
Latest Cybersecurity News 2021-07-26 Edition


Weekly CyberTip: Do you have support?

Regular patching is important, but no hardware or software lasts forever. In your digital asset inventory, track the “end of support” and “end of life” milestones for all components in your networks so you can budget and plan to migrate off obsolete platforms well in advance.
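An added example of the kind of lifecycle check this tip describes (it is not part of the original newsletter): a small Python script that reads an asset inventory, flags components already past end-of-support, and lists those whose milestones fall inside a planning window so migration can be budgeted. The inventory entries and the 180-day window are constructed for illustration; the IE11 dates are the ones reported in the item below.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    name: str
    end_of_support: Optional[date]  # vendor stops fixes and support
    end_of_life: Optional[date]     # product fully retired


# Constructed inventory for illustration. The IE11 dates are those reported
# in this newsletter; the other entries are placeholders.
INVENTORY = [
    Asset("Internet Explorer 11 (Microsoft 365 access)", date(2021, 8, 17), date(2022, 6, 15)),
    Asset("Example legacy switch firmware", date(2020, 12, 31), date(2021, 12, 31)),
    Asset("Example supported platform", date(2024, 1, 1), None),
    Asset("Example component with no published lifecycle", None, None),
]


def classify(asset, today, lead_days=180):
    """Return 'unsupported', 'expiring', 'supported' or 'unknown'.

    The earliest known milestone drives the decision: once it has passed the
    asset is unsupported; if it falls within lead_days the asset needs a
    migration plan now; assets with no recorded dates need inventory follow-up.
    """
    milestones = [d for d in (asset.end_of_support, asset.end_of_life) if d]
    if not milestones:
        return "unknown"
    nearest = min(milestones)
    if nearest <= today:
        return "unsupported"
    if nearest - today <= timedelta(days=lead_days):
        return "expiring"
    return "supported"


def lifecycle_report(inventory, today, lead_days=180):
    """Group asset names by status; 'unsupported' and 'expiring' form the action list."""
    report = {"unsupported": [], "expiring": [], "supported": [], "unknown": []}
    for asset in inventory:
        report[classify(asset, today, lead_days)].append(asset.name)
    return report


if __name__ == "__main__":
    for status, names in lifecycle_report(INVENTORY, date(2021, 7, 26)).items():
        print(f"{status}: {names}")
```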

Internet Explorer 11 end-of-support deadline just weeks away

On July 23, Microsoft issued a reminder that Microsoft 365 support for Internet Explorer 11 is ending – and soon.

“Beginning August 17, 2021, Microsoft 365 apps and services will no longer support Internet Explorer 11 (IE11) and users may have a degraded experience [with], or be unable to connect to, those apps and services. These apps and services will phase out over weeks and months to ensure a smooth end of support, with each app and service phasing out on independent schedules,” according to the blog post. Microsoft warned users that support will be unavailable for those having difficulty accessing Microsoft 365 apps and services from IE11; further, users “should expect no new features and that [their] daily usage experience could get progressively worse over time until the apps and services are disconnected.”

Internet Explorer 11 is the last version of IE, ending a 20+ year run for the Internet browser in the Windows environment. In May, Microsoft confirmed that IE11 “will be retired and go out of support on June 15, 2022, for certain versions of Windows 10”. In June, Microsoft also revealed that Windows 11, due in the fall, will not even ship with IE11 as Microsoft channels all of its energies towards the Edge browser product.


U.S. government accuses China of “irresponsible behaviour” in cyberspace

In a statement published on July 19, the White House accused the People’s Republic of China (PRC) of “irresponsible” and “destabilizing” behaviour in cyberspace. The statement also confirmed the U.S. government’s “high degree of confidence” that threat actors affiliated with China’s Ministry of State Security (MSS) were among those who exploited the zero-day vulnerabilities disclosed in Microsoft Exchange Server in early March 2021. “The PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit,” according to the statement.

The European Union, Australia, New Zealand, and Japan have all thrown their support behind the statement from the Biden administration. The United States’ 29 NATO partners have followed suit: “Canada is confident that the PRC’s Ministry of State Security (MSS) is responsible for the widespread compromising of the Exchange servers,” said Foreign Affairs Minister Marc Garneau in a statement on July 19.

The governments’ position is aligned with Microsoft’s initial analysis of the Exchange exploits. Within days of the original attacks, Microsoft researchers had identified HAFNIUM – a cyber espionage group with alleged ties to the Chinese government – as the primary threat actors behind the breaches of on-premises versions of Microsoft Exchange Server. An estimated 60,000 networks around the world were compromised.

The PRC was quick to fire back at the U.S. and its allies. In a press conference July 20, China’s Foreign Ministry Spokesperson Zhao Lijian lashed out at the White House, describing its statement as “groundless accusations out of thin air against China on the cyber security issue. This act confuses right with wrong and smears and suppresses China out of political purpose,” according to the translated transcript. “The so-called technical details released by the US side do not constitute a complete chain of evidence.”

Some may see the accusations against the PRC as pointless, serving only to increase tensions and rhetoric between global cyber powers. However, Microsoft’s Tom Burt, Corporate Vice-President, Customer Security & Trust, has a different perspective: “Attributions like these will help the international community ensure those behind indiscriminate attacks are held accountable. The governments involved in this attribution have taken an important and positive step that will contribute to our collective security. Transparency is critical if we’re to combat the rising cyber attacks we see across the planet against individuals, organizations and nations.”

Atlassian announces critical Jira patch

Atlassian has released patches for a significant vulnerability identified in its Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center applications. The vulnerability could allow threat actors to connect to an “Ehcache RMI network service” on up to five high-order port numbers to execute “arbitrary code of their choice”. The vulnerability has a criticality rating of 9.8 out of 10.

The vulnerability is of particular concern due to the number of releases involved. For most products, almost all versions dating back to 2014 are affected, starting from 6.3.0. For the Jira Service Management Data Center, almost all versions dating back to version 2.0.2 are affected.

Atlassian has emphasized that the bugs do not affect Jira cloud customers: “Non-Data Center instances of Jira Server (Core & Software) and Jira Service Management are not affected,” according to the post.

Jira Data Center products are widely used for DevOps, project management, service management, and document collaboration. Users are strongly encouraged to assess and apply the necessary patches as soon as possible, currently available through the Atlassian website.


Infosecurity Magazine suspends website

www.infosecurity-magazine.com, a news and information security resource website, has been the target of a sustained distributed denial of service (DDoS) attack. Originally citing “network issues” to explain the outages, the website has now posted (through a content distribution network landing page) that they have suspended operations temporarily until the website can be migrated to a new hosting provider. The threat actors, and their motivation, have not been disclosed.

Service problems first cropped up in early July, creating intermittent disruptions to the website. More recently, filters checking browser settings and origin were implemented in an effort to distinguish valid traffic from malicious requests. Infosecurity’s social media presences are all still operational.

Amnesty International releases briefing document on Pegasus Project

On July 23, Amnesty International released a briefing document providing background on the “Pegasus Project” and a series of security recommendations in the wake of the stunning revelations last week about the NSO Group and its Pegasus spyware. Recommendations for all nation-states, and a sweeping set of proposed limitations and controls for the NSO Group and its investors were presented. The recommendations are designed to curtail abuses of secretive cyber surveillance which Amnesty International described as “an international human rights crisis”.

On July 18, Paris-based non-profit Forbidden Stories and a global consortium of over 80 journalists from 17 news organizations released a bombshell report that “military-grade” spyware, licensed by Israeli firm NSO Group, was being used to hack smartphones belonging to heads of state, journalists, religious figures, human rights activists, and business executives, among others. Forbidden Stories described it as a “worldwide scandal – a global web of surveillance whose scope is without precedent.”

The investigation was triggered by a data leak of some 50,000 mobile numbers of potential surveillance targets. “On there were 10 prime ministers, three presidents – including France’s Emmanuel Macron – and the king of Morocco. The Indian government, suspected of being an NSO client, is thought to have selected numbers of the Dalai Lama’s Tibetan government-in-exile,” according to a report in the Washington Post. Evidence of hacking was found on 37 smartphones analyzed by researchers during the investigation. Potential NSO clients were identified in 11 countries in all, while the mobile numbers on the list spanned more than 45 countries.

The Pegasus spyware is frighteningly effective. The most recent versions of the malware can be launched without user intervention; for example, Pegasus could be deployed via a WhatsApp call, or through vulnerabilities in iMessage on iOS devices – even if the target doesn’t answer a call or open a text. Once a device is compromised, Pegasus can provide an attacker with full access to all of the device’s local data – including calls, messages, emails, contact lists, and pictures or videos. Further, Pegasus can enable an attacker to silently take control of the phone’s microphone and camera, effectively turning it into a surveillance device.

Given the high profile of most of the people whose mobile numbers appear on the list, the average iPhone or Android user is unlikely to be a target of the malware. Fixes are being developed for iOS and Android platforms; meanwhile, Amnesty International has developed a toolkit called MVT that can be used to diagnose potentially infected devices. Pegasus detection capability is also reportedly integrated into the latest version of the iVerify app (available for iOS and coming soon for Android). Malware detection providers are also working to release software updates to help detect potential indicators of compromise. For users with more immediate concerns about their devices, Reporters Without Borders has published a detailed counter-measure report.
