Microsoft DirectMusic Remote Code Execution Vulnerability

CVE-2023-36702

Microsoft AllJoyn API Denial of Service Vulnerability

CVE-2023-36709

Microsoft WordPad Information Disclosure Vulnerability

CVE-2023-36563

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2023-36778

In Silicon Labs uC/TCP-IP 3.6.0, TCP ISNs are improperly random.

**NAC Innovation Leadership**

Forescout is the overall innovation leader in Frost & Sullivan’s NAC Market Radar report.

Get the Report

**Zero downtime?  
Zero downtime.**

Avoid service disruptions and revenue loss with OT/ICS discovery, assessment, threat detection and response.

Learn More

**Modernize Your SIEM/SOC**

Say goodbye to legacy SIEM costs and alert fatigue, with next-gen SIEM/XDR.

Learn More

**Risk and Exposure Management**

Identify, quantify and prioritize cybersecurity risk and compliance

*   Cyber asset management
*   Visibility & compliance
*   Risk prioritization

**Network Security**

Assess, segment and enforce with proactive and reactive controls

*   Network asset control
*   Risk & threat containment
*   Segmentation management

**Threat Detection & Response**

Detect, investigate and respond to true threats and incidents

*   True threat correlation
*   Optimized security operations
*   SecOps visibility

**Vendor & Device Agnostic**

**Real-Time & Continuous**

**Managed & Unmanaged Cyber Assets**

**Flexible Deployment**

**Converged Platform**

**Proven at Scale**

Explore the Forescout Platform

**39B+**

Unique Data Points Monitored

**Must-Read Research****The Riskiest Connected Devices in 2023**

Since 2020, Forescout Research has been tracking the riskiest devices on organizations’ networks. Our reports are entirely based on data coming directly from connected devices. Throughout the years, we have noticed that although many device types are consistently in these lists – such as IP cameras, VoIP equipment and programmable logic controllers (PLCs) – due either to their inherent criticality or to the persistent lack of attention from security teams, there are other devices whose current risk level reflect developments in the threat landscape.

Blog

**DarkGate Loader Delivered via Microsoft Teams – How It Works, How to Mitigate It and How Forescout Can Help**

Read More

Blog

**R4IoT: When Ransomware Meets the Internet of Things**

Read More

Analyst Report

**2022 Gartner Market Guide for Operational Technology (OT) Security**

Download

**Schedule a Demo**

Get a personalized tour of our solutions and see how we can help you automate cybersecurity.

CVE-2020-27630: Forescout – Manage cyber risk and mitigate threats, continuously.

Google is making passkeys, the emerging passwordless login technology, the default option for users as it moves to make passwords “obsolete.”

Less than six months ago, Google announced that it was launching support for the password replacement known as “passkeys” for all personal accounts across its billions of users. Today, the company said it is going a step further and will make passkeys the default login setting for users.

When you log in to your Google account, you’ll get a prompt to create a passkey and start using it for login instead of relying on your Gmail address and password. Google will be turning on the “skip password when possible” option in account settings, which is essentially the passkey green light. Users who don't want to kill their password just yet will still be able to turn that setting off so they don't receive the prompts.

Password-based authentication is so ubiquitous in digital systems that it isn't easy to replace. But passwords have inherent security problems because they can be guessed and stolen. And since it's so difficult to keep track of dozens or hundreds of passwords, users often reuse the same passwords on multiple accounts, making it easier for attackers to unlock all of those accounts in one fell swoop. Passkeys are specifically designed to address these issues and dramatically reduce the risk of phishing attacks by instead relying on a scheme that manages cryptographic keys stored on your devices for account authentication.

Google didn't share statistics on passkey adoption so far, saying instead in a blog post that “people have used passkeys on their favorite apps like YouTube, Search and Maps, and we’re encouraged by the results.” The company points out that passkey support is expanding across other apps and services. Apple and Microsoft both support passkeys. And companies like Uber and eBay recently launched passkeys, and they're coming to WhatsApp soon.

