vulnerability

Microsoft Under Siege: Midnight Blizzard Exposes Tech Giant

The Midnight Blizzard attack on Microsoft, attributed to the Russian hacking group APT29 or Cozy Bear, stands as a stark reminder of the evolving landscape of cyber threats and the vulnerabilities that even tech giants face. This incident wasn’t just a routine data theft; it was a meticulously planned operation aimed at gathering highly sensitive corporate intelligence.

Detailed Analysis of the Attack Methodology
The attack method employed by Midnight Blizzard was a ‘password spray attack.’ This technique, while less sophisticated than some other hacking methods, proved effective due to its low and slow approach which evaded typical security measures. By using common passwords across multiple accounts, the hackers bypassed standard detection systems that are triggered by multiple failed login attempts on a single account. The simplicity of the approach underscores a critical vulnerability in cybersecurity: the reliance on strong passwords and the need for systems that can detect even the most subtle unusual activities.

In the context of such threats, the importance of vigilant monitoring and alerting systems like nGuard’s Managed Event Collection & Correlation (MECC) service cannot be overstated. MECC, functioning similarly to a SIEM tool, is designed to detect anomalies like password spraying. It plays a critical role in early detection, enabling organizations to respond swiftly to prevent extensive damage.

The Breach: Scope and Impact
Once inside Microsoft’s systems, the Midnight Blizzard hackers had access to sensitive email accounts, including those of senior leadership and key departments. This access could have provided them with a wealth of information, from internal communications to strategic plans. The exact scope of the information accessed remains unclear, but the potential for significant intellectual and operational damage was undoubtedly high.

This incident highlights the growing trend of targeting information that can strengthen an attacker’s own security and intelligence. It’s a shift from the more common goal of direct financial gain or widespread disruption, indicating a sophisticated understanding of the value of information in cyber warfare.

Microsoft’s Strategic Response
In reaction to the breach, Microsoft emphasized the urgent need to bolster their security, especially concerning their legacy systems. Recognizing that their existing defenses were inadequate against such sophisticated attacks, they undertook measures to enhance security protocols and implement faster updates.

The role of proactive security assessments becomes critical. nGuard’s Penetration Testing services could have been instrumental in identifying vulnerabilities like weak passwords, which are particularly susceptible to password spray attacks. Regular penetration testing simulates potential attack scenarios, uncovering weaknesses before they can be exploited.

Conclusion and Forward-Looking Strategies
The Midnight Blizzard attack on Microsoft is a pivotal event in cybersecurity, underscoring the critical need for robust and comprehensive defense strategies. This incident is a stark reminder that cyber threats are diverse and ever-evolving, and that organizations must be prepared for a wide range of attack methods. It highlights the necessity for ongoing vigilance, adaptation, and enhancement of cybersecurity measures. As the digital landscape continues to grow in complexity, the importance of being proactive and staying ahead of potential threats is paramount. This incident serves as a cautionary tale, urging organizations to rigorously evaluate and fortify their cybersecurity infrastructures to protect their valuable digital assets against sophisticated cyber threats.

Cisco’s Unity Connection Vulnerability: Root Access and Critical Fixes

Cisco has recently identified and patched a severe vulnerability in its Unity Connection product, posing a significant risk for unauthorized access and potential system compromise. Tracked as CVE-2024-20272, this critical flaw allows unauthenticated attackers to upload malicious files and execute unauthorized commands, potentially gaining root privileges on the affected system. This isn’t the only recent critical vulnerability for Cisco. Back in October, nGuard wrote about another set of Cisco critical zero-day vulnerabilities that were exploited on over 50,000 devices. This article delves into the intricacies of this vulnerability, its implications, and how organizations can secure their systems from being exploited.

The Critical Vulnerability Explained
The identified vulnerability resides within the web-based management interface of Cisco’s Unity Connection. Due to insufficient authentication, in a particular API and flawed validation of user-input data, malicious actors can exploit this flaw. Attackers can potentially upload arbitrary files, execute commands on the underlying operating system, and escalate privileges to root access. The versions of Cisco Unity Connection that are vulnerable to this discovery are:

Cisco Unity Connection Release	First Fixed Release
12.5 and earlier	12.5.1.19017-4
14	14.0.1.14006-5
15	Not vulnerable

Cisco’s Immediate Response and Updates
Acknowledging the severity of the issue, Cisco quickly rolled out patches to address the vulnerability. Organizations are highly advised to upgrade to the fixed versions immediately. Notably, these updates are categorized as engineering special releases.

