JUSTFORTHESHELLOFIT

Hardware Supply Chain Risks

The need to deploy the latest server hardware has increased in recent years because of the risks companies face from security flaws in processors. These flaws are steadily increasing and affecting newer equipment at an alarming rate. Given the current state of dealing with the “Black Swan” event that is the COVID-19 pandemic, it may be prudent to include processor shortages as part of Business Continuity Planning.

Demand on silicon producers has outstripped their ability to supply ahead of schedule, as TSMC and Intel (among others) gear up to add manufacturing capacity. The boom in interconnected devices with built-in processors is reaching a point of exponential growth as the “Internet of Things” takes its rightful place in history next to technologies like the home computer and the World Wide Web. Decreased supply capacity, increased demand, and looming processor security flaws hint at a catastrophe waiting to happen.

While the likelihood of such events culminating in devastating consequences is low, the significance of their impact creates a very big dilemma. The amount of resources needed to account for such an event is small enough to justify including what might be seen as an outlier in risk management. Bolstering detection technologies for specific threats during such a time should be weighed against the complexity of processor attacks as well as the current state of a company’s cybersecurity infrastructure. While the sky is not falling yet, the potential for this looming event does exist.

Web Shells

Microsoft Exchange finds itself being updated repeatedly in a short span after the January discovery of suspect activity from a reportedly Chinese APT. Several CVEs have been documented, including the use of a Server Side Request Forgery (SSRF) vulnerability. Publicly available scripts can now be used to scan and test WAN-facing systems.

If an attacker wants to enumerate mail exchange server data there are multiple tools available, given that domain names are a good place to start. This might fall under the Open Source Intelligence Gathering category known as OSINT. One free tool that is available with minimal installation is Maltego. Through the use of transformations on a domain name it may become easy to discover the information for mail exchange servers.

While SSRF-style attacks are being mitigated by big cloud providers like AWS and Azure, it is interesting to note that this vulnerability does not affect Office 365 customers. Being limited to on-premises installations of Microsoft Exchange might lead some information systems departments to consider the transition to online services, as the rapid development of Microsoft’s hosted platform appears to be a higher priority than continued support for Exchange.

BOLA is Super-Contagious

Given the choice of having IDOR or BOLA, which do you think is preferred? The correlation with Ebola Virus Disease aside, it should be noted that IDOR and BOLA are one and the same. IDOR (Insecure Direct Object Reference) and BOLA (Broken Object Level Authorization) are abbreviations reserved for manipulating object IDs via APIs in web applications.

But what does that really mean? Without getting overwhelmed by the details, an attacker can use legitimate access to an API to run queries and expose object IDs, and their associated data, wherever a predictable identifier is used. These techniques have featured in several different attacks over the years, and now BOLA finds itself at the top of the OWASP Top Ten and is being used to exploit web applications repeatedly.

Why does this matter right now? The level of complexity required to find a BOLA is relatively low, and the fact that it is prevalent across applications means there is money to be made in finding and fixing this vulnerability. Those new to cybersecurity could use this opportunity to take advantage of low-hanging fruit, earning experience and money hunting down these threats through bug bounties and responsible disclosure.
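To make the BOLA/IDOR pattern concrete, here is an added example (not code from the original post) showing the same record lookup written without and with an object-level authorization check, an audit helper that measures how many records one account can reach, and a small access-log heuristic for spotting ID probing. The invoice records, user names, API paths and log lines are all constructed for the example.

```python
"""Added example (not code from the original post): the same object lookup
written with and without an object-level authorization check, plus a simple
log heuristic for spotting ID probing. All names and data are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner: str
    amount: int


# Constructed sample records. Sequential IDs are what make guessing cheap.
INVOICES = {
    "1001": Invoice("1001", "alice", 250),
    "1002": Invoice("1002", "bob", 4000),
    "1003": Invoice("1003", "alice", 75),
}


class NotFound(Exception):
    """Raised for a missing record and, in the hardened version, also for a
    record the caller does not own, so the response never confirms which IDs
    exist."""


def get_invoice_bola(current_user, invoice_id):
    """Vulnerable pattern: the caller is authenticated, but the lookup never
    asks whether this user is allowed to see this particular object."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_checked(current_user, invoice_id):
    """Hardened pattern: ownership is checked on every object access. Random
    (non-sequential) IDs alone would not fix this; the check closes the hole."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def exposure_audit(lookup, current_user, candidate_ids):
    """Reports which records a single account can reach across a range of IDs.
    Meant as a CI test: the hardened lookup should only return the caller's
    own objects."""
    reachable = []
    for cid in candidate_ids:
        try:
            reachable.append(lookup(current_user, str(cid)).invoice_id)
        except NotFound:
            continue
    return reachable


# Constructed access-log lines in the form "<user> <method> <path> <status>".
SAMPLE_LOG = [
    "alice GET /api/invoices/1001 200",
    "alice GET /api/invoices/1003 200",
    "bob GET /api/invoices/1001 404",
    "bob GET /api/invoices/1002 200",
    "bob GET /api/invoices/1003 404",
    "bob GET /api/invoices/1004 404",
    "bob GET /api/invoices/1005 404",
    "bob GET /api/invoices/1006 404",
]


def flag_id_probing(log_lines, threshold=5):
    """Returns users denied on at least `threshold` distinct object IDs; a run
    of 403/404 responses across adjacent IDs is a common sign of probing."""
    denied = defaultdict(set)
    for line in log_lines:
        user, _method, path, status = line.split()
        if status in ("403", "404"):
            denied[user].add(path.rsplit("/", 1)[1])
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(exposure_audit(get_invoice_bola, "bob", range(1000, 1010)))
    print(exposure_audit(get_invoice_checked, "bob", range(1000, 1010)))
    print(flag_id_probing(SAMPLE_LOG))
```

Run as a script, the vulnerable lookup lets `bob` reach all three invoices while the checked lookup returns only his own, and the log heuristic flags `bob` because five of his requests were denied across distinct IDs. The threshold is deliberately a parameter: on a real API it should be tuned against normal traffic so that ordinary typos and stale links do not trip it.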

Cybersecurity Weapon Control

While gun control in the United States is a very passionate topic for some, cybersecurity weapons are freely available to those with the inclination to obtain them. With the recent disclosure of several cybersecurity tools (including the paid-for Cobalt Strike), this may spark another conversation about regulating software. Should we be required to register and license cybersecurity weapons in the modern era?

The open-source nature of collaborative software development can lead to greater access for enthusiasts, professionals, and criminals alike. Some features are granted on a pay-to-play basis, and other software packages require an outright purchase and license to use. We see that the ecosystems developed around Linux, Mac, and Windows are prolific with free software written for the communities, albeit closed source at times.

This freedom to obtain and use software may find itself regulated in the near future. Accountability issues arise from allowing cyber-weapons to fall into the hands of threat actors. If software engineers could find a way to make a tool depend on an online library or function tied to registration, there may be a security control that could be applied.

Without advocating for controlling what is perceived as an open and free resource, it might be time to consider the registration of cyberweapons and their use online. When clients such as the U.S. Government become part of an attack from an Advanced Persistent Threat, it creates a window of opportunity to exert influence based on the open-mindedness of the affected. Not that drastic measures are warranted, but this could be the time to construct the shell of the conversation.

Supply Chain Attacks

A supply chain attack is an indirect attack that originates from an organization that provides a good or service to the company being attacked. The idea here is that while the primary organization (US Government) will have strict security controls, it is not likely that all of the supplying vendors have the same controls.

We can see that the trust relationship, or relational boundary, between the primary organization and the vendor is what is truly being compromised. When the primary organization develops outside relationships without requiring the same set of controls it uses internally, it will be susceptible to this type of attack.

The US Government typically relies on practices and control standards that are guided by a series of publications referred to as NIST Special Publications. While there are many different publications, NIST Special Publication 800-53 Rev 4 (Security and Privacy Controls for Federal Information Systems and Organizations) is of particular note concerning the management of internal systems and can be found here: https://nvd.nist.gov/800-53/Rev4/impact/high.

For agencies within the US Government that work with other companies, NIST 800-171 Rev 2 and the burgeoning CMMC (Cybersecurity Maturity Model Certification) provide guidance on how business should be conducted. Of course, just informing you that these standards and certifications exist is not enough to satisfy our need to understand the complexities of what has gone on.

To illustrate the complexity, let’s just say a man named Adam runs an organization named ACME. He has to manage all of the computers and he doesn’t have time to do it himself. Instead, he turns to industry-leading software to manage his assets last March, and he is happily doing business for the rest of the year.

In December he finds out that the software he was using has been compromised, even though he has the best security around. He doesn’t have log retention for the last nine months because there were no indicators that he was compromised. Now Adam has to assume that everything in his company could have been compromised, and this incident costs ACME more money than the management software would ever have saved.

That is what we are looking at here. And if you take this example and apply it to every possible customer using SolarWinds (orion.dll file), you will find that the problem is systemic and has grown out of control.

The interesting part about all of this is that the threat actor behind the attack is supposed to be an APT (Advanced Persistent Threat). When you look at the big picture, it seems that an APT would have patched all systems after obtaining access in order to prevent other APTs from conducting similar attacks. Being discovered this late into a hack may be an indicator of greed or laziness on the part of the attackers.

Security Responsibilities that are a Bit Cloudy

When it comes to securing data in a cloud environment, the responsibility for security can be a bit cloudy. While cloud providers do clearly state who is responsible depending on the level of service, ultimately the responsibility should be shared by all parties involved. Whether in storage, transfer, or processing, data security should be managed with a holistic approach and the understanding that safeguarding sensitive data is a primary function, not a secondary afterthought.

Recently, in a conversation with AWS-certified Bruce Elgort, the view that the auditing tools provided by Amazon are sufficient came up. This train of thought puts the responsibility on the team configuring the S3 buckets, shifting the risk away from the vendor. A point was raised in response that it may be the governing body’s responsibility to safeguard the data of its citizens.

When looking at the bigger picture, it is revealed that many different parties share different parts of the responsibilities being discussed here. In cybersecurity it is well known that compliance drives spending on regulatory controls; however, compliance and security are not necessarily achieved in tandem when either one is carried out. Ultimately, the sector of business dictates what compliance standards are applied. Is it possible that more regulation is needed for cloud vendors?

BYON: The Next Big Security Risk

Bring Your Own Networking (BYON) appears to be the newest “Bring Your Own” fad given the drastic increase in remote work. When one looks around there is not a lot of information out there. It is no wonder when considering how similar BYON and BYOD (Bring Your Own Device) are. They both can boost productivity, cut cost, and spread the need for network resources out to include outside networks. Just as BYOD has its own unique challenges, so does BYON. NIST SP 800-124, section 2.2.3 indicates that “…organizations should plan their mobile device security on the assumption that the networks between the mobile device and the organization cannot be trusted.”

BYON can expose an enterprise network to risks that it would not face otherwise. Let’s go over an example of one situation a company could face. Employees are working from home and can connect to corporate resources using multiple connections. This could be a home broadband network, a company VPN connection, or a mobile hotspot. What this allows an employee to do is work in three different realms at once. While this allows for greater productivity, Michael Tucker believes that it may be exposing companies to new risks. An employee can open a document on one connection, work with a database on another, and manipulate cloud data on the third. The problem with this scenario is that external networks with limited controls are difficult to secure.

By using multiple connections, a security incident becomes more likely when network traffic and computing resources are not properly secured. Through PT Network Attack Discovery, Positive Technologies disclosed that 97% of sample networks showed suspicious activities and 94% of networks were out of compliance with IS policies. Imagine if an employee or vendor is downloading confidential data over an insecure network. There is a possibility that someone unauthorized is listening to your traffic and could steal or alter the data in transit. The corporate network is also more susceptible to viruses and malware that might be contracted during communications on an external network. This could spread the malware from all devices connected to the unsecured network to the enterprise network itself.

This all sounds scary and perhaps insurmountable, but it is not. According to a Tech Republic interview with SysAid CEO Sarah Lahav, the best defense is a good BYOD policy. Now there is a lot of information about that!

According to Chris Witeck, senior director of product marketing at remote access provider iPass, there are many steps that can be taken to help secure this fast-growing trend, among them not allowing unauthorized access. This can be done by creating policy using mobile device management (MDM) software like Citrix Endpoint Manager. This solution allows a company to secure endpoints while providing a centralized computing experience.

Among the more popular articles on this subject, the most common and effective solution is end-user education. Educating users will instill an awareness of proper security practices. There can be consequences for breaking these security practices as well, which might also serve as a good deterrent for improper behavior.

In the end, there are a lot of good things about BYON. It provides greater employee satisfaction and lower corporate costs, to name a couple. There are also significant security threats. Using proper security policies and end-user education, the threat of a data breach is greatly reduced.

Don’t be a Bad Neighbor

This last Tuesday has come and gone and we are left with another high ranking vulnerability being patched by Microsoft during their monthly upkeep. CVE-2020-16898, aka “Bad Neighbor,” discloses an IPv6 vulnerability “which allows an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system” according to Steve Povolny and Mark Bereza in a post at McAfee Labs.

Apparently the Windows TCP/IP stack has trouble handling ICMPv6 Router Advertisement packets that carry the Recursive DNS Server (RDNSS) Option. The Length field of this option must not be even; in other words, it should be odd and have a value of 3 or greater. When a packet does not meet this requirement, unpatched systems can hit a buffer overflow, because the mismatched value is not compliant with RFC 8106. This is just a way of saying that data or instruction sets could be written into memory for execution.

Buffer overflows can lead to shellcode being executed by the target computer. That shellcode could then be used to send maliciously crafted ICMPv6 data to adjacent unpatched computers within the network, making this wormable. This can be mitigated by applying the latest patch from Microsoft, disabling IPv6, or disabling the RDNSS feature for IPv6. Even if you think you are not actively using IPv6 in your environment, it is often turned on automatically and stays that way until it is turned off.
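The RFC 8106 rule above (RDNSS Length must be odd and at least 3) is simple enough to check at the network edge or in a packet-capture review. The following is an added example, not code from the original post or from the McAfee write-up: it walks the option list of an ICMPv6 Router Advertisement and flags any RDNSS option whose Length field breaks that rule, along with options that are truncated or have a zero length. The sample packets are constructed inline with the ICMPv6 checksum left at zero, and the address values are documentation-range addresses chosen for the example.

```python
"""Added example (not from the original post or McAfee's write-up): a checker
that walks the options of an ICMPv6 Router Advertisement and flags RDNSS
options whose Length field breaks the RFC 8106 rule (odd and >= 3).
Packet bytes are constructed here; checksums are left at zero."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type for a Router Advertisement
RA_HEADER_LEN = 16                  # fixed RA header that precedes the options
OPT_RDNSS = 25                      # Recursive DNS Server option (RFC 8106)


def build_rdnss_option(addresses, length_field=None, lifetime=3600):
    """Builds an RDNSS option. A compliant sender sets Length = 1 + 2 * n
    (in units of 8 octets); length_field lets a test override that value."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    if length_field is None:
        length_field = 1 + 2 * len(addresses)
    # type (1), length (1), reserved (2), lifetime (4), then the addresses
    return struct.pack("!BBHI", OPT_RDNSS, length_field, 0, lifetime) + body


def build_router_advertisement(options):
    """Wraps raw option bytes in a minimal RA header (checksum left as 0)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0, 1800, 0, 0)
    return header + options


def check_router_advertisement(pkt):
    """Returns a list of findings; an empty list means every option parsed
    cleanly and each RDNSS option satisfied RFC 8106."""
    findings = []
    if len(pkt) < RA_HEADER_LEN or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return ["not an ICMPv6 Router Advertisement"]
    offset = RA_HEADER_LEN
    while offset < len(pkt):
        if len(pkt) - offset < 2:
            findings.append(f"truncated option header at offset {offset}")
            break
        opt_type, length = pkt[offset], pkt[offset + 1]
        if length == 0:
            findings.append(f"option type {opt_type} has Length 0 (invalid per RFC 4861)")
            break
        # The Bad Neighbor condition: an even (or too small) RDNSS Length.
        if opt_type == OPT_RDNSS and (length < 3 or length % 2 == 0):
            findings.append(f"RDNSS Length {length} violates RFC 8106 (must be odd and >= 3)")
        opt_len = length * 8
        if offset + opt_len > len(pkt):
            findings.append(f"option type {opt_type} declares {opt_len} bytes "
                            f"but only {len(pkt) - offset} remain")
            break
        offset += opt_len
    return findings


def rdnss_servers(pkt):
    """Extracts DNS server addresses from an RA that passed the checker;
    returns an empty list if any finding was raised."""
    if check_router_advertisement(pkt):
        return []
    servers = []
    offset = RA_HEADER_LEN
    while offset < len(pkt):
        opt_type, length = pkt[offset], pkt[offset + 1]
        if opt_type == OPT_RDNSS:
            count = (length - 1) // 2            # RFC 8106: n = (Length - 1) / 2
            start = offset + 8                   # skip type/length/reserved/lifetime
            for i in range(count):
                raw = pkt[start + 16 * i:start + 16 * (i + 1)]
                servers.append(str(ipaddress.IPv6Address(raw)))
        offset += length * 8
    return servers


# Constructed sample packets: one compliant RA and one with an even Length.
GOOD_RA = build_router_advertisement(build_rdnss_option(["2001:db8::53"]))
BAD_RA = build_router_advertisement(
    build_rdnss_option(["2001:db8::53", "2001:db8::5353"], length_field=4))

if __name__ == "__main__":
    print(check_router_advertisement(GOOD_RA), rdnss_servers(GOOD_RA))
    print(check_router_advertisement(BAD_RA), rdnss_servers(BAD_RA))
```

The checker deliberately reports the RFC 8106 violation before the generic truncation check, so a packet that is both malformed and mis-sized still names the RDNSS problem first. Because the Length field is in units of 8 octets, an even value cannot correspond to a whole number of 16-byte addresses after the 8-byte option header, which is exactly why the RFC requires an odd value.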

ZeroLogon Required


Secura’s Tom Tervoort recently revealed the details for why you should have zero tolerance when patching ZeroLogon available in this white paper. There is also a proof of concept (POC) exploit now available on github. This vulnerability takes advantage of what is referred to as “a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol” in Secura’s summary.

So what does this mean and why is it important? While the vulnerability was disclosed previously and subsequently patched by Microsoft, the release of the POC on September 11th means that the attack is now easier to carry out. It requires less skill, and the vulnerability increases in risk because of the lack of complexity for the attack. It was already classified a 10.0 on a scale from 1 (lowest priority) to 10 (highest priority). This type of attack can give threat actors access to the computer that is the controller for all the computers in a Windows domain (the domain controller), resulting in the compromise of all associated accounts.

This isn’t the first disclosure of a bug in Netlogon by Tervoort. Much like previous SMB, Intel, RDP, Citrix, or other vulnerabilities, there has been a progression over time to dig around a little more and find that there are new problems with the same technology. Hopefully the evolution of DevSecOps can help with its “Shift Left” mentality to work on securing applications and protocols during the development phases. These problems may be much cheaper to fix in the beginning, even if it does result in companies shelling out more money for software in the long run.

The “R” Word

The very definition of ransomware is misleading. The use of ransomware is not necessarily for relieving an organization of money, and is often just a tool for leveraging a position in a complicated game of cat and mouse. Ransomware has made its way through government institutions, and is back to declaring unfathomable bounties as it debilitates the private industry. Prevention is favored over the cure in this case, and often is overlooked by the short sightedness of those in charge of budgets.

There is very little to be done during a hostage situation when your data is being held captive. People will spend much more than annual IT budgets to recover data they believe is gone. If you are facing an enemy that is already demanding money from you, it is probably already too late. Not all malware results in a ransom as seen by the ‘Meow’ attack.

BleepingComputer.com

With the introduction of Lockheed Martin’s Cyber Kill Chain, a group published the “taxonomy of crypto-ransomware features” that illustrates the subversion techniques for avoiding this pitfall. The scholarly article is freely available here. This focused research pertains to personal computing devices, but similarities can be drawn to begin talks on future cybersecurity taxonomies relating to devices such as those found in mobile or IoT. Interestingly, this group lists timing-based evasion techniques as one of the most common. This may indicate that stricter control policies based on behavioral characteristics of user logons and computer services may prove effective when combined with detection and automation. The stigma around automation is still present for early adopters, though, because of the dynamic environments present in computing.

Lockheed-Taxonomy of Crypto-Ransomware

It is important to know how this taxonomy relates to real-world application and why ransomware is so prevalent. While security controls are very important, the fact remains that social engineering, especially phishing, has proven time and again that humans are the weakest point of the architecture. Susan Bradley covered this in her 2016 paper titled “Ransomware.” This SANS paper also provides analysis and remediation techniques, with a general approach using current methodologies to recover from, or even prevent, an incident. With the taxonomy providing a shell or framework, and the paper providing actionable steps, workplaces can begin to approach this topic comfortably instead of avoiding it in the belief that not talking about it will help them avoid it.