There’s a very good reason why AWS remains a leader in cloud computing. While many providers describe themselves as “customer obsessed,” few come close to our long-time partner in the lengths it goes to earn and retain the trust of its customers.
AWS starts with the customer and works backwards. That means the vast majority of its feature enhancements and new services are directly driven from their input. The latest is Amazon GuardDuty Malware Protection.
This threat detection tool, which will work closely with Trend Micro cloud solutions, will provide another valuable layer of defense in our fight against a shared adversary.
Shining a light on an expanding attack surface
Spurred by a drive for greater cost efficiency and business agility, global organizations are migrating to the cloud in droves. Gartner predicts the worldwide market for public cloud services will reach almost $495bn this year, and grow by over 21% in 2023. In this environment, security remains a persistent concern for cloud builders, because if not properly managed, investments can increase the digital attack surface.
According to recent Trend Micro research, many global organizations are already struggling to securely manage their cloud assets. We found that 73% of IT and business leaders are concerned with the size of their attack surface, and 43% claim it is “spiralling out of control.” Cloud is the area where most respondents say they have least insight. They want their cloud providers to do more—for example by building enhanced detection into their systems, to complement third-party tools.
That’s part of the reason why AWS built Amazon GuardDuty Malware Protection was built. This new feature is triggered by detection of known malicious signatures across the cloud network. Based on this detection, the service scans the associated Amazon EBS storage environment for malware and reports any findings to AWS Security Hub. Open APIs from here link to products like Trend Micro Cloud One to enhance existing detection and response efforts.
Better together
Trend Micro and AWS have been working closely together for over a decade now, and this latest announcement represents another exciting stage in the journey. Customers will welcome AWS native threat detection as a complement to their Trend Micro Cloud One capabilities, delivering a comprehensive range of features to secure the hybrid cloud. Once they add the AWS tool to our virtual patching, vulnerability scanning, lateral movement detection, posture management and other capabilities, joint customers will have a powerful set of integrated offerings to deliver simple, all-in-one cloud security and compliance.
In addition, this move from AWS validates our XDR strategy, which is focused on using as many data sources as possible to enhance detection and response. The bottom line is that security takes a village. Customers, cloud providers and security vendors have a shared responsibility to work together as the threat landscape continues to evolve. That’s what we’ll continue to do, expanding and deepening our strategic partnerships with AWS and other providers in a collective effort to make the digital world safer.
Google on Wednesday said it’s once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024.
“The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome,” Anthony Chavez, vice president of Privacy Sandbox, said.
In keeping this in mind, the internet and ad tech giant said it’s taking a “deliberate approach” and extending the testing window for its ongoing Privacy Sandbox initiatives prior to phasing out third-party cookies.
Cookies are pieces of data planted on a user’s computer or other device by the web browser as a website is accessed, with third-party cookies fueling much of the digital advertising ecosystem and its ability to track users across different sites to show targeted ads.
Privacy Sandbox is Google’s umbrella term for a set of technologies that aim to improve users’ privacy across the web and Android by limiting cross-site and cross-app tracking and offering improved, safer alternatives to serve interest-based ads.
While Google had originally planned to roll out the feature in early 2022, it revised the timeline in June 2021, pushing its proposal to transition from third-party cookies over a three-month period, starting in mid-2023 and ending in late 2023.
“It’s become clear that more time is needed across the ecosystem to get this right,” the company noted at the time.
The second extension comes as Google announced Topics API as a replacement for FLoC (short for Federated Learning of Cohorts) in January 2022, following it up with a developer preview of Privacy Sandbox for Android in May.
In February 2022, the U.K. Competition and Markets Authority (CMA) formally accepted commitments from Google over how it develops the technology, pointing out the need to flesh out Privacy Sandbox such that it promotes competition and supports publishers to raise revenue from ads while also safeguarding consumer privacy.
Under the new plan, Privacy Sandbox trials are expected to be expanded to users globally next month, with the number of users included in the tests ramped up throughout the rest of the year and into 2023.
Google also emphasized that users will be shown a prompt to manage their participation, adding it intends to make the APIs generally available by Q3 2023, with third-party cookie support tentatively dropped in H2 2024.
The CMA, for its part, acknowledged today that it’s aware of “alternative proposals being developed by third-parties,” and that it’s “working with the [Information Commissioner’s Office] to better understand their viability and likely impacts.”
Ransomware is a kind of malware used by cybercriminals to stop users from accessing their systems or files; the cybercriminals then threaten to leak, destroy or withhold sensitive information unless a ransom is paid.
Ransomware attacks can target either the data held on computer systems (known as locker ransomware) or devices (crypto-ransomware). In both instances, once a ransom is paid, threat actors typically provide victims with a decryption key or tool to unlock their data or device, though this is not guaranteed.
Oliver Pinson-Roxburgh, CEO of Defense.com, the all-in-one cybersecurity platform, shares knowledge and advice in this article on how ransomware works, how damaging it can be, and how your business can mitigate ransomware attacks from occurring.
What does a ransomware attack comprise?
There are three key elements to a ransomware attack:
Access
In order to deploy malware to encrypt files and gain control, cybercriminals need to initially gain access to an organization’s systems.
Trigger
The attackers have control of the data as soon as the malicious software is activated. The data is encrypted and no longer accessible by the targeted organization.
Demand
The victims will receive an alert that their data is encrypted and cannot be accessed until a ransom is paid.
Big business for cybercriminals
The motives of cybercriminals deploying malware may vary but the end goal is typically that of financial gain.