“Passwordless is something we set out to achieve 10-plus years ago, and we’re thrilled to not only see us already on the next step of the journey with passkeys by offering them by default, but also to see the great feedback from users who have made the switch,” Christiaan Brand, identity and security group product manager at Google, tells WIRED.

There's so much inertia on passwords around the world that even a player as big and influential as Google can't force the issue overnight. But the company is clearly using its influence to steer users with gentle pressure that seems likely to continue mounting as passkeys gain broader momentum.

“We’ll keep you updated on where else you can start using passkeys across other online accounts,” the company wrote today. “In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys—making passwords a rarity, and eventually obsolete.”

Google Makes Passkeys Default, Stepping Up Its Push to Kill Passwords

Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms.
"This means the next time you sign in to your account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-ins," Google's Sriram Karra and Christiaan

Password Security / Technology

Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms.

"This means the next time you sign in to your account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-ins," Google's Sriram Karra and Christiaan Brand said.

"It also means you'll see the 'skip password when possible' option toggled on in your Google Account settings."

Passkeys are a new form of authentication that entirely eliminate the need for usernames and passwords, or even provides any additional authentication factor.

In other words, it's a passwordless login mechanism that leverages public-key cryptography to authenticate users' access to websites and apps, with the private key saved securely in the device and the public key stored in the server.

Each passkey is unique and bound to a username and a specific service, meaning a user will have at least as many passkeys as they have accounts, although there can be multiple passkeys per account since passkeys function only within the confines of the same platform.

A user can, therefore, have one passkey each for a website for Android, iOS, and Windows.

Thus, when a user signs into a website or app that supports passkeys, a random challenge is created and sent to the client, which, in turn, prompts the individual to verify using their biometric or a PIN in order to sign the challenge using the private key and send it back to the server.

Authentication is considered successful if the signed response can be validated using the associated public key.

An immediate benefit to passkeys is two-fold: they not only obviate the hassle of remembering passwords, but are also phishing-resistant, thereby safeguarding accounts against potential takeover attacks.

The development comes weeks after Microsoft officially began supporting passkeys in Windows 11 for improved account security. Other widely-used platforms like eBay and Uber have enabled passkey support in recent months.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Adopts Passkeys as Default Sign-in Method for All Users

By Deeba Ahmed
As the conflict escalates on the ground, hacktivists are gearing up for cyberwar.
This is a post from HackRead.com Read the original post: Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine

Amidst the escalating conflict between Palestine and Israel, both pro-Palestinian and pro-Israeli hacktivists are targeting critical Industrial Control Systems (ICS) that are vulnerable.

Several cybersecurity firms have reported that pro-Israeli and pro-Palestinian hacktivists are eyeing industrial control systems (ICS) amidst the growing tension between the two countries. ICSs could be a target of interest because hundreds of these systems are still vulnerable to exploitation.

Waqas Ahmed, the founder and editor of Hackread.com, noted that hacktivists typically resort to DDoS attacks or small-scale data leaks, especially during unfortunate escalations in the conflict between Palestine and Israel. However, in this case, they have escalated their activities to a higher level. An example of this escalation is AnonGhost, who hacked the Israeli rocket alert app Red Alert to send thousands of fake nuclear bomb alerts to Israeli smartphones.

AnonGhost posting their claims on Telegram (Screenshot: Telegram – Hackread.com)

Many hacktivists are looking to disrupt critical infrastructure and claim headlines because a cyberattack on critical infrastructure can cause severe economic, safety, operational, and reputational damage. Many ICSs, which are computerized systems installed to monitor/manage mechanical processes in different industries, remain exposed to such threats. 

In a report, CyberNews revealed that several Israeli organizations have exposed the SCADA communications protocol called Modbus. Around 400 exposed systems were identified along with 150 open Message Queuing Telemetry Transport (MQTT) ports. These ports manage communications between SCADA and MES (manufacturing execution system).

