Thought leadership. Threat analysis. Cybersecurity news and alerts.
Did you know that the amount of money lost to cyberattacks in the US rose to a record $4.2 billion in 2020 and there were 800,000 cybercrime complaints made to the FBI? Phishing was the most common way used by cybercriminals to get confidential data from unsuspecting recipients.
Are you worried about the different cyberattacks that businesses have to watch out for? Do you want to learn about this cybersecurity threat so you can protect yourself and your business better? Keep reading to find out more.
1. Phishing Attack
The weakest link when it comes to your business's cybersecurity is your employees. They are vulnerable to many different kinds of cyberattacks, the most common of these being phishing attacks.
In this attack, cybercriminals trick your employees into revealing their login credentials. They might send an email with a malicious link in it, which when clicked asks them for their login details. If the employee is tricked into it, the cybercriminals can get access to their important accounts.
It's a cheap and efficient way for cybercriminals to get lots of sensitive and confidential data from people. This can leave your organization vulnerable to losing customers and future business because your reputation is degraded and negatively affected.
That's why people are always told never to click links in an email that seems suspicious and to never give out any sensitive or confidential information in an email.
2. Malware-Based Attack
Using a common delivery method like email, cybercriminals will install malware on the person's computer which will allow them access to the login details and other important data on the user's system. This kind of attack uses your weak link, i.e. employees, yet again. That's why training and informing your employees about various security threats is so crucial.
Sometimes the cybercriminals will select their targets carefully from the employee roster at an organization, but other times, they will send an email en masse and see what they get back.
3. Attacks Through Uploading Files
This file upload attack is used commonly on websites that allow users to upload files, like contact form attachments, social media posts, profile photos, etc. This allows cybercriminals to write a huge chunk of malicious code onto your server and get access to your entire website.
The problem is most websites have this file upload option on them, such as code in a user profile or contact form. No website seems safe from this vulnerability.
4. Outdated And Vulnerable Software
Sofware technology comes with a short life cycle and it needs constant updating, patches, and upgrades to ensure that it runs safely. And is also compatible with other software. It's important to ensure all the software your employees are updated and upgraded regularly.
Attacks on outdated software or those that haven't been patched happen primarily by attacks through SQL injection and brute force. So if you have a WordPress site, ensure that you update it to the latest version as soon as it's available to keep it safe from cyberattacks.
5. Password Attacks
The most common password used in the world in 2021 is still 123456! That leads to a situation where your sensitive accounts, databases, and servers are easily vulnerable to cybercriminals.
Even if you are using a complicated password for your login credentials, cybercriminals can use a bot to randomly generate passwords. They try logging into your account using those passwords until they get the correct one. That's called brute force attack.
Another way a cybercriminal can guess your password and get at your account is a dictionary attack where they analytically enter words in a dictionary as a password until they get the right one. Password spraying is where they use the few common passwords most people use and get access to your account that way.
That's why it's so important to choose a complicated password that's 8 characters or longer with alphanumeric characters and symbols.
Also, prompt your employees to change their password at least every six months. And make it mandatory so they can't log in without changing their password. This way they won't procrastinate on this very important task.
6. DNS Spoofing
How do you know you are going to the right website when you click on a particular link? You just assume you are, since you trust the internet and everything that happens on it (or most things that happen on it).
But through DNS spoofing, a cybercriminal submits false information into a DNS cache. This returns incorrect responses on a DNS query and lands the user on the wrong website. In this manner, the user submits their login information and other sensitive information to the wrong website, giving access to such important data to a cybercriminal.
7. Accidental Exposure Of Sensitive Data
Unfortunately, most people aren't too careful with their sensitive data. They leave it out in the 'open', making it vulnerable to data breaches, and unauthorized access to cybercriminals.
It's akin to leaving your laptop in a cafe and walking over to the bathroom to wash your hands. And being surprised when your laptop isn't anywhere to be found when you come back.
Ensure that anything that's publicly accessible doesn't contain any sensitive information on it. This includes files on public servers, error messages, database tables, and log files. All information online is vulnerable to a cyberattack and must be treated as such.
Cyberattacks Are Getting More Insidious As Time Goes On
Cybercriminals are becoming savvier and more dangerous as time goes on. They manipulate both online data and offline people to get access to sensitive information. If you are worried about cyberattacks and feel vulnerable to such security threats, putting your head in the sand won't help.
Speak to a cybersecurity cybersecurity experts at The Driz Group today.. We can help you build a solid plan for your business and employees to protect yourself from cyber threats of all kinds.
We are informed of all the latest to do with cybersecurity and will keep your system safe from all emerging threats. Our emergency response team is available 24/7 to protect you and your business.
Vulnerable Internet-Exposed Applications Compromised in 24 Hours, Report Shows
A study conducted by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised in just 24 hours.
Vulnerable internet-exposed applications once compromised pose a security risk to cloud environments within the same infrastructure.
Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots to verify how fast threat actors compromise four vulnerable internet-exposed applications, namely, secure shell protocol (SSH), remote desktop protocol (RDP), Samba, and Postgres.