What is the cost of being targeted by ransomware?
The average pay-out from ransomware attacks has risen from $312,000/£260,000 in 2020 to $570,000/£476,000 in 2021 – an increase of 83%. One report also showed that 66% of organisations surveyed were victims of ransomware attacks in 2021, nearly double that of 2020 (37%). This highlights the need for businesses to understand the risks and implement stronger defenses to combat the threats.
Ransomware continues to rank amongst the most common cyberattacks in 2022, due to its lucrative nature and fairly low level of effort required from the perpetrators. This debilitating attack causes an average downtime of 3 weeks and can have major repercussions for an organization, for its finances, operations and reputation.
Because there is no guarantee that cybercriminals will release data after a ransom is paid, it is crucial to protect your data and keep offline backups of your files. It’s also very important to proactively monitor and protect entry points that a hacker may exploit, to reduce the possibility of being targeted in the first place.
Who is at risk of being a target of ransomware?
In the past, cybercriminals have typically targeted high-profile organizations, large corporations and government agencies with ransomware. This is known as ‘big game hunting’ and works on the premise that these companies are far more likely to pay higher ransoms and avoid unwanted scrutiny from the media and public. Certain organizations, such as hospitals, are higher-value targets because they are far more likely to pay a ransom and to do so quickly because they need access to important data urgently.
However, ransomware groups are now shifting their focus to smaller businesses, in response to increased pressure from law enforcement who are cracking down on well-known ransomware groups such as REvil and Conti. Smaller companies are seen as easy targets that may lack effective cybersecurity defenses to prevent a ransomware attack, making it easier to penetrate and exploit them.
Ultimately, threat actors are opportunists and will consider most organizations as targets, regardless of their size. If a cybercriminal notices a vulnerability, the company is fair game.
How is ransomware deployed?
Phishing attacks
The most common delivery method of ransomware is via phishing attacks. Phishing is a form of social engineering and is an effective method of attack as it relies on deceit and creating a sense of urgency. Threat actors trick employees into opening suspicious attachments in emails and this is often achieved by imitating either senior-level employees or other trusted figures of authority.
Malvertising
Malicious advertising is another tactic used by cybercriminals to deploy ransomware, where ad space is purchased and infected with malware that is then displayed on trusted and legitimate websites. Once the ad is clicked, or even in some cases when a user accesses a website that’s hosting malware, that device is infected by malware that scans the device for vulnerabilities to exploit.
Exploiting vulnerable systems
Ransomware can also be deployed by exploiting unpatched and outdated systems, as was the case in 2017, when a security vulnerability in Microsoft Windows, EternalBlue (MS17-010), led to the global WannaCry ransomware attack that spread to over 150 countries.
It was the biggest cyberattack to hit the NHS: it cost £92m in damages plus the added costs of IT support restoring data and systems affected by the attack, and it directly impacted patient care through cancelled appointments.
Four key methods to defend your business against ransomware
It is crucial that businesses are aware of how a ransomware attack may affect their organization, and how they can prevent cybercriminals from breaching their systems and holding sensitive data to ransom. Up to 61% of organizations with security teams consisting of 11–25 employees are said to be most concerned about ransomware attacks.
The NHS could have avoided being impacted by the WannaCry ransomware attack in 2017 by heeding warnings and migrating away from outdated software, ensuring strategies were in place to strengthen their security posture.
It’s essential that your business takes a proactive approach to cybersecurity by implementing the correct tools to help monitor, detect, and mitigate suspicious activity across your network and infrastructure. This will reduce the number and impact of data breaches and cyberattacks.
Defense.com recommend these four fundamental tactics to help prevent ransomware attacks and stay one step ahead of the hackers:1 — Training
Cybersecurity awareness training is pivotal for businesses of all sizes as it helps employees to spot potentially malicious emails or activity.
Social engineering tactics, such as phishing and tailgating, are common and successful due to human error and employees not spotting the risks. It’s vital for employees to be vigilant around emails that contain suspicious links or contain unusual requests to share personal data, often sent by someone pretending to be a senior-level employee.
Security training also encourages employees to query visitors to your offices to prevent ransomware attacks via physical intrusion.
Implementing cybersecurity awareness training will help your business routinely educate and assess your employees on fundamental security practices, ultimately creating a security culture to reduce the risk of data breaches and security incidents.2 — Phishing simulators
These simulator tools support your security awareness training by delivering fake but realistic phishing emails to employees. Understanding how prone your staff are to falling for a real cybercriminal’s tactics allows you to fill gaps in their training.
When you combine phishing simulators with security training, your organization can lessen the chance of falling victim to a ransomware attack. The combination of training and testing puts you in a better position to prevent the cunning attempts of cybercriminals to infiltrate your IT systems and plant malware.3 — Threat monitoring
You can make your business less of a target for cybercriminals by actively monitoring potential threats. Threat Intelligence is a threat monitoring tool that collates data from various sources, such as penetration tests and vulnerability scans, and uses this information to help you defend against potential malware and ransomware attacks. This overview of your threat landscape shows which areas are most at risk of a cyberattack or a data breach.
Being proactive ensures you stay one step ahead of hackers and by introducing threat monitoring tools to your organization, you ensure any suspicious behaviour is detected early for remediation.4 — Endpoint protection
Endpoint protection is key to understanding which of your assets are vulnerable, to help protect them and repel malware attacks like ransomware. More than just your typical antivirus software, endpoint protection offers advanced security features that protect your network, and the devices on it, against threats such as malware and phishing campaigns.
