This one looks bad. Global Affairs Canada, the Canadian agency that handles diplomatic relations, just got hacked to the core. One detail in this article is that the hack exploited some sort of VPN. Who wants to bet it's Ivanti?
The hackers who recently broke into Microsoft’s network and monitored top executives’ email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company's part, a researcher said.
The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. It expanded on a disclosure Microsoft published late last Friday. Russia-state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging into a “legacy non-production test tenant account” that wasn’t protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams.
In Thursday’s post updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protocol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.
In Thursday’s update, Microsoft officials said as much, although in language that largely obscured the extent of the major blunder.
I found this image floating around on that wretched bird site. Am I interpreting it wrong or does it indicate there's a way to allow non-admins to read all inboxes? If not, can you show me an appropriate screenshot? (No need for the screenshot if too much of a hassle. Just an answer will suffice.)
"Threat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a LEGACY TEST OAUTH APPLICATION THAT HAD ELEVATED ACCESS TO THE MICROSOFT CORPORATE ENVIRONMENT. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. THE THREAT ACTOR THEN USED THE LEGACY TEST OAUTH APPLICATION TO GRANT THEM THE OFFICE 365 EXCHANGE ONLINE FULL_ACCESS_AS_APP ROLE, WHICH ALLOWS ACCESS TO MAILBOXES."
Or does being the tenant admin go beyond the above? If it does, can you or someone explain how?
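The chain Microsoft describes (new account created, consent granted to an attacker app, full_access_as_app assigned) is what a tenant audit log would record. An added example, not from the posts above or from Microsoft: a small detector over constructed, simplified audit records. The activity names follow the Entra ID audit-log wording; the field layout, account names and timestamps are assumptions made up for the sample.

```python
import json
from datetime import datetime, timedelta

# Constructed, simplified audit records (not real Microsoft log output). The
# activity names mirror the Entra ID audit-log wording; the field layout is ours.
SAMPLE_LOG = """
{"time":"2024-01-10T09:00:00Z","activity":"Add user","actor":"legacy-test@example.test","target":"consent-helper@example.test"}
{"time":"2024-01-10T09:07:00Z","activity":"Consent to application","actor":"consent-helper@example.test","target":"mail-sync-app"}
{"time":"2024-01-10T09:12:00Z","activity":"Add app role assignment to service principal","actor":"legacy-test@example.test","target":"mail-sync-app","app_role":"full_access_as_app","resource":"Office 365 Exchange Online"}
{"time":"2024-01-10T11:00:00Z","activity":"Add app role assignment to service principal","actor":"it-admin@example.test","target":"hr-reporting","app_role":"User.Read.All","resource":"Microsoft Graph"}
"""

# Exchange Online's full_access_as_app lets the app read every mailbox in the tenant.
HIGH_RISK_APP_ROLES = {"full_access_as_app"}

def parse_log(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def find_oauth_abuse(records, consent_window=timedelta(hours=1)):
    """Return findings in log order:
    - 'new-account-consent': consent granted by an account created less than
      `consent_window` earlier (the throwaway consent account in the post)
    - 'high-risk-app-role': an app role from HIGH_RISK_APP_ROLES assigned to a
      service principal (the full_access_as_app grant in the post)"""
    created = {}
    findings = []
    for r in records:
        ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        act = r["activity"]
        if act == "Add user":
            created[r["target"]] = ts
        elif act == "Consent to application":
            born = created.get(r["actor"])
            if born is not None and ts - born <= consent_window:
                findings.append(("new-account-consent", r["actor"], r["target"]))
        elif act == "Add app role assignment to service principal":
            if r.get("app_role") in HIGH_RISK_APP_ROLES:
                findings.append(("high-risk-app-role", r["target"], r["app_role"]))
    return findings

if __name__ == "__main__":
    for f in find_oauth_abuse(parse_log(SAMPLE_LOG)):
        print(f)
```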
I'm curious to know what security professionals think of the new intelligence assessment from the UK about AI increasing the number and impact of cyber attacks in the next 2 years.
Do you buy this assessment, or is it wrong? Why or why not?
-- AI will almost certainly increase the volume and heighten the impact of cyber attacks over the next two years. However, the impact on the cyber threat will be uneven (see table 1).
-- The threat to 2025 comes from evolution and enhancement of existing tactics, techniques and procedures (TTPs).
-- All types of cyber threat actor – state and non-state, skilled and less skilled – are already using AI, to varying degrees.
-- AI provides capability uplift in reconnaissance and social engineering, almost certainly making both more effective, efficient, and harder to detect.
-- More sophisticated uses of AI in cyber operations are highly likely to be restricted to threat actors with access to quality training data, significant expertise (in both AI and cyber), and resources. More advanced uses are unlikely to be realised before 2025.
-- AI will almost certainly make cyber attacks against the UK more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.
-- AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.
-- Moving towards 2025 and beyond, commoditisation of AI-enabled capability in criminal and commercial markets will almost certainly make improved capability available to cyber crime and state actors.
Historian begs Americans not to downplay Trump's threats to use the military against them
If Donald Trump becomes the 47th president, Presidential historian Michael Beschloss said he believes there is going to be a severe danger of instituting the Insurrection Act and putting soldiers on missions to police American soil.
During a rally in Iowa, the 2024 Republican frontrunner described the metropolises of New York City and Chicago as “crime dens” and vowed to move fast to bring in the country's military might.
“The next time, I’m not waiting,” he said. “One of the things I did was let them run it and we’re going to show how bad a job they do,” he said. “Well, we did that. We don’t have to wait any longer.”
Beschloss says we should be taking Trump at his word.
Can we at least agree that a statistically significant proportion of women and people of color think abortion should be illegal in all/most cases, according to Pew Research? I'm guessing these folks also vote for sexist public officials who hate women?
Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.
“The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering.”
Other questions remain unanswered, wrote Larin, even after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don’t know what, precisely, its purpose is. Also unknown is if the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM’s CoreSight.
The mass backdooring campaign, which according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.
With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn’t survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.
A fresh infusion of details disclosed Wednesday said that “Triangulation”—the name Kaspersky gave to both the malware and the campaign that installed it—exploited four critical zero-day vulnerabilities, meaning serious programming flaws that were known to the attackers before they were known to Apple. The company has since patched all four of the vulnerabilities.
It's hard to overstate the importance of SSH in securing home networks, massive cloud centers and everything in between. Now, researchers have devised a novel cryptographic attack that breaks the integrity of this widely used protocol. Dubbed Terrapin, it's the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. Terrapin exploits weaknesses in the specification of SSH when paired with widespread algorithms (ChaCha20-Poly1305 and CBC-EtM) to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.
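Whether a given peer is exposed comes down to what it offers in its KEXINIT: the ChaCha20-Poly1305 or CBC-EtM modes named above, and whether it offers the strict key exchange countermeasure (the kex-strict-*@openssh.com pseudo-algorithms OpenSSH introduced as the fix, which is not mentioned in the post). An added example, not from the post or the Terrapin authors: a parser for the SSH_MSG_KEXINIT payload (RFC 4253) plus an exposure check on constructed offers; the server offers are made up for the sample.

```python
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}

def build_kexinit(**lists):
    """Construct a KEXINIT payload (fixed zero cookie) for offline testing."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for f in FIELDS:  # each name-list: uint32 length + comma-separated names
        s = ",".join(lists.get(f, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into name-lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, out = 17, {}  # skip message id and the 16-byte random cookie
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        out[f] = [a for a in raw.split(",") if a]
        off += 4 + n
    return out

def terrapin_exposure(kexinit):
    """Classify one peer's offer against the modes named in the post
    (ChaCha20-Poly1305, or a CBC cipher together with an encrypt-then-MAC MAC)."""
    if STRICT_KEX & set(kexinit["kex"]):
        return "strict-kex supported"  # mitigated once the other side supports it too
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    if "chacha20-poly1305@openssh.com" in ciphers:
        return "offers chacha20-poly1305"
    if any(c.endswith("-cbc") for c in ciphers) and any("-etm@" in m for m in macs):
        return "offers cbc with etm"
    return "offers no affected mode"

# Constructed server offers: one without and one with the strict-kex marker.
OLD_SERVER = build_kexinit(kex=["curve25519-sha256"], hostkey=["ssh-ed25519"],
    enc_c2s=["chacha20-poly1305@openssh.com"], enc_s2c=["chacha20-poly1305@openssh.com"],
    mac_c2s=["hmac-sha2-256-etm@openssh.com"], mac_s2c=["hmac-sha2-256-etm@openssh.com"],
    comp_c2s=["none"], comp_s2c=["none"])
PATCHED_SERVER = build_kexinit(kex=["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
    hostkey=["ssh-ed25519"], enc_c2s=["chacha20-poly1305@openssh.com"],
    enc_s2c=["chacha20-poly1305@openssh.com"], mac_c2s=["hmac-sha2-256-etm@openssh.com"],
    mac_s2c=["hmac-sha2-256-etm@openssh.com"], comp_c2s=["none"], comp_s2c=["none"])
```

A single KEXINIT only shows one side's offer, so the result describes exposure, not what the two peers actually negotiated.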
As an added bonus, @trueskrillor, the lead author of the Terrapin paper (who still isn't active on Mastodon 🙁 ) is holding court in the comments forum. Now would be a good time to mosey on over and ask questions.
Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient.