Offensive Cybersecurity – Doing the Basics Right

Hanna Mathai

By Mukhammad Khalilov, Head of Offensive Cybersecurity


Let me start with a fact: cybersecurity weaknesses and attacks are still increasing across the world, and they especially target infrastructure that runs weak or misconfigured security solutions.

The success rate of these attacks is high, which is attributable to common lapses in cybersecurity hygiene. It is also important to highlight that successful breaches do not only come from exploiting the latest zero days; many of them leverage well-known weaknesses on common attack surfaces.

In this article, I will shed light on the most used “N-days”: vulnerabilities that are already publicly known and, in most cases, already have a vendor patch, but remain exploitable because the patch or workaround has not been applied. As an example, Help AG’s Offensive Cybersecurity team has been conducting red teaming activities on high-profile organizations that rely on cybersecurity controls but still end up victims of ransomware and fraudulent transaction requests, costing them millions in addition to reputational damage.

When we simulate real attacks (breach simulation), the game plan is usually to compromise non-privileged users first and then escalate to higher privileges using exploits against technologies or services. Most often these are not zero days: the culprit that lets the escalation succeed is a misconfiguration, a missing patch, or the users themselves.

The same goes for initial access over the network: malware embedded in an HTA (Microsoft HTML Application) file or a macro-enabled Microsoft Office document, often combined with obfuscation techniques, is delivered by email.

With an initial foothold, attackers pivot to critical systems, and very often to Active Directory, because it is used everywhere, is critical to the operation of IT systems, and can be leveraged to escalate into further, more damaging attacks.

Common weaknesses our team observes include implementing default configurations without hardening, lack of user awareness of phishing attacks, weak passwords, and critical listening ports exposed to the public network, which lets attackers identify the soft targets.

One of the latest examples is an Atlassian Confluence app that shipped with hard-coded credentials, allowing attackers to gain access to the client and customer information held by the organization.

It is important to understand the digital assets you have, how they are exposed, what is protecting them, and whether the defense mechanisms and their configurations are correct. For example, when it comes to Active Directory, whether hosted in the cloud or inside the network, make sure it is well protected and monitored, and that you have the ability to revert changes, in order to limit the impact of attacks or prevent them altogether.

Each organization has a different set of services, solutions, controls, and technologies; maintaining vulnerability management and continuous checks against attacks is essential to identify the top vulnerabilities that need to be fixed and patched.

There is no such thing as 100% security. What we should aim for is to be well prepared for the various attacks and threats, so that we are ready to respond and recover if and when security is breached.

On a closing note, it is no news that every organization is susceptible to attacks, whether as part of a targeted campaign or of a large-scale campaign, but to defend against ever-evolving threats it is highly recommended to follow these best practices:

  • Protect Active Directory services on cloud and on premises
  • Perform regular patch management and updates
  • Keep track of all IT assets
  • Perform regular cyber hygiene training against phishing attacks
  • Conduct quarterly penetration testing on both internal and external networks
  • Financial sectors should prioritize red teaming in addition to infrastructure penetration testing
  • Change default passwords to complex, unique passwords
  • Enable multi-factor authentication for your organization’s users, even for personal login pages
  • Don’t use a company laptop for personal work
CVE-2021-34527 – PrintNightmare

During our penetration testing exercises, we continue to observe that some of the most used exploits in the wild are still older ones, heavily used to infiltrate organizations through exposed print services on both local and remote targets.

PrintNightmare was used massively to implant backdoors and deploy ransomware in the UAE and worldwide. It is still heavily leveraged by attackers in organizations where the patch or workaround to fix the risk has not been

  • Disable the Print Spooler service on hosts that do not need to print (especially domain controllers), or block inbound remote printing with the “Allow Print Spooler to accept client connections” policy.
  • Apply the patches and the Point and Print hardening as per Microsoft’s guidelines.
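The following script is an added example and is not part of the original article or Help AG’s tooling. It audits a single Windows host for the PrintNightmare hardening state described above: whether the Print Spooler is running, whether the Point and Print policy values that Microsoft’s KB5005010 guidance expects are set, and whether inbound remote printing is blocked. It only reads state unless the optional `-DisableSpooler` switch (an assumption of this example) is given. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit PrintNightmare
# (CVE-2021-34527) hardening on the local host. Read-only by default;
# -DisableSpooler is an opt-in remediation for hosts that never print.
param([switch]$DisableSpooler)

$findings = @()

# 1. Is the Print Spooler service running or set to start automatically?
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
    if ($spooler.Status -eq 'Running' -or $startMode -ne 'Disabled') {
        $findings += "Print Spooler is $($spooler.Status) (start mode: $startMode). Disable it on hosts that do not print, especially domain controllers."
    }
}

# 2. Point and Print policy values expected by Microsoft's guidance (KB5005010).
#    Missing values are reported too: before the August 2021 update the default
#    behaviour allowed non-administrators to install printer drivers.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$expected = @{
    RestrictDriverInstallationToAdministrators = 1   # only admins may install drivers
    NoWarningNoElevationOnInstall              = 0   # 1 would suppress the elevation prompt
    UpdatePromptSettings                       = 0   # 0 = prompt on driver updates
}
$pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = if ($pp) { $pp.$name } else { $null }
    if ($null -eq $actual) {
        $findings += "$name is not set under $ppKey (expected $($expected[$name]))."
    } elseif ($actual -ne $expected[$name]) {
        $findings += "$name = $actual (expected $($expected[$name]))."
    }
}

# 3. Inbound remote printing. The GPO 'Allow Print Spooler to accept client
#    connections' writes RegisterSpoolerRemoteRpcEndPoint (1 = allow, 2 = deny).
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = (Get-ItemProperty -Path $printersKey -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($rpc -ne 2) {
    $findings += "Remote RPC print connections are not blocked (RegisterSpoolerRemoteRpcEndPoint = $rpc). Block them unless this host is a print server."
}

# 4. Optional remediation for hosts that never print.
if ($DisableSpooler -and $spooler) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    $findings += "Print Spooler stopped and disabled."
}

if ($findings.Count -eq 0) { "No PrintNightmare hardening gaps found." }
else { $findings | ForEach-Object { "[!] $_" } }
```

The registry checks only confirm that the policy values are present; they do not replace the cumulative update itself, which is what actually fixes the vulnerable code path. Run the audit across the fleet (for example through a remoting session) and treat any domain controller with a running spooler as a priority finding.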
CVE-2022-41040 – ProxyNotShell Exchange Vulnerability

ProxyNotShell was another vulnerability exploited widely in the wild to implant ransomware or gain access to systems. We have been engaged by several organizations to investigate compromises in which attackers breached security and damaged core infrastructure. One key detail is that exploiting this N-day requires only a low-privileged user account, something that is easy to obtain through social engineering attacks.

  • Apply the Exchange security update from Microsoft. The URL Rewrite rule published as an interim mitigation was bypassed and revised several times, so it should not be relied on by itself.
CVE-2021-42278 – sAMAccountName Spoofing (Pachine Exploit)

This vulnerability was mainly used for further infiltration and privilege escalation from compromised machines, in an attempt to reach domain controllers and execute higher-privileged actions. Once attackers have a foothold on the network, one of their key goals is to establish persistence and modify key settings on the server or compromised machine.

Using the “Pachine” exploit (a tool implementing the sAMAccountName spoofing chain of CVE-2021-42278 and CVE-2021-42287), they can escalate from a low-privileged domain account to domain administrator, ensuring a return to the target machine or the compromise of further targets within the network.

  • Apply the Microsoft November 2021 security updates to all domain controllers, and set ms-DS-MachineAccountQuota to 0 so that ordinary users cannot create computer accounts.
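The following script is an added example and is not part of the original article or Help AG’s tooling. It audits the Active Directory conditions that make the sAMAccountName spoofing chain practical and looks for the traces the attack leaves behind: a non-zero machine account quota, computer objects whose sAMAccountName lacks the trailing `$` (the renamed account the exploit creates), and computer accounts created by non-administrators through the quota. It assumes the RSAT ActiveDirectory module is installed and that the session runs as a domain user with read access.

```powershell
# Added example (not from the original article): audit the Active Directory
# conditions behind the CVE-2021-42278 / CVE-2021-42287 chain (sAMAccountName
# spoofing, implemented by tools such as Pachine and noPac) and look for its
# traces. Needs the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = @()

# 1. ms-DS-MachineAccountQuota: the default of 10 lets any authenticated user
#    create computer accounts, which is step one of the chain when the attacker
#    does not already control a machine account. 0 is the recommended value.
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -gt 0) {
    $findings += "ms-DS-MachineAccountQuota is $maq; set it to 0 and delegate computer creation explicitly."
}

$computers = Get-ADComputer -Filter * -Properties sAMAccountName, whenCreated, 'mS-DS-CreatorSID'

# 2. Computer objects whose sAMAccountName lacks the trailing '$'. Legitimate
#    machine accounts always carry it; the attack renames a computer account to
#    a domain controller's name without the '$', so a leftover from a failed or
#    lazy clean-up shows up here.
foreach ($c in ($computers | Where-Object { -not $_.sAMAccountName.EndsWith('$') })) {
    $findings += "Computer object '$($c.DistinguishedName)' has sAMAccountName '$($c.sAMAccountName)' without a trailing '`$'."
}

# 3. Computer accounts created by a non-administrator through the quota. AD
#    stamps mS-DS-CreatorSID on such objects (it is absent when an administrator
#    created them), so a populated value marks a join that bypassed delegated
#    provisioning and deserves a look.
foreach ($c in ($computers | Where-Object { $null -ne $_.'mS-DS-CreatorSID' })) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($c.'mS-DS-CreatorSID', 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }
    $findings += "Computer '$($c.sAMAccountName)' was created on $($c.whenCreated) by non-admin '$creator' via the machine account quota."
}

if ($findings.Count -eq 0) { "No sAMAccountName spoofing related findings." }
else { $findings | ForEach-Object { "[!] $_" } }
```

For ongoing detection rather than a one-off audit, alert on domain controller security events 4741 (computer account created) and 4742 (computer account changed) where the new sAMAccountName has no trailing `$`, and correlate them with a Kerberos TGT request for the same name shortly afterwards.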
CVE-2022-21371 – Oracle WebLogic Servers

This is yet another widely used exploit against publicly exposed Oracle WebLogic servers. It lets an unauthenticated attacker perform an OWASP Top 10 class attack, directory traversal, and read the web application’s deployment descriptors, which contain critical information such as configuration details and credentials that can then be used against the server. Oracle solutions, especially web-based ones, are often left without a proper intermediary WAF or other protection, and exploitation of these servers is widely leveraged by attackers. Customers often make the mistake of assuming that applications developed by big vendors are secure by design, leaving them without proper monitoring and relying on the products’ built-in security mechanisms alone.

  • Apply the Oracle Critical Patch Update that addresses it, put a WAF in front of exposed WebLogic instances, and keep administrative interfaces off the public network.
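Both the ProxyNotShell and the WebLogic sections above describe attacks that leave a recognizable shape in web server request logs. The script below is an added example, not part of the original article or Help AG’s tooling, that scans request log lines for the two patterns: the Autodiscover-to-PowerShell path of ProxyNotShell (using the same `(?=.*autodiscover)(?=.*powershell)` pattern Microsoft settled on for its URL Rewrite mitigation) and directory traversal towards deployment descriptors. The point it makes is that the URI must be URL-decoded repeatedly before matching; the first published Exchange rewrite rules were bypassed with encoding variations. The log lines are constructed for this example in IIS W3C layout; adapt the field split for other servers.

```powershell
# Added example (not from the original article): flag ProxyNotShell-style
# Autodiscover/PowerShell requests and path traversal attempts in web logs.
# The sample lines are constructed; fields follow the IIS W3C layout
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
$sampleLines = @(
    '2022-10-03 08:12:41 203.0.113.7 POST /autodiscover/autodiscover.json @contoso.com/owa/&Email=autodiscover/autodiscover.json%3F@contoso.com 401',
    '2022-10-03 08:12:42 203.0.113.7 POST /autodiscover/autodiscover.json @contoso.com/PowerShell/&Email=autodiscover/autodiscover.json%3F@contoso.com 200',
    '2022-10-03 08:13:05 203.0.113.7 GET /autodiscover/autodiscover.json @contoso.com/%2550%256f%2577%2565%2572%2573%2568%2565%256c%256c/ 200',
    '2022-10-03 08:20:11 198.51.100.9 GET /console/css/..%252f..%252fWEB-INF/web.xml - 200',
    '2022-10-03 08:21:00 192.0.2.55 GET /owa/ - 200'
)

function Get-DecodedUri {
    param([string]$Uri)
    # Decode until the string stops changing (bounded), so a double-encoded
    # %2550 -> %50 -> P is matched just like a plain 'P'.
    $decoded = $Uri
    for ($i = 0; $i -lt 3; $i++) {
        $next = [System.Uri]::UnescapeDataString($decoded)
        if ($next -eq $decoded) { break }
        $decoded = $next
    }
    return $decoded
}

# Rule name -> .NET regex applied to the fully decoded stem+query.
$rules = @{
    'ProxyNotShell-style Autodiscover SSRF (CVE-2022-41040)'        = '(?i)(?=.*autodiscover)(?=.*powershell)'
    'Path traversal / deployment descriptor read (CVE-2022-21371 class)' = '(?i)(\.\./|\.\.\\|/WEB-INF/)'
}

$hits = foreach ($line in $sampleLines) {
    $f = $line -split ' '
    if ($f.Count -lt 7) { continue }          # skip malformed or comment lines
    $uri     = if ($f[5] -eq '-') { $f[4] } else { "$($f[4])?$($f[5])" }
    $decoded = Get-DecodedUri $uri
    foreach ($name in $rules.Keys) {
        if ($decoded -match $rules[$name]) {
            [pscustomobject]@{
                Time       = "$($f[0]) $($f[1])"
                Client     = $f[2]
                Status     = $f[6]
                Rule       = $name
                DecodedUri = $decoded
            }
        }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

With the constructed input, the first line (Autodiscover without a PowerShell target) is not flagged, while the second, the double-encoded third and the traversal on the fourth are. A 200 status on the PowerShell line is the detail worth escalating: on a patched server the request should not succeed, and on an unpatched one it is the sign that the attacker already holds valid credentials, as described above.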