Other Security Concerns: Exploits and End-of-Life Products
While addressing the Unity Connection vulnerability, Cisco also highlighted other potential threats. A medium-severity flaw, tracked as CVE-2024-20287, affects the discontinued WAP371 Wireless-AC/N dual radio access point. Since this product has reached its end-of-life (EOL), Cisco will not be issuing any workarounds or fixes. The presence of a command injection vulnerability on an unsupported end-of-life device calls for immediate action for those still utilizing it.

How to Stay Protected:

Vulnerability Scanning: Identify and rectify vulnerabilities before they are exploited.
External and Internal Penetration Testing: Simulate real-world attack scenarios to discover weaknesses in your defenses.
Cybersecurity Incident Response Services: Rapid response and mitigation strategies for security breaches.
Managed SIEM: Continuous monitoring and alerting to detect suspicious activities.
Security Device Audits: Comprehensive assessments of security infrastructure for potential weaknesses.
Phishing Assessments: Educate employees and test resilience against phishing attacks.
Strategic Gap Assessments: Tailored strategies to bridge security gaps and enhance resilience.

The recent discovery and patching of the critical Cisco Unity Connection vulnerability highlights the risk and threats that organizations face every day. Cisco’s prompt response in releasing patches shows the importance of proactive security measures. However, as demonstrated by the existence of vulnerabilities in end-of-life products, organizations must remain up to date by employing a multifaceted approach that includes regular vulnerability scanning, penetration testing, and comprehensive security audits.

TWiC | Phishing Kits, FBI Shuts Down Credential Site, WordPress Critical Vulnerability, and Cobalt Strike

In this edition of This Week in Cybersecurity, we will discuss how phishers are using Telegram to sell phishing kits and lure in inexperienced phishers. We will also cover the recent seizure of Genesis Market, a major marketplace for stolen credentials, by the FBI and international law enforcement. Additionally, we will discuss the critical vulnerability in the Elementor Pro website builder plugin for WordPress that has been exploited by unknown attackers. Finally, we will take a look at Microsoft’s legal action to seize domains related to criminal activity involving Cobalt Strike, a popular security testing application that is often abused by cybercriminals. Continue reading to learn more about these important topics and how they may impact your organization’s security posture.

Telegram Used to Sell Phishing Kits

There has been a continued growth of the use of Telegram by phishers to offer a variety of phishing services in the past few years. Phishers use Telegram channels to promote their services to anyone willing to pay. These services can range from creating automated phishing bots, generating phishing pages, collecting data and distributing phishing links. Within this black market, free content for aspiring phishers is also offered, along with free phishing kits and users’ personal data. The reason behind these free offers is to recruit an unpaid workforce or bait inexperienced phishers to bite.

In addition, paid offers for phishers on Telegram include access to phishing tools, guides for creating customized phishing pages, and phishing-as-a-service (PhaaS) subscriptions. nGuard’s wide range of security assessments include Social Engineering. It is important for an organization to test their employees with social engineering techniques to identify potential vulnerabilities and educate them on how to recognize and respond to real-world attacks, ultimately improving the overall security posture of the organization.

FBI and International Law Enforcement Shut Down Stolen Credential Site

Genesis Market, a major marketplace for stolen credentials of all types, was seized by law enforcement as part of Operation Cookie Monster. The marketplace was offering both consumer and corporate account identities, and the admins have not been identified or caught yet. Genesis Market was one of the most popular online shops for account credentials, device fingerprints, and cookies, and it provided access to a wide list of services with user accounts from all over the world. The seizure was possible due to international law enforcement and private sector coordination. Although some of the infrastructure has been taken offline, the platform’s site on the dark web is still reachable. The bot deployed would reside on the compromised computer and send the harvested information in real-time to its buyer. The platform provided access to a wide list of services with user accounts from all over the world and the customers of the market turned a pretty penny from using the stolen digital identities.

Users can check if their accounts were compromised and sold on Genesis Market through a portal from the Dutch Police specifically built for this purpose. During nGuard’s external and internal penetration testing we always check databases for known, leaked credentials and attempt to access user’s accounts and infrastructure should we discover any.

WordPress Site Builder Elementor Pro Has Critical Vulnerability Exploited

Unknown attackers are exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. Versions 3.11.6 and earlier are affected, with the flaw described as a case of broken access control. The issue was addressed in version 3.11.7, which was released on March 22. Successful exploitation of the high-severity flaw enables an authenticated attacker to take over a WordPress site with WooCommerce enabled. After doing so, a malicious user can set the default user role to administrator, creating an account that has administrator privileges. The attackers are also likely to redirect the site to a malicious domain or upload a malicious plugin or backdoor to further exploit the site. Users are urged to update to 3.11.7 or 3.12.0.

