by Richard Beck

CMMC pathfinder assessment

The US Department of Homeland Security will conduct a “pathfinder assessment” to determine a path forward for a new cybersecurity compliance programme that shares similarities with the US Defence Department’s Cybersecurity Maturity Model Certification, or CMMC. In a special notice, the agency seeks input on its nascent effort to improve industry compliance with existing and future cyber-hygiene requirements. The notice is authored by DHS Chief Information Officer Eric Hysen and acting Chief Procurement Officer Paul Courtney, and follows several high-profile cyber events, including the SolarWinds hack and the Colonial Pipeline attack.

“In light of recent events, DHS seeks to advance our process in assessing industry compliance with cyber hygiene clause requirements,” the notice states. “DHS has been closely monitoring the Department of Defence’s implementation of the Cybersecurity Maturity Model Certification (CMMC) program to identify lessons learned and best practices for consideration by DHS as we advance our process. Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award.”

The Defence Department’s CMMC program mandates third-party reviews for its contractors and is designed to end the practice of simply taking companies at their word on the cybersecurity controls they implement. The Pentagon intends to reduce the loss of what it assesses to be hundreds of billions of dollars in intellectual property to cyber adversaries each year. The program is rolling out now, and all defence contractors are required to be compliant by 2026. 

Unofficial Windows patch for PetitPotam NTLM attack

A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to cover issues not addressed by Microsoft's official security update. In an NTLM relay attack, a threat actor coerces a server or domain controller into authenticating to a machine under the attacker's control. The attacker then relays that NTLM authentication over HTTP to the victim's Active Directory Certificate Services (AD CS) web enrollment endpoint and obtains a certificate for the domain controller's machine account. With that certificate the attacker can request a Kerberos ticket-granting ticket (TGT) as the domain controller, assume its identity and take over the Windows domain.

Security researcher Gilles Lionel, aka Topotam, disclosed a technique called PetitPotam that coerces domain controllers into authenticating, without the attacker holding any credentials, by calling functions of the MS-EFSRPC (Encrypting File System Remote Protocol) interface.

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM," explains Microsoft in the CVE-2021-36942 advisory.

Unfortunately, Microsoft's update is incomplete: it blocks the unauthenticated path over the LSARPC interface described in the advisory, but other MS-EFSRPC functions and interfaces can still be used to coerce authentication. To close the remaining paths, the 0patch micropatching service has released an updated unofficial patch intended to block all known PetitPotam coercion variants. Whichever patch is applied, the relay target also needs hardening: Microsoft's guidance for AD CS is to require Extended Protection for Authentication on the web enrollment endpoints and to disable NTLM authentication where possible.
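The relay described above leaves a recognisable trace on the host that receives the relayed authentication: a network (type 3) logon by a domain controller's machine account, using NTLM rather than Kerberos, arriving from an address that is not the domain controller's own. The following detection heuristic is an added example written for this page, not code from Microsoft, 0patch or the researcher; the event records are constructed in a simplified `id key=value` form (real 4624 events carry these as "Account Name", "Logon Type", "Authentication Package" and "Source Network Address"), and the `DC_ADDRESSES` inventory is an assumed lookup table that a deployment would populate from its own asset data.

```python
"""Detection heuristic for a relayed, coerced machine-account NTLM logon.
Added example; not code from the page, Microsoft or 0patch.  The event
records below are constructed in a simplified key=value form for the
example, not a real EVTX or CSV export."""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: an inventory of domain-controller machine accounts and the
# address each should be seen from.  A DC's NTLM logon arriving from any
# other address is what a relay (coerced DC -> attacker host -> AD CS) looks like.
DC_ADDRESSES: Dict[str, str] = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}


@dataclass
class LogonEvent:
    event_id: int
    account: str
    logon_type: int
    auth_package: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed Security-log record: '4624 Key=Value Key=Value ...'."""
    event_id, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return LogonEvent(
        event_id=int(event_id),
        account=fields["Account"],
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthPkg"],
        source_ip=fields["Source"],
    )


def is_relayed_dc_logon(e: LogonEvent) -> bool:
    """Network (type 3) NTLM logon by a known DC machine account from an
    address other than that DC's own: the hallmark of a relayed coerced auth.
    A DC authenticating with Kerberos, or from its own address, is normal."""
    expected = DC_ADDRESSES.get(e.account)
    return (
        e.event_id == 4624
        and e.logon_type == 3
        and e.auth_package.upper() == "NTLM"
        and e.account.endswith("$")
        and expected is not None
        and e.source_ip != expected
    )


def find_relayed_logons(lines: List[str]) -> List[LogonEvent]:
    """Return every event in the input that matches the relay heuristic."""
    return [e for e in map(parse_event, lines) if is_relayed_dc_logon(e)]


# Constructed sample: a benign DC logon, a user NTLM logon, a Kerberos DC
# logon, and one DC machine-account NTLM logon from a foreign address.
SAMPLE_EVENTS = [
    "4624 Account=DC01$ LogonType=3 AuthPkg=NTLM Source=10.0.0.10",
    "4624 Account=alice LogonType=3 AuthPkg=NTLM Source=10.0.0.55",
    "4624 Account=DC01$ LogonType=3 AuthPkg=Kerberos Source=10.0.0.10",
    "4624 Account=DC02$ LogonType=3 AuthPkg=NTLM Source=10.0.0.99",
]

if __name__ == "__main__":
    for hit in find_relayed_logons(SAMPLE_EVENTS):
        print(f"ALERT: {hit.account} NTLM logon from {hit.source_ip}, "
              f"expected {DC_ADDRESSES[hit.account]}")
```

Run it against the Security log of the AD CS web enrollment host first, since that is where a relayed PetitPotam authentication lands; the same rule on member servers catches relays aimed at other targets. A domain controller legitimately authenticating with NTLM from its own address is not flagged, which keeps the rule quiet in environments that have not yet disabled NTLM.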

ICS vendors assess INFRA:HALT vulnerabilities

Forescout Research Labs and JFrog Security Research found a total of 14 vulnerabilities in NicheStack, a TCP/IP stack used by many operational technology (OT) vendors. The flaws, a majority of which have been assigned critical and high severity ratings, can be exploited for remote code execution, denial of service (DoS) attacks, obtaining information, TCP spoofing, and DNS cache poisoning. In an attack scenario described by the researchers, the attacker remotely exploits one of the INFRA:HALT vulnerabilities to crash a programmable logic controller (PLC) and disrupt the associated physical process.

Major ICS vendors and other organisations have released advisories in response to the discovery and disclosure of the INFRA:HALT vulnerabilities. These include the US Cybersecurity and Infrastructure Security Agency (CISA), Germany’s CERT@VDE, and the CERT Coordination Center at Carnegie Mellon University. Each of the vendors that has confirmed being impacted – Schneider Electric, Siemens and Phoenix Contact – has released an advisory describing the impact on its products.

T-Mobile reveals data breach

The third-largest US wireless carrier said personal data, including social security numbers and driver's license information, of more than 40 million former and prospective customers was stolen, along with data from 7.8 million existing T-Mobile wireless customers. Dates of birth and first and last names were also stolen, the telecom services provider said, adding that there was no indication financial details had been compromised. The company, which had 104.8 million customers as of June, acknowledged the data breach on Sunday after US-based digital media outlet Vice reported that a seller had posted on an underground forum offering private data, including social security numbers, from a breach of T-Mobile servers.

“Customers trust us with their private information, and we safeguard it with the utmost concern. A recent cybersecurity incident put some of that data in harm’s way, and we apologise for that. We take this very seriously, and we strive for transparency in the status of our investigation and what we’re doing to help protect you.”

T-Mobile said approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.

New Windows 10 21H2 build comes with improved WiFi security

Microsoft has released Windows 10 21H2 build 19044.1200 with the awaited new Windows Hello for Business deployment method, WPA3 H2E support, and GPU compute in the Windows Subsystem for Linux.

The promised features:

  • Adding WPA3 H2E standards support for enhanced Wi-Fi security.
  • Windows Hello for Business introduces a new deployment method called cloud trust to support simplified passwordless deployments and achieve a deploy-to-run state within a few minutes.
  • GPU compute support in the Windows Subsystem for Linux (WSL) and Azure IoT Edge for Linux on Windows (EFLOW) deployments for machine learning and other compute-intensive workflows.

"In response to the Dragonblood paper, IEEE 802.11 updated SAE by defining a new 'Hash-to-Element' (H2E) method, as an optional alternative to the existing 'Hunting-and-Pecking' method for the secret PWE (Password Element) derivation used in SAE authentication," explained Cisco.

With the new GPU compute support, Windows Subsystem for Linux users will be able to use NVIDIA CUDA and DirectML for machine learning and AI development. This feature allows Windows users to use their graphics card "to accelerate math-heavy workloads and use its parallel processing to complete the required calculations faster, in many cases, than utilising only a CPU." The WPA3 H2E (Hash-to-Element) method adds protection against Dragonblood, a family of side-channel attacks on WPA3's SAE handshake in which the timing and cache behaviour of the password-element derivation leak enough information about the Wi-Fi password to mount an offline dictionary attack.
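To make concrete why H2E removes the leak that the Cisco quote alludes to, here is an added example, written for this page and not taken from Cisco, Microsoft or the 802.11 standard, that derives a password element both ways on a small toy curve. The hunting-and-pecking loop is the simplified early-exit form of the original SAE derivation (the real standard also rejects candidates that exceed the field prime, and later revisions pad to a fixed iteration count with a dummy password; neither detail changes the lesson), and the hash-to-element path uses the simplified SWU map from RFC 9380, which is the mapping H2E builds on. The curve parameters, the MAC addresses, the SSID and the domain-separation strings are assumptions made for the example; nothing here is a real Wi-Fi SAE group.

```python
"""Why H2E closes the Dragonblood timing leak: toy SAE password-element
derivation by hunting-and-pecking (early-exit loop) next to a
hash-to-element map (simplified SWU, as used by 802.11 H2E / RFC 9380).
Added example, not from the page, Cisco or Microsoft.  The curve is a
small toy curve chosen for the example, not a real Wi-Fi SAE group."""
import hashlib
import hmac

# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over GF(P); P = 3 (mod 4)
# so a square root is a single exponentiation.  (Assumed toy parameters.)
P = 2**31 - 1
A = P - 3
B = 7
K = 40  # SAE's hunting-and-pecking iteration cap


def is_square(z: int) -> bool:
    """Euler's criterion: z is a non-zero quadratic residue mod P."""
    return z % P != 0 and pow(z, (P - 1) // 2, P) == 1


def sqrt_mod(z: int) -> int:
    return pow(z % P, (P + 1) // 4, P)


def g(x: int) -> int:
    return (x * x * x + A * x + B) % P


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - g(x)) % P == 0


def hunting_and_pecking(password: bytes, mac_a: bytes, mac_b: bytes):
    """Original SAE PWE loop (simplified): try counter = 1, 2, ... until the
    derived x gives a square g(x).  Returns ((x, y), iterations_used).
    The iteration count, and so the run time, depends on the password;
    that dependency is what Dragonblood's timing attack measures."""
    base = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, K + 1):
        seed = hmac.new(base, password + bytes([counter]), hashlib.sha256).digest()
        x = int.from_bytes(hashlib.sha256(seed + b"SAE Hunting and Pecking").digest(), "big") % P
        if is_square(g(x)):
            return (x, sqrt_mod(g(x))), counter
    raise ValueError("no password element found within K iterations")


def _find_z() -> int:
    """SSWU curve constant: a non-square Z (not -1) with g(B / (Z*A)) a square."""
    for cand in range(1, 1000):
        for z in (cand, P - cand):
            if z == P - 1 or is_square(z):
                continue
            x0 = B * pow(z * A % P, P - 2, P) % P
            if is_square(g(x0)):
                return z
    raise ValueError("no suitable Z found")


Z = _find_z()


def sswu(u: int):
    """Simplified SWU map GF(P) -> curve.  Every input performs the same
    sequence of field operations (production code replaces the two ifs
    with constant-time selects), so run time does not depend on u."""
    u2 = u * u % P
    tv1 = (Z * Z % P * u2 % P * u2 + Z * u2) % P
    tv1 = pow(tv1, P - 2, P)          # inv0: modular inverse, with 0 -> 0
    x1 = (P - B) * pow(A, P - 2, P) % P * (1 + tv1) % P
    if tv1 == 0:                      # exceptional input (u = 0 or Z*u^2 = -1)
        x1 = B * pow(Z * A % P, P - 2, P) % P
    x2 = Z * u2 % P * x1 % P
    gx1, gx2 = g(x1), g(x2)           # both always computed; exactly one is a square
    x, gx = (x1, gx1) if is_square(gx1) else (x2, gx2)
    y = sqrt_mod(gx)
    if (u & 1) != (y & 1):            # sign normalisation, as in RFC 9380
        y = P - y
    return x, y


def hash_to_element(password: bytes, ssid: bytes):
    """H2E-style PWE: hash the password once, map it to the curve once.
    No trial loop, so no password-dependent iteration count."""
    digest = hashlib.sha256(ssid + password + b"SAE Hash to Element").digest()
    return sswu(int.from_bytes(digest, "big") % P)


if __name__ == "__main__":
    macs = (b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02")
    for pw in (b"correct horse", b"battery staple"):
        pt, n = hunting_and_pecking(pw, *macs)
        print(f"{pw!r}: hunting-and-pecking needed {n} iteration(s)")
        print(f"{pw!r}: H2E element on curve = {on_curve(hash_to_element(pw, b'HomeNet'))}")
```

Running it prints a different iteration count for different passwords, which is exactly the quantity an attacker on the same channel can observe; the H2E path spends the same number of field operations on every password. Real H2E also binds the SSID and password identifier into the hash, and the standard's implementation uses constant-time selection rather than Python `if` statements, but the structural point, one hash and one deterministic map instead of a search, is the same.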

Autodesk software critical vulnerability

During a recent client engagement, the DGC (DiCicco, Gulman & Company) penetration testing team identified a previously unknown vulnerability in the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. Because the component is common to most Autodesk products, the vulnerability affects nearly every organisation using licensed Autodesk software in any capacity. It has been assigned CVE-2021-27032 (Autodesk Licensing Service: Local Privilege Escalation).

Because these software products are so widely deployed across the public and private sectors, vulnerabilities in Autodesk products pose a significant risk to many organisations, as Autodesk products are often used to generate and process intellectual property and other sensitive data. While a vulnerability in any one Autodesk product represents a risk to the organisations that happen to be using that specific piece of software, a vulnerability that affects nearly all Autodesk applications is considered a critical issue requiring immediate attention.

DGC disclosed the vulnerability to Autodesk immediately after discovering it during the penetration testing engagement. Autodesk has fixed it in an updated version of the affected service and has published a security advisory for customers detailing the vulnerability and the affected software versions.
