Brief #9: Microsoft's Key Breach, US Military Emails Leak

TL;DR

• Microsoft's Stolen Key: A Skeleton Key to Azure Services
• Top Secret US Military Emails Misdirected to Mali Due to Typo
• Critical Vulnerabilities in Citrix ADC and Gateway Actively Exploited - Immediate Action Required
• Sophos Name Abused by New Ransomware Variant, SophosEncrypt
• AI Titans Pledge for Secure and Transparent AI Development

Microsoft's Stolen Key: A Skeleton Key to Azure Services

• A stolen Microsoft security key, allegedly by Beijing-backed spies, allowed unauthorized access to Microsoft's online services.
• The key was used to craft access tokens, granting access to Microsoft customer's email systems, including those of US government officials.
• Microsoft has revoked the compromised key but is yet to disclose how it was obtained.
• Security researchers from Wiz suggest that the compromised key could have been used to access a wider range of services than initially reported by Microsoft.

In a significant cybersecurity incident, a Microsoft security key was stolen, allegedly by Beijing-backed spies, granting them unauthorized access to Microsoft's online services. The key was used to craft access tokens, allowing the spies to access Microsoft customer's email systems, including those of US government officials. The breach was detected by a federal government agency, which raised the alarm.

Microsoft has since revoked the compromised key but has not publicly disclosed how it was obtained. The incident has raised serious questions about the security of Microsoft's online services, with the potential implications of the breach being far-reaching.

Security researchers from Wiz, an infosec outfit founded by former Microsoft cloud security engineers, have suggested that the compromised key could have been used to access a wider range of services than initially reported by Microsoft. This includes Microsoft applications using OpenID v2.0 access tokens for account authentication, such as Outlook, SharePoint, OneDrive, and Teams, as well as customer's own applications that support the "login with Microsoft" functionality.

Microsoft has pushed back on these claims, stating that many of the claims made are speculative and not evidence-based. The company has also expanded security logging availability, making it free for more customers by default, to help manage an increasingly complex threat landscape.

Top Secret US Military Emails Misdirected to Mali Due to Typo

• A simple typo has caused millions of emails intended for the US military to be sent to Mali, a pro-Russia state in West Africa.
• The typo involves the misspelling of the suffix used at the end of all US military email addresses (.mil) as .ml, which is the country identifier for Mali.
• The misdirected emails, which have been occurring for over a decade, include sensitive information such as medical data, passport details, crew lists, photos of bases, details of internal investigations, and travel plans.
• The issue has been raised with various US officials, and the Department of Defense has implemented policy, training, and technical controls to prevent such incidents.

Millions of emails intended for the US military have been inadvertently sent to Mali, a pro-Russia state in West Africa, due to a simple typo. The error involves the misspelling of the suffix used at the end of all US military email addresses. Instead of using ".mil," people have been typing ".ml," which is the country identifier for Mali.

This so-called "typo leak" has been happening for over a decade, and the misdirected emails contain sensitive information. This includes personal data about military contractors, serving personnel, and their families, such as medical data, passport details, crew lists, photos of bases, details of internal investigations, and travel plans.

The issue was discovered by Johannes Zuurbier, a Dutch entrepreneur who was contracted to manage the .ml domain. He has raised the issue with various US officials, including the US embassy in Mali, and has been gathering misdirected emails in an attempt to convince American authorities to address the problem.

The Department of Defense (DoD) has acknowledged the issue and has implemented policy, training, and technical controls to prevent such incidents. However, the risk remains, especially as Zuurbier's contract to manage the .ml domain has expired, and the Malian government will now be able to access the misdirected emails. This incident highlights the potential security risks that can arise from seemingly innocent typos and the importance of stringent cybersecurity measures.

Critical Vulnerabilities in Citrix ADC and Gateway Actively Exploited - Immediate Action Required

• Citrix has issued an alert about a critical vulnerability (CVE-2023-3519) in Netscaler ADC and Netscaler Gateway.
• The vulnerability is being actively exploited in the wild.
• The vulnerability allows an attacker to execute code remotely without authentication.
• Citrix strongly urges customers to install updated versions without delay.

