nGuard

----

Speak to An Expert

Penetration Testing

Florida Water Treatment Plant Hack

Summary
Earlier this month, hackers successfully carried out an attack against an Oldsmar, Florida water treatment facility, coming awfully close to poisoning the water supply. Attackers were able to access the water treatment plant’s Supervisory Control and Data Acquisition (SCADA) systems remotely and increase the levels of sodium hydroxide that is added to the water from 100 parts per million to 11,100 parts per million. In small doses this chemical is safe to consume. Fortunately, the change was discovered immediately by an employee and they were able to reverse the change, prior to any modifications in the levels of sodium hydroxide.

How did they do it?
The water treatment plant is running Windows 7 operating system on its computers. This is an outdated, unsupported operating system which had not received any updates in over a year. Attackers were able to compromise the computers due to the outdated systems which are affected by multiple known vulnerabilities. This resulted in unauthorized access to the systems. The computers had also been utilizing TeamViewer, a remote access software, to administer the machines as needed and respond to alerts. All the computers on the network that used TeamViewer utilized the same password and allowed anyone from the internet to access these systems. A recent data breach database that was leaked in 2017 contained passwords that matched the domain of ci.oldsmar.fl.us. It is believed the attackers used these passwords to gain access via TeamViewer. Once attackers had gained access via the outdated operating system, they used this software to remotely access the desktop and modify the sodium hydroxide levels.

What to do?
If your organization is hosting critical infrastructure, like SCADA or Cardholder Data Environments (CDE) for PCI, it’s crucial to:

  • Properly segment these systems from non-critical networks.
  • Ensure all operating systems in use, across all networks, are supported by the vendor and receiving and applying regular security patches.
  • Regular testing to check for proper segmentation should be done to validate the security access controls in place are sufficient to limit access to critical infrastructure.
  • Limit the types of software allowed on your systems.
  • Eliminate all local administrator accounts to enforce the principle of least privilege.
  • Have a strong password policy that is strictly enforced for all types of accounts.

 nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy.  By leveraging penetration testingmanaged security solutions and Cyber Security Incident Response, we can help your organization become secure and meet your compliance goals.

February SolarWinds Update

As security researchers continue to delve into the issues surrounding the SolarWinds breach, additional implications and vulnerabilities are coming to light.

Last week researchers discovered 3 additional SolarWinds vulnerabilities that at worst, allow an attacker to achieve remote code execution with elevated privileges.

  1. CVE-2021-25274 affects the SolarWinds Orion platform through the Microsoft Message Queue. The Collector Service doesn’t set permissions on private queues which may allow an attacker to send specially crafted packets to the service to gain remote code execution.
  2. CVE-2021-25275 also affects the Orion platform and may allow an attacker to gain unauthorized access to the back-end database. This vulnerability would likely allow an attacker to gain administrator privileges for the application which can cause a world of trouble.
  3. CVE-2021-25276 affects the SolarWinds Serv-U FTP server. A directory that contains user’s password hashes is accessible to any Windows User that has access to the server’s filesystem. A malicious user could quickly add a user profile that would give them persistent access to the FTP server.

SolarWinds has since addressed these issues that were responsibly disclosed to them. While these vulnerabilities have not been found to be exploited in the wild and appear to be missing from the supply chain attack that we have been so closely following, it is highly recommended that users of the platform install the latest versions. Users of the SolarWinds Orion platform can find information related to the recent update here. Additionally, organizations utilizing the Serv-U FTP functionality can find a hotfix here (ServU-FTP 15.2.2 Hotfix 1). This is a direct .zip download. nGuard has been responding to many requests for services related to this massive SolarWinds breach. From incident response to preventative penetration testing assessments, nGuard is helping our clients to secure their data and protect their customers.

GDPR Fines On The Rise

Since the introduction of the European Union’s General Data Protection Regulation (GDPR) in May of 2018, they have handed out $330.5 million in fines with $192 million in the past year alone. As the GDPR regulation grows in maturity, regulators are growing tougher with their fines. Breach notifications are on the rise, as they have increased 19 percent over the past 12 months. Germany leads the way with 66,527 breach notifications and Italy has had the least with 3,460. Germany, France, and Italy are the top 3 countries that have imposed fines, with a combined $234 million since GDPR was enacted.

With the impact of COVID-19, organizations have been fortunate to have their fines drop significantly with the promise to improve their security posture. Marriott saw their fine reduced to $25 million from the original $123 million during a breach that lasted over 4 years and resulted in the compromise of 339 million guest’s information. British Airways saw their fine reduced to $27 million from the original $230 million as a result of personal data of over 400 thousand customers being stolen when their website redirected to a fraudulent one which collected personal details of customers. This went undetected for over 2 months. The pandemic has provided temporary relief on some fines, but this isn’t permanent. Organizations need to ensure they are following GDPR regulations or it is going to cost them in large-scale fines.

