Cybersecurity News: Open Cybersecurity Schema Framework launches, Intel SGX flaw, CISA adds DogWalk to patch list

Introducing the Open Cybersecurity Schema Framework

At Black Hat, Amazon Web Services, IBM, Cloudflare, Splunk, Palo Alto Networks, Okta, CrowdStrike, and several other cybersecurity companies announced the formation of the Open Cybersecurity Schema Framework to create a common data standard for sharing security information. The idea is to create a set of specifications for products and services that standardizes alerts from different tools and speeds interpretation of data. Currently vendors offer proprietary dashboards that require manual labor and custom code to move data to other tools. OCSF standards will be available on GitHub. Companies expect to integrate these specifications into products within the next few months.

(WSJ)

New flaw found in Intel SGX

Intel introduced software guard extensions, or SGX, to create a trusted execution environment to protect sensitive code like encryption keys even on compromised systems. Flaws in SGX aren’t anything new. Since 2018 researchers have discovered seven serious security holes with it. At the Black Hat conference, two PhD student security researchers presented a paper about an architectural flaw in the Advanced Programmable Interrupt Controller or APIC that completely breaks SGX guarantees in most 10th, 11th, and 12th generation Intel CPUs. This attack doesn’t require a side-channel, but does require root privileges. The researchers see this as particularly problematic for cloud instances, where one vulnerable server would cause a “significant threat to enclave security.” Intel released mitigations for the vulnerability starting August 9th, rolling out through server OEMs.

(Ars Technica)

CISA adds to its Known Exploited Vulnerabilities database

The Cybersecurity and Infrastructure Security Agency added two more flaws to its catalog. Both show evidence of active exploitation. One is the DogWalk bug in the Windows Support Diagnostic Tool that’s been exposed for over two years. We covered Microsoft patching it yesterday. CISA also added a path traversal bug in the UnRAR utility for Linux and Unix. This could allow someone to plant a malicious file on a system by having it extracted to an arbitrary location while unpacking an archive. Civilian federal agencies must patch these vulnerabilities by August 30th.

(Bleeping Computer)

Industrial ransomware drops

The cybersecurity firm Dragos reported it observed a drop in industrial ransomware in Q2. Overall attacks were down 21% on the quarter, to 125. The researchers suggest that the closure of the Conti ransomware group likely accounted for some of this decrease. In Q2, LockBit accounted for a third of industrial ransomware attacks. Even though it closed up shop in May, Conti still accounted for 13% of attacks in the quarter. The Black Basta group came in third with 12%. Researchers note the group did not account for any attacks in Q1, with the uptick in activity filling the void left by Conti. Manufacturing remained the most commonly hit sector, accounting for 69% of all ransomware attacks in Q2.

(Security Week)

Thanks to today’s episode sponsor, Edgescan

Scalable automated and continuous Attack Surface Management (ASM) and vulnerability detection integrated with a world-class cyber security team provide 100% false-positive-free alerts and expert remediation guidance.

Twilio hackers tried to hit Cloudflare

Earlier this week, we covered Twilio confirming it got hit with a sophisticated phishing attack. At the time, TechCrunch reported that other major companies were also targeted by the same actors. Now Cloudflare has confirmed it got hit too. The company said three employees fell for a similar phishing scam. However, its use of hardware-based MFA keys prevented the intruders from accessing its internal network. The details again show the attackers as methodical and sophisticated, obtaining work and home numbers of Cloudflare employees and family members in an effort to make the phishing successful. It’s estimated at least 76 Cloudflare employees received phishing text messages within the first minute of the attack, with the phishing domain registered only 40 minutes prior.

(Ars Technica)

Google blocks Workspace account hijacking

Google added more security protections to its productivity suite. It will now show a “Verify It’s You” prompt when a user attempts an action deemed risky in a session, and log these prompts for admins to review. This should prevent threat actors who obtain a user’s account credentials from reaching sensitive organizational data, because users must complete the verification with a trusted second factor. These new features apply to all Workspace customers. Admins can temporarily disable these login challenges when needed.

(Bleeping Computer)

Malware shifting from macros to shortcut files

File this under the eternal security game of cat and mouse. We’ve covered the slow rollout of Microsoft blocking VBA macros by default in Office. As macros become a less effective vector, a new report from HP Wolf Security found that malicious actors shifted to using shortcut LNK files to spread malware. The report found an 11% rise in archive files, including LNK files, containing malware on the year. Email remained a stalwart vector, delivering 69% of malware detected. Attackers generally include these shortcut files in ZIP attachments to help evade scanning. 

(InfoSecurity Magazine)

Krebs on email alias security

Security researcher Brian Krebs looked at the security pros and cons of using email aliases. These let you generate a custom email address still tied to your main inbox, so you can filter responses sent to that address. If you keep a distinct alias per site, the aliases can be used to track who shares or sells your email address. According to Hold Security founder Alex Holden, threat actors routinely scrub aliases back to the root email address when selling credential caches. HaveIBeenPwned backs this up, with only 0.03% of records using an alias. While email alias usage remains fairly small overall, Apple’s Hide My Email service has increased adoption somewhat. Downsides of email aliases include some sites not supporting the + sign needed to use them, and difficulty with account recovery if you don’t remember which alias you used.

(Krebs on Security)
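To make the alias mechanics concrete, here is an added example (not code from the page or from Krebs on Security) that splits "user+tag@domain" sub-addresses into the root address and tag, measures what share of a leaked list still carries a tag, and maps a tagged address back to the site it was given to. The address list is constructed for the example, and the per-site tag convention is an assumption.

```python
"""Plus-address helpers: added example, not code from the page or from Krebs.

Assumption (constructed for this example): aliases use 'user+tag@domain'
sub-addressing and each tag names the site the alias was handed to.
"""
from collections import Counter
import re

# local part, a '+' tag, then the domain; no '+' means no alias is in use
ALIAS_RE = re.compile(r"^(?P<local>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>[^@]+)$")


def split_alias(address):
    """Return (root_address, tag); tag is None when no '+' alias is present.
    The root is lowercased, which is the same 'scrubbing' a credential broker
    applies before reselling a cache."""
    address = address.strip().lower()
    m = ALIAS_RE.match(address)
    if not m:
        return address, None
    return f"{m['local']}@{m['domain']}", m["tag"]


def alias_share(addresses):
    """Fraction of records in a leaked list that still carry a '+' tag."""
    if not addresses:
        return 0.0
    tagged = sum(1 for a in addresses if split_alias(a)[1] is not None)
    return tagged / len(addresses)


def leaked_sites(my_root, addresses):
    """Count which of my_root's alias tags show up in the list, i.e. which
    site passed my address on (assumes one tag per site)."""
    hits = Counter()
    for a in addresses:
        root, tag = split_alias(a)
        if root == my_root.strip().lower() and tag is not None:
            hits[tag] += 1
    return dict(hits)


# Constructed sample list; not a real breach.
SAMPLE_DUMP = [
    "alice+shopco@example.com",
    "Alice+shopco@example.com",
    "alice@example.com",  # alias already scrubbed back to the root address
    "alice+newsletter@example.com",
    "bob@example.net",
    "carol+forum@example.org",
]

if __name__ == "__main__":
    print(f"alias share: {alias_share(SAMPLE_DUMP):.1%}")
    print(leaked_sites("alice@example.com", SAMPLE_DUMP))
```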

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.