Anti-ransomware capabilities should be included in endpoint protection so it can effectively prevent attacks by monitoring suspicious behaviour such as file changes and file encryption. The ability to isolate or quarantine any affected devices can also be a very useful feature for stopping the spread of malware.
In summary
With ransomware groups continually looking for vulnerabilities to exploit, it’s important that businesses develop robust strategies to prevent ransomware threats: ensure your staff takes regular security awareness training, set up threat monitoring tools to detect and alert you of vulnerabilities, and implement endpoint protection to protect your devices across your network.
Following the above guidelines will increase your chances of safeguarding your business against ransomware attacks that could cost your organization a substantial amount of money and reputational damage.
Defense.com believes world-class cyber protection should be accessible to all companies, regardless of size. For more information, visit Defense.com.
Apple on Wednesday rolled out software fixes for iOS, iPadOS, macOS, tvOS, and watchOS to address a number of security flaws affecting its platforms.
This includes at least 37 flaws spanning different components in iOS and macOS that range from privilege escalation to arbitrary code execution and from information disclosure to denial-of-service (DoS).
Chief among them is CVE-2022-2294, a memory corruption flaw in the WebRTC component that Google disclosed earlier this month as having been exploited in real-world attacks aimed at users of the Chrome browser. There is, however, no evidence of in-the-wild zero-day exploitation of the flaw targeting iOS, macOS, and Safari.
Besides CVE-2022-2294, the updates also address several arbitrary code execution flaws impacting Apple Neural Engine (CVE-2022-32810, CVE-2022-32829, and CVE-2022-32840), Audio (CVE-2022-32820), GPU Drivers (CVE-2022-32821), ImageIO (CVE-2022-32802), IOMobileFrameBuffer (CVE-2022-26768), Kernel (CVE-2022-32813 and CVE-2022-32815), and WebKit (CVE-2022-32792).
Also patched is a Pointer Authentication bypass affecting the Kernel (CVE-2022-32844), a DoS bug in the ImageIO component (CVE-2022-32785), and two privilege escalation flaws in AppleMobileFileIntegrity and File System Events (CVE-2022-32819 and CVE-2022-32826).
What’s more, the latest version of macOS resolves five security vulnerabilities in the SMB module that could be potentially exploited by a malicious app to gain elevated privileges, leak sensitive information, and execute arbitrary code with kernel privileges.
Users of Apple devices are recommended to update to iOS 15.6, iPadOS 15.6, macOS Monterey 12.5 (Big Sur 11.6.8 or 2022-005 Catalina for older generation Macs), tvOS 15.6, and watchOS 8.7 to obtain the latest security protections.
Posted by Matthew Maurer and Mike Yu, Android team
To help keep Android users’ DNS queries private, Android supports encrypted DNS. In addition to existing support for DNS-over-TLS, Android now supports DNS-over-HTTP/3 which has a number of improvements over DNS-over-TLS.
Most network connections begin with a DNS lookup. While transport security may be applied to the connection itself, that DNS lookup has traditionally not been private by default: the base DNS protocol is raw UDP with no encryption. While the internet has migrated to TLS over time, DNS has a bootstrapping problem. Certificate verification relies on the domain of the other party, which requires either DNS itself, or moves the problem to DHCP (which may be maliciously controlled). This issue is mitigated by central resolvers like Google, Cloudflare, OpenDNS and Quad9, which allow devices to configure a single DNS resolver locally for every network, overriding what is offered through DHCP.
In Android 9.0, we announced the Private DNS feature, which uses DNS-over-TLS (DoT) to protect DNS queries when enabled and supported by the server. Unfortunately, DoT incurs overhead for every DNS request. An alternative encrypted DNS protocol, DNS-over-HTTPS (DoH), is rapidly gaining traction within the industry as DoH has already been deployed by most public DNS operators, including the Cloudflare Resolver and Google Public DNS. While using HTTPS alone will not reduce the overhead significantly, HTTP/3 uses QUIC, a transport that efficiently multiplexes multiple streams over UDP using a single TLS session with session resumption. All of these features are crucial to efficient operation on mobile devices.
DNS-over-HTTP/3 (DoH3) support was released as part of a Google Play system update, so by the time you’re reading this, Android devices from Android 11 onwards1 will use DoH3 instead of DoT for well-known2 DNS servers which support it. Which DNS service you are using is unaffected by this change; only the transport will be upgraded. In the future, we aim to support DDR which will allow us to dynamically select the correct configuration for any server. This feature should decrease the performance impact of encrypted DNS.
Performance
DNS-over-HTTP/3 avoids several problems that can occur with DNS-over-TLS operation:
As DoT operates on a single stream of requests and responses, many server implementations suffer from head-of-line blocking3. This means that if the request at the front of the line takes a while to resolve (possibly because a recursive resolution is necessary), responses for subsequent requests that would have otherwise been resolved quickly are blocked waiting on that first request. DoH3 by comparison runs each request over a separate logical stream, which means implementations will resolve requests out-of-order by default.
Mobile devices change networks frequently as the user moves around. With DoT, these events require a full renegotiation of the connection. By contrast, the QUIC transport HTTP/3 is based on can resume a suspended connection in a single RTT.
