This Month In Cyber – April Edition
Welcome back to Emagine IT’s monthly, “This Month in Cyber”, where we make staying current on all things cyber easy and accessible. Let’s get into it.
March Catchup – Here’s what we missed last month:
NIST Unveils New Consortium to Operate its National Vulnerability Database: Tanya Brewer, the US National Institute of Standards and Technology (NIST) Vulnerability Database (NVD) program manager, announced late March at VulnCon that some aspects of the NVD, the most widely used software vulnerability repository, will be handed over to an industry consortium. This presented more questions than answers but at least made it clear that eyes were on the NVD from all sides – not just industry.
A New Roadmap for FedRAMP: The FedRAMP program has outlined a strategic plan that serves as a roadmap focused on streamlining the authorization process for cloud services within the federal government, emphasizing efficiency in security assessments and ongoing monitoring. This initiative promises to bolster the adoption of secure cloud technologies by standardizing procedures and ensuring continuous security vigilance.
Review of the Summer 2023 Microsoft Exchange Online Intrusion: Last year (2023) Microsoft Exchange Online experienced an intrusion by the hacking group associated with the government of the People’s Republic of China, known as Storm-0558. The attack compromised Microsoft’s cloud environment, resulting in what some have called “striking the espionage equivalent of gold”. The threat actors accessed the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China. As is its mandate, the Cyber Safety Review Board (CSRB, or the Board) conducted deep fact-finding around this incident. The Board concluded that this intrusion should never have happened and cited 7 justifications for this conclusion. One of those points was “Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021.”
Interested in a deeper dive on the March catch-up? Keep reading! If you’re more interested in jumping straight to the April incidents and breaches, skip ahead to that section below.
Navigating New Frontiers: NIST’s Shift with the NVD Consortium
In a strategic pivot responding to evolving cybersecurity challenges, NIST is setting a new course with the formation of a consortium to revitalize the National Vulnerability Database (NVD). Announced amidst a troubling slowdown in vulnerability updates, this consortium is poised to enhance the NVD’s functionality and responsiveness.
However, the lack of detailed and timely data has fueled concerns across the cybersecurity landscape, emphasizing the need for robust systems that support rapid and reliable vulnerability identification and management. The new consortium is set to integrate broad industry knowledge and feedback, focusing on streamlining processes and improving the speed and accuracy of information dissemination.
Critical to these efforts are enhancements in software identification and the automation of analysis processes. Improved identification techniques are essential for keeping pace with the complexities of modern software environments, where vulnerabilities can be nuanced and varied. Automation, in particular, is seen as a game-changer, poised to significantly reduce the manual workload involved in analyzing and mitigating threats, thus speeding up the entire process.
Moreover, the adoption of new standards like Package URLs (PURLs) will aid in the clear identification of software packages, ensuring more precise and effective management of vulnerabilities. These improvements are not just about responding to the current needs but also about anticipating future challenges in cybersecurity, hopefully making the NVD a more dynamic and resilient tool.
As NIST moves forward with these plans, the cybersecurity community watches with anticipation, hoping this collaborative approach will lead to a more robust and effective NVD, but only time will tell.
FedRAMP’s Strategic Revamp: A New Roadmap for Cloud Security and Efficiency
In a bold move to enhance cloud security within federal agencies, FedRAMP’s latest roadmap unveils strategic updates designed to streamline the authorization of cloud services and fortify cybersecurity infrastructure. This overhaul addresses critical needs for agility and clarity in the security process, reflecting a dynamic response to the evolving demands of digital government operations.
The new FedRAMP strategy emphasizes simplifying processes for cloud providers, making security outcomes more predictable and actionable for agencies. By orienting around the customer experience, FedRAMP aims to mitigate the complexities historically involved in gaining authorization, fostering a more accessible environment for innovative technologies. This shift is crucial as it seeks to balance rapid adoption of high-quality tech solutions against the backdrop of stringent security requirements.
One aspect that jumps out is the leadership component of this new roadmap. With digital authorization now being done through Governance, Risk Management, and Compliance (GRC) platforms, it’s easier to enable faster, well-informed leadership decisions. An organization’s leadership is constantly faced with difficult decisions about its FedRAMP Authorization progression; being able to make those decisions more quickly, with results produced faster, improves the workflow at multiple levels of the organization and across the FedRAMP Authorization progression.
However, even with Software as a Service (SaaS) products going through FedRAMP Authorization, and being used and widely adopted, there’s still a chance that FedRAMP misses the opportunity on products that can’t afford the FedRAMP process. We need better. It just takes too long and is too costly for most businesses.
Microsoft Exchange and Risk Vulnerabilities
While this story started in May and June of 2023, in March 2024 the Cyber Safety Review Board (CSRB) put out a summary assessment of the Microsoft Exchange Online intrusion, in which the online mailboxes of 22 organizations and 500 individuals, including government officials around the world, were breached. While there are many findings, one stood out: Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network back in 2021.
Mergers and Acquisitions (M&A) aren’t a hot topic many think about when it comes to security risk and potential vulnerabilities. There’s email phishing, social engineering, living off the land, etc., but not much about the risk inherited through an acquisition.
This goes back to people first, technology second. The CSRB, after conducting deep fact-finding on the situation, found that this breach should not have happened. If the breach shouldn’t have happened, what else is to blame but people?
This was a failure of policy and people not enforcing it. And, unfortunately, there aren’t many consequences for allowing this to happen.
April Incidents and Breaches That Left Their Mark:
While not fully a breach report, Cisco warns of a global surge in brute force attacks targeting VPN, SSH services, and web application authentication interfaces. If successful, threat actors could obtain unauthorized network access, lock users out of their accounts, and/or create denial-of-service conditions. Basically, threat actors are continuously flooding remote access VPN services with login attempts across a wide range of geographic zones.
When someone puts an SSH server on the internet, within an hour of it being live it’s bombarded by SSH attacks. Those attacks simply try password combinations that might work. But this has been happening, according to Erik on our podcast, for decades. So the volume of this occurring against Cisco products must be through the roof if they’re reporting on it.
Another reason is the constant cyber conflict that has been ramping up for a while. Whether it’s nation-state actors (China, Russia, etc.) or black hat attackers, they’re brute forcing these SSH and VPN services and attacking the supply chain of these trillion- and multi-billion-dollar companies. Because, as we’ve just discussed, it’s easier to attack the supply chain, such as a company Microsoft acquired, than to attack Microsoft Azure directly.
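The password-guessing bursts described above leave a recognisable trail in sshd logs. As an added example (not from the article or from Cisco), here is a small detector that reads standard sshd auth.log lines, flags any source exceeding a failure threshold inside a sliding window, and escalates a flagged source that then authenticates successfully. The log lines are constructed, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (not from the article): one source guesses
# five passwords in seconds and then logs in; another is a user's ordinary typo.
SAMPLE_LOG = """\
Apr 15 03:12:01 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Apr 15 03:12:03 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Apr 15 03:12:04 bastion sshd[4103]: Failed password for root from 198.51.100.7 port 51030 ssh2
Apr 15 03:12:06 bastion sshd[4105]: Failed password for invalid user test from 198.51.100.7 port 51031 ssh2
Apr 15 03:12:09 bastion sshd[4107]: Failed password for invalid user oracle from 198.51.100.7 port 51040 ssh2
Apr 15 03:12:11 bastion sshd[4108]: Accepted password for deploy from 198.51.100.7 port 51044 ssh2
Apr 15 03:20:40 bastion sshd[4200]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Apr 15 03:20:55 bastion sshd[4201]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_brute_force(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failures in window_s seconds; escalate on later success."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"status": "brute_force", "failures": len(recent), "success_user": None}
        elif ip in alerts:  # "Accepted" after a burst of failures: treat as likely compromise
            alerts[ip]["status"] = "likely_compromise"
            alerts[ip]["success_user"] = user
    return alerts
```

Running `detect_brute_force(SAMPLE_LOG)` flags 198.51.100.7 as a likely compromise (five failures then a success as `deploy`), while alice's single typo from 203.0.113.9 is left alone.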
This segues into how GPT-4 can be used to exploit vulnerabilities by reading threat advisories.
GPT-4 and AI’s role in Hacking
University of Illinois Urbana-Champaign researchers have found that AI language models, particularly GPT-4, with their enhanced capabilities, can sift through threat advisories and exploit vulnerabilities more efficiently than ever before. According to their study, 87% of tested vulnerabilities – 13 out of 15 to be specific – could be exploited by these AI models across a range of open-source software. While they do not yet (and really, emphasis on yet) outperform expert humans, the study concluded by urging organizations to proactively apply security best practices for AI.
It’s no secret that AI is changing the game in cybersecurity. You can point AI at a GitHub repository and not only can it find a vulnerability, but craft an exploit for it as well – making it ideal for any threat actors looking for a vulnerability that’s fast and cheap. And not only can it identify the vulnerability and craft the exploit, it can write the social engineering email – which once was easy to identify through its broken English – with perfect grammar and spelling, and it can craft the payload, the exploit, etc.

Government Regulations from April
CISA Cybersecurity Incident Reporting Requirements Proposed
In March 2024, CISA introduced new cybersecurity incident reporting rules for critical infrastructure firms. These regulations mandate prompt reporting of incidents within 72 hours of detection. Failure to comply could result in fines. The proposal grants CISA subpoena power to gather essential data, aiming to improve transparency and accountability. These measures emphasize the pressing need to fortify cybersecurity resilience in critical sectors, aligning with broader national security objectives. The public has until June 3, 2024 to submit comments on this proposal.
Key Events in the Next 30-90 Days
Speaking of dates, there are quite a few events coming right up and some still a bit away. Here are the ones we feel are the most important:
- RSA Conference (May 6-9) – San Francisco
- 45th IEEE Symposium on Security and Privacy (May 20-22, 2024) and Security and Privacy Workshops (May 23, 2024) – San Francisco
- Gartner Security & Risk Management Summit (June 3-5) – National Harbor, MD
- GRC Summit 2024 (June 17-18) – Baltimore