LITIGATION SUPPORT TIP OF THE NIGHT

A European cyber security company, With Secure, recently posted its findings on a flaw in the encryption method used in the local installation version of Microsoft Office 365.

Office Message Encryption (OME) works with Electronic Codebook (ECB). A party attempting to decrypt Office encrypted messages (which are sent as email attachments), may be able to determine the content by detecting where certain blocks of text, such as confidentiality footers or headings, repeat in multiple messages. The structure will be apparent even to a party that doesn't have the key for the encrypted text. ECB will encrypt repeating blocks of text in the same way. As stated in NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation, "in the ECB mode, under a given key, any given plaintext block always gets encrypted to the same ciphertext block. "

Unlike a more secure encryption method like Cipher Block Chaining (CBC) ECB does not use an initialization vector, a random factor which prevents blocks of identical plaintext (unencrypted text) from having the same encryption. This diagram on the Sophos cyber security blog, demonstrates the problem with ECB:

With Secure's post points out that a 2021 Microsoft FIPS (Federal Information Processing Standard) Compliance post [made to comply with the Information Technology Management Reform Act of 1996's encryption requirements] states that, "Legacy versions of Office (2010) require AES 128 ECB, and Office docs are still protected in this manner by Office apps.".

So apparently in order to avoid trouble with users running older versions of MS Office being unable to decrypt messages encrypted with CBC or another encryption method, Microsoft will continue to use the weaker ECB method.

Last month, CISA (Cybersecurity and Infrastructure Security Agency) published its Cybersecurity Incident

& Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability

Response Activities in FCEB Information Systems . An appendix to this guide provides a checklist to use in responding to a security breach incident.

A bare description of the checklist can be boiled down to these steps:

1. Report the incident (to CISA) within one hour

2. Assess the operational and information impact.

3. Collect data about the incident.

4. Identify the technical basis of the incident - the IOC (indicators of compromise - such as a file hash or IP address) and the TTPs (tactics, techniques, and procedures - which describe why and how the attack took place).

5. Use a third party for intrusion detection.

6. Tune tools to mitigate the attack.

7. Implement a containment strategy - system backups; close ports and servers; prevent domain name resolution for attackers.

8. Eradication - reimage systems from backups.

9. Reset passwords and install updates and patches.

10. Post-Incident action - after action hotwash to evaluate the incident response.

11. Coordinate with the CISA and receive a CISA National Cyber Incident Scoring System (NCISS) priority level.

Beware of the recent BazarBackdoor exploit. The malware works by sending an email which contains a link to a PDF file. The email may reference a customer complaint.

According to Sophos the link may appear like this and be to a URL referencing Adobe:

The link actually leads to the Win 10 application installer (used by the Microsoft store) and the recipient will be prompted to install an ‘Adobe PDF Component’.

The app installer file comes with its own doctored digital certificate.

Amongst other things BazarBackdoor runs PowerShell to get the IP address of your network.