Honeypots are network-attached computers that are purposely set up to lure threat actors to access these network-attached computers. Honeypots are set up to study the attackers’ methodologies.
SSH is a protocol that allows users to open remote shells on other computers. Samba is a free software re-implementation of the Server Message Block (SMB) networking protocol. SMB is a communication protocol used for sharing access to files, printers, serial ports for Windows computers on the same network or domain.
RDP, meanwhile, is a network communications protocol developed by Microsoft, allowing users to remotely connect to another computer. Postgres, also known as PostgreSQL, is an enterprise-class open source database management system.
Access to any of these four standard applications allows attackers to remotely connect to the victim’s network and perform malicious activities such as further compromising cloud environments within the same network.
The honeypots deployed by the Unit 42 researchers had vulnerable SSH, Samba, RDP, and Postgres. For instance, they intentionally use weak usernames and weak passwords.
Weaknesses in SSH, Samba, RDP, and Postgres are often exploited by cyberattackers. Ransomware groups, including REvil and Mespinoza, are known to exploit internet-exposed applications to gain initial access to victims' environments.
In Q3 2021, Digital Shadows reported that RDP and SSH are among the top access of choice of Initial Access Brokers – individuals or groups that act as intermediaries in identifying vulnerable organizations and selling access to the networks of these vulnerable organizations to the highest bidder.
Unit 42 researchers found that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. Out of the four vulnerable internet-exposed applications, SSH was the most attacked application and on average, each SSH honeypot was compromised 26 times daily.
The researchers also found that one threat actor compromised 96% of 80 Postgres honeypots globally within 30 seconds. The researchers’ honeypots applied firewall policies to block IPs from known network scanners. They found that blocking known scanner IPs is ineffective in mitigating attacks as 85% of the attacker IPs were observed only on a single day.
"This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks,” Unit 42 researchers said. “A list of malicious IPs created today will likely become outdated tomorrow.”
The researchers also found that vulnerable internet-exposed applications were compromised multiple times by multiple different attackers. As attackers competed for the victim’s resources, tools such as Rocke or TeamTNT were used to remove the malicious software (malware) left by other cyberattackers.
"The speed of vulnerability management is usually measured in days or months,” Unit 42 researchers said. “The fact that attackers could find and compromise our honeypots in minutes was shocking. When a misconfigured or vulnerable service [application] is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service.”
The speed at which threat actors find vulnerable internet-facing applications is achieved through the process called scanning. Threat actors aren’t alone in finding vulnerable internet-facing applications through scanning.
Legitimate scanning service providers, such as Shodan, Censys, and Shadowserver, allow users to find vulnerable internet-facing applications. These legitimate scanning service providers have fixed IP addresses. Threat actors, on the other hand, as shown in the findings of the Unit 42 researchers, don’t use fixed IP addresses, but rather change their IP addresses every day.
Unit 42 researchers identified an average of 75,000 unique scanner IP addresses globally that enumerated more than 9,500 different ports every day. The researchers found that Samba, Telnet (a protocol that allows users to connect to remote computers over a TCP/IP network, such as the internet), and SSH were the three most scanned services, accounting for 36% of scanning traffic globally.
Scanning, per se, doesn’t compromise vulnerable internet-facing applications. This method, however, is used by cybercriminals to identify potential victims.
Cybersecurity Best Practices
Here are some of the cybersecurity best practices to protect your organization’s vulnerable internet-exposed applications:
Keep to a bare minimum the exposure of applications to the internet. If internet-exposed applications aren’t used, disable them.
If there’s a need to expose these applications to the internet, secure them by applying in a timely manner the security updates, by using strong passwords, multi-factor authentication (MFA), and other security measures such as virtual private network (VPN).
In using a Firewall, use the whitelisting approach, rather than the blacklisting approach. In whitelisting, only the approved or whitelisted entities are given access to your organization’s network, blocking all others. Blacklisting, on the other hand, blocks known malicious IP addresses. As shown in the study conducted by Unit 42 researchers, cyberattackers regularly change their IP addresses defeating the purpose of blacklisting.
Some of the most widespread and devastating cyberattacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have included multiple vulnerabilities – a cyberattack methodology known as “chaining”.
What Is Chaining?
Chaining is a type of cyberattack that uses a combination of multiple cybersecurity vulnerabilities rated “critical”, “high”, “medium”, or even “low”.
Today’s publicly disclosed cybersecurity vulnerabilities are listed or cataloged under CVE, which stands for Common Vulnerabilities and Exposures. Each cybersecurity vulnerability in the list is given an identification number.
For example, CVE-2021-26855 is the identification number given to a part of an attack chain against Microsoft Exchange Server. This security vulnerability has a “critical” rating under CVSS, which stands for Common Vulnerability Scoring System.
Although sponsored by the U.S. Department of Homeland Security (DHS) and CISA, CVE is run by the non-profit organization MITRE. The Forum of Incident Response and Security Teams (FIRST) provides a standard for CVSS numerical score and qualitative representation (critical, high, medium, and low) for CVE entries. The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), meanwhile, provides a free CVSS calculator for CVE entries.
