Citrix ADM, Sharepoint, Pegasus: first officer's log - week 5

This week's roundup features stories from Citrix ADM, Sharepoint, Pegasus, and more. Read the latest news from the world of cyber risk.

Mike Parkin | June 20, 2022

First Officer’s log, Terrestrial date, 20220720. Officer of the Deck reporting. One of the challenges of any major planetside expedition, such as the one we were engaged in, is the potential exposure of crew members to local contagions. In this case, the near-endemic Coronavirus, which has been an issue for some time now. Fortunately, only one of our crew was exposed. Unfortunately, I have been relegated to isolation in my quarters and had to perform my duties through a telepresence unit. The bright side is the medical officer did not require me to isolate myself in medlab, and the command staff is accustomed to working with telepresence.

The mission, as it is said, goes on.

Off-site Backups are a thing for a reason

What happened

A new attack method that leverages intended functionality in decidedly unintended ways has been found in Microsoft’s widely used SharePoint. An attacker with access to a document on SharePoint could repeatedly write and encrypt it until the entire series of incremental backups became unusable. Or they could simply set the maximum undo level to a single digit and render the document unrecoverable in only a few iterations.

Why it matters

A lot of organizations rely on the recovery functions in Microsoft Office for resiliency against ransomware and malicious deletion. Or even accidental deletion, to be fair. This technique would break that, rendering recovery impossible. Microsoft says the backup system is working as intended, which is true. But this is creatively abusing intended functionality to nefarious ends. Local copies and third-party “off-site” backup solutions can resist this kind of attack.

What they said

It’s been a busy day at the Office for those covering this story.

It’s legal, but is it ethical?

What happened

Commercial-grade attack tools are nothing new. They are used routinely by law enforcement and intelligence agencies worldwide, and sometimes even by commercial entities under very special circumstances. The revelation of an Android spyware tool called “Hermit,” apparently developed by a company in Italy and deployed by the government of Kazakhstan, has raised some notice – as the revelation of the Pegasus spyware did before.

Why it matters

Sovereign states can do whatever their own laws allow within their borders. That’s part of what defines being a sovereign state. However, spyware tools raise some interesting ethical questions, especially for Western democracies where personal privacy and liberty have been coded into law. What are the ethical concerns when developers create these tools in countries where they would be strictly controlled, but sell them in lands that might not have such tight restrictions, or that are not known for having a good human rights record?

What they said

Unsurprisingly for a spyware story, this one has raised all sorts of coverage.

There are reasons to keep them isolated

What happened

A recent vulnerability in the Citrix ADM service could allow an attacker to reset the system’s admin password and then log in as the administrator after forcing a system reboot. Citrix has released patches for the affected versions of Citrix ADM and published mitigations.

Why it matters

While it might be challenging for an attacker to run the exploit, cause the admin password to reset, and then follow it up with a forced reboot, it shows why admin access needs to be isolated in the first place. Industry best practice would have these management interfaces restricted to prevent access from unauthorized network spaces. It’s just a bad thing™ to have admin access reachable from the open internet. Full stop.

What they said

Naturally, for a service as popular as Citrix ADM, this vulnerability has a lot of people talking.

Speaking of Pegasus

What happened

US Defense Contractor L3Harris is in talks to buy Israel-based developer NSO, known for their commercial-grade spyware, Pegasus.

Why it matters

There was quite a bit of controversy surrounding Pegasus when news of its existence came out. But it gives some insight into the level of sophistication these professionally developed tools can have, and the implications they have for people’s personal privacy and liberty.

While many jurisdictions have very strict controls on when tools like this can be used, and who they can be used against, we know that those restrictions don’t always apply. And even regions with noble ideals, that try to maintain high standards, can’t always live up to them.

What they said

After so much time spent lurking in the shadows, Pegasus is now front and center in the conversation.