What’s worth noting is that this is not just in Israel, many Palestinian firms also have exposed MODBUS and MQTT, and in addition to that, have exposed Siemens automation and Symantec systems. Therefore, it isn’t surprising that threat actors are aiming to target them.

According to Microsoft, a Gaza-based threat actor Storm-1133, has started targeting Israeli private-sector, telecom, and defense organizations. This group is affiliated with Hamas, which controls the Gaza Strip. This means the fight has already started in the cyber realm.

Microsoft’s annual Digital Defense Report reveals that Storm-1133 uses different social engineering techniques and fake LinkedIn profiles to lure employees to Israeli organizations. They send phishing emails, deliver malware, conduct espionage, and even infiltrate third-party organizations having public ties to achieve their objectives. After the group gains access to its target organization, it deploys backdoors. It avoids detection by regularly updating its C2 infrastructure.

There are reports that the Israeli government and media outlets have also become targets of hacktivists. A multitude of attacks, mostly DDoS, are observed targeting Israeli organizations/entities. However, not all threat actors have claimed allegiance with any of the two parties involved. Such as ThreatSec intends to target both sides simultaneously.

“As you might know, we don’t like Israel, but… We also don’t like War! Soooo, as we have attacked Israel in the past, we now attack the Gaza region, where many of the Hamas fighters are located!” the group wrote on Telegram and claimed to own every server of Alfanet.ps, including Gaza strip’s biggest ISP Quintiez Alfa.

For your information, ThreatSec is one of the five families of the world’s most well-organized groups. The others include GhostSec, Stormous, SiegedSec, and Blackforums. Many other groups are actively targeting Israeli and Palestinian organizations.

In the ongoing conflicts, The Archivists Domain and ThreatSec have targeted Palestinian infrastructure, with The Siegedsec supporting the Palestinian side. Additionally, the Gonjeshke Darande group has been targeting Iran. (Screenshots: Hackread.com)

On Sunday, the website gov.il became inaccessible worldwide, and the Russian Killnet group took responsibility for the attack on Telegram. Killnet later stated that they won’t target ordinary Israeli citizens as they are after the regime that “sold itself to NATO.”

“The atrocities that Hamas or Israel commit against civilians are terrible! We exclude the possibility of attacking the critical infrastructure of both sides!” the gang noted on Telegram.

Microsoft’s researchers noted that nation-state threat actors are more interested in long-term espionage campaigns. Israel, the US, Ukraine, and South Korea are some of the most regularly targeted nations in the MENA and Asia-Pacific regions.

****_RELATED ARTICLES_****

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Israeli Oil Refinery Giant BAZAN Hit by Fresh Wave of Cyber Attacks
3.  Hackers interrupt Eurovision webcast in Israel with missile attack alert
4.  Hamas hackers posed as women to con IDF into downloading malware
5.  Israel Faces Fresh Wave of Cyberattacks Targeting Critical Infrastructure

Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine

Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.

**Summary**

Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan. Microsoft recommends customers follow the guidance provided in this blog to ensure your services are hardened and protected against this DDoS attack technique.

This DDoS attack, known as ‘HTTP/2 Rapid Reset’, leverages a flaw in the implementation of HTTP/2. Microsoft promptly created mitigations for IIS (HTTP.sys), .NET (Kestrel), and Windows, which were part of Microsoft Security Updates released on Oct 10th, 2023.

While this DDoS has the potential to impact service availability, it alone does _not_ lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised.

**Attack Details**

This HTTP/2 vulnerability allows malicious actors to launch a DDoS attack targeting HTTP/2 servers. The attack sends a set number of HTTP requests using HEADERS followed by RST\_STREAM and repeating this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST\_STREAM frames in a single connection, attackers can cause a significant increase in the request per second and high CPU utilization on the servers that eventually can cause resource exhaustion.