DoT intends for many queries to use the same connection to amortize the cost of TCP and TLS handshakes at the start. Unfortunately, in practice several factors (such as network disconnects or server TCP connection management) make these connections less long-lived than we might like. Once a connection is closed, establishing the connection again requires at least 1 RTT.In unreliable networks, DoH3 may even outperform traditional DNS. While unintuitive, this is because the flow control mechanisms in QUIC can alert either party that packets weren’t received. In traditional DNS, the timeout for a query needs to be based on expected time for the entire query, not just for the resolver to receive the packet.
Field measurements during the initial limited rollout of this feature show that DoH3 significantly improves on DoT’s performance. For successful queries, our studies showed that replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%. While it might seem suspect that the reported data is conditioned on successful queries, both DoT and DoH3 resolve 97% of queries successfully, so their metrics are directly comparable. UDP resolves only 83% of queries successfully. As a result, UDP latency is not directly comparable to TLS/HTTP3 latency because non-connection-oriented protocols have a different notion of what a “query” is. We have still included it for rough comparison.
Memory Safety
The DNS resolver processes input that could potentially be controlled by an attacker, both from the network and from apps on the device. To reduce the risk of security vulnerabilities, we chose to use a memory safe language for the implementation.
Fortunately, we’ve been adding Rust support to the Android platform. This effort is intended exactly for cases like this — system level features which need to be performant or low level (both in this case) and which would carry risk to implement in C++. While we’ve previously launched Keystore 2.0, this represents our first foray into Rust in Mainline Modules. Cloudflare maintains an HTTP/3 library called quiche, which fits our use case well, as it has a memory-safe implementation, few dependencies, and a small code size. Quiche also supports use directly from C++. We considered this, but even the request dispatching service had sufficient complexity that we chose to implement that portion in Rust as well.
We built the query engine using the Tokio async framework to simultaneously handle new requests, incoming packet events, control signals, and timers. In C++, this would likely have required multiple threads or a carefully crafted event loop. By leveraging asynchronous in Rust, this occurs on a single thread with minimal locking4. The DoH3 implementation is 1,640 lines and uses a single runtime thread. By comparison, DoT takes 1,680 lines while managing less and using up to 4 threads per DoT server in use.
Safety and Performance — Together at Last
With the introduction of Rust, we are able to improve both security and the performance at the same time. Likewise, QUIC allows us to improve network performance and privacy simultaneously. Finally, Mainline ensures that such improvements are able to make their way to more Android users sooner.
Acknowledgements
Special thanks to Luke Huang who greatly contributed to the development of this feature, and Lorenzo Colitti for his in-depth review of the technical aspects of this post.
Some Android 10 devices which adopted Google Play system updates early will also receive this feature. ↩
Google DNS and Cloudflare DNS at launch, others may be added in the future. ↩
DoT can be implemented in a way that avoids this problem, as the client must accept server responses out of order. However, in practice most servers do not implement this reordering. ↩
There is a lock used for the SSL context which is accessed once per DNS server, and another on the FFI when issuing a request. The FFI lock could be removed with changes to the C++ side, but has remained because it is low contention. ↩
Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. A fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates released by Apple on May 16, 2022. Microsoft shares the vulnerability disclosure credit with another researcher, Arsenii Kostromin (0x3c3e), who discovered a similar technique independently.
We encourage macOS users to install these security updates as soon as possible. We also want to thank the Apple product security team for their responsiveness in fixing this issue.
The App Sandbox is Apple’s access control technology that application developers must adopt to distribute their apps through the Mac App Store. Essentially, an app’s processes are enforced with customizable rules, such as the ability to read or write specific files. The App Sandbox also restricts the processes’ access to system resources and user data to minimize the impact or damage if the app becomes compromised. However, we found that specially crafted codes could bypass these rules. An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads.
We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix. Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open –stdin command on a specially crafted Python file with the said prefix.
Our research shows that even the built-in, baseline security features in macOS could still be bypassed, potentially compromising system and user data. Therefore, collaboration between vulnerability researchers, software vendors, and the larger security community remains crucial to helping secure the overall user experience. This includes responsibly disclosing vulnerabilities to vendors.
In addition, insights from this case study not only enhance our protection technologies, such as Microsoft Defender for Endpoint, but they also help strengthen the security strategies of software vendors and the computing landscape at large. This blog post thus provides details of our research and overviews of similar sandbox escape vulnerabilities reported by other security researchers that helped enrich our analysis.
How macOS App Sandbox works
In a nutshell, macOS apps can specify sandbox rules for the operating system to enforce on themselves. The App Sandbox restricts system calls to an allowed subset, and the said system calls can be allowed or disallowed based on files, objects, and arguments. Simply put, the sandbox rules are a defense-in-depth mechanism that dictates the kind of operations an application can or can’t do, regardless of the type of user running it. Examples of such operations include:
the kind of files an application can or can’t read or write;
whether the application can access specific resources such as the camera or the microphone, and;
whether the application is allowed to perform inbound or outbound network connections.
Figure 1. Illustration of a sandboxed app, from the App Sandbox documentation (photo credit: Apple)
Therefore, the App Sandbox is a useful tool for all macOS developers in providing baseline security for their applications, especially for those that have large attack surfaces and run user-provided code. One example of these applications is Microsoft Office.
Sandboxing Microsoft Office in macOS
Attackers have targeted Microsoft Office in their attempts to gain a foothold on devices and networks. One of their techniques is abusing Office macros, which they use in social engineering attacks to trick users into downloading malware and other payloads.
