A Month In Breaches: July

Malware, exploits and other breaches continued to plague the month, as discovered by CTRL's cybersecurity experts.

This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7 and proactively observe breaches and critical security trends. In June, we continued to see attack vectors prone to malicious activity. This month, we have seen multiple systems exploited, leaving them vulnerable to further malicious activity.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your overall understanding of the security breaches happening on the expansive and scary internet.

Kaseya Ransomware Supply-Chain Attack

Kaseya, a company that provides cloud-based IT management and security software for Managed Service Providers (MSPs) and enterprise clients, became the victim of a ransomware cyber attack on the 2nd of July. The infamous Ransomware-as-a-Service group “REvil” locked up at least 60 of its direct customers, causing a cascading effect on a reported 1500 further customers spanning 22 countries.

The REvil criminal group targeted Kaseya due to its large reach within the MSP field and the potential for large-scale infection. Three zero-day security vulnerabilities were discovered within Kaseya’s VSA (Virtual System / Server Administrator) platform, which is used by many of its customers. With high confidence, the attack used a vulnerability to bypass authentication within the VSA web interface, which allowed the group to gain an authenticated session and upload a malicious payload, then move laterally through the software and push ransomware updates to clients’ systems. Fortunately, Kaseya caught wind of this quickly and managed to shut down its servers and warn clients, limiting the attack to the already devastating number of affected clients.

It was reported that the REvil gang demanded USD $70 million for the universal public decryption key, with Kaseya announcing on 21/7/2021 that it had obtained a decryption tool through a “trusted third party”, but not confirming whether it had paid the ransom.

This recent cyber-attack demonstrates the potentially devastating effects of a compromised supply chain on businesses, and how attacks may come from a trusted third party. Third-party risk management is therefore especially crucial: understand the overall maturity of the third party’s cybersecurity program, identify gaps in program design or execution, and manage the risk exposure that these third parties present. Managing third-party risk requires continuous monitoring, starting from the vetting process through to the annual audit. Continuous monitoring gives visibility into the ongoing risk posture of third parties, so risks and vulnerabilities can be identified as soon as they happen, or even before they occur.

Additionally, CTRL Group recommends making sure third-party contractors are always granted permissions according to the Principle of Least Privilege, to reduce risk and contain compromises. Backups must be taken for all systems and servers.


Microsoft releases mitigations for a Windows NT LAN Manager exploit

Microsoft rushed to release mitigations for a new exploit that forces remote Windows systems to reveal password hashes that can easily be cracked by malicious actors. The flaw lies in the Windows NT LAN Manager (NTLM), according to the company, and has been dubbed PetitPotam.

The PetitPotam bug lies within the Windows operating system and abuses a remote access protocol called the Encrypting File System Remote Protocol (MS-EFSRPC). This protocol is designed to allow Windows systems to access remote decrypted data stores, effectively providing for the management of sensitive data while enforcing access control policies, says Microsoft. PetitPotam has been identified as a form of manipulator-in-the-middle attack against the authentication system.

Security researcher Gilles Lionel published proof-of-concept (PoC) exploit code to demonstrate the attack.

Microsoft released an advisory with additional details on how to mitigate these types of attacks. The recommended method is disabling NTLM authentication on Windows domain controllers. However, disabling NTLM authentication risks breaking any application or system that relies on it within your environment. For administrators who are unable to disable NTLM on their domain, Microsoft recommends the other mitigations listed below.

  • Disable NTLM on any AD CS servers in your domain using Group Policy
  • Disable NTLM for Internet Information Services (IIS) on AD CS servers in your domain running the “Certificate Authority Web Enrollment” role
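The following PowerShell audit script is an added example, not code from the article or from Microsoft’s advisory. It checks whether the two mitigations above are in place on an AD CS server: it reads the “Network security: Restrict NTLM: Incoming NTLM traffic” policy value from the registry and lists the Windows Authentication providers configured on the IIS Certificate Authority Web Enrollment site. It assumes the default `Default Web Site\CertSrv` virtual directory; adjust the path if your CA uses a different site.

```powershell
# Added audit example for the two PetitPotam mitigations listed above.
# Run in an elevated PowerShell session on the AD CS server. Read-only: it reports, it does not change settings.
Import-Module WebAdministration -ErrorAction Stop

$findings = @()

# Check 1: Group Policy "Network security: Restrict NTLM: Incoming NTLM traffic".
# Stored as RestrictReceivingNTLMTraffic: 2 = Deny all accounts, 1 = Deny all domain accounts, 0/absent = Allow all.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$incoming = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
$findings += [pscustomobject]@{
    Check  = 'Incoming NTLM restricted on this AD CS server'
    Status = if ($incoming -eq 2) { 'OK' } else { 'FAIL' }
    Detail = "RestrictReceivingNTLMTraffic = $(if ($null -eq $incoming) { 'not set' } else { $incoming }) (expected 2)"
}

# Check 2: Windows Authentication providers on the CA Web Enrollment site.
# Assumption: the default virtual directory name. NTLM should not be listed;
# plain "Negotiate" can also fall back to NTLM, so only "Negotiate:Kerberos" is considered clean here.
$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'
if (Test-Path $certSrv) {
    $authFilter = 'system.webServer/security/authentication/windowsAuthentication'
    $enabled    = (Get-WebConfigurationProperty -PSPath $certSrv -Filter $authFilter -Name enabled).Value
    $providers  = (Get-WebConfiguration -PSPath $certSrv -Filter "$authFilter/providers").Collection |
                  ForEach-Object { $_.value }
    $ntlmCapable = $providers | Where-Object { $_ -eq 'NTLM' -or $_ -eq 'Negotiate' }
    $findings += [pscustomobject]@{
        Check  = 'NTLM disabled for IIS on CertSrv'
        Status = if ($enabled -and -not $ntlmCapable) { 'OK' } elseif (-not $enabled) { 'INFO' } else { 'FAIL' }
        Detail = "WindowsAuthentication enabled = $enabled; providers = $($providers -join ', ')"
    }
} else {
    $findings += [pscustomobject]@{
        Check  = 'NTLM disabled for IIS on CertSrv'
        Status = 'INFO'
        Detail = "Site $certSrv not found; CA Web Enrollment may not be installed or uses another path"
    }
}

$findings | Format-Table -AutoSize
```

A FAIL on either row means the corresponding mitigation from the list above has not been applied on that server.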


Apple Patches Actively Exploited Zero-Day in iOS, macOS

On Monday, Apple patched a zero-day flaw that is being actively exploited in the wild. Found in both its iOS and macOS platforms, it can allow attackers to take over an affected system.

The memory-corruption flaw, tracked as CVE-2021-30807, is found in the IOMobileFrameBuffer extension, which exists in both iOS and macOS, and has been fixed separately for each device platform.

Exploiting CVE-2021-30807 can allow for threat actors “to execute arbitrary code with kernel privileges,” Apple said in the documentation describing the updates.

Apple released three updates on Monday, iOS 14.7.1, iPadOS 14.7.1 and macOS Big Sur 11.5.1, to patch the vulnerability on each of the platforms.

iOS devices that should be updated immediately are the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, Jae, Murray & Zain.