Risky Business #800 Summary: The SharePoint Bug May Have Leaked from Microsoft MAPP
Introduction
In the 800th episode of Risky Business, host Patrick Gray delves into a range of pressing information security issues, from significant data breaches to intricate cyberattacks impacting major organizations worldwide. The episode features an insightful discussion with Adam Boileau and concludes with an in-depth sponsor interview with Dan Cuthbert from Push Security.
1. SharePoint Bug Leak and Potential Microsoft MAP Involvement
Patrick Gray opens the episode with a brewing scandal around a SharePoint vulnerability. The bug was first demonstrated by a Vietnamese researcher at the Pwn2Own competition in Berlin and handed to Microsoft for patching. Roughly 60 days later Microsoft shipped a fix, having shared details of the vulnerability in advance with the security vendors in its Microsoft Active Protections Program (MAPP), the channel Microsoft uses to give partners a head start on detections before Patch Tuesday.
Adam Boileau elaborates on the situation:
"[01:59] Adam Boileau: ... Microsoft said they're investigating whether or not these facts are related. But, you know, the glove does fit a little bit as."
Exploitation in the wild was observed suspiciously close to the patch release and to MAPP's pre-release disclosure window. Chinese companies that participate in MAPP are now under scrutiny over whether early access to the vulnerability details let them build and deploy an exploit before most customers could patch. The campaign has reportedly compromised more than 400 organizations, including the U.S. Department of Energy's National Nuclear Security Administration, raising obvious national security concerns.
Adam argues that the timeline is feasible for a team working from the patch itself:
"[03:05] Adam Boileau: ... finding the bug if you'd seen the patch and then turning it into an exploit probably is feasible within the timeframe we're talking about."
Patrick weighs the competing explanations:
"[03:47] Patrick Gray: ... it feels like kind of the more realistic scenario."
2. Expel's FIDO U2F Bypass Claim Reversed
The podcast revisits a previous discussion of Expel's claim that attackers had bypassed FIDO U2F authentication via a cross-device sign-in method. Adam clarifies that the claim has been withdrawn:
"[07:52] Adam Boileau: ... they misread the logs. They've now published a mea culpa blog post."
This correction underscores the importance of verifying security claims and the challenges of interpreting cloud service logs accurately.
3. Tea App Data Breach Exposes Sensitive User Information
Patrick shifts focus to the Tea app, designed for women's safety by allowing users to research and report concerning behavior in men. A major breach exposed user verification data, including selfies and ID photos, followed by a subsequent leak of private user messages. These breaches were exploited on platforms like 4chan, leading to harassment and misinformation.
Adam highlights the severity:
"[13:34] Adam Boileau: ... there are basic things like that that ideally you should do before you launch something like this."
The breach emphasizes the critical need for robust security measures, especially in applications handling sensitive personal data.
4. NSA General Counsel April Falcon Doss Fired Amidst Political Pressure
The episode covers the firing of April Falcon Doss, the NSA's general counsel, reportedly due to pressure from the far-right activist Laura Loomer. Adam takes the long view:
"[16:48] Adam Boileau: ... when they review this in, you know, five, 10 years time, when the U.S. comes out of this mad phase."
This incident reflects the intertwining of cybersecurity leadership with political dynamics, raising questions about the stability and decision-making processes within federal agencies.
5. Mandiant’s Insight into Scattered Spider’s VMware Exploits
Discussing research from Mandiant, Adam and Patrick walk through how the Scattered Spider group goes after VMware vSphere environments. Rather than fighting endpoint controls inside Windows, the group works from the hypervisor: it detaches a domain controller's virtual disk, attaches it to a virtual machine it controls, and copies the Active Directory database (NTDS.dit) offline to extract credentials, albeit with some technical missteps along the way.
"[19:11] Adam Boileau: ... it's kind of funny because in the end it just works. And as we often say on the show, it's really not dumb if it works."
Their approach shows that what matters to an attacker is whether a technique works, not whether it is elegant. It also means the EDR running inside the guest never sees the theft, so detection has to come from vCenter and ESXi telemetry rather than from the domain controller itself.
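As an added illustration (not from the episode or from Mandiant's report), here is a small detection routine for the disk-swap step: it scans vCenter-style reconfiguration events for a virtual disk being attached to a VM from another VM's datastore folder, and escalates when the source is a domain controller that was powered off shortly beforehand. The event records are constructed for the example, and their field names (eventType, deviceChange, backing) are assumptions loosely modelled on vCenter's VmReconfiguredEvent rather than an exact export format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real vCenter output): a DC is powered off,
# then its VMDK is attached to an unrelated VM by the same account. The
# other two records are routine changes that must not fire.
SAMPLE_EVENTS = [
    {"eventType": "VmPoweredOffEvent", "vm": "DC01",
     "user": "VSPHERE.LOCAL\\svc_backup", "time": "2025-07-20T02:11:04Z"},
    {"eventType": "VmReconfiguredEvent", "vm": "jumpbox-tmp",
     "user": "VSPHERE.LOCAL\\svc_backup", "time": "2025-07-20T02:14:30Z",
     "deviceChange": [{"operation": "add", "deviceType": "VirtualDisk",
                       "backing": "[datastore1] DC01/DC01.vmdk"}]},
    {"eventType": "VmReconfiguredEvent", "vm": "web02",
     "user": "VSPHERE.LOCAL\\ops", "time": "2025-07-20T03:00:00Z",
     "deviceChange": [{"operation": "add", "deviceType": "VirtualDisk",
                       "backing": "[datastore1] web02/web02_1.vmdk"}]},
    {"eventType": "VmReconfiguredEvent", "vm": "app01",
     "user": "VSPHERE.LOCAL\\ops", "time": "2025-07-20T03:05:00Z",
     "deviceChange": [{"operation": "add", "deviceType": "VirtualCdrom",
                       "backing": "[iso] tools/vmtools.iso"}]},
]

# Assumed inventory of DC names; in practice pull this from AD or a CMDB.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
POWEROFF_WINDOW = timedelta(minutes=30)

# "[datastore] <folder>/<file>.vmdk": the folder is normally the owning VM.
BACKING_RE = re.compile(
    r"^\[(?P<ds>[^\]]+)\]\s*(?P<folder>[^/]+)/(?P<file>[^/]+\.vmdk)$")


@dataclass
class Finding:
    severity: str
    vm: str          # VM that received the foreign disk
    source_vm: str   # VM whose folder the disk came from
    user: str
    reason: str


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def backing_owner(backing: str):
    """Return the VM folder a VMDK backing path lives in, or None."""
    match = BACKING_RE.match(backing)
    return match.group("folder") if match else None


def analyze(events):
    findings = []
    recent_poweroffs = {}  # vm name -> (time, user) of its last power-off
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["eventType"] == "VmPoweredOffEvent":
            recent_poweroffs[ev["vm"]] = (_ts(ev["time"]), ev["user"])
            continue
        if ev["eventType"] != "VmReconfiguredEvent":
            continue
        for change in ev.get("deviceChange", []):
            if (change.get("operation") != "add"
                    or change.get("deviceType") != "VirtualDisk"):
                continue
            owner = backing_owner(change["backing"])
            if owner is None or owner == ev["vm"]:
                continue  # disk lives in the VM's own folder: normal growth
            severity = "medium"
            reason = f"disk from {owner} attached to {ev['vm']}"
            if owner in DOMAIN_CONTROLLERS:
                severity = "high"
                reason = f"domain controller disk from {owner} attached to {ev['vm']}"
                poweroff = recent_poweroffs.get(owner)
                if poweroff and _ts(ev["time"]) - poweroff[0] <= POWEROFF_WINDOW:
                    minutes = int((_ts(ev["time"]) - poweroff[0]).total_seconds() // 60)
                    severity = "critical"
                    reason += f"; {owner} was powered off {minutes} minutes earlier"
            findings.append(Finding(severity, ev["vm"], owner, ev["user"], reason))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The power-off correlation matters because a running DC holds its disk open; the offline copy requires the guest to be shut down first, so "DC powered off, then its VMDK appears on another VM" is the sequence to alert on, not either event alone.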
6. VMware Patching Issues Under Broadcom’s Stewardship
Patrick addresses ongoing frustrations with Broadcom’s handling of VMware patches. Customers with perpetual licenses are experiencing delays in receiving security updates, leaving systems vulnerable.
"[22:05] Adam Boileau: ... it's extremely not good by Broadcom."
This situation highlights the challenges organizations face in maintaining security amidst vendor limitations and the critical importance of timely patch management.
7. Aeroflot and Minnesota Targeted by Cyber Partisans and Unknown Attackers
Aeroflot, Russia's largest airline, was hit by an attack claimed by the Belarusian Cyber Partisans and Silent Crow, leading to flight cancellations and data exfiltration. Separately, the city of St. Paul, Minnesota, had its systems compromised by as-yet unidentified attackers, prompting the activation of the state's National Guard cyber unit.
"[26:31] Adam Boileau: ... maybe, maybe I will be wrong. I hope I'm wrong. I'm not wrong."
These incidents illustrate the escalating threat landscape targeting both aviation and municipal infrastructures, emphasizing the need for robust defensive measures.
8. Post Luxembourg's Telecom Services Disrupted by Pro-Russian Hackers
Post Luxembourg suffered a significant outage attributed to pro-Russian hacker groups, affecting emergency services and communications. Services were restored, but the incident shows how exposed essential services remain to disruptive attacks.
9. Clorox Sues Cognizant Over Security Failures Facilitating Scattered Spider Attack
A legal battle ensues as Clorox sues Cognizant for negligence, alleging that inadequate security measures at Cognizant allowed Scattered Spider to compromise Clorox's systems, resulting in substantial damages.
"[31:34] Adam Boileau: ... Enterprise Security is to deal with that inevitable failure."
The case underscores the complexities of accountability in outsourced cybersecurity services and the imperative for clear contractual security obligations.
10. Critical Cisco Identity Services Engine (ISE) Vulnerability
Patrick and Adam discuss a severe vulnerability in Cisco's Identity Services Engine (ISE), where an API endpoint executes Python code that it receives in the body of a POST request. The result is arbitrary code execution on an appliance that sits at the heart of network authentication and access control.
"[33:19] Adam Boileau: ... post Python to it and away she goes."
This vulnerability is a reminder that an API must treat request bodies as data to be validated, never as code to be run, and that the cost of getting this wrong is highest in the infrastructure everything else trusts.
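The flaw class is an endpoint that treats its request body as a program. The following added example (generic Python, not Cisco's code and not a reproduction of the ISE bug) puts the anti-pattern beside an allowlisted dispatcher that accepts only named actions with typed arguments. The handler names, the action table and the request bodies are all constructed for the illustration.

```python
import json

# Constructed stand-in for state a management API legitimately controls.
NODE_STATE = {"maintenance": False}


def vulnerable_handle(body: bytes) -> dict:
    """Anti-pattern: the POST body is treated as Python source and executed.
    Anyone who can reach the endpoint runs code with the service's privileges."""
    scope = {"state": NODE_STATE}
    exec(body.decode("utf-8"), scope)  # attacker-controlled source text
    return {"ok": True, "state": dict(NODE_STATE)}


class BadRequest(ValueError):
    """Raised for any request that is not exactly one allowlisted action."""


def set_maintenance(enabled: bool) -> dict:
    NODE_STATE["maintenance"] = enabled
    return {"ok": True, "state": dict(NODE_STATE)}


# Allowlist: action name -> (implementation, required argument types).
# Nothing outside this table is reachable from a request body.
ACTIONS = {
    "set_maintenance": (set_maintenance, {"enabled": bool}),
}


def hardened_handle(body: bytes) -> dict:
    """Parse the body as data, not code, and dispatch only to named actions."""
    try:
        req = json.loads(body)
    except ValueError as exc:
        raise BadRequest("body must be a JSON object") from exc
    if not isinstance(req, dict):
        raise BadRequest("body must be a JSON object")
    action = req.get("action")
    if action not in ACTIONS:
        raise BadRequest(f"unknown action {action!r}")
    impl, arg_types = ACTIONS[action]
    args = req.get("args")
    if not isinstance(args, dict) or set(args) != set(arg_types):
        raise BadRequest("args must contain exactly the required keys")
    for name, expected in arg_types.items():
        # `type(...) is` rather than isinstance: bool is a subclass of int,
        # and 1 or "true" must not be silently accepted as a flag.
        if type(args[name]) is not expected:
            raise BadRequest(f"argument {name!r} must be {expected.__name__}")
    return impl(**args)


# Constructed request bodies for the demonstration.
EXPLOIT_BODY = b'import platform\nstate["pwned"] = platform.node()\n'
LEGIT_BODY = b'{"action": "set_maintenance", "args": {"enabled": true}}'


if __name__ == "__main__":
    print(vulnerable_handle(EXPLOIT_BODY))  # arbitrary code ran
    print(hardened_handle(LEGIT_BODY))      # only the allowlisted action ran
    try:
        hardened_handle(EXPLOIT_BODY)
    except BadRequest as exc:
        print("rejected:", exc)
```

The hardened version never looks up a function by a name the client supplied and never relaxes the argument check to "looks roughly right"; every request either maps to one row of the table with exactly the declared arguments, or is rejected before any action code runs.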
11. Arrest of Woman Operating North Korean Laptop Farm Highlighting Operational Security Failures
A woman from Arizona was sentenced to eight and a half years for running a laptop farm aiding North Korea, inadvertently revealing her criminal activities through a TikTok video showcasing her setup.
"[36:58] Adam Boileau: Maybe don't post."
This case highlights the importance of maintaining strict operational security to avoid unintentional exposure of illicit activities.
12. Cybercrime Forum Leak Zone Exposes Its Own User Data
The Leak Zone cybercrime forum inadvertently exposed its user records, including IP addresses and access times, due to an unsecured database. This ironic breach serves as a cautionary tale for cybercriminal platforms regarding data security.
"[37:51] Patrick Gray: Indeed."
Sponsor Interview: Push Security with Dan Cuthbert
The episode transitions to a sponsored segment featuring Dan Cuthbert from Push Security. Push Security offers a browser plugin that enhances identity security by monitoring login events, enforcing controls on third-party SaaS applications, and detecting phishing attempts. Dan emphasizes the tool's ability to provide comprehensive telemetry, aiding in proactive detection engineering.
"[42:04] Dan Cuthbert: ... you're now getting all this rich data that you can actually do stuff with."
He highlights how Push Security integrates with existing security infrastructures to offer deeper insights into user authentication patterns and potential anomalies, making it an invaluable asset for large organizations aiming to bolster their security posture.
Conclusion
Patrick Gray wraps up the episode by thanking Adam Boileau for his contributions and Dan Cuthbert for the insightful discussion on Push Security. The episode underscores the multifaceted challenges in the information security landscape, from vulnerabilities in major platforms to sophisticated cyberattacks targeting critical infrastructures. It also highlights the evolving tools and strategies necessary to counteract these threats effectively.
Notable Quotes:
- Adam Boileau [01:59]: "Microsoft says they're investigating whether or not these facts are related. But, you know, the glove does fit a little bit as."
- Patrick Gray [03:47]: "it feels like kind of the more realistic scenario."
- Adam Boileau [07:52]: "they misread the logs. They've now published a mea culpa blog post."
- Adam Boileau [22:05]: "it's extremely not good by Broadcom."
- Dan Cuthbert [42:04]: "you're now getting all this rich data that you can actually do stuff with."
Further Resources:
For more detailed information on the discussed topics, listeners are encouraged to check the episode's show notes, which include links to relevant articles and blog posts.
