Penetration Testing

TWiC | Lapsus$ Ransomware, LastPass Hack & MS ZeroDay

The past couple of weeks have been busy ones for the world of cybersecurity. Multiple companies have disclosed serious hacks that have led to breaches of customer data and overall system availability. In this week’s security advisory, nGuard will detail some of these incidents and their impact on the cybersecurity landscape.

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

The Lapsus$ crime gang is back at it again with an attack on the networking giant, Cisco. About a month ago, Cisco had disclosed that its systems were breached. A social engineering attack led adversaries on a pathway to overtaking an employee’s Google account. Saved credentials were then obtained from the browser and voice communications were utilized to trick the unsuspecting employee into accepting a multi-factor authentication push notification. Cisco believes the end goal of the attacker was to deploy ransomware on the network after gaining access to multiple systems. Cisco is reporting that attempts to deploy ransomware were unsuccessful.

LastPass Says Hackers Had Internal Access For Four Days

Lastpass reported a breach back in August and are now releasing some more details about the compromise. They are now reporting that an attacker had internal access to the company systems for four days before they were detected. Lastpass worked with a cybersecurity firm to investigate the incident and found that no customer data or password vaults were accessed during this time. LastPass maintains that your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass. The attacker was however able to access a developer endpoint and poke around the development environments.

Microsoft Patches a New Zero-Day Affecting All Versions of Windows

Microsoft is patching another zero-day vulnerability affecting all supported versions of Windows. This zero-day is reported as being used in real-world attacks. CVE-2022-37969 is a privilege elevation flaw in the Windows Common Log File System Driver. This is utilized for data and event logging. Once a system is compromised, this vulnerability can be used to escalate user privileges to the highest level, SYSTEM. 4 different security firms reported this vulnerability to Microsoft which makes them believe this could be widely used in real-world scenarios. They recommend patching immediately.

nGuard closely monitors trends in the world of cybersecurity and applies those trends to assessment activities and managed security services. Having penetration testing conducted periodically against network assets, web applications, and other critical infrastructure can prevent data breaches before they happen. Putting your employees through social engineering campaigns to test their security readiness can boost awareness. Having a security first mindset is essential in protecting the valuable data of organizations.

Vulnerability Exploits Overtake Phishing as Initial Attack Vector

Most security professionals will advise the number one way attackers gain an initial foothold on a network is, and continues to be, phishing and social engineering attacks. Palo Alto recently released their 2022 Incident Response Report which confirmed what most would say is true. At a combined 42%, phishing and social engineering make up almost half of all means of initial access.

Source: 2022 Incident Response Report

The second most common way according to the above chart from Palo Alto is software vulnerabilities. However, in the first week of September, Kaspersky released its 2021 Incident Response Overview and it told a different story. 53.6% of the initial attack vectors they responded to were exploits of public-facing applications.

Source: 2021 Incident Response Overview

2021 had no shortage of time sensitive critical vulnerabilities including Log4j, Microsoft Exchange ProxyLogon, and three other CVEs related to the ProxyLogon vulnerabilities that were released in March of 2021. When these vulnerabilities are made publicly available it is only a matter of minutes before publicly facing systems are being scanned for vulnerable targets. Within hours, proof of concept exploits become available leading to an extremely high rate of organizations falling for such attacks.

In recent years, organizations have prioritized security awareness training and conducted social engineering and phishing training. But have those same organizations made it a priority to have a vulnerability management program in place?

How can organizations stay ahead of these attack trends? Start by building out a mature security program that includes annual penetration testing, ongoing vulnerability scanning, and a properly configured SIEM to alert on network anomalies. If you suspect a breach, identify a firm capable of responding to security incidents and secure an incident response retainer. Lastly, have an expert conduct a strategic security assessment to compare your organization’s security program to a known security standard like the Center for Internet Security Critical Security Controls.

Password Guidelines You Need To Know

Conventional wisdom says passwords should be longer than 8 characters, they should contain complexity with upper case, lower case, numbers, and symbols, and Rotating passwords periodically is crucial to prevent them from being compromised. Consider rethinking your password requirements if this is still how you instruct your employees. In this security advisory, nGuard will lay out the password requirements you should be utilizing for employees.

Entropy is defined as “a measure of the amount of uncertainty an attacker faces to determine the value of a secret.” Traditionally, it was believed that entropy could be increased by requiring users to change their passwords frequently and by increasing the complexity of passwords. We now know that this is not the case. Length alone can provide password entropy at any level. Furthermore, if you change your passwords numerous times a year, you may find it difficult to remember passwords with high levels of complexity. Let’s take a look at some examples:

Password: nGu@rd2022!

