This week we briefed our clients on threats to organizations using FOUNDATION software and how Service Accounts are a gold mine for attackers.
KEY TAKEAWAYS
- Default or embedded credentials found in many systems including FOUNDATION are being exploited to gain unauthorized access to systems. Any default passwords should be changed to reduce the risk of compromise.
- Service Accounts continue to be a focused target by attackers because of their elevated access, lack of monitoring, and general anonymity.
- Critical and high-severity vulnerabilities were patched this week in products from Microsoft, Cisco, VMware, SonicWall, Adobe, Ivanti, and SolarWinds. Patch now!
FOUNDATION Software Targeting
In mid-September, Huntress reported a threat to organizations using the FOUNDATION software, common in construction for planning and accounting. Attackers exploited default credentials to gain access and execute commands on host servers.
Exploitation
The software bundles a Microsoft SQL Server instance, and deployments that support the FOUNDATION mobile app expose its listener on TCP port 4243. Attackers authenticated with the default passwords of the high-privilege 'sa' and 'dba' accounts and then used the xp_cmdshell extended stored procedure to run shell commands directly on the host operating system.
How to Protect Your Organization
- Review all open ports and services, and close any that are not required for operations.
- Restrict access to the SQL Server port (TCP 4243 in this deployment) with firewall filtering so that only trusted hosts can reach it.
- Disable the xp_cmdshell option where feasible; it is off by default in SQL Server and is what turns a compromised SQL login into OS command execution.
- Replace default credentials with strong, unique passwords.
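The checks above, as an added PowerShell example (this is not code from Huntress or from the FOUNDATION product). It assumes the SqlServer module is installed, that the operator connects with a Windows account holding sysadmin on the instance, that 'dba' is a SQL login like 'sa', and that the instance is reachable as the hypothetical host name FOUNDATION-SRV on port 4243:

```powershell
# Added example: audit and harden the SQL Server instance bundled with FOUNDATION.
# Assumptions (not from the original report): SqlServer module present, Windows
# authentication with sysadmin rights, and the hypothetical instance name below.
#Requires -Modules SqlServer
param(
    [string]$ServerInstance   = 'FOUNDATION-SRV,4243',
    [string]$ExternalProbeHost = 'FOUNDATION-SRV'
)

# 1. Exposure check. Run this from an untrusted network segment: a successful
#    TCP connect from there means the firewall is not filtering the listener.
$probe = Test-NetConnection -ComputerName $ExternalProbeHost -Port 4243 -WarningAction SilentlyContinue
"TCP 4243 reachable from $env:COMPUTERNAME : $($probe.TcpTestSucceeded)"

# 2. Report the two things the attackers relied on: xp_cmdshell being enabled
#    and the state (and password age) of the default high-privilege logins.
$state = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT 'xp_cmdshell' AS item, CAST(value_in_use AS nvarchar(10)) AS value
FROM sys.configurations WHERE name = 'xp_cmdshell'
UNION ALL
SELECT name,
       CASE is_disabled WHEN 1 THEN 'disabled' ELSE 'enabled' END
       + ', password set '
       + CONVERT(nvarchar(30), CONVERT(datetime, LOGINPROPERTY(name, 'PasswordLastSetTime')), 120)
FROM sys.sql_logins WHERE name IN ('sa', 'dba');
"@
$state | Format-Table -AutoSize

# 3. Turn xp_cmdshell off. A sysadmin login can re-enable it, so this is a
#    speed bump rather than a boundary; the credential change below is the fix.
Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
"@

# 4. Rotate the default logins. The password is read interactively so it never
#    lands in a script or shell history, and single quotes are doubled so the
#    value cannot break out of the T-SQL string literal.
foreach ($login in 'sa', 'dba') {
    $secure = Read-Host -Prompt "New password for [$login]" -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password.Replace("'", "''")
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query "ALTER LOGIN [$login] WITH PASSWORD = N'$plain';"
    Remove-Variable plain
}
```

Run step 1 from outside the trusted network and steps 2 to 4 from an administrative host. If the application itself connects as 'sa', coordinate the rotation with the vendor's configuration steps, since the new password must also be updated wherever the application stores it.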
Beyond the Threat
Attackers routinely identify and exploit default credentials within the organizations they target. Logging in with a valid, if default, credential lets them blend in with legitimate activity and minimize their exposure while they gather information from the victim environment. Further, devices that still carry default administrative credentials are often shared by several users, which gives an attacker an opportunity to harvest additional credentials from them. This is also why every system in an environment should have a unique password: exposure of one credential should not compromise every system that shares it. Deploying and managing an enterprise-class password manager or privileged access manager reduces the impact of these attack vectors.
Service Accounts are a Gold Mine for Attackers
Service accounts, or non-human identities (NHIs), are a standard part of any organization. They are typically configured for repetitive, scheduled, or mundane tasks that do not require human interaction or would be excessively time consuming for a person to perform. These accounts often hold elevated privileges so that they can carry out the specified activities, and they rarely receive the full set of protections applied to human accounts. Because they are also monitored infrequently, they are a prime target for attackers.
In the Wild
Service accounts feature in a significant share of security incidents as the vehicle for lateral or machine-to-machine movement within an organization. Industry experts estimate that share is currently around 70% and expect it to climb over the next few years. Of note, the SolarWinds supply-chain attack in 2020 and the US Office of Personnel Management breach in 2015 both highlighted the use of service accounts to gain unauthorized access to systems while evading detection. At Black Hat in 2019, attendees were asked whether service accounts were attractive targets. 51% of the respondents identified as active hackers and 49% as cybersecurity professionals, and all of them agreed that the anonymity that service accounts provide puts them high on the target list during an attack.
What is the Risk?
Non-human identities and service accounts appeal to attackers because they are rarely held to the same standard as human user accounts. While the initial password may be set to a higher standard, little or no auditing is performed afterwards to validate that the account performs only the services it was designated for. It is also not unusual for a single service account to be reused for multiple purposes, which makes auditing even harder and lets malicious activity go unnoticed. Attackers can use these credentials to move laterally within the environment, make system and environment changes, exfiltrate data, and stage the deployment of malicious software.
How to Protect Your Organization
There are several things that can be done to protect your organization from misuse of NHIs and service accounts.
- Document all service accounts within the environment
- Use unique service accounts for each service being provided
- Regularly change passwords associated with service accounts
- Regularly audit service accounts and remove any service accounts not in use
- Monitor service account usage to validate they are being used properly
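The five items above, as an added PowerShell example for an Active Directory environment (this is added illustration, not code from the report). It assumes the ActiveDirectory RSAT module is available, that service accounts can be found by a registered SPN or by membership in a hypothetical 'SVC-Accounts' group, that the usage check runs on a domain controller with access to the Security log, and that the age and staleness thresholds are local policy choices:

```powershell
# Added example: inventory AD service accounts and flag the conditions the
# recommendations above target. Assumptions (not from the original report):
# ActiveDirectory module present, service accounts identified by SPN or by the
# hypothetical 'SVC-Accounts' group, thresholds chosen here for illustration.
#Requires -Modules ActiveDirectory
param(
    [int]$MaxPasswordAgeDays = 90,
    [int]$StaleAfterDays     = 90,
    [string[]]$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
)

$props = 'ServicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires',
         'LastLogonDate', 'MemberOf', 'Description'

# Document: accounts with an SPN plus anything the organization tagged by group.
$svc  = @(Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties $props)
$svc += @(Get-ADGroupMember -Identity 'SVC-Accounts' -Recursive -ErrorAction SilentlyContinue |
          Where-Object objectClass -eq 'user' |
          Get-ADUser -Properties $props)
$svc  = $svc | Sort-Object DistinguishedName -Unique

$now = Get-Date
$report = foreach ($a in $svc) {
    $findings = @()
    # Regular password rotation: flag never-expiring and over-age passwords.
    if ($a.PasswordNeverExpires) { $findings += 'password never expires' }
    if ($a.PasswordLastSet -and ($now - $a.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
        $findings += "password $(($now - $a.PasswordLastSet).Days)d old"
    }
    # Audit and remove: no logon inside the window marks a removal candidate.
    if (-not $a.LastLogonDate -or ($now - $a.LastLogonDate).Days -gt $StaleAfterDays) {
        $findings += 'no logon in window (removal candidate)'
    }
    # Elevated access: membership in a privileged group.
    $groups = $a.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    $priv   = $groups | Where-Object { $_ -in $PrivilegedGroups }
    if ($priv) { $findings += "privileged: $($priv -join ', ')" }
    # Unique account per service: one account registered for several service
    # classes (e.g. MSSQLSvc and HTTP) is the multi-purpose pattern to split up.
    $classes = $a.ServicePrincipalName | ForEach-Object { ($_ -split '/')[0] } | Sort-Object -Unique
    if ($classes.Count -gt 1) { $findings += "shared across: $($classes -join ', ')" }
    [pscustomobject]@{ Account = $a.SamAccountName; Enabled = $a.Enabled; Findings = $findings -join '; ' }
}
$report | Sort-Object Account | Format-Table -AutoSize

# Monitor usage: a service account logging on interactively (logon type 2) or
# over RDP (type 10) is not "being used properly" and is worth an alert.
$names = $svc.SamAccountName
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $now.AddDays(-1) } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $h = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    if ($h.TargetUserName -in $names -and $h.LogonType -in '2', '10') {
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $h.TargetUserName; LogonType = $h.LogonType
                           Source = $h.IpAddress; Workstation = $h.WorkstationName }
    }
  } | Format-Table -AutoSize
```

The SPN heuristic misses accounts that run scheduled tasks or services without Kerberos registration, which is why the group-based list is kept alongside it; the 4624 query should ultimately live in the SIEM rather than in an ad hoc script, but it shows the fields (target user, logon type, source address) a detection needs.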
Vulnerability Roundup
Microsoft MSHTML Zero-day
Microsoft previously released details and a patch for CVE-2024-43461 and indicated that it was not being actively exploited. New details have since emerged indicating that the Void Banshee APT group has been using this vulnerability as part of a larger exploit chain. The flaw affects how Internet Explorer's MSHTML component prompts a user when a file is opened: the displayed file name masks the object's real name and extension, so the user believes a malicious file is harmless. Opening that file from a malicious website or attachment results in attacker-controlled code running on the victim's computer. The patch is available now and shipped alongside fixes for three other actively exploited zero-day vulnerabilities in the September 2024 Patch Tuesday release.
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-flaw-used-in-infostealer-malware-attacks/
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43461
Critical Vulnerabilities in Cisco Smart Licensing Utility
Two critical vulnerabilities in the Cisco Smart Licensing Utility were recently disclosed. Tracked as CVE-2024-20439 and CVE-2024-20440, they allow unauthenticated remote attackers to log in with administrative privileges and to access sensitive information. CVE-2024-20439 is an undocumented hard-coded administrative account, and CVE-2024-20440 is an overly verbose debug log file containing credentials that can be retrieved through the API. One notable caveat described in the Cisco security advisory is that the flaws are not exploitable "unless Cisco Smart Licensing Utility was started by a user and is actively running." Vulnerable versions are 2.0.0, 2.1.0, and 2.2.0, and administrators are urged to update to version 2.3.0.
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
- https://thehackernews.com/2024/09/cisco-fixes-two-critical-flaws-in-smart.html
Critical VMware vCenter Flaw Patch
VMware has released a patch for vulnerability CVE-2024-38812 addressing a critical security flaw in vCenter Server that can result in remote code execution. This vulnerability can allow an attacker to send a specially crafted packet triggering a heap overflow. The patch also addresses a privilege escalation flaw in vCenter Server (CVE-2024-38813) that could enable an attacker with network access to escalate privileges to root. These flaws have been fixed in the following versions:
- vCenter Server 8.0 (Fixed in 8.0 U3b)
- vCenter Server 7.0 (Fixed in 7.0 U3s)
- VMware Cloud Foundation 5.x (Fixed in 8.0 U3b as an asynchronous patch)
- VMware Cloud Foundation 4.x (Fixed in 7.0 U3s as an asynchronous patch)
SonicWall SSLVPN Bug Exploited in Ransomware Attacks
SonicWall has reported that CVE-2024-40766 affects the SSLVPN interface as well as the management access interface on Gen 5, 6, and 7 firewalls. The flaw was previously reported as affecting only the management interface, and it is now being exploited in the wild, including in ransomware attacks. A patch has been available since August 22nd for all impacted generations.
- https://www.bleepingcomputer.com/news/security/critical-sonicwall-sslvpn-bug-exploited-in-ransomware-attacks/
- https://www.bleepingcomputer.com/news/security/sonicwall-sslvpn-access-control-flaw-is-now-exploited-in-attacks/
Adobe Reader Zero-day Identified
Security researchers have identified a zero-day vulnerability that impacts Adobe Acrobat Reader. Tracked as CVE-2024-41869, it is a use-after-free bug that a specially crafted PDF document can trigger, potentially allowing remote code execution. A previous fix released in August failed to completely address the issue, so Adobe has released an updated patch to remediate it.
- https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/
- https://helpx.adobe.com/security/products/acrobat/apsb24-70.html
Ivanti Discovers Another Critical Security Flaw
Ivanti has warned customers of its Cloud Services Appliance (CSA) of another critical security vulnerability. CVE-2024-8190 is an OS command injection flaw in CSA version 4.6, which is end of life; an attacker who already holds administrative access to the appliance's web console can use it to execute arbitrary commands on the underlying system. Version 5.0 of the appliance is not affected.
SolarWinds Access Rights Management Vulnerability
SolarWinds has released a fix for a critical security vulnerability in its Access Rights Manager (ARM) software. Tracked as CVE-2024-28991, the flaw received a CVSS score of 9.0 out of 10 and can result in remote code execution. SolarWinds recommends updating to ARM version 2024.3.1 to address it.
- https://thehackernews.com/2024/09/solarwinds-issues-patch-for-critical.html
- https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3-1_release_notes.htm
This report is provided FREE to the cybersecurity community.
Visit our Cyber Threat Intelligence Blog for additional reports.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.