Thought leadership. Threat analysis. Cybersecurity news and alerts.
Vulnerable Internet-Exposed Applications Compromised in 24 Hours, Report Shows
A study conducted by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised in just 24 hours.
Vulnerable internet-exposed applications once compromised pose a security risk to cloud environments within the same infrastructure.
Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots to verify how fast threat actors compromise four vulnerable internet-exposed applications, namely, secure shell protocol (SSH), remote desktop protocol (RDP), Samba, and Postgres.
Honeypots are network-attached computers that are purposely set up to lure threat actors to access these network-attached computers. Honeypots are set up to study the attackers’ methodologies.
SSH is a protocol that allows users to open remote shells on other computers. Samba is a free software re-implementation of the Server Message Block (SMB) networking protocol. SMB is a communication protocol used for sharing access to files, printers, serial ports for Windows computers on the same network or domain.
RDP, meanwhile, is a network communications protocol developed by Microsoft, allowing users to remotely connect to another computer. Postgres, also known as PostgreSQL, is an enterprise-class open source database management system.
Access to any of these four standard applications allows attackers to remotely connect to the victim’s network and perform malicious activities such as further compromising cloud environments within the same network.
The honeypots deployed by the Unit 42 researchers had vulnerable SSH, Samba, RDP, and Postgres. For instance, they intentionally use weak usernames and weak passwords.
Weaknesses in SSH, Samba, RDP, and Postgres are often exploited by cyberattackers. Ransomware groups, including REvil and Mespinoza, are known to exploit internet-exposed applications to gain initial access to victims' environments.
In Q3 2021, Digital Shadows reported that RDP and SSH are among the top access of choice of Initial Access Brokers – individuals or groups that act as intermediaries in identifying vulnerable organizations and selling access to the networks of these vulnerable organizations to the highest bidder.
Unit 42 researchers found that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. Out of the four vulnerable internet-exposed applications, SSH was the most attacked application and on average, each SSH honeypot was compromised 26 times daily.
The researchers also found that one threat actor compromised 96% of 80 Postgres honeypots globally within 30 seconds. The researchers’ honeypots applied firewall policies to block IPs from known network scanners. They found that blocking known scanner IPs is ineffective in mitigating attacks as 85% of the attacker IPs were observed only on a single day.
"This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks,” Unit 42 researchers said. “A list of malicious IPs created today will likely become outdated tomorrow.”
The researchers also found that vulnerable internet-exposed applications were compromised multiple times by multiple different attackers. As attackers competed for the victim’s resources, tools such as Rocke or TeamTNT were used to remove the malicious software (malware) left by other cyberattackers.
"The speed of vulnerability management is usually measured in days or months,” Unit 42 researchers said. “The fact that attackers could find and compromise our honeypots in minutes was shocking. When a misconfigured or vulnerable service [application] is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service.”
The speed at which threat actors find vulnerable internet-facing applications is achieved through the process called scanning. Threat actors aren’t alone in finding vulnerable internet-facing applications through scanning.
Legitimate scanning service providers, such as Shodan, Censys, and Shadowserver, allow users to find vulnerable internet-facing applications. These legitimate scanning service providers have fixed IP addresses. Threat actors, on the other hand, as shown in the findings of the Unit 42 researchers, don’t use fixed IP addresses, but rather change their IP addresses every day.
Unit 42 researchers identified an average of 75,000 unique scanner IP addresses globally that enumerated more than 9,500 different ports every day. The researchers found that Samba, Telnet (a protocol that allows users to connect to remote computers over a TCP/IP network, such as the internet), and SSH were the three most scanned services, accounting for 36% of scanning traffic globally.
Scanning, per se, doesn’t compromise vulnerable internet-facing applications. This method, however, is used by cybercriminals to identify potential victims.
Cybersecurity Best Practices
Here are some of the cybersecurity best practices to protect your organization’s vulnerable internet-exposed applications:
Keep to a bare minimum the exposure of applications to the internet. If internet-exposed applications aren’t used, disable them.
