While the attack surface has increased exponentially because of the cloud and everything-as-a-service providers, there are still ways in which host companies can harden supply chain security.

Today's cybersecurity landscape has changed dramatically due to digitalization and interconnectivity. While the benefits of each push businesses toward adoption, security risks associated with interconnectivity between networks and systems raise major concerns. Everything-as-a-service removes traditional security borders and opens the door to new cyber attacks that organizations might not be prepared to recognize or even deal with.

Moving resources into the hands of the final consumer now involves creating systems that handle, distribute, and process goods using a complex network of suppliers and services. These supply chains are what cybercriminals try to exploit, as third-party suppliers usually have some level of access to their customer's network. This, coupled with an advancing software stack that's integrated with critical internal infrastructures, increases the attack surface that threat actors can exploit to breach perimeter defenses.

Trust Is Often Exploited
The relationship between humans and technology is far from perfect. Cloud technologies can themselves be unpredictable in that they may interact with each other in unforeseen ways. When you add the human factor, which is inherently unpredictable, it raises security concerns that can be impossible to predict.

The cloud has become an integral part of digital businesses, but the lack of proper authorization, accountability, and authentication in the cloud enables the security threats we've come to know as supply chain attacks. This increased adoption of cloud services must push organizations to constantly reassess their external audit programs and due diligence processes. That re-evaluation must be repeated continually to identify potential security blind spots while reducing incident response times.


A feature in Microsoft Word that allows for the loading of sub-documents from a master document can be abused by attackers to steal a user’s credentials, according to Rhino Security Labs.

Dubbed subDoc, the feature was designed to load a document into the body of another document, so as to include information from one document into the other, while also allowing for the information to be edited and viewed on its own.

According to Rhino Security, the feature can also be used to load remote (Internet-hosted) subDoc files into the host document, thus allowing for malicious abuse in certain situations.

The feature, Rhino's researchers explain, is similar to attachedTemplate, another Office feature that can be abused by attackers for malicious purposes. The method allows the creation of malicious documents that would open an authentication prompt in the Windows style once the intended victim opens them, thus enabling the attacker to harvest credentials remotely.

“We determined, after testing in our sandbox environment, that abusing the subDoc method would allow us to do the same thing as the attachedTemplate method,” Rhino Security’s Hector Monsegur explains.

The researcher also points out that some organizations are not filtering egress SMB requests, meaning that they would leak the NTLMv2 authentication hash in the initial SMB request.

To exploit the feature, Rhino Security created a document opening a subDoc external resource using a Universal Naming Convention (UNC) path (a means of connecting to servers and workstations without specifying a drive) that points to a destination they would control.

This allowed them to use Responder to listen for incoming SMB requests and collect the NTLMv2 hashes. Available on GitHub, Responder is an LLMNR, NBT-NS and MDNS poisoner designed to answer File Server Service (SMB) requests while remaining stealthy on the network.

“The attack process for this would be to send a tainted document out to several targets while running Responder server on associated C&C server. After targets open the document, we intercept the respective hashes, crack them using hashcat and use our newly found credentials for lateral movement across the target network,” Monsegur explains.

When the document is opened, subDoc automatically attempts to load the external resource and shows the user a link in place of the sub-document itself. However, user interaction with the link isn’t required for the payload to execute, the researcher says. The link can also be hidden from the user, so that they wouldn’t notice the malicious intent.

The attack, the researcher points out, isn’t detected by popular anti-virus products, mainly because the subDoc feature hasn’t been publicly recognized as an attack vector.

The security researcher also published an open source tool designed to generate a Word subDoc for a user-defined URL and also to integrate it into a user-specified ‘parent’ Word doc. Dubbed Subdoc Injector, the tool is available on GitHub.

“Office has a myriad of loosely-documented features that have yet to be explored. As more research goes into these functions, more vulnerabilities and abusable functions will likely be discovered, making the situation difficult for defenders to protect their systems,” Monsegur notes.
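A defender-side check that follows from the article's description, added here as an example (not code from the article or from Rhino Security's tooling): it scans a .docx's OOXML relationship parts for subDoc or attachedTemplate links that are marked External and point at a UNC path or file:// URL, which is what triggers the outbound SMB authentication described above. The relationship type URIs are the standard OOXML ones; the sample relationship XML and the host name are constructed for the demonstration.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word fetch another document when the file opens.
RISKY_TYPES = {REL_BASE + "subDocument", REL_BASE + "attachedTemplate"}
# UNC paths (\\host\share), forward-slash UNC, and file:// URLs resolve over SMB.
SMB_TARGET = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)


def find_external_refs(rels_xml):
    """Return (relationship kind, target) pairs for external subDoc/template links."""
    findings = []
    root = ET.fromstring(rels_xml)
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        rtype = rel.get("Type", "")
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal").lower() == "external"
        if rtype in RISKY_TYPES and external and SMB_TARGET.match(target):
            findings.append((rtype.rsplit("/", 1)[-1], target))
    return findings


def scan_docx(path):
    """Scan every relationship part under word/ in a .docx and collect findings."""
    findings = []
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".rels"):
                findings.extend(find_external_refs(z.read(name)))
    return findings


# Constructed sample: one benign internal relationship (styles) and one
# subDocument relationship pointing at an external UNC share.
SAMPLE_RELS = """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument" Target="\\\\example.invalid\\share\\sub.docx" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for kind, target in find_external_refs(SAMPLE_RELS):
        print(f"suspicious external {kind}: {target}")
```

Run `scan_docx("file.docx")` against real attachments at a mail gateway or in a triage script; a non-empty result is worth quarantining even before any anti-virus verdict.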


Not a day goes by that Americans don’t wake to the news of a new cyber intrusion affecting private sector or government networks, whether major cyber hacks at Target or Equifax, sloppy data breaches like those Verizon experienced, or nation-state-sponsored efforts like the WannaCry virus. Companies and institutions are pouring more time, attention and resources into computer network security, because the networks are so critical. But why lock the front door when you leave the windows wide open? Bad actors can launch attacks and gain access to critical information through other routes too.

As seen with the widely reported interference in democratic elections, attacks can be launched cheaply and relatively easily by criminals, nation-states, terrorists, disgruntled employees, or even good people with sloppy habits who accidentally expose critical data. As a former Secretary of the Air Force, I can tell you that Air Force networks are attacked—and these attacks are repelled—thousands of times per week.

This is why, in addition to network security, the Air Force is focusing more resources on operational security. The private sector should follow suit.

Operational security means protecting assets that depend on lines of code in software to conduct missions, whatever those missions might be. This could involve anything from protecting advanced fighter aircraft to the HVAC systems on a base where critical operations take place. It could include the MRI machine in a hospital entrusted with sensitive patient data. Our critical infrastructure—the electrical grid and transportation systems, for example—can be equally vulnerable from an operational perspective, if network security is the sole focus.

The solution is to broaden the national cybersecurity approach to include “endpoint security” for vital operational systems. Stated another way, we need to wrap firewalls around certain vital machines to ensure that an intrusion in one area will not allow for a more extensive penetration to the broader network.

Consider a fictional scenario in which a U.S. nuclear facility is breached. A terrorist group launches a “cyber-physical attack” by unleashing a virus that penetrates sensors that monitor cooling. The malware is introduced when an infected flash drive is inserted into a network laptop during maintenance to adjust, for example, process sequences. The laptop is presumed to be safe because it’s not connected to the internet—it is “air gapped.” The virus targets specific endpoints that manage fail-safe functions such as temperature maximums. The virus tells temperature sensors to stop working. At the same time, it tells other mini computers to escalate heat-generating functions. The result could be catastrophic overheating and, ultimately, a meltdown.

Such attacks, and many others we haven’t thought of yet, are preventable when control systems are more deeply protected. Each device and sensor comprising the network can and should be shielded from malware that gets through the figurative front door.

Here’s the bottom line: we need a holistic approach to cybersecurity going forward, including network and endpoint security. Focusing on one but not the other could result in crippling losses in today’s machine-to-machine marketplace.

The government and the private sector need to keep working to lock the front door, and start doing a better job of bolting the windows.


In the near future – in all likelihood, later this month – at least Windows and Linux will get security updates that change the way those operating systems manage memory on Intel processors.

There’s a lot of interest, excitement even, about these changes: they work at a very low level and are likely to affect performance.

The slowdown will depend on many factors, but one report suggests that database servers running on affected hardware might suffer a performance hit around 20%.

“Affected hardware” seems to include most Intel CPUs released in recent years; AMD processors have different internals and are affected, but not quite as broadly.

So, what’s going on here?

On Linux, the forthcoming patches are known colloquially as KPTI, short for Kernel Page Table Isolation, though they have jokingly been referred to along the way as both KAISER and F**CKWIT.

The latter is short for Forcefully Unmap Complete Kernel With Interrupt Trampolines; the former for Kernel Address Isolation to have Side-channels Efficiently Removed.

Here’s an explanation.

Inside most modern operating systems, you’ll find a privileged core, known as the kernel, that manages everything else: it starts and stops user programs; it enforces security settings; it manages memory so that one program can’t clobber another; it controls access to the underlying hardware such as USB drives and network cards; it rules and regulates the roost.

Everything else – what we glibly called “user programs” above – runs in what’s called userland, where programs can interact with each other, but only by agreement.

If one program could casually read (or, worse still, modify) any other program’s data, or interfere with its operation, that would be a serious security problem; it would be even worse if a userland program could get access to the kernel’s data, because that would interfere with the security and integrity of the entire computer.

One job of the kernel, therefore, is to keep userland and the kernel carefully apart, so that userland programs can’t take over from the kernel itself and subvert security, for example by launching malware, stealing data, snooping on network traffic and messing with the hardware.

The CPU itself provides hardware support for this sort of separation: the x86 and x64 processors provide what are known as privilege levels, implemented and enforced by the chip itself, that can be used to segregate the kernel from the user programs it launches.

Intel calls these privilege levels rings, of which there are four; most operating systems use two of them: Ring 0 (most privileged) for the kernel, and Ring 3 (least privileged) for userland.