A Month In Breaches: October

CTRL sees a proliferation of ransomware and security bugs amongst breaches this month.

This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7 and proactively observe breaches and critical security trends. We observed various security bugs and ransomware campaigns across the threat landscape in October. CTRL Group recommends scheduling regular backups and applying patches promptly to avoid exposure to further vulnerabilities.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this gives an extra boost to your overall understanding of the security breaches happening on the expansive and scary internet.

Cisco SD-WAN Security Bug Allows Root Code Execution

Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation vulnerability in the IOS XE operating system that could lead to arbitrary code execution.

Cisco’s SD-WAN portfolio allows businesses of all sizes to connect disparate office locations via the cloud using various networking technologies, including standard internet connections. Appliances at each location enable advanced analytics, monitoring, application-specific performance specifications and automation for any connection across a company’s wide-area network.

IOS XE, meanwhile, is the vendor’s operating system that runs those appliances. It’s a combination of a Linux kernel and a monolithic application that runs on top of that kernel.

The bug (CVE-2021-1529) is an OS command-injection issue, which enables attackers to execute unexpected, dangerous commands directly on the operating system that normally wouldn’t be accessible. It specifically exists in the command-line interface (CLI) for Cisco’s IOS XE SD-WAN software, and could allow an authenticated, local attacker to execute arbitrary commands with root privileges. The advisory also noted that the exploitation path would involve authenticating to a vulnerable device and submitting “crafted input” to the system CLI. A successful compromise would give an attacker the ability to read and write any files on the system, perform operations as any user, change system configurations, install and remove software, upgrade the OS and/or firmware, and much more, including follow-on access to a corporate network.
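The vulnerability class above is a handler that splices user-supplied text into a command string handed to the operating system's shell. The following is an added illustration written for this article, not Cisco's code and not the IOS XE CLI: the "ping" command, the hostname parameter and the two sample inputs are constructed, and the function names are hypothetical. It shows the unsafe concatenation beside a hardened version that validates the input against an allowlist and then quotes it with PHP's escapeshellarg().

```php
<?php
// Added example (not Cisco code): the OS command-injection pattern described in the
// advisory, shown as a small CLI-style handler beside a hardened version.
// The command, parameter names and sample inputs below are constructed for illustration.

// Vulnerable pattern: caller-controlled input is concatenated straight into a shell
// command string. Any shell metacharacter in $host changes what /bin/sh executes.
function build_ping_command_unsafe( string $host ): string {
    return 'ping -c 1 ' . $host;
}

// Hardened version: first validate the input against an allowlist (RFC 1123 hostname
// labels: letters, digits and hyphens, dot-separated, at most 253 characters), and only
// then quote it with escapeshellarg() so the shell sees a single literal argument.
function build_ping_command_safe( string $host ): ?string {
    $label   = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    $pattern = '/^' . $label . '(\.' . $label . ')*$/';
    if ( strlen( $host ) > 253 || ! preg_match( $pattern, $host ) ) {
        return null; // reject suspicious input outright rather than trying to "clean" it
    }
    return 'ping -c 1 ' . escapeshellarg( $host );
}

// Constructed inputs: a legitimate hostname and one carrying a shell metacharacter.
$inputs = array( 'router1.example.net', 'router1.example.net; echo injected' );
foreach ( $inputs as $input ) {
    printf( "unsafe: %s\n", build_ping_command_unsafe( $input ) );
    $safe = build_ping_command_safe( $input );
    printf( "safe:   %s\n\n", $safe ?? 'rejected by validation' );
}
```

For the second input the unsafe builder returns a string in which the shell would run a second command after the ping, while the hardened builder rejects it before anything reaches the shell. Where the runtime allows it, the stronger design is to avoid the shell entirely and pass the program and its arguments as a separate list (PHP 7.4's proc_open() accepts an array command for exactly this reason), so that no quoting step can be forgotten.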

The majority of organisations are efficient at patching vulnerabilities on the systems they know about, but there is a gaping hole when enterprises lack full visibility into their asset inventory. Abandoned and unknown IT assets are often the path of least resistance, and they are the ones attacked first. CTRL Group recommends adhering to strict patch management to protect vulnerable systems against 0-day exploits and other dangerous attacks. Cisco has recently been releasing patches for its SD-WAN products.


WordPress Plugin Bug Lets Subscribers Wipe Sites

Researchers have discovered a destructive flaw in a WordPress plugin that allows subscribers to wipe sites clean of content. The high-severity security flaw is found in Hashthemes Demo Importer, a plugin used in more than 8,000 active installations. According to security researchers at Wordfence, the vulnerability allows any authenticated user to completely wipe a vulnerable site, “permanently deleting nearly all database content as well as all uploaded media.”

The HashThemes Demo Importer plugin is designed to let admins import demos for WordPress themes with a single click, without having to deal with dependencies such as XML files, .json theme options, .dat customizer files or .wie widget files. The issue identified was that the plugin did not perform capability checks for many of its Ajax actions. Ajax is a JavaScript-based technology that allows a web page to fetch new information and update itself without reloading the page. Any logged-in user could trigger the hdi_install_demo Ajax function and supply a reset parameter set to true, which caused the plugin to run its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.
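The missing check described above is an authorisation control, not an authentication one: WordPress runs any wp_ajax_ hook for every logged-in user, so the callback itself has to confirm the caller's capability. The block below is an added example, not code from the HashThemes plugin or from Wordfence; it uses the hdi_install_demo, database_reset and clear_uploads names the article mentions, with the destructive bodies replaced by placeholders that touch nothing, and shows the unchecked handler beside a hardened one built on WordPress's real check_ajax_referer() and current_user_can() functions.

```php
<?php
// Added example (not the plugin's code): an Ajax handler of the shape the article
// describes, then a hardened version. The hdi_* names come from the article; the
// database_reset / clear_uploads bodies are placeholders and perform no deletion.

// Vulnerable pattern: the wp_ajax_ hook fires for any authenticated user, and the
// callback honours the reset flag without checking who is asking.
function hdi_install_demo_unchecked() {
    if ( isset( $_POST['reset'] ) && 'true' === $_POST['reset'] ) {
        hdi_database_reset_placeholder(); // would truncate nearly every table
        hdi_clear_uploads_placeholder();  // would empty wp-content/uploads
    }
    wp_send_json_success( array( 'status' => 'demo imported' ) );
}

// Hardened handler: require a nonce bound to this action (stops cross-site requests),
// require the capability an administrator needs, and only then honour the reset flag.
function hdi_install_demo_checked() {
    // Dies with a 403 response unless the 'nonce' field matches the 'hdi_install_demo' action.
    check_ajax_referer( 'hdi_install_demo', 'nonce' );

    // Subscribers do not hold manage_options, so the destructive path is unreachable for them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $reset = isset( $_POST['reset'] )
        && filter_var( wp_unslash( $_POST['reset'] ), FILTER_VALIDATE_BOOLEAN );
    if ( $reset ) {
        hdi_database_reset_placeholder();
        hdi_clear_uploads_placeholder();
    }
    wp_send_json_success( array( 'status' => 'demo imported' ) );
}

// Register only the hardened callback. Note there is deliberately no wp_ajax_nopriv_
// registration: unauthenticated visitors get no entry point at all.
add_action( 'wp_ajax_hdi_install_demo', 'hdi_install_demo_checked' );

// Placeholders standing in for the destructive operations the article describes.
function hdi_database_reset_placeholder() {
    // Would truncate every table except wp_options, wp_users and wp_usermeta.
}
function hdi_clear_uploads_placeholder() {
    // Would recursively delete wp-content/uploads.
}
```

The admin page that issues the request has to include a nonce created with wp_create_nonce( 'hdi_install_demo' ) in the 'nonce' field; without it check_ajax_referer() stops the request before the capability test is even reached. When reviewing any plugin, the quick audit is to list every add_action( 'wp_ajax_…' ) registration and confirm each callback performs both of these checks before doing anything that writes or deletes.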

This bug highlights the complexity of vulnerability management: organisations need to know not only which content management systems they are running, but also which plugins are running on those systems. It is yet another example of supply-chain risk, where the WordPress core was trustworthy but the plugin left sites vulnerable. The source link provides a cheat sheet on how to incorporate security into your WordPress environment. In addition, CTRL Group advises always keeping WordPress updated, or checking with your WordPress vendor, so that the environment runs on the latest versions at all times, and taking backups regularly.


Ransomware Attacks are Evolving

Ransomware is an intensifying problem for all organizations, and it’s only going to get worse. What started as a floppy disk-based attack with $189 ransom demands has grown from a minor inconvenience for organizations into a multi-billion dollar cybercrime industry. The organizational threat of these attacks goes well beyond encryption of sensitive or mission-critical data: for many companies, the thought of a breach and their data becoming publicly available on the internet makes a high ransom seem worth paying. No wonder ransomware is on the rise: organizations pay an average of $220,298 and suffer 23 days of downtime following an attack. These attacks compromise not only the availability of data but often its confidentiality and integrity too, because many attacks are accompanied by data exfiltration. Paying threat actors for decryption keys doesn’t guarantee safety for your organization, as the attackers can still sell the stolen data on the dark web.

Modern ransomware attacks typically combine tactics such as social engineering, email phishing, malicious email links and exploitation of vulnerabilities in unpatched software to infiltrate environments and deploy malware. That means there are no days off from maintaining good cyber hygiene. The only practical approach is for organizations to implement a layered security strategy that balances prevention, threat detection and remediation, starting with a zero-trust security strategy. CTRL Group also recommends staying on top of patches for all tools and services, along with regularly scheduled backups for all systems. Organizations should consider going one step further by running drills to test their responses to ransomware attacks.


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, Manharsh and Vignesh.