More stories

  • Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed

    Microsoft has released 71 security fixes for software including an actively-exploited zero-day bug in Win32k. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public.

    Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser. The zero-day bugs are tracked as CVE-2021-40449, CVE-2021-41338, CVE-2021-40469, and CVE-2021-41335.

    CVE-2021-40449 is being actively exploited. Issued a CVSS severity score of 7.8, this vulnerability impacts the Win32K kernel driver. Boris Larin (oct0xor) with Kaspersky reported the flaw to Microsoft, and in a blog post published today, the cybersecurity firm said a cluster of activity, dubbed MysterySnail, is utilizing the use-after-free flaw.

    “Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities,” Kaspersky says.

    Immersive Labs’ Kevin Breen, Director of Cyber Threat Research, said that this issue “should definitely be a priority to patch.”

    “It’s noted as ‘exploitation detected’, meaning attackers are already using it against organizations to gain admin rights,” Breen commented. “Gaining this level of access on a compromised host is the first step towards becoming a domain admin — and securing full access to a network.”

    The three other zero-day vulnerabilities resolved in this round of patches are CVE-2021-41338 (CVSS 5.5), a Windows AppContainer Firewall bug that permits attackers to bypass security features; CVE-2021-40469 (CVSS 7.2), an RCE in Windows DNS Server; and CVE-2021-41335 (CVSS 7.8), an elevation of privilege bug in the Windows Kernel.

    Three critical bugs, CVE-2021-40486, CVE-2021-38672, and CVE-2021-40461, are also of note. The first security flaw impacts Microsoft Word, whereas the other two affect Hyper-V. If exploited, all of them can lead to remote code execution.

    According to the Zero Day Initiative (ZDI), 11 of the security flaws patched this month were submitted through the ZDI program, including bugs resolved earlier in the month by the Edge browser team.

    Last month, Microsoft resolved over 60 bugs in the September batch of security fixes, including an RCE flaw in MSHTML and a Windows DNS privilege escalation zero-day vulnerability. A month prior, the tech giant tackled 45 security flaws — seven of which were deemed critical — during the August Patch Tuesday.

    In other Microsoft news, the tech giant is readying a new Feedback Portal, expected to be ready in preview mode by the end of 2021. The portal will be opened first for Microsoft 365 and Microsoft Edge products. The Redmond giant has also recently warned of password spraying attacks being launched against Office 365 customers. Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates.

  • 1Password unveils secure sharing tool for passwords, secrets

    1Password announced the release of a new feature that allows users to securely send items to anyone, including non-1Password users. Named “Psst!” after ‘Password Secure Sharing Tool,’ the feature was built in response to studies showing that people increasingly have no choice but to share private information or secrets through insecure platforms like email, chat services, spreadsheets and texts. 1Password CEO Jeff Shiner told ZDNet that users have frequently requested functions that allow them to send passwords or other secret content to non-1Password users. Akshay Bhargava, the company’s chief product officer, said that at its core the feature competes with the simple impulse to copy and paste sensitive information into an insecure channel. Hence, 1Password focused on creating something easy and simple to use. “It’s kind of a universal problem. Historically what’s happened is that to share those things, often people resort to bad security hygiene. We wanted to provide a really secure, simple, easy way to share with everyone regardless of if you have 1Password installed or not,” Shiner said. A recent study produced by 1Password found that 64% of respondents reused corporate credentials, API tokens, keys and certificates between projects. Other surveys show 76% of families share passwords by writing them down or sending them through text. Bhargava explained that users can share items through a unique link that they can customize depending on their needs. Some links can be made to last for hours, while others can be set to be available for up to 30 days.

    The links automatically expire, and users can limit who is able to view whatever is inside the link by forcing the person to verify their email address.

    Chris Harris, director of data services at IT services company InfoStructure, vouched for the service, noting that he and his colleagues have to share lots of passwords with vendors and customers. The lack of a secure solution for this endangers both sides of the exchange. A number of other companies expressed frustration with the same issue and said they planned to use the 1Password tool for passwords and other business. The announcement was made alongside news that 1Password has more than 100,000 business customers. “Crossing the 100,000 business customers mark is a clear indication that businesses understand the need to safeguard their passwords and other sensitive information online,” Shiner said.

  • Biden signs school cybersecurity act into law

    Biden signs the act into law. 
    Cybersecurity experts hailed the K-12 Cybersecurity Act this week after US President Joe Biden signed it into law on October 8, officially kicking off efforts by CISA to examine the cybersecurity risks associated with K-12 educational institutions.

    The law, which became one of the rare bills to pass in both the House and Senate, instructs CISA to examine the threats facing the nation’s schools and then provide recommendations as well as toolkits to educators on cybersecurity hygiene. There have been hundreds of cyberattacks against schools over the last few years as cybercriminals seek out sensitive student and employee records. The problem has gotten even worse since remote learning became the dominant mode of operation during the COVID-19 pandemic. Schools now face a barrage of ransomware attacks alongside other incidents that leak critical data from students and administrators alike.

    “This law highlights the significance of protecting the sensitive information maintained by schools across the country, and my Administration looks forward to providing important tools and guidance to help secure our school’s information systems,” Biden said while signing the law. “The global pandemic has impacted an entire generation of students and educators and underscores the importance of safeguarding their sensitive information, as well as for all Americans. This law is an important step forward to meeting the continuing threat posed by criminals, malicious actors, and adversaries in cyberspace. My Administration is marshalling a whole-of-nation effort to confront cyber threats.”

    The bill was originally introduced by US Senator Gary Peters and co-sponsored by Senators Jacky Rosen, Rick Scott and Bill Cassidy in 2019.

    Rosen noted that she supported the bill after her state’s Clark County School District was hit with a ransomware attack last year. Rosen said schools in Nevada and across the country are increasingly becoming targets for ransomware and other cyberattacks, risking the personal information of students, faculty, and staff. “I’m proud to see this bipartisan legislation that I co-sponsored signed into law, and I know that the K-12 Cybersecurity Act will help school systems like the Clark County School District prevent debilitating ransomware attacks and have the tools and resources to combat cyber threats,” Rosen said.

    Experts said that while the bill seems relatively simple, it will be a major help to school districts that are often overburdened and lack the technical staff to manage a widening array of cybersecurity threats. Michael Webb, CTO at education security platform Identity Automation, said the law will be a catalyst for the changes that have already begun as a result of districts being threatened daily by malicious actors. Any amount of help is welcome to districts struggling to upgrade their cybersecurity strategy, Webb added.

    “The law will be effective at two things: raising awareness of the need to protect students online and offering guidance on how to do so. Making it happen? That’s the hard part. Most districts lack the capability of managing digital identities, which is the cornerstone of a strong cybersecurity posture today,” Webb said. “The acknowledgement of tools is an interesting one. What those tools are and how effective they will be is unknown. For example, you can use a free online tool today to find out whether your password has been exposed on the dark web, but how quickly do you take steps to find out, and how quickly do you change your password? It’s going to be almost a year before districts have something tangible to help them improve their cybersecurity approach.”

    Others noted that the initiatives would help funding-strapped schools that are unable to hire cybersecurity teams. Untangle senior vice president Heather Paunet said few educational institutions have a deep enough understanding of how to go about protecting themselves, and having official guidelines and laws such as this one will help strengthen security as a priority in a standardized way across the country. She noted that cyberattackers are demanding higher sums, and some schools have been forced to close while dealing with an attack.

    But Netenrich threat hunter John Bambenek explained that many local government units, especially schools, simply don’t have money to spare. “While studying the risks and creating free resources and guides is a good first step, the reality is that smaller and poorer districts won’t be able to implement much of what is in the guide CISA will create, assuming they have any staff that can read and understand it in the first place,” Bambenek said. “This law is a good first step, but it cannot, and must not, be the last step.”

  • Oracle joins multi-cloud security notification project

    Oracle is joining the Cloud Security Notification Framework project (CSNF), an initiative looking to develop a standardized framework for dealing with cloud security issues in enterprise environments, which often use a variety of different cloud services. That reliance on multiple providers can make keeping up with and reacting to security notifications and alerts difficult, because many cloud service providers have their own systems set up for security reporting. The disparate nature can make managing cloud security difficult for businesses – particularly following the growth in the use of cloud services over the past 18 months. 


    As more organisations shift services towards the cloud, more are adopting a multi-cloud strategy. While this provides benefits, it also brings challenges: a rise in the number of alerts from different services and additional cybersecurity burdens. This is why CSNF is establishing a common information model, so alerts can be processed at scale while also ensuring the security of services.

    Established by ONUG – a collaborative body with the aim of identifying and providing cross-industry solutions to enterprise issues such as cybersecurity and data protection – the Cloud Security Notification Framework project was set up to help fix this problem. Major cloud providers Microsoft, Google and IBM were all already members of the scheme, and now they’ve been joined by Oracle Cloud. “Multi-cloud is rapidly evolving from an accidental to a purposeful strategy for most organizations,” said Bala Chandran, vice president of software and general manager of security products at Oracle. “I am excited to be joining the ONUG steering committee to help define standards that make cloud security simple and integrated for customers across their cloud platforms.”

    In addition to Oracle, Sysdig, Wiz, Intuit, Adobe, Qualys and F5 have joined the collaboration to work alongside cloud consumers, such as FedEx, Cigna, Raytheon Technologies, Fidelity, Goldman Sachs, and Kaiser, and cloud service providers, including Microsoft Azure, Google Cloud and IBM. Nick Lippis, co-founder and co-chairman of ONUG, said: “As more prominent industry players join the community, we are making even greater progress in creating an open-source standard to reduce the wall of worry that comes from increasing security alerts in multi-cloud environments.”

  • Google announces Workspace updates, Jira integration, encryption and file classification features

    At Next ’21 this year, Google announced a new Jira integration for Google Chat and Spaces alongside other improvements to Workspace.


    Google said it decided to invest in the underlying platform after seeing 4.8 billion apps installed in Google Workspace and more than 5,300 public apps in the Google Workspace Marketplace.

    “Developers have been able to build applications that integrate with Gmail, Drive, and Docs for years. And today, we’re announcing significant enhancements to the Google Workspace platform by making it just as easy for developers to build applications and integrate with Google Meet, Chat and Spaces,” Google explained.

    The Jira integration allows users to create new tickets quickly, see actionable previews and monitor issues as they come into the space they’re already using for collaboration. Joff Redfern, chief product officer at Atlassian, explained that modern work requires people to switch contexts and tools faster than ever before. “We believe an open ecosystem and tight integrations among the tools that users rely on every day is vital to their success. Since 2017, our Trello integration with Gmail has been installed by more than 7 million people,” Redfern said. “Today, we are excited to build on the partnership between Atlassian and Google to propel work collaboration further with the integration of Jira with Google Chat and Spaces.”

    Google also released a no-code development platform, AppSheet, with which it wants to promote “collaboration equity.” The tool allows any team member to access certain documents and collaborate instantly with team members who are not in the field. The tool was built with frontline workers in mind, according to Google. “This new integration allows anyone — regardless of their coding experience — to reclaim time with custom, no-code apps and automations. Budgets and vacation requests can be approved, inventories and asset management systems can be updated, and much more — all with AppSheet and directly from your inbox,” Google explained.

    Client-side encryption (CSE) will also now be available to Google Meet users, after the feature was unveiled for Drive, Docs, Sheets, and Slides users in June. Google is also announcing the beta of its Key Access Service Public APIs, which helps organizations manage their encryption keys. Data Loss Prevention (DLP) for Chat is also in beta right now.

    Google users will now be able to mark certain files under different classifications depending on their sensitivity level. The labels allow Drive users to classify documents and make it easier to manage whether a document can be downloaded, shared or printed. Other protections against abusive content and behavior are also among the announcements released on Tuesday. “If a user opens a file that we think is suspicious or dangerous, we’ll display a warning to the user to help protect them and their organization from malware, phishing, and ransomware. This functionality is now available in Google Docs and will be rolling out soon for Google Sheets and Slides,” Google said.

  • Google unveils new security programs, 'Cybersecurity Action Team' and partnerships with CrowdStrike, Palo Alto

    Google announced the creation of a new security program and a group called the Google Cybersecurity Action Team as a way to offer organizations and regular users more robust cybersecurity protection.


    The Work Safer tool was built to provide a secure way for teams to communicate through email, meetings, messages, documents, and more. At Next ’21, the company said it melds Google’s cloud-native, zero-trust tools within Workspace with cybersecurity platforms from CrowdStrike and Palo Alto Networks.

    The Google Cybersecurity Action Team will bring together experts from across Google to help provide assistance to government entities, critical infrastructure and businesses. Phil Venables, CISO at Google Cloud and founder of the Google Cybersecurity Action Team, said their customers need a consistent approach to preparing for and defending against cybersecurity threats. “Our comprehensive suite of security solutions delivered through our platform and amplified by the Google Cybersecurity Action Team will help protect organizations against adverse cyber events with capabilities that address industry frameworks and standards,” Venables said.

    Google designed both initiatives with the understanding that many small and medium-sized businesses still use legacy hardware and need help securing tools that are often nearing the end of their useful life.

    They also acknowledged that most companies are short-staffed and need assistance managing increasingly complicated technology, particularly now that many people work remotely. “For customers who want secure devices, Work Safer includes Pixel phones managed with Android Enterprise, Chrome Enterprise Upgrade, and HP Chromebooks. Customers can also leverage Google’s Titan Security Keys for account protection, reCAPTCHA Enterprise for website fraud prevention, Chronicle for security analytics, and a variety of migration services for a seamless transition,” Google explained. CrowdStrike and Palo Alto Networks will provide endpoint protection and network protection, respectively.

    “As daily headlines attest, threats are increasing, and vulnerabilities in older communication and collaboration systems continue to be exploited,” said Sunil Potti, vice president and general manager of Google Cloud Security. “Legacy productivity tools designed in the PC era were not architected for the new reality of real-time collaboration across a hybrid, highly-distributed and mobile-first workforce. With Work Safer, every small business, enterprise, and public sector institution can have access to the cutting edge security protections to make hybrid work safer.”

    CrowdStrike CEO George Kurtz said businesses are in a cybersecurity arms race against adversaries and noted that the partnership with Google is centered on delivering “defense-in-depth, cloud-first security” that allows users to identify and remediate threats before they turn into attacks. He said pairing the CrowdStrike Falcon platform — which leverages cloud-scale AI for real-time protection and visibility — with Google Workspace’s architecture provides a natural fit for any organization implementing Zero Trust.

    The Google Cybersecurity Action Team will be providing blueprints, customer and engineering solutions, and programs for deploying Google technologies like those offered with Work Safer to help solve organizations’ most pressing security challenges. The team will offer organizations specific security strategies, workshops and educational content to help train their workers on how to stay safe. They will also provide threat briefings, preparedness drills, incident support and rapid response engagements alongside help with regulatory requirements. CISA Director Jen Easterly said it was good to see a large company like Google Cloud orient itself to support all organizations’ cybersecurity through its Cybersecurity Action Team and noted that Google will be part of the recently-created Joint Cyber Defense Collaborative.

    “Cybersecurity is at the top of every C-level and board agenda, given the increasing prominence of software supply chain exploits, ransomware, and other attacks. To address these unprecedented security challenges facing organizations in every industry today, we are announcing the creation of the Google Cybersecurity Action Team,” said Thomas Kurian, CEO of Google Cloud. “The Google Cybersecurity Action Team is part of our ongoing commitment to be the best partner for our enterprise and government customers along their security transformation journey.” Government entities and infrastructure organizations have faced a barrage of attacks in recent years, including incidents involving USAID, Colonial Pipeline and dozens of government agencies through the SolarWinds issue.

  • Google Cloud joins forces with Cybereason for XDR platform

    Cybersecurity company Cybereason is partnering with Google Cloud on an effort to provide Extended Detection and Response (XDR) tools to organizations looking for protection of their endpoints, networks, clouds and workspaces.


    The companies explained that Google Cloud’s Chronicle cybersecurity analytics platform “ingests, normalizes, and analyzes petabytes of data from the complete IT environment on planetary-scale infrastructure.” Cybereason claims it examines 23 trillion security-related events per week and said the combination of their work with Google Cloud’s tool “automates prevention for common attacks, guides analysts through security operations and incident response and enables threat hunting with precision at a pace never before achieved.”

    Thomas Kurian, CEO of Google Cloud, said Cybereason “continues to disrupt the market and deliver on their vision for a future-ready extended detection and response defense platform.”

    “Google Cloud is dedicated to delivering the industry’s most trusted cloud to accelerate customers’ digital transformation efforts with security products that meet them wherever they are,” Kurian said. “We’re excited to partner with Cybereason to help customers quickly secure their hybrid and cloud environments with the combined capabilities of Google Cloud and Cybereason’s XDR services.”

    Yonatan Striem-Amit, Cybereason’s CTO, told ZDNet that Google Cloud and Cybereason connected over an initiative to create a “truly open” XDR set of offerings. He specifically cited Cybereason’s MalOp Engine, which is a patented tool that examines the “full attack story across every device, user identity, application and cloud deployment.”

    Striem-Amit said the first focus of the company is to drive innovation in the XDR space, noting that the ability to transform security data into threat prediction and incident response guidance is necessary. The tool is different from other XDR solutions on the market, according to Striem-Amit, because most XDR solutions “are little more than a single console which displays individual alerts from multiple sources.”

    “Cybereason and Google Cloud relentlessly focus on ending ‘malicious operations.’ By bringing Cybereason’s MalOp Engine with Google Cloud’s log analytics capabilities, we provide customers with a holistic view of the entire attack chain, prevention of the threat regardless of what system it is running on, and single-click response across the entire IT stack on computers, networks, cloud infrastructure, identity, and SaaS solutions. The combined technology becomes easy to deploy within minutes,” Striem-Amit said. “Many organizations are looking at XDR to provide meaningful incident response to fight ransomware, identity, and business email compromise. Most of today’s offerings are siloed, expensive, and fail to catch threats.”

    According to the company, the Cybereason Defense Platform combines AI-powered detection and response (EDR and XDR), next-gen antivirus (NGAV), Anti-Ransomware Protection and other tools.

  • Microsoft warns over password attacks against these Office 365 customers

    Microsoft says 250 Office 365 customers in the US and Israeli defense technology sector have been targeted with ‘password-spraying’ attacks, where attackers try to access many accounts with commonly used passwords. The technique relies on people using variations of common passwords. The password attacks focussed on critical infrastructure companies operating in the Persian Gulf and were carried out by a group Microsoft is tracking as DEV-0343 – most likely a new group from Iran.  

    The ‘DEV’ tag indicates that the group is not a confirmed state-sponsored attack group, but it could become one eventually.

    The Microsoft Threat Intelligence Center (MSTIC) said it had observed DEV-0343 “conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” Microsoft said “less than 20” of the targeted tenants were successfully compromised. The risk of compromise from password-spraying attacks is significantly reduced for organizations that roll out multi-factor authentication.

    The hacking group targeted companies that support US, European Union and Israeli organizations producing military radars, drones, satellite systems, and emergency response communication systems, as well as geographic information systems (GIS), spatial analytics, Persian Gulf ports, and maritime and cargo transportation companies in the region.

    “Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” Microsoft said.

    Microsoft last week raised a red flag over Russian state-sponsored hacking, labelling Russia’s intelligence hackers the most active cyber threat in the world. Not only are Kremlin-backed hackers more prolific, they’re also increasingly effective, according to Microsoft. It also flagged a significant uptick in Iranian hacks against Israeli organizations. “This year marked a near quadrupling in the targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries,” Microsoft noted in its latest Digital Defense Report.

    Its latest warning to US and Israeli organizations operating in the Middle East says they should be on the lookout for suspicious Tor connections to their networks.

    “DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” Microsoft warned in a blog post.

    DEV-0343 frequently targets the Exchange endpoints, including Autodiscover and ActiveSync, with password-spraying attacks. This allows DEV-0343 to validate active accounts and passwords, and further refine its password-spray activity, Microsoft said.

    Microsoft’s primary recommended defense is enabling multi-factor authentication, since this should block remote access to accounts with compromised credentials. It also recommends that admins check and enforce Exchange Online access policies and block all incoming traffic coming from services like the Tor network.
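    As an added defensive example (not code from Microsoft’s post or from ZDNet), the Python below scores sign-in records against the DEV-0343 traits listed above: many accounts with mostly failed attempts, a Tor exit as the source, a uniform Firefox user agent, Exchange Autodiscover/ActiveSync endpoints, and the Sunday-to-Thursday 04:00-17:00 UTC window. The log field names, thresholds and Tor exit list are assumptions constructed for the example, not a real schema or feed.

```python
"""Heuristic password-spray detector modelled on the DEV-0343 tradecraft.

Flags source IPs that hit many accounts with mostly failed sign-ins, then
records which of the reported DEV-0343 indicators also match. The log schema,
thresholds and Tor exit list are assumptions made for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Tor exit list (RFC 5737 documentation addresses), not a real feed.
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.23", "203.0.113.44"}
# Exchange endpoints named in Microsoft's post as frequent spray targets.
EXCHANGE_ENDPOINTS = {"autodiscover", "activesync"}
# Reported operating window: Sunday-Thursday, 04:00-17:00 UTC.
ACTIVE_DAYS = {6, 0, 1, 2, 3}          # datetime.weekday(): Mon=0 ... Sun=6
ACTIVE_HOURS = range(4, 17)

MIN_DISTINCT_USERS = 5                 # a spray touches many accounts ...
MIN_FAILURE_RATIO = 0.8                # ... and almost every guess fails

# Constructed sample sign-in records (JSON lines); field names are assumed.
SAMPLE_LOG = """
{"ts":"2021-10-10T05:12:01Z","ip":"198.51.100.7","user":"a.smith@example.com","endpoint":"autodiscover","ua":"Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0","result":"failure"}
{"ts":"2021-10-10T05:12:09Z","ip":"198.51.100.7","user":"b.jones@example.com","endpoint":"autodiscover","ua":"Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0","result":"failure"}
{"ts":"2021-10-10T05:12:17Z","ip":"198.51.100.7","user":"c.lee@example.com","endpoint":"activesync","ua":"Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0","result":"failure"}
{"ts":"2021-10-10T05:12:25Z","ip":"198.51.100.7","user":"d.khan@example.com","endpoint":"activesync","ua":"Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0","result":"failure"}
{"ts":"2021-10-10T05:12:33Z","ip":"198.51.100.7","user":"e.ortiz@example.com","endpoint":"autodiscover","ua":"Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0","result":"failure"}
{"ts":"2021-10-10T05:12:41Z","ip":"198.51.100.7","user":"f.wu@example.com","endpoint":"autodiscover","ua":"Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0","result":"success"}
{"ts":"2021-10-10T05:20:00Z","ip":"192.0.2.10","user":"a.smith@example.com","endpoint":"owa","ua":"Mozilla/5.0 (Windows NT 10.0) Edge/94.0","result":"failure"}
{"ts":"2021-10-10T05:20:30Z","ip":"192.0.2.10","user":"a.smith@example.com","endpoint":"owa","ua":"Mozilla/5.0 (Windows NT 10.0) Edge/94.0","result":"success"}
"""


def in_active_window(ts: str) -> bool:
    """True if an ISO-8601 UTC timestamp falls inside the reported working hours."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.weekday() in ACTIVE_DAYS and dt.hour in ACTIVE_HOURS


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_spray(events: list) -> dict:
    """Group sign-ins by source IP and return an alert per spray-like source.

    Each alert carries counts plus the matched DEV-0343 indicators. A success
    amid the failures is called out: that is the account to reset, and the
    sign-in MFA would have blocked.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        failures = sum(e["result"] == "failure" for e in evs)
        if len(users) < MIN_DISTINCT_USERS or failures / len(evs) < MIN_FAILURE_RATIO:
            continue                   # single-user lockouts and normal NATs drop out here
        indicators = ["many accounts, mostly failures"]
        if ip in TOR_EXIT_IPS:
            indicators.append("source is a Tor exit")
        if all("Firefox/" in e["ua"] for e in evs):
            indicators.append("uniform Firefox user agent")
        if {e["endpoint"] for e in evs} <= EXCHANGE_ENDPOINTS:
            indicators.append("Exchange Autodiscover/ActiveSync only")
        if all(in_active_window(e["ts"]) for e in evs):
            indicators.append("inside Sun-Thu 04:00-17:00 UTC window")
        if failures < len(evs):
            indicators.append("at least one success: possible compromise")
        alerts[ip] = {"users": len(users), "attempts": len(evs),
                      "failures": failures, "indicators": indicators}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

    Against the constructed sample, only the Tor source is reported, with all five indicators and the one successful sign-in flagged for follow-up; the single-user failure from the corporate address is ignored.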