The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region.
"The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities

The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region.

"The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation," Trend Micro researchers Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai said in an analysis published on Friday.

The cybersecurity company is tracking the threat actor under the moniker Earth Simnavaz, which is also referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten.

The attack chains entail the deployment of a previously undocumented implant that comes with capabilities to exfiltrate credentials through on-premises Microsoft Exchange servers, a tried-and-tested tactic adopted by the adversary in the past, while also incorporating recently disclosed vulnerabilities to its exploit arsenal.

CVE-2024-30088, patched by Microsoft in June 2024, concerns a case of privilege escalation in the Windows kernel that could be exploited to gain SYSTEM privileges, assuming the attackers can win a race condition.

Initial access to target networks is facilitated by means of infiltrating a vulnerable web server to drop a web shell, followed by dropping the ngrok remote management tool to maintain persistence and move to other endpoints in the network.

The privilege escalation vulnerability subsequently serves as a conduit to deliver the backdoor, codenamed STEALHOOK, responsible for transmitting harvested data via the Exchange server to an email address controlled by the attacker in the form of attachments.

A notable technique employed by OilRig in the latest set of attacks involves the abuse of the elevated privileges to drop the password filter policy DLL (psgfilter.dll) in order to extract sensitive credentials from domain users via domain controllers or local accounts on local machines.

"The malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions," the researchers said. "The threat actor also utilized plaintext passwords to gain access and deploy tools remotely. The plaintext passwords were first encrypted before being exfiltrated when sent over networks."

It's worth noting that the use of psgfilter.dll was observed back in December 2022 in a connection with a campaign targeting organizations in the Middle East using another backdoor dubbed MrPerfectionManager.

"Their recent activity suggests that Earth Simnavaz is focused on abusing vulnerabilities in key infrastructure of geopolitically sensitive regions," the researchers noted. "They also seek to establish a persistent foothold in compromised entities, so these can be weaponized to launch attacks on additional targets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf

PRESS RELEASE

SAN FRANCISCO, Oct. 10, 2024 /PRNewswire/ -- Relyance AI, the leading AI-powered data governance platform that provides complete visibility and control over enterprise-wide data, today announced a $32.1 million Series B funding round to scale operations and meet the needs of the exploding use of artificial intelligence in the enterprise. Thomvest Ventures led the round. M12, Microsoft Ventures Fund, also participated in addition to Cheyenne Ventures and existing investors Menlo Ventures and Unusual Ventures.

As demand for AI surges in the enterprise, global regulators are mandating data protection safeguards that companies find impossible to implement. At the same time, legal, security, and engineering teams are grappling with endless questions about how customer data is being used to train AI models. The impact? Executives are stifled by their inability to realize AI's innovation potential, and according to KPMG, more than two-thirds (76%) of enterprises are worried about data privacy and security when they partner with third parties. The result could be catastrophic: more than a quarter of the Fortune 500 identified AI regulation as a risk in annual reports to the SEC, and many continue to struggle with established data privacy regulations such as GDPR, which led to a record €2.1 billion in fines in 2023.

This has become a business-critical problem for all enterprises that was impossible to solve before Relyance AI's fully integrated governance platform. Until now, privacy and security have been seen as separate challenges, with one woefully unaware of the other. Privacy teams didn't know if their commitments to regulations and customers were being met, and security teams didn't know what data should be in AI models. Relyance AI marries the two into one joint solution, which is the only way to enable innovation while ensuring compliance in a rapidly evolving regulatory landscape.

"The era of accepting subpar privacy, DSPM, and AI governance solutions is over. Relyance AI sets a new standard where data protection and innovation are not mutually exclusive," said Abhi Sharma, CEO and co-founder of Relyance AI. "It's impossible to keep up with the current state of regulations, especially when GDPR, HIPAA, the EU's AI Act, and a mosaic of local U.S. privacy laws are all different and sometimes at odds. We're making it possible to demystify this and embolden the C-suite, engineers, and legal teams to urgently green-light AI in the enterprise with an integrated governance approach." 

Relyance AI safeguards businesses from fines and reputation damage while boosting customer trust to accelerate business growth. The platform provides complete visibility into enterprise-wide data processing and compares it against contractual commitments, global privacy regulations, and compliance frameworks. The company has scaled significantly to meet recent demand for these capabilities. In the first half alone, Relyance AI increased its enterprise customer base by 30%, and the company is projected to double its annual recurring revenue in 2024. Its client list now includes Coinbase, Fivetran, Verkada, Snowflake, Logitech, Plaid, and Notion.

"We're thrilled to lead the investment in Relyance AI, a unique, automated data governance platform that addresses the urgent need for real-time data visibility and compliance in a world of explosive data growth and emerging regulations," said Umesh Padval, Managing Director, Thomvest Ventures. "Relyance AI empowers Chief Privacy, Security, and Information Officers to manage data privacy and compliance, avoiding costly penalties while driving safe and responsible AI adoption. We are excited to partner with CEO Abhi Sharmaand his team, who have built a solution that transforms compliance into a competitive advantage, enabling businesses to scale AI with trust and transparency."