Real-World Examples of Chaining Attacks
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 are four security vulnerabilities that are part of an attack chain against Microsoft Exchange Server.
Microsoft describes the four security vulnerabilities this way:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM [named given by Microsoft to the group behind this chain attack] the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
In the blog post "HAFNIUM targeting Exchange Servers with 0-day exploits", Microsoft said CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 vulnerabilities were used by the threat actor HAFNIUM to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.
According to CISA, attackers don’t rely only on “critical” vulnerabilities to achieve their goals. For instance, some attackers use lower score vulnerabilities to first gain a foothold, then exploit additional vulnerabilities to escalate privilege on an incremental basis.
In the above-mentioned real-world example of chaining attacks, CVE-2021-26855 has a critical CVSS rating, while CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 have a high CVSS rating.
In a chaining attack, threat actors don’t necessarily exploit multiple security vulnerabilities in one application. There are cases in which threat actors exploit vulnerabilities in multiple applications during a single attack.
Mitigating the Risks of Chaining Attacks
The best cybersecurity best practice against chaining attacks is by keeping all software up to date.
Keeping all software up to date, however, is easier said than done. As of November 11, 2021, there are a total of over 160,000 CVE records. Organizations need to properly assess and prioritize which security vulnerabilities should be patched first.
In the study "Historical Analysis of Exploit Availability Timelines", researchers at Carnegie Mellon University found that only 4% of the total number of CVEs have been publicly exploited in the wild. The researchers further found that out of the 4% publicly exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days of disclosure; and 75% within 28 days of disclosure. The CVSS ratings of some of these publicly exploited CVEs have “medium” or even “low” severity ratings.
CISA recently established a “living” catalog of CVEs that are exploited in the wild. The agency calls these publicly exploited CVEs as “Known Exploited Vulnerabilities (KEVs)”. CISA initially listed 182 vulnerabilities from 2017-2020 and 108 from 2021.
CISA said that the CVSS scores or ratings don’t always accurately depict the danger or actual hazard that a CVE presents.
Instead of only focusing on vulnerabilities that carry a specific CVSS rating, KEVs target vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors. CISA recommends that these KEVs have to be remediated within a more aggressive timeline.
CISA said these are two of the reasons for a more aggressive remediation timeline for KEVs:
Western Digital (WD) Hard Drives Remotely Wiped Clean Worldwide
Users worldwide of Western Digital (WD) hard drives, specifically My Book Live and My Book Live Duo devices, found their hard drives being wiped clean remotely last June 23.
Last June 24, a WD user named “sunpeak” started a thread on WD Community forum stating that all the data on his WD My Book Live device is gone. “Previously the 2T volume was almost full but now it shows full capacity,” sunpeak said.
Hundreds of WD My Book Live and My Book Live Duo devices echoed sunpeak, stating that their devices have been wiped clean remotely as well.
“It is very scary that someone can do factory restore the drive without any permission granted from the end user,” sunpeak said. The tread started said he found this user.log in the affected device:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Another WD user added this message to the thread: “All my data is gone too. Message in GUI says it was ‘Factory reset’ today! 06/23. I am totally screwed without that data … years of it.”
Western Digital Statement
Last June 25, US-based company Western Digital recommended to users to disconnect their My Book Live and My Book Live Duo devices from the internet to protect their data on these devices. My Book Live and My Book Live Duo devices were introduced to the market in 2010 and these devices received their final firmware update in 2015.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software,” Western Digital said. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device.”
According to Western Digital, the log files that they’ve reviewed show that the attackers directly connected to the affected My Book Live and My Book Live Duo devices from a variety of IP addresses in different countries. The company said this shows that the affected devices were directly accessible from the internet, via direct connection or port forwarding that was enabled either manually or automatically via UPnP.
“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” Western Digital said.
The specific remote command execution vulnerability referred to by Western Digital is CVE-2018-18472 – in which all versions of Western Digital (WD) My Book Live has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. This security vulnerability can be triggered by anyone who knows the IP address of the affected device. A proof-of-concept on how to exploit CVE-2018-18472 is publicly available.
As the last firmware update of WD My Book Live and My Book Live Duo devices was in 2015, CVE-2018-18472 vulnerability, therefore, wasn’t answered by WD developers in 2015.
Other Cyberattacks Affecting Hard Drives/Backups
WD My Book Live and My Book Live Duo devices can be attached to the network, as such, they’re known as network-attached storage (NAS) devices. Other examples of NAS devices are those made by Taiwanese corporation QNAP Systems, Inc.
In the past few years, QNAP NAS devices have been the target of malicious actors. In 2019, researchers at Intezer detected the malicious software known as QNAPCrypt.
"QNAP is a well-known vendor for selling NAS servers, which the malware was intended to infect and encrypt the containing files for ransom,” researchers at Intezer said. “NAS servers normally store large amounts of important data and files, which make them a valuable target for attackers and especially a viable target for ransomware campaigns.”
