This week we briefed our clients on threats to organizations using FOUNDATION software and how Service Accounts are a gold mine for attackers.
KEY TAKEAWAYS
In mid-September, Huntress reported a threat to organizations using the FOUNDATION software, common in construction for planning and accounting. Attackers exploited default credentials to gain access and execute commands on host servers.
Exploitation
The software includes a Microsoft SQL Server instance. For mobile app deployment, port 4243 is open. Attackers used elevated 'sa' and 'dba' accounts to run shell commands directly on the OS.
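An audit query a defender can run on the FOUNDATION-bundled SQL Server instance, added here as an example (it is not code from the Huntress report or from the FOUNDATION product): it lists every login that holds the sysadmin role, calls out the default 'sa' and 'dba' names, shows whether each SQL login is exempt from password policy, and reports whether the xp_cmdshell option is enabled. xp_cmdshell is not named on this page; it is the stock SQL Server feature that lets a sysadmin run OS shell commands from T-SQL, which is the behaviour the report describes.

```sql
-- Added audit script (example, not FOUNDATION's or Huntress's code).

-- 1. Every SQL or Windows login that is a member of the sysadmin fixed server
--    role, with the default account names flagged and, for SQL logins, whether
--    the Windows password policy is enforced (is_policy_checked = 0 means no).
SELECT  m.name,
        m.type_desc,
        m.is_disabled,
        l.is_policy_checked,            -- NULL for Windows logins
        l.is_expiration_checked,
        CASE WHEN m.name IN ('sa', 'dba')
             THEN 'default account: change password, rename or disable'
             ELSE '' END AS finding
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
LEFT JOIN sys.sql_logins        AS l ON l.principal_id = m.principal_id
WHERE   r.name = 'sysadmin'
  AND   m.type IN ('S', 'U')            -- SQL logins and Windows logins only
ORDER BY m.name;

-- 2. Is OS command execution from T-SQL switched on?  value_in_use = 1 means yes.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = 'xp_cmdshell';

-- 3. Remediation. Left commented out because FOUNDATION itself may depend on
--    the sa login; confirm with the vendor before disabling it, then uncomment.
-- EXEC sp_configure 'show advanced options', 1;
-- RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;
-- RECONFIGURE;
-- ALTER LOGIN sa DISABLE;
```

Run it as a sysadmin from SQL Server Management Studio or sqlcmd; any row in query 1 with a non-empty finding, or a value_in_use of 1 in query 2, matches the conditions the attackers relied on.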
How to Protect Your Organization
Beyond the Threat
Attackers routinely identify and exploit default credentials inside the organizations they target. Those credentials let them 'live off the land' and minimize their exposure while gathering information from the victim environment. Further, devices that still carry default administrative credentials are often shared by many users, which gives an attacker an opportunity to harvest additional credentials from them. This is also why every system in an environment should have a unique password: exposure of one credential then does not compromise every system. Deploying and managing an enterprise-class password manager or privileged access manager can reduce the impact of these attack vectors.
Service accounts, or non-human identities (NHIs), are a standard part of any organization. They are typically configured for repetitive, scheduled, or mundane tasks that do not require human interaction or would be excessively time-consuming for a human to perform. These accounts often hold elevated privileges so they can carry out the specified activities, and they rarely receive the full set of protections applied to human accounts. Combined with the fact that they are monitored infrequently, this makes them a prime target for attackers.
In the Wild
Service accounts are used in a significant number of security incidents for lateral or machine-to-machine movement within an organization. Industry experts suspect this number is currently at 70% and expect it to climb over the next few years. Of note, the SolarWinds supply-chain attack in 2020 and the US Office of Personnel Management attack in 2015 both highlighted the use of service accounts to gain unauthorized access to systems while evading detection. At BlackHat in 2019, attendees were asked whether service accounts were attractive targets: 51% of the responses came from active hackers and 49% from cybersecurity professionals, and all of them agreed that the anonymity afforded by service accounts puts them high on the target list during an attack.
What is the Risk?
Non-human identities and service accounts appeal to attackers because they are rarely held to the same standard as regular user accounts. While the initial password may be set to a higher standard, little to no auditing is performed to validate that the service account is performing only the services it was designated for. Additionally, it is not unusual for a service account to be used for multiple purposes, which makes auditing even more difficult and lets malicious activity go unnoticed more easily. Attackers can use these credentials to move laterally within the environment, make system and environment changes, download data, and stage the deployment of malicious software.
How to Protect Your Organization
There are several things that can be done to protect your organization from misuse of NHIs and service accounts.
Vulnerability Roundup
Microsoft previously released details and a patch for CVE-2024-43461, indicating at the time that it was not being actively exploited. New details have emerged that the Void Banshee APT group is now actively using this vulnerability as part of a larger exploit chain. The vulnerability affects the way Internet Explorer prompts a user when a file is downloaded: the actual filename of the object is masked, tricking the user into believing it is not malicious. This allows an attacker to get a victim to open a malicious website or file in the belief that it is safe, which in turn allows malicious code to run remotely on the victim's computer. The patch is currently available and was released alongside patches for three other actively exploited zero-day vulnerabilities in the September 2024 Patch Tuesday release.
Two critical vulnerabilities in the Cisco Smart Licensing Utility were recently disclosed. Tracked as CVE-2024-20439 and CVE-2024-20440, they allow unauthenticated remote attackers to elevate privileges and access sensitive information. CVE-2024-20439 concerns an undocumented hard-coded administrative account, and CVE-2024-20440 concerns a verbose debug file containing credentials that can be accessed via the API. One interesting caveat described in the Cisco security advisory is that these are not exploitable "unless Cisco Smart Licensing Utility was started by a user and is actively running." Vulnerable versions are 2.0.0, 2.1.0, and 2.2.0, and administrators are urged to update to version 2.3.0.
VMware has released a patch for vulnerability CVE-2024-38812 addressing a critical security flaw in vCenter Server that can result in remote code execution. This vulnerability can allow an attacker to send a specially crafted packet triggering a heap overflow. The patch also addresses a privilege escalation flaw in vCenter Server (CVE-2024-38813) that could enable an attacker with network access to escalate privileges to root. These flaws have been fixed in the following versions:
SonicWall has reported that CVE-2024-40766 applies to the Gen 5, 6, and 7 firewall management access interface as well as the SSLVPN interface. It was previously reported as applying only to the management access interface, and it has since been observed being actively exploited in the wild. A patch was provided on August 22nd for all impacted systems.
Security researchers have identified a zero-day vulnerability that impacts Adobe Reader. Tracked as CVE-2024-41869, the bug allows a specially crafted PDF document to crash the application and potentially lead to remote code execution. A previous fix released in August failed to completely address the issue, prompting Adobe to release an updated patch.
Ivanti has warned customers of its Cloud Service Appliance of another critical security vulnerability. CVE-2024-8190 affects version 4.6 of the Cloud Service Appliance, which is listed as end of life. The vulnerability can allow an unauthorized user to create admin accounts or modify existing accounts. Version 5 of the appliance is not vulnerable.
SolarWinds has released a fix to address a critical security vulnerability in its Access Rights Management (ARM) software. This vulnerability received a CVSS score of 9.0 out of 10 and could result in remote code execution by an unauthenticated user. SolarWinds recommends updating to ARM version 2024.3.1 to address the vulnerability.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.