Incident Response

National Security at Stake: Old Cisco Flaw Exploited by Russian Hackers Raises New Concerns

Introduction
The international cybersecurity community is continually challenged to stay one step ahead of new threats in an ever-changing cyber landscape. Russian hackers exploiting a six-year-old Cisco weakness to target government entities have caused serious national security concerns, according to a recent joint warning from the US and UK cybersecurity agencies. This development emphasizes how vital it is to stay on top of patch management & operating system updates in order to guard against prospective cyberattacks and safeguard critical data. In these situations, nGuard’s all-encompassing cybersecurity solutions can be crucial in protecting businesses and government institutions.

The Old Cisco Flaw Resurfaces with National Security Implications
In their IOS and IOS XE software, Cisco discovered a critical vulnerability (CVE-2017-3881) back in 2017 that might allow an unauthenticated attacker to take over vulnerable devices. Despite Cisco issuing a patch for this vulnerability, some vulnerable devices remained unpatched, enabling Russian hacker group APT28 a chance to take advantage of this long-standing weakness.

Concerns regarding the potential effects on national security have been raised by the exploitation of this Cisco vulnerability because APT28, also known as Fancy Bear, is notorious for attacking many corporations and government entities. Government agencies in the US and the UK have both been compromised, leading the cybersecurity groups in both nations to demand heightened vigilance and stronger security procedures.

This Cisco vulnerability is similar to earlier nGuard advisories on Fortinet vulnerabilities. A Fortinet authentication bypass vulnerability and industrial appliance issues that caused US airport sites to go offline were also the subject of urgent alerts. These occurrences, together with the Cisco fault exploitation, show how crucial it is to address security flaws and maintain strong cybersecurity measures in order to safeguard vital infrastructure and interests in national security.

Conclusion
Russian hackers’ use of the outdated Cisco vulnerability serves as a wake-up call for the international cybersecurity community, with significant ramifications for national security. Organizations and governmental bodies must maintain current security protocols and make investments in cybersecurity solutions to safeguard their systems and sensitive data as cyber threats continue to develop. By doing so, we may reduce the risks posed by knowledgeable hacker groups like APT28 and maintain the security of all nations.

Organizations can assure that their security infrastructure is strong and up-to-date by using nGuard’s Managed Security Services, which provide continuous monitoring, threat detection, and response. Additionally, enterprises can proactively detect and address security flaws with the use of nGuard’s Security Assessments, such as penetration testing and vulnerability assessments, before threat actors like APT28 can take advantage of them.

TWiC | U.S. House Data Leak, ICS Attacks, FortiOS Vulnerability, Cyber Insurance

FBI Investigating Data Breach Affecting U.S. House of Representatives Members and Staff

The Federal Bureau of Investigation (FBI) is investigating a data breach affecting members and staff of the U.S. House of Representatives. The breach saw account and sensitive personal information belonging to them and their families stolen from the servers of DC Health Link, which administers their health care plans.

While US House Chief Administrative Officer Catherine L. Szpindor has said, “it was unclear how many people had been affected by the breach.” A sample of the data reportedly posted on a hacking forum showed details of around 170,000 people. The information included names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers. At least one threat actor has reportedly put the data up for sale.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious attacks by collecting and analyzing log data from various sources. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to an ongoing or potential attack. Should your organization fall victim to an attack like this, call nGuard to help with our Cyber Security Incident Response services.

New FortiOS and FortiProxy Critical Vulnerabilities

Fortinet has released patches to address 15 security flaws, including one critical vulnerability in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The buffer underwrite flaw (CVE-2023-25610) is rated 9.3 out of 10 for severity and was discovered by Fortinet’s internal security teams. The vulnerability could enable a remote, unauthenticated attacker to execute arbitrary code on the device or cause a denial-of-service attack. Fortinet has not yet seen any malicious exploitation attempts against the flaw, but users are urged to apply the patches quickly, as prior flaws in software have been actively abused in the wild. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it. Just last week, nGuard wrote about another Fortinet critical vulnerability that was actively being exploited. As this continues to develop, nGuard has a number of solutions that can help your organization stay ahead of the curve, including internal penetration testing and vulnerability management.

