Vulnerabilities & Exploits

Recently, a set of vulnerabilities were identified which affect millions of Internet-of-Things (IoT) devices using software developed by a company called Treck. The discovering research firm has titled the whole set of vulnerabilities Ripple20. Types of at-risk devices can include assets such as power supply systems, programmable logic controllers (PLCs), and medical equipment. These vulnerabilities range in severity, with the most severe vulnerabilities discovered leading to remote code execution, exposure of sensitive information, and out-of-bounds writing. Below are two of the vulnerabilities rated as a 10 out of 10, being the most severe:

• CVE-2020-11896: The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.
• CVE-2020-11897: The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.

Many affected vendors have already been notified by the research firm who discovered these vulnerabilities and are currently working on fixing and patching the issues. However, a very common trend with IoT devices is the lack of software and firmware updates. Although there are no working Proof-of-Concepts (POCs) for these vulnerabilities in the wild, it is not uncommon for Advanced Persistent Threat groups (APTs) and nation state actors to have the ability, time, and resources to reverse engineer security patches and develop a working exploit quickly. Because of this, nGuard recommends the below remediation strategies.

Take Inventory of Current IoT Devices

Taking an inventory of what is currently in your environment that may have this vulnerable software and removing any device that is not necessary for business related functions helps ensure a reduced attack surface.

Ensure Frequent Software and Firmware Updates

In addition to updating firmware and software of devices, consider reading the patch notes to understand what is being fixed. More often than not, software updates are pushed out to patch a security related flaw.

Conduct Penetration Tests

Include potential high-risk devices in scope for internal penetration tests to gain a better understanding of what an attacker could do.

Conduct Strategic Security Assessments

Initiate strategic security assessments to identify any critical gaps in your security program to protect against and mitigate threats like Ripple20.

Implement Proper Network Segmentation

By segmenting your network and keep high value target devices off of regular business networks, you reduce the risk of an attacker being able to exploit them.
 
For more information regarding Treck’s response to these vulnerabilities, please visit https://treck.com/vulnerability-response-information. 

Vulnerability Overview

ZeroLogon (CVE-2020-1472) is an immensely critical privilege escalation vulnerability affecting all versions of Windows Servers. A defect in the cryptography used by the NetLogon Remote Protocol known as AES-CFB8 allows unauthenticated adversaries to compromise Domain Controllers in an Active Directory environment. By inserting multiple zeroes into fields used by NetLogon messages, an attacker can achieve the following:

• Change the system password of the domain controller.
• Obtain valid domain administrator credentials.
• Obtain the password hash of any Active Directory user.
• Create Golden Tickets.

Want to know more about the technical details behind this major Windows Server vulnerability? Check out the Microsoft Report regarding ZeroLogon.

Want to see just how easy it is for an attacker on the internal network to exploit this vulnerability. Check out this video below!

Remediation

As you can see from the video above, it takes very little effort for an internal threat actor to fully compromise the Domain Controller. So, what can your organization do in order to ultimately remediate this critical vulnerability?

Fortunately, the solution is straightforward. The August 2020 Security Patch from Microsoft addresses this vulnerability for all affected versions of Windows. In many organizations Domain Controllers tend to fall behind on patches due to the impact updating a Domain Controller can have on many services and applications in the environment. Don’t lag behind on this update!

As security research becomes more prominent, critical vulnerabilities like ZeroLogon are on the rise. nGuard’s team of certified penetration testers are ready to cater to your needs by providing security assessments that bring attention to the weaknesses in your environment. Ready to learn more about nGuard’s Internal Penetration Testing assessment and its positive effects on the overall security landscape of the ever-growing internal network?

On June 27, 2017, an ongoing cyberattack was discovered that utilized a variant of a prior, widespread, ransomware exploit known as Petya.  This new attack, dubbed NotPetya by Kaspersky Labs, appeared to originate in Ukraine, but it quickly spread across Europe and the United States.  NotPetya makes use of some components of the NSA hacking tools revealed earlier this year from the Vault7 dump by the Shadow Brokers.  Researchers have discovered that the creators of the malware did not appear to do it for monetary purposes, noting that many red flags existed to show that this attack was designed to be a “wiper,” simply destroying all infected systems.

Ransomware and other similar malware variants have been extremely detrimental to many organizations already this year.  Beginning with WannaCry, and now NotPetya, these vicious pieces of software have exploited security weaknesses that many companies struggle with on an ongoing basis, specifically, deficiencies in patching processes, internal system misconfigurations, and lack of secure practices in general.  The cost to organizations can be significant, including consumption of IT personnel, system downtime, and outright data loss.  “Essentially, organizations can prevent these types of attacks by maintaining good security hygiene,” states JR Johnson, Senior Vulnerability Researcher with nGuard.  “Starting with patch management, good back-up processes and infrastructure, and regular security audits by third-parties.  With good security best practices, organizations can almost completely prevent these types of attacks from significantly affecting them.”

Regardless of an organization’s security program maturity, nGuard recommends that organizations take the time to evaluate their resiliency to these types of attacks.  Whether it is a strategic assessment of your organization’s security posture or tactical penetration testing to determine the effectiveness of your current security controls, nGuard can help your company be prepared for the next malware outbreak.

About nGuard Corporation

nGuard is a leading provider of expert security assessments, managed security services, security incident response, and other advanced security services to organizations across North American & around the world.  nGuard’s relentless focus on securing clients, as well as their unmatched security expertise, has helped them become one of the most sought after security firms in North America.

For more information, please visit:   www.nGuard.com