Manoharan Mudaliar

Cyber Security Consultant

The Most Common Attack Vectors for Ransomware

An attack vector is the path an attacker uses to gain unauthorized access to a network or computer and deliver a payload. Each vector exploits a specific weakness (an exposed service, a stolen credential, a careless user, an unpatched flaw) to obtain a first foothold, from which malware is installed and a broader attack is launched.

Attack vectors are also used to reach personally identifiable information (PII) and other sensitive data. A successful attack on that data usually becomes a data breach that exposes the financial and personal information of hundreds of thousands of customers. With the average cost of a data breach currently estimated at $3.92 million, companies clearly benefit from taking the right preventive steps early.

What Is Ransomware?

Attack vectors are largely the same for every kind of cyber attack, but ransomware puts businesses in an especially difficult position. Whether because of its visibility or the widespread damage recent attacks have caused, businesses rightly view it as a significant threat.

Most ransomware encrypts or locks the files on a system; some variants destroy documents and data outright. Once access to the files is blocked, the malware presents its demand: pay a ransom to get the files back. Ransom amounts vary from case to case, depending on the data being held.

There have also been cases of extorted businesses paying the ransom only to receive further demands before anything was restored. Paying does not guarantee that you get your files back, so think twice.

Victims of ransomware risk losing not only data and files but also productivity and customer trust. Customers are reluctant to keep dealing with an organization that has suffered a major breach and failed to recover from it.

Ransomware first appeared in 1989, and a great deal has changed since. Attacks have matured in sophistication and are far more widespread than ever. 2019 saw a 74 percent increase in ransomware attacks, and the average ransom payment in Q4 2019 was around $80,000. With that earning potential, ransomware is the malware of choice for the Madoffs of the cyber world.

Preventing Ransomware by Understanding the Vectors at Play

What can organizations in the line of fire do to defend themselves? Security experts have long recommended maintaining up-to-date backups at all times. Those backups should be stored offline, or otherwise isolated from anything the attacker can reach from the compromised network, so that affected systems can be wiped and restored if every other defense fails. Restores should also be tested periodically; an untested backup is only a hope.

But with attackers turning up the heat, experts also advise that organizations prepare by watching for and blocking the tactics, techniques and procedures (TTPs) that ransomware gangs favor.

It is therefore critical to understand the tactics attackers use to get in, encrypt your files and deliver their demands. Understanding the attack vectors lets you focus your security effort on the fronts that need better defense.

Loose RDP Endpoints

Rankings of the techniques used by attackers vary from one security firm to the next, because each firm's view is shaped by the geography and the mix of incidents it happens to have investigated.

That said, research from Coveware, a ransomware incident response firm, found RDP to be the most common vector across the roughly 1,000 incidents it handled in the first quarter of 2019. RDP accounted for more than half of the successful attacks Coveware saw in that period, followed by email phishing and exploitation of known or disclosed software vulnerabilities.

RDP, the Remote Desktop Protocol, is a legitimate Microsoft protocol that lets IT administrators reach systems across the firm remotely. It makes remote management convenient, but an RDP endpoint exposed to the internet is also a door for attackers: with valid credentials (guessed, brute-forced or bought), an attacker gets an interactive session on the host and uses it as a foothold from which to move across the corporate network and reach the data in it.

Security firm McAfee recently reported that it has tracked “an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets.”

Organizations that rely on RDP can take several steps to close down exposed endpoints: do not expose TCP port 3389 directly to the internet; require access through a VPN or a remote desktop gateway, so that only VPN users can reach RDP; enforce strong passwords and account lockout; and put multifactor authentication in front of the login. RDP can also be configured to require Network Level Authentication (NLA), so that every user must authenticate before a session is even started, which removes the unauthenticated attack surface of the logon screen.

Phishing for Credentials

Email phishing is the second most common ransomware vector. Attackers use attachments, links or both to trick curious users into opening the attachment or following the link.

Phishing emails usually appear to come from known contacts. The message asks the user to enter credentials for some plausible-sounding reason; the credentials the employee types in are captured and then used to log in as that employee and install the ransomware.

Phishing also arrives as malicious attachments. As above, an unsuspecting employee receives an email from what looks like a known or trusted source, with an attachment they are asked to open. Once the attachment is opened and its macro or embedded code runs, the system is infected and the files on it, and often on the connected network, are held for ransom.

Knowledge truly is power when it comes to limiting the risk of compromise through phishing. Organizations that want to safeguard their data should train employees on the dangers of phishing emails: never enter credentials in response to an unsolicited request, and keep known correspondents saved in the address book so that a look-alike address (one character off, or a slightly different domain) stands out instead of slipping through.
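The address-book advice can be automated: compare every sender against the saved contacts and flag look-alikes and display-name spoofing. The following is an added example, not code from the original article; the contact list, the homoglyph table and the sample From: headers are constructed for illustration.

```python
"""Flag sender addresses that impersonate saved contacts (look-alike domains
and display-name spoofing). Added example; contacts and samples are constructed."""
import re
import unicodedata

# Constructed address book: the contacts the organization has saved.
SAVED_CONTACTS = {
    "alice@example.com",
    "cfo@acme-corp.com",
    "support@bigbank.com",
}

# Character substitutions attackers use to make a fake domain look genuine.
# Assumed table for illustration; extend it with what you see in real phish.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",            # multi-character pairs
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}


def normalize(label: str) -> str:
    """Fold a domain onto its plain-ASCII look-alike so 'acrne-c0rp' == 'acme-corp'."""
    text = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(fake, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_sender(header: str):
    """Split a From: header into (display name, lower-cased address)."""
    m = re.match(r'\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$', header)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def classify_sender(from_header: str, contacts=SAVED_CONTACTS, max_distance: int = 2) -> str:
    """Return 'known', 'known-domain', 'display-name-spoof', 'lookalike' or 'unknown'."""
    name, address = parse_sender(from_header)
    if address in contacts:
        return "known"
    # A saved contact's name shown on an address that is not theirs.
    known_names = {c.split("@")[0] for c in contacts} | set(contacts)
    if name.lower() in known_names:
        return "display-name-spoof"
    domain = address.partition("@")[2]
    contact_domains = {c.partition("@")[2] for c in contacts}
    if domain in contact_domains:
        return "known-domain"            # same organization, unsaved person
    for c_domain in contact_domains:
        if normalize(domain) == normalize(c_domain) or levenshtein(domain, c_domain) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for hdr in ['"Alice" <alice@example.com>',
                'Alice <alice@mail-example.net>',
                'Finance <cfo@acrne-corp.com>',
                '<alerts@bigbank.co>',
                'bob@example.com',
                'Newsletter <news@vendor.net>']:
        print(f"{classify_sender(hdr):20} {hdr}")
```

The homoglyph folding catches substitutions that edit distance alone would miss ("acrne" is two edits from "acme" but one glance from it), while the distance check catches truncated or swapped TLDs such as "bigbank.co". Tune the distance threshold against your own contact list; very short domains produce false positives at 2.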

Drive-By Malware Attacks

Drive-by attacks infect systems through a framework similar to phishing. Criminals plant malicious advertisements on legitimate websites, or compromise the sites themselves, to redirect visitors to a malicious page hosting an exploit kit: code whose sole purpose is to exploit known vulnerabilities in the visitor's browser or its plugins and drop the payload without any further click.

“Exploit kits most frequently used in these drive-by attacks were RIG, Fallout, and Spelevo,” Group-IB says. “Some threat actors, such as Shade and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze and Dharma operators gathered information about the intruded network, moving laterally and compromising entire network infrastructures.”

Malicious Insiders

An insider is an employee or contractor with legitimate access to company systems, data and knowledge of their weaknesses. A malicious insider is one who abuses that access, or passes those weaknesses and that data to outside threat actors.

Unhappy or disgruntled employees are the typical malicious insiders, but any user with access to the network and sensitive data can inflict serious damage through malicious intent or misuse of privilege.

Organizations benefit from keeping an eye on employees who have become unhappy or are on their way out. In practice that means monitoring their data and network access across devices, revoking access promptly on departure, and treating unexplained changes in access patterns (bulk downloads, off-hours logins, access to data outside the person's role) as red flags. Keeping every user's privileges to the minimum the job requires limits what a malicious insider can reach in the first place.

Patchy Protection

Patchy protection, that is, unpatched software vulnerabilities, is the last attack vector covered here. Unpatched software lays out a welcome mat for every malware intruder. Where software is not properly patched or updated, attackers can reach files and data in the network without having to harvest a single credential from an employee. Talk about making work easy for cyber criminals!

Once attackers are in through an unpatched hole, they can attack key systems and exfiltrate sensitive customer data. Many ransomware operations have also reduced their footprint and evolved into forms that are hard to detect. The quiet nature of the intrusion means attackers can dwell in your environment for weeks or months, mapping the network and staging the attack, so that the damage is maximal when the ransomware finally runs, even if you manage some face-saving measures afterwards.

To ensure vulnerabilities in your software are not exploited, you need to identify and remediate them promptly. Periodic vulnerability scans show where the weaknesses are and what you must do to eliminate them; prioritize the ones on internet-facing systems and those already being exploited in the wild.

Regardless of how prepared you are, a cyber security consultant can do wonders for your fight against ransomware. I am a certified information security manager with extensive experience helping organizations across industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

A Useful Guide to Web Application Pen-Testing


Penetration testing, or pen testing for short, is one of the most widely used security assessment practices for web applications. The premise is to simulate unauthorized attacks, from both inside and outside the organization, that attempt to gain access to sensitive information.

The tester behaves as an attacker would, exploiting potential vulnerabilities, but in a controlled and authorized engagement. The point is to find security weaknesses so they can be fixed before a real attacker finds them.

I’ve prepared this in-depth piece to guide you on what’s involved in the complex and systematic process that is web application pen-testing.


Hardware End-of-Life Data Breaches: What You Need to Know


Cyber threats and cybersecurity go hand in hand; as one evolves, so must the other. As cybercriminals modify their strategies and methods in response to stronger cybersecurity measures, cybersecurity solutions need to become more pervasive and sophisticated. However, there is one aspect of cybersecurity that still leaves organizations vulnerable to data breaches: hardware end-of-life, the point at which servers, drives and devices are retired and the data still on them is forgotten.

The Official Annual 2017 Cybercrime Report from Cybersecurity Ventures estimated that worldwide spending on cybersecurity products and services would exceed $1 trillion cumulatively from 2017 to 2021. That indicates organizations are prioritizing cybersecurity, yet little to none of this spending accounts for hardware end-of-life, despite its being a relatively small expense.

In this piece, I’ll go over what organizations should know about hardware end-of-life data breaches.


Cisco Releases Major Security Updates on Various Platforms

Cisco's Security Advisory team has released security updates that address multiple vulnerabilities across several products.

Summary

Several of these vulnerabilities could allow a remote attacker to take control of, or deny service to, an affected system.

Major Affected Software and Appliances

  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software OSPF Packets Processing Memory Leak Vulnerability[1]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPv6 DNS Denial of Service Vulnerability[2]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability[3]
  • Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass Vulnerability[4]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Path Traversal Vulnerability[5]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SSL/TLS Denial of Service Vulnerability[6]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Malformed OSPF Packets Processing Denial of Service Vulnerability[7]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Media Gateway Control Protocol Denial of Service Vulnerabilities[8]

Advisory

It is highly advised to review each Cisco advisory for the affected and fixed releases, check whether your devices run vulnerable software, and apply the fixed release. Internet-facing ASA and FTD devices should be patched first.

For detailed information, please visit

  1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv
  2. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k
  3. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB
  4. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS
  5. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
  6. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN
  7. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-dos-RhMQY8qx
  8. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgcp-SUqB8VKH

Reference

https://tools.cisco.com/security/center/publicationListing.x
https://www.us-cert.gov/ncas/current-activity/2020/05/07/cisco-releases-security-updates-multiple-products


Google Chrome Releases Critical Updates

Summary

Google released Chrome version 81.0.4044.138 for Windows, Mac, and Linux. It addresses vulnerabilities that an attacker could exploit to take control of an affected system.

Risk Level: Medium

Solution

Apply the update: upgrade to Google Chrome 81.0.4044.138 or later. Chrome downloads updates in the background, but the new version only takes effect after the browser is relaunched; verify the running version under Help > About Google Chrome.

For detailed information, please visit the Chrome release announcement [1].

How to upgrade to the latest version [2]

COVID-19 CYBER WARNING BY CISA & NCSC

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS), and the United Kingdom's National Cyber Security Centre (NCSC) have released a joint advisory (AA20-126A).

Cyber attackers are targeting healthcare organizations and companies providing essential services in the national and international response to the COVID-19 pandemic. In view of this activity, NCSC and CISA have issued a warning and a joint advisory to those organizations.

Since the coronavirus outbreak, the risk of Advanced Persistent Threat (APT) actors attempting to gain unauthorized access to these organizations' networks and obtain confidential COVID-19 data has increased significantly. APT actors may seek to collect information on national and international healthcare policy, or to steal research data related to the coronavirus.

APT actors have used password spraying for many years. It is a brute-force technique in which the attacker tries a small number of common passwords against a large number of accounts at an organization, on the assumption that at least one account uses one of them. Trying only a few passwords per account keeps each account below the lockout threshold, which is what makes spraying easy to miss if you only count failures per account. APT groups use this method to gain access to government organizations, law enforcement agencies, research and academic institutions, telecommunication companies, financial institutions and retailers.
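Both the RDP brute forcing described in the ransomware article above and the password spraying described here leave the same evidence, Windows logon failures (event 4625), but with opposite shapes: many failures against one account versus one or two failures against many accounts from a single source. The following detector is an added example, not code from the original page or from CISA/NCSC; the log lines and the thresholds are constructed for illustration, and the line format is a simplified key=value rendering of the 4625 fields rather than the real event XML.

```python
"""Detect RDP brute force and password spraying from Windows logon failures.

Added example, not from the original page. The log lines below are
constructed; they mimic the fields of Windows Security event 4625 (logon
failure) that matter here: TargetUserName, IpAddress and LogonType
(10 = RemoteInteractive, i.e. RDP; 3 = Network).
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time account source_ip logon_type")

# Constructed sample log (one event per line; the 4624 success is ignored).
SAMPLE_LOG = """
2020-05-07T02:00:01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T02:00:04 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T02:00:07 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T02:00:10 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T02:00:13 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T02:00:16 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T02:00:19 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T02:00:22 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 LogonType=10
2020-05-07T03:10:00 EventID=4625 TargetUserName=alice IpAddress=198.51.100.7 LogonType=3
2020-05-07T03:10:10 EventID=4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=3
2020-05-07T03:10:20 EventID=4625 TargetUserName=carol IpAddress=198.51.100.7 LogonType=3
2020-05-07T03:10:30 EventID=4625 TargetUserName=dave IpAddress=198.51.100.7 LogonType=3
2020-05-07T03:10:40 EventID=4625 TargetUserName=erin IpAddress=198.51.100.7 LogonType=3
2020-05-07T03:10:50 EventID=4625 TargetUserName=frank IpAddress=198.51.100.7 LogonType=3
2020-05-07T04:00:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5 LogonType=10
2020-05-07T04:00:30 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5 LogonType=10
2020-05-07T04:01:00 EventID=4624 TargetUserName=bob IpAddress=10.0.0.5 LogonType=10
"""


def parse_log(text: str):
    """Parse the constructed key=value lines into Event records (failures only)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(None, 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        if fields.get("EventID") != "4625":
            continue
        events.append(Event(datetime.fromisoformat(stamp),
                            fields["TargetUserName"].lower(),
                            fields["IpAddress"],
                            int(fields["LogonType"])))
    return events


def detect(events, window_minutes=10, brute_threshold=5,
           spray_min_accounts=5, spray_max_per_account=2):
    """Return brute-force (source, account, logon_type) and spray (source) findings.

    Brute force: one source fails >= brute_threshold times against one account
    inside a window. Spray: one source fails against >= spray_min_accounts
    distinct accounts in a window while staying at <= spray_max_per_account
    attempts each, i.e. deliberately under a typical lockout threshold.
    """
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev.source_ip].append(ev)

    brute, spray = set(), set()
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        end = 0
        for start in range(len(evs)):
            # Slide the window end so evs[start:end] spans less than window_minutes.
            while end < len(evs) and evs[end].time - evs[start].time < window:
                end += 1
            win = evs[start:end]
            per_account = Counter(e.account for e in win)
            for account, n in per_account.items():
                if n >= brute_threshold:
                    types = Counter(e.logon_type for e in win if e.account == account)
                    brute.add((source, account, types.most_common(1)[0][0]))
            if (len(per_account) >= spray_min_accounts
                    and max(per_account.values()) <= spray_max_per_account):
                spray.add(source)
    return {"brute_force": sorted(brute), "spray": sorted(spray)}


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
```

Note that the two legitimate typos from 10.0.0.5 trigger nothing, and a logon type of 10 in a brute-force finding tells you the attacker is hitting an RDP listener rather than a file share or VPN portal. Sprays that are spread slowly across hours, or across many source addresses, fall outside a fixed window; widen the window or aggregate by source network when you see that pattern.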

Oracle WebLogic Server Vulnerable to CVE-2020-2883

Oracle has notified customers that the previously disclosed vulnerability CVE-2020-2883, an unauthenticated flaw reachable over the T3 and IIOP protocols that allows takeover of a WebLogic Server and was fixed in the April 2020 Critical Patch Update (the CVE entry at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2883 was created on 2019-12-10), has resurfaced as a high-risk issue because malicious cyber actors are now targeting unpatched servers. Where the patch cannot be applied immediately, a standard interim mitigation is to block T3 and IIOP access to the server at the network level.

Known Affected Versions

10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.

Advisory

It is highly advised to review the Oracle Blog and the April 2020 Critical Patch Updates for more information and apply the necessary patches as soon as possible.

WebLogic RCE exploits explained and demonstrated by a researcher (the linked repository covers CVE-2020-2546, a related WebLogic T3 deserialization flaw addressed in the January 2020 CPU):

https://github.com/hktalent/CVE_2020_2546

Reference

https://www.us-cert.gov/ncas/current-activity/2020/05/01/unpatched-oracle-weblogic-servers-vulnerable-cve-2020-2883

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2883

https://nvd.nist.gov/vuln/detail/CVE-2020-2884

https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aoracle%3aweblogic_server%3a10.3.6.0.0

https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixEM

https://www.securityweek.com/oracle-says-hackers-targeting-recently-patched-vulnerabilities

Cisco IOS XE SD-WAN Software Command Injection Vulnerability

Cisco has released security updates to fix a command injection vulnerability in Cisco IOS XE SD-WAN software.

As per Cisco Security Advisories “An attacker could exploit this vulnerability to take control of an affected device”

Cisco has rated the impact High; review the advisory (Bug ID CSCvs75505) and apply the fixed software release.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwcinj-AcQ5MxCn

Sources:

The bug was reported by Julien Legras and Thomas Etrillard of Synacktiv.

Synacktiv's write-ups contain some interesting exploit examples; see the exploit section and the SD-WAN pentest series:

https://www.synacktiv.com/category/exploit.html

https://www.synacktiv.com/posts/pentest/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html

Microsoft Office 365 security best practice and recommendation

U.S. Govt Issues O365 Security Practice and Recommendation

Summary

Most businesses are shifting to Microsoft Office 365 and other cloud services to support collaboration across departments and meet their telework requirements. Because these services are being deployed rapidly, organizations may be overlooking the security configuration of these third-party platforms.

Details

There are many security best practices and recommendations available. I strongly recommend fine-tuning them to your own deployment and design architecture; one size never fits all. COVID-19 has made work from home (WFH) the new normal for almost every organization, with most work now carried out from home.

Microsoft O365 provides cloud-based email, chat and a range of other cloud applications. The abrupt shift to work from home may necessitate rapid deployment of cloud collaboration services such as O365, but a hasty rollout can lead to oversights in security configuration and undermine a sound O365-specific security strategy.

Below are a few best practices for an O365 deployment.

Best Practices for O365 Deployment

Enable Multi-Factor Authentication for Administrator Accounts

The account that creates an Azure subscription or tenant is assigned the Global Administrator role by default. Global Administrators hold the highest privileges and can modify every setting in the Azure Active Directory (AD) behind an Office 365 environment: add or change users, assign roles, reset passwords, and manage licenses and domain names. In an on-premises Active Directory, this is the equivalent of a domain administrator.

The Global Administrator accounts are created before any other accounts so that tenant configuration and user migration can begin. In older tenants these accounts are not protected by multi-factor authentication by default, and even the newer “security defaults” feature, which requires MFA for administrators, may need to be turned on by the tenant administrator. Because they are cloud-based, Global Administrator accounts are reachable from anywhere on the internet, so a Global Administrator protected only by a password is an attractive target, and an attacker who compromises one during the migration to Office 365 controls the whole tenant. Enable MFA on every Global Administrator account before anything else is migrated.

Assign Administrator Roles Using Role-Based Access Control (RBAC):

Given the privileges attached to the Global Administrator role, these accounts should be used only when required. It is better to use the more specific Azure Active Directory (AD) administrator roles, such as Application Administrator, Application Developer and Authentication Administrator, to avoid, or at least minimize, assigning high-level privileges.

Moving to least privilege minimizes the damage a breach can do if any one administrator account is compromised. Administrators should be assigned only the permissions their roles and tasks require.

Enable the Unified Audit Log (UAL):

The Unified Audit Log is a logging feature in Microsoft Office 365 that records events from Exchange Online, Azure Active Directory (AD), SharePoint, OneDrive, Power BI and the other online services O365 offers. It lets administrators look for malicious activity and for actions that violate organizational policy. Confirm that audit logging is turned on in the Security and Compliance Center; in older tenants it may be off, and nothing is recorded until it is enabled. Administrators need the appropriate audit role to search the log.

Even though most users have no administrative privileges in an Office 365 environment, they can still reach information that would damage the business if it fell into unauthorized hands. Cybercriminals compromise ordinary user accounts through phishing emails and then use the applications and data that account can access to move further into the organization's cloud environment. The UAL is what lets you trace that activity after the fact.

Disable Legacy Protocol Authentication When Appropriate

Azure Active Directory (AD) is the identity service Office 365 uses to authenticate users to its email service, Exchange Online. Exchange Online also supports a number of legacy mail protocols, including:

  • Post Office Protocol (POP3)
  • Simple Mail Transfer Protocol (SMTP, i.e. authenticated SMTP submission)
  • Internet Message Access Protocol (IMAP)

These protocols use basic authentication (a username and password only) and do not support modern authentication features such as multi-factor authentication, because they exist to serve older email clients. Tenant administrators can disable the legacy protocols at any time; however, if older email clients are still required for the business, the protocols cannot simply be switched off. That leaves those email accounts with a username and password as the sole means of authentication and increases the risk of credential attacks such as password spraying, since MFA and Conditional Access cannot be applied to a basic-auth session.

One way to handle this is to inventory the user accounts that still require legacy protocols (the Azure AD sign-in logs record the client app used for each sign-in) and authorize only those accounts to use them. Azure Active Directory Conditional Access policies can then block legacy authentication for everyone else, minimizing the number of users able to authenticate with legacy mail protocols. Taking these measures significantly reduces an organization's exposure to credential attacks.
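The inventory step and the resulting exception list can be produced from a sign-in log export. The following is an added example, not code from the original page or from Microsoft: the sign-in records are constructed, their field names follow the Azure AD sign-in log export (userPrincipalName, clientAppUsed, createdDateTime, status.errorCode), and the policy dictionary mirrors the shape of a Graph conditionalAccessPolicy resource; the 30-day reporting cut-off is an assumption.

```python
"""Inventory accounts that still sign in with legacy (basic-auth) mail
protocols and build the exclusion list for a Conditional Access policy that
blocks legacy authentication for everyone else.

Added example, not from the original page or from Microsoft. The sign-in
records are constructed; field names follow the Azure AD sign-in log export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# clientAppUsed values that mean basic authentication (no MFA possible).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

# Assumed reporting cut-off for the sample: 30 days before 2020-05-20.
SINCE = datetime(2020, 5, 20, tzinfo=timezone.utc) - timedelta(days=30)

# Constructed sample export.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "createdDateTime": "2020-05-19T09:01:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "createdDateTime": "2020-05-18T08:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "createdDateTime": "2020-05-19T08:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "POP3",
     "createdDateTime": "2020-05-19T23:40:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "Authenticated SMTP",
     "createdDateTime": "2020-04-05T10:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "createdDateTime": "2020-05-19T11:30:00Z", "status": {"errorCode": 0}},
])


def parse_time(stamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the export."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def legacy_auth_inventory(signins_json: str, since: datetime):
    """Return {upn: {protocol: {"success": n, "failure": n}}} for legacy sign-ins after `since`."""
    inventory = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for rec in json.loads(signins_json):
        if rec["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue
        if parse_time(rec["createdDateTime"]) < since:
            continue
        outcome = "success" if rec["status"]["errorCode"] == 0 else "failure"
        inventory[rec["userPrincipalName"]][rec["clientAppUsed"]][outcome] += 1
    return {upn: dict(protos) for upn, protos in inventory.items()}


def accounts_needing_legacy(inventory):
    """Accounts with at least one successful legacy sign-in: the only ones to exempt."""
    return sorted(upn for upn, protos in inventory.items()
                  if any(c["success"] for c in protos.values()))


def probed_over_legacy(inventory):
    """Accounts that only ever failed over legacy protocols: likely spray targets, not real users."""
    return sorted(upn for upn, protos in inventory.items()
                  if not any(c["success"] for c in protos.values()))


def build_block_legacy_policy(exempt_upns, report_only=True):
    """Conditional Access policy: block legacy clients for all users except the exemptions.

    Graph expects user object IDs in excludeUsers; UPNs are used here only to
    keep the sample readable (assumption for illustration).
    """
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exempt_upns)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    inv = legacy_auth_inventory(SAMPLE_SIGNINS, SINCE)
    print("exempt:", accounts_needing_legacy(inv))
    print("probed only:", probed_over_legacy(inv))
    print(json.dumps(build_block_legacy_policy(accounts_needing_legacy(inv)), indent=2))
```

Two points worth noting from the sample: carol appears in the inventory only through a failed POP3 attempt, which is someone testing her password over a protocol she does not use, not a reason to exempt her; and dave's last legacy sign-in is older than the cut-off, so he is not exempted either. Deploy the policy in report-only mode first and review what it would have blocked before enforcing it; Exchange ActiveSync is its own client app type in Conditional Access, so a policy that lists only "other" leaves ActiveSync open.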

Enable Alerts for Suspicious Activity

Enabling alerts together with the Unified Audit Log (UAL) greatly improves an organization's ability to pinpoint malicious activity in its cloud environment. The Security and Compliance Center raises an alert whenever a defined abnormal event is detected. Organizations should at minimum enable alerts for suspicious logins, such as those from unrecognized IP addresses, and for user accounts that exceed the threshold set for sent emails, a common sign of a compromised mailbox being used for spam or further phishing.

Incorporate Microsoft Secure Score

Microsoft also offers a built-in feature called Microsoft Secure Score, which measures an organization's security posture relative to the Office 365 services it uses and recommends improvements.

Although its recommendations do not cover every aspect of security configuration, the tool is still valuable because Office 365 keeps changing and adding features. Secure Score gives organizations a central dashboard for tracking progress over time and improving compliance and security within the Office 365 environment.

Combine Audit Logs With Current Security Information and Event Management (SIEM) Tool:

Organizations should integrate their existing log management and monitoring solutions with the O365 Unified Audit Log (UAL). This lets them detect unusual activity on-premises and correlate it with potentially malicious activity in the Office 365 environment, so that an intrusion spanning both is seen as one incident rather than two unrelated anomalies.

It is highly recommended that organizations adopt the following measures:

  • Enable multi-factor authentication (MFA). This is one of the most effective mitigations against credential theft for administrators and users in the O365 environment.
  • Secure Azure AD Global Administrator accounts from attack and follow the rule of least privilege.
  • Enable the Unified Audit Log (UAL) in the Security and Compliance Center.
  • Enable alerts so that malicious logins and emails can be acted on proactively.
  • Integrate O365 logs with the organization's SIEM solution.
  • Disable legacy email protocols if they are not required, or limit their use to specific users.