In 2014, researchers at FireEye observed cyberattackers attempting to exploit the BASH remote code injection vulnerability against QNAP NAS devices.
"These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS,” FireEye researchers said. “NAS systems are used by enterprises to store large volumes of files and house databases, as well as by consumers for personal storage. This makes NAS an attractive target for attackers given the broad types of data they handle. In this case, the attackers can gain full access the NAS contents as well as execute other commands.”
Cybersecurity Best Practices
The deletion of enormous data in WD My Book Live and My Book Live Duo devices is a lesson learned for many users.
Network-attached storage (NAS) devices, including WD My Book Live and My Book Live Duo devices and QNAP devices are becoming the target of cyberattackers due to the wealth of data that these devices hold.
It is important to practice the time-honored 3-2-1 backup rule. This rule states that your organization needs to have 3 copies of critical data (one production data and 2 backup copies), with two copies in different media, and one copy kept offsite for disaster recovery.
Living off the land has become the standard in today’s cyberattacks intent on evading security solutions.
Living off the land attack takes its name from the “living off the land” way of life, that is, living by eating only the food that one produces from the land.
In the cybersecurity context, living off the land cyberattack refers to turning legitimate programs and processes to perform nefarious activities. Living off the land enables cyberattackers to blend into victims’ networks and hide among the legitimate programs and processes to carry out a stealth attack. Traditional security solutions often ignore living off the land attacks as these activities are considered legitimate activities coming from legitimate programs and processes.
Astaroth: Example of a Malware that Lives Off the Land
Astaroth is an example of a malicious software (malware) that completely lived off the land to avoid detection. Astaroth is an info-stealing malware that abuses various legitimate Windows processes in an attempt to run undetected on computers using Windows operating system.
In the blog post "Latest Astaroth living-off-the-land attacks are even more invisible but not less observable," Microsoft Defender Security Research Team said they started seeing the updated attack chain of Astaroth in late 2019. In mid-2019, Microsoft Defender Security Research Team observed an unusual spike in activities related to Windows Management Instrumentation Command-line (WMIC), prompting the team to investigate it and found out that the unusual spike in activities related to WMIC was part of the Astaroth attack chain.
WMIC provides a command-line interface for Windows Management Instrumentation (WMI) – referring to the infrastructure for management data and operations on Windows operating systems.
Microsoft Defender Security Research Team said that after the WMIC abuses were exposed, Astaroth now completely avoids the use of WMIC and instead introduced new living off the land techniques that make the attack chain even stealthier such as abusing Alternate Data Streams (ADS) and abusing the legitimate process ExtExport.exe.
Alternate Data Streams (ADS) is a feature in Windows operating system that contains metadata for locating a specific file by title or author. ExtExport.exe, meanwhile, is a feature that ships with Internet Explorer to run a file. Microsoft Defender Security Research Team said that Astaroth uses ExtExport.exe to load malicious payload, while ADS is used to hide malicious payloads.
Other Examples of Living Off the Land Attacks
In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell and PsExec are among the top 3 legitimate tools used by cyberattackers in 2020 and early 2021. PowerShell and PsExec are legitimate Windows operating system tools used by system administrators.
PowerShell is an interactive command-line interface and scripting environment included in the Windows operating system, while PsExec is a Windows tool that can be used to execute a program on another computer. Microsoft said, “PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.”
According to Mitre, PowerShell commands and scripts have been known to execute malicious payloads, create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, pull Active Directory information from the target environment, issue interactive commands over a network connection, and access credential data.
Mitre reported that PsExec has been abused to download or upload a file over a network share, write programs to the ADMIN$ network share to execute commands on remote systems, and execute binaries on remote systems using a temporary Windows service.
Windows legitimate features aren’t the only programs abused by attackers in living off the land attacks. Third-party programs are also abused by living off the land attackers.
In 2017, the Petya, also known as NotPetya, malware spread worldwide via a tainted accounting software of the Ukrainian-based company MeDoc. In 2020, researchers at Sophos reported that the group behind the ransomware called "RobbinHood" used the signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte as a means so that the threat group could load a second, unsigned driver into Windows.
“This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference,” Sophos said.
Living off the land attackers recently tainted SolarWinds software affecting thousands of the customers of SolarWinds that downloaded the tainted version of SolarWinds software.
Cybersecurity Best Practices
Here are some of the cybersecurity best practices in preventing and mitigating the effects of living off the land attacks:
Switch off or remove unneeded programs
Top 3 Tools Used by Cyberattackers in 2020 and Early 2021
Three legitimate pentesting tools – PowerShell, Cobalt Strike, and PsExec – topped the list of tools used by cyberattackers in breaking into victims’ networks in 2020 and early 2021, according to Sophos’ report based from frontline threat hunters and incident responders.
In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell, followed by Cobalt Strike, and PsExec are the top 3 tools used by cyberattackers in 2020 and early 2021.
