Center For Internet Security

Attacking FortiNAC Devices: Experts Advise Updating

A serious vulnerability in Fortinet’s FortiNAC network access control suite (CVE-2022-39952) is now being exploited by hackers to add a cron job that starts a reverse shell on vulnerable systems as the root user. This unauthenticated file path modification vulnerability poses a major security risk for enterprises using the FortiNAC solution because it may be used to execute commands remotely.

Fortinet has already released security upgrades to remedy the issue, and has recommended that users update susceptible appliances to the most recent versions. As the corporation hasn’t offered any mitigation advice or workarounds, updating is the only option to prevent attacks. Researchers from cybersecurity firms, including Shadowserver Foundation, GreyNoise, and CronUp, have recently observed attacks on CVE-2022-39952 from a variety of IP addresses. This indicates that attackers have already started focusing on unpatched FortiNAC devices.

Horizon3 security researchers have created proof-of-concept (PoC) exploit code which allows hackers to add a cron task that starts a reverse shell on vulnerable systems. Fortinet had previously issued a warning in December 2022 to customers to patch FortiOS SSL-VPN appliances against an actively exploited security flaw (CVE-2022-42475), which was also used as a zero-day in attacks against targets associated with the government.

In reaction to what it called “sensationalized claims” about recent exploitation attempts aimed at a vulnerability in its FortiNAC network access control product, Fortinet has offered some crucial clarifications. The company emphasized that it is yet unclear how exploiting CVE-2022-39952 will actually affect users. However, FortiNAC users should be aware of the possible hazard, as knowledgeable threat actors have been known to attack Fortinet products.

FortiNAC administrators are highly advised to update their software right away to a version of the software that is not impacted by the CVE-2022-39952 vulnerability. This includes FortiNAC versions 9.4.1 or later, 9.2.6 or later, 9.1.8 or newer, and 7.2.0 or later. Organizations may stop hackers from using this important vulnerability to gain access to their corporate networks by heeding this advice.

At nGuard, we understand the importance of proactive security measures to protect our clients from the evolving threat landscape. That’s why we offer a range of security services designed to help detect vulnerabilities like the FortiNAC vulnerability, including internal penetration testing, vulnerability management, and strategic security assessments. Our team of experts can work with clients to develop and implement policies and procedures to ensure they can quickly identify and address security threats, and stay up-to-date on emerging vulnerabilities through our security advisories. By partnering with nGuard, clients can rest assured that they have access to the latest security technologies and expertise to help them stay one step ahead of the threats.

Are You Prepared for the New Cyber Insurance Requirements?

As cyberattacks increase worldwide, insurance companies are tightening their cyber insurance policy requirements. This is due to the 80% rise in ransomware attacks last year, leading to a large number of claims. Among the new provisions are the requirement for multi-factor authentication (MFA) for all admin access and the protection of all privileged accounts. However, identifying gaps in MFA and privileged account protection within a network can be challenging for organizations. In addition to MFA, there are several other requirements that stipulate detailed attestation when filling out a cyber policy questionnaire. A few of those requirements are:

Security Awareness Training and Testing
This process is designed to educate employees on cyber security threats and risks, and to test their understanding of these issues through interactive simulations and assessments. The goal is to raise awareness, increase knowledge, and promote safe online behavior within an organization. To reduce your risk of phishing attacks, nGuard has been conducting Security Awareness Training and phishing testing though our Social Engineering Assessment for years.
Vulnerability Management
A thorough vulnerability management program will identify, assess, and prioritize vulnerabilities in an organization’s systems and networks, and take action to remediate or mitigate these risks to prevent exploitation. This helps maintain the security and integrity of systems and data by staying on top of vulnerabilities as they are discovered. Conducting monthly or quarterly vulnerability scans on an ongoing basis will not only help meet insurance requirements but also keep your network secure. nGuard’s Vulnerability Management can help you manage your external environment, internal environment, and meet PCI requirements with ASV scanning.
24/7/365 Monitoring
A Security Information and Event Management (SIEM) system collects and aggregates log data from various sources within an organization and uses analytics and threat detection techniques to identify potential security incidents and enable security teams to respond promptly. SIEM provides centralized security visibility and event correlation. nGuard’s managed security team performs both manual and automated daily log analysis that proactively detects suspicious activity in your environment with our managed SIEM service called Managed Event Collection & Correlation. nGuard is adding artificial intelligence and machine learning to detect and respond to security threats in real-time via UEBA (User and Entity Behavior Analytics).
Secured, Encrypted, Offsite Backups
Offsite backups refer to the storage of backup data at a remote location, typically in a secure data center, separate from the primary data storage. This helps ensure that the data can be recovered in case of a disaster or cyberattack and protected against data loss while minimizing downtime. Offsite backups are an important component of a comprehensive disaster recovery plan. A Strategic Security Assessment utilizing the Center for Internet Security (CIS) 18 Critical Security Controls as the foundation can help bring the lack of controls like this and others to light.
Endpoint Detection & Response (EDR)
This real-time security solution will monitor and respond to security threats on endpoint devices such as computers and servers using artificial intelligence and machine learning to detect and isolate security incidents.

As insurance carriers adjust the requirements to obtain and maintain coverage, a thorough assessment can help organizations identify and close security gaps to help meet the new cyber insurance requirements and improve their overall security posture. nGuard has a number of solutions that can help meet and exceed the requirements needed to obtain and maintain cyber insurance.

Vulnerability Exploits Overtake Phishing as Initial Attack Vector

Most security professionals will advise the number one way attackers gain an initial foothold on a network is, and continues to be, phishing and social engineering attacks. Palo Alto recently released their 2022 Incident Response Report which confirmed what most would say is true. At a combined 42%, phishing and social engineering make up almost half of all means of initial access.