"The future of AI governance isn't about compliance alone – it's about building trust, transparency, and accountability into every layer of your technology," said Todd Graham, Managing Partner at M12. "Relyance AI is the catalyst for that transformation, paving the way for AI implementation that is both compliant and incredibly fast."

"With Relyance AI, we established enhanced visibility of data processing activities, seeing an impressive increase of 1,660% within three weeks of deployment," said Deborah Usry, Senior Privacy and Product Counsel at NextRoll. "What used to be a time-consuming manual process is now an automated task that produces a robust record of our processing activities."

The funding will further develop Relyance AI's platform and scale its go-to-market efforts in response to significant recent momentum. Learn more here.

About Relyance AI  
Relyance AI is the new standard for organizations trust and data governance infrastructure. Relyance AI is the only platform providing real-time visibility into how and where data is being used compared to customer agreements, global privacy regulations, and compliance frameworks. Companies of all industries and sizes – including Coinbase, Snowflake, Logitech, Plaid, Notion, and more – trust Relyance AI to safeguard businesses from fines and reputational damage and to deliver the most complete customer trust experiences.

Relyance AI Raises $32M Series B Funding to Safeguard AI Innovation in the Enterprise

The future of cybersecurity will be shaped by how well we manage the explosion of NHIs.

Source: Brain light via Alamy Stock Photo

COMMENTARY

Imagine a vast and invisible army silently infiltrating your organization's digital defenses. No, this isn't the plot of a sci-fi thriller — it's the reality of non-human identities (NHIs) in today's cybersecurity landscape. As a seasoned security architect, I've watched this hidden force grow from a manageable contingent to a sprawling, often ungoverned multitude that's keeping chief information security officers (CISOs) awake at night. 

In my journey across startups and Fortune 500 companies, I've witnessed firsthand the mixed effects of NHIs. They keep our digital machinery running smoothly — but they are also a potential treasure trove for attackers looking to exploit our blind spots. It's time to shine a light on this invisible army and develop strategies to harness its power while mitigating its risks. 

**The Scale of the Problem**

Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1. These NHIs include service accounts, system accounts, API keys, tokens, and other forms of machine-based authentication that facilitate the complex web of interactions in our modern digital ecosystem. 

**Why NHIs Matter**

1.  Attack surface expansion: Each NHI represents a potential entry point for attackers. With their often-elevated privileges and lack of human oversight, compromised NHIs can be a goldmine for malicious actors. 
    
2.  Visibility challenges: Unlike human users, NHIs often operate in the background, created by developers or systems without proper governance. This lack of visibility makes them a significant blind spot for many security teams. 
    
3.  Privilege sprawl: Studies show that only 2% of permissions granted for NHIs are actually used. This massive overprovisioning of access rights creates an unnecessary risk landscape. 
    
4.  Third-party risk: NHIs often facilitate connections to external services and partners. When these third parties experience a breach, your organization's NHIs become a potential vector for lateral movement. 
    

**Real-World Implications**

The importance of securing NHIs is more than just theoretical. Recent high-profile incidents underscore their critical role in modern attacks. 

Nation-state actors have demonstrated proficiency in abusing OAuth applications to move laterally across cloud environments. At the same time, major software companies like Microsoft and Okta have fallen victim to attacks leveraging compromised machine identities. In a recent Securities and Exchange Commission (SEC) filing, even Dropbox disclosed a material incident involving a compromised service account. 

**Practical Steps for Mitigation**

1.  Discovery and inventory: You can't secure what you can't see. Implement tools and processes to continuously discover and catalog NHIs across all environments, including software-as-a-service (SaaS) applications. 
    
2.  Posture management: Go beyond simple inventory. Understand the permissions associated with each NHI, their usage patterns, and the potential risk they pose. 
    

**A Call to Action**

The explosion of NHIs represents both a challenge and an opportunity for the cybersecurity community. While the scale of the problem can seem daunting, we're ahead of the curve compared to where we were with human identity access management (IAM) decades ago. 

In my conversations with CISOs and security leaders, I've started to see a shift in mindset. There's a growing recognition that NHI security needs to be elevated to a top-tier priority, on par with traditional IAM and network security initiatives. 

As we move forward, I'm cautiously optimistic. The technology and practices to secure NHIs are evolving rapidly. We can turn the tide on this silent tsunami of risk with the right mix of visibility, automation, and a security-first culture. 

The future of cybersecurity will be shaped by how well we manage the explosion of non-human identities. As security professionals, it's our responsibility to lead the charge in this new frontier of identity security. Are you ready to meet the challenge? 

**About the Author**

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

The Invisible Army of Non-Human Identities

In its latest Windows preview, Microsoft adds a feature — Administrator Protection — designed to prevent threat actors from easily escalating privileges and restrict lateral movement.

Source: Mundissima via Shutterstock

Microsoft has introduced a significant security upgrade in its latest preview edition of Windows that aims to lock down local administrator privileges, making it much harder for cyberattackers to exploit privilege escalation issues.

