Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Top 3 Worst Cybersecurity PracticesThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently listed three cybersecurity practices as dangerous practices that can give rise to enhanced damages to technologies accessible from the internet. Below are the three practices that CISA has deemed as “dangerous” practices. The presence of these bad practices in organizations, CISA said, “is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public.” 1. Use of Unsupported (End-of-Life) SoftwareSecurity vulnerabilities in software are but normal. Software vendors, within a specified timeframe, are always on the lookout for these software security vulnerabilities. During this specified period, regular or unscheduled security updates, also known as patches, are released by security vendors to fix known security vulnerabilities. After the specified timeframe, also known as the software’s end-of-life (EOL), software vendors will stop releasing patches. Attackers love to exploit software that have reached their end of life on the premise that many users still use software that have reached their EOL. An example of software that has reached its end of life is Windows 7 operating system. On January 14, 2020, Microsoft ended its support for the Windows 7 operating system. Customers who purchased an Extended Security Update (ESU) plan can still receive support or security updates from Microsoft. In this case, the continued use of Windows 7 without ESU is a dangerous practice. “In 2017, roughly 98 percent of systems infected with WannaCry employed Windows 7 based operating systems,” the Federal Bureau of Investigation (FBI) said in its Private Industry Notification (PDF File). “After Microsoft released a patch in March 2017 for the computer exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.” 2. Use of Known/Fixed/Default Passwords and CredentialsThe use of known/fixed/default passwords is another bad practice that’s disastrous in technologies accessible from the internet. In July 2021, Microsoft Threat Intelligence Center reported that it observed new activity from the NOBELIUM threat actor using tactics such as password spray and brute-force attacks. In the blog post "Protecting your organization against password spray attacks," Diana Kelley, Microsoft Cybersecurity Field CTO said that adversaries in password spray attacks “acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords.” The Microsoft Cybersecurity Field CTO, meanwhile, said that brute-force attacks are targeted compared to password spray attacks, with attackers going after specific users and cycles through as many passwords as possible using dictionary words, common passwords, or conducting research to see if they can guess the user’s password, for instance, discovering family names through social media posts. In July 2021 as well, UK’s National Cyber Security Centre reported that it observed an increase in activity as part of malicious email and password spraying campaigns against a limited number of UK organizations. 3. Use of Single-Factor AuthenticationThe use of single-factor authentication is another bad practice that’s disastrous in technologies accessible from the internet. Single-factor authentication is the simplest form of authentication. With single-factor authentication, a user matches one credential to verify oneself online. The most common credential is the password to a username. “The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA said. “This dangerous practice is especially egregious in technologies accessible from the Internet.” Cybersecurity Best PracticesBelow are the cybersecurity practices that best counter the above-mentioned bad practices:
"There are over 300 million fraudulent sign-in attempts to our cloud services every day,” Maynes said. “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.” MFA, however, shouldn’t be your organization’s only defense against malicious actors as there are a handful known ways of bypassing MFA. . Practice network segmentation. In network segmentation, your organization’s network is sub-divided into sub-networks so that in case of a disaster in one network, the other networks won’t be affected. Modern Email Threat: Morse Code Used in Phishing AttacksMicrosoft has revealed that cybercriminals are changing tactics as fast as security and protection technologies do, with the latest tactic: The use of Morse code in phishing attacks. In the blog post "Attackers use Morse code, other encryption methods in evasive phishing campaign," Microsoft 365 Defender Threat Intelligence Team said that a year-long investigation found a targeted, invoice-themed XLS.HTML phishing campaign in which the attackers changed obfuscation and encryption mechanisms every 37 days on average, showing high motivation and skill level in order to constantly evade detection and keep the malicious operation running. The phishing campaign’s primary goal, Microsoft 365 Defender Threat Intelligence Team said, is to harvest sensitive data such as usernames, passwords, IP addresses, and location – information that attackers can use as an initial entry point for later infiltration attempts. In a phishing attack, attackers masquerade as a trusted entity and trick a victim into opening an email with a malicious attachment. In the phishing campaign observed for a year by Microsoft 365 Defender Threat Intelligence Team, the attackers initially sent out emails to targeted victims about a bogus regular financial-related business transaction, specifically