Top Vulnerabilities in H1 2022
I would like to start off this article with the fact that cyber attacks continue to increase across the world, especially those targeting infrastructures with weak or misconfigured security solutions. The success rate of these attacks is high, which is attributable to common weaknesses in cybersecurity hygiene. It is also important to highlight that not all successful breaches occur through exploitation of the latest zero days; many of them leverage weaknesses on common attack surfaces.
In this article, I will shed light on the most used “N-Days”: vulnerabilities that are publicly known but for which no patch is available or the available patches have not been applied.
As an example, the Help AG CSA (Cybersecurity Analysis) team has been conducting Red Teaming activities on high-profile organizations that rely on cybersecurity controls but still fall victim to ransomware and fraudulent transaction requests, costing them millions as well as reputational damage. When we simulate the attack, it comes with a game plan of compromising non-privileged users and then escalating to higher privileges using zero-day attacks.
From these exercises, we have noticed that it is almost always misconfiguration, missing patches or users caught off guard that ultimately allow these attacks to succeed. The same approach is used over networks by embedding malware inside HTA (MS HTML Application) files or macro-enabled MS Office documents, or by using other obfuscation techniques to deliver the malware over email. After the initial foothold, hackers will then extend these attacks to critical systems, very often to the Active Directory services, which are utilized everywhere and are highly critical for IT operations.
Implementing default configurations without hardening, a lack of user awareness of phishing attacks, weak passwords and critical listening ports exposed to public networks are some of the common weaknesses that make an organization an easy target for an attacker. One of the latest examples is the Atlassian Confluence plugin that shipped with hardcoded credentials, allowing hackers to gain access to client information. It is important to understand and track all the digital assets you have, how they are exposed, and whether they are well protected with the correct defense mechanisms and the right configurations. For example, if you have Active Directory services in the cloud or inside the network, ensure they are well protected and monitored, and that you have the ability to revert changes, which is key to limiting an attack and preventing it from succeeding.
Each organization has different services, solutions, controls and technologies, so maintaining vulnerability management and continuous checks against attacks will help it distinguish and identify the top vulnerabilities that need to be fixed and patched.
There is no such thing as 100% security, but continuously improving and preparing for attacks and threats will put your organization in a position to respond and recover swiftly if and when there is a security breach.
Our final thought is that each organization will inevitably be a target as part of an attack campaign or a large-scale breach, so to defend against these ever-evolving threats, we highly recommend the following:
- Protect Active Directory services on cloud and on premises.
- Perform regular patch management and updates.
- Perform regular cyber hygiene training against phishing attacks.
- Keep track of IT assets.
- Perform quarterly penetration testing on both internal and external networks.
- Financial sector organizations should include Red Teaming on top of infrastructure penetration testing.
- Change default passwords to more complex passwords.
- Enable multi-factor authentication for your organization's users, even for personal login pages.
- Don’t use company assets for personal work.
Top 3 Vulnerabilities In H1 2022:
Atlassian Confluence Hardcoded Credentials (CVE-2022-26138)
Recently, there was a new threat against Confluence users which allowed attackers to gain access to an organization's information and data using default credentials set by the product during the initial setup process. One of the key misjudgments in Confluence's approach during initial implementation was creating a “disabledsystemuser” account with a hardcoded password.
Remediation:
- Update the solution to the latest version, 2.7.38 or 3.0.5.
- Deleting the “disabledsystemuser” account will also help mitigate the attack.
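Beyond removing the account, a defender will want to know whether it was ever used. The following is an added example, not code from Help AG or from Atlassian: it scans access-log lines for requests made under the “disabledsystemuser” account and summarizes the source addresses. The log lines are constructed for this example, and the combined-log-style layout matched by `LINE_RE` is an assumption; adapt the pattern to your own access-log format.

```python
import re
from collections import Counter

# Constructed sample lines in a combined-log-style layout (assumption: real
# deployments must adapt LINE_RE to the layout their reverse proxy or
# application server actually writes).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - alice [14/Jul/2022:09:12:01 +0400] "GET /dashboard.action HTTP/1.1" 200 5123
203.0.113.55 - disabledsystemuser [14/Jul/2022:09:13:44 +0400] "GET /rest/api/content?limit=100 HTTP/1.1" 200 20480
203.0.113.55 - disabledsystemuser [14/Jul/2022:09:13:45 +0400] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 7780
198.51.100.7 - bob [14/Jul/2022:09:14:02 +0400] "POST /rest/api/content HTTP/1.1" 201 1102
203.0.113.55 - - [14/Jul/2022:09:15:00 +0400] "GET /login.action HTTP/1.1" 200 3321
"""

# One request per line: client IP, authenticated user ("-" when anonymous),
# timestamp, request line, status and response size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Accounts whose mere appearance in the log is worth an alert. The name comes
# from the advisory above; extend the set with any other built-in accounts
# your deployment should never see authenticating.
WATCHED_ACCOUNTS = {"disabledsystemuser"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def find_watched_account_activity(log_text, watched=WATCHED_ACCOUNTS):
    """Return (user, ip, timestamp, path) for every request made by a watched account."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in watched:
            hits.append((rec["user"], rec["ip"], rec["ts"], rec["path"]))
    return hits


def summarize_by_source(hits):
    """Count hits per client IP so the analyst sees where the account was used from."""
    return Counter(ip for _, ip, _, _ in hits)


if __name__ == "__main__":
    found = find_watched_account_activity(SAMPLE_ACCESS_LOG)
    for user, ip, ts, path in found:
        print(f"{ts} {user} from {ip}: {path}")
    print("by source:", dict(summarize_by_source(found)))
```

Run it against the exported access logs covering the period before the account was deleted; any hit means the hardcoded credential was used and the content it reached should be reviewed, not just the account removed.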
Zoho ManageEngine ADSelfService Plus (CVE-2021-40539):
Another vulnerability commonly exploited in the wild is in Zoho ManageEngine ADSelfService Plus, where the attacker can bypass authentication through a weakly implemented REST API and then perform Remote Code Execution.
We have also seen that attacks against AD services are commonly used to carry out ransomware attacks and maintain persistence. In this case, it was shells such as Dropper, Godzilla, NGLite, KdcSponge and others.
Remediation:
- Apply the patch provided.
Windows LSA (Local Security Authority) Spoofing Vulnerability (CVE-2022-26925):
As usual, we very often see and use new vulnerabilities in the Windows operating system, as it is frequently targeted by hackers. One of the latest attacks, a local network attack or privilege escalation technique, used an LSA RPC call to trick the Domain Controller into authenticating using NTLM. This allows the NTLM hash to be passed on or cracked to recover the password, elevating the attacker to higher privileges.
Remediation:
- Refer to the details provided.
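Patching is the fix, but the coercion described above leaves a trace a defender can look for: a Domain Controller's machine account completing an NTLM network logon on some other host, from an address that is not the DC itself. The following is an added example, not code from Help AG or Microsoft, that applies that check to Security event 4624 records. The events are constructed for this example and the field names follow the usual 4624 EventData names (`TargetUserName`, `AuthenticationPackageName`, `LogonType`, `IpAddress`); the `DOMAIN_CONTROLLERS` map and every address in it are assumptions to replace with your own inventory.

```python
# Constructed sample records shaped like Windows Security event 4624
# (assumption: a SIEM export mapped onto the standard EventData field names).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3,
     "IpAddress": "10.0.0.21", "Computer": "FS01.corp.local"},
    # DC01's machine account logging on over NTLM from an address that is not DC01
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "NTLM", "LogonType": 3,
     "IpAddress": "10.0.0.99", "Computer": "FS01.corp.local"},
    # Same machine account, Kerberos, from its own address: normal
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3,
     "IpAddress": "10.0.0.5", "Computer": "FS01.corp.local"},
    # A workstation account over NTLM: not a DC, so outside this rule
    {"EventID": 4624, "TargetUserName": "WS07$", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "NTLM", "LogonType": 3,
     "IpAddress": "10.0.0.37", "Computer": "FS01.corp.local"},
    # Failed logon: a different event, ignored here
    {"EventID": 4625, "TargetUserName": "DC01$", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "NTLM", "LogonType": 3,
     "IpAddress": "10.0.0.99", "Computer": "FS01.corp.local"},
]

# Hypothetical inventory: DC hostname -> the address it is expected to connect from.
DOMAIN_CONTROLLERS = {"DC01": "10.0.0.5", "DC02": "10.0.0.6"}

NETWORK_LOGON = 3


def is_suspicious_dc_ntlm_logon(event, dc_map=DOMAIN_CONTROLLERS):
    """True when a DC machine account completes an NTLM network logon from a
    source address other than the DC's own, which is what a coerced or relayed
    authentication looks like on the receiving host."""
    if event.get("EventID") != 4624:
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    if event.get("LogonType") != NETWORK_LOGON:
        return False
    user = event.get("TargetUserName", "")
    if not user.endswith("$"):          # machine accounts end with '$'
        return False
    host = user[:-1].upper()
    if host not in dc_map:
        return False
    return event.get("IpAddress") != dc_map[host]


def scan_events(events, dc_map=DOMAIN_CONTROLLERS):
    """Return the subset of events that trip the rule, for triage."""
    return [e for e in events if is_suspicious_dc_ntlm_logon(e, dc_map)]


def describe(event):
    """One-line summary of a flagged event for an alert or ticket."""
    return (f"{event['TargetDomainName']}\\{event['TargetUserName']} NTLM network logon "
            f"on {event['Computer']} from {event['IpAddress']}")


if __name__ == "__main__":
    for e in scan_events(SAMPLE_EVENTS):
        print("ALERT:", describe(e))
```

The rule is deliberately narrow: it fires only on DC machine accounts, only on NTLM, and only when the source address disagrees with the inventory, so it stays quiet on ordinary Kerberos traffic and on member servers. Pair it with the patch and with the mitigations in the vendor details, since detection alone does not stop the relay.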