The feature, Administrator Protection, changes the ability to elevate privileges from a free-floating capability to a "just-in-time" event that is much more limited in scope. The coming feature shifts the way Windows handles administrator permissions, moving from a split-token model gated by the User Account Control (UAC) prompt to an isolated, shadow environment managed by the system. This shadow administrator account disappears as soon as the designated task is completed, making it much harder for a cyberattacker to abuse the administrator's elevated privileges for malicious actions.

The feature will limit the scope of an elevation of privileges for administrator-enabled accounts, says Rudy Ooms, a technical content creator at Patch My PC, who published a technical analysis of the feature.

"The old legacy concept is that you have a split token, and it's not that secure," Ooms says. "With the new Administrator Protection, things change, and it completely reimagines this approach by eliminating the direct use of the split tokens and replacing it with a hidden system, managed account."

The feature should make it much harder for cyberattackers using living-off-the-land techniques to elevate their privileges and co-opt administrator access on compromised systems. Post-compromise, most attackers use common applications — such as PowerShell and system services — paired with administrative privileges to move laterally.

The Administrator Protection feature is the latest tactic in software firms' push toward eliminating poor trust models in their software. It's also a dramatic improvement from the days of pass-the-hash attacks, where attackers could gain elevated privileges without knowing the administrator's credentials. With this new feature, attackers can still use the administrator's credentials to try to escalate privileges, but the window to do so is much smaller.

"Attackers have to rethink all their old tricks," says Jason Soroko, a senior fellow at certificate management firm Sectigo. "It impacts the ability for an attacker to be able to walk around as the administrator, and so living off the land is \[less of a threat\] because organizations have a lot of tools that are installed that are of great usage to the attacker."

**Administrators' Split Personalities on Windows**

Microsoft's current approach to handling elevated privileges is to give administrator accounts a "split token." The user account will by default be treated as a standard user — and with the same token, "TokenElevationTypeDefault" — limiting privileges. When a user attempts an action requiring administrative privileges, they must use the UAC feature to elevate their token to "TokenElevationTypeFull."

The split-token concept is a good approach, but it has problems, says Ooms.

"The problem here is this approach keeps admin rights relatively hidden but not inaccessible," he says. "Once the elevated admin token is activated, any malware running in the background can potentially hijack it and perform malicious actions. Essentially, while split tokens are better than running as an 'always-on' admin, they are still vulnerable to those kinds of attacks."

If Administrator Protection is enabled, users who elevate their privilege will switch to an isolated, managed system administrator account that protects the administrator token, according to Ooms's technical analysis.

"In my opinion, it will increase the security posture a lot because it reduces the attack surface," he says.

**Purpose-Built Accounts, Better Monitoring**

Microsoft declined to comment on the feature, but a spokesperson says the company plans to share more information at its Microsoft Ignite technology conference in November.

In the release notes for its Windows Preview, the company stated: "Administrator protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy."

While the feature will significantly improve system security, the instantiation and destruction of a shadow administrator account for specific tasks is also a boon to companies monitoring account activity, says Sectigo's Soroko.

"If you're monitoring privileged accounts, then your ability to monitor these short-lived privileged accounts and make sure they're not walking around doing something that they shouldn't \[is much better\]," he says. "You are able to contextualize what that account was created for, there's now new opportunities for people who are defending."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Microsoft Previews New Windows Feature to Limit Admin Privileges

Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach.

Thursday, October 10, 2024 14:00

Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.” 

The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for the ways website and organizations should handle password creation and management that will do away with many of the “common sense” things we’ve thought about passwords for years now.  

Here is a tl;dr version of what these proposed guidelines say: 

*   Passwords need to be at least eight characters long, and sites should have an additional recommendation to make them at least 15 characters long. 
*   Credential service providers (CSPs) should allow users to make their passwords as long as 64 characters. 
*   CSPs should allow ASCII and Unicode characters to be included in passwords. 
*   Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach. 
*   There should not be requirements to implement a certain number of numbers or special characters into passwords. (Ex., “Password12345!”) 
*   Do away with knowledge-based authentication or security questions when selecting passwords. (Think: “What was the name of your college roommate?”) 

Now, we should make a few things here clear. Just because NIST is proposing these doesn’t mean anyone \*has\* to abide by them, these are merely guidelines that some of the larger tech companies in the U.S. can choose to adopt. And these are proposed rules for the time being, meaning the public and tech companies have time to weigh in on the matter before they are codified in any way. 

While these proposals may seem counterintuitive, it should make traditional text-based login credentials more manageable for users and admins. Studies have shown that requiring a mixture of special characters and numbers has led users to create easier-to-guess passwords like “$ummer2024!” or “P@ssword”.  

And policies that require users to change their passwords often have led them to create passwords that are neigh-impossible to remember, so users end up storing these passwords in easy-to-locate places near their computers, like on a physical piece of paper or saved to a .txt file on their desktop.  

