All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of May 2, 2022. I’ve also included some comments on these stories.
Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers
Microsoft on Thursday disclosed that it addressed a pair of issues with the Azure Database for PostgreSQL Flexible Server. If untended, these issues could result in unauthorized cross-account database access in a region, reports The Hacker News.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
Microsoft disclosed vulnerabilities to their Azure Databases this week that were found in January. They mitigated the vulnerabilities rapidly after disclosure but waited to disclose them to the public until now. This gives them more time to analyze and protect against the vulnerability before publicizing it. The pair of vulnerabilities allowed for databases to be replicated by people with a forged certificate, thus giving access to stored data to attackers.
How to Attack Your Own Company's Service Desk to spot risks
In 2020 cybercriminals launched a spear phishing attack against Twitter that successfully scammed victims out of $180,000 worth of Bitcoin, reports Bleeping Computer. The attacker used a phone-based social engineering scam against Twitter employees in order to gain access to privileged accounts.
DYLAN D’SILVA | Security Researcher at Tripwire
Sometimes the path of least resistance actually works. Almost every company has an IT helpdesk, and cybercriminals are targeting them, seeing them as a potential ingress into a company's network. When phishing and reconnaissance are done correctly, it allows cybercriminals to build data profiles and information which will help them achieve their eventual goal of data breach/ransomware/malware/data destruction etc.; take your pick.
Once enough personal information has been obtained, the next step in the social engineering attack is to pose as a legitimate user and request a password reset. If successful, the criminal will then be "handed" a password to the user's account, which could potentially be a privileged account, and from there cause real damage.
Having a Red Team Exercise performed periodically will help leaders and cybersecurity professionals to determine how strong or weak that specific line of defense actually is. What is a Red Team Exercise you ask? For starters, it's not a pen-test. The goal of a pen-test is to identify and exploit as many security gaps as possible. The goal of a Red Team Exercise (which is sanctioned by the company) is to simulate a security incident, and the objective is that they only need to find one way in, exploit it as much as possible, potentially moving laterally across different networks to obtain sensitive information and achieve a specific goal. The underlying goal of the Red Team Exercise is to test the organization's detection and response capabilities.
Let me be clear in saying that this is not an "attack" against IT Helpdesks everywhere, as I have worked on Helpdesks previously and they helped me build strong technical skills. The idea here is to highlight that helpdesks are only one of many ways cybercriminals may try to exploit in order to achieve their goals.
Thoughts & Recommendations
- Have a Red Team Exercise performed on your Helpdesk, as well as other areas of the business. As stated in the article, the goal is to keep the attacks as lifelike as possible and representative of what might happen in the real world.
- Remember that this is a learning exercise for all. If the Red Team succeeds in their exercise, it's an opportunity for everyone to improve. No one should lose their job.
- Ongoing education as it relates to phishing, social engineering and cyberattacks. If your employees understand what and how these are perpetrated, they will be better prepared to spot and defend against them.
How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities
The pictures show neatly trimmed fiber optic cables dug up from underground behind what appears to be a well-hidden grate, notes CyberScoop. The apparent simplicity of the sabotage is all the more harrowing in light of how extensively it disrupted Internet service in France, experts said.
DYLAN D’SILVA | Security Researcher at Tripwire
Here is an example of a brazen attack on critical infrastructure, which disrupted internet service throughout much of France late last week.
The article highlights that the targeted fiber optic cables were cut on both sides, complicating the repairs. Fiber optic cables are notoriously difficult to repair, if they can be at all. Remember, fiber optic cables are made up of thin strands of glass fibers. According to what I could find, there are two methods of repair: 1) Fusion Splicing, which requires an expensive tool and proper training, or 2) Mechanical Splicing, which involves aligning the fiber cores, which is difficult to do, and results in higher-loss splices.
Quoted in the article is Bob Kolasky, who recently served as Director of CISA's National Risk Management Center, who highlighted a couple of key important points:
- This attack appears to be more significant than others in the past
- Fiber Optic Cables are not an easy asset to protect, given the sheer number of them
- The US has built resilience into its telecom and communication assets, including fiber optic systems, so if an attack was to take place, it would not be as detrimental, but there is work to do, especially with protecting vulnerable undersea cables.
