OMIGOD: Cloud providers still using secret middleware

RSA Conference in brief Researchers from Wiz, who previously found a series of four serious flaws in Azure’s Open Management Infrastructure (OMI) agent dubbed “OMIGOD,” presented some related news at RSA: Pretty much every cloud provider is installing similar software “without customer’s awareness or explicit consent.”

In a blog post accompanying the presentation, Wiz’s Nir Ohfeld and Shir Tamari say that the agents are middleware that bridge customer VMs and the provider’s other managed services. The agents are necessary to enable advanced VM features like log collection, automatic updating and configuration syncing, but they also add new potential attack surfaces that, because customers don’t know about them, can’t be defended against.

In the case of OMIGOD, that included a bug with a 9.8/10 CVSS score that would let an attacker escalate to root and remotely execute code. Microsoft patched the vulnerabilities, but most had to be applied manually.

Wiz has published a GitHub page with a list of 12 agents installed secretly, just like OMI, on Azure, AWS, and Google Cloud, and they’re probably not all. “It is likely, based on our investigation, that there are more agents of which security researchers and cloud customers are unaware,” Ohfeld and Tamari said. 

Few understand their attack surface, says Trend Micro

Survey results from Trend Micro indicate that, when it comes to organizations understanding their attack surfaces, most don’t. 

In all, 73 percent of the 6,297 IT and business decision makers surveyed said they were worried about their growing attack vulnerability surface, which only 51 percent said they could fully define. 

Just over a third of respondents said that their security infrastructure was messy and constantly evolving, while 43 percent admitted their attack surface is “spiraling out of control,” Trend Micro said. Cloud environments were cited as the most opaque, and with most providers installing secret middleware it’s easy to understand why.

Bharat Mistry, technical director at Trend Micro, said that rapid IT modernization at the beginning of the COVID-19 pandemic is a large reason for current attack surface visibility problems. “In many cases [IT upgrades] unwittingly expanded the digital attack surface, giving threat actors more opportunities to compromise key assets,” he said. 

The study also gives a variety of reasons for why visibility hasn’t improved, like opaque supply chains, shadow IT services, remote employees and constant technical changes in vendor products, among others. 

Unfortunately, the top piece of advice that Trend Micro gives – “gain visibility” – is easier said than done. Unless you have the right tools, that is, which Trend Micro happens to be selling. 

Private sector to feds: More collaboration, please

A laundry list of private sector and cyber advocacy groups released a joint statement Tuesday arguing for “increased public private collaboration to improve the nation’s cybersecurity readiness.”

The signatories said that, while they think the Biden administration has taken steps to strengthen public-private cooperation, it hasn’t done enough. The signatories said they will “actively seek to engage US government partners with ideas and initiatives to strengthen national cyber resilience,” and put forward five proposals to that end:

  • Strengthening the reach of the Joint Cyber Defense Collaborative (JCDC), which signatories said they will do by working with the Collaborative and the Cybersecurity and Infrastructure Security Agency to accomplish
  • Building a collective understanding of threats by supporting “tools, technology, incentives, business processes and legal frameworks” necessary to do so
  • Improving contingency planning by identifying “the top 5 cyber contingencies that pose national security risk and develop proactive response plans”
  • Improving legal frameworks by identifying laws and regulations hampering progress
  • Improving teamwork by creating opportunities for long-term exchanges between government and private cybersecurity professionals

The signatories are in luck: Leaders from CISA, the NSA, and National Cyber Directory Chris Inglis spoke at RSA, and made specific mention of the JCDC at their panel discussion this week. 

“We can’t sustain the highest level of alert for an extensive period of time, which is why we’re thinking about … that relationship that government needs to have with the private sector,” CISA director Jen Easterly said at the panel. 

New MFA product allegedly resists prompt bombing

Single sign-on provider Xage claims to have made a new distributed, multi-layer multi-factor authentication (MFA) product that’s capable of resisting prompt bombs like those that let Lapsus$ break into Okta earlier this year.

MFA bombing isn’t so much a sophisticated hacking technique as it is a way to wear someone down by attempting to repeatedly log into one of their accounts that has MFA enabled. As the victim is bombarded with verification requests, the attacker sits back and hopes their flustered mark accidentally taps “Accept.” One mistake, and the attacker has free rein to do whatever the victim’s account has access to. 

What Xage is offering as a solution is, for all intents and purposes, a hybrid form of MFA and network segmentation: “Users reconfirm their identity as they are granted each layer of access privilege, allowing independent user verification at the level of a whole operation, a site, or even a single asset,” Xage said in a press release. The unique selling point Xage is claiming is the use of different MFA methods at each layer of access.

While a different type of MFA at each checkpoint definitely adds an additional layer of security, it’s unknown how well users would adapt to the user experience friction created by needing a different form of MFA for each granular access request.

Knock knock. Who’s there? Not who you wanted

A flaw in a widely-used physical security system could let a successful attacker unlock any and all doors the software manages. 

Carrier’s LenelS2 access control panels, which manage security door systems in facilities like hospitals, schools, transportation facilities and government offices, were found to have eight zero-day vulnerabilities when investigated by researchers from Trellix Threat Labs. 

The LenelS2 was chosen specifically because it’s widely used, and while the team expected to find some flaws, “we did not expect to find common, legacy software vulnerabilities in a relatively recent technology,” they said

Physical security has been a hot topic recently, and while this vulnerability is frightening, it would be tricky to pull off, as physical access to the controller’s debugging ports is required. With access to the ports and “utilizing hardware hacking techniques,” the researchers were able to gain root access and pull a full copy of the device’s firmware for emulation and vulnerability discovery. 

Armed with knowledge of the software, the team was able to chain a pair of vulnerabilities together to gain root access remotely. An injected program ran alogside the controller’s software allowed the attackers to unlock doors and subvert monitoring software. 

To mitigate the issue, Carrier said it’s necessary to disable web login for the LenelS2’s web portal; Once disabled, a physical switch on the controller has to be flipped to re-enable it. While that may re-secure a previously-compromised controller, an attacker would with physical access could simply flip the switch back. 

As an additional mitigation method, consider a padlock. ®

READ MORE HERE