The hope from NIST is that enforcing longer passwords will make it harder for adversaries to guess and less intimidating for users to manage their passwords. 

Of course, using a third-party password manager is usually the most secure option for anyone. But what NIST is proposing is still a step in the right direction, and if nothing else will make those of us who are more security-minded have a better time when creating a new account.  

**The one big thing **

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings. October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities. The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.   

**Why do I care? **

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability. The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.   

**So now what? **

Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041. 

**Top security headlines of the week  **

**Chinese state-sponsored actors are suspected to have breached several U.S. telecommunications providers to spy on U.S. government phone calls.** AT&T, Verizon and Lumen may have all been victims of the alleged counter-spying operation from the newly named APT Salt Typhoon. The actor potentially accessed information from systems that the U.S. government uses for court-authorized network wiretapping requests, all in the name of trying to steal government secrets. Though it’s still unclear how long Salt Typhoon had access to these networks, it’s clear they at least spent a few months on these networks, commonly used to cooperate with lawful U.S. requests for communication data. The attackers may have also accessed large amounts of other generic internet traffic through this operation. A separate Chinese APT known as Volt Typhoon became a major topic of conversation earlier this year for allegedly trying to infiltrate networks at U.S. military bases and other critical infrastructure sites. (Wall Street Journal, Washington Post) 

**Microsoft and the U.S. Department of Justice announced they had deactivated more than 60 domains and other attacker infrastructure associated with the Russian state-sponsored ColdRiver group.** ColdRiver is believed to be connected to Russia’s Federal Security Bureau (FSB) and recently has targeted non-governmental organizations, think tanks, military officials and intelligence officials in Ukraine and NATO countries. "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," U.S. Deputy Attorney General Lisa Monaco stated during the announcement of the disruption. ColdRiver (aka Callisto Group, Seaborgium and Star Blizzard) has been active since at least 2017. The U.S. State Department is now also offering up to a $10 million reward for any information that could help locate or identify any individual members of ColdRiver. (Security Magazine, Bleeping Computer) 

**With genetic testing company 23AndMe floundering, customers are left wondering what could happen to their personal information if the company goes bankrupt or goes out of business altogether.** 23AndMe, known for collecting DNA samples from customers and then providing them with a report about their ancestry, has lost millions of dollars in its valuation and stock price over the past few years.  However more than 15 million individuals have submitted their DNA to the company since it was founded in 2006, and privacy advocates are warning them to manually delete their data now before anything happens to the company. The company also has several data-sharing agreements with other private companies, which use 23AndMe data to conduct other studies and research. And because 23AndMe’s services do not fall under health care in the U.S., the company does not have to adhere to traditional HIPAA rules. Last year, the company was hit with a massive data breach that it said affected 6.9 million customer accounts, including 14,000 people who had their passwords stolen. U.S. law enforcement has also tried to access the company’s data in the past (requests that have been declined), and it is unclear if those requests would be allowed should the company no longer exist. (NPR, Business Insider) 

**Can’t get enough Talos? **

*   Cisco Talos: Advanced intelligence for global cyberthreats 
*   New MedusaLocker Ransomware Variant Deployed by Threat Actor 
*   MedusaLocker ransomware variant paired with ‘paid\_memes’ toolkit 
*   Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG

**SHA 256:** c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a   
**MD5:** 3bc6d86fc4b3262137d8d33713ed6082   
**Typical Filename:** 8c556f0a.dll   
**Claimed Product:** N/A   
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3   
**MD5:** 0d849044612667362bc88780baa1c1b7   
**Typical Filename:** CryptX.dll   
**Claimed Product:** N/A    
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814   
**MD5:** f23b90fc9bc301baf3e399e189b6d2dc   
**Typical Filename:** B.dll   
**Claimed Product:** N/A     
**Detection Name:** Gen:Variant.Lazy.605353

What NIST’s latest password standards mean, and why the old ones weren’t working

CVE description:

Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.


----- original report -----
# Cause
authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned.

`authd` only checks for uniqueness [within its local cache](https://github.com/ubuntu/authd/blob/4946962aa4ac6e5b7d2b53503026659581c73907/internal/users/cache/update.go#L67-L71), which
- may be inconsistent across multiple systems within the same domain ;
- may be purged, due to being stored in `/var/cache` ;
- automatically removes entries of users who have not logged into that specific system within the last 6 months.

The current `GenerateID` method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690),
repeatedly hashes the user name until the 4 leading bytes fall into the interval [60 000; 2³¹[ :
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188

Previous versions are affected by similar issues, though without the use of a cryptographic hash in `GenerateID`, making exploitation computationally-easier.


# Impact

Since GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can
- register multiple users with colliding IDs, or
- register a single user whose ID collides with a target user's, whether one managed by `authd`, or a system user whose well-known ID is in a range which [overlaps `authd`'s].

