Brief #9: Microsoft's Key Breach, US Military Emails Leak

Mandos Brief, Week 29 2023: Microsoft's security key breach, a typo causing US military emails leak, vulnerabilities in Citrix, SophosEncrypt malware and more.



Microsoft's Stolen Key: A Skeleton Key to Azure Services

In a significant cybersecurity incident, a Microsoft security key was stolen, allegedly by Beijing-backed spies, granting them unauthorized access to Microsoft's online services. The key was used to forge access tokens, allowing the spies to access Microsoft customers' email systems, including those of US government officials. The breach was detected by a federal government agency, which raised the alarm.

Microsoft has since revoked the compromised key but has not publicly disclosed how it was obtained. The incident has raised serious questions about the security of Microsoft's online services, with the potential implications of the breach being far-reaching.

Security researchers from Wiz, an infosec outfit founded by former Microsoft cloud security engineers, have suggested that the compromised key could have been used to access a wider range of services than initially reported by Microsoft. This includes Microsoft applications using OpenID v2.0 access tokens for account authentication, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers' own applications that support the "login with Microsoft" functionality.

Microsoft has pushed back on these claims, stating that many of the claims made are speculative and not evidence-based. The company has also expanded security logging availability, making it free for more customers by default, to help manage an increasingly complex threat landscape.
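The core of the Wiz finding is a token signed with a key from one key set being accepted by services that should trust a different key set. The following added example (not Microsoft's or Wiz's code) shows the defensive check in Python: a token is accepted only if its `kid` belongs to the key set published for the issuer it claims, so a valid signature from another issuer's key is rejected. Issuers, key ids and keys are constructed, and HMAC stands in for the RSA keys real identity providers use.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key sets: each issuer publishes its own signing keys
# (the role a JWKS endpoint plays). Key ids and secrets are made up.
KEY_SETS = {
    "https://login.example.com/enterprise": {"ent-key-1": b"enterprise-secret-1"},
    "https://login.example.com/consumer": {"msa-key-1": b"consumer-secret-1"},
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(issuer: str, kid: str, key: bytes, sub: str) -> str:
    """Build an HS256 JWT; a holder of a leaked key can mint one for any subject."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps({"iss": issuer, "sub": sub}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, expected_issuer: str) -> tuple:
    """Return (accepted, reason). The signing key is looked up ONLY in the key set
    of the expected issuer, never in a global pool of keys from every issuer."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    if payload.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    kid = header.get("kid")
    key = KEY_SETS.get(expected_issuer, {}).get(kid)
    if key is None:
        # A key that is valid elsewhere but not published for this issuer is rejected.
        return False, f"kid {kid!r} not in key set for {expected_issuer}"
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    return True, "ok"
```

Logging the rejection reason (key id and claimed issuer) is what turns this check into a detection signal for key misuse.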

Top Secret US Military Emails Misdirected to Mali Due to Typo

Millions of emails intended for the US military have been inadvertently sent to Mali, a pro-Russia state in West Africa, due to a simple typo. The error involves the misspelling of the suffix used at the end of all US military email addresses. Instead of using ".mil," people have been typing ".ml," which is the country identifier for Mali.

This so-called "typo leak" has been happening for over a decade, and the misdirected emails contain sensitive information. This includes personal data about military contractors, serving personnel, and their families, such as medical data, passport details, crew lists, photos of bases, details of internal investigations, and travel plans.

The issue was discovered by Johannes Zuurbier, a Dutch entrepreneur who was contracted to manage the .ml domain. He has raised the issue with various US officials, including the US embassy in Mali, and has been gathering misdirected emails in an attempt to convince American authorities to address the problem.

The Department of Defense (DoD) has acknowledged the issue and has implemented policy, training, and technical controls to prevent such incidents. However, the risk remains, especially as Zuurbier's contract to manage the .ml domain has expired, and the Malian government will now be able to access the misdirected emails. This incident highlights the potential security risks that can arise from seemingly innocent typos and the importance of stringent cybersecurity measures.
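One of the technical controls that stops this class of leak is an outbound mail check that holds messages addressed to a near-miss of a protected domain. The following added example (not the DoD's control) implements that check in Python with an edit-distance comparison, so it catches the ".ml" deletion described above as well as other one-keystroke typos. The protected domain list and addresses are constructed for the example.

```python
# Constructed sample of protected recipient domains; a real deployment would
# load this from the organisation's mail policy.
PROTECTED_DOMAINS = {"army.mil", "navy.mil", "af.mil"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(address: str, protected=PROTECTED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'ok' for an exact protected domain, 'lookalike' when the recipient
    domain is within max_distance edits of one (e.g. army.ml vs army.mil), and
    'external' for any other domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in protected:
        return "ok"
    for good in protected:
        if _edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "external"


def scan_outbound(recipients) -> list:
    """Return the recipients a mail gateway should hold for review before delivery."""
    return [r for r in recipients if classify_recipient(r) == "lookalike"]
```

Held messages should be bounced to the sender with the suspected typo spelled out, since the sender is the only one who knows the intended recipient.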

Critical Vulnerabilities in Citrix ADC and Gateway Actively Exploited - Immediate Action Required

Citrix has discovered a critical vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products, formerly known as Citrix ADC and Citrix Gateway. The vulnerability has a severity score of 9.8 out of 10 and is currently being exploited in the wild. It allows an attacker to execute code remotely without authentication, provided the vulnerable appliance is configured as a Gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an authentication virtual server (AAA server).

Citrix has observed exploits of CVE-2023-3519 on unmitigated appliances and strongly advises its customers to switch to an updated version that fixes the issue. The updated versions are NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases; 13.0-91.13 and later releases of 13.0; NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS; 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS; and 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP.

In addition to CVE-2023-3519, the updates also include fixes for two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467. CVE-2023-3466 is a reflected cross-site scripting (XSS) issue, while CVE-2023-3467 allows an attacker to elevate privileges to those of a root administrator (nsroot). Both vulnerabilities require specific conditions to be exploited.

Citrix strongly urges affected customers to install the relevant updated versions as soon as possible.
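Checking an appliance inventory against the fixed builds listed above is the first triage step. The following added example (not Citrix's tooling) parses NetScaler version strings of the form `13.1-49.13`, compares them per release branch and variant, and returns the hosts that still need the update; the fixed-build table is taken from the advisory summary above, and the inventory entries are constructed.

```python
import re
from typing import Optional

# Minimum fixed build per branch, from the Citrix advisory summarised above.
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (55, 297),
    "12.1-NDcPP": (55, 297),
}

_VERSION = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def is_patched(version: str, variant: str = "") -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch and variant,
    False if it is below, None if the branch/variant has no fixed build listed
    (such hosts need manual follow-up rather than being marked safe)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    key = f"{branch}-{variant}" if variant else branch
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return None
    return (major, minor) >= fixed


def triage(inventory: list) -> dict:
    """Split an inventory of (host, version, variant) tuples into the hosts that are
    exposed and those with no listed fix, so both groups get attention."""
    exposed, unknown = [], []
    for host, version, variant in inventory:
        status = is_patched(version, variant)
        if status is False:
            exposed.append(host)
        elif status is None:
            unknown.append(host)
    return {"exposed": exposed, "unknown": unknown}
```

Note that a patched build only closes the door; any appliance that ran an exploitable build while the vulnerability was being exploited in the wild should also be checked for signs of prior compromise.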

Sophos Name Abused by New Ransomware Variant, SophosEncrypt

SophosEncrypt, a newly discovered ransomware-as-a-service (RaaS), is impersonating the well-known cybersecurity provider Sophos. The ransomware uses the 'Sophos' name in its ransom note and the '.sophos' extension for encrypted files. The executable is written in Rust and uses AES256-CBC encryption with PKCS#7 padding.

When executed, the ransomware prompts the affiliate to enter a token associated with the victim, which is likely first retrieved from the ransomware management panel. It then connects to a command-and-control server to verify the token's validity. The ransomware also prompts the affiliate for additional information to be used when encrypting the device, including a contact email, a Jabber address, and a 32-character password.

SophosEncrypt has the capability to change the Windows desktop wallpaper, displaying the 'Sophos' brand that it is impersonating. It also contains numerous references to a Tor site, which appears to be the affiliate panel for the ransomware-as-a-service operation.

The ransomware's command and control server at 179[.]43[.]154[.]137 has been linked to Cobalt Strike C2 servers used in previous attacks. The server has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software.

Researchers are still analyzing SophosEncrypt to see if any weaknesses could allow the recovery of files for free. If any weaknesses, or encryption issues, are found, updates will be provided.

AI Titans Pledge for Secure and Transparent AI Development

In a significant move towards responsible AI innovation, seven US tech giants have pledged to adhere to new safeguards in AI development. The companies, including Amazon, Google, Meta, Microsoft, and OpenAI, made this commitment in response to a growing list of concerns about the capabilities of AI tools to generate content that is increasingly difficult to distinguish from human-produced content.

The announcement was made at a White House meeting, where President Joe Biden outlined the goals of his administration in constructing public safeguards for these breakthrough digital tools. The President acknowledged the enormous risk that AI poses to society, economy, and national security, but also highlighted the incredible opportunities it offers.

The commitments, which will be implemented immediately, underscore three fundamental principles: safety, security, and trust. They come at a time when lawmakers are struggling to construct new regulatory oversight for the fast-moving AI industry. Despite efforts such as the creation of an AI Bill of Rights and executive action to limit the use of discriminatory computer algorithms by federal agencies, the need for industry-wide commitments to responsible AI innovation is more pressing than ever.