Over 40% of Industrial Control Systems (ICS) Were Attacked in 2022

Over 40% of industrial control systems (ICS) computers globally experienced malicious attacks in 2022, according to Kaspersky research into telemetry statistics. The report highlighted growth in Russia, which saw a 9% increase in malicious activity in 2022, but Ethiopia was the top target overall with 59% of its ICS footprint seeing malicious activity.

Kaspersky noted that blocked malicious scripts and phishing pages targeting ICS were particularly common threats, seeing an 11% rise from 2021. The percentage of ICS computers experiencing malicious activity varied from 40.1% in Africa and Central Asia to 14.2% and 14.3% respectively in Western and Northern Europe. nGuard has been helping protect Industrial control systems, SCADA networks, and critical infrastructure for over 20 years with security assessments, penetration testing, incident response, and managed SIEM services.

Low-coverage Cyber Insurance Plans Help Meet Compliance and Contractual Requirements

As the cyber insurance market experiences a surge in claims for ransomware attacks, insurance carriers and brokers have started imposing tighter rules on the companies that can qualify for coverage, raising prices and reducing the amount of coverage offered per policy. nGuard recently wrote about requirements needed to obtain cyber insurance. Policy coverages have significantly dropped in recent times, with some as low as $5m, and some companies cannot purchase as much insurance as they would like. However, some contracts and compliance regulations require that a company have a cyber insurance policy, which can pose a problem for those that lose coverage. Basic policies are now available for more organizations to obtain affordable coverage, allowing them to avoid a breach of compliance and fulfill contractual obligations.

Microsoft Exchange Zero-Days Mitigated, Then Bypassed!

Earlier this month two new zero-day exploits, CVE-2022-41040 and CVE-2022-41082, were released and code named ProxyNotShell due to similarities to another set of flaws called ProxyShell. nGuard covered one of the more recent Exchange zero-day vulnerabilities last year in another security advisory.

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability with 8.8 severity score out of 10. CVE-2022-41082 has been rated a 6.3 severity score out of 10 and allows Remote Code Execution (RCE) when PowerShell can be access by a malicious attacker. These vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019 for on-premises deployments. Microsoft stated, “While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.”

If an attacker can successfully exploit these vulnerabilities, they can compromise the victim’s system, obtain a web shell and install it, then attempt to pivot to other hosts on the network for further compromise. Microsoft said, with medium confidence, they can attribute many of the already carried out attacks to state-sponsored actors. These state-sponsored actors installed the China Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.

Microsoft has yet to release a patch for these vulnerabilities but did release workarounds for these two zero-days. However, shortly after their release it was discovered the recommended fix could be easily circumvented. This caused Microsoft to rewrite the mitigation to take this into account:

Open IIS Manager
Select Default Web Site
In the Feature View, click URL Rewrite
In the Actions pane on the right-hand side, click Add Rule(s)…
Select Request Blocking and click OK
Add the string “.*autodiscover\.json.*PowerShell.*” (excluding quotes)
Select Regular Expression under Using
Select Abort Request under How to block and then click OK
Expand the rule and select the rule with the pattern: .*autodiscover\.json.*Powershell.* and click Edit under Conditions
Change the Condition input from {URL} to {REQUEST_URI}

Microsoft also released a PowerShell script to apply the mitigation.

Outside of the Microsoft mitigations, you can protect your organization by:

Updating firewall rules, IPS, IDS systems to block known IP addresses targeting this vulnerability. You can download an updated list of malicious IPs and manually enter them in your perimeter protection devices.
Implementing multi-factor authentication (MFA) and training users not to accept unwanted MFA prompts.
Disabling Exchange Legacy Authentication.
Having a SIEM to help respond to ongoing threats to your environments based on correlating events from logs.
Ensuring you have a robust vulnerability management program in place to stay on top of the latest threats.
Conducting penetration testing on a frequent basis to ensure that attackers have limited or no path to pivot throughout your networks.
Either having an Incident Response retainer in place or having a pre-selected vendor to call should your organization fall victim to zero-days like this or any other attack.