In the latter case, as all access control performed by the Linux kernel (and other Unices' kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user.  The attacker can bypass the uniqueness check in (at least) the following ways:
- engineer a situation where the system administrator purges `/var/cache` ;
- target a system account [whose UID is in `authd`'s range](https://github.com/ubuntu/authd/issues/547) ;
- target an account which hasn't logged into a specific system in more than 6 months.
  Note that this isn't limited to inactive accounts *within the entire domain*, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example:
  - user `alice` is known to log into `1.example.com` ;
  - the attacker computes a preimage (a username which yields the same UID), let's call it `bob` ;
  - the attacker creates the account `bob` and logs into `2.example.com`, succeeding if alice hasn't (recently) logged into that system ;
  - the attacker can now manipulate resources exposed on `2` as if they were alice; assuming `/home` is shared, they could manipulate `~alice/.ssh/authorized_keys`, `~alice/.config`, alice's shell's initialization file, etc.
    Note: NFSv4's `idmap` mechanism may prevent this, but isn't enabled by default (unless Kerberos is used, which isn't the case in an `authd` deployment)
  - at that point, gaining code execution as alice on `1.example.com` is usually trivial.

Since the necessary computation can be performed entirely offline, this wouldn't be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2³¹ computations of `GenerateID`: assuming SHA-256's cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (≤32B) generated usernames, this is less than 10 minutes of a single core's time.

[overlaps `authd`'s]: https://github.com/ubuntu/authd/issues/547

# Remediation

The simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range.
In OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there's no real standard:
- CERN uses `cern_person_id`: https://auth.docs.cern.ch/user-documentation/oidc/config/ ;
- Okta, Zitadel, and many other IdPs, require the realm's administrator to define a custom attribute, conventionally called `uid` or `uidNumber` ;
- etc.

This is also supported by other commonplace identity providers, such as LDAP and Active Directory:
https://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber

MS Entra presumably supports this as well.


If that is not possible for some reason, architectural changes to authd would likely be required:
assigning user IDs from a small space (such as Linux's 32b UIDs) requires mutable state to ensure uniqueness, whereas authd's design currently assumes no mutable state is held, aside from some transient, local cache.
Moreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem.


# Acknowledgements

Thanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd.

CVE description:

Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.

\----- original report -----

**Cause**

authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned.

authd only checks for uniqueness within its local cache, which

*   may be inconsistent across multiple systems within the same domain ;
*   may be purged, due to being stored in /var/cache ;
*   automatically removes entries of users who have not logged into that specific system within the last 6 months.

The current GenerateID method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690),  
repeatedly hashes the user name until the 4 leading bytes fall into the interval \[60 000; 2³¹\[ :  
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425  
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188

Previous versions are affected by similar issues, though without the use of a cryptographic hash in GenerateID, making exploitation computationally-easier.

**Impact**

Since GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can

*   register multiple users with colliding IDs, or
*   register a single user whose ID collides with a target user's, whether one managed by authd, or a system user whose well-known ID is in a range which overlaps authd's.

In the latter case, as all access control performed by the Linux kernel (and other Unices' kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user. The attacker can bypass the uniqueness check in (at least) the following ways:

*   engineer a situation where the system administrator purges /var/cache ;
*   target a system account whose UID is in authd's range ;
*   target an account which hasn't logged into a specific system in more than 6 months.  
    Note that this isn't limited to inactive accounts _within the entire domain_, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example:
    *   user alice is known to log into 1.example.com ;
    *   the attacker computes a preimage (a username which yields the same UID), let's call it bob ;
    *   the attacker creates the account bob and logs into 2.example.com, succeeding if alice hasn't (recently) logged into that system ;
    *   the attacker can now manipulate resources exposed on 2 as if they were alice; assuming /home is shared, they could manipulate ~alice/.ssh/authorized_keys, ~alice/.config, alice's shell's initialization file, etc.  
        Note: NFSv4's idmap mechanism may prevent this, but isn't enabled by default (unless Kerberos is used, which isn't the case in an authd deployment)
    *   at that point, gaining code execution as alice on 1.example.com is usually trivial.

Since the necessary computation can be performed entirely offline, this wouldn't be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2³¹ computations of GenerateID: assuming SHA-256's cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (≤32B) generated usernames, this is less than 10 minutes of a single core's time.

**Remediation**

The simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range.  
In OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there's no real standard:

*   CERN uses cern_person_id: https://auth.docs.cern.ch/user-documentation/oidc/config/ ;
*   Okta, Zitadel, and many other IdPs, require the realm's administrator to define a custom attribute, conventionally called uid or uidNumber ;
*   etc.

This is also supported by other commonplace identity providers, such as LDAP and Active Directory:  
https://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber

MS Entra presumably supports this as well.

If that is not possible for some reason, architectural changes to authd would likely be required:  
assigning user IDs from a small space (such as Linux's 32b UIDs) requires mutable state to ensure uniqueness, whereas authd's design currently assumes no mutable state is held, aside from some transient, local cache.  
Moreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem.

**Acknowledgements**

Thanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd.