The second most common way according to the above chart from Palo Alto is software vulnerabilities. However, in the first week of September, Kaspersky released its 2021 Incident Response Overview and it told a different story. 53.6% of the initial attack vectors they responded to were exploits of public-facing applications.

2021 had no shortage of time sensitive critical vulnerabilities including Log4j, Microsoft Exchange ProxyLogon, and three other CVEs related to the ProxyLogon vulnerabilities that were released in March of 2021. When these vulnerabilities are made publicly available it is only a matter of minutes before publicly facing systems are being scanned for vulnerable targets. Within hours, proof of concept exploits become available leading to an extremely high rate of organizations falling for such attacks.

In recent years, organizations have prioritized security awareness training and conducted social engineering and phishing training. But have those same organizations made it a priority to have a vulnerability management program in place?

How can organizations stay ahead of these attack trends? Start by building out a mature security program that includes annual penetration testing, ongoing vulnerability scanning, and a properly configured SIEM to alert on network anomalies. If you suspect a breach, identify a firm capable of responding to security incidents and secure an incident response retainer. Lastly, have an expert conduct a strategic security assessment to compare your organization’s security program to a known security standard like the Center for Internet Security Critical Security Controls.

URGENT NSA Cybersecurity Advisory

Weak Security Controls

Last week, multiple government agencies released a joint Cybersecurity Advisory to raise awareness about insufficient security configurations, weak controls, and other areas where cyber criminals easily gain access to company networks. This advisory lists out the best practices to protect your systems and goes into them in detail:

Control access.
Harden credentials.
Establish centralized log management.
Use antivirus.
Employ detection tools.
Operate services exposed on internet-accessible hosts with secure configurations.
Keep software updated.

This advisory also details some of the most common ways that attackers are gaining access to internal networks and explains the mitigation efforts that can be taken to prevent such attacks:

Exploit Public-Facing Applications
External Remote Services
Phishing
Trusted Relationship
Valid Accounts

It is essential that all organizations read or review this advisory and become familiar with the list of common exploit paths that attackers take to easily gain access to systems within the internal network. “As long as these security holes exist, malicious cyber actors will continue to exploit them,” said NSA Cybersecurity Director Rob Joyce. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.” This advisory can be reviewed in detail here.

nGuard provides a wide variety of both tactical and strategic security assessments that can assist your organization in becoming more secure across the board. Tactical security assessments like external penetration testing, internal penetration testing, and social engineering can point out easily exploitable flaws that could lead an attacker to gaining some type of network access. Managed security services like vulnerability management and centralized log management provide ongoing protection as your network is being scanned for known vulnerabilities on an ongoing basis. Strategic security assessments give you one on one time with a qualified consultant who can help you build layers of security from the ground up. If you are reading this advisory and have any questions, nGuard is ready to talk with you and see where assistance is needed.

Multi-Factor Prompt Bombing Attacks

What Is It?
Multi-factor authentication (MFA) prompt bombing is a specific social engineering attack that bombards its victims with countless MFA push notifications. Generally, when people think of social engineering attacks, they think of suspicious emails or unexpected phone calls. However, MFA prompt bombing can be an even more effective strategy to gain access to people’s data, due to the fact it specifically uses social engineering tactics that target the human factor. Below are a few different ways these MFA prompt bombing attacks are carried out:

Send a large number of MFA prompt requests in hopes the user accepts to stop the distraction or annoyance.
Send only a small number each day in hopes a user accepts at some point. This method is stealthier and is more likely to fly under the radar as a malicious attack.
Call the user advising them they need to send an MFA prompt and they need to accept it.

The victim may ignore the first few notifications or calls, but at some point, may click accept to stop the annoyance and get back to what they were focusing on – all while not realizing what they have just done.

More and more authentication portals are adding the ability or requirement to

enable MFA notifications as a secondary form of authentication. The Center for Internet Security (CIS) Control 6 – Access Control Management requires MFA for external facing applications, remote network access, and administrative access. This attack is on the rise and will not be going away any time soon.

Recent Attacks Using This Technique
Back in March, nGuard released a Security Advisory about the Lapsus$ Crime Gang infiltrating Microsoft, Okta, and others. It turns out the group utilized this technique to gain access to these organizations. Lapsus$, in their Telegram channel said, “No limit is placed on the number of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The image below shows a conversation from their Telegram Channel discussing how they were going to attempt this attack:

The SolarWinds breach that occurred last year that allowed APT29 (Cozy Bear), a group out of Russia, to create backdoors in 18,000 SolarWinds customer’s environments utilized this very same technique.

nGuard’s Experience with MFA Prompt Bombing
nGuard has been using this attack in our social engineering methodology for quite some time. Using these tactics, nGuard has successfully gained access to client’s VPN portals protected by MFA to obtain internal network access numerous times. nGuard has also used this attack to gain access via an organization’s single sign-on (SSO) page, giving us access to many sensitive internal applications. To protect your organization from this attack you can:

Conduct regular social engineering assessments to reinforce training.
Train employees to only accept MFA prompts when they are actively authenticating to a service.
Train employees to never give out MFA SMS codes to anyone.
Report the unsolicited MFA prompts as fraudulent.
Create alerts for anomalous events such as:
- Time of access
- Geolocation
- Large number of MFA prompts events
Draft a policy that states whether and how personal information is to be requested of employees via telephone.
Conduct employee training to raise awareness of social engineering techniques.
Train employees to identify and report suspicious requests for personal information.
Segment employee workstations from higher security zones in the internal network to reduce exposure of critical internal systems to attack from compromised workstations.

If you want to test your users’ likelihood of falling victim to such social engineering attacks, contact your Account Executive or Security Consultant for more information.