) released new rules for the US’s freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.


    DHS officials repeatedly said the new rules were made after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed them of legitimate threats facing the rail industry. The government agency has faced backlash this year from companies in a variety of industries — as well as senior Republican lawmakers — for cybersecurity rules that some have called onerous and unnecessary. In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young, Deb Fischer — all Republican leaders on the Committee on Commerce, Science and Transportation — slammed DHS’ use of emergency authority to push new rules for US railroad and airport systems, questioning whether they were “appropriate absent an immediate threat.”

    The Republican lawmakers said the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.” “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.” The senators additionally claimed that current practices are “working well.”

    When asked about the latest regulations handed down by TSA for the rail industry, many cybersecurity experts involved in the rail industry expressed concern about how the new rules would work in practice.

    Jake Williams, CTO at BreachQuest, told ZDNet that at a high level, the directives seem reasonable. But a closer look at the new rules raised questions about how CISA would handle the deluge of incident reporting that is now required. “Section B.2.b of the Enhancing Rail Cybersecurity directive mandates the reporting of the discovery of malicious software on any IT system within 24 hours of discovery. It is hard to imagine how TSA will benefit from knowing about every malicious software discovery on every IT system,” Williams said. “Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing. Even if railway operators were properly staffed to create these reports, the TSA will likely miss significant reports buried in the noise. The onerous reporting requirements will likely reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security.”

    Williams added that these policy language issues are typically discovered during the public comment period, which TSA chose to forego. “There are likely other significant issues in the two railway cybersecurity directives released by TSA without a public review period,” Williams noted. Ron Brash, vice president at ICS/OT software security firm aDolus Technology, echoed Williams’ concerns about the reporting requirements, explaining that most organizations lack the skill and resources to comply.


    “Currently, beyond the obvious attacks such as ransomware, the majority of organizations have trouble differentiating between accidental and malicious events. For example, a forklift may clip a utility pole, and a fibre optic run is severed — connectivity may degrade or come to a full halt. Legislation such as this may result in overzealous behaviors because coordinators may jump to immediately claiming everything is cyber-related if the clock is fiercely ticking away, or conversely potentially result in the opposite of the intended effect: organizations may avoid reporting and improving infrastructure visibility altogether,” Brash noted. “I hope neither occurs as that is counterproductive to the spirit of the objective and may discourage proactive action. If Biden’s XO for SBOMs and supply chain transparency overflow into rail and transportation, organizations will need accelerated security program growth and maturity yesterday. This is both a good thing and a bad thing because infrastructure resiliency certainly may increase, but bad because the overall amount of foundational catch up may lead to overanalysis paralysis or poor budget allocation.” He also said overly prescriptive approaches may result in too rigid of a structure and focus on the wrong elements, leading to a checkbox ticking exercise versus actual efforts to reduce cybersecurity risk.

    Amir Levintal, CEO of rail cybersecurity company Cylus, said the rail industry has made significant technological advances in the last decade, with digitization helping companies improve service, efficiency, comfort, communications, and more. But these efforts have also expanded the rail industry’s threat landscape for hackers, Levintal said.

    “The TSA’s new directives, which require railways to bolster their cybersecurity measures, come as a direct response to the innovations the rail industry has onboarded recently and the resulting threats, and these regulations — along with similar ones in the EU — will only evolve as new technologies continue to be adopted across the planet,” Levintal explained.

    Despite the concerns about the new reporting requirements, some experts said the rail industry’s cybersecurity risks outweighed worries about overzealous reporting. Coalfire vice president John Dickson said that the potential for disruption is high given existing supply chain bottlenecks and the nature of rail networks. He noted that one or two key rail lines service entire regions of North America that are vulnerable to disruption and might cripple the US economy like the Colonial Pipeline event almost did. “We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario. Ransomware specifically, and malware automation generally, has lowered the bar so significantly for attackers that DHS CISA should be concerned and is well served to push the industry more,” Dickson said. “The railroad industry, particularly the freight portion of the railroad industry, is generally not considered to be on the bleeding edge of cybersecurity. It’s doubtful that without a regulatory ‘nudge’ from the Federal government, they are likely to not increase their cybersecurity hygiene on their own accord.”

    Padraic O’Reilly, chief product officer of CyberSaint, called the new rules a “good and timely development” that is “long overdue” because the rail industry is a vulnerable piece of the US critical infrastructure. With the 24-hour reporting requirement as the baseline, the industry will be moved on to the right track, O’Reilly explained, adding that it was good that government agencies had consulted groups like the Association of American Railroads (AAR) before releasing the regulations.

