By: Alex Shanteau, Senior Security Consultant, MAD Security | January 3, 2019
As the untamed cyber threat landscape evolves in scope, sophistication, and reach, the risks organizations face will continue to increase not only in number but in severity, and attackers are finding new ways to infiltrate your internal and external networks every day. In this blog post, we’ll take a look at some common threats you’re likely to see throughout 2019, and over the next several weeks we will go in-depth on prevention and mitigation of these types of attacks.
Sophisticated Phishing Campaigns
Most phishing attacks come in the form of email spam, tricking users out of their credentials, financial details, or other sensitive information. Phishing emails have come a long way from the cliché Nigerian Prince scam. Most current phishing emails replicate an email you may think is completely normal and credible, and can come in a number of formats, from a LinkedIn request to a fraudulent invoice. These phishing emails are becoming ever more sophisticated, including the successful circumvention of multi-factor authentication, the use of homographic domain names, and almost perfect impersonation of legitimate applications. This attack vector exploits the weakest link in the cyber defense chain – people – and can lead to devastating and sometimes catastrophic compromises for companies.
During a recent red team exercise we conducted for an enterprise-sized company, LinkedIn phishing requests were sent to targeted employees who were identified by combing publicly available information on the Internet. These users received an email asking them to join a group associated with their company on LinkedIn. When users clicked on the link included in the email, it took them to a replica login page where they were asked to log into LinkedIn, and of course a number of the users did. We captured these credentials and then attempted to log into public company assets using them. Lo and behold, at least one employee was reusing their LinkedIn password for their company account (that’s another issue), and we were able to compromise extremely confidential information using this entry route.
Phishing attacks commonly lead to stolen credentials, stolen funds when fraudulent invoices are mistakenly paid, and system compromise when attachments containing executable code are opened.
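The homographic domain names mentioned above can be caught before a user ever sees the mail. The following Python script is an added example (not code from the original post or from MAD Security) that decodes punycode sender domains, flags labels that mix scripts, and compares a folded "skeleton" of the registrable label against a hypothetical list of protected brands; the brand list and the confusables subset are assumptions.

```python
import unicodedata
PROTECTED_BRANDS = ["linkedin", "paypal"]  # assumption: brands your users get phished with

# Constructed subset of the Unicode confusables table: Cyrillic/Greek letters that
# render like Latin ones, mapped to their Latin twin.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03b1": "a", "\u03bf": "o"}

def to_unicode(domain):
    """Decode punycode (xn--) labels so lookalike characters become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters

def scripts_in(label):
    """Set of Unicode script names used in a label, ignoring digits and hyphens."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split()[0] if name else "UNKNOWN")  # e.g. LATIN, CYRILLIC
    return scripts

def skeleton(label):
    """Fold a label to a plain-ASCII lookalike form: swap confusables, strip accents."""
    folded = "".join(CONFUSABLES.get(c, c) for c in label.lower())
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def analyze(domain):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    labels = to_unicode(domain).lower().split(".")
    findings = []
    for label in labels:
        used = scripts_in(label)
        if len(used) > 1:
            findings.append(f"mixed scripts {sorted(used)} in label '{label}'")
    # Assumption: single-label TLD, so the registrable label is second from the right.
    brand_label = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in PROTECTED_BRANDS:
        if skeleton(brand_label) == brand and brand_label != brand:
            findings.append(f"'{brand_label}' is a lookalike of protected brand '{brand}'")
    return findings

if __name__ == "__main__":
    # Constructed sample of sender domains (not taken from the original post).
    for d in ["linkedin.com", "lіnkedin.com", "linkèdin.com", "mail.example.org"]:
        print(d, "->", analyze(d) or "clean")
```

Run it over the sender domain of each inbound message (or over DNS logs) and alert on any non-empty result; the skeleton comparison also catches accented Latin lookalikes that a mixed-script check alone would miss.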
Software Vulnerabilities
Finding and remediating software vulnerabilities is an ongoing battle. One of the biggest challenges is staying constantly aware of what assets reside on your network. Without knowing what you have, how can you possibly keep it up-to-date? Incident response reports and even the results we have from penetration tests we’ve conducted often identify that the effective attack vector ended up being an old, forgotten system that was set up for a reason no one can remember.
During a recent penetration test we conducted for a large financial institution, we went through the process of normal penetration testing – reconnaissance, identification of vulnerabilities and weaknesses, exploitation of these vulnerabilities to gain access to systems, and then establishing persistence by maintaining that access. During reconnaissance, an old test box running Windows XP was identified, conveniently located in a long-forgotten and unmonitored part of their network. Further investigation found this system to be vulnerable to MS08-067, which is a legendary vulnerability affecting Windows XP and Windows 2003 systems. Upon exploitation of the system we dumped all the credentials and went about using these compromised credentials to log in to anything we could across the entire network. We eventually stumbled across a system hosting a shared network drive where customer information was being dumped to a text file. This was a huge security issue for the firm; had a malicious attacker been able to gain access to this information, due to the sensitivity of it, this particular institution would have experienced at minimum a PR nightmare, and very likely the potential for catastrophic financial losses. Remember, this all started because of a forgotten, unpatched Windows XP system that had nothing of interest on it and housed no sensitive data.
Software vulnerabilities not only provide a convenient attack vector into a vulnerable system but can also be the initial stepping stone for a persistent foothold in your company’s network, especially when outdated or forgotten servers reside within your company’s infrastructure. This foothold is a crucial step in enabling an attacker’s ability to compromise data, deploy tools and malware, or otherwise disrupt business functions.
Ransomware
Ransomware poses a major threat causing data loss, business downtime, and loss of revenue. Ransomware really changed the game when it started becoming more prevalent. Attackers are no longer just targeting lucrative information like PII or intellectual property – they are now targeting anything of value to a person or entity.
One of the recent high-profile breaches related to ransomware was the NotPetya attack that originated in the Ukraine. NotPetya “crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, and French construction company Saint-Gobain,” [i] resulting in over $10 billion in damages. Outside of monetary damages, NotPetya also shut down the entire Ukrainian government. The attack even shut down the computers used by scientists at the Chernobyl cleanup site.
Ransomware can cause major disruption to an organization’s business activities: destruction of data, extortion, the cost and effort of attempting to regain access to lost data, and more.
Mobile Device Security
Using smartphones and other devices to access critical information has become increasingly common across all industries. While this is convenient, it also increases the risk of exposure of your sensitive business data. Beyond this, as much as 5.8% of mobile devices worldwide are infected with malware.[ii] Additionally, many regulatory and compliance frameworks such as NIST 800-171, HIPAA, and FFIEC are requiring a Mobile Device Management (MDM) solution to ensure that sensitive data is protected on mobile devices. We often find that many of the companies we assess have never even considered implementing an MDM solution and don’t necessarily even know where to start.
As I alluded to previously, this issue is so prevalent that over the course of the many compliance engagements we’ve conducted, only a handful of companies had an MDM solution in place. During one of our mobile device tests in an engagement, we were able to break into the device and compromise the company network through the VPN access configured on the device. In addition to this, we were able to harvest sensitive data stored on the device itself. If the company had had an MDM solution in place, the device could have been remotely wiped during the test, preventing any potential damage.
Unsecured and vulnerable mobile devices run the risk of introducing malware or other malicious software into an environment and allow theft of the data stored on the devices, increasing risk to the organization.
These are only a few of the many threats out there and on the rise. Navigating solutions for any of these attacks can be daunting, and that is why cybersecurity providers exist. Over the next month we will be exploring these four kinds of threats in a blog series to discuss ways of prevention and mitigation. So stay tuned and check back to this page in the next week!