If there’s a need to expose these applications to the internet, secure them by applying in a timely manner the security updates, by using strong passwords, multi-factor authentication (MFA), and other security measures such as virtual private network (VPN).
In using a Firewall, use the whitelisting approach, rather than the blacklisting approach. In whitelisting, only the approved or whitelisted entities are given access to your organization’s network, blocking all others. Blacklisting, on the other hand, blocks known malicious IP addresses. As shown in the study conducted by Unit 42 researchers, cyberattackers regularly change their IP addresses defeating the purpose of blacklisting.
The Rise of Internet Access Brokers
Researchers from BlackBerry Research & Intelligence Team recently discovered three separate threat groups using the same IT infrastructure maintained by a threat actor dubbed as Zebra2104, which the researchers believe to be an Initial Access Broker.
What Is an Initial Access Broker?
As the name denotes, an Initial Access Broker either buys or sells goods or assets for others. In this case, what is being bought or sold for others is the initial access to the victim’s network.
Once an Initial Access Broker has access to an organization’s network, the broker then advertises this initial access to prospective buyers in the underground forums on the dark web. Initial Access Brokers typically sell access to the victim’s network to the highest bidder on underground forums. The winning bidder then deploys ransomware or other malicious software (malware) to steal or snoop the victim’s critical data.
Initial Access Broker is the first kill chain of many cyberattacks, including ransomware attacks. Initial access to victims’ networks comes in different forms. These include access to vulnerable and internet exposed remote desktop protocol (RDP) and virtual private network (VPN).
VPN, in principle, establishes a protected network connection when using public networks. In the past few years, a number of vulnerabilities have been discovered in many VPN products. RDP, short for remote desktop protocol, is a network communications protocol developed by Microsoft, allowing a computer user to remotely connect to another computer.
In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks", Microsoft Defender Security Research Team said that computers with RDP exposed to the internet are an attractive target for attackers as they offer attackers a simple and effective way to gain access to a network. According to Microsoft Defender Security Research Team, brute-forcing RDP doesn’t need a high level of expertise or the use of exploits.
“RDP connections almost always take place at port 3389, and attackers can assume that this is the port in use and target it to carry out man-in-the-middle attempts, amongst other attacks,” Digital Shadows researchers said in the blog post “Initial Access Brokers In Q3 2021”.
Digital Shadows researchers reported that during the third quarter of 2021, RDP and VPN continued to be the access of choice for Initial Access Brokers. During the third quarter of 2021, the average price for VPN was $1869, while the average price for RDP was $1902. According to Digital Shadows researchers, RDP and VPN were also the most popular access of choice for Initial Access Brokers Q1 and Q2 2021.
“This [popularity of RDP and VPN] is likely due to a combination of the increased use of both technologies as a result of the COVID-19 pandemic and the opportunities afforded to an actor purchasing a VPN or RDP access,” Digital Shadows researchers said.
Digital Shadows researchers added that the VPN-RDP combination – referring to access type that uses VPN access to a victim’s RDP dedicated server – was significantly more expensive in Q3 than the last quarter. “It’s realistically possible that this access type [VPN-RDP] may represent a more secure method of gaining access to targeted networks, and as a result, become more desirable for interested actors,” Digital Shadows researchers said.
Digital Shadows researchers reported that Initial Access Brokers are advertising various accesses to RAMP (Ransom Anon Mark Place), a recently relaunched Russian-language cybercriminal forum.
In the blog post "Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware", BlackBerry researchers said they uncovered a connection between the criminal activities of three distinct threat groups, MountLocker, Phobos, and StrongPity. “While it might seem implausible for criminal groups to be sharing resources, we found these groups [MountLocker, Phobos, and StrongPity] had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB),” BlackBerry researchers said.
MountLocker is a ransomware group that has been active since July of 2020. Phobos is another ransomware group that was first seen in early 2019. Phobos has been victimizing small-to-medium-sized organizations across a variety of industries. StrongPity, also known as Promethium, is an espionage group that has been active since at least 2012.
