This week we briefed our clients on Part 1 of our Cybersecurity Awareness Back to Basics series, Linux CUPS vulnerabilities, and 3 Aruba vulnerabilities.
KEY TAKEAWAYS
October is Cybersecurity Awareness Month, and in this week's report, we will touch on some key cybersecurity fundamentals that are often overlooked. While these topics may seem trivial, these basic fundamentals will go a long way toward thwarting most cyberattacks, including ransomware.
Passwords
It's almost the end of 2024, and some of the most common passwords used today are still "Password!", "123456", and "Fall2024". Poor passwords, combined with a lack of multi-factor authentication (MFA), make it trivially easy for adversaries to brute-force or simply guess the correct password of their target, even on administrator accounts.
Making a Strong Password
There are two simple methods for creating and storing secure passwords. One is to use a password manager. These tools have random password generators built in, making it a single click to generate a strong random password. These passwords can be extremely random and complex, as the user does not need to actually remember them; they are stored in the password vault. Most modern password managers have web browser extensions that work seamlessly with web authentication pages. Do NOT store passwords in the web browser itself; use a password manager.
An alternative method is to make long, secure passwords that are memorable. This can be done with passphrases. Here's an example of how to build one:
How Often Should Passwords Be Changed?
Traditionally, accepted practice was to rotate passwords at regular intervals (every 30-90 days). However, it has been shown that even with complexity requirements such as upper and lower case letters, numbers, and special characters, changing passwords this frequently drove users to choose progressively simpler and easier-to-guess passwords over time, weakening password strength overall.
New NIST guidelines now suggest having users set strong, secure passwords once, and only rotate them if there is evidence of a compromise.
Multi-factor Authentication
Multi-factor authentication (MFA) is one of the most effective ways to protect against unauthorized access to accounts. Regardless of how secure a password is, eventually it gets leaked in a data breach. If threat actors obtain these credentials and the target account does not have MFA, they can trivially authenticate to the account and gain initial access to the target environment. MFA should be enabled across ALL accounts, and at a minimum on every account and application that is internet facing. While MFA is not a silver bullet, it greatly increases the effort required for a threat actor to gain access to an account.
Patching
Remote exploitation of unpatched vulnerabilities continues to be one of the most effective ways for threat actors to gain an initial foothold in a target environment. While on rare occasions there are 0-day remote code execution vulnerabilities that do not have a patch and leave organizations exposed, these tend to be exploited only by very sophisticated threat actors and are generally more targeted attacks with narrow scope or impact. Most cybercriminals, especially modern ransomware groups, tend to abuse known vulnerabilities to gain initial access.
When planning your patch management program, ensure that ALL internet-exposed devices and services are patched regularly. This includes security devices themselves. Firewalls, load balancers, proxies, and gateways have all had critical remote code execution vulnerabilities in recent years. For these types of critical vulnerabilities, having an emergency patch management process in place is crucial, as threat actors have historically exploited vulnerabilities in these devices within 24 hours of disclosure. Ensuring that all internet-facing devices and services are fully patched at all times will greatly reduce your organization's attack surface.
Logging
Most organizations do not have the budget or manpower to maintain a central logging system. This means that logs are stored locally on each device. Last February's Threat Intel Report article "Where the Wild Logs Are" posed a hypothetical scenario in which your organization faces a ransomware outbreak and the IR team requests logs from various devices such as firewalls, virtual machines, and various servers. Without central logging, how do you get those logs? What is the retention policy for logs on each device? What types of events are being logged on each device? What are the commands to run on each device to export the logs?
If the answers to these questions are not known ahead of time, days can be wasted finding them, and in the context of an IR this can be devastating. By the time you have figured out how to export logs from your firewall, the data that is needed may have already rolled over and be gone forever. Understand where your logs are and how long they live in your environment. Document the findings and practice exporting logs from various devices at regular intervals.
Part 2 of Back to Basics will be in the October 21st report. In the meantime, be sure to revisit PacketWatch's 12 P's for Cyber Resilience for more cybersecurity tips.
Vulnerability Roundup
A set of vulnerabilities in the OpenPrinting Common Unix Printing System (CUPS) was recently disclosed. CUPS is an open-source printing system found across a variety of Linux distributions, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux, ChromeOS, and more. The CVEs identified in the disclosure are CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These vulnerabilities can be chained together to allow an attacker to create a malicious, fake printing device on a network-exposed Linux system running the vulnerable version of CUPS. Exploitability is somewhat limited: as Rapid7 points out in their research, UDP port 631 must be reachable and the vulnerable service must be listening. Until systems can be fully patched, it is recommended to either disable the CUPS service or block UDP port 631 from the internet.
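As an added example (not part of the original report or of the CUPS project), a POSIX shell check for the mitigation above: it scans ss -lunp style output for sockets bound to UDP 631 and flags any bound to a non-loopback address. The sample output and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: check whether a Linux host exposes a UDP 631 (CUPS browsing) listener.
# SAMPLE_SS_OUTPUT is constructed (not captured from a real host) so the check
# can run offline; call cups_exposure with no argument to scan live `ss -lunp`.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*    users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=455,fd=5))'

# Print every socket line where some field is an address ending in ":631".
# $1: text to scan; defaults to the live listener table from ss.
cups_udp_listeners() {
    input="${1:-$(ss -lunp 2>/dev/null)}"
    printf '%s\n' "$input" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:631$/) { print; next }
    }'
}

# Return 0 (and print the offending lines) when UDP 631 is bound on a
# non-loopback address, i.e. reachable from the network; otherwise return 1.
# A loopback-only binding (127.x.x.x or [::1]) is not flagged.
cups_exposure() {
    listeners=$(cups_udp_listeners "$1")
    if [ -z "$listeners" ]; then
        echo "OK: no UDP 631 listener"
        return 1
    fi
    if printf '%s\n' "$listeners" | awk '{
            for (i = 1; i <= NF; i++)
                if ($i ~ /:631$/ && $i !~ /^127\./ && $i !~ /^\[::1\]:/) found = 1
        } END { if (found) exit 0; exit 1 }'; then
        echo "EXPOSED: UDP 631 bound on a non-loopback address:"
        printf '%s\n' "$listeners"
        echo "Mitigate per the advisory: disable the CUPS browsing service or block UDP 631 from untrusted networks."
        return 0
    fi
    echo "OK: UDP 631 bound to loopback only"
    return 1
}

cups_exposure "$SAMPLE_SS_OUTPUT"
```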
HPE recently disclosed a fix for 3 critical vulnerabilities in their Aruba Access Points, which could allow for unauthenticated attackers to gain remote code execution (RCE). The CVEs are tracked as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507. These vulnerabilities can be exploited by sending specially crafted packets across the PAPI (Aruba's Access Point management protocol) via UDP port 8211. The vulnerabilities affect Aruba Access Points using Instant AOS-8 and AOS-10. Impacted versions are:
Administrators are urged to patch as soon as possible. If the patches cannot be applied immediately, administrators of AOS-8.x devices can enable "cluster-security", which will block exploitation attempts, and on AOS-10 devices HPE recommends blocking UDP port 8211 from all untrusted networks.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.