On Windows systems, Microsoft Defender Application Guard for Office helps secure Microsoft Office against such macro abuse by isolating the host environment using Hyper-V. With this feature enabled, an attacker must first be equipped with a Hyper-V guest-to-host vulnerability to affect the host system—a very high bar compared to simply running a macro. Without a similar isolation technology and default setting on macOS, Office must rely on the operating system’s existing mitigation strategies. Currently, the most promising technology is the macOS App Sandbox.
Viewing the Microsoft sandbox rules is quite straightforward with the codesign utility. Figure 2 below shows the truncated sandbox rules for Microsoft Word:
Figure 2. Viewing the Microsoft Word sandbox rules with the codesign utility
One of the rules dictates the kind of files the application is allowed to read or write. As seen in the screenshot of the syntax below, Word is allowed to read or write files with filenames that start with the “~$” prefix. The reason for this rule is rooted in the way Office works internally and remains intact for backward compatibility.
Figure 3. File read and write sandbox rule for Microsoft Word
Despite the security restrictions imposed by the App Sandbox’s rules on applications, it’s possible for attackers to bypass the said rules and let malicious codes “escape” the sandbox and execute arbitrary commands on an affected device. These codes could be hidden in a specially crafted Word macro, which, as mentioned earlier, is one of the attackers’ preferred entry points.
For example, in 2018, MDSec reported a vulnerability in Microsoft Office on macOS that could allow an attacker to bypass the App Sandbox. As explained in their blog post, MDSec’s proof-of-concept (POC) exploit took advantage of the fact that Word could drop files with arbitrary contents to arbitrary directories (even after passing traditional permission checks), as long as these files’ filenames began with a “~$” prefix. This bypass was relatively straightforward: have a specially crafted macro drop a .plist file in the user’s LaunchAgents directory.
The LaunchAgents directory is a well-known persistence mechanism in macOS. PLIST files that adhere to a specific structure describe (that is, contain the metadata of) macOS launch agents initiated by the launchd process when a user signs in. Since these launch agents will be the children of launchd, they won’t inherit the sandbox rules enforced onto Word, and therefore will be out of the Office sandbox.
Shortly after the above vulnerability was reported, Microsoft deployed a fix that denied file writes to the LaunchAgents directory and other folders with similar implications. The said disclosure also prompted us to look into different possible sandbox escapes in Microsoft Word and other applications.
Exploring Launch Services as means of escaping the sandbox
In 2020, several blog posts described a generic sandbox escape vulnerability in macOS’s /usr/bin/open utility, a command commonly used to launch files, folders, and applications just as if a user double-clicked them. While open is a handy command, it doesn’t create child processes on its own. Instead, it performs an inter-process communication (IPC) with the macOS Launch Services, whose logic is implemented in the context of the launchd process. Launch Services then performs the heavy lifting by resolving the handler and launching the right app. Since launchd creates the process, it’s not restricted by the caller’s sandbox, similar to how MDSec’s POC exploit worked in 2018.
However, using open for sandbox escape purposes isn’t trivial because the destination app must be registered within Launch Services. This means that, for example, one couldn’t run files like osascript outside the sandbox using open. Our internal offensive security team therefore decided to reassess the open utility for sandbox escape purposes and use it in a larger end-to-end attack simulation.
Our obvious first attempt in creating a POC exploit was to create a macro that launches a shell script with the Terminal app. Surprisingly, the POC didn’t work because files dropped from within the sandboxed Word app were automatically given the extended attribute com.apple.quarantine (the same one used by Safari to keep track of internet-downloaded files, as well as by Gatekeeper to block malicious files from executing), and Terminal simply refused to run files with that attribute. We also tried using Python scripts, but the Python app had similar issues running files having the said attribute.
Our second attempt was to use application extensibility features. For example, Terminal would run the default macOS shell (zsh), which would then run arbitrary commands from files like ~/.zshenv before running its own command line. This meant that dropping a .zshenv file in the user’s home directory and launching the Terminal app would cause the sandbox escape. However, due to Word’s sandbox rules, dropping a .zshenv file wasn’t straightforward, as the rules only allowed an application to write to files that begin with the “~$” prefix.
However, there is an interesting way of writing such a file indirectly. macOS was shipped with an application called Archive Utility responsible of extracting archive files (such as ZIP files). Such archives were extracted without any user interaction, and the files inside an archive were extracted in the same directory as the archive itself. Therefore, our second POC worked as follows:
Prepare the payload by creating a .zshenv file with arbitrary commands and placing it in a ZIPfile. Encode the ZIPfile contents in a Word macro and drop those contents into a file “~$exploit.zip” in the user’s home directory.
Launch Archive Utility with the open command on the “~$exploit.zip” file. Archive Utility ran outside the sandbox (since it’s the child process of /usr/bin/open) and was therefore permitted to create files with arbitrary names. By default, Archive Utility extracted the files next to the archive itself—in our case, the user’s home directory. Therefore, this step successfully created a .zshenv file with arbitrary contents in the user’s home directory.
Launch the Terminal app with the open command. Since Terminal hosted zsh and zsh ran commands from the .zshenv file, the said file could escape the Word sandbox successfully.
Figure 4. Preparing a Word macro with our sandbox escape for an internal Red Team operation
Perception Point’s CVE-2021-30864
In October 2021, Perception Point published a blog post that discussed a similar finding (and more elegant, in our opinion). In the said post, Perception Point released details about their sandbox escape (now identified as CVE-2021-30864), which used the following facts:
Every sandboxed process had its own container directory that’s used as a “scratch space.” The sandboxed process could write arbitrary files, including arbitrary filenames, to that directory unrestricted.