**References**

*   GHSA-4gfw-wf7c-w6g2
*   https://nvd.nist.gov/vuln/detail/CVE-2024-9312
*   https://www.cve.org/CVERecord?id=CVE-2024-9312

GHSA-4gfw-wf7c-w6g2: Authd allows attacker-controlled usernames to yield controllable UIDs

Palo Alto Networks GlobalProtect versions 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.3.x and versions less than 6.2.5 suffer from a local privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241009-0 >  
=======================================================================  
              title: Local Privilege Escalation via MSI installer  
            product: Palo Alto Networks GlobalProtect  
 vulnerable version: 5.1.x, 5.2.x, 6.0.x, 6.1.x, <6.2.5, 6.3.x  
      fixed version: >=6.2.5, all other versions are not patched yet  
         CVE number: CVE-2024-9473  
             impact: high  
           homepage: https://docs.paloaltonetworks.com/globalprotect  
              found: 2023-11-16  
                 by: Michael Baer (Office Fürth)  
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or  
Prisma Access to secure your mobile workforce."

Source: https://docs.paloaltonetworks.com/globalprotect

Business recommendation:  
------------------------  
The vendor provides a patched version v6.2.5 which should be installed immediately.  
Further affected branches will be patched by the vendor in the future, except  
branch 5.2.x which is EOL. Users are urged to upgrade to the most recent versions.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
The configuration of the GlobalProtect MSI installer file was found to  
produce a visible conhost.exe window running as the SYSTEM user when using   
the repair function of msiexec.exe. This allows a local, low-privileged  
attacker to use a chain of actions, to open a fully functional cmd.exe  
with the privileges of the SYSTEM user. 

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
For the exploit to work, GlobalProtect has to be installed via the MSI file.  
Afterwards, any low-privileged user can start the repair of GlobalProtect by  
double-clicking the installer and trigger the vulnerable actions  
without a UAC popup. The installer, if deleted from it's original location,  
can be found in C:\Windows\Installer with a randomized name.

During the repair process, the subprocess PanVCrediChecker.exe gets  
called with SYSTEM privileges and performs a read action on the file   
"C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll".

This can be used by an attacker by simply setting an oplock on the file.  
As soon as it gets read, the process is blocked until the lock is released.  
To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll" x  
See figure 1 [lock.webp]

During the repair process, the locked file is accessed several times. The lock  
has to be released by pressing ENTER five times before the conhost.exe  
window opens. For the sixth request, the lock should not be released to keep the  
window open. The conhost window that gets opened when PanVcrediChecker.exe is  
executed doesn't close and can then be interacted with.

The attacker can then perform the following actions to   
spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties [ see figure 2 openbrowser.webp]  
- Under options, click on the "new console features" link [see figure 2  
    openbrowser.webp]  
- Open the link with e.g. firefox or chrome [see figure 2 openbrowser.webp]  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter [see figure 3 cmd.webp]

Note that this does not work using a recent version of the Edge Browser.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the only versions  
available to SEC Consult at the time of the test. SEC Consult was not  
entirely sure, which exact version the product was:  
- ProductVersion as stated by the PropertyTable: 5.2.10  
- Version as stated by Windows after installing: 5.1.5  
- 6.1.2 is affected as well

The vendor confirmed that versions <6.2.5 are affected. Furthermore,  
all other branches 5.1.x, 5.2.x, 6.0.x, 6.1.x and 6.3.x are affected  
as well. Branch 5.2.x is end of life according to the vendor and will  
not be patched.

Vendor contact timeline:  
------------------------  
2023-11-17: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for most recent software version  
2023-11-21: Vendor confirms receipt of contact  
2023-11-23: Vendor denies providing most recent version and asks for  
            full technical report via their online form:  
            https://security.paloaltonetworks.com/report  
            Note: Submitting the advisory draft via online form  
            repeatedly results in server errors  
2023-11-23: Sending the advisory via PSIRT@PaloAltoNetworks.com  
2024-01-11: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for confirmation of receiving the advisory and  
            status of their triage.  
2024-01-12: Vendor confirms receiving the advisory.  
            The issue is tracked internally.  
2024-03-06: Contacting vendor through PSIRT@PaloAltoNetworks.com   
            asking for update of the vulnerability.  
2024-04-02: The vendor notifies that the product team is working  
            on the report.  
2024-04-08: Asking vendor to notify about updates and the timeline  
            of a fix.  
2024-04-24: Vendor was able to reproduce the issue, but not in the  
            most recent versions. 5.1.5 is affected, but not 5.2.10  
            nor 5.1.12, nor 6.2.2.  
2024-05-23: Asking vendor about affected/fixed versions and regarding  
            CVE number.  
2024-05-30: Vendor apologizes for version confusion, following up with team  
            internally. Vendor plans to publish an advisory with CVE, but  
            no date yet, asks us to wait/coordinate our advisory with theirs.  
2024-06-03: Answering that we will wait for their release & advisory.  
2024-06-17: Asking for a status update regarding the version numbers &  
            advisory release.  
            Vendor: no ETA/timeline yet, no version information.  
2024-09-25: Asking for a status update regarding the vendor advisory and for  
            confirmation of the available fixes.  
2024-09-27: Vendor investigated further and previous versions are unfortunately  
            affected as well. Product team works on a fix, advisory & CVE  
            release scheduled for 9th October 9 AM PT.  
2024-09-27: Acknowledging the coordinated advisory release for 9th October.  
2024-10-03: Vendor communicates further information regarding affected versions  
            and their advisory draft.  
2024-10-07: Vendor confirms 5.2.x as affected as well, but is EOL without fix.  
2024-10-09: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides an updated version v6.2.5 which fixes the issues for this  
specific branch. Other versions are not yet patched and will be fixed in future  
releases.

