A Month In Breaches: November

A Month in Breaches November Issue, breaches, Breach Data, compromise

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. We observed system compromise and numerous cybersecurity attacks in November. Please see below for mitigation strategies recommended by CTRL Group.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening on the expansive and scary internet.

A Chinese Attack Group manages Library of Breached Certificates 

APT41, a freelance Chinese APT group, is notorious for carrying out attacks to steal intellectual property (cyber espionage), as well as for their own personal financial gain. Recently it was found to be managing a library of breached digital certificates to support their cyber-attacks against supply chain vendors. These attacks often come to serve China’s geopolitical aspirations, dictated by the regime. 

The APT41 group spent the last decade conducting attacks with the aim to compromise code signing keys and certificates in “low value” targets. These certificate libraries now aid them in their wide array of cyber espionage attacks against businesses from multiple industries. 

The library contains digital certificates and keys acquired from underground marketplaces, other Chinese attack groups and cyber-attacks conducted by the group itself. This allows the group to pick the suitable certificate for specific victims, which increases their success rate as it allows the malware to bypass security controls by appearing legitimate. 

Digital certificates are used to confirm the identity of the software creator, to ensure that the code is issued by a trusted publisher and has not been altered by a malicious threat actor. Users and security tools typically trust signed code even if they don’t know the company that developed it or the issuer of the certificate, hence the high-risk potential in malicious actors acquiring code signing keys. 

Can you prevent this attack?  

Yes, you can defend (if not mitigate) the risk, using the following recommendations regarding your supply chain security:  

  1. Ensure that only authorised parties have administrative permissions to your development environment. 
  2. Configure your systems so that only developers can only submit code signed with a cryptographic key, such as GPG (GNU Privacy Guard). 
  3. Make sure that keys used by automation expire periodically, to limit the attacker’s time to maliciously use them if they are compromised. 
  4. Follow the principle of least privilege access – systems should have read access only to source code. 
  5. Only trust registries from trusted sources – set an authorized list of registries your dependency manager allows connections to, so malicious packages from public registries do not compromise your systems. 
  6. Use static application security testing (SAST) to identify serious security issues. 
  7. Maintain segregation between the dev environment and production, to ensure that the principle of least privilege is maintained at each stage. 
  8. Prior to deployment in any environment, validate an artifact’s digest against the artifact in the repository to ensure that it has not been compromised. 
  9. Require two code reviews at the time of pull requests. 
  10. Make sure artifacts are signed, to ensure untrusted ones are not deployed to customer environments. 

 

 

Threat Actors Find and Compromise Exposed Services in 24 Hours 

In a new study conducted by researchers from Palo Alto Networks’ Threat Intelligence team, ‘Unit 42’, hundreds of honeypots were set up, and 80% of them were compromised within the first 24 hours. 

Honeypots are servers configured to appear as if they are running various software as lures to monitor threat actors’ tactics. Malicious actors are constantly scanning the Internet for exposed services that could be exploited to access internal networks or perform other malicious activity. To track what software and services are targeted by threat actors, researchers create publicly accessible honeypots.  

During their research, Unit 42 included honeypots with remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and were kept alive from July to August 2021. These honeypots were deployed worldwide, with instances in North America, Asian Pacific, and Europe. 

Researchers set up 320 of them to see how quickly threat actors would target exposed cloud services, and report that 80% of them were compromised in under 24 hours. The time to first compromise is analogous to how much the service type is targeted. For SSH honeypots, which were the most targeted, the meantime for the first compromise was three hours, and the mean time between two consecutive attacks was about 2 hours. 

Unit 42 also observed a notable case of a threat actor compromising 96% of the experiment’s 80 Postgres honeypots in just 30 seconds. This finding is very concerning as it could take days, if not longer, to deploy new security updates once they are released, while threat actors can exploit exposed services within hours. The researchers also wanted to determine whether the location makes any difference and reported that the APAC region received the most attention from threat actors. 

Unit 42 also wanted to examine the common belief that blocking malicious IPs by drawing data from network scanning projects (which identify hundreds of thousands of malicious IPs daily) helps mitigate these attacks. This was checked using a sub-group of 48 honeypots, and the results were surprising: blocking over 700,000 IPs had almost no impact on the number of attacks between the sub-group and the control group. 

Recommended Mitigation Actions 

Unit 42 recommended the following mitigation actions against threat actors that are constantly scanning the Internet for exposed services: 

  1. Block privileged ports on your network. 
  2. Create audit rules to monitor all the open ports and exposed services.
  3. Create automated response and remediation rules to fix misconfigurations automatically.
  4. Deploy next-generation firewalls (WFA or VM-Series) in front of the applications. 
  5. Always install the latest security updates as they become available, as threat actors rush to utilise exploits for new vulnerabilities as they are published. 

 

 

U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Vulnerabilities 

the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC) and the U.K.’s National Cyber Security Centre (NCSC) have released a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange vulnerabilities by Iranian state-sponsored actors, to gain initial access to vulnerable systems for follow-on activities such as data exfiltration and ransomware. 

The Iranian threat actor is believed to have leveraged multiple Fortinet vulnerabilities dating back to March 2021, as well as a remote code execution flaw affecting Microsoft Exchange Servers since October 2021.  

The agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The agencies assess that the actors are focused on exploiting known vulnerabilities across the board rather than targeting specific sectors. 

These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion. The list of vulnerabilities being exploited in this campaign are: 

  1. CVE-2021-34474 (CVSS score: 9.1) – Microsoft Exchange Server remote code execution vulnerability (aka “ProxyShell”). 
  2. CVE-2020-12812 (CVSS score: 9.8) – FortiOS SSL VPN 2FA bypass by changing username case.
  3. CVE-2019-5591 (CVSS score: 6.5) – FortiGate default configuration does not verify the LDAP server identity.
  4. CVE-2018-13379 (CVSS score: 9.8) – FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.

 

Recommended Mitigation Actions 

The FBI, CISA, ACSC, and NCSC urge organisations to apply the following recommendations to mitigate the risk of compromise from Iranian government-sponsored cyber actors. 

  1. Immediately patch software affected by vulnerabilities identified in this advisory – CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. 
  2. Regularly evaluate and update blocklists and allowlists. 
  3. Regularly back up data, air gap, and password protect backup copies offline. 
  4. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).  
  5. Implement network segmentation to restrict the adversary’s lateral movement.  
  6. Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.  
  7. Require administrator credentials to install the software.  
  8. Use multi-factor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.  
  9. Require all accounts with password logins to have strong, unique passwords. 
  10. If you use RDP, restrict it to limit access to resources over internal networks. 
  11. Disable unused remote access/RDP ports. 
  12. Monitor remote access/RDP logs.  

 

 

– CTRL GROUP SECURITY OPERATIONS CENTRE Cyber Threat Intelligence Analyst, Yonatan