Other countries in Europe have taken notice of what happened in France, and one can only assume they are taking increased necessary measures to protect their CI and fiber optic networks. While it would be next to impossible to secure every single cable from physical attack, I think what matters here is a couple of things:
- Risk Management and Identification - run all of your assets through a Risk Matrix to determine what is the most vulnerable.
- If available and at your disposal, use tools like ML and AI to assist with the above; the more data points and better data you have, the better able you will be to see where you are vulnerable.
- Detection & Response - Identify what detection methods you can and will use to determine attacks (both digital and physical), formulate response plans to each scenario and just as importantly, practice them.
Vulnerabilities in Aruba and Avaya Switches Expose Enterprise Networks to Attacks
Switches used by organizations around the world are affected by critical vulnerabilities, according to enterprise device security company Armis. If unchecked, these vulns could allow malicious actors to gain remote access to enterprise networks and steal valuable data, notes Security Weekly.
DYLAN D’SILVA | Security Researcher at Tripwire
This is a prime example of why Vulnerability Management is an important part of your overall cybersecurity strategy.
Network switches made by Avaya and Aruba, which are used by organizations in all sizes and verticals are affected by two types of critical vulnerabilities, which lead to REC (Remote Code Execution).
The root cause of this issue is related to a previously discovered flaw, by Armis Security, which was related to vulnerabilities in APC Smart-UPS devices, which misused NanoSSL, a popular TLS library. In Avaya and Aruba's cases, researchers found their network switches suffered from a similar flaw, as those products also appear to misuse the same TLS Library. This flaw is dubbed as TLStorm 2.0, and if properly exploited, it will allow an attacker to take full control of the switch, which can lead to:
- Breaking network segmentation, allowing more access to other devices, as well as lateral movement across the network.
- Exfiltration of data and corporate network traffic.
- Captive Portal Escape
- from helpnetsecurity.com
Aruba devices affected by TLStorm 2.0:
- Aruba 5400R Series
- Aruba 3810 Series
- Aruba 2920 Series
- Aruba 2930F Series
- Aruba 2930M Series
- Aruba 2530 Series
- Aruba 2540 Series
Avaya devices affected by TLStorm 2.0:
- ERS3500 Series
- ERS3600 Series
- ERS4900 Series
- ERS5900 Series
Patches from Avaya and Aruba are available from their support portals. From what the article reports, Armis Security worked with the vendors proactively to disclose the issues so they could be patched.
Thoughts and Recommendations
For those businesses using the Avaya and Aruba network products mentioned above, take immediate action and follow your company's patching guidelines (notifying users, scheduling downtime, taking backups of configs, establishing a rollback plan etc.). Remember that these devices may require downtime to patch and reboot, so I doubt it would be applied during regular business hours. For general best practices, consider the following:
- Asset Management - A lot of companies may have aging infrastructure, or perhaps a mishmash/variety/plethora (take your pick) of different hardware products, including different brands of network hardware for different reasons. Maybe your remediation strategy was never fully realized, or perhaps a new CIO/CISO/Leadership liked a specific brand and wanted to start migrating to that platform. Either way, do you and your team know every single piece of hardware on your network? If you don't know what assets reside on your network, how can you competently protect your business? All an attacker needs is one weakened entry point.
- Risk Management - Once you have a full inventory of your assets, then you can determine next steps on identifying what is out of date, requires patches, may need to be upgraded etc.
- Vulnerability and Patch Management - Apply the appropriate risk response, which can include applying the appropriate patches and updates to all devices, software etc. that have been deemed to pose a certain level of risk to the organization. As mentioned previously, ensure you are following your company's procedures.
- If you and your company are still trying to develop your cybersecurity strategy, consider using best practices Frameworks, such as NIST Cybersecurity Framework Version 1.1, and CIS Critical Security Controls.