The 4 potential sources of privacy protection are markets, technology, self or co-regulation, and law. GDPR has taken the traditional approach of law to enforce privacy and data protection. With GDPR fines only increasing and being strictly enforced, it does show that laws do not necessarily mean the result will be increased privacy and security. The best piece of advice for organizations having to follow GDPR guidelines is to err on the side of caution, as fines and cumulative damage claims are only going to rise. As GDPR matures and evolves, there may be new, stricter regulations released in the future.

Top 5 Issues Discovered During a Typical Penetration Test

Information security is, and always will be, a constant exercise in risk discovery and follow-up risk reduction. No matter the remediations or solutions one may implement, there is always a new vulnerability or public exploit right around the corner. However, there are certainly patterns and attacks that maintain a significant lifetime in internal and external environments. These security issues tend to be more popular attack vectors, and will generally be targeted by attackers first. Therefore, detailed below are the top six security issues nGuard has found during standard penetration tests, the risk involved, as well as how to reduce or eliminate these issues.

Vulnerability 1
NBNS/LLMNR/WPAD Broadcasting Enabled

NetBIOS Name Service (NBNS), Link-Local Multicast Name Resolution (LLMNR), and Web Proxy Auto-Discovery (WPAD) all function by utilizing broadcast for name resolution, specifically the Domain Name Service (DNS) protocol. These broadcasts are generally benign, and quite useful at ensuring a smooth usage of internal resources. However, much like many modern services and protocols, it can be utilized to compromise an internal network. Whenever a ‘victim’ requests a specific resource, and said request contains a typo or mangling of the resource name, the DNS server will reply that the resource could not be found. In order to complete name resolution, the victim will then broadcast to the domain, asking if that particular resource with the typo is known to any other endpoint. Attackers can then respond to this broadcast by claiming to be the resource, then capturing NTMLv1/v2 hashes to be taken offline and cracked.

Diagram depicting the impersonation attack.

Remediation: By disabling NBNS/LLMNR/WPAD broadcasts, the threat of hashes being captured is minimized, thus removing a very popular attack method off the threat board.

Vulnerability 2
SMB Signaling Disabled

Server Message Block (SMB) signing allows for SMB traffic to be cryptographically signed for the sake of maintaining integrity. However, in certain configurations, this signing does not take place (or unsigned packets are allowed as a fallback), which can allow a Man in the Middle (MitM) attack to occur. By utilizing legitimate credentials, via impersonation attack for example, an attacker can then authenticate against the victim machine and gain full remote code execution (RCE).

nGuard has lots of experience using this particular attack to gain RCE on multiple host types, from workstations, to physical security control, to domain controllers. Additionally, by combining this attack with LSA dumping (below), an attacker can quickly attain complete control over the domain by either utilizing an existing Domain Administrator account, or even making their own (below). Do note, that while restricting PowerShell command execution on hosts can slow this process down, it is still entirely possible for an attacker to successfully compromise a domain utilizing this method.

Full remote code execution on test host.

Remediation: Avoiding this particular pitfall requires a domain group policy change to always digitally sign communications. Once this group policy is in effect, the ability to have full remote code execution is neutralized.

Vulnerability 3
LSA Dumping

The Local Security Authority Subsystem Service (LSASS) handles the security policy on Windows hosts; from handling password changes and logons, to writing security logs. LSA can also cache usernames and passwords in the registry that are used to log into a particular system, all in cleartext. That means that an attacker with RCE capabilities can ‘dump’ these credentials by using a valid set of credentials, and then use these dumped credentials to either move laterally along the network, or in certain cases, attain Domain Administrator.

Registry location for cached LSA cleartext credentials.

For example, in an internal penetration test, after successfully compromising a host via a well-publicized exploit (resulting in NT AUTHORITY\SYSTEM access), LSA was dumped hoping to attain valid credentials. Instead of getting normal user creds, the dump had found Domain Administrator credentials; which combined with access to a Domain Controller meant full control over the entire internal Windows network.

Remediation: In order to combat this, Microsoft released a patch (KB2871997), which requires some registry changes on applicable endpoints. The good news is that a restart is not required. The bad news is that this registry change requires constant vigilance, as an attacker that attains NT AURHORITY\SYSTEM access can revert the change and lie in wait for a user to log on to dump the cleartext credentials.

Vulnerability 4
Insufficient Logging and Alerting of Suspicious Activity

This may seem like a no-brainer to some, since security logging is paramount. However, sometimes things slip through the cracks. And sometimes these things are self-made Domain Administrator credentials.