The open command had an interesting –env option that could set or override arbitrary environment variables for the launched app.
Therefore, Perception Point’s POC exploit was cleverly simple:
Drop a .zshenv file in the container directory. This was allowed because sandbox rules weren’t enforced on that directory.
Launch Terminal with the open command but use the –env option to override the HOME environment variable to point to the container directory. This made zsh consider the user’s home directory to be the container directory, and run commands from the planted .zshenv file.
Apple has since patched the vulnerability Perception Point reported in the latest version of macOS, Monterey. While we could still create the “~$exploit.zip” file in the user’s home directory, using open to launch the Archive Utility on the ZIP file now resulted in it being extracted to the Downloads folder. While this is an interesting behavior, we could no longer use it for sandbox escape purposes.
Final exploit attempt: Revisiting the ‘open’ command
After discovering that Apple has fixed both variants that abuse .zshenv, , we decided to examine all the command line options of the open command. Soon after, we came across the following:
Figure 5. The –stdin option in the open utility as presented by its manual entry
As mentioned earlier, we couldn’t run Python with a dropped .py file since Python refuses to run files with the “com.apple.quarantine” extended attribute. We also considered abusing the PYTHONSTARTUP environment variable, but Apple’s fix to CVE-2021-30864 apparently prevented that option, too. However, –stdin bypassed the “com.apple.quarantine” extended attribute restriction, as there was no way for Python to know that the contents from its standard input originated from a quarantined file.
Our POC exploit thus became simply as follows:
Drop a “~$exploit.py” file with arbitrary Python commands.
Run open –stdin=’~$exploit.py’ -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.
Figure 6. Sample minimal POC exploit code
We also came up with a version that’s short enough to be a Twitter post:
Figure 7. “Tweetable” POC exploit
Detecting App Sandbox escapes with Microsoft Defender for Endpoint
Since our initial discovery of leveraging Launch Services in macOS for generic sandbox escapes, we have been using our POC exploits in Red Team operations to emulate end-to-end attacks against Microsoft Defender for Endpoint, improve its capabilities, and challenge our detections. Shortly after our Red Team used our first POC exploit, our Blue Team members used it to train artificial intelligence (AI) models to detect our exploit not only in Microsoft Office but also on any app used for a similar Launch Services-based sandbox escape.
After we learned of Perception Point’s technique and created our own new exploit technique (the Python POC), our Red Team saw another opportunity to fully test our own detection durability. Indeed, the same set of detection rules that handled our first sandbox escape vulnerability still turned out to be durable—even before the vulnerability related to our second POC exploit was patched.
Figure 8. Microsoft Defender for Endpoint detecting Office sandbox escape
For Defender for Endpoint customers, such detection durability feeds into the product’s threat and vulnerability management capabilities, which allows them to quickly discover, prioritize, and remediate misconfigurations and vulnerabilities—including those affecting non-Windows devices—through a unified security console.
Although there is a greater awareness of cybersecurity threats than ever before, it is becoming increasingly difficult for IT departments to get their security budgets approved. Security budgets seem to shrink each year and IT pros are constantly being asked to do more with less. Even so, the situation may not be hopeless. There are some things that IT pros can do to improve the chances of getting their security budgets approved.
Presenting the Problem in a Compelling Way
If you want to get your proposed security budget approved, you will need to present security problems in a compelling way. While those who are in charge of the organization’s finances are likely aware of the need for good security, they have probably also seen enough examples of “a security solution in search of a problem” to make them skeptical of security spending requests. If you want to persuade those who control the money, then you will need to convince them of three things:
You are trying to protect against a real issue that presents a credible threat to the organization’s wellbeing.
Your proposed solution will be effective and that it isn’t just a “new toy for the IT department to play with”
Your budget request is both realistic and justified.
Use Data to Your Advantage
One of the best ways to convince those who are in charge that there is a credible cyber threat against the organization is to provide them with quantifiable metrics. Don’t resort to gathering statistics from the Internet. Your organization’s financial staff is probably smart enough to know that most of those statistics are manufactured by security companies who are trying to sell a product or service. Instead, gather your own metrics from inside your organization by using tools that are freely available for download.
Specops for example, offers a free Password Auditor that can generate reports demonstrating the effectiveness of your organization’s password policy and existing password security vulnerabilities. This free tool can also help you to identify other vulnerabilities, such as accounts that are using passwords that are known to have been leaked or passwords that do not adhere to compliance standards or industry best practices.
Example of Specops Password Auditor results in an Active Directory environment
Of course, this is just one of the many free security tools that are available for download. In any case, it is important to use metrics from within your own organization to demonstrate the fact that the security problem that you are trying to solve is real.
Highlight What a Solution Would Do
Once you demonstrate the problem to those who are in charge of the organization’s finances, do not make the mistake of leaving them guessing as to how you are planning on solving the problem. Be prepared to clearly explain what tools you are planning on using, and how those tools will solve the problem that you have demonstrated.
It’s a good idea to use visuals to demonstrate the practicality of your proposed solution. Be sure to explain how the problem is solved in non-technical language and enhance your argument with examples that are specific to your organization.
Estimated Time of Implementation and Seeing Results
We have probably all heard horror stories of IT projects that have gone off the rails. Organizations sometimes spend millions of dollars and invest years of planning into IT projects that never ultimately materialize. That being the case, it is important to set everyone’s mind at ease by showing them exactly how long it will take to get your proposed solution up and running and then how much additional time will be needed in order to achieve the desired result.