According to BlackBerry researchers, a single domain led them down a path where they uncovered multiple ransomware attacks by MountLocker, Phobos, and a command-and-control (C2) of StrongPity. “The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104,” BlackBerry researchers said.
Cybersecurity Best Practices
Cybercrime groups nowadays mimic multinational organizations’ business models. Similar to multinational organizations, cybercrime groups establish partnerships and alliances with other organizations, in this case, with Initial Access Brokers.
Considering that RDP and VPN are the popular initial accesses, it’s important to guard these two gateways. Here are some of the best practices to guard RDP and VPN:
Some of the most widespread and devastating cyberattacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have included multiple vulnerabilities – a cyberattack methodology known as “chaining”.
What Is Chaining?
Chaining is a type of cyberattack that uses a combination of multiple cybersecurity vulnerabilities rated “critical”, “high”, “medium”, or even “low”.
Today’s publicly disclosed cybersecurity vulnerabilities are listed or cataloged under CVE, which stands for Common Vulnerabilities and Exposures. Each cybersecurity vulnerability in the list is given an identification number.
For example, CVE-2021-26855 is the identification number given to a part of an attack chain against Microsoft Exchange Server. This security vulnerability has a “critical” rating under CVSS, which stands for Common Vulnerability Scoring System.
Although sponsored by the U.S. Department of Homeland Security (DHS) and CISA, CVE is run by the non-profit organization MITRE. The Forum of Incident Response and Security Teams (FIRST) provides a standard for CVSS numerical score and qualitative representation (critical, high, medium, and low) for CVE entries. The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), meanwhile, provides a free CVSS calculator for CVE entries.
Real-World Examples of Chaining Attacks
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 are four security vulnerabilities that are part of an attack chain against Microsoft Exchange Server.
Microsoft describes the four security vulnerabilities this way:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM [named given by Microsoft to the group behind this chain attack] the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
In the blog post "HAFNIUM targeting Exchange Servers with 0-day exploits", Microsoft said CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 vulnerabilities were used by the threat actor HAFNIUM to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.
According to CISA, attackers don’t rely only on “critical” vulnerabilities to achieve their goals. For instance, some attackers use lower score vulnerabilities to first gain a foothold, then exploit additional vulnerabilities to escalate privilege on an incremental basis.
In the above-mentioned real-world example of chaining attacks, CVE-2021-26855 has a critical CVSS rating, while CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 have a high CVSS rating.
In a chaining attack, threat actors don’t necessarily exploit multiple security vulnerabilities in one application. There are cases in which threat actors exploit vulnerabilities in multiple applications during a single attack.
Mitigating the Risks of Chaining Attacks
The best cybersecurity best practice against chaining attacks is by keeping all software up to date.
Keeping all software up to date, however, is easier said than done. As of November 11, 2021, there are a total of over 160,000 CVE records. Organizations need to properly assess and prioritize which security vulnerabilities should be patched first.
In the study "Historical Analysis of Exploit Availability Timelines", researchers at Carnegie Mellon University found that only 4% of the total number of CVEs have been publicly exploited in the wild. The researchers further found that out of the 4% publicly exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days of disclosure; and 75% within 28 days of disclosure. The CVSS ratings of some of these publicly exploited CVEs have “medium” or even “low” severity ratings.
CISA recently established a “living” catalog of CVEs that are exploited in the wild. The agency calls these publicly exploited CVEs as “Known Exploited Vulnerabilities (KEVs)”. CISA initially listed 182 vulnerabilities from 2017-2020 and 108 from 2021.
CISA said that the CVSS scores or ratings don’t always accurately depict the danger or actual hazard that a CVE presents.
Instead of only focusing on vulnerabilities that carry a specific CVSS rating, KEVs target vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors. CISA recommends that these KEVs have to be remediated within a more aggressive timeline.