Further information can be found at the vendor's website.  
https://security.paloaltonetworks.com

Users are urged to upgrade to the latest version and remove old versions  
of the MSI installer, especially users of v5.2.x as this branch is EOL and won't  
receive an update.

SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer, Johannes Greil / 2024

Palo Alto Networks GlobalProtect Local Privilege Escalation

Boston and London, U.S. and U.K., 10th October 2024, CyberNewsWire

**Boston and London, U.S. and U.K., October 10th, 2024, CyberNewsWire**

The agreement has marked over 600,000 fraudulent domains for takedown in just two months through automated defense and proactive prevention. Abusix and Red Sift to hold exclusive webinar sharing insights on transforming cyber attack mitigation.

Abusix, an organization specializing in internet abuse prevention, and Red Sift, a leader in misconfiguration and exposure management, have announced a new partnership aiming to transform how organizations can navigate from a reactive to a proactive approach for managing security risk.

Cyber threats such as email phishing, business email compromise (BEC), and brand impersonation remain persistent challenges for organizations globally. Addressing these issues requires both visibility and automation to enable faster detection and mitigation of such attacks.

Addressing these challenges head on, Abusix and Red Sift’s partnership aims to offer security teams visibility and action to neutralize risks preemptively. Since the agreement was enabled in August 2024, over 630,000+ domains have been marked for takedown. This outcome is attributed to Abusix’s real-time reporting capabilities for the swift identification of potential threats, and Red Sift’s ability to transform data into actionable defenses and real-time value for its customers. This is enabled through Red Sift leveraging Abusix’s data in both Red Sift OnDMARC and Red Sift Brand Trust. 

> **Rahul Powar, CEO and Co-Founder of Red Sift said:** “We find ourselves in an ever changing landscape where new attacks and methods for cyber abuse are ever prevalent. Working together with Abusix, we are harnessing new innovation and knowledge sharing to offer increased visibility to a wider remit of large enterprises and small businesses that are vulnerable to cyber threat. This in turn allows us to provide real-time solutions to mitigate against costly reputational damage and shift the industry’s approach from reactive to proactive.” 

> **Tobias Knecht, CEO and Founder of Abusix said:** “It’s not just about sharing data—it’s about sharing it with the right organizations. 95% of all attacks on enterprises originate from service provider and hosting provider networks. Enabling rapid takedowns by sharing actionable intelligence with service providers and hosting providers is a crucial step in reducing overall attack volume at its core. Through our partnership with Red Sift and their unique data solutions, we are taking a significant step forward in safeguarding the internet and improving network security overall.”

The newly formed collaboration is a move to raise the effectiveness and application use of email threat data for cybersecurity across the board and to upgrade the industry’s approach to attack mitigation. Together, the two companies are addressing ongoing critical gaps in the cybersecurity landscape by addressing crucial business needs for increased domain security and prevention of brand abuse. 

Those interested can join an exclusive webinar to learn how Abusix and Red Sift are transforming cyber attack mitigation — readers can reserve a spot today and hear about proactive strategies to protect organizations from email phishing, brand impersonation, and other emerging threats.

Readers can also learn more about the partnership’s Success Story here.

****About Abusix****

Abusix transforms vast amounts of real-time data into actionable insights, helping organizations protect against cyber threats. Its unique data ecosystem enables security teams across all sectors to proactively mitigate attacks by pinpointing the origins of cyber abuse. By enabling collaboration between enterprises, security vendors, and service providers, Abusix works to reduce the overall volume of attacks, driving a more secure internet. 

Abusix serves a global client base, including Cloudflare, Amazon Web Services (AWS), Vodafone, Digital Ocean, and multiple government organizations worldwide. Dedicated to enhancing the global security ecosystem, Abusix continues to make threat intelligence accessible and impactful across industries. Readers can learn more at abusix.com

****About Red Sift****

Red Sift aims to enable organizations to anticipate, respond to, and recover from cyber attacks while continuing to operate effectively. The award-winning Red Sift Pulse Platform is an integrated solution that combines four interoperable applications, internet-scale cybersecurity intelligence, and innovative generative AI that intends to put organizations on a path to cyber resilience. 

