It was discovered that the SQL plugin in cyrus-sasl2, a library
implementing the Simple Authentication and Security Layer, is prone to
SQL injection. An authenticated remote attacker can take advantage of
this flaw to execute arbitrary SQL commands and escalate privileges.
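The advisory above does not show the plugin's query, so the following is an added illustration rather than cyrus-sasl's own code: a credential lookup built by string formatting beside the same lookup with bound parameters. The table layout (users/realm/password columns), the sample rows and the sqlite3 backend are constructed for this example; the SASL SQL plugin itself supports several database engines.

```python
"""Added illustration, not cyrus-sasl's own code: the difference between
building the SASL SQL plugin's credential lookup by string formatting and
using a parameterized query. Table layout and sample rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like a SASL auth table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, realm TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "example.org", "alice-pw"), ("bob", "example.org", "bob-pw")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str, realm: str) -> list:
    """Vulnerable form: the caller's strings are spliced into the SQL text, so a
    quote character in the username changes the structure of the query."""
    sql = "SELECT password FROM users WHERE username = '%s' AND realm = '%s'" % (
        username,
        realm,
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str, realm: str) -> list:
    """Hardened form: bound parameters reach the engine as data, so the same
    input is compared literally and never becomes SQL syntax."""
    sql = "SELECT password FROM users WHERE username = ? AND realm = ?"
    return [row[0] for row in conn.execute(sql, (username, realm))]


def compare(username: str, realm: str = "example.org") -> dict:
    """Run both lookups on the same input and return what each one returns."""
    conn = make_db()
    return {
        "unsafe": lookup_unsafe(conn, username, realm),
        "safe": lookup_safe(conn, username, realm),
    }


if __name__ == "__main__":
    # A normal username, then a constructed one carrying a quote and an
    # always-true clause; only the unsafe lookup returns every row for the latter.
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```

The point for reviewers of similar plugins is the second result: with formatting, the quote in the input closes the string literal and the rest is parsed as SQL, returning every credential in the realm; with a placeholder the same input matches nothing. Escaping the input is the alternative fix when the driver offers no parameter binding, but it must be done with the database's own escaping routine rather than hand-written replacements.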
TrickBot operators slowly abandon the botnet and replace it with Emotet
TrickBot, once one of the most active botnets on the internet and a primary delivery vehicle for ransomware, is no longer making new victims. However, there are signs its operators are transitioning the already infected computers to other botnets, including Emotet.
“Our team assesses with high confidence that Trickbot operators are working closely with the operators of Emotet,” researchers from security firm Intel 471 said in a new report. “There is clear evidence of this relationship, for example, the resurrection of Emotet began with Trickbot.”
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
Government agencies publish warnings and guidance for organizations to defend themselves against advanced persistent threat groups.
As governments around the world call for heightened cyber vigilance, the reality of our digital world comes into stark relief: there are no boundaries when it comes to the potential damage that can be inflicted as a result of nation-state conflicts. The tactical information shared in this blog is designed to help you prepare your digital response to these rapidly unfolding events.
Background
Jen Easterly, director of the Cyber Security and Infrastructure Security Agency (CISA), recently tweeted that, despite no specific credible threats against organizations in the United States by Russian state-sponsored activity, these advanced persistent threat (APT) groups have historically targeted organizations through a variety of means, including exploiting vulnerabilities in perimeter devices and utilizing Active Directory (AD) for lateral movement. CISA has called for every organization to “adopt a heightened posture of vigilance.”
🛡ALL organizations must adopt a heightened posture of vigilance. The time to act is NOW. We’re urging all orgs to put #ShieldsUp to:
– Reduce the likelihood of a cyber intrusion
– Quickly detect a potential intrusion
– Ensure you’re prepared to respond
– Maximize resilience 3/4
— Jen Easterly (@CISAJen) February 12, 2022
CISA announced Shields Up, an initiative to empower organizations and provide guidance on how to limit the exposure to common attack paths leveraged by these APT groups.
Analysis
In recent months, CISA has also issued joint advisories regarding specific vulnerabilities targeted by these APT groups and the steps organizations can take to mitigate their risk of exploitation. Both the U.K. National Cyber Security Centre and the Australian Cyber Security Centre have released advisories on this subject as well.
In January, CISA, the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) issued a joint cybersecurity alert regarding “Russian Cyber Threats to U.S. Critical Infrastructure.” This alert focuses on observed behavior from Russian state-sponsored threat groups targeting critical infrastructure organizations in several countries. The alert highlights the following sectors as key targets for the APT groups: defense industrial base, healthcare and public health, energy, telecommunications and government facilities.
According to the advisory, the following vulnerabilities have been used in these attacks to gain initial access:
CVE | Description | CVSSv3 | VPR*
CVE-2018-13379 | Fortinet FortiGate SSL VPN Path Traversal Vulnerability | 9.8 | 9.9
CVE-2019-1653 | Cisco Small Business Routers Information Disclosure | 9.8 | 7.2
CVE-2019-2725 | Oracle Weblogic Server Deserialization Vulnerability | 9.8 | 9.2
CVE-2019-7609 | Kibana Arbitrary Code Execution | 10.0 | 9.2
CVE-2019-9670 | Zimbra Software XML External Entity Injection Vulnerability | 9.8 | 9.2
CVE-2019-10149 | Exim Simple Mail Transfer Protocol Remote Code Execution | 9.8 | 9.7
CVE-2019-11510 | Pulse Connect Secure Arbitrary File Read | 10.0 | 10.0
CVE-2019-19781 | Citrix ADC And Gateway Directory Traversal Vulnerability | 9.8 | 9.8
CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.8
CVE-2020-4006 | VMware Workspace One Command Injection | 9.1 | 10.0
CVE-2020-5902 | F5 BIG-IP Remote Code Execution | 9.8 | 9.7
CVE-2020-14882 | Oracle WebLogic Remote Code Execution | 9.8 | 9.8
CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution | 9.8 | 9.9
CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.8
CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.8
CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.9
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on February 24 and reflects VPR at that time.
On February 16, CISA published a joint cybersecurity advisory along with the FBI and NSA regarding the “regular targeting” of United States cleared defense contractors (CDCs). According to the advisory, the attacks originate from state-sponsored threat actors in Russia. The targets of the attacks include both large and small CDCs, as well as subcontractors. These CDCs are being targeted because of existing contracts they hold with the United States Department of Defense (DoD) and Intelligence Community.
The targeting activity spans from January 2020 through February 2022. The advisory says that the attackers have “maintained persistent access to multiple CDC networks” with the longest being for “at least six months.” They’ve used this access to exfiltrate both emails and data from these organizations.
Outside of the use of standard techniques (brute force, spear phishing emails), the threat actors have paired harvested credentials with known vulnerabilities to target public-facing applications including VPNs.
The following is a list of CVEs the threat actors have reportedly used:
CVE | Description | CVSSv3 | VPR
CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.8
CVE-2020-17144 | Microsoft Exchange Server Remote Code Execution Vulnerability | 8.4 | 9.9
CVE-2018-13379 | Fortinet FortiGate SSL VPN Path Traversal Vulnerability | 9.8 | 9.9
However, even if CDCs do patch known vulnerabilities within their networks, the threat actors will “alter their tradecraft” in an effort to regain access through “new means.” This is why these government agencies stress that CDCs “maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.”
In October 2020, CISA published an alert around Russian state-sponsored activity targeting the U.S. Government. In it, several of the vulnerabilities listed above are referenced. However, they also highlight CVE-2020-1472, dubbed “Zerologon,” a critical vulnerability in Microsoft’s Netlogon Protocol that is used as a post-exploitation vulnerability. Zerologon is a popular vulnerability among threat actors and ransomware groups, who often pair it with several of the initial access vulnerabilities in this blog post including several SSL-VPN vulnerabilities.
CVE | Description | CVSSv3 | VPR
CVE-2020-1472 | Microsoft Netlogon Elevation of Privilege Vulnerability | 10.0 | 10.0
Defending Active Directory
For attackers, Active Directory is the holy grail for disrupting business operations, exfiltrating sensitive information and deploying malware across a network. Given its importance, organizations must be adequately prepared to defend against the common techniques leveraged by these APT groups.
Once inside a network, these threat actors will map the environment’s AD in order to connect to domain controllers (DCs). The goal is to exfiltrate credentials from the network and export the ntds.dit AD database file. The threat actors have also been observed using the Mimikatz hacktool in order to “dump admin credentials” from DCs.
Securing users, groups and computers that require privileges within AD should be a high priority. For example, privileged accounts that have certain attributes configured are susceptible to Kerberoasting, which can lead to impersonation or even a Golden Ticket attack.
Attackers are using these tactics to obtain domain-level privileges within AD. Once they have domain-level privileges, they will use Group Policy to distribute malware and ransomware. Ryuk ransomware is known for these tactics, and wiper malware has recently used them as well.
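The attribute the paragraph above alludes to is a service principal name (SPN): any domain user can request a service ticket for an account that has one, and the ticket is encrypted with that account's password hash, so a privileged account with an SPN is the case to hunt for. The audit below is an added example, not code from this post, Tenable or CISA. It runs over a constructed export of user records; the record layout, the privileged group names, the 365-day password-age threshold and the sample accounts are assumptions for the illustration, while the msDS-SupportedEncryptionTypes bit values (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10) are the real AD definitions.

```python
"""Added example, not code from the original post, Tenable or CISA: audit a
constructed export of AD user records for the attribute combination that
makes an account a worthwhile Kerberoasting target (an SPN on a privileged
account), plus two aggravating factors. Record layout, group names and the
password-age threshold are assumptions for this illustration."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Bit values of msDS-SupportedEncryptionTypes. A value of 0 means the
# attribute is unset, which domain controllers historically treated as RC4.
RC4, AES128, AES256 = 0x4, 0x8, 0x10
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed rotation policy for service accounts

# Constructed sample records shaped like a simplified LDAP export.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "memberOf": ["Domain Admins"], "adminCount": 1,
     "msDS-SupportedEncryptionTypes": RC4, "pwdLastSet": datetime(2019, 3, 1)},
    {"sAMAccountName": "svc_web",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "memberOf": ["Web Operators"], "adminCount": 0,
     "msDS-SupportedEncryptionTypes": AES256, "pwdLastSet": datetime(2022, 1, 15)},
    {"sAMAccountName": "jdoe",
     "servicePrincipalName": [],
     "memberOf": ["Domain Admins"], "adminCount": 1,
     "msDS-SupportedEncryptionTypes": AES256, "pwdLastSet": datetime(2021, 11, 2)},
    {"sAMAccountName": "svc_backup",
     "servicePrincipalName": ["backup/bk01.corp.example"],
     "memberOf": ["Helpdesk"], "adminCount": 0,
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": datetime(2021, 12, 1)},
]


def audit_kerberoast_exposure(accounts, now):
    """Return (account, reasons) pairs for accounts whose attributes make a
    Kerberoasting attempt attractive. Accounts without an SPN are skipped:
    no service ticket can be requested for them."""
    findings = []
    for acct in accounts:
        if not acct["servicePrincipalName"]:
            continue
        reasons = []
        if acct["adminCount"] == 1 or PRIVILEGED_GROUPS & set(acct["memberOf"]):
            reasons.append("privileged account with SPN")
        enc = acct["msDS-SupportedEncryptionTypes"]
        if enc == 0:
            reasons.append("encryption types unset (RC4 by default)")
        elif (enc & RC4) and not (enc & (AES128 | AES256)):
            reasons.append("RC4-only service tickets")
        if now - acct["pwdLastSet"] > MAX_PASSWORD_AGE:
            reasons.append("password older than %d days" % MAX_PASSWORD_AGE.days)
        if reasons:
            findings.append((acct["sAMAccountName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_kerberoast_exposure(SAMPLE_ACCOUNTS, datetime(2022, 2, 24)):
        print(name, "->", "; ".join(reasons))
```

In a real environment the records would come from an LDAP query for objects with servicePrincipalName set; the remediation for each finding is the usual one: move the SPN to a group managed service account or an unprivileged account, enforce AES for the service account, and rotate long-lived passwords.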
Solution
Many of the vulnerabilities listed in these alerts are more than a year old and all have patches available. Organizations are strongly urged to find and patch any endpoints that are still vulnerable. In addition to listing vulnerabilities being targeted, the advisories include recommendations for preparing to defend against cyberattacks.
Organizations should also ensure that all passwords within AD are changed often and follow secure complexity and length suggestions to protect against password spray and password brute force attacks.
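Password rotation and complexity reduce how much a spray or brute-force attempt can achieve; detecting the attempt is the other half. As an added example (not from this post), the code below runs the two detections over constructed, simplified failed-logon records: a spray shows up as one source failing against many distinct accounts inside a short window, brute force as one source hammering a single account. Windows security event 4625 does carry the TargetUserName and IpAddress fields used here, but the one-line layout, thresholds and sample addresses are assumptions made for the illustration.

```python
"""Added example, not from the original post: detection logic for password
spraying and brute forcing over constructed, simplified failed-logon records.
Windows security event 4625 carries these fields, but the one-line layout
used here is an assumption made for the illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event ID, target user, source address.
SAMPLE_LOG = """\
2022-02-24T09:00:01Z 4625 TargetUserName=alice IpAddress=203.0.113.7
2022-02-24T09:00:04Z 4625 TargetUserName=bob IpAddress=203.0.113.7
2022-02-24T09:00:09Z 4625 TargetUserName=carol IpAddress=203.0.113.7
2022-02-24T09:00:13Z 4625 TargetUserName=dave IpAddress=203.0.113.7
2022-02-24T09:00:20Z 4625 TargetUserName=erin IpAddress=203.0.113.7
2022-02-24T09:05:00Z 4625 TargetUserName=jdoe IpAddress=10.0.0.5
2022-02-24T09:05:02Z 4625 TargetUserName=jdoe IpAddress=10.0.0.5
2022-02-24T09:05:03Z 4625 TargetUserName=jdoe IpAddress=10.0.0.5
2022-02-24T09:05:05Z 4625 TargetUserName=jdoe IpAddress=10.0.0.5
2022-02-24T09:10:00Z 4624 TargetUserName=jdoe IpAddress=10.0.0.5
2022-02-24T09:00:00Z 4625 TargetUserName=alice IpAddress=198.51.100.3
2022-02-24T11:30:00Z 4625 TargetUserName=bob IpAddress=198.51.100.3
"""


def parse_events(text):
    """Turn the constructed log into (time, user, source) tuples, keeping only
    failed logons (4625); successful logons (4624) are not part of either signal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        if event_id != "4625":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, kv["TargetUserName"], kv["IpAddress"]))
    return events


def _by_source(events):
    """Group attempts per source address, sorted by time."""
    groups = defaultdict(list)
    for when, user, ip in events:
        groups[ip].append((when, user))
    for ip in groups:
        groups[ip].sort()
    return groups


def find_sprays(events, window, min_users):
    """Sources that fail logons for at least min_users distinct accounts inside
    some window-long interval (few attempts per account, many accounts)."""
    hits = {}
    for ip, attempts in _by_source(events).items():
        for i, (end, _) in enumerate(attempts):
            users = {u for t, u in attempts[: i + 1] if end - t <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users | set(hits.get(ip, [])))
    return hits


def find_brute_force(events, window, min_attempts):
    """(source, account) pairs with at least min_attempts failures in a window."""
    hits = {}
    for ip, attempts in _by_source(events).items():
        for i, (end, user) in enumerate(attempts):
            count = sum(1 for t, u in attempts[: i + 1] if u == user and end - t <= window)
            if count >= min_attempts:
                hits[(ip, user)] = max(count, hits.get((ip, user), 0))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("sprays:", find_sprays(events, timedelta(minutes=10), min_users=3))
    print("brute force:", find_brute_force(events, timedelta(minutes=1), min_attempts=4))
```

The third source in the sample fails against two accounts hours apart and is reported by neither rule, which is the trade-off the window length sets: a slow spray spread over a day needs a longer window and a higher distinct-user threshold to stay above the noise of genuine typos.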
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here.
A scan template and dashboard identifying the vulnerabilities listed in this blog post for Nessus, Tenable.io and Tenable.sc are in development. We will update this blog post once they are available.
Conclusion
Although nations and organizations are being targeted, history has taught us that the digital impact is likely to be far-reaching. But this speculation shouldn’t detract from the obvious: there are steps you can take to protect yourself. Tenable is committed to doing our utmost to help organizations guard themselves in a world where we must acknowledge that digital threats will be a significant part of any conflict scenario.
Get more information
CISA Advisory: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology
CISA Advisory: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
Blog Post: Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Ransomware is top attack vector on critical infrastructure
Ransomware was the number one attack vector on critical infrastructure in 2021, according to a report by Dragos, a leading company in industrial cybersecurity. Nearly two-thirds of those attacks (65%) were aimed at the manufacturing sector, the company revealed in its annual review of cyber threats facing industrial organizations released Wednesday.
“You can combine all the other sectors together and not get to where manufacturing is getting hit,” Dragos CEO Robert M. Lee said at an information session held prior to the report’s release.
CVE-2020-14504
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.
CVE-2020-14502
The web interface of the 1734-AENTR communication module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the homepage of the web interface.
CVE-2020-14481
The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.
CVE-2020-14480
Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials.
CVE-2020-14478
A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.
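CVE-2020-14478 above is an XXE issue in weakly configured XML processing. The usual hardening is to refuse any document that declares a DTD at all, since a DTD is the only place an external entity can be declared. The parser below is an added example (not Rockwell Automation's code and not the FactoryTalk parser) built on Python's standard expat binding; the two sample documents and the file path inside the entity declaration are constructed placeholders.

```python
"""Added example, not Rockwell Automation's code: the configuration-level
mitigation for XXE, refusing any document that declares a DTD (the only place
external entities can be declared), built on Python's expat binding. The
sample documents are constructed for this illustration."""
import xml.parsers.expat as expat

# Constructed configuration document with no DTD.
BENIGN_DOC = b"<config><host>plc01</host><port>44818</port></config>"
# Constructed document whose DTD declares an external entity; the path is a placeholder.
DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>'
    b"<config><host>&ext;</host></config>"
)


class DoctypeRejected(ValueError):
    """Raised when the document carries a DOCTYPE/DTD."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse XML into {leaf tag: text}, refusing any DTD before it is processed.

    The DOCTYPE handler fires as soon as expat sees the declaration, so no
    entity from the DTD is ever defined, let alone resolved."""
    parser = expat.ParserCreate()
    result, text = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("document %r declares a DTD; entities are not accepted" % name)

    def start(tag, attrs):
        text.clear()

    def chars(chunk):
        text.append(chunk)

    def end(tag):
        value = "".join(text).strip()
        if value:
            result[tag] = value
        text.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the no-DTD policy."""
    try:
        parse_without_dtd(data)
        return True
    except DoctypeRejected:
        return False


if __name__ == "__main__":
    print(parse_without_dtd(BENIGN_DOC))
    print("DTD document accepted:", is_accepted(DTD_DOC))
```

Rejecting the DOCTYPE outright is stricter than disabling only external entities, and it also removes the internal-entity expansion ("billion laughs") path that the denial-of-service part of the advisory describes; configuration files that legitimately need a DTD are rare enough that the stricter policy is normally the right default.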
CVE-2020-10640
Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run arbitrary commands with system privileges or perform remote code execution via a specific communication service.