As a test of proper logging and alerting of suspicious activity, nGuard engineers will often create a Domain Administrator account (normally ‘nGuardTest). Aside from granting Domain Admin access into an internal network, it also lets us see how quickly (if at all) the account gets detected. Sometimes this happens within a few minutes. Sometimes this happens in a few days. Sometimes, not at all. Any delay in detecting these accounts could be a sign that logging and alerting of this type of activity might be insufficient, and that work needs to be done to improve detection of anomalous activity. In the span of a few hours, a real-life attacker could potentially extract credentials, intellectual property, confidential emails, and proprietary information via a command and control (C2) channel or perform a ransomware attack and hold all your systems and data ransom. Therefore, the difference between detecting this type of activity in a few minutes versus a few hours, can make a massive difference in the potential risk.

nGuard Test Domain Admin account created in a Domain Controller.

Remediation: To combat this, nGuard recommends implementing a Security Information and Event Management (SIEM) solution, or a Managed Services/Security Solution (MSS). By having a central location where all logs and activity can be checked and correlated, it reduces the chance that these suspicious activities can slip through the cracks, and it may mean the difference between finding a rogue Domain Admin account in a few minutes, instead of a few days.

Vulnerability 5
Externally-Facing WordPress Login/Directories

WordPress, when implemented correctly and securely, can be a fantastic way to deliver content to customers. However, in many implementations, this is not the case – which lends to WordPress’ notoriety in information security circles. There are two reasons behind this:

⦁ Misconfigurations: It is very easy to overlook certain security settings in WordPress that would allow for greater security controls. Sometimes even something as benign as an externally-facing login in screen can be used against you.

⦁ Plugins: One would be hard-pressed to find a WordPress implementation that does not use plugins. They can be a powerful tool for many things, ranging from content delivery to Search Engine Optimization (SEO). However, the issue stems from plugins becoming outdated/no longer worked on, or not enforcing plugin security updates. If certain plugins become outdated, they can become a very real attack vector that can lead to compromise.

It isn’t rare to test WordPress applications and find an externally-facing wp-content/uploads directory which has been compromised with some form of malicious content, such as a web shell (that is, an exploit that allows attackers to have command execution on the victim machine through a web application). It is also not rare to see that XMLRPC.php is accessible externally, which can lead to brute-forcing attacks. With the right tools, an attacker can send hundreds of login attempts per single HTTP/HTTPS request, granting them the ability to easily brute-force WordPress logins.

Externally-Facing WordPress Administrative Login.

Remediation: Remediation usually involves ensuring that all WordPress implementations and plugins are up to date. If a plugin is no longer actively being developed, considering changing to another plugin with an active developer. Additionally, there are third-party solutions which can harden WordPress implementations, and reduce the potential attack surface.

Weak Passwords Lead to Routine Compromises

nGuard continues to observe weak passwords in widespread use across its customer-base, regardless of industry or size.  “It’s a major weakness that we continue to identify in a large percentage of our assessments,” states Evan Rowell, National Manager of Security Consulting.  “In situations where we are able to obtain access to the encrypted credentials, we’re able to crack large percentages of passwords in seconds, minutes, or hours.  We know from experience that standard corporate password policies are typically around eight characters, with some complexity.  Most users will choose a familiar word, capitalize the first letter, and add some digits or symbols to the end.  Even longer passwords are routinely cracked, so it’s not only a matter of length.  Advances in technology make this a huge risk, and many of our new customers are unaware of how easy it is to exploit.”

Most Governmental, Regulatory, and Compliance (GRC) based standards require varying password lengths and complexity, as well as Multi-Factor Authentication (MFA) to address this issue.  “There are several techniques that can help strengthen password weaknesses, but the basic premise is to use longer passwords with random character strings.  It can be difficult to convince management to train, require, and implement strong password policies, but our team has worked with numerous businesses over the years to do just that.”  While MFA helps immensely, and should be required when remotely accessing internal networks or administration of critical systems, Mr. Rowell indicates “it’s not a silver bullet and often can’t stop a determined hacker.  That’s why nGuard works to help businesses understand that a layered security approach is the most effective way to defend against attackers.  Better password policies, Multi-Factor Authentication, regular assessments, and remediation are all equally important.”

For more information, review nGuard’s Password Database Testing service, or contact us directly.

About nGuard Corporation

nGuard is a leading provider of expert security assessments, managed security services, security incident response, and other advanced security services to organizations across North America & around the world.  nGuard’s relentless focus on securing clients, as well as their unmatched security expertise, has helped them become one of the most sought after security firms in North America.

For more information, please visit:  www.nGuard.com