CyberCX Security Report | October 2020
There’s no shortage of cyber-attacks making the headlines, but what do they mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Critical Vulnerability Allows Attackers to Bypass O365 MFA
Multi Factor Authentication (MFA) is one of the most effective strategies you can adopt to secure your environment. By requiring two or more forms of authentication, it is possible to make it much harder for malicious actors to gain access to your systems and confidential data.
However, like everything in the world of cyber security, MFA is not a set-and-forget technology. Older authentication protocols could still be leaving you exposed.
Researchers have uncovered critical vulnerabilities in the Web Services Trust (WS-Trust) authentication protocol. When used with a user account and password, WS-Trust implements an authentication flow in which the login credentials are presented to the authenticating resource in unencrypted form. This does not align with current encryption standards, and Microsoft has described the protocol as ‘inherently insecure’.
Microsoft currently has WS-Trust authentication protocols in place when connecting to Power Apps, its suite of tools that can be used to rapidly develop custom business applications. One Power Apps tool that is particularly at risk is Common Data Service, a cloud-based platform that allows multiple applications to access the same underlying data.
Recognising the risks associated with relying on WS-Trust authentication, Microsoft moved in February this year to begin phasing it out when connecting to Common Data Service. The change affected applications that use Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy and Microsoft.Xrm.Tooling.Connector.CrmServiceClient classes for the authentication type of ‘Office365.’
With WS-Trust authentication in place, attackers could potentially spoof IP addresses through simple request header manipulation, allowing them to bypass MFA and gain full access to Office 365 accounts, including emails, files, contacts and other data.
WS-Trust is scheduled to be fully retired by Microsoft in April 2022.
For any organisation relying on WS-Trust to secure applications, it is recommended to move towards using Azure Active Directory, which offers greater protection for applications making use of Common Data Service.
CLICK HERE for detailed information from Microsoft to secure your applications that are still relying on WS-Trust authentication protocols.
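As an added illustration (not code from the report or from Microsoft), the following Python check scans an application's connection strings for the deprecated ‘Office365’ AuthType, which is the WS-Trust-backed username/password flow described above, and rewrites a flagged string to the OAuth (Azure AD) form. The config text, organisation URL, service account and the AppId/RedirectUri values are constructed placeholders; the connection-string keys themselves are the ones CrmServiceClient accepts.

```python
"""Find connection strings still using the WS-Trust-backed 'Office365' AuthType."""
import re
from typing import Dict, List

# Constructed sample config (placeholders only, not a real deployment).
SAMPLE_CONFIG = """
<connectionStrings>
  <add name="Legacy"
       connectionString="AuthType=Office365;Url=https://org.crm.dynamics.com;Username=svc@example.com;Password=REDACTED" />
  <add name="Modern"
       connectionString="AuthType=OAuth;Url=https://org.crm.dynamics.com;Username=svc@example.com;AppId=00000000-0000-0000-0000-000000000000;RedirectUri=http://localhost;LoginPrompt=Never" />
</connectionStrings>
"""

# 'Office365' is the AuthType Microsoft is retiring along with WS-Trust.
DEPRECATED_AUTHTYPES = {"office365"}


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for chunk in cs.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def find_legacy_auth(config_text: str) -> List[str]:
    """Return the names of connection strings whose AuthType is deprecated."""
    findings: List[str] = []
    pattern = r'name="([^"]+)"\s+connectionString="([^"]+)"'
    for match in re.finditer(pattern, config_text):
        name, cs = match.group(1), match.group(2)
        auth = parse_connection_string(cs).get("authtype", "").lower()
        if auth in DEPRECATED_AUTHTYPES:
            findings.append(name)
    return findings


def migrate_to_oauth(cs: str, app_id: str, redirect_uri: str) -> str:
    """Switch a connection string to AuthType=OAuth, keeping its other keys.

    AppId and RedirectUri come from the app registration in Azure AD;
    callers pass their own values (placeholders in the test below).
    """
    kept = [c for c in cs.split(";")
            if c.strip() and not c.strip().lower().startswith("authtype=")]
    return ";".join(["AuthType=OAuth", *kept, f"AppId={app_id}",
                     f"RedirectUri={redirect_uri}", "LoginPrompt=Auto"])
```

Run `find_legacy_auth` over each config file in the estate and treat every hit as a WS-Trust dependency to migrate before the retirement date.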
Insecure Third-Party Opens Way for Hackers
With organisations increasingly integrating with a wide range of third-party systems, Supply Chain Risk Management has never been more critical. The Australian Cyber Security Centre (ACSC) warns that whenever a third party is involved in the delivery of a product or service, there is likely to be an induced cyber security risk from that entity, which could also adversely affect your customers.
It’s a lesson being painfully learnt by Melbourne-based global derivatives broker Pepperstone.
Investigators believe hackers targeted a third-party service provider used by Pepperstone and stole passwords. The cyber criminals then used those credentials to gain access to the internal client relationship management system, compromising a limited amount of personal client information.
This example demonstrates the importance of conducting extensive supply chain and third-party risk assessments.
ACSC recommends following these four steps to manage supply chain risk:
- Know your system. An organisation must determine the criticality of its systems, with regard to sensitivity and business value, especially in a national security context, in order to inform appropriate risk activities.
- Understand your supply chain risk. Make relevant system risk assessments by knowing the systems well, including how they can be exploited and keeping informed of the relevant current threats.
- Manage your supply chain risk. Objectively manage supply chain risk alongside other system cyber security risks. Avoiding risk may be possible through re-architecture of a system or process in order to minimise the impact of a realised risk. Reducing risk could be accomplished by choosing vendors who have a demonstrated commitment to cyber security.
- Monitor your supply chain and the controls. Your supply chain and the systems they support will change over time. Regularly monitor and review your Supply Chain Risk Management (SCRM) controls. Ensure that the whole organisation supports a secure supply chain and any incidents are reported in a consistent manner.
We strongly urge all organisations to undertake comprehensive supply chain and third-party risk assessments before integrating external systems into their environments.
CLICK HERE for more detailed advice from the ACSC on supply chain risk management.
Don’t Neglect Patching
Many organisations struggle to keep up with patching activities. With so many systems in your environment, and updates constantly being released, it’s all too easy to slip behind. When this occurs, it’s tempting to just focus on the most critical patches. However, neglecting less critical patches is an avoidable mistake. They too can be exploited by cyber-criminals and other malevolent entities over time, so you need a system in place to ensure you get through the backlog of patches.
Several new reports investigating approaches to patching and vulnerability management indicate that most businesses, regardless of industry or size, only fix about 10% of the vulnerabilities found each month. This is a worrying statistic, as it indicates businesses are being left open to exploitation while they struggle to implement effective patch management strategies.
We understand that patching all vulnerabilities can be a challenge, especially where legacy systems are concerned. It takes time and may require dedicated staff. You also need to factor in the impact of shutting down critical services to perform updates, and the resulting concerns about service disruption.
We recommend adopting a three-stage approach: Categorise, Prioritise, Bite-Size.
- Categorise. To begin, you need oversight of what you’re dealing with. This is best achieved by sorting systems into manageable categories. Mission critical systems that are needed to maintain your operations should be grouped and occupy much of your patching focus.
- Prioritise. Whilst you should prioritise those patches that are most critical, you should not neglect the others. Make sure to regularly work through your backlog of less-critical patches too.
- Bite-Size. Break down your list of vulnerabilities into bite-sized tasks to make it easier for your IT team to begin tackling the task, one grouping at a time.
We also recommend adopting an aggressive patching approach. This means that as soon as an update is released, you proceed to patch as quickly as possible. Rolling out smaller numbers of patches more frequently, rather than trying to patch many vulnerabilities at once as part of a monthly cycle, makes it easier to ensure you don’t fall behind.
CLICK HERE for guidance from the ACSC on approaches to patching systems.
Zerologon Vulnerability Potentially Allows Attackers Full Administrative Rights in Your Domain
You know a vulnerability is serious when the Australian Cyber Security Centre (ACSC) issues a strongly worded recommendation to immediately patch affected systems.
The vulnerability that has recently caused so much concern is known as Zerologon (CVE-2020-1472).
This vulnerability, with a CVSS score of 10, allows attackers to obtain admin privileges without any authentication or credentials. All it takes for it to be exploited is one unsuspecting employee clicking on a malicious link. This opens the way for an unauthenticated attacker to exploit a flaw in Microsoft’s Netlogon Remote Protocol (NRP) by establishing a Transmission Control Protocol (TCP) connection to an internet-exposed domain controller, thereby obtaining administrator access to the victim’s network.
Once inside the network, the attacker is able to quickly and easily escalate privileges, take control of Active Directory and completely compromise the Windows domain. They could potentially run a specially crafted application on any device on the network, all without any need to authenticate.
We cannot emphasise enough the importance of urgently rolling out patches as quickly as possible to fix such vulnerabilities. Any delay will leave your network exposed to attack which could have significant consequences for your organisation, impacting the security of your systems and compromising your valuable data.
CLICK HERE for guidance from Microsoft on how to patch systems to address this dangerous vulnerability.