U.S. DoD tricked into paying $23.5 million to phishing actor
The U.S. Department of Justice (DoJ) has announced the conviction of Sercan Oyuntur, 40, a resident of California, for multiple counts relating to a phishing operation that caused $23.5 million in damages to the U.S. reports Bleeping Computer.
DYLAN D’SILVA | Security Researcher at Tripwire
The headline itself is almost unbelievable to read: U.S DoD tricked into paying $23.5M to a phishing actor, but as the saying goes "it's not a matter of if, it’s just a matter of when" as it relates to a business experiencing some sort of cyberattack, be it phishing, ransomware, data exfiltration/cyber espionage, data destruction (and the list goes on).
I think the consensus would be that the DoD would have the best tools and people to thwart cyberattacks against their systems, and while that may be true, the reality is that phishing scams have always and will continue to rely on humans, who are fallible.
The phishing operation as explained in the article appears to be quite simple in some respects and sophisticated in others. The attacker was able to carry out the following:
- Register a domain that was very similar to a legitimate domain used by the DoD/Military.
- Phishing emails were sent from the fake domain to a list of Vendors obtained from a database where companies who want to do business with the Government register themselves.
- The email had a cloned "login.gov" website where the victims input their account details (for their access to the vendor database).
- At least one case showed that the attacker logged into one of the stolen accounts and noticed a $23M pending payment.
- The attacker then logged into the vendor database posing as the victimized corporation and changed the registered banking information to one that they controlled.
How they overcame safeguards:
- The DoD Server had security measures in place that scanned the database every 24 hours for bank account changes and blocked payments of invoices that met specific criteria.
- The attackers discovered this and resorted to calling a DoD Support Department and provided false explanations and requested manual approval of the changes, which was done.
How they got caught:
- The attackers also opened a separate shell company so they could funnel and launder money through, however when the $23M payment when through, they used falsified invoices of a car dealership's car sales to make it look like the $23M was legitimate.
- The dealership used in the scheme wasn't a government contractor and wasn't registered in the vendor database, which was flagged as a mismatch
Thoughts & Recommendations
- Have ongoing user education/training and knowledge building. This could involve setting up an internal phishing program/campaign that you run against all your employees to validate how well they can spot a phish. If a user falls for a phishing attempt, provide them with more learning opportunities. To be clear, this should not be a "naming and shaming" exercise. The objective is to better equip and prepare your employees to spot and stop legitimate phishing attempts in their tracks.
- Where applicable, have automated data validation in place, which could include a FIM solution. Don't know what FIM (File Integrity Monitoring) is or what it does? Find out.
- Secondary, manual processes for data manipulation may be in place for a good reason. If those manual processes are used, double-check why they are being and what's being changed.
- Use the NIST Cybersecurity Framework and CIS Controls and Guidelines to help build your cybersecurity strategy, which include "Detection" and "Response" guidelines when an incident occurs.
Critical RCE Bug Reported in dotCMS Content Management Software
A pre-authenticated remote code execution vulnerability has been disclosed in dotCMS, an open-source content management system written in Java and "used by over 10,000 clients in over 70 countries around the globe, from Fortune 500 brands and mid-sized businesses," describes The Hacker News.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
dotCMS is subject to a code execution vulnerability. This vulnerability allows attackers to utilize a directory traversal and a file upload vulnerability. An attacker could upload a malicious file that gives them access to a shell on an affected system. To exploit this issue an attacker could overwrite files to upload the web shell. The vendor has released versions 22.03, 5.3.8.10, and 21.06.7 to fix this issue.
Unpatched DNS Bug Puts Millions Of Routers, IoT Devices At Risk
An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks, researchers have found. Threat Post notes that this bug could affect millions of IoT devices and routers, potentially taking control of them.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
Increasing numbers of Internet of Things devices in our daily lives come with increased vulnerability. An example of this is the unpatched DNS bug that affects routers and IoT devices that use the C standard libraries uClibc and uClibc-ng. There is a flaw in the libraries that allow for the predictability of the transaction IDs. The transaction IDs being predictable can allow attackers that win a race condition to successfully execute a DNS poisoning attack. There is currently no fix for this bug at this time.