This is an 11-character password with a high level of complexity. According to security.org, it would take a computer about 400 years to crack this password using brute force methodology. Engineers at nGuard say this password has a high probability of being cracked very quickly. It uses the company name with some common substitutions such as the “@” instead of the “a.” It also uses the current year, which is common among companies that force password changes on a regular basis.

Password: nGuard is a leading provider of security

This is a 40-character password with a low level of complexity. According to security.org, it would take a computer about 88 septendecillion years to crack this password using brute force methodology. Septendecillion is a 1 followed by 54 zeros. That’s a lot! The length of this password makes it more difficult to crack, but it is easier to remember and type out. Passwords like this won’t need to be changed unless they become compromised through social engineering or some form of clear-text password compromise.

In order to avoid forcing users to reset their password on a regular basis, nGuard recommends using password phrases like the example above. Set up alerts to notify IT when a specific account experiences too many failed login attempts. Additionally, limit the number of failed login attempts allowed within a certain time frame. With nGuard’s Managed Event Collection & Correlation (MECC) service, these types of things can be monitored. For an organization to maintain a strong password posture, that’s all you need to do. Your organization’s password security posture will be at the forefront of the industry if you do all of this and implement multi-factor authentication if possible.

Following the implementation of a strong password policy, nGuard can provide a variety of services to make sure you’re on the right path. Password Database Audits allow you to test the strength of your passwords against industry leading password crackers. By performing an internal penetration test, you can make sure that passwords are not being stored on machines in a way that makes them insecure (for instance, in plaintext).

Microsoft Zero-Day with No Patch!

Overview
CVE-2022-30190, known as Follina, was released by Microsoft on Monday, May 30th, 2022. The vulnerability resides within the Microsoft Support Diagnostics Tool (MSDT), which may allow an attacker to run arbitrary code with the privileges of the calling application. Microsoft Office applications use MSDT to troubleshoot and collect diagnostic information when something goes wrong.

This vulnerability was discovered by the independent cybersecurity researchers at nao_sec after they noticed a strange word document posted to VirusTotal. Using the Remote Template feature in Microsoft Word, an HTML file was pulled from a remote web server. It then made use of the “ms-msdt://” URI scheme to run a malicious payload. Experts are now saying this vulnerability is being exploited by attackers in the wild. Some security researchers have demonstrated execution of the malicious code merely by previewing the document in Windows File Explorer or Outlook.

Exploit
The video below demonstrates how easily this vulnerability can be exploited. Exploit code is now publicly available, making this process trivial. We will outline the steps taken in this video below:

An attacker downloads exploit code from GitHub.
This exploit code is then utilized to create the malicious Word document and stand up a web server to serve up the HTML file. In the video below, this Word document is called “sploit.docx.”
Once the user opens the Word document, you see the MSDT tool also fire off. MSDT is also commonly referred to as “Program Compatibility Troubleshooter.”
The producer of this video then shows you that both a cmd.exe process and powershell.exe process have been launched on the system. At this point, the document can be closed, but the malicious process is still running.
The demo then shows a Cobalt Strike window. Cobalt Strike is a command-and-control framework used for maintaining persistent access on compromised systems. You can see in the video that a “beacon” has been launched on the system. A beacon is an agent on the system that allows an attacker to maintain persistent access and run arbitrary code.
At this point the producer of this video runs “whoami” on the system itself to show you which user account launched the Word document. They then flip back to Cobalt Strike and run “whoami” from the interactive beacon. This displays the same user account. Persistent remote code execution achieved.

What To Do?
At this point in time, Microsoft has not released an official fix for this vulnerability. They are recommending that the MSDT URL protocol be disabled in order to protect systems from this vulnerability. That guidance can be found here. nGuard offers a bevy of services that can help prevent and identify these types of attacks. Both Social Engineering simulations and Social Engineering Awareness Training can assist your organizations employees in identifying these types of attacks. Internal Penetration Testing can boost the overall security posture of your internal network. If a machine on your network does become compromised, you have assurance that the adversary won’t make it very far. Lastly, Managed Event Collection & Correlation gives you 24×7 monitoring from advanced log analysis tools and nGuard professionals who are trained to detect suspicious activity.