sending a vendor payment advice. According to Microsoft 365 Defender Threat Intelligence Team, the malicious email contains HTML file attachment with “xls” file name variations. An attachment with xls file name ordinarily means it’s an Excel file. Opening this attachment, however, leads to a fake Microsoft Office 365 credentials dialog box, and lately to a legitimate Office 365 page. Entering one’s username and password into the fake Microsoft Office 365 credentials dialog box or legitimate Office 365 page leads to the activation of the attackers’ phishing kit – harvesting the user’s username, password, and other information about the user. According to Microsoft 365 Defender Threat Intelligence Team, the malicious HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. “Some of these code segments are not even present in the attachment itself,” Microsoft 365 Defender Threat Intelligence Team said. “Instead, they reside in various open directories and are called by encoded scripts. In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.” Morse CodeNamed after one of the inventors of the telegraph Samuel Morse, Morse Code is a code for translating letters to dots and dashes. According to Microsoft 365 Defender Threat Intelligence Team, in place of the plaintext HTML code, the attackers used Morse code – dots and dashes – to hide the attack segments. The use of Morse code in phishing attacks was first reported by u/speckz on Reddit last February. Lawrence Abrams of Bleeping Computer followed up the initial report of u/speckz. Abrams said Morse code was used by a threat actor to hide malicious URLs in their phishing campaign to bypass secure mail gateways and mail filters. When viewing the HTML attachment in a text editor, Abrams said, instead of the plaintext HTML code, Morse code is placed instead with dots and dashes. For instance, the letter “a” is written in “.-” and the letter 'b' is written in “-…”. “The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string,” Abrams said. “This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page. These injected scripts combined with the HTML attachment contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again. Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials.” According to the Microsoft 365 Defender Threat Intelligence Team, Morse code was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves. In the February phishing campaign, the Team said links to the JavaScript files were encoded using ASCII then in Morse code. In May, the Team added that the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code. Cybersecurity Best PracticesThe changing tactics and speed that cybercriminals use to update their obfuscation and encoding techniques in launching their phishing campaigns via Office 365 environment call for the following cybersecurity best practices:
To better protect your organization against modern threats and mitigate cyber risks, schedule a consultation with one of our cybersecurity experts today. What Is Kubernetes and How to Protect This Attack SurfaceKubernetes is fast becoming the target of attackers to steal data, steal computing power, or cause a denial of service. What Is Kubernetes?Kubernetes is an open-source system that’s often hosted in the cloud. It’s used to automate the deployment, scaling, and management of applications. Companies that use Kubernetes include Google and Tesla. Google originally developed and released Kubernetes as open-source in 2014. Google Cloud is the known birthplace of Kubernetes. Kubernetes development drew inspiration from Google’s Borg. “Google's Borg system is a cluster manager that runs hundreds of thousands of jobs, from many thousands of different applications, across a number of clusters each with up to tens of thousands of machines,” Google said. “It achieves high utilization by combining admission control, efficient task-packing, over-commitment, and machine sharing with process-level performance isolation. It supports high-availability applications with runtime features that minimize fault-recovery time, and scheduling policies that reduce the probability of correlated failures. Borg simplifies life for its users by offering a declarative job specification language, name service integration, real-time job monitoring, and tools to analyze and simulate system behavior.” While Kubernetes offers users a way to automate the deployment, scaling, and management of applications, it presents complexities. "Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations,” the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency said in the advisory “Kubernetes Hardening Guidance.” Tesla CaseIn February 2018, researchers at RedLock discovered that attackers had infiltrated Tesla’s Kubernetes console which wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said. According to RedLock researchers, attackers in the Tesla case stole the computing power for crypto mining from within one of Tesla’s Kubernetes pods. The researchers added that the attackers used the following evasion techniques to hide the illicit crypto mining: . The attackers didn’t use a well-known public “mining pool” in this attack, making it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity. . The attackers hid the true IP address of the mining pool server behind a free content delivery network (CDN) service, making IP address-based detection of crypto mining activity difficult. . The mining software was configured to listen on a non-standard port, making it difficult to detect