This Week in Cyber: March 14th – March 18th

Digital Security by Design

This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI published a joint advisory about state-sponsored threat actors based in Russia who used exploits of multifactor authentication (MFA) defaults to breach an NGO.

The attackers exploited a critical Windows Print Spooler vulnerability, also known as ‘PrintNightmare’. By exploiting the vulnerability, tracked as CVE-2021-34527, the attackers were able to run arbitrary code with system privileges and gain access to the victims’ network, email accounts and cloud environment. 

The advisory stated that “Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password.”

The FBI and CISA’s statement recommended that “organizations remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information”, and it also provided mitigation guidance for organisations affected.

Commenting on the news, and quoted in Data Breach Today, John Goodacre, Challenge Director for Digital Security by Design, and professor of computer architectures at the University of Manchester, said “providing technology that can block vulnerabilities from exploitation, and provide developers new techniques to configure and deliver security by default in their code, can’t come soon enough. While the current approach to cybersecurity expects every user of software to ensure it is properly configured and continually patched cannot be sustained given the increasing rate and severity of cyber-attacks. The UKRI Digital Security by Design programme is working with businesses to deliver new technologies which should block around 70% of the ongoing reported vulnerabilities from exploit. It also offers developers computer hardware that can physically isolate the various parts and interfaces of an application to stop attackers being able to use one vulnerability to open access to entire machines and their network.”

Earlier this week WebKit also released a number of new additions to WebKit in Safari 15.4, such as updates, fixes and new web technologies. Among these new additions was improved support for Content Security Policy (CSP) Level 3. 

WebKit said that the update “improves support for Content Security Policy Level 3, providing enhanced security control over the loading of content, and helping web developers to mitigate risks of cross-site scripting and other vulnerabilities. Blocked resource violation reporting for inline script, inline style and eval execution is updated to match web standards. New support for ‘strict-dynamic’, ‘unsafe-hashes’, and ‘report-sample’ source expressions give developers more flexibility. Developers can also safely include external JavaScript in their pages using new support for hash source expressions.”

The WebKit update is the first of many for the year ahead, as WebKit have pledged a commitment to support web developers and anyone else who uses their web. 

Commenting on this update, and quoted in The Daily Swig, John Goodacre said, “CSP are a set of features that permit a web developer to increase the security of their application by default. We will need to wait to see whether developers will undertake the increased effort to use the new features. A growing trend however is to somewhat relieve developers of such effort by creating technologies that deliver increased security by design. This could include for example development tools and frameworks that automatically implement CSP, or, as being investigated within the UKRI Digital Security by Design programme, where WebKit itself is implemented using secure by design approaches.”

 


You can follow updates @DSbDTech or via LinkedIn here  #DSbDtech

Follow Innovate UK

Twitter @innovateuk

Innovate UK on Linkedin

You can find out more about the Industrial Strategy Challenge Fund here

Delivered by Digital Catapult, funded by UKRI through the Digital Security by Design programme.