ProxyNotShell, MFA and more: first officer's blog - week 20

ProxyNotShell, MFA difficulties, social media hacks, and more. Here's the latest in cyber risk, in the latest first officer's blog.

Mike Parkin | October 09, 2022

First Officer’s log, Terrestrial date, 20221010. Officer of the Deck reporting.  

While en route to [REDACTED] to pick up Lieutenant [REDACTED] and her team after their successful field mission, we have been redirected to Starbase 42. Apparently to answer some existential questions about life, or the universe, or something. The reason for the diversion is not currently clear except to the most senior command staff. 

The crew has been instructed to take advantage of the station’s recreational facilities while we are here, but to be ready to resume action at a moment’s notice. While some of the crew are disembarking for a brief liberty call, most are remaining aboard pending an update from the Captain. Many of us have learned from experience that situations like this can often shift from light recreation to intense activity with very little notice. 

I have sent a message to Lieutenant [REDACTED] to update them on the situation and our potential delay in picking them up. She responded rather stoically, though from the background noise it appeared that the post-mission debriefing with the government on [REDACTED] had devolved into a drinking contest between the various vendor representatives. 

We can only imagine how that will turn out, but we will have sickbay standing by when we arrive, just in case.

There is no silver bullet 

What happened 

Threat actors are finding ways to bypass multi-factor authentication, according to recent research by a major security vendor. Recent security incidents reinforce this conclusion: several of them were user-account compromises at organizations where an MFA system was in place.

Why it matters 

While multi-factor authentication goes a long way toward preventing threat actors from compromising user accounts, it’s not a silver bullet. Not all MFA systems are created equal, and not all of them are implemented correctly in practice. Some are inherently easier to bypass, often because they get the balance wrong between being effective and being convenient enough that people are willing to use them.

For example, a physical token is often much more effective than a system that relies on a “confirmation” from an app. That fact was highlighted by a recent breach in which a threat actor repeatedly tried to log in with compromised credentials until the user, tired of the constant app alerts, finally tapped “OK” to make them stop. You can guess where that went.
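As an added example (not part of the original post), here is a small detection routine that flags the pattern described above in authentication logs: a run of push prompts the user did not approve, followed shortly by an approval. The log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events (not real logs). "alice" shows the fatigue
# pattern: four unapproved push prompts, then an approval a few minutes later.
SAMPLE_EVENTS = """
{"ts": "2022-10-05T02:10:00Z", "user": "alice", "factor": "push", "result": "timeout"}
{"ts": "2022-10-05T02:10:40Z", "user": "alice", "factor": "push", "result": "denied"}
{"ts": "2022-10-05T02:11:20Z", "user": "alice", "factor": "push", "result": "timeout"}
{"ts": "2022-10-05T02:12:05Z", "user": "alice", "factor": "push", "result": "timeout"}
{"ts": "2022-10-05T02:13:30Z", "user": "alice", "factor": "push", "result": "approved"}
{"ts": "2022-10-05T09:00:00Z", "user": "bob", "factor": "push", "result": "timeout"}
{"ts": "2022-10-05T09:00:45Z", "user": "bob", "factor": "push", "result": "approved"}
{"ts": "2022-10-05T09:30:00Z", "user": "carol", "factor": "hardware_token", "result": "approved"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return (user, approval_time, prior_rejections) for every push approval
    preceded by at least `min_rejections` unapproved pushes within `window`.
    Only the push factor is considered; hardware tokens are not prompt-based."""
    recent = defaultdict(list)  # user -> timestamps of unapproved pushes
    alerts = []
    for event in events:
        if event["factor"] != "push":
            continue
        user, ts = event["user"], event["ts"]
        # Keep only prompts that fall inside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if event["result"] == "approved":
            if len(recent[user]) >= min_rejections:
                alerts.append((user, ts, len(recent[user])))
            recent[user].clear()
        else:
            recent[user].append(ts)
    return alerts
```

A single unanswered prompt before an approval (as with "bob") is normal user behaviour and is not flagged; tune `min_rejections` and `window` to your own prompt-timeout settings.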

What they said  

This one got people talking. Read more.

Wouldn't that be anti-social media? 

What happened 

A recent report by the Identity Theft Resource Center shows an increase in hijacking attacks against social media accounts. While its sample sizes are limited and self-selected, the overall conclusion is valid: threat actors may aggressively go after social media accounts, with serious consequences for some victims.

Why it matters 

Threat actors have targeted social media accounts for as long as there have been social media accounts to target. For some people, a hijacked account is just a minor inconvenience; for others, losing access to family and friends through social media can be heartbreaking. In some cases, losing access can mean a substantial financial hit, especially for people who consider themselves “influencers” and earn much of their income from sites like Instagram or TikTok.

That’s not even considering the potential damage an attacker could do by impersonating someone to their colleagues. After all, social engineering is a lot easier when you’re already working from a position of trust. 

What they said  

The more traditional media outlets have had plenty to say about this... 

When the first fix doesn’t work . . . a ProxyNotShell update

What happened 

Microsoft’s initial workaround for the recent vulnerability known as “ProxyNotShell” was shown to be too specific: attackers were able to work around the mitigation. Microsoft has subsequently released updated recommendations that address the issue and should serve to mitigate potential attacks until a patch is released.

Why it matters  

When a potentially major vulnerability surfaces, it’s common practice to identify and deploy mitigations as soon as possible, until a full patch is developed. The risk is making the temporary fix too specific to the vulnerability as it was understood at the time. That appears to be what happened with ProxyNotShell: the mitigation was a very specific ruleset written to block the attack as it had been observed. Unfortunately, the ruleset was too specific, and there were ways to work around it.

Fortunately, Microsoft’s new recommendations are more generic and should cover a broader attack surface. But the real fix will be a patch. Which should be available soon. We hope. 

What they said 

Plenty have been covering ProxyNotShell and its mitigation actions. Read more here.
