Tag Archives: Vulnerability

Office 365 Vulnerability Allows Attackers to Encrypt Files

Proofpoint announced that it has discovered a weakness in Office 365 that allows an attacker who has taken over a user account to encrypt files stored on SharePoint Online and OneDrive, so that ransomware no longer needs a foothold on an endpoint.

Proofpoint describes the attack chain as initial access, account takeover and discovery, collection and exfiltration, and monetization. “Once executed, the attack encrypts the files in the compromised users’ accounts. Like with endpoint ransomware activity, those files can only be retrieved with decryption keys,” Proofpoint wrote of the attack.

Once the attacker controls the account, the file version history is what stands between the victim and recovery, and there are two ways to exhaust it: lower the document library’s version limit to one and then overwrite (encrypt) every file twice, so the only retained version is the encrypted one; or leave the default limit of 500 in place and overwrite each file 501 times. The researchers consider the second option unlikely, because encrypting every file more than 500 times takes a lot of scripting, time and compute, and significantly raises the risk of detection.

Whichever option the attacker chooses, once every retained version has been overwritten with encrypted content the victim is left with two options: restore from backups kept outside the Office 365 tenant, or pay the attacker for a decryption key. A practical check is to review the versioning settings of document libraries and to alert on any account that lowers a version limit and then touches many files in a short window.
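The detection a practitioner would want here is an alert on the version-exhaustion pattern itself. The following is an added example, not Proofpoint’s tooling and not a Microsoft API: it runs two rules over SharePoint/OneDrive audit events, one for “limit lowered, then files overwritten past the new limit” and one for “a single file overwritten more than 500 times”. The event schema and the operation names VersionLimitChanged and FileModified are assumptions to be mapped onto whatever the tenant’s unified audit log export actually emits, and the events returned by sample_events() are constructed.

```python
"""Flag the SharePoint/OneDrive version-exhaustion pattern in audit events.

Added example; not Proofpoint's tooling and not a Microsoft API.  The event
fields (time, user, site, op, detail) and the operation names below are
ASSUMED: map them to what your tenant's audit export actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OP_LIMIT_CHANGED = "VersionLimitChanged"  # assumed; detail = {"old": n, "new": m}
OP_FILE_MODIFIED = "FileModified"         # assumed; detail = {"file": path}


def detect_version_exhaustion(events, window=timedelta(minutes=30),
                              low_limit=5, min_files=20, per_file_burst=500):
    """Return a list of (user, site, reason) alerts.

    Rule A: a user lowers a library's version limit to <= low_limit and, within
            `window`, modifies >= min_files distinct files more than `limit`
            times each, so no unencrypted version survives.
    Rule B: a user modifies one file more than `per_file_burst` times within
            `window` (the 501-overwrite variant against the default limit).
    """
    events = sorted(events, key=lambda e: e["time"])
    alerts = []

    # Rule A: limit lowered, then files overwritten past the new limit.
    for i, ev in enumerate(events):
        if ev["op"] != OP_LIMIT_CHANGED or ev["detail"]["new"] > low_limit:
            continue
        limit = ev["detail"]["new"]
        touches = defaultdict(int)  # file -> modifications after the change
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break
            if (later["user"], later["site"], later["op"]) == (ev["user"], ev["site"], OP_FILE_MODIFIED):
                touches[later["detail"]["file"]] += 1
        exhausted = [f for f, n in touches.items() if n > limit]
        if len(exhausted) >= min_files:
            alerts.append((ev["user"], ev["site"],
                           f"version limit lowered to {limit}, then {len(exhausted)} files "
                           f"overwritten {limit + 1}+ times within {window}"))

    # Rule B: one file hammered past the burst threshold (sliding window).
    per_file = defaultdict(list)
    for ev in events:
        if ev["op"] == OP_FILE_MODIFIED:
            per_file[(ev["user"], ev["site"], ev["detail"]["file"])].append(ev["time"])
    for (user, site, path), times in per_file.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > per_file_burst:
                alerts.append((user, site, f"{path} modified {end - start + 1} times within {window}"))
                break
    return alerts


def sample_events():
    """Constructed audit events (not real tenant data)."""
    t0 = datetime(2022, 6, 20, 9, 0)
    site = "https://contoso.sharepoint.com/sites/finance"  # hypothetical site
    evs = []
    # Normal editing: three files, once each.
    for k in range(3):
        evs.append({"time": t0 + timedelta(minutes=k), "user": "alice@contoso.example", "site": site,
                    "op": OP_FILE_MODIFIED, "detail": {"file": f"/Shared/report{k}.docx"}})
    # Variant 1: lower the limit to 1, then overwrite 25 files twice each.
    evs.append({"time": t0 + timedelta(minutes=5), "user": "mallory@contoso.example", "site": site,
                "op": OP_LIMIT_CHANGED, "detail": {"old": 500, "new": 1}})
    for k in range(25):
        for rep in range(2):
            evs.append({"time": t0 + timedelta(minutes=6, seconds=10 * k + rep),
                        "user": "mallory@contoso.example", "site": site,
                        "op": OP_FILE_MODIFIED, "detail": {"file": f"/Shared/doc{k}.xlsx"}})
    # Variant 2: default limit untouched, one file overwritten 501 times.
    for n in range(501):
        evs.append({"time": t0 + timedelta(minutes=30, seconds=2 * n), "user": "bob@contoso.example",
                    "site": site, "op": OP_FILE_MODIFIED, "detail": {"file": "/Shared/ledger.xlsx"}})
    return evs


if __name__ == "__main__":
    for user, site, why in detect_version_exhaustion(sample_events()):
        print(f"ALERT {user} on {site}: {why}")
```

The thresholds are deliberately parameters: a library with a legitimately low version limit will need a higher min_files, and a burst threshold of 500 only makes sense where the default limit has not been changed.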

Still Have Port 445 Open to the Internet?

CVE-2022-26809 is a vulnerability in the Remote Procedure Call Runtime component of Microsoft Windows. An attacker who successfully exploits it can run arbitrary code on the affected system.

To exploit it, an attacker needs to send a specially crafted RPC call to an RPC host; the result is remote code execution on that host with the privileges of the RPC service. RPC calls can arrive over SMB named pipes, which is why an SMB port (TCP 445) exposed to the internet turns this into an internet-reachable issue and why Microsoft’s mitigation targets that port.

The vulnerability can be exploited without authentication and without any user interaction.

It is rated critical (CVSS 9.8) and should be patched immediately.

Vulnerable Technologies:
Microsoft reports that the following products and versions are vulnerable:

Windows 7 32-bit SP 1
Windows 7 x64 SP 1
Windows 8.1 32-bit
Windows 8.1 x64
Windows 10 32-bit
Windows 10 x64
Windows 10 20H2 32-bit
Windows 10 20H2 ARM64
Windows 10 20H2 x64
Windows 10 21H1 32-bit
Windows 10 21H1 ARM64
Windows 10 21H1 x64
Windows 10 21H2 32-bit
Windows 10 21H2 ARM64
Windows 10 21H2 x64
Windows 10 1607 32-bit
Windows 10 1607 x64
Windows 10 1809 32-bit
Windows 10 1809 ARM64
Windows 10 1809 x64
Windows 10 1909 32-bit
Windows 10 1909 ARM64
Windows 10 1909 x64
Windows 11 ARM64
Windows 11 x64
Windows RT 8.1
Windows Server 2008 32-bit SP 2
Windows Server 2008 x64 SP 2
Windows Server 2008 R2 x64 SP 1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server Version 20H2

Mitigation:

Microsoft recommends blocking TCP port 445 at the enterprise perimeter firewall to mitigate internet-based exploitation. This is a mitigation, not a fix: hosts remain exploitable from inside the perimeter, so the patch is still required.

Remediation:

The fix is the security update Microsoft released for CVE-2022-26809 in April 2022; apply it to every listed version. Beyond that, organizations need continuous port and vulnerability scanning of their external ranges to catch a port that is opened to the outside even briefly. Where continuous active scanning is not possible because of sensitive systems, an Attack Surface Management service, which relies on passive sources, should be used for near-instant detection.
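One way to implement that continuous check, as an added example that is not part of the original post and not a Microsoft tool: run nmap against your external ranges on a schedule from outside the perimeter and diff consecutive greppable outputs, so a port that opens between two runs raises an alert. It assumes nmap is available; the two scan outputs embedded below are constructed in nmap’s -oG format and use documentation addresses.

```python
"""Diff two `nmap -oG` outputs and flag ports newly open to the internet.

Added example (not part of the original post, not a Microsoft tool).  Run e.g.
`nmap -p 135,139,445 -oG scan-$(date +%F).gnmap <external ranges>` from outside
your perimeter on a schedule, keep the files, and feed two consecutive ones to
this script.  The scans below are constructed and use documentation addresses.
"""
import re
import sys

# "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
WATCH = {135, 139, 445}  # RPC/SMB ports that must never face the internet

SCAN_MONDAY = """# Nmap 7.92 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (2)
Host: 203.0.113.11 ()\tStatus: Up
"""
SCAN_TUESDAY = """# Nmap 7.92 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (1)
Host: 203.0.113.11 ()\tPorts: 135/open/tcp//msrpc///, 445/filtered/tcp//microsoft-ds///
"""


def parse_gnmap(text):
    """Return {ip: {port: state}} for each greppable 'Host:' line with a Ports field."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, _hostname, ports_field = m.groups()
        ports_field = ports_field.split("\t")[0]  # drop trailing "Ignored State: ..."
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            if proto == "tcp":
                hosts.setdefault(ip, {})[port] = state
    return hosts


def newly_exposed(before, after, watch=WATCH):
    """Ports open in `after` that were not open in `before`; new hosts count too."""
    findings = []
    for ip, ports in after.items():
        for port, state in ports.items():
            if state == "open" and before.get(ip, {}).get(port) != "open":
                findings.append((ip, port, "WATCHED" if port in watch else "new"))
    return sorted(findings)


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} previous.gnmap current.gnmap", file=sys.stderr)
        return 2
    with open(argv[1]) as f_prev, open(argv[2]) as f_cur:
        findings = newly_exposed(parse_gnmap(f_prev.read()), parse_gnmap(f_cur.read()))
    for ip, port, tag in findings:
        print(f"{tag}: {ip} tcp/{port} newly open")
    # Non-zero exit lets cron/CI treat a watched port as a failed job.
    return 1 if any(tag == "WATCHED" for _, _, tag in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that a host that was up but had no Ports field on day one (the second host above) is treated as having nothing open, so everything it exposes on day two is reported; a filtered 445 is not reported because it is not reachable.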

Everything About Attack Surface Management

For many years we have used vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process and is critically important for organizations to see which vulnerabilities they have and which an attacker could use against them.

Despite this success, widespread use and importance, vulnerability scanning has gaps when it comes to managing an organization’s attack surface.

Gaps in Vulnerability Scanning

A vulnerability scan is an active scan, which makes it risky to run against sensitive assets: it can slow them down and even interrupt them, so for critical systems that must run 24×7 it is a real risk to availability. This is the biggest hurdle to making scanning continuous. The second hurdle is the technique itself: because it is active, scanning a wide network takes a long time. Scans then fail to finish in the planned window, schedules slip, and assets go unscanned for long periods. A significant gap remains for vulnerabilities that appear between two scans and for machines newly installed in the DMZ.

Scanning works from a defined scope that is scanned periodically, and anything outside that scope becomes Shadow IT: services left out of scope for various reasons, or hosted at third parties, remain unscanned. Shadow IT is a very big problem, especially for large organizations.

Vulnerability scanning focuses only on finding vulnerabilities, yet attackers also use other findings about the organization: misconfigurations, compromised accounts, third-party connections, and so on.

What does attack surface management do differently?

There are already many tools on the internet that reveal information about an organization: passive subdomain tools, port-scan databases, certificate and DNS record checkers, and more. Some are free and some are paid services.

Attackers consult the same services during the discovery phase before an attack, so it is very important to check what they return at frequent intervals. However, there are many such tools, and checking all of them every day for every keyword of the organization seems impossible. A keyword here is every term an attacker would search for in the discovery phase: brand names, application names, web sites, VIP names, and others.

Fundamentally, Attack Surface Management is a passive scanning process built on these free and paid tools already hosted on the internet. Because it is passive, it can run continuously: an Attack Surface Management tool queries all of these sources for the keywords described above, and since no packets are sent to the organization’s own systems there is no risk to their availability.

Third Party Connections

With developing technology and business methods, every company works with many other companies and has direct connections to them, and the number of these links grows daily. This creates a great opportunity for attackers: in recent years attacks through third-party connections have increased and they mostly succeed, so risk management teams must closely monitor third-party risk.

Understandably, organizations normally do not let others scan their environment, so it is not possible to actively scan a partner for vulnerabilities before opening a connection to them. What remains is to rely on the partner’s own tests and on questionnaires. With Attack Surface Management, identifying a partner’s externally visible risks before creating the connection is fast and carries no risk to their systems.

What to Expect from Attack Surface Management?

To cover every internet-facing risk, security teams need to know all the assets they have, both hosted in their own institution and at third parties. An Attack Surface Management tool should first show all the assets the organization has: subdomains, IP addresses, DNS records, cloud environments, certificates, URIs, and so on, together with the technologies in use in the DMZ, such as the number of web servers, applications and operating systems.

All these findings matter for Shadow IT: systems that are forgotten and left unpatched for a long time are a big risk for the organization.

The other important output, perhaps the most important, is the vulnerabilities of those systems. Attack Surface Management tools use sources like Shodan to investigate vulnerabilities, and unlike a vulnerability scan they can also surface misconfigurations: forgotten default IIS or Apache pages, default admin panels, and IIS or Apache misconfigurations. Missing or weak configuration such as DMARC records, or stale A records, are also useful seeds for an attacker’s discovery phase.
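As a concrete instance of such a check, here is an added example (not part of the original post and not any ASM vendor’s code) that grades a domain’s SPF and DMARC records the way an external discovery tool would, reporting a missing record, a monitor-only policy, a permissive or softfail SPF, too many lookup mechanisms, and unprotected subdomains. The TXT records are a constructed dict so it runs offline; the resolve_txt helper shows the live lookup and assumes the dnspython package is installed.

```python
"""Passive SPF/DMARC posture check from a domain's TXT records.

Added example; not part of the original post and not any ASM product's code.
Records come from a constructed dict so this runs offline.  `resolve_txt` is
the live variant and assumes the dnspython package is installed.
"""

SAMPLE_TXT = {  # constructed records, keyed the way a resolver would answer
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all", "google-site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "good.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@good.example"],
    "none.example": [],
}
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; any host can send mail as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as permerror")
    terms = spf[0].split()
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all", "?all"):
        findings.append(f"SPF: '{all_term}' effectively permits any sender")
    elif all_term.lower() == "~all":
        findings.append("SPF: softfail (~all); move to -all once DMARC is enforcing")
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms; RFC 7208 allows 10 (permerror)")
    return findings


def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record; spoofed mail is neither rejected nor reported"]
    if len(dmarc) > 1:
        return ["DMARC: multiple records; receivers ignore all of them"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; the record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} enforces the policy on only part of the mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you receive no aggregate reports")
    return findings


def assess(domain, txt):
    """txt: {name: [records]}.  Returns the list of findings for the domain."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get(f"_dmarc.{domain}", []))


def resolve_txt(name):
    """Live lookup (assumption: dnspython installed); unused by the offline sample."""
    import dns.resolver
    try:
        return ["".join(s.decode() for s in r.strings) for r in dns.resolver.resolve(name, "TXT")]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []


if __name__ == "__main__":
    for d in ("weak.example", "good.example", "none.example"):
        print(d, assess(d, SAMPLE_TXT) or ["no findings"])
```

Run against a real domain by replacing SAMPLE_TXT with {d: resolve_txt(d), f"_dmarc.{d}": resolve_txt(f"_dmarc.{d}")}; the same loop then covers every domain and subdomain the asset inventory produced.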

As noted above, it is critical to scan all of these assets often, preferably every day, so both the ability to run the scan daily and how long it takes matter.

The number of sources an Attack Surface Management product consults in its passive scan also matters. Remember that the goal is to reproduce the attacker’s discovery phase: a vulnerability or misconfiguration that your scans miss but the attacker finds can lead to very bad results.

Risk Management

For risk management, every task, including vulnerabilities and misconfigurations, should be tracked regularly. Like other vulnerability management solutions, Attack Surface Management tools should therefore integrate with the organization’s ticketing system, so that tasks can be assigned to engineers and followed in one place.

Conti CVEs Leaked

On 27 February 2022, after the Conti group announced its full support for Russia against Ukraine, someone with access to the group’s internal systems started leaking its data. The leak is still ongoing via the “ContiLeaks” Twitter account.

The leak started with unencrypted chat messages between Conti members. On 1 March, the leaker shared access details for several Conti storage servers and screenshots of the folders on them.

On 4 March, another Twitter account, @c3rb3ru5d3d53c, shared a screenshot of the vulnerabilities Conti uses to compromise systems.

Conti has harmed many organizations and continues to do so; in February alone it breached many organizations and exfiltrated their data.

The screenshot shows that the group relies on vulnerabilities that already have patches rather than on very sophisticated techniques. Even basic vulnerability management, scanning with free tools and patching what they find, would prevent most of these attacks. That is why the @c3rb3ru5d3d53c post matters: it shows that very simple measures can prevent big problems.

Strategic Partnership Between Nucleus and Mandiant

Nucleus and Mandiant have announced a strategic partnership on vulnerability intelligence. Through it, Nucleus customers get real-time access to Mandiant Advantage Vulnerability Intelligence data.

“We spent the last year performing a deep dive into the vulnerability intelligence offerings of the leading threat intelligence providers and studying how their data could be useful in the context of vulnerability management,” said Steve Carter, CEO of Nucleus Security. “We chose to partner with Mandiant because they were most aligned with our vision of operationalizing vulnerability intelligence and transforming enterprise vulnerability management as we know it.”

Mandiant (formerly part of FireEye) has led the threat intelligence market for many years, with threat actor knowledge, IoC feeds, dark web visibility, vulnerability intelligence and more.

With the integration, practitioners can accelerate vulnerability prioritization and triage using automation at scale.

CTI does not mean Fraud Detection

Organizations invest more and more in security tools, yet breach statistics keep rising. Ten or more years ago attackers mostly worked alone with basic tools, so they were easier to block; intelligence was not on our agenda, and some basic blacklists and virus databases were enough against most of them. Advanced techniques and tools, and the groups that now come together to attack, have made attacks much harder to block.

CTI (Cyber Threat Intelligence) has become indispensable. We need more and more information about attackers to gain an advantage in this fight. At the same time, many people confuse threat intelligence with fraud detection and seem unsure what to expect from threat intelligence. This post covers the needs and uses of CTI.

IoCs: IoCs are one of the most important things we expect from a CTI product. We feed our tools with IoCs, and this is the simplest use of threat intelligence. Open source IoCs for many historical threats are easy to find on the internet, so what we should expect from a CTI product is the latest IoCs for current threats. When evaluating a CTI tool, compare how many IoCs it delivers against its competitors; some CTI vendors mostly repackage open IoCs, so check this before paying. Accuracy matters just as much: there is no point in pushing many wrong IoCs into our systems every day, since each false positive wastes analyst time, and time is the most important resource in a battle.
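What “accuracy” means in practice is a triage step between the feed and your blocking tools. The following added example (not part of the original post and not any CTI vendor’s code) normalises defanged indicators, drops duplicates, non-routable addresses and allowlisted domains, and records why each rejected line was dropped; the feed lines and the allowlist are constructed.

```python
"""Normalise and triage an IoC feed before it becomes block rules.

Added example; not part of the original post and not any CTI vendor's code.
The feed and the allowlist are constructed.  Wrong or irrelevant indicators
that reach a firewall or EDR cost analyst time, so reject them here.
"""
import ipaddress
import re

# Assumed allowlist: your own domains and shared infrastructure you depend on.
ALLOWLIST = {"contoso.example", "cdn.shared-provider.example"}
ALLOWLIST_SUFFIXES = ("microsoft.com", "windowsupdate.com")

DEFANG = (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@"))
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

SAMPLE_FEED = """# constructed feed; none of these are real indicators
hxxp://malware-drop[.]example/loader.bin
malware-drop[.]example
MALWARE-DROP.EXAMPLE          # same domain, different defanging and case
10.0.0.5                      # private address; meaningless as a block rule
cdn.shared-provider.example   # shared CDN we depend on
download.microsoft.com        # blocking this breaks patching
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
not an indicator
"""


def refang(value):
    """'hxxp://a[.]b' -> 'http://a.b', lower-cased."""
    v = value.strip()
    for bad, good in DEFANG:
        v = v.replace(bad, good)
    return v.lower()


def classify(value):
    """Return (type, normalised value), or (None, reason) when it must not be loaded."""
    v = refang(value)
    if v.startswith(("http://", "https://")):
        return "url", v
    if IPV4_RE.match(v):
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:
            return None, "malformed ip"
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
            return None, "non-routable ip"
        return "ipv4", v
    if SHA256_RE.match(v):
        return "sha256", v
    if MD5_RE.match(v):
        return "md5", v
    if DOMAIN_RE.match(v):
        if v in ALLOWLIST or v in ALLOWLIST_SUFFIXES or v.endswith(tuple("." + s for s in ALLOWLIST_SUFFIXES)):
            return None, "allowlisted domain"
        return "domain", v
    return None, "unrecognised"


def triage(lines):
    """Split feed lines into accepted [(type, value)] and rejected [(raw, reason)]."""
    accepted, rejected, seen = [], [], set()
    for line in lines:
        # Comments start with '#' at line start or after whitespace (URL fragments survive).
        raw = re.sub(r"(?:^|\s+)#.*$", "", line).strip()
        if not raw:
            continue
        kind, value = classify(raw)
        if kind is None:
            rejected.append((raw, value))
        elif (kind, value) in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add((kind, value))
            accepted.append((kind, value))
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = triage(SAMPLE_FEED.splitlines())
    for kind, value in ok:
        print(f"LOAD {kind:7} {value}")
    for raw, why in dropped:
        print(f"DROP {raw!r}: {why}")
```

The rejected list is worth keeping: a feed that regularly ships private addresses, your own infrastructure or repackaged duplicates is telling you something about the vendor.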

TTPs: According to the Pyramid of Pain, discussed in depth in the related post, TTPs are the most valuable information for defenders. Sun Tzu says that “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Of course this is very meaningful: if you do not know what tools, techniques and tactics your enemies use, it would be very difficult to win a battle. For a defender, the most valuable information is the TTPs and tools the enemy uses, and this must be one of your most important expectations from a CTI vendor.

Threat Groups: As mentioned, attackers now work together and join forces, and while a group is successful with a particular technique, tool set and malware, it rarely changes those TTPs and tools. So it is very important to know who is targeting your geography, country and sector. With that knowledge an organization gets IoCs that are actually relevant to it and can design its defenses around those attackers’ TTPs. In that sense, tracking threat groups is what gives the first two items (IoCs and TTPs) their value: you can load random IoCs into your systems, but it is never the same as working with information about attackers you know are after you.

Vulnerabilities: These are critical because attackers use them to get in. It is vital to learn about new vulnerabilities as quickly as possible after they appear, and whether they are exploitable, how critical they are and which systems they affect should also be among the things you expect from CTI. Of course, you need proactive patch management to act on this information.

Dark Web Tracking: Every day, information about companies is offered for sale on the dark web, and attackers and groups meet and communicate there. A security team cannot track all dark web forums and portals continuously, so constant monitoring of the dark web and access to information about threats to the organization should be another expectation from CTI.

CTI is not Fraud Detection: Fraud is an important subject for protecting our customers and users, and there are many fraud techniques that fraud teams need to know about, but CTI is not fraud detection. As mentioned at the beginning, people seem really confused about what CTI and fraud are. Some CTI vendors provide fraud data to their customers, and it is undisputedly valuable, but a CTI product should not be evaluated solely on the fraud information it yields. For a good CTI investment, evaluate the points above.

Log4j Vulnerable Hosts List on Sale

Log4j persistently keeps its place on the agenda. Although it has been stated that it is very critical and many articles have been written about it, a list of more than 500k potentially and 220k vulnerable hosts has been published and put up for sale. The repository advertising the sale is linked below; treat such lists as attacker-compiled and unverified, and use them only as a prompt to check your own assets:

https://github.com/razz0r/CVE-2021-44228-Mass-RCE

Log4j is highly critical because exploitation requires no authentication or user interaction and is very easy. Applying the patches quickly is strongly recommended.

Cyber Attack on Belgian Defence Ministry

Belgium’s Ministry of Defence confirmed on Monday that it had been hit by a cyber attack.

The Log4j vulnerability was disclosed earlier in December and has dominated the news since. According to Belgian Defence Ministry officials, attackers exploited Log4j in one of the ministry’s systems; the ministry uncovered the attack last Thursday.

A lot has been written about Log4j in recent days and we will not cover the details of the vulnerability here, but it is important to say that it affects a long list of software.

We already know that several groups, including state-sponsored ones, have started using this vulnerability. It is a truly critical vulnerability and needs to be patched as soon as possible, today if that has not been done yet.

Subdomain Enumeration

Subdomain enumeration is an information-gathering technique used to find all of a company’s sites that are open to the internet. In large organizations it is very common to have forgotten websites that carry vulnerabilities or sensitive data, which is why subdomain enumeration also matters for bug bounty.

The first technique is searching passive DNS information. There are many ways to do this, but note that DNS records of decommissioned servers may remain in passive caches, so every result should be resolved and checked before it is treated as live.

DNSdumpster.com: gives archived information about a domain along with extras such as geolocation, an nmap port scan, a visualization of the domain mapping, and HTTP responses that show whether a site is alive.

crt.sh: another useful tool that searches certificate transparency logs for SSL/TLS certificates issued to a domain and its subdomains.

VirusTotal: searching a domain in VirusTotal returns its known subdomains along with additional information about the domain.
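The certificate-transparency route above can be scripted, and the caveat about stale entries handled at the same time. The following is an added example, not part of the original post and not a crt.sh or Sublist3r feature: it extracts the unique names under a domain from a crt.sh JSON answer (collapsing wildcard certificates and rejecting look-alike domains that merely contain the target as a substring) and resolves each candidate, since names from expired certificates often no longer exist. The JSON is constructed in the shape crt.sh returns for the output=json query; fetch_crt does the live query and assumes the requests package is installed.

```python
"""Pull candidate subdomains out of a crt.sh JSON answer and resolve them.

Added example; not part of the original post and not a crt.sh or Sublist3r
feature.  SAMPLE_CRT_JSON is constructed in the shape crt.sh returns for
https://crt.sh/?q=%25.example.com&output=json ("name_value" holds the
certificate's names, newline-separated).  `fetch_crt` does the live query and
assumes the `requests` package; the offline sample never calls it.
"""
import json
import socket

SAMPLE_CRT_JSON = json.dumps([  # constructed; not real crt.sh data
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_after": "2022-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com", "not_after": "2022-05-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "old-vpn.example.com",
     "name_value": "old-vpn.example.com", "not_after": "2017-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "dev.api.example.com",
     "name_value": "dev.api.example.com\nstaging.api.example.com", "not_after": "2023-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "example.com.evil-lookalike.test",
     "name_value": "example.com.evil-lookalike.test", "not_after": "2023-01-01T00:00:00"},
])


def subdomains_from_crt(json_text, domain):
    """Unique names under `domain` from a crt.sh JSON response, wildcards collapsed."""
    domain = domain.lower()
    names = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().lstrip("*.")  # "*.example.com" -> "example.com"
            # Suffix test, not substring: "example.com.evil-lookalike.test" must not match.
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def resolve(name, timeout=3.0):
    """Addresses `name` resolves to, or [] (names from expired certificates often don't)."""
    socket.setdefaulttimeout(timeout)
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fetch_crt(domain):
    """Live query; assumption: `requests` is installed.  Returns the raw JSON text."""
    import requests
    resp = requests.get("https://crt.sh/", params={"q": f"%.{domain}", "output": "json"}, timeout=60)
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    text = fetch_crt(target) if target else SAMPLE_CRT_JSON
    for host in subdomains_from_crt(text, target or "example.com"):
        # Every hit is only a candidate until it resolves and answers.
        print(f"{host:40} {', '.join(resolve(host)) if target else 'sample (not resolved)'}")
```

Run with a domain argument to query crt.sh live; without one it prints the constructed sample. A name that appears in the logs but no longer resolves is still useful, since it may point at a decommissioned service whose DNS name could be re-registered or reused.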

The second technique uses automated tools.

amass: has many options for showing subdomains and everything associated with them.

Sublist3r: lists the subdomains of a domain from many passive sources, and it also has a brute-force module, subbrute, that runs a domain wordlist against the target (the -b flag enables it). The basic passive run with verbose output:

#sublist3r -v -d facebook.com

Carbon Black Critical Bug

VMware has published an update that resolves a critical authentication bypass vulnerability in Carbon Black App Control. App Control is an application-control product used to lock down critical systems and servers, prevent unwanted changes and maintain continuous compliance with regulatory mandates.

The authentication bypass is tracked as CVE-2021-21998. VMware Carbon Black App Control versions 8.6.x, 8.5.x, 8.1.x and 8.0.x are affected.

An attacker with network access to the App Control management server can bypass authentication and obtain administrative privileges. With those privileges, the attacker can read critical information in the console and disable the EPP and EDR features on the managed endpoints.

VMware states that the vulnerability is fixed in versions 8.6.2 and 8.5.8. Upgrading the management server is critical; confirm the running version in the console after the upgrade, and if you run the 8.1.x or 8.0.x branch, check VMware’s advisory for the corresponding fix, since only the 8.6 and 8.5 fixed builds are named here.