PowerShell, Cobalt Strike, and PsExec are legitimate tools used by IT administrators and security professionals for penetration testing, also known as pentesting – an authorized simulated cyberattack against an organization’s computer system to examine exploitable vulnerabilities. Threat actors, however, have been using these same pentesting tools to break into victims’ networks.
According to Sophos report, correlations emerge among the top 3 tools found in victims’ networks. The report added that when PowerShell is used in an attack, Cobalt Strike was seen in 58% of cases, and PsExec in 49% of cases; Cobalt Strike and PsExec were used together in 27% of attacks; and the combination of Cobalt Strike, PowerShell, and PsExec occurs in 12% of all attacks.
PowerShell is a task-based command-line shell and scripting language designed for system administration in the Windows operating system. Attackers use PowerShell to conduct a number of malicious activities, including executing malicious code, creating new tasks on remote machines, identifying configuration settings, pulling Active Directory information from the target environment, evading defenses, exfiltrating data, and executing other commands.
The malicious software called “Emotet” has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz – ranked fourth in the tools used by cyberattackers in 2020 and early 2021 in the Sophos report. Mimikatz is capable of obtaining plaintext Windows account logins and passwords.
PsExec is a free Microsoft tool that is used by IT administrators to execute a program on another computer. This tool has been used by attackers to download or upload a file over a network share.
Cobalt Strike is a commercially available pentesting tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors."
This commercial pentesting tool was developed by researcher Raphael Mudge in 2012. This tool was recently acquired by HelpSystems. In 2020, the source code of Cobalt Strike version 4.0 was leaked to the public. Adversaries often use the purchased and pirated/cracked versions of Cobalt Strike.
This tool is capable of executing a payload on a remote host with PowerShell and using PsExec to execute a payload on a remote host. Cobalt Strike’s Beacon is used to perform actions such as collecting information on process details, reaching out to the command-and-control server on an arbitrary and random interval, breaking large data sets into smaller chunks for exfiltration, and capturing screenshots.
The tools PowerShell and Cobalt Strike were used in the recently unraveled supply chain attack on SolarWinds.
In the SolarWinds supply chain attack, attackers compromised the code update of SolarWinds’s product Orion, which gave the attackers the opportunity to attack customers that applied the compromised SolarWinds Orion update. The SolarWinds supply chain attack victims include cybersecurity firm FireEye and Microsoft.
In the blog post "Raindrop: New Malware Discovered in SolarWinds Investigation," security researchers at Symantec reported that the malicious software (malware) called "Raindrop" enabled the delivery of Cobalt Strike into the victims’ networks. Security researchers at Symantec reported that in the victim’s computer where the Raindrop malware was found, it was observed that several days later, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop malware on additional computers in the organization.
The top 3 tools, PowerShell, Cobalt Strike, and PsExec, used by cyberattackers in 2020 and early 2021 were all used by the group behind the ransomware called “DoppelPaymer.” Similar to modern-day ransomware, DoppelPaymer encrypts victims’ files, locking these victims out from accessing their files, and demands from victims to pay ransom in exchange for the decryption tool that would unlock the encrypted files.
Similar to other modern ransomware, the group behind DoppelPaymer threatens victims with the publication of their stolen files on the data leak site as part of the ransomware’s extortion scheme. In DoppelPaymer ransomware, PowerShell, Cobalt Strike, PsExec, and Mimikatz – ranked fourth in the tools used by cyberattackers in 2020 and early 2021 in the Sophos report – were used to stealing credentials, moving laterally inside the network, and executing different commands.
In the blog post "Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk," Microsoft 365 Defender Threat Intelligence Team said that defenders should pay attention to malicious “PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities.”
“Security teams can defend their organization by monitoring and investigating suspicious activity,” Sophos in the “The Active Adversary Playbook 2021” said. “The difference between benign and malicious is not always easy to spot. Technology in any environment, whether cyber or physical, can do a great deal but it is not enough by itself. Human experience and the ability to respond are a vital part of any security solution.”
How to Catch Golden SAML-Type Attacks
The supply chain attack on SolarWinds exposes the effectiveness of a cyberattack method called “Golden SAML.”
SolarWinds Supply Chain Attack Background
In December 2020, FireEye disclosed its discovery of the supply chain attack on SolarWinds product Orion – monitoring and management platform designed to simplify IT administration.
In the supply chain attack on SolarWinds Orion, attackers gained access to the source code of Orion; maliciously changed the code; and said malicious code was made part of the official updates released to the customers of SolarWinds. The malicious updates allowed the SolarWinds attackers to gain initial access to the networks of the customers of SolarWinds Orion. The attack affected nearly 18,000 customers of SolarWinds Orion.
Among the companies that admitted that they’ve been impacted by the SolarWinds supply chain attack are FireEye and Microsoft. As a result of the SolarWinds supply chain attack, FireEye disclosed that the attackers stole its Red Team assessment tools which leverage known Common Vulnerabilities and Exposures (CVEs) to test and validate clients’ cybersecurity posture. Microsoft, meanwhile, admitted that attackers were able to view the company’s “source code in a number of source code repositories.”
What Is Golden SAML?