malicious activity based on port traffic. . The attackers configured the mining software to keep the usage low to evade detection. Common Sources of Compromise in Kubernetes According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, the three common sources of compromise in Kubernetes are malicious threat actors, supply chain risks, and insider threats. Malicious Threat ActorsAccording to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, malicious threat actors often target the following Kubernetes architecture for remote exploitation: control plane, worker nodes, and containerized applications. The Kubernetes control plane is used to track and manage the cluster. The agencies said the Kubernetes control plane lacking appropriate access controls is often taken advantage by attackers. The Kubernetes worker nodes host the kubelet and kube-proxy service. According to the said agencies, worker nodes are potentially exploitable by attackers. The agencies added that the containerized applications running inside the Kubernetes cluster are common targets. "An actor can then pivot from an already compromised Pod or escalate privileges within the cluster using an exposed application’s internally accessible resources,” the agencies said. Supply Chain RisksIn supply chain risks, attackers may compromise a third-party software and vendors used to create and manage the Kubernetes cluster. A malicious third-party application running in Kubernetes could provide attackers with a foothold. The compromise of the underlying systems (software and hardware) hosting Kubernetes could provide attackers with a foothold as well. Insider ThreatsInsiders threats refer to individuals from within the organization who use their special knowledge and privileges against Kubernetes clusters. These individuals can be administrators, users, and cloud service or infrastructure provider. According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, Kubernetes administrators have control over the Kubernetes environment, giving them the ability to compromise the Kubernetes environment. Users who have knowledge and credentials to access containerized services in the Kubernetes cluster could compromise the Kubernetes environment as well. Cloud service or infrastructure provider, meanwhile, has access to physical systems or hypervisors managing Kubernetes nodes. This access could be used to compromise a Kubernetes environment. Cybersecurity Best PracticesThe U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency recommend the following best practices in order to protect your organization’s Kubernetes environment:
2021 Top 25 Most Dangerous Software WeaknessesSoftware has weaknesses. The most dangerous software weaknesses are those that are often easy to find, easy to exploit, and can allow attackers to completely take over a system, prevent an application from working, or steal data. MITRE recently released the 2021 top 25 most dangerous software weaknesses – a demonstrative list of the most dangerous software weaknesses over the previous two calendar years. To create the 2021 list, MITRE used the Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. The Software Weaknesses ListHere are the top 25 most dangerous software weaknesses over the previous two calendar years: 1. Out-of-Bounds WriteOut-of-bounds write, also known as memory corruption, occurs when the software writes data past the end or before the beginning of the intended buffer. This software weakness can result in code execution, corruption of data, or a crash. 2. Improper Neutralization of Input During Web Page GenerationImproper neutralization of input during web page generation, also known as cross-site scripting (XSS), occurs when the software doesn’t neutralize or incorrectly neutralizes user-controllable input before it’s outputted as a web page. 3. Out-of-Bounds ReadOut-of-bounds read occurs when the software reads data past the end or before the beginning of the intended buffer. This software weakness can cause a crash or allow attackers to read sensitive information from other memory locations. 4. Improper Input ValidationImproper input validation occurs when the software receives input or data, but it doesn’t validate or incorrectly validates the input. When a software doesn’t validate input properly, attackers can craft the input in a form that isn’t expected by the rest of the application. This can result in altered control flow, arbitrary code execution, or arbitrary control of a resource. 5. Improper Neutralization of Special Elements used in an OS CommandImproper neutralization of special elements used in an OS command, also known as OS command injection or shell injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it’s sent to a downstream component. This can allow attackers to execute dangerous commands directly on the operating system. 6. Improper Neutralization of Special Elements used in an SQL CommandImproper neutralization of special elements used in an SQL command, also known as SQL injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that can modify the intended SQL command when it’s sent to a downstream component. This can allow attackers to alter query logic to bypass security checks, execute system commands, or insert additional statements that modify the back-end database. 