Prepare. Patch. Protect.
As I look back on 2021, it was another year that was witness to a lot of vulnerabilities – especially in the applications that are core to many organizations. While some vulnerabilities may seem minor at first sight, when applied with the mindset and attack framework of an adversary, they can potentially have a detrimental impact on organizations.
We always have a lot of focus on understanding vulnerabilities, as the insights derived from that are influential in determining the tactics we devise when customers ask us to test their defenses and capabilities through our Red Teaming exercises.
Having worked in the technical domain of the cybersecurity industry for over 10 years, dealing with active attacks, exploits of zero days, vulnerability research and our typical Vulnerability Assessment and Penetration Testing (VAPT) engagements, it is always the core security controls that we see missing in organizations. This includes the ability to quickly update, patch and secure vulnerable systems. When the security controls are ignored in both the technical and non-technical aspects, anything stacked on top as an additional layer of security without proper planning only creates more complexity in the infrastructure without adding security. This is like building a house without properly aligned pillars – it might collapse with small quakes.
I believe it is always important to understand the digital assets you have, how they are exposed, what is protecting them, and whether they are well secured with correct defense mechanisms and correct configurations. As an example, during typical penetration testing or red teaming, we find ways to gain access to internal systems, but organizations seem to be unaware of those endpoints or consider them to be low priority assets.
Having access to experienced specialists, proper security hygiene and continuously challenging your security controls with the latest attack vectors are great ways to stay sharp and alert against emerging threats.
100% security cannot be achieved, but being more resilient and ready for attacks and threats will prepare organizations to respond and recover if security is compromised.
As we are cruising through 2022, I would like to shed some light on the 2021 cybersecurity attack vectors which proved to be the ultimate disasters for many organizations worldwide, as well as on a personal level for some. The majority of the attacks were not very different from the ones that took place in 2020, which took advantage of the COVID-19 situation to perform phishing and ransomware attacks, and exploited breached credentials to gain access to users' systems and profiles.
2021 had similar challenges, but this time, the attackers took advantage of zero days and chains of multiple exploits to breach the security of organizations. Microsoft and remote management / desktop environments in particular have seen increased attacks on their products, the ones that organizations relied on to provide access to internal networks.
One of the most common weaknesses that we observed in organizations was the implementation of default configurations without hardening security, setting up weak passwords and exposing critical listening ports to public networks which would allow the attacker to identify soft targets.
We, in the Help AG Cybersecurity Analysis department, managed to simulate attacks utilizing the latest zero days and configuration weaknesses to breach and penetrate networks. From our experience in hunting zero days and researching vulnerabilities, we can confidently say that we tend to find critical vulnerabilities even in mature products which have been in use for many years.
For example, the Microsoft Exchange and Print Spooler zero days exposed a lot of organizations to direct attacks, allowing adversaries to gain access to systems or escalate their privileges. These vulnerabilities have been there for years and were unknown to vendors, but attackers have taken advantage of them for their own gain, whether financial or otherwise.
One thing that is certain is that finding zero days and critical vulnerabilities needs significant time and research which hackers are good at monetizing. Attackers are becoming more motivated and well-funded, having the resources to automate their game. Organizations are often impacted by cybersecurity incidents because they have been crawled by robots with targets identified, and these attacks honed and automated.
The other major weakness we see in organizations is the human factor. It is challenging to have technology protect against untrained, insecure behavior that gives attackers elevated access to the organization. Simple mistakes and overconfidence in technical security controls have led many organizations to incur huge losses in financial asset value, reputation, and integrity, whether it is due to a ransomware demand, unavailability of services or leakage of private data.
The combination of ransomware and availability issues in cyber incident scenarios combined with the fact that apps, users, and businesses are becoming more and more interconnected, means that failing to handle these basic elements of cyber hygiene can have severe impacts. While I have been giving the same advice for years, I still recommend the following:
- Perform regular patch management and updates.
- Keep track of IT assets.
- Perform regular cyber hygiene trainings against phishing attacks.
- Conduct quarterly penetration testing on both internal and external networks.
- Participate in Red Teaming exercises on top of the infrastructure penetration testing.
- Ensure proper password policies.
- Enable Multi-factor Authentication for your organization’s users, even for personal login pages.
- Don’t use a company laptop for personal work.
Our final thought is to never underestimate any attack, vulnerability or exposure of information, as anything can be used to attack the organization.
Top Five Vulnerabilities in 2021
I have compiled below a list of the top five vulnerabilities that were detected in 2021, and which we were most successful in exploiting through our Red Teaming exercises. In these exercises, we act and think like any cyber perpetrator but instead of asking for ransom, we give you a report of your weaknesses so that you can fix your vulnerabilities. Often, we are successful because systems were left unpatched, and we were able to exploit something that could have been easily prevented.
Please make it a bit harder for us when we do our Red Teaming exercises – and if you have not done a Red Teaming exercise yet, why not talk to us and tell us how we can assist you in testing and documenting your vulnerabilities?
PrintNightmare – CVE-2021-1675/CVE-2021-34527
In Q1 2021, a vulnerability was discovered in the Print Spooler service which allowed an attacker to compromise the server, damage the integrity of endpoint devices and perform escalated command execution on the server. Once the actual exploit was made public around the end of Q2 2021, attacks started to pick up against servers globally, affecting the operations of several networks. The impact of the zero day at that time was critical, allowing the attacker to gain access to the systems.
The vulnerability allowed an attacker with a regular, unprivileged user account to remotely take control of a server running the Windows Print Spooler service. Successful exploitation empowers authenticated adversaries to perform privileged file operation abuse. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights.
Unfortunately, the vulnerability was also lurking in critical servers like domain controllers, databases and other parts of the network which had to be well protected. We believe that the Print Spooler service on critical servers can be disabled to prevent the attack, and that the recommendations below should be applied to maintain security.
Follow the guidelines set by Microsoft: CVE-2021-34527 – Security Update Guide – Microsoft – Windows Print Spooler Remote Code Execution Vulnerability
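One way to carry out the Print Spooler recommendation above across critical servers, as an added example (not Microsoft's or Help AG's script): it reports the Spooler service state per server and only changes anything when `-Disable` is passed. The function name and the server names are hypothetical placeholders.

```powershell
# Added example: audit (and optionally disable) Print Spooler on critical servers.
# Get-SpoolerExposure and the *.example.test hosts are placeholders for illustration.
function Get-SpoolerExposure {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Disable   # without this switch the function only reports
    )
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                                   -Filter "Name='Spooler'" -ErrorAction Stop
            if (-not $svc) {
                [pscustomobject]@{ Computer = $computer; State = 'NotInstalled'
                                   StartMode = $null; Changed = $false }
                continue
            }
            $changed = $false
            if ($Disable -and ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
                # Stop the running service, then keep it from starting at boot.
                Invoke-CimMethod -InputObject $svc -CimSession $session `
                                 -MethodName StopService | Out-Null
                Invoke-CimMethod -InputObject $svc -CimSession $session `
                                 -MethodName ChangeStartMode `
                                 -Arguments @{ StartMode = 'Disabled' } | Out-Null
                # Re-read so the report shows the state after the change.
                $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                                       -Filter "Name='Spooler'"
                $changed = $true
            }
            [pscustomobject]@{ Computer = $computer; State = $svc.State
                               StartMode = $svc.StartMode; Changed = $changed }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not silently skipped.
            [pscustomobject]@{ Computer = $computer; State = "Error: $($_.Exception.Message)"
                               StartMode = $null; Changed = $false }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Report only; add -Disable once the list contains no server that must print.
Get-SpoolerExposure -ComputerName 'dc01.example.test', 'sql01.example.test'
```

Servers that genuinely need to print cannot take this route and depend on the Microsoft update referenced above.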
vSphere Client Remote Code Execution – CVE-2021-21985
In May 2021, VMware had to grapple with a vulnerability in its product which could be used to perform remote code execution on the server. The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the ‘critical severity’ range with a maximum CVSSv3 base score of 9.8. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. We believe that this score is one of the highest on the risk rating scale because it doesn’t require authentication prior to exploiting the vulnerability.
We believe these recommendations from VMware should be applied to prevent the attack: VMSA-2021-0010 (vmware.com)
Pulse Secure Connect Buffer Overflow – CVE-2021-22894
Another critical vulnerability we saw was in Pulse Connect Secure (PCS), which allowed authentication bypass, enabling an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Exposed gateways were also easy to find on the internet due to the unique URL endings of Pulse Secure and Google dorking, which finds targets via search engines, allowing the attacker to target instances en masse.
A buffer overflow vulnerability that exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via a maliciously crafted meeting room.
The recommended solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software to version 9.1R11.4.
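A check of gateway inventory against the fixed release named above, as an added example that is not vendor tooling. The function name, gateway names and their releases are constructed sample data; the release format `<major>.<minor>R<release>[.<patch>]` is taken from the version string on this page.

```powershell
# Added example: flag Pulse Connect Secure gateways older than the fixed release.
# ConvertTo-PcsVersion and the inventory below are constructed for illustration.
$FixedRelease = '9.1R11.4'   # fixed release named on this page

function ConvertTo-PcsVersion {
    param([string]$Release)
    # Parse <major>.<minor>R<release>[.<patch>] into a comparable [version].
    if ($Release -match '^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?') {
        $patch = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
        return [version]::new([int]$Matches[1], [int]$Matches[2],
                              [int]$Matches[3], $patch)
    }
    return $null   # caller treats unparseable strings as needing review
}

# Constructed sample inventory.
$inventory = @(
    [pscustomobject]@{ Gateway = 'vpn-a.example.test'; Release = '9.1R11.4' }
    [pscustomobject]@{ Gateway = 'vpn-b.example.test'; Release = '9.1R9' }
    [pscustomobject]@{ Gateway = 'vpn-c.example.test'; Release = '9.1R11.3' }
    [pscustomobject]@{ Gateway = 'vpn-d.example.test'; Release = 'unknown' }
)

$fixed = ConvertTo-PcsVersion $FixedRelease
$report = foreach ($gw in $inventory) {
    $v = ConvertTo-PcsVersion $gw.Release
    $status = if (-not $v)         { 'REVIEW (unparsed release)' }
              elseif ($v -lt $fixed) { 'UPGRADE' }
              else                   { 'OK' }
    [pscustomobject]@{ Gateway = $gw.Gateway; Release = $gw.Release; Status = $status }
}
$report | Format-Table -AutoSize
```

Comparing the release fields numerically matters here: as plain strings, `9.1R9` sorts after `9.1R11.4` even though it is the older release.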
Microsoft Exchange Server Remote Code Execution – CVE-2021-26855
This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.
A successful attack using the chain of vulnerabilities along with CVE-2021-26855 can lead to remote code execution on the Exchange server, allowing the attacker to gain access to the server and pivot the attack to different segments of the network.
It is recommended to apply the security patches on the Exchange server, which can be further referenced here: CVE-2021-26855 – Security Update Guide – Microsoft – Microsoft Exchange Server Remote Code Execution Vulnerability
FortiOS Path Traversal / Arbitrary File Read – CVE-2018-13379 / CVE-2020-12812
CVE-2018-13379 is a path traversal vulnerability in Fortinet’s FortiGate SSL VPN. An unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted request containing a path traversal sequence to a vulnerable FortiGate SSL VPN endpoint in order to read arbitrary files from the device.
Combined with other vulnerabilities in FortiOS, such as the default configuration security flaw CVE-2019-5591 and CVE-2020-12812, this could lead to access to critical infrastructure. To exploit the vulnerability, an attacker could connect to a vulnerable FortiGate device by impersonating an LDAP server. Successful exploitation would allow the attacker to harvest sensitive information intended for a legitimate LDAP server.
Follow the guides here: PSIRT Advisories | FortiGuard