Golden SAML is an attack vector that was discovered back in 2017 by CyberArk Labs. One of the attack methods used by the attackers after gaining initial access to the networks of SolarWinds Orion customers is the Golden SAML. The use of Golden SAML in the SolarWinds supply chain attack is the first documented use of Golden SAML since the 2017 discovery.
Golden SAML allows attackers who gained initial access to a victim’s network such as in the case of SolarWinds supply chain attack to maintain persistence and gain access to the different services used by the victim in a convenient and stealth manner. “Golden SAML is a technique that allows attackers, once they got privileged access to the victim’s network, to impersonate almost any identity in the organization and acquire any type of privilege across almost all services of the organization (this depends on what services in the organization use SAML as their authentication protocol),” CyberArk Labs said in the latest blog post "Golden SAML Revisited: The Solorigate Connection .”
As described by CyberArk Labs, Golden SAML is basically a forged SAML. Short for Security Assertion Markup Language, SAML enables web browser Single Sign-On (SSO). SAML 2.0, first introduced in 2005, is the current standard version of the SAML protocol.
With SSO, a user only has to enter their login credentials once and the user is then given access to cloud services that support SAML authentication such as Microsoft Azure or Amazon Web Services (AWS). “In a golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any privileges they desire and be any user on the targeted application (even one that is non-existent in the application in some cases),” CyberArk Labs said.
On the part of an attacker, CyberArk Labs said, Golden SAML has the following advantages:
To perform the Golden SAML attack, CyberArk Labs said, the following requirements are needed: token-signing private key, IdP public certificate, IdP name, and Role name (role to assume). CyberArk Labs added that in order to get the private key, tools such as Mimikatz can be used.
According to FireEye, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike – a commercial penetration testing tool that’s marketed as a “software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." One of the tools included in Cobalt Strike is Mimikatz, a tool that’s capable of exploiting Windows Single Sign-On (SSO) functionality to harvest credentials.
Even though the Golden SAML has been a known attack vector since 2017, this hasn’t been addressed by the concerned vendors using the SAML 2.0 protocol as Golden SAML isn’t treated as a security vulnerability as an attacker needs to have domain admin access in order to perform it. The case in point is the SolarWinds supply chain attack in which the attackers already gained domain admin access.
According to FireEye, the SolarWinds supply chain attackers were observed targeting on-premises Active Directory Federation Services servers with the goal of obtaining the token-signing certificate to forge SAML tokens. Active Directory Federation Services is a software component developed by Microsoft that runs on Windows Server operating systems to provide users with Single Sign-On access to systems and applications.
Cybersecurity Best Practices
One of the cybersecurity measures to prevent a Golden SAML attack is by deploying a Privileged Access Management (PAM) solution – referring to a solution that helps manage, monitor, and secure privileged access to critical assets. It’s also important to monitor for suspicious SAML tokens such as those with an unusually long life.
In case there’s enough evidence that attackers have already accessed your organization’s Active Directory Federation Services servers, the following steps need to be done:
Hunt for Earliest Artifacts of Compromise
Three of Microsoft’s cyber defense teams recently published their collective findings on how threat actors got away in viewing the company’s crown jewel: Microsoft source code.
In the blog post "Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop," three of Microsoft’s cyber defense teams, Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center, and Microsoft Cyber Defense Operations Center revealed new details on how threat actors were able to view the company’s source code.
Last December 31st, Microsoft admitted that one internal account had been compromised and used to view source code in a number of source code repositories. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made," Microsoft said.
Microsoft earlier admitted that it was one of the victims of the Solarwinds supply chain attack. Microsoft is one of the thousands of Solarwinds’ clients that unwittingly downloaded the Solarwinds update that was maliciously modified with attached malicious software (malware) called "Solorigate" to further compromise the networks of those that downloaded the poisoned update.
In a report to the U.S. Securities and Exchange Commission, Solarwinds said, "SolarWinds currently believes the actual number of customers that may have had an installation of the [SolarWinds] Orion products that contained this vulnerability to be fewer than 18,000."
Microsoft provided the following timeline in which the attackers were able to compromise SolarWinds update:
Sept. 4, 2019: Attackers start assessing SolarWinds
Sept. 12, 2019: Attackers start injecting test code
Nov. 4, 2019: Attackers stop injecting test code
Feb. 20, 2020: Solorigate malware backdoor is compiled and deployed
March 2020: Estimated start of distribution of Solorigate malware backdoor
May 2020: Estimated start of actual hands-on-keyboard attacks
June 4, 2020: Attackers remove malware from SolarWinds build environment
Dec. 12, 2020: Solorigate malware supply chain attack disclosed
How the Attack Transpired
According to FireEye, one of the victims of the SolarWinds supply chain attack, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike.
Cobalt Strike is a publicly available penetration testing tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s post-exploit capabilities include tools such as Mimikatz and Metasploit.
Mimikatz is a tool that’s capable of obtaining plaintext Windows account logins and passwords. Mimikatz also comes with many other features that test the security of networks.