    The AAR said they and other rail industry groups had been consulting with Secretary of Homeland Security Alejandro Mayorkas and the TSA since October to “revise provisions that would have posed challenges in implementation.” The group said that with the latest regulations, “a number of the industry’s most significant concerns have been addressed.” All Class I railroads and Amtrak, as well as many commuter and short line carriers, already have chief information security officers and cybersecurity leads who will serve as the required cybersecurity coordinators, according to the AAR. Many companies also conduct cybersecurity assessments on a recurring basis and have been reporting some cyber threats to CISA through AAR’s Railway Alert Network (RAN). “For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies. “Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”

Internet of Things

  • Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017


  • That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way


  • LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology


  • The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors


Artificial Intelligence

  • in Artificial Intelligence

    Contact-aware robot design

    19 July 2021, 04:00

  • in Artificial Intelligence

    MIT Schwarzman College of Computing awards named professorships to two faculty members

    16 July 2021, 15:45

  • in Artificial Intelligence

    Getting dressed with help from robots

    14 July 2021, 19:15

  • in Artificial Intelligence

    Software to accelerate R&D

    13 July 2021, 04:00

  • in Artificial Intelligence

    Sertac Karaman named director of the Laboratory for Information and Decision Systems

    12 July 2021, 16:00

  • in Artificial Intelligence

    The tenured engineers of 2021

    9 July 2021, 20:00

  • in Artificial Intelligence

    US Air Force pilots get an artificial intelligence assist with scheduling aircrews

    8 July 2021, 18:45

  • in Artificial Intelligence

    Infrared cameras and artificial intelligence provide insight into boiling

    7 July 2021, 20:15

  • in Artificial Intelligence

    Designing exploratory robots that collect data for marine scientists

    7 July 2021, 04:00

Robotics

  • in Robotics

    Roku vs. Fire Stick: I compared the best streaming devices in 2025, and this one wins

    27 November 2025, 01:35

  • in Robotics

    I won’t travel for work without this PC accessory – here’s why it’s worth the bag space

    27 November 2025, 01:24

  • in Robotics

    Roku or Fire TV stick? This $19 deal on Amazon made the decision easy for me

    27 November 2025, 01:23

  • in Robotics

    Verizon is giving away free iPhones, iPads, and Apple Watches – here’s how you can get them

    27 November 2025, 01:18

  • in Robotics

    Verizon customers may qualify for a free Samsung 4K TV for Black Friday – here’s how

    27 November 2025, 01:10

  • in Robotics

    Marshall’s boldest soundbar yet is the company’s first to tempt me away from Sonos

    27 November 2025, 01:00

  • in Robotics

    This sleeper hit Windows laptop was already a steal, but now it’s $500 off

    27 November 2025, 00:55

  • in Robotics

    Shop the best Costco deals for Black Friday 2025 right now

    27 November 2025, 00:52

  • in Robotics

    The 20+ best Black Friday headphones deals, hand-picked by an audio reviewer

    27 November 2025, 00:46

Networking

  • I found the best Apple Watch deals for Black Friday 2025

  • Black Friday TV deals are live now with massive sales: I’m tracking the top 40 sales live

  • Marshall’s boldest soundbar yet has me rethinking my entire Sonos setup

  • Make soft-serve ice cream at home with the Ninja Creami Swirl – down to the lowest price yet for Black Friday

  • Best early Black Friday phone deals 2025: I found 15 offers on iPhones, Pixel, Samsung, more

  • I used this free tool to see what data the internet has on me – and the results were disturbing

  • Own AirPods? I changed 3 settings on my iPhone to significantly improve the audio experience

Data Management & Statistics

  • Method prevents an AI model from being overconfident about wrong answers

  • Groundbreaking poverty alleviation project expands with new Arnold Ventures, J-PAL North America collaboration

  • Roadmap details how to improve exoplanet exploration using the JWST

  • Study: When allocating scarce resources with AI, randomization can improve fairness

  • AI model identifies certain breast tumor stages likely to progress to invasive cancer

  • How to assess a general-purpose AI model’s reliability before it’s deployed

  • Machine learning and the microscope

ABOUT

QUATIO, a web agency in Turin, currently consists of 28 thematic (vertical) online portals, which average about 2.300.000 pages per month per portal, each with an average visit time of 3:12 minutes, and offers about 2100 news items per day in total to readers on politics, economy, sports, gossip, entertainment, real estate, wellness, technology, ecology, society and many more topics.

technology-news.space is one of the portals of the network of:

Quatio di CAPASSO ROMANO - Web Agency di Torino
SEDE LEGALE: CORSO PESCHIERA, 211 - 10141 - ( TORINO )
P.IVA IT07957871218 - REA TO-1268614

ALL RIGHTS RESERVED © 2015 - 2025 | Developed by: Quatio


This portal is not a newspaper as it is updated without periodicity. It cannot be considered an editorial product pursuant to law n. 62 of 7.03.2001. The author of the portal is not responsible for the content of comments on posts or for the content of linked sites. Some texts or images included in this portal are taken from the internet and are therefore considered to be in the public domain; if their publication infringes copyright, please notify us promptly via e-mail and they will be removed immediately.