TWiC | Lapsus$ Ransomware, LastPass Hack & MS ZeroDay

The past couple of weeks have been busy ones for the world of cybersecurity. Multiple companies have disclosed serious hacks that have led to breaches of customer data and overall system availability. In this week’s security advisory, nGuard will detail some of these incidents and their impact on the cybersecurity landscape.

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

The Lapsus$ crime gang is back at it again with an attack on the networking giant, Cisco. About a month ago, Cisco had disclosed that its systems were breached. A social engineering attack led adversaries on a pathway to overtaking an employee’s Google account. Saved credentials were then obtained from the browser and voice communications were utilized to trick the unsuspecting employee into accepting a multi-factor authentication push notification. Cisco believes the end goal of the attacker was to deploy ransomware on the network after gaining access to multiple systems. Cisco is reporting that attempts to deploy ransomware were unsuccessful.

LastPass Says Hackers Had Internal Access For Four Days

Lastpass reported a breach back in August and are now releasing some more details about the compromise. They are now reporting that an attacker had internal access to the company systems for four days before they were detected. Lastpass worked with a cybersecurity firm to investigate the incident and found that no customer data or password vaults were accessed during this time. LastPass maintains that your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass. The attacker was however able to access a developer endpoint and poke around the development environments.

Microsoft Patches a New Zero-Day Affecting All Versions of Windows

Microsoft is patching another zero-day vulnerability affecting all supported versions of Windows. This zero-day is reported as being used in real-world attacks. CVE-2022-37969 is a privilege elevation flaw in the Windows Common Log File System Driver. This is utilized for data and event logging. Once a system is compromised, this vulnerability can be used to escalate user privileges to the highest level, SYSTEM. 4 different security firms reported this vulnerability to Microsoft which makes them believe this could be widely used in real-world scenarios. They recommend patching immediately.

nGuard closely monitors trends in the world of cybersecurity and applies those trends to assessment activities and managed security services. Having penetration testing conducted periodically against network assets, web applications, and other critical infrastructure can prevent data breaches before they happen. Putting your employees through social engineering campaigns to test their security readiness can boost awareness. Having a security first mindset is essential in protecting the valuable data of organizations.

Vulnerability Exploits Overtake Phishing as Initial Attack Vector

Most security professionals will advise the number one way attackers gain an initial foothold on a network is, and continues to be, phishing and social engineering attacks. Palo Alto recently released their 2022 Incident Response Report which confirmed what most would say is true. At a combined 42%, phishing and social engineering make up almost half of all means of initial access.

The second most common way according to the above chart from Palo Alto is software vulnerabilities. However, in the first week of September, Kaspersky released its 2021 Incident Response Overview and it told a different story. 53.6% of the initial attack vectors they responded to were exploits of public-facing applications.

2021 had no shortage of time sensitive critical vulnerabilities including Log4j, Microsoft Exchange ProxyLogon, and three other CVEs related to the ProxyLogon vulnerabilities that were released in March of 2021. When these vulnerabilities are made publicly available it is only a matter of minutes before publicly facing systems are being scanned for vulnerable targets. Within hours, proof of concept exploits become available leading to an extremely high rate of organizations falling for such attacks.

In recent years, organizations have prioritized security awareness training and conducted social engineering and phishing training. But have those same organizations made it a priority to have a vulnerability management program in place?

How can organizations stay ahead of these attack trends? Start by building out a mature security program that includes annual penetration testing, ongoing vulnerability scanning, and a properly configured SIEM to alert on network anomalies. If you suspect a breach, identify a firm capable of responding to security incidents and secure an incident response retainer. Lastly, have an expert conduct a strategic security assessment to compare your organization’s security program to a known security standard like the Center for Internet Security Critical Security Controls.