When you are making these projections, be careful to be realistic and not to make promises based on an overly ambitious implementation schedule. You should also be prepared to explain how you arrived at your projection. Keep in mind upcoming projects, company-wide goals, and fiscal year ideals when factoring in timing.
Demonstrate the Estimated Savings
Although security is of course a concern for most organizations, those who are in charge of an organization’s finances typically want to see some sort of return on investment. As such, it is important to consider how your proposed solution might save the company money. A few ideas might include:
Saving the IT department time, thereby reducing the number of overtime hours worked
Avoiding a regulatory penalty that could cost the organization a lot of money
Bringing down insurance premiums because data is being better protected
Of course, these are just ideas. Every situation is different, and you will need to consider how your security project can produce a return on investment given your own unique circumstances. It is important to include a cost-saving element for clarity sake, even if it is citing the average cost of a data breach in your industry.
Show You’ve Done Your Homework with a Pricing Comparison
As you pitch your proposed solution, stakeholders are almost certain to ask whether there might be a less expensive product that would accomplish your objectives. As such, it’s important to spend some time researching the solutions offered by competing vendors. Here are a few things that you should be prepared to demonstrate:
The total cost for implementing each potential solution (this may include licensing, labor, support, and hardware costs)
Why you are proposing a particular solution even if it is not the least expensive
If your solution is the least expensive, then be prepared to explain what you might be giving up by using the cheapest vendor.
What each vendor offers relative to the others
A Few Quick Tips
As you make your budgetary pitch, keep in mind that those to whom you are presenting likely have a limited understanding of IT concepts. Avoid using unnecessary technical jargon and be prepared to clearly explain key concepts, but without sounding condescending in the process.
It’s also smart to anticipate any questions that may be asked of you and have answers to those questions ready to go. This is especially true if there is a particular question that makes you a little bit uncomfortable.
Present your information clearly, confidently, and in a concise manner (I.e., make it quick!) so you can make your case without wasting time.
The James Webb Telescope reveals emerging stellar nurseries and individual stars in the Carina Nebula that were previously obscured. Credits: NASA, ESA, CSA, and STScI. Full image here.
“Somewhere, something incredible is waiting to be known.” — Carl Sagan
In the past few years, space technology and travel have been trending with increased attention and endeavors (including private ones). In our 2021 Year in Review we showed how NASA and SpaceX flew higher, at least in terms of interest on the Internet.
This week, NASA in collaboration with the European Space Agency (ESA) and the Canadian Space Agency (CSA), released the first images from the James Webb Telescope (JWST) which conducts infrared astronomy to “reveal the unseen universe”.
Webb’s First Deep Field is the first operational image taken by the James Webb Space Telescope, depicting a galaxy cluster with a distance of 5.12 billion light-years from Earth. Revealed to the public on 11 July 2022. Credits: NASA, ESA, CSA, and STScI. Full image here.
So, let’s dig into something we really like here at Cloudflare, checking how real life and human interest has an impact on the Internet. In terms of general Internet traffic in the US, Radar shows us that there was an increase both on July 11 and July 12, compared to the previous week (bear in mind that July 4, the previous Monday, was the Independence Day holiday in the US).
Next, we look at DNS request trends to get a sense of traffic to Internet properties (and using from this point on EST time in all the charts). Let’s start with the cornucopia of NASA, ESA and other websites (there are many, some dedicated just to the James Webb Telescope findings).
There are two clear spikes in the next chart. The first was around the time the first galaxy cluster infrared image was announced by Joe Biden, on Monday, July 11, 2022 (at 17:00), with traffic rising 13x higher than in the previous week. There was also a 5x spike at 01:00 EST that evening. The second spike was higher and longer and happened during Tuesday, July 12, 2022, when more images were revealed. Tuesday’s peak was at 10:00, with traffic being 19x higher than in the previous week — traffic was higher than 10x between 09:00 and 13:00.
The first image was presented by US president at around 17:00 on July 11. DNS traffic was 1.5x higher to White House-related websites than any time in the preceding month.
Conclusion: space, the final frontier
As we saw in 2021, space projects and announcements continue to have a clear impact on the Internet, in this case in our DNS request view of Internet traffic. So far, what the James Webb Telescope images are showing us is a glimpse of a never-before-seen picture of parts of the universe (there’s no lack of excitement in Cloudflare’s internal chat groups).
You can keep an eye on these and other trends using Cloudflare Radar and follow @CloudflareRadar on Twitter — recently we covered extensively Canada’s Internet outage.
Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.
To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.
New survey reveals lack of staff, skills, and resources driving smaller teams to outsource security.
As business begins its return to normalcy (however “normal” may look), CISOs at small and medium-size enterprises (500 – 10,000 employees) were asked to share their cybersecurity challenges and priorities, and their responses were compared the results with those of a similar survey from 2021.
Here are the 5 key things we learned from 200 responses:
1 — Remote Work Has Accelerated the Use of EDR Technologies
In 2021, 52% of CISOs surveyed were relying on endpoint detection and response (EDR) tools. This year that number has leapt to 85%. In contrast, last year 45% were using network detection and response (NDR) tools, while this year just 6% employ NDR. Compared to 2021, double the number of CISOs and their organizations are seeing the value of extended detection and response (XDR) tools, which combine EDR with integrated network signals. This is likely due to the increase in remote work, which is more difficult to secure than when employees work within the company’s network environment.