CISA said these are two of the reasons for a more aggressive remediation timeline for KEVs:
Ransomware Attack Shuts Down Several Toronto Transit Commission (TTC) Services
Toronto Transit Commission (TTC), the public transport agency that provides public transportation services to commuters in Toronto and from surrounding municipalities, is still reeling days after a ransomware attack hit the agency’s computer network.
In a statement released last October 29th, TTC said that last October 28th, it learned it was the victim of a ransomware attack. The agency said TTC IT staff detected "unusual network activity" and attackers "broadened their strike on network servers."
TTC said the impacted services and systems include:
In the absence of the TTC's Vision system, operators have been forced to communicate with Transit Control with radios. Customers of Wheel Trans van service who couldn’t book online were asked to phone to reserve pickup. And without email service, customers are asked to call.
Shabnum Durrani, TTC head of corporate communications, told IT World Canada that she couldn’t say what ransomware strain attacked TTC. She couldn’t say also if the attackers were able to copy emails of employees, nor could she say if any corporate data was copied. When asked whether TTC has been in contact with the ransomware attackers, Durrani said, “I cannot comment on that at this time.”
As of November 3, TTC spokesperson Stuart Green said that Wheel Trans online booking system is now up and running.
Ransomware Attacks on Public Transport Systems
In December 2020, Metro Vancouver's transportation network TransLink confirmed that it was a victim of a ransomware attack.
“We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement. “This attack included communications to TransLink through a printed message.”
The ransomware attack on TransLink led to multi-day transit payment problems.
Back in 2016, the San Francisco Municipal Transportation Agency (SFMTA) confirmed that it was a victim of a ransomware attack. SFMTA said the ransomware attack affected approximately 900 office computers, and SFMTA's payroll system was temporarily affected. The transportation agency said no data was accessed from any of its servers.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts victims’ files, preventing victims from accessing their files. Ransomware attackers demand ransom payment from victims in exchange for the decryption tool that promises to unlock the encrypted files.
A few years back, there was no transparency on whether ransomware attackers also steal data from victims. Today, ransomware attackers are open that aside from encrypting files, they also steal data from victims. The acknowledgment that ransomware attackers steal data from victims gives rise to double extortion, and lately triple extortion.
In triple extortion, ransomware attackers demand ransom payment for each of these attack tactics:
Ransomware attackers first demand ransom payment for the decryption tool that promises to unlock the encrypted files.
Ransomware attackers now acknowledge that before encrypting files, they exfiltrate or steal data. Many ransomware attackers now maintain a website that names ransomware victims. These victims are threatened that stolen data from their computer networks will be published online if payment for the non-publication of the stolen date won’t be paid.
What used to be a stand-alone attack, Distributed Denial-of-Service (DDoS) has been made part of the whole attack process of some ransomware attackers. Darkside, the group behind the Colonial Pipeline ransomware attack has been known to add DDoS attack to their attack tactics.
In a DDoS attack, attackers overwhelm the target or its surrounding infrastructure with a flood of Internet traffic. One example of a DDoS attack is flooding a corporate website with malicious Internet traffic, preventing legitimate users from accessing the corporate website.
Adding DDoS on top of encryption and stealing data, adds pressure to IT staff who are already overwhelmed with the encryption and stolen data issues.
Security researchers also refer to ransomware triple extortion as an expansion of demand payments to victims’ customers, partners, and other third parties. Vastaamo, a Psychotherapy Center in Finland with nearly 40,000 patients, declared bankruptcy after attackers breached for nearly a year the Center’s computer network.
Attackers demand from Vastaamo to pay nearly half a million US dollars in Bitcoin. Patients’ personally identifiable information, including the actual written notes that therapists had taken, was stolen by the attackers. A few years after the breached period, attackers started sending extortion messages to the patients, asking them to pay a certain amount of money to prevent their data from being published. The attackers already leaked online the private data of hundreds of patients.
Cybersecurity Best Practices
Here are some cybersecurity best practices against ransomware attacks:
Steve E. Driz, I.S.P., ITCP