Metasploit, meanwhile, is another penetration testing tool popularly used by both attackers and defenders. With Metasploit, attackers just pick a target, pick an exploit, and pick a payload to drop.
"One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader," Microsoft’s cyber defense teams said.
According to Microsoft’s cyber defense teams, the following tactics allowed the attackers to hid their malware and malicious actions:
Each Cobalt Strike implant was assembled to be unique for every compromised computer and avoided any overlap and reuse of file name, folder name, export function names, HTTP requests, C2 domain/IP, file metadata, and timestamp.
Tools used by the attackers, including the legitimate tool called "ADFIND" (a search utility that can be used to query the Active Directory), were always renamed and placed in folders that imitated existing programs and files already present on the compromised computer.
Event logging captures network activities such as login sessions, account lockouts, and failed password attempts. Prior to conducting hands-on keyboard activity, the attackers disabled event logging through the use of a tool called "AUDITPOL." The attackers enabled event logging after conducting hands-on keyboard activity.
Prior to running network enumeration activities, the attackers prepared special firewall rules to lessen outgoing packets for certain protocols. After running network enumeration activities, the attackers removed the special firewall rules.
Prior to conducting lateral movement activities, the attackers first disabled certain security services. Lateral movement refers to activities that are conducted by attackers after gaining access to the victim’s network.
Attackers, in this case, gained initial access to the victims’ networks via the poisoned Solarwinds update. Post initial access activities are typically done in search of sensitive data and other high-value assets.
Microsoft’s cyber defense teams believed that the attackers used timestomping. In timestomping, attackers change the timestamps of a file – referring to the access, create, and change times of a file. The goal of timestomping is to derail forensic investigators or file analysis tools.
If All Else Fails
To date, the identities of the attackers behind the Solarwinds supply chain attack that spiraled into the compromise of other networks such as Microsoft and FireEye remain inconclusive.
One takeaway from this supply chain attack is the need for network segmentation. If all else fails, one way to protect your organization’s crown jewels is to implement network segmentation.
In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected.
Extent of the Supply Chain Attack on SolarWinds Orion Platform Software
In the past few days, details about the supply chain attack on the SolarWinds Orion Platform software have slowly unfolded, highlighting the dangers of this type of cyberattack.
What Is a Supply Chain Attack?
Supply chain attack is a type of cyberattack in which attackers maliciously change the source code of a software with the goal of compromising the end users of the said software.
In a statement, SolarWinds said it was a victim of a supply chain attack in which a still unknown attacker inserted a malicious software (malware) dubbed as “Sunburst” within SolarWinds Orion Platform software. According to SolarWinds, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 of its Orion Platform software were compromised with the Sunburst malware.
Customers of SolarWinds that downloaded and installed the company’s Orion Platform software versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are at risk. If present and activated, the Sunburst malware, according to SolarWinds, “could potentially allow an attacker to compromise the server on which the Orion products run.”
The effects of a compromised server hosting the Sunburst malware is far and wide as SolarWinds Orion Platform software is specifically meant as a centralized monitoring and management software to keep track of all IT resources, including servers, workstations, mobile devices, and IoT devices.
Cybersecurity firm FireEye first discovered the Sunburst malware. The company is also responsible for naming this malware as “Sunburst.” Microsoft, meanwhile, refers to this malware as “Solorigate.” FireEye and Microsoft both admitted that they have been part of the victims of the supply chain attack on SolarWinds Orion Platform software.
Microsoft, in a statement, said: “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
In the case of FireEye, the attacker stole the company’s “Red Team assessment tools.” According to FireEye, the stolen Red Team assessment tools are used to test its customers’ security.
“These tools [Red Team assessment tools] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” FireEye said. “None of the tools contain zero-day exploits.”
According to FireEye, the Sunburst malware campaign may have started as early as Spring 2020 and is currently ongoing. In analyzing the Sunburst malware, FireEye said that after this malware is installed on the victim’s server, it stays dormant for up to two weeks. After this dormant period, the malware retrieves and executes commands, called “Jobs,” enabling transfer files, execute files, profile the system, reboot the machine, and disable system services.
FireEye added that the Sunburst malware hides its network traffic as the Orion Improvement Program (OIP) protocol “stores reconnaissance results within legitimate plugin configuration files,” allowing this malware to blend in with legitimate SolarWinds activity.
According to FireEye, victims of Sunburst malware include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. “We anticipate there are additional victims in other countries and verticals,” FireEye said.
In analyzing the Solorigate malware, Microsoft said that the malicious code inserted into SolarWinds Orion Platform software consists of nearly 4,000 lines of code. “The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline,” said Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center in the blog post "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers."
“Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes,” Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center added. “Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions – and keep a low profile.”
Mitigating Measures Against Supply Chain Attack
In the case of the SolarWinds Orion Platform software supply chain attack, it’s important to apply the update released by SolarWinds. The company offers more details on how to apply the update here.
In case the Sunburst/Solorigate malware is suspected to be inside your organization’s network, it’s important to isolate and block internet access to IT infrastructure where SolarWinds software was installed for further review and investigation.