7. Use After FreeUse after free occurs when the use of previously-freed memory can cause the software to crash, cause corruption of valid data, or result in the execution of arbitrary code. 8. Improper Limitation of a Pathname to a Restricted DirectoryImproper limitation of a pathname to a restricted directory, also known as path traversal, occurs when the software doesn’t properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that’s outside of the restricted directory. This can allow attackers to escape outside of the restricted location to access files or directories that are elsewhere on the system. 9. Cross-Site Request Forgery (CSRF)Cross-site request forgery occurs when the web application doesn’t or can’t sufficiently verify a valid request provided by the user. This can allow attackers to trick a client into making an unintentional request to the web server which will then be treated as a valid request. 10. Unrestricted Upload of File with Dangerous TypeUnrestricted upload of file with dangerous type occurs when the software allows the uploading or transferring of files of dangerous types which can be automatically processed within the software’s environment. 11. Missing Authentication for Critical FunctionMissing authentication for critical function occurs when the software doesn’t perform any authentication for functionality that requires a valid user identity. This can allow attackers to read or modify sensitive data, access administrative or other privileged functionality, or execute arbitrary code. 12. Integer Overflow or WraparoundAn integer overflow or wraparound occurs when the software performs a calculation in which the logic assumes that the resulting value will always be larger than the original value. This can allow attackers to introduce other weaknesses when the calculation is used for execution control or resource management. 13. Deserialization of Untrusted DataDeserialization of untrusted data occurs when the software deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An assumption that the code in the deserialized object is valid is susceptible to exploitation. Attackers can change unexpected objects or data that was assumed to be safe from modification. 14. Improper AuthenticationImproper authentication occurs when the software doesn’t prove or insufficiently proves that the user’s identity is correct. 15. NULL Pointer DereferenceNULL pointer dereference occurs when the software dereferences a pointer that it expects to be valid, but is NULL, causing an exit or crash. 16. Use of Hard-coded CredentialsThe use of hard-coded credentials creates a software weakness that allows attackers to bypass the authentication that has been configured by the software administrator. 17. Improper Restriction of Operations within the Bounds of a Memory BufferImproper restriction of operations within the bounds of a memory buffer, also known as buffer overflow, occurs when the software performs operations on a memory buffer, but it can write to or read from a memory location that’s outside of the intended boundary of the buffer. This can allow attackers to change the intended control flow, execute arbitrary code, cause the system to crash, or read sensitive information. 18. Missing AuthorizationMissing authorization occurs when a software doesn’t perform an authorization check when a user attempts to access a resource. This can allow attackers to read sensitive data, modify sensitive data, or gain privileges by modifying or reading critical data directly, or by accessing privileged functionality. 19. Incorrect Default PermissionsIncorrect default permissions occur when during the installation of the application, installed file permissions are set to allow anyone to modify those files. This can allow attackers to read or modify application data. 20. Exposure of Sensitive Information to an Unauthorized ActorExposure of sensitive information to an unauthorized actor, also known as information leak, occurs when the software exposes sensitive information to a user that isn’t explicitly authorized to have access to that information. 21. Insufficiently Protected CredentialsInsufficiently protected credentials occur when the software transmits or stores authentication credentials, but it uses an insecure method. This can allow attackers to gain access to user accounts and access sensitive data. 22. Incorrect Permission Assignment for Critical ResourceIncorrect permission assignment for critical resource occurs when the software specifies permissions for a security-critical resource, allowing the resource to be read or modified by attackers. 23. Improper Restriction of XML External Entity ReferenceImproper restriction of XML external entity reference occurs when the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control. Common consequences of this software weakness include attackers being able to access arbitrary files on the system, or can cause consumption of excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. 24. Server-Side Request Forgery (SSRF)According to MITRE, in server-side request forgery, the “web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.” A real-world example of server-side request forgery attack allowed attackers to request a URL from another server, including other ports, which allowed proxied scanning. 25. Improper Neutralization of Special Elements used in a CommandImproper neutralization of special elements used in a command occurs when data from an untrusted source enters the application and the data from an untrusted source is executed as a command by the application. This gives attackers privileges or capabilities that they would not otherwise have. |
AuthorSteve E. Driz, I.S.P., ITCP Archives
September 2024
Categories
All
|
8/31/2021
0 Comments