2 — 90% of CISOs Use an MDR Solution
There is a massive skills gap in the cybersecurity industry, and CISOs are under increasing pressure to recruit internally. Especially in small security teams where additional headcount is not the answer, CISOs are turning to outsourced services to fill the void. In 2021, 47% of CISOs surveyed relied on a Managed Security Services Provider (MSSP), while 53% were using a managed detection and response (MDR) service. This year, just 21% are using an MSSP, and 90% are using MDR.
3 — Overlapping Threat Protection Tools are the #1 Pain Point for Small Teams
The majority (87%) of companies with small security teams struggle to manage and operate their threat protection products. Among these companies, 44% struggle with overlapping capabilities, while 42% struggle to visualize the full picture of an attack when it occurs. These challenges are intrinsically connected, as teams find it difficult to get a single, comprehensive view with multiple tools.
4 — Small Security Teams Are Ignoring More Alerts
Small security teams are giving less attention to their security alerts. Last year 14% of CISOs said they look only at critical alerts, while this year that number jumped to 21%. In addition, organizations are increasingly letting automation take the wheel. Last year, 16% said they ignore automatically remediated alerts, and this year that’s true for 34% of small security teams.
5 — 96% of CISOs Are Planning to Consolidate Security Platforms
Almost all CISOs surveyed have consolidation of security tools on their to-do lists, compared to 61% in 2021. Not only does consolidation reduce the number of alerts – making it easier to prioritize and view all threats – respondents believe it will stop them from missing threats (57%), reduce the need for specific expertise (56%), and make it easier to correlate findings and visualize the risk landscape (46%). XDR technologies have emerged as the preferred method of consolidation, with 63% of CISOs calling it their top choice.
Something has to be readable for machines and humans to understand it, right? Easy-to-read content has a greater chance of success as more people tend to understand it quickly. The same goes for machines — search engines rely on structured data to help them understand the meaning of your pages. In Yoast SEO 19.3, we’re bringing readability improvements to both humans and machines.
Schema structured data in Yoast SEO 19.3
You probably know the importance of structured data — search engines use it to grasp your content. They use those insights to determine if your content is valid for a rich result, visually highlighting it in the search results. But schema does other things as well.
A better way to handle images in the schema
In Yoast SEO 19.3, we’re improving how we handle images in our schema. If you want the proper pictures to show on your different output channels, you must be sure that search engines can find the right ones. We’ve changed the way we handled this.
At first, we relied on the OpenGraph image and Twitter image. The thing is, these often contain text to help them stand out on social media. On Google Discover, text on an image is not helpful and might hinder the performance of your post. Now, we output the textless featured image as the initial image for search engines to use. The main benefit is that services like Google Discover can use the right image — making your content shine! It increases the chance that your content will do well on Google Discover.
More robust handling of the webpage’s schema id
Yoast SEO comes with a thorough structured data implementation. From the start, we’ve been advocating using the id to tie all the different parts of a site together in one schema graph. In Yoast SEO 19.3, we’re improving how we handle the @id of the main schema WebPage node to be just the permalink for the current page. Doing this makes it easier for other plugins to build on our work.
Yoast SEO Premium: New word complexity assessment to grade content
The readability analysis in Yoast SEO helps you to write content that is easy to read and quick to understand. We see excellent readability as a fundamental human right online. Sometimes, people accuse us of dumbing down content, but we like to turn that around — by making your content easier to read, you open it up for a lot more people.
For years, we used the Flesch Reading Easy score to give you a sense of how difficult a text would be to understand for users of different levels. This reading score works well, but it’s hard to make it more actionable. We’re introducing a new word complexity analysis that scans your content to see if you use too many complex words in your text.
Go Premium and get access to all our features!
Premium comes with lots of features and free access to our SEO courses!
Word complexity is in beta and English only for now
One of the advantages of the complex word assessment is that it’s actionable. We can mark words that are complex according to our definition. The words we recognize as complex are, for the most part, complicated words that you might want to reconsider. By marking them in the text, you can easily change these to a more common alternative.
Of course, some words aren’t that difficult, but we still highlight them. Also, you might be in a situation where your keyphrase is considered a complex word. In rare cases, you might get a bit of duality in the feedback. That is one of the reasons we’re releasing the word complexity feature in Yoast SEO Premium beta and for English only.
The word complexity feature can highlight difficult words in your text
Flesch Reading Ease score moved to Insights tab
In Yoast SEO 19.3, you’ll notice that the Flesch Reading Ease score is no longer available in the readability section as it’s been replaced by the word complexity feedback. We haven’t removed it, but we’ve moved it to the Insights tab. Here, you’ll find the score and some other excellent insights into your content, like the word count, reading time, and the prominent words feature.
In the Yoast SEO Insights tab, you can find more information about your article
Enhancement to the crawl settings
The past two releases of Yoast SEO Premium saw the introduction and expansion of our new crawl settings. With these crawl settings, you can get better control over what search engines crawl and don’t crawl on your site. This is designed to help you decrease the baggage that WordPress comes with out of the box.
We’re not done with the crawl settings because we have many ideas to improve and expand these. In Yoast SEO Premium 18.9, we’re improving the handling of RSS feeds. We now add canonical HTTP headers from RSS feeds to their parent URLs (for instance, your homepage or specific categories or tags), so the feeds are less likely to appear in search results.
Update now to Yoast SEO 19.3
This is just a sampling of the changes and fixes to Yoast SEO 19.3. We have structured data updates, a new word complexity assessment in Yoast SEO Premium 18.9, improvements to the crawl settings, and more. Go download it now!