WordPress is one of the most popular Content Management Systems (CMS) used by millions of websites worldwide. However, it is also one of the most targeted platforms for cyber-attacks. While WordPress is a powerful and flexible platform, it requires careful maintenance and attention to security best practices to keep it secure. nGuard commonly tests WordPress sites during external penetration testing, continuously monitors them with ongoing vulnerability management scans, and collecting logs through our managed event collection and correlation service. Regular penetration testing and vulnerability scanning, and log analysis can help ensure the ongoing security and integrity of a WordPress site, protecting against data breaches, financial losses, and reputational damage.

Microsoft Taking Down Illegal Versions of Cobalt Strike

Microsoft’s Digital Crimes Unit and the Health Information Sharing & Analysis Center have taken legal action to seize domains related to criminal activity involving cracked copies of the security testing application, Cobalt Strike. In January of 2021, nGuard wrote a detailed advisory on what Cobalt Strike is and what it is capable of. The tool is often abused by cybercriminals to carry out attacks ranging from financially motivated cybercrime to high-end state-aligned attacks. The court order names a range of entities and groups the companies allege misuse their technologies, including the LockBit and Conti ransomware groups, as well as a series of cybercrime operations. The legal order targets 16 anonymous “John Doe” actors engaged in a range of criminal behavior, from ransomware activity to malware distribution and development. This action builds on Microsoft’s pioneering use of domain seizure to disrupt the technical infrastructure malicious hackers rely on. It is likely only a first step to challenge illicit use of the hacking tool, as malicious actors will likely be able to retool their infrastructure. To simulate the same attacks executed by these malicious groups, nGuard’s Red Team Testing also uses tools like Cobalt Strike on network and system defenses. Having a Red Team assessment conducted will help enable better security by allowing your security teams to identify vulnerabilities and improve their defenses against potential attacks.

Beware: New Zero-Touch Exploit Targeting Microsoft Outlook Users

Microsoft Outlook users should be aware of a new critical vulnerability that has been discovered by Microsoft Threat Intelligence analysts. CVE-2023-23397 is a privilege elevation/authentication bypass vulnerability that affects all versions of Outlook for Windows. The vulnerability has a 9.8 CVSS rating and is considered a zero-touch exploit, meaning that it requires low complexity to abuse and does not require any user interaction.

According to security researchers, threat actors are exploiting this vulnerability by sending malicious emails, which do not even need to be opened. The vulnerability is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB share on a threat actor-controlled server on an untrusted network.

The attacker remotely sends a malicious calendar invite represented by .msg — the message format that supports reminders in Outlook — to trigger the vulnerable API endpoint PlayReminderSound using “PidLidReminderFileParameter” (the custom alert sound option for reminders).

Once the victim connects to the attacker’s SMB server, the connection to the remote server sends the user’s NTLM negotiation message automatically, which the attacker can use for authentication against other systems that support NTLM authentication. This could result in a NTLM relay attack to gain access to other services or even a full compromise of domains if the compromised users are admins.

It is important to note that all supported versions of Microsoft Outlook for Windows are affected by this vulnerability. Other versions of Microsoft Outlook, such as Android, iOS, Mac, as well as Outlook on the web and other M365 services, are not affected as they do not support NTLM authentication.

Security experts are warning that this vulnerability is trivial to deploy and “will likely be leveraged imminently by actors for espionage purposes or financial gain.” The earliest evidence of exploitation, attributed to Russian military intelligence, dates back to April 2022 against government, logistics, oil/gas, defense, and transportation industries located in Poland, Ukraine, Romania, and Turkey.

To mitigate the risk of exploitation, Microsoft has released a patch as part of their March 2023 Monthly Security Update, and users are advised to apply the patch immediately. Additionally, security administrators can reduce the risk of exploitation by blocking TCP 445/SMB outbound from their network, disabling the WebClient service, adding users to the Protected Users Security Group, and enforcing SMB signing on clients and servers to prevent a relay attack.

If you are concerned about your organization’s security, we recommend running the Microsoft-provided PowerShell script to scan emails, calendar entries, and task items for the “PidLidReminderFileParameter” property. This will help you locate problematic items that have this property and subsequently remove or delete them permanently.

In light of this critical vulnerability, it is important for organizations to take proactive measures to safeguard their systems and data. nGuard offers a range of cybersecurity services that can help organizations stay ahead of emerging threats like CVE-2023-23397. Our Penetration Testing services can help identify vulnerabilities in your systems and provide recommendations for patching and securing them. Our Strategic Assessment services can assist with patch management, ensuring that your systems are up to date with the latest security patches and updates. Don’t wait until it’s too late to protect your organization from cyber threats. Contact nGuard today to learn how we can help you secure your systems and data.

Microsoft Exchange Zero-Days Mitigated, Then Bypassed!