FBI Secretly Removing Malware

Late last week, Attorney General Merrick Garland announced that the FBI was removing malware from computer systems around the world in an attempt to thwart Russian cyber-attacks. In March, the White House warned that Russia could be targeting critical infrastructure in the United States. The malware that is being removed from systems by the FBI is reported to allow an arm of the Russian military called the GRU to take over machines and create botnets for DDoS attacks. The GRU is Russia’s largest foreign intelligence agency responsible for handling multiple forms of military intelligence.

The Justice Department says that this strain of malware is designed to compromise externally facing firewalls and loop them into a botnet called Cyclops Blink. The botnet is controlled by a notorious group called Sandworm that has been known to work with the GRU. The DOJ warned owners of infected devices that their machines were part of this Cyclops Blink botnet, but decided that it was not worth the wait and took it upon themselves to remove the malware from infected devices.

Through secret court orders, the Justice Department and FBI were able to quietly remove this malware from infected devices across the globe. After removing the malware, the FBI also closed the management port that was being used as the attack vector. The Biden administration has been ramping up their cyber security operations since the breakout of war in Ukraine. While Ukraine has been the number 1 target of cyber attacks over the last couple months, authorities warn that critical infrastructure organizations in the United States could be next.

Performing external penetration testing and having a formal external vulnerability management program can help to thwart attacks like this. By identifying these vulnerabilities and patching them before adversaries get their hands on them, you can protect your externally facing machines from becoming a part of a worldwide botnet.

Lapsus$ Crime Gang: Hacking Microsoft, Okta, and More

Lapsus$ is a hacking group that first appeared in December of 2021 when they were extorting Brazil’s Ministry of Health. Recently they have been in the news for posting information and screenshots from internal breaches of companies like Microsoft, Nvidia, and Okta. Lapsus$ is unorthodox in their operations in that they do not operate on the dark web or on any social media platforms. Instead, Lapsus$ leverages email and a public Telegram channel which now has over 45,000 members. Lapsus$ does not attempt to hide any of their activity or cover their tracks. In fact, they have been known to join Zoom calls of organizations they have compromised and interrupt their incident response process.

With such high profile targets, it was initially thought that Lapsus$ was state-sponsored but it has been reported that their head is a multi-millionaire 16-year-old teenager in Oxford, England. Researchers tracking the group have said, “The teen is so skilled at hacking — and so fast — that researchers thought the activity they were observing was automated.” Lapsus$ has been spotted recruiting on various online platforms since November 2021. Recruiting ads offering $20,000 a week to perform SIM swapping for AT&T, Verizon, and T-Mobile customers.

Although the group has done significant damage already, the good news is London Police have arrested seven individuals, all 16 to 21 years old in connection with the hacking group.

Microsoft Breach Last week, Microsoft confirmed Lapsus$ was responsible for obtaining and leaking about 37 GB of pieces of their source code for Bing, Cortana, and over 250 Microsoft projects via access it had through a single account. Lapsus$ initially obtained access via stolen credentials which allowed privileged access and the exfiltration of data.

Microsoft has been tracking Lapsus$ for some time now, calling it DEV-0537. Microsoft’s Threat Intelligence Center stated, “… the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

Okta Breach

Okta, a single-sign-on identity management service that works in cloud and on-premises environments announced Lapsus$ was able to gain access to one of their employee’s laptops for five days in January. The access was originally obtained through subprocessor Sykes Enterprises which is owned by Sitel Group. Lapsus$ utilized compromised credentials to access Sykes Enterprises. It was discovered the credentials were used on VPN gateways. Once Lapsus$ had access they discovered a file on Sitel’s network called DomAdmins-LastPass-xlsx. This would indicate a file with Domain Administrator passwords from the password manager LastPass was exported and saved locally. Lapsus$ was able to pivot to Okta’s network and posted screenshots of their access.

Some screenshots from the incident response investigation were posted showing the timeline of events and activity. Activity such as searching Bing for privilege escalation tools on GitHub, disabling endpoint protection agents, and searching and downloading Mimikatz –a tool to extract and save authentication credentials and Kerberos tickets from a host — were performed during the attack.

Okta has faced a wave of criticism on their slow response to the breach after receiving the incident response report. Okta chief security officer David Bradbury said the company “should have moved more swiftly to understand its implications.” As of now, Okta has stated the breach has impacted 366 of their customers during the 5-day period of the attack.

Other Attacks

Lapsus$ has been highly active in the recent months. To read more about other attacks they have carried out on high-profile organizations click the links below.