**Protecting your services from CVE-2023-44487**

This HTTP DDoS activity is primarily targeted at layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections in our web service implementations and patched services to better protect customers from the impact of these DDoS attacks. While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness.

*   Microsoft services used for hosting web applications have applied security updates to provide mitigations against this attack.
    
*   Microsoft recommends customers that are self-hosting web applications patch web servers/proxies using Windows update or Open-Source Software (OSS) fixes for CVE-2023-44487 as quickly as possible to protect their environments. Affected products requiring customer action have been released in our Microsoft Security Update Guide.
    
*   Microsoft recommends enabling Azure Web Application Firewall (WAF) on Azure Front Door or Azure Application Gateway to further improve security posture. WAF rate limiting rules are effective in providing additional protection against these attacks. Review recommendation section or this blog for more details.
    
*   Microsoft recommends restricting internet access to your web applications where possible.
    
*   If you are unable to apply the appropriate patches and your web application is not protected by WAF on Azure Front Door or Application Gateway, consider disabling HTTP2 on your web services. Please note disabling the HTTP2 protocol in your environment should be a deliberate decision, carefully assessing its potential impact on your products and services, as it can significantly influence performance and user experience.
    

**Recommendations – Layer 7 DDoS Protection Tips**

Microsoft recommends using layer 7 protection services such as Azure Web Application Firewall (WAF) (available with Azure Front Door, Azure Application Gateway) to protect web applications. Review the following mitigation guidance to reduce the impact of layer 7 DDoS attack: Application DDoS protection.

If using Azure WAF on Azure Front Door or Application Gateway:  

*   Use the bot protection managed rule set provides protection against known bad bots. For more information, see Configuring bot protection on Azure Front Door and Configuring bot protection on Application Gateway.
*   IP addresses and ranges that you identify as malicious should be blocked. For more information, see examples at Create and use custom rules for Azure Front Door and Create and use v2 custom rules for Application Gateway.
*   Traffic from outside a defined geographic region, or within a defined region, should be blocked, rate limited, or redirected to a static webpage. For more information, see examples at Create and use custom rules for Azure Front Door and Create and use v2 custom rules for Application Gateway.
*   Create rate limiting custom rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures. For more information, see examples at Create rate limiting custom rules for Azure Front Door and Create rate limiting custom rules for Application Gateway.

If using Azure API Management, in addition to fronting with WAF, customers should enable the following configuration:

*   Deploy your API Management instance into Virtual Network and enable DDOS protection
*   Apply L7 rate limit policy to block excessive HTTP traffic.

**Azure and M365**

Per the Cloud Shared Responsibility Model, Microsoft will be applying the appropriate security updates to the Microsoft managed SaaS and PaaS services as well as IaaS auto patched services using Safe Deployment Practices. Additionally, these services are also protected by DDoS services.  Customers using IaaS services that are on a manual patching are encouraged to apply the updates based on the guidance outlined above.

Microsoft follows Coordinated Vulnerability Disclosure (CVD), which systematically and responsibly manages the discovery, reporting, and remediation of security vulnerabilities. CVD allows us to collaborate with researchers and the wider security community in a way that prioritizes user security and system integrity. By following a coordinated approach, we can work with researchers and industry partners to ensure that potential vulnerabilities are addressed before they’re made public, reducing the risk of exploitation.

Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before details of the vulnerabilities are broadly available and misused. We want to thank Amazon, Cloudflare, and Google who reported this vulnerability under Coordinated Vulnerability Disclosure (CVD). We also want to thank the partners in the open-source community that worked with the Microsoft Security Response Center (MSRC) to develop fixes and help keep Microsoft customers safe.

**References**

*   Application DDoS protection - Azure Web Application Firewall | Microsoft Learn
*   DDoS protection on Azure Front Door | Microsoft Learn
*   2022 in review: DDoS attack trends and insights | Microsoft Security Blog
*   Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies | CISA

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to win a race condition.

Tag

#microsoft