If isolation isn’t possible, the following mitigating measures should be taken:
Cyberattack Surface Widens As World Sees Increase in Remote Work
With much of the world now working remotely and likely to remain this way after the COVID-19 pandemic, the attack surface that could be exploited by cyberattackers has widened, a new study showed.
A new study by RiskIQ showed that with much of the global economy being run from homes, attackers now have far more access points to probe and exploit. Attack surface, as defined in the study, refers to everything that needs defending, starting from inside the corporate network and extending all the way to the internet and into the homes of workers working from home. RiskIQ identified the following attack areas:
Web-Based Attack Surface
Across the internet in just over two weeks, RiskIQ observed 2,959,498 new domains (equivalent to 211,392 per day) and 772,786,941 new unique hosts to the web (equivalent to 55,199,067 per day). New domains, also known as new websites, and new unique hosts to the web, according to RiskIQ, represent as possible targets for threat actors.
RiskIQ found that 2,480 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component, and 8,121 potentially vulnerable web components in total were found in the Alexa top 10,000.
To highlight the attack surface faced by organizations, RiskIQ conducted a study on the companies that comprise the FTSE-30 – a group of 30 large-cap organizations in the UK. RiskIQ found that on average, each FTSE-30 organization has 324 expired certs, 25 SHA-1 certs, 743, potential test sites, 28 insecure login forms, 385 total insecure forms, 46 web frameworks with known vulnerabilities, 80 PHP 5.x instances with end of life (EOL) end of the year, and 664 web servers at release levels with known vulnerabilities.
In addition, last March, with the spike of online shopping due to COVID-1, RiskIQ reported that it detected a 30% increase in Magecart skimmers – a type of cyberattack that involves digital credit card theft by skimming online payment forms.
Modern websites are made up of common features such as underlying operating systems, frameworks, third-party applications, plugins, and trackers. "This commonality of approach is attractive to malicious actors, as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites," RiskIQ said.
A recent report from Verizon Data Breach Report, showed that external-facing web applications, in which network security tools have no visibility, were exploited the most by cyberattackers.
Remote Access Attack Surface
According to RiskIQ, the rush to stand up new systems outside the firewall to enable a remote workforce has expanded attack surfaces quicker, with virtual private network (VPN) usage surged 112% over just six weeks, and a 26.11% increase in Microsoft Remote Access Gateway instances, peaking around March 20 when stay-at-home orders took full effect.
RiskIQ found that on average, each FTSE-30 organization has 45 mail servers, 7,790 cloud-hosted apps (Amazon and Azure), 26 potentially vulnerable Citrix Netscaler instances, 8 potentially vulnerable Palo Alto GlobalProtect instances, 9 potentially vulnerable Pulse Connect instances, 25 potentially vulnerable Fortinet instances, and 1,464 remote access service instances.
Mobile Attack Surface
There's more to mobile apps than Apple and Google Play Mobile App Stores as there are hundreds of online stores in which threat actors sell their mobile apps. RiskIQ said malicious actors compromise legitimate apps and launch fake apps in other app store ecosystem and the open internet.
In 2019, RiskIQ found 170,796 blacklisted mobile apps across 120 mobile app stores and the open internet. Eighty-six percent of the blacklisted apps, RiskIQ said, claimed the READ_SMS permission, which allows the app to read messages and can be used for nefarious activities such as circumventing two-factor authentication.
Social Engineering Attack Surface
Social engineering refers to the impersonation of domains, subdomains, landing pages, websites, mobile apps, and social media profiles to trick employees and consumers in installing malicious software (malware) or into giving up login credentials and other personal information.
In the first quarter of 2020, RiskIQ identified 21,496 phishing domains impersonating 478 unique brands. For the same period, it also identified 720,188 instances of domain infringement across 170 unique brands. RiskIQ noted that 317,000 new websites related to “COVID-19” or “coronavirus” in the two weeks between March 9 and 23.
Cybersecurity Best Practices in Securing Your Organization's Attack Surface
Traditional cybersecurity measure uses a firewall that acts as a barrier between a trusted internal network and untrusted external network such as the internet. The COVID-19 pandemic and the resulting government-mandated stay-at-home measure leaving organizations no option but to allow workers to work from home, has widened the attack surface as the boundaries of what are inside the firewall and what are outside the firewall are no longer clear.
Here are some cybersecurity best practices in securing your organization's attack surface:
Whether it's for the web, mobile or operating systems, all software used for these platforms should be kept up to date. Failure to apply the latest software update leaves this attack surface vulnerable for attack.
Malicious actors can simply probe into your organization's vulnerable internet-connected assets by conducting a simple internet scan. It's important to conduct a regular full inventory of these internet-connected assets, determining, for instance, what assets need software update.
Early detection of social engineering attempts that impersonate your organization's domains, subdomains, landing pages, websites, mobile apps, and social media profiles that target your employees and customers and letting them know about these social engineering attempts is one of the effective measures in disrupting
Steve E. Driz, I.S.P., ITCP