Examining the Treat Landscape
Are you leaving treats on the table for attackers? Understand the current treat landscape and how to reduce your exposure.
The threat landscape is like a bowl of candy, full of options for ghouls and goblins to pick. Attackers have many treats from which to choose when targeting organizations. In observation of the Halloween season, let us explore attackers’ tricks and treats and what organizations can do to defend targets.
This blog post will explore tactics and vulnerabilities leveraged by attackers and how they compare to the treats of the season. I’ll avoid the topic of candy corn because it’s not a debate into which I wish to wade, but it’s worth noting that the maker of Brach’s Candy Corn was recently the victim of a ransomware attack that halted manufacturing of the contested candy. We’ll explore how attackers achieve initial access, elevate privileges, compromise Active Directory and perform remote code execution.
Assorted bag: Initial access
In the bargain bag of assorted sweets, Pick N Mix, Penny Candy, whatever you call it, you never know what you’re going to get. It’s similar with initial access. Attackers have a cornucopia of options from which to choose to gain that first step into target networks.
At the 2021 Aspen Cyber Summit, Mandiant chief operating officer Kevin Mandia said it well: “Somewhere around 2016 or 2017[…] I noticed that whoever’s breaking in and whoever is doing the crime aren’t even the same people anymore [...] the criminal element is buying access from folks that we were having a harder time putting in a bucket as to who they are.” Now, those folks are a well-defined character in the threat landscape: initial access brokers (IAB).
IABs are a key component of the ransomware marketplace, but they also offer services to other threat actors. These IABs perform the initial breach of diverse targets and sell that access for a fee. They can be contracted to target specific organizations, but more often, threat actors shop from an inventory categorized by target size, industry and the level of privileges granted. These marketplaces can drastically shorten the amount of time and investment an attacker must make before launching an attack against a target.
IABs use the same variety of tactics as individual attackers: stolen credentials, brute-force attacks, misconfigurations and vulnerabilities. Remote Desktop Protocol (RDP) and virtual private network (VPN) solutions are consistently two of the top targets. According to separate research from Digital Shadows and KELA, RDP and VPN access are the top sellers on IAB marketplaces. According to a joint alert from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA) and the National Security Agency (NSA), threat actors have been exploiting RDP to breach water and wastewater systems in the United States. Another FBI alert warns that the Ranzy Locker ransomware attempts brute-force attacks against RDP for initial access.
To defend RDP, ensure you’re staying up-to-date and patching or mitigating vulnerabilities like BlueKeep (CVE-2019-0708), which is still a favorite among attackers. Also ensure you’re following best practices when configuring RDP; the Center for Internet Security has released a guide for securing RDP. The guidance is similar for VPNs. Vulnerabilities in VPN products have been the focus of many attacks from diverse threat actors. CISA and the NSA have released a guide for hardening VPNs. Across the board, password practices are critical.
Initial access is often accomplished with compromised credentials, whether obtained through phishing or large-scale password dumps. CISA has also specifically warned about password exposure for Fortinet FortiOS VPNs. Brute-force attacks like password spraying are also common. In addition to credential theft, phishing is also used to serve up a whole host of vulnerabilities. Two recent vulnerabilities, one in Apple macOS Finder (which remains unpatched) and one in Microsoft MSHTML (CVE-2021-40444), will be useful to attackers in phishing attacks. There’s a joke somewhere in here about phishing emails being like the homemade candy you’re told not to trust.
A recent government alert warns that the BlackMatter ransomware group typically targets remote desktop software and leverages previously compromised credentials.
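The RDP brute-force and password-spraying activity described above leaves a trail in Windows Security failed-logon events (ID 4625, logon type 10 for RDP). The following detection logic is an added example, not code from the original post or from Tenable; it assumes the events have already been exported as dicts with source IP, target account, logon type and ISO timestamp, and runs over a constructed sample.

```python
# Added example, not from the original post: flag RDP password spraying and
# brute force in Windows Security 4625 (failed logon) records, modelled here as
# dicts with source IP, target account, logon type (10 = RDP) and timestamp.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back per source address
SPRAY_MIN_ACCOUNTS = 5           # many accounts, few tries each = spraying
BRUTE_MIN_ATTEMPTS = 8           # many tries on one account = brute force

def _ev(ts, ip, user, logon_type=10):
    return {"ts": ts, "ip": ip, "user": user, "logon_type": logon_type}

# Constructed sample records (no real log data).
SAMPLE_EVENTS = (
    # one source, one guess against each of six accounts within a minute
    [_ev(f"2021-10-20T02:00:{i:02d}", "203.0.113.7", u)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # another source hammering a single account
    + [_ev(f"2021-10-20T03:10:{i:02d}", "198.51.100.9", "administrator") for i in range(9)]
    # a console (type 2) user mistyping twice: benign, and not RDP anyway
    + [_ev("2021-10-20T09:00:00", "10.0.0.5", "grace", 2),
       _ev("2021-10-20T09:00:30", "10.0.0.5", "grace", 2)]
)

def analyze_failed_logons(events, window=WINDOW):
    """Return {ip: {"spray": [accounts], "brute_force": {account: n}}} for each
    source whose RDP failures inside any `window` match either pattern."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    by_ip = defaultdict(list)
    for e in sorted((e for e in events if e["logon_type"] == 10), key=ts):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):   # slide the window, oldest event first
            while ts(evs[end]) - ts(evs[start]) > window:
                start += 1
            per_account = defaultdict(int)
            for e in evs[start:end + 1]:
                per_account[e["user"]] += 1
            spray = sorted(per_account) if len(per_account) >= SPRAY_MIN_ACCOUNTS else []
            brute = {u: n for u, n in per_account.items() if n >= BRUTE_MIN_ATTEMPTS}
            if spray or brute:
                f = findings.setdefault(ip, {"spray": [], "brute_force": {}})
                if len(spray) > len(f["spray"]):
                    f["spray"] = spray   # keep the widest set of sprayed accounts
                for u, n in brute.items():
                    f["brute_force"][u] = max(n, f["brute_force"].get(u, 0))
    return findings
```

Thresholds are placeholders; tune them to the baseline failure rate of the environment and feed the findings into account lockout review and source-address blocking.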
A later section of this piece will discuss another avenue of initial access: remote code execution (RCE).
Fun-sized bars: Privilege escalation and lateral movement
While these treats may be anything but fun for some (one may even call them a disappointment), there’s a reason they’re a Halloween staple: reliable, cheap and guaranteed to at least meet the requirements of the occasion. A “minimum viable product” rather than a “most valuable player.”
When discussing top vulnerabilities, privilege escalation is often part of the conversation but is frequently overshadowed by RCEs. Of the top exploited vulnerabilities from 2020, according to a joint advisory from CISA, the FBI, the Australian Cyber Security Centre and the United Kingdom’s National Cyber Security Centre, only two were elevation of privilege (EoP) flaws (CVE-2020-0787 and CVE-2020-1472). That doesn’t mean, however, that these types of vulnerabilities are any less of a treat for attackers.
EoP flaws are critical in many attack chains. Multiple reports have shown that attackers of all types have adopted CVE-2020-1472, also known as Zerologon, into their attacks. Netlogon is ubiquitous and the exploit has proven reliable.
Similarly ubiquitous and reliable for attackers, the Server Message Block (SMB) protocol is leveraged by diverse threat groups to achieve lateral movement in their attacks. Specifically, CISA has warned of the TrickBot malware and BlackMatter ransomware abusing SMB. To keep with the theme, SMBGhost (CVE-2020-0796) is a vulnerability in the SMBv3 protocol that has been exploited by attackers since its public disclosure.
Both of the vulnerabilities highlighted here are over a year old and continue to be delicious treats for attackers. Organizations must ensure they do not allow critical, exploited vulnerabilities like these to haunt their networks for any extended period of time. It’s also important to broaden your understanding of risk to consider how vulnerabilities could be chained with other attack vectors to compromise systems.
Specialty candy: Active Directory
The nice little surprise; the candy you expect someone to keep for themselves, not hand out to strangers. This is the case when vulnerabilities have the potential to compromise Active Directory (AD). Impact on AD immediately increases the urgency when responding to an advisory, like the jolt of excitement at seeing an imported candy in the bowl. Recently, attackers have received a lot of these specialty treats. Several groups of named vulnerabilities this year have been leveraged by attackers to compromise AD.
This summer, researcher Gilles Lionel disclosed the PetitPotam NTLM relay attack, which can be used to force domain controllers to authenticate to an attacker-controlled destination. Roughly a month after disclosure, ransomware groups were seen exploiting this attack. PetitPotam was addressed in Microsoft’s August Patch Tuesday release, but that patch is only partial. As an important note, the LockFile ransomware has chained Microsoft Exchange vulnerabilities with PetitPotam to take over domain controllers.
In September, the threat group referred to as NOBELIUM was observed deploying malware named FoggyWeb, described as a “passive and highly targeted backdoor,” on compromised AD Federation Services servers. While these were targeted attacks, they illustrate why all organizations need to properly secure AD.
AD is a top target for ransomware and many services have added these vulnerabilities to their treat bags. To learn more about securing Active Directory read the whitepaper on the top AD misconfigurations putting your organization at risk.
Full-sized candy bar: Remote code execution
In the sea of penny candies and fun-sized treats, nothing beats the full-sized bars. Attackers love RCE like we all love to see a full-sized treat. Of the 12 top exploited vulnerabilities from 2020, according to the aforementioned advisory, seven were RCEs. In the earlier section on initial access, VPNs were one of the top targets and it may be in part due to the plethora of RCEs in VPN solutions, in addition to their role as a gateway to target networks. The top exploited vulnerability of 2020 was an RCE in a VPN product: CVE-2019-19781 in Citrix Application Delivery Controllers (ADCs) and Gateways.
More recently, RCE flaws in Microsoft Exchange have been leveraged by attackers, and threat groups have been making news all year by exploiting them. The HAFNIUM threat group in particular was detected using zero-days in Exchange against high-level targets. Researcher Orange Tsai has disclosed several vulnerabilities in Microsoft Exchange that were quickly adopted by attackers, including ProxyLogon and ProxyShell. RCEs in Exchange have proven to be exceptional treats for attackers; both ProxyLogon and ProxyShell have been widely exploited by threat groups.
In addition to ransomware and nation-state threats, RCEs are commonly used to load cryptocurrency miners on targets. Two recent RCEs in particular have been quickly adopted by cryptominers: CVE-2021-38647, aka OMIGOD, and CVE-2021-26084, an OGNL injection in Atlassian Confluence.
Not candy: Side-channel vulnerabilities
Every year, you get at least one item that is distinctly not a treat: raisins, dental floss, applesauce. I don’t want to dwell too long on these disappointments, but the class of vulnerability that immediately came to mind was side-channel attacks.
The big names remain Meltdown and Spectre but, since their disclosure nearly four years ago, more side-channel attacks have been reported with some degree of fanfare, only to then shortly fade from collective memory like a true specter.
While the furor that accompanied the disclosure of Meltdown and Spectre might have been warranted due to the novelty of the research, side-channel attacks are not a vector with which the vast majority of organizations need to be concerned, especially considering the difficulty in patching or mitigating this class of vulnerabilities.
Without the right intelligence, vulnerability management can feel like ghost-hunting. Organizational changes like remote working, mergers, or acquisitions make it difficult for organizations to locate all their assets and keep them up-to-date without the proper tools and staffing. Many organizations are likely haunted by CVEs based on their own unique IT history. Asset inventory and management, along with truly comprehensive scanning, are critical to tracking down as many of these ghosts as possible.
If you want to have a little more spooky fun, play our game to see if your network will survive the attack of cyber demons this Halloween.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here.
Get more information
- CIS guide for securing RDP
- CISA and NSA guide for hardening VPNs
- Whitepaper on securing Active Directory