Earlier this month two new zero-day exploits, CVE-2022-41040 and CVE-2022-41082, were released and code named ProxyNotShell due to similarities to another set of flaws called ProxyShell. nGuard covered one of the more recent Exchange zero-day vulnerabilities last year in another security advisory.

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability with 8.8 severity score out of 10. CVE-2022-41082 has been rated a 6.3 severity score out of 10 and allows Remote Code Execution (RCE) when PowerShell can be access by a malicious attacker. These vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019 for on-premises deployments. Microsoft stated, “While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.”

If an attacker can successfully exploit these vulnerabilities, they can compromise the victim’s system, obtain a web shell and install it, then attempt to pivot to other hosts on the network for further compromise. Microsoft said, with medium confidence, they can attribute many of the already carried out attacks to state-sponsored actors. These state-sponsored actors installed the China Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.

Microsoft has yet to release a patch for these vulnerabilities but did release workarounds for these two zero-days. However, shortly after their release it was discovered the recommended fix could be easily circumvented. This caused Microsoft to rewrite the mitigation to take this into account:

Open IIS Manager
Select Default Web Site
In the Feature View, click URL Rewrite
In the Actions pane on the right-hand side, click Add Rule(s)…
Select Request Blocking and click OK
Add the string “.*autodiscover\.json.*PowerShell.*” (excluding quotes)
Select Regular Expression under Using
Select Abort Request under How to block and then click OK
Expand the rule and select the rule with the pattern: .*autodiscover\.json.*Powershell.* and click Edit under Conditions
Change the Condition input from {URL} to {REQUEST_URI}

Microsoft also released a PowerShell script to apply the mitigation.

Outside of the Microsoft mitigations, you can protect your organization by:

Updating firewall rules, IPS, IDS systems to block known IP addresses targeting this vulnerability. You can download an updated list of malicious IPs and manually enter them in your perimeter protection devices.
Implementing multi-factor authentication (MFA) and training users not to accept unwanted MFA prompts.
Disabling Exchange Legacy Authentication.
Having a SIEM to help respond to ongoing threats to your environments based on correlating events from logs.
Ensuring you have a robust vulnerability management program in place to stay on top of the latest threats.
Conducting penetration testing on a frequent basis to ensure that attackers have limited or no path to pivot throughout your networks.
Either having an Incident Response retainer in place or having a pre-selected vendor to call should your organization fall victim to zero-days like this or any other attack.

TWiC | Lapsus$ Ransomware, LastPass Hack & MS ZeroDay

The past couple of weeks have been busy ones for the world of cybersecurity. Multiple companies have disclosed serious hacks that have led to breaches of customer data and overall system availability. In this week’s security advisory, nGuard will detail some of these incidents and their impact on the cybersecurity landscape.

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

The Lapsus$ crime gang is back at it again with an attack on the networking giant, Cisco. About a month ago, Cisco had disclosed that its systems were breached. A social engineering attack led adversaries on a pathway to overtaking an employee’s Google account. Saved credentials were then obtained from the browser and voice communications were utilized to trick the unsuspecting employee into accepting a multi-factor authentication push notification. Cisco believes the end goal of the attacker was to deploy ransomware on the network after gaining access to multiple systems. Cisco is reporting that attempts to deploy ransomware were unsuccessful.

LastPass Says Hackers Had Internal Access For Four Days

Lastpass reported a breach back in August and are now releasing some more details about the compromise. They are now reporting that an attacker had internal access to the company systems for four days before they were detected. Lastpass worked with a cybersecurity firm to investigate the incident and found that no customer data or password vaults were accessed during this time. LastPass maintains that your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass. The attacker was however able to access a developer endpoint and poke around the development environments.

Microsoft Patches a New Zero-Day Affecting All Versions of Windows

Microsoft is patching another zero-day vulnerability affecting all supported versions of Windows. This zero-day is reported as being used in real-world attacks. CVE-2022-37969 is a privilege elevation flaw in the Windows Common Log File System Driver. This is utilized for data and event logging. Once a system is compromised, this vulnerability can be used to escalate user privileges to the highest level, SYSTEM. 4 different security firms reported this vulnerability to Microsoft which makes them believe this could be widely used in real-world scenarios. They recommend patching immediately.

nGuard closely monitors trends in the world of cybersecurity and applies those trends to assessment activities and managed security services. Having penetration testing conducted periodically against network assets, web applications, and other critical infrastructure can prevent data breaches before they happen. Putting your employees through social engineering campaigns to test their security readiness can boost awareness. Having a security first mindset is essential in protecting the valuable data of organizations.

vulnerability

Learn how nGuard can secure your data

Chat Popup