FBI Discloses MFA Bypass Attack in New CISA Alert (AA22-074A)

Multi-factor authentication (MFA) is now standard practice for keeping attackers out even after a password has been guessed or stolen. A new CISA case report from the FBI illustrates how business policies and system usability can quietly undermine that goal.

Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.

Brute-forcing the password should not have been possible in a properly configured authentication system: a simple, predictable password should have been rejected when it was set, and repeated guesses should have been throttled or locked out, before MFA even enters the picture.

Un-enrolling the dormant account from Duo while leaving it enabled in Active Directory should not have happened either; an inactive account should go straight to a disabled state in the directory, which makes the question of MFA re-enrollment moot.

In other words, if MFA is effectively removed from an account and the password is guessable, security has basically been disabled.
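As an added illustration (not part of the CISA alert, and not Duo's or any organization's production code), the check below cross-references a constructed directory export against a constructed MFA enrollment list and flags exactly the gap the alert describes: enabled accounts that have gone dormant or have no enrolled device. The second function is a toy model of the provider-side decision for a user who has no device; the policy names in it are illustrative and are not Duo's actual setting names.

```javascript
// Added example: audit for dormant-but-enabled accounts and for accounts with
// no MFA enrollment. All inputs are constructed for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed directory export (the kind of data an AD query would return).
const directoryAccounts = [
  { sam: "jdoe",    enabled: true,  lastLogon: "2022-03-01T09:00:00Z" },
  { sam: "svc-old", enabled: true,  lastLogon: "2021-06-01T09:00:00Z" }, // dormant, still enabled
  { sam: "mlee",    enabled: false, lastLogon: "2021-01-01T09:00:00Z" }, // dormant but disabled: fine
  { sam: "rkhan",   enabled: true,  lastLogon: "2022-03-10T09:00:00Z" }, // active, never enrolled
];

// Constructed MFA provider export: users with at least one enrolled device.
const mfaEnrolled = new Set(["jdoe", "mlee"]);

function daysSince(isoDate, nowMs) {
  return Math.floor((nowMs - Date.parse(isoDate)) / DAY_MS);
}

// Returns enabled accounts that are either idle longer than maxInactiveDays or
// have no MFA enrollment, each with the action the alert's lesson implies.
// Disabled accounts are skipped: nothing can be re-enrolled for them.
function findReenrollmentRisks(accounts, enrolled, nowMs, maxInactiveDays = 90) {
  const findings = [];
  for (const a of accounts) {
    if (!a.enabled) continue;
    const idleDays = daysSince(a.lastLogon, nowMs);
    const hasMfa = enrolled.has(a.sam);
    if (idleDays > maxInactiveDays) {
      findings.push({ sam: a.sam, idleDays, hasMfa, action: "disable in directory" });
    } else if (!hasMfa) {
      findings.push({ sam: a.sam, idleDays, hasMfa, action: "enroll via admin, not self-service" });
    }
  }
  return findings;
}

// Toy model of the provider's handling of a password-valid user with no
// enrolled device. Policy names are illustrative (assumption), but the
// behaviours mirror the alert: an enroll-on-demand default lets whoever
// holds the password add a device; "deny" fails closed.
function loginDecision(newUserPolicy, passwordOk, hasMfa) {
  if (!passwordOk) return "denied";
  if (hasMfa) return "prompt_second_factor";
  return newUserPolicy === "deny" ? "denied" : "self_enroll_then_allow";
}

// Stand-alone run against the constructed data.
const NOW = Date.parse("2022-03-15T00:00:00Z");
for (const f of findReenrollmentRisks(directoryAccounts, mfaEnrolled, NOW)) {
  console.log(`${f.sam}: idle ${f.idleDays}d, mfa=${f.hasMfa} -> ${f.action}`);
}
console.log("guessed password, enroll-on-demand policy:",
  loginDecision("require_enrollment", true, false));
console.log("guessed password, deny policy:",
  loginDecision("deny", true, false));
```

Run it with node. The dormant service account comes out as a disable-in-directory finding even though it no longer has any MFA device, which is precisely the state the alert describes; with the enroll-on-demand policy the holder of a guessed password walks through enrollment, with the deny policy they stop at the password prompt.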

Supply chain attack: node-ipc sabotaged as anti-war “protestware”

Update March 17: This post has been getting a lot of traffic from one of the notorious news “scrapers”.

Pierluigi Paganini first copied this post verbatim on March 16th to a site called malwaredefinition.com, then rewrote it slightly on March 17th, changing the title to “node-ipc NPM Package sabotage to protest Ukraine invasion”. That version also cited an article dated tomorrow (March 18th), calling it the first appearance:

The post node-ipc NPM Package sabotage to protest Ukraine invasion appeared first on Security Affairs

That’s obviously suspect, given that a March 17th article couldn’t possibly come after the March 18th one.

And then his March 18th write-up certainly didn’t come after this March 16th one, which he removed from his references… anyway, back to the story.


The node-ipc package maintainer (Brandon Nozaki Miller, of Monterey, California) intentionally sabotaged it around March 14th, causing downstream failures.

The Snyk vulnerability database declared it critical.

Note: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package that includes potentially undesired behavior.

CVE-2022-23812 provides a stark summary of what happened to those affected by the sabotage.

This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji.

Overwriting files is hardly an act of peace.

On March 8th the “peacenotwar” module was published, describing itself as an act of “protestware”:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now.

On March 10th an issue was opened requesting help with messaging, and it ended with this excited prediction of impact:

Planning on using this in the CommonsJS release which is the big one. Should be like half a million messages delivered in a day or two.
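The one defensible sentence in the “peacenotwar” README is that controlling your node modules matters. As an added example (not node-ipc’s code and not from the original post), the scanner below walks an npm package-lock.json and reports any installed package that matches a block rule. It assumes the lockfileVersion 2/3 layout, where a "packages" map keys install paths to metadata; the lockfile is constructed for illustration. The rule for node-ipc >= 11.0.0 follows the Snyk note quoted above; the exact-version rule is this example’s reading of the CVE-2022-23812 affected list and should be checked against the advisory before anyone relies on it.

```javascript
// Added example: scan an npm package-lock.json (lockfileVersion 2/3) for
// packages matching block rules. Lockfile and rules are constructed here.

function parseVersion(v) {
  // Accepts "1.2.3" or "1.2.3-tag"; returns [major, minor, patch].
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A rule names a package and optionally restricts versions:
//   exact: list of exact versions        min: inclusive lower bound (>=)
// A rule with neither matches every version of that package.
function ruleMatches(rule, name, version) {
  if (rule.name !== name) return false;
  if (rule.exact) return rule.exact.includes(version);
  if (rule.min) return compareVersions(version, rule.min) >= 0;
  return true;
}

// Package name is everything after the last "node_modules/" in the install
// path, which keeps scoped names (@scope/name) intact.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

function scanLockfile(lock, rules) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project's own entry
    const name = packageNameFromPath(installPath);
    for (const rule of rules) {
      if (ruleMatches(rule, name, meta.version)) {
        findings.push({ installPath, name, version: meta.version, reason: rule.reason });
      }
    }
  }
  return findings;
}

// Block rules. The exact-version list is this example's reading of the
// CVE-2022-23812 affected versions (assumption: verify against the advisory).
const rules = [
  { name: "peacenotwar", reason: "protestware module" },
  { name: "node-ipc", min: "11.0.0", reason: "imports peacenotwar" },
  { name: "node-ipc", exact: ["10.1.1", "10.1.2"], reason: "file-overwriting payload (CVE-2022-23812)" },
];

// Constructed lockfile: one direct node-ipc at 11.x pulling peacenotwar, plus
// an older nested copy under another dependency that should not be flagged.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "11.1.0" },
    "node_modules/node-ipc/node_modules/peacenotwar": { version: "9.1.5" },
    "node_modules/some-cli/node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/@scope/safe-pkg": { version: "2.0.0" },
  },
};

for (const f of scanLockfile(sampleLock, rules)) {
  console.log(`BLOCK ${f.name}@${f.version} at ${f.installPath}: ${f.reason}`);
}
```

In a CI job, replace sampleLock with the parsed contents of the real package-lock.json and fail the build on a non-empty result. Pinning exact versions in the lockfile and reviewing upgrades is what turns a surprise like this into a diff someone has to approve.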


Google pulls “Critical” alarm on Chrome CVE-2022-0971

Details are still sketchy on CVE-2022-0971, reported yesterday by the Google Chrome team, but they very clearly gave it a critical rating, topping a list of eight more vulnerabilities ranked as high.

Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21

A low-complexity, remotely exploitable bug needing no privileges and no user interaction, it is coming in with a predicted CVSS base score of 9.8 out of 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); only a changed-scope variant of that vector (S:C) would reach 10.

The current fixed Chrome version is 99.0.4844.74.

Google’s Blink code has generated a lot of bugs over time. Another “use-after-free” in the “layout implementation in Blink” was reported almost a decade ago as CVE-2013-6658:

Multiple use-after-free vulnerabilities in the layout implementation in Blink, as used in Google Chrome before 33.0.1750.117, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving (1) running JavaScript code during execution of the updateWidgetPositions function or (2) making a call into a plugin during execution of the updateWidgetPositions function.

Google Maps COVID-19 Highlights Explosion in Idaho

A search on Google Maps for COVID-19 cases highlights the northern “panhandle” area of Idaho, which stands out from the rest of the nation.

175 cases in Benewah County (population 9,285) is incredibly high. Why?

The 120 cases in Kootenai County (population 171,362) are a huge clue. Everything around Kootenai is showing spread, completely counter to the downward move everywhere else.

It looks fairly clear to me that the city of Coeur d’Alene failed in its basic duty to protect health, becoming an intentional infection center.

‘I would not vote to mandate masks’ says Coeur d’Alene mayor

Test positivity rates were approaching half of all tests in early 2022.

Kootenai County’s positivity rate dropped to 4.3% based on 1,220 PCR tests for the week ending March 5. It reached a high of 40% just six weeks ago.

Google is pulling data from the NYT, and there’s evidence cases may be even higher than what was being reported by Idaho officials.

The Coeur d’Alene Wastewater plant conducted a test of the city’s sewage, and the results suggested as many as 490 people could be infected with COVID-19.[…] Officially, the Panhandle Health District reports that only 87 people have COVID-19 in Kootenai County.