Cyber Threat Intelligence Briefing - August 28, 2023
The PacketWatch Intelligence Team : Aug 28, 2023 3:45:00 AM
Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights new post-quantum cryptographic (PQC) standards, the addition of Python to Microsoft Excel, and a major WinRAR code execution vulnerability.
Preparing for the Quantum Leap
Last week, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) released a factsheet highlighting the potential future impact of quantum computing capabilities and helping organizations begin to prepare for the upcoming 'post-quantum' cryptographic (PQC) standards.
These new standards are set to be released by NIST in 2024 with the intent of safeguarding encryption against quantum computer capabilities.
Why PQC Matters
Many products, protocols, and services today rely on public key cryptography, with algorithms such as RSA, ECDH, or ECDSA.
These algorithms are part of the fundamental infrastructure of the modern internet and currently allow for secure, encrypted communications (e.g., TLS certificates). With modern CPUs, breaking the encryption of these algorithms is extremely difficult and time-intensive. However, these types of cryptography are vulnerable to quantum computers.
In theory, a large enough quantum computer can break public key cryptography by exhaustively searching for all possible secret keys at once.
Additionally, CISA warns that threat actors can harvest encrypted data now and break the encryption later once they have more robust quantum computing at their disposal.
While the factsheet targets critical infrastructure, any organization with sensitive data that should be kept encrypted and secret can benefit from transitioning to the new PQC standards.
What Steps Can I Take?
The upcoming PQC standards are not yet published, but transitioning an environment to a new set of cryptographic protocols is complex and time-consuming. This is why CISA is encouraging organizations to begin planning and preparation now, so they will be ready to execute once the new standards are released.
- Create an inventory of critical data that needs to be protected.
- Also, try to define how long the data needs to be protected.
- Create an inventory of quantum-vulnerable technology (devices and software that use public-key cryptography). This includes both IT as well as OT systems.
- Use this 'quantum-vulnerable' inventory in the risk assessment process. This will help prioritize which systems (if any) need to deploy PQC as soon as it is available.
- Begin discussing post-quantum technologies with technology vendors.
- Identify and understand reliance and dependencies with supply chain vendors.
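The inventory and risk-assessment steps above can be turned into a simple ranking. The following is an added example, not part of the factsheet or the briefing: the asset rows, the list of quantum-vulnerable algorithms, the 2024 standards year and the scoring rule are all constructed assumptions, chosen so that data which must stay secret for years after the standards ship (the harvest-now-decrypt-later case) sorts to the top.

```python
"""Rank a crypto inventory for PQC migration planning (added example).

The inventory rows, algorithm list and scoring thresholds below are
constructed assumptions, not guidance from the CISA/NSA/NIST factsheet.
"""
from dataclasses import dataclass

# Public-key algorithms the briefing names as quantum-vulnerable.
# Symmetric ciphers such as AES are deliberately not on this list.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}

# Assumed year the NIST PQC standards are released, per the briefing.
PQC_STANDARDS_YEAR = 2024


@dataclass(frozen=True)
class Asset:
    name: str
    domain: str          # "IT" or "OT"
    algorithms: tuple    # algorithms the asset relies on
    protect_until: int   # year until which the data must stay secret


def vulnerable_algorithms(asset):
    """Return the asset's algorithms that a quantum computer could break."""
    return sorted(a for a in asset.algorithms if a.upper() in QUANTUM_VULNERABLE)


def priority(asset):
    """0 = no PQC action needed; higher = migrate sooner (assumed scoring).

    Data that must stay secret long after the standards ship is exposed to
    harvest-now-decrypt-later even if encrypted today, so the score grows
    with the protection horizon. OT gets a bump because such systems are
    typically slower to change (assumption).
    """
    if not vulnerable_algorithms(asset):
        return 0
    horizon = max(0, asset.protect_until - PQC_STANDARDS_YEAR)
    return 1 + horizon + (5 if asset.domain == "OT" else 0)


def migration_plan(assets):
    """Return (name, score, vulnerable algorithms), most urgent first."""
    ranked = [(a.name, priority(a), vulnerable_algorithms(a)) for a in assets]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: (-r[1], r[0]))


# Constructed sample inventory.
INVENTORY = [
    Asset("vpn-gateway", "IT", ("RSA", "ECDH", "AES"), 2030),
    Asset("hr-records-archive", "IT", ("AES",), 2040),
    Asset("plc-firmware-signing", "OT", ("ECDSA",), 2045),
    Asset("public-website-tls", "IT", ("ECDSA", "ECDH"), 2024),
]

if __name__ == "__main__":
    for name, score, algs in migration_plan(INVENTORY):
        print(f"{score:3d}  {name:22s} {', '.join(algs)}")
```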
For further details and instructions on how to begin planning for PQC, the full factsheet can be found here.
There's a Snake in My (Excel) Sheets
On August 22, Microsoft announced that Microsoft Excel will begin to include Python.
This feature will allow users to write Python code directly into a cell and leverage popular data processing libraries such as scikit-learn, Matplotlib, pandas, and more.
This new feature is currently being rolled out to users in the Beta Channel Insider program.
While the idea of yet another way to run code inside of an Excel workbook raises security concerns, it does appear that Microsoft has implemented this new feature with security in mind.
Per their Data Security documentation:
- No Python code runs on the host machine. It runs in an isolated hypervisor container in the Azure cloud.
- These containers have only a curated set of secured libraries provided by Anaconda.
- It does not have access to your computer, devices, or account.
- It does not have network access.
- It does not have access to a user token.
- The Python code accesses data from cells within the workbook using the 'xl()' function, and results are returned to the workbook from the hypervisor via the '=PY()' function, which displays results in the cell where the Python code was entered.
- The Python functions cannot return other object types, such as macros or VBA code.
- It does not have access to other properties in the workbook, such as macros, VBA code, or other formulas and charts.
For further details on the security measures taken with this feature, please see the Microsoft publication here.
There are currently no known exploits or workarounds for these security controls.
PacketWatch will continue monitoring for evidence that this new feature can be abused.
You can find additional information here: https://techcommunity.microsoft.com/t5/excel-blog/announcing-python-in-excel-combining-the-power-of-python-and-the/ba-p/3893439
Major WinRAR Code Execution Vulnerability
CVE-2023-40477
A new high-severity vulnerability in the popular WinRAR archiving software was discovered and disclosed by security researcher 'goodbyeslene' at the Zero Day Initiative.
The vulnerability, tracked as CVE-2023-40477, allows for arbitrary code execution if the user is tricked into opening a specially crafted archive file (typically via a phishing attack).
The developer of WinRAR, RARLAB, has released version 6.23, which addresses the vulnerability. Release notes for this version can be found here.
Organizations leveraging WinRAR are strongly encouraged to patch as soon as possible. It should also be noted that Windows 11 is implementing native support for tar, 7-zip, rar, and gz formats, which eliminates the requirement for using third-party applications to work with these formats.
If these formats are not used within the organization, it is recommended to block these file types from being received at the email gateway.
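A block list keyed on the attachment's extension is easy to sidestep by renaming the file, so a gateway rule should also look at the content. The following is an added example, not part of the briefing or of any gateway product: it recognises the formats named above (rar, 7z, tar, gz) by their magic bytes and falls back to the extension, with the sample attachments constructed inline.

```python
"""Block archive attachments by content as well as extension (added example).

Constructed sample attachments; the magic-byte signatures are the
standard ones for each format.
"""

# (format, byte offset, signature) for the formats the briefing names.
SIGNATURES = (
    ("rar", 0, b"Rar!\x1a\x07\x00"),       # RAR 4.x
    ("rar", 0, b"Rar!\x1a\x07\x01\x00"),   # RAR 5.x
    ("7z", 0, b"7z\xbc\xaf\x27\x1c"),
    ("gz", 0, b"\x1f\x8b"),
    ("tar", 257, b"ustar"),                # POSIX tar header magic
)

# Extensions to block even when the content is not recognised (assumed policy).
BLOCKED_EXTENSIONS = {"rar", "7z", "gz", "tgz", "tar"}


def archive_type(data: bytes):
    """Return the archive format detected from magic bytes, or None."""
    for fmt, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return fmt
    return None


def gateway_verdict(filename: str, data: bytes):
    """Return ("block" | "allow", reason) for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = archive_type(data)
    if fmt is not None:
        return "block", f"content is a {fmt} archive (extension .{ext or '?'})"
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the block list"
    return "allow", "no blocked archive format detected"


# Constructed sample attachments.
SAMPLES = {
    "invoice.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
    "invoice.pdf": b"Rar!\x1a\x07\x00" + b"\x00" * 16,           # renamed RAR
    "backup.tar": b"\x00" * 257 + b"ustar\x00" + b"\x00" * 10,
    "report.gz": b"\x1f\x8b\x08\x00",
    "notes.txt": b"Just text.",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, why = gateway_verdict(name, blob)
        print(f"{verdict:5s} {name:12s} {why}")
```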
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Disclaimer
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.