Citrix has discovered a critical vulnerability (CVE-2023-3519) in its Netscaler ADC and Netscaler Gateway products, formerly known as Citrix ADC and Citrix Gateway. The vulnerability has a severity score of 9.8 out of 10 and is currently being exploited in the wild. The vulnerability allows an attacker to execute code remotely without authentication, provided the vulnerable appliance is configured as a Gateway VPN virtual server, ICA proxy, CVPN, RDP proxy, or an authentication virtual server (AAA server).

Citrix has observed exploits of CVE-2023-3519 on unmitigated appliances and strongly advises its customers to switch to an updated version that fixes the issue. The updated versions include Netscaler ADC and Netscaler Gateway 13.1.4913 and later releases, 13.0.9113 and later releases of 13.0, 13.1FIPS 13.1.37159 and later releases of 13.1FIPS, 12.1FIPS 12.1.55297 and later releases of 12.1FIPS, and 12.1NDCPP 12.1.55297 and later releases of 12.1NDCPP.

In addition to CVE-2023-3519, the updates also include fixes for two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467. CVE-2023-3466 is a reflected cross-site scripting (XSS) issue, while CVE-2023-3467 allows an attacker to elevate privileges to those of a root administrator (nsroot). Both vulnerabilities require specific conditions to be exploited.

Citrix strongly urges affected customers to install the relevant updated versions as soon as possible.

Sophos Name Abused by New Ransomware Variant, SophosEncrypt

• A new ransomware-as-a-service (RaaS) called SophosEncrypt has been discovered, impersonating the cybersecurity firm Sophos.
• The ransomware uses the 'Sophos' name in its ransom note and the '.sophos' extension for encrypted files.
• The ransomware executable is written in Rust and uses AES256-CBC encryption with PKCS#7 padding.
• The ransomware connects to a command-and-control server address and has been associated with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software.

SophosEncrypt, a newly discovered ransomware-as-a-service (RaaS), is impersonating the well-known cybersecurity provider Sophos. The ransomware uses the 'Sophos' name in its ransom note and the '.sophos' extension for encrypted files. The executable is written in Rust and uses AES256-CBC encryption with PKCS#7 padding.

When executed, the ransomware prompts the affiliate to enter a token associated with the victim that is likely first retrieved from the ransomware management panel. It then connects to a command-and-control server to verify the token's validity. The ransomware also prompts the affiliate for additional information to be used when encrypting the device, including a contact email, jabber address, and a 32-character password.

SophosEncrypt has the capability to change the Windows desktop wallpaper, displaying the 'Sophos' brand that it is impersonating. It also contains numerous references to a Tor site, which appears to be the affiliate panel for the ransomware-as-a-service operation.

The ransomware's command and control server at 179[.]43[.]154[.]137 has been linked to Cobalt Strike C2 servers used in previous attacks. The server has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software.

Researchers are still analyzing SophosEncrypt to see if any weaknesses could allow the recovery of files for free. If any weaknesses, or encryption issues, are found, updates will be provided.

AI Titans Pledge for Secure and Transparent AI Development

• Seven leading US tech companies, including Amazon, Google, Meta, Microsoft, and OpenAI, have voluntarily committed to new safeguards for AI development.
• The commitments aim to manage the risks of advanced AI systems and focus on three fundamental principles: safety, security, and trust.
• The announcement came during a White House meeting, where President Joe Biden outlined his administration's goals for constructing public safeguards for AI tools.
• The commitments will be implemented immediately, addressing growing concerns about the abilities of AI tools to generate human-like content.

In a significant move towards responsible AI innovation, seven US tech giants have pledged to adhere to new safeguards in AI development. The companies, including Amazon, Google, Meta, Microsoft, and OpenAI, made this commitment in response to a growing list of concerns about the capabilities of AI tools to generate content that is increasingly difficult to distinguish from human-produced content.

The announcement was made at a White House meeting, where President Joe Biden outlined the goals of his administration in constructing public safeguards for these breakthrough digital tools. The President acknowledged the enormous risk that AI poses to society, economy, and national security, but also highlighted the incredible opportunities it offers.

The commitments, which will be implemented immediately, underscore three fundamental principles: safety, security, and trust. They come at a time when lawmakers are struggling to construct new regulatory oversight for the fast-moving AI industry. Despite efforts such as the creation of an AI Bill of Rights and executive action to limit the use of discriminatory computer algorithms by federal agencies, the need for industry-wide commitments to responsible AI innovation is more pressing than ever.