A Month In Breaches: September

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.

Zerologon Vulnerability

Zerologon is a critical privilege-escalation vulnerability (CVE-2020-1472) with a CVSS score of 10 out of 10. It affects the Netlogon Remote Protocol (MS-NRPC) and allows an attacker to gain administrative privileges on a company's Active Directory domain controllers. MS-NRPC is a remote procedure call (RPC) interface used by Windows for user and computer authentication on domain-based networks. The vulnerability exists because Netlogon allows computers to authenticate to the domain controller and change their Active Directory password. An attacker can impersonate a computer and change the password for both the domain controller and Active Directory, thereby gaining full control of the Windows domain.

The first phase of patches was released last August but is only available for Windows Server versions that are still supported and receive security updates. Domain controllers should be updated immediately with the patches Microsoft released in August. According to Microsoft, “The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions.” CTRL Group also insists on maintaining strong patch management to secure all loose endpoints with the most recent patches.
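As an added example (not part of the original newsletter), the following Python script summarises the Netlogon discovery events that the August 2020 updates write on a domain controller, so a SOC can list which machine accounts still rely on vulnerable connections before enforcement is switched on. The event IDs are the ones Microsoft documents for these updates; the pipe-delimited export format and the sample lines are constructed for this example.

```python
import re

# Netlogon event IDs documented by Microsoft for the August 2020 updates:
# 5827/5828 = vulnerable connection denied (machine / trust account),
# 5829      = vulnerable connection allowed during the initial deployment phase,
# 5830/5831 = vulnerable connection allowed by an explicit group-policy exception.
DENIED = {5827, 5828}
ALLOWED_DEPLOYMENT = {5829}
ALLOWED_BY_POLICY = {5830, 5831}
NETLOGON_IDS = DENIED | ALLOWED_DEPLOYMENT | ALLOWED_BY_POLICY

# Constructed sample export: "EventID|Machine account|Domain|Client address".
SAMPLE_EVENTS = """\
5829|LEGACY-NAS$|CORP|10.10.4.17
5829|LEGACY-NAS$|CORP|10.10.4.17
5827|OLDPRINT01$|CORP|10.10.9.3
5830|SCADA-GW$|CORP|10.10.20.5
4624|WS0042$|CORP|10.10.1.44
5829|WS0077$|CORP|10.10.1.77
"""

LINE_RE = re.compile(r"^(\d+)\|([^|]+)\|([^|]+)\|([^|]+)$")


def parse_events(text):
    """Return (event_id, account, domain, address) tuples for Netlogon events only."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines
        event_id = int(match.group(1))
        if event_id in NETLOGON_IDS:  # ignore unrelated events such as 4624
            events.append((event_id, match.group(2), match.group(3), match.group(4)))
    return events


def summarise(events):
    """Group accounts by what the DC did with their vulnerable Netlogon attempts."""
    report = {"still_allowed": {}, "denied": {}, "policy_exception": {}}
    for event_id, account, domain, address in events:
        if event_id in ALLOWED_DEPLOYMENT:
            bucket = "still_allowed"  # will break once enforcement starts
        elif event_id in DENIED:
            bucket = "denied"
        else:
            bucket = "policy_exception"  # review: explicit exceptions stay exposed
        key = f"{domain}\\{account}"
        entry = report[bucket].setdefault(key, {"count": 0, "addresses": set()})
        entry["count"] += 1
        entry["addresses"].add(address)
    return report


if __name__ == "__main__":
    for bucket, accounts in summarise(parse_events(SAMPLE_EVENTS)).items():
        print(bucket)
        for key, entry in sorted(accounts.items()):
            print(f"  {key}: {entry['count']} event(s) from {sorted(entry['addresses'])}")
```

Accounts under "still_allowed" are the devices to fix or explicitly except before the enforcement phase; anything under "policy_exception" should be reviewed regularly because it remains exposed.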

FortiGate VPN Default Configuration Leads to MITM Attack

According to a recent report, the default configuration of Fortinet’s FortiGate VPN appliance could open organisations to man-in-the-middle (MitM) attacks. It was found that the FortiGate SSL-VPN client only verifies whether the certificate used for client authentication purposes was issued by Fortinet or by some other trusted certificate authority. Thus, an attacker could easily present a certificate issued to a different FortiGate router without raising any flags. This leads to a man-in-the-middle attack in which the attacker could inject their own traffic and communicate with devices inside the organisation, including point-of-sale systems and data centres. Shodan revealed that more than 200,000 businesses are using the default configuration and could be easily breached.

Fortinet does not consider this particular issue to be a vulnerability. According to them, users have the full ability to manually change and replace the default certificates to secure their connections appropriately. Each VPN appliance and the set-up process provide multiple clear warnings in the GUI, with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples. Hence, CTRL Group suggests taking these warnings seriously to avoid exposing your organisation to risk.

LokiBot Password Stealer Trojan

LokiBot is an information-stealing trojan designed to collect data from widely used web browsers, FTP clients and email clients. It typically enters systems without the user’s consent. This malware specifically targets the Windows and Android operating systems. A main feature of LokiBot is recording sensitive data: it gathers information mainly from web browsers, be it passwords, login credentials, bank details etc., and continually tracks the user’s activity. Once accessed, this information is immediately saved to a remote server controlled by LokiBot’s developers.

To avoid infection by LokiBot, use network scanners and review your network. Be very careful while browsing the internet and think before opening or clicking any email attachment. Software patches and updates go a long way towards protecting your network, so make sure you have scanning tools to check that your network is fully patched. When downloading software, download from official sources only, using direct download links. Additionally, installing antivirus/antimalware only from trusted developers and keeping it up to date is important to decrease the chance of malware infection.

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh, V-MSK, Jae and Yvette