The PacketWatch Intelligence Team
Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights Cybersecurity Awareness Month and a Vulnerability Roundup.
Cybersecurity Awareness Month: Back to Basics
A joint advisory was published by the NSA and CISA highlighting the top ten most common security misconfigurations they observed during recent red team and blue team engagements with various large organizations.
While this list may look like a bunch of common-sense items, these issues continue to plague organizations across the globe and give threat actors a huge edge when conducting their operations.
Organizations are strongly encouraged to review this list and work toward remediating any issues that are observed:
1. Default configurations of software and applications
Many network appliances, security devices, and software come off-the-shelf with built-in credentials, typically with administrator privileges. These need to be removed or disabled.
Many network services are enabled by default. The report specifically highlights Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS). If enabled within a network, these can be abused by threat actors in a variety of ways to gain unauthorized system access.
2. Improper separation of user/administrator privilege
Excessive account privileges - Use the principle of least-privilege to ensure accounts only have the minimum required permissions to complete necessary tasks.
Elevated service account permissions - As above, limit permissions of service accounts only to have the necessary permissions required to complete their task.
Non-essential use of elevated accounts - This entails using domain administrator or administrator accounts for day-to-day tasks instead of only using them when absolutely necessary for a privileged task.
3. Insufficient internal network monitoring
Visibility into the network is crucial for defending against attacks. This visibility should come from both host-based and network-based logs.
Organizations should have the ability to detect anomalous behavior on an endpoint (malware, suspicious processes, suspicious commands), as well as anomalous network traffic (e.g., command-and-control traffic, beaconing).
This is precisely why PacketWatch includes network traffic monitoring and analysis as a key pillar of its MDR service.
4. Lack of network segmentation
Logical and sometimes physical boundaries should be placed between user, production, and critical systems. For example, a user connected to the Guest Wi-Fi should not be able to access the domain controller directly.
5. Poor patch management
Patch management first begins with understanding the hardware and software in your environment. Assets that are unknown or forgotten will never get patched.
Regular patch management cycles should be implemented, especially for internet-facing assets.
Unsupported operating systems or software should be removed from the environment.
6. Bypass of system access controls
This highlights the use of pass-the-hash and Kerberoasting to bypass system access controls. Proper privileged account usage (Item 2) and proper credential hygiene (Item 9) can help blunt these attack methods.
7. Weak or misconfigured multifactor authentication (MFA) methods
While some MFA is better than no MFA, certain MFA implementations are more susceptible than others to phishing attacks, such as push notifications ("push bombing") and SMS authentication ("SIM swapping").
8. Insufficient access control lists on network shares and services
Users should only be able to access data shares that are absolutely necessary for their job role.
9. Poor credential hygiene
Easily crackable passwords - User account passwords should be at least 15 characters long; service account and administrator account passwords should be at least 25 characters long. These passwords should be random, non-dictionary passwords. Password managers are ideal for managing these.
Credential reuse - It is common practice for users to use their work account emails to register accounts on 3rd party sites. When these 3rd party sites are breached and the passwords are dumped online, if the user leveraged the same or similar password at the 3rd party site as they do within the organization, threat actors can abuse this to gain initial access.
Cleartext passwords - Storage of plaintext passwords on any device are a huge security risk. Passwords should be stored in an approved password manager or vault. Additionally, protocols that are unencrypted by default can leak plaintext passwords on the network (FTP, SMTP, etc.).
10. Unrestricted code execution
Only pre-approved software should be allowed to run on a host. System settings can be enabled to prevent the ability to run applications downloaded from untrusted sources. Application control tools can be leveraged to create allow-lists for software.
The full advisory can be found here which includes additional details of these misconfigurations, along with additional steps for remediation.
Vulnerability Roundup
Upcoming vulnerability disclosure for curl
On October 3, Daniel Stenberg (@badger) announced a forthcoming patch for curl (version 8.4.0) that will be released on October 11, which includes a fix for a still unknown "high severity CVE".
Due to the widespread usage of curl, this vulnerability has the potential to be a major security risk.
Organizations are strongly encouraged to begin identifying where curl is used within their environment so that patches can be applied in a timely manner once they are released.
PacketWatch's Andrew Oesterheld has created several queries that can be used across various platforms to help identify where curl is used. You can find them here.
0-day unauthenticated RCE in Exim mail transfer agent (MTA)
Last week, researchers from the Zero Day Initiative disclosed details of a critical vulnerability (CVE-2023-42115) in the Exim MTA software.
The flaw resides within the SMTP service which listens on port 25 by default. Since Exim is the default MTA on Debian Linux distributions, this vulnerability affects a large number of devices across the internet.
No patch is currently available, so the current mitigation is to restrict remote access to the internet.
Apple 0-day fixes
Apple released a new update for their iOS devices, version 17.0.3, to address CVE-2023-42824 - a local privilege escalation vulnerability in the XNU kernel, and CVE-2023-5217 - a heap buffer overflow vulnerability in the VP8 encoding of the libvpx video codec library which can allow for arbitrary code execution.
Both vulnerabilities have been observed being exploited in the wild. Users are urged to update their iOS devices as soon as possible.
Progress WS_FTP RCE
From the team that brought you MoveIt, comes another maximum severity critical vulnerability in a file sharing tool - WS_FTP.
The vulnerability, CVE-2023-40044, allows for unauthenticated remote code execution.
Proof-of-concept code has already been published. Organizations are strongly encouraged to patch as soon as possible.
Edge, Teams, Skype release patch for WebP and VP8 vulnerabilities
Patches have been introduced by Microsoft to address two critical vulnerabilities - CVE-2023-4863, the heap buffer overflow in the WebP (libwebp) library, and CVE-2023-5217, the heap buffer overflow in the VP8 encoding of the libvpx video codec library.
Successful exploitation of both vulnerabilities can lead to arbitrary code execution. Users are strongly encouraged to patch as soon as possible.
'Looney Tunables' Privilege Escalation in Linux
Researchers at Qualys published research disclosing a new privilege escalation vulnerability that affects several major Linux distributions including Fedora, Ubuntu, and Debian.
Tracked as CVE-2023-4911, successful exploitation allows the attacker to gain root privileges on the system.
Proof-of-concept code has already been published in the wild. Users are strongly encouraged to patch affected systems as soon as possible.
0-day Critical Privilege Escalation Vulnerability in Confluence Server and Data Center
Atlassian recently published a security advisory detailing how attackers exploited a previously unknown vulnerability in internet-accessible Confluence Data Center and Server instances.
The result of this exploit allowed the attacker to "create unauthorized Confluence administrator accounts and access Confluence instances".
This vulnerability, CVE-2023-22515, affects multiple versions of Data Center and Server 8.0+ instances.
Users are strongly encouraged to apply the newly released patch as soon as possible.
If unable to patch, administrators are recommended to restrict external network access to affected instances.
Cited Resources
- https://everything.curl.dev/protocols/curl
- https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
- https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
- https://support.apple.com/en-us/HT213961
- https://www.bleepingcomputer.com/news/apple/apple-emergency-update-fixes-new-zero-day-used-to-hack-iphones/
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
- https://www.bleepingcomputer.com/news/security/progress-warns-of-maximum-severity-ws-ftp-server-vulnerability/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fixes-for-zero-days-in-open-source-libraries/
- https://access.redhat.com/security/cve/CVE-2023-4911
- https://www.darkreading.com/vulnerabilities-threats/millions-linux-systems-looney-tunables-bug-root-takeover
- https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Disclaimer
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.