This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI published a joint advisory about Russian state-sponsored threat actors who exploited default multifactor authentication (MFA) protocols to breach an NGO.
The attackers also exploited a critical Windows Print Spooler vulnerability, known as ‘PrintNightmare’ and tracked as CVE-2021-34527. By exploiting it, the attackers were able to run arbitrary code with system privileges and gain access to the victim’s network, email accounts and cloud environment.
The advisory stated that “Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password.”
The FBI and CISA’s statement recommended that “organizations remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information”, and it also provided mitigation guidance for organisations affected.
Commenting on the news, and quoted in Data Breach Today, John Goodacre, Challenge Director for Digital Security by Design and professor of computer architectures at the University of Manchester, said: “Providing technology that can block vulnerabilities from exploitation, and provide developers new techniques to configure and deliver security by default in their code, can’t come soon enough. The current approach to cybersecurity, which expects every user of software to ensure it is properly configured and continually patched, cannot be sustained given the increasing rate and severity of cyber-attacks. The UKRI Digital Security by Design programme is working with businesses to deliver new technologies which should block around 70% of the ongoing reported vulnerabilities from exploit. It also offers developers computer hardware that can physically isolate the various parts and interfaces of an application to stop attackers being able to use one vulnerability to open access to entire machines and their network.”
Earlier this week WebKit also released a number of new additions to WebKit in Safari 15.4, such as updates, fixes and new web technologies. Among these new additions was improved support for Content Security Policy (CSP) Level 3.
The WebKit update is the first of many planned for the year ahead, as WebKit has pledged a commitment to supporting web developers and everyone else who uses the web.
Commenting on this update, and quoted in The Daily Swig, John Goodacre said, “CSP are a set of features that permit a web developer to increase the security of their application by default. We will need to wait to see whether developers will undertake the increased effort to use the new features. A growing trend however is to somewhat relieve developers of such effort by creating technologies that deliver increased security by design. This could include for example development tools and frameworks that automatically implement CSP, or, as being investigated within the UKRI Digital Security by Design programme, where WebKit itself is implemented using secure by design approaches.”