nGuard

Advisory

Florida Water Treatment Plant Hack

Summary
Earlier this month, hackers carried out an attack against a water treatment facility in Oldsmar, Florida, coming dangerously close to poisoning the water supply. The attackers remotely accessed the plant’s Supervisory Control and Data Acquisition (SCADA) systems and raised the amount of sodium hydroxide added to the water from 100 parts per million to 11,100 parts per million. In small doses this chemical is safe to consume. Fortunately, an employee noticed the change immediately and reversed it before the sodium hydroxide level in the water actually changed.

How did they do it?
The water treatment plant’s computers were running Windows 7, an outdated, unsupported operating system that had not received updates in over a year and is affected by multiple known vulnerabilities. This allowed the attackers to compromise the computers and gain unauthorized access. The computers were also running TeamViewer, a remote access tool, so that staff could administer the machines as needed and respond to alerts. Every computer on the network that used TeamViewer shared the same password, and the software was reachable by anyone on the internet. A breach database leaked in 2017 contained passwords associated with the ci.oldsmar.fl.us domain, and it is believed the attackers used these passwords to gain access via TeamViewer. Once in through the outdated operating system, the attackers used TeamViewer to remotely control the desktop and modify the sodium hydroxide levels.

What to do?
If your organization is hosting critical infrastructure, like SCADA or Cardholder Data Environments (CDE) for PCI, it’s crucial to:

  • Properly segment these systems from non-critical networks.
  • Ensure all operating systems in use, across all networks, are supported by the vendor and receiving and applying regular security patches.
  • Regularly test segmentation to validate that the access controls in place are sufficient to limit access to critical infrastructure.
  • Limit the types of software allowed on your systems.
  • Eliminate all local administrator accounts to enforce the principle of least privilege.
  • Have a strong password policy that is strictly enforced for all types of accounts.

nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy. By leveraging penetration testing, managed security solutions and Cyber Security Incident Response, we can help your organization become secure and meet its compliance goals.

Filed Under: Advisory, Breach, Events, General, Vulnerabilities & Exploits

February SolarWinds Update

As security researchers continue to delve into the issues surrounding the SolarWinds breach, additional implications and vulnerabilities are coming to light.

Last week researchers disclosed three additional SolarWinds vulnerabilities that, at worst, allow an attacker to achieve remote code execution with elevated privileges.

  1. CVE-2021-25274 affects the SolarWinds Orion platform through the Microsoft Message Queue. The Collector Service does not set permissions on private queues, which may allow an attacker to send specially crafted packets to the service and gain remote code execution.
  2. CVE-2021-25275 also affects the Orion platform and may allow an attacker to gain unauthorized access to the back-end database. This would likely give an attacker administrator privileges for the application, which can cause a world of trouble.
  3. CVE-2021-25276 affects the SolarWinds Serv-U FTP server. A directory containing users’ password hashes is accessible to any Windows user with access to the server’s filesystem. A malicious user could quickly add a user profile that grants them persistent access to the FTP server.

SolarWinds has since addressed these responsibly disclosed issues. While these vulnerabilities have not been observed being exploited in the wild and do not appear to be part of the supply chain attack we have been following so closely, users of the platform are strongly advised to install the latest versions. Users of the SolarWinds Orion platform can find information about the recent update here. Organizations using the Serv-U FTP functionality can find a hotfix here (ServU-FTP 15.2.2 Hotfix 1); this is a direct .zip download. nGuard has been responding to many requests for services related to this massive SolarWinds breach. From incident response to preventative penetration testing assessments, nGuard is helping our clients secure their data and protect their customers.

Filed Under: Advisory, General, Vulnerabilities & Exploits

GDPR Fines On The Rise

Since the European Union’s General Data Protection Regulation (GDPR) took effect in May 2018, regulators have handed out $330.5 million in fines, $192 million of it in the past year alone. As the GDPR matures, regulators are growing tougher with their fines. Breach notifications are also on the rise, up 19 percent over the past 12 months. Germany leads with 66,527 breach notifications, and Italy has the fewest with 3,460. Germany, France, and Italy are the top three countries by fines imposed, with a combined $234 million since GDPR was enacted.

With the impact of COVID-19, some organizations have been fortunate to see their fines drop significantly in exchange for a promise to improve their security posture. Marriott’s fine was reduced from the original $123 million to $25 million for a breach that lasted over four years and compromised the information of 339 million guests. British Airways’ fine was reduced from the original $230 million to $27 million after the personal data of over 400 thousand customers was stolen when their website redirected visitors to a fraudulent site that collected customers’ personal details; this went undetected for over two months. The pandemic has provided temporary relief on some fines, but it isn’t permanent. Organizations need to ensure they are following GDPR regulations, or it is going to cost them in large-scale fines.

The four potential sources of privacy protection are markets, technology, self- or co-regulation, and law. GDPR takes the traditional approach of using law to enforce privacy and data protection. With GDPR fines only increasing and being strictly enforced, it is clear that laws do not necessarily mean the result will be increased privacy and security. The best advice for organizations that must follow GDPR guidelines is to err on the side of caution, as fines and cumulative damage claims are only going to rise. As GDPR matures and evolves, new, stricter regulations may be released in the future.

Filed Under: Advisory, Compliance, Financial, General

Cobalt Strike

What is Cobalt Strike?

Cobalt Strike is a powerful toolset used by offensive security firms across the globe. With built-in tools for reconnaissance, active exploitation, and post-exploitation, Cobalt Strike has become one of the go-to toolsets for white hat security companies. The Cobalt Strike website labels the tool as “threat emulation software.” This may lead one to believe that the software package is only used for ethical simulations. Unfortunately, that is not the case, as we have seen a rise in Cobalt Strike being used for malicious purposes. During the WastedLocker ransomware attack, Cobalt Strike was used for lateral movement around the internal network. Cobalt Strike has also been used to target government entities in South Asia.

So how does Cobalt Strike work? The tool uses a multi-stage attack process that allows an attacker to gain quiet, persistent access to machines on a network.

Reconnaissance

Cobalt Strike has a built-in “system profiler.” This tool starts a web server and fingerprints any machine that visits the rogue site. The information collected can help an attacker decide how to attack a machine.

Attacks

Cobalt Strike has a slew of options for getting a payload to execute on a target machine. By hosting a web drive-by attack or transforming a file into a trojan, attackers have a multitude of attack vectors for system takeover. Cobalt Strike has a proprietary website cloning tool that serves as an “innocent” place for victims to download a malicious file. Both Microsoft Office Documents and Microsoft Windows Programs can be transformed into malicious files that give an attacker persistent code execution on a machine.

Post-Exploitation

Once an attacker has found a way to exploit a network machine, Cobalt Strike really begins to show how powerful it is. The “Beacon” is a post-exploitation agent that is installed to gain persistent access to the compromised machine. The “Beacon” executes PowerShell scripts, acts as a keylogger, takes screenshots of desktop environments, downloads system files, and allows for the deployment of malicious software such as ransomware.

Detection and Prevention

Cobalt Strike is rather difficult to detect on a network because of its shellcode obfuscation abilities and Malleable Command and Control profiles. These techniques allow the tool to bypass most anti-virus controls an organization would have in place. So how can your organization actively detect Cobalt Strike?

  • Examine network traffic. Cobalt Strike utilizes encryption over HTTPS, so a TLS inspection tool must be used.
  • Examine uncommon external destinations.
  • Examine network communications. Traffic that is generated by a C2 framework such as Cobalt Strike will generally be consistent and uniform. This type of traffic can be detected and examined. Keep in mind that there are “good bots” that exist on a network. OS and software updates have consistent traffic that can look similar to traffic generated by a command and control agent.
  • There are many resources out there that give advanced techniques for detecting and quarantining Cobalt Strike on a network. Review these and develop a quality solution for analyzing network traffic.
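As an added illustration of the third bullet, the PowerShell below scores outbound connections by how regular their timing and size are, and carries an allow-list for the “good bots” the bullet mentions. It is not code from the nGuard post or from Cobalt Strike. The flow records, the allow-listed address, the column layout (timestamp, source, destination, bytes), the thresholds and the function names are all constructed or assumed for the demo; on a real network the records would come from a proxy or firewall export.

```powershell
# Added example, not code from the nGuard post or from Cobalt Strike.
# Flow records are constructed for the demo and stand in for proxy/firewall
# exports in the form "timestamp,src,dst,bytes" (format assumed).
$sampleFlows = @'
2021-02-10T09:00:00,10.0.0.15,198.51.100.23,412
2021-02-10T09:01:00,10.0.0.15,198.51.100.23,415
2021-02-10T09:02:01,10.0.0.15,198.51.100.23,410
2021-02-10T09:03:00,10.0.0.15,198.51.100.23,418
2021-02-10T09:04:00,10.0.0.15,198.51.100.23,411
2021-02-10T09:05:01,10.0.0.15,198.51.100.23,409
2021-02-10T09:00:05,10.0.0.15,93.184.216.34,1200
2021-02-10T09:13:42,10.0.0.15,93.184.216.34,8800
2021-02-10T09:51:07,10.0.0.15,93.184.216.34,540
2021-02-10T10:02:00,10.0.0.15,93.184.216.34,3020
2021-02-10T10:40:13,10.0.0.15,93.184.216.34,770
2021-02-10T09:00:00,10.0.0.15,13.107.4.50,5200
2021-02-10T10:00:00,10.0.0.15,13.107.4.50,5100
2021-02-10T11:00:00,10.0.0.15,13.107.4.50,5300
2021-02-10T12:00:00,10.0.0.15,13.107.4.50,5250
2021-02-10T13:00:00,10.0.0.15,13.107.4.50,5180
'@

# "Good bots": destinations whose regular traffic is expected (update services,
# monitoring agents). Constructed here; populate from your own inventory.
$knownGood = @('13.107.4.50')

# Mean and standard deviation computed by hand, because Windows PowerShell 5.1
# does not support Measure-Object -StandardDeviation.
function Get-MeanStd([double[]]$Values) {
    $mean = ($Values | Measure-Object -Average).Average
    $var  = ($Values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
    [pscustomobject]@{ Mean = $mean; Std = [math]::Sqrt($var) }
}

function Get-BeaconCandidates {
    param(
        [string]$Csv,
        [string[]]$AllowList = @(),
        [int]$MinConnections = 5,
        [double]$MaxJitter = 0.10   # std/mean of inter-arrival times; lower = more machine-like
    )
    $flows = $Csv | ConvertFrom-Csv -Header timestamp, src, dst, bytes | ForEach-Object {
        [pscustomobject]@{ Time = [datetime]$_.timestamp; Src = $_.src; Dst = $_.dst; Bytes = [int]$_.bytes }
    }

    $flows | Group-Object Src, Dst | ForEach-Object {
        $events = @($_.Group | Sort-Object Time)
        $dst = $events[0].Dst
        if ($events.Count -lt $MinConnections) { return }   # too few samples to judge

        # Seconds between consecutive connections to the same destination
        $gaps = for ($i = 1; $i -lt $events.Count; $i++) {
            ($events[$i].Time - $events[$i - 1].Time).TotalSeconds
        }
        $timing = Get-MeanStd $gaps
        $size   = Get-MeanStd ($events | ForEach-Object { $_.Bytes })
        $jitter = if ($timing.Mean -gt 0) { $timing.Std / $timing.Mean } else { 0 }

        [pscustomobject]@{
            Src           = $events[0].Src
            Dst           = $dst
            Connections   = $events.Count
            MeanIntervalS = [math]::Round($timing.Mean, 1)
            Jitter        = [math]::Round($jitter, 3)
            MeanBytes     = [math]::Round($size.Mean)
            AllowListed   = ($AllowList -contains $dst)
            # Regular timing to a destination nobody vouched for is worth a look
            Suspicious    = ($jitter -le $MaxJitter -and $AllowList -notcontains $dst)
        }
    }
}

Get-BeaconCandidates -Csv $sampleFlows -AllowList $knownGood | Format-Table -AutoSize
```

In the constructed data the one-minute connections to 198.51.100.23 come out with near-zero jitter and are flagged, the hourly connections to 13.107.4.50 are just as regular but are allow-listed, and the irregular browsing-style traffic to 93.184.216.34 is not flagged. Real beacons often add deliberate jitter, so treat the threshold as a starting point to tune against your own baseline rather than a fixed rule.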

Filed Under: Advisory, General

Top 5 Issues Discovered During a Typical Penetration Test

Information security is, and always will be, a constant exercise in risk discovery and follow-up risk reduction. No matter the remediations or solutions one may implement, there is always a new vulnerability or public exploit right around the corner. However, there are certainly patterns and attacks that persist for a long time in internal and external environments. These security issues tend to be popular attack vectors and will generally be targeted by attackers first. Therefore, detailed below are the top five security issues nGuard has found during standard penetration tests, the risk involved, and how to reduce or eliminate them.


Vulnerability 1
NBNS/LLMNR/WPAD Broadcasting Enabled

NetBIOS Name Service (NBNS), Link-Local Multicast Name Resolution (LLMNR), and Web Proxy Auto-Discovery (WPAD) all rely on broadcast or multicast name resolution as a fallback when the Domain Name System (DNS) cannot answer a query. These broadcasts are generally benign and quite useful for smooth access to internal resources. However, like many modern services and protocols, they can be used to compromise an internal network. Whenever a ‘victim’ requests a resource and the request contains a typo or mangled resource name, the DNS server replies that the resource could not be found. To complete name resolution, the victim then broadcasts to the local network, asking whether any other endpoint knows the misspelled resource. An attacker can respond to this broadcast claiming to be the resource, then capture NTLMv1/v2 hashes to be taken offline and cracked.

[Figure: Diagram depicting the impersonation attack.]

Remediation: Disabling NBNS/LLMNR/WPAD broadcasts minimizes the threat of hashes being captured, removing a very popular attack method from the threat board.


Vulnerability 2
SMB Signing Disabled

Server Message Block (SMB) signing allows SMB traffic to be cryptographically signed to preserve its integrity. However, in certain configurations this signing does not take place (or unsigned packets are accepted as a fallback), which allows a Man-in-the-Middle (MitM) attack. Using legitimate credentials obtained via an impersonation attack, for example, an attacker can then authenticate against the victim machine and gain full remote code execution (RCE).

nGuard has extensive experience using this particular attack to gain RCE on multiple host types, from workstations, to physical security controls, to domain controllers. Additionally, by combining this attack with LSA dumping (below), an attacker can quickly attain complete control over the domain by either using an existing Domain Administrator account or creating their own (below). Do note that while restricting PowerShell command execution on hosts can slow this process down, it is still entirely possible for an attacker to compromise a domain using this method.

[Figure: Full remote code execution on test host.]

Remediation: Avoiding this pitfall requires a domain group policy change to always digitally sign communications. Once this group policy is in effect, the path to full remote code execution is neutralized.


Vulnerability 3
LSA Dumping

The Local Security Authority Subsystem Service (LSASS) handles the security policy on Windows hosts, from handling password changes and logons to writing security logs. LSA can also cache, in cleartext, the usernames and passwords used to log into a particular system in the registry. That means an attacker with RCE capabilities and a valid set of credentials can ‘dump’ these cached credentials and use them to move laterally across the network or, in certain cases, attain Domain Administrator privileges.

[Figure: Registry location for cached LSA cleartext credentials.]

For example, during an internal penetration test, after compromising a host via a well-publicized exploit (resulting in NT AUTHORITY\SYSTEM access), LSA was dumped in the hope of obtaining valid credentials. Instead of ordinary user credentials, the dump yielded Domain Administrator credentials, which, combined with access to a Domain Controller, meant full control over the entire internal Windows network.

Remediation: To combat this, Microsoft released a patch (KB2871997), which requires some registry changes on applicable endpoints. The good news is that a restart is not required. The bad news is that this registry change requires constant vigilance, as an attacker who attains NT AUTHORITY\SYSTEM access can revert the change and lie in wait for a user to log on, then dump the cleartext credentials.
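The remediations for Vulnerabilities 1, 2 and 3 are all host settings that drift or get reverted, so here is an added PowerShell audit that reports them from a single Windows endpoint. It is not code from the nGuard post. It reads the documented locations for each setting: EnableMulticast under the DNSClient policy key for LLMNR, NetbiosOptions on each Tcpip_* interface for NBNS, the WinHttpAutoProxySvc service for WPAD, RequireSecuritySignature on the workstation and server sides for SMB signing, and the WDigest UseLogonCredential value that KB2871997 introduced. The function name Test-HostHardening is assumed; run it elevated, or through your configuration management tool, on every endpoint the group policy is supposed to reach.

```powershell
# Added example, not nGuard's code: audit the host settings behind
# Vulnerabilities 1-3. Run elevated. Each registry path is the documented
# location for that setting; the function name is assumed.
function Test-HostHardening {
    $findings = @()

    # Vulnerability 1: LLMNR is off when EnableMulticast = 0 under the DNSClient policy key
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check    = 'LLMNR disabled'
        Expected = 'EnableMulticast = 0'
        Actual   = if ($null -eq $llmnr) { 'not set (LLMNR enabled by default)' } else { "EnableMulticast = $($llmnr.EnableMulticast)" }
        Pass     = ($llmnr.EnableMulticast -eq 0)
    }

    # Vulnerability 1: NetBIOS over TCP/IP is per interface; NetbiosOptions = 2 disables it
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        Get-ItemProperty -Name NetbiosOptions -ErrorAction SilentlyContinue
    $nbtEnabled = @($nbt | Where-Object { $_.NetbiosOptions -ne 2 })
    $findings += [pscustomobject]@{
        Check    = 'NetBIOS name service disabled on all interfaces'
        Expected = 'NetbiosOptions = 2 on every Tcpip_* interface'
        Actual   = "$($nbtEnabled.Count) interface(s) still allow NetBIOS"
        Pass     = ($nbtEnabled.Count -eq 0)
    }

    # Vulnerability 1: WPAD for WinHTTP clients is served by this service; disabling
    # it is one of several WPAD mitigations (browser auto-detect is configured separately)
    $wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check    = 'WPAD auto-discovery service disabled'
        Expected = 'WinHttpAutoProxySvc StartType = Disabled'
        Actual   = if ($wpad) { "StartType = $($wpad.StartType), Status = $($wpad.Status)" } else { 'service not present' }
        Pass     = ($null -eq $wpad -or $wpad.StartType -eq 'Disabled')
    }

    # Vulnerability 2: SMB signing must be required on both the client and server side
    foreach ($side in 'LanmanWorkstation', 'LanmanServer') {
        $smb = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$side\Parameters" `
                                -Name RequireSecuritySignature -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check    = "SMB signing required ($side)"
            Expected = 'RequireSecuritySignature = 1'
            Actual   = if ($null -eq $smb) { 'not set (signing not required)' } else { "RequireSecuritySignature = $($smb.RequireSecuritySignature)" }
            Pass     = ($smb.RequireSecuritySignature -eq 1)
        }
    }

    # Vulnerability 3: WDigest cleartext caching (the KB2871997 setting). An absent
    # value means "disabled" only on Windows 8.1 / Server 2012 R2 and later; requiring
    # an explicit 0 makes a reverted or deleted value stand out in the report.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                           -Name UseLogonCredential -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check    = 'WDigest cleartext credential caching disabled'
        Expected = 'UseLogonCredential = 0 (set explicitly)'
        Actual   = if ($null -eq $wd) { 'not set' } else { "UseLogonCredential = $($wd.UseLogonCredential)" }
        Pass     = ($null -ne $wd -and $wd.UseLogonCredential -eq 0)
    }

    $findings
}

Test-HostHardening | Format-Table -AutoSize
```

Scheduling this to run regularly and alerting on any row where Pass is false addresses the “constant vigilance” point: group policy sets the values, but only a recurring check shows when a host has fallen out of line or had a value put back.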


Vulnerability 4
Insufficient Logging and Alerting of Suspicious Activity

This may seem like a no-brainer to some, since security logging is paramount. However, sometimes things slip through the cracks. And sometimes these things are self-made Domain Administrator credentials.

As a test of proper logging and alerting of suspicious activity, nGuard engineers will often create a Domain Administrator account (normally ‘nGuardTest’). Aside from granting Domain Admin access to the internal network, it also lets us see how quickly (if at all) the account gets detected. Sometimes this happens within a few minutes. Sometimes it happens in a few days. Sometimes, not at all. Any delay in detecting these accounts could be a sign that logging and alerting of this type of activity is insufficient and that work needs to be done to improve detection of anomalous activity. In the span of a few hours, a real attacker could extract credentials, intellectual property, confidential emails, and proprietary information via a command and control (C2) channel, or launch a ransomware attack and hold all your systems and data to ransom. Therefore, the difference between detecting this type of activity in a few minutes versus a few hours can make a massive difference in the potential risk.

[Figure: nGuard test Domain Admin account created on a Domain Controller.]

Remediation: To combat this, nGuard recommends implementing a Security Information and Event Management (SIEM) solution, or a Managed Services/Security Solution (MSS). By having a central location where all logs and activity can be checked and correlated, it reduces the chance that these suspicious activities can slip through the cracks, and it may mean the difference between finding a rogue Domain Admin account in a few minutes, instead of a few days.
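Whether or not a SIEM is in place, the events that reveal a rogue Domain Admin account already exist on the domain controller. As an added example that is not from the nGuard post, the PowerShell below reads them from the Security log and reports who added which member to which privileged group. It assumes the default audit policy for security group management is in effect (it logs event IDs 4728, 4732 and 4756 for additions to global, local and universal security groups respectively), that the caller may read the DC's Security log, and that the DC name and the function name Get-PrivilegedGroupAdditions are placeholders to replace.

```powershell
# Added example, not nGuard's code. Reports additions to privileged groups
# from a domain controller's Security log. Event IDs and field names are the
# standard ones for security group management auditing; the DC name and the
# function name are assumptions.
function Get-PrivilegedGroupAdditions {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
    )
    # 4728 = member added to a security-enabled global group   (e.g. Domain Admins)
    # 4732 = member added to a security-enabled local group    (e.g. Administrators)
    # 4756 = member added to a security-enabled universal group (e.g. Enterprise Admins)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The structured EventData is easier to read from the XML than from the message text
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Group   = $data['TargetUserName']      # the group that was modified
                Member  = $data['MemberName']          # distinguished name of the new member
                AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                DC      = $_.MachineName
            }
        } |
        Where-Object { $WatchedGroups -contains $_.Group }
}

# Anything added to a privileged group in the last day on DC01 (placeholder name)
Get-PrivilegedGroupAdditions -ComputerName 'DC01' -Hours 24 | Format-Table -AutoSize
```

Running this against every domain controller (the event is written on whichever DC handled the change) and paging someone on a non-empty result is the minimum that would catch the ‘nGuardTest’ account within minutes rather than days; a SIEM does the same correlation centrally and continuously.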


Vulnerability 5
Externally-Facing WordPress Login/Directories

WordPress, when implemented correctly and securely, can be a fantastic way to deliver content to customers. However, in many implementations this is not the case, which contributes to WordPress’s notoriety in information security circles. There are two reasons behind this:

  • Misconfigurations: It is very easy to overlook certain WordPress settings that would provide greater security controls. Sometimes even something as benign as an externally-facing login screen can be used against you.

  • Plugins: One would be hard-pressed to find a WordPress implementation that does not use plugins. They can be a powerful tool for many things, ranging from content delivery to Search Engine Optimization (SEO). However, the issue stems from plugins becoming outdated or no longer maintained, or from plugin security updates not being enforced. Outdated plugins can become a very real attack vector that leads to compromise.

It isn’t rare, when testing WordPress applications, to find an externally-facing wp-content/uploads directory that has been compromised with some form of malicious content, such as a web shell (a script that gives attackers command execution on the victim machine through the web application). It is also common to see xmlrpc.php accessible externally, which can lead to brute-forcing attacks: with the right tools, an attacker can send hundreds of login attempts in a single HTTP/HTTPS request, making WordPress logins easy to brute-force.

[Figure: Externally-facing WordPress administrative login.]

Remediation: Remediation usually involves ensuring that all WordPress implementations and plugins are up to date. If a plugin is no longer actively developed, consider changing to another plugin with an active developer. Additionally, there are third-party solutions that can harden WordPress implementations and reduce the potential attack surface.

Filed Under: Advisory, General

The New Year Could Bring Familiar and Unexpected Threats to the Cyber Security World

The Information Security Forum (ISF) has released its predictions regarding the top five global security threats businesses will face in 2018 (Information Security Forum, 2017). They include:

  • Crime-As-A-Service (CaaS) Expands Tools & Services
  • Internet of Things (IoT) Adds Unmanaged Risks
  • Supply Chain Remains the Weakest Link in Risk Management
  • Regulation Adds to Complexity of Critical Asset Management
  • Unmet Board Expectations Exposing Major Incidents

These threats are already present, and they arrive alongside the challenges that new regulations and corporate expectations place on security professionals. This time last year the ISF predicted that the expansion of Crime-As-A-Service would become a major issue in 2017 (Kitten, 2016). The risk of IoT devices was also present, and was confirmed in June 2017 when Altman Vilandrie & Company released a survey of approximately “400 IT executives across 19 industries that showed nearly half (48%) of firms have experienced at least one IoT security breach, representing 13.4% of the total revenues for companies with revenues under $5 million annually and tens of millions of dollars for the largest firms” (Boulanger, 2017).

Beyond these present, ongoing, and probably expanding threats, the ISF also predicts that continuity, regulation, and unmet expectations will cause problems. The ISF expects supply chain continuity to pose a risk to every organization, due to the lack of “strong, scalable, and repeatable processes” (Information Security Forum, 2017) during procurement of resources and vendor management. A breakdown of the supply chain could mean loss of revenue, along with a public relations nightmare. The European Union General Data Protection Regulation will also present a new challenge for businesses, with stricter regulations regarding personal data. Businesses could face a legislative quandary if a breach occurs under their watch. Finally, CISOs may carry a heavier burden when communicating unmet board expectations, should results not be immediate and a breach hits the wire. With the constant bombardment of security breaches and leaks throughout the media in 2017, corporate boards have increased information security budgets to provide a more robust security posture. However, even with increased financial backing, a misalignment between the board’s expectations and the implementation may prove problematic if a breach were to occur.

Facing these threats can pose a multitude of headaches for any organization. nGuard recommends that organizations take the time to evaluate their processes. Furthermore, businesses should conduct a risk assessment to better gauge their security posture and conduct tactical penetration testing to determine the effectiveness of their current security controls.

References:

Boulanger, C. (2017, June 01). Survey: Nearly Half of U.S. Firms Using Internet of Things Hit by Security Breaches. Retrieved November 29, 2017, from http://www.businesswire.com/news/home/20170601006165/en

Information Security Forum (2017, November 28). Information Security Forum Forecasts 2018 Global Security Threat Outlook. Retrieved November 29, 2017, from https://www.prnewswire.com/news-releases/information-security-forum-forecasts-2018-global-security-threat-outlook-300562342.html

Kitten, T. (2016, December 6). ‘Crime-as-a-Service’ a Top Cyber Threat for 2017. Retrieved November 29, 2017, from http://www.databreachtoday.co.uk/interviews/crime-as-a-service-top-cyber-threat-for-2017-i-3406

About nGuard Corporation

nGuard is a leading provider of expert security assessments, managed security services, security incident response, and other advanced security services to organizations across North America and around the world. nGuard’s relentless focus on securing clients, as well as its unmatched security expertise, has helped it become one of the most sought-after security firms in North America.

For more information, please visit: www.nGuard.com

Filed Under: Advisory, General

3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com

© 2021 nGuard. All rights reserved.