Red Sift is a global organization supported by a diverse team across 15 countries. It boasts an international client roster that includes Capgemini, Domino’s, ZoomInfo, Athletic Greens, and several leading law firms. Red Sift is the official DMARC provider for Cisco and a trusted partner for Microsoft and Entrust, among others. Readers can learn more at redsift.com

**Contact**

**Head of Marketing**  
**Serena Li**  
**Abusix**  
**\[email protected\]**

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The average higher education institution is getting hit once a week now, and as one University of Oregon attack shows, the sector often lacks the resources to keep pace.

Source: Simon Turner via Alamy Stock Photo

The education sector is facing thousands of cyberattacks per week these days — especially universities, a good portion of which experience at least one incident per week.

Education was the third most targeted industry in second quarter of 2024, according to Microsoft's latest "Cyber Signals" report. This finding corroborates data from Check Point Software, indicating that the education and research sectors now face more than 2,500 attacks weekly, up 15% over the past couple of years.

The US has it the worst, but schools and related organizations across the world face the same sorts of risks. In Europe, for example, 43% of institutes of higher education report experiencing a cyber incident at least once a week, if not more often. Schools for earlier age groups faced significantly less frequent attacks (13% to 16%).

As Microsoft explained, education makes for a uniquely soft target, combining the vulnerabilities, blind spots, and legacy infrastructure issues endemic to various other major industries, but all in one package.

**Education Sector Is an "Industry of Industries"**

Schools — in particular, universities — tend to combine the functions of many kinds of organizations in one package.

A university is also a financial institution with lending capabilities (sometimes even more the latter than the former), and a healthcare and housing provider to its students and faculty. Schools at every level host payment processing systems, websites and email domains, and networks that, especially since the COVID-19 pandemic, can resemble Internet service providers. They employ food service and athletics staff, and host events. They might be in possession of potentially sensitive research data, and all of them have to manage the full spectrum of personally identifiable information (PII) belonging to usually thousands of people at once.

It follows, then, that educational institutions enjoy all of the cybersecurity challenges any other industry faces. New and legacy technologies commingle. Public schools struggle with funding. Cybersecurity talent is tough to find and retain. Students and teachers bring their own devices on and off campus every day, each one potentially carrying malware. And virtual learning extends the attack surface outward.

In some ways, these issues affect schools to a greater degree than they do other industries. For instance, bring your own device (BYOD) risk is one thing in a corporate environment, where employees can be educated in cyber-risk, but it's an entirely different beast at schools, where those devices belong to children.

Or, consider QR codes. According to Microsoft's telemetry, more than 15,000 malicious phishing and spam messages are directed to educational institutions every day, with so-called "quishing" on the rise.

In open and collaborative environments like schools, "defenses that typically would be in place to help reduce the noise and create more effective defenses don't always work," explains Corey Lee, security chief technology officer (CTO) for Microsoft's M365 Security.

Schools tend to pass around lots of QR codes, but lack the same rigor in vetting the messages they travel with. "A lot of that has to do with the fact that email filters are not the same in education environments. Post-detection and response capabilities aren't always the same in education environments. So when we have business email compromise attacks that use advanced lures like QR codes, it becomes very hard to detect and respond to," Lee says.

**Taking Hackers to School**

In 2021, Oregon State University experienced a cyberattack "unlike anything before," Microsoft wrote. In the aftermath, it established its own security operations center.

A number of universities have done the same, or more. Louisiana State University (LSU), the University of Cincinnati, and California Polytechnic State University all operate SOCs. In Texas, the state's Department of Information Resources (DIR) oversees a Regional Security Operations Center in collaboration with Angelo State University in San Angelo.

"Education, as a sector, doesn't necessarily have lots of advanced personnel just sitting around, not doing anything. Oftentimes, \[security staff\] wear multiple hats, and they're limited," Lee explains. Luckily, universities have a significant, untapped pool of potential talent waiting to be activated.

"The challenge oftentimes is being addressed by scaling through students — being able to activate students to help them join in on the fight and be effective and efficient security defenders for the school."

Student-staffed SOCs serve multiple functions at once: not only helping to protect universities, but also other nearby educational, government, or even private organizations, all while training a new generation of cybersecurity talent. As Lee says, "They're helping to address the security skill shortage, while defending home base."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft: BYOD, QR Codes Lead Rampant Education Attacks

Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types.

Thursday, October 10, 2024 06:00

While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly.  

This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers.  

Thankfully, these problems can usually be solved by importing Ghidra data type archive files (.gdt) that contain the relevant definitions.  

However, it is not uncommon that the definitions in question aren’t available in a preexisting .gdt file, meaning a new definition must be created manually. Additionally, in some cases, the function or data type may be undocumented by Microsoft, making the process of creating a new definition a more tedious process.  

To aid analysts in reverse engineering Windows drivers, Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types that have been created as needed during our analysis of malicious drivers, as they were not present in the commonly used data type archives.  

It is important to note that this archive is not intended to contain all undocumented Windows functions or serve as a replacement for other available data type archives, but as a supplement to them. This is a long-term project that will continue to grow when new definitions are created by our analysts and added to the public release.  

The archive can be found here